summaryrefslogtreecommitdiff
path: root/common
diff options
context:
space:
mode:
authorStef Walter <stefw@gnome.org>2013-01-24 11:34:47 +0100
committerStef Walter <stefw@gnome.org>2013-02-05 14:54:46 +0100
commit5147d71466455b3d087b3f3a7472a35e8216c55a (patch)
tree4b81eee35b7d0ec877a34c4fde06478d700a3960 /common
parent603c7d4eb996f51178ccc9d235597497bbb2c7a4 (diff)
Add basic trust module
This is based off the roots-store from gnome-keyring and loads certificates from a root directory and exposes them as PKCS#11 objects.
Diffstat (limited to 'common')
-rw-r--r--common/Makefile.am15
-rw-r--r--common/compat.c107
-rw-r--r--common/compat.h17
-rw-r--r--common/debug.c1
-rw-r--r--common/debug.h11
-rw-r--r--common/pkix.asn566
-rw-r--r--common/pkix.asn.h408
-rw-r--r--common/tests/Makefile.am20
-rw-r--r--common/tests/frob-cert.c147
-rw-r--r--common/tests/frob-eku.c101
-rw-r--r--common/tests/frob-ku.c134
11 files changed, 1519 insertions, 8 deletions
diff --git a/common/Makefile.am b/common/Makefile.am
index aae9b35..5f2852e 100644
--- a/common/Makefile.am
+++ b/common/Makefile.am
@@ -26,17 +26,24 @@ libp11_library_la_SOURCES = \
dict.c dict.h \
library.c library.h \
pkcs11.h pkcs11x.h \
- pkix.asn pkix.asn.h \
$(NULL)
+libp11_mock_la_SOURCES = \
+ mock.c mock.h \
+ $(NULL)
+
+if WITH_ASN1
+
noinst_LTLIBRARIES += \
libp11-data.la \
$(NULL)
libp11_data_la_SOURCES = \
checksum.c checksum.h \
+ pkix.asn pkix.asn.h \
$(NULL)
-libp11_mock_la_SOURCES = \
- mock.c mock.h \
- $(NULL)
+asn:
+ asn1Parser -o pkix.asn.h pkix.asn
+
+endif # WITH_ASN1
diff --git a/common/compat.c b/common/compat.c
index a22071a..74fb130 100644
--- a/common/compat.c
+++ b/common/compat.c
@@ -37,6 +37,7 @@
#include "compat.h"
#include <assert.h>
+#include <errno.h>
#include <stdlib.h>
#include <string.h>
@@ -185,6 +186,72 @@ p11_thread_join (p11_thread_t thread)
#endif /* OS_WIN32 */
+#ifndef HAVE_STRNSTR
+
+/*-
+ * Copyright (c) 2001 Mike Barcroft <mike@FreeBSD.org>
+ * Copyright (c) 1990, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * This code is derived from software contributed to Berkeley by
+ * Chris Torek.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <string.h>
+
+/*
+ * Find the first occurrence of find in s, where the search is limited to the
+ * first slen characters of s.
+ */
+char *
+strnstr (const char *s,
+ const char *find,
+ size_t slen)
+{
+ char c, sc;
+ size_t len;
+
+ if ((c = *find++) != '\0') {
+ len = strlen (find);
+ do {
+ do {
+ if (slen-- < 1 || (sc = *s++) == '\0')
+ return (NULL);
+ } while (sc != c);
+ if (len > slen)
+ return (NULL);
+ } while (strncmp(s, find, len) != 0);
+ s--;
+ }
+ return ((char *)s);
+}
+
+#endif /* HAVE_STRNSTR */
+
#ifndef HAVE_MEMDUP
void *
@@ -204,3 +271,43 @@ memdup (void *data,
}
#endif /* HAVE_MEMDUP */
+
+#ifndef HAVE_STRCONCAT
+
+#include <stdarg.h>
+
+char *
+strconcat (const char *first,
+ ...)
+{
+ size_t length = 0;
+ const char *arg;
+ char *result, *at;
+ va_list va;
+
+ va_start (va, first);
+
+ for (arg = first; arg; arg = va_arg (va, const char*))
+ length += strlen (arg);
+
+ va_end (va);
+
+ at = result = malloc (length + 1);
+ if (result == NULL)
+ return NULL;
+
+ va_start (va, first);
+
+ for (arg = first; arg; arg = va_arg (va, const char*)) {
+ length = strlen (arg);
+ memcpy (at, arg, length);
+ at += length;
+ }
+
+ va_end (va);
+
+ *at = 0;
+ return result;
+}
+
+#endif /* HAVE_STRCONCAT */
diff --git a/common/compat.h b/common/compat.h
index 6305768..68786a7 100644
--- a/common/compat.h
+++ b/common/compat.h
@@ -39,8 +39,6 @@
#include <sys/types.h>
-typedef enum { false, true } bool;
-
#if !defined(__cplusplus) && (__GNUC__ > 2)
#define GNUC_PRINTF(x, y) __attribute__((__format__(__printf__, x, y)))
#else
@@ -175,6 +173,14 @@ typedef void * dl_module_t;
#include <errno.h>
#endif /* HAVE_ERRNO_H */
+#ifndef HAVE_STRNSTR
+
+char * strnstr (const char *s,
+ const char *find,
+ size_t slen);
+
+#endif /* HAVE_STRNSTR */
+
#ifndef HAVE_MEMDUP
void * memdup (void *data,
@@ -188,4 +194,11 @@ void * memdup (void *data,
typedef enum { false, true } bool;
#endif
+#ifndef HAVE_STRCONCAT
+
+char * strconcat (const char *first,
+ ...) GNUC_NULL_TERMINATED;
+
+#endif /* HAVE_STRCONCAT */
+
#endif /* __COMPAT_H__ */
diff --git a/common/debug.c b/common/debug.c
index 2728bf6..1ef51d3 100644
--- a/common/debug.c
+++ b/common/debug.c
@@ -55,6 +55,7 @@ static struct DebugKey debug_keys[] = {
{ "conf", P11_DEBUG_CONF },
{ "uri", P11_DEBUG_URI },
{ "proxy", P11_DEBUG_PROXY },
+ { "trust", P11_DEBUG_TRUST },
{ 0, }
};
diff --git a/common/debug.h b/common/debug.h
index 2374b6f..ff2af0f 100644
--- a/common/debug.h
+++ b/common/debug.h
@@ -43,6 +43,7 @@ enum {
P11_DEBUG_CONF = 1 << 2,
P11_DEBUG_URI = 1 << 3,
P11_DEBUG_PROXY = 1 << 4,
+ P11_DEBUG_TRUST = 1 << 5,
};
extern int p11_debug_current_flags;
@@ -83,6 +84,16 @@ void p11_debug_precond (const char *format,
return v; \
} while (false)
+#define warn_if_reached(v) \
+ do { \
+ p11_debug_precond ("p11-kit: shouldn't be reached at %s\n", __func__); \
+ } while (false)
+
+#define warn_if_fail(x) \
+ do { if (!(x)) { \
+ p11_debug_precond ("p11-kit: '%s' not true at %s\n", #x, __func__); \
+ } } while (false)
+
#endif /* DEBUG_H */
/* -----------------------------------------------------------------------------
diff --git a/common/pkix.asn b/common/pkix.asn
new file mode 100644
index 0000000..38bb028
--- /dev/null
+++ b/common/pkix.asn
@@ -0,0 +1,566 @@
+
+PKIX1 { }
+
+DEFINITIONS IMPLICIT TAGS ::=
+
+BEGIN
+
+-- This contains both PKIX1Implicit88 and RFC2630 ASN.1 modules.
+
+id-pkix OBJECT IDENTIFIER ::=
+ { iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanisms(5) pkix(7) }
+
+-- ISO arc for standard certificate and CRL extensions
+
+-- authority key identifier OID and syntax
+
+AuthorityKeyIdentifier ::= SEQUENCE {
+ keyIdentifier [0] KeyIdentifier OPTIONAL,
+ authorityCertIssuer [1] GeneralNames OPTIONAL,
+ authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
+ -- authorityCertIssuer and authorityCertSerialNumber shall both
+ -- be present or both be absgent
+
+KeyIdentifier ::= OCTET STRING
+
+-- subject key identifier OID and syntax
+
+SubjectKeyIdentifier ::= KeyIdentifier
+
+-- key usage extension OID and syntax
+
+KeyUsage ::= BIT STRING
+
+-- Directory string type --
+
+DirectoryString ::= CHOICE {
+ teletexString TeletexString (SIZE (1..MAX)),
+ printableString PrintableString (SIZE (1..MAX)),
+ universalString UniversalString (SIZE (1..MAX)),
+ utf8String UTF8String (SIZE (1..MAX)),
+ bmpString BMPString (SIZE(1..MAX)),
+ -- IA5String is added here to handle old UID encoded as ia5String --
+ -- See tests/userid/ for more information. It shouldn't be here, --
+ -- so if it causes problems, considering dropping it. --
+ ia5String IA5String (SIZE(1..MAX)) }
+
+SubjectAltName ::= GeneralNames
+
+GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+
+GeneralName ::= CHOICE {
+ otherName [0] AnotherName,
+ rfc822Name [1] IA5String,
+ dNSName [2] IA5String,
+ x400Address [3] ANY,
+-- Changed to work with the libtasn1 parser.
+ directoryName [4] EXPLICIT RDNSequence, --Name,
+ ediPartyName [5] ANY, --EDIPartyName replaced by ANY to save memory
+ uniformResourceIdentifier [6] IA5String,
+ iPAddress [7] OCTET STRING,
+ registeredID [8] OBJECT IDENTIFIER }
+
+-- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
+-- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax
+
+AnotherName ::= SEQUENCE {
+ type-id OBJECT IDENTIFIER,
+ value [0] EXPLICIT ANY DEFINED BY type-id }
+
+-- issuer alternative name extension OID and syntax
+
+IssuerAltName ::= GeneralNames
+
+-- basic constraints extension OID and syntax
+
+BasicConstraints ::= SEQUENCE {
+ cA BOOLEAN DEFAULT FALSE,
+ pathLenConstraint INTEGER (0..MAX) OPTIONAL }
+
+-- CRL distribution points extension OID and syntax
+
+CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
+
+DistributionPoint ::= SEQUENCE {
+ distributionPoint [0] EXPLICIT DistributionPointName OPTIONAL,
+ reasons [1] ReasonFlags OPTIONAL,
+ cRLIssuer [2] GeneralNames OPTIONAL
+}
+
+DistributionPointName ::= CHOICE {
+ fullName [0] GeneralNames,
+ nameRelativeToCRLIssuer [1] RelativeDistinguishedName
+}
+
+ReasonFlags ::= BIT STRING
+
+-- extended key usage extension OID and syntax
+
+ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
+
+KeyPurposeId ::= OBJECT IDENTIFIER
+
+-- CRL number extension OID and syntax
+
+CRLNumber ::= INTEGER (0..MAX)
+
+-- certificate issuer CRL entry extension OID and syntax
+
+CertificateIssuer ::= GeneralNames
+
+-- --------------------------------------
+-- EXPLICIT
+-- --------------------------------------
+
+-- UNIVERSAL Types defined in '93 and '98 ASN.1
+-- but required by this specification
+
+NumericString ::= [UNIVERSAL 18] IMPLICIT OCTET STRING
+
+IA5String ::= [UNIVERSAL 22] IMPLICIT OCTET STRING
+
+TeletexString ::= [UNIVERSAL 20] IMPLICIT OCTET STRING
+
+PrintableString ::= [UNIVERSAL 19] IMPLICIT OCTET STRING
+
+UniversalString ::= [UNIVERSAL 28] IMPLICIT OCTET STRING
+ -- UniversalString is defined in ASN.1:1993
+
+BMPString ::= [UNIVERSAL 30] IMPLICIT OCTET STRING
+ -- BMPString is the subtype of UniversalString and models
+ -- the Basic Multilingual Plane of ISO/IEC/ITU 10646-1
+
+UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
+ -- The content of this type conforms to RFC 2279.
+
+
+-- attribute data types --
+
+Attribute ::= SEQUENCE {
+ type AttributeType,
+ values SET OF AttributeValue
+ -- at least one value is required --
+}
+
+AttributeType ::= OBJECT IDENTIFIER
+
+AttributeValue ::= ANY DEFINED BY type
+
+AttributeTypeAndValue ::= SEQUENCE {
+ type AttributeType,
+ value AttributeValue }
+
+-- suggested naming attributes: Definition of the following
+-- information object set may be augmented to meet local
+-- requirements. Note that deleting members of the set may
+-- prevent interoperability with conforming implementations.
+-- presented in pairs: the AttributeType followed by the
+-- type definition for the corresponding AttributeValue
+
+-- Arc for standard naming attributes
+id-at OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 4}
+
+-- Attributes of type NameDirectoryString
+
+-- gnutls: Note that the Object ID (id-at*) is being set just before the
+-- actual definition. This is done in order for asn1_find_structure_from_oid
+-- to work (locate structure from OID).
+-- Maybe this is inefficient and memory consuming. Should we replace with
+-- a table that maps OIDs to structures?
+
+PostalAddress ::= SEQUENCE OF DirectoryString
+
+ -- Legacy attributes
+
+emailAddress AttributeType ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 1 }
+
+Pkcs9email ::= IA5String (SIZE (1..ub-emailaddress-length))
+
+-- naming data types --
+
+Name ::= CHOICE { -- only one possibility for now --
+ rdnSequence RDNSequence }
+
+RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+
+DistinguishedName ::= RDNSequence
+
+RelativeDistinguishedName ::=
+ SET SIZE (1 .. MAX) OF AttributeTypeAndValue
+
+
+
+-- --------------------------------------------------------
+-- certificate and CRL specific structures begin here
+-- --------------------------------------------------------
+
+Certificate ::= SEQUENCE {
+ tbsCertificate TBSCertificate,
+ signatureAlgorithm AlgorithmIdentifier,
+ signature BIT STRING }
+
+TBSCertificate ::= SEQUENCE {
+ version [0] EXPLICIT Version DEFAULT v1,
+ serialNumber CertificateSerialNumber,
+ signature AlgorithmIdentifier,
+ issuer Name,
+ validity Validity,
+ subject Name,
+ subjectPublicKeyInfo SubjectPublicKeyInfo,
+ issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
+ -- If present, version shall be v2 or v3
+ subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
+ -- If present, version shall be v2 or v3
+ extensions [3] EXPLICIT Extensions OPTIONAL
+ -- If present, version shall be v3 --
+}
+
+Version ::= INTEGER { v1(0), v2(1), v3(2) }
+
+CertificateSerialNumber ::= INTEGER
+
+Validity ::= SEQUENCE {
+ notBefore Time,
+ notAfter Time }
+
+Time ::= CHOICE {
+ utcTime UTCTime,
+ generalTime GeneralizedTime }
+
+UniqueIdentifier ::= BIT STRING
+
+SubjectPublicKeyInfo ::= SEQUENCE {
+ algorithm AlgorithmIdentifier,
+ subjectPublicKey BIT STRING }
+
+Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
+
+Extension ::= SEQUENCE {
+ extnID OBJECT IDENTIFIER,
+ critical BOOLEAN DEFAULT FALSE,
+ extnValue OCTET STRING }
+
+
+-- ------------------------------------------
+-- CRL structures
+-- ------------------------------------------
+
+CertificateList ::= SEQUENCE {
+ tbsCertList TBSCertList,
+ signatureAlgorithm AlgorithmIdentifier,
+ signature BIT STRING }
+
+TBSCertList ::= SEQUENCE {
+ version Version OPTIONAL,
+ -- if present, shall be v2
+ signature AlgorithmIdentifier,
+ issuer Name,
+ thisUpdate Time,
+ nextUpdate Time OPTIONAL,
+ revokedCertificates SEQUENCE OF SEQUENCE {
+ userCertificate CertificateSerialNumber,
+ revocationDate Time,
+ crlEntryExtensions Extensions OPTIONAL
+ -- if present, shall be v2
+ } OPTIONAL,
+ crlExtensions [0] EXPLICIT Extensions OPTIONAL
+ -- if present, shall be v2 --
+}
+
+-- Version, Time, CertificateSerialNumber, and Extensions were
+-- defined earlier for use in the certificate structure
+
+AlgorithmIdentifier ::= SEQUENCE {
+ algorithm OBJECT IDENTIFIER,
+ parameters ANY DEFINED BY algorithm OPTIONAL }
+ -- contains a value of the type
+ -- registered for use with the
+ -- algorithm object identifier value
+
+-- Algorithm OIDs and parameter structures
+
+Dss-Sig-Value ::= SEQUENCE {
+ r INTEGER,
+ s INTEGER
+}
+
+DomainParameters ::= SEQUENCE {
+ p INTEGER, -- odd prime, p=jq +1
+ g INTEGER, -- generator, g
+ q INTEGER, -- factor of p-1
+ j INTEGER OPTIONAL, -- subgroup factor, j>= 2
+ validationParms ValidationParms OPTIONAL }
+
+ValidationParms ::= SEQUENCE {
+ seed BIT STRING,
+ pgenCounter INTEGER }
+
+Dss-Parms ::= SEQUENCE {
+ p INTEGER,
+ q INTEGER,
+ g INTEGER }
+
+-- x400 address syntax starts here
+-- OR Names
+
+CountryName ::= [APPLICATION 1] CHOICE {
+ x121-dcc-code NumericString
+ (SIZE (ub-country-name-numeric-length)),
+ iso-3166-alpha2-code PrintableString
+ (SIZE (ub-country-name-alpha-length)) }
+
+OrganizationName ::= PrintableString
+ (SIZE (1..ub-organization-name-length))
+-- see also teletex-organization-name
+
+NumericUserIdentifier ::= NumericString
+ (SIZE (1..ub-numeric-user-id-length))
+
+-- see also teletex-personal-name
+
+OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
+ OF OrganizationalUnitName
+-- see also teletex-organizational-unit-names
+
+OrganizationalUnitName ::= PrintableString (SIZE
+ (1..ub-organizational-unit-name-length))
+
+-- Extension types and attribute values
+--
+
+CommonName ::= PrintableString
+
+-- END of PKIX1Implicit88
+
+
+-- BEGIN of RFC2630
+
+-- Cryptographic Message Syntax
+
+pkcs-7-ContentInfo ::= SEQUENCE {
+ contentType pkcs-7-ContentType,
+ content [0] EXPLICIT ANY DEFINED BY contentType }
+
+pkcs-7-DigestInfo ::= SEQUENCE {
+ digestAlgorithm pkcs-7-DigestAlgorithmIdentifier,
+ digest pkcs-7-Digest
+}
+
+pkcs-7-Digest ::= OCTET STRING
+
+pkcs-7-ContentType ::= OBJECT IDENTIFIER
+
+pkcs-7-SignedData ::= SEQUENCE {
+ version pkcs-7-CMSVersion,
+ digestAlgorithms pkcs-7-DigestAlgorithmIdentifiers,
+ encapContentInfo pkcs-7-EncapsulatedContentInfo,
+ certificates [0] IMPLICIT pkcs-7-CertificateSet OPTIONAL,
+ crls [1] IMPLICIT pkcs-7-CertificateRevocationLists OPTIONAL,
+ signerInfos pkcs-7-SignerInfos
+}
+
+pkcs-7-CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4) }
+
+pkcs-7-DigestAlgorithmIdentifiers ::= SET OF pkcs-7-DigestAlgorithmIdentifier
+
+pkcs-7-DigestAlgorithmIdentifier ::= AlgorithmIdentifier
+
+pkcs-7-EncapsulatedContentInfo ::= SEQUENCE {
+ eContentType pkcs-7-ContentType,
+ eContent [0] EXPLICIT OCTET STRING OPTIONAL }
+
+-- We don't use CertificateList here since we only want
+-- to read the raw data.
+pkcs-7-CertificateRevocationLists ::= SET OF ANY
+
+pkcs-7-CertificateChoices ::= CHOICE {
+-- Although the paper uses Certificate type, we
+-- don't use it since, we don't need to parse it.
+-- We only need to read and store it.
+ certificate ANY
+}
+
+pkcs-7-CertificateSet ::= SET OF pkcs-7-CertificateChoices
+
+pkcs-7-SignerInfos ::= SET OF ANY -- this is not correct but we don't use it
+ -- anyway
+
+
+-- BEGIN of RFC2986
+
+-- Certificate requests
+pkcs-10-CertificationRequestInfo ::= SEQUENCE {
+ version INTEGER { v1(0) },
+ subject Name,
+ subjectPKInfo SubjectPublicKeyInfo,
+ attributes [0] Attributes
+}
+
+Attributes ::= SET OF Attribute
+
+pkcs-10-CertificationRequest ::= SEQUENCE {
+ certificationRequestInfo pkcs-10-CertificationRequestInfo,
+ signatureAlgorithm AlgorithmIdentifier,
+ signature BIT STRING
+}
+
+-- stuff from PKCS#9
+
+pkcs-9-at-challengePassword OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 7}
+
+pkcs-9-challengePassword ::= CHOICE {
+ printableString PrintableString,
+ utf8String UTF8String }
+
+pkcs-9-localKeyId ::= OCTET STRING
+
+-- PKCS #8 stuff
+
+-- Private-key information syntax
+
+pkcs-8-PrivateKeyInfo ::= SEQUENCE {
+ version pkcs-8-Version,
+ privateKeyAlgorithm AlgorithmIdentifier,
+ privateKey pkcs-8-PrivateKey,
+ attributes [0] Attributes OPTIONAL }
+
+pkcs-8-Version ::= INTEGER {v1(0)}
+
+pkcs-8-PrivateKey ::= OCTET STRING
+
+pkcs-8-Attributes ::= SET OF Attribute
+
+-- Encrypted private-key information syntax
+
+pkcs-8-EncryptedPrivateKeyInfo ::= SEQUENCE {
+ encryptionAlgorithm AlgorithmIdentifier,
+ encryptedData pkcs-8-EncryptedData
+}
+
+pkcs-8-EncryptedData ::= OCTET STRING
+
+-- PKCS #5 stuff
+
+pkcs-5-des-EDE3-CBC-params ::= OCTET STRING (SIZE(8))
+pkcs-5-aes128-CBC-params ::= OCTET STRING (SIZE(16))
+pkcs-5-aes192-CBC-params ::= OCTET STRING (SIZE(16))
+pkcs-5-aes256-CBC-params ::= OCTET STRING (SIZE(16))
+
+pkcs-5-PBES2-params ::= SEQUENCE {
+ keyDerivationFunc AlgorithmIdentifier,
+ encryptionScheme AlgorithmIdentifier }
+
+-- PBKDF2
+
+-- pkcs-5-algid-hmacWithSHA1 AlgorithmIdentifier ::=
+-- {algorithm pkcs-5-id-hmacWithSHA1, parameters NULL : NULL}
+
+pkcs-5-PBKDF2-params ::= SEQUENCE {
+ salt CHOICE {
+ specified OCTET STRING,
+ otherSource AlgorithmIdentifier
+ },
+ iterationCount INTEGER (1..MAX),
+ keyLength INTEGER (1..MAX) OPTIONAL,
+ prf AlgorithmIdentifier OPTIONAL -- DEFAULT pkcs-5-id-hmacWithSHA1
+}
+
+-- PKCS #12 stuff
+
+pkcs-12-PFX ::= SEQUENCE {
+ version INTEGER {v3(3)},
+ authSafe pkcs-7-ContentInfo,
+ macData pkcs-12-MacData OPTIONAL
+}
+
+pkcs-12-PbeParams ::= SEQUENCE {
+ salt OCTET STRING,
+ iterations INTEGER
+}
+
+pkcs-12-MacData ::= SEQUENCE {
+ mac pkcs-7-DigestInfo,
+ macSalt OCTET STRING,
+ iterations INTEGER DEFAULT 1
+-- Note: The default is for historical reasons and its use is
+-- deprecated. A higher value, like 1024 is recommended.
+}
+
+pkcs-12-AuthenticatedSafe ::= SEQUENCE OF pkcs-7-ContentInfo
+ -- Data if unencrypted
+ -- EncryptedData if password-encrypted
+ -- EnvelopedData if public key-encrypted
+
+pkcs-12-SafeContents ::= SEQUENCE OF pkcs-12-SafeBag
+
+pkcs-12-SafeBag ::= SEQUENCE {
+ bagId OBJECT IDENTIFIER,
+ bagValue [0] EXPLICIT ANY DEFINED BY badId,
+ bagAttributes SET OF pkcs-12-PKCS12Attribute OPTIONAL
+}
+
+-- Bag types
+
+pkcs-12-KeyBag ::= pkcs-8-PrivateKeyInfo
+
+-- Shrouded KeyBag
+
+pkcs-12-PKCS8ShroudedKeyBag ::= pkcs-8-EncryptedPrivateKeyInfo
+
+-- CertBag
+
+pkcs-12-CertBag ::= SEQUENCE {
+ certId OBJECT IDENTIFIER,
+ certValue [0] EXPLICIT ANY DEFINED BY certId
+}
+
+-- x509Certificate BAG-TYPE ::= {OCTET STRING IDENTIFIED BY {pkcs-9-certTypes 1}}
+-- DER-encoded X.509 certificate stored in OCTET STRING
+
+pkcs-12-CRLBag ::= SEQUENCE {
+ crlId OBJECT IDENTIFIER,
+ crlValue [0] EXPLICIT ANY DEFINED BY crlId
+}
+
+pkcs-12-SecretBag ::= SEQUENCE {
+ secretTypeId OBJECT IDENTIFIER,
+ secretValue [0] EXPLICIT ANY DEFINED BY secretTypeId
+}
+
+-- x509CRL BAG-TYPE ::= {OCTET STRING IDENTIFIED BY {pkcs-9-crlTypes 1}}
+-- DER-encoded X.509 CRL stored in OCTET STRING
+
+pkcs-12-PKCS12Attribute ::= Attribute
+
+-- PKCS #7 stuff (needed in PKCS 12)
+
+pkcs-7-Data ::= OCTET STRING
+
+pkcs-7-EncryptedData ::= SEQUENCE {
+ version pkcs-7-CMSVersion,
+ encryptedContentInfo pkcs-7-EncryptedContentInfo,
+ unprotectedAttrs [1] IMPLICIT pkcs-7-UnprotectedAttributes OPTIONAL }
+
+pkcs-7-EncryptedContentInfo ::= SEQUENCE {
+ contentType pkcs-7-ContentType,
+ contentEncryptionAlgorithm pkcs-7-ContentEncryptionAlgorithmIdentifier,
+ encryptedContent [0] IMPLICIT pkcs-7-EncryptedContent OPTIONAL }
+
+pkcs-7-ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
+
+pkcs-7-EncryptedContent ::= OCTET STRING
+
+pkcs-7-UnprotectedAttributes ::= SET SIZE (1..MAX) OF Attribute
+
+-- rfc3820
+
+ProxyCertInfo ::= SEQUENCE {
+ pCPathLenConstraint INTEGER (0..MAX) OPTIONAL,
+ proxyPolicy ProxyPolicy }
+
+ProxyPolicy ::= SEQUENCE {
+ policyLanguage OBJECT IDENTIFIER,
+ policy OCTET STRING OPTIONAL }
+
+END
diff --git a/common/pkix.asn.h b/common/pkix.asn.h
new file mode 100644
index 0000000..d5d5cc4
--- /dev/null
+++ b/common/pkix.asn.h
@@ -0,0 +1,408 @@
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <libtasn1.h>
+
+const ASN1_ARRAY_TYPE pkix_asn1_tab[] = {
+ { "PKIX1", 536875024, NULL },
+ { NULL, 1073741836, NULL },
+ { "id-pkix", 1879048204, NULL },
+ { "iso", 1073741825, "1"},
+ { "identified-organization", 1073741825, "3"},
+ { "dod", 1073741825, "6"},
+ { "internet", 1073741825, "1"},
+ { "security", 1073741825, "5"},
+ { "mechanisms", 1073741825, "5"},
+ { "pkix", 1, "7"},
+ { "AuthorityKeyIdentifier", 1610612741, NULL },
+ { "keyIdentifier", 1610637314, "KeyIdentifier"},
+ { NULL, 4104, "0"},
+ { "authorityCertIssuer", 1610637314, "GeneralNames"},
+ { NULL, 4104, "1"},
+ { "authorityCertSerialNumber", 536895490, "CertificateSerialNumber"},
+ { NULL, 4104, "2"},
+ { "KeyIdentifier", 1073741831, NULL },
+ { "SubjectKeyIdentifier", 1073741826, "KeyIdentifier"},
+ { "KeyUsage", 1073741830, NULL },
+ { "DirectoryString", 1610612754, NULL },
+ { "teletexString", 1612709890, "TeletexString"},
+ { "MAX", 524298, "1"},
+ { "printableString", 1612709890, "PrintableString"},
+ { "MAX", 524298, "1"},
+ { "universalString", 1612709890, "UniversalString"},
+ { "MAX", 524298, "1"},
+ { "utf8String", 1612709890, "UTF8String"},
+ { "MAX", 524298, "1"},
+ { "bmpString", 1612709890, "BMPString"},
+ { "MAX", 524298, "1"},
+ { "ia5String", 538968066, "IA5String"},
+ { "MAX", 524298, "1"},
+ { "SubjectAltName", 1073741826, "GeneralNames"},
+ { "GeneralNames", 1612709899, NULL },
+ { "MAX", 1074266122, "1"},
+ { NULL, 2, "GeneralName"},
+ { "GeneralName", 1610612754, NULL },
+ { "otherName", 1610620930, "AnotherName"},
+ { NULL, 4104, "0"},
+ { "rfc822Name", 1610620930, "IA5String"},
+ { NULL, 4104, "1"},
+ { "dNSName", 1610620930, "IA5String"},
+ { NULL, 4104, "2"},
+ { "x400Address", 1610620941, NULL },
+ { NULL, 4104, "3"},
+ { "directoryName", 1610620930, "RDNSequence"},
+ { NULL, 2056, "4"},
+ { "ediPartyName", 1610620941, NULL },
+ { NULL, 4104, "5"},
+ { "uniformResourceIdentifier", 1610620930, "IA5String"},
+ { NULL, 4104, "6"},
+ { "iPAddress", 1610620935, NULL },
+ { NULL, 4104, "7"},
+ { "registeredID", 536879116, NULL },
+ { NULL, 4104, "8"},
+ { "AnotherName", 1610612741, NULL },
+ { "type-id", 1073741836, NULL },
+ { "value", 541073421, NULL },
+ { NULL, 1073743880, "0"},
+ { "type-id", 1, NULL },
+ { "IssuerAltName", 1073741826, "GeneralNames"},
+ { "BasicConstraints", 1610612741, NULL },
+ { "cA", 1610645508, NULL },
+ { NULL, 131081, NULL },
+ { "pathLenConstraint", 537411587, NULL },
+ { "0", 10, "MAX"},
+ { "CRLDistributionPoints", 1612709899, NULL },
+ { "MAX", 1074266122, "1"},
+ { NULL, 2, "DistributionPoint"},
+ { "DistributionPoint", 1610612741, NULL },
+ { "distributionPoint", 1610637314, "DistributionPointName"},
+ { NULL, 2056, "0"},
+ { "reasons", 1610637314, "ReasonFlags"},
+ { NULL, 4104, "1"},
+ { "cRLIssuer", 536895490, "GeneralNames"},
+ { NULL, 4104, "2"},
+ { "DistributionPointName", 1610612754, NULL },
+ { "fullName", 1610620930, "GeneralNames"},
+ { NULL, 4104, "0"},
+ { "nameRelativeToCRLIssuer", 536879106, "RelativeDistinguishedName"},
+ { NULL, 4104, "1"},
+ { "ReasonFlags", 1073741830, NULL },
+ { "ExtKeyUsageSyntax", 1612709899, NULL },
+ { "MAX", 1074266122, "1"},
+ { NULL, 2, "KeyPurposeId"},
+ { "KeyPurposeId", 1073741836, NULL },
+ { "CRLNumber", 1611137027, NULL },
+ { "0", 10, "MAX"},
+ { "CertificateIssuer", 1073741826, "GeneralNames"},
+ { "NumericString", 1610620935, NULL },
+ { NULL, 4360, "18"},
+ { "IA5String", 1610620935, NULL },
+ { NULL, 4360, "22"},
+ { "TeletexString", 1610620935, NULL },
+ { NULL, 4360, "20"},
+ { "PrintableString", 1610620935, NULL },
+ { NULL, 4360, "19"},
+ { "UniversalString", 1610620935, NULL },
+ { NULL, 4360, "28"},
+ { "BMPString", 1610620935, NULL },
+ { NULL, 4360, "30"},
+ { "UTF8String", 1610620935, NULL },
+ { NULL, 4360, "12"},
+ { "Attribute", 1610612741, NULL },
+ { "type", 1073741826, "AttributeType"},
+ { "values", 536870927, NULL },
+ { NULL, 2, "AttributeValue"},
+ { "AttributeType", 1073741836, NULL },
+ { "AttributeValue", 1614807053, NULL },
+ { "type", 1, NULL },
+ { "AttributeTypeAndValue", 1610612741, NULL },
+ { "type", 1073741826, "AttributeType"},
+ { "value", 2, "AttributeValue"},
+ { "id-at", 1879048204, NULL },
+ { "joint-iso-ccitt", 1073741825, "2"},
+ { "ds", 1073741825, "5"},
+ { NULL, 1, "4"},
+ { "PostalAddress", 1610612747, NULL },
+ { NULL, 2, "DirectoryString"},
+ { "emailAddress", 1880096780, "AttributeType"},
+ { "iso", 1073741825, "1"},
+ { "member-body", 1073741825, "2"},
+ { "us", 1073741825, "840"},
+ { "rsadsi", 1073741825, "113549"},
+ { "pkcs", 1073741825, "1"},
+ { NULL, 1073741825, "9"},
+ { NULL, 1, "1"},
+ { "Pkcs9email", 1612709890, "IA5String"},
+ { "ub-emailaddress-length", 524298, "1"},
+ { "Name", 1610612754, NULL },
+ { "rdnSequence", 2, "RDNSequence"},
+ { "RDNSequence", 1610612747, NULL },
+ { NULL, 2, "RelativeDistinguishedName"},
+ { "DistinguishedName", 1073741826, "RDNSequence"},
+ { "RelativeDistinguishedName", 1612709903, NULL },
+ { "MAX", 1074266122, "1"},
+ { NULL, 2, "AttributeTypeAndValue"},
+ { "Certificate", 1610612741, NULL },
+ { "tbsCertificate", 1073741826, "TBSCertificate"},
+ { "signatureAlgorithm", 1073741826, "AlgorithmIdentifier"},
+ { "signature", 6, NULL },
+ { "TBSCertificate", 1610612741, NULL },
+ { "version", 1610653698, "Version"},
+ { NULL, 1073741833, "v1"},
+ { NULL, 2056, "0"},
+ { "serialNumber", 1073741826, "CertificateSerialNumber"},
+ { "signature", 1073741826, "AlgorithmIdentifier"},
+ { "issuer", 1073741826, "Name"},
+ { "validity", 1073741826, "Validity"},
+ { "subject", 1073741826, "Name"},
+ { "subjectPublicKeyInfo", 1073741826, "SubjectPublicKeyInfo"},
+ { "issuerUniqueID", 1610637314, "UniqueIdentifier"},
+ { NULL, 4104, "1"},
+ { "subjectUniqueID", 1610637314, "UniqueIdentifier"},
+ { NULL, 4104, "2"},
+ { "extensions", 536895490, "Extensions"},
+ { NULL, 2056, "3"},
+ { "Version", 1610874883, NULL },
+ { "v1", 1073741825, "0"},
+ { "v2", 1073741825, "1"},
+ { "v3", 1, "2"},
+ { "CertificateSerialNumber", 1073741827, NULL },
+ { "Validity", 1610612741, NULL },
+ { "notBefore", 1073741826, "Time"},
+ { "notAfter", 2, "Time"},
+ { "Time", 1610612754, NULL },
+ { "utcTime", 1090519057, NULL },
+ { "generalTime", 8388625, NULL },
+ { "UniqueIdentifier", 1073741830, NULL },
+ { "SubjectPublicKeyInfo", 1610612741, NULL },
+ { "algorithm", 1073741826, "AlgorithmIdentifier"},
+ { "subjectPublicKey", 6, NULL },
+ { "Extensions", 1612709899, NULL },
+ { "MAX", 1074266122, "1"},
+ { NULL, 2, "Extension"},
+ { "Extension", 1610612741, NULL },
+ { "extnID", 1073741836, NULL },
+ { "critical", 1610645508, NULL },
+ { NULL, 131081, NULL },
+ { "extnValue", 7, NULL },
+ { "CertificateList", 1610612741, NULL },
+ { "tbsCertList", 1073741826, "TBSCertList"},
+ { "signatureAlgorithm", 1073741826, "AlgorithmIdentifier"},
+ { "signature", 6, NULL },
+ { "TBSCertList", 1610612741, NULL },
+ { "version", 1073758210, "Version"},
+ { "signature", 1073741826, "AlgorithmIdentifier"},
+ { "issuer", 1073741826, "Name"},
+ { "thisUpdate", 1073741826, "Time"},
+ { "nextUpdate", 1073758210, "Time"},
+ { "revokedCertificates", 1610629131, NULL },
+ { NULL, 536870917, NULL },
+ { "userCertificate", 1073741826, "CertificateSerialNumber"},
+ { "revocationDate", 1073741826, "Time"},
+ { "crlEntryExtensions", 16386, "Extensions"},
+ { "crlExtensions", 536895490, "Extensions"},
+ { NULL, 2056, "0"},
+ { "AlgorithmIdentifier", 1610612741, NULL },
+ { "algorithm", 1073741836, NULL },
+ { "parameters", 541081613, NULL },
+ { "algorithm", 1, NULL },
+ { "Dss-Sig-Value", 1610612741, NULL },
+ { "r", 1073741827, NULL },
+ { "s", 3, NULL },
+ { "DomainParameters", 1610612741, NULL },
+ { "p", 1073741827, NULL },
+ { "g", 1073741827, NULL },
+ { "q", 1073741827, NULL },
+ { "j", 1073758211, NULL },
+ { "validationParms", 16386, "ValidationParms"},
+ { "ValidationParms", 1610612741, NULL },
+ { "seed", 1073741830, NULL },
+ { "pgenCounter", 3, NULL },
+ { "Dss-Parms", 1610612741, NULL },
+ { "p", 1073741827, NULL },
+ { "q", 1073741827, NULL },
+ { "g", 3, NULL },
+ { "CountryName", 1610620946, NULL },
+ { NULL, 1073746952, "1"},
+ { "x121-dcc-code", 1612709890, "NumericString"},
+ { NULL, 1048586, "ub-country-name-numeric-length"},
+ { "iso-3166-alpha2-code", 538968066, "PrintableString"},
+ { NULL, 1048586, "ub-country-name-alpha-length"},
+ { "OrganizationName", 1612709890, "PrintableString"},
+ { "ub-organization-name-length", 524298, "1"},
+ { "NumericUserIdentifier", 1612709890, "NumericString"},
+ { "ub-numeric-user-id-length", 524298, "1"},
+ { "OrganizationalUnitNames", 1612709899, NULL },
+ { "ub-organizational-units", 1074266122, "1"},
+ { NULL, 2, "OrganizationalUnitName"},
+ { "OrganizationalUnitName", 1612709890, "PrintableString"},
+ { "ub-organizational-unit-name-length", 524298, "1"},
+ { "CommonName", 1073741826, "PrintableString"},
+ { "pkcs-7-ContentInfo", 1610612741, NULL },
+ { "contentType", 1073741826, "pkcs-7-ContentType"},
+ { "content", 541073421, NULL },
+ { NULL, 1073743880, "0"},
+ { "contentType", 1, NULL },
+ { "pkcs-7-DigestInfo", 1610612741, NULL },
+ { "digestAlgorithm", 1073741826, "pkcs-7-DigestAlgorithmIdentifier"},
+ { "digest", 2, "pkcs-7-Digest"},
+ { "pkcs-7-Digest", 1073741831, NULL },
+ { "pkcs-7-ContentType", 1073741836, NULL },
+ { "pkcs-7-SignedData", 1610612741, NULL },
+ { "version", 1073741826, "pkcs-7-CMSVersion"},
+ { "digestAlgorithms", 1073741826, "pkcs-7-DigestAlgorithmIdentifiers"},
+ { "encapContentInfo", 1073741826, "pkcs-7-EncapsulatedContentInfo"},
+ { "certificates", 1610637314, "pkcs-7-CertificateSet"},
+ { NULL, 4104, "0"},
+ { "crls", 1610637314, "pkcs-7-CertificateRevocationLists"},
+ { NULL, 4104, "1"},
+ { "signerInfos", 2, "pkcs-7-SignerInfos"},
+ { "pkcs-7-CMSVersion", 1610874883, NULL },
+ { "v0", 1073741825, "0"},
+ { "v1", 1073741825, "1"},
+ { "v2", 1073741825, "2"},
+ { "v3", 1073741825, "3"},
+ { "v4", 1, "4"},
+ { "pkcs-7-DigestAlgorithmIdentifiers", 1610612751, NULL },
+ { NULL, 2, "pkcs-7-DigestAlgorithmIdentifier"},
+ { "pkcs-7-DigestAlgorithmIdentifier", 1073741826, "AlgorithmIdentifier"},
+ { "pkcs-7-EncapsulatedContentInfo", 1610612741, NULL },
+ { "eContentType", 1073741826, "pkcs-7-ContentType"},
+ { "eContent", 536895495, NULL },
+ { NULL, 2056, "0"},
+ { "pkcs-7-CertificateRevocationLists", 1610612751, NULL },
+ { NULL, 13, NULL },
+ { "pkcs-7-CertificateChoices", 1610612754, NULL },
+ { "certificate", 13, NULL },
+ { "pkcs-7-CertificateSet", 1610612751, NULL },
+ { NULL, 2, "pkcs-7-CertificateChoices"},
+ { "pkcs-7-SignerInfos", 1610612751, NULL },
+ { NULL, 13, NULL },
+ { "pkcs-10-CertificationRequestInfo", 1610612741, NULL },
+ { "version", 1610874883, NULL },
+ { "v1", 1, "0"},
+ { "subject", 1073741826, "Name"},
+ { "subjectPKInfo", 1073741826, "SubjectPublicKeyInfo"},
+ { "attributes", 536879106, "Attributes"},
+ { NULL, 4104, "0"},
+ { "Attributes", 1610612751, NULL },
+ { NULL, 2, "Attribute"},
+ { "pkcs-10-CertificationRequest", 1610612741, NULL },
+ { "certificationRequestInfo", 1073741826, "pkcs-10-CertificationRequestInfo"},
+ { "signatureAlgorithm", 1073741826, "AlgorithmIdentifier"},
+ { "signature", 6, NULL },
+ { "pkcs-9-at-challengePassword", 1879048204, NULL },
+ { "iso", 1073741825, "1"},
+ { "member-body", 1073741825, "2"},
+ { "us", 1073741825, "840"},
+ { "rsadsi", 1073741825, "113549"},
+ { "pkcs", 1073741825, "1"},
+ { NULL, 1073741825, "9"},
+ { NULL, 1, "7"},
+ { "pkcs-9-challengePassword", 1610612754, NULL },
+ { "printableString", 1073741826, "PrintableString"},
+ { "utf8String", 2, "UTF8String"},
+ { "pkcs-9-localKeyId", 1073741831, NULL },
+ { "pkcs-8-PrivateKeyInfo", 1610612741, NULL },
+ { "version", 1073741826, "pkcs-8-Version"},
+ { "privateKeyAlgorithm", 1073741826, "AlgorithmIdentifier"},
+ { "privateKey", 1073741826, "pkcs-8-PrivateKey"},
+ { "attributes", 536895490, "Attributes"},
+ { NULL, 4104, "0"},
+ { "pkcs-8-Version", 1610874883, NULL },
+ { "v1", 1, "0"},
+ { "pkcs-8-PrivateKey", 1073741831, NULL },
+ { "pkcs-8-Attributes", 1610612751, NULL },
+ { NULL, 2, "Attribute"},
+ { "pkcs-8-EncryptedPrivateKeyInfo", 1610612741, NULL },
+ { "encryptionAlgorithm", 1073741826, "AlgorithmIdentifier"},
+ { "encryptedData", 2, "pkcs-8-EncryptedData"},
+ { "pkcs-8-EncryptedData", 1073741831, NULL },
+ { "pkcs-5-des-EDE3-CBC-params", 1612709895, NULL },
+ { NULL, 1048586, "8"},
+ { "pkcs-5-aes128-CBC-params", 1612709895, NULL },
+ { NULL, 1048586, "16"},
+ { "pkcs-5-aes192-CBC-params", 1612709895, NULL },
+ { NULL, 1048586, "16"},
+ { "pkcs-5-aes256-CBC-params", 1612709895, NULL },
+ { NULL, 1048586, "16"},
+ { "pkcs-5-PBES2-params", 1610612741, NULL },
+ { "keyDerivationFunc", 1073741826, "AlgorithmIdentifier"},
+ { "encryptionScheme", 2, "AlgorithmIdentifier"},
+ { "pkcs-5-PBKDF2-params", 1610612741, NULL },
+ { "salt", 1610612754, NULL },
+ { "specified", 1073741831, NULL },
+ { "otherSource", 2, "AlgorithmIdentifier"},
+ { "iterationCount", 1611137027, NULL },
+ { "1", 10, "MAX"},
+ { "keyLength", 1611153411, NULL },
+ { "1", 10, "MAX"},
+ { "prf", 16386, "AlgorithmIdentifier"},
+ { "pkcs-12-PFX", 1610612741, NULL },
+ { "version", 1610874883, NULL },
+ { "v3", 1, "3"},
+ { "authSafe", 1073741826, "pkcs-7-ContentInfo"},
+ { "macData", 16386, "pkcs-12-MacData"},
+ { "pkcs-12-PbeParams", 1610612741, NULL },
+ { "salt", 1073741831, NULL },
+ { "iterations", 3, NULL },
+ { "pkcs-12-MacData", 1610612741, NULL },
+ { "mac", 1073741826, "pkcs-7-DigestInfo"},
+ { "macSalt", 1073741831, NULL },
+ { "iterations", 536903683, NULL },
+ { NULL, 9, "1"},
+ { "pkcs-12-AuthenticatedSafe", 1610612747, NULL },
+ { NULL, 2, "pkcs-7-ContentInfo"},
+ { "pkcs-12-SafeContents", 1610612747, NULL },
+ { NULL, 2, "pkcs-12-SafeBag"},
+ { "pkcs-12-SafeBag", 1610612741, NULL },
+ { "bagId", 1073741836, NULL },
+ { "bagValue", 1614815245, NULL },
+ { NULL, 1073743880, "0"},
+ { "badId", 1, NULL },
+ { "bagAttributes", 536887311, NULL },
+ { NULL, 2, "pkcs-12-PKCS12Attribute"},
+ { "pkcs-12-KeyBag", 1073741826, "pkcs-8-PrivateKeyInfo"},
+ { "pkcs-12-PKCS8ShroudedKeyBag", 1073741826, "pkcs-8-EncryptedPrivateKeyInfo"},
+ { "pkcs-12-CertBag", 1610612741, NULL },
+ { "certId", 1073741836, NULL },
+ { "certValue", 541073421, NULL },
+ { NULL, 1073743880, "0"},
+ { "certId", 1, NULL },
+ { "pkcs-12-CRLBag", 1610612741, NULL },
+ { "crlId", 1073741836, NULL },
+ { "crlValue", 541073421, NULL },
+ { NULL, 1073743880, "0"},
+ { "crlId", 1, NULL },
+ { "pkcs-12-SecretBag", 1610612741, NULL },
+ { "secretTypeId", 1073741836, NULL },
+ { "secretValue", 541073421, NULL },
+ { NULL, 1073743880, "0"},
+ { "secretTypeId", 1, NULL },
+ { "pkcs-12-PKCS12Attribute", 1073741826, "Attribute"},
+ { "pkcs-7-Data", 1073741831, NULL },
+ { "pkcs-7-EncryptedData", 1610612741, NULL },
+ { "version", 1073741826, "pkcs-7-CMSVersion"},
+ { "encryptedContentInfo", 1073741826, "pkcs-7-EncryptedContentInfo"},
+ { "unprotectedAttrs", 536895490, "pkcs-7-UnprotectedAttributes"},
+ { NULL, 4104, "1"},
+ { "pkcs-7-EncryptedContentInfo", 1610612741, NULL },
+ { "contentType", 1073741826, "pkcs-7-ContentType"},
+ { "contentEncryptionAlgorithm", 1073741826, "pkcs-7-ContentEncryptionAlgorithmIdentifier"},
+ { "encryptedContent", 536895490, "pkcs-7-EncryptedContent"},
+ { NULL, 4104, "0"},
+ { "pkcs-7-ContentEncryptionAlgorithmIdentifier", 1073741826, "AlgorithmIdentifier"},
+ { "pkcs-7-EncryptedContent", 1073741831, NULL },
+ { "pkcs-7-UnprotectedAttributes", 1612709903, NULL },
+ { "MAX", 1074266122, "1"},
+ { NULL, 2, "Attribute"},
+ { "ProxyCertInfo", 1610612741, NULL },
+ { "pCPathLenConstraint", 1611153411, NULL },
+ { "0", 10, "MAX"},
+ { "proxyPolicy", 2, "ProxyPolicy"},
+ { "ProxyPolicy", 536870917, NULL },
+ { "policyLanguage", 1073741836, NULL },
+ { "policy", 16391, NULL },
+ { NULL, 0, NULL }
+};
diff --git a/common/tests/Makefile.am b/common/tests/Makefile.am
index e3f2063..be92e8d 100644
--- a/common/tests/Makefile.am
+++ b/common/tests/Makefile.am
@@ -14,12 +14,10 @@ INCLUDES = \
LDADD = \
$(top_builddir)/common/libp11-library.la \
$(top_builddir)/common/libp11-compat.la \
- $(top_builddir)/common/libp11-data.la \
$(CUTEST_LIBS) \
$(NULL)
CHECK_PROGS = \
- test-checksum \
test-dict \
test-array \
test-attrs \
@@ -30,3 +28,21 @@ noinst_PROGRAMS = \
$(CHECK_PROGS)
TESTS = $(CHECK_PROGS:=$(EXEEXT))
+
+if WITH_ASN1
+
+LDADD += \
+ $(top_builddir)/common/libp11-data.la \
+ $(LIBTASN1_LIBS)
+ $(NULL)
+
+CHECK_PROGS += \
+ test-checksum
+
+noinst_PROGRAMS += \
+ frob-ku \
+ frob-eku \
+ frob-cert \
+ $(NULL)
+
+endif # WITH_ASN1
diff --git a/common/tests/frob-cert.c b/common/tests/frob-cert.c
new file mode 100644
index 0000000..f8ad392
--- /dev/null
+++ b/common/tests/frob-cert.c
@@ -0,0 +1,147 @@
+/*
+ * Copyright (c) 2012 Red Hat Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above
+ * copyright notice, this list of conditions and the
+ * following disclaimer.
+ * * Redistributions in binary form must reproduce the
+ * above copyright notice, this list of conditions and
+ * the following disclaimer in the documentation and/or
+ * other materials provided with the distribution.
+ * * The names of contributors to this software may not be
+ * used to endorse or promote products derived from this
+ * software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ *
+ * Author: Stef Walter <stefw@gnome.org>
+ */
+
+#include "config.h"
+#include "compat.h"
+
+#include <libtasn1.h>
+
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+
+#include <assert.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "pkix.asn.h"
+
+#define err_if_fail(ret, msg) \
+ do { if ((ret) != ASN1_SUCCESS) { \
+ fprintf (stderr, "%s: %s\n", msg, asn1_strerror (ret)); \
+ exit (1); \
+ } } while (0)
+
+static ssize_t
+tlv_length (const unsigned char *data,
+ size_t length)
+{
+ unsigned char cls;
+ int counter = 0;
+ int cb, len;
+ unsigned long tag;
+
+ if (asn1_get_tag_der (data, length, &cls, &cb, &tag) == ASN1_SUCCESS) {
+ counter += cb;
+ len = asn1_get_length_der (data + cb, length - cb, &cb);
+ counter += cb;
+ if (len >= 0) {
+ len += counter;
+ if (length >= len)
+ return len;
+ }
+ }
+
+ return -1;
+}
+
+int
+main (int argc,
+ char *argv[])
+{
+ char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE] = { 0, };
+ node_asn *definitions = NULL;
+ node_asn *cert = NULL;
+ unsigned char *data;
+ struct stat sb;
+ int start, end;
+ ssize_t len;
+ int ret;
+ int fd;
+
+ if (argc != 4) {
+ fprintf (stderr, "usage: frob-cert struct field filename\n");
+ return 2;
+ }
+
+ ret = asn1_array2tree (pkix_asn1_tab, &definitions, message);
+ if (ret != ASN1_SUCCESS) {
+ fprintf (stderr, "definitions: %s\n", message);
+ return 1;
+ }
+
+ ret = asn1_create_element (definitions, argv[1], &cert);
+ err_if_fail (ret, "Certificate");
+
+ fd = open (argv[3], O_RDONLY);
+ if (fd == -1) {
+ fprintf (stderr, "couldn't open file: %s\n", argv[3]);
+ return 1;
+ }
+
+ if (fstat (fd, &sb) < 0) {
+ fprintf (stderr, "couldn't stat file: %s\n", argv[3]);
+ return 1;
+ }
+
+ data = mmap (NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
+ if (data == NULL) {
+ fprintf (stderr, "couldn't map file: %s\n", argv[3]);
+ return 1;
+ }
+
+ ret = asn1_der_decoding (&cert, data, sb.st_size, message);
+ err_if_fail (ret, message);
+
+ ret = asn1_der_decoding_startEnd (cert, data, sb.st_size, argv[2], &start, &end);
+ err_if_fail (ret, "asn1_der_decoding_startEnd");
+
+ len = tlv_length (data + start, sb.st_size - start);
+ assert (len >= 0);
+
+ fprintf (stderr, "%lu %d %d %ld\n", sb.st_size, start, end, len);
+ fwrite (data + start, 1, len, stdout);
+ fflush (stdout);
+
+ munmap (data, sb.st_size);
+ close (fd);
+
+ asn1_delete_structure (&cert);
+ asn1_delete_structure (&definitions);
+
+ return 0;
+}
diff --git a/common/tests/frob-eku.c b/common/tests/frob-eku.c
new file mode 100644
index 0000000..42bf50b
--- /dev/null
+++ b/common/tests/frob-eku.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (c) 2012 Red Hat Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above
+ * copyright notice, this list of conditions and the
+ * following disclaimer.
+ * * Redistributions in binary form must reproduce the
+ * above copyright notice, this list of conditions and
+ * the following disclaimer in the documentation and/or
+ * other materials provided with the distribution.
+ * * The names of contributors to this software may not be
+ * used to endorse or promote products derived from this
+ * software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ *
+ * Author: Stef Walter <stefw@gnome.org>
+ */
+
+#include "config.h"
+#include "compat.h"
+
+#include <libtasn1.h>
+
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "pkix.asn.h"
+
+#define err_if_fail(ret, msg) \
+ do { if ((ret) != ASN1_SUCCESS) { \
+ fprintf (stderr, "%s: %s\n", msg, asn1_strerror (ret)); \
+ exit (1); \
+ } } while (0)
+
+int
+main (int argc,
+ char *argv[])
+{
+ char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE] = { 0, };
+ node_asn *definitions = NULL;
+ node_asn *ekus = NULL;
+ char *buf;
+ int len;
+ int ret;
+ int i;
+
+ ret = asn1_array2tree (pkix_asn1_tab, &definitions, message);
+ if (ret != ASN1_SUCCESS) {
+ fprintf (stderr, "definitions: %s\n", message);
+ return 1;
+ }
+
+ ret = asn1_create_element (definitions, "PKIX1.ExtKeyUsageSyntax", &ekus);
+ err_if_fail (ret, "ExtKeyUsageSyntax");
+
+ for (i = 1; i < argc; i++) {
+ ret = asn1_write_value (ekus, "", "NEW", 1);
+ err_if_fail (ret, "NEW");
+
+ ret = asn1_write_value (ekus, "?LAST", argv[i], strlen (argv[i]));
+ err_if_fail (ret, "asn1_write_value");
+ }
+
+ len = 0;
+ ret = asn1_der_coding (ekus, "", NULL, &len, message);
+ assert (ret == ASN1_MEM_ERROR);
+
+ buf = malloc (len);
+ assert (buf != NULL);
+ ret = asn1_der_coding (ekus, "", buf, &len, message);
+ if (ret != ASN1_SUCCESS) {
+ fprintf (stderr, "asn1_der_coding: %s\n", message);
+ return 1;
+ }
+
+ fwrite (buf, 1, len, stdout);
+ fflush (stdout);
+
+ asn1_delete_structure (&ekus);
+ asn1_delete_structure (&definitions);
+
+ return 0;
+}
diff --git a/common/tests/frob-ku.c b/common/tests/frob-ku.c
new file mode 100644
index 0000000..c0abd88
--- /dev/null
+++ b/common/tests/frob-ku.c
@@ -0,0 +1,134 @@
+/*
+ * Copyright (c) 2012 Red Hat Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above
+ * copyright notice, this list of conditions and the
+ * following disclaimer.
+ * * Redistributions in binary form must reproduce the
+ * above copyright notice, this list of conditions and
+ * the following disclaimer in the documentation and/or
+ * other materials provided with the distribution.
+ * * The names of contributors to this software may not be
+ * used to endorse or promote products derived from this
+ * software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ *
+ * Author: Stef Walter <stefw@gnome.org>
+ */
+
+#include "config.h"
+#include "compat.h"
+
+#include <libtasn1.h>
+
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "pkix.asn.h"
+
+#define err_if_fail(ret, msg) \
+ do { if ((ret) != ASN1_SUCCESS) { \
+ fprintf (stderr, "%s: %s\n", msg, asn1_strerror (ret)); \
+ exit (1); \
+ } } while (0)
+
+enum {
+ KU_DIGITAL_SIGNATURE = 128,
+ KU_NON_REPUDIATION = 64,
+ KU_KEY_ENCIPHERMENT = 32,
+ KU_DATA_ENCIPHERMENT = 16,
+ KU_KEY_AGREEMENT = 8,
+ KU_KEY_CERT_SIGN = 4,
+ KU_CRL_SIGN = 2,
+ KU_ENCIPHER_ONLY = 1,
+ KU_DECIPHER_ONLY = 32768,
+};
+
+int
+main (int argc,
+ char *argv[])
+{
+ char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE] = { 0, };
+ node_asn *definitions = NULL;
+ node_asn *ku = NULL;
+ unsigned int usage = 0;
+ char bits[2];
+ char *buf;
+ int len;
+ int ret;
+ int i;
+
+ for (i = 1; i < argc; i++) {
+ if (strcmp (argv[i], "digital-signature") == 0)
+ usage |= KU_DIGITAL_SIGNATURE;
+ else if (strcmp (argv[i], "non-repudiation") == 0)
+ usage |= KU_NON_REPUDIATION;
+ else if (strcmp (argv[i], "key-encipherment") == 0)
+ usage |= KU_KEY_ENCIPHERMENT;
+ else if (strcmp (argv[i], "data-encipherment") == 0)
+ usage |= KU_DATA_ENCIPHERMENT;
+ else if (strcmp (argv[i], "key-agreement") == 0)
+ usage |= KU_KEY_AGREEMENT;
+ else if (strcmp (argv[i], "key-cert-sign") == 0)
+ usage |= KU_KEY_CERT_SIGN;
+ else if (strcmp (argv[i], "crl-sign") == 0)
+ usage |= KU_CRL_SIGN;
+ else {
+ fprintf (stderr, "unsupported or unknown key usage: %s\n", argv[i]);
+ return 2;
+ }
+ }
+
+ ret = asn1_array2tree (pkix_asn1_tab, &definitions, message);
+ if (ret != ASN1_SUCCESS) {
+ fprintf (stderr, "definitions: %s\n", message);
+ return 1;
+ }
+
+ ret = asn1_create_element (definitions, "PKIX1.KeyUsage", &ku);
+ err_if_fail (ret, "KeyUsage");
+
+ bits[0] = usage & 0xff;
+ bits[1] = (usage >> 8) & 0xff;
+
+ ret = asn1_write_value (ku, "", bits, 9);
+ err_if_fail (ret, "asn1_write_value");
+
+ len = 0;
+ ret = asn1_der_coding (ku, "", NULL, &len, message);
+ assert (ret == ASN1_MEM_ERROR);
+
+ buf = malloc (len);
+ assert (buf != NULL);
+ ret = asn1_der_coding (ku, "", buf, &len, message);
+ if (ret != ASN1_SUCCESS) {
+ fprintf (stderr, "asn1_der_coding: %s\n", message);
+ return 1;
+ }
+
+ fwrite (buf, 1, len, stdout);
+ fflush (stdout);
+
+ asn1_delete_structure (&ku);
+ asn1_delete_structure (&definitions);
+
+ return 0;
+}