LCOV - code coverage report
Current view: top level - third_party/heimdal/lib/hx509 - ca.c (source / functions) Hit Total Coverage
Test: coverage report for support-claim-type-attributes 6b5c566e Lines: 0 1360 0.0 %
Date: 2023-11-21 12:31:41 Functions: 0 57 0.0 %

          Line data    Source code
       1             : /*
       2             :  * Copyright (c) 2006 - 2010 Kungliga Tekniska Högskolan
       3             :  * (Royal Institute of Technology, Stockholm, Sweden).
       4             :  * All rights reserved.
       5             :  *
       6             :  * Redistribution and use in source and binary forms, with or without
       7             :  * modification, are permitted provided that the following conditions
       8             :  * are met:
       9             :  *
      10             :  * 1. Redistributions of source code must retain the above copyright
      11             :  *    notice, this list of conditions and the following disclaimer.
      12             :  *
      13             :  * 2. Redistributions in binary form must reproduce the above copyright
      14             :  *    notice, this list of conditions and the following disclaimer in the
      15             :  *    documentation and/or other materials provided with the distribution.
      16             :  *
      17             :  * 3. Neither the name of the Institute nor the names of its contributors
      18             :  *    may be used to endorse or promote products derived from this software
      19             :  *    without specific prior written permission.
      20             :  *
      21             :  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
      22             :  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
      23             :  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
      24             :  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
      25             :  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
      26             :  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
      27             :  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
      28             :  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
      29             :  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
      30             :  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
      31             :  * SUCH DAMAGE.
      32             :  */
      33             : 
      34             : #include "hx_locl.h"
      35             : 
      36             : /**
      37             :  * @page page_ca Hx509 CA functions
      38             :  *
      39             :  * See the library functions here: @ref hx509_ca
      40             :  */
      41             : 
      42             : struct hx509_ca_tbs {
      43             :     hx509_name subject;
      44             :     SubjectPublicKeyInfo spki;
      45             :     KeyUsage ku;
      46             :     ExtKeyUsage eku;
      47             :     GeneralNames san;
      48             :     CertificatePolicies cps;
      49             :     PolicyMappings pms;
      50             :     heim_integer serial;
      51             :     struct {
      52             :         unsigned int proxy:1;
      53             :         unsigned int ca:1;
      54             :         unsigned int key:1;
      55             :         unsigned int serial:1;
      56             :         unsigned int domaincontroller:1;
      57             :         unsigned int xUniqueID:1;
      58             :     } flags;
      59             :     time_t notBefore;
      60             :     time_t notAfter;
      61             :     HeimPkinitPrincMaxLifeSecs pkinitTicketMaxLife;
      62             :     int pathLenConstraint; /* both for CA and Proxy */
      63             :     CRLDistributionPoints crldp;
      64             :     heim_bit_string subjectUniqueID;
      65             :     heim_bit_string issuerUniqueID;
      66             :     AlgorithmIdentifier *sigalg;
      67             : };
      68             : 
      69             : /**
      70             :  * Allocate an to-be-signed certificate object that will be converted
      71             :  * into an certificate.
      72             :  *
      73             :  * @param context A hx509 context.
      74             :  * @param tbs returned to-be-signed certicate object, free with
      75             :  * hx509_ca_tbs_free().
      76             :  *
      77             :  * @return An hx509 error code, see hx509_get_error_string().
      78             :  *
      79             :  * @ingroup hx509_ca
      80             :  */
      81             : 
      82             : HX509_LIB_FUNCTION int HX509_LIB_CALL
      83           0 : hx509_ca_tbs_init(hx509_context context, hx509_ca_tbs *tbs)
      84             : {
      85           0 :     *tbs = calloc(1, sizeof(**tbs));
      86           0 :     if (*tbs == NULL)
      87           0 :         return ENOMEM;
      88             : 
      89           0 :     return 0;
      90             : }
      91             : 
      92             : /**
      93             :  * Free an To Be Signed object.
      94             :  *
      95             :  * @param tbs object to free.
      96             :  *
      97             :  * @ingroup hx509_ca
      98             :  */
      99             : 
     100             : HX509_LIB_FUNCTION void HX509_LIB_CALL
     101           0 : hx509_ca_tbs_free(hx509_ca_tbs *tbs)
     102             : {
     103           0 :     if (tbs == NULL || *tbs == NULL)
     104           0 :         return;
     105             : 
     106           0 :     free_SubjectPublicKeyInfo(&(*tbs)->spki);
     107           0 :     free_CertificatePolicies(&(*tbs)->cps);
     108           0 :     free_PolicyMappings(&(*tbs)->pms);
     109           0 :     free_GeneralNames(&(*tbs)->san);
     110           0 :     free_ExtKeyUsage(&(*tbs)->eku);
     111           0 :     der_free_heim_integer(&(*tbs)->serial);
     112           0 :     free_CRLDistributionPoints(&(*tbs)->crldp);
     113           0 :     der_free_bit_string(&(*tbs)->subjectUniqueID);
     114           0 :     der_free_bit_string(&(*tbs)->issuerUniqueID);
     115           0 :     if ((*tbs)->subject)
     116           0 :         hx509_name_free(&(*tbs)->subject);
     117           0 :     if ((*tbs)->sigalg) {
     118           0 :         free_AlgorithmIdentifier((*tbs)->sigalg);
     119           0 :         free((*tbs)->sigalg);
     120             :     }
     121             : 
     122           0 :     memset(*tbs, 0, sizeof(**tbs));
     123           0 :     free(*tbs);
     124           0 :     *tbs = NULL;
     125             : }
     126             : 
     127             : /**
     128             :  * Set the absolute time when the certificate is valid from. If not
     129             :  * set the current time will be used.
     130             :  *
     131             :  * @param context A hx509 context.
     132             :  * @param tbs object to be signed.
     133             :  * @param t time the certificated will start to be valid
     134             :  *
     135             :  * @return An hx509 error code, see hx509_get_error_string().
     136             :  *
     137             :  * @ingroup hx509_ca
     138             :  */
     139             : 
     140             : HX509_LIB_FUNCTION int HX509_LIB_CALL
     141           0 : hx509_ca_tbs_set_notBefore(hx509_context context,
     142             :                            hx509_ca_tbs tbs,
     143             :                            time_t t)
     144             : {
     145           0 :     tbs->notBefore = t;
     146           0 :     return 0;
     147             : }
     148             : 
     149             : /**
     150             :  * Set the absolute time when the certificate is valid to.
     151             :  *
     152             :  * @param context A hx509 context.
     153             :  * @param tbs object to be signed.
     154             :  * @param t time when the certificate will expire
     155             :  *
     156             :  * @return An hx509 error code, see hx509_get_error_string().
     157             :  *
     158             :  * @ingroup hx509_ca
     159             :  */
     160             : 
     161             : HX509_LIB_FUNCTION int HX509_LIB_CALL
     162           0 : hx509_ca_tbs_set_notAfter(hx509_context context,
     163             :                            hx509_ca_tbs tbs,
     164             :                            time_t t)
     165             : {
     166           0 :     tbs->notAfter = t;
     167           0 :     return 0;
     168             : }
     169             : 
     170             : /**
     171             :  * Set the relative time when the certificiate is going to expire.
     172             :  *
     173             :  * @param context A hx509 context.
     174             :  * @param tbs object to be signed.
     175             :  * @param delta seconds to the certificate is going to expire.
     176             :  *
     177             :  * @return An hx509 error code, see hx509_get_error_string().
     178             :  *
     179             :  * @ingroup hx509_ca
     180             :  */
     181             : 
     182             : HX509_LIB_FUNCTION int HX509_LIB_CALL
     183           0 : hx509_ca_tbs_set_notAfter_lifetime(hx509_context context,
     184             :                                    hx509_ca_tbs tbs,
     185             :                                    time_t delta)
     186             : {
     187           0 :     return hx509_ca_tbs_set_notAfter(context, tbs, time(NULL) + delta);
     188             : }
     189             : 
     190             : HX509_LIB_FUNCTION int HX509_LIB_CALL
     191           0 : hx509_ca_tbs_set_pkinit_max_life(hx509_context context,
     192             :                                  hx509_ca_tbs tbs,
     193             :                                  time_t max_life)
     194             : {
     195           0 :     tbs->pkinitTicketMaxLife = max_life;
     196           0 :     return 0;
     197             : }
     198             : 
     199             : static const struct units templatebits[] = {
     200             :     { "ExtendedKeyUsage", HX509_CA_TEMPLATE_EKU },
     201             :     { "KeyUsage", HX509_CA_TEMPLATE_KU },
     202             :     { "SPKI", HX509_CA_TEMPLATE_SPKI },
     203             :     { "notAfter", HX509_CA_TEMPLATE_NOTAFTER },
     204             :     { "notBefore", HX509_CA_TEMPLATE_NOTBEFORE },
     205             :     { "serial", HX509_CA_TEMPLATE_SERIAL },
     206             :     { "subject", HX509_CA_TEMPLATE_SUBJECT },
     207             :     { "pkinitMaxLife", HX509_CA_TEMPLATE_PKINIT_MAX_LIFE },
     208             :     { NULL, 0 }
     209             : };
     210             : 
     211             : /**
     212             :  * Make of template units, use to build flags argument to
     213             :  * hx509_ca_tbs_set_template() with parse_units().
     214             :  *
     215             :  * @return an units structure.
     216             :  *
     217             :  * @ingroup hx509_ca
     218             :  */
     219             : 
     220             : HX509_LIB_FUNCTION const struct units * HX509_LIB_CALL
     221           0 : hx509_ca_tbs_template_units(void)
     222             : {
     223           0 :     return templatebits;
     224             : }
     225             : 
     226             : /**
     227             :  * Initialize the to-be-signed certificate object from a template certificate.
     228             :  *
     229             :  * @param context A hx509 context.
     230             :  * @param tbs object to be signed.
     231             :  * @param flags bit field selecting what to copy from the template
     232             :  * certificate.
     233             :  * @param cert template certificate.
     234             :  *
     235             :  * @return An hx509 error code, see hx509_get_error_string().
     236             :  *
     237             :  * @ingroup hx509_ca
     238             :  */
     239             : 
     240             : HX509_LIB_FUNCTION int HX509_LIB_CALL
     241           0 : hx509_ca_tbs_set_template(hx509_context context,
     242             :                           hx509_ca_tbs tbs,
     243             :                           int flags,
     244             :                           hx509_cert cert)
     245             : {
     246           0 :     int ret;
     247             : 
     248           0 :     if (flags & HX509_CA_TEMPLATE_SUBJECT) {
     249           0 :         if (tbs->subject)
     250           0 :             hx509_name_free(&tbs->subject);
     251           0 :         ret = hx509_cert_get_subject(cert, &tbs->subject);
     252           0 :         if (ret) {
     253           0 :             hx509_set_error_string(context, 0, ret,
     254             :                                    "Failed to get subject from template");
     255           0 :             return ret;
     256             :         }
     257             :     }
     258           0 :     if (flags & HX509_CA_TEMPLATE_SERIAL) {
     259           0 :         der_free_heim_integer(&tbs->serial);
     260           0 :         ret = hx509_cert_get_serialnumber(cert, &tbs->serial);
     261           0 :         tbs->flags.serial = !ret;
     262           0 :         if (ret) {
     263           0 :             hx509_set_error_string(context, 0, ret,
     264             :                                    "Failed to copy serial number");
     265           0 :             return ret;
     266             :         }
     267             :     }
     268           0 :     if (flags & HX509_CA_TEMPLATE_NOTBEFORE)
     269           0 :         tbs->notBefore = hx509_cert_get_notBefore(cert);
     270           0 :     if (flags & HX509_CA_TEMPLATE_NOTAFTER)
     271           0 :         tbs->notAfter = hx509_cert_get_notAfter(cert);
     272           0 :     if (flags & HX509_CA_TEMPLATE_SPKI) {
     273           0 :         free_SubjectPublicKeyInfo(&tbs->spki);
     274           0 :         ret = hx509_cert_get_SPKI(context, cert, &tbs->spki);
     275           0 :         tbs->flags.key = !ret;
     276           0 :         if (ret)
     277           0 :             return ret;
     278             :     }
     279           0 :     if (flags & HX509_CA_TEMPLATE_KU) {
     280           0 :         ret = _hx509_cert_get_keyusage(context, cert, &tbs->ku);
     281           0 :         if (ret)
     282           0 :             return ret;
     283             :     }
     284           0 :     if (flags & HX509_CA_TEMPLATE_EKU) {
     285           0 :         ExtKeyUsage eku;
     286           0 :         size_t i;
     287           0 :         ret = _hx509_cert_get_eku(context, cert, &eku);
     288           0 :         if (ret)
     289           0 :             return ret;
     290           0 :         for (i = 0; i < eku.len; i++) {
     291           0 :             ret = hx509_ca_tbs_add_eku(context, tbs, &eku.val[i]);
     292           0 :             if (ret) {
     293           0 :                 free_ExtKeyUsage(&eku);
     294           0 :                 return ret;
     295             :             }
     296             :         }
     297           0 :         free_ExtKeyUsage(&eku);
     298             :     }
     299           0 :     if (flags & HX509_CA_TEMPLATE_PKINIT_MAX_LIFE) {
     300           0 :         time_t max_life;
     301             : 
     302           0 :         if ((max_life = hx509_cert_get_pkinit_max_life(context, cert, 0)) > 0)
     303           0 :             hx509_ca_tbs_set_pkinit_max_life(context, tbs, max_life);
     304             :     }
     305           0 :     return 0;
     306             : }
     307             : 
     308             : /**
     309             :  * Make the to-be-signed certificate object a CA certificate. If the
     310             :  * pathLenConstraint is negative path length constraint is used.
     311             :  *
     312             :  * @param context A hx509 context.
     313             :  * @param tbs object to be signed.
     314             :  * @param pathLenConstraint path length constraint, negative, no
     315             :  * constraint.
     316             :  *
     317             :  * @return An hx509 error code, see hx509_get_error_string().
     318             :  *
     319             :  * @ingroup hx509_ca
     320             :  */
     321             : 
     322             : HX509_LIB_FUNCTION int HX509_LIB_CALL
     323           0 : hx509_ca_tbs_set_ca(hx509_context context,
     324             :                     hx509_ca_tbs tbs,
     325             :                     int pathLenConstraint)
     326             : {
     327           0 :     tbs->flags.ca = 1;
     328           0 :     tbs->pathLenConstraint = pathLenConstraint;
     329           0 :     return 0;
     330             : }
     331             : 
     332             : /**
     333             :  * Make the to-be-signed certificate object a proxy certificate. If the
     334             :  * pathLenConstraint is negative path length constraint is used.
     335             :  *
     336             :  * @param context A hx509 context.
     337             :  * @param tbs object to be signed.
     338             :  * @param pathLenConstraint path length constraint, negative, no
     339             :  * constraint.
     340             :  *
     341             :  * @return An hx509 error code, see hx509_get_error_string().
     342             :  *
     343             :  * @ingroup hx509_ca
     344             :  */
     345             : 
     346             : HX509_LIB_FUNCTION int HX509_LIB_CALL
     347           0 : hx509_ca_tbs_set_proxy(hx509_context context,
     348             :                        hx509_ca_tbs tbs,
     349             :                        int pathLenConstraint)
     350             : {
     351           0 :     tbs->flags.proxy = 1;
     352           0 :     tbs->pathLenConstraint = pathLenConstraint;
     353           0 :     return 0;
     354             : }
     355             : 
     356             : 
     357             : /**
     358             :  * Make the to-be-signed certificate object a windows domain controller certificate.
     359             :  *
     360             :  * @param context A hx509 context.
     361             :  * @param tbs object to be signed.
     362             :  *
     363             :  * @return An hx509 error code, see hx509_get_error_string().
     364             :  *
     365             :  * @ingroup hx509_ca
     366             :  */
     367             : 
     368             : HX509_LIB_FUNCTION int HX509_LIB_CALL
     369           0 : hx509_ca_tbs_set_domaincontroller(hx509_context context,
     370             :                                   hx509_ca_tbs tbs)
     371             : {
     372           0 :     tbs->flags.domaincontroller = 1;
     373           0 :     return 0;
     374             : }
     375             : 
     376             : /**
     377             :  * Set the subject public key info (SPKI) in the to-be-signed certificate
     378             :  * object. SPKI is the public key and key related parameters in the
     379             :  * certificate.
     380             :  *
     381             :  * @param context A hx509 context.
     382             :  * @param tbs object to be signed.
     383             :  * @param spki subject public key info to use for the to-be-signed certificate object.
     384             :  *
     385             :  * @return An hx509 error code, see hx509_get_error_string().
     386             :  *
     387             :  * @ingroup hx509_ca
     388             :  */
     389             : 
     390             : HX509_LIB_FUNCTION int HX509_LIB_CALL
     391           0 : hx509_ca_tbs_set_spki(hx509_context context,
     392             :                       hx509_ca_tbs tbs,
     393             :                       const SubjectPublicKeyInfo *spki)
     394             : {
     395           0 :     int ret;
     396           0 :     free_SubjectPublicKeyInfo(&tbs->spki);
     397           0 :     ret = copy_SubjectPublicKeyInfo(spki, &tbs->spki);
     398           0 :     tbs->flags.key = !ret;
     399           0 :     return ret;
     400             : }
     401             : 
     402             : /**
     403             :  * Set the serial number to use for to-be-signed certificate object.
     404             :  *
     405             :  * @param context A hx509 context.
     406             :  * @param tbs object to be signed.
     407             :  * @param serialNumber serial number to use for the to-be-signed
     408             :  * certificate object.
     409             :  *
     410             :  * @return An hx509 error code, see hx509_get_error_string().
     411             :  *
     412             :  * @ingroup hx509_ca
     413             :  */
     414             : 
     415             : HX509_LIB_FUNCTION int HX509_LIB_CALL
     416           0 : hx509_ca_tbs_set_serialnumber(hx509_context context,
     417             :                               hx509_ca_tbs tbs,
     418             :                               const heim_integer *serialNumber)
     419             : {
     420           0 :     int ret;
     421           0 :     der_free_heim_integer(&tbs->serial);
     422           0 :     ret = der_copy_heim_integer(serialNumber, &tbs->serial);
     423           0 :     tbs->flags.serial = !ret;
     424           0 :     return ret;
     425             : }
     426             : 
     427             : /**
     428             :  * Copy elements of a CSR into a TBS, but only if all of them are authorized.
     429             :  *
     430             :  * @param context A hx509 context.
     431             :  * @param tbs object to be signed.
     432             :  * @param req CSR
     433             :  *
     434             :  * @return An hx509 error code, see hx509_get_error_string().
     435             :  *
     436             :  * @ingroup hx509_ca
     437             :  */
     438             : 
     439             : HX509_LIB_FUNCTION int HX509_LIB_CALL
     440           0 : hx509_ca_tbs_set_from_csr(hx509_context context,
     441             :                           hx509_ca_tbs tbs,
     442             :                           hx509_request req)
     443             : {
     444           0 :     hx509_san_type san_type;
     445           0 :     heim_oid oid = { 0, NULL };
     446           0 :     KeyUsage ku;
     447           0 :     size_t i;
     448           0 :     char *s = NULL;
     449           0 :     int ret;
     450             : 
     451           0 :     if (hx509_request_count_unauthorized(req)) {
     452           0 :         hx509_set_error_string(context, 0, EACCES,
     453             :                                "Some certificate features requested in the CSR were not authorized");
     454           0 :         return EACCES;
     455             :     }
     456             : 
     457           0 :     ret = hx509_request_get_ku(context, req, &ku);
     458           0 :     if (ret == 0 && KeyUsage2int(ku))
     459           0 :         ret = hx509_ca_tbs_add_ku(context, tbs, ku);
     460             : 
     461           0 :     for (i = 0; ret == 0; i++) {
     462           0 :         free(s); s = NULL;
     463           0 :         der_free_oid(&oid);
     464           0 :         ret = hx509_request_get_eku(req, i, &s);
     465           0 :         if (ret == 0)
     466           0 :             ret = der_parse_heim_oid(s, ".", &oid);
     467           0 :         if (ret == 0)
     468           0 :             ret = hx509_ca_tbs_add_eku(context, tbs, &oid);
     469             :     }
     470           0 :     if (ret == HX509_NO_ITEM)
     471           0 :         ret = 0;
     472             : 
     473           0 :     for (i = 0; ret == 0; i++) {
     474           0 :         free(s); s = NULL;
     475           0 :         ret = hx509_request_get_san(req, i, &san_type, &s);
     476           0 :         if (ret == 0)
     477           0 :             ret = hx509_ca_tbs_add_san(context, tbs, san_type, s);
     478             :     }
     479           0 :     if (ret == HX509_NO_ITEM)
     480           0 :         ret = 0;
     481             : 
     482           0 :     der_free_oid(&oid);
     483           0 :     free(s);
     484           0 :     return ret;
     485             : }
     486             : 
     487             : /**
     488             :  * An an extended key usage to the to-be-signed certificate object.
     489             :  * Duplicates will detected and not added.
     490             :  *
     491             :  * @param context A hx509 context.
     492             :  * @param tbs object to be signed.
     493             :  * @param oid extended key usage to add.
     494             :  *
     495             :  * @return An hx509 error code, see hx509_get_error_string().
     496             :  *
     497             :  * @ingroup hx509_ca
     498             :  */
     499             : 
     500             : HX509_LIB_FUNCTION int HX509_LIB_CALL
     501           0 : hx509_ca_tbs_add_ku(hx509_context context,
     502             :                     hx509_ca_tbs tbs,
     503             :                     KeyUsage ku)
     504             : {
     505           0 :     tbs->ku = ku;
     506           0 :     return 0;
     507             : }
     508             : 
     509             : /**
     510             :  * An an extended key usage to the to-be-signed certificate object.
     511             :  * Duplicates will detected and not added.
     512             :  *
     513             :  * @param context A hx509 context.
     514             :  * @param tbs object to be signed.
     515             :  * @param oid extended key usage to add.
     516             :  *
     517             :  * @return An hx509 error code, see hx509_get_error_string().
     518             :  *
     519             :  * @ingroup hx509_ca
     520             :  */
     521             : 
     522             : HX509_LIB_FUNCTION int HX509_LIB_CALL
     523           0 : hx509_ca_tbs_add_eku(hx509_context context,
     524             :                      hx509_ca_tbs tbs,
     525             :                      const heim_oid *oid)
     526             : {
     527           0 :     void *ptr;
     528           0 :     int ret;
     529           0 :     unsigned i;
     530             : 
     531             :     /* search for duplicates */
     532           0 :     for (i = 0; i < tbs->eku.len; i++) {
     533           0 :         if (der_heim_oid_cmp(oid, &tbs->eku.val[i]) == 0)
     534           0 :             return 0;
     535             :     }
     536             : 
     537           0 :     ptr = realloc(tbs->eku.val, sizeof(tbs->eku.val[0]) * (tbs->eku.len + 1));
     538           0 :     if (ptr == NULL) {
     539           0 :         hx509_set_error_string(context, 0, ENOMEM, "out of memory");
     540           0 :         return ENOMEM;
     541             :     }
     542           0 :     tbs->eku.val = ptr;
     543           0 :     ret = der_copy_oid(oid, &tbs->eku.val[tbs->eku.len]);
     544           0 :     if (ret) {
     545           0 :         hx509_set_error_string(context, 0, ret, "out of memory");
     546           0 :         return ret;
     547             :     }
     548           0 :     tbs->eku.len += 1;
     549           0 :     return 0;
     550             : }
     551             : 
     552             : /**
     553             :  * Add a certificate policy to the to-be-signed certificate object.  Duplicates
     554             :  * will detected and not added.
     555             :  *
     556             :  * @param context A hx509 context.
     557             :  * @param tbs object to be signed.
     558             :  * @param oid policy OID.
     559             :  * @param cps_uri CPS URI to qualify policy with.
     560             :  * @param user_notice user notice display text to qualify policy with.
     561             :  *
     562             :  * @return An hx509 error code, see hx509_get_error_string().
     563             :  *
     564             :  * @ingroup hx509_ca
     565             :  */
     566             : 
     567             : HX509_LIB_FUNCTION int HX509_LIB_CALL
     568           0 : hx509_ca_tbs_add_pol(hx509_context context,
     569             :                      hx509_ca_tbs tbs,
     570             :                      const heim_oid *oid,
     571             :                      const char *cps_uri,
     572             :                      const char *user_notice)
     573             : {
     574           0 :     PolicyQualifierInfos pqis;
     575           0 :     PolicyQualifierInfo pqi;
     576           0 :     PolicyInformation pi;
     577           0 :     size_t i, size;
     578           0 :     int ret = 0;
     579             : 
     580             :     /* search for duplicates */
     581           0 :     for (i = 0; i < tbs->cps.len; i++) {
     582           0 :         if (der_heim_oid_cmp(oid, &tbs->cps.val[i].policyIdentifier) == 0)
     583           0 :             return 0;
     584             :     }
     585             : 
     586           0 :     memset(&pi, 0, sizeof(pi));
     587           0 :     memset(&pqi, 0, sizeof(pqi));
     588           0 :     memset(&pqis, 0, sizeof(pqis));
     589             : 
     590           0 :     pi.policyIdentifier = *oid;
     591           0 :     if (cps_uri) {
     592           0 :         CPSuri uri;
     593             : 
     594           0 :         uri.length = strlen(cps_uri);
     595           0 :         uri.data = (void *)(uintptr_t)cps_uri;
     596           0 :         pqi.policyQualifierId = asn1_oid_id_pkix_qt_cps;
     597             : 
     598           0 :         ASN1_MALLOC_ENCODE(CPSuri,
     599             :                            pqi.qualifier.data,
     600             :                            pqi.qualifier.length,
     601             :                            &uri, &size, ret);
     602           0 :         if (ret == 0) {
     603           0 :             ret = add_PolicyQualifierInfos(&pqis, &pqi);
     604           0 :             free_heim_any(&pqi.qualifier);
     605             :         }
     606             :     }
     607           0 :     if (ret == 0 && user_notice) {
     608           0 :         DisplayText dt;
     609           0 :         UserNotice un;
     610             : 
     611           0 :         dt.element = choice_DisplayText_utf8String;
     612           0 :         dt.u.utf8String = (void *)(uintptr_t)user_notice;
     613           0 :         un.explicitText = &dt;
     614           0 :         un.noticeRef = 0;
     615             : 
     616           0 :         pqi.policyQualifierId = asn1_oid_id_pkix_qt_unotice;
     617           0 :         ASN1_MALLOC_ENCODE(UserNotice,
     618             :                            pqi.qualifier.data,
     619             :                            pqi.qualifier.length,
     620             :                            &un, &size, ret);
     621           0 :         if (ret == 0) {
     622           0 :             ret = add_PolicyQualifierInfos(&pqis, &pqi);
     623           0 :             free_heim_any(&pqi.qualifier);
     624             :         }
     625             :     }
     626             : 
     627           0 :     pi.policyQualifiers = pqis.len ? &pqis : 0;
     628             : 
     629           0 :     if (ret == 0)
     630           0 :         ret = add_CertificatePolicies(&tbs->cps, &pi);
     631             : 
     632           0 :     free_PolicyQualifierInfos(&pqis);
     633           0 :     return ret;
     634             : }
     635             : 
     636             : /**
     637             :  * Add a certificate policy mapping to the to-be-signed certificate object.
     638             :  * Duplicates will detected and not added.
     639             :  *
     640             :  * @param context A hx509 context.
     641             :  * @param tbs object to be signed.
     642             :  * @param issuer issuerDomainPolicy policy OID.
     643             :  * @param subject subjectDomainPolicy policy OID.
     644             :  *
     645             :  * @return An hx509 error code, see hx509_get_error_string().
     646             :  *
     647             :  * @ingroup hx509_ca
     648             :  */
     649             : 
     650             : HX509_LIB_FUNCTION int HX509_LIB_CALL
     651           0 : hx509_ca_tbs_add_pol_mapping(hx509_context context,
     652             :                              hx509_ca_tbs tbs,
     653             :                              const heim_oid *issuer,
     654             :                              const heim_oid *subject)
     655             : {
     656           0 :     PolicyMapping pm;
     657           0 :     size_t i;
     658             : 
     659             :     /* search for duplicates */
     660           0 :     for (i = 0; i < tbs->pms.len; i++) {
     661           0 :         PolicyMapping *pmp = &tbs->pms.val[i];
     662           0 :         if (der_heim_oid_cmp(issuer, &pmp->issuerDomainPolicy) == 0 &&
     663           0 :             der_heim_oid_cmp(subject, &pmp->subjectDomainPolicy) == 0)
     664           0 :             return 0;
     665             :     }
     666             : 
     667           0 :     memset(&pm, 0, sizeof(pm));
     668           0 :     pm.issuerDomainPolicy = *issuer;
     669           0 :     pm.subjectDomainPolicy = *subject;
     670           0 :     return add_PolicyMappings(&tbs->pms, &pm);
     671             : }
     672             : 
     673             : /**
     674             :  * Add CRL distribution point URI to the to-be-signed certificate
     675             :  * object.
     676             :  *
     677             :  * @param context A hx509 context.
     678             :  * @param tbs object to be signed.
     679             :  * @param uri uri to the CRL.
     680             :  * @param issuername name of the issuer.
     681             :  *
     682             :  * @return An hx509 error code, see hx509_get_error_string().
     683             :  *
     684             :  * @ingroup hx509_ca
     685             :  */
     686             : 
     687             : HX509_LIB_FUNCTION int HX509_LIB_CALL
     688           0 : hx509_ca_tbs_add_crl_dp_uri(hx509_context context,
     689             :                             hx509_ca_tbs tbs,
     690             :                             const char *uri,
     691             :                             hx509_name issuername)
     692             : {
     693           0 :     DistributionPointName dpn;
     694           0 :     DistributionPoint dp;
     695           0 :     GeneralNames crlissuer;
     696           0 :     GeneralName gn, ign;
     697           0 :     Name in;
     698           0 :     int ret;
     699             : 
     700           0 :     memset(&dp, 0, sizeof(dp));
     701           0 :     memset(&gn, 0, sizeof(gn));
     702           0 :     memset(&ign, 0, sizeof(ign));
     703           0 :     memset(&in, 0, sizeof(in));
     704           0 :     gn.element = choice_GeneralName_uniformResourceIdentifier;
     705           0 :     gn.u.uniformResourceIdentifier.data = rk_UNCONST(uri);
     706           0 :     gn.u.uniformResourceIdentifier.length = strlen(uri);
     707           0 :     dpn.element = choice_DistributionPointName_fullName;
     708           0 :     dpn.u.fullName.len = 1;
     709           0 :     dpn.u.fullName.val = &gn;
     710           0 :     dp.distributionPoint = &dpn;
     711             : 
     712           0 :     if (issuername) {
     713           0 :         ign.element = choice_GeneralName_directoryName;
     714           0 :         ret = hx509_name_to_Name(issuername, &ign.u.directoryName);
     715           0 :         if (ret) {
     716           0 :             hx509_set_error_string(context, 0, ret, "out of memory");
     717           0 :             return ret;
     718             :         }
     719           0 :         crlissuer.len = 1;
     720           0 :         crlissuer.val = &ign;
     721           0 :         dp.cRLIssuer = &crlissuer;
     722             :     }
     723             : 
     724           0 :     ret = add_CRLDistributionPoints(&tbs->crldp, &dp);
     725           0 :     if (issuername)
     726           0 :         free_Name(&ign.u.directoryName);
     727             : 
     728           0 :     if (ret)
     729           0 :         hx509_set_error_string(context, 0, ret, "out of memory");
     730           0 :     return ret;
     731             : }
     732             : 
     733             : /**
     734             :  * Add Subject Alternative Name otherName to the to-be-signed
     735             :  * certificate object.
     736             :  *
     737             :  * @param context A hx509 context.
     738             :  * @param tbs object to be signed.
     739             :  * @param oid the oid of the OtherName.
     740             :  * @param os data in the other name.
     741             :  *
     742             :  * @return An hx509 error code, see hx509_get_error_string().
     743             :  *
     744             :  * @ingroup hx509_ca
     745             :  */
     746             : 
     747             : HX509_LIB_FUNCTION int HX509_LIB_CALL
     748           0 : hx509_ca_tbs_add_san_otherName(hx509_context context,
     749             :                                hx509_ca_tbs tbs,
     750             :                                const heim_oid *oid,
     751             :                                const heim_octet_string *os)
     752             : {
     753           0 :     GeneralName gn;
     754             : 
     755           0 :     memset(&gn, 0, sizeof(gn));
     756           0 :     gn.element = choice_GeneralName_otherName;
     757           0 :     gn.u.otherName.type_id = *oid;
     758           0 :     gn.u.otherName.value = *os;
     759             : 
     760           0 :     return add_GeneralNames(&tbs->san, &gn);
     761             : }
     762             : 
     763             : static
     764             : int
     765           0 : dequote_strndup(hx509_context context, const char *in, size_t len, char **out)
     766             : {
     767           0 :     size_t i, k;
     768           0 :     char *s;
     769             : 
     770           0 :     *out = NULL;
     771           0 :     if ((s = malloc(len + 1)) == NULL) {
     772           0 :         hx509_set_error_string(context, 0, ENOMEM, "malloc: out of memory");
     773           0 :         return ENOMEM;
     774             :     }
     775             : 
     776           0 :     for (k = i = 0; i < len; i++) {
     777           0 :         if (in[i] == '\\') {
     778           0 :             switch (in[++i]) {
     779           0 :             case 't': s[k++] = '\t'; break;
     780           0 :             case 'b': s[k++] = '\b'; break;
     781           0 :             case 'n': s[k++] = '\n'; break;
     782           0 :             case '0':
     783           0 :                 for (i++; i < len; i++) {
     784           0 :                     if (in[i] == '\0')
     785           0 :                         break;
     786           0 :                     if (in[i++] == '\\' && in[i] == '0')
     787           0 :                         continue;
     788           0 :                     hx509_set_error_string(context, 0,
     789             :                                            HX509_PARSING_NAME_FAILED,
     790             :                                            "embedded NULs not supported in "
     791             :                                            "PKINIT SANs");
     792           0 :                     free(s);
     793           0 :                     return HX509_PARSING_NAME_FAILED;
     794             :                 }
     795           0 :                 break;
     796           0 :             case '\0':
     797           0 :                 hx509_set_error_string(context, 0,
     798             :                                        HX509_PARSING_NAME_FAILED,
     799             :                                        "trailing unquoted backslashes not "
     800             :                                        "allowed in PKINIT SANs");
     801           0 :                 free(s);
     802           0 :                 return HX509_PARSING_NAME_FAILED;
     803           0 :             default:  s[k++] = in[i]; break;
     804             :             }
     805             :         } else {
     806           0 :             s[k++] = in[i];
     807             :         }
     808             :     }
     809           0 :     s[k] = '\0';
     810             : 
     811           0 :     *out = s;
     812           0 :     return 0;
     813             : }
     814             : 
     815             : int
     816           0 : _hx509_make_pkinit_san(hx509_context context,
     817             :                        const char *principal,
     818             :                        heim_octet_string *os)
     819             : {
     820           0 :     KRB5PrincipalName p;
     821           0 :     size_t size;
     822           0 :     int ret;
     823             : 
     824           0 :     os->data = NULL;
     825           0 :     os->length = 0;
     826           0 :     memset(&p, 0, sizeof(p));
     827             : 
     828             :     /* Parse principal */
     829             :     {
     830           0 :         const char *str, *str_start;
     831           0 :         size_t n, i;
     832             : 
     833             :         /* Count number of components */
     834           0 :         n = 1;
     835           0 :         for (str = principal; *str != '\0' && *str != '@'; str++) {
     836           0 :             if (*str == '\\') {
     837           0 :                 if (str[1] == '\0') {
     838           0 :                     ret = HX509_PARSING_NAME_FAILED;
     839           0 :                     hx509_set_error_string(context, 0, ret,
     840             :                                            "trailing \\ in principal name");
     841           0 :                     goto out;
     842             :                 }
     843           0 :                 str++;
     844           0 :             } else if(*str == '/') {
     845           0 :                 n++;
     846           0 :             } else if(*str == '@') {
     847           0 :                 break;
     848             :             }
     849             :         }
     850           0 :         if (*str != '@') {
     851             :             /* Note that we allow the realm to be empty */
     852           0 :             ret = HX509_PARSING_NAME_FAILED;
     853           0 :             hx509_set_error_string(context, 0, ret, "Missing @ in principal");
     854           0 :             goto out;
     855           0 :         };
     856             : 
     857           0 :         p.principalName.name_string.val =
     858           0 :             calloc(n, sizeof(*p.principalName.name_string.val));
     859           0 :         if (p.principalName.name_string.val == NULL) {
     860           0 :             ret = ENOMEM;
     861           0 :             hx509_set_error_string(context, 0, ret, "malloc: out of memory");
     862           0 :             goto out;
     863             :         }
     864           0 :         p.principalName.name_string.len = n;
     865           0 :         p.principalName.name_type = KRB5_NT_PRINCIPAL;
     866             : 
     867           0 :         for (i = 0, str_start = str = principal; *str != '\0'; str++) {
     868           0 :             if (*str=='\\') {
     869           0 :                 str++;
     870           0 :             } else if(*str == '/') {
     871             :                 /* Note that we allow components to be empty */
     872           0 :                 ret = dequote_strndup(context, str_start, str - str_start,
     873           0 :                                       &p.principalName.name_string.val[i++]);
     874           0 :                 if (ret)
     875           0 :                     goto out;
     876           0 :                 str_start = str + 1;
     877           0 :             } else if(*str == '@') {
     878           0 :                 ret = dequote_strndup(context, str_start, str - str_start,
     879           0 :                                       &p.principalName.name_string.val[i++]);
     880           0 :                 if (ret == 0)
     881           0 :                     ret = dequote_strndup(context, str + 1, strlen(str + 1), &p.realm);
     882           0 :                 if (ret)
     883           0 :                     goto out;
     884           0 :                 break;
     885             :             }
     886             :         }
     887             :     }
     888             : 
     889           0 :     ASN1_MALLOC_ENCODE(KRB5PrincipalName, os->data, os->length, &p, &size, ret);
     890           0 :     if (ret) {
     891           0 :         hx509_set_error_string(context, 0, ret, "Out of memory");
     892           0 :         goto out;
     893             :     }
     894           0 :     if (size != os->length)
     895           0 :         _hx509_abort("internal ASN.1 encoder error");
     896             : 
     897           0 : out:
     898           0 :     free_KRB5PrincipalName(&p);
     899           0 :     return ret;
     900             : }
     901             : 
     902             : static int
     903           0 : add_ia5string_san(hx509_context context,
     904             :                   hx509_ca_tbs tbs,
     905             :                   const heim_oid *oid,
     906             :                   const char *string)
     907             : {
     908           0 :     SRVName ustring;
     909           0 :     heim_octet_string os;
     910           0 :     size_t size;
     911           0 :     int ret;
     912             : 
     913           0 :     ustring.data = (void *)(uintptr_t)string;
     914           0 :     ustring.length = strlen(string);
     915             : 
     916           0 :     os.length = 0;
     917           0 :     os.data = NULL;
     918             : 
     919           0 :     ASN1_MALLOC_ENCODE(SRVName, os.data, os.length, &ustring, &size, ret);
     920           0 :     if (ret) {
     921           0 :         hx509_set_error_string(context, 0, ret, "Out of memory");
     922           0 :         return ret;
     923             :     }
     924           0 :     if (size != os.length)
     925           0 :         _hx509_abort("internal ASN.1 encoder error");
     926             : 
     927           0 :     ret = hx509_ca_tbs_add_san_otherName(context, tbs, oid, &os);
     928           0 :     free(os.data);
     929           0 :     return ret;
     930             : }
     931             : 
     932             : /**
     933             :  * Add DNSSRV Subject Alternative Name to the to-be-signed certificate object.
     934             :  *
     935             :  * @param context A hx509 context.
     936             :  * @param tbs object to be signed.
     937             :  * @param dnssrv An ASCII string of the for _Service.Name.
     938             :  *
     939             :  * @return An hx509 error code, see hx509_get_error_string().
     940             :  *
     941             :  * @ingroup hx509_ca
     942             :  */
     943             : 
     944             : HX509_LIB_FUNCTION int HX509_LIB_CALL
     945           0 : hx509_ca_tbs_add_san_dnssrv(hx509_context context,
     946             :                             hx509_ca_tbs tbs,
     947             :                             const char *dnssrv)
     948             : {
     949           0 :     size_t i, len;
     950             : 
     951             :     /* Minimal DNSSRV input validation */
     952           0 :     if (dnssrv == 0 || dnssrv[0] != '_') {
     953           0 :         hx509_set_error_string(context, 0, EINVAL, "Invalid DNSSRV name");
     954           0 :         return EINVAL;
     955             :     }
     956           0 :     for (i = 1, len = strlen(dnssrv); i < len; i++) {
     957           0 :         if (dnssrv[i] == '.' && dnssrv[i + 1] != '\0')
     958           0 :             break;
     959             :     }
     960           0 :     if (i == len) {
     961           0 :         hx509_set_error_string(context, 0, EINVAL, "Invalid DNSSRV name");
     962           0 :         return EINVAL;
     963             :     }
     964             : 
     965           0 :     return add_ia5string_san(context, tbs,
     966             :                              &asn1_oid_id_pkix_on_dnsSRV, dnssrv);
     967             : }
     968             : 
     969             : /**
     970             :  * Add Kerberos Subject Alternative Name to the to-be-signed
     971             :  * certificate object. The principal string is a UTF8 string.
     972             :  *
     973             :  * @param context A hx509 context.
     974             :  * @param tbs object to be signed.
     975             :  * @param principal Kerberos principal to add to the certificate.
     976             :  *
     977             :  * @return An hx509 error code, see hx509_get_error_string().
     978             :  *
     979             :  * @ingroup hx509_ca
     980             :  */
     981             : 
     982             : HX509_LIB_FUNCTION int HX509_LIB_CALL
     983           0 : hx509_ca_tbs_add_san_pkinit(hx509_context context,
     984             :                             hx509_ca_tbs tbs,
     985             :                             const char *principal)
     986             : {
     987           0 :     heim_octet_string os;
     988           0 :     int ret;
     989             : 
     990           0 :     ret = _hx509_make_pkinit_san(context, principal, &os);
     991           0 :     if (ret == 0)
     992           0 :         ret = hx509_ca_tbs_add_san_otherName(context, tbs,
     993             :                                              &asn1_oid_id_pkinit_san, &os);
     994           0 :     free(os.data);
     995           0 :     return ret;
     996             : }
     997             : 
     998             : /*
     999             :  *
    1000             :  */
    1001             : 
    1002             : static int
    1003           0 : add_utf8_san(hx509_context context,
    1004             :              hx509_ca_tbs tbs,
    1005             :              const heim_oid *oid,
    1006             :              const char *string)
    1007             : {
    1008           0 :     const PKIXXmppAddr ustring = (const PKIXXmppAddr)(uintptr_t)string;
    1009           0 :     heim_octet_string os;
    1010           0 :     size_t size;
    1011           0 :     int ret;
    1012             : 
    1013           0 :     os.length = 0;
    1014           0 :     os.data = NULL;
    1015             : 
    1016           0 :     ASN1_MALLOC_ENCODE(PKIXXmppAddr, os.data, os.length, &ustring, &size, ret);
    1017           0 :     if (ret) {
    1018           0 :         hx509_set_error_string(context, 0, ret, "Out of memory");
    1019           0 :         return ret;
    1020             :     }
    1021           0 :     if (size != os.length)
    1022           0 :         _hx509_abort("internal ASN.1 encoder error");
    1023             : 
    1024           0 :     ret = hx509_ca_tbs_add_san_otherName(context, tbs, oid, &os);
    1025           0 :     free(os.data);
    1026           0 :     return ret;
    1027             : }
    1028             : 
    1029             : /**
    1030             :  * Add Microsoft UPN Subject Alternative Name to the to-be-signed
    1031             :  * certificate object. The principal string is a UTF8 string.
    1032             :  *
    1033             :  * @param context A hx509 context.
    1034             :  * @param tbs object to be signed.
    1035             :  * @param principal Microsoft UPN string.
    1036             :  *
    1037             :  * @return An hx509 error code, see hx509_get_error_string().
    1038             :  *
    1039             :  * @ingroup hx509_ca
    1040             :  */
    1041             : 
    1042             : HX509_LIB_FUNCTION int HX509_LIB_CALL
    1043           0 : hx509_ca_tbs_add_san_ms_upn(hx509_context context,
    1044             :                             hx509_ca_tbs tbs,
    1045             :                             const char *principal)
    1046             : {
    1047           0 :     return add_utf8_san(context, tbs, &asn1_oid_id_pkinit_ms_san, principal);
    1048             : }
    1049             : 
    1050             : /**
    1051             :  * Add a Jabber/XMPP jid Subject Alternative Name to the to-be-signed
    1052             :  * certificate object. The jid is an UTF8 string.
    1053             :  *
    1054             :  * @param context A hx509 context.
    1055             :  * @param tbs object to be signed.
    1056             :  * @param jid string of an a jabber id in UTF8.
    1057             :  *
    1058             :  * @return An hx509 error code, see hx509_get_error_string().
    1059             :  *
    1060             :  * @ingroup hx509_ca
    1061             :  */
    1062             : 
    1063             : HX509_LIB_FUNCTION int HX509_LIB_CALL
    1064           0 : hx509_ca_tbs_add_san_jid(hx509_context context,
    1065             :                          hx509_ca_tbs tbs,
    1066             :                          const char *jid)
    1067             : {
    1068           0 :     return add_utf8_san(context, tbs, &asn1_oid_id_pkix_on_xmppAddr, jid);
    1069             : }
    1070             : 
    1071             : 
    1072             : /**
    1073             :  * Add a Subject Alternative Name hostname to to-be-signed certificate
    1074             :  * object. A domain match starts with ., an exact match does not.
    1075             :  *
    1076             :  * Example of a an domain match: .domain.se matches the hostname
    1077             :  * host.domain.se.
    1078             :  *
    1079             :  * @param context A hx509 context.
    1080             :  * @param tbs object to be signed.
    1081             :  * @param dnsname a hostame.
    1082             :  *
    1083             :  * @return An hx509 error code, see hx509_get_error_string().
    1084             :  *
    1085             :  * @ingroup hx509_ca
    1086             :  */
    1087             : 
    1088             : HX509_LIB_FUNCTION int HX509_LIB_CALL
    1089           0 : hx509_ca_tbs_add_san_hostname(hx509_context context,
    1090             :                               hx509_ca_tbs tbs,
    1091             :                               const char *dnsname)
    1092             : {
    1093           0 :     GeneralName gn;
    1094             : 
    1095           0 :     memset(&gn, 0, sizeof(gn));
    1096           0 :     gn.element = choice_GeneralName_dNSName;
    1097           0 :     gn.u.dNSName.data = rk_UNCONST(dnsname);
    1098           0 :     gn.u.dNSName.length = strlen(dnsname);
    1099             : 
    1100           0 :     return add_GeneralNames(&tbs->san, &gn);
    1101             : }
    1102             : 
    1103             : /**
    1104             :  * Add a Subject Alternative Name rfc822 (email address) to
    1105             :  * to-be-signed certificate object.
    1106             :  *
    1107             :  * @param context A hx509 context.
    1108             :  * @param tbs object to be signed.
    1109             :  * @param rfc822Name a string to a email address.
    1110             :  *
    1111             :  * @return An hx509 error code, see hx509_get_error_string().
    1112             :  *
    1113             :  * @ingroup hx509_ca
    1114             :  */
    1115             : 
    1116             : HX509_LIB_FUNCTION int HX509_LIB_CALL
    1117           0 : hx509_ca_tbs_add_san_rfc822name(hx509_context context,
    1118             :                                 hx509_ca_tbs tbs,
    1119             :                                 const char *rfc822Name)
    1120             : {
    1121           0 :     GeneralName gn;
    1122             : 
    1123           0 :     memset(&gn, 0, sizeof(gn));
    1124           0 :     gn.element = choice_GeneralName_rfc822Name;
    1125           0 :     gn.u.rfc822Name.data = rk_UNCONST(rfc822Name);
    1126           0 :     gn.u.rfc822Name.length = strlen(rfc822Name);
    1127             : 
    1128           0 :     return add_GeneralNames(&tbs->san, &gn);
    1129             : }
    1130             : 
    1131             : /*
    1132             :  * PermanentIdentifier is one SAN for naming devices with TPMs after their
    1133             :  * endorsement keys or EK certificates.  See TPM 2.0 Keys for Device Identity
    1134             :  * and Attestation, Version 1.00, Revision 2, 9/17/2020 (DRAFT).
    1135             :  *
    1136             :  * The text on the form of permanent identifiers for TPM endorsement keys sans
    1137             :  * certificates is clearly problematic, saying: "When the TPM does not have an
    1138             :  * EK certificate, the identifierValue is a digest of a concatenation of the
    1139             :  * UTF8 string “EkPubkey” (terminating NULL not included) with the binary EK
    1140             :  * public key", but since arbitrary binary is not necessarily valid UTF-8...
    1141             :  * and since NULs embedded in UTF-8 might be OK in some contexts but really
    1142             :  * isn't in C (and Heimdal's ASN.1 compiler does not allow NULs in the
    1143             :  * middle of strings)...  That just cannot be correct.  Since elsewhere the TCG
    1144             :  * specs use the hex encoding of the SHA-256 digest of the DER encoding of
    1145             :  * public keys, that's what we should support in Heimdal, and maybe send in a
    1146             :  * comment.
    1147             :  *
    1148             :  * Also, even where one should use hex encoding of the SHA-256 digest of the
    1149             :  * DER encoding of public keys, how should the public keys be represented?
    1150             :  * Presumably as SPKIs, with all the required parameters and no more.
    1151             :  */
    1152             : 
    1153             : /**
    1154             :  * Add a Subject Alternative Name of PermanentIdentifier type to a to-be-signed
    1155             :  * certificate object.  The permanent identifier form for TPM endorsement key
    1156             :  * certificates is the hex encoding of the SHA-256 digest of the DER encoding
    1157             :  * of the certificate.  The permanent identifier form for TPM endorsement keys
    1158             :  * are of the form "EkPubkey<public-key>", where the form of <public-key> is
    1159             :  * not well specified at this point.  It is the caller's responsibility to
    1160             :  * format the identifierValue.
    1161             :  *
    1162             :  * @param context A hx509 context.
    1163             :  * @param tbs object to be signed.
    1164             :  * @param str permanent identifier name in the form "[<assigner-oid>]:[<id>]".
    1165             :  * @param assigner The OID of an assigner.
    1166             :  *
    1167             :  * @return An hx509 error code, see hx509_get_error_string().
    1168             :  *
    1169             :  * @ingroup hx509_ca
    1170             :  */
    1171             : 
    1172             : HX509_LIB_FUNCTION int HX509_LIB_CALL
    1173           0 : hx509_ca_tbs_add_san_permanentIdentifier_string(hx509_context context,
    1174             :                                                 hx509_ca_tbs tbs,
    1175             :                                                 const char *str)
    1176             : {
    1177           0 :     const heim_oid *found = NULL;
    1178           0 :     heim_oid oid;
    1179           0 :     const char *oidstr, *id;
    1180           0 :     char *freeme, *p;
    1181           0 :     int ret;
    1182             : 
    1183           0 :     memset(&oid, 0, sizeof(oid));
    1184           0 :     if ((freeme = strdup(str)) == NULL)
    1185           0 :         return hx509_enomem(context);
    1186             : 
    1187           0 :     oidstr = freeme;
    1188           0 :     p = strchr(freeme, ':');
    1189           0 :     if (!p) {
    1190           0 :         hx509_set_error_string(context, 0, EINVAL,
    1191             :                                "Invalid PermanentIdentifier string (should be \"[<oid>]:[<id>]\")");
    1192           0 :         free(freeme);
    1193           0 :         return EINVAL;
    1194             :     }
    1195           0 :     if (p) {
    1196           0 :         *(p++) = '\0';
    1197           0 :         id = p;
    1198             :     }
    1199           0 :     if (oidstr[0] != '\0') {
    1200           0 :         ret = der_find_heim_oid_by_name(oidstr, &found);
    1201           0 :         if (ret) {
    1202           0 :             ret = der_parse_heim_oid(oidstr, " .", &oid);
    1203           0 :             if (ret == 0)
    1204           0 :                 found = &oid;
    1205             :         }
    1206             :     }
    1207           0 :     ret = hx509_ca_tbs_add_san_permanentIdentifier(context, tbs, id, found);
    1208           0 :     if (found == &oid)
    1209           0 :         der_free_oid(&oid);
    1210           0 :     free(freeme);
    1211           0 :     return ret;
    1212             : }
    1213             : 
    1214             : /**
    1215             :  * Add a Subject Alternative Name of PermanentIdentifier type to a to-be-signed
    1216             :  * certificate object.  The permanent identifier form for TPM endorsement key
    1217             :  * certificates is the hex encoding of the SHA-256 digest of the DER encoding
    1218             :  * of the certificate.  The permanent identifier form for TPM endorsement keys
    1219             :  * are of the form "EkPubkey<public-key>", where the form of <public-key> is
    1220             :  * not well specified at this point.  It is the caller's responsibility to
    1221             :  * format the identifierValue.
    1222             :  *
    1223             :  * @param context A hx509 context.
    1224             :  * @param tbs object to be signed.
    1225             :  * @param identifierValue The permanent identifier name.
    1226             :  * @param assigner The OID of an assigner.
    1227             :  *
    1228             :  * @return An hx509 error code, see hx509_get_error_string().
    1229             :  *
    1230             :  * @ingroup hx509_ca
    1231             :  */
    1232             : 
    1233             : HX509_LIB_FUNCTION int HX509_LIB_CALL
    1234           0 : hx509_ca_tbs_add_san_permanentIdentifier(hx509_context context,
    1235             :                                          hx509_ca_tbs tbs,
    1236             :                                          const char *identifierValue,
    1237             :                                          const heim_oid *assigner)
    1238             : {
    1239           0 :     PermanentIdentifier pi;
    1240           0 :     heim_utf8_string s = (void *)(uintptr_t)identifierValue;
    1241           0 :     heim_octet_string os;
    1242           0 :     size_t size;
    1243           0 :     int ret;
    1244             : 
    1245           0 :     pi.identifierValue = &s;
    1246           0 :     pi.assigner = (heim_oid*)(uintptr_t)assigner;
    1247           0 :     os.length = 0;
    1248           0 :     os.data = NULL;
    1249             : 
    1250           0 :     ASN1_MALLOC_ENCODE(PermanentIdentifier, os.data, os.length, &pi, &size,
    1251             :                        ret);
    1252           0 :     if (ret) {
    1253           0 :         hx509_set_error_string(context, 0, ret, "Out of memory");
    1254           0 :         return ret;
    1255             :     }
    1256           0 :     if (size != os.length)
    1257           0 :         _hx509_abort("internal ASN.1 encoder error");
    1258             : 
    1259           0 :     ret = hx509_ca_tbs_add_san_otherName(context, tbs,
    1260             :                                          &asn1_oid_id_pkix_on_permanentIdentifier,
    1261             :                                          &os);
    1262           0 :     free(os.data);
    1263           0 :     return ret;
    1264             : }
    1265             : 
    1266             : /**
    1267             :  * Add a Subject Alternative Name of HardwareModuleName type to a to-be-signed
    1268             :  * certificate object.
    1269             :  *
    1270             :  * @param context A hx509 context.
    1271             :  * @param tbs object to be signed.
    1272             :  * @param str a string of the form "<oid>:<serial>".
    1273             :  * @param hwserial The serial number.
    1274             :  *
    1275             :  * @return An hx509 error code, see hx509_get_error_string().
    1276             :  *
    1277             :  * @ingroup hx509_ca
    1278             :  */
    1279             : 
    1280             : HX509_LIB_FUNCTION int HX509_LIB_CALL
    1281           0 : hx509_ca_tbs_add_san_hardwareModuleName_string(hx509_context context,
    1282             :                                                hx509_ca_tbs tbs,
    1283             :                                                const char *str)
    1284             : {
    1285           0 :     const heim_oid *found = NULL;
    1286           0 :     heim_oid oid;
    1287           0 :     const char *oidstr, *sno;
    1288           0 :     char *freeme, *p;
    1289           0 :     int ret;
    1290             : 
    1291           0 :     memset(&oid, 0, sizeof(oid));
    1292           0 :     if ((freeme = strdup(str)) == NULL)
    1293           0 :         return hx509_enomem(context);
    1294             : 
    1295           0 :     oidstr = freeme;
    1296           0 :     p = strchr(freeme, ':');
    1297           0 :     if (!p) {
    1298           0 :         hx509_set_error_string(context, 0, EINVAL,
    1299             :                                "Invalid HardwareModuleName string (should be "
    1300             :                                "\"<oid>:<serial>\")");
    1301           0 :         free(freeme);
    1302           0 :         return EINVAL;
    1303             :     }
    1304           0 :     if (p) {
    1305           0 :         *(p++) = '\0';
    1306           0 :         sno = p;
    1307             :     }
    1308           0 :     if (oidstr[0] == '\0') {
    1309           0 :         found = &asn1_oid_tcg_tpm20;
    1310             :     } else {
    1311           0 :         ret = der_find_heim_oid_by_name(oidstr, &found);
    1312           0 :         if (ret) {
    1313           0 :             ret = der_parse_heim_oid(oidstr, " .", &oid);
    1314           0 :             if (ret == 0)
    1315           0 :                 found = &oid;
    1316             :         }
    1317             :     }
    1318           0 :     if (!found) {
    1319           0 :         hx509_set_error_string(context, 0, EINVAL,
    1320             :                                "Could not resolve or parse OID \"%s\"",
    1321             :                                oidstr);
    1322           0 :         free(freeme);
    1323           0 :         return EINVAL;
    1324             :     }
    1325           0 :     ret = hx509_ca_tbs_add_san_hardwareModuleName(context, tbs, found, sno);
    1326           0 :     if (found == &oid)
    1327           0 :         der_free_oid(&oid);
    1328           0 :     free(freeme);
    1329           0 :     return ret;
    1330             : }
    1331             : 
    1332             : /**
    1333             :  * Add a Subject Alternative Name of HardwareModuleName type to a to-be-signed
    1334             :  * certificate object.
    1335             :  *
    1336             :  * @param context A hx509 context.
    1337             :  * @param tbs object to be signed.
    1338             :  * @param hwtype The hardwar module type (e.g., `&asn1_oid_tcg_tpm20').
    1339             :  * @param hwserial The serial number.
    1340             :  *
    1341             :  * @return An hx509 error code, see hx509_get_error_string().
    1342             :  *
    1343             :  * @ingroup hx509_ca
    1344             :  */
    1345             : 
    1346             : HX509_LIB_FUNCTION int HX509_LIB_CALL
    1347           0 : hx509_ca_tbs_add_san_hardwareModuleName(hx509_context context,
    1348             :                                         hx509_ca_tbs tbs,
    1349             :                                         const heim_oid *hwtype,
    1350             :                                         const char *hwserial)
    1351             : {
    1352           0 :     HardwareModuleName hm;
    1353           0 :     heim_octet_string os;
    1354           0 :     size_t size;
    1355           0 :     int ret;
    1356             : 
    1357           0 :     hm.hwType = *hwtype;
    1358           0 :     hm.hwSerialNum.data = (void *)(uintptr_t)hwserial;
    1359           0 :     hm.hwSerialNum.length = strlen(hwserial);
    1360           0 :     os.length = 0;
    1361           0 :     os.data = NULL;
    1362             : 
    1363           0 :     ASN1_MALLOC_ENCODE(HardwareModuleName, os.data, os.length, &hm, &size,
    1364             :                        ret);
    1365           0 :     if (ret) {
    1366           0 :         hx509_set_error_string(context, 0, ret, "Out of memory");
    1367           0 :         return ret;
    1368             :     }
    1369           0 :     if (size != os.length)
    1370           0 :         _hx509_abort("internal ASN.1 encoder error");
    1371             : 
    1372           0 :     ret = hx509_ca_tbs_add_san_otherName(context, tbs,
    1373             :                                          &asn1_oid_id_on_hardwareModuleName,
    1374             :                                          &os);
    1375           0 :     free(os.data);
    1376           0 :     return ret;
    1377             : }
    1378             : 
    1379             : /**
    1380             :  * Add a Subject Alternative Name of the given type to the
    1381             :  * to-be-signed certificate object.
    1382             :  *
    1383             :  * @param context A hx509 context.
    1384             :  * @param tbs object to be signed.
    1385             :  * @param rfc822Name a string to a email address.
    1386             :  *
    1387             :  * @return An hx509 error code, see hx509_get_error_string().
    1388             :  *
    1389             :  * @ingroup hx509_ca
    1390             :  */
    1391             : 
    1392             : HX509_LIB_FUNCTION int HX509_LIB_CALL
    1393           0 : hx509_ca_tbs_add_san(hx509_context context,
    1394             :                      hx509_ca_tbs tbs,
    1395             :                      hx509_san_type type,
    1396             :                      const char *s)
    1397             : {
    1398           0 :     switch (type) {
    1399           0 :     case HX509_SAN_TYPE_EMAIL:
    1400           0 :         return hx509_ca_tbs_add_san_rfc822name(context, tbs, s);
    1401           0 :     case HX509_SAN_TYPE_DNSNAME:
    1402           0 :         return hx509_ca_tbs_add_san_hostname(context, tbs, s);
    1403           0 :     case HX509_SAN_TYPE_DN:
    1404           0 :         return ENOTSUP;
    1405           0 :     case HX509_SAN_TYPE_REGISTERED_ID:
    1406           0 :         return ENOTSUP;
    1407           0 :     case HX509_SAN_TYPE_XMPP:
    1408           0 :         return hx509_ca_tbs_add_san_jid(context, tbs, s);
    1409           0 :     case HX509_SAN_TYPE_PKINIT:
    1410           0 :         return hx509_ca_tbs_add_san_pkinit(context, tbs, s);
    1411           0 :     case HX509_SAN_TYPE_MS_UPN:
    1412           0 :         return hx509_ca_tbs_add_san_ms_upn(context, tbs, s);
    1413           0 :     default:
    1414           0 :         return ENOTSUP;
    1415             :     }
    1416             : }
    1417             : 
    1418             : /**
    1419             :  * Set the subject name of a to-be-signed certificate object.
    1420             :  *
    1421             :  * @param context A hx509 context.
    1422             :  * @param tbs object to be signed.
    1423             :  * @param subject the name to set a subject.
    1424             :  *
    1425             :  * @return An hx509 error code, see hx509_get_error_string().
    1426             :  *
    1427             :  * @ingroup hx509_ca
    1428             :  */
    1429             : 
    1430             : HX509_LIB_FUNCTION int HX509_LIB_CALL
    1431           0 : hx509_ca_tbs_set_subject(hx509_context context,
    1432             :                          hx509_ca_tbs tbs,
    1433             :                          hx509_name subject)
    1434             : {
    1435           0 :     if (tbs->subject)
    1436           0 :         hx509_name_free(&tbs->subject);
    1437           0 :     return hx509_name_copy(context, subject, &tbs->subject);
    1438             : }
    1439             : 
    1440             : /**
    1441             :  * Set the issuerUniqueID and subjectUniqueID
    1442             :  *
    1443             :  * These are only supposed to be used considered with version 2
    1444             :  * certificates, replaced by the two extensions SubjectKeyIdentifier
    1445             :  * and IssuerKeyIdentifier. This function is to allow application
    1446             :  * using legacy protocol to issue them.
    1447             :  *
    1448             :  * @param context A hx509 context.
    1449             :  * @param tbs object to be signed.
    1450             :  * @param issuerUniqueID to be set
    1451             :  * @param subjectUniqueID to be set
    1452             :  *
    1453             :  * @return An hx509 error code, see hx509_get_error_string().
    1454             :  *
    1455             :  * @ingroup hx509_ca
    1456             :  */
    1457             : 
    1458             : HX509_LIB_FUNCTION int HX509_LIB_CALL
    1459           0 : hx509_ca_tbs_set_unique(hx509_context context,
    1460             :                         hx509_ca_tbs tbs,
    1461             :                         const heim_bit_string *subjectUniqueID,
    1462             :                         const heim_bit_string *issuerUniqueID)
    1463             : {
    1464           0 :     int ret;
    1465             : 
    1466           0 :     der_free_bit_string(&tbs->subjectUniqueID);
    1467           0 :     der_free_bit_string(&tbs->issuerUniqueID);
    1468             : 
    1469           0 :     if (subjectUniqueID) {
    1470           0 :         ret = der_copy_bit_string(subjectUniqueID, &tbs->subjectUniqueID);
    1471           0 :         if (ret)
    1472           0 :             return ret;
    1473             :     }
    1474             : 
    1475           0 :     if (issuerUniqueID) {
    1476           0 :         ret = der_copy_bit_string(issuerUniqueID, &tbs->issuerUniqueID);
    1477           0 :         if (ret)
    1478           0 :             return ret;
    1479             :     }
    1480             : 
    1481           0 :     return 0;
    1482             : }
    1483             : 
    1484             : /**
    1485             :  * Expand the the subject name in the to-be-signed certificate object
    1486             :  * using hx509_name_expand().
    1487             :  *
    1488             :  * @param context A hx509 context.
    1489             :  * @param tbs object to be signed.
    1490             :  * @param env environment variable to expand variables in the subject
    1491             :  * name, see hx509_env_init().
    1492             :  *
    1493             :  * @return An hx509 error code, see hx509_get_error_string().
    1494             :  *
    1495             :  * @ingroup hx509_ca
    1496             :  */
    1497             : 
    1498             : HX509_LIB_FUNCTION int HX509_LIB_CALL
    1499           0 : hx509_ca_tbs_subject_expand(hx509_context context,
    1500             :                             hx509_ca_tbs tbs,
    1501             :                             hx509_env env)
    1502             : {
    1503           0 :     return hx509_name_expand(context, tbs->subject, env);
    1504             : }
    1505             : 
    1506             : /**
    1507             :  * Get the name of a to-be-signed certificate object.
    1508             :  *
    1509             :  * @param context A hx509 context.
    1510             :  * @param tbs object to be signed.
    1511             :  *
    1512             :  * @return An hx509 name.
    1513             :  *
    1514             :  * @ingroup hx509_ca
    1515             :  */
    1516             : 
    1517             : HX509_LIB_FUNCTION hx509_name HX509_LIB_CALL
    1518           0 : hx509_ca_tbs_get_name(hx509_ca_tbs tbs)
    1519             : {
    1520           0 :     return tbs->subject;
    1521             : }
    1522             : 
    1523             : /**
    1524             :  * Set signature algorithm on the to be signed certificate
    1525             :  *
    1526             :  * @param context A hx509 context.
    1527             :  * @param tbs object to be signed.
    1528             :  * @param sigalg signature algorithm to use
    1529             :  *
    1530             :  * @return An hx509 error code, see hx509_get_error_string().
    1531             :  *
    1532             :  * @ingroup hx509_ca
    1533             :  */
    1534             : 
    1535             : HX509_LIB_FUNCTION int HX509_LIB_CALL
    1536           0 : hx509_ca_tbs_set_signature_algorithm(hx509_context context,
    1537             :                                      hx509_ca_tbs tbs,
    1538             :                                      const AlgorithmIdentifier *sigalg)
    1539             : {
    1540           0 :     int ret;
    1541             : 
    1542           0 :     tbs->sigalg = calloc(1, sizeof(*tbs->sigalg));
    1543           0 :     if (tbs->sigalg == NULL) {
    1544           0 :         hx509_set_error_string(context, 0, ENOMEM, "Out of memory");
    1545           0 :         return ENOMEM;
    1546             :     }
    1547           0 :     ret = copy_AlgorithmIdentifier(sigalg, tbs->sigalg);
    1548           0 :     if (ret) {
    1549           0 :         free(tbs->sigalg);
    1550           0 :         tbs->sigalg = NULL;
    1551           0 :         return ret;
    1552             :     }
    1553           0 :     return 0;
    1554             : }
    1555             : 
    1556             : /*
    1557             :  *
    1558             :  */
    1559             : 
    1560             : static int
    1561           0 : add_extension(hx509_context context,
    1562             :               TBSCertificate *tbsc,
    1563             :               int critical_flag,
    1564             :               const heim_oid *oid,
    1565             :               const heim_octet_string *data)
    1566             : {
    1567           0 :     Extension ext;
    1568           0 :     int ret;
    1569             : 
    1570           0 :     memset(&ext, 0, sizeof(ext));
    1571             : 
    1572           0 :     ext.critical = critical_flag;
    1573           0 :     ret = der_copy_oid(oid, &ext.extnID);
    1574           0 :     if (ret) {
    1575           0 :         hx509_set_error_string(context, 0, ret, "Out of memory");
    1576           0 :         goto out;
    1577             :     }
    1578           0 :     ret = der_copy_octet_string(data, &ext.extnValue);
    1579           0 :     if (ret) {
    1580           0 :         hx509_set_error_string(context, 0, ret, "Out of memory");
    1581           0 :         goto out;
    1582             :     }
    1583           0 :     ret = add_Extensions(tbsc->extensions, &ext);
    1584           0 :     if (ret) {
    1585           0 :         hx509_set_error_string(context, 0, ret, "Out of memory");
    1586           0 :         goto out;
    1587             :     }
    1588           0 : out:
    1589           0 :     free_Extension(&ext);
    1590           0 :     return ret;
    1591             : }
    1592             : 
    1593             : static int
    1594           0 : build_proxy_prefix(hx509_context context, const Name *issuer, Name *subject)
    1595             : {
    1596           0 :     char *tstr;
    1597           0 :     time_t t;
    1598           0 :     int ret;
    1599             : 
    1600           0 :     ret = copy_Name(issuer, subject);
    1601           0 :     if (ret) {
    1602           0 :         hx509_set_error_string(context, 0, ret,
    1603             :                                "Failed to copy subject name");
    1604           0 :         return ret;
    1605             :     }
    1606             : 
    1607           0 :     t = time(NULL);
    1608           0 :     ret = asprintf(&tstr, "ts-%lu", (unsigned long)t);
    1609           0 :     if (ret == -1 || tstr == NULL) {
    1610           0 :         hx509_set_error_string(context, 0, ENOMEM,
    1611             :                                "Failed to copy subject name");
    1612           0 :         return ENOMEM;
    1613             :     }
    1614             :     /* prefix with CN=<ts>,...*/
    1615           0 :     ret = _hx509_name_modify(context, subject, 1, &asn1_oid_id_at_commonName, tstr);
    1616           0 :     free(tstr);
    1617           0 :     if (ret)
    1618           0 :         free_Name(subject);
    1619           0 :     return ret;
    1620             : }
    1621             : 
    1622             : static int
    1623           0 : ca_sign(hx509_context context,
    1624             :         hx509_ca_tbs tbs,
    1625             :         hx509_private_key signer,
    1626             :         const AuthorityKeyIdentifier *ai,
    1627             :         const Name *issuername,
    1628             :         hx509_cert *certificate)
    1629             : {
    1630           0 :     heim_error_t error = NULL;
    1631           0 :     heim_octet_string data;
    1632           0 :     Certificate c;
    1633           0 :     TBSCertificate *tbsc;
    1634           0 :     size_t size;
    1635           0 :     int ret;
    1636           0 :     const AlgorithmIdentifier *sigalg;
    1637           0 :     time_t notBefore;
    1638           0 :     time_t notAfter;
    1639             : 
    1640           0 :     sigalg = tbs->sigalg;
    1641           0 :     if (sigalg == NULL)
    1642           0 :         sigalg = _hx509_crypto_default_sig_alg;
    1643             : 
    1644           0 :     memset(&c, 0, sizeof(c));
    1645             : 
    1646             :     /*
    1647             :      * Default values are: Valid since 24h ago, valid one year into
    1648             :      * the future, KeyUsage digitalSignature and keyEncipherment set,
    1649             :      * and keyCertSign for CA certificates.
    1650             :      */
    1651           0 :     notBefore = tbs->notBefore;
    1652           0 :     if (notBefore == 0)
    1653           0 :         notBefore = time(NULL) - 3600 * 24;
    1654           0 :     notAfter = tbs->notAfter;
    1655           0 :     if (notAfter == 0)
    1656           0 :         notAfter = time(NULL) + 3600 * 24 * 365;
    1657             : 
    1658           0 :     if (tbs->flags.ca) {
    1659           0 :         tbs->ku.keyCertSign = 1;
    1660           0 :         tbs->ku.cRLSign = 1;
    1661           0 :     } else if (KeyUsage2int(tbs->ku) == 0) {
    1662           0 :         tbs->ku.digitalSignature = 1;
    1663           0 :         tbs->ku.keyEncipherment = 1;
    1664             :     }
    1665             : 
    1666             :     /*
    1667             :      *
    1668             :      */
    1669             : 
    1670           0 :     tbsc = &c.tbsCertificate;
    1671             : 
    1672             :     /* Default subject Name to empty */
    1673           0 :     if (tbs->subject == NULL &&
    1674           0 :         (ret = hx509_empty_name(context, &tbs->subject)))
    1675           0 :         return ret;
    1676             : 
    1677             :     /* Sanity checks */
    1678           0 :     if (tbs->flags.key == 0) {
    1679           0 :         ret = EINVAL;
    1680           0 :         hx509_set_error_string(context, 0, ret, "No public key set");
    1681           0 :         return ret;
    1682             :     }
    1683             :     /*
    1684             :      * Don't put restrictions on proxy certificate's subject name, it
    1685             :      * will be generated below.
    1686             :      */
    1687           0 :     if (!tbs->flags.proxy) {
    1688           0 :         if (hx509_name_is_null_p(tbs->subject) && tbs->san.len == 0) {
    1689           0 :             hx509_set_error_string(context, 0, EINVAL,
    1690             :                                    "Empty subject and no SubjectAltNames");
    1691           0 :             return EINVAL;
    1692             :         }
    1693             :     }
    1694           0 :     if (tbs->flags.ca && tbs->flags.proxy) {
    1695           0 :         hx509_set_error_string(context, 0, EINVAL, "Can't be proxy and CA "
    1696             :                                "at the same time");
    1697           0 :         return EINVAL;
    1698             :     }
    1699           0 :     if (tbs->flags.proxy) {
    1700           0 :         if (tbs->san.len > 0) {
    1701           0 :             hx509_set_error_string(context, 0, EINVAL,
    1702             :                                    "Proxy certificate is not allowed "
    1703             :                                    "to have SubjectAltNames");
    1704           0 :             return EINVAL;
    1705             :         }
    1706             :     }
    1707             : 
    1708             :     /* version         [0]  Version OPTIONAL, -- EXPLICIT nnn DEFAULT 1, */
    1709           0 :     tbsc->version = calloc(1, sizeof(*tbsc->version));
    1710           0 :     if (tbsc->version == NULL) {
    1711           0 :         ret = ENOMEM;
    1712           0 :         hx509_set_error_string(context, 0, ret, "Out of memory");
    1713           0 :         goto out;
    1714             :     }
    1715           0 :     *tbsc->version = rfc3280_version_3;
    1716             :     /* serialNumber         CertificateSerialNumber, */
    1717           0 :     if (tbs->flags.serial) {
    1718           0 :         ret = der_copy_heim_integer(&tbs->serial, &tbsc->serialNumber);
    1719           0 :         if (ret) {
    1720           0 :             hx509_set_error_string(context, 0, ret, "Out of memory");
    1721           0 :             goto out;
    1722             :         }
    1723             :     } else {
    1724             :         /*
    1725             :          * If no explicit serial number is specified, 20 random bytes should be
    1726             :          * sufficiently collision resistant.  Since the serial number must be a
    1727             :          * positive integer, ensure minimal ASN.1 DER form by forcing the high
    1728             :          * bit off and the next bit on (thus avoiding an all zero first octet).
    1729             :          */
    1730           0 :         tbsc->serialNumber.length = 20;
    1731           0 :         tbsc->serialNumber.data = malloc(tbsc->serialNumber.length);
    1732           0 :         if (tbsc->serialNumber.data == NULL){
    1733           0 :             ret = ENOMEM;
    1734           0 :             hx509_set_error_string(context, 0, ret, "Out of memory");
    1735           0 :             goto out;
    1736             :         }
    1737           0 :         ret = RAND_bytes(tbsc->serialNumber.data, tbsc->serialNumber.length);
    1738           0 :         if (ret != 1) {
    1739           0 :             ret = HX509_CRYPTO_INTERNAL_ERROR;
    1740           0 :             hx509_set_error_string(context, 0, ret, "Failed to generate random bytes");
    1741           0 :             goto out;
    1742             :         }
    1743           0 :         ((unsigned char *)tbsc->serialNumber.data)[0] &= 0x7f;
    1744           0 :         ((unsigned char *)tbsc->serialNumber.data)[0] |= 0x40;
    1745             :     }
    1746             :     /* signature            AlgorithmIdentifier, */
    1747           0 :     ret = copy_AlgorithmIdentifier(sigalg, &tbsc->signature);
    1748           0 :     if (ret) {
    1749           0 :         hx509_set_error_string(context, 0, ret, "Failed to copy signature alg");
    1750           0 :         goto out;
    1751             :     }
    1752             :     /* issuer               Name, */
    1753           0 :     if (issuername)
    1754           0 :         ret = copy_Name(issuername, &tbsc->issuer);
    1755             :     else
    1756           0 :         ret = hx509_name_to_Name(tbs->subject, &tbsc->issuer);
    1757           0 :     if (ret) {
    1758           0 :         hx509_set_error_string(context, 0, ret, "Failed to copy issuer name");
    1759           0 :         goto out;
    1760             :     }
    1761             :     /* validity             Validity, */
    1762             :     {
    1763             :         /*
    1764             :          * From RFC 5280, section 4.1.2.5:
    1765             :          *
    1766             :          *    CAs conforming to this profile MUST always encode certificate
    1767             :          *    validity dates through the year 2049 as UTCTime; certificate validity
    1768             :          *    dates in 2050 or later MUST be encoded as GeneralizedTime.
    1769             :          *    Conforming applications MUST be able to process validity dates that
    1770             :          *    are encoded in either UTCTime or GeneralizedTime.
    1771             :          *
    1772             :          * 2524608000 is seconds since the epoch for 2050-01-01T00:00:00Z.
    1773             :          *
    1774             :          * Both, ...u.generalTime and ...u..utcTime are time_t.
    1775             :          */
    1776           0 :         if (notBefore < 1 || (int64_t)notBefore < 2524608000)
    1777           0 :             tbsc->validity.notBefore.element = choice_Time_utcTime;
    1778             :         else
    1779           0 :             tbsc->validity.notBefore.element = choice_Time_generalTime;
    1780           0 :         tbsc->validity.notBefore.u.generalTime = notBefore;
    1781             : 
    1782           0 :         if (notAfter < 1 || (int64_t)notAfter < 2524608000)
    1783           0 :             tbsc->validity.notAfter.element = choice_Time_utcTime;
    1784             :         else
    1785           0 :             tbsc->validity.notAfter.element = choice_Time_generalTime;
    1786           0 :         tbsc->validity.notAfter.u.generalTime = notAfter;
    1787             :     }
    1788             :     /* subject              Name, */
    1789           0 :     if (tbs->flags.proxy) {
    1790           0 :         ret = build_proxy_prefix(context, &tbsc->issuer, &tbsc->subject);
    1791           0 :         if (ret)
    1792           0 :             goto out;
    1793             :     } else {
    1794           0 :         ret = hx509_name_to_Name(tbs->subject, &tbsc->subject);
    1795           0 :         if (ret) {
    1796           0 :             hx509_set_error_string(context, 0, ret,
    1797             :                                    "Failed to copy subject name");
    1798           0 :             goto out;
    1799             :         }
    1800             :     }
    1801             :     /* subjectPublicKeyInfo SubjectPublicKeyInfo, */
    1802           0 :     ret = copy_SubjectPublicKeyInfo(&tbs->spki, &tbsc->subjectPublicKeyInfo);
    1803           0 :     if (ret) {
    1804           0 :         hx509_set_error_string(context, 0, ret, "Failed to copy spki");
    1805           0 :         goto out;
    1806             :     }
    1807             :     /* issuerUniqueID  [1]  IMPLICIT BIT STRING OPTIONAL */
    1808           0 :     if (tbs->issuerUniqueID.length) {
    1809           0 :         tbsc->issuerUniqueID = calloc(1, sizeof(*tbsc->issuerUniqueID));
    1810           0 :         if (tbsc->issuerUniqueID == NULL) {
    1811           0 :             ret = ENOMEM;
    1812           0 :             hx509_set_error_string(context, 0, ret, "Out of memory");
    1813           0 :             goto out;
    1814             :         }
    1815           0 :         ret = der_copy_bit_string(&tbs->issuerUniqueID, tbsc->issuerUniqueID);
    1816           0 :         if (ret) {
    1817           0 :             hx509_set_error_string(context, 0, ret, "Out of memory");
    1818           0 :             goto out;
    1819             :         }
    1820             :     }
    1821             :     /* subjectUniqueID [2]  IMPLICIT BIT STRING OPTIONAL */
    1822           0 :     if (tbs->subjectUniqueID.length) {
    1823           0 :         tbsc->subjectUniqueID = calloc(1, sizeof(*tbsc->subjectUniqueID));
    1824           0 :         if (tbsc->subjectUniqueID == NULL) {
    1825           0 :             ret = ENOMEM;
    1826           0 :             hx509_set_error_string(context, 0, ret, "Out of memory");
    1827           0 :             goto out;
    1828             :         }
    1829             : 
    1830           0 :         ret = der_copy_bit_string(&tbs->subjectUniqueID, tbsc->subjectUniqueID);
    1831           0 :         if (ret) {
    1832           0 :             hx509_set_error_string(context, 0, ret, "Out of memory");
    1833           0 :             goto out;
    1834             :         }
    1835             :     }
    1836             : 
    1837             :     /* extensions      [3]  EXPLICIT Extensions OPTIONAL */
    1838           0 :     tbsc->extensions = calloc(1, sizeof(*tbsc->extensions));
    1839           0 :     if (tbsc->extensions == NULL) {
    1840           0 :         ret = ENOMEM;
    1841           0 :         hx509_set_error_string(context, 0, ret, "Out of memory");
    1842           0 :         goto out;
    1843             :     }
    1844             : 
    1845             :     /* Add the text BMP string Domaincontroller to the cert */
    1846           0 :     if (tbs->flags.domaincontroller) {
    1847           0 :         data.data = rk_UNCONST("\x1e\x20\x00\x44\x00\x6f\x00\x6d"
    1848             :                                "\x00\x61\x00\x69\x00\x6e\x00\x43"
    1849             :                                "\x00\x6f\x00\x6e\x00\x74\x00\x72"
    1850             :                                "\x00\x6f\x00\x6c\x00\x6c\x00\x65"
    1851             :                                "\x00\x72");
    1852           0 :         data.length = 34;
    1853             : 
    1854           0 :         ret = add_extension(context, tbsc, 0,
    1855             :                             &asn1_oid_id_ms_cert_enroll_domaincontroller,
    1856             :                             &data);
    1857           0 :         if (ret)
    1858           0 :             goto out;
    1859             :     }
    1860             : 
    1861             :     /* Add KeyUsage */
    1862           0 :     if (KeyUsage2int(tbs->ku) > 0) {
    1863           0 :         ASN1_MALLOC_ENCODE(KeyUsage, data.data, data.length,
    1864             :                            &tbs->ku, &size, ret);
    1865           0 :         if (ret) {
    1866           0 :             hx509_set_error_string(context, 0, ret, "Out of memory");
    1867           0 :             goto out;
    1868             :         }
    1869           0 :         if (size != data.length)
    1870           0 :             _hx509_abort("internal ASN.1 encoder error");
    1871           0 :         ret = add_extension(context, tbsc, 1,
    1872             :                             &asn1_oid_id_x509_ce_keyUsage, &data);
    1873           0 :         free(data.data);
    1874           0 :         if (ret)
    1875           0 :             goto out;
    1876             :     }
    1877             : 
    1878             :     /* Add ExtendedKeyUsage */
    1879           0 :     if (tbs->eku.len > 0) {
    1880           0 :         ASN1_MALLOC_ENCODE(ExtKeyUsage, data.data, data.length,
    1881             :                            &tbs->eku, &size, ret);
    1882           0 :         if (ret) {
    1883           0 :             hx509_set_error_string(context, 0, ret, "Out of memory");
    1884           0 :             goto out;
    1885             :         }
    1886           0 :         if (size != data.length)
    1887           0 :             _hx509_abort("internal ASN.1 encoder error");
    1888           0 :         ret = add_extension(context, tbsc, 1,
    1889             :                             &asn1_oid_id_x509_ce_extKeyUsage, &data);
    1890           0 :         free(data.data);
    1891           0 :         if (ret)
    1892           0 :             goto out;
    1893             :     }
    1894             : 
    1895             :     /* Add Subject Alternative Name */
    1896           0 :     if (tbs->san.len > 0) {
    1897           0 :         ASN1_MALLOC_ENCODE(GeneralNames, data.data, data.length,
    1898             :                            &tbs->san, &size, ret);
    1899           0 :         if (ret) {
    1900           0 :             hx509_set_error_string(context, 0, ret, "Out of memory");
    1901           0 :             goto out;
    1902             :         }
    1903           0 :         if (size != data.length)
    1904           0 :             _hx509_abort("internal ASN.1 encoder error");
    1905             : 
    1906             :         /* The SAN extension is critical if the subject Name is empty */
    1907           0 :         ret = add_extension(context, tbsc, hx509_name_is_null_p(tbs->subject),
    1908             :                             &asn1_oid_id_x509_ce_subjectAltName, &data);
    1909           0 :         free(data.data);
    1910           0 :         if (ret)
    1911           0 :             goto out;
    1912             :     }
    1913             : 
    1914             :     /* Add Authority Key Identifier */
    1915           0 :     if (ai) {
    1916           0 :         ASN1_MALLOC_ENCODE(AuthorityKeyIdentifier, data.data, data.length,
    1917             :                            ai, &size, ret);
    1918           0 :         if (ret) {
    1919           0 :             hx509_set_error_string(context, 0, ret, "Out of memory");
    1920           0 :             goto out;
    1921             :         }
    1922           0 :         if (size != data.length)
    1923           0 :             _hx509_abort("internal ASN.1 encoder error");
    1924           0 :         ret = add_extension(context, tbsc, 0,
    1925             :                             &asn1_oid_id_x509_ce_authorityKeyIdentifier,
    1926             :                             &data);
    1927           0 :         free(data.data);
    1928           0 :         if (ret)
    1929           0 :             goto out;
    1930             :     }
    1931             : 
    1932             :     /* Add Subject Key Identifier */
    1933             :     {
    1934           0 :         SubjectKeyIdentifier si;
    1935           0 :         unsigned char hash[SHA_DIGEST_LENGTH];
    1936             : 
    1937             :         {
    1938           0 :             EVP_MD_CTX *ctx;
    1939             : 
    1940           0 :             ctx = EVP_MD_CTX_create();
    1941           0 :             EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
    1942           0 :             EVP_DigestUpdate(ctx, tbs->spki.subjectPublicKey.data,
    1943           0 :                              tbs->spki.subjectPublicKey.length / 8);
    1944           0 :             EVP_DigestFinal_ex(ctx, hash, NULL);
    1945           0 :             EVP_MD_CTX_destroy(ctx);
    1946             :         }
    1947             : 
    1948           0 :         si.data = hash;
    1949           0 :         si.length = sizeof(hash);
    1950             : 
    1951           0 :         ASN1_MALLOC_ENCODE(SubjectKeyIdentifier, data.data, data.length,
    1952             :                            &si, &size, ret);
    1953           0 :         if (ret) {
    1954           0 :             hx509_set_error_string(context, 0, ret, "Out of memory");
    1955           0 :             goto out;
    1956             :         }
    1957           0 :         if (size != data.length)
    1958           0 :             _hx509_abort("internal ASN.1 encoder error");
    1959           0 :         ret = add_extension(context, tbsc, 0,
    1960             :                             &asn1_oid_id_x509_ce_subjectKeyIdentifier,
    1961             :                             &data);
    1962           0 :         free(data.data);
    1963           0 :         if (ret)
    1964           0 :             goto out;
    1965             :     }
    1966             : 
    1967             :     /* Add BasicConstraints */
    1968             :     {
    1969           0 :         BasicConstraints bc;
    1970           0 :         unsigned int path;
    1971             : 
    1972           0 :         memset(&bc, 0, sizeof(bc));
    1973             : 
    1974           0 :         if (tbs->flags.ca) {
    1975           0 :             bc.cA = 1;
    1976           0 :             if (tbs->pathLenConstraint >= 0) {
    1977           0 :                 path = tbs->pathLenConstraint;
    1978           0 :                 bc.pathLenConstraint = &path;
    1979             :             }
    1980             :         }
    1981             : 
    1982           0 :         ASN1_MALLOC_ENCODE(BasicConstraints, data.data, data.length,
    1983             :                            &bc, &size, ret);
    1984           0 :         if (ret) {
    1985           0 :             hx509_set_error_string(context, 0, ret, "Out of memory");
    1986           0 :             goto out;
    1987             :         }
    1988           0 :         if (size != data.length)
    1989           0 :             _hx509_abort("internal ASN.1 encoder error");
    1990             :         /* Critical if this is a CA */
    1991           0 :         ret = add_extension(context, tbsc, tbs->flags.ca,
    1992             :                             &asn1_oid_id_x509_ce_basicConstraints,
    1993             :                             &data);
    1994           0 :         free(data.data);
    1995           0 :         if (ret)
    1996           0 :             goto out;
    1997             :     }
    1998             : 
    1999             :     /* Add Proxy */
    2000           0 :     if (tbs->flags.proxy) {
    2001           0 :         ProxyCertInfo info;
    2002             : 
    2003           0 :         memset(&info, 0, sizeof(info));
    2004             : 
    2005           0 :         if (tbs->pathLenConstraint >= 0) {
    2006           0 :             info.pCPathLenConstraint =
    2007           0 :                 malloc(sizeof(*info.pCPathLenConstraint));
    2008           0 :             if (info.pCPathLenConstraint == NULL) {
    2009           0 :                 ret = ENOMEM;
    2010           0 :                 hx509_set_error_string(context, 0, ret, "Out of memory");
    2011           0 :                 goto out;
    2012             :             }
    2013           0 :             *info.pCPathLenConstraint = tbs->pathLenConstraint;
    2014             :         }
    2015             : 
    2016           0 :         ret = der_copy_oid(&asn1_oid_id_pkix_ppl_inheritAll,
    2017             :                            &info.proxyPolicy.policyLanguage);
    2018           0 :         if (ret) {
    2019           0 :             free_ProxyCertInfo(&info);
    2020           0 :             hx509_set_error_string(context, 0, ret, "Out of memory");
    2021           0 :             goto out;
    2022             :         }
    2023             : 
    2024           0 :         ASN1_MALLOC_ENCODE(ProxyCertInfo, data.data, data.length,
    2025             :                            &info, &size, ret);
    2026           0 :         free_ProxyCertInfo(&info);
    2027           0 :         if (ret) {
    2028           0 :             hx509_set_error_string(context, 0, ret, "Out of memory");
    2029           0 :             goto out;
    2030             :         }
    2031           0 :         if (size != data.length)
    2032           0 :             _hx509_abort("internal ASN.1 encoder error");
    2033           0 :         ret = add_extension(context, tbsc, 0,
    2034             :                             &asn1_oid_id_pkix_pe_proxyCertInfo,
    2035             :                             &data);
    2036           0 :         free(data.data);
    2037           0 :         if (ret)
    2038           0 :             goto out;
    2039             :     }
    2040             : 
    2041             :     /* Add CRL distribution point */
    2042           0 :     if (tbs->crldp.len) {
    2043           0 :         ASN1_MALLOC_ENCODE(CRLDistributionPoints, data.data, data.length,
    2044             :                            &tbs->crldp, &size, ret);
    2045           0 :         if (ret) {
    2046           0 :             hx509_set_error_string(context, 0, ret, "Out of memory");
    2047           0 :             goto out;
    2048             :         }
    2049           0 :         if (size != data.length)
    2050           0 :             _hx509_abort("internal ASN.1 encoder error");
    2051           0 :         ret = add_extension(context, tbsc, FALSE,
    2052             :                             &asn1_oid_id_x509_ce_cRLDistributionPoints,
    2053             :                             &data);
    2054           0 :         free(data.data);
    2055           0 :         if (ret)
    2056           0 :             goto out;
    2057             :     }
    2058             : 
    2059             :     /* Add CertificatePolicies */
    2060           0 :     if (tbs->cps.len) {
    2061           0 :         ASN1_MALLOC_ENCODE(CertificatePolicies, data.data, data.length,
    2062             :                            &tbs->cps, &size, ret);
    2063           0 :         if (ret) {
    2064           0 :             hx509_set_error_string(context, 0, ret, "Out of memory");
    2065           0 :             goto out;
    2066             :         }
    2067           0 :         if (size != data.length)
    2068           0 :             _hx509_abort("internal ASN.1 encoder error");
    2069           0 :         ret = add_extension(context, tbsc, FALSE,
    2070             :                             &asn1_oid_id_x509_ce_certificatePolicies, &data);
    2071           0 :         free(data.data);
    2072           0 :         if (ret)
    2073           0 :             goto out;
    2074             :     }
    2075             : 
    2076             :     /* Add PolicyMappings */
    2077           0 :     if (tbs->cps.len) {
    2078           0 :         ASN1_MALLOC_ENCODE(PolicyMappings, data.data, data.length,
    2079             :                            &tbs->pms, &size, ret);
    2080           0 :         if (ret) {
    2081           0 :             hx509_set_error_string(context, 0, ret, "Out of memory");
    2082           0 :             goto out;
    2083             :         }
    2084           0 :         if (size != data.length)
    2085           0 :             _hx509_abort("internal ASN.1 encoder error");
    2086           0 :         ret = add_extension(context, tbsc, FALSE,
    2087             :                             &asn1_oid_id_x509_ce_policyMappings, &data);
    2088           0 :         free(data.data);
    2089           0 :         if (ret)
    2090           0 :             goto out;
    2091             :     }
    2092             : 
    2093             :     /* Add Heimdal PKINIT ticket max life extension */
    2094           0 :     if (tbs->pkinitTicketMaxLife > 0) {
    2095           0 :         ASN1_MALLOC_ENCODE(HeimPkinitPrincMaxLifeSecs, data.data, data.length,
    2096             :                            &tbs->pkinitTicketMaxLife, &size, ret);
    2097           0 :         if (ret) {
    2098           0 :             hx509_set_error_string(context, 0, ret, "Out of memory");
    2099           0 :             goto out;
    2100             :         }
    2101           0 :         if (size != data.length)
    2102           0 :             _hx509_abort("internal ASN.1 encoder error");
    2103           0 :         ret = add_extension(context, tbsc, FALSE,
    2104             :                             &asn1_oid_id_heim_ce_pkinit_princ_max_life, &data);
    2105           0 :         free(data.data);
    2106           0 :         if (ret)
    2107           0 :             goto out;
    2108             :     }
    2109             : 
    2110           0 :     ASN1_MALLOC_ENCODE(TBSCertificate, data.data, data.length,tbsc, &size, ret);
    2111           0 :     if (ret) {
    2112           0 :         hx509_set_error_string(context, 0, ret, "malloc out of memory");
    2113           0 :         goto out;
    2114             :     }
    2115           0 :     if (data.length != size)
    2116           0 :         _hx509_abort("internal ASN.1 encoder error");
    2117             : 
    2118           0 :     ret = _hx509_create_signature_bitstring(context,
    2119             :                                             signer,
    2120             :                                             sigalg,
    2121             :                                             &data,
    2122             :                                             &c.signatureAlgorithm,
    2123             :                                             &c.signatureValue);
    2124           0 :     free(data.data);
    2125           0 :     if (ret)
    2126           0 :         goto out;
    2127             : 
    2128           0 :     *certificate = hx509_cert_init(context, &c, &error);
    2129           0 :     if (*certificate == NULL) {
    2130           0 :         ret = heim_error_get_code(error);
    2131           0 :         heim_release(error);
    2132           0 :         goto out;
    2133             :     }
    2134             : 
    2135           0 :     free_Certificate(&c);
    2136             : 
    2137           0 :     return 0;
    2138             : 
    2139           0 : out:
    2140           0 :     free_Certificate(&c);
    2141           0 :     return ret;
    2142             : }
    2143             : 
    2144             : static int
    2145           0 : get_AuthorityKeyIdentifier(hx509_context context,
    2146             :                            const Certificate *certificate,
    2147             :                            AuthorityKeyIdentifier *ai)
    2148             : {
    2149           0 :     SubjectKeyIdentifier si;
    2150           0 :     int ret;
    2151             : 
    2152           0 :     ret = _hx509_find_extension_subject_key_id(certificate, &si);
    2153           0 :     if (ret == 0) {
    2154           0 :         ai->keyIdentifier = calloc(1, sizeof(*ai->keyIdentifier));
    2155           0 :         if (ai->keyIdentifier == NULL) {
    2156           0 :             free_SubjectKeyIdentifier(&si);
    2157           0 :             ret = ENOMEM;
    2158           0 :             hx509_set_error_string(context, 0, ret, "Out of memory");
    2159           0 :             goto out;
    2160             :         }
    2161           0 :         ret = der_copy_octet_string(&si, ai->keyIdentifier);
    2162           0 :         free_SubjectKeyIdentifier(&si);
    2163           0 :         if (ret) {
    2164           0 :             hx509_set_error_string(context, 0, ret, "Out of memory");
    2165           0 :             goto out;
    2166             :         }
    2167             :     } else {
    2168           0 :         GeneralNames gns;
    2169           0 :         GeneralName gn;
    2170           0 :         Name name;
    2171             : 
    2172           0 :         memset(&gn, 0, sizeof(gn));
    2173           0 :         memset(&gns, 0, sizeof(gns));
    2174           0 :         memset(&name, 0, sizeof(name));
    2175             : 
    2176           0 :         ai->authorityCertIssuer =
    2177           0 :             calloc(1, sizeof(*ai->authorityCertIssuer));
    2178           0 :         if (ai->authorityCertIssuer == NULL) {
    2179           0 :             ret = ENOMEM;
    2180           0 :             hx509_set_error_string(context, 0, ret, "Out of memory");
    2181           0 :             goto out;
    2182             :         }
    2183           0 :         ai->authorityCertSerialNumber =
    2184           0 :             calloc(1, sizeof(*ai->authorityCertSerialNumber));
    2185           0 :         if (ai->authorityCertSerialNumber == NULL) {
    2186           0 :             ret = ENOMEM;
    2187           0 :             hx509_set_error_string(context, 0, ret, "Out of memory");
    2188           0 :             goto out;
    2189             :         }
    2190             : 
    2191             :         /*
    2192             :          * XXX unbreak when asn1 compiler handle IMPLICIT
    2193             :          *
    2194             :          * This is so horrible.
    2195             :          */
    2196             : 
    2197           0 :         ret = copy_Name(&certificate->tbsCertificate.subject, &name);
    2198           0 :         if (ret) {
    2199           0 :             hx509_set_error_string(context, 0, ret, "Out of memory");
    2200           0 :             goto out;
    2201             :         }
    2202             : 
    2203           0 :         memset(&gn, 0, sizeof(gn));
    2204           0 :         gn.element = choice_GeneralName_directoryName;
    2205           0 :         gn.u.directoryName.element = choice_Name_rdnSequence;
    2206           0 :         gn.u.directoryName.u.rdnSequence = name.u.rdnSequence;
    2207             : 
    2208           0 :         ret = add_GeneralNames(&gns, &gn);
    2209           0 :         if (ret) {
    2210           0 :             hx509_set_error_string(context, 0, ret, "Out of memory");
    2211           0 :             goto out;
    2212             :         }
    2213             : 
    2214           0 :         ai->authorityCertIssuer->val = gns.val;
    2215           0 :         ai->authorityCertIssuer->len = gns.len;
    2216             : 
    2217           0 :         ret = der_copy_heim_integer(&certificate->tbsCertificate.serialNumber,
    2218             :                                     ai->authorityCertSerialNumber);
    2219           0 :         if (ai->authorityCertSerialNumber == NULL) {
    2220           0 :             ret = ENOMEM;
    2221           0 :             hx509_set_error_string(context, 0, ret, "Out of memory");
    2222           0 :             goto out;
    2223             :         }
    2224             :     }
    2225           0 : out:
    2226           0 :     if (ret)
    2227           0 :         free_AuthorityKeyIdentifier(ai);
    2228           0 :     return ret;
    2229             : }
    2230             : 
    2231             : 
    2232             : /**
    2233             :  * Sign a to-be-signed certificate object with a issuer certificate.
    2234             :  *
    2235             :  * The caller needs to at least have called the following functions on the
    2236             :  * to-be-signed certificate object:
    2237             :  * - hx509_ca_tbs_init()
    2238             :  * - hx509_ca_tbs_set_subject()
    2239             :  * - hx509_ca_tbs_set_spki()
    2240             :  *
    2241             :  * When done the to-be-signed certificate object should be freed with
    2242             :  * hx509_ca_tbs_free().
    2243             :  *
    2244             :  * When creating self-signed certificate use hx509_ca_sign_self() instead.
    2245             :  *
    2246             :  * @param context A hx509 context.
    2247             :  * @param tbs object to be signed.
    2248             :  * @param signer the CA certificate object to sign with (need private key).
    2249             :  * @param certificate return cerificate, free with hx509_cert_free().
    2250             :  *
    2251             :  * @return An hx509 error code, see hx509_get_error_string().
    2252             :  *
    2253             :  * @ingroup hx509_ca
    2254             :  */
    2255             : 
    2256             : HX509_LIB_FUNCTION int HX509_LIB_CALL
    2257           0 : hx509_ca_sign(hx509_context context,
    2258             :               hx509_ca_tbs tbs,
    2259             :               hx509_cert signer,
    2260             :               hx509_cert *certificate)
    2261             : {
    2262           0 :     const Certificate *signer_cert;
    2263           0 :     AuthorityKeyIdentifier ai;
    2264           0 :     int ret;
    2265             : 
    2266           0 :     memset(&ai, 0, sizeof(ai));
    2267             : 
    2268           0 :     signer_cert = _hx509_get_cert(signer);
    2269             : 
    2270           0 :     ret = get_AuthorityKeyIdentifier(context, signer_cert, &ai);
    2271           0 :     if (ret)
    2272           0 :         goto out;
    2273             : 
    2274           0 :     ret = ca_sign(context,
    2275             :                   tbs,
    2276             :                   _hx509_cert_private_key(signer),
    2277             :                   &ai,
    2278             :                   &signer_cert->tbsCertificate.subject,
    2279             :                   certificate);
    2280             : 
    2281           0 : out:
    2282           0 :     free_AuthorityKeyIdentifier(&ai);
    2283             : 
    2284           0 :     return ret;
    2285             : }
    2286             : 
    2287             : /**
    2288             :  * Work just like hx509_ca_sign() but signs it-self.
    2289             :  *
    2290             :  * @param context A hx509 context.
    2291             :  * @param tbs object to be signed.
    2292             :  * @param signer private key to sign with.
    2293             :  * @param certificate return cerificate, free with hx509_cert_free().
    2294             :  *
    2295             :  * @return An hx509 error code, see hx509_get_error_string().
    2296             :  *
    2297             :  * @ingroup hx509_ca
    2298             :  */
    2299             : 
    2300             : HX509_LIB_FUNCTION int HX509_LIB_CALL
    2301           0 : hx509_ca_sign_self(hx509_context context,
    2302             :                    hx509_ca_tbs tbs,
    2303             :                    hx509_private_key signer,
    2304             :                    hx509_cert *certificate)
    2305             : {
    2306           0 :     return ca_sign(context,
    2307             :                    tbs,
    2308             :                    signer,
    2309             :                    NULL,
    2310             :                    NULL,
    2311             :                    certificate);
    2312             : }
    2313             : 
    2314             : /*
    2315             :  * The following used to be `kdc_issue_certificate()', which was added for
    2316             :  * kx509 support in the kdc, then adapted for bx509d.  It now has no
    2317             :  * kdc-specific code and very little krb5-specific code, and is named
    2318             :  * `hx509_ca_issue_certificate()'.
    2319             :  */
    2320             : 
    2321             : /* From lib/krb5/principal.c */
    2322             : #define princ_num_comp(P) ((P)->principalName.name_string.len)
    2323             : #define princ_type(P) ((P)->principalName.name_type)
    2324             : #define princ_comp(P) ((P)->principalName.name_string.val)
    2325             : #define princ_ncomp(P, N) ((P)->principalName.name_string.val[(N)])
    2326             : #define princ_realm(P) ((P)->realm)
    2327             : 
    2328             : static const char *
    2329           0 : princ_get_comp_string(KRB5PrincipalName *principal, unsigned int component)
    2330             : {
    2331           0 :     if (component >= princ_num_comp(principal))
    2332           0 :        return NULL;
    2333           0 :     return princ_ncomp(principal, component);
    2334             : }
    2335             : /* XXX Add unparse_name() */
    2336             : 
    2337             : typedef enum {
    2338             :     CERT_NOTSUP = 0,
    2339             :     CERT_CLIENT = 1,
    2340             :     CERT_SERVER = 2,
    2341             :     CERT_MIXED  = 3
    2342             : } cert_type;
    2343             : 
    2344             : static void
    2345           0 : frees(char **s)
    2346             : {
    2347           0 :     free(*s);
    2348           0 :     *s = NULL;
    2349           0 : }
    2350             : 
    2351             : static heim_error_code
    2352           0 : count_sans(hx509_request req, size_t *n)
    2353             : {
    2354           0 :     size_t i;
    2355           0 :     char *s = NULL;
    2356           0 :     int ret = 0;
    2357             : 
    2358           0 :     *n = 0;
    2359           0 :     for (i = 0; ret == 0; i++) {
    2360           0 :         hx509_san_type san_type;
    2361             : 
    2362           0 :         ret = hx509_request_get_san(req, i, &san_type, &s);
    2363           0 :         if (ret)
    2364           0 :             break;
    2365           0 :         switch (san_type) {
    2366           0 :         case HX509_SAN_TYPE_DNSNAME:
    2367             :         case HX509_SAN_TYPE_EMAIL:
    2368             :         case HX509_SAN_TYPE_XMPP:
    2369             :         case HX509_SAN_TYPE_PKINIT:
    2370             :         case HX509_SAN_TYPE_MS_UPN:
    2371           0 :             (*n)++;
    2372           0 :             break;
    2373           0 :         default:
    2374           0 :             ret = ENOTSUP;
    2375             :         }
    2376           0 :         frees(&s);
    2377             :     }
    2378           0 :     free(s);
    2379           0 :     return ret == HX509_NO_ITEM ? 0 : ret;
    2380             : }
    2381             : 
    2382             : static int
    2383           0 : has_sans(hx509_request req)
    2384             : {
    2385           0 :     hx509_san_type san_type;
    2386           0 :     char *s = NULL;
    2387           0 :     int ret = hx509_request_get_san(req, 0, &san_type, &s);
    2388             : 
    2389           0 :     frees(&s);
    2390           0 :     return ret == HX509_NO_ITEM ? 0 : 1;
    2391             : }
    2392             : 
    2393             : static cert_type
    2394           0 : characterize_cprinc(hx509_context context,
    2395             :                     KRB5PrincipalName *cprinc)
    2396             : {
    2397           0 :     unsigned int ncomp = princ_num_comp(cprinc);
    2398           0 :     const char *comp1 = princ_get_comp_string(cprinc, 1);
    2399             : 
    2400           0 :     switch (ncomp) {
    2401           0 :     case 1:
    2402           0 :         return CERT_CLIENT;
    2403           0 :     case 2:
    2404           0 :         if (strchr(comp1, '.') == NULL)
    2405           0 :             return CERT_CLIENT;
    2406           0 :         return CERT_SERVER;
    2407           0 :     case 3:
    2408           0 :         if (strchr(comp1, '.'))
    2409           0 :             return CERT_SERVER;
    2410           0 :         return CERT_NOTSUP;
    2411           0 :     default:
    2412           0 :         return CERT_NOTSUP;
    2413             :     }
    2414             : }
    2415             : 
    2416             : /* Characterize request as client or server cert req */
    2417             : static cert_type
    2418           0 : characterize(hx509_context context,
    2419             :              KRB5PrincipalName *cprinc,
    2420             :              hx509_request req)
    2421             : {
    2422           0 :     heim_error_code ret = 0;
    2423           0 :     cert_type res = CERT_NOTSUP;
    2424           0 :     size_t i;
    2425           0 :     char *s = NULL;
    2426           0 :     int want_ekus = 0;
    2427             : 
    2428           0 :     if (!has_sans(req))
    2429           0 :         return characterize_cprinc(context, cprinc);
    2430             : 
    2431           0 :     for (i = 0; ret == 0; i++) {
    2432           0 :         heim_oid oid;
    2433             : 
    2434           0 :         frees(&s);
    2435           0 :         ret = hx509_request_get_eku(req, i, &s);
    2436           0 :         if (ret)
    2437           0 :             break;
    2438             : 
    2439           0 :         want_ekus = 1;
    2440           0 :         ret = der_parse_heim_oid(s, ".", &oid);
    2441           0 :         if (ret)
    2442           0 :             break;
    2443             :         /*
    2444             :          * If the client wants only a server certificate, then we'll be
    2445             :          * willing to issue one that may be longer-lived than the client's
    2446             :          * ticket/token.
    2447             :          *
    2448             :          * There may be other server EKUs, but these are the ones we know
    2449             :          * of.
    2450             :          */
    2451           0 :         if (der_heim_oid_cmp(&asn1_oid_id_pkix_kp_serverAuth, &oid) &&
    2452           0 :             der_heim_oid_cmp(&asn1_oid_id_pkix_kp_OCSPSigning, &oid) &&
    2453           0 :             der_heim_oid_cmp(&asn1_oid_id_pkix_kp_secureShellServer, &oid))
    2454           0 :             res |= CERT_CLIENT;
    2455             :         else
    2456           0 :             res |= CERT_SERVER;
    2457           0 :         der_free_oid(&oid);
    2458             :     }
    2459           0 :     frees(&s);
    2460           0 :     if (ret == HX509_NO_ITEM)
    2461           0 :         ret = 0;
    2462             : 
    2463           0 :     for (i = 0; ret == 0; i++) {
    2464           0 :         hx509_san_type san_type;
    2465             : 
    2466           0 :         frees(&s);
    2467           0 :         ret = hx509_request_get_san(req, i, &san_type, &s);
    2468           0 :         if (ret)
    2469           0 :             break;
    2470           0 :         switch (san_type) {
    2471           0 :         case HX509_SAN_TYPE_DNSNAME:
    2472           0 :             if (!want_ekus)
    2473           0 :                 res |= CERT_SERVER;
    2474           0 :             break;
    2475           0 :         case HX509_SAN_TYPE_EMAIL:
    2476             :         case HX509_SAN_TYPE_XMPP:
    2477             :         case HX509_SAN_TYPE_PKINIT:
    2478             :         case HX509_SAN_TYPE_MS_UPN:
    2479           0 :             if (!want_ekus)
    2480           0 :                 res |= CERT_CLIENT;
    2481           0 :             break;
    2482           0 :         default:
    2483           0 :             ret = ENOTSUP;
    2484             :         }
    2485           0 :         if (ret)
    2486           0 :             break;
    2487             :     }
    2488           0 :     frees(&s);
    2489           0 :     if (ret == HX509_NO_ITEM)
    2490           0 :         ret = 0;
    2491           0 :     return ret ? CERT_NOTSUP : res;
    2492             : }
    2493             : 
    2494             : /*
    2495             :  * Get a configuration sub-tree for kx509 based on what's being requested and
    2496             :  * by whom.
    2497             :  *
    2498             :  * We have a number of cases:
    2499             :  *
    2500             :  *  - default certificate (no CSR used, or no certificate extensions requested)
    2501             :  *     - for client principals
    2502             :  *     - for service principals
    2503             :  *  - client certificate requested (CSR used and client-y SANs/EKUs requested)
    2504             :  *  - server certificate requested (CSR used and server-y SANs/EKUs requested)
    2505             :  *  - mixed client/server certificate requested (...)
    2506             :  */
    2507             : static heim_error_code
    2508           0 : get_cf(hx509_context context,
    2509             :        const heim_config_binding *cf,
    2510             :        heim_log_facility *logf,
    2511             :        hx509_request req,
    2512             :        KRB5PrincipalName *cprinc,
    2513             :        const heim_config_binding **out)
    2514             : {
    2515           0 :     heim_error_code ret;
    2516           0 :     unsigned int ncomp = princ_num_comp(cprinc);
    2517           0 :     const char *realm = princ_realm(cprinc);
    2518           0 :     const char *comp0 = princ_get_comp_string(cprinc, 0);
    2519           0 :     const char *comp1 = princ_get_comp_string(cprinc, 1);
    2520           0 :     const char *label = NULL;
    2521           0 :     const char *svc = NULL;
    2522           0 :     const char *def = NULL;
    2523           0 :     cert_type certtype = CERT_NOTSUP;
    2524           0 :     size_t nsans = 0;
    2525             : 
    2526           0 :     *out = NULL;
    2527           0 :     if (ncomp == 0) {
    2528           0 :         heim_log_msg(context->hcontext, logf, 5, NULL,
    2529             :                      "Client principal has no components!");
    2530           0 :         hx509_set_error_string(context, 0, ret = ENOTSUP,
    2531             :                                "Client principal has no components!");
    2532           0 :         return ret;
    2533             :     }
    2534             : 
    2535           0 :     if ((ret = count_sans(req, &nsans)) ||
    2536           0 :         (certtype = characterize(context, cprinc, req)) == CERT_NOTSUP) {
    2537           0 :         heim_log_msg(context->hcontext, logf, 5, NULL,
    2538             :                      "Could not characterize CSR");
    2539           0 :         hx509_set_error_string(context, 0, ret, "Could not characterize CSR");
    2540           0 :         return ret;
    2541             :     }
    2542             : 
    2543           0 :     if (nsans) {
    2544           0 :         def = "custom";
    2545             :         /* Client requested some certificate extension, a SAN or EKU */
    2546           0 :         switch (certtype) {
    2547           0 :         case CERT_MIXED:    label = "mixed";  break;
    2548           0 :         case CERT_CLIENT:   label = "client"; break;
    2549           0 :         case CERT_SERVER:   label = "server"; break;
    2550           0 :         default:
    2551           0 :             hx509_set_error_string(context, 0, ret = ENOTSUP,
    2552             :                                    "Requested SAN/EKU combination not "
    2553             :                                    "supported");
    2554           0 :             return ret;
    2555             :         }
    2556             :     } else {
    2557           0 :         def = "default";
    2558             :         /* Default certificate desired */
    2559           0 :         if (ncomp == 1) {
    2560           0 :             label = "user";
    2561           0 :         } else if (ncomp == 2 && strcmp(comp1, "root") == 0) {
    2562           0 :             label = "root_user";
    2563           0 :         } else if (ncomp == 2 && strcmp(comp1, "admin") == 0) {
    2564           0 :             label = "admin_user";
    2565           0 :         } else if (strchr(comp1, '.')) {
    2566           0 :             label = "hostbased_service";
    2567           0 :             svc = comp0;
    2568             :         } else {
    2569           0 :             label = "other";
    2570             :         }
    2571             :     }
    2572             : 
    2573           0 :     *out = heim_config_get_list(context->hcontext, cf, label, svc, NULL);
    2574           0 :     if (*out) {
    2575           0 :         ret = 0;
    2576             :     } else {
    2577           0 :         heim_log_msg(context->hcontext, logf, 3, NULL,
    2578             :                      "No configuration for %s %s certificate's realm "
    2579             :                      "-> %s -> kx509 -> %s%s%s", def, label, realm, label,
    2580             :                      svc ? " -> " : "", svc ? svc : "");
    2581           0 :         hx509_set_error_string(context, 0, EACCES,
    2582             :                 "No configuration for %s %s certificate's realm "
    2583             :                 "-> %s -> kx509 -> %s%s%s", def, label, realm, label,
    2584             :                 svc ? " -> " : "", svc ? svc : "");
    2585             :     }
    2586           0 :     return ret;
    2587             : }
    2588             : 
    2589             : 
    2590             : /*
    2591             :  * Find and set a certificate template using a configuration sub-tree
    2592             :  * appropriate to the requesting principal.
    2593             :  *
    2594             :  * This allows for the specification of the following in configuration:
    2595             :  *
    2596             :  *  - certificates as templates, with ${var} tokens in subjectName attribute
    2597             :  *    values that will be expanded later
    2598             :  *  - a plain string with ${var} tokens to use as the subjectName
    2599             :  *  - EKUs
    2600             :  *  - whether to include a PKINIT SAN
    2601             :  */
    2602             : static heim_error_code
    2603           0 : set_template(hx509_context context,
    2604             :              heim_log_facility *logf,
    2605             :              const heim_config_binding *cf,
    2606             :              hx509_ca_tbs tbs)
    2607             : {
    2608           0 :     heim_error_code ret = 0;
    2609           0 :     const char *cert_template = NULL;
    2610           0 :     const char *subj_name = NULL;
    2611           0 :     char **ekus = NULL;
    2612             : 
    2613           0 :     if (cf == NULL)
    2614           0 :         return EACCES; /* Can't happen */
    2615             : 
    2616           0 :     cert_template = heim_config_get_string(context->hcontext, cf,
    2617             :                                            "template_cert", NULL);
    2618           0 :     subj_name = heim_config_get_string(context->hcontext, cf, "subject_name",
    2619             :                                        NULL);
    2620             : 
    2621           0 :     if (cert_template) {
    2622           0 :         hx509_certs certs;
    2623           0 :         hx509_cert template;
    2624             : 
    2625           0 :         ret = hx509_certs_init(context, cert_template, 0, NULL, &certs);
    2626           0 :         if (ret == 0)
    2627           0 :             ret = hx509_get_one_cert(context, certs, &template);
    2628           0 :         hx509_certs_free(&certs);
    2629           0 :         if (ret) {
    2630           0 :             heim_log_msg(context->hcontext, logf, 1, NULL,
    2631             :                          "Failed to load certificate template from %s",
    2632             :                          cert_template);
    2633           0 :             hx509_set_error_string(context, 0, EACCES,
    2634             :                                    "Failed to load certificate template from "
    2635             :                                    "%s", cert_template);
    2636           0 :             return ret;
    2637             :         }
    2638             : 
    2639             :         /*
    2640             :          * Only take the subjectName, the keyUsage, and EKUs from the template
    2641             :          * certificate.
    2642             :          */
    2643           0 :         ret = hx509_ca_tbs_set_template(context, tbs,
    2644             :                                         HX509_CA_TEMPLATE_SUBJECT |
    2645             :                                         HX509_CA_TEMPLATE_KU |
    2646             :                                         HX509_CA_TEMPLATE_EKU,
    2647             :                                         template);
    2648           0 :         hx509_cert_free(template);
    2649           0 :         if (ret)
    2650           0 :             return ret;
    2651             :     }
    2652             : 
    2653           0 :     if (subj_name) {
    2654           0 :         hx509_name dn = NULL;
    2655             : 
    2656           0 :         ret = hx509_parse_name(context, subj_name, &dn);
    2657           0 :         if (ret == 0)
    2658           0 :             ret = hx509_ca_tbs_set_subject(context, tbs, dn);
    2659           0 :         hx509_name_free(&dn);
    2660           0 :         if (ret)
    2661           0 :             return ret;
    2662             :     }
    2663             : 
    2664           0 :     if (cert_template == NULL && subj_name == NULL) {
    2665           0 :         hx509_name dn = NULL;
    2666             : 
    2667           0 :         ret = hx509_empty_name(context, &dn);
    2668           0 :         if (ret == 0)
    2669           0 :             ret = hx509_ca_tbs_set_subject(context, tbs, dn);
    2670           0 :         hx509_name_free(&dn);
    2671           0 :         if (ret)
    2672           0 :             return ret;
    2673             :     }
    2674             : 
    2675           0 :     ekus = heim_config_get_strings(context->hcontext, cf, "ekus", NULL);
    2676           0 :     if (ekus) {
    2677             :         size_t i;
    2678             : 
    2679           0 :         for (i = 0; ret == 0 && ekus[i]; i++) {
    2680           0 :             heim_oid oid = { 0, NULL };
    2681             : 
    2682           0 :             if ((ret = der_find_or_parse_heim_oid(ekus[i], ".", &oid)) == 0)
    2683           0 :                 ret = hx509_ca_tbs_add_eku(context, tbs, &oid);
    2684           0 :             der_free_oid(&oid);
    2685             :         }
    2686           0 :         heim_config_free_strings(ekus);
    2687             :     }
    2688             : 
    2689             :     /*
    2690             :      * XXX A KeyUsage template would be nice, but it needs some smarts to
    2691             :      * remove, e.g., encipherOnly, decipherOnly, keyEncipherment, if the SPKI
    2692             :      * algorithm does not support encryption.  The same logic should be added
    2693             :      * to hx509_ca_tbs_set_template()'s HX509_CA_TEMPLATE_KU functionality.
    2694             :      */
    2695           0 :     return ret;
    2696             : }
    2697             : 
    2698             : /*
    2699             :  * Find and set a certificate template, set "variables" in `env', and add add
    2700             :  * default SANs/EKUs as appropriate.
    2701             :  *
    2702             :  * TODO:
    2703             :  *  - lookup a template for the client principal in its HDB entry
    2704             :  *  - lookup subjectName, SANs for a principal in its HDB entry
    2705             :  *  - lookup a host-based client principal's HDB entry and add its canonical
    2706             :  *    name / aliases as dNSName SANs
    2707             :  *    (this would have to be if requested by the client, perhaps)
    2708             :  */
    2709             : static heim_error_code
    2710           0 : set_tbs(hx509_context context,
    2711             :         heim_log_facility *logf,
    2712             :         const heim_config_binding *cf,
    2713             :         hx509_request req,
    2714             :         KRB5PrincipalName *cprinc,
    2715             :         hx509_env *env,
    2716             :         hx509_ca_tbs tbs)
    2717             : {
    2718           0 :     KRB5PrincipalName cprinc_no_realm = *cprinc;
    2719           0 :     heim_error_code ret;
    2720           0 :     unsigned int ncomp = princ_num_comp(cprinc);
    2721           0 :     const char *realm = princ_realm(cprinc);
    2722           0 :     const char *comp0 = princ_get_comp_string(cprinc, 0);
    2723           0 :     const char *comp1 = princ_get_comp_string(cprinc, 1);
    2724           0 :     const char *comp2 = princ_get_comp_string(cprinc, 2);
    2725           0 :     struct rk_strpool *strpool;
    2726           0 :     char *princ_no_realm = NULL;
    2727           0 :     char *princ = NULL;
    2728             : 
    2729           0 :     strpool = _hx509_unparse_kerberos_name(NULL, cprinc);
    2730           0 :     if (strpool)
    2731           0 :         princ = rk_strpoolcollect(strpool);
    2732           0 :     cprinc_no_realm.realm = NULL;
    2733           0 :     strpool = _hx509_unparse_kerberos_name(NULL, &cprinc_no_realm);
    2734           0 :     if (strpool)
    2735           0 :         princ_no_realm = rk_strpoolcollect(strpool);
    2736           0 :     if (princ == NULL || princ_no_realm == NULL) {
    2737           0 :         free(princ);
    2738           0 :         return hx509_enomem(context);
    2739             :     }
    2740           0 :     strpool = NULL;
    2741           0 :     ret = hx509_env_add(context, env, "principal-name-without-realm",
    2742             :                         princ_no_realm);
    2743           0 :     if (ret == 0)
    2744           0 :         ret = hx509_env_add(context, env, "principal-name", princ);
    2745           0 :     if (ret == 0)
    2746           0 :         ret = hx509_env_add(context, env, "principal-name-realm",
    2747             :                             realm);
    2748             : 
    2749             :     /* Populate requested certificate extensions from CSR/CSRPlus if allowed */
    2750           0 :     if (ret == 0)
    2751           0 :         ret = hx509_ca_tbs_set_from_csr(context, tbs, req);
    2752           0 :     if (ret == 0)
    2753           0 :         ret = set_template(context, logf, cf, tbs);
    2754             : 
    2755             :     /*
    2756             :      * Optionally add PKINIT SAN.
    2757             :      *
    2758             :      * Adding an id-pkinit-san means the client can use the certificate to
    2759             :      * initiate PKINIT.  That might seem odd, but it enables a sort of PKIX
    2760             :      * credential delegation by allowing forwarded Kerberos tickets to be
    2761             :      * used to acquire PKIX credentials.  Thus this can work:
    2762             :      *
    2763             :      *      PKIX (w/ HW token) -> Kerberos ->
    2764             :      *        PKIX (w/ softtoken) -> Kerberos ->
    2765             :      *          PKIX (w/ softtoken) -> Kerberos ->
    2766             :      *            ...
    2767             :      *
    2768             :      * Note that we may not have added the PKINIT EKU -- that depends on the
    2769             :      * template, and host-based service templates might well not include it.
    2770             :      */
    2771           0 :     if (ret == 0 && !has_sans(req) &&
    2772           0 :         heim_config_get_bool_default(context->hcontext, cf, FALSE,
    2773             :                                      "include_pkinit_san", NULL)) {
    2774           0 :         ret = hx509_ca_tbs_add_san_pkinit(context, tbs, princ);
    2775             :     }
    2776             : 
    2777           0 :     if (ret)
    2778           0 :         goto out;
    2779             : 
    2780           0 :     if (ncomp == 1) {
    2781           0 :         const char *email_domain;
    2782             : 
    2783           0 :         ret = hx509_env_add(context, env, "principal-component0",
    2784             :                             princ_no_realm);
    2785             : 
    2786             :         /*
    2787             :          * If configured, include an rfc822Name that's just the client's
    2788             :          * principal name sans realm @ configured email domain.
    2789             :          */
    2790           0 :         if (ret == 0 && !has_sans(req) &&
    2791           0 :             (email_domain = heim_config_get_string(context->hcontext, cf,
    2792             :                                                    "email_domain", NULL))) {
    2793           0 :             char *email;
    2794             : 
    2795           0 :             if (asprintf(&email, "%s@%s", princ_no_realm, email_domain) == -1 ||
    2796           0 :                 email == NULL)
    2797           0 :                 goto enomem;
    2798           0 :             ret = hx509_ca_tbs_add_san_rfc822name(context, tbs, email);
    2799           0 :             free(email);
    2800             :         }
    2801           0 :     } else if (ncomp == 2 || ncomp == 3) {
    2802             :         /*
    2803             :          * 2- and 3-component principal name.
    2804             :          *
    2805             :          * We do not have a reliable name-type indicator.  If the second
    2806             :          * component has a '.' in it then we'll assume that the name is a
    2807             :          * host-based (2-component) or domain-based (3-component) service
    2808             :          * principal name.  Else we'll assume it's a two-component admin-style
    2809             :          * username.
    2810             :          */
    2811             : 
    2812           0 :         ret = hx509_env_add(context, env, "principal-component0", comp0);
    2813           0 :         if (ret == 0)
    2814           0 :             ret = hx509_env_add(context, env, "principal-component1", comp1);
    2815           0 :         if (ret == 0 && ncomp == 3)
    2816           0 :             ret = hx509_env_add(context, env, "principal-component2", comp2);
    2817           0 :         if (ret == 0 && strchr(comp1, '.')) {
    2818             :             /* Looks like host-based or domain-based service */
    2819           0 :             ret = hx509_env_add(context, env, "principal-service-name", comp0);
    2820           0 :             if (ret == 0)
    2821           0 :                 ret = hx509_env_add(context, env, "principal-host-name",
    2822             :                                     comp1);
    2823           0 :             if (ret == 0 && ncomp == 3)
    2824           0 :                 ret = hx509_env_add(context, env, "principal-domain-name",
    2825             :                                     comp2);
    2826           0 :             if (ret == 0 && !has_sans(req) &&
    2827           0 :                 heim_config_get_bool_default(context->hcontext, cf, FALSE,
    2828             :                                              "include_dnsname_san", NULL)) {
    2829           0 :                 ret = hx509_ca_tbs_add_san_hostname(context, tbs, comp1);
    2830             :             }
    2831             :         }
    2832             :     } else {
    2833           0 :         heim_log_msg(context->hcontext, logf, 5, NULL,
    2834             :                      "kx509/bx509 client %s has too many components!", princ);
    2835           0 :         hx509_set_error_string(context, 0, ret = EACCES,
    2836             :                                "kx509/bx509 client %s has too many "
    2837             :                                "components!", princ);
    2838             :     }
    2839             : 
    2840           0 : out:
    2841           0 :     if (ret == ENOMEM)
    2842           0 :         goto enomem;
    2843           0 :     free(princ_no_realm);
    2844           0 :     free(princ);
    2845           0 :     return ret;
    2846             : 
    2847           0 : enomem:
    2848           0 :     heim_log_msg(context->hcontext, logf, 0, NULL,
    2849             :                  "Could not set up TBSCertificate: Out of memory");
    2850           0 :     ret = hx509_enomem(context);
    2851           0 :     goto out;
    2852             : }
    2853             : 
    2854             : /*
    2855             :  * Set the notBefore/notAfter for the certificate to be issued.
    2856             :  *
    2857             :  * Here `starttime' is the supplicant's credentials' notBefore equivalent,
    2858             :  * while `endtime' is the supplicant's credentials' notAfter equivalent.
    2859             :  *
    2860             :  * `req_life' is the lifetime requested by the supplicant.
    2861             :  *
    2862             :  * `endtime' must be larger than the current time.
    2863             :  *
    2864             :  * `starttime' can be zero or negative, in which case the notBefore will be the
    2865             :  * current time minus five minutes.
    2866             :  *
    2867             :  * `endtime', `req_life' and configuration parameters will be used to compute
    2868             :  * the actual notAfter.
    2869             :  */
    2870             : static heim_error_code
    2871           0 : tbs_set_times(hx509_context context,
    2872             :               const heim_config_binding *cf,
    2873             :               heim_log_facility *logf,
    2874             :               time_t starttime,
    2875             :               time_t endtime,
    2876             :               time_t req_life,
    2877             :               hx509_ca_tbs tbs)
    2878             : {
    2879           0 :     time_t now = time(NULL);
    2880           0 :     time_t force = heim_config_get_time_default(context->hcontext,
    2881             :                                                 cf, 5 * 24 * 3600,
    2882             :                                                 "force_cert_lifetime", NULL);
    2883           0 :     time_t clamp = heim_config_get_time_default(context->hcontext, cf, 0,
    2884             :                                                 "max_cert_lifetime", NULL);
    2885           0 :     int allow_more = heim_config_get_bool_default(context->hcontext, cf, FALSE,
    2886             :                                                   "allow_extra_lifetime",
    2887             :                                                   NULL);
    2888           0 :     starttime = starttime > 0 ? starttime : now - 5 * 60;
    2889             : 
    2890           0 :     if (endtime < now) {
    2891           0 :         heim_log_msg(context->hcontext, logf, 3, NULL,
    2892             :                      "Endtime is in the past");
    2893           0 :         hx509_set_error_string(context, 0, ERANGE, "Endtime is in the past");
    2894           0 :         return ERANGE;
    2895             :     }
    2896             : 
    2897             :     /* Apply requested lifetime if shorter or if allowed more */
    2898           0 :     if (req_life > 0 && req_life <= endtime - now)
    2899           0 :         endtime = now + req_life;
    2900           0 :     else if (req_life > 0 && allow_more)
    2901           0 :         endtime = now + req_life;
    2902             : 
    2903             :     /* Apply floor */
    2904           0 :     if (force > 0 && force > endtime - now)
    2905           0 :         endtime = now + force;
    2906             : 
    2907             :     /* Apply ceiling */
    2908           0 :     if (clamp > 0 && clamp < endtime - now)
    2909           0 :         endtime = now + clamp;
    2910             : 
    2911           0 :     hx509_ca_tbs_set_notAfter(context, tbs, endtime);
    2912           0 :     hx509_ca_tbs_set_notBefore(context, tbs, starttime);
    2913           0 :     return 0;
    2914             : }
    2915             : 
    2916             : /*
    2917             :  * Build a certifate for `principal' and its CSR.
    2918             :  *
    2919             :  * XXX Make `cprinc' a GeneralName!  That's why this is private for now.
    2920             :  */
    2921             : heim_error_code
    2922           0 : _hx509_ca_issue_certificate(hx509_context context,
    2923             :                             const heim_config_binding *cf,
    2924             :                             heim_log_facility *logf,
    2925             :                             hx509_request req,
    2926             :                             KRB5PrincipalName *cprinc,
    2927             :                             time_t starttime,
    2928             :                             time_t endtime,
    2929             :                             time_t req_life,
    2930             :                             int send_chain,
    2931             :                             hx509_certs *out)
    2932             : {
    2933           0 :     heim_error_code ret;
    2934           0 :     const char *ca;
    2935           0 :     hx509_ca_tbs tbs = NULL;
    2936           0 :     hx509_certs chain = NULL;
    2937           0 :     hx509_cert signer = NULL;
    2938           0 :     hx509_cert cert = NULL;
    2939           0 :     hx509_env env = NULL;
    2940           0 :     KeyUsage ku;
    2941             : 
    2942           0 :     *out = NULL;
    2943             :     /* Force KU */
    2944           0 :     ku = int2KeyUsage(0);
    2945           0 :     ku.digitalSignature = 1;
    2946           0 :     hx509_request_authorize_ku(req, ku);
    2947             : 
    2948           0 :     ret = get_cf(context, cf, logf, req, cprinc, &cf);
    2949           0 :     if (ret)
    2950           0 :         return ret;
    2951             : 
    2952           0 :     if ((ca = heim_config_get_string(context->hcontext, cf,
    2953             :                                      "ca", NULL)) == NULL) {
    2954           0 :         heim_log_msg(context->hcontext, logf, 3, NULL,
    2955             :                      "No kx509 CA issuer credential specified");
    2956           0 :         hx509_set_error_string(context, 0, ret = EACCES,
    2957             :                                "No kx509 CA issuer credential specified");
    2958           0 :         return ret;
    2959             :     }
    2960             : 
    2961           0 :     ret = hx509_ca_tbs_init(context, &tbs);
    2962           0 :     if (ret) {
    2963           0 :         heim_log_msg(context->hcontext, logf, 0, NULL,
    2964             :                      "Failed to create certificate: Out of memory");
    2965           0 :         return ret;
    2966             :     }
    2967             : 
    2968             :     /* Lookup a template and set things in `env' and `tbs' as appropriate */
    2969           0 :     if (ret == 0)
    2970           0 :         ret = set_tbs(context, logf, cf, req, cprinc, &env, tbs);
    2971             : 
    2972             :     /* Populate generic template "env" variables */
    2973             : 
    2974             :     /*
    2975             :      * The `tbs' and `env' are now complete as to naming and EKUs.
    2976             :      *
    2977             :      * We check that the `tbs' is not name-less, after which all remaining
    2978             :      * failures here will not be policy failures.  So we also log the intent to
    2979             :      * issue a certificate now.
    2980             :      */
    2981           0 :     if (ret == 0 && hx509_name_is_null_p(hx509_ca_tbs_get_name(tbs)) &&
    2982           0 :         !has_sans(req)) {
    2983           0 :         heim_log_msg(context->hcontext, logf, 3, NULL,
    2984             :                      "Not issuing certificate because it would have no names");
    2985           0 :         hx509_set_error_string(context, 0, ret = EACCES,
    2986             :                                "Not issuing certificate because it "
    2987             :                                "would have no names");
    2988             :     }
    2989           0 :     if (ret)
    2990           0 :         goto out;
    2991             : 
    2992             :     /*
    2993             :      * Still to be done below:
    2994             :      *
    2995             :      *  - set certificate spki
    2996             :      *  - set certificate validity
    2997             :      *  - expand variables in certificate subject name template
    2998             :      *  - sign certificate
    2999             :      *  - encode certificate and chain
    3000             :      */
    3001             : 
    3002             :     /* Load the issuer certificate and private key */
    3003             :     {
    3004           0 :         hx509_certs certs;
    3005           0 :         hx509_query *q;
    3006             : 
    3007           0 :         ret = hx509_certs_init(context, ca, 0, NULL, &certs);
    3008           0 :         if (ret) {
    3009           0 :             heim_log_msg(context->hcontext, logf, 1, NULL,
    3010             :                          "Failed to load CA certificate and private key %s",
    3011             :                          ca);
    3012           0 :             hx509_set_error_string(context, 0, ret, "Failed to load "
    3013             :                                    "CA certificate and private key %s", ca);
    3014           0 :             goto out;
    3015             :         }
    3016           0 :         ret = hx509_query_alloc(context, &q);
    3017           0 :         if (ret) {
    3018           0 :             hx509_certs_free(&certs);
    3019           0 :             goto out;
    3020             :         }
    3021             : 
    3022           0 :         hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
    3023           0 :         hx509_query_match_option(q, HX509_QUERY_OPTION_KU_KEYCERTSIGN);
    3024             : 
    3025           0 :         ret = hx509_certs_find(context, certs, q, &signer);
    3026           0 :         hx509_query_free(context, q);
    3027           0 :         hx509_certs_free(&certs);
    3028           0 :         if (ret) {
    3029           0 :             heim_log_msg(context->hcontext, logf, 1, NULL,
    3030             :                          "Failed to find a CA certificate in %s", ca);
    3031           0 :             hx509_set_error_string(context, 0, ret,
    3032             :                                    "Failed to find a CA certificate in %s",
    3033             :                                    ca);
    3034           0 :             goto out;
    3035             :         }
    3036             :     }
    3037             : 
    3038             :     /* Populate the subject public key in the TBS context */
    3039             :     {
    3040           0 :         SubjectPublicKeyInfo spki;
    3041             : 
    3042           0 :         ret = hx509_request_get_SubjectPublicKeyInfo(context,
    3043             :                                                      req, &spki);
    3044           0 :         if (ret == 0)
    3045           0 :             ret = hx509_ca_tbs_set_spki(context, tbs, &spki);
    3046           0 :         free_SubjectPublicKeyInfo(&spki);
    3047           0 :         if (ret)
    3048           0 :             goto out;
    3049             :     }
    3050             : 
    3051             :     /* Work out cert expiration */
    3052           0 :     if (ret == 0)
    3053           0 :         ret = tbs_set_times(context, cf, logf, starttime, endtime, req_life,
    3054             :                             tbs);
    3055             : 
    3056             :     /* Expand the subjectName template in the TBS using the env */
    3057           0 :     if (ret == 0)
    3058           0 :         ret = hx509_ca_tbs_subject_expand(context, tbs, env);
    3059           0 :     hx509_env_free(&env);
    3060             : 
    3061             :     /* All done with the TBS, sign/issue the certificate */
    3062           0 :     if (ret == 0)
    3063           0 :         ret = hx509_ca_sign(context, tbs, signer, &cert);
    3064             : 
    3065             :     /*
    3066             :      * Gather the certificate and chain into a MEMORY store, being careful not
    3067             :      * to include private keys in the chain.
    3068             :      *
    3069             :      * We could have specified a separate configuration parameter for an hx509
    3070             :      * store meant to have only the chain and no private keys, but expecting
    3071             :      * the full chain in the issuer credential store and copying only the certs
    3072             :      * (but not the private keys) is safer and easier to configure.
    3073             :      */
    3074           0 :     if (ret == 0)
    3075           0 :         ret = hx509_certs_init(context, "MEMORY:certs",
    3076             :                                HX509_CERTS_NO_PRIVATE_KEYS, NULL, out);
    3077           0 :     if (ret == 0)
    3078           0 :         ret = hx509_certs_add(context, *out, cert);
    3079           0 :     if (ret == 0 && send_chain) {
    3080           0 :         ret = hx509_certs_init(context, ca,
    3081             :                                HX509_CERTS_NO_PRIVATE_KEYS, NULL, &chain);
    3082           0 :         if (ret == 0)
    3083           0 :             ret = hx509_certs_merge(context, *out, chain);
    3084             :     }
    3085             : 
    3086           0 : out:
    3087           0 :     hx509_certs_free(&chain);
    3088           0 :     if (env)
    3089           0 :         hx509_env_free(&env);
    3090           0 :     if (tbs)
    3091           0 :         hx509_ca_tbs_free(&tbs);
    3092           0 :     if (cert)
    3093           0 :         hx509_cert_free(cert);
    3094           0 :     if (signer)
    3095           0 :         hx509_cert_free(signer);
    3096           0 :     if (ret)
    3097           0 :         hx509_certs_free(out);
    3098           0 :     return ret;
    3099             : }

Generated by: LCOV version 1.14