From efadbf79e9c864578bfd1277d824e69b2989aac5 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Thu, 30 Mar 2006 07:22:01 +0000 Subject: - rewrote a lot of RSA stuff - done major work for ASN1/decoder - allow loading of ASN1 der encoded private keys, public keys and certificates - extracting public key from certificates - passing certificates from stroke to charon => basic authentication with RSA certificates works! --- Source/charon/asn1/asn1.c | 34 +++- Source/charon/asn1/asn1.h | 86 +++++++-- Source/charon/asn1/der_decoder.c | 395 +++++++++++++++++++++++++++++++++------ Source/charon/asn1/der_decoder.h | 22 ++- 4 files changed, 449 insertions(+), 88 deletions(-) (limited to 'Source/charon/asn1') diff --git a/Source/charon/asn1/asn1.c b/Source/charon/asn1/asn1.c index cbd030bb5..01952386c 100644 --- a/Source/charon/asn1/asn1.c +++ b/Source/charon/asn1/asn1.c @@ -1,21 +1,33 @@ +/** + * @file asn1.c + * + * @brief String mappings for asn1.h + * + */ - - - - +/* + * Copyright (C) 2006 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ #include "asn1.h" - - - - mapping_t asn1_type_m[] = { {ASN1_END, "ASN1_END"}, {ASN1_BOOLEAN, "ASN1_BOOLEAN"}, {ASN1_INTEGER, "ASN1_INTEGER"}, - {ASN1_BIT_STRING, "ASN1_BIT_STRING"}, - {ASN1_OCTET_STRING, "ASN1_OCTET_STRING"}, + {ASN1_BITSTRING, "ASN1_BITSTRING"}, + {ASN1_OCTETSTRING, "ASN1_OCTETSTRING"}, {ASN1_NULL, "ASN1_NULL"}, {ASN1_OID, "ASN1_OID"}, {ASN1_ENUMERATED, "ASN1_ENUMERATED"}, @@ -43,6 +55,7 @@ mapping_t asn1_type_m[] = { {ASN1_TAG_E_5, "ASN1_TAG_E_5"}, {ASN1_TAG_E_6, "ASN1_TAG_E_6"}, {ASN1_TAG_E_7, "ASN1_TAG_E_7"}, + {ASN1_TAG_I_0, "ASN1_TAG_I_0"}, {ASN1_TAG_I_1, "ASN1_TAG_I_1"}, {ASN1_TAG_I_2, "ASN1_TAG_I_2"}, {ASN1_TAG_I_3, "ASN1_TAG_I_3"}, @@ -50,6 +63,7 @@ mapping_t asn1_type_m[] = { {ASN1_TAG_I_5, "ASN1_TAG_I_5"}, {ASN1_TAG_I_6, "ASN1_TAG_I_6"}, {ASN1_TAG_I_7, "ASN1_TAG_I_7"}, + {ASN1_CHOICE, "ASN1_CHOICE"}, }; mapping_t asn1_flag_m[] = { diff --git a/Source/charon/asn1/asn1.h b/Source/charon/asn1/asn1.h index a828034ee..894f048d2 100644 --- a/Source/charon/asn1/asn1.h +++ b/Source/charon/asn1/asn1.h @@ -1,7 +1,7 @@ /** * @file asn1.h * - * @brief Definition of asn1_type_t and asn1_rule_t. + * @brief Definition of asn1_rule_t and other ASN1 stuff. * */ @@ -27,12 +27,20 @@ typedef enum asn1_type_t asn1_type_t; +/** + * @brief Real and some special ASN1 types. + * + * @ingroup asn1 + */ enum asn1_type_t { + /** + * End of a sequence, set, choice + */ ASN1_END = 0x00, ASN1_BOOLEAN = 0x01, ASN1_INTEGER = 0x02, - ASN1_BIT_STRING = 0x03, - ASN1_OCTET_STRING = 0x04, + ASN1_BITSTRING = 0x03, + ASN1_OCTETSTRING = 0x04, ASN1_NULL = 0x05, ASN1_OID = 0x06, ASN1_ENUMERATED = 0x0A, @@ -52,6 +60,9 @@ enum asn1_type_t { ASN1_CONSTRUCTED = 0x20, ASN1_SEQUENCE = 0x30, ASN1_SET = 0x31, + /** + * EXCPLICIT tags + */ ASN1_TAG_E_0 = 0xA0, ASN1_TAG_E_1 = 0xA1, ASN1_TAG_E_2 = 0xA2, @@ -60,6 +71,10 @@ enum asn1_type_t { ASN1_TAG_E_5 = 0xA5, ASN1_TAG_E_6 = 0xA6, ASN1_TAG_E_7 = 0xA7, + /** + * IMPLICIT tags + */ + ASN1_TAG_I_0 = 0x80, ASN1_TAG_I_1 = 0x81, ASN1_TAG_I_2 = 0x82, ASN1_TAG_I_3 = 0x83, @@ -67,24 +82,70 @@ enum asn1_type_t { ASN1_TAG_I_5 = 0x85, ASN1_TAG_I_6 = 0x86, ASN1_TAG_I_7 = 0x87, + /** + * Begin of a choice + */ + ASN1_CHOICE = 0xFE, + /** + * ANY type + */ + ASN1_ANY = 0xFF, }; +/** + * String mappings for asn1_type_t + */ extern mapping_t asn1_type_m[]; + typedef enum asn1_flag_t asn1_flag_t; +/** + * @brief Flags used to build ASN1 rules. + * + * @ingroup asn1 + */ enum asn1_flag_t { + /** + * Field is optional + */ ASN1_OPTIONAL = 0x01, + /** + * Field has a default value and is therefore optional + */ ASN1_DEFAULT = 0x02, + /** + * Convert this INTEGER to an mpz_t + */ ASN1_MPZ = 0x04, + /** + * SEQUENCE or SET OF + */ ASN1_OF = 0x08, + /** + * Parse this Sequence in a RAW chunk too. + * Used for crypto calculations... + */ + ASN1_RAW = 0x10, }; +/** + * String mappings for asn1_flag_t + */ extern mapping_t asn1_flag_m[]; typedef struct asn1_rule_t asn1_rule_t; +/** + * @brief Single rule of a complet ruleset. + * + * This rule containing a type, flags and additional + * data allow modellation of complex ASN1 structures and + * allow their en- and decoding... + * + * @ingroup asn1 + */ struct asn1_rule_t { /** * ASN1 type @@ -98,18 +159,13 @@ struct asn1_rule_t { * offset of data in structure */ u_int data_offset; -// union { - /** - * offset to a boolean, which says if optional - * data is available at data_offset. Used if - * flags & ASN1_OPTIONAL. - */ -// u_int available_offset; - /** - * default value, used if flags & ASN1_DEFAULT - */ - u_int default_value; -// }; + /** + * offset to a boolean, which says if optional + * data is available at data_offset. Used if + * flags & ASN1_OPTIONAL. + * default value, used if flags & ASN1_DEFAULT + */ + u_int additional; }; diff --git a/Source/charon/asn1/der_decoder.c b/Source/charon/asn1/der_decoder.c index 59ea4b077..91521b96a 100644 --- a/Source/charon/asn1/der_decoder.c +++ b/Source/charon/asn1/der_decoder.c @@ -5,9 +5,12 @@ */ /* - * Copyright (C) 2005 Jan Hutter, Martin Willi + * Copyright (C) 2000-2004 Andreas Steffen + * Copyright (C) 2006 Martin Willi * Hochschule fuer Technik Rapperswil * + * Some parts taken over from pluto/asn1.c + * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your @@ -39,56 +42,269 @@ struct private_der_decoder_t { */ der_decoder_t public; + /** + * Rule which was just processed + */ asn1_rule_t *rule; + /** + * First rule of the hole ruleset + */ asn1_rule_t *first_rule; + /** + * Output data struct + */ void *output; + /** + * Complex things like this need a logger ;-) + */ logger_t *logger; }; status_t read_hdr(private_der_decoder_t *this, chunk_t *data); +/** + * Read a sequence from data, parse its contents recursivly + */ status_t read_sequence(private_der_decoder_t *this, chunk_t data) { - while (this->rule->type != ASN1_END) + status_t status; + asn1_rule_t *next_rule; + + while(TRUE) { - read_hdr(this, &data); + next_rule = this->rule + 1; + if (next_rule->type == ASN1_END) + { + this->rule++; + break; + } + status = read_hdr(this, &data); + if (status != SUCCESS) + { + return status; + } } + + this->logger->log(this->logger, CONTROL|LEVEL2, "Sequence end"); return SUCCESS; } +/** + * Read choice of data, parse if one of the choosable types arise + */ +status_t read_choice(private_der_decoder_t *this, chunk_t *data) +{ + status_t status = PARSE_ERROR; + asn1_rule_t *next_rule; + bool found = FALSE; + + this->logger->log_chunk(this->logger, CONTROL|LEVEL2, "Choice data", *data); + + while(TRUE) + { + next_rule = this->rule + 1; + if (next_rule->type == ASN1_END) + { + this->rule++; + return status; + } + if (!found && *(data->ptr) == next_rule->type) + { + found = TRUE; + status = read_hdr(this, data); + } + else + { + this->rule++; + } + } + this->logger->log(this->logger, CONTROL|LEVEL2, "Choice end"); + return status; +} +/** + * Read a utc or generalized time + */ +status_t read_time(private_der_decoder_t *this, chunk_t data) +{ + struct tm t; + time_t tz_offset; + u_char *eot = NULL; + const char* format; + time_t *result = (time_t*)((u_int8_t*)this->output + this->rule->data_offset); + + /* TODO: Test it */ + this->logger->log_chunk(this->logger, CONTROL|LEVEL2, "TIME", data); + + if ((eot = memchr(data.ptr, 'Z', data.len)) != NULL) + { + /* Zulu time with a zero time zone offset */ + tz_offset = 0; + } + else if ((eot = memchr(data.ptr, '+', data.len)) != NULL) + { + int tz_hour, tz_min; + + sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min); + /* positive time zone offset */ + tz_offset = 3600*tz_hour + 60*tz_min; + } + else if ((eot = memchr(data.ptr, '-', data.len)) != NULL) + { + int tz_hour, tz_min; + + sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min); + /* negative time zone offset */ + tz_offset = -3600*tz_hour - 60*tz_min; + } + else + { + /* error in time format */ + return PARSE_ERROR; + } + + if (this->rule->type == ASN1_UTCTIME) + { + format = "%2d%2d%2d%2d%2d"; + } + else + { + format = "%4d%2d%2d%2d%2d"; + } + + sscanf(data.ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday, &t.tm_hour, &t.tm_min); + + /* is there a seconds field? */ + if ((eot - data.ptr) == ((this->rule->type == ASN1_UTCTIME)?12:14)) + { + sscanf(eot-2, "%2d", &t.tm_sec); + } + else + { + t.tm_sec = 0; + } + + /* representation of year */ + if (t.tm_year >= 1900) + { + t.tm_year -= 1900; + } + else if (t.tm_year >= 100) + { + return PARSE_ERROR; + } + else if (t.tm_year < 50) + { + t.tm_year += 100; + } + + /* representation of month 0..11*/ + t.tm_mon--; + + /* set daylight saving time to off */ + t.tm_isdst = 0; + + /* compensate timezone */ + + *result = mktime(&t) - timezone - tz_offset; + return SUCCESS; +} + +/** + * Read an integer as u_int or as mpz_t + */ status_t read_int(private_der_decoder_t *this, chunk_t data) { this->logger->log_chunk(this->logger, CONTROL|LEVEL2, "ASN1_INTEGER", data); - u_int *integ = (u_int*)((u_int8_t*)this->output + this->rule->data_offset); - *integ = 0; - while (data.len-- > 0) + if (this->rule->flags & ASN1_MPZ) { - *integ = 256 * (*integ) + *data.ptr++; + mpz_t *mpz = (mpz_t*)((u_int8_t*)this->output + this->rule->data_offset); + mpz_import(*mpz, data.len, 1, 1, 1, 0, data.ptr); + } + else + { + u_int *integ = (u_int*)((u_int8_t*)this->output + this->rule->data_offset); + + *integ = 0; + while (data.len-- > 0) + { + *integ = 256 * (*integ) + *data.ptr++; + } } return SUCCESS; } -status_t read_mpz(private_der_decoder_t *this, chunk_t data) +/** + * Read boolean value + */ +status_t read_bool(private_der_decoder_t *this, chunk_t data) { - this->logger->log_chunk(this->logger, CONTROL|LEVEL2, "ASN1_INTEGER as mpz", data); - mpz_t *mpz = (mpz_t*)((u_int8_t*)this->output + this->rule->data_offset); + this->logger->log_chunk(this->logger, CONTROL|LEVEL2, "ASN1_BOOLEAN", data); + + bool *boolean = (u_int*)((u_int8_t*)this->output + this->rule->data_offset); - mpz_import(*mpz, data.len, 1, 1, 1, 0, data.ptr); + *boolean = *data.ptr; + + return SUCCESS; +} + +/** + * Read an OID + */ +status_t read_oid(private_der_decoder_t *this, chunk_t data) +{ + this->logger->log_chunk(this->logger, CONTROL|LEVEL2, "ASN1_OID", data); + /* TODO: OID parsing stuff */ return SUCCESS; } +/** + * Read a bitstring + */ +status_t read_bitstring(private_der_decoder_t *this, chunk_t data) +{ + /* TODO: cleanly determine amount of unused bits */ + + /* skip "unused-bits-in-following-byte"-byte */ + data.ptr += 1; + data.len -= 1; + + chunk_t *chunk = (chunk_t*)((u_int8_t*)this->output + this->rule->data_offset); + + *chunk = allocator_clone_chunk(data); + + this->logger->log_chunk(this->logger, CONTROL|LEVEL2, "ASN1_BITSTRING", data); + return SUCCESS; +} + +/** + * Read any type which appears in a chunk + */ +status_t read_any(private_der_decoder_t *this, chunk_t data) +{ + chunk_t *chunk = (chunk_t*)((u_int8_t*)this->output + this->rule->data_offset); + + *chunk = allocator_clone_chunk(data); + + this->logger->log_chunk(this->logger, CONTROL|LEVEL2, "ASN1_ANY", data); + return SUCCESS; +} + +/** + * Read the length field of a type + */ u_int32_t read_length(chunk_t *data) { u_int8_t n; size_t len; /* read first octet of length field */ - n = *data->ptr++; + n = *data->ptr; + data->ptr++; data->len--; if ((n & 0x80) == 0) { @@ -114,81 +330,138 @@ u_int32_t read_length(chunk_t *data) len = 0; while (n-- > 0) { - len = 256 * len + *data->ptr++; + len = 256 * len + *data->ptr; + data->ptr++; data->len--; } return len; } +/** + * Read the next field + */ status_t read_hdr(private_der_decoder_t *this, chunk_t *data) { chunk_t inner; + /* TODO: Redo this that an average mid-european can understand it */ +beginning: /* advance to the next rule */ this->rule++; - if (this->rule->type == ASN1_END) - { - return SUCCESS; - } - - this->logger->log(this->logger, CONTROL|LEVEL2, "reading header of rule %s", - mapping_find(asn1_type_m, this->rule->type)); - - this->logger->log_chunk(this->logger, CONTROL|LEVEL2, "reading from:", *data); - - /* read type, advance in data */ - if (*(data->ptr) != this->rule->type) - { - this->logger->log(this->logger, CONTROL|LEVEL2, "Bad byte found (%x)", *data->ptr); - return PARSE_ERROR; - } - data->ptr++; - data->len--; - - /* read length, advance in data */ - inner.len = read_length(data); - if (inner.len == -1) - { - this->logger->log(this->logger, CONTROL|LEVEL2, "Error reading length"); - return PARSE_ERROR; - } - this->logger->log(this->logger, CONTROL|LEVEL2, "Length is %d", - inner.len); - inner.ptr = data->ptr; - - /* advance in data */ - data->ptr += inner.len; - data->len -= inner.len; + this->logger->log(this->logger, CONTROL|LEVEL2, "reading rule %d %s", + this->rule - this->first_rule, + mapping_find(asn1_type_m, this->rule->type)); - /* process inner */ switch (this->rule->type) { - case ASN1_INTEGER: - if (this->rule->flags & ASN1_MPZ) + case ASN1_END: + /* ignore, handled outside */ + return SUCCESS; + case ASN1_CHOICE: + /* CHOICE has no type/length */ + break; + default: + /* anything else has type/length */ + if (data->len == 0) { - read_mpz(this, inner); + goto beginning; } - else + this->logger->log_chunk(this->logger, CONTROL|LEVEL3, "reading from:", *data); + + /* read type, advance in data */ + if (this->rule->type != ASN1_ANY && *(data->ptr) != this->rule->type) { - read_int(this, inner); + if (this->rule->flags & ASN1_OPTIONAL) + { + goto beginning; + } + if (this->rule->flags & ASN1_DEFAULT) + { + goto beginning; + } + this->logger->log(this->logger, CONTROL|LEVEL2, "Bad byte found: %x, %x expected", + *data->ptr, this->rule->type); + return PARSE_ERROR; } - break; - case ASN1_SEQUENCE: - read_sequence(this, inner); - break; - default: - break; + data->ptr++; + data->len--; + + /* read length, advance in data */ + inner.len = read_length(data); + if (inner.len == -1) + { + this->logger->log(this->logger, CONTROL|LEVEL2, "Error reading length"); + return PARSE_ERROR; + } + this->logger->log(this->logger, CONTROL|LEVEL2, "Length is %d", inner.len); + inner.ptr = data->ptr; + + /* advance in data, at the size of the inner */ + data->ptr += inner.len; + data->len -= inner.len; } - return SUCCESS; + /* process inner */ + while (TRUE) + { + switch (this->rule->type) + { + case ASN1_INTEGER: + return read_int(this, inner); + case ASN1_BOOLEAN: + return read_bool(this, inner); + case ASN1_SEQUENCE: + case ASN1_SET: + return read_sequence(this, inner); + case ASN1_TAG_E_0: + case ASN1_TAG_E_1: + case ASN1_TAG_E_2: + case ASN1_TAG_E_3: + case ASN1_TAG_E_4: + case ASN1_TAG_E_5: + case ASN1_TAG_E_6: + case ASN1_TAG_E_7: + return read_hdr(this, &inner); + case ASN1_TAG_I_0: + case ASN1_TAG_I_1: + case ASN1_TAG_I_2: + case ASN1_TAG_I_3: + case ASN1_TAG_I_4: + case ASN1_TAG_I_5: + case ASN1_TAG_I_6: + case ASN1_TAG_I_7: + this->rule++; + continue; + case ASN1_OID: + return read_oid(this, inner); + case ASN1_CHOICE: + return read_choice(this, data); + case ASN1_NULL: + return SUCCESS; + case ASN1_ANY: + return read_any(this, inner); + case ASN1_UTCTIME: + return read_time(this, inner); + case ASN1_GENERALIZEDTIME: + return read_time(this, inner); + case ASN1_BITSTRING: + return read_bitstring(this, inner); + case ASN1_OCTETSTRING: + return read_any(this, inner); + default: + return NOT_SUPPORTED; + } + } } - - +/** + * Implements der_decoder_t.decode + */ status_t decode(private_der_decoder_t *this, chunk_t input, void *output) { this->rule = this->first_rule - 1; this->output = output; + /* start parsing recursivly */ return read_hdr(this, &input); } diff --git a/Source/charon/asn1/der_decoder.h b/Source/charon/asn1/der_decoder.h index d6ccaf4cc..68731b5d9 100644 --- a/Source/charon/asn1/der_decoder.h +++ b/Source/charon/asn1/der_decoder.h @@ -29,15 +29,29 @@ typedef struct der_decoder_t der_decoder_t; /** - * @brief Decode der_encoded bytes to usable structures. + * @brief Decode ASN1 DER encoded chunks. * * @b Constructors: * - der_decoder_create() * + * @todo A lot. + * * @ingroup asn1 */ struct der_decoder_t { + /** + * @brief Decode a chunk of bytes to a data structure + * + * @param der_decoder calling object + * @param input chunk of data to decode + * @param output data structure where decoded data is written + * @return + * - PARSE_ERROR + * - FAILED + * - NOT_SUPPORTED + * - or SUCCESS sometimes + */ status_t (*decode) (der_decoder_t *this, chunk_t input, void *output); /** @@ -52,7 +66,11 @@ struct der_decoder_t { /** * @brief Create a der_decoder instance. * - * @return der_decoder_t object + * The instance needs ASN1 rules to know how to decode + * data... + * + * @param rules set of ASN1 coding rules + * @return der_decoder_t object * * @ingroup ans1 */ -- cgit v1.2.3