//+------------------------------------------------------------------------- // Microsoft Windows // // Copyright (C) Microsoft Corporation, 2001 - 2001 // // File: asn1util.cpp // // Contents: Minimal ASN.1 utility helper functions. // // Functions: MinAsn1DecodeLength // MinAsn1ExtractContent // MinAsn1ExtractValues // // MinAsn1FindExtension // MinAsn1FindAttribute // MinAsn1ExtractParsedCertificatesFromSignedData // // History: 15-Jan-01 philh created //-------------------------------------------------------------------------- #include "global.hxx" //+------------------------------------------------------------------------- // Get the number of contents octets in a definite-length BER-encoding. // // Parameters: // pcbContent - receives the number of contents octets // pbLength - points to the first length octet // cbBER - number of bytes remaining in the BER encoding // // Returns: // success - the number of bytes in the length field, > 0 // failure - < 0 // // One of the following failure values can be returned: // MINASN1_LENGTH_TOO_LARGE // MINASN1_INSUFFICIENT_DATA // MINASN1_UNSUPPORTED_INDEFINITE_LENGTH //-------------------------------------------------------------------------- LONG WINAPI MinAsn1DecodeLength( OUT DWORD *pcbContent, IN const BYTE *pbLength, IN DWORD cbBER) { long i; BYTE cbLength; const BYTE *pb; if (cbBER < 1) goto TooLittleData; if (0x80 == *pbLength) goto IndefiniteLength; // determine the number of length octets and contents octets if ((cbLength = *pbLength) & 0x80) { cbLength &= ~0x80; // low 7 bits have number of bytes if (cbLength > 4) goto LengthTooLargeError; if (cbLength >= cbBER) goto TooLittleData; *pcbContent = 0; for (i=cbLength, pb=pbLength+1; i>0; i--, pb++) *pcbContent = (*pcbContent << 8) + (const DWORD)*pb; i = cbLength + 1; } else { *pcbContent = (DWORD)cbLength; i = 1; } CommonReturn: return i; // how many bytes there were in the length field LengthTooLargeError: i = MINASN1_LENGTH_TOO_LARGE; goto CommonReturn; IndefiniteLength: i = MINASN1_UNSUPPORTED_INDEFINITE_LENGTH; goto CommonReturn; TooLittleData: i = MINASN1_INSUFFICIENT_DATA; goto CommonReturn; } //+------------------------------------------------------------------------- // Point to the content octets in a definite-length BER-encoded blob. // // Returns: // success - the number of bytes skipped, > 0 // failure - < 0 // // One of the following failure values can be returned: // MINASN1_LENGTH_TOO_LARGE // MINASN1_INSUFFICIENT_DATA // MINASN1_UNSUPPORTED_INDEFINITE_LENGTH // // Assumption: pbData points to a definite-length BER-encoded blob. // If *pcbContent isn't within cbBER, MINASN1_INSUFFICIENT_DATA // is returned. //-------------------------------------------------------------------------- LONG WINAPI MinAsn1ExtractContent( IN const BYTE *pbBER, IN DWORD cbBER, OUT DWORD *pcbContent, OUT const BYTE **ppbContent) { #define TAG_MASK 0x1f DWORD cbIdentifier; DWORD cbContent; LONG cbLength; LONG lHeader; const BYTE *pb = pbBER; if (0 == cbBER--) goto TooLittleData; // Skip over the identifier octet(s) if (TAG_MASK == (*pb++ & TAG_MASK)) { // high-tag-number form cbIdentifier = 2; while (TRUE) { if (0 == cbBER--) goto TooLittleData; if (0 == (*pb++ & 0x80)) break; cbIdentifier++; } } else { // low-tag-number form cbIdentifier = 1; } if (0 > (cbLength = MinAsn1DecodeLength( &cbContent, pb, cbBER))) { lHeader = cbLength; goto CommonReturn; } if (cbContent > (cbBER - cbLength)) goto TooLittleData; pb += cbLength; *pcbContent = cbContent; *ppbContent = pb; lHeader = cbLength + cbIdentifier; CommonReturn: return lHeader; TooLittleData: lHeader = MINASN1_INSUFFICIENT_DATA; goto CommonReturn; } typedef struct _STEP_INTO_STACK_ENTRY { const BYTE *pb; DWORD cb; BOOL fSkipIntoValues; } STEP_INTO_STACK_ENTRY, *PSTEP_INTO_STACK_ENTRY; #define MAX_STEP_INTO_DEPTH 8 //+------------------------------------------------------------------------- // Extract one or more tagged values from the ASN.1 encoded byte array. // // Either steps into the value's content octets (MINASN1_STEP_INTO_VALUE_OP or // MINASN1_OPTIONAL_STEP_INTO_VALUE_OP) or steps over the value's tag, // length and content octets (MINASN1_STEP_OVER_VALUE_OP or // MINASN1_OPTIONAL_STEP_OVER_VALUE_OP). // // You can step out of a stepped into sequence via MINASN1_STEP_OUT_VALUE_OP. // // For tag matching, only supports single byte tags. // // Only definite-length ASN.1 is supported. // // *pcValue is updated with the number of values successfully extracted. // // Returns: // success - >= 0 => length of all bytes consumed through the last value // extracted. For STEP_INTO, only the tag and length // octets. // failure - < 0 => negative (offset + 1) of first bad tagged value // // A non-NULL rgValueBlob[] is updated with the pointer to and length of the // tagged value or its content octets. The rgValuePara[].dwIndex is used to // index into rgValueBlob[]. For OPTIONAL_STEP_OVER or // OPTIONAL_STEP_INTO, if no more bytes in the outer SEQUENCE or if the tag // isn't found, pbData and cbData are set to 0. Additioanlly, for // OPTIONAL_STEP_INTO, all subsequent values are skipped and their // rgValueBlob[] entries zeroed until a STEP_OUT is encountered. // // If MINASN1_RETURN_VALUE_BLOB_FLAG is set, pbData points to // the tag. cbData includes the tag, length and content octets. // // If MINASN1_RETURN_CONTENT_BLOB_FLAG is set, pbData points to the content // octets. cbData includes only the content octets. // // If neither BLOB_FLAG is set, rgValueBlob[] isn't updated. // // For MINASN1_RETURN_CONTENT_BLOB_FLAG of a BITSTRING, pbData is // advanced past the first contents octet containing the number of // unused bits and cbData has been decremented by 1. If cbData > 0, then, // *(pbData - 1) will contain the number of unused bits. //-------------------------------------------------------------------------- LONG WINAPI MinAsn1ExtractValues( IN const BYTE *pbEncoded, IN DWORD cbEncoded, IN OUT DWORD *pcValuePara, IN const MINASN1_EXTRACT_VALUE_PARA *rgValuePara, IN DWORD cValueBlob, OUT OPTIONAL PCRYPT_DER_BLOB rgValueBlob ) { DWORD cValue = *pcValuePara; const BYTE *pb = pbEncoded; DWORD cb = cbEncoded; BOOL fSkipIntoValues = FALSE; DWORD iValue; LONG lAllValues; STEP_INTO_STACK_ENTRY rgStepIntoStack[MAX_STEP_INTO_DEPTH]; DWORD dwStepIntoDepth = 0; for (iValue = 0; iValue < cValue; iValue++) { DWORD dwParaFlags = rgValuePara[iValue].dwFlags; DWORD dwOp = dwParaFlags & MINASN1_MASK_VALUE_OP; const BYTE *pbParaTag = rgValuePara[iValue].rgbTag; DWORD dwIndex = rgValuePara[iValue].dwIndex; BOOL fValueBlob = (dwParaFlags & (MINASN1_RETURN_VALUE_BLOB_FLAG | MINASN1_RETURN_CONTENT_BLOB_FLAG)) && rgValueBlob && (dwIndex < cValueBlob); BOOL fSkipValue = FALSE; LONG lTagLength; DWORD cbContent; const BYTE *pbContent; DWORD cbValue; if (MINASN1_STEP_OUT_VALUE_OP == dwOp) { // Unstack and advance past the last STEP_INTO if (0 == dwStepIntoDepth) goto InvalidStepOutOp; dwStepIntoDepth--; pb = rgStepIntoStack[dwStepIntoDepth].pb; cb = rgStepIntoStack[dwStepIntoDepth].cb; fSkipIntoValues = rgStepIntoStack[dwStepIntoDepth].fSkipIntoValues; continue; } if (fSkipIntoValues) { // For an omitted OPTIONAL_STEP_INTO, all of its included values // are also omitted. fSkipValue = TRUE; } else if (0 == cb) { if (!(MINASN1_OPTIONAL_STEP_INTO_VALUE_OP == dwOp || MINASN1_OPTIONAL_STEP_OVER_VALUE_OP == dwOp)) goto TooLittleData; fSkipValue = TRUE; } else if (pbParaTag) { // Assumption: single byte tag for doing comparison // Check if the encoded tag matches one of the expected tags BYTE bEncodedTag; BYTE bParaTag; bEncodedTag = *pb; while ((bParaTag = *pbParaTag) && bParaTag != bEncodedTag) pbParaTag++; if (0 == bParaTag) { if (!(MINASN1_OPTIONAL_STEP_INTO_VALUE_OP == dwOp || MINASN1_OPTIONAL_STEP_OVER_VALUE_OP == dwOp)) goto InvalidTag; fSkipValue = TRUE; } } if (fSkipValue) { if (fValueBlob) { rgValueBlob[dwIndex].pbData = NULL; rgValueBlob[dwIndex].cbData = 0; } if (MINASN1_STEP_INTO_VALUE_OP == dwOp || MINASN1_OPTIONAL_STEP_INTO_VALUE_OP == dwOp) { // Stack this skipped STEP_INTO if (MAX_STEP_INTO_DEPTH <= dwStepIntoDepth) goto ExceededStepIntoDepth; rgStepIntoStack[dwStepIntoDepth].pb = pb; rgStepIntoStack[dwStepIntoDepth].cb = cb; rgStepIntoStack[dwStepIntoDepth].fSkipIntoValues = fSkipIntoValues; dwStepIntoDepth++; fSkipIntoValues = TRUE; } continue; } lTagLength = MinAsn1ExtractContent( pb, cb, &cbContent, &pbContent ); if (0 >= lTagLength) goto InvalidTagOrLength; cbValue = cbContent + lTagLength; if (fValueBlob) { if (dwParaFlags & MINASN1_RETURN_CONTENT_BLOB_FLAG) { rgValueBlob[dwIndex].pbData = (BYTE *) pbContent; rgValueBlob[dwIndex].cbData = cbContent; if (MINASN1_TAG_BITSTRING == *pb) { if (0 < cbContent) { // Advance past the first contents octet containing // the number of unused bits rgValueBlob[dwIndex].pbData += 1; rgValueBlob[dwIndex].cbData -= 1; } } } else if (dwParaFlags & MINASN1_RETURN_VALUE_BLOB_FLAG) { rgValueBlob[dwIndex].pbData = (BYTE *) pb; rgValueBlob[dwIndex].cbData = cbValue; } } switch (dwOp) { case MINASN1_STEP_INTO_VALUE_OP: case MINASN1_OPTIONAL_STEP_INTO_VALUE_OP: // Stack this STEP_INTO if (MAX_STEP_INTO_DEPTH <= dwStepIntoDepth) goto ExceededStepIntoDepth; rgStepIntoStack[dwStepIntoDepth].pb = pb + cbValue; rgStepIntoStack[dwStepIntoDepth].cb = cb - cbValue; assert(!fSkipIntoValues); rgStepIntoStack[dwStepIntoDepth].fSkipIntoValues = FALSE; dwStepIntoDepth++; pb = pbContent; cb = cbContent; break; case MINASN1_STEP_OVER_VALUE_OP: case MINASN1_OPTIONAL_STEP_OVER_VALUE_OP: pb += cbValue; cb -= cbValue; break; default: goto InvalidArg; } } lAllValues = (LONG)(pb - pbEncoded); assert((DWORD) lAllValues <= cbEncoded); CommonReturn: *pcValuePara = iValue; return lAllValues; InvalidStepOutOp: TooLittleData: InvalidTag: ExceededStepIntoDepth: InvalidTagOrLength: InvalidArg: lAllValues = -((LONG)(pb - pbEncoded)) - 1; goto CommonReturn; } //+------------------------------------------------------------------------- // Find an extension identified by its Encoded Object Identifier. // // Searches the list of parsed extensions returned by // MinAsn1ParseExtensions(). // // If found, returns pointer to the rgExtBlob[MINASN1_EXT_BLOB_CNT]. // Otherwise, returns NULL. //-------------------------------------------------------------------------- PCRYPT_DER_BLOB WINAPI MinAsn1FindExtension( IN PCRYPT_DER_BLOB pEncodedOIDBlob, IN DWORD cExt, IN CRYPT_DER_BLOB rgrgExtBlob[][MINASN1_EXT_BLOB_CNT] ) { DWORD i; DWORD cbOID = pEncodedOIDBlob->cbData; const BYTE *pbOID = pEncodedOIDBlob->pbData; for (i = 0; i < cExt; i++) { if (cbOID == rgrgExtBlob[i][MINASN1_EXT_OID_IDX].cbData && 0 == memcmp(pbOID, rgrgExtBlob[i][MINASN1_EXT_OID_IDX].pbData, cbOID)) return rgrgExtBlob[i]; } return NULL; } //+------------------------------------------------------------------------- // Find the first attribute identified by its Encoded Object Identifier. // // Searches the list of parsed attributes returned by // MinAsn1ParseAttributes(). // // If found, returns pointer to the rgAttrBlob[MINASN1_ATTR_BLOB_CNT]. // Otherwise, returns NULL. //-------------------------------------------------------------------------- PCRYPT_DER_BLOB WINAPI MinAsn1FindAttribute( IN PCRYPT_DER_BLOB pEncodedOIDBlob, IN DWORD cAttr, IN CRYPT_DER_BLOB rgrgAttrBlob[][MINASN1_ATTR_BLOB_CNT] ) { DWORD i; DWORD cbOID = pEncodedOIDBlob->cbData; const BYTE *pbOID = pEncodedOIDBlob->pbData; for (i = 0; i < cAttr; i++) { if (cbOID == rgrgAttrBlob[i][MINASN1_ATTR_OID_IDX].cbData && 0 == memcmp(pbOID, rgrgAttrBlob[i][MINASN1_ATTR_OID_IDX].pbData, cbOID)) return rgrgAttrBlob[i]; } return NULL; } //+------------------------------------------------------------------------- // Parses an ASN.1 encoded PKCS #7 Signed Data Message to extract and // parse the X.509 certificates it contains. // // Assumes the PKCS #7 message is definite length encoded. // Assumes PKCS #7 version 1.5, ie, not the newer CMS version. // // Upon input, *pcCert contains the maximum number of parsed certificates // that can be returned. Updated with the number of certificates processed. // // If the encoded message was successfully parsed, TRUE is returned // with *pcCert updated with the number of parsed certificates. Otherwise, // FALSE is returned for a parse error. // Returns: // success - >= 0 => bytes skipped, length of the encoded certificates // processed. // failure - < 0 => negative (offset + 1) of first bad tagged value // from beginning of message. // // The rgrgCertBlob[][] is updated with pointer to and length of the // fields in the encoded certificate. See MinAsn1ParseCertificate for the // field definitions. //-------------------------------------------------------------------------- LONG WINAPI MinAsn1ExtractParsedCertificatesFromSignedData( IN const BYTE *pbEncoded, IN DWORD cbEncoded, IN OUT DWORD *pcCert, OUT CRYPT_DER_BLOB rgrgCertBlob[][MINASN1_CERT_BLOB_CNT] ) { LONG lSkipped; CRYPT_DER_BLOB rgSignedDataBlob[MINASN1_SIGNED_DATA_BLOB_CNT]; lSkipped = MinAsn1ParseSignedData( pbEncoded, cbEncoded, rgSignedDataBlob ); if (0 >= lSkipped) goto ParseError; lSkipped = MinAsn1ParseSignedDataCertificates( &rgSignedDataBlob[MINASN1_SIGNED_DATA_CERTS_IDX], pcCert, rgrgCertBlob ); if (0 > lSkipped) { assert(rgSignedDataBlob[MINASN1_SIGNED_DATA_CERTS_IDX].pbData > pbEncoded); // number of data bytes should be bounded, so this is a safe cast lSkipped -= (LONG) (rgSignedDataBlob[MINASN1_SIGNED_DATA_CERTS_IDX].pbData - pbEncoded); goto ParseError; } CommonReturn: return lSkipped; ParseError: *pcCert = 0; goto CommonReturn; }