|
|
//+-------------------------------------------------------------------------
// Microsoft Windows
//
// Copyright (C) Microsoft Corporation, 2001 - 2001
//
// File: asn1util.cpp
//
// Contents: Minimal ASN.1 utility helper functions.
//
// Functions: MinAsn1DecodeLength
// MinAsn1ExtractContent
// MinAsn1ExtractValues
//
// MinAsn1FindExtension
// MinAsn1FindAttribute
// MinAsn1ExtractParsedCertificatesFromSignedData
//
// History: 15-Jan-01 philh created
//--------------------------------------------------------------------------
#include "global.hxx"
//+-------------------------------------------------------------------------
// Get the number of contents octets in a definite-length BER-encoding.
//
// Parameters:
// pcbContent - receives the number of contents octets
// pbLength - points to the first length octet
// cbBER - number of bytes remaining in the BER encoding
//
// Returns:
// success - the number of bytes in the length field, > 0
// failure - < 0
//
// One of the following failure values can be returned:
// MINASN1_LENGTH_TOO_LARGE
// MINASN1_INSUFFICIENT_DATA
// MINASN1_UNSUPPORTED_INDEFINITE_LENGTH
//--------------------------------------------------------------------------
LONGWINAPIMinAsn1DecodeLength( OUT DWORD *pcbContent, IN const BYTE *pbLength, IN DWORD cbBER){ long i; BYTE cbLength; const BYTE *pb;
if (cbBER < 1) goto TooLittleData;
if (0x80 == *pbLength) goto IndefiniteLength;
// determine the number of length octets and contents octets
if ((cbLength = *pbLength) & 0x80) { cbLength &= ~0x80; // low 7 bits have number of bytes
if (cbLength > 4) goto LengthTooLargeError; if (cbLength >= cbBER) goto TooLittleData; *pcbContent = 0; for (i=cbLength, pb=pbLength+1; i>0; i--, pb++) *pcbContent = (*pcbContent << 8) + (const DWORD)*pb; i = cbLength + 1; } else { *pcbContent = (DWORD)cbLength; i = 1; }
CommonReturn: return i; // how many bytes there were in the length field
LengthTooLargeError: i = MINASN1_LENGTH_TOO_LARGE; goto CommonReturn;
IndefiniteLength: i = MINASN1_UNSUPPORTED_INDEFINITE_LENGTH; goto CommonReturn;
TooLittleData: i = MINASN1_INSUFFICIENT_DATA; goto CommonReturn;}
//+-------------------------------------------------------------------------
// Point to the content octets in a definite-length BER-encoded blob.
//
// Returns:
// success - the number of bytes skipped, > 0
// failure - < 0
//
// One of the following failure values can be returned:
// MINASN1_LENGTH_TOO_LARGE
// MINASN1_INSUFFICIENT_DATA
// MINASN1_UNSUPPORTED_INDEFINITE_LENGTH
//
// Assumption: pbData points to a definite-length BER-encoded blob.
// If *pcbContent isn't within cbBER, MINASN1_INSUFFICIENT_DATA
// is returned.
//--------------------------------------------------------------------------
LONGWINAPIMinAsn1ExtractContent( IN const BYTE *pbBER, IN DWORD cbBER, OUT DWORD *pcbContent, OUT const BYTE **ppbContent){#define TAG_MASK 0x1f
DWORD cbIdentifier; DWORD cbContent; LONG cbLength; LONG lHeader; const BYTE *pb = pbBER;
if (0 == cbBER--) goto TooLittleData;
// Skip over the identifier octet(s)
if (TAG_MASK == (*pb++ & TAG_MASK)) { // high-tag-number form
cbIdentifier = 2; while (TRUE) { if (0 == cbBER--) goto TooLittleData; if (0 == (*pb++ & 0x80)) break; cbIdentifier++; } } else { // low-tag-number form
cbIdentifier = 1; }
if (0 > (cbLength = MinAsn1DecodeLength( &cbContent, pb, cbBER))) { lHeader = cbLength; goto CommonReturn; }
if (cbContent > (cbBER - cbLength)) goto TooLittleData;
pb += cbLength;
*pcbContent = cbContent; *ppbContent = pb;
lHeader = cbLength + cbIdentifier;CommonReturn: return lHeader;
TooLittleData: lHeader = MINASN1_INSUFFICIENT_DATA; goto CommonReturn;}
typedef struct _STEP_INTO_STACK_ENTRY { const BYTE *pb; DWORD cb; BOOL fSkipIntoValues;} STEP_INTO_STACK_ENTRY, *PSTEP_INTO_STACK_ENTRY;
#define MAX_STEP_INTO_DEPTH 8
//+-------------------------------------------------------------------------
// Extract one or more tagged values from the ASN.1 encoded byte array.
//
// Either steps into the value's content octets (MINASN1_STEP_INTO_VALUE_OP or
// MINASN1_OPTIONAL_STEP_INTO_VALUE_OP) or steps over the value's tag,
// length and content octets (MINASN1_STEP_OVER_VALUE_OP or
// MINASN1_OPTIONAL_STEP_OVER_VALUE_OP).
//
// You can step out of a stepped into sequence via MINASN1_STEP_OUT_VALUE_OP.
//
// For tag matching, only supports single byte tags.
//
// Only definite-length ASN.1 is supported.
//
// *pcValue is updated with the number of values successfully extracted.
//
// Returns:
// success - >= 0 => length of all bytes consumed through the last value
// extracted. For STEP_INTO, only the tag and length
// octets.
// failure - < 0 => negative (offset + 1) of first bad tagged value
//
// A non-NULL rgValueBlob[] is updated with the pointer to and length of the
// tagged value or its content octets. The rgValuePara[].dwIndex is used to
// index into rgValueBlob[]. For OPTIONAL_STEP_OVER or
// OPTIONAL_STEP_INTO, if no more bytes in the outer SEQUENCE or if the tag
// isn't found, pbData and cbData are set to 0. Additioanlly, for
// OPTIONAL_STEP_INTO, all subsequent values are skipped and their
// rgValueBlob[] entries zeroed until a STEP_OUT is encountered.
//
// If MINASN1_RETURN_VALUE_BLOB_FLAG is set, pbData points to
// the tag. cbData includes the tag, length and content octets.
//
// If MINASN1_RETURN_CONTENT_BLOB_FLAG is set, pbData points to the content
// octets. cbData includes only the content octets.
//
// If neither BLOB_FLAG is set, rgValueBlob[] isn't updated.
//
// For MINASN1_RETURN_CONTENT_BLOB_FLAG of a BITSTRING, pbData is
// advanced past the first contents octet containing the number of
// unused bits and cbData has been decremented by 1. If cbData > 0, then,
// *(pbData - 1) will contain the number of unused bits.
//--------------------------------------------------------------------------
LONGWINAPIMinAsn1ExtractValues( IN const BYTE *pbEncoded, IN DWORD cbEncoded, IN OUT DWORD *pcValuePara, IN const MINASN1_EXTRACT_VALUE_PARA *rgValuePara, IN DWORD cValueBlob, OUT OPTIONAL PCRYPT_DER_BLOB rgValueBlob ){ DWORD cValue = *pcValuePara; const BYTE *pb = pbEncoded; DWORD cb = cbEncoded; BOOL fSkipIntoValues = FALSE;
DWORD iValue; LONG lAllValues;
STEP_INTO_STACK_ENTRY rgStepIntoStack[MAX_STEP_INTO_DEPTH]; DWORD dwStepIntoDepth = 0;
for (iValue = 0; iValue < cValue; iValue++) { DWORD dwParaFlags = rgValuePara[iValue].dwFlags; DWORD dwOp = dwParaFlags & MINASN1_MASK_VALUE_OP; const BYTE *pbParaTag = rgValuePara[iValue].rgbTag; DWORD dwIndex = rgValuePara[iValue].dwIndex; BOOL fValueBlob = (dwParaFlags & (MINASN1_RETURN_VALUE_BLOB_FLAG | MINASN1_RETURN_CONTENT_BLOB_FLAG)) && rgValueBlob && (dwIndex < cValueBlob); BOOL fSkipValue = FALSE;
LONG lTagLength; DWORD cbContent; const BYTE *pbContent; DWORD cbValue;
if (MINASN1_STEP_OUT_VALUE_OP == dwOp) { // Unstack and advance past the last STEP_INTO
if (0 == dwStepIntoDepth) goto InvalidStepOutOp;
dwStepIntoDepth--; pb = rgStepIntoStack[dwStepIntoDepth].pb; cb = rgStepIntoStack[dwStepIntoDepth].cb; fSkipIntoValues = rgStepIntoStack[dwStepIntoDepth].fSkipIntoValues;
continue; }
if (fSkipIntoValues) { // For an omitted OPTIONAL_STEP_INTO, all of its included values
// are also omitted.
fSkipValue = TRUE; } else if (0 == cb) { if (!(MINASN1_OPTIONAL_STEP_INTO_VALUE_OP == dwOp || MINASN1_OPTIONAL_STEP_OVER_VALUE_OP == dwOp)) goto TooLittleData; fSkipValue = TRUE; } else if (pbParaTag) { // Assumption: single byte tag for doing comparison
// Check if the encoded tag matches one of the expected tags
BYTE bEncodedTag; BYTE bParaTag;
bEncodedTag = *pb; while ((bParaTag = *pbParaTag) && bParaTag != bEncodedTag) pbParaTag++;
if (0 == bParaTag) { if (!(MINASN1_OPTIONAL_STEP_INTO_VALUE_OP == dwOp || MINASN1_OPTIONAL_STEP_OVER_VALUE_OP == dwOp)) goto InvalidTag; fSkipValue = TRUE; } }
if (fSkipValue) { if (fValueBlob) { rgValueBlob[dwIndex].pbData = NULL; rgValueBlob[dwIndex].cbData = 0; }
if (MINASN1_STEP_INTO_VALUE_OP == dwOp || MINASN1_OPTIONAL_STEP_INTO_VALUE_OP == dwOp) { // Stack this skipped STEP_INTO
if (MAX_STEP_INTO_DEPTH <= dwStepIntoDepth) goto ExceededStepIntoDepth; rgStepIntoStack[dwStepIntoDepth].pb = pb; rgStepIntoStack[dwStepIntoDepth].cb = cb; rgStepIntoStack[dwStepIntoDepth].fSkipIntoValues = fSkipIntoValues; dwStepIntoDepth++;
fSkipIntoValues = TRUE; } continue; }
lTagLength = MinAsn1ExtractContent( pb, cb, &cbContent, &pbContent ); if (0 >= lTagLength) goto InvalidTagOrLength;
cbValue = cbContent + lTagLength;
if (fValueBlob) { if (dwParaFlags & MINASN1_RETURN_CONTENT_BLOB_FLAG) { rgValueBlob[dwIndex].pbData = (BYTE *) pbContent; rgValueBlob[dwIndex].cbData = cbContent;
if (MINASN1_TAG_BITSTRING == *pb) { if (0 < cbContent) { // Advance past the first contents octet containing
// the number of unused bits
rgValueBlob[dwIndex].pbData += 1; rgValueBlob[dwIndex].cbData -= 1; } } } else if (dwParaFlags & MINASN1_RETURN_VALUE_BLOB_FLAG) { rgValueBlob[dwIndex].pbData = (BYTE *) pb; rgValueBlob[dwIndex].cbData = cbValue; } }
switch (dwOp) { case MINASN1_STEP_INTO_VALUE_OP: case MINASN1_OPTIONAL_STEP_INTO_VALUE_OP: // Stack this STEP_INTO
if (MAX_STEP_INTO_DEPTH <= dwStepIntoDepth) goto ExceededStepIntoDepth; rgStepIntoStack[dwStepIntoDepth].pb = pb + cbValue; rgStepIntoStack[dwStepIntoDepth].cb = cb - cbValue; assert(!fSkipIntoValues); rgStepIntoStack[dwStepIntoDepth].fSkipIntoValues = FALSE; dwStepIntoDepth++; pb = pbContent; cb = cbContent; break; case MINASN1_STEP_OVER_VALUE_OP: case MINASN1_OPTIONAL_STEP_OVER_VALUE_OP: pb += cbValue; cb -= cbValue; break; default: goto InvalidArg; } }
lAllValues = (LONG)(pb - pbEncoded); assert((DWORD) lAllValues <= cbEncoded);
CommonReturn: *pcValuePara = iValue; return lAllValues;
InvalidStepOutOp:TooLittleData:InvalidTag:ExceededStepIntoDepth:InvalidTagOrLength:InvalidArg: lAllValues = -((LONG)(pb - pbEncoded)) - 1; goto CommonReturn;}
//+-------------------------------------------------------------------------
// Find an extension identified by its Encoded Object Identifier.
//
// Searches the list of parsed extensions returned by
// MinAsn1ParseExtensions().
//
// If found, returns pointer to the rgExtBlob[MINASN1_EXT_BLOB_CNT].
// Otherwise, returns NULL.
//--------------------------------------------------------------------------
PCRYPT_DER_BLOBWINAPIMinAsn1FindExtension( IN PCRYPT_DER_BLOB pEncodedOIDBlob, IN DWORD cExt, IN CRYPT_DER_BLOB rgrgExtBlob[][MINASN1_EXT_BLOB_CNT] ){ DWORD i; DWORD cbOID = pEncodedOIDBlob->cbData; const BYTE *pbOID = pEncodedOIDBlob->pbData;
for (i = 0; i < cExt; i++) { if (cbOID == rgrgExtBlob[i][MINASN1_EXT_OID_IDX].cbData && 0 == memcmp(pbOID, rgrgExtBlob[i][MINASN1_EXT_OID_IDX].pbData, cbOID)) return rgrgExtBlob[i]; }
return NULL;}
//+-------------------------------------------------------------------------
// Find the first attribute identified by its Encoded Object Identifier.
//
// Searches the list of parsed attributes returned by
// MinAsn1ParseAttributes().
//
// If found, returns pointer to the rgAttrBlob[MINASN1_ATTR_BLOB_CNT].
// Otherwise, returns NULL.
//--------------------------------------------------------------------------
PCRYPT_DER_BLOBWINAPIMinAsn1FindAttribute( IN PCRYPT_DER_BLOB pEncodedOIDBlob, IN DWORD cAttr, IN CRYPT_DER_BLOB rgrgAttrBlob[][MINASN1_ATTR_BLOB_CNT] ){ DWORD i; DWORD cbOID = pEncodedOIDBlob->cbData; const BYTE *pbOID = pEncodedOIDBlob->pbData;
for (i = 0; i < cAttr; i++) { if (cbOID == rgrgAttrBlob[i][MINASN1_ATTR_OID_IDX].cbData && 0 == memcmp(pbOID, rgrgAttrBlob[i][MINASN1_ATTR_OID_IDX].pbData, cbOID)) return rgrgAttrBlob[i]; }
return NULL;}
//+-------------------------------------------------------------------------
// Parses an ASN.1 encoded PKCS #7 Signed Data Message to extract and
// parse the X.509 certificates it contains.
//
// Assumes the PKCS #7 message is definite length encoded.
// Assumes PKCS #7 version 1.5, ie, not the newer CMS version.
//
// Upon input, *pcCert contains the maximum number of parsed certificates
// that can be returned. Updated with the number of certificates processed.
//
// If the encoded message was successfully parsed, TRUE is returned
// with *pcCert updated with the number of parsed certificates. Otherwise,
// FALSE is returned for a parse error.
// Returns:
// success - >= 0 => bytes skipped, length of the encoded certificates
// processed.
// failure - < 0 => negative (offset + 1) of first bad tagged value
// from beginning of message.
//
// The rgrgCertBlob[][] is updated with pointer to and length of the
// fields in the encoded certificate. See MinAsn1ParseCertificate for the
// field definitions.
//--------------------------------------------------------------------------
LONGWINAPIMinAsn1ExtractParsedCertificatesFromSignedData( IN const BYTE *pbEncoded, IN DWORD cbEncoded, IN OUT DWORD *pcCert, OUT CRYPT_DER_BLOB rgrgCertBlob[][MINASN1_CERT_BLOB_CNT] ){ LONG lSkipped; CRYPT_DER_BLOB rgSignedDataBlob[MINASN1_SIGNED_DATA_BLOB_CNT];
lSkipped = MinAsn1ParseSignedData( pbEncoded, cbEncoded, rgSignedDataBlob ); if (0 >= lSkipped) goto ParseError;
lSkipped = MinAsn1ParseSignedDataCertificates( &rgSignedDataBlob[MINASN1_SIGNED_DATA_CERTS_IDX], pcCert, rgrgCertBlob );
if (0 > lSkipped) { assert(rgSignedDataBlob[MINASN1_SIGNED_DATA_CERTS_IDX].pbData > pbEncoded); lSkipped -= rgSignedDataBlob[MINASN1_SIGNED_DATA_CERTS_IDX].pbData - pbEncoded;
goto ParseError; }
CommonReturn: return lSkipped;
ParseError: *pcCert = 0; goto CommonReturn;}
|
