1*4724848cSchristos /*
2*4724848cSchristos * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
3*4724848cSchristos *
4*4724848cSchristos * Licensed under the OpenSSL license (the "License"). You may not use
5*4724848cSchristos * this file except in compliance with the License. You can obtain a copy
6*4724848cSchristos * in the file LICENSE in the source distribution or at
7*4724848cSchristos * https://www.openssl.org/source/license.html
8*4724848cSchristos */
9*4724848cSchristos
10*4724848cSchristos #include <stdio.h>
11*4724848cSchristos #include "internal/cryptlib.h"
12*4724848cSchristos #include <openssl/asn1t.h>
13*4724848cSchristos #include <openssl/x509.h>
14*4724848cSchristos #include "crypto/x509.h"
15*4724848cSchristos
16*4724848cSchristos /*-
17*4724848cSchristos * X509_REQ_INFO is handled in an unusual way to get round
18*4724848cSchristos * invalid encodings. Some broken certificate requests don't
19*4724848cSchristos * encode the attributes field if it is empty. This is in
20*4724848cSchristos * violation of PKCS#10 but we need to tolerate it. We do
21*4724848cSchristos * this by making the attributes field OPTIONAL then using
22*4724848cSchristos * the callback to initialise it to an empty STACK.
23*4724848cSchristos *
24*4724848cSchristos * This means that the field will be correctly encoded unless
25*4724848cSchristos * we NULL out the field.
26*4724848cSchristos *
27*4724848cSchristos * As a result we no longer need the req_kludge field because
28*4724848cSchristos * the information is now contained in the attributes field:
29*4724848cSchristos * 1. If it is NULL then it's the invalid omission.
30*4724848cSchristos * 2. If it is empty it is the correct encoding.
31*4724848cSchristos * 3. If it is not empty then some attributes are present.
32*4724848cSchristos *
33*4724848cSchristos */
34*4724848cSchristos
rinf_cb(int operation,ASN1_VALUE ** pval,const ASN1_ITEM * it,void * exarg)35*4724848cSchristos static int rinf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
36*4724848cSchristos void *exarg)
37*4724848cSchristos {
38*4724848cSchristos X509_REQ_INFO *rinf = (X509_REQ_INFO *)*pval;
39*4724848cSchristos
40*4724848cSchristos if (operation == ASN1_OP_NEW_POST) {
41*4724848cSchristos rinf->attributes = sk_X509_ATTRIBUTE_new_null();
42*4724848cSchristos if (!rinf->attributes)
43*4724848cSchristos return 0;
44*4724848cSchristos }
45*4724848cSchristos return 1;
46*4724848cSchristos }
47*4724848cSchristos
48*4724848cSchristos ASN1_SEQUENCE_enc(X509_REQ_INFO, enc, rinf_cb) = {
49*4724848cSchristos ASN1_SIMPLE(X509_REQ_INFO, version, ASN1_INTEGER),
50*4724848cSchristos ASN1_SIMPLE(X509_REQ_INFO, subject, X509_NAME),
51*4724848cSchristos ASN1_SIMPLE(X509_REQ_INFO, pubkey, X509_PUBKEY),
52*4724848cSchristos /* This isn't really OPTIONAL but it gets round invalid
53*4724848cSchristos * encodings
54*4724848cSchristos */
55*4724848cSchristos ASN1_IMP_SET_OF_OPT(X509_REQ_INFO, attributes, X509_ATTRIBUTE, 0)
56*4724848cSchristos } ASN1_SEQUENCE_END_enc(X509_REQ_INFO, X509_REQ_INFO)
57*4724848cSchristos
58*4724848cSchristos IMPLEMENT_ASN1_FUNCTIONS(X509_REQ_INFO)
59*4724848cSchristos
60*4724848cSchristos ASN1_SEQUENCE_ref(X509_REQ, 0) = {
61*4724848cSchristos ASN1_EMBED(X509_REQ, req_info, X509_REQ_INFO),
62*4724848cSchristos ASN1_EMBED(X509_REQ, sig_alg, X509_ALGOR),
63*4724848cSchristos ASN1_SIMPLE(X509_REQ, signature, ASN1_BIT_STRING)
64*4724848cSchristos } ASN1_SEQUENCE_END_ref(X509_REQ, X509_REQ)
65*4724848cSchristos
66*4724848cSchristos IMPLEMENT_ASN1_FUNCTIONS(X509_REQ)
67*4724848cSchristos
68*4724848cSchristos IMPLEMENT_ASN1_DUP_FUNCTION(X509_REQ)
69