/*

   Copyright 2005 Red Hat, Inc.

   This program is free software; you can redistribute it and/or modify

   it under the terms of the GNU General Public License as published by

   the Free Software Foundation; either version 2 of the License, or

   (at your option) any later version.

   This program is distributed in the hope that it will be useful,

   but WITHOUT ANY WARRANTY; without even the implied warranty of

   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License

   along with this program; if not, write to the Free Software

   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

   In addition, as a special exception, Red Hat, Inc. gives permission

   to link the code of this program with the OpenSSL library (or with

   modified versions of OpenSSL that use the same license as OpenSSL),

   and distribute linked combinations including the two. You must obey

   the GNU General Public License in all respects for all of the code

   used other than OpenSSL. If you modify this file, you may extend

   this exception to your version of the file, but you are not

   obligated to do so. If you do not wish to do so, delete this

   exception statement from your version.

*/

/* ***** BEGIN LICENSE BLOCK *****

 * Version: MPL 1.1/GPL 2.0/LGPL 2.1

 *

 * The contents of this file are subject to the Mozilla Public License Version

 * 1.1 (the "License"); you may not use this file except in compliance with

 * the License. You may obtain a copy of the License at

 * http://www.mozilla.org/MPL/

 *

 * Software distributed under the License is distributed on an "AS IS" basis,

 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License

 * for the specific language governing rights and limitations under the

 * License.

 *

 * The Original Code is the Netscape security libraries.

 *

 * The Initial Developer of the Original Code is

 * Netscape Communications Corporation.

 * Portions created by the Initial Developer are Copyright (C) 1994-2000

 * the Initial Developer. All Rights Reserved.

 *

 * Contributor(s):

 *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories

 *

 * Alternatively, the contents of this file may be used under the terms of

 * either the GNU General Public License Version 2 or later (the "GPL"), or

 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),

 * in which case the provisions of the GPL or the LGPL are applicable instead

 * of those above. If you wish to allow use of your version of this file only

 * under the terms of either the GPL or the LGPL, and not to allow others to

 * use your version of this file under the terms of the MPL, indicate your

 * decision by deleting the provisions above and replace them with the notice

 * and other provisions required by the GPL or the LGPL. If you do not delete

 * the provisions above, a recipient may use your version of this file under

 * the terms of any one of the MPL, the GPL or the LGPL.

 *

 * ***** END LICENSE BLOCK ***** */

/*

** certext.c

**

** part of certutil for managing certificates extensions

**

*/

#include <stdio.h>

#include <string.h>

#include <stdlib.h>

#include "secutil.h"

#include <unistd.h>

#include <cert.h>

#include <prprf.h>

#include <certt.h>

#include "keyutil.h"

#define GEN_BREAK(e) rv=e; break;

/* CERT_EncodeSubjectKeyID is a private function decleared in <xconst.h> */

/* Begin From NSS's xconst.c */

static const SEC_ASN1Template CERTSubjectKeyIDTemplate[] = {

    { SEC_ASN1_OCTET_STRING }

};

SECStatus 

CERT_EncodeSubjectKeyID(PRArenaPool *arena, const SECItem* srcString,

                        SECItem *encodedValue)

{

    SECStatus rv = SECSuccess;

    if (!srcString) {

        PORT_SetError(SEC_ERROR_INVALID_ARGS);

        return SECFailure;

    }

    if (SEC_ASN1EncodeItem (arena, encodedValue, srcString,

                CERTSubjectKeyIDTemplate) == NULL) {

        rv = SECFailure;

    }

    return(rv);

}

/* End From xconst.c */

/* From oidstring.c */

/* if to->data is not NULL, and to->len is large enough to hold the result,

 * then the resultant OID will be copyed into to->data, and to->len will be

 * changed to show the actual OID length.

 * Otherwise, memory for the OID will be allocated (from the caller's 

 * PLArenaPool, if pool is non-NULL) and to->data will receive the address

 * of the allocated data, and to->len will receive the OID length.

 * The original value of to->data is not freed when a new buffer is allocated.

 * 

 * The input string may begin with "OID." and this still be ignored.

 * The length of the input string is given in len.  If len == 0, then 

 * len will be computed as strlen(from), meaning it must be NUL terminated.

 * It is an error if from == NULL, or if *from == '\0'.

 */

SECStatus

SEC_StringToOID(PLArenaPool *pool, SECItem *to, const char *from, PRUint32 len)

{

    /*PRUint32 result_len = 0;*/

    PRUint32 decimal_numbers = 0;

    PRUint32 result_bytes = 0;

    SECStatus rv;

    PRUint8 result[1024];

    static const PRUint32 max_decimal = (0xffffffff / 10);

    static const char OIDstring[] = {"OID."};

    if (!from || !to) {

        PORT_SetError(SEC_ERROR_INVALID_ARGS);

    return SECFailure;

    }

    if (!len) {

        len = PL_strlen(from);

    }

    if (len >= 4 && !PL_strncasecmp(from, OIDstring, 4)) {

        from += 4; /* skip leading "OID." if present */

        len  -= 4;

    }

    if (!len) {

bad_data:

        PORT_SetError(SEC_ERROR_BAD_DATA);

        return SECFailure;

    }

    do {

        PRUint32 decimal = 0;

            while (len > 0 && isdigit(*from)) {

            PRUint32 addend = (*from++ - '0');

            --len;

            if (decimal > max_decimal)  /* overflow */

            goto bad_data;

            decimal = (decimal * 10) + addend;

            if (decimal < addend)   /* overflow */

            goto bad_data;

        }

        if (len != 0 && *from != '.') {

            goto bad_data;

        }

        if (decimal_numbers == 0) {

            if (decimal > 2)

                goto bad_data;

            result[0] = decimal * 40;

            result_bytes = 1;

        } else if (decimal_numbers == 1) {

            if (decimal > 40)

                goto bad_data;

            result[0] += decimal;

        } else {

            /* encode the decimal number,  */

            PRUint8 * rp;

            PRUint32 num_bytes = 0;

            PRUint32 tmp = decimal;

            while (tmp) {

                num_bytes++;

                tmp >>= 7;

            }

            if (!num_bytes )

                ++num_bytes;  /* use one byte for a zero value */

            if (num_bytes + result_bytes > sizeof result)

                goto bad_data;

            tmp = num_bytes;

            rp = result + result_bytes - 1;

            rp[tmp] = (PRUint8)(decimal & 0x7f);

            decimal >>= 7;

            while (--tmp > 0) {

                rp[tmp] = (PRUint8)(decimal | 0x80);

                decimal >>= 7;

            }

            result_bytes += num_bytes;

        }

        ++decimal_numbers;

        if (len > 0) { /* skip trailing '.' */

            ++from;

            --len;

        }

    } while (len > 0);

    /* now result contains result_bytes of data */

    if (to->data && to->len >= result_bytes) {

        PORT_Memcpy(to->data, result, to->len = result_bytes);

        rv = SECSuccess;

    } else {

        SECItem result_item = {siBuffer, NULL, 0 };

        result_item.data = result;

        result_item.len  = result_bytes;

        rv = SECITEM_CopyItem(pool, to, &result_item);

    }

    return rv;

}

static char *

Gets_s(char *buff, size_t size) {

    char *str;

    if (buff == NULL || size < 1) {

        PORT_Assert(0);

        return NULL;

    }

    if ((str = fgets(buff, size, stdin)) != NULL) {

        int len = PORT_Strlen(str);

        /*

         * fgets() automatically converts native text file

         * line endings to '\n'.  As defensive programming

         * (just in case fgets has a bug or we put stdin in

         * binary mode by mistake), we handle three native 

         * text file line endings here:

         *   '\n'      Unix (including Linux and Mac OS X)

         *   '\r''\n'  DOS/Windows & OS/2

         *   '\r'      Mac OS Classic

         * len can not be less then 1, since in case with

         * empty string it has at least '\n' in the buffer

         */

        if (buff[len - 1] == '\n' || buff[len - 1] == '\r') {

            buff[len - 1] = '\0';

            if (len > 1 && buff[len - 2] == '\r')

                buff[len - 2] = '\0';

        }

    } else {

        buff[0] = '\0';

    }

    return str;

}

static SECStatus

PrintChoicesAndGetAnswer(char* str, char* rBuff, int rSize)

{

    fprintf(stdout, str);

    fprintf(stdout, " > ");

    fflush (stdout);

    if (Gets_s(rBuff, rSize) == NULL) {

        PORT_SetError(SEC_ERROR_INPUT_LEN);

        return SECFailure;

    }

    return SECSuccess;

}

static CERTGeneralName *

GetGeneralName (PRArenaPool *arena)

{

    CERTGeneralName *namesList = NULL;

    CERTGeneralName *current;

    CERTGeneralName *tail = NULL;

    SECStatus rv = SECSuccess;

    int intValue;

    char buffer[512];

    void *mark;

    PORT_Assert (arena);

    mark = PORT_ArenaMark (arena);

    do {

        if (PrintChoicesAndGetAnswer(

        "\nSelect one of the following general name type: \n"

        "\t2 - rfc822Name\n"

        "\t3 - dnsName\n"

        "\t5 - directoryName\n"

        "\t7 - uniformResourceidentifier\n"

        "\t8 - ipAddress\n"

        "\t9 - registerID\n"

        "\tAny other number to finish\n"

        "\t\tChoice:", buffer, sizeof(buffer)) == SECFailure) {

            GEN_BREAK (SECFailure);

        }

        intValue = PORT_Atoi (buffer);

        /*

         * Should use ZAlloc instead of Alloc to avoid problem with garbage

         * initialized pointers in CERT_CopyName

         */

        switch (intValue) {

        case certRFC822Name:

        case certDNSName:

        case certDirectoryName:

        case certURI:

        case certIPAddress:

        case certRegisterID:

        break;

        default:

        intValue = 0;   /* force a break for anything else */

        }

        if (intValue == 0)

            break;

        if (namesList == NULL) {

            namesList = current = tail =

            PORT_ArenaZNew(arena, CERTGeneralName);

        } else {

            current = PORT_ArenaZNew(arena, CERTGeneralName);

        }

        if (current == NULL) {

            GEN_BREAK (SECFailure);

        }

        current->type = intValue;

        puts ("\nEnter data:");

        fflush (stdout);

        if (Gets_s (buffer, sizeof(buffer)) == NULL) {

            PORT_SetError(SEC_ERROR_INPUT_LEN);

            GEN_BREAK (SECFailure);

        }

        switch (current->type) {

        case certURI:

        case certDNSName:

        case certRFC822Name:

            current->name.other.data =

                PORT_ArenaAlloc (arena, strlen (buffer));

            if (current->name.other.data == NULL) {

                GEN_BREAK (SECFailure);

            }

            PORT_Memcpy(current->name.other.data, buffer,

                        current->name.other.len = strlen(buffer));

            break;

        case certEDIPartyName:

        case certIPAddress:

        case certOtherName:

        case certRegisterID:

        case certX400Address: {

            current->name.other.data =

                PORT_ArenaAlloc (arena, strlen (buffer) + 2);

            if (current->name.other.data == NULL) {

                GEN_BREAK (SECFailure);

            }

            PORT_Memcpy (current->name.other.data + 2, buffer,

                         strlen (buffer));

            /* This may not be accurate for all cases.  For now,

             * use this tag type */

            current->name.other.data[0] =

                (char)(((current->type - 1) & 0x1f)| 0x80);

            current->name.other.data[1] = (char)strlen (buffer);

            current->name.other.len = strlen (buffer) + 2;

            break;

        }

        case certDirectoryName: {

                CERTName *directoryName = NULL;

                directoryName = CERT_AsciiToName (buffer);

                if (!directoryName) {

                    fprintf(stderr, "certutil: improperly formatted name: "

                            "\"%s\"\n", buffer);

                    break;

                }

                rv = CERT_CopyName (arena, &current->name.directoryName,

                                    directoryName);

                CERT_DestroyName (directoryName);

                break;

            }

        }

        if (rv != SECSuccess)

            break;

        current->l.next = &(namesList->l);

        current->l.prev = &(tail->l);

        tail->l.next = &(current->l);

        tail = current;

    } while (1);

    if (rv != SECSuccess) {

        PORT_ArenaRelease (arena, mark);

        namesList = NULL;

    }

    return (namesList);

}

static SECStatus 

GetString(PRArenaPool *arena, char *prompt, SECItem *value)

{

    char buffer[251];

    char *buffPrt;

    buffer[0] = '\0';

    value->data = NULL;

    value->len = 0;

    puts (prompt);

    buffPrt = Gets_s (buffer, sizeof(buffer));

    /* returned NULL here treated the same way as empty string */

    if (buffPrt && strlen (buffer) > 0) {

        value->data = PORT_ArenaAlloc (arena, strlen (buffer));

        if (value->data == NULL) {

            PORT_SetError (SEC_ERROR_NO_MEMORY);

            return (SECFailure);

        }

        PORT_Memcpy (value->data, buffer, value->len = strlen(buffer));

    }

    return (SECSuccess);

}

static PRBool 

GetYesNo(char *prompt) 

{

    char buf[3];

    char *buffPrt;

    buf[0] = 'n';

    puts(prompt);

    buffPrt = Gets_s(buf, sizeof(buf));

    return (buffPrt && (buf[0] == 'y' || buf[0] == 'Y')) ? PR_TRUE : PR_FALSE;

}

static SECStatus 

AddKeyUsage (void *extHandle)

{

    SECItem bitStringValue;

    unsigned char keyUsage = 0x0;

    char buffer[5];

    int value;

    PRBool yesNoAns;

    while (1) {

        if (PrintChoicesAndGetAnswer(

                "\t\t0 - Digital Signature\n"

                "\t\t1 - Non-repudiation\n"

                "\t\t2 - Key encipherment\n"

                "\t\t3 - Data encipherment\n"   

                "\t\t4 - Key agreement\n"

                "\t\t5 - Cert signing key\n"   

                "\t\t6 - CRL signing key\n"

                "\t\tOther to finish\n",

                buffer, sizeof(buffer)) == SECFailure) {

            return SECFailure;

        }

        value = PORT_Atoi (buffer);

        if (value < 0 || value > 6)

            break;

        if (value == 0) {

            /* Checking that zero value of variable 'value'

             * corresponds to '0' input made by user */

            char *chPtr = strchr(buffer, '0');

            if (chPtr == NULL) {

                continue;

            }

        }

        keyUsage |= (0x80 >> value);

    }

    bitStringValue.data = &keyUsage;

    bitStringValue.len = 1;

    yesNoAns = GetYesNo("Is this a critical extension [y/N]?");

    return (CERT_EncodeAndAddBitStrExtension

            (extHandle, SEC_OID_X509_KEY_USAGE, &bitStringValue,

             yesNoAns));

}

static CERTOidSequence *

CreateOidSequence(void)

{

    CERTOidSequence *rv = (CERTOidSequence *)NULL;

    PRArenaPool *arena = (PRArenaPool *)NULL;

    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);

    if( (PRArenaPool *)NULL == arena ) {

        goto loser;

    }

    rv = (CERTOidSequence *)PORT_ArenaZNew(arena, CERTOidSequence);

    if( (CERTOidSequence *)NULL == rv ) {

        goto loser;

    }

    rv->oids = (SECItem **)PORT_ArenaZNew(arena, SECItem *);

    if( (SECItem **)NULL == rv->oids ) {

        goto loser;

    }

    rv->arena = arena;

    return rv;

loser:

    if( (PRArenaPool *)NULL != arena ) {

        PORT_FreeArena(arena, PR_FALSE);

    }

    return (CERTOidSequence *)NULL;

}

static void

DestroyOidSequence(CERTOidSequence *os)

{

    if (os->arena) {

        PORT_FreeArena(os->arena, PR_FALSE);

    }

}

static SECStatus

AddOidToSequence(CERTOidSequence *os, SECOidTag oidTag)

{

    SECItem **oids;

    PRUint32 count = 0;

    SECOidData *od;

    od = SECOID_FindOIDByTag(oidTag);

    if( (SECOidData *)NULL == od ) {

        return SECFailure;

    }

    for( oids = os->oids; (SECItem *)NULL != *oids; oids++ ) {

        count++;

    }

    /* ArenaZRealloc */

    {

        PRUint32 i;

        oids = (SECItem **)PORT_ArenaZNewArray(os->arena, SECItem *, count + 2);

        if( (SECItem **)NULL == oids ) {

            return SECFailure;

        }

        for( i = 0; i < count; i++ ) {

            oids[i] = os->oids[i];

        }

        /* ArenaZFree(os->oids); */

    }

    os->oids = oids;

    os->oids[count] = &od->oid;

    return SECSuccess;

}

SEC_ASN1_MKSUB(SEC_ObjectIDTemplate)

const SEC_ASN1Template CERT_OidSeqTemplate[] = {

    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN, offsetof(CERTOidSequence, oids),

      SEC_ASN1_SUB(SEC_ObjectIDTemplate) }

};

static SECItem *

EncodeOidSequence(CERTOidSequence *os)

{

    SECItem *rv;

    rv = (SECItem *)PORT_ArenaZNew(os->arena, SECItem);

    if( (SECItem *)NULL == rv ) {

        goto loser;

    }

    if( !SEC_ASN1EncodeItem(os->arena, rv, os, CERT_OidSeqTemplate) ) {

        goto loser;

    }

    return rv;

loser:

    return (SECItem *)NULL;

}

static SECStatus 

AddExtKeyUsage (void *extHandle)

{

    char buffer[5];

    int value;

    CERTOidSequence *os;

    SECStatus rv;

    SECItem *item;

    PRBool yesNoAns;

    os = CreateOidSequence();

    if( (CERTOidSequence *)NULL == os ) {

        return SECFailure;

    }

    while (1) {

        if (PrintChoicesAndGetAnswer(

                "\t\t0 - Server Auth\n"

                "\t\t1 - Client Auth\n"

                "\t\t2 - Code Signing\n"

                "\t\t3 - Email Protection\n"

                "\t\t4 - Timestamp\n"

                "\t\t5 - OCSP Responder\n"

                "\t\t6 - Step-up\n"

                "\t\tOther to finish\n",

                buffer, sizeof(buffer)) == SECFailure) {

            GEN_BREAK(SECFailure);

        }

        value = PORT_Atoi(buffer);

        if (value == 0) {

            /* Checking that zero value of variable 'value'

             * corresponds to '0' input made by user */

            char *chPtr = strchr(buffer, '0');

            if (chPtr == NULL) {

                continue;

            }

        }

        switch( value ) {

        case 0:

            rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_SERVER_AUTH);

            break;

        case 1:

            rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH);

            break;

        case 2:

            rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_CODE_SIGN);

            break;

        case 3:

            rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT);

            break;

        case 4:

            rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_TIME_STAMP);

            break;

        case 5:

            rv = AddOidToSequence(os, SEC_OID_OCSP_RESPONDER);

            break;

        case 6:

            rv = AddOidToSequence(os, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED);

            break;

        default:

            goto endloop;

        }

        if( SECSuccess != rv ) goto loser;

    }

endloop:

    item = EncodeOidSequence(os);

    yesNoAns = GetYesNo("Is this a critical extension [y/N]?");

    rv = CERT_AddExtension(extHandle, SEC_OID_X509_EXT_KEY_USAGE, item,

                           yesNoAns, PR_TRUE);

    /*FALLTHROUGH*/

loser:

    DestroyOidSequence(os);

    return rv;

}

static SECStatus 

AddNscpCertType (void *extHandle)

{

    SECItem bitStringValue;

    unsigned char keyUsage = 0x0;

    char buffer[5];

    int value;

    PRBool yesNoAns;

    while (1) {

        if (PrintChoicesAndGetAnswer(

                "\t\t0 - SSL Client\n"

                "\t\t1 - SSL Server\n"

                "\t\t2 - S/MIME\n"

                "\t\t3 - Object Signing\n"   

                "\t\t4 - Reserved for future use\n"

                "\t\t5 - SSL CA\n"   

                "\t\t6 - S/MIME CA\n"

                "\t\t7 - Object Signing CA\n"

                "\t\tOther to finish\n",

                buffer, sizeof(buffer)) == SECFailure) {

            return SECFailure;

        }

        value = PORT_Atoi (buffer);

        if (value < 0 || value > 7)

            break;

        if (value == 0) {

            /* Checking that zero value of variable 'value'

             * corresponds to '0' input made by user */

            char *chPtr = strchr(buffer, '0');

            if (chPtr == NULL) {

                continue;

            }

        }

        keyUsage |= (0x80 >> value);

    }

    bitStringValue.data = &keyUsage;

    bitStringValue.len = 1;

    yesNoAns = GetYesNo("Is this a critical extension [y/N]?");

    return (CERT_EncodeAndAddBitStrExtension

            (extHandle, SEC_OID_NS_CERT_EXT_CERT_TYPE, &bitStringValue,

             yesNoAns));

}