You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@subversion.apache.org by st...@apache.org on 2014/06/24 21:13:15 UTC
svn commit: r1605159 - in /subversion/branches/svn-auth-x509/subversion:
include/svn_error_codes.h libsvn_subr/x509.h libsvn_subr/x509parse.c
svn/auth-cmd.c
Author: stsp
Date: Tue Jun 24 19:13:14 2014
New Revision: 1605159
URL: http://svn.apache.org/r1605159
Log:
On the svn-auth-x509 branch, make the X509 parser return svn-style errors.
* subversion/include/svn_error_codes.h
(SVN_ERR_X509_CATEGORY_START): New error category for the X509 parser.
(SVN_ERR_ASN1_OUT_OF_DATA, SVN_ERR_ASN1_UNEXPECTED_TAG,
SVN_ERR_ASN1_INVALID_LENGTH, SVN_ERR_ASN1_LENGTH_MISMATCH,
SVN_ERR_ASN1_INVALID_DATA, SVN_ERR_X509_FEATURE_UNAVAILABLE,
SVN_ERR_X509_CERT_INVALID_PEM, SVN_ERR_X509_CERT_INVALID_FORMAT,
SVN_ERR_X509_CERT_INVALID_VERSION, SVN_ERR_X509_CERT_INVALID_SERIAL,
SVN_ERR_X509_CERT_INVALID_ALG, SVN_ERR_X509_CERT_INVALID_NAME,
SVN_ERR_X509_CERT_INVALID_DATE, SVN_ERR_X509_CERT_INVALID_PUBKEY,
SVN_ERR_X509_CERT_INVALID_SIGNATURE, SVN_ERR_X509_CERT_INVALID_EXTENSIONS,
SVN_ERR_X509_CERT_UNKNOWN_VERSION, SVN_ERR_X509_CERT_UNKNOWN_SIG_ALG,
SVN_ERR_X509_CERT_UNKNOWN_PK_ALG, SVN_ERR_X509_CERT_SIG_MISMATCH,
SVN_ERR_X509_CERT_VERIFY_FAILED): New error codes. Mapped from tropicssl.
* subversion/libsvn_subr/x509.h
(TROPICSSL_ERR_ASN1_OUT_OF_DATA0014,
TROPICSSL_ERR_ASN1_UNEXPECTED_TAG0016,
TROPICSSL_ERR_ASN1_INVALID_LENGTH0018,
TROPICSSL_ERR_ASN1_LENGTH_MISMATCH001A,
TROPICSSL_ERR_ASN1_INVALID_DATA001C,
TROPICSSL_ERR_X509_FEATURE_UNAVAILABLE0020,
TROPICSSL_ERR_X509_CERT_INVALID_PEM0040,
TROPICSSL_ERR_X509_CERT_INVALID_FORMAT0060,
TROPICSSL_ERR_X509_CERT_INVALID_VERSION0080,
TROPICSSL_ERR_X509_CERT_INVALID_SERIAL00A0,
TROPICSSL_ERR_X509_CERT_INVALID_ALG00C0,
TROPICSSL_ERR_X509_CERT_INVALID_NAME00E0,
TROPICSSL_ERR_X509_CERT_INVALID_DATE0100,
TROPICSSL_ERR_X509_CERT_INVALID_PUBKEY0120,
TROPICSSL_ERR_X509_CERT_INVALID_SIGNATURE0140,
TROPICSSL_ERR_X509_CERT_INVALID_EXTENSIONS0160,
TROPICSSL_ERR_X509_CERT_UNKNOWN_VERSION0180,
TROPICSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG01A0,
TROPICSSL_ERR_X509_CERT_UNKNOWN_PK_ALG01C0,
TROPICSSL_ERR_X509_CERT_SIG_MISMATCH01E0,
TROPICSSL_ERR_X509_CERT_VERIFY_FAILED0200,
TROPICSSL_ERR_X509_KEY_INVALID_PEM0220,
TROPICSSL_ERR_X509_KEY_INVALID_VERSION0240,
TROPICSSL_ERR_X509_KEY_INVALID_FORMAT0260,
TROPICSSL_ERR_X509_KEY_INVALID_ENC_IV0280,
TROPICSSL_ERR_X509_KEY_UNKNOWN_ENC_ALG02A0,
TROPICSSL_ERR_X509_KEY_PASSWORD_REQUIRED02C0,
TROPICSSL_ERR_X509_KEY_PASSWORD_MISMATCH02E0,
TROPICSSL_ERR_X509_POINT_ERROR0300,
TROPICSSL_ERR_X509_VALUE_TO_LENGTH0320): Remove tropicssl error codes,
superseded by SVN error codes.
(svn_x509_parse_cert): Return "svn_error_t *".
* subversion/libsvn_subr/x509parse.c
(asn1_get_len, asn1_get_tag, asn1_get_int, x509_get_version,
x509_get_serial, x509_get_alg, x509_get_name, x509_get_dates,
x509_get_sig, x509_get_uid, svn_x509_parse_cert): Return "svn_error_t *".
In cases where the original code returned a bitwise OR of tropicssl
error codes, return an error chain.
* subversion/svn/auth-cmd.c
(show_cert): Adjust caller.
Modified:
subversion/branches/svn-auth-x509/subversion/include/svn_error_codes.h
subversion/branches/svn-auth-x509/subversion/libsvn_subr/x509.h
subversion/branches/svn-auth-x509/subversion/libsvn_subr/x509parse.c
subversion/branches/svn-auth-x509/subversion/svn/auth-cmd.c
Modified: subversion/branches/svn-auth-x509/subversion/include/svn_error_codes.h
URL: http://svn.apache.org/viewvc/subversion/branches/svn-auth-x509/subversion/include/svn_error_codes.h?rev=1605159&r1=1605158&r2=1605159&view=diff
==============================================================================
--- subversion/branches/svn-auth-x509/subversion/include/svn_error_codes.h (original)
+++ subversion/branches/svn-auth-x509/subversion/include/svn_error_codes.h Tue Jun 24 19:13:14 2014
@@ -150,6 +150,8 @@ extern "C" {
+ (22 * SVN_ERR_CATEGORY_SIZE))
#define SVN_ERR_MALFUNC_CATEGORY_START (APR_OS_START_USERERR \
+ (23 * SVN_ERR_CATEGORY_SIZE))
+#define SVN_ERR_X509_CATEGORY_START (APR_OS_START_USERERR \
+ + (24 * SVN_ERR_CATEGORY_SIZE))
#endif /* DOXYGEN_SHOULD_SKIP_THIS */
@@ -1607,6 +1609,94 @@ SVN_ERROR_START
SVN_ERR_MALFUNC_CATEGORY_START + 1,
"No non-tracing links found in the error chain")
+ /* X509 parser errors.
+ * Names of these error codes are based on tropicssl error codes.
+ * @since New in 1.9 */
+
+ SVN_ERRDEF(SVN_ERR_ASN1_OUT_OF_DATA,
+ SVN_ERR_X509_CATEGORY_START + 0,
+ "Unexpected end of ASN1 data")
+
+ SVN_ERRDEF(SVN_ERR_ASN1_UNEXPECTED_TAG,
+ SVN_ERR_X509_CATEGORY_START + 1,
+ "Unexpected ASN1 tag")
+
+ SVN_ERRDEF(SVN_ERR_ASN1_INVALID_LENGTH,
+ SVN_ERR_X509_CATEGORY_START + 2,
+ "Invalid ASN1 length")
+
+ SVN_ERRDEF(SVN_ERR_ASN1_LENGTH_MISMATCH,
+ SVN_ERR_X509_CATEGORY_START + 3,
+ "ASN1 length mismatch")
+
+ SVN_ERRDEF(SVN_ERR_ASN1_INVALID_DATA,
+ SVN_ERR_X509_CATEGORY_START + 4,
+ "Invalid ASN1 data")
+
+ SVN_ERRDEF(SVN_ERR_X509_FEATURE_UNAVAILABLE,
+ SVN_ERR_X509_CATEGORY_START + 5,
+ "Unavailable X509 feature")
+
+ SVN_ERRDEF(SVN_ERR_X509_CERT_INVALID_PEM,
+ SVN_ERR_X509_CATEGORY_START + 6,
+ "Invalid PEM certificate")
+
+ SVN_ERRDEF(SVN_ERR_X509_CERT_INVALID_FORMAT,
+ SVN_ERR_X509_CATEGORY_START + 7,
+ "Invalid certificate format")
+
+ SVN_ERRDEF(SVN_ERR_X509_CERT_INVALID_VERSION,
+ SVN_ERR_X509_CATEGORY_START + 8,
+ "Invalid certificate version")
+
+ SVN_ERRDEF(SVN_ERR_X509_CERT_INVALID_SERIAL,
+ SVN_ERR_X509_CATEGORY_START + 9,
+ "Invalid certificate serial number")
+
+ SVN_ERRDEF(SVN_ERR_X509_CERT_INVALID_ALG,
+ SVN_ERR_X509_CATEGORY_START + 10,
+ "Found invalid algorithm in certificate")
+
+ SVN_ERRDEF(SVN_ERR_X509_CERT_INVALID_NAME,
+ SVN_ERR_X509_CATEGORY_START + 11,
+ "Found invalid name in certificate")
+
+ SVN_ERRDEF(SVN_ERR_X509_CERT_INVALID_DATE,
+ SVN_ERR_X509_CATEGORY_START + 12,
+ "Found invalid date in certificate")
+
+ SVN_ERRDEF(SVN_ERR_X509_CERT_INVALID_PUBKEY,
+ SVN_ERR_X509_CATEGORY_START + 13,
+ "Found invalid public key in certificate")
+
+ SVN_ERRDEF(SVN_ERR_X509_CERT_INVALID_SIGNATURE,
+ SVN_ERR_X509_CATEGORY_START + 14,
+ "Found invalid signature in certificate")
+
+ SVN_ERRDEF(SVN_ERR_X509_CERT_INVALID_EXTENSIONS,
+ SVN_ERR_X509_CATEGORY_START + 15,
+ "Found invalid extensions in certificate")
+
+ SVN_ERRDEF(SVN_ERR_X509_CERT_UNKNOWN_VERSION,
+ SVN_ERR_X509_CATEGORY_START + 16,
+ "Unknown certificate version")
+
+ SVN_ERRDEF(SVN_ERR_X509_CERT_UNKNOWN_SIG_ALG,
+ SVN_ERR_X509_CATEGORY_START + 17,
+ "Certficate uses unknown signature algorithm")
+
+ SVN_ERRDEF(SVN_ERR_X509_CERT_UNKNOWN_PK_ALG,
+ SVN_ERR_X509_CATEGORY_START + 18,
+ "Certificate uses unknown public key algorithm")
+
+ SVN_ERRDEF(SVN_ERR_X509_CERT_SIG_MISMATCH,
+ SVN_ERR_X509_CATEGORY_START + 19,
+ "Certificate signature mismatch")
+
+ SVN_ERRDEF(SVN_ERR_X509_CERT_VERIFY_FAILED,
+ SVN_ERR_X509_CATEGORY_START + 20,
+ "Certficate verification failed")
+
SVN_ERROR_END
Modified: subversion/branches/svn-auth-x509/subversion/libsvn_subr/x509.h
URL: http://svn.apache.org/viewvc/subversion/branches/svn-auth-x509/subversion/libsvn_subr/x509.h?rev=1605159&r1=1605158&r2=1605159&view=diff
==============================================================================
--- subversion/branches/svn-auth-x509/subversion/libsvn_subr/x509.h (original)
+++ subversion/branches/svn-auth-x509/subversion/libsvn_subr/x509.h Tue Jun 24 19:13:14 2014
@@ -35,38 +35,6 @@
#ifndef TROPICSSL_X509_H
#define TROPICSSL_X509_H
-#define TROPICSSL_ERR_ASN1_OUT_OF_DATA -0x0014
-#define TROPICSSL_ERR_ASN1_UNEXPECTED_TAG -0x0016
-#define TROPICSSL_ERR_ASN1_INVALID_LENGTH -0x0018
-#define TROPICSSL_ERR_ASN1_LENGTH_MISMATCH -0x001A
-#define TROPICSSL_ERR_ASN1_INVALID_DATA -0x001C
-
-#define TROPICSSL_ERR_X509_FEATURE_UNAVAILABLE -0x0020
-#define TROPICSSL_ERR_X509_CERT_INVALID_PEM -0x0040
-#define TROPICSSL_ERR_X509_CERT_INVALID_FORMAT -0x0060
-#define TROPICSSL_ERR_X509_CERT_INVALID_VERSION -0x0080
-#define TROPICSSL_ERR_X509_CERT_INVALID_SERIAL -0x00A0
-#define TROPICSSL_ERR_X509_CERT_INVALID_ALG -0x00C0
-#define TROPICSSL_ERR_X509_CERT_INVALID_NAME -0x00E0
-#define TROPICSSL_ERR_X509_CERT_INVALID_DATE -0x0100
-#define TROPICSSL_ERR_X509_CERT_INVALID_PUBKEY -0x0120
-#define TROPICSSL_ERR_X509_CERT_INVALID_SIGNATURE -0x0140
-#define TROPICSSL_ERR_X509_CERT_INVALID_EXTENSIONS -0x0160
-#define TROPICSSL_ERR_X509_CERT_UNKNOWN_VERSION -0x0180
-#define TROPICSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG -0x01A0
-#define TROPICSSL_ERR_X509_CERT_UNKNOWN_PK_ALG -0x01C0
-#define TROPICSSL_ERR_X509_CERT_SIG_MISMATCH -0x01E0
-#define TROPICSSL_ERR_X509_CERT_VERIFY_FAILED -0x0200
-#define TROPICSSL_ERR_X509_KEY_INVALID_PEM -0x0220
-#define TROPICSSL_ERR_X509_KEY_INVALID_VERSION -0x0240
-#define TROPICSSL_ERR_X509_KEY_INVALID_FORMAT -0x0260
-#define TROPICSSL_ERR_X509_KEY_INVALID_ENC_IV -0x0280
-#define TROPICSSL_ERR_X509_KEY_UNKNOWN_ENC_ALG -0x02A0
-#define TROPICSSL_ERR_X509_KEY_PASSWORD_REQUIRED -0x02C0
-#define TROPICSSL_ERR_X509_KEY_PASSWORD_MISMATCH -0x02E0
-#define TROPICSSL_ERR_X509_POINT_ERROR -0x0300
-#define TROPICSSL_ERR_X509_VALUE_TO_LENGTH -0x0320
-
#define BADCERT_EXPIRED 1
#define BADCERT_REVOKED 2
#define BADCERT_CN_MISMATCH 4
@@ -181,11 +149,11 @@ extern "C" {
* and return certificate information in *CERT, allocated in
* RESULT_POOL. The certinfo hash contains values of type
* 'const char *' keyed by SVN_X509_CERTINFO_KEY_* macros. */
- int svn_x509_parse_cert(apr_hash_t **certinfo,
- const char *buf,
- int buflen,
- apr_pool_t *result_pool,
- apr_pool_t *scratch_pool);
+ svn_error_t * svn_x509_parse_cert(apr_hash_t **certinfo,
+ const char *buf,
+ int buflen,
+ apr_pool_t *result_pool,
+ apr_pool_t *scratch_pool);
/*
* Store the name in printable form into buf; no more
Modified: subversion/branches/svn-auth-x509/subversion/libsvn_subr/x509parse.c
URL: http://svn.apache.org/viewvc/subversion/branches/svn-auth-x509/subversion/libsvn_subr/x509parse.c?rev=1605159&r1=1605158&r2=1605159&view=diff
==============================================================================
--- subversion/branches/svn-auth-x509/subversion/libsvn_subr/x509parse.c (original)
+++ subversion/branches/svn-auth-x509/subversion/libsvn_subr/x509parse.c Tue Jun 24 19:13:14 2014
@@ -57,10 +57,11 @@
/*
* ASN.1 DER decoding routines
*/
-static int asn1_get_len(const unsigned char **p, const unsigned char *end, int *len)
+static svn_error_t *
+asn1_get_len(const unsigned char **p, const unsigned char *end, int *len)
{
if ((end - *p) < 1)
- return (TROPICSSL_ERR_ASN1_OUT_OF_DATA);
+ return svn_error_create(SVN_ERR_ASN1_OUT_OF_DATA, NULL, NULL);
if ((**p & 0x80) == 0)
*len = *(*p)++;
@@ -68,7 +69,7 @@ static int asn1_get_len(const unsigned c
switch (**p & 0x7F) {
case 1:
if ((end - *p) < 2)
- return (TROPICSSL_ERR_ASN1_OUT_OF_DATA);
+ return svn_error_create(SVN_ERR_ASN1_OUT_OF_DATA, NULL, NULL);
*len = (*p)[1];
(*p) += 2;
@@ -76,47 +77,48 @@ static int asn1_get_len(const unsigned c
case 2:
if ((end - *p) < 3)
- return (TROPICSSL_ERR_ASN1_OUT_OF_DATA);
+ return svn_error_create(SVN_ERR_ASN1_OUT_OF_DATA, NULL, NULL);
*len = ((*p)[1] << 8) | (*p)[2];
(*p) += 3;
break;
default:
- return (TROPICSSL_ERR_ASN1_INVALID_LENGTH);
+ return svn_error_create(SVN_ERR_ASN1_INVALID_LENGTH, NULL, NULL);
break;
}
}
if (*len > (int)(end - *p))
- return (TROPICSSL_ERR_ASN1_OUT_OF_DATA);
+ return svn_error_create(SVN_ERR_ASN1_OUT_OF_DATA, NULL, NULL);
- return (0);
+ return SVN_NO_ERROR;
}
-static int asn1_get_tag(const unsigned char **p,
- const unsigned char *end, int *len, int tag)
+static svn_error_t *
+asn1_get_tag(const unsigned char **p,
+ const unsigned char *end, int *len, int tag)
{
if ((end - *p) < 1)
- return (TROPICSSL_ERR_ASN1_OUT_OF_DATA);
+ return svn_error_create(SVN_ERR_ASN1_OUT_OF_DATA, NULL, NULL);
if (**p != tag)
- return (TROPICSSL_ERR_ASN1_UNEXPECTED_TAG);
+ return svn_error_create(SVN_ERR_ASN1_UNEXPECTED_TAG, NULL, NULL);
(*p)++;
- return (asn1_get_len(p, end, len));
+ return svn_error_trace(asn1_get_len(p, end, len));
}
-static int asn1_get_int(const unsigned char **p, const unsigned char *end, int *val)
+static svn_error_t *
+asn1_get_int(const unsigned char **p, const unsigned char *end, int *val)
{
- int ret, len;
+ int len;
- if ((ret = asn1_get_tag(p, end, &len, ASN1_INTEGER)) != 0)
- return (ret);
+ SVN_ERR(asn1_get_tag(p, end, &len, ASN1_INTEGER));
if (len > (int)sizeof(int) || (**p & 0x80) != 0)
- return (TROPICSSL_ERR_ASN1_INVALID_LENGTH);
+ return svn_error_create(SVN_ERR_ASN1_INVALID_LENGTH, NULL, NULL);
*val = 0;
@@ -125,63 +127,79 @@ static int asn1_get_int(const unsigned c
(*p)++;
}
- return (0);
+ return SVN_NO_ERROR;
}
/*
* Version ::= INTEGER { v1(0), v2(1), v3(2) }
*/
-static int x509_get_version(const unsigned char **p, const unsigned char *end, int *ver)
+static svn_error_t *
+x509_get_version(const unsigned char **p, const unsigned char *end, int *ver)
{
- int ret, len;
+ svn_error_t *err;
+ int len;
- if ((ret = asn1_get_tag(p, end, &len,
- ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0))
- != 0) {
- if (ret == TROPICSSL_ERR_ASN1_UNEXPECTED_TAG)
- return (*ver = 0);
+ err = asn1_get_tag(p, end, &len,
+ ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0);
+ if (err)
+ {
+ if (err->apr_err == SVN_ERR_ASN1_UNEXPECTED_TAG)
+ {
+ svn_error_clear(err);
+ *ver = 0;
+ return SVN_NO_ERROR;
+ }
- return (ret);
- }
+ return svn_error_trace(err);
+ }
end = *p + len;
- if ((ret = asn1_get_int(p, end, ver)) != 0)
- return (TROPICSSL_ERR_X509_CERT_INVALID_VERSION | ret);
+ err = asn1_get_int(p, end, ver);
+ if (err)
+ return svn_error_create(SVN_ERR_X509_CERT_INVALID_VERSION, err, NULL);
if (*p != end)
- return (TROPICSSL_ERR_X509_CERT_INVALID_VERSION |
- TROPICSSL_ERR_ASN1_LENGTH_MISMATCH);
+ {
+ err = svn_error_create(SVN_ERR_X509_CERT_INVALID_VERSION, NULL, NULL);
+ return svn_error_create(SVN_ERR_ASN1_LENGTH_MISMATCH, err, NULL);
+ }
- return (0);
+ return SVN_NO_ERROR;
}
/*
* CertificateSerialNumber ::= INTEGER
*/
-static int x509_get_serial(const unsigned char **p,
- const unsigned char *end, x509_buf * serial)
+static svn_error_t *
+x509_get_serial(const unsigned char **p,
+ const unsigned char *end, x509_buf * serial)
{
- int ret;
+ svn_error_t *err;
if ((end - *p) < 1)
- return (TROPICSSL_ERR_X509_CERT_INVALID_SERIAL |
- TROPICSSL_ERR_ASN1_OUT_OF_DATA);
+ {
+ err = svn_error_create(SVN_ERR_X509_CERT_INVALID_SERIAL, NULL, NULL);
+ return svn_error_create(SVN_ERR_ASN1_OUT_OF_DATA, err, NULL);
+ }
if (**p != (ASN1_CONTEXT_SPECIFIC | ASN1_PRIMITIVE | 2) &&
**p != ASN1_INTEGER)
- return (TROPICSSL_ERR_X509_CERT_INVALID_SERIAL |
- TROPICSSL_ERR_ASN1_UNEXPECTED_TAG);
+ {
+ err = svn_error_create(SVN_ERR_X509_CERT_INVALID_SERIAL, NULL, NULL);
+ return svn_error_create(SVN_ERR_ASN1_UNEXPECTED_TAG, err, NULL);
+ }
serial->tag = *(*p)++;
- if ((ret = asn1_get_len(p, end, &serial->len)) != 0)
- return (TROPICSSL_ERR_X509_CERT_INVALID_SERIAL | ret);
+ err = asn1_get_len(p, end, &serial->len);
+ if (err)
+ return svn_error_create(SVN_ERR_X509_CERT_INVALID_SERIAL, err, NULL);
serial->p = *p;
*p += serial->len;
- return (0);
+ return SVN_NO_ERROR;
}
/*
@@ -189,37 +207,43 @@ static int x509_get_serial(const unsigne
* algorithm OBJECT IDENTIFIER,
* parameters ANY DEFINED BY algorithm OPTIONAL }
*/
-static int x509_get_alg(const unsigned char **p, const unsigned char *end, x509_buf * alg)
+static svn_error_t *
+x509_get_alg(const unsigned char **p, const unsigned char *end, x509_buf * alg)
{
- int ret, len;
+ svn_error_t *err;
+ int len;
- if ((ret = asn1_get_tag(p, end, &len,
- ASN1_CONSTRUCTED | ASN1_SEQUENCE)) != 0)
- return (TROPICSSL_ERR_X509_CERT_INVALID_ALG | ret);
+ err = asn1_get_tag(p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE);
+ if (err)
+ return svn_error_create(SVN_ERR_X509_CERT_INVALID_ALG, err, NULL);
end = *p + len;
alg->tag = **p;
- if ((ret = asn1_get_tag(p, end, &alg->len, ASN1_OID)) != 0)
- return (TROPICSSL_ERR_X509_CERT_INVALID_ALG | ret);
+ err = asn1_get_tag(p, end, &alg->len, ASN1_OID);
+ if (err)
+ return svn_error_create(SVN_ERR_X509_CERT_INVALID_ALG, err, NULL);
alg->p = *p;
*p += alg->len;
if (*p == end)
- return (0);
+ return SVN_NO_ERROR;
/*
* assume the algorithm parameters must be NULL
*/
- if ((ret = asn1_get_tag(p, end, &len, ASN1_NULL)) != 0)
- return (TROPICSSL_ERR_X509_CERT_INVALID_ALG | ret);
+ err = asn1_get_tag(p, end, &len, ASN1_NULL);
+ if (err)
+ return svn_error_create(SVN_ERR_X509_CERT_INVALID_ALG, err, NULL);
if (*p != end)
- return (TROPICSSL_ERR_X509_CERT_INVALID_ALG |
- TROPICSSL_ERR_ASN1_LENGTH_MISMATCH);
+ {
+ err = svn_error_create(SVN_ERR_X509_CERT_INVALID_ALG, NULL, NULL);
+ return svn_error_create(SVN_ERR_ASN1_LENGTH_MISMATCH, err, NULL);
+ }
- return (0);
+ return SVN_NO_ERROR;
}
/*
@@ -234,52 +258,62 @@ static int x509_get_alg(const unsigned c
*
* AttributeValue ::= ANY DEFINED BY AttributeType
*/
-static int x509_get_name(const unsigned char **p, const unsigned char *end, x509_name * cur)
+static svn_error_t *
+x509_get_name(const unsigned char **p, const unsigned char *end, x509_name * cur)
{
- int ret, len;
+ svn_error_t *err;
+ int len;
const unsigned char *end2;
x509_buf *oid;
x509_buf *val;
- if ((ret = asn1_get_tag(p, end, &len,
- ASN1_CONSTRUCTED | ASN1_SET)) != 0)
- return (TROPICSSL_ERR_X509_CERT_INVALID_NAME | ret);
+ err = asn1_get_tag(p, end, &len, ASN1_CONSTRUCTED | ASN1_SET);
+ if (err)
+ return svn_error_create(SVN_ERR_X509_CERT_INVALID_NAME, err, NULL);
end2 = end;
end = *p + len;
- if ((ret = asn1_get_tag(p, end, &len,
- ASN1_CONSTRUCTED | ASN1_SEQUENCE)) != 0)
- return (TROPICSSL_ERR_X509_CERT_INVALID_NAME | ret);
+ err = asn1_get_tag(p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE);
+ if (err)
+ return svn_error_create(SVN_ERR_X509_CERT_INVALID_NAME, err, NULL);
if (*p + len != end)
- return (TROPICSSL_ERR_X509_CERT_INVALID_NAME |
- TROPICSSL_ERR_ASN1_LENGTH_MISMATCH);
+ {
+ err = svn_error_create(SVN_ERR_X509_CERT_INVALID_NAME, NULL, NULL);
+ return svn_error_create(SVN_ERR_ASN1_LENGTH_MISMATCH, err, NULL);
+ }
oid = &cur->oid;
oid->tag = **p;
- if ((ret = asn1_get_tag(p, end, &oid->len, ASN1_OID)) != 0)
- return (TROPICSSL_ERR_X509_CERT_INVALID_NAME | ret);
+ err = asn1_get_tag(p, end, &oid->len, ASN1_OID);
+ if (err)
+ return svn_error_create(SVN_ERR_X509_CERT_INVALID_NAME, err, NULL);
oid->p = *p;
*p += oid->len;
if ((end - *p) < 1)
- return (TROPICSSL_ERR_X509_CERT_INVALID_NAME |
- TROPICSSL_ERR_ASN1_OUT_OF_DATA);
+ {
+ err = svn_error_create(SVN_ERR_X509_CERT_INVALID_NAME, NULL, NULL);
+ return svn_error_create(SVN_ERR_ASN1_OUT_OF_DATA, err, NULL);
+ }
if (**p != ASN1_BMP_STRING && **p != ASN1_UTF8_STRING &&
**p != ASN1_T61_STRING && **p != ASN1_PRINTABLE_STRING &&
**p != ASN1_IA5_STRING && **p != ASN1_UNIVERSAL_STRING)
- return (TROPICSSL_ERR_X509_CERT_INVALID_NAME |
- TROPICSSL_ERR_ASN1_UNEXPECTED_TAG);
+ {
+ err = svn_error_create(SVN_ERR_X509_CERT_INVALID_NAME, NULL, NULL);
+ return svn_error_create(SVN_ERR_ASN1_UNEXPECTED_TAG, err, NULL);
+ }
val = &cur->val;
val->tag = *(*p)++;
- if ((ret = asn1_get_len(p, end, &val->len)) != 0)
- return (TROPICSSL_ERR_X509_CERT_INVALID_NAME | ret);
+ err = asn1_get_len(p, end, &val->len);
+ if (err)
+ return svn_error_create(SVN_ERR_X509_CERT_INVALID_NAME, err, NULL);
val->p = *p;
*p += val->len;
@@ -287,21 +321,23 @@ static int x509_get_name(const unsigned
cur->next = NULL;
if (*p != end)
- return (TROPICSSL_ERR_X509_CERT_INVALID_NAME |
- TROPICSSL_ERR_ASN1_LENGTH_MISMATCH);
+ {
+ err = svn_error_create(SVN_ERR_X509_CERT_INVALID_NAME, NULL, NULL);
+ return svn_error_create(SVN_ERR_ASN1_LENGTH_MISMATCH, err, NULL);
+ }
/*
* recurse until end of SEQUENCE is reached
*/
if (*p == end2)
- return (0);
+ return SVN_NO_ERROR;
cur->next = (x509_name *) malloc(sizeof(x509_name));
if (cur->next == NULL)
- return (1);
+ return SVN_NO_ERROR;
- return (x509_get_name(p, end2, cur->next));
+ return svn_error_trace(x509_get_name(p, end2, cur->next));
}
/*
@@ -313,23 +349,26 @@ static int x509_get_name(const unsigned
* utcTime UTCTime,
* generalTime GeneralizedTime }
*/
-static int x509_get_dates(const unsigned char **p,
- const unsigned char *end, x509_time * from, x509_time * to)
+static svn_error_t *
+x509_get_dates(const unsigned char **p,
+ const unsigned char *end, x509_time * from, x509_time * to)
{
- int ret, len;
+ svn_error_t *err;
+ int len;
char date[64];
- if ((ret = asn1_get_tag(p, end, &len,
- ASN1_CONSTRUCTED | ASN1_SEQUENCE)) != 0)
- return (TROPICSSL_ERR_X509_CERT_INVALID_DATE | ret);
+ err = asn1_get_tag(p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE);
+ if (err)
+ return svn_error_create(SVN_ERR_X509_CERT_INVALID_DATE, err, NULL);
end = *p + len;
/*
* TODO: also handle GeneralizedTime
*/
- if ((ret = asn1_get_tag(p, end, &len, ASN1_UTC_TIME)) != 0)
- return (TROPICSSL_ERR_X509_CERT_INVALID_DATE | ret);
+ err = asn1_get_tag(p, end, &len, ASN1_UTC_TIME);
+ if (err)
+ return svn_error_create(SVN_ERR_X509_CERT_INVALID_DATE, err, NULL);
memset(date, 0, sizeof(date));
memcpy(date, *p, (len < (int)sizeof(date) - 1) ?
@@ -338,15 +377,16 @@ static int x509_get_dates(const unsigned
if (sscanf(date, "%2d%2d%2d%2d%2d%2d",
&from->year, &from->mon, &from->day,
&from->hour, &from->min, &from->sec) < 5)
- return (TROPICSSL_ERR_X509_CERT_INVALID_DATE);
+ return svn_error_create(SVN_ERR_X509_CERT_INVALID_DATE, NULL, NULL);
from->year += 100 * (from->year < 90);
from->year += 1900;
*p += len;
- if ((ret = asn1_get_tag(p, end, &len, ASN1_UTC_TIME)) != 0)
- return (TROPICSSL_ERR_X509_CERT_INVALID_DATE | ret);
+ err = asn1_get_tag(p, end, &len, ASN1_UTC_TIME);
+ if (err)
+ return svn_error_create(SVN_ERR_X509_CERT_INVALID_DATE, err, NULL);
memset(date, 0, sizeof(date));
memcpy(date, *p, (len < (int)sizeof(date) - 1) ?
@@ -355,7 +395,7 @@ static int x509_get_dates(const unsigned
if (sscanf(date, "%2d%2d%2d%2d%2d%2d",
&to->year, &to->mon, &to->day,
&to->hour, &to->min, &to->sec) < 5)
- return (TROPICSSL_ERR_X509_CERT_INVALID_DATE);
+ return svn_error_create(SVN_ERR_X509_CERT_INVALID_DATE, NULL, NULL);
to->year += 100 * (to->year < 90);
to->year += 1900;
@@ -363,71 +403,81 @@ static int x509_get_dates(const unsigned
*p += len;
if (*p != end)
- return (TROPICSSL_ERR_X509_CERT_INVALID_DATE |
- TROPICSSL_ERR_ASN1_LENGTH_MISMATCH);
+ {
+ err = svn_error_create(SVN_ERR_X509_CERT_INVALID_DATE, NULL, NULL);
+ return svn_error_create(SVN_ERR_ASN1_LENGTH_MISMATCH, err, NULL);
+ }
- return (0);
+ return SVN_NO_ERROR;
}
-static int x509_get_sig(const unsigned char **p, const unsigned char *end, x509_buf * sig)
+static svn_error_t *
+x509_get_sig(const unsigned char **p, const unsigned char *end, x509_buf * sig)
{
- int ret, len;
+ svn_error_t *err;
+ int len;
sig->tag = **p;
- if ((ret = asn1_get_tag(p, end, &len, ASN1_BIT_STRING)) != 0)
- return (TROPICSSL_ERR_X509_CERT_INVALID_SIGNATURE | ret);
+ err = asn1_get_tag(p, end, &len, ASN1_BIT_STRING);
+ if (err)
+ return svn_error_create(SVN_ERR_X509_CERT_INVALID_SIGNATURE, err, NULL);
if (--len < 1 || *(*p)++ != 0)
- return (TROPICSSL_ERR_X509_CERT_INVALID_SIGNATURE);
+ return svn_error_create(SVN_ERR_X509_CERT_INVALID_SIGNATURE, NULL, NULL);
sig->len = len;
sig->p = *p;
*p += len;
- return (0);
+ return SVN_NO_ERROR;
}
/*
* X.509 v2/v3 unique identifier (not parsed)
*/
-static int x509_get_uid(const unsigned char **p,
- const unsigned char *end, x509_buf * uid, int n)
+static svn_error_t *
+x509_get_uid(const unsigned char **p,
+ const unsigned char *end, x509_buf * uid, int n)
{
- int ret;
+ svn_error_t *err;
if (*p == end)
- return (0);
+ return SVN_NO_ERROR;
uid->tag = **p;
- if ((ret = asn1_get_tag(p, end, &uid->len,
- ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | n))
- != 0) {
- if (ret == TROPICSSL_ERR_ASN1_UNEXPECTED_TAG)
- return (0);
+ err = asn1_get_tag(p, end, &uid->len,
+ ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | n);
+ {
+ if (err->apr_err == SVN_ERR_ASN1_UNEXPECTED_TAG)
+ {
+ svn_error_clear(err);
+ return SVN_NO_ERROR;
+ }
- return (ret);
- }
+ return svn_error_trace(err);
+ }
uid->p = *p;
*p += uid->len;
- return (0);
+ return SVN_NO_ERROR;
}
/*
* Parse one certificate.
*/
-int
+svn_error_t *
svn_x509_parse_cert(apr_hash_t **certinfo,
const char *buf,
int buflen,
apr_pool_t *result_pool,
apr_pool_t *scratch_pool)
{
- int ret, len;
+ svn_error_t *err;
+ int len;
const unsigned char *p;
const unsigned char *end;
x509_cert *crt;
@@ -444,25 +494,24 @@ svn_x509_parse_cert(apr_hash_t **certinf
* signatureAlgorithm AlgorithmIdentifier,
* signatureValue BIT STRING }
*/
- if ((ret = asn1_get_tag(&p, end, &len,
- ASN1_CONSTRUCTED | ASN1_SEQUENCE)) != 0) {
- return (TROPICSSL_ERR_X509_CERT_INVALID_FORMAT);
- }
-
- if (len != (int)(end - p)) {
- return (TROPICSSL_ERR_X509_CERT_INVALID_FORMAT |
- TROPICSSL_ERR_ASN1_LENGTH_MISMATCH);
- }
+ err = asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE);
+ if (err)
+ return svn_error_create(SVN_ERR_X509_CERT_INVALID_FORMAT, NULL, NULL);
+
+ if (len != (int)(end - p))
+ {
+ err = svn_error_create(SVN_ERR_X509_CERT_INVALID_FORMAT, NULL, NULL);
+ return svn_error_create(SVN_ERR_ASN1_LENGTH_MISMATCH, err, NULL);
+ }
/*
* TBSCertificate ::= SEQUENCE {
*/
crt->tbs.p = p;
- if ((ret = asn1_get_tag(&p, end, &len,
- ASN1_CONSTRUCTED | ASN1_SEQUENCE)) != 0) {
- return (TROPICSSL_ERR_X509_CERT_INVALID_FORMAT | ret);
- }
+ err = asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE);
+ if (err)
+ return svn_error_create(SVN_ERR_X509_CERT_INVALID_FORMAT, err, NULL);
end = p + len;
crt->tbs.len = end - crt->tbs.p;
@@ -474,25 +523,23 @@ svn_x509_parse_cert(apr_hash_t **certinf
*
* signature AlgorithmIdentifier
*/
- if ((ret = x509_get_version(&p, end, &crt->version)) != 0 ||
- (ret = x509_get_serial(&p, end, &crt->serial)) != 0 ||
- (ret = x509_get_alg(&p, end, &crt->sig_oid1)) != 0) {
- return (ret);
- }
+ SVN_ERR(x509_get_version(&p, end, &crt->version));
+ SVN_ERR(x509_get_serial(&p, end, &crt->serial));
+ SVN_ERR(x509_get_alg(&p, end, &crt->sig_oid1));
crt->version++;
if (crt->version > 3) {
- return (TROPICSSL_ERR_X509_CERT_UNKNOWN_VERSION);
+ return svn_error_create(SVN_ERR_X509_CERT_UNKNOWN_VERSION, NULL, NULL);
}
if (crt->sig_oid1.len != 9 ||
memcmp(crt->sig_oid1.p, OID_PKCS1, 8) != 0) {
- return (TROPICSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG);
+ return svn_error_create(SVN_ERR_X509_CERT_UNKNOWN_SIG_ALG, NULL, NULL);
}
if (crt->sig_oid1.p[8] < 2 || crt->sig_oid1.p[8] > 5) {
- return (TROPICSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG);
+ return svn_error_create(SVN_ERR_X509_CERT_UNKNOWN_SIG_ALG, NULL, NULL);
}
/*
@@ -500,14 +547,11 @@ svn_x509_parse_cert(apr_hash_t **certinf
*/
crt->issuer_raw.p = p;
- if ((ret = asn1_get_tag(&p, end, &len,
- ASN1_CONSTRUCTED | ASN1_SEQUENCE)) != 0) {
- return (TROPICSSL_ERR_X509_CERT_INVALID_FORMAT | ret);
- }
+ err = asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE);
+ if (err)
+ return svn_error_create(SVN_ERR_X509_CERT_INVALID_FORMAT, err, NULL);
- if ((ret = x509_get_name(&p, p + len, &crt->issuer)) != 0) {
- return (ret);
- }
+ SVN_ERR(x509_get_name(&p, p + len, &crt->issuer));
crt->issuer_raw.len = p - crt->issuer_raw.p;
@@ -517,24 +561,18 @@ svn_x509_parse_cert(apr_hash_t **certinf
* notAfter Time }
*
*/
- if ((ret = x509_get_dates(&p, end, &crt->valid_from,
- &crt->valid_to)) != 0) {
- return (ret);
- }
+ SVN_ERR(x509_get_dates(&p, end, &crt->valid_from, &crt->valid_to));
/*
* subject Name
*/
crt->subject_raw.p = p;
- if ((ret = asn1_get_tag(&p, end, &len,
- ASN1_CONSTRUCTED | ASN1_SEQUENCE)) != 0) {
- return (TROPICSSL_ERR_X509_CERT_INVALID_FORMAT | ret);
- }
+ err = asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE);
+ if (err)
+ return svn_error_create(SVN_ERR_X509_CERT_INVALID_FORMAT, err, NULL);
- if ((ret = x509_get_name(&p, p + len, &crt->subject)) != 0) {
- return (ret);
- }
+ SVN_ERR(x509_get_name(&p, p + len, &crt->subject));
crt->subject_raw.len = p - crt->subject_raw.p;
@@ -543,10 +581,9 @@ svn_x509_parse_cert(apr_hash_t **certinf
* algorithm AlgorithmIdentifier,
* subjectPublicKey BIT STRING }
*/
- if ((ret = asn1_get_tag(&p, end, &len,
- ASN1_CONSTRUCTED | ASN1_SEQUENCE)) != 0) {
- return (TROPICSSL_ERR_X509_CERT_INVALID_FORMAT | ret);
- }
+ err = asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE);
+ if (err)
+ return svn_error_create(SVN_ERR_X509_CERT_INVALID_FORMAT, err, NULL);
/* Skip pubkey. */
p += len;
@@ -560,22 +597,16 @@ svn_x509_parse_cert(apr_hash_t **certinf
* -- If present, version shall be v3
*/
if (crt->version == 2 || crt->version == 3) {
- ret = x509_get_uid(&p, end, &crt->issuer_id, 1);
- if (ret != 0) {
- return (ret);
- }
+ SVN_ERR(x509_get_uid(&p, end, &crt->issuer_id, 1));
}
if (crt->version == 2 || crt->version == 3) {
- ret = x509_get_uid(&p, end, &crt->subject_id, 2);
- if (ret != 0) {
- return (ret);
- }
+ SVN_ERR(x509_get_uid(&p, end, &crt->subject_id, 2));
}
if (p != end) {
- return (TROPICSSL_ERR_X509_CERT_INVALID_FORMAT |
- TROPICSSL_ERR_ASN1_LENGTH_MISMATCH);
+ err = svn_error_create(SVN_ERR_X509_CERT_INVALID_FORMAT, NULL, NULL);
+ return svn_error_create(SVN_ERR_ASN1_LENGTH_MISMATCH, err, NULL);
}
end = buf + buflen;
@@ -584,22 +615,19 @@ svn_x509_parse_cert(apr_hash_t **certinf
* signatureAlgorithm AlgorithmIdentifier,
* signatureValue BIT STRING
*/
- if ((ret = x509_get_alg(&p, end, &crt->sig_oid2)) != 0) {
- return (ret);
- }
+ SVN_ERR(x509_get_alg(&p, end, &crt->sig_oid2));
if (memcmp(crt->sig_oid1.p, crt->sig_oid2.p, 9) != 0) {
- return (TROPICSSL_ERR_X509_CERT_SIG_MISMATCH);
+ return svn_error_create(SVN_ERR_X509_CERT_SIG_MISMATCH, NULL, NULL);
}
- if ((ret = x509_get_sig(&p, end, &crt->sig)) != 0) {
- return (ret);
- }
+ SVN_ERR(x509_get_sig(&p, end, &crt->sig));
- if (p != end) {
- return (TROPICSSL_ERR_X509_CERT_INVALID_FORMAT |
- TROPICSSL_ERR_ASN1_LENGTH_MISMATCH);
- }
+ if (p != end)
+ {
+ err = svn_error_create(SVN_ERR_X509_CERT_INVALID_FORMAT, NULL, NULL);
+ return svn_error_create(SVN_ERR_ASN1_LENGTH_MISMATCH, err, NULL);
+ }
*certinfo = apr_hash_make(result_pool);
@@ -626,7 +654,7 @@ svn_x509_parse_cert(apr_hash_t **certinf
crt->valid_to.hour,
crt->valid_to.min,
crt->valid_to.sec));
- return (0);
+ return SVN_NO_ERROR;
}
/*
Modified: subversion/branches/svn-auth-x509/subversion/svn/auth-cmd.c
URL: http://svn.apache.org/viewvc/subversion/branches/svn-auth-x509/subversion/svn/auth-cmd.c?rev=1605159&r1=1605158&r2=1605159&view=diff
==============================================================================
--- subversion/branches/svn-auth-x509/subversion/svn/auth-cmd.c (original)
+++ subversion/branches/svn-auth-x509/subversion/svn/auth-cmd.c Tue Jun 24 19:13:14 2014
@@ -173,19 +173,13 @@ static svn_error_t *
show_cert(const svn_string_t *pem_cert, apr_pool_t *scratch_pool)
{
const svn_string_t *der_cert;
- int x509_err;
apr_hash_t *certinfo;
/* Convert header-less PEM to DER by undoing base64 encoding. */
der_cert = svn_base64_decode_string(pem_cert, scratch_pool);
- x509_err = svn_x509_parse_cert(&certinfo, der_cert->data, der_cert->len,
- scratch_pool, scratch_pool);
- if (x509_err)
- {
- svn_cmdline_printf(scratch_pool, _("Error parsing certificate: 0x%x\n"), -x509_err);
- return SVN_NO_ERROR;
- }
+ SVN_ERR(svn_x509_parse_cert(&certinfo, der_cert->data, der_cert->len,
+ scratch_pool, scratch_pool));
SVN_ERR(svn_cmdline_printf(scratch_pool, _("Valid from: %s\n"),
(const char *)svn_hash_gets(certinfo,
RE: svn commit: r1605159 - in /subversion/branches/svn-auth-x509/subversion: include/svn_error_codes.h libsvn_subr/x509.h libsvn_subr/x509parse.c svn/auth-cmd.c
Posted by Bert Huijben <be...@qqmail.nl>.
> -----Original Message-----
> From: stsp@apache.org [mailto:stsp@apache.org]
> Sent: dinsdag 24 juni 2014 21:13
> To: commits@subversion.apache.org
> Subject: svn commit: r1605159 - in /subversion/branches/svn-auth-
> x509/subversion: include/svn_error_codes.h libsvn_subr/x509.h
> libsvn_subr/x509parse.c svn/auth-cmd.c
>
> Author: stsp
> Date: Tue Jun 24 19:13:14 2014
> New Revision: 1605159
>
> URL: http://svn.apache.org/r1605159
> Log:
> On the svn-auth-x509 branch, make the X509 parser return svn-style errors.
>
> * subversion/include/svn_error_codes.h
> (SVN_ERR_X509_CATEGORY_START): New error category for the X509
> parser.
> (SVN_ERR_ASN1_OUT_OF_DATA, SVN_ERR_ASN1_UNEXPECTED_TAG,
> SVN_ERR_ASN1_INVALID_LENGTH, SVN_ERR_ASN1_LENGTH_MISMATCH,
> SVN_ERR_ASN1_INVALID_DATA,
> SVN_ERR_X509_FEATURE_UNAVAILABLE,
> SVN_ERR_X509_CERT_INVALID_PEM,
> SVN_ERR_X509_CERT_INVALID_FORMAT,
> SVN_ERR_X509_CERT_INVALID_VERSION,
> SVN_ERR_X509_CERT_INVALID_SERIAL,
> SVN_ERR_X509_CERT_INVALID_ALG,
> SVN_ERR_X509_CERT_INVALID_NAME,
> SVN_ERR_X509_CERT_INVALID_DATE,
> SVN_ERR_X509_CERT_INVALID_PUBKEY,
> SVN_ERR_X509_CERT_INVALID_SIGNATURE,
> SVN_ERR_X509_CERT_INVALID_EXTENSIONS,
> SVN_ERR_X509_CERT_UNKNOWN_VERSION,
> SVN_ERR_X509_CERT_UNKNOWN_SIG_ALG,
> SVN_ERR_X509_CERT_UNKNOWN_PK_ALG,
> SVN_ERR_X509_CERT_SIG_MISMATCH,
> SVN_ERR_X509_CERT_VERIFY_FAILED): New error codes. Mapped from
> tropicssl.
[Moving to dev@]
21:25 <@Bert> stsp: Just wondering: do we really need to wrap all of these as separate error codes? (E.g. we don't do
that for sqlite, which has less error values than this parser)
Bert