PKCS: Use ASN.1 helper functions

Simplify ASN.1 parser operations by using the shared helper functions.

Signed-off-by: Jouni Malinen <j@w1.fi>

src/tls/pkcs1.c

@@ -236,11 +236,9 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
 	 *
 	 */
 	if (asn1_get_next(decrypted, decrypted_len, &hdr) < 0 ||
-	    hdr.class != ASN1_CLASS_UNIVERSAL ||
+	    !asn1_is_sequence(&hdr)) {
-	    hdr.tag != ASN1_TAG_SEQUENCE) {
+		asn1_unexpected(&hdr,
-		wpa_printf(MSG_DEBUG,
+				"PKCS #1: Expected SEQUENCE (DigestInfo)");
-			   "PKCS #1: Expected SEQUENCE (DigestInfo) - found class %d tag 0x%x",
-			   hdr.class, hdr.tag);
 		os_free(decrypted);
 		return -1;
 	}
@@ -259,11 +257,9 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
 	 */
 
 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
-	    hdr.class != ASN1_CLASS_UNIVERSAL ||
+	    !asn1_is_sequence(&hdr)) {
-	    hdr.tag != ASN1_TAG_SEQUENCE) {
+		asn1_unexpected(&hdr,
-		wpa_printf(MSG_DEBUG,
+				"PKCS #1: Expected SEQUENCE (AlgorithmIdentifier)");
-			   "PKCS #1: Expected SEQUENCE (AlgorithmIdentifier) - found class %d tag 0x%x",
-			   hdr.class, hdr.tag);
 		os_free(decrypted);
 		return -1;
 	}
@@ -310,11 +306,9 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
 	pos = da_end;
 
 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
-	    hdr.class != ASN1_CLASS_UNIVERSAL ||
+	    !asn1_is_octetstring(&hdr)) {
-	    hdr.tag != ASN1_TAG_OCTETSTRING) {
+		asn1_unexpected(&hdr,
-		wpa_printf(MSG_DEBUG,
+				"PKCS #1: Expected OCTETSTRING (Digest)");
-			   "PKCS #1: Expected OCTETSTRING (Digest) - found class %d tag 0x%x",
-			   hdr.class, hdr.tag);
 		os_free(decrypted);
 		return -1;
 	}

src/tls/pkcs5.c

@@ -107,22 +107,18 @@ static int pkcs5_get_params_pbes2(struct pkcs5_params *params, const u8 *pos,
 	 */
 
 	if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
-	    hdr.class != ASN1_CLASS_UNIVERSAL ||
+	    !asn1_is_sequence(&hdr)) {
-	    hdr.tag != ASN1_TAG_SEQUENCE) {
+		asn1_unexpected(&hdr,
-		wpa_printf(MSG_DEBUG,
+				"PKCS #5: Expected SEQUENCE (PBES2-params)");
-			   "PKCS #5: Expected SEQUENCE (PBES2-params) - found class %d tag 0x%x",
-			   hdr.class, hdr.tag);
 		return -1;
 	}
 	pos = hdr.payload;
 	end = hdr.payload + hdr.length;
 
 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
-	    hdr.class != ASN1_CLASS_UNIVERSAL ||
+	    !asn1_is_sequence(&hdr)) {
-	    hdr.tag != ASN1_TAG_SEQUENCE) {
+		asn1_unexpected(&hdr,
-		wpa_printf(MSG_DEBUG,
+				"PKCS #5: Expected SEQUENCE (keyDerivationFunc)");
-			   "PKCS #5: Expected SEQUENCE (keyDerivationFunc) - found class %d tag 0x%x",
-			   hdr.class, hdr.tag);
 		return -1;
 	}
 
@@ -161,11 +157,9 @@ static int pkcs5_get_params_pbes2(struct pkcs5_params *params, const u8 *pos,
 	 */
 
 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
-	    hdr.class != ASN1_CLASS_UNIVERSAL ||
+	    !asn1_is_sequence(&hdr)) {
-	    hdr.tag != ASN1_TAG_SEQUENCE) {
+		asn1_unexpected(&hdr,
-		wpa_printf(MSG_DEBUG,
+				"PKCS #5: Expected SEQUENCE (PBKDF2-params)");
-			   "PKCS #5: Expected SEQUENCE (PBKDF2-params) - found class %d tag 0x%x",
-			   hdr.class, hdr.tag);
 		return -1;
 	}
 
@@ -174,12 +168,10 @@ static int pkcs5_get_params_pbes2(struct pkcs5_params *params, const u8 *pos,
 
 	/* For now, only support the salt CHOICE specified (OCTET STRING) */
 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
-	    hdr.class != ASN1_CLASS_UNIVERSAL ||
+	    !asn1_is_octetstring(&hdr) ||
-	    hdr.tag != ASN1_TAG_OCTETSTRING ||
 	    hdr.length > sizeof(params->salt)) {
-		wpa_printf(MSG_DEBUG,
+		asn1_unexpected(&hdr,
-			   "PKCS #5: Expected OCTET STRING (salt.specified) - found class %d tag 0x%x size %d",
+				"PKCS #5: Expected OCTET STRING (salt.specified)");
-			   hdr.class, hdr.tag, hdr.length);
 		return -1;
 	}
 	pos = hdr.payload + hdr.length;
@@ -188,11 +180,8 @@ static int pkcs5_get_params_pbes2(struct pkcs5_params *params, const u8 *pos,
 	wpa_hexdump(MSG_DEBUG, "PKCS #5: salt", params->salt, params->salt_len);
 
 	/* iterationCount INTEGER */
-	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
+	if (asn1_get_next(pos, end - pos, &hdr) < 0 || !asn1_is_integer(&hdr)) {
-	    hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_INTEGER) {
+		asn1_unexpected(&hdr, "PKCS #5: Expected INTEGER");
-		wpa_printf(MSG_DEBUG,
-			   "PKCS #5: Expected INTEGER - found class %d tag 0x%x",
-			   hdr.class, hdr.tag);
 		return -1;
 	}
 	if (hdr.length == 1) {
@@ -222,11 +211,9 @@ static int pkcs5_get_params_pbes2(struct pkcs5_params *params, const u8 *pos,
 	/* encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} */
 
 	if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
-	    hdr.class != ASN1_CLASS_UNIVERSAL ||
+	    !asn1_is_sequence(&hdr)) {
-	    hdr.tag != ASN1_TAG_SEQUENCE) {
+		asn1_unexpected(&hdr,
-		wpa_printf(MSG_DEBUG,
+				"PKCS #5: Expected SEQUENCE (encryptionScheme)");
-			   "PKCS #5: Expected SEQUENCE (encryptionScheme) - found class %d tag 0x%x",
-			   hdr.class, hdr.tag);
 		return -1;
 	}
 
@@ -258,12 +245,9 @@ static int pkcs5_get_params_pbes2(struct pkcs5_params *params, const u8 *pos,
 	 * specifying the initialization vector for CBC mode.
 	 */
 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
-	    hdr.class != ASN1_CLASS_UNIVERSAL ||
+	    !asn1_is_octetstring(&hdr) || hdr.length != 8) {
-	    hdr.tag != ASN1_TAG_OCTETSTRING ||
+		asn1_unexpected(&hdr,
-	    hdr.length != 8) {
+				"PKCS #5: Expected OCTET STRING (SIZE(8)) (IV)");
-		wpa_printf(MSG_DEBUG,
-			   "PKCS #5: Expected OCTET STRING (SIZE(8)) (IV) - found class %d tag 0x%x size %d",
-			   hdr.class, hdr.tag, hdr.length);
 		return -1;
 	}
 	os_memcpy(params->iv, hdr.payload, hdr.length);
@@ -323,11 +307,9 @@ static int pkcs5_get_params(const u8 *enc_alg, size_t enc_alg_len,
 	 */
 
 	if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
-	    hdr.class != ASN1_CLASS_UNIVERSAL ||
+	    !asn1_is_sequence(&hdr)) {
-	    hdr.tag != ASN1_TAG_SEQUENCE) {
+		asn1_unexpected(&hdr,
-		wpa_printf(MSG_DEBUG, "PKCS #5: Expected SEQUENCE "
+				"PKCS #5: Expected SEQUENCE (PBEParameter)");
-			   "(PBEParameter) - found class %d tag 0x%x",
-			   hdr.class, hdr.tag);
 		return -1;
 	}
 	pos = hdr.payload;
@@ -335,12 +317,9 @@ static int pkcs5_get_params(const u8 *enc_alg, size_t enc_alg_len,
 
 	/* salt OCTET STRING SIZE(8) (PKCS #5) or OCTET STRING (PKCS #12) */
 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
-	    hdr.class != ASN1_CLASS_UNIVERSAL ||
+	    !asn1_is_octetstring(&hdr) || hdr.length > sizeof(params->salt)) {
-	    hdr.tag != ASN1_TAG_OCTETSTRING ||
+		asn1_unexpected(&hdr,
-	    hdr.length > sizeof(params->salt)) {
+				"PKCS #5: Expected OCTETSTRING SIZE(8) (salt)");
-		wpa_printf(MSG_DEBUG, "PKCS #5: Expected OCTETSTRING SIZE(8) "
-			   "(salt) - found class %d tag 0x%x size %d",
-			   hdr.class, hdr.tag, hdr.length);
 		return -1;
 	}
 	pos = hdr.payload + hdr.length;
@@ -351,9 +330,8 @@ static int pkcs5_get_params(const u8 *enc_alg, size_t enc_alg_len,
 
 	/* iterationCount INTEGER */
 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
-	    hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_INTEGER) {
+	    !asn1_is_integer(&hdr)) {
-		wpa_printf(MSG_DEBUG, "PKCS #5: Expected INTEGER - found "
+		asn1_unexpected(&hdr, "PKCS #5: Expected INTEGER");
-			   "class %d tag 0x%x", hdr.class, hdr.tag);
 		return -1;
 	}
 	if (hdr.length == 1)

src/tls/pkcs8.c

@@ -27,22 +27,17 @@ struct crypto_private_key * pkcs8_key_import(const u8 *buf, size_t len)
 	/* PKCS #8, Chapter 6 */
 
 	/* PrivateKeyInfo ::= SEQUENCE */
-	if (asn1_get_next(buf, len, &hdr) < 0 ||
+	if (asn1_get_next(buf, len, &hdr) < 0 || !asn1_is_sequence(&hdr)) {
-	    hdr.class != ASN1_CLASS_UNIVERSAL ||
+		asn1_unexpected(&hdr,
-	    hdr.tag != ASN1_TAG_SEQUENCE) {
+				"PKCS #8: Does not start with PKCS #8 header (SEQUENCE)");
-		wpa_printf(MSG_DEBUG, "PKCS #8: Does not start with PKCS #8 "
-			   "header (SEQUENCE); assume PKCS #8 not used");
 		return NULL;
 	}
 	pos = hdr.payload;
 	end = pos + hdr.length;
 
 	/* version Version (Version ::= INTEGER) */
-	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
+	if (asn1_get_next(pos, end - pos, &hdr) < 0 || !asn1_is_integer(&hdr)) {
-	    hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_INTEGER) {
+		asn1_unexpected(&hdr, "PKCS #8: Expected INTEGER");
-		wpa_printf(MSG_DEBUG, "PKCS #8: Expected INTEGER - found "
-			   "class %d tag 0x%x; assume PKCS #8 not used",
-			   hdr.class, hdr.tag);
 		return NULL;
 	}
 
@@ -68,13 +63,9 @@ struct crypto_private_key * pkcs8_key_import(const u8 *buf, size_t len)
 
 	/* privateKeyAlgorithm PrivateKeyAlgorithmIdentifier
 	 * (PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier) */
-	if (asn1_get_next(pos, len, &hdr) < 0 ||
+	if (asn1_get_next(pos, len, &hdr) < 0 || !asn1_is_sequence(&hdr)) {
-	    hdr.class != ASN1_CLASS_UNIVERSAL ||
+		asn1_unexpected(&hdr,
-	    hdr.tag != ASN1_TAG_SEQUENCE) {
+				"PKCS #8: Expected SEQUENCE (AlgorithmIdentifier); assume PKCS #8 not used");
-		wpa_printf(MSG_DEBUG, "PKCS #8: Expected SEQUENCE "
-			   "(AlgorithmIdentifier) - found class %d tag 0x%x; "
-			   "assume PKCS #8 not used",
-			   hdr.class, hdr.tag);
 		return NULL;
 	}
 
@@ -104,11 +95,9 @@ struct crypto_private_key * pkcs8_key_import(const u8 *buf, size_t len)
 
 	/* privateKey PrivateKey (PrivateKey ::= OCTET STRING) */
 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
-	    hdr.class != ASN1_CLASS_UNIVERSAL ||
+	    !asn1_is_octetstring(&hdr)) {
-	    hdr.tag != ASN1_TAG_OCTETSTRING) {
+		asn1_unexpected(&hdr,
-		wpa_printf(MSG_DEBUG, "PKCS #8: Expected OCTETSTRING "
+				"PKCS #8: Expected OCTETSTRING (privateKey)");
-			   "(privateKey) - found class %d tag 0x%x",
-			   hdr.class, hdr.tag);
 		return NULL;
 	}
 	wpa_printf(MSG_DEBUG, "PKCS #8: Try to parse RSAPrivateKey");
@@ -139,12 +128,9 @@ pkcs8_enc_key_import(const u8 *buf, size_t len, const char *passwd)
 	 * EncryptedData ::= OCTET STRING
 	 */
 
-	if (asn1_get_next(buf, len, &hdr) < 0 ||
+	if (asn1_get_next(buf, len, &hdr) < 0 || !asn1_is_sequence(&hdr)) {
-	    hdr.class != ASN1_CLASS_UNIVERSAL ||
+		asn1_unexpected(&hdr,
-	    hdr.tag != ASN1_TAG_SEQUENCE) {
+				"PKCS #8: Does not start with PKCS #8 header (SEQUENCE); assume encrypted PKCS #8 not used");
-		wpa_printf(MSG_DEBUG, "PKCS #8: Does not start with PKCS #8 "
-			   "header (SEQUENCE); assume encrypted PKCS #8 not "
-			   "used");
 		return NULL;
 	}
 	pos = hdr.payload;
@@ -152,12 +138,9 @@ pkcs8_enc_key_import(const u8 *buf, size_t len, const char *passwd)
 
 	/* encryptionAlgorithm EncryptionAlgorithmIdentifier */
 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
-	    hdr.class != ASN1_CLASS_UNIVERSAL ||
+	    !asn1_is_sequence(&hdr)) {
-	    hdr.tag != ASN1_TAG_SEQUENCE) {
+		asn1_unexpected(&hdr,
-		wpa_printf(MSG_DEBUG, "PKCS #8: Expected SEQUENCE "
+				"PKCS #8: Expected SEQUENCE (AlgorithmIdentifier); assume encrypted PKCS #8 not used");
-			   "(AlgorithmIdentifier) - found class %d tag 0x%x; "
-			   "assume encrypted PKCS #8 not used",
-			   hdr.class, hdr.tag);
 		return NULL;
 	}
 	enc_alg = hdr.payload;
@@ -166,11 +149,9 @@ pkcs8_enc_key_import(const u8 *buf, size_t len, const char *passwd)
 
 	/* encryptedData EncryptedData */
 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
-	    hdr.class != ASN1_CLASS_UNIVERSAL ||
+	    !asn1_is_octetstring(&hdr)) {
-	    hdr.tag != ASN1_TAG_OCTETSTRING) {
+		asn1_unexpected(&hdr,
-		wpa_printf(MSG_DEBUG, "PKCS #8: Expected OCTETSTRING "
+				"PKCS #8: Expected OCTETSTRING (encryptedData)");
-			   "(encryptedData) - found class %d tag 0x%x",
-			   hdr.class, hdr.tag);
 		return NULL;
 	}