+ x.bv_val += STRLENOF("serial ");
+ x.bv_len -= STRLENOF("serial ");
+
+ /* eat leading spaces */
+ for ( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
+ /* empty */;
+ }
+
+ if ( checkNum( &x, i_sn ) ) {
+ return LDAP_INVALID_SYNTAX;
+ }
+
+ x.bv_val += i_sn->bv_len;
+ x.bv_len -= i_sn->bv_len;
+
+ have2 |= HAVE_SN;
+
+ } else {
+ return LDAP_INVALID_SYNTAX;
+ }
+
+ /* eat leading spaces */
+ for ( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len-- ) {
+ /* empty */;
+ }
+
+ if ( have2 == HAVE_ALL ) {
+ break;
+ }
+
+ if ( x.bv_val[0] != ',' ) return LDAP_INVALID_SYNTAX;
+ x.bv_val++;
+ x.bv_len--;
+ } while ( 1 );
+
+ if ( x.bv_val[0] != /*{*/ '}' ) return LDAP_INVALID_SYNTAX;
+ x.bv_val++;
+ x.bv_len--;
+
+ /* eat leading spaces */
+ for ( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len-- ) {
+ /* empty */;
+ }
+
+ if ( x.bv_val[0] != /*{*/ '}' ) return LDAP_INVALID_SYNTAX;
+ x.bv_val++;
+ x.bv_len--;
+
+ have |= HAVE_ISSUER;
+
+ } else if ( strncasecmp( x.bv_val, "serialNumber", STRLENOF("serialNumber") ) == 0 ) {
+ if ( have & HAVE_SN ) {
+ return LDAP_INVALID_SYNTAX;
+ }
+
+ /* parse serialNumber */
+ x.bv_val += STRLENOF("serialNumber");
+ x.bv_len -= STRLENOF("serialNumber");
+
+ if ( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
+ x.bv_val++;
+ x.bv_len--;
+
+ /* eat leading spaces */
+ for ( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len-- ) {
+ /* empty */;
+ }
+
+ if ( checkNum( &x, sn ) ) {
+ return LDAP_INVALID_SYNTAX;
+ }
+
+ x.bv_val += sn->bv_len;
+ x.bv_len -= sn->bv_len;
+
+ have |= HAVE_SN;
+
+ } else {
+ return LDAP_INVALID_SYNTAX;
+ }
+
+ /* eat spaces */
+ for ( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len-- ) {
+ /* empty */;
+ }
+
+ if ( have == HAVE_ALL ) {
+ break;
+ }
+
+ if ( x.bv_val[0] != ',' ) {
+ return LDAP_INVALID_SYNTAX;
+ }
+ x.bv_val++ ;
+ x.bv_len--;
+ } while ( 1 );
+
+ /* should have no characters left... */
+ if( x.bv_len ) return LDAP_INVALID_SYNTAX;
+
+ if ( numdquotes == 0 ) {
+ ber_dupbv_x( &ni, is, ctx );
+
+ } else {
+ ber_len_t src, dst;
+
+ ni.bv_len = is->bv_len - numdquotes;
+ ni.bv_val = ber_memalloc_x( ni.bv_len + 1, ctx );
+ for ( src = 0, dst = 0; src < is->bv_len; src++, dst++ ) {
+ if ( is->bv_val[src] == '"' ) {
+ src++;
+ }
+ ni.bv_val[dst] = is->bv_val[src];
+ }
+ ni.bv_val[dst] = '\0';
+ }
+
+ *is = ni;
+
+ /* need to handle double dquotes here */
+ return 0;
+}
+
+/* X.509 PMI serialNumberAndIssuerSerialValidate */
+static int
+serialNumberAndIssuerSerialValidate(
+ Syntax *syntax,
+ struct berval *in )
+{
+ int rc;
+ struct berval sn, i, i_sn;
+
+ Debug( LDAP_DEBUG_TRACE, ">>> serialNumberAndIssuerSerialValidate: <%s>\n",
+ in->bv_val, 0, 0 );
+
+ rc = serialNumberAndIssuerSerialCheck( in, &sn, &i, &i_sn, NULL );
+ if ( rc ) {
+ goto done;
+ }
+
+ /* validate DN -- doesn't handle double dquote */
+ rc = dnValidate( NULL, &i );
+ if ( rc ) {
+ rc = LDAP_INVALID_SYNTAX;
+ }
+
+ if ( in->bv_val[0] == '{' && in->bv_val[in->bv_len-1] == '}' ) {
+ slap_sl_free( i.bv_val, NULL );
+ }
+
+done:;
+ Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerSerialValidate: <%s> err=%d\n",
+ in->bv_val, rc, 0 );
+
+ return rc;
+}
+
+/* X.509 PMI serialNumberAndIssuerSerialPretty */
+static int
+serialNumberAndIssuerSerialPretty(
+ Syntax *syntax,
+ struct berval *in,
+ struct berval *out,
+ void *ctx )
+{
+ struct berval sn, i, i_sn, ni = BER_BVNULL;
+ char *p;
+ int rc;
+
+ assert( in != NULL );
+ assert( out != NULL );
+
+ Debug( LDAP_DEBUG_TRACE, ">>> serialNumberAndIssuerSerialPretty: <%s>\n",
+ in->bv_val, 0, 0 );
+
+ rc = serialNumberAndIssuerSerialCheck( in, &sn, &i, &i_sn, ctx );
+ if ( rc ) {
+ goto done;
+ }
+
+ rc = dnPretty( syntax, &i, &ni, ctx );
+
+ if ( in->bv_val[0] == '{' && in->bv_val[in->bv_len-1] == '}' ) {
+ slap_sl_free( i.bv_val, ctx );
+ }
+
+ if ( rc ) {
+ rc = LDAP_INVALID_SYNTAX;
+ goto done;
+ }
+
+ /* make room from sn + "$" */
+ out->bv_len = STRLENOF("{ serialNumber , issuer { baseCertificateID { issuer { directoryName:rdnSequence:\"\" }, serial } } }")
+ + sn.bv_len + ni.bv_len + i_sn.bv_len;
+ out->bv_val = slap_sl_malloc( out->bv_len + 1, ctx );
+
+ if ( out->bv_val == NULL ) {
+ out->bv_len = 0;
+ rc = LDAP_OTHER;
+ goto done;
+ }
+
+ p = out->bv_val;
+ p = lutil_strcopy( p, "{ serialNumber " );
+ p = lutil_strncopy( p, sn.bv_val, sn.bv_len );
+ p = lutil_strcopy( p, ", issuer { baseCertificateID { issuer { directoryName:rdnSequence:\"" );
+ p = lutil_strncopy( p, ni.bv_val, ni.bv_len );
+ p = lutil_strcopy( p, "\" }, serial " );
+ p = lutil_strncopy( p, i_sn.bv_val, i_sn.bv_len );
+ p = lutil_strcopy( p, " } } }" );
+
+ assert( p == &out->bv_val[out->bv_len] );
+
+done:;
+ Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerSerialPretty: <%s> => <%s>\n",
+ in->bv_val, rc == LDAP_SUCCESS ? out->bv_val : "(err)", 0 );
+
+ slap_sl_free( ni.bv_val, ctx );
+
+ return rc;
+}
+
+/* X.509 PMI serialNumberAndIssuerSerialNormalize */
+/*
+ * This routine is called by attributeCertificateExactNormalize
+ * when attributeCertificateExactNormalize receives a search
+ * string instead of a attribute certificate. This routine
+ * checks if the search value is valid and then returns the
+ * normalized value
+ */
+static int
+serialNumberAndIssuerSerialNormalize(
+ slap_mask_t usage,
+ Syntax *syntax,
+ MatchingRule *mr,
+ struct berval *in,
+ struct berval *out,
+ void *ctx )
+{
+ struct berval i, ni = BER_BVNULL,
+ sn, sn2 = BER_BVNULL, sn3 = BER_BVNULL,
+ i_sn, i_sn2 = BER_BVNULL, i_sn3 = BER_BVNULL;
+ char sbuf2[SLAP_SN_BUFLEN], i_sbuf2[SLAP_SN_BUFLEN],
+ sbuf3[SLAP_SN_BUFLEN], i_sbuf3[SLAP_SN_BUFLEN];
+ char *p;
+ int rc;
+
+ assert( in != NULL );
+ assert( out != NULL );
+
+ Debug( LDAP_DEBUG_TRACE, ">>> serialNumberAndIssuerSerialNormalize: <%s>\n",
+ in->bv_val, 0, 0 );
+
+ rc = serialNumberAndIssuerSerialCheck( in, &sn, &i, &i_sn, ctx );
+ if ( rc ) {
+ goto func_leave;
+ }
+
+ rc = dnNormalize( usage, syntax, mr, &i, &ni, ctx );
+
+ if ( in->bv_val[0] == '{' && in->bv_val[in->bv_len-1] == '}' ) {
+ slap_sl_free( i.bv_val, ctx );
+ }
+
+ if ( rc ) {
+ rc = LDAP_INVALID_SYNTAX;
+ goto func_leave;
+ }
+
+ /* Convert sn to canonical hex */
+ sn2.bv_val = sbuf2;
+ sn2.bv_len = sn.bv_len;
+ if ( sn.bv_len > sizeof( sbuf2 ) ) {
+ sn2.bv_val = slap_sl_malloc( sn.bv_len, ctx );
+ }
+ if ( lutil_str2bin( &sn, &sn2, ctx ) ) {
+ rc = LDAP_INVALID_SYNTAX;
+ goto func_leave;
+ }
+
+ /* Convert i_sn to canonical hex */
+ i_sn2.bv_val = i_sbuf2;
+ i_sn2.bv_len = i_sn.bv_len;
+ if ( i_sn.bv_len > sizeof( i_sbuf2 ) ) {
+ i_sn2.bv_val = slap_sl_malloc( i_sn.bv_len, ctx );
+ }
+ if ( lutil_str2bin( &i_sn, &i_sn2, ctx ) ) {
+ rc = LDAP_INVALID_SYNTAX;
+ goto func_leave;
+ }
+
+ sn3.bv_val = sbuf3;
+ sn3.bv_len = sizeof(sbuf3);
+ if ( slap_bin2hex( &sn2, &sn3, ctx ) ) {
+ rc = LDAP_INVALID_SYNTAX;
+ goto func_leave;
+ }
+
+ i_sn3.bv_val = i_sbuf3;
+ i_sn3.bv_len = sizeof(i_sbuf3);
+ if ( slap_bin2hex( &i_sn2, &i_sn3, ctx ) ) {
+ rc = LDAP_INVALID_SYNTAX;
+ goto func_leave;
+ }
+
+ out->bv_len = STRLENOF("{ serialNumber , issuer { baseCertificateID { issuer { directoryName:rdnSequence:\"\" }, serial } } }")
+ + sn3.bv_len + ni.bv_len + i_sn3.bv_len;
+ out->bv_val = slap_sl_malloc( out->bv_len + 1, ctx );
+
+ if ( out->bv_val == NULL ) {
+ out->bv_len = 0;
+ rc = LDAP_OTHER;
+ goto func_leave;
+ }
+
+ p = out->bv_val;
+
+ p = lutil_strcopy( p, "{ serialNumber " );
+ p = lutil_strncopy( p, sn3.bv_val, sn3.bv_len );
+ p = lutil_strcopy( p, ", issuer { baseCertificateID { issuer { directoryName:rdnSequence:\"" );
+ p = lutil_strncopy( p, ni.bv_val, ni.bv_len );
+ p = lutil_strcopy( p, "\" }, serial " );
+ p = lutil_strncopy( p, i_sn3.bv_val, i_sn3.bv_len );
+ p = lutil_strcopy( p, " } } }" );
+
+ assert( p == &out->bv_val[out->bv_len] );
+
+func_leave:
+ Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerSerialNormalize: <%s> => <%s>\n",
+ in->bv_val, rc == LDAP_SUCCESS ? out->bv_val : "(err)", 0 );
+
+ if ( sn2.bv_val != sbuf2 ) {
+ slap_sl_free( sn2.bv_val, ctx );
+ }
+
+ if ( i_sn2.bv_val != i_sbuf2 ) {
+ slap_sl_free( i_sn2.bv_val, ctx );
+ }
+
+ if ( sn3.bv_val != sbuf3 ) {
+ slap_sl_free( sn3.bv_val, ctx );
+ }
+
+ if ( i_sn3.bv_val != i_sbuf3 ) {
+ slap_sl_free( i_sn3.bv_val, ctx );
+ }
+
+ slap_sl_free( ni.bv_val, ctx );
+
+ return rc;
+}
+
+/* X.509 PMI attributeCertificateExactNormalize */
+static int
+attributeCertificateExactNormalize(
+ slap_mask_t usage,
+ Syntax *syntax,
+ MatchingRule *mr,
+ struct berval *val,
+ struct berval *normalized,
+ void *ctx )
+{
+ BerElementBuffer berbuf;
+ BerElement *ber = (BerElement *)&berbuf;
+ ber_tag_t tag;
+ ber_len_t len;
+ char issuer_serialbuf[SLAP_SN_BUFLEN], serialbuf[SLAP_SN_BUFLEN];
+ struct berval sn, i_sn, sn2, i_sn2;
+ struct berval issuer_dn = BER_BVNULL, bvdn;
+ char *p;
+ int rc = LDAP_INVALID_SYNTAX;
+
+ if ( BER_BVISEMPTY( val ) ) {
+ goto done;
+ }
+
+ if ( SLAP_MR_IS_VALUE_OF_ASSERTION_SYNTAX(usage) ) {
+ return serialNumberAndIssuerSerialNormalize( 0, NULL, NULL, val, normalized, ctx );
+ }
+
+ assert( SLAP_MR_IS_VALUE_OF_ATTRIBUTE_SYNTAX(usage) != 0 );
+
+ ber_init2( ber, val, LBER_USE_DER );
+ tag = ber_skip_tag( ber, &len ); /* Signed Sequence */
+ tag = ber_skip_tag( ber, &len ); /* Sequence */
+ tag = ber_skip_tag( ber, &len ); /* (Mandatory) version; must be v2(1) */
+ ber_skip_data( ber, len );
+ tag = ber_skip_tag( ber, &len ); /* Holder Sequence */
+ ber_skip_data( ber, len );
+
+ /* Issuer */
+ tag = ber_skip_tag( ber, &len ); /* Sequence */
+ /* issuerName (GeneralNames sequence; optional)? */
+ tag = ber_skip_tag( ber, &len ); /* baseCertificateID (sequence; optional)? */
+ tag = ber_skip_tag( ber, &len ); /* GeneralNames (sequence) */
+ tag = ber_skip_tag( ber, &len ); /* directoryName (we only accept this form of GeneralName) */
+ if ( tag != SLAP_X509_GN_DIRECTORYNAME ) {
+ rc = LDAP_INVALID_SYNTAX;
+ goto done;
+ }
+ tag = ber_peek_tag( ber, &len ); /* sequence of RDN */
+ len = ber_ptrlen( ber );
+ bvdn.bv_val = val->bv_val + len;
+ bvdn.bv_len = val->bv_len - len;
+ rc = dnX509normalize( &bvdn, &issuer_dn );
+ if ( rc != LDAP_SUCCESS ) goto done;
+
+ tag = ber_skip_tag( ber, &len ); /* sequence of RDN */
+ ber_skip_data( ber, len );
+ tag = ber_skip_tag( ber, &len ); /* serial number */
+ if ( tag != LBER_INTEGER ) {
+ rc = LDAP_INVALID_SYNTAX;
+ goto done;
+ }
+ i_sn.bv_val = (char *)ber->ber_ptr;
+ i_sn.bv_len = len;
+ i_sn2.bv_val = issuer_serialbuf;
+ i_sn2.bv_len = sizeof(issuer_serialbuf);
+ if ( slap_bin2hex( &i_sn, &i_sn2, ctx ) ) {
+ rc = LDAP_INVALID_SYNTAX;
+ goto done;
+ }
+ ber_skip_data( ber, len );
+
+ /* issuerUID (bitstring; optional)? */
+ /* objectDigestInfo (sequence; optional)? */
+
+ tag = ber_skip_tag( ber, &len ); /* Signature (sequence) */
+ ber_skip_data( ber, len );
+ tag = ber_skip_tag( ber, &len ); /* serial number */
+ if ( tag != LBER_INTEGER ) {
+ rc = LDAP_INVALID_SYNTAX;
+ goto done;
+ }
+ sn.bv_val = (char *)ber->ber_ptr;
+ sn.bv_len = len;
+ sn2.bv_val = serialbuf;
+ sn2.bv_len = sizeof(serialbuf);
+ if ( slap_bin2hex( &sn, &sn2, ctx ) ) {
+ rc = LDAP_INVALID_SYNTAX;
+ goto done;
+ }
+ ber_skip_data( ber, len );
+
+ normalized->bv_len = STRLENOF( "{ serialNumber , issuer { baseCertificateID { issuer { directoryName:rdnSequence:\"\" }, serial } } }" )
+ + sn2.bv_len + issuer_dn.bv_len + i_sn2.bv_len;
+ normalized->bv_val = ch_malloc( normalized->bv_len + 1 );
+
+ p = normalized->bv_val;
+
+ p = lutil_strcopy( p, "{ serialNumber " );
+ p = lutil_strncopy( p, sn2.bv_val, sn2.bv_len );
+ p = lutil_strcopy( p, ", issuer { baseCertificateID { issuer { directoryName:rdnSequence:\"" );
+ p = lutil_strncopy( p, issuer_dn.bv_val, issuer_dn.bv_len );
+ p = lutil_strcopy( p, "\" }, serial " );
+ p = lutil_strncopy( p, i_sn2.bv_val, i_sn2.bv_len );
+ p = lutil_strcopy( p, " } } }" );
+
+ Debug( LDAP_DEBUG_TRACE, "attributeCertificateExactNormalize: %s\n",
+ normalized->bv_val, NULL, NULL );
+
+ rc = LDAP_SUCCESS;
+
+done:
+ if ( issuer_dn.bv_val ) ber_memfree( issuer_dn.bv_val );
+ if ( i_sn2.bv_val != issuer_serialbuf ) ber_memfree_x( i_sn2.bv_val, ctx );
+ if ( sn2.bv_val != serialbuf ) ber_memfree_x( sn2.bv_val, ctx );
+
+ return rc;
+}
+
+
+static int
+hexValidate(
+ Syntax *syntax,
+ struct berval *in )
+{
+ ber_len_t i;
+
+ assert( in != NULL );
+ assert( !BER_BVISNULL( in ) );
+
+ for ( i = 0; i < in->bv_len; i++ ) {
+ if ( !ASCII_HEX( in->bv_val[ i ] ) ) {
+ return LDAP_INVALID_SYNTAX;
+ }
+ }
+
+ return LDAP_SUCCESS;
+}
+
+/* Normalize a SID as used inside a CSN:
+ * three-digit numeric string */
+static int
+hexNormalize(
+ slap_mask_t usage,
+ Syntax *syntax,
+ MatchingRule *mr,
+ struct berval *val,
+ struct berval *normalized,
+ void *ctx )
+{
+ ber_len_t i;
+
+ assert( val != NULL );
+ assert( normalized != NULL );
+
+ ber_dupbv_x( normalized, val, ctx );
+
+ for ( i = 0; i < normalized->bv_len; i++ ) {
+ if ( !ASCII_HEX( normalized->bv_val[ i ] ) ) {
+ ber_memfree_x( normalized->bv_val, ctx );
+ BER_BVZERO( normalized );
+ return LDAP_INVALID_SYNTAX;
+ }
+
+ normalized->bv_val[ i ] = TOLOWER( normalized->bv_val[ i ] );
+ }
+
+ return LDAP_SUCCESS;
+}
+
+static int
+sidValidate (
+ Syntax *syntax,
+ struct berval *in )
+{
+ assert( in != NULL );
+ assert( !BER_BVISNULL( in ) );
+
+ if ( in->bv_len != 3 ) {
+ return LDAP_INVALID_SYNTAX;
+ }
+
+ return hexValidate( NULL, in );
+}
+
+/* Normalize a SID as used inside a CSN:
+ * three-digit numeric string */
+static int
+sidNormalize(
+ slap_mask_t usage,
+ Syntax *syntax,
+ MatchingRule *mr,
+ struct berval *val,
+ struct berval *normalized,
+ void *ctx )
+{
+ if ( val->bv_len != 3 ) {
+ return LDAP_INVALID_SYNTAX;
+ }
+
+ return hexNormalize( 0, NULL, NULL, val, normalized, ctx );
+}
+
+static int
+sidPretty(
+ Syntax *syntax,
+ struct berval *val,
+ struct berval *out,
+ void *ctx )
+{
+ return sidNormalize( SLAP_MR_VALUE_OF_SYNTAX, NULL, NULL, val, out, ctx );
+}
+
+/* Normalize a SID as used inside a CSN, either as-is
+ * (assertion value) or extracted from the CSN
+ * (attribute value) */
+static int
+csnSidNormalize(
+ slap_mask_t usage,
+ Syntax *syntax,
+ MatchingRule *mr,
+ struct berval *val,
+ struct berval *normalized,
+ void *ctx )
+{
+ struct berval bv;
+ char *ptr,
+ buf[ 4 ];
+
+
+ if ( BER_BVISEMPTY( val ) ) {
+ return LDAP_INVALID_SYNTAX;
+ }
+
+ if ( SLAP_MR_IS_VALUE_OF_ASSERTION_SYNTAX(usage) ) {
+ return sidNormalize( 0, NULL, NULL, val, normalized, ctx );
+ }
+
+ assert( SLAP_MR_IS_VALUE_OF_ATTRIBUTE_SYNTAX(usage) != 0 );
+
+ ptr = ber_bvchr( val, '#' );
+ if ( ptr == NULL || ptr == &val->bv_val[val->bv_len] ) {
+ return LDAP_INVALID_SYNTAX;
+ }
+
+ bv.bv_val = ptr + 1;
+ bv.bv_len = val->bv_len - ( ptr + 1 - val->bv_val );
+
+ ptr = ber_bvchr( &bv, '#' );
+ if ( ptr == NULL || ptr == &val->bv_val[val->bv_len] ) {
+ return LDAP_INVALID_SYNTAX;
+ }
+
+ bv.bv_val = ptr + 1;
+ bv.bv_len = val->bv_len - ( ptr + 1 - val->bv_val );
+
+ ptr = ber_bvchr( &bv, '#' );
+ if ( ptr == NULL || ptr == &val->bv_val[val->bv_len] ) {
+ return LDAP_INVALID_SYNTAX;
+ }
+
+ bv.bv_len = ptr - bv.bv_val;
+
+ if ( bv.bv_len == 2 ) {
+ /* OpenLDAP 2.3 SID */
+ buf[ 0 ] = '0';