+ p = out->bv_val;
+
+ p = lutil_strcopy( p, "{ serialNumber " /*}*/ );
+ p = lutil_strncopy( p, sn3.bv_val, sn3.bv_len );
+ p = lutil_strcopy( p, ", issuer rdnSequence:\"" );
+ p = lutil_strncopy( p, ni.bv_val, ni.bv_len );
+ p = lutil_strcopy( p, /*{*/ "\" }" );
+
+ assert( p == &out->bv_val[out->bv_len] );
+
+func_leave:
+ Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerNormalize: <%s> => <%s>\n",
+ in->bv_val, rc == LDAP_SUCCESS ? out->bv_val : "(err)", 0 );
+
+ if ( sn2.bv_val != sbuf2 ) {
+ slap_sl_free( sn2.bv_val, ctx );
+ }
+
+ if ( sn3.bv_val != sbuf3 ) {
+ slap_sl_free( sn3.bv_val, ctx );
+ }
+
+ slap_sl_free( ni.bv_val, ctx );
+
+ return rc;
+}
+
+static int
+certificateExactNormalize(
+ slap_mask_t usage,
+ Syntax *syntax,
+ MatchingRule *mr,
+ struct berval *val,
+ struct berval *normalized,
+ void *ctx )
+{
+ BerElementBuffer berbuf;
+ BerElement *ber = (BerElement *)&berbuf;
+ ber_tag_t tag;
+ ber_len_t len;
+ ber_int_t i;
+ char serialbuf2[SLAP_SN_BUFLEN];
+ struct berval sn, sn2 = BER_BVNULL;
+ struct berval issuer_dn = BER_BVNULL, bvdn;
+ char *p;
+ int rc = LDAP_INVALID_SYNTAX;
+
+ assert( val != NULL );
+
+ Debug( LDAP_DEBUG_TRACE, ">>> certificateExactNormalize: <%p, %lu>\n",
+ val->bv_val, val->bv_len, 0 );
+
+ if ( BER_BVISEMPTY( val ) ) goto done;
+
+ if ( SLAP_MR_IS_VALUE_OF_ASSERTION_SYNTAX(usage) ) {
+ return serialNumberAndIssuerNormalize( 0, NULL, NULL, val, normalized, ctx );
+ }
+
+ assert( SLAP_MR_IS_VALUE_OF_ATTRIBUTE_SYNTAX(usage) != 0 );
+
+ ber_init2( ber, val, LBER_USE_DER );
+ tag = ber_skip_tag( ber, &len ); /* Signed Sequence */
+ tag = ber_skip_tag( ber, &len ); /* Sequence */
+ tag = ber_peek_tag( ber, &len ); /* Optional version? */
+ if ( tag == SLAP_X509_OPT_C_VERSION ) {
+ tag = ber_skip_tag( ber, &len );
+ tag = ber_get_int( ber, &i ); /* version */
+ }
+
+ /* NOTE: move the test here from certificateValidate,
+ * so that we can validate certs with serial longer
+ * than sizeof(ber_int_t) */
+ tag = ber_skip_tag( ber, &len ); /* serial */
+ sn.bv_len = len;
+ sn.bv_val = (char *)ber->ber_ptr;
+ sn2.bv_val = serialbuf2;
+ sn2.bv_len = sizeof(serialbuf2);
+ if ( slap_bin2hex( &sn, &sn2, ctx ) ) {
+ rc = LDAP_INVALID_SYNTAX;
+ goto done;
+ }
+ ber_skip_data( ber, len );
+
+ tag = ber_skip_tag( ber, &len ); /* SignatureAlg */
+ ber_skip_data( ber, len );
+ tag = ber_peek_tag( ber, &len ); /* IssuerDN */
+ len = ber_ptrlen( ber );
+ bvdn.bv_val = val->bv_val + len;
+ bvdn.bv_len = val->bv_len - len;
+
+ rc = dnX509normalize( &bvdn, &issuer_dn );
+ if ( rc != LDAP_SUCCESS ) goto done;
+
+ normalized->bv_len = STRLENOF( "{ serialNumber , issuer rdnSequence:\"\" }" )
+ + sn2.bv_len + issuer_dn.bv_len;
+ normalized->bv_val = ch_malloc( normalized->bv_len + 1 );
+
+ p = normalized->bv_val;
+
+ p = lutil_strcopy( p, "{ serialNumber " /*}*/ );
+ p = lutil_strncopy( p, sn2.bv_val, sn2.bv_len );
+ p = lutil_strcopy( p, ", issuer rdnSequence:\"" );
+ p = lutil_strncopy( p, issuer_dn.bv_val, issuer_dn.bv_len );
+ p = lutil_strcopy( p, /*{*/ "\" }" );
+
+ rc = LDAP_SUCCESS;
+
+done:
+ Debug( LDAP_DEBUG_TRACE, "<<< certificateExactNormalize: <%p, %lu> => <%s>\n",
+ val->bv_val, val->bv_len, rc == LDAP_SUCCESS ? normalized->bv_val : "(err)" );
+
+ if ( issuer_dn.bv_val ) ber_memfree( issuer_dn.bv_val );
+ if ( sn2.bv_val != serialbuf2 ) ber_memfree_x( sn2.bv_val, ctx );
+
+ return rc;
+}
+
+/* X.509 PKI certificateList stuff */
+static int
+checkTime( struct berval *in, struct berval *out )
+{
+ int rc;
+ ber_len_t i;
+ char buf[STRLENOF("YYYYmmddHHMMSSZ") + 1];
+ struct berval bv;
+
+ assert( in != NULL );
+ assert( !BER_BVISNULL( in ) );
+ assert( !BER_BVISEMPTY( in ) );
+
+ if ( in->bv_len < STRLENOF( "YYmmddHHMMSSZ" ) ) {
+ return -1;
+ }
+
+ if ( out != NULL ) {
+ assert( !BER_BVISNULL( out ) );
+ assert( out->bv_len >= sizeof( buf ) );
+ bv.bv_val = out->bv_val;
+
+ } else {
+ bv.bv_val = buf;
+ }
+
+ for ( i = 0; i < STRLENOF( "YYYYmmddHHMMSS" ); i++ ) {
+ if ( !ASCII_DIGIT( in->bv_val[i] ) ) break;
+ }
+
+ if ( in->bv_val[i] != 'Z' ) {
+ return -1;
+ }
+ i++;
+
+ if ( i != in->bv_len ) {
+ return -1;
+ }
+
+ if ( i == STRLENOF( "YYYYmmddHHMMSSZ" ) ) {
+ lutil_strncopy( bv.bv_val, in->bv_val, i );
+ bv.bv_len = i;
+
+ } else if ( i == STRLENOF( "YYmmddHHMMSSZ" ) ) {
+ char *p = bv.bv_val;
+ if ( in->bv_val[0] < '7' ) {
+ p = lutil_strcopy( p, "20" );
+
+ } else {
+ p = lutil_strcopy( p, "19" );
+ }
+ lutil_strncopy( p, in->bv_val, i );
+ bv.bv_len = 2 + i;
+
+ } else {
+ return -1;
+ }
+
+ rc = generalizedTimeValidate( NULL, &bv );
+ if ( rc == LDAP_SUCCESS && out != NULL ) {
+ out->bv_len = bv.bv_len;
+ }
+
+ return rc != LDAP_SUCCESS;
+}
+
+static int
+issuerAndThisUpdateCheck(
+ struct berval *in,
+ struct berval *is,
+ struct berval *tu,
+ void *ctx )
+{
+ int numdquotes = 0;
+ struct berval x = *in;
+ struct berval ni = BER_BVNULL;
+ /* Parse GSER format */
+ enum {
+ HAVE_NONE = 0x0,
+ HAVE_ISSUER = 0x1,
+ HAVE_THISUPDATE = 0x2,
+ HAVE_ALL = ( HAVE_ISSUER | HAVE_THISUPDATE )
+ } have = HAVE_NONE;
+
+
+ if ( in->bv_len < STRLENOF( "{issuer \"\",thisUpdate \"YYMMDDhhmmssZ\"}" ) ) return LDAP_INVALID_SYNTAX;
+
+ if ( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {
+ return LDAP_INVALID_SYNTAX;
+ }
+
+ x.bv_val++;
+ x.bv_len -= STRLENOF("{}");
+
+ do {
+ /* eat leading spaces */
+ for ( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len-- ) {
+ /* empty */;
+ }
+
+ /* should be at issuer or thisUpdate */
+ if ( strncasecmp( x.bv_val, "issuer", STRLENOF("issuer") ) == 0 ) {
+ if ( have & HAVE_ISSUER ) return LDAP_INVALID_SYNTAX;
+
+ /* parse issuer */
+ x.bv_val += STRLENOF("issuer");
+ x.bv_len -= STRLENOF("issuer");
+
+ if ( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
+ x.bv_val++;
+ x.bv_len--;
+
+ /* eat leading spaces */
+ for ( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len-- ) {
+ /* empty */;
+ }
+
+ /* For backward compatibility, this part is optional */
+ if ( strncasecmp( x.bv_val, "rdnSequence:", STRLENOF("rdnSequence:") ) != 0 ) {
+ return LDAP_INVALID_SYNTAX;
+ }
+ x.bv_val += STRLENOF("rdnSequence:");
+ x.bv_len -= STRLENOF("rdnSequence:");
+
+ if ( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
+ x.bv_val++;
+ x.bv_len--;
+
+ is->bv_val = x.bv_val;
+ is->bv_len = 0;
+
+ for ( ; is->bv_len < x.bv_len; ) {
+ if ( is->bv_val[is->bv_len] != '"' ) {
+ is->bv_len++;
+ continue;
+ }
+ if ( is->bv_val[is->bv_len+1] == '"' ) {
+ /* double dquote */
+ is->bv_len += 2;
+ continue;
+ }