Tweak privateKeyValidate

[openldap] / servers / slapd / schema_init.c

diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index fe3db715c8b5ee715c349d5e01c45f2d9c136921..875422f2961b52fbf92472583f002cc285e6096b 100644 (file)
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -2,7 +2,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2015 The OpenLDAP Foundation.
+ * Copyright 1998-2017 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -593,6 +593,41 @@ attributeCertificateValidate( Syntax *syntax, struct berval *in )
        return LDAP_SUCCESS;
 }
 
+/* accept a PKCS#8 private key */
+static int
+privateKeyValidate(
+       Syntax          *syntax,
+       struct berval   *val )
+{
+       BerElementBuffer berbuf;
+       BerElement *ber = (BerElement *)&berbuf;
+       ber_tag_t tag;
+       ber_len_t len;
+       ber_int_t version;
+
+       ber_init2( ber, val, LBER_USE_DER );
+       tag = ber_skip_tag( ber, &len );        /* Sequence */
+       if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
+       tag = ber_peek_tag( ber, &len );
+       if ( tag != LBER_INTEGER ) return LDAP_INVALID_SYNTAX;
+       tag = ber_get_int( ber, &version );
+       tag = ber_skip_tag( ber, &len );        /* AlgorithmIdentifier */
+       if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
+       ber_skip_data( ber, len );
+       tag = ber_skip_tag( ber, &len );        /* PrivateKey */
+       if ( tag != LBER_OCTETSTRING ) return LDAP_INVALID_SYNTAX;
+       ber_skip_data( ber, len );
+       tag = ber_skip_tag( ber, &len );
+       if ( tag == LBER_SET ) {                        /* Optional Attributes */
+               ber_skip_data( ber, len );
+               tag = ber_skip_tag( ber, &len );
+       }
+
+       /* Must be at end now */
+       if ( len || tag != LBER_DEFAULT ) return LDAP_INVALID_SYNTAX;
+       return LDAP_SUCCESS;
+}
+
 int
 octetStringMatch(
        int *matchp,
@@ -6364,6 +6399,9 @@ static slap_syntax_defs_rec syntax_defs[] = {
        {"( 1.3.6.1.4.1.4203.666.2.7 DESC 'OpenLDAP authz' )",
                SLAP_SYNTAX_HIDE, NULL, authzValidate, authzPretty},
 
+       /* PKCS#8 Private Keys for X.509 certificates */
+       {"( 1.3.6.1.4.1.4203.666.2.13 DESC 'OpenLDAP privateKey' )",
+               SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, NULL, privateKeyValidate, NULL},
        {NULL, 0, NULL, NULL, NULL}
 };
 
@@ -6851,6 +6889,13 @@ static slap_mrule_defs_rec mrule_defs[] = {
                NULL, NULL,
                NULL},
 
+       {"( 1.3.6.1.4.1.4203.666.4.13 NAME 'privateKeyMatch' "
+               "SYNTAX 1.3.6.1.4.1.4203.666.2.13 )", /* OpenLDAP privateKey */
+               SLAP_MR_HIDE | SLAP_MR_EQUALITY, NULL,
+               NULL, NULL, octetStringMatch,
+               NULL, NULL,
+               NULL},
+
        {NULL, SLAP_MR_NONE, NULL,
                NULL, NULL, NULL, NULL, NULL,
                NULL }