/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
#define IA5StringApproxFilter approxFilter
/* Change Sequence Number (CSN) - much of this will change */
-#define csnValidate blobValidate
#define csnMatch octetStringMatch
#define csnOrderingMatch octetStringOrderingMatch
#define csnIndexer generalizedTimeIndexer
#define csnFilter generalizedTimeFilter
-/* FIXME: temporary */
#define authzMatch octetStringMatch
unsigned int index_substr_if_minlen = SLAP_INDEX_SUBSTR_IF_MINLEN_DEFAULT;
unsigned int index_substr_any_len = SLAP_INDEX_SUBSTR_ANY_LEN_DEFAULT;
unsigned int index_substr_any_step = SLAP_INDEX_SUBSTR_ANY_STEP_DEFAULT;
+unsigned int index_intlen = SLAP_INDEX_INTLEN_DEFAULT;
+unsigned int index_intlen_strlen = SLAP_INDEX_INTLEN_STRLEN(
+ SLAP_INDEX_INTLEN_DEFAULT );
+
ldap_pvt_thread_mutex_t ad_undef_mutex;
ldap_pvt_thread_mutex_t oc_undef_mutex;
+static int
+generalizedTimeValidate(
+ Syntax *syntax,
+ struct berval *in );
+
static int
inValidate(
Syntax *syntax,
return LDAP_SUCCESS;
}
+/* X.509 related stuff */
+
+enum {
+ SLAP_X509_V1 = 0,
+ SLAP_X509_V2 = 1,
+ SLAP_X509_V3 = 2
+};
+
+#define SLAP_X509_OPTION (LBER_CLASS_CONTEXT|LBER_CONSTRUCTED)
+
+enum {
+ SLAP_X509_OPT_C_VERSION = SLAP_X509_OPTION + 0,
+ SLAP_X509_OPT_C_ISSUERUNIQUEID = SLAP_X509_OPTION + 1,
+ SLAP_X509_OPT_C_SUBJECTUNIQUEID = SLAP_X509_OPTION + 2,
+ SLAP_X509_OPT_C_EXTENSIONS = SLAP_X509_OPTION + 3
+};
+
+enum {
+ SLAP_X509_OPT_CL_CRLEXTENSIONS = SLAP_X509_OPTION + 0
+};
+
/* X.509 certificate validation */
static int certificateValidate( Syntax *syntax, struct berval *in )
{
BerElement *ber = (BerElement *)&berbuf;
ber_tag_t tag;
ber_len_t len;
- ber_int_t i, version = 0;
+ ber_int_t version = SLAP_X509_V1;
ber_init2( ber, in, LBER_USE_DER );
tag = ber_skip_tag( ber, &len ); /* Signed wrapper */
if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
tag = ber_skip_tag( ber, &len ); /* Sequence */
if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
- tag = ber_skip_tag( ber, &len );
- if ( tag == 0xa0 ) { /* Optional version */
+ tag = ber_peek_tag( ber, &len );
+ /* Optional version */
+ if ( tag == SLAP_X509_OPT_C_VERSION ) {
+ tag = ber_skip_tag( ber, &len );
tag = ber_get_int( ber, &version );
if ( tag != LBER_INTEGER ) return LDAP_INVALID_SYNTAX;
}
- tag = ber_get_int( ber, &i ); /* Serial */
+ /* NOTE: don't try to parse Serial, because it might be longer
+ * than sizeof(ber_int_t); deferred to certificateExactNormalize() */
+ tag = ber_skip_tag( ber, &len ); /* Serial */
if ( tag != LBER_INTEGER ) return LDAP_INVALID_SYNTAX;
+ ber_skip_data( ber, len );
tag = ber_skip_tag( ber, &len ); /* Signature Algorithm */
if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
ber_skip_data( ber, len );
if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
ber_skip_data( ber, len );
tag = ber_skip_tag( ber, &len );
- if ( tag == 0xa1 ) { /* issuerUniqueID */
- if ( version < 1 ) return LDAP_INVALID_SYNTAX;
+ if ( tag == SLAP_X509_OPT_C_ISSUERUNIQUEID ) { /* issuerUniqueID */
+ if ( version < SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX;
ber_skip_data( ber, len );
tag = ber_skip_tag( ber, &len );
}
- if ( tag == 0xa2 ) { /* subjectUniqueID */
- if ( version < 1 ) return LDAP_INVALID_SYNTAX;
+ if ( tag == SLAP_X509_OPT_C_SUBJECTUNIQUEID ) { /* subjectUniqueID */
+ if ( version < SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX;
+ ber_skip_data( ber, len );
+ tag = ber_skip_tag( ber, &len );
+ }
+ if ( tag == SLAP_X509_OPT_C_EXTENSIONS ) { /* Extensions */
+ if ( version < SLAP_X509_V3 ) return LDAP_INVALID_SYNTAX;
+ tag = ber_skip_tag( ber, &len );
+ if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
+ ber_skip_data( ber, len );
+ tag = ber_skip_tag( ber, &len );
+ }
+ /* signatureAlgorithm */
+ if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
+ ber_skip_data( ber, len );
+ tag = ber_skip_tag( ber, &len );
+ /* Signature */
+ if ( tag != LBER_BITSTRING ) return LDAP_INVALID_SYNTAX;
+ ber_skip_data( ber, len );
+ tag = ber_skip_tag( ber, &len );
+ /* Must be at end now */
+ if ( len || tag != LBER_DEFAULT ) return LDAP_INVALID_SYNTAX;
+ return LDAP_SUCCESS;
+}
+
+/* X.509 certificate list validation */
+static int certificateListValidate( Syntax *syntax, struct berval *in )
+{
+ BerElementBuffer berbuf;
+ BerElement *ber = (BerElement *)&berbuf;
+ ber_tag_t tag;
+ ber_len_t len;
+ ber_int_t version = SLAP_X509_V1;
+
+ ber_init2( ber, in, LBER_USE_DER );
+ tag = ber_skip_tag( ber, &len ); /* Signed wrapper */
+ if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
+ tag = ber_skip_tag( ber, &len ); /* Sequence */
+ if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
+ tag = ber_peek_tag( ber, &len );
+ /* Optional version */
+ if ( tag == LBER_INTEGER ) {
+ tag = ber_get_int( ber, &version );
+ assert( tag == LBER_INTEGER );
+ if ( version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX;
+ }
+ tag = ber_skip_tag( ber, &len ); /* Signature Algorithm */
+ if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
+ ber_skip_data( ber, len );
+ tag = ber_skip_tag( ber, &len ); /* Issuer DN */
+ if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
+ ber_skip_data( ber, len );
+ tag = ber_skip_tag( ber, &len ); /* thisUpdate */
+ /* Time is a CHOICE { UTCTime, GeneralizedTime } */
+ if ( tag != 0x17U && tag != 0x18U ) return LDAP_INVALID_SYNTAX;
+ ber_skip_data( ber, len );
+ /* Optional nextUpdate */
+ tag = ber_skip_tag( ber, &len );
+ if ( tag == 0x17U || tag == 0x18U ) {
ber_skip_data( ber, len );
tag = ber_skip_tag( ber, &len );
}
- if ( tag == 0xa3 ) { /* Extensions */
- if ( version < 2 ) return LDAP_INVALID_SYNTAX;
+ /* revokedCertificates - Sequence of Sequence, Optional */
+ if ( tag == LBER_SEQUENCE ) {
+ ber_len_t seqlen;
+ if ( ber_peek_tag( ber, &seqlen ) == LBER_SEQUENCE ) {
+ /* Should NOT be empty */
+ ber_skip_data( ber, len );
+ tag = ber_skip_tag( ber, &len );
+ }
+ }
+ /* Optional Extensions */
+ if ( tag == SLAP_X509_OPT_CL_CRLEXTENSIONS ) { /* ? */
+ if ( version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX;
tag = ber_skip_tag( ber, &len );
if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
ber_skip_data( ber, len );
return LDAP_SUCCESS;
}
-static int
+int
octetStringOrderingMatch(
int *matchp,
slap_mask_t flags,
In ASN.1, Printable string is just a string of printable characters
and can be empty. In X.500, semantics much like NumericString (see
serialNumber for a like example) excepting uses insignificant space
- handling instead of ignore all spaces.
+ handling instead of ignore all spaces. They must be non-empty.
IA5String
Basically same as PrintableString. There are no examples in X.500,
- but same logic applies. So we require them to be non-empty as
- well.
+ but same logic applies. Empty strings are allowed.
-------------------------------------------------------------------*/
*matchp = match;
return LDAP_SUCCESS;
}
-
+
+/* 10**Chop < 256**Chopbytes and Chop > Chopbytes<<1 (for sign bit and itmp) */
+#define INDEX_INTLEN_CHOP 7
+#define INDEX_INTLEN_CHOPBYTES 3
+
+static int
+integerVal2Key(
+ struct berval *in,
+ struct berval *key,
+ struct berval *tmp,
+ void *ctx )
+{
+ /* index format:
+ * only if too large: one's complement <sign*exponent (chopped bytes)>,
+ * two's complement value (sign-extended or chopped as needed),
+ * however the top <number of exponent-bytes + 1> bits of first byte
+ * above is the inverse sign. The next bit is the sign as delimiter.
+ */
+ ber_slen_t k = index_intlen_strlen;
+ ber_len_t chop = 0;
+ unsigned signmask = ~0x7fU;
+ unsigned char lenbuf[sizeof(k) + 2], *lenp, neg = 0xff;
+ struct berval val = *in, itmp = *tmp;
+
+ if ( val.bv_val[0] != '-' ) {
+ neg = 0;
+ --k;
+ }
+
+ /* Chop least significant digits, increase length instead */
+ if ( val.bv_len > (ber_len_t) k ) {
+ chop = (val.bv_len-k+2)/INDEX_INTLEN_CHOP; /* 2 fewer digits */
+ val.bv_len -= chop * INDEX_INTLEN_CHOP; /* #digits chopped */
+ chop *= INDEX_INTLEN_CHOPBYTES; /* #bytes added */
+ }
+
+ if ( lutil_str2bin( &val, &itmp, ctx )) {
+ return LDAP_INVALID_SYNTAX;
+ }
+
+ /* Omit leading sign byte */
+ if ( itmp.bv_val[0] == neg ) {
+ itmp.bv_val++;
+ itmp.bv_len--;
+ }
+
+ k = (ber_slen_t) index_intlen - (ber_slen_t) (itmp.bv_len + chop);
+ if ( k > 0 ) {
+ assert( chop == 0 );
+ memset( key->bv_val, neg, k ); /* sign-extend */
+ } else if ( k != 0 || ((itmp.bv_val[0] ^ neg) & 0xc0) ) {
+ lenp = lenbuf + sizeof(lenbuf);
+ chop = - (ber_len_t) k;
+ do {
+ *--lenp = ((unsigned char) chop & 0xff) ^ neg;
+ signmask >>= 1;
+ } while ( (chop >>= 8) != 0 || (signmask >> 1) & (*lenp ^ neg) );
+ /* With n bytes in lenbuf, the top n+1 bits of (signmask&0xff)
+ * are 1, and the top n+2 bits of lenp[] are the sign bit. */
+ k = (lenbuf + sizeof(lenbuf)) - lenp;
+ if ( k > (ber_slen_t) index_intlen )
+ k = index_intlen;
+ memcpy( key->bv_val, lenp, k );
+ itmp.bv_len = index_intlen - k;
+ }
+ memcpy( key->bv_val + k, itmp.bv_val, itmp.bv_len );
+ key->bv_val[0] ^= (unsigned char) signmask & 0xff; /* invert sign */
+ return 0;
+}
+
+/* Index generation function */
+static int
+integerIndexer(
+ slap_mask_t use,
+ slap_mask_t flags,
+ Syntax *syntax,
+ MatchingRule *mr,
+ struct berval *prefix,
+ BerVarray values,
+ BerVarray *keysp,
+ void *ctx )
+{
+ char ibuf[64];
+ struct berval itmp;
+ BerVarray keys;
+ ber_len_t vlen;
+ int i, rc;
+ unsigned maxstrlen = index_intlen_strlen + INDEX_INTLEN_CHOP-1;
+
+ /* count the values and find max needed length */
+ vlen = 0;
+ for( i = 0; !BER_BVISNULL( &values[i] ); i++ ) {
+ if ( vlen < values[i].bv_len )
+ vlen = values[i].bv_len;
+ }
+ if ( vlen > maxstrlen )
+ vlen = maxstrlen;
+
+ /* we should have at least one value at this point */
+ assert( i > 0 );
+
+ keys = slap_sl_malloc( sizeof( struct berval ) * (i+1), ctx );
+ for ( i = 0; !BER_BVISNULL( &values[i] ); i++ ) {
+ keys[i].bv_len = index_intlen;
+ keys[i].bv_val = slap_sl_malloc( index_intlen, ctx );
+ }
+ keys[i].bv_len = 0;
+ keys[i].bv_val = NULL;
+
+ if ( vlen > sizeof(ibuf) ) {
+ itmp.bv_val = slap_sl_malloc( vlen, ctx );
+ } else {
+ itmp.bv_val = ibuf;
+ }
+ itmp.bv_len = sizeof(ibuf);
+
+ for ( i=0; !BER_BVISNULL( &values[i] ); i++ ) {
+ if ( itmp.bv_val != ibuf ) {
+ itmp.bv_len = values[i].bv_len;
+ if ( itmp.bv_len <= sizeof(ibuf) )
+ itmp.bv_len = sizeof(ibuf);
+ else if ( itmp.bv_len > maxstrlen )
+ itmp.bv_len = maxstrlen;
+ }
+ rc = integerVal2Key( &values[i], &keys[i], &itmp, ctx );
+ if ( rc )
+ goto leave;
+ }
+ *keysp = keys;
+leave:
+ if ( itmp.bv_val != ibuf ) {
+ slap_sl_free( itmp.bv_val, ctx );
+ }
+ return rc;
+}
+
+/* Index generation function */
+static int
+integerFilter(
+ slap_mask_t use,
+ slap_mask_t flags,
+ Syntax *syntax,
+ MatchingRule *mr,
+ struct berval *prefix,
+ void * assertedValue,
+ BerVarray *keysp,
+ void *ctx )
+{
+ char ibuf[64];
+ struct berval iv;
+ BerVarray keys;
+ struct berval *value;
+ int rc;
+
+ value = (struct berval *) assertedValue;
+
+ keys = slap_sl_malloc( sizeof( struct berval ) * 2, ctx );
+
+ keys[0].bv_len = index_intlen;
+ keys[0].bv_val = slap_sl_malloc( index_intlen, ctx );
+
+ iv.bv_len = value->bv_len < index_intlen_strlen + INDEX_INTLEN_CHOP-1
+ ? value->bv_len : index_intlen_strlen + INDEX_INTLEN_CHOP-1;
+ if ( iv.bv_len > (int) sizeof(ibuf) ) {
+ iv.bv_val = slap_sl_malloc( iv.bv_len, ctx );
+ } else {
+ iv.bv_val = ibuf;
+ iv.bv_len = sizeof(ibuf);
+ }
+
+ rc = integerVal2Key( value, keys, &iv, ctx );
+ if ( rc == 0 )
+ *keysp = keys;
+
+ if ( iv.bv_val != ibuf ) {
+ slap_sl_free( iv.bv_val, ctx );
+ }
+ return rc;
+}
+
static int
countryStringValidate(
Syntax *syntax,
unsigned char octet = '\0';
int i;
int j;
+
+ if ( SLAP_MR_IS_DENORMALIZE( usage ) ) {
+ /* NOTE: must be a normalized UUID */
+ assert( val->bv_len == 16 );
+
+ normalized->bv_val = slap_sl_malloc( LDAP_LUTIL_UUIDSTR_BUFSIZE, ctx );
+ normalized->bv_len = lutil_uuidstr_from_normalized( val->bv_val,
+ val->bv_len, normalized->bv_val, LDAP_LUTIL_UUIDSTR_BUFSIZE );
+ assert( normalized->bv_len == STRLENOF( "BADBADBA-DBAD-0123-4567-BADBADBADBAD" ) );
+
+ return LDAP_SUCCESS;
+ }
+
normalized->bv_len = 16;
normalized->bv_val = slap_sl_malloc( normalized->bv_len + 1, ctx );
-static int
+int
numericStringValidate(
Syntax *syntax,
struct berval *in )
}
}
- /* we should have copied no more then is in val */
+ /* we should have copied no more than is in val */
assert( (q - normalized->bv_val) <= (p - val->bv_val) );
/* null terminate */
}
static int
-serialNumberAndIssuerValidate(
- Syntax *syntax,
- struct berval *in )
+serialNumberAndIssuerCheck(
+ struct berval *in,
+ struct berval *sn,
+ struct berval *is,
+ void *ctx
+)
{
- int rc;
- ber_len_t n;
- struct berval sn, i;
-
- Debug( LDAP_DEBUG_TRACE, ">>> serialNumberAndIssuerValidate: <%s>\n",
- in->bv_val, 0, 0 );
+ int is_hex = 0, n;
if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
if( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {
/* Parse old format */
- i.bv_val = ber_bvchr( in, '$' );
- if( BER_BVISNULL( &i ) ) return LDAP_INVALID_SYNTAX;
+ is->bv_val = ber_bvchr( in, '$' );
+ if( BER_BVISNULL( is ) ) return LDAP_INVALID_SYNTAX;
- sn.bv_val = in->bv_val;
- sn.bv_len = i.bv_val - in->bv_val;
+ sn->bv_val = in->bv_val;
+ sn->bv_len = is->bv_val - in->bv_val;
- i.bv_val++;
- i.bv_len = in->bv_len - (sn.bv_len + 1);
+ is->bv_val++;
+ is->bv_len = in->bv_len - (sn->bv_len + 1);
/* eat leading zeros */
- for( n=0; n < (sn.bv_len-1); n++ ) {
- if( sn.bv_val[n] != '0' ) break;
+ for( n=0; n < (sn->bv_len-1); n++ ) {
+ if( sn->bv_val[n] != '0' ) break;
}
- sn.bv_val += n;
- sn.bv_len -= n;
+ sn->bv_val += n;
+ sn->bv_len -= n;
- for( n=0; n < sn.bv_len; n++ ) {
- if( !ASCII_DIGIT(sn.bv_val[n]) ) return LDAP_INVALID_SYNTAX;
+ for( n=0; n < sn->bv_len; n++ ) {
+ if( !ASCII_DIGIT(sn->bv_val[n]) ) return LDAP_INVALID_SYNTAX;
}
} else {
/* Parse GSER format */
int havesn=0,haveissuer=0;
struct berval x = *in;
+ struct berval ni;
x.bv_val++;
x.bv_len-=2;
for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
/* empty */;
}
-
+
+ /* For backward compatibility, this part is optional */
+ if( !strncasecmp( x.bv_val, "rdnSequence:", STRLENOF("rdnSequence:"))) {
+ x.bv_val += STRLENOF("rdnSequence:");
+ x.bv_len -= STRLENOF("rdnSequence:");
+ }
+
if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
x.bv_val++; x.bv_len--;
- i.bv_val = x.bv_val;
- i.bv_len = 0;
+ is->bv_val = x.bv_val;
+ is->bv_len = 0;
- for( ; i.bv_len < x.bv_len; ) {
- if ( i.bv_val[i.bv_len] != '"' ) {
- i.bv_len++;
+ for( ; is->bv_len < x.bv_len; ) {
+ if ( is->bv_val[is->bv_len] != '"' ) {
+ is->bv_len++;
continue;
}
- if ( i.bv_val[i.bv_len+1] == '"' ) {
+ if ( is->bv_val[is->bv_len+1] == '"' ) {
/* double dquote */
- i.bv_len+=2;
+ is->bv_len+=2;
continue;
}
break;
}
- x.bv_val += i.bv_len+1;
- x.bv_len -= i.bv_len+1;
+ x.bv_val += is->bv_len+1;
+ x.bv_len -= is->bv_len+1;
if ( x.bv_len < STRLENOF(",serialNumber 0")) {
return LDAP_INVALID_SYNTAX;
/* empty */;
}
- sn.bv_val = x.bv_val;
- sn.bv_len = 0;
+ sn->bv_val = x.bv_val;
+ sn->bv_len = 0;
- if( sn.bv_val[0] == '-' ) {
+ if( sn->bv_val[0] == '-' ) {
neg++;
- sn.bv_len++;
+ sn->bv_len++;
}
- for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) {
- if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break;
+ if ( sn->bv_val[0] == '0' && ( sn->bv_val[1] == 'x' ||
+ sn->bv_val[1] == 'X' )) {
+ is_hex = 1;
+ for( ; sn->bv_len < x.bv_len; sn->bv_len++ ) {
+ if ( !ASCII_HEX( sn->bv_val[sn->bv_len] )) break;
+ }
+ } else if ( sn->bv_val[0] == '\'' ) {
+ for( ; sn->bv_len < x.bv_len; sn->bv_len++ ) {
+ if ( !ASCII_HEX( sn->bv_val[sn->bv_len] )) break;
+ }
+ if ( sn->bv_val[sn->bv_len] == '\'' &&
+ sn->bv_val[sn->bv_len+1] == 'H' )
+ is_hex = 1;
+ else
+ return LDAP_INVALID_SYNTAX;
+ sn->bv_len += 2;
+ } else {
+ for( ; sn->bv_len < x.bv_len; sn->bv_len++ ) {
+ if ( !ASCII_DIGIT( sn->bv_val[sn->bv_len] )) break;
+ }
}
- if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX;
- if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) {
+ if (!( sn->bv_len > neg )) return LDAP_INVALID_SYNTAX;
+ if (( sn->bv_len > 1+neg ) && ( sn->bv_val[neg] == '0' )) {
return LDAP_INVALID_SYNTAX;
}
- x.bv_val += sn.bv_len; x.bv_len -= sn.bv_len;
+ x.bv_val += sn->bv_len; x.bv_len -= sn->bv_len;
if ( x.bv_len < STRLENOF( ",issuer \"\"" )) {
return LDAP_INVALID_SYNTAX;
for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
/* empty */;
}
-
+
+ /* For backward compatibility, this part is optional */
+ if( !strncasecmp( x.bv_val, "rdnSequence:", STRLENOF("rdnSequence:"))) {
+ x.bv_val += STRLENOF("rdnSequence:");
+ x.bv_len -= STRLENOF("rdnSequence:");
+ }
+
if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
x.bv_val++; x.bv_len--;
- i.bv_val = x.bv_val;
- i.bv_len = 0;
+ is->bv_val = x.bv_val;
+ is->bv_len = 0;
- for( ; i.bv_len < x.bv_len; ) {
- if ( i.bv_val[i.bv_len] != '"' ) {
- i.bv_len++;
+ for( ; is->bv_len < x.bv_len; ) {
+ if ( is->bv_val[is->bv_len] != '"' ) {
+ is->bv_len++;
continue;
}
- if ( i.bv_val[i.bv_len+1] == '"' ) {
+ if ( is->bv_val[is->bv_len+1] == '"' ) {
/* double dquote */
- i.bv_len+=2;
+ is->bv_len+=2;
continue;
}
break;
}
- x.bv_val += i.bv_len+1;
- x.bv_len -= i.bv_len+1;
+ x.bv_val += is->bv_len+1;
+ x.bv_len -= is->bv_len+1;
} else if( !havesn && (strncasecmp( x.bv_val, "serialNumber",
STRLENOF("serialNumber")) == 0 ))
/* empty */;
}
- if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
- x.bv_val++; x.bv_len--;
-
- sn.bv_val = x.bv_val;
- sn.bv_len = 0;
+ sn->bv_val = x.bv_val;
+ sn->bv_len = 0;
- if( sn.bv_val[0] == '-' ) {
+ if( sn->bv_val[0] == '-' ) {
neg++;
- sn.bv_len++;
+ sn->bv_len++;
}
- for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) {
- if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break;
+ if ( sn->bv_val[0] == '0' && ( sn->bv_val[1] == 'x' ||
+ sn->bv_val[1] == 'X' )) {
+ is_hex = 1;
+ for( ; sn->bv_len < x.bv_len; sn->bv_len++ ) {
+ if ( !ASCII_HEX( sn->bv_val[sn->bv_len] )) break;
+ }
+ } else if ( sn->bv_val[0] == '\'' ) {
+ for( ; sn->bv_len < x.bv_len; sn->bv_len++ ) {
+ if ( !ASCII_HEX( sn->bv_val[sn->bv_len] )) break;
+ }
+ if ( sn->bv_val[sn->bv_len] == '\'' &&
+ sn->bv_val[sn->bv_len+1] == 'H' )
+ is_hex = 1;
+ else
+ return LDAP_INVALID_SYNTAX;
+ sn->bv_len += 2;
+ } else {
+ for( ; sn->bv_len < x.bv_len; sn->bv_len++ ) {
+ if ( !ASCII_DIGIT( sn->bv_val[sn->bv_len] )) break;
+ }
}
- if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX;
- if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) {
+ if (!( sn->bv_len > neg )) return LDAP_INVALID_SYNTAX;
+ if (( sn->bv_len > 1+neg ) && ( sn->bv_val[neg] == '0' )) {
return LDAP_INVALID_SYNTAX;
}
- x.bv_val += sn.bv_len;
- x.bv_len -= sn.bv_len;
+ x.bv_val += sn->bv_len;
+ x.bv_len -= sn->bv_len;
} else return LDAP_INVALID_SYNTAX;
/* should have no characters left... */
if( x.bv_len ) return LDAP_INVALID_SYNTAX;
+
+ ber_dupbv_x( &ni, is, ctx );
+ *is = ni;
+
+ /* need to handle double dquotes here */
}
+ return 0;
+}
+
+static int
+serialNumberAndIssuerValidate(
+ Syntax *syntax,
+ struct berval *in )
+{
+ int rc;
+ struct berval sn, i;
+
+ Debug( LDAP_DEBUG_TRACE, ">>> serialNumberAndIssuerValidate: <%s>\n",
+ in->bv_val, 0, 0 );
+
+ rc = serialNumberAndIssuerCheck( in, &sn, &i, NULL );
+ if ( rc )
+ return rc;
/* validate DN -- doesn't handle double dquote */
rc = dnValidate( NULL, &i );
- if( rc ) return LDAP_INVALID_SYNTAX;
+ if( rc )
+ rc = LDAP_INVALID_SYNTAX;
+
+ if( in->bv_val[0] == '{' && in->bv_val[in->bv_len-1] == '}' ) {
+ slap_sl_free( i.bv_val, NULL );
+ }
Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerValidate: OKAY\n",
- in->bv_val, 0, 0 );
- return LDAP_SUCCESS;
+ 0, 0, 0 );
+ return rc;
}
int
struct berval *out,
void *ctx )
{
- int rc;
- ber_len_t n;
+ int n, rc;
struct berval sn, i, ni;
assert( in != NULL );
Debug( LDAP_DEBUG_TRACE, ">>> serialNumberAndIssuerPretty: <%s>\n",
in->bv_val, 0, 0 );
- if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
+ rc = serialNumberAndIssuerCheck( in, &sn, &i, ctx );
+ if ( rc )
+ return rc;
- if( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {
- /* Parse old format */
- i.bv_val = ber_bvchr( in, '$' );
- if( BER_BVISNULL( &i ) ) return LDAP_INVALID_SYNTAX;
+ rc = dnPretty( syntax, &i, &ni, ctx );
- sn.bv_val = in->bv_val;
- sn.bv_len = i.bv_val - in->bv_val;
+ if( in->bv_val[0] == '{' && in->bv_val[in->bv_len-1] == '}' ) {
+ slap_sl_free( i.bv_val, ctx );
+ }
- i.bv_val++;
- i.bv_len = in->bv_len - (sn.bv_len + 1);
+ if( rc ) return LDAP_INVALID_SYNTAX;
- /* eat leading zeros */
- for( n=0; n < (sn.bv_len-1); n++ ) {
- if( sn.bv_val[n] != '0' ) break;
- }
- sn.bv_val += n;
- sn.bv_len -= n;
+ /* make room from sn + "$" */
+ out->bv_len = STRLENOF("{ serialNumber , issuer rdnSequence:\"\" }")
+ + sn.bv_len + ni.bv_len;
+ out->bv_val = slap_sl_malloc( out->bv_len + 1, ctx );
- for( n=0; n < sn.bv_len; n++ ) {
- if( !ASCII_DIGIT(sn.bv_val[n]) ) return LDAP_INVALID_SYNTAX;
- }
+ if( out->bv_val == NULL ) {
+ out->bv_len = 0;
+ slap_sl_free( ni.bv_val, ctx );
+ return LDAP_OTHER;
+ }
- } else {
- /* Parse GSER format */
- int havesn=0,haveissuer=0;
- struct berval x = *in;
- x.bv_val++;
- x.bv_len-=2;
+ n = 0;
+ AC_MEMCPY( &out->bv_val[n], "{ serialNumber ",
+ STRLENOF("{ serialNumber "));
+ n = STRLENOF("{ serialNumber ");
- /* eat leading spaces */
- for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
- /* empty */;
- }
+ AC_MEMCPY( &out->bv_val[n], sn.bv_val, sn.bv_len );
+ n += sn.bv_len;
- if ( x.bv_len < STRLENOF("serialNumber 0,issuer \"\"")) {
- return LDAP_INVALID_SYNTAX;
- }
+ AC_MEMCPY( &out->bv_val[n], ", issuer rdnSequence:\"", STRLENOF(", issuer rdnSequence:\""));
+ n += STRLENOF(", issuer rdnSequence:\"");
- /* should be at issuer or serialNumber NamedValue */
- if( strncasecmp( x.bv_val, "issuer", STRLENOF("issuer")) == 0 ) {
- /* parse issuer */
- x.bv_val += STRLENOF("issuer");
- x.bv_len -= STRLENOF("issuer");
+ AC_MEMCPY( &out->bv_val[n], ni.bv_val, ni.bv_len );
+ n += ni.bv_len;
- if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
- x.bv_val++; x.bv_len--;
+ AC_MEMCPY( &out->bv_val[n], "\" }", STRLENOF("\" }"));
+ n += STRLENOF("\" }");
- /* eat leading spaces */
- for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
- /* empty */;
- }
-
- if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
- x.bv_val++; x.bv_len--;
-
- i.bv_val = x.bv_val;
- i.bv_len = 0;
-
- for( ; i.bv_len < x.bv_len; ) {
- if ( i.bv_val[i.bv_len] != '"' ) {
- i.bv_len++;
- continue;
- }
- if ( i.bv_val[i.bv_len+1] == '"' ) {
- /* double dquote */
- i.bv_len+=2;
- continue;
- }
- break;
- }
- x.bv_val += i.bv_len+1;
- x.bv_len -= i.bv_len+1;
-
- if ( x.bv_len < STRLENOF(",serialNumber 0")) {
- return LDAP_INVALID_SYNTAX;
- }
-
- haveissuer++;
-
- } else if( strncasecmp( x.bv_val, "serialNumber",
- STRLENOF("serialNumber")) == 0 )
- {
- /* parse serialNumber */
- int neg=0;
- x.bv_val += STRLENOF("serialNumber");
- x.bv_len -= STRLENOF("serialNumber");
-
- if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
- x.bv_val++; x.bv_len--;
-
- /* eat leading spaces */
- for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
- /* empty */;
- }
-
- sn.bv_val = x.bv_val;
- sn.bv_len = 0;
-
- if( sn.bv_val[0] == '-' ) {
- neg++;
- sn.bv_len++;
- }
-
- for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) {
- if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break;
- }
-
- if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX;
- if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) {
- return LDAP_INVALID_SYNTAX;
- }
-
- x.bv_val += sn.bv_len; x.bv_len -= sn.bv_len;
-
- if ( x.bv_len < STRLENOF( ",issuer \"\"" )) {
- return LDAP_INVALID_SYNTAX;
- }
-
- havesn++;
-
- } else return LDAP_INVALID_SYNTAX;
-
- if( x.bv_val[0] != ',' ) return LDAP_INVALID_SYNTAX;
- x.bv_val++; x.bv_len--;
-
- /* eat spaces */
- for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
- /* empty */;
- }
-
- /* should be at remaining NamedValue */
- if( !haveissuer && (strncasecmp( x.bv_val, "issuer",
- STRLENOF("issuer" )) == 0 ))
- {
- /* parse issuer */
- x.bv_val += STRLENOF("issuer");
- x.bv_len -= STRLENOF("issuer");
-
- if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
- x.bv_val++; x.bv_len--;
-
- /* eat leading spaces */
- for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
- /* empty */;
- }
-
- if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
- x.bv_val++; x.bv_len--;
-
- i.bv_val = x.bv_val;
- i.bv_len = 0;
-
- for( ; i.bv_len < x.bv_len; ) {
- if ( i.bv_val[i.bv_len] != '"' ) {
- i.bv_len++;
- continue;
- }
- if ( i.bv_val[i.bv_len+1] == '"' ) {
- /* double dquote */
- i.bv_len+=2;
- continue;
- }
- break;
- }
- x.bv_val += i.bv_len+1;
- x.bv_len -= i.bv_len+1;
-
- } else if( !havesn && (strncasecmp( x.bv_val, "serialNumber",
- STRLENOF("serialNumber")) == 0 ))
- {
- /* parse serialNumber */
- int neg=0;
- x.bv_val += STRLENOF("serialNumber");
- x.bv_len -= STRLENOF("serialNumber");
-
- if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
- x.bv_val++; x.bv_len--;
-
- /* eat leading spaces */
- for( ; (x.bv_val[0] == ' ') && x.bv_len ; x.bv_val++, x.bv_len--) {
- /* empty */;
- }
-
- sn.bv_val = x.bv_val;
- sn.bv_len = 0;
-
- if( sn.bv_val[0] == '-' ) {
- neg++;
- sn.bv_len++;
- }
+ out->bv_val[n] = '\0';
- for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) {
- if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break;
- }
+ assert( n == out->bv_len );
- if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX;
- if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) {
- return LDAP_INVALID_SYNTAX;
- }
+ Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerPretty: <%s>\n",
+ out->bv_val, 0, 0 );
- x.bv_val += sn.bv_len;
- x.bv_len -= sn.bv_len;
+ slap_sl_free( ni.bv_val, ctx );
- } else return LDAP_INVALID_SYNTAX;
+ return LDAP_SUCCESS;
+}
- /* eat trailing spaces */
- for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
- /* empty */;
- }
+/*
+ * This routine is called by certificateExactNormalize when
+ * certificateExactNormalize receives a search string instead of
+ * a certificate. This routine checks if the search value is valid
+ * and then returns the normalized value
+ */
+static int
+serialNumberAndIssuerNormalize(
+ slap_mask_t usage,
+ Syntax *syntax,
+ MatchingRule *mr,
+ struct berval *in,
+ struct berval *out,
+ void *ctx )
+{
+ struct berval sn, sn2, i, ni;
+ char sbuf[64], *stmp = sbuf;
+ int rc;
+ ber_len_t n;
- /* should have no characters left... */
- if( x.bv_len ) return LDAP_INVALID_SYNTAX;
+ assert( in != NULL );
+ assert( out != NULL );
- ber_dupbv_x( &ni, &i, ctx );
- i = ni;
+ Debug( LDAP_DEBUG_TRACE, ">>> serialNumberAndIssuerNormalize: <%s>\n",
+ in->bv_val, 0, 0 );
- /* need to handle double dquotes here */
- }
+ rc = serialNumberAndIssuerCheck( in, &sn, &i, ctx );
+ if ( rc )
+ return rc;
- rc = dnPretty( syntax, &i, &ni, ctx );
+ rc = dnNormalize( usage, syntax, mr, &i, &ni, ctx );
if( in->bv_val[0] == '{' && in->bv_val[in->bv_len-1] == '}' ) {
slap_sl_free( i.bv_val, ctx );
if( rc ) return LDAP_INVALID_SYNTAX;
- /* make room from sn + "$" */
- out->bv_len = STRLENOF("{ serialNumber , issuer \"\" }")
- + sn.bv_len + ni.bv_len;
+ /* Convert sn to canonical hex */
+ if ( sn.bv_len > sizeof( sbuf )) {
+ stmp = slap_sl_malloc( sn.bv_len, ctx );
+ }
+ sn2.bv_val = stmp;
+ sn2.bv_len = sn.bv_len;
+ if ( lutil_str2bin( &sn, &sn2, ctx )) {
+ rc = LDAP_INVALID_SYNTAX;
+ goto leave;
+ }
+
+ /* make room for sn + "$" */
+ out->bv_len = STRLENOF( "{ serialNumber , issuer rdnSequence:\"\" }" )
+ + ( sn2.bv_len * 2 + 3 ) + ni.bv_len;
out->bv_val = slap_sl_malloc( out->bv_len + 1, ctx );
if( out->bv_val == NULL ) {
out->bv_len = 0;
slap_sl_free( ni.bv_val, ctx );
- return LDAP_OTHER;
+ rc = LDAP_OTHER;
+ goto leave;
}
n = 0;
AC_MEMCPY( &out->bv_val[n], "{ serialNumber ",
- STRLENOF("{ serialNumber "));
- n = STRLENOF("{ serialNumber ");
+ STRLENOF( "{ serialNumber " ));
+ n = STRLENOF( "{ serialNumber " );
AC_MEMCPY( &out->bv_val[n], sn.bv_val, sn.bv_len );
- n += sn.bv_len;
+ {
+ int j;
+ unsigned char *v = (unsigned char *)sn2.bv_val;
+ out->bv_val[n++] = '\'';
+ for ( j = 0; j < sn2.bv_len; j++ ) {
+ snprintf( &out->bv_val[n], out->bv_len - n + 1,
+ "%02X", v[j] );
+ n += 2;
+ }
+ out->bv_val[n++] = '\'';
+ out->bv_val[n++] = 'H';
+ }
- AC_MEMCPY( &out->bv_val[n], ", issuer \"", STRLENOF(", issuer \""));
- n += STRLENOF(", issuer \"");
+ AC_MEMCPY( &out->bv_val[n], ", issuer rdnSequence:\"", STRLENOF( ", issuer rdnSequence:\"" ));
+ n += STRLENOF( ", issuer rdnSequence:\"" );
AC_MEMCPY( &out->bv_val[n], ni.bv_val, ni.bv_len );
n += ni.bv_len;
- AC_MEMCPY( &out->bv_val[n], "\" }", STRLENOF("\" }"));
- n += STRLENOF("\" }");
+ AC_MEMCPY( &out->bv_val[n], "\" }", STRLENOF( "\" }" ));
+ n += STRLENOF( "\" }" );
out->bv_val[n] = '\0';
assert( n == out->bv_len );
- Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerPretty: <%s>\n",
+ Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerNormalize: <%s>\n",
out->bv_val, 0, 0 );
+leave:
+ if ( stmp != sbuf )
+ slap_sl_free( stmp, ctx );
slap_sl_free( ni.bv_val, ctx );
- return LDAP_SUCCESS;
+ return rc;
}
-/*
- * This routine is called by certificateExactNormalize when
- * certificateExactNormalize receives a search string instead of
- * a certificate. This routine checks if the search value is valid
- * and then returns the normalized value
- */
static int
-serialNumberAndIssuerNormalize(
+certificateExactNormalize(
slap_mask_t usage,
Syntax *syntax,
MatchingRule *mr,
- struct berval *in,
- struct berval *out,
+ struct berval *val,
+ struct berval *normalized,
void *ctx )
{
- int rc;
- ber_len_t n;
- struct berval sn, i, ni;
+ BerElementBuffer berbuf;
+ BerElement *ber = (BerElement *)&berbuf;
+ ber_tag_t tag;
+ ber_len_t len;
+ ber_int_t i;
+ char serialbuf[64], *serial = serialbuf;
+ ber_len_t seriallen;
+ struct berval issuer_dn = BER_BVNULL, bvdn;
+ unsigned char *p;
+ int rc = LDAP_INVALID_SYNTAX;
- assert( in != NULL );
- assert( out != NULL );
+ if( BER_BVISEMPTY( val ) ) goto done;
- Debug( LDAP_DEBUG_TRACE, ">>> serialNumberAndIssuerNormalize: <%s>\n",
- in->bv_val, 0, 0 );
+ if( SLAP_MR_IS_VALUE_OF_ASSERTION_SYNTAX(usage) ) {
+ return serialNumberAndIssuerNormalize(0,NULL,NULL,val,normalized,ctx);
+ }
- if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
+ assert( SLAP_MR_IS_VALUE_OF_ATTRIBUTE_SYNTAX(usage) != 0 );
- if( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {
- /* Parse old format */
- i.bv_val = ber_bvchr( in, '$' );
- if( BER_BVISNULL( &i ) ) return LDAP_INVALID_SYNTAX;
+ ber_init2( ber, val, LBER_USE_DER );
+ tag = ber_skip_tag( ber, &len ); /* Signed Sequence */
+ tag = ber_skip_tag( ber, &len ); /* Sequence */
+ tag = ber_peek_tag( ber, &len ); /* Optional version? */
+ if ( tag == SLAP_X509_OPT_C_VERSION ) {
+ tag = ber_skip_tag( ber, &len );
+ tag = ber_get_int( ber, &i ); /* version */
+ }
- sn.bv_val = in->bv_val;
- sn.bv_len = i.bv_val - in->bv_val;
+ /* NOTE: move the test here from certificateValidate,
+ * so that we can validate certs with serial longer
+ * than sizeof(ber_int_t) */
+ tag = ber_peek_tag( ber, &len ); /* serial */
- i.bv_val++;
- i.bv_len = in->bv_len - (sn.bv_len + 1);
+ /* Use hex format. '123456789abcdef'H
+ */
+ {
+ unsigned char *ptr;
+ char *sptr;
+
+ tag = ber_skip_tag( ber, &len );
+ ptr = (unsigned char *)ber->ber_ptr;
+ ber_skip_data( ber, len );
- /* eat leading zeros */
- for( n=0; n < (sn.bv_len-1); n++ ) {
- if( sn.bv_val[n] != '0' ) break;
+ /* Check for minimal encodings */
+ if ( len > 1 ) {
+ if ( ptr[0] & 0x80 ) {
+ if (( ptr[0] == 0xff ) && ( ptr[1] & 0x80 ))
+ return LDAP_INVALID_SYNTAX;
+ } else if ( ptr[0] == 0 ) {
+ if (!( ptr[1] & 0x80 ))
+ return LDAP_INVALID_SYNTAX;
+ }
}
- sn.bv_val += n;
- sn.bv_len -= n;
- for( n=0; n < sn.bv_len; n++ ) {
- if( !ASCII_DIGIT(sn.bv_val[n]) ) return LDAP_INVALID_SYNTAX;
+ seriallen = len * 2 + 4; /* quotes, H, NUL */
+ if ( seriallen > sizeof( serialbuf ))
+ serial = slap_sl_malloc( seriallen, ctx );
+ sptr = serial;
+ *sptr++ = '\'';
+ for ( i = 0; i<len; i++ ) {
+ sprintf( sptr, "%02X", ptr[i] );
+ sptr += 2;
}
+ *sptr++ = '\'';
+ *sptr++ = 'H';
+ seriallen--;
+ }
+ tag = ber_skip_tag( ber, &len ); /* SignatureAlg */
+ ber_skip_data( ber, len );
+ tag = ber_peek_tag( ber, &len ); /* IssuerDN */
+ len = ber_ptrlen( ber );
+ bvdn.bv_val = val->bv_val + len;
+ bvdn.bv_len = val->bv_len - len;
- } else {
- /* Parse GSER format */
- int havesn=0,haveissuer=0;
- struct berval x = *in;
- x.bv_val++;
- x.bv_len-=2;
+ rc = dnX509normalize( &bvdn, &issuer_dn );
+ if( rc != LDAP_SUCCESS ) goto done;
- /* eat leading spaces */
- for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
- /* empty */;
+ normalized->bv_len = STRLENOF( "{ serialNumber , issuer rdnSequence:\"\" }" )
+ + seriallen + issuer_dn.bv_len;
+ normalized->bv_val = ch_malloc(normalized->bv_len+1);
+
+ p = (unsigned char *)normalized->bv_val;
+
+ AC_MEMCPY(p, "{ serialNumber ", STRLENOF( "{ serialNumber " ));
+ p += STRLENOF( "{ serialNumber " );
+
+ AC_MEMCPY(p, serial, seriallen);
+ p += seriallen;
+
+ AC_MEMCPY(p, ", issuer rdnSequence:\"", STRLENOF( ", issuer rdnSequence:\"" ));
+ p += STRLENOF( ", issuer rdnSequence:\"" );
+
+ AC_MEMCPY(p, issuer_dn.bv_val, issuer_dn.bv_len);
+ p += issuer_dn.bv_len;
+
+ AC_MEMCPY(p, "\" }", STRLENOF( "\" }" ));
+ p += STRLENOF( "\" }" );
+
+ *p = '\0';
+
+ Debug( LDAP_DEBUG_TRACE, "certificateExactNormalize: %s\n",
+ normalized->bv_val, NULL, NULL );
+
+ rc = LDAP_SUCCESS;
+
+done:
+ if ( issuer_dn.bv_val ) ber_memfree( issuer_dn.bv_val );
+ if ( serial != serialbuf ) ber_memfree_x( serial, ctx );
+
+ return rc;
+}
+
+static int
+hexValidate(
+ Syntax *syntax,
+ struct berval *in )
+{
+ int i;
+
+ assert( in != NULL );
+ assert( !BER_BVISNULL( in ) );
+
+ for ( i = 0; i < in->bv_len; i++ ) {
+ if ( !ASCII_HEX( in->bv_val[ i ] ) ) {
+ return LDAP_INVALID_SYNTAX;
}
+ }
- if ( x.bv_len < STRLENOF("serialNumber 0,issuer \"\"")) {
+ return LDAP_SUCCESS;
+}
+
+/* Normalize a SID as used inside a CSN:
+ * three-digit numeric string */
+static int
+hexNormalize(
+ slap_mask_t usage,
+ Syntax *syntax,
+ MatchingRule *mr,
+ struct berval *val,
+ struct berval *normalized,
+ void *ctx )
+{
+ int i;
+
+ assert( val != NULL );
+ assert( normalized != NULL );
+
+ ber_dupbv_x( normalized, val, ctx );
+
+ for ( i = 0; i < normalized->bv_len; i++ ) {
+ if ( !ASCII_HEX( normalized->bv_val[ i ] ) ) {
+ ber_memfree_x( normalized->bv_val, ctx );
+ BER_BVZERO( normalized );
return LDAP_INVALID_SYNTAX;
}
- /* should be at issuer or serialNumber NamedValue */
- if( strncasecmp( x.bv_val, "issuer", STRLENOF("issuer")) == 0 ) {
- /* parse issuer */
- x.bv_val += STRLENOF("issuer");
- x.bv_len -= STRLENOF("issuer");
+ normalized->bv_val[ i ] = TOLOWER( normalized->bv_val[ i ] );
+ }
- if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
- x.bv_val++; x.bv_len--;
+ return LDAP_SUCCESS;
+}
- /* eat leading spaces */
- for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
- /* empty */;
- }
-
- if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
- x.bv_val++; x.bv_len--;
+static int
+sidValidate (
+ Syntax *syntax,
+ struct berval *in )
+{
+ assert( in != NULL );
+ assert( !BER_BVISNULL( in ) );
- i.bv_val = x.bv_val;
- i.bv_len = 0;
+ if ( in->bv_len != 3 ) {
+ return LDAP_INVALID_SYNTAX;
+ }
- for( ; i.bv_len < x.bv_len; ) {
- if ( i.bv_val[i.bv_len] != '"' ) {
- i.bv_len++;
- continue;
- }
- if ( i.bv_val[i.bv_len+1] == '"' ) {
- /* double dquote */
- i.bv_len+=2;
- continue;
- }
- break;
- }
- x.bv_val += i.bv_len+1;
- x.bv_len -= i.bv_len+1;
+ return hexValidate( NULL, in );
+}
- if ( x.bv_len < STRLENOF(",serialNumber 0")) {
- return LDAP_INVALID_SYNTAX;
- }
+/* Normalize a SID as used inside a CSN:
+ * three-digit numeric string */
+static int
+sidNormalize(
+ slap_mask_t usage,
+ Syntax *syntax,
+ MatchingRule *mr,
+ struct berval *val,
+ struct berval *normalized,
+ void *ctx )
+{
+ if ( val->bv_len != 3 ) {
+ return LDAP_INVALID_SYNTAX;
+ }
- haveissuer++;
+ return hexNormalize( 0, NULL, NULL, val, normalized, ctx );
+}
- } else if( strncasecmp( x.bv_val, "serialNumber",
- STRLENOF("serialNumber")) == 0 )
- {
- /* parse serialNumber */
- int neg=0;
- x.bv_val += STRLENOF("serialNumber");
- x.bv_len -= STRLENOF("serialNumber");
+static int
+sidPretty(
+ Syntax *syntax,
+ struct berval *val,
+ struct berval *out,
+ void *ctx )
+{
+ return sidNormalize( SLAP_MR_VALUE_OF_SYNTAX, NULL, NULL, val, out, ctx );
+}
- if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
- x.bv_val++; x.bv_len--;
+/* Normalize a SID as used inside a CSN, either as-is
+ * (assertion value) or extracted from the CSN
+ * (attribute value) */
+static int
+csnSidNormalize(
+ slap_mask_t usage,
+ Syntax *syntax,
+ MatchingRule *mr,
+ struct berval *val,
+ struct berval *normalized,
+ void *ctx )
+{
+ struct berval bv;
+ char *ptr,
+ buf[ 4 ];
- /* eat leading spaces */
- for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
- /* empty */;
- }
-
- sn.bv_val = x.bv_val;
- sn.bv_len = 0;
- if( sn.bv_val[0] == '-' ) {
- neg++;
- sn.bv_len++;
- }
+ if ( BER_BVISEMPTY( val ) ) {
+ return LDAP_INVALID_SYNTAX;
+ }
- for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) {
- if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break;
- }
+ if ( SLAP_MR_IS_VALUE_OF_ASSERTION_SYNTAX(usage) ) {
+ return sidNormalize( 0, NULL, NULL, val, normalized, ctx );
+ }
- if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX;
- if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) {
- return LDAP_INVALID_SYNTAX;
- }
+ assert( SLAP_MR_IS_VALUE_OF_ATTRIBUTE_SYNTAX(usage) != 0 );
- x.bv_val += sn.bv_len; x.bv_len -= sn.bv_len;
+ ptr = ber_bvchr( val, '#' );
+ if ( ptr == NULL || ptr - val->bv_val == val->bv_len ) {
+ return LDAP_INVALID_SYNTAX;
+ }
- if ( x.bv_len < STRLENOF( ",issuer \"\"" )) {
- return LDAP_INVALID_SYNTAX;
- }
+ bv.bv_val = ptr + 1;
+ bv.bv_len = val->bv_len - ( ptr + 1 - val->bv_val );
- havesn++;
+ ptr = ber_bvchr( &bv, '#' );
+ if ( ptr == NULL || ptr - val->bv_val == val->bv_len ) {
+ return LDAP_INVALID_SYNTAX;
+ }
- } else return LDAP_INVALID_SYNTAX;
+ bv.bv_val = ptr + 1;
+ bv.bv_len = val->bv_len - ( ptr + 1 - val->bv_val );
+
+ ptr = ber_bvchr( &bv, '#' );
+ if ( ptr == NULL || ptr - val->bv_val == val->bv_len ) {
+ return LDAP_INVALID_SYNTAX;
+ }
- if( x.bv_val[0] != ',' ) return LDAP_INVALID_SYNTAX;
- x.bv_val++; x.bv_len--;
+ bv.bv_len = ptr - bv.bv_val;
- /* eat spaces */
- for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
- /* empty */;
- }
+ if ( bv.bv_len == 2 ) {
+ /* OpenLDAP 2.3 SID */
+ buf[ 0 ] = '0';
+ buf[ 1 ] = bv.bv_val[ 0 ];
+ buf[ 2 ] = bv.bv_val[ 1 ];
+ buf[ 3 ] = '\0';
- /* should be at remaining NamedValue */
- if( !haveissuer && (strncasecmp( x.bv_val, "issuer",
- STRLENOF("issuer" )) == 0 ))
- {
- /* parse issuer */
- x.bv_val += STRLENOF("issuer");
- x.bv_len -= STRLENOF("issuer");
+ bv.bv_val = buf;
+ bv.bv_len = 3;
+ }
- if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
- x.bv_val++; x.bv_len--;
+ return sidNormalize( 0, NULL, NULL, &bv, normalized, ctx );
+}
- /* eat leading spaces */
- for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
- /* empty */;
- }
-
- if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
- x.bv_val++; x.bv_len--;
+static int
+csnValidate(
+ Syntax *syntax,
+ struct berval *in )
+{
+ struct berval bv;
+ char *ptr;
+ int rc;
- i.bv_val = x.bv_val;
- i.bv_len = 0;
+ assert( in != NULL );
+ assert( !BER_BVISNULL( in ) );
- for( ; i.bv_len < x.bv_len; ) {
- if ( i.bv_val[i.bv_len] != '"' ) {
- i.bv_len++;
- continue;
- }
- if ( i.bv_val[i.bv_len+1] == '"' ) {
- /* double dquote */
- i.bv_len+=2;
- continue;
- }
- break;
- }
- x.bv_val += i.bv_len+1;
- x.bv_len -= i.bv_len+1;
+ if ( BER_BVISEMPTY( in ) ) {
+ return LDAP_INVALID_SYNTAX;
+ }
- } else if( !havesn && (strncasecmp( x.bv_val, "serialNumber",
- STRLENOF("serialNumber")) == 0 ))
- {
- /* parse serialNumber */
- int neg=0;
- x.bv_val += STRLENOF("serialNumber");
- x.bv_len -= STRLENOF("serialNumber");
+ bv = *in;
- if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
- x.bv_val++; x.bv_len--;
+ ptr = ber_bvchr( &bv, '#' );
+ if ( ptr == NULL || ptr - bv.bv_val == bv.bv_len ) {
+ return LDAP_INVALID_SYNTAX;
+ }
- /* eat leading spaces */
- for( ; (x.bv_val[0] == ' ') && x.bv_len ; x.bv_val++, x.bv_len--) {
- /* empty */;
- }
-
- sn.bv_val = x.bv_val;
- sn.bv_len = 0;
+ bv.bv_len = ptr - bv.bv_val;
+ if ( bv.bv_len != STRLENOF( "YYYYmmddHHMMSS.uuuuuuZ" ) &&
+ bv.bv_len != STRLENOF( "YYYYmmddHHMMSSZ" ) )
+ {
+ return LDAP_INVALID_SYNTAX;
+ }
- if( sn.bv_val[0] == '-' ) {
- neg++;
- sn.bv_len++;
- }
+ rc = generalizedTimeValidate( NULL, &bv );
+ if ( rc != LDAP_SUCCESS ) {
+ return rc;
+ }
- for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) {
- if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break;
- }
+ bv.bv_val = ptr + 1;
+ bv.bv_len = in->bv_len - ( bv.bv_val - in->bv_val );
- if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX;
- if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) {
- return LDAP_INVALID_SYNTAX;
- }
+ ptr = ber_bvchr( &bv, '#' );
+ if ( ptr == NULL || ptr - in->bv_val == in->bv_len ) {
+ return LDAP_INVALID_SYNTAX;
+ }
- x.bv_val += sn.bv_len;
- x.bv_len -= sn.bv_len;
+ bv.bv_len = ptr - bv.bv_val;
+ if ( bv.bv_len != 6 ) {
+ return LDAP_INVALID_SYNTAX;
+ }
- } else return LDAP_INVALID_SYNTAX;
+ rc = hexValidate( NULL, &bv );
+ if ( rc != LDAP_SUCCESS ) {
+ return rc;
+ }
- /* eat trailing spaces */
- for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
- /* empty */;
- }
+ bv.bv_val = ptr + 1;
+ bv.bv_len = in->bv_len - ( bv.bv_val - in->bv_val );
- /* should have no characters left... */
- if( x.bv_len ) return LDAP_INVALID_SYNTAX;
+ ptr = ber_bvchr( &bv, '#' );
+ if ( ptr == NULL || ptr - in->bv_val == in->bv_len ) {
+ return LDAP_INVALID_SYNTAX;
+ }
- ber_dupbv_x( &ni, &i, ctx );
- i = ni;
+ bv.bv_len = ptr - bv.bv_val;
+ if ( bv.bv_len == 2 ) {
+ /* tolerate old 2-digit replica-id */
+ rc = hexValidate( NULL, &bv );
- /* need to handle double dquotes here */
+ } else {
+ rc = sidValidate( NULL, &bv );
+ }
+ if ( rc != LDAP_SUCCESS ) {
+ return rc;
}
- rc = dnNormalize( usage, syntax, mr, &i, &ni, ctx );
+ bv.bv_val = ptr + 1;
+ bv.bv_len = in->bv_len - ( bv.bv_val - in->bv_val );
- if( in->bv_val[0] == '{' && in->bv_val[in->bv_len-1] == '}' ) {
- slap_sl_free( i.bv_val, ctx );
+ if ( bv.bv_len != 6 ) {
+ return LDAP_INVALID_SYNTAX;
}
- if( rc ) return LDAP_INVALID_SYNTAX;
+ return hexValidate( NULL, &bv );
+}
- /* make room from sn + "$" */
- out->bv_len = STRLENOF( "{ serialNumber , issuer \"\" }" )
- + sn.bv_len + ni.bv_len;
- out->bv_val = slap_sl_malloc( out->bv_len + 1, ctx );
+/* Normalize a CSN in OpenLDAP 2.3 format */
+static int
+csnNormalize23(
+ slap_mask_t usage,
+ Syntax *syntax,
+ MatchingRule *mr,
+ struct berval *val,
+ struct berval *normalized,
+ void *ctx )
+{
+ struct berval gt, cnt, sid, mod;
+ char *ptr;
+ int i;
- if( out->bv_val == NULL ) {
- out->bv_len = 0;
- slap_sl_free( ni.bv_val, ctx );
- return LDAP_OTHER;
+ assert( SLAP_MR_IS_VALUE_OF_SYNTAX( usage ) != 0 );
+ assert( !BER_BVISEMPTY( val ) );
+
+ gt = *val;
+
+ ptr = ber_bvchr( >, '#' );
+ if ( ptr == NULL || ptr - gt.bv_val == gt.bv_len ) {
+ return LDAP_INVALID_SYNTAX;
}
- n = 0;
- AC_MEMCPY( &out->bv_val[n], "{ serialNumber ",
- STRLENOF( "{ serialNumber " ));
- n = STRLENOF( "{ serialNumber " );
+ gt.bv_len = ptr - gt.bv_val;
+ assert( gt.bv_len == STRLENOF( "YYYYmmddHHMMSSZ" ) );
- AC_MEMCPY( &out->bv_val[n], sn.bv_val, sn.bv_len );
- n += sn.bv_len;
+ cnt.bv_val = ptr + 1;
+ cnt.bv_len = val->bv_len - ( cnt.bv_val - val->bv_val );
+
+ ptr = ber_bvchr( &cnt, '#' );
+ if ( ptr == NULL || ptr - val->bv_val == val->bv_len ) {
+ return LDAP_INVALID_SYNTAX;
+ }
- AC_MEMCPY( &out->bv_val[n], ", issuer \"", STRLENOF( ", issuer \"" ));
- n += STRLENOF( ", issuer \"" );
+ cnt.bv_len = ptr - cnt.bv_val;
+ assert( cnt.bv_len == STRLENOF( "000000" ) );
- AC_MEMCPY( &out->bv_val[n], ni.bv_val, ni.bv_len );
- n += ni.bv_len;
+ sid.bv_val = ptr + 1;
+ sid.bv_len = val->bv_len - ( sid.bv_val - val->bv_val );
+
+ ptr = ber_bvchr( &sid, '#' );
+ if ( ptr == NULL || ptr - val->bv_val == val->bv_len ) {
+ return LDAP_INVALID_SYNTAX;
+ }
- AC_MEMCPY( &out->bv_val[n], "\" }", STRLENOF( "\" }" ));
- n += STRLENOF( "\" }" );
+ sid.bv_len = ptr - sid.bv_val;
+ assert( sid.bv_len == STRLENOF( "00" ) );
- out->bv_val[n] = '\0';
+ mod.bv_val = ptr + 1;
+ mod.bv_len = val->bv_len - ( mod.bv_val - val->bv_val );
+ assert( mod.bv_len == STRLENOF( "000000" ) );
- assert( n == out->bv_len );
+ normalized->bv_len = STRLENOF( "YYYYmmddHHMMSS.uuuuuuZ#SSSSSS#SID#ssssss" );
+ normalized->bv_val = ber_memalloc_x( normalized->bv_len + 1, ctx );
- Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerNormalize: <%s>\n",
- out->bv_val, 0, 0 );
+ ptr = normalized->bv_val;
+ ptr = lutil_strncopy( ptr, gt.bv_val, gt.bv_len - 1 );
+ ptr = lutil_strcopy( ptr, ".000000Z#" );
+ ptr = lutil_strncopy( ptr, cnt.bv_val, cnt.bv_len );
+ *ptr++ = '#';
+ *ptr++ = '0';
+ for ( i = 0; i < sid.bv_len; i++ ) {
+ *ptr++ = TOLOWER( sid.bv_val[ i ] );
+ }
+ *ptr++ = '#';
+ for ( i = 0; i < mod.bv_len; i++ ) {
+ *ptr++ = TOLOWER( mod.bv_val[ i ] );
+ }
+ *ptr = '\0';
- slap_sl_free( ni.bv_val, ctx );
+ assert( ptr - normalized->bv_val == normalized->bv_len );
return LDAP_SUCCESS;
}
+/* Normalize a CSN */
static int
-certificateExactNormalize(
+csnNormalize(
slap_mask_t usage,
Syntax *syntax,
MatchingRule *mr,
struct berval *normalized,
void *ctx )
{
- BerElementBuffer berbuf;
- BerElement *ber = (BerElement *)&berbuf;
- ber_tag_t tag;
- ber_len_t len;
- ber_int_t i;
- char serial[64];
- ber_len_t seriallen;
- struct berval issuer_dn = BER_BVNULL, bvdn;
- unsigned char *p;
- int rc = LDAP_INVALID_SYNTAX;
+ struct berval cnt, sid, mod;
+ char *ptr;
+ int i;
- if( BER_BVISEMPTY( val ) ) goto done;
+ assert( val != NULL );
+ assert( normalized != NULL );
- if( SLAP_MR_IS_VALUE_OF_ASSERTION_SYNTAX(usage) ) {
- return serialNumberAndIssuerNormalize(0,NULL,NULL,val,normalized,ctx);
- }
+ assert( SLAP_MR_IS_VALUE_OF_SYNTAX( usage ) != 0 );
- assert( SLAP_MR_IS_VALUE_OF_ATTRIBUTE_SYNTAX(usage) != 0 );
+ if ( BER_BVISEMPTY( val ) ) {
+ return LDAP_INVALID_SYNTAX;
+ }
- ber_init2( ber, val, LBER_USE_DER );
- tag = ber_skip_tag( ber, &len ); /* Signed Sequence */
- tag = ber_skip_tag( ber, &len ); /* Sequence */
- tag = ber_skip_tag( ber, &len ); /* Optional version? */
- if ( tag == 0xa0 )
- tag = ber_get_int( ber, &i ); /* version */
- ber_get_int( ber, &i ); /* serial */
+ if ( val->bv_len == STRLENOF( "YYYYmmddHHMMSSZ#SSSSSS#ID#ssssss" ) ) {
+ /* Openldap <= 2.3 */
- seriallen = snprintf( serial, sizeof(serial), "%d", i );
- tag = ber_skip_tag( ber, &len ); /* SignatureAlg */
- ber_skip_data( ber, len );
- tag = ber_peek_tag( ber, &len ); /* IssuerDN */
- len = ber_ptrlen( ber );
- bvdn.bv_val = val->bv_val + len;
- bvdn.bv_len = val->bv_len - len;
+ return csnNormalize23( usage, syntax, mr, val, normalized, ctx );
+ }
- rc = dnX509normalize( &bvdn, &issuer_dn );
- if( rc != LDAP_SUCCESS ) goto done;
+ assert( val->bv_len == STRLENOF( "YYYYmmddHHMMSS.uuuuuuZ#SSSSSS#SID#ssssss" ) );
- normalized->bv_len = STRLENOF( "{ serialNumber , issuer \"\" }" )
- + seriallen + issuer_dn.bv_len;
- normalized->bv_val = ch_malloc(normalized->bv_len+1);
+ ptr = ber_bvchr( val, '#' );
+ if ( ptr == NULL || ptr - val->bv_val == val->bv_len ) {
+ return LDAP_INVALID_SYNTAX;
+ }
- p = (unsigned char *)normalized->bv_val;
+ assert( ptr - val->bv_val == STRLENOF( "YYYYmmddHHMMSS.uuuuuuZ" ) );
- AC_MEMCPY(p, "{ serialNumber ", STRLENOF( "{ serialNumber " ));
- p += STRLENOF( "{ serialNumber " );
+ cnt.bv_val = ptr + 1;
+ cnt.bv_len = val->bv_len - ( cnt.bv_val - val->bv_val );
- AC_MEMCPY(p, serial, seriallen);
- p += seriallen;
+ ptr = ber_bvchr( &cnt, '#' );
+ if ( ptr == NULL || ptr - val->bv_val == val->bv_len ) {
+ return LDAP_INVALID_SYNTAX;
+ }
- AC_MEMCPY(p, ", issuer \"", STRLENOF( ", issuer \"" ));
- p += STRLENOF( ", issuer \"" );
+ assert( ptr - cnt.bv_val == STRLENOF( "000000" ) );
- AC_MEMCPY(p, issuer_dn.bv_val, issuer_dn.bv_len);
- p += issuer_dn.bv_len;
+ sid.bv_val = ptr + 1;
+ sid.bv_len = val->bv_len - ( sid.bv_val - val->bv_val );
+
+ ptr = ber_bvchr( &sid, '#' );
+ if ( ptr == NULL || ptr - val->bv_val == val->bv_len ) {
+ return LDAP_INVALID_SYNTAX;
+ }
- AC_MEMCPY(p, "\" }", STRLENOF( "\" }" ));
- p += STRLENOF( "\" }" );
+ sid.bv_len = ptr - sid.bv_val;
+ assert( sid.bv_len == STRLENOF( "000" ) );
- *p = '\0';
+ mod.bv_val = ptr + 1;
+ mod.bv_len = val->bv_len - ( mod.bv_val - val->bv_val );
- Debug( LDAP_DEBUG_TRACE, "certificateExactNormalize: %s\n",
- normalized->bv_val, NULL, NULL );
+ assert( mod.bv_len == STRLENOF( "000000" ) );
- rc = LDAP_SUCCESS;
+ ber_dupbv_x( normalized, val, ctx );
-done:
- if (issuer_dn.bv_val) ber_memfree(issuer_dn.bv_val);
+ for ( i = STRLENOF( "YYYYmmddHHMMSS.uuuuuuZ#SSSSSS#" );
+ i < normalized->bv_len; i++ )
+ {
+ /* assume it's already validated that's all hex digits */
+ normalized->bv_val[ i ] = TOLOWER( normalized->bv_val[ i ] );
+ }
- return rc;
+ return LDAP_SUCCESS;
}
+static int
+csnPretty(
+ Syntax *syntax,
+ struct berval *val,
+ struct berval *out,
+ void *ctx )
+{
+ return csnNormalize( SLAP_MR_VALUE_OF_SYNTAX, NULL, NULL, val, out, ctx );
+}
#ifndef SUPPORT_OBSOLETE_UTC_SYNTAX
/* slight optimization - does not need the start parameter */
{"( 1.3.6.1.4.1.1466.115.121.1.9 DESC 'Certificate List' "
X_BINARY X_NOT_H_R ")",
SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER,
- NULL, sequenceValidate, NULL},
+ NULL, certificateListValidate, NULL},
{"( 1.3.6.1.4.1.1466.115.121.1.10 DESC 'Certificate Pair' "
X_BINARY X_NOT_H_R ")",
SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER,
0, NULL, UUIDValidate, UUIDPretty},
{"( 1.3.6.1.4.1.4203.666.11.2.1 DESC 'CSN' )",
- SLAP_SYNTAX_HIDE, NULL, csnValidate, NULL},
+ SLAP_SYNTAX_HIDE, NULL, csnValidate, csnPretty },
+
+ {"( 1.3.6.1.4.1.4203.666.11.2.4 DESC 'CSN SID' )",
+ SLAP_SYNTAX_HIDE, NULL, sidValidate, sidPretty },
/* OpenLDAP Void Syntax */
{"( 1.3.6.1.4.1.4203.1.1.1 DESC 'OpenLDAP void' )" ,
{NULL, 0, NULL, NULL, NULL}
};
+char *csnSIDMatchSyntaxes[] = {
+ "1.3.6.1.4.1.4203.666.11.2.1" /* csn */,
+ NULL
+};
char *certificateExactMatchSyntaxes[] = {
"1.3.6.1.4.1.1466.115.121.1.8" /* certificate */,
NULL
{"( 2.5.13.14 NAME 'integerMatch' "
"SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )",
- SLAP_MR_EQUALITY | SLAP_MR_EXT, NULL,
+ SLAP_MR_EQUALITY | SLAP_MR_EXT | SLAP_MR_ORDERED_INDEX, NULL,
NULL, NULL, integerMatch,
- octetStringIndexer, octetStringFilter,
+ integerIndexer, integerFilter,
NULL },
{"( 2.5.13.15 NAME 'integerOrderingMatch' "
"SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )",
- SLAP_MR_ORDERING, NULL,
+ SLAP_MR_ORDERING | SLAP_MR_ORDERED_INDEX, NULL,
NULL, NULL, integerMatch,
NULL, NULL,
"integerMatch" },
{"( 2.5.13.34 NAME 'certificateExactMatch' "
"SYNTAX 1.3.6.1.1.15.1 )",
SLAP_MR_EQUALITY | SLAP_MR_EXT, certificateExactMatchSyntaxes,
-#ifdef HAVE_TLS
NULL, certificateExactNormalize, octetStringMatch,
octetStringIndexer, octetStringFilter,
-#else
- NULL, NULL, NULL, NULL, NULL,
-#endif
NULL },
{"( 2.5.13.35 NAME 'certificateMatch' "
{"( 1.3.6.1.4.1.4203.666.11.2.2 NAME 'CSNMatch' "
"SYNTAX 1.3.6.1.4.1.4203.666.11.2.1 )",
SLAP_MR_HIDE | SLAP_MR_EQUALITY | SLAP_MR_ORDERED_INDEX, NULL,
- NULL, NULL, csnMatch,
+ NULL, csnNormalize, csnMatch,
csnIndexer, csnFilter,
NULL},
NULL, NULL,
"CSNMatch" },
+ {"( 1.3.6.1.4.1.4203.666.11.2.5 NAME 'CSNSIDMatch' "
+ "SYNTAX 1.3.6.1.4.1.4203.666.11.2.4 )",
+ SLAP_MR_HIDE | SLAP_MR_EQUALITY | SLAP_MR_EXT, csnSIDMatchSyntaxes,
+ NULL, csnSidNormalize, octetStringMatch,
+ octetStringIndexer, octetStringFilter,
+ NULL },
+
/* FIXME: OID is unused, but not registered yet */
{"( 1.3.6.1.4.1.4203.666.4.12 NAME 'authzMatch' "
"SYNTAX 1.3.6.1.4.1.4203.666.2.7 )",
projects / openldap / blobdiff