From 4c64b8626d5b2b26256446dbc29f63ab45b5ec1d Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Fri, 3 Mar 2006 04:54:49 +0000 Subject: [PATCH] Add support for GSER-encoded certificateExactAsssertion values --- servers/slapd/schema_init.c | 824 +++++++++++++++++++++++++++--- tests/data/certificate.tls | 103 ++-- tests/scripts/test021-certificate | 25 +- 3 files changed, 828 insertions(+), 124 deletions(-) diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c index e0a0600542..9b46a5ef93 100644 --- a/servers/slapd/schema_init.c +++ b/servers/slapd/schema_init.c @@ -2101,7 +2101,8 @@ IA5StringNormalize( void *ctx ) { char *p, *q; - int casefold = !SLAP_MR_ASSOCIATED(mr, slap_schema.si_mr_caseExactIA5Match); + int casefold = !SLAP_MR_ASSOCIATED( mr, + slap_schema.si_mr_caseExactIA5Match ); assert( !BER_BVISEMPTY( val ) ); @@ -2437,94 +2438,522 @@ serialNumberAndIssuerValidate( int rc; ber_len_t n; struct berval sn, i; + + Debug( LDAP_DEBUG_TRACE, ">>> serialNumberAndIssuerValidate: <%s>\n", + in->bv_val, 0, 0 ); + if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX; - i.bv_val = ber_bvchr( in, '$' ); - if( BER_BVISNULL( &i ) ) return LDAP_INVALID_SYNTAX; + if( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) { + /* Parse old format */ + i.bv_val = ber_bvchr( in, '$' ); + if( BER_BVISNULL( &i ) ) return LDAP_INVALID_SYNTAX; + + sn.bv_val = in->bv_val; + sn.bv_len = i.bv_val - in->bv_val; + + i.bv_val++; + i.bv_len = in->bv_len - (sn.bv_len + 1); + + /* eat leading zeros */ + for( n=0; n < (sn.bv_len-1); n++ ) { + if( sn.bv_val[n] != '0' ) break; + } + sn.bv_val += n; + sn.bv_len -= n; + + for( n=0; n < sn.bv_len; n++ ) { + if( !ASCII_DIGIT(sn.bv_val[n]) ) return LDAP_INVALID_SYNTAX; + } + + } else { + /* Parse GSER format */ + int havesn=0,haveissuer=0; + struct berval x = *in; + x.bv_val++; + x.bv_len-=2; + + /* eat leading spaces */ + for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) { + /* empty */; + } + + if ( x.bv_len < STRLENOF("serialNumber 0,issuer \"\"")) { + return LDAP_INVALID_SYNTAX; + } + + /* should be at issuer or serialNumber NamedValue */ + if( strncasecmp( x.bv_val, "issuer", STRLENOF("issuer")) == 0 ) { + /* parse issuer */ + x.bv_val += STRLENOF("issuer"); + x.bv_len -= STRLENOF("issuer"); + + if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX; + x.bv_val++; x.bv_len--; + + /* eat leading spaces */ + for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) { + /* empty */; + } + + if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX; + x.bv_val++; x.bv_len--; + + i.bv_val = x.bv_val; + i.bv_len = 0; + + for( ; i.bv_len < x.bv_len; ) { + if ( i.bv_val[i.bv_len] != '"' ) { + i.bv_len++; + continue; + } + if ( i.bv_val[i.bv_len+1] == '"' ) { + /* double dquote */ + i.bv_len+=2; + continue; + } + break; + } + x.bv_val += i.bv_len+1; + x.bv_len -= i.bv_len+1; + + if ( x.bv_len < STRLENOF(",serialNumber 0")) { + return LDAP_INVALID_SYNTAX; + } + + haveissuer++; + + } else if( strncasecmp( x.bv_val, "serialNumber", + STRLENOF("serialNumber")) == 0 ) + { + /* parse serialNumber */ + int neg=0; + x.bv_val += STRLENOF("serialNumber"); + x.bv_len -= STRLENOF("serialNumber"); + + if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX; + x.bv_val++; x.bv_len--; + + /* eat leading spaces */ + for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) { + /* empty */; + } + + sn.bv_val = x.bv_val; + sn.bv_len = 0; + + if( sn.bv_val[0] == '-' ) { + neg++; + sn.bv_len++; + } + + for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) { + if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break; + } + + if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX; + if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) { + return LDAP_INVALID_SYNTAX; + } + + x.bv_val += sn.bv_len; x.bv_len -= sn.bv_len; - sn.bv_val = in->bv_val; - sn.bv_len = i.bv_val - in->bv_val; + if ( x.bv_len < STRLENOF( ",issuer \"\"" )) { + return LDAP_INVALID_SYNTAX; + } - i.bv_val++; - i.bv_len = in->bv_len - (sn.bv_len + 1); + havesn++; + + } else return LDAP_INVALID_SYNTAX; + + if( x.bv_val[0] != ',' ) return LDAP_INVALID_SYNTAX; + x.bv_val++; x.bv_len--; + + /* eat spaces */ + for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) { + /* empty */; + } + + /* should be at remaining NamedValue */ + if( !haveissuer && (strncasecmp( x.bv_val, "issuer", + STRLENOF("issuer" )) == 0 )) + { + /* parse issuer */ + x.bv_val += STRLENOF("issuer"); + x.bv_len -= STRLENOF("issuer"); + + if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX; + x.bv_val++; x.bv_len--; + + /* eat leading spaces */ + for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) { + /* empty */; + } + + if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX; + x.bv_val++; x.bv_len--; + + i.bv_val = x.bv_val; + i.bv_len = 0; + + for( ; i.bv_len < x.bv_len; ) { + if ( i.bv_val[i.bv_len] != '"' ) { + i.bv_len++; + continue; + } + if ( i.bv_val[i.bv_len+1] == '"' ) { + /* double dquote */ + i.bv_len+=2; + continue; + } + break; + } + x.bv_val += i.bv_len+1; + x.bv_len -= i.bv_len+1; + + } else if( !havesn && (strncasecmp( x.bv_val, "serialNumber", + STRLENOF("serialNumber")) == 0 )) + { + /* parse serialNumber */ + int neg=0; + x.bv_val += STRLENOF("serialNumber"); + x.bv_len -= STRLENOF("serialNumber"); + + if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX; + x.bv_val++; x.bv_len--; + + /* eat leading spaces */ + for( ; (x.bv_val[0] == ' ') && x.bv_len ; x.bv_val++, x.bv_len--) { + /* empty */; + } + + if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX; + x.bv_val++; x.bv_len--; + + sn.bv_val = x.bv_val; + sn.bv_len = 0; + + if( sn.bv_val[0] == '-' ) { + neg++; + sn.bv_len++; + } - /* validate serial number (strict for now) */ - for( n=0; n < sn.bv_len; n++ ) { - if( !ASCII_DIGIT(sn.bv_val[n]) ) return LDAP_INVALID_SYNTAX; + for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) { + if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break; + } + + if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX; + if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) { + return LDAP_INVALID_SYNTAX; + } + + x.bv_val += sn.bv_len; + x.bv_len -= sn.bv_len; + + } else return LDAP_INVALID_SYNTAX; + + /* eat trailing spaces */ + for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) { + /* empty */; + } + + /* should have no characters left... */ + if( x.bv_len ) return LDAP_INVALID_SYNTAX; } - /* validate DN */ + /* validate DN -- doesn't handle double dquote */ rc = dnValidate( NULL, &i ); if( rc ) return LDAP_INVALID_SYNTAX; + Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerValidate: OKAY\n", + in->bv_val, 0, 0 ); return LDAP_SUCCESS; } int serialNumberAndIssuerPretty( Syntax *syntax, - struct berval *val, + struct berval *in, struct berval *out, void *ctx ) { int rc; ber_len_t n; - struct berval sn, i, newi; + struct berval sn, i, ni; - assert( val != NULL ); + assert( in != NULL ); assert( out != NULL ); Debug( LDAP_DEBUG_TRACE, ">>> serialNumberAndIssuerPretty: <%s>\n", - val->bv_val, 0, 0 ); + in->bv_val, 0, 0 ); - if( val->bv_len < 3 ) return LDAP_INVALID_SYNTAX; + if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX; + + if( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) { + /* Parse old format */ + i.bv_val = ber_bvchr( in, '$' ); + if( BER_BVISNULL( &i ) ) return LDAP_INVALID_SYNTAX; + + sn.bv_val = in->bv_val; + sn.bv_len = i.bv_val - in->bv_val; + + i.bv_val++; + i.bv_len = in->bv_len - (sn.bv_len + 1); + + /* eat leading zeros */ + for( n=0; n < (sn.bv_len-1); n++ ) { + if( sn.bv_val[n] != '0' ) break; + } + sn.bv_val += n; + sn.bv_len -= n; + + for( n=0; n < sn.bv_len; n++ ) { + if( !ASCII_DIGIT(sn.bv_val[n]) ) return LDAP_INVALID_SYNTAX; + } + + } else { + /* Parse GSER format */ + int havesn=0,haveissuer=0; + struct berval x = *in; + x.bv_val++; + x.bv_len-=2; + + /* eat leading spaces */ + for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) { + /* empty */; + } + + if ( x.bv_len < STRLENOF("serialNumber 0,issuer \"\"")) { + return LDAP_INVALID_SYNTAX; + } + + /* should be at issuer or serialNumber NamedValue */ + if( strncasecmp( x.bv_val, "issuer", STRLENOF("issuer")) == 0 ) { + /* parse issuer */ + x.bv_val += STRLENOF("issuer"); + x.bv_len -= STRLENOF("issuer"); + + if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX; + x.bv_val++; x.bv_len--; + + /* eat leading spaces */ + for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) { + /* empty */; + } + + if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX; + x.bv_val++; x.bv_len--; + + i.bv_val = x.bv_val; + i.bv_len = 0; + + for( ; i.bv_len < x.bv_len; ) { + if ( i.bv_val[i.bv_len] != '"' ) { + i.bv_len++; + continue; + } + if ( i.bv_val[i.bv_len+1] == '"' ) { + /* double dquote */ + i.bv_len+=2; + continue; + } + break; + } + x.bv_val += i.bv_len+1; + x.bv_len -= i.bv_len+1; + + if ( x.bv_len < STRLENOF(",serialNumber 0")) { + return LDAP_INVALID_SYNTAX; + } + + haveissuer++; + + } else if( strncasecmp( x.bv_val, "serialNumber", + STRLENOF("serialNumber")) == 0 ) + { + /* parse serialNumber */ + int neg=0; + x.bv_val += STRLENOF("serialNumber"); + x.bv_len -= STRLENOF("serialNumber"); + + if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX; + x.bv_val++; x.bv_len--; + + /* eat leading spaces */ + for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) { + /* empty */; + } + + sn.bv_val = x.bv_val; + sn.bv_len = 0; + + if( sn.bv_val[0] == '-' ) { + neg++; + sn.bv_len++; + } + + for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) { + if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break; + } + + if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX; + if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) { + return LDAP_INVALID_SYNTAX; + } + + x.bv_val += sn.bv_len; x.bv_len -= sn.bv_len; + + if ( x.bv_len < STRLENOF( ",issuer \"\"" )) { + return LDAP_INVALID_SYNTAX; + } + + havesn++; + + } else return LDAP_INVALID_SYNTAX; + + if( x.bv_val[0] != ',' ) return LDAP_INVALID_SYNTAX; + x.bv_val++; x.bv_len--; + + /* eat spaces */ + for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) { + /* empty */; + } + + /* should be at remaining NamedValue */ + if( !haveissuer && (strncasecmp( x.bv_val, "issuer", + STRLENOF("issuer" )) == 0 )) + { + /* parse issuer */ + x.bv_val += STRLENOF("issuer"); + x.bv_len -= STRLENOF("issuer"); + + if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX; + x.bv_val++; x.bv_len--; + + /* eat leading spaces */ + for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) { + /* empty */; + } + + if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX; + x.bv_val++; x.bv_len--; - i.bv_val = ber_bvchr( val, '$' ); - if( BER_BVISNULL( &i ) ) return LDAP_INVALID_SYNTAX; + i.bv_val = x.bv_val; + i.bv_len = 0; - sn.bv_val = val->bv_val; - sn.bv_len = i.bv_val - val->bv_val; + for( ; i.bv_len < x.bv_len; ) { + if ( i.bv_val[i.bv_len] != '"' ) { + i.bv_len++; + continue; + } + if ( i.bv_val[i.bv_len+1] == '"' ) { + /* double dquote */ + i.bv_len+=2; + continue; + } + break; + } + x.bv_val += i.bv_len+1; + x.bv_len -= i.bv_len+1; + + } else if( !havesn && (strncasecmp( x.bv_val, "serialNumber", + STRLENOF("serialNumber")) == 0 )) + { + /* parse serialNumber */ + int neg=0; + x.bv_val += STRLENOF("serialNumber"); + x.bv_len -= STRLENOF("serialNumber"); + + if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX; + x.bv_val++; x.bv_len--; + + /* eat leading spaces */ + for( ; (x.bv_val[0] == ' ') && x.bv_len ; x.bv_val++, x.bv_len--) { + /* empty */; + } + + sn.bv_val = x.bv_val; + sn.bv_len = 0; + + if( sn.bv_val[0] == '-' ) { + neg++; + sn.bv_len++; + } + + for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) { + if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break; + } + + if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX; + if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) { + return LDAP_INVALID_SYNTAX; + } - i.bv_val++; - i.bv_len = val->bv_len - (sn.bv_len + 1); + x.bv_val += sn.bv_len; + x.bv_len -= sn.bv_len; - /* eat leading zeros */ - for( n=0; n < (sn.bv_len-1); n++ ) { - if( sn.bv_val[n] != '0' ) break; + } else return LDAP_INVALID_SYNTAX; + + /* eat trailing spaces */ + for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) { + /* empty */; + } + + /* should have no characters left... */ + if( x.bv_len ) return LDAP_INVALID_SYNTAX; + + ber_dupbv_x( &ni, &i, ctx ); + i = ni; + + /* need to handle double dquotes here */ } - sn.bv_val += n; - sn.bv_len -= n; - for( n=0; n < sn.bv_len; n++ ) { - if( !ASCII_DIGIT(sn.bv_val[n]) ) return LDAP_INVALID_SYNTAX; + rc = dnPretty( syntax, &i, &ni, ctx ); + + if( in->bv_val[0] == '{' && in->bv_val[in->bv_len-1] == '}' ) { + slap_sl_free( i.bv_val, ctx ); } - /* pretty DN */ - rc = dnPretty( syntax, &i, &newi, ctx ); if( rc ) return LDAP_INVALID_SYNTAX; /* make room from sn + "$" */ - out->bv_len = sn.bv_len + newi.bv_len + 1; - out->bv_val = slap_sl_realloc( newi.bv_val, out->bv_len + 1, ctx ); + out->bv_len = STRLENOF("{ serialNumber , issuer \"\" }") + + sn.bv_len + ni.bv_len; + out->bv_val = slap_sl_malloc( out->bv_len + 1, ctx ); if( out->bv_val == NULL ) { out->bv_len = 0; - slap_sl_free( newi.bv_val, ctx ); + slap_sl_free( ni.bv_val, ctx ); return LDAP_OTHER; } - /* push issuer over */ - AC_MEMCPY( &out->bv_val[sn.bv_len+1], out->bv_val, newi.bv_len ); - /* insert sn and "$" */ - AC_MEMCPY( out->bv_val, sn.bv_val, sn.bv_len ); - out->bv_val[sn.bv_len] = '$'; - /* terminate */ - out->bv_val[out->bv_len] = '\0'; + n = 0; + AC_MEMCPY( &out->bv_val[n], "{ serialNumber ", + STRLENOF("{ serialNumber ")); + n = STRLENOF("{ serialNumber "); + + AC_MEMCPY( &out->bv_val[n], sn.bv_val, sn.bv_len ); + n += sn.bv_len; + + AC_MEMCPY( &out->bv_val[n], ", issuer \"", STRLENOF(", issuer \"")); + n += STRLENOF(", issuer \""); + + AC_MEMCPY( &out->bv_val[n], ni.bv_val, ni.bv_len ); + n += ni.bv_len; + + AC_MEMCPY( &out->bv_val[n], "\" }", STRLENOF("\" }")); + n += STRLENOF("\" }"); + + out->bv_val[n] = '\0'; + + assert( n == out->bv_len ); Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerPretty: <%s>\n", out->bv_val, 0, 0 ); - return LDAP_SUCCESS; + slap_sl_free( ni.bv_val, ctx ); + + return LDAP_SUCCESS; } /* @@ -2538,70 +2967,287 @@ serialNumberAndIssuerNormalize( slap_mask_t usage, Syntax *syntax, MatchingRule *mr, - struct berval *val, + struct berval *in, struct berval *out, void *ctx ) { int rc; ber_len_t n; - struct berval sn, i, newi; + struct berval sn, i, ni; - assert( val != NULL ); + assert( in != NULL ); assert( out != NULL ); Debug( LDAP_DEBUG_TRACE, ">>> serialNumberAndIssuerNormalize: <%s>\n", - val->bv_val, 0, 0 ); + in->bv_val, 0, 0 ); - if( val->bv_len < 3 ) return LDAP_INVALID_SYNTAX; + if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX; - i.bv_val = ber_bvchr( val, '$' ); - if( BER_BVISNULL( &i ) ) return LDAP_INVALID_SYNTAX; + if( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) { + /* Parse old format */ + i.bv_val = ber_bvchr( in, '$' ); + if( BER_BVISNULL( &i ) ) return LDAP_INVALID_SYNTAX; - sn.bv_val = val->bv_val; - sn.bv_len = i.bv_val - val->bv_val; + sn.bv_val = in->bv_val; + sn.bv_len = i.bv_val - in->bv_val; - i.bv_val++; - i.bv_len = val->bv_len - (sn.bv_len + 1); + i.bv_val++; + i.bv_len = in->bv_len - (sn.bv_len + 1); - /* eat leading zeros */ - for( n=0; n < (sn.bv_len-1); n++ ) { - if( sn.bv_val[n] != '0' ) break; - } - sn.bv_val += n; - sn.bv_len -= n; + /* eat leading zeros */ + for( n=0; n < (sn.bv_len-1); n++ ) { + if( sn.bv_val[n] != '0' ) break; + } + sn.bv_val += n; + sn.bv_len -= n; + + for( n=0; n < sn.bv_len; n++ ) { + if( !ASCII_DIGIT(sn.bv_val[n]) ) return LDAP_INVALID_SYNTAX; + } + + } else { + /* Parse GSER format */ + int havesn=0,haveissuer=0; + struct berval x = *in; + x.bv_val++; + x.bv_len-=2; + + /* eat leading spaces */ + for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) { + /* empty */; + } - for( n=0; n < sn.bv_len; n++ ) { - if( !ASCII_DIGIT(sn.bv_val[n]) ) { + if ( x.bv_len < STRLENOF("serialNumber 0,issuer \"\"")) { return LDAP_INVALID_SYNTAX; } + + /* should be at issuer or serialNumber NamedValue */ + if( strncasecmp( x.bv_val, "issuer", STRLENOF("issuer")) == 0 ) { + /* parse issuer */ + x.bv_val += STRLENOF("issuer"); + x.bv_len -= STRLENOF("issuer"); + + if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX; + x.bv_val++; x.bv_len--; + + /* eat leading spaces */ + for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) { + /* empty */; + } + + if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX; + x.bv_val++; x.bv_len--; + + i.bv_val = x.bv_val; + i.bv_len = 0; + + for( ; i.bv_len < x.bv_len; ) { + if ( i.bv_val[i.bv_len] != '"' ) { + i.bv_len++; + continue; + } + if ( i.bv_val[i.bv_len+1] == '"' ) { + /* double dquote */ + i.bv_len+=2; + continue; + } + break; + } + x.bv_val += i.bv_len+1; + x.bv_len -= i.bv_len+1; + + if ( x.bv_len < STRLENOF(",serialNumber 0")) { + return LDAP_INVALID_SYNTAX; + } + + haveissuer++; + + } else if( strncasecmp( x.bv_val, "serialNumber", + STRLENOF("serialNumber")) == 0 ) + { + /* parse serialNumber */ + int neg=0; + x.bv_val += STRLENOF("serialNumber"); + x.bv_len -= STRLENOF("serialNumber"); + + if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX; + x.bv_val++; x.bv_len--; + + /* eat leading spaces */ + for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) { + /* empty */; + } + + sn.bv_val = x.bv_val; + sn.bv_len = 0; + + if( sn.bv_val[0] == '-' ) { + neg++; + sn.bv_len++; + } + + for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) { + if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break; + } + + if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX; + if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) { + return LDAP_INVALID_SYNTAX; + } + + x.bv_val += sn.bv_len; x.bv_len -= sn.bv_len; + + if ( x.bv_len < STRLENOF( ",issuer \"\"" )) { + return LDAP_INVALID_SYNTAX; + } + + havesn++; + + } else return LDAP_INVALID_SYNTAX; + + if( x.bv_val[0] != ',' ) return LDAP_INVALID_SYNTAX; + x.bv_val++; x.bv_len--; + + /* eat spaces */ + for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) { + /* empty */; + } + + /* should be at remaining NamedValue */ + if( !haveissuer && (strncasecmp( x.bv_val, "issuer", + STRLENOF("issuer" )) == 0 )) + { + /* parse issuer */ + x.bv_val += STRLENOF("issuer"); + x.bv_len -= STRLENOF("issuer"); + + if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX; + x.bv_val++; x.bv_len--; + + /* eat leading spaces */ + for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) { + /* empty */; + } + + if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX; + x.bv_val++; x.bv_len--; + + i.bv_val = x.bv_val; + i.bv_len = 0; + + for( ; i.bv_len < x.bv_len; ) { + if ( i.bv_val[i.bv_len] != '"' ) { + i.bv_len++; + continue; + } + if ( i.bv_val[i.bv_len+1] == '"' ) { + /* double dquote */ + i.bv_len+=2; + continue; + } + break; + } + x.bv_val += i.bv_len+1; + x.bv_len -= i.bv_len+1; + + } else if( !havesn && (strncasecmp( x.bv_val, "serialNumber", + STRLENOF("serialNumber")) == 0 )) + { + /* parse serialNumber */ + int neg=0; + x.bv_val += STRLENOF("serialNumber"); + x.bv_len -= STRLENOF("serialNumber"); + + if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX; + x.bv_val++; x.bv_len--; + + /* eat leading spaces */ + for( ; (x.bv_val[0] == ' ') && x.bv_len ; x.bv_val++, x.bv_len--) { + /* empty */; + } + + sn.bv_val = x.bv_val; + sn.bv_len = 0; + + if( sn.bv_val[0] == '-' ) { + neg++; + sn.bv_len++; + } + + for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) { + if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break; + } + + if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX; + if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) { + return LDAP_INVALID_SYNTAX; + } + + x.bv_val += sn.bv_len; + x.bv_len -= sn.bv_len; + + } else return LDAP_INVALID_SYNTAX; + + /* eat trailing spaces */ + for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) { + /* empty */; + } + + /* should have no characters left... */ + if( x.bv_len ) return LDAP_INVALID_SYNTAX; + + ber_dupbv_x( &ni, &i, ctx ); + i = ni; + + /* need to handle double dquotes here */ + } + + rc = dnNormalize( usage, syntax, mr, &i, &ni, ctx ); + + if( in->bv_val[0] == '{' && in->bv_val[in->bv_len-1] == '}' ) { + slap_sl_free( i.bv_val, ctx ); } - /* pretty DN */ - rc = dnNormalize( usage, syntax, mr, &i, &newi, ctx ); if( rc ) return LDAP_INVALID_SYNTAX; /* make room from sn + "$" */ - out->bv_len = sn.bv_len + newi.bv_len + 1; - out->bv_val = slap_sl_realloc( newi.bv_val, out->bv_len + 1, ctx ); + out->bv_len = STRLENOF( "{ serialNumber , issuer \"\" }" ) + + sn.bv_len + ni.bv_len; + out->bv_val = slap_sl_malloc( out->bv_len + 1, ctx ); if( out->bv_val == NULL ) { out->bv_len = 0; - slap_sl_free( newi.bv_val, ctx ); + slap_sl_free( ni.bv_val, ctx ); return LDAP_OTHER; } - /* push issuer over */ - AC_MEMCPY( &out->bv_val[sn.bv_len+1], out->bv_val, newi.bv_len ); - /* insert sn and "$" */ - AC_MEMCPY( out->bv_val, sn.bv_val, sn.bv_len ); - out->bv_val[sn.bv_len] = '$'; - /* terminate */ - out->bv_val[out->bv_len] = '\0'; + n = 0; + AC_MEMCPY( &out->bv_val[n], "{ serialNumber ", + STRLENOF( "{ serialNumber " )); + n = STRLENOF( "{ serialNumber " ); + + AC_MEMCPY( &out->bv_val[n], sn.bv_val, sn.bv_len ); + n += sn.bv_len; + + AC_MEMCPY( &out->bv_val[n], ", issuer \"", STRLENOF( ", issuer \"" )); + n += STRLENOF( ", issuer \"" ); + + AC_MEMCPY( &out->bv_val[n], ni.bv_val, ni.bv_len ); + n += ni.bv_len; + + AC_MEMCPY( &out->bv_val[n], "\" }", STRLENOF( "\" }" )); + n += STRLENOF( "\" }" ); + + out->bv_val[n] = '\0'; + + assert( n == out->bv_len ); Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerNormalize: <%s>\n", out->bv_val, 0, 0 ); - return rc; + slap_sl_free( ni.bv_val, ctx ); + + return LDAP_SUCCESS; } #ifdef HAVE_TLS @@ -2646,19 +3292,34 @@ certificateExactNormalize( rc = dnX509normalize( name, &issuer_dn ); if( rc != LDAP_SUCCESS ) goto done; - normalized->bv_len = seriallen + issuer_dn.bv_len + 1; + normalized->bv_len = STRLENOF( "{ serialNumber , issuer \"\" }" ) + + seriallen + issuer_dn.bv_len; normalized->bv_val = ch_malloc(normalized->bv_len+1); + p = (unsigned char *)normalized->bv_val; + + AC_MEMCPY(p, "{ serialNumber ", STRLENOF( "{ serialNumber " )); + p += STRLENOF( "{ serialNumber " ); + AC_MEMCPY(p, serial, seriallen); p += seriallen; - *p++ = '$'; + + AC_MEMCPY(p, ", issuer \"", STRLENOF( ", issuer \"" )); + p += STRLENOF( ", issuer \"" ); + AC_MEMCPY(p, issuer_dn.bv_val, issuer_dn.bv_len); p += issuer_dn.bv_len; + + AC_MEMCPY(p, "\" }", STRLENOF( "\" }" )); + p += STRLENOF( "\" }" ); + *p = '\0'; Debug( LDAP_DEBUG_TRACE, "certificateExactNormalize: %s\n", normalized->bv_val, NULL, NULL ); + rc = LDAP_SUCCESS; + done: if (xcert) X509_free(xcert); if (serial) ch_free(serial); @@ -2918,7 +3579,7 @@ generalizedTimeNormalize( return rc; } - len = sizeof("YYYYmmddHHMMSSZ")-1 + fraction.bv_len; + len = STRLENOF("YYYYmmddHHMMSSZ") + fraction.bv_len; normalized->bv_val = slap_sl_malloc( len + 1, ctx ); if ( BER_BVISNULL( normalized ) ) { return LBER_ERROR_MEMORY; @@ -2928,9 +3589,9 @@ generalizedTimeNormalize( parts[0], parts[1], parts[2] + 1, parts[3] + 1, parts[4], parts[5], parts[6] ); if ( !BER_BVISEMPTY( &fraction ) ) { - memcpy( normalized->bv_val + sizeof("YYYYmmddHHMMSSZ")-2, + memcpy( normalized->bv_val + STRLENOF("YYYYmmddHHMMSSZ")-1, fraction.bv_val, fraction.bv_len ); - normalized->bv_val[sizeof("YYYYmmddHHMMSSZ")-2] = '.'; + normalized->bv_val[STRLENOF("YYYYmmddHHMMSSZ")-1] = '.'; } strcpy( normalized->bv_val + len-1, "Z" ); normalized->bv_len = len; @@ -3861,12 +4522,7 @@ static slap_mrule_defs_rec mrule_defs[] = { {"( 2.5.13.35 NAME 'certificateMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )", SLAP_MR_EQUALITY | SLAP_MR_EXT, NULL, -#ifdef HAVE_TLS - NULL, NULL, octetStringMatch, - octetStringIndexer, octetStringFilter, -#else NULL, NULL, NULL, NULL, NULL, -#endif NULL }, {"( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' " diff --git a/tests/data/certificate.tls b/tests/data/certificate.tls index c163fd5c69..8404943a9b 100644 --- a/tests/data/certificate.tls +++ b/tests/data/certificate.tls @@ -71,7 +71,7 @@ dn: dc=example,dc=com objectClass: top objectClass: organization objectClass: domainRelatedObject -objectclass: dcobject +objectClass: dcObject objectClass: extensibleObject dc: example l: Anytown, Michigan @@ -133,6 +133,39 @@ userCertificate;binary:: MIIDazCCAtSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADB3MQswCQYDV 05xpoXocZtKdNvBu3FNxB/jFkiOcLU2lX7Px1Ijnsjh60qVRy9HOsHCungIKlGcnXLKHmKu0y//5j ds/HnaJsGcHI5JRG7CBJbW+wrwge3trJ1xHJI8prN +# (userCertificate={ serialNumber 2, issuer "EMAIL=ca@example.com,CN=Example CA,O=Openldap Example\5C, Ltd.,ST=California,C=US" }) +dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com +objectClass: OpenLDAPperson +objectClass: strongAuthenticationUser +cn: Ursula Hampster +sn: Hampster +uid: uham +title: Secretary, UM Alumni Association +postalAddress: Alumni Association $ 111 Maple St $ Anytown, MI 48109 +seeAlso: cn=All Staff,ou=Groups,dc=example,dc=com +homePostalAddress: 123 Anystreet $ Anytown, MI 48104 +mail: uham@mail.alumni.example.com +homePhone: +1 313 555 8421 +pager: +1 313 555 2844 +facsimileTelephoneNumber: +1 313 555 9700 +telephoneNumber: +1 313 555 5331 +userCertificate;binary:: MIIDazCCAtSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADB3MQswCQYDV + QQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwgTH + RkLjETMBEGA1UEAxMKRXhhbXBsZSBDQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb20wHhc + NMDMxMDE3MTYzMzE5WhcNMDQxMDE2MTYzMzE5WjB+MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs + aWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwgTHRkLjEYMBYGA1UEAxMPVXJzdWxhI + EhhbXBzdGVyMR8wHQYJKoZIhvcNAQkBFhB1aGFtQGV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQ + UAA4GNADCBiQKBgQDuxgp5ELV9LmhxWMpV7qc4028QQT3+zzFDXhruuXE7ji2n3S3ea8bOwDtJh+q + nsDe561DhHHHlgIjMKCiDEizYMpxvJPYEXmvp0huRkMgpKZgmel95BSkt6TYmJ0erS3aoimOHLEFi + mmnTLolNRMiWqNBvqwobx940PGwUWEePKQIDAQABo4H/MIH8MAkGA1UdEwQCMAAwLAYJYIZIAYb4Q + gENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSjI94TbBmuDEeUUO + iC37EK0Uf0XjCBoQYDVR0jBIGZMIGWgBRLbyEaNiTSkPlDsFNHLX3hwOaYI6F7pHkwdzELMAkGA1U + EBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExHzAdBgNVBAoTFk9wZW5MREFQIEV4YW1wbGUsIEx0 + ZC4xEzARBgNVBAMTCkV4YW1wbGUgQ0ExHTAbBgkqhkiG9w0BCQEWDmNhQGV4YW1wbGUuY29tggEAM + A0GCSqGSIb3DQEBBAUAA4GBAIgUcARb3OlWYNbmr1nmqESuxLn16uqI1Ot6WkcICvpkdQ+Bo+R9AP + 05xpoXocZtKdNvBu3FNxB/jFkiOcLU2lX7Px1Ijnsjh60qVRy9HOsHCungIKlGcnXLKHmKu0y//5j + ds/HnaJsGcHI5JRG7CBJbW+wrwge3trJ1xHJI8prN + # (userCertificate:certificateExactMatch:=3$EMAIL=ca@example.com,CN=Example CA,O=Openldap Example\5C, Ltd.,ST=California,C=US) dn: cn=Jennifer Smith,ou=Alumni Association,ou=People,dc=example,dc=com objectClass: OpenLDAPperson @@ -169,37 +202,39 @@ userCertificate;binary:: MIIDjDCCAvWgAwIBAgIBAzANBgkqhkiG9w0BAQQFADB3MQswCQYDV 5akCr5tdFQhuBLUXXDk/tTHGpIWt7OAjEmpuMzsz3GUB8Zf9rioHOs1DMw+GpzWdnFITxXhAqEDc3 quqPrpxZ -dn: dc=example,dc=com -objectClass: top -objectClass: organization -objectClass: domainRelatedObject -objectclass: dcobject -objectClass: extensibleObject -dc: example -l: Anytown, Michigan -st: Michigan -o: Example, Inc. -o: EX -o: Ex. -description: The Example, Inc. at Anytown -postalAddress: Example, Inc. $ 535 W. William St. $ Anytown, MI 48109 $ US -telephoneNumber: +1 313 555 1817 -associatedDomain: example.com -cACertificate;binary:: MIIDVDCCAr2gAwIBAgIBADANBgkqhkiG9w0BAQQFADB3MQswCQYDVQQ - GEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwgTHRk - LjETMBEGA1UEAxMKRXhhbXBsZSBDQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb20wHhcNM - DMxMDE3MTYzMDQxWhcNMDQxMDE2MTYzMDQxWjB3MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaW - Zvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwgTHRkLjETMBEGA1UEAxMKRXhhbXBsZSB - DQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ - AoGBANljUGxiisAzEiALukzt3Gj/24MRw1J0AZx6GncXLhpNJsAFyA0bYZdAzgvydKeq/uX0i5o/4 - Byc3G71XAAcbJZxDPtrLwpDAdMNOBvKV2r67yTgnpatFLfGRt/FWazj5EbFYkorWWTe+4eEBd9VPz - ebHdIm+DPHipUfIAzRoNejAgMBAAGjge8wgewwHQYDVR0OBBYEFEtvIRo2JNKQ+UOwU0ctfeHA5pg - jMIGhBgNVHSMEgZkwgZaAFEtvIRo2JNKQ+UOwU0ctfeHA5pgjoXukeTB3MQswCQYDVQQGEwJVUzET - MBEGA1UECBMKQ2FsaWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwgTHRkLjETMBEGA - 1UEAxMKRXhhbXBsZSBDQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb22CAQAwDAYDVR0TBA - UwAwEB/zAZBgNVHREEEjAQgQ5jYUBleGFtcGxlLmNvbTANBgkqhkiG9w0BAQQFAAOBgQCgXD/+28E - l3GXi/uxMNEKqtnIhQdTnNU4il0fZ6pcmHPFC+61Bddow90ZZZh5Gbg5ZBxFRhDXN8K/fix3ewRSj - ASt40dGlEODkE+FsLMt04sYl6kX7RGKg9a46DkeG+uzZnN/3252uCgh+rjNMFAglueUTERv3EtUB1 - iXEoU3GyA== +# (userCertificate:certificateExactMatch:={ issuer "EMAIL=ca@example.com,CN=Example CA,O=Openldap Example\5C, Ltd.,ST=California,C=US", serialNumber 3 }) +dn: cn=Jennifer Smith,ou=Alumni Association,ou=People,dc=example,dc=com +objectClass: OpenLDAPperson +objectClass: strongAuthenticationUser +cn: Jennifer Smith +cn: Jen Smith +sn: Smith +uid: jen +postalAddress: Alumni Association $ 111 Maple St $ Anytown, MI 48109 +seeAlso: cn=All Staff,ou=Groups,dc=example,dc=com +drink: Sam Adams +homePostalAddress: 1000 Maple #44 $ Anytown, MI 48103 +title: Telemarketer, UM Alumni Association +mail: jen@mail.alumni.example.com +homePhone: +1 313 555 2333 +pager: +1 313 555 6442 +facsimileTelephoneNumber: +1 313 555 2756 +telephoneNumber: +1 313 555 8232 +userCertificate;binary:: MIIDjDCCAvWgAwIBAgIBAzANBgkqhkiG9w0BAQQFADB3MQswCQYDV + QQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwgTH + RkLjETMBEGA1UEAxMKRXhhbXBsZSBDQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb20wHhc + NMDMxMDE3MTYzNTM1WhcNMDQxMDE2MTYzNTM1WjCBnjELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE1p + Y2hpZ2FuMR8wHQYDVQQKExZPcGVuTERBUCBFeGFtcGxlLCBMdGQuMRswGQYDVQQLExJBbHVtbmkgQ + XNzb2ljYXRpb24xEjAQBgNVBAMTCUplbiBTbWl0aDEqMCgGCSqGSIb3DQEJARYbamVuQG1haWwuYW + x1bW5pLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDpnXWAL0VkROGO1Rg + 8J3u6F4F7yMqQCbUMsV9rxQisYj45+pmqiHV5urogvT4MGD6eLNFZKBn+0KRni++uu7gbartzpmBa + HOlzRII9ZdVMFfrT2xYNgAlkne6pb6IZIN9UONuH/httENCDJ5WEpjZ48D1Lrml/HYO/W+SAMkpEq + QIDAQABo4H/MIH8MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIE + NlcnRpZmljYXRlMB0GA1UdDgQWBBTB2saht/od/nis76b9m+pjxfhSPjCBoQYDVR0jBIGZMIGWgBR + LbyEaNiTSkPlDsFNHLX3hwOaYI6F7pHkwdzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju + aWExHzAdBgNVBAoTFk9wZW5MREFQIEV4YW1wbGUsIEx0ZC4xEzARBgNVBAMTCkV4YW1wbGUgQ0ExH + TAbBgkqhkiG9w0BCQEWDmNhQGV4YW1wbGUuY29tggEAMA0GCSqGSIb3DQEBBAUAA4GBAIoGPc/AS0 + cNkMRDNoMIzcFdF9lONMduKBiSuFvv+x8nCek+LUdXxF59V2NPKh2V5gFh5xbAchyv6FVBnpVtPdB + 5akCr5tdFQhuBLUXXDk/tTHGpIWt7OAjEmpuMzsz3GUB8Zf9rioHOs1DMw+GpzWdnFITxXhAqEDc3 + quqPrpxZ -# (cAcertificate;binary:certificateMatch:=\30\82\03\54\30\82\02\bd\a0\03\02\01\02\02\01\00\30\0d\06\09\2a\86\48\86\f7\0d\01\01\04\05\00\30\77\31\0b\30\09\06\03\55\04\06\13\02\55\53\31\13\30\11\06\03\55\04\08\13\0a\43\61\6c\69\66\6f\72\6e\69\61\31\1f\30\1d\06\03\55\04\0a\13\16\4f\70\65\6e\4c\44\41\50\20\45\78\61\6d\70\6c\65\2c\20\4c\74\64\2e\31\13\30\11\06\03\55\04\03\13\0a\45\78\61\6d\70\6c\65\20\43\41\31\1d\30\1b\06\09\2a\86\48\86\f7\0d\01\09\01\16\0e\63\61\40\65\78\61\6d\70\6c\65\2e\63\6f\6d\30\1e\17\0d\30\33\31\30\31\37\31\36\33\30\34\31\5a\17\0d\30\34\31\30\31\36\31\36\33\30\34\31\5a\30\77\31\0b\30\09\06\03\55\04\06\13\02\55\53\31\13\30\11\06\03\55\04\08\13\0a\43\61\6c\69\66\6f\72\6e\69\61\31\1f\30\1d\06\03\55\04\0a\13\16\4f\70\65\6e\4c\44\41\50\20\45\78\61\6d\70\6c\65\2c\20\4c\74\64\2e\31\13\30\11\06\03\55\04\03\13\0a\45\78\61\6d\70\6c\65\20\43\41\31\1d\30\1b\06\09\2a\86\48\86\f7\0d\01\09\01\16\0e\63\61\40\65\78\61\6d\70\6c\65\2e\63\6f\6d\30\81\9f\30\0d\06\09\2a\86\48\86\f7\0d\01\01\01\05\00\03\81\8d\00\30\81\89\02\81\81\00\d9\63\50\6c\62\8a\c0\33\12\20\0b\ba\4c\ed\dc\68\ff\db\83\11\c3\52\74\01\9c\7a\1a\77\17\2e\1a\4d\26\c0\05\c8\0d\1b\61\97\40\ce\0b\f2\74\a7\aa\fe\e5\f4\8b\9a\3f\e0\1c\9c\dc\6e\f5\5c\00\1c\6c\96\71\0c\fb\6b\2f\0a\43\01\d3\0d\38\1b\ca\57\6a\fa\ef\24\e0\9e\96\ad\14\b7\c6\46\df\c5\59\ac\e3\e4\46\c5\62\4a\2b\59\64\de\fb\87\84\05\df\55\3f\37\9b\1d\d2\26\f8\33\c7\8a\95\1f\20\0c\d1\a0\d7\a3\02\03\01\00\01\a3\81\ef\30\81\ec\30\1d\06\03\55\1d\0e\04\16\04\14\4b\6f\21\1a\36\24\d2\90\f9\43\b0\53\47\2d\7d\e1\c0\e6\98\23\30\81\a1\06\03\55\1d\23\04\81\99\30\81\96\80\14\4b\6f\21\1a\36\24\d2\90\f9\43\b0\53\47\2d\7d\e1\c0\e6\98\23\a1\7b\a4\79\30\77\31\0b\30\09\06\03\55\04\06\13\02\55\53\31\13\30\11\06\03\55\04\08\13\0a\43\61\6c\69\66\6f\72\6e\69\61\31\1f\30\1d\06\03\55\04\0a\13\16\4f\70\65\6e\4c\44\41\50\20\45\78\61\6d\70\6c\65\2c\20\4c\74\64\2e\31\13\30\11\06\03\55\04\03\13\0a\45\78\61\6d\70\6c\65\20\43\41\31\1d\30\1b\06\09\2a\86\48\86\f7\0d\01\09\01\16\0e\63\61\40\65\78\61\6d\70\6c\65\2e\63\6f\6d\82\01\00\30\0c\06\03\55\1d\13\04\05\30\03\01\01\ff\30\19\06\03\55\1d\11\04\12\30\10\81\0e\63\61\40\65\78\61\6d\70\6c\65\2e\63\6f\6d\30\0d\06\09\2a\86\48\86\f7\0d\01\01\04\05\00\03\81\81\00\a0\5c\3f\fe\db\c1\25\dc\65\e2\fe\ec\4c\34\42\aa\b6\72\21\41\d4\e7\35\4e\22\97\47\d9\ea\97\26\1c\f1\42\fb\ad\41\75\da\30\f7\46\59\66\1e\46\6e\0e\59\07\11\51\84\35\cd\f0\af\df\8b\1d\de\c1\14\a3\01\2b\78\d1\d1\a5\10\e0\e4\13\e1\6c\2c\cb\74\e2\c6\25\ea\45\fb\44\62\a0\f5\ae\3a\0e\47\86\fa\ec\d9\9c\df\f7\db\9d\ae\0a\08\7e\ae\33\4c\14\08\25\b9\e5\13\11\1b\f7\12\d5\01\d6\25\c4\a1\4d\c6\c8) diff --git a/tests/scripts/test021-certificate b/tests/scripts/test021-certificate index 85ac28543d..150df453fe 100755 --- a/tests/scripts/test021-certificate +++ b/tests/scripts/test021-certificate @@ -257,7 +257,20 @@ fi SNAI='2$EMAIL=ca@example.com,CN=Example CA,O=Openldap Example\5C, Ltd.,ST=California,C=US' -echo 'Using ldapsearch to retrieve (userCertificate=serialNumberAndIssuer) ...' +echo 'Using ldapsearch to retrieve (userCertificate=serialNumberAndIssuer) [old format] ...' +echo "# (userCertificate=$SNAI)" >> $SEARCHOUT +$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ + "(userCertificate=$SNAI)" >> $SEARCHOUT 2>&1 +RC=$? +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +SNAI='{ serialNumber 2, issuer "EMAIL=ca@example.com,CN=Example CA,O=Openldap Example\5C, Ltd.,ST=California,C=US" }' + +echo 'Using ldapsearch to retrieve (userCertificate=serialNumberAndIssuer) [new format] ...' echo "# (userCertificate=$SNAI)" >> $SEARCHOUT $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ "(userCertificate=$SNAI)" >> $SEARCHOUT 2>&1 @@ -270,7 +283,7 @@ fi SNAI='3$EMAIL=ca@example.com,CN=Example CA,O=Openldap Example\5C, Ltd.,ST=California,C=US' -echo 'Using ldapsearch to retrieve (userCertificate:certificateExactMatch:=serialNumberAndIssuer) ...' +echo 'Using ldapsearch to retrieve (userCertificate:certificateExactMatch:=serialNumberAndIssuer) [old format] ...' echo "# (userCertificate:certificateExactMatch:=$SNAI)" >> $SEARCHOUT $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ "(userCertificate:certificateExactMatch:=$SNAI)" >> $SEARCHOUT 2>&1 @@ -281,12 +294,12 @@ if test $RC != 0 ; then exit $RC fi -CERT='\30\82\03\54\30\82\02\bd\a0\03\02\01\02\02\01\00\30\0d\06\09\2a\86\48\86\f7\0d\01\01\04\05\00\30\77\31\0b\30\09\06\03\55\04\06\13\02\55\53\31\13\30\11\06\03\55\04\08\13\0a\43\61\6c\69\66\6f\72\6e\69\61\31\1f\30\1d\06\03\55\04\0a\13\16\4f\70\65\6e\4c\44\41\50\20\45\78\61\6d\70\6c\65\2c\20\4c\74\64\2e\31\13\30\11\06\03\55\04\03\13\0a\45\78\61\6d\70\6c\65\20\43\41\31\1d\30\1b\06\09\2a\86\48\86\f7\0d\01\09\01\16\0e\63\61\40\65\78\61\6d\70\6c\65\2e\63\6f\6d\30\1e\17\0d\30\33\31\30\31\37\31\36\33\30\34\31\5a\17\0d\30\34\31\30\31\36\31\36\33\30\34\31\5a\30\77\31\0b\30\09\06\03\55\04\06\13\02\55\53\31\13\30\11\06\03\55\04\08\13\0a\43\61\6c\69\66\6f\72\6e\69\61\31\1f\30\1d\06\03\55\04\0a\13\16\4f\70\65\6e\4c\44\41\50\20\45\78\61\6d\70\6c\65\2c\20\4c\74\64\2e\31\13\30\11\06\03\55\04\03\13\0a\45\78\61\6d\70\6c\65\20\43\41\31\1d\30\1b\06\09\2a\86\48\86\f7\0d\01\09\01\16\0e\63\61\40\65\78\61\6d\70\6c\65\2e\63\6f\6d\30\81\9f\30\0d\06\09\2a\86\48\86\f7\0d\01\01\01\05\00\03\81\8d\00\30\81\89\02\81\81\00\d9\63\50\6c\62\8a\c0\33\12\20\0b\ba\4c\ed\dc\68\ff\db\83\11\c3\52\74\01\9c\7a\1a\77\17\2e\1a\4d\26\c0\05\c8\0d\1b\61\97\40\ce\0b\f2\74\a7\aa\fe\e5\f4\8b\9a\3f\e0\1c\9c\dc\6e\f5\5c\00\1c\6c\96\71\0c\fb\6b\2f\0a\43\01\d3\0d\38\1b\ca\57\6a\fa\ef\24\e0\9e\96\ad\14\b7\c6\46\df\c5\59\ac\e3\e4\46\c5\62\4a\2b\59\64\de\fb\87\84\05\df\55\3f\37\9b\1d\d2\26\f8\33\c7\8a\95\1f\20\0c\d1\a0\d7\a3\02\03\01\00\01\a3\81\ef\30\81\ec\30\1d\06\03\55\1d\0e\04\16\04\14\4b\6f\21\1a\36\24\d2\90\f9\43\b0\53\47\2d\7d\e1\c0\e6\98\23\30\81\a1\06\03\55\1d\23\04\81\99\30\81\96\80\14\4b\6f\21\1a\36\24\d2\90\f9\43\b0\53\47\2d\7d\e1\c0\e6\98\23\a1\7b\a4\79\30\77\31\0b\30\09\06\03\55\04\06\13\02\55\53\31\13\30\11\06\03\55\04\08\13\0a\43\61\6c\69\66\6f\72\6e\69\61\31\1f\30\1d\06\03\55\04\0a\13\16\4f\70\65\6e\4c\44\41\50\20\45\78\61\6d\70\6c\65\2c\20\4c\74\64\2e\31\13\30\11\06\03\55\04\03\13\0a\45\78\61\6d\70\6c\65\20\43\41\31\1d\30\1b\06\09\2a\86\48\86\f7\0d\01\09\01\16\0e\63\61\40\65\78\61\6d\70\6c\65\2e\63\6f\6d\82\01\00\30\0c\06\03\55\1d\13\04\05\30\03\01\01\ff\30\19\06\03\55\1d\11\04\12\30\10\81\0e\63\61\40\65\78\61\6d\70\6c\65\2e\63\6f\6d\30\0d\06\09\2a\86\48\86\f7\0d\01\01\04\05\00\03\81\81\00\a0\5c\3f\fe\db\c1\25\dc\65\e2\fe\ec\4c\34\42\aa\b6\72\21\41\d4\e7\35\4e\22\97\47\d9\ea\97\26\1c\f1\42\fb\ad\41\75\da\30\f7\46\59\66\1e\46\6e\0e\59\07\11\51\84\35\cd\f0\af\df\8b\1d\de\c1\14\a3\01\2b\78\d1\d1\a5\10\e0\e4\13\e1\6c\2c\cb\74\e2\c6\25\ea\45\fb\44\62\a0\f5\ae\3a\0e\47\86\fa\ec\d9\9c\df\f7\db\9d\ae\0a\08\7e\ae\33\4c\14\08\25\b9\e5\13\11\1b\f7\12\d5\01\d6\25\c4\a1\4d\c6\c8' +SNAI='{ issuer "EMAIL=ca@example.com,CN=Example CA,O=Openldap Example\5C, Ltd.,ST=California,C=US", serialNumber 3 }' -echo 'Using ldapsearch to retrieve (cAcertificate;binary:certificateMatch:=certificate) ...' -echo '# (cAcertificate;binary:certificateMatch:=--CERTIFICATE--)' >> $SEARCHOUT +echo 'Using ldapsearch to retrieve (userCertificate:certificateExactMatch:=serialNumberAndIssuer) [new format]...' +echo "# (userCertificate:certificateExactMatch:=$SNAI)" >> $SEARCHOUT $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ - "(cAcertificate;binary:certificateMatch:=$CERT)" >> $SEARCHOUT 2>&1 + "(userCertificate:certificateExactMatch:=$SNAI)" >> $SEARCHOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldapsearch failed ($RC)!" -- 2.39.5