      1 /* pcy_int.h */
      2 /* Written by Dr Stephen N Henson (steve (at) openssl.org) for the OpenSSL
      3  * project 2004.
      4  */
      5 /* ====================================================================
      6  * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
      7  *
      8  * Redistribution and use in source and binary forms, with or without
      9  * modification, are permitted provided that the following conditions
     10  * are met:
     11  *
     12  * 1. Redistributions of source code must retain the above copyright
     13  *    notice, this list of conditions and the following disclaimer.
     14  *
     15  * 2. Redistributions in binary form must reproduce the above copyright
     16  *    notice, this list of conditions and the following disclaimer in
     17  *    the documentation and/or other materials provided with the
     18  *    distribution.
     19  *
     20  * 3. All advertising materials mentioning features or use of this
     21  *    software must display the following acknowledgment:
     22  *    "This product includes software developed by the OpenSSL Project
     23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
     24  *
     25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
     26  *    endorse or promote products derived from this software without
     27  *    prior written permission. For written permission, please contact
     28  *    licensing (at) OpenSSL.org.
     29  *
     30  * 5. Products derived from this software may not be called "OpenSSL"
     31  *    nor may "OpenSSL" appear in their names without prior written
     32  *    permission of the OpenSSL Project.
     33  *
     34  * 6. Redistributions of any form whatsoever must retain the following
     35  *    acknowledgment:
     36  *    "This product includes software developed by the OpenSSL Project
     37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
     38  *
     39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
     40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
     43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
     44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
     46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
     48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
     49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
     50  * OF THE POSSIBILITY OF SUCH DAMAGE.
     51  * ====================================================================
     52  *
     53  * This product includes cryptographic software written by Eric Young
     54  * (eay (at) cryptsoft.com).  This product includes software written by Tim
     55  * Hudson (tjh (at) cryptsoft.com).
     56  *
     57  */
     58 
/* Opaque handles for the internal policy-tree structures defined below.
 * The typedefs are given first so the stack declarations read naturally;
 * DECLARE_STACK_OF() only needs the tag name, not a complete type. */
typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
typedef struct X509_POLICY_REF_st X509_POLICY_REF;

DECLARE_STACK_OF(X509_POLICY_DATA)
DECLARE_STACK_OF(X509_POLICY_REF)
DECLARE_STACK_OF(X509_POLICY_NODE)
     65 
     66 /* Internal structures */
     67 
     68 /* This structure and the field names correspond to the Policy 'node' of
     69  * RFC3280. NB this structure contains no pointers to parent or child
     70  * data: X509_POLICY_NODE contains that. This means that the main policy data
     71  * can be kept static and cached with the certificate.
     72  */
     73 
struct X509_POLICY_DATA_st {
	/* Combination of the POLICY_DATA_FLAG_* bits defined below */
	unsigned int flags;
	/* OID of the policy this entry stands for */
	ASN1_OBJECT *valid_policy;
	/* Qualifiers attached to valid_policy. NB may be shared with another
	 * owner: check POLICY_DATA_FLAG_SHARED_QUALIFIERS before freeing. */
	STACK_OF(POLICYQUALINFO) *qualifier_set;
	/* expected_policy_set of the RFC3280 policy node */
	STACK_OF(ASN1_OBJECT) *expected_policy_set;
};
     82 
/* X509_POLICY_DATA flags values (bits of X509_POLICY_DATA_st.flags) */

/* Set when the entry was produced by a policyMappings extension. If policy
 * mapping is not active its references get deleted. */
#define POLICY_DATA_FLAG_MAPPED			0x1

/* Set when the entry does not correspond to a policy in CertificatePolicies:
 * it has been mapped to any policy. */
#define POLICY_DATA_FLAG_MAPPED_ANY		0x2

/* Both mapping bits: AND with flags is non-zero if any mapping occurred */
#define POLICY_DATA_FLAG_MAP_MASK \
	(POLICY_DATA_FLAG_MAPPED | POLICY_DATA_FLAG_MAPPED_ANY)

/* qualifier_set is shared with another owner and must not be freed here */
#define POLICY_DATA_FLAG_SHARED_QUALIFIERS	0x4

/* Parent node is an extra node and should be freed */
#define POLICY_DATA_FLAG_EXTRA_NODE		0x8

/* The CertificatePolicies extension this came from is critical */
#define POLICY_DATA_FLAG_CRITICAL		0x10
    112 
    113 /* This structure is an entry from a table of mapped policies which
    114  * cross reference the policy it refers to.
    115  */
    116 
struct X509_POLICY_REF_st {
	/* subjectDomainPolicy OID of one policyMappings entry */
	ASN1_OBJECT *subjectDomainPolicy;
	/* Policy data the mapping refers to; never written through here */
	const X509_POLICY_DATA *data;
};
    122 
    123 /* This structure is cached with a certificate */
    124 
struct X509_POLICY_CACHE_st
	{
	/* Data for anyPolicy, or NULL when the certificate has none */
	X509_POLICY_DATA *anyPolicy;
	/* Every other policy from CertificatePolicies */
	STACK_OF(X509_POLICY_DATA) *data;
	/* Mapped-policy table, present only with a policyMappings extension */
	STACK_OF(X509_POLICY_REF) *maps;
	/* inhibitAnyPolicy skip count, or -1 if the extension is absent */
	long any_skip;
	/* policyConstraints requireExplicitPolicy value, or -1 if absent */
	long explicit_skip;
	/* policyConstraints inhibitPolicyMapping value, or -1 if absent */
	long map_skip;
	};
    143 
    144 /*#define POLICY_CACHE_FLAG_CRITICAL		POLICY_DATA_FLAG_CRITICAL*/
    145 
    146 /* This structure represents the relationship between nodes */
    147 
struct X509_POLICY_NODE_st {
	/* Policy data this node stands for; not written through here */
	const X509_POLICY_DATA *data;
	/* Node one level up, linking the tree towards the trust anchor */
	X509_POLICY_NODE *parent;
	/* How many nodes at the next level have this node as parent */
	int nchild;
};
    157 
struct X509_POLICY_LEVEL_st {
	/* Certificate this level was built from */
	X509 *cert;
	/* Every node at this level */
	STACK_OF(X509_POLICY_NODE) *nodes;
	/* The level's anyPolicy node, if any */
	X509_POLICY_NODE *anyPolicy;
	/* Per-level flag bits */
	unsigned int flags;
};
    170 
struct X509_POLICY_TREE_st {
	/* Array of nlevel levels, one per certificate in the chain */
	X509_POLICY_LEVEL *levels;
	int nlevel;
	/* Policy data for nodes that had to be added beyond what the
	 * certificates themselves carry. */
	STACK_OF(X509_POLICY_DATA) *extra_data;
	/* The authority-constrained policy set */
	STACK_OF(X509_POLICY_NODE) *auth_policies;
	/* The user-constrained policy set */
	STACK_OF(X509_POLICY_NODE) *user_policies;
	/* POLICY_FLAG_* bits */
	unsigned int flags;
};
    185 
/* X509_POLICY_TREE_st.flags bit: anyPolicy is present in user_policies */
#define POLICY_FLAG_ANY_POLICY		0x2
    188 
    189 /* Useful macros */
    190 
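/* Non-zero if the CertificatePolicies extension behind 'data' / 'node'
 * was critical (POLICY_DATA_FLAG_CRITICAL). Arguments are parenthesized so
 * an expression argument (a conditional, a cast) binds to -> correctly
 * rather than to its last operand. */
#define node_data_critical(data) (((data)->flags) & POLICY_DATA_FLAG_CRITICAL)
#define node_critical(node) node_data_critical((node)->data)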
    193 
    194 /* Internal functions */
    195 
/* Internal functions */

/* Allocate policy data for 'policy' / OID 'id'; 'crit' presumably records
 * the criticality of the source extension (POLICY_DATA_FLAG_CRITICAL) —
 * confirm against the definition. */
X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit);
/* Release 'data'; NB POLICY_DATA_FLAG_SHARED_QUALIFIERS governs whether
 * qualifier_set is owned by it. */
void policy_data_free(X509_POLICY_DATA *data);

/* Look up the entry for OID 'id' in 'cache'; the cache is only read. */
X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
					 const ASN1_OBJECT *id);
/* Record the policyMappings 'maps' of certificate 'x' in its cache. */
int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps);

/* New node stack with the policy node comparison function installed. */
STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void);

void policy_cache_init(void);

void policy_cache_free(X509_POLICY_CACHE *cache);

/* Locate the node for OID 'id' at 'level' (the level is only read). */
X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
				  const ASN1_OBJECT *id);

/* Locate the node for OID 'id' in the node stack 'sk'. */
X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
			       const ASN1_OBJECT *id);

/* Add a node for 'data' to 'level' with 'parent' as its parent; 'tree' is
 * passed through, presumably for extra_data bookkeeping — confirm. */
X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
				 X509_POLICY_DATA *data,
				 X509_POLICY_NODE *parent,
				 X509_POLICY_TREE *tree);
void policy_node_free(X509_POLICY_NODE *node);

/* Return the policy cache of 'x'; the result must not be modified. */
const X509_POLICY_CACHE *policy_cache_set(X509 *x);
    224