Home | History | Annotate | Download | only in x509v3
      1 /* v3_conf.c */
      2 /* Written by Dr Stephen N Henson (steve (at) openssl.org) for the OpenSSL
      3  * project 1999.
      4  */
      5 /* ====================================================================
      6  * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
      7  *
      8  * Redistribution and use in source and binary forms, with or without
      9  * modification, are permitted provided that the following conditions
     10  * are met:
     11  *
     12  * 1. Redistributions of source code must retain the above copyright
     13  *    notice, this list of conditions and the following disclaimer.
     14  *
     15  * 2. Redistributions in binary form must reproduce the above copyright
     16  *    notice, this list of conditions and the following disclaimer in
     17  *    the documentation and/or other materials provided with the
     18  *    distribution.
     19  *
     20  * 3. All advertising materials mentioning features or use of this
     21  *    software must display the following acknowledgment:
     22  *    "This product includes software developed by the OpenSSL Project
     23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
     24  *
     25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
     26  *    endorse or promote products derived from this software without
     27  *    prior written permission. For written permission, please contact
     28  *    licensing (at) OpenSSL.org.
     29  *
     30  * 5. Products derived from this software may not be called "OpenSSL"
     31  *    nor may "OpenSSL" appear in their names without prior written
     32  *    permission of the OpenSSL Project.
     33  *
     34  * 6. Redistributions of any form whatsoever must retain the following
     35  *    acknowledgment:
     36  *    "This product includes software developed by the OpenSSL Project
     37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
     38  *
     39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
     40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
     43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
     44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
     46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
     48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
     49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
     50  * OF THE POSSIBILITY OF SUCH DAMAGE.
     51  * ====================================================================
     52  *
     53  * This product includes cryptographic software written by Eric Young
     54  * (eay (at) cryptsoft.com).  This product includes software written by Tim
     55  * Hudson (tjh (at) cryptsoft.com). */
     56 
     57 /* extension creation utilities */
     58 
     59 #include <ctype.h>
     60 #include <stdio.h>
     61 #include <string.h>
     62 
     63 #include <openssl/conf.h>
     64 #include <openssl/err.h>
     65 #include <openssl/mem.h>
     66 #include <openssl/obj.h>
     67 #include <openssl/x509.h>
     68 #include <openssl/x509v3.h>
     69 
     70 #include "../internal.h"
     71 
     72 
     73 static int v3_check_critical(char **value);
     74 static int v3_check_generic(char **value);
     75 static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, int crit, char *value);
     76 static X509_EXTENSION *v3_generic_extension(const char *ext, char *value, int crit, int type, X509V3_CTX *ctx);
     77 static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,
     78 				  int crit, void *ext_struc);
     79 static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len);
     80 /* CONF *conf:  Config file    */
     81 /* char *name:  Name    */
     82 /* char *value:  Value    */
     83 X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name,
     84 				 char *value)
     85 	{
     86 	int crit;
     87 	int ext_type;
     88 	X509_EXTENSION *ret;
     89 	crit = v3_check_critical(&value);
     90 	if ((ext_type = v3_check_generic(&value)))
     91 		return v3_generic_extension(name, value, crit, ext_type, ctx);
     92 	ret = do_ext_nconf(conf, ctx, OBJ_sn2nid(name), crit, value);
     93 	if (!ret)
     94 		{
     95 		OPENSSL_PUT_ERROR(X509V3, X509V3_EXT_nconf, X509V3_R_ERROR_IN_EXTENSION);
     96 		ERR_add_error_data(4,"name=", name, ", value=", value);
     97 		}
     98 	return ret;
     99 	}
    100 
    101 /* CONF *conf:  Config file    */
    102 /* char *value:  Value    */
    103 X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
    104 				     char *value)
    105 	{
    106 	int crit;
    107 	int ext_type;
    108 	crit = v3_check_critical(&value);
    109 	if ((ext_type = v3_check_generic(&value)))
    110 		return v3_generic_extension(OBJ_nid2sn(ext_nid),
    111 						 value, crit, ext_type, ctx);
    112 	return do_ext_nconf(conf, ctx, ext_nid, crit, value);
    113 	}
    114 
    115 /* CONF *conf:  Config file    */
    116 /* char *value:  Value    */
    117 static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
    118 				    int crit, char *value)
    119 	{
    120 	const X509V3_EXT_METHOD *method;
    121 	X509_EXTENSION *ext;
    122 	STACK_OF(CONF_VALUE) *nval;
    123 	void *ext_struc;
    124 	if (ext_nid == NID_undef)
    125 		{
    126 		OPENSSL_PUT_ERROR(X509V3, do_ext_nconf, X509V3_R_UNKNOWN_EXTENSION_NAME);
    127 		return NULL;
    128 		}
    129 	if (!(method = X509V3_EXT_get_nid(ext_nid)))
    130 		{
    131 		OPENSSL_PUT_ERROR(X509V3, do_ext_nconf, X509V3_R_UNKNOWN_EXTENSION);
    132 		return NULL;
    133 		}
    134 	/* Now get internal extension representation based on type */
    135 	if (method->v2i)
    136 		{
    137 		if(*value == '@') nval = NCONF_get_section(conf, value + 1);
    138 		else nval = X509V3_parse_list(value);
    139 		if(sk_CONF_VALUE_num(nval) <= 0)
    140 			{
    141 			OPENSSL_PUT_ERROR(X509V3, do_ext_nconf, X509V3_R_INVALID_EXTENSION_STRING);
    142 			ERR_add_error_data(4, "name=", OBJ_nid2sn(ext_nid), ",section=", value);
    143 			return NULL;
    144 			}
    145 		ext_struc = method->v2i(method, ctx, nval);
    146 		if(*value != '@') sk_CONF_VALUE_pop_free(nval,
    147 							 X509V3_conf_free);
    148 		if(!ext_struc) return NULL;
    149 		}
    150 	else if(method->s2i)
    151 		{
    152 		if(!(ext_struc = method->s2i(method, ctx, value))) return NULL;
    153 		}
    154 	else if(method->r2i)
    155 		{
    156 		if(!ctx->db || !ctx->db_meth)
    157 			{
    158 			OPENSSL_PUT_ERROR(X509V3, do_ext_nconf, X509V3_R_NO_CONFIG_DATABASE);
    159 			return NULL;
    160 			}
    161 		if(!(ext_struc = method->r2i(method, ctx, value))) return NULL;
    162 		}
    163 	else
    164 		{
    165 		OPENSSL_PUT_ERROR(X509V3, do_ext_nconf, X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED);
    166 		ERR_add_error_data(2, "name=", OBJ_nid2sn(ext_nid));
    167 		return NULL;
    168 		}
    169 
    170 	ext  = do_ext_i2d(method, ext_nid, crit, ext_struc);
    171 	if(method->it) ASN1_item_free(ext_struc, ASN1_ITEM_ptr(method->it));
    172 	else method->ext_free(ext_struc);
    173 	return ext;
    174 
    175 	}
    176 
    177 static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,
    178 				  int crit, void *ext_struc)
    179 	{
    180 	unsigned char *ext_der;
    181 	int ext_len;
    182 	ASN1_OCTET_STRING *ext_oct;
    183 	X509_EXTENSION *ext;
    184 	/* Convert internal representation to DER */
    185 	if (method->it)
    186 		{
    187 		ext_der = NULL;
    188 		ext_len = ASN1_item_i2d(ext_struc, &ext_der, ASN1_ITEM_ptr(method->it));
    189 		if (ext_len < 0) goto merr;
    190 		}
    191 	 else
    192 		{
    193 		unsigned char *p;
    194 		ext_len = method->i2d(ext_struc, NULL);
    195 		if(!(ext_der = OPENSSL_malloc(ext_len))) goto merr;
    196 		p = ext_der;
    197 		method->i2d(ext_struc, &p);
    198 		}
    199 	if (!(ext_oct = M_ASN1_OCTET_STRING_new())) goto merr;
    200 	ext_oct->data = ext_der;
    201 	ext_oct->length = ext_len;
    202 
    203 	ext = X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct);
    204 	if (!ext) goto merr;
    205 	M_ASN1_OCTET_STRING_free(ext_oct);
    206 
    207 	return ext;
    208 
    209 	merr:
    210 	OPENSSL_PUT_ERROR(X509V3, do_ext_i2d, ERR_R_MALLOC_FAILURE);
    211 	return NULL;
    212 
    213 	}
    214 
    215 /* Given an internal structure, nid and critical flag create an extension */
    216 
    217 X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc)
    218 	{
    219 	const X509V3_EXT_METHOD *method;
    220 	if (!(method = X509V3_EXT_get_nid(ext_nid))) {
    221 		OPENSSL_PUT_ERROR(X509V3, X509V3_EXT_i2d, X509V3_R_UNKNOWN_EXTENSION);
    222 		return NULL;
    223 	}
    224 	return do_ext_i2d(method, ext_nid, crit, ext_struc);
    225 }
    226 
    227 /* Check the extension string for critical flag */
    228 static int v3_check_critical(char **value)
    229 {
    230 	char *p = *value;
    231 	if ((strlen(p) < 9) || strncmp(p, "critical,", 9)) return 0;
    232 	p+=9;
    233 	while(isspace((unsigned char)*p)) p++;
    234 	*value = p;
    235 	return 1;
    236 }
    237 
    238 /* Check extension string for generic extension and return the type */
    239 static int v3_check_generic(char **value)
    240 {
    241 	int gen_type = 0;
    242 	char *p = *value;
    243 	if ((strlen(p) >= 4) && !strncmp(p, "DER:", 4))
    244 		{
    245 		p+=4;
    246 		gen_type = 1;
    247 		}
    248 	else if ((strlen(p) >= 5) && !strncmp(p, "ASN1:", 5))
    249 		{
    250 		p+=5;
    251 		gen_type = 2;
    252 		}
    253 	else
    254 		return 0;
    255 
    256 	while (isspace((unsigned char)*p)) p++;
    257 	*value = p;
    258 	return gen_type;
    259 }
    260 
    261 /* Create a generic extension: for now just handle DER type */
    262 static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
    263 					    int crit, int gen_type,
    264 					    X509V3_CTX *ctx)
    265         OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS
    266 	{
    267 	unsigned char *ext_der=NULL;
    268 	long ext_len;
    269 	ASN1_OBJECT *obj=NULL;
    270 	ASN1_OCTET_STRING *oct=NULL;
    271 	X509_EXTENSION *extension=NULL;
    272 	if (!(obj = OBJ_txt2obj(ext, 0)))
    273 		{
    274 		OPENSSL_PUT_ERROR(X509V3, v3_generic_extension, X509V3_R_EXTENSION_NAME_ERROR);
    275 		ERR_add_error_data(2, "name=", ext);
    276 		goto err;
    277 		}
    278 
    279 	if (gen_type == 1)
    280 		ext_der = string_to_hex(value, &ext_len);
    281 	else if (gen_type == 2)
    282 		ext_der = generic_asn1(value, ctx, &ext_len);
    283 
    284 	if (ext_der == NULL)
    285 		{
    286 		OPENSSL_PUT_ERROR(X509V3, v3_generic_extension, X509V3_R_EXTENSION_VALUE_ERROR);
    287 		ERR_add_error_data(2, "value=", value);
    288 		goto err;
    289 		}
    290 
    291 	if (!(oct = M_ASN1_OCTET_STRING_new()))
    292 		{
    293 		OPENSSL_PUT_ERROR(X509V3, v3_generic_extension, ERR_R_MALLOC_FAILURE);
    294 		goto err;
    295 		}
    296 
    297 	oct->data = ext_der;
    298 	oct->length = ext_len;
    299 	ext_der = NULL;
    300 
    301 	extension = X509_EXTENSION_create_by_OBJ(NULL, obj, crit, oct);
    302 
    303 	err:
    304 	ASN1_OBJECT_free(obj);
    305 	M_ASN1_OCTET_STRING_free(oct);
    306 	if(ext_der) OPENSSL_free(ext_der);
    307 	return extension;
    308 
    309 	}
    310 
    311 static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len)
    312 	{
    313 	ASN1_TYPE *typ;
    314 	unsigned char *ext_der = NULL;
    315 	typ = ASN1_generate_v3(value, ctx);
    316 	if (typ == NULL)
    317 		return NULL;
    318 	*ext_len = i2d_ASN1_TYPE(typ, &ext_der);
    319 	ASN1_TYPE_free(typ);
    320 	return ext_der;
    321 	}
    322 
    323 /* This is the main function: add a bunch of extensions based on a config file
    324  * section to an extension STACK.
    325  */
    326 
    327 
    328 int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section,
    329 			    STACK_OF(X509_EXTENSION) **sk)
    330 	{
    331 	X509_EXTENSION *ext;
    332 	STACK_OF(CONF_VALUE) *nval;
    333 	CONF_VALUE *val;
    334 	size_t i;
    335 	if (!(nval = NCONF_get_section(conf, section))) return 0;
    336 	for (i = 0; i < sk_CONF_VALUE_num(nval); i++)
    337 		{
    338 		val = sk_CONF_VALUE_value(nval, i);
    339 		if (!(ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value)))
    340 								return 0;
    341 		if (sk) X509v3_add_ext(sk, ext, -1);
    342 		X509_EXTENSION_free(ext);
    343 		}
    344 	return 1;
    345 	}
    346 
    347 /* Convenience functions to add extensions to a certificate, CRL and request */
    348 
    349 int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
    350 			 X509 *cert)
    351 	{
    352 	STACK_OF(X509_EXTENSION) **sk = NULL;
    353 	if (cert)
    354 		sk = &cert->cert_info->extensions;
    355 	return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
    356 	}
    357 
    358 /* Same as above but for a CRL */
    359 
    360 int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
    361 			     X509_CRL *crl)
    362 	{
    363 	STACK_OF(X509_EXTENSION) **sk = NULL;
    364 	if (crl)
    365 		sk = &crl->crl->extensions;
    366 	return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
    367 	}
    368 
    369 /* Add extensions to certificate request */
    370 
    371 int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
    372 	     X509_REQ *req)
    373 	{
    374 	STACK_OF(X509_EXTENSION) *extlist = NULL, **sk = NULL;
    375 	int i;
    376 	if (req)
    377 		sk = &extlist;
    378 	i = X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
    379 	if (!i || !sk)
    380 		return i;
    381 	i = X509_REQ_add_extensions(req, extlist);
    382 	sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free);
    383 	return i;
    384 	}
    385 
    386 /* Config database functions */
    387 
    388 char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section)
    389 	{
    390 	if(!ctx->db || !ctx->db_meth || !ctx->db_meth->get_string)
    391 		{
    392 		OPENSSL_PUT_ERROR(X509V3, X509V3_get_string, X509V3_R_OPERATION_NOT_DEFINED);
    393 		return NULL;
    394 		}
    395 	if (ctx->db_meth->get_string)
    396 			return ctx->db_meth->get_string(ctx->db, name, section);
    397 	return NULL;
    398 	}
    399 
    400 STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section)
    401 	{
    402 	if(!ctx->db || !ctx->db_meth || !ctx->db_meth->get_section)
    403 		{
    404 		OPENSSL_PUT_ERROR(X509V3, X509V3_get_section, X509V3_R_OPERATION_NOT_DEFINED);
    405 		return NULL;
    406 		}
    407 	if (ctx->db_meth->get_section)
    408 			return ctx->db_meth->get_section(ctx->db, section);
    409 	return NULL;
    410 	}
    411 
    412 void X509V3_string_free(X509V3_CTX *ctx, char *str)
    413 	{
    414 	if (!str) return;
    415 	if (ctx->db_meth->free_string)
    416 			ctx->db_meth->free_string(ctx->db, str);
    417 	}
    418 
    419 void X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section)
    420 	{
    421 	if (!section) return;
    422 	if (ctx->db_meth->free_section)
    423 			ctx->db_meth->free_section(ctx->db, section);
    424 	}
    425 
    426 static char *nconf_get_string(void *db, char *section, char *value)
    427 	{
    428         /* TODO(fork): this should return a const value. */
    429 	return (char *) NCONF_get_string(db, section, value);
    430 	}
    431 
    432 static STACK_OF(CONF_VALUE) *nconf_get_section(void *db, char *section)
    433 	{
    434 	return NCONF_get_section(db, section);
    435 	}
    436 
    437 static const X509V3_CONF_METHOD nconf_method = {
    438 nconf_get_string,
    439 nconf_get_section,
    440 NULL,
    441 NULL
    442 };
    443 
    444 void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf)
    445 	{
    446 	ctx->db_meth = &nconf_method;
    447 	ctx->db = conf;
    448 	}
    449 
    450 void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
    451 		    X509_CRL *crl, int flags)
    452 	{
    453 	ctx->issuer_cert = issuer;
    454 	ctx->subject_cert = subj;
    455 	ctx->crl = crl;
    456 	ctx->subject_req = req;
    457 	ctx->flags = flags;
    458 	}
    459 
    460