1 /* v3_cpols.c */ 2 /* Written by Dr Stephen N Henson (steve (at) openssl.org) for the OpenSSL 3 * project 1999. 4 */ 5 /* ==================================================================== 6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing (at) OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay (at) cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh (at) cryptsoft.com). 56 * 57 */ 58 59 #include <stdio.h> 60 #include <string.h> 61 62 #include <openssl/asn1.h> 63 #include <openssl/asn1t.h> 64 #include <openssl/conf.h> 65 #include <openssl/err.h> 66 #include <openssl/mem.h> 67 #include <openssl/obj.h> 68 #include <openssl/stack.h> 69 #include <openssl/x509v3.h> 70 71 #include "pcy_int.h" 72 73 /* Certificate policies extension support: this one is a bit complex... */ 74 75 static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol, BIO *out, int indent); 76 static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value); 77 static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals, int indent); 78 static void print_notice(BIO *out, USERNOTICE *notice, int indent); 79 static POLICYINFO *policy_section(X509V3_CTX *ctx, 80 STACK_OF(CONF_VALUE) *polstrs, int ia5org); 81 static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, 82 STACK_OF(CONF_VALUE) *unot, int ia5org); 83 static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos); 84 85 const X509V3_EXT_METHOD v3_cpols = { 86 NID_certificate_policies, 0,ASN1_ITEM_ref(CERTIFICATEPOLICIES), 87 0,0,0,0, 88 0,0, 89 0,0, 90 (X509V3_EXT_I2R)i2r_certpol, 91 (X509V3_EXT_R2I)r2i_certpol, 92 NULL 93 }; 94 95 ASN1_ITEM_TEMPLATE(CERTIFICATEPOLICIES) = 96 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CERTIFICATEPOLICIES, POLICYINFO) 97 ASN1_ITEM_TEMPLATE_END(CERTIFICATEPOLICIES) 98 99 IMPLEMENT_ASN1_FUNCTIONS(CERTIFICATEPOLICIES) 100 101 ASN1_SEQUENCE(POLICYINFO) = { 102 ASN1_SIMPLE(POLICYINFO, policyid, ASN1_OBJECT), 103 ASN1_SEQUENCE_OF_OPT(POLICYINFO, qualifiers, POLICYQUALINFO) 104 } ASN1_SEQUENCE_END(POLICYINFO) 105 106 IMPLEMENT_ASN1_FUNCTIONS(POLICYINFO) 107 108 ASN1_ADB_TEMPLATE(policydefault) = ASN1_SIMPLE(POLICYQUALINFO, d.other, ASN1_ANY); 109 110 ASN1_ADB(POLICYQUALINFO) = { 111 ADB_ENTRY(NID_id_qt_cps, ASN1_SIMPLE(POLICYQUALINFO, d.cpsuri, ASN1_IA5STRING)), 112 ADB_ENTRY(NID_id_qt_unotice, ASN1_SIMPLE(POLICYQUALINFO, d.usernotice, USERNOTICE)) 113 } ASN1_ADB_END(POLICYQUALINFO, 0, pqualid, 0, &policydefault_tt, NULL); 114 115 ASN1_SEQUENCE(POLICYQUALINFO) = { 116 ASN1_SIMPLE(POLICYQUALINFO, pqualid, ASN1_OBJECT), 117 ASN1_ADB_OBJECT(POLICYQUALINFO) 118 } ASN1_SEQUENCE_END(POLICYQUALINFO) 119 120 IMPLEMENT_ASN1_FUNCTIONS(POLICYQUALINFO) 121 122 ASN1_SEQUENCE(USERNOTICE) = { 123 ASN1_OPT(USERNOTICE, noticeref, NOTICEREF), 124 ASN1_OPT(USERNOTICE, exptext, DISPLAYTEXT) 125 } ASN1_SEQUENCE_END(USERNOTICE) 126 127 IMPLEMENT_ASN1_FUNCTIONS(USERNOTICE) 128 129 ASN1_SEQUENCE(NOTICEREF) = { 130 ASN1_SIMPLE(NOTICEREF, organization, DISPLAYTEXT), 131 ASN1_SEQUENCE_OF(NOTICEREF, noticenos, ASN1_INTEGER) 132 } ASN1_SEQUENCE_END(NOTICEREF) 133 134 IMPLEMENT_ASN1_FUNCTIONS(NOTICEREF) 135 136 static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method, 137 X509V3_CTX *ctx, char *value) 138 { 139 STACK_OF(POLICYINFO) *pols = NULL; 140 char *pstr; 141 POLICYINFO *pol; 142 ASN1_OBJECT *pobj; 143 STACK_OF(CONF_VALUE) *vals; 144 CONF_VALUE *cnf; 145 size_t i; 146 int ia5org; 147 pols = sk_POLICYINFO_new_null(); 148 if (pols == NULL) { 149 OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE); 150 return NULL; 151 } 152 vals = X509V3_parse_list(value); 153 if (vals == NULL) { 154 OPENSSL_PUT_ERROR(X509V3, ERR_R_X509V3_LIB); 155 goto err; 156 } 157 ia5org = 0; 158 for(i = 0; i < sk_CONF_VALUE_num(vals); i++) { 159 cnf = sk_CONF_VALUE_value(vals, i); 160 if(cnf->value || !cnf->name ) { 161 OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_POLICY_IDENTIFIER); 162 X509V3_conf_err(cnf); 163 goto err; 164 } 165 pstr = cnf->name; 166 if(!strcmp(pstr,"ia5org")) { 167 ia5org = 1; 168 continue; 169 } else if(*pstr == '@') { 170 STACK_OF(CONF_VALUE) *polsect; 171 polsect = X509V3_get_section(ctx, pstr + 1); 172 if(!polsect) { 173 OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_SECTION); 174 175 X509V3_conf_err(cnf); 176 goto err; 177 } 178 pol = policy_section(ctx, polsect, ia5org); 179 X509V3_section_free(ctx, polsect); 180 if(!pol) goto err; 181 } else { 182 if(!(pobj = OBJ_txt2obj(cnf->name, 0))) { 183 OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_OBJECT_IDENTIFIER); 184 X509V3_conf_err(cnf); 185 goto err; 186 } 187 pol = POLICYINFO_new(); 188 pol->policyid = pobj; 189 } 190 if (!sk_POLICYINFO_push(pols, pol)){ 191 POLICYINFO_free(pol); 192 OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE); 193 goto err; 194 } 195 } 196 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); 197 return pols; 198 err: 199 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); 200 sk_POLICYINFO_pop_free(pols, POLICYINFO_free); 201 return NULL; 202 } 203 204 static POLICYINFO *policy_section(X509V3_CTX *ctx, 205 STACK_OF(CONF_VALUE) *polstrs, int ia5org) 206 { 207 size_t i; 208 CONF_VALUE *cnf; 209 POLICYINFO *pol; 210 POLICYQUALINFO *qual; 211 if(!(pol = POLICYINFO_new())) goto merr; 212 for(i = 0; i < sk_CONF_VALUE_num(polstrs); i++) { 213 cnf = sk_CONF_VALUE_value(polstrs, i); 214 if(!strcmp(cnf->name, "policyIdentifier")) { 215 ASN1_OBJECT *pobj; 216 if(!(pobj = OBJ_txt2obj(cnf->value, 0))) { 217 OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_OBJECT_IDENTIFIER); 218 X509V3_conf_err(cnf); 219 goto err; 220 } 221 pol->policyid = pobj; 222 223 } else if(!name_cmp(cnf->name, "CPS")) { 224 if(!pol->qualifiers) pol->qualifiers = 225 sk_POLICYQUALINFO_new_null(); 226 if(!(qual = POLICYQUALINFO_new())) goto merr; 227 if(!sk_POLICYQUALINFO_push(pol->qualifiers, qual)) 228 goto merr; 229 /* TODO(fork): const correctness */ 230 qual->pqualid = (ASN1_OBJECT*) OBJ_nid2obj(NID_id_qt_cps); 231 if (qual->pqualid == NULL) { 232 OPENSSL_PUT_ERROR(X509V3, ERR_R_INTERNAL_ERROR); 233 goto err; 234 } 235 qual->d.cpsuri = M_ASN1_IA5STRING_new(); 236 if (qual->d.cpsuri == NULL) { 237 goto err; 238 } 239 if(!ASN1_STRING_set(qual->d.cpsuri, cnf->value, 240 strlen(cnf->value))) goto merr; 241 } else if(!name_cmp(cnf->name, "userNotice")) { 242 STACK_OF(CONF_VALUE) *unot; 243 if(*cnf->value != '@') { 244 OPENSSL_PUT_ERROR(X509V3, X509V3_R_EXPECTED_A_SECTION_NAME); 245 X509V3_conf_err(cnf); 246 goto err; 247 } 248 unot = X509V3_get_section(ctx, cnf->value + 1); 249 if(!unot) { 250 OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_SECTION); 251 252 X509V3_conf_err(cnf); 253 goto err; 254 } 255 qual = notice_section(ctx, unot, ia5org); 256 X509V3_section_free(ctx, unot); 257 if(!qual) goto err; 258 if(!pol->qualifiers) pol->qualifiers = 259 sk_POLICYQUALINFO_new_null(); 260 if(!sk_POLICYQUALINFO_push(pol->qualifiers, qual)) 261 goto merr; 262 } else { 263 OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_OPTION); 264 265 X509V3_conf_err(cnf); 266 goto err; 267 } 268 } 269 if(!pol->policyid) { 270 OPENSSL_PUT_ERROR(X509V3, X509V3_R_NO_POLICY_IDENTIFIER); 271 goto err; 272 } 273 274 return pol; 275 276 merr: 277 OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE); 278 279 err: 280 POLICYINFO_free(pol); 281 return NULL; 282 283 284 } 285 286 static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, 287 STACK_OF(CONF_VALUE) *unot, int ia5org) 288 { 289 size_t i; 290 int ret; 291 CONF_VALUE *cnf; 292 USERNOTICE *not; 293 POLICYQUALINFO *qual; 294 if(!(qual = POLICYQUALINFO_new())) goto merr; 295 /* TODO(fork): const correctness */ 296 qual->pqualid = (ASN1_OBJECT *) OBJ_nid2obj(NID_id_qt_unotice); 297 if (qual->pqualid == NULL) 298 { 299 OPENSSL_PUT_ERROR(X509V3, ERR_R_INTERNAL_ERROR); 300 goto err; 301 } 302 if(!(not = USERNOTICE_new())) goto merr; 303 qual->d.usernotice = not; 304 for(i = 0; i < sk_CONF_VALUE_num(unot); i++) { 305 cnf = sk_CONF_VALUE_value(unot, i); 306 if(!strcmp(cnf->name, "explicitText")) { 307 not->exptext = M_ASN1_VISIBLESTRING_new(); 308 if (not->exptext == NULL) 309 goto merr; 310 if(!ASN1_STRING_set(not->exptext, cnf->value, 311 strlen(cnf->value))) goto merr; 312 } else if(!strcmp(cnf->name, "organization")) { 313 NOTICEREF *nref; 314 if(!not->noticeref) { 315 if(!(nref = NOTICEREF_new())) goto merr; 316 not->noticeref = nref; 317 } else nref = not->noticeref; 318 if(ia5org) nref->organization->type = V_ASN1_IA5STRING; 319 else nref->organization->type = V_ASN1_VISIBLESTRING; 320 if(!ASN1_STRING_set(nref->organization, cnf->value, 321 strlen(cnf->value))) goto merr; 322 } else if(!strcmp(cnf->name, "noticeNumbers")) { 323 NOTICEREF *nref; 324 STACK_OF(CONF_VALUE) *nos; 325 if(!not->noticeref) { 326 if(!(nref = NOTICEREF_new())) goto merr; 327 not->noticeref = nref; 328 } else nref = not->noticeref; 329 nos = X509V3_parse_list(cnf->value); 330 if(!nos || !sk_CONF_VALUE_num(nos)) { 331 OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NUMBERS); 332 X509V3_conf_err(cnf); 333 goto err; 334 } 335 ret = nref_nos(nref->noticenos, nos); 336 sk_CONF_VALUE_pop_free(nos, X509V3_conf_free); 337 if (!ret) 338 goto err; 339 } else { 340 OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_OPTION); 341 X509V3_conf_err(cnf); 342 goto err; 343 } 344 } 345 346 if(not->noticeref && 347 (!not->noticeref->noticenos || !not->noticeref->organization)) { 348 OPENSSL_PUT_ERROR(X509V3, X509V3_R_NEED_ORGANIZATION_AND_NUMBERS); 349 goto err; 350 } 351 352 return qual; 353 354 merr: 355 OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE); 356 357 err: 358 POLICYQUALINFO_free(qual); 359 return NULL; 360 } 361 362 static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos) 363 { 364 CONF_VALUE *cnf; 365 ASN1_INTEGER *aint; 366 367 size_t i; 368 369 for(i = 0; i < sk_CONF_VALUE_num(nos); i++) { 370 cnf = sk_CONF_VALUE_value(nos, i); 371 if(!(aint = s2i_ASN1_INTEGER(NULL, cnf->name))) { 372 OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NUMBER); 373 goto err; 374 } 375 if(!sk_ASN1_INTEGER_push(nnums, aint)) goto merr; 376 } 377 return 1; 378 379 merr: 380 OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE); 381 382 err: 383 sk_ASN1_INTEGER_pop_free(nnums, ASN1_STRING_free); 384 return 0; 385 } 386 387 388 static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol, 389 BIO *out, int indent) 390 { 391 size_t i; 392 POLICYINFO *pinfo; 393 /* First print out the policy OIDs */ 394 for(i = 0; i < sk_POLICYINFO_num(pol); i++) { 395 pinfo = sk_POLICYINFO_value(pol, i); 396 BIO_printf(out, "%*sPolicy: ", indent, ""); 397 i2a_ASN1_OBJECT(out, pinfo->policyid); 398 BIO_puts(out, "\n"); 399 if(pinfo->qualifiers) 400 print_qualifiers(out, pinfo->qualifiers, indent + 2); 401 } 402 return 1; 403 } 404 405 static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals, 406 int indent) 407 { 408 POLICYQUALINFO *qualinfo; 409 size_t i; 410 for(i = 0; i < sk_POLICYQUALINFO_num(quals); i++) { 411 qualinfo = sk_POLICYQUALINFO_value(quals, i); 412 switch(OBJ_obj2nid(qualinfo->pqualid)) 413 { 414 case NID_id_qt_cps: 415 BIO_printf(out, "%*sCPS: %s\n", indent, "", 416 qualinfo->d.cpsuri->data); 417 break; 418 419 case NID_id_qt_unotice: 420 BIO_printf(out, "%*sUser Notice:\n", indent, ""); 421 print_notice(out, qualinfo->d.usernotice, indent + 2); 422 break; 423 424 default: 425 BIO_printf(out, "%*sUnknown Qualifier: ", 426 indent + 2, ""); 427 428 i2a_ASN1_OBJECT(out, qualinfo->pqualid); 429 BIO_puts(out, "\n"); 430 break; 431 } 432 } 433 } 434 435 static void print_notice(BIO *out, USERNOTICE *notice, int indent) 436 { 437 size_t i; 438 if(notice->noticeref) { 439 NOTICEREF *ref; 440 ref = notice->noticeref; 441 BIO_printf(out, "%*sOrganization: %s\n", indent, "", 442 ref->organization->data); 443 BIO_printf(out, "%*sNumber%s: ", indent, "", 444 sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : ""); 445 for(i = 0; i < sk_ASN1_INTEGER_num(ref->noticenos); i++) { 446 ASN1_INTEGER *num; 447 char *tmp; 448 num = sk_ASN1_INTEGER_value(ref->noticenos, i); 449 if(i) BIO_puts(out, ", "); 450 tmp = i2s_ASN1_INTEGER(NULL, num); 451 BIO_puts(out, tmp); 452 OPENSSL_free(tmp); 453 } 454 BIO_puts(out, "\n"); 455 } 456 if(notice->exptext) 457 BIO_printf(out, "%*sExplicit Text: %s\n", indent, "", 458 notice->exptext->data); 459 } 460 461 void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent) 462 { 463 const X509_POLICY_DATA *dat = node->data; 464 465 BIO_printf(out, "%*sPolicy: ", indent, ""); 466 467 i2a_ASN1_OBJECT(out, dat->valid_policy); 468 BIO_puts(out, "\n"); 469 BIO_printf(out, "%*s%s\n", indent + 2, "", 470 node_data_critical(dat) ? "Critical" : "Non Critical"); 471 if (dat->qualifier_set) 472 print_qualifiers(out, dat->qualifier_set, indent + 2); 473 else 474 BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, ""); 475 } 476
