1 /* v3_lib.c */ 2 /* 3 * Written by Dr Stephen N Henson (steve (at) openssl.org) for the OpenSSL project 4 * 1999. 5 */ 6 /* ==================================================================== 7 * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * licensing (at) OpenSSL.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 * 54 * This product includes cryptographic software written by Eric Young 55 * (eay (at) cryptsoft.com). This product includes software written by Tim 56 * Hudson (tjh (at) cryptsoft.com). 57 * 58 */ 59 /* X509 v3 extension utilities */ 60 61 #include <stdio.h> 62 63 #include <openssl/conf.h> 64 #include <openssl/err.h> 65 #include <openssl/mem.h> 66 #include <openssl/obj.h> 67 #include <openssl/x509v3.h> 68 69 #include "ext_dat.h" 70 static STACK_OF(X509V3_EXT_METHOD) *ext_list = NULL; 71 72 static void ext_list_free(X509V3_EXT_METHOD *ext); 73 74 static int ext_stack_cmp(const X509V3_EXT_METHOD **a, 75 const X509V3_EXT_METHOD **b) 76 { 77 return ((*a)->ext_nid - (*b)->ext_nid); 78 } 79 80 int X509V3_EXT_add(X509V3_EXT_METHOD *ext) 81 { 82 if (!ext_list && !(ext_list = sk_X509V3_EXT_METHOD_new(ext_stack_cmp))) { 83 OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE); 84 ext_list_free(ext); 85 return 0; 86 } 87 if (!sk_X509V3_EXT_METHOD_push(ext_list, ext)) { 88 OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE); 89 ext_list_free(ext); 90 return 0; 91 } 92 return 1; 93 } 94 95 static int ext_cmp(const void *void_a, const void *void_b) 96 { 97 const X509V3_EXT_METHOD **a = (const X509V3_EXT_METHOD **)void_a; 98 const X509V3_EXT_METHOD **b = (const X509V3_EXT_METHOD **)void_b; 99 return ext_stack_cmp(a, b); 100 } 101 102 const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid) 103 { 104 X509V3_EXT_METHOD tmp; 105 const X509V3_EXT_METHOD *t = &tmp, *const *ret; 106 size_t idx; 107 108 if (nid < 0) 109 return NULL; 110 tmp.ext_nid = nid; 111 ret = 112 bsearch(&t, standard_exts, STANDARD_EXTENSION_COUNT, 113 sizeof(X509V3_EXT_METHOD *), ext_cmp); 114 if (ret) 115 return *ret; 116 if (!ext_list) 117 return NULL; 118 119 if (!sk_X509V3_EXT_METHOD_find(ext_list, &idx, &tmp)) 120 return NULL; 121 return sk_X509V3_EXT_METHOD_value(ext_list, idx); 122 } 123 124 const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext) 125 { 126 int nid; 127 if ((nid = OBJ_obj2nid(ext->object)) == NID_undef) 128 return NULL; 129 return X509V3_EXT_get_nid(nid); 130 } 131 132 int X509V3_EXT_free(int nid, void *ext_data) 133 { 134 const X509V3_EXT_METHOD *ext_method = X509V3_EXT_get_nid(nid); 135 if (ext_method == NULL) { 136 OPENSSL_PUT_ERROR(X509V3, X509V3_R_CANNOT_FIND_FREE_FUNCTION); 137 return 0; 138 } 139 140 if (ext_method->it != NULL) 141 ASN1_item_free(ext_data, ASN1_ITEM_ptr(ext_method->it)); 142 else if (ext_method->ext_free != NULL) 143 ext_method->ext_free(ext_data); 144 else { 145 OPENSSL_PUT_ERROR(X509V3, X509V3_R_CANNOT_FIND_FREE_FUNCTION); 146 return 0; 147 } 148 149 return 1; 150 } 151 152 int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist) 153 { 154 for (; extlist->ext_nid != -1; extlist++) 155 if (!X509V3_EXT_add(extlist)) 156 return 0; 157 return 1; 158 } 159 160 int X509V3_EXT_add_alias(int nid_to, int nid_from) 161 { 162 const X509V3_EXT_METHOD *ext; 163 X509V3_EXT_METHOD *tmpext; 164 165 if (!(ext = X509V3_EXT_get_nid(nid_from))) { 166 OPENSSL_PUT_ERROR(X509V3, X509V3_R_EXTENSION_NOT_FOUND); 167 return 0; 168 } 169 if (! 170 (tmpext = 171 (X509V3_EXT_METHOD *)OPENSSL_malloc(sizeof(X509V3_EXT_METHOD)))) { 172 OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE); 173 return 0; 174 } 175 *tmpext = *ext; 176 tmpext->ext_nid = nid_to; 177 tmpext->ext_flags |= X509V3_EXT_DYNAMIC; 178 return X509V3_EXT_add(tmpext); 179 } 180 181 void X509V3_EXT_cleanup(void) 182 { 183 sk_X509V3_EXT_METHOD_pop_free(ext_list, ext_list_free); 184 ext_list = NULL; 185 } 186 187 static void ext_list_free(X509V3_EXT_METHOD *ext) 188 { 189 if (ext->ext_flags & X509V3_EXT_DYNAMIC) 190 OPENSSL_free(ext); 191 } 192 193 /* 194 * Legacy function: we don't need to add standard extensions any more because 195 * they are now kept in ext_dat.h. 196 */ 197 198 int X509V3_add_standard_extensions(void) 199 { 200 return 1; 201 } 202 203 /* Return an extension internal structure */ 204 205 void *X509V3_EXT_d2i(X509_EXTENSION *ext) 206 { 207 const X509V3_EXT_METHOD *method; 208 const unsigned char *p; 209 210 if (!(method = X509V3_EXT_get(ext))) 211 return NULL; 212 p = ext->value->data; 213 if (method->it) 214 return ASN1_item_d2i(NULL, &p, ext->value->length, 215 ASN1_ITEM_ptr(method->it)); 216 return method->d2i(NULL, &p, ext->value->length); 217 } 218 219 /* 220 * Get critical flag and decoded version of extension from a NID. The "idx" 221 * variable returns the last found extension and can be used to retrieve 222 * multiple extensions of the same NID. However multiple extensions with the 223 * same NID is usually due to a badly encoded certificate so if idx is NULL 224 * we choke if multiple extensions exist. The "crit" variable is set to the 225 * critical value. The return value is the decoded extension or NULL on 226 * error. The actual error can have several different causes, the value of 227 * *crit reflects the cause: >= 0, extension found but not decoded (reflects 228 * critical value). -1 extension not found. -2 extension occurs more than 229 * once. 230 */ 231 232 void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, 233 int *idx) 234 { 235 int lastpos; 236 size_t i; 237 X509_EXTENSION *ex, *found_ex = NULL; 238 if (!x) { 239 if (idx) 240 *idx = -1; 241 if (crit) 242 *crit = -1; 243 return NULL; 244 } 245 if (idx) 246 lastpos = *idx + 1; 247 else 248 lastpos = 0; 249 if (lastpos < 0) 250 lastpos = 0; 251 for (i = lastpos; i < sk_X509_EXTENSION_num(x); i++) { 252 ex = sk_X509_EXTENSION_value(x, i); 253 if (OBJ_obj2nid(ex->object) == nid) { 254 if (idx) { 255 *idx = i; 256 found_ex = ex; 257 break; 258 } else if (found_ex) { 259 /* Found more than one */ 260 if (crit) 261 *crit = -2; 262 return NULL; 263 } 264 found_ex = ex; 265 } 266 } 267 if (found_ex) { 268 /* Found it */ 269 if (crit) 270 *crit = X509_EXTENSION_get_critical(found_ex); 271 return X509V3_EXT_d2i(found_ex); 272 } 273 274 /* Extension not found */ 275 if (idx) 276 *idx = -1; 277 if (crit) 278 *crit = -1; 279 return NULL; 280 } 281 282 /* 283 * This function is a general extension append, replace and delete utility. 284 * The precise operation is governed by the 'flags' value. The 'crit' and 285 * 'value' arguments (if relevant) are the extensions internal structure. 286 */ 287 288 int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, 289 int crit, unsigned long flags) 290 { 291 int errcode, extidx = -1; 292 X509_EXTENSION *ext = NULL, *extmp; 293 STACK_OF(X509_EXTENSION) *ret = NULL; 294 unsigned long ext_op = flags & X509V3_ADD_OP_MASK; 295 296 /* 297 * If appending we don't care if it exists, otherwise look for existing 298 * extension. 299 */ 300 if (ext_op != X509V3_ADD_APPEND) 301 extidx = X509v3_get_ext_by_NID(*x, nid, -1); 302 303 /* See if extension exists */ 304 if (extidx >= 0) { 305 /* If keep existing, nothing to do */ 306 if (ext_op == X509V3_ADD_KEEP_EXISTING) 307 return 1; 308 /* If default then its an error */ 309 if (ext_op == X509V3_ADD_DEFAULT) { 310 errcode = X509V3_R_EXTENSION_EXISTS; 311 goto err; 312 } 313 /* If delete, just delete it */ 314 if (ext_op == X509V3_ADD_DELETE) { 315 if (!sk_X509_EXTENSION_delete(*x, extidx)) 316 return -1; 317 return 1; 318 } 319 } else { 320 /* 321 * If replace existing or delete, error since extension must exist 322 */ 323 if ((ext_op == X509V3_ADD_REPLACE_EXISTING) || 324 (ext_op == X509V3_ADD_DELETE)) { 325 errcode = X509V3_R_EXTENSION_NOT_FOUND; 326 goto err; 327 } 328 } 329 330 /* 331 * If we get this far then we have to create an extension: could have 332 * some flags for alternative encoding schemes... 333 */ 334 335 ext = X509V3_EXT_i2d(nid, crit, value); 336 337 if (!ext) { 338 OPENSSL_PUT_ERROR(X509V3, X509V3_R_ERROR_CREATING_EXTENSION); 339 return 0; 340 } 341 342 /* If extension exists replace it.. */ 343 if (extidx >= 0) { 344 extmp = sk_X509_EXTENSION_value(*x, extidx); 345 X509_EXTENSION_free(extmp); 346 if (!sk_X509_EXTENSION_set(*x, extidx, ext)) 347 return -1; 348 return 1; 349 } 350 351 if ((ret = *x) == NULL 352 && (ret = sk_X509_EXTENSION_new_null()) == NULL) 353 goto m_fail; 354 if (!sk_X509_EXTENSION_push(ret, ext)) 355 goto m_fail; 356 357 *x = ret; 358 return 1; 359 360 m_fail: 361 if (ret != *x) 362 sk_X509_EXTENSION_free(ret); 363 X509_EXTENSION_free(ext); 364 return -1; 365 366 err: 367 if (!(flags & X509V3_ADD_SILENT)) 368 OPENSSL_PUT_ERROR(X509V3, errcode); 369 return 0; 370 } 371
