v3_pci.c 8.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302
  1. /* v3_pci.c -*- mode:C; c-file-style: "eay" -*- */
  2. /* Contributed to the OpenSSL Project 2004
  3. * by Richard Levitte (richard@levitte.org)
  4. */
  5. /* Copyright (c) 2004 Kungliga Tekniska Högskolan
  6. * (Royal Institute of Technology, Stockholm, Sweden).
  7. * All rights reserved.
  8. *
  9. * Redistribution and use in source and binary forms, with or without
  10. * modification, are permitted provided that the following conditions
  11. * are met:
  12. *
  13. * 1. Redistributions of source code must retain the above copyright
  14. * notice, this list of conditions and the following disclaimer.
  15. *
  16. * 2. Redistributions in binary form must reproduce the above copyright
  17. * notice, this list of conditions and the following disclaimer in the
  18. * documentation and/or other materials provided with the distribution.
  19. *
  20. * 3. Neither the name of the Institute nor the names of its contributors
  21. * may be used to endorse or promote products derived from this software
  22. * without specific prior written permission.
  23. *
  24. * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  25. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  26. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  27. * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  28. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  29. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  30. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  31. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  32. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  33. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  34. * SUCH DAMAGE.
  35. */
  36. #include <stdio.h>
  37. #include "cryptlib.h"
  38. #include <openssl/conf.h>
  39. #include <openssl/x509v3.h>
  40. static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext,
  41. BIO *out, int indent);
  42. static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
  43. X509V3_CTX *ctx, char *str);
  44. const X509V3_EXT_METHOD v3_pci =
  45. { NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION),
  46. 0,0,0,0,
  47. 0,0,
  48. NULL, NULL,
  49. (X509V3_EXT_I2R)i2r_pci,
  50. (X509V3_EXT_R2I)r2i_pci,
  51. NULL,
  52. };
  53. static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci,
  54. BIO *out, int indent)
  55. {
  56. BIO_printf(out, "%*sPath Length Constraint: ", indent, "");
  57. if (pci->pcPathLengthConstraint)
  58. i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint);
  59. else
  60. BIO_printf(out, "infinite");
  61. BIO_puts(out, "\n");
  62. BIO_printf(out, "%*sPolicy Language: ", indent, "");
  63. i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
  64. BIO_puts(out, "\n");
  65. if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
  66. BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
  67. pci->proxyPolicy->policy->data);
  68. return 1;
  69. }
  70. static int process_pci_value(CONF_VALUE *val,
  71. ASN1_OBJECT **language, ASN1_INTEGER **pathlen,
  72. ASN1_OCTET_STRING **policy)
  73. {
  74. int free_policy = 0;
  75. if (strcmp(val->name, "language") == 0)
  76. {
  77. if (*language)
  78. {
  79. X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED);
  80. X509V3_conf_err(val);
  81. return 0;
  82. }
  83. if (!(*language = OBJ_txt2obj(val->value, 0)))
  84. {
  85. X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INVALID_OBJECT_IDENTIFIER);
  86. X509V3_conf_err(val);
  87. return 0;
  88. }
  89. }
  90. else if (strcmp(val->name, "pathlen") == 0)
  91. {
  92. if (*pathlen)
  93. {
  94. X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED);
  95. X509V3_conf_err(val);
  96. return 0;
  97. }
  98. if (!X509V3_get_value_int(val, pathlen))
  99. {
  100. X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH);
  101. X509V3_conf_err(val);
  102. return 0;
  103. }
  104. }
  105. else if (strcmp(val->name, "policy") == 0)
  106. {
  107. unsigned char *tmp_data = NULL;
  108. long val_len;
  109. if (!*policy)
  110. {
  111. *policy = ASN1_OCTET_STRING_new();
  112. if (!*policy)
  113. {
  114. X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
  115. X509V3_conf_err(val);
  116. return 0;
  117. }
  118. free_policy = 1;
  119. }
  120. if (strncmp(val->value, "hex:", 4) == 0)
  121. {
  122. unsigned char *tmp_data2 =
  123. string_to_hex(val->value + 4, &val_len);
  124. if (!tmp_data2) goto err;
  125. tmp_data = OPENSSL_realloc((*policy)->data,
  126. (*policy)->length + val_len + 1);
  127. if (tmp_data)
  128. {
  129. (*policy)->data = tmp_data;
  130. memcpy(&(*policy)->data[(*policy)->length],
  131. tmp_data2, val_len);
  132. (*policy)->length += val_len;
  133. (*policy)->data[(*policy)->length] = '\0';
  134. }
  135. }
  136. else if (strncmp(val->value, "file:", 5) == 0)
  137. {
  138. unsigned char buf[2048];
  139. int n;
  140. BIO *b = BIO_new_file(val->value + 5, "r");
  141. if (!b)
  142. {
  143. X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB);
  144. X509V3_conf_err(val);
  145. goto err;
  146. }
  147. while((n = BIO_read(b, buf, sizeof(buf))) > 0
  148. || (n == 0 && BIO_should_retry(b)))
  149. {
  150. if (!n) continue;
  151. tmp_data = OPENSSL_realloc((*policy)->data,
  152. (*policy)->length + n + 1);
  153. if (!tmp_data)
  154. break;
  155. (*policy)->data = tmp_data;
  156. memcpy(&(*policy)->data[(*policy)->length],
  157. buf, n);
  158. (*policy)->length += n;
  159. (*policy)->data[(*policy)->length] = '\0';
  160. }
  161. if (n < 0)
  162. {
  163. X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB);
  164. X509V3_conf_err(val);
  165. goto err;
  166. }
  167. }
  168. else if (strncmp(val->value, "text:", 5) == 0)
  169. {
  170. val_len = strlen(val->value + 5);
  171. tmp_data = OPENSSL_realloc((*policy)->data,
  172. (*policy)->length + val_len + 1);
  173. if (tmp_data)
  174. {
  175. (*policy)->data = tmp_data;
  176. memcpy(&(*policy)->data[(*policy)->length],
  177. val->value + 5, val_len);
  178. (*policy)->length += val_len;
  179. (*policy)->data[(*policy)->length] = '\0';
  180. }
  181. }
  182. else
  183. {
  184. X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);
  185. X509V3_conf_err(val);
  186. goto err;
  187. }
  188. if (!tmp_data)
  189. {
  190. X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
  191. X509V3_conf_err(val);
  192. goto err;
  193. }
  194. }
  195. return 1;
  196. err:
  197. if (free_policy)
  198. {
  199. ASN1_OCTET_STRING_free(*policy);
  200. *policy = NULL;
  201. }
  202. return 0;
  203. }
  204. static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
  205. X509V3_CTX *ctx, char *value)
  206. {
  207. PROXY_CERT_INFO_EXTENSION *pci = NULL;
  208. STACK_OF(CONF_VALUE) *vals;
  209. ASN1_OBJECT *language = NULL;
  210. ASN1_INTEGER *pathlen = NULL;
  211. ASN1_OCTET_STRING *policy = NULL;
  212. int i, j;
  213. vals = X509V3_parse_list(value);
  214. for (i = 0; i < sk_CONF_VALUE_num(vals); i++)
  215. {
  216. CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);
  217. if (!cnf->name || (*cnf->name != '@' && !cnf->value))
  218. {
  219. X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_PROXY_POLICY_SETTING);
  220. X509V3_conf_err(cnf);
  221. goto err;
  222. }
  223. if (*cnf->name == '@')
  224. {
  225. STACK_OF(CONF_VALUE) *sect;
  226. int success_p = 1;
  227. sect = X509V3_get_section(ctx, cnf->name + 1);
  228. if (!sect)
  229. {
  230. X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_SECTION);
  231. X509V3_conf_err(cnf);
  232. goto err;
  233. }
  234. for (j = 0; success_p && j < sk_CONF_VALUE_num(sect); j++)
  235. {
  236. success_p =
  237. process_pci_value(sk_CONF_VALUE_value(sect, j),
  238. &language, &pathlen, &policy);
  239. }
  240. X509V3_section_free(ctx, sect);
  241. if (!success_p)
  242. goto err;
  243. }
  244. else
  245. {
  246. if (!process_pci_value(cnf,
  247. &language, &pathlen, &policy))
  248. {
  249. X509V3_conf_err(cnf);
  250. goto err;
  251. }
  252. }
  253. }
  254. /* Language is mandatory */
  255. if (!language)
  256. {
  257. X509V3err(X509V3_F_R2I_PCI,X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED);
  258. goto err;
  259. }
  260. i = OBJ_obj2nid(language);
  261. if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy)
  262. {
  263. X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY);
  264. goto err;
  265. }
  266. pci = PROXY_CERT_INFO_EXTENSION_new();
  267. if (!pci)
  268. {
  269. X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE);
  270. goto err;
  271. }
  272. pci->proxyPolicy->policyLanguage = language; language = NULL;
  273. pci->proxyPolicy->policy = policy; policy = NULL;
  274. pci->pcPathLengthConstraint = pathlen; pathlen = NULL;
  275. goto end;
  276. err:
  277. if (language) { ASN1_OBJECT_free(language); language = NULL; }
  278. if (pathlen) { ASN1_INTEGER_free(pathlen); pathlen = NULL; }
  279. if (policy) { ASN1_OCTET_STRING_free(policy); policy = NULL; }
  280. if (pci) { PROXY_CERT_INFO_EXTENSION_free(pci); pci = NULL; }
  281. end:
  282. sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
  283. return pci;
  284. }