v3_ncons.c 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505
  1. /* v3_ncons.c */
  2. /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  3. * project.
  4. */
  5. /* ====================================================================
  6. * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
  7. *
  8. * Redistribution and use in source and binary forms, with or without
  9. * modification, are permitted provided that the following conditions
  10. * are met:
  11. *
  12. * 1. Redistributions of source code must retain the above copyright
  13. * notice, this list of conditions and the following disclaimer.
  14. *
  15. * 2. Redistributions in binary form must reproduce the above copyright
  16. * notice, this list of conditions and the following disclaimer in
  17. * the documentation and/or other materials provided with the
  18. * distribution.
  19. *
  20. * 3. All advertising materials mentioning features or use of this
  21. * software must display the following acknowledgment:
  22. * "This product includes software developed by the OpenSSL Project
  23. * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  24. *
  25. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  26. * endorse or promote products derived from this software without
  27. * prior written permission. For written permission, please contact
  28. * licensing@OpenSSL.org.
  29. *
  30. * 5. Products derived from this software may not be called "OpenSSL"
  31. * nor may "OpenSSL" appear in their names without prior written
  32. * permission of the OpenSSL Project.
  33. *
  34. * 6. Redistributions of any form whatsoever must retain the following
  35. * acknowledgment:
  36. * "This product includes software developed by the OpenSSL Project
  37. * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  38. *
  39. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  40. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  41. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  42. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  43. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  44. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  45. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  46. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  47. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  48. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  49. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  50. * OF THE POSSIBILITY OF SUCH DAMAGE.
  51. * ====================================================================
  52. *
  53. * This product includes cryptographic software written by Eric Young
  54. * (eay@cryptsoft.com). This product includes software written by Tim
  55. * Hudson (tjh@cryptsoft.com).
  56. *
  57. */
  58. #include <stdio.h>
  59. #include "cryptlib.h"
  60. #include <openssl/asn1t.h>
  61. #include <openssl/conf.h>
  62. #include <openssl/x509v3.h>
  63. static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
  64. X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
  65. static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
  66. void *a, BIO *bp, int ind);
  67. static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
  68. STACK_OF(GENERAL_SUBTREE) *trees,
  69. BIO *bp, int ind, char *name);
  70. static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip);
  71. static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc);
  72. static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen);
  73. static int nc_dn(X509_NAME *sub, X509_NAME *nm);
  74. static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns);
  75. static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml);
  76. static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base);
  77. const X509V3_EXT_METHOD v3_name_constraints = {
  78. NID_name_constraints, 0,
  79. ASN1_ITEM_ref(NAME_CONSTRAINTS),
  80. 0,0,0,0,
  81. 0,0,
  82. 0, v2i_NAME_CONSTRAINTS,
  83. i2r_NAME_CONSTRAINTS,0,
  84. NULL
  85. };
  86. ASN1_SEQUENCE(GENERAL_SUBTREE) = {
  87. ASN1_SIMPLE(GENERAL_SUBTREE, base, GENERAL_NAME),
  88. ASN1_IMP_OPT(GENERAL_SUBTREE, minimum, ASN1_INTEGER, 0),
  89. ASN1_IMP_OPT(GENERAL_SUBTREE, maximum, ASN1_INTEGER, 1)
  90. } ASN1_SEQUENCE_END(GENERAL_SUBTREE)
  91. ASN1_SEQUENCE(NAME_CONSTRAINTS) = {
  92. ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, permittedSubtrees,
  93. GENERAL_SUBTREE, 0),
  94. ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, excludedSubtrees,
  95. GENERAL_SUBTREE, 1),
  96. } ASN1_SEQUENCE_END(NAME_CONSTRAINTS)
  97. IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
  98. IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
  99. static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
  100. X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
  101. {
  102. int i;
  103. CONF_VALUE tval, *val;
  104. STACK_OF(GENERAL_SUBTREE) **ptree = NULL;
  105. NAME_CONSTRAINTS *ncons = NULL;
  106. GENERAL_SUBTREE *sub = NULL;
  107. ncons = NAME_CONSTRAINTS_new();
  108. if (!ncons)
  109. goto memerr;
  110. for(i = 0; i < sk_CONF_VALUE_num(nval); i++)
  111. {
  112. val = sk_CONF_VALUE_value(nval, i);
  113. if (!strncmp(val->name, "permitted", 9) && val->name[9])
  114. {
  115. ptree = &ncons->permittedSubtrees;
  116. tval.name = val->name + 10;
  117. }
  118. else if (!strncmp(val->name, "excluded", 8) && val->name[8])
  119. {
  120. ptree = &ncons->excludedSubtrees;
  121. tval.name = val->name + 9;
  122. }
  123. else
  124. {
  125. X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, X509V3_R_INVALID_SYNTAX);
  126. goto err;
  127. }
  128. tval.value = val->value;
  129. sub = GENERAL_SUBTREE_new();
  130. if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1))
  131. goto err;
  132. if (!*ptree)
  133. *ptree = sk_GENERAL_SUBTREE_new_null();
  134. if (!*ptree || !sk_GENERAL_SUBTREE_push(*ptree, sub))
  135. goto memerr;
  136. sub = NULL;
  137. }
  138. return ncons;
  139. memerr:
  140. X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
  141. err:
  142. if (ncons)
  143. NAME_CONSTRAINTS_free(ncons);
  144. if (sub)
  145. GENERAL_SUBTREE_free(sub);
  146. return NULL;
  147. }
  148. static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
  149. BIO *bp, int ind)
  150. {
  151. NAME_CONSTRAINTS *ncons = a;
  152. do_i2r_name_constraints(method, ncons->permittedSubtrees,
  153. bp, ind, "Permitted");
  154. do_i2r_name_constraints(method, ncons->excludedSubtrees,
  155. bp, ind, "Excluded");
  156. return 1;
  157. }
  158. static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
  159. STACK_OF(GENERAL_SUBTREE) *trees,
  160. BIO *bp, int ind, char *name)
  161. {
  162. GENERAL_SUBTREE *tree;
  163. int i;
  164. if (sk_GENERAL_SUBTREE_num(trees) > 0)
  165. BIO_printf(bp, "%*s%s:\n", ind, "", name);
  166. for(i = 0; i < sk_GENERAL_SUBTREE_num(trees); i++)
  167. {
  168. tree = sk_GENERAL_SUBTREE_value(trees, i);
  169. BIO_printf(bp, "%*s", ind + 2, "");
  170. if (tree->base->type == GEN_IPADD)
  171. print_nc_ipadd(bp, tree->base->d.ip);
  172. else
  173. GENERAL_NAME_print(bp, tree->base);
  174. BIO_puts(bp, "\n");
  175. }
  176. return 1;
  177. }
  178. static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip)
  179. {
  180. int i, len;
  181. unsigned char *p;
  182. p = ip->data;
  183. len = ip->length;
  184. BIO_puts(bp, "IP:");
  185. if(len == 8)
  186. {
  187. BIO_printf(bp, "%d.%d.%d.%d/%d.%d.%d.%d",
  188. p[0], p[1], p[2], p[3],
  189. p[4], p[5], p[6], p[7]);
  190. }
  191. else if(len == 32)
  192. {
  193. for (i = 0; i < 16; i++)
  194. {
  195. BIO_printf(bp, "%X", p[0] << 8 | p[1]);
  196. p += 2;
  197. if (i == 7)
  198. BIO_puts(bp, "/");
  199. else if (i != 15)
  200. BIO_puts(bp, ":");
  201. }
  202. }
  203. else
  204. BIO_printf(bp, "IP Address:<invalid>");
  205. return 1;
  206. }
  207. /* Check a certificate conforms to a specified set of constraints.
  208. * Return values:
  209. * X509_V_OK: All constraints obeyed.
  210. * X509_V_ERR_PERMITTED_VIOLATION: Permitted subtree violation.
  211. * X509_V_ERR_EXCLUDED_VIOLATION: Excluded subtree violation.
  212. * X509_V_ERR_SUBTREE_MINMAX: Min or max values present and matching type.
  213. * X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: Unsupported constraint type.
  214. * X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: bad unsupported constraint syntax.
  215. * X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: bad or unsupported syntax of name
  216. */
  217. int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
  218. {
  219. int r, i;
  220. X509_NAME *nm;
  221. nm = X509_get_subject_name(x);
  222. if (X509_NAME_entry_count(nm) > 0)
  223. {
  224. GENERAL_NAME gntmp;
  225. gntmp.type = GEN_DIRNAME;
  226. gntmp.d.directoryName = nm;
  227. r = nc_match(&gntmp, nc);
  228. if (r != X509_V_OK)
  229. return r;
  230. gntmp.type = GEN_EMAIL;
  231. /* Process any email address attributes in subject name */
  232. for (i = -1;;)
  233. {
  234. X509_NAME_ENTRY *ne;
  235. i = X509_NAME_get_index_by_NID(nm,
  236. NID_pkcs9_emailAddress,
  237. i);
  238. if (i == -1)
  239. break;
  240. ne = X509_NAME_get_entry(nm, i);
  241. gntmp.d.rfc822Name = X509_NAME_ENTRY_get_data(ne);
  242. if (gntmp.d.rfc822Name->type != V_ASN1_IA5STRING)
  243. return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
  244. r = nc_match(&gntmp, nc);
  245. if (r != X509_V_OK)
  246. return r;
  247. }
  248. }
  249. for (i = 0; i < sk_GENERAL_NAME_num(x->altname); i++)
  250. {
  251. GENERAL_NAME *gen = sk_GENERAL_NAME_value(x->altname, i);
  252. r = nc_match(gen, nc);
  253. if (r != X509_V_OK)
  254. return r;
  255. }
  256. return X509_V_OK;
  257. }
  258. static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
  259. {
  260. GENERAL_SUBTREE *sub;
  261. int i, r, match = 0;
  262. /* Permitted subtrees: if any subtrees exist of matching the type
  263. * at least one subtree must match.
  264. */
  265. for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++)
  266. {
  267. sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
  268. if (gen->type != sub->base->type)
  269. continue;
  270. if (sub->minimum || sub->maximum)
  271. return X509_V_ERR_SUBTREE_MINMAX;
  272. /* If we already have a match don't bother trying any more */
  273. if (match == 2)
  274. continue;
  275. if (match == 0)
  276. match = 1;
  277. r = nc_match_single(gen, sub->base);
  278. if (r == X509_V_OK)
  279. match = 2;
  280. else if (r != X509_V_ERR_PERMITTED_VIOLATION)
  281. return r;
  282. }
  283. if (match == 1)
  284. return X509_V_ERR_PERMITTED_VIOLATION;
  285. /* Excluded subtrees: must not match any of these */
  286. for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++)
  287. {
  288. sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);
  289. if (gen->type != sub->base->type)
  290. continue;
  291. if (sub->minimum || sub->maximum)
  292. return X509_V_ERR_SUBTREE_MINMAX;
  293. r = nc_match_single(gen, sub->base);
  294. if (r == X509_V_OK)
  295. return X509_V_ERR_EXCLUDED_VIOLATION;
  296. else if (r != X509_V_ERR_PERMITTED_VIOLATION)
  297. return r;
  298. }
  299. return X509_V_OK;
  300. }
  301. static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base)
  302. {
  303. switch(base->type)
  304. {
  305. case GEN_DIRNAME:
  306. return nc_dn(gen->d.directoryName, base->d.directoryName);
  307. case GEN_DNS:
  308. return nc_dns(gen->d.dNSName, base->d.dNSName);
  309. case GEN_EMAIL:
  310. return nc_email(gen->d.rfc822Name, base->d.rfc822Name);
  311. case GEN_URI:
  312. return nc_uri(gen->d.uniformResourceIdentifier,
  313. base->d.uniformResourceIdentifier);
  314. default:
  315. return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
  316. }
  317. }
  318. /* directoryName name constraint matching.
  319. * The canonical encoding of X509_NAME makes this comparison easy. It is
  320. * matched if the subtree is a subset of the name.
  321. */
  322. static int nc_dn(X509_NAME *nm, X509_NAME *base)
  323. {
  324. /* Ensure canonical encodings are up to date. */
  325. if (nm->modified && i2d_X509_NAME(nm, NULL) < 0)
  326. return X509_V_ERR_OUT_OF_MEM;
  327. if (base->modified && i2d_X509_NAME(base, NULL) < 0)
  328. return X509_V_ERR_OUT_OF_MEM;
  329. if (base->canon_enclen > nm->canon_enclen)
  330. return X509_V_ERR_PERMITTED_VIOLATION;
  331. if (memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen))
  332. return X509_V_ERR_PERMITTED_VIOLATION;
  333. return X509_V_OK;
  334. }
  335. static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
  336. {
  337. char *baseptr = (char *)base->data;
  338. char *dnsptr = (char *)dns->data;
  339. /* Empty matches everything */
  340. if (!*baseptr)
  341. return X509_V_OK;
  342. /* Otherwise can add zero or more components on the left so
  343. * compare RHS and if dns is longer and expect '.' as preceding
  344. * character.
  345. */
  346. if (dns->length > base->length)
  347. {
  348. dnsptr += dns->length - base->length;
  349. if (dnsptr[-1] != '.')
  350. return X509_V_ERR_PERMITTED_VIOLATION;
  351. }
  352. if (strcasecmp(baseptr, dnsptr))
  353. return X509_V_ERR_PERMITTED_VIOLATION;
  354. return X509_V_OK;
  355. }
  356. static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
  357. {
  358. const char *baseptr = (char *)base->data;
  359. const char *emlptr = (char *)eml->data;
  360. const char *baseat = strchr(baseptr, '@');
  361. const char *emlat = strchr(emlptr, '@');
  362. if (!emlat)
  363. return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
  364. /* Special case: inital '.' is RHS match */
  365. if (!baseat && (*baseptr == '.'))
  366. {
  367. if (eml->length > base->length)
  368. {
  369. emlptr += eml->length - base->length;
  370. if (!strcasecmp(baseptr, emlptr))
  371. return X509_V_OK;
  372. }
  373. return X509_V_ERR_PERMITTED_VIOLATION;
  374. }
  375. /* If we have anything before '@' match local part */
  376. if (baseat)
  377. {
  378. if (baseat != baseptr)
  379. {
  380. if ((baseat - baseptr) != (emlat - emlptr))
  381. return X509_V_ERR_PERMITTED_VIOLATION;
  382. /* Case sensitive match of local part */
  383. if (strncmp(baseptr, emlptr, emlat - emlptr))
  384. return X509_V_ERR_PERMITTED_VIOLATION;
  385. }
  386. /* Position base after '@' */
  387. baseptr = baseat + 1;
  388. }
  389. emlptr = emlat + 1;
  390. /* Just have hostname left to match: case insensitive */
  391. if (strcasecmp(baseptr, emlptr))
  392. return X509_V_ERR_PERMITTED_VIOLATION;
  393. return X509_V_OK;
  394. }
  395. static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
  396. {
  397. const char *baseptr = (char *)base->data;
  398. const char *hostptr = (char *)uri->data;
  399. const char *p = strchr(hostptr, ':');
  400. int hostlen;
  401. /* Check for foo:// and skip past it */
  402. if (!p || (p[1] != '/') || (p[2] != '/'))
  403. return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
  404. hostptr = p + 3;
  405. /* Determine length of hostname part of URI */
  406. /* Look for a port indicator as end of hostname first */
  407. p = strchr(hostptr, ':');
  408. /* Otherwise look for trailing slash */
  409. if (!p)
  410. p = strchr(hostptr, '/');
  411. if (!p)
  412. hostlen = strlen(hostptr);
  413. else
  414. hostlen = p - hostptr;
  415. if (hostlen == 0)
  416. return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
  417. /* Special case: inital '.' is RHS match */
  418. if (*baseptr == '.')
  419. {
  420. if (hostlen > base->length)
  421. {
  422. p = hostptr + hostlen - base->length;
  423. if (!strncasecmp(p, baseptr, base->length))
  424. return X509_V_OK;
  425. }
  426. return X509_V_ERR_PERMITTED_VIOLATION;
  427. }
  428. if ((base->length != (int)hostlen) || strncasecmp(hostptr, baseptr, hostlen))
  429. return X509_V_ERR_PERMITTED_VIOLATION;
  430. return X509_V_OK;
  431. }