
  1. /*
  2. * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include "internal/cryptlib.h"
  10. #include <openssl/x509.h>
  11. #include <openssl/x509v3.h>
  12. #include "crypto/x509.h"
  13. #include "pcy_local.h"
/*
 * Look up, or synthesise from anyPolicy, the cache entry that a mapping's
 * issuerDomainPolicy |issuer| refers to, and mark it as mapped.
 *
 * Returns the entry on success. Returns NULL in two distinguishable cases:
 *   - the policy is not asserted by the certificate and there is no
 *     anyPolicy to derive it from: nothing to map, |*oom| is left 0;
 *   - allocation failure: |*oom| is set to 1.
 * An entry derived from anyPolicy inherits anyPolicy's criticality and
 * shares (does not copy) its qualifier set, hence the
 * POLICY_DATA_FLAG_SHARED_QUALIFIERS marker so it is not freed twice.
 */
static X509_POLICY_DATA *mapped_issuer_data(X509_POLICY_CACHE *cache,
                                            ASN1_OBJECT *issuer, int *oom)
{
    X509_POLICY_DATA *entry;

    *oom = 0;
    entry = ossl_policy_cache_find_data(cache, issuer);
    if (entry != NULL) {
        entry->flags |= POLICY_DATA_FLAG_MAPPED;
        return entry;
    }
    if (cache->anyPolicy == NULL)
        return NULL;

    /* No explicit entry: derive one from anyPolicy */
    entry = ossl_policy_data_new(NULL, issuer,
                                 cache->anyPolicy->flags
                                 & POLICY_DATA_FLAG_CRITICAL);
    if (entry == NULL) {
        *oom = 1;
        return NULL;
    }
    entry->qualifier_set = cache->anyPolicy->qualifier_set;
    entry->flags |= POLICY_DATA_FLAG_MAPPED_ANY
                    | POLICY_DATA_FLAG_SHARED_QUALIFIERS;
    if (!sk_X509_POLICY_DATA_push(cache->data, entry)) {
        ossl_policy_data_free(entry);
        *oom = 1;
        return NULL;
    }
    return entry;
}

/*
 * Record the certificate's policyMappings extension in its policy cache.
 *
 * |x|    certificate whose policy_cache (already holding the
 *        certificatePolicies data) receives the mapping entries.
 * |maps| decoded policyMappings extension. OWNERSHIP IS TAKEN: |maps| is
 *        always freed before returning, on success and on every failure
 *        path, and each recorded subjectDomainPolicy object is moved out of
 *        it into the cache. Callers must not touch |maps| afterwards.
 *
 * Returns 1 on success; -1 when the extension is malformed (empty sequence,
 * or a mapping to or from anyPolicy, both forbidden by RFC 5280), in which
 * case EXFLAG_INVALID_POLICY is set on |x| so that later path validation
 * rejects the certificate; 0 on allocation failure.
 *
 * NOTE(review): if CRYPTO_THREAD_write_lock() fails on the -1 path the flag
 * is not set although -1 is still returned; the caller presumably treats a
 * non-positive result as a cache failure as well -- confirm.
 */
int ossl_policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
{
    X509_POLICY_CACHE *cache = x->policy_cache;
    int idx, oom;
    int status = 0;             /* 0 == allocation failure until proven otherwise */

    if (sk_POLICY_MAPPING_num(maps) == 0) {
        status = -1;
        goto done;
    }

    for (idx = 0; idx < sk_POLICY_MAPPING_num(maps); idx++) {
        POLICY_MAPPING *entry = sk_POLICY_MAPPING_value(maps, idx);
        X509_POLICY_DATA *target;

        /* anyPolicy may appear on neither side of a mapping */
        if (OBJ_obj2nid(entry->subjectDomainPolicy) == NID_any_policy
            || OBJ_obj2nid(entry->issuerDomainPolicy) == NID_any_policy) {
            status = -1;
            goto done;
        }

        target = mapped_issuer_data(cache, entry->issuerDomainPolicy, &oom);
        if (target == NULL) {
            if (oom)
                goto done;
            /* issuer policy not asserted and no anyPolicy: nothing to map */
            continue;
        }

        if (!sk_ASN1_OBJECT_push(target->expected_policy_set,
                                 entry->subjectDomainPolicy))
            goto done;
        /* The object now belongs to the cache; keep pop_free from freeing it */
        entry->subjectDomainPolicy = NULL;
    }
    status = 1;

 done:
    if (status == -1 && CRYPTO_THREAD_write_lock(x->lock)) {
        x->ex_flags |= EXFLAG_INVALID_POLICY;
        CRYPTO_THREAD_unlock(x->lock);
    }
    sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
    return status;
}