v3_cpols.c 17 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516
  1. /*
  2. * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include "internal/cryptlib.h"
  11. #include <openssl/conf.h>
  12. #include <openssl/asn1.h>
  13. #include <openssl/asn1t.h>
  14. #include <openssl/x509v3.h>
  15. #include "x509_local.h"
  16. #include "pcy_local.h"
  17. #include "ext_dat.h"
  18. /* Certificate policies extension support: this one is a bit complex... */
  19. static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol,
  20. BIO *out, int indent);
  21. static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
  22. X509V3_CTX *ctx, const char *value);
  23. static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
  24. int indent);
  25. static void print_notice(BIO *out, USERNOTICE *notice, int indent);
  26. static POLICYINFO *policy_section(X509V3_CTX *ctx,
  27. STACK_OF(CONF_VALUE) *polstrs, int ia5org);
  28. static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
  29. STACK_OF(CONF_VALUE) *unot, int ia5org);
  30. static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos);
  31. static int displaytext_str2tag(const char *tagstr, unsigned int *tag_len);
  32. static int displaytext_get_tag_len(const char *tagstr);
  33. const X509V3_EXT_METHOD ossl_v3_cpols = {
  34. NID_certificate_policies, 0, ASN1_ITEM_ref(CERTIFICATEPOLICIES),
  35. 0, 0, 0, 0,
  36. 0, 0,
  37. 0, 0,
  38. (X509V3_EXT_I2R)i2r_certpol,
  39. (X509V3_EXT_R2I)r2i_certpol,
  40. NULL
  41. };
  42. ASN1_ITEM_TEMPLATE(CERTIFICATEPOLICIES) =
  43. ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CERTIFICATEPOLICIES, POLICYINFO)
  44. ASN1_ITEM_TEMPLATE_END(CERTIFICATEPOLICIES)
  45. IMPLEMENT_ASN1_FUNCTIONS(CERTIFICATEPOLICIES)
  46. ASN1_SEQUENCE(POLICYINFO) = {
  47. ASN1_SIMPLE(POLICYINFO, policyid, ASN1_OBJECT),
  48. ASN1_SEQUENCE_OF_OPT(POLICYINFO, qualifiers, POLICYQUALINFO)
  49. } ASN1_SEQUENCE_END(POLICYINFO)
  50. IMPLEMENT_ASN1_FUNCTIONS(POLICYINFO)
  51. ASN1_ADB_TEMPLATE(policydefault) = ASN1_SIMPLE(POLICYQUALINFO, d.other, ASN1_ANY);
  52. ASN1_ADB(POLICYQUALINFO) = {
  53. ADB_ENTRY(NID_id_qt_cps, ASN1_SIMPLE(POLICYQUALINFO, d.cpsuri, ASN1_IA5STRING)),
  54. ADB_ENTRY(NID_id_qt_unotice, ASN1_SIMPLE(POLICYQUALINFO, d.usernotice, USERNOTICE))
  55. } ASN1_ADB_END(POLICYQUALINFO, 0, pqualid, 0, &policydefault_tt, NULL);
  56. ASN1_SEQUENCE(POLICYQUALINFO) = {
  57. ASN1_SIMPLE(POLICYQUALINFO, pqualid, ASN1_OBJECT),
  58. ASN1_ADB_OBJECT(POLICYQUALINFO)
  59. } ASN1_SEQUENCE_END(POLICYQUALINFO)
  60. IMPLEMENT_ASN1_FUNCTIONS(POLICYQUALINFO)
  61. ASN1_SEQUENCE(USERNOTICE) = {
  62. ASN1_OPT(USERNOTICE, noticeref, NOTICEREF),
  63. ASN1_OPT(USERNOTICE, exptext, DISPLAYTEXT)
  64. } ASN1_SEQUENCE_END(USERNOTICE)
  65. IMPLEMENT_ASN1_FUNCTIONS(USERNOTICE)
  66. ASN1_SEQUENCE(NOTICEREF) = {
  67. ASN1_SIMPLE(NOTICEREF, organization, DISPLAYTEXT),
  68. ASN1_SEQUENCE_OF(NOTICEREF, noticenos, ASN1_INTEGER)
  69. } ASN1_SEQUENCE_END(NOTICEREF)
  70. IMPLEMENT_ASN1_FUNCTIONS(NOTICEREF)
  71. static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
  72. X509V3_CTX *ctx, const char *value)
  73. {
  74. STACK_OF(POLICYINFO) *pols;
  75. char *pstr;
  76. POLICYINFO *pol;
  77. ASN1_OBJECT *pobj;
  78. STACK_OF(CONF_VALUE) *vals = X509V3_parse_list(value);
  79. CONF_VALUE *cnf;
  80. const int num = sk_CONF_VALUE_num(vals);
  81. int i, ia5org;
  82. if (vals == NULL) {
  83. ERR_raise(ERR_LIB_X509V3, ERR_R_X509V3_LIB);
  84. return NULL;
  85. }
  86. pols = sk_POLICYINFO_new_reserve(NULL, num);
  87. if (pols == NULL) {
  88. ERR_raise(ERR_LIB_X509V3, ERR_R_CRYPTO_LIB);
  89. goto err;
  90. }
  91. ia5org = 0;
  92. for (i = 0; i < num; i++) {
  93. cnf = sk_CONF_VALUE_value(vals, i);
  94. if (cnf->value != NULL || cnf->name == NULL) {
  95. ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_POLICY_IDENTIFIER);
  96. X509V3_conf_add_error_name_value(cnf);
  97. goto err;
  98. }
  99. pstr = cnf->name;
  100. if (strcmp(pstr, "ia5org") == 0) {
  101. ia5org = 1;
  102. continue;
  103. } else if (*pstr == '@') {
  104. STACK_OF(CONF_VALUE) *polsect;
  105. polsect = X509V3_get_section(ctx, pstr + 1);
  106. if (polsect == NULL) {
  107. ERR_raise_data(ERR_LIB_X509V3, X509V3_R_INVALID_SECTION,
  108. "%s", cnf->name);
  109. goto err;
  110. }
  111. pol = policy_section(ctx, polsect, ia5org);
  112. X509V3_section_free(ctx, polsect);
  113. if (pol == NULL)
  114. goto err;
  115. } else {
  116. if ((pobj = OBJ_txt2obj(cnf->name, 0)) == NULL) {
  117. ERR_raise_data(ERR_LIB_X509V3,
  118. X509V3_R_INVALID_OBJECT_IDENTIFIER,
  119. "%s", cnf->name);
  120. goto err;
  121. }
  122. pol = POLICYINFO_new();
  123. if (pol == NULL) {
  124. ASN1_OBJECT_free(pobj);
  125. ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
  126. goto err;
  127. }
  128. pol->policyid = pobj;
  129. }
  130. if (!sk_POLICYINFO_push(pols, pol)) {
  131. POLICYINFO_free(pol);
  132. ERR_raise(ERR_LIB_X509V3, ERR_R_CRYPTO_LIB);
  133. goto err;
  134. }
  135. }
  136. sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
  137. return pols;
  138. err:
  139. sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
  140. sk_POLICYINFO_pop_free(pols, POLICYINFO_free);
  141. return NULL;
  142. }
  143. static POLICYINFO *policy_section(X509V3_CTX *ctx,
  144. STACK_OF(CONF_VALUE) *polstrs, int ia5org)
  145. {
  146. int i;
  147. CONF_VALUE *cnf;
  148. POLICYINFO *pol;
  149. POLICYQUALINFO *qual;
  150. if ((pol = POLICYINFO_new()) == NULL) {
  151. ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
  152. goto err;
  153. }
  154. for (i = 0; i < sk_CONF_VALUE_num(polstrs); i++) {
  155. cnf = sk_CONF_VALUE_value(polstrs, i);
  156. if (strcmp(cnf->name, "policyIdentifier") == 0) {
  157. ASN1_OBJECT *pobj;
  158. if ((pobj = OBJ_txt2obj(cnf->value, 0)) == NULL) {
  159. ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_OBJECT_IDENTIFIER);
  160. X509V3_conf_err(cnf);
  161. goto err;
  162. }
  163. pol->policyid = pobj;
  164. } else if (!ossl_v3_name_cmp(cnf->name, "CPS")) {
  165. if (pol->qualifiers == NULL)
  166. pol->qualifiers = sk_POLICYQUALINFO_new_null();
  167. if ((qual = POLICYQUALINFO_new()) == NULL) {
  168. ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
  169. goto err;
  170. }
  171. if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual)) {
  172. ERR_raise(ERR_LIB_X509V3, ERR_R_CRYPTO_LIB);
  173. goto err;
  174. }
  175. if ((qual->pqualid = OBJ_nid2obj(NID_id_qt_cps)) == NULL) {
  176. ERR_raise(ERR_LIB_X509V3, ERR_R_INTERNAL_ERROR);
  177. goto err;
  178. }
  179. if ((qual->d.cpsuri = ASN1_IA5STRING_new()) == NULL) {
  180. ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
  181. goto err;
  182. }
  183. if (!ASN1_STRING_set(qual->d.cpsuri, cnf->value,
  184. strlen(cnf->value))) {
  185. ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
  186. goto err;
  187. }
  188. } else if (!ossl_v3_name_cmp(cnf->name, "userNotice")) {
  189. STACK_OF(CONF_VALUE) *unot;
  190. if (*cnf->value != '@') {
  191. ERR_raise(ERR_LIB_X509V3, X509V3_R_EXPECTED_A_SECTION_NAME);
  192. X509V3_conf_err(cnf);
  193. goto err;
  194. }
  195. unot = X509V3_get_section(ctx, cnf->value + 1);
  196. if (!unot) {
  197. ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_SECTION);
  198. X509V3_conf_err(cnf);
  199. goto err;
  200. }
  201. qual = notice_section(ctx, unot, ia5org);
  202. X509V3_section_free(ctx, unot);
  203. if (!qual)
  204. goto err;
  205. if (pol->qualifiers == NULL)
  206. pol->qualifiers = sk_POLICYQUALINFO_new_null();
  207. if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual)) {
  208. ERR_raise(ERR_LIB_X509V3, ERR_R_CRYPTO_LIB);
  209. goto err;
  210. }
  211. } else {
  212. ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_OPTION);
  213. X509V3_conf_err(cnf);
  214. goto err;
  215. }
  216. }
  217. if (pol->policyid == NULL) {
  218. ERR_raise(ERR_LIB_X509V3, X509V3_R_NO_POLICY_IDENTIFIER);
  219. goto err;
  220. }
  221. return pol;
  222. err:
  223. POLICYINFO_free(pol);
  224. return NULL;
  225. }
  226. static int displaytext_get_tag_len(const char *tagstr)
  227. {
  228. char *colon = strchr(tagstr, ':');
  229. return (colon == NULL) ? -1 : colon - tagstr;
  230. }
  231. static int displaytext_str2tag(const char *tagstr, unsigned int *tag_len)
  232. {
  233. int len;
  234. *tag_len = 0;
  235. len = displaytext_get_tag_len(tagstr);
  236. if (len == -1)
  237. return V_ASN1_VISIBLESTRING;
  238. *tag_len = len;
  239. if (len == sizeof("UTF8") - 1 && HAS_PREFIX(tagstr, "UTF8"))
  240. return V_ASN1_UTF8STRING;
  241. if (len == sizeof("UTF8String") - 1 && HAS_PREFIX(tagstr, "UTF8String"))
  242. return V_ASN1_UTF8STRING;
  243. if (len == sizeof("BMP") - 1 && HAS_PREFIX(tagstr, "BMP"))
  244. return V_ASN1_BMPSTRING;
  245. if (len == sizeof("BMPSTRING") - 1 && HAS_PREFIX(tagstr, "BMPSTRING"))
  246. return V_ASN1_BMPSTRING;
  247. if (len == sizeof("VISIBLE") - 1 && HAS_PREFIX(tagstr, "VISIBLE"))
  248. return V_ASN1_VISIBLESTRING;
  249. if (len == sizeof("VISIBLESTRING") - 1 && HAS_PREFIX(tagstr, "VISIBLESTRING"))
  250. return V_ASN1_VISIBLESTRING;
  251. *tag_len = 0;
  252. return V_ASN1_VISIBLESTRING;
  253. }
  254. static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
  255. STACK_OF(CONF_VALUE) *unot, int ia5org)
  256. {
  257. int i, ret, len, tag;
  258. unsigned int tag_len;
  259. CONF_VALUE *cnf;
  260. USERNOTICE *not;
  261. POLICYQUALINFO *qual;
  262. char *value = NULL;
  263. if ((qual = POLICYQUALINFO_new()) == NULL) {
  264. ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
  265. goto err;
  266. }
  267. if ((qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice)) == NULL) {
  268. ERR_raise(ERR_LIB_X509V3, ERR_R_INTERNAL_ERROR);
  269. goto err;
  270. }
  271. if ((not = USERNOTICE_new()) == NULL) {
  272. ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
  273. goto err;
  274. }
  275. qual->d.usernotice = not;
  276. for (i = 0; i < sk_CONF_VALUE_num(unot); i++) {
  277. cnf = sk_CONF_VALUE_value(unot, i);
  278. value = cnf->value;
  279. if (strcmp(cnf->name, "explicitText") == 0) {
  280. tag = displaytext_str2tag(value, &tag_len);
  281. if ((not->exptext = ASN1_STRING_type_new(tag)) == NULL) {
  282. ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
  283. goto err;
  284. }
  285. if (tag_len != 0)
  286. value += tag_len + 1;
  287. len = strlen(value);
  288. if (!ASN1_STRING_set(not->exptext, value, len)) {
  289. ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
  290. goto err;
  291. }
  292. } else if (strcmp(cnf->name, "organization") == 0) {
  293. NOTICEREF *nref;
  294. if (!not->noticeref) {
  295. if ((nref = NOTICEREF_new()) == NULL) {
  296. ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
  297. goto err;
  298. }
  299. not->noticeref = nref;
  300. } else
  301. nref = not->noticeref;
  302. if (ia5org)
  303. nref->organization->type = V_ASN1_IA5STRING;
  304. else
  305. nref->organization->type = V_ASN1_VISIBLESTRING;
  306. if (!ASN1_STRING_set(nref->organization, cnf->value,
  307. strlen(cnf->value))) {
  308. ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
  309. goto err;
  310. }
  311. } else if (strcmp(cnf->name, "noticeNumbers") == 0) {
  312. NOTICEREF *nref;
  313. STACK_OF(CONF_VALUE) *nos;
  314. if (!not->noticeref) {
  315. if ((nref = NOTICEREF_new()) == NULL) {
  316. ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
  317. goto err;
  318. }
  319. not->noticeref = nref;
  320. } else
  321. nref = not->noticeref;
  322. nos = X509V3_parse_list(cnf->value);
  323. if (!nos || !sk_CONF_VALUE_num(nos)) {
  324. ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_NUMBERS);
  325. X509V3_conf_add_error_name_value(cnf);
  326. sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
  327. goto err;
  328. }
  329. ret = nref_nos(nref->noticenos, nos);
  330. sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
  331. if (!ret)
  332. goto err;
  333. } else {
  334. ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_OPTION);
  335. X509V3_conf_add_error_name_value(cnf);
  336. goto err;
  337. }
  338. }
  339. if (not->noticeref &&
  340. (!not->noticeref->noticenos || !not->noticeref->organization)) {
  341. ERR_raise(ERR_LIB_X509V3, X509V3_R_NEED_ORGANIZATION_AND_NUMBERS);
  342. goto err;
  343. }
  344. return qual;
  345. err:
  346. POLICYQUALINFO_free(qual);
  347. return NULL;
  348. }
  349. static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos)
  350. {
  351. CONF_VALUE *cnf;
  352. ASN1_INTEGER *aint;
  353. int i;
  354. for (i = 0; i < sk_CONF_VALUE_num(nos); i++) {
  355. cnf = sk_CONF_VALUE_value(nos, i);
  356. if ((aint = s2i_ASN1_INTEGER(NULL, cnf->name)) == NULL) {
  357. ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_NUMBER);
  358. return 0;
  359. }
  360. if (!sk_ASN1_INTEGER_push(nnums, aint)) {
  361. ASN1_INTEGER_free(aint);
  362. ERR_raise(ERR_LIB_X509V3, ERR_R_CRYPTO_LIB);
  363. return 0;
  364. }
  365. }
  366. return 1;
  367. }
  368. static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol,
  369. BIO *out, int indent)
  370. {
  371. int i;
  372. POLICYINFO *pinfo;
  373. /* First print out the policy OIDs */
  374. for (i = 0; i < sk_POLICYINFO_num(pol); i++) {
  375. if (i > 0)
  376. BIO_puts(out, "\n");
  377. pinfo = sk_POLICYINFO_value(pol, i);
  378. BIO_printf(out, "%*sPolicy: ", indent, "");
  379. i2a_ASN1_OBJECT(out, pinfo->policyid);
  380. if (pinfo->qualifiers) {
  381. BIO_puts(out, "\n");
  382. print_qualifiers(out, pinfo->qualifiers, indent + 2);
  383. }
  384. }
  385. return 1;
  386. }
  387. static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
  388. int indent)
  389. {
  390. POLICYQUALINFO *qualinfo;
  391. int i;
  392. for (i = 0; i < sk_POLICYQUALINFO_num(quals); i++) {
  393. if (i > 0)
  394. BIO_puts(out, "\n");
  395. qualinfo = sk_POLICYQUALINFO_value(quals, i);
  396. switch (OBJ_obj2nid(qualinfo->pqualid)) {
  397. case NID_id_qt_cps:
  398. BIO_printf(out, "%*sCPS: %.*s", indent, "",
  399. qualinfo->d.cpsuri->length,
  400. qualinfo->d.cpsuri->data);
  401. break;
  402. case NID_id_qt_unotice:
  403. BIO_printf(out, "%*sUser Notice:\n", indent, "");
  404. print_notice(out, qualinfo->d.usernotice, indent + 2);
  405. break;
  406. default:
  407. BIO_printf(out, "%*sUnknown Qualifier: ", indent + 2, "");
  408. i2a_ASN1_OBJECT(out, qualinfo->pqualid);
  409. break;
  410. }
  411. }
  412. }
  413. static void print_notice(BIO *out, USERNOTICE *notice, int indent)
  414. {
  415. int i;
  416. if (notice->noticeref) {
  417. NOTICEREF *ref;
  418. ref = notice->noticeref;
  419. BIO_printf(out, "%*sOrganization: %.*s\n", indent, "",
  420. ref->organization->length,
  421. ref->organization->data);
  422. BIO_printf(out, "%*sNumber%s: ", indent, "",
  423. sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : "");
  424. for (i = 0; i < sk_ASN1_INTEGER_num(ref->noticenos); i++) {
  425. ASN1_INTEGER *num;
  426. char *tmp;
  427. num = sk_ASN1_INTEGER_value(ref->noticenos, i);
  428. if (i)
  429. BIO_puts(out, ", ");
  430. if (num == NULL)
  431. BIO_puts(out, "(null)");
  432. else {
  433. tmp = i2s_ASN1_INTEGER(NULL, num);
  434. if (tmp == NULL)
  435. return;
  436. BIO_puts(out, tmp);
  437. OPENSSL_free(tmp);
  438. }
  439. }
  440. if (notice->exptext)
  441. BIO_puts(out, "\n");
  442. }
  443. if (notice->exptext)
  444. BIO_printf(out, "%*sExplicit Text: %.*s", indent, "",
  445. notice->exptext->length,
  446. notice->exptext->data);
  447. }
  448. void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
  449. {
  450. const X509_POLICY_DATA *dat = node->data;
  451. BIO_printf(out, "%*sPolicy: ", indent, "");
  452. i2a_ASN1_OBJECT(out, dat->valid_policy);
  453. BIO_puts(out, "\n");
  454. BIO_printf(out, "%*s%s\n", indent + 2, "",
  455. node_data_critical(dat) ? "Critical" : "Non Critical");
  456. if (dat->qualifier_set) {
  457. print_qualifiers(out, dat->qualifier_set, indent + 2);
  458. BIO_puts(out, "\n");
  459. }
  460. else
  461. BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
  462. }