2
0

v3_alt.c 17 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592
  1. /*
  2. * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include "internal/cryptlib.h"
  11. #include <openssl/conf.h>
  12. #include <openssl/x509v3.h>
  13. #include "ext_dat.h"
  14. static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
  15. X509V3_CTX *ctx,
  16. STACK_OF(CONF_VALUE) *nval);
  17. static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
  18. X509V3_CTX *ctx,
  19. STACK_OF(CONF_VALUE) *nval);
  20. static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p);
  21. static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens);
  22. static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
  23. static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
  24. const X509V3_EXT_METHOD v3_alt[3] = {
  25. {NID_subject_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
  26. 0, 0, 0, 0,
  27. 0, 0,
  28. (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
  29. (X509V3_EXT_V2I)v2i_subject_alt,
  30. NULL, NULL, NULL},
  31. {NID_issuer_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
  32. 0, 0, 0, 0,
  33. 0, 0,
  34. (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
  35. (X509V3_EXT_V2I)v2i_issuer_alt,
  36. NULL, NULL, NULL},
  37. {NID_certificate_issuer, 0, ASN1_ITEM_ref(GENERAL_NAMES),
  38. 0, 0, 0, 0,
  39. 0, 0,
  40. (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
  41. NULL, NULL, NULL, NULL},
  42. };
  43. STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
  44. GENERAL_NAMES *gens,
  45. STACK_OF(CONF_VALUE) *ret)
  46. {
  47. int i;
  48. GENERAL_NAME *gen;
  49. for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
  50. gen = sk_GENERAL_NAME_value(gens, i);
  51. ret = i2v_GENERAL_NAME(method, gen, ret);
  52. }
  53. if (!ret)
  54. return sk_CONF_VALUE_new_null();
  55. return ret;
  56. }
  57. STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
  58. GENERAL_NAME *gen,
  59. STACK_OF(CONF_VALUE) *ret)
  60. {
  61. unsigned char *p;
  62. char oline[256], htmp[5];
  63. int i;
  64. switch (gen->type) {
  65. case GEN_OTHERNAME:
  66. if (!X509V3_add_value("othername", "<unsupported>", &ret))
  67. return NULL;
  68. break;
  69. case GEN_X400:
  70. if (!X509V3_add_value("X400Name", "<unsupported>", &ret))
  71. return NULL;
  72. break;
  73. case GEN_EDIPARTY:
  74. if (!X509V3_add_value("EdiPartyName", "<unsupported>", &ret))
  75. return NULL;
  76. break;
  77. case GEN_EMAIL:
  78. if (!X509V3_add_value_uchar("email", gen->d.ia5->data, &ret))
  79. return NULL;
  80. break;
  81. case GEN_DNS:
  82. if (!X509V3_add_value_uchar("DNS", gen->d.ia5->data, &ret))
  83. return NULL;
  84. break;
  85. case GEN_URI:
  86. if (!X509V3_add_value_uchar("URI", gen->d.ia5->data, &ret))
  87. return NULL;
  88. break;
  89. case GEN_DIRNAME:
  90. if (X509_NAME_oneline(gen->d.dirn, oline, sizeof(oline)) == NULL
  91. || !X509V3_add_value("DirName", oline, &ret))
  92. return NULL;
  93. break;
  94. case GEN_IPADD:
  95. p = gen->d.ip->data;
  96. if (gen->d.ip->length == 4)
  97. BIO_snprintf(oline, sizeof(oline), "%d.%d.%d.%d",
  98. p[0], p[1], p[2], p[3]);
  99. else if (gen->d.ip->length == 16) {
  100. oline[0] = 0;
  101. for (i = 0; i < 8; i++) {
  102. BIO_snprintf(htmp, sizeof(htmp), "%X", p[0] << 8 | p[1]);
  103. p += 2;
  104. strcat(oline, htmp);
  105. if (i != 7)
  106. strcat(oline, ":");
  107. }
  108. } else {
  109. if (!X509V3_add_value("IP Address", "<invalid>", &ret))
  110. return NULL;
  111. break;
  112. }
  113. if (!X509V3_add_value("IP Address", oline, &ret))
  114. return NULL;
  115. break;
  116. case GEN_RID:
  117. i2t_ASN1_OBJECT(oline, 256, gen->d.rid);
  118. if (!X509V3_add_value("Registered ID", oline, &ret))
  119. return NULL;
  120. break;
  121. }
  122. return ret;
  123. }
  124. int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
  125. {
  126. unsigned char *p;
  127. int i;
  128. switch (gen->type) {
  129. case GEN_OTHERNAME:
  130. BIO_printf(out, "othername:<unsupported>");
  131. break;
  132. case GEN_X400:
  133. BIO_printf(out, "X400Name:<unsupported>");
  134. break;
  135. case GEN_EDIPARTY:
  136. /* Maybe fix this: it is supported now */
  137. BIO_printf(out, "EdiPartyName:<unsupported>");
  138. break;
  139. case GEN_EMAIL:
  140. BIO_printf(out, "email:%s", gen->d.ia5->data);
  141. break;
  142. case GEN_DNS:
  143. BIO_printf(out, "DNS:%s", gen->d.ia5->data);
  144. break;
  145. case GEN_URI:
  146. BIO_printf(out, "URI:%s", gen->d.ia5->data);
  147. break;
  148. case GEN_DIRNAME:
  149. BIO_printf(out, "DirName:");
  150. X509_NAME_print_ex(out, gen->d.dirn, 0, XN_FLAG_ONELINE);
  151. break;
  152. case GEN_IPADD:
  153. p = gen->d.ip->data;
  154. if (gen->d.ip->length == 4)
  155. BIO_printf(out, "IP Address:%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
  156. else if (gen->d.ip->length == 16) {
  157. BIO_printf(out, "IP Address");
  158. for (i = 0; i < 8; i++) {
  159. BIO_printf(out, ":%X", p[0] << 8 | p[1]);
  160. p += 2;
  161. }
  162. BIO_puts(out, "\n");
  163. } else {
  164. BIO_printf(out, "IP Address:<invalid>");
  165. break;
  166. }
  167. break;
  168. case GEN_RID:
  169. BIO_printf(out, "Registered ID:");
  170. i2a_ASN1_OBJECT(out, gen->d.rid);
  171. break;
  172. }
  173. return 1;
  174. }
  175. static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
  176. X509V3_CTX *ctx,
  177. STACK_OF(CONF_VALUE) *nval)
  178. {
  179. const int num = sk_CONF_VALUE_num(nval);
  180. GENERAL_NAMES *gens = sk_GENERAL_NAME_new_reserve(NULL, num);
  181. int i;
  182. if (gens == NULL) {
  183. X509V3err(X509V3_F_V2I_ISSUER_ALT, ERR_R_MALLOC_FAILURE);
  184. sk_GENERAL_NAME_free(gens);
  185. return NULL;
  186. }
  187. for (i = 0; i < num; i++) {
  188. CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i);
  189. if (!name_cmp(cnf->name, "issuer")
  190. && cnf->value && strcmp(cnf->value, "copy") == 0) {
  191. if (!copy_issuer(ctx, gens))
  192. goto err;
  193. } else {
  194. GENERAL_NAME *gen = v2i_GENERAL_NAME(method, ctx, cnf);
  195. if (gen == NULL)
  196. goto err;
  197. sk_GENERAL_NAME_push(gens, gen); /* no failure as it was reserved */
  198. }
  199. }
  200. return gens;
  201. err:
  202. sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
  203. return NULL;
  204. }
  205. /* Append subject altname of issuer to issuer alt name of subject */
  206. static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens)
  207. {
  208. GENERAL_NAMES *ialt;
  209. GENERAL_NAME *gen;
  210. X509_EXTENSION *ext;
  211. int i, num;
  212. if (ctx && (ctx->flags == CTX_TEST))
  213. return 1;
  214. if (!ctx || !ctx->issuer_cert) {
  215. X509V3err(X509V3_F_COPY_ISSUER, X509V3_R_NO_ISSUER_DETAILS);
  216. goto err;
  217. }
  218. i = X509_get_ext_by_NID(ctx->issuer_cert, NID_subject_alt_name, -1);
  219. if (i < 0)
  220. return 1;
  221. if ((ext = X509_get_ext(ctx->issuer_cert, i)) == NULL
  222. || (ialt = X509V3_EXT_d2i(ext)) == NULL) {
  223. X509V3err(X509V3_F_COPY_ISSUER, X509V3_R_ISSUER_DECODE_ERROR);
  224. goto err;
  225. }
  226. num = sk_GENERAL_NAME_num(ialt);
  227. if (!sk_GENERAL_NAME_reserve(gens, num)) {
  228. X509V3err(X509V3_F_COPY_ISSUER, ERR_R_MALLOC_FAILURE);
  229. goto err;
  230. }
  231. for (i = 0; i < num; i++) {
  232. gen = sk_GENERAL_NAME_value(ialt, i);
  233. sk_GENERAL_NAME_push(gens, gen); /* no failure as it was reserved */
  234. }
  235. sk_GENERAL_NAME_free(ialt);
  236. return 1;
  237. err:
  238. return 0;
  239. }
  240. static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
  241. X509V3_CTX *ctx,
  242. STACK_OF(CONF_VALUE) *nval)
  243. {
  244. GENERAL_NAMES *gens;
  245. CONF_VALUE *cnf;
  246. const int num = sk_CONF_VALUE_num(nval);
  247. int i;
  248. gens = sk_GENERAL_NAME_new_reserve(NULL, num);
  249. if (gens == NULL) {
  250. X509V3err(X509V3_F_V2I_SUBJECT_ALT, ERR_R_MALLOC_FAILURE);
  251. sk_GENERAL_NAME_free(gens);
  252. return NULL;
  253. }
  254. for (i = 0; i < num; i++) {
  255. cnf = sk_CONF_VALUE_value(nval, i);
  256. if (!name_cmp(cnf->name, "email")
  257. && cnf->value && strcmp(cnf->value, "copy") == 0) {
  258. if (!copy_email(ctx, gens, 0))
  259. goto err;
  260. } else if (!name_cmp(cnf->name, "email")
  261. && cnf->value && strcmp(cnf->value, "move") == 0) {
  262. if (!copy_email(ctx, gens, 1))
  263. goto err;
  264. } else {
  265. GENERAL_NAME *gen;
  266. if ((gen = v2i_GENERAL_NAME(method, ctx, cnf)) == NULL)
  267. goto err;
  268. sk_GENERAL_NAME_push(gens, gen); /* no failure as it was reserved */
  269. }
  270. }
  271. return gens;
  272. err:
  273. sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
  274. return NULL;
  275. }
  276. /*
  277. * Copy any email addresses in a certificate or request to GENERAL_NAMES
  278. */
  279. static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
  280. {
  281. X509_NAME *nm;
  282. ASN1_IA5STRING *email = NULL;
  283. X509_NAME_ENTRY *ne;
  284. GENERAL_NAME *gen = NULL;
  285. int i = -1;
  286. if (ctx != NULL && ctx->flags == CTX_TEST)
  287. return 1;
  288. if (ctx == NULL
  289. || (ctx->subject_cert == NULL && ctx->subject_req == NULL)) {
  290. X509V3err(X509V3_F_COPY_EMAIL, X509V3_R_NO_SUBJECT_DETAILS);
  291. goto err;
  292. }
  293. /* Find the subject name */
  294. if (ctx->subject_cert)
  295. nm = X509_get_subject_name(ctx->subject_cert);
  296. else
  297. nm = X509_REQ_get_subject_name(ctx->subject_req);
  298. /* Now add any email address(es) to STACK */
  299. while ((i = X509_NAME_get_index_by_NID(nm,
  300. NID_pkcs9_emailAddress, i)) >= 0) {
  301. ne = X509_NAME_get_entry(nm, i);
  302. email = ASN1_STRING_dup(X509_NAME_ENTRY_get_data(ne));
  303. if (move_p) {
  304. X509_NAME_delete_entry(nm, i);
  305. X509_NAME_ENTRY_free(ne);
  306. i--;
  307. }
  308. if (email == NULL || (gen = GENERAL_NAME_new()) == NULL) {
  309. X509V3err(X509V3_F_COPY_EMAIL, ERR_R_MALLOC_FAILURE);
  310. goto err;
  311. }
  312. gen->d.ia5 = email;
  313. email = NULL;
  314. gen->type = GEN_EMAIL;
  315. if (!sk_GENERAL_NAME_push(gens, gen)) {
  316. X509V3err(X509V3_F_COPY_EMAIL, ERR_R_MALLOC_FAILURE);
  317. goto err;
  318. }
  319. gen = NULL;
  320. }
  321. return 1;
  322. err:
  323. GENERAL_NAME_free(gen);
  324. ASN1_IA5STRING_free(email);
  325. return 0;
  326. }
  327. GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
  328. X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
  329. {
  330. GENERAL_NAME *gen;
  331. GENERAL_NAMES *gens;
  332. CONF_VALUE *cnf;
  333. const int num = sk_CONF_VALUE_num(nval);
  334. int i;
  335. gens = sk_GENERAL_NAME_new_reserve(NULL, num);
  336. if (gens == NULL) {
  337. X509V3err(X509V3_F_V2I_GENERAL_NAMES, ERR_R_MALLOC_FAILURE);
  338. sk_GENERAL_NAME_free(gens);
  339. return NULL;
  340. }
  341. for (i = 0; i < num; i++) {
  342. cnf = sk_CONF_VALUE_value(nval, i);
  343. if ((gen = v2i_GENERAL_NAME(method, ctx, cnf)) == NULL)
  344. goto err;
  345. sk_GENERAL_NAME_push(gens, gen); /* no failure as it was reserved */
  346. }
  347. return gens;
  348. err:
  349. sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
  350. return NULL;
  351. }
  352. GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method,
  353. X509V3_CTX *ctx, CONF_VALUE *cnf)
  354. {
  355. return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0);
  356. }
  357. GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
  358. const X509V3_EXT_METHOD *method,
  359. X509V3_CTX *ctx, int gen_type, const char *value,
  360. int is_nc)
  361. {
  362. char is_string = 0;
  363. GENERAL_NAME *gen = NULL;
  364. if (!value) {
  365. X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_MISSING_VALUE);
  366. return NULL;
  367. }
  368. if (out)
  369. gen = out;
  370. else {
  371. gen = GENERAL_NAME_new();
  372. if (gen == NULL) {
  373. X509V3err(X509V3_F_A2I_GENERAL_NAME, ERR_R_MALLOC_FAILURE);
  374. return NULL;
  375. }
  376. }
  377. switch (gen_type) {
  378. case GEN_URI:
  379. case GEN_EMAIL:
  380. case GEN_DNS:
  381. is_string = 1;
  382. break;
  383. case GEN_RID:
  384. {
  385. ASN1_OBJECT *obj;
  386. if ((obj = OBJ_txt2obj(value, 0)) == NULL) {
  387. X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_BAD_OBJECT);
  388. ERR_add_error_data(2, "value=", value);
  389. goto err;
  390. }
  391. gen->d.rid = obj;
  392. }
  393. break;
  394. case GEN_IPADD:
  395. if (is_nc)
  396. gen->d.ip = a2i_IPADDRESS_NC(value);
  397. else
  398. gen->d.ip = a2i_IPADDRESS(value);
  399. if (gen->d.ip == NULL) {
  400. X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_BAD_IP_ADDRESS);
  401. ERR_add_error_data(2, "value=", value);
  402. goto err;
  403. }
  404. break;
  405. case GEN_DIRNAME:
  406. if (!do_dirname(gen, value, ctx)) {
  407. X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_DIRNAME_ERROR);
  408. goto err;
  409. }
  410. break;
  411. case GEN_OTHERNAME:
  412. if (!do_othername(gen, value, ctx)) {
  413. X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_OTHERNAME_ERROR);
  414. goto err;
  415. }
  416. break;
  417. default:
  418. X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_UNSUPPORTED_TYPE);
  419. goto err;
  420. }
  421. if (is_string) {
  422. if ((gen->d.ia5 = ASN1_IA5STRING_new()) == NULL ||
  423. !ASN1_STRING_set(gen->d.ia5, (unsigned char *)value,
  424. strlen(value))) {
  425. X509V3err(X509V3_F_A2I_GENERAL_NAME, ERR_R_MALLOC_FAILURE);
  426. goto err;
  427. }
  428. }
  429. gen->type = gen_type;
  430. return gen;
  431. err:
  432. if (!out)
  433. GENERAL_NAME_free(gen);
  434. return NULL;
  435. }
  436. GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
  437. const X509V3_EXT_METHOD *method,
  438. X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc)
  439. {
  440. int type;
  441. char *name, *value;
  442. name = cnf->name;
  443. value = cnf->value;
  444. if (!value) {
  445. X509V3err(X509V3_F_V2I_GENERAL_NAME_EX, X509V3_R_MISSING_VALUE);
  446. return NULL;
  447. }
  448. if (!name_cmp(name, "email"))
  449. type = GEN_EMAIL;
  450. else if (!name_cmp(name, "URI"))
  451. type = GEN_URI;
  452. else if (!name_cmp(name, "DNS"))
  453. type = GEN_DNS;
  454. else if (!name_cmp(name, "RID"))
  455. type = GEN_RID;
  456. else if (!name_cmp(name, "IP"))
  457. type = GEN_IPADD;
  458. else if (!name_cmp(name, "dirName"))
  459. type = GEN_DIRNAME;
  460. else if (!name_cmp(name, "otherName"))
  461. type = GEN_OTHERNAME;
  462. else {
  463. X509V3err(X509V3_F_V2I_GENERAL_NAME_EX, X509V3_R_UNSUPPORTED_OPTION);
  464. ERR_add_error_data(2, "name=", name);
  465. return NULL;
  466. }
  467. return a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
  468. }
  469. static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx)
  470. {
  471. char *objtmp = NULL, *p;
  472. int objlen;
  473. if ((p = strchr(value, ';')) == NULL)
  474. return 0;
  475. if ((gen->d.otherName = OTHERNAME_new()) == NULL)
  476. return 0;
  477. /*
  478. * Free this up because we will overwrite it. no need to free type_id
  479. * because it is static
  480. */
  481. ASN1_TYPE_free(gen->d.otherName->value);
  482. if ((gen->d.otherName->value = ASN1_generate_v3(p + 1, ctx)) == NULL)
  483. return 0;
  484. objlen = p - value;
  485. objtmp = OPENSSL_strndup(value, objlen);
  486. if (objtmp == NULL)
  487. return 0;
  488. gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0);
  489. OPENSSL_free(objtmp);
  490. if (!gen->d.otherName->type_id)
  491. return 0;
  492. return 1;
  493. }
  494. static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx)
  495. {
  496. int ret = 0;
  497. STACK_OF(CONF_VALUE) *sk = NULL;
  498. X509_NAME *nm;
  499. if ((nm = X509_NAME_new()) == NULL)
  500. goto err;
  501. sk = X509V3_get_section(ctx, value);
  502. if (!sk) {
  503. X509V3err(X509V3_F_DO_DIRNAME, X509V3_R_SECTION_NOT_FOUND);
  504. ERR_add_error_data(2, "section=", value);
  505. goto err;
  506. }
  507. /* FIXME: should allow other character types... */
  508. ret = X509V3_NAME_from_section(nm, sk, MBSTRING_ASC);
  509. if (!ret)
  510. goto err;
  511. gen->d.dirn = nm;
  512. err:
  513. if (ret == 0)
  514. X509_NAME_free(nm);
  515. X509V3_section_free(ctx, sk);
  516. return ret;
  517. }