v3_cpols.c 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504
  1. /*
  2. * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include "internal/cryptlib.h"
  11. #include <openssl/conf.h>
  12. #include <openssl/asn1.h>
  13. #include <openssl/asn1t.h>
  14. #include <openssl/x509v3.h>
  15. #include "pcy_local.h"
  16. #include "ext_dat.h"
  17. DEFINE_STACK_OF(CONF_VALUE)
  18. DEFINE_STACK_OF(POLICYINFO)
  19. DEFINE_STACK_OF(POLICYQUALINFO)
  20. DEFINE_STACK_OF(ASN1_INTEGER)
  21. /* Certificate policies extension support: this one is a bit complex... */
  22. static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol,
  23. BIO *out, int indent);
  24. static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
  25. X509V3_CTX *ctx, const char *value);
  26. static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
  27. int indent);
  28. static void print_notice(BIO *out, USERNOTICE *notice, int indent);
  29. static POLICYINFO *policy_section(X509V3_CTX *ctx,
  30. STACK_OF(CONF_VALUE) *polstrs, int ia5org);
  31. static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
  32. STACK_OF(CONF_VALUE) *unot, int ia5org);
  33. static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos);
  34. static int displaytext_str2tag(const char *tagstr, unsigned int *tag_len);
  35. static int displaytext_get_tag_len(const char *tagstr);
  36. const X509V3_EXT_METHOD v3_cpols = {
  37. NID_certificate_policies, 0, ASN1_ITEM_ref(CERTIFICATEPOLICIES),
  38. 0, 0, 0, 0,
  39. 0, 0,
  40. 0, 0,
  41. (X509V3_EXT_I2R)i2r_certpol,
  42. (X509V3_EXT_R2I)r2i_certpol,
  43. NULL
  44. };
  45. ASN1_ITEM_TEMPLATE(CERTIFICATEPOLICIES) =
  46. ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CERTIFICATEPOLICIES, POLICYINFO)
  47. ASN1_ITEM_TEMPLATE_END(CERTIFICATEPOLICIES)
  48. IMPLEMENT_ASN1_FUNCTIONS(CERTIFICATEPOLICIES)
  49. ASN1_SEQUENCE(POLICYINFO) = {
  50. ASN1_SIMPLE(POLICYINFO, policyid, ASN1_OBJECT),
  51. ASN1_SEQUENCE_OF_OPT(POLICYINFO, qualifiers, POLICYQUALINFO)
  52. } ASN1_SEQUENCE_END(POLICYINFO)
  53. IMPLEMENT_ASN1_FUNCTIONS(POLICYINFO)
  54. ASN1_ADB_TEMPLATE(policydefault) = ASN1_SIMPLE(POLICYQUALINFO, d.other, ASN1_ANY);
  55. ASN1_ADB(POLICYQUALINFO) = {
  56. ADB_ENTRY(NID_id_qt_cps, ASN1_SIMPLE(POLICYQUALINFO, d.cpsuri, ASN1_IA5STRING)),
  57. ADB_ENTRY(NID_id_qt_unotice, ASN1_SIMPLE(POLICYQUALINFO, d.usernotice, USERNOTICE))
  58. } ASN1_ADB_END(POLICYQUALINFO, 0, pqualid, 0, &policydefault_tt, NULL);
  59. ASN1_SEQUENCE(POLICYQUALINFO) = {
  60. ASN1_SIMPLE(POLICYQUALINFO, pqualid, ASN1_OBJECT),
  61. ASN1_ADB_OBJECT(POLICYQUALINFO)
  62. } ASN1_SEQUENCE_END(POLICYQUALINFO)
  63. IMPLEMENT_ASN1_FUNCTIONS(POLICYQUALINFO)
  64. ASN1_SEQUENCE(USERNOTICE) = {
  65. ASN1_OPT(USERNOTICE, noticeref, NOTICEREF),
  66. ASN1_OPT(USERNOTICE, exptext, DISPLAYTEXT)
  67. } ASN1_SEQUENCE_END(USERNOTICE)
  68. IMPLEMENT_ASN1_FUNCTIONS(USERNOTICE)
  69. ASN1_SEQUENCE(NOTICEREF) = {
  70. ASN1_SIMPLE(NOTICEREF, organization, DISPLAYTEXT),
  71. ASN1_SEQUENCE_OF(NOTICEREF, noticenos, ASN1_INTEGER)
  72. } ASN1_SEQUENCE_END(NOTICEREF)
  73. IMPLEMENT_ASN1_FUNCTIONS(NOTICEREF)
  74. static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
  75. X509V3_CTX *ctx, const char *value)
  76. {
  77. STACK_OF(POLICYINFO) *pols;
  78. char *pstr;
  79. POLICYINFO *pol;
  80. ASN1_OBJECT *pobj;
  81. STACK_OF(CONF_VALUE) *vals = X509V3_parse_list(value);
  82. CONF_VALUE *cnf;
  83. const int num = sk_CONF_VALUE_num(vals);
  84. int i, ia5org;
  85. if (vals == NULL) {
  86. X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_X509V3_LIB);
  87. return NULL;
  88. }
  89. pols = sk_POLICYINFO_new_reserve(NULL, num);
  90. if (pols == NULL) {
  91. X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
  92. goto err;
  93. }
  94. ia5org = 0;
  95. for (i = 0; i < num; i++) {
  96. cnf = sk_CONF_VALUE_value(vals, i);
  97. if (cnf->value || !cnf->name) {
  98. X509V3err(X509V3_F_R2I_CERTPOL,
  99. X509V3_R_INVALID_POLICY_IDENTIFIER);
  100. X509V3_conf_err(cnf);
  101. goto err;
  102. }
  103. pstr = cnf->name;
  104. if (strcmp(pstr, "ia5org") == 0) {
  105. ia5org = 1;
  106. continue;
  107. } else if (*pstr == '@') {
  108. STACK_OF(CONF_VALUE) *polsect;
  109. polsect = X509V3_get_section(ctx, pstr + 1);
  110. if (polsect == NULL) {
  111. X509V3err(X509V3_F_R2I_CERTPOL, X509V3_R_INVALID_SECTION);
  112. X509V3_conf_err(cnf);
  113. goto err;
  114. }
  115. pol = policy_section(ctx, polsect, ia5org);
  116. X509V3_section_free(ctx, polsect);
  117. if (pol == NULL)
  118. goto err;
  119. } else {
  120. if ((pobj = OBJ_txt2obj(cnf->name, 0)) == NULL) {
  121. X509V3err(X509V3_F_R2I_CERTPOL,
  122. X509V3_R_INVALID_OBJECT_IDENTIFIER);
  123. X509V3_conf_err(cnf);
  124. goto err;
  125. }
  126. pol = POLICYINFO_new();
  127. if (pol == NULL) {
  128. ASN1_OBJECT_free(pobj);
  129. X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
  130. goto err;
  131. }
  132. pol->policyid = pobj;
  133. }
  134. if (!sk_POLICYINFO_push(pols, pol)) {
  135. POLICYINFO_free(pol);
  136. X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
  137. goto err;
  138. }
  139. }
  140. sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
  141. return pols;
  142. err:
  143. sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
  144. sk_POLICYINFO_pop_free(pols, POLICYINFO_free);
  145. return NULL;
  146. }
  147. static POLICYINFO *policy_section(X509V3_CTX *ctx,
  148. STACK_OF(CONF_VALUE) *polstrs, int ia5org)
  149. {
  150. int i;
  151. CONF_VALUE *cnf;
  152. POLICYINFO *pol;
  153. POLICYQUALINFO *qual;
  154. if ((pol = POLICYINFO_new()) == NULL)
  155. goto merr;
  156. for (i = 0; i < sk_CONF_VALUE_num(polstrs); i++) {
  157. cnf = sk_CONF_VALUE_value(polstrs, i);
  158. if (strcmp(cnf->name, "policyIdentifier") == 0) {
  159. ASN1_OBJECT *pobj;
  160. if ((pobj = OBJ_txt2obj(cnf->value, 0)) == NULL) {
  161. X509V3err(X509V3_F_POLICY_SECTION,
  162. X509V3_R_INVALID_OBJECT_IDENTIFIER);
  163. X509V3_conf_err(cnf);
  164. goto err;
  165. }
  166. pol->policyid = pobj;
  167. } else if (!v3_name_cmp(cnf->name, "CPS")) {
  168. if (pol->qualifiers == NULL)
  169. pol->qualifiers = sk_POLICYQUALINFO_new_null();
  170. if ((qual = POLICYQUALINFO_new()) == NULL)
  171. goto merr;
  172. if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
  173. goto merr;
  174. if ((qual->pqualid = OBJ_nid2obj(NID_id_qt_cps)) == NULL) {
  175. X509V3err(X509V3_F_POLICY_SECTION, ERR_R_INTERNAL_ERROR);
  176. goto err;
  177. }
  178. if ((qual->d.cpsuri = ASN1_IA5STRING_new()) == NULL)
  179. goto merr;
  180. if (!ASN1_STRING_set(qual->d.cpsuri, cnf->value,
  181. strlen(cnf->value)))
  182. goto merr;
  183. } else if (!v3_name_cmp(cnf->name, "userNotice")) {
  184. STACK_OF(CONF_VALUE) *unot;
  185. if (*cnf->value != '@') {
  186. X509V3err(X509V3_F_POLICY_SECTION,
  187. X509V3_R_EXPECTED_A_SECTION_NAME);
  188. X509V3_conf_err(cnf);
  189. goto err;
  190. }
  191. unot = X509V3_get_section(ctx, cnf->value + 1);
  192. if (!unot) {
  193. X509V3err(X509V3_F_POLICY_SECTION, X509V3_R_INVALID_SECTION);
  194. X509V3_conf_err(cnf);
  195. goto err;
  196. }
  197. qual = notice_section(ctx, unot, ia5org);
  198. X509V3_section_free(ctx, unot);
  199. if (!qual)
  200. goto err;
  201. if (pol->qualifiers == NULL)
  202. pol->qualifiers = sk_POLICYQUALINFO_new_null();
  203. if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
  204. goto merr;
  205. } else {
  206. X509V3err(X509V3_F_POLICY_SECTION, X509V3_R_INVALID_OPTION);
  207. X509V3_conf_err(cnf);
  208. goto err;
  209. }
  210. }
  211. if (pol->policyid == NULL) {
  212. X509V3err(X509V3_F_POLICY_SECTION, X509V3_R_NO_POLICY_IDENTIFIER);
  213. goto err;
  214. }
  215. return pol;
  216. merr:
  217. X509V3err(X509V3_F_POLICY_SECTION, ERR_R_MALLOC_FAILURE);
  218. err:
  219. POLICYINFO_free(pol);
  220. return NULL;
  221. }
  222. static int displaytext_get_tag_len(const char *tagstr)
  223. {
  224. char *colon = strchr(tagstr, ':');
  225. return (colon == NULL) ? -1 : colon - tagstr;
  226. }
  227. static int displaytext_str2tag(const char *tagstr, unsigned int *tag_len)
  228. {
  229. int len;
  230. *tag_len = 0;
  231. len = displaytext_get_tag_len(tagstr);
  232. if (len == -1)
  233. return V_ASN1_VISIBLESTRING;
  234. *tag_len = len;
  235. if (len == sizeof("UTF8") - 1 && strncmp(tagstr, "UTF8", len) == 0)
  236. return V_ASN1_UTF8STRING;
  237. if (len == sizeof("UTF8String") - 1 && strncmp(tagstr, "UTF8String", len) == 0)
  238. return V_ASN1_UTF8STRING;
  239. if (len == sizeof("BMP") - 1 && strncmp(tagstr, "BMP", len) == 0)
  240. return V_ASN1_BMPSTRING;
  241. if (len == sizeof("BMPSTRING") - 1 && strncmp(tagstr, "BMPSTRING", len) == 0)
  242. return V_ASN1_BMPSTRING;
  243. if (len == sizeof("VISIBLE") - 1 && strncmp(tagstr, "VISIBLE", len) == 0)
  244. return V_ASN1_VISIBLESTRING;
  245. if (len == sizeof("VISIBLESTRING") - 1 && strncmp(tagstr, "VISIBLESTRING", len) == 0)
  246. return V_ASN1_VISIBLESTRING;
  247. *tag_len = 0;
  248. return V_ASN1_VISIBLESTRING;
  249. }
  250. static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
  251. STACK_OF(CONF_VALUE) *unot, int ia5org)
  252. {
  253. int i, ret, len, tag;
  254. unsigned int tag_len;
  255. CONF_VALUE *cnf;
  256. USERNOTICE *not;
  257. POLICYQUALINFO *qual;
  258. char *value = NULL;
  259. if ((qual = POLICYQUALINFO_new()) == NULL)
  260. goto merr;
  261. if ((qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice)) == NULL) {
  262. X509V3err(X509V3_F_NOTICE_SECTION, ERR_R_INTERNAL_ERROR);
  263. goto err;
  264. }
  265. if ((not = USERNOTICE_new()) == NULL)
  266. goto merr;
  267. qual->d.usernotice = not;
  268. for (i = 0; i < sk_CONF_VALUE_num(unot); i++) {
  269. cnf = sk_CONF_VALUE_value(unot, i);
  270. value = cnf->value;
  271. if (strcmp(cnf->name, "explicitText") == 0) {
  272. tag = displaytext_str2tag(value, &tag_len);
  273. if ((not->exptext = ASN1_STRING_type_new(tag)) == NULL)
  274. goto merr;
  275. if (tag_len != 0)
  276. value += tag_len + 1;
  277. len = strlen(value);
  278. if (!ASN1_STRING_set(not->exptext, value, len))
  279. goto merr;
  280. } else if (strcmp(cnf->name, "organization") == 0) {
  281. NOTICEREF *nref;
  282. if (!not->noticeref) {
  283. if ((nref = NOTICEREF_new()) == NULL)
  284. goto merr;
  285. not->noticeref = nref;
  286. } else
  287. nref = not->noticeref;
  288. if (ia5org)
  289. nref->organization->type = V_ASN1_IA5STRING;
  290. else
  291. nref->organization->type = V_ASN1_VISIBLESTRING;
  292. if (!ASN1_STRING_set(nref->organization, cnf->value,
  293. strlen(cnf->value)))
  294. goto merr;
  295. } else if (strcmp(cnf->name, "noticeNumbers") == 0) {
  296. NOTICEREF *nref;
  297. STACK_OF(CONF_VALUE) *nos;
  298. if (!not->noticeref) {
  299. if ((nref = NOTICEREF_new()) == NULL)
  300. goto merr;
  301. not->noticeref = nref;
  302. } else
  303. nref = not->noticeref;
  304. nos = X509V3_parse_list(cnf->value);
  305. if (!nos || !sk_CONF_VALUE_num(nos)) {
  306. X509V3err(X509V3_F_NOTICE_SECTION, X509V3_R_INVALID_NUMBERS);
  307. X509V3_conf_err(cnf);
  308. sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
  309. goto err;
  310. }
  311. ret = nref_nos(nref->noticenos, nos);
  312. sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
  313. if (!ret)
  314. goto err;
  315. } else {
  316. X509V3err(X509V3_F_NOTICE_SECTION, X509V3_R_INVALID_OPTION);
  317. X509V3_conf_err(cnf);
  318. goto err;
  319. }
  320. }
  321. if (not->noticeref &&
  322. (!not->noticeref->noticenos || !not->noticeref->organization)) {
  323. X509V3err(X509V3_F_NOTICE_SECTION,
  324. X509V3_R_NEED_ORGANIZATION_AND_NUMBERS);
  325. goto err;
  326. }
  327. return qual;
  328. merr:
  329. X509V3err(X509V3_F_NOTICE_SECTION, ERR_R_MALLOC_FAILURE);
  330. err:
  331. POLICYQUALINFO_free(qual);
  332. return NULL;
  333. }
  334. static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos)
  335. {
  336. CONF_VALUE *cnf;
  337. ASN1_INTEGER *aint;
  338. int i;
  339. for (i = 0; i < sk_CONF_VALUE_num(nos); i++) {
  340. cnf = sk_CONF_VALUE_value(nos, i);
  341. if ((aint = s2i_ASN1_INTEGER(NULL, cnf->name)) == NULL) {
  342. X509V3err(X509V3_F_NREF_NOS, X509V3_R_INVALID_NUMBER);
  343. goto err;
  344. }
  345. if (!sk_ASN1_INTEGER_push(nnums, aint))
  346. goto merr;
  347. }
  348. return 1;
  349. merr:
  350. ASN1_INTEGER_free(aint);
  351. X509V3err(X509V3_F_NREF_NOS, ERR_R_MALLOC_FAILURE);
  352. err:
  353. return 0;
  354. }
  355. static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol,
  356. BIO *out, int indent)
  357. {
  358. int i;
  359. POLICYINFO *pinfo;
  360. /* First print out the policy OIDs */
  361. for (i = 0; i < sk_POLICYINFO_num(pol); i++) {
  362. if (i > 0)
  363. BIO_puts(out, "\n");
  364. pinfo = sk_POLICYINFO_value(pol, i);
  365. BIO_printf(out, "%*sPolicy: ", indent, "");
  366. i2a_ASN1_OBJECT(out, pinfo->policyid);
  367. if (pinfo->qualifiers) {
  368. BIO_puts(out, "\n");
  369. print_qualifiers(out, pinfo->qualifiers, indent + 2);
  370. }
  371. }
  372. return 1;
  373. }
  374. static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
  375. int indent)
  376. {
  377. POLICYQUALINFO *qualinfo;
  378. int i;
  379. for (i = 0; i < sk_POLICYQUALINFO_num(quals); i++) {
  380. if (i > 0)
  381. BIO_puts(out, "\n");
  382. qualinfo = sk_POLICYQUALINFO_value(quals, i);
  383. switch (OBJ_obj2nid(qualinfo->pqualid)) {
  384. case NID_id_qt_cps:
  385. BIO_printf(out, "%*sCPS: %s", indent, "",
  386. qualinfo->d.cpsuri->data);
  387. break;
  388. case NID_id_qt_unotice:
  389. BIO_printf(out, "%*sUser Notice:\n", indent, "");
  390. print_notice(out, qualinfo->d.usernotice, indent + 2);
  391. break;
  392. default:
  393. BIO_printf(out, "%*sUnknown Qualifier: ", indent + 2, "");
  394. i2a_ASN1_OBJECT(out, qualinfo->pqualid);
  395. break;
  396. }
  397. }
  398. }
  399. static void print_notice(BIO *out, USERNOTICE *notice, int indent)
  400. {
  401. int i;
  402. if (notice->noticeref) {
  403. NOTICEREF *ref;
  404. ref = notice->noticeref;
  405. BIO_printf(out, "%*sOrganization: %s\n", indent, "",
  406. ref->organization->data);
  407. BIO_printf(out, "%*sNumber%s: ", indent, "",
  408. sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : "");
  409. for (i = 0; i < sk_ASN1_INTEGER_num(ref->noticenos); i++) {
  410. ASN1_INTEGER *num;
  411. char *tmp;
  412. num = sk_ASN1_INTEGER_value(ref->noticenos, i);
  413. if (i)
  414. BIO_puts(out, ", ");
  415. if (num == NULL)
  416. BIO_puts(out, "(null)");
  417. else {
  418. tmp = i2s_ASN1_INTEGER(NULL, num);
  419. if (tmp == NULL)
  420. return;
  421. BIO_puts(out, tmp);
  422. OPENSSL_free(tmp);
  423. }
  424. }
  425. if (notice->exptext)
  426. BIO_puts(out, "\n");
  427. }
  428. if (notice->exptext)
  429. BIO_printf(out, "%*sExplicit Text: %s", indent, "",
  430. notice->exptext->data);
  431. }
  432. void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
  433. {
  434. const X509_POLICY_DATA *dat = node->data;
  435. BIO_printf(out, "%*sPolicy: ", indent, "");
  436. i2a_ASN1_OBJECT(out, dat->valid_policy);
  437. BIO_puts(out, "\n");
  438. BIO_printf(out, "%*s%s\n", indent + 2, "",
  439. node_data_critical(dat) ? "Critical" : "Non Critical");
  440. if (dat->qualifier_set) {
  441. print_qualifiers(out, dat->qualifier_set, indent + 2);
  442. BIO_puts(out, "\n");
  443. }
  444. else
  445. BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
  446. }