1 files changed, 310 insertions, 0 deletions
diff --git a/src/lib/libcrypto/x509/x509_pci.c b/src/lib/libcrypto/x509/x509_pci.c
new file mode 100644
index 0000000000..8997f0cec8
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_pci.c
@@ -0,0 +1,310 @@
+/* $OpenBSD: x509_pci.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* Contributed to the OpenSSL Project 2004
+ * by Richard Levitte (richard@levitte.org)
+ */
+/* Copyright (c) 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+#include <stdio.h>
+#include <string.h>
+#include <openssl/conf.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext,
+    BIO *out, int indent);
+static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
+    X509V3_CTX *ctx, char *str);
+const X509V3_EXT_METHOD v3_pci = {
+        .ext_nid = NID_proxyCertInfo,
+        .ext_flags = 0,
+        .it = &PROXY_CERT_INFO_EXTENSION_it,
+        .ext_new = NULL,
+        .ext_free = NULL,
+        .d2i = NULL,
+        .i2d = NULL,
+        .i2s = NULL,
+        .s2i = NULL,
+        .i2v = NULL,
+        .v2i = NULL,
+        .i2r = (X509V3_EXT_I2R)i2r_pci,
+        .r2i = (X509V3_EXT_R2I)r2i_pci,
+        .usr_data = NULL,
+};
+static int
+i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci, BIO *out,
+    int indent)
+{
+        BIO_printf(out, "%*sPath Length Constraint: ", indent, "");
+        if (pci->pcPathLengthConstraint)
+                i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint);
+        else
+                BIO_printf(out, "infinite");
+        BIO_puts(out, "\n");
+        BIO_printf(out, "%*sPolicy Language: ", indent, "");
+        i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
+        BIO_puts(out, "\n");
+        if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
+                BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
+                    pci->proxyPolicy->policy->data);
+        return 1;
+}
+static int
+process_pci_value(CONF_VALUE *val, ASN1_OBJECT **language,
+    ASN1_INTEGER **pathlen, ASN1_OCTET_STRING **policy)
+{
+        int free_policy = 0;
+        if (strcmp(val->name, "language") == 0) {
+                if (*language) {
+                        X509V3error(X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED);
+                        X509V3_conf_err(val);
+                        return 0;
+                }
+                if (!(*language = OBJ_txt2obj(val->value, 0))) {
+                        X509V3error(X509V3_R_INVALID_OBJECT_IDENTIFIER);
+                        X509V3_conf_err(val);
+                        return 0;
+                }
+        }
+        else if (strcmp(val->name, "pathlen") == 0) {
+                if (*pathlen) {
+                        X509V3error(X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED);
+                        X509V3_conf_err(val);
+                        return 0;
+                }
+                if (!X509V3_get_value_int(val, pathlen)) {
+                        X509V3error(X509V3_R_POLICY_PATH_LENGTH);
+                        X509V3_conf_err(val);
+                        return 0;
+                }
+        }
+        else if (strcmp(val->name, "policy") == 0) {
+                unsigned char *tmp_data = NULL;
+                long val_len;
+                if (!*policy) {
+                        *policy = ASN1_OCTET_STRING_new();
+                        if (!*policy) {
+                                X509V3error(ERR_R_MALLOC_FAILURE);
+                                X509V3_conf_err(val);
+                                return 0;
+                        }
+                        free_policy = 1;
+                }
+                if (strncmp(val->value, "hex:", 4) == 0) {
+                        unsigned char *tmp_data2 =
+                            string_to_hex(val->value + 4, &val_len);
+                        if (!tmp_data2) {
+                                X509V3error(X509V3_R_ILLEGAL_HEX_DIGIT);
+                                X509V3_conf_err(val);
+                                goto err;
+                        }
+                        tmp_data = realloc((*policy)->data,
+                            (*policy)->length + val_len + 1);
+                        if (tmp_data) {
+                                (*policy)->data = tmp_data;
+                                memcpy(&(*policy)->data[(*policy)->length],
+                                    tmp_data2, val_len);
+                                (*policy)->length += val_len;
+                                (*policy)->data[(*policy)->length] = '\0';
+                        } else {
+                                free(tmp_data2);
+                                free((*policy)->data);
+                                (*policy)->data = NULL;
+                                (*policy)->length = 0;
+                                X509V3error(ERR_R_MALLOC_FAILURE);
+                                X509V3_conf_err(val);
+                                goto err;
+                        }
+                        free(tmp_data2);
+                }
+                else if (strncmp(val->value, "file:", 5) == 0) {
+                        unsigned char buf[2048];
+                        int n;
+                        BIO *b = BIO_new_file(val->value + 5, "r");
+                        if (!b) {
+                                X509V3error(ERR_R_BIO_LIB);
+                                X509V3_conf_err(val);
+                                goto err;
+                        }
+                        while ((n = BIO_read(b, buf, sizeof(buf))) > 0 ||
+                            (n == 0 && BIO_should_retry(b))) {
+                                if (!n)
+                                        continue;
+                                tmp_data = realloc((*policy)->data,
+                                    (*policy)->length + n + 1);
+                                if (!tmp_data)
+                                        break;
+                                (*policy)->data = tmp_data;
+                                memcpy(&(*policy)->data[(*policy)->length],
+                                    buf, n);
+                                (*policy)->length += n;
+                                (*policy)->data[(*policy)->length] = '\0';
+                        }
+                        BIO_free_all(b);
+                        if (n < 0) {
+                                X509V3error(ERR_R_BIO_LIB);
+                                X509V3_conf_err(val);
+                                goto err;
+                        }
+                }
+                else if (strncmp(val->value, "text:", 5) == 0) {
+                        val_len = strlen(val->value + 5);
+                        tmp_data = realloc((*policy)->data,
+                            (*policy)->length + val_len + 1);
+                        if (tmp_data) {
+                                (*policy)->data = tmp_data;
+                                memcpy(&(*policy)->data[(*policy)->length],
+                                    val->value + 5, val_len);
+                                (*policy)->length += val_len;
+                                (*policy)->data[(*policy)->length] = '\0';
+                        } else {
+                                free((*policy)->data);
+                                (*policy)->data = NULL;
+                                (*policy)->length = 0;
+                                X509V3error(ERR_R_MALLOC_FAILURE);
+                                X509V3_conf_err(val);
+                                goto err;
+                        }
+                } else {
+                        X509V3error(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);
+                        X509V3_conf_err(val);
+                        goto err;
+                }
+                if (!tmp_data) {
+                        X509V3error(ERR_R_MALLOC_FAILURE);
+                        X509V3_conf_err(val);
+                        goto err;
+                }
+        }
+        return 1;
+err:
+        if (free_policy) {
+                ASN1_OCTET_STRING_free(*policy);
+                *policy = NULL;
+        }
+        return 0;
+}
+static PROXY_CERT_INFO_EXTENSION *
+r2i_pci(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value)
+{
+        PROXY_CERT_INFO_EXTENSION *pci = NULL;
+        STACK_OF(CONF_VALUE) *vals;
+        ASN1_OBJECT *language = NULL;
+        ASN1_INTEGER *pathlen = NULL;
+        ASN1_OCTET_STRING *policy = NULL;
+        int i, j;
+        vals = X509V3_parse_list(value);
+        for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
+                CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);
+                if (!cnf->name || (*cnf->name != '@' && !cnf->value)) {
+                        X509V3error(X509V3_R_INVALID_PROXY_POLICY_SETTING);
+                        X509V3_conf_err(cnf);
+                        goto err;
+                }
+                if (*cnf->name == '@') {
+                        STACK_OF(CONF_VALUE) *sect;
+                        int success_p = 1;
+                        sect = X509V3_get_section(ctx, cnf->name + 1);
+                        if (!sect) {
+                                X509V3error(X509V3_R_INVALID_SECTION);
+                                X509V3_conf_err(cnf);
+                                goto err;
+                        }
+                        for (j = 0; success_p &&
+                            j < sk_CONF_VALUE_num(sect); j++) {
+                                success_p = process_pci_value(
+                                    sk_CONF_VALUE_value(sect, j),
+                                    &language, &pathlen, &policy);
+                        }
+                        X509V3_section_free(ctx, sect);
+                        if (!success_p)
+                                goto err;
+                } else {
+                        if (!process_pci_value(cnf,
+                            &language, &pathlen, &policy)) {
+                                X509V3_conf_err(cnf);
+                                goto err;
+                        }
+                }
+        }
+        /* Language is mandatory */
+        if (!language) {
+                X509V3error(X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED);
+                goto err;
+        }
+        i = OBJ_obj2nid(language);
+        if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy) {
+                X509V3error(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY);
+                goto err;
+        }
+        pci = PROXY_CERT_INFO_EXTENSION_new();
+        if (!pci) {
+                X509V3error(ERR_R_MALLOC_FAILURE);
+                goto err;
+        }
+        pci->proxyPolicy->policyLanguage = language;
+        language = NULL;
+        pci->proxyPolicy->policy = policy;
+        policy = NULL;
+        pci->pcPathLengthConstraint = pathlen;
+        pathlen = NULL;
+        goto end;
+err:
+        ASN1_OBJECT_free(language);
+        language = NULL;
+        ASN1_INTEGER_free(pathlen);
+        pathlen = NULL;
+        ASN1_OCTET_STRING_free(policy);
+        policy = NULL;
+end:
+        sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
+        return pci;
+}

diff --git a/src/lib/libcrypto/x509/x509_pci.c b/src/lib/libcrypto/x509/x509_pci.c new file mode 100644 index 0000000000..8997f0cec8 --- /dev/null +++ b/src/lib/libcrypto/x509/x509_pci.c
@@ -0,0 +1,310 @@
	1	/* $OpenBSD: x509_pci.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
	2	/* Contributed to the OpenSSL Project 2004
	3	* by Richard Levitte (richard@levitte.org)
	4	*/
	5	/* Copyright (c) 2004 Kungliga Tekniska Högskolan
	6	* (Royal Institute of Technology, Stockholm, Sweden).
	7	* All rights reserved.
	8	*
	9	* Redistribution and use in source and binary forms, with or without
	10	* modification, are permitted provided that the following conditions
	11	* are met:
	12	*
	13	* 1. Redistributions of source code must retain the above copyright
	14	* notice, this list of conditions and the following disclaimer.
	15	*
	16	* 2. Redistributions in binary form must reproduce the above copyright
	17	* notice, this list of conditions and the following disclaimer in the
	18	* documentation and/or other materials provided with the distribution.
	19	*
	20	* 3. Neither the name of the Institute nor the names of its contributors
	21	* may be used to endorse or promote products derived from this software
	22	* without specific prior written permission.
	23	*
	24	* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
	25	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	26	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	27	* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
	28	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	29	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	30	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	31	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	32	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	33	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	34	* SUCH DAMAGE.
	35	*/
	36
	37	#include <stdio.h>
	38	#include <string.h>
	39
	40	#include <openssl/conf.h>
	41	#include <openssl/err.h>
	42	#include <openssl/x509v3.h>
	43
	44	static int i2r_pci(X509V3_EXT_METHOD method, PROXY_CERT_INFO_EXTENSION ext,
	45	BIO *out, int indent);
	46	static PROXY_CERT_INFO_EXTENSION r2i_pci(X509V3_EXT_METHOD method,
	47	X509V3_CTX ctx, char str);
	48
	49	const X509V3_EXT_METHOD v3_pci = {
	50	.ext_nid = NID_proxyCertInfo,
	51	.ext_flags = 0,
	52	.it = &PROXY_CERT_INFO_EXTENSION_it,
	53	.ext_new = NULL,
	54	.ext_free = NULL,
	55	.d2i = NULL,
	56	.i2d = NULL,
	57	.i2s = NULL,
	58	.s2i = NULL,
	59	.i2v = NULL,
	60	.v2i = NULL,
	61	.i2r = (X509V3_EXT_I2R)i2r_pci,
	62	.r2i = (X509V3_EXT_R2I)r2i_pci,
	63	.usr_data = NULL,
	64	};
	65
	66	static int
	67	i2r_pci(X509V3_EXT_METHOD method, PROXY_CERT_INFO_EXTENSION pci, BIO *out,
	68	int indent)
	69	{
	70	BIO_printf(out, "%*sPath Length Constraint: ", indent, "");
	71	if (pci->pcPathLengthConstraint)
	72	i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint);
	73	else
	74	BIO_printf(out, "infinite");
	75	BIO_puts(out, "\n");
	76	BIO_printf(out, "%*sPolicy Language: ", indent, "");
	77	i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
	78	BIO_puts(out, "\n");
	79	if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
	80	BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
	81	pci->proxyPolicy->policy->data);
	82	return 1;
	83	}
	84
	85	static int
	86	process_pci_value(CONF_VALUE val, ASN1_OBJECT *language,
	87	ASN1_INTEGER pathlen, ASN1_OCTET_STRING policy)
	88	{
	89	int free_policy = 0;
	90
	91	if (strcmp(val->name, "language") == 0) {
	92	if (*language) {
	93	X509V3error(X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED);
	94	X509V3_conf_err(val);
	95	return 0;
	96	}
	97	if (!(*language = OBJ_txt2obj(val->value, 0))) {
	98	X509V3error(X509V3_R_INVALID_OBJECT_IDENTIFIER);
	99	X509V3_conf_err(val);
	100	return 0;
	101	}
	102	}
	103	else if (strcmp(val->name, "pathlen") == 0) {
	104	if (*pathlen) {
	105	X509V3error(X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED);
	106	X509V3_conf_err(val);
	107	return 0;
	108	}
	109	if (!X509V3_get_value_int(val, pathlen)) {
	110	X509V3error(X509V3_R_POLICY_PATH_LENGTH);
	111	X509V3_conf_err(val);
	112	return 0;
	113	}
	114	}
	115	else if (strcmp(val->name, "policy") == 0) {
	116	unsigned char *tmp_data = NULL;
	117	long val_len;
	118	if (!*policy) {
	119	*policy = ASN1_OCTET_STRING_new();
	120	if (!*policy) {
	121	X509V3error(ERR_R_MALLOC_FAILURE);
	122	X509V3_conf_err(val);
	123	return 0;
	124	}
	125	free_policy = 1;
	126	}
	127	if (strncmp(val->value, "hex:", 4) == 0) {
	128	unsigned char *tmp_data2 =
	129	string_to_hex(val->value + 4, &val_len);
	130
	131	if (!tmp_data2) {
	132	X509V3error(X509V3_R_ILLEGAL_HEX_DIGIT);
	133	X509V3_conf_err(val);
	134	goto err;
	135	}
	136
	137	tmp_data = realloc((*policy)->data,
	138	(*policy)->length + val_len + 1);
	139	if (tmp_data) {
	140	(*policy)->data = tmp_data;
	141	memcpy(&(policy)->data[(policy)->length],
	142	tmp_data2, val_len);
	143	(*policy)->length += val_len;
	144	(policy)->data[(policy)->length] = '\0';
	145	} else {
	146	free(tmp_data2);
	147	free((*policy)->data);
	148	(*policy)->data = NULL;
	149	(*policy)->length = 0;
	150	X509V3error(ERR_R_MALLOC_FAILURE);
	151	X509V3_conf_err(val);
	152	goto err;
	153	}
	154	free(tmp_data2);
	155	}
	156	else if (strncmp(val->value, "file:", 5) == 0) {
	157	unsigned char buf[2048];
	158	int n;
	159	BIO *b = BIO_new_file(val->value + 5, "r");
	160	if (!b) {
	161	X509V3error(ERR_R_BIO_LIB);
	162	X509V3_conf_err(val);
	163	goto err;
	164	}
	165	while ((n = BIO_read(b, buf, sizeof(buf))) > 0 \|\|
	166	(n == 0 && BIO_should_retry(b))) {
	167	if (!n)
	168	continue;
	169
	170	tmp_data = realloc((*policy)->data,
	171	(*policy)->length + n + 1);
	172
	173	if (!tmp_data)
	174	break;
	175
	176	(*policy)->data = tmp_data;
	177	memcpy(&(policy)->data[(policy)->length],
	178	buf, n);
	179	(*policy)->length += n;
	180	(policy)->data[(policy)->length] = '\0';
	181	}
	182	BIO_free_all(b);
	183
	184	if (n < 0) {
	185	X509V3error(ERR_R_BIO_LIB);
	186	X509V3_conf_err(val);
	187	goto err;
	188	}
	189	}
	190	else if (strncmp(val->value, "text:", 5) == 0) {
	191	val_len = strlen(val->value + 5);
	192	tmp_data = realloc((*policy)->data,
	193	(*policy)->length + val_len + 1);
	194	if (tmp_data) {
	195	(*policy)->data = tmp_data;
	196	memcpy(&(policy)->data[(policy)->length],
	197	val->value + 5, val_len);
	198	(*policy)->length += val_len;
	199	(policy)->data[(policy)->length] = '\0';
	200	} else {
	201	free((*policy)->data);
	202	(*policy)->data = NULL;
	203	(*policy)->length = 0;
	204	X509V3error(ERR_R_MALLOC_FAILURE);
	205	X509V3_conf_err(val);
	206	goto err;
	207	}
	208	} else {
	209	X509V3error(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);
	210	X509V3_conf_err(val);
	211	goto err;
	212	}
	213	if (!tmp_data) {
	214	X509V3error(ERR_R_MALLOC_FAILURE);
	215	X509V3_conf_err(val);
	216	goto err;
	217	}
	218	}
	219	return 1;
	220
	221	err:
	222	if (free_policy) {
	223	ASN1_OCTET_STRING_free(*policy);
	224	*policy = NULL;
	225	}
	226	return 0;
	227	}
	228
	229	static PROXY_CERT_INFO_EXTENSION *
	230	r2i_pci(X509V3_EXT_METHOD method, X509V3_CTX ctx, char *value)
	231	{
	232	PROXY_CERT_INFO_EXTENSION *pci = NULL;
	233	STACK_OF(CONF_VALUE) *vals;
	234	ASN1_OBJECT *language = NULL;
	235	ASN1_INTEGER *pathlen = NULL;
	236	ASN1_OCTET_STRING *policy = NULL;
	237	int i, j;
	238
	239	vals = X509V3_parse_list(value);
	240	for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
	241	CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);
	242	if (!cnf->name \|\| (*cnf->name != '@' && !cnf->value)) {
	243	X509V3error(X509V3_R_INVALID_PROXY_POLICY_SETTING);
	244	X509V3_conf_err(cnf);
	245	goto err;
	246	}
	247	if (*cnf->name == '@') {
	248	STACK_OF(CONF_VALUE) *sect;
	249	int success_p = 1;
	250
	251	sect = X509V3_get_section(ctx, cnf->name + 1);
	252	if (!sect) {
	253	X509V3error(X509V3_R_INVALID_SECTION);
	254	X509V3_conf_err(cnf);
	255	goto err;
	256	}
	257	for (j = 0; success_p &&
	258	j < sk_CONF_VALUE_num(sect); j++) {
	259	success_p = process_pci_value(
	260	sk_CONF_VALUE_value(sect, j),
	261	&language, &pathlen, &policy);
	262	}
	263	X509V3_section_free(ctx, sect);
	264	if (!success_p)
	265	goto err;
	266	} else {
	267	if (!process_pci_value(cnf,
	268	&language, &pathlen, &policy)) {
	269	X509V3_conf_err(cnf);
	270	goto err;
	271	}
	272	}
	273	}
	274
	275	/* Language is mandatory */
	276	if (!language) {
	277	X509V3error(X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED);
	278	goto err;
	279	}
	280	i = OBJ_obj2nid(language);
	281	if ((i == NID_Independent \|\| i == NID_id_ppl_inheritAll) && policy) {
	282	X509V3error(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY);
	283	goto err;
	284	}
	285
	286	pci = PROXY_CERT_INFO_EXTENSION_new();
	287	if (!pci) {
	288	X509V3error(ERR_R_MALLOC_FAILURE);
	289	goto err;
	290	}
	291
	292	pci->proxyPolicy->policyLanguage = language;
	293	language = NULL;
	294	pci->proxyPolicy->policy = policy;
	295	policy = NULL;
	296	pci->pcPathLengthConstraint = pathlen;
	297	pathlen = NULL;
	298	goto end;
	299
	300	err:
	301	ASN1_OBJECT_free(language);
	302	language = NULL;
	303	ASN1_INTEGER_free(pathlen);
	304	pathlen = NULL;
	305	ASN1_OCTET_STRING_free(policy);
	306	policy = NULL;
	307	end:
	308	sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
	309	return pci;
	310	}