summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/x509
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/x509')
-rw-r--r--src/lib/libcrypto/x509/ext_dat.h133
-rw-r--r--src/lib/libcrypto/x509/pcy_cache.c271
-rw-r--r--src/lib/libcrypto/x509/pcy_data.c129
-rw-r--r--src/lib/libcrypto/x509/pcy_int.h209
-rw-r--r--src/lib/libcrypto/x509/pcy_lib.c157
-rw-r--r--src/lib/libcrypto/x509/pcy_map.c126
-rw-r--r--src/lib/libcrypto/x509/pcy_node.c200
-rw-r--r--src/lib/libcrypto/x509/pcy_tree.c770
-rw-r--r--src/lib/libcrypto/x509/v3err.c226
-rw-r--r--src/lib/libcrypto/x509/x509_akey.c237
-rw-r--r--src/lib/libcrypto/x509/x509_akeya.c124
-rw-r--r--src/lib/libcrypto/x509/x509_alt.c699
-rw-r--r--src/lib/libcrypto/x509/x509_bcons.c199
-rw-r--r--src/lib/libcrypto/x509/x509_bitst.c187
-rw-r--r--src/lib/libcrypto/x509/x509_conf.c570
-rw-r--r--src/lib/libcrypto/x509/x509_cpols.c763
-rw-r--r--src/lib/libcrypto/x509/x509_crld.c809
-rw-r--r--src/lib/libcrypto/x509/x509_enum.c107
-rw-r--r--src/lib/libcrypto/x509/x509_extku.c217
-rw-r--r--src/lib/libcrypto/x509/x509_genn.c474
-rw-r--r--src/lib/libcrypto/x509/x509_ia5.c238
-rw-r--r--src/lib/libcrypto/x509/x509_info.c308
-rw-r--r--src/lib/libcrypto/x509/x509_int.c110
-rw-r--r--src/lib/libcrypto/x509/x509_lib.c358
-rw-r--r--src/lib/libcrypto/x509/x509_ncons.c556
-rw-r--r--src/lib/libcrypto/x509/x509_ocsp.c380
-rw-r--r--src/lib/libcrypto/x509/x509_pci.c310
-rw-r--r--src/lib/libcrypto/x509/x509_pcia.c145
-rw-r--r--src/lib/libcrypto/x509/x509_pcons.c194
-rw-r--r--src/lib/libcrypto/x509/x509_pku.c154
-rw-r--r--src/lib/libcrypto/x509/x509_pmaps.c235
-rw-r--r--src/lib/libcrypto/x509/x509_prn.c225
-rw-r--r--src/lib/libcrypto/x509/x509_purp.c893
-rw-r--r--src/lib/libcrypto/x509/x509_skey.c161
-rw-r--r--src/lib/libcrypto/x509/x509_sxnet.c383
-rw-r--r--src/lib/libcrypto/x509/x509_utl.c1387
-rw-r--r--src/lib/libcrypto/x509/x509v3.h992
37 files changed, 13636 insertions, 0 deletions
diff --git a/src/lib/libcrypto/x509/ext_dat.h b/src/lib/libcrypto/x509/ext_dat.h
new file mode 100644
index 0000000000..1a7ae6e1ae
--- /dev/null
+++ b/src/lib/libcrypto/x509/ext_dat.h
@@ -0,0 +1,133 @@
1/* $OpenBSD: ext_dat.h,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <openssl/opensslconf.h>
60
61__BEGIN_HIDDEN_DECLS
62
63/* This file contains a table of "standard" extensions */
64
65extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
66extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo;
67extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
68extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
69extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl;
70extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
71extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
72extern X509V3_EXT_METHOD v3_crl_hold, v3_pci;
73extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
74extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
75extern X509V3_EXT_METHOD v3_addr, v3_asid;
76
77/* This table will be searched using OBJ_bsearch so it *must* kept in
78 * order of the ext_nid values.
79 */
80
81static const X509V3_EXT_METHOD *standard_exts[] = {
82 &v3_nscert,
83 &v3_ns_ia5_list[0],
84 &v3_ns_ia5_list[1],
85 &v3_ns_ia5_list[2],
86 &v3_ns_ia5_list[3],
87 &v3_ns_ia5_list[4],
88 &v3_ns_ia5_list[5],
89 &v3_ns_ia5_list[6],
90 &v3_skey_id,
91 &v3_key_usage,
92 &v3_pkey_usage_period,
93 &v3_alt[0],
94 &v3_alt[1],
95 &v3_bcons,
96 &v3_crl_num,
97 &v3_cpols,
98 &v3_akey_id,
99 &v3_crld,
100 &v3_ext_ku,
101 &v3_delta_crl,
102 &v3_crl_reason,
103#ifndef OPENSSL_NO_OCSP
104 &v3_crl_invdate,
105#endif
106 &v3_sxnet,
107 &v3_info,
108#ifndef OPENSSL_NO_OCSP
109 &v3_ocsp_nonce,
110 &v3_ocsp_crlid,
111 &v3_ocsp_accresp,
112 &v3_ocsp_nocheck,
113 &v3_ocsp_acutoff,
114 &v3_ocsp_serviceloc,
115#endif
116 &v3_sinfo,
117 &v3_policy_constraints,
118#ifndef OPENSSL_NO_OCSP
119 &v3_crl_hold,
120#endif
121 &v3_pci,
122 &v3_name_constraints,
123 &v3_policy_mappings,
124 &v3_inhibit_anyp,
125 &v3_idp,
126 &v3_alt[2],
127 &v3_freshest_crl,
128};
129
130/* Number of standard extensions */
131#define STANDARD_EXTENSION_COUNT (sizeof(standard_exts)/sizeof(X509V3_EXT_METHOD *))
132
133__END_HIDDEN_DECLS
diff --git a/src/lib/libcrypto/x509/pcy_cache.c b/src/lib/libcrypto/x509/pcy_cache.c
new file mode 100644
index 0000000000..896ba7d59e
--- /dev/null
+++ b/src/lib/libcrypto/x509/pcy_cache.c
@@ -0,0 +1,271 @@
1/* $OpenBSD: pcy_cache.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <openssl/x509.h>
60#include <openssl/x509v3.h>
61
62#include "pcy_int.h"
63
64static int policy_data_cmp(const X509_POLICY_DATA * const *a,
65 const X509_POLICY_DATA * const *b);
66static int policy_cache_set_int(long *out, ASN1_INTEGER *value);
67
68/* Set cache entry according to CertificatePolicies extension.
69 * Note: this destroys the passed CERTIFICATEPOLICIES structure.
70 */
71
72static int
73policy_cache_create(X509 *x, CERTIFICATEPOLICIES *policies, int crit)
74{
75 int i;
76 int ret = 0;
77 X509_POLICY_CACHE *cache = x->policy_cache;
78 X509_POLICY_DATA *data = NULL;
79 POLICYINFO *policy;
80
81 if (sk_POLICYINFO_num(policies) == 0)
82 goto bad_policy;
83 cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
84 if (!cache->data)
85 goto bad_policy;
86 for (i = 0; i < sk_POLICYINFO_num(policies); i++) {
87 policy = sk_POLICYINFO_value(policies, i);
88 data = policy_data_new(policy, NULL, crit);
89 if (!data)
90 goto bad_policy;
91 /* Duplicate policy OIDs are illegal: reject if matches
92 * found.
93 */
94 if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
95 if (cache->anyPolicy) {
96 ret = -1;
97 goto bad_policy;
98 }
99 cache->anyPolicy = data;
100 } else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1) {
101 ret = -1;
102 goto bad_policy;
103 } else if (!sk_X509_POLICY_DATA_push(cache->data, data))
104 goto bad_policy;
105 data = NULL;
106 }
107 ret = 1;
108
109bad_policy:
110 if (ret == -1)
111 x->ex_flags |= EXFLAG_INVALID_POLICY;
112 if (data)
113 policy_data_free(data);
114 sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
115 if (ret <= 0) {
116 sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
117 cache->data = NULL;
118 }
119 return ret;
120}
121
122static int
123policy_cache_new(X509 *x)
124{
125 X509_POLICY_CACHE *cache;
126 ASN1_INTEGER *ext_any = NULL;
127 POLICY_CONSTRAINTS *ext_pcons = NULL;
128 CERTIFICATEPOLICIES *ext_cpols = NULL;
129 POLICY_MAPPINGS *ext_pmaps = NULL;
130 int i;
131
132 cache = malloc(sizeof(X509_POLICY_CACHE));
133 if (!cache)
134 return 0;
135 cache->anyPolicy = NULL;
136 cache->data = NULL;
137 cache->any_skip = -1;
138 cache->explicit_skip = -1;
139 cache->map_skip = -1;
140
141 x->policy_cache = cache;
142
143 /* Handle requireExplicitPolicy *first*. Need to process this
144 * even if we don't have any policies.
145 */
146 ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);
147
148 if (!ext_pcons) {
149 if (i != -1)
150 goto bad_cache;
151 } else {
152 if (!ext_pcons->requireExplicitPolicy &&
153 !ext_pcons->inhibitPolicyMapping)
154 goto bad_cache;
155 if (!policy_cache_set_int(&cache->explicit_skip,
156 ext_pcons->requireExplicitPolicy))
157 goto bad_cache;
158 if (!policy_cache_set_int(&cache->map_skip,
159 ext_pcons->inhibitPolicyMapping))
160 goto bad_cache;
161 }
162
163 /* Process CertificatePolicies */
164
165 ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL);
166 /* If no CertificatePolicies extension or problem decoding then
167 * there is no point continuing because the valid policies will be
168 * NULL.
169 */
170 if (!ext_cpols) {
171 /* If not absent some problem with extension */
172 if (i != -1)
173 goto bad_cache;
174 return 1;
175 }
176
177 i = policy_cache_create(x, ext_cpols, i);
178
179 /* NB: ext_cpols freed by policy_cache_set_policies */
180
181 if (i <= 0)
182 return i;
183
184 ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);
185
186 if (!ext_pmaps) {
187 /* If not absent some problem with extension */
188 if (i != -1)
189 goto bad_cache;
190 } else {
191 i = policy_cache_set_mapping(x, ext_pmaps);
192 if (i <= 0)
193 goto bad_cache;
194 }
195
196 ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);
197
198 if (!ext_any) {
199 if (i != -1)
200 goto bad_cache;
201 } else if (!policy_cache_set_int(&cache->any_skip, ext_any))
202 goto bad_cache;
203
204 if (0) {
205bad_cache:
206 x->ex_flags |= EXFLAG_INVALID_POLICY;
207 }
208
209 if (ext_pcons)
210 POLICY_CONSTRAINTS_free(ext_pcons);
211
212 if (ext_any)
213 ASN1_INTEGER_free(ext_any);
214
215 return 1;
216}
217
218void
219policy_cache_free(X509_POLICY_CACHE *cache)
220{
221 if (!cache)
222 return;
223 if (cache->anyPolicy)
224 policy_data_free(cache->anyPolicy);
225 if (cache->data)
226 sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
227 free(cache);
228}
229
230const X509_POLICY_CACHE *
231policy_cache_set(X509 *x)
232{
233 if (x->policy_cache == NULL) {
234 CRYPTO_w_lock(CRYPTO_LOCK_X509);
235 policy_cache_new(x);
236 CRYPTO_w_unlock(CRYPTO_LOCK_X509);
237 }
238
239 return x->policy_cache;
240}
241
242X509_POLICY_DATA *
243policy_cache_find_data(const X509_POLICY_CACHE *cache, const ASN1_OBJECT *id)
244{
245 int idx;
246 X509_POLICY_DATA tmp;
247
248 tmp.valid_policy = (ASN1_OBJECT *)id;
249 idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
250 if (idx == -1)
251 return NULL;
252 return sk_X509_POLICY_DATA_value(cache->data, idx);
253}
254
255static int
256policy_data_cmp(const X509_POLICY_DATA * const *a,
257 const X509_POLICY_DATA * const *b)
258{
259 return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy);
260}
261
262static int
263policy_cache_set_int(long *out, ASN1_INTEGER *value)
264{
265 if (value == NULL)
266 return 1;
267 if (value->type == V_ASN1_NEG_INTEGER)
268 return 0;
269 *out = ASN1_INTEGER_get(value);
270 return 1;
271}
diff --git a/src/lib/libcrypto/x509/pcy_data.c b/src/lib/libcrypto/x509/pcy_data.c
new file mode 100644
index 0000000000..dadacb5266
--- /dev/null
+++ b/src/lib/libcrypto/x509/pcy_data.c
@@ -0,0 +1,129 @@
1/* $OpenBSD: pcy_data.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <openssl/x509.h>
60#include <openssl/x509v3.h>
61
62#include "pcy_int.h"
63
64/* Policy Node routines */
65
66void
67policy_data_free(X509_POLICY_DATA *data)
68{
69 ASN1_OBJECT_free(data->valid_policy);
70 /* Don't free qualifiers if shared */
71 if (!(data->flags & POLICY_DATA_FLAG_SHARED_QUALIFIERS))
72 sk_POLICYQUALINFO_pop_free(data->qualifier_set,
73 POLICYQUALINFO_free);
74 sk_ASN1_OBJECT_pop_free(data->expected_policy_set, ASN1_OBJECT_free);
75 free(data);
76}
77
78/* Create a data based on an existing policy. If 'id' is NULL use the
79 * oid in the policy, otherwise use 'id'. This behaviour covers the two
80 * types of data in RFC3280: data with from a CertificatePolcies extension
81 * and additional data with just the qualifiers of anyPolicy and ID from
82 * another source.
83 */
84
85X509_POLICY_DATA *
86policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *cid, int crit)
87{
88 X509_POLICY_DATA *ret = NULL;
89 ASN1_OBJECT *id = NULL;
90
91 if (policy == NULL && cid == NULL)
92 return NULL;
93 if (cid != NULL) {
94 id = OBJ_dup(cid);
95 if (id == NULL)
96 return NULL;
97 }
98 ret = malloc(sizeof(X509_POLICY_DATA));
99 if (ret == NULL)
100 goto err;
101 ret->expected_policy_set = sk_ASN1_OBJECT_new_null();
102 if (ret->expected_policy_set == NULL)
103 goto err;
104
105 if (crit)
106 ret->flags = POLICY_DATA_FLAG_CRITICAL;
107 else
108 ret->flags = 0;
109
110 if (id != NULL)
111 ret->valid_policy = id;
112 else {
113 ret->valid_policy = policy->policyid;
114 policy->policyid = NULL;
115 }
116
117 if (policy != NULL) {
118 ret->qualifier_set = policy->qualifiers;
119 policy->qualifiers = NULL;
120 } else
121 ret->qualifier_set = NULL;
122
123 return ret;
124
125err:
126 free(ret);
127 ASN1_OBJECT_free(id);
128 return NULL;
129}
diff --git a/src/lib/libcrypto/x509/pcy_int.h b/src/lib/libcrypto/x509/pcy_int.h
new file mode 100644
index 0000000000..6632b787fa
--- /dev/null
+++ b/src/lib/libcrypto/x509/pcy_int.h
@@ -0,0 +1,209 @@
1/* $OpenBSD: pcy_int.h,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59__BEGIN_HIDDEN_DECLS
60
61typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
62
63DECLARE_STACK_OF(X509_POLICY_DATA)
64
65/* Internal structures */
66
67/* This structure and the field names correspond to the Policy 'node' of
68 * RFC3280. NB this structure contains no pointers to parent or child
69 * data: X509_POLICY_NODE contains that. This means that the main policy data
70 * can be kept static and cached with the certificate.
71 */
72
73struct X509_POLICY_DATA_st {
74 unsigned int flags;
75 /* Policy OID and qualifiers for this data */
76 ASN1_OBJECT *valid_policy;
77 STACK_OF(POLICYQUALINFO) *qualifier_set;
78 STACK_OF(ASN1_OBJECT) *expected_policy_set;
79};
80
81/* X509_POLICY_DATA flags values */
82
83/* This flag indicates the structure has been mapped using a policy mapping
84 * extension. If policy mapping is not active its references get deleted.
85 */
86
87#define POLICY_DATA_FLAG_MAPPED 0x1
88
89/* This flag indicates the data doesn't correspond to a policy in Certificate
90 * Policies: it has been mapped to any policy.
91 */
92
93#define POLICY_DATA_FLAG_MAPPED_ANY 0x2
94
95/* AND with flags to see if any mapping has occurred */
96
97#define POLICY_DATA_FLAG_MAP_MASK 0x3
98
99/* qualifiers are shared and shouldn't be freed */
100
101#define POLICY_DATA_FLAG_SHARED_QUALIFIERS 0x4
102
103/* Parent node is an extra node and should be freed */
104
105#define POLICY_DATA_FLAG_EXTRA_NODE 0x8
106
107/* Corresponding CertificatePolicies is critical */
108
109#define POLICY_DATA_FLAG_CRITICAL 0x10
110
111/* This structure is cached with a certificate */
112
113struct X509_POLICY_CACHE_st {
114 /* anyPolicy data or NULL if no anyPolicy */
115 X509_POLICY_DATA *anyPolicy;
116 /* other policy data */
117 STACK_OF(X509_POLICY_DATA) *data;
118 /* If InhibitAnyPolicy present this is its value or -1 if absent. */
119 long any_skip;
120 /* If policyConstraints and requireExplicitPolicy present this is its
121 * value or -1 if absent.
122 */
123 long explicit_skip;
124 /* If policyConstraints and policyMapping present this is its
125 * value or -1 if absent.
126 */
127 long map_skip;
128};
129
130/*#define POLICY_CACHE_FLAG_CRITICAL POLICY_DATA_FLAG_CRITICAL*/
131
132/* This structure represents the relationship between nodes */
133
134struct X509_POLICY_NODE_st {
135 /* node data this refers to */
136 const X509_POLICY_DATA *data;
137 /* Parent node */
138 X509_POLICY_NODE *parent;
139 /* Number of child nodes */
140 int nchild;
141};
142
143struct X509_POLICY_LEVEL_st {
144 /* Cert for this level */
145 X509 *cert;
146 /* nodes at this level */
147 STACK_OF(X509_POLICY_NODE) *nodes;
148 /* anyPolicy node */
149 X509_POLICY_NODE *anyPolicy;
150 /* Extra data */
151 /*STACK_OF(X509_POLICY_DATA) *extra_data;*/
152 unsigned int flags;
153};
154
155struct X509_POLICY_TREE_st {
156 /* This is the tree 'level' data */
157 X509_POLICY_LEVEL *levels;
158 int nlevel;
159 /* Extra policy data when additional nodes (not from the certificate)
160 * are required.
161 */
162 STACK_OF(X509_POLICY_DATA) *extra_data;
163 /* This is the authority constained policy set */
164 STACK_OF(X509_POLICY_NODE) *auth_policies;
165 STACK_OF(X509_POLICY_NODE) *user_policies;
166 unsigned int flags;
167};
168
169/* Set if anyPolicy present in user policies */
170#define POLICY_FLAG_ANY_POLICY 0x2
171
172/* Useful macros */
173
174#define node_data_critical(data) (data->flags & POLICY_DATA_FLAG_CRITICAL)
175#define node_critical(node) node_data_critical(node->data)
176
177/* Internal functions */
178
179X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *id,
180 int crit);
181void policy_data_free(X509_POLICY_DATA *data);
182
183X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
184 const ASN1_OBJECT *id);
185int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps);
186
187
188STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void);
189
190void policy_cache_init(void);
191
192void policy_cache_free(X509_POLICY_CACHE *cache);
193
194X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
195 const X509_POLICY_NODE *parent, const ASN1_OBJECT *id);
196
197X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
198 const ASN1_OBJECT *id);
199
200int level_add_node(X509_POLICY_LEVEL *level,
201 const X509_POLICY_DATA *data, X509_POLICY_NODE *parent,
202 X509_POLICY_TREE *tree, X509_POLICY_NODE **nodep);
203void policy_node_free(X509_POLICY_NODE *node);
204int policy_node_match(const X509_POLICY_LEVEL *lvl,
205 const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
206
207const X509_POLICY_CACHE *policy_cache_set(X509 *x);
208
209__END_HIDDEN_DECLS
diff --git a/src/lib/libcrypto/x509/pcy_lib.c b/src/lib/libcrypto/x509/pcy_lib.c
new file mode 100644
index 0000000000..3d5c58d710
--- /dev/null
+++ b/src/lib/libcrypto/x509/pcy_lib.c
@@ -0,0 +1,157 @@
1/* $OpenBSD: pcy_lib.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <openssl/x509.h>
60#include <openssl/x509v3.h>
61
62#include "pcy_int.h"
63
64/* accessor functions */
65
66/* X509_POLICY_TREE stuff */
67
68int
69X509_policy_tree_level_count(const X509_POLICY_TREE *tree)
70{
71 if (!tree)
72 return 0;
73 return tree->nlevel;
74}
75
76X509_POLICY_LEVEL *
77X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i)
78{
79 if (!tree || (i < 0) || (i >= tree->nlevel))
80 return NULL;
81 return tree->levels + i;
82}
83
84STACK_OF(X509_POLICY_NODE) *
85X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree)
86{
87 if (!tree)
88 return NULL;
89 return tree->auth_policies;
90}
91
92STACK_OF(X509_POLICY_NODE) *
93X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree)
94{
95 if (!tree)
96 return NULL;
97 if (tree->flags & POLICY_FLAG_ANY_POLICY)
98 return tree->auth_policies;
99 else
100 return tree->user_policies;
101}
102
103/* X509_POLICY_LEVEL stuff */
104
105int
106X509_policy_level_node_count(X509_POLICY_LEVEL *level)
107{
108 int n;
109 if (!level)
110 return 0;
111 if (level->anyPolicy)
112 n = 1;
113 else
114 n = 0;
115 if (level->nodes)
116 n += sk_X509_POLICY_NODE_num(level->nodes);
117 return n;
118}
119
120X509_POLICY_NODE *
121X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i)
122{
123 if (!level)
124 return NULL;
125 if (level->anyPolicy) {
126 if (i == 0)
127 return level->anyPolicy;
128 i--;
129 }
130 return sk_X509_POLICY_NODE_value(level->nodes, i);
131}
132
133/* X509_POLICY_NODE stuff */
134
135const ASN1_OBJECT *
136X509_policy_node_get0_policy(const X509_POLICY_NODE *node)
137{
138 if (!node)
139 return NULL;
140 return node->data->valid_policy;
141}
142
143STACK_OF(POLICYQUALINFO) *
144X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node)
145{
146 if (!node)
147 return NULL;
148 return node->data->qualifier_set;
149}
150
151const X509_POLICY_NODE *
152X509_policy_node_get0_parent(const X509_POLICY_NODE *node)
153{
154 if (!node)
155 return NULL;
156 return node->parent;
157}
diff --git a/src/lib/libcrypto/x509/pcy_map.c b/src/lib/libcrypto/x509/pcy_map.c
new file mode 100644
index 0000000000..287a430c2c
--- /dev/null
+++ b/src/lib/libcrypto/x509/pcy_map.c
@@ -0,0 +1,126 @@
1/* $OpenBSD: pcy_map.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <openssl/x509.h>
60#include <openssl/x509v3.h>
61
62#include "pcy_int.h"
63
64/* Set policy mapping entries in cache.
65 * Note: this modifies the passed POLICY_MAPPINGS structure
66 */
67
68int
69policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
70{
71 POLICY_MAPPING *map;
72 X509_POLICY_DATA *data;
73 X509_POLICY_CACHE *cache = x->policy_cache;
74 int i;
75 int ret = 0;
76
77 if (sk_POLICY_MAPPING_num(maps) == 0) {
78 ret = -1;
79 goto bad_mapping;
80 }
81 for (i = 0; i < sk_POLICY_MAPPING_num(maps); i++) {
82 map = sk_POLICY_MAPPING_value(maps, i);
83 /* Reject if map to or from anyPolicy */
84 if ((OBJ_obj2nid(map->subjectDomainPolicy) == NID_any_policy) ||
85 (OBJ_obj2nid(map->issuerDomainPolicy) == NID_any_policy)) {
86 ret = -1;
87 goto bad_mapping;
88 }
89
90 /* Attempt to find matching policy data */
91 data = policy_cache_find_data(cache, map->issuerDomainPolicy);
92 /* If we don't have anyPolicy can't map */
93 if (!data && !cache->anyPolicy)
94 continue;
95
96 /* Create a NODE from anyPolicy */
97 if (!data) {
98 data = policy_data_new(NULL, map->issuerDomainPolicy,
99 cache->anyPolicy->flags &
100 POLICY_DATA_FLAG_CRITICAL);
101 if (!data)
102 goto bad_mapping;
103 data->qualifier_set = cache->anyPolicy->qualifier_set;
104 /*map->issuerDomainPolicy = NULL;*/
105 data->flags |= POLICY_DATA_FLAG_MAPPED_ANY;
106 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
107 if (!sk_X509_POLICY_DATA_push(cache->data, data)) {
108 policy_data_free(data);
109 goto bad_mapping;
110 }
111 } else
112 data->flags |= POLICY_DATA_FLAG_MAPPED;
113 if (!sk_ASN1_OBJECT_push(data->expected_policy_set,
114 map->subjectDomainPolicy))
115 goto bad_mapping;
116 map->subjectDomainPolicy = NULL;
117 }
118
119 ret = 1;
120
121bad_mapping:
122 if (ret == -1)
123 x->ex_flags |= EXFLAG_INVALID_POLICY;
124 sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
125 return ret;
126}
diff --git a/src/lib/libcrypto/x509/pcy_node.c b/src/lib/libcrypto/x509/pcy_node.c
new file mode 100644
index 0000000000..3a0f230bb3
--- /dev/null
+++ b/src/lib/libcrypto/x509/pcy_node.c
@@ -0,0 +1,200 @@
1/* $OpenBSD: pcy_node.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <openssl/asn1.h>
60#include <openssl/x509.h>
61#include <openssl/x509v3.h>
62
63#include "pcy_int.h"
64
65static int
66node_cmp(const X509_POLICY_NODE * const *a, const X509_POLICY_NODE * const *b)
67{
68 return OBJ_cmp((*a)->data->valid_policy, (*b)->data->valid_policy);
69}
70
71STACK_OF(X509_POLICY_NODE) *
72policy_node_cmp_new(void)
73{
74 return sk_X509_POLICY_NODE_new(node_cmp);
75}
76
77X509_POLICY_NODE *
78tree_find_sk(STACK_OF(X509_POLICY_NODE) *nodes, const ASN1_OBJECT *id)
79{
80 X509_POLICY_DATA n;
81 X509_POLICY_NODE l;
82 int idx;
83
84 n.valid_policy = (ASN1_OBJECT *)id;
85 l.data = &n;
86
87 idx = sk_X509_POLICY_NODE_find(nodes, &l);
88 if (idx == -1)
89 return NULL;
90
91 return sk_X509_POLICY_NODE_value(nodes, idx);
92}
93
94X509_POLICY_NODE *
95level_find_node(const X509_POLICY_LEVEL *level, const X509_POLICY_NODE *parent,
96 const ASN1_OBJECT *id)
97{
98 X509_POLICY_NODE *node;
99 int i;
100
101 for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {
102 node = sk_X509_POLICY_NODE_value(level->nodes, i);
103 if (node->parent == parent) {
104 if (!OBJ_cmp(node->data->valid_policy, id))
105 return node;
106 }
107 }
108 return NULL;
109}
110
111
112int
113level_add_node(X509_POLICY_LEVEL *level, const X509_POLICY_DATA *data,
114 X509_POLICY_NODE *parent, X509_POLICY_TREE *tree, X509_POLICY_NODE **nodep)
115{
116 X509_POLICY_NODE *node = NULL;
117
118 if (level) {
119 node = malloc(sizeof(X509_POLICY_NODE));
120 if (!node)
121 goto node_error;
122 node->data = data;
123 node->parent = parent;
124 node->nchild = 0;
125 if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
126 if (level->anyPolicy)
127 goto node_error;
128 level->anyPolicy = node;
129 if (parent)
130 parent->nchild++;
131 } else {
132
133 if (!level->nodes)
134 level->nodes = policy_node_cmp_new();
135 if (!level->nodes)
136 goto node_error;
137 if (!sk_X509_POLICY_NODE_push(level->nodes, node))
138 goto node_error;
139 if (parent)
140 parent->nchild++;
141 }
142 }
143
144 if (tree) {
145 if (!tree->extra_data)
146 tree->extra_data = sk_X509_POLICY_DATA_new_null();
147 if (!tree->extra_data)
148 goto node_error_cond;
149 if (!sk_X509_POLICY_DATA_push(tree->extra_data, data))
150 goto node_error_cond;
151 }
152
153 if (nodep)
154 *nodep = node;
155
156 return 1;
157
158node_error_cond:
159 if (level)
160 node = NULL;
161node_error:
162 policy_node_free(node);
163 node = NULL;
164 if (nodep)
165 *nodep = node;
166 return 0;
167}
168
169void
170policy_node_free(X509_POLICY_NODE *node)
171{
172 free(node);
173}
174
175/* See if a policy node matches a policy OID. If mapping enabled look through
176 * expected policy set otherwise just valid policy.
177 */
178
179int
180policy_node_match(const X509_POLICY_LEVEL *lvl, const X509_POLICY_NODE *node,
181 const ASN1_OBJECT *oid)
182{
183 int i;
184 ASN1_OBJECT *policy_oid;
185 const X509_POLICY_DATA *x = node->data;
186
187 if ((lvl->flags & X509_V_FLAG_INHIBIT_MAP) ||
188 !(x->flags & POLICY_DATA_FLAG_MAP_MASK)) {
189 if (!OBJ_cmp(x->valid_policy, oid))
190 return 1;
191 return 0;
192 }
193
194 for (i = 0; i < sk_ASN1_OBJECT_num(x->expected_policy_set); i++) {
195 policy_oid = sk_ASN1_OBJECT_value(x->expected_policy_set, i);
196 if (!OBJ_cmp(policy_oid, oid))
197 return 1;
198 }
199 return 0;
200}
diff --git a/src/lib/libcrypto/x509/pcy_tree.c b/src/lib/libcrypto/x509/pcy_tree.c
new file mode 100644
index 0000000000..d0f7cd1ada
--- /dev/null
+++ b/src/lib/libcrypto/x509/pcy_tree.c
@@ -0,0 +1,770 @@
1/* $OpenBSD: pcy_tree.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <openssl/x509.h>
60#include <openssl/x509v3.h>
61
62#include "pcy_int.h"
63
64/* Enable this to print out the complete policy tree at various point during
65 * evaluation.
66 */
67
68/*#define OPENSSL_POLICY_DEBUG*/
69
70#ifdef OPENSSL_POLICY_DEBUG
71
72static void
73expected_print(BIO *err, X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node,
74 int indent)
75{
76 if ((lev->flags & X509_V_FLAG_INHIBIT_MAP) ||
77 !(node->data->flags & POLICY_DATA_FLAG_MAP_MASK))
78 BIO_puts(err, " Not Mapped\n");
79 else {
80 int i;
81 STACK_OF(ASN1_OBJECT) *pset = node->data->expected_policy_set;
82 ASN1_OBJECT *oid;
83 BIO_puts(err, " Expected: ");
84 for (i = 0; i < sk_ASN1_OBJECT_num(pset); i++) {
85 oid = sk_ASN1_OBJECT_value(pset, i);
86 if (i)
87 BIO_puts(err, ", ");
88 i2a_ASN1_OBJECT(err, oid);
89 }
90 BIO_puts(err, "\n");
91 }
92}
93
94static void
95tree_print(char *str, X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
96{
97 X509_POLICY_LEVEL *plev;
98 X509_POLICY_NODE *node;
99 int i;
100 BIO *err;
101
102 if ((err = BIO_new_fp(stderr, BIO_NOCLOSE)) == NULL)
103 return;
104
105 if (!curr)
106 curr = tree->levels + tree->nlevel;
107 else
108 curr++;
109 BIO_printf(err, "Level print after %s\n", str);
110 BIO_printf(err, "Printing Up to Level %ld\n", curr - tree->levels);
111 for (plev = tree->levels; plev != curr; plev++) {
112 BIO_printf(err, "Level %ld, flags = %x\n",
113 plev - tree->levels, plev->flags);
114 for (i = 0; i < sk_X509_POLICY_NODE_num(plev->nodes); i++) {
115 node = sk_X509_POLICY_NODE_value(plev->nodes, i);
116 X509_POLICY_NODE_print(err, node, 2);
117 expected_print(err, plev, node, 2);
118 BIO_printf(err, " Flags: %x\n", node->data->flags);
119 }
120 if (plev->anyPolicy)
121 X509_POLICY_NODE_print(err, plev->anyPolicy, 2);
122 }
123
124 BIO_free(err);
125}
126#else
127
128#define tree_print(a,b,c) /* */
129
130#endif
131
132/* Initialize policy tree. Return values:
133 * 0 Some internal error occured.
134 * -1 Inconsistent or invalid extensions in certificates.
135 * 1 Tree initialized OK.
136 * 2 Policy tree is empty.
137 * 5 Tree OK and requireExplicitPolicy true.
138 * 6 Tree empty and requireExplicitPolicy true.
139 */
140
141static int
142tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, unsigned int flags)
143{
144 X509_POLICY_TREE *tree;
145 X509_POLICY_LEVEL *level;
146 const X509_POLICY_CACHE *cache;
147 X509_POLICY_DATA *data = NULL;
148 X509 *x;
149 int ret = 1;
150 int i, n;
151 int explicit_policy;
152 int any_skip;
153 int map_skip;
154
155 *ptree = NULL;
156 n = sk_X509_num(certs);
157
158 if (flags & X509_V_FLAG_EXPLICIT_POLICY)
159 explicit_policy = 0;
160 else
161 explicit_policy = n + 1;
162
163 if (flags & X509_V_FLAG_INHIBIT_ANY)
164 any_skip = 0;
165 else
166 any_skip = n + 1;
167
168 if (flags & X509_V_FLAG_INHIBIT_MAP)
169 map_skip = 0;
170 else
171 map_skip = n + 1;
172
173 /* Can't do anything with just a trust anchor */
174 if (n == 1)
175 return 1;
176 /* First setup policy cache in all certificates apart from the
177 * trust anchor. Note any bad cache results on the way. Also can
178 * calculate explicit_policy value at this point.
179 */
180 for (i = n - 2; i >= 0; i--) {
181 x = sk_X509_value(certs, i);
182 X509_check_purpose(x, -1, -1);
183 cache = policy_cache_set(x);
184 /* If cache NULL something bad happened: return immediately */
185 if (cache == NULL)
186 return 0;
187 /* If inconsistent extensions keep a note of it but continue */
188 if (x->ex_flags & EXFLAG_INVALID_POLICY)
189 ret = -1;
190 /* Otherwise if we have no data (hence no CertificatePolicies)
191 * and haven't already set an inconsistent code note it.
192 */
193 else if ((ret == 1) && !cache->data)
194 ret = 2;
195 if (explicit_policy > 0) {
196 if (!(x->ex_flags & EXFLAG_SI))
197 explicit_policy--;
198 if ((cache->explicit_skip != -1) &&
199 (cache->explicit_skip < explicit_policy))
200 explicit_policy = cache->explicit_skip;
201 }
202 }
203
204 if (ret != 1) {
205 if (ret == 2 && !explicit_policy)
206 return 6;
207 return ret;
208 }
209
210
211 /* If we get this far initialize the tree */
212
213 tree = malloc(sizeof(X509_POLICY_TREE));
214
215 if (!tree)
216 return 0;
217
218 tree->flags = 0;
219 tree->levels = calloc(n, sizeof(X509_POLICY_LEVEL));
220 tree->nlevel = 0;
221 tree->extra_data = NULL;
222 tree->auth_policies = NULL;
223 tree->user_policies = NULL;
224
225 if (!tree->levels) {
226 free(tree);
227 return 0;
228 }
229
230 tree->nlevel = n;
231
232 level = tree->levels;
233
234 /* Root data: initialize to anyPolicy */
235
236 data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0);
237
238 if (!data || !level_add_node(level, data, NULL, tree, NULL))
239 goto bad_tree;
240
241 for (i = n - 2; i >= 0; i--) {
242 level++;
243 x = sk_X509_value(certs, i);
244 cache = policy_cache_set(x);
245 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
246 level->cert = x;
247
248 if (!cache->anyPolicy)
249 level->flags |= X509_V_FLAG_INHIBIT_ANY;
250
251 /* Determine inhibit any and inhibit map flags */
252 if (any_skip == 0) {
253 /* Any matching allowed if certificate is self
254 * issued and not the last in the chain.
255 */
256 if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
257 level->flags |= X509_V_FLAG_INHIBIT_ANY;
258 } else {
259 if (!(x->ex_flags & EXFLAG_SI))
260 any_skip--;
261 if ((cache->any_skip >= 0) &&
262 (cache->any_skip < any_skip))
263 any_skip = cache->any_skip;
264 }
265
266 if (map_skip == 0)
267 level->flags |= X509_V_FLAG_INHIBIT_MAP;
268 else {
269 if (!(x->ex_flags & EXFLAG_SI))
270 map_skip--;
271 if ((cache->map_skip >= 0) &&
272 (cache->map_skip < map_skip))
273 map_skip = cache->map_skip;
274 }
275
276 }
277
278 *ptree = tree;
279
280 if (explicit_policy)
281 return 1;
282 else
283 return 5;
284
285bad_tree:
286 X509_policy_tree_free(tree);
287
288 return 0;
289}
290
291static int
292tree_link_matching_nodes(X509_POLICY_LEVEL *curr, const X509_POLICY_DATA *data)
293{
294 X509_POLICY_LEVEL *last = curr - 1;
295 X509_POLICY_NODE *node;
296 int i, matched = 0;
297
298 /* Iterate through all in nodes linking matches */
299 for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) {
300 node = sk_X509_POLICY_NODE_value(last->nodes, i);
301 if (policy_node_match(last, node, data->valid_policy)) {
302 if (!level_add_node(curr, data, node, NULL, NULL))
303 return 0;
304 matched = 1;
305 }
306 }
307 if (!matched && last->anyPolicy) {
308 if (!level_add_node(curr, data, last->anyPolicy, NULL, NULL))
309 return 0;
310 }
311 return 1;
312}
313
314/* This corresponds to RFC3280 6.1.3(d)(1):
315 * link any data from CertificatePolicies onto matching parent
316 * or anyPolicy if no match.
317 */
318
319static int
320tree_link_nodes(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache)
321{
322 int i;
323 X509_POLICY_DATA *data;
324
325 for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++) {
326 data = sk_X509_POLICY_DATA_value(cache->data, i);
327 /* Look for matching nodes in previous level */
328 if (!tree_link_matching_nodes(curr, data))
329 return 0;
330 }
331 return 1;
332}
333
334/* This corresponds to RFC3280 6.1.3(d)(2):
335 * Create new data for any unmatched policies in the parent and link
336 * to anyPolicy.
337 */
338
339static int
340tree_add_unmatched(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache,
341 const ASN1_OBJECT *id, X509_POLICY_NODE *node, X509_POLICY_TREE *tree)
342{
343 X509_POLICY_DATA *data;
344
345 if (id == NULL)
346 id = node->data->valid_policy;
347 /* Create a new node with qualifiers from anyPolicy and
348 * id from unmatched node.
349 */
350 data = policy_data_new(NULL, id, node_critical(node));
351
352 if (data == NULL)
353 return 0;
354 /* Curr may not have anyPolicy */
355 data->qualifier_set = cache->anyPolicy->qualifier_set;
356 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
357 if (!level_add_node(curr, data, node, tree, NULL)) {
358 policy_data_free(data);
359 return 0;
360 }
361
362 return 1;
363}
364
365static int
366tree_link_unmatched(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache,
367 X509_POLICY_NODE *node, X509_POLICY_TREE *tree)
368{
369 const X509_POLICY_LEVEL *last = curr - 1;
370 int i;
371
372 if ((last->flags & X509_V_FLAG_INHIBIT_MAP) ||
373 !(node->data->flags & POLICY_DATA_FLAG_MAPPED)) {
374 /* If no policy mapping: matched if one child present */
375 if (node->nchild)
376 return 1;
377 if (!tree_add_unmatched(curr, cache, NULL, node, tree))
378 return 0;
379 /* Add it */
380 } else {
381 /* If mapping: matched if one child per expected policy set */
382 STACK_OF(ASN1_OBJECT) *expset = node->data->expected_policy_set;
383 if (node->nchild == sk_ASN1_OBJECT_num(expset))
384 return 1;
385 /* Locate unmatched nodes */
386 for (i = 0; i < sk_ASN1_OBJECT_num(expset); i++) {
387 ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(expset, i);
388 if (level_find_node(curr, node, oid))
389 continue;
390 if (!tree_add_unmatched(curr, cache, oid, node, tree))
391 return 0;
392 }
393 }
394
395 return 1;
396}
397
398static int
399tree_link_any(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache,
400 X509_POLICY_TREE *tree)
401{
402 int i;
403 X509_POLICY_NODE *node;
404 X509_POLICY_LEVEL *last = curr - 1;
405
406 for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) {
407 node = sk_X509_POLICY_NODE_value(last->nodes, i);
408
409 if (!tree_link_unmatched(curr, cache, node, tree))
410 return 0;
411 }
412 /* Finally add link to anyPolicy */
413 if (last->anyPolicy) {
414 if (!level_add_node(curr, cache->anyPolicy,
415 last->anyPolicy, NULL, NULL))
416 return 0;
417 }
418 return 1;
419}
420
421/* Prune the tree: delete any child mapped child data on the current level
422 * then proceed up the tree deleting any data with no children. If we ever
423 * have no data on a level we can halt because the tree will be empty.
424 */
425
426static int
427tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
428{
429 STACK_OF(X509_POLICY_NODE) *nodes;
430 X509_POLICY_NODE *node;
431 int i;
432
433 nodes = curr->nodes;
434 if (curr->flags & X509_V_FLAG_INHIBIT_MAP) {
435 for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--) {
436 node = sk_X509_POLICY_NODE_value(nodes, i);
437 /* Delete any mapped data: see RFC3280 XXXX */
438 if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK) {
439 node->parent->nchild--;
440 free(node);
441 (void)sk_X509_POLICY_NODE_delete(nodes, i);
442 }
443 }
444 }
445
446 for (;;) {
447 --curr;
448 nodes = curr->nodes;
449 for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--) {
450 node = sk_X509_POLICY_NODE_value(nodes, i);
451 if (node->nchild == 0) {
452 node->parent->nchild--;
453 free(node);
454 (void)sk_X509_POLICY_NODE_delete(nodes, i);
455 }
456 }
457 if (curr->anyPolicy && !curr->anyPolicy->nchild) {
458 if (curr->anyPolicy->parent)
459 curr->anyPolicy->parent->nchild--;
460 free(curr->anyPolicy);
461 curr->anyPolicy = NULL;
462 }
463 if (curr == tree->levels) {
464 /* If we zapped anyPolicy at top then tree is empty */
465 if (!curr->anyPolicy)
466 return 2;
467 return 1;
468 }
469 }
470
471 return 1;
472}
473
474static int
475tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes, X509_POLICY_NODE *pcy)
476{
477 if (!*pnodes) {
478 *pnodes = policy_node_cmp_new();
479 if (!*pnodes)
480 return 0;
481 } else if (sk_X509_POLICY_NODE_find(*pnodes, pcy) != -1)
482 return 1;
483
484 if (!sk_X509_POLICY_NODE_push(*pnodes, pcy))
485 return 0;
486
487 return 1;
488}
489
490/* Calculate the authority set based on policy tree.
491 * The 'pnodes' parameter is used as a store for the set of policy nodes
492 * used to calculate the user set. If the authority set is not anyPolicy
493 * then pnodes will just point to the authority set. If however the authority
494 * set is anyPolicy then the set of valid policies (other than anyPolicy)
495 * is store in pnodes. The return value of '2' is used in this case to indicate
496 * that pnodes should be freed.
497 */
498
499static int
500tree_calculate_authority_set(X509_POLICY_TREE *tree,
501 STACK_OF(X509_POLICY_NODE) **pnodes)
502{
503 X509_POLICY_LEVEL *curr;
504 X509_POLICY_NODE *node, *anyptr;
505 STACK_OF(X509_POLICY_NODE) **addnodes;
506 int i, j;
507
508 curr = tree->levels + tree->nlevel - 1;
509
510 /* If last level contains anyPolicy set is anyPolicy */
511 if (curr->anyPolicy) {
512 if (!tree_add_auth_node(&tree->auth_policies, curr->anyPolicy))
513 return 0;
514 addnodes = pnodes;
515 } else
516 /* Add policies to authority set */
517 addnodes = &tree->auth_policies;
518
519 curr = tree->levels;
520 for (i = 1; i < tree->nlevel; i++) {
521 /* If no anyPolicy node on this this level it can't
522 * appear on lower levels so end search.
523 */
524 if (!(anyptr = curr->anyPolicy))
525 break;
526 curr++;
527 for (j = 0; j < sk_X509_POLICY_NODE_num(curr->nodes); j++) {
528 node = sk_X509_POLICY_NODE_value(curr->nodes, j);
529 if ((node->parent == anyptr) &&
530 !tree_add_auth_node(addnodes, node))
531 return 0;
532 }
533 }
534
535 if (addnodes == pnodes)
536 return 2;
537
538 *pnodes = tree->auth_policies;
539
540 return 1;
541}
542
543static int
544tree_calculate_user_set(X509_POLICY_TREE *tree,
545 STACK_OF(ASN1_OBJECT) *policy_oids, STACK_OF(X509_POLICY_NODE) *auth_nodes)
546{
547 int i;
548 X509_POLICY_NODE *node;
549 ASN1_OBJECT *oid;
550 X509_POLICY_NODE *anyPolicy;
551 X509_POLICY_DATA *extra;
552
553 /* Check if anyPolicy present in authority constrained policy set:
554 * this will happen if it is a leaf node.
555 */
556
557 if (sk_ASN1_OBJECT_num(policy_oids) <= 0)
558 return 1;
559
560 anyPolicy = tree->levels[tree->nlevel - 1].anyPolicy;
561
562 for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++) {
563 oid = sk_ASN1_OBJECT_value(policy_oids, i);
564 if (OBJ_obj2nid(oid) == NID_any_policy) {
565 tree->flags |= POLICY_FLAG_ANY_POLICY;
566 return 1;
567 }
568 }
569
570 for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++) {
571 oid = sk_ASN1_OBJECT_value(policy_oids, i);
572 node = tree_find_sk(auth_nodes, oid);
573 if (!node) {
574 if (!anyPolicy)
575 continue;
576 /* Create a new node with policy ID from user set
577 * and qualifiers from anyPolicy.
578 */
579 extra = policy_data_new(NULL, oid,
580 node_critical(anyPolicy));
581 if (!extra)
582 return 0;
583 extra->qualifier_set = anyPolicy->data->qualifier_set;
584 extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS |
585 POLICY_DATA_FLAG_EXTRA_NODE;
586 (void) level_add_node(NULL, extra, anyPolicy->parent,
587 tree, &node);
588 }
589 if (!tree->user_policies) {
590 tree->user_policies = sk_X509_POLICY_NODE_new_null();
591 if (!tree->user_policies)
592 return 1;
593 }
594 if (!sk_X509_POLICY_NODE_push(tree->user_policies, node))
595 return 0;
596 }
597 return 1;
598}
599
600static int
601tree_evaluate(X509_POLICY_TREE *tree)
602{
603 int ret, i;
604 X509_POLICY_LEVEL *curr = tree->levels + 1;
605 const X509_POLICY_CACHE *cache;
606
607 for (i = 1; i < tree->nlevel; i++, curr++) {
608 cache = policy_cache_set(curr->cert);
609 if (!tree_link_nodes(curr, cache))
610 return 0;
611
612 if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) &&
613 !tree_link_any(curr, cache, tree))
614 return 0;
615 tree_print("before tree_prune()", tree, curr);
616 ret = tree_prune(tree, curr);
617 if (ret != 1)
618 return ret;
619 }
620
621 return 1;
622}
623
624static void
625exnode_free(X509_POLICY_NODE *node)
626{
627 if (node->data && (node->data->flags & POLICY_DATA_FLAG_EXTRA_NODE))
628 free(node);
629}
630
631void
632X509_policy_tree_free(X509_POLICY_TREE *tree)
633{
634 X509_POLICY_LEVEL *curr;
635 int i;
636
637 if (!tree)
638 return;
639
640 sk_X509_POLICY_NODE_free(tree->auth_policies);
641 sk_X509_POLICY_NODE_pop_free(tree->user_policies, exnode_free);
642
643 for (i = 0, curr = tree->levels; i < tree->nlevel; i++, curr++) {
644 X509_free(curr->cert);
645 if (curr->nodes)
646 sk_X509_POLICY_NODE_pop_free(curr->nodes,
647 policy_node_free);
648 if (curr->anyPolicy)
649 policy_node_free(curr->anyPolicy);
650 }
651
652 if (tree->extra_data)
653 sk_X509_POLICY_DATA_pop_free(tree->extra_data,
654 policy_data_free);
655
656 free(tree->levels);
657 free(tree);
658}
659
660/* Application policy checking function.
661 * Return codes:
662 * 0 Internal Error.
663 * 1 Successful.
664 * -1 One or more certificates contain invalid or inconsistent extensions
665 * -2 User constrained policy set empty and requireExplicit true.
666 */
667
668int
669X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
670 STACK_OF(X509) *certs, STACK_OF(ASN1_OBJECT) *policy_oids,
671 unsigned int flags)
672{
673 int ret, ret2;
674 X509_POLICY_TREE *tree = NULL;
675 STACK_OF(X509_POLICY_NODE) *nodes, *auth_nodes = NULL;
676
677 *ptree = NULL;
678 *pexplicit_policy = 0;
679 ret = tree_init(&tree, certs, flags);
680
681 switch (ret) {
682
683 /* Tree empty requireExplicit False: OK */
684 case 2:
685 return 1;
686
687 /* Some internal error */
688 case -1:
689 return -1;
690
691 /* Some internal error */
692 case 0:
693 return 0;
694
695 /* Tree empty requireExplicit True: Error */
696
697 case 6:
698 *pexplicit_policy = 1;
699 return -2;
700
701 /* Tree OK requireExplicit True: OK and continue */
702 case 5:
703 *pexplicit_policy = 1;
704 break;
705
706 /* Tree OK: continue */
707
708 case 1:
709 if (!tree)
710 /*
711 * tree_init() returns success and a null tree
712 * if it's just looking at a trust anchor.
713 * I'm not sure that returning success here is
714 * correct, but I'm sure that reporting this
715 * as an internal error which our caller
716 * interprets as a malloc failure is wrong.
717 */
718 return 1;
719 break;
720 }
721
722 if (!tree)
723 goto error;
724 ret = tree_evaluate(tree);
725
726 tree_print("tree_evaluate()", tree, NULL);
727
728 if (ret <= 0)
729 goto error;
730
731 /* Return value 2 means tree empty */
732 if (ret == 2) {
733 X509_policy_tree_free(tree);
734 if (*pexplicit_policy)
735 return -2;
736 else
737 return 1;
738 }
739
740 /* Tree is not empty: continue */
741
742 ret = tree_calculate_authority_set(tree, &auth_nodes);
743 if (ret == 0)
744 goto error;
745
746 ret2 = tree_calculate_user_set(tree, policy_oids, auth_nodes);
747
748 /* Return value 2 means auth_nodes needs to be freed */
749 if (ret == 2)
750 sk_X509_POLICY_NODE_free(auth_nodes);
751
752 if (ret2 == 0)
753 goto error;
754
755 if (tree)
756 *ptree = tree;
757
758 if (*pexplicit_policy) {
759 nodes = X509_policy_tree_get0_user_policies(tree);
760 if (sk_X509_POLICY_NODE_num(nodes) <= 0)
761 return -2;
762 }
763
764 return 1;
765
766error:
767 X509_policy_tree_free(tree);
768
769 return 0;
770}
diff --git a/src/lib/libcrypto/x509/v3err.c b/src/lib/libcrypto/x509/v3err.c
new file mode 100644
index 0000000000..f7850effb1
--- /dev/null
+++ b/src/lib/libcrypto/x509/v3err.c
@@ -0,0 +1,226 @@
1/* $OpenBSD: v3err.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
2/* ====================================================================
3 * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@OpenSSL.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56/* NOTE: this file was auto generated by the mkerr.pl script: any changes
57 * made to it will be overwritten when the script next updates this file,
58 * only reason strings will be preserved.
59 */
60
61#include <stdio.h>
62
63#include <openssl/opensslconf.h>
64
65#include <openssl/err.h>
66#include <openssl/x509v3.h>
67
68/* BEGIN ERROR CODES */
69#ifndef OPENSSL_NO_ERR
70
71#define ERR_FUNC(func) ERR_PACK(ERR_LIB_X509V3,func,0)
72#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509V3,0,reason)
73
74static ERR_STRING_DATA X509V3_str_functs[] = {
75 {ERR_FUNC(X509V3_F_A2I_GENERAL_NAME), "A2I_GENERAL_NAME"},
76 {ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE), "ASIDENTIFIERCHOICE_CANONIZE"},
77 {ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL), "ASIDENTIFIERCHOICE_IS_CANONICAL"},
78 {ERR_FUNC(X509V3_F_COPY_EMAIL), "COPY_EMAIL"},
79 {ERR_FUNC(X509V3_F_COPY_ISSUER), "COPY_ISSUER"},
80 {ERR_FUNC(X509V3_F_DO_DIRNAME), "DO_DIRNAME"},
81 {ERR_FUNC(X509V3_F_DO_EXT_CONF), "DO_EXT_CONF"},
82 {ERR_FUNC(X509V3_F_DO_EXT_I2D), "DO_EXT_I2D"},
83 {ERR_FUNC(X509V3_F_DO_EXT_NCONF), "DO_EXT_NCONF"},
84 {ERR_FUNC(X509V3_F_DO_I2V_NAME_CONSTRAINTS), "DO_I2V_NAME_CONSTRAINTS"},
85 {ERR_FUNC(X509V3_F_GNAMES_FROM_SECTNAME), "GNAMES_FROM_SECTNAME"},
86 {ERR_FUNC(X509V3_F_HEX_TO_STRING), "hex_to_string"},
87 {ERR_FUNC(X509V3_F_I2S_ASN1_ENUMERATED), "i2s_ASN1_ENUMERATED"},
88 {ERR_FUNC(X509V3_F_I2S_ASN1_IA5STRING), "I2S_ASN1_IA5STRING"},
89 {ERR_FUNC(X509V3_F_I2S_ASN1_INTEGER), "i2s_ASN1_INTEGER"},
90 {ERR_FUNC(X509V3_F_I2V_AUTHORITY_INFO_ACCESS), "I2V_AUTHORITY_INFO_ACCESS"},
91 {ERR_FUNC(X509V3_F_NOTICE_SECTION), "NOTICE_SECTION"},
92 {ERR_FUNC(X509V3_F_NREF_NOS), "NREF_NOS"},
93 {ERR_FUNC(X509V3_F_POLICY_SECTION), "POLICY_SECTION"},
94 {ERR_FUNC(X509V3_F_PROCESS_PCI_VALUE), "PROCESS_PCI_VALUE"},
95 {ERR_FUNC(X509V3_F_R2I_CERTPOL), "R2I_CERTPOL"},
96 {ERR_FUNC(X509V3_F_R2I_PCI), "R2I_PCI"},
97 {ERR_FUNC(X509V3_F_S2I_ASN1_IA5STRING), "S2I_ASN1_IA5STRING"},
98 {ERR_FUNC(X509V3_F_S2I_ASN1_INTEGER), "s2i_ASN1_INTEGER"},
99 {ERR_FUNC(X509V3_F_S2I_ASN1_OCTET_STRING), "s2i_ASN1_OCTET_STRING"},
100 {ERR_FUNC(X509V3_F_S2I_ASN1_SKEY_ID), "S2I_ASN1_SKEY_ID"},
101 {ERR_FUNC(X509V3_F_S2I_SKEY_ID), "S2I_SKEY_ID"},
102 {ERR_FUNC(X509V3_F_SET_DIST_POINT_NAME), "SET_DIST_POINT_NAME"},
103 {ERR_FUNC(X509V3_F_STRING_TO_HEX), "string_to_hex"},
104 {ERR_FUNC(X509V3_F_SXNET_ADD_ID_ASC), "SXNET_add_id_asc"},
105 {ERR_FUNC(X509V3_F_SXNET_ADD_ID_INTEGER), "SXNET_add_id_INTEGER"},
106 {ERR_FUNC(X509V3_F_SXNET_ADD_ID_ULONG), "SXNET_add_id_ulong"},
107 {ERR_FUNC(X509V3_F_SXNET_GET_ID_ASC), "SXNET_get_id_asc"},
108 {ERR_FUNC(X509V3_F_SXNET_GET_ID_ULONG), "SXNET_get_id_ulong"},
109 {ERR_FUNC(X509V3_F_V2I_ASIDENTIFIERS), "V2I_ASIDENTIFIERS"},
110 {ERR_FUNC(X509V3_F_V2I_ASN1_BIT_STRING), "v2i_ASN1_BIT_STRING"},
111 {ERR_FUNC(X509V3_F_V2I_AUTHORITY_INFO_ACCESS), "V2I_AUTHORITY_INFO_ACCESS"},
112 {ERR_FUNC(X509V3_F_V2I_AUTHORITY_KEYID), "V2I_AUTHORITY_KEYID"},
113 {ERR_FUNC(X509V3_F_V2I_BASIC_CONSTRAINTS), "V2I_BASIC_CONSTRAINTS"},
114 {ERR_FUNC(X509V3_F_V2I_CRLD), "V2I_CRLD"},
115 {ERR_FUNC(X509V3_F_V2I_EXTENDED_KEY_USAGE), "V2I_EXTENDED_KEY_USAGE"},
116 {ERR_FUNC(X509V3_F_V2I_GENERAL_NAMES), "v2i_GENERAL_NAMES"},
117 {ERR_FUNC(X509V3_F_V2I_GENERAL_NAME_EX), "v2i_GENERAL_NAME_ex"},
118 {ERR_FUNC(X509V3_F_V2I_IDP), "V2I_IDP"},
119 {ERR_FUNC(X509V3_F_V2I_IPADDRBLOCKS), "V2I_IPADDRBLOCKS"},
120 {ERR_FUNC(X509V3_F_V2I_ISSUER_ALT), "V2I_ISSUER_ALT"},
121 {ERR_FUNC(X509V3_F_V2I_NAME_CONSTRAINTS), "V2I_NAME_CONSTRAINTS"},
122 {ERR_FUNC(X509V3_F_V2I_POLICY_CONSTRAINTS), "V2I_POLICY_CONSTRAINTS"},
123 {ERR_FUNC(X509V3_F_V2I_POLICY_MAPPINGS), "V2I_POLICY_MAPPINGS"},
124 {ERR_FUNC(X509V3_F_V2I_SUBJECT_ALT), "V2I_SUBJECT_ALT"},
125 {ERR_FUNC(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL), "V3_ADDR_VALIDATE_PATH_INTERNAL"},
126 {ERR_FUNC(X509V3_F_V3_GENERIC_EXTENSION), "V3_GENERIC_EXTENSION"},
127 {ERR_FUNC(X509V3_F_X509V3_ADD1_I2D), "X509V3_add1_i2d"},
128 {ERR_FUNC(X509V3_F_X509V3_ADD_VALUE), "X509V3_add_value"},
129 {ERR_FUNC(X509V3_F_X509V3_EXT_ADD), "X509V3_EXT_add"},
130 {ERR_FUNC(X509V3_F_X509V3_EXT_ADD_ALIAS), "X509V3_EXT_add_alias"},
131 {ERR_FUNC(X509V3_F_X509V3_EXT_CONF), "X509V3_EXT_conf"},
132 {ERR_FUNC(X509V3_F_X509V3_EXT_I2D), "X509V3_EXT_i2d"},
133 {ERR_FUNC(X509V3_F_X509V3_EXT_NCONF), "X509V3_EXT_nconf"},
134 {ERR_FUNC(X509V3_F_X509V3_GET_SECTION), "X509V3_get_section"},
135 {ERR_FUNC(X509V3_F_X509V3_GET_STRING), "X509V3_get_string"},
136 {ERR_FUNC(X509V3_F_X509V3_GET_VALUE_BOOL), "X509V3_get_value_bool"},
137 {ERR_FUNC(X509V3_F_X509V3_PARSE_LIST), "X509V3_parse_list"},
138 {ERR_FUNC(X509V3_F_X509_PURPOSE_ADD), "X509_PURPOSE_add"},
139 {ERR_FUNC(X509V3_F_X509_PURPOSE_SET), "X509_PURPOSE_set"},
140 {0, NULL}
141};
142
143static ERR_STRING_DATA X509V3_str_reasons[] = {
144 {ERR_REASON(X509V3_R_BAD_IP_ADDRESS) , "bad ip address"},
145 {ERR_REASON(X509V3_R_BAD_OBJECT) , "bad object"},
146 {ERR_REASON(X509V3_R_BN_DEC2BN_ERROR) , "bn dec2bn error"},
147 {ERR_REASON(X509V3_R_BN_TO_ASN1_INTEGER_ERROR), "bn to asn1 integer error"},
148 {ERR_REASON(X509V3_R_DIRNAME_ERROR) , "dirname error"},
149 {ERR_REASON(X509V3_R_DISTPOINT_ALREADY_SET), "distpoint already set"},
150 {ERR_REASON(X509V3_R_DUPLICATE_ZONE_ID) , "duplicate zone id"},
151 {ERR_REASON(X509V3_R_ERROR_CONVERTING_ZONE), "error converting zone"},
152 {ERR_REASON(X509V3_R_ERROR_CREATING_EXTENSION), "error creating extension"},
153 {ERR_REASON(X509V3_R_ERROR_IN_EXTENSION) , "error in extension"},
154 {ERR_REASON(X509V3_R_EXPECTED_A_SECTION_NAME), "expected a section name"},
155 {ERR_REASON(X509V3_R_EXTENSION_EXISTS) , "extension exists"},
156 {ERR_REASON(X509V3_R_EXTENSION_NAME_ERROR), "extension name error"},
157 {ERR_REASON(X509V3_R_EXTENSION_NOT_FOUND), "extension not found"},
158 {ERR_REASON(X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED), "extension setting not supported"},
159 {ERR_REASON(X509V3_R_EXTENSION_VALUE_ERROR), "extension value error"},
160 {ERR_REASON(X509V3_R_ILLEGAL_EMPTY_EXTENSION), "illegal empty extension"},
161 {ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT) , "illegal hex digit"},
162 {ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG), "incorrect policy syntax tag"},
163 {ERR_REASON(X509V3_R_INVALID_MULTIPLE_RDNS), "invalid multiple rdns"},
164 {ERR_REASON(X509V3_R_INVALID_ASNUMBER) , "invalid asnumber"},
165 {ERR_REASON(X509V3_R_INVALID_ASRANGE) , "invalid asrange"},
166 {ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING), "invalid boolean string"},
167 {ERR_REASON(X509V3_R_INVALID_EXTENSION_STRING), "invalid extension string"},
168 {ERR_REASON(X509V3_R_INVALID_INHERITANCE), "invalid inheritance"},
169 {ERR_REASON(X509V3_R_INVALID_IPADDRESS) , "invalid ipaddress"},
170 {ERR_REASON(X509V3_R_INVALID_NAME) , "invalid name"},
171 {ERR_REASON(X509V3_R_INVALID_NULL_ARGUMENT), "invalid null argument"},
172 {ERR_REASON(X509V3_R_INVALID_NULL_NAME) , "invalid null name"},
173 {ERR_REASON(X509V3_R_INVALID_NULL_VALUE) , "invalid null value"},
174 {ERR_REASON(X509V3_R_INVALID_NUMBER) , "invalid number"},
175 {ERR_REASON(X509V3_R_INVALID_NUMBERS) , "invalid numbers"},
176 {ERR_REASON(X509V3_R_INVALID_OBJECT_IDENTIFIER), "invalid object identifier"},
177 {ERR_REASON(X509V3_R_INVALID_OPTION) , "invalid option"},
178 {ERR_REASON(X509V3_R_INVALID_POLICY_IDENTIFIER), "invalid policy identifier"},
179 {ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_SETTING), "invalid proxy policy setting"},
180 {ERR_REASON(X509V3_R_INVALID_PURPOSE) , "invalid purpose"},
181 {ERR_REASON(X509V3_R_INVALID_SAFI) , "invalid safi"},
182 {ERR_REASON(X509V3_R_INVALID_SECTION) , "invalid section"},
183 {ERR_REASON(X509V3_R_INVALID_SYNTAX) , "invalid syntax"},
184 {ERR_REASON(X509V3_R_ISSUER_DECODE_ERROR), "issuer decode error"},
185 {ERR_REASON(X509V3_R_MISSING_VALUE) , "missing value"},
186 {ERR_REASON(X509V3_R_NEED_ORGANIZATION_AND_NUMBERS), "need organization and numbers"},
187 {ERR_REASON(X509V3_R_NO_CONFIG_DATABASE) , "no config database"},
188 {ERR_REASON(X509V3_R_NO_ISSUER_CERTIFICATE), "no issuer certificate"},
189 {ERR_REASON(X509V3_R_NO_ISSUER_DETAILS) , "no issuer details"},
190 {ERR_REASON(X509V3_R_NO_POLICY_IDENTIFIER), "no policy identifier"},
191 {ERR_REASON(X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED), "no proxy cert policy language defined"},
192 {ERR_REASON(X509V3_R_NO_PUBLIC_KEY) , "no public key"},
193 {ERR_REASON(X509V3_R_NO_SUBJECT_DETAILS) , "no subject details"},
194 {ERR_REASON(X509V3_R_ODD_NUMBER_OF_DIGITS), "odd number of digits"},
195 {ERR_REASON(X509V3_R_OPERATION_NOT_DEFINED), "operation not defined"},
196 {ERR_REASON(X509V3_R_OTHERNAME_ERROR) , "othername error"},
197 {ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED), "policy language already defined"},
198 {ERR_REASON(X509V3_R_POLICY_PATH_LENGTH) , "policy path length"},
199 {ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED), "policy path length already defined"},
200 {ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED), "policy syntax not currently supported"},
201 {ERR_REASON(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY), "policy when proxy language requires no policy"},
202 {ERR_REASON(X509V3_R_SECTION_NOT_FOUND) , "section not found"},
203 {ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS), "unable to get issuer details"},
204 {ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_KEYID), "unable to get issuer keyid"},
205 {ERR_REASON(X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT), "unknown bit string argument"},
206 {ERR_REASON(X509V3_R_UNKNOWN_EXTENSION) , "unknown extension"},
207 {ERR_REASON(X509V3_R_UNKNOWN_EXTENSION_NAME), "unknown extension name"},
208 {ERR_REASON(X509V3_R_UNKNOWN_OPTION) , "unknown option"},
209 {ERR_REASON(X509V3_R_UNSUPPORTED_OPTION) , "unsupported option"},
210 {ERR_REASON(X509V3_R_UNSUPPORTED_TYPE) , "unsupported type"},
211 {ERR_REASON(X509V3_R_USER_TOO_LONG) , "user too long"},
212 {0, NULL}
213};
214
215#endif
216
217void
218ERR_load_X509V3_strings(void)
219{
220#ifndef OPENSSL_NO_ERR
221 if (ERR_func_error_string(X509V3_str_functs[0].error) == NULL) {
222 ERR_load_strings(0, X509V3_str_functs);
223 ERR_load_strings(0, X509V3_str_reasons);
224 }
225#endif
226}
diff --git a/src/lib/libcrypto/x509/x509_akey.c b/src/lib/libcrypto/x509/x509_akey.c
new file mode 100644
index 0000000000..f8c7113350
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_akey.c
@@ -0,0 +1,237 @@
1/* $OpenBSD: x509_akey.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/conf.h>
65#include <openssl/err.h>
66#include <openssl/x509v3.h>
67
68static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
69 AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist);
70static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
71 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
72
73const X509V3_EXT_METHOD v3_akey_id = {
74 .ext_nid = NID_authority_key_identifier,
75 .ext_flags = X509V3_EXT_MULTILINE,
76 .it = &AUTHORITY_KEYID_it,
77 .ext_new = NULL,
78 .ext_free = NULL,
79 .d2i = NULL,
80 .i2d = NULL,
81 .i2s = NULL,
82 .s2i = NULL,
83 .i2v = (X509V3_EXT_I2V)i2v_AUTHORITY_KEYID,
84 .v2i = (X509V3_EXT_V2I)v2i_AUTHORITY_KEYID,
85 .i2r = NULL,
86 .r2i = NULL,
87 .usr_data = NULL,
88};
89
90static STACK_OF(CONF_VALUE) *
91i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, AUTHORITY_KEYID *akeyid,
92 STACK_OF(CONF_VALUE) *extlist)
93{
94 STACK_OF(CONF_VALUE) *free_extlist = NULL;
95 char *tmpstr = NULL;
96
97 if (extlist == NULL) {
98 if ((free_extlist = extlist = sk_CONF_VALUE_new_null()) == NULL)
99 return NULL;
100 }
101
102 if (akeyid->keyid != NULL) {
103 if ((tmpstr = hex_to_string(akeyid->keyid->data,
104 akeyid->keyid->length)) == NULL)
105 goto err;
106 if (!X509V3_add_value("keyid", tmpstr, &extlist))
107 goto err;
108 free(tmpstr);
109 tmpstr = NULL;
110 }
111
112 if (akeyid->issuer != NULL) {
113 if ((extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer,
114 extlist)) == NULL)
115 goto err;
116 }
117
118 if (akeyid->serial != NULL) {
119 if ((tmpstr = hex_to_string(akeyid->serial->data,
120 akeyid->serial->length)) == NULL)
121 goto err;
122 if (!X509V3_add_value("serial", tmpstr, &extlist))
123 goto err;
124 free(tmpstr);
125 tmpstr = NULL;
126 }
127
128 if (sk_CONF_VALUE_num(extlist) <= 0)
129 goto err;
130
131 return extlist;
132
133 err:
134 free(tmpstr);
135 sk_CONF_VALUE_pop_free(free_extlist, X509V3_conf_free);
136
137 return NULL;
138}
139
140/*
141 * Currently two options:
142 * keyid: use the issuers subject keyid, the value 'always' means its is
143 * an error if the issuer certificate doesn't have a key id.
144 * issuer: use the issuers cert issuer and serial number. The default is
145 * to only use this if keyid is not present. With the option 'always'
146 * this is always included.
147 */
148static AUTHORITY_KEYID *
149v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
150 STACK_OF(CONF_VALUE) *values)
151{
152 char keyid = 0, issuer = 0;
153 int i;
154 CONF_VALUE *cnf;
155 ASN1_OCTET_STRING *ikeyid = NULL;
156 X509_NAME *isname = NULL;
157 STACK_OF(GENERAL_NAME) *gens = NULL;
158 GENERAL_NAME *gen = NULL;
159 ASN1_INTEGER *serial = NULL;
160 X509_EXTENSION *ext;
161 X509 *cert;
162 AUTHORITY_KEYID *akeyid = NULL;
163
164 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
165 cnf = sk_CONF_VALUE_value(values, i);
166 if (!strcmp(cnf->name, "keyid")) {
167 keyid = 1;
168 if (cnf->value && !strcmp(cnf->value, "always"))
169 keyid = 2;
170 } else if (!strcmp(cnf->name, "issuer")) {
171 issuer = 1;
172 if (cnf->value && !strcmp(cnf->value, "always"))
173 issuer = 2;
174 } else {
175 X509V3error(X509V3_R_UNKNOWN_OPTION);
176 ERR_asprintf_error_data("name=%s", cnf->name);
177 return NULL;
178 }
179 }
180
181 if (!ctx || !ctx->issuer_cert) {
182 if (ctx && (ctx->flags == CTX_TEST))
183 return AUTHORITY_KEYID_new();
184 X509V3error(X509V3_R_NO_ISSUER_CERTIFICATE);
185 return NULL;
186 }
187
188 cert = ctx->issuer_cert;
189
190 if (keyid) {
191 i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
192 if ((i >= 0) && (ext = X509_get_ext(cert, i)))
193 ikeyid = X509V3_EXT_d2i(ext);
194 if (keyid == 2 && !ikeyid) {
195 X509V3error(X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);
196 return NULL;
197 }
198 }
199
200 if ((issuer && !ikeyid) || (issuer == 2)) {
201 isname = X509_NAME_dup(X509_get_issuer_name(cert));
202 serial = ASN1_INTEGER_dup(X509_get_serialNumber(cert));
203 if (!isname || !serial) {
204 X509V3error(X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
205 goto err;
206 }
207 }
208
209 if (!(akeyid = AUTHORITY_KEYID_new()))
210 goto err;
211
212 if (isname) {
213 if (!(gens = sk_GENERAL_NAME_new_null()) ||
214 !(gen = GENERAL_NAME_new()) ||
215 !sk_GENERAL_NAME_push(gens, gen)) {
216 X509V3error(ERR_R_MALLOC_FAILURE);
217 goto err;
218 }
219 gen->type = GEN_DIRNAME;
220 gen->d.dirn = isname;
221 }
222
223 akeyid->issuer = gens;
224 akeyid->serial = serial;
225 akeyid->keyid = ikeyid;
226
227 return akeyid;
228
229 err:
230 AUTHORITY_KEYID_free(akeyid);
231 GENERAL_NAME_free(gen);
232 sk_GENERAL_NAME_free(gens);
233 X509_NAME_free(isname);
234 ASN1_INTEGER_free(serial);
235 ASN1_OCTET_STRING_free(ikeyid);
236 return NULL;
237}
diff --git a/src/lib/libcrypto/x509/x509_akeya.c b/src/lib/libcrypto/x509/x509_akeya.c
new file mode 100644
index 0000000000..aba8923caa
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_akeya.c
@@ -0,0 +1,124 @@
1/* $OpenBSD: x509_akeya.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60
61#include <openssl/asn1.h>
62#include <openssl/asn1t.h>
63#include <openssl/conf.h>
64#include <openssl/x509v3.h>
65
66static const ASN1_TEMPLATE AUTHORITY_KEYID_seq_tt[] = {
67 {
68 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
69 .tag = 0,
70 .offset = offsetof(AUTHORITY_KEYID, keyid),
71 .field_name = "keyid",
72 .item = &ASN1_OCTET_STRING_it,
73 },
74 {
75 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
76 .tag = 1,
77 .offset = offsetof(AUTHORITY_KEYID, issuer),
78 .field_name = "issuer",
79 .item = &GENERAL_NAME_it,
80 },
81 {
82 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
83 .tag = 2,
84 .offset = offsetof(AUTHORITY_KEYID, serial),
85 .field_name = "serial",
86 .item = &ASN1_INTEGER_it,
87 },
88};
89
90const ASN1_ITEM AUTHORITY_KEYID_it = {
91 .itype = ASN1_ITYPE_SEQUENCE,
92 .utype = V_ASN1_SEQUENCE,
93 .templates = AUTHORITY_KEYID_seq_tt,
94 .tcount = sizeof(AUTHORITY_KEYID_seq_tt) / sizeof(ASN1_TEMPLATE),
95 .funcs = NULL,
96 .size = sizeof(AUTHORITY_KEYID),
97 .sname = "AUTHORITY_KEYID",
98};
99
100
101AUTHORITY_KEYID *
102d2i_AUTHORITY_KEYID(AUTHORITY_KEYID **a, const unsigned char **in, long len)
103{
104 return (AUTHORITY_KEYID *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
105 &AUTHORITY_KEYID_it);
106}
107
108int
109i2d_AUTHORITY_KEYID(AUTHORITY_KEYID *a, unsigned char **out)
110{
111 return ASN1_item_i2d((ASN1_VALUE *)a, out, &AUTHORITY_KEYID_it);
112}
113
114AUTHORITY_KEYID *
115AUTHORITY_KEYID_new(void)
116{
117 return (AUTHORITY_KEYID *)ASN1_item_new(&AUTHORITY_KEYID_it);
118}
119
120void
121AUTHORITY_KEYID_free(AUTHORITY_KEYID *a)
122{
123 ASN1_item_free((ASN1_VALUE *)a, &AUTHORITY_KEYID_it);
124}
diff --git a/src/lib/libcrypto/x509/x509_alt.c b/src/lib/libcrypto/x509/x509_alt.c
new file mode 100644
index 0000000000..45aaec24c0
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_alt.c
@@ -0,0 +1,699 @@
1/* $OpenBSD: x509_alt.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/conf.h>
63#include <openssl/err.h>
64#include <openssl/x509v3.h>
65
66static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
67 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
68static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
69 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
70static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p);
71static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens);
72static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
73static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
74
75const X509V3_EXT_METHOD v3_alt[] = {
76 {
77 .ext_nid = NID_subject_alt_name,
78 .ext_flags = 0,
79 .it = &GENERAL_NAMES_it,
80 .ext_new = NULL,
81 .ext_free = NULL,
82 .d2i = NULL,
83 .i2d = NULL,
84 .i2s = NULL,
85 .s2i = NULL,
86 .i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
87 .v2i = (X509V3_EXT_V2I)v2i_subject_alt,
88 .i2r = NULL,
89 .r2i = NULL,
90 .usr_data = NULL,
91 },
92 {
93 .ext_nid = NID_issuer_alt_name,
94 .ext_flags = 0,
95 .it = &GENERAL_NAMES_it,
96 .ext_new = NULL,
97 .ext_free = NULL,
98 .d2i = NULL,
99 .i2d = NULL,
100 .i2s = NULL,
101 .s2i = NULL,
102 .i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
103 .v2i = (X509V3_EXT_V2I)v2i_issuer_alt,
104 .i2r = NULL,
105 .r2i = NULL,
106 .usr_data = NULL,
107 },
108 {
109 .ext_nid = NID_certificate_issuer,
110 .ext_flags = 0,
111 .it = &GENERAL_NAMES_it,
112 .ext_new = NULL,
113 .ext_free = NULL,
114 .d2i = NULL,
115 .i2d = NULL,
116 .i2s = NULL,
117 .s2i = NULL,
118 .i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
119 .v2i = NULL,
120 .i2r = NULL,
121 .r2i = NULL,
122 .usr_data = NULL,
123 },
124};
125
126STACK_OF(CONF_VALUE) *
127i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method, GENERAL_NAMES *gens,
128 STACK_OF(CONF_VALUE) *ret)
129{
130 STACK_OF(CONF_VALUE) *free_ret = NULL;
131 GENERAL_NAME *gen;
132 int i;
133
134 if (ret == NULL) {
135 if ((free_ret = ret = sk_CONF_VALUE_new_null()) == NULL)
136 return NULL;
137 }
138
139 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
140 if ((gen = sk_GENERAL_NAME_value(gens, i)) == NULL)
141 goto err;
142 if ((ret = i2v_GENERAL_NAME(method, gen, ret)) == NULL)
143 goto err;
144 }
145
146 return ret;
147
148 err:
149 sk_CONF_VALUE_pop_free(free_ret, X509V3_conf_free);
150
151 return NULL;
152}
153
154STACK_OF(CONF_VALUE) *
155i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen,
156 STACK_OF(CONF_VALUE) *ret)
157{
158 STACK_OF(CONF_VALUE) *free_ret = NULL;
159 unsigned char *p;
160 char oline[256], htmp[5];
161 int i;
162
163 if (ret == NULL) {
164 if ((free_ret = ret = sk_CONF_VALUE_new_null()) == NULL)
165 return NULL;
166 }
167
168 switch (gen->type) {
169 case GEN_OTHERNAME:
170 if (!X509V3_add_value("othername", "<unsupported>", &ret))
171 goto err;
172 break;
173
174 case GEN_X400:
175 if (!X509V3_add_value("X400Name", "<unsupported>", &ret))
176 goto err;
177 break;
178
179 case GEN_EDIPARTY:
180 if (!X509V3_add_value("EdiPartyName", "<unsupported>", &ret))
181 goto err;
182 break;
183
184 case GEN_EMAIL:
185 if (!X509V3_add_value_uchar("email", gen->d.ia5->data, &ret))
186 goto err;
187 break;
188
189 case GEN_DNS:
190 if (!X509V3_add_value_uchar("DNS", gen->d.ia5->data, &ret))
191 goto err;
192 break;
193
194 case GEN_URI:
195 if (!X509V3_add_value_uchar("URI", gen->d.ia5->data, &ret))
196 goto err;
197 break;
198
199 case GEN_DIRNAME:
200 if (X509_NAME_oneline(gen->d.dirn, oline, 256) == NULL)
201 goto err;
202 if (!X509V3_add_value("DirName", oline, &ret))
203 goto err;
204 break;
205
206 case GEN_IPADD: /* XXX */
207 p = gen->d.ip->data;
208 if (gen->d.ip->length == 4)
209 (void) snprintf(oline, sizeof oline,
210 "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
211 else if (gen->d.ip->length == 16) {
212 oline[0] = 0;
213 for (i = 0; i < 8; i++) {
214 (void) snprintf(htmp, sizeof htmp,
215 "%X", p[0] << 8 | p[1]);
216 p += 2;
217 strlcat(oline, htmp, sizeof(oline));
218 if (i != 7)
219 strlcat(oline, ":", sizeof(oline));
220 }
221 } else {
222 if (!X509V3_add_value("IP Address", "<invalid>", &ret))
223 goto err;
224 break;
225 }
226 if (!X509V3_add_value("IP Address", oline, &ret))
227 goto err;
228 break;
229
230 case GEN_RID:
231 if (!i2t_ASN1_OBJECT(oline, 256, gen->d.rid))
232 goto err;
233 if (!X509V3_add_value("Registered ID", oline, &ret))
234 goto err;
235 break;
236 }
237
238 return ret;
239
240 err:
241 sk_CONF_VALUE_pop_free(free_ret, X509V3_conf_free);
242
243 return NULL;
244}
245
246int
247GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
248{
249 unsigned char *p;
250 int i;
251
252 switch (gen->type) {
253 case GEN_OTHERNAME:
254 BIO_printf(out, "othername:<unsupported>");
255 break;
256
257 case GEN_X400:
258 BIO_printf(out, "X400Name:<unsupported>");
259 break;
260
261 case GEN_EDIPARTY:
262 /* Maybe fix this: it is supported now */
263 BIO_printf(out, "EdiPartyName:<unsupported>");
264 break;
265
266 case GEN_EMAIL:
267 BIO_printf(out, "email:%s", gen->d.ia5->data);
268 break;
269
270 case GEN_DNS:
271 BIO_printf(out, "DNS:%s", gen->d.ia5->data);
272 break;
273
274 case GEN_URI:
275 BIO_printf(out, "URI:%s", gen->d.ia5->data);
276 break;
277
278 case GEN_DIRNAME:
279 BIO_printf(out, "DirName: ");
280 X509_NAME_print_ex(out, gen->d.dirn, 0, XN_FLAG_ONELINE);
281 break;
282
283 case GEN_IPADD:
284 p = gen->d.ip->data;
285 if (gen->d.ip->length == 4)
286 BIO_printf(out, "IP Address:%d.%d.%d.%d",
287 p[0], p[1], p[2], p[3]);
288 else if (gen->d.ip->length == 16) {
289 BIO_printf(out, "IP Address");
290 for (i = 0; i < 8; i++) {
291 BIO_printf(out, ":%X", p[0] << 8 | p[1]);
292 p += 2;
293 }
294 BIO_puts(out, "\n");
295 } else {
296 BIO_printf(out, "IP Address:<invalid>");
297 break;
298 }
299 break;
300
301 case GEN_RID:
302 BIO_printf(out, "Registered ID");
303 i2a_ASN1_OBJECT(out, gen->d.rid);
304 break;
305 }
306 return 1;
307}
308
309static GENERAL_NAMES *
310v2i_issuer_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
311 STACK_OF(CONF_VALUE) *nval)
312{
313 GENERAL_NAMES *gens = NULL;
314 CONF_VALUE *cnf;
315 int i;
316
317 if ((gens = sk_GENERAL_NAME_new_null()) == NULL) {
318 X509V3error(ERR_R_MALLOC_FAILURE);
319 return NULL;
320 }
321 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
322 cnf = sk_CONF_VALUE_value(nval, i);
323 if (name_cmp(cnf->name, "issuer") == 0 && cnf->value != NULL &&
324 strcmp(cnf->value, "copy") == 0) {
325 if (!copy_issuer(ctx, gens))
326 goto err;
327 } else {
328 GENERAL_NAME *gen;
329 if ((gen = v2i_GENERAL_NAME(method, ctx, cnf)) == NULL)
330 goto err;
331 if (sk_GENERAL_NAME_push(gens, gen) == 0) {
332 GENERAL_NAME_free(gen);
333 goto err;
334 }
335 }
336 }
337 return gens;
338
339err:
340 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
341 return NULL;
342}
343
344/* Append subject altname of issuer to issuer alt name of subject */
345
346static int
347copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens)
348{
349 GENERAL_NAMES *ialt;
350 GENERAL_NAME *gen;
351 X509_EXTENSION *ext;
352 int i;
353
354 if (ctx && (ctx->flags == CTX_TEST))
355 return 1;
356 if (!ctx || !ctx->issuer_cert) {
357 X509V3error(X509V3_R_NO_ISSUER_DETAILS);
358 goto err;
359 }
360 i = X509_get_ext_by_NID(ctx->issuer_cert, NID_subject_alt_name, -1);
361 if (i < 0)
362 return 1;
363 if (!(ext = X509_get_ext(ctx->issuer_cert, i)) ||
364 !(ialt = X509V3_EXT_d2i(ext))) {
365 X509V3error(X509V3_R_ISSUER_DECODE_ERROR);
366 goto err;
367 }
368
369 for (i = 0; i < sk_GENERAL_NAME_num(ialt); i++) {
370 gen = sk_GENERAL_NAME_value(ialt, i);
371 if (!sk_GENERAL_NAME_push(gens, gen)) {
372 X509V3error(ERR_R_MALLOC_FAILURE);
373 goto err;
374 }
375 }
376 sk_GENERAL_NAME_free(ialt);
377
378 return 1;
379
380err:
381 return 0;
382
383}
384
385static GENERAL_NAMES *
386v2i_subject_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
387 STACK_OF(CONF_VALUE) *nval)
388{
389 GENERAL_NAMES *gens = NULL;
390 CONF_VALUE *cnf;
391 int i;
392
393 if (!(gens = sk_GENERAL_NAME_new_null())) {
394 X509V3error(ERR_R_MALLOC_FAILURE);
395 return NULL;
396 }
397 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
398 cnf = sk_CONF_VALUE_value(nval, i);
399 if (!name_cmp(cnf->name, "email") && cnf->value &&
400 !strcmp(cnf->value, "copy")) {
401 if (!copy_email(ctx, gens, 0))
402 goto err;
403 } else if (!name_cmp(cnf->name, "email") && cnf->value &&
404 !strcmp(cnf->value, "move")) {
405 if (!copy_email(ctx, gens, 1))
406 goto err;
407 } else {
408 GENERAL_NAME *gen;
409 if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
410 goto err;
411 if (sk_GENERAL_NAME_push(gens, gen) == 0) {
412 GENERAL_NAME_free(gen);
413 goto err;
414 }
415 }
416 }
417 return gens;
418
419err:
420 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
421 return NULL;
422}
423
424/* Copy any email addresses in a certificate or request to
425 * GENERAL_NAMES
426 */
427
428static int
429copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
430{
431 X509_NAME *nm;
432 ASN1_IA5STRING *email = NULL;
433 X509_NAME_ENTRY *ne;
434 GENERAL_NAME *gen = NULL;
435 int i;
436
437 if (ctx != NULL && ctx->flags == CTX_TEST)
438 return 1;
439 if (!ctx || (!ctx->subject_cert && !ctx->subject_req)) {
440 X509V3error(X509V3_R_NO_SUBJECT_DETAILS);
441 goto err;
442 }
443 /* Find the subject name */
444 if (ctx->subject_cert)
445 nm = X509_get_subject_name(ctx->subject_cert);
446 else
447 nm = X509_REQ_get_subject_name(ctx->subject_req);
448
449 /* Now add any email address(es) to STACK */
450 i = -1;
451 while ((i = X509_NAME_get_index_by_NID(nm,
452 NID_pkcs9_emailAddress, i)) >= 0) {
453 ne = X509_NAME_get_entry(nm, i);
454 email = ASN1_STRING_dup(X509_NAME_ENTRY_get_data(ne));
455 if (move_p) {
456 X509_NAME_delete_entry(nm, i);
457 X509_NAME_ENTRY_free(ne);
458 i--;
459 }
460 if (!email || !(gen = GENERAL_NAME_new())) {
461 X509V3error(ERR_R_MALLOC_FAILURE);
462 goto err;
463 }
464 gen->d.ia5 = email;
465 email = NULL;
466 gen->type = GEN_EMAIL;
467 if (!sk_GENERAL_NAME_push(gens, gen)) {
468 X509V3error(ERR_R_MALLOC_FAILURE);
469 goto err;
470 }
471 gen = NULL;
472 }
473
474 return 1;
475
476err:
477 GENERAL_NAME_free(gen);
478 ASN1_IA5STRING_free(email);
479 return 0;
480}
481
482GENERAL_NAMES *
483v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
484 STACK_OF(CONF_VALUE) *nval)
485{
486 GENERAL_NAME *gen;
487 GENERAL_NAMES *gens = NULL;
488 CONF_VALUE *cnf;
489 int i;
490
491 if (!(gens = sk_GENERAL_NAME_new_null())) {
492 X509V3error(ERR_R_MALLOC_FAILURE);
493 return NULL;
494 }
495 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
496 cnf = sk_CONF_VALUE_value(nval, i);
497 if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
498 goto err;
499 if (sk_GENERAL_NAME_push(gens, gen) == 0) {
500 GENERAL_NAME_free(gen);
501 goto err;
502 }
503 }
504 return gens;
505
506err:
507 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
508 return NULL;
509}
510
511GENERAL_NAME *
512v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
513 CONF_VALUE *cnf)
514{
515 return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0);
516}
517
518GENERAL_NAME *
519a2i_GENERAL_NAME(GENERAL_NAME *out, const X509V3_EXT_METHOD *method,
520 X509V3_CTX *ctx, int gen_type, const char *value, int is_nc)
521{
522 char is_string = 0;
523 GENERAL_NAME *gen = NULL;
524
525 if (!value) {
526 X509V3error(X509V3_R_MISSING_VALUE);
527 return NULL;
528 }
529
530 if (out)
531 gen = out;
532 else {
533 gen = GENERAL_NAME_new();
534 if (gen == NULL) {
535 X509V3error(ERR_R_MALLOC_FAILURE);
536 return NULL;
537 }
538 }
539
540 switch (gen_type) {
541 case GEN_URI:
542 case GEN_EMAIL:
543 case GEN_DNS:
544 is_string = 1;
545 break;
546
547 case GEN_RID:
548 {
549 ASN1_OBJECT *obj;
550 if (!(obj = OBJ_txt2obj(value, 0))) {
551 X509V3error(X509V3_R_BAD_OBJECT);
552 ERR_asprintf_error_data("value=%s", value);
553 goto err;
554 }
555 gen->d.rid = obj;
556 }
557 break;
558
559 case GEN_IPADD:
560 if (is_nc)
561 gen->d.ip = a2i_IPADDRESS_NC(value);
562 else
563 gen->d.ip = a2i_IPADDRESS(value);
564 if (gen->d.ip == NULL) {
565 X509V3error(X509V3_R_BAD_IP_ADDRESS);
566 ERR_asprintf_error_data("value=%s", value);
567 goto err;
568 }
569 break;
570
571 case GEN_DIRNAME:
572 if (!do_dirname(gen, value, ctx)) {
573 X509V3error(X509V3_R_DIRNAME_ERROR);
574 goto err;
575 }
576 break;
577
578 case GEN_OTHERNAME:
579 if (!do_othername(gen, value, ctx)) {
580 X509V3error(X509V3_R_OTHERNAME_ERROR);
581 goto err;
582 }
583 break;
584
585 default:
586 X509V3error(X509V3_R_UNSUPPORTED_TYPE);
587 goto err;
588 }
589
590 if (is_string) {
591 if (!(gen->d.ia5 = ASN1_IA5STRING_new()) ||
592 !ASN1_STRING_set(gen->d.ia5, value, strlen(value))) {
593 X509V3error(ERR_R_MALLOC_FAILURE);
594 goto err;
595 }
596 }
597
598 gen->type = gen_type;
599
600 return gen;
601
602err:
603 if (out == NULL)
604 GENERAL_NAME_free(gen);
605 return NULL;
606}
607
608GENERAL_NAME *
609v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method,
610 X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc)
611{
612 int type;
613 char *name, *value;
614
615 name = cnf->name;
616 value = cnf->value;
617
618 if (!value) {
619 X509V3error(X509V3_R_MISSING_VALUE);
620 return NULL;
621 }
622
623 if (!name_cmp(name, "email"))
624 type = GEN_EMAIL;
625 else if (!name_cmp(name, "URI"))
626 type = GEN_URI;
627 else if (!name_cmp(name, "DNS"))
628 type = GEN_DNS;
629 else if (!name_cmp(name, "RID"))
630 type = GEN_RID;
631 else if (!name_cmp(name, "IP"))
632 type = GEN_IPADD;
633 else if (!name_cmp(name, "dirName"))
634 type = GEN_DIRNAME;
635 else if (!name_cmp(name, "otherName"))
636 type = GEN_OTHERNAME;
637 else {
638 X509V3error(X509V3_R_UNSUPPORTED_OPTION);
639 ERR_asprintf_error_data("name=%s", name);
640 return NULL;
641 }
642
643 return a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
644}
645
646static int
647do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx)
648{
649 char *objtmp = NULL, *p;
650 int objlen;
651
652 if (!(p = strchr(value, ';')))
653 return 0;
654 if (!(gen->d.otherName = OTHERNAME_new()))
655 return 0;
656 /* Free this up because we will overwrite it.
657 * no need to free type_id because it is static
658 */
659 ASN1_TYPE_free(gen->d.otherName->value);
660 if (!(gen->d.otherName->value = ASN1_generate_v3(p + 1, ctx)))
661 return 0;
662 objlen = p - value;
663 objtmp = malloc(objlen + 1);
664 if (objtmp) {
665 strlcpy(objtmp, value, objlen + 1);
666 gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0);
667 free(objtmp);
668 } else
669 gen->d.otherName->type_id = NULL;
670 if (!gen->d.otherName->type_id)
671 return 0;
672 return 1;
673}
674
675static int
676do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx)
677{
678 int ret;
679 STACK_OF(CONF_VALUE) *sk;
680 X509_NAME *nm;
681
682 if (!(nm = X509_NAME_new()))
683 return 0;
684 sk = X509V3_get_section(ctx, value);
685 if (!sk) {
686 X509V3error(X509V3_R_SECTION_NOT_FOUND);
687 ERR_asprintf_error_data("section=%s", value);
688 X509_NAME_free(nm);
689 return 0;
690 }
691 /* FIXME: should allow other character types... */
692 ret = X509V3_NAME_from_section(nm, sk, MBSTRING_ASC);
693 if (!ret)
694 X509_NAME_free(nm);
695 gen->d.dirn = nm;
696 X509V3_section_free(ctx, sk);
697
698 return ret;
699}
diff --git a/src/lib/libcrypto/x509/x509_bcons.c b/src/lib/libcrypto/x509/x509_bcons.c
new file mode 100644
index 0000000000..48ce7d6087
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_bcons.c
@@ -0,0 +1,199 @@
1/* $OpenBSD: x509_bcons.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/conf.h>
65#include <openssl/err.h>
66#include <openssl/x509v3.h>
67
68static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
69 BASIC_CONSTRAINTS *bcons, STACK_OF(CONF_VALUE) *extlist);
70static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
71 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
72
73const X509V3_EXT_METHOD v3_bcons = {
74 .ext_nid = NID_basic_constraints,
75 .ext_flags = 0,
76 .it = &BASIC_CONSTRAINTS_it,
77 .ext_new = NULL,
78 .ext_free = NULL,
79 .d2i = NULL,
80 .i2d = NULL,
81 .i2s = NULL,
82 .s2i = NULL,
83 .i2v = (X509V3_EXT_I2V)i2v_BASIC_CONSTRAINTS,
84 .v2i = (X509V3_EXT_V2I)v2i_BASIC_CONSTRAINTS,
85 .i2r = NULL,
86 .r2i = NULL,
87 .usr_data = NULL,
88};
89
90static const ASN1_TEMPLATE BASIC_CONSTRAINTS_seq_tt[] = {
91 {
92 .flags = ASN1_TFLG_OPTIONAL,
93 .tag = 0,
94 .offset = offsetof(BASIC_CONSTRAINTS, ca),
95 .field_name = "ca",
96 .item = &ASN1_FBOOLEAN_it,
97 },
98 {
99 .flags = ASN1_TFLG_OPTIONAL,
100 .tag = 0,
101 .offset = offsetof(BASIC_CONSTRAINTS, pathlen),
102 .field_name = "pathlen",
103 .item = &ASN1_INTEGER_it,
104 },
105};
106
107const ASN1_ITEM BASIC_CONSTRAINTS_it = {
108 .itype = ASN1_ITYPE_SEQUENCE,
109 .utype = V_ASN1_SEQUENCE,
110 .templates = BASIC_CONSTRAINTS_seq_tt,
111 .tcount = sizeof(BASIC_CONSTRAINTS_seq_tt) / sizeof(ASN1_TEMPLATE),
112 .funcs = NULL,
113 .size = sizeof(BASIC_CONSTRAINTS),
114 .sname = "BASIC_CONSTRAINTS",
115};
116
117
118BASIC_CONSTRAINTS *
119d2i_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS **a, const unsigned char **in, long len)
120{
121 return (BASIC_CONSTRAINTS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
122 &BASIC_CONSTRAINTS_it);
123}
124
125int
126i2d_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS *a, unsigned char **out)
127{
128 return ASN1_item_i2d((ASN1_VALUE *)a, out, &BASIC_CONSTRAINTS_it);
129}
130
131BASIC_CONSTRAINTS *
132BASIC_CONSTRAINTS_new(void)
133{
134 return (BASIC_CONSTRAINTS *)ASN1_item_new(&BASIC_CONSTRAINTS_it);
135}
136
137void
138BASIC_CONSTRAINTS_free(BASIC_CONSTRAINTS *a)
139{
140 ASN1_item_free((ASN1_VALUE *)a, &BASIC_CONSTRAINTS_it);
141}
142
143
144static STACK_OF(CONF_VALUE) *
145i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, BASIC_CONSTRAINTS *bcons,
146 STACK_OF(CONF_VALUE) *extlist)
147{
148 STACK_OF(CONF_VALUE) *free_extlist = NULL;
149
150 if (extlist == NULL) {
151 if ((free_extlist = extlist = sk_CONF_VALUE_new_null()) == NULL)
152 return NULL;
153 }
154
155 if (!X509V3_add_value_bool("CA", bcons->ca, &extlist))
156 goto err;
157 if (!X509V3_add_value_int("pathlen", bcons->pathlen, &extlist))
158 goto err;
159
160 return extlist;
161
162 err:
163 sk_CONF_VALUE_pop_free(free_extlist, X509V3_conf_free);
164
165 return NULL;
166}
167
168static BASIC_CONSTRAINTS *
169v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
170 STACK_OF(CONF_VALUE) *values)
171{
172 BASIC_CONSTRAINTS *bcons = NULL;
173 CONF_VALUE *val;
174 int i;
175
176 if (!(bcons = BASIC_CONSTRAINTS_new())) {
177 X509V3error(ERR_R_MALLOC_FAILURE);
178 return NULL;
179 }
180 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
181 val = sk_CONF_VALUE_value(values, i);
182 if (!strcmp(val->name, "CA")) {
183 if (!X509V3_get_value_bool(val, &bcons->ca))
184 goto err;
185 } else if (!strcmp(val->name, "pathlen")) {
186 if (!X509V3_get_value_int(val, &bcons->pathlen))
187 goto err;
188 } else {
189 X509V3error(X509V3_R_INVALID_NAME);
190 X509V3_conf_err(val);
191 goto err;
192 }
193 }
194 return bcons;
195
196err:
197 BASIC_CONSTRAINTS_free(bcons);
198 return NULL;
199}
diff --git a/src/lib/libcrypto/x509/x509_bitst.c b/src/lib/libcrypto/x509/x509_bitst.c
new file mode 100644
index 0000000000..3d998188e8
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_bitst.c
@@ -0,0 +1,187 @@
1/* $OpenBSD: x509_bitst.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/conf.h>
63#include <openssl/err.h>
64#include <openssl/x509v3.h>
65
66static BIT_STRING_BITNAME ns_cert_type_table[] = {
67 {0, "SSL Client", "client"},
68 {1, "SSL Server", "server"},
69 {2, "S/MIME", "email"},
70 {3, "Object Signing", "objsign"},
71 {4, "Unused", "reserved"},
72 {5, "SSL CA", "sslCA"},
73 {6, "S/MIME CA", "emailCA"},
74 {7, "Object Signing CA", "objCA"},
75 {-1, NULL, NULL}
76};
77
78static BIT_STRING_BITNAME key_usage_type_table[] = {
79 {0, "Digital Signature", "digitalSignature"},
80 {1, "Non Repudiation", "nonRepudiation"},
81 {2, "Key Encipherment", "keyEncipherment"},
82 {3, "Data Encipherment", "dataEncipherment"},
83 {4, "Key Agreement", "keyAgreement"},
84 {5, "Certificate Sign", "keyCertSign"},
85 {6, "CRL Sign", "cRLSign"},
86 {7, "Encipher Only", "encipherOnly"},
87 {8, "Decipher Only", "decipherOnly"},
88 {-1, NULL, NULL}
89};
90
91const X509V3_EXT_METHOD v3_nscert = {
92 .ext_nid = NID_netscape_cert_type,
93 .ext_flags = 0,
94 .it = &ASN1_BIT_STRING_it,
95 .ext_new = NULL,
96 .ext_free = NULL,
97 .d2i = NULL,
98 .i2d = NULL,
99 .i2s = NULL,
100 .s2i = NULL,
101 .i2v = (X509V3_EXT_I2V)i2v_ASN1_BIT_STRING,
102 .v2i = (X509V3_EXT_V2I)v2i_ASN1_BIT_STRING,
103 .i2r = NULL,
104 .r2i = NULL,
105 .usr_data = ns_cert_type_table,
106};
107
108const X509V3_EXT_METHOD v3_key_usage = {
109 .ext_nid = NID_key_usage,
110 .ext_flags = 0,
111 .it = &ASN1_BIT_STRING_it,
112 .ext_new = NULL,
113 .ext_free = NULL,
114 .d2i = NULL,
115 .i2d = NULL,
116 .i2s = NULL,
117 .s2i = NULL,
118 .i2v = (X509V3_EXT_I2V)i2v_ASN1_BIT_STRING,
119 .v2i = (X509V3_EXT_V2I)v2i_ASN1_BIT_STRING,
120 .i2r = NULL,
121 .r2i = NULL,
122 .usr_data = key_usage_type_table,
123};
124
125STACK_OF(CONF_VALUE) *
126i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, ASN1_BIT_STRING *bits,
127 STACK_OF(CONF_VALUE) *ret)
128{
129 BIT_STRING_BITNAME *bnam;
130 STACK_OF(CONF_VALUE) *free_ret = NULL;
131
132 if (ret == NULL) {
133 if ((free_ret = ret = sk_CONF_VALUE_new_null()) == NULL)
134 return NULL;
135 }
136
137 for (bnam = method->usr_data; bnam->lname != NULL; bnam++) {
138 if (!ASN1_BIT_STRING_get_bit(bits, bnam->bitnum))
139 continue;
140 if (!X509V3_add_value(bnam->lname, NULL, &ret))
141 goto err;
142 }
143
144 return ret;
145
146 err:
147 sk_CONF_VALUE_pop_free(free_ret, X509V3_conf_free);
148
149 return NULL;
150}
151
152ASN1_BIT_STRING *
153v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
154 STACK_OF(CONF_VALUE) *nval)
155{
156 CONF_VALUE *val;
157 ASN1_BIT_STRING *bs;
158 int i;
159 BIT_STRING_BITNAME *bnam;
160
161 if (!(bs = ASN1_BIT_STRING_new())) {
162 X509V3error(ERR_R_MALLOC_FAILURE);
163 return NULL;
164 }
165 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
166 val = sk_CONF_VALUE_value(nval, i);
167 for (bnam = method->usr_data; bnam->lname; bnam++) {
168 if (!strcmp(bnam->sname, val->name) ||
169 !strcmp(bnam->lname, val->name) ) {
170 if (!ASN1_BIT_STRING_set_bit(bs,
171 bnam->bitnum, 1)) {
172 X509V3error(ERR_R_MALLOC_FAILURE);
173 ASN1_BIT_STRING_free(bs);
174 return NULL;
175 }
176 break;
177 }
178 }
179 if (!bnam->lname) {
180 X509V3error(X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT);
181 X509V3_conf_err(val);
182 ASN1_BIT_STRING_free(bs);
183 return NULL;
184 }
185 }
186 return bs;
187}
diff --git a/src/lib/libcrypto/x509/x509_conf.c b/src/lib/libcrypto/x509/x509_conf.c
new file mode 100644
index 0000000000..8bf2d10b9f
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_conf.c
@@ -0,0 +1,570 @@
1/* $OpenBSD: x509_conf.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58/* extension creation utilities */
59
60#include <ctype.h>
61#include <stdio.h>
62#include <string.h>
63
64#include <openssl/conf.h>
65#include <openssl/err.h>
66#include <openssl/x509.h>
67#include <openssl/x509v3.h>
68
69static int v3_check_critical(const char **value);
70static int v3_check_generic(const char **value);
71static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
72 int crit, const char *value);
73static X509_EXTENSION *v3_generic_extension(const char *ext, const char *value,
74 int crit, int type, X509V3_CTX *ctx);
75static char *conf_lhash_get_string(void *db, const char *section,
76 const char *value);
77static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db,
78 const char *section);
79static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,
80 int crit, void *ext_struc);
81static unsigned char *generic_asn1(const char *value, X509V3_CTX *ctx,
82 long *ext_len);
83
84/* CONF *conf: Config file */
85/* char *name: Name */
86/* char *value: Value */
87X509_EXTENSION *
88X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name,
89 const char *value)
90{
91 int crit;
92 int ext_type;
93 X509_EXTENSION *ret;
94
95 crit = v3_check_critical(&value);
96 if ((ext_type = v3_check_generic(&value)))
97 return v3_generic_extension(name, value, crit, ext_type, ctx);
98 ret = do_ext_nconf(conf, ctx, OBJ_sn2nid(name), crit, value);
99 if (!ret) {
100 X509V3error(X509V3_R_ERROR_IN_EXTENSION);
101 ERR_asprintf_error_data("name=%s, value=%s", name, value);
102 }
103 return ret;
104}
105
106/* CONF *conf: Config file */
107/* char *value: Value */
108X509_EXTENSION *
109X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
110 const char *value)
111{
112 int crit;
113 int ext_type;
114
115 crit = v3_check_critical(&value);
116 if ((ext_type = v3_check_generic(&value)))
117 return v3_generic_extension(OBJ_nid2sn(ext_nid),
118 value, crit, ext_type, ctx);
119 return do_ext_nconf(conf, ctx, ext_nid, crit, value);
120}
121
122/* CONF *conf: Config file */
123/* char *value: Value */
124static X509_EXTENSION *
125do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, int crit,
126 const char *value)
127{
128 const X509V3_EXT_METHOD *method;
129 X509_EXTENSION *ext;
130 void *ext_struc;
131
132 if (ext_nid == NID_undef) {
133 X509V3error(X509V3_R_UNKNOWN_EXTENSION_NAME);
134 return NULL;
135 }
136 if (!(method = X509V3_EXT_get_nid(ext_nid))) {
137 X509V3error(X509V3_R_UNKNOWN_EXTENSION);
138 return NULL;
139 }
140 /* Now get internal extension representation based on type */
141 if (method->v2i) {
142 STACK_OF(CONF_VALUE) *nval;
143
144 if (*value == '@')
145 nval = NCONF_get_section(conf, value + 1);
146 else
147 nval = X509V3_parse_list(value);
148 if (sk_CONF_VALUE_num(nval) <= 0) {
149 X509V3error(X509V3_R_INVALID_EXTENSION_STRING);
150 ERR_asprintf_error_data("name=%s,section=%s",
151 OBJ_nid2sn(ext_nid), value);
152 if (*value != '@')
153 sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
154 return NULL;
155 }
156 ext_struc = method->v2i(method, ctx, nval);
157 if (*value != '@')
158 sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
159 } else if (method->s2i) {
160 ext_struc = method->s2i(method, ctx, value);
161 } else if (method->r2i) {
162 if (!ctx->db || !ctx->db_meth) {
163 X509V3error(X509V3_R_NO_CONFIG_DATABASE);
164 return NULL;
165 }
166 ext_struc = method->r2i(method, ctx, value);
167 } else {
168 X509V3error(X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED);
169 ERR_asprintf_error_data("name=%s", OBJ_nid2sn(ext_nid));
170 return NULL;
171 }
172 if (ext_struc == NULL)
173 return NULL;
174
175 ext = do_ext_i2d(method, ext_nid, crit, ext_struc);
176 if (method->it)
177 ASN1_item_free(ext_struc, method->it);
178 else
179 method->ext_free(ext_struc);
180 return ext;
181}
182
183static X509_EXTENSION *
184do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid, int crit,
185 void *ext_struc)
186{
187 unsigned char *ext_der;
188 int ext_len;
189 ASN1_OCTET_STRING *ext_oct = NULL;
190 X509_EXTENSION *ext;
191
192 /* Convert internal representation to DER */
193 if (method->it) {
194 ext_der = NULL;
195 ext_len = ASN1_item_i2d(ext_struc, &ext_der,
196 method->it);
197 if (ext_len < 0)
198 goto merr;
199 } else {
200 unsigned char *p;
201 ext_len = method->i2d(ext_struc, NULL);
202 if (!(ext_der = malloc(ext_len)))
203 goto merr;
204 p = ext_der;
205 method->i2d(ext_struc, &p);
206 }
207 if (!(ext_oct = ASN1_OCTET_STRING_new()))
208 goto merr;
209 ext_oct->data = ext_der;
210 ext_oct->length = ext_len;
211
212 ext = X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct);
213 if (!ext)
214 goto merr;
215 ASN1_OCTET_STRING_free(ext_oct);
216
217 return ext;
218
219merr:
220 ASN1_OCTET_STRING_free(ext_oct);
221 X509V3error(ERR_R_MALLOC_FAILURE);
222 return NULL;
223
224}
225
226/* Given an internal structure, nid and critical flag create an extension */
227
228X509_EXTENSION *
229X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc)
230{
231 const X509V3_EXT_METHOD *method;
232
233 if (!(method = X509V3_EXT_get_nid(ext_nid))) {
234 X509V3error(X509V3_R_UNKNOWN_EXTENSION);
235 return NULL;
236 }
237 return do_ext_i2d(method, ext_nid, crit, ext_struc);
238}
239
240/* Check the extension string for critical flag */
241static int
242v3_check_critical(const char **value)
243{
244 const char *p = *value;
245
246 if ((strlen(p) < 9) || strncmp(p, "critical,", 9))
247 return 0;
248 p += 9;
249 while (isspace((unsigned char)*p)) p++;
250 *value = p;
251 return 1;
252}
253
254/* Check extension string for generic extension and return the type */
255static int
256v3_check_generic(const char **value)
257{
258 int gen_type = 0;
259 const char *p = *value;
260
261 if ((strlen(p) >= 4) && !strncmp(p, "DER:", 4)) {
262 p += 4;
263 gen_type = 1;
264 } else if ((strlen(p) >= 5) && !strncmp(p, "ASN1:", 5)) {
265 p += 5;
266 gen_type = 2;
267 } else
268 return 0;
269
270 while (isspace((unsigned char)*p))
271 p++;
272 *value = p;
273 return gen_type;
274}
275
276/* Create a generic extension: for now just handle DER type */
277static X509_EXTENSION *
278v3_generic_extension(const char *ext, const char *value, int crit, int gen_type,
279 X509V3_CTX *ctx)
280{
281 unsigned char *ext_der = NULL;
282 long ext_len = 0;
283 ASN1_OBJECT *obj = NULL;
284 ASN1_OCTET_STRING *oct = NULL;
285 X509_EXTENSION *extension = NULL;
286
287 if (!(obj = OBJ_txt2obj(ext, 0))) {
288 X509V3error(X509V3_R_EXTENSION_NAME_ERROR);
289 ERR_asprintf_error_data("name=%s", ext);
290 goto err;
291 }
292
293 if (gen_type == 1)
294 ext_der = string_to_hex(value, &ext_len);
295 else if (gen_type == 2)
296 ext_der = generic_asn1(value, ctx, &ext_len);
297 else {
298 ERR_asprintf_error_data("Unexpected generic extension type %d", gen_type);
299 goto err;
300 }
301
302 if (ext_der == NULL) {
303 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR);
304 ERR_asprintf_error_data("value=%s", value);
305 goto err;
306 }
307
308 if (!(oct = ASN1_OCTET_STRING_new())) {
309 X509V3error(ERR_R_MALLOC_FAILURE);
310 goto err;
311 }
312
313 oct->data = ext_der;
314 oct->length = ext_len;
315 ext_der = NULL;
316
317 extension = X509_EXTENSION_create_by_OBJ(NULL, obj, crit, oct);
318
319err:
320 ASN1_OBJECT_free(obj);
321 ASN1_OCTET_STRING_free(oct);
322 free(ext_der);
323 return extension;
324}
325
326static unsigned char *
327generic_asn1(const char *value, X509V3_CTX *ctx, long *ext_len)
328{
329 ASN1_TYPE *typ;
330 unsigned char *ext_der = NULL;
331
332 typ = ASN1_generate_v3(value, ctx);
333 if (typ == NULL)
334 return NULL;
335 *ext_len = i2d_ASN1_TYPE(typ, &ext_der);
336 ASN1_TYPE_free(typ);
337 return ext_der;
338}
339
340/* This is the main function: add a bunch of extensions based on a config file
341 * section to an extension STACK.
342 */
343
344int
345X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, const char *section,
346 STACK_OF(X509_EXTENSION) **sk)
347{
348 X509_EXTENSION *ext;
349 STACK_OF(CONF_VALUE) *nval;
350 CONF_VALUE *val;
351 int i;
352
353 if (!(nval = NCONF_get_section(conf, section)))
354 return 0;
355 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
356 val = sk_CONF_VALUE_value(nval, i);
357 if (!(ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value)))
358 return 0;
359 if (sk)
360 X509v3_add_ext(sk, ext, -1);
361 X509_EXTENSION_free(ext);
362 }
363 return 1;
364}
365
366/* Convenience functions to add extensions to a certificate, CRL and request */
367
368int
369X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
370 X509 *cert)
371{
372 STACK_OF(X509_EXTENSION) **sk = NULL;
373
374 if (cert)
375 sk = &cert->cert_info->extensions;
376 return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
377}
378
379/* Same as above but for a CRL */
380
381int
382X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
383 X509_CRL *crl)
384{
385 STACK_OF(X509_EXTENSION) **sk = NULL;
386
387 if (crl)
388 sk = &crl->crl->extensions;
389 return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
390}
391
392/* Add extensions to certificate request */
393
394int
395X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
396 X509_REQ *req)
397{
398 STACK_OF(X509_EXTENSION) *extlist = NULL, **sk = NULL;
399 int i;
400
401 if (req)
402 sk = &extlist;
403 i = X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
404 if (!i || !sk)
405 return i;
406 i = X509_REQ_add_extensions(req, extlist);
407 sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free);
408 return i;
409}
410
411/* Config database functions */
412
413char *
414X509V3_get_string(X509V3_CTX *ctx, const char *name, const char *section)
415{
416 if (!ctx->db || !ctx->db_meth || !ctx->db_meth->get_string) {
417 X509V3error(X509V3_R_OPERATION_NOT_DEFINED);
418 return NULL;
419 }
420 return ctx->db_meth->get_string(ctx->db, name, section);
421}
422
423STACK_OF(CONF_VALUE) *
424X509V3_get_section(X509V3_CTX *ctx, const char *section)
425{
426 if (!ctx->db || !ctx->db_meth || !ctx->db_meth->get_section) {
427 X509V3error(X509V3_R_OPERATION_NOT_DEFINED);
428 return NULL;
429 }
430 return ctx->db_meth->get_section(ctx->db, section);
431}
432
433void
434X509V3_string_free(X509V3_CTX *ctx, char *str)
435{
436 if (!str)
437 return;
438 if (ctx->db_meth->free_string)
439 ctx->db_meth->free_string(ctx->db, str);
440}
441
442void
443X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section)
444{
445 if (!section)
446 return;
447 if (ctx->db_meth->free_section)
448 ctx->db_meth->free_section(ctx->db, section);
449}
450
451static char *
452nconf_get_string(void *db, const char *section, const char *value)
453{
454 return NCONF_get_string(db, section, value);
455}
456
457static STACK_OF(CONF_VALUE) *
458nconf_get_section(void *db, const char *section)
459{
460 return NCONF_get_section(db, section);
461}
462
463static X509V3_CONF_METHOD nconf_method = {
464 nconf_get_string,
465 nconf_get_section,
466 NULL,
467 NULL
468};
469
470void
471X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf)
472{
473 ctx->db_meth = &nconf_method;
474 ctx->db = conf;
475}
476
477void
478X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
479 X509_CRL *crl, int flags)
480{
481 ctx->issuer_cert = issuer;
482 ctx->subject_cert = subj;
483 ctx->crl = crl;
484 ctx->subject_req = req;
485 ctx->flags = flags;
486}
487
488/* Old conf compatibility functions */
489
490X509_EXTENSION *
491X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, const char *name,
492 const char *value)
493{
494 CONF ctmp;
495
496 CONF_set_nconf(&ctmp, conf);
497 return X509V3_EXT_nconf(&ctmp, ctx, name, value);
498}
499
500/* LHASH *conf: Config file */
501/* char *value: Value */
502X509_EXTENSION *
503X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, int ext_nid,
504 const char *value)
505{
506 CONF ctmp;
507
508 CONF_set_nconf(&ctmp, conf);
509 return X509V3_EXT_nconf_nid(&ctmp, ctx, ext_nid, value);
510}
511
512static char *
513conf_lhash_get_string(void *db, const char *section, const char *value)
514{
515 return CONF_get_string(db, section, value);
516}
517
518static STACK_OF(CONF_VALUE) *
519conf_lhash_get_section(void *db, const char *section)
520{
521 return CONF_get_section(db, section);
522}
523
524static X509V3_CONF_METHOD conf_lhash_method = {
525 conf_lhash_get_string,
526 conf_lhash_get_section,
527 NULL,
528 NULL
529};
530
531void
532X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash)
533{
534 ctx->db_meth = &conf_lhash_method;
535 ctx->db = lhash;
536}
537
538int
539X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
540 const char *section, X509 *cert)
541{
542 CONF ctmp;
543
544 CONF_set_nconf(&ctmp, conf);
545 return X509V3_EXT_add_nconf(&ctmp, ctx, section, cert);
546}
547
548/* Same as above but for a CRL */
549
550int
551X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
552 const char *section, X509_CRL *crl)
553{
554 CONF ctmp;
555
556 CONF_set_nconf(&ctmp, conf);
557 return X509V3_EXT_CRL_add_nconf(&ctmp, ctx, section, crl);
558}
559
560/* Add extensions to certificate request */
561
562int
563X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
564 const char *section, X509_REQ *req)
565{
566 CONF ctmp;
567
568 CONF_set_nconf(&ctmp, conf);
569 return X509V3_EXT_REQ_add_nconf(&ctmp, ctx, section, req);
570}
diff --git a/src/lib/libcrypto/x509/x509_cpols.c b/src/lib/libcrypto/x509/x509_cpols.c
new file mode 100644
index 0000000000..4b6c13cfbe
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_cpols.c
@@ -0,0 +1,763 @@
1/* $OpenBSD: x509_cpols.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/conf.h>
65#include <openssl/err.h>
66#include <openssl/x509v3.h>
67
68#include "pcy_int.h"
69
70/* Certificate policies extension support: this one is a bit complex... */
71
72static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol,
73 BIO *out, int indent);
74static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
75 X509V3_CTX *ctx, char *value);
76static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
77 int indent);
78static void print_notice(BIO *out, USERNOTICE *notice, int indent);
79static POLICYINFO *policy_section(X509V3_CTX *ctx,
80 STACK_OF(CONF_VALUE) *polstrs, int ia5org);
81static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
82 STACK_OF(CONF_VALUE) *unot, int ia5org);
83static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos);
84
85const X509V3_EXT_METHOD v3_cpols = {
86 .ext_nid = NID_certificate_policies,
87 .ext_flags = 0,
88 .it = &CERTIFICATEPOLICIES_it,
89 .ext_new = NULL,
90 .ext_free = NULL,
91 .d2i = NULL,
92 .i2d = NULL,
93 .i2s = NULL,
94 .s2i = NULL,
95 .i2v = NULL,
96 .v2i = NULL,
97 .i2r = (X509V3_EXT_I2R)i2r_certpol,
98 .r2i = (X509V3_EXT_R2I)r2i_certpol,
99 .usr_data = NULL,
100};
101
102static const ASN1_TEMPLATE CERTIFICATEPOLICIES_item_tt = {
103 .flags = ASN1_TFLG_SEQUENCE_OF,
104 .tag = 0,
105 .offset = 0,
106 .field_name = "CERTIFICATEPOLICIES",
107 .item = &POLICYINFO_it,
108};
109
110const ASN1_ITEM CERTIFICATEPOLICIES_it = {
111 .itype = ASN1_ITYPE_PRIMITIVE,
112 .utype = -1,
113 .templates = &CERTIFICATEPOLICIES_item_tt,
114 .tcount = 0,
115 .funcs = NULL,
116 .size = 0,
117 .sname = "CERTIFICATEPOLICIES",
118};
119
120
121CERTIFICATEPOLICIES *
122d2i_CERTIFICATEPOLICIES(CERTIFICATEPOLICIES **a, const unsigned char **in, long len)
123{
124 return (CERTIFICATEPOLICIES *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
125 &CERTIFICATEPOLICIES_it);
126}
127
128int
129i2d_CERTIFICATEPOLICIES(CERTIFICATEPOLICIES *a, unsigned char **out)
130{
131 return ASN1_item_i2d((ASN1_VALUE *)a, out, &CERTIFICATEPOLICIES_it);
132}
133
134CERTIFICATEPOLICIES *
135CERTIFICATEPOLICIES_new(void)
136{
137 return (CERTIFICATEPOLICIES *)ASN1_item_new(&CERTIFICATEPOLICIES_it);
138}
139
140void
141CERTIFICATEPOLICIES_free(CERTIFICATEPOLICIES *a)
142{
143 ASN1_item_free((ASN1_VALUE *)a, &CERTIFICATEPOLICIES_it);
144}
145
146static const ASN1_TEMPLATE POLICYINFO_seq_tt[] = {
147 {
148 .flags = 0,
149 .tag = 0,
150 .offset = offsetof(POLICYINFO, policyid),
151 .field_name = "policyid",
152 .item = &ASN1_OBJECT_it,
153 },
154 {
155 .flags = ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
156 .tag = 0,
157 .offset = offsetof(POLICYINFO, qualifiers),
158 .field_name = "qualifiers",
159 .item = &POLICYQUALINFO_it,
160 },
161};
162
163const ASN1_ITEM POLICYINFO_it = {
164 .itype = ASN1_ITYPE_SEQUENCE,
165 .utype = V_ASN1_SEQUENCE,
166 .templates = POLICYINFO_seq_tt,
167 .tcount = sizeof(POLICYINFO_seq_tt) / sizeof(ASN1_TEMPLATE),
168 .funcs = NULL,
169 .size = sizeof(POLICYINFO),
170 .sname = "POLICYINFO",
171};
172
173
174POLICYINFO *
175d2i_POLICYINFO(POLICYINFO **a, const unsigned char **in, long len)
176{
177 return (POLICYINFO *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
178 &POLICYINFO_it);
179}
180
181int
182i2d_POLICYINFO(POLICYINFO *a, unsigned char **out)
183{
184 return ASN1_item_i2d((ASN1_VALUE *)a, out, &POLICYINFO_it);
185}
186
187POLICYINFO *
188POLICYINFO_new(void)
189{
190 return (POLICYINFO *)ASN1_item_new(&POLICYINFO_it);
191}
192
193void
194POLICYINFO_free(POLICYINFO *a)
195{
196 ASN1_item_free((ASN1_VALUE *)a, &POLICYINFO_it);
197}
198
199static const ASN1_TEMPLATE policydefault_tt = {
200 .flags = 0,
201 .tag = 0,
202 .offset = offsetof(POLICYQUALINFO, d.other),
203 .field_name = "d.other",
204 .item = &ASN1_ANY_it,
205};
206
207static const ASN1_ADB_TABLE POLICYQUALINFO_adbtbl[] = {
208 {
209 .value = NID_id_qt_cps,
210 .tt = {
211 .flags = 0,
212 .tag = 0,
213 .offset = offsetof(POLICYQUALINFO, d.cpsuri),
214 .field_name = "d.cpsuri",
215 .item = &ASN1_IA5STRING_it,
216 },
217
218 },
219 {
220 .value = NID_id_qt_unotice,
221 .tt = {
222 .flags = 0,
223 .tag = 0,
224 .offset = offsetof(POLICYQUALINFO, d.usernotice),
225 .field_name = "d.usernotice",
226 .item = &USERNOTICE_it,
227 },
228
229 },
230};
231
232static const ASN1_ADB POLICYQUALINFO_adb = {
233 .flags = 0,
234 .offset = offsetof(POLICYQUALINFO, pqualid),
235 .app_items = 0,
236 .tbl = POLICYQUALINFO_adbtbl,
237 .tblcount = sizeof(POLICYQUALINFO_adbtbl) / sizeof(ASN1_ADB_TABLE),
238 .default_tt = &policydefault_tt,
239 .null_tt = NULL,
240};
241
242static const ASN1_TEMPLATE POLICYQUALINFO_seq_tt[] = {
243 {
244 .flags = 0,
245 .tag = 0,
246 .offset = offsetof(POLICYQUALINFO, pqualid),
247 .field_name = "pqualid",
248 .item = &ASN1_OBJECT_it,
249 },
250 {
251 .flags = ASN1_TFLG_ADB_OID,
252 .tag = -1,
253 .offset = 0,
254 .field_name = "POLICYQUALINFO",
255 .item = (const ASN1_ITEM *)&POLICYQUALINFO_adb,
256 },
257};
258
259const ASN1_ITEM POLICYQUALINFO_it = {
260 .itype = ASN1_ITYPE_SEQUENCE,
261 .utype = V_ASN1_SEQUENCE,
262 .templates = POLICYQUALINFO_seq_tt,
263 .tcount = sizeof(POLICYQUALINFO_seq_tt) / sizeof(ASN1_TEMPLATE),
264 .funcs = NULL,
265 .size = sizeof(POLICYQUALINFO),
266 .sname = "POLICYQUALINFO",
267};
268
269
270POLICYQUALINFO *
271d2i_POLICYQUALINFO(POLICYQUALINFO **a, const unsigned char **in, long len)
272{
273 return (POLICYQUALINFO *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
274 &POLICYQUALINFO_it);
275}
276
277int
278i2d_POLICYQUALINFO(POLICYQUALINFO *a, unsigned char **out)
279{
280 return ASN1_item_i2d((ASN1_VALUE *)a, out, &POLICYQUALINFO_it);
281}
282
283POLICYQUALINFO *
284POLICYQUALINFO_new(void)
285{
286 return (POLICYQUALINFO *)ASN1_item_new(&POLICYQUALINFO_it);
287}
288
289void
290POLICYQUALINFO_free(POLICYQUALINFO *a)
291{
292 ASN1_item_free((ASN1_VALUE *)a, &POLICYQUALINFO_it);
293}
294
295static const ASN1_TEMPLATE USERNOTICE_seq_tt[] = {
296 {
297 .flags = ASN1_TFLG_OPTIONAL,
298 .tag = 0,
299 .offset = offsetof(USERNOTICE, noticeref),
300 .field_name = "noticeref",
301 .item = &NOTICEREF_it,
302 },
303 {
304 .flags = ASN1_TFLG_OPTIONAL,
305 .tag = 0,
306 .offset = offsetof(USERNOTICE, exptext),
307 .field_name = "exptext",
308 .item = &DISPLAYTEXT_it,
309 },
310};
311
312const ASN1_ITEM USERNOTICE_it = {
313 .itype = ASN1_ITYPE_SEQUENCE,
314 .utype = V_ASN1_SEQUENCE,
315 .templates = USERNOTICE_seq_tt,
316 .tcount = sizeof(USERNOTICE_seq_tt) / sizeof(ASN1_TEMPLATE),
317 .funcs = NULL,
318 .size = sizeof(USERNOTICE),
319 .sname = "USERNOTICE",
320};
321
322
323USERNOTICE *
324d2i_USERNOTICE(USERNOTICE **a, const unsigned char **in, long len)
325{
326 return (USERNOTICE *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
327 &USERNOTICE_it);
328}
329
330int
331i2d_USERNOTICE(USERNOTICE *a, unsigned char **out)
332{
333 return ASN1_item_i2d((ASN1_VALUE *)a, out, &USERNOTICE_it);
334}
335
336USERNOTICE *
337USERNOTICE_new(void)
338{
339 return (USERNOTICE *)ASN1_item_new(&USERNOTICE_it);
340}
341
342void
343USERNOTICE_free(USERNOTICE *a)
344{
345 ASN1_item_free((ASN1_VALUE *)a, &USERNOTICE_it);
346}
347
348static const ASN1_TEMPLATE NOTICEREF_seq_tt[] = {
349 {
350 .flags = 0,
351 .tag = 0,
352 .offset = offsetof(NOTICEREF, organization),
353 .field_name = "organization",
354 .item = &DISPLAYTEXT_it,
355 },
356 {
357 .flags = ASN1_TFLG_SEQUENCE_OF,
358 .tag = 0,
359 .offset = offsetof(NOTICEREF, noticenos),
360 .field_name = "noticenos",
361 .item = &ASN1_INTEGER_it,
362 },
363};
364
365const ASN1_ITEM NOTICEREF_it = {
366 .itype = ASN1_ITYPE_SEQUENCE,
367 .utype = V_ASN1_SEQUENCE,
368 .templates = NOTICEREF_seq_tt,
369 .tcount = sizeof(NOTICEREF_seq_tt) / sizeof(ASN1_TEMPLATE),
370 .funcs = NULL,
371 .size = sizeof(NOTICEREF),
372 .sname = "NOTICEREF",
373};
374
375
376NOTICEREF *
377d2i_NOTICEREF(NOTICEREF **a, const unsigned char **in, long len)
378{
379 return (NOTICEREF *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
380 &NOTICEREF_it);
381}
382
383int
384i2d_NOTICEREF(NOTICEREF *a, unsigned char **out)
385{
386 return ASN1_item_i2d((ASN1_VALUE *)a, out, &NOTICEREF_it);
387}
388
389NOTICEREF *
390NOTICEREF_new(void)
391{
392 return (NOTICEREF *)ASN1_item_new(&NOTICEREF_it);
393}
394
395void
396NOTICEREF_free(NOTICEREF *a)
397{
398 ASN1_item_free((ASN1_VALUE *)a, &NOTICEREF_it);
399}
400
401static STACK_OF(POLICYINFO) *
402r2i_certpol(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value)
403{
404 STACK_OF(POLICYINFO) *pols = NULL;
405 char *pstr;
406 POLICYINFO *pol;
407 ASN1_OBJECT *pobj;
408 STACK_OF(CONF_VALUE) *vals;
409 CONF_VALUE *cnf;
410 int i, ia5org;
411
412 pols = sk_POLICYINFO_new_null();
413 if (pols == NULL) {
414 X509V3error(ERR_R_MALLOC_FAILURE);
415 return NULL;
416 }
417 vals = X509V3_parse_list(value);
418 if (vals == NULL) {
419 X509V3error(ERR_R_X509V3_LIB);
420 goto err;
421 }
422 ia5org = 0;
423 for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
424 cnf = sk_CONF_VALUE_value(vals, i);
425 if (cnf->value || !cnf->name) {
426 X509V3error(X509V3_R_INVALID_POLICY_IDENTIFIER);
427 X509V3_conf_err(cnf);
428 goto err;
429 }
430 pstr = cnf->name;
431 if (!strcmp(pstr, "ia5org")) {
432 ia5org = 1;
433 continue;
434 } else if (*pstr == '@') {
435 STACK_OF(CONF_VALUE) *polsect;
436 polsect = X509V3_get_section(ctx, pstr + 1);
437 if (!polsect) {
438 X509V3error(X509V3_R_INVALID_SECTION);
439 X509V3_conf_err(cnf);
440 goto err;
441 }
442 pol = policy_section(ctx, polsect, ia5org);
443 X509V3_section_free(ctx, polsect);
444 if (!pol)
445 goto err;
446 } else {
447 if (!(pobj = OBJ_txt2obj(cnf->name, 0))) {
448 X509V3error(X509V3_R_INVALID_OBJECT_IDENTIFIER);
449 X509V3_conf_err(cnf);
450 goto err;
451 }
452 pol = POLICYINFO_new();
453 pol->policyid = pobj;
454 }
455 if (!sk_POLICYINFO_push(pols, pol)){
456 POLICYINFO_free(pol);
457 X509V3error(ERR_R_MALLOC_FAILURE);
458 goto err;
459 }
460 }
461 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
462 return pols;
463
464err:
465 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
466 sk_POLICYINFO_pop_free(pols, POLICYINFO_free);
467 return NULL;
468}
469
470static POLICYINFO *
471policy_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *polstrs, int ia5org)
472{
473 int i;
474 CONF_VALUE *cnf;
475 POLICYINFO *pol;
476 POLICYQUALINFO *nqual = NULL;
477
478 if ((pol = POLICYINFO_new()) == NULL)
479 goto merr;
480 for (i = 0; i < sk_CONF_VALUE_num(polstrs); i++) {
481 cnf = sk_CONF_VALUE_value(polstrs, i);
482 if (strcmp(cnf->name, "policyIdentifier") == 0) {
483 ASN1_OBJECT *pobj;
484
485 if ((pobj = OBJ_txt2obj(cnf->value, 0)) == NULL) {
486 X509V3error(X509V3_R_INVALID_OBJECT_IDENTIFIER);
487 X509V3_conf_err(cnf);
488 goto err;
489 }
490 pol->policyid = pobj;
491 } else if (name_cmp(cnf->name, "CPS") == 0) {
492 if ((nqual = POLICYQUALINFO_new()) == NULL)
493 goto merr;
494 nqual->pqualid = OBJ_nid2obj(NID_id_qt_cps);
495 nqual->d.cpsuri = ASN1_IA5STRING_new();
496 if (nqual->d.cpsuri == NULL)
497 goto merr;
498 if (ASN1_STRING_set(nqual->d.cpsuri, cnf->value,
499 strlen(cnf->value)) == 0)
500 goto merr;
501
502 if (pol->qualifiers == NULL) {
503 pol->qualifiers = sk_POLICYQUALINFO_new_null();
504 if (pol->qualifiers == NULL)
505 goto merr;
506 }
507 if (sk_POLICYQUALINFO_push(pol->qualifiers, nqual) == 0)
508 goto merr;
509 nqual = NULL;
510 } else if (name_cmp(cnf->name, "userNotice") == 0) {
511 STACK_OF(CONF_VALUE) *unot;
512 POLICYQUALINFO *qual;
513
514 if (*cnf->value != '@') {
515 X509V3error(X509V3_R_EXPECTED_A_SECTION_NAME);
516 X509V3_conf_err(cnf);
517 goto err;
518 }
519 unot = X509V3_get_section(ctx, cnf->value + 1);
520 if (unot == NULL) {
521 X509V3error(X509V3_R_INVALID_SECTION);
522 X509V3_conf_err(cnf);
523 goto err;
524 }
525 qual = notice_section(ctx, unot, ia5org);
526 X509V3_section_free(ctx, unot);
527 if (qual == NULL)
528 goto err;
529
530 if (pol->qualifiers == NULL) {
531 pol->qualifiers = sk_POLICYQUALINFO_new_null();
532 if (pol->qualifiers == NULL)
533 goto merr;
534 }
535 if (sk_POLICYQUALINFO_push(pol->qualifiers, qual) == 0)
536 goto merr;
537 } else {
538 X509V3error(X509V3_R_INVALID_OPTION);
539 X509V3_conf_err(cnf);
540 goto err;
541 }
542 }
543 if (pol->policyid == NULL) {
544 X509V3error(X509V3_R_NO_POLICY_IDENTIFIER);
545 goto err;
546 }
547
548 return pol;
549
550merr:
551 X509V3error(ERR_R_MALLOC_FAILURE);
552
553err:
554 POLICYQUALINFO_free(nqual);
555 POLICYINFO_free(pol);
556 return NULL;
557}
558
559static POLICYQUALINFO *
560notice_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *unot, int ia5org)
561{
562 int i, ret;
563 CONF_VALUE *cnf;
564 USERNOTICE *not;
565 POLICYQUALINFO *qual;
566
567 if (!(qual = POLICYQUALINFO_new()))
568 goto merr;
569 qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice);
570 if (!(not = USERNOTICE_new()))
571 goto merr;
572 qual->d.usernotice = not;
573 for (i = 0; i < sk_CONF_VALUE_num(unot); i++) {
574 cnf = sk_CONF_VALUE_value(unot, i);
575 if (!strcmp(cnf->name, "explicitText")) {
576 if (not->exptext == NULL) {
577 not->exptext = ASN1_VISIBLESTRING_new();
578 if (not->exptext == NULL)
579 goto merr;
580 }
581 if (!ASN1_STRING_set(not->exptext, cnf->value,
582 strlen(cnf->value)))
583 goto merr;
584 } else if (!strcmp(cnf->name, "organization")) {
585 NOTICEREF *nref;
586 if (!not->noticeref) {
587 if (!(nref = NOTICEREF_new()))
588 goto merr;
589 not->noticeref = nref;
590 } else
591 nref = not->noticeref;
592 if (ia5org)
593 nref->organization->type = V_ASN1_IA5STRING;
594 else
595 nref->organization->type = V_ASN1_VISIBLESTRING;
596 if (!ASN1_STRING_set(nref->organization, cnf->value,
597 strlen(cnf->value)))
598 goto merr;
599 } else if (!strcmp(cnf->name, "noticeNumbers")) {
600 NOTICEREF *nref;
601 STACK_OF(CONF_VALUE) *nos;
602 if (!not->noticeref) {
603 if (!(nref = NOTICEREF_new()))
604 goto merr;
605 not->noticeref = nref;
606 } else
607 nref = not->noticeref;
608 nos = X509V3_parse_list(cnf->value);
609 if (!nos || !sk_CONF_VALUE_num(nos)) {
610 X509V3error(X509V3_R_INVALID_NUMBERS);
611 X509V3_conf_err(cnf);
612 if (nos != NULL)
613 sk_CONF_VALUE_pop_free(nos,
614 X509V3_conf_free);
615 goto err;
616 }
617 ret = nref_nos(nref->noticenos, nos);
618 sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
619 if (!ret)
620 goto err;
621 } else {
622 X509V3error(X509V3_R_INVALID_OPTION);
623 X509V3_conf_err(cnf);
624 goto err;
625 }
626 }
627
628 if (not->noticeref &&
629 (!not->noticeref->noticenos || !not->noticeref->organization)) {
630 X509V3error(X509V3_R_NEED_ORGANIZATION_AND_NUMBERS);
631 goto err;
632 }
633
634 return qual;
635
636merr:
637 X509V3error(ERR_R_MALLOC_FAILURE);
638
639err:
640 POLICYQUALINFO_free(qual);
641 return NULL;
642}
643
644static int
645nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos)
646{
647 CONF_VALUE *cnf;
648 ASN1_INTEGER *aint;
649 int i;
650
651 for (i = 0; i < sk_CONF_VALUE_num(nos); i++) {
652 cnf = sk_CONF_VALUE_value(nos, i);
653 if (!(aint = s2i_ASN1_INTEGER(NULL, cnf->name))) {
654 X509V3error(X509V3_R_INVALID_NUMBER);
655 goto err;
656 }
657 if (!sk_ASN1_INTEGER_push(nnums, aint))
658 goto merr;
659 }
660 return 1;
661
662merr:
663 X509V3error(ERR_R_MALLOC_FAILURE);
664
665err:
666 sk_ASN1_INTEGER_pop_free(nnums, ASN1_STRING_free);
667 return 0;
668}
669
670static int
671i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol, BIO *out,
672 int indent)
673{
674 int i;
675 POLICYINFO *pinfo;
676
677 /* First print out the policy OIDs */
678 for (i = 0; i < sk_POLICYINFO_num(pol); i++) {
679 pinfo = sk_POLICYINFO_value(pol, i);
680 BIO_printf(out, "%*sPolicy: ", indent, "");
681 i2a_ASN1_OBJECT(out, pinfo->policyid);
682 BIO_puts(out, "\n");
683 if (pinfo->qualifiers)
684 print_qualifiers(out, pinfo->qualifiers, indent + 2);
685 }
686 return 1;
687}
688
689static void
690print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals, int indent)
691{
692 POLICYQUALINFO *qualinfo;
693 int i;
694
695 for (i = 0; i < sk_POLICYQUALINFO_num(quals); i++) {
696 qualinfo = sk_POLICYQUALINFO_value(quals, i);
697 switch (OBJ_obj2nid(qualinfo->pqualid)) {
698 case NID_id_qt_cps:
699 BIO_printf(out, "%*sCPS: %s\n", indent, "",
700 qualinfo->d.cpsuri->data);
701 break;
702
703 case NID_id_qt_unotice:
704 BIO_printf(out, "%*sUser Notice:\n", indent, "");
705 print_notice(out, qualinfo->d.usernotice, indent + 2);
706 break;
707
708 default:
709 BIO_printf(out, "%*sUnknown Qualifier: ",
710 indent + 2, "");
711
712 i2a_ASN1_OBJECT(out, qualinfo->pqualid);
713 BIO_puts(out, "\n");
714 break;
715 }
716 }
717}
718
719static void
720print_notice(BIO *out, USERNOTICE *notice, int indent)
721{
722 int i;
723
724 if (notice->noticeref) {
725 NOTICEREF *ref;
726 ref = notice->noticeref;
727 BIO_printf(out, "%*sOrganization: %s\n", indent, "",
728 ref->organization->data);
729 BIO_printf(out, "%*sNumber%s: ", indent, "",
730 sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : "");
731 for (i = 0; i < sk_ASN1_INTEGER_num(ref->noticenos); i++) {
732 ASN1_INTEGER *num;
733 char *tmp;
734 num = sk_ASN1_INTEGER_value(ref->noticenos, i);
735 if (i)
736 BIO_puts(out, ", ");
737 tmp = i2s_ASN1_INTEGER(NULL, num);
738 BIO_puts(out, tmp);
739 free(tmp);
740 }
741 BIO_puts(out, "\n");
742 }
743 if (notice->exptext)
744 BIO_printf(out, "%*sExplicit Text: %s\n", indent, "",
745 notice->exptext->data);
746}
747
748void
749X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
750{
751 const X509_POLICY_DATA *dat = node->data;
752
753 BIO_printf(out, "%*sPolicy: ", indent, "");
754
755 i2a_ASN1_OBJECT(out, dat->valid_policy);
756 BIO_puts(out, "\n");
757 BIO_printf(out, "%*s%s\n", indent + 2, "",
758 node_data_critical(dat) ? "Critical" : "Non Critical");
759 if (dat->qualifier_set)
760 print_qualifiers(out, dat->qualifier_set, indent + 2);
761 else
762 BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
763}
diff --git a/src/lib/libcrypto/x509/x509_crld.c b/src/lib/libcrypto/x509/x509_crld.c
new file mode 100644
index 0000000000..ff60a880fa
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_crld.c
@@ -0,0 +1,809 @@
1/* $OpenBSD: x509_crld.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/conf.h>
65#include <openssl/err.h>
66#include <openssl/x509v3.h>
67
68static void *v2i_crld(const X509V3_EXT_METHOD *method,
69 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
70static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
71 int indent);
72
73const X509V3_EXT_METHOD v3_crld = {
74 .ext_nid = NID_crl_distribution_points,
75 .ext_flags = 0,
76 .it = &CRL_DIST_POINTS_it,
77 .ext_new = NULL,
78 .ext_free = NULL,
79 .d2i = NULL,
80 .i2d = NULL,
81 .i2s = NULL,
82 .s2i = NULL,
83 .i2v = NULL,
84 .v2i = v2i_crld,
85 .i2r = i2r_crldp,
86 .r2i = NULL,
87 .usr_data = NULL,
88};
89
90const X509V3_EXT_METHOD v3_freshest_crl = {
91 .ext_nid = NID_freshest_crl,
92 .ext_flags = 0,
93 .it = &CRL_DIST_POINTS_it,
94 .ext_new = NULL,
95 .ext_free = NULL,
96 .d2i = NULL,
97 .i2d = NULL,
98 .i2s = NULL,
99 .s2i = NULL,
100 .i2v = NULL,
101 .v2i = v2i_crld,
102 .i2r = i2r_crldp,
103 .r2i = NULL,
104 .usr_data = NULL,
105};
106
107static STACK_OF(GENERAL_NAME) *
108gnames_from_sectname(X509V3_CTX *ctx, char *sect)
109{
110 STACK_OF(CONF_VALUE) *gnsect;
111 STACK_OF(GENERAL_NAME) *gens;
112
113 if (*sect == '@')
114 gnsect = X509V3_get_section(ctx, sect + 1);
115 else
116 gnsect = X509V3_parse_list(sect);
117 if (!gnsect) {
118 X509V3error(X509V3_R_SECTION_NOT_FOUND);
119 return NULL;
120 }
121 gens = v2i_GENERAL_NAMES(NULL, ctx, gnsect);
122 if (*sect == '@')
123 X509V3_section_free(ctx, gnsect);
124 else
125 sk_CONF_VALUE_pop_free(gnsect, X509V3_conf_free);
126 return gens;
127}
128
129static int
130set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx, CONF_VALUE *cnf)
131{
132 STACK_OF(GENERAL_NAME) *fnm = NULL;
133 STACK_OF(X509_NAME_ENTRY) *rnm = NULL;
134
135 if (!strncmp(cnf->name, "fullname", 9)) {
136 fnm = gnames_from_sectname(ctx, cnf->value);
137 if (!fnm)
138 goto err;
139 } else if (!strcmp(cnf->name, "relativename")) {
140 int ret;
141 STACK_OF(CONF_VALUE) *dnsect;
142 X509_NAME *nm;
143 nm = X509_NAME_new();
144 if (!nm)
145 return -1;
146 dnsect = X509V3_get_section(ctx, cnf->value);
147 if (!dnsect) {
148 X509V3error(X509V3_R_SECTION_NOT_FOUND);
149 X509_NAME_free(nm);
150 return -1;
151 }
152 ret = X509V3_NAME_from_section(nm, dnsect, MBSTRING_ASC);
153 X509V3_section_free(ctx, dnsect);
154 rnm = nm->entries;
155 nm->entries = NULL;
156 X509_NAME_free(nm);
157 if (!ret || sk_X509_NAME_ENTRY_num(rnm) <= 0)
158 goto err;
159 /* Since its a name fragment can't have more than one
160 * RDNSequence
161 */
162 if (sk_X509_NAME_ENTRY_value(rnm,
163 sk_X509_NAME_ENTRY_num(rnm) - 1)->set) {
164 X509V3error(X509V3_R_INVALID_MULTIPLE_RDNS);
165 goto err;
166 }
167 } else
168 return 0;
169
170 if (*pdp) {
171 X509V3error(X509V3_R_DISTPOINT_ALREADY_SET);
172 goto err;
173 }
174
175 *pdp = DIST_POINT_NAME_new();
176 if (!*pdp)
177 goto err;
178 if (fnm) {
179 (*pdp)->type = 0;
180 (*pdp)->name.fullname = fnm;
181 } else {
182 (*pdp)->type = 1;
183 (*pdp)->name.relativename = rnm;
184 }
185
186 return 1;
187
188err:
189 sk_GENERAL_NAME_pop_free(fnm, GENERAL_NAME_free);
190 sk_X509_NAME_ENTRY_pop_free(rnm, X509_NAME_ENTRY_free);
191 return -1;
192}
193
194static const BIT_STRING_BITNAME reason_flags[] = {
195 {0, "Unused", "unused"},
196 {1, "Key Compromise", "keyCompromise"},
197 {2, "CA Compromise", "CACompromise"},
198 {3, "Affiliation Changed", "affiliationChanged"},
199 {4, "Superseded", "superseded"},
200 {5, "Cessation Of Operation", "cessationOfOperation"},
201 {6, "Certificate Hold", "certificateHold"},
202 {7, "Privilege Withdrawn", "privilegeWithdrawn"},
203 {8, "AA Compromise", "AACompromise"},
204 {-1, NULL, NULL}
205};
206
207static int
208set_reasons(ASN1_BIT_STRING **preas, char *value)
209{
210 STACK_OF(CONF_VALUE) *rsk = NULL;
211 const BIT_STRING_BITNAME *pbn;
212 const char *bnam;
213 int i, ret = 0;
214
215 if (*preas != NULL)
216 return 0;
217 rsk = X509V3_parse_list(value);
218 if (rsk == NULL)
219 return 0;
220 for (i = 0; i < sk_CONF_VALUE_num(rsk); i++) {
221 bnam = sk_CONF_VALUE_value(rsk, i)->name;
222 if (!*preas) {
223 *preas = ASN1_BIT_STRING_new();
224 if (!*preas)
225 goto err;
226 }
227 for (pbn = reason_flags; pbn->lname; pbn++) {
228 if (!strcmp(pbn->sname, bnam)) {
229 if (!ASN1_BIT_STRING_set_bit(*preas,
230 pbn->bitnum, 1))
231 goto err;
232 break;
233 }
234 }
235 if (!pbn->lname)
236 goto err;
237 }
238 ret = 1;
239
240err:
241 sk_CONF_VALUE_pop_free(rsk, X509V3_conf_free);
242 return ret;
243}
244
245static int
246print_reasons(BIO *out, const char *rname, ASN1_BIT_STRING *rflags, int indent)
247{
248 int first = 1;
249 const BIT_STRING_BITNAME *pbn;
250
251 BIO_printf(out, "%*s%s:\n%*s", indent, "", rname, indent + 2, "");
252 for (pbn = reason_flags; pbn->lname; pbn++) {
253 if (ASN1_BIT_STRING_get_bit(rflags, pbn->bitnum)) {
254 if (first)
255 first = 0;
256 else
257 BIO_puts(out, ", ");
258 BIO_puts(out, pbn->lname);
259 }
260 }
261 if (first)
262 BIO_puts(out, "<EMPTY>\n");
263 else
264 BIO_puts(out, "\n");
265 return 1;
266}
267
268static DIST_POINT *
269crldp_from_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
270{
271 int i;
272 CONF_VALUE *cnf;
273 DIST_POINT *point = NULL;
274
275 point = DIST_POINT_new();
276 if (!point)
277 goto err;
278 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
279 int ret;
280 cnf = sk_CONF_VALUE_value(nval, i);
281 ret = set_dist_point_name(&point->distpoint, ctx, cnf);
282 if (ret > 0)
283 continue;
284 if (ret < 0)
285 goto err;
286 if (!strcmp(cnf->name, "reasons")) {
287 if (!set_reasons(&point->reasons, cnf->value))
288 goto err;
289 }
290 else if (!strcmp(cnf->name, "CRLissuer")) {
291 point->CRLissuer =
292 gnames_from_sectname(ctx, cnf->value);
293 if (!point->CRLissuer)
294 goto err;
295 }
296 }
297
298 return point;
299
300err:
301 DIST_POINT_free(point);
302 return NULL;
303}
304
305static void *
306v2i_crld(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
307 STACK_OF(CONF_VALUE) *nval)
308{
309 STACK_OF(DIST_POINT) *crld = NULL;
310 GENERAL_NAMES *gens = NULL;
311 GENERAL_NAME *gen = NULL;
312 CONF_VALUE *cnf;
313 int i;
314
315 if (!(crld = sk_DIST_POINT_new_null()))
316 goto merr;
317 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
318 DIST_POINT *point;
319 cnf = sk_CONF_VALUE_value(nval, i);
320 if (!cnf->value) {
321 STACK_OF(CONF_VALUE) *dpsect;
322 dpsect = X509V3_get_section(ctx, cnf->name);
323 if (!dpsect)
324 goto err;
325 point = crldp_from_section(ctx, dpsect);
326 X509V3_section_free(ctx, dpsect);
327 if (!point)
328 goto err;
329 if (!sk_DIST_POINT_push(crld, point)) {
330 DIST_POINT_free(point);
331 goto merr;
332 }
333 } else {
334 if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
335 goto err;
336 if (!(gens = GENERAL_NAMES_new()))
337 goto merr;
338 if (!sk_GENERAL_NAME_push(gens, gen))
339 goto merr;
340 gen = NULL;
341 if (!(point = DIST_POINT_new()))
342 goto merr;
343 if (!sk_DIST_POINT_push(crld, point)) {
344 DIST_POINT_free(point);
345 goto merr;
346 }
347 if (!(point->distpoint = DIST_POINT_NAME_new()))
348 goto merr;
349 point->distpoint->name.fullname = gens;
350 point->distpoint->type = 0;
351 gens = NULL;
352 }
353 }
354 return crld;
355
356merr:
357 X509V3error(ERR_R_MALLOC_FAILURE);
358err:
359 GENERAL_NAME_free(gen);
360 GENERAL_NAMES_free(gens);
361 sk_DIST_POINT_pop_free(crld, DIST_POINT_free);
362 return NULL;
363}
364
365static int
366dpn_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
367{
368 DIST_POINT_NAME *dpn = (DIST_POINT_NAME *)*pval;
369
370 switch (operation) {
371 case ASN1_OP_NEW_POST:
372 dpn->dpname = NULL;
373 break;
374
375 case ASN1_OP_FREE_POST:
376 if (dpn->dpname)
377 X509_NAME_free(dpn->dpname);
378 break;
379 }
380 return 1;
381}
382
383
384static const ASN1_AUX DIST_POINT_NAME_aux = {
385 .app_data = NULL,
386 .flags = 0,
387 .ref_offset = 0,
388 .ref_lock = 0,
389 .asn1_cb = dpn_cb,
390 .enc_offset = 0,
391};
392static const ASN1_TEMPLATE DIST_POINT_NAME_ch_tt[] = {
393 {
394 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SEQUENCE_OF,
395 .tag = 0,
396 .offset = offsetof(DIST_POINT_NAME, name.fullname),
397 .field_name = "name.fullname",
398 .item = &GENERAL_NAME_it,
399 },
400 {
401 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF,
402 .tag = 1,
403 .offset = offsetof(DIST_POINT_NAME, name.relativename),
404 .field_name = "name.relativename",
405 .item = &X509_NAME_ENTRY_it,
406 },
407};
408
409const ASN1_ITEM DIST_POINT_NAME_it = {
410 .itype = ASN1_ITYPE_CHOICE,
411 .utype = offsetof(DIST_POINT_NAME, type),
412 .templates = DIST_POINT_NAME_ch_tt,
413 .tcount = sizeof(DIST_POINT_NAME_ch_tt) / sizeof(ASN1_TEMPLATE),
414 .funcs = &DIST_POINT_NAME_aux,
415 .size = sizeof(DIST_POINT_NAME),
416 .sname = "DIST_POINT_NAME",
417};
418
419
420
421DIST_POINT_NAME *
422d2i_DIST_POINT_NAME(DIST_POINT_NAME **a, const unsigned char **in, long len)
423{
424 return (DIST_POINT_NAME *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
425 &DIST_POINT_NAME_it);
426}
427
428int
429i2d_DIST_POINT_NAME(DIST_POINT_NAME *a, unsigned char **out)
430{
431 return ASN1_item_i2d((ASN1_VALUE *)a, out, &DIST_POINT_NAME_it);
432}
433
434DIST_POINT_NAME *
435DIST_POINT_NAME_new(void)
436{
437 return (DIST_POINT_NAME *)ASN1_item_new(&DIST_POINT_NAME_it);
438}
439
440void
441DIST_POINT_NAME_free(DIST_POINT_NAME *a)
442{
443 ASN1_item_free((ASN1_VALUE *)a, &DIST_POINT_NAME_it);
444}
445
446static const ASN1_TEMPLATE DIST_POINT_seq_tt[] = {
447 {
448 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
449 .tag = 0,
450 .offset = offsetof(DIST_POINT, distpoint),
451 .field_name = "distpoint",
452 .item = &DIST_POINT_NAME_it,
453 },
454 {
455 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
456 .tag = 1,
457 .offset = offsetof(DIST_POINT, reasons),
458 .field_name = "reasons",
459 .item = &ASN1_BIT_STRING_it,
460 },
461 {
462 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
463 .tag = 2,
464 .offset = offsetof(DIST_POINT, CRLissuer),
465 .field_name = "CRLissuer",
466 .item = &GENERAL_NAME_it,
467 },
468};
469
470const ASN1_ITEM DIST_POINT_it = {
471 .itype = ASN1_ITYPE_SEQUENCE,
472 .utype = V_ASN1_SEQUENCE,
473 .templates = DIST_POINT_seq_tt,
474 .tcount = sizeof(DIST_POINT_seq_tt) / sizeof(ASN1_TEMPLATE),
475 .funcs = NULL,
476 .size = sizeof(DIST_POINT),
477 .sname = "DIST_POINT",
478};
479
480
481DIST_POINT *
482d2i_DIST_POINT(DIST_POINT **a, const unsigned char **in, long len)
483{
484 return (DIST_POINT *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
485 &DIST_POINT_it);
486}
487
488int
489i2d_DIST_POINT(DIST_POINT *a, unsigned char **out)
490{
491 return ASN1_item_i2d((ASN1_VALUE *)a, out, &DIST_POINT_it);
492}
493
494DIST_POINT *
495DIST_POINT_new(void)
496{
497 return (DIST_POINT *)ASN1_item_new(&DIST_POINT_it);
498}
499
500void
501DIST_POINT_free(DIST_POINT *a)
502{
503 ASN1_item_free((ASN1_VALUE *)a, &DIST_POINT_it);
504}
505
506static const ASN1_TEMPLATE CRL_DIST_POINTS_item_tt = {
507 .flags = ASN1_TFLG_SEQUENCE_OF,
508 .tag = 0,
509 .offset = 0,
510 .field_name = "CRLDistributionPoints",
511 .item = &DIST_POINT_it,
512};
513
514const ASN1_ITEM CRL_DIST_POINTS_it = {
515 .itype = ASN1_ITYPE_PRIMITIVE,
516 .utype = -1,
517 .templates = &CRL_DIST_POINTS_item_tt,
518 .tcount = 0,
519 .funcs = NULL,
520 .size = 0,
521 .sname = "CRL_DIST_POINTS",
522};
523
524
525CRL_DIST_POINTS *
526d2i_CRL_DIST_POINTS(CRL_DIST_POINTS **a, const unsigned char **in, long len)
527{
528 return (CRL_DIST_POINTS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
529 &CRL_DIST_POINTS_it);
530}
531
532int
533i2d_CRL_DIST_POINTS(CRL_DIST_POINTS *a, unsigned char **out)
534{
535 return ASN1_item_i2d((ASN1_VALUE *)a, out, &CRL_DIST_POINTS_it);
536}
537
538CRL_DIST_POINTS *
539CRL_DIST_POINTS_new(void)
540{
541 return (CRL_DIST_POINTS *)ASN1_item_new(&CRL_DIST_POINTS_it);
542}
543
544void
545CRL_DIST_POINTS_free(CRL_DIST_POINTS *a)
546{
547 ASN1_item_free((ASN1_VALUE *)a, &CRL_DIST_POINTS_it);
548}
549
550static const ASN1_TEMPLATE ISSUING_DIST_POINT_seq_tt[] = {
551 {
552 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
553 .tag = 0,
554 .offset = offsetof(ISSUING_DIST_POINT, distpoint),
555 .field_name = "distpoint",
556 .item = &DIST_POINT_NAME_it,
557 },
558 {
559 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
560 .tag = 1,
561 .offset = offsetof(ISSUING_DIST_POINT, onlyuser),
562 .field_name = "onlyuser",
563 .item = &ASN1_FBOOLEAN_it,
564 },
565 {
566 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
567 .tag = 2,
568 .offset = offsetof(ISSUING_DIST_POINT, onlyCA),
569 .field_name = "onlyCA",
570 .item = &ASN1_FBOOLEAN_it,
571 },
572 {
573 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
574 .tag = 3,
575 .offset = offsetof(ISSUING_DIST_POINT, onlysomereasons),
576 .field_name = "onlysomereasons",
577 .item = &ASN1_BIT_STRING_it,
578 },
579 {
580 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
581 .tag = 4,
582 .offset = offsetof(ISSUING_DIST_POINT, indirectCRL),
583 .field_name = "indirectCRL",
584 .item = &ASN1_FBOOLEAN_it,
585 },
586 {
587 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
588 .tag = 5,
589 .offset = offsetof(ISSUING_DIST_POINT, onlyattr),
590 .field_name = "onlyattr",
591 .item = &ASN1_FBOOLEAN_it,
592 },
593};
594
595const ASN1_ITEM ISSUING_DIST_POINT_it = {
596 .itype = ASN1_ITYPE_SEQUENCE,
597 .utype = V_ASN1_SEQUENCE,
598 .templates = ISSUING_DIST_POINT_seq_tt,
599 .tcount = sizeof(ISSUING_DIST_POINT_seq_tt) / sizeof(ASN1_TEMPLATE),
600 .funcs = NULL,
601 .size = sizeof(ISSUING_DIST_POINT),
602 .sname = "ISSUING_DIST_POINT",
603};
604
605
606ISSUING_DIST_POINT *
607d2i_ISSUING_DIST_POINT(ISSUING_DIST_POINT **a, const unsigned char **in, long len)
608{
609 return (ISSUING_DIST_POINT *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
610 &ISSUING_DIST_POINT_it);
611}
612
613int
614i2d_ISSUING_DIST_POINT(ISSUING_DIST_POINT *a, unsigned char **out)
615{
616 return ASN1_item_i2d((ASN1_VALUE *)a, out, &ISSUING_DIST_POINT_it);
617}
618
619ISSUING_DIST_POINT *
620ISSUING_DIST_POINT_new(void)
621{
622 return (ISSUING_DIST_POINT *)ASN1_item_new(&ISSUING_DIST_POINT_it);
623}
624
625void
626ISSUING_DIST_POINT_free(ISSUING_DIST_POINT *a)
627{
628 ASN1_item_free((ASN1_VALUE *)a, &ISSUING_DIST_POINT_it);
629}
630
631static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
632 int indent);
633static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
634 STACK_OF(CONF_VALUE) *nval);
635
636const X509V3_EXT_METHOD v3_idp = {
637 NID_issuing_distribution_point, X509V3_EXT_MULTILINE,
638 &ISSUING_DIST_POINT_it,
639 0, 0, 0, 0,
640 0, 0,
641 0,
642 v2i_idp,
643 i2r_idp, 0,
644 NULL
645};
646
647static void *
648v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
649 STACK_OF(CONF_VALUE) *nval)
650{
651 ISSUING_DIST_POINT *idp = NULL;
652 CONF_VALUE *cnf;
653 char *name, *val;
654 int i, ret;
655
656 idp = ISSUING_DIST_POINT_new();
657 if (!idp)
658 goto merr;
659 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
660 cnf = sk_CONF_VALUE_value(nval, i);
661 name = cnf->name;
662 val = cnf->value;
663 ret = set_dist_point_name(&idp->distpoint, ctx, cnf);
664 if (ret > 0)
665 continue;
666 if (ret < 0)
667 goto err;
668 if (!strcmp(name, "onlyuser")) {
669 if (!X509V3_get_value_bool(cnf, &idp->onlyuser))
670 goto err;
671 }
672 else if (!strcmp(name, "onlyCA")) {
673 if (!X509V3_get_value_bool(cnf, &idp->onlyCA))
674 goto err;
675 }
676 else if (!strcmp(name, "onlyAA")) {
677 if (!X509V3_get_value_bool(cnf, &idp->onlyattr))
678 goto err;
679 }
680 else if (!strcmp(name, "indirectCRL")) {
681 if (!X509V3_get_value_bool(cnf, &idp->indirectCRL))
682 goto err;
683 }
684 else if (!strcmp(name, "onlysomereasons")) {
685 if (!set_reasons(&idp->onlysomereasons, val))
686 goto err;
687 } else {
688 X509V3error(X509V3_R_INVALID_NAME);
689 X509V3_conf_err(cnf);
690 goto err;
691 }
692 }
693 return idp;
694
695merr:
696 X509V3error(ERR_R_MALLOC_FAILURE);
697err:
698 ISSUING_DIST_POINT_free(idp);
699 return NULL;
700}
701
702static int
703print_gens(BIO *out, STACK_OF(GENERAL_NAME) *gens, int indent)
704{
705 int i;
706
707 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
708 BIO_printf(out, "%*s", indent + 2, "");
709 GENERAL_NAME_print(out, sk_GENERAL_NAME_value(gens, i));
710 BIO_puts(out, "\n");
711 }
712 return 1;
713}
714
715static int
716print_distpoint(BIO *out, DIST_POINT_NAME *dpn, int indent)
717{
718 if (dpn->type == 0) {
719 BIO_printf(out, "%*sFull Name:\n", indent, "");
720 print_gens(out, dpn->name.fullname, indent);
721 } else {
722 X509_NAME ntmp;
723 ntmp.entries = dpn->name.relativename;
724 BIO_printf(out, "%*sRelative Name:\n%*s",
725 indent, "", indent + 2, "");
726 X509_NAME_print_ex(out, &ntmp, 0, XN_FLAG_ONELINE);
727 BIO_puts(out, "\n");
728 }
729 return 1;
730}
731
732static int
733i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out, int indent)
734{
735 ISSUING_DIST_POINT *idp = pidp;
736
737 if (idp->distpoint)
738 print_distpoint(out, idp->distpoint, indent);
739 if (idp->onlyuser > 0)
740 BIO_printf(out, "%*sOnly User Certificates\n", indent, "");
741 if (idp->onlyCA > 0)
742 BIO_printf(out, "%*sOnly CA Certificates\n", indent, "");
743 if (idp->indirectCRL > 0)
744 BIO_printf(out, "%*sIndirect CRL\n", indent, "");
745 if (idp->onlysomereasons)
746 print_reasons(out, "Only Some Reasons",
747 idp->onlysomereasons, indent);
748 if (idp->onlyattr > 0)
749 BIO_printf(out, "%*sOnly Attribute Certificates\n", indent, "");
750 if (!idp->distpoint && (idp->onlyuser <= 0) && (idp->onlyCA <= 0) &&
751 (idp->indirectCRL <= 0) && !idp->onlysomereasons &&
752 (idp->onlyattr <= 0))
753 BIO_printf(out, "%*s<EMPTY>\n", indent, "");
754
755 return 1;
756}
757
758static int
759i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out, int indent)
760{
761 STACK_OF(DIST_POINT) *crld = pcrldp;
762 DIST_POINT *point;
763 int i;
764
765 for (i = 0; i < sk_DIST_POINT_num(crld); i++) {
766 BIO_puts(out, "\n");
767 point = sk_DIST_POINT_value(crld, i);
768 if (point->distpoint)
769 print_distpoint(out, point->distpoint, indent);
770 if (point->reasons)
771 print_reasons(out, "Reasons", point->reasons,
772 indent);
773 if (point->CRLissuer) {
774 BIO_printf(out, "%*sCRL Issuer:\n", indent, "");
775 print_gens(out, point->CRLissuer, indent);
776 }
777 }
778 return 1;
779}
780
781int
782DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname)
783{
784 int i;
785 STACK_OF(X509_NAME_ENTRY) *frag;
786 X509_NAME_ENTRY *ne;
787
788 if (!dpn || (dpn->type != 1))
789 return 1;
790 frag = dpn->name.relativename;
791 dpn->dpname = X509_NAME_dup(iname);
792 if (!dpn->dpname)
793 return 0;
794 for (i = 0; i < sk_X509_NAME_ENTRY_num(frag); i++) {
795 ne = sk_X509_NAME_ENTRY_value(frag, i);
796 if (!X509_NAME_add_entry(dpn->dpname, ne, -1, i ? 0 : 1)) {
797 X509_NAME_free(dpn->dpname);
798 dpn->dpname = NULL;
799 return 0;
800 }
801 }
802 /* generate cached encoding of name */
803 if (i2d_X509_NAME(dpn->dpname, NULL) < 0) {
804 X509_NAME_free(dpn->dpname);
805 dpn->dpname = NULL;
806 return 0;
807 }
808 return 1;
809}
diff --git a/src/lib/libcrypto/x509/x509_enum.c b/src/lib/libcrypto/x509/x509_enum.c
new file mode 100644
index 0000000000..f18eea535f
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_enum.c
@@ -0,0 +1,107 @@
1/* $OpenBSD: x509_enum.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61#include <openssl/x509v3.h>
62
63static ENUMERATED_NAMES crl_reasons[] = {
64 {CRL_REASON_UNSPECIFIED, "Unspecified", "unspecified"},
65 {CRL_REASON_KEY_COMPROMISE, "Key Compromise", "keyCompromise"},
66 {CRL_REASON_CA_COMPROMISE, "CA Compromise", "CACompromise"},
67 {CRL_REASON_AFFILIATION_CHANGED, "Affiliation Changed", "affiliationChanged"},
68 {CRL_REASON_SUPERSEDED, "Superseded", "superseded"},
69 {CRL_REASON_CESSATION_OF_OPERATION,
70 "Cessation Of Operation", "cessationOfOperation"},
71 {CRL_REASON_CERTIFICATE_HOLD, "Certificate Hold", "certificateHold"},
72 {CRL_REASON_REMOVE_FROM_CRL, "Remove From CRL", "removeFromCRL"},
73 {CRL_REASON_PRIVILEGE_WITHDRAWN, "Privilege Withdrawn", "privilegeWithdrawn"},
74 {CRL_REASON_AA_COMPROMISE, "AA Compromise", "AACompromise"},
75 {-1, NULL, NULL}
76};
77
78const X509V3_EXT_METHOD v3_crl_reason = {
79 .ext_nid = NID_crl_reason,
80 .ext_flags = 0,
81 .it = &ASN1_ENUMERATED_it,
82 .ext_new = NULL,
83 .ext_free = NULL,
84 .d2i = NULL,
85 .i2d = NULL,
86 .i2s = (X509V3_EXT_I2S)i2s_ASN1_ENUMERATED_TABLE,
87 .s2i = NULL,
88 .i2v = NULL,
89 .v2i = NULL,
90 .i2r = NULL,
91 .r2i = NULL,
92 .usr_data = crl_reasons,
93};
94
95char *
96i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *method, const ASN1_ENUMERATED *e)
97{
98 ENUMERATED_NAMES *enam;
99 long strval;
100
101 strval = ASN1_ENUMERATED_get(e);
102 for (enam = method->usr_data; enam->lname; enam++) {
103 if (strval == enam->bitnum)
104 return strdup(enam->lname);
105 }
106 return i2s_ASN1_ENUMERATED(method, e);
107}
diff --git a/src/lib/libcrypto/x509/x509_extku.c b/src/lib/libcrypto/x509/x509_extku.c
new file mode 100644
index 0000000000..09bec675ac
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_extku.c
@@ -0,0 +1,217 @@
1/* $OpenBSD: x509_extku.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60
61#include <openssl/asn1t.h>
62#include <openssl/conf.h>
63#include <openssl/err.h>
64#include <openssl/x509v3.h>
65
66static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
67 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
68static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(
69 const X509V3_EXT_METHOD *method, void *eku, STACK_OF(CONF_VALUE) *extlist);
70
71const X509V3_EXT_METHOD v3_ext_ku = {
72 .ext_nid = NID_ext_key_usage,
73 .ext_flags = 0,
74 .it = &EXTENDED_KEY_USAGE_it,
75 .ext_new = NULL,
76 .ext_free = NULL,
77 .d2i = NULL,
78 .i2d = NULL,
79 .i2s = NULL,
80 .s2i = NULL,
81 .i2v = i2v_EXTENDED_KEY_USAGE,
82 .v2i = v2i_EXTENDED_KEY_USAGE,
83 .i2r = NULL,
84 .r2i = NULL,
85 .usr_data = NULL,
86};
87
88/* NB OCSP acceptable responses also is a SEQUENCE OF OBJECT */
89const X509V3_EXT_METHOD v3_ocsp_accresp = {
90 .ext_nid = NID_id_pkix_OCSP_acceptableResponses,
91 .ext_flags = 0,
92 .it = &EXTENDED_KEY_USAGE_it,
93 .ext_new = NULL,
94 .ext_free = NULL,
95 .d2i = NULL,
96 .i2d = NULL,
97 .i2s = NULL,
98 .s2i = NULL,
99 .i2v = i2v_EXTENDED_KEY_USAGE,
100 .v2i = v2i_EXTENDED_KEY_USAGE,
101 .i2r = NULL,
102 .r2i = NULL,
103 .usr_data = NULL,
104};
105
106static const ASN1_TEMPLATE EXTENDED_KEY_USAGE_item_tt = {
107 .flags = ASN1_TFLG_SEQUENCE_OF,
108 .tag = 0,
109 .offset = 0,
110 .field_name = "EXTENDED_KEY_USAGE",
111 .item = &ASN1_OBJECT_it,
112};
113
114const ASN1_ITEM EXTENDED_KEY_USAGE_it = {
115 .itype = ASN1_ITYPE_PRIMITIVE,
116 .utype = -1,
117 .templates = &EXTENDED_KEY_USAGE_item_tt,
118 .tcount = 0,
119 .funcs = NULL,
120 .size = 0,
121 .sname = "EXTENDED_KEY_USAGE",
122};
123
124
125EXTENDED_KEY_USAGE *
126d2i_EXTENDED_KEY_USAGE(EXTENDED_KEY_USAGE **a, const unsigned char **in, long len)
127{
128 return (EXTENDED_KEY_USAGE *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
129 &EXTENDED_KEY_USAGE_it);
130}
131
132int
133i2d_EXTENDED_KEY_USAGE(EXTENDED_KEY_USAGE *a, unsigned char **out)
134{
135 return ASN1_item_i2d((ASN1_VALUE *)a, out, &EXTENDED_KEY_USAGE_it);
136}
137
138EXTENDED_KEY_USAGE *
139EXTENDED_KEY_USAGE_new(void)
140{
141 return (EXTENDED_KEY_USAGE *)ASN1_item_new(&EXTENDED_KEY_USAGE_it);
142}
143
144void
145EXTENDED_KEY_USAGE_free(EXTENDED_KEY_USAGE *a)
146{
147 ASN1_item_free((ASN1_VALUE *)a, &EXTENDED_KEY_USAGE_it);
148}
149
150static STACK_OF(CONF_VALUE) *
151i2v_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method, void *a,
152 STACK_OF(CONF_VALUE) *extlist)
153{
154 ASN1_OBJECT *obj;
155 EXTENDED_KEY_USAGE *eku = a;
156 STACK_OF(CONF_VALUE) *free_extlist = NULL;
157 char obj_tmp[80];
158 int i;
159
160 if (extlist == NULL) {
161 if ((free_extlist = extlist = sk_CONF_VALUE_new_null()) == NULL)
162 return NULL;
163 }
164
165 for (i = 0; i < sk_ASN1_OBJECT_num(eku); i++) {
166 if ((obj = sk_ASN1_OBJECT_value(eku, i)) == NULL)
167 goto err;
168 if (!i2t_ASN1_OBJECT(obj_tmp, sizeof obj_tmp, obj))
169 goto err;
170 if (!X509V3_add_value(NULL, obj_tmp, &extlist))
171 goto err;
172 }
173
174 return extlist;
175
176 err:
177 sk_CONF_VALUE_pop_free(free_extlist, X509V3_conf_free);
178
179 return NULL;
180}
181
182static void *
183v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
184 STACK_OF(CONF_VALUE) *nval)
185{
186 EXTENDED_KEY_USAGE *extku;
187 char *extval;
188 ASN1_OBJECT *objtmp;
189 CONF_VALUE *val;
190 int i;
191
192 if (!(extku = sk_ASN1_OBJECT_new_null())) {
193 X509V3error(ERR_R_MALLOC_FAILURE);
194 return NULL;
195 }
196
197 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
198 val = sk_CONF_VALUE_value(nval, i);
199 if (val->value)
200 extval = val->value;
201 else
202 extval = val->name;
203 if (!(objtmp = OBJ_txt2obj(extval, 0))) {
204 sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
205 X509V3error(X509V3_R_INVALID_OBJECT_IDENTIFIER);
206 X509V3_conf_err(val);
207 return NULL;
208 }
209 if (sk_ASN1_OBJECT_push(extku, objtmp) == 0) {
210 ASN1_OBJECT_free(objtmp);
211 sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
212 X509V3error(ERR_R_MALLOC_FAILURE);
213 return NULL;
214 }
215 }
216 return extku;
217}
diff --git a/src/lib/libcrypto/x509/x509_genn.c b/src/lib/libcrypto/x509/x509_genn.c
new file mode 100644
index 0000000000..848006acf4
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_genn.c
@@ -0,0 +1,474 @@
1/* $OpenBSD: x509_genn.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include <stdio.h>
61
62#include <openssl/asn1t.h>
63#include <openssl/conf.h>
64#include <openssl/x509v3.h>
65
66static const ASN1_TEMPLATE OTHERNAME_seq_tt[] = {
67 {
68 .flags = 0,
69 .tag = 0,
70 .offset = offsetof(OTHERNAME, type_id),
71 .field_name = "type_id",
72 .item = &ASN1_OBJECT_it,
73 },
74 /* Maybe have a true ANY DEFINED BY later */
75 {
76 .flags = ASN1_TFLG_EXPLICIT,
77 .tag = 0,
78 .offset = offsetof(OTHERNAME, value),
79 .field_name = "value",
80 .item = &ASN1_ANY_it,
81 },
82};
83
84const ASN1_ITEM OTHERNAME_it = {
85 .itype = ASN1_ITYPE_SEQUENCE,
86 .utype = V_ASN1_SEQUENCE,
87 .templates = OTHERNAME_seq_tt,
88 .tcount = sizeof(OTHERNAME_seq_tt) / sizeof(ASN1_TEMPLATE),
89 .funcs = NULL,
90 .size = sizeof(OTHERNAME),
91 .sname = "OTHERNAME",
92};
93
94
95OTHERNAME *
96d2i_OTHERNAME(OTHERNAME **a, const unsigned char **in, long len)
97{
98 return (OTHERNAME *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
99 &OTHERNAME_it);
100}
101
102int
103i2d_OTHERNAME(OTHERNAME *a, unsigned char **out)
104{
105 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OTHERNAME_it);
106}
107
108OTHERNAME *
109OTHERNAME_new(void)
110{
111 return (OTHERNAME *)ASN1_item_new(&OTHERNAME_it);
112}
113
114void
115OTHERNAME_free(OTHERNAME *a)
116{
117 ASN1_item_free((ASN1_VALUE *)a, &OTHERNAME_it);
118}
119
120static const ASN1_TEMPLATE EDIPARTYNAME_seq_tt[] = {
121 {
122 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
123 .tag = 0,
124 .offset = offsetof(EDIPARTYNAME, nameAssigner),
125 .field_name = "nameAssigner",
126 .item = &DIRECTORYSTRING_it,
127 },
128 {
129 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
130 .tag = 1,
131 .offset = offsetof(EDIPARTYNAME, partyName),
132 .field_name = "partyName",
133 .item = &DIRECTORYSTRING_it,
134 },
135};
136
137const ASN1_ITEM EDIPARTYNAME_it = {
138 .itype = ASN1_ITYPE_SEQUENCE,
139 .utype = V_ASN1_SEQUENCE,
140 .templates = EDIPARTYNAME_seq_tt,
141 .tcount = sizeof(EDIPARTYNAME_seq_tt) / sizeof(ASN1_TEMPLATE),
142 .funcs = NULL,
143 .size = sizeof(EDIPARTYNAME),
144 .sname = "EDIPARTYNAME",
145};
146
147
148EDIPARTYNAME *
149d2i_EDIPARTYNAME(EDIPARTYNAME **a, const unsigned char **in, long len)
150{
151 return (EDIPARTYNAME *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
152 &EDIPARTYNAME_it);
153}
154
155int
156i2d_EDIPARTYNAME(EDIPARTYNAME *a, unsigned char **out)
157{
158 return ASN1_item_i2d((ASN1_VALUE *)a, out, &EDIPARTYNAME_it);
159}
160
161EDIPARTYNAME *
162EDIPARTYNAME_new(void)
163{
164 return (EDIPARTYNAME *)ASN1_item_new(&EDIPARTYNAME_it);
165}
166
167void
168EDIPARTYNAME_free(EDIPARTYNAME *a)
169{
170 ASN1_item_free((ASN1_VALUE *)a, &EDIPARTYNAME_it);
171}
172
173static const ASN1_TEMPLATE GENERAL_NAME_ch_tt[] = {
174 {
175 .flags = ASN1_TFLG_IMPLICIT,
176 .tag = GEN_OTHERNAME,
177 .offset = offsetof(GENERAL_NAME, d.otherName),
178 .field_name = "d.otherName",
179 .item = &OTHERNAME_it,
180 },
181 {
182 .flags = ASN1_TFLG_IMPLICIT,
183 .tag = GEN_EMAIL,
184 .offset = offsetof(GENERAL_NAME, d.rfc822Name),
185 .field_name = "d.rfc822Name",
186 .item = &ASN1_IA5STRING_it,
187 },
188 {
189 .flags = ASN1_TFLG_IMPLICIT,
190 .tag = GEN_DNS,
191 .offset = offsetof(GENERAL_NAME, d.dNSName),
192 .field_name = "d.dNSName",
193 .item = &ASN1_IA5STRING_it,
194 },
195 /* Don't decode this */
196 {
197 .flags = ASN1_TFLG_IMPLICIT,
198 .tag = GEN_X400,
199 .offset = offsetof(GENERAL_NAME, d.x400Address),
200 .field_name = "d.x400Address",
201 .item = &ASN1_SEQUENCE_it,
202 },
203 /* X509_NAME is a CHOICE type so use EXPLICIT */
204 {
205 .flags = ASN1_TFLG_EXPLICIT,
206 .tag = GEN_DIRNAME,
207 .offset = offsetof(GENERAL_NAME, d.directoryName),
208 .field_name = "d.directoryName",
209 .item = &X509_NAME_it,
210 },
211 {
212 .flags = ASN1_TFLG_IMPLICIT,
213 .tag = GEN_EDIPARTY,
214 .offset = offsetof(GENERAL_NAME, d.ediPartyName),
215 .field_name = "d.ediPartyName",
216 .item = &EDIPARTYNAME_it,
217 },
218 {
219 .flags = ASN1_TFLG_IMPLICIT,
220 .tag = GEN_URI,
221 .offset = offsetof(GENERAL_NAME, d.uniformResourceIdentifier),
222 .field_name = "d.uniformResourceIdentifier",
223 .item = &ASN1_IA5STRING_it,
224 },
225 {
226 .flags = ASN1_TFLG_IMPLICIT,
227 .tag = GEN_IPADD,
228 .offset = offsetof(GENERAL_NAME, d.iPAddress),
229 .field_name = "d.iPAddress",
230 .item = &ASN1_OCTET_STRING_it,
231 },
232 {
233 .flags = ASN1_TFLG_IMPLICIT,
234 .tag = GEN_RID,
235 .offset = offsetof(GENERAL_NAME, d.registeredID),
236 .field_name = "d.registeredID",
237 .item = &ASN1_OBJECT_it,
238 },
239};
240
241const ASN1_ITEM GENERAL_NAME_it = {
242 .itype = ASN1_ITYPE_CHOICE,
243 .utype = offsetof(GENERAL_NAME, type),
244 .templates = GENERAL_NAME_ch_tt,
245 .tcount = sizeof(GENERAL_NAME_ch_tt) / sizeof(ASN1_TEMPLATE),
246 .funcs = NULL,
247 .size = sizeof(GENERAL_NAME),
248 .sname = "GENERAL_NAME",
249};
250
251
252GENERAL_NAME *
253d2i_GENERAL_NAME(GENERAL_NAME **a, const unsigned char **in, long len)
254{
255 return (GENERAL_NAME *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
256 &GENERAL_NAME_it);
257}
258
259int
260i2d_GENERAL_NAME(GENERAL_NAME *a, unsigned char **out)
261{
262 return ASN1_item_i2d((ASN1_VALUE *)a, out, &GENERAL_NAME_it);
263}
264
265GENERAL_NAME *
266GENERAL_NAME_new(void)
267{
268 return (GENERAL_NAME *)ASN1_item_new(&GENERAL_NAME_it);
269}
270
271void
272GENERAL_NAME_free(GENERAL_NAME *a)
273{
274 ASN1_item_free((ASN1_VALUE *)a, &GENERAL_NAME_it);
275}
276
277static const ASN1_TEMPLATE GENERAL_NAMES_item_tt = {
278 .flags = ASN1_TFLG_SEQUENCE_OF,
279 .tag = 0,
280 .offset = 0,
281 .field_name = "GeneralNames",
282 .item = &GENERAL_NAME_it,
283};
284
285const ASN1_ITEM GENERAL_NAMES_it = {
286 .itype = ASN1_ITYPE_PRIMITIVE,
287 .utype = -1,
288 .templates = &GENERAL_NAMES_item_tt,
289 .tcount = 0,
290 .funcs = NULL,
291 .size = 0,
292 .sname = "GENERAL_NAMES",
293};
294
295
296GENERAL_NAMES *
297d2i_GENERAL_NAMES(GENERAL_NAMES **a, const unsigned char **in, long len)
298{
299 return (GENERAL_NAMES *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
300 &GENERAL_NAMES_it);
301}
302
303int
304i2d_GENERAL_NAMES(GENERAL_NAMES *a, unsigned char **out)
305{
306 return ASN1_item_i2d((ASN1_VALUE *)a, out, &GENERAL_NAMES_it);
307}
308
309GENERAL_NAMES *
310GENERAL_NAMES_new(void)
311{
312 return (GENERAL_NAMES *)ASN1_item_new(&GENERAL_NAMES_it);
313}
314
315void
316GENERAL_NAMES_free(GENERAL_NAMES *a)
317{
318 ASN1_item_free((ASN1_VALUE *)a, &GENERAL_NAMES_it);
319}
320
321GENERAL_NAME *
322GENERAL_NAME_dup(GENERAL_NAME *a)
323{
324 return ASN1_item_dup(&GENERAL_NAME_it, a);
325}
326
327/* Returns 0 if they are equal, != 0 otherwise. */
328int
329GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
330{
331 int result = -1;
332
333 if (!a || !b || a->type != b->type)
334 return -1;
335 switch (a->type) {
336 case GEN_X400:
337 case GEN_EDIPARTY:
338 result = ASN1_TYPE_cmp(a->d.other, b->d.other);
339 break;
340
341 case GEN_OTHERNAME:
342 result = OTHERNAME_cmp(a->d.otherName, b->d.otherName);
343 break;
344
345 case GEN_EMAIL:
346 case GEN_DNS:
347 case GEN_URI:
348 result = ASN1_STRING_cmp(a->d.ia5, b->d.ia5);
349 break;
350
351 case GEN_DIRNAME:
352 result = X509_NAME_cmp(a->d.dirn, b->d.dirn);
353 break;
354
355 case GEN_IPADD:
356 result = ASN1_OCTET_STRING_cmp(a->d.ip, b->d.ip);
357 break;
358
359 case GEN_RID:
360 result = OBJ_cmp(a->d.rid, b->d.rid);
361 break;
362 }
363 return result;
364}
365
366/* Returns 0 if they are equal, != 0 otherwise. */
367int
368OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b)
369{
370 int result = -1;
371
372 if (!a || !b)
373 return -1;
374 /* Check their type first. */
375 if ((result = OBJ_cmp(a->type_id, b->type_id)) != 0)
376 return result;
377 /* Check the value. */
378 result = ASN1_TYPE_cmp(a->value, b->value);
379 return result;
380}
381
382void
383GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value)
384{
385 switch (type) {
386 case GEN_X400:
387 case GEN_EDIPARTY:
388 a->d.other = value;
389 break;
390
391 case GEN_OTHERNAME:
392 a->d.otherName = value;
393 break;
394
395 case GEN_EMAIL:
396 case GEN_DNS:
397 case GEN_URI:
398 a->d.ia5 = value;
399 break;
400
401 case GEN_DIRNAME:
402 a->d.dirn = value;
403 break;
404
405 case GEN_IPADD:
406 a->d.ip = value;
407 break;
408
409 case GEN_RID:
410 a->d.rid = value;
411 break;
412 }
413 a->type = type;
414}
415
416void *
417GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype)
418{
419 if (ptype)
420 *ptype = a->type;
421 switch (a->type) {
422 case GEN_X400:
423 case GEN_EDIPARTY:
424 return a->d.other;
425
426 case GEN_OTHERNAME:
427 return a->d.otherName;
428
429 case GEN_EMAIL:
430 case GEN_DNS:
431 case GEN_URI:
432 return a->d.ia5;
433
434 case GEN_DIRNAME:
435 return a->d.dirn;
436
437 case GEN_IPADD:
438 return a->d.ip;
439
440 case GEN_RID:
441 return a->d.rid;
442
443 default:
444 return NULL;
445 }
446}
447
448int
449GENERAL_NAME_set0_othername(GENERAL_NAME *gen, ASN1_OBJECT *oid,
450 ASN1_TYPE *value)
451{
452 OTHERNAME *oth;
453
454 oth = OTHERNAME_new();
455 if (!oth)
456 return 0;
457 oth->type_id = oid;
458 oth->value = value;
459 GENERAL_NAME_set0_value(gen, GEN_OTHERNAME, oth);
460 return 1;
461}
462
463int
464GENERAL_NAME_get0_otherName(GENERAL_NAME *gen, ASN1_OBJECT **poid,
465 ASN1_TYPE **pvalue)
466{
467 if (gen->type != GEN_OTHERNAME)
468 return 0;
469 if (poid)
470 *poid = gen->d.otherName->type_id;
471 if (pvalue)
472 *pvalue = gen->d.otherName->value;
473 return 1;
474}
diff --git a/src/lib/libcrypto/x509/x509_ia5.c b/src/lib/libcrypto/x509/x509_ia5.c
new file mode 100644
index 0000000000..4113c3d3b3
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_ia5.c
@@ -0,0 +1,238 @@
1/* $OpenBSD: x509_ia5.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/asn1.h>
63#include <openssl/conf.h>
64#include <openssl/err.h>
65#include <openssl/x509v3.h>
66
67static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5);
68static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
69 X509V3_CTX *ctx, char *str);
70
71const X509V3_EXT_METHOD v3_ns_ia5_list[] = {
72 {
73 .ext_nid = NID_netscape_base_url,
74 .ext_flags = 0,
75 .it = &ASN1_IA5STRING_it,
76 .ext_new = NULL,
77 .ext_free = NULL,
78 .d2i = NULL,
79 .i2d = NULL,
80 .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
81 .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
82 .i2v = NULL,
83 .v2i = NULL,
84 .i2r = NULL,
85 .r2i = NULL,
86 .usr_data = NULL,
87 },
88 {
89 .ext_nid = NID_netscape_revocation_url,
90 .ext_flags = 0,
91 .it = &ASN1_IA5STRING_it,
92 .ext_new = NULL,
93 .ext_free = NULL,
94 .d2i = NULL,
95 .i2d = NULL,
96 .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
97 .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
98 .i2v = NULL,
99 .v2i = NULL,
100 .i2r = NULL,
101 .r2i = NULL,
102 .usr_data = NULL,
103 },
104 {
105 .ext_nid = NID_netscape_ca_revocation_url,
106 .ext_flags = 0,
107 .it = &ASN1_IA5STRING_it,
108 .ext_new = NULL,
109 .ext_free = NULL,
110 .d2i = NULL,
111 .i2d = NULL,
112 .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
113 .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
114 .i2v = NULL,
115 .v2i = NULL,
116 .i2r = NULL,
117 .r2i = NULL,
118 .usr_data = NULL,
119 },
120 {
121 .ext_nid = NID_netscape_renewal_url,
122 .ext_flags = 0,
123 .it = &ASN1_IA5STRING_it,
124 .ext_new = NULL,
125 .ext_free = NULL,
126 .d2i = NULL,
127 .i2d = NULL,
128 .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
129 .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
130 .i2v = NULL,
131 .v2i = NULL,
132 .i2r = NULL,
133 .r2i = NULL,
134 .usr_data = NULL,
135 },
136 {
137 .ext_nid = NID_netscape_ca_policy_url,
138 .ext_flags = 0,
139 .it = &ASN1_IA5STRING_it,
140 .ext_new = NULL,
141 .ext_free = NULL,
142 .d2i = NULL,
143 .i2d = NULL,
144 .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
145 .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
146 .i2v = NULL,
147 .v2i = NULL,
148 .i2r = NULL,
149 .r2i = NULL,
150 .usr_data = NULL,
151 },
152 {
153 .ext_nid = NID_netscape_ssl_server_name,
154 .ext_flags = 0,
155 .it = &ASN1_IA5STRING_it,
156 .ext_new = NULL,
157 .ext_free = NULL,
158 .d2i = NULL,
159 .i2d = NULL,
160 .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
161 .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
162 .i2v = NULL,
163 .v2i = NULL,
164 .i2r = NULL,
165 .r2i = NULL,
166 .usr_data = NULL,
167 },
168 {
169 .ext_nid = NID_netscape_comment,
170 .ext_flags = 0,
171 .it = &ASN1_IA5STRING_it,
172 .ext_new = NULL,
173 .ext_free = NULL,
174 .d2i = NULL,
175 .i2d = NULL,
176 .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
177 .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
178 .i2v = NULL,
179 .v2i = NULL,
180 .i2r = NULL,
181 .r2i = NULL,
182 .usr_data = NULL,
183 },
184 {
185 .ext_nid = -1,
186 .ext_flags = 0,
187 .it = NULL,
188 .ext_new = NULL,
189 .ext_free = NULL,
190 .d2i = NULL,
191 .i2d = NULL,
192 .i2s = NULL,
193 .s2i = NULL,
194 .i2v = NULL,
195 .v2i = NULL,
196 .i2r = NULL,
197 .r2i = NULL,
198 .usr_data = NULL,
199 },
200};
201
202static char *
203i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5)
204{
205 char *tmp;
206
207 if (!ia5 || !ia5->length)
208 return NULL;
209 if (!(tmp = malloc(ia5->length + 1))) {
210 X509V3error(ERR_R_MALLOC_FAILURE);
211 return NULL;
212 }
213 memcpy(tmp, ia5->data, ia5->length);
214 tmp[ia5->length] = 0;
215 return tmp;
216}
217
218static ASN1_IA5STRING *
219s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str)
220{
221 ASN1_IA5STRING *ia5;
222 if (!str) {
223 X509V3error(X509V3_R_INVALID_NULL_ARGUMENT);
224 return NULL;
225 }
226 if (!(ia5 = ASN1_IA5STRING_new()))
227 goto err;
228 if (!ASN1_STRING_set((ASN1_STRING *)ia5, (unsigned char*)str,
229 strlen(str))) {
230 ASN1_IA5STRING_free(ia5);
231 goto err;
232 }
233 return ia5;
234
235err:
236 X509V3error(ERR_R_MALLOC_FAILURE);
237 return NULL;
238}
diff --git a/src/lib/libcrypto/x509/x509_info.c b/src/lib/libcrypto/x509/x509_info.c
new file mode 100644
index 0000000000..86ed6fadfa
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_info.c
@@ -0,0 +1,308 @@
1/* $OpenBSD: x509_info.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/conf.h>
65#include <openssl/err.h>
66#include <openssl/x509v3.h>
67
68static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(
69 X509V3_EXT_METHOD *method, AUTHORITY_INFO_ACCESS *ainfo,
70 STACK_OF(CONF_VALUE) *ret);
71static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(
72 X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
73
74const X509V3_EXT_METHOD v3_info = {
75 .ext_nid = NID_info_access,
76 .ext_flags = X509V3_EXT_MULTILINE,
77 .it = &AUTHORITY_INFO_ACCESS_it,
78 .ext_new = NULL,
79 .ext_free = NULL,
80 .d2i = NULL,
81 .i2d = NULL,
82 .i2s = NULL,
83 .s2i = NULL,
84 .i2v = (X509V3_EXT_I2V)i2v_AUTHORITY_INFO_ACCESS,
85 .v2i = (X509V3_EXT_V2I)v2i_AUTHORITY_INFO_ACCESS,
86 .i2r = NULL,
87 .r2i = NULL,
88 .usr_data = NULL,
89};
90
91const X509V3_EXT_METHOD v3_sinfo = {
92 .ext_nid = NID_sinfo_access,
93 .ext_flags = X509V3_EXT_MULTILINE,
94 .it = &AUTHORITY_INFO_ACCESS_it,
95 .ext_new = NULL,
96 .ext_free = NULL,
97 .d2i = NULL,
98 .i2d = NULL,
99 .i2s = NULL,
100 .s2i = NULL,
101 .i2v = (X509V3_EXT_I2V)i2v_AUTHORITY_INFO_ACCESS,
102 .v2i = (X509V3_EXT_V2I)v2i_AUTHORITY_INFO_ACCESS,
103 .i2r = NULL,
104 .r2i = NULL,
105 .usr_data = NULL,
106};
107
108static const ASN1_TEMPLATE ACCESS_DESCRIPTION_seq_tt[] = {
109 {
110 .flags = 0,
111 .tag = 0,
112 .offset = offsetof(ACCESS_DESCRIPTION, method),
113 .field_name = "method",
114 .item = &ASN1_OBJECT_it,
115 },
116 {
117 .flags = 0,
118 .tag = 0,
119 .offset = offsetof(ACCESS_DESCRIPTION, location),
120 .field_name = "location",
121 .item = &GENERAL_NAME_it,
122 },
123};
124
125const ASN1_ITEM ACCESS_DESCRIPTION_it = {
126 .itype = ASN1_ITYPE_SEQUENCE,
127 .utype = V_ASN1_SEQUENCE,
128 .templates = ACCESS_DESCRIPTION_seq_tt,
129 .tcount = sizeof(ACCESS_DESCRIPTION_seq_tt) / sizeof(ASN1_TEMPLATE),
130 .funcs = NULL,
131 .size = sizeof(ACCESS_DESCRIPTION),
132 .sname = "ACCESS_DESCRIPTION",
133};
134
135
136ACCESS_DESCRIPTION *
137d2i_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION **a, const unsigned char **in, long len)
138{
139 return (ACCESS_DESCRIPTION *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
140 &ACCESS_DESCRIPTION_it);
141}
142
143int
144i2d_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION *a, unsigned char **out)
145{
146 return ASN1_item_i2d((ASN1_VALUE *)a, out, &ACCESS_DESCRIPTION_it);
147}
148
149ACCESS_DESCRIPTION *
150ACCESS_DESCRIPTION_new(void)
151{
152 return (ACCESS_DESCRIPTION *)ASN1_item_new(&ACCESS_DESCRIPTION_it);
153}
154
155void
156ACCESS_DESCRIPTION_free(ACCESS_DESCRIPTION *a)
157{
158 ASN1_item_free((ASN1_VALUE *)a, &ACCESS_DESCRIPTION_it);
159}
160
161static const ASN1_TEMPLATE AUTHORITY_INFO_ACCESS_item_tt = {
162 .flags = ASN1_TFLG_SEQUENCE_OF,
163 .tag = 0,
164 .offset = 0,
165 .field_name = "GeneralNames",
166 .item = &ACCESS_DESCRIPTION_it,
167};
168
169const ASN1_ITEM AUTHORITY_INFO_ACCESS_it = {
170 .itype = ASN1_ITYPE_PRIMITIVE,
171 .utype = -1,
172 .templates = &AUTHORITY_INFO_ACCESS_item_tt,
173 .tcount = 0,
174 .funcs = NULL,
175 .size = 0,
176 .sname = "AUTHORITY_INFO_ACCESS",
177};
178
179
180AUTHORITY_INFO_ACCESS *
181d2i_AUTHORITY_INFO_ACCESS(AUTHORITY_INFO_ACCESS **a, const unsigned char **in, long len)
182{
183 return (AUTHORITY_INFO_ACCESS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
184 &AUTHORITY_INFO_ACCESS_it);
185}
186
187int
188i2d_AUTHORITY_INFO_ACCESS(AUTHORITY_INFO_ACCESS *a, unsigned char **out)
189{
190 return ASN1_item_i2d((ASN1_VALUE *)a, out, &AUTHORITY_INFO_ACCESS_it);
191}
192
193AUTHORITY_INFO_ACCESS *
194AUTHORITY_INFO_ACCESS_new(void)
195{
196 return (AUTHORITY_INFO_ACCESS *)ASN1_item_new(&AUTHORITY_INFO_ACCESS_it);
197}
198
199void
200AUTHORITY_INFO_ACCESS_free(AUTHORITY_INFO_ACCESS *a)
201{
202 ASN1_item_free((ASN1_VALUE *)a, &AUTHORITY_INFO_ACCESS_it);
203}
204
205static STACK_OF(CONF_VALUE) *
206i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
207 AUTHORITY_INFO_ACCESS *ainfo, STACK_OF(CONF_VALUE) *ret)
208{
209 ACCESS_DESCRIPTION *desc;
210 CONF_VALUE *vtmp;
211 STACK_OF(CONF_VALUE) *free_ret = NULL;
212 char objtmp[80], *ntmp;
213 int i;
214
215 if (ret == NULL) {
216 if ((free_ret = ret = sk_CONF_VALUE_new_null()) == NULL)
217 return NULL;
218 }
219
220 for (i = 0; i < sk_ACCESS_DESCRIPTION_num(ainfo); i++) {
221 if ((desc = sk_ACCESS_DESCRIPTION_value(ainfo, i)) == NULL)
222 goto err;
223 if ((ret = i2v_GENERAL_NAME(method, desc->location,
224 ret)) == NULL)
225 goto err;
226 if ((vtmp = sk_CONF_VALUE_value(ret, i)) == NULL)
227 goto err;
228 if (!i2t_ASN1_OBJECT(objtmp, sizeof objtmp, desc->method))
229 goto err;
230 if (asprintf(&ntmp, "%s - %s", objtmp, vtmp->name) == -1) {
231 ntmp = NULL;
232 X509V3error(ERR_R_MALLOC_FAILURE);
233 goto err;
234 }
235 free(vtmp->name);
236 vtmp->name = ntmp;
237 }
238
239 return ret;
240
241 err:
242 sk_CONF_VALUE_pop_free(free_ret, X509V3_conf_free);
243
244 return NULL;
245}
246
247static AUTHORITY_INFO_ACCESS *
248v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
249 STACK_OF(CONF_VALUE) *nval)
250{
251 AUTHORITY_INFO_ACCESS *ainfo = NULL;
252 CONF_VALUE *cnf, ctmp;
253 ACCESS_DESCRIPTION *acc;
254 int i, objlen;
255 char *objtmp, *ptmp;
256
257 if (!(ainfo = sk_ACCESS_DESCRIPTION_new_null())) {
258 X509V3error(ERR_R_MALLOC_FAILURE);
259 return NULL;
260 }
261 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
262 cnf = sk_CONF_VALUE_value(nval, i);
263 if ((acc = ACCESS_DESCRIPTION_new()) == NULL) {
264 X509V3error(ERR_R_MALLOC_FAILURE);
265 goto err;
266 }
267 if (sk_ACCESS_DESCRIPTION_push(ainfo, acc) == 0) {
268 ACCESS_DESCRIPTION_free(acc);
269 X509V3error(ERR_R_MALLOC_FAILURE);
270 goto err;
271 }
272 ptmp = strchr(cnf->name, ';');
273 if (!ptmp) {
274 X509V3error(X509V3_R_INVALID_SYNTAX);
275 goto err;
276 }
277 objlen = ptmp - cnf->name;
278 ctmp.name = ptmp + 1;
279 ctmp.value = cnf->value;
280 if (!v2i_GENERAL_NAME_ex(acc->location, method, ctx, &ctmp, 0))
281 goto err;
282 if (!(objtmp = malloc(objlen + 1))) {
283 X509V3error(ERR_R_MALLOC_FAILURE);
284 goto err;
285 }
286 strlcpy(objtmp, cnf->name, objlen + 1);
287 acc->method = OBJ_txt2obj(objtmp, 0);
288 if (!acc->method) {
289 X509V3error(X509V3_R_BAD_OBJECT);
290 ERR_asprintf_error_data("value=%s", objtmp);
291 free(objtmp);
292 goto err;
293 }
294 free(objtmp);
295 }
296 return ainfo;
297
298err:
299 sk_ACCESS_DESCRIPTION_pop_free(ainfo, ACCESS_DESCRIPTION_free);
300 return NULL;
301}
302
303int
304i2a_ACCESS_DESCRIPTION(BIO *bp, const ACCESS_DESCRIPTION* a)
305{
306 i2a_ASN1_OBJECT(bp, a->method);
307 return 2;
308}
diff --git a/src/lib/libcrypto/x509/x509_int.c b/src/lib/libcrypto/x509/x509_int.c
new file mode 100644
index 0000000000..35c8853c13
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_int.c
@@ -0,0 +1,110 @@
1/* $OpenBSD: x509_int.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60
61#include <openssl/x509v3.h>
62
63const X509V3_EXT_METHOD v3_crl_num = {
64 .ext_nid = NID_crl_number,
65 .ext_flags = 0,
66 .it = &ASN1_INTEGER_it,
67 .ext_new = NULL,
68 .ext_free = NULL,
69 .d2i = NULL,
70 .i2d = NULL,
71 .i2s = (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
72 .s2i = NULL,
73 .i2v = NULL,
74 .v2i = NULL,
75 .i2r = NULL,
76 .r2i = NULL,
77 .usr_data = NULL,
78};
79
80const X509V3_EXT_METHOD v3_delta_crl = {
81 .ext_nid = NID_delta_crl,
82 .ext_flags = 0,
83 .it = &ASN1_INTEGER_it,
84 .ext_new = NULL,
85 .ext_free = NULL,
86 .d2i = NULL,
87 .i2d = NULL,
88 .i2s = (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
89 .s2i = NULL,
90 .i2v = NULL,
91 .v2i = NULL,
92 .i2r = NULL,
93 .r2i = NULL,
94 .usr_data = NULL,
95};
96
97static void *
98s2i_asn1_int(X509V3_EXT_METHOD *meth, X509V3_CTX *ctx, char *value)
99{
100 return s2i_ASN1_INTEGER(meth, value);
101}
102
103const X509V3_EXT_METHOD v3_inhibit_anyp = {
104 NID_inhibit_any_policy, 0, &ASN1_INTEGER_it,
105 0, 0, 0, 0,
106 (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
107 (X509V3_EXT_S2I)s2i_asn1_int,
108 0, 0, 0, 0,
109 NULL
110};
diff --git a/src/lib/libcrypto/x509/x509_lib.c b/src/lib/libcrypto/x509/x509_lib.c
new file mode 100644
index 0000000000..3af090fde6
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_lib.c
@@ -0,0 +1,358 @@
1/* $OpenBSD: x509_lib.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58/* X509 v3 extension utilities */
59
60#include <stdio.h>
61
62#include <openssl/conf.h>
63#include <openssl/err.h>
64#include <openssl/x509v3.h>
65
66#include "ext_dat.h"
67
68static STACK_OF(X509V3_EXT_METHOD) *ext_list = NULL;
69
70static int ext_cmp(const X509V3_EXT_METHOD * const *a,
71 const X509V3_EXT_METHOD * const *b);
72static void ext_list_free(X509V3_EXT_METHOD *ext);
73
74int
75X509V3_EXT_add(X509V3_EXT_METHOD *ext)
76{
77 if (!ext_list && !(ext_list = sk_X509V3_EXT_METHOD_new(ext_cmp))) {
78 X509V3error(ERR_R_MALLOC_FAILURE);
79 return 0;
80 }
81 if (!sk_X509V3_EXT_METHOD_push(ext_list, ext)) {
82 X509V3error(ERR_R_MALLOC_FAILURE);
83 return 0;
84 }
85 return 1;
86}
87
88static int
89ext_cmp(const X509V3_EXT_METHOD * const *a, const X509V3_EXT_METHOD * const *b)
90{
91 return ((*a)->ext_nid - (*b)->ext_nid);
92}
93
94static int ext_cmp_BSEARCH_CMP_FN(const void *, const void *);
95static int ext_cmp(const X509V3_EXT_METHOD * const *, const X509V3_EXT_METHOD * const *);
96static const X509V3_EXT_METHOD * *OBJ_bsearch_ext(const X509V3_EXT_METHOD * *key, const X509V3_EXT_METHOD * const *base, int num);
97
98static int
99ext_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_)
100{
101 const X509V3_EXT_METHOD * const *a = a_;
102 const X509V3_EXT_METHOD * const *b = b_;
103 return ext_cmp(a, b);
104}
105
106static const X509V3_EXT_METHOD **
107OBJ_bsearch_ext(const X509V3_EXT_METHOD **key,
108 const X509V3_EXT_METHOD *const *base, int num)
109{
110 return (const X509V3_EXT_METHOD **)OBJ_bsearch_(key, base, num,
111 sizeof(const X509V3_EXT_METHOD *), ext_cmp_BSEARCH_CMP_FN);
112}
113
114const X509V3_EXT_METHOD *
115X509V3_EXT_get_nid(int nid)
116{
117 X509V3_EXT_METHOD tmp;
118 const X509V3_EXT_METHOD *t = &tmp, * const *ret;
119 int idx;
120
121 if (nid < 0)
122 return NULL;
123 tmp.ext_nid = nid;
124 ret = OBJ_bsearch_ext(&t, standard_exts, STANDARD_EXTENSION_COUNT);
125 if (ret)
126 return *ret;
127 if (!ext_list)
128 return NULL;
129 idx = sk_X509V3_EXT_METHOD_find(ext_list, &tmp);
130 if (idx == -1)
131 return NULL;
132 return sk_X509V3_EXT_METHOD_value(ext_list, idx);
133}
134
135const X509V3_EXT_METHOD *
136X509V3_EXT_get(X509_EXTENSION *ext)
137{
138 int nid;
139
140 if ((nid = OBJ_obj2nid(ext->object)) == NID_undef)
141 return NULL;
142 return X509V3_EXT_get_nid(nid);
143}
144
145int
146X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist)
147{
148 for (; extlist->ext_nid!=-1; extlist++)
149 if (!X509V3_EXT_add(extlist))
150 return 0;
151 return 1;
152}
153
154int
155X509V3_EXT_add_alias(int nid_to, int nid_from)
156{
157 const X509V3_EXT_METHOD *ext;
158 X509V3_EXT_METHOD *tmpext;
159
160 if (!(ext = X509V3_EXT_get_nid(nid_from))) {
161 X509V3error(X509V3_R_EXTENSION_NOT_FOUND);
162 return 0;
163 }
164 if (!(tmpext = malloc(sizeof(X509V3_EXT_METHOD)))) {
165 X509V3error(ERR_R_MALLOC_FAILURE);
166 return 0;
167 }
168 *tmpext = *ext;
169 tmpext->ext_nid = nid_to;
170 tmpext->ext_flags |= X509V3_EXT_DYNAMIC;
171 return X509V3_EXT_add(tmpext);
172}
173
174void
175X509V3_EXT_cleanup(void)
176{
177 sk_X509V3_EXT_METHOD_pop_free(ext_list, ext_list_free);
178 ext_list = NULL;
179}
180
181static void
182ext_list_free(X509V3_EXT_METHOD *ext)
183{
184 if (ext->ext_flags & X509V3_EXT_DYNAMIC)
185 free(ext);
186}
187
188/* Legacy function: we don't need to add standard extensions
189 * any more because they are now kept in ext_dat.h.
190 */
191
192int
193X509V3_add_standard_extensions(void)
194{
195 return 1;
196}
197
198/* Return an extension internal structure */
199
200void *
201X509V3_EXT_d2i(X509_EXTENSION *ext)
202{
203 const X509V3_EXT_METHOD *method;
204 const unsigned char *p;
205
206 if (!(method = X509V3_EXT_get(ext)))
207 return NULL;
208 p = ext->value->data;
209 if (method->it)
210 return ASN1_item_d2i(NULL, &p, ext->value->length,
211 method->it);
212 return method->d2i(NULL, &p, ext->value->length);
213}
214
215/* Get critical flag and decoded version of extension from a NID.
216 * The "idx" variable returns the last found extension and can
217 * be used to retrieve multiple extensions of the same NID.
218 * However multiple extensions with the same NID is usually
219 * due to a badly encoded certificate so if idx is NULL we
220 * choke if multiple extensions exist.
221 * The "crit" variable is set to the critical value.
222 * The return value is the decoded extension or NULL on
223 * error. The actual error can have several different causes,
224 * the value of *crit reflects the cause:
225 * >= 0, extension found but not decoded (reflects critical value).
226 * -1 extension not found.
227 * -2 extension occurs more than once.
228 */
229
230void *
231X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx)
232{
233 int lastpos, i;
234 X509_EXTENSION *ex, *found_ex = NULL;
235
236 if (!x) {
237 if (idx)
238 *idx = -1;
239 if (crit)
240 *crit = -1;
241 return NULL;
242 }
243 if (idx)
244 lastpos = *idx + 1;
245 else
246 lastpos = 0;
247 if (lastpos < 0)
248 lastpos = 0;
249 for (i = lastpos; i < sk_X509_EXTENSION_num(x); i++) {
250 ex = sk_X509_EXTENSION_value(x, i);
251 if (OBJ_obj2nid(ex->object) == nid) {
252 if (idx) {
253 *idx = i;
254 found_ex = ex;
255 break;
256 } else if (found_ex) {
257 /* Found more than one */
258 if (crit)
259 *crit = -2;
260 return NULL;
261 }
262 found_ex = ex;
263 }
264 }
265 if (found_ex) {
266 /* Found it */
267 if (crit)
268 *crit = X509_EXTENSION_get_critical(found_ex);
269 return X509V3_EXT_d2i(found_ex);
270 }
271
272 /* Extension not found */
273 if (idx)
274 *idx = -1;
275 if (crit)
276 *crit = -1;
277 return NULL;
278}
279
280/* This function is a general extension append, replace and delete utility.
281 * The precise operation is governed by the 'flags' value. The 'crit' and
282 * 'value' arguments (if relevant) are the extensions internal structure.
283 */
284
285int
286X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
287 int crit, unsigned long flags)
288{
289 int extidx = -1;
290 int errcode;
291 X509_EXTENSION *ext, *extmp;
292 unsigned long ext_op = flags & X509V3_ADD_OP_MASK;
293
294 /* If appending we don't care if it exists, otherwise
295 * look for existing extension.
296 */
297 if (ext_op != X509V3_ADD_APPEND)
298 extidx = X509v3_get_ext_by_NID(*x, nid, -1);
299
300 /* See if extension exists */
301 if (extidx >= 0) {
302 /* If keep existing, nothing to do */
303 if (ext_op == X509V3_ADD_KEEP_EXISTING)
304 return 1;
305 /* If default then its an error */
306 if (ext_op == X509V3_ADD_DEFAULT) {
307 errcode = X509V3_R_EXTENSION_EXISTS;
308 goto err;
309 }
310 /* If delete, just delete it */
311 if (ext_op == X509V3_ADD_DELETE) {
312 if (!sk_X509_EXTENSION_delete(*x, extidx))
313 return -1;
314 return 1;
315 }
316 } else {
317 /* If replace existing or delete, error since
318 * extension must exist
319 */
320 if ((ext_op == X509V3_ADD_REPLACE_EXISTING) ||
321 (ext_op == X509V3_ADD_DELETE)) {
322 errcode = X509V3_R_EXTENSION_NOT_FOUND;
323 goto err;
324 }
325 }
326
327 /* If we get this far then we have to create an extension:
328 * could have some flags for alternative encoding schemes...
329 */
330
331 ext = X509V3_EXT_i2d(nid, crit, value);
332
333 if (!ext) {
334 X509V3error(X509V3_R_ERROR_CREATING_EXTENSION);
335 return 0;
336 }
337
338 /* If extension exists replace it.. */
339 if (extidx >= 0) {
340 extmp = sk_X509_EXTENSION_value(*x, extidx);
341 X509_EXTENSION_free(extmp);
342 if (!sk_X509_EXTENSION_set(*x, extidx, ext))
343 return -1;
344 return 1;
345 }
346
347 if (!*x && !(*x = sk_X509_EXTENSION_new_null()))
348 return -1;
349 if (!sk_X509_EXTENSION_push(*x, ext))
350 return -1;
351
352 return 1;
353
354err:
355 if (!(flags & X509V3_ADD_SILENT))
356 X509V3error(errcode);
357 return 0;
358}
diff --git a/src/lib/libcrypto/x509/x509_ncons.c b/src/lib/libcrypto/x509/x509_ncons.c
new file mode 100644
index 0000000000..86b54513c7
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_ncons.c
@@ -0,0 +1,556 @@
1/* $OpenBSD: x509_ncons.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/asn1t.h>
63#include <openssl/conf.h>
64#include <openssl/err.h>
65#include <openssl/x509v3.h>
66
67static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
68 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
69static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
70 void *a, BIO *bp, int ind);
71static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
72 STACK_OF(GENERAL_SUBTREE) *trees, BIO *bp, int ind, char *name);
73static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip);
74
75static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc);
76static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen);
77static int nc_dn(X509_NAME *sub, X509_NAME *nm);
78static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns);
79static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml);
80static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base);
81
82const X509V3_EXT_METHOD v3_name_constraints = {
83 .ext_nid = NID_name_constraints,
84 .ext_flags = 0,
85 .it = &NAME_CONSTRAINTS_it,
86 .ext_new = NULL,
87 .ext_free = NULL,
88 .d2i = NULL,
89 .i2d = NULL,
90 .i2s = NULL,
91 .s2i = NULL,
92 .i2v = NULL,
93 .v2i = v2i_NAME_CONSTRAINTS,
94 .i2r = i2r_NAME_CONSTRAINTS,
95 .r2i = NULL,
96 .usr_data = NULL,
97};
98
99static const ASN1_TEMPLATE GENERAL_SUBTREE_seq_tt[] = {
100 {
101 .flags = 0,
102 .tag = 0,
103 .offset = offsetof(GENERAL_SUBTREE, base),
104 .field_name = "base",
105 .item = &GENERAL_NAME_it,
106 },
107 {
108 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
109 .tag = 0,
110 .offset = offsetof(GENERAL_SUBTREE, minimum),
111 .field_name = "minimum",
112 .item = &ASN1_INTEGER_it,
113 },
114 {
115 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
116 .tag = 1,
117 .offset = offsetof(GENERAL_SUBTREE, maximum),
118 .field_name = "maximum",
119 .item = &ASN1_INTEGER_it,
120 },
121};
122
123const ASN1_ITEM GENERAL_SUBTREE_it = {
124 .itype = ASN1_ITYPE_SEQUENCE,
125 .utype = V_ASN1_SEQUENCE,
126 .templates = GENERAL_SUBTREE_seq_tt,
127 .tcount = sizeof(GENERAL_SUBTREE_seq_tt) / sizeof(ASN1_TEMPLATE),
128 .funcs = NULL,
129 .size = sizeof(GENERAL_SUBTREE),
130 .sname = "GENERAL_SUBTREE",
131};
132
133static const ASN1_TEMPLATE NAME_CONSTRAINTS_seq_tt[] = {
134 {
135 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
136 .tag = 0,
137 .offset = offsetof(NAME_CONSTRAINTS, permittedSubtrees),
138 .field_name = "permittedSubtrees",
139 .item = &GENERAL_SUBTREE_it,
140 },
141 {
142 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
143 .tag = 1,
144 .offset = offsetof(NAME_CONSTRAINTS, excludedSubtrees),
145 .field_name = "excludedSubtrees",
146 .item = &GENERAL_SUBTREE_it,
147 },
148};
149
150const ASN1_ITEM NAME_CONSTRAINTS_it = {
151 .itype = ASN1_ITYPE_SEQUENCE,
152 .utype = V_ASN1_SEQUENCE,
153 .templates = NAME_CONSTRAINTS_seq_tt,
154 .tcount = sizeof(NAME_CONSTRAINTS_seq_tt) / sizeof(ASN1_TEMPLATE),
155 .funcs = NULL,
156 .size = sizeof(NAME_CONSTRAINTS),
157 .sname = "NAME_CONSTRAINTS",
158};
159
160
161GENERAL_SUBTREE *
162GENERAL_SUBTREE_new(void)
163{
164 return (GENERAL_SUBTREE*)ASN1_item_new(&GENERAL_SUBTREE_it);
165}
166
167void
168GENERAL_SUBTREE_free(GENERAL_SUBTREE *a)
169{
170 ASN1_item_free((ASN1_VALUE *)a, &GENERAL_SUBTREE_it);
171}
172
173NAME_CONSTRAINTS *
174NAME_CONSTRAINTS_new(void)
175{
176 return (NAME_CONSTRAINTS*)ASN1_item_new(&NAME_CONSTRAINTS_it);
177}
178
179void
180NAME_CONSTRAINTS_free(NAME_CONSTRAINTS *a)
181{
182 ASN1_item_free((ASN1_VALUE *)a, &NAME_CONSTRAINTS_it);
183}
184
185static void *
186v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
187 STACK_OF(CONF_VALUE) *nval)
188{
189 int i;
190 CONF_VALUE tval, *val;
191 STACK_OF(GENERAL_SUBTREE) **ptree = NULL;
192 NAME_CONSTRAINTS *ncons = NULL;
193 GENERAL_SUBTREE *sub = NULL;
194
195 ncons = NAME_CONSTRAINTS_new();
196 if (!ncons)
197 goto memerr;
198 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
199 val = sk_CONF_VALUE_value(nval, i);
200 if (!strncmp(val->name, "permitted", 9) && val->name[9]) {
201 ptree = &ncons->permittedSubtrees;
202 tval.name = val->name + 10;
203 } else if (!strncmp(val->name, "excluded", 8) && val->name[8]) {
204 ptree = &ncons->excludedSubtrees;
205 tval.name = val->name + 9;
206 } else {
207 X509V3error(X509V3_R_INVALID_SYNTAX);
208 goto err;
209 }
210 tval.value = val->value;
211 sub = GENERAL_SUBTREE_new();
212 if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1))
213 goto err;
214 if (!*ptree)
215 *ptree = sk_GENERAL_SUBTREE_new_null();
216 if (!*ptree || !sk_GENERAL_SUBTREE_push(*ptree, sub))
217 goto memerr;
218 sub = NULL;
219 }
220
221 return ncons;
222
223memerr:
224 X509V3error(ERR_R_MALLOC_FAILURE);
225err:
226 NAME_CONSTRAINTS_free(ncons);
227 GENERAL_SUBTREE_free(sub);
228 return NULL;
229}
230
231static int
232i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a, BIO *bp, int ind)
233{
234 NAME_CONSTRAINTS *ncons = a;
235
236 do_i2r_name_constraints(method, ncons->permittedSubtrees,
237 bp, ind, "Permitted");
238 do_i2r_name_constraints(method, ncons->excludedSubtrees,
239 bp, ind, "Excluded");
240 return 1;
241}
242
243static int
244do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
245 STACK_OF(GENERAL_SUBTREE) *trees, BIO *bp, int ind, char *name)
246{
247 GENERAL_SUBTREE *tree;
248 int i;
249
250 if (sk_GENERAL_SUBTREE_num(trees) > 0)
251 BIO_printf(bp, "%*s%s:\n", ind, "", name);
252 for (i = 0; i < sk_GENERAL_SUBTREE_num(trees); i++) {
253 tree = sk_GENERAL_SUBTREE_value(trees, i);
254 BIO_printf(bp, "%*s", ind + 2, "");
255 if (tree->base->type == GEN_IPADD)
256 print_nc_ipadd(bp, tree->base->d.ip);
257 else
258 GENERAL_NAME_print(bp, tree->base);
259 BIO_puts(bp, "\n");
260 }
261 return 1;
262}
263
264static int
265print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip)
266{
267 int i, len;
268 unsigned char *p;
269
270 p = ip->data;
271 len = ip->length;
272 BIO_puts(bp, "IP:");
273 if (len == 8) {
274 BIO_printf(bp, "%d.%d.%d.%d/%d.%d.%d.%d",
275 p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7]);
276 } else if (len == 32) {
277 for (i = 0; i < 16; i++) {
278 BIO_printf(bp, "%X", p[0] << 8 | p[1]);
279 p += 2;
280 if (i == 7)
281 BIO_puts(bp, "/");
282 else if (i != 15)
283 BIO_puts(bp, ":");
284 }
285 } else
286 BIO_printf(bp, "IP Address:<invalid>");
287 return 1;
288}
289
290/* Check a certificate conforms to a specified set of constraints.
291 * Return values:
292 * X509_V_OK: All constraints obeyed.
293 * X509_V_ERR_PERMITTED_VIOLATION: Permitted subtree violation.
294 * X509_V_ERR_EXCLUDED_VIOLATION: Excluded subtree violation.
295 * X509_V_ERR_SUBTREE_MINMAX: Min or max values present and matching type.
296 * X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: Unsupported constraint type.
297 * X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: bad unsupported constraint syntax.
298 * X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: bad or unsupported syntax of name
299 */
300
301int
302NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
303{
304 int r, i;
305 X509_NAME *nm;
306
307 nm = X509_get_subject_name(x);
308
309 if (X509_NAME_entry_count(nm) > 0) {
310 GENERAL_NAME gntmp;
311 gntmp.type = GEN_DIRNAME;
312 gntmp.d.directoryName = nm;
313
314 r = nc_match(&gntmp, nc);
315
316 if (r != X509_V_OK)
317 return r;
318
319 gntmp.type = GEN_EMAIL;
320
321 /* Process any email address attributes in subject name */
322
323 for (i = -1;;) {
324 X509_NAME_ENTRY *ne;
325 i = X509_NAME_get_index_by_NID(nm,
326 NID_pkcs9_emailAddress, i);
327 if (i == -1)
328 break;
329 ne = X509_NAME_get_entry(nm, i);
330 gntmp.d.rfc822Name = X509_NAME_ENTRY_get_data(ne);
331 if (gntmp.d.rfc822Name->type != V_ASN1_IA5STRING)
332 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
333
334 r = nc_match(&gntmp, nc);
335
336 if (r != X509_V_OK)
337 return r;
338 }
339
340 }
341
342 for (i = 0; i < sk_GENERAL_NAME_num(x->altname); i++) {
343 GENERAL_NAME *gen = sk_GENERAL_NAME_value(x->altname, i);
344 r = nc_match(gen, nc);
345 if (r != X509_V_OK)
346 return r;
347 }
348
349 return X509_V_OK;
350}
351
352static int
353nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
354{
355 GENERAL_SUBTREE *sub;
356 int i, r, match = 0;
357
358 /* Permitted subtrees: if any subtrees exist of matching the type
359 * at least one subtree must match.
360 */
361
362 for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) {
363 sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
364 if (gen->type != sub->base->type)
365 continue;
366 if (sub->minimum || sub->maximum)
367 return X509_V_ERR_SUBTREE_MINMAX;
368 /* If we already have a match don't bother trying any more */
369 if (match == 2)
370 continue;
371 if (match == 0)
372 match = 1;
373 r = nc_match_single(gen, sub->base);
374 if (r == X509_V_OK)
375 match = 2;
376 else if (r != X509_V_ERR_PERMITTED_VIOLATION)
377 return r;
378 }
379
380 if (match == 1)
381 return X509_V_ERR_PERMITTED_VIOLATION;
382
383 /* Excluded subtrees: must not match any of these */
384
385 for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) {
386 sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);
387 if (gen->type != sub->base->type)
388 continue;
389 if (sub->minimum || sub->maximum)
390 return X509_V_ERR_SUBTREE_MINMAX;
391
392 r = nc_match_single(gen, sub->base);
393 if (r == X509_V_OK)
394 return X509_V_ERR_EXCLUDED_VIOLATION;
395 else if (r != X509_V_ERR_PERMITTED_VIOLATION)
396 return r;
397
398 }
399
400 return X509_V_OK;
401}
402
403static int
404nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base)
405{
406 switch (base->type) {
407 case GEN_DIRNAME:
408 return nc_dn(gen->d.directoryName, base->d.directoryName);
409
410 case GEN_DNS:
411 return nc_dns(gen->d.dNSName, base->d.dNSName);
412
413 case GEN_EMAIL:
414 return nc_email(gen->d.rfc822Name, base->d.rfc822Name);
415
416 case GEN_URI:
417 return nc_uri(gen->d.uniformResourceIdentifier,
418 base->d.uniformResourceIdentifier);
419
420 default:
421 return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
422 }
423}
424
425/* directoryName name constraint matching.
426 * The canonical encoding of X509_NAME makes this comparison easy. It is
427 * matched if the subtree is a subset of the name.
428 */
429
430static int
431nc_dn(X509_NAME *nm, X509_NAME *base)
432{
433 /* Ensure canonical encodings are up to date. */
434 if (nm->modified && i2d_X509_NAME(nm, NULL) < 0)
435 return X509_V_ERR_OUT_OF_MEM;
436 if (base->modified && i2d_X509_NAME(base, NULL) < 0)
437 return X509_V_ERR_OUT_OF_MEM;
438 if (base->canon_enclen > nm->canon_enclen)
439 return X509_V_ERR_PERMITTED_VIOLATION;
440 if (memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen))
441 return X509_V_ERR_PERMITTED_VIOLATION;
442 return X509_V_OK;
443}
444
445static int
446nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
447{
448 char *baseptr = (char *)base->data;
449 char *dnsptr = (char *)dns->data;
450
451 /* Empty matches everything */
452 if (!*baseptr)
453 return X509_V_OK;
454 /* Otherwise can add zero or more components on the left so
455 * compare RHS and if dns is longer and expect '.' as preceding
456 * character.
457 */
458 if (dns->length > base->length) {
459 dnsptr += dns->length - base->length;
460 if (baseptr[0] != '.' && dnsptr[-1] != '.')
461 return X509_V_ERR_PERMITTED_VIOLATION;
462 }
463
464 if (strcasecmp(baseptr, dnsptr))
465 return X509_V_ERR_PERMITTED_VIOLATION;
466
467 return X509_V_OK;
468}
469
470static int
471nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
472{
473 const char *baseptr = (char *)base->data;
474 const char *emlptr = (char *)eml->data;
475 const char *baseat = strchr(baseptr, '@');
476 const char *emlat = strchr(emlptr, '@');
477
478 if (!emlat)
479 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
480 /* Special case: inital '.' is RHS match */
481 if (!baseat && (*baseptr == '.')) {
482 if (eml->length > base->length) {
483 emlptr += eml->length - base->length;
484 if (!strcasecmp(baseptr, emlptr))
485 return X509_V_OK;
486 }
487 return X509_V_ERR_PERMITTED_VIOLATION;
488 }
489
490 /* If we have anything before '@' match local part */
491
492 if (baseat) {
493 if (baseat != baseptr) {
494 if ((baseat - baseptr) != (emlat - emlptr))
495 return X509_V_ERR_PERMITTED_VIOLATION;
496 /* Case sensitive match of local part */
497 if (strncmp(baseptr, emlptr, emlat - emlptr))
498 return X509_V_ERR_PERMITTED_VIOLATION;
499 }
500 /* Position base after '@' */
501 baseptr = baseat + 1;
502 }
503 emlptr = emlat + 1;
504 /* Just have hostname left to match: case insensitive */
505 if (strcasecmp(baseptr, emlptr))
506 return X509_V_ERR_PERMITTED_VIOLATION;
507
508 return X509_V_OK;
509}
510
511static int
512nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
513{
514 const char *baseptr = (char *)base->data;
515 const char *hostptr = (char *)uri->data;
516 const char *p = strchr(hostptr, ':');
517 int hostlen;
518
519 /* Check for foo:// and skip past it */
520 if (!p || (p[1] != '/') || (p[2] != '/'))
521 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
522 hostptr = p + 3;
523
524 /* Determine length of hostname part of URI */
525
526 /* Look for a port indicator as end of hostname first */
527
528 p = strchr(hostptr, ':');
529 /* Otherwise look for trailing slash */
530 if (!p)
531 p = strchr(hostptr, '/');
532
533 if (!p)
534 hostlen = strlen(hostptr);
535 else
536 hostlen = p - hostptr;
537
538 if (hostlen == 0)
539 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
540
541 /* Special case: inital '.' is RHS match */
542 if (*baseptr == '.') {
543 if (hostlen > base->length) {
544 p = hostptr + hostlen - base->length;
545 if (!strncasecmp(p, baseptr, base->length))
546 return X509_V_OK;
547 }
548 return X509_V_ERR_PERMITTED_VIOLATION;
549 }
550
551 if ((base->length != (int)hostlen) ||
552 strncasecmp(hostptr, baseptr, hostlen))
553 return X509_V_ERR_PERMITTED_VIOLATION;
554
555 return X509_V_OK;
556}
diff --git a/src/lib/libcrypto/x509/x509_ocsp.c b/src/lib/libcrypto/x509/x509_ocsp.c
new file mode 100644
index 0000000000..59a2e972ca
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_ocsp.c
@@ -0,0 +1,380 @@
1/* $OpenBSD: x509_ocsp.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/opensslconf.h>
63
64#ifndef OPENSSL_NO_OCSP
65
66#include <openssl/asn1.h>
67#include <openssl/conf.h>
68#include <openssl/err.h>
69#include <openssl/ocsp.h>
70#include <openssl/x509v3.h>
71
72/* OCSP extensions and a couple of CRL entry extensions
73 */
74
75static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *nonce,
76 BIO *out, int indent);
77static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *nonce,
78 BIO *out, int indent);
79static int i2r_object(const X509V3_EXT_METHOD *method, void *obj, BIO *out,
80 int indent);
81
82static void *ocsp_nonce_new(void);
83static int i2d_ocsp_nonce(void *a, unsigned char **pp);
84static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length);
85static void ocsp_nonce_free(void *a);
86static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce,
87 BIO *out, int indent);
88
89static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method,
90 void *nocheck, BIO *out, int indent);
91static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
92 const char *str);
93static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
94 BIO *bp, int ind);
95
96const X509V3_EXT_METHOD v3_ocsp_crlid = {
97 .ext_nid = NID_id_pkix_OCSP_CrlID,
98 .ext_flags = 0,
99 .it = &OCSP_CRLID_it,
100 .ext_new = NULL,
101 .ext_free = NULL,
102 .d2i = NULL,
103 .i2d = NULL,
104 .i2s = NULL,
105 .s2i = NULL,
106 .i2v = NULL,
107 .v2i = NULL,
108 .i2r = i2r_ocsp_crlid,
109 .r2i = NULL,
110 .usr_data = NULL,
111};
112
113const X509V3_EXT_METHOD v3_ocsp_acutoff = {
114 .ext_nid = NID_id_pkix_OCSP_archiveCutoff,
115 .ext_flags = 0,
116 .it = &ASN1_GENERALIZEDTIME_it,
117 .ext_new = NULL,
118 .ext_free = NULL,
119 .d2i = NULL,
120 .i2d = NULL,
121 .i2s = NULL,
122 .s2i = NULL,
123 .i2v = NULL,
124 .v2i = NULL,
125 .i2r = i2r_ocsp_acutoff,
126 .r2i = NULL,
127 .usr_data = NULL,
128};
129
130const X509V3_EXT_METHOD v3_crl_invdate = {
131 .ext_nid = NID_invalidity_date,
132 .ext_flags = 0,
133 .it = &ASN1_GENERALIZEDTIME_it,
134 .ext_new = NULL,
135 .ext_free = NULL,
136 .d2i = NULL,
137 .i2d = NULL,
138 .i2s = NULL,
139 .s2i = NULL,
140 .i2v = NULL,
141 .v2i = NULL,
142 .i2r = i2r_ocsp_acutoff,
143 .r2i = NULL,
144 .usr_data = NULL,
145};
146
147const X509V3_EXT_METHOD v3_crl_hold = {
148 .ext_nid = NID_hold_instruction_code,
149 .ext_flags = 0,
150 .it = &ASN1_OBJECT_it,
151 .ext_new = NULL,
152 .ext_free = NULL,
153 .d2i = NULL,
154 .i2d = NULL,
155 .i2s = NULL,
156 .s2i = NULL,
157 .i2v = NULL,
158 .v2i = NULL,
159 .i2r = i2r_object,
160 .r2i = NULL,
161 .usr_data = NULL,
162};
163
164const X509V3_EXT_METHOD v3_ocsp_nonce = {
165 .ext_nid = NID_id_pkix_OCSP_Nonce,
166 .ext_flags = 0,
167 .it = NULL,
168 .ext_new = ocsp_nonce_new,
169 .ext_free = ocsp_nonce_free,
170 .d2i = d2i_ocsp_nonce,
171 .i2d = i2d_ocsp_nonce,
172 .i2s = NULL,
173 .s2i = NULL,
174 .i2v = NULL,
175 .v2i = NULL,
176 .i2r = i2r_ocsp_nonce,
177 .r2i = NULL,
178 .usr_data = NULL,
179};
180
181const X509V3_EXT_METHOD v3_ocsp_nocheck = {
182 .ext_nid = NID_id_pkix_OCSP_noCheck,
183 .ext_flags = 0,
184 .it = &ASN1_NULL_it,
185 .ext_new = NULL,
186 .ext_free = NULL,
187 .d2i = NULL,
188 .i2d = NULL,
189 .i2s = NULL,
190 .s2i = s2i_ocsp_nocheck,
191 .i2v = NULL,
192 .v2i = NULL,
193 .i2r = i2r_ocsp_nocheck,
194 .r2i = NULL,
195 .usr_data = NULL,
196};
197
198const X509V3_EXT_METHOD v3_ocsp_serviceloc = {
199 .ext_nid = NID_id_pkix_OCSP_serviceLocator,
200 .ext_flags = 0,
201 .it = &OCSP_SERVICELOC_it,
202 .ext_new = NULL,
203 .ext_free = NULL,
204 .d2i = NULL,
205 .i2d = NULL,
206 .i2s = NULL,
207 .s2i = NULL,
208 .i2v = NULL,
209 .v2i = NULL,
210 .i2r = i2r_ocsp_serviceloc,
211 .r2i = NULL,
212 .usr_data = NULL,
213};
214
215static int
216i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
217{
218 OCSP_CRLID *a = in;
219 if (a->crlUrl) {
220 if (BIO_printf(bp, "%*scrlUrl: ", ind, "") <= 0)
221 goto err;
222 if (!ASN1_STRING_print(bp, (ASN1_STRING*)a->crlUrl))
223 goto err;
224 if (BIO_write(bp, "\n", 1) <= 0)
225 goto err;
226 }
227 if (a->crlNum) {
228 if (BIO_printf(bp, "%*scrlNum: ", ind, "") <= 0)
229 goto err;
230 if (i2a_ASN1_INTEGER(bp, a->crlNum) <= 0)
231 goto err;
232 if (BIO_write(bp, "\n", 1) <= 0)
233 goto err;
234 }
235 if (a->crlTime) {
236 if (BIO_printf(bp, "%*scrlTime: ", ind, "") <= 0)
237 goto err;
238 if (!ASN1_GENERALIZEDTIME_print(bp, a->crlTime))
239 goto err;
240 if (BIO_write(bp, "\n", 1) <= 0)
241 goto err;
242 }
243 return 1;
244
245err:
246 return 0;
247}
248
249static int
250i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *cutoff, BIO *bp,
251 int ind)
252{
253 if (BIO_printf(bp, "%*s", ind, "") <= 0)
254 return 0;
255 if (!ASN1_GENERALIZEDTIME_print(bp, cutoff))
256 return 0;
257 return 1;
258}
259
260static int
261i2r_object(const X509V3_EXT_METHOD *method, void *oid, BIO *bp, int ind)
262{
263 if (BIO_printf(bp, "%*s", ind, "") <= 0)
264 return 0;
265 if (i2a_ASN1_OBJECT(bp, oid) <= 0)
266 return 0;
267 return 1;
268}
269
270/* OCSP nonce. This is needs special treatment because it doesn't have
271 * an ASN1 encoding at all: it just contains arbitrary data.
272 */
273
274static void *
275ocsp_nonce_new(void)
276{
277 return ASN1_OCTET_STRING_new();
278}
279
280static int
281i2d_ocsp_nonce(void *a, unsigned char **pp)
282{
283 ASN1_OCTET_STRING *os = a;
284
285 if (pp) {
286 memcpy(*pp, os->data, os->length);
287 *pp += os->length;
288 }
289 return os->length;
290}
291
292static void *
293d2i_ocsp_nonce(void *a, const unsigned char **pp, long length)
294{
295 ASN1_OCTET_STRING *os, **pos;
296
297 pos = a;
298 if (pos == NULL || *pos == NULL) {
299 os = ASN1_OCTET_STRING_new();
300 if (os == NULL)
301 goto err;
302 } else
303 os = *pos;
304 if (ASN1_OCTET_STRING_set(os, *pp, length) == 0)
305 goto err;
306
307 *pp += length;
308
309 if (pos != NULL)
310 *pos = os;
311 return os;
312
313err:
314 if (pos == NULL || *pos != os)
315 ASN1_OCTET_STRING_free(os);
316 OCSPerror(ERR_R_MALLOC_FAILURE);
317 return NULL;
318}
319
320static void
321ocsp_nonce_free(void *a)
322{
323 ASN1_OCTET_STRING_free(a);
324}
325
326static int
327i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce, BIO *out,
328 int indent)
329{
330 if (BIO_printf(out, "%*s", indent, "") <= 0)
331 return 0;
332 if (i2a_ASN1_STRING(out, nonce, V_ASN1_OCTET_STRING) <= 0)
333 return 0;
334 return 1;
335}
336
337/* Nocheck is just a single NULL. Don't print anything and always set it */
338
339static int
340i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, void *nocheck, BIO *out,
341 int indent)
342{
343 return 1;
344}
345
346static void *
347s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
348 const char *str)
349{
350 return ASN1_NULL_new();
351}
352
353static int
354i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
355{
356 int i;
357 OCSP_SERVICELOC *a = in;
358 ACCESS_DESCRIPTION *ad;
359
360 if (BIO_printf(bp, "%*sIssuer: ", ind, "") <= 0)
361 goto err;
362 if (X509_NAME_print_ex(bp, a->issuer, 0, XN_FLAG_ONELINE) <= 0)
363 goto err;
364 for (i = 0; i < sk_ACCESS_DESCRIPTION_num(a->locator); i++) {
365 ad = sk_ACCESS_DESCRIPTION_value(a->locator, i);
366 if (BIO_printf(bp, "\n%*s", (2 * ind), "") <= 0)
367 goto err;
368 if (i2a_ASN1_OBJECT(bp, ad->method) <= 0)
369 goto err;
370 if (BIO_puts(bp, " - ") <= 0)
371 goto err;
372 if (GENERAL_NAME_print(bp, ad->location) <= 0)
373 goto err;
374 }
375 return 1;
376
377err:
378 return 0;
379}
380#endif
diff --git a/src/lib/libcrypto/x509/x509_pci.c b/src/lib/libcrypto/x509/x509_pci.c
new file mode 100644
index 0000000000..8997f0cec8
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_pci.c
@@ -0,0 +1,310 @@
1/* $OpenBSD: x509_pci.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
2/* Contributed to the OpenSSL Project 2004
3 * by Richard Levitte (richard@levitte.org)
4 */
5/* Copyright (c) 2004 Kungliga Tekniska Högskolan
6 * (Royal Institute of Technology, Stockholm, Sweden).
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 *
20 * 3. Neither the name of the Institute nor the names of its contributors
21 * may be used to endorse or promote products derived from this software
22 * without specific prior written permission.
23 *
24 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * SUCH DAMAGE.
35 */
36
37#include <stdio.h>
38#include <string.h>
39
40#include <openssl/conf.h>
41#include <openssl/err.h>
42#include <openssl/x509v3.h>
43
44static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext,
45 BIO *out, int indent);
46static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
47 X509V3_CTX *ctx, char *str);
48
49const X509V3_EXT_METHOD v3_pci = {
50 .ext_nid = NID_proxyCertInfo,
51 .ext_flags = 0,
52 .it = &PROXY_CERT_INFO_EXTENSION_it,
53 .ext_new = NULL,
54 .ext_free = NULL,
55 .d2i = NULL,
56 .i2d = NULL,
57 .i2s = NULL,
58 .s2i = NULL,
59 .i2v = NULL,
60 .v2i = NULL,
61 .i2r = (X509V3_EXT_I2R)i2r_pci,
62 .r2i = (X509V3_EXT_R2I)r2i_pci,
63 .usr_data = NULL,
64};
65
66static int
67i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci, BIO *out,
68 int indent)
69{
70 BIO_printf(out, "%*sPath Length Constraint: ", indent, "");
71 if (pci->pcPathLengthConstraint)
72 i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint);
73 else
74 BIO_printf(out, "infinite");
75 BIO_puts(out, "\n");
76 BIO_printf(out, "%*sPolicy Language: ", indent, "");
77 i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
78 BIO_puts(out, "\n");
79 if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
80 BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
81 pci->proxyPolicy->policy->data);
82 return 1;
83}
84
85static int
86process_pci_value(CONF_VALUE *val, ASN1_OBJECT **language,
87 ASN1_INTEGER **pathlen, ASN1_OCTET_STRING **policy)
88{
89 int free_policy = 0;
90
91 if (strcmp(val->name, "language") == 0) {
92 if (*language) {
93 X509V3error(X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED);
94 X509V3_conf_err(val);
95 return 0;
96 }
97 if (!(*language = OBJ_txt2obj(val->value, 0))) {
98 X509V3error(X509V3_R_INVALID_OBJECT_IDENTIFIER);
99 X509V3_conf_err(val);
100 return 0;
101 }
102 }
103 else if (strcmp(val->name, "pathlen") == 0) {
104 if (*pathlen) {
105 X509V3error(X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED);
106 X509V3_conf_err(val);
107 return 0;
108 }
109 if (!X509V3_get_value_int(val, pathlen)) {
110 X509V3error(X509V3_R_POLICY_PATH_LENGTH);
111 X509V3_conf_err(val);
112 return 0;
113 }
114 }
115 else if (strcmp(val->name, "policy") == 0) {
116 unsigned char *tmp_data = NULL;
117 long val_len;
118 if (!*policy) {
119 *policy = ASN1_OCTET_STRING_new();
120 if (!*policy) {
121 X509V3error(ERR_R_MALLOC_FAILURE);
122 X509V3_conf_err(val);
123 return 0;
124 }
125 free_policy = 1;
126 }
127 if (strncmp(val->value, "hex:", 4) == 0) {
128 unsigned char *tmp_data2 =
129 string_to_hex(val->value + 4, &val_len);
130
131 if (!tmp_data2) {
132 X509V3error(X509V3_R_ILLEGAL_HEX_DIGIT);
133 X509V3_conf_err(val);
134 goto err;
135 }
136
137 tmp_data = realloc((*policy)->data,
138 (*policy)->length + val_len + 1);
139 if (tmp_data) {
140 (*policy)->data = tmp_data;
141 memcpy(&(*policy)->data[(*policy)->length],
142 tmp_data2, val_len);
143 (*policy)->length += val_len;
144 (*policy)->data[(*policy)->length] = '\0';
145 } else {
146 free(tmp_data2);
147 free((*policy)->data);
148 (*policy)->data = NULL;
149 (*policy)->length = 0;
150 X509V3error(ERR_R_MALLOC_FAILURE);
151 X509V3_conf_err(val);
152 goto err;
153 }
154 free(tmp_data2);
155 }
156 else if (strncmp(val->value, "file:", 5) == 0) {
157 unsigned char buf[2048];
158 int n;
159 BIO *b = BIO_new_file(val->value + 5, "r");
160 if (!b) {
161 X509V3error(ERR_R_BIO_LIB);
162 X509V3_conf_err(val);
163 goto err;
164 }
165 while ((n = BIO_read(b, buf, sizeof(buf))) > 0 ||
166 (n == 0 && BIO_should_retry(b))) {
167 if (!n)
168 continue;
169
170 tmp_data = realloc((*policy)->data,
171 (*policy)->length + n + 1);
172
173 if (!tmp_data)
174 break;
175
176 (*policy)->data = tmp_data;
177 memcpy(&(*policy)->data[(*policy)->length],
178 buf, n);
179 (*policy)->length += n;
180 (*policy)->data[(*policy)->length] = '\0';
181 }
182 BIO_free_all(b);
183
184 if (n < 0) {
185 X509V3error(ERR_R_BIO_LIB);
186 X509V3_conf_err(val);
187 goto err;
188 }
189 }
190 else if (strncmp(val->value, "text:", 5) == 0) {
191 val_len = strlen(val->value + 5);
192 tmp_data = realloc((*policy)->data,
193 (*policy)->length + val_len + 1);
194 if (tmp_data) {
195 (*policy)->data = tmp_data;
196 memcpy(&(*policy)->data[(*policy)->length],
197 val->value + 5, val_len);
198 (*policy)->length += val_len;
199 (*policy)->data[(*policy)->length] = '\0';
200 } else {
201 free((*policy)->data);
202 (*policy)->data = NULL;
203 (*policy)->length = 0;
204 X509V3error(ERR_R_MALLOC_FAILURE);
205 X509V3_conf_err(val);
206 goto err;
207 }
208 } else {
209 X509V3error(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);
210 X509V3_conf_err(val);
211 goto err;
212 }
213 if (!tmp_data) {
214 X509V3error(ERR_R_MALLOC_FAILURE);
215 X509V3_conf_err(val);
216 goto err;
217 }
218 }
219 return 1;
220
221err:
222 if (free_policy) {
223 ASN1_OCTET_STRING_free(*policy);
224 *policy = NULL;
225 }
226 return 0;
227}
228
229static PROXY_CERT_INFO_EXTENSION *
230r2i_pci(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value)
231{
232 PROXY_CERT_INFO_EXTENSION *pci = NULL;
233 STACK_OF(CONF_VALUE) *vals;
234 ASN1_OBJECT *language = NULL;
235 ASN1_INTEGER *pathlen = NULL;
236 ASN1_OCTET_STRING *policy = NULL;
237 int i, j;
238
239 vals = X509V3_parse_list(value);
240 for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
241 CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);
242 if (!cnf->name || (*cnf->name != '@' && !cnf->value)) {
243 X509V3error(X509V3_R_INVALID_PROXY_POLICY_SETTING);
244 X509V3_conf_err(cnf);
245 goto err;
246 }
247 if (*cnf->name == '@') {
248 STACK_OF(CONF_VALUE) *sect;
249 int success_p = 1;
250
251 sect = X509V3_get_section(ctx, cnf->name + 1);
252 if (!sect) {
253 X509V3error(X509V3_R_INVALID_SECTION);
254 X509V3_conf_err(cnf);
255 goto err;
256 }
257 for (j = 0; success_p &&
258 j < sk_CONF_VALUE_num(sect); j++) {
259 success_p = process_pci_value(
260 sk_CONF_VALUE_value(sect, j),
261 &language, &pathlen, &policy);
262 }
263 X509V3_section_free(ctx, sect);
264 if (!success_p)
265 goto err;
266 } else {
267 if (!process_pci_value(cnf,
268 &language, &pathlen, &policy)) {
269 X509V3_conf_err(cnf);
270 goto err;
271 }
272 }
273 }
274
275 /* Language is mandatory */
276 if (!language) {
277 X509V3error(X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED);
278 goto err;
279 }
280 i = OBJ_obj2nid(language);
281 if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy) {
282 X509V3error(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY);
283 goto err;
284 }
285
286 pci = PROXY_CERT_INFO_EXTENSION_new();
287 if (!pci) {
288 X509V3error(ERR_R_MALLOC_FAILURE);
289 goto err;
290 }
291
292 pci->proxyPolicy->policyLanguage = language;
293 language = NULL;
294 pci->proxyPolicy->policy = policy;
295 policy = NULL;
296 pci->pcPathLengthConstraint = pathlen;
297 pathlen = NULL;
298 goto end;
299
300err:
301 ASN1_OBJECT_free(language);
302 language = NULL;
303 ASN1_INTEGER_free(pathlen);
304 pathlen = NULL;
305 ASN1_OCTET_STRING_free(policy);
306 policy = NULL;
307end:
308 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
309 return pci;
310}
diff --git a/src/lib/libcrypto/x509/x509_pcia.c b/src/lib/libcrypto/x509/x509_pcia.c
new file mode 100644
index 0000000000..b639aa336d
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_pcia.c
@@ -0,0 +1,145 @@
1/* $OpenBSD: x509_pcia.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */
2/* Contributed to the OpenSSL Project 2004
3 * by Richard Levitte (richard@levitte.org)
4 */
5/* Copyright (c) 2004 Kungliga Tekniska Högskolan
6 * (Royal Institute of Technology, Stockholm, Sweden).
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 *
20 * 3. Neither the name of the Institute nor the names of its contributors
21 * may be used to endorse or promote products derived from this software
22 * without specific prior written permission.
23 *
24 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * SUCH DAMAGE.
35 */
36
37#include <openssl/asn1.h>
38#include <openssl/asn1t.h>
39#include <openssl/x509v3.h>
40
41static const ASN1_TEMPLATE PROXY_POLICY_seq_tt[] = {
42 {
43 .flags = 0,
44 .tag = 0,
45 .offset = offsetof(PROXY_POLICY, policyLanguage),
46 .field_name = "policyLanguage",
47 .item = &ASN1_OBJECT_it,
48 },
49 {
50 .flags = ASN1_TFLG_OPTIONAL,
51 .tag = 0,
52 .offset = offsetof(PROXY_POLICY, policy),
53 .field_name = "policy",
54 .item = &ASN1_OCTET_STRING_it,
55 },
56};
57
58const ASN1_ITEM PROXY_POLICY_it = {
59 .itype = ASN1_ITYPE_SEQUENCE,
60 .utype = V_ASN1_SEQUENCE,
61 .templates = PROXY_POLICY_seq_tt,
62 .tcount = sizeof(PROXY_POLICY_seq_tt) / sizeof(ASN1_TEMPLATE),
63 .funcs = NULL,
64 .size = sizeof(PROXY_POLICY),
65 .sname = "PROXY_POLICY",
66};
67
68
69PROXY_POLICY *
70d2i_PROXY_POLICY(PROXY_POLICY **a, const unsigned char **in, long len)
71{
72 return (PROXY_POLICY *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
73 &PROXY_POLICY_it);
74}
75
76int
77i2d_PROXY_POLICY(PROXY_POLICY *a, unsigned char **out)
78{
79 return ASN1_item_i2d((ASN1_VALUE *)a, out, &PROXY_POLICY_it);
80}
81
82PROXY_POLICY *
83PROXY_POLICY_new(void)
84{
85 return (PROXY_POLICY *)ASN1_item_new(&PROXY_POLICY_it);
86}
87
88void
89PROXY_POLICY_free(PROXY_POLICY *a)
90{
91 ASN1_item_free((ASN1_VALUE *)a, &PROXY_POLICY_it);
92}
93
94static const ASN1_TEMPLATE PROXY_CERT_INFO_EXTENSION_seq_tt[] = {
95 {
96 .flags = ASN1_TFLG_OPTIONAL,
97 .tag = 0,
98 .offset = offsetof(PROXY_CERT_INFO_EXTENSION, pcPathLengthConstraint),
99 .field_name = "pcPathLengthConstraint",
100 .item = &ASN1_INTEGER_it,
101 },
102 {
103 .flags = 0,
104 .tag = 0,
105 .offset = offsetof(PROXY_CERT_INFO_EXTENSION, proxyPolicy),
106 .field_name = "proxyPolicy",
107 .item = &PROXY_POLICY_it,
108 },
109};
110
111const ASN1_ITEM PROXY_CERT_INFO_EXTENSION_it = {
112 .itype = ASN1_ITYPE_SEQUENCE,
113 .utype = V_ASN1_SEQUENCE,
114 .templates = PROXY_CERT_INFO_EXTENSION_seq_tt,
115 .tcount = sizeof(PROXY_CERT_INFO_EXTENSION_seq_tt) / sizeof(ASN1_TEMPLATE),
116 .funcs = NULL,
117 .size = sizeof(PROXY_CERT_INFO_EXTENSION),
118 .sname = "PROXY_CERT_INFO_EXTENSION",
119};
120
121
122PROXY_CERT_INFO_EXTENSION *
123d2i_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION **a, const unsigned char **in, long len)
124{
125 return (PROXY_CERT_INFO_EXTENSION *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
126 &PROXY_CERT_INFO_EXTENSION_it);
127}
128
129int
130i2d_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION *a, unsigned char **out)
131{
132 return ASN1_item_i2d((ASN1_VALUE *)a, out, &PROXY_CERT_INFO_EXTENSION_it);
133}
134
135PROXY_CERT_INFO_EXTENSION *
136PROXY_CERT_INFO_EXTENSION_new(void)
137{
138 return (PROXY_CERT_INFO_EXTENSION *)ASN1_item_new(&PROXY_CERT_INFO_EXTENSION_it);
139}
140
141void
142PROXY_CERT_INFO_EXTENSION_free(PROXY_CERT_INFO_EXTENSION *a)
143{
144 ASN1_item_free((ASN1_VALUE *)a, &PROXY_CERT_INFO_EXTENSION_it);
145}
diff --git a/src/lib/libcrypto/x509/x509_pcons.c b/src/lib/libcrypto/x509/x509_pcons.c
new file mode 100644
index 0000000000..69bf43377f
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_pcons.c
@@ -0,0 +1,194 @@
1/* $OpenBSD: x509_pcons.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/conf.h>
65#include <openssl/err.h>
66#include <openssl/x509v3.h>
67
68static STACK_OF(CONF_VALUE) *
69i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *bcons,
70 STACK_OF(CONF_VALUE) *extlist);
71static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method,
72 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
73
74const X509V3_EXT_METHOD v3_policy_constraints = {
75 .ext_nid = NID_policy_constraints,
76 .ext_flags = 0,
77 .it = &POLICY_CONSTRAINTS_it,
78 .ext_new = NULL,
79 .ext_free = NULL,
80 .d2i = NULL,
81 .i2d = NULL,
82 .i2s = NULL,
83 .s2i = NULL,
84 .i2v = i2v_POLICY_CONSTRAINTS,
85 .v2i = v2i_POLICY_CONSTRAINTS,
86 .i2r = NULL,
87 .r2i = NULL,
88 .usr_data = NULL,
89};
90
91static const ASN1_TEMPLATE POLICY_CONSTRAINTS_seq_tt[] = {
92 {
93 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
94 .tag = 0,
95 .offset = offsetof(POLICY_CONSTRAINTS, requireExplicitPolicy),
96 .field_name = "requireExplicitPolicy",
97 .item = &ASN1_INTEGER_it,
98 },
99 {
100 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
101 .tag = 1,
102 .offset = offsetof(POLICY_CONSTRAINTS, inhibitPolicyMapping),
103 .field_name = "inhibitPolicyMapping",
104 .item = &ASN1_INTEGER_it,
105 },
106};
107
108const ASN1_ITEM POLICY_CONSTRAINTS_it = {
109 .itype = ASN1_ITYPE_SEQUENCE,
110 .utype = V_ASN1_SEQUENCE,
111 .templates = POLICY_CONSTRAINTS_seq_tt,
112 .tcount = sizeof(POLICY_CONSTRAINTS_seq_tt) / sizeof(ASN1_TEMPLATE),
113 .funcs = NULL,
114 .size = sizeof(POLICY_CONSTRAINTS),
115 .sname = "POLICY_CONSTRAINTS",
116};
117
118
119POLICY_CONSTRAINTS *
120POLICY_CONSTRAINTS_new(void)
121{
122 return (POLICY_CONSTRAINTS*)ASN1_item_new(&POLICY_CONSTRAINTS_it);
123}
124
125void
126POLICY_CONSTRAINTS_free(POLICY_CONSTRAINTS *a)
127{
128 ASN1_item_free((ASN1_VALUE *)a, &POLICY_CONSTRAINTS_it);
129}
130
131static STACK_OF(CONF_VALUE) *
132i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
133 STACK_OF(CONF_VALUE) *extlist)
134{
135 POLICY_CONSTRAINTS *pcons = a;
136 STACK_OF(CONF_VALUE) *free_extlist = NULL;
137
138 if (extlist == NULL) {
139 if ((free_extlist = extlist = sk_CONF_VALUE_new_null()) == NULL)
140 return NULL;
141 }
142
143 if (!X509V3_add_value_int("Require Explicit Policy",
144 pcons->requireExplicitPolicy, &extlist))
145 goto err;
146 if (!X509V3_add_value_int("Inhibit Policy Mapping",
147 pcons->inhibitPolicyMapping, &extlist))
148 goto err;
149
150 return extlist;
151
152 err:
153 sk_CONF_VALUE_pop_free(free_extlist, X509V3_conf_free);
154
155 return NULL;
156}
157
158static void *
159v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
160 STACK_OF(CONF_VALUE) *values)
161{
162 POLICY_CONSTRAINTS *pcons = NULL;
163 CONF_VALUE *val;
164 int i;
165
166 if (!(pcons = POLICY_CONSTRAINTS_new())) {
167 X509V3error(ERR_R_MALLOC_FAILURE);
168 return NULL;
169 }
170 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
171 val = sk_CONF_VALUE_value(values, i);
172 if (!strcmp(val->name, "requireExplicitPolicy")) {
173 if (!X509V3_get_value_int(val,
174 &pcons->requireExplicitPolicy)) goto err;
175 } else if (!strcmp(val->name, "inhibitPolicyMapping")) {
176 if (!X509V3_get_value_int(val,
177 &pcons->inhibitPolicyMapping)) goto err;
178 } else {
179 X509V3error(X509V3_R_INVALID_NAME);
180 X509V3_conf_err(val);
181 goto err;
182 }
183 }
184 if (!pcons->inhibitPolicyMapping && !pcons->requireExplicitPolicy) {
185 X509V3error(X509V3_R_ILLEGAL_EMPTY_EXTENSION);
186 goto err;
187 }
188
189 return pcons;
190
191err:
192 POLICY_CONSTRAINTS_free(pcons);
193 return NULL;
194}
diff --git a/src/lib/libcrypto/x509/x509_pku.c b/src/lib/libcrypto/x509/x509_pku.c
new file mode 100644
index 0000000000..9b82ad3d5f
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_pku.c
@@ -0,0 +1,154 @@
1/* $OpenBSD: x509_pku.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60
61#include <openssl/asn1.h>
62#include <openssl/asn1t.h>
63#include <openssl/x509v3.h>
64
65static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method,
66 PKEY_USAGE_PERIOD *usage, BIO *out, int indent);
67
68const X509V3_EXT_METHOD v3_pkey_usage_period = {
69 .ext_nid = NID_private_key_usage_period,
70 .ext_flags = 0,
71 .it = &PKEY_USAGE_PERIOD_it,
72 .ext_new = NULL,
73 .ext_free = NULL,
74 .d2i = NULL,
75 .i2d = NULL,
76 .i2s = NULL,
77 .s2i = NULL,
78 .i2v = NULL,
79 .v2i = NULL,
80 .i2r = (X509V3_EXT_I2R)i2r_PKEY_USAGE_PERIOD,
81 .r2i = NULL,
82 .usr_data = NULL,
83};
84
85static const ASN1_TEMPLATE PKEY_USAGE_PERIOD_seq_tt[] = {
86 {
87 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
88 .tag = 0,
89 .offset = offsetof(PKEY_USAGE_PERIOD, notBefore),
90 .field_name = "notBefore",
91 .item = &ASN1_GENERALIZEDTIME_it,
92 },
93 {
94 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
95 .tag = 1,
96 .offset = offsetof(PKEY_USAGE_PERIOD, notAfter),
97 .field_name = "notAfter",
98 .item = &ASN1_GENERALIZEDTIME_it,
99 },
100};
101
102const ASN1_ITEM PKEY_USAGE_PERIOD_it = {
103 .itype = ASN1_ITYPE_SEQUENCE,
104 .utype = V_ASN1_SEQUENCE,
105 .templates = PKEY_USAGE_PERIOD_seq_tt,
106 .tcount = sizeof(PKEY_USAGE_PERIOD_seq_tt) / sizeof(ASN1_TEMPLATE),
107 .funcs = NULL,
108 .size = sizeof(PKEY_USAGE_PERIOD),
109 .sname = "PKEY_USAGE_PERIOD",
110};
111
112
113PKEY_USAGE_PERIOD *
114d2i_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD **a, const unsigned char **in, long len)
115{
116 return (PKEY_USAGE_PERIOD *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
117 &PKEY_USAGE_PERIOD_it);
118}
119
120int
121i2d_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD *a, unsigned char **out)
122{
123 return ASN1_item_i2d((ASN1_VALUE *)a, out, &PKEY_USAGE_PERIOD_it);
124}
125
126PKEY_USAGE_PERIOD *
127PKEY_USAGE_PERIOD_new(void)
128{
129 return (PKEY_USAGE_PERIOD *)ASN1_item_new(&PKEY_USAGE_PERIOD_it);
130}
131
132void
133PKEY_USAGE_PERIOD_free(PKEY_USAGE_PERIOD *a)
134{
135 ASN1_item_free((ASN1_VALUE *)a, &PKEY_USAGE_PERIOD_it);
136}
137
138static int
139i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *usage,
140 BIO *out, int indent)
141{
142 BIO_printf(out, "%*s", indent, "");
143 if (usage->notBefore) {
144 BIO_write(out, "Not Before: ", 12);
145 ASN1_GENERALIZEDTIME_print(out, usage->notBefore);
146 if (usage->notAfter)
147 BIO_write(out, ", ", 2);
148 }
149 if (usage->notAfter) {
150 BIO_write(out, "Not After: ", 11);
151 ASN1_GENERALIZEDTIME_print(out, usage->notAfter);
152 }
153 return 1;
154}
diff --git a/src/lib/libcrypto/x509/x509_pmaps.c b/src/lib/libcrypto/x509/x509_pmaps.c
new file mode 100644
index 0000000000..352f85a025
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_pmaps.c
@@ -0,0 +1,235 @@
1/* $OpenBSD: x509_pmaps.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include <stdio.h>
61
62#include <openssl/asn1t.h>
63#include <openssl/conf.h>
64#include <openssl/err.h>
65#include <openssl/x509v3.h>
66
67static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
68 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
69static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(
70 const X509V3_EXT_METHOD *method, void *pmps, STACK_OF(CONF_VALUE) *extlist);
71
72const X509V3_EXT_METHOD v3_policy_mappings = {
73 .ext_nid = NID_policy_mappings,
74 .ext_flags = 0,
75 .it = &POLICY_MAPPINGS_it,
76 .ext_new = NULL,
77 .ext_free = NULL,
78 .d2i = NULL,
79 .i2d = NULL,
80 .i2s = NULL,
81 .s2i = NULL,
82 .i2v = i2v_POLICY_MAPPINGS,
83 .v2i = v2i_POLICY_MAPPINGS,
84 .i2r = NULL,
85 .r2i = NULL,
86 .usr_data = NULL,
87};
88
89static const ASN1_TEMPLATE POLICY_MAPPING_seq_tt[] = {
90 {
91 .flags = 0,
92 .tag = 0,
93 .offset = offsetof(POLICY_MAPPING, issuerDomainPolicy),
94 .field_name = "issuerDomainPolicy",
95 .item = &ASN1_OBJECT_it,
96 },
97 {
98 .flags = 0,
99 .tag = 0,
100 .offset = offsetof(POLICY_MAPPING, subjectDomainPolicy),
101 .field_name = "subjectDomainPolicy",
102 .item = &ASN1_OBJECT_it,
103 },
104};
105
106const ASN1_ITEM POLICY_MAPPING_it = {
107 .itype = ASN1_ITYPE_SEQUENCE,
108 .utype = V_ASN1_SEQUENCE,
109 .templates = POLICY_MAPPING_seq_tt,
110 .tcount = sizeof(POLICY_MAPPING_seq_tt) / sizeof(ASN1_TEMPLATE),
111 .funcs = NULL,
112 .size = sizeof(POLICY_MAPPING),
113 .sname = "POLICY_MAPPING",
114};
115
116static const ASN1_TEMPLATE POLICY_MAPPINGS_item_tt = {
117 .flags = ASN1_TFLG_SEQUENCE_OF,
118 .tag = 0,
119 .offset = 0,
120 .field_name = "POLICY_MAPPINGS",
121 .item = &POLICY_MAPPING_it,
122};
123
124const ASN1_ITEM POLICY_MAPPINGS_it = {
125 .itype = ASN1_ITYPE_PRIMITIVE,
126 .utype = -1,
127 .templates = &POLICY_MAPPINGS_item_tt,
128 .tcount = 0,
129 .funcs = NULL,
130 .size = 0,
131 .sname = "POLICY_MAPPINGS",
132};
133
134
135POLICY_MAPPING *
136POLICY_MAPPING_new(void)
137{
138 return (POLICY_MAPPING*)ASN1_item_new(&POLICY_MAPPING_it);
139}
140
141void
142POLICY_MAPPING_free(POLICY_MAPPING *a)
143{
144 ASN1_item_free((ASN1_VALUE *)a, &POLICY_MAPPING_it);
145}
146
147static STACK_OF(CONF_VALUE) *
148i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, void *a,
149 STACK_OF(CONF_VALUE) *extlist)
150{
151 STACK_OF(CONF_VALUE) *free_extlist = NULL;
152 POLICY_MAPPINGS *pmaps = a;
153 POLICY_MAPPING *pmap;
154 char issuer[80], subject[80];
155 int i;
156
157 if (extlist == NULL) {
158 if ((free_extlist = extlist = sk_CONF_VALUE_new_null()) == NULL)
159 return NULL;
160 }
161
162 for (i = 0; i < sk_POLICY_MAPPING_num(pmaps); i++) {
163 if ((pmap = sk_POLICY_MAPPING_value(pmaps, i)) == NULL)
164 goto err;
165 if (!i2t_ASN1_OBJECT(issuer, sizeof issuer,
166 pmap->issuerDomainPolicy))
167 goto err;
168 if (!i2t_ASN1_OBJECT(subject, sizeof subject,
169 pmap->subjectDomainPolicy))
170 goto err;
171 if (!X509V3_add_value(issuer, subject, &extlist))
172 goto err;
173 }
174
175 return extlist;
176
177 err:
178 sk_CONF_VALUE_pop_free(free_extlist, X509V3_conf_free);
179
180 return NULL;
181}
182
183static void *
184v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
185 STACK_OF(CONF_VALUE) *nval)
186{
187 POLICY_MAPPINGS *pmaps = NULL;
188 POLICY_MAPPING *pmap = NULL;
189 ASN1_OBJECT *obj1 = NULL, *obj2 = NULL;
190 CONF_VALUE *val;
191 int i, rc;
192
193 if (!(pmaps = sk_POLICY_MAPPING_new_null())) {
194 X509V3error(ERR_R_MALLOC_FAILURE);
195 return NULL;
196 }
197
198 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
199 val = sk_CONF_VALUE_value(nval, i);
200 if (!val->value || !val->name) {
201 rc = X509V3_R_INVALID_OBJECT_IDENTIFIER;
202 goto err;
203 }
204 obj1 = OBJ_txt2obj(val->name, 0);
205 obj2 = OBJ_txt2obj(val->value, 0);
206 if (!obj1 || !obj2) {
207 rc = X509V3_R_INVALID_OBJECT_IDENTIFIER;
208 goto err;
209 }
210 pmap = POLICY_MAPPING_new();
211 if (!pmap) {
212 rc = ERR_R_MALLOC_FAILURE;
213 goto err;
214 }
215 pmap->issuerDomainPolicy = obj1;
216 pmap->subjectDomainPolicy = obj2;
217 obj1 = obj2 = NULL;
218 if (sk_POLICY_MAPPING_push(pmaps, pmap) == 0) {
219 rc = ERR_R_MALLOC_FAILURE;
220 goto err;
221 }
222 pmap = NULL;
223 }
224 return pmaps;
225
226err:
227 sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
228 X509V3error(rc);
229 if (rc == X509V3_R_INVALID_OBJECT_IDENTIFIER)
230 X509V3_conf_err(val);
231 ASN1_OBJECT_free(obj1);
232 ASN1_OBJECT_free(obj2);
233 POLICY_MAPPING_free(pmap);
234 return NULL;
235}
diff --git a/src/lib/libcrypto/x509/x509_prn.c b/src/lib/libcrypto/x509/x509_prn.c
new file mode 100644
index 0000000000..5c15cc390f
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_prn.c
@@ -0,0 +1,225 @@
1/* $OpenBSD: x509_prn.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58/* X509 v3 extension utilities */
59
60#include <stdio.h>
61
62#include <openssl/conf.h>
63#include <openssl/x509v3.h>
64
65/* Extension printing routines */
66
67static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
68 int indent, int supported);
69
70/* Print out a name+value stack */
71
72void
73X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml)
74{
75 int i;
76 CONF_VALUE *nval;
77
78 if (!val)
79 return;
80 if (!ml || !sk_CONF_VALUE_num(val)) {
81 BIO_printf(out, "%*s", indent, "");
82 if (!sk_CONF_VALUE_num(val))
83 BIO_puts(out, "<EMPTY>\n");
84 }
85 for (i = 0; i < sk_CONF_VALUE_num(val); i++) {
86 if (ml)
87 BIO_printf(out, "%*s", indent, "");
88 else if (i > 0) BIO_printf(out, ", ");
89 nval = sk_CONF_VALUE_value(val, i);
90 if (!nval->name)
91 BIO_puts(out, nval->value);
92 else if (!nval->value)
93 BIO_puts(out, nval->name);
94 else
95 BIO_printf(out, "%s:%s", nval->name, nval->value);
96 if (ml)
97 BIO_puts(out, "\n");
98 }
99}
100
101/* Main routine: print out a general extension */
102
103int
104X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent)
105{
106 void *ext_str = NULL;
107 char *value = NULL;
108 const unsigned char *p;
109 const X509V3_EXT_METHOD *method;
110 STACK_OF(CONF_VALUE) *nval = NULL;
111 int ok = 1;
112
113 if (!(method = X509V3_EXT_get(ext)))
114 return unknown_ext_print(out, ext, flag, indent, 0);
115 p = ext->value->data;
116 if (method->it)
117 ext_str = ASN1_item_d2i(NULL, &p, ext->value->length,
118 method->it);
119 else
120 ext_str = method->d2i(NULL, &p, ext->value->length);
121
122 if (!ext_str)
123 return unknown_ext_print(out, ext, flag, indent, 1);
124
125 if (method->i2s) {
126 if (!(value = method->i2s(method, ext_str))) {
127 ok = 0;
128 goto err;
129 }
130 BIO_printf(out, "%*s%s", indent, "", value);
131 } else if (method->i2v) {
132 if (!(nval = method->i2v(method, ext_str, NULL))) {
133 ok = 0;
134 goto err;
135 }
136 X509V3_EXT_val_prn(out, nval, indent,
137 method->ext_flags & X509V3_EXT_MULTILINE);
138 } else if (method->i2r) {
139 if (!method->i2r(method, ext_str, out, indent))
140 ok = 0;
141 } else
142 ok = 0;
143
144err:
145 sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
146 free(value);
147 if (method->it)
148 ASN1_item_free(ext_str, method->it);
149 else
150 method->ext_free(ext_str);
151 return ok;
152}
153
154int
155X509V3_extensions_print(BIO *bp, const char *title,
156 const STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent)
157{
158 int i, j;
159
160 if (sk_X509_EXTENSION_num(exts) <= 0)
161 return 1;
162
163 if (title) {
164 BIO_printf(bp, "%*s%s:\n",indent, "", title);
165 indent += 4;
166 }
167
168 for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
169 ASN1_OBJECT *obj;
170 X509_EXTENSION *ex;
171 ex = sk_X509_EXTENSION_value(exts, i);
172 if (indent && BIO_printf(bp, "%*s",indent, "") <= 0)
173 return 0;
174 obj = X509_EXTENSION_get_object(ex);
175 i2a_ASN1_OBJECT(bp, obj);
176 j = X509_EXTENSION_get_critical(ex);
177 if (BIO_printf(bp, ": %s\n",j?"critical":"") <= 0)
178 return 0;
179 if (!X509V3_EXT_print(bp, ex, flag, indent + 4)) {
180 BIO_printf(bp, "%*s", indent + 4, "");
181 ASN1_STRING_print(bp, ex->value);
182 }
183 if (BIO_write(bp, "\n",1) <= 0)
184 return 0;
185 }
186 return 1;
187}
188
189static int
190unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
191 int indent, int supported)
192{
193 switch (flag & X509V3_EXT_UNKNOWN_MASK) {
194 case X509V3_EXT_DEFAULT:
195 return 0;
196 case X509V3_EXT_ERROR_UNKNOWN:
197 if (supported)
198 BIO_printf(out, "%*s<Parse Error>", indent, "");
199 else
200 BIO_printf(out, "%*s<Not Supported>", indent, "");
201 return 1;
202 case X509V3_EXT_PARSE_UNKNOWN:
203 return ASN1_parse_dump(out,
204 ext->value->data, ext->value->length, indent, -1);
205 case X509V3_EXT_DUMP_UNKNOWN:
206 return BIO_dump_indent(out, (char *)ext->value->data,
207 ext->value->length, indent);
208 default:
209 return 1;
210 }
211}
212
213
214int
215X509V3_EXT_print_fp(FILE *fp, X509_EXTENSION *ext, int flag, int indent)
216{
217 BIO *bio_tmp;
218 int ret;
219
220 if (!(bio_tmp = BIO_new_fp(fp, BIO_NOCLOSE)))
221 return 0;
222 ret = X509V3_EXT_print(bio_tmp, ext, flag, indent);
223 BIO_free(bio_tmp);
224 return ret;
225}
diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c
new file mode 100644
index 0000000000..62b3bcfe3a
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_purp.c
@@ -0,0 +1,893 @@
1/* $OpenBSD: x509_purp.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2001.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/opensslconf.h>
63
64#include <openssl/err.h>
65#include <openssl/x509v3.h>
66#include <openssl/x509_vfy.h>
67
68#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
69#define ku_reject(x, usage) \
70 (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
71#define xku_reject(x, usage) \
72 (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
73#define ns_reject(x, usage) \
74 (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
75
76static void x509v3_cache_extensions(X509 *x);
77
78static int check_ssl_ca(const X509 *x);
79static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
80 int ca);
81static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,
82 int ca);
83static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x,
84 int ca);
85static int purpose_smime(const X509 *x, int ca);
86static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x,
87 int ca);
88static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x,
89 int ca);
90static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x,
91 int ca);
92static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
93 int ca);
94static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca);
95static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca);
96
97static int xp_cmp(const X509_PURPOSE * const *a, const X509_PURPOSE * const *b);
98static void xptable_free(X509_PURPOSE *p);
99
100static X509_PURPOSE xstandard[] = {
101 {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, check_purpose_ssl_client, "SSL client", "sslclient", NULL},
102 {X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ssl_server, "SSL server", "sslserver", NULL},
103 {X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ns_ssl_server, "Netscape SSL server", "nssslserver", NULL},
104 {X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, "S/MIME signing", "smimesign", NULL},
105 {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
106 {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
107 {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL},
108 {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL},
109 {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, 0, check_purpose_timestamp_sign, "Time Stamp signing", "timestampsign", NULL},
110};
111
112#define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE))
113
114static STACK_OF(X509_PURPOSE) *xptable = NULL;
115
116static int
117xp_cmp(const X509_PURPOSE * const *a, const X509_PURPOSE * const *b)
118{
119 return (*a)->purpose - (*b)->purpose;
120}
121
122/* As much as I'd like to make X509_check_purpose use a "const" X509*
123 * I really can't because it does recalculate hashes and do other non-const
124 * things. */
125int
126X509_check_purpose(X509 *x, int id, int ca)
127{
128 int idx;
129 const X509_PURPOSE *pt;
130
131 if (!(x->ex_flags & EXFLAG_SET)) {
132 CRYPTO_w_lock(CRYPTO_LOCK_X509);
133 x509v3_cache_extensions(x);
134 CRYPTO_w_unlock(CRYPTO_LOCK_X509);
135 }
136 if (id == -1)
137 return 1;
138 idx = X509_PURPOSE_get_by_id(id);
139 if (idx == -1)
140 return -1;
141 pt = X509_PURPOSE_get0(idx);
142 return pt->check_purpose(pt, x, ca);
143}
144
145int
146X509_PURPOSE_set(int *p, int purpose)
147{
148 if (X509_PURPOSE_get_by_id(purpose) == -1) {
149 X509V3error(X509V3_R_INVALID_PURPOSE);
150 return 0;
151 }
152 *p = purpose;
153 return 1;
154}
155
156int
157X509_PURPOSE_get_count(void)
158{
159 if (!xptable)
160 return X509_PURPOSE_COUNT;
161 return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT;
162}
163
164X509_PURPOSE *
165X509_PURPOSE_get0(int idx)
166{
167 if (idx < 0)
168 return NULL;
169 if (idx < (int)X509_PURPOSE_COUNT)
170 return xstandard + idx;
171 return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
172}
173
174int
175X509_PURPOSE_get_by_sname(const char *sname)
176{
177 int i;
178 X509_PURPOSE *xptmp;
179
180 for (i = 0; i < X509_PURPOSE_get_count(); i++) {
181 xptmp = X509_PURPOSE_get0(i);
182 if (!strcmp(xptmp->sname, sname))
183 return i;
184 }
185 return -1;
186}
187
188int
189X509_PURPOSE_get_by_id(int purpose)
190{
191 X509_PURPOSE tmp;
192 int idx;
193
194 if ((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))
195 return purpose - X509_PURPOSE_MIN;
196 tmp.purpose = purpose;
197 if (!xptable)
198 return -1;
199 idx = sk_X509_PURPOSE_find(xptable, &tmp);
200 if (idx == -1)
201 return -1;
202 return idx + X509_PURPOSE_COUNT;
203}
204
205int
206X509_PURPOSE_add(int id, int trust, int flags,
207 int (*ck)(const X509_PURPOSE *, const X509 *, int), const char *name,
208 const char *sname, void *arg)
209{
210 int idx;
211 X509_PURPOSE *ptmp;
212 char *name_dup, *sname_dup;
213
214 name_dup = sname_dup = NULL;
215
216 if (name == NULL || sname == NULL) {
217 X509V3error(X509V3_R_INVALID_NULL_ARGUMENT);
218 return 0;
219 }
220
221 /* This is set according to what we change: application can't set it */
222 flags &= ~X509_PURPOSE_DYNAMIC;
223 /* This will always be set for application modified trust entries */
224 flags |= X509_PURPOSE_DYNAMIC_NAME;
225 /* Get existing entry if any */
226 idx = X509_PURPOSE_get_by_id(id);
227 /* Need a new entry */
228 if (idx == -1) {
229 if ((ptmp = malloc(sizeof(X509_PURPOSE))) == NULL) {
230 X509V3error(ERR_R_MALLOC_FAILURE);
231 return 0;
232 }
233 ptmp->flags = X509_PURPOSE_DYNAMIC;
234 } else
235 ptmp = X509_PURPOSE_get0(idx);
236
237 if ((name_dup = strdup(name)) == NULL)
238 goto err;
239 if ((sname_dup = strdup(sname)) == NULL)
240 goto err;
241
242 /* free existing name if dynamic */
243 if (ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
244 free(ptmp->name);
245 free(ptmp->sname);
246 }
247 /* dup supplied name */
248 ptmp->name = name_dup;
249 ptmp->sname = sname_dup;
250 /* Keep the dynamic flag of existing entry */
251 ptmp->flags &= X509_PURPOSE_DYNAMIC;
252 /* Set all other flags */
253 ptmp->flags |= flags;
254
255 ptmp->purpose = id;
256 ptmp->trust = trust;
257 ptmp->check_purpose = ck;
258 ptmp->usr_data = arg;
259
260 /* If its a new entry manage the dynamic table */
261 if (idx == -1) {
262 if (xptable == NULL &&
263 (xptable = sk_X509_PURPOSE_new(xp_cmp)) == NULL)
264 goto err;
265 if (sk_X509_PURPOSE_push(xptable, ptmp) == 0)
266 goto err;
267 }
268 return 1;
269
270err:
271 free(name_dup);
272 free(sname_dup);
273 if (idx == -1)
274 free(ptmp);
275 X509V3error(ERR_R_MALLOC_FAILURE);
276 return 0;
277}
278
279static void
280xptable_free(X509_PURPOSE *p)
281{
282 if (!p)
283 return;
284 if (p->flags & X509_PURPOSE_DYNAMIC) {
285 if (p->flags & X509_PURPOSE_DYNAMIC_NAME) {
286 free(p->name);
287 free(p->sname);
288 }
289 free(p);
290 }
291}
292
293void
294X509_PURPOSE_cleanup(void)
295{
296 unsigned int i;
297
298 sk_X509_PURPOSE_pop_free(xptable, xptable_free);
299 for(i = 0; i < X509_PURPOSE_COUNT; i++)
300 xptable_free(xstandard + i);
301 xptable = NULL;
302}
303
304int
305X509_PURPOSE_get_id(const X509_PURPOSE *xp)
306{
307 return xp->purpose;
308}
309
310char *
311X509_PURPOSE_get0_name(const X509_PURPOSE *xp)
312{
313 return xp->name;
314}
315
316char *
317X509_PURPOSE_get0_sname(const X509_PURPOSE *xp)
318{
319 return xp->sname;
320}
321
322int
323X509_PURPOSE_get_trust(const X509_PURPOSE *xp)
324{
325 return xp->trust;
326}
327
328static int
329nid_cmp(const int *a, const int *b)
330{
331 return *a - *b;
332}
333
334static int nid_cmp_BSEARCH_CMP_FN(const void *, const void *);
335static int nid_cmp(int const *, int const *);
336static int *OBJ_bsearch_nid(int *key, int const *base, int num);
337
338static int
339nid_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_)
340{
341 int const *a = a_;
342 int const *b = b_;
343 return nid_cmp(a, b);
344}
345
346static int *
347OBJ_bsearch_nid(int *key, int const *base, int num)
348{
349 return (int *)OBJ_bsearch_(key, base, num, sizeof(int),
350 nid_cmp_BSEARCH_CMP_FN);
351}
352
353int
354X509_supported_extension(X509_EXTENSION *ex)
355{
356 /* This table is a list of the NIDs of supported extensions:
357 * that is those which are used by the verify process. If
358 * an extension is critical and doesn't appear in this list
359 * then the verify process will normally reject the certificate.
360 * The list must be kept in numerical order because it will be
361 * searched using bsearch.
362 */
363
364 static const int supported_nids[] = {
365 NID_netscape_cert_type, /* 71 */
366 NID_key_usage, /* 83 */
367 NID_subject_alt_name, /* 85 */
368 NID_basic_constraints, /* 87 */
369 NID_certificate_policies, /* 89 */
370 NID_ext_key_usage, /* 126 */
371 NID_policy_constraints, /* 401 */
372 NID_proxyCertInfo, /* 663 */
373 NID_name_constraints, /* 666 */
374 NID_policy_mappings, /* 747 */
375 NID_inhibit_any_policy /* 748 */
376 };
377
378 int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
379
380 if (ex_nid == NID_undef)
381 return 0;
382
383 if (OBJ_bsearch_nid(&ex_nid, supported_nids,
384 sizeof(supported_nids) / sizeof(int)))
385 return 1;
386 return 0;
387}
388
389static void
390setup_dp(X509 *x, DIST_POINT *dp)
391{
392 X509_NAME *iname = NULL;
393 int i;
394
395 if (dp->reasons) {
396 if (dp->reasons->length > 0)
397 dp->dp_reasons = dp->reasons->data[0];
398 if (dp->reasons->length > 1)
399 dp->dp_reasons |= (dp->reasons->data[1] << 8);
400 dp->dp_reasons &= CRLDP_ALL_REASONS;
401 } else
402 dp->dp_reasons = CRLDP_ALL_REASONS;
403 if (!dp->distpoint || (dp->distpoint->type != 1))
404 return;
405 for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
406 GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
407 if (gen->type == GEN_DIRNAME) {
408 iname = gen->d.directoryName;
409 break;
410 }
411 }
412 if (!iname)
413 iname = X509_get_issuer_name(x);
414
415 DIST_POINT_set_dpname(dp->distpoint, iname);
416
417}
418
419static void
420setup_crldp(X509 *x)
421{
422 int i;
423
424 x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
425 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
426 setup_dp(x, sk_DIST_POINT_value(x->crldp, i));
427}
428
429static void
430x509v3_cache_extensions(X509 *x)
431{
432 BASIC_CONSTRAINTS *bs;
433 PROXY_CERT_INFO_EXTENSION *pci;
434 ASN1_BIT_STRING *usage;
435 ASN1_BIT_STRING *ns;
436 EXTENDED_KEY_USAGE *extusage;
437 X509_EXTENSION *ex;
438 int i;
439
440 if (x->ex_flags & EXFLAG_SET)
441 return;
442
443#ifndef OPENSSL_NO_SHA
444 X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
445#endif
446
447 /* V1 should mean no extensions ... */
448 if (!X509_get_version(x))
449 x->ex_flags |= EXFLAG_V1;
450
451 /* Handle basic constraints */
452 if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {
453 if (bs->ca)
454 x->ex_flags |= EXFLAG_CA;
455 if (bs->pathlen) {
456 if ((bs->pathlen->type == V_ASN1_NEG_INTEGER) ||
457 !bs->ca) {
458 x->ex_flags |= EXFLAG_INVALID;
459 x->ex_pathlen = 0;
460 } else
461 x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
462 } else
463 x->ex_pathlen = -1;
464 BASIC_CONSTRAINTS_free(bs);
465 x->ex_flags |= EXFLAG_BCONS;
466 }
467
468 /* Handle proxy certificates */
469 if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
470 if (x->ex_flags & EXFLAG_CA ||
471 X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 ||
472 X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
473 x->ex_flags |= EXFLAG_INVALID;
474 }
475 if (pci->pcPathLengthConstraint) {
476 if (pci->pcPathLengthConstraint->type ==
477 V_ASN1_NEG_INTEGER) {
478 x->ex_flags |= EXFLAG_INVALID;
479 x->ex_pcpathlen = 0;
480 } else
481 x->ex_pcpathlen =
482 ASN1_INTEGER_get(pci->
483 pcPathLengthConstraint);
484 } else
485 x->ex_pcpathlen = -1;
486 PROXY_CERT_INFO_EXTENSION_free(pci);
487 x->ex_flags |= EXFLAG_PROXY;
488 }
489
490 /* Handle key usage */
491 if ((usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
492 if (usage->length > 0) {
493 x->ex_kusage = usage->data[0];
494 if (usage->length > 1)
495 x->ex_kusage |= usage->data[1] << 8;
496 } else
497 x->ex_kusage = 0;
498 x->ex_flags |= EXFLAG_KUSAGE;
499 ASN1_BIT_STRING_free(usage);
500 }
501 x->ex_xkusage = 0;
502 if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) {
503 x->ex_flags |= EXFLAG_XKUSAGE;
504 for (i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
505 switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage, i))) {
506 case NID_server_auth:
507 x->ex_xkusage |= XKU_SSL_SERVER;
508 break;
509
510 case NID_client_auth:
511 x->ex_xkusage |= XKU_SSL_CLIENT;
512 break;
513
514 case NID_email_protect:
515 x->ex_xkusage |= XKU_SMIME;
516 break;
517
518 case NID_code_sign:
519 x->ex_xkusage |= XKU_CODE_SIGN;
520 break;
521
522 case NID_ms_sgc:
523 case NID_ns_sgc:
524 x->ex_xkusage |= XKU_SGC;
525 break;
526
527 case NID_OCSP_sign:
528 x->ex_xkusage |= XKU_OCSP_SIGN;
529 break;
530
531 case NID_time_stamp:
532 x->ex_xkusage |= XKU_TIMESTAMP;
533 break;
534
535 case NID_dvcs:
536 x->ex_xkusage |= XKU_DVCS;
537 break;
538 }
539 }
540 sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
541 }
542
543 if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
544 if (ns->length > 0)
545 x->ex_nscert = ns->data[0];
546 else
547 x->ex_nscert = 0;
548 x->ex_flags |= EXFLAG_NSCERT;
549 ASN1_BIT_STRING_free(ns);
550 }
551
552 x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
553 x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
554
555 /* Does subject name match issuer? */
556 if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) {
557 x->ex_flags |= EXFLAG_SI;
558 /* If SKID matches AKID also indicate self signed. */
559 if (X509_check_akid(x, x->akid) == X509_V_OK &&
560 !ku_reject(x, KU_KEY_CERT_SIGN))
561 x->ex_flags |= EXFLAG_SS;
562 }
563
564 x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
565 x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
566 if (!x->nc && (i != -1))
567 x->ex_flags |= EXFLAG_INVALID;
568 setup_crldp(x);
569
570 for (i = 0; i < X509_get_ext_count(x); i++) {
571 ex = X509_get_ext(x, i);
572 if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) ==
573 NID_freshest_crl)
574 x->ex_flags |= EXFLAG_FRESHEST;
575 if (!X509_EXTENSION_get_critical(ex))
576 continue;
577 if (!X509_supported_extension(ex)) {
578 x->ex_flags |= EXFLAG_CRITICAL;
579 break;
580 }
581 }
582 x->ex_flags |= EXFLAG_SET;
583}
584
585/* CA checks common to all purposes
586 * return codes:
587 * 0 not a CA
588 * 1 is a CA
589 * 2 basicConstraints absent so "maybe" a CA
590 * 3 basicConstraints absent but self signed V1.
591 * 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
592 */
593
594static int
595check_ca(const X509 *x)
596{
597 /* keyUsage if present should allow cert signing */
598 if (ku_reject(x, KU_KEY_CERT_SIGN))
599 return 0;
600 if (x->ex_flags & EXFLAG_BCONS) {
601 if (x->ex_flags & EXFLAG_CA)
602 return 1;
603 /* If basicConstraints says not a CA then say so */
604 else
605 return 0;
606 } else {
607 /* we support V1 roots for... uh, I don't really know why. */
608 if ((x->ex_flags & V1_ROOT) == V1_ROOT)
609 return 3;
610 /* If key usage present it must have certSign so tolerate it */
611 else if (x->ex_flags & EXFLAG_KUSAGE)
612 return 4;
613 /* Older certificates could have Netscape-specific CA types */
614 else if (x->ex_flags & EXFLAG_NSCERT &&
615 x->ex_nscert & NS_ANY_CA)
616 return 5;
617 /* can this still be regarded a CA certificate? I doubt it */
618 return 0;
619 }
620}
621
622int
623X509_check_ca(X509 *x)
624{
625 if (!(x->ex_flags & EXFLAG_SET)) {
626 CRYPTO_w_lock(CRYPTO_LOCK_X509);
627 x509v3_cache_extensions(x);
628 CRYPTO_w_unlock(CRYPTO_LOCK_X509);
629 }
630
631 return check_ca(x);
632}
633
634/* Check SSL CA: common checks for SSL client and server */
635static int
636check_ssl_ca(const X509 *x)
637{
638 int ca_ret;
639
640 ca_ret = check_ca(x);
641 if (!ca_ret)
642 return 0;
643 /* check nsCertType if present */
644 if (ca_ret != 5 || x->ex_nscert & NS_SSL_CA)
645 return ca_ret;
646 else
647 return 0;
648}
649
650static int
651check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca)
652{
653 if (xku_reject(x, XKU_SSL_CLIENT))
654 return 0;
655 if (ca)
656 return check_ssl_ca(x);
657 /* We need to do digital signatures with it */
658 if (ku_reject(x, KU_DIGITAL_SIGNATURE))
659 return 0;
660 /* nsCertType if present should allow SSL client use */
661 if (ns_reject(x, NS_SSL_CLIENT))
662 return 0;
663 return 1;
664}
665
666static int
667check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
668{
669 if (xku_reject(x, XKU_SSL_SERVER|XKU_SGC))
670 return 0;
671 if (ca)
672 return check_ssl_ca(x);
673
674 if (ns_reject(x, NS_SSL_SERVER))
675 return 0;
676 /* Now as for keyUsage: we'll at least need to sign OR encipher */
677 if (ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT))
678 return 0;
679
680 return 1;
681}
682
683static int
684check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
685{
686 int ret;
687
688 ret = check_purpose_ssl_server(xp, x, ca);
689 if (!ret || ca)
690 return ret;
691 /* We need to encipher or Netscape complains */
692 if (ku_reject(x, KU_KEY_ENCIPHERMENT))
693 return 0;
694 return ret;
695}
696
697/* common S/MIME checks */
698static int
699purpose_smime(const X509 *x, int ca)
700{
701 if (xku_reject(x, XKU_SMIME))
702 return 0;
703 if (ca) {
704 int ca_ret;
705 ca_ret = check_ca(x);
706 if (!ca_ret)
707 return 0;
708 /* check nsCertType if present */
709 if (ca_ret != 5 || x->ex_nscert & NS_SMIME_CA)
710 return ca_ret;
711 else
712 return 0;
713 }
714 if (x->ex_flags & EXFLAG_NSCERT) {
715 if (x->ex_nscert & NS_SMIME)
716 return 1;
717 /* Workaround for some buggy certificates */
718 if (x->ex_nscert & NS_SSL_CLIENT)
719 return 2;
720 return 0;
721 }
722 return 1;
723}
724
725static int
726check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
727{
728 int ret;
729
730 ret = purpose_smime(x, ca);
731 if (!ret || ca)
732 return ret;
733 if (ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION))
734 return 0;
735 return ret;
736}
737
738static int
739check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca)
740{
741 int ret;
742
743 ret = purpose_smime(x, ca);
744 if (!ret || ca)
745 return ret;
746 if (ku_reject(x, KU_KEY_ENCIPHERMENT))
747 return 0;
748 return ret;
749}
750
751static int
752check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
753{
754 if (ca) {
755 int ca_ret;
756 if ((ca_ret = check_ca(x)) != 2)
757 return ca_ret;
758 else
759 return 0;
760 }
761 if (ku_reject(x, KU_CRL_SIGN))
762 return 0;
763 return 1;
764}
765
766/* OCSP helper: this is *not* a full OCSP check. It just checks that
767 * each CA is valid. Additional checks must be made on the chain.
768 */
769static int
770ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
771{
772 /* Must be a valid CA. Should we really support the "I don't know"
773 value (2)? */
774 if (ca)
775 return check_ca(x);
776 /* leaf certificate is checked in OCSP_verify() */
777 return 1;
778}
779
780static int
781check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
782{
783 int i_ext;
784
785 /* If ca is true we must return if this is a valid CA certificate. */
786 if (ca)
787 return check_ca(x);
788
789 /*
790 * Check the optional key usage field:
791 * if Key Usage is present, it must be one of digitalSignature
792 * and/or nonRepudiation (other values are not consistent and shall
793 * be rejected).
794 */
795 if ((x->ex_flags & EXFLAG_KUSAGE) &&
796 ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) ||
797 !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE))))
798 return 0;
799
800 /* Only time stamp key usage is permitted and it's required. */
801 if (!(x->ex_flags & EXFLAG_XKUSAGE) || x->ex_xkusage != XKU_TIMESTAMP)
802 return 0;
803
804 /* Extended Key Usage MUST be critical */
805 i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1);
806 if (i_ext >= 0) {
807 X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);
808 if (!X509_EXTENSION_get_critical(ext))
809 return 0;
810 }
811
812 return 1;
813}
814
815static int
816no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
817{
818 return 1;
819}
820
821/* Various checks to see if one certificate issued the second.
822 * This can be used to prune a set of possible issuer certificates
823 * which have been looked up using some simple method such as by
824 * subject name.
825 * These are:
826 * 1. Check issuer_name(subject) == subject_name(issuer)
827 * 2. If akid(subject) exists check it matches issuer
828 * 3. If key_usage(issuer) exists check it supports certificate signing
829 * returns 0 for OK, positive for reason for mismatch, reasons match
830 * codes for X509_verify_cert()
831 */
832
833int
834X509_check_issued(X509 *issuer, X509 *subject)
835{
836 if (X509_NAME_cmp(X509_get_subject_name(issuer),
837 X509_get_issuer_name(subject)))
838 return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
839 x509v3_cache_extensions(issuer);
840 x509v3_cache_extensions(subject);
841
842 if (subject->akid) {
843 int ret = X509_check_akid(issuer, subject->akid);
844 if (ret != X509_V_OK)
845 return ret;
846 }
847
848 if (subject->ex_flags & EXFLAG_PROXY) {
849 if (ku_reject(issuer, KU_DIGITAL_SIGNATURE))
850 return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
851 } else if (ku_reject(issuer, KU_KEY_CERT_SIGN))
852 return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
853 return X509_V_OK;
854}
855
856int
857X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
858{
859 if (!akid)
860 return X509_V_OK;
861
862 /* Check key ids (if present) */
863 if (akid->keyid && issuer->skid &&
864 ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) )
865 return X509_V_ERR_AKID_SKID_MISMATCH;
866 /* Check serial number */
867 if (akid->serial &&
868 ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial))
869 return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
870 /* Check issuer name */
871 if (akid->issuer) {
872 /* Ugh, for some peculiar reason AKID includes
873 * SEQUENCE OF GeneralName. So look for a DirName.
874 * There may be more than one but we only take any
875 * notice of the first.
876 */
877 GENERAL_NAMES *gens;
878 GENERAL_NAME *gen;
879 X509_NAME *nm = NULL;
880 int i;
881 gens = akid->issuer;
882 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
883 gen = sk_GENERAL_NAME_value(gens, i);
884 if (gen->type == GEN_DIRNAME) {
885 nm = gen->d.dirn;
886 break;
887 }
888 }
889 if (nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
890 return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
891 }
892 return X509_V_OK;
893}
diff --git a/src/lib/libcrypto/x509/x509_skey.c b/src/lib/libcrypto/x509/x509_skey.c
new file mode 100644
index 0000000000..a906427378
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_skey.c
@@ -0,0 +1,161 @@
1/* $OpenBSD: x509_skey.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/err.h>
63#include <openssl/x509v3.h>
64
65static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
66 X509V3_CTX *ctx, char *str);
67
68const X509V3_EXT_METHOD v3_skey_id = {
69 .ext_nid = NID_subject_key_identifier,
70 .ext_flags = 0,
71 .it = &ASN1_OCTET_STRING_it,
72 .ext_new = NULL,
73 .ext_free = NULL,
74 .d2i = NULL,
75 .i2d = NULL,
76 .i2s = (X509V3_EXT_I2S)i2s_ASN1_OCTET_STRING,
77 .s2i = (X509V3_EXT_S2I)s2i_skey_id,
78 .i2v = NULL,
79 .v2i = NULL,
80 .i2r = NULL,
81 .r2i = NULL,
82 .usr_data = NULL,
83};
84
85char *
86i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, const ASN1_OCTET_STRING *oct)
87{
88 return hex_to_string(oct->data, oct->length);
89}
90
91ASN1_OCTET_STRING *
92s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
93 const char *str)
94{
95 ASN1_OCTET_STRING *oct;
96 long length;
97
98 if (!(oct = ASN1_OCTET_STRING_new())) {
99 X509V3error(ERR_R_MALLOC_FAILURE);
100 return NULL;
101 }
102
103 if (!(oct->data = string_to_hex(str, &length))) {
104 ASN1_OCTET_STRING_free(oct);
105 return NULL;
106 }
107
108 oct->length = length;
109
110 return oct;
111}
112
113static ASN1_OCTET_STRING *
114s2i_skey_id(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str)
115{
116 ASN1_OCTET_STRING *oct;
117 ASN1_BIT_STRING *pk;
118 unsigned char pkey_dig[EVP_MAX_MD_SIZE];
119 unsigned int diglen;
120
121 if (strcmp(str, "hash"))
122 return s2i_ASN1_OCTET_STRING(method, ctx, str);
123
124 if (!(oct = ASN1_OCTET_STRING_new())) {
125 X509V3error(ERR_R_MALLOC_FAILURE);
126 return NULL;
127 }
128
129 if (ctx && (ctx->flags == CTX_TEST))
130 return oct;
131
132 if (!ctx || (!ctx->subject_req && !ctx->subject_cert)) {
133 X509V3error(X509V3_R_NO_PUBLIC_KEY);
134 goto err;
135 }
136
137 if (ctx->subject_req)
138 pk = ctx->subject_req->req_info->pubkey->public_key;
139 else
140 pk = ctx->subject_cert->cert_info->key->public_key;
141
142 if (!pk) {
143 X509V3error(X509V3_R_NO_PUBLIC_KEY);
144 goto err;
145 }
146
147 if (!EVP_Digest(pk->data, pk->length, pkey_dig, &diglen,
148 EVP_sha1(), NULL))
149 goto err;
150
151 if (!ASN1_STRING_set(oct, pkey_dig, diglen)) {
152 X509V3error(ERR_R_MALLOC_FAILURE);
153 goto err;
154 }
155
156 return oct;
157
158err:
159 ASN1_OCTET_STRING_free(oct);
160 return NULL;
161}
diff --git a/src/lib/libcrypto/x509/x509_sxnet.c b/src/lib/libcrypto/x509/x509_sxnet.c
new file mode 100644
index 0000000000..e5e98bcecc
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_sxnet.c
@@ -0,0 +1,383 @@
1/* $OpenBSD: x509_sxnet.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/conf.h>
65#include <openssl/err.h>
66#include <openssl/x509v3.h>
67
68/* Support for Thawte strong extranet extension */
69
70#define SXNET_TEST
71
72static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out,
73 int indent);
74#ifdef SXNET_TEST
75static SXNET * sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
76 STACK_OF(CONF_VALUE) *nval);
77#endif
78
79const X509V3_EXT_METHOD v3_sxnet = {
80 .ext_nid = NID_sxnet,
81 .ext_flags = X509V3_EXT_MULTILINE,
82 .it = &SXNET_it,
83 .ext_new = NULL,
84 .ext_free = NULL,
85 .d2i = NULL,
86 .i2d = NULL,
87 .i2s = NULL,
88 .s2i = NULL,
89 .i2v = NULL,
90#ifdef SXNET_TEST
91 .v2i = (X509V3_EXT_V2I)sxnet_v2i,
92#else
93 .v2i = NULL,
94#endif
95 .i2r = (X509V3_EXT_I2R)sxnet_i2r,
96 .r2i = NULL,
97 .usr_data = NULL,
98};
99
100static const ASN1_TEMPLATE SXNETID_seq_tt[] = {
101 {
102 .flags = 0,
103 .tag = 0,
104 .offset = offsetof(SXNETID, zone),
105 .field_name = "zone",
106 .item = &ASN1_INTEGER_it,
107 },
108 {
109 .flags = 0,
110 .tag = 0,
111 .offset = offsetof(SXNETID, user),
112 .field_name = "user",
113 .item = &ASN1_OCTET_STRING_it,
114 },
115};
116
117const ASN1_ITEM SXNETID_it = {
118 .itype = ASN1_ITYPE_SEQUENCE,
119 .utype = V_ASN1_SEQUENCE,
120 .templates = SXNETID_seq_tt,
121 .tcount = sizeof(SXNETID_seq_tt) / sizeof(ASN1_TEMPLATE),
122 .funcs = NULL,
123 .size = sizeof(SXNETID),
124 .sname = "SXNETID",
125};
126
127
128SXNETID *
129d2i_SXNETID(SXNETID **a, const unsigned char **in, long len)
130{
131 return (SXNETID *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
132 &SXNETID_it);
133}
134
135int
136i2d_SXNETID(SXNETID *a, unsigned char **out)
137{
138 return ASN1_item_i2d((ASN1_VALUE *)a, out, &SXNETID_it);
139}
140
141SXNETID *
142SXNETID_new(void)
143{
144 return (SXNETID *)ASN1_item_new(&SXNETID_it);
145}
146
147void
148SXNETID_free(SXNETID *a)
149{
150 ASN1_item_free((ASN1_VALUE *)a, &SXNETID_it);
151}
152
153static const ASN1_TEMPLATE SXNET_seq_tt[] = {
154 {
155 .flags = 0,
156 .tag = 0,
157 .offset = offsetof(SXNET, version),
158 .field_name = "version",
159 .item = &ASN1_INTEGER_it,
160 },
161 {
162 .flags = ASN1_TFLG_SEQUENCE_OF,
163 .tag = 0,
164 .offset = offsetof(SXNET, ids),
165 .field_name = "ids",
166 .item = &SXNETID_it,
167 },
168};
169
170const ASN1_ITEM SXNET_it = {
171 .itype = ASN1_ITYPE_SEQUENCE,
172 .utype = V_ASN1_SEQUENCE,
173 .templates = SXNET_seq_tt,
174 .tcount = sizeof(SXNET_seq_tt) / sizeof(ASN1_TEMPLATE),
175 .funcs = NULL,
176 .size = sizeof(SXNET),
177 .sname = "SXNET",
178};
179
180
181SXNET *
182d2i_SXNET(SXNET **a, const unsigned char **in, long len)
183{
184 return (SXNET *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
185 &SXNET_it);
186}
187
188int
189i2d_SXNET(SXNET *a, unsigned char **out)
190{
191 return ASN1_item_i2d((ASN1_VALUE *)a, out, &SXNET_it);
192}
193
194SXNET *
195SXNET_new(void)
196{
197 return (SXNET *)ASN1_item_new(&SXNET_it);
198}
199
200void
201SXNET_free(SXNET *a)
202{
203 ASN1_item_free((ASN1_VALUE *)a, &SXNET_it);
204}
205
206static int
207sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out, int indent)
208{
209 long v;
210 char *tmp;
211 SXNETID *id;
212 int i;
213
214 v = ASN1_INTEGER_get(sx->version);
215 BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", v + 1, v);
216 for (i = 0; i < sk_SXNETID_num(sx->ids); i++) {
217 id = sk_SXNETID_value(sx->ids, i);
218 tmp = i2s_ASN1_INTEGER(NULL, id->zone);
219 BIO_printf(out, "\n%*sZone: %s, User: ", indent, "", tmp);
220 free(tmp);
221 ASN1_STRING_print(out, id->user);
222 }
223 return 1;
224}
225
226#ifdef SXNET_TEST
227
228/* NBB: this is used for testing only. It should *not* be used for anything
229 * else because it will just take static IDs from the configuration file and
230 * they should really be separate values for each user.
231 */
232
233static SXNET *
234sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
235 STACK_OF(CONF_VALUE) *nval)
236{
237 CONF_VALUE *cnf;
238 SXNET *sx = NULL;
239 int i;
240
241 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
242 cnf = sk_CONF_VALUE_value(nval, i);
243 if (!SXNET_add_id_asc(&sx, cnf->name, cnf->value, -1))
244 return NULL;
245 }
246 return sx;
247}
248
249#endif
250
251/* Strong Extranet utility functions */
252
253/* Add an id given the zone as an ASCII number */
254
255int
256SXNET_add_id_asc(SXNET **psx, const char *zone, const char *user, int userlen)
257{
258 ASN1_INTEGER *izone = NULL;
259
260 if (!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
261 X509V3error(X509V3_R_ERROR_CONVERTING_ZONE);
262 return 0;
263 }
264 return SXNET_add_id_INTEGER(psx, izone, user, userlen);
265}
266
267/* Add an id given the zone as an unsigned long */
268
269int
270SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, const char *user,
271 int userlen)
272{
273 ASN1_INTEGER *izone = NULL;
274
275 if (!(izone = ASN1_INTEGER_new()) ||
276 !ASN1_INTEGER_set(izone, lzone)) {
277 X509V3error(ERR_R_MALLOC_FAILURE);
278 ASN1_INTEGER_free(izone);
279 return 0;
280 }
281 return SXNET_add_id_INTEGER(psx, izone, user, userlen);
282}
283
284/* Add an id given the zone as an ASN1_INTEGER.
285 * Note this version uses the passed integer and doesn't make a copy so don't
286 * free it up afterwards.
287 */
288
289int
290SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, const char *user,
291 int userlen)
292{
293 SXNET *sx = NULL;
294 SXNETID *id = NULL;
295
296 if (!psx || !zone || !user) {
297 X509V3error(X509V3_R_INVALID_NULL_ARGUMENT);
298 return 0;
299 }
300 if (userlen == -1)
301 userlen = strlen(user);
302 if (userlen > 64) {
303 X509V3error(X509V3_R_USER_TOO_LONG);
304 return 0;
305 }
306 if (!*psx) {
307 if (!(sx = SXNET_new()))
308 goto err;
309 if (!ASN1_INTEGER_set(sx->version, 0))
310 goto err;
311 *psx = sx;
312 } else
313 sx = *psx;
314 if (SXNET_get_id_INTEGER(sx, zone)) {
315 X509V3error(X509V3_R_DUPLICATE_ZONE_ID);
316 return 0;
317 }
318
319 if (!(id = SXNETID_new()))
320 goto err;
321 if (userlen == -1)
322 userlen = strlen(user);
323
324 if (!ASN1_STRING_set(id->user, user, userlen))
325 goto err;
326 if (!sk_SXNETID_push(sx->ids, id))
327 goto err;
328 id->zone = zone;
329 return 1;
330
331err:
332 X509V3error(ERR_R_MALLOC_FAILURE);
333 SXNETID_free(id);
334 SXNET_free(sx);
335 *psx = NULL;
336 return 0;
337}
338
339ASN1_OCTET_STRING *
340SXNET_get_id_asc(SXNET *sx, const char *zone)
341{
342 ASN1_INTEGER *izone = NULL;
343 ASN1_OCTET_STRING *oct;
344
345 if (!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
346 X509V3error(X509V3_R_ERROR_CONVERTING_ZONE);
347 return NULL;
348 }
349 oct = SXNET_get_id_INTEGER(sx, izone);
350 ASN1_INTEGER_free(izone);
351 return oct;
352}
353
354ASN1_OCTET_STRING *
355SXNET_get_id_ulong(SXNET *sx, unsigned long lzone)
356{
357 ASN1_INTEGER *izone = NULL;
358 ASN1_OCTET_STRING *oct;
359
360 if (!(izone = ASN1_INTEGER_new()) ||
361 !ASN1_INTEGER_set(izone, lzone)) {
362 X509V3error(ERR_R_MALLOC_FAILURE);
363 ASN1_INTEGER_free(izone);
364 return NULL;
365 }
366 oct = SXNET_get_id_INTEGER(sx, izone);
367 ASN1_INTEGER_free(izone);
368 return oct;
369}
370
371ASN1_OCTET_STRING *
372SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone)
373{
374 SXNETID *id;
375 int i;
376
377 for (i = 0; i < sk_SXNETID_num(sx->ids); i++) {
378 id = sk_SXNETID_value(sx->ids, i);
379 if (!ASN1_INTEGER_cmp(id->zone, zone))
380 return id->user;
381 }
382 return NULL;
383}
diff --git a/src/lib/libcrypto/x509/x509_utl.c b/src/lib/libcrypto/x509/x509_utl.c
new file mode 100644
index 0000000000..4641152f74
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_utl.c
@@ -0,0 +1,1387 @@
1/* $OpenBSD: x509_utl.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58/* X509 v3 extension utilities */
59
60#include <ctype.h>
61#include <stdio.h>
62#include <string.h>
63
64#include <openssl/bn.h>
65#include <openssl/conf.h>
66#include <openssl/err.h>
67#include <openssl/x509v3.h>
68
69char *bn_to_string(const BIGNUM *bn);
70static char *strip_spaces(char *name);
71static int sk_strcmp(const char * const *a, const char * const *b);
72static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name,
73 GENERAL_NAMES *gens);
74static void str_free(OPENSSL_STRING str);
75static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email);
76
77static int ipv4_from_asc(unsigned char *v4, const char *in);
78static int ipv6_from_asc(unsigned char *v6, const char *in);
79static int ipv6_cb(const char *elem, int len, void *usr);
80static int ipv6_hex(unsigned char *out, const char *in, int inlen);
81
82/* Add a CONF_VALUE name-value pair to stack. */
83int
84X509V3_add_value(const char *name, const char *value,
85 STACK_OF(CONF_VALUE) **extlist)
86{
87 CONF_VALUE *vtmp = NULL;
88 STACK_OF(CONF_VALUE) *free_exts = NULL;
89
90 if ((vtmp = calloc(1, sizeof(CONF_VALUE))) == NULL)
91 goto err;
92 if (name != NULL) {
93 if ((vtmp->name = strdup(name)) == NULL)
94 goto err;
95 }
96 if (value != NULL) {
97 if ((vtmp->value = strdup(value)) == NULL)
98 goto err;
99 }
100
101 if (*extlist == NULL) {
102 if ((free_exts = *extlist = sk_CONF_VALUE_new_null()) == NULL)
103 goto err;
104 }
105
106 if (!sk_CONF_VALUE_push(*extlist, vtmp))
107 goto err;
108
109 return 1;
110
111 err:
112 X509V3error(ERR_R_MALLOC_FAILURE);
113 X509V3_conf_free(vtmp);
114 if (free_exts != NULL) {
115 sk_CONF_VALUE_free(*extlist);
116 *extlist = NULL;
117 }
118 return 0;
119}
120
121int
122X509V3_add_value_uchar(const char *name, const unsigned char *value,
123 STACK_OF(CONF_VALUE) **extlist)
124{
125 return X509V3_add_value(name, (const char *)value, extlist);
126}
127
128/* Free function for STACK_OF(CONF_VALUE) */
129
130void
131X509V3_conf_free(CONF_VALUE *conf)
132{
133 if (!conf)
134 return;
135 free(conf->name);
136 free(conf->value);
137 free(conf->section);
138 free(conf);
139}
140
141int
142X509V3_add_value_bool(const char *name, int asn1_bool,
143 STACK_OF(CONF_VALUE) **extlist)
144{
145 if (asn1_bool)
146 return X509V3_add_value(name, "TRUE", extlist);
147 return X509V3_add_value(name, "FALSE", extlist);
148}
149
150int
151X509V3_add_value_bool_nf(const char *name, int asn1_bool,
152 STACK_OF(CONF_VALUE) **extlist)
153{
154 if (asn1_bool)
155 return X509V3_add_value(name, "TRUE", extlist);
156 return 1;
157}
158
159char *
160bn_to_string(const BIGNUM *bn)
161{
162 const char *sign = "";
163 char *bnstr, *hex;
164 char *ret = NULL;
165
166 /* Only display small numbers in decimal, as conversion is quadratic. */
167 if (BN_num_bits(bn) < 128)
168 return BN_bn2dec(bn);
169
170 if ((hex = bnstr = BN_bn2hex(bn)) == NULL)
171 goto err;
172
173 if (BN_is_negative(bn)) {
174 sign = "-";
175 hex++;
176 }
177
178 if (asprintf(&ret, "%s0x%s", sign, hex) == -1)
179 ret = NULL;
180
181 err:
182 free(bnstr);
183 return ret;
184}
185
186char *
187i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *method, const ASN1_ENUMERATED *a)
188{
189 BIGNUM *bntmp;
190 char *strtmp = NULL;
191
192 if (a == NULL)
193 return NULL;
194 if ((bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) == NULL ||
195 (strtmp = bn_to_string(bntmp)) == NULL)
196 X509V3error(ERR_R_MALLOC_FAILURE);
197 BN_free(bntmp);
198 return strtmp;
199}
200
201char *
202i2s_ASN1_INTEGER(X509V3_EXT_METHOD *method, const ASN1_INTEGER *a)
203{
204 BIGNUM *bntmp;
205 char *strtmp = NULL;
206
207 if (a == NULL)
208 return NULL;
209 if ((bntmp = ASN1_INTEGER_to_BN(a, NULL)) == NULL ||
210 (strtmp = bn_to_string(bntmp)) == NULL)
211 X509V3error(ERR_R_MALLOC_FAILURE);
212 BN_free(bntmp);
213 return strtmp;
214}
215
216ASN1_INTEGER *
217s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, const char *value)
218{
219 BIGNUM *bn = NULL;
220 ASN1_INTEGER *aint;
221 int isneg, ishex;
222 int ret;
223
224 if (!value) {
225 X509V3error(X509V3_R_INVALID_NULL_VALUE);
226 return 0;
227 }
228 bn = BN_new();
229 if (value[0] == '-') {
230 value++;
231 isneg = 1;
232 } else
233 isneg = 0;
234
235 if (value[0] == '0' && ((value[1] == 'x') || (value[1] == 'X'))) {
236 value += 2;
237 ishex = 1;
238 } else
239 ishex = 0;
240
241 if (ishex)
242 ret = BN_hex2bn(&bn, value);
243 else
244 ret = BN_dec2bn(&bn, value);
245
246 if (!ret || value[ret]) {
247 BN_free(bn);
248 X509V3error(X509V3_R_BN_DEC2BN_ERROR);
249 return 0;
250 }
251
252 if (isneg && BN_is_zero(bn))
253 isneg = 0;
254
255 aint = BN_to_ASN1_INTEGER(bn, NULL);
256 BN_free(bn);
257 if (!aint) {
258 X509V3error(X509V3_R_BN_TO_ASN1_INTEGER_ERROR);
259 return 0;
260 }
261 if (isneg)
262 aint->type |= V_ASN1_NEG;
263 return aint;
264}
265
266int
267X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint,
268 STACK_OF(CONF_VALUE) **extlist)
269{
270 char *strtmp;
271 int ret;
272
273 if (!aint)
274 return 1;
275 if (!(strtmp = i2s_ASN1_INTEGER(NULL, aint)))
276 return 0;
277 ret = X509V3_add_value(name, strtmp, extlist);
278 free(strtmp);
279 return ret;
280}
281
282int
283X509V3_get_value_bool(const CONF_VALUE *value, int *asn1_bool)
284{
285 char *btmp;
286
287 if (!(btmp = value->value))
288 goto err;
289 if (!strcmp(btmp, "TRUE") || !strcmp(btmp, "true") ||
290 !strcmp(btmp, "Y") || !strcmp(btmp, "y") ||
291 !strcmp(btmp, "YES") || !strcmp(btmp, "yes")) {
292 *asn1_bool = 0xff;
293 return 1;
294 } else if (!strcmp(btmp, "FALSE") || !strcmp(btmp, "false") ||
295 !strcmp(btmp, "N") || !strcmp(btmp, "n") ||
296 !strcmp(btmp, "NO") || !strcmp(btmp, "no")) {
297 *asn1_bool = 0;
298 return 1;
299 }
300
301 err:
302 X509V3error(X509V3_R_INVALID_BOOLEAN_STRING);
303 X509V3_conf_err(value);
304 return 0;
305}
306
307int
308X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint)
309{
310 ASN1_INTEGER *itmp;
311
312 if (!(itmp = s2i_ASN1_INTEGER(NULL, value->value))) {
313 X509V3_conf_err(value);
314 return 0;
315 }
316 *aint = itmp;
317 return 1;
318}
319
320#define HDR_NAME 1
321#define HDR_VALUE 2
322
323/*#define DEBUG*/
324
325STACK_OF(CONF_VALUE) *
326X509V3_parse_list(const char *line)
327{
328 char *p, *q, c;
329 char *ntmp, *vtmp;
330 STACK_OF(CONF_VALUE) *values = NULL;
331 char *linebuf;
332 int state;
333
334 /* We are going to modify the line so copy it first */
335 if ((linebuf = strdup(line)) == NULL) {
336 X509V3error(ERR_R_MALLOC_FAILURE);
337 goto err;
338 }
339 state = HDR_NAME;
340 ntmp = NULL;
341
342 /* Go through all characters */
343 for (p = linebuf, q = linebuf; (c = *p) && (c != '\r') &&
344 (c != '\n'); p++) {
345
346 switch (state) {
347 case HDR_NAME:
348 if (c == ':') {
349 state = HDR_VALUE;
350 *p = 0;
351 ntmp = strip_spaces(q);
352 if (!ntmp) {
353 X509V3error(X509V3_R_INVALID_NULL_NAME);
354 goto err;
355 }
356 q = p + 1;
357 } else if (c == ',') {
358 *p = 0;
359 ntmp = strip_spaces(q);
360 q = p + 1;
361 if (!ntmp) {
362 X509V3error(X509V3_R_INVALID_NULL_NAME);
363 goto err;
364 }
365 X509V3_add_value(ntmp, NULL, &values);
366 }
367 break;
368
369 case HDR_VALUE:
370 if (c == ',') {
371 state = HDR_NAME;
372 *p = 0;
373 vtmp = strip_spaces(q);
374 if (!vtmp) {
375 X509V3error(X509V3_R_INVALID_NULL_VALUE);
376 goto err;
377 }
378 X509V3_add_value(ntmp, vtmp, &values);
379 ntmp = NULL;
380 q = p + 1;
381 }
382
383 }
384 }
385
386 if (state == HDR_VALUE) {
387 vtmp = strip_spaces(q);
388 if (!vtmp) {
389 X509V3error(X509V3_R_INVALID_NULL_VALUE);
390 goto err;
391 }
392 X509V3_add_value(ntmp, vtmp, &values);
393 } else {
394 ntmp = strip_spaces(q);
395 if (!ntmp) {
396 X509V3error(X509V3_R_INVALID_NULL_NAME);
397 goto err;
398 }
399 X509V3_add_value(ntmp, NULL, &values);
400 }
401 free(linebuf);
402 return values;
403
404 err:
405 free(linebuf);
406 sk_CONF_VALUE_pop_free(values, X509V3_conf_free);
407 return NULL;
408
409}
410
411/* Delete leading and trailing spaces from a string */
412static char *
413strip_spaces(char *name)
414{
415 char *p, *q;
416
417 /* Skip over leading spaces */
418 p = name;
419 while (*p && isspace((unsigned char)*p))
420 p++;
421 if (!*p)
422 return NULL;
423 q = p + strlen(p) - 1;
424 while ((q != p) && isspace((unsigned char)*q))
425 q--;
426 if (p != q)
427 q[1] = 0;
428 if (!*p)
429 return NULL;
430 return p;
431}
432
433/* hex string utilities */
434
435/* Given a buffer of length 'len' return a malloc'ed string with its
436 * hex representation
437 */
438char *
439hex_to_string(const unsigned char *buffer, long len)
440{
441 char *tmp, *q;
442 const unsigned char *p;
443 int i;
444 static const char hexdig[] = "0123456789ABCDEF";
445
446 if (!buffer || !len)
447 return NULL;
448 if (!(tmp = malloc(len * 3 + 1))) {
449 X509V3error(ERR_R_MALLOC_FAILURE);
450 return NULL;
451 }
452 q = tmp;
453 for (i = 0, p = buffer; i < len; i++, p++) {
454 *q++ = hexdig[(*p >> 4) & 0xf];
455 *q++ = hexdig[*p & 0xf];
456 *q++ = ':';
457 }
458 q[-1] = 0;
459 return tmp;
460}
461
462/* Give a string of hex digits convert to
463 * a buffer
464 */
465
466unsigned char *
467string_to_hex(const char *str, long *len)
468{
469 unsigned char *hexbuf, *q;
470 unsigned char ch, cl, *p;
471 if (!str) {
472 X509V3error(X509V3_R_INVALID_NULL_ARGUMENT);
473 return NULL;
474 }
475 if (!(hexbuf = malloc(strlen(str) >> 1)))
476 goto err;
477 for (p = (unsigned char *)str, q = hexbuf; *p; ) {
478 ch = *p++;
479 if (ch == ':')
480 continue;
481 cl = *p++;
482 if (!cl) {
483 X509V3error(X509V3_R_ODD_NUMBER_OF_DIGITS);
484 free(hexbuf);
485 return NULL;
486 }
487 ch = tolower(ch);
488 cl = tolower(cl);
489
490 if ((ch >= '0') && (ch <= '9'))
491 ch -= '0';
492 else if ((ch >= 'a') && (ch <= 'f'))
493 ch -= 'a' - 10;
494 else
495 goto badhex;
496
497 if ((cl >= '0') && (cl <= '9'))
498 cl -= '0';
499 else if ((cl >= 'a') && (cl <= 'f'))
500 cl -= 'a' - 10;
501 else
502 goto badhex;
503
504 *q++ = (ch << 4) | cl;
505 }
506
507 if (len)
508 *len = q - hexbuf;
509
510 return hexbuf;
511
512 err:
513 free(hexbuf);
514 X509V3error(ERR_R_MALLOC_FAILURE);
515 return NULL;
516
517 badhex:
518 free(hexbuf);
519 X509V3error(X509V3_R_ILLEGAL_HEX_DIGIT);
520 return NULL;
521}
522
523/* V2I name comparison function: returns zero if 'name' matches
524 * cmp or cmp.*
525 */
526
527int
528name_cmp(const char *name, const char *cmp)
529{
530 int len, ret;
531 char c;
532
533 len = strlen(cmp);
534 if ((ret = strncmp(name, cmp, len)))
535 return ret;
536 c = name[len];
537 if (!c || (c=='.'))
538 return 0;
539 return 1;
540}
541
542static int
543sk_strcmp(const char * const *a, const char * const *b)
544{
545 return strcmp(*a, *b);
546}
547
548STACK_OF(OPENSSL_STRING) *
549X509_get1_email(X509 *x)
550{
551 GENERAL_NAMES *gens;
552 STACK_OF(OPENSSL_STRING) *ret;
553
554 gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
555 ret = get_email(X509_get_subject_name(x), gens);
556 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
557 return ret;
558}
559
560STACK_OF(OPENSSL_STRING) *
561X509_get1_ocsp(X509 *x)
562{
563 AUTHORITY_INFO_ACCESS *info;
564 STACK_OF(OPENSSL_STRING) *ret = NULL;
565 int i;
566
567 info = X509_get_ext_d2i(x, NID_info_access, NULL, NULL);
568 if (!info)
569 return NULL;
570 for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
571 ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i);
572 if (OBJ_obj2nid(ad->method) == NID_ad_OCSP) {
573 if (ad->location->type == GEN_URI) {
574 if (!append_ia5(&ret,
575 ad->location->d.uniformResourceIdentifier))
576 break;
577 }
578 }
579 }
580 AUTHORITY_INFO_ACCESS_free(info);
581 return ret;
582}
583
584STACK_OF(OPENSSL_STRING) *
585X509_REQ_get1_email(X509_REQ *x)
586{
587 GENERAL_NAMES *gens;
588 STACK_OF(X509_EXTENSION) *exts;
589 STACK_OF(OPENSSL_STRING) *ret;
590
591 exts = X509_REQ_get_extensions(x);
592 gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL);
593 ret = get_email(X509_REQ_get_subject_name(x), gens);
594 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
595 sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
596 return ret;
597}
598
599
600static STACK_OF(OPENSSL_STRING) *
601get_email(X509_NAME *name, GENERAL_NAMES *gens)
602{
603 STACK_OF(OPENSSL_STRING) *ret = NULL;
604 X509_NAME_ENTRY *ne;
605 ASN1_IA5STRING *email;
606 GENERAL_NAME *gen;
607 int i;
608
609 /* Now add any email address(es) to STACK */
610 i = -1;
611
612 /* First supplied X509_NAME */
613 while ((i = X509_NAME_get_index_by_NID(name,
614 NID_pkcs9_emailAddress, i)) >= 0) {
615 ne = X509_NAME_get_entry(name, i);
616 email = X509_NAME_ENTRY_get_data(ne);
617 if (!append_ia5(&ret, email))
618 return NULL;
619 }
620 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
621 gen = sk_GENERAL_NAME_value(gens, i);
622 if (gen->type != GEN_EMAIL)
623 continue;
624 if (!append_ia5(&ret, gen->d.ia5))
625 return NULL;
626 }
627 return ret;
628}
629
630static void
631str_free(OPENSSL_STRING str)
632{
633 free(str);
634}
635
636static int
637append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email)
638{
639 char *emtmp;
640
641 /* First some sanity checks */
642 if (email->type != V_ASN1_IA5STRING)
643 return 1;
644 if (!email->data || !email->length)
645 return 1;
646 if (!*sk)
647 *sk = sk_OPENSSL_STRING_new(sk_strcmp);
648 if (!*sk)
649 return 0;
650 /* Don't add duplicates */
651 if (sk_OPENSSL_STRING_find(*sk, (char *)email->data) != -1)
652 return 1;
653 emtmp = strdup((char *)email->data);
654 if (!emtmp || !sk_OPENSSL_STRING_push(*sk, emtmp)) {
655 X509_email_free(*sk);
656 *sk = NULL;
657 return 0;
658 }
659 return 1;
660}
661
662void
663X509_email_free(STACK_OF(OPENSSL_STRING) *sk)
664{
665 sk_OPENSSL_STRING_pop_free(sk, str_free);
666}
667
668typedef int (*equal_fn)(const unsigned char *pattern, size_t pattern_len,
669 const unsigned char *subject, size_t subject_len, unsigned int flags);
670
671/* Skip pattern prefix to match "wildcard" subject */
672static void
673skip_prefix(const unsigned char **p, size_t *plen, const unsigned char *subject,
674 size_t subject_len, unsigned int flags)
675{
676 const unsigned char *pattern = *p;
677 size_t pattern_len = *plen;
678
679 /*
680 * If subject starts with a leading '.' followed by more octets, and
681 * pattern is longer, compare just an equal-length suffix with the
682 * full subject (starting at the '.'), provided the prefix contains
683 * no NULs.
684 */
685 if ((flags & _X509_CHECK_FLAG_DOT_SUBDOMAINS) == 0)
686 return;
687
688 while (pattern_len > subject_len && *pattern) {
689 if ((flags & X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS) &&
690 *pattern == '.')
691 break;
692 ++pattern;
693 --pattern_len;
694 }
695
696 /* Skip if entire prefix acceptable */
697 if (pattern_len == subject_len) {
698 *p = pattern;
699 *plen = pattern_len;
700 }
701}
702
703/*
704 * Open/BoringSSL uses memcmp for "equal_case" while their
705 * "equal_nocase" function is a hand-rolled strncasecmp that does not
706 * allow \0 in the pattern. Since an embedded \0 is likely a sign of
707 * problems, we simply don't allow it in either case, and then we use
708 * standard libc funcitons.
709 */
710
711/* Compare using strncasecmp */
712static int
713equal_nocase(const unsigned char *pattern, size_t pattern_len,
714 const unsigned char *subject, size_t subject_len, unsigned int flags)
715{
716 if (memchr(pattern, '\0', pattern_len) != NULL)
717 return 0;
718 if (memchr(subject, '\0', subject_len) != NULL)
719 return 0;
720 skip_prefix(&pattern, &pattern_len, subject, subject_len, flags);
721 if (pattern_len != subject_len)
722 return 0;
723 return (strncasecmp(pattern, subject, pattern_len) == 0);
724}
725
726/* Compare using strncmp. */
727static int
728equal_case(const unsigned char *pattern, size_t pattern_len,
729 const unsigned char *subject, size_t subject_len, unsigned int flags)
730{
731 if (memchr(pattern, 0, pattern_len) != NULL)
732 return 0;
733 if (memchr(subject, 0, subject_len) != NULL)
734 return 0;
735 skip_prefix(&pattern, &pattern_len, subject, subject_len, flags);
736 if (pattern_len != subject_len)
737 return 0;
738 return (strncmp(pattern, subject, pattern_len) == 0);
739}
740
741/*
742 * RFC 5280, section 7.5, requires that only the domain is compared in a
743 * case-insensitive manner.
744 */
745static int
746equal_email(const unsigned char *a, size_t a_len, const unsigned char *b,
747 size_t b_len, unsigned int unused_flags)
748{
749 size_t pos = a_len;
750 if (a_len != b_len)
751 return 0;
752 /*
753 * We search backwards for the '@' character, so that we do not have to
754 * deal with quoted local-parts. The domain part is compared in a
755 * case-insensitive manner.
756 */
757 while (pos > 0) {
758 pos--;
759 if (a[pos] == '@' || b[pos] == '@') {
760 if (!equal_nocase(a + pos, a_len - pos, b + pos,
761 a_len - pos, 0))
762 return 0;
763 break;
764 }
765 }
766 if (pos == 0)
767 pos = a_len;
768 return equal_case(a, pos, b, pos, 0);
769}
770
771/*
772 * Compare the prefix and suffix with the subject, and check that the
773 * characters in-between are valid.
774 */
775static int
776wildcard_match(const unsigned char *prefix, size_t prefix_len,
777 const unsigned char *suffix, size_t suffix_len,
778 const unsigned char *subject, size_t subject_len, unsigned int flags)
779{
780 const unsigned char *wildcard_start;
781 const unsigned char *wildcard_end;
782 const unsigned char *p;
783 int allow_multi = 0;
784 int allow_idna = 0;
785
786 if (subject_len < prefix_len + suffix_len)
787 return 0;
788 if (!equal_nocase(prefix, prefix_len, subject, prefix_len, flags))
789 return 0;
790 wildcard_start = subject + prefix_len;
791 wildcard_end = subject + (subject_len - suffix_len);
792 if (!equal_nocase(wildcard_end, suffix_len, suffix, suffix_len, flags))
793 return 0;
794 /*
795 * If the wildcard makes up the entire first label, it must match at
796 * least one character.
797 */
798 if (prefix_len == 0 && *suffix == '.') {
799 if (wildcard_start == wildcard_end)
800 return 0;
801 allow_idna = 1;
802 if (flags & X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS)
803 allow_multi = 1;
804 }
805 /* IDNA labels cannot match partial wildcards */
806 if (!allow_idna &&
807 subject_len >= 4
808 && strncasecmp((char *)subject, "xn--", 4) == 0)
809 return 0;
810 /* The wildcard may match a literal '*' */
811 if (wildcard_end == wildcard_start + 1 && *wildcard_start == '*')
812 return 1;
813 /*
814 * Check that the part matched by the wildcard contains only
815 * permitted characters and only matches a single label unless
816 * allow_multi is set.
817 */
818 for (p = wildcard_start; p != wildcard_end; ++p)
819 if (!(('0' <= *p && *p <= '9') || ('A' <= *p && *p <= 'Z') ||
820 ('a' <= *p && *p <= 'z') || *p == '-' ||
821 (allow_multi && *p == '.')))
822 return 0;
823 return 1;
824}
825
826#define LABEL_START (1 << 0)
827#define LABEL_END (1 << 1)
828#define LABEL_HYPHEN (1 << 2)
829#define LABEL_IDNA (1 << 3)
830
831static const unsigned char *
832valid_star(const unsigned char *p, size_t len, unsigned int flags)
833{
834 const unsigned char *star = 0;
835 size_t i;
836 int state = LABEL_START;
837 int dots = 0;
838 for (i = 0; i < len; ++i) {
839 /*
840 * Locate first and only legal wildcard, either at the start
841 * or end of a non-IDNA first and not final label.
842 */
843 if (p[i] == '*') {
844 int atstart = (state & LABEL_START);
845 int atend = (i == len - 1 || p[i + 1] == '.');
846 /*
847 * At most one wildcard per pattern.
848 * No wildcards in IDNA labels.
849 * No wildcards after the first label.
850 */
851 if (star != NULL || (state & LABEL_IDNA) != 0 || dots)
852 return NULL;
853 /* Only full-label '*.example.com' wildcards? */
854 if ((flags & X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS)
855 && (!atstart || !atend))
856 return NULL;
857 /* No 'foo*bar' wildcards */
858 if (!atstart && !atend)
859 return NULL;
860 star = &p[i];
861 state &= ~LABEL_START;
862 } else if ((state & LABEL_START) != 0) {
863 /*
864 * At the start of a label, skip any "xn--" and
865 * remain in the LABEL_START state, but set the
866 * IDNA label state
867 */
868 if ((state & LABEL_IDNA) == 0 && len - i >= 4
869 && strncasecmp((char *)&p[i], "xn--", 4) == 0) {
870 i += 3;
871 state |= LABEL_IDNA;
872 continue;
873 }
874 /* Labels must start with a letter or digit */
875 state &= ~LABEL_START;
876 if (('a' <= p[i] && p[i] <= 'z')
877 || ('A' <= p[i] && p[i] <= 'Z')
878 || ('0' <= p[i] && p[i] <= '9'))
879 continue;
880 return NULL;
881 } else if (('a' <= p[i] && p[i] <= 'z')
882 || ('A' <= p[i] && p[i] <= 'Z')
883 || ('0' <= p[i] && p[i] <= '9')) {
884 state &= LABEL_IDNA;
885 continue;
886 } else if (p[i] == '.') {
887 if (state & (LABEL_HYPHEN | LABEL_START))
888 return NULL;
889 state = LABEL_START;
890 ++dots;
891 } else if (p[i] == '-') {
892 /* no domain/subdomain starts with '-' */
893 if ((state & LABEL_START) != 0)
894 return NULL;
895 state |= LABEL_HYPHEN;
896 } else
897 return NULL;
898 }
899
900 /*
901 * The final label must not end in a hyphen or ".", and
902 * there must be at least two dots after the star.
903 */
904 if ((state & (LABEL_START | LABEL_HYPHEN)) != 0 || dots < 2)
905 return NULL;
906 return star;
907}
908
909/* Compare using wildcards. */
910static int
911equal_wildcard(const unsigned char *pattern, size_t pattern_len,
912 const unsigned char *subject, size_t subject_len, unsigned int flags)
913{
914 const unsigned char *star = NULL;
915
916 /*
917 * Subject names starting with '.' can only match a wildcard pattern
918 * via a subject sub-domain pattern suffix match.
919 */
920 if (!(subject_len > 1 && subject[0] == '.'))
921 star = valid_star(pattern, pattern_len, flags);
922 if (star == NULL)
923 return equal_nocase(pattern, pattern_len,
924 subject, subject_len, flags);
925 return wildcard_match(pattern, star - pattern,
926 star + 1, (pattern + pattern_len) - star - 1,
927 subject, subject_len, flags);
928}
929
930/*
931 * Compare an ASN1_STRING to a supplied string. If they match return 1. If
932 * cmp_type > 0 only compare if string matches the type, otherwise convert it
933 * to UTF8.
934 */
935
936static int
937do_check_string(ASN1_STRING *a, int cmp_type, equal_fn equal,
938 unsigned int flags, const char *b, size_t blen, char **peername)
939{
940 int rv = 0;
941
942 if (!a->data || !a->length)
943 return 0;
944 if (cmp_type > 0) {
945 if (cmp_type != a->type)
946 return 0;
947 if (cmp_type == V_ASN1_IA5STRING)
948 rv = equal(a->data, a->length, (unsigned char *)b,
949 blen, flags);
950 else if (a->length == (int)blen && !memcmp(a->data, b, blen))
951 rv = 1;
952 if (rv > 0 && peername &&
953 (*peername = strndup((char *)a->data, a->length)) == NULL)
954 rv = -1;
955 } else {
956 int astrlen;
957 unsigned char *astr;
958 astrlen = ASN1_STRING_to_UTF8(&astr, a);
959 if (astrlen < 0)
960 return -1;
961 rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);
962 if (rv > 0 && peername &&
963 (*peername = strndup((char *)astr, astrlen)) == NULL)
964 rv = -1;
965 free(astr);
966 }
967 return rv;
968}
969
970static int
971do_x509_check(X509 *x, const char *chk, size_t chklen, unsigned int flags,
972 int check_type, char **peername)
973{
974 GENERAL_NAMES *gens = NULL;
975 X509_NAME *name = NULL;
976 size_t i;
977 int j;
978 int cnid = NID_undef;
979 int alt_type;
980 int san_present = 0;
981 int rv = 0;
982 equal_fn equal;
983
984 /* See below, this flag is internal-only */
985 flags &= ~_X509_CHECK_FLAG_DOT_SUBDOMAINS;
986 if (check_type == GEN_EMAIL) {
987 cnid = NID_pkcs9_emailAddress;
988 alt_type = V_ASN1_IA5STRING;
989 equal = equal_email;
990 } else if (check_type == GEN_DNS) {
991 cnid = NID_commonName;
992 /* Implicit client-side DNS sub-domain pattern */
993 if (chklen > 1 && chk[0] == '.')
994 flags |= _X509_CHECK_FLAG_DOT_SUBDOMAINS;
995 alt_type = V_ASN1_IA5STRING;
996 if (flags & X509_CHECK_FLAG_NO_WILDCARDS)
997 equal = equal_nocase;
998 else
999 equal = equal_wildcard;
1000 } else {
1001 alt_type = V_ASN1_OCTET_STRING;
1002 equal = equal_case;
1003 }
1004
1005 gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
1006 if (gens != NULL) {
1007 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
1008 GENERAL_NAME *gen;
1009 ASN1_STRING *cstr;
1010 gen = sk_GENERAL_NAME_value(gens, i);
1011 if (gen->type != check_type)
1012 continue;
1013 san_present = 1;
1014 if (check_type == GEN_EMAIL)
1015 cstr = gen->d.rfc822Name;
1016 else if (check_type == GEN_DNS)
1017 cstr = gen->d.dNSName;
1018 else
1019 cstr = gen->d.iPAddress;
1020 /* Positive on success, negative on error! */
1021 if ((rv = do_check_string(cstr, alt_type, equal, flags,
1022 chk, chklen, peername)) != 0)
1023 break;
1024 }
1025 GENERAL_NAMES_free(gens);
1026 if (rv != 0)
1027 return rv;
1028 if (cnid == NID_undef ||
1029 (san_present &&
1030 !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT)))
1031 return 0;
1032 }
1033
1034 /* We're done if CN-ID is not pertinent */
1035 if (cnid == NID_undef)
1036 return 0;
1037
1038 j = -1;
1039 name = X509_get_subject_name(x);
1040 while ((j = X509_NAME_get_index_by_NID(name, cnid, j)) >= 0) {
1041 X509_NAME_ENTRY *ne;
1042 ASN1_STRING *str;
1043 if ((ne = X509_NAME_get_entry(name, j)) == NULL)
1044 return -1;
1045 if ((str = X509_NAME_ENTRY_get_data(ne)) == NULL)
1046 return -1;
1047 /* Positive on success, negative on error! */
1048 if ((rv = do_check_string(str, -1, equal, flags,
1049 chk, chklen, peername)) != 0)
1050 return rv;
1051 }
1052 return 0;
1053}
1054
1055int
1056X509_check_host(X509 *x, const char *chk, size_t chklen, unsigned int flags,
1057 char **peername)
1058{
1059 if (chk == NULL)
1060 return -2;
1061 if (chklen == 0)
1062 chklen = strlen(chk);
1063 else if (memchr(chk, '\0', chklen))
1064 return -2;
1065 return do_x509_check(x, chk, chklen, flags, GEN_DNS, peername);
1066}
1067
1068int
1069X509_check_email(X509 *x, const char *chk, size_t chklen, unsigned int flags)
1070{
1071 if (chk == NULL)
1072 return -2;
1073 if (chklen == 0)
1074 chklen = strlen(chk);
1075 else if (memchr(chk, '\0', chklen))
1076 return -2;
1077 return do_x509_check(x, chk, chklen, flags, GEN_EMAIL, NULL);
1078}
1079
1080int
1081X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
1082 unsigned int flags)
1083{
1084 if (chk == NULL)
1085 return -2;
1086 return do_x509_check(x, (char *)chk, chklen, flags, GEN_IPADD, NULL);
1087}
1088
1089int
1090X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags)
1091{
1092 unsigned char ipout[16];
1093 size_t iplen;
1094
1095 if (ipasc == NULL)
1096 return -2;
1097 iplen = (size_t)a2i_ipadd(ipout, ipasc);
1098 if (iplen == 0)
1099 return -2;
1100 return do_x509_check(x, (char *)ipout, iplen, flags, GEN_IPADD, NULL);
1101}
1102
1103/* Convert IP addresses both IPv4 and IPv6 into an
1104 * OCTET STRING compatible with RFC3280.
1105 */
1106
1107ASN1_OCTET_STRING *
1108a2i_IPADDRESS(const char *ipasc)
1109{
1110 unsigned char ipout[16];
1111 ASN1_OCTET_STRING *ret;
1112 int iplen;
1113
1114 /* If string contains a ':' assume IPv6 */
1115
1116 iplen = a2i_ipadd(ipout, ipasc);
1117
1118 if (!iplen)
1119 return NULL;
1120
1121 ret = ASN1_OCTET_STRING_new();
1122 if (!ret)
1123 return NULL;
1124 if (!ASN1_OCTET_STRING_set(ret, ipout, iplen)) {
1125 ASN1_OCTET_STRING_free(ret);
1126 return NULL;
1127 }
1128 return ret;
1129}
1130
1131ASN1_OCTET_STRING *
1132a2i_IPADDRESS_NC(const char *ipasc)
1133{
1134 ASN1_OCTET_STRING *ret = NULL;
1135 unsigned char ipout[32];
1136 char *iptmp = NULL, *p;
1137 int iplen1, iplen2;
1138
1139 p = strchr(ipasc, '/');
1140 if (!p)
1141 return NULL;
1142 iptmp = strdup(ipasc);
1143 if (!iptmp)
1144 return NULL;
1145 p = iptmp + (p - ipasc);
1146 *p++ = 0;
1147
1148 iplen1 = a2i_ipadd(ipout, iptmp);
1149
1150 if (!iplen1)
1151 goto err;
1152
1153 iplen2 = a2i_ipadd(ipout + iplen1, p);
1154
1155 free(iptmp);
1156 iptmp = NULL;
1157
1158 if (!iplen2 || (iplen1 != iplen2))
1159 goto err;
1160
1161 ret = ASN1_OCTET_STRING_new();
1162 if (!ret)
1163 goto err;
1164 if (!ASN1_OCTET_STRING_set(ret, ipout, iplen1 + iplen2))
1165 goto err;
1166
1167 return ret;
1168
1169 err:
1170 free(iptmp);
1171 if (ret)
1172 ASN1_OCTET_STRING_free(ret);
1173 return NULL;
1174}
1175
1176
1177int
1178a2i_ipadd(unsigned char *ipout, const char *ipasc)
1179{
1180 /* If string contains a ':' assume IPv6 */
1181
1182 if (strchr(ipasc, ':')) {
1183 if (!ipv6_from_asc(ipout, ipasc))
1184 return 0;
1185 return 16;
1186 } else {
1187 if (!ipv4_from_asc(ipout, ipasc))
1188 return 0;
1189 return 4;
1190 }
1191}
1192
1193static int
1194ipv4_from_asc(unsigned char *v4, const char *in)
1195{
1196 int a0, a1, a2, a3;
1197 if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4)
1198 return 0;
1199 if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255) ||
1200 (a2 < 0) || (a2 > 255) || (a3 < 0) || (a3 > 255))
1201 return 0;
1202 v4[0] = a0;
1203 v4[1] = a1;
1204 v4[2] = a2;
1205 v4[3] = a3;
1206 return 1;
1207}
1208
1209typedef struct {
1210 /* Temporary store for IPV6 output */
1211 unsigned char tmp[16];
1212 /* Total number of bytes in tmp */
1213 int total;
1214 /* The position of a zero (corresponding to '::') */
1215 int zero_pos;
1216 /* Number of zeroes */
1217 int zero_cnt;
1218} IPV6_STAT;
1219
1220
1221static int
1222ipv6_from_asc(unsigned char *v6, const char *in)
1223{
1224 IPV6_STAT v6stat;
1225
1226 v6stat.total = 0;
1227 v6stat.zero_pos = -1;
1228 v6stat.zero_cnt = 0;
1229
1230 /* Treat the IPv6 representation as a list of values
1231 * separated by ':'. The presence of a '::' will parse
1232 * as one, two or three zero length elements.
1233 */
1234 if (!CONF_parse_list(in, ':', 0, ipv6_cb, &v6stat))
1235 return 0;
1236
1237 /* Now for some sanity checks */
1238
1239 if (v6stat.zero_pos == -1) {
1240 /* If no '::' must have exactly 16 bytes */
1241 if (v6stat.total != 16)
1242 return 0;
1243 } else {
1244 /* If '::' must have less than 16 bytes */
1245 if (v6stat.total == 16)
1246 return 0;
1247 /* More than three zeroes is an error */
1248 if (v6stat.zero_cnt > 3)
1249 return 0;
1250 /* Can only have three zeroes if nothing else present */
1251 else if (v6stat.zero_cnt == 3) {
1252 if (v6stat.total > 0)
1253 return 0;
1254 }
1255 /* Can only have two zeroes if at start or end */
1256 else if (v6stat.zero_cnt == 2) {
1257 if ((v6stat.zero_pos != 0) &&
1258 (v6stat.zero_pos != v6stat.total))
1259 return 0;
1260 } else
1261 /* Can only have one zero if *not* start or end */
1262 {
1263 if ((v6stat.zero_pos == 0) ||
1264 (v6stat.zero_pos == v6stat.total))
1265 return 0;
1266 }
1267 }
1268
1269 /* Format result */
1270
1271 if (v6stat.zero_pos >= 0) {
1272 /* Copy initial part */
1273 memcpy(v6, v6stat.tmp, v6stat.zero_pos);
1274 /* Zero middle */
1275 memset(v6 + v6stat.zero_pos, 0, 16 - v6stat.total);
1276 /* Copy final part */
1277 if (v6stat.total != v6stat.zero_pos)
1278 memcpy(v6 + v6stat.zero_pos + 16 - v6stat.total,
1279 v6stat.tmp + v6stat.zero_pos,
1280 v6stat.total - v6stat.zero_pos);
1281 } else
1282 memcpy(v6, v6stat.tmp, 16);
1283
1284 return 1;
1285}
1286
1287static int
1288ipv6_cb(const char *elem, int len, void *usr)
1289{
1290 IPV6_STAT *s = usr;
1291
1292 /* Error if 16 bytes written */
1293 if (s->total == 16)
1294 return 0;
1295 if (len == 0) {
1296 /* Zero length element, corresponds to '::' */
1297 if (s->zero_pos == -1)
1298 s->zero_pos = s->total;
1299 /* If we've already got a :: its an error */
1300 else if (s->zero_pos != s->total)
1301 return 0;
1302 s->zero_cnt++;
1303 } else {
1304 /* If more than 4 characters could be final a.b.c.d form */
1305 if (len > 4) {
1306 /* Need at least 4 bytes left */
1307 if (s->total > 12)
1308 return 0;
1309 /* Must be end of string */
1310 if (elem[len])
1311 return 0;
1312 if (!ipv4_from_asc(s->tmp + s->total, elem))
1313 return 0;
1314 s->total += 4;
1315 } else {
1316 if (!ipv6_hex(s->tmp + s->total, elem, len))
1317 return 0;
1318 s->total += 2;
1319 }
1320 }
1321 return 1;
1322}
1323
1324/* Convert a string of up to 4 hex digits into the corresponding
1325 * IPv6 form.
1326 */
1327
1328static int
1329ipv6_hex(unsigned char *out, const char *in, int inlen)
1330{
1331 unsigned char c;
1332 unsigned int num = 0;
1333
1334 if (inlen > 4)
1335 return 0;
1336 while (inlen--) {
1337 c = *in++;
1338 num <<= 4;
1339 if ((c >= '0') && (c <= '9'))
1340 num |= c - '0';
1341 else if ((c >= 'A') && (c <= 'F'))
1342 num |= c - 'A' + 10;
1343 else if ((c >= 'a') && (c <= 'f'))
1344 num |= c - 'a' + 10;
1345 else
1346 return 0;
1347 }
1348 out[0] = num >> 8;
1349 out[1] = num & 0xff;
1350 return 1;
1351}
1352
1353int
1354X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
1355 unsigned long chtype)
1356{
1357 CONF_VALUE *v;
1358 int i, mval;
1359 char *p, *type;
1360
1361 if (!nm)
1362 return 0;
1363
1364 for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
1365 v = sk_CONF_VALUE_value(dn_sk, i);
1366 type = v->name;
1367 /* Skip past any leading X. X: X, etc to allow for
1368 * multiple instances
1369 */
1370 for (p = type; *p; p++)
1371 if ((*p == ':') || (*p == ',') || (*p == '.')) {
1372 p++;
1373 if (*p)
1374 type = p;
1375 break;
1376 }
1377 if (*type == '+') {
1378 mval = -1;
1379 type++;
1380 } else
1381 mval = 0;
1382 if (!X509_NAME_add_entry_by_txt(nm, type, chtype,
1383 (unsigned char *) v->value, -1, -1, mval))
1384 return 0;
1385 }
1386 return 1;
1387}
diff --git a/src/lib/libcrypto/x509/x509v3.h b/src/lib/libcrypto/x509/x509v3.h
new file mode 100644
index 0000000000..8f7f5c5794
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509v3.h
@@ -0,0 +1,992 @@
1/* $OpenBSD: x509v3.h,v 1.1 2020/06/04 15:19:32 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58#ifndef HEADER_X509V3_H
59#define HEADER_X509V3_H
60
61#include <openssl/opensslconf.h>
62
63#include <openssl/bio.h>
64#include <openssl/x509.h>
65#include <openssl/conf.h>
66
67#ifdef __cplusplus
68extern "C" {
69#endif
70
71/* Forward reference */
72struct v3_ext_method;
73struct v3_ext_ctx;
74
75/* Useful typedefs */
76
77typedef void * (*X509V3_EXT_NEW)(void);
78typedef void (*X509V3_EXT_FREE)(void *);
79typedef void * (*X509V3_EXT_D2I)(void *, const unsigned char ** , long);
80typedef int (*X509V3_EXT_I2D)(void *, unsigned char **);
81typedef STACK_OF(CONF_VALUE) *
82 (*X509V3_EXT_I2V)(const struct v3_ext_method *method, void *ext,
83 STACK_OF(CONF_VALUE) *extlist);
84typedef void * (*X509V3_EXT_V2I)(const struct v3_ext_method *method,
85 struct v3_ext_ctx *ctx,
86 STACK_OF(CONF_VALUE) *values);
87typedef char * (*X509V3_EXT_I2S)(const struct v3_ext_method *method, void *ext);
88typedef void * (*X509V3_EXT_S2I)(const struct v3_ext_method *method,
89 struct v3_ext_ctx *ctx, const char *str);
90typedef int (*X509V3_EXT_I2R)(const struct v3_ext_method *method, void *ext,
91 BIO *out, int indent);
92typedef void * (*X509V3_EXT_R2I)(const struct v3_ext_method *method,
93 struct v3_ext_ctx *ctx, const char *str);
94
95/* V3 extension structure */
96
97struct v3_ext_method {
98int ext_nid;
99int ext_flags;
100/* If this is set the following four fields are ignored */
101ASN1_ITEM_EXP *it;
102/* Old style ASN1 calls */
103X509V3_EXT_NEW ext_new;
104X509V3_EXT_FREE ext_free;
105X509V3_EXT_D2I d2i;
106X509V3_EXT_I2D i2d;
107
108/* The following pair is used for string extensions */
109X509V3_EXT_I2S i2s;
110X509V3_EXT_S2I s2i;
111
112/* The following pair is used for multi-valued extensions */
113X509V3_EXT_I2V i2v;
114X509V3_EXT_V2I v2i;
115
116/* The following are used for raw extensions */
117X509V3_EXT_I2R i2r;
118X509V3_EXT_R2I r2i;
119
120void *usr_data; /* Any extension specific data */
121};
122
123typedef struct X509V3_CONF_METHOD_st {
124char *(*get_string)(void *db, const char *section, const char *value);
125STACK_OF(CONF_VALUE) *(*get_section)(void *db, const char *section);
126void (*free_string)(void *db, char *string);
127void (*free_section)(void *db, STACK_OF(CONF_VALUE) *section);
128} X509V3_CONF_METHOD;
129
130/* Context specific info */
131struct v3_ext_ctx {
132#define CTX_TEST 0x1
133int flags;
134X509 *issuer_cert;
135X509 *subject_cert;
136X509_REQ *subject_req;
137X509_CRL *crl;
138X509V3_CONF_METHOD *db_meth;
139void *db;
140/* Maybe more here */
141};
142
143typedef struct v3_ext_method X509V3_EXT_METHOD;
144
145DECLARE_STACK_OF(X509V3_EXT_METHOD)
146
147/* ext_flags values */
148#define X509V3_EXT_DYNAMIC 0x1
149#define X509V3_EXT_CTX_DEP 0x2
150#define X509V3_EXT_MULTILINE 0x4
151
152typedef BIT_STRING_BITNAME ENUMERATED_NAMES;
153
154typedef struct BASIC_CONSTRAINTS_st {
155int ca;
156ASN1_INTEGER *pathlen;
157} BASIC_CONSTRAINTS;
158
159
160typedef struct PKEY_USAGE_PERIOD_st {
161ASN1_GENERALIZEDTIME *notBefore;
162ASN1_GENERALIZEDTIME *notAfter;
163} PKEY_USAGE_PERIOD;
164
165typedef struct otherName_st {
166ASN1_OBJECT *type_id;
167ASN1_TYPE *value;
168} OTHERNAME;
169
170typedef struct EDIPartyName_st {
171 ASN1_STRING *nameAssigner;
172 ASN1_STRING *partyName;
173} EDIPARTYNAME;
174
175typedef struct GENERAL_NAME_st {
176
177#define GEN_OTHERNAME 0
178#define GEN_EMAIL 1
179#define GEN_DNS 2
180#define GEN_X400 3
181#define GEN_DIRNAME 4
182#define GEN_EDIPARTY 5
183#define GEN_URI 6
184#define GEN_IPADD 7
185#define GEN_RID 8
186
187int type;
188union {
189 char *ptr;
190 OTHERNAME *otherName; /* otherName */
191 ASN1_IA5STRING *rfc822Name;
192 ASN1_IA5STRING *dNSName;
193 ASN1_TYPE *x400Address;
194 X509_NAME *directoryName;
195 EDIPARTYNAME *ediPartyName;
196 ASN1_IA5STRING *uniformResourceIdentifier;
197 ASN1_OCTET_STRING *iPAddress;
198 ASN1_OBJECT *registeredID;
199
200 /* Old names */
201 ASN1_OCTET_STRING *ip; /* iPAddress */
202 X509_NAME *dirn; /* dirn */
203 ASN1_IA5STRING *ia5;/* rfc822Name, dNSName, uniformResourceIdentifier */
204 ASN1_OBJECT *rid; /* registeredID */
205 ASN1_TYPE *other; /* x400Address */
206} d;
207} GENERAL_NAME;
208
209typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
210
211typedef struct ACCESS_DESCRIPTION_st {
212 ASN1_OBJECT *method;
213 GENERAL_NAME *location;
214} ACCESS_DESCRIPTION;
215
216typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
217
218typedef STACK_OF(ASN1_OBJECT) EXTENDED_KEY_USAGE;
219
220DECLARE_STACK_OF(GENERAL_NAME)
221
222DECLARE_STACK_OF(ACCESS_DESCRIPTION)
223
224typedef struct DIST_POINT_NAME_st {
225int type;
226union {
227 GENERAL_NAMES *fullname;
228 STACK_OF(X509_NAME_ENTRY) *relativename;
229} name;
230/* If relativename then this contains the full distribution point name */
231X509_NAME *dpname;
232} DIST_POINT_NAME;
233/* All existing reasons */
234#define CRLDP_ALL_REASONS 0x807f
235
236#define CRL_REASON_NONE -1
237#define CRL_REASON_UNSPECIFIED 0
238#define CRL_REASON_KEY_COMPROMISE 1
239#define CRL_REASON_CA_COMPROMISE 2
240#define CRL_REASON_AFFILIATION_CHANGED 3
241#define CRL_REASON_SUPERSEDED 4
242#define CRL_REASON_CESSATION_OF_OPERATION 5
243#define CRL_REASON_CERTIFICATE_HOLD 6
244#define CRL_REASON_REMOVE_FROM_CRL 8
245#define CRL_REASON_PRIVILEGE_WITHDRAWN 9
246#define CRL_REASON_AA_COMPROMISE 10
247
248struct DIST_POINT_st {
249DIST_POINT_NAME *distpoint;
250ASN1_BIT_STRING *reasons;
251GENERAL_NAMES *CRLissuer;
252int dp_reasons;
253};
254
255typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS;
256
257DECLARE_STACK_OF(DIST_POINT)
258
259struct AUTHORITY_KEYID_st {
260ASN1_OCTET_STRING *keyid;
261GENERAL_NAMES *issuer;
262ASN1_INTEGER *serial;
263};
264
265/* Strong extranet structures */
266
267typedef struct SXNET_ID_st {
268 ASN1_INTEGER *zone;
269 ASN1_OCTET_STRING *user;
270} SXNETID;
271
272DECLARE_STACK_OF(SXNETID)
273
274typedef struct SXNET_st {
275 ASN1_INTEGER *version;
276 STACK_OF(SXNETID) *ids;
277} SXNET;
278
279typedef struct NOTICEREF_st {
280 ASN1_STRING *organization;
281 STACK_OF(ASN1_INTEGER) *noticenos;
282} NOTICEREF;
283
284typedef struct USERNOTICE_st {
285 NOTICEREF *noticeref;
286 ASN1_STRING *exptext;
287} USERNOTICE;
288
289typedef struct POLICYQUALINFO_st {
290 ASN1_OBJECT *pqualid;
291 union {
292 ASN1_IA5STRING *cpsuri;
293 USERNOTICE *usernotice;
294 ASN1_TYPE *other;
295 } d;
296} POLICYQUALINFO;
297
298DECLARE_STACK_OF(POLICYQUALINFO)
299
300typedef struct POLICYINFO_st {
301 ASN1_OBJECT *policyid;
302 STACK_OF(POLICYQUALINFO) *qualifiers;
303} POLICYINFO;
304
305typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES;
306
307DECLARE_STACK_OF(POLICYINFO)
308
309typedef struct POLICY_MAPPING_st {
310 ASN1_OBJECT *issuerDomainPolicy;
311 ASN1_OBJECT *subjectDomainPolicy;
312} POLICY_MAPPING;
313
314DECLARE_STACK_OF(POLICY_MAPPING)
315
316typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS;
317
318typedef struct GENERAL_SUBTREE_st {
319 GENERAL_NAME *base;
320 ASN1_INTEGER *minimum;
321 ASN1_INTEGER *maximum;
322} GENERAL_SUBTREE;
323
324DECLARE_STACK_OF(GENERAL_SUBTREE)
325
326struct NAME_CONSTRAINTS_st {
327 STACK_OF(GENERAL_SUBTREE) *permittedSubtrees;
328 STACK_OF(GENERAL_SUBTREE) *excludedSubtrees;
329};
330
331typedef struct POLICY_CONSTRAINTS_st {
332 ASN1_INTEGER *requireExplicitPolicy;
333 ASN1_INTEGER *inhibitPolicyMapping;
334} POLICY_CONSTRAINTS;
335
336/* Proxy certificate structures, see RFC 3820 */
337typedef struct PROXY_POLICY_st
338 {
339 ASN1_OBJECT *policyLanguage;
340 ASN1_OCTET_STRING *policy;
341 } PROXY_POLICY;
342
343typedef struct PROXY_CERT_INFO_EXTENSION_st
344 {
345 ASN1_INTEGER *pcPathLengthConstraint;
346 PROXY_POLICY *proxyPolicy;
347 } PROXY_CERT_INFO_EXTENSION;
348
349PROXY_POLICY *PROXY_POLICY_new(void);
350void PROXY_POLICY_free(PROXY_POLICY *a);
351PROXY_POLICY *d2i_PROXY_POLICY(PROXY_POLICY **a, const unsigned char **in, long len);
352int i2d_PROXY_POLICY(PROXY_POLICY *a, unsigned char **out);
353extern const ASN1_ITEM PROXY_POLICY_it;
354PROXY_CERT_INFO_EXTENSION *PROXY_CERT_INFO_EXTENSION_new(void);
355void PROXY_CERT_INFO_EXTENSION_free(PROXY_CERT_INFO_EXTENSION *a);
356PROXY_CERT_INFO_EXTENSION *d2i_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION **a, const unsigned char **in, long len);
357int i2d_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION *a, unsigned char **out);
358extern const ASN1_ITEM PROXY_CERT_INFO_EXTENSION_it;
359
360struct ISSUING_DIST_POINT_st
361 {
362 DIST_POINT_NAME *distpoint;
363 int onlyuser;
364 int onlyCA;
365 ASN1_BIT_STRING *onlysomereasons;
366 int indirectCRL;
367 int onlyattr;
368 };
369
370/* Values in idp_flags field */
371/* IDP present */
372#define IDP_PRESENT 0x1
373/* IDP values inconsistent */
374#define IDP_INVALID 0x2
375/* onlyuser true */
376#define IDP_ONLYUSER 0x4
377/* onlyCA true */
378#define IDP_ONLYCA 0x8
379/* onlyattr true */
380#define IDP_ONLYATTR 0x10
381/* indirectCRL true */
382#define IDP_INDIRECT 0x20
383/* onlysomereasons present */
384#define IDP_REASONS 0x40
385
386#define X509V3_conf_err(val) ERR_asprintf_error_data( \
387 "section:%s,name:%s,value:%s", val->section, \
388 val->name, val->value);
389
390#define X509V3_set_ctx_test(ctx) \
391 X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, CTX_TEST)
392#define X509V3_set_ctx_nodb(ctx) (ctx)->db = NULL;
393
394#define EXT_BITSTRING(nid, table) { nid, 0, &ASN1_BIT_STRING_it, \
395 0,0,0,0, \
396 0,0, \
397 (X509V3_EXT_I2V)i2v_ASN1_BIT_STRING, \
398 (X509V3_EXT_V2I)v2i_ASN1_BIT_STRING, \
399 NULL, NULL, \
400 table}
401
402#define EXT_IA5STRING(nid) { nid, 0, &ASN1_IA5STRING_it, \
403 0,0,0,0, \
404 (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, \
405 (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, \
406 0,0,0,0, \
407 NULL}
408
409#define EXT_END { -1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
410
411
412/* X509_PURPOSE stuff */
413
414#define EXFLAG_BCONS 0x0001
415#define EXFLAG_KUSAGE 0x0002
416#define EXFLAG_XKUSAGE 0x0004
417#define EXFLAG_NSCERT 0x0008
418
419#define EXFLAG_CA 0x0010
420#define EXFLAG_SI 0x0020 /* Self issued. */
421#define EXFLAG_V1 0x0040
422#define EXFLAG_INVALID 0x0080
423#define EXFLAG_SET 0x0100
424#define EXFLAG_CRITICAL 0x0200
425#define EXFLAG_PROXY 0x0400
426#define EXFLAG_INVALID_POLICY 0x0800
427#define EXFLAG_FRESHEST 0x1000
428#define EXFLAG_SS 0x2000 /* Self signed. */
429
430#define KU_DIGITAL_SIGNATURE 0x0080
431#define KU_NON_REPUDIATION 0x0040
432#define KU_KEY_ENCIPHERMENT 0x0020
433#define KU_DATA_ENCIPHERMENT 0x0010
434#define KU_KEY_AGREEMENT 0x0008
435#define KU_KEY_CERT_SIGN 0x0004
436#define KU_CRL_SIGN 0x0002
437#define KU_ENCIPHER_ONLY 0x0001
438#define KU_DECIPHER_ONLY 0x8000
439
440#define NS_SSL_CLIENT 0x80
441#define NS_SSL_SERVER 0x40
442#define NS_SMIME 0x20
443#define NS_OBJSIGN 0x10
444#define NS_SSL_CA 0x04
445#define NS_SMIME_CA 0x02
446#define NS_OBJSIGN_CA 0x01
447#define NS_ANY_CA (NS_SSL_CA|NS_SMIME_CA|NS_OBJSIGN_CA)
448
449#define XKU_SSL_SERVER 0x1
450#define XKU_SSL_CLIENT 0x2
451#define XKU_SMIME 0x4
452#define XKU_CODE_SIGN 0x8
453#define XKU_SGC 0x10
454#define XKU_OCSP_SIGN 0x20
455#define XKU_TIMESTAMP 0x40
456#define XKU_DVCS 0x80
457
458#define X509_PURPOSE_DYNAMIC 0x1
459#define X509_PURPOSE_DYNAMIC_NAME 0x2
460
461typedef struct x509_purpose_st {
462 int purpose;
463 int trust; /* Default trust ID */
464 int flags;
465 int (*check_purpose)(const struct x509_purpose_st *,
466 const X509 *, int);
467 char *name;
468 char *sname;
469 void *usr_data;
470} X509_PURPOSE;
471
472#define X509_PURPOSE_SSL_CLIENT 1
473#define X509_PURPOSE_SSL_SERVER 2
474#define X509_PURPOSE_NS_SSL_SERVER 3
475#define X509_PURPOSE_SMIME_SIGN 4
476#define X509_PURPOSE_SMIME_ENCRYPT 5
477#define X509_PURPOSE_CRL_SIGN 6
478#define X509_PURPOSE_ANY 7
479#define X509_PURPOSE_OCSP_HELPER 8
480#define X509_PURPOSE_TIMESTAMP_SIGN 9
481
482#define X509_PURPOSE_MIN 1
483#define X509_PURPOSE_MAX 9
484
485/* Flags for X509V3_EXT_print() */
486
487#define X509V3_EXT_UNKNOWN_MASK (0xfL << 16)
488/* Return error for unknown extensions */
489#define X509V3_EXT_DEFAULT 0
490/* Print error for unknown extensions */
491#define X509V3_EXT_ERROR_UNKNOWN (1L << 16)
492/* ASN1 parse unknown extensions */
493#define X509V3_EXT_PARSE_UNKNOWN (2L << 16)
494/* BIO_dump unknown extensions */
495#define X509V3_EXT_DUMP_UNKNOWN (3L << 16)
496
497/* Flags for X509V3_add1_i2d */
498
499#define X509V3_ADD_OP_MASK 0xfL
500#define X509V3_ADD_DEFAULT 0L
501#define X509V3_ADD_APPEND 1L
502#define X509V3_ADD_REPLACE 2L
503#define X509V3_ADD_REPLACE_EXISTING 3L
504#define X509V3_ADD_KEEP_EXISTING 4L
505#define X509V3_ADD_DELETE 5L
506#define X509V3_ADD_SILENT 0x10
507
508DECLARE_STACK_OF(X509_PURPOSE)
509
510BASIC_CONSTRAINTS *BASIC_CONSTRAINTS_new(void);
511void BASIC_CONSTRAINTS_free(BASIC_CONSTRAINTS *a);
512BASIC_CONSTRAINTS *d2i_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS **a, const unsigned char **in, long len);
513int i2d_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS *a, unsigned char **out);
514extern const ASN1_ITEM BASIC_CONSTRAINTS_it;
515
516SXNET *SXNET_new(void);
517void SXNET_free(SXNET *a);
518SXNET *d2i_SXNET(SXNET **a, const unsigned char **in, long len);
519int i2d_SXNET(SXNET *a, unsigned char **out);
520extern const ASN1_ITEM SXNET_it;
521SXNETID *SXNETID_new(void);
522void SXNETID_free(SXNETID *a);
523SXNETID *d2i_SXNETID(SXNETID **a, const unsigned char **in, long len);
524int i2d_SXNETID(SXNETID *a, unsigned char **out);
525extern const ASN1_ITEM SXNETID_it;
526
527int SXNET_add_id_asc(SXNET **psx, const char *zone, const char *user,
528 int userlen);
529int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, const char *user,
530 int userlen);
531int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *izone, const char *user,
532 int userlen);
533
534ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, const char *zone);
535ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone);
536ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone);
537
538AUTHORITY_KEYID *AUTHORITY_KEYID_new(void);
539void AUTHORITY_KEYID_free(AUTHORITY_KEYID *a);
540AUTHORITY_KEYID *d2i_AUTHORITY_KEYID(AUTHORITY_KEYID **a, const unsigned char **in, long len);
541int i2d_AUTHORITY_KEYID(AUTHORITY_KEYID *a, unsigned char **out);
542extern const ASN1_ITEM AUTHORITY_KEYID_it;
543
544PKEY_USAGE_PERIOD *PKEY_USAGE_PERIOD_new(void);
545void PKEY_USAGE_PERIOD_free(PKEY_USAGE_PERIOD *a);
546PKEY_USAGE_PERIOD *d2i_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD **a, const unsigned char **in, long len);
547int i2d_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD *a, unsigned char **out);
548extern const ASN1_ITEM PKEY_USAGE_PERIOD_it;
549
550GENERAL_NAME *GENERAL_NAME_new(void);
551void GENERAL_NAME_free(GENERAL_NAME *a);
552GENERAL_NAME *d2i_GENERAL_NAME(GENERAL_NAME **a, const unsigned char **in, long len);
553int i2d_GENERAL_NAME(GENERAL_NAME *a, unsigned char **out);
554extern const ASN1_ITEM GENERAL_NAME_it;
555GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a);
556int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b);
557
558
559
560ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
561 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
562STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
563 ASN1_BIT_STRING *bits,
564 STACK_OF(CONF_VALUE) *extlist);
565
566STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret);
567int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen);
568
569GENERAL_NAMES *GENERAL_NAMES_new(void);
570void GENERAL_NAMES_free(GENERAL_NAMES *a);
571GENERAL_NAMES *d2i_GENERAL_NAMES(GENERAL_NAMES **a, const unsigned char **in, long len);
572int i2d_GENERAL_NAMES(GENERAL_NAMES *a, unsigned char **out);
573extern const ASN1_ITEM GENERAL_NAMES_it;
574
575STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
576 GENERAL_NAMES *gen, STACK_OF(CONF_VALUE) *extlist);
577GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
578 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
579
580OTHERNAME *OTHERNAME_new(void);
581void OTHERNAME_free(OTHERNAME *a);
582OTHERNAME *d2i_OTHERNAME(OTHERNAME **a, const unsigned char **in, long len);
583int i2d_OTHERNAME(OTHERNAME *a, unsigned char **out);
584extern const ASN1_ITEM OTHERNAME_it;
585EDIPARTYNAME *EDIPARTYNAME_new(void);
586void EDIPARTYNAME_free(EDIPARTYNAME *a);
587EDIPARTYNAME *d2i_EDIPARTYNAME(EDIPARTYNAME **a, const unsigned char **in, long len);
588int i2d_EDIPARTYNAME(EDIPARTYNAME *a, unsigned char **out);
589extern const ASN1_ITEM EDIPARTYNAME_it;
590int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b);
591void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value);
592void *GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype);
593int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
594 ASN1_OBJECT *oid, ASN1_TYPE *value);
595int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen,
596 ASN1_OBJECT **poid, ASN1_TYPE **pvalue);
597
598char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
599 const ASN1_OCTET_STRING *ia5);
600ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
601 X509V3_CTX *ctx, const char *str);
602
603EXTENDED_KEY_USAGE *EXTENDED_KEY_USAGE_new(void);
604void EXTENDED_KEY_USAGE_free(EXTENDED_KEY_USAGE *a);
605EXTENDED_KEY_USAGE *d2i_EXTENDED_KEY_USAGE(EXTENDED_KEY_USAGE **a, const unsigned char **in, long len);
606int i2d_EXTENDED_KEY_USAGE(EXTENDED_KEY_USAGE *a, unsigned char **out);
607extern const ASN1_ITEM EXTENDED_KEY_USAGE_it;
608int i2a_ACCESS_DESCRIPTION(BIO *bp, const ACCESS_DESCRIPTION* a);
609
610CERTIFICATEPOLICIES *CERTIFICATEPOLICIES_new(void);
611void CERTIFICATEPOLICIES_free(CERTIFICATEPOLICIES *a);
612CERTIFICATEPOLICIES *d2i_CERTIFICATEPOLICIES(CERTIFICATEPOLICIES **a, const unsigned char **in, long len);
613int i2d_CERTIFICATEPOLICIES(CERTIFICATEPOLICIES *a, unsigned char **out);
614extern const ASN1_ITEM CERTIFICATEPOLICIES_it;
615POLICYINFO *POLICYINFO_new(void);
616void POLICYINFO_free(POLICYINFO *a);
617POLICYINFO *d2i_POLICYINFO(POLICYINFO **a, const unsigned char **in, long len);
618int i2d_POLICYINFO(POLICYINFO *a, unsigned char **out);
619extern const ASN1_ITEM POLICYINFO_it;
620POLICYQUALINFO *POLICYQUALINFO_new(void);
621void POLICYQUALINFO_free(POLICYQUALINFO *a);
622POLICYQUALINFO *d2i_POLICYQUALINFO(POLICYQUALINFO **a, const unsigned char **in, long len);
623int i2d_POLICYQUALINFO(POLICYQUALINFO *a, unsigned char **out);
624extern const ASN1_ITEM POLICYQUALINFO_it;
625USERNOTICE *USERNOTICE_new(void);
626void USERNOTICE_free(USERNOTICE *a);
627USERNOTICE *d2i_USERNOTICE(USERNOTICE **a, const unsigned char **in, long len);
628int i2d_USERNOTICE(USERNOTICE *a, unsigned char **out);
629extern const ASN1_ITEM USERNOTICE_it;
630NOTICEREF *NOTICEREF_new(void);
631void NOTICEREF_free(NOTICEREF *a);
632NOTICEREF *d2i_NOTICEREF(NOTICEREF **a, const unsigned char **in, long len);
633int i2d_NOTICEREF(NOTICEREF *a, unsigned char **out);
634extern const ASN1_ITEM NOTICEREF_it;
635
636CRL_DIST_POINTS *CRL_DIST_POINTS_new(void);
637void CRL_DIST_POINTS_free(CRL_DIST_POINTS *a);
638CRL_DIST_POINTS *d2i_CRL_DIST_POINTS(CRL_DIST_POINTS **a, const unsigned char **in, long len);
639int i2d_CRL_DIST_POINTS(CRL_DIST_POINTS *a, unsigned char **out);
640extern const ASN1_ITEM CRL_DIST_POINTS_it;
641DIST_POINT *DIST_POINT_new(void);
642void DIST_POINT_free(DIST_POINT *a);
643DIST_POINT *d2i_DIST_POINT(DIST_POINT **a, const unsigned char **in, long len);
644int i2d_DIST_POINT(DIST_POINT *a, unsigned char **out);
645extern const ASN1_ITEM DIST_POINT_it;
646DIST_POINT_NAME *DIST_POINT_NAME_new(void);
647void DIST_POINT_NAME_free(DIST_POINT_NAME *a);
648DIST_POINT_NAME *d2i_DIST_POINT_NAME(DIST_POINT_NAME **a, const unsigned char **in, long len);
649int i2d_DIST_POINT_NAME(DIST_POINT_NAME *a, unsigned char **out);
650extern const ASN1_ITEM DIST_POINT_NAME_it;
651ISSUING_DIST_POINT *ISSUING_DIST_POINT_new(void);
652void ISSUING_DIST_POINT_free(ISSUING_DIST_POINT *a);
653ISSUING_DIST_POINT *d2i_ISSUING_DIST_POINT(ISSUING_DIST_POINT **a, const unsigned char **in, long len);
654int i2d_ISSUING_DIST_POINT(ISSUING_DIST_POINT *a, unsigned char **out);
655extern const ASN1_ITEM ISSUING_DIST_POINT_it;
656
657int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname);
658
659int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc);
660
661ACCESS_DESCRIPTION *ACCESS_DESCRIPTION_new(void);
662void ACCESS_DESCRIPTION_free(ACCESS_DESCRIPTION *a);
663ACCESS_DESCRIPTION *d2i_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION **a, const unsigned char **in, long len);
664int i2d_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION *a, unsigned char **out);
665extern const ASN1_ITEM ACCESS_DESCRIPTION_it;
666AUTHORITY_INFO_ACCESS *AUTHORITY_INFO_ACCESS_new(void);
667void AUTHORITY_INFO_ACCESS_free(AUTHORITY_INFO_ACCESS *a);
668AUTHORITY_INFO_ACCESS *d2i_AUTHORITY_INFO_ACCESS(AUTHORITY_INFO_ACCESS **a, const unsigned char **in, long len);
669int i2d_AUTHORITY_INFO_ACCESS(AUTHORITY_INFO_ACCESS *a, unsigned char **out);
670extern const ASN1_ITEM AUTHORITY_INFO_ACCESS_it;
671
672extern const ASN1_ITEM POLICY_MAPPING_it;
673POLICY_MAPPING *POLICY_MAPPING_new(void);
674void POLICY_MAPPING_free(POLICY_MAPPING *a);
675extern const ASN1_ITEM POLICY_MAPPINGS_it;
676
677extern const ASN1_ITEM GENERAL_SUBTREE_it;
678GENERAL_SUBTREE *GENERAL_SUBTREE_new(void);
679void GENERAL_SUBTREE_free(GENERAL_SUBTREE *a);
680
681extern const ASN1_ITEM NAME_CONSTRAINTS_it;
682NAME_CONSTRAINTS *NAME_CONSTRAINTS_new(void);
683void NAME_CONSTRAINTS_free(NAME_CONSTRAINTS *a);
684
685POLICY_CONSTRAINTS *POLICY_CONSTRAINTS_new(void);
686void POLICY_CONSTRAINTS_free(POLICY_CONSTRAINTS *a);
687extern const ASN1_ITEM POLICY_CONSTRAINTS_it;
688
689GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
690 const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
691 int gen_type, const char *value, int is_nc);
692
693#ifdef HEADER_CONF_H
694GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
695 CONF_VALUE *cnf);
696GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
697 const X509V3_EXT_METHOD *method,
698 X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc);
699void X509V3_conf_free(CONF_VALUE *val);
700
701X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
702 const char *value);
703X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name,
704 const char *value);
705int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, const char *section,
706 STACK_OF(X509_EXTENSION) **sk);
707int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
708 X509 *cert);
709int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
710 X509_REQ *req);
711int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
712 X509_CRL *crl);
713
714X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
715 int ext_nid, const char *value);
716X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
717 const char *name, const char *value);
718int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
719 const char *section, X509 *cert);
720int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
721 const char *section, X509_REQ *req);
722int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
723 const char *section, X509_CRL *crl);
724
725int X509V3_add_value_bool_nf(const char *name, int asn1_bool,
726 STACK_OF(CONF_VALUE) **extlist);
727int X509V3_get_value_bool(const CONF_VALUE *value, int *asn1_bool);
728int X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint);
729void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf);
730void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash);
731#endif
732
733char *X509V3_get_string(X509V3_CTX *ctx, const char *name,
734 const char *section);
735STACK_OF(CONF_VALUE) *X509V3_get_section(X509V3_CTX *ctx, const char *section);
736void X509V3_string_free(X509V3_CTX *ctx, char *str);
737void X509V3_section_free( X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section);
738void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject,
739 X509_REQ *req, X509_CRL *crl, int flags);
740
741int X509V3_add_value(const char *name, const char *value,
742 STACK_OF(CONF_VALUE) **extlist);
743int X509V3_add_value_uchar(const char *name, const unsigned char *value,
744 STACK_OF(CONF_VALUE) **extlist);
745int X509V3_add_value_bool(const char *name, int asn1_bool,
746 STACK_OF(CONF_VALUE) **extlist);
747int X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint,
748 STACK_OF(CONF_VALUE) **extlist);
749char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *meth, const ASN1_INTEGER *aint);
750ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *meth, const char *value);
751char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *meth, const ASN1_ENUMERATED *aint);
752char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *meth,
753 const ASN1_ENUMERATED *aint);
754int X509V3_EXT_add(X509V3_EXT_METHOD *ext);
755int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist);
756int X509V3_EXT_add_alias(int nid_to, int nid_from);
757void X509V3_EXT_cleanup(void);
758
759const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext);
760const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
761int X509V3_add_standard_extensions(void);
762STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line);
763void *X509V3_EXT_d2i(X509_EXTENSION *ext);
764void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
765 int *idx);
766
767
768X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
769int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, int crit, unsigned long flags);
770
771char *hex_to_string(const unsigned char *buffer, long len);
772unsigned char *string_to_hex(const char *str, long *len);
773int name_cmp(const char *name, const char *cmp);
774
775void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent,
776 int ml);
777int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent);
778int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
779
780int X509V3_extensions_print(BIO *out, const char *title,
781 const STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent);
782
783int X509_check_ca(X509 *x);
784int X509_check_purpose(X509 *x, int id, int ca);
785int X509_supported_extension(X509_EXTENSION *ex);
786int X509_PURPOSE_set(int *p, int purpose);
787int X509_check_issued(X509 *issuer, X509 *subject);
788int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid);
789int X509_PURPOSE_get_count(void);
790X509_PURPOSE * X509_PURPOSE_get0(int idx);
791int X509_PURPOSE_get_by_sname(const char *sname);
792int X509_PURPOSE_get_by_id(int id);
793int X509_PURPOSE_add(int id, int trust, int flags,
794 int (*ck)(const X509_PURPOSE *, const X509 *, int),
795 const char *name, const char *sname, void *arg);
796char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp);
797char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp);
798int X509_PURPOSE_get_trust(const X509_PURPOSE *xp);
799void X509_PURPOSE_cleanup(void);
800int X509_PURPOSE_get_id(const X509_PURPOSE *);
801
802STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x);
803STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x);
804void X509_email_free(STACK_OF(OPENSSL_STRING) *sk);
805STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
806
807/* Flags for X509_check_* functions */
808/* Always check subject name for host match even if subject alt names present */
809#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT 0x1
810/* Disable wildcard matching for dnsName fields and common name. */
811#define X509_CHECK_FLAG_NO_WILDCARDS 0x2
812/* Wildcards must not match a partial label. */
813#define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0x4
814/* Allow (non-partial) wildcards to match multiple labels. */
815#define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0x8
816/* Constraint verifier subdomain patterns to match a single labels. */
817#define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10
818
819/*
820 * Match reference identifiers starting with "." to any sub-domain.
821 * This is a non-public flag, turned on implicitly when the subject
822 * reference identity is a DNS name.
823 */
824#define _X509_CHECK_FLAG_DOT_SUBDOMAINS 0x8000
825
826int X509_check_host(X509 *x, const char *chk, size_t chklen,
827 unsigned int flags, char **peername);
828int X509_check_email(X509 *x, const char *chk, size_t chklen,
829 unsigned int flags);
830int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
831 unsigned int flags);
832int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags);
833
834ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc);
835ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc);
836int a2i_ipadd(unsigned char *ipout, const char *ipasc);
837int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
838 unsigned long chtype);
839
840void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
841DECLARE_STACK_OF(X509_POLICY_NODE)
842
843
844/* BEGIN ERROR CODES */
845/* The following lines are auto generated by the script mkerr.pl. Any changes
846 * made after this point may be overwritten when the script is next run.
847 */
848void ERR_load_X509V3_strings(void);
849
850/* Error codes for the X509V3 functions. */
851
852/* Function codes. */
853#define X509V3_F_A2I_GENERAL_NAME 164
854#define X509V3_F_ASIDENTIFIERCHOICE_CANONIZE 161
855#define X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL 162
856#define X509V3_F_COPY_EMAIL 122
857#define X509V3_F_COPY_ISSUER 123
858#define X509V3_F_DO_DIRNAME 144
859#define X509V3_F_DO_EXT_CONF 124
860#define X509V3_F_DO_EXT_I2D 135
861#define X509V3_F_DO_EXT_NCONF 151
862#define X509V3_F_DO_I2V_NAME_CONSTRAINTS 148
863#define X509V3_F_GNAMES_FROM_SECTNAME 156
864#define X509V3_F_HEX_TO_STRING 111
865#define X509V3_F_I2S_ASN1_ENUMERATED 121
866#define X509V3_F_I2S_ASN1_IA5STRING 149
867#define X509V3_F_I2S_ASN1_INTEGER 120
868#define X509V3_F_I2V_AUTHORITY_INFO_ACCESS 138
869#define X509V3_F_NOTICE_SECTION 132
870#define X509V3_F_NREF_NOS 133
871#define X509V3_F_POLICY_SECTION 131
872#define X509V3_F_PROCESS_PCI_VALUE 150
873#define X509V3_F_R2I_CERTPOL 130
874#define X509V3_F_R2I_PCI 155
875#define X509V3_F_S2I_ASN1_IA5STRING 100
876#define X509V3_F_S2I_ASN1_INTEGER 108
877#define X509V3_F_S2I_ASN1_OCTET_STRING 112
878#define X509V3_F_S2I_ASN1_SKEY_ID 114
879#define X509V3_F_S2I_SKEY_ID 115
880#define X509V3_F_SET_DIST_POINT_NAME 158
881#define X509V3_F_STRING_TO_HEX 113
882#define X509V3_F_SXNET_ADD_ID_ASC 125
883#define X509V3_F_SXNET_ADD_ID_INTEGER 126
884#define X509V3_F_SXNET_ADD_ID_ULONG 127
885#define X509V3_F_SXNET_GET_ID_ASC 128
886#define X509V3_F_SXNET_GET_ID_ULONG 129
887#define X509V3_F_V2I_ASIDENTIFIERS 163
888#define X509V3_F_V2I_ASN1_BIT_STRING 101
889#define X509V3_F_V2I_AUTHORITY_INFO_ACCESS 139
890#define X509V3_F_V2I_AUTHORITY_KEYID 119
891#define X509V3_F_V2I_BASIC_CONSTRAINTS 102
892#define X509V3_F_V2I_CRLD 134
893#define X509V3_F_V2I_EXTENDED_KEY_USAGE 103
894#define X509V3_F_V2I_GENERAL_NAMES 118
895#define X509V3_F_V2I_GENERAL_NAME_EX 117
896#define X509V3_F_V2I_IDP 157
897#define X509V3_F_V2I_IPADDRBLOCKS 159
898#define X509V3_F_V2I_ISSUER_ALT 153
899#define X509V3_F_V2I_NAME_CONSTRAINTS 147
900#define X509V3_F_V2I_POLICY_CONSTRAINTS 146
901#define X509V3_F_V2I_POLICY_MAPPINGS 145
902#define X509V3_F_V2I_SUBJECT_ALT 154
903#define X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL 160
904#define X509V3_F_V3_GENERIC_EXTENSION 116
905#define X509V3_F_X509V3_ADD1_I2D 140
906#define X509V3_F_X509V3_ADD_VALUE 105
907#define X509V3_F_X509V3_EXT_ADD 104
908#define X509V3_F_X509V3_EXT_ADD_ALIAS 106
909#define X509V3_F_X509V3_EXT_CONF 107
910#define X509V3_F_X509V3_EXT_I2D 136
911#define X509V3_F_X509V3_EXT_NCONF 152
912#define X509V3_F_X509V3_GET_SECTION 142
913#define X509V3_F_X509V3_GET_STRING 143
914#define X509V3_F_X509V3_GET_VALUE_BOOL 110
915#define X509V3_F_X509V3_PARSE_LIST 109
916#define X509V3_F_X509_PURPOSE_ADD 137
917#define X509V3_F_X509_PURPOSE_SET 141
918
919/* Reason codes. */
920#define X509V3_R_BAD_IP_ADDRESS 118
921#define X509V3_R_BAD_OBJECT 119
922#define X509V3_R_BN_DEC2BN_ERROR 100
923#define X509V3_R_BN_TO_ASN1_INTEGER_ERROR 101
924#define X509V3_R_DIRNAME_ERROR 149
925#define X509V3_R_DISTPOINT_ALREADY_SET 160
926#define X509V3_R_DUPLICATE_ZONE_ID 133
927#define X509V3_R_ERROR_CONVERTING_ZONE 131
928#define X509V3_R_ERROR_CREATING_EXTENSION 144
929#define X509V3_R_ERROR_IN_EXTENSION 128
930#define X509V3_R_EXPECTED_A_SECTION_NAME 137
931#define X509V3_R_EXTENSION_EXISTS 145
932#define X509V3_R_EXTENSION_NAME_ERROR 115
933#define X509V3_R_EXTENSION_NOT_FOUND 102
934#define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 103
935#define X509V3_R_EXTENSION_VALUE_ERROR 116
936#define X509V3_R_ILLEGAL_EMPTY_EXTENSION 151
937#define X509V3_R_ILLEGAL_HEX_DIGIT 113
938#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 152
939#define X509V3_R_INVALID_MULTIPLE_RDNS 161
940#define X509V3_R_INVALID_ASNUMBER 162
941#define X509V3_R_INVALID_ASRANGE 163
942#define X509V3_R_INVALID_BOOLEAN_STRING 104
943#define X509V3_R_INVALID_EXTENSION_STRING 105
944#define X509V3_R_INVALID_INHERITANCE 165
945#define X509V3_R_INVALID_IPADDRESS 166
946#define X509V3_R_INVALID_NAME 106
947#define X509V3_R_INVALID_NULL_ARGUMENT 107
948#define X509V3_R_INVALID_NULL_NAME 108
949#define X509V3_R_INVALID_NULL_VALUE 109
950#define X509V3_R_INVALID_NUMBER 140
951#define X509V3_R_INVALID_NUMBERS 141
952#define X509V3_R_INVALID_OBJECT_IDENTIFIER 110
953#define X509V3_R_INVALID_OPTION 138
954#define X509V3_R_INVALID_POLICY_IDENTIFIER 134
955#define X509V3_R_INVALID_PROXY_POLICY_SETTING 153
956#define X509V3_R_INVALID_PURPOSE 146
957#define X509V3_R_INVALID_SAFI 164
958#define X509V3_R_INVALID_SECTION 135
959#define X509V3_R_INVALID_SYNTAX 143
960#define X509V3_R_ISSUER_DECODE_ERROR 126
961#define X509V3_R_MISSING_VALUE 124
962#define X509V3_R_NEED_ORGANIZATION_AND_NUMBERS 142
963#define X509V3_R_NO_CONFIG_DATABASE 136
964#define X509V3_R_NO_ISSUER_CERTIFICATE 121
965#define X509V3_R_NO_ISSUER_DETAILS 127
966#define X509V3_R_NO_POLICY_IDENTIFIER 139
967#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 154
968#define X509V3_R_NO_PUBLIC_KEY 114
969#define X509V3_R_NO_SUBJECT_DETAILS 125
970#define X509V3_R_ODD_NUMBER_OF_DIGITS 112
971#define X509V3_R_OPERATION_NOT_DEFINED 148
972#define X509V3_R_OTHERNAME_ERROR 147
973#define X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED 155
974#define X509V3_R_POLICY_PATH_LENGTH 156
975#define X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED 157
976#define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED 158
977#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 159
978#define X509V3_R_SECTION_NOT_FOUND 150
979#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 122
980#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 123
981#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 111
982#define X509V3_R_UNKNOWN_EXTENSION 129
983#define X509V3_R_UNKNOWN_EXTENSION_NAME 130
984#define X509V3_R_UNKNOWN_OPTION 120
985#define X509V3_R_UNSUPPORTED_OPTION 117
986#define X509V3_R_UNSUPPORTED_TYPE 167
987#define X509V3_R_USER_TOO_LONG 132
988
989#ifdef __cplusplus
990}
991#endif
992#endif
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-12-31 20:46:56 +0000