v3_cpols.c 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494
  1. /*
  2. * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include "internal/cryptlib.h"
  11. #include <openssl/conf.h>
  12. #include <openssl/asn1.h>
  13. #include <openssl/asn1t.h>
  14. #include <openssl/x509v3.h>
  15. #include "pcy_local.h"
  16. #include "ext_dat.h"
  17. /* Certificate policies extension support: this one is a bit complex... */
  18. static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol,
  19. BIO *out, int indent);
  20. static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
  21. X509V3_CTX *ctx, const char *value);
  22. static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
  23. int indent);
  24. static void print_notice(BIO *out, USERNOTICE *notice, int indent);
  25. static POLICYINFO *policy_section(X509V3_CTX *ctx,
  26. STACK_OF(CONF_VALUE) *polstrs, int ia5org);
  27. static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
  28. STACK_OF(CONF_VALUE) *unot, int ia5org);
  29. static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos);
  30. static int displaytext_str2tag(const char *tagstr, unsigned int *tag_len);
  31. static int displaytext_get_tag_len(const char *tagstr);
  32. const X509V3_EXT_METHOD v3_cpols = {
  33. NID_certificate_policies, 0, ASN1_ITEM_ref(CERTIFICATEPOLICIES),
  34. 0, 0, 0, 0,
  35. 0, 0,
  36. 0, 0,
  37. (X509V3_EXT_I2R)i2r_certpol,
  38. (X509V3_EXT_R2I)r2i_certpol,
  39. NULL
  40. };
  41. ASN1_ITEM_TEMPLATE(CERTIFICATEPOLICIES) =
  42. ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CERTIFICATEPOLICIES, POLICYINFO)
  43. ASN1_ITEM_TEMPLATE_END(CERTIFICATEPOLICIES)
  44. IMPLEMENT_ASN1_FUNCTIONS(CERTIFICATEPOLICIES)
  45. ASN1_SEQUENCE(POLICYINFO) = {
  46. ASN1_SIMPLE(POLICYINFO, policyid, ASN1_OBJECT),
  47. ASN1_SEQUENCE_OF_OPT(POLICYINFO, qualifiers, POLICYQUALINFO)
  48. } ASN1_SEQUENCE_END(POLICYINFO)
  49. IMPLEMENT_ASN1_FUNCTIONS(POLICYINFO)
  50. ASN1_ADB_TEMPLATE(policydefault) = ASN1_SIMPLE(POLICYQUALINFO, d.other, ASN1_ANY);
  51. ASN1_ADB(POLICYQUALINFO) = {
  52. ADB_ENTRY(NID_id_qt_cps, ASN1_SIMPLE(POLICYQUALINFO, d.cpsuri, ASN1_IA5STRING)),
  53. ADB_ENTRY(NID_id_qt_unotice, ASN1_SIMPLE(POLICYQUALINFO, d.usernotice, USERNOTICE))
  54. } ASN1_ADB_END(POLICYQUALINFO, 0, pqualid, 0, &policydefault_tt, NULL);
  55. ASN1_SEQUENCE(POLICYQUALINFO) = {
  56. ASN1_SIMPLE(POLICYQUALINFO, pqualid, ASN1_OBJECT),
  57. ASN1_ADB_OBJECT(POLICYQUALINFO)
  58. } ASN1_SEQUENCE_END(POLICYQUALINFO)
  59. IMPLEMENT_ASN1_FUNCTIONS(POLICYQUALINFO)
  60. ASN1_SEQUENCE(USERNOTICE) = {
  61. ASN1_OPT(USERNOTICE, noticeref, NOTICEREF),
  62. ASN1_OPT(USERNOTICE, exptext, DISPLAYTEXT)
  63. } ASN1_SEQUENCE_END(USERNOTICE)
  64. IMPLEMENT_ASN1_FUNCTIONS(USERNOTICE)
  65. ASN1_SEQUENCE(NOTICEREF) = {
  66. ASN1_SIMPLE(NOTICEREF, organization, DISPLAYTEXT),
  67. ASN1_SEQUENCE_OF(NOTICEREF, noticenos, ASN1_INTEGER)
  68. } ASN1_SEQUENCE_END(NOTICEREF)
  69. IMPLEMENT_ASN1_FUNCTIONS(NOTICEREF)
  70. static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
  71. X509V3_CTX *ctx, const char *value)
  72. {
  73. STACK_OF(POLICYINFO) *pols;
  74. char *pstr;
  75. POLICYINFO *pol;
  76. ASN1_OBJECT *pobj;
  77. STACK_OF(CONF_VALUE) *vals = X509V3_parse_list(value);
  78. CONF_VALUE *cnf;
  79. const int num = sk_CONF_VALUE_num(vals);
  80. int i, ia5org;
  81. if (vals == NULL) {
  82. X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_X509V3_LIB);
  83. return NULL;
  84. }
  85. pols = sk_POLICYINFO_new_reserve(NULL, num);
  86. if (pols == NULL) {
  87. X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
  88. goto err;
  89. }
  90. ia5org = 0;
  91. for (i = 0; i < num; i++) {
  92. cnf = sk_CONF_VALUE_value(vals, i);
  93. if (cnf->value || !cnf->name) {
  94. X509V3err(X509V3_F_R2I_CERTPOL,
  95. X509V3_R_INVALID_POLICY_IDENTIFIER);
  96. X509V3_conf_err(cnf);
  97. goto err;
  98. }
  99. pstr = cnf->name;
  100. if (strcmp(pstr, "ia5org") == 0) {
  101. ia5org = 1;
  102. continue;
  103. } else if (*pstr == '@') {
  104. STACK_OF(CONF_VALUE) *polsect;
  105. polsect = X509V3_get_section(ctx, pstr + 1);
  106. if (!polsect) {
  107. X509V3err(X509V3_F_R2I_CERTPOL, X509V3_R_INVALID_SECTION);
  108. X509V3_conf_err(cnf);
  109. goto err;
  110. }
  111. pol = policy_section(ctx, polsect, ia5org);
  112. X509V3_section_free(ctx, polsect);
  113. if (pol == NULL)
  114. goto err;
  115. } else {
  116. if ((pobj = OBJ_txt2obj(cnf->name, 0)) == NULL) {
  117. X509V3err(X509V3_F_R2I_CERTPOL,
  118. X509V3_R_INVALID_OBJECT_IDENTIFIER);
  119. X509V3_conf_err(cnf);
  120. goto err;
  121. }
  122. pol = POLICYINFO_new();
  123. if (pol == NULL) {
  124. ASN1_OBJECT_free(pobj);
  125. X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
  126. goto err;
  127. }
  128. pol->policyid = pobj;
  129. }
  130. if (!sk_POLICYINFO_push(pols, pol)) {
  131. POLICYINFO_free(pol);
  132. X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
  133. goto err;
  134. }
  135. }
  136. sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
  137. return pols;
  138. err:
  139. sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
  140. sk_POLICYINFO_pop_free(pols, POLICYINFO_free);
  141. return NULL;
  142. }
  143. static POLICYINFO *policy_section(X509V3_CTX *ctx,
  144. STACK_OF(CONF_VALUE) *polstrs, int ia5org)
  145. {
  146. int i;
  147. CONF_VALUE *cnf;
  148. POLICYINFO *pol;
  149. POLICYQUALINFO *qual;
  150. if ((pol = POLICYINFO_new()) == NULL)
  151. goto merr;
  152. for (i = 0; i < sk_CONF_VALUE_num(polstrs); i++) {
  153. cnf = sk_CONF_VALUE_value(polstrs, i);
  154. if (strcmp(cnf->name, "policyIdentifier") == 0) {
  155. ASN1_OBJECT *pobj;
  156. if ((pobj = OBJ_txt2obj(cnf->value, 0)) == NULL) {
  157. X509V3err(X509V3_F_POLICY_SECTION,
  158. X509V3_R_INVALID_OBJECT_IDENTIFIER);
  159. X509V3_conf_err(cnf);
  160. goto err;
  161. }
  162. pol->policyid = pobj;
  163. } else if (!name_cmp(cnf->name, "CPS")) {
  164. if (pol->qualifiers == NULL)
  165. pol->qualifiers = sk_POLICYQUALINFO_new_null();
  166. if ((qual = POLICYQUALINFO_new()) == NULL)
  167. goto merr;
  168. if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
  169. goto merr;
  170. if ((qual->pqualid = OBJ_nid2obj(NID_id_qt_cps)) == NULL) {
  171. X509V3err(X509V3_F_POLICY_SECTION, ERR_R_INTERNAL_ERROR);
  172. goto err;
  173. }
  174. if ((qual->d.cpsuri = ASN1_IA5STRING_new()) == NULL)
  175. goto merr;
  176. if (!ASN1_STRING_set(qual->d.cpsuri, cnf->value,
  177. strlen(cnf->value)))
  178. goto merr;
  179. } else if (!name_cmp(cnf->name, "userNotice")) {
  180. STACK_OF(CONF_VALUE) *unot;
  181. if (*cnf->value != '@') {
  182. X509V3err(X509V3_F_POLICY_SECTION,
  183. X509V3_R_EXPECTED_A_SECTION_NAME);
  184. X509V3_conf_err(cnf);
  185. goto err;
  186. }
  187. unot = X509V3_get_section(ctx, cnf->value + 1);
  188. if (!unot) {
  189. X509V3err(X509V3_F_POLICY_SECTION, X509V3_R_INVALID_SECTION);
  190. X509V3_conf_err(cnf);
  191. goto err;
  192. }
  193. qual = notice_section(ctx, unot, ia5org);
  194. X509V3_section_free(ctx, unot);
  195. if (!qual)
  196. goto err;
  197. if (!pol->qualifiers)
  198. pol->qualifiers = sk_POLICYQUALINFO_new_null();
  199. if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
  200. goto merr;
  201. } else {
  202. X509V3err(X509V3_F_POLICY_SECTION, X509V3_R_INVALID_OPTION);
  203. X509V3_conf_err(cnf);
  204. goto err;
  205. }
  206. }
  207. if (!pol->policyid) {
  208. X509V3err(X509V3_F_POLICY_SECTION, X509V3_R_NO_POLICY_IDENTIFIER);
  209. goto err;
  210. }
  211. return pol;
  212. merr:
  213. X509V3err(X509V3_F_POLICY_SECTION, ERR_R_MALLOC_FAILURE);
  214. err:
  215. POLICYINFO_free(pol);
  216. return NULL;
  217. }
  218. static int displaytext_get_tag_len(const char *tagstr)
  219. {
  220. char *colon = strchr(tagstr, ':');
  221. return (colon == NULL) ? -1 : colon - tagstr;
  222. }
  223. static int displaytext_str2tag(const char *tagstr, unsigned int *tag_len)
  224. {
  225. int len;
  226. *tag_len = 0;
  227. len = displaytext_get_tag_len(tagstr);
  228. if (len == -1)
  229. return V_ASN1_VISIBLESTRING;
  230. *tag_len = len;
  231. if (len == sizeof("UTF8") - 1 && strncmp(tagstr, "UTF8", len) == 0)
  232. return V_ASN1_UTF8STRING;
  233. if (len == sizeof("UTF8String") - 1 && strncmp(tagstr, "UTF8String", len) == 0)
  234. return V_ASN1_UTF8STRING;
  235. if (len == sizeof("BMP") - 1 && strncmp(tagstr, "BMP", len) == 0)
  236. return V_ASN1_BMPSTRING;
  237. if (len == sizeof("BMPSTRING") - 1 && strncmp(tagstr, "BMPSTRING", len) == 0)
  238. return V_ASN1_BMPSTRING;
  239. if (len == sizeof("VISIBLE") - 1 && strncmp(tagstr, "VISIBLE", len) == 0)
  240. return V_ASN1_VISIBLESTRING;
  241. if (len == sizeof("VISIBLESTRING") - 1 && strncmp(tagstr, "VISIBLESTRING", len) == 0)
  242. return V_ASN1_VISIBLESTRING;
  243. *tag_len = 0;
  244. return V_ASN1_VISIBLESTRING;
  245. }
  246. static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
  247. STACK_OF(CONF_VALUE) *unot, int ia5org)
  248. {
  249. int i, ret, len, tag;
  250. unsigned int tag_len;
  251. CONF_VALUE *cnf;
  252. USERNOTICE *not;
  253. POLICYQUALINFO *qual;
  254. char *value = NULL;
  255. if ((qual = POLICYQUALINFO_new()) == NULL)
  256. goto merr;
  257. if ((qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice)) == NULL) {
  258. X509V3err(X509V3_F_NOTICE_SECTION, ERR_R_INTERNAL_ERROR);
  259. goto err;
  260. }
  261. if ((not = USERNOTICE_new()) == NULL)
  262. goto merr;
  263. qual->d.usernotice = not;
  264. for (i = 0; i < sk_CONF_VALUE_num(unot); i++) {
  265. cnf = sk_CONF_VALUE_value(unot, i);
  266. value = cnf->value;
  267. if (strcmp(cnf->name, "explicitText") == 0) {
  268. tag = displaytext_str2tag(value, &tag_len);
  269. if ((not->exptext = ASN1_STRING_type_new(tag)) == NULL)
  270. goto merr;
  271. if (tag_len != 0)
  272. value += tag_len + 1;
  273. len = strlen(value);
  274. if (!ASN1_STRING_set(not->exptext, value, len))
  275. goto merr;
  276. } else if (strcmp(cnf->name, "organization") == 0) {
  277. NOTICEREF *nref;
  278. if (!not->noticeref) {
  279. if ((nref = NOTICEREF_new()) == NULL)
  280. goto merr;
  281. not->noticeref = nref;
  282. } else
  283. nref = not->noticeref;
  284. if (ia5org)
  285. nref->organization->type = V_ASN1_IA5STRING;
  286. else
  287. nref->organization->type = V_ASN1_VISIBLESTRING;
  288. if (!ASN1_STRING_set(nref->organization, cnf->value,
  289. strlen(cnf->value)))
  290. goto merr;
  291. } else if (strcmp(cnf->name, "noticeNumbers") == 0) {
  292. NOTICEREF *nref;
  293. STACK_OF(CONF_VALUE) *nos;
  294. if (!not->noticeref) {
  295. if ((nref = NOTICEREF_new()) == NULL)
  296. goto merr;
  297. not->noticeref = nref;
  298. } else
  299. nref = not->noticeref;
  300. nos = X509V3_parse_list(cnf->value);
  301. if (!nos || !sk_CONF_VALUE_num(nos)) {
  302. X509V3err(X509V3_F_NOTICE_SECTION, X509V3_R_INVALID_NUMBERS);
  303. X509V3_conf_err(cnf);
  304. sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
  305. goto err;
  306. }
  307. ret = nref_nos(nref->noticenos, nos);
  308. sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
  309. if (!ret)
  310. goto err;
  311. } else {
  312. X509V3err(X509V3_F_NOTICE_SECTION, X509V3_R_INVALID_OPTION);
  313. X509V3_conf_err(cnf);
  314. goto err;
  315. }
  316. }
  317. if (not->noticeref &&
  318. (!not->noticeref->noticenos || !not->noticeref->organization)) {
  319. X509V3err(X509V3_F_NOTICE_SECTION,
  320. X509V3_R_NEED_ORGANIZATION_AND_NUMBERS);
  321. goto err;
  322. }
  323. return qual;
  324. merr:
  325. X509V3err(X509V3_F_NOTICE_SECTION, ERR_R_MALLOC_FAILURE);
  326. err:
  327. POLICYQUALINFO_free(qual);
  328. return NULL;
  329. }
  330. static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos)
  331. {
  332. CONF_VALUE *cnf;
  333. ASN1_INTEGER *aint;
  334. int i;
  335. for (i = 0; i < sk_CONF_VALUE_num(nos); i++) {
  336. cnf = sk_CONF_VALUE_value(nos, i);
  337. if ((aint = s2i_ASN1_INTEGER(NULL, cnf->name)) == NULL) {
  338. X509V3err(X509V3_F_NREF_NOS, X509V3_R_INVALID_NUMBER);
  339. goto err;
  340. }
  341. if (!sk_ASN1_INTEGER_push(nnums, aint))
  342. goto merr;
  343. }
  344. return 1;
  345. merr:
  346. ASN1_INTEGER_free(aint);
  347. X509V3err(X509V3_F_NREF_NOS, ERR_R_MALLOC_FAILURE);
  348. err:
  349. return 0;
  350. }
  351. static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol,
  352. BIO *out, int indent)
  353. {
  354. int i;
  355. POLICYINFO *pinfo;
  356. /* First print out the policy OIDs */
  357. for (i = 0; i < sk_POLICYINFO_num(pol); i++) {
  358. pinfo = sk_POLICYINFO_value(pol, i);
  359. BIO_printf(out, "%*sPolicy: ", indent, "");
  360. i2a_ASN1_OBJECT(out, pinfo->policyid);
  361. BIO_puts(out, "\n");
  362. if (pinfo->qualifiers)
  363. print_qualifiers(out, pinfo->qualifiers, indent + 2);
  364. }
  365. return 1;
  366. }
  367. static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
  368. int indent)
  369. {
  370. POLICYQUALINFO *qualinfo;
  371. int i;
  372. for (i = 0; i < sk_POLICYQUALINFO_num(quals); i++) {
  373. qualinfo = sk_POLICYQUALINFO_value(quals, i);
  374. switch (OBJ_obj2nid(qualinfo->pqualid)) {
  375. case NID_id_qt_cps:
  376. BIO_printf(out, "%*sCPS: %.*s\n", indent, "",
  377. qualinfo->d.cpsuri->length,
  378. qualinfo->d.cpsuri->data);
  379. break;
  380. case NID_id_qt_unotice:
  381. BIO_printf(out, "%*sUser Notice:\n", indent, "");
  382. print_notice(out, qualinfo->d.usernotice, indent + 2);
  383. break;
  384. default:
  385. BIO_printf(out, "%*sUnknown Qualifier: ", indent + 2, "");
  386. i2a_ASN1_OBJECT(out, qualinfo->pqualid);
  387. BIO_puts(out, "\n");
  388. break;
  389. }
  390. }
  391. }
  392. static void print_notice(BIO *out, USERNOTICE *notice, int indent)
  393. {
  394. int i;
  395. if (notice->noticeref) {
  396. NOTICEREF *ref;
  397. ref = notice->noticeref;
  398. BIO_printf(out, "%*sOrganization: %.*s\n", indent, "",
  399. ref->organization->length,
  400. ref->organization->data);
  401. BIO_printf(out, "%*sNumber%s: ", indent, "",
  402. sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : "");
  403. for (i = 0; i < sk_ASN1_INTEGER_num(ref->noticenos); i++) {
  404. ASN1_INTEGER *num;
  405. char *tmp;
  406. num = sk_ASN1_INTEGER_value(ref->noticenos, i);
  407. if (i)
  408. BIO_puts(out, ", ");
  409. if (num == NULL)
  410. BIO_puts(out, "(null)");
  411. else {
  412. tmp = i2s_ASN1_INTEGER(NULL, num);
  413. if (tmp == NULL)
  414. return;
  415. BIO_puts(out, tmp);
  416. OPENSSL_free(tmp);
  417. }
  418. }
  419. BIO_puts(out, "\n");
  420. }
  421. if (notice->exptext)
  422. BIO_printf(out, "%*sExplicit Text: %.*s\n", indent, "",
  423. notice->exptext->length,
  424. notice->exptext->data);
  425. }
  426. void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
  427. {
  428. const X509_POLICY_DATA *dat = node->data;
  429. BIO_printf(out, "%*sPolicy: ", indent, "");
  430. i2a_ASN1_OBJECT(out, dat->valid_policy);
  431. BIO_puts(out, "\n");
  432. BIO_printf(out, "%*s%s\n", indent + 2, "",
  433. node_data_critical(dat) ? "Critical" : "Non Critical");
  434. if (dat->qualifier_set)
  435. print_qualifiers(out, dat->qualifier_set, indent + 2);
  436. else
  437. BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
  438. }