1 | /* |
2 | * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at |
7 | * https://www.openssl.org/source/license.html |
8 | */ |
9 | |
10 | #include <stdio.h> |
11 | #include "internal/cryptlib.h" |
12 | #include <openssl/conf.h> |
13 | #include <openssl/asn1.h> |
14 | #include <openssl/asn1t.h> |
15 | #include <openssl/x509v3.h> |
16 | #include "ext_dat.h" |
17 | |
18 | static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, |
19 | AUTHORITY_KEYID *akeyid, |
20 | STACK_OF(CONF_VALUE) |
21 | *extlist); |
22 | static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, |
23 | X509V3_CTX *ctx, |
24 | STACK_OF(CONF_VALUE) *values); |
25 | |
26 | const X509V3_EXT_METHOD v3_akey_id = { |
27 | NID_authority_key_identifier, |
28 | X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_KEYID), |
29 | 0, 0, 0, 0, |
30 | 0, 0, |
31 | (X509V3_EXT_I2V) i2v_AUTHORITY_KEYID, |
32 | (X509V3_EXT_V2I)v2i_AUTHORITY_KEYID, |
33 | 0, 0, |
34 | NULL |
35 | }; |
36 | |
37 | static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, |
38 | AUTHORITY_KEYID *akeyid, |
39 | STACK_OF(CONF_VALUE) |
40 | *extlist) |
41 | { |
42 | char *tmp; |
43 | if (akeyid->keyid) { |
44 | tmp = OPENSSL_buf2hexstr(akeyid->keyid->data, akeyid->keyid->length); |
45 | if (tmp == NULL) { |
46 | ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); |
47 | return NULL; |
48 | } |
49 | X509V3_add_value((akeyid->issuer || akeyid->serial) ? "keyid" : NULL, |
50 | tmp, &extlist); |
51 | OPENSSL_free(tmp); |
52 | } |
53 | if (akeyid->issuer) |
54 | extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist); |
55 | if (akeyid->serial) { |
56 | tmp = OPENSSL_buf2hexstr(akeyid->serial->data, akeyid->serial->length); |
57 | if (tmp == NULL) { |
58 | ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); |
59 | return NULL; |
60 | } |
61 | X509V3_add_value("serial" , tmp, &extlist); |
62 | OPENSSL_free(tmp); |
63 | } |
64 | return extlist; |
65 | } |
66 | |
67 | /*- |
68 | * Currently two options: |
69 | * keyid: use the issuers subject keyid, the value 'always' means its is |
70 | * an error if the issuer certificate doesn't have a key id. |
71 | * issuer: use the issuers cert issuer and serial number. The default is |
72 | * to only use this if keyid is not present. With the option 'always' |
73 | * this is always included. |
74 | */ |
75 | |
76 | static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, |
77 | X509V3_CTX *ctx, |
78 | STACK_OF(CONF_VALUE) *values) |
79 | { |
80 | char keyid = 0, issuer = 0; |
81 | int i; |
82 | CONF_VALUE *cnf; |
83 | ASN1_OCTET_STRING *ikeyid = NULL; |
84 | X509_NAME *isname = NULL; |
85 | GENERAL_NAMES *gens = NULL; |
86 | GENERAL_NAME *gen = NULL; |
87 | ASN1_INTEGER *serial = NULL; |
88 | X509_EXTENSION *ext; |
89 | X509 *cert; |
90 | AUTHORITY_KEYID *akeyid; |
91 | |
92 | for (i = 0; i < sk_CONF_VALUE_num(values); i++) { |
93 | cnf = sk_CONF_VALUE_value(values, i); |
94 | if (strcmp(cnf->name, "keyid" ) == 0) { |
95 | keyid = 1; |
96 | if (cnf->value && strcmp(cnf->value, "always" ) == 0) |
97 | keyid = 2; |
98 | } else if (strcmp(cnf->name, "issuer" ) == 0) { |
99 | issuer = 1; |
100 | if (cnf->value && strcmp(cnf->value, "always" ) == 0) |
101 | issuer = 2; |
102 | } else { |
103 | X509V3err(X509V3_F_V2I_AUTHORITY_KEYID, X509V3_R_UNKNOWN_OPTION); |
104 | ERR_add_error_data(2, "name=" , cnf->name); |
105 | return NULL; |
106 | } |
107 | } |
108 | |
109 | if (!ctx || !ctx->issuer_cert) { |
110 | if (ctx && (ctx->flags == CTX_TEST)) |
111 | return AUTHORITY_KEYID_new(); |
112 | X509V3err(X509V3_F_V2I_AUTHORITY_KEYID, |
113 | X509V3_R_NO_ISSUER_CERTIFICATE); |
114 | return NULL; |
115 | } |
116 | |
117 | cert = ctx->issuer_cert; |
118 | |
119 | if (keyid) { |
120 | i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1); |
121 | if ((i >= 0) && (ext = X509_get_ext(cert, i))) |
122 | ikeyid = X509V3_EXT_d2i(ext); |
123 | if (keyid == 2 && !ikeyid) { |
124 | X509V3err(X509V3_F_V2I_AUTHORITY_KEYID, |
125 | X509V3_R_UNABLE_TO_GET_ISSUER_KEYID); |
126 | return NULL; |
127 | } |
128 | } |
129 | |
130 | if ((issuer && !ikeyid) || (issuer == 2)) { |
131 | isname = X509_NAME_dup(X509_get_issuer_name(cert)); |
132 | serial = ASN1_INTEGER_dup(X509_get_serialNumber(cert)); |
133 | if (!isname || !serial) { |
134 | X509V3err(X509V3_F_V2I_AUTHORITY_KEYID, |
135 | X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS); |
136 | goto err; |
137 | } |
138 | } |
139 | |
140 | if ((akeyid = AUTHORITY_KEYID_new()) == NULL) |
141 | goto err; |
142 | |
143 | if (isname) { |
144 | if ((gens = sk_GENERAL_NAME_new_null()) == NULL |
145 | || (gen = GENERAL_NAME_new()) == NULL |
146 | || !sk_GENERAL_NAME_push(gens, gen)) { |
147 | X509V3err(X509V3_F_V2I_AUTHORITY_KEYID, ERR_R_MALLOC_FAILURE); |
148 | goto err; |
149 | } |
150 | gen->type = GEN_DIRNAME; |
151 | gen->d.dirn = isname; |
152 | } |
153 | |
154 | akeyid->issuer = gens; |
155 | gen = NULL; |
156 | gens = NULL; |
157 | akeyid->serial = serial; |
158 | akeyid->keyid = ikeyid; |
159 | |
160 | return akeyid; |
161 | |
162 | err: |
163 | sk_GENERAL_NAME_free(gens); |
164 | GENERAL_NAME_free(gen); |
165 | X509_NAME_free(isname); |
166 | ASN1_INTEGER_free(serial); |
167 | ASN1_OCTET_STRING_free(ikeyid); |
168 | return NULL; |
169 | } |
170 | |