1/*
2 * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <stdio.h>
11#include "internal/cryptlib.h"
12#include <openssl/conf.h>
13#include <openssl/asn1.h>
14#include <openssl/asn1t.h>
15#include <openssl/x509v3.h>
16
17#include "pcy_local.h"
18#include "ext_dat.h"
19
20/* Certificate policies extension support: this one is a bit complex... */
21
22static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol,
23 BIO *out, int indent);
24static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
25 X509V3_CTX *ctx, const char *value);
26static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
27 int indent);
28static void print_notice(BIO *out, USERNOTICE *notice, int indent);
29static POLICYINFO *policy_section(X509V3_CTX *ctx,
30 STACK_OF(CONF_VALUE) *polstrs, int ia5org);
31static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
32 STACK_OF(CONF_VALUE) *unot, int ia5org);
33static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos);
34static int displaytext_str2tag(const char *tagstr, unsigned int *tag_len);
35static int displaytext_get_tag_len(const char *tagstr);
36
37const X509V3_EXT_METHOD v3_cpols = {
38 NID_certificate_policies, 0, ASN1_ITEM_ref(CERTIFICATEPOLICIES),
39 0, 0, 0, 0,
40 0, 0,
41 0, 0,
42 (X509V3_EXT_I2R)i2r_certpol,
43 (X509V3_EXT_R2I)r2i_certpol,
44 NULL
45};
46
47ASN1_ITEM_TEMPLATE(CERTIFICATEPOLICIES) =
48 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CERTIFICATEPOLICIES, POLICYINFO)
49ASN1_ITEM_TEMPLATE_END(CERTIFICATEPOLICIES)
50
51IMPLEMENT_ASN1_FUNCTIONS(CERTIFICATEPOLICIES)
52
53ASN1_SEQUENCE(POLICYINFO) = {
54 ASN1_SIMPLE(POLICYINFO, policyid, ASN1_OBJECT),
55 ASN1_SEQUENCE_OF_OPT(POLICYINFO, qualifiers, POLICYQUALINFO)
56} ASN1_SEQUENCE_END(POLICYINFO)
57
58IMPLEMENT_ASN1_FUNCTIONS(POLICYINFO)
59
60ASN1_ADB_TEMPLATE(policydefault) = ASN1_SIMPLE(POLICYQUALINFO, d.other, ASN1_ANY);
61
62ASN1_ADB(POLICYQUALINFO) = {
63 ADB_ENTRY(NID_id_qt_cps, ASN1_SIMPLE(POLICYQUALINFO, d.cpsuri, ASN1_IA5STRING)),
64 ADB_ENTRY(NID_id_qt_unotice, ASN1_SIMPLE(POLICYQUALINFO, d.usernotice, USERNOTICE))
65} ASN1_ADB_END(POLICYQUALINFO, 0, pqualid, 0, &policydefault_tt, NULL);
66
67ASN1_SEQUENCE(POLICYQUALINFO) = {
68 ASN1_SIMPLE(POLICYQUALINFO, pqualid, ASN1_OBJECT),
69 ASN1_ADB_OBJECT(POLICYQUALINFO)
70} ASN1_SEQUENCE_END(POLICYQUALINFO)
71
72IMPLEMENT_ASN1_FUNCTIONS(POLICYQUALINFO)
73
74ASN1_SEQUENCE(USERNOTICE) = {
75 ASN1_OPT(USERNOTICE, noticeref, NOTICEREF),
76 ASN1_OPT(USERNOTICE, exptext, DISPLAYTEXT)
77} ASN1_SEQUENCE_END(USERNOTICE)
78
79IMPLEMENT_ASN1_FUNCTIONS(USERNOTICE)
80
81ASN1_SEQUENCE(NOTICEREF) = {
82 ASN1_SIMPLE(NOTICEREF, organization, DISPLAYTEXT),
83 ASN1_SEQUENCE_OF(NOTICEREF, noticenos, ASN1_INTEGER)
84} ASN1_SEQUENCE_END(NOTICEREF)
85
86IMPLEMENT_ASN1_FUNCTIONS(NOTICEREF)
87
88static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
89 X509V3_CTX *ctx, const char *value)
90{
91 STACK_OF(POLICYINFO) *pols;
92 char *pstr;
93 POLICYINFO *pol;
94 ASN1_OBJECT *pobj;
95 STACK_OF(CONF_VALUE) *vals = X509V3_parse_list(value);
96 CONF_VALUE *cnf;
97 const int num = sk_CONF_VALUE_num(vals);
98 int i, ia5org;
99
100 if (vals == NULL) {
101 X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_X509V3_LIB);
102 return NULL;
103 }
104
105 pols = sk_POLICYINFO_new_reserve(NULL, num);
106 if (pols == NULL) {
107 X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
108 goto err;
109 }
110
111 ia5org = 0;
112 for (i = 0; i < num; i++) {
113 cnf = sk_CONF_VALUE_value(vals, i);
114
115 if (cnf->value || !cnf->name) {
116 X509V3err(X509V3_F_R2I_CERTPOL,
117 X509V3_R_INVALID_POLICY_IDENTIFIER);
118 X509V3_conf_err(cnf);
119 goto err;
120 }
121 pstr = cnf->name;
122 if (strcmp(pstr, "ia5org") == 0) {
123 ia5org = 1;
124 continue;
125 } else if (*pstr == '@') {
126 STACK_OF(CONF_VALUE) *polsect;
127
128 polsect = X509V3_get_section(ctx, pstr + 1);
129 if (polsect == NULL) {
130 X509V3err(X509V3_F_R2I_CERTPOL, X509V3_R_INVALID_SECTION);
131
132 X509V3_conf_err(cnf);
133 goto err;
134 }
135 pol = policy_section(ctx, polsect, ia5org);
136 X509V3_section_free(ctx, polsect);
137 if (pol == NULL)
138 goto err;
139 } else {
140 if ((pobj = OBJ_txt2obj(cnf->name, 0)) == NULL) {
141 X509V3err(X509V3_F_R2I_CERTPOL,
142 X509V3_R_INVALID_OBJECT_IDENTIFIER);
143 X509V3_conf_err(cnf);
144 goto err;
145 }
146 pol = POLICYINFO_new();
147 if (pol == NULL) {
148 ASN1_OBJECT_free(pobj);
149 X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
150 goto err;
151 }
152 pol->policyid = pobj;
153 }
154 if (!sk_POLICYINFO_push(pols, pol)) {
155 POLICYINFO_free(pol);
156 X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
157 goto err;
158 }
159 }
160 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
161 return pols;
162 err:
163 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
164 sk_POLICYINFO_pop_free(pols, POLICYINFO_free);
165 return NULL;
166}
167
168static POLICYINFO *policy_section(X509V3_CTX *ctx,
169 STACK_OF(CONF_VALUE) *polstrs, int ia5org)
170{
171 int i;
172 CONF_VALUE *cnf;
173 POLICYINFO *pol;
174 POLICYQUALINFO *qual;
175
176 if ((pol = POLICYINFO_new()) == NULL)
177 goto merr;
178 for (i = 0; i < sk_CONF_VALUE_num(polstrs); i++) {
179 cnf = sk_CONF_VALUE_value(polstrs, i);
180 if (strcmp(cnf->name, "policyIdentifier") == 0) {
181 ASN1_OBJECT *pobj;
182 if ((pobj = OBJ_txt2obj(cnf->value, 0)) == NULL) {
183 X509V3err(X509V3_F_POLICY_SECTION,
184 X509V3_R_INVALID_OBJECT_IDENTIFIER);
185 X509V3_conf_err(cnf);
186 goto err;
187 }
188 pol->policyid = pobj;
189
190 } else if (!v3_name_cmp(cnf->name, "CPS")) {
191 if (pol->qualifiers == NULL)
192 pol->qualifiers = sk_POLICYQUALINFO_new_null();
193 if ((qual = POLICYQUALINFO_new()) == NULL)
194 goto merr;
195 if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
196 goto merr;
197 if ((qual->pqualid = OBJ_nid2obj(NID_id_qt_cps)) == NULL) {
198 X509V3err(X509V3_F_POLICY_SECTION, ERR_R_INTERNAL_ERROR);
199 goto err;
200 }
201 if ((qual->d.cpsuri = ASN1_IA5STRING_new()) == NULL)
202 goto merr;
203 if (!ASN1_STRING_set(qual->d.cpsuri, cnf->value,
204 strlen(cnf->value)))
205 goto merr;
206 } else if (!v3_name_cmp(cnf->name, "userNotice")) {
207 STACK_OF(CONF_VALUE) *unot;
208 if (*cnf->value != '@') {
209 X509V3err(X509V3_F_POLICY_SECTION,
210 X509V3_R_EXPECTED_A_SECTION_NAME);
211 X509V3_conf_err(cnf);
212 goto err;
213 }
214 unot = X509V3_get_section(ctx, cnf->value + 1);
215 if (!unot) {
216 X509V3err(X509V3_F_POLICY_SECTION, X509V3_R_INVALID_SECTION);
217
218 X509V3_conf_err(cnf);
219 goto err;
220 }
221 qual = notice_section(ctx, unot, ia5org);
222 X509V3_section_free(ctx, unot);
223 if (!qual)
224 goto err;
225 if (pol->qualifiers == NULL)
226 pol->qualifiers = sk_POLICYQUALINFO_new_null();
227 if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
228 goto merr;
229 } else {
230 X509V3err(X509V3_F_POLICY_SECTION, X509V3_R_INVALID_OPTION);
231
232 X509V3_conf_err(cnf);
233 goto err;
234 }
235 }
236 if (pol->policyid == NULL) {
237 X509V3err(X509V3_F_POLICY_SECTION, X509V3_R_NO_POLICY_IDENTIFIER);
238 goto err;
239 }
240
241 return pol;
242
243 merr:
244 X509V3err(X509V3_F_POLICY_SECTION, ERR_R_MALLOC_FAILURE);
245
246 err:
247 POLICYINFO_free(pol);
248 return NULL;
249}
250
251static int displaytext_get_tag_len(const char *tagstr)
252{
253 char *colon = strchr(tagstr, ':');
254
255 return (colon == NULL) ? -1 : colon - tagstr;
256}
257
258static int displaytext_str2tag(const char *tagstr, unsigned int *tag_len)
259{
260 int len;
261
262 *tag_len = 0;
263 len = displaytext_get_tag_len(tagstr);
264
265 if (len == -1)
266 return V_ASN1_VISIBLESTRING;
267 *tag_len = len;
268 if (len == sizeof("UTF8") - 1 && strncmp(tagstr, "UTF8", len) == 0)
269 return V_ASN1_UTF8STRING;
270 if (len == sizeof("UTF8String") - 1 && strncmp(tagstr, "UTF8String", len) == 0)
271 return V_ASN1_UTF8STRING;
272 if (len == sizeof("BMP") - 1 && strncmp(tagstr, "BMP", len) == 0)
273 return V_ASN1_BMPSTRING;
274 if (len == sizeof("BMPSTRING") - 1 && strncmp(tagstr, "BMPSTRING", len) == 0)
275 return V_ASN1_BMPSTRING;
276 if (len == sizeof("VISIBLE") - 1 && strncmp(tagstr, "VISIBLE", len) == 0)
277 return V_ASN1_VISIBLESTRING;
278 if (len == sizeof("VISIBLESTRING") - 1 && strncmp(tagstr, "VISIBLESTRING", len) == 0)
279 return V_ASN1_VISIBLESTRING;
280 *tag_len = 0;
281 return V_ASN1_VISIBLESTRING;
282}
283
284static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
285 STACK_OF(CONF_VALUE) *unot, int ia5org)
286{
287 int i, ret, len, tag;
288 unsigned int tag_len;
289 CONF_VALUE *cnf;
290 USERNOTICE *not;
291 POLICYQUALINFO *qual;
292 char *value = NULL;
293
294 if ((qual = POLICYQUALINFO_new()) == NULL)
295 goto merr;
296 if ((qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice)) == NULL) {
297 X509V3err(X509V3_F_NOTICE_SECTION, ERR_R_INTERNAL_ERROR);
298 goto err;
299 }
300 if ((not = USERNOTICE_new()) == NULL)
301 goto merr;
302 qual->d.usernotice = not;
303 for (i = 0; i < sk_CONF_VALUE_num(unot); i++) {
304 cnf = sk_CONF_VALUE_value(unot, i);
305 value = cnf->value;
306 if (strcmp(cnf->name, "explicitText") == 0) {
307 tag = displaytext_str2tag(value, &tag_len);
308 if ((not->exptext = ASN1_STRING_type_new(tag)) == NULL)
309 goto merr;
310 if (tag_len != 0)
311 value += tag_len + 1;
312 len = strlen(value);
313 if (!ASN1_STRING_set(not->exptext, value, len))
314 goto merr;
315 } else if (strcmp(cnf->name, "organization") == 0) {
316 NOTICEREF *nref;
317 if (!not->noticeref) {
318 if ((nref = NOTICEREF_new()) == NULL)
319 goto merr;
320 not->noticeref = nref;
321 } else
322 nref = not->noticeref;
323 if (ia5org)
324 nref->organization->type = V_ASN1_IA5STRING;
325 else
326 nref->organization->type = V_ASN1_VISIBLESTRING;
327 if (!ASN1_STRING_set(nref->organization, cnf->value,
328 strlen(cnf->value)))
329 goto merr;
330 } else if (strcmp(cnf->name, "noticeNumbers") == 0) {
331 NOTICEREF *nref;
332 STACK_OF(CONF_VALUE) *nos;
333 if (!not->noticeref) {
334 if ((nref = NOTICEREF_new()) == NULL)
335 goto merr;
336 not->noticeref = nref;
337 } else
338 nref = not->noticeref;
339 nos = X509V3_parse_list(cnf->value);
340 if (!nos || !sk_CONF_VALUE_num(nos)) {
341 X509V3err(X509V3_F_NOTICE_SECTION, X509V3_R_INVALID_NUMBERS);
342 X509V3_conf_err(cnf);
343 sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
344 goto err;
345 }
346 ret = nref_nos(nref->noticenos, nos);
347 sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
348 if (!ret)
349 goto err;
350 } else {
351 X509V3err(X509V3_F_NOTICE_SECTION, X509V3_R_INVALID_OPTION);
352 X509V3_conf_err(cnf);
353 goto err;
354 }
355 }
356
357 if (not->noticeref &&
358 (!not->noticeref->noticenos || !not->noticeref->organization)) {
359 X509V3err(X509V3_F_NOTICE_SECTION,
360 X509V3_R_NEED_ORGANIZATION_AND_NUMBERS);
361 goto err;
362 }
363
364 return qual;
365
366 merr:
367 X509V3err(X509V3_F_NOTICE_SECTION, ERR_R_MALLOC_FAILURE);
368
369 err:
370 POLICYQUALINFO_free(qual);
371 return NULL;
372}
373
374static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos)
375{
376 CONF_VALUE *cnf;
377 ASN1_INTEGER *aint;
378
379 int i;
380
381 for (i = 0; i < sk_CONF_VALUE_num(nos); i++) {
382 cnf = sk_CONF_VALUE_value(nos, i);
383 if ((aint = s2i_ASN1_INTEGER(NULL, cnf->name)) == NULL) {
384 X509V3err(X509V3_F_NREF_NOS, X509V3_R_INVALID_NUMBER);
385 goto err;
386 }
387 if (!sk_ASN1_INTEGER_push(nnums, aint))
388 goto merr;
389 }
390 return 1;
391
392 merr:
393 ASN1_INTEGER_free(aint);
394 X509V3err(X509V3_F_NREF_NOS, ERR_R_MALLOC_FAILURE);
395
396 err:
397 return 0;
398}
399
400static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol,
401 BIO *out, int indent)
402{
403 int i;
404 POLICYINFO *pinfo;
405 /* First print out the policy OIDs */
406 for (i = 0; i < sk_POLICYINFO_num(pol); i++) {
407 if (i > 0)
408 BIO_puts(out, "\n");
409 pinfo = sk_POLICYINFO_value(pol, i);
410 BIO_printf(out, "%*sPolicy: ", indent, "");
411 i2a_ASN1_OBJECT(out, pinfo->policyid);
412 if (pinfo->qualifiers) {
413 BIO_puts(out, "\n");
414 print_qualifiers(out, pinfo->qualifiers, indent + 2);
415 }
416 }
417 return 1;
418}
419
420static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
421 int indent)
422{
423 POLICYQUALINFO *qualinfo;
424 int i;
425 for (i = 0; i < sk_POLICYQUALINFO_num(quals); i++) {
426 if (i > 0)
427 BIO_puts(out, "\n");
428 qualinfo = sk_POLICYQUALINFO_value(quals, i);
429 switch (OBJ_obj2nid(qualinfo->pqualid)) {
430 case NID_id_qt_cps:
431 BIO_printf(out, "%*sCPS: %s", indent, "",
432 qualinfo->d.cpsuri->data);
433 break;
434
435 case NID_id_qt_unotice:
436 BIO_printf(out, "%*sUser Notice:\n", indent, "");
437 print_notice(out, qualinfo->d.usernotice, indent + 2);
438 break;
439
440 default:
441 BIO_printf(out, "%*sUnknown Qualifier: ", indent + 2, "");
442
443 i2a_ASN1_OBJECT(out, qualinfo->pqualid);
444 break;
445 }
446 }
447}
448
449static void print_notice(BIO *out, USERNOTICE *notice, int indent)
450{
451 int i;
452 if (notice->noticeref) {
453 NOTICEREF *ref;
454 ref = notice->noticeref;
455 BIO_printf(out, "%*sOrganization: %s\n", indent, "",
456 ref->organization->data);
457 BIO_printf(out, "%*sNumber%s: ", indent, "",
458 sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : "");
459 for (i = 0; i < sk_ASN1_INTEGER_num(ref->noticenos); i++) {
460 ASN1_INTEGER *num;
461 char *tmp;
462 num = sk_ASN1_INTEGER_value(ref->noticenos, i);
463 if (i)
464 BIO_puts(out, ", ");
465 if (num == NULL)
466 BIO_puts(out, "(null)");
467 else {
468 tmp = i2s_ASN1_INTEGER(NULL, num);
469 if (tmp == NULL)
470 return;
471 BIO_puts(out, tmp);
472 OPENSSL_free(tmp);
473 }
474 }
475 if (notice->exptext)
476 BIO_puts(out, "\n");
477 }
478 if (notice->exptext)
479 BIO_printf(out, "%*sExplicit Text: %s", indent, "",
480 notice->exptext->data);
481}
482
483void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
484{
485 const X509_POLICY_DATA *dat = node->data;
486
487 BIO_printf(out, "%*sPolicy: ", indent, "");
488
489 i2a_ASN1_OBJECT(out, dat->valid_policy);
490 BIO_puts(out, "\n");
491 BIO_printf(out, "%*s%s\n", indent + 2, "",
492 node_data_critical(dat) ? "Critical" : "Non Critical");
493 if (dat->qualifier_set) {
494 print_qualifiers(out, dat->qualifier_set, indent + 2);
495 BIO_puts(out, "\n");
496 }
497 else
498 BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
499}
500