1 | /* |
2 | * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at |
7 | * https://www.openssl.org/source/license.html |
8 | */ |
9 | |
10 | #include <stdio.h> |
11 | #include "internal/cryptlib.h" |
12 | #include <openssl/conf.h> |
13 | #include <openssl/asn1.h> |
14 | #include <openssl/asn1t.h> |
15 | #include <openssl/x509v3.h> |
16 | |
17 | #include "pcy_local.h" |
18 | #include "ext_dat.h" |
19 | |
20 | /* Certificate policies extension support: this one is a bit complex... */ |
21 | |
22 | static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol, |
23 | BIO *out, int indent); |
24 | static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method, |
25 | X509V3_CTX *ctx, const char *value); |
26 | static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals, |
27 | int indent); |
28 | static void print_notice(BIO *out, USERNOTICE *notice, int indent); |
29 | static POLICYINFO *policy_section(X509V3_CTX *ctx, |
30 | STACK_OF(CONF_VALUE) *polstrs, int ia5org); |
31 | static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, |
32 | STACK_OF(CONF_VALUE) *unot, int ia5org); |
33 | static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos); |
34 | static int displaytext_str2tag(const char *tagstr, unsigned int *tag_len); |
35 | static int displaytext_get_tag_len(const char *tagstr); |
36 | |
/*
 * Extension method table for certificatePolicies (RFC 5280, 4.2.1.4).
 *
 * Only the ASN.1 item and the two "raw" config/print callbacks are wired
 * up: r2i_certpol() builds the extension from an openssl.cnf value and
 * i2r_certpol() pretty-prints it.  Every other callback slot is 0, so
 * encode/decode goes through the generic ASN1_ITEM machinery for
 * CERTIFICATEPOLICIES defined below.  The initializer is positional and
 * follows X509V3_EXT_METHOD's field order (see openssl/x509v3.h); keep it
 * in sync if that struct ever changes.
 */
const X509V3_EXT_METHOD v3_cpols = {
    NID_certificate_policies, 0, ASN1_ITEM_ref(CERTIFICATEPOLICIES),
    0, 0, 0, 0,
    0, 0,
    0, 0,
    (X509V3_EXT_I2R)i2r_certpol,
    (X509V3_EXT_R2I)r2i_certpol,
    NULL
};
46 | |
/*
 * certificatePolicies ::= SEQUENCE OF PolicyInformation (RFC 5280 4.2.1.4),
 * expressed as a bare SEQUENCE OF template over POLICYINFO.
 */
ASN1_ITEM_TEMPLATE(CERTIFICATEPOLICIES) =
        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CERTIFICATEPOLICIES, POLICYINFO)
ASN1_ITEM_TEMPLATE_END(CERTIFICATEPOLICIES)

IMPLEMENT_ASN1_FUNCTIONS(CERTIFICATEPOLICIES)

/* PolicyInformation: the policy OID plus an OPTIONAL sequence of qualifiers. */
ASN1_SEQUENCE(POLICYINFO) = {
        ASN1_SIMPLE(POLICYINFO, policyid, ASN1_OBJECT),
        ASN1_SEQUENCE_OF_OPT(POLICYINFO, qualifiers, POLICYQUALINFO)
} ASN1_SEQUENCE_END(POLICYINFO)

IMPLEMENT_ASN1_FUNCTIONS(POLICYINFO)

/*
 * Fallback qualifier body: an unknown qualifier OID is kept verbatim as an
 * opaque ASN1_ANY in d.other rather than rejected.
 */
ASN1_ADB_TEMPLATE(policydefault) = ASN1_SIMPLE(POLICYQUALINFO, d.other, ASN1_ANY);

/*
 * ANY DEFINED BY table keyed on pqualid: id-qt-cps carries an IA5String
 * URI (d.cpsuri), id-qt-unotice a UserNotice (d.usernotice); anything else
 * selects the policydefault template above.
 */
ASN1_ADB(POLICYQUALINFO) = {
        ADB_ENTRY(NID_id_qt_cps, ASN1_SIMPLE(POLICYQUALINFO, d.cpsuri, ASN1_IA5STRING)),
        ADB_ENTRY(NID_id_qt_unotice, ASN1_SIMPLE(POLICYQUALINFO, d.usernotice, USERNOTICE))
} ASN1_ADB_END(POLICYQUALINFO, 0, pqualid, 0, &policydefault_tt, NULL);

/* PolicyQualifierInfo: qualifier OID followed by the ADB-selected body. */
ASN1_SEQUENCE(POLICYQUALINFO) = {
        ASN1_SIMPLE(POLICYQUALINFO, pqualid, ASN1_OBJECT),
        ASN1_ADB_OBJECT(POLICYQUALINFO)
} ASN1_SEQUENCE_END(POLICYQUALINFO)

IMPLEMENT_ASN1_FUNCTIONS(POLICYQUALINFO)

/* UserNotice: both the NoticeReference and the explicit text are OPTIONAL. */
ASN1_SEQUENCE(USERNOTICE) = {
        ASN1_OPT(USERNOTICE, noticeref, NOTICEREF),
        ASN1_OPT(USERNOTICE, exptext, DISPLAYTEXT)
} ASN1_SEQUENCE_END(USERNOTICE)

IMPLEMENT_ASN1_FUNCTIONS(USERNOTICE)

/*
 * NoticeReference: an organization DisplayText and a (possibly empty)
 * SEQUENCE OF INTEGER notice numbers; neither member is OPTIONAL.
 */
ASN1_SEQUENCE(NOTICEREF) = {
        ASN1_SIMPLE(NOTICEREF, organization, DISPLAYTEXT),
        ASN1_SEQUENCE_OF(NOTICEREF, noticenos, ASN1_INTEGER)
} ASN1_SEQUENCE_END(NOTICEREF)

IMPLEMENT_ASN1_FUNCTIONS(NOTICEREF)
87 | |
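/*
 * Build a certificatePolicies extension from its configuration value.
 *
 * "value" is a comma-separated list (split by X509V3_parse_list()) whose
 * items are each one of:
 *   - a policy OID (dotted form or a name OBJ_txt2obj() knows), giving a
 *     PolicyInformation with no qualifiers;
 *   - "@section", a config section handed to policy_section();
 *   - the flag "ia5org", which makes later userNotice organization strings
 *     IA5String instead of VisibleString.  It is positional: it only
 *     affects sections that appear AFTER it in the list.
 * Items of the form "name=value" are rejected.
 *
 * Returns a new STACK_OF(POLICYINFO) owned by the caller, or NULL with the
 * error queue set.  "method" is unused.
 */
static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
                                         X509V3_CTX *ctx, const char *value)
{
    STACK_OF(POLICYINFO) *pols = NULL;
    STACK_OF(CONF_VALUE) *vals;
    CONF_VALUE *cnf;
    POLICYINFO *pol;
    ASN1_OBJECT *pobj;
    char *pstr;
    int i, num, ia5org = 0;

    vals = X509V3_parse_list(value);
    if (vals == NULL) {
        X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_X509V3_LIB);
        return NULL;
    }

    /* Only query the list once we know it exists. */
    num = sk_CONF_VALUE_num(vals);
    pols = sk_POLICYINFO_new_reserve(NULL, num);
    if (pols == NULL) {
        X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
        goto err;
    }

    for (i = 0; i < num; i++) {
        cnf = sk_CONF_VALUE_value(vals, i);

        /* Every item must be a bare name: "name=value" is not a policy. */
        if (cnf->value != NULL || cnf->name == NULL) {
            X509V3err(X509V3_F_R2I_CERTPOL,
                      X509V3_R_INVALID_POLICY_IDENTIFIER);
            X509V3_conf_err(cnf);
            goto err;
        }
        pstr = cnf->name;

        if (strcmp(pstr, "ia5org") == 0) {
            /* A flag, not a policy: remembered for the sections that follow. */
            ia5org = 1;
            continue;
        }

        if (*pstr == '@') {
            STACK_OF(CONF_VALUE) *polsect = X509V3_get_section(ctx, pstr + 1);

            if (polsect == NULL) {
                X509V3err(X509V3_F_R2I_CERTPOL, X509V3_R_INVALID_SECTION);
                X509V3_conf_err(cnf);
                goto err;
            }
            pol = policy_section(ctx, polsect, ia5org);
            X509V3_section_free(ctx, polsect);
            if (pol == NULL)
                goto err;
        } else {
            /* no_name == 0: short/long names are accepted as well as OIDs. */
            if ((pobj = OBJ_txt2obj(pstr, 0)) == NULL) {
                X509V3err(X509V3_F_R2I_CERTPOL,
                          X509V3_R_INVALID_OBJECT_IDENTIFIER);
                X509V3_conf_err(cnf);
                goto err;
            }
            pol = POLICYINFO_new();
            if (pol == NULL) {
                ASN1_OBJECT_free(pobj);
                X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
                goto err;
            }
            pol->policyid = pobj;
        }

        /* pol is only owned by pols once the push succeeds. */
        if (!sk_POLICYINFO_push(pols, pol)) {
            POLICYINFO_free(pol);
            X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
            goto err;
        }
    }
    sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
    return pols;

 err:
    sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
    sk_POLICYINFO_pop_free(pols, POLICYINFO_free);
    return NULL;
}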
167 | |
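/*
 * Build one PolicyInformation from a "@section" named in the
 * certificatePolicies value (see r2i_certpol()).
 *
 * Keys recognised in the section:
 *   policyIdentifier = OID    required; if repeated, the last one wins
 *   CPS              = URI    may repeat; one id-qt-cps qualifier each
 *   userNotice       = @sect  may repeat; each built by notice_section()
 * CPS and userNotice are matched with v3_name_cmp() rather than strcmp(),
 * presumably so numbered variants such as "CPS.1" are accepted -- check
 * that helper before relying on it.  Any other key is an error.
 *
 * Returns a new POLICYINFO owned by the caller, or NULL with the error
 * queue set.  "ia5org" is passed through to notice_section().
 */
static POLICYINFO *policy_section(X509V3_CTX *ctx,
                                  STACK_OF(CONF_VALUE) *polstrs, int ia5org)
{
    int i;
    CONF_VALUE *cnf;
    POLICYINFO *pol;
    POLICYQUALINFO *qual;

    if ((pol = POLICYINFO_new()) == NULL)
        goto merr;
    for (i = 0; i < sk_CONF_VALUE_num(polstrs); i++) {
        cnf = sk_CONF_VALUE_value(polstrs, i);
        if (strcmp(cnf->name, "policyIdentifier") == 0) {
            ASN1_OBJECT *pobj;

            if ((pobj = OBJ_txt2obj(cnf->value, 0)) == NULL) {
                X509V3err(X509V3_F_POLICY_SECTION,
                          X509V3_R_INVALID_OBJECT_IDENTIFIER);
                X509V3_conf_err(cnf);
                goto err;
            }
            /* Last one wins: release an earlier OID instead of leaking it. */
            ASN1_OBJECT_free(pol->policyid);
            pol->policyid = pobj;
        } else if (!v3_name_cmp(cnf->name, "CPS")) {
            if (pol->qualifiers == NULL
                && (pol->qualifiers = sk_POLICYQUALINFO_new_null()) == NULL)
                goto merr;
            if ((qual = POLICYQUALINFO_new()) == NULL)
                goto merr;
            if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual)) {
                /* Not yet owned by pol, so it would leak without this. */
                POLICYQUALINFO_free(qual);
                goto merr;
            }
            /* From here on qual is released through POLICYINFO_free(pol). */
            if ((qual->pqualid = OBJ_nid2obj(NID_id_qt_cps)) == NULL) {
                X509V3err(X509V3_F_POLICY_SECTION, ERR_R_INTERNAL_ERROR);
                goto err;
            }
            if ((qual->d.cpsuri = ASN1_IA5STRING_new()) == NULL)
                goto merr;
            if (!ASN1_STRING_set(qual->d.cpsuri, cnf->value,
                                 strlen(cnf->value)))
                goto merr;
        } else if (!v3_name_cmp(cnf->name, "userNotice")) {
            STACK_OF(CONF_VALUE) *unot;

            if (*cnf->value != '@') {
                X509V3err(X509V3_F_POLICY_SECTION,
                          X509V3_R_EXPECTED_A_SECTION_NAME);
                X509V3_conf_err(cnf);
                goto err;
            }
            unot = X509V3_get_section(ctx, cnf->value + 1);
            if (unot == NULL) {
                X509V3err(X509V3_F_POLICY_SECTION, X509V3_R_INVALID_SECTION);
                X509V3_conf_err(cnf);
                goto err;
            }
            qual = notice_section(ctx, unot, ia5org);
            X509V3_section_free(ctx, unot);
            if (qual == NULL)
                goto err;
            /* qual is ours until the push succeeds: free it on any failure. */
            if (pol->qualifiers == NULL
                && (pol->qualifiers = sk_POLICYQUALINFO_new_null()) == NULL) {
                POLICYQUALINFO_free(qual);
                goto merr;
            }
            if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual)) {
                POLICYQUALINFO_free(qual);
                goto merr;
            }
        } else {
            X509V3err(X509V3_F_POLICY_SECTION, X509V3_R_INVALID_OPTION);
            X509V3_conf_err(cnf);
            goto err;
        }
    }
    if (pol->policyid == NULL) {
        X509V3err(X509V3_F_POLICY_SECTION, X509V3_R_NO_POLICY_IDENTIFIER);
        goto err;
    }

    return pol;

 merr:
    X509V3err(X509V3_F_POLICY_SECTION, ERR_R_MALLOC_FAILURE);

 err:
    POLICYINFO_free(pol);
    return NULL;
}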
250 | |
/*
 * Length of the optional "TAG:" prefix of a displaytext config value.
 *
 * Returns the number of characters before the first ':' in tagstr (0 when
 * the string starts with ':'), or -1 when there is no ':' at all.
 */
static int displaytext_get_tag_len(const char *tagstr)
{
    const char *p;

    for (p = tagstr; *p != '\0'; p++) {
        if (*p == ':')
            return (int)(p - tagstr);
    }
    return -1;
}
257 | |
/*
 * Map the optional "TAG:" prefix of an explicitText value to an ASN.1
 * string type.
 *
 * Recognised tags (case-sensitive): UTF8, UTF8String, BMP, BMPSTRING,
 * VISIBLE, VISIBLESTRING.  On a match *tag_len is the prefix length and the
 * caller skips tag_len + 1 bytes (the tag and its ':').  When there is no
 * ':' at all, or the tag is not one of the above, *tag_len is 0 and
 * V_ASN1_VISIBLESTRING is returned -- note that in the unknown-tag case the
 * caller therefore keeps the whole value, "TAG:" included, as the text.
 */
static int displaytext_str2tag(const char *tagstr, unsigned int *tag_len)
{
    static const struct {
        const char *name;
        int type;
    } tags[] = {
        { "UTF8", V_ASN1_UTF8STRING },
        { "UTF8String", V_ASN1_UTF8STRING },
        { "BMP", V_ASN1_BMPSTRING },
        { "BMPSTRING", V_ASN1_BMPSTRING },
        { "VISIBLE", V_ASN1_VISIBLESTRING },
        { "VISIBLESTRING", V_ASN1_VISIBLESTRING },
    };
    size_t k;
    int prefix = displaytext_get_tag_len(tagstr);

    *tag_len = 0;
    if (prefix < 0)
        return V_ASN1_VISIBLESTRING;

    for (k = 0; k < sizeof(tags) / sizeof(tags[0]); k++) {
        if (strlen(tags[k].name) == (size_t)prefix
            && strncmp(tagstr, tags[k].name, (size_t)prefix) == 0) {
            *tag_len = (unsigned int)prefix;
            return tags[k].type;
        }
    }
    /* Unknown tag: report no prefix so the value is used verbatim. */
    return V_ASN1_VISIBLESTRING;
}
283 | |
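/*
 * Build an id-qt-unotice policy qualifier from the "@section" named by a
 * userNotice= line (see policy_section()).
 *
 * Keys recognised in the section:
 *   explicitText  = [TAG:]text   TAG as understood by displaytext_str2tag();
 *                                if repeated, the last one wins
 *   organization  = text         IA5String when ia5org is set, otherwise
 *                                VisibleString
 *   noticeNumbers = n1, n2, ...  comma list parsed by nref_nos(); an empty
 *                                list is an error
 * organization and noticeNumbers share one NoticeReference, created on
 * first use.  Any other key is an error.
 *
 * Returns a new POLICYQUALINFO owned by the caller, or NULL with the error
 * queue set.  "ctx" is currently unused.
 */
static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
                                      STACK_OF(CONF_VALUE) *unot, int ia5org)
{
    int i, ret, len, tag;
    unsigned int tag_len;
    CONF_VALUE *cnf;
    USERNOTICE *unotice;
    POLICYQUALINFO *qual;
    char *value;

    if ((qual = POLICYQUALINFO_new()) == NULL)
        goto merr;
    if ((qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice)) == NULL) {
        X509V3err(X509V3_F_NOTICE_SECTION, ERR_R_INTERNAL_ERROR);
        goto err;
    }
    if ((unotice = USERNOTICE_new()) == NULL)
        goto merr;
    /* Owned by qual from here on: POLICYQUALINFO_free(qual) releases it. */
    qual->d.usernotice = unotice;

    for (i = 0; i < sk_CONF_VALUE_num(unot); i++) {
        cnf = sk_CONF_VALUE_value(unot, i);
        value = cnf->value;
        if (strcmp(cnf->name, "explicitText") == 0) {
            tag = displaytext_str2tag(value, &tag_len);
            /* A repeated explicitText replaces the earlier one: free it. */
            ASN1_STRING_free(unotice->exptext);
            if ((unotice->exptext = ASN1_STRING_type_new(tag)) == NULL)
                goto merr;
            if (tag_len != 0)
                value += tag_len + 1;   /* skip "TAG:" */
            len = strlen(value);
            if (!ASN1_STRING_set(unotice->exptext, value, len))
                goto merr;
        } else if (strcmp(cnf->name, "organization") == 0) {
            NOTICEREF *nref;

            if (unotice->noticeref == NULL) {
                if ((nref = NOTICEREF_new()) == NULL)
                    goto merr;
                unotice->noticeref = nref;
            } else {
                nref = unotice->noticeref;
            }
            /* ia5org selects the legacy IA5String encoding for the name. */
            nref->organization->type = ia5org ? V_ASN1_IA5STRING
                                              : V_ASN1_VISIBLESTRING;
            if (!ASN1_STRING_set(nref->organization, value, strlen(value)))
                goto merr;
        } else if (strcmp(cnf->name, "noticeNumbers") == 0) {
            NOTICEREF *nref;
            STACK_OF(CONF_VALUE) *nos;

            if (unotice->noticeref == NULL) {
                if ((nref = NOTICEREF_new()) == NULL)
                    goto merr;
                unotice->noticeref = nref;
            } else {
                nref = unotice->noticeref;
            }
            nos = X509V3_parse_list(value);
            if (nos == NULL || sk_CONF_VALUE_num(nos) == 0) {
                X509V3err(X509V3_F_NOTICE_SECTION, X509V3_R_INVALID_NUMBERS);
                X509V3_conf_err(cnf);
                sk_CONF_VALUE_pop_free(nos, X509V3_conf_free); /* NULL-safe */
                goto err;
            }
            ret = nref_nos(nref->noticenos, nos);
            sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
            if (!ret)
                goto err;
        } else {
            X509V3err(X509V3_F_NOTICE_SECTION, X509V3_R_INVALID_OPTION);
            X509V3_conf_err(cnf);
            goto err;
        }
    }

    /*
     * NOTE(review): the code above dereferences nref->organization and
     * pushes into nref->noticenos straight after NOTICEREF_new(), i.e. it
     * relies on both members being allocated.  If that holds, this NULL
     * test can never fire for a section that set only one of
     * organization/noticeNumbers; a check on sk_ASN1_INTEGER_num() and
     * organization->length would match the error's intent -- confirm
     * before changing, as it would reject configs accepted today.
     */
    if (unotice->noticeref != NULL
        && (unotice->noticeref->noticenos == NULL
            || unotice->noticeref->organization == NULL)) {
        X509V3err(X509V3_F_NOTICE_SECTION,
                  X509V3_R_NEED_ORGANIZATION_AND_NUMBERS);
        goto err;
    }

    return qual;

 merr:
    X509V3err(X509V3_F_NOTICE_SECTION, ERR_R_MALLOC_FAILURE);

 err:
    POLICYQUALINFO_free(qual);
    return NULL;
}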
373 | |
/*
 * Append the notice numbers listed in "nos" to "nnums".
 *
 * Each CONF_VALUE's name is parsed with s2i_ASN1_INTEGER(); an unparsable
 * entry raises X509V3_R_INVALID_NUMBER.  Numbers already pushed before a
 * failure stay in nnums (the caller frees the whole NOTICEREF).  Returns 1
 * on success, 0 on error with the error queue set.
 */
static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos)
{
    int idx, count = sk_CONF_VALUE_num(nos);

    for (idx = 0; idx < count; idx++) {
        CONF_VALUE *item = sk_CONF_VALUE_value(nos, idx);
        ASN1_INTEGER *num = s2i_ASN1_INTEGER(NULL, item->name);

        if (num == NULL) {
            X509V3err(X509V3_F_NREF_NOS, X509V3_R_INVALID_NUMBER);
            return 0;
        }
        if (!sk_ASN1_INTEGER_push(nnums, num)) {
            /* Not owned by nnums yet, so release it here. */
            ASN1_INTEGER_free(num);
            X509V3err(X509V3_F_NREF_NOS, ERR_R_MALLOC_FAILURE);
            return 0;
        }
    }
    return 1;
}
399 | |
/*
 * X509V3_EXT_I2R print callback for certificatePolicies.
 *
 * Writes one "Policy: <oid>" line per entry at "indent", with that entry's
 * qualifiers (if any) printed two columns deeper by print_qualifiers().
 * Entries are newline-separated; no newline is emitted after the last one.
 * BIO write failures are not checked.  Always returns 1.  "method" is
 * unused.
 */
static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol,
                       BIO *out, int indent)
{
    int idx, count = sk_POLICYINFO_num(pol);

    for (idx = 0; idx < count; idx++) {
        POLICYINFO *info = sk_POLICYINFO_value(pol, idx);

        if (idx != 0)
            BIO_puts(out, "\n");
        BIO_printf(out, "%*sPolicy: ", indent, "");
        i2a_ASN1_OBJECT(out, info->policyid);
        if (info->qualifiers != NULL) {
            BIO_puts(out, "\n");
            print_qualifiers(out, info->qualifiers, indent + 2);
        }
    }
    return 1;
}
419 | |
/*
 * Print a qualifier list, newline-separated, with no trailing newline.
 *
 * id-qt-cps prints the URI, id-qt-unotice defers to print_notice(), and any
 * other OID is printed as "Unknown Qualifier: <oid>".  The unknown branch
 * indents two columns deeper than the other two; that asymmetry is the
 * historical output format and is preserved here.
 *
 * The CPS URI is printed with "%s" from ASN1_STRING data, so it relies on
 * the string being NUL-terminated (ASN1_STRING_set(), used by the r2i path,
 * terminates what it stores; decoded strings are presumed to be terminated
 * the same way) and stops at an embedded NUL if there is one.
 */
static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
                             int indent)
{
    int idx, count = sk_POLICYQUALINFO_num(quals);

    for (idx = 0; idx < count; idx++) {
        POLICYQUALINFO *qi = sk_POLICYQUALINFO_value(quals, idx);
        int nid = OBJ_obj2nid(qi->pqualid);

        if (idx != 0)
            BIO_puts(out, "\n");

        if (nid == NID_id_qt_cps) {
            BIO_printf(out, "%*sCPS: %s", indent, "", qi->d.cpsuri->data);
        } else if (nid == NID_id_qt_unotice) {
            BIO_printf(out, "%*sUser Notice:\n", indent, "");
            print_notice(out, qi->d.usernotice, indent + 2);
        } else {
            BIO_printf(out, "%*sUnknown Qualifier: ", indent + 2, "");
            i2a_ASN1_OBJECT(out, qi->pqualid);
        }
    }
}
448 | |
/*
 * Print the notice numbers of a NoticeReference as a ", "-separated list.
 *
 * A NULL entry prints as "(null)".  Returns 0 as soon as i2s_ASN1_INTEGER()
 * fails for an entry (the caller then abandons the rest of the notice),
 * otherwise 1.
 */
static int print_notice_numbers(BIO *out, STACK_OF(ASN1_INTEGER) *nums)
{
    int idx, count = sk_ASN1_INTEGER_num(nums);

    for (idx = 0; idx < count; idx++) {
        ASN1_INTEGER *num = sk_ASN1_INTEGER_value(nums, idx);
        char *text;

        if (idx != 0)
            BIO_puts(out, ", ");
        if (num == NULL) {
            BIO_puts(out, "(null)");
            continue;
        }
        if ((text = i2s_ASN1_INTEGER(NULL, num)) == NULL)
            return 0;
        BIO_puts(out, text);
        OPENSSL_free(text);
    }
    return 1;
}

/*
 * Print a UserNotice: the optional NoticeReference ("Organization: ..."
 * and "Number(s): ..." lines) followed by the optional "Explicit Text: ..."
 * line, which is not newline-terminated.
 *
 * If a notice number cannot be converted to text, output stops mid-line
 * and the explicit text is not printed (same as the historical behaviour).
 * Both DisplayText values are printed with "%s" and so rely on the ASN1
 * string data being NUL-terminated.
 */
static void print_notice(BIO *out, USERNOTICE *notice, int indent)
{
    NOTICEREF *ref = notice->noticeref;

    if (ref != NULL) {
        BIO_printf(out, "%*sOrganization: %s\n", indent, "",
                   ref->organization->data);
        BIO_printf(out, "%*sNumber%s: ", indent, "",
                   sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : "");
        if (!print_notice_numbers(out, ref->noticenos))
            return;
        if (notice->exptext != NULL)
            BIO_puts(out, "\n");
    }
    if (notice->exptext != NULL)
        BIO_printf(out, "%*sExplicit Text: %s", indent, "",
                   notice->exptext->data);
}
482 | |
/*
 * Print one node of a validated policy tree.
 *
 * Output is "Policy: <oid>" at "indent", then "Critical" or "Non Critical"
 * (from node_data_critical()) two columns deeper, then either the node's
 * qualifier set via print_qualifiers() or the line "No Qualifiers".  Every
 * line this function emits ends with a newline.  BIO write failures are
 * not checked.
 */
void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
{
    const X509_POLICY_DATA *data = node->data;
    const char *crit = node_data_critical(data) ? "Critical" : "Non Critical";

    BIO_printf(out, "%*sPolicy: ", indent, "");
    i2a_ASN1_OBJECT(out, data->valid_policy);
    BIO_puts(out, "\n");
    BIO_printf(out, "%*s%s\n", indent + 2, "", crit);

    if (data->qualifier_set == NULL) {
        BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
        return;
    }
    print_qualifiers(out, data->qualifier_set, indent + 2);
    BIO_puts(out, "\n");
}
500 | |