| // Copyright 2015 The Chromium Authors |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include <algorithm> |
| |
| #include "certificate_policies.h" |
| |
| #include <openssl/base.h> |
| #include "cert_error_params.h" |
| #include "cert_errors.h" |
| #include "input.h" |
| #include "parse_values.h" |
| #include "parser.h" |
| |
| namespace bssl { |
| |
| namespace { |
| |
| // --------------------------------------------------------------- |
| // Errors |
| // --------------------------------------------------------------- |
| |
| DEFINE_CERT_ERROR_ID(kPolicyQualifiersEmptySequence, |
| "The policy qualifiers SEQUENCE is empty"); |
| DEFINE_CERT_ERROR_ID(kUnknownPolicyQualifierOid, |
| "Unknown policy qualifier OID (not CPS or User Notice)"); |
| DEFINE_CERT_ERROR_ID(kPoliciesEmptySequence, "Policies is an empty SEQUENCE"); |
| DEFINE_CERT_ERROR_ID(kPoliciesDuplicateOid, "Policies contains duplicate OIDs"); |
| DEFINE_CERT_ERROR_ID(kPolicyInformationTrailingData, |
| "PolicyInformation has trailing data"); |
| DEFINE_CERT_ERROR_ID(kFailedParsingPolicyQualifiers, |
| "Failed parsing policy qualifiers"); |
| DEFINE_CERT_ERROR_ID(kMissingQualifier, |
| "PolicyQualifierInfo is missing qualifier"); |
| DEFINE_CERT_ERROR_ID(kPolicyQualifierInfoTrailingData, |
| "PolicyQualifierInfo has trailing data"); |
| |
| // Minimally parse policyQualifiers, storing in |policy_qualifiers| if non-null. |
| // If a policy qualifier other than User Notice/CPS is present, parsing |
| // will fail if |restrict_to_known_qualifiers| was set to true. |
| bool ParsePolicyQualifiers(bool restrict_to_known_qualifiers, |
| der::Parser *policy_qualifiers_sequence_parser, |
| std::vector<PolicyQualifierInfo> *policy_qualifiers, |
| CertErrors *errors) { |
| BSSL_CHECK(errors); |
| |
| // If it is present, the policyQualifiers sequence should have at least 1 |
| // element. |
| // |
| // policyQualifiers SEQUENCE SIZE (1..MAX) OF |
| // PolicyQualifierInfo OPTIONAL } |
| if (!policy_qualifiers_sequence_parser->HasMore()) { |
| errors->AddError(kPolicyQualifiersEmptySequence); |
| return false; |
| } |
| while (policy_qualifiers_sequence_parser->HasMore()) { |
| // PolicyQualifierInfo ::= SEQUENCE { |
| der::Parser policy_information_parser; |
| if (!policy_qualifiers_sequence_parser->ReadSequence( |
| &policy_information_parser)) { |
| return false; |
| } |
| // policyQualifierId PolicyQualifierId, |
| der::Input qualifier_oid; |
| if (!policy_information_parser.ReadTag(CBS_ASN1_OBJECT, &qualifier_oid)) { |
| return false; |
| } |
| if (restrict_to_known_qualifiers && |
| qualifier_oid != der::Input(kCpsPointerId) && |
| qualifier_oid != der::Input(kUserNoticeId)) { |
| errors->AddError(kUnknownPolicyQualifierOid, |
| CreateCertErrorParams1Der("oid", qualifier_oid)); |
| return false; |
| } |
| // qualifier ANY DEFINED BY policyQualifierId } |
| der::Input qualifier_tlv; |
| if (!policy_information_parser.ReadRawTLV(&qualifier_tlv)) { |
| errors->AddError(kMissingQualifier); |
| return false; |
| } |
| // Should not have trailing data after qualifier. |
| if (policy_information_parser.HasMore()) { |
| errors->AddError(kPolicyQualifierInfoTrailingData); |
| return false; |
| } |
| |
| if (policy_qualifiers) { |
| policy_qualifiers->push_back({qualifier_oid, qualifier_tlv}); |
| } |
| } |
| return true; |
| } |
| |
| // RFC 5280 section 4.2.1.4. Certificate Policies: |
| // |
| // certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation |
| // |
| // PolicyInformation ::= SEQUENCE { |
| // policyIdentifier CertPolicyId, |
| // policyQualifiers SEQUENCE SIZE (1..MAX) OF |
| // PolicyQualifierInfo OPTIONAL } |
| // |
| // CertPolicyId ::= OBJECT IDENTIFIER |
| // |
| // PolicyQualifierInfo ::= SEQUENCE { |
| // policyQualifierId PolicyQualifierId, |
| // qualifier ANY DEFINED BY policyQualifierId } |
| // |
| // PolicyQualifierId ::= OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice ) |
| // |
| // Qualifier ::= CHOICE { |
| // cPSuri CPSuri, |
| // userNotice UserNotice } |
| // |
| // CPSuri ::= IA5String |
| // |
| // UserNotice ::= SEQUENCE { |
| // noticeRef NoticeReference OPTIONAL, |
| // explicitText DisplayText OPTIONAL } |
| // |
| // NoticeReference ::= SEQUENCE { |
| // organization DisplayText, |
| // noticeNumbers SEQUENCE OF INTEGER } |
| // |
| // DisplayText ::= CHOICE { |
| // ia5String IA5String (SIZE (1..200)), |
| // visibleString VisibleString (SIZE (1..200)), |
| // bmpString BMPString (SIZE (1..200)), |
| // utf8String UTF8String (SIZE (1..200)) } |
| bool ParseCertificatePoliciesExtensionImpl( |
| der::Input extension_value, bool fail_parsing_unknown_qualifier_oids, |
| std::vector<der::Input> *policy_oids, |
| std::vector<PolicyInformation> *policy_informations, CertErrors *errors) { |
| BSSL_CHECK(policy_oids); |
| BSSL_CHECK(errors); |
| // certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation |
| der::Parser extension_parser(extension_value); |
| der::Parser policies_sequence_parser; |
| if (!extension_parser.ReadSequence(&policies_sequence_parser)) { |
| return false; |
| } |
| // Should not have trailing data after certificatePolicies sequence. |
| if (extension_parser.HasMore()) { |
| return false; |
| } |
| // The certificatePolicies sequence should have at least 1 element. |
| if (!policies_sequence_parser.HasMore()) { |
| errors->AddError(kPoliciesEmptySequence); |
| return false; |
| } |
| |
| policy_oids->clear(); |
| if (policy_informations) { |
| policy_informations->clear(); |
| } |
| |
| while (policies_sequence_parser.HasMore()) { |
| // PolicyInformation ::= SEQUENCE { |
| der::Parser policy_information_parser; |
| if (!policies_sequence_parser.ReadSequence(&policy_information_parser)) { |
| return false; |
| } |
| // policyIdentifier CertPolicyId, |
| der::Input policy_oid; |
| if (!policy_information_parser.ReadTag(CBS_ASN1_OBJECT, &policy_oid)) { |
| return false; |
| } |
| |
| policy_oids->push_back(policy_oid); |
| |
| std::vector<PolicyQualifierInfo> *policy_qualifiers = nullptr; |
| if (policy_informations) { |
| policy_informations->emplace_back(); |
| policy_informations->back().policy_oid = policy_oid; |
| policy_qualifiers = &policy_informations->back().policy_qualifiers; |
| } |
| |
| if (!policy_information_parser.HasMore()) { |
| continue; |
| } |
| |
| // policyQualifiers SEQUENCE SIZE (1..MAX) OF |
| // PolicyQualifierInfo OPTIONAL } |
| der::Parser policy_qualifiers_sequence_parser; |
| if (!policy_information_parser.ReadSequence( |
| &policy_qualifiers_sequence_parser)) { |
| return false; |
| } |
| // Should not have trailing data after policyQualifiers sequence. |
| if (policy_information_parser.HasMore()) { |
| errors->AddError(kPolicyInformationTrailingData); |
| return false; |
| } |
| |
| // RFC 5280 section 4.2.1.4: When qualifiers are used with the special |
| // policy anyPolicy, they MUST be limited to the qualifiers identified in |
| // this section. |
| if (!ParsePolicyQualifiers(fail_parsing_unknown_qualifier_oids || |
| policy_oid == der::Input(kAnyPolicyOid), |
| &policy_qualifiers_sequence_parser, |
| policy_qualifiers, errors)) { |
| errors->AddError(kFailedParsingPolicyQualifiers); |
| return false; |
| } |
| } |
| |
| // RFC 5280 section 4.2.1.4: A certificate policy OID MUST NOT appear more |
| // than once in a certificate policies extension. |
| std::sort(policy_oids->begin(), policy_oids->end()); |
| auto dupe_policy_iter = |
| std::adjacent_find(policy_oids->begin(), policy_oids->end()); |
| if (dupe_policy_iter != policy_oids->end()) { |
| errors->AddError(kPoliciesDuplicateOid, |
| CreateCertErrorParams1Der("oid", *dupe_policy_iter)); |
| return false; |
| } |
| |
| return true; |
| } |
| |
| } // namespace |
| |
| PolicyInformation::PolicyInformation() = default; |
| PolicyInformation::~PolicyInformation() = default; |
| PolicyInformation::PolicyInformation(const PolicyInformation &) = default; |
| PolicyInformation::PolicyInformation(PolicyInformation &&) = default; |
| |
| bool ParseCertificatePoliciesExtension(der::Input extension_value, |
| std::vector<PolicyInformation> *policies, |
| CertErrors *errors) { |
| std::vector<der::Input> unused_policy_oids; |
| return ParseCertificatePoliciesExtensionImpl( |
| extension_value, /*fail_parsing_unknown_qualifier_oids=*/false, |
| &unused_policy_oids, policies, errors); |
| } |
| |
| bool ParseCertificatePoliciesExtensionOids( |
| der::Input extension_value, bool fail_parsing_unknown_qualifier_oids, |
| std::vector<der::Input> *policy_oids, CertErrors *errors) { |
| return ParseCertificatePoliciesExtensionImpl( |
| extension_value, fail_parsing_unknown_qualifier_oids, policy_oids, |
| nullptr, errors); |
| } |
| |
| // From RFC 5280: |
| // |
| // PolicyConstraints ::= SEQUENCE { |
| // requireExplicitPolicy [0] SkipCerts OPTIONAL, |
| // inhibitPolicyMapping [1] SkipCerts OPTIONAL } |
| // |
| // SkipCerts ::= INTEGER (0..MAX) |
| bool ParsePolicyConstraints(der::Input policy_constraints_tlv, |
| ParsedPolicyConstraints *out) { |
| der::Parser parser(policy_constraints_tlv); |
| |
| // PolicyConstraints ::= SEQUENCE { |
| der::Parser sequence_parser; |
| if (!parser.ReadSequence(&sequence_parser)) { |
| return false; |
| } |
| |
| // RFC 5280 prohibits CAs from issuing PolicyConstraints as an empty sequence: |
| // |
| // Conforming CAs MUST NOT issue certificates where policy constraints |
| // is an empty sequence. That is, either the inhibitPolicyMapping field |
| // or the requireExplicitPolicy field MUST be present. The behavior of |
| // clients that encounter an empty policy constraints field is not |
| // addressed in this profile. |
| if (!sequence_parser.HasMore()) { |
| return false; |
| } |
| |
| std::optional<der::Input> require_value; |
| if (!sequence_parser.ReadOptionalTag(CBS_ASN1_CONTEXT_SPECIFIC | 0, |
| &require_value)) { |
| return false; |
| } |
| |
| if (require_value) { |
| uint8_t require_explicit_policy; |
| if (!ParseUint8(require_value.value(), &require_explicit_policy)) { |
| // TODO(eroman): Surface reason for failure if length was longer than |
| // uint8. |
| return false; |
| } |
| out->require_explicit_policy = require_explicit_policy; |
| } |
| |
| std::optional<der::Input> inhibit_value; |
| if (!sequence_parser.ReadOptionalTag(CBS_ASN1_CONTEXT_SPECIFIC | 1, |
| &inhibit_value)) { |
| return false; |
| } |
| |
| if (inhibit_value) { |
| uint8_t inhibit_policy_mapping; |
| if (!ParseUint8(inhibit_value.value(), &inhibit_policy_mapping)) { |
| // TODO(eroman): Surface reason for failure if length was longer than |
| // uint8. |
| return false; |
| } |
| out->inhibit_policy_mapping = inhibit_policy_mapping; |
| } |
| |
| // There should be no remaining data. |
| if (sequence_parser.HasMore() || parser.HasMore()) { |
| return false; |
| } |
| |
| return true; |
| } |
| |
| // From RFC 5280: |
| // |
| // InhibitAnyPolicy ::= SkipCerts |
| // |
| // SkipCerts ::= INTEGER (0..MAX) |
| std::optional<uint8_t> ParseInhibitAnyPolicy( |
| der::Input inhibit_any_policy_tlv) { |
| der::Parser parser(inhibit_any_policy_tlv); |
| std::optional<uint8_t> num_certs = std::make_optional<uint8_t>(); |
| |
| // TODO(eroman): Surface reason for failure if length was longer than uint8. |
| if (!parser.ReadUint8(&num_certs.value())) { |
| return std::nullopt; |
| } |
| |
| // There should be no remaining data. |
| if (parser.HasMore()) { |
| return std::nullopt; |
| } |
| |
| return num_certs; |
| } |
| |
| // From RFC 5280: |
| // |
| // PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { |
| // issuerDomainPolicy CertPolicyId, |
| // subjectDomainPolicy CertPolicyId } |
| bool ParsePolicyMappings(der::Input policy_mappings_tlv, |
| std::vector<ParsedPolicyMapping> *mappings) { |
| mappings->clear(); |
| |
| der::Parser parser(policy_mappings_tlv); |
| |
| // PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { |
| der::Parser sequence_parser; |
| if (!parser.ReadSequence(&sequence_parser)) { |
| return false; |
| } |
| |
| // Must be at least 1 mapping. |
| if (!sequence_parser.HasMore()) { |
| return false; |
| } |
| |
| while (sequence_parser.HasMore()) { |
| der::Parser mapping_parser; |
| if (!sequence_parser.ReadSequence(&mapping_parser)) { |
| return false; |
| } |
| |
| ParsedPolicyMapping mapping; |
| if (!mapping_parser.ReadTag(CBS_ASN1_OBJECT, |
| &mapping.issuer_domain_policy)) { |
| return false; |
| } |
| if (!mapping_parser.ReadTag(CBS_ASN1_OBJECT, |
| &mapping.subject_domain_policy)) { |
| return false; |
| } |
| |
| // There shouldn't be extra unconsumed data. |
| if (mapping_parser.HasMore()) { |
| return false; |
| } |
| |
| mappings->push_back(mapping); |
| } |
| |
| // There shouldn't be extra unconsumed data. |
| if (parser.HasMore()) { |
| return false; |
| } |
| |
| return true; |
| } |
| |
| } // namespace bssl |