blob: 27e81258ea93b235117e87707c84c5d3674fac68 [file] [log] [blame]
/*
* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
* 1999.
*/
/* ====================================================================
* Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* licensing@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com). */
#include <stdio.h>
#include <string.h>
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/conf.h>
#include <openssl/err.h>
#include <openssl/mem.h>
#include <openssl/obj.h>
#include <openssl/x509.h>
#include "internal.h"
static void *v2i_crld(const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx,
const STACK_OF(CONF_VALUE) *nval);
static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
int indent);
const X509V3_EXT_METHOD v3_crld = {
NID_crl_distribution_points,
0,
ASN1_ITEM_ref(CRL_DIST_POINTS),
0,
0,
0,
0,
0,
0,
0,
v2i_crld,
i2r_crldp,
0,
NULL,
};
const X509V3_EXT_METHOD v3_freshest_crl = {
NID_freshest_crl,
0,
ASN1_ITEM_ref(CRL_DIST_POINTS),
0,
0,
0,
0,
0,
0,
0,
v2i_crld,
i2r_crldp,
0,
NULL,
};
static STACK_OF(GENERAL_NAME) *gnames_from_sectname(const X509V3_CTX *ctx,
char *sect) {
const STACK_OF(CONF_VALUE) *gnsect;
STACK_OF(CONF_VALUE) *gnsect_owned = NULL;
if (*sect == '@') {
gnsect = X509V3_get_section(ctx, sect + 1);
} else {
gnsect_owned = X509V3_parse_list(sect);
gnsect = gnsect_owned;
}
if (!gnsect) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_SECTION_NOT_FOUND);
return NULL;
}
STACK_OF(GENERAL_NAME) *gens = v2i_GENERAL_NAMES(NULL, ctx, gnsect);
sk_CONF_VALUE_pop_free(gnsect_owned, X509V3_conf_free);
return gens;
}
// set_dist_point_name decodes a DistributionPointName from |cnf| and writes the
// result in |*pdp|. It returns 1 on success, -1 on error, and 0 if |cnf| used
// an unrecognized input type. The zero return can be used by callers to support
// additional syntax.
static int set_dist_point_name(DIST_POINT_NAME **pdp, const X509V3_CTX *ctx,
const CONF_VALUE *cnf) {
STACK_OF(GENERAL_NAME) *fnm = NULL;
STACK_OF(X509_NAME_ENTRY) *rnm = NULL;
if (!strncmp(cnf->name, "fullname", 9)) {
// If |cnf| comes from |X509V3_parse_list|, which is possible for a v2i
// function, |cnf->value| may be NULL.
if (cnf->value == NULL) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_MISSING_VALUE);
return -1;
}
fnm = gnames_from_sectname(ctx, cnf->value);
if (!fnm) {
goto err;
}
} else if (!strcmp(cnf->name, "relativename")) {
// If |cnf| comes from |X509V3_parse_list|, which is possible for a v2i
// function, |cnf->value| may be NULL.
if (cnf->value == NULL) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_MISSING_VALUE);
return -1;
}
const STACK_OF(CONF_VALUE) *dnsect = X509V3_get_section(ctx, cnf->value);
if (!dnsect) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_SECTION_NOT_FOUND);
return -1;
}
X509_NAME *nm = X509_NAME_new();
if (!nm) {
return -1;
}
int ret = X509V3_NAME_from_section(nm, dnsect, MBSTRING_ASC);
rnm = nm->entries;
nm->entries = NULL;
X509_NAME_free(nm);
if (!ret || sk_X509_NAME_ENTRY_num(rnm) <= 0) {
goto err;
}
// There can only be one RDN in nameRelativeToCRLIssuer.
if (sk_X509_NAME_ENTRY_value(rnm, sk_X509_NAME_ENTRY_num(rnm) - 1)->set) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_MULTIPLE_RDNS);
goto err;
}
} else {
return 0;
}
if (*pdp) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_DISTPOINT_ALREADY_SET);
goto err;
}
*pdp = DIST_POINT_NAME_new();
if (!*pdp) {
goto err;
}
if (fnm) {
(*pdp)->type = 0;
(*pdp)->name.fullname = fnm;
} else {
(*pdp)->type = 1;
(*pdp)->name.relativename = rnm;
}
return 1;
err:
sk_GENERAL_NAME_pop_free(fnm, GENERAL_NAME_free);
sk_X509_NAME_ENTRY_pop_free(rnm, X509_NAME_ENTRY_free);
return -1;
}
static const BIT_STRING_BITNAME reason_flags[] = {
{0, "Unused", "unused"},
{1, "Key Compromise", "keyCompromise"},
{2, "CA Compromise", "CACompromise"},
{3, "Affiliation Changed", "affiliationChanged"},
{4, "Superseded", "superseded"},
{5, "Cessation Of Operation", "cessationOfOperation"},
{6, "Certificate Hold", "certificateHold"},
{7, "Privilege Withdrawn", "privilegeWithdrawn"},
{8, "AA Compromise", "AACompromise"},
{-1, NULL, NULL}};
static int set_reasons(ASN1_BIT_STRING **preas, const char *value) {
if (*preas) {
// Duplicate "reasons" or "onlysomereasons" key.
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_VALUE);
return 0;
}
int ret = 0;
STACK_OF(CONF_VALUE) *rsk = X509V3_parse_list(value);
if (!rsk) {
return 0;
}
for (size_t i = 0; i < sk_CONF_VALUE_num(rsk); i++) {
const char *bnam = sk_CONF_VALUE_value(rsk, i)->name;
if (!*preas) {
*preas = ASN1_BIT_STRING_new();
if (!*preas) {
goto err;
}
}
const BIT_STRING_BITNAME *pbn;
for (pbn = reason_flags; pbn->lname; pbn++) {
if (!strcmp(pbn->sname, bnam)) {
if (!ASN1_BIT_STRING_set_bit(*preas, pbn->bitnum, 1)) {
goto err;
}
break;
}
}
if (!pbn->lname) {
goto err;
}
}
ret = 1;
err:
sk_CONF_VALUE_pop_free(rsk, X509V3_conf_free);
return ret;
}
static int print_reasons(BIO *out, const char *rname, ASN1_BIT_STRING *rflags,
int indent) {
int first = 1;
const BIT_STRING_BITNAME *pbn;
BIO_printf(out, "%*s%s:\n%*s", indent, "", rname, indent + 2, "");
for (pbn = reason_flags; pbn->lname; pbn++) {
if (ASN1_BIT_STRING_get_bit(rflags, pbn->bitnum)) {
if (first) {
first = 0;
} else {
BIO_puts(out, ", ");
}
BIO_puts(out, pbn->lname);
}
}
if (first) {
BIO_puts(out, "<EMPTY>\n");
} else {
BIO_puts(out, "\n");
}
return 1;
}
static DIST_POINT *crldp_from_section(const X509V3_CTX *ctx,
const STACK_OF(CONF_VALUE) *nval) {
DIST_POINT *point = NULL;
point = DIST_POINT_new();
if (!point) {
goto err;
}
for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) {
const CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i);
int ret = set_dist_point_name(&point->distpoint, ctx, cnf);
if (ret > 0) {
continue;
}
if (ret < 0) {
goto err;
}
if (!strcmp(cnf->name, "reasons")) {
if (!set_reasons(&point->reasons, cnf->value)) {
goto err;
}
} else if (!strcmp(cnf->name, "CRLissuer")) {
GENERAL_NAMES_free(point->CRLissuer);
point->CRLissuer = gnames_from_sectname(ctx, cnf->value);
if (!point->CRLissuer) {
goto err;
}
}
}
return point;
err:
DIST_POINT_free(point);
return NULL;
}
static void *v2i_crld(const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx,
const STACK_OF(CONF_VALUE) *nval) {
STACK_OF(DIST_POINT) *crld = NULL;
GENERAL_NAMES *gens = NULL;
GENERAL_NAME *gen = NULL;
if (!(crld = sk_DIST_POINT_new_null())) {
goto err;
}
for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) {
DIST_POINT *point;
const CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i);
if (!cnf->value) {
const STACK_OF(CONF_VALUE) *dpsect = X509V3_get_section(ctx, cnf->name);
if (!dpsect) {
goto err;
}
point = crldp_from_section(ctx, dpsect);
if (!point) {
goto err;
}
if (!sk_DIST_POINT_push(crld, point)) {
DIST_POINT_free(point);
goto err;
}
} else {
if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) {
goto err;
}
if (!(gens = GENERAL_NAMES_new())) {
goto err;
}
if (!sk_GENERAL_NAME_push(gens, gen)) {
goto err;
}
gen = NULL;
if (!(point = DIST_POINT_new())) {
goto err;
}
if (!sk_DIST_POINT_push(crld, point)) {
DIST_POINT_free(point);
goto err;
}
if (!(point->distpoint = DIST_POINT_NAME_new())) {
goto err;
}
point->distpoint->name.fullname = gens;
point->distpoint->type = 0;
gens = NULL;
}
}
return crld;
err:
GENERAL_NAME_free(gen);
GENERAL_NAMES_free(gens);
sk_DIST_POINT_pop_free(crld, DIST_POINT_free);
return NULL;
}
static int dpn_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
void *exarg) {
DIST_POINT_NAME *dpn = (DIST_POINT_NAME *)*pval;
switch (operation) {
case ASN1_OP_NEW_POST:
dpn->dpname = NULL;
break;
case ASN1_OP_FREE_POST:
X509_NAME_free(dpn->dpname);
break;
}
return 1;
}
ASN1_CHOICE_cb(DIST_POINT_NAME, dpn_cb) = {
ASN1_IMP_SEQUENCE_OF(DIST_POINT_NAME, name.fullname, GENERAL_NAME, 0),
ASN1_IMP_SET_OF(DIST_POINT_NAME, name.relativename, X509_NAME_ENTRY, 1),
} ASN1_CHOICE_END_cb(DIST_POINT_NAME, DIST_POINT_NAME, type)
IMPLEMENT_ASN1_ALLOC_FUNCTIONS(DIST_POINT_NAME)
ASN1_SEQUENCE(DIST_POINT) = {
ASN1_EXP_OPT(DIST_POINT, distpoint, DIST_POINT_NAME, 0),
ASN1_IMP_OPT(DIST_POINT, reasons, ASN1_BIT_STRING, 1),
ASN1_IMP_SEQUENCE_OF_OPT(DIST_POINT, CRLissuer, GENERAL_NAME, 2),
} ASN1_SEQUENCE_END(DIST_POINT)
IMPLEMENT_ASN1_ALLOC_FUNCTIONS(DIST_POINT)
ASN1_ITEM_TEMPLATE(CRL_DIST_POINTS) = ASN1_EX_TEMPLATE_TYPE(
ASN1_TFLG_SEQUENCE_OF, 0, CRLDistributionPoints, DIST_POINT)
ASN1_ITEM_TEMPLATE_END(CRL_DIST_POINTS)
IMPLEMENT_ASN1_FUNCTIONS(CRL_DIST_POINTS)
ASN1_SEQUENCE(ISSUING_DIST_POINT) = {
ASN1_EXP_OPT(ISSUING_DIST_POINT, distpoint, DIST_POINT_NAME, 0),
ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyuser, ASN1_FBOOLEAN, 1),
ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyCA, ASN1_FBOOLEAN, 2),
ASN1_IMP_OPT(ISSUING_DIST_POINT, onlysomereasons, ASN1_BIT_STRING, 3),
ASN1_IMP_OPT(ISSUING_DIST_POINT, indirectCRL, ASN1_FBOOLEAN, 4),
ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyattr, ASN1_FBOOLEAN, 5),
} ASN1_SEQUENCE_END(ISSUING_DIST_POINT)
IMPLEMENT_ASN1_FUNCTIONS(ISSUING_DIST_POINT)
static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
int indent);
static void *v2i_idp(const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx,
const STACK_OF(CONF_VALUE) *nval);
const X509V3_EXT_METHOD v3_idp = {
NID_issuing_distribution_point,
X509V3_EXT_MULTILINE,
ASN1_ITEM_ref(ISSUING_DIST_POINT),
0,
0,
0,
0,
0,
0,
0,
v2i_idp,
i2r_idp,
0,
NULL,
};
static void *v2i_idp(const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx,
const STACK_OF(CONF_VALUE) *nval) {
ISSUING_DIST_POINT *idp = ISSUING_DIST_POINT_new();
if (!idp) {
goto err;
}
for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) {
const CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i);
const char *name = cnf->name;
const char *val = cnf->value;
int ret = set_dist_point_name(&idp->distpoint, ctx, cnf);
if (ret > 0) {
continue;
}
if (ret < 0) {
goto err;
}
if (!strcmp(name, "onlyuser")) {
if (!X509V3_get_value_bool(cnf, &idp->onlyuser)) {
goto err;
}
} else if (!strcmp(name, "onlyCA")) {
if (!X509V3_get_value_bool(cnf, &idp->onlyCA)) {
goto err;
}
} else if (!strcmp(name, "onlyAA")) {
if (!X509V3_get_value_bool(cnf, &idp->onlyattr)) {
goto err;
}
} else if (!strcmp(name, "indirectCRL")) {
if (!X509V3_get_value_bool(cnf, &idp->indirectCRL)) {
goto err;
}
} else if (!strcmp(name, "onlysomereasons")) {
if (!set_reasons(&idp->onlysomereasons, val)) {
goto err;
}
} else {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NAME);
X509V3_conf_err(cnf);
goto err;
}
}
return idp;
err:
ISSUING_DIST_POINT_free(idp);
return NULL;
}
static int print_gens(BIO *out, STACK_OF(GENERAL_NAME) *gens, int indent) {
size_t i;
for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
BIO_printf(out, "%*s", indent + 2, "");
GENERAL_NAME_print(out, sk_GENERAL_NAME_value(gens, i));
BIO_puts(out, "\n");
}
return 1;
}
static int print_distpoint(BIO *out, DIST_POINT_NAME *dpn, int indent) {
if (dpn->type == 0) {
BIO_printf(out, "%*sFull Name:\n", indent, "");
print_gens(out, dpn->name.fullname, indent);
} else {
X509_NAME ntmp;
ntmp.entries = dpn->name.relativename;
BIO_printf(out, "%*sRelative Name:\n%*s", indent, "", indent + 2, "");
X509_NAME_print_ex(out, &ntmp, 0, XN_FLAG_ONELINE);
BIO_puts(out, "\n");
}
return 1;
}
static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
int indent) {
ISSUING_DIST_POINT *idp = pidp;
if (idp->distpoint) {
print_distpoint(out, idp->distpoint, indent);
}
if (idp->onlyuser > 0) {
BIO_printf(out, "%*sOnly User Certificates\n", indent, "");
}
if (idp->onlyCA > 0) {
BIO_printf(out, "%*sOnly CA Certificates\n", indent, "");
}
if (idp->indirectCRL > 0) {
BIO_printf(out, "%*sIndirect CRL\n", indent, "");
}
if (idp->onlysomereasons) {
print_reasons(out, "Only Some Reasons", idp->onlysomereasons, indent);
}
if (idp->onlyattr > 0) {
BIO_printf(out, "%*sOnly Attribute Certificates\n", indent, "");
}
if (!idp->distpoint && (idp->onlyuser <= 0) && (idp->onlyCA <= 0) &&
(idp->indirectCRL <= 0) && !idp->onlysomereasons &&
(idp->onlyattr <= 0)) {
BIO_printf(out, "%*s<EMPTY>\n", indent, "");
}
return 1;
}
static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
int indent) {
STACK_OF(DIST_POINT) *crld = pcrldp;
DIST_POINT *point;
size_t i;
for (i = 0; i < sk_DIST_POINT_num(crld); i++) {
BIO_puts(out, "\n");
point = sk_DIST_POINT_value(crld, i);
if (point->distpoint) {
print_distpoint(out, point->distpoint, indent);
}
if (point->reasons) {
print_reasons(out, "Reasons", point->reasons, indent);
}
if (point->CRLissuer) {
BIO_printf(out, "%*sCRL Issuer:\n", indent, "");
print_gens(out, point->CRLissuer, indent);
}
}
return 1;
}
int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname) {
size_t i;
STACK_OF(X509_NAME_ENTRY) *frag;
X509_NAME_ENTRY *ne;
if (!dpn || (dpn->type != 1)) {
return 1;
}
frag = dpn->name.relativename;
dpn->dpname = X509_NAME_dup(iname);
if (!dpn->dpname) {
return 0;
}
for (i = 0; i < sk_X509_NAME_ENTRY_num(frag); i++) {
ne = sk_X509_NAME_ENTRY_value(frag, i);
if (!X509_NAME_add_entry(dpn->dpname, ne, -1, i ? 0 : 1)) {
X509_NAME_free(dpn->dpname);
dpn->dpname = NULL;
return 0;
}
}
// generate cached encoding of name
if (i2d_X509_NAME(dpn->dpname, NULL) < 0) {
X509_NAME_free(dpn->dpname);
dpn->dpname = NULL;
return 0;
}
return 1;
}