blob: 70536b86bbddc3ebf74f77669caa5aa3eabfb446 [file] [log] [blame]
// Copyright 2015 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <algorithm>
#include "certificate_policies.h"
#include <openssl/base.h>
#include "cert_error_params.h"
#include "cert_errors.h"
#include "input.h"
#include "parse_values.h"
#include "parser.h"
BSSL_NAMESPACE_BEGIN
namespace {
// ---------------------------------------------------------------
// Errors
// ---------------------------------------------------------------
DEFINE_CERT_ERROR_ID(kPolicyQualifiersEmptySequence,
"The policy qualifiers SEQUENCE is empty");
DEFINE_CERT_ERROR_ID(kUnknownPolicyQualifierOid,
"Unknown policy qualifier OID (not CPS or User Notice)");
DEFINE_CERT_ERROR_ID(kPoliciesEmptySequence, "Policies is an empty SEQUENCE");
DEFINE_CERT_ERROR_ID(kPoliciesDuplicateOid, "Policies contains duplicate OIDs");
DEFINE_CERT_ERROR_ID(kPolicyInformationTrailingData,
"PolicyInformation has trailing data");
DEFINE_CERT_ERROR_ID(kFailedParsingPolicyQualifiers,
"Failed parsing policy qualifiers");
DEFINE_CERT_ERROR_ID(kMissingQualifier,
"PolicyQualifierInfo is missing qualifier");
DEFINE_CERT_ERROR_ID(kPolicyQualifierInfoTrailingData,
"PolicyQualifierInfo has trailing data");
// Minimally parse policyQualifiers, storing in |policy_qualifiers| if non-null.
// If a policy qualifier other than User Notice/CPS is present, parsing
// will fail if |restrict_to_known_qualifiers| was set to true.
bool ParsePolicyQualifiers(bool restrict_to_known_qualifiers,
der::Parser *policy_qualifiers_sequence_parser,
std::vector<PolicyQualifierInfo> *policy_qualifiers,
CertErrors *errors) {
BSSL_CHECK(errors);
// If it is present, the policyQualifiers sequence should have at least 1
// element.
//
// policyQualifiers SEQUENCE SIZE (1..MAX) OF
// PolicyQualifierInfo OPTIONAL }
if (!policy_qualifiers_sequence_parser->HasMore()) {
errors->AddError(kPolicyQualifiersEmptySequence);
return false;
}
while (policy_qualifiers_sequence_parser->HasMore()) {
// PolicyQualifierInfo ::= SEQUENCE {
der::Parser policy_information_parser;
if (!policy_qualifiers_sequence_parser->ReadSequence(
&policy_information_parser)) {
return false;
}
// policyQualifierId PolicyQualifierId,
der::Input qualifier_oid;
if (!policy_information_parser.ReadTag(CBS_ASN1_OBJECT, &qualifier_oid)) {
return false;
}
if (restrict_to_known_qualifiers &&
qualifier_oid != der::Input(kCpsPointerId) &&
qualifier_oid != der::Input(kUserNoticeId)) {
errors->AddError(kUnknownPolicyQualifierOid,
CreateCertErrorParams1Der("oid", qualifier_oid));
return false;
}
// qualifier ANY DEFINED BY policyQualifierId }
der::Input qualifier_tlv;
if (!policy_information_parser.ReadRawTLV(&qualifier_tlv)) {
errors->AddError(kMissingQualifier);
return false;
}
// Should not have trailing data after qualifier.
if (policy_information_parser.HasMore()) {
errors->AddError(kPolicyQualifierInfoTrailingData);
return false;
}
if (policy_qualifiers) {
policy_qualifiers->push_back({qualifier_oid, qualifier_tlv});
}
}
return true;
}
// RFC 5280 section 4.2.1.4. Certificate Policies:
//
// certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
//
// PolicyInformation ::= SEQUENCE {
// policyIdentifier CertPolicyId,
// policyQualifiers SEQUENCE SIZE (1..MAX) OF
// PolicyQualifierInfo OPTIONAL }
//
// CertPolicyId ::= OBJECT IDENTIFIER
//
// PolicyQualifierInfo ::= SEQUENCE {
// policyQualifierId PolicyQualifierId,
// qualifier ANY DEFINED BY policyQualifierId }
//
// PolicyQualifierId ::= OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
//
// Qualifier ::= CHOICE {
// cPSuri CPSuri,
// userNotice UserNotice }
//
// CPSuri ::= IA5String
//
// UserNotice ::= SEQUENCE {
// noticeRef NoticeReference OPTIONAL,
// explicitText DisplayText OPTIONAL }
//
// NoticeReference ::= SEQUENCE {
// organization DisplayText,
// noticeNumbers SEQUENCE OF INTEGER }
//
// DisplayText ::= CHOICE {
// ia5String IA5String (SIZE (1..200)),
// visibleString VisibleString (SIZE (1..200)),
// bmpString BMPString (SIZE (1..200)),
// utf8String UTF8String (SIZE (1..200)) }
bool ParseCertificatePoliciesExtensionImpl(
der::Input extension_value, bool fail_parsing_unknown_qualifier_oids,
std::vector<der::Input> *policy_oids,
std::vector<PolicyInformation> *policy_informations, CertErrors *errors) {
BSSL_CHECK(policy_oids);
BSSL_CHECK(errors);
// certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
der::Parser extension_parser(extension_value);
der::Parser policies_sequence_parser;
if (!extension_parser.ReadSequence(&policies_sequence_parser)) {
return false;
}
// Should not have trailing data after certificatePolicies sequence.
if (extension_parser.HasMore()) {
return false;
}
// The certificatePolicies sequence should have at least 1 element.
if (!policies_sequence_parser.HasMore()) {
errors->AddError(kPoliciesEmptySequence);
return false;
}
policy_oids->clear();
if (policy_informations) {
policy_informations->clear();
}
while (policies_sequence_parser.HasMore()) {
// PolicyInformation ::= SEQUENCE {
der::Parser policy_information_parser;
if (!policies_sequence_parser.ReadSequence(&policy_information_parser)) {
return false;
}
// policyIdentifier CertPolicyId,
der::Input policy_oid;
if (!policy_information_parser.ReadTag(CBS_ASN1_OBJECT, &policy_oid)) {
return false;
}
policy_oids->push_back(policy_oid);
std::vector<PolicyQualifierInfo> *policy_qualifiers = nullptr;
if (policy_informations) {
policy_informations->emplace_back();
policy_informations->back().policy_oid = policy_oid;
policy_qualifiers = &policy_informations->back().policy_qualifiers;
}
if (!policy_information_parser.HasMore()) {
continue;
}
// policyQualifiers SEQUENCE SIZE (1..MAX) OF
// PolicyQualifierInfo OPTIONAL }
der::Parser policy_qualifiers_sequence_parser;
if (!policy_information_parser.ReadSequence(
&policy_qualifiers_sequence_parser)) {
return false;
}
// Should not have trailing data after policyQualifiers sequence.
if (policy_information_parser.HasMore()) {
errors->AddError(kPolicyInformationTrailingData);
return false;
}
// RFC 5280 section 4.2.1.4: When qualifiers are used with the special
// policy anyPolicy, they MUST be limited to the qualifiers identified in
// this section.
if (!ParsePolicyQualifiers(fail_parsing_unknown_qualifier_oids ||
policy_oid == der::Input(kAnyPolicyOid),
&policy_qualifiers_sequence_parser,
policy_qualifiers, errors)) {
errors->AddError(kFailedParsingPolicyQualifiers);
return false;
}
}
// RFC 5280 section 4.2.1.4: A certificate policy OID MUST NOT appear more
// than once in a certificate policies extension.
std::sort(policy_oids->begin(), policy_oids->end());
auto dupe_policy_iter =
std::adjacent_find(policy_oids->begin(), policy_oids->end());
if (dupe_policy_iter != policy_oids->end()) {
errors->AddError(kPoliciesDuplicateOid,
CreateCertErrorParams1Der("oid", *dupe_policy_iter));
return false;
}
return true;
}
} // namespace
PolicyInformation::PolicyInformation() = default;
PolicyInformation::~PolicyInformation() = default;
PolicyInformation::PolicyInformation(const PolicyInformation &) = default;
PolicyInformation::PolicyInformation(PolicyInformation &&) = default;
bool ParseCertificatePoliciesExtension(der::Input extension_value,
std::vector<PolicyInformation> *policies,
CertErrors *errors) {
std::vector<der::Input> unused_policy_oids;
return ParseCertificatePoliciesExtensionImpl(
extension_value, /*fail_parsing_unknown_qualifier_oids=*/false,
&unused_policy_oids, policies, errors);
}
bool ParseCertificatePoliciesExtensionOids(
der::Input extension_value, bool fail_parsing_unknown_qualifier_oids,
std::vector<der::Input> *policy_oids, CertErrors *errors) {
return ParseCertificatePoliciesExtensionImpl(
extension_value, fail_parsing_unknown_qualifier_oids, policy_oids,
nullptr, errors);
}
// From RFC 5280:
//
// PolicyConstraints ::= SEQUENCE {
// requireExplicitPolicy [0] SkipCerts OPTIONAL,
// inhibitPolicyMapping [1] SkipCerts OPTIONAL }
//
// SkipCerts ::= INTEGER (0..MAX)
bool ParsePolicyConstraints(der::Input policy_constraints_tlv,
ParsedPolicyConstraints *out) {
der::Parser parser(policy_constraints_tlv);
// PolicyConstraints ::= SEQUENCE {
der::Parser sequence_parser;
if (!parser.ReadSequence(&sequence_parser)) {
return false;
}
// RFC 5280 prohibits CAs from issuing PolicyConstraints as an empty sequence:
//
// Conforming CAs MUST NOT issue certificates where policy constraints
// is an empty sequence. That is, either the inhibitPolicyMapping field
// or the requireExplicitPolicy field MUST be present. The behavior of
// clients that encounter an empty policy constraints field is not
// addressed in this profile.
if (!sequence_parser.HasMore()) {
return false;
}
std::optional<der::Input> require_value;
if (!sequence_parser.ReadOptionalTag(CBS_ASN1_CONTEXT_SPECIFIC | 0,
&require_value)) {
return false;
}
if (require_value) {
uint8_t require_explicit_policy;
if (!ParseUint8(require_value.value(), &require_explicit_policy)) {
// TODO(eroman): Surface reason for failure if length was longer than
// uint8.
return false;
}
out->require_explicit_policy = require_explicit_policy;
}
std::optional<der::Input> inhibit_value;
if (!sequence_parser.ReadOptionalTag(CBS_ASN1_CONTEXT_SPECIFIC | 1,
&inhibit_value)) {
return false;
}
if (inhibit_value) {
uint8_t inhibit_policy_mapping;
if (!ParseUint8(inhibit_value.value(), &inhibit_policy_mapping)) {
// TODO(eroman): Surface reason for failure if length was longer than
// uint8.
return false;
}
out->inhibit_policy_mapping = inhibit_policy_mapping;
}
// There should be no remaining data.
if (sequence_parser.HasMore() || parser.HasMore()) {
return false;
}
return true;
}
// From RFC 5280:
//
// InhibitAnyPolicy ::= SkipCerts
//
// SkipCerts ::= INTEGER (0..MAX)
std::optional<uint8_t> ParseInhibitAnyPolicy(
der::Input inhibit_any_policy_tlv) {
der::Parser parser(inhibit_any_policy_tlv);
std::optional<uint8_t> num_certs = std::make_optional<uint8_t>();
// TODO(eroman): Surface reason for failure if length was longer than uint8.
if (!parser.ReadUint8(&num_certs.value())) {
return std::nullopt;
}
// There should be no remaining data.
if (parser.HasMore()) {
return std::nullopt;
}
return num_certs;
}
// From RFC 5280:
//
// PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
// issuerDomainPolicy CertPolicyId,
// subjectDomainPolicy CertPolicyId }
bool ParsePolicyMappings(der::Input policy_mappings_tlv,
std::vector<ParsedPolicyMapping> *mappings) {
mappings->clear();
der::Parser parser(policy_mappings_tlv);
// PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
der::Parser sequence_parser;
if (!parser.ReadSequence(&sequence_parser)) {
return false;
}
// Must be at least 1 mapping.
if (!sequence_parser.HasMore()) {
return false;
}
while (sequence_parser.HasMore()) {
der::Parser mapping_parser;
if (!sequence_parser.ReadSequence(&mapping_parser)) {
return false;
}
ParsedPolicyMapping mapping;
if (!mapping_parser.ReadTag(CBS_ASN1_OBJECT,
&mapping.issuer_domain_policy)) {
return false;
}
if (!mapping_parser.ReadTag(CBS_ASN1_OBJECT,
&mapping.subject_domain_policy)) {
return false;
}
// There shouldn't be extra unconsumed data.
if (mapping_parser.HasMore()) {
return false;
}
mappings->push_back(mapping);
}
// There shouldn't be extra unconsumed data.
if (parser.HasMore()) {
return false;
}
return true;
}
BSSL_NAMESPACE_END