Symaptic: os/ossrv/ssl/libcrypto/src/crypto/x509v3/v3

sl@0	1	/* v3_purp.c */
sl@0	2	/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
sl@0	3	* project 2001.
sl@0	4	*/
sl@0	5	/* ====================================================================
sl@0	6	* Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
sl@0	7	*
sl@0	8	* Redistribution and use in source and binary forms, with or without
sl@0	9	* modification, are permitted provided that the following conditions
sl@0	10	* are met:
sl@0	11	*
sl@0	12	* 1. Redistributions of source code must retain the above copyright
sl@0	13	* notice, this list of conditions and the following disclaimer.
sl@0	14	*
sl@0	15	* 2. Redistributions in binary form must reproduce the above copyright
sl@0	16	* notice, this list of conditions and the following disclaimer in
sl@0	17	* the documentation and/or other materials provided with the
sl@0	18	* distribution.
sl@0	19	*
sl@0	20	* 3. All advertising materials mentioning features or use of this
sl@0	21	* software must display the following acknowledgment:
sl@0	22	* "This product includes software developed by the OpenSSL Project
sl@0	23	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
sl@0	24	*
sl@0	25	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
sl@0	26	* endorse or promote products derived from this software without
sl@0	27	* prior written permission. For written permission, please contact
sl@0	28	* licensing@OpenSSL.org.
sl@0	29	*
sl@0	30	* 5. Products derived from this software may not be called "OpenSSL"
sl@0	31	* nor may "OpenSSL" appear in their names without prior written
sl@0	32	* permission of the OpenSSL Project.
sl@0	33	*
sl@0	34	* 6. Redistributions of any form whatsoever must retain the following
sl@0	35	* acknowledgment:
sl@0	36	* "This product includes software developed by the OpenSSL Project
sl@0	37	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
sl@0	38	*
sl@0	39	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
sl@0	40	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
sl@0	41	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
sl@0	42	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
sl@0	43	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
sl@0	44	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
sl@0	45	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
sl@0	46	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
sl@0	47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
sl@0	48	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
sl@0	49	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
sl@0	50	* OF THE POSSIBILITY OF SUCH DAMAGE.
sl@0	51	* ====================================================================
sl@0	52	*
sl@0	53	* This product includes cryptographic software written by Eric Young
sl@0	54	* (eay@cryptsoft.com). This product includes software written by Tim
sl@0	55	* Hudson (tjh@cryptsoft.com).
sl@0	56	*
sl@0	57	*/
sl@0	58
sl@0	59	/*
sl@0	60	© Portions copyright (c) 2006 Nokia Corporation. All rights reserved.
sl@0	61	*/
sl@0	62
sl@0	63
sl@0	64	#include <stdio.h>
sl@0	65	#include "cryptlib.h"
sl@0	66	#include <openssl/x509v3.h>
sl@0	67	#include <openssl/x509_vfy.h>
sl@0	68	#if (defined(SYMBIAN) && (defined(__WINSCW__) \|\| defined(__WINS__)))
sl@0	69	#include "libcrypto_wsd_macros.h"
sl@0	70	#include "libcrypto_wsd.h"
sl@0	71	#endif
sl@0	72
sl@0	73	static void x509v3_cache_extensions(X509 *x);
sl@0	74
sl@0	75	static int check_ssl_ca(const X509 *x);
sl@0	76	static int check_purpose_ssl_client(const X509_PURPOSE xp, const X509 x, int ca);
sl@0	77	static int check_purpose_ssl_server(const X509_PURPOSE xp, const X509 x, int ca);
sl@0	78	static int check_purpose_ns_ssl_server(const X509_PURPOSE xp, const X509 x, int ca);
sl@0	79	static int purpose_smime(const X509 *x, int ca);
sl@0	80	static int check_purpose_smime_sign(const X509_PURPOSE xp, const X509 x, int ca);
sl@0	81	static int check_purpose_smime_encrypt(const X509_PURPOSE xp, const X509 x, int ca);
sl@0	82	static int check_purpose_crl_sign(const X509_PURPOSE xp, const X509 x, int ca);
sl@0	83	static int no_check(const X509_PURPOSE xp, const X509 x, int ca);
sl@0	84	static int ocsp_helper(const X509_PURPOSE xp, const X509 x, int ca);
sl@0	85
sl@0	86	static int xp_cmp(const X509_PURPOSE * const *a,
sl@0	87	const X509_PURPOSE * const *b);
sl@0	88	static void xptable_free(X509_PURPOSE *p);
sl@0	89
sl@0	90	#ifndef EMULATOR
sl@0	91	static X509_PURPOSE xstandard[] = {
sl@0	92	{X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, check_purpose_ssl_client, "SSL client", "sslclient", NULL},
sl@0	93	{X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ssl_server, "SSL server", "sslserver", NULL},
sl@0	94	{X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ns_ssl_server, "Netscape SSL server", "nssslserver", NULL},
sl@0	95	{X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, "S/MIME signing", "smimesign", NULL},
sl@0	96	{X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
sl@0	97	{X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
sl@0	98	{X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL},
sl@0	99	{X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL},
sl@0	100	};
sl@0	101	#else
sl@0	102	static const X509_PURPOSE xstandard[] = {
sl@0	103	{X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, check_purpose_ssl_client, "SSL client", "sslclient", NULL},
sl@0	104	{X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ssl_server, "SSL server", "sslserver", NULL},
sl@0	105	{X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ns_ssl_server, "Netscape SSL server", "nssslserver", NULL},
sl@0	106	{X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, "S/MIME signing", "smimesign", NULL},
sl@0	107	{X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
sl@0	108	{X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
sl@0	109	{X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL},
sl@0	110	{X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL},
sl@0	111	};
sl@0	112	#endif
sl@0	113	#define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE))
sl@0	114
sl@0	115	IMPLEMENT_STACK_OF(X509_PURPOSE)
sl@0	116
sl@0	117	#ifndef EMULATOR
sl@0	118	static STACK_OF(X509_PURPOSE) *xptable = NULL;
sl@0	119	#else
sl@0	120	GET_STATIC_VAR_FROM_TLS(xptable,v3_purp,STACK_OF(X509_PURPOSE)*)
sl@0	121	#define xptable (*GET_WSD_VAR_NAME(xptable,v3_purp, s)())
sl@0	122	#endif
sl@0	123
sl@0	124	static int xp_cmp(const X509_PURPOSE * const *a,
sl@0	125	const X509_PURPOSE * const *b)
sl@0	126	{
sl@0	127	return (a)->purpose - (b)->purpose;
sl@0	128	}
sl@0	129
sl@0	130	/* As much as I'd like to make X509_check_purpose use a "const" X509*
sl@0	131	* I really can't because it does recalculate hashes and do other non-const
sl@0	132	* things. */
sl@0	133	EXPORT_C int X509_check_purpose(X509 *x, int id, int ca)
sl@0	134	{
sl@0	135	int idx;
sl@0	136	const X509_PURPOSE *pt;
sl@0	137	if(!(x->ex_flags & EXFLAG_SET)) {
sl@0	138	CRYPTO_w_lock(CRYPTO_LOCK_X509);
sl@0	139	x509v3_cache_extensions(x);
sl@0	140	CRYPTO_w_unlock(CRYPTO_LOCK_X509);
sl@0	141	}
sl@0	142	if(id == -1) return 1;
sl@0	143	idx = X509_PURPOSE_get_by_id(id);
sl@0	144	if(idx == -1) return -1;
sl@0	145	pt = X509_PURPOSE_get0(idx);
sl@0	146	return pt->check_purpose(pt, x, ca);
sl@0	147	}
sl@0	148
sl@0	149	EXPORT_C int X509_PURPOSE_set(int *p, int purpose)
sl@0	150	{
sl@0	151	if(X509_PURPOSE_get_by_id(purpose) == -1) {
sl@0	152	X509V3err(X509V3_F_X509_PURPOSE_SET, X509V3_R_INVALID_PURPOSE);
sl@0	153	return 0;
sl@0	154	}
sl@0	155	*p = purpose;
sl@0	156	return 1;
sl@0	157	}
sl@0	158
sl@0	159	EXPORT_C int X509_PURPOSE_get_count(void)
sl@0	160	{
sl@0	161	if(!xptable) return X509_PURPOSE_COUNT;
sl@0	162	return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT;
sl@0	163	}
sl@0	164
sl@0	165	EXPORT_C X509_PURPOSE * X509_PURPOSE_get0(int idx)
sl@0	166	{
sl@0	167	if(idx < 0) return NULL;
sl@0	168	if(idx < (int)X509_PURPOSE_COUNT) return ((X509_PURPOSE *)xstandard + idx);
sl@0	169	return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
sl@0	170	}
sl@0	171
sl@0	172	EXPORT_C int X509_PURPOSE_get_by_sname(char *sname)
sl@0	173	{
sl@0	174	int i;
sl@0	175	X509_PURPOSE *xptmp;
sl@0	176	for(i = 0; i < X509_PURPOSE_get_count(); i++) {
sl@0	177	xptmp = X509_PURPOSE_get0(i);
sl@0	178	if(!strcmp(xptmp->sname, sname)) return i;
sl@0	179	}
sl@0	180	return -1;
sl@0	181	}
sl@0	182
sl@0	183	EXPORT_C int X509_PURPOSE_get_by_id(int purpose)
sl@0	184	{
sl@0	185	X509_PURPOSE tmp;
sl@0	186	int idx;
sl@0	187	if((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))
sl@0	188	return purpose - X509_PURPOSE_MIN;
sl@0	189	tmp.purpose = purpose;
sl@0	190	if(!xptable) return -1;
sl@0	191	idx = sk_X509_PURPOSE_find(xptable, &tmp);
sl@0	192	if(idx == -1) return -1;
sl@0	193	return idx + X509_PURPOSE_COUNT;
sl@0	194	}
sl@0	195
sl@0	196	EXPORT_C int X509_PURPOSE_add(int id, int trust, int flags,
sl@0	197	int (ck)(const X509_PURPOSE , const X509 *, int),
sl@0	198	char name, char sname, void *arg)
sl@0	199	{
sl@0	200	int idx;
sl@0	201	X509_PURPOSE *ptmp;
sl@0	202	/* This is set according to what we change: application can't set it */
sl@0	203	flags &= ~X509_PURPOSE_DYNAMIC;
sl@0	204	/* This will always be set for application modified trust entries */
sl@0	205	flags \|= X509_PURPOSE_DYNAMIC_NAME;
sl@0	206	/* Get existing entry if any */
sl@0	207	idx = X509_PURPOSE_get_by_id(id);
sl@0	208	/* Need a new entry */
sl@0	209	if(idx == -1) {
sl@0	210	if(!(ptmp = OPENSSL_malloc(sizeof(X509_PURPOSE)))) {
sl@0	211	X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
sl@0	212	return 0;
sl@0	213	}
sl@0	214	ptmp->flags = X509_PURPOSE_DYNAMIC;
sl@0	215	} else ptmp = X509_PURPOSE_get0(idx);
sl@0	216
sl@0	217	/* OPENSSL_free existing name if dynamic */
sl@0	218	if(ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
sl@0	219	OPENSSL_free(ptmp->name);
sl@0	220	OPENSSL_free(ptmp->sname);
sl@0	221	}
sl@0	222	/* dup supplied name */
sl@0	223	ptmp->name = BUF_strdup(name);
sl@0	224	ptmp->sname = BUF_strdup(sname);
sl@0	225	if(!ptmp->name \|\| !ptmp->sname) {
sl@0	226	X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
sl@0	227	return 0;
sl@0	228	}
sl@0	229	/* Keep the dynamic flag of existing entry */
sl@0	230	ptmp->flags &= X509_PURPOSE_DYNAMIC;
sl@0	231	/* Set all other flags */
sl@0	232	ptmp->flags \|= flags;
sl@0	233
sl@0	234	ptmp->purpose = id;
sl@0	235	ptmp->trust = trust;
sl@0	236	ptmp->check_purpose = ck;
sl@0	237	ptmp->usr_data = arg;
sl@0	238
sl@0	239	/* If its a new entry manage the dynamic table */
sl@0	240	if(idx == -1) {
sl@0	241	if(!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) {
sl@0	242	X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
sl@0	243	return 0;
sl@0	244	}
sl@0	245	if (!sk_X509_PURPOSE_push(xptable, ptmp)) {
sl@0	246	X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
sl@0	247	return 0;
sl@0	248	}
sl@0	249	}
sl@0	250	return 1;
sl@0	251	}
sl@0	252
sl@0	253	static void xptable_free(X509_PURPOSE *p)
sl@0	254	{
sl@0	255	if(!p) return;
sl@0	256	if (p->flags & X509_PURPOSE_DYNAMIC)
sl@0	257	{
sl@0	258	if (p->flags & X509_PURPOSE_DYNAMIC_NAME) {
sl@0	259	OPENSSL_free(p->name);
sl@0	260	OPENSSL_free(p->sname);
sl@0	261	}
sl@0	262	OPENSSL_free(p);
sl@0	263	}
sl@0	264	}
sl@0	265
sl@0	266	EXPORT_C void X509_PURPOSE_cleanup(void)
sl@0	267	{
sl@0	268	unsigned int i;
sl@0	269	sk_X509_PURPOSE_pop_free(xptable, xptable_free);
sl@0	270	for(i = 0; i < X509_PURPOSE_COUNT; i++) xptable_free((X509_PURPOSE *)xstandard + i);
sl@0	271	xptable = NULL;
sl@0	272	}
sl@0	273
sl@0	274	EXPORT_C int X509_PURPOSE_get_id(X509_PURPOSE *xp)
sl@0	275	{
sl@0	276	return xp->purpose;
sl@0	277	}
sl@0	278
sl@0	279	EXPORT_C char X509_PURPOSE_get0_name(X509_PURPOSE xp)
sl@0	280	{
sl@0	281	return xp->name;
sl@0	282	}
sl@0	283
sl@0	284	EXPORT_C char X509_PURPOSE_get0_sname(X509_PURPOSE xp)
sl@0	285	{
sl@0	286	return xp->sname;
sl@0	287	}
sl@0	288
sl@0	289	EXPORT_C int X509_PURPOSE_get_trust(X509_PURPOSE *xp)
sl@0	290	{
sl@0	291	return xp->trust;
sl@0	292	}
sl@0	293
sl@0	294	static int nid_cmp(int a, int b)
sl@0	295	{
sl@0	296	return a - b;
sl@0	297	}
sl@0	298
sl@0	299	EXPORT_C int X509_supported_extension(X509_EXTENSION *ex)
sl@0	300	{
sl@0	301	/* This table is a list of the NIDs of supported extensions:
sl@0	302	* that is those which are used by the verify process. If
sl@0	303	* an extension is critical and doesn't appear in this list
sl@0	304	* then the verify process will normally reject the certificate.
sl@0	305	* The list must be kept in numerical order because it will be
sl@0	306	* searched using bsearch.
sl@0	307	*/
sl@0	308	#ifndef EMULATOR
sl@0	309	static int supported_nids[] = {
sl@0	310	NID_netscape_cert_type, /* 71 */
sl@0	311	NID_key_usage, /* 83 */
sl@0	312	NID_subject_alt_name, /* 85 */
sl@0	313	NID_basic_constraints, /* 87 */
sl@0	314	NID_certificate_policies, /* 89 */
sl@0	315	NID_ext_key_usage, /* 126 */
sl@0	316	NID_proxyCertInfo /* 661 */
sl@0	317	};
sl@0	318	#else
sl@0	319	static const int supported_nids[] = {
sl@0	320	NID_netscape_cert_type, /* 71 */
sl@0	321	NID_key_usage, /* 83 */
sl@0	322	NID_subject_alt_name, /* 85 */
sl@0	323	NID_basic_constraints, /* 87 */
sl@0	324	NID_ext_key_usage, /* 126 */
sl@0	325
sl@0	326	NID_proxyCertInfo /* 661 */
sl@0	327	};
sl@0	328	#endif
sl@0	329	int ex_nid;
sl@0	330
sl@0	331	ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
sl@0	332
sl@0	333	if (ex_nid == NID_undef)
sl@0	334	return 0;
sl@0	335
sl@0	336	if (OBJ_bsearch((char )&ex_nid, (char )supported_nids,
sl@0	337	sizeof(supported_nids)/sizeof(int), sizeof(int),
sl@0	338	(int ()(const void , const void *))nid_cmp))
sl@0	339	return 1;
sl@0	340	return 0;
sl@0	341	}
sl@0	342
sl@0	343
sl@0	344	static void x509v3_cache_extensions(X509 *x)
sl@0	345	{
sl@0	346	BASIC_CONSTRAINTS *bs;
sl@0	347	PROXY_CERT_INFO_EXTENSION *pci;
sl@0	348	ASN1_BIT_STRING *usage;
sl@0	349	ASN1_BIT_STRING *ns;
sl@0	350	EXTENDED_KEY_USAGE *extusage;
sl@0	351	X509_EXTENSION *ex;
sl@0	352
sl@0	353	int i;
sl@0	354	if(x->ex_flags & EXFLAG_SET) return;
sl@0	355	#ifndef OPENSSL_NO_SHA
sl@0	356	X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
sl@0	357	#endif
sl@0	358	/* Does subject name match issuer ? */
sl@0	359	if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
sl@0	360	x->ex_flags \|= EXFLAG_SS;
sl@0	361	/* V1 should mean no extensions ... */
sl@0	362	if(!X509_get_version(x)) x->ex_flags \|= EXFLAG_V1;
sl@0	363	/* Handle basic constraints */
sl@0	364	if((bs=X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {
sl@0	365	if(bs->ca) x->ex_flags \|= EXFLAG_CA;
sl@0	366	if(bs->pathlen) {
sl@0	367	if((bs->pathlen->type == V_ASN1_NEG_INTEGER)
sl@0	368	\|\| !bs->ca) {
sl@0	369	x->ex_flags \|= EXFLAG_INVALID;
sl@0	370	x->ex_pathlen = 0;
sl@0	371	} else x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
sl@0	372	} else x->ex_pathlen = -1;
sl@0	373	BASIC_CONSTRAINTS_free(bs);
sl@0	374	x->ex_flags \|= EXFLAG_BCONS;
sl@0	375	}
sl@0	376	/* Handle proxy certificates */
sl@0	377	if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
sl@0	378	if (x->ex_flags & EXFLAG_CA
sl@0	379	\|\| X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
sl@0	380	\|\| X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
sl@0	381	x->ex_flags \|= EXFLAG_INVALID;
sl@0	382	}
sl@0	383	if (pci->pcPathLengthConstraint) {
sl@0	384	x->ex_pcpathlen =
sl@0	385	ASN1_INTEGER_get(pci->pcPathLengthConstraint);
sl@0	386	} else x->ex_pcpathlen = -1;
sl@0	387	PROXY_CERT_INFO_EXTENSION_free(pci);
sl@0	388	x->ex_flags \|= EXFLAG_PROXY;
sl@0	389	}
sl@0	390	/* Handle key usage */
sl@0	391	if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
sl@0	392	if(usage->length > 0) {
sl@0	393	x->ex_kusage = usage->data[0];
sl@0	394	if(usage->length > 1)
sl@0	395	x->ex_kusage \|= usage->data[1] << 8;
sl@0	396	} else x->ex_kusage = 0;
sl@0	397	x->ex_flags \|= EXFLAG_KUSAGE;
sl@0	398	ASN1_BIT_STRING_free(usage);
sl@0	399	}
sl@0	400	x->ex_xkusage = 0;
sl@0	401	if((extusage=X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) {
sl@0	402	x->ex_flags \|= EXFLAG_XKUSAGE;
sl@0	403	for(i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
sl@0	404	switch(OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage,i))) {
sl@0	405	case NID_server_auth:
sl@0	406	x->ex_xkusage \|= XKU_SSL_SERVER;
sl@0	407	break;
sl@0	408
sl@0	409	case NID_client_auth:
sl@0	410	x->ex_xkusage \|= XKU_SSL_CLIENT;
sl@0	411	break;
sl@0	412
sl@0	413	case NID_email_protect:
sl@0	414	x->ex_xkusage \|= XKU_SMIME;
sl@0	415	break;
sl@0	416
sl@0	417	case NID_code_sign:
sl@0	418	x->ex_xkusage \|= XKU_CODE_SIGN;
sl@0	419	break;
sl@0	420
sl@0	421	case NID_ms_sgc:
sl@0	422	case NID_ns_sgc:
sl@0	423	x->ex_xkusage \|= XKU_SGC;
sl@0	424	break;
sl@0	425
sl@0	426	case NID_OCSP_sign:
sl@0	427	x->ex_xkusage \|= XKU_OCSP_SIGN;
sl@0	428	break;
sl@0	429
sl@0	430	case NID_time_stamp:
sl@0	431	x->ex_xkusage \|= XKU_TIMESTAMP;
sl@0	432	break;
sl@0	433
sl@0	434	case NID_dvcs:
sl@0	435	x->ex_xkusage \|= XKU_DVCS;
sl@0	436	break;
sl@0	437	}
sl@0	438	}
sl@0	439	sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
sl@0	440	}
sl@0	441
sl@0	442	if((ns=X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
sl@0	443	if(ns->length > 0) x->ex_nscert = ns->data[0];
sl@0	444	else x->ex_nscert = 0;
sl@0	445	x->ex_flags \|= EXFLAG_NSCERT;
sl@0	446	ASN1_BIT_STRING_free(ns);
sl@0	447	}
sl@0	448	x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
sl@0	449	x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
sl@0	450	for (i = 0; i < X509_get_ext_count(x); i++)
sl@0	451	{
sl@0	452	ex = X509_get_ext(x, i);
sl@0	453	if (!X509_EXTENSION_get_critical(ex))
sl@0	454	continue;
sl@0	455	if (!X509_supported_extension(ex))
sl@0	456	{
sl@0	457	x->ex_flags \|= EXFLAG_CRITICAL;
sl@0	458	break;
sl@0	459	}
sl@0	460	}
sl@0	461	x->ex_flags \|= EXFLAG_SET;
sl@0	462	}
sl@0	463
sl@0	464	/* CA checks common to all purposes
sl@0	465	* return codes:
sl@0	466	* 0 not a CA
sl@0	467	* 1 is a CA
sl@0	468	* 2 basicConstraints absent so "maybe" a CA
sl@0	469	* 3 basicConstraints absent but self signed V1.
sl@0	470	* 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
sl@0	471	*/
sl@0	472
sl@0	473	#define V1_ROOT (EXFLAG_V1\|EXFLAG_SS)
sl@0	474	#define ku_reject(x, usage) \
sl@0	475	(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
sl@0	476	#define xku_reject(x, usage) \
sl@0	477	(((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
sl@0	478	#define ns_reject(x, usage) \
sl@0	479	(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
sl@0	480
sl@0	481	static int check_ca(const X509 *x)
sl@0	482	{
sl@0	483	/* keyUsage if present should allow cert signing */
sl@0	484	if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
sl@0	485	if(x->ex_flags & EXFLAG_BCONS) {
sl@0	486	if(x->ex_flags & EXFLAG_CA) return 1;
sl@0	487	/* If basicConstraints says not a CA then say so */
sl@0	488	else return 0;
sl@0	489	} else {
sl@0	490	/* we support V1 roots for... uh, I don't really know why. */
sl@0	491	if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
sl@0	492	/* If key usage present it must have certSign so tolerate it */
sl@0	493	else if (x->ex_flags & EXFLAG_KUSAGE) return 4;
sl@0	494	/* Older certificates could have Netscape-specific CA types */
sl@0	495	else if (x->ex_flags & EXFLAG_NSCERT
sl@0	496	&& x->ex_nscert & NS_ANY_CA) return 5;
sl@0	497	/* can this still be regarded a CA certificate? I doubt it */
sl@0	498	return 0;
sl@0	499	}
sl@0	500	}
sl@0	501
sl@0	502	EXPORT_C int X509_check_ca(X509 *x)
sl@0	503	{
sl@0	504	if(!(x->ex_flags & EXFLAG_SET)) {
sl@0	505	CRYPTO_w_lock(CRYPTO_LOCK_X509);
sl@0	506	x509v3_cache_extensions(x);
sl@0	507	CRYPTO_w_unlock(CRYPTO_LOCK_X509);
sl@0	508	}
sl@0	509
sl@0	510	return check_ca(x);
sl@0	511	}
sl@0	512
sl@0	513	/* Check SSL CA: common checks for SSL client and server */
sl@0	514	static int check_ssl_ca(const X509 *x)
sl@0	515	{
sl@0	516	int ca_ret;
sl@0	517	ca_ret = check_ca(x);
sl@0	518	if(!ca_ret) return 0;
sl@0	519	/* check nsCertType if present */
sl@0	520	if(ca_ret != 5 \|\| x->ex_nscert & NS_SSL_CA) return ca_ret;
sl@0	521	else return 0;
sl@0	522	}
sl@0	523
sl@0	524
sl@0	525	static int check_purpose_ssl_client(const X509_PURPOSE xp, const X509 x, int ca)
sl@0	526	{
sl@0	527	if(xku_reject(x,XKU_SSL_CLIENT)) return 0;
sl@0	528	if(ca) return check_ssl_ca(x);
sl@0	529	/* We need to do digital signatures with it */
sl@0	530	if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0;
sl@0	531	/* nsCertType if present should allow SSL client use */
sl@0	532	if(ns_reject(x, NS_SSL_CLIENT)) return 0;
sl@0	533	return 1;
sl@0	534	}
sl@0	535
sl@0	536	static int check_purpose_ssl_server(const X509_PURPOSE xp, const X509 x, int ca)
sl@0	537	{
sl@0	538	if(xku_reject(x,XKU_SSL_SERVER\|XKU_SGC)) return 0;
sl@0	539	if(ca) return check_ssl_ca(x);
sl@0	540
sl@0	541	if(ns_reject(x, NS_SSL_SERVER)) return 0;
sl@0	542	/* Now as for keyUsage: we'll at least need to sign OR encipher */
sl@0	543	if(ku_reject(x, KU_DIGITAL_SIGNATURE\|KU_KEY_ENCIPHERMENT)) return 0;
sl@0	544
sl@0	545	return 1;
sl@0	546
sl@0	547	}
sl@0	548
sl@0	549	static int check_purpose_ns_ssl_server(const X509_PURPOSE xp, const X509 x, int ca)
sl@0	550	{
sl@0	551	int ret;
sl@0	552	ret = check_purpose_ssl_server(xp, x, ca);
sl@0	553	if(!ret \|\| ca) return ret;
sl@0	554	/* We need to encipher or Netscape complains */
sl@0	555	if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
sl@0	556	return ret;
sl@0	557	}
sl@0	558
sl@0	559	/* common S/MIME checks */
sl@0	560	static int purpose_smime(const X509 *x, int ca)
sl@0	561	{
sl@0	562	if(xku_reject(x,XKU_SMIME)) return 0;
sl@0	563	if(ca) {
sl@0	564	int ca_ret;
sl@0	565	ca_ret = check_ca(x);
sl@0	566	if(!ca_ret) return 0;
sl@0	567	/* check nsCertType if present */
sl@0	568	if(ca_ret != 5 \|\| x->ex_nscert & NS_SMIME_CA) return ca_ret;
sl@0	569	else return 0;
sl@0	570	}
sl@0	571	if(x->ex_flags & EXFLAG_NSCERT) {
sl@0	572	if(x->ex_nscert & NS_SMIME) return 1;
sl@0	573	/* Workaround for some buggy certificates */
sl@0	574	if(x->ex_nscert & NS_SSL_CLIENT) return 2;
sl@0	575	return 0;
sl@0	576	}
sl@0	577	return 1;
sl@0	578	}
sl@0	579
sl@0	580	static int check_purpose_smime_sign(const X509_PURPOSE xp, const X509 x, int ca)
sl@0	581	{
sl@0	582	int ret;
sl@0	583	ret = purpose_smime(x, ca);
sl@0	584	if(!ret \|\| ca) return ret;
sl@0	585	if(ku_reject(x, KU_DIGITAL_SIGNATURE\|KU_NON_REPUDIATION)) return 0;
sl@0	586	return ret;
sl@0	587	}
sl@0	588
sl@0	589	static int check_purpose_smime_encrypt(const X509_PURPOSE xp, const X509 x, int ca)
sl@0	590	{
sl@0	591	int ret;
sl@0	592	ret = purpose_smime(x, ca);
sl@0	593	if(!ret \|\| ca) return ret;
sl@0	594	if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
sl@0	595	return ret;
sl@0	596	}
sl@0	597
sl@0	598	static int check_purpose_crl_sign(const X509_PURPOSE xp, const X509 x, int ca)
sl@0	599	{
sl@0	600	if(ca) {
sl@0	601	int ca_ret;
sl@0	602	if((ca_ret = check_ca(x)) != 2) return ca_ret;
sl@0	603	else return 0;
sl@0	604	}
sl@0	605	if(ku_reject(x, KU_CRL_SIGN)) return 0;
sl@0	606	return 1;
sl@0	607	}
sl@0	608
sl@0	609	/* OCSP helper: this is not a full OCSP check. It just checks that
sl@0	610	* each CA is valid. Additional checks must be made on the chain.
sl@0	611	*/
sl@0	612
sl@0	613	static int ocsp_helper(const X509_PURPOSE xp, const X509 x, int ca)
sl@0	614	{
sl@0	615	/* Must be a valid CA. Should we really support the "I don't know"
sl@0	616	value (2)? */
sl@0	617	if(ca) return check_ca(x);
sl@0	618	/* leaf certificate is checked in OCSP_verify() */
sl@0	619	return 1;
sl@0	620	}
sl@0	621
sl@0	622	static int no_check(const X509_PURPOSE xp, const X509 x, int ca)
sl@0	623	{
sl@0	624	return 1;
sl@0	625	}
sl@0	626
sl@0	627	/* Various checks to see if one certificate issued the second.
sl@0	628	* This can be used to prune a set of possible issuer certificates
sl@0	629	* which have been looked up using some simple method such as by
sl@0	630	* subject name.
sl@0	631	* These are:
sl@0	632	* 1. Check issuer_name(subject) == subject_name(issuer)
sl@0	633	* 2. If akid(subject) exists check it matches issuer
sl@0	634	* 3. If key_usage(issuer) exists check it supports certificate signing
sl@0	635	* returns 0 for OK, positive for reason for mismatch, reasons match
sl@0	636	* codes for X509_verify_cert()
sl@0	637	*/
sl@0	638
sl@0	639	EXPORT_C int X509_check_issued(X509 issuer, X509 subject)
sl@0	640	{
sl@0	641	if(X509_NAME_cmp(X509_get_subject_name(issuer),
sl@0	642	X509_get_issuer_name(subject)))
sl@0	643	return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
sl@0	644	x509v3_cache_extensions(issuer);
sl@0	645	x509v3_cache_extensions(subject);
sl@0	646	if(subject->akid) {
sl@0	647	/* Check key ids (if present) */
sl@0	648	if(subject->akid->keyid && issuer->skid &&
sl@0	649	ASN1_OCTET_STRING_cmp(subject->akid->keyid, issuer->skid) )
sl@0	650	return X509_V_ERR_AKID_SKID_MISMATCH;
sl@0	651	/* Check serial number */
sl@0	652	if(subject->akid->serial &&
sl@0	653	ASN1_INTEGER_cmp(X509_get_serialNumber(issuer),
sl@0	654	subject->akid->serial))
sl@0	655	return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
sl@0	656	/* Check issuer name */
sl@0	657	if(subject->akid->issuer) {
sl@0	658	/* Ugh, for some peculiar reason AKID includes
sl@0	659	* SEQUENCE OF GeneralName. So look for a DirName.
sl@0	660	* There may be more than one but we only take any
sl@0	661	* notice of the first.
sl@0	662	*/
sl@0	663	GENERAL_NAMES *gens;
sl@0	664	GENERAL_NAME *gen;
sl@0	665	X509_NAME *nm = NULL;
sl@0	666	int i;
sl@0	667	gens = subject->akid->issuer;
sl@0	668	for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
sl@0	669	gen = sk_GENERAL_NAME_value(gens, i);
sl@0	670	if(gen->type == GEN_DIRNAME) {
sl@0	671	nm = gen->d.dirn;
sl@0	672	break;
sl@0	673	}
sl@0	674	}
sl@0	675	if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
sl@0	676	return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
sl@0	677	}
sl@0	678	}
sl@0	679	if(subject->ex_flags & EXFLAG_PROXY)
sl@0	680	{
sl@0	681	if(ku_reject(issuer, KU_DIGITAL_SIGNATURE))
sl@0	682	return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
sl@0	683	}
sl@0	684	else if(ku_reject(issuer, KU_KEY_CERT_SIGN))
sl@0	685	return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
sl@0	686	return X509_V_OK;
sl@0	687	}
sl@0	688

author	sl
	Tue, 10 Jun 2014 14:32:02 +0200
changeset 1	260cb5ec6c19
permissions	-rw-r--r--