sl@0: /* v3_cpols.c */ sl@0: /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL sl@0: * project 1999. sl@0: */ sl@0: /* ==================================================================== sl@0: * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. sl@0: * sl@0: * Redistribution and use in source and binary forms, with or without sl@0: * modification, are permitted provided that the following conditions sl@0: * are met: sl@0: * sl@0: * 1. Redistributions of source code must retain the above copyright sl@0: * notice, this list of conditions and the following disclaimer. sl@0: * sl@0: * 2. Redistributions in binary form must reproduce the above copyright sl@0: * notice, this list of conditions and the following disclaimer in sl@0: * the documentation and/or other materials provided with the sl@0: * distribution. sl@0: * sl@0: * 3. All advertising materials mentioning features or use of this sl@0: * software must display the following acknowledgment: sl@0: * "This product includes software developed by the OpenSSL Project sl@0: * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" sl@0: * sl@0: * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to sl@0: * endorse or promote products derived from this software without sl@0: * prior written permission. For written permission, please contact sl@0: * licensing@OpenSSL.org. sl@0: * sl@0: * 5. Products derived from this software may not be called "OpenSSL" sl@0: * nor may "OpenSSL" appear in their names without prior written sl@0: * permission of the OpenSSL Project. sl@0: * sl@0: * 6. Redistributions of any form whatsoever must retain the following sl@0: * acknowledgment: sl@0: * "This product includes software developed by the OpenSSL Project sl@0: * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" sl@0: * sl@0: * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY sl@0: * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE sl@0: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR sl@0: * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR sl@0: * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, sl@0: * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT sl@0: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; sl@0: * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) sl@0: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, sl@0: * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) sl@0: * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED sl@0: * OF THE POSSIBILITY OF SUCH DAMAGE. sl@0: * ==================================================================== sl@0: * sl@0: * This product includes cryptographic software written by Eric Young sl@0: * (eay@cryptsoft.com). This product includes software written by Tim sl@0: * Hudson (tjh@cryptsoft.com). sl@0: * sl@0: */ sl@0: /* sl@0: © Portions copyright (c) 2006 Nokia Corporation. All rights reserved. sl@0: */ sl@0: sl@0: sl@0: #include sl@0: #include "cryptlib.h" sl@0: #include sl@0: #include sl@0: #include sl@0: #include sl@0: sl@0: #include "pcy_int.h" sl@0: #if (defined(SYMBIAN) && (defined(__WINSCW__) || defined(__WINS__))) sl@0: #include "libcrypto_wsd_macros.h" sl@0: #include "libcrypto_wsd.h" sl@0: #endif sl@0: sl@0: /* Certificate policies extension support: this one is a bit complex... */ sl@0: sl@0: static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol, BIO *out, int indent); sl@0: static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value); sl@0: static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals, int indent); sl@0: static void print_notice(BIO *out, USERNOTICE *notice, int indent); sl@0: static POLICYINFO *policy_section(X509V3_CTX *ctx, sl@0: STACK_OF(CONF_VALUE) *polstrs, int ia5org); sl@0: static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, sl@0: STACK_OF(CONF_VALUE) *unot, int ia5org); sl@0: static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos); sl@0: sl@0: #ifndef EMULATOR sl@0: X509V3_EXT_METHOD v3_cpols = { sl@0: NID_certificate_policies, 0,ASN1_ITEM_ref(CERTIFICATEPOLICIES), sl@0: 0,0,0,0, sl@0: 0,0, sl@0: 0,0, sl@0: (X509V3_EXT_I2R)i2r_certpol, sl@0: (X509V3_EXT_R2I)r2i_certpol, sl@0: NULL sl@0: }; sl@0: #else sl@0: const X509V3_EXT_METHOD v3_cpols = { sl@0: NID_certificate_policies, 0,ASN1_ITEM_ref(CERTIFICATEPOLICIES), sl@0: 0,0,0,0, sl@0: 0,0, sl@0: 0,0, sl@0: (X509V3_EXT_I2R)i2r_certpol, sl@0: (X509V3_EXT_R2I)r2i_certpol, sl@0: NULL sl@0: }; sl@0: #endif sl@0: ASN1_ITEM_TEMPLATE(CERTIFICATEPOLICIES) = sl@0: ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CERTIFICATEPOLICIES, POLICYINFO) sl@0: ASN1_ITEM_TEMPLATE_END(CERTIFICATEPOLICIES) sl@0: sl@0: IMPLEMENT_ASN1_FUNCTIONS(CERTIFICATEPOLICIES) sl@0: sl@0: ASN1_SEQUENCE(POLICYINFO) = { sl@0: ASN1_SIMPLE(POLICYINFO, policyid, ASN1_OBJECT), sl@0: ASN1_SEQUENCE_OF_OPT(POLICYINFO, qualifiers, POLICYQUALINFO) sl@0: } ASN1_SEQUENCE_END(POLICYINFO) sl@0: sl@0: IMPLEMENT_ASN1_FUNCTIONS(POLICYINFO) sl@0: sl@0: ASN1_ADB_TEMPLATE(policydefault) = ASN1_SIMPLE(POLICYQUALINFO, d.other, ASN1_ANY); sl@0: sl@0: ASN1_ADB(POLICYQUALINFO) = { sl@0: ADB_ENTRY(NID_id_qt_cps, ASN1_SIMPLE(POLICYQUALINFO, d.cpsuri, ASN1_IA5STRING)), sl@0: ADB_ENTRY(NID_id_qt_unotice, ASN1_SIMPLE(POLICYQUALINFO, d.usernotice, USERNOTICE)) sl@0: } ASN1_ADB_END(POLICYQUALINFO, 0, pqualid, 0, &policydefault_tt, NULL); sl@0: sl@0: ASN1_SEQUENCE(POLICYQUALINFO) = { sl@0: ASN1_SIMPLE(POLICYQUALINFO, pqualid, ASN1_OBJECT), sl@0: ASN1_ADB_OBJECT(POLICYQUALINFO) sl@0: } ASN1_SEQUENCE_END(POLICYQUALINFO) sl@0: sl@0: IMPLEMENT_ASN1_FUNCTIONS(POLICYQUALINFO) sl@0: sl@0: ASN1_SEQUENCE(USERNOTICE) = { sl@0: ASN1_OPT(USERNOTICE, noticeref, NOTICEREF), sl@0: ASN1_OPT(USERNOTICE, exptext, DISPLAYTEXT) sl@0: } ASN1_SEQUENCE_END(USERNOTICE) sl@0: sl@0: IMPLEMENT_ASN1_FUNCTIONS(USERNOTICE) sl@0: sl@0: ASN1_SEQUENCE(NOTICEREF) = { sl@0: ASN1_SIMPLE(NOTICEREF, organization, DISPLAYTEXT), sl@0: ASN1_SEQUENCE_OF(NOTICEREF, noticenos, ASN1_INTEGER) sl@0: } ASN1_SEQUENCE_END(NOTICEREF) sl@0: sl@0: IMPLEMENT_ASN1_FUNCTIONS(NOTICEREF) sl@0: sl@0: static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method, sl@0: X509V3_CTX *ctx, char *value) sl@0: { sl@0: STACK_OF(POLICYINFO) *pols = NULL; sl@0: char *pstr; sl@0: POLICYINFO *pol; sl@0: ASN1_OBJECT *pobj; sl@0: STACK_OF(CONF_VALUE) *vals; sl@0: CONF_VALUE *cnf; sl@0: int i, ia5org; sl@0: pols = sk_POLICYINFO_new_null(); sl@0: if (pols == NULL) { sl@0: X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE); sl@0: return NULL; sl@0: } sl@0: vals = X509V3_parse_list(value); sl@0: if (vals == NULL) { sl@0: X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_X509V3_LIB); sl@0: goto err; sl@0: } sl@0: ia5org = 0; sl@0: for(i = 0; i < sk_CONF_VALUE_num(vals); i++) { sl@0: cnf = sk_CONF_VALUE_value(vals, i); sl@0: if(cnf->value || !cnf->name ) { sl@0: X509V3err(X509V3_F_R2I_CERTPOL,X509V3_R_INVALID_POLICY_IDENTIFIER); sl@0: X509V3_conf_err(cnf); sl@0: goto err; sl@0: } sl@0: pstr = cnf->name; sl@0: if(!strcmp(pstr,"ia5org")) { sl@0: ia5org = 1; sl@0: continue; sl@0: } else if(*pstr == '@') { sl@0: STACK_OF(CONF_VALUE) *polsect; sl@0: polsect = X509V3_get_section(ctx, pstr + 1); sl@0: if(!polsect) { sl@0: X509V3err(X509V3_F_R2I_CERTPOL,X509V3_R_INVALID_SECTION); sl@0: sl@0: X509V3_conf_err(cnf); sl@0: goto err; sl@0: } sl@0: pol = policy_section(ctx, polsect, ia5org); sl@0: X509V3_section_free(ctx, polsect); sl@0: if(!pol) goto err; sl@0: } else { sl@0: if(!(pobj = OBJ_txt2obj(cnf->name, 0))) { sl@0: X509V3err(X509V3_F_R2I_CERTPOL,X509V3_R_INVALID_OBJECT_IDENTIFIER); sl@0: X509V3_conf_err(cnf); sl@0: goto err; sl@0: } sl@0: pol = POLICYINFO_new(); sl@0: pol->policyid = pobj; sl@0: } sl@0: sk_POLICYINFO_push(pols, pol); sl@0: } sl@0: sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); sl@0: return pols; sl@0: err: sl@0: sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); sl@0: sk_POLICYINFO_pop_free(pols, POLICYINFO_free); sl@0: return NULL; sl@0: } sl@0: sl@0: static POLICYINFO *policy_section(X509V3_CTX *ctx, sl@0: STACK_OF(CONF_VALUE) *polstrs, int ia5org) sl@0: { sl@0: int i; sl@0: CONF_VALUE *cnf; sl@0: POLICYINFO *pol; sl@0: POLICYQUALINFO *qual; sl@0: if(!(pol = POLICYINFO_new())) goto merr; sl@0: for(i = 0; i < sk_CONF_VALUE_num(polstrs); i++) { sl@0: cnf = sk_CONF_VALUE_value(polstrs, i); sl@0: if(!strcmp(cnf->name, "policyIdentifier")) { sl@0: ASN1_OBJECT *pobj; sl@0: if(!(pobj = OBJ_txt2obj(cnf->value, 0))) { sl@0: X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_INVALID_OBJECT_IDENTIFIER); sl@0: X509V3_conf_err(cnf); sl@0: goto err; sl@0: } sl@0: pol->policyid = pobj; sl@0: sl@0: } else if(!name_cmp(cnf->name, "CPS")) { sl@0: if(!pol->qualifiers) pol->qualifiers = sl@0: sk_POLICYQUALINFO_new_null(); sl@0: if(!(qual = POLICYQUALINFO_new())) goto merr; sl@0: if(!sk_POLICYQUALINFO_push(pol->qualifiers, qual)) sl@0: goto merr; sl@0: qual->pqualid = OBJ_nid2obj(NID_id_qt_cps); sl@0: qual->d.cpsuri = M_ASN1_IA5STRING_new(); sl@0: if(!ASN1_STRING_set(qual->d.cpsuri, cnf->value, sl@0: strlen(cnf->value))) goto merr; sl@0: } else if(!name_cmp(cnf->name, "userNotice")) { sl@0: STACK_OF(CONF_VALUE) *unot; sl@0: if(*cnf->value != '@') { sl@0: X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_EXPECTED_A_SECTION_NAME); sl@0: X509V3_conf_err(cnf); sl@0: goto err; sl@0: } sl@0: unot = X509V3_get_section(ctx, cnf->value + 1); sl@0: if(!unot) { sl@0: X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_INVALID_SECTION); sl@0: sl@0: X509V3_conf_err(cnf); sl@0: goto err; sl@0: } sl@0: qual = notice_section(ctx, unot, ia5org); sl@0: X509V3_section_free(ctx, unot); sl@0: if(!qual) goto err; sl@0: if(!pol->qualifiers) pol->qualifiers = sl@0: sk_POLICYQUALINFO_new_null(); sl@0: if(!sk_POLICYQUALINFO_push(pol->qualifiers, qual)) sl@0: goto merr; sl@0: } else { sl@0: X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_INVALID_OPTION); sl@0: sl@0: X509V3_conf_err(cnf); sl@0: goto err; sl@0: } sl@0: } sl@0: if(!pol->policyid) { sl@0: X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_NO_POLICY_IDENTIFIER); sl@0: goto err; sl@0: } sl@0: sl@0: return pol; sl@0: sl@0: merr: sl@0: X509V3err(X509V3_F_POLICY_SECTION,ERR_R_MALLOC_FAILURE); sl@0: sl@0: err: sl@0: POLICYINFO_free(pol); sl@0: return NULL; sl@0: sl@0: sl@0: } sl@0: sl@0: static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, sl@0: STACK_OF(CONF_VALUE) *unot, int ia5org) sl@0: { sl@0: int i, ret; sl@0: CONF_VALUE *cnf; sl@0: USERNOTICE *not; sl@0: POLICYQUALINFO *qual; sl@0: if(!(qual = POLICYQUALINFO_new())) goto merr; sl@0: qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice); sl@0: if(!(not = USERNOTICE_new())) goto merr; sl@0: qual->d.usernotice = not; sl@0: for(i = 0; i < sk_CONF_VALUE_num(unot); i++) { sl@0: cnf = sk_CONF_VALUE_value(unot, i); sl@0: if(!strcmp(cnf->name, "explicitText")) { sl@0: not->exptext = M_ASN1_VISIBLESTRING_new(); sl@0: if(!ASN1_STRING_set(not->exptext, cnf->value, sl@0: strlen(cnf->value))) goto merr; sl@0: } else if(!strcmp(cnf->name, "organization")) { sl@0: NOTICEREF *nref; sl@0: if(!not->noticeref) { sl@0: if(!(nref = NOTICEREF_new())) goto merr; sl@0: not->noticeref = nref; sl@0: } else nref = not->noticeref; sl@0: if(ia5org) nref->organization->type = V_ASN1_IA5STRING; sl@0: else nref->organization->type = V_ASN1_VISIBLESTRING; sl@0: if(!ASN1_STRING_set(nref->organization, cnf->value, sl@0: strlen(cnf->value))) goto merr; sl@0: } else if(!strcmp(cnf->name, "noticeNumbers")) { sl@0: NOTICEREF *nref; sl@0: STACK_OF(CONF_VALUE) *nos; sl@0: if(!not->noticeref) { sl@0: if(!(nref = NOTICEREF_new())) goto merr; sl@0: not->noticeref = nref; sl@0: } else nref = not->noticeref; sl@0: nos = X509V3_parse_list(cnf->value); sl@0: if(!nos || !sk_CONF_VALUE_num(nos)) { sl@0: X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_INVALID_NUMBERS); sl@0: X509V3_conf_err(cnf); sl@0: goto err; sl@0: } sl@0: ret = nref_nos(nref->noticenos, nos); sl@0: sk_CONF_VALUE_pop_free(nos, X509V3_conf_free); sl@0: if (!ret) sl@0: goto err; sl@0: } else { sl@0: X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_INVALID_OPTION); sl@0: X509V3_conf_err(cnf); sl@0: goto err; sl@0: } sl@0: } sl@0: sl@0: if(not->noticeref && sl@0: (!not->noticeref->noticenos || !not->noticeref->organization)) { sl@0: X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_NEED_ORGANIZATION_AND_NUMBERS); sl@0: goto err; sl@0: } sl@0: sl@0: return qual; sl@0: sl@0: merr: sl@0: X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE); sl@0: sl@0: err: sl@0: POLICYQUALINFO_free(qual); sl@0: return NULL; sl@0: } sl@0: sl@0: static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos) sl@0: { sl@0: CONF_VALUE *cnf; sl@0: ASN1_INTEGER *aint; sl@0: sl@0: int i; sl@0: sl@0: for(i = 0; i < sk_CONF_VALUE_num(nos); i++) { sl@0: cnf = sk_CONF_VALUE_value(nos, i); sl@0: if(!(aint = s2i_ASN1_INTEGER(NULL, cnf->name))) { sl@0: X509V3err(X509V3_F_NREF_NOS,X509V3_R_INVALID_NUMBER); sl@0: goto err; sl@0: } sl@0: if(!sk_ASN1_INTEGER_push(nnums, aint)) goto merr; sl@0: } sl@0: return 1; sl@0: sl@0: merr: sl@0: X509V3err(X509V3_F_NREF_NOS,ERR_R_MALLOC_FAILURE); sl@0: sl@0: err: sl@0: sk_ASN1_INTEGER_pop_free(nnums, ASN1_STRING_free); sl@0: return 0; sl@0: } sl@0: sl@0: sl@0: static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol, sl@0: BIO *out, int indent) sl@0: { sl@0: int i; sl@0: POLICYINFO *pinfo; sl@0: /* First print out the policy OIDs */ sl@0: for(i = 0; i < sk_POLICYINFO_num(pol); i++) { sl@0: pinfo = sk_POLICYINFO_value(pol, i); sl@0: BIO_printf(out, "%*sPolicy: ", indent, ""); sl@0: i2a_ASN1_OBJECT(out, pinfo->policyid); sl@0: BIO_puts(out, "\n"); sl@0: if(pinfo->qualifiers) sl@0: print_qualifiers(out, pinfo->qualifiers, indent + 2); sl@0: } sl@0: return 1; sl@0: } sl@0: sl@0: static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals, sl@0: int indent) sl@0: { sl@0: POLICYQUALINFO *qualinfo; sl@0: int i; sl@0: for(i = 0; i < sk_POLICYQUALINFO_num(quals); i++) { sl@0: qualinfo = sk_POLICYQUALINFO_value(quals, i); sl@0: switch(OBJ_obj2nid(qualinfo->pqualid)) sl@0: { sl@0: case NID_id_qt_cps: sl@0: BIO_printf(out, "%*sCPS: %s\n", indent, "", sl@0: qualinfo->d.cpsuri->data); sl@0: break; sl@0: sl@0: case NID_id_qt_unotice: sl@0: BIO_printf(out, "%*sUser Notice:\n", indent, ""); sl@0: print_notice(out, qualinfo->d.usernotice, indent + 2); sl@0: break; sl@0: sl@0: default: sl@0: BIO_printf(out, "%*sUnknown Qualifier: ", sl@0: indent + 2, ""); sl@0: sl@0: i2a_ASN1_OBJECT(out, qualinfo->pqualid); sl@0: BIO_puts(out, "\n"); sl@0: break; sl@0: } sl@0: } sl@0: } sl@0: sl@0: static void print_notice(BIO *out, USERNOTICE *notice, int indent) sl@0: { sl@0: int i; sl@0: if(notice->noticeref) { sl@0: NOTICEREF *ref; sl@0: ref = notice->noticeref; sl@0: BIO_printf(out, "%*sOrganization: %s\n", indent, "", sl@0: ref->organization->data); sl@0: BIO_printf(out, "%*sNumber%s: ", indent, "", sl@0: sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : ""); sl@0: for(i = 0; i < sk_ASN1_INTEGER_num(ref->noticenos); i++) { sl@0: ASN1_INTEGER *num; sl@0: char *tmp; sl@0: num = sk_ASN1_INTEGER_value(ref->noticenos, i); sl@0: if(i) BIO_puts(out, ", "); sl@0: tmp = i2s_ASN1_INTEGER(NULL, num); sl@0: BIO_puts(out, tmp); sl@0: OPENSSL_free(tmp); sl@0: } sl@0: BIO_puts(out, "\n"); sl@0: } sl@0: if(notice->exptext) sl@0: BIO_printf(out, "%*sExplicit Text: %s\n", indent, "", sl@0: notice->exptext->data); sl@0: } sl@0: sl@0: EXPORT_C void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent) sl@0: { sl@0: const X509_POLICY_DATA *dat = node->data; sl@0: sl@0: BIO_printf(out, "%*sPolicy: ", indent, ""); sl@0: sl@0: i2a_ASN1_OBJECT(out, dat->valid_policy); sl@0: BIO_puts(out, "\n"); sl@0: BIO_printf(out, "%*s%s\n", indent + 2, "", sl@0: node_data_critical(dat) ? "Critical" : "Non Critical"); sl@0: if (dat->qualifier_set) sl@0: print_qualifiers(out, dat->qualifier_set, indent + 2); sl@0: else sl@0: BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, ""); sl@0: } sl@0: