1 | /*
|
---|
2 | * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
|
---|
3 | *
|
---|
4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
---|
5 | * this file except in compliance with the License. You can obtain a copy
|
---|
6 | * in the file LICENSE in the source distribution or at
|
---|
7 | * https://www.openssl.org/source/license.html
|
---|
8 | */
|
---|
9 |
|
---|
10 | #include "internal/cryptlib.h"
|
---|
11 | #include <openssl/x509.h>
|
---|
12 | #include <openssl/x509v3.h>
|
---|
13 | #include "internal/x509_int.h"
|
---|
14 |
|
---|
15 | #include "pcy_int.h"
|
---|
16 |
|
---|
17 | static int policy_data_cmp(const X509_POLICY_DATA *const *a,
|
---|
18 | const X509_POLICY_DATA *const *b);
|
---|
19 | static int policy_cache_set_int(long *out, ASN1_INTEGER *value);
|
---|
20 |
|
---|
21 | /*
|
---|
22 | * Set cache entry according to CertificatePolicies extension. Note: this
|
---|
23 | * destroys the passed CERTIFICATEPOLICIES structure.
|
---|
24 | */
|
---|
25 |
|
---|
26 | static int policy_cache_create(X509 *x,
|
---|
27 | CERTIFICATEPOLICIES *policies, int crit)
|
---|
28 | {
|
---|
29 | int i;
|
---|
30 | int ret = 0;
|
---|
31 | X509_POLICY_CACHE *cache = x->policy_cache;
|
---|
32 | X509_POLICY_DATA *data = NULL;
|
---|
33 | POLICYINFO *policy;
|
---|
34 | if (sk_POLICYINFO_num(policies) == 0)
|
---|
35 | goto bad_policy;
|
---|
36 | cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
|
---|
37 | if (cache->data == NULL)
|
---|
38 | goto bad_policy;
|
---|
39 | for (i = 0; i < sk_POLICYINFO_num(policies); i++) {
|
---|
40 | policy = sk_POLICYINFO_value(policies, i);
|
---|
41 | data = policy_data_new(policy, NULL, crit);
|
---|
42 | if (data == NULL)
|
---|
43 | goto bad_policy;
|
---|
44 | /*
|
---|
45 | * Duplicate policy OIDs are illegal: reject if matches found.
|
---|
46 | */
|
---|
47 | if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
|
---|
48 | if (cache->anyPolicy) {
|
---|
49 | ret = -1;
|
---|
50 | goto bad_policy;
|
---|
51 | }
|
---|
52 | cache->anyPolicy = data;
|
---|
53 | } else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1) {
|
---|
54 | ret = -1;
|
---|
55 | goto bad_policy;
|
---|
56 | } else if (!sk_X509_POLICY_DATA_push(cache->data, data))
|
---|
57 | goto bad_policy;
|
---|
58 | data = NULL;
|
---|
59 | }
|
---|
60 | ret = 1;
|
---|
61 | bad_policy:
|
---|
62 | if (ret == -1)
|
---|
63 | x->ex_flags |= EXFLAG_INVALID_POLICY;
|
---|
64 | policy_data_free(data);
|
---|
65 | sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
|
---|
66 | if (ret <= 0) {
|
---|
67 | sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
|
---|
68 | cache->data = NULL;
|
---|
69 | }
|
---|
70 | return ret;
|
---|
71 | }
|
---|
72 |
|
---|
73 | static int policy_cache_new(X509 *x)
|
---|
74 | {
|
---|
75 | X509_POLICY_CACHE *cache;
|
---|
76 | ASN1_INTEGER *ext_any = NULL;
|
---|
77 | POLICY_CONSTRAINTS *ext_pcons = NULL;
|
---|
78 | CERTIFICATEPOLICIES *ext_cpols = NULL;
|
---|
79 | POLICY_MAPPINGS *ext_pmaps = NULL;
|
---|
80 | int i;
|
---|
81 |
|
---|
82 | if (x->policy_cache != NULL)
|
---|
83 | return 1;
|
---|
84 | cache = OPENSSL_malloc(sizeof(*cache));
|
---|
85 | if (cache == NULL)
|
---|
86 | return 0;
|
---|
87 | cache->anyPolicy = NULL;
|
---|
88 | cache->data = NULL;
|
---|
89 | cache->any_skip = -1;
|
---|
90 | cache->explicit_skip = -1;
|
---|
91 | cache->map_skip = -1;
|
---|
92 |
|
---|
93 | x->policy_cache = cache;
|
---|
94 |
|
---|
95 | /*
|
---|
96 | * Handle requireExplicitPolicy *first*. Need to process this even if we
|
---|
97 | * don't have any policies.
|
---|
98 | */
|
---|
99 | ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);
|
---|
100 |
|
---|
101 | if (!ext_pcons) {
|
---|
102 | if (i != -1)
|
---|
103 | goto bad_cache;
|
---|
104 | } else {
|
---|
105 | if (!ext_pcons->requireExplicitPolicy
|
---|
106 | && !ext_pcons->inhibitPolicyMapping)
|
---|
107 | goto bad_cache;
|
---|
108 | if (!policy_cache_set_int(&cache->explicit_skip,
|
---|
109 | ext_pcons->requireExplicitPolicy))
|
---|
110 | goto bad_cache;
|
---|
111 | if (!policy_cache_set_int(&cache->map_skip,
|
---|
112 | ext_pcons->inhibitPolicyMapping))
|
---|
113 | goto bad_cache;
|
---|
114 | }
|
---|
115 |
|
---|
116 | /* Process CertificatePolicies */
|
---|
117 |
|
---|
118 | ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL);
|
---|
119 | /*
|
---|
120 | * If no CertificatePolicies extension or problem decoding then there is
|
---|
121 | * no point continuing because the valid policies will be NULL.
|
---|
122 | */
|
---|
123 | if (!ext_cpols) {
|
---|
124 | /* If not absent some problem with extension */
|
---|
125 | if (i != -1)
|
---|
126 | goto bad_cache;
|
---|
127 | return 1;
|
---|
128 | }
|
---|
129 |
|
---|
130 | i = policy_cache_create(x, ext_cpols, i);
|
---|
131 |
|
---|
132 | /* NB: ext_cpols freed by policy_cache_set_policies */
|
---|
133 |
|
---|
134 | if (i <= 0)
|
---|
135 | return i;
|
---|
136 |
|
---|
137 | ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);
|
---|
138 |
|
---|
139 | if (!ext_pmaps) {
|
---|
140 | /* If not absent some problem with extension */
|
---|
141 | if (i != -1)
|
---|
142 | goto bad_cache;
|
---|
143 | } else {
|
---|
144 | i = policy_cache_set_mapping(x, ext_pmaps);
|
---|
145 | if (i <= 0)
|
---|
146 | goto bad_cache;
|
---|
147 | }
|
---|
148 |
|
---|
149 | ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);
|
---|
150 |
|
---|
151 | if (!ext_any) {
|
---|
152 | if (i != -1)
|
---|
153 | goto bad_cache;
|
---|
154 | } else if (!policy_cache_set_int(&cache->any_skip, ext_any))
|
---|
155 | goto bad_cache;
|
---|
156 | goto just_cleanup;
|
---|
157 |
|
---|
158 | bad_cache:
|
---|
159 | x->ex_flags |= EXFLAG_INVALID_POLICY;
|
---|
160 |
|
---|
161 | just_cleanup:
|
---|
162 | POLICY_CONSTRAINTS_free(ext_pcons);
|
---|
163 | ASN1_INTEGER_free(ext_any);
|
---|
164 | return 1;
|
---|
165 |
|
---|
166 | }
|
---|
167 |
|
---|
168 | void policy_cache_free(X509_POLICY_CACHE *cache)
|
---|
169 | {
|
---|
170 | if (!cache)
|
---|
171 | return;
|
---|
172 | policy_data_free(cache->anyPolicy);
|
---|
173 | sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
|
---|
174 | OPENSSL_free(cache);
|
---|
175 | }
|
---|
176 |
|
---|
177 | const X509_POLICY_CACHE *policy_cache_set(X509 *x)
|
---|
178 | {
|
---|
179 |
|
---|
180 | if (x->policy_cache == NULL) {
|
---|
181 | CRYPTO_THREAD_write_lock(x->lock);
|
---|
182 | policy_cache_new(x);
|
---|
183 | CRYPTO_THREAD_unlock(x->lock);
|
---|
184 | }
|
---|
185 |
|
---|
186 | return x->policy_cache;
|
---|
187 |
|
---|
188 | }
|
---|
189 |
|
---|
190 | X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
|
---|
191 | const ASN1_OBJECT *id)
|
---|
192 | {
|
---|
193 | int idx;
|
---|
194 | X509_POLICY_DATA tmp;
|
---|
195 | tmp.valid_policy = (ASN1_OBJECT *)id;
|
---|
196 | idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
|
---|
197 | if (idx == -1)
|
---|
198 | return NULL;
|
---|
199 | return sk_X509_POLICY_DATA_value(cache->data, idx);
|
---|
200 | }
|
---|
201 |
|
---|
202 | static int policy_data_cmp(const X509_POLICY_DATA *const *a,
|
---|
203 | const X509_POLICY_DATA *const *b)
|
---|
204 | {
|
---|
205 | return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy);
|
---|
206 | }
|
---|
207 |
|
---|
208 | static int policy_cache_set_int(long *out, ASN1_INTEGER *value)
|
---|
209 | {
|
---|
210 | if (value == NULL)
|
---|
211 | return 1;
|
---|
212 | if (value->type == V_ASN1_NEG_INTEGER)
|
---|
213 | return 0;
|
---|
214 | *out = ASN1_INTEGER_get(value);
|
---|
215 | return 1;
|
---|
216 | }
|
---|