Finish off support for Certificate Policies extension.

diff --git a/CHANGES b/CHANGES
index a18f428e9bf2c9747a34acf2b8600105cd5283c4..4e58f2d35738f0d2c3f851b8174c8b2001b3955c 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -14,9 +14,8 @@
   *) SPARC v8 assembler BIGNUM implementation.
      [Andy Polyakov <appro@fy.chalmers.se>]
 
-  *) Initial support for Certificate Policies extension: print works but
-     setting doesn't work fully (yet). Also various additions to support
-     the r2i method this extension will use.
+  *) Support for Certificate Policies extension: both print and set.
+     Various additions to support the r2i method this extension will use.
      [Steve Henson]
 
   *) A lot of constification, and fix a bug in X509_NAME_oneline() that could

diff --git a/crypto/x509v3/v3_cpols.c b/crypto/x509v3/v3_cpols.c
index c9340046d71f834d4f7cc01bd7c4529ebd17b57a..cb6d0b0f9cdfb6b07f427e8d202bdbbb439d43a7 100644 (file)
--- a/crypto/x509v3/v3_cpols.c
+++ b/crypto/x509v3/v3_cpols.c
@@ -70,6 +70,8 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method, X509V3_CTX *
 static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals, int indent);
 static void print_notice(BIO *out, USERNOTICE *notice, int indent);
 static POLICYINFO *policy_section(X509V3_CTX *ctx, STACK *polstrs);
+static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, STACK *unot);
+static STACK *nref_nos(STACK *nos);
 
 X509V3_EXT_METHOD v3_cpols = {
 NID_certificate_policies, 0,
@@ -154,9 +156,168 @@ STACK *polstrs;
 {
        int i;
        CONF_VALUE *cnf;
+       POLICYINFO *pol;
+       POLICYQUALINFO *qual;
+       if(!(pol = POLICYINFO_new())) goto merr;
        for(i = 0; i < sk_num(polstrs); i++) {
                cnf = (CONF_VALUE *)sk_value(polstrs, i);
+               if(!strcmp(cnf->name, "policyIdentifier")) {
+                       ASN1_OBJECT *pobj;
+                       if(!(pobj = OBJ_txt2obj(cnf->value, 0))) {
+                               X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_INVALID_OBJECT_IDENTIFIER);
+                               X509V3_conf_err(cnf);
+                               goto err;
+                       }
+                       pol->policyid = pobj;
+
+               } else if(!name_cmp(cnf->name, "CPS")) {
+                       if(!pol->qualifiers) pol->qualifiers =
+                                                sk_POLICYQUALINFO_new_null();
+                       if(!(qual = POLICYQUALINFO_new())) goto merr;
+                       if(!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
+                                                                goto merr;
+                       qual->pqualid = OBJ_nid2obj(NID_id_qt_cps);
+                       qual->d.cpsuri = ASN1_IA5STRING_new();
+                       if(!ASN1_STRING_set(qual->d.cpsuri, cnf->value,
+                                                strlen(cnf->value))) goto merr;
+               } else if(!name_cmp(cnf->name, "userNotice")) {
+                       STACK *unot;
+                       if(*cnf->value != '@') {
+                               X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_EXPECTED_A_SECTION_NAME);
+                               X509V3_conf_err(cnf);
+                               goto err;
+                       }
+                       unot = X509V3_get_section(ctx, cnf->value + 1);
+                       if(!unot) {
+                               X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_INVALID_SECTION);
+
+                               X509V3_conf_err(cnf);
+                               goto err;
+                       }
+                       qual = notice_section(ctx, unot);
+                       X509V3_section_free(ctx, unot);
+                       if(!qual) goto err;
+                       if(!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
+                                                                goto merr;
+               } else {
+                       X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_INVALID_OPTION);
+
+                       X509V3_conf_err(cnf);
+                       goto err;
+               }
+       }
+       if(!pol->policyid) {
+               X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_NO_POLICY_IDENTIFIER);
+               goto err;
+       }
+
+       return pol;
+
+       err:
+       POLICYINFO_free(pol);
+       return NULL;
+       
+       merr:
+       X509V3err(X509V3_F_POLICY_SECTION,ERR_R_MALLOC_FAILURE);
+       POLICYINFO_free(pol);
+       return NULL;
+       
+}
+
+static POLICYQUALINFO *notice_section(ctx, unot)
+X509V3_CTX *ctx;
+STACK *unot;
+{
+       int i;
+       CONF_VALUE *cnf;
+       USERNOTICE *not;
+       POLICYQUALINFO *qual;
+       if(!(qual = POLICYQUALINFO_new())) goto merr;
+       qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice);
+       if(!(not = USERNOTICE_new())) goto merr;
+       qual->d.usernotice = not;
+       for(i = 0; i < sk_num(unot); i++) {
+               cnf = (CONF_VALUE *)sk_value(unot, i);
+               if(!strcmp(cnf->name, "explicitText")) {
+                       not->exptext = ASN1_VISIBLESTRING_new();
+                       if(!ASN1_STRING_set(not->exptext, cnf->value,
+                                                strlen(cnf->value))) goto merr;
+               } else if(!strcmp(cnf->name, "organization")) {
+                       NOTICEREF *nref;
+                       if(!not->noticeref) {
+                               if(!(nref = NOTICEREF_new())) goto merr;
+                               not->noticeref = nref;
+                       } else nref = not->noticeref;
+                       nref->organization = ASN1_VISIBLESTRING_new();
+                       if(!ASN1_STRING_set(nref->organization, cnf->value,
+                                                strlen(cnf->value))) goto merr;
+               } else if(!strcmp(cnf->name, "noticeNumbers")) {
+                       NOTICEREF *nref;
+                       STACK *nos;
+                       if(!not->noticeref) {
+                               if(!(nref = NOTICEREF_new())) goto merr;
+                               not->noticeref = nref;
+                       } else nref = not->noticeref;
+                       nos = X509V3_parse_list(cnf->value);
+                       if(!nos || !sk_num(nos)) {
+                               X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_INVALID_NUMBERS);
+                               X509V3_conf_err(cnf);
+                               goto err;
+                       }
+                       nref->noticenos = nref_nos(nos);
+                       sk_pop_free(nos, X509V3_conf_free);
+                       if(!nref->noticenos) goto err;
+               } else {
+                       X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_INVALID_OPTION);
+
+                       X509V3_conf_err(cnf);
+                       goto err;
+               }
+       }
+
+       if(not->noticeref && 
+             (!not->noticeref->noticenos || !not->noticeref->organization)) {
+                       X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_NEED_ORGANIZATION_AND_NUMBERS);
+                       goto err;
        }
+
+       return qual;
+
+       err:
+       POLICYQUALINFO_free(qual);
+       return NULL;
+
+       merr:
+       X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE);
+       POLICYQUALINFO_free(qual);
+       return NULL;
+}
+
+static STACK *nref_nos(nos)
+STACK *nos;
+{
+       STACK *nnums;
+       CONF_VALUE *cnf;
+       ASN1_INTEGER *aint;
+       int i;
+       if(!(nnums = sk_new_null())) goto merr;
+       for(i = 0; i < sk_num(nos); i++) {
+               cnf = (CONF_VALUE *)sk_value(nos, i);
+               if(!(aint = s2i_ASN1_INTEGER(NULL, cnf->name))) {
+                       X509V3err(X509V3_F_NREF_NOS,X509V3_R_INVALID_NUMBER);
+                       goto err;
+               }
+               if(!sk_push(nnums, (char *)aint)) goto merr;
+       }
+       return nnums;
+
+       err:
+       sk_pop_free(nnums, ASN1_STRING_free);
+       return NULL;
+
+       merr:
+       X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE);
+       sk_pop_free(nnums, ASN1_STRING_free);
        return NULL;
 }
 
@@ -326,7 +487,7 @@ int indent;
                BIO_puts(out, "\n");
        }
        if(notice->exptext)
-               BIO_printf(out, "%*sNotice Reference: %s\n", indent, "",
+               BIO_printf(out, "%*sExplicit Text: %s\n", indent, "",
                                                         notice->exptext->data);
 }
                

diff --git a/crypto/x509v3/v3err.c b/crypto/x509v3/v3err.c
index 4a8297ceb32a17fcdc5f2da60c9534d4c2913adf..2f6ed4346b13716b69c7b85454c3e6703e167277 100644 (file)
--- a/crypto/x509v3/v3err.c
+++ b/crypto/x509v3/v3err.c
@@ -69,6 +69,9 @@ static ERR_STRING_DATA X509V3_str_functs[]=
 {ERR_PACK(0,X509V3_F_HEX_TO_STRING,0), "hex_to_string"},
 {ERR_PACK(0,X509V3_F_I2S_ASN1_ENUMERATED,0),   "i2s_ASN1_ENUMERATED"},
 {ERR_PACK(0,X509V3_F_I2S_ASN1_INTEGER,0),      "i2s_ASN1_INTEGER"},
+{ERR_PACK(0,X509V3_F_NOTICE_SECTION,0),        "NOTICE_SECTION"},
+{ERR_PACK(0,X509V3_F_NREF_NOS,0),      "NREF_NOS"},
+{ERR_PACK(0,X509V3_F_POLICY_SECTION,0),        "POLICY_SECTION"},
 {ERR_PACK(0,X509V3_F_R2I_CERTPOL,0),   "R2I_CERTPOL"},
 {ERR_PACK(0,X509V3_F_S2I_ASN1_IA5STRING,0),    "S2I_ASN1_IA5STRING"},
 {ERR_PACK(0,X509V3_F_S2I_ASN1_INTEGER,0),      "s2i_ASN1_INTEGER"},
@@ -106,6 +109,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {X509V3_R_DUPLICATE_ZONE_ID              ,"duplicate zone id"},
 {X509V3_R_ERROR_CONVERTING_ZONE          ,"error converting zone"},
 {X509V3_R_ERROR_IN_EXTENSION             ,"error in extension"},
+{X509V3_R_EXPECTED_A_SECTION_NAME        ,"expected a section name"},
 {X509V3_R_EXTENSION_NAME_ERROR           ,"extension name error"},
 {X509V3_R_EXTENSION_NOT_FOUND            ,"extension not found"},
 {X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED,"extension setting not supported"},
@@ -117,14 +121,19 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {X509V3_R_INVALID_NULL_ARGUMENT          ,"invalid null argument"},
 {X509V3_R_INVALID_NULL_NAME              ,"invalid null name"},
 {X509V3_R_INVALID_NULL_VALUE             ,"invalid null value"},
+{X509V3_R_INVALID_NUMBER                 ,"invalid number"},
+{X509V3_R_INVALID_NUMBERS                ,"invalid numbers"},
 {X509V3_R_INVALID_OBJECT_IDENTIFIER      ,"invalid object identifier"},
+{X509V3_R_INVALID_OPTION                 ,"invalid option"},
 {X509V3_R_INVALID_POLICY_IDENTIFIER      ,"invalid policy identifier"},
 {X509V3_R_INVALID_SECTION                ,"invalid section"},
 {X509V3_R_ISSUER_DECODE_ERROR            ,"issuer decode error"},
 {X509V3_R_MISSING_VALUE                  ,"missing value"},
+{X509V3_R_NEED_ORGANIZATION_AND_NUMBERS  ,"need organization and numbers"},
 {X509V3_R_NO_CONFIG_DATABASE             ,"no config database"},
 {X509V3_R_NO_ISSUER_CERTIFICATE          ,"no issuer certificate"},
 {X509V3_R_NO_ISSUER_DETAILS              ,"no issuer details"},
+{X509V3_R_NO_POLICY_IDENTIFIER           ,"no policy identifier"},
 {X509V3_R_NO_PUBLIC_KEY                  ,"no public key"},
 {X509V3_R_NO_SUBJECT_DETAILS             ,"no subject details"},
 {X509V3_R_ODD_NUMBER_OF_DIGITS           ,"odd number of digits"},

diff --git a/crypto/x509v3/x509v3.err b/crypto/x509v3/x509v3.err
index 2c027813fef76daff1a0abdcbb2510f5be01603e..bdb68d140cc4823d2562f775658a9e7d504c2bf6 100644 (file)
--- a/crypto/x509v3/x509v3.err
+++ b/crypto/x509v3/x509v3.err
@@ -7,6 +7,9 @@
 #define X509V3_F_HEX_TO_STRING                          111
 #define X509V3_F_I2S_ASN1_ENUMERATED                    121
 #define X509V3_F_I2S_ASN1_INTEGER                       120
+#define X509V3_F_NOTICE_SECTION                                 132
+#define X509V3_F_NREF_NOS                               133
+#define X509V3_F_POLICY_SECTION                                 131
 #define X509V3_F_R2I_CERTPOL                            130
 #define X509V3_F_S2I_ASN1_IA5STRING                     100
 #define X509V3_F_S2I_ASN1_INTEGER                       108
@@ -41,6 +44,7 @@
 #define X509V3_R_DUPLICATE_ZONE_ID                      133
 #define X509V3_R_ERROR_CONVERTING_ZONE                  131
 #define X509V3_R_ERROR_IN_EXTENSION                     128
+#define X509V3_R_EXPECTED_A_SECTION_NAME                137
 #define X509V3_R_EXTENSION_NAME_ERROR                   115
 #define X509V3_R_EXTENSION_NOT_FOUND                    102
 #define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED        103
@@ -52,14 +56,19 @@
 #define X509V3_R_INVALID_NULL_ARGUMENT                  107
 #define X509V3_R_INVALID_NULL_NAME                      108
 #define X509V3_R_INVALID_NULL_VALUE                     109
+#define X509V3_R_INVALID_NUMBER                                 140
+#define X509V3_R_INVALID_NUMBERS                        141
 #define X509V3_R_INVALID_OBJECT_IDENTIFIER              110
+#define X509V3_R_INVALID_OPTION                                 138
 #define X509V3_R_INVALID_POLICY_IDENTIFIER              134
 #define X509V3_R_INVALID_SECTION                        135
 #define X509V3_R_ISSUER_DECODE_ERROR                    126
 #define X509V3_R_MISSING_VALUE                          124
+#define X509V3_R_NEED_ORGANIZATION_AND_NUMBERS          142
 #define X509V3_R_NO_CONFIG_DATABASE                     136
 #define X509V3_R_NO_ISSUER_CERTIFICATE                  121
 #define X509V3_R_NO_ISSUER_DETAILS                      127
+#define X509V3_R_NO_POLICY_IDENTIFIER                   139
 #define X509V3_R_NO_PUBLIC_KEY                          114
 #define X509V3_R_NO_SUBJECT_DETAILS                     125
 #define X509V3_R_ODD_NUMBER_OF_DIGITS                   112

diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h
index 8ebbea2ed0d651ff6acf55d6ba5a2c249367fb2d..6c3937d0f361dd4b266915b4f22ba2e927455ffa 100644 (file)
--- a/crypto/x509v3/x509v3.h
+++ b/crypto/x509v3/x509v3.h
@@ -515,6 +515,9 @@ int X509V3_EXT_print_fp();
 #define X509V3_F_HEX_TO_STRING                          111
 #define X509V3_F_I2S_ASN1_ENUMERATED                    121
 #define X509V3_F_I2S_ASN1_INTEGER                       120
+#define X509V3_F_NOTICE_SECTION                                 132
+#define X509V3_F_NREF_NOS                               133
+#define X509V3_F_POLICY_SECTION                                 131
 #define X509V3_F_R2I_CERTPOL                            130
 #define X509V3_F_S2I_ASN1_IA5STRING                     100
 #define X509V3_F_S2I_ASN1_INTEGER                       108
@@ -549,6 +552,7 @@ int X509V3_EXT_print_fp();
 #define X509V3_R_DUPLICATE_ZONE_ID                      133
 #define X509V3_R_ERROR_CONVERTING_ZONE                  131
 #define X509V3_R_ERROR_IN_EXTENSION                     128
+#define X509V3_R_EXPECTED_A_SECTION_NAME                137
 #define X509V3_R_EXTENSION_NAME_ERROR                   115
 #define X509V3_R_EXTENSION_NOT_FOUND                    102
 #define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED        103
@@ -560,14 +564,19 @@ int X509V3_EXT_print_fp();
 #define X509V3_R_INVALID_NULL_ARGUMENT                  107
 #define X509V3_R_INVALID_NULL_NAME                      108
 #define X509V3_R_INVALID_NULL_VALUE                     109
+#define X509V3_R_INVALID_NUMBER                                 140
+#define X509V3_R_INVALID_NUMBERS                        141
 #define X509V3_R_INVALID_OBJECT_IDENTIFIER              110
+#define X509V3_R_INVALID_OPTION                                 138
 #define X509V3_R_INVALID_POLICY_IDENTIFIER              134
 #define X509V3_R_INVALID_SECTION                        135
 #define X509V3_R_ISSUER_DECODE_ERROR                    126
 #define X509V3_R_MISSING_VALUE                          124
+#define X509V3_R_NEED_ORGANIZATION_AND_NUMBERS          142
 #define X509V3_R_NO_CONFIG_DATABASE                     136
 #define X509V3_R_NO_ISSUER_CERTIFICATE                  121
 #define X509V3_R_NO_ISSUER_DETAILS                      127
+#define X509V3_R_NO_POLICY_IDENTIFIER                   139
 #define X509V3_R_NO_PUBLIC_KEY                          114
 #define X509V3_R_NO_SUBJECT_DETAILS                     125
 #define X509V3_R_ODD_NUMBER_OF_DIGITS                   112