2 * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/conf.h>
13 #include <openssl/asn1.h>
14 #include <openssl/asn1t.h>
15 #include <openssl/x509v3.h>
17 #include "x509_local.h"
18 #include "pcy_local.h"
21 DEFINE_STACK_OF(CONF_VALUE)
23 /* Certificate policies extension support: this one is a bit complex... */
25 static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol,
26 BIO *out, int indent);
27 static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
28 X509V3_CTX *ctx, const char *value);
29 static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
31 static void print_notice(BIO *out, USERNOTICE *notice, int indent);
32 static POLICYINFO *policy_section(X509V3_CTX *ctx,
33 STACK_OF(CONF_VALUE) *polstrs, int ia5org);
34 static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
35 STACK_OF(CONF_VALUE) *unot, int ia5org);
36 static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos);
37 static int displaytext_str2tag(const char *tagstr, unsigned int *tag_len);
38 static int displaytext_get_tag_len(const char *tagstr);
40 const X509V3_EXT_METHOD v3_cpols = {
41 NID_certificate_policies, 0, ASN1_ITEM_ref(CERTIFICATEPOLICIES),
45 (X509V3_EXT_I2R)i2r_certpol,
46 (X509V3_EXT_R2I)r2i_certpol,
50 ASN1_ITEM_TEMPLATE(CERTIFICATEPOLICIES) =
51 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CERTIFICATEPOLICIES, POLICYINFO)
52 ASN1_ITEM_TEMPLATE_END(CERTIFICATEPOLICIES)
54 IMPLEMENT_ASN1_FUNCTIONS(CERTIFICATEPOLICIES)
56 ASN1_SEQUENCE(POLICYINFO) = {
57 ASN1_SIMPLE(POLICYINFO, policyid, ASN1_OBJECT),
58 ASN1_SEQUENCE_OF_OPT(POLICYINFO, qualifiers, POLICYQUALINFO)
59 } ASN1_SEQUENCE_END(POLICYINFO)
61 IMPLEMENT_ASN1_FUNCTIONS(POLICYINFO)
63 ASN1_ADB_TEMPLATE(policydefault) = ASN1_SIMPLE(POLICYQUALINFO, d.other, ASN1_ANY);
65 ASN1_ADB(POLICYQUALINFO) = {
66 ADB_ENTRY(NID_id_qt_cps, ASN1_SIMPLE(POLICYQUALINFO, d.cpsuri, ASN1_IA5STRING)),
67 ADB_ENTRY(NID_id_qt_unotice, ASN1_SIMPLE(POLICYQUALINFO, d.usernotice, USERNOTICE))
68 } ASN1_ADB_END(POLICYQUALINFO, 0, pqualid, 0, &policydefault_tt, NULL);
70 ASN1_SEQUENCE(POLICYQUALINFO) = {
71 ASN1_SIMPLE(POLICYQUALINFO, pqualid, ASN1_OBJECT),
72 ASN1_ADB_OBJECT(POLICYQUALINFO)
73 } ASN1_SEQUENCE_END(POLICYQUALINFO)
75 IMPLEMENT_ASN1_FUNCTIONS(POLICYQUALINFO)
77 ASN1_SEQUENCE(USERNOTICE) = {
78 ASN1_OPT(USERNOTICE, noticeref, NOTICEREF),
79 ASN1_OPT(USERNOTICE, exptext, DISPLAYTEXT)
80 } ASN1_SEQUENCE_END(USERNOTICE)
82 IMPLEMENT_ASN1_FUNCTIONS(USERNOTICE)
84 ASN1_SEQUENCE(NOTICEREF) = {
85 ASN1_SIMPLE(NOTICEREF, organization, DISPLAYTEXT),
86 ASN1_SEQUENCE_OF(NOTICEREF, noticenos, ASN1_INTEGER)
87 } ASN1_SEQUENCE_END(NOTICEREF)
89 IMPLEMENT_ASN1_FUNCTIONS(NOTICEREF)
91 static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
92 X509V3_CTX *ctx, const char *value)
94 STACK_OF(POLICYINFO) *pols;
98 STACK_OF(CONF_VALUE) *vals = X509V3_parse_list(value);
100 const int num = sk_CONF_VALUE_num(vals);
104 X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_X509V3_LIB);
108 pols = sk_POLICYINFO_new_reserve(NULL, num);
110 X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
115 for (i = 0; i < num; i++) {
116 cnf = sk_CONF_VALUE_value(vals, i);
117 if (cnf->value != NULL || cnf->name == NULL) {
118 X509V3err(X509V3_F_R2I_CERTPOL,
119 X509V3_R_INVALID_POLICY_IDENTIFIER);
120 X509V3_conf_add_error_name_value(cnf);
124 if (strcmp(pstr, "ia5org") == 0) {
127 } else if (*pstr == '@') {
128 STACK_OF(CONF_VALUE) *polsect;
130 polsect = X509V3_get_section(ctx, pstr + 1);
131 if (polsect == NULL) {
132 X509V3err(X509V3_F_R2I_CERTPOL, X509V3_R_INVALID_SECTION);
133 ERR_add_error_data(1, cnf->name);
136 pol = policy_section(ctx, polsect, ia5org);
137 X509V3_section_free(ctx, polsect);
141 if ((pobj = OBJ_txt2obj(cnf->name, 0)) == NULL) {
142 X509V3err(X509V3_F_R2I_CERTPOL,
143 X509V3_R_INVALID_OBJECT_IDENTIFIER);
144 ERR_add_error_data(1, cnf->name);
147 pol = POLICYINFO_new();
149 ASN1_OBJECT_free(pobj);
150 X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
153 pol->policyid = pobj;
155 if (!sk_POLICYINFO_push(pols, pol)) {
156 POLICYINFO_free(pol);
157 X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
161 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
164 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
165 sk_POLICYINFO_pop_free(pols, POLICYINFO_free);
169 static POLICYINFO *policy_section(X509V3_CTX *ctx,
170 STACK_OF(CONF_VALUE) *polstrs, int ia5org)
175 POLICYQUALINFO *qual;
177 if ((pol = POLICYINFO_new()) == NULL)
179 for (i = 0; i < sk_CONF_VALUE_num(polstrs); i++) {
180 cnf = sk_CONF_VALUE_value(polstrs, i);
181 if (strcmp(cnf->name, "policyIdentifier") == 0) {
184 if ((pobj = OBJ_txt2obj(cnf->value, 0)) == NULL) {
185 X509V3err(X509V3_F_POLICY_SECTION,
186 X509V3_R_INVALID_OBJECT_IDENTIFIER);
187 X509V3_conf_err(cnf);
190 pol->policyid = pobj;
192 } else if (!v3_name_cmp(cnf->name, "CPS")) {
193 if (pol->qualifiers == NULL)
194 pol->qualifiers = sk_POLICYQUALINFO_new_null();
195 if ((qual = POLICYQUALINFO_new()) == NULL)
197 if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
199 if ((qual->pqualid = OBJ_nid2obj(NID_id_qt_cps)) == NULL) {
200 X509V3err(X509V3_F_POLICY_SECTION, ERR_R_INTERNAL_ERROR);
203 if ((qual->d.cpsuri = ASN1_IA5STRING_new()) == NULL)
205 if (!ASN1_STRING_set(qual->d.cpsuri, cnf->value,
208 } else if (!v3_name_cmp(cnf->name, "userNotice")) {
209 STACK_OF(CONF_VALUE) *unot;
210 if (*cnf->value != '@') {
211 X509V3err(X509V3_F_POLICY_SECTION,
212 X509V3_R_EXPECTED_A_SECTION_NAME);
213 X509V3_conf_err(cnf);
216 unot = X509V3_get_section(ctx, cnf->value + 1);
218 X509V3err(X509V3_F_POLICY_SECTION, X509V3_R_INVALID_SECTION);
220 X509V3_conf_err(cnf);
223 qual = notice_section(ctx, unot, ia5org);
224 X509V3_section_free(ctx, unot);
227 if (pol->qualifiers == NULL)
228 pol->qualifiers = sk_POLICYQUALINFO_new_null();
229 if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
232 X509V3err(X509V3_F_POLICY_SECTION, X509V3_R_INVALID_OPTION);
233 X509V3_conf_err(cnf);
237 if (pol->policyid == NULL) {
238 X509V3err(X509V3_F_POLICY_SECTION, X509V3_R_NO_POLICY_IDENTIFIER);
245 X509V3err(X509V3_F_POLICY_SECTION, ERR_R_MALLOC_FAILURE);
248 POLICYINFO_free(pol);
252 static int displaytext_get_tag_len(const char *tagstr)
254 char *colon = strchr(tagstr, ':');
256 return (colon == NULL) ? -1 : colon - tagstr;
259 static int displaytext_str2tag(const char *tagstr, unsigned int *tag_len)
264 len = displaytext_get_tag_len(tagstr);
267 return V_ASN1_VISIBLESTRING;
269 if (len == sizeof("UTF8") - 1 && strncmp(tagstr, "UTF8", len) == 0)
270 return V_ASN1_UTF8STRING;
271 if (len == sizeof("UTF8String") - 1 && strncmp(tagstr, "UTF8String", len) == 0)
272 return V_ASN1_UTF8STRING;
273 if (len == sizeof("BMP") - 1 && strncmp(tagstr, "BMP", len) == 0)
274 return V_ASN1_BMPSTRING;
275 if (len == sizeof("BMPSTRING") - 1 && strncmp(tagstr, "BMPSTRING", len) == 0)
276 return V_ASN1_BMPSTRING;
277 if (len == sizeof("VISIBLE") - 1 && strncmp(tagstr, "VISIBLE", len) == 0)
278 return V_ASN1_VISIBLESTRING;
279 if (len == sizeof("VISIBLESTRING") - 1 && strncmp(tagstr, "VISIBLESTRING", len) == 0)
280 return V_ASN1_VISIBLESTRING;
282 return V_ASN1_VISIBLESTRING;
285 static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
286 STACK_OF(CONF_VALUE) *unot, int ia5org)
288 int i, ret, len, tag;
289 unsigned int tag_len;
292 POLICYQUALINFO *qual;
295 if ((qual = POLICYQUALINFO_new()) == NULL)
297 if ((qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice)) == NULL) {
298 X509V3err(X509V3_F_NOTICE_SECTION, ERR_R_INTERNAL_ERROR);
301 if ((not = USERNOTICE_new()) == NULL)
303 qual->d.usernotice = not;
304 for (i = 0; i < sk_CONF_VALUE_num(unot); i++) {
305 cnf = sk_CONF_VALUE_value(unot, i);
308 if (strcmp(cnf->name, "explicitText") == 0) {
309 tag = displaytext_str2tag(value, &tag_len);
310 if ((not->exptext = ASN1_STRING_type_new(tag)) == NULL)
313 value += tag_len + 1;
315 if (!ASN1_STRING_set(not->exptext, value, len))
317 } else if (strcmp(cnf->name, "organization") == 0) {
320 if (!not->noticeref) {
321 if ((nref = NOTICEREF_new()) == NULL)
323 not->noticeref = nref;
325 nref = not->noticeref;
327 nref->organization->type = V_ASN1_IA5STRING;
329 nref->organization->type = V_ASN1_VISIBLESTRING;
330 if (!ASN1_STRING_set(nref->organization, cnf->value,
333 } else if (strcmp(cnf->name, "noticeNumbers") == 0) {
336 STACK_OF(CONF_VALUE) *nos;
337 if (!not->noticeref) {
338 if ((nref = NOTICEREF_new()) == NULL)
340 not->noticeref = nref;
342 nref = not->noticeref;
343 nos = X509V3_parse_list(cnf->value);
344 if (!nos || !sk_CONF_VALUE_num(nos)) {
345 X509V3err(X509V3_F_NOTICE_SECTION, X509V3_R_INVALID_NUMBERS);
346 X509V3_conf_add_error_name_value(cnf);
347 sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
350 ret = nref_nos(nref->noticenos, nos);
351 sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
355 X509V3err(X509V3_F_NOTICE_SECTION, X509V3_R_INVALID_OPTION);
356 X509V3_conf_add_error_name_value(cnf);
361 if (not->noticeref &&
362 (!not->noticeref->noticenos || !not->noticeref->organization)) {
363 X509V3err(X509V3_F_NOTICE_SECTION,
364 X509V3_R_NEED_ORGANIZATION_AND_NUMBERS);
371 X509V3err(X509V3_F_NOTICE_SECTION, ERR_R_MALLOC_FAILURE);
374 POLICYQUALINFO_free(qual);
378 static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos)
385 for (i = 0; i < sk_CONF_VALUE_num(nos); i++) {
386 cnf = sk_CONF_VALUE_value(nos, i);
387 if ((aint = s2i_ASN1_INTEGER(NULL, cnf->name)) == NULL) {
388 X509V3err(X509V3_F_NREF_NOS, X509V3_R_INVALID_NUMBER);
391 if (!sk_ASN1_INTEGER_push(nnums, aint))
397 ASN1_INTEGER_free(aint);
398 X509V3err(X509V3_F_NREF_NOS, ERR_R_MALLOC_FAILURE);
404 static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol,
405 BIO *out, int indent)
409 /* First print out the policy OIDs */
410 for (i = 0; i < sk_POLICYINFO_num(pol); i++) {
413 pinfo = sk_POLICYINFO_value(pol, i);
414 BIO_printf(out, "%*sPolicy: ", indent, "");
415 i2a_ASN1_OBJECT(out, pinfo->policyid);
416 if (pinfo->qualifiers) {
418 print_qualifiers(out, pinfo->qualifiers, indent + 2);
424 static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
427 POLICYQUALINFO *qualinfo;
429 for (i = 0; i < sk_POLICYQUALINFO_num(quals); i++) {
432 qualinfo = sk_POLICYQUALINFO_value(quals, i);
433 switch (OBJ_obj2nid(qualinfo->pqualid)) {
435 BIO_printf(out, "%*sCPS: %s", indent, "",
436 qualinfo->d.cpsuri->data);
439 case NID_id_qt_unotice:
440 BIO_printf(out, "%*sUser Notice:\n", indent, "");
441 print_notice(out, qualinfo->d.usernotice, indent + 2);
445 BIO_printf(out, "%*sUnknown Qualifier: ", indent + 2, "");
447 i2a_ASN1_OBJECT(out, qualinfo->pqualid);
453 static void print_notice(BIO *out, USERNOTICE *notice, int indent)
456 if (notice->noticeref) {
458 ref = notice->noticeref;
459 BIO_printf(out, "%*sOrganization: %s\n", indent, "",
460 ref->organization->data);
461 BIO_printf(out, "%*sNumber%s: ", indent, "",
462 sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : "");
463 for (i = 0; i < sk_ASN1_INTEGER_num(ref->noticenos); i++) {
466 num = sk_ASN1_INTEGER_value(ref->noticenos, i);
470 BIO_puts(out, "(null)");
472 tmp = i2s_ASN1_INTEGER(NULL, num);
483 BIO_printf(out, "%*sExplicit Text: %s", indent, "",
484 notice->exptext->data);
487 void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
489 const X509_POLICY_DATA *dat = node->data;
491 BIO_printf(out, "%*sPolicy: ", indent, "");
493 i2a_ASN1_OBJECT(out, dat->valid_policy);
495 BIO_printf(out, "%*s%s\n", indent + 2, "",
496 node_data_critical(dat) ? "Critical" : "Non Critical");
497 if (dat->qualifier_set) {
498 print_qualifiers(out, dat->qualifier_set, indent + 2);
502 BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");