Support for certificate status TLS extension.
[openssl.git] / crypto / x509v3 / v3_pci.c
1 /* v3_pci.c -*- mode:C; c-file-style: "eay" -*- */
2 /* Contributed to the OpenSSL Project 2004
3  * by Richard Levitte (richard@levitte.org)
4  */
5 /* Copyright (c) 2004 Kungliga Tekniska Högskolan
6  * (Royal Institute of Technology, Stockholm, Sweden).
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  *
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  *
16  * 2. Redistributions in binary form must reproduce the above copyright
17  *    notice, this list of conditions and the following disclaimer in the
18  *    documentation and/or other materials provided with the distribution.
19  *
20  * 3. Neither the name of the Institute nor the names of its contributors
21  *    may be used to endorse or promote products derived from this software
22  *    without specific prior written permission.
23  *
24  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
25  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
28  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34  * SUCH DAMAGE.
35  */
36
37 #include <stdio.h>
38 #include "cryptlib.h"
39 #include <openssl/conf.h>
40 #include <openssl/x509v3.h>
41
42 static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext,
43         BIO *out, int indent);
44 static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
45         X509V3_CTX *ctx, char *str);
46
47 const X509V3_EXT_METHOD v3_pci =
48         { NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION),
49           0,0,0,0,
50           0,0,
51           NULL, NULL,
52           (X509V3_EXT_I2R)i2r_pci,
53           (X509V3_EXT_R2I)r2i_pci,
54           NULL,
55         };
56
57 static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci,
58         BIO *out, int indent)
59         {
60         BIO_printf(out, "%*sPath Length Constraint: ", indent, "");
61         if (pci->pcPathLengthConstraint)
62           i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint);
63         else
64           BIO_printf(out, "infinite");
65         BIO_puts(out, "\n");
66         BIO_printf(out, "%*sPolicy Language: ", indent, "");
67         i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
68         BIO_puts(out, "\n");
69         if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
70           BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
71                      pci->proxyPolicy->policy->data);
72         return 1;
73         }
74
75 static int process_pci_value(CONF_VALUE *val,
76         ASN1_OBJECT **language, ASN1_INTEGER **pathlen,
77         ASN1_OCTET_STRING **policy)
78         {
79         int free_policy = 0;
80
81         if (strcmp(val->name, "language") == 0)
82                 {
83                 if (*language)
84                         {
85                         X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED);
86                         X509V3_conf_err(val);
87                         return 0;
88                         }
89                 if (!(*language = OBJ_txt2obj(val->value, 0)))
90                         {
91                         X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INVALID_OBJECT_IDENTIFIER);
92                         X509V3_conf_err(val);
93                         return 0;
94                         }
95                 }
96         else if (strcmp(val->name, "pathlen") == 0)
97                 {
98                 if (*pathlen)
99                         {
100                         X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED);
101                         X509V3_conf_err(val);
102                         return 0;
103                         }
104                 if (!X509V3_get_value_int(val, pathlen))
105                         {
106                         X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH);
107                         X509V3_conf_err(val);
108                         return 0;
109                         }
110                 }
111         else if (strcmp(val->name, "policy") == 0)
112                 {
113                 unsigned char *tmp_data = NULL;
114                 long val_len;
115                 if (!*policy)
116                         {
117                         *policy = ASN1_OCTET_STRING_new();
118                         if (!*policy)
119                                 {
120                                 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
121                                 X509V3_conf_err(val);
122                                 return 0;
123                                 }
124                         free_policy = 1;
125                         }
126                 if (strncmp(val->value, "hex:", 4) == 0)
127                         {
128                         unsigned char *tmp_data2 =
129                                 string_to_hex(val->value + 4, &val_len);
130
131                         if (!tmp_data2) goto err;
132
133                         tmp_data = OPENSSL_realloc((*policy)->data,
134                                 (*policy)->length + val_len + 1);
135                         if (tmp_data)
136                                 {
137                                 (*policy)->data = tmp_data;
138                                 memcpy(&(*policy)->data[(*policy)->length],
139                                         tmp_data2, val_len);
140                                 (*policy)->length += val_len;
141                                 (*policy)->data[(*policy)->length] = '\0';
142                                 }
143                         }
144                 else if (strncmp(val->value, "file:", 5) == 0)
145                         {
146                         unsigned char buf[2048];
147                         int n;
148                         BIO *b = BIO_new_file(val->value + 5, "r");
149                         if (!b)
150                                 {
151                                 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB);
152                                 X509V3_conf_err(val);
153                                 goto err;
154                                 }
155                         while((n = BIO_read(b, buf, sizeof(buf))) > 0
156                                 || (n == 0 && BIO_should_retry(b)))
157                                 {
158                                 if (!n) continue;
159
160                                 tmp_data = OPENSSL_realloc((*policy)->data,
161                                         (*policy)->length + n + 1);
162
163                                 if (!tmp_data)
164                                         break;
165
166                                 (*policy)->data = tmp_data;
167                                 memcpy(&(*policy)->data[(*policy)->length],
168                                         buf, n);
169                                 (*policy)->length += n;
170                                 (*policy)->data[(*policy)->length] = '\0';
171                                 }
172
173                         if (n < 0)
174                                 {
175                                 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB);
176                                 X509V3_conf_err(val);
177                                 goto err;
178                                 }
179                         }
180                 else if (strncmp(val->value, "text:", 5) == 0)
181                         {
182                         val_len = strlen(val->value + 5);
183                         tmp_data = OPENSSL_realloc((*policy)->data,
184                                 (*policy)->length + val_len + 1);
185                         if (tmp_data)
186                                 {
187                                 (*policy)->data = tmp_data;
188                                 memcpy(&(*policy)->data[(*policy)->length],
189                                         val->value + 5, val_len);
190                                 (*policy)->length += val_len;
191                                 (*policy)->data[(*policy)->length] = '\0';
192                                 }
193                         }
194                 else
195                         {
196                         X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);
197                         X509V3_conf_err(val);
198                         goto err;
199                         }
200                 if (!tmp_data)
201                         {
202                         X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
203                         X509V3_conf_err(val);
204                         goto err;
205                         }
206                 }
207         return 1;
208 err:
209         if (free_policy)
210                 {
211                 ASN1_OCTET_STRING_free(*policy);
212                 *policy = NULL;
213                 }
214         return 0;
215         }
216
217 static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
218         X509V3_CTX *ctx, char *value)
219         {
220         PROXY_CERT_INFO_EXTENSION *pci = NULL;
221         STACK_OF(CONF_VALUE) *vals;
222         ASN1_OBJECT *language = NULL;
223         ASN1_INTEGER *pathlen = NULL;
224         ASN1_OCTET_STRING *policy = NULL;
225         int i, j;
226
227         vals = X509V3_parse_list(value);
228         for (i = 0; i < sk_CONF_VALUE_num(vals); i++)
229                 {
230                 CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);
231                 if (!cnf->name || (*cnf->name != '@' && !cnf->value))
232                         {
233                         X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_PROXY_POLICY_SETTING);
234                         X509V3_conf_err(cnf);
235                         goto err;
236                         }
237                 if (*cnf->name == '@')
238                         {
239                         STACK_OF(CONF_VALUE) *sect;
240                         int success_p = 1;
241
242                         sect = X509V3_get_section(ctx, cnf->name + 1);
243                         if (!sect)
244                                 {
245                                 X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_SECTION);
246                                 X509V3_conf_err(cnf);
247                                 goto err;
248                                 }
249                         for (j = 0; success_p && j < sk_CONF_VALUE_num(sect); j++)
250                                 {
251                                 success_p =
252                                         process_pci_value(sk_CONF_VALUE_value(sect, j),
253                                                 &language, &pathlen, &policy);
254                                 }
255                         X509V3_section_free(ctx, sect);
256                         if (!success_p)
257                                 goto err;
258                         }
259                 else
260                         {
261                         if (!process_pci_value(cnf,
262                                         &language, &pathlen, &policy))
263                                 {
264                                 X509V3_conf_err(cnf);
265                                 goto err;
266                                 }
267                         }
268                 }
269
270         /* Language is mandatory */
271         if (!language)
272                 {
273                 X509V3err(X509V3_F_R2I_PCI,X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED);
274                 goto err;
275                 }
276         i = OBJ_obj2nid(language);
277         if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy)
278                 {
279                 X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY);
280                 goto err;
281                 }
282
283         pci = PROXY_CERT_INFO_EXTENSION_new();
284         if (!pci)
285                 {
286                 X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE);
287                 goto err;
288                 }
289
290         pci->proxyPolicy->policyLanguage = language; language = NULL;
291         pci->proxyPolicy->policy = policy; policy = NULL;
292         pci->pcPathLengthConstraint = pathlen; pathlen = NULL;
293         goto end;
294 err:
295         if (language) { ASN1_OBJECT_free(language); language = NULL; }
296         if (pathlen) { ASN1_INTEGER_free(pathlen); pathlen = NULL; }
297         if (policy) { ASN1_OCTET_STRING_free(policy); policy = NULL; }
298         if (pci) { PROXY_CERT_INFO_EXTENSION_free(pci); pci = NULL; }
299 end:
300         sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
301         return pci;
302         }