Support for policy constraints.

diff --git a/CHANGES b/CHANGES
index a03875767c533fd2d1d5d4bfaea22790e0c153d5..1cea4962c92ae932a2f5ba945d4e049d15b74960 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,9 @@
 
  Changes between 0.9.7a and 0.9.8  [xx XXX xxxx]
 
+  *) Support for policyConstraints certificate extension.
+     [Steve Henson]
+
   *) Support for policyMappings certificate extension.
      [Steve Henson]
 

diff --git a/crypto/x509v3/Makefile.ssl b/crypto/x509v3/Makefile.ssl
index a353fec25b7315eaef59e57dacbe69882c5c1a8a..3167b8ba3e7cab98fb666d9f772c9d6e70973055 100644 (file)
--- a/crypto/x509v3/Makefile.ssl
+++ b/crypto/x509v3/Makefile.ssl
@@ -26,11 +26,11 @@ LIB=$(TOP)/libcrypto.a
 LIBSRC=        v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c v3_lib.c \
 v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c v3_pku.c \
 v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \
-v3_ocsp.c v3_akeya.c v3_pmaps.c
+v3_ocsp.c v3_akeya.c v3_pmaps.c v3_pcons.c
 LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \
 v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \
 v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o v3_purp.o v3_info.o \
-v3_ocsp.o v3_akeya.o v3_pmaps.o
+v3_ocsp.o v3_akeya.o v3_pmaps.o v3_pcons.o
 
 SRC= $(LIBSRC)
 

diff --git a/crypto/x509v3/ext_dat.h b/crypto/x509v3/ext_dat.h
index 4c801c2c1d367ae76008b236ec9a3c4cee8cd7aa..1e005c229c5b3750b261a6d058ec292e7db4c296 100644 (file)
--- a/crypto/x509v3/ext_dat.h
+++ b/crypto/x509v3/ext_dat.h
@@ -64,7 +64,7 @@ extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate, v3_cpols, v3
 extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
 extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
 extern X509V3_EXT_METHOD v3_crl_hold;
-extern X509V3_EXT_METHOD v3_policy_mappings;
+extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
 
 /* This table will be searched using OBJ_bsearch so it *must* kept in
  * order of the ext_nid values.
@@ -105,6 +105,7 @@ static X509V3_EXT_METHOD *standard_exts[] = {
 &v3_ocsp_serviceloc,
 #endif
 &v3_sinfo,
+&v3_policy_constraints,
 #ifndef OPENSSL_NO_OCSP
 &v3_crl_hold,
 #endif

diff --git a/crypto/x509v3/v3_conf.c b/crypto/x509v3/v3_conf.c
index eeb365b081e516fb6f04de2608867b3eba9ad866..7e813db0d79e83eccc5c05b24df915b7aa943255 100644 (file)
--- a/crypto/x509v3/v3_conf.c
+++ b/crypto/x509v3/v3_conf.c
@@ -134,7 +134,7 @@ static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
                {
                if(*value == '@') nval = NCONF_get_section(conf, value + 1);
                else nval = X509V3_parse_list(value);
-               if(!nval)
+               if(sk_CONF_VALUE_num(nval) <= 0)
                        {
                        X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_INVALID_EXTENSION_STRING);
                        ERR_add_error_data(4, "name=", OBJ_nid2sn(ext_nid), ",section=", value);

diff --git a/crypto/x509v3/v3_pcons.c b/crypto/x509v3/v3_pcons.c
new file mode 100644 (file)
index 0000000..10d2120
--- /dev/null
+++ b/crypto/x509v3/v3_pcons.c
@@ -0,0 +1,136 @@
+/* v3_pcons.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static STACK_OF(CONF_VALUE) *i2v_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,
+                               void *bcons, STACK_OF(CONF_VALUE) *extlist);
+static void *v2i_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,
+                               X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
+
+X509V3_EXT_METHOD v3_policy_constraints = {
+NID_policy_constraints, 0,
+ASN1_ITEM_ref(POLICY_CONSTRAINTS),
+0,0,0,0,
+0,0,
+i2v_POLICY_CONSTRAINTS,
+v2i_POLICY_CONSTRAINTS,
+NULL,NULL,
+NULL
+};
+
+ASN1_SEQUENCE(POLICY_CONSTRAINTS) = {
+       ASN1_OPT(POLICY_CONSTRAINTS, requireExplicitPolicy, ASN1_INTEGER),
+       ASN1_OPT(POLICY_CONSTRAINTS, inhibitPolicyMapping, ASN1_INTEGER)
+} ASN1_SEQUENCE_END(POLICY_CONSTRAINTS)
+
+IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
+
+
+static STACK_OF(CONF_VALUE) *i2v_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,
+            void *a, STACK_OF(CONF_VALUE) *extlist)
+{
+       POLICY_CONSTRAINTS *pcons = a;
+       X509V3_add_value_int("Require Explicit Policy",
+                       pcons->requireExplicitPolicy, &extlist);
+       X509V3_add_value_int("Inhibit Policy Mapping",
+                       pcons->inhibitPolicyMapping, &extlist);
+       return extlist;
+}
+
+static void *v2i_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,
+            X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values)
+{
+       POLICY_CONSTRAINTS *pcons=NULL;
+       CONF_VALUE *val;
+       int i;
+       if(!(pcons = POLICY_CONSTRAINTS_new())) {
+               X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
+               return NULL;
+       }
+       for(i = 0; i < sk_CONF_VALUE_num(values); i++) {
+               val = sk_CONF_VALUE_value(values, i);
+               if(!strcmp(val->name, "requireExplicitPolicy")) {
+                       if(!X509V3_get_value_int(val,
+                               &pcons->requireExplicitPolicy)) goto err;
+               } else if(!strcmp(val->name, "inhibitPolicyMapping")) {
+                       if(!X509V3_get_value_int(val,
+                               &pcons->inhibitPolicyMapping)) goto err;
+               } else {
+                       X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, X509V3_R_INVALID_NAME);
+                       X509V3_conf_err(val);
+                       goto err;
+               }
+       }
+       if (!pcons->inhibitPolicyMapping && !pcons->requireExplicitPolicy) {
+               X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, X509V3_R_ILLEGAL_EMPTY_EXTENSION);
+               goto err;
+       }
+
+       return pcons;
+       err:
+       POLICY_CONSTRAINTS_free(pcons);
+       return NULL;
+}
+

diff --git a/crypto/x509v3/v3err.c b/crypto/x509v3/v3err.c
index 80b821dda161dfb101ba55b217303d377a2549b4..a4c8e59ef1077fb2e818cc1bc69224504b3bba62 100644 (file)
--- a/crypto/x509v3/v3err.c
+++ b/crypto/x509v3/v3err.c
@@ -98,6 +98,7 @@ static ERR_STRING_DATA X509V3_str_functs[]=
 {ERR_PACK(0,X509V3_F_V2I_EXT_KU,0),    "V2I_EXT_KU"},
 {ERR_PACK(0,X509V3_F_V2I_GENERAL_NAME,0),      "v2i_GENERAL_NAME"},
 {ERR_PACK(0,X509V3_F_V2I_GENERAL_NAMES,0),     "v2i_GENERAL_NAMES"},
+{ERR_PACK(0,X509V3_F_V2I_POLICY_CONSTRAINTS,0),        "V2I_POLICY_CONSTRAINTS"},
 {ERR_PACK(0,X509V3_F_V2I_POLICY_MAPPINGS,0),   "V2I_POLICY_MAPPINGS"},
 {ERR_PACK(0,X509V3_F_V3_GENERIC_EXTENSION,0),  "V3_GENERIC_EXTENSION"},
 {ERR_PACK(0,X509V3_F_X509V3_ADD_I2D,0),        "X509V3_ADD_I2D"},
@@ -132,6 +133,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {X509V3_R_EXTENSION_NOT_FOUND            ,"extension not found"},
 {X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED,"extension setting not supported"},
 {X509V3_R_EXTENSION_VALUE_ERROR          ,"extension value error"},
+{X509V3_R_ILLEGAL_EMPTY_EXTENSION        ,"illegal empty extension"},
 {X509V3_R_ILLEGAL_HEX_DIGIT              ,"illegal hex digit"},
 {X509V3_R_INVALID_BOOLEAN_STRING         ,"invalid boolean string"},
 {X509V3_R_INVALID_EXTENSION_STRING       ,"invalid extension string"},

diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h
index 2cbe1b96325b7a61eb9e5ea29924837a4ec4f17d..65c74cbff73b86085dac9c045a3da0892c5a7d9b 100644 (file)
--- a/crypto/x509v3/x509v3.h
+++ b/crypto/x509v3/x509v3.h
@@ -295,6 +295,11 @@ DECLARE_STACK_OF(POLICY_MAPPING)
 
 typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS;
 
+typedef struct POLICY_CONSTRAINTS_st {
+       ASN1_INTEGER *requireExplicitPolicy;
+       ASN1_INTEGER *inhibitPolicyMapping;
+} POLICY_CONSTRAINTS;
+
 #define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \
 ",name:", val->name, ",value:", val->value);
 
@@ -468,6 +473,9 @@ DECLARE_ASN1_ITEM(POLICY_MAPPING)
 DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING)
 DECLARE_ASN1_ITEM(POLICY_MAPPINGS)
 
+DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
+DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS)
+
 #ifdef HEADER_CONF_H
 GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, CONF_VALUE *cnf);
 void X509V3_conf_free(CONF_VALUE *val);
@@ -605,6 +613,7 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_F_V2I_EXT_KU                             103
 #define X509V3_F_V2I_GENERAL_NAME                       117
 #define X509V3_F_V2I_GENERAL_NAMES                      118
+#define X509V3_F_V2I_POLICY_CONSTRAINTS                         146
 #define X509V3_F_V2I_POLICY_MAPPINGS                    145
 #define X509V3_F_V3_GENERIC_EXTENSION                   116
 #define X509V3_F_X509V3_ADD_I2D                                 140
@@ -636,6 +645,7 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_R_EXTENSION_NOT_FOUND                    102
 #define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED        103
 #define X509V3_R_EXTENSION_VALUE_ERROR                  116
+#define X509V3_R_ILLEGAL_EMPTY_EXTENSION                151
 #define X509V3_R_ILLEGAL_HEX_DIGIT                      113
 #define X509V3_R_INVALID_BOOLEAN_STRING                         104
 #define X509V3_R_INVALID_EXTENSION_STRING               105