1 /* v3_conf.c */
2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5 /* ====================================================================
6 * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com). */
56
57 /* extension creation utilities */
58
59 #include <stdio.h>
60 #include <ctype.h>
61
62 #include <openssl/conf.h>
63 #include <openssl/err.h>
64 #include <openssl/mem.h>
65 #include <openssl/obj.h>
66 #include <openssl/x509.h>
67 #include <openssl/x509v3.h>
68
69
70 static int v3_check_critical(char **value);
71 static int v3_check_generic(char **value);
72 static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, int crit, char *value);
73 static X509_EXTENSION *v3_generic_extension(const char *ext, char *value, int crit, int type, X509V3_CTX *ctx);
74 static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,
75 int crit, void *ext_struc);
76 static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len);
77 /* CONF *conf: Config file */
78 /* char *name: Name */
79 /* char *value: Value */
X509V3_EXT_nconf(CONF * conf,X509V3_CTX * ctx,char * name,char * value)80 X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name,
81 char *value)
82 {
83 int crit;
84 int ext_type;
85 X509_EXTENSION *ret;
86 crit = v3_check_critical(&value);
87 if ((ext_type = v3_check_generic(&value)))
88 return v3_generic_extension(name, value, crit, ext_type, ctx);
89 ret = do_ext_nconf(conf, ctx, OBJ_sn2nid(name), crit, value);
90 if (!ret)
91 {
92 OPENSSL_PUT_ERROR(X509V3, X509V3_EXT_nconf, X509V3_R_ERROR_IN_EXTENSION);
93 ERR_add_error_data(4,"name=", name, ", value=", value);
94 }
95 return ret;
96 }
97
98 /* CONF *conf: Config file */
99 /* char *value: Value */
X509V3_EXT_nconf_nid(CONF * conf,X509V3_CTX * ctx,int ext_nid,char * value)100 X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
101 char *value)
102 {
103 int crit;
104 int ext_type;
105 crit = v3_check_critical(&value);
106 if ((ext_type = v3_check_generic(&value)))
107 return v3_generic_extension(OBJ_nid2sn(ext_nid),
108 value, crit, ext_type, ctx);
109 return do_ext_nconf(conf, ctx, ext_nid, crit, value);
110 }
111
112 /* CONF *conf: Config file */
113 /* char *value: Value */
do_ext_nconf(CONF * conf,X509V3_CTX * ctx,int ext_nid,int crit,char * value)114 static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
115 int crit, char *value)
116 {
117 const X509V3_EXT_METHOD *method;
118 X509_EXTENSION *ext;
119 STACK_OF(CONF_VALUE) *nval;
120 void *ext_struc;
121 if (ext_nid == NID_undef)
122 {
123 OPENSSL_PUT_ERROR(X509V3, do_ext_nconf, X509V3_R_UNKNOWN_EXTENSION_NAME);
124 return NULL;
125 }
126 if (!(method = X509V3_EXT_get_nid(ext_nid)))
127 {
128 OPENSSL_PUT_ERROR(X509V3, do_ext_nconf, X509V3_R_UNKNOWN_EXTENSION);
129 return NULL;
130 }
131 /* Now get internal extension representation based on type */
132 if (method->v2i)
133 {
134 if(*value == '@') nval = NCONF_get_section(conf, value + 1);
135 else nval = X509V3_parse_list(value);
136 if(sk_CONF_VALUE_num(nval) <= 0)
137 {
138 OPENSSL_PUT_ERROR(X509V3, do_ext_nconf, X509V3_R_INVALID_EXTENSION_STRING);
139 ERR_add_error_data(4, "name=", OBJ_nid2sn(ext_nid), ",section=", value);
140 return NULL;
141 }
142 ext_struc = method->v2i(method, ctx, nval);
143 if(*value != '@') sk_CONF_VALUE_pop_free(nval,
144 X509V3_conf_free);
145 if(!ext_struc) return NULL;
146 }
147 else if(method->s2i)
148 {
149 if(!(ext_struc = method->s2i(method, ctx, value))) return NULL;
150 }
151 else if(method->r2i)
152 {
153 if(!ctx->db || !ctx->db_meth)
154 {
155 OPENSSL_PUT_ERROR(X509V3, do_ext_nconf, X509V3_R_NO_CONFIG_DATABASE);
156 return NULL;
157 }
158 if(!(ext_struc = method->r2i(method, ctx, value))) return NULL;
159 }
160 else
161 {
162 OPENSSL_PUT_ERROR(X509V3, do_ext_nconf, X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED);
163 ERR_add_error_data(2, "name=", OBJ_nid2sn(ext_nid));
164 return NULL;
165 }
166
167 ext = do_ext_i2d(method, ext_nid, crit, ext_struc);
168 if(method->it) ASN1_item_free(ext_struc, ASN1_ITEM_ptr(method->it));
169 else method->ext_free(ext_struc);
170 return ext;
171
172 }
173
do_ext_i2d(const X509V3_EXT_METHOD * method,int ext_nid,int crit,void * ext_struc)174 static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,
175 int crit, void *ext_struc)
176 {
177 unsigned char *ext_der;
178 int ext_len;
179 ASN1_OCTET_STRING *ext_oct;
180 X509_EXTENSION *ext;
181 /* Convert internal representation to DER */
182 if (method->it)
183 {
184 ext_der = NULL;
185 ext_len = ASN1_item_i2d(ext_struc, &ext_der, ASN1_ITEM_ptr(method->it));
186 if (ext_len < 0) goto merr;
187 }
188 else
189 {
190 unsigned char *p;
191 ext_len = method->i2d(ext_struc, NULL);
192 if(!(ext_der = OPENSSL_malloc(ext_len))) goto merr;
193 p = ext_der;
194 method->i2d(ext_struc, &p);
195 }
196 if (!(ext_oct = M_ASN1_OCTET_STRING_new())) goto merr;
197 ext_oct->data = ext_der;
198 ext_oct->length = ext_len;
199
200 ext = X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct);
201 if (!ext) goto merr;
202 M_ASN1_OCTET_STRING_free(ext_oct);
203
204 return ext;
205
206 merr:
207 OPENSSL_PUT_ERROR(X509V3, do_ext_i2d, ERR_R_MALLOC_FAILURE);
208 return NULL;
209
210 }
211
212 /* Given an internal structure, nid and critical flag create an extension */
213
X509V3_EXT_i2d(int ext_nid,int crit,void * ext_struc)214 X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc)
215 {
216 const X509V3_EXT_METHOD *method;
217 if (!(method = X509V3_EXT_get_nid(ext_nid))) {
218 OPENSSL_PUT_ERROR(X509V3, X509V3_EXT_i2d, X509V3_R_UNKNOWN_EXTENSION);
219 return NULL;
220 }
221 return do_ext_i2d(method, ext_nid, crit, ext_struc);
222 }
223
224 /* Check the extension string for critical flag */
v3_check_critical(char ** value)225 static int v3_check_critical(char **value)
226 {
227 char *p = *value;
228 if ((strlen(p) < 9) || strncmp(p, "critical,", 9)) return 0;
229 p+=9;
230 while(isspace((unsigned char)*p)) p++;
231 *value = p;
232 return 1;
233 }
234
235 /* Check extension string for generic extension and return the type */
v3_check_generic(char ** value)236 static int v3_check_generic(char **value)
237 {
238 int gen_type = 0;
239 char *p = *value;
240 if ((strlen(p) >= 4) && !strncmp(p, "DER:", 4))
241 {
242 p+=4;
243 gen_type = 1;
244 }
245 else if ((strlen(p) >= 5) && !strncmp(p, "ASN1:", 5))
246 {
247 p+=5;
248 gen_type = 2;
249 }
250 else
251 return 0;
252
253 while (isspace((unsigned char)*p)) p++;
254 *value = p;
255 return gen_type;
256 }
257
258 /* Create a generic extension: for now just handle DER type */
v3_generic_extension(const char * ext,char * value,int crit,int gen_type,X509V3_CTX * ctx)259 static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
260 int crit, int gen_type,
261 X509V3_CTX *ctx)
262 {
263 unsigned char *ext_der=NULL;
264 long ext_len;
265 ASN1_OBJECT *obj=NULL;
266 ASN1_OCTET_STRING *oct=NULL;
267 X509_EXTENSION *extension=NULL;
268 if (!(obj = OBJ_txt2obj(ext, 0)))
269 {
270 OPENSSL_PUT_ERROR(X509V3, v3_generic_extension, X509V3_R_EXTENSION_NAME_ERROR);
271 ERR_add_error_data(2, "name=", ext);
272 goto err;
273 }
274
275 if (gen_type == 1)
276 ext_der = string_to_hex(value, &ext_len);
277 else if (gen_type == 2)
278 ext_der = generic_asn1(value, ctx, &ext_len);
279
280 if (ext_der == NULL)
281 {
282 OPENSSL_PUT_ERROR(X509V3, v3_generic_extension, X509V3_R_EXTENSION_VALUE_ERROR);
283 ERR_add_error_data(2, "value=", value);
284 goto err;
285 }
286
287 if (!(oct = M_ASN1_OCTET_STRING_new()))
288 {
289 OPENSSL_PUT_ERROR(X509V3, v3_generic_extension, ERR_R_MALLOC_FAILURE);
290 goto err;
291 }
292
293 oct->data = ext_der;
294 oct->length = ext_len;
295 ext_der = NULL;
296
297 extension = X509_EXTENSION_create_by_OBJ(NULL, obj, crit, oct);
298
299 err:
300 ASN1_OBJECT_free(obj);
301 M_ASN1_OCTET_STRING_free(oct);
302 if(ext_der) OPENSSL_free(ext_der);
303 return extension;
304
305 }
306
generic_asn1(char * value,X509V3_CTX * ctx,long * ext_len)307 static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len)
308 {
309 ASN1_TYPE *typ;
310 unsigned char *ext_der = NULL;
311 typ = ASN1_generate_v3(value, ctx);
312 if (typ == NULL)
313 return NULL;
314 *ext_len = i2d_ASN1_TYPE(typ, &ext_der);
315 ASN1_TYPE_free(typ);
316 return ext_der;
317 }
318
319 /* This is the main function: add a bunch of extensions based on a config file
320 * section to an extension STACK.
321 */
322
323
X509V3_EXT_add_nconf_sk(CONF * conf,X509V3_CTX * ctx,char * section,STACK_OF (X509_EXTENSION)** sk)324 int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section,
325 STACK_OF(X509_EXTENSION) **sk)
326 {
327 X509_EXTENSION *ext;
328 STACK_OF(CONF_VALUE) *nval;
329 CONF_VALUE *val;
330 size_t i;
331 if (!(nval = NCONF_get_section(conf, section))) return 0;
332 for (i = 0; i < sk_CONF_VALUE_num(nval); i++)
333 {
334 val = sk_CONF_VALUE_value(nval, i);
335 if (!(ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value)))
336 return 0;
337 if (sk) X509v3_add_ext(sk, ext, -1);
338 X509_EXTENSION_free(ext);
339 }
340 return 1;
341 }
342
343 /* Convenience functions to add extensions to a certificate, CRL and request */
344
X509V3_EXT_add_nconf(CONF * conf,X509V3_CTX * ctx,char * section,X509 * cert)345 int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
346 X509 *cert)
347 {
348 STACK_OF(X509_EXTENSION) **sk = NULL;
349 if (cert)
350 sk = &cert->cert_info->extensions;
351 return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
352 }
353
354 /* Same as above but for a CRL */
355
X509V3_EXT_CRL_add_nconf(CONF * conf,X509V3_CTX * ctx,char * section,X509_CRL * crl)356 int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
357 X509_CRL *crl)
358 {
359 STACK_OF(X509_EXTENSION) **sk = NULL;
360 if (crl)
361 sk = &crl->crl->extensions;
362 return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
363 }
364
365 /* Add extensions to certificate request */
366
X509V3_EXT_REQ_add_nconf(CONF * conf,X509V3_CTX * ctx,char * section,X509_REQ * req)367 int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
368 X509_REQ *req)
369 {
370 STACK_OF(X509_EXTENSION) *extlist = NULL, **sk = NULL;
371 int i;
372 if (req)
373 sk = &extlist;
374 i = X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
375 if (!i || !sk)
376 return i;
377 i = X509_REQ_add_extensions(req, extlist);
378 sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free);
379 return i;
380 }
381
382 /* Config database functions */
383
X509V3_get_string(X509V3_CTX * ctx,char * name,char * section)384 char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section)
385 {
386 if(!ctx->db || !ctx->db_meth || !ctx->db_meth->get_string)
387 {
388 OPENSSL_PUT_ERROR(X509V3, X509V3_get_string, X509V3_R_OPERATION_NOT_DEFINED);
389 return NULL;
390 }
391 if (ctx->db_meth->get_string)
392 return ctx->db_meth->get_string(ctx->db, name, section);
393 return NULL;
394 }
395
STACK_OF(CONF_VALUE)396 STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section)
397 {
398 if(!ctx->db || !ctx->db_meth || !ctx->db_meth->get_section)
399 {
400 OPENSSL_PUT_ERROR(X509V3, X509V3_get_section, X509V3_R_OPERATION_NOT_DEFINED);
401 return NULL;
402 }
403 if (ctx->db_meth->get_section)
404 return ctx->db_meth->get_section(ctx->db, section);
405 return NULL;
406 }
407
X509V3_string_free(X509V3_CTX * ctx,char * str)408 void X509V3_string_free(X509V3_CTX *ctx, char *str)
409 {
410 if (!str) return;
411 if (ctx->db_meth->free_string)
412 ctx->db_meth->free_string(ctx->db, str);
413 }
414
X509V3_section_free(X509V3_CTX * ctx,STACK_OF (CONF_VALUE)* section)415 void X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section)
416 {
417 if (!section) return;
418 if (ctx->db_meth->free_section)
419 ctx->db_meth->free_section(ctx->db, section);
420 }
421
nconf_get_string(void * db,char * section,char * value)422 static char *nconf_get_string(void *db, char *section, char *value)
423 {
424 /* TODO(fork): this should return a const value. */
425 return (char *) NCONF_get_string(db, section, value);
426 }
427
STACK_OF(CONF_VALUE)428 static STACK_OF(CONF_VALUE) *nconf_get_section(void *db, char *section)
429 {
430 return NCONF_get_section(db, section);
431 }
432
433 static X509V3_CONF_METHOD nconf_method = {
434 nconf_get_string,
435 nconf_get_section,
436 NULL,
437 NULL
438 };
439
X509V3_set_nconf(X509V3_CTX * ctx,CONF * conf)440 void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf)
441 {
442 ctx->db_meth = &nconf_method;
443 ctx->db = conf;
444 }
445
X509V3_set_ctx(X509V3_CTX * ctx,X509 * issuer,X509 * subj,X509_REQ * req,X509_CRL * crl,int flags)446 void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
447 X509_CRL *crl, int flags)
448 {
449 ctx->issuer_cert = issuer;
450 ctx->subject_cert = subj;
451 ctx->crl = crl;
452 ctx->subject_req = req;
453 ctx->flags = flags;
454 }
455
456 /* TODO(fork): remove */
457 #if 0
458 /* Old conf compatibility functions */
459
460 X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
461 char *name, char *value)
462 {
463 CONF ctmp;
464 CONF_set_nconf(&ctmp, conf);
465 return X509V3_EXT_nconf(&ctmp, ctx, name, value);
466 }
467
468 /* LHASH *conf: Config file */
469 /* char *value: Value */
470 X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
471 int ext_nid, char *value)
472 {
473 CONF ctmp;
474 CONF_set_nconf(&ctmp, conf);
475 return X509V3_EXT_nconf_nid(&ctmp, ctx, ext_nid, value);
476 }
477
478 static char *conf_lhash_get_string(void *db, char *section, char *value)
479 {
480 return CONF_get_string(db, section, value);
481 }
482
483 static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section)
484 {
485 return CONF_get_section(db, section);
486 }
487
488 static X509V3_CONF_METHOD conf_lhash_method = {
489 conf_lhash_get_string,
490 conf_lhash_get_section,
491 NULL,
492 NULL
493 };
494
495 void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash)
496 {
497 ctx->db_meth = &conf_lhash_method;
498 ctx->db = lhash;
499 }
500
501 int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
502 char *section, X509 *cert)
503 {
504 CONF ctmp;
505 CONF_set_nconf(&ctmp, conf);
506 return X509V3_EXT_add_nconf(&ctmp, ctx, section, cert);
507 }
508
509 /* Same as above but for a CRL */
510
511 int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
512 char *section, X509_CRL *crl)
513 {
514 CONF ctmp;
515 CONF_set_nconf(&ctmp, conf);
516 return X509V3_EXT_CRL_add_nconf(&ctmp, ctx, section, crl);
517 }
518
519 /* Add extensions to certificate request */
520
521 int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
522 char *section, X509_REQ *req)
523 {
524 CONF ctmp;
525 CONF_set_nconf(&ctmp, conf);
526 return X509V3_EXT_REQ_add_nconf(&ctmp, ctx, section, req);
527 }
528 #endif
529