v3_pci.c revision 259065 
1231071Sed/* v3_pci.c -*- mode:C; c-file-style: "eay" -*- */
2231071Sed/* Contributed to the OpenSSL Project 2004
3231071Sed * by Richard Levitte (richard@levitte.org)
4231071Sed */
5231071Sed/* Copyright (c) 2004 Kungliga Tekniska H�gskolan
6231071Sed * (Royal Institute of Technology, Stockholm, Sweden).
7231071Sed * All rights reserved.
8231071Sed *
9231071Sed * Redistribution and use in source and binary forms, with or without
10231071Sed * modification, are permitted provided that the following conditions
11231071Sed * are met:
12231071Sed *
13231071Sed * 1. Redistributions of source code must retain the above copyright
14231071Sed *    notice, this list of conditions and the following disclaimer.
15231071Sed *
16231071Sed * 2. Redistributions in binary form must reproduce the above copyright
17231071Sed *    notice, this list of conditions and the following disclaimer in the
18231071Sed *    documentation and/or other materials provided with the distribution.
19231071Sed *
20231071Sed * 3. Neither the name of the Institute nor the names of its contributors
21231071Sed *    may be used to endorse or promote products derived from this software
22231071Sed *    without specific prior written permission.
23231071Sed *
24231071Sed * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
25231071Sed * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26231071Sed * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27231071Sed * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
28231071Sed * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29231071Sed * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30231071Sed * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31231071Sed * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32231071Sed * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33231071Sed * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34231071Sed * SUCH DAMAGE.
35231071Sed */
36231071Sed
37231071Sed#include <stdio.h>
38231071Sed#include "cryptlib.h"
39231071Sed#include <openssl/conf.h>
40231071Sed#include <openssl/x509v3.h>
41231071Sed
42231071Sedstatic int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext,
43231071Sed	BIO *out, int indent);
44231071Sedstatic PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
45231071Sed	X509V3_CTX *ctx, char *str);
46231071Sed
47231071Sedconst X509V3_EXT_METHOD v3_pci =
48231071Sed	{ NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION),
49231071Sed	  0,0,0,0,
50231071Sed	  0,0,
51231071Sed	  NULL, NULL,
52231071Sed	  (X509V3_EXT_I2R)i2r_pci,
53231071Sed	  (X509V3_EXT_R2I)r2i_pci,
54231071Sed	  NULL,
55231071Sed	};
56231071Sed
57231071Sedstatic int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci,
58231071Sed	BIO *out, int indent)
59231071Sed	{
60231071Sed	BIO_printf(out, "%*sPath Length Constraint: ", indent, "");
61231071Sed	if (pci->pcPathLengthConstraint)
62231071Sed	  i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint);
63231071Sed	else
64231071Sed	  BIO_printf(out, "infinite");
65231071Sed	BIO_puts(out, "\n");
66231071Sed	BIO_printf(out, "%*sPolicy Language: ", indent, "");
67231071Sed	i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
68231071Sed	BIO_puts(out, "\n");
69231071Sed	if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
70231071Sed	  BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
71231071Sed		     pci->proxyPolicy->policy->data);
72231071Sed	return 1;
73231071Sed	}
74231071Sed
75231071Sedstatic int process_pci_value(CONF_VALUE *val,
76231071Sed	ASN1_OBJECT **language, ASN1_INTEGER **pathlen,
77231071Sed	ASN1_OCTET_STRING **policy)
78231071Sed	{
79231071Sed	int free_policy = 0;
80231071Sed
81231071Sed	if (strcmp(val->name, "language") == 0)
82231071Sed		{
83231071Sed		if (*language)
84231071Sed			{
85231071Sed			X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED);
86231071Sed			X509V3_conf_err(val);
87231071Sed			return 0;
88231071Sed			}
89231071Sed		if (!(*language = OBJ_txt2obj(val->value, 0)))
90231071Sed			{
91231071Sed			X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INVALID_OBJECT_IDENTIFIER);
92231071Sed			X509V3_conf_err(val);
93231071Sed			return 0;
94231071Sed			}
95231071Sed		}
96231071Sed	else if (strcmp(val->name, "pathlen") == 0)
97231071Sed		{
98231071Sed		if (*pathlen)
99231071Sed			{
100231071Sed			X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED);
101231071Sed			X509V3_conf_err(val);
102231071Sed			return 0;
103231071Sed			}
104231071Sed		if (!X509V3_get_value_int(val, pathlen))
105231071Sed			{
106231071Sed			X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH);
107231071Sed			X509V3_conf_err(val);
108231071Sed			return 0;
109231071Sed			}
110231071Sed		}
111231071Sed	else if (strcmp(val->name, "policy") == 0)
112231071Sed		{
113231098Sed		unsigned char *tmp_data = NULL;
114231071Sed		long val_len;
115231098Sed		if (!*policy)
116231098Sed			{
117231098Sed			*policy = ASN1_OCTET_STRING_new();
118231098Sed			if (!*policy)
119231098Sed				{
120231098Sed				X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
121231098Sed				X509V3_conf_err(val);
122231098Sed				return 0;
123231098Sed				}
124231098Sed			free_policy = 1;
125231098Sed			}
126231098Sed		if (strncmp(val->value, "hex:", 4) == 0)
127231071Sed			{
128231071Sed			unsigned char *tmp_data2 =
129231071Sed				string_to_hex(val->value + 4, &val_len);
130231071Sed
131231071Sed			if (!tmp_data2)
132231071Sed				{
133231071Sed				X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_ILLEGAL_HEX_DIGIT);
134231071Sed				X509V3_conf_err(val);
135231071Sed				goto err;
136231071Sed				}
137231071Sed
138231071Sed			tmp_data = OPENSSL_realloc((*policy)->data,
139231071Sed				(*policy)->length + val_len + 1);
140231071Sed			if (tmp_data)
141231071Sed				{
142231071Sed				(*policy)->data = tmp_data;
143231071Sed				memcpy(&(*policy)->data[(*policy)->length],
144231071Sed					tmp_data2, val_len);
145231071Sed				(*policy)->length += val_len;
146231071Sed				(*policy)->data[(*policy)->length] = '\0';
147231071Sed				}
148231071Sed			else
149231071Sed				{
150231071Sed				OPENSSL_free(tmp_data2);
151231071Sed				/* realloc failure implies the original data space is b0rked too! */
152231071Sed				(*policy)->data = NULL;
153231071Sed				(*policy)->length = 0;
154231071Sed				X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
155231071Sed				X509V3_conf_err(val);
156231071Sed				goto err;
157231071Sed				}
158231071Sed			OPENSSL_free(tmp_data2);
159231071Sed			}
160231071Sed		else if (strncmp(val->value, "file:", 5) == 0)
161231071Sed			{
162231071Sed			unsigned char buf[2048];
163231071Sed			int n;
164231071Sed			BIO *b = BIO_new_file(val->value + 5, "r");
165231071Sed			if (!b)
166231071Sed				{
167231071Sed				X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB);
168231071Sed				X509V3_conf_err(val);
169231071Sed				goto err;
170231071Sed				}
171231071Sed			while((n = BIO_read(b, buf, sizeof(buf))) > 0
172231071Sed				|| (n == 0 && BIO_should_retry(b)))
173231071Sed				{
174231071Sed				if (!n) continue;
175231071Sed
176231071Sed				tmp_data = OPENSSL_realloc((*policy)->data,
177231071Sed					(*policy)->length + n + 1);
178231071Sed
179231071Sed				if (!tmp_data)
180231071Sed					break;
181
182				(*policy)->data = tmp_data;
183				memcpy(&(*policy)->data[(*policy)->length],
184					buf, n);
185				(*policy)->length += n;
186				(*policy)->data[(*policy)->length] = '\0';
187				}
188			BIO_free_all(b);
189
190			if (n < 0)
191				{
192				X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB);
193				X509V3_conf_err(val);
194				goto err;
195				}
196			}
197		else if (strncmp(val->value, "text:", 5) == 0)
198			{
199			val_len = strlen(val->value + 5);
200			tmp_data = OPENSSL_realloc((*policy)->data,
201				(*policy)->length + val_len + 1);
202			if (tmp_data)
203				{
204				(*policy)->data = tmp_data;
205				memcpy(&(*policy)->data[(*policy)->length],
206					val->value + 5, val_len);
207				(*policy)->length += val_len;
208				(*policy)->data[(*policy)->length] = '\0';
209				}
210			else
211				{
212				/* realloc failure implies the original data space is b0rked too! */
213				(*policy)->data = NULL;
214				(*policy)->length = 0;
215				X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
216				X509V3_conf_err(val);
217				goto err;
218				}
219			}
220		else
221			{
222			X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);
223			X509V3_conf_err(val);
224			goto err;
225			}
226		if (!tmp_data)
227			{
228			X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
229			X509V3_conf_err(val);
230			goto err;
231			}
232		}
233	return 1;
234err:
235	if (free_policy)
236		{
237		ASN1_OCTET_STRING_free(*policy);
238		*policy = NULL;
239		}
240	return 0;
241	}
242
243static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
244	X509V3_CTX *ctx, char *value)
245	{
246	PROXY_CERT_INFO_EXTENSION *pci = NULL;
247	STACK_OF(CONF_VALUE) *vals;
248	ASN1_OBJECT *language = NULL;
249	ASN1_INTEGER *pathlen = NULL;
250	ASN1_OCTET_STRING *policy = NULL;
251	int i, j;
252
253	vals = X509V3_parse_list(value);
254	for (i = 0; i < sk_CONF_VALUE_num(vals); i++)
255		{
256		CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);
257		if (!cnf->name || (*cnf->name != '@' && !cnf->value))
258			{
259			X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_PROXY_POLICY_SETTING);
260			X509V3_conf_err(cnf);
261			goto err;
262			}
263		if (*cnf->name == '@')
264			{
265			STACK_OF(CONF_VALUE) *sect;
266			int success_p = 1;
267
268			sect = X509V3_get_section(ctx, cnf->name + 1);
269			if (!sect)
270				{
271				X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_SECTION);
272				X509V3_conf_err(cnf);
273				goto err;
274				}
275			for (j = 0; success_p && j < sk_CONF_VALUE_num(sect); j++)
276				{
277				success_p =
278					process_pci_value(sk_CONF_VALUE_value(sect, j),
279						&language, &pathlen, &policy);
280				}
281			X509V3_section_free(ctx, sect);
282			if (!success_p)
283				goto err;
284			}
285		else
286			{
287			if (!process_pci_value(cnf,
288					&language, &pathlen, &policy))
289				{
290				X509V3_conf_err(cnf);
291				goto err;
292				}
293			}
294		}
295
296	/* Language is mandatory */
297	if (!language)
298		{
299		X509V3err(X509V3_F_R2I_PCI,X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED);
300		goto err;
301		}
302	i = OBJ_obj2nid(language);
303	if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy)
304		{
305		X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY);
306		goto err;
307		}
308
309	pci = PROXY_CERT_INFO_EXTENSION_new();
310	if (!pci)
311		{
312		X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE);
313		goto err;
314		}
315
316	pci->proxyPolicy->policyLanguage = language; language = NULL;
317	pci->proxyPolicy->policy = policy; policy = NULL;
318	pci->pcPathLengthConstraint = pathlen; pathlen = NULL;
319	goto end;
320err:
321	if (language) { ASN1_OBJECT_free(language); language = NULL; }
322	if (pathlen) { ASN1_INTEGER_free(pathlen); pathlen = NULL; }
323	if (policy) { ASN1_OCTET_STRING_free(policy); policy = NULL; }
324	if (pci) { PROXY_CERT_INFO_EXTENSION_free(pci); pci = NULL; }
325end:
326	sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
327	return pci;
328	}
329