pcy_cache.c revision 296341 
1/* pcy_cache.c */
2/*
3 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
4 * 2004.
5 */
6/* ====================================================================
7 * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 *    notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 *    notice, this list of conditions and the following disclaimer in
18 *    the documentation and/or other materials provided with the
19 *    distribution.
20 *
21 * 3. All advertising materials mentioning features or use of this
22 *    software must display the following acknowledgment:
23 *    "This product includes software developed by the OpenSSL Project
24 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 *
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 *    endorse or promote products derived from this software without
28 *    prior written permission. For written permission, please contact
29 *    licensing@OpenSSL.org.
30 *
31 * 5. Products derived from this software may not be called "OpenSSL"
32 *    nor may "OpenSSL" appear in their names without prior written
33 *    permission of the OpenSSL Project.
34 *
35 * 6. Redistributions of any form whatsoever must retain the following
36 *    acknowledgment:
37 *    "This product includes software developed by the OpenSSL Project
38 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
53 *
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com).  This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
57 *
58 */
59
60#include "cryptlib.h"
61#include <openssl/x509.h>
62#include <openssl/x509v3.h>
63
64#include "pcy_int.h"
65
66static int policy_data_cmp(const X509_POLICY_DATA *const *a,
67                           const X509_POLICY_DATA *const *b);
68static int policy_cache_set_int(long *out, ASN1_INTEGER *value);
69
70/*
71 * Set cache entry according to CertificatePolicies extension. Note: this
72 * destroys the passed CERTIFICATEPOLICIES structure.
73 */
74
75static int policy_cache_create(X509 *x,
76                               CERTIFICATEPOLICIES *policies, int crit)
77{
78    int i;
79    int ret = 0;
80    X509_POLICY_CACHE *cache = x->policy_cache;
81    X509_POLICY_DATA *data = NULL;
82    POLICYINFO *policy;
83    if (sk_POLICYINFO_num(policies) == 0)
84        goto bad_policy;
85    cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
86    if (!cache->data)
87        goto bad_policy;
88    for (i = 0; i < sk_POLICYINFO_num(policies); i++) {
89        policy = sk_POLICYINFO_value(policies, i);
90        data = policy_data_new(policy, NULL, crit);
91        if (!data)
92            goto bad_policy;
93        /*
94         * Duplicate policy OIDs are illegal: reject if matches found.
95         */
96        if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
97            if (cache->anyPolicy) {
98                ret = -1;
99                goto bad_policy;
100            }
101            cache->anyPolicy = data;
102        } else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1) {
103            ret = -1;
104            goto bad_policy;
105        } else if (!sk_X509_POLICY_DATA_push(cache->data, data))
106            goto bad_policy;
107        data = NULL;
108    }
109    ret = 1;
110 bad_policy:
111    if (ret == -1)
112        x->ex_flags |= EXFLAG_INVALID_POLICY;
113    if (data)
114        policy_data_free(data);
115    sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
116    if (ret <= 0) {
117        sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
118        cache->data = NULL;
119    }
120    return ret;
121}
122
123static int policy_cache_new(X509 *x)
124{
125    X509_POLICY_CACHE *cache;
126    ASN1_INTEGER *ext_any = NULL;
127    POLICY_CONSTRAINTS *ext_pcons = NULL;
128    CERTIFICATEPOLICIES *ext_cpols = NULL;
129    POLICY_MAPPINGS *ext_pmaps = NULL;
130    int i;
131    cache = OPENSSL_malloc(sizeof(X509_POLICY_CACHE));
132    if (!cache)
133        return 0;
134    cache->anyPolicy = NULL;
135    cache->data = NULL;
136    cache->any_skip = -1;
137    cache->explicit_skip = -1;
138    cache->map_skip = -1;
139
140    x->policy_cache = cache;
141
142    /*
143     * Handle requireExplicitPolicy *first*. Need to process this even if we
144     * don't have any policies.
145     */
146    ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);
147
148    if (!ext_pcons) {
149        if (i != -1)
150            goto bad_cache;
151    } else {
152        if (!ext_pcons->requireExplicitPolicy
153            && !ext_pcons->inhibitPolicyMapping)
154            goto bad_cache;
155        if (!policy_cache_set_int(&cache->explicit_skip,
156                                  ext_pcons->requireExplicitPolicy))
157            goto bad_cache;
158        if (!policy_cache_set_int(&cache->map_skip,
159                                  ext_pcons->inhibitPolicyMapping))
160            goto bad_cache;
161    }
162
163    /* Process CertificatePolicies */
164
165    ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL);
166    /*
167     * If no CertificatePolicies extension or problem decoding then there is
168     * no point continuing because the valid policies will be NULL.
169     */
170    if (!ext_cpols) {
171        /* If not absent some problem with extension */
172        if (i != -1)
173            goto bad_cache;
174        return 1;
175    }
176
177    i = policy_cache_create(x, ext_cpols, i);
178
179    /* NB: ext_cpols freed by policy_cache_set_policies */
180
181    if (i <= 0)
182        return i;
183
184    ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);
185
186    if (!ext_pmaps) {
187        /* If not absent some problem with extension */
188        if (i != -1)
189            goto bad_cache;
190    } else {
191        i = policy_cache_set_mapping(x, ext_pmaps);
192        if (i <= 0)
193            goto bad_cache;
194    }
195
196    ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);
197
198    if (!ext_any) {
199        if (i != -1)
200            goto bad_cache;
201    } else if (!policy_cache_set_int(&cache->any_skip, ext_any))
202        goto bad_cache;
203
204    if (0) {
205 bad_cache:
206        x->ex_flags |= EXFLAG_INVALID_POLICY;
207    }
208
209    if (ext_pcons)
210        POLICY_CONSTRAINTS_free(ext_pcons);
211
212    if (ext_any)
213        ASN1_INTEGER_free(ext_any);
214
215    return 1;
216
217}
218
219void policy_cache_free(X509_POLICY_CACHE *cache)
220{
221    if (!cache)
222        return;
223    if (cache->anyPolicy)
224        policy_data_free(cache->anyPolicy);
225    if (cache->data)
226        sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
227    OPENSSL_free(cache);
228}
229
230const X509_POLICY_CACHE *policy_cache_set(X509 *x)
231{
232
233    if (x->policy_cache == NULL) {
234        CRYPTO_w_lock(CRYPTO_LOCK_X509);
235        policy_cache_new(x);
236        CRYPTO_w_unlock(CRYPTO_LOCK_X509);
237    }
238
239    return x->policy_cache;
240
241}
242
243X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
244                                         const ASN1_OBJECT *id)
245{
246    int idx;
247    X509_POLICY_DATA tmp;
248    tmp.valid_policy = (ASN1_OBJECT *)id;
249    idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
250    if (idx == -1)
251        return NULL;
252    return sk_X509_POLICY_DATA_value(cache->data, idx);
253}
254
255static int policy_data_cmp(const X509_POLICY_DATA *const *a,
256                           const X509_POLICY_DATA *const *b)
257{
258    return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy);
259}
260
261static int policy_cache_set_int(long *out, ASN1_INTEGER *value)
262{
263    if (value == NULL)
264        return 1;
265    if (value->type == V_ASN1_NEG_INTEGER)
266        return 0;
267    *out = ASN1_INTEGER_get(value);
268    return 1;
269}
270