pcy_cache.c revision 296465 
1/* pcy_cache.c */
2/*
3 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
4 * 2004.
5 */
6/* ====================================================================
7 * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 *    notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 *    notice, this list of conditions and the following disclaimer in
18 *    the documentation and/or other materials provided with the
19 *    distribution.
20 *
21 * 3. All advertising materials mentioning features or use of this
22 *    software must display the following acknowledgment:
23 *    "This product includes software developed by the OpenSSL Project
24 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 *
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 *    endorse or promote products derived from this software without
28 *    prior written permission. For written permission, please contact
29 *    licensing@OpenSSL.org.
30 *
31 * 5. Products derived from this software may not be called "OpenSSL"
32 *    nor may "OpenSSL" appear in their names without prior written
33 *    permission of the OpenSSL Project.
34 *
35 * 6. Redistributions of any form whatsoever must retain the following
36 *    acknowledgment:
37 *    "This product includes software developed by the OpenSSL Project
38 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
53 *
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com).  This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
57 *
58 */
59
60#include "cryptlib.h"
61#include <openssl/x509.h>
62#include <openssl/x509v3.h>
63
64#include "pcy_int.h"
65
66static int policy_data_cmp(const X509_POLICY_DATA *const *a,
67                           const X509_POLICY_DATA *const *b);
68static int policy_cache_set_int(long *out, ASN1_INTEGER *value);
69
70/*
71 * Set cache entry according to CertificatePolicies extension. Note: this
72 * destroys the passed CERTIFICATEPOLICIES structure.
73 */
74
75static int policy_cache_create(X509 *x,
76                               CERTIFICATEPOLICIES *policies, int crit)
77{
78    int i;
79    int ret = 0;
80    X509_POLICY_CACHE *cache = x->policy_cache;
81    X509_POLICY_DATA *data = NULL;
82    POLICYINFO *policy;
83    if (sk_POLICYINFO_num(policies) == 0)
84        goto bad_policy;
85    cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
86    if (!cache->data)
87        goto bad_policy;
88    for (i = 0; i < sk_POLICYINFO_num(policies); i++) {
89        policy = sk_POLICYINFO_value(policies, i);
90        data = policy_data_new(policy, NULL, crit);
91        if (!data)
92            goto bad_policy;
93        /*
94         * Duplicate policy OIDs are illegal: reject if matches found.
95         */
96        if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
97            if (cache->anyPolicy) {
98                ret = -1;
99                goto bad_policy;
100            }
101            cache->anyPolicy = data;
102        } else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1) {
103            ret = -1;
104            goto bad_policy;
105        } else if (!sk_X509_POLICY_DATA_push(cache->data, data))
106            goto bad_policy;
107        data = NULL;
108    }
109    ret = 1;
110 bad_policy:
111    if (ret == -1)
112        x->ex_flags |= EXFLAG_INVALID_POLICY;
113    if (data)
114        policy_data_free(data);
115    sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
116    if (ret <= 0) {
117        sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
118        cache->data = NULL;
119    }
120    return ret;
121}
122
123static int policy_cache_new(X509 *x)
124{
125    X509_POLICY_CACHE *cache;
126    ASN1_INTEGER *ext_any = NULL;
127    POLICY_CONSTRAINTS *ext_pcons = NULL;
128    CERTIFICATEPOLICIES *ext_cpols = NULL;
129    POLICY_MAPPINGS *ext_pmaps = NULL;
130    int i;
131    cache = OPENSSL_malloc(sizeof(X509_POLICY_CACHE));
132    if (!cache)
133        return 0;
134    cache->anyPolicy = NULL;
135    cache->data = NULL;
136    cache->maps = NULL;
137    cache->any_skip = -1;
138    cache->explicit_skip = -1;
139    cache->map_skip = -1;
140
141    x->policy_cache = cache;
142
143    /*
144     * Handle requireExplicitPolicy *first*. Need to process this even if we
145     * don't have any policies.
146     */
147    ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);
148
149    if (!ext_pcons) {
150        if (i != -1)
151            goto bad_cache;
152    } else {
153        if (!ext_pcons->requireExplicitPolicy
154            && !ext_pcons->inhibitPolicyMapping)
155            goto bad_cache;
156        if (!policy_cache_set_int(&cache->explicit_skip,
157                                  ext_pcons->requireExplicitPolicy))
158            goto bad_cache;
159        if (!policy_cache_set_int(&cache->map_skip,
160                                  ext_pcons->inhibitPolicyMapping))
161            goto bad_cache;
162    }
163
164    /* Process CertificatePolicies */
165
166    ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL);
167    /*
168     * If no CertificatePolicies extension or problem decoding then there is
169     * no point continuing because the valid policies will be NULL.
170     */
171    if (!ext_cpols) {
172        /* If not absent some problem with extension */
173        if (i != -1)
174            goto bad_cache;
175        return 1;
176    }
177
178    i = policy_cache_create(x, ext_cpols, i);
179
180    /* NB: ext_cpols freed by policy_cache_set_policies */
181
182    if (i <= 0)
183        return i;
184
185    ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);
186
187    if (!ext_pmaps) {
188        /* If not absent some problem with extension */
189        if (i != -1)
190            goto bad_cache;
191    } else {
192        i = policy_cache_set_mapping(x, ext_pmaps);
193        if (i <= 0)
194            goto bad_cache;
195    }
196
197    ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);
198
199    if (!ext_any) {
200        if (i != -1)
201            goto bad_cache;
202    } else if (!policy_cache_set_int(&cache->any_skip, ext_any))
203        goto bad_cache;
204
205    if (0) {
206 bad_cache:
207        x->ex_flags |= EXFLAG_INVALID_POLICY;
208    }
209
210    if (ext_pcons)
211        POLICY_CONSTRAINTS_free(ext_pcons);
212
213    if (ext_any)
214        ASN1_INTEGER_free(ext_any);
215
216    return 1;
217
218}
219
220void policy_cache_free(X509_POLICY_CACHE *cache)
221{
222    if (!cache)
223        return;
224    if (cache->anyPolicy)
225        policy_data_free(cache->anyPolicy);
226    if (cache->data)
227        sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
228    OPENSSL_free(cache);
229}
230
231const X509_POLICY_CACHE *policy_cache_set(X509 *x)
232{
233
234    if (x->policy_cache == NULL) {
235        CRYPTO_w_lock(CRYPTO_LOCK_X509);
236        policy_cache_new(x);
237        CRYPTO_w_unlock(CRYPTO_LOCK_X509);
238    }
239
240    return x->policy_cache;
241
242}
243
244X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
245                                         const ASN1_OBJECT *id)
246{
247    int idx;
248    X509_POLICY_DATA tmp;
249    tmp.valid_policy = (ASN1_OBJECT *)id;
250    idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
251    if (idx == -1)
252        return NULL;
253    return sk_X509_POLICY_DATA_value(cache->data, idx);
254}
255
256static int policy_data_cmp(const X509_POLICY_DATA *const *a,
257                           const X509_POLICY_DATA *const *b)
258{
259    return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy);
260}
261
262static int policy_cache_set_int(long *out, ASN1_INTEGER *value)
263{
264    if (value == NULL)
265        return 1;
266    if (value->type == V_ASN1_NEG_INTEGER)
267        return 0;
268    *out = ASN1_INTEGER_get(value);
269    return 1;
270}
271