1/* 2 * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10#include "internal/cryptlib.h" 11#include <openssl/x509.h> 12#include <openssl/x509v3.h> 13#include "crypto/x509.h" 14 15#include "pcy_local.h" 16 17static int policy_data_cmp(const X509_POLICY_DATA *const *a, 18 const X509_POLICY_DATA *const *b); 19static int policy_cache_set_int(long *out, ASN1_INTEGER *value); 20 21/* 22 * Set cache entry according to CertificatePolicies extension. Note: this 23 * destroys the passed CERTIFICATEPOLICIES structure. 24 */ 25 26static int policy_cache_create(X509 *x, 27 CERTIFICATEPOLICIES *policies, int crit) 28{ 29 int i, num, ret = 0; 30 X509_POLICY_CACHE *cache = x->policy_cache; 31 X509_POLICY_DATA *data = NULL; 32 POLICYINFO *policy; 33 34 if ((num = sk_POLICYINFO_num(policies)) <= 0) 35 goto bad_policy; 36 cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp); 37 if (cache->data == NULL) { 38 ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); 39 goto just_cleanup; 40 } 41 for (i = 0; i < num; i++) { 42 policy = sk_POLICYINFO_value(policies, i); 43 data = ossl_policy_data_new(policy, NULL, crit); 44 if (data == NULL) { 45 ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); 46 goto just_cleanup; 47 } 48 /* 49 * Duplicate policy OIDs are illegal: reject if matches found. 50 */ 51 if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { 52 if (cache->anyPolicy) { 53 ret = -1; 54 goto bad_policy; 55 } 56 cache->anyPolicy = data; 57 } else if (sk_X509_POLICY_DATA_find(cache->data, data) >=0 ) { 58 ret = -1; 59 goto bad_policy; 60 } else if (!sk_X509_POLICY_DATA_push(cache->data, data)) { 61 ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); 62 goto bad_policy; 63 } 64 data = NULL; 65 } 66 ret = 1; 67 68 bad_policy: 69 if (ret == -1) 70 x->ex_flags |= EXFLAG_INVALID_POLICY; 71 ossl_policy_data_free(data); 72 just_cleanup: 73 sk_POLICYINFO_pop_free(policies, POLICYINFO_free); 74 if (ret <= 0) { 75 sk_X509_POLICY_DATA_pop_free(cache->data, ossl_policy_data_free); 76 cache->data = NULL; 77 } 78 return ret; 79} 80 81static int policy_cache_new(X509 *x) 82{ 83 X509_POLICY_CACHE *cache; 84 ASN1_INTEGER *ext_any = NULL; 85 POLICY_CONSTRAINTS *ext_pcons = NULL; 86 CERTIFICATEPOLICIES *ext_cpols = NULL; 87 POLICY_MAPPINGS *ext_pmaps = NULL; 88 int i; 89 90 if (x->policy_cache != NULL) 91 return 1; 92 cache = OPENSSL_malloc(sizeof(*cache)); 93 if (cache == NULL) { 94 ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); 95 return 0; 96 } 97 cache->anyPolicy = NULL; 98 cache->data = NULL; 99 cache->any_skip = -1; 100 cache->explicit_skip = -1; 101 cache->map_skip = -1; 102 103 x->policy_cache = cache; 104 105 /* 106 * Handle requireExplicitPolicy *first*. Need to process this even if we 107 * don't have any policies. 108 */ 109 ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL); 110 111 if (!ext_pcons) { 112 if (i != -1) 113 goto bad_cache; 114 } else { 115 if (!ext_pcons->requireExplicitPolicy 116 && !ext_pcons->inhibitPolicyMapping) 117 goto bad_cache; 118 if (!policy_cache_set_int(&cache->explicit_skip, 119 ext_pcons->requireExplicitPolicy)) 120 goto bad_cache; 121 if (!policy_cache_set_int(&cache->map_skip, 122 ext_pcons->inhibitPolicyMapping)) 123 goto bad_cache; 124 } 125 126 /* Process CertificatePolicies */ 127 128 ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL); 129 /* 130 * If no CertificatePolicies extension or problem decoding then there is 131 * no point continuing because the valid policies will be NULL. 132 */ 133 if (!ext_cpols) { 134 /* If not absent some problem with extension */ 135 if (i != -1) 136 goto bad_cache; 137 return 1; 138 } 139 140 i = policy_cache_create(x, ext_cpols, i); 141 142 /* NB: ext_cpols freed by policy_cache_set_policies */ 143 144 if (i <= 0) 145 return i; 146 147 ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL); 148 149 if (!ext_pmaps) { 150 /* If not absent some problem with extension */ 151 if (i != -1) 152 goto bad_cache; 153 } else { 154 i = ossl_policy_cache_set_mapping(x, ext_pmaps); 155 if (i <= 0) 156 goto bad_cache; 157 } 158 159 ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL); 160 161 if (!ext_any) { 162 if (i != -1) 163 goto bad_cache; 164 } else if (!policy_cache_set_int(&cache->any_skip, ext_any)) 165 goto bad_cache; 166 goto just_cleanup; 167 168 bad_cache: 169 x->ex_flags |= EXFLAG_INVALID_POLICY; 170 171 just_cleanup: 172 POLICY_CONSTRAINTS_free(ext_pcons); 173 ASN1_INTEGER_free(ext_any); 174 return 1; 175 176} 177 178void ossl_policy_cache_free(X509_POLICY_CACHE *cache) 179{ 180 if (!cache) 181 return; 182 ossl_policy_data_free(cache->anyPolicy); 183 sk_X509_POLICY_DATA_pop_free(cache->data, ossl_policy_data_free); 184 OPENSSL_free(cache); 185} 186 187const X509_POLICY_CACHE *ossl_policy_cache_set(X509 *x) 188{ 189 190 if (x->policy_cache == NULL) { 191 if (!CRYPTO_THREAD_write_lock(x->lock)) 192 return NULL; 193 policy_cache_new(x); 194 CRYPTO_THREAD_unlock(x->lock); 195 } 196 197 return x->policy_cache; 198 199} 200 201X509_POLICY_DATA *ossl_policy_cache_find_data(const X509_POLICY_CACHE *cache, 202 const ASN1_OBJECT *id) 203{ 204 int idx; 205 X509_POLICY_DATA tmp; 206 tmp.valid_policy = (ASN1_OBJECT *)id; 207 idx = sk_X509_POLICY_DATA_find(cache->data, &tmp); 208 return sk_X509_POLICY_DATA_value(cache->data, idx); 209} 210 211static int policy_data_cmp(const X509_POLICY_DATA *const *a, 212 const X509_POLICY_DATA *const *b) 213{ 214 return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy); 215} 216 217static int policy_cache_set_int(long *out, ASN1_INTEGER *value) 218{ 219 if (value == NULL) 220 return 1; 221 if (value->type == V_ASN1_NEG_INTEGER) 222 return 0; 223 *out = ASN1_INTEGER_get(value); 224 return 1; 225} 226