1 /* $OpenBSD: ct_x509v3.c,v 1.6 2021/12/25 15:42:32 tb Exp $ */
2 /*
3 * Written by Rob Stradling (rob@comodo.com) and Stephen Henson
4 * (steve@openssl.org) for the OpenSSL project 2014.
5 */
6 /* ====================================================================
7 * Copyright (c) 2014 The OpenSSL Project. All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
19 * distribution.
20 *
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 *
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * licensing@OpenSSL.org.
30 *
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
34 *
35 * 6. Redistributions of any form whatsoever must retain the following
36 * acknowledgment:
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
53 *
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
57 *
58 */
59
60 #ifdef OPENSSL_NO_CT
61 # error "CT is disabled"
62 #endif
63
64 #include <string.h>
65
66 #include "ct_local.h"
67
68 static char *
i2s_poison(const X509V3_EXT_METHOD * method,void * val)69 i2s_poison(const X509V3_EXT_METHOD *method, void *val)
70 {
71 return strdup("NULL");
72 }
73
74 static void *
s2i_poison(const X509V3_EXT_METHOD * method,X509V3_CTX * ctx,const char * str)75 s2i_poison(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *str)
76 {
77 return ASN1_NULL_new();
78 }
79
80 static int
i2r_SCT_LIST(X509V3_EXT_METHOD * method,STACK_OF (SCT)* sct_list,BIO * out,int indent)81 i2r_SCT_LIST(X509V3_EXT_METHOD *method, STACK_OF(SCT) *sct_list, BIO *out,
82 int indent)
83 {
84 SCT_LIST_print(sct_list, out, indent, "\n", NULL);
85 return 1;
86 }
87
88 static int
set_sct_list_source(STACK_OF (SCT)* s,sct_source_t source)89 set_sct_list_source(STACK_OF(SCT) *s, sct_source_t source)
90 {
91 if (s != NULL) {
92 int i;
93
94 for (i = 0; i < sk_SCT_num(s); i++) {
95 int res = SCT_set_source(sk_SCT_value(s, i), source);
96
97 if (res != 1) {
98 return 0;
99 }
100 }
101 }
102 return 1;
103 }
104
STACK_OF(SCT)105 static STACK_OF(SCT) *
106 x509_ext_d2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp, long len)
107 {
108 STACK_OF(SCT) *s = d2i_SCT_LIST(a, pp, len);
109
110 if (set_sct_list_source(s, SCT_SOURCE_X509V3_EXTENSION) != 1) {
111 SCT_LIST_free(s);
112 *a = NULL;
113 return NULL;
114 }
115 return s;
116 }
117
STACK_OF(SCT)118 static STACK_OF(SCT) *
119 ocsp_ext_d2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp, long len)
120 {
121 STACK_OF(SCT) *s = d2i_SCT_LIST(a, pp, len);
122
123 if (set_sct_list_source(s, SCT_SOURCE_OCSP_STAPLED_RESPONSE) != 1) {
124 SCT_LIST_free(s);
125 *a = NULL;
126 return NULL;
127 }
128 return s;
129 }
130
131 /* Handlers for X509v3/OCSP Certificate Transparency extensions */
132 const X509V3_EXT_METHOD v3_ct_scts[3] = {
133 /* X509v3 extension in certificates that contains SCTs */
134 [0] = {
135 .ext_nid = NID_ct_precert_scts,
136 .ext_flags = 0,
137 .it = NULL,
138 .ext_new = NULL,
139 .ext_free = (X509V3_EXT_FREE)SCT_LIST_free,
140 .d2i = (X509V3_EXT_D2I)x509_ext_d2i_SCT_LIST,
141 .i2d = (X509V3_EXT_I2D)i2d_SCT_LIST,
142 .i2s = NULL,
143 .s2i = NULL,
144 .i2v = NULL,
145 .v2i = NULL,
146 .i2r = (X509V3_EXT_I2R)i2r_SCT_LIST,
147 .r2i = NULL,
148 .usr_data = NULL,
149 },
150
151 /* X509v3 extension to mark a certificate as a pre-certificate */
152 [1] = {
153 .ext_nid = NID_ct_precert_poison,
154 .ext_flags = 0,
155 .it = &ASN1_NULL_it,
156 .ext_new = NULL,
157 .ext_free = NULL,
158 .d2i = NULL,
159 .i2d = NULL,
160 .i2s = i2s_poison,
161 .s2i = s2i_poison,
162 .i2v = NULL,
163 .v2i = NULL,
164 .i2r = NULL,
165 .r2i = NULL,
166 .usr_data = NULL,
167 },
168
169 /* OCSP extension that contains SCTs */
170 [2] = {
171 .ext_nid = NID_ct_cert_scts,
172 .ext_flags = 0,
173 .it = NULL,
174 .ext_new = NULL,
175 .ext_free = (X509V3_EXT_FREE)SCT_LIST_free,
176 .d2i = (X509V3_EXT_D2I)ocsp_ext_d2i_SCT_LIST,
177 .i2d = (X509V3_EXT_I2D)i2d_SCT_LIST,
178 .i2s = NULL,
179 .s2i = NULL,
180 .i2v = NULL,
181 .v2i = NULL,
182 .i2r = (X509V3_EXT_I2R)i2r_SCT_LIST,
183 .r2i = NULL,
184 .usr_data = NULL,
185 },
186 };
187