/*
 * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include "internal/cryptlib.h"
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include "crypto/x509.h"

#include "pcy_local.h"

/*
 * Set policy mapping entries in cache. Note: this modifies the passed
 * POLICY_MAPPINGS structure
 *
 * x     certificate whose policy cache (x->policy_cache) receives the
 *       mappings. x->policy_cache must be non-NULL: it is dereferenced
 *       below without a check.
 * maps  decoded policyMappings extension. Ownership is taken on EVERY
 *       path: the stack and whatever entries still own their OIDs are
 *       released with sk_POLICY_MAPPING_pop_free() before returning, so
 *       the caller must not use or free |maps| afterwards, whether the
 *       call succeeded or not.
 *
 * Returns 1 on success, 0 if an allocation or stack push failed, and -1
 * if the extension content is invalid (empty sequence, or a mapping to or
 * from anyPolicy).
 */
int ossl_policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
{
    POLICY_MAPPING *map;
    X509_POLICY_DATA *data;
    X509_POLICY_CACHE *cache = x->policy_cache;
    int i;
    int ret = 0;

    /*
     * RFC 5280 defines PolicyMappings as SEQUENCE SIZE (1..MAX), so an
     * empty extension is malformed rather than merely useless.
     */
    if (sk_POLICY_MAPPING_num(maps) == 0) {
        ret = -1;
        goto bad_mapping;
    }
    for (i = 0; i < sk_POLICY_MAPPING_num(maps); i++) {
        map = sk_POLICY_MAPPING_value(maps, i);
        /*
         * Reject if map to or from anyPolicy (RFC 5280, 4.2.1.5: policies
         * MUST NOT be mapped to or from the special value anyPolicy).
         * A single bad entry invalidates the whole extension.
         */
        if ((OBJ_obj2nid(map->subjectDomainPolicy) == NID_any_policy)
            || (OBJ_obj2nid(map->issuerDomainPolicy) == NID_any_policy)) {
            ret = -1;
            goto bad_mapping;
        }

        /* Attempt to find matching policy data */
        data = ossl_policy_cache_find_data(cache, map->issuerDomainPolicy);
        /*
         * If we don't have anyPolicy can't map: the certificate asserts
         * neither issuerDomainPolicy nor anyPolicy, so the mapping cannot
         * apply. It is skipped, not rejected; its subjectDomainPolicy is
         * still owned by |map| and is released by the pop_free below.
         */
        if (data == NULL && !cache->anyPolicy)
            continue;

        /*
         * Create a NODE from anyPolicy: synthesize a data entry for
         * issuerDomainPolicy, inheriting only the criticality bit of the
         * anyPolicy node.
         * NOTE(review): ossl_policy_data_new() with a NULL policy argument
         * presumably copies the OID rather than taking ownership of it,
         * which is why the commented-out assignment below was never
         * enabled and map->issuerDomainPolicy stays owned by |map| —
         * confirm against pcy_data.c.
         */
        if (data == NULL) {
            data = ossl_policy_data_new(NULL, map->issuerDomainPolicy,
                                        cache->anyPolicy->flags
                                        & POLICY_DATA_FLAG_CRITICAL);
            if (data == NULL)
                goto bad_mapping;
            /*
             * The qualifiers are shared with the anyPolicy node, not
             * copied; POLICY_DATA_FLAG_SHARED_QUALIFIERS records that so
             * the node's destructor presumably leaves them alone.
             */
            data->qualifier_set = cache->anyPolicy->qualifier_set;
            /*
             * map->issuerDomainPolicy = NULL;
             */
            data->flags |= POLICY_DATA_FLAG_MAPPED_ANY;
            data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
            /* Not yet owned by the cache on push failure, so free it here */
            if (!sk_X509_POLICY_DATA_push(cache->data, data)) {
                ossl_policy_data_free(data);
                goto bad_mapping;
            }
        } else
            data->flags |= POLICY_DATA_FLAG_MAPPED;
        /*
         * expected_policy_set takes ownership of the subject OID on a
         * successful push, so clear it on |map| to keep the pop_free below
         * from freeing it a second time. On push failure it is left on
         * |map| and released there, so it is neither leaked nor double
         * freed.
         */
        if (!sk_ASN1_OBJECT_push(data->expected_policy_set,
                                 map->subjectDomainPolicy))
            goto bad_mapping;
        map->subjectDomainPolicy = NULL;

    }

    ret = 1;
 bad_mapping:
    /* Reached on every path: |maps| is consumed even when we fail */
    sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
    return ret;

}