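/* $OpenBSD: ct_x509v3.c,v 1.6 2021/12/25 15:42:32 tb Exp $ */
/*
 * Written by Rob Stradling (rob@comodo.com) and Stephen Henson
 * (steve@openssl.org) for the OpenSSL project 2014.
 */
/* ====================================================================
 * Copyright (c) 2014 The OpenSSL Project. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com). This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

#ifdef OPENSSL_NO_CT
# error "CT is disabled"
#endif

#include <string.h>

#include "ct_local.h"

/*
 * i2s handler for the pre-certificate poison extension.
 *
 * The extension value is an ASN.1 NULL, so its textual form is always the
 * literal string "NULL".  method and val are unused.
 *
 * Returns a heap-allocated string owned by the caller, or NULL if
 * strdup() fails.
 */
static char *
i2s_poison(const X509V3_EXT_METHOD *method, void *val)
{
	return strdup("NULL");
}

/*
 * s2i handler for the pre-certificate poison extension.
 *
 * The textual value str is ignored: whatever the configuration says, the
 * encoded extension is a bare ASN.1 NULL.  method and ctx are unused.
 *
 * Returns a new ASN1_NULL, or NULL on allocation failure.
 */
static void *
s2i_poison(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *str)
{
	return ASN1_NULL_new();
}

/*
 * i2r handler shared by both SCT list extensions: pretty-print every SCT
 * in sct_list to out, separated by newlines and indented by indent
 * columns.  The trailing NULL is the optional log store argument of
 * SCT_LIST_print(), so no log-name resolution is attempted here.
 *
 * SCT_LIST_print() reports no status, so this always returns 1.
 */
static int
i2r_SCT_LIST(X509V3_EXT_METHOD *method, STACK_OF(SCT) *sct_list, BIO *out,
    int indent)
{
	SCT_LIST_print(sct_list, out, indent, "\n", NULL);
	return 1;
}

/*
 * Record where each SCT in s came from.
 *
 * s may be NULL (no list was decoded); that is treated as success since
 * there is nothing to tag.
 *
 * Returns 1 on success, 0 as soon as SCT_set_source() fails for an
 * element; elements before the failing one have already been updated.
 */
static int
set_sct_list_source(STACK_OF(SCT) *s, sct_source_t source)
{
	int i;

	if (s == NULL)
		return 1;

	for (i = 0; i < sk_SCT_num(s); i++) {
		if (SCT_set_source(sk_SCT_value(s, i), source) != 1)
			return 0;
	}

	return 1;
}

/*
 * Decode a DER SCT list from *pp and tag every SCT with source.
 *
 * Shared by the certificate and OCSP d2i handlers below, which differ
 * only in the source they assign.  a, pp and len follow the usual d2i
 * conventions; a may be NULL, which is how the X509V3 extension framework
 * normally invokes a method's d2i callback.
 *
 * Returns the decoded list on success.  If tagging fails, the list is
 * freed, *a (when a was supplied) is cleared so the caller is not left
 * holding a dangling pointer, and NULL is returned.
 */
static STACK_OF(SCT) *
sct_list_d2i_with_source(STACK_OF(SCT) **a, const unsigned char **pp,
    long len, sct_source_t source)
{
	STACK_OF(SCT) *s = d2i_SCT_LIST(a, pp, len);

	if (set_sct_list_source(s, source) != 1) {
		SCT_LIST_free(s);
		/*
		 * Under d2i conventions *a also refers to s; clear it,
		 * but only when the caller actually passed an output slot.
		 */
		if (a != NULL)
			*a = NULL;
		return NULL;
	}

	return s;
}

/*
 * d2i handler for the X509v3 SCT list extension (NID_ct_precert_scts).
 * SCTs decoded here are tagged SCT_SOURCE_X509V3_EXTENSION.
 */
static STACK_OF(SCT) *
x509_ext_d2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp, long len)
{
	return sct_list_d2i_with_source(a, pp, len,
	    SCT_SOURCE_X509V3_EXTENSION);
}

/*
 * d2i handler for the OCSP SCT list extension (NID_ct_cert_scts).
 * SCTs decoded here are tagged SCT_SOURCE_OCSP_STAPLED_RESPONSE.
 */
static STACK_OF(SCT) *
ocsp_ext_d2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp, long len)
{
	return sct_list_d2i_with_source(a, pp, len,
	    SCT_SOURCE_OCSP_STAPLED_RESPONSE);
}

/*
 * Handlers for X509v3/OCSP Certificate Transparency extensions.
 *
 * The casts adapt the typed handlers above to the generic
 * X509V3_EXT_* callback signatures expected by the table.  Fields left
 * NULL mean the corresponding operation is not supported for that
 * extension.
 */
const X509V3_EXT_METHOD v3_ct_scts[3] = {
	/* X509v3 extension in certificates that contains SCTs */
	[0] = {
		.ext_nid = NID_ct_precert_scts,
		.ext_flags = 0,
		.it = NULL,
		.ext_new = NULL,
		.ext_free = (X509V3_EXT_FREE)SCT_LIST_free,
		.d2i = (X509V3_EXT_D2I)x509_ext_d2i_SCT_LIST,
		.i2d = (X509V3_EXT_I2D)i2d_SCT_LIST,
		.i2s = NULL,
		.s2i = NULL,
		.i2v = NULL,
		.v2i = NULL,
		.i2r = (X509V3_EXT_I2R)i2r_SCT_LIST,
		.r2i = NULL,
		.usr_data = NULL,
	},

	/* X509v3 extension to mark a certificate as a pre-certificate */
	[1] = {
		.ext_nid = NID_ct_precert_poison,
		.ext_flags = 0,
		.it = &ASN1_NULL_it,
		.ext_new = NULL,
		.ext_free = NULL,
		.d2i = NULL,
		.i2d = NULL,
		.i2s = i2s_poison,
		.s2i = s2i_poison,
		.i2v = NULL,
		.v2i = NULL,
		.i2r = NULL,
		.r2i = NULL,
		.usr_data = NULL,
	},

	/* OCSP extension that contains SCTs */
	[2] = {
		.ext_nid = NID_ct_cert_scts,
		.ext_flags = 0,
		.it = NULL,
		.ext_new = NULL,
		.ext_free = (X509V3_EXT_FREE)SCT_LIST_free,
		.d2i = (X509V3_EXT_D2I)ocsp_ext_d2i_SCT_LIST,
		.i2d = (X509V3_EXT_I2D)i2d_SCT_LIST,
		.i2s = NULL,
		.s2i = NULL,
		.i2v = NULL,
		.v2i = NULL,
		.i2r = (X509V3_EXT_I2R)i2r_SCT_LIST,
		.r2i = NULL,
		.usr_data = NULL,
	},
};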