1 /* $OpenBSD: x509_cpols.c,v 1.3 2022/01/08 07:25:52 tb Exp $ */ 2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 3 * project 1999. 4 */ 5 /* ==================================================================== 6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing@OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay@cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh@cryptsoft.com). 56 * 57 */ 58 59 #include <stdio.h> 60 #include <string.h> 61 62 #include <openssl/asn1.h> 63 #include <openssl/asn1t.h> 64 #include <openssl/conf.h> 65 #include <openssl/err.h> 66 #include <openssl/x509v3.h> 67 68 #include "pcy_int.h" 69 #include "x509_lcl.h" 70 71 /* Certificate policies extension support: this one is a bit complex... */ 72 73 static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol, 74 BIO *out, int indent); 75 static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method, 76 X509V3_CTX *ctx, char *value); 77 static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals, 78 int indent); 79 static void print_notice(BIO *out, USERNOTICE *notice, int indent); 80 static POLICYINFO *policy_section(X509V3_CTX *ctx, 81 STACK_OF(CONF_VALUE) *polstrs, int ia5org); 82 static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, 83 STACK_OF(CONF_VALUE) *unot, int ia5org); 84 static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos); 85 86 const X509V3_EXT_METHOD v3_cpols = { 87 .ext_nid = NID_certificate_policies, 88 .ext_flags = 0, 89 .it = &CERTIFICATEPOLICIES_it, 90 .ext_new = NULL, 91 .ext_free = NULL, 92 .d2i = NULL, 93 .i2d = NULL, 94 .i2s = NULL, 95 .s2i = NULL, 96 .i2v = NULL, 97 .v2i = NULL, 98 .i2r = (X509V3_EXT_I2R)i2r_certpol, 99 .r2i = (X509V3_EXT_R2I)r2i_certpol, 100 .usr_data = NULL, 101 }; 102 103 static const ASN1_TEMPLATE CERTIFICATEPOLICIES_item_tt = { 104 .flags = ASN1_TFLG_SEQUENCE_OF, 105 .tag = 0, 106 .offset = 0, 107 .field_name = "CERTIFICATEPOLICIES", 108 .item = &POLICYINFO_it, 109 }; 110 111 const ASN1_ITEM CERTIFICATEPOLICIES_it = { 112 .itype = ASN1_ITYPE_PRIMITIVE, 113 .utype = -1, 114 .templates = &CERTIFICATEPOLICIES_item_tt, 115 .tcount = 0, 116 .funcs = NULL, 117 .size = 0, 118 .sname = "CERTIFICATEPOLICIES", 119 }; 120 121 122 CERTIFICATEPOLICIES * 123 d2i_CERTIFICATEPOLICIES(CERTIFICATEPOLICIES **a, const unsigned char **in, long len) 124 { 125 return (CERTIFICATEPOLICIES *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 126 &CERTIFICATEPOLICIES_it); 127 } 128 129 int 130 i2d_CERTIFICATEPOLICIES(CERTIFICATEPOLICIES *a, unsigned char **out) 131 { 132 return ASN1_item_i2d((ASN1_VALUE *)a, out, &CERTIFICATEPOLICIES_it); 133 } 134 135 CERTIFICATEPOLICIES * 136 CERTIFICATEPOLICIES_new(void) 137 { 138 return (CERTIFICATEPOLICIES *)ASN1_item_new(&CERTIFICATEPOLICIES_it); 139 } 140 141 void 142 CERTIFICATEPOLICIES_free(CERTIFICATEPOLICIES *a) 143 { 144 ASN1_item_free((ASN1_VALUE *)a, &CERTIFICATEPOLICIES_it); 145 } 146 147 static const ASN1_TEMPLATE POLICYINFO_seq_tt[] = { 148 { 149 .flags = 0, 150 .tag = 0, 151 .offset = offsetof(POLICYINFO, policyid), 152 .field_name = "policyid", 153 .item = &ASN1_OBJECT_it, 154 }, 155 { 156 .flags = ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL, 157 .tag = 0, 158 .offset = offsetof(POLICYINFO, qualifiers), 159 .field_name = "qualifiers", 160 .item = &POLICYQUALINFO_it, 161 }, 162 }; 163 164 const ASN1_ITEM POLICYINFO_it = { 165 .itype = ASN1_ITYPE_SEQUENCE, 166 .utype = V_ASN1_SEQUENCE, 167 .templates = POLICYINFO_seq_tt, 168 .tcount = sizeof(POLICYINFO_seq_tt) / sizeof(ASN1_TEMPLATE), 169 .funcs = NULL, 170 .size = sizeof(POLICYINFO), 171 .sname = "POLICYINFO", 172 }; 173 174 175 POLICYINFO * 176 d2i_POLICYINFO(POLICYINFO **a, const unsigned char **in, long len) 177 { 178 return (POLICYINFO *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 179 &POLICYINFO_it); 180 } 181 182 int 183 i2d_POLICYINFO(POLICYINFO *a, unsigned char **out) 184 { 185 return ASN1_item_i2d((ASN1_VALUE *)a, out, &POLICYINFO_it); 186 } 187 188 POLICYINFO * 189 POLICYINFO_new(void) 190 { 191 return (POLICYINFO *)ASN1_item_new(&POLICYINFO_it); 192 } 193 194 void 195 POLICYINFO_free(POLICYINFO *a) 196 { 197 ASN1_item_free((ASN1_VALUE *)a, &POLICYINFO_it); 198 } 199 200 static const ASN1_TEMPLATE policydefault_tt = { 201 .flags = 0, 202 .tag = 0, 203 .offset = offsetof(POLICYQUALINFO, d.other), 204 .field_name = "d.other", 205 .item = &ASN1_ANY_it, 206 }; 207 208 static const ASN1_ADB_TABLE POLICYQUALINFO_adbtbl[] = { 209 { 210 .value = NID_id_qt_cps, 211 .tt = { 212 .flags = 0, 213 .tag = 0, 214 .offset = offsetof(POLICYQUALINFO, d.cpsuri), 215 .field_name = "d.cpsuri", 216 .item = &ASN1_IA5STRING_it, 217 }, 218 219 }, 220 { 221 .value = NID_id_qt_unotice, 222 .tt = { 223 .flags = 0, 224 .tag = 0, 225 .offset = offsetof(POLICYQUALINFO, d.usernotice), 226 .field_name = "d.usernotice", 227 .item = &USERNOTICE_it, 228 }, 229 230 }, 231 }; 232 233 static const ASN1_ADB POLICYQUALINFO_adb = { 234 .flags = 0, 235 .offset = offsetof(POLICYQUALINFO, pqualid), 236 .app_items = 0, 237 .tbl = POLICYQUALINFO_adbtbl, 238 .tblcount = sizeof(POLICYQUALINFO_adbtbl) / sizeof(ASN1_ADB_TABLE), 239 .default_tt = &policydefault_tt, 240 .null_tt = NULL, 241 }; 242 243 static const ASN1_TEMPLATE POLICYQUALINFO_seq_tt[] = { 244 { 245 .flags = 0, 246 .tag = 0, 247 .offset = offsetof(POLICYQUALINFO, pqualid), 248 .field_name = "pqualid", 249 .item = &ASN1_OBJECT_it, 250 }, 251 { 252 .flags = ASN1_TFLG_ADB_OID, 253 .tag = -1, 254 .offset = 0, 255 .field_name = "POLICYQUALINFO", 256 .item = (const ASN1_ITEM *)&POLICYQUALINFO_adb, 257 }, 258 }; 259 260 const ASN1_ITEM POLICYQUALINFO_it = { 261 .itype = ASN1_ITYPE_SEQUENCE, 262 .utype = V_ASN1_SEQUENCE, 263 .templates = POLICYQUALINFO_seq_tt, 264 .tcount = sizeof(POLICYQUALINFO_seq_tt) / sizeof(ASN1_TEMPLATE), 265 .funcs = NULL, 266 .size = sizeof(POLICYQUALINFO), 267 .sname = "POLICYQUALINFO", 268 }; 269 270 271 POLICYQUALINFO * 272 d2i_POLICYQUALINFO(POLICYQUALINFO **a, const unsigned char **in, long len) 273 { 274 return (POLICYQUALINFO *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 275 &POLICYQUALINFO_it); 276 } 277 278 int 279 i2d_POLICYQUALINFO(POLICYQUALINFO *a, unsigned char **out) 280 { 281 return ASN1_item_i2d((ASN1_VALUE *)a, out, &POLICYQUALINFO_it); 282 } 283 284 POLICYQUALINFO * 285 POLICYQUALINFO_new(void) 286 { 287 return (POLICYQUALINFO *)ASN1_item_new(&POLICYQUALINFO_it); 288 } 289 290 void 291 POLICYQUALINFO_free(POLICYQUALINFO *a) 292 { 293 ASN1_item_free((ASN1_VALUE *)a, &POLICYQUALINFO_it); 294 } 295 296 static const ASN1_TEMPLATE USERNOTICE_seq_tt[] = { 297 { 298 .flags = ASN1_TFLG_OPTIONAL, 299 .tag = 0, 300 .offset = offsetof(USERNOTICE, noticeref), 301 .field_name = "noticeref", 302 .item = &NOTICEREF_it, 303 }, 304 { 305 .flags = ASN1_TFLG_OPTIONAL, 306 .tag = 0, 307 .offset = offsetof(USERNOTICE, exptext), 308 .field_name = "exptext", 309 .item = &DISPLAYTEXT_it, 310 }, 311 }; 312 313 const ASN1_ITEM USERNOTICE_it = { 314 .itype = ASN1_ITYPE_SEQUENCE, 315 .utype = V_ASN1_SEQUENCE, 316 .templates = USERNOTICE_seq_tt, 317 .tcount = sizeof(USERNOTICE_seq_tt) / sizeof(ASN1_TEMPLATE), 318 .funcs = NULL, 319 .size = sizeof(USERNOTICE), 320 .sname = "USERNOTICE", 321 }; 322 323 324 USERNOTICE * 325 d2i_USERNOTICE(USERNOTICE **a, const unsigned char **in, long len) 326 { 327 return (USERNOTICE *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 328 &USERNOTICE_it); 329 } 330 331 int 332 i2d_USERNOTICE(USERNOTICE *a, unsigned char **out) 333 { 334 return ASN1_item_i2d((ASN1_VALUE *)a, out, &USERNOTICE_it); 335 } 336 337 USERNOTICE * 338 USERNOTICE_new(void) 339 { 340 return (USERNOTICE *)ASN1_item_new(&USERNOTICE_it); 341 } 342 343 void 344 USERNOTICE_free(USERNOTICE *a) 345 { 346 ASN1_item_free((ASN1_VALUE *)a, &USERNOTICE_it); 347 } 348 349 static const ASN1_TEMPLATE NOTICEREF_seq_tt[] = { 350 { 351 .flags = 0, 352 .tag = 0, 353 .offset = offsetof(NOTICEREF, organization), 354 .field_name = "organization", 355 .item = &DISPLAYTEXT_it, 356 }, 357 { 358 .flags = ASN1_TFLG_SEQUENCE_OF, 359 .tag = 0, 360 .offset = offsetof(NOTICEREF, noticenos), 361 .field_name = "noticenos", 362 .item = &ASN1_INTEGER_it, 363 }, 364 }; 365 366 const ASN1_ITEM NOTICEREF_it = { 367 .itype = ASN1_ITYPE_SEQUENCE, 368 .utype = V_ASN1_SEQUENCE, 369 .templates = NOTICEREF_seq_tt, 370 .tcount = sizeof(NOTICEREF_seq_tt) / sizeof(ASN1_TEMPLATE), 371 .funcs = NULL, 372 .size = sizeof(NOTICEREF), 373 .sname = "NOTICEREF", 374 }; 375 376 377 NOTICEREF * 378 d2i_NOTICEREF(NOTICEREF **a, const unsigned char **in, long len) 379 { 380 return (NOTICEREF *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 381 &NOTICEREF_it); 382 } 383 384 int 385 i2d_NOTICEREF(NOTICEREF *a, unsigned char **out) 386 { 387 return ASN1_item_i2d((ASN1_VALUE *)a, out, &NOTICEREF_it); 388 } 389 390 NOTICEREF * 391 NOTICEREF_new(void) 392 { 393 return (NOTICEREF *)ASN1_item_new(&NOTICEREF_it); 394 } 395 396 void 397 NOTICEREF_free(NOTICEREF *a) 398 { 399 ASN1_item_free((ASN1_VALUE *)a, &NOTICEREF_it); 400 } 401 402 static STACK_OF(POLICYINFO) * 403 r2i_certpol(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value) 404 { 405 STACK_OF(POLICYINFO) *pols = NULL; 406 char *pstr; 407 POLICYINFO *pol; 408 ASN1_OBJECT *pobj; 409 STACK_OF(CONF_VALUE) *vals; 410 CONF_VALUE *cnf; 411 int i, ia5org; 412 413 pols = sk_POLICYINFO_new_null(); 414 if (pols == NULL) { 415 X509V3error(ERR_R_MALLOC_FAILURE); 416 return NULL; 417 } 418 vals = X509V3_parse_list(value); 419 if (vals == NULL) { 420 X509V3error(ERR_R_X509V3_LIB); 421 goto err; 422 } 423 ia5org = 0; 424 for (i = 0; i < sk_CONF_VALUE_num(vals); i++) { 425 cnf = sk_CONF_VALUE_value(vals, i); 426 if (cnf->value || !cnf->name) { 427 X509V3error(X509V3_R_INVALID_POLICY_IDENTIFIER); 428 X509V3_conf_err(cnf); 429 goto err; 430 } 431 pstr = cnf->name; 432 if (!strcmp(pstr, "ia5org")) { 433 ia5org = 1; 434 continue; 435 } else if (*pstr == '@') { 436 STACK_OF(CONF_VALUE) *polsect; 437 polsect = X509V3_get_section(ctx, pstr + 1); 438 if (!polsect) { 439 X509V3error(X509V3_R_INVALID_SECTION); 440 X509V3_conf_err(cnf); 441 goto err; 442 } 443 pol = policy_section(ctx, polsect, ia5org); 444 X509V3_section_free(ctx, polsect); 445 if (!pol) 446 goto err; 447 } else { 448 if (!(pobj = OBJ_txt2obj(cnf->name, 0))) { 449 X509V3error(X509V3_R_INVALID_OBJECT_IDENTIFIER); 450 X509V3_conf_err(cnf); 451 goto err; 452 } 453 pol = POLICYINFO_new(); 454 pol->policyid = pobj; 455 } 456 if (!sk_POLICYINFO_push(pols, pol)){ 457 POLICYINFO_free(pol); 458 X509V3error(ERR_R_MALLOC_FAILURE); 459 goto err; 460 } 461 } 462 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); 463 return pols; 464 465 err: 466 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); 467 sk_POLICYINFO_pop_free(pols, POLICYINFO_free); 468 return NULL; 469 } 470 471 static POLICYINFO * 472 policy_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *polstrs, int ia5org) 473 { 474 int i; 475 CONF_VALUE *cnf; 476 POLICYINFO *pol; 477 POLICYQUALINFO *nqual = NULL; 478 479 if ((pol = POLICYINFO_new()) == NULL) 480 goto merr; 481 for (i = 0; i < sk_CONF_VALUE_num(polstrs); i++) { 482 cnf = sk_CONF_VALUE_value(polstrs, i); 483 if (strcmp(cnf->name, "policyIdentifier") == 0) { 484 ASN1_OBJECT *pobj; 485 486 if ((pobj = OBJ_txt2obj(cnf->value, 0)) == NULL) { 487 X509V3error(X509V3_R_INVALID_OBJECT_IDENTIFIER); 488 X509V3_conf_err(cnf); 489 goto err; 490 } 491 pol->policyid = pobj; 492 } else if (name_cmp(cnf->name, "CPS") == 0) { 493 if ((nqual = POLICYQUALINFO_new()) == NULL) 494 goto merr; 495 nqual->pqualid = OBJ_nid2obj(NID_id_qt_cps); 496 nqual->d.cpsuri = ASN1_IA5STRING_new(); 497 if (nqual->d.cpsuri == NULL) 498 goto merr; 499 if (ASN1_STRING_set(nqual->d.cpsuri, cnf->value, 500 strlen(cnf->value)) == 0) 501 goto merr; 502 503 if (pol->qualifiers == NULL) { 504 pol->qualifiers = sk_POLICYQUALINFO_new_null(); 505 if (pol->qualifiers == NULL) 506 goto merr; 507 } 508 if (sk_POLICYQUALINFO_push(pol->qualifiers, nqual) == 0) 509 goto merr; 510 nqual = NULL; 511 } else if (name_cmp(cnf->name, "userNotice") == 0) { 512 STACK_OF(CONF_VALUE) *unot; 513 POLICYQUALINFO *qual; 514 515 if (*cnf->value != '@') { 516 X509V3error(X509V3_R_EXPECTED_A_SECTION_NAME); 517 X509V3_conf_err(cnf); 518 goto err; 519 } 520 unot = X509V3_get_section(ctx, cnf->value + 1); 521 if (unot == NULL) { 522 X509V3error(X509V3_R_INVALID_SECTION); 523 X509V3_conf_err(cnf); 524 goto err; 525 } 526 qual = notice_section(ctx, unot, ia5org); 527 X509V3_section_free(ctx, unot); 528 if (qual == NULL) 529 goto err; 530 531 if (pol->qualifiers == NULL) { 532 pol->qualifiers = sk_POLICYQUALINFO_new_null(); 533 if (pol->qualifiers == NULL) 534 goto merr; 535 } 536 if (sk_POLICYQUALINFO_push(pol->qualifiers, qual) == 0) 537 goto merr; 538 } else { 539 X509V3error(X509V3_R_INVALID_OPTION); 540 X509V3_conf_err(cnf); 541 goto err; 542 } 543 } 544 if (pol->policyid == NULL) { 545 X509V3error(X509V3_R_NO_POLICY_IDENTIFIER); 546 goto err; 547 } 548 549 return pol; 550 551 merr: 552 X509V3error(ERR_R_MALLOC_FAILURE); 553 554 err: 555 POLICYQUALINFO_free(nqual); 556 POLICYINFO_free(pol); 557 return NULL; 558 } 559 560 static POLICYQUALINFO * 561 notice_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *unot, int ia5org) 562 { 563 int i, ret; 564 CONF_VALUE *cnf; 565 USERNOTICE *not; 566 POLICYQUALINFO *qual; 567 568 if (!(qual = POLICYQUALINFO_new())) 569 goto merr; 570 qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice); 571 if (!(not = USERNOTICE_new())) 572 goto merr; 573 qual->d.usernotice = not; 574 for (i = 0; i < sk_CONF_VALUE_num(unot); i++) { 575 cnf = sk_CONF_VALUE_value(unot, i); 576 if (!strcmp(cnf->name, "explicitText")) { 577 if (not->exptext == NULL) { 578 not->exptext = ASN1_VISIBLESTRING_new(); 579 if (not->exptext == NULL) 580 goto merr; 581 } 582 if (!ASN1_STRING_set(not->exptext, cnf->value, 583 strlen(cnf->value))) 584 goto merr; 585 } else if (!strcmp(cnf->name, "organization")) { 586 NOTICEREF *nref; 587 if (!not->noticeref) { 588 if (!(nref = NOTICEREF_new())) 589 goto merr; 590 not->noticeref = nref; 591 } else 592 nref = not->noticeref; 593 if (ia5org) 594 nref->organization->type = V_ASN1_IA5STRING; 595 else 596 nref->organization->type = V_ASN1_VISIBLESTRING; 597 if (!ASN1_STRING_set(nref->organization, cnf->value, 598 strlen(cnf->value))) 599 goto merr; 600 } else if (!strcmp(cnf->name, "noticeNumbers")) { 601 NOTICEREF *nref; 602 STACK_OF(CONF_VALUE) *nos; 603 if (!not->noticeref) { 604 if (!(nref = NOTICEREF_new())) 605 goto merr; 606 not->noticeref = nref; 607 } else 608 nref = not->noticeref; 609 nos = X509V3_parse_list(cnf->value); 610 if (!nos || !sk_CONF_VALUE_num(nos)) { 611 X509V3error(X509V3_R_INVALID_NUMBERS); 612 X509V3_conf_err(cnf); 613 if (nos != NULL) 614 sk_CONF_VALUE_pop_free(nos, 615 X509V3_conf_free); 616 goto err; 617 } 618 ret = nref_nos(nref->noticenos, nos); 619 sk_CONF_VALUE_pop_free(nos, X509V3_conf_free); 620 if (!ret) 621 goto err; 622 } else { 623 X509V3error(X509V3_R_INVALID_OPTION); 624 X509V3_conf_err(cnf); 625 goto err; 626 } 627 } 628 629 if (not->noticeref && 630 (!not->noticeref->noticenos || !not->noticeref->organization)) { 631 X509V3error(X509V3_R_NEED_ORGANIZATION_AND_NUMBERS); 632 goto err; 633 } 634 635 return qual; 636 637 merr: 638 X509V3error(ERR_R_MALLOC_FAILURE); 639 640 err: 641 POLICYQUALINFO_free(qual); 642 return NULL; 643 } 644 645 static int 646 nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos) 647 { 648 CONF_VALUE *cnf; 649 ASN1_INTEGER *aint; 650 int i; 651 652 for (i = 0; i < sk_CONF_VALUE_num(nos); i++) { 653 cnf = sk_CONF_VALUE_value(nos, i); 654 if (!(aint = s2i_ASN1_INTEGER(NULL, cnf->name))) { 655 X509V3error(X509V3_R_INVALID_NUMBER); 656 goto err; 657 } 658 if (!sk_ASN1_INTEGER_push(nnums, aint)) 659 goto merr; 660 } 661 return 1; 662 663 merr: 664 X509V3error(ERR_R_MALLOC_FAILURE); 665 666 err: 667 sk_ASN1_INTEGER_pop_free(nnums, ASN1_STRING_free); 668 return 0; 669 } 670 671 static int 672 i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol, BIO *out, 673 int indent) 674 { 675 int i; 676 POLICYINFO *pinfo; 677 678 /* First print out the policy OIDs */ 679 for (i = 0; i < sk_POLICYINFO_num(pol); i++) { 680 pinfo = sk_POLICYINFO_value(pol, i); 681 BIO_printf(out, "%*sPolicy: ", indent, ""); 682 i2a_ASN1_OBJECT(out, pinfo->policyid); 683 BIO_puts(out, "\n"); 684 if (pinfo->qualifiers) 685 print_qualifiers(out, pinfo->qualifiers, indent + 2); 686 } 687 return 1; 688 } 689 690 static void 691 print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals, int indent) 692 { 693 POLICYQUALINFO *qualinfo; 694 int i; 695 696 for (i = 0; i < sk_POLICYQUALINFO_num(quals); i++) { 697 qualinfo = sk_POLICYQUALINFO_value(quals, i); 698 switch (OBJ_obj2nid(qualinfo->pqualid)) { 699 case NID_id_qt_cps: 700 BIO_printf(out, "%*sCPS: %.*s\n", indent, "", 701 qualinfo->d.cpsuri->length, 702 qualinfo->d.cpsuri->data); 703 break; 704 705 case NID_id_qt_unotice: 706 BIO_printf(out, "%*sUser Notice:\n", indent, ""); 707 print_notice(out, qualinfo->d.usernotice, indent + 2); 708 break; 709 710 default: 711 BIO_printf(out, "%*sUnknown Qualifier: ", 712 indent + 2, ""); 713 714 i2a_ASN1_OBJECT(out, qualinfo->pqualid); 715 BIO_puts(out, "\n"); 716 break; 717 } 718 } 719 } 720 721 static void 722 print_notice(BIO *out, USERNOTICE *notice, int indent) 723 { 724 int i; 725 726 if (notice->noticeref) { 727 NOTICEREF *ref; 728 ref = notice->noticeref; 729 BIO_printf(out, "%*sOrganization: %.*s\n", indent, "", 730 ref->organization->length, ref->organization->data); 731 BIO_printf(out, "%*sNumber%s: ", indent, "", 732 sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : ""); 733 for (i = 0; i < sk_ASN1_INTEGER_num(ref->noticenos); i++) { 734 ASN1_INTEGER *num; 735 char *tmp; 736 num = sk_ASN1_INTEGER_value(ref->noticenos, i); 737 if (i) 738 BIO_puts(out, ", "); 739 tmp = i2s_ASN1_INTEGER(NULL, num); 740 BIO_puts(out, tmp); 741 free(tmp); 742 } 743 BIO_puts(out, "\n"); 744 } 745 if (notice->exptext) 746 BIO_printf(out, "%*sExplicit Text: %.*s\n", indent, "", 747 notice->exptext->length, notice->exptext->data); 748 } 749 750 void 751 X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent) 752 { 753 const X509_POLICY_DATA *dat = node->data; 754 755 BIO_printf(out, "%*sPolicy: ", indent, ""); 756 757 i2a_ASN1_OBJECT(out, dat->valid_policy); 758 BIO_puts(out, "\n"); 759 BIO_printf(out, "%*s%s\n", indent + 2, "", 760 node_data_critical(dat) ? "Critical" : "Non Critical"); 761 if (dat->qualifier_set) 762 print_qualifiers(out, dat->qualifier_set, indent + 2); 763 else 764 BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, ""); 765 } 766