xref: /openbsd/lib/libcrypto/x509/x509_lib.c (revision 9ea232b5) 
1 /* $OpenBSD: x509_lib.c,v 1.16 2024/01/25 15:09:22 tb Exp $ */
2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3  * project 1999.
4  */
5 /* ====================================================================
6  * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in
17  *    the documentation and/or other materials provided with the
18  *    distribution.
19  *
20  * 3. All advertising materials mentioning features or use of this
21  *    software must display the following acknowledgment:
22  *    "This product includes software developed by the OpenSSL Project
23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24  *
25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26  *    endorse or promote products derived from this software without
27  *    prior written permission. For written permission, please contact
28  *    licensing@OpenSSL.org.
29  *
30  * 5. Products derived from this software may not be called "OpenSSL"
31  *    nor may "OpenSSL" appear in their names without prior written
32  *    permission of the OpenSSL Project.
33  *
34  * 6. Redistributions of any form whatsoever must retain the following
35  *    acknowledgment:
36  *    "This product includes software developed by the OpenSSL Project
37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38  *
39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50  * OF THE POSSIBILITY OF SUCH DAMAGE.
51  * ====================================================================
52  *
53  * This product includes cryptographic software written by Eric Young
54  * (eay@cryptsoft.com).  This product includes software written by Tim
55  * Hudson (tjh@cryptsoft.com).
56  *
57  */
58 /* X509 v3 extension utilities */
59 
60 #include <stdio.h>
61 
62 #include <openssl/conf.h>
63 #include <openssl/err.h>
64 #include <openssl/x509v3.h>
65 
66 #include "x509_local.h"
67 
68 extern const X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
69 extern const X509V3_EXT_METHOD v3_pkey_usage_period, v3_info, v3_sinfo;
70 extern const X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
71 extern const X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
72 extern const X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl;
73 extern const X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
74 extern const X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
75 extern const X509V3_EXT_METHOD v3_crl_hold;
76 extern const X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
77 extern const X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
78 extern const X509V3_EXT_METHOD v3_addr, v3_asid;
79 extern const X509V3_EXT_METHOD v3_ct_scts[3];
80 
81 static const X509V3_EXT_METHOD *standard_exts[] = {
82 	&v3_nscert,
83 	&v3_ns_ia5_list[0],
84 	&v3_ns_ia5_list[1],
85 	&v3_ns_ia5_list[2],
86 	&v3_ns_ia5_list[3],
87 	&v3_ns_ia5_list[4],
88 	&v3_ns_ia5_list[5],
89 	&v3_ns_ia5_list[6],
90 	&v3_skey_id,
91 	&v3_key_usage,
92 	&v3_pkey_usage_period,
93 	&v3_alt[0],
94 	&v3_alt[1],
95 	&v3_bcons,
96 	&v3_crl_num,
97 	&v3_cpols,
98 	&v3_akey_id,
99 	&v3_crld,
100 	&v3_ext_ku,
101 	&v3_delta_crl,
102 	&v3_crl_reason,
103 #ifndef OPENSSL_NO_OCSP
104 	&v3_crl_invdate,
105 #endif
106 	&v3_info,
107 #ifndef OPENSSL_NO_RFC3779
108 	&v3_addr,
109 	&v3_asid,
110 #endif
111 #ifndef OPENSSL_NO_OCSP
112 	&v3_ocsp_nonce,
113 	&v3_ocsp_crlid,
114 	&v3_ocsp_accresp,
115 	&v3_ocsp_nocheck,
116 	&v3_ocsp_acutoff,
117 	&v3_ocsp_serviceloc,
118 #endif
119 	&v3_sinfo,
120 	&v3_policy_constraints,
121 #ifndef OPENSSL_NO_OCSP
122 	&v3_crl_hold,
123 #endif
124 	&v3_name_constraints,
125 	&v3_policy_mappings,
126 	&v3_inhibit_anyp,
127 	&v3_idp,
128 	&v3_alt[2],
129 	&v3_freshest_crl,
130 #ifndef OPENSSL_NO_CT
131 	&v3_ct_scts[0],
132 	&v3_ct_scts[1],
133 	&v3_ct_scts[2],
134 #endif
135 };
136 
137 #define STANDARD_EXTENSION_COUNT (sizeof(standard_exts) / sizeof(standard_exts[0]))
138 
139 const X509V3_EXT_METHOD *
140 X509V3_EXT_get_nid(int nid)
141 {
142 	size_t i;
143 
144 	for (i = 0; i < STANDARD_EXTENSION_COUNT; i++) {
145 		if (standard_exts[i]->ext_nid == nid)
146 			return standard_exts[i];
147 	}
148 
149 	return NULL;
150 }
151 LCRYPTO_ALIAS(X509V3_EXT_get_nid);
152 
153 const X509V3_EXT_METHOD *
154 X509V3_EXT_get(X509_EXTENSION *ext)
155 {
156 	int nid;
157 
158 	if ((nid = OBJ_obj2nid(ext->object)) == NID_undef)
159 		return NULL;
160 	return X509V3_EXT_get_nid(nid);
161 }
162 LCRYPTO_ALIAS(X509V3_EXT_get);
163 
164 int
165 X509V3_add_standard_extensions(void)
166 {
167 	return 1;
168 }
169 LCRYPTO_ALIAS(X509V3_add_standard_extensions);
170 
171 /* Return an extension internal structure */
172 
173 void *
174 X509V3_EXT_d2i(X509_EXTENSION *ext)
175 {
176 	const X509V3_EXT_METHOD *method;
177 	const unsigned char *p;
178 
179 	if (!(method = X509V3_EXT_get(ext)))
180 		return NULL;
181 	p = ext->value->data;
182 	if (method->it)
183 		return ASN1_item_d2i(NULL, &p, ext->value->length,
184 		    method->it);
185 	return method->d2i(NULL, &p, ext->value->length);
186 }
187 LCRYPTO_ALIAS(X509V3_EXT_d2i);
188 
189 /* Get critical flag and decoded version of extension from a NID.
190  * The "idx" variable returns the last found extension and can
191  * be used to retrieve multiple extensions of the same NID.
192  * However multiple extensions with the same NID is usually
193  * due to a badly encoded certificate so if idx is NULL we
194  * choke if multiple extensions exist.
195  * The "crit" variable is set to the critical value.
196  * The return value is the decoded extension or NULL on
197  * error. The actual error can have several different causes,
198  * the value of *crit reflects the cause:
199  * >= 0, extension found but not decoded (reflects critical value).
200  * -1 extension not found.
201  * -2 extension occurs more than once.
202  */
203 
204 void *
205 X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx)
206 {
207 	int lastpos, i;
208 	X509_EXTENSION *ex, *found_ex = NULL;
209 
210 	if (!x) {
211 		if (idx)
212 			*idx = -1;
213 		if (crit)
214 			*crit = -1;
215 		return NULL;
216 	}
217 	if (idx)
218 		lastpos = *idx + 1;
219 	else
220 		lastpos = 0;
221 	if (lastpos < 0)
222 		lastpos = 0;
223 	for (i = lastpos; i < sk_X509_EXTENSION_num(x); i++) {
224 		ex = sk_X509_EXTENSION_value(x, i);
225 		if (OBJ_obj2nid(ex->object) == nid) {
226 			if (idx) {
227 				*idx = i;
228 				found_ex = ex;
229 				break;
230 			} else if (found_ex) {
231 				/* Found more than one */
232 				if (crit)
233 					*crit = -2;
234 				return NULL;
235 			}
236 			found_ex = ex;
237 		}
238 	}
239 	if (found_ex) {
240 		/* Found it */
241 		if (crit)
242 			*crit = X509_EXTENSION_get_critical(found_ex);
243 		return X509V3_EXT_d2i(found_ex);
244 	}
245 
246 	/* Extension not found */
247 	if (idx)
248 		*idx = -1;
249 	if (crit)
250 		*crit = -1;
251 	return NULL;
252 }
253 LCRYPTO_ALIAS(X509V3_get_d2i);
254 
255 /* This function is a general extension append, replace and delete utility.
256  * The precise operation is governed by the 'flags' value. The 'crit' and
257  * 'value' arguments (if relevant) are the extensions internal structure.
258  */
259 
260 int
261 X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
262     int crit, unsigned long flags)
263 {
264 	int extidx = -1;
265 	int errcode;
266 	X509_EXTENSION *ext, *extmp;
267 	unsigned long ext_op = flags & X509V3_ADD_OP_MASK;
268 
269 	/* If appending we don't care if it exists, otherwise
270 	 * look for existing extension.
271 	 */
272 	if (ext_op != X509V3_ADD_APPEND)
273 		extidx = X509v3_get_ext_by_NID(*x, nid, -1);
274 
275 	/* See if extension exists */
276 	if (extidx >= 0) {
277 		/* If keep existing, nothing to do */
278 		if (ext_op == X509V3_ADD_KEEP_EXISTING)
279 			return 1;
280 		/* If default then its an error */
281 		if (ext_op == X509V3_ADD_DEFAULT) {
282 			errcode = X509V3_R_EXTENSION_EXISTS;
283 			goto err;
284 		}
285 		/* If delete, just delete it */
286 		if (ext_op == X509V3_ADD_DELETE) {
287 			if ((extmp = sk_X509_EXTENSION_delete(*x, extidx)) == NULL)
288 				return -1;
289 			X509_EXTENSION_free(extmp);
290 			return 1;
291 		}
292 	} else {
293 		/* If replace existing or delete, error since
294 		 * extension must exist
295 		 */
296 		if ((ext_op == X509V3_ADD_REPLACE_EXISTING) ||
297 		    (ext_op == X509V3_ADD_DELETE)) {
298 			errcode = X509V3_R_EXTENSION_NOT_FOUND;
299 			goto err;
300 		}
301 	}
302 
303 	/* If we get this far then we have to create an extension:
304 	 * could have some flags for alternative encoding schemes...
305 	 */
306 
307 	ext = X509V3_EXT_i2d(nid, crit, value);
308 
309 	if (!ext) {
310 		X509V3error(X509V3_R_ERROR_CREATING_EXTENSION);
311 		return 0;
312 	}
313 
314 	/* If extension exists replace it.. */
315 	if (extidx >= 0) {
316 		extmp = sk_X509_EXTENSION_value(*x, extidx);
317 		X509_EXTENSION_free(extmp);
318 		if (!sk_X509_EXTENSION_set(*x, extidx, ext))
319 			return -1;
320 		return 1;
321 	}
322 
323 	if (!*x && !(*x = sk_X509_EXTENSION_new_null()))
324 		return -1;
325 	if (!sk_X509_EXTENSION_push(*x, ext))
326 		return -1;
327 
328 	return 1;
329 
330 err:
331 	if (!(flags & X509V3_ADD_SILENT))
332 		X509V3error(errcode);
333 	return 0;
334 }
335 LCRYPTO_ALIAS(X509V3_add1_i2d);
336 
337 /*
338  * XXX - remove all the functions below in the next major bump.
339  */
340 
341 int
342 X509V3_EXT_add(X509V3_EXT_METHOD *ext)
343 {
344 	X509V3error(ERR_R_DISABLED);
345 	return 0;
346 }
347 LCRYPTO_ALIAS(X509V3_EXT_add);
348 
349 int
350 X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist)
351 {
352 	X509V3error(ERR_R_DISABLED);
353 	return 0;
354 }
355 LCRYPTO_ALIAS(X509V3_EXT_add_list);
356 
357 int
358 X509V3_EXT_add_alias(int nid_to, int nid_from)
359 {
360 	X509V3error(ERR_R_DISABLED);
361 	return 0;
362 }
363 LCRYPTO_ALIAS(X509V3_EXT_add_alias);
364 
365 void
366 X509V3_EXT_cleanup(void)
367 {
368 }
369 LCRYPTO_ALIAS(X509V3_EXT_cleanup);
370