1 /* v3_crld.c */
2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5 /* ====================================================================
6 * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59 #include <stdio.h>
60 #include "cryptlib.h"
61 #include <openssl/conf.h>
62 #include <openssl/asn1.h>
63 #include <openssl/asn1t.h>
64 #include <openssl/x509v3.h>
65
66 static void *v2i_crld(const X509V3_EXT_METHOD *method,
67 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
68 static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
69 int indent);
70
71 const X509V3_EXT_METHOD v3_crld =
72 {
73 NID_crl_distribution_points, 0, ASN1_ITEM_ref(CRL_DIST_POINTS),
74 0,0,0,0,
75 0,0,
76 0,
77 v2i_crld,
78 i2r_crldp,0,
79 NULL
80 };
81
82 const X509V3_EXT_METHOD v3_freshest_crl =
83 {
84 NID_freshest_crl, 0, ASN1_ITEM_ref(CRL_DIST_POINTS),
85 0,0,0,0,
86 0,0,
87 0,
88 v2i_crld,
89 i2r_crldp,0,
90 NULL
91 };
92
93 static STACK_OF(GENERAL_NAME) *gnames_from_sectname(X509V3_CTX *ctx, char *sect)
94 {
95 STACK_OF(CONF_VALUE) *gnsect;
96 STACK_OF(GENERAL_NAME) *gens;
97 if (*sect == '@')
98 gnsect = X509V3_get_section(ctx, sect + 1);
99 else
100 gnsect = X509V3_parse_list(sect);
101 if (!gnsect)
102 {
103 X509V3err(X509V3_F_GNAMES_FROM_SECTNAME,
104 X509V3_R_SECTION_NOT_FOUND);
105 return NULL;
106 }
107 gens = v2i_GENERAL_NAMES(NULL, ctx, gnsect);
108 if (*sect == '@')
109 X509V3_section_free(ctx, gnsect);
110 else
111 sk_CONF_VALUE_pop_free(gnsect, X509V3_conf_free);
112 return gens;
113 }
114
115 static int set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx,
116 CONF_VALUE *cnf)
117 {
118 STACK_OF(GENERAL_NAME) *fnm = NULL;
119 STACK_OF(X509_NAME_ENTRY) *rnm = NULL;
120 if (!strncmp(cnf->name, "fullname", 9))
121 {
122 fnm = gnames_from_sectname(ctx, cnf->value);
123 if (!fnm)
124 goto err;
125 }
126 else if (!strcmp(cnf->name, "relativename"))
127 {
128 int ret;
129 STACK_OF(CONF_VALUE) *dnsect;
130 X509_NAME *nm;
131 nm = X509_NAME_new();
132 if (!nm)
133 return -1;
134 dnsect = X509V3_get_section(ctx, cnf->value);
135 if (!dnsect)
136 {
137 X509V3err(X509V3_F_SET_DIST_POINT_NAME,
138 X509V3_R_SECTION_NOT_FOUND);
139 return -1;
140 }
141 ret = X509V3_NAME_from_section(nm, dnsect, MBSTRING_ASC);
142 X509V3_section_free(ctx, dnsect);
143 rnm = nm->entries;
144 nm->entries = NULL;
145 X509_NAME_free(nm);
146 if (!ret || sk_X509_NAME_ENTRY_num(rnm) <= 0)
147 goto err;
148 /* Since its a name fragment can't have more than one
149 * RDNSequence
150 */
151 if (sk_X509_NAME_ENTRY_value(rnm,
152 sk_X509_NAME_ENTRY_num(rnm) - 1)->set)
153 {
154 X509V3err(X509V3_F_SET_DIST_POINT_NAME,
155 X509V3_R_INVALID_MULTIPLE_RDNS);
156 goto err;
157 }
158 }
159 else
160 return 0;
161
162 if (*pdp)
163 {
164 X509V3err(X509V3_F_SET_DIST_POINT_NAME,
165 X509V3_R_DISTPOINT_ALREADY_SET);
166 goto err;
167 }
168
169 *pdp = DIST_POINT_NAME_new();
170 if (!*pdp)
171 goto err;
172 if (fnm)
173 {
174 (*pdp)->type = 0;
175 (*pdp)->name.fullname = fnm;
176 }
177 else
178 {
179 (*pdp)->type = 1;
180 (*pdp)->name.relativename = rnm;
181 }
182
183 return 1;
184
185 err:
186 if (fnm)
187 sk_GENERAL_NAME_pop_free(fnm, GENERAL_NAME_free);
188 if (rnm)
189 sk_X509_NAME_ENTRY_pop_free(rnm, X509_NAME_ENTRY_free);
190 return -1;
191 }
192
193 static const BIT_STRING_BITNAME reason_flags[] = {
194 {0, "Unused", "unused"},
195 {1, "Key Compromise", "keyCompromise"},
196 {2, "CA Compromise", "CACompromise"},
197 {3, "Affiliation Changed", "affiliationChanged"},
198 {4, "Superseded", "superseded"},
199 {5, "Cessation Of Operation", "cessationOfOperation"},
200 {6, "Certificate Hold", "certificateHold"},
201 {7, "Privilege Withdrawn", "privilegeWithdrawn"},
202 {8, "AA Compromise", "AACompromise"},
203 {-1, NULL, NULL}
204 };
205
206 static int set_reasons(ASN1_BIT_STRING **preas, char *value)
207 {
208 STACK_OF(CONF_VALUE) *rsk = NULL;
209 const BIT_STRING_BITNAME *pbn;
210 const char *bnam;
211 int i, ret = 0;
212 rsk = X509V3_parse_list(value);
213 if (!rsk)
214 return 0;
215 if (*preas)
216 return 0;
217 for (i = 0; i < sk_CONF_VALUE_num(rsk); i++)
218 {
219 bnam = sk_CONF_VALUE_value(rsk, i)->name;
220 if (!*preas)
221 {
222 *preas = ASN1_BIT_STRING_new();
223 if (!*preas)
224 goto err;
225 }
226 for (pbn = reason_flags; pbn->lname; pbn++)
227 {
228 if (!strcmp(pbn->sname, bnam))
229 {
230 if (!ASN1_BIT_STRING_set_bit(*preas,
231 pbn->bitnum, 1))
232 goto err;
233 break;
234 }
235 }
236 if (!pbn->lname)
237 goto err;
238 }
239 ret = 1;
240
241 err:
242 sk_CONF_VALUE_pop_free(rsk, X509V3_conf_free);
243 return ret;
244 }
245
246 static int print_reasons(BIO *out, const char *rname,
247 ASN1_BIT_STRING *rflags, int indent)
248 {
249 int first = 1;
250 const BIT_STRING_BITNAME *pbn;
251 BIO_printf(out, "%*s%s:\n%*s", indent, "", rname, indent + 2, "");
252 for (pbn = reason_flags; pbn->lname; pbn++)
253 {
254 if (ASN1_BIT_STRING_get_bit(rflags, pbn->bitnum))
255 {
256 if (first)
257 first = 0;
258 else
259 BIO_puts(out, ", ");
260 BIO_puts(out, pbn->lname);
261 }
262 }
263 if (first)
264 BIO_puts(out, "<EMPTY>\n");
265 else
266 BIO_puts(out, "\n");
267 return 1;
268 }
269
270 static DIST_POINT *crldp_from_section(X509V3_CTX *ctx,
271 STACK_OF(CONF_VALUE) *nval)
272 {
273 int i;
274 CONF_VALUE *cnf;
275 DIST_POINT *point = NULL;
276 point = DIST_POINT_new();
277 if (!point)
278 goto err;
279 for(i = 0; i < sk_CONF_VALUE_num(nval); i++)
280 {
281 int ret;
282 cnf = sk_CONF_VALUE_value(nval, i);
283 ret = set_dist_point_name(&point->distpoint, ctx, cnf);
284 if (ret > 0)
285 continue;
286 if (ret < 0)
287 goto err;
288 if (!strcmp(cnf->name, "reasons"))
289 {
290 if (!set_reasons(&point->reasons, cnf->value))
291 goto err;
292 }
293 else if (!strcmp(cnf->name, "CRLissuer"))
294 {
295 point->CRLissuer =
296 gnames_from_sectname(ctx, cnf->value);
297 if (!point->CRLissuer)
298 goto err;
299 }
300 }
301
302 return point;
303
304
305 err:
306 if (point)
307 DIST_POINT_free(point);
308 return NULL;
309 }
310
311 static void *v2i_crld(const X509V3_EXT_METHOD *method,
312 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
313 {
314 STACK_OF(DIST_POINT) *crld = NULL;
315 GENERAL_NAMES *gens = NULL;
316 GENERAL_NAME *gen = NULL;
317 CONF_VALUE *cnf;
318 int i;
319 if(!(crld = sk_DIST_POINT_new_null())) goto merr;
320 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
321 DIST_POINT *point;
322 cnf = sk_CONF_VALUE_value(nval, i);
323 if (!cnf->value)
324 {
325 STACK_OF(CONF_VALUE) *dpsect;
326 dpsect = X509V3_get_section(ctx, cnf->name);
327 if (!dpsect)
328 goto err;
329 point = crldp_from_section(ctx, dpsect);
330 X509V3_section_free(ctx, dpsect);
331 if (!point)
332 goto err;
333 if(!sk_DIST_POINT_push(crld, point))
334 {
335 DIST_POINT_free(point);
336 goto merr;
337 }
338 }
339 else
340 {
341 if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
342 goto err;
343 if(!(gens = GENERAL_NAMES_new()))
344 goto merr;
345 if(!sk_GENERAL_NAME_push(gens, gen))
346 goto merr;
347 gen = NULL;
348 if(!(point = DIST_POINT_new()))
349 goto merr;
350 if(!sk_DIST_POINT_push(crld, point))
351 {
352 DIST_POINT_free(point);
353 goto merr;
354 }
355 if(!(point->distpoint = DIST_POINT_NAME_new()))
356 goto merr;
357 point->distpoint->name.fullname = gens;
358 point->distpoint->type = 0;
359 gens = NULL;
360 }
361 }
362 return crld;
363
364 merr:
365 X509V3err(X509V3_F_V2I_CRLD,ERR_R_MALLOC_FAILURE);
366 err:
367 GENERAL_NAME_free(gen);
368 GENERAL_NAMES_free(gens);
369 sk_DIST_POINT_pop_free(crld, DIST_POINT_free);
370 return NULL;
371 }
372
373 IMPLEMENT_STACK_OF(DIST_POINT)
374 IMPLEMENT_ASN1_SET_OF(DIST_POINT)
375
376 static int dpn_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
377 void *exarg)
378 {
379 DIST_POINT_NAME *dpn = (DIST_POINT_NAME *)*pval;
380
381 switch(operation)
382 {
383 case ASN1_OP_NEW_POST:
384 dpn->dpname = NULL;
385 break;
386
387 case ASN1_OP_FREE_POST:
388 if (dpn->dpname)
389 X509_NAME_free(dpn->dpname);
390 break;
391 }
392 return 1;
393 }
394
395
396 ASN1_CHOICE_cb(DIST_POINT_NAME, dpn_cb) = {
397 ASN1_IMP_SEQUENCE_OF(DIST_POINT_NAME, name.fullname, GENERAL_NAME, 0),
398 ASN1_IMP_SET_OF(DIST_POINT_NAME, name.relativename, X509_NAME_ENTRY, 1)
399 } ASN1_CHOICE_END_cb(DIST_POINT_NAME, DIST_POINT_NAME, type)
400
401
402 IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT_NAME)
403
404 ASN1_SEQUENCE(DIST_POINT) = {
405 ASN1_EXP_OPT(DIST_POINT, distpoint, DIST_POINT_NAME, 0),
406 ASN1_IMP_OPT(DIST_POINT, reasons, ASN1_BIT_STRING, 1),
407 ASN1_IMP_SEQUENCE_OF_OPT(DIST_POINT, CRLissuer, GENERAL_NAME, 2)
408 } ASN1_SEQUENCE_END(DIST_POINT)
409
410 IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT)
411
412 ASN1_ITEM_TEMPLATE(CRL_DIST_POINTS) =
413 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CRLDistributionPoints, DIST_POINT)
414 ASN1_ITEM_TEMPLATE_END(CRL_DIST_POINTS)
415
416 IMPLEMENT_ASN1_FUNCTIONS(CRL_DIST_POINTS)
417
418 ASN1_SEQUENCE(ISSUING_DIST_POINT) = {
419 ASN1_EXP_OPT(ISSUING_DIST_POINT, distpoint, DIST_POINT_NAME, 0),
420 ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyuser, ASN1_FBOOLEAN, 1),
421 ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyCA, ASN1_FBOOLEAN, 2),
422 ASN1_IMP_OPT(ISSUING_DIST_POINT, onlysomereasons, ASN1_BIT_STRING, 3),
423 ASN1_IMP_OPT(ISSUING_DIST_POINT, indirectCRL, ASN1_FBOOLEAN, 4),
424 ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyattr, ASN1_FBOOLEAN, 5)
425 } ASN1_SEQUENCE_END(ISSUING_DIST_POINT)
426
427 IMPLEMENT_ASN1_FUNCTIONS(ISSUING_DIST_POINT)
428
429 static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
430 int indent);
431 static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
432 STACK_OF(CONF_VALUE) *nval);
433
434 const X509V3_EXT_METHOD v3_idp =
435 {
436 NID_issuing_distribution_point, X509V3_EXT_MULTILINE,
437 ASN1_ITEM_ref(ISSUING_DIST_POINT),
438 0,0,0,0,
439 0,0,
440 0,
441 v2i_idp,
442 i2r_idp,0,
443 NULL
444 };
445
446 static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
447 STACK_OF(CONF_VALUE) *nval)
448 {
449 ISSUING_DIST_POINT *idp = NULL;
450 CONF_VALUE *cnf;
451 char *name, *val;
452 int i, ret;
453 idp = ISSUING_DIST_POINT_new();
454 if (!idp)
455 goto merr;
456 for(i = 0; i < sk_CONF_VALUE_num(nval); i++)
457 {
458 cnf = sk_CONF_VALUE_value(nval, i);
459 name = cnf->name;
460 val = cnf->value;
461 ret = set_dist_point_name(&idp->distpoint, ctx, cnf);
462 if (ret > 0)
463 continue;
464 if (ret < 0)
465 goto err;
466 if (!strcmp(name, "onlyuser"))
467 {
468 if (!X509V3_get_value_bool(cnf, &idp->onlyuser))
469 goto err;
470 }
471 else if (!strcmp(name, "onlyCA"))
472 {
473 if (!X509V3_get_value_bool(cnf, &idp->onlyCA))
474 goto err;
475 }
476 else if (!strcmp(name, "onlyAA"))
477 {
478 if (!X509V3_get_value_bool(cnf, &idp->onlyattr))
479 goto err;
480 }
481 else if (!strcmp(name, "indirectCRL"))
482 {
483 if (!X509V3_get_value_bool(cnf, &idp->indirectCRL))
484 goto err;
485 }
486 else if (!strcmp(name, "onlysomereasons"))
487 {
488 if (!set_reasons(&idp->onlysomereasons, val))
489 goto err;
490 }
491 else
492 {
493 X509V3err(X509V3_F_V2I_IDP, X509V3_R_INVALID_NAME);
494 X509V3_conf_err(cnf);
495 goto err;
496 }
497 }
498 return idp;
499
500 merr:
501 X509V3err(X509V3_F_V2I_IDP,ERR_R_MALLOC_FAILURE);
502 err:
503 ISSUING_DIST_POINT_free(idp);
504 return NULL;
505 }
506
507 static int print_gens(BIO *out, STACK_OF(GENERAL_NAME) *gens, int indent)
508 {
509 int i;
510 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
511 {
512 BIO_printf(out, "%*s", indent + 2, "");
513 GENERAL_NAME_print(out, sk_GENERAL_NAME_value(gens, i));
514 BIO_puts(out, "\n");
515 }
516 return 1;
517 }
518
519 static int print_distpoint(BIO *out, DIST_POINT_NAME *dpn, int indent)
520 {
521 if (dpn->type == 0)
522 {
523 BIO_printf(out, "%*sFull Name:\n", indent, "");
524 print_gens(out, dpn->name.fullname, indent);
525 }
526 else
527 {
528 X509_NAME ntmp;
529 ntmp.entries = dpn->name.relativename;
530 BIO_printf(out, "%*sRelative Name:\n%*s",
531 indent, "", indent + 2, "");
532 X509_NAME_print_ex(out, &ntmp, 0, XN_FLAG_ONELINE);
533 BIO_puts(out, "\n");
534 }
535 return 1;
536 }
537
538 static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
539 int indent)
540 {
541 ISSUING_DIST_POINT *idp = pidp;
542 if (idp->distpoint)
543 print_distpoint(out, idp->distpoint, indent);
544 if (idp->onlyuser > 0)
545 BIO_printf(out, "%*sOnly User Certificates\n", indent, "");
546 if (idp->onlyCA > 0)
547 BIO_printf(out, "%*sOnly CA Certificates\n", indent, "");
548 if (idp->indirectCRL > 0)
549 BIO_printf(out, "%*sIndirect CRL\n", indent, "");
550 if (idp->onlysomereasons)
551 print_reasons(out, "Only Some Reasons",
552 idp->onlysomereasons, indent);
553 if (idp->onlyattr > 0)
554 BIO_printf(out, "%*sOnly Attribute Certificates\n", indent, "");
555 if (!idp->distpoint && (idp->onlyuser <= 0) && (idp->onlyCA <= 0)
556 && (idp->indirectCRL <= 0) && !idp->onlysomereasons
557 && (idp->onlyattr <= 0))
558 BIO_printf(out, "%*s<EMPTY>\n", indent, "");
559
560 return 1;
561 }
562
563 static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
564 int indent)
565 {
566 STACK_OF(DIST_POINT) *crld = pcrldp;
567 DIST_POINT *point;
568 int i;
569 for(i = 0; i < sk_DIST_POINT_num(crld); i++)
570 {
571 BIO_puts(out, "\n");
572 point = sk_DIST_POINT_value(crld, i);
573 if(point->distpoint)
574 print_distpoint(out, point->distpoint, indent);
575 if(point->reasons)
576 print_reasons(out, "Reasons", point->reasons,
577 indent);
578 if(point->CRLissuer)
579 {
580 BIO_printf(out, "%*sCRL Issuer:\n", indent, "");
581 print_gens(out, point->CRLissuer, indent);
582 }
583 }
584 return 1;
585 }
586
587 int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname)
588 {
589 int i;
590 STACK_OF(X509_NAME_ENTRY) *frag;
591 X509_NAME_ENTRY *ne;
592 if (!dpn || (dpn->type != 1))
593 return 1;
594 frag = dpn->name.relativename;
595 dpn->dpname = X509_NAME_dup(iname);
596 if (!dpn->dpname)
597 return 0;
598 for (i = 0; i < sk_X509_NAME_ENTRY_num(frag); i++)
599 {
600 ne = sk_X509_NAME_ENTRY_value(frag, i);
601 if (!X509_NAME_add_entry(dpn->dpname, ne, -1, i ? 0 : 1))
602 {
603 X509_NAME_free(dpn->dpname);
604 dpn->dpname = NULL;
605 return 0;
606 }
607 }
608 /* generate cached encoding of name */
609 if (i2d_X509_NAME(dpn->dpname, NULL) < 0)
610 {
611 X509_NAME_free(dpn->dpname);
612 dpn->dpname = NULL;
613 return 0;
614 }
615 return 1;
616 }