[thirdparty/openssl.git] / crypto / x509v3 / v3_conf.c

/* v3_conf.c */
/*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
 * 1999.
 */
/* ====================================================================
 * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
/* extension creation utilities */

#include <stdio.h>
#include <ctype.h>
#include "cryptlib.h"
#include <openssl/conf.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>

static int v3_check_critical(char **value);
static int v3_check_generic(char **value);
static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
                                    int crit, char *value);
static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
                                            int crit, int type,
                                            X509V3_CTX *ctx);
static char *conf_lhash_get_string(void *db, char *section, char *value);
static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section);
static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method,
                                  int ext_nid, int crit, void *ext_struc);
static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx,
                                   long *ext_len);
/* CONF *conf:  Config file    */
/* char *name:  Name    */
/* char *value:  Value    */
X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name,
                                 char *value)
{
    int crit;
    int ext_type;
    X509_EXTENSION *ret;
    crit = v3_check_critical(&value);
    if ((ext_type = v3_check_generic(&value)))
        return v3_generic_extension(name, value, crit, ext_type, ctx);
    ret = do_ext_nconf(conf, ctx, OBJ_sn2nid(name), crit, value);
    if (!ret) {
        X509V3err(X509V3_F_X509V3_EXT_NCONF, X509V3_R_ERROR_IN_EXTENSION);
        ERR_add_error_data(4, "name=", name, ", value=", value);
    }
    return ret;
}

/* CONF *conf:  Config file    */
/* char *value:  Value    */
X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
                                     char *value)
{
    int crit;
    int ext_type;
    crit = v3_check_critical(&value);
    if ((ext_type = v3_check_generic(&value)))
        return v3_generic_extension(OBJ_nid2sn(ext_nid),
                                    value, crit, ext_type, ctx);
    return do_ext_nconf(conf, ctx, ext_nid, crit, value);
}

/* CONF *conf:  Config file    */
/* char *value:  Value    */
static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
                                    int crit, char *value)
{
    const X509V3_EXT_METHOD *method;
    X509_EXTENSION *ext;
    STACK_OF(CONF_VALUE) *nval;
    void *ext_struc;
    if (ext_nid == NID_undef) {
        X509V3err(X509V3_F_DO_EXT_NCONF, X509V3_R_UNKNOWN_EXTENSION_NAME);
        return NULL;
    }
    if (!(method = X509V3_EXT_get_nid(ext_nid))) {
        X509V3err(X509V3_F_DO_EXT_NCONF, X509V3_R_UNKNOWN_EXTENSION);
        return NULL;
    }
    /* Now get internal extension representation based on type */
    if (method->v2i) {
        if (*value == '@')
            nval = NCONF_get_section(conf, value + 1);
        else
            nval = X509V3_parse_list(value);
        if (sk_CONF_VALUE_num(nval) <= 0) {
            X509V3err(X509V3_F_DO_EXT_NCONF,
                      X509V3_R_INVALID_EXTENSION_STRING);
            ERR_add_error_data(4, "name=", OBJ_nid2sn(ext_nid), ",section=",
                               value);
            return NULL;
        }
        ext_struc = method->v2i(method, ctx, nval);
        if (*value != '@')
            sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
        if (!ext_struc)
            return NULL;
    } else if (method->s2i) {
        if (!(ext_struc = method->s2i(method, ctx, value)))
            return NULL;
    } else if (method->r2i) {
        if (!ctx->db || !ctx->db_meth) {
            X509V3err(X509V3_F_DO_EXT_NCONF, X509V3_R_NO_CONFIG_DATABASE);
            return NULL;
        }
        if (!(ext_struc = method->r2i(method, ctx, value)))
            return NULL;
    } else {
        X509V3err(X509V3_F_DO_EXT_NCONF,
                  X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED);
        ERR_add_error_data(2, "name=", OBJ_nid2sn(ext_nid));
        return NULL;
    }

    ext = do_ext_i2d(method, ext_nid, crit, ext_struc);
    if (method->it)
        ASN1_item_free(ext_struc, ASN1_ITEM_ptr(method->it));
    else
        method->ext_free(ext_struc);
    return ext;

}

static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method,
                                  int ext_nid, int crit, void *ext_struc)
{
    unsigned char *ext_der = NULL;
    int ext_len;
    ASN1_OCTET_STRING *ext_oct = NULL;
    X509_EXTENSION *ext;
    /* Convert internal representation to DER */
    if (method->it) {
        ext_der = NULL;
        ext_len =
            ASN1_item_i2d(ext_struc, &ext_der, ASN1_ITEM_ptr(method->it));
        if (ext_len < 0)
            goto merr;
    } else {
        unsigned char *p;
        ext_len = method->i2d(ext_struc, NULL);
        if (!(ext_der = OPENSSL_malloc(ext_len)))
            goto merr;
        p = ext_der;
        method->i2d(ext_struc, &p);
    }
    if (!(ext_oct = ASN1_OCTET_STRING_new()))
        goto merr;
    ext_oct->data = ext_der;
    ext_der = NULL;
    ext_oct->length = ext_len;

    ext = X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct);
    if (!ext)
        goto merr;
    ASN1_OCTET_STRING_free(ext_oct);

    return ext;

 merr:
    X509V3err(X509V3_F_DO_EXT_I2D, ERR_R_MALLOC_FAILURE);
    OPENSSL_free(ext_der);
    ASN1_OCTET_STRING_free(ext_oct);
    return NULL;

}

/* Given an internal structure, nid and critical flag create an extension */

X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc)
{
    const X509V3_EXT_METHOD *method;
    if (!(method = X509V3_EXT_get_nid(ext_nid))) {
        X509V3err(X509V3_F_X509V3_EXT_I2D, X509V3_R_UNKNOWN_EXTENSION);
        return NULL;
    }
    return do_ext_i2d(method, ext_nid, crit, ext_struc);
}

/* Check the extension string for critical flag */
static int v3_check_critical(char **value)
{
    char *p = *value;
    if ((strlen(p) < 9) || strncmp(p, "critical,", 9))
        return 0;
    p += 9;
    while (isspace((unsigned char)*p))
        p++;
    *value = p;
    return 1;
}

/* Check extension string for generic extension and return the type */
static int v3_check_generic(char **value)
{
    int gen_type = 0;
    char *p = *value;
    if ((strlen(p) >= 4) && !strncmp(p, "DER:", 4)) {
        p += 4;
        gen_type = 1;
    } else if ((strlen(p) >= 5) && !strncmp(p, "ASN1:", 5)) {
        p += 5;
        gen_type = 2;
    } else
        return 0;

    while (isspace((unsigned char)*p))
        p++;
    *value = p;
    return gen_type;
}

/* Create a generic extension: for now just handle DER type */
static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
                                            int crit, int gen_type,
                                            X509V3_CTX *ctx)
{
    unsigned char *ext_der = NULL;
    long ext_len;
    ASN1_OBJECT *obj = NULL;
    ASN1_OCTET_STRING *oct = NULL;
    X509_EXTENSION *extension = NULL;
    if (!(obj = OBJ_txt2obj(ext, 0))) {
        X509V3err(X509V3_F_V3_GENERIC_EXTENSION,
                  X509V3_R_EXTENSION_NAME_ERROR);
        ERR_add_error_data(2, "name=", ext);
        goto err;
    }

    if (gen_type == 1)
        ext_der = string_to_hex(value, &ext_len);
    else if (gen_type == 2)
        ext_der = generic_asn1(value, ctx, &ext_len);

    if (ext_der == NULL) {
        X509V3err(X509V3_F_V3_GENERIC_EXTENSION,
                  X509V3_R_EXTENSION_VALUE_ERROR);
        ERR_add_error_data(2, "value=", value);
        goto err;
    }

    if (!(oct = ASN1_OCTET_STRING_new())) {
        X509V3err(X509V3_F_V3_GENERIC_EXTENSION, ERR_R_MALLOC_FAILURE);
        goto err;
    }

    oct->data = ext_der;
    oct->length = ext_len;
    ext_der = NULL;

    extension = X509_EXTENSION_create_by_OBJ(NULL, obj, crit, oct);

 err:
    ASN1_OBJECT_free(obj);
    ASN1_OCTET_STRING_free(oct);
    OPENSSL_free(ext_der);
    return extension;

}

static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx,
                                   long *ext_len)
{
    ASN1_TYPE *typ;
    unsigned char *ext_der = NULL;
    typ = ASN1_generate_v3(value, ctx);
    if (typ == NULL)
        return NULL;
    *ext_len = i2d_ASN1_TYPE(typ, &ext_der);
    ASN1_TYPE_free(typ);
    return ext_der;
}

static void delete_ext(STACK_OF(X509_EXTENSION) *sk, X509_EXTENSION *dext)
{
    int idx;
    ASN1_OBJECT *obj;
    obj = X509_EXTENSION_get_object(dext);
    while ((idx = X509v3_get_ext_by_OBJ(sk, obj, -1)) >= 0) {
        X509_EXTENSION *tmpext = X509v3_get_ext(sk, idx);
        X509v3_delete_ext(sk, idx);
        X509_EXTENSION_free(tmpext);
    }
}

/*
 * This is the main function: add a bunch of extensions based on a config
 * file section to an extension STACK.
 */

int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section,
                            STACK_OF(X509_EXTENSION) **sk)
{
    X509_EXTENSION *ext;
    STACK_OF(CONF_VALUE) *nval;
    CONF_VALUE *val;
    int i;
    if (!(nval = NCONF_get_section(conf, section)))
        return 0;
    for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
        val = sk_CONF_VALUE_value(nval, i);
        if (!(ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value)))
            return 0;
        if (ctx->flags == X509V3_CTX_REPLACE)
            delete_ext(*sk, ext);
        if (sk)
            X509v3_add_ext(sk, ext, -1);
        X509_EXTENSION_free(ext);
    }
    return 1;
}

/*
 * Convenience functions to add extensions to a certificate, CRL and request
 */

int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
                         X509 *cert)
{
    STACK_OF(X509_EXTENSION) **sk = NULL;
    if (cert)
        sk = &cert->cert_info->extensions;
    return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
}

/* Same as above but for a CRL */

int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
                             X509_CRL *crl)
{
    STACK_OF(X509_EXTENSION) **sk = NULL;
    if (crl)
        sk = &crl->crl->extensions;
    return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
}

/* Add extensions to certificate request */

int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
                             X509_REQ *req)
{
    STACK_OF(X509_EXTENSION) *extlist = NULL, **sk = NULL;
    int i;
    if (req)
        sk = &extlist;
    i = X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
    if (!i || !sk)
        return i;
    i = X509_REQ_add_extensions(req, extlist);
    sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free);
    return i;
}

/* Config database functions */

char *X509V3_get_string(X509V3_CTX *ctx, char *name, char *section)
{
    if (!ctx->db || !ctx->db_meth || !ctx->db_meth->get_string) {
        X509V3err(X509V3_F_X509V3_GET_STRING, X509V3_R_OPERATION_NOT_DEFINED);
        return NULL;
    }
    if (ctx->db_meth->get_string)
        return ctx->db_meth->get_string(ctx->db, name, section);
    return NULL;
}

STACK_OF(CONF_VALUE) *X509V3_get_section(X509V3_CTX *ctx, char *section)
{
    if (!ctx->db || !ctx->db_meth || !ctx->db_meth->get_section) {
        X509V3err(X509V3_F_X509V3_GET_SECTION,
                  X509V3_R_OPERATION_NOT_DEFINED);
        return NULL;
    }
    if (ctx->db_meth->get_section)
        return ctx->db_meth->get_section(ctx->db, section);
    return NULL;
}

void X509V3_string_free(X509V3_CTX *ctx, char *str)
{
    if (!str)
        return;
    if (ctx->db_meth->free_string)
        ctx->db_meth->free_string(ctx->db, str);
}

void X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section)
{
    if (!section)
        return;
    if (ctx->db_meth->free_section)
        ctx->db_meth->free_section(ctx->db, section);
}

static char *nconf_get_string(void *db, char *section, char *value)
{
    return NCONF_get_string(db, section, value);
}

static STACK_OF(CONF_VALUE) *nconf_get_section(void *db, char *section)
{
    return NCONF_get_section(db, section);
}

static X509V3_CONF_METHOD nconf_method = {
    nconf_get_string,
    nconf_get_section,
    NULL,
    NULL
};

void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf)
{
    ctx->db_meth = &nconf_method;
    ctx->db = conf;
}

void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
                    X509_CRL *crl, int flags)
{
    ctx->issuer_cert = issuer;
    ctx->subject_cert = subj;
    ctx->crl = crl;
    ctx->subject_req = req;
    ctx->flags = flags;
}

/* Old conf compatibility functions */

X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
                                char *name, char *value)
{
    CONF ctmp;
    CONF_set_nconf(&ctmp, conf);
    return X509V3_EXT_nconf(&ctmp, ctx, name, value);
}

/* LHASH *conf:  Config file    */
/* char *value:  Value    */
X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf,
                                    X509V3_CTX *ctx, int ext_nid, char *value)
{
    CONF ctmp;
    CONF_set_nconf(&ctmp, conf);
    return X509V3_EXT_nconf_nid(&ctmp, ctx, ext_nid, value);
}

static char *conf_lhash_get_string(void *db, char *section, char *value)
{
    return CONF_get_string(db, section, value);
}

static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section)
{
    return CONF_get_section(db, section);
}

static X509V3_CONF_METHOD conf_lhash_method = {
    conf_lhash_get_string,
    conf_lhash_get_section,
    NULL,
    NULL
};

void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash)
{
    ctx->db_meth = &conf_lhash_method;
    ctx->db = lhash;
}

int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
                        char *section, X509 *cert)
{
    CONF ctmp;
    CONF_set_nconf(&ctmp, conf);
    return X509V3_EXT_add_nconf(&ctmp, ctx, section, cert);
}

/* Same as above but for a CRL */

int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
                            char *section, X509_CRL *crl)
{
    CONF ctmp;
    CONF_set_nconf(&ctmp, conf);
    return X509V3_EXT_CRL_add_nconf(&ctmp, ctx, section, crl);
}

/* Add extensions to certificate request */

int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
                            char *section, X509_REQ *req)
{
    CONF ctmp;
    CONF_set_nconf(&ctmp, conf);
    return X509V3_EXT_REQ_add_nconf(&ctmp, ctx, section, req);
}
Commit	Line	Data
9aeaf1b4	1	/* v3_conf.c */
0f113f3e MC	2	/*
	3	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
	4	* 1999.
9aeaf1b4 DSH	5	*/
9aeaf1b4 DSH	6	/* ====================================================================
9ea1b878	7	* Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved.
9aeaf1b4 DSH	8	*
	9	* Redistribution and use in source and binary forms, with or without
	10	* modification, are permitted provided that the following conditions
	11	* are met:
	12	*
	13	* 1. Redistributions of source code must retain the above copyright
0f113f3e	14	* notice, this list of conditions and the following disclaimer.
9aeaf1b4 DSH	15	*
	16	* 2. Redistributions in binary form must reproduce the above copyright
	17	* notice, this list of conditions and the following disclaimer in
	18	* the documentation and/or other materials provided with the
	19	* distribution.
	20	*
	21	* 3. All advertising materials mentioning features or use of this
	22	* software must display the following acknowledgment:
	23	* "This product includes software developed by the OpenSSL Project
	24	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
	25	*
	26	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
	27	* endorse or promote products derived from this software without
	28	* prior written permission. For written permission, please contact
	29	* licensing@OpenSSL.org.
	30	*
	31	* 5. Products derived from this software may not be called "OpenSSL"
	32	* nor may "OpenSSL" appear in their names without prior written
	33	* permission of the OpenSSL Project.
	34	*
	35	* 6. Redistributions of any form whatsoever must retain the following
	36	* acknowledgment:
	37	* "This product includes software developed by the OpenSSL Project
	38	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
	39	*
	40	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
	41	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	42	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	43	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
	44	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	45	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	46	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	47	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	49	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	50	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
	51	* OF THE POSSIBILITY OF SUCH DAMAGE.
	52	* ====================================================================
	53	*
	54	* This product includes cryptographic software written by Eric Young
	55	* (eay@cryptsoft.com). This product includes software written by Tim
	56	* Hudson (tjh@cryptsoft.com).
	57	*
	58	*/
388ff0b0	59	/* extension creation utilities */
9aeaf1b4	60
e527ba09	61	#include <stdio.h>
9aeaf1b4	62	#include <ctype.h>
e527ba09	63	#include "cryptlib.h"
ec577822 BM	64	#include <openssl/conf.h>
	65	#include <openssl/x509.h>
	66	#include <openssl/x509v3.h>
9aeaf1b4	67
388ff0b0 DSH	68	static int v3_check_critical(char **value);
388ff0b0 DSH	69	static int v3_check_generic(char **value);
0f113f3e MC	70	static X509_EXTENSION do_ext_nconf(CONF conf, X509V3_CTX *ctx, int ext_nid,
	71	int crit, char *value);
	72	static X509_EXTENSION v3_generic_extension(const char ext, char *value,
	73	int crit, int type,
	74	X509V3_CTX *ctx);
f5fedc04	75	static char conf_lhash_get_string(void db, char section, char value);
ba404b5e	76	static STACK_OF(CONF_VALUE) conf_lhash_get_section(void db, char *section);
0f113f3e MC	77	static X509_EXTENSION do_ext_i2d(const X509V3_EXT_METHOD method,
	78	int ext_nid, int crit, void *ext_struc);
	79	static unsigned char generic_asn1(char value, X509V3_CTX *ctx,
	80	long *ext_len);
b7a26e6d	81	/* CONF conf: Config file /
6b691a5c UM	82	/* char name: Name /
6b691a5c UM	83	/* char value: Value /
b7a26e6d	84	X509_EXTENSION X509V3_EXT_nconf(CONF conf, X509V3_CTX ctx, char name,
0f113f3e MC	85	char *value)
	86	{
	87	int crit;
	88	int ext_type;
	89	X509_EXTENSION *ret;
	90	crit = v3_check_critical(&value);
	91	if ((ext_type = v3_check_generic(&value)))
	92	return v3_generic_extension(name, value, crit, ext_type, ctx);
	93	ret = do_ext_nconf(conf, ctx, OBJ_sn2nid(name), crit, value);
	94	if (!ret) {
	95	X509V3err(X509V3_F_X509V3_EXT_NCONF, X509V3_R_ERROR_IN_EXTENSION);
	96	ERR_add_error_data(4, "name=", name, ", value=", value);
	97	}
	98	return ret;
	99	}
9aeaf1b4	100
b7a26e6d	101	/* CONF conf: Config file /
6b691a5c	102	/* char value: Value /
b7a26e6d	103	X509_EXTENSION X509V3_EXT_nconf_nid(CONF conf, X509V3_CTX *ctx, int ext_nid,
0f113f3e MC	104	char *value)
	105	{
	106	int crit;
	107	int ext_type;
	108	crit = v3_check_critical(&value);
	109	if ((ext_type = v3_check_generic(&value)))
	110	return v3_generic_extension(OBJ_nid2sn(ext_nid),
	111	value, crit, ext_type, ctx);
	112	return do_ext_nconf(conf, ctx, ext_nid, crit, value);
	113	}
388ff0b0	114
b7a26e6d	115	/* CONF conf: Config file /
6b691a5c	116	/* char value: Value /
b7a26e6d	117	static X509_EXTENSION do_ext_nconf(CONF conf, X509V3_CTX *ctx, int ext_nid,
0f113f3e MC	118	int crit, char *value)
	119	{
	120	const X509V3_EXT_METHOD *method;
	121	X509_EXTENSION *ext;
	122	STACK_OF(CONF_VALUE) *nval;
	123	void *ext_struc;
	124	if (ext_nid == NID_undef) {
	125	X509V3err(X509V3_F_DO_EXT_NCONF, X509V3_R_UNKNOWN_EXTENSION_NAME);
	126	return NULL;
	127	}
	128	if (!(method = X509V3_EXT_get_nid(ext_nid))) {
	129	X509V3err(X509V3_F_DO_EXT_NCONF, X509V3_R_UNKNOWN_EXTENSION);
	130	return NULL;
	131	}
	132	/* Now get internal extension representation based on type */
	133	if (method->v2i) {
	134	if (*value == '@')
	135	nval = NCONF_get_section(conf, value + 1);
	136	else
	137	nval = X509V3_parse_list(value);
	138	if (sk_CONF_VALUE_num(nval) <= 0) {
	139	X509V3err(X509V3_F_DO_EXT_NCONF,
	140	X509V3_R_INVALID_EXTENSION_STRING);
	141	ERR_add_error_data(4, "name=", OBJ_nid2sn(ext_nid), ",section=",
	142	value);
	143	return NULL;
	144	}
	145	ext_struc = method->v2i(method, ctx, nval);
	146	if (*value != '@')
	147	sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
	148	if (!ext_struc)
	149	return NULL;
	150	} else if (method->s2i) {
	151	if (!(ext_struc = method->s2i(method, ctx, value)))
	152	return NULL;
	153	} else if (method->r2i) {
	154	if (!ctx->db \|\| !ctx->db_meth) {
	155	X509V3err(X509V3_F_DO_EXT_NCONF, X509V3_R_NO_CONFIG_DATABASE);
	156	return NULL;
	157	}
	158	if (!(ext_struc = method->r2i(method, ctx, value)))
	159	return NULL;
	160	} else {
	161	X509V3err(X509V3_F_DO_EXT_NCONF,
	162	X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED);
	163	ERR_add_error_data(2, "name=", OBJ_nid2sn(ext_nid));
	164	return NULL;
	165	}
	166
	167	ext = do_ext_i2d(method, ext_nid, crit, ext_struc);
	168	if (method->it)
	169	ASN1_item_free(ext_struc, ASN1_ITEM_ptr(method->it));
	170	else
	171	method->ext_free(ext_struc);
	172	return ext;
	173
	174	}
	175
	176	static X509_EXTENSION do_ext_i2d(const X509V3_EXT_METHOD method,
	177	int ext_nid, int crit, void *ext_struc)
	178	{
	179	unsigned char *ext_der = NULL;
	180	int ext_len;
	181	ASN1_OCTET_STRING *ext_oct = NULL;
182	X509_EXTENSION *ext;
183	/* Convert internal representation to DER */
184	if (method->it) {
185	ext_der = NULL;
186	ext_len =
187	ASN1_item_i2d(ext_struc, &ext_der, ASN1_ITEM_ptr(method->it));
188	if (ext_len < 0)
189	goto merr;
190	} else {
191	unsigned char *p;
192	ext_len = method->i2d(ext_struc, NULL);
193	if (!(ext_der = OPENSSL_malloc(ext_len)))
194	goto merr;
195	p = ext_der;
196	method->i2d(ext_struc, &p);
197	}
f422a514	198	if (!(ext_oct = ASN1_OCTET_STRING_new()))
0f113f3e MC	199	goto merr;
	200	ext_oct->data = ext_der;
	201	ext_der = NULL;
	202	ext_oct->length = ext_len;
	203
	204	ext = X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct);
	205	if (!ext)
	206	goto merr;
f422a514	207	ASN1_OCTET_STRING_free(ext_oct);
0f113f3e MC	208
	209	return ext;
	210
	211	merr:
	212	X509V3err(X509V3_F_DO_EXT_I2D, ERR_R_MALLOC_FAILURE);
b548a1f1	213	OPENSSL_free(ext_der);
0dfb9398	214	ASN1_OCTET_STRING_free(ext_oct);
0f113f3e MC	215	return NULL;
	216
	217	}
c8b41850 DSH	218
	219	/* Given an internal structure, nid and critical flag create an extension */
	220
	221	X509_EXTENSION X509V3_EXT_i2d(int ext_nid, int crit, void ext_struc)
0f113f3e MC	222	{
	223	const X509V3_EXT_METHOD *method;
	224	if (!(method = X509V3_EXT_get_nid(ext_nid))) {
	225	X509V3err(X509V3_F_X509V3_EXT_I2D, X509V3_R_UNKNOWN_EXTENSION);
	226	return NULL;
	227	}
	228	return do_ext_i2d(method, ext_nid, crit, ext_struc);
9aeaf1b4 DSH	229	}
9aeaf1b4 DSH	230
388ff0b0	231	/* Check the extension string for critical flag */
6b691a5c	232	static int v3_check_critical(char **value)
388ff0b0	233	{
0f113f3e MC	234	char p = value;
	235	if ((strlen(p) < 9) \|\| strncmp(p, "critical,", 9))
	236	return 0;
	237	p += 9;
	238	while (isspace((unsigned char)*p))
	239	p++;
	240	*value = p;
	241	return 1;
388ff0b0 DSH	242	}
	243
	244	/* Check extension string for generic extension and return the type */
6b691a5c	245	static int v3_check_generic(char **value)
388ff0b0	246	{
0f113f3e MC	247	int gen_type = 0;
	248	char p = value;
	249	if ((strlen(p) >= 4) && !strncmp(p, "DER:", 4)) {
	250	p += 4;
	251	gen_type = 1;
	252	} else if ((strlen(p) >= 5) && !strncmp(p, "ASN1:", 5)) {
	253	p += 5;
	254	gen_type = 2;
	255	} else
	256	return 0;
	257
	258	while (isspace((unsigned char)*p))
	259	p++;
	260	*value = p;
	261	return gen_type;
388ff0b0 DSH	262	}
388ff0b0 DSH	263
c79b16e1	264	/* Create a generic extension: for now just handle DER type */
6b691a5c	265	static X509_EXTENSION v3_generic_extension(const char ext, char *value,
0f113f3e MC	266	int crit, int gen_type,
	267	X509V3_CTX *ctx)
	268	{
	269	unsigned char *ext_der = NULL;
	270	long ext_len;
	271	ASN1_OBJECT *obj = NULL;
	272	ASN1_OCTET_STRING *oct = NULL;
	273	X509_EXTENSION *extension = NULL;
	274	if (!(obj = OBJ_txt2obj(ext, 0))) {
	275	X509V3err(X509V3_F_V3_GENERIC_EXTENSION,
	276	X509V3_R_EXTENSION_NAME_ERROR);
	277	ERR_add_error_data(2, "name=", ext);
	278	goto err;
	279	}
	280
	281	if (gen_type == 1)
	282	ext_der = string_to_hex(value, &ext_len);
	283	else if (gen_type == 2)
	284	ext_der = generic_asn1(value, ctx, &ext_len);
	285
	286	if (ext_der == NULL) {
	287	X509V3err(X509V3_F_V3_GENERIC_EXTENSION,
	288	X509V3_R_EXTENSION_VALUE_ERROR);
	289	ERR_add_error_data(2, "value=", value);
	290	goto err;
	291	}
	292
f422a514	293	if (!(oct = ASN1_OCTET_STRING_new())) {
0f113f3e MC	294	X509V3err(X509V3_F_V3_GENERIC_EXTENSION, ERR_R_MALLOC_FAILURE);
	295	goto err;
	296	}
	297
	298	oct->data = ext_der;
	299	oct->length = ext_len;
	300	ext_der = NULL;
	301
	302	extension = X509_EXTENSION_create_by_OBJ(NULL, obj, crit, oct);
	303
	304	err:
	305	ASN1_OBJECT_free(obj);
f422a514	306	ASN1_OCTET_STRING_free(oct);
b548a1f1	307	OPENSSL_free(ext_der);
0f113f3e MC	308	return extension;
	309
	310	}
	311
	312	static unsigned char generic_asn1(char value, X509V3_CTX *ctx,
	313	long *ext_len)
	314	{
	315	ASN1_TYPE *typ;
	316	unsigned char *ext_der = NULL;
	317	typ = ASN1_generate_v3(value, ctx);
	318	if (typ == NULL)
	319	return NULL;
	320	*ext_len = i2d_ASN1_TYPE(typ, &ext_der);
	321	ASN1_TYPE_free(typ);
	322	return ext_der;
	323	}
388ff0b0	324
ebaa2cf5	325	static void delete_ext(STACK_OF(X509_EXTENSION) sk, X509_EXTENSION dext)
0f113f3e MC	326	{
	327	int idx;
	328	ASN1_OBJECT *obj;
	329	obj = X509_EXTENSION_get_object(dext);
	330	while ((idx = X509v3_get_ext_by_OBJ(sk, obj, -1)) >= 0) {
	331	X509_EXTENSION *tmpext = X509v3_get_ext(sk, idx);
	332	X509v3_delete_ext(sk, idx);
	333	X509_EXTENSION_free(tmpext);
	334	}
	335	}
9aeaf1b4	336
0f113f3e MC	337	/*
	338	* This is the main function: add a bunch of extensions based on a config
	339	* file section to an extension STACK.
	340	*/
b7a26e6d DSH	341
b7a26e6d DSH	342	int X509V3_EXT_add_nconf_sk(CONF conf, X509V3_CTX ctx, char *section,
0f113f3e MC	343	STACK_OF(X509_EXTENSION) **sk)
	344	{
	345	X509_EXTENSION *ext;
	346	STACK_OF(CONF_VALUE) *nval;
	347	CONF_VALUE *val;
	348	int i;
	349	if (!(nval = NCONF_get_section(conf, section)))
	350	return 0;
	351	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
	352	val = sk_CONF_VALUE_value(nval, i);
	353	if (!(ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value)))
	354	return 0;
	355	if (ctx->flags == X509V3_CTX_REPLACE)
	356	delete_ext(*sk, ext);
	357	if (sk)
	358	X509v3_add_ext(sk, ext, -1);
	359	X509_EXTENSION_free(ext);
	360	}
	361	return 1;
	362	}
	363
	364	/*
	365	* Convenience functions to add extensions to a certificate, CRL and request
	366	*/
b7a26e6d DSH	367
b7a26e6d DSH	368	int X509V3_EXT_add_nconf(CONF conf, X509V3_CTX ctx, char *section,
0f113f3e MC	369	X509 *cert)
	370	{
	371	STACK_OF(X509_EXTENSION) **sk = NULL;
	372	if (cert)
	373	sk = &cert->cert_info->extensions;
	374	return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
	375	}
9aeaf1b4	376
1756d405 DSH	377	/* Same as above but for a CRL */
1756d405 DSH	378
b7a26e6d	379	int X509V3_EXT_CRL_add_nconf(CONF conf, X509V3_CTX ctx, char *section,
0f113f3e MC	380	X509_CRL *crl)
	381	{
	382	STACK_OF(X509_EXTENSION) **sk = NULL;
	383	if (crl)
	384	sk = &crl->crl->extensions;
	385	return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
	386	}
1756d405	387
c79b16e1 DSH	388	/* Add extensions to certificate request */
c79b16e1 DSH	389
b7a26e6d	390	int X509V3_EXT_REQ_add_nconf(CONF conf, X509V3_CTX ctx, char *section,
0f113f3e MC	391	X509_REQ *req)
	392	{
	393	STACK_OF(X509_EXTENSION) extlist = NULL, *sk = NULL;
	394	int i;
	395	if (req)
	396	sk = &extlist;
	397	i = X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
	398	if (!i \|\| !sk)
	399	return i;
	400	i = X509_REQ_add_extensions(req, extlist);
	401	sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free);
	402	return i;
	403	}
c79b16e1	404
1d48dd00 DSH	405	/* Config database functions */
1d48dd00 DSH	406
0f113f3e MC	407	char X509V3_get_string(X509V3_CTX ctx, char name, char section)
	408	{
	409	if (!ctx->db \|\| !ctx->db_meth \|\| !ctx->db_meth->get_string) {
	410	X509V3err(X509V3_F_X509V3_GET_STRING, X509V3_R_OPERATION_NOT_DEFINED);
	411	return NULL;
	412	}
	413	if (ctx->db_meth->get_string)
	414	return ctx->db_meth->get_string(ctx->db, name, section);
	415	return NULL;
	416	}
	417
	418	STACK_OF(CONF_VALUE) X509V3_get_section(X509V3_CTX ctx, char *section)
	419	{
	420	if (!ctx->db \|\| !ctx->db_meth \|\| !ctx->db_meth->get_section) {
	421	X509V3err(X509V3_F_X509V3_GET_SECTION,
	422	X509V3_R_OPERATION_NOT_DEFINED);
	423	return NULL;
	424	}
	425	if (ctx->db_meth->get_section)
	426	return ctx->db_meth->get_section(ctx->db, section);
	427	return NULL;
	428	}
1d48dd00	429
6b691a5c	430	void X509V3_string_free(X509V3_CTX ctx, char str)
0f113f3e MC	431	{
	432	if (!str)
	433	return;
	434	if (ctx->db_meth->free_string)
	435	ctx->db_meth->free_string(ctx->db, str);
	436	}
1d48dd00	437
ba404b5e	438	void X509V3_section_free(X509V3_CTX ctx, STACK_OF(CONF_VALUE) section)
0f113f3e MC	439	{
	440	if (!section)
	441	return;
	442	if (ctx->db_meth->free_section)
	443	ctx->db_meth->free_section(ctx->db, section);
	444	}
b7a26e6d DSH	445
b7a26e6d DSH	446	static char nconf_get_string(void db, char section, char value)
0f113f3e MC	447	{
	448	return NCONF_get_string(db, section, value);
	449	}
b7a26e6d DSH	450
b7a26e6d DSH	451	static STACK_OF(CONF_VALUE) nconf_get_section(void db, char *section)
0f113f3e MC	452	{
	453	return NCONF_get_section(db, section);
	454	}
b7a26e6d DSH	455
b7a26e6d DSH	456	static X509V3_CONF_METHOD nconf_method = {
0f113f3e MC	457	nconf_get_string,
	458	nconf_get_section,
	459	NULL,
	460	NULL
b7a26e6d DSH	461	};
	462
	463	void X509V3_set_nconf(X509V3_CTX ctx, CONF conf)
0f113f3e MC	464	{
	465	ctx->db_meth = &nconf_method;
	466	ctx->db = conf;
	467	}
b7a26e6d DSH	468
b7a26e6d DSH	469	void X509V3_set_ctx(X509V3_CTX ctx, X509 issuer, X509 subj, X509_REQ req,
0f113f3e MC	470	X509_CRL *crl, int flags)
	471	{
	472	ctx->issuer_cert = issuer;
	473	ctx->subject_cert = subj;
	474	ctx->crl = crl;
	475	ctx->subject_req = req;
	476	ctx->flags = flags;
	477	}
b7a26e6d DSH	478
	479	/* Old conf compatibility functions */
	480
3c1d6bbc	481	X509_EXTENSION X509V3_EXT_conf(LHASH_OF(CONF_VALUE) conf, X509V3_CTX *ctx,
0f113f3e MC	482	char name, char value)
	483	{
	484	CONF ctmp;
	485	CONF_set_nconf(&ctmp, conf);
	486	return X509V3_EXT_nconf(&ctmp, ctx, name, value);
	487	}
b7a26e6d DSH	488
	489	/* LHASH conf: Config file /
	490	/* char value: Value /
0f113f3e MC	491	X509_EXTENSION X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) conf,
	492	X509V3_CTX ctx, int ext_nid, char value)
	493	{
	494	CONF ctmp;
	495	CONF_set_nconf(&ctmp, conf);
	496	return X509V3_EXT_nconf_nid(&ctmp, ctx, ext_nid, value);
	497	}
1d48dd00	498
6b691a5c	499	static char conf_lhash_get_string(void db, char section, char value)
0f113f3e MC	500	{
	501	return CONF_get_string(db, section, value);
	502	}
1d48dd00	503
ba404b5e	504	static STACK_OF(CONF_VALUE) conf_lhash_get_section(void db, char *section)
0f113f3e MC	505	{
	506	return CONF_get_section(db, section);
	507	}
1d48dd00 DSH	508
1d48dd00 DSH	509	static X509V3_CONF_METHOD conf_lhash_method = {
0f113f3e MC	510	conf_lhash_get_string,
	511	conf_lhash_get_section,
	512	NULL,
	513	NULL
1d48dd00 DSH	514	};
1d48dd00 DSH	515
3c1d6bbc	516	void X509V3_set_conf_lhash(X509V3_CTX ctx, LHASH_OF(CONF_VALUE) lhash)
0f113f3e MC	517	{
	518	ctx->db_meth = &conf_lhash_method;
	519	ctx->db = lhash;
	520	}
1d48dd00	521
3c1d6bbc	522	int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) conf, X509V3_CTX ctx,
0f113f3e MC	523	char section, X509 cert)
	524	{
	525	CONF ctmp;
	526	CONF_set_nconf(&ctmp, conf);
	527	return X509V3_EXT_add_nconf(&ctmp, ctx, section, cert);
	528	}
b7a26e6d DSH	529
	530	/* Same as above but for a CRL */
	531
3c1d6bbc	532	int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) conf, X509V3_CTX ctx,
0f113f3e MC	533	char section, X509_CRL crl)
	534	{
	535	CONF ctmp;
	536	CONF_set_nconf(&ctmp, conf);
	537	return X509V3_EXT_CRL_add_nconf(&ctmp, ctx, section, crl);
	538	}
b7a26e6d DSH	539
	540	/* Add extensions to certificate request */
	541
3c1d6bbc	542	int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) conf, X509V3_CTX ctx,
0f113f3e MC	543	char section, X509_REQ req)
	544	{
	545	CONF ctmp;
	546	CONF_set_nconf(&ctmp, conf);
	547	return X509V3_EXT_REQ_add_nconf(&ctmp, ctx, section, req);
	548	}