[thirdparty/openssl.git] / crypto / x509v3 / v3_purp.c

/* v3_purp.c */
/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
 * project 1999.
 */
/* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

#include <stdio.h>
#include "cryptlib.h"
#include <openssl/x509v3.h>


static void x509v3_cache_extensions(X509 *x);

static int ca_check(X509 *x);
static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca);
static int check_purpose_ssl_server(X509_PURPOSE *xp, X509 *x, int ca);
static int check_purpose_ns_ssl_server(X509_PURPOSE *xp, X509 *x, int ca);
static int purpose_smime(X509 *x, int ca);
static int check_purpose_smime_sign(X509_PURPOSE *xp, X509 *x, int ca);
static int check_purpose_smime_encrypt(X509_PURPOSE *xp, X509 *x, int ca);
static int check_purpose_crl_sign(X509_PURPOSE *xp, X509 *x, int ca);

static int xp_cmp(X509_PURPOSE **a, X509_PURPOSE **b);
static void xptable_free(X509_PURPOSE *p);

static X509_PURPOSE xstandard[] = {
	{X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, check_purpose_ssl_client, "SSL client", "sslclient", NULL},
	{X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ssl_server, "SSL server", "sslserver", NULL},
	{X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ns_ssl_server, "Netscape SSL server", "nssslserver", NULL},
	{X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, "S/MIME signing", "smimesign", NULL},
	{X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
	{X509_PURPOSE_CRL_SIGN, X509_TRUST_ANY, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
	{-1, 0, 0, NULL, NULL, NULL, NULL}
};

IMPLEMENT_STACK_OF(X509_PURPOSE)

static STACK_OF(X509_PURPOSE) *xptable = NULL;

static int xp_cmp(X509_PURPOSE **a, X509_PURPOSE **b)
{
	return (*a)->purpose - (*b)->purpose;
}

int X509_check_purpose(X509 *x, int id, int ca)
{
	int idx;
	X509_PURPOSE *pt;
	if(!(x->ex_flags & EXFLAG_SET)) {
		CRYPTO_w_lock(CRYPTO_LOCK_X509);
		X509_init();
		x509v3_cache_extensions(x);
		CRYPTO_w_unlock(CRYPTO_LOCK_X509);
	}
	if(id == -1) return 1;
	idx = X509_PURPOSE_get_by_id(id);
	if(idx == -1) return -1;
	pt = sk_X509_PURPOSE_value(xptable, idx);
	return pt->check_purpose(pt, x,ca);
}

int X509_PURPOSE_get_count(void)
{
	return sk_X509_PURPOSE_num(xptable);
}

X509_PURPOSE * X509_PURPOSE_iget(int idx)
{
	return sk_X509_PURPOSE_value(xptable, idx);
}

int X509_PURPOSE_get_by_sname(char *sname)
{
	int i;
	X509_PURPOSE *xptmp;
	for(i = 0; i < sk_X509_PURPOSE_num(xptable); i++) {
		xptmp = sk_X509_PURPOSE_value(xptable, i);
		if(!strcmp(xptmp->sname, sname)) return i;
	}
	return -1;
}


int X509_PURPOSE_get_by_id(int purpose)
{
	X509_PURPOSE tmp;
	tmp.purpose = purpose;
	if(!xptable) return -1;
	return sk_X509_PURPOSE_find(xptable, &tmp);
}

int X509_PURPOSE_add(X509_PURPOSE *xp)
{
	int idx;
	if(!xptable)
		{
		xptable = sk_X509_PURPOSE_new(xp_cmp);
		if (!xptable) 
			{
			X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
			return 0;
			}
		}
			
	idx = X509_PURPOSE_get_by_id(xp->purpose);
	if(idx != -1) {
		xptable_free(sk_X509_PURPOSE_value(xptable, idx));
		sk_X509_PURPOSE_set(xptable, idx, xp);
	} else {
		if (!sk_X509_PURPOSE_push(xptable, xp)) {
			X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
			return 0;
		}
	}
	return 1;
}

static void xptable_free(X509_PURPOSE *p)
	{
	if(!p) return;
	if (p->flags & X509_PURPOSE_DYNAMIC) 
		{
		if (p->flags & X509_PURPOSE_DYNAMIC_NAME) {
			Free(p->name);
			Free(p->sname);
		}
		Free(p);
		}
	}

void X509_PURPOSE_cleanup(void)
{
	sk_X509_PURPOSE_pop_free(xptable, xptable_free);
	xptable = NULL;
}

void X509_PURPOSE_add_standard(void)
{
	X509_PURPOSE *xp;
	for(xp = xstandard; xp->name; xp++) X509_PURPOSE_add(xp);
}

int X509_PURPOSE_get_id(X509_PURPOSE *xp)
{
	return xp->purpose;
}

char *X509_PURPOSE_iget_name(X509_PURPOSE *xp)
{
	return xp->name;
}

char *X509_PURPOSE_iget_sname(X509_PURPOSE *xp)
{
	return xp->sname;
}

int X509_PURPOSE_get_trust(X509_PURPOSE *xp)
{
	return xp->trust;
}

static void x509v3_cache_extensions(X509 *x)
{
	BASIC_CONSTRAINTS *bs;
	ASN1_BIT_STRING *usage;
	ASN1_BIT_STRING *ns;
	STACK_OF(ASN1_OBJECT) *extusage;
	int i;
	if(x->ex_flags & EXFLAG_SET) return;
	X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
	/* Does subject name match issuer ? */
	if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
			 x->ex_flags |= EXFLAG_SS;
	/* V1 should mean no extensions ... */
	if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
	/* Handle basic constraints */
	if((bs=X509V3_X509_get_d2i(x, NID_basic_constraints, NULL, NULL))) {
		if(bs->ca) x->ex_flags |= EXFLAG_CA;
		if(bs->pathlen) {
			if((bs->pathlen->type == V_ASN1_NEG_INTEGER)
						|| !bs->ca) {
				x->ex_flags |= EXFLAG_INVALID;
				x->ex_pathlen = 0;
			} else x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
		} else x->ex_pathlen = -1;
		BASIC_CONSTRAINTS_free(bs);
		x->ex_flags |= EXFLAG_BCONS;
	}
	/* Handle key usage */
	if((usage=X509V3_X509_get_d2i(x, NID_key_usage, NULL, NULL))) {
		if(usage->length > 0) {
			x->ex_kusage = usage->data[0];
			if(usage->length > 1) 
				x->ex_kusage |= usage->data[1] << 8;
		} else x->ex_kusage = 0;
		x->ex_flags |= EXFLAG_KUSAGE;
		ASN1_BIT_STRING_free(usage);
	}
	x->ex_xkusage = 0;
	if((extusage=X509V3_X509_get_d2i(x, NID_ext_key_usage, NULL, NULL))) {
		x->ex_flags |= EXFLAG_XKUSAGE;
		for(i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
			switch(OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage,i))) {
				case NID_server_auth:
				x->ex_xkusage |= XKU_SSL_SERVER;
				break;

				case NID_client_auth:
				x->ex_xkusage |= XKU_SSL_CLIENT;
				break;

				case NID_email_protect:
				x->ex_xkusage |= XKU_SMIME;
				break;

				case NID_code_sign:
				x->ex_xkusage |= XKU_CODE_SIGN;
				break;

				case NID_ms_sgc:
				case NID_ns_sgc:
				x->ex_xkusage |= XKU_SGC;
			}
		}
		sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
	}

	if((ns=X509V3_X509_get_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
		if(ns->length > 0) x->ex_nscert = ns->data[0];
		else x->ex_nscert = 0;
		x->ex_flags |= EXFLAG_NSCERT;
		ASN1_BIT_STRING_free(ns);
	}
	x->ex_flags |= EXFLAG_SET;
}

/* CA checks common to all purposes
 * return codes:
 * 0 not a CA
 * 1 is a CA
 * 2 basicConstraints absent so "maybe" a CA
 * 3 basicConstraints absent but self signed V1.
 */

#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
#define ku_reject(x, usage) \
	(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
#define xku_reject(x, usage) \
	(((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
#define ns_reject(x, usage) \
	(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))

static int ca_check(X509 *x)
{
	/* keyUsage if present should allow cert signing */
	if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
	if(x->ex_flags & EXFLAG_BCONS) {
		if(x->ex_flags & EXFLAG_CA) return 1;
		/* If basicConstraints says not a CA then say so */
		else return 0;
	} else {
		if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
		else return 2;
	}
}


static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca)
{
	if(xku_reject(x,XKU_SSL_CLIENT)) return 0;
	if(ca) {
		int ca_ret;
		ca_ret = ca_check(x);
		if(!ca_ret) return 0;
		/* check nsCertType if present */
		if(x->ex_flags & EXFLAG_NSCERT) {
			if(x->ex_nscert & NS_SSL_CA) return ca_ret;
			return 0;
		}
		if(ca_ret != 2) return ca_ret;
		else return 0;
	}
	/* We need to do digital signatures with it */
	if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0;
	/* nsCertType if present should allow SSL client use */	
	if(ns_reject(x, NS_SSL_CLIENT)) return 0;
	return 1;
}

static int check_purpose_ssl_server(X509_PURPOSE *xp, X509 *x, int ca)
{
	if(xku_reject(x,XKU_SSL_SERVER|XKU_SGC)) return 0;
	/* Otherwise same as SSL client for a CA */
	if(ca) return check_purpose_ssl_client(xp, x, 1);

	if(ns_reject(x, NS_SSL_SERVER)) return 0;
	/* Now as for keyUsage: we'll at least need to sign OR encipher */
	if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT)) return 0;
	
	return 1;

}

static int check_purpose_ns_ssl_server(X509_PURPOSE *xp, X509 *x, int ca)
{
	int ret;
	ret = check_purpose_ssl_server(xp, x, ca);
	if(!ret || ca) return ret;
	/* We need to encipher or Netscape complains */
	if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
	return ret;
}

/* common S/MIME checks */
static int purpose_smime(X509 *x, int ca)
{
	if(xku_reject(x,XKU_SMIME)) return 0;
	if(ca) {
		int ca_ret;
		ca_ret = ca_check(x);
		if(!ca_ret) return 0;
		/* check nsCertType if present */
		if(x->ex_flags & EXFLAG_NSCERT) {
			if(x->ex_nscert & NS_SMIME_CA) return ca_ret;
			return 0;
		}
		if(ca_ret != 2) return ca_ret;
		else return 0;
	}
	if(x->ex_flags & EXFLAG_NSCERT) {
		if(x->ex_nscert & NS_SMIME) return 1;
		/* Workaround for some buggy certificates */
		if(x->ex_nscert & NS_SSL_CLIENT) return 2;
		return 0;
	}
	return 1;
}

static int check_purpose_smime_sign(X509_PURPOSE *xp, X509 *x, int ca)
{
	int ret;
	ret = purpose_smime(x, ca);
	if(!ret || ca) return ret;
	if(ku_reject(x, KU_DIGITAL_SIGNATURE)) return 0;
	return ret;
}

static int check_purpose_smime_encrypt(X509_PURPOSE *xp, X509 *x, int ca)
{
	int ret;
	ret = purpose_smime(x, ca);
	if(!ret || ca) return ret;
	if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
	return ret;
}

static int check_purpose_crl_sign(X509_PURPOSE *xp, X509 *x, int ca)
{
	if(ca) {
		int ca_ret;
		if((ca_ret = ca_check(x)) != 2) return ca_ret;
		else return 0;
	}
	if(ku_reject(x, KU_CRL_SIGN)) return 0;
	return 1;
}
Commit	Line	Data
673b102c DSH	1	/* v3_purp.c */
	2	/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
	3	* project 1999.
	4	*/
	5	/* ====================================================================
	6	* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
	7	*
	8	* Redistribution and use in source and binary forms, with or without
	9	* modification, are permitted provided that the following conditions
	10	* are met:
	11	*
	12	* 1. Redistributions of source code must retain the above copyright
	13	* notice, this list of conditions and the following disclaimer.
	14	*
	15	* 2. Redistributions in binary form must reproduce the above copyright
	16	* notice, this list of conditions and the following disclaimer in
	17	* the documentation and/or other materials provided with the
	18	* distribution.
	19	*
	20	* 3. All advertising materials mentioning features or use of this
	21	* software must display the following acknowledgment:
	22	* "This product includes software developed by the OpenSSL Project
	23	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
	24	*
	25	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
	26	* endorse or promote products derived from this software without
	27	* prior written permission. For written permission, please contact
	28	* licensing@OpenSSL.org.
	29	*
	30	* 5. Products derived from this software may not be called "OpenSSL"
	31	* nor may "OpenSSL" appear in their names without prior written
	32	* permission of the OpenSSL Project.
	33	*
	34	* 6. Redistributions of any form whatsoever must retain the following
	35	* acknowledgment:
	36	* "This product includes software developed by the OpenSSL Project
	37	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
	38	*
	39	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
	40	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	41	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	42	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
	43	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	44	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	45	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	46	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	48	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	49	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
	50	* OF THE POSSIBILITY OF SUCH DAMAGE.
	51	* ====================================================================
	52	*
	53	* This product includes cryptographic software written by Eric Young
	54	* (eay@cryptsoft.com). This product includes software written by Tim
	55	* Hudson (tjh@cryptsoft.com).
	56	*
	57	*/
	58
	59	#include <stdio.h>
	60	#include "cryptlib.h"
	61	#include <openssl/x509v3.h>
	62
	63
ce1b4fe1	64	static void x509v3_cache_extensions(X509 *x);
673b102c DSH	65
	66	static int ca_check(X509 *x);
	67	static int check_purpose_ssl_client(X509_PURPOSE xp, X509 x, int ca);
	68	static int check_purpose_ssl_server(X509_PURPOSE xp, X509 x, int ca);
	69	static int check_purpose_ns_ssl_server(X509_PURPOSE xp, X509 x, int ca);
	70	static int purpose_smime(X509 *x, int ca);
	71	static int check_purpose_smime_sign(X509_PURPOSE xp, X509 x, int ca);
	72	static int check_purpose_smime_encrypt(X509_PURPOSE xp, X509 x, int ca);
	73	static int check_purpose_crl_sign(X509_PURPOSE xp, X509 x, int ca);
	74
	75	static int xp_cmp(X509_PURPOSE a, X509_PURPOSE b);
d4cec6a1	76	static void xptable_free(X509_PURPOSE *p);
673b102c DSH	77
673b102c DSH	78	static X509_PURPOSE xstandard[] = {
d4cec6a1 DSH	79	{X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, check_purpose_ssl_client, "SSL client", "sslclient", NULL},
	80	{X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ssl_server, "SSL server", "sslserver", NULL},
	81	{X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ns_ssl_server, "Netscape SSL server", "nssslserver", NULL},
	82	{X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, "S/MIME signing", "smimesign", NULL},
	83	{X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
	84	{X509_PURPOSE_CRL_SIGN, X509_TRUST_ANY, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
	85	{-1, 0, 0, NULL, NULL, NULL, NULL}
673b102c DSH	86	};
	87
	88	IMPLEMENT_STACK_OF(X509_PURPOSE)
	89
79875776	90	static STACK_OF(X509_PURPOSE) *xptable = NULL;
673b102c DSH	91
	92	static int xp_cmp(X509_PURPOSE a, X509_PURPOSE b)
	93	{
13938ace	94	return (a)->purpose - (b)->purpose;
673b102c DSH	95	}
	96
	97	int X509_check_purpose(X509 *x, int id, int ca)
	98	{
	99	int idx;
	100	X509_PURPOSE *pt;
	101	if(!(x->ex_flags & EXFLAG_SET)) {
	102	CRYPTO_w_lock(CRYPTO_LOCK_X509);
13938ace	103	X509_init();
673b102c DSH	104	x509v3_cache_extensions(x);
	105	CRYPTO_w_unlock(CRYPTO_LOCK_X509);
	106	}
e947f396	107	if(id == -1) return 1;
d4cec6a1	108	idx = X509_PURPOSE_get_by_id(id);
673b102c DSH	109	if(idx == -1) return -1;
	110	pt = sk_X509_PURPOSE_value(xptable, idx);
	111	return pt->check_purpose(pt, x,ca);
	112	}
e947f396	113
d4cec6a1 DSH	114	int X509_PURPOSE_get_count(void)
	115	{
	116	return sk_X509_PURPOSE_num(xptable);
	117	}
ce1b4fe1	118
d4cec6a1 DSH	119	X509_PURPOSE * X509_PURPOSE_iget(int idx)
	120	{
	121	return sk_X509_PURPOSE_value(xptable, idx);
	122	}
	123
	124	int X509_PURPOSE_get_by_sname(char *sname)
	125	{
	126	int i;
	127	X509_PURPOSE *xptmp;
	128	for(i = 0; i < sk_X509_PURPOSE_num(xptable); i++) {
	129	xptmp = sk_X509_PURPOSE_value(xptable, i);
13938ace	130	if(!strcmp(xptmp->sname, sname)) return i;
d4cec6a1 DSH	131	}
	132	return -1;
	133	}
673b102c DSH	134
673b102c DSH	135
13938ace	136	int X509_PURPOSE_get_by_id(int purpose)
673b102c DSH	137	{
673b102c DSH	138	X509_PURPOSE tmp;
13938ace	139	tmp.purpose = purpose;
673b102c DSH	140	if(!xptable) return -1;
	141	return sk_X509_PURPOSE_find(xptable, &tmp);
	142	}
	143
	144	int X509_PURPOSE_add(X509_PURPOSE *xp)
	145	{
	146	int idx;
79875776 BM	147	if(!xptable)
	148	{
	149	xptable = sk_X509_PURPOSE_new(xp_cmp);
	150	if (!xptable)
	151	{
	152	X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
	153	return 0;
	154	}
	155	}
	156
13938ace	157	idx = X509_PURPOSE_get_by_id(xp->purpose);
d4cec6a1 DSH	158	if(idx != -1) {
d4cec6a1 DSH	159	xptable_free(sk_X509_PURPOSE_value(xptable, idx));
79875776	160	sk_X509_PURPOSE_set(xptable, idx, xp);
d4cec6a1 DSH	161	} else {
d4cec6a1 DSH	162	if (!sk_X509_PURPOSE_push(xptable, xp)) {
79875776 BM	163	X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
79875776 BM	164	return 0;
d4cec6a1 DSH	165	}
d4cec6a1 DSH	166	}
673b102c DSH	167	return 1;
	168	}
	169
79875776 BM	170	static void xptable_free(X509_PURPOSE *p)
79875776 BM	171	{
d4cec6a1	172	if(!p) return;
13938ace	173	if (p->flags & X509_PURPOSE_DYNAMIC)
79875776	174	{
13938ace DSH	175	if (p->flags & X509_PURPOSE_DYNAMIC_NAME) {
	176	Free(p->name);
	177	Free(p->sname);
d4cec6a1	178	}
79875776 BM	179	Free(p);
	180	}
	181	}
	182
	183	void X509_PURPOSE_cleanup(void)
	184	{
	185	sk_X509_PURPOSE_pop_free(xptable, xptable_free);
	186	xptable = NULL;
	187	}
	188
673b102c DSH	189	void X509_PURPOSE_add_standard(void)
	190	{
	191	X509_PURPOSE *xp;
13938ace	192	for(xp = xstandard; xp->name; xp++) X509_PURPOSE_add(xp);
673b102c DSH	193	}
673b102c DSH	194
d4cec6a1	195	int X509_PURPOSE_get_id(X509_PURPOSE *xp)
673b102c	196	{
13938ace	197	return xp->purpose;
673b102c DSH	198	}
673b102c DSH	199
d4cec6a1 DSH	200	char X509_PURPOSE_iget_name(X509_PURPOSE xp)
d4cec6a1 DSH	201	{
13938ace	202	return xp->name;
d4cec6a1	203	}
673b102c	204
d4cec6a1	205	char X509_PURPOSE_iget_sname(X509_PURPOSE xp)
673b102c	206	{
13938ace	207	return xp->sname;
673b102c DSH	208	}
673b102c DSH	209
d4cec6a1	210	int X509_PURPOSE_get_trust(X509_PURPOSE *xp)
673b102c	211	{
13938ace	212	return xp->trust;
673b102c DSH	213	}
673b102c DSH	214
ce1b4fe1	215	static void x509v3_cache_extensions(X509 *x)
673b102c DSH	216	{
	217	BASIC_CONSTRAINTS *bs;
	218	ASN1_BIT_STRING *usage;
	219	ASN1_BIT_STRING *ns;
	220	STACK_OF(ASN1_OBJECT) *extusage;
	221	int i;
	222	if(x->ex_flags & EXFLAG_SET) return;
e947f396	223	X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
673b102c	224	/* Does subject name match issuer ? */
51630a37	225	if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
673b102c DSH	226	x->ex_flags \|= EXFLAG_SS;
	227	/* V1 should mean no extensions ... */
	228	if(!X509_get_version(x)) x->ex_flags \|= EXFLAG_V1;
	229	/* Handle basic constraints */
	230	if((bs=X509V3_X509_get_d2i(x, NID_basic_constraints, NULL, NULL))) {
	231	if(bs->ca) x->ex_flags \|= EXFLAG_CA;
	232	if(bs->pathlen) {
	233	if((bs->pathlen->type == V_ASN1_NEG_INTEGER)
	234	\|\| !bs->ca) {
	235	x->ex_flags \|= EXFLAG_INVALID;
	236	x->ex_pathlen = 0;
	237	} else x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
	238	} else x->ex_pathlen = -1;
	239	BASIC_CONSTRAINTS_free(bs);
	240	x->ex_flags \|= EXFLAG_BCONS;
	241	}
	242	/* Handle key usage */
	243	if((usage=X509V3_X509_get_d2i(x, NID_key_usage, NULL, NULL))) {
	244	if(usage->length > 0) {
	245	x->ex_kusage = usage->data[0];
	246	if(usage->length > 1)
	247	x->ex_kusage \|= usage->data[1] << 8;
	248	} else x->ex_kusage = 0;
	249	x->ex_flags \|= EXFLAG_KUSAGE;
	250	ASN1_BIT_STRING_free(usage);
	251	}
	252	x->ex_xkusage = 0;
	253	if((extusage=X509V3_X509_get_d2i(x, NID_ext_key_usage, NULL, NULL))) {
	254	x->ex_flags \|= EXFLAG_XKUSAGE;
	255	for(i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
	256	switch(OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage,i))) {
	257	case NID_server_auth:
	258	x->ex_xkusage \|= XKU_SSL_SERVER;
	259	break;
	260
	261	case NID_client_auth:
	262	x->ex_xkusage \|= XKU_SSL_CLIENT;
	263	break;
	264
	265	case NID_email_protect:
	266	x->ex_xkusage \|= XKU_SMIME;
	267	break;
	268
	269	case NID_code_sign:
	270	x->ex_xkusage \|= XKU_CODE_SIGN;
	271	break;
	272
	273	case NID_ms_sgc:
	274	case NID_ns_sgc:
	275	x->ex_xkusage \|= XKU_SGC;
	276	}
	277	}
	278	sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
	279	}
	280
	281	if((ns=X509V3_X509_get_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
	282	if(ns->length > 0) x->ex_nscert = ns->data[0];
	283	else x->ex_nscert = 0;
	284	x->ex_flags \|= EXFLAG_NSCERT;
	285	ASN1_BIT_STRING_free(ns);
	286	}
	287	x->ex_flags \|= EXFLAG_SET;
	288	}
	289
290	/* CA checks common to all purposes
291	* return codes:
292	* 0 not a CA
293	* 1 is a CA
294	* 2 basicConstraints absent so "maybe" a CA
295	* 3 basicConstraints absent but self signed V1.
296	*/
297
298	#define V1_ROOT (EXFLAG_V1\|EXFLAG_SS)
299	#define ku_reject(x, usage) \
300	(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
301	#define xku_reject(x, usage) \
302	(((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
303	#define ns_reject(x, usage) \
304	(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
305
306	static int ca_check(X509 *x)
307	{
308	/* keyUsage if present should allow cert signing */
309	if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
310	if(x->ex_flags & EXFLAG_BCONS) {
311	if(x->ex_flags & EXFLAG_CA) return 1;
312	/* If basicConstraints says not a CA then say so */
313	else return 0;
314	} else {
315	if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
316	else return 2;
317	}
318	}
319
320
321	static int check_purpose_ssl_client(X509_PURPOSE xp, X509 x, int ca)
322	{
323	if(xku_reject(x,XKU_SSL_CLIENT)) return 0;
324	if(ca) {
325	int ca_ret;
326	ca_ret = ca_check(x);
327	if(!ca_ret) return 0;
328	/* check nsCertType if present */
329	if(x->ex_flags & EXFLAG_NSCERT) {
330	if(x->ex_nscert & NS_SSL_CA) return ca_ret;
331	return 0;
332	}
333	if(ca_ret != 2) return ca_ret;
334	else return 0;
335	}
336	/* We need to do digital signatures with it */
337	if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0;
338	/* nsCertType if present should allow SSL client use */
339	if(ns_reject(x, NS_SSL_CLIENT)) return 0;
340	return 1;
341	}
342
343	static int check_purpose_ssl_server(X509_PURPOSE xp, X509 x, int ca)
344	{
345	if(xku_reject(x,XKU_SSL_SERVER\|XKU_SGC)) return 0;
346	/* Otherwise same as SSL client for a CA */
347	if(ca) return check_purpose_ssl_client(xp, x, 1);
348
349	if(ns_reject(x, NS_SSL_SERVER)) return 0;
350	/* Now as for keyUsage: we'll at least need to sign OR encipher */
351	if(ku_reject(x, KU_DIGITAL_SIGNATURE\|KU_KEY_ENCIPHERMENT)) return 0;
352
353	return 1;
354
355	}
356
357	static int check_purpose_ns_ssl_server(X509_PURPOSE xp, X509 x, int ca)
358	{
359	int ret;
360	ret = check_purpose_ssl_server(xp, x, ca);
361	if(!ret \|\| ca) return ret;
362	/* We need to encipher or Netscape complains */
363	if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
364	return ret;
365	}
366
367	/* common S/MIME checks */
368	static int purpose_smime(X509 *x, int ca)
369	{
370	if(xku_reject(x,XKU_SMIME)) return 0;
371	if(ca) {
372	int ca_ret;
373	ca_ret = ca_check(x);
374	if(!ca_ret) return 0;
375	/* check nsCertType if present */
376	if(x->ex_flags & EXFLAG_NSCERT) {
377	if(x->ex_nscert & NS_SMIME_CA) return ca_ret;
378	return 0;
379	}
380	if(ca_ret != 2) return ca_ret;
381	else return 0;
382	}
383	if(x->ex_flags & EXFLAG_NSCERT) {
384	if(x->ex_nscert & NS_SMIME) return 1;
385	/* Workaround for some buggy certificates */
386	if(x->ex_nscert & NS_SSL_CLIENT) return 2;
387	return 0;
388	}
389	return 1;
390	}
391
392	static int check_purpose_smime_sign(X509_PURPOSE xp, X509 x, int ca)
393	{
394	int ret;
395	ret = purpose_smime(x, ca);
396	if(!ret \|\| ca) return ret;
397	if(ku_reject(x, KU_DIGITAL_SIGNATURE)) return 0;
398	return ret;
399	}
400
401	static int check_purpose_smime_encrypt(X509_PURPOSE xp, X509 x, int ca)
402	{
403	int ret;
404	ret = purpose_smime(x, ca);
405	if(!ret \|\| ca) return ret;
406	if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
407	return ret;
408	}
409
410	static int check_purpose_crl_sign(X509_PURPOSE xp, X509 x, int ca)
411	{
412	if(ca) {
413	int ca_ret;
414	if((ca_ret = ca_check(x)) != 2) return ca_ret;
415	else return 0;
416	}
417	if(ku_reject(x, KU_CRL_SIGN)) return 0;
418	return 1;
419	}