crypto/x509/pcy_cache.c

   1 /*
   2  * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include "internal/cryptlib.h"
  11 #include <openssl/x509.h>
  12 #include <openssl/x509v3.h>
  13 #include "crypto/x509.h"
  14
  15 #include "pcy_local.h"
  16
  17 static int policy_data_cmp(const X509_POLICY_DATA *const *a,
  18                            const X509_POLICY_DATA *const *b);
  19 static int policy_cache_set_int(long *out, ASN1_INTEGER *value);
  20
  21 /*
  22  * Set cache entry according to CertificatePolicies extension. Note: this
  23  * destroys the passed CERTIFICATEPOLICIES structure.
  24  */
  25
  26 static int policy_cache_create(X509 *x,
  27                                CERTIFICATEPOLICIES *policies, int crit)
  28 {
  29     int i, num, ret = 0;
  30     X509_POLICY_CACHE *cache = x->policy_cache;
  31     X509_POLICY_DATA *data = NULL;
  32     POLICYINFO *policy;
  33
  34     if ((num = sk_POLICYINFO_num(policies)) <= 0)
  35         goto bad_policy;
  36     cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
  37     if (cache->data == NULL) {
  38         ERR_raise(ERR_LIB_X509V3, ERR_R_CRYPTO_LIB);
  39         goto just_cleanup;
  40     }
  41     for (i = 0; i < num; i++) {
  42         policy = sk_POLICYINFO_value(policies, i);
  43         data = ossl_policy_data_new(policy, NULL, crit);
  44         if (data == NULL) {
  45             ERR_raise(ERR_LIB_X509V3, ERR_R_X509_LIB);
  46             goto just_cleanup;
  47         }
  48         /*
  49          * Duplicate policy OIDs are illegal: reject if matches found.
  50          */
  51         if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
  52             if (cache->anyPolicy) {
  53                 ret = -1;
  54                 goto bad_policy;
  55             }
  56             cache->anyPolicy = data;
  57         } else if (sk_X509_POLICY_DATA_find(cache->data, data) >=0) {
  58             ret = -1;
  59             goto bad_policy;
  60         } else if (!sk_X509_POLICY_DATA_push(cache->data, data)) {
  61             ERR_raise(ERR_LIB_X509V3, ERR_R_CRYPTO_LIB);
  62             goto bad_policy;
  63         }
  64         data = NULL;
  65     }
  66     /* Sort so we can find more quickly */
  67     sk_X509_POLICY_DATA_sort(cache->data);
  68     ret = 1;
  69
  70  bad_policy:
  71     if (ret == -1)
  72         x->ex_flags |= EXFLAG_INVALID_POLICY;
  73     ossl_policy_data_free(data);
  74  just_cleanup:
  75     sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
  76     if (ret <= 0) {
  77         sk_X509_POLICY_DATA_pop_free(cache->data, ossl_policy_data_free);
  78         cache->data = NULL;
  79     }
  80     return ret;
  81 }
  82
  83 static int policy_cache_new(X509 *x)
  84 {
  85     X509_POLICY_CACHE *cache;
  86     ASN1_INTEGER *ext_any = NULL;
  87     POLICY_CONSTRAINTS *ext_pcons = NULL;
  88     CERTIFICATEPOLICIES *ext_cpols = NULL;
  89     POLICY_MAPPINGS *ext_pmaps = NULL;
  90     int i;
  91
  92     if (x->policy_cache != NULL)
  93         return 1;
  94     cache = OPENSSL_malloc(sizeof(*cache));
  95     if (cache == NULL)
  96         return 0;
  97     cache->anyPolicy = NULL;
  98     cache->data = NULL;
  99     cache->any_skip = -1;
 100     cache->explicit_skip = -1;
 101     cache->map_skip = -1;
 102
 103     x->policy_cache = cache;
 104
 105     /*
 106      * Handle requireExplicitPolicy *first*. Need to process this even if we
 107      * don't have any policies.
 108      */
 109     ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);
 110
 111     if (!ext_pcons) {
 112         if (i != -1)
 113             goto bad_cache;
 114     } else {
 115         if (!ext_pcons->requireExplicitPolicy
 116             && !ext_pcons->inhibitPolicyMapping)
 117             goto bad_cache;
 118         if (!policy_cache_set_int(&cache->explicit_skip,
 119                                   ext_pcons->requireExplicitPolicy))
 120             goto bad_cache;
 121         if (!policy_cache_set_int(&cache->map_skip,
 122                                   ext_pcons->inhibitPolicyMapping))
 123             goto bad_cache;
 124     }
 125
 126     /* Process CertificatePolicies */
 127
 128     ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL);
 129     /*
 130      * If no CertificatePolicies extension or problem decoding then there is
 131      * no point continuing because the valid policies will be NULL.
 132      */
 133     if (!ext_cpols) {
 134         /* If not absent some problem with extension */
 135         if (i != -1)
 136             goto bad_cache;
 137         return 1;
 138     }
 139
 140     i = policy_cache_create(x, ext_cpols, i);
 141
 142     /* NB: ext_cpols freed by policy_cache_set_policies */
 143
 144     if (i <= 0)
 145         return i;
 146
 147     ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);
 148
 149     if (!ext_pmaps) {
 150         /* If not absent some problem with extension */
 151         if (i != -1)
 152             goto bad_cache;
 153     } else {
 154         i = ossl_policy_cache_set_mapping(x, ext_pmaps);
 155         if (i <= 0)
 156             goto bad_cache;
 157     }
 158
 159     ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);
 160
 161     if (!ext_any) {
 162         if (i != -1)
 163             goto bad_cache;
 164     } else if (!policy_cache_set_int(&cache->any_skip, ext_any))
 165         goto bad_cache;
 166     goto just_cleanup;
 167
 168  bad_cache:
 169     x->ex_flags |= EXFLAG_INVALID_POLICY;
 170
 171  just_cleanup:
 172     POLICY_CONSTRAINTS_free(ext_pcons);
 173     ASN1_INTEGER_free(ext_any);
 174     return 1;
 175
 176 }
 177
 178 void ossl_policy_cache_free(X509_POLICY_CACHE *cache)
 179 {
 180     if (!cache)
 181         return;
 182     ossl_policy_data_free(cache->anyPolicy);
 183     sk_X509_POLICY_DATA_pop_free(cache->data, ossl_policy_data_free);
 184     OPENSSL_free(cache);
 185 }
 186
 187 const X509_POLICY_CACHE *ossl_policy_cache_set(X509 *x)
 188 {
 189
 190     if (x->policy_cache == NULL) {
 191         if (!CRYPTO_THREAD_write_lock(x->lock))
 192             return NULL;
 193         policy_cache_new(x);
 194         CRYPTO_THREAD_unlock(x->lock);
 195     }
 196
 197     return x->policy_cache;
 198
 199 }
 200
 201 X509_POLICY_DATA *ossl_policy_cache_find_data(const X509_POLICY_CACHE *cache,
 202                                               const ASN1_OBJECT *id)
 203 {
 204     int idx;
 205     X509_POLICY_DATA tmp;
 206     tmp.valid_policy = (ASN1_OBJECT *)id;
 207     idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
 208     return sk_X509_POLICY_DATA_value(cache->data, idx);
 209 }
 210
 211 static int policy_data_cmp(const X509_POLICY_DATA *const *a,
 212                            const X509_POLICY_DATA *const *b)
 213 {
 214     return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy);
 215 }
 216
 217 static int policy_cache_set_int(long *out, ASN1_INTEGER *value)
 218 {
 219     if (value == NULL)
 220         return 1;
 221     if (value->type == V_ASN1_NEG_INTEGER)
 222         return 0;
 223     *out = ASN1_INTEGER_get(value);
 224     return 1;
 225 }