]> git.ipfire.org Git - thirdparty/openssl.git/blame - crypto/x509v3/v3_purp.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add support for CRLs partitioned by reason code.
[thirdparty/openssl.git] / crypto / x509v3 / v3_purp.c
CommitLineData
673b102c
DSH		 1/* v3_purp.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
f1558bb4 3 * project 2001.
673b102c
DSH		 4 */
5/* ====================================================================
bc501570 6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
673b102c
DSH		 7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/x509v3.h>
2f043896 62#include <openssl/x509_vfy.h>
673b102c 63
ce1b4fe1 64static void x509v3_cache_extensions(X509 *x);
673b102c 65
ccd86b68
GT		 66static int check_ssl_ca(const X509 *x);
67static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca);
68static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca);
69static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca);
70static int purpose_smime(const X509 *x, int ca);
71static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
72static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca);
73static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
c7235be6 74static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
ccd86b68 75static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca);
81f169e9 76static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca);
ccd86b68
GT		 77
78static int xp_cmp(const X509_PURPOSE * const *a,
79 const X509_PURPOSE * const *b);
d4cec6a1 80static void xptable_free(X509_PURPOSE *p);
673b102c
DSH		 81
82static X509_PURPOSE xstandard[] = {
d4cec6a1
DSH		 83 {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, check_purpose_ssl_client, "SSL client", "sslclient", NULL},
84 {X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ssl_server, "SSL server", "sslserver", NULL},
85 {X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ns_ssl_server, "Netscape SSL server", "nssslserver", NULL},
86 {X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, "S/MIME signing", "smimesign", NULL},
87 {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
068fdce8
DSH		 88 {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
89 {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL},
81f169e9 90 {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL},
c7235be6 91 {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, 0, check_purpose_timestamp_sign, "Time Stamp signing", "timestampsign", NULL},
673b102c
DSH		 92};
93
dd413410
DSH		 94#define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE))
95
673b102c
DSH		 96IMPLEMENT_STACK_OF(X509_PURPOSE)
97
79875776 98static STACK_OF(X509_PURPOSE) *xptable = NULL;
673b102c 99
ccd86b68
GT		 100static int xp_cmp(const X509_PURPOSE * const *a,
101 const X509_PURPOSE * const *b)
673b102c 102{
13938ace 103 return (*a)->purpose - (*b)->purpose;
673b102c
DSH		 104}
105
ccd86b68
GT		 106/* As much as I'd like to make X509_check_purpose use a "const" X509*
107 * I really can't because it does recalculate hashes and do other non-const
108 * things. */
673b102c
DSH		 109int X509_check_purpose(X509 *x, int id, int ca)
110{
111 int idx;
ccd86b68 112 const X509_PURPOSE *pt;
673b102c
DSH		 113 if(!(x->ex_flags & EXFLAG_SET)) {
114 CRYPTO_w_lock(CRYPTO_LOCK_X509);
115 x509v3_cache_extensions(x);
116 CRYPTO_w_unlock(CRYPTO_LOCK_X509);
117 }
e947f396 118 if(id == -1) return 1;
d4cec6a1 119 idx = X509_PURPOSE_get_by_id(id);
673b102c 120 if(idx == -1) return -1;
6d0d5431 121 pt = X509_PURPOSE_get0(idx);
dd413410 122 return pt->check_purpose(pt, x, ca);
673b102c 123}
e947f396 124
926a56bf
DSH		 125int X509_PURPOSE_set(int *p, int purpose)
126{
127 if(X509_PURPOSE_get_by_id(purpose) == -1) {
128 X509V3err(X509V3_F_X509_PURPOSE_SET, X509V3_R_INVALID_PURPOSE);
129 return 0;
130 }
131 *p = purpose;
132 return 1;
133}
134
d4cec6a1
DSH		 135int X509_PURPOSE_get_count(void)
136{
dd413410
DSH		 137 if(!xptable) return X509_PURPOSE_COUNT;
138 return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT;
d4cec6a1 139}
ce1b4fe1 140
6d0d5431 141X509_PURPOSE * X509_PURPOSE_get0(int idx)
d4cec6a1 142{
dd413410 143 if(idx < 0) return NULL;
27545970 144 if(idx < (int)X509_PURPOSE_COUNT) return xstandard + idx;
dd413410 145 return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
d4cec6a1
DSH		 146}
147
148int X509_PURPOSE_get_by_sname(char *sname)
149{
150 int i;
151 X509_PURPOSE *xptmp;
dd413410 152 for(i = 0; i < X509_PURPOSE_get_count(); i++) {
6d0d5431 153 xptmp = X509_PURPOSE_get0(i);
13938ace 154 if(!strcmp(xptmp->sname, sname)) return i;
d4cec6a1
DSH		 155 }
156 return -1;
157}
673b102c 158
13938ace 159int X509_PURPOSE_get_by_id(int purpose)
673b102c
DSH		 160{
161 X509_PURPOSE tmp;
dd413410
DSH		 162 int idx;
163 if((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))
164 return purpose - X509_PURPOSE_MIN;
13938ace 165 tmp.purpose = purpose;
673b102c 166 if(!xptable) return -1;
dd413410
DSH		 167 idx = sk_X509_PURPOSE_find(xptable, &tmp);
168 if(idx == -1) return -1;
169 return idx + X509_PURPOSE_COUNT;
673b102c
DSH		 170}
171
dd413410 172int X509_PURPOSE_add(int id, int trust, int flags,
ccd86b68 173 int (*ck)(const X509_PURPOSE *, const X509 *, int),
dd413410 174 char *name, char *sname, void *arg)
673b102c
DSH		 175{
176 int idx;
dd413410
DSH		 177 X509_PURPOSE *ptmp;
178 /* This is set according to what we change: application can't set it */
179 flags &= ~X509_PURPOSE_DYNAMIC;
180 /* This will always be set for application modified trust entries */
181 flags |= X509_PURPOSE_DYNAMIC_NAME;
182 /* Get existing entry if any */
183 idx = X509_PURPOSE_get_by_id(id);
184 /* Need a new entry */
185 if(idx == -1) {
26a3a48d 186 if(!(ptmp = OPENSSL_malloc(sizeof(X509_PURPOSE)))) {
79875776
BM		 187 X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
188 return 0;
79875776 189 }
dd413410 190 ptmp->flags = X509_PURPOSE_DYNAMIC;
6d0d5431 191 } else ptmp = X509_PURPOSE_get0(idx);
dd413410 192
26a3a48d 193 /* OPENSSL_free existing name if dynamic */
dd413410 194 if(ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
26a3a48d
RL		 195 OPENSSL_free(ptmp->name);
196 OPENSSL_free(ptmp->sname);
dd413410
DSH		 197 }
198 /* dup supplied name */
199 ptmp->name = BUF_strdup(name);
200 ptmp->sname = BUF_strdup(sname);
201 if(!ptmp->name || !ptmp->sname) {
202 X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
203 return 0;
204 }
205 /* Keep the dynamic flag of existing entry */
206 ptmp->flags &= X509_PURPOSE_DYNAMIC;
207 /* Set all other flags */
208 ptmp->flags |= flags;
209
210 ptmp->purpose = id;
211 ptmp->trust = trust;
212 ptmp->check_purpose = ck;
213 ptmp->usr_data = arg;
214
215 /* If its a new entry manage the dynamic table */
216 if(idx == -1) {
217 if(!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) {
218 X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
219 return 0;
220 }
221 if (!sk_X509_PURPOSE_push(xptable, ptmp)) {
79875776
BM		 222 X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
223 return 0;
d4cec6a1
DSH		 224 }
225 }
673b102c
DSH		 226 return 1;
227}
228
79875776
BM		 229static void xptable_free(X509_PURPOSE *p)
230 {
d4cec6a1 231 if(!p) return;
13938ace 232 if (p->flags & X509_PURPOSE_DYNAMIC)
79875776 233 {
13938ace 234 if (p->flags & X509_PURPOSE_DYNAMIC_NAME) {
26a3a48d
RL		 235 OPENSSL_free(p->name);
236 OPENSSL_free(p->sname);
d4cec6a1 237 }
26a3a48d 238 OPENSSL_free(p);
79875776
BM		 239 }
240 }
241
242void X509_PURPOSE_cleanup(void)
243{
27545970 244 unsigned int i;
79875776 245 sk_X509_PURPOSE_pop_free(xptable, xptable_free);
dd413410 246 for(i = 0; i < X509_PURPOSE_COUNT; i++) xptable_free(xstandard + i);
79875776
BM		 247 xptable = NULL;
248}
249
d4cec6a1 250int X509_PURPOSE_get_id(X509_PURPOSE *xp)
673b102c 251{
13938ace 252 return xp->purpose;
673b102c
DSH		 253}
254
c7cb16a8 255char *X509_PURPOSE_get0_name(X509_PURPOSE *xp)
d4cec6a1 256{
13938ace 257 return xp->name;
d4cec6a1 258}
673b102c 259
c7cb16a8 260char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp)
673b102c 261{
13938ace 262 return xp->sname;
673b102c
DSH		 263}
264
d4cec6a1 265int X509_PURPOSE_get_trust(X509_PURPOSE *xp)
673b102c 266{
13938ace 267 return xp->trust;
673b102c
DSH		 268}
269
f1558bb4
DSH		 270static int nid_cmp(int *a, int *b)
271 {
272 return *a - *b;
273 }
274
275int X509_supported_extension(X509_EXTENSION *ex)
276 {
277 /* This table is a list of the NIDs of supported extensions:
278 * that is those which are used by the verify process. If
279 * an extension is critical and doesn't appear in this list
280 * then the verify process will normally reject the certificate.
281 * The list must be kept in numerical order because it will be
282 * searched using bsearch.
283 */
284
285 static int supported_nids[] = {
286 NID_netscape_cert_type, /* 71 */
287 NID_key_usage, /* 83 */
288 NID_subject_alt_name, /* 85 */
289 NID_basic_constraints, /* 87 */
96ea4ae9 290 NID_certificate_policies, /* 89 */
6951c23a 291 NID_ext_key_usage, /* 126 */
10ca15f3 292#ifndef OPENSSL_NO_RFC3779
96ea4ae9
BL		 293 NID_sbgp_ipAddrBlock, /* 290 */
294 NID_sbgp_autonomousSysNum, /* 291 */
295#endif
db50661f 296 NID_policy_constraints, /* 401 */
dcc0c298 297 NID_proxyCertInfo, /* 663 */
e9746e03 298 NID_name_constraints, /* 666 */
002e66c0 299 NID_policy_mappings, /* 747 */
dcc0c298 300 NID_inhibit_any_policy /* 748 */
f1558bb4
DSH		 301 };
302
303 int ex_nid;
304
305 ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
306
307 if (ex_nid == NID_undef)
308 return 0;
309
310 if (OBJ_bsearch((char *)&ex_nid, (char *)supported_nids,
311 sizeof(supported_nids)/sizeof(int), sizeof(int),
312 (int (*)(const void *, const void *))nid_cmp))
313 return 1;
314 return 0;
315 }
3e727a3b
DSH		 316
317static void setup_dp(X509 *x, DIST_POINT *dp)
318 {
319 X509_NAME *iname = NULL;
320 int i;
4b96839f
DSH		 321 if (dp->reasons)
322 {
323 if (dp->reasons->length > 0)
324 dp->dp_reasons = dp->reasons->data[0];
325 if (dp->reasons->length > 1)
326 dp->dp_reasons |= (dp->reasons->data[1] << 8);
327 dp->dp_reasons &= CRLDP_ALL_REASONS;
328 }
329 else
330 dp->dp_reasons = CRLDP_ALL_REASONS;
3e727a3b
DSH		 331 if (!dp->distpoint || (dp->distpoint->type != 1))
332 return;
333 for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++)
334 {
335 GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
336 if (gen->type == GEN_DIRNAME)
337 {
338 iname = gen->d.directoryName;
339 break;
340 }
341 }
342 if (!iname)
343 iname = X509_get_issuer_name(x);
344
345 DIST_POINT_set_dpname(dp->distpoint, iname);
346
347 }
348
349static void setup_crldp(X509 *x)
350 {
351 int i;
352 x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
353 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
354 setup_dp(x, sk_DIST_POINT_value(x->crldp, i));
355 }
f1558bb4 356
ce1b4fe1 357static void x509v3_cache_extensions(X509 *x)
673b102c
DSH		 358{
359 BASIC_CONSTRAINTS *bs;
6951c23a 360 PROXY_CERT_INFO_EXTENSION *pci;
673b102c
DSH		 361 ASN1_BIT_STRING *usage;
362 ASN1_BIT_STRING *ns;
9d6b1ce6 363 EXTENDED_KEY_USAGE *extusage;
f1558bb4 364 X509_EXTENSION *ex;
2f043896 365
673b102c
DSH		 366 int i;
367 if(x->ex_flags & EXFLAG_SET) return;
cf1b7d96 368#ifndef OPENSSL_NO_SHA
e947f396 369 X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
2f043896 370#endif
673b102c 371 /* Does subject name match issuer ? */
51630a37 372 if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
db50661f 373 x->ex_flags |= EXFLAG_SI;
673b102c
DSH		 374 /* V1 should mean no extensions ... */
375 if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
376 /* Handle basic constraints */
ff8a4c47 377 if((bs=X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {
673b102c
DSH		 378 if(bs->ca) x->ex_flags |= EXFLAG_CA;
379 if(bs->pathlen) {
380 if((bs->pathlen->type == V_ASN1_NEG_INTEGER)
381 || !bs->ca) {
382 x->ex_flags |= EXFLAG_INVALID;
383 x->ex_pathlen = 0;
384 } else x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
385 } else x->ex_pathlen = -1;
386 BASIC_CONSTRAINTS_free(bs);
387 x->ex_flags |= EXFLAG_BCONS;
388 }
6951c23a
RL		 389 /* Handle proxy certificates */
390 if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
d9bfe4f9
RL		 391 if (x->ex_flags & EXFLAG_CA
392 || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
393 || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
6951c23a
RL		 394 x->ex_flags |= EXFLAG_INVALID;
395 }
396 if (pci->pcPathLengthConstraint) {
397 x->ex_pcpathlen =
398 ASN1_INTEGER_get(pci->pcPathLengthConstraint);
399 } else x->ex_pcpathlen = -1;
400 PROXY_CERT_INFO_EXTENSION_free(pci);
401 x->ex_flags |= EXFLAG_PROXY;
402 }
673b102c 403 /* Handle key usage */
ff8a4c47 404 if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
673b102c
DSH		 405 if(usage->length > 0) {
406 x->ex_kusage = usage->data[0];
407 if(usage->length > 1)
408 x->ex_kusage |= usage->data[1] << 8;
409 } else x->ex_kusage = 0;
410 x->ex_flags |= EXFLAG_KUSAGE;
411 ASN1_BIT_STRING_free(usage);
412 }
413 x->ex_xkusage = 0;
ff8a4c47 414 if((extusage=X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) {
673b102c
DSH		 415 x->ex_flags |= EXFLAG_XKUSAGE;
416 for(i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
417 switch(OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage,i))) {
418 case NID_server_auth:
419 x->ex_xkusage |= XKU_SSL_SERVER;
420 break;
421
422 case NID_client_auth:
423 x->ex_xkusage |= XKU_SSL_CLIENT;
424 break;
425
426 case NID_email_protect:
427 x->ex_xkusage |= XKU_SMIME;
428 break;
429
430 case NID_code_sign:
431 x->ex_xkusage |= XKU_CODE_SIGN;
432 break;
433
434 case NID_ms_sgc:
435 case NID_ns_sgc:
436 x->ex_xkusage |= XKU_SGC;
81f169e9
DSH		 437 break;
438
439 case NID_OCSP_sign:
440 x->ex_xkusage |= XKU_OCSP_SIGN;
441 break;
442
443 case NID_time_stamp:
444 x->ex_xkusage |= XKU_TIMESTAMP;
445 break;
b637670f
RL		 446
447 case NID_dvcs:
448 x->ex_xkusage |= XKU_DVCS;
449 break;
673b102c
DSH		 450 }
451 }
452 sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
453 }
454
ff8a4c47 455 if((ns=X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
673b102c
DSH		 456 if(ns->length > 0) x->ex_nscert = ns->data[0];
457 else x->ex_nscert = 0;
458 x->ex_flags |= EXFLAG_NSCERT;
459 ASN1_BIT_STRING_free(ns);
460 }
2f043896
DSH		 461 x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
462 x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
e9746e03
DSH		 463 x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
464 x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
465 if (!x->nc && (i != -1))
466 x->ex_flags |= EXFLAG_INVALID;
3e727a3b
DSH		 467 setup_crldp(x);
468
469
10ca15f3 470#ifndef OPENSSL_NO_RFC3779
96ea4ae9
BL		 471 x->rfc3779_addr =X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);
472 x->rfc3779_asid =X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum,
473 NULL, NULL);
474#endif
f1558bb4
DSH		 475 for (i = 0; i < X509_get_ext_count(x); i++)
476 {
477 ex = X509_get_ext(x, i);
478 if (!X509_EXTENSION_get_critical(ex))
479 continue;
480 if (!X509_supported_extension(ex))
481 {
482 x->ex_flags |= EXFLAG_CRITICAL;
483 break;
484 }
485 }
673b102c
DSH		 486 x->ex_flags |= EXFLAG_SET;
487}
488
489/* CA checks common to all purposes
490 * return codes:
491 * 0 not a CA
492 * 1 is a CA
493 * 2 basicConstraints absent so "maybe" a CA
494 * 3 basicConstraints absent but self signed V1.
bc501570 495 * 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
673b102c
DSH		 496 */
497
498#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
499#define ku_reject(x, usage) \
500 (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
501#define xku_reject(x, usage) \
502 (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
503#define ns_reject(x, usage) \
504 (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
505
5073ff03 506static int check_ca(const X509 *x)
673b102c
DSH		 507{
508 /* keyUsage if present should allow cert signing */
509 if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
510 if(x->ex_flags & EXFLAG_BCONS) {
511 if(x->ex_flags & EXFLAG_CA) return 1;
512 /* If basicConstraints says not a CA then say so */
513 else return 0;
514 } else {
30b415b0 515 /* we support V1 roots for... uh, I don't really know why. */
673b102c 516 if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
8cff6331 517 /* If key usage present it must have certSign so tolerate it */
bc501570 518 else if (x->ex_flags & EXFLAG_KUSAGE) return 4;
30b415b0
RL		 519 /* Older certificates could have Netscape-specific CA types */
520 else if (x->ex_flags & EXFLAG_NSCERT
521 && x->ex_nscert & NS_ANY_CA) return 5;
30b415b0
RL		 522 /* can this still be regarded a CA certificate? I doubt it */
523 return 0;
673b102c
DSH		 524 }
525}
526
5073ff03
RL		 527int X509_check_ca(X509 *x)
528{
529 if(!(x->ex_flags & EXFLAG_SET)) {
530 CRYPTO_w_lock(CRYPTO_LOCK_X509);
531 x509v3_cache_extensions(x);
532 CRYPTO_w_unlock(CRYPTO_LOCK_X509);
533 }
534
535 return check_ca(x);
536}
537
0cb957a6 538/* Check SSL CA: common checks for SSL client and server */
ccd86b68 539static int check_ssl_ca(const X509 *x)
0cb957a6
DSH		 540{
541 int ca_ret;
5073ff03 542 ca_ret = check_ca(x);
0cb957a6
DSH		 543 if(!ca_ret) return 0;
544 /* check nsCertType if present */
30b415b0 545 if(ca_ret != 5 || x->ex_nscert & NS_SSL_CA) return ca_ret;
0cb957a6
DSH		 546 else return 0;
547}
8cff6331 548
673b102c 549
ccd86b68 550static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca)
673b102c
DSH		 551{
552 if(xku_reject(x,XKU_SSL_CLIENT)) return 0;
0cb957a6 553 if(ca) return check_ssl_ca(x);
673b102c
DSH		 554 /* We need to do digital signatures with it */
555 if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0;
556 /* nsCertType if present should allow SSL client use */
557 if(ns_reject(x, NS_SSL_CLIENT)) return 0;
558 return 1;
559}
560
ccd86b68 561static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
673b102c
DSH		 562{
563 if(xku_reject(x,XKU_SSL_SERVER|XKU_SGC)) return 0;
0cb957a6 564 if(ca) return check_ssl_ca(x);
673b102c
DSH		 565
566 if(ns_reject(x, NS_SSL_SERVER)) return 0;
567 /* Now as for keyUsage: we'll at least need to sign OR encipher */
568 if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT)) return 0;
569
570 return 1;
571
572}
573
ccd86b68 574static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
673b102c
DSH		 575{
576 int ret;
577 ret = check_purpose_ssl_server(xp, x, ca);
578 if(!ret || ca) return ret;
579 /* We need to encipher or Netscape complains */
580 if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
581 return ret;
582}
583
584/* common S/MIME checks */
ccd86b68 585static int purpose_smime(const X509 *x, int ca)
673b102c
DSH		 586{
587 if(xku_reject(x,XKU_SMIME)) return 0;
588 if(ca) {
589 int ca_ret;
5073ff03 590 ca_ret = check_ca(x);
673b102c
DSH		 591 if(!ca_ret) return 0;
592 /* check nsCertType if present */
30b415b0 593 if(ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret;
673b102c
DSH		 594 else return 0;
595 }
596 if(x->ex_flags & EXFLAG_NSCERT) {
597 if(x->ex_nscert & NS_SMIME) return 1;
598 /* Workaround for some buggy certificates */
599 if(x->ex_nscert & NS_SSL_CLIENT) return 2;
600 return 0;
601 }
602 return 1;
603}
604
ccd86b68 605static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
673b102c
DSH		 606{
607 int ret;
608 ret = purpose_smime(x, ca);
609 if(!ret || ca) return ret;
8cff6331 610 if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION)) return 0;
673b102c
DSH		 611 return ret;
612}
613
ccd86b68 614static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca)
673b102c
DSH		 615{
616 int ret;
617 ret = purpose_smime(x, ca);
618 if(!ret || ca) return ret;
619 if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
620 return ret;
621}
622
ccd86b68 623static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
673b102c
DSH		 624{
625 if(ca) {
626 int ca_ret;
5073ff03 627 if((ca_ret = check_ca(x)) != 2) return ca_ret;
673b102c
DSH		 628 else return 0;
629 }
630 if(ku_reject(x, KU_CRL_SIGN)) return 0;
631 return 1;
632}
068fdce8 633
81f169e9
DSH		 634/* OCSP helper: this is *not* a full OCSP check. It just checks that
635 * each CA is valid. Additional checks must be made on the chain.
636 */
637
638static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
639{
30b415b0
RL		 640 /* Must be a valid CA. Should we really support the "I don't know"
641 value (2)? */
5073ff03 642 if(ca) return check_ca(x);
81f169e9
DSH		 643 /* leaf certificate is checked in OCSP_verify() */
644 return 1;
645}
646
c7235be6
UM		 647static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
648 int ca)
649{
650 int i_ext;
651
652 /* If ca is true we must return if this is a valid CA certificate. */
653 if (ca) return check_ca(x);
654
655 /*
656 * Check the optional key usage field:
657 * if Key Usage is present, it must be one of digitalSignature
658 * and/or nonRepudiation (other values are not consistent and shall
659 * be rejected).
660 */
661 if ((x->ex_flags & EXFLAG_KUSAGE)
662 && ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) ||
663 !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE))))
664 return 0;
665
666 /* Only time stamp key usage is permitted and it's required. */
667 if (!(x->ex_flags & EXFLAG_XKUSAGE) || x->ex_xkusage != XKU_TIMESTAMP)
668 return 0;
669
670 /* Extended Key Usage MUST be critical */
671 i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, 0);
672 if (i_ext >= 0)
673 {
674 X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);
675 if (!X509_EXTENSION_get_critical(ext))
676 return 0;
677 }
678
679 return 1;
680}
681
ccd86b68 682static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
068fdce8
DSH		 683{
684 return 1;
685}
2f043896
DSH		 686
687/* Various checks to see if one certificate issued the second.
688 * This can be used to prune a set of possible issuer certificates
689 * which have been looked up using some simple method such as by
690 * subject name.
691 * These are:
692 * 1. Check issuer_name(subject) == subject_name(issuer)
693 * 2. If akid(subject) exists check it matches issuer
694 * 3. If key_usage(issuer) exists check it supports certificate signing
695 * returns 0 for OK, positive for reason for mismatch, reasons match
696 * codes for X509_verify_cert()
697 */
698
699int X509_check_issued(X509 *issuer, X509 *subject)
700{
701 if(X509_NAME_cmp(X509_get_subject_name(issuer),
702 X509_get_issuer_name(subject)))
703 return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
704 x509v3_cache_extensions(issuer);
705 x509v3_cache_extensions(subject);
bc7535bc
DSH		 706
707 if(subject->akid)
708 {
709 int ret = X509_check_akid(issuer, subject->akid);
710 if (ret != X509_V_OK)
711 return ret;
2f043896 712 }
bc7535bc 713
6951c23a
RL		 714 if(subject->ex_flags & EXFLAG_PROXY)
715 {
716 if(ku_reject(issuer, KU_DIGITAL_SIGNATURE))
717 return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
718 }
719 else if(ku_reject(issuer, KU_KEY_CERT_SIGN))
720 return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
2f043896
DSH		 721 return X509_V_OK;
722}
723
bc7535bc
DSH		 724int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
725 {
726
727 if(!akid)
728 return X509_V_OK;
729
730 /* Check key ids (if present) */
731 if(akid->keyid && issuer->skid &&
732 ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) )
733 return X509_V_ERR_AKID_SKID_MISMATCH;
734 /* Check serial number */
735 if(akid->serial &&
736 ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial))
737 return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
738 /* Check issuer name */
739 if(akid->issuer)
740 {
741 /* Ugh, for some peculiar reason AKID includes
742 * SEQUENCE OF GeneralName. So look for a DirName.
743 * There may be more than one but we only take any
744 * notice of the first.
745 */
746 GENERAL_NAMES *gens;
747 GENERAL_NAME *gen;
748 X509_NAME *nm = NULL;
749 int i;
750 gens = akid->issuer;
751 for(i = 0; i < sk_GENERAL_NAME_num(gens); i++)
752 {
753 gen = sk_GENERAL_NAME_value(gens, i);
754 if(gen->type == GEN_DIRNAME)
755 {
756 nm = gen->d.dirn;
757 break;
758 }
759 }
760 if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
761 return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
762 }
763 return X509_V_OK;
764 }
765
A mirror of the official openssl repository