[thirdparty/openssl.git] / crypto / x509v3 / v3_purp.c

/* v3_purp.c */
/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
 * project 1999.
 */
/* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

#include <stdio.h>
#include "cryptlib.h"
#include <openssl/x509v3.h>


static int x509_purpose_get_idx(int id);
static void x509v3_cache_extensions(X509 *x);

static int ca_check(X509 *x);
static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca);
static int check_purpose_ssl_server(X509_PURPOSE *xp, X509 *x, int ca);
static int check_purpose_ns_ssl_server(X509_PURPOSE *xp, X509 *x, int ca);
static int purpose_smime(X509 *x, int ca);
static int check_purpose_smime_sign(X509_PURPOSE *xp, X509 *x, int ca);
static int check_purpose_smime_encrypt(X509_PURPOSE *xp, X509 *x, int ca);
static int check_purpose_crl_sign(X509_PURPOSE *xp, X509 *x, int ca);

static int xp_cmp(X509_PURPOSE **a, X509_PURPOSE **b);

static X509_PURPOSE xstandard[] = {
	{1, 0, check_purpose_ssl_client, "SSL client", /* NULL */},
	{2, 0, check_purpose_ssl_server, "SSL server", /* NULL */},
	{3, 0, check_purpose_ns_ssl_server, "Netscape SSL server", /* NULL */},
	{4, 0, check_purpose_smime_sign, "S/MIME signing", /* NULL */},
	{5, 0, check_purpose_smime_encrypt, "S/MIME encryption", /* NULL */},
	{6, 0, check_purpose_crl_sign, "CRL signing", /* NULL */},
	{-1, 0, NULL, NULL, /* NULL */}
};

IMPLEMENT_STACK_OF(X509_PURPOSE)

static STACK_OF(X509_PURPOSE) *xptable = NULL;

static int xp_cmp(X509_PURPOSE **a, X509_PURPOSE **b)
{
	return (*a)->purpose_id - (*b)->purpose_id;
}

int X509_check_purpose(X509 *x, int id, int ca)
{
	int idx;
	X509_PURPOSE *pt;
	if(!(x->ex_flags & EXFLAG_SET)) {
		CRYPTO_w_lock(CRYPTO_LOCK_X509);
		x509v3_cache_extensions(x);
		CRYPTO_w_unlock(CRYPTO_LOCK_X509);
	}
	idx = x509_purpose_get_idx(id);
	if(idx == -1) return -1;
	pt = sk_X509_PURPOSE_value(xptable, idx);
	return pt->check_purpose(pt, x,ca);
}
			

static int x509_purpose_get_idx(int id)
{
	X509_PURPOSE tmp;
	tmp.purpose_id = id;
	if(!xptable) return -1;
	return sk_X509_PURPOSE_find(xptable, &tmp);
}

int X509_PURPOSE_add(X509_PURPOSE *xp)
{
	int idx;
	if(!xptable)
		{
		xptable = sk_X509_PURPOSE_new(xp_cmp);
		if (!xptable) 
			{
			X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
			return 0;
			}
		}
			
	idx = x509_purpose_get_idx(xp->purpose_id);
	if(idx != -1)
		sk_X509_PURPOSE_set(xptable, idx, xp);
	else
		if (!sk_X509_PURPOSE_push(xptable, xp))
			{
			X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
			return 0;
			}
	return 1;
}

static void xptable_free(X509_PURPOSE *p)
	{
	if (p->purpose_flags & X509_PURPOSE_DYNAMIC) 
		{
		if (p->purpose_flags & X509_PURPOSE_DYNAMIC_NAME)
			Free(p->purpose_name);
		Free(p);
		}
	}

void X509_PURPOSE_cleanup(void)
{
	sk_X509_PURPOSE_pop_free(xptable, xptable_free);
	xptable = NULL;
}

void X509_PURPOSE_add_standard(void)
{
	X509_PURPOSE *xp;
	for(xp = xstandard; xp->purpose_name; xp++)
		X509_PURPOSE_add(xp);
}

int X509_PURPOSE_enum(int (*efunc)(X509_PURPOSE *, void *), void *usr)
{
	int i;
	X509_PURPOSE *xp;
	if(!xptable) return 0;
	for(i = 0; i < sk_X509_PURPOSE_num(xptable); i++) {
		xp = sk_X509_PURPOSE_value(xptable, i);
		if(!efunc(xp, usr)) return i;
	}
	return i;
}


int X509_PURPOSE_get_id(X509_PURPOSE *xp)
{
	return xp->purpose_id;
}

char *X509_PURPOSE_get_name(X509_PURPOSE *xp)
{
	return xp->purpose_name;
}

static void x509v3_cache_extensions(X509 *x)
{
	BASIC_CONSTRAINTS *bs;
	ASN1_BIT_STRING *usage;
	ASN1_BIT_STRING *ns;
	STACK_OF(ASN1_OBJECT) *extusage;
	int i;
	if(x->ex_flags & EXFLAG_SET) return;
	/* Does subject name match issuer ? */
	if(X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
			 x->ex_flags |= EXFLAG_SS;
	/* V1 should mean no extensions ... */
	if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
	/* Handle basic constraints */
	if((bs=X509V3_X509_get_d2i(x, NID_basic_constraints, NULL, NULL))) {
		if(bs->ca) x->ex_flags |= EXFLAG_CA;
		if(bs->pathlen) {
			if((bs->pathlen->type == V_ASN1_NEG_INTEGER)
						|| !bs->ca) {
				x->ex_flags |= EXFLAG_INVALID;
				x->ex_pathlen = 0;
			} else x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
		} else x->ex_pathlen = -1;
		BASIC_CONSTRAINTS_free(bs);
		x->ex_flags |= EXFLAG_BCONS;
	}
	/* Handle key usage */
	if((usage=X509V3_X509_get_d2i(x, NID_key_usage, NULL, NULL))) {
		if(usage->length > 0) {
			x->ex_kusage = usage->data[0];
			if(usage->length > 1) 
				x->ex_kusage |= usage->data[1] << 8;
		} else x->ex_kusage = 0;
		x->ex_flags |= EXFLAG_KUSAGE;
		ASN1_BIT_STRING_free(usage);
	}
	x->ex_xkusage = 0;
	if((extusage=X509V3_X509_get_d2i(x, NID_ext_key_usage, NULL, NULL))) {
		x->ex_flags |= EXFLAG_XKUSAGE;
		for(i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
			switch(OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage,i))) {
				case NID_server_auth:
				x->ex_xkusage |= XKU_SSL_SERVER;
				break;

				case NID_client_auth:
				x->ex_xkusage |= XKU_SSL_CLIENT;
				break;

				case NID_email_protect:
				x->ex_xkusage |= XKU_SMIME;
				break;

				case NID_code_sign:
				x->ex_xkusage |= XKU_CODE_SIGN;
				break;

				case NID_ms_sgc:
				case NID_ns_sgc:
				x->ex_xkusage |= XKU_SGC;
			}
		}
		sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
	}

	if((ns=X509V3_X509_get_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
		if(ns->length > 0) x->ex_nscert = ns->data[0];
		else x->ex_nscert = 0;
		x->ex_flags |= EXFLAG_NSCERT;
		ASN1_BIT_STRING_free(ns);
	}
	x->ex_flags |= EXFLAG_SET;
}

/* CA checks common to all purposes
 * return codes:
 * 0 not a CA
 * 1 is a CA
 * 2 basicConstraints absent so "maybe" a CA
 * 3 basicConstraints absent but self signed V1.
 */

#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
#define ku_reject(x, usage) \
	(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
#define xku_reject(x, usage) \
	(((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
#define ns_reject(x, usage) \
	(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))

static int ca_check(X509 *x)
{
	/* keyUsage if present should allow cert signing */
	if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
	if(x->ex_flags & EXFLAG_BCONS) {
		if(x->ex_flags & EXFLAG_CA) return 1;
		/* If basicConstraints says not a CA then say so */
		else return 0;
	} else {
		if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
		else return 2;
	}
}


static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca)
{
	if(xku_reject(x,XKU_SSL_CLIENT)) return 0;
	if(ca) {
		int ca_ret;
		ca_ret = ca_check(x);
		if(!ca_ret) return 0;
		/* check nsCertType if present */
		if(x->ex_flags & EXFLAG_NSCERT) {
			if(x->ex_nscert & NS_SSL_CA) return ca_ret;
			return 0;
		}
		if(ca_ret != 2) return ca_ret;
		else return 0;
	}
	/* We need to do digital signatures with it */
	if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0;
	/* nsCertType if present should allow SSL client use */	
	if(ns_reject(x, NS_SSL_CLIENT)) return 0;
	return 1;
}

static int check_purpose_ssl_server(X509_PURPOSE *xp, X509 *x, int ca)
{
	if(xku_reject(x,XKU_SSL_SERVER|XKU_SGC)) return 0;
	/* Otherwise same as SSL client for a CA */
	if(ca) return check_purpose_ssl_client(xp, x, 1);

	if(ns_reject(x, NS_SSL_SERVER)) return 0;
	/* Now as for keyUsage: we'll at least need to sign OR encipher */
	if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT)) return 0;
	
	return 1;

}

static int check_purpose_ns_ssl_server(X509_PURPOSE *xp, X509 *x, int ca)
{
	int ret;
	ret = check_purpose_ssl_server(xp, x, ca);
	if(!ret || ca) return ret;
	/* We need to encipher or Netscape complains */
	if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
	return ret;
}

/* common S/MIME checks */
static int purpose_smime(X509 *x, int ca)
{
	if(xku_reject(x,XKU_SMIME)) return 0;
	if(ca) {
		int ca_ret;
		ca_ret = ca_check(x);
		if(!ca_ret) return 0;
		/* check nsCertType if present */
		if(x->ex_flags & EXFLAG_NSCERT) {
			if(x->ex_nscert & NS_SMIME_CA) return ca_ret;
			return 0;
		}
		if(ca_ret != 2) return ca_ret;
		else return 0;
	}
	if(x->ex_flags & EXFLAG_NSCERT) {
		if(x->ex_nscert & NS_SMIME) return 1;
		/* Workaround for some buggy certificates */
		if(x->ex_nscert & NS_SSL_CLIENT) return 2;
		return 0;
	}
	return 1;
}

static int check_purpose_smime_sign(X509_PURPOSE *xp, X509 *x, int ca)
{
	int ret;
	ret = purpose_smime(x, ca);
	if(!ret || ca) return ret;
	if(ku_reject(x, KU_DIGITAL_SIGNATURE)) return 0;
	return ret;
}

static int check_purpose_smime_encrypt(X509_PURPOSE *xp, X509 *x, int ca)
{
	int ret;
	ret = purpose_smime(x, ca);
	if(!ret || ca) return ret;
	if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
	return ret;
}

static int check_purpose_crl_sign(X509_PURPOSE *xp, X509 *x, int ca)
{
	if(ca) {
		int ca_ret;
		if((ca_ret = ca_check(x)) != 2) return ca_ret;
		else return 0;
	}
	if(ku_reject(x, KU_CRL_SIGN)) return 0;
	return 1;
}
Commit	Line	Data
673b102c DSH	1	/* v3_purp.c */
	2	/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
	3	* project 1999.
	4	*/
	5	/* ====================================================================
	6	* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
	7	*
	8	* Redistribution and use in source and binary forms, with or without
	9	* modification, are permitted provided that the following conditions
	10	* are met:
	11	*
	12	* 1. Redistributions of source code must retain the above copyright
	13	* notice, this list of conditions and the following disclaimer.
	14	*
	15	* 2. Redistributions in binary form must reproduce the above copyright
	16	* notice, this list of conditions and the following disclaimer in
	17	* the documentation and/or other materials provided with the
	18	* distribution.
	19	*
	20	* 3. All advertising materials mentioning features or use of this
	21	* software must display the following acknowledgment:
	22	* "This product includes software developed by the OpenSSL Project
	23	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
	24	*
	25	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
	26	* endorse or promote products derived from this software without
	27	* prior written permission. For written permission, please contact
	28	* licensing@OpenSSL.org.
	29	*
	30	* 5. Products derived from this software may not be called "OpenSSL"
	31	* nor may "OpenSSL" appear in their names without prior written
	32	* permission of the OpenSSL Project.
	33	*
	34	* 6. Redistributions of any form whatsoever must retain the following
	35	* acknowledgment:
	36	* "This product includes software developed by the OpenSSL Project
	37	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
	38	*
	39	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
	40	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	41	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	42	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
	43	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	44	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	45	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	46	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	48	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	49	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
	50	* OF THE POSSIBILITY OF SUCH DAMAGE.
	51	* ====================================================================
	52	*
	53	* This product includes cryptographic software written by Eric Young
	54	* (eay@cryptsoft.com). This product includes software written by Tim
	55	* Hudson (tjh@cryptsoft.com).
	56	*
	57	*/
	58
	59	#include <stdio.h>
	60	#include "cryptlib.h"
	61	#include <openssl/x509v3.h>
	62
	63
	64	static int x509_purpose_get_idx(int id);
ce1b4fe1	65	static void x509v3_cache_extensions(X509 *x);
673b102c DSH	66
	67	static int ca_check(X509 *x);
	68	static int check_purpose_ssl_client(X509_PURPOSE xp, X509 x, int ca);
	69	static int check_purpose_ssl_server(X509_PURPOSE xp, X509 x, int ca);
	70	static int check_purpose_ns_ssl_server(X509_PURPOSE xp, X509 x, int ca);
	71	static int purpose_smime(X509 *x, int ca);
	72	static int check_purpose_smime_sign(X509_PURPOSE xp, X509 x, int ca);
	73	static int check_purpose_smime_encrypt(X509_PURPOSE xp, X509 x, int ca);
	74	static int check_purpose_crl_sign(X509_PURPOSE xp, X509 x, int ca);
	75
	76	static int xp_cmp(X509_PURPOSE a, X509_PURPOSE b);
	77
	78	static X509_PURPOSE xstandard[] = {
79875776 BM	79	{1, 0, check_purpose_ssl_client, "SSL client", /* NULL */},
	80	{2, 0, check_purpose_ssl_server, "SSL server", /* NULL */},
	81	{3, 0, check_purpose_ns_ssl_server, "Netscape SSL server", /* NULL */},
	82	{4, 0, check_purpose_smime_sign, "S/MIME signing", /* NULL */},
	83	{5, 0, check_purpose_smime_encrypt, "S/MIME encryption", /* NULL */},
	84	{6, 0, check_purpose_crl_sign, "CRL signing", /* NULL */},
	85	{-1, 0, NULL, NULL, /* NULL */}
673b102c DSH	86	};
	87
	88	IMPLEMENT_STACK_OF(X509_PURPOSE)
	89
79875776	90	static STACK_OF(X509_PURPOSE) *xptable = NULL;
673b102c DSH	91
	92	static int xp_cmp(X509_PURPOSE a, X509_PURPOSE b)
	93	{
	94	return (a)->purpose_id - (b)->purpose_id;
	95	}
	96
	97	int X509_check_purpose(X509 *x, int id, int ca)
	98	{
	99	int idx;
	100	X509_PURPOSE *pt;
	101	if(!(x->ex_flags & EXFLAG_SET)) {
	102	CRYPTO_w_lock(CRYPTO_LOCK_X509);
	103	x509v3_cache_extensions(x);
	104	CRYPTO_w_unlock(CRYPTO_LOCK_X509);
	105	}
	106	idx = x509_purpose_get_idx(id);
	107	if(idx == -1) return -1;
	108	pt = sk_X509_PURPOSE_value(xptable, idx);
	109	return pt->check_purpose(pt, x,ca);
	110	}
	111
ce1b4fe1	112
673b102c DSH	113
	114
	115	static int x509_purpose_get_idx(int id)
	116	{
	117	X509_PURPOSE tmp;
	118	tmp.purpose_id = id;
	119	if(!xptable) return -1;
	120	return sk_X509_PURPOSE_find(xptable, &tmp);
	121	}
	122
	123	int X509_PURPOSE_add(X509_PURPOSE *xp)
	124	{
	125	int idx;
79875776 BM	126	if(!xptable)
	127	{
	128	xptable = sk_X509_PURPOSE_new(xp_cmp);
	129	if (!xptable)
	130	{
	131	X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
	132	return 0;
	133	}
	134	}
	135
673b102c	136	idx = x509_purpose_get_idx(xp->purpose_id);
79875776 BM	137	if(idx != -1)
	138	sk_X509_PURPOSE_set(xptable, idx, xp);
	139	else
	140	if (!sk_X509_PURPOSE_push(xptable, xp))
	141	{
	142	X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
	143	return 0;
	144	}
673b102c DSH	145	return 1;
	146	}
	147
79875776 BM	148	static void xptable_free(X509_PURPOSE *p)
	149	{
	150	if (p->purpose_flags & X509_PURPOSE_DYNAMIC)
	151	{
	152	if (p->purpose_flags & X509_PURPOSE_DYNAMIC_NAME)
	153	Free(p->purpose_name);
	154	Free(p);
	155	}
	156	}
	157
	158	void X509_PURPOSE_cleanup(void)
	159	{
	160	sk_X509_PURPOSE_pop_free(xptable, xptable_free);
	161	xptable = NULL;
	162	}
	163
673b102c DSH	164	void X509_PURPOSE_add_standard(void)
	165	{
	166	X509_PURPOSE *xp;
	167	for(xp = xstandard; xp->purpose_name; xp++)
	168	X509_PURPOSE_add(xp);
	169	}
	170
	171	int X509_PURPOSE_enum(int (efunc)(X509_PURPOSE , void ), void usr)
	172	{
	173	int i;
	174	X509_PURPOSE *xp;
	175	if(!xptable) return 0;
	176	for(i = 0; i < sk_X509_PURPOSE_num(xptable); i++) {
	177	xp = sk_X509_PURPOSE_value(xptable, i);
	178	if(!efunc(xp, usr)) return i;
	179	}
	180	return i;
	181	}
	182
	183
	184	int X509_PURPOSE_get_id(X509_PURPOSE *xp)
	185	{
	186	return xp->purpose_id;
	187	}
	188
	189	char X509_PURPOSE_get_name(X509_PURPOSE xp)
	190	{
	191	return xp->purpose_name;
	192	}
	193
ce1b4fe1	194	static void x509v3_cache_extensions(X509 *x)
673b102c DSH	195	{
	196	BASIC_CONSTRAINTS *bs;
	197	ASN1_BIT_STRING *usage;
	198	ASN1_BIT_STRING *ns;
	199	STACK_OF(ASN1_OBJECT) *extusage;
	200	int i;
	201	if(x->ex_flags & EXFLAG_SET) return;
	202	/* Does subject name match issuer ? */
	203	if(X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
	204	x->ex_flags \|= EXFLAG_SS;
	205	/* V1 should mean no extensions ... */
	206	if(!X509_get_version(x)) x->ex_flags \|= EXFLAG_V1;
	207	/* Handle basic constraints */
	208	if((bs=X509V3_X509_get_d2i(x, NID_basic_constraints, NULL, NULL))) {
	209	if(bs->ca) x->ex_flags \|= EXFLAG_CA;
	210	if(bs->pathlen) {
	211	if((bs->pathlen->type == V_ASN1_NEG_INTEGER)
	212	\|\| !bs->ca) {
	213	x->ex_flags \|= EXFLAG_INVALID;
	214	x->ex_pathlen = 0;
	215	} else x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
	216	} else x->ex_pathlen = -1;
	217	BASIC_CONSTRAINTS_free(bs);
	218	x->ex_flags \|= EXFLAG_BCONS;
	219	}
	220	/* Handle key usage */
	221	if((usage=X509V3_X509_get_d2i(x, NID_key_usage, NULL, NULL))) {
	222	if(usage->length > 0) {
	223	x->ex_kusage = usage->data[0];
	224	if(usage->length > 1)
	225	x->ex_kusage \|= usage->data[1] << 8;
	226	} else x->ex_kusage = 0;
	227	x->ex_flags \|= EXFLAG_KUSAGE;
	228	ASN1_BIT_STRING_free(usage);
	229	}
	230	x->ex_xkusage = 0;
	231	if((extusage=X509V3_X509_get_d2i(x, NID_ext_key_usage, NULL, NULL))) {
	232	x->ex_flags \|= EXFLAG_XKUSAGE;
	233	for(i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
	234	switch(OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage,i))) {
	235	case NID_server_auth:
	236	x->ex_xkusage \|= XKU_SSL_SERVER;
	237	break;
	238
	239	case NID_client_auth:
	240	x->ex_xkusage \|= XKU_SSL_CLIENT;
	241	break;
	242
	243	case NID_email_protect:
	244	x->ex_xkusage \|= XKU_SMIME;
	245	break;
	246
	247	case NID_code_sign:
	248	x->ex_xkusage \|= XKU_CODE_SIGN;
	249	break;
	250
	251	case NID_ms_sgc:
	252	case NID_ns_sgc:
	253	x->ex_xkusage \|= XKU_SGC;
	254	}
	255	}
	256	sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
	257	}
	258
259	if((ns=X509V3_X509_get_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
260	if(ns->length > 0) x->ex_nscert = ns->data[0];
261	else x->ex_nscert = 0;
262	x->ex_flags \|= EXFLAG_NSCERT;
263	ASN1_BIT_STRING_free(ns);
264	}
265	x->ex_flags \|= EXFLAG_SET;
266	}
267
268	/* CA checks common to all purposes
269	* return codes:
270	* 0 not a CA
271	* 1 is a CA
272	* 2 basicConstraints absent so "maybe" a CA
273	* 3 basicConstraints absent but self signed V1.
274	*/
275
276	#define V1_ROOT (EXFLAG_V1\|EXFLAG_SS)
277	#define ku_reject(x, usage) \
278	(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
279	#define xku_reject(x, usage) \
280	(((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
281	#define ns_reject(x, usage) \
282	(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
283
284	static int ca_check(X509 *x)
285	{
286	/* keyUsage if present should allow cert signing */
287	if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
288	if(x->ex_flags & EXFLAG_BCONS) {
289	if(x->ex_flags & EXFLAG_CA) return 1;
290	/* If basicConstraints says not a CA then say so */
291	else return 0;
292	} else {
293	if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
294	else return 2;
295	}
296	}
297
298
299	static int check_purpose_ssl_client(X509_PURPOSE xp, X509 x, int ca)
300	{
301	if(xku_reject(x,XKU_SSL_CLIENT)) return 0;
302	if(ca) {
303	int ca_ret;
304	ca_ret = ca_check(x);
305	if(!ca_ret) return 0;
306	/* check nsCertType if present */
307	if(x->ex_flags & EXFLAG_NSCERT) {
308	if(x->ex_nscert & NS_SSL_CA) return ca_ret;
309	return 0;
310	}
311	if(ca_ret != 2) return ca_ret;
312	else return 0;
313	}
314	/* We need to do digital signatures with it */
315	if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0;
316	/* nsCertType if present should allow SSL client use */
317	if(ns_reject(x, NS_SSL_CLIENT)) return 0;
318	return 1;
319	}
320
321	static int check_purpose_ssl_server(X509_PURPOSE xp, X509 x, int ca)
322	{
323	if(xku_reject(x,XKU_SSL_SERVER\|XKU_SGC)) return 0;
324	/* Otherwise same as SSL client for a CA */
325	if(ca) return check_purpose_ssl_client(xp, x, 1);
326
327	if(ns_reject(x, NS_SSL_SERVER)) return 0;
328	/* Now as for keyUsage: we'll at least need to sign OR encipher */
329	if(ku_reject(x, KU_DIGITAL_SIGNATURE\|KU_KEY_ENCIPHERMENT)) return 0;
330
331	return 1;
332
333	}
334
335	static int check_purpose_ns_ssl_server(X509_PURPOSE xp, X509 x, int ca)
336	{
337	int ret;
338	ret = check_purpose_ssl_server(xp, x, ca);
339	if(!ret \|\| ca) return ret;
340	/* We need to encipher or Netscape complains */
341	if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
342	return ret;
343	}
344
345	/* common S/MIME checks */
346	static int purpose_smime(X509 *x, int ca)
347	{
348	if(xku_reject(x,XKU_SMIME)) return 0;
349	if(ca) {
350	int ca_ret;
351	ca_ret = ca_check(x);
352	if(!ca_ret) return 0;
353	/* check nsCertType if present */
354	if(x->ex_flags & EXFLAG_NSCERT) {
355	if(x->ex_nscert & NS_SMIME_CA) return ca_ret;
356	return 0;
357	}
358	if(ca_ret != 2) return ca_ret;
359	else return 0;
360	}
361	if(x->ex_flags & EXFLAG_NSCERT) {
362	if(x->ex_nscert & NS_SMIME) return 1;
363	/* Workaround for some buggy certificates */
364	if(x->ex_nscert & NS_SSL_CLIENT) return 2;
365	return 0;
366	}
367	return 1;
368	}
369
370	static int check_purpose_smime_sign(X509_PURPOSE xp, X509 x, int ca)
371	{
372	int ret;
373	ret = purpose_smime(x, ca);
374	if(!ret \|\| ca) return ret;
375	if(ku_reject(x, KU_DIGITAL_SIGNATURE)) return 0;
376	return ret;
377	}
378
379	static int check_purpose_smime_encrypt(X509_PURPOSE xp, X509 x, int ca)
380	{
381	int ret;
382	ret = purpose_smime(x, ca);
383	if(!ret \|\| ca) return ret;
384	if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
385	return ret;
386	}
387
388	static int check_purpose_crl_sign(X509_PURPOSE xp, X509 x, int ca)
389	{
390	if(ca) {
391	int ca_ret;
392	if((ca_ret = ca_check(x)) != 2) return ca_ret;
393	else return 0;
394	}
395	if(ku_reject(x, KU_CRL_SIGN)) return 0;
396	return 1;
397	}