]>
Commit | Line | Data |
---|---|---|
b1322259 | 1 | /* |
3c2bdd7d | 2 | * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. |
d02b48c6 | 3 | * |
3e4b43b9 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
b1322259 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
d02b48c6 RE |
8 | */ |
9 | ||
10 | #include <stdio.h> | |
b39fc560 | 11 | #include "internal/cryptlib.h" |
9d6b1ce6 | 12 | #include <openssl/asn1t.h> |
ec577822 | 13 | #include <openssl/x509.h> |
25f2138b | 14 | #include "crypto/x509.h" |
d02b48c6 | 15 | |
1d97c843 TH |
16 | /*- |
17 | * X509_REQ_INFO is handled in an unusual way to get round | |
9d6b1ce6 DSH |
18 | * invalid encodings. Some broken certificate requests don't |
19 | * encode the attributes field if it is empty. This is in | |
20 | * violation of PKCS#10 but we need to tolerate it. We do | |
21 | * this by making the attributes field OPTIONAL then using | |
0f113f3e | 22 | * the callback to initialise it to an empty STACK. |
9d6b1ce6 DSH |
23 | * |
24 | * This means that the field will be correctly encoded unless | |
25 | * we NULL out the field. | |
26 | * | |
27 | * As a result we no longer need the req_kludge field because | |
28 | * the information is now contained in the attributes field: | |
29 | * 1. If it is NULL then it's the invalid omission. | |
30 | * 2. If it is empty it is the correct encoding. | |
31 | * 3. If it is not empty then some attributes are present. | |
32 | * | |
33 | */ | |
d02b48c6 | 34 | |
24484759 | 35 | static int rinf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, |
0f113f3e | 36 | void *exarg) |
9d6b1ce6 | 37 | { |
0f113f3e | 38 | X509_REQ_INFO *rinf = (X509_REQ_INFO *)*pval; |
d02b48c6 | 39 | |
0f113f3e MC |
40 | if (operation == ASN1_OP_NEW_POST) { |
41 | rinf->attributes = sk_X509_ATTRIBUTE_new_null(); | |
42 | if (!rinf->attributes) | |
43 | return 0; | |
44 | } | |
45 | return 1; | |
9d6b1ce6 DSH |
46 | } |
47 | ||
bc42bd62 PY |
48 | static int req_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, |
49 | void *exarg) | |
50 | { | |
bc42bd62 PY |
51 | X509_REQ *ret = (X509_REQ *)*pval; |
52 | ||
53 | switch (operation) { | |
54 | case ASN1_OP_D2I_PRE: | |
70a7dd6f | 55 | ASN1_OCTET_STRING_free(ret->distinguishing_id); |
bc42bd62 PY |
56 | /* fall thru */ |
57 | case ASN1_OP_NEW_POST: | |
70a7dd6f | 58 | ret->distinguishing_id = NULL; |
bc42bd62 PY |
59 | break; |
60 | ||
61 | case ASN1_OP_FREE_POST: | |
70a7dd6f | 62 | ASN1_OCTET_STRING_free(ret->distinguishing_id); |
bc42bd62 | 63 | break; |
e72dbd8e SL |
64 | case ASN1_OP_DUP_POST: |
65 | { | |
66 | X509_REQ *old = exarg; | |
67 | ||
68 | if (!ossl_x509_req_set0_libctx(ret, old->libctx, old->propq)) | |
69 | return 0; | |
70 | } | |
71 | break; | |
bc42bd62 | 72 | } |
bc42bd62 PY |
73 | |
74 | return 1; | |
75 | } | |
76 | ||
9d6b1ce6 | 77 | ASN1_SEQUENCE_enc(X509_REQ_INFO, enc, rinf_cb) = { |
0f113f3e MC |
78 | ASN1_SIMPLE(X509_REQ_INFO, version, ASN1_INTEGER), |
79 | ASN1_SIMPLE(X509_REQ_INFO, subject, X509_NAME), | |
80 | ASN1_SIMPLE(X509_REQ_INFO, pubkey, X509_PUBKEY), | |
81 | /* This isn't really OPTIONAL but it gets round invalid | |
82 | * encodings | |
83 | */ | |
84 | ASN1_IMP_SET_OF_OPT(X509_REQ_INFO, attributes, X509_ATTRIBUTE, 0) | |
d339187b | 85 | } ASN1_SEQUENCE_END_enc(X509_REQ_INFO, X509_REQ_INFO) |
d02b48c6 | 86 | |
9d6b1ce6 | 87 | IMPLEMENT_ASN1_FUNCTIONS(X509_REQ_INFO) |
d02b48c6 | 88 | |
bc42bd62 | 89 | ASN1_SEQUENCE_ref(X509_REQ, req_cb) = { |
95ed0e7c | 90 | ASN1_EMBED(X509_REQ, req_info, X509_REQ_INFO), |
6e63c142 | 91 | ASN1_EMBED(X509_REQ, sig_alg, X509_ALGOR), |
0f113f3e | 92 | ASN1_SIMPLE(X509_REQ, signature, ASN1_BIT_STRING) |
d339187b | 93 | } ASN1_SEQUENCE_END_ref(X509_REQ, X509_REQ) |
d02b48c6 | 94 | |
9d6b1ce6 | 95 | IMPLEMENT_ASN1_FUNCTIONS(X509_REQ) |
0f113f3e | 96 | |
1241126a | 97 | IMPLEMENT_ASN1_DUP_FUNCTION(X509_REQ) |
bc42bd62 | 98 | |
70a7dd6f | 99 | void X509_REQ_set0_distinguishing_id(X509_REQ *x, ASN1_OCTET_STRING *d_id) |
bc42bd62 | 100 | { |
70a7dd6f RL |
101 | ASN1_OCTET_STRING_free(x->distinguishing_id); |
102 | x->distinguishing_id = d_id; | |
bc42bd62 PY |
103 | } |
104 | ||
70a7dd6f | 105 | ASN1_OCTET_STRING *X509_REQ_get0_distinguishing_id(X509_REQ *x) |
bc42bd62 | 106 | { |
70a7dd6f | 107 | return x->distinguishing_id; |
bc42bd62 | 108 | } |
e72dbd8e SL |
109 | |
110 | /* | |
111 | * This should only be used if the X509_REQ object was embedded inside another | |
112 | * asn1 object and it needs a libctx to operate. | |
113 | * Use X509_REQ_new_ex() instead if possible. | |
114 | */ | |
115 | int ossl_x509_req_set0_libctx(X509_REQ *x, OSSL_LIB_CTX *libctx, | |
116 | const char *propq) | |
117 | { | |
118 | if (x != NULL) { | |
119 | x->libctx = libctx; | |
120 | OPENSSL_free(x->propq); | |
121 | x->propq = NULL; | |
122 | if (propq != NULL) { | |
123 | x->propq = OPENSSL_strdup(propq); | |
124 | if (x->propq == NULL) | |
125 | return 0; | |
126 | } | |
127 | } | |
128 | return 1; | |
129 | } | |
130 | ||
131 | X509_REQ *X509_REQ_new_ex(OSSL_LIB_CTX *libctx, const char *propq) | |
132 | { | |
133 | X509_REQ *req = NULL; | |
134 | ||
135 | req = (X509_REQ *)ASN1_item_new((X509_REQ_it())); | |
136 | if (!ossl_x509_req_set0_libctx(req, libctx, propq)) { | |
137 | X509_REQ_free(req); | |
138 | req = NULL; | |
139 | } | |
140 | return req; | |
141 | } |