[thirdparty/openssl.git] / crypto / x509v3 / v3_conf.c

/*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
 * 1999.
 */
/* ====================================================================
 * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
/* extension creation utilities */

#include <stdio.h>
#include <ctype.h>
#include "internal/cryptlib.h"
#include <openssl/conf.h>
#include <openssl/x509.h>
#include "internal/x509_int.h"
#include <openssl/x509v3.h>

static int v3_check_critical(char **value);
static int v3_check_generic(char **value);
static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
                                    int crit, char *value);
static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
                                            int crit, int type,
                                            X509V3_CTX *ctx);
static char *conf_lhash_get_string(void *db, char *section, char *value);
static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section);
static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method,
                                  int ext_nid, int crit, void *ext_struc);
static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx,
                                   long *ext_len);
/* CONF *conf:  Config file    */
/* char *name:  Name    */
/* char *value:  Value    */
X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name,
                                 char *value)
{
    int crit;
    int ext_type;
    X509_EXTENSION *ret;
    crit = v3_check_critical(&value);
    if ((ext_type = v3_check_generic(&value)))
        return v3_generic_extension(name, value, crit, ext_type, ctx);
    ret = do_ext_nconf(conf, ctx, OBJ_sn2nid(name), crit, value);
    if (!ret) {
        X509V3err(X509V3_F_X509V3_EXT_NCONF, X509V3_R_ERROR_IN_EXTENSION);
        ERR_add_error_data(4, "name=", name, ", value=", value);
    }
    return ret;
}

/* CONF *conf:  Config file    */
/* char *value:  Value    */
X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
                                     char *value)
{
    int crit;
    int ext_type;
    crit = v3_check_critical(&value);
    if ((ext_type = v3_check_generic(&value)))
        return v3_generic_extension(OBJ_nid2sn(ext_nid),
                                    value, crit, ext_type, ctx);
    return do_ext_nconf(conf, ctx, ext_nid, crit, value);
}

/* CONF *conf:  Config file    */
/* char *value:  Value    */
static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
                                    int crit, char *value)
{
    const X509V3_EXT_METHOD *method;
    X509_EXTENSION *ext;
    STACK_OF(CONF_VALUE) *nval;
    void *ext_struc;

    if (ext_nid == NID_undef) {
        X509V3err(X509V3_F_DO_EXT_NCONF, X509V3_R_UNKNOWN_EXTENSION_NAME);
        return NULL;
    }
    if ((method = X509V3_EXT_get_nid(ext_nid)) == NULL) {
        X509V3err(X509V3_F_DO_EXT_NCONF, X509V3_R_UNKNOWN_EXTENSION);
        return NULL;
    }
    /* Now get internal extension representation based on type */
    if (method->v2i) {
        if (*value == '@')
            nval = NCONF_get_section(conf, value + 1);
        else
            nval = X509V3_parse_list(value);
        if (sk_CONF_VALUE_num(nval) <= 0) {
            X509V3err(X509V3_F_DO_EXT_NCONF,
                      X509V3_R_INVALID_EXTENSION_STRING);
            ERR_add_error_data(4, "name=", OBJ_nid2sn(ext_nid), ",section=",
                               value);
            return NULL;
        }
        ext_struc = method->v2i(method, ctx, nval);
        if (*value != '@')
            sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
        if (!ext_struc)
            return NULL;
    } else if (method->s2i) {
        if ((ext_struc = method->s2i(method, ctx, value)) == NULL)
            return NULL;
    } else if (method->r2i) {
        if (!ctx->db || !ctx->db_meth) {
            X509V3err(X509V3_F_DO_EXT_NCONF, X509V3_R_NO_CONFIG_DATABASE);
            return NULL;
        }
        if ((ext_struc = method->r2i(method, ctx, value)) == NULL)
            return NULL;
    } else {
        X509V3err(X509V3_F_DO_EXT_NCONF,
                  X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED);
        ERR_add_error_data(2, "name=", OBJ_nid2sn(ext_nid));
        return NULL;
    }

    ext = do_ext_i2d(method, ext_nid, crit, ext_struc);
    if (method->it)
        ASN1_item_free(ext_struc, ASN1_ITEM_ptr(method->it));
    else
        method->ext_free(ext_struc);
    return ext;

}

static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method,
                                  int ext_nid, int crit, void *ext_struc)
{
    unsigned char *ext_der = NULL;
    int ext_len;
    ASN1_OCTET_STRING *ext_oct = NULL;
    X509_EXTENSION *ext;
    /* Convert internal representation to DER */
    if (method->it) {
        ext_der = NULL;
        ext_len =
            ASN1_item_i2d(ext_struc, &ext_der, ASN1_ITEM_ptr(method->it));
        if (ext_len < 0)
            goto merr;
    } else {
        unsigned char *p;

        ext_len = method->i2d(ext_struc, NULL);
        if ((ext_der = OPENSSL_malloc(ext_len)) == NULL)
            goto merr;
        p = ext_der;
        method->i2d(ext_struc, &p);
    }
    if ((ext_oct = ASN1_OCTET_STRING_new()) == NULL)
        goto merr;
    ext_oct->data = ext_der;
    ext_der = NULL;
    ext_oct->length = ext_len;

    ext = X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct);
    if (!ext)
        goto merr;
    ASN1_OCTET_STRING_free(ext_oct);

    return ext;

 merr:
    X509V3err(X509V3_F_DO_EXT_I2D, ERR_R_MALLOC_FAILURE);
    OPENSSL_free(ext_der);
    ASN1_OCTET_STRING_free(ext_oct);
    return NULL;

}

/* Given an internal structure, nid and critical flag create an extension */

X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc)
{
    const X509V3_EXT_METHOD *method;

    if ((method = X509V3_EXT_get_nid(ext_nid)) == NULL) {
        X509V3err(X509V3_F_X509V3_EXT_I2D, X509V3_R_UNKNOWN_EXTENSION);
        return NULL;
    }
    return do_ext_i2d(method, ext_nid, crit, ext_struc);
}

/* Check the extension string for critical flag */
static int v3_check_critical(char **value)
{
    char *p = *value;
    if ((strlen(p) < 9) || strncmp(p, "critical,", 9))
        return 0;
    p += 9;
    while (isspace((unsigned char)*p))
        p++;
    *value = p;
    return 1;
}

/* Check extension string for generic extension and return the type */
static int v3_check_generic(char **value)
{
    int gen_type = 0;
    char *p = *value;
    if ((strlen(p) >= 4) && strncmp(p, "DER:", 4) == 0) {
        p += 4;
        gen_type = 1;
    } else if ((strlen(p) >= 5) && strncmp(p, "ASN1:", 5) == 0) {
        p += 5;
        gen_type = 2;
    } else
        return 0;

    while (isspace((unsigned char)*p))
        p++;
    *value = p;
    return gen_type;
}

/* Create a generic extension: for now just handle DER type */
static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
                                            int crit, int gen_type,
                                            X509V3_CTX *ctx)
{
    unsigned char *ext_der = NULL;
    long ext_len = 0;
    ASN1_OBJECT *obj = NULL;
    ASN1_OCTET_STRING *oct = NULL;
    X509_EXTENSION *extension = NULL;

    if ((obj = OBJ_txt2obj(ext, 0)) == NULL) {
        X509V3err(X509V3_F_V3_GENERIC_EXTENSION,
                  X509V3_R_EXTENSION_NAME_ERROR);
        ERR_add_error_data(2, "name=", ext);
        goto err;
    }

    if (gen_type == 1)
        ext_der = string_to_hex(value, &ext_len);
    else if (gen_type == 2)
        ext_der = generic_asn1(value, ctx, &ext_len);

    if (ext_der == NULL) {
        X509V3err(X509V3_F_V3_GENERIC_EXTENSION,
                  X509V3_R_EXTENSION_VALUE_ERROR);
        ERR_add_error_data(2, "value=", value);
        goto err;
    }

    if ((oct = ASN1_OCTET_STRING_new()) == NULL) {
        X509V3err(X509V3_F_V3_GENERIC_EXTENSION, ERR_R_MALLOC_FAILURE);
        goto err;
    }

    oct->data = ext_der;
    oct->length = ext_len;
    ext_der = NULL;

    extension = X509_EXTENSION_create_by_OBJ(NULL, obj, crit, oct);

 err:
    ASN1_OBJECT_free(obj);
    ASN1_OCTET_STRING_free(oct);
    OPENSSL_free(ext_der);
    return extension;

}

static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx,
                                   long *ext_len)
{
    ASN1_TYPE *typ;
    unsigned char *ext_der = NULL;
    typ = ASN1_generate_v3(value, ctx);
    if (typ == NULL)
        return NULL;
    *ext_len = i2d_ASN1_TYPE(typ, &ext_der);
    ASN1_TYPE_free(typ);
    return ext_der;
}

static void delete_ext(STACK_OF(X509_EXTENSION) *sk, X509_EXTENSION *dext)
{
    int idx;
    ASN1_OBJECT *obj;
    obj = X509_EXTENSION_get_object(dext);
    while ((idx = X509v3_get_ext_by_OBJ(sk, obj, -1)) >= 0) {
        X509_EXTENSION *tmpext = X509v3_get_ext(sk, idx);
        X509v3_delete_ext(sk, idx);
        X509_EXTENSION_free(tmpext);
    }
}

/*
 * This is the main function: add a bunch of extensions based on a config
 * file section to an extension STACK.
 */

int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section,
                            STACK_OF(X509_EXTENSION) **sk)
{
    X509_EXTENSION *ext;
    STACK_OF(CONF_VALUE) *nval;
    CONF_VALUE *val;
    int i;

    if ((nval = NCONF_get_section(conf, section)) == NULL)
        return 0;
    for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
        val = sk_CONF_VALUE_value(nval, i);
        if ((ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value)) == NULL)
            return 0;
        if (ctx->flags == X509V3_CTX_REPLACE)
            delete_ext(*sk, ext);
        if (sk)
            X509v3_add_ext(sk, ext, -1);
        X509_EXTENSION_free(ext);
    }
    return 1;
}

/*
 * Convenience functions to add extensions to a certificate, CRL and request
 */

int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
                         X509 *cert)
{
    STACK_OF(X509_EXTENSION) **sk = NULL;
    if (cert)
        sk = &cert->cert_info.extensions;
    return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
}

/* Same as above but for a CRL */

int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
                             X509_CRL *crl)
{
    STACK_OF(X509_EXTENSION) **sk = NULL;
    if (crl)
        sk = &crl->crl.extensions;
    return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
}

/* Add extensions to certificate request */

int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
                             X509_REQ *req)
{
    STACK_OF(X509_EXTENSION) *extlist = NULL, **sk = NULL;
    int i;
    if (req)
        sk = &extlist;
    i = X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
    if (!i || !sk)
        return i;
    i = X509_REQ_add_extensions(req, extlist);
    sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free);
    return i;
}

/* Config database functions */

char *X509V3_get_string(X509V3_CTX *ctx, char *name, char *section)
{
    if (!ctx->db || !ctx->db_meth || !ctx->db_meth->get_string) {
        X509V3err(X509V3_F_X509V3_GET_STRING, X509V3_R_OPERATION_NOT_DEFINED);
        return NULL;
    }
    if (ctx->db_meth->get_string)
        return ctx->db_meth->get_string(ctx->db, name, section);
    return NULL;
}

STACK_OF(CONF_VALUE) *X509V3_get_section(X509V3_CTX *ctx, char *section)
{
    if (!ctx->db || !ctx->db_meth || !ctx->db_meth->get_section) {
        X509V3err(X509V3_F_X509V3_GET_SECTION,
                  X509V3_R_OPERATION_NOT_DEFINED);
        return NULL;
    }
    if (ctx->db_meth->get_section)
        return ctx->db_meth->get_section(ctx->db, section);
    return NULL;
}

void X509V3_string_free(X509V3_CTX *ctx, char *str)
{
    if (!str)
        return;
    if (ctx->db_meth->free_string)
        ctx->db_meth->free_string(ctx->db, str);
}

void X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section)
{
    if (!section)
        return;
    if (ctx->db_meth->free_section)
        ctx->db_meth->free_section(ctx->db, section);
}

static char *nconf_get_string(void *db, char *section, char *value)
{
    return NCONF_get_string(db, section, value);
}

static STACK_OF(CONF_VALUE) *nconf_get_section(void *db, char *section)
{
    return NCONF_get_section(db, section);
}

static X509V3_CONF_METHOD nconf_method = {
    nconf_get_string,
    nconf_get_section,
    NULL,
    NULL
};

void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf)
{
    ctx->db_meth = &nconf_method;
    ctx->db = conf;
}

void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
                    X509_CRL *crl, int flags)
{
    ctx->issuer_cert = issuer;
    ctx->subject_cert = subj;
    ctx->crl = crl;
    ctx->subject_req = req;
    ctx->flags = flags;
}

/* Old conf compatibility functions */

X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
                                char *name, char *value)
{
    CONF ctmp;
    CONF_set_nconf(&ctmp, conf);
    return X509V3_EXT_nconf(&ctmp, ctx, name, value);
}

/* LHASH *conf:  Config file    */
/* char *value:  Value    */
X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf,
                                    X509V3_CTX *ctx, int ext_nid, char *value)
{
    CONF ctmp;
    CONF_set_nconf(&ctmp, conf);
    return X509V3_EXT_nconf_nid(&ctmp, ctx, ext_nid, value);
}

static char *conf_lhash_get_string(void *db, char *section, char *value)
{
    return CONF_get_string(db, section, value);
}

static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section)
{
    return CONF_get_section(db, section);
}

static X509V3_CONF_METHOD conf_lhash_method = {
    conf_lhash_get_string,
    conf_lhash_get_section,
    NULL,
    NULL
};

void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash)
{
    ctx->db_meth = &conf_lhash_method;
    ctx->db = lhash;
}

int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
                        char *section, X509 *cert)
{
    CONF ctmp;
    CONF_set_nconf(&ctmp, conf);
    return X509V3_EXT_add_nconf(&ctmp, ctx, section, cert);
}

/* Same as above but for a CRL */

int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
                            char *section, X509_CRL *crl)
{
    CONF ctmp;
    CONF_set_nconf(&ctmp, conf);
    return X509V3_EXT_CRL_add_nconf(&ctmp, ctx, section, crl);
}

/* Add extensions to certificate request */

int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
                            char *section, X509_REQ *req)
{
    CONF ctmp;
    CONF_set_nconf(&ctmp, conf);
    return X509V3_EXT_REQ_add_nconf(&ctmp, ctx, section, req);
}
Commit	Line	Data
0f113f3e MC	1	/*
	2	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
	3	* 1999.
9aeaf1b4 DSH	4	*/
9aeaf1b4 DSH	5	/* ====================================================================
9ea1b878	6	* Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved.
9aeaf1b4 DSH	7	*
	8	* Redistribution and use in source and binary forms, with or without
	9	* modification, are permitted provided that the following conditions
	10	* are met:
	11	*
	12	* 1. Redistributions of source code must retain the above copyright
0f113f3e	13	* notice, this list of conditions and the following disclaimer.
9aeaf1b4 DSH	14	*
	15	* 2. Redistributions in binary form must reproduce the above copyright
	16	* notice, this list of conditions and the following disclaimer in
	17	* the documentation and/or other materials provided with the
	18	* distribution.
	19	*
	20	* 3. All advertising materials mentioning features or use of this
	21	* software must display the following acknowledgment:
	22	* "This product includes software developed by the OpenSSL Project
	23	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
	24	*
	25	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
	26	* endorse or promote products derived from this software without
	27	* prior written permission. For written permission, please contact
	28	* licensing@OpenSSL.org.
	29	*
	30	* 5. Products derived from this software may not be called "OpenSSL"
	31	* nor may "OpenSSL" appear in their names without prior written
	32	* permission of the OpenSSL Project.
	33	*
	34	* 6. Redistributions of any form whatsoever must retain the following
	35	* acknowledgment:
	36	* "This product includes software developed by the OpenSSL Project
	37	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
	38	*
	39	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
	40	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	41	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	42	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
	43	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	44	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	45	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	46	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	48	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	49	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
	50	* OF THE POSSIBILITY OF SUCH DAMAGE.
	51	* ====================================================================
	52	*
	53	* This product includes cryptographic software written by Eric Young
	54	* (eay@cryptsoft.com). This product includes software written by Tim
	55	* Hudson (tjh@cryptsoft.com).
	56	*
	57	*/
388ff0b0	58	/* extension creation utilities */
9aeaf1b4	59
e527ba09	60	#include <stdio.h>
9aeaf1b4	61	#include <ctype.h>
b39fc560	62	#include "internal/cryptlib.h"
ec577822 BM	63	#include <openssl/conf.h>
ec577822 BM	64	#include <openssl/x509.h>
e3e57192	65	#include "internal/x509_int.h"
ec577822	66	#include <openssl/x509v3.h>
9aeaf1b4	67
388ff0b0 DSH	68	static int v3_check_critical(char **value);
388ff0b0 DSH	69	static int v3_check_generic(char **value);
0f113f3e MC	70	static X509_EXTENSION do_ext_nconf(CONF conf, X509V3_CTX *ctx, int ext_nid,
	71	int crit, char *value);
	72	static X509_EXTENSION v3_generic_extension(const char ext, char *value,
	73	int crit, int type,
	74	X509V3_CTX *ctx);
f5fedc04	75	static char conf_lhash_get_string(void db, char section, char value);
ba404b5e	76	static STACK_OF(CONF_VALUE) conf_lhash_get_section(void db, char *section);
0f113f3e MC	77	static X509_EXTENSION do_ext_i2d(const X509V3_EXT_METHOD method,
	78	int ext_nid, int crit, void *ext_struc);
	79	static unsigned char generic_asn1(char value, X509V3_CTX *ctx,
	80	long *ext_len);
b7a26e6d	81	/* CONF conf: Config file /
6b691a5c UM	82	/* char name: Name /
6b691a5c UM	83	/* char value: Value /
b7a26e6d	84	X509_EXTENSION X509V3_EXT_nconf(CONF conf, X509V3_CTX ctx, char name,
0f113f3e MC	85	char *value)
	86	{
	87	int crit;
	88	int ext_type;
	89	X509_EXTENSION *ret;
	90	crit = v3_check_critical(&value);
	91	if ((ext_type = v3_check_generic(&value)))
	92	return v3_generic_extension(name, value, crit, ext_type, ctx);
	93	ret = do_ext_nconf(conf, ctx, OBJ_sn2nid(name), crit, value);
	94	if (!ret) {
	95	X509V3err(X509V3_F_X509V3_EXT_NCONF, X509V3_R_ERROR_IN_EXTENSION);
	96	ERR_add_error_data(4, "name=", name, ", value=", value);
	97	}
	98	return ret;
	99	}
9aeaf1b4	100
b7a26e6d	101	/* CONF conf: Config file /
6b691a5c	102	/* char value: Value /
b7a26e6d	103	X509_EXTENSION X509V3_EXT_nconf_nid(CONF conf, X509V3_CTX *ctx, int ext_nid,
0f113f3e MC	104	char *value)
	105	{
	106	int crit;
	107	int ext_type;
	108	crit = v3_check_critical(&value);
	109	if ((ext_type = v3_check_generic(&value)))
	110	return v3_generic_extension(OBJ_nid2sn(ext_nid),
	111	value, crit, ext_type, ctx);
	112	return do_ext_nconf(conf, ctx, ext_nid, crit, value);
	113	}
388ff0b0	114
b7a26e6d	115	/* CONF conf: Config file /
6b691a5c	116	/* char value: Value /
b7a26e6d	117	static X509_EXTENSION do_ext_nconf(CONF conf, X509V3_CTX *ctx, int ext_nid,
0f113f3e MC	118	int crit, char *value)
	119	{
	120	const X509V3_EXT_METHOD *method;
	121	X509_EXTENSION *ext;
	122	STACK_OF(CONF_VALUE) *nval;
	123	void *ext_struc;
75ebbd9a	124
0f113f3e MC	125	if (ext_nid == NID_undef) {
	126	X509V3err(X509V3_F_DO_EXT_NCONF, X509V3_R_UNKNOWN_EXTENSION_NAME);
	127	return NULL;
	128	}
75ebbd9a	129	if ((method = X509V3_EXT_get_nid(ext_nid)) == NULL) {
0f113f3e MC	130	X509V3err(X509V3_F_DO_EXT_NCONF, X509V3_R_UNKNOWN_EXTENSION);
	131	return NULL;
	132	}
	133	/* Now get internal extension representation based on type */
	134	if (method->v2i) {
	135	if (*value == '@')
	136	nval = NCONF_get_section(conf, value + 1);
	137	else
	138	nval = X509V3_parse_list(value);
	139	if (sk_CONF_VALUE_num(nval) <= 0) {
	140	X509V3err(X509V3_F_DO_EXT_NCONF,
	141	X509V3_R_INVALID_EXTENSION_STRING);
	142	ERR_add_error_data(4, "name=", OBJ_nid2sn(ext_nid), ",section=",
	143	value);
	144	return NULL;
	145	}
	146	ext_struc = method->v2i(method, ctx, nval);
	147	if (*value != '@')
	148	sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
	149	if (!ext_struc)
	150	return NULL;
	151	} else if (method->s2i) {
75ebbd9a	152	if ((ext_struc = method->s2i(method, ctx, value)) == NULL)
0f113f3e MC	153	return NULL;
	154	} else if (method->r2i) {
	155	if (!ctx->db \|\| !ctx->db_meth) {
	156	X509V3err(X509V3_F_DO_EXT_NCONF, X509V3_R_NO_CONFIG_DATABASE);
	157	return NULL;
	158	}
75ebbd9a	159	if ((ext_struc = method->r2i(method, ctx, value)) == NULL)
0f113f3e MC	160	return NULL;
	161	} else {
	162	X509V3err(X509V3_F_DO_EXT_NCONF,
	163	X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED);
	164	ERR_add_error_data(2, "name=", OBJ_nid2sn(ext_nid));
	165	return NULL;
	166	}
	167
	168	ext = do_ext_i2d(method, ext_nid, crit, ext_struc);
	169	if (method->it)
	170	ASN1_item_free(ext_struc, ASN1_ITEM_ptr(method->it));
	171	else
	172	method->ext_free(ext_struc);
	173	return ext;
	174
	175	}
	176
	177	static X509_EXTENSION do_ext_i2d(const X509V3_EXT_METHOD method,
	178	int ext_nid, int crit, void *ext_struc)
	179	{
	180	unsigned char *ext_der = NULL;
	181	int ext_len;
	182	ASN1_OCTET_STRING *ext_oct = NULL;
	183	X509_EXTENSION *ext;
	184	/* Convert internal representation to DER */
	185	if (method->it) {
	186	ext_der = NULL;
	187	ext_len =
	188	ASN1_item_i2d(ext_struc, &ext_der, ASN1_ITEM_ptr(method->it));
	189	if (ext_len < 0)
	190	goto merr;
	191	} else {
	192	unsigned char *p;
75ebbd9a	193
0f113f3e	194	ext_len = method->i2d(ext_struc, NULL);
75ebbd9a	195	if ((ext_der = OPENSSL_malloc(ext_len)) == NULL)
0f113f3e MC	196	goto merr;
	197	p = ext_der;
	198	method->i2d(ext_struc, &p);
	199	}
75ebbd9a	200	if ((ext_oct = ASN1_OCTET_STRING_new()) == NULL)
0f113f3e MC	201	goto merr;
	202	ext_oct->data = ext_der;
	203	ext_der = NULL;
	204	ext_oct->length = ext_len;
	205
	206	ext = X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct);
	207	if (!ext)
	208	goto merr;
f422a514	209	ASN1_OCTET_STRING_free(ext_oct);
0f113f3e MC	210
	211	return ext;
	212
	213	merr:
	214	X509V3err(X509V3_F_DO_EXT_I2D, ERR_R_MALLOC_FAILURE);
b548a1f1	215	OPENSSL_free(ext_der);
0dfb9398	216	ASN1_OCTET_STRING_free(ext_oct);
0f113f3e MC	217	return NULL;
	218
	219	}
c8b41850 DSH	220
	221	/* Given an internal structure, nid and critical flag create an extension */
	222
	223	X509_EXTENSION X509V3_EXT_i2d(int ext_nid, int crit, void ext_struc)
0f113f3e MC	224	{
0f113f3e MC	225	const X509V3_EXT_METHOD *method;
75ebbd9a RS	226
75ebbd9a RS	227	if ((method = X509V3_EXT_get_nid(ext_nid)) == NULL) {
0f113f3e MC	228	X509V3err(X509V3_F_X509V3_EXT_I2D, X509V3_R_UNKNOWN_EXTENSION);
	229	return NULL;
	230	}
	231	return do_ext_i2d(method, ext_nid, crit, ext_struc);
9aeaf1b4 DSH	232	}
9aeaf1b4 DSH	233
388ff0b0	234	/* Check the extension string for critical flag */
6b691a5c	235	static int v3_check_critical(char **value)
388ff0b0	236	{
0f113f3e MC	237	char p = value;
	238	if ((strlen(p) < 9) \|\| strncmp(p, "critical,", 9))
	239	return 0;
	240	p += 9;
	241	while (isspace((unsigned char)*p))
	242	p++;
	243	*value = p;
	244	return 1;
388ff0b0 DSH	245	}
	246
	247	/* Check extension string for generic extension and return the type */
6b691a5c	248	static int v3_check_generic(char **value)
388ff0b0	249	{
0f113f3e MC	250	int gen_type = 0;
0f113f3e MC	251	char p = value;
86885c28	252	if ((strlen(p) >= 4) && strncmp(p, "DER:", 4) == 0) {
0f113f3e MC	253	p += 4;
0f113f3e MC	254	gen_type = 1;
86885c28	255	} else if ((strlen(p) >= 5) && strncmp(p, "ASN1:", 5) == 0) {
0f113f3e MC	256	p += 5;
	257	gen_type = 2;
	258	} else
	259	return 0;
	260
	261	while (isspace((unsigned char)*p))
	262	p++;
	263	*value = p;
	264	return gen_type;
388ff0b0 DSH	265	}
388ff0b0 DSH	266
c79b16e1	267	/* Create a generic extension: for now just handle DER type */
6b691a5c	268	static X509_EXTENSION v3_generic_extension(const char ext, char *value,
0f113f3e MC	269	int crit, int gen_type,
	270	X509V3_CTX *ctx)
	271	{
	272	unsigned char *ext_der = NULL;
4c9b0a03	273	long ext_len = 0;
0f113f3e MC	274	ASN1_OBJECT *obj = NULL;
	275	ASN1_OCTET_STRING *oct = NULL;
	276	X509_EXTENSION *extension = NULL;
75ebbd9a RS	277
75ebbd9a RS	278	if ((obj = OBJ_txt2obj(ext, 0)) == NULL) {
0f113f3e MC	279	X509V3err(X509V3_F_V3_GENERIC_EXTENSION,
	280	X509V3_R_EXTENSION_NAME_ERROR);
	281	ERR_add_error_data(2, "name=", ext);
	282	goto err;
	283	}
	284
	285	if (gen_type == 1)
	286	ext_der = string_to_hex(value, &ext_len);
	287	else if (gen_type == 2)
	288	ext_der = generic_asn1(value, ctx, &ext_len);
	289
	290	if (ext_der == NULL) {
	291	X509V3err(X509V3_F_V3_GENERIC_EXTENSION,
	292	X509V3_R_EXTENSION_VALUE_ERROR);
	293	ERR_add_error_data(2, "value=", value);
	294	goto err;
	295	}
	296
75ebbd9a	297	if ((oct = ASN1_OCTET_STRING_new()) == NULL) {
0f113f3e MC	298	X509V3err(X509V3_F_V3_GENERIC_EXTENSION, ERR_R_MALLOC_FAILURE);
	299	goto err;
	300	}
	301
	302	oct->data = ext_der;
	303	oct->length = ext_len;
	304	ext_der = NULL;
	305
	306	extension = X509_EXTENSION_create_by_OBJ(NULL, obj, crit, oct);
	307
	308	err:
	309	ASN1_OBJECT_free(obj);
f422a514	310	ASN1_OCTET_STRING_free(oct);
b548a1f1	311	OPENSSL_free(ext_der);
0f113f3e MC	312	return extension;
	313
	314	}
	315
	316	static unsigned char generic_asn1(char value, X509V3_CTX *ctx,
	317	long *ext_len)
	318	{
	319	ASN1_TYPE *typ;
	320	unsigned char *ext_der = NULL;
	321	typ = ASN1_generate_v3(value, ctx);
	322	if (typ == NULL)
	323	return NULL;
	324	*ext_len = i2d_ASN1_TYPE(typ, &ext_der);
	325	ASN1_TYPE_free(typ);
	326	return ext_der;
	327	}
388ff0b0	328
ebaa2cf5	329	static void delete_ext(STACK_OF(X509_EXTENSION) sk, X509_EXTENSION dext)
0f113f3e MC	330	{
	331	int idx;
	332	ASN1_OBJECT *obj;
	333	obj = X509_EXTENSION_get_object(dext);
	334	while ((idx = X509v3_get_ext_by_OBJ(sk, obj, -1)) >= 0) {
	335	X509_EXTENSION *tmpext = X509v3_get_ext(sk, idx);
	336	X509v3_delete_ext(sk, idx);
	337	X509_EXTENSION_free(tmpext);
	338	}
	339	}
9aeaf1b4	340
0f113f3e MC	341	/*
	342	* This is the main function: add a bunch of extensions based on a config
	343	* file section to an extension STACK.
	344	*/
b7a26e6d DSH	345
b7a26e6d DSH	346	int X509V3_EXT_add_nconf_sk(CONF conf, X509V3_CTX ctx, char *section,
0f113f3e MC	347	STACK_OF(X509_EXTENSION) **sk)
	348	{
	349	X509_EXTENSION *ext;
	350	STACK_OF(CONF_VALUE) *nval;
	351	CONF_VALUE *val;
	352	int i;
75ebbd9a RS	353
75ebbd9a RS	354	if ((nval = NCONF_get_section(conf, section)) == NULL)
0f113f3e MC	355	return 0;
	356	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
	357	val = sk_CONF_VALUE_value(nval, i);
75ebbd9a	358	if ((ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value)) == NULL)
0f113f3e MC	359	return 0;
	360	if (ctx->flags == X509V3_CTX_REPLACE)
	361	delete_ext(*sk, ext);
	362	if (sk)
	363	X509v3_add_ext(sk, ext, -1);
	364	X509_EXTENSION_free(ext);
	365	}
	366	return 1;
	367	}
	368
	369	/*
	370	* Convenience functions to add extensions to a certificate, CRL and request
	371	*/
b7a26e6d DSH	372
b7a26e6d DSH	373	int X509V3_EXT_add_nconf(CONF conf, X509V3_CTX ctx, char *section,
0f113f3e MC	374	X509 *cert)
	375	{
	376	STACK_OF(X509_EXTENSION) **sk = NULL;
	377	if (cert)
5cf6abd8	378	sk = &cert->cert_info.extensions;
0f113f3e MC	379	return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
0f113f3e MC	380	}
9aeaf1b4	381
1756d405 DSH	382	/* Same as above but for a CRL */
1756d405 DSH	383
b7a26e6d	384	int X509V3_EXT_CRL_add_nconf(CONF conf, X509V3_CTX ctx, char *section,
0f113f3e MC	385	X509_CRL *crl)
	386	{
	387	STACK_OF(X509_EXTENSION) **sk = NULL;
	388	if (crl)
7aef39a7	389	sk = &crl->crl.extensions;
0f113f3e MC	390	return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
0f113f3e MC	391	}
1756d405	392
c79b16e1 DSH	393	/* Add extensions to certificate request */
c79b16e1 DSH	394
b7a26e6d	395	int X509V3_EXT_REQ_add_nconf(CONF conf, X509V3_CTX ctx, char *section,
0f113f3e MC	396	X509_REQ *req)
	397	{
	398	STACK_OF(X509_EXTENSION) extlist = NULL, *sk = NULL;
	399	int i;
	400	if (req)
	401	sk = &extlist;
	402	i = X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
	403	if (!i \|\| !sk)
	404	return i;
	405	i = X509_REQ_add_extensions(req, extlist);
	406	sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free);
	407	return i;
	408	}
c79b16e1	409
1d48dd00 DSH	410	/* Config database functions */
1d48dd00 DSH	411
0f113f3e MC	412	char X509V3_get_string(X509V3_CTX ctx, char name, char section)
	413	{
	414	if (!ctx->db \|\| !ctx->db_meth \|\| !ctx->db_meth->get_string) {
	415	X509V3err(X509V3_F_X509V3_GET_STRING, X509V3_R_OPERATION_NOT_DEFINED);
	416	return NULL;
	417	}
	418	if (ctx->db_meth->get_string)
	419	return ctx->db_meth->get_string(ctx->db, name, section);
	420	return NULL;
	421	}
	422
	423	STACK_OF(CONF_VALUE) X509V3_get_section(X509V3_CTX ctx, char *section)
	424	{
	425	if (!ctx->db \|\| !ctx->db_meth \|\| !ctx->db_meth->get_section) {
	426	X509V3err(X509V3_F_X509V3_GET_SECTION,
	427	X509V3_R_OPERATION_NOT_DEFINED);
	428	return NULL;
	429	}
	430	if (ctx->db_meth->get_section)
	431	return ctx->db_meth->get_section(ctx->db, section);
	432	return NULL;
	433	}
1d48dd00	434
6b691a5c	435	void X509V3_string_free(X509V3_CTX ctx, char str)
0f113f3e MC	436	{
	437	if (!str)
	438	return;
	439	if (ctx->db_meth->free_string)
	440	ctx->db_meth->free_string(ctx->db, str);
	441	}
1d48dd00	442
ba404b5e	443	void X509V3_section_free(X509V3_CTX ctx, STACK_OF(CONF_VALUE) section)
0f113f3e MC	444	{
	445	if (!section)
	446	return;
	447	if (ctx->db_meth->free_section)
	448	ctx->db_meth->free_section(ctx->db, section);
	449	}
b7a26e6d DSH	450
b7a26e6d DSH	451	static char nconf_get_string(void db, char section, char value)
0f113f3e MC	452	{
	453	return NCONF_get_string(db, section, value);
	454	}
b7a26e6d DSH	455
b7a26e6d DSH	456	static STACK_OF(CONF_VALUE) nconf_get_section(void db, char *section)
0f113f3e MC	457	{
	458	return NCONF_get_section(db, section);
	459	}
b7a26e6d DSH	460
b7a26e6d DSH	461	static X509V3_CONF_METHOD nconf_method = {
0f113f3e MC	462	nconf_get_string,
	463	nconf_get_section,
	464	NULL,
	465	NULL
b7a26e6d DSH	466	};
	467
	468	void X509V3_set_nconf(X509V3_CTX ctx, CONF conf)
0f113f3e MC	469	{
	470	ctx->db_meth = &nconf_method;
	471	ctx->db = conf;
	472	}
b7a26e6d DSH	473
b7a26e6d DSH	474	void X509V3_set_ctx(X509V3_CTX ctx, X509 issuer, X509 subj, X509_REQ req,
0f113f3e MC	475	X509_CRL *crl, int flags)
	476	{
	477	ctx->issuer_cert = issuer;
	478	ctx->subject_cert = subj;
	479	ctx->crl = crl;
	480	ctx->subject_req = req;
	481	ctx->flags = flags;
	482	}
b7a26e6d DSH	483
	484	/* Old conf compatibility functions */
	485
3c1d6bbc	486	X509_EXTENSION X509V3_EXT_conf(LHASH_OF(CONF_VALUE) conf, X509V3_CTX *ctx,
0f113f3e MC	487	char name, char value)
	488	{
	489	CONF ctmp;
	490	CONF_set_nconf(&ctmp, conf);
	491	return X509V3_EXT_nconf(&ctmp, ctx, name, value);
	492	}
b7a26e6d DSH	493
	494	/* LHASH conf: Config file /
	495	/* char value: Value /
0f113f3e MC	496	X509_EXTENSION X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) conf,
	497	X509V3_CTX ctx, int ext_nid, char value)
	498	{
	499	CONF ctmp;
	500	CONF_set_nconf(&ctmp, conf);
	501	return X509V3_EXT_nconf_nid(&ctmp, ctx, ext_nid, value);
	502	}
1d48dd00	503
6b691a5c	504	static char conf_lhash_get_string(void db, char section, char value)
0f113f3e MC	505	{
	506	return CONF_get_string(db, section, value);
	507	}
1d48dd00	508
ba404b5e	509	static STACK_OF(CONF_VALUE) conf_lhash_get_section(void db, char *section)
0f113f3e MC	510	{
	511	return CONF_get_section(db, section);
	512	}
1d48dd00 DSH	513
1d48dd00 DSH	514	static X509V3_CONF_METHOD conf_lhash_method = {
0f113f3e MC	515	conf_lhash_get_string,
	516	conf_lhash_get_section,
	517	NULL,
	518	NULL
1d48dd00 DSH	519	};
1d48dd00 DSH	520
3c1d6bbc	521	void X509V3_set_conf_lhash(X509V3_CTX ctx, LHASH_OF(CONF_VALUE) lhash)
0f113f3e MC	522	{
	523	ctx->db_meth = &conf_lhash_method;
	524	ctx->db = lhash;
	525	}
1d48dd00	526
3c1d6bbc	527	int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) conf, X509V3_CTX ctx,
0f113f3e MC	528	char section, X509 cert)
	529	{
	530	CONF ctmp;
	531	CONF_set_nconf(&ctmp, conf);
	532	return X509V3_EXT_add_nconf(&ctmp, ctx, section, cert);
	533	}
b7a26e6d DSH	534
	535	/* Same as above but for a CRL */
	536
3c1d6bbc	537	int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) conf, X509V3_CTX ctx,
0f113f3e MC	538	char section, X509_CRL crl)
	539	{
	540	CONF ctmp;
	541	CONF_set_nconf(&ctmp, conf);
	542	return X509V3_EXT_CRL_add_nconf(&ctmp, ctx, section, crl);
	543	}
b7a26e6d DSH	544
	545	/* Add extensions to certificate request */
	546
3c1d6bbc	547	int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) conf, X509V3_CTX ctx,
0f113f3e MC	548	char section, X509_REQ req)
	549	{
	550	CONF ctmp;
	551	CONF_set_nconf(&ctmp, conf);
	552	return X509V3_EXT_REQ_add_nconf(&ctmp, ctx, section, req);
	553	}