]>
Commit | Line | Data |
---|---|---|
673b102c DSH |
1 | /* v3_purp.c */ |
2 | /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL | |
3 | * project 1999. | |
4 | */ | |
5 | /* ==================================================================== | |
6 | * Copyright (c) 1999 The OpenSSL Project. All rights reserved. | |
7 | * | |
8 | * Redistribution and use in source and binary forms, with or without | |
9 | * modification, are permitted provided that the following conditions | |
10 | * are met: | |
11 | * | |
12 | * 1. Redistributions of source code must retain the above copyright | |
13 | * notice, this list of conditions and the following disclaimer. | |
14 | * | |
15 | * 2. Redistributions in binary form must reproduce the above copyright | |
16 | * notice, this list of conditions and the following disclaimer in | |
17 | * the documentation and/or other materials provided with the | |
18 | * distribution. | |
19 | * | |
20 | * 3. All advertising materials mentioning features or use of this | |
21 | * software must display the following acknowledgment: | |
22 | * "This product includes software developed by the OpenSSL Project | |
23 | * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" | |
24 | * | |
25 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
26 | * endorse or promote products derived from this software without | |
27 | * prior written permission. For written permission, please contact | |
28 | * licensing@OpenSSL.org. | |
29 | * | |
30 | * 5. Products derived from this software may not be called "OpenSSL" | |
31 | * nor may "OpenSSL" appear in their names without prior written | |
32 | * permission of the OpenSSL Project. | |
33 | * | |
34 | * 6. Redistributions of any form whatsoever must retain the following | |
35 | * acknowledgment: | |
36 | * "This product includes software developed by the OpenSSL Project | |
37 | * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" | |
38 | * | |
39 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
40 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
41 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
42 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
43 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
44 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
45 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
46 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
47 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
48 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
49 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
50 | * OF THE POSSIBILITY OF SUCH DAMAGE. | |
51 | * ==================================================================== | |
52 | * | |
53 | * This product includes cryptographic software written by Eric Young | |
54 | * (eay@cryptsoft.com). This product includes software written by Tim | |
55 | * Hudson (tjh@cryptsoft.com). | |
56 | * | |
57 | */ | |
58 | ||
59 | #include <stdio.h> | |
60 | #include "cryptlib.h" | |
61 | #include <openssl/x509v3.h> | |
2f043896 | 62 | #include <openssl/x509_vfy.h> |
673b102c | 63 | |
ce1b4fe1 | 64 | static void x509v3_cache_extensions(X509 *x); |
673b102c | 65 | |
ccd86b68 GT |
66 | static int ca_check(const X509 *x); |
67 | static int check_ssl_ca(const X509 *x); | |
68 | static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca); | |
69 | static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca); | |
70 | static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca); | |
71 | static int purpose_smime(const X509 *x, int ca); | |
72 | static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca); | |
73 | static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca); | |
74 | static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca); | |
75 | static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca); | |
81f169e9 | 76 | static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca); |
ccd86b68 GT |
77 | |
78 | static int xp_cmp(const X509_PURPOSE * const *a, | |
79 | const X509_PURPOSE * const *b); | |
d4cec6a1 | 80 | static void xptable_free(X509_PURPOSE *p); |
673b102c DSH |
81 | |
82 | static X509_PURPOSE xstandard[] = { | |
d4cec6a1 DSH |
83 | {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, check_purpose_ssl_client, "SSL client", "sslclient", NULL}, |
84 | {X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ssl_server, "SSL server", "sslserver", NULL}, | |
85 | {X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ns_ssl_server, "Netscape SSL server", "nssslserver", NULL}, | |
86 | {X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, "S/MIME signing", "smimesign", NULL}, | |
87 | {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL}, | |
068fdce8 DSH |
88 | {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL}, |
89 | {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL}, | |
81f169e9 | 90 | {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL}, |
673b102c DSH |
91 | }; |
92 | ||
dd413410 DSH |
93 | #define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE)) |
94 | ||
673b102c DSH |
95 | IMPLEMENT_STACK_OF(X509_PURPOSE) |
96 | ||
79875776 | 97 | static STACK_OF(X509_PURPOSE) *xptable = NULL; |
673b102c | 98 | |
ccd86b68 GT |
99 | static int xp_cmp(const X509_PURPOSE * const *a, |
100 | const X509_PURPOSE * const *b) | |
673b102c | 101 | { |
13938ace | 102 | return (*a)->purpose - (*b)->purpose; |
673b102c DSH |
103 | } |
104 | ||
ccd86b68 GT |
105 | /* As much as I'd like to make X509_check_purpose use a "const" X509* |
106 | * I really can't because it does recalculate hashes and do other non-const | |
107 | * things. */ | |
673b102c DSH |
108 | int X509_check_purpose(X509 *x, int id, int ca) |
109 | { | |
110 | int idx; | |
ccd86b68 | 111 | const X509_PURPOSE *pt; |
673b102c DSH |
112 | if(!(x->ex_flags & EXFLAG_SET)) { |
113 | CRYPTO_w_lock(CRYPTO_LOCK_X509); | |
114 | x509v3_cache_extensions(x); | |
115 | CRYPTO_w_unlock(CRYPTO_LOCK_X509); | |
116 | } | |
e947f396 | 117 | if(id == -1) return 1; |
d4cec6a1 | 118 | idx = X509_PURPOSE_get_by_id(id); |
673b102c | 119 | if(idx == -1) return -1; |
6d0d5431 | 120 | pt = X509_PURPOSE_get0(idx); |
dd413410 | 121 | return pt->check_purpose(pt, x, ca); |
673b102c | 122 | } |
e947f396 | 123 | |
d4cec6a1 DSH |
124 | int X509_PURPOSE_get_count(void) |
125 | { | |
dd413410 DSH |
126 | if(!xptable) return X509_PURPOSE_COUNT; |
127 | return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT; | |
d4cec6a1 | 128 | } |
ce1b4fe1 | 129 | |
6d0d5431 | 130 | X509_PURPOSE * X509_PURPOSE_get0(int idx) |
d4cec6a1 | 131 | { |
dd413410 DSH |
132 | if(idx < 0) return NULL; |
133 | if(idx < X509_PURPOSE_COUNT) return xstandard + idx; | |
134 | return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT); | |
d4cec6a1 DSH |
135 | } |
136 | ||
137 | int X509_PURPOSE_get_by_sname(char *sname) | |
138 | { | |
139 | int i; | |
140 | X509_PURPOSE *xptmp; | |
dd413410 | 141 | for(i = 0; i < X509_PURPOSE_get_count(); i++) { |
6d0d5431 | 142 | xptmp = X509_PURPOSE_get0(i); |
13938ace | 143 | if(!strcmp(xptmp->sname, sname)) return i; |
d4cec6a1 DSH |
144 | } |
145 | return -1; | |
146 | } | |
673b102c | 147 | |
13938ace | 148 | int X509_PURPOSE_get_by_id(int purpose) |
673b102c DSH |
149 | { |
150 | X509_PURPOSE tmp; | |
dd413410 DSH |
151 | int idx; |
152 | if((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX)) | |
153 | return purpose - X509_PURPOSE_MIN; | |
13938ace | 154 | tmp.purpose = purpose; |
673b102c | 155 | if(!xptable) return -1; |
dd413410 DSH |
156 | idx = sk_X509_PURPOSE_find(xptable, &tmp); |
157 | if(idx == -1) return -1; | |
158 | return idx + X509_PURPOSE_COUNT; | |
673b102c DSH |
159 | } |
160 | ||
dd413410 | 161 | int X509_PURPOSE_add(int id, int trust, int flags, |
ccd86b68 | 162 | int (*ck)(const X509_PURPOSE *, const X509 *, int), |
dd413410 | 163 | char *name, char *sname, void *arg) |
673b102c DSH |
164 | { |
165 | int idx; | |
dd413410 DSH |
166 | X509_PURPOSE *ptmp; |
167 | /* This is set according to what we change: application can't set it */ | |
168 | flags &= ~X509_PURPOSE_DYNAMIC; | |
169 | /* This will always be set for application modified trust entries */ | |
170 | flags |= X509_PURPOSE_DYNAMIC_NAME; | |
171 | /* Get existing entry if any */ | |
172 | idx = X509_PURPOSE_get_by_id(id); | |
173 | /* Need a new entry */ | |
174 | if(idx == -1) { | |
26a3a48d | 175 | if(!(ptmp = OPENSSL_malloc(sizeof(X509_PURPOSE)))) { |
79875776 BM |
176 | X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE); |
177 | return 0; | |
79875776 | 178 | } |
dd413410 | 179 | ptmp->flags = X509_PURPOSE_DYNAMIC; |
6d0d5431 | 180 | } else ptmp = X509_PURPOSE_get0(idx); |
dd413410 | 181 | |
26a3a48d | 182 | /* OPENSSL_free existing name if dynamic */ |
dd413410 | 183 | if(ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) { |
26a3a48d RL |
184 | OPENSSL_free(ptmp->name); |
185 | OPENSSL_free(ptmp->sname); | |
dd413410 DSH |
186 | } |
187 | /* dup supplied name */ | |
188 | ptmp->name = BUF_strdup(name); | |
189 | ptmp->sname = BUF_strdup(sname); | |
190 | if(!ptmp->name || !ptmp->sname) { | |
191 | X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE); | |
192 | return 0; | |
193 | } | |
194 | /* Keep the dynamic flag of existing entry */ | |
195 | ptmp->flags &= X509_PURPOSE_DYNAMIC; | |
196 | /* Set all other flags */ | |
197 | ptmp->flags |= flags; | |
198 | ||
199 | ptmp->purpose = id; | |
200 | ptmp->trust = trust; | |
201 | ptmp->check_purpose = ck; | |
202 | ptmp->usr_data = arg; | |
203 | ||
204 | /* If its a new entry manage the dynamic table */ | |
205 | if(idx == -1) { | |
206 | if(!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) { | |
207 | X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE); | |
208 | return 0; | |
209 | } | |
210 | if (!sk_X509_PURPOSE_push(xptable, ptmp)) { | |
79875776 BM |
211 | X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE); |
212 | return 0; | |
d4cec6a1 DSH |
213 | } |
214 | } | |
673b102c DSH |
215 | return 1; |
216 | } | |
217 | ||
79875776 BM |
218 | static void xptable_free(X509_PURPOSE *p) |
219 | { | |
d4cec6a1 | 220 | if(!p) return; |
13938ace | 221 | if (p->flags & X509_PURPOSE_DYNAMIC) |
79875776 | 222 | { |
13938ace | 223 | if (p->flags & X509_PURPOSE_DYNAMIC_NAME) { |
26a3a48d RL |
224 | OPENSSL_free(p->name); |
225 | OPENSSL_free(p->sname); | |
d4cec6a1 | 226 | } |
26a3a48d | 227 | OPENSSL_free(p); |
79875776 BM |
228 | } |
229 | } | |
230 | ||
231 | void X509_PURPOSE_cleanup(void) | |
232 | { | |
dd413410 | 233 | int i; |
79875776 | 234 | sk_X509_PURPOSE_pop_free(xptable, xptable_free); |
dd413410 | 235 | for(i = 0; i < X509_PURPOSE_COUNT; i++) xptable_free(xstandard + i); |
79875776 BM |
236 | xptable = NULL; |
237 | } | |
238 | ||
d4cec6a1 | 239 | int X509_PURPOSE_get_id(X509_PURPOSE *xp) |
673b102c | 240 | { |
13938ace | 241 | return xp->purpose; |
673b102c DSH |
242 | } |
243 | ||
c7cb16a8 | 244 | char *X509_PURPOSE_get0_name(X509_PURPOSE *xp) |
d4cec6a1 | 245 | { |
13938ace | 246 | return xp->name; |
d4cec6a1 | 247 | } |
673b102c | 248 | |
c7cb16a8 | 249 | char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp) |
673b102c | 250 | { |
13938ace | 251 | return xp->sname; |
673b102c DSH |
252 | } |
253 | ||
d4cec6a1 | 254 | int X509_PURPOSE_get_trust(X509_PURPOSE *xp) |
673b102c | 255 | { |
13938ace | 256 | return xp->trust; |
673b102c DSH |
257 | } |
258 | ||
ce1b4fe1 | 259 | static void x509v3_cache_extensions(X509 *x) |
673b102c DSH |
260 | { |
261 | BASIC_CONSTRAINTS *bs; | |
262 | ASN1_BIT_STRING *usage; | |
263 | ASN1_BIT_STRING *ns; | |
9d6b1ce6 | 264 | EXTENDED_KEY_USAGE *extusage; |
2f043896 | 265 | |
673b102c DSH |
266 | int i; |
267 | if(x->ex_flags & EXFLAG_SET) return; | |
2f043896 | 268 | #ifndef NO_SHA |
e947f396 | 269 | X509_digest(x, EVP_sha1(), x->sha1_hash, NULL); |
2f043896 | 270 | #endif |
673b102c | 271 | /* Does subject name match issuer ? */ |
51630a37 | 272 | if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) |
673b102c DSH |
273 | x->ex_flags |= EXFLAG_SS; |
274 | /* V1 should mean no extensions ... */ | |
275 | if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1; | |
276 | /* Handle basic constraints */ | |
ff8a4c47 | 277 | if((bs=X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) { |
673b102c DSH |
278 | if(bs->ca) x->ex_flags |= EXFLAG_CA; |
279 | if(bs->pathlen) { | |
280 | if((bs->pathlen->type == V_ASN1_NEG_INTEGER) | |
281 | || !bs->ca) { | |
282 | x->ex_flags |= EXFLAG_INVALID; | |
283 | x->ex_pathlen = 0; | |
284 | } else x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen); | |
285 | } else x->ex_pathlen = -1; | |
286 | BASIC_CONSTRAINTS_free(bs); | |
287 | x->ex_flags |= EXFLAG_BCONS; | |
288 | } | |
289 | /* Handle key usage */ | |
ff8a4c47 | 290 | if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) { |
673b102c DSH |
291 | if(usage->length > 0) { |
292 | x->ex_kusage = usage->data[0]; | |
293 | if(usage->length > 1) | |
294 | x->ex_kusage |= usage->data[1] << 8; | |
295 | } else x->ex_kusage = 0; | |
296 | x->ex_flags |= EXFLAG_KUSAGE; | |
297 | ASN1_BIT_STRING_free(usage); | |
298 | } | |
299 | x->ex_xkusage = 0; | |
ff8a4c47 | 300 | if((extusage=X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) { |
673b102c DSH |
301 | x->ex_flags |= EXFLAG_XKUSAGE; |
302 | for(i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) { | |
303 | switch(OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage,i))) { | |
304 | case NID_server_auth: | |
305 | x->ex_xkusage |= XKU_SSL_SERVER; | |
306 | break; | |
307 | ||
308 | case NID_client_auth: | |
309 | x->ex_xkusage |= XKU_SSL_CLIENT; | |
310 | break; | |
311 | ||
312 | case NID_email_protect: | |
313 | x->ex_xkusage |= XKU_SMIME; | |
314 | break; | |
315 | ||
316 | case NID_code_sign: | |
317 | x->ex_xkusage |= XKU_CODE_SIGN; | |
318 | break; | |
319 | ||
320 | case NID_ms_sgc: | |
321 | case NID_ns_sgc: | |
322 | x->ex_xkusage |= XKU_SGC; | |
81f169e9 DSH |
323 | break; |
324 | ||
325 | case NID_OCSP_sign: | |
326 | x->ex_xkusage |= XKU_OCSP_SIGN; | |
327 | break; | |
328 | ||
329 | case NID_time_stamp: | |
330 | x->ex_xkusage |= XKU_TIMESTAMP; | |
331 | break; | |
673b102c DSH |
332 | } |
333 | } | |
334 | sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free); | |
335 | } | |
336 | ||
ff8a4c47 | 337 | if((ns=X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) { |
673b102c DSH |
338 | if(ns->length > 0) x->ex_nscert = ns->data[0]; |
339 | else x->ex_nscert = 0; | |
340 | x->ex_flags |= EXFLAG_NSCERT; | |
341 | ASN1_BIT_STRING_free(ns); | |
342 | } | |
2f043896 DSH |
343 | x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL); |
344 | x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL); | |
673b102c DSH |
345 | x->ex_flags |= EXFLAG_SET; |
346 | } | |
347 | ||
348 | /* CA checks common to all purposes | |
349 | * return codes: | |
350 | * 0 not a CA | |
351 | * 1 is a CA | |
352 | * 2 basicConstraints absent so "maybe" a CA | |
353 | * 3 basicConstraints absent but self signed V1. | |
354 | */ | |
355 | ||
356 | #define V1_ROOT (EXFLAG_V1|EXFLAG_SS) | |
357 | #define ku_reject(x, usage) \ | |
358 | (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) | |
359 | #define xku_reject(x, usage) \ | |
360 | (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage))) | |
361 | #define ns_reject(x, usage) \ | |
362 | (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) | |
363 | ||
ccd86b68 | 364 | static int ca_check(const X509 *x) |
673b102c DSH |
365 | { |
366 | /* keyUsage if present should allow cert signing */ | |
367 | if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0; | |
368 | if(x->ex_flags & EXFLAG_BCONS) { | |
369 | if(x->ex_flags & EXFLAG_CA) return 1; | |
370 | /* If basicConstraints says not a CA then say so */ | |
371 | else return 0; | |
372 | } else { | |
373 | if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3; | |
374 | else return 2; | |
375 | } | |
376 | } | |
377 | ||
0cb957a6 | 378 | /* Check SSL CA: common checks for SSL client and server */ |
ccd86b68 | 379 | static int check_ssl_ca(const X509 *x) |
0cb957a6 DSH |
380 | { |
381 | int ca_ret; | |
382 | ca_ret = ca_check(x); | |
383 | if(!ca_ret) return 0; | |
384 | /* check nsCertType if present */ | |
385 | if(x->ex_flags & EXFLAG_NSCERT) { | |
386 | if(x->ex_nscert & NS_SSL_CA) return ca_ret; | |
387 | return 0; | |
388 | } | |
389 | if(ca_ret != 2) return ca_ret; | |
390 | else return 0; | |
391 | } | |
392 | ||
673b102c | 393 | |
ccd86b68 | 394 | static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca) |
673b102c DSH |
395 | { |
396 | if(xku_reject(x,XKU_SSL_CLIENT)) return 0; | |
0cb957a6 | 397 | if(ca) return check_ssl_ca(x); |
673b102c DSH |
398 | /* We need to do digital signatures with it */ |
399 | if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0; | |
400 | /* nsCertType if present should allow SSL client use */ | |
401 | if(ns_reject(x, NS_SSL_CLIENT)) return 0; | |
402 | return 1; | |
403 | } | |
404 | ||
ccd86b68 | 405 | static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca) |
673b102c DSH |
406 | { |
407 | if(xku_reject(x,XKU_SSL_SERVER|XKU_SGC)) return 0; | |
0cb957a6 | 408 | if(ca) return check_ssl_ca(x); |
673b102c DSH |
409 | |
410 | if(ns_reject(x, NS_SSL_SERVER)) return 0; | |
411 | /* Now as for keyUsage: we'll at least need to sign OR encipher */ | |
412 | if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT)) return 0; | |
413 | ||
414 | return 1; | |
415 | ||
416 | } | |
417 | ||
ccd86b68 | 418 | static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca) |
673b102c DSH |
419 | { |
420 | int ret; | |
421 | ret = check_purpose_ssl_server(xp, x, ca); | |
422 | if(!ret || ca) return ret; | |
423 | /* We need to encipher or Netscape complains */ | |
424 | if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0; | |
425 | return ret; | |
426 | } | |
427 | ||
428 | /* common S/MIME checks */ | |
ccd86b68 | 429 | static int purpose_smime(const X509 *x, int ca) |
673b102c DSH |
430 | { |
431 | if(xku_reject(x,XKU_SMIME)) return 0; | |
432 | if(ca) { | |
433 | int ca_ret; | |
434 | ca_ret = ca_check(x); | |
435 | if(!ca_ret) return 0; | |
436 | /* check nsCertType if present */ | |
437 | if(x->ex_flags & EXFLAG_NSCERT) { | |
438 | if(x->ex_nscert & NS_SMIME_CA) return ca_ret; | |
439 | return 0; | |
440 | } | |
441 | if(ca_ret != 2) return ca_ret; | |
442 | else return 0; | |
443 | } | |
444 | if(x->ex_flags & EXFLAG_NSCERT) { | |
445 | if(x->ex_nscert & NS_SMIME) return 1; | |
446 | /* Workaround for some buggy certificates */ | |
447 | if(x->ex_nscert & NS_SSL_CLIENT) return 2; | |
448 | return 0; | |
449 | } | |
450 | return 1; | |
451 | } | |
452 | ||
ccd86b68 | 453 | static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca) |
673b102c DSH |
454 | { |
455 | int ret; | |
456 | ret = purpose_smime(x, ca); | |
457 | if(!ret || ca) return ret; | |
458 | if(ku_reject(x, KU_DIGITAL_SIGNATURE)) return 0; | |
459 | return ret; | |
460 | } | |
461 | ||
ccd86b68 | 462 | static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca) |
673b102c DSH |
463 | { |
464 | int ret; | |
465 | ret = purpose_smime(x, ca); | |
466 | if(!ret || ca) return ret; | |
467 | if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0; | |
468 | return ret; | |
469 | } | |
470 | ||
ccd86b68 | 471 | static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca) |
673b102c DSH |
472 | { |
473 | if(ca) { | |
474 | int ca_ret; | |
475 | if((ca_ret = ca_check(x)) != 2) return ca_ret; | |
476 | else return 0; | |
477 | } | |
478 | if(ku_reject(x, KU_CRL_SIGN)) return 0; | |
479 | return 1; | |
480 | } | |
068fdce8 | 481 | |
81f169e9 DSH |
482 | /* OCSP helper: this is *not* a full OCSP check. It just checks that |
483 | * each CA is valid. Additional checks must be made on the chain. | |
484 | */ | |
485 | ||
486 | static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca) | |
487 | { | |
488 | /* Must be a valid CA */ | |
489 | if(ca) { | |
490 | int ca_ret; | |
491 | ca_ret = ca_check(x); | |
492 | if(ca_ret != 2) return ca_ret; | |
493 | if(x->ex_flags & EXFLAG_NSCERT) { | |
494 | if(x->ex_nscert & NS_ANY_CA) return ca_ret; | |
495 | return 0; | |
496 | } | |
497 | return 0; | |
498 | } | |
499 | /* leaf certificate is checked in OCSP_verify() */ | |
500 | return 1; | |
501 | } | |
502 | ||
ccd86b68 | 503 | static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca) |
068fdce8 DSH |
504 | { |
505 | return 1; | |
506 | } | |
2f043896 DSH |
507 | |
508 | /* Various checks to see if one certificate issued the second. | |
509 | * This can be used to prune a set of possible issuer certificates | |
510 | * which have been looked up using some simple method such as by | |
511 | * subject name. | |
512 | * These are: | |
513 | * 1. Check issuer_name(subject) == subject_name(issuer) | |
514 | * 2. If akid(subject) exists check it matches issuer | |
515 | * 3. If key_usage(issuer) exists check it supports certificate signing | |
516 | * returns 0 for OK, positive for reason for mismatch, reasons match | |
517 | * codes for X509_verify_cert() | |
518 | */ | |
519 | ||
520 | int X509_check_issued(X509 *issuer, X509 *subject) | |
521 | { | |
522 | if(X509_NAME_cmp(X509_get_subject_name(issuer), | |
523 | X509_get_issuer_name(subject))) | |
524 | return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; | |
525 | x509v3_cache_extensions(issuer); | |
526 | x509v3_cache_extensions(subject); | |
527 | if(subject->akid) { | |
528 | /* Check key ids (if present) */ | |
529 | if(subject->akid->keyid && issuer->skid && | |
530 | ASN1_OCTET_STRING_cmp(subject->akid->keyid, issuer->skid) ) | |
531 | return X509_V_ERR_AKID_SKID_MISMATCH; | |
532 | /* Check serial number */ | |
533 | if(subject->akid->serial && | |
534 | ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), | |
535 | subject->akid->serial)) | |
536 | return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH; | |
537 | /* Check issuer name */ | |
538 | if(subject->akid->issuer) { | |
539 | /* Ugh, for some peculiar reason AKID includes | |
540 | * SEQUENCE OF GeneralName. So look for a DirName. | |
541 | * There may be more than one but we only take any | |
542 | * notice of the first. | |
543 | */ | |
9d6b1ce6 | 544 | GENERAL_NAMES *gens; |
2f043896 DSH |
545 | GENERAL_NAME *gen; |
546 | X509_NAME *nm = NULL; | |
547 | int i; | |
548 | gens = subject->akid->issuer; | |
549 | for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) { | |
550 | gen = sk_GENERAL_NAME_value(gens, i); | |
551 | if(gen->type == GEN_DIRNAME) { | |
552 | nm = gen->d.dirn; | |
553 | break; | |
554 | } | |
555 | } | |
556 | if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer))) | |
557 | return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH; | |
558 | } | |
559 | } | |
560 | if(ku_reject(issuer, KU_KEY_CERT_SIGN)) return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; | |
561 | return X509_V_OK; | |
562 | } | |
563 |