crypto/x509/pcy_map.c

   1 /*
   2  * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include "internal/cryptlib.h"
  11 #include <openssl/x509.h>
  12 #include <openssl/x509v3.h>
  13 #include "internal/x509_int.h"
  14
  15 #include "pcy_int.h"
  16
  17 /*
  18  * Set policy mapping entries in cache. Note: this modifies the passed
  19  * POLICY_MAPPINGS structure
  20  */
  21
  22 int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
  23 {
  24     POLICY_MAPPING *map;
  25     X509_POLICY_DATA *data;
  26     X509_POLICY_CACHE *cache = x->policy_cache;
  27     int i;
  28     int ret = 0;
  29     if (sk_POLICY_MAPPING_num(maps) == 0) {
  30         ret = -1;
  31         goto bad_mapping;
  32     }
  33     for (i = 0; i < sk_POLICY_MAPPING_num(maps); i++) {
  34         map = sk_POLICY_MAPPING_value(maps, i);
  35         /* Reject if map to or from anyPolicy */
  36         if ((OBJ_obj2nid(map->subjectDomainPolicy) == NID_any_policy)
  37             || (OBJ_obj2nid(map->issuerDomainPolicy) == NID_any_policy)) {
  38             ret = -1;
  39             goto bad_mapping;
  40         }
  41
  42         /* Attempt to find matching policy data */
  43         data = policy_cache_find_data(cache, map->issuerDomainPolicy);
  44         /* If we don't have anyPolicy can't map */
  45         if (data == NULL && !cache->anyPolicy)
  46             continue;
  47
  48         /* Create a NODE from anyPolicy */
  49         if (data == NULL) {
  50             data = policy_data_new(NULL, map->issuerDomainPolicy,
  51                                    cache->anyPolicy->flags
  52                                    & POLICY_DATA_FLAG_CRITICAL);
  53             if (data == NULL)
  54                 goto bad_mapping;
  55             data->qualifier_set = cache->anyPolicy->qualifier_set;
  56             /*
  57              * map->issuerDomainPolicy = NULL;
  58              */
  59             data->flags |= POLICY_DATA_FLAG_MAPPED_ANY;
  60             data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
  61             if (!sk_X509_POLICY_DATA_push(cache->data, data)) {
  62                 policy_data_free(data);
  63                 goto bad_mapping;
  64             }
  65         } else
  66             data->flags |= POLICY_DATA_FLAG_MAPPED;
  67         if (!sk_ASN1_OBJECT_push(data->expected_policy_set,
  68                                  map->subjectDomainPolicy))
  69             goto bad_mapping;
  70         map->subjectDomainPolicy = NULL;
  71
  72     }
  73
  74     ret = 1;
  75  bad_mapping:
  76     if (ret == -1)
  77         x->ex_flags |= EXFLAG_INVALID_POLICY;
  78     sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
  79     return ret;
  80
  81 }