crypto/x509/v3_akey.c

   1 /*
   2  * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include <stdio.h>
  11 #include "internal/cryptlib.h"
  12 #include <openssl/conf.h>
  13 #include <openssl/asn1.h>
  14 #include <openssl/asn1t.h>
  15 #include <openssl/x509v3.h>
  16 #include "ext_dat.h"
  17
  18 DEFINE_STACK_OF(CONF_VALUE)
  19 DEFINE_STACK_OF(GENERAL_NAME)
  20
  21 static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
  22                                                  AUTHORITY_KEYID *akeyid,
  23                                                  STACK_OF(CONF_VALUE)
  24                                                  *extlist);
  25 static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
  26                                             X509V3_CTX *ctx,
  27                                             STACK_OF(CONF_VALUE) *values);
  28
  29 const X509V3_EXT_METHOD v3_akey_id = {
  30     NID_authority_key_identifier,
  31     X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_KEYID),
  32     0, 0, 0, 0,
  33     0, 0,
  34     (X509V3_EXT_I2V) i2v_AUTHORITY_KEYID,
  35     (X509V3_EXT_V2I)v2i_AUTHORITY_KEYID,
  36     0, 0,
  37     NULL
  38 };
  39
  40 static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
  41                                                  AUTHORITY_KEYID *akeyid,
  42                                                  STACK_OF(CONF_VALUE)
  43                                                  *extlist)
  44 {
  45     char *tmp;
  46     if (akeyid->keyid) {
  47         tmp = OPENSSL_buf2hexstr(akeyid->keyid->data, akeyid->keyid->length);
  48         if (tmp == NULL) {
  49             ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
  50             return NULL;
  51         }
  52         X509V3_add_value((akeyid->issuer || akeyid->serial) ? "keyid" : NULL,
  53                          tmp, &extlist);
  54         OPENSSL_free(tmp);
  55     }
  56     if (akeyid->issuer)
  57         extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);
  58     if (akeyid->serial) {
  59         tmp = OPENSSL_buf2hexstr(akeyid->serial->data, akeyid->serial->length);
  60         if (tmp == NULL) {
  61             ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
  62             return NULL;
  63         }
  64         X509V3_add_value("serial", tmp, &extlist);
  65         OPENSSL_free(tmp);
  66     }
  67     return extlist;
  68 }
  69
  70 /*-
  71  * Currently two options:
  72  * keyid: use the issuers subject keyid, the value 'always' means its is
  73  * an error if the issuer certificate doesn't have a key id.
  74  * issuer: use the issuers cert issuer and serial number. The default is
  75  * to only use this if keyid is not present. With the option 'always'
  76  * this is always included.
  77  */
  78
  79 static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
  80                                             X509V3_CTX *ctx,
  81                                             STACK_OF(CONF_VALUE) *values)
  82 {
  83     char keyid = 0, issuer = 0;
  84     int i;
  85     CONF_VALUE *cnf;
  86     ASN1_OCTET_STRING *ikeyid = NULL;
  87     X509_NAME *isname = NULL;
  88     GENERAL_NAMES *gens = NULL;
  89     GENERAL_NAME *gen = NULL;
  90     ASN1_INTEGER *serial = NULL;
  91     X509_EXTENSION *ext;
  92     X509 *cert;
  93     AUTHORITY_KEYID *akeyid;
  94
  95     for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
  96         cnf = sk_CONF_VALUE_value(values, i);
  97         if (strcmp(cnf->name, "keyid") == 0) {
  98             keyid = 1;
  99             if (cnf->value && strcmp(cnf->value, "always") == 0)
 100                 keyid = 2;
 101         } else if (strcmp(cnf->name, "issuer") == 0) {
 102             issuer = 1;
 103             if (cnf->value && strcmp(cnf->value, "always") == 0)
 104                 issuer = 2;
 105         } else {
 106             X509V3err(X509V3_F_V2I_AUTHORITY_KEYID, X509V3_R_UNKNOWN_OPTION);
 107             ERR_add_error_data(2, "name=", cnf->name);
 108             return NULL;
 109         }
 110     }
 111
 112     if (!ctx || !ctx->issuer_cert) {
 113         if (ctx && (ctx->flags == CTX_TEST))
 114             return AUTHORITY_KEYID_new();
 115         X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,
 116                   X509V3_R_NO_ISSUER_CERTIFICATE);
 117         return NULL;
 118     }
 119
 120     cert = ctx->issuer_cert;
 121
 122     if (keyid) {
 123         i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
 124         if ((i >= 0) && (ext = X509_get_ext(cert, i)))
 125             ikeyid = X509V3_EXT_d2i(ext);
 126         if (keyid == 2 && !ikeyid) {
 127             X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,
 128                       X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);
 129             return NULL;
 130         }
 131     }
 132
 133     if ((issuer && !ikeyid) || (issuer == 2)) {
 134         isname = X509_NAME_dup(X509_get_issuer_name(cert));
 135         serial = ASN1_INTEGER_dup(X509_get_serialNumber(cert));
 136         if (!isname || !serial) {
 137             X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,
 138                       X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
 139             goto err;
 140         }
 141     }
 142
 143     if ((akeyid = AUTHORITY_KEYID_new()) == NULL)
 144         goto err;
 145
 146     if (isname) {
 147         if ((gens = sk_GENERAL_NAME_new_null()) == NULL
 148             || (gen = GENERAL_NAME_new()) == NULL
 149             || !sk_GENERAL_NAME_push(gens, gen)) {
 150             X509V3err(X509V3_F_V2I_AUTHORITY_KEYID, ERR_R_MALLOC_FAILURE);
 151             goto err;
 152         }
 153         gen->type = GEN_DIRNAME;
 154         gen->d.dirn = isname;
 155     }
 156
 157     akeyid->issuer = gens;
 158     gen = NULL;
 159     gens = NULL;
 160     akeyid->serial = serial;
 161     akeyid->keyid = ikeyid;
 162
 163     return akeyid;
 164
 165  err:
 166     sk_GENERAL_NAME_free(gens);
 167     GENERAL_NAME_free(gen);
 168     X509_NAME_free(isname);
 169     ASN1_INTEGER_free(serial);
 170     ASN1_OCTET_STRING_free(ikeyid);
 171     return NULL;
 172 }