crypto/x509/x509_acert.c

   1 /*
   2  * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include <string.h>
  11 #include <crypto/ctype.h>
  12 #include <openssl/asn1t.h>
  13 #include <openssl/err.h>
  14 #include <openssl/x509.h>
  15 #include <openssl/x509v3.h>
  16 #include "x509_acert.h"
  17
  18 /*
  19  * OpenSSL ASN.1 template translation of RFC 5755 4.1.
  20  */
  21
  22 ASN1_SEQUENCE(OSSL_OBJECT_DIGEST_INFO) = {
  23     ASN1_EMBED(OSSL_OBJECT_DIGEST_INFO, digestedObjectType, ASN1_ENUMERATED),
  24     ASN1_OPT(OSSL_OBJECT_DIGEST_INFO, otherObjectTypeID, ASN1_OBJECT),
  25     ASN1_EMBED(OSSL_OBJECT_DIGEST_INFO, digestAlgorithm, X509_ALGOR),
  26     ASN1_EMBED(OSSL_OBJECT_DIGEST_INFO, objectDigest, ASN1_BIT_STRING),
  27 } ASN1_SEQUENCE_END(OSSL_OBJECT_DIGEST_INFO)
  28
  29 ASN1_SEQUENCE(OSSL_ISSUER_SERIAL) = {
  30     ASN1_SEQUENCE_OF(OSSL_ISSUER_SERIAL, issuer, GENERAL_NAME),
  31     ASN1_EMBED(OSSL_ISSUER_SERIAL, serial, ASN1_INTEGER),
  32     ASN1_OPT(OSSL_ISSUER_SERIAL, issuerUID, ASN1_BIT_STRING),
  33 } ASN1_SEQUENCE_END(OSSL_ISSUER_SERIAL)
  34
  35 ASN1_SEQUENCE(X509_ACERT_ISSUER_V2FORM) = {
  36     ASN1_SEQUENCE_OF_OPT(X509_ACERT_ISSUER_V2FORM, issuerName, GENERAL_NAME),
  37     ASN1_IMP_OPT(X509_ACERT_ISSUER_V2FORM, baseCertificateId, OSSL_ISSUER_SERIAL, 0),
  38     ASN1_IMP_OPT(X509_ACERT_ISSUER_V2FORM, objectDigestInfo, OSSL_OBJECT_DIGEST_INFO, 1),
  39 } ASN1_SEQUENCE_END(X509_ACERT_ISSUER_V2FORM)
  40
  41 ASN1_CHOICE(X509_ACERT_ISSUER) = {
  42     ASN1_SEQUENCE_OF(X509_ACERT_ISSUER, u.v1Form, GENERAL_NAME),
  43     ASN1_IMP(X509_ACERT_ISSUER, u.v2Form, X509_ACERT_ISSUER_V2FORM, 0),
  44 } ASN1_CHOICE_END(X509_ACERT_ISSUER)
  45
  46 ASN1_SEQUENCE(X509_HOLDER) = {
  47     ASN1_IMP_OPT(X509_HOLDER, baseCertificateID, OSSL_ISSUER_SERIAL, 0),
  48     ASN1_IMP_SEQUENCE_OF_OPT(X509_HOLDER, entityName, GENERAL_NAME, 1),
  49     ASN1_IMP_OPT(X509_HOLDER, objectDigestInfo, OSSL_OBJECT_DIGEST_INFO, 2),
  50 } ASN1_SEQUENCE_END(X509_HOLDER)
  51
  52 ASN1_SEQUENCE(X509_ACERT_INFO) = {
  53     ASN1_EMBED(X509_ACERT_INFO, version, ASN1_INTEGER),
  54     ASN1_EMBED(X509_ACERT_INFO, holder, X509_HOLDER),
  55     ASN1_EMBED(X509_ACERT_INFO, issuer, X509_ACERT_ISSUER),
  56     ASN1_EMBED(X509_ACERT_INFO, signature, X509_ALGOR),
  57     ASN1_EMBED(X509_ACERT_INFO, serialNumber, ASN1_INTEGER),
  58     ASN1_EMBED(X509_ACERT_INFO, validityPeriod, X509_VAL),
  59     ASN1_SEQUENCE_OF(X509_ACERT_INFO, attributes, X509_ATTRIBUTE),
  60     ASN1_OPT(X509_ACERT_INFO, issuerUID, ASN1_BIT_STRING),
  61     ASN1_SEQUENCE_OF_OPT(X509_ACERT_INFO, extensions, X509_EXTENSION),
  62 } ASN1_SEQUENCE_END(X509_ACERT_INFO)
  63
  64 ASN1_SEQUENCE(X509_ACERT) = {
  65     ASN1_SIMPLE(X509_ACERT, acinfo, X509_ACERT_INFO),
  66     ASN1_EMBED(X509_ACERT, sig_alg, X509_ALGOR),
  67     ASN1_EMBED(X509_ACERT, signature, ASN1_BIT_STRING),
  68 } ASN1_SEQUENCE_END(X509_ACERT)
  69
  70 IMPLEMENT_ASN1_FUNCTIONS(X509_ACERT)
  71 IMPLEMENT_ASN1_DUP_FUNCTION(X509_ACERT)
  72 IMPLEMENT_ASN1_ALLOC_FUNCTIONS(X509_ACERT_INFO)
  73 IMPLEMENT_ASN1_ALLOC_FUNCTIONS(OSSL_ISSUER_SERIAL)
  74 IMPLEMENT_ASN1_ALLOC_FUNCTIONS(OSSL_OBJECT_DIGEST_INFO)
  75 IMPLEMENT_ASN1_ALLOC_FUNCTIONS(X509_ACERT_ISSUER_V2FORM)
  76
  77 IMPLEMENT_PEM_rw(X509_ACERT, X509_ACERT, PEM_STRING_ACERT, X509_ACERT)
  78
  79 static X509_NAME *get_dirName(const GENERAL_NAMES *names)
  80 {
  81     GENERAL_NAME *dirName;
  82
  83     if (sk_GENERAL_NAME_num(names) != 1)
  84         return NULL;
  85
  86     dirName = sk_GENERAL_NAME_value(names, 0);
  87     if (dirName->type != GEN_DIRNAME)
  88         return NULL;
  89
  90     return dirName->d.directoryName;
  91 }
  92
  93 void OSSL_OBJECT_DIGEST_INFO_get0_digest(const OSSL_OBJECT_DIGEST_INFO *o,
  94                                          int *digestedObjectType,
  95                                          const X509_ALGOR **digestAlgorithm,
  96                                          const ASN1_BIT_STRING **digest)
  97 {
  98     if (digestedObjectType != NULL)
  99         *digestedObjectType = ASN1_ENUMERATED_get(&o->digestedObjectType);
 100     if (digestAlgorithm != NULL)
 101         *digestAlgorithm = &o->digestAlgorithm;
 102     if (digest != NULL)
 103         *digest = &o->objectDigest;
 104 }
 105
 106 const X509_NAME *OSSL_ISSUER_SERIAL_get0_issuer(const OSSL_ISSUER_SERIAL *isss)
 107 {
 108     return get_dirName(isss->issuer);
 109 }
 110
 111 const ASN1_INTEGER *OSSL_ISSUER_SERIAL_get0_serial(const OSSL_ISSUER_SERIAL *isss)
 112 {
 113     return &isss->serial;
 114 }
 115
 116 const ASN1_BIT_STRING *OSSL_ISSUER_SERIAL_get0_issuerUID(const OSSL_ISSUER_SERIAL *isss)
 117 {
 118     return isss->issuerUID;
 119 }
 120
 121 long X509_ACERT_get_version(const X509_ACERT *x)
 122 {
 123     return ASN1_INTEGER_get(&x->acinfo->version);
 124 }
 125
 126 void X509_ACERT_get0_signature(const X509_ACERT *x,
 127                                const ASN1_BIT_STRING **psig,
 128                                const X509_ALGOR **palg)
 129 {
 130     if (psig != NULL)
 131         *psig = &x->signature;
 132     if (palg != NULL)
 133         *palg = &x->sig_alg;
 134 }
 135
 136 int X509_ACERT_get_signature_nid(const X509_ACERT *x)
 137 {
 138     return OBJ_obj2nid(x->sig_alg.algorithm);
 139 }
 140
 141 const GENERAL_NAMES *X509_ACERT_get0_holder_entityName(const X509_ACERT *x)
 142 {
 143     return x->acinfo->holder.entityName;
 144 }
 145
 146 const OSSL_ISSUER_SERIAL *X509_ACERT_get0_holder_baseCertId(const X509_ACERT *x)
 147 {
 148     return x->acinfo->holder.baseCertificateID;
 149 }
 150
 151 const OSSL_OBJECT_DIGEST_INFO *X509_ACERT_get0_holder_digest(const X509_ACERT *x)
 152 {
 153     return x->acinfo->holder.objectDigestInfo;
 154 }
 155
 156 const X509_NAME *X509_ACERT_get0_issuerName(const X509_ACERT *x)
 157 {
 158     if (x->acinfo->issuer.type != X509_ACERT_ISSUER_V2
 159         || x->acinfo->issuer.u.v2Form == NULL)
 160         return NULL;
 161
 162     return get_dirName(x->acinfo->issuer.u.v2Form->issuerName);
 163 }
 164
 165 const ASN1_BIT_STRING *X509_ACERT_get0_issuerUID(const X509_ACERT *x)
 166 {
 167     return x->acinfo->issuerUID;
 168 }
 169
 170 const X509_ALGOR *X509_ACERT_get0_info_sigalg(const X509_ACERT *x)
 171 {
 172     return &x->acinfo->signature;
 173 }
 174
 175 const ASN1_INTEGER *X509_ACERT_get0_serialNumber(const X509_ACERT *x)
 176 {
 177     return &x->acinfo->serialNumber;
 178 }
 179
 180 const ASN1_GENERALIZEDTIME *X509_ACERT_get0_notBefore(const X509_ACERT *x)
 181 {
 182     return x->acinfo->validityPeriod.notBefore;
 183 }
 184
 185 const ASN1_GENERALIZEDTIME *X509_ACERT_get0_notAfter(const X509_ACERT *x)
 186 {
 187     return x->acinfo->validityPeriod.notAfter;
 188 }
 189
 190 /* Attribute management functions */
 191
 192 int X509_ACERT_get_attr_count(const X509_ACERT *x)
 193 {
 194     return X509at_get_attr_count(x->acinfo->attributes);
 195 }
 196
 197 int X509_ACERT_get_attr_by_NID(const X509_ACERT *x, int nid, int lastpos)
 198 {
 199     return X509at_get_attr_by_NID(x->acinfo->attributes, nid, lastpos);
 200 }
 201
 202 int X509_ACERT_get_attr_by_OBJ(const X509_ACERT *x, const ASN1_OBJECT *obj,
 203                                int lastpos)
 204 {
 205     return X509at_get_attr_by_OBJ(x->acinfo->attributes, obj, lastpos);
 206 }
 207
 208 X509_ATTRIBUTE *X509_ACERT_get_attr(const X509_ACERT *x, int loc)
 209 {
 210     return X509at_get_attr(x->acinfo->attributes, loc);
 211 }
 212
 213 X509_ATTRIBUTE *X509_ACERT_delete_attr(X509_ACERT *x, int loc)
 214 {
 215     return X509at_delete_attr(x->acinfo->attributes, loc);
 216 }
 217
 218 int X509_ACERT_add1_attr(X509_ACERT *x, X509_ATTRIBUTE *attr)
 219 {
 220     STACK_OF(X509_ATTRIBUTE) **attrs = &x->acinfo->attributes;
 221
 222     return X509at_add1_attr(attrs, attr) != NULL;
 223 }
 224
 225 int X509_ACERT_add1_attr_by_OBJ(X509_ACERT *x, const ASN1_OBJECT *obj,
 226                                 int type, const void *bytes, int len)
 227 {
 228     STACK_OF(X509_ATTRIBUTE) **attrs = &x->acinfo->attributes;
 229
 230     return X509at_add1_attr_by_OBJ(attrs, obj, type, bytes, len) != NULL;
 231 }
 232
 233 int X509_ACERT_add1_attr_by_NID(X509_ACERT *x, int nid, int type,
 234                                 const void *bytes, int len)
 235 {
 236     STACK_OF(X509_ATTRIBUTE) **attrs = &x->acinfo->attributes;
 237
 238     return X509at_add1_attr_by_NID(attrs, nid, type, bytes, len) != NULL;
 239 }
 240
 241 int X509_ACERT_add1_attr_by_txt(X509_ACERT *x, const char *attrname, int type,
 242                                 const unsigned char *bytes, int len)
 243 {
 244     STACK_OF(X509_ATTRIBUTE) **attrs = &x->acinfo->attributes;
 245
 246     return X509at_add1_attr_by_txt(attrs, attrname, type, bytes, len) != NULL;
 247 }
 248
 249 static int check_asn1_attribute(const char **value)
 250 {
 251     const char *p = *value;
 252
 253     if (strncmp(p, "ASN1:", 5) != 0)
 254         return 0;
 255
 256     p += 5;
 257     while (ossl_isspace(*p))
 258         p++;
 259
 260     *value = p;
 261     return 1;
 262 }
 263
 264 int X509_ACERT_add_attr_nconf(CONF *conf, const char *section,
 265                               X509_ACERT *acert)
 266 {
 267     int ret = 0, i;
 268     STACK_OF(CONF_VALUE) *attr_sk = NCONF_get_section(conf, section);
 269
 270     if (attr_sk == NULL)
 271         goto err;
 272
 273     for (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++) {
 274         CONF_VALUE *v = sk_CONF_VALUE_value(attr_sk, i);
 275         const char *value = v->value;
 276
 277         if (value == NULL) {
 278             ERR_raise_data(ERR_LIB_X509, X509_R_INVALID_ATTRIBUTES,
 279                            "name=%s,section=%s",v->name, section);
 280             goto err;
 281         }
 282
 283         if (check_asn1_attribute(&value) == 1) {
 284             int att_len;
 285             unsigned char *att_data = NULL;
 286             ASN1_TYPE *asn1 = ASN1_generate_nconf(value, conf);
 287
 288             if (asn1 == NULL)
 289                 goto err;
 290
 291             att_len = i2d_ASN1_TYPE(asn1, &att_data);
 292
 293             ret = X509_ACERT_add1_attr_by_txt(acert, v->name, V_ASN1_SEQUENCE,
 294                                               att_data, att_len);
 295             OPENSSL_free(att_data);
 296             ASN1_TYPE_free(asn1);
 297
 298             if (!ret)
 299                 goto err;
 300         } else {
 301             ret = X509_ACERT_add1_attr_by_txt(acert, v->name,
 302                                               V_ASN1_OCTET_STRING,
 303                                               (unsigned char *)value,
 304                                               strlen(value));
 305             if (!ret)
 306                 goto err;
 307         }
 308     }
 309     ret = 1;
 310 err:
 311     return ret;
 312 }
 313
 314 void *X509_ACERT_get_ext_d2i(const X509_ACERT *x, int nid, int *crit, int *idx)
 315 {
 316     return X509V3_get_d2i(x->acinfo->extensions, nid, crit, idx);
 317 }
 318
 319 int X509_ACERT_add1_ext_i2d(X509_ACERT *x, int nid, void *value, int crit,
 320                             unsigned long flags)
 321 {
 322     return X509V3_add1_i2d(&x->acinfo->extensions, nid, value, crit, flags);
 323 }
 324
 325 const STACK_OF(X509_EXTENSION) *X509_ACERT_get0_extensions(const X509_ACERT *x)
 326 {
 327     return x->acinfo->extensions;
 328 }