3 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
6 /* ====================================================================
7 * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * licensing@OpenSSL.org.
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
35 * 6. Redistributions of any form whatsoever must retain the following
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
62 #include <openssl/asn1t.h>
63 #include <openssl/conf.h>
64 #include <openssl/x509v3.h>
66 #include "internal/x509_int.h"
68 static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD
*method
,
70 STACK_OF(CONF_VALUE
) *nval
);
71 static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD
*method
, void *a
,
73 static int do_i2r_name_constraints(const X509V3_EXT_METHOD
*method
,
74 STACK_OF(GENERAL_SUBTREE
) *trees
, BIO
*bp
,
76 static int print_nc_ipadd(BIO
*bp
, ASN1_OCTET_STRING
*ip
);
78 static int nc_match(GENERAL_NAME
*gen
, NAME_CONSTRAINTS
*nc
);
79 static int nc_match_single(GENERAL_NAME
*sub
, GENERAL_NAME
*gen
);
80 static int nc_dn(X509_NAME
*sub
, X509_NAME
*nm
);
81 static int nc_dns(ASN1_IA5STRING
*sub
, ASN1_IA5STRING
*dns
);
82 static int nc_email(ASN1_IA5STRING
*sub
, ASN1_IA5STRING
*eml
);
83 static int nc_uri(ASN1_IA5STRING
*uri
, ASN1_IA5STRING
*base
);
84 static int nc_ip(ASN1_OCTET_STRING
*ip
, ASN1_OCTET_STRING
*base
);
86 const X509V3_EXT_METHOD v3_name_constraints
= {
87 NID_name_constraints
, 0,
88 ASN1_ITEM_ref(NAME_CONSTRAINTS
),
91 0, v2i_NAME_CONSTRAINTS
,
92 i2r_NAME_CONSTRAINTS
, 0,
96 ASN1_SEQUENCE(GENERAL_SUBTREE
) = {
97 ASN1_SIMPLE(GENERAL_SUBTREE
, base
, GENERAL_NAME
),
98 ASN1_IMP_OPT(GENERAL_SUBTREE
, minimum
, ASN1_INTEGER
, 0),
99 ASN1_IMP_OPT(GENERAL_SUBTREE
, maximum
, ASN1_INTEGER
, 1)
100 } ASN1_SEQUENCE_END(GENERAL_SUBTREE
)
102 ASN1_SEQUENCE(NAME_CONSTRAINTS
) = {
103 ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS
, permittedSubtrees
,
105 ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS
, excludedSubtrees
,
107 } ASN1_SEQUENCE_END(NAME_CONSTRAINTS
)
110 IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE
)
111 IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS
)
113 static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD
*method
,
114 X509V3_CTX
*ctx
, STACK_OF(CONF_VALUE
) *nval
)
117 CONF_VALUE tval
, *val
;
118 STACK_OF(GENERAL_SUBTREE
) **ptree
= NULL
;
119 NAME_CONSTRAINTS
*ncons
= NULL
;
120 GENERAL_SUBTREE
*sub
= NULL
;
122 ncons
= NAME_CONSTRAINTS_new();
125 for (i
= 0; i
< sk_CONF_VALUE_num(nval
); i
++) {
126 val
= sk_CONF_VALUE_value(nval
, i
);
127 if (strncmp(val
->name
, "permitted", 9) == 0 && val
->name
[9]) {
128 ptree
= &ncons
->permittedSubtrees
;
129 tval
.name
= val
->name
+ 10;
130 } else if (strncmp(val
->name
, "excluded", 8) == 0 && val
->name
[8]) {
131 ptree
= &ncons
->excludedSubtrees
;
132 tval
.name
= val
->name
+ 9;
134 X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS
, X509V3_R_INVALID_SYNTAX
);
137 tval
.value
= val
->value
;
138 sub
= GENERAL_SUBTREE_new();
139 if (!v2i_GENERAL_NAME_ex(sub
->base
, method
, ctx
, &tval
, 1))
142 *ptree
= sk_GENERAL_SUBTREE_new_null();
143 if (!*ptree
|| !sk_GENERAL_SUBTREE_push(*ptree
, sub
))
151 X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS
, ERR_R_MALLOC_FAILURE
);
153 NAME_CONSTRAINTS_free(ncons
);
154 GENERAL_SUBTREE_free(sub
);
159 static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD
*method
, void *a
,
162 NAME_CONSTRAINTS
*ncons
= a
;
163 do_i2r_name_constraints(method
, ncons
->permittedSubtrees
,
164 bp
, ind
, "Permitted");
165 do_i2r_name_constraints(method
, ncons
->excludedSubtrees
,
166 bp
, ind
, "Excluded");
170 static int do_i2r_name_constraints(const X509V3_EXT_METHOD
*method
,
171 STACK_OF(GENERAL_SUBTREE
) *trees
,
172 BIO
*bp
, int ind
, char *name
)
174 GENERAL_SUBTREE
*tree
;
176 if (sk_GENERAL_SUBTREE_num(trees
) > 0)
177 BIO_printf(bp
, "%*s%s:\n", ind
, "", name
);
178 for (i
= 0; i
< sk_GENERAL_SUBTREE_num(trees
); i
++) {
179 tree
= sk_GENERAL_SUBTREE_value(trees
, i
);
180 BIO_printf(bp
, "%*s", ind
+ 2, "");
181 if (tree
->base
->type
== GEN_IPADD
)
182 print_nc_ipadd(bp
, tree
->base
->d
.ip
);
184 GENERAL_NAME_print(bp
, tree
->base
);
190 static int print_nc_ipadd(BIO
*bp
, ASN1_OCTET_STRING
*ip
)
198 BIO_printf(bp
, "%d.%d.%d.%d/%d.%d.%d.%d",
199 p
[0], p
[1], p
[2], p
[3], p
[4], p
[5], p
[6], p
[7]);
200 } else if (len
== 32) {
201 for (i
= 0; i
< 16; i
++) {
202 BIO_printf(bp
, "%X", p
[0] << 8 | p
[1]);
210 BIO_printf(bp
, "IP Address:<invalid>");
215 * Check a certificate conforms to a specified set of constraints.
217 * X509_V_OK: All constraints obeyed.
218 * X509_V_ERR_PERMITTED_VIOLATION: Permitted subtree violation.
219 * X509_V_ERR_EXCLUDED_VIOLATION: Excluded subtree violation.
220 * X509_V_ERR_SUBTREE_MINMAX: Min or max values present and matching type.
221 * X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: Unsupported constraint type.
222 * X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: bad unsupported constraint syntax.
223 * X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: bad or unsupported syntax of name
226 int NAME_CONSTRAINTS_check(X509
*x
, NAME_CONSTRAINTS
*nc
)
231 nm
= X509_get_subject_name(x
);
233 if (X509_NAME_entry_count(nm
) > 0) {
235 gntmp
.type
= GEN_DIRNAME
;
236 gntmp
.d
.directoryName
= nm
;
238 r
= nc_match(&gntmp
, nc
);
243 gntmp
.type
= GEN_EMAIL
;
245 /* Process any email address attributes in subject name */
249 i
= X509_NAME_get_index_by_NID(nm
, NID_pkcs9_emailAddress
, i
);
252 ne
= X509_NAME_get_entry(nm
, i
);
253 gntmp
.d
.rfc822Name
= X509_NAME_ENTRY_get_data(ne
);
254 if (gntmp
.d
.rfc822Name
->type
!= V_ASN1_IA5STRING
)
255 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
;
257 r
= nc_match(&gntmp
, nc
);
265 for (i
= 0; i
< sk_GENERAL_NAME_num(x
->altname
); i
++) {
266 GENERAL_NAME
*gen
= sk_GENERAL_NAME_value(x
->altname
, i
);
267 r
= nc_match(gen
, nc
);
276 static int nc_match(GENERAL_NAME
*gen
, NAME_CONSTRAINTS
*nc
)
278 GENERAL_SUBTREE
*sub
;
282 * Permitted subtrees: if any subtrees exist of matching the type at
283 * least one subtree must match.
286 for (i
= 0; i
< sk_GENERAL_SUBTREE_num(nc
->permittedSubtrees
); i
++) {
287 sub
= sk_GENERAL_SUBTREE_value(nc
->permittedSubtrees
, i
);
288 if (gen
->type
!= sub
->base
->type
)
290 if (sub
->minimum
|| sub
->maximum
)
291 return X509_V_ERR_SUBTREE_MINMAX
;
292 /* If we already have a match don't bother trying any more */
297 r
= nc_match_single(gen
, sub
->base
);
300 else if (r
!= X509_V_ERR_PERMITTED_VIOLATION
)
305 return X509_V_ERR_PERMITTED_VIOLATION
;
307 /* Excluded subtrees: must not match any of these */
309 for (i
= 0; i
< sk_GENERAL_SUBTREE_num(nc
->excludedSubtrees
); i
++) {
310 sub
= sk_GENERAL_SUBTREE_value(nc
->excludedSubtrees
, i
);
311 if (gen
->type
!= sub
->base
->type
)
313 if (sub
->minimum
|| sub
->maximum
)
314 return X509_V_ERR_SUBTREE_MINMAX
;
316 r
= nc_match_single(gen
, sub
->base
);
318 return X509_V_ERR_EXCLUDED_VIOLATION
;
319 else if (r
!= X509_V_ERR_PERMITTED_VIOLATION
)
328 static int nc_match_single(GENERAL_NAME
*gen
, GENERAL_NAME
*base
)
330 switch (base
->type
) {
332 return nc_dn(gen
->d
.directoryName
, base
->d
.directoryName
);
335 return nc_dns(gen
->d
.dNSName
, base
->d
.dNSName
);
338 return nc_email(gen
->d
.rfc822Name
, base
->d
.rfc822Name
);
341 return nc_uri(gen
->d
.uniformResourceIdentifier
,
342 base
->d
.uniformResourceIdentifier
);
345 return nc_ip(gen
->d
.iPAddress
, base
->d
.iPAddress
);
348 return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
;
354 * directoryName name constraint matching. The canonical encoding of
355 * X509_NAME makes this comparison easy. It is matched if the subtree is a
356 * subset of the name.
359 static int nc_dn(X509_NAME
*nm
, X509_NAME
*base
)
361 /* Ensure canonical encodings are up to date. */
362 if (nm
->modified
&& i2d_X509_NAME(nm
, NULL
) < 0)
363 return X509_V_ERR_OUT_OF_MEM
;
364 if (base
->modified
&& i2d_X509_NAME(base
, NULL
) < 0)
365 return X509_V_ERR_OUT_OF_MEM
;
366 if (base
->canon_enclen
> nm
->canon_enclen
)
367 return X509_V_ERR_PERMITTED_VIOLATION
;
368 if (memcmp(base
->canon_enc
, nm
->canon_enc
, base
->canon_enclen
))
369 return X509_V_ERR_PERMITTED_VIOLATION
;
373 static int nc_dns(ASN1_IA5STRING
*dns
, ASN1_IA5STRING
*base
)
375 char *baseptr
= (char *)base
->data
;
376 char *dnsptr
= (char *)dns
->data
;
377 /* Empty matches everything */
381 * Otherwise can add zero or more components on the left so compare RHS
382 * and if dns is longer and expect '.' as preceding character.
384 if (dns
->length
> base
->length
) {
385 dnsptr
+= dns
->length
- base
->length
;
386 if (*baseptr
!= '.' && dnsptr
[-1] != '.')
387 return X509_V_ERR_PERMITTED_VIOLATION
;
390 if (strcasecmp(baseptr
, dnsptr
))
391 return X509_V_ERR_PERMITTED_VIOLATION
;
397 static int nc_email(ASN1_IA5STRING
*eml
, ASN1_IA5STRING
*base
)
399 const char *baseptr
= (char *)base
->data
;
400 const char *emlptr
= (char *)eml
->data
;
402 const char *baseat
= strchr(baseptr
, '@');
403 const char *emlat
= strchr(emlptr
, '@');
405 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
;
406 /* Special case: inital '.' is RHS match */
407 if (!baseat
&& (*baseptr
== '.')) {
408 if (eml
->length
> base
->length
) {
409 emlptr
+= eml
->length
- base
->length
;
410 if (strcasecmp(baseptr
, emlptr
) == 0)
413 return X509_V_ERR_PERMITTED_VIOLATION
;
416 /* If we have anything before '@' match local part */
419 if (baseat
!= baseptr
) {
420 if ((baseat
- baseptr
) != (emlat
- emlptr
))
421 return X509_V_ERR_PERMITTED_VIOLATION
;
422 /* Case sensitive match of local part */
423 if (strncmp(baseptr
, emlptr
, emlat
- emlptr
))
424 return X509_V_ERR_PERMITTED_VIOLATION
;
426 /* Position base after '@' */
427 baseptr
= baseat
+ 1;
430 /* Just have hostname left to match: case insensitive */
431 if (strcasecmp(baseptr
, emlptr
))
432 return X509_V_ERR_PERMITTED_VIOLATION
;
438 static int nc_uri(ASN1_IA5STRING
*uri
, ASN1_IA5STRING
*base
)
440 const char *baseptr
= (char *)base
->data
;
441 const char *hostptr
= (char *)uri
->data
;
442 const char *p
= strchr(hostptr
, ':');
444 /* Check for foo:// and skip past it */
445 if (!p
|| (p
[1] != '/') || (p
[2] != '/'))
446 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
;
449 /* Determine length of hostname part of URI */
451 /* Look for a port indicator as end of hostname first */
453 p
= strchr(hostptr
, ':');
454 /* Otherwise look for trailing slash */
456 p
= strchr(hostptr
, '/');
459 hostlen
= strlen(hostptr
);
461 hostlen
= p
- hostptr
;
464 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
;
466 /* Special case: inital '.' is RHS match */
467 if (*baseptr
== '.') {
468 if (hostlen
> base
->length
) {
469 p
= hostptr
+ hostlen
- base
->length
;
470 if (strncasecmp(p
, baseptr
, base
->length
) == 0)
473 return X509_V_ERR_PERMITTED_VIOLATION
;
476 if ((base
->length
!= (int)hostlen
)
477 || strncasecmp(hostptr
, baseptr
, hostlen
))
478 return X509_V_ERR_PERMITTED_VIOLATION
;
484 static int nc_ip(ASN1_OCTET_STRING
*ip
, ASN1_OCTET_STRING
*base
)
486 int hostlen
, baselen
, i
;
487 unsigned char *hostptr
, *baseptr
, *maskptr
;
489 hostlen
= ip
->length
;
490 baseptr
= base
->data
;
491 baselen
= base
->length
;
493 /* Invalid if not IPv4 or IPv6 */
494 if (!((hostlen
== 4) || (hostlen
== 16)))
495 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
;
496 if (!((baselen
== 8) || (baselen
== 32)))
497 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
;
499 /* Do not match IPv4 with IPv6 */
500 if (hostlen
* 2 != baselen
)
501 return X509_V_ERR_PERMITTED_VIOLATION
;
503 maskptr
= base
->data
+ hostlen
;
505 /* Considering possible not aligned base ipAddress */
506 /* Not checking for wrong mask definition: i.e.: 255.0.255.0 */
507 for (i
= 0; i
< hostlen
; i
++)
508 if ((hostptr
[i
] & maskptr
[i
]) != (baseptr
[i
] & maskptr
[i
]))
509 return X509_V_ERR_PERMITTED_VIOLATION
;