From: pcarana
Date: Tue, 5 Feb 2019 18:27:22 +0000 (-0600)
Subject: Validate certificate policies extension
X-Git-Tag: v0.0.2~99
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a567060af5f13ff0ea780a96a0a777d9448f0559;p=thirdparty%2FFORT-validator.git

Validate certificate policies extension
---

diff --git a/src/common.c b/src/common.c
index c9138aa4..df54b9d2 100644
--- a/src/common.c
+++ b/src/common.c
@@ -7,6 +7,8 @@
 int NID_rpkiManifest;
 int NID_signedObject;
 int NID_rpkiNotify;
+int NID_certPolicyRpki;
+int NID_certPolicyRpkiV2;
 
 int
 string_clone(void const *string, size_t size, char **clone)
diff --git a/src/common.h b/src/common.h
index e50f7d36..07024f03 100644
--- a/src/common.h
+++ b/src/common.h
@@ -19,6 +19,8 @@
 extern int NID_rpkiManifest;
 extern int NID_signedObject;
 extern int NID_rpkiNotify;
+extern int NID_certPolicyRpki;
+extern int NID_certPolicyRpkiV2;
 
 #define ARRAY_LEN(array) (sizeof(array) / sizeof(array[0]))
diff --git a/src/main.c b/src/main.c
index a1594254..d4417712 100644
--- a/src/main.c
+++ b/src/main.c
@@ -35,6 +35,17 @@ add_rpki_oids(void)
 "rpkiNotify",
 "RPKI Update Notification File (RFC 8182)");
 printf("rpkiNotify registered. Its nid is %d.\n", NID_rpkiNotify);
+
+ NID_certPolicyRpki = OBJ_create("1.3.6.1.5.5.7.14.2",
+ "id-cp-ipAddr-asNumber (RFC 6484)",
+ "Certificate Policy (CP) for the Resource PKI (RPKI)");
+ printf("certPolicyRpki registered. Its nid is %d.\n", NID_certPolicyRpki);
+
+ NID_certPolicyRpkiV2 = OBJ_create("1.3.6.1.5.5.7.14.3",
+ "id-cp-ipAddr-asNumber-v2 (RFC 8360)",
+ "Certificate Policy for Use with Validation Reconsidered in the RPKI");
+ printf("certPolicyRpkiV2 registered. Its nid is %d.\n",
+ NID_certPolicyRpkiV2);
 }
 
 /**
diff --git a/src/object/certificate.c b/src/object/certificate.c
index db2cb9cb..c4601920 100644
--- a/src/object/certificate.c
+++ b/src/object/certificate.c
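Review bot: The two new OBJ_create() results in add_rpki_oids() are stored without being checked, and OBJ_create() reports failure by returning NID_undef; OBJ_obj2nid() also returns NID_undef for any OID OpenSSL does not know, so if registration fails and nothing else checks these globals, a certificate carrying an unrecognised policy OID would compare equal to NID_certPolicyRpki in the new handle_cp() and be accepted. The earlier rpkiNotify registration above follows the same unchecked pattern, but these two values feed a validation decision, so I would refuse to continue start-up here: `if (NID_certPolicyRpki == NID_undef || NID_certPolicyRpkiV2 == NID_undef) { /* OID registration failed; abort start-up */ }`. The function's opening lies outside the hunk, so the exact way to report the failure depends on its return type.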
@@ -1150,7 +1150,51 @@ handle_sia_ee(X509_EXTENSION *ext, void *arg)
 static int
 handle_cp(X509_EXTENSION *ext, void *arg)
 {
- return 0; /* TODO (certext) Implement */
+ CERTIFICATEPOLICIES *cp;
+ POLICYINFO *pi;
+ POLICYQUALINFO *pqi;
+ int error, nid_cp, nid_qt_cps, pqi_num;
+
+ error = 0;
+ cp = X509V3_EXT_d2i(ext);
+ if (cp == NULL)
+ return cannot_decode(&CP);
+
+ if (sk_POLICYINFO_num(cp) != 1) {
+ error = pr_err("The %s extension has %u policy information's. (1 expected)",
+ CP.name, sk_POLICYINFO_num(cp));
+ goto end;
+ }
+
+ /* rfc7318#section-2 and consider rfc8360#section-4.2.1 */
+ pi = sk_POLICYINFO_value(cp, 0);
+ nid_cp = OBJ_obj2nid(pi->policyid);
+ if (nid_cp != NID_certPolicyRpki && nid_cp != NID_certPolicyRpkiV2) {
+ error = pr_err("Invalid certificate policy OID, isn't 'id-cp-ipAddr-asNumber' nor 'id-cp-ipAddr-asNumber-v2'");
+ goto end;
+ }
+ /* Exactly one policy qualifier MAY be included (so none is also valid) */
+ if (pi->qualifiers == NULL)
+ goto end;
+
+ pqi_num = sk_POLICYQUALINFO_num(pi->qualifiers);
+ if (pqi_num == 0)
+ goto end;
+ if (pqi_num != 1) {
+ error = pr_err("The %s extension has %d policy qualifiers. (none or only 1 expected)",
+ CP.name, pqi_num);
+ goto end;
+ }
+
+ pqi = sk_POLICYQUALINFO_value(pi->qualifiers, 0);
+ nid_qt_cps = OBJ_obj2nid(pqi->pqualid);
+ if (nid_qt_cps != NID_id_qt_cps) {
+ error = pr_err("Policy qualifier ID isn't Certification Practice Statement (CPS)");
+ goto end;
+ }
+end:
+ CERTIFICATEPOLICIES_free(cp);
+ return error;
 }
 
 static int
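Review bot: The first pr_err() in handle_cp() prints the result of sk_POLICYINFO_num(), which is an int, with `%u`, while the later qualifier-count message uses `%d` for the same kind of value; the mismatched specifier is formally undefined and inconsistent with the rest of the function, so it should read `error = pr_err("The %s extension has %d policy information's. (1 expected)",`. Separately, RFC 6487 section 4.8.9 requires the certificatePolicies extension to be present and marked critical, and nothing in this handler looks at criticality; if the CP extension descriptor (defined outside this hunk) does not enforce that, a non-critical extension would pass, so a short comment at the top of the function stating where presence and criticality are checked would help the next reader. The handle_cp() body is complete within the hunk; only the `static int` of the next function is cut off.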