From: pcarana
Date: Tue, 5 Feb 2019 18:27:22 +0000 (-0600)
Subject: Validate certificate policies extension
X-Git-Tag: v0.0.2~98^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c93f2e9efa92cd85edb2f0d6cb951c2e2d789518;p=thirdparty%2FFORT-validator.git
Validate certificate policies extension
---
diff --git a/src/common.c b/src/common.c
index ff9f51e5..5e7eda99 100644
--- a/src/common.c
+++ b/src/common.c
@@ -9,6 +9,8 @@ size_t repository_len;
 int NID_rpkiManifest;
 int NID_signedObject;
 int NID_rpkiNotify;
+int NID_certPolicyRpki;
+int NID_certPolicyRpkiV2;
 int string_clone(void const *string, size_t size, char **clone)
diff --git a/src/common.h b/src/common.h
index e0680722..afa7e153 100644
--- a/src/common.h
+++ b/src/common.h
@@ -21,6 +21,8 @@ extern size_t repository_len;
 extern int NID_rpkiManifest;
 extern int NID_signedObject;
 extern int NID_rpkiNotify;
+extern int NID_certPolicyRpki;
+extern int NID_certPolicyRpkiV2;
 #define ARRAY_LEN(array) (sizeof(array) / sizeof(array[0]))
diff --git a/src/main.c b/src/main.c
index 511faa46..7f936eb2 100644
--- a/src/main.c
+++ b/src/main.c
@@ -45,6 +45,17 @@ add_rpki_oids(void)
 "id-ad-rpkiNotify (RFC 8182)",
 /* TODO */ "Blah blah");
 printf("rpkiNotify registered. Its nid is %d.\n", NID_rpkiNotify);
+
+ NID_certPolicyRpki = OBJ_create("1.3.6.1.5.5.7.14.2", "id-cp-ipAddr-asNumber (RFC 6484)", "Certificate Policy (CP) for the Resource PKI (RPKI)");
+ printf("certPolicyRpki registered. Its nid is %d.\n", NID_certPolicyRpki);
+
+ NID_certPolicyRpkiV2 = OBJ_create("1.3.6.1.5.5.7.14.3", "id-cp-ipAddr-asNumber-v2 (RFC 8360)", "Certificate Policy for Use with Validation Reconsidered in the RPKI");
+ printf("certPolicyRpkiV2 registered. Its nid is %d.\n",
+ NID_certPolicyRpkiV2);
 }
 /**
diff --git a/src/object/certificate.c b/src/object/certificate.c
index a9527989..e6850100 100644
--- a/src/object/certificate.c
+++ b/src/object/certificate.c
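Review bot: The results of the two new registrations in src/main.c, `NID_certPolicyRpki = OBJ_create(...)` and `NID_certPolicyRpkiV2 = OBJ_create(...)`, are never checked; OBJ_create() returns NID_undef when it fails, and because OBJ_obj2nid() also yields NID_undef for any OID it does not know, the consumer added in src/object/certificate.c (`nid_cp != NID_certPolicyRpki && nid_cp != NID_certPolicyRpkiV2`) would then accept every unrecognised policy OID instead of rejecting it. Test each result right after the call, e.g. `if (NID_certPolicyRpki == NID_undef) return pr_err("Unable to register the id-cp-ipAddr-asNumber OID");`, using whatever error reporter main.c has in scope. add_rpki_oids() begins before the hunk, so whether it can return an error is not visible here; if it cannot, the failure should at least go to stderr rather than being hidden behind the stdout `printf` of the nid. The pre-existing registrations above the hunk have the same gap.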
@@ -1142,7 +1142,51 @@ handle_sia_ee(X509_EXTENSION *ext, void *arg)
 static int
 handle_cp(X509_EXTENSION *ext, void *arg)
 {
- return 0; /* TODO (certext) Implement */
+ CERTIFICATEPOLICIES *cp;
+ POLICYINFO *pi;
+ POLICYQUALINFO *pqi;
+ int error, nid_cp, nid_qt_cps, pqi_num;
+
+ error = 0;
+ cp = X509V3_EXT_d2i(ext);
+ if (cp == NULL)
+ return cannot_decode(&CP);
+
+ if (sk_POLICYINFO_num(cp) != 1) {
+ error = pr_err("The %s extension has %u policy information's. (1 expected)",
+ CP.name, sk_POLICYINFO_num(cp));
+ goto end;
+ }
+
+ /* rfc7318#section-2 and consider rfc8360#section-4.2.1 */
+ pi = sk_POLICYINFO_value(cp, 0);
+ nid_cp = OBJ_obj2nid(pi->policyid);
+ if (nid_cp != NID_certPolicyRpki && nid_cp != NID_certPolicyRpkiV2) {
+ error = pr_err("Invalid certificate policy OID, isn't 'id-cp-ipAddr-asNumber' nor 'id-cp-ipAddr-asNumber-v2'");
+ goto end;
+ }
+ /* Exactly one policy qualifier MAY be included (so none is also valid) */
+ if (pi->qualifiers == NULL)
+ goto end;
+
+ pqi_num = sk_POLICYQUALINFO_num(pi->qualifiers);
+ if (pqi_num == 0)
+ goto end;
+ if (pqi_num != 1) {
+ error = pr_err("The %s extension has %d policy qualifiers. (none or only 1 expected)",
+ CP.name, pqi_num);
+ goto end;
+ }
+
+ pqi = sk_POLICYQUALINFO_value(pi->qualifiers, 0);
+ nid_qt_cps = OBJ_obj2nid(pqi->pqualid);
+ if (nid_qt_cps != NID_id_qt_cps) {
+ error = pr_err("Policy qualifier ID isn't Certification Practice Statement (CPS)");
+ goto end;
+ }
+end:
+ CERTIFICATEPOLICIES_free(cp);
+ return error;
 }
 static int
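Review bot: The first pr_err() in handle_cp formats `sk_POLICYINFO_num(cp)`, which returns an `int`, with `%u`, while the later message for `pqi_num` uses `%d`; the two should agree, and "policy information's" reads as a typo, so the line is better as `error = pr_err("The %s extension has %d policy information entries. (1 expected)",`. Independently of how registration is handled in src/main.c, OBJ_obj2nid() returns NID_undef for any OID it does not recognise, so guarding the policy check with `if (nid_cp == NID_undef || (nid_cp != NID_certPolicyRpki && nid_cp != NID_certPolicyRpkiV2)) {` keeps it rejecting unknown policy OIDs even if one of the NID_certPolicyRpki* globals was never successfully registered. The comment `/* Exactly one policy qualifier MAY be included (so none is also valid) */` covers only the cardinality; a sentence on the function stating that the CPS qualifier's URI content is intentionally not inspected beyond its `pqualid` would save the next reader from looking for a missing check.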