xref: /openbsd-src/lib/libcrypto/x509/x509_lib.c (revision 0e6355d3a9b9daaba03a48c83fb71f46bd15730c) 
1 /* $OpenBSD: x509_lib.c,v 1.22 2024/06/17 05:31:26 tb Exp $ */
2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3  * project 1999.
4  */
5 /* ====================================================================
6  * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in
17  *    the documentation and/or other materials provided with the
18  *    distribution.
19  *
20  * 3. All advertising materials mentioning features or use of this
21  *    software must display the following acknowledgment:
22  *    "This product includes software developed by the OpenSSL Project
23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24  *
25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26  *    endorse or promote products derived from this software without
27  *    prior written permission. For written permission, please contact
28  *    licensing@OpenSSL.org.
29  *
30  * 5. Products derived from this software may not be called "OpenSSL"
31  *    nor may "OpenSSL" appear in their names without prior written
32  *    permission of the OpenSSL Project.
33  *
34  * 6. Redistributions of any form whatsoever must retain the following
35  *    acknowledgment:
36  *    "This product includes software developed by the OpenSSL Project
37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38  *
39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50  * OF THE POSSIBILITY OF SUCH DAMAGE.
51  * ====================================================================
52  *
53  * This product includes cryptographic software written by Eric Young
54  * (eay@cryptsoft.com).  This product includes software written by Tim
55  * Hudson (tjh@cryptsoft.com).
56  *
57  */
58 /* X509 v3 extension utilities */
59 
60 #include <stdio.h>
61 
62 #include <openssl/conf.h>
63 #include <openssl/err.h>
64 #include <openssl/x509v3.h>
65 
66 #include "x509_local.h"
67 
68 extern const X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
69 extern const X509V3_EXT_METHOD v3_pkey_usage_period, v3_info, v3_sinfo;
70 extern const X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
71 extern const X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
72 extern const X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl;
73 extern const X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
74 extern const X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
75 extern const X509V3_EXT_METHOD v3_crl_hold;
76 extern const X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
77 extern const X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
78 extern const X509V3_EXT_METHOD v3_addr, v3_asid;
79 extern const X509V3_EXT_METHOD v3_ct_scts[3];
80 
81 static const X509V3_EXT_METHOD *standard_exts[] = {
82 	&v3_nscert,
83 	&v3_ns_ia5_list[0],
84 	&v3_ns_ia5_list[1],
85 	&v3_ns_ia5_list[2],
86 	&v3_ns_ia5_list[3],
87 	&v3_ns_ia5_list[4],
88 	&v3_ns_ia5_list[5],
89 	&v3_ns_ia5_list[6],
90 	&v3_skey_id,
91 	&v3_key_usage,
92 	&v3_pkey_usage_period,
93 	&v3_alt[0],
94 	&v3_alt[1],
95 	&v3_bcons,
96 	&v3_crl_num,
97 	&v3_cpols,
98 	&v3_akey_id,
99 	&v3_crld,
100 	&v3_ext_ku,
101 	&v3_delta_crl,
102 	&v3_crl_reason,
103 #ifndef OPENSSL_NO_OCSP
104 	&v3_crl_invdate,
105 #endif
106 	&v3_info,
107 #ifndef OPENSSL_NO_RFC3779
108 	&v3_addr,
109 	&v3_asid,
110 #endif
111 #ifndef OPENSSL_NO_OCSP
112 	&v3_ocsp_nonce,
113 	&v3_ocsp_crlid,
114 	&v3_ocsp_accresp,
115 	&v3_ocsp_nocheck,
116 	&v3_ocsp_acutoff,
117 	&v3_ocsp_serviceloc,
118 #endif
119 	&v3_sinfo,
120 	&v3_policy_constraints,
121 #ifndef OPENSSL_NO_OCSP
122 	&v3_crl_hold,
123 #endif
124 	&v3_name_constraints,
125 	&v3_policy_mappings,
126 	&v3_inhibit_anyp,
127 	&v3_idp,
128 	&v3_alt[2],
129 	&v3_freshest_crl,
130 #ifndef OPENSSL_NO_CT
131 	&v3_ct_scts[0],
132 	&v3_ct_scts[1],
133 	&v3_ct_scts[2],
134 #endif
135 };
136 
137 #define STANDARD_EXTENSION_COUNT (sizeof(standard_exts) / sizeof(standard_exts[0]))
138 
139 const X509V3_EXT_METHOD *
140 X509V3_EXT_get_nid(int nid)
141 {
142 	size_t i;
143 
144 	for (i = 0; i < STANDARD_EXTENSION_COUNT; i++) {
145 		if (standard_exts[i]->ext_nid == nid)
146 			return standard_exts[i];
147 	}
148 
149 	return NULL;
150 }
151 LCRYPTO_ALIAS(X509V3_EXT_get_nid);
152 
153 const X509V3_EXT_METHOD *
154 X509V3_EXT_get(X509_EXTENSION *ext)
155 {
156 	int nid;
157 
158 	if ((nid = OBJ_obj2nid(ext->object)) == NID_undef)
159 		return NULL;
160 	return X509V3_EXT_get_nid(nid);
161 }
162 LCRYPTO_ALIAS(X509V3_EXT_get);
163 
164 /* Return an extension internal structure */
165 
166 void *
167 X509V3_EXT_d2i(X509_EXTENSION *ext)
168 {
169 	const X509V3_EXT_METHOD *method;
170 	const unsigned char *p;
171 
172 	if ((method = X509V3_EXT_get(ext)) == NULL)
173 		return NULL;
174 	p = ext->value->data;
175 	if (method->it != NULL)
176 		return ASN1_item_d2i(NULL, &p, ext->value->length, method->it);
177 	return method->d2i(NULL, &p, ext->value->length);
178 }
179 LCRYPTO_ALIAS(X509V3_EXT_d2i);
180 
181 /*
182  * This API is only safe to call with known nid, crit != NULL and idx == NULL.
183  * On NULL return, crit acts as a failure indicator: crit == -1 means an
184  * extension of type nid was not present, crit != -1 is fatal: crit == -2
185  * means multiple extensions of type nid are present; if crit is 0 or 1, this
186  * implies the extension was found but could not be decoded.
187  */
188 
189 void *
190 X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx)
191 {
192 	X509_EXTENSION *ext;
193 	int lastpos = idx == NULL ? -1 : *idx;
194 
195 	if (crit != NULL)
196 		*crit = -1;
197 	if (idx != NULL)
198 		*idx = -1;
199 
200 	/*
201 	 * Nothing to do if no extensions, unknown nid, or missing extension.
202 	 */
203 
204 	if (x == NULL)
205 		return NULL;
206 	if ((lastpos = X509v3_get_ext_by_NID(x, nid, lastpos)) < 0)
207 		return NULL;
208 	if ((ext = X509v3_get_ext(x, lastpos)) == NULL)
209 		return NULL;
210 
211 	/*
212 	 * API madness. Only check for a second extension of type nid if
213 	 * idx == NULL. Indicate this by setting *crit to -2. If idx != NULL,
214 	 * don't care and set *idx to the index of the first extension found.
215 	 */
216 
217 	if (idx == NULL && X509v3_get_ext_by_NID(x, nid, lastpos) > 0) {
218 		if (crit != NULL)
219 			*crit = -2;
220 		return NULL;
221 	}
222 
223 	/*
224 	 * Another beautiful API detail: *crit will be set to 0 or 1, so if the
225 	 * extension fails to decode, we can deduce this from return value NULL
226 	 * and crit != -1.
227 	 */
228 
229 	if (crit != NULL)
230 		*crit = X509_EXTENSION_get_critical(ext);
231 	if (idx != NULL)
232 		*idx = lastpos;
233 
234 	return X509V3_EXT_d2i(ext);
235 }
236 LCRYPTO_ALIAS(X509V3_get_d2i);
237 
238 int
239 X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
240     int crit, unsigned long flags)
241 {
242 	STACK_OF(X509_EXTENSION) *exts = *x;
243 	X509_EXTENSION *ext = NULL;
244 	X509_EXTENSION *existing;
245 	int extidx;
246 	int errcode = 0;
247 	int ret = 0;
248 
249 	/* See if the extension already exists. */
250 	extidx = X509v3_get_ext_by_NID(*x, nid, -1);
251 
252 	switch (flags & X509V3_ADD_OP_MASK) {
253 	case X509V3_ADD_DEFAULT:
254 		/* If the extension exists, adding another one is an error. */
255 		if (extidx >= 0) {
256 			errcode = X509V3_R_EXTENSION_EXISTS;
257 			goto err;
258 		}
259 		break;
260 	case X509V3_ADD_APPEND:
261 		/*
262 		 * XXX - Total misfeature. If the extension exists, appending
263 		 * another one will invalidate the certificate. Unfortunately
264 		 * things use this, in particular Viktor's DANE code.
265 		 */
266 		/* Pretend the extension didn't exist and append the new one. */
267 		extidx = -1;
268 		break;
269 	case X509V3_ADD_REPLACE:
270 		/* Replace existing extension, otherwise append the new one. */
271 		break;
272 	case X509V3_ADD_REPLACE_EXISTING:
273 		/* Can't replace a non-existent extension. */
274 		if (extidx < 0) {
275 			errcode = X509V3_R_EXTENSION_NOT_FOUND;
276 			goto err;
277 		}
278 		break;
279 	case X509V3_ADD_KEEP_EXISTING:
280 		/* If the extension exists, there's nothing to do. */
281 		if (extidx >= 0)
282 			goto done;
283 		break;
284 	case X509V3_ADD_DELETE:
285 		/* Can't delete a non-existent extension. */
286 		if (extidx < 0) {
287 			errcode = X509V3_R_EXTENSION_NOT_FOUND;
288 			goto err;
289 		}
290 		if ((existing = sk_X509_EXTENSION_delete(*x, extidx)) == NULL) {
291 			ret = -1;
292 			goto err;
293 		}
294 		X509_EXTENSION_free(existing);
295 		existing = NULL;
296 		goto done;
297 	default:
298 		errcode = X509V3_R_UNSUPPORTED_OPTION; /* XXX */
299 		ret = -1;
300 		goto err;
301 	}
302 
303 	if ((ext = X509V3_EXT_i2d(nid, crit, value)) == NULL) {
304 		X509V3error(X509V3_R_ERROR_CREATING_EXTENSION);
305 		goto err;
306 	}
307 
308 	/* From here, errors are fatal. */
309 	ret = -1;
310 
311 	/* If extension exists, replace it. */
312 	if (extidx >= 0) {
313 		existing = sk_X509_EXTENSION_value(*x, extidx);
314 		X509_EXTENSION_free(existing);
315 		existing = NULL;
316 		if (sk_X509_EXTENSION_set(*x, extidx, ext) == NULL) {
317 			/*
318 			 * XXX - Can't happen. If it did happen, |existing| is
319 			 * now a freed pointer. Nothing we can do here.
320 			 */
321 			goto err;
322 		}
323 		goto done;
324 	}
325 
326 	if (exts == NULL)
327 		exts = sk_X509_EXTENSION_new_null();
328 	if (exts == NULL)
329 		goto err;
330 
331 	if (!sk_X509_EXTENSION_push(exts, ext))
332 		goto err;
333 	ext = NULL;
334 
335 	*x = exts;
336 
337  done:
338 	return 1;
339 
340  err:
341 	if ((flags & X509V3_ADD_SILENT) == 0 && errcode != 0)
342 		X509V3error(errcode);
343 
344 	if (exts != *x)
345 		sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
346 	X509_EXTENSION_free(ext);
347 
348 	return ret;
349 }
350 LCRYPTO_ALIAS(X509V3_add1_i2d);
351 
352 int
353 X509V3_add_standard_extensions(void)
354 {
355 	return 1;
356 }
357 LCRYPTO_ALIAS(X509V3_add_standard_extensions);
358