xref: /openbsd-src/lib/libcrypto/x509/x509_lib.c (revision fd1d0ae521a2751c2ac63a5b93325512ee1e8e81) 
1 /* $OpenBSD: x509_lib.c,v 1.23 2024/06/17 05:38:08 tb Exp $ */
2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3  * project 1999.
4  */
5 /* ====================================================================
6  * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in
17  *    the documentation and/or other materials provided with the
18  *    distribution.
19  *
20  * 3. All advertising materials mentioning features or use of this
21  *    software must display the following acknowledgment:
22  *    "This product includes software developed by the OpenSSL Project
23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24  *
25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26  *    endorse or promote products derived from this software without
27  *    prior written permission. For written permission, please contact
28  *    licensing@OpenSSL.org.
29  *
30  * 5. Products derived from this software may not be called "OpenSSL"
31  *    nor may "OpenSSL" appear in their names without prior written
32  *    permission of the OpenSSL Project.
33  *
34  * 6. Redistributions of any form whatsoever must retain the following
35  *    acknowledgment:
36  *    "This product includes software developed by the OpenSSL Project
37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38  *
39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50  * OF THE POSSIBILITY OF SUCH DAMAGE.
51  * ====================================================================
52  *
53  * This product includes cryptographic software written by Eric Young
54  * (eay@cryptsoft.com).  This product includes software written by Tim
55  * Hudson (tjh@cryptsoft.com).
56  *
57  */
58 /* X509 v3 extension utilities */
59 
60 #include <stdio.h>
61 
62 #include <openssl/conf.h>
63 #include <openssl/err.h>
64 #include <openssl/x509v3.h>
65 
66 #include "x509_local.h"
67 
68 extern const X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
69 extern const X509V3_EXT_METHOD v3_pkey_usage_period, v3_info, v3_sinfo;
70 extern const X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
71 extern const X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
72 extern const X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl;
73 extern const X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
74 extern const X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
75 extern const X509V3_EXT_METHOD v3_crl_hold;
76 extern const X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
77 extern const X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
78 extern const X509V3_EXT_METHOD v3_addr, v3_asid;
79 extern const X509V3_EXT_METHOD v3_ct_scts[3];
80 
81 static const X509V3_EXT_METHOD *standard_exts[] = {
82 	&v3_nscert,
83 	&v3_ns_ia5_list[0],
84 	&v3_ns_ia5_list[1],
85 	&v3_ns_ia5_list[2],
86 	&v3_ns_ia5_list[3],
87 	&v3_ns_ia5_list[4],
88 	&v3_ns_ia5_list[5],
89 	&v3_ns_ia5_list[6],
90 	&v3_skey_id,
91 	&v3_key_usage,
92 	&v3_pkey_usage_period,
93 	&v3_alt[0],
94 	&v3_alt[1],
95 	&v3_bcons,
96 	&v3_crl_num,
97 	&v3_cpols,
98 	&v3_akey_id,
99 	&v3_crld,
100 	&v3_ext_ku,
101 	&v3_delta_crl,
102 	&v3_crl_reason,
103 #ifndef OPENSSL_NO_OCSP
104 	&v3_crl_invdate,
105 #endif
106 	&v3_info,
107 #ifndef OPENSSL_NO_RFC3779
108 	&v3_addr,
109 	&v3_asid,
110 #endif
111 #ifndef OPENSSL_NO_OCSP
112 	&v3_ocsp_nonce,
113 	&v3_ocsp_crlid,
114 	&v3_ocsp_accresp,
115 	&v3_ocsp_nocheck,
116 	&v3_ocsp_acutoff,
117 	&v3_ocsp_serviceloc,
118 #endif
119 	&v3_sinfo,
120 	&v3_policy_constraints,
121 #ifndef OPENSSL_NO_OCSP
122 	&v3_crl_hold,
123 #endif
124 	&v3_name_constraints,
125 	&v3_policy_mappings,
126 	&v3_inhibit_anyp,
127 	&v3_idp,
128 	&v3_alt[2],
129 	&v3_freshest_crl,
130 #ifndef OPENSSL_NO_CT
131 	&v3_ct_scts[0],
132 	&v3_ct_scts[1],
133 	&v3_ct_scts[2],
134 #endif
135 };
136 
137 #define STANDARD_EXTENSION_COUNT (sizeof(standard_exts) / sizeof(standard_exts[0]))
138 
139 const X509V3_EXT_METHOD *
140 X509V3_EXT_get_nid(int nid)
141 {
142 	size_t i;
143 
144 	for (i = 0; i < STANDARD_EXTENSION_COUNT; i++) {
145 		if (standard_exts[i]->ext_nid == nid)
146 			return standard_exts[i];
147 	}
148 
149 	return NULL;
150 }
151 LCRYPTO_ALIAS(X509V3_EXT_get_nid);
152 
153 const X509V3_EXT_METHOD *
154 X509V3_EXT_get(X509_EXTENSION *ext)
155 {
156 	int nid;
157 
158 	if ((nid = OBJ_obj2nid(ext->object)) == NID_undef)
159 		return NULL;
160 	return X509V3_EXT_get_nid(nid);
161 }
162 LCRYPTO_ALIAS(X509V3_EXT_get);
163 
164 /* Return an extension internal structure */
165 
166 void *
167 X509V3_EXT_d2i(X509_EXTENSION *ext)
168 {
169 	const X509V3_EXT_METHOD *method;
170 	const unsigned char *p;
171 
172 	if ((method = X509V3_EXT_get(ext)) == NULL)
173 		return NULL;
174 	p = ext->value->data;
175 	if (method->it != NULL)
176 		return ASN1_item_d2i(NULL, &p, ext->value->length, method->it);
177 	return method->d2i(NULL, &p, ext->value->length);
178 }
179 LCRYPTO_ALIAS(X509V3_EXT_d2i);
180 
181 /*
182  * This API is only safe to call with known nid, crit != NULL and idx == NULL.
183  * On NULL return, crit acts as a failure indicator: crit == -1 means an
184  * extension of type nid was not present, crit != -1 is fatal: crit == -2
185  * means multiple extensions of type nid are present; if crit is 0 or 1, this
186  * implies the extension was found but could not be decoded.
187  */
188 
189 void *
190 X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x509_exts, int nid, int *crit,
191     int *idx)
192 {
193 	X509_EXTENSION *ext;
194 	int lastpos = idx == NULL ? -1 : *idx;
195 
196 	if (crit != NULL)
197 		*crit = -1;
198 	if (idx != NULL)
199 		*idx = -1;
200 
201 	/*
202 	 * Nothing to do if no extensions, unknown nid, or missing extension.
203 	 */
204 
205 	if (x509_exts == NULL)
206 		return NULL;
207 	if ((lastpos = X509v3_get_ext_by_NID(x509_exts, nid, lastpos)) < 0)
208 		return NULL;
209 	if ((ext = X509v3_get_ext(x509_exts, lastpos)) == NULL)
210 		return NULL;
211 
212 	/*
213 	 * API madness. Only check for a second extension of type nid if
214 	 * idx == NULL. Indicate this by setting *crit to -2. If idx != NULL,
215 	 * don't care and set *idx to the index of the first extension found.
216 	 */
217 
218 	if (idx == NULL && X509v3_get_ext_by_NID(x509_exts, nid, lastpos) > 0) {
219 		if (crit != NULL)
220 			*crit = -2;
221 		return NULL;
222 	}
223 
224 	/*
225 	 * Another beautiful API detail: *crit will be set to 0 or 1, so if the
226 	 * extension fails to decode, we can deduce this from return value NULL
227 	 * and crit != -1.
228 	 */
229 
230 	if (crit != NULL)
231 		*crit = X509_EXTENSION_get_critical(ext);
232 	if (idx != NULL)
233 		*idx = lastpos;
234 
235 	return X509V3_EXT_d2i(ext);
236 }
237 LCRYPTO_ALIAS(X509V3_get_d2i);
238 
239 int
240 X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x509_exts, int nid, void *value,
241     int crit, unsigned long flags)
242 {
243 	STACK_OF(X509_EXTENSION) *exts = *x509_exts;
244 	X509_EXTENSION *ext = NULL;
245 	X509_EXTENSION *existing;
246 	int extidx;
247 	int errcode = 0;
248 	int ret = 0;
249 
250 	/* See if the extension already exists. */
251 	extidx = X509v3_get_ext_by_NID(*x509_exts, nid, -1);
252 
253 	switch (flags & X509V3_ADD_OP_MASK) {
254 	case X509V3_ADD_DEFAULT:
255 		/* If the extension exists, adding another one is an error. */
256 		if (extidx >= 0) {
257 			errcode = X509V3_R_EXTENSION_EXISTS;
258 			goto err;
259 		}
260 		break;
261 	case X509V3_ADD_APPEND:
262 		/*
263 		 * XXX - Total misfeature. If the extension exists, appending
264 		 * another one will invalidate the certificate. Unfortunately
265 		 * things use this, in particular Viktor's DANE code.
266 		 */
267 		/* Pretend the extension didn't exist and append the new one. */
268 		extidx = -1;
269 		break;
270 	case X509V3_ADD_REPLACE:
271 		/* Replace existing extension, otherwise append the new one. */
272 		break;
273 	case X509V3_ADD_REPLACE_EXISTING:
274 		/* Can't replace a non-existent extension. */
275 		if (extidx < 0) {
276 			errcode = X509V3_R_EXTENSION_NOT_FOUND;
277 			goto err;
278 		}
279 		break;
280 	case X509V3_ADD_KEEP_EXISTING:
281 		/* If the extension exists, there's nothing to do. */
282 		if (extidx >= 0)
283 			goto done;
284 		break;
285 	case X509V3_ADD_DELETE:
286 		/* Can't delete a non-existent extension. */
287 		if (extidx < 0) {
288 			errcode = X509V3_R_EXTENSION_NOT_FOUND;
289 			goto err;
290 		}
291 		if ((existing = sk_X509_EXTENSION_delete(*x509_exts,
292 		    extidx)) == NULL) {
293 			ret = -1;
294 			goto err;
295 		}
296 		X509_EXTENSION_free(existing);
297 		existing = NULL;
298 		goto done;
299 	default:
300 		errcode = X509V3_R_UNSUPPORTED_OPTION; /* XXX */
301 		ret = -1;
302 		goto err;
303 	}
304 
305 	if ((ext = X509V3_EXT_i2d(nid, crit, value)) == NULL) {
306 		X509V3error(X509V3_R_ERROR_CREATING_EXTENSION);
307 		goto err;
308 	}
309 
310 	/* From here, errors are fatal. */
311 	ret = -1;
312 
313 	/* If extension exists, replace it. */
314 	if (extidx >= 0) {
315 		existing = sk_X509_EXTENSION_value(*x509_exts, extidx);
316 		X509_EXTENSION_free(existing);
317 		existing = NULL;
318 		if (sk_X509_EXTENSION_set(*x509_exts, extidx, ext) == NULL) {
319 			/*
320 			 * XXX - Can't happen. If it did happen, |existing| is
321 			 * now a freed pointer. Nothing we can do here.
322 			 */
323 			goto err;
324 		}
325 		goto done;
326 	}
327 
328 	if (exts == NULL)
329 		exts = sk_X509_EXTENSION_new_null();
330 	if (exts == NULL)
331 		goto err;
332 
333 	if (!sk_X509_EXTENSION_push(exts, ext))
334 		goto err;
335 	ext = NULL;
336 
337 	*x509_exts = exts;
338 
339  done:
340 	return 1;
341 
342  err:
343 	if ((flags & X509V3_ADD_SILENT) == 0 && errcode != 0)
344 		X509V3error(errcode);
345 
346 	if (exts != *x509_exts)
347 		sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
348 	X509_EXTENSION_free(ext);
349 
350 	return ret;
351 }
352 LCRYPTO_ALIAS(X509V3_add1_i2d);
353 
354 int
355 X509V3_add_standard_extensions(void)
356 {
357 	return 1;
358 }
359 LCRYPTO_ALIAS(X509V3_add_standard_extensions);
360