1/* v3_lib.c */ 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 3 * project 1999. 4 */ 5/* ==================================================================== 6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing@OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay@cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh@cryptsoft.com). 56 * 57 */ 58/* X509 v3 extension utilities */ 59 60#include <stdio.h> 61 62#include <openssl/conf.h> 63#include <openssl/err.h> 64#include <openssl/mem.h> 65#include <openssl/obj.h> 66#include <openssl/x509v3.h> 67 68#include "ext_dat.h" 69static STACK_OF(X509V3_EXT_METHOD) *ext_list = NULL; 70 71static void ext_list_free(X509V3_EXT_METHOD *ext); 72 73static int ext_stack_cmp(const X509V3_EXT_METHOD **a, const X509V3_EXT_METHOD **b) 74{ 75 return ((*a)->ext_nid - (*b)->ext_nid); 76} 77 78int X509V3_EXT_add(X509V3_EXT_METHOD *ext) 79{ 80 if(!ext_list && !(ext_list = sk_X509V3_EXT_METHOD_new(ext_stack_cmp))) { 81 OPENSSL_PUT_ERROR(X509V3, X509V3_EXT_add, ERR_R_MALLOC_FAILURE); 82 return 0; 83 } 84 if(!sk_X509V3_EXT_METHOD_push(ext_list, ext)) { 85 OPENSSL_PUT_ERROR(X509V3, X509V3_EXT_add, ERR_R_MALLOC_FAILURE); 86 return 0; 87 } 88 return 1; 89} 90 91static int ext_cmp(const void *void_a, 92 const void *void_b) 93{ 94 const X509V3_EXT_METHOD **a = (const X509V3_EXT_METHOD**) void_a; 95 const X509V3_EXT_METHOD **b = (const X509V3_EXT_METHOD**) void_b; 96 return ext_stack_cmp(a, b); 97} 98 99const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid) 100{ 101 X509V3_EXT_METHOD tmp; 102 const X509V3_EXT_METHOD *t = &tmp, * const *ret; 103 size_t idx; 104 105 if(nid < 0) return NULL; 106 tmp.ext_nid = nid; 107 ret = bsearch(&t, standard_exts, STANDARD_EXTENSION_COUNT, sizeof(X509V3_EXT_METHOD*), ext_cmp); 108 if(ret) return *ret; 109 if(!ext_list) return NULL; 110 111 if (!sk_X509V3_EXT_METHOD_find(ext_list, &idx, &tmp)) 112 return NULL; 113 return sk_X509V3_EXT_METHOD_value(ext_list, idx); 114} 115 116const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext) 117{ 118 int nid; 119 if((nid = OBJ_obj2nid(ext->object)) == NID_undef) return NULL; 120 return X509V3_EXT_get_nid(nid); 121} 122 123int X509V3_EXT_free(int nid, void *ext_data) 124{ 125 const X509V3_EXT_METHOD *ext_method = X509V3_EXT_get_nid(nid); 126 if (ext_method == NULL) 127 { 128 OPENSSL_PUT_ERROR(X509V3, X509V3_EXT_free, X509V3_R_CANNOT_FIND_FREE_FUNCTION); 129 return 0; 130 } 131 132 if (ext_method->it != NULL) 133 ASN1_item_free(ext_data, ASN1_ITEM_ptr(ext_method->it)); 134 else if (ext_method->ext_free != NULL) 135 ext_method->ext_free(ext_data); 136 else 137 { 138 OPENSSL_PUT_ERROR(X509V3, X509V3_EXT_free, X509V3_R_CANNOT_FIND_FREE_FUNCTION); 139 return 0; 140 } 141 142 return 1; 143} 144 145int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist) 146{ 147 for(;extlist->ext_nid!=-1;extlist++) 148 if(!X509V3_EXT_add(extlist)) return 0; 149 return 1; 150} 151 152int X509V3_EXT_add_alias(int nid_to, int nid_from) 153{ 154 const X509V3_EXT_METHOD *ext; 155 X509V3_EXT_METHOD *tmpext; 156 157 if(!(ext = X509V3_EXT_get_nid(nid_from))) { 158 OPENSSL_PUT_ERROR(X509V3, X509V3_EXT_add_alias, X509V3_R_EXTENSION_NOT_FOUND); 159 return 0; 160 } 161 if(!(tmpext = (X509V3_EXT_METHOD *)OPENSSL_malloc(sizeof(X509V3_EXT_METHOD)))) { 162 OPENSSL_PUT_ERROR(X509V3, X509V3_EXT_add_alias, ERR_R_MALLOC_FAILURE); 163 return 0; 164 } 165 *tmpext = *ext; 166 tmpext->ext_nid = nid_to; 167 tmpext->ext_flags |= X509V3_EXT_DYNAMIC; 168 return X509V3_EXT_add(tmpext); 169} 170 171void X509V3_EXT_cleanup(void) 172{ 173 sk_X509V3_EXT_METHOD_pop_free(ext_list, ext_list_free); 174 ext_list = NULL; 175} 176 177static void ext_list_free(X509V3_EXT_METHOD *ext) 178{ 179 if(ext->ext_flags & X509V3_EXT_DYNAMIC) OPENSSL_free(ext); 180} 181 182/* Legacy function: we don't need to add standard extensions 183 * any more because they are now kept in ext_dat.h. 184 */ 185 186int X509V3_add_standard_extensions(void) 187{ 188 return 1; 189} 190 191/* Return an extension internal structure */ 192 193void *X509V3_EXT_d2i(X509_EXTENSION *ext) 194{ 195 const X509V3_EXT_METHOD *method; 196 const unsigned char *p; 197 198 if(!(method = X509V3_EXT_get(ext))) return NULL; 199 p = ext->value->data; 200 if(method->it) return ASN1_item_d2i(NULL, &p, ext->value->length, ASN1_ITEM_ptr(method->it)); 201 return method->d2i(NULL, &p, ext->value->length); 202} 203 204/* Get critical flag and decoded version of extension from a NID. 205 * The "idx" variable returns the last found extension and can 206 * be used to retrieve multiple extensions of the same NID. 207 * However multiple extensions with the same NID is usually 208 * due to a badly encoded certificate so if idx is NULL we 209 * choke if multiple extensions exist. 210 * The "crit" variable is set to the critical value. 211 * The return value is the decoded extension or NULL on 212 * error. The actual error can have several different causes, 213 * the value of *crit reflects the cause: 214 * >= 0, extension found but not decoded (reflects critical value). 215 * -1 extension not found. 216 * -2 extension occurs more than once. 217 */ 218 219void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx) 220{ 221 int lastpos; 222 size_t i; 223 X509_EXTENSION *ex, *found_ex = NULL; 224 if(!x) { 225 if(idx) *idx = -1; 226 if(crit) *crit = -1; 227 return NULL; 228 } 229 if(idx) lastpos = *idx + 1; 230 else lastpos = 0; 231 if(lastpos < 0) lastpos = 0; 232 for(i = lastpos; i < sk_X509_EXTENSION_num(x); i++) 233 { 234 ex = sk_X509_EXTENSION_value(x, i); 235 if(OBJ_obj2nid(ex->object) == nid) { 236 if(idx) { 237 *idx = i; 238 found_ex = ex; 239 break; 240 } else if(found_ex) { 241 /* Found more than one */ 242 if(crit) *crit = -2; 243 return NULL; 244 } 245 found_ex = ex; 246 } 247 } 248 if(found_ex) { 249 /* Found it */ 250 if(crit) *crit = X509_EXTENSION_get_critical(found_ex); 251 return X509V3_EXT_d2i(found_ex); 252 } 253 254 /* Extension not found */ 255 if(idx) *idx = -1; 256 if(crit) *crit = -1; 257 return NULL; 258} 259 260/* This function is a general extension append, replace and delete utility. 261 * The precise operation is governed by the 'flags' value. The 'crit' and 262 * 'value' arguments (if relevant) are the extensions internal structure. 263 */ 264 265int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, 266 int crit, unsigned long flags) 267{ 268 int extidx = -1; 269 int errcode; 270 X509_EXTENSION *ext, *extmp; 271 unsigned long ext_op = flags & X509V3_ADD_OP_MASK; 272 273 /* If appending we don't care if it exists, otherwise 274 * look for existing extension. 275 */ 276 if(ext_op != X509V3_ADD_APPEND) 277 extidx = X509v3_get_ext_by_NID(*x, nid, -1); 278 279 /* See if extension exists */ 280 if(extidx >= 0) { 281 /* If keep existing, nothing to do */ 282 if(ext_op == X509V3_ADD_KEEP_EXISTING) 283 return 1; 284 /* If default then its an error */ 285 if(ext_op == X509V3_ADD_DEFAULT) { 286 errcode = X509V3_R_EXTENSION_EXISTS; 287 goto err; 288 } 289 /* If delete, just delete it */ 290 if(ext_op == X509V3_ADD_DELETE) { 291 if(!sk_X509_EXTENSION_delete(*x, extidx)) return -1; 292 return 1; 293 } 294 } else { 295 /* If replace existing or delete, error since 296 * extension must exist 297 */ 298 if((ext_op == X509V3_ADD_REPLACE_EXISTING) || 299 (ext_op == X509V3_ADD_DELETE)) { 300 errcode = X509V3_R_EXTENSION_NOT_FOUND; 301 goto err; 302 } 303 } 304 305 /* If we get this far then we have to create an extension: 306 * could have some flags for alternative encoding schemes... 307 */ 308 309 ext = X509V3_EXT_i2d(nid, crit, value); 310 311 if(!ext) { 312 OPENSSL_PUT_ERROR(X509V3, X509V3_add1_i2d, X509V3_R_ERROR_CREATING_EXTENSION); 313 return 0; 314 } 315 316 /* If extension exists replace it.. */ 317 if(extidx >= 0) { 318 extmp = sk_X509_EXTENSION_value(*x, extidx); 319 X509_EXTENSION_free(extmp); 320 if(!sk_X509_EXTENSION_set(*x, extidx, ext)) return -1; 321 return 1; 322 } 323 324 if(!*x && !(*x = sk_X509_EXTENSION_new_null())) return -1; 325 if(!sk_X509_EXTENSION_push(*x, ext)) return -1; 326 327 return 1; 328 329 err: 330 if(!(flags & X509V3_ADD_SILENT)) 331 OPENSSL_PUT_ERROR(X509V3, X509V3_add1_i2d, errcode); 332 return 0; 333} 334