2
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
5
/* ====================================================================
6
* Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
8
* Redistribution and use in source and binary forms, with or without
9
* modification, are permitted provided that the following conditions
12
* 1. Redistributions of source code must retain the above copyright
13
* notice, this list of conditions and the following disclaimer.
15
* 2. Redistributions in binary form must reproduce the above copyright
16
* notice, this list of conditions and the following disclaimer in
17
* the documentation and/or other materials provided with the
20
* 3. All advertising materials mentioning features or use of this
21
* software must display the following acknowledgment:
22
* "This product includes software developed by the OpenSSL Project
23
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26
* endorse or promote products derived from this software without
27
* prior written permission. For written permission, please contact
28
* licensing@OpenSSL.org.
30
* 5. Products derived from this software may not be called "OpenSSL"
31
* nor may "OpenSSL" appear in their names without prior written
32
* permission of the OpenSSL Project.
34
* 6. Redistributions of any form whatsoever must retain the following
36
* "This product includes software developed by the OpenSSL Project
37
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50
* OF THE POSSIBILITY OF SUCH DAMAGE.
51
* ====================================================================
53
* This product includes cryptographic software written by Eric Young
54
* (eay@cryptsoft.com). This product includes software written by Tim
55
* Hudson (tjh@cryptsoft.com).
61
#include <openssl/conf.h>
62
#include <openssl/asn1.h>
63
#include <openssl/asn1t.h>
64
#include <openssl/x509v3.h>
66
static void *v2i_crld(const X509V3_EXT_METHOD *method,
67
X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
68
static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
71
const X509V3_EXT_METHOD v3_crld =
73
NID_crl_distribution_points, 0, ASN1_ITEM_ref(CRL_DIST_POINTS),
82
const X509V3_EXT_METHOD v3_freshest_crl =
84
NID_freshest_crl, 0, ASN1_ITEM_ref(CRL_DIST_POINTS),
93
static STACK_OF(GENERAL_NAME) *gnames_from_sectname(X509V3_CTX *ctx, char *sect)
95
STACK_OF(CONF_VALUE) *gnsect;
96
STACK_OF(GENERAL_NAME) *gens;
98
gnsect = X509V3_get_section(ctx, sect + 1);
100
gnsect = X509V3_parse_list(sect);
103
X509V3err(X509V3_F_GNAMES_FROM_SECTNAME,
104
X509V3_R_SECTION_NOT_FOUND);
107
gens = v2i_GENERAL_NAMES(NULL, ctx, gnsect);
109
X509V3_section_free(ctx, gnsect);
111
sk_CONF_VALUE_pop_free(gnsect, X509V3_conf_free);
115
static int set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx,
118
STACK_OF(GENERAL_NAME) *fnm = NULL;
119
STACK_OF(X509_NAME_ENTRY) *rnm = NULL;
120
if (!strncmp(cnf->name, "fullname", 9))
122
fnm = gnames_from_sectname(ctx, cnf->value);
126
else if (!strcmp(cnf->name, "relativename"))
129
STACK_OF(CONF_VALUE) *dnsect;
131
nm = X509_NAME_new();
134
dnsect = X509V3_get_section(ctx, cnf->value);
137
X509V3err(X509V3_F_SET_DIST_POINT_NAME,
138
X509V3_R_SECTION_NOT_FOUND);
141
ret = X509V3_NAME_from_section(nm, dnsect, MBSTRING_ASC);
142
X509V3_section_free(ctx, dnsect);
146
if (!ret || sk_X509_NAME_ENTRY_num(rnm) <= 0)
148
/* Since its a name fragment can't have more than one
151
if (sk_X509_NAME_ENTRY_value(rnm,
152
sk_X509_NAME_ENTRY_num(rnm) - 1)->set)
154
X509V3err(X509V3_F_SET_DIST_POINT_NAME,
155
X509V3_R_INVALID_MULTIPLE_RDNS);
164
X509V3err(X509V3_F_SET_DIST_POINT_NAME,
165
X509V3_R_DISTPOINT_ALREADY_SET);
169
*pdp = DIST_POINT_NAME_new();
175
(*pdp)->name.fullname = fnm;
180
(*pdp)->name.relativename = rnm;
187
sk_GENERAL_NAME_pop_free(fnm, GENERAL_NAME_free);
189
sk_X509_NAME_ENTRY_pop_free(rnm, X509_NAME_ENTRY_free);
193
static const BIT_STRING_BITNAME reason_flags[] = {
194
{0, "Unused", "unused"},
195
{1, "Key Compromise", "keyCompromise"},
196
{2, "CA Compromise", "CACompromise"},
197
{3, "Affiliation Changed", "affiliationChanged"},
198
{4, "Superseded", "superseded"},
199
{5, "Cessation Of Operation", "cessationOfOperation"},
200
{6, "Certificate Hold", "certificateHold"},
201
{7, "Privilege Withdrawn", "privilegeWithdrawn"},
202
{8, "AA Compromise", "AACompromise"},
206
static int set_reasons(ASN1_BIT_STRING **preas, char *value)
208
STACK_OF(CONF_VALUE) *rsk = NULL;
209
const BIT_STRING_BITNAME *pbn;
212
rsk = X509V3_parse_list(value);
217
for (i = 0; i < sk_CONF_VALUE_num(rsk); i++)
219
bnam = sk_CONF_VALUE_value(rsk, i)->name;
222
*preas = ASN1_BIT_STRING_new();
226
for (pbn = reason_flags; pbn->lname; pbn++)
228
if (!strcmp(pbn->sname, bnam))
230
if (!ASN1_BIT_STRING_set_bit(*preas,
242
sk_CONF_VALUE_pop_free(rsk, X509V3_conf_free);
246
static int print_reasons(BIO *out, const char *rname,
247
ASN1_BIT_STRING *rflags, int indent)
250
const BIT_STRING_BITNAME *pbn;
251
BIO_printf(out, "%*s%s:\n%*s", indent, "", rname, indent + 2, "");
252
for (pbn = reason_flags; pbn->lname; pbn++)
254
if (ASN1_BIT_STRING_get_bit(rflags, pbn->bitnum))
260
BIO_puts(out, pbn->lname);
264
BIO_puts(out, "<EMPTY>\n");
270
static DIST_POINT *crldp_from_section(X509V3_CTX *ctx,
271
STACK_OF(CONF_VALUE) *nval)
275
DIST_POINT *point = NULL;
276
point = DIST_POINT_new();
279
for(i = 0; i < sk_CONF_VALUE_num(nval); i++)
282
cnf = sk_CONF_VALUE_value(nval, i);
283
ret = set_dist_point_name(&point->distpoint, ctx, cnf);
288
if (!strcmp(cnf->name, "reasons"))
290
if (!set_reasons(&point->reasons, cnf->value))
293
else if (!strcmp(cnf->name, "CRLissuer"))
296
gnames_from_sectname(ctx, cnf->value);
297
if (!point->CRLissuer)
307
DIST_POINT_free(point);
311
static void *v2i_crld(const X509V3_EXT_METHOD *method,
312
X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
314
STACK_OF(DIST_POINT) *crld = NULL;
315
GENERAL_NAMES *gens = NULL;
316
GENERAL_NAME *gen = NULL;
319
if(!(crld = sk_DIST_POINT_new_null())) goto merr;
320
for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
322
cnf = sk_CONF_VALUE_value(nval, i);
325
STACK_OF(CONF_VALUE) *dpsect;
326
dpsect = X509V3_get_section(ctx, cnf->name);
329
point = crldp_from_section(ctx, dpsect);
330
X509V3_section_free(ctx, dpsect);
333
if(!sk_DIST_POINT_push(crld, point))
335
DIST_POINT_free(point);
341
if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
343
if(!(gens = GENERAL_NAMES_new()))
345
if(!sk_GENERAL_NAME_push(gens, gen))
348
if(!(point = DIST_POINT_new()))
350
if(!sk_DIST_POINT_push(crld, point))
352
DIST_POINT_free(point);
355
if(!(point->distpoint = DIST_POINT_NAME_new()))
357
point->distpoint->name.fullname = gens;
358
point->distpoint->type = 0;
365
X509V3err(X509V3_F_V2I_CRLD,ERR_R_MALLOC_FAILURE);
367
GENERAL_NAME_free(gen);
368
GENERAL_NAMES_free(gens);
369
sk_DIST_POINT_pop_free(crld, DIST_POINT_free);
373
IMPLEMENT_STACK_OF(DIST_POINT)
374
IMPLEMENT_ASN1_SET_OF(DIST_POINT)
376
static int dpn_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
379
DIST_POINT_NAME *dpn = (DIST_POINT_NAME *)*pval;
383
case ASN1_OP_NEW_POST:
387
case ASN1_OP_FREE_POST:
389
X509_NAME_free(dpn->dpname);
396
ASN1_CHOICE_cb(DIST_POINT_NAME, dpn_cb) = {
397
ASN1_IMP_SEQUENCE_OF(DIST_POINT_NAME, name.fullname, GENERAL_NAME, 0),
398
ASN1_IMP_SET_OF(DIST_POINT_NAME, name.relativename, X509_NAME_ENTRY, 1)
399
} ASN1_CHOICE_END_cb(DIST_POINT_NAME, DIST_POINT_NAME, type)
402
IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT_NAME)
404
ASN1_SEQUENCE(DIST_POINT) = {
405
ASN1_EXP_OPT(DIST_POINT, distpoint, DIST_POINT_NAME, 0),
406
ASN1_IMP_OPT(DIST_POINT, reasons, ASN1_BIT_STRING, 1),
407
ASN1_IMP_SEQUENCE_OF_OPT(DIST_POINT, CRLissuer, GENERAL_NAME, 2)
408
} ASN1_SEQUENCE_END(DIST_POINT)
410
IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT)
412
ASN1_ITEM_TEMPLATE(CRL_DIST_POINTS) =
413
ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CRLDistributionPoints, DIST_POINT)
414
ASN1_ITEM_TEMPLATE_END(CRL_DIST_POINTS)
416
IMPLEMENT_ASN1_FUNCTIONS(CRL_DIST_POINTS)
418
ASN1_SEQUENCE(ISSUING_DIST_POINT) = {
419
ASN1_EXP_OPT(ISSUING_DIST_POINT, distpoint, DIST_POINT_NAME, 0),
420
ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyuser, ASN1_FBOOLEAN, 1),
421
ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyCA, ASN1_FBOOLEAN, 2),
422
ASN1_IMP_OPT(ISSUING_DIST_POINT, onlysomereasons, ASN1_BIT_STRING, 3),
423
ASN1_IMP_OPT(ISSUING_DIST_POINT, indirectCRL, ASN1_FBOOLEAN, 4),
424
ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyattr, ASN1_FBOOLEAN, 5)
425
} ASN1_SEQUENCE_END(ISSUING_DIST_POINT)
427
IMPLEMENT_ASN1_FUNCTIONS(ISSUING_DIST_POINT)
429
static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
431
static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
432
STACK_OF(CONF_VALUE) *nval);
434
const X509V3_EXT_METHOD v3_idp =
436
NID_issuing_distribution_point, X509V3_EXT_MULTILINE,
437
ASN1_ITEM_ref(ISSUING_DIST_POINT),
446
static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
447
STACK_OF(CONF_VALUE) *nval)
449
ISSUING_DIST_POINT *idp = NULL;
453
idp = ISSUING_DIST_POINT_new();
456
for(i = 0; i < sk_CONF_VALUE_num(nval); i++)
458
cnf = sk_CONF_VALUE_value(nval, i);
461
ret = set_dist_point_name(&idp->distpoint, ctx, cnf);
466
if (!strcmp(name, "onlyuser"))
468
if (!X509V3_get_value_bool(cnf, &idp->onlyuser))
471
else if (!strcmp(name, "onlyCA"))
473
if (!X509V3_get_value_bool(cnf, &idp->onlyCA))
476
else if (!strcmp(name, "onlyAA"))
478
if (!X509V3_get_value_bool(cnf, &idp->onlyattr))
481
else if (!strcmp(name, "indirectCRL"))
483
if (!X509V3_get_value_bool(cnf, &idp->indirectCRL))
486
else if (!strcmp(name, "onlysomereasons"))
488
if (!set_reasons(&idp->onlysomereasons, val))
493
X509V3err(X509V3_F_V2I_IDP, X509V3_R_INVALID_NAME);
494
X509V3_conf_err(cnf);
501
X509V3err(X509V3_F_V2I_IDP,ERR_R_MALLOC_FAILURE);
503
ISSUING_DIST_POINT_free(idp);
507
static int print_gens(BIO *out, STACK_OF(GENERAL_NAME) *gens, int indent)
510
for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
512
BIO_printf(out, "%*s", indent + 2, "");
513
GENERAL_NAME_print(out, sk_GENERAL_NAME_value(gens, i));
519
static int print_distpoint(BIO *out, DIST_POINT_NAME *dpn, int indent)
523
BIO_printf(out, "%*sFull Name:\n", indent, "");
524
print_gens(out, dpn->name.fullname, indent);
529
ntmp.entries = dpn->name.relativename;
530
BIO_printf(out, "%*sRelative Name:\n%*s",
531
indent, "", indent + 2, "");
532
X509_NAME_print_ex(out, &ntmp, 0, XN_FLAG_ONELINE);
538
static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
541
ISSUING_DIST_POINT *idp = pidp;
543
print_distpoint(out, idp->distpoint, indent);
544
if (idp->onlyuser > 0)
545
BIO_printf(out, "%*sOnly User Certificates\n", indent, "");
547
BIO_printf(out, "%*sOnly CA Certificates\n", indent, "");
548
if (idp->indirectCRL > 0)
549
BIO_printf(out, "%*sIndirect CRL\n", indent, "");
550
if (idp->onlysomereasons)
551
print_reasons(out, "Only Some Reasons",
552
idp->onlysomereasons, indent);
553
if (idp->onlyattr > 0)
554
BIO_printf(out, "%*sOnly Attribute Certificates\n", indent, "");
555
if (!idp->distpoint && (idp->onlyuser <= 0) && (idp->onlyCA <= 0)
556
&& (idp->indirectCRL <= 0) && !idp->onlysomereasons
557
&& (idp->onlyattr <= 0))
558
BIO_printf(out, "%*s<EMPTY>\n", indent, "");
563
static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
566
STACK_OF(DIST_POINT) *crld = pcrldp;
569
for(i = 0; i < sk_DIST_POINT_num(crld); i++)
572
point = sk_DIST_POINT_value(crld, i);
574
print_distpoint(out, point->distpoint, indent);
576
print_reasons(out, "Reasons", point->reasons,
580
BIO_printf(out, "%*sCRL Issuer:\n", indent, "");
581
print_gens(out, point->CRLissuer, indent);
587
int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname)
590
STACK_OF(X509_NAME_ENTRY) *frag;
592
if (!dpn || (dpn->type != 1))
594
frag = dpn->name.relativename;
595
dpn->dpname = X509_NAME_dup(iname);
598
for (i = 0; i < sk_X509_NAME_ENTRY_num(frag); i++)
600
ne = sk_X509_NAME_ENTRY_value(frag, i);
601
if (!X509_NAME_add_entry(dpn->dpname, ne, -1, i ? 0 : 1))
603
X509_NAME_free(dpn->dpname);
608
/* generate cached encoding of name */
609
if (i2d_X509_NAME(dpn->dpname, NULL) < 0)
611
X509_NAME_free(dpn->dpname);