40
41
#include <openssl/x509v3.h>
42
43
static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext,
43
BIO *out, int indent);
44
BIO *out, int indent);
44
45
static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
45
X509V3_CTX *ctx, char *str);
46
X509V3_CTX *ctx, char *str);
47
48
const X509V3_EXT_METHOD v3_pci =
48
{ NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION),
52
(X509V3_EXT_I2R)i2r_pci,
53
(X509V3_EXT_R2I)r2i_pci,
49
{ NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION),
53
(X509V3_EXT_I2R)i2r_pci,
54
(X509V3_EXT_R2I)r2i_pci,
57
58
static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci,
60
BIO_printf(out, "%*sPath Length Constraint: ", indent, "");
61
if (pci->pcPathLengthConstraint)
62
i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint);
64
BIO_printf(out, "infinite");
66
BIO_printf(out, "%*sPolicy Language: ", indent, "");
67
i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
69
if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
70
BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
71
pci->proxyPolicy->policy->data);
61
BIO_printf(out, "%*sPath Length Constraint: ", indent, "");
62
if (pci->pcPathLengthConstraint)
63
i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint);
65
BIO_printf(out, "infinite");
67
BIO_printf(out, "%*sPolicy Language: ", indent, "");
68
i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
70
if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
71
BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
72
pci->proxyPolicy->policy->data);
75
76
static int process_pci_value(CONF_VALUE *val,
76
ASN1_OBJECT **language, ASN1_INTEGER **pathlen,
77
ASN1_OCTET_STRING **policy)
81
if (strcmp(val->name, "language") == 0)
85
X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED);
89
if (!(*language = OBJ_txt2obj(val->value, 0)))
91
X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INVALID_OBJECT_IDENTIFIER);
96
else if (strcmp(val->name, "pathlen") == 0)
100
X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED);
101
X509V3_conf_err(val);
104
if (!X509V3_get_value_int(val, pathlen))
106
X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH);
107
X509V3_conf_err(val);
111
else if (strcmp(val->name, "policy") == 0)
113
unsigned char *tmp_data = NULL;
117
*policy = ASN1_OCTET_STRING_new();
120
X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
121
X509V3_conf_err(val);
126
if (strncmp(val->value, "hex:", 4) == 0)
128
unsigned char *tmp_data2 =
129
string_to_hex(val->value + 4, &val_len);
133
X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_ILLEGAL_HEX_DIGIT);
134
X509V3_conf_err(val);
138
tmp_data = OPENSSL_realloc((*policy)->data,
139
(*policy)->length + val_len + 1);
142
(*policy)->data = tmp_data;
143
memcpy(&(*policy)->data[(*policy)->length],
145
(*policy)->length += val_len;
146
(*policy)->data[(*policy)->length] = '\0';
150
OPENSSL_free(tmp_data2);
151
/* realloc failure implies the original data space is b0rked too! */
152
(*policy)->data = NULL;
153
(*policy)->length = 0;
154
X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
155
X509V3_conf_err(val);
158
OPENSSL_free(tmp_data2);
160
#ifndef OPENSSL_NO_STDIO
161
else if (strncmp(val->value, "file:", 5) == 0)
163
unsigned char buf[2048];
165
BIO *b = BIO_new_file(val->value + 5, "r");
168
X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB);
169
X509V3_conf_err(val);
172
while((n = BIO_read(b, buf, sizeof(buf))) > 0
173
|| (n == 0 && BIO_should_retry(b)))
177
tmp_data = OPENSSL_realloc((*policy)->data,
178
(*policy)->length + n + 1);
183
(*policy)->data = tmp_data;
184
memcpy(&(*policy)->data[(*policy)->length],
186
(*policy)->length += n;
187
(*policy)->data[(*policy)->length] = '\0';
193
X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB);
194
X509V3_conf_err(val);
199
else if (strncmp(val->value, "text:", 5) == 0)
201
val_len = strlen(val->value + 5);
202
tmp_data = OPENSSL_realloc((*policy)->data,
203
(*policy)->length + val_len + 1);
206
(*policy)->data = tmp_data;
207
memcpy(&(*policy)->data[(*policy)->length],
208
val->value + 5, val_len);
209
(*policy)->length += val_len;
210
(*policy)->data[(*policy)->length] = '\0';
214
/* realloc failure implies the original data space is b0rked too! */
215
(*policy)->data = NULL;
216
(*policy)->length = 0;
217
X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
218
X509V3_conf_err(val);
224
X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);
225
X509V3_conf_err(val);
230
X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
231
X509V3_conf_err(val);
239
ASN1_OCTET_STRING_free(*policy);
77
ASN1_OBJECT **language, ASN1_INTEGER **pathlen,
78
ASN1_OCTET_STRING **policy)
82
if (strcmp(val->name, "language") == 0) {
84
X509V3err(X509V3_F_PROCESS_PCI_VALUE,
85
X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED);
89
if (!(*language = OBJ_txt2obj(val->value, 0))) {
90
X509V3err(X509V3_F_PROCESS_PCI_VALUE,
91
X509V3_R_INVALID_OBJECT_IDENTIFIER);
95
} else if (strcmp(val->name, "pathlen") == 0) {
97
X509V3err(X509V3_F_PROCESS_PCI_VALUE,
98
X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED);
102
if (!X509V3_get_value_int(val, pathlen)) {
103
X509V3err(X509V3_F_PROCESS_PCI_VALUE,
104
X509V3_R_POLICY_PATH_LENGTH);
105
X509V3_conf_err(val);
108
} else if (strcmp(val->name, "policy") == 0) {
109
unsigned char *tmp_data = NULL;
112
*policy = ASN1_OCTET_STRING_new();
114
X509V3err(X509V3_F_PROCESS_PCI_VALUE, ERR_R_MALLOC_FAILURE);
115
X509V3_conf_err(val);
120
if (strncmp(val->value, "hex:", 4) == 0) {
121
unsigned char *tmp_data2 =
122
string_to_hex(val->value + 4, &val_len);
125
X509V3err(X509V3_F_PROCESS_PCI_VALUE,
126
X509V3_R_ILLEGAL_HEX_DIGIT);
127
X509V3_conf_err(val);
131
tmp_data = OPENSSL_realloc((*policy)->data,
132
(*policy)->length + val_len + 1);
134
(*policy)->data = tmp_data;
135
memcpy(&(*policy)->data[(*policy)->length],
137
(*policy)->length += val_len;
138
(*policy)->data[(*policy)->length] = '\0';
140
OPENSSL_free(tmp_data2);
142
* realloc failure implies the original data space is b0rked
145
(*policy)->data = NULL;
146
(*policy)->length = 0;
147
X509V3err(X509V3_F_PROCESS_PCI_VALUE, ERR_R_MALLOC_FAILURE);
148
X509V3_conf_err(val);
151
OPENSSL_free(tmp_data2);
152
} else if (strncmp(val->value, "file:", 5) == 0) {
153
unsigned char buf[2048];
155
BIO *b = BIO_new_file(val->value + 5, "r");
157
X509V3err(X509V3_F_PROCESS_PCI_VALUE, ERR_R_BIO_LIB);
158
X509V3_conf_err(val);
161
while ((n = BIO_read(b, buf, sizeof(buf))) > 0
162
|| (n == 0 && BIO_should_retry(b))) {
166
tmp_data = OPENSSL_realloc((*policy)->data,
167
(*policy)->length + n + 1);
172
(*policy)->data = tmp_data;
173
memcpy(&(*policy)->data[(*policy)->length], buf, n);
174
(*policy)->length += n;
175
(*policy)->data[(*policy)->length] = '\0';
180
X509V3err(X509V3_F_PROCESS_PCI_VALUE, ERR_R_BIO_LIB);
181
X509V3_conf_err(val);
184
} else if (strncmp(val->value, "text:", 5) == 0) {
185
val_len = strlen(val->value + 5);
186
tmp_data = OPENSSL_realloc((*policy)->data,
187
(*policy)->length + val_len + 1);
189
(*policy)->data = tmp_data;
190
memcpy(&(*policy)->data[(*policy)->length],
191
val->value + 5, val_len);
192
(*policy)->length += val_len;
193
(*policy)->data[(*policy)->length] = '\0';
196
* realloc failure implies the original data space is b0rked
199
(*policy)->data = NULL;
200
(*policy)->length = 0;
201
X509V3err(X509V3_F_PROCESS_PCI_VALUE, ERR_R_MALLOC_FAILURE);
202
X509V3_conf_err(val);
206
X509V3err(X509V3_F_PROCESS_PCI_VALUE,
207
X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);
208
X509V3_conf_err(val);
212
X509V3err(X509V3_F_PROCESS_PCI_VALUE, ERR_R_MALLOC_FAILURE);
213
X509V3_conf_err(val);
220
ASN1_OCTET_STRING_free(*policy);
245
226
static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
246
X509V3_CTX *ctx, char *value)
248
PROXY_CERT_INFO_EXTENSION *pci = NULL;
249
STACK_OF(CONF_VALUE) *vals;
250
ASN1_OBJECT *language = NULL;
251
ASN1_INTEGER *pathlen = NULL;
252
ASN1_OCTET_STRING *policy = NULL;
255
vals = X509V3_parse_list(value);
256
for (i = 0; i < sk_CONF_VALUE_num(vals); i++)
258
CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);
259
if (!cnf->name || (*cnf->name != '@' && !cnf->value))
261
X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_PROXY_POLICY_SETTING);
262
X509V3_conf_err(cnf);
265
if (*cnf->name == '@')
267
STACK_OF(CONF_VALUE) *sect;
270
sect = X509V3_get_section(ctx, cnf->name + 1);
273
X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_SECTION);
274
X509V3_conf_err(cnf);
277
for (j = 0; success_p && j < sk_CONF_VALUE_num(sect); j++)
280
process_pci_value(sk_CONF_VALUE_value(sect, j),
281
&language, &pathlen, &policy);
283
X509V3_section_free(ctx, sect);
289
if (!process_pci_value(cnf,
290
&language, &pathlen, &policy))
292
X509V3_conf_err(cnf);
298
/* Language is mandatory */
301
X509V3err(X509V3_F_R2I_PCI,X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED);
304
i = OBJ_obj2nid(language);
305
if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy)
307
X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY);
311
pci = PROXY_CERT_INFO_EXTENSION_new();
314
X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE);
318
pci->proxyPolicy->policyLanguage = language; language = NULL;
319
pci->proxyPolicy->policy = policy; policy = NULL;
320
pci->pcPathLengthConstraint = pathlen; pathlen = NULL;
323
if (language) { ASN1_OBJECT_free(language); language = NULL; }
324
if (pathlen) { ASN1_INTEGER_free(pathlen); pathlen = NULL; }
325
if (policy) { ASN1_OCTET_STRING_free(policy); policy = NULL; }
326
if (pci) { PROXY_CERT_INFO_EXTENSION_free(pci); pci = NULL; }
328
sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
227
X509V3_CTX *ctx, char *value)
229
PROXY_CERT_INFO_EXTENSION *pci = NULL;
230
STACK_OF(CONF_VALUE) *vals;
231
ASN1_OBJECT *language = NULL;
232
ASN1_INTEGER *pathlen = NULL;
233
ASN1_OCTET_STRING *policy = NULL;
236
vals = X509V3_parse_list(value);
237
for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
238
CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);
239
if (!cnf->name || (*cnf->name != '@' && !cnf->value)) {
240
X509V3err(X509V3_F_R2I_PCI,
241
X509V3_R_INVALID_PROXY_POLICY_SETTING);
242
X509V3_conf_err(cnf);
245
if (*cnf->name == '@') {
246
STACK_OF(CONF_VALUE) *sect;
249
sect = X509V3_get_section(ctx, cnf->name + 1);
251
X509V3err(X509V3_F_R2I_PCI, X509V3_R_INVALID_SECTION);
252
X509V3_conf_err(cnf);
255
for (j = 0; success_p && j < sk_CONF_VALUE_num(sect); j++) {
257
process_pci_value(sk_CONF_VALUE_value(sect, j),
258
&language, &pathlen, &policy);
260
X509V3_section_free(ctx, sect);
264
if (!process_pci_value(cnf, &language, &pathlen, &policy)) {
265
X509V3_conf_err(cnf);
271
/* Language is mandatory */
273
X509V3err(X509V3_F_R2I_PCI,
274
X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED);
277
i = OBJ_obj2nid(language);
278
if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy) {
279
X509V3err(X509V3_F_R2I_PCI,
280
X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY);
284
pci = PROXY_CERT_INFO_EXTENSION_new();
286
X509V3err(X509V3_F_R2I_PCI, ERR_R_MALLOC_FAILURE);
290
pci->proxyPolicy->policyLanguage = language;
292
pci->proxyPolicy->policy = policy;
294
pci->pcPathLengthConstraint = pathlen;
299
ASN1_OBJECT_free(language);
303
ASN1_INTEGER_free(pathlen);
307
ASN1_OCTET_STRING_free(policy);
311
PROXY_CERT_INFO_EXTENSION_free(pci);
315
sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);