1 /*
2 * Written by Dr Stephen N Henson ([email protected]) for the OpenSSL project
3 * 1999.
4 */
5 /* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * [email protected].
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * ([email protected]). This product includes software written by Tim
55 * Hudson ([email protected]). */
56
57 #include <stdio.h>
58 #include <string.h>
59
60 #include <openssl/asn1.h>
61 #include <openssl/asn1t.h>
62 #include <openssl/conf.h>
63 #include <openssl/err.h>
64 #include <openssl/mem.h>
65 #include <openssl/obj.h>
66 #include <openssl/x509.h>
67
68 #include "internal.h"
69
70
71 static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(
72 const X509V3_EXT_METHOD *method, void *ext, STACK_OF(CONF_VALUE) *extlist);
73 static void *v2i_AUTHORITY_KEYID(const X509V3_EXT_METHOD *method,
74 const X509V3_CTX *ctx,
75 const STACK_OF(CONF_VALUE) *values);
76
77 const X509V3_EXT_METHOD v3_akey_id = {
78 NID_authority_key_identifier,
79 X509V3_EXT_MULTILINE,
80 ASN1_ITEM_ref(AUTHORITY_KEYID),
81 0,
82 0,
83 0,
84 0,
85 0,
86 0,
87 i2v_AUTHORITY_KEYID,
88 v2i_AUTHORITY_KEYID,
89 0,
90 0,
91 NULL,
92 };
93
STACK_OF(CONF_VALUE)94 static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(
95 const X509V3_EXT_METHOD *method, void *ext, STACK_OF(CONF_VALUE) *extlist) {
96 const AUTHORITY_KEYID *akeyid = ext;
97 int extlist_was_null = extlist == NULL;
98 if (akeyid->keyid) {
99 char *tmp = x509v3_bytes_to_hex(akeyid->keyid->data, akeyid->keyid->length);
100 int ok = tmp != NULL && X509V3_add_value("keyid", tmp, &extlist);
101 OPENSSL_free(tmp);
102 if (!ok) {
103 goto err;
104 }
105 }
106 if (akeyid->issuer) {
107 STACK_OF(CONF_VALUE) *tmpextlist =
108 i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);
109 if (tmpextlist == NULL) {
110 goto err;
111 }
112 extlist = tmpextlist;
113 }
114 if (akeyid->serial) {
115 if (!X509V3_add_value_int("serial", akeyid->serial, &extlist)) {
116 goto err;
117 }
118 }
119 return extlist;
120
121 err:
122 if (extlist_was_null) {
123 sk_CONF_VALUE_pop_free(extlist, X509V3_conf_free);
124 }
125 return NULL;
126 }
127
128 // Currently two options: keyid: use the issuers subject keyid, the value
129 // 'always' means its is an error if the issuer certificate doesn't have a
130 // key id. issuer: use the issuers cert issuer and serial number. The default
131 // is to only use this if keyid is not present. With the option 'always' this
132 // is always included.
133
v2i_AUTHORITY_KEYID(const X509V3_EXT_METHOD * method,const X509V3_CTX * ctx,const STACK_OF (CONF_VALUE)* values)134 static void *v2i_AUTHORITY_KEYID(const X509V3_EXT_METHOD *method,
135 const X509V3_CTX *ctx,
136 const STACK_OF(CONF_VALUE) *values) {
137 char keyid = 0, issuer = 0;
138 int j;
139 ASN1_OCTET_STRING *ikeyid = NULL;
140 X509_NAME *isname = NULL;
141 GENERAL_NAMES *gens = NULL;
142 GENERAL_NAME *gen = NULL;
143 ASN1_INTEGER *serial = NULL;
144 const X509 *cert;
145 AUTHORITY_KEYID *akeyid;
146
147 for (size_t i = 0; i < sk_CONF_VALUE_num(values); i++) {
148 const CONF_VALUE *cnf = sk_CONF_VALUE_value(values, i);
149 if (!strcmp(cnf->name, "keyid")) {
150 keyid = 1;
151 if (cnf->value && !strcmp(cnf->value, "always")) {
152 keyid = 2;
153 }
154 } else if (!strcmp(cnf->name, "issuer")) {
155 issuer = 1;
156 if (cnf->value && !strcmp(cnf->value, "always")) {
157 issuer = 2;
158 }
159 } else {
160 OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNKNOWN_OPTION);
161 ERR_add_error_data(2, "name=", cnf->name);
162 return NULL;
163 }
164 }
165
166 if (!ctx || !ctx->issuer_cert) {
167 if (ctx && (ctx->flags == X509V3_CTX_TEST)) {
168 return AUTHORITY_KEYID_new();
169 }
170 OPENSSL_PUT_ERROR(X509V3, X509V3_R_NO_ISSUER_CERTIFICATE);
171 return NULL;
172 }
173
174 cert = ctx->issuer_cert;
175
176 if (keyid) {
177 j = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
178 const X509_EXTENSION *ext;
179 if ((j >= 0) && (ext = X509_get_ext(cert, j))) {
180 ikeyid = X509V3_EXT_d2i(ext);
181 }
182 if (keyid == 2 && !ikeyid) {
183 OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);
184 return NULL;
185 }
186 }
187
188 if ((issuer && !ikeyid) || (issuer == 2)) {
189 isname = X509_NAME_dup(X509_get_issuer_name(cert));
190 serial = ASN1_INTEGER_dup(X509_get0_serialNumber(cert));
191 if (!isname || !serial) {
192 OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
193 goto err;
194 }
195 }
196
197 if (!(akeyid = AUTHORITY_KEYID_new())) {
198 goto err;
199 }
200
201 if (isname) {
202 if (!(gens = sk_GENERAL_NAME_new_null()) || !(gen = GENERAL_NAME_new()) ||
203 !sk_GENERAL_NAME_push(gens, gen)) {
204 goto err;
205 }
206 gen->type = GEN_DIRNAME;
207 gen->d.dirn = isname;
208 }
209
210 akeyid->issuer = gens;
211 akeyid->serial = serial;
212 akeyid->keyid = ikeyid;
213
214 return akeyid;
215
216 err:
217 X509_NAME_free(isname);
218 ASN1_INTEGER_free(serial);
219 ASN1_OCTET_STRING_free(ikeyid);
220 return NULL;
221 }
222