1 /*
2 * Written by Dr Stephen N Henson ([email protected]) for the OpenSSL project
3 * 1999.
4 */
5 /* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * [email protected].
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * ([email protected]). This product includes software written by Tim
55 * Hudson ([email protected]). */
56
57 #include <openssl/err.h>
58 #include <openssl/mem.h>
59 #include <openssl/obj.h>
60 #include <openssl/x509.h>
61
62 #include "../internal.h"
63 #include "internal.h"
64
65
66 typedef struct x509_trust_st X509_TRUST;
67
68 struct x509_trust_st {
69 int trust;
70 int (*check_trust)(const X509_TRUST *, X509 *);
71 int nid;
72 } /* X509_TRUST */;
73
74 static int trust_1oidany(const X509_TRUST *trust, X509 *x);
75 static int trust_compat(const X509_TRUST *trust, X509 *x);
76
77 static int obj_trust(int id, X509 *x);
78
79 static const X509_TRUST trstandard[] = {
80 {X509_TRUST_COMPAT, trust_compat, 0},
81 {X509_TRUST_SSL_CLIENT, trust_1oidany, NID_client_auth},
82 {X509_TRUST_SSL_SERVER, trust_1oidany, NID_server_auth},
83 {X509_TRUST_EMAIL, trust_1oidany, NID_email_protect},
84 {X509_TRUST_OBJECT_SIGN, trust_1oidany, NID_code_sign},
85 {X509_TRUST_TSA, trust_1oidany, NID_time_stamp}};
86
X509_TRUST_get0(int id)87 static const X509_TRUST *X509_TRUST_get0(int id) {
88 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(trstandard); i++) {
89 if (trstandard[i].trust == id) {
90 return &trstandard[i];
91 }
92 }
93 return NULL;
94 }
95
X509_check_trust(X509 * x,int id,int flags)96 int X509_check_trust(X509 *x, int id, int flags) {
97 if (id == -1) {
98 return X509_TRUST_TRUSTED;
99 }
100 // We get this as a default value
101 if (id == 0) {
102 int rv = obj_trust(NID_anyExtendedKeyUsage, x);
103 if (rv != X509_TRUST_UNTRUSTED) {
104 return rv;
105 }
106 return trust_compat(NULL, x);
107 }
108 const X509_TRUST *pt = X509_TRUST_get0(id);
109 if (pt == NULL) {
110 // Unknown trust IDs are silently reintrepreted as NIDs. This is unreachable
111 // from the certificate verifier itself, but wpa_supplicant relies on it.
112 // Note this relies on commonly-used NIDs and trust IDs not colliding.
113 return obj_trust(id, x);
114 }
115 return pt->check_trust(pt, x);
116 }
117
X509_is_valid_trust_id(int trust)118 int X509_is_valid_trust_id(int trust) {
119 return X509_TRUST_get0(trust) != NULL;
120 }
121
trust_1oidany(const X509_TRUST * trust,X509 * x)122 static int trust_1oidany(const X509_TRUST *trust, X509 *x) {
123 if (x->aux && (x->aux->trust || x->aux->reject)) {
124 return obj_trust(trust->nid, x);
125 }
126 // we don't have any trust settings: for compatibility we return trusted
127 // if it is self signed
128 return trust_compat(trust, x);
129 }
130
trust_compat(const X509_TRUST * trust,X509 * x)131 static int trust_compat(const X509_TRUST *trust, X509 *x) {
132 if (!x509v3_cache_extensions(x)) {
133 return X509_TRUST_UNTRUSTED;
134 }
135 if (x->ex_flags & EXFLAG_SS) {
136 return X509_TRUST_TRUSTED;
137 } else {
138 return X509_TRUST_UNTRUSTED;
139 }
140 }
141
obj_trust(int id,X509 * x)142 static int obj_trust(int id, X509 *x) {
143 X509_CERT_AUX *ax = x->aux;
144 if (!ax) {
145 return X509_TRUST_UNTRUSTED;
146 }
147 for (size_t i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {
148 const ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(ax->reject, i);
149 if (OBJ_obj2nid(obj) == id) {
150 return X509_TRUST_REJECTED;
151 }
152 }
153 for (size_t i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
154 const ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(ax->trust, i);
155 if (OBJ_obj2nid(obj) == id) {
156 return X509_TRUST_TRUSTED;
157 }
158 }
159 return X509_TRUST_UNTRUSTED;
160 }
161