2 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
5 /* ====================================================================
6 * Copyright (c) 1999, 2005 The OpenSSL Project. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
34 * 6. Redistributions of any form whatsoever must retain the following
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
61 #include <openssl/conf.h>
62 #include <openssl/asn1.h>
63 #include <openssl/asn1t.h>
64 #include <openssl/x509v3.h>
66 static void *v2i_crld(X509V3_EXT_METHOD *method,
67 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
68 static int i2r_crldp(X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
71 X509V3_EXT_METHOD v3_crld =
73 NID_crl_distribution_points, 0, ASN1_ITEM_ref(CRL_DIST_POINTS),
82 static STACK_OF(GENERAL_NAME) *gnames_from_sectname(X509V3_CTX *ctx, char *sect)
84 STACK_OF(CONF_VALUE) *gnsect;
85 STACK_OF(GENERAL_NAME) *gens;
87 gnsect = X509V3_get_section(ctx, sect + 1);
89 gnsect = X509V3_parse_list(sect);
92 X509V3err(X509V3_F_GNAMES_FROM_SECTNAME,
93 X509V3_R_SECTION_NOT_FOUND);
96 gens = v2i_GENERAL_NAMES(NULL, ctx, gnsect);
98 X509V3_section_free(ctx, gnsect);
100 sk_CONF_VALUE_pop_free(gnsect, X509V3_conf_free);
104 static int set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx,
107 STACK_OF(GENERAL_NAME) *fnm = NULL;
108 STACK_OF(X509_NAME_ENTRY) *rnm = NULL;
109 if (!strncmp(cnf->name, "fullname", 9))
111 fnm = gnames_from_sectname(ctx, cnf->value);
115 else if (!strcmp(cnf->name, "relativename"))
118 STACK_OF(CONF_VALUE) *dnsect;
120 nm = X509_NAME_new();
123 dnsect = X509V3_get_section(ctx, cnf->value);
126 X509V3err(X509V3_F_SET_DIST_POINT_NAME,
127 X509V3_R_SECTION_NOT_FOUND);
130 ret = X509V3_NAME_from_section(nm, dnsect, MBSTRING_ASC);
131 X509V3_section_free(ctx, dnsect);
135 if (!ret || sk_X509_NAME_ENTRY_num(rnm) <= 0)
137 /* Since its a name fragment can't have more than one
140 if (sk_X509_NAME_ENTRY_value(rnm,
141 sk_X509_NAME_ENTRY_num(rnm) - 1)->set)
143 X509V3err(X509V3_F_SET_DIST_POINT_NAME,
144 X509V3_R_INVAID_MULTIPLE_RDNS);
153 X509V3err(X509V3_F_SET_DIST_POINT_NAME,
154 X509V3_R_DISTPOINT_ALREADY_SET);
158 *pdp = DIST_POINT_NAME_new();
164 (*pdp)->name.fullname = fnm;
169 (*pdp)->name.relativename = rnm;
176 sk_GENERAL_NAME_pop_free(fnm, GENERAL_NAME_free);
178 sk_X509_NAME_ENTRY_pop_free(rnm, X509_NAME_ENTRY_free);
182 static const BIT_STRING_BITNAME reason_flags[] = {
183 {1, "Key Compromise", "keyCompromise"},
184 {2, "CA Compromise", "CACompromise"},
185 {3, "Affiliation Changed", "affiliationChanged"},
186 {4, "Superseded", "superseded"},
187 {5, "Cessation Of Operation", "cessationOfOperation"},
188 {6, "Certificate Hold", "certificateHold"},
189 {7, "Privilege Withdrawn", "privilegeWithdrawn"},
190 {8, "AA Compromise", "AACompromise"},
194 static int set_reasons(ASN1_BIT_STRING **preas, char *value)
196 STACK_OF(CONF_VALUE) *rsk = NULL;
197 const BIT_STRING_BITNAME *pbn;
200 rsk = X509V3_parse_list(value);
205 for (i = 0; i < sk_CONF_VALUE_num(rsk); i++)
207 bnam = sk_CONF_VALUE_value(rsk, i)->name;
210 *preas = ASN1_BIT_STRING_new();
214 for (pbn = reason_flags; pbn->lname; pbn++)
216 if (!strcmp(pbn->sname, bnam))
218 if (!ASN1_BIT_STRING_set_bit(*preas,
230 sk_CONF_VALUE_pop_free(rsk, X509V3_conf_free);
234 static int print_reasons(BIO *out, const char *rname,
235 ASN1_BIT_STRING *rflags, int indent)
238 const BIT_STRING_BITNAME *pbn;
239 BIO_printf(out, "%*s%s:\n%*s", indent, "", rname, indent + 2, "");
240 for (pbn = reason_flags; pbn->lname; pbn++)
242 if (ASN1_BIT_STRING_get_bit(rflags, pbn->bitnum))
248 BIO_puts(out, pbn->lname);
252 BIO_puts(out, "<EMPTY>\n");
258 static DIST_POINT *crldp_from_section(X509V3_CTX *ctx,
259 STACK_OF(CONF_VALUE) *nval)
263 DIST_POINT *point = NULL;
264 point = DIST_POINT_new();
267 for(i = 0; i < sk_CONF_VALUE_num(nval); i++)
270 cnf = sk_CONF_VALUE_value(nval, i);
271 ret = set_dist_point_name(&point->distpoint, ctx, cnf);
276 if (!strcmp(cnf->name, "reasons"))
278 if (!set_reasons(&point->reasons, cnf->value))
281 else if (!strcmp(cnf->name, "CRLissuer"))
284 gnames_from_sectname(ctx, cnf->value);
285 if (!point->CRLissuer)
295 DIST_POINT_free(point);
299 static void *v2i_crld(X509V3_EXT_METHOD *method,
300 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
302 STACK_OF(DIST_POINT) *crld = NULL;
303 GENERAL_NAMES *gens = NULL;
304 GENERAL_NAME *gen = NULL;
307 if(!(crld = sk_DIST_POINT_new_null())) goto merr;
308 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
310 cnf = sk_CONF_VALUE_value(nval, i);
313 STACK_OF(CONF_VALUE) *dpsect;
314 dpsect = X509V3_get_section(ctx, cnf->name);
317 point = crldp_from_section(ctx, dpsect);
318 X509V3_section_free(ctx, dpsect);
321 if(!sk_DIST_POINT_push(crld, point))
323 DIST_POINT_free(point);
329 if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
331 if(!(gens = GENERAL_NAMES_new()))
333 if(!sk_GENERAL_NAME_push(gens, gen))
336 if(!(point = DIST_POINT_new()))
338 if(!sk_DIST_POINT_push(crld, point))
340 DIST_POINT_free(point);
343 if(!(point->distpoint = DIST_POINT_NAME_new()))
345 point->distpoint->name.fullname = gens;
346 point->distpoint->type = 0;
353 X509V3err(X509V3_F_V2I_CRLD,ERR_R_MALLOC_FAILURE);
355 GENERAL_NAME_free(gen);
356 GENERAL_NAMES_free(gens);
357 sk_DIST_POINT_pop_free(crld, DIST_POINT_free);
361 IMPLEMENT_STACK_OF(DIST_POINT)
362 IMPLEMENT_ASN1_SET_OF(DIST_POINT)
365 ASN1_CHOICE(DIST_POINT_NAME) = {
366 ASN1_IMP_SEQUENCE_OF(DIST_POINT_NAME, name.fullname, GENERAL_NAME, 0),
367 ASN1_IMP_SET_OF(DIST_POINT_NAME, name.relativename, X509_NAME_ENTRY, 1)
368 } ASN1_CHOICE_END(DIST_POINT_NAME)
370 IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT_NAME)
372 ASN1_SEQUENCE(DIST_POINT) = {
373 ASN1_EXP_OPT(DIST_POINT, distpoint, DIST_POINT_NAME, 0),
374 ASN1_IMP_OPT(DIST_POINT, reasons, ASN1_BIT_STRING, 1),
375 ASN1_IMP_SEQUENCE_OF_OPT(DIST_POINT, CRLissuer, GENERAL_NAME, 2)
376 } ASN1_SEQUENCE_END(DIST_POINT)
378 IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT)
380 ASN1_ITEM_TEMPLATE(CRL_DIST_POINTS) =
381 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CRLDistributionPoints, DIST_POINT)
382 ASN1_ITEM_TEMPLATE_END(CRL_DIST_POINTS)
384 IMPLEMENT_ASN1_FUNCTIONS(CRL_DIST_POINTS)
386 ASN1_SEQUENCE(ISSUING_DIST_POINT) = {
387 ASN1_EXP_OPT(ISSUING_DIST_POINT, distpoint, DIST_POINT_NAME, 0),
388 ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyuser, ASN1_FBOOLEAN, 1),
389 ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyCA, ASN1_FBOOLEAN, 2),
390 ASN1_IMP_OPT(ISSUING_DIST_POINT, onlysomereasons, ASN1_BIT_STRING, 3),
391 ASN1_IMP_OPT(ISSUING_DIST_POINT, indirectCRL, ASN1_FBOOLEAN, 4),
392 ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyattr, ASN1_FBOOLEAN, 5)
393 } ASN1_SEQUENCE_END(ISSUING_DIST_POINT)
395 IMPLEMENT_ASN1_FUNCTIONS(ISSUING_DIST_POINT)
397 static int i2r_idp(X509V3_EXT_METHOD *method,
398 void *pidp, BIO *out, int indent);
399 static void *v2i_idp(X509V3_EXT_METHOD *method,
400 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
402 X509V3_EXT_METHOD v3_idp =
404 NID_issuing_distribution_point, X509V3_EXT_MULTILINE,
405 ASN1_ITEM_ref(ISSUING_DIST_POINT),
414 static void *v2i_idp(X509V3_EXT_METHOD *method,
415 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
417 ISSUING_DIST_POINT *idp = NULL;
421 idp = ISSUING_DIST_POINT_new();
424 for(i = 0; i < sk_CONF_VALUE_num(nval); i++)
426 cnf = sk_CONF_VALUE_value(nval, i);
429 ret = set_dist_point_name(&idp->distpoint, ctx, cnf);
434 if (!strcmp(name, "onlyuser"))
436 if (!X509V3_get_value_bool(cnf, &idp->onlyuser))
439 else if (!strcmp(name, "onlyCA"))
441 if (!X509V3_get_value_bool(cnf, &idp->onlyCA))
444 else if (!strcmp(name, "onlyAA"))
446 if (!X509V3_get_value_bool(cnf, &idp->onlyattr))
449 else if (!strcmp(name, "indirectCRL"))
451 if (!X509V3_get_value_bool(cnf, &idp->indirectCRL))
454 else if (!strcmp(name, "onlysomereasons"))
456 if (!set_reasons(&idp->onlysomereasons, val))
461 X509V3err(X509V3_F_V2I_IDP, X509V3_R_INVALID_NAME);
462 X509V3_conf_err(cnf);
469 X509V3err(X509V3_F_V2I_IDP,ERR_R_MALLOC_FAILURE);
471 ISSUING_DIST_POINT_free(idp);
475 static int print_gens(BIO *out, STACK_OF(GENERAL_NAME) *gens, int indent)
478 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
480 BIO_printf(out, "%*s", indent + 2, "");
481 GENERAL_NAME_print(out, sk_GENERAL_NAME_value(gens, i));
487 static int print_distpoint(BIO *out, DIST_POINT_NAME *dpn, int indent)
491 BIO_printf(out, "%*sFull Name:\n", indent, "");
492 print_gens(out, dpn->name.fullname, indent);
497 ntmp.entries = dpn->name.relativename;
498 BIO_printf(out, "%*sRelative Name:\n%*s",
499 indent, "", indent + 2, "");
500 X509_NAME_print_ex(out, &ntmp, 0, XN_FLAG_ONELINE);
506 static int i2r_idp(X509V3_EXT_METHOD *method, void *pidp, BIO *out, int indent)
508 ISSUING_DIST_POINT *idp = pidp;
510 print_distpoint(out, idp->distpoint, indent);
511 if (idp->onlyuser > 0)
512 BIO_printf(out, "%*sOnly User Certificates\n", indent, "");
514 BIO_printf(out, "%*sOnly CA Certificates\n", indent, "");
515 if (idp->indirectCRL > 0)
516 BIO_printf(out, "%*sIndirect CRL\n", indent, "");
517 if (idp->onlysomereasons)
518 print_reasons(out, "Only Some Reasons",
519 idp->onlysomereasons, indent);
520 if (idp->onlyattr > 0)
521 BIO_printf(out, "%*sOnly Attribute Certificates\n", indent, "");
522 if (!idp->distpoint && (idp->onlyuser <= 0) && (idp->onlyCA <= 0)
523 && (idp->indirectCRL <= 0) && !idp->onlysomereasons
524 && (idp->onlyattr <= 0))
525 BIO_printf(out, "%*s<EMPTY>\n", indent, "");
530 static int i2r_crldp(X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
533 STACK_OF(DIST_POINT) *crld = pcrldp;
536 for(i = 0; i < sk_DIST_POINT_num(crld); i++)
539 point = sk_DIST_POINT_value(crld, i);
541 print_distpoint(out, point->distpoint, indent);
543 print_reasons(out, "Reasons", point->reasons,
547 BIO_printf(out, "%*sCRL Issuer:\n", indent, "");
548 print_gens(out, point->CRLissuer, indent);