crypto/x509v3/v3_akey.c

   1 /*
   2  * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the OpenSSL license (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include <stdio.h>
  11 #include "internal/cryptlib.h"
  12 #include <openssl/conf.h>
  13 #include <openssl/asn1.h>
  14 #include <openssl/asn1t.h>
  15 #include <openssl/x509v3.h>
  16 #include "ext_dat.h"
  17
  18 static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
  19                                                  AUTHORITY_KEYID *akeyid,
  20                                                  STACK_OF(CONF_VALUE)
  21                                                  *extlist);
  22 static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
  23                                             X509V3_CTX *ctx,
  24                                             STACK_OF(CONF_VALUE) *values);
  25
  26 const X509V3_EXT_METHOD v3_akey_id = {
  27     NID_authority_key_identifier,
  28     X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_KEYID),
  29     0, 0, 0, 0,
  30     0, 0,
  31     (X509V3_EXT_I2V) i2v_AUTHORITY_KEYID,
  32     (X509V3_EXT_V2I)v2i_AUTHORITY_KEYID,
  33     0, 0,
  34     NULL
  35 };
  36
  37 static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
  38                                                  AUTHORITY_KEYID *akeyid,
  39                                                  STACK_OF(CONF_VALUE)
  40                                                  *extlist)
  41 {
  42     char *tmp = NULL;
  43     STACK_OF(CONF_VALUE) *origextlist = extlist, *tmpextlist;
  44
  45     if (akeyid->keyid) {
  46         tmp = OPENSSL_buf2hexstr(akeyid->keyid->data, akeyid->keyid->length);
  47         if (tmp == NULL) {
  48             X509V3err(X509V3_F_I2V_AUTHORITY_KEYID, ERR_R_MALLOC_FAILURE);
  49             return NULL;
  50         }
  51         if (!X509V3_add_value("keyid", tmp, &extlist)) {
  52             OPENSSL_free(tmp);
  53             X509V3err(X509V3_F_I2V_AUTHORITY_KEYID, ERR_R_X509_LIB);
  54             goto err;
  55         }
  56         OPENSSL_free(tmp);
  57     }
  58     if (akeyid->issuer) {
  59         tmpextlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);
  60         if (tmpextlist == NULL) {
  61             X509V3err(X509V3_F_I2V_AUTHORITY_KEYID, ERR_R_X509_LIB);
  62             goto err;
  63         }
  64         extlist = tmpextlist;
  65     }
  66     if (akeyid->serial) {
  67         tmp = OPENSSL_buf2hexstr(akeyid->serial->data, akeyid->serial->length);
  68         if (tmp == NULL) {
  69             X509V3err(X509V3_F_I2V_AUTHORITY_KEYID, ERR_R_MALLOC_FAILURE);
  70             goto err;
  71         }
  72         if (!X509V3_add_value("serial", tmp, &extlist)) {
  73             OPENSSL_free(tmp);
  74             X509V3err(X509V3_F_I2V_AUTHORITY_KEYID, ERR_R_X509_LIB);
  75             goto err;
  76         }
  77         OPENSSL_free(tmp);
  78     }
  79     return extlist;
  80  err:
  81     if (origextlist == NULL)
  82         sk_CONF_VALUE_pop_free(extlist, X509V3_conf_free);
  83     return NULL;
  84 }
  85
  86 /*-
  87  * Currently two options:
  88  * keyid: use the issuers subject keyid, the value 'always' means its is
  89  * an error if the issuer certificate doesn't have a key id.
  90  * issuer: use the issuers cert issuer and serial number. The default is
  91  * to only use this if keyid is not present. With the option 'always'
  92  * this is always included.
  93  */
  94
  95 static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
  96                                             X509V3_CTX *ctx,
  97                                             STACK_OF(CONF_VALUE) *values)
  98 {
  99     char keyid = 0, issuer = 0;
 100     int i;
 101     CONF_VALUE *cnf;
 102     ASN1_OCTET_STRING *ikeyid = NULL;
 103     X509_NAME *isname = NULL;
 104     GENERAL_NAMES *gens = NULL;
 105     GENERAL_NAME *gen = NULL;
 106     ASN1_INTEGER *serial = NULL;
 107     X509_EXTENSION *ext;
 108     X509 *cert;
 109     AUTHORITY_KEYID *akeyid;
 110
 111     for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
 112         cnf = sk_CONF_VALUE_value(values, i);
 113         if (strcmp(cnf->name, "keyid") == 0) {
 114             keyid = 1;
 115             if (cnf->value && strcmp(cnf->value, "always") == 0)
 116                 keyid = 2;
 117         } else if (strcmp(cnf->name, "issuer") == 0) {
 118             issuer = 1;
 119             if (cnf->value && strcmp(cnf->value, "always") == 0)
 120                 issuer = 2;
 121         } else {
 122             X509V3err(X509V3_F_V2I_AUTHORITY_KEYID, X509V3_R_UNKNOWN_OPTION);
 123             ERR_add_error_data(2, "name=", cnf->name);
 124             return NULL;
 125         }
 126     }
 127
 128     if (!ctx || !ctx->issuer_cert) {
 129         if (ctx && (ctx->flags == CTX_TEST))
 130             return AUTHORITY_KEYID_new();
 131         X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,
 132                   X509V3_R_NO_ISSUER_CERTIFICATE);
 133         return NULL;
 134     }
 135
 136     cert = ctx->issuer_cert;
 137
 138     if (keyid) {
 139         i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
 140         if ((i >= 0) && (ext = X509_get_ext(cert, i)))
 141             ikeyid = X509V3_EXT_d2i(ext);
 142         if (keyid == 2 && !ikeyid) {
 143             X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,
 144                       X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);
 145             return NULL;
 146         }
 147     }
 148
 149     if ((issuer && !ikeyid) || (issuer == 2)) {
 150         isname = X509_NAME_dup(X509_get_issuer_name(cert));
 151         serial = ASN1_INTEGER_dup(X509_get_serialNumber(cert));
 152         if (!isname || !serial) {
 153             X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,
 154                       X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
 155             goto err;
 156         }
 157     }
 158
 159     if ((akeyid = AUTHORITY_KEYID_new()) == NULL)
 160         goto err;
 161
 162     if (isname) {
 163         if ((gens = sk_GENERAL_NAME_new_null()) == NULL
 164             || (gen = GENERAL_NAME_new()) == NULL
 165             || !sk_GENERAL_NAME_push(gens, gen)) {
 166             X509V3err(X509V3_F_V2I_AUTHORITY_KEYID, ERR_R_MALLOC_FAILURE);
 167             goto err;
 168         }
 169         gen->type = GEN_DIRNAME;
 170         gen->d.dirn = isname;
 171     }
 172
 173     akeyid->issuer = gens;
 174     gen = NULL;
 175     gens = NULL;
 176     akeyid->serial = serial;
 177     akeyid->keyid = ikeyid;
 178
 179     return akeyid;
 180
 181  err:
 182     sk_GENERAL_NAME_free(gens);
 183     GENERAL_NAME_free(gen);
 184     X509_NAME_free(isname);
 185     ASN1_INTEGER_free(serial);
 186     ASN1_OCTET_STRING_free(ikeyid);
 187     return NULL;
 188 }