xref: /openssl/crypto/x509/x509_acert.c (revision 7ed6de99)
1 /*
2  * Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 #include <string.h>
11 #include <crypto/ctype.h>
12 #include <openssl/asn1t.h>
13 #include <openssl/err.h>
14 #include <openssl/x509.h>
15 #include <openssl/x509v3.h>
16 #include "x509_acert.h"
17 
18 /*
19  * OpenSSL ASN.1 template translation of RFC 5755 4.1.
20  */
21 
22 ASN1_SEQUENCE(OSSL_OBJECT_DIGEST_INFO) = {
23     ASN1_EMBED(OSSL_OBJECT_DIGEST_INFO, digestedObjectType, ASN1_ENUMERATED),
24     ASN1_OPT(OSSL_OBJECT_DIGEST_INFO, otherObjectTypeID, ASN1_OBJECT),
25     ASN1_EMBED(OSSL_OBJECT_DIGEST_INFO, digestAlgorithm, X509_ALGOR),
26     ASN1_EMBED(OSSL_OBJECT_DIGEST_INFO, objectDigest, ASN1_BIT_STRING),
27 } ASN1_SEQUENCE_END(OSSL_OBJECT_DIGEST_INFO)
28 
29 ASN1_SEQUENCE(OSSL_ISSUER_SERIAL) = {
30     ASN1_SEQUENCE_OF(OSSL_ISSUER_SERIAL, issuer, GENERAL_NAME),
31     ASN1_EMBED(OSSL_ISSUER_SERIAL, serial, ASN1_INTEGER),
32     ASN1_OPT(OSSL_ISSUER_SERIAL, issuerUID, ASN1_BIT_STRING),
33 } ASN1_SEQUENCE_END(OSSL_ISSUER_SERIAL)
34 
35 ASN1_SEQUENCE(X509_ACERT_ISSUER_V2FORM) = {
36     ASN1_SEQUENCE_OF_OPT(X509_ACERT_ISSUER_V2FORM, issuerName, GENERAL_NAME),
37     ASN1_IMP_OPT(X509_ACERT_ISSUER_V2FORM, baseCertificateId, OSSL_ISSUER_SERIAL, 0),
38     ASN1_IMP_OPT(X509_ACERT_ISSUER_V2FORM, objectDigestInfo, OSSL_OBJECT_DIGEST_INFO, 1),
39 } ASN1_SEQUENCE_END(X509_ACERT_ISSUER_V2FORM)
40 
41 ASN1_CHOICE(X509_ACERT_ISSUER) = {
42     ASN1_SEQUENCE_OF(X509_ACERT_ISSUER, u.v1Form, GENERAL_NAME),
43     ASN1_IMP(X509_ACERT_ISSUER, u.v2Form, X509_ACERT_ISSUER_V2FORM, 0),
44 } ASN1_CHOICE_END(X509_ACERT_ISSUER)
45 
46 ASN1_SEQUENCE(X509_HOLDER) = {
47     ASN1_IMP_OPT(X509_HOLDER, baseCertificateID, OSSL_ISSUER_SERIAL, 0),
48     ASN1_IMP_SEQUENCE_OF_OPT(X509_HOLDER, entityName, GENERAL_NAME, 1),
49     ASN1_IMP_OPT(X509_HOLDER, objectDigestInfo, OSSL_OBJECT_DIGEST_INFO, 2),
50 } ASN1_SEQUENCE_END(X509_HOLDER)
51 
52 ASN1_SEQUENCE(X509_ACERT_INFO) = {
53     ASN1_EMBED(X509_ACERT_INFO, version, ASN1_INTEGER),
54     ASN1_EMBED(X509_ACERT_INFO, holder, X509_HOLDER),
55     ASN1_EMBED(X509_ACERT_INFO, issuer, X509_ACERT_ISSUER),
56     ASN1_EMBED(X509_ACERT_INFO, signature, X509_ALGOR),
57     ASN1_EMBED(X509_ACERT_INFO, serialNumber, ASN1_INTEGER),
58     ASN1_EMBED(X509_ACERT_INFO, validityPeriod, X509_VAL),
59     ASN1_SEQUENCE_OF(X509_ACERT_INFO, attributes, X509_ATTRIBUTE),
60     ASN1_OPT(X509_ACERT_INFO, issuerUID, ASN1_BIT_STRING),
61     ASN1_SEQUENCE_OF_OPT(X509_ACERT_INFO, extensions, X509_EXTENSION),
62 } ASN1_SEQUENCE_END(X509_ACERT_INFO)
63 
64 ASN1_SEQUENCE(X509_ACERT) = {
65     ASN1_SIMPLE(X509_ACERT, acinfo, X509_ACERT_INFO),
66     ASN1_EMBED(X509_ACERT, sig_alg, X509_ALGOR),
67     ASN1_EMBED(X509_ACERT, signature, ASN1_BIT_STRING),
68 } ASN1_SEQUENCE_END(X509_ACERT)
69 
70 IMPLEMENT_ASN1_FUNCTIONS(X509_ACERT)
71 IMPLEMENT_ASN1_DUP_FUNCTION(X509_ACERT)
72 IMPLEMENT_ASN1_ALLOC_FUNCTIONS(X509_ACERT_INFO)
73 IMPLEMENT_ASN1_ALLOC_FUNCTIONS(OSSL_ISSUER_SERIAL)
74 IMPLEMENT_ASN1_ALLOC_FUNCTIONS(OSSL_OBJECT_DIGEST_INFO)
75 IMPLEMENT_ASN1_ALLOC_FUNCTIONS(X509_ACERT_ISSUER_V2FORM)
76 
77 IMPLEMENT_PEM_rw(X509_ACERT, X509_ACERT, PEM_STRING_ACERT, X509_ACERT)
78 
79 static X509_NAME *get_dirName(const GENERAL_NAMES *names)
80 {
81     GENERAL_NAME *dirName;
82 
83     if (sk_GENERAL_NAME_num(names) != 1)
84         return NULL;
85 
86     dirName = sk_GENERAL_NAME_value(names, 0);
87     if (dirName->type != GEN_DIRNAME)
88         return NULL;
89 
90     return dirName->d.directoryName;
91 }
92 
OSSL_OBJECT_DIGEST_INFO_get0_digest(const OSSL_OBJECT_DIGEST_INFO * o,int * digestedObjectType,const X509_ALGOR ** digestAlgorithm,const ASN1_BIT_STRING ** digest)93 void OSSL_OBJECT_DIGEST_INFO_get0_digest(const OSSL_OBJECT_DIGEST_INFO *o,
94                                          int *digestedObjectType,
95                                          const X509_ALGOR **digestAlgorithm,
96                                          const ASN1_BIT_STRING **digest)
97 {
98     if (digestedObjectType != NULL)
99         *digestedObjectType = ASN1_ENUMERATED_get(&o->digestedObjectType);
100     if (digestAlgorithm != NULL)
101         *digestAlgorithm = &o->digestAlgorithm;
102     if (digest != NULL)
103         *digest = &o->objectDigest;
104 }
105 
OSSL_ISSUER_SERIAL_get0_issuer(const OSSL_ISSUER_SERIAL * isss)106 const X509_NAME *OSSL_ISSUER_SERIAL_get0_issuer(const OSSL_ISSUER_SERIAL *isss)
107 {
108     return get_dirName(isss->issuer);
109 }
110 
OSSL_ISSUER_SERIAL_get0_serial(const OSSL_ISSUER_SERIAL * isss)111 const ASN1_INTEGER *OSSL_ISSUER_SERIAL_get0_serial(const OSSL_ISSUER_SERIAL *isss)
112 {
113     return &isss->serial;
114 }
115 
OSSL_ISSUER_SERIAL_get0_issuerUID(const OSSL_ISSUER_SERIAL * isss)116 const ASN1_BIT_STRING *OSSL_ISSUER_SERIAL_get0_issuerUID(const OSSL_ISSUER_SERIAL *isss)
117 {
118     return isss->issuerUID;
119 }
120 
X509_ACERT_get_version(const X509_ACERT * x)121 long X509_ACERT_get_version(const X509_ACERT *x)
122 {
123     return ASN1_INTEGER_get(&x->acinfo->version);
124 }
125 
X509_ACERT_get0_signature(const X509_ACERT * x,const ASN1_BIT_STRING ** psig,const X509_ALGOR ** palg)126 void X509_ACERT_get0_signature(const X509_ACERT *x,
127                                const ASN1_BIT_STRING **psig,
128                                const X509_ALGOR **palg)
129 {
130     if (psig != NULL)
131         *psig = &x->signature;
132     if (palg != NULL)
133         *palg = &x->sig_alg;
134 }
135 
X509_ACERT_get_signature_nid(const X509_ACERT * x)136 int X509_ACERT_get_signature_nid(const X509_ACERT *x)
137 {
138     return OBJ_obj2nid(x->sig_alg.algorithm);
139 }
140 
X509_ACERT_get0_holder_entityName(const X509_ACERT * x)141 const GENERAL_NAMES *X509_ACERT_get0_holder_entityName(const X509_ACERT *x)
142 {
143     return x->acinfo->holder.entityName;
144 }
145 
X509_ACERT_get0_holder_baseCertId(const X509_ACERT * x)146 const OSSL_ISSUER_SERIAL *X509_ACERT_get0_holder_baseCertId(const X509_ACERT *x)
147 {
148     return x->acinfo->holder.baseCertificateID;
149 }
150 
X509_ACERT_get0_holder_digest(const X509_ACERT * x)151 const OSSL_OBJECT_DIGEST_INFO *X509_ACERT_get0_holder_digest(const X509_ACERT *x)
152 {
153     return x->acinfo->holder.objectDigestInfo;
154 }
155 
X509_ACERT_get0_issuerName(const X509_ACERT * x)156 const X509_NAME *X509_ACERT_get0_issuerName(const X509_ACERT *x)
157 {
158     if (x->acinfo->issuer.type != X509_ACERT_ISSUER_V2
159         || x->acinfo->issuer.u.v2Form == NULL)
160         return NULL;
161 
162     return get_dirName(x->acinfo->issuer.u.v2Form->issuerName);
163 }
164 
X509_ACERT_get0_issuerUID(const X509_ACERT * x)165 const ASN1_BIT_STRING *X509_ACERT_get0_issuerUID(const X509_ACERT *x)
166 {
167     return x->acinfo->issuerUID;
168 }
169 
X509_ACERT_get0_info_sigalg(const X509_ACERT * x)170 const X509_ALGOR *X509_ACERT_get0_info_sigalg(const X509_ACERT *x)
171 {
172     return &x->acinfo->signature;
173 }
174 
X509_ACERT_get0_serialNumber(const X509_ACERT * x)175 const ASN1_INTEGER *X509_ACERT_get0_serialNumber(const X509_ACERT *x)
176 {
177     return &x->acinfo->serialNumber;
178 }
179 
X509_ACERT_get0_notBefore(const X509_ACERT * x)180 const ASN1_GENERALIZEDTIME *X509_ACERT_get0_notBefore(const X509_ACERT *x)
181 {
182     return x->acinfo->validityPeriod.notBefore;
183 }
184 
X509_ACERT_get0_notAfter(const X509_ACERT * x)185 const ASN1_GENERALIZEDTIME *X509_ACERT_get0_notAfter(const X509_ACERT *x)
186 {
187     return x->acinfo->validityPeriod.notAfter;
188 }
189 
190 /* Attribute management functions */
191 
X509_ACERT_get_attr_count(const X509_ACERT * x)192 int X509_ACERT_get_attr_count(const X509_ACERT *x)
193 {
194     return X509at_get_attr_count(x->acinfo->attributes);
195 }
196 
X509_ACERT_get_attr_by_NID(const X509_ACERT * x,int nid,int lastpos)197 int X509_ACERT_get_attr_by_NID(const X509_ACERT *x, int nid, int lastpos)
198 {
199     return X509at_get_attr_by_NID(x->acinfo->attributes, nid, lastpos);
200 }
201 
X509_ACERT_get_attr_by_OBJ(const X509_ACERT * x,const ASN1_OBJECT * obj,int lastpos)202 int X509_ACERT_get_attr_by_OBJ(const X509_ACERT *x, const ASN1_OBJECT *obj,
203                                int lastpos)
204 {
205     return X509at_get_attr_by_OBJ(x->acinfo->attributes, obj, lastpos);
206 }
207 
X509_ACERT_get_attr(const X509_ACERT * x,int loc)208 X509_ATTRIBUTE *X509_ACERT_get_attr(const X509_ACERT *x, int loc)
209 {
210     return X509at_get_attr(x->acinfo->attributes, loc);
211 }
212 
X509_ACERT_delete_attr(X509_ACERT * x,int loc)213 X509_ATTRIBUTE *X509_ACERT_delete_attr(X509_ACERT *x, int loc)
214 {
215     return X509at_delete_attr(x->acinfo->attributes, loc);
216 }
217 
X509_ACERT_add1_attr(X509_ACERT * x,X509_ATTRIBUTE * attr)218 int X509_ACERT_add1_attr(X509_ACERT *x, X509_ATTRIBUTE *attr)
219 {
220     STACK_OF(X509_ATTRIBUTE) **attrs = &x->acinfo->attributes;
221 
222     return X509at_add1_attr(attrs, attr) != NULL;
223 }
224 
X509_ACERT_add1_attr_by_OBJ(X509_ACERT * x,const ASN1_OBJECT * obj,int type,const void * bytes,int len)225 int X509_ACERT_add1_attr_by_OBJ(X509_ACERT *x, const ASN1_OBJECT *obj,
226                                 int type, const void *bytes, int len)
227 {
228     STACK_OF(X509_ATTRIBUTE) **attrs = &x->acinfo->attributes;
229 
230     return X509at_add1_attr_by_OBJ(attrs, obj, type, bytes, len) != NULL;
231 }
232 
X509_ACERT_add1_attr_by_NID(X509_ACERT * x,int nid,int type,const void * bytes,int len)233 int X509_ACERT_add1_attr_by_NID(X509_ACERT *x, int nid, int type,
234                                 const void *bytes, int len)
235 {
236     STACK_OF(X509_ATTRIBUTE) **attrs = &x->acinfo->attributes;
237 
238     return X509at_add1_attr_by_NID(attrs, nid, type, bytes, len) != NULL;
239 }
240 
X509_ACERT_add1_attr_by_txt(X509_ACERT * x,const char * attrname,int type,const unsigned char * bytes,int len)241 int X509_ACERT_add1_attr_by_txt(X509_ACERT *x, const char *attrname, int type,
242                                 const unsigned char *bytes, int len)
243 {
244     STACK_OF(X509_ATTRIBUTE) **attrs = &x->acinfo->attributes;
245 
246     return X509at_add1_attr_by_txt(attrs, attrname, type, bytes, len) != NULL;
247 }
248 
check_asn1_attribute(const char ** value)249 static int check_asn1_attribute(const char **value)
250 {
251     const char *p = *value;
252 
253     if (strncmp(p, "ASN1:", 5) != 0)
254         return 0;
255 
256     p += 5;
257     while (ossl_isspace(*p))
258         p++;
259 
260     *value = p;
261     return 1;
262 }
263 
X509_ACERT_add_attr_nconf(CONF * conf,const char * section,X509_ACERT * acert)264 int X509_ACERT_add_attr_nconf(CONF *conf, const char *section,
265                               X509_ACERT *acert)
266 {
267     int ret = 0, i;
268     STACK_OF(CONF_VALUE) *attr_sk = NCONF_get_section(conf, section);
269 
270     if (attr_sk == NULL)
271         goto err;
272 
273     for (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++) {
274         CONF_VALUE *v = sk_CONF_VALUE_value(attr_sk, i);
275         const char *value = v->value;
276 
277         if (value == NULL) {
278             ERR_raise_data(ERR_LIB_X509, X509_R_INVALID_ATTRIBUTES,
279                            "name=%s,section=%s",v->name, section);
280             goto err;
281         }
282 
283         if (check_asn1_attribute(&value) == 1) {
284             int att_len;
285             unsigned char *att_data = NULL;
286             ASN1_TYPE *asn1 = ASN1_generate_nconf(value, conf);
287 
288             if (asn1 == NULL)
289                 goto err;
290 
291             att_len = i2d_ASN1_TYPE(asn1, &att_data);
292 
293             ret = X509_ACERT_add1_attr_by_txt(acert, v->name, V_ASN1_SEQUENCE,
294                                               att_data, att_len);
295             OPENSSL_free(att_data);
296             ASN1_TYPE_free(asn1);
297 
298             if (!ret)
299                 goto err;
300         } else {
301             ret = X509_ACERT_add1_attr_by_txt(acert, v->name,
302                                               V_ASN1_OCTET_STRING,
303                                               (unsigned char *)value,
304                                               strlen(value));
305             if (!ret)
306                 goto err;
307         }
308     }
309     ret = 1;
310 err:
311     return ret;
312 }
313 
X509_ACERT_get_ext_d2i(const X509_ACERT * x,int nid,int * crit,int * idx)314 void *X509_ACERT_get_ext_d2i(const X509_ACERT *x, int nid, int *crit, int *idx)
315 {
316     return X509V3_get_d2i(x->acinfo->extensions, nid, crit, idx);
317 }
318 
X509_ACERT_add1_ext_i2d(X509_ACERT * x,int nid,void * value,int crit,unsigned long flags)319 int X509_ACERT_add1_ext_i2d(X509_ACERT *x, int nid, void *value, int crit,
320                             unsigned long flags)
321 {
322     return X509V3_add1_i2d(&x->acinfo->extensions, nid, value, crit, flags);
323 }
324 
STACK_OF(X509_EXTENSION)325 const STACK_OF(X509_EXTENSION) *X509_ACERT_get0_extensions(const X509_ACERT *x)
326 {
327     return x->acinfo->extensions;
328 }
329