Support for policy constraints.

author: Dr. Stephen Henson <steve@openssl.org> 2003-03-21 16:26:20 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2003-03-21 16:26:20 +0000
commit: f80153e20b9db5f0e18db6a259f8bdb88ff79273 (patch)
tree: 1b2b2938ff2b39e0667f1b2397d35d9994f54e8c
parent: 33b34a9d8fd187fdcf36a2d3d7a3f56fee92ef27 (diff)
7 files changed, 156 insertions, 4 deletions
diff --git a/CHANGES b/CHANGES
index a03875767c..1cea4962c9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,9 @@
 
  Changes between 0.9.7a and 0.9.8  [xx XXX xxxx]
 
+  *) Support for policyConstraints certificate extension.
+     [Steve Henson]
+
   *) Support for policyMappings certificate extension.
      [Steve Henson]
 
diff --git a/crypto/x509v3/Makefile.ssl b/crypto/x509v3/Makefile.ssl
index a353fec25b..3167b8ba3e 100644
--- a/crypto/x509v3/Makefile.ssl
+++ b/crypto/x509v3/Makefile.ssl
@@ -26,11 +26,11 @@ LIB=$(TOP)/libcrypto.a
 LIBSRC=	v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c v3_lib.c \
 v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c v3_pku.c \
 v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \
-v3_ocsp.c v3_akeya.c v3_pmaps.c
+v3_ocsp.c v3_akeya.c v3_pmaps.c v3_pcons.c
 LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \
 v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \
 v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o v3_purp.o v3_info.o \
-v3_ocsp.o v3_akeya.o v3_pmaps.o
+v3_ocsp.o v3_akeya.o v3_pmaps.o v3_pcons.o
 
 SRC= $(LIBSRC)
 
diff --git a/crypto/x509v3/ext_dat.h b/crypto/x509v3/ext_dat.h
index 4c801c2c1d..1e005c229c 100644
--- a/crypto/x509v3/ext_dat.h
+++ b/crypto/x509v3/ext_dat.h
@@ -64,7 +64,7 @@ extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate, v3_cpols, v3
 extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
 extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
 extern X509V3_EXT_METHOD v3_crl_hold;
-extern X509V3_EXT_METHOD v3_policy_mappings;
+extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
 
 /* This table will be searched using OBJ_bsearch so it *must* kept in
  * order of the ext_nid values.
@@ -105,6 +105,7 @@ static X509V3_EXT_METHOD *standard_exts[] = {
 &v3_ocsp_serviceloc,
 #endif
 &v3_sinfo,
+&v3_policy_constraints,
 #ifndef OPENSSL_NO_OCSP
 &v3_crl_hold,
 #endif
diff --git a/crypto/x509v3/v3_conf.c b/crypto/x509v3/v3_conf.c
index eeb365b081..7e813db0d7 100644
--- a/crypto/x509v3/v3_conf.c
+++ b/crypto/x509v3/v3_conf.c
@@ -134,7 +134,7 @@ static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
 		{
 		if(*value == '@') nval = NCONF_get_section(conf, value + 1);
 		else nval = X509V3_parse_list(value);
-		if(!nval)
+		if(sk_CONF_VALUE_num(nval) <= 0)
 			{
 			X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_INVALID_EXTENSION_STRING);
 			ERR_add_error_data(4, "name=", OBJ_nid2sn(ext_nid), ",section=", value);
diff --git a/crypto/x509v3/v3_pcons.c b/crypto/x509v3/v3_pcons.c
new file mode 100644
index 0000000000..10d2120c33
--- /dev/null
+++ b/crypto/x509v3/v3_pcons.c
@@ -0,0 +1,136 @@
+/* v3_pcons.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static STACK_OF(CONF_VALUE) *i2v_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,
+				void *bcons, STACK_OF(CONF_VALUE) *extlist);
+static void *v2i_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,
+				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
+
+X509V3_EXT_METHOD v3_policy_constraints = {
+NID_policy_constraints, 0,
+ASN1_ITEM_ref(POLICY_CONSTRAINTS),
+0,0,0,0,
+0,0,
+i2v_POLICY_CONSTRAINTS,
+v2i_POLICY_CONSTRAINTS,
+NULL,NULL,
+NULL
+};
+
+ASN1_SEQUENCE(POLICY_CONSTRAINTS) = {
+	ASN1_OPT(POLICY_CONSTRAINTS, requireExplicitPolicy, ASN1_INTEGER),
+	ASN1_OPT(POLICY_CONSTRAINTS, inhibitPolicyMapping, ASN1_INTEGER)
+} ASN1_SEQUENCE_END(POLICY_CONSTRAINTS)
+
+IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
+
+
+static STACK_OF(CONF_VALUE) *i2v_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,
+	     void *a, STACK_OF(CONF_VALUE) *extlist)
+{
+	POLICY_CONSTRAINTS *pcons = a;
+	X509V3_add_value_int("Require Explicit Policy",
+			pcons->requireExplicitPolicy, &extlist);
+	X509V3_add_value_int("Inhibit Policy Mapping",
+			pcons->inhibitPolicyMapping, &extlist);
+	return extlist;
+}
+
+static void *v2i_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,
+	     X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values)
+{
+	POLICY_CONSTRAINTS *pcons=NULL;
+	CONF_VALUE *val;
+	int i;
+	if(!(pcons = POLICY_CONSTRAINTS_new())) {
+		X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	for(i = 0; i < sk_CONF_VALUE_num(values); i++) {
+		val = sk_CONF_VALUE_value(values, i);
+		if(!strcmp(val->name, "requireExplicitPolicy")) {
+			if(!X509V3_get_value_int(val,
+				&pcons->requireExplicitPolicy)) goto err;
+		} else if(!strcmp(val->name, "inhibitPolicyMapping")) {
+			if(!X509V3_get_value_int(val,
+				&pcons->inhibitPolicyMapping)) goto err;
+		} else {
+			X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, X509V3_R_INVALID_NAME);
+			X509V3_conf_err(val);
+			goto err;
+		}
+	}
+	if (!pcons->inhibitPolicyMapping && !pcons->requireExplicitPolicy) {
+		X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, X509V3_R_ILLEGAL_EMPTY_EXTENSION);
+		goto err;
+	}
+
+	return pcons;
+	err:
+	POLICY_CONSTRAINTS_free(pcons);
+	return NULL;
+}
+
diff --git a/crypto/x509v3/v3err.c b/crypto/x509v3/v3err.c
index 80b821dda1..a4c8e59ef1 100644
--- a/crypto/x509v3/v3err.c
+++ b/crypto/x509v3/v3err.c
@@ -98,6 +98,7 @@ static ERR_STRING_DATA X509V3_str_functs[]=
 {ERR_PACK(0,X509V3_F_V2I_EXT_KU,0),	"V2I_EXT_KU"},
 {ERR_PACK(0,X509V3_F_V2I_GENERAL_NAME,0),	"v2i_GENERAL_NAME"},
 {ERR_PACK(0,X509V3_F_V2I_GENERAL_NAMES,0),	"v2i_GENERAL_NAMES"},
+{ERR_PACK(0,X509V3_F_V2I_POLICY_CONSTRAINTS,0),	"V2I_POLICY_CONSTRAINTS"},
 {ERR_PACK(0,X509V3_F_V2I_POLICY_MAPPINGS,0),	"V2I_POLICY_MAPPINGS"},
 {ERR_PACK(0,X509V3_F_V3_GENERIC_EXTENSION,0),	"V3_GENERIC_EXTENSION"},
 {ERR_PACK(0,X509V3_F_X509V3_ADD_I2D,0),	"X509V3_ADD_I2D"},
@@ -132,6 +133,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {X509V3_R_EXTENSION_NOT_FOUND            ,"extension not found"},
 {X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED,"extension setting not supported"},
 {X509V3_R_EXTENSION_VALUE_ERROR          ,"extension value error"},
+{X509V3_R_ILLEGAL_EMPTY_EXTENSION        ,"illegal empty extension"},
 {X509V3_R_ILLEGAL_HEX_DIGIT              ,"illegal hex digit"},
 {X509V3_R_INVALID_BOOLEAN_STRING         ,"invalid boolean string"},
 {X509V3_R_INVALID_EXTENSION_STRING       ,"invalid extension string"},
diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h
index 2cbe1b9632..65c74cbff7 100644
--- a/crypto/x509v3/x509v3.h
+++ b/crypto/x509v3/x509v3.h
@@ -295,6 +295,11 @@ DECLARE_STACK_OF(POLICY_MAPPING)
 
 typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS;
 
+typedef struct POLICY_CONSTRAINTS_st {
+	ASN1_INTEGER *requireExplicitPolicy;
+	ASN1_INTEGER *inhibitPolicyMapping;
+} POLICY_CONSTRAINTS;
+
 #define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \
 ",name:", val->name, ",value:", val->value);
 
@@ -468,6 +473,9 @@ DECLARE_ASN1_ITEM(POLICY_MAPPING)
 DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING)
 DECLARE_ASN1_ITEM(POLICY_MAPPINGS)
 
+DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
+DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS)
+
 #ifdef HEADER_CONF_H
 GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, CONF_VALUE *cnf);
 void X509V3_conf_free(CONF_VALUE *val);
@@ -605,6 +613,7 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_F_V2I_EXT_KU				 103
 #define X509V3_F_V2I_GENERAL_NAME			 117
 #define X509V3_F_V2I_GENERAL_NAMES			 118
+#define X509V3_F_V2I_POLICY_CONSTRAINTS			 146
 #define X509V3_F_V2I_POLICY_MAPPINGS			 145
 #define X509V3_F_V3_GENERIC_EXTENSION			 116
 #define X509V3_F_X509V3_ADD_I2D				 140
@@ -636,6 +645,7 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_R_EXTENSION_NOT_FOUND			 102
 #define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED	 103
 #define X509V3_R_EXTENSION_VALUE_ERROR			 116
+#define X509V3_R_ILLEGAL_EMPTY_EXTENSION		 151
 #define X509V3_R_ILLEGAL_HEX_DIGIT			 113
 #define X509V3_R_INVALID_BOOLEAN_STRING			 104
 #define X509V3_R_INVALID_EXTENSION_STRING		 105
author	Dr. Stephen Henson <steve@openssl.org>	2003-03-21 16:26:20 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2003-03-21 16:26:20 +0000
commit	f80153e20b9db5f0e18db6a259f8bdb88ff79273 (patch)
tree	1b2b2938ff2b39e0667f1b2397d35d9994f54e8c
parent	33b34a9d8fd187fdcf36a2d3d7a3f56fee92ef27 (diff)