/src/boringssl/crypto/x509v3/v3_akey.c

Source (jump to first uncovered line)
/*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
 * 1999.
 */
/* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com). */

#include <stdio.h>
#include <string.h>

#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/conf.h>
#include <openssl/err.h>
#include <openssl/mem.h>
#include <openssl/obj.h>
#include <openssl/x509v3.h>

#include "internal.h"


static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(
    const X509V3_EXT_METHOD *method, void *ext, STACK_OF(CONF_VALUE) *extlist);
static void *v2i_AUTHORITY_KEYID(const X509V3_EXT_METHOD *method,
                                 const X509V3_CTX *ctx,
                                 const STACK_OF(CONF_VALUE) *values);

const X509V3_EXT_METHOD v3_akey_id = {
    NID_authority_key_identifier,
    X509V3_EXT_MULTILINE,
    ASN1_ITEM_ref(AUTHORITY_KEYID),
    0,
    0,
    0,
    0,
    0,
    0,
    i2v_AUTHORITY_KEYID,
    v2i_AUTHORITY_KEYID,
    0,
    0,
    NULL,
};

static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(
    const X509V3_EXT_METHOD *method, void *ext, STACK_OF(CONF_VALUE) *extlist) {
  const AUTHORITY_KEYID *akeyid = ext;
  int extlist_was_null = extlist == NULL;
  if (akeyid->keyid) {
    char *tmp = x509v3_bytes_to_hex(akeyid->keyid->data, akeyid->keyid->length);
    int ok = tmp != NULL && X509V3_add_value("keyid", tmp, &extlist);
    OPENSSL_free(tmp);
    if (!ok) {
      goto err;
    }
  }
  if (akeyid->issuer) {
    STACK_OF(CONF_VALUE) *tmpextlist =
        i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);
    if (tmpextlist == NULL) {
      goto err;
    }
    extlist = tmpextlist;
  }
  if (akeyid->serial) {
    if (!X509V3_add_value_int("serial", akeyid->serial, &extlist)) {
      goto err;
    }
  }
  return extlist;

err:
  if (extlist_was_null) {
    sk_CONF_VALUE_pop_free(extlist, X509V3_conf_free);
  }
  return NULL;
}

// Currently two options: keyid: use the issuers subject keyid, the value
// 'always' means its is an error if the issuer certificate doesn't have a
// key id. issuer: use the issuers cert issuer and serial number. The default
// is to only use this if keyid is not present. With the option 'always' this
// is always included.

static void *v2i_AUTHORITY_KEYID(const X509V3_EXT_METHOD *method,
                                 const X509V3_CTX *ctx,
                                 const STACK_OF(CONF_VALUE) *values) {
  char keyid = 0, issuer = 0;
  int j;
  ASN1_OCTET_STRING *ikeyid = NULL;
  X509_NAME *isname = NULL;
  GENERAL_NAMES *gens = NULL;
  GENERAL_NAME *gen = NULL;
  ASN1_INTEGER *serial = NULL;
  const X509 *cert;
  AUTHORITY_KEYID *akeyid;

  for (size_t i = 0; i < sk_CONF_VALUE_num(values); i++) {
    const CONF_VALUE *cnf = sk_CONF_VALUE_value(values, i);
    if (!strcmp(cnf->name, "keyid")) {
      keyid = 1;
      if (cnf->value && !strcmp(cnf->value, "always")) {
        keyid = 2;
      }
    } else if (!strcmp(cnf->name, "issuer")) {
      issuer = 1;
      if (cnf->value && !strcmp(cnf->value, "always")) {
        issuer = 2;
      }
    } else {
      OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNKNOWN_OPTION);
      ERR_add_error_data(2, "name=", cnf->name);
      return NULL;
    }
  }

  if (!ctx || !ctx->issuer_cert) {
    if (ctx && (ctx->flags == X509V3_CTX_TEST)) {
      return AUTHORITY_KEYID_new();
    }
    OPENSSL_PUT_ERROR(X509V3, X509V3_R_NO_ISSUER_CERTIFICATE);
    return NULL;
  }

  cert = ctx->issuer_cert;

  if (keyid) {
    j = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
    const X509_EXTENSION *ext;
    if ((j >= 0) && (ext = X509_get_ext(cert, j))) {
      ikeyid = X509V3_EXT_d2i(ext);
    }
    if (keyid == 2 && !ikeyid) {
      OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);
      return NULL;
    }
  }

  if ((issuer && !ikeyid) || (issuer == 2)) {
    isname = X509_NAME_dup(X509_get_issuer_name(cert));
    serial = ASN1_INTEGER_dup(X509_get0_serialNumber(cert));
    if (!isname || !serial) {
      OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
      goto err;
    }
  }

  if (!(akeyid = AUTHORITY_KEYID_new())) {
    goto err;
  }

  if (isname) {
    if (!(gens = sk_GENERAL_NAME_new_null()) || !(gen = GENERAL_NAME_new()) ||
        !sk_GENERAL_NAME_push(gens, gen)) {
      goto err;
    }
    gen->type = GEN_DIRNAME;
    gen->d.dirn = isname;
  }

  akeyid->issuer = gens;
  akeyid->serial = serial;
  akeyid->keyid = ikeyid;

  return akeyid;

err:
  X509_NAME_free(isname);
  ASN1_INTEGER_free(serial);
  ASN1_OCTET_STRING_free(ikeyid);
  return NULL;
}

Coverage Report

Created: 2023-06-07 07:13

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
3		* 1999.
4		*/
5		/* ====================================================================
6		* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7		*
8		* Redistribution and use in source and binary forms, with or without
9		* modification, are permitted provided that the following conditions
10		* are met:
11		*
12		* 1. Redistributions of source code must retain the above copyright
13		* notice, this list of conditions and the following disclaimer.
14		*
15		* 2. Redistributions in binary form must reproduce the above copyright
16		* notice, this list of conditions and the following disclaimer in
17		* the documentation and/or other materials provided with the
18		* distribution.
19		*
20		* 3. All advertising materials mentioning features or use of this
21		* software must display the following acknowledgment:
22		* "This product includes software developed by the OpenSSL Project
23		* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24		*
25		* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26		* endorse or promote products derived from this software without
27		* prior written permission. For written permission, please contact
28		* licensing@OpenSSL.org.
29		*
30		* 5. Products derived from this software may not be called "OpenSSL"
31		* nor may "OpenSSL" appear in their names without prior written
32		* permission of the OpenSSL Project.
33		*
34		* 6. Redistributions of any form whatsoever must retain the following
35		* acknowledgment:
36		* "This product includes software developed by the OpenSSL Project
37		* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38		*
39		* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40		* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41		* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42		* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43		* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44		* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45		* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46		* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47		* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48		* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49		* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50		* OF THE POSSIBILITY OF SUCH DAMAGE.
51		* ====================================================================
52		*
53		* This product includes cryptographic software written by Eric Young
54		* (eay@cryptsoft.com). This product includes software written by Tim
55		* Hudson (tjh@cryptsoft.com). */
56
57		#include <stdio.h>
58		#include <string.h>
59
60		#include <openssl/asn1.h>
61		#include <openssl/asn1t.h>
62		#include <openssl/conf.h>
63		#include <openssl/err.h>
64		#include <openssl/mem.h>
65		#include <openssl/obj.h>
66		#include <openssl/x509v3.h>
67
68		#include "internal.h"
69
70
71		static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(
72		const X509V3_EXT_METHOD method, void ext, STACK_OF(CONF_VALUE) *extlist);
73		static void v2i_AUTHORITY_KEYID(const X509V3_EXT_METHOD method,
74		const X509V3_CTX *ctx,
75		const STACK_OF(CONF_VALUE) *values);
76
77		const X509V3_EXT_METHOD v3_akey_id = {
78		NID_authority_key_identifier,
79		X509V3_EXT_MULTILINE,
80		ASN1_ITEM_ref(AUTHORITY_KEYID),
81		0,
82		0,
83		0,
84		0,
85		0,
86		0,
87		i2v_AUTHORITY_KEYID,
88		v2i_AUTHORITY_KEYID,
89		0,
90		0,
91		NULL,
92		};
93
94		static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(
95	353	const X509V3_EXT_METHOD method, void ext, STACK_OF(CONF_VALUE) *extlist) {
96	353	const AUTHORITY_KEYID *akeyid = ext;
97	353	int extlist_was_null = extlist == NULL;
98	353	if (akeyid->keyid) {
99	185	char *tmp = x509v3_bytes_to_hex(akeyid->keyid->data, akeyid->keyid->length);
100	185	int ok = tmp != NULL && X509V3_add_value("keyid", tmp, &extlist);
101	185	OPENSSL_free(tmp);
102	185	if (!ok) {
103	0	goto err;
104	0	}
105	185	}
106	353	if (akeyid->issuer) {
107	182	STACK_OF(CONF_VALUE) *tmpextlist =
108	182	i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);
109	182	if (tmpextlist == NULL) {
110	50	goto err;
111	50	}
112	132	extlist = tmpextlist;
113	132	}
114	303	if (akeyid->serial) {
115	145	if (!X509V3_add_value_int("serial", akeyid->serial, &extlist)) {
116	0	goto err;
117	0	}
118	145	}
119	303	return extlist;
120
121	50	err:
122	50	if (extlist_was_null) {
123	50	sk_CONF_VALUE_pop_free(extlist, X509V3_conf_free);
124	50	}
125	50	return NULL;
126	303	}
127
128		// Currently two options: keyid: use the issuers subject keyid, the value
129		// 'always' means its is an error if the issuer certificate doesn't have a
130		// key id. issuer: use the issuers cert issuer and serial number. The default
131		// is to only use this if keyid is not present. With the option 'always' this
132		// is always included.
133
134		static void v2i_AUTHORITY_KEYID(const X509V3_EXT_METHOD method,
135		const X509V3_CTX *ctx,
136	455	const STACK_OF(CONF_VALUE) *values) {
137	455	char keyid = 0, issuer = 0;
138	455	int j;
139	455	ASN1_OCTET_STRING *ikeyid = NULL;
140	455	X509_NAME *isname = NULL;
141	455	GENERAL_NAMES *gens = NULL;
142	455	GENERAL_NAME *gen = NULL;
143	455	ASN1_INTEGER *serial = NULL;
144	455	const X509 *cert;
145	455	AUTHORITY_KEYID *akeyid;
146
147	3.07k	for (size_t i = 0; i < sk_CONF_VALUE_num(values); i++) {
148	2.79k	const CONF_VALUE *cnf = sk_CONF_VALUE_value(values, i);
149	2.79k	if (!strcmp(cnf->name, "keyid")) {
150	1.29k	keyid = 1;
151	1.29k	if (cnf->value && !strcmp(cnf->value, "always")) {
152	317	keyid = 2;
153	317	}
154	1.50k	} else if (!strcmp(cnf->name, "issuer")) {
155	1.32k	issuer = 1;
156	1.32k	if (cnf->value && !strcmp(cnf->value, "always")) {
157	208	issuer = 2;
158	208	}
159	1.32k	} else {
160	178	OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNKNOWN_OPTION);
161	178	ERR_add_error_data(2, "name=", cnf->name);
162	178	return NULL;
163	178	}
164	2.79k	}
165
166	277	if (!ctx \|\| !ctx->issuer_cert) {
167	141	if (ctx && (ctx->flags == X509V3_CTX_TEST)) {
168	0	return AUTHORITY_KEYID_new();
169	0	}
170	141	OPENSSL_PUT_ERROR(X509V3, X509V3_R_NO_ISSUER_CERTIFICATE);
171	141	return NULL;
172	141	}
173
174	136	cert = ctx->issuer_cert;
175
176	136	if (keyid) {
177	108	j = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
178	108	const X509_EXTENSION *ext;
179	108	if ((j >= 0) && (ext = X509_get_ext(cert, j))) {
180	49	ikeyid = X509V3_EXT_d2i(ext);
181	49	}
182	108	if (keyid == 2 && !ikeyid) {
183	4	OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);
184	4	return NULL;
185	4	}
186	108	}
187
188	132	if ((issuer && !ikeyid) \|\| (issuer == 2)) {
189	42	isname = X509_NAME_dup(X509_get_issuer_name(cert));
190	42	serial = ASN1_INTEGER_dup(X509_get0_serialNumber(cert));
191	42	if (!isname \|\| !serial) {
192	0	OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
193	0	goto err;
194	0	}
195	42	}
196
197	132	if (!(akeyid = AUTHORITY_KEYID_new())) {
198	0	goto err;
199	0	}
200
201	132	if (isname) {
202	42	if (!(gens = sk_GENERAL_NAME_new_null()) \|\| !(gen = GENERAL_NAME_new()) \|\|
203	42	!sk_GENERAL_NAME_push(gens, gen)) {
204	0	goto err;
205	0	}
206	42	gen->type = GEN_DIRNAME;
207	42	gen->d.dirn = isname;
208	42	}
209
210	132	akeyid->issuer = gens;
211	132	akeyid->serial = serial;
212	132	akeyid->keyid = ikeyid;
213
214	132	return akeyid;
215
216	0	err:
217	0	X509_NAME_free(isname);
218	0	ASN1_INTEGER_free(serial);
219	0	ASN1_OCTET_STRING_free(ikeyid);
220	0	return NULL;
221	132	}