/src/boringssl/crypto/x509v3/v3_ncons.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
3 | | * project. |
4 | | */ |
5 | | /* ==================================================================== |
6 | | * Copyright (c) 2003 The OpenSSL Project. All rights reserved. |
7 | | * |
8 | | * Redistribution and use in source and binary forms, with or without |
9 | | * modification, are permitted provided that the following conditions |
10 | | * are met: |
11 | | * |
12 | | * 1. Redistributions of source code must retain the above copyright |
13 | | * notice, this list of conditions and the following disclaimer. |
14 | | * |
15 | | * 2. Redistributions in binary form must reproduce the above copyright |
16 | | * notice, this list of conditions and the following disclaimer in |
17 | | * the documentation and/or other materials provided with the |
18 | | * distribution. |
19 | | * |
20 | | * 3. All advertising materials mentioning features or use of this |
21 | | * software must display the following acknowledgment: |
22 | | * "This product includes software developed by the OpenSSL Project |
23 | | * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" |
24 | | * |
25 | | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
26 | | * endorse or promote products derived from this software without |
27 | | * prior written permission. For written permission, please contact |
28 | | * licensing@OpenSSL.org. |
29 | | * |
30 | | * 5. Products derived from this software may not be called "OpenSSL" |
31 | | * nor may "OpenSSL" appear in their names without prior written |
32 | | * permission of the OpenSSL Project. |
33 | | * |
34 | | * 6. Redistributions of any form whatsoever must retain the following |
35 | | * acknowledgment: |
36 | | * "This product includes software developed by the OpenSSL Project |
37 | | * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" |
38 | | * |
39 | | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
40 | | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
41 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
42 | | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
43 | | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
44 | | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
45 | | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
46 | | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
47 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
48 | | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
49 | | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
50 | | * OF THE POSSIBILITY OF SUCH DAMAGE. |
51 | | * ==================================================================== |
52 | | * |
53 | | * This product includes cryptographic software written by Eric Young |
54 | | * (eay@cryptsoft.com). This product includes software written by Tim |
55 | | * Hudson (tjh@cryptsoft.com). */ |
56 | | |
57 | | #include <stdio.h> |
58 | | #include <string.h> |
59 | | |
60 | | #include <openssl/asn1t.h> |
61 | | #include <openssl/conf.h> |
62 | | #include <openssl/err.h> |
63 | | #include <openssl/mem.h> |
64 | | #include <openssl/obj.h> |
65 | | #include <openssl/x509v3.h> |
66 | | |
67 | | #include "../internal.h" |
68 | | #include "../x509/internal.h" |
69 | | |
70 | | |
71 | | static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, |
72 | | const X509V3_CTX *ctx, |
73 | | const STACK_OF(CONF_VALUE) *nval); |
74 | | static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a, |
75 | | BIO *bp, int ind); |
76 | | static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method, |
77 | | STACK_OF(GENERAL_SUBTREE) *trees, BIO *bp, |
78 | | int ind, const char *name); |
79 | | static int print_nc_ipadd(BIO *bp, const ASN1_OCTET_STRING *ip); |
80 | | |
81 | | static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc); |
82 | | static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen); |
83 | | static int nc_dn(X509_NAME *sub, X509_NAME *nm); |
84 | | static int nc_dns(const ASN1_IA5STRING *sub, const ASN1_IA5STRING *dns); |
85 | | static int nc_email(const ASN1_IA5STRING *sub, const ASN1_IA5STRING *eml); |
86 | | static int nc_uri(const ASN1_IA5STRING *uri, const ASN1_IA5STRING *base); |
87 | | |
88 | | const X509V3_EXT_METHOD v3_name_constraints = { |
89 | | NID_name_constraints, |
90 | | 0, |
91 | | ASN1_ITEM_ref(NAME_CONSTRAINTS), |
92 | | 0, |
93 | | 0, |
94 | | 0, |
95 | | 0, |
96 | | 0, |
97 | | 0, |
98 | | 0, |
99 | | v2i_NAME_CONSTRAINTS, |
100 | | i2r_NAME_CONSTRAINTS, |
101 | | 0, |
102 | | NULL, |
103 | | }; |
104 | | |
105 | | ASN1_SEQUENCE(GENERAL_SUBTREE) = { |
106 | | ASN1_SIMPLE(GENERAL_SUBTREE, base, GENERAL_NAME), |
107 | | ASN1_IMP_OPT(GENERAL_SUBTREE, minimum, ASN1_INTEGER, 0), |
108 | | ASN1_IMP_OPT(GENERAL_SUBTREE, maximum, ASN1_INTEGER, 1), |
109 | | } ASN1_SEQUENCE_END(GENERAL_SUBTREE) |
110 | | |
111 | | ASN1_SEQUENCE(NAME_CONSTRAINTS) = { |
112 | | ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, permittedSubtrees, |
113 | | GENERAL_SUBTREE, 0), |
114 | | ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, excludedSubtrees, |
115 | | GENERAL_SUBTREE, 1), |
116 | | } ASN1_SEQUENCE_END(NAME_CONSTRAINTS) |
117 | | |
118 | | |
119 | | IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE) |
120 | | IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS) |
121 | | |
122 | | static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, |
123 | | const X509V3_CTX *ctx, |
124 | 325 | const STACK_OF(CONF_VALUE) *nval) { |
125 | 325 | STACK_OF(GENERAL_SUBTREE) **ptree = NULL; |
126 | 325 | NAME_CONSTRAINTS *ncons = NULL; |
127 | 325 | GENERAL_SUBTREE *sub = NULL; |
128 | 325 | ncons = NAME_CONSTRAINTS_new(); |
129 | 325 | if (!ncons) { |
130 | 0 | goto err; |
131 | 0 | } |
132 | 1.97k | for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) { |
133 | 1.94k | const CONF_VALUE *val = sk_CONF_VALUE_value(nval, i); |
134 | 1.94k | CONF_VALUE tval; |
135 | 1.94k | if (!strncmp(val->name, "permitted", 9) && val->name[9]) { |
136 | 308 | ptree = &ncons->permittedSubtrees; |
137 | 308 | tval.name = val->name + 10; |
138 | 1.63k | } else if (!strncmp(val->name, "excluded", 8) && val->name[8]) { |
139 | 1.41k | ptree = &ncons->excludedSubtrees; |
140 | 1.41k | tval.name = val->name + 9; |
141 | 1.41k | } else { |
142 | 221 | OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_SYNTAX); |
143 | 221 | goto err; |
144 | 221 | } |
145 | 1.72k | tval.value = val->value; |
146 | 1.72k | sub = GENERAL_SUBTREE_new(); |
147 | 1.72k | if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1)) { |
148 | 69 | goto err; |
149 | 69 | } |
150 | 1.65k | if (!*ptree) { |
151 | 86 | *ptree = sk_GENERAL_SUBTREE_new_null(); |
152 | 86 | } |
153 | 1.65k | if (!*ptree || !sk_GENERAL_SUBTREE_push(*ptree, sub)) { |
154 | 0 | goto err; |
155 | 0 | } |
156 | 1.65k | sub = NULL; |
157 | 1.65k | } |
158 | | |
159 | 35 | return ncons; |
160 | | |
161 | 290 | err: |
162 | 290 | NAME_CONSTRAINTS_free(ncons); |
163 | 290 | GENERAL_SUBTREE_free(sub); |
164 | 290 | return NULL; |
165 | 325 | } |
166 | | |
167 | | static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a, |
168 | 133 | BIO *bp, int ind) { |
169 | 133 | NAME_CONSTRAINTS *ncons = a; |
170 | 133 | do_i2r_name_constraints(method, ncons->permittedSubtrees, bp, ind, |
171 | 133 | "Permitted"); |
172 | 133 | do_i2r_name_constraints(method, ncons->excludedSubtrees, bp, ind, "Excluded"); |
173 | 133 | return 1; |
174 | 133 | } |
175 | | |
176 | | static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method, |
177 | | STACK_OF(GENERAL_SUBTREE) *trees, BIO *bp, |
178 | 266 | int ind, const char *name) { |
179 | 266 | GENERAL_SUBTREE *tree; |
180 | 266 | size_t i; |
181 | 266 | if (sk_GENERAL_SUBTREE_num(trees) > 0) { |
182 | 81 | BIO_printf(bp, "%*s%s:\n", ind, "", name); |
183 | 81 | } |
184 | 715 | for (i = 0; i < sk_GENERAL_SUBTREE_num(trees); i++) { |
185 | 449 | tree = sk_GENERAL_SUBTREE_value(trees, i); |
186 | 449 | BIO_printf(bp, "%*s", ind + 2, ""); |
187 | 449 | if (tree->base->type == GEN_IPADD) { |
188 | 68 | print_nc_ipadd(bp, tree->base->d.ip); |
189 | 381 | } else { |
190 | 381 | GENERAL_NAME_print(bp, tree->base); |
191 | 381 | } |
192 | 449 | BIO_puts(bp, "\n"); |
193 | 449 | } |
194 | 266 | return 1; |
195 | 266 | } |
196 | | |
197 | 68 | static int print_nc_ipadd(BIO *bp, const ASN1_OCTET_STRING *ip) { |
198 | 68 | int i, len; |
199 | 68 | unsigned char *p; |
200 | 68 | p = ip->data; |
201 | 68 | len = ip->length; |
202 | 68 | BIO_puts(bp, "IP:"); |
203 | 68 | if (len == 8) { |
204 | 19 | BIO_printf(bp, "%d.%d.%d.%d/%d.%d.%d.%d", p[0], p[1], p[2], p[3], p[4], |
205 | 19 | p[5], p[6], p[7]); |
206 | 49 | } else if (len == 32) { |
207 | 51 | for (i = 0; i < 16; i++) { |
208 | 48 | uint16_t v = ((uint16_t)p[0] << 8) | p[1]; |
209 | 48 | BIO_printf(bp, "%X", v); |
210 | 48 | p += 2; |
211 | 48 | if (i == 7) { |
212 | 3 | BIO_puts(bp, "/"); |
213 | 45 | } else if (i != 15) { |
214 | 42 | BIO_puts(bp, ":"); |
215 | 42 | } |
216 | 48 | } |
217 | 46 | } else { |
218 | 46 | BIO_printf(bp, "IP Address:<invalid>"); |
219 | 46 | } |
220 | 68 | return 1; |
221 | 68 | } |
222 | | |
223 | | //- |
224 | | // Check a certificate conforms to a specified set of constraints. |
225 | | // Return values: |
226 | | // X509_V_OK: All constraints obeyed. |
227 | | // X509_V_ERR_PERMITTED_VIOLATION: Permitted subtree violation. |
228 | | // X509_V_ERR_EXCLUDED_VIOLATION: Excluded subtree violation. |
229 | | // X509_V_ERR_SUBTREE_MINMAX: Min or max values present and matching type. |
230 | | // X509_V_ERR_UNSPECIFIED: Unspecified error. |
231 | | // X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: Unsupported constraint type. |
232 | | // X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: Bad or unsupported constraint |
233 | | // syntax. |
234 | | // X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: Bad or unsupported syntax of name. |
235 | | |
236 | 0 | int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc) { |
237 | 0 | int r, i; |
238 | 0 | size_t j; |
239 | 0 | X509_NAME *nm; |
240 | |
|
241 | 0 | nm = X509_get_subject_name(x); |
242 | | |
243 | | // Guard against certificates with an excessive number of names or |
244 | | // constraints causing a computationally expensive name constraints |
245 | | // check. |
246 | 0 | size_t name_count = |
247 | 0 | X509_NAME_entry_count(nm) + sk_GENERAL_NAME_num(x->altname); |
248 | 0 | size_t constraint_count = sk_GENERAL_SUBTREE_num(nc->permittedSubtrees) + |
249 | 0 | sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); |
250 | 0 | size_t check_count = constraint_count * name_count; |
251 | 0 | if (name_count < (size_t)X509_NAME_entry_count(nm) || |
252 | 0 | constraint_count < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees) || |
253 | 0 | (constraint_count && check_count / constraint_count != name_count) || |
254 | 0 | check_count > 1 << 20) { |
255 | 0 | return X509_V_ERR_UNSPECIFIED; |
256 | 0 | } |
257 | | |
258 | 0 | if (X509_NAME_entry_count(nm) > 0) { |
259 | 0 | GENERAL_NAME gntmp; |
260 | 0 | gntmp.type = GEN_DIRNAME; |
261 | 0 | gntmp.d.directoryName = nm; |
262 | |
|
263 | 0 | r = nc_match(&gntmp, nc); |
264 | |
|
265 | 0 | if (r != X509_V_OK) { |
266 | 0 | return r; |
267 | 0 | } |
268 | | |
269 | 0 | gntmp.type = GEN_EMAIL; |
270 | | |
271 | | // Process any email address attributes in subject name |
272 | |
|
273 | 0 | for (i = -1;;) { |
274 | 0 | i = X509_NAME_get_index_by_NID(nm, NID_pkcs9_emailAddress, i); |
275 | 0 | if (i == -1) { |
276 | 0 | break; |
277 | 0 | } |
278 | 0 | const X509_NAME_ENTRY *ne = X509_NAME_get_entry(nm, i); |
279 | 0 | gntmp.d.rfc822Name = X509_NAME_ENTRY_get_data(ne); |
280 | 0 | if (gntmp.d.rfc822Name->type != V_ASN1_IA5STRING) { |
281 | 0 | return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; |
282 | 0 | } |
283 | | |
284 | 0 | r = nc_match(&gntmp, nc); |
285 | |
|
286 | 0 | if (r != X509_V_OK) { |
287 | 0 | return r; |
288 | 0 | } |
289 | 0 | } |
290 | 0 | } |
291 | | |
292 | 0 | for (j = 0; j < sk_GENERAL_NAME_num(x->altname); j++) { |
293 | 0 | GENERAL_NAME *gen = sk_GENERAL_NAME_value(x->altname, j); |
294 | 0 | r = nc_match(gen, nc); |
295 | 0 | if (r != X509_V_OK) { |
296 | 0 | return r; |
297 | 0 | } |
298 | 0 | } |
299 | | |
300 | 0 | return X509_V_OK; |
301 | 0 | } |
302 | | |
303 | 0 | static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) { |
304 | 0 | GENERAL_SUBTREE *sub; |
305 | 0 | int r, match = 0; |
306 | 0 | size_t i; |
307 | | |
308 | | // Permitted subtrees: if any subtrees exist of matching the type at |
309 | | // least one subtree must match. |
310 | |
|
311 | 0 | for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) { |
312 | 0 | sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i); |
313 | 0 | if (gen->type != sub->base->type) { |
314 | 0 | continue; |
315 | 0 | } |
316 | 0 | if (sub->minimum || sub->maximum) { |
317 | 0 | return X509_V_ERR_SUBTREE_MINMAX; |
318 | 0 | } |
319 | | // If we already have a match don't bother trying any more |
320 | 0 | if (match == 2) { |
321 | 0 | continue; |
322 | 0 | } |
323 | 0 | if (match == 0) { |
324 | 0 | match = 1; |
325 | 0 | } |
326 | 0 | r = nc_match_single(gen, sub->base); |
327 | 0 | if (r == X509_V_OK) { |
328 | 0 | match = 2; |
329 | 0 | } else if (r != X509_V_ERR_PERMITTED_VIOLATION) { |
330 | 0 | return r; |
331 | 0 | } |
332 | 0 | } |
333 | | |
334 | 0 | if (match == 1) { |
335 | 0 | return X509_V_ERR_PERMITTED_VIOLATION; |
336 | 0 | } |
337 | | |
338 | | // Excluded subtrees: must not match any of these |
339 | | |
340 | 0 | for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) { |
341 | 0 | sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i); |
342 | 0 | if (gen->type != sub->base->type) { |
343 | 0 | continue; |
344 | 0 | } |
345 | 0 | if (sub->minimum || sub->maximum) { |
346 | 0 | return X509_V_ERR_SUBTREE_MINMAX; |
347 | 0 | } |
348 | | |
349 | 0 | r = nc_match_single(gen, sub->base); |
350 | 0 | if (r == X509_V_OK) { |
351 | 0 | return X509_V_ERR_EXCLUDED_VIOLATION; |
352 | 0 | } else if (r != X509_V_ERR_PERMITTED_VIOLATION) { |
353 | 0 | return r; |
354 | 0 | } |
355 | 0 | } |
356 | | |
357 | 0 | return X509_V_OK; |
358 | 0 | } |
359 | | |
360 | 0 | static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base) { |
361 | 0 | switch (base->type) { |
362 | 0 | case GEN_DIRNAME: |
363 | 0 | return nc_dn(gen->d.directoryName, base->d.directoryName); |
364 | | |
365 | 0 | case GEN_DNS: |
366 | 0 | return nc_dns(gen->d.dNSName, base->d.dNSName); |
367 | | |
368 | 0 | case GEN_EMAIL: |
369 | 0 | return nc_email(gen->d.rfc822Name, base->d.rfc822Name); |
370 | | |
371 | 0 | case GEN_URI: |
372 | 0 | return nc_uri(gen->d.uniformResourceIdentifier, |
373 | 0 | base->d.uniformResourceIdentifier); |
374 | | |
375 | 0 | default: |
376 | 0 | return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE; |
377 | 0 | } |
378 | 0 | } |
379 | | |
380 | | // directoryName name constraint matching. The canonical encoding of |
381 | | // X509_NAME makes this comparison easy. It is matched if the subtree is a |
382 | | // subset of the name. |
383 | | |
384 | 0 | static int nc_dn(X509_NAME *nm, X509_NAME *base) { |
385 | | // Ensure canonical encodings are up to date. |
386 | 0 | if (nm->modified && i2d_X509_NAME(nm, NULL) < 0) { |
387 | 0 | return X509_V_ERR_OUT_OF_MEM; |
388 | 0 | } |
389 | 0 | if (base->modified && i2d_X509_NAME(base, NULL) < 0) { |
390 | 0 | return X509_V_ERR_OUT_OF_MEM; |
391 | 0 | } |
392 | 0 | if (base->canon_enclen > nm->canon_enclen) { |
393 | 0 | return X509_V_ERR_PERMITTED_VIOLATION; |
394 | 0 | } |
395 | 0 | if (OPENSSL_memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen)) { |
396 | 0 | return X509_V_ERR_PERMITTED_VIOLATION; |
397 | 0 | } |
398 | 0 | return X509_V_OK; |
399 | 0 | } |
400 | | |
401 | 0 | static int starts_with(const CBS *cbs, uint8_t c) { |
402 | 0 | return CBS_len(cbs) > 0 && CBS_data(cbs)[0] == c; |
403 | 0 | } |
404 | | |
405 | 0 | static int equal_case(const CBS *a, const CBS *b) { |
406 | 0 | if (CBS_len(a) != CBS_len(b)) { |
407 | 0 | return 0; |
408 | 0 | } |
409 | | // Note we cannot use |OPENSSL_strncasecmp| because that would stop |
410 | | // iterating at NUL. |
411 | 0 | const uint8_t *a_data = CBS_data(a), *b_data = CBS_data(b); |
412 | 0 | for (size_t i = 0; i < CBS_len(a); i++) { |
413 | 0 | if (OPENSSL_tolower(a_data[i]) != OPENSSL_tolower(b_data[i])) { |
414 | 0 | return 0; |
415 | 0 | } |
416 | 0 | } |
417 | 0 | return 1; |
418 | 0 | } |
419 | | |
420 | 0 | static int has_suffix_case(const CBS *a, const CBS *b) { |
421 | 0 | if (CBS_len(a) < CBS_len(b)) { |
422 | 0 | return 0; |
423 | 0 | } |
424 | 0 | CBS copy = *a; |
425 | 0 | CBS_skip(©, CBS_len(a) - CBS_len(b)); |
426 | 0 | return equal_case(©, b); |
427 | 0 | } |
428 | | |
429 | 0 | static int nc_dns(const ASN1_IA5STRING *dns, const ASN1_IA5STRING *base) { |
430 | 0 | CBS dns_cbs, base_cbs; |
431 | 0 | CBS_init(&dns_cbs, dns->data, dns->length); |
432 | 0 | CBS_init(&base_cbs, base->data, base->length); |
433 | | |
434 | | // Empty matches everything |
435 | 0 | if (CBS_len(&base_cbs) == 0) { |
436 | 0 | return X509_V_OK; |
437 | 0 | } |
438 | | |
439 | | // If |base_cbs| begins with a '.', do a simple suffix comparison. This is |
440 | | // not part of RFC5280, but is part of OpenSSL's original behavior. |
441 | 0 | if (starts_with(&base_cbs, '.')) { |
442 | 0 | if (has_suffix_case(&dns_cbs, &base_cbs)) { |
443 | 0 | return X509_V_OK; |
444 | 0 | } |
445 | 0 | return X509_V_ERR_PERMITTED_VIOLATION; |
446 | 0 | } |
447 | | |
448 | | // Otherwise can add zero or more components on the left so compare RHS |
449 | | // and if dns is longer and expect '.' as preceding character. |
450 | 0 | if (CBS_len(&dns_cbs) > CBS_len(&base_cbs)) { |
451 | 0 | uint8_t dot; |
452 | 0 | if (!CBS_skip(&dns_cbs, CBS_len(&dns_cbs) - CBS_len(&base_cbs) - 1) || |
453 | 0 | !CBS_get_u8(&dns_cbs, &dot) || dot != '.') { |
454 | 0 | return X509_V_ERR_PERMITTED_VIOLATION; |
455 | 0 | } |
456 | 0 | } |
457 | | |
458 | 0 | if (!equal_case(&dns_cbs, &base_cbs)) { |
459 | 0 | return X509_V_ERR_PERMITTED_VIOLATION; |
460 | 0 | } |
461 | | |
462 | 0 | return X509_V_OK; |
463 | 0 | } |
464 | | |
465 | 0 | static int nc_email(const ASN1_IA5STRING *eml, const ASN1_IA5STRING *base) { |
466 | 0 | CBS eml_cbs, base_cbs; |
467 | 0 | CBS_init(&eml_cbs, eml->data, eml->length); |
468 | 0 | CBS_init(&base_cbs, base->data, base->length); |
469 | | |
470 | | // TODO(davidben): In OpenSSL 1.1.1, this switched from the first '@' to the |
471 | | // last one. Match them here, or perhaps do an actual parse. Looks like |
472 | | // multiple '@'s may be allowed in quoted strings. |
473 | 0 | CBS eml_local, base_local; |
474 | 0 | if (!CBS_get_until_first(&eml_cbs, &eml_local, '@')) { |
475 | 0 | return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; |
476 | 0 | } |
477 | 0 | int base_has_at = CBS_get_until_first(&base_cbs, &base_local, '@'); |
478 | | |
479 | | // Special case: initial '.' is RHS match |
480 | 0 | if (!base_has_at && starts_with(&base_cbs, '.')) { |
481 | 0 | if (has_suffix_case(&eml_cbs, &base_cbs)) { |
482 | 0 | return X509_V_OK; |
483 | 0 | } |
484 | 0 | return X509_V_ERR_PERMITTED_VIOLATION; |
485 | 0 | } |
486 | | |
487 | | // If we have anything before '@' match local part |
488 | 0 | if (base_has_at) { |
489 | | // TODO(davidben): This interprets a constraint of "@example.com" as |
490 | | // "example.com", which is not part of RFC5280. |
491 | 0 | if (CBS_len(&base_local) > 0) { |
492 | | // Case sensitive match of local part |
493 | 0 | if (!CBS_mem_equal(&base_local, CBS_data(&eml_local), |
494 | 0 | CBS_len(&eml_local))) { |
495 | 0 | return X509_V_ERR_PERMITTED_VIOLATION; |
496 | 0 | } |
497 | 0 | } |
498 | | // Position base after '@' |
499 | 0 | assert(starts_with(&base_cbs, '@')); |
500 | 0 | CBS_skip(&base_cbs, 1); |
501 | 0 | } |
502 | | |
503 | | // Just have hostname left to match: case insensitive |
504 | 0 | assert(starts_with(&eml_cbs, '@')); |
505 | 0 | CBS_skip(&eml_cbs, 1); |
506 | 0 | if (!equal_case(&base_cbs, &eml_cbs)) { |
507 | 0 | return X509_V_ERR_PERMITTED_VIOLATION; |
508 | 0 | } |
509 | | |
510 | 0 | return X509_V_OK; |
511 | 0 | } |
512 | | |
513 | 0 | static int nc_uri(const ASN1_IA5STRING *uri, const ASN1_IA5STRING *base) { |
514 | 0 | CBS uri_cbs, base_cbs; |
515 | 0 | CBS_init(&uri_cbs, uri->data, uri->length); |
516 | 0 | CBS_init(&base_cbs, base->data, base->length); |
517 | | |
518 | | // Check for foo:// and skip past it |
519 | 0 | CBS scheme; |
520 | 0 | uint8_t byte; |
521 | 0 | if (!CBS_get_until_first(&uri_cbs, &scheme, ':') || |
522 | 0 | !CBS_skip(&uri_cbs, 1) || // Skip the colon |
523 | 0 | !CBS_get_u8(&uri_cbs, &byte) || byte != '/' || |
524 | 0 | !CBS_get_u8(&uri_cbs, &byte) || byte != '/') { |
525 | 0 | return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; |
526 | 0 | } |
527 | | |
528 | | // Look for a port indicator as end of hostname first. Otherwise look for |
529 | | // trailing slash, or the end of the string. |
530 | | // TODO(davidben): This is not a correct URI parser and mishandles IPv6 |
531 | | // literals. |
532 | 0 | CBS host; |
533 | 0 | if (!CBS_get_until_first(&uri_cbs, &host, ':') && |
534 | 0 | !CBS_get_until_first(&uri_cbs, &host, '/')) { |
535 | 0 | host = uri_cbs; |
536 | 0 | } |
537 | |
|
538 | 0 | if (CBS_len(&host) == 0) { |
539 | 0 | return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; |
540 | 0 | } |
541 | | |
542 | | // Special case: initial '.' is RHS match |
543 | 0 | if (starts_with(&base_cbs, '.')) { |
544 | 0 | if (has_suffix_case(&host, &base_cbs)) { |
545 | 0 | return X509_V_OK; |
546 | 0 | } |
547 | 0 | return X509_V_ERR_PERMITTED_VIOLATION; |
548 | 0 | } |
549 | | |
550 | 0 | if (!equal_case(&base_cbs, &host)) { |
551 | 0 | return X509_V_ERR_PERMITTED_VIOLATION; |
552 | 0 | } |
553 | | |
554 | 0 | return X509_V_OK; |
555 | 0 | } |