/* * Written by Dr Stephen N Henson ([email protected]) for the OpenSSL * project. */ /* ==================================================================== * Copyright (c) 2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * [email protected]. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * ([email protected]). This product includes software written by Tim * Hudson ([email protected]). */ #include <stdio.h> #include <string.h> #include <openssl/asn1t.h> #include <openssl/conf.h> #include <openssl/err.h> #include <openssl/mem.h> #include <openssl/obj.h> #include <openssl/x509.h> #include "../internal.h" #include "internal.h" static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx, const STACK_OF(CONF_VALUE) *nval); static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a, BIO *bp, int ind); static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method, STACK_OF(GENERAL_SUBTREE) *trees, BIO *bp, int ind, const char *name); static int print_nc_ipadd(BIO *bp, const ASN1_OCTET_STRING *ip); static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc); static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen); static int nc_dn(X509_NAME *sub, X509_NAME *nm); static int nc_dns(const ASN1_IA5STRING *sub, const ASN1_IA5STRING *dns); static int nc_email(const ASN1_IA5STRING *sub, const ASN1_IA5STRING *eml); static int nc_uri(const ASN1_IA5STRING *uri, const ASN1_IA5STRING *base); const X509V3_EXT_METHOD v3_name_constraints = …; ASN1_SEQUENCE(GENERAL_SUBTREE) = … ASN1_SEQUENCE_END(GENERAL_SUBTREE) ASN1_SEQUENCE(NAME_CONSTRAINTS) = … ASN1_SEQUENCE_END(NAME_CONSTRAINTS) IMPLEMENT_ASN1_ALLOC_FUNCTIONS(…) IMPLEMENT_ASN1_ALLOC_FUNCTIONS(…) static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx, const STACK_OF(CONF_VALUE) *nval) { … } static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a, BIO *bp, int ind) { … } static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method, STACK_OF(GENERAL_SUBTREE) *trees, BIO *bp, int ind, const char *name) { … } static int print_nc_ipadd(BIO *bp, const ASN1_OCTET_STRING *ip) { … } //- // Check a certificate conforms to a specified set of constraints. // Return values: // X509_V_OK: All constraints obeyed. // X509_V_ERR_PERMITTED_VIOLATION: Permitted subtree violation. // X509_V_ERR_EXCLUDED_VIOLATION: Excluded subtree violation. // X509_V_ERR_SUBTREE_MINMAX: Min or max values present and matching type. // X509_V_ERR_UNSPECIFIED: Unspecified error. // X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: Unsupported constraint type. // X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: Bad or unsupported constraint // syntax. // X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: Bad or unsupported syntax of name. int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc) { … } static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) { … } static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base) { … } // directoryName name constraint matching. The canonical encoding of // X509_NAME makes this comparison easy. It is matched if the subtree is a // subset of the name. static int nc_dn(X509_NAME *nm, X509_NAME *base) { … } static int starts_with(const CBS *cbs, uint8_t c) { … } static int equal_case(const CBS *a, const CBS *b) { … } static int has_suffix_case(const CBS *a, const CBS *b) { … } static int nc_dns(const ASN1_IA5STRING *dns, const ASN1_IA5STRING *base) { … } static int nc_email(const ASN1_IA5STRING *eml, const ASN1_IA5STRING *base) { … } static int nc_uri(const ASN1_IA5STRING *uri, const ASN1_IA5STRING *base) { … }