11cb0ef41Sopenharmony_ci/* 21cb0ef41Sopenharmony_ci * Copyright 2014-2021 The OpenSSL Project Authors. All Rights Reserved. 31cb0ef41Sopenharmony_ci * 41cb0ef41Sopenharmony_ci * Licensed under the Apache License 2.0 (the "License"). You may not use 51cb0ef41Sopenharmony_ci * this file except in compliance with the License. You can obtain a copy 61cb0ef41Sopenharmony_ci * in the file LICENSE in the source distribution or at 71cb0ef41Sopenharmony_ci * https://www.openssl.org/source/license.html 81cb0ef41Sopenharmony_ci */ 91cb0ef41Sopenharmony_ci 101cb0ef41Sopenharmony_ci#include "internal/refcount.h" 111cb0ef41Sopenharmony_ci 121cb0ef41Sopenharmony_ci#define X509V3_conf_add_error_name_value(val) \ 131cb0ef41Sopenharmony_ci ERR_add_error_data(4, "name=", (val)->name, ", value=", (val)->value) 141cb0ef41Sopenharmony_ci 151cb0ef41Sopenharmony_ci/* 161cb0ef41Sopenharmony_ci * This structure holds all parameters associated with a verify operation by 171cb0ef41Sopenharmony_ci * including an X509_VERIFY_PARAM structure in related structures the 181cb0ef41Sopenharmony_ci * parameters used can be customized 191cb0ef41Sopenharmony_ci */ 201cb0ef41Sopenharmony_ci 211cb0ef41Sopenharmony_cistruct X509_VERIFY_PARAM_st { 221cb0ef41Sopenharmony_ci char *name; 231cb0ef41Sopenharmony_ci time_t check_time; /* Time to use */ 241cb0ef41Sopenharmony_ci uint32_t inh_flags; /* Inheritance flags */ 251cb0ef41Sopenharmony_ci unsigned long flags; /* Various verify flags */ 261cb0ef41Sopenharmony_ci int purpose; /* purpose to check untrusted certificates */ 271cb0ef41Sopenharmony_ci int trust; /* trust setting to check */ 281cb0ef41Sopenharmony_ci int depth; /* Verify depth */ 291cb0ef41Sopenharmony_ci int auth_level; /* Security level for chain verification */ 301cb0ef41Sopenharmony_ci STACK_OF(ASN1_OBJECT) *policies; /* Permissible policies */ 311cb0ef41Sopenharmony_ci /* Peer identity details */ 321cb0ef41Sopenharmony_ci STACK_OF(OPENSSL_STRING) *hosts; /* Set of acceptable names */ 331cb0ef41Sopenharmony_ci unsigned int hostflags; /* Flags to control matching features */ 341cb0ef41Sopenharmony_ci char *peername; /* Matching hostname in peer certificate */ 351cb0ef41Sopenharmony_ci char *email; /* If not NULL email address to match */ 361cb0ef41Sopenharmony_ci size_t emaillen; 371cb0ef41Sopenharmony_ci unsigned char *ip; /* If not NULL IP address to match */ 381cb0ef41Sopenharmony_ci size_t iplen; /* Length of IP address */ 391cb0ef41Sopenharmony_ci}; 401cb0ef41Sopenharmony_ci 411cb0ef41Sopenharmony_ci/* No error callback if depth < 0 */ 421cb0ef41Sopenharmony_ciint ossl_x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth); 431cb0ef41Sopenharmony_ci 441cb0ef41Sopenharmony_ci/* a sequence of these are used */ 451cb0ef41Sopenharmony_cistruct x509_attributes_st { 461cb0ef41Sopenharmony_ci ASN1_OBJECT *object; 471cb0ef41Sopenharmony_ci STACK_OF(ASN1_TYPE) *set; 481cb0ef41Sopenharmony_ci}; 491cb0ef41Sopenharmony_ci 501cb0ef41Sopenharmony_cistruct X509_extension_st { 511cb0ef41Sopenharmony_ci ASN1_OBJECT *object; 521cb0ef41Sopenharmony_ci ASN1_BOOLEAN critical; 531cb0ef41Sopenharmony_ci ASN1_OCTET_STRING value; 541cb0ef41Sopenharmony_ci}; 551cb0ef41Sopenharmony_ci 561cb0ef41Sopenharmony_ci/* 571cb0ef41Sopenharmony_ci * Method to handle CRL access. In general a CRL could be very large (several 581cb0ef41Sopenharmony_ci * Mb) and can consume large amounts of resources if stored in memory by 591cb0ef41Sopenharmony_ci * multiple processes. This method allows general CRL operations to be 601cb0ef41Sopenharmony_ci * redirected to more efficient callbacks: for example a CRL entry database. 611cb0ef41Sopenharmony_ci */ 621cb0ef41Sopenharmony_ci 631cb0ef41Sopenharmony_ci#define X509_CRL_METHOD_DYNAMIC 1 641cb0ef41Sopenharmony_ci 651cb0ef41Sopenharmony_cistruct x509_crl_method_st { 661cb0ef41Sopenharmony_ci int flags; 671cb0ef41Sopenharmony_ci int (*crl_init) (X509_CRL *crl); 681cb0ef41Sopenharmony_ci int (*crl_free) (X509_CRL *crl); 691cb0ef41Sopenharmony_ci int (*crl_lookup) (X509_CRL *crl, X509_REVOKED **ret, 701cb0ef41Sopenharmony_ci const ASN1_INTEGER *ser, const X509_NAME *issuer); 711cb0ef41Sopenharmony_ci int (*crl_verify) (X509_CRL *crl, EVP_PKEY *pk); 721cb0ef41Sopenharmony_ci}; 731cb0ef41Sopenharmony_ci 741cb0ef41Sopenharmony_cistruct x509_lookup_method_st { 751cb0ef41Sopenharmony_ci char *name; 761cb0ef41Sopenharmony_ci int (*new_item) (X509_LOOKUP *ctx); 771cb0ef41Sopenharmony_ci void (*free) (X509_LOOKUP *ctx); 781cb0ef41Sopenharmony_ci int (*init) (X509_LOOKUP *ctx); 791cb0ef41Sopenharmony_ci int (*shutdown) (X509_LOOKUP *ctx); 801cb0ef41Sopenharmony_ci int (*ctrl) (X509_LOOKUP *ctx, int cmd, const char *argc, long argl, 811cb0ef41Sopenharmony_ci char **ret); 821cb0ef41Sopenharmony_ci int (*get_by_subject) (X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, 831cb0ef41Sopenharmony_ci const X509_NAME *name, X509_OBJECT *ret); 841cb0ef41Sopenharmony_ci int (*get_by_issuer_serial) (X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, 851cb0ef41Sopenharmony_ci const X509_NAME *name, 861cb0ef41Sopenharmony_ci const ASN1_INTEGER *serial, 871cb0ef41Sopenharmony_ci X509_OBJECT *ret); 881cb0ef41Sopenharmony_ci int (*get_by_fingerprint) (X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, 891cb0ef41Sopenharmony_ci const unsigned char *bytes, int len, 901cb0ef41Sopenharmony_ci X509_OBJECT *ret); 911cb0ef41Sopenharmony_ci int (*get_by_alias) (X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, 921cb0ef41Sopenharmony_ci const char *str, int len, X509_OBJECT *ret); 931cb0ef41Sopenharmony_ci int (*get_by_subject_ex) (X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, 941cb0ef41Sopenharmony_ci const X509_NAME *name, X509_OBJECT *ret, 951cb0ef41Sopenharmony_ci OSSL_LIB_CTX *libctx, const char *propq); 961cb0ef41Sopenharmony_ci int (*ctrl_ex) (X509_LOOKUP *ctx, int cmd, const char *argc, long argl, 971cb0ef41Sopenharmony_ci char **ret, OSSL_LIB_CTX *libctx, const char *propq); 981cb0ef41Sopenharmony_ci}; 991cb0ef41Sopenharmony_ci 1001cb0ef41Sopenharmony_ci/* This is the functions plus an instance of the local variables. */ 1011cb0ef41Sopenharmony_cistruct x509_lookup_st { 1021cb0ef41Sopenharmony_ci int init; /* have we been started */ 1031cb0ef41Sopenharmony_ci int skip; /* don't use us. */ 1041cb0ef41Sopenharmony_ci X509_LOOKUP_METHOD *method; /* the functions */ 1051cb0ef41Sopenharmony_ci void *method_data; /* method data */ 1061cb0ef41Sopenharmony_ci X509_STORE *store_ctx; /* who owns us */ 1071cb0ef41Sopenharmony_ci}; 1081cb0ef41Sopenharmony_ci 1091cb0ef41Sopenharmony_ci/* 1101cb0ef41Sopenharmony_ci * This is used to hold everything. It is used for all certificate 1111cb0ef41Sopenharmony_ci * validation. Once we have a certificate chain, the 'verify' function is 1121cb0ef41Sopenharmony_ci * then called to actually check the cert chain. 1131cb0ef41Sopenharmony_ci */ 1141cb0ef41Sopenharmony_cistruct x509_store_st { 1151cb0ef41Sopenharmony_ci /* The following is a cache of trusted certs */ 1161cb0ef41Sopenharmony_ci int cache; /* if true, stash any hits */ 1171cb0ef41Sopenharmony_ci STACK_OF(X509_OBJECT) *objs; /* Cache of all objects */ 1181cb0ef41Sopenharmony_ci /* These are external lookup methods */ 1191cb0ef41Sopenharmony_ci STACK_OF(X509_LOOKUP) *get_cert_methods; 1201cb0ef41Sopenharmony_ci X509_VERIFY_PARAM *param; 1211cb0ef41Sopenharmony_ci /* Callbacks for various operations */ 1221cb0ef41Sopenharmony_ci /* called to verify a certificate */ 1231cb0ef41Sopenharmony_ci int (*verify) (X509_STORE_CTX *ctx); 1241cb0ef41Sopenharmony_ci /* error callback */ 1251cb0ef41Sopenharmony_ci int (*verify_cb) (int ok, X509_STORE_CTX *ctx); 1261cb0ef41Sopenharmony_ci /* get issuers cert from ctx */ 1271cb0ef41Sopenharmony_ci int (*get_issuer) (X509 **issuer, X509_STORE_CTX *ctx, X509 *x); 1281cb0ef41Sopenharmony_ci /* check issued */ 1291cb0ef41Sopenharmony_ci int (*check_issued) (X509_STORE_CTX *ctx, X509 *x, X509 *issuer); 1301cb0ef41Sopenharmony_ci /* Check revocation status of chain */ 1311cb0ef41Sopenharmony_ci int (*check_revocation) (X509_STORE_CTX *ctx); 1321cb0ef41Sopenharmony_ci /* retrieve CRL */ 1331cb0ef41Sopenharmony_ci int (*get_crl) (X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); 1341cb0ef41Sopenharmony_ci /* Check CRL validity */ 1351cb0ef41Sopenharmony_ci int (*check_crl) (X509_STORE_CTX *ctx, X509_CRL *crl); 1361cb0ef41Sopenharmony_ci /* Check certificate against CRL */ 1371cb0ef41Sopenharmony_ci int (*cert_crl) (X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); 1381cb0ef41Sopenharmony_ci /* Check policy status of the chain */ 1391cb0ef41Sopenharmony_ci int (*check_policy) (X509_STORE_CTX *ctx); 1401cb0ef41Sopenharmony_ci STACK_OF(X509) *(*lookup_certs) (X509_STORE_CTX *ctx, 1411cb0ef41Sopenharmony_ci const X509_NAME *nm); 1421cb0ef41Sopenharmony_ci /* cannot constify 'ctx' param due to lookup_certs_sk() in x509_vfy.c */ 1431cb0ef41Sopenharmony_ci STACK_OF(X509_CRL) *(*lookup_crls) (const X509_STORE_CTX *ctx, 1441cb0ef41Sopenharmony_ci const X509_NAME *nm); 1451cb0ef41Sopenharmony_ci int (*cleanup) (X509_STORE_CTX *ctx); 1461cb0ef41Sopenharmony_ci CRYPTO_EX_DATA ex_data; 1471cb0ef41Sopenharmony_ci CRYPTO_REF_COUNT references; 1481cb0ef41Sopenharmony_ci CRYPTO_RWLOCK *lock; 1491cb0ef41Sopenharmony_ci}; 1501cb0ef41Sopenharmony_ci 1511cb0ef41Sopenharmony_citypedef struct lookup_dir_hashes_st BY_DIR_HASH; 1521cb0ef41Sopenharmony_citypedef struct lookup_dir_entry_st BY_DIR_ENTRY; 1531cb0ef41Sopenharmony_ciDEFINE_STACK_OF(BY_DIR_HASH) 1541cb0ef41Sopenharmony_ciDEFINE_STACK_OF(BY_DIR_ENTRY) 1551cb0ef41Sopenharmony_citypedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY; 1561cb0ef41Sopenharmony_ciDEFINE_STACK_OF(STACK_OF_X509_NAME_ENTRY) 1571cb0ef41Sopenharmony_ci 1581cb0ef41Sopenharmony_ciint ossl_x509_likely_issued(X509 *issuer, X509 *subject); 1591cb0ef41Sopenharmony_ciint ossl_x509_signing_allowed(const X509 *issuer, const X509 *subject); 160