/*
 * Fill x->policy_cache from a decoded certificatePolicies extension.
 *
 * Consumes 'policies': the stack is freed on every return path, so the
 * caller must not touch it afterwards. Each POLICYINFO is converted with
 * policy_data_new() and stored either as cache->anyPolicy (when its OID is
 * anyPolicy) or pushed onto cache->data, which is created here with
 * policy_data_cmp as the comparison function.
 *
 * NOTE(review): x->policy_cache is assumed to have been allocated by the
 * caller; it is dereferenced without a check here.
 *
 * Returns 1 on success, -1 if the extension is malformed (a duplicate
 * policy OID or a second anyPolicy; EXFLAG_INVALID_POLICY is also set on x),
 * and 0 on any other failure (empty extension, allocation or conversion
 * failure). On every non-success return cache->data is freed and reset.
 */
static int policy_cache_create (X509 * x, CERTIFICATEPOLICIES * policies, int crit)
{
    int i;

    int ret = 0;

    X509_POLICY_CACHE *cache = x->policy_cache;

    /* Holds the entry currently being built; non-NULL at 'bad_policy' means it
     * was never handed to the cache and must be freed here. */
    X509_POLICY_DATA *data = NULL;

    POLICYINFO *policy;

    if (sk_POLICYINFO_num (policies) == 0)
        goto bad_policy;
    cache->data = sk_X509_POLICY_DATA_new (policy_data_cmp);
    if (!cache->data)
        goto bad_policy;
    for (i = 0; i < sk_POLICYINFO_num (policies); i++)
    {
        policy = sk_POLICYINFO_value (policies, i);
        data = policy_data_new (policy, NULL, crit);
        if (!data)
            goto bad_policy;
        /* Duplicate policy OIDs are illegal: reject if matches
         * found.
         */
        if (OBJ_obj2nid (data->valid_policy) == NID_any_policy)
        {
            /* anyPolicy lives in its own slot; a second one is a hard error */
            if (cache->anyPolicy)
            {
                ret = -1;
                goto bad_policy;
            }
            cache->anyPolicy = data;
        }
        else if (sk_X509_POLICY_DATA_find (cache->data, data) != -1)
        {
            ret = -1;
            goto bad_policy;
        }
        else if (!sk_X509_POLICY_DATA_push (cache->data, data))
            goto bad_policy;
        /* Ownership now belongs to the cache; don't free it in the cleanup path */
        data = NULL;
    }
    ret = 1;
  bad_policy:
    /* Only structural errors (ret == -1) mark the certificate's policies invalid */
    if (ret == -1)
        x->ex_flags |= EXFLAG_INVALID_POLICY;
    if (data)
        policy_data_free (data);
    /* 'policies' is consumed regardless of outcome */
    sk_POLICYINFO_pop_free (policies, POLICYINFO_free);
    if (ret <= 0)
    {
        sk_X509_POLICY_DATA_pop_free (cache->data, policy_data_free);
        cache->data = NULL;
    }
    return ret;
}
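/**
 * Returns current certificate policies
 *
 * Reads the certificatePolicies extension (NID_certificate_policies) of the
 * wrapped certificate and returns every policy OID in dotted-decimal form
 * (OBJ_obj2txt with no_name = 1). Entries whose OID cannot be rendered are
 * skipped.
 *
 * @return certificate policies; empty when the extension is absent
 */
std::vector<std::string> digidoc::X509Cert::getCertificatePolicies() const throw(IOException)
{
    CERTIFICATEPOLICIES *cp = static_cast<CERTIFICATEPOLICIES*>(
        X509_get_ext_d2i(cert, NID_certificate_policies, 0, 0));
    if(!cp)
        return std::vector<std::string>();

    std::vector<std::string> pol;
    for(int i = 0; i < sk_POLICYINFO_num(cp); ++i)
    {
        ASN1_OBJECT *oid = sk_POLICYINFO_value(cp, i)->policyid;

        // OBJ_obj2txt returns the full length of the textual OID even when the
        // buffer is too small and the output had to be truncated; the previous
        // code built std::string(buf, len) from that length and could read past
        // the 50-byte buffer. Retry with a buffer sized from the first call.
        char buf[50] = { 0 };
        int len = OBJ_obj2txt(buf, sizeof(buf), oid, 1);
        if(len <= 0)
            continue;   // empty or unrenderable OID

        if(static_cast<size_t>(len) < sizeof(buf))
        {
            pol.push_back(std::string(buf, len));
            continue;
        }

        std::vector<char> big(static_cast<size_t>(len) + 1, 0);
        if(OBJ_obj2txt(&big[0], static_cast<int>(big.size()), oid, 1) > 0)
            pol.push_back(std::string(&big[0]));   // NUL-terminated by OBJ_obj2txt
    }
    sk_POLICYINFO_pop_free(cp, POLICYINFO_free);
    return pol;
}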
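/**
 * Selects the digest method used for signing.
 *
 * The configured method (Digest::toMethod of the signature URI) is returned
 * as-is when it is SHA-1. Otherwise the signing certificate's
 * certificatePolicies extension is scanned for a policy OID under the
 * 1.3.6.1.4.1.10015.1.2 or 1.3.6.1.4.1.10015.3.2 arcs; if none is present
 * the method falls back to NID_sha224 unless the certificate's padding size
 * exceeds 128.
 *
 * @return NID of the digest method to use
 */
int digidoc::EstEIDSigner::type() const
{
    int result = digidoc::Digest::toMethod( Conf::getInstance()->getSignatureUri() );
    if( result == NID_sha1 )
        return result;

    // Prefix lengths are derived from the literals so the compared length
    // cannot drift out of sync with the text (previously a hard-coded 22).
    static const char kPolicyArc1[] = "1.3.6.1.4.1.10015.1.2.";
    static const char kPolicyArc2[] = "1.3.6.1.4.1.10015.3.2.";

    bool found = false;
    CERTIFICATEPOLICIES *cp = static_cast<CERTIFICATEPOLICIES*>(
        X509_get_ext_d2i(getCert(), NID_certificate_policies, 0, 0));
    if( cp )   // explicit: don't rely on the sk_* functions tolerating NULL
    {
        for( int i = 0; i < sk_POLICYINFO_num(cp) && !found; ++i )
        {
            char buf[50] = { 0 };
            int len = OBJ_obj2txt(buf, sizeof(buf), sk_POLICYINFO_value(cp, i)->policyid, 1);
            if( len <= 0 )
                continue;   // empty or unrenderable OID
            // OBJ_obj2txt always NUL-terminates within buf, so a prefix compare is safe
            found = strncmp(buf, kPolicyArc1, sizeof(kPolicyArc1) - 1) == 0 ||
                    strncmp(buf, kPolicyArc2, sizeof(kPolicyArc2) - 1) == 0;
        }
        sk_POLICYINFO_pop_free(cp, POLICYINFO_free);
    }

    if(!found)
        return X509Cert(getCert()).getPaddingSize() > 128 ? result : NID_sha224;

    return result;
}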
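/*
 * Returns true if the dotted-decimal OID text 'oid' equals one of the
 * 'count' strings in 'list'.
 */
static bool OidInList(const char *oid, const char *const *list, size_t count)
{
	size_t i;

	for (i = 0; i < count; i++)
	{
		if (strcmp(oid, list[i]) == 0)
		{
			return true;
		}
	}
	return false;
}

/*
 * Subject rules for a domain-validated certificate (CAB base 7.1.6.1):
 * organization, address and personal-name fields must all be absent.
 */
static void CheckDomainValidatedSubject(X509_NAME *subject)
{
	if (IsNameObjPresent(subject, obj_organizationName))
	{
		SetError(ERR_DOMAIN_WITH_ORG);
	}
	if (IsNameObjPresent(subject, obj_StreetAddress))
	{
		SetError(ERR_DOMAIN_WITH_STREET);
	}
	if (IsNameObjPresent(subject, obj_localityName))
	{
		SetError(ERR_DOMAIN_WITH_LOCALITY);
	}
	if (IsNameObjPresent(subject, obj_stateOrProvinceName))
	{
		SetError(ERR_DOMAIN_WITH_STATE);
	}
	if (IsNameObjPresent(subject, obj_postalCode))
	{
		SetError(ERR_DOMAIN_WITH_POSTAL);
	}
	if (IsNameObjPresent(subject, obj_givenName) || IsNameObjPresent(subject, obj_surname))
	{
		SetError(ERR_DOMAIN_WITH_NAME);
	}
}

/*
 * Subject rules for an organization-validated certificate (CAB base 7.1.6.1):
 * organizationName and countryName are required.
 */
static void CheckOrganizationValidatedSubject(X509_NAME *subject)
{
	if (!IsNameObjPresent(subject, obj_organizationName))
	{
		SetError(ERR_ORGANIZATION_WITHOUT_ORG);
	}
	if (!IsNameObjPresent(subject, obj_countryName))
	{
		SetError(ERR_ORGANIZATION_WITHOUT_COUNTRY);
	}
}

/*
 * Subject rules for an individual-validated certificate (CAB base 7.1.6.1):
 * either organizationName or both givenName and surname, plus countryName.
 */
static void CheckIndividualValidatedSubject(X509_NAME *subject)
{
	if (!IsNameObjPresent(subject, obj_organizationName)
		&& !(IsNameObjPresent(subject, obj_givenName) && IsNameObjPresent(subject, obj_surname)))
	{
		SetError(ERR_INDIVIDUAL_WITHOUT_NAME);
	}
	if (!IsNameObjPresent(subject, obj_countryName))
	{
		SetError(ERR_INDIVIDUAL_WITHOUT_COUNTRY);
	}
}

/*
 * Subject rules for an EV certificate (EV guidelines 9.2.x): organization,
 * business category, jurisdiction country, serial number, locality and
 * country are all required.
 */
static void CheckExtendedValidationSubject(X509_NAME *subject)
{
	/* 9.2.1 */
	if (!IsNameObjPresent(subject, obj_organizationName))
	{
		SetError(ERR_EV_WITHOUT_ORGANIZATION);
	}
	/* 9.2.4 */
	if (!IsNameObjPresent(subject, obj_businessCategory))
	{
		SetError(ERR_EV_WITHOUT_BUSINESS);
	}
	/* 9.2.5 */
	if (!IsNameObjPresent(subject, obj_jurisdictionCountryName))
	{
		SetError(ERR_EV_WITHOUT_JURISDICTION_COUNTRY);
	}
	/* 9.2.6 */
	if (!IsNameObjPresent(subject, obj_serialNumber))
	{
		SetError(ERR_EV_WITHOUT_NUMBER);
	}
	/* 9.2.7 */
	if (!IsNameObjPresent(subject, obj_localityName))
	{
		SetError(ERR_EV_WITHOUT_LOCALITY);
	}
	if (!IsNameObjPresent(subject, obj_countryName))
	{
		SetError(ERR_EV_WITHOUT_COUNTRY);
	}
}

/*
 * Checks the policy qualifiers of one PolicyInformation entry: a user notice
 * must carry its explicitText as UTF8String, a CPS qualifier must be a valid
 * URL, and any other qualifier id is an error. Every qualifier that is not a
 * CPS pointer additionally raises WARN_POLICY_QUALIFIER_NOT_CPS.
 */
static void CheckPolicyQualifiers(POLICYINFO *info)
{
	if (info->qualifiers == NULL)
	{
		return;
	}

	for (int i = 0; i < sk_POLICYQUALINFO_num(info->qualifiers); i++)
	{
		POLICYQUALINFO *qualinfo = sk_POLICYQUALINFO_value(info->qualifiers, i);
		int nid = OBJ_obj2nid(qualinfo->pqualid);

		if (nid == NID_id_qt_unotice)
		{
			if (qualinfo->d.usernotice->exptext)
			{
				ASN1_STRING *s = qualinfo->d.usernotice->exptext;
				CheckDisplayText(s);
				/*
				 * RFC5280 says:
				 * Conforming CAs SHOULD use the UTF8String encoding for explicitText,
				 * but MAY use IA5String. Conforming CAs MUST NOT encode explicitText
				 * as VisibleString or BMPString.
				 *
				 * RFC6818 updates that to:
				 * Conforming CAs SHOULD use the UTF8String encoding for explicitText.
				 * VisibleString or BMPString are acceptable but less preferred alternatives.
				 * Conforming CAs MUST NOT encode explicitText as IA5String.
				 *
				 * Combining both, UTF8String is the only valid encoding.
				 */
				if (s->type != V_ASN1_UTF8STRING)
				{
					SetWarning(WARN_EXPLICIT_TEXT_ENCODING);
				}
				if (s->type != V_ASN1_UTF8STRING && s->type != V_ASN1_BMPSTRING &&
					s->type != V_ASN1_VISIBLESTRING && s->type != V_ASN1_IA5STRING)
				{
					SetError(ERR_INVALID_TYPE_USER_NOTICE);
				}
			}
		}
		else if (nid == NID_id_qt_cps)
		{
			CheckValidURL(qualinfo->d.cpsuri->data, qualinfo->d.cpsuri->length);
		}
		else
		{
			SetError(ERR_INVALID_POLICY_QUALIFIER_ID);
		}
		if (nid != NID_id_qt_cps)
		{
			SetWarning(WARN_POLICY_QUALIFIER_NOT_CPS);
		}
	}
}

/*
 * Validates the certificatePolicies extension(s) of x509.
 *
 * Every instance of the extension is visited (X509_get_ext_d2i is iterated
 * through idx; an instance that is present but fails to parse is reported as
 * ERR_INVALID and skipped). For a SubscriberCertificate each policy OID is
 * classified as DV, OV, IV or EV using the CAB Forum OID plus the CA-specific
 * OIDs listed below, and the matching subject-field rules are applied.
 * Policy qualifiers are checked for every policy regardless of certificate
 * type. Findings are reported through SetError/SetWarning/SetInfo/
 * SetCertInfo; nothing is returned.
 *
 * The earlier version kept a separate CabIVPresent flag that was set under
 * exactly the same condition as IndividualValidated; the two are merged.
 */
static void CheckPolicy(X509 *x509, CertType type, X509_NAME *subject)
{
	/* Policy OIDs recognised as domain-validated */
	const char *const dv_oids[] = {
		OIDCabDomainValidated,
		"2.16.840.1.114413.1.7.23.1",
		"1.3.6.1.4.1.30360.3.3.3.3.4.5.3",
		"1.3.6.1.4.1.14777.1.2.4",
		"2.16.840.1.114414.1.7.23.1"
	};
	/* Policy OIDs recognised as organization-validated */
	const char *const ov_oids[] = {
		OIDCabOrganizationIdentityValidated,
		"2.16.840.1.114412.1.1",
		"1.3.6.1.4.1.4788.2.200.1",
		"2.16.840.1.114413.1.7.23.2",
		"2.16.528.1.1003.1.2.5.6",
		"1.3.6.1.4.1.8024.0.2.100.1.1",
		"2.16.840.1.114414.1.7.23.2",
		"1.3.6.1.4.1.30360.3.3.3.3.4.4.3",
		"1.3.6.1.4.1.14777.1.2.1",
		"1.3.6.1.4.1.14777.1.1.3",
		"2.16.792.3.0.3.1.1.2"
	};
	/* Policy OIDs recognised as extended validation */
	const char *const ev_oids[] = {
		OIDCabExtendedValidation,
		"2.16.840.1.114412.2.1",
		"1.3.6.1.4.1.4788.2.202.1",
		"2.16.840.1.114413.1.7.23.3",
		"1.3.6.1.4.1.8024.0.2.100.1.2",
		"2.16.840.1.114414.1.7.23.3",
		"2.16.756.1.89.1.2.1.1",
		"2.16.792.3.0.3.1.1.5",
		"1.3.6.1.4.1.6449.1.2.1.5.1",
		"1.3.6.1.4.1.14777.6.1.1",
		"1.3.6.1.4.1.14777.6.1.2",
		"1.3.6.1.4.1.36305.2"
	};
	int idx = -1;
	bool bPolicyFound = false;
	bool DomainValidated = false;
	bool OrganizationValidated = false;
	bool IndividualValidated = false;
	bool EVValidated = false;

	do
	{
		int critical = -1;

		CERTIFICATEPOLICIES *policy = X509_get_ext_d2i(x509, NID_certificate_policies, &critical, &idx);

		if (policy == NULL)
		{
			if (critical >= 0)
			{
				/* Found but fails to parse; keep scanning for further instances */
				SetError(ERR_INVALID);
				bPolicyFound = true;
				continue;
			}
			/* Not found */
			break;
		}
		bPolicyFound = true;

		for (int pi = 0; pi < sk_POLICYINFO_num(policy); pi++)
		{
			POLICYINFO *info = sk_POLICYINFO_value(policy, pi);

			/* Pre-terminated so that a failed OBJ_obj2txt leaves an empty
			 * string (matching no list) rather than uninitialized bytes. */
			char oid[80] = "";
			OBJ_obj2txt(oid, sizeof(oid), info->policyid, 1);

			if (type == SubscriberCertificate)
			{
				if (OidInList(oid, dv_oids, sizeof(dv_oids) / sizeof(dv_oids[0])))
				{
					DomainValidated = true;
					SetCertInfo(CERT_INFO_DV);
					CheckDomainValidatedSubject(subject);
				}

				if (OidInList(oid, ov_oids, sizeof(ov_oids) / sizeof(ov_oids[0])))
				{
					OrganizationValidated = true;
					SetCertInfo(CERT_INFO_OV);
					CheckOrganizationValidatedSubject(subject);
				}

				if (strcmp(oid, OIDCabIndividualIdentityValidated) == 0)
				{
					IndividualValidated = true;
					SetCertInfo(CERT_INFO_IV);
					CheckIndividualValidatedSubject(subject);
				}

				if (OidInList(oid, ev_oids, sizeof(ev_oids) / sizeof(ev_oids[0])))
				{
					EVValidated = true;
					SetCertInfo(CERT_INFO_EV);
					CheckExtendedValidationSubject(subject);
				}
			}

			CheckPolicyQualifiers(info);
		}
		CERTIFICATEPOLICIES_free(policy);
	}
	while (1);

	if (GetBit(cert_info, CERT_INFO_SERV_AUTH) || GetBit(cert_info, CERT_INFO_ANY_EKU) || GetBit(cert_info, CERT_INFO_NO_EKU))
	{
		/* Required by CAB 7.1.4.2.2c: a personal name needs the IV policy */
		if ((IsNameObjPresent(subject, obj_givenName) || IsNameObjPresent(subject, obj_surname))
			&& !IndividualValidated)
		{
			SetError(ERR_NAME_NO_IV_POLICY);
		}
	}
	else if (DomainValidated || IndividualValidated)
	{
		/* DV/IV policies on a certificate without a server-auth style EKU */
		SetError(ERR_POLICY_BR);
	}

	if (!bPolicyFound && type == SubscriberCertificate)
	{
		/* Required by CAB 9.3.4 */
		SetError(ERR_NO_POLICY);
	}

	if (type == SubscriberCertificate && !DomainValidated && !OrganizationValidated
		&& !IndividualValidated && !EVValidated)
	{
		SetInfo(INF_UNKNOWN_VALIDATION);
	}
}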