/*
 * Build the per-certificate policy cache from a decoded certificatePolicies
 * extension.
 *
 * x:        certificate whose policy_cache is filled in (must already be allocated
 *           by the caller; its anyPolicy/data members are read and written here)
 * policies: the decoded extension; this function takes ownership and frees it
 *           on every path, so the caller must not touch it afterwards
 * crit:     criticality flag of the extension, passed through to each
 *           X509_POLICY_DATA entry
 *
 * Returns 1 on success, 0 on an empty SEQUENCE or allocation failure, and -1
 * when the policy set is malformed: a policy OID listed twice, or anyPolicy
 * listed twice. The -1 case also sets EXFLAG_INVALID_POLICY on the
 * certificate so path validation can reject it later; the 0 case leaves no
 * marker. On any failure cache->data is freed and reset to NULL.
 */
static int policy_cache_create(X509 *x, CERTIFICATEPOLICIES *policies, int crit)
{
    int i;
    int ret = 0;
    X509_POLICY_CACHE *cache = x->policy_cache;
    X509_POLICY_DATA *data = NULL;
    POLICYINFO *policy;

    /* An empty certificatePolicies SEQUENCE is not usable: fail without a flag. */
    if (sk_POLICYINFO_num(policies) == 0)
        goto bad_policy;
    /* policy_data_cmp is the comparator used by sk_..._find below (not visible
     * here); duplicate detection is only as strict as that comparator. */
    cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
    if (!cache->data)
        goto bad_policy;

    for (i = 0; i < sk_POLICYINFO_num(policies); i++) {
        policy = sk_POLICYINFO_value(policies, i);
        data = policy_data_new(policy, NULL, crit);
        if (!data)
            goto bad_policy;
        /*
         * Duplicate policy OIDs are illegal (RFC 5280 4.2.1.4): reject the
         * whole set with ret = -1 if one is found. anyPolicy is kept out of
         * the stack in its own slot, so its duplicate check is a separate test.
         */
        if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
            if (cache->anyPolicy) {
                ret = -1;
                goto bad_policy;
            }
            cache->anyPolicy = data;
        } else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1) {
            ret = -1;
            goto bad_policy;
        } else if (!sk_X509_POLICY_DATA_push(cache->data, data))
            goto bad_policy;
        /* Ownership has moved into the cache; make sure cleanup does not free it. */
        data = NULL;
    }
    ret = 1;

 bad_policy:
    if (ret == -1)
        x->ex_flags |= EXFLAG_INVALID_POLICY;
    /* Only non-NULL when the current entry was never stored (error mid-loop). */
    if (data)
        policy_data_free(data);
    sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
    if (ret <= 0) {
        /* cache->anyPolicy is deliberately left in place here; presumably the
         * owner of x->policy_cache frees it when the cache is destroyed. */
        sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
        cache->data = NULL;
    }
    return ret;
}
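/**
 * Returns the policy identifiers from the certificate's certificatePolicies
 * extension as dotted-decimal strings, in extension order.
 *
 * An absent extension yields an empty vector. A present but undecodable
 * extension is indistinguishable from an absent one here, because
 * X509_get_ext_d2i is called without a criticality out-parameter
 * (NOTE(review): callers that treat "no policies" as meaningful may want
 * that distinction; it is left unchanged to keep the contract stable).
 *
 * @return certificate policy OIDs, e.g. "1.3.6.1.4.1.10015.1.1"
 */
std::vector<std::string> digidoc::X509Cert::getCertificatePolicies() const throw(IOException)
{
    CERTIFICATEPOLICIES *cp = static_cast<CERTIFICATEPOLICIES*>(
        X509_get_ext_d2i(cert, NID_certificate_policies, 0, 0));
    if(!cp)
        return std::vector<std::string>();

    std::vector<std::string> pol;
    for(int i = 0; i < sk_POLICYINFO_num(cp); ++i)
    {
        ASN1_OBJECT *policyid = sk_POLICYINFO_value(cp, i)->policyid;

        // OBJ_obj2txt behaves like snprintf: it truncates to the buffer and
        // returns the length the full text *would* have. The previous code
        // built std::string(buf, len) from that length, so a certificate with
        // a policy OID longer than the stack buffer caused an out-of-bounds
        // read of the stack. The length is now only trusted when it fits.
        char buf[80] = {0};
        int len = OBJ_obj2txt(buf, sizeof(buf), policyid, 1);
        if(len <= 0)
            continue; // empty object or conversion error: nothing to report

        if(len < static_cast<int>(sizeof(buf)))
        {
            pol.push_back(std::string(buf, len));
            continue;
        }

        // Rare long OID: re-run the conversion into a buffer of the reported size.
        std::string full(static_cast<size_t>(len) + 1, '\0');
        OBJ_obj2txt(&full[0], len + 1, policyid, 1);
        full.resize(static_cast<size_t>(len));
        pol.push_back(full);
    }
    sk_POLICYINFO_pop_free(cp, POLICYINFO_free);
    return pol;
}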
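/**
 * Selects the digest method NID used for signing.
 *
 * The configured signature URI is mapped to a NID first. SHA-1 is returned
 * as configured. For any other method the signing certificate's
 * certificatePolicies extension is scanned for an EstEID policy
 * (an OID under 1.3.6.1.4.1.10015.1.2 or 1.3.6.1.4.1.10015.3.2); if one is
 * present the configured method is used. Otherwise the configured method is
 * kept only when X509Cert::getPaddingSize() reports more than 128
 * (presumably the key size in bytes -- verify against X509Cert), and
 * NID_sha224 is used for smaller keys.
 *
 * @return OpenSSL digest NID to sign with
 */
int digidoc::EstEIDSigner::type() const
{
    int result = digidoc::Digest::toMethod( Conf::getInstance()->getSignatureUri() );
    if( result == NID_sha1 )
        return result;

    bool found = false;
    // X509_get_ext_d2i returns NULL when the extension is absent (or does not
    // decode). The old code relied on the sk_* helpers tolerating a NULL
    // stack; the guard makes that explicit instead of depending on OpenSSL
    // internals.
    CERTIFICATEPOLICIES *cp = static_cast<CERTIFICATEPOLICIES*>(
        X509_get_ext_d2i(getCert(), NID_certificate_policies, 0, 0));
    if( cp )
    {
        for( int i = 0; i < sk_POLICYINFO_num(cp) && !found; ++i )
        {
            char buf[50] = {0};
            // Only the first 22 bytes are compared and buf stays NUL-terminated,
            // so an OID longer than the buffer is truncated harmlessly: it can
            // still match only on the exact prefix.
            int len = OBJ_obj2txt(buf, sizeof(buf), sk_POLICYINFO_value(cp, i)->policyid, 1);
            if( len > 0 &&
                (strncmp(buf, "1.3.6.1.4.1.10015.1.2.", 22) == 0 ||
                 strncmp(buf, "1.3.6.1.4.1.10015.3.2.", 22) == 0) )
                found = true;
        }
        sk_POLICYINFO_pop_free(cp, POLICYINFO_free);
    }

    if( !found )
        return X509Cert(getCert()).getPaddingSize() > 128 ? result : NID_sha224;
    return result;
}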
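/* True when oid (dotted-decimal text) equals one of the count strings in list. */
static bool oid_in_list(const char *oid, const char *const *list, size_t count)
{
	for (size_t k = 0; k < count; k++) {
		if (strcmp(oid, list[k]) == 0) {
			return true;
		}
	}
	return false;
}

/*
 * Check the certificatePolicies extension(s) of x509 against the CA/Browser
 * Forum requirements and report through the global helpers (SetError,
 * SetWarning, SetInfo, SetCertInfo).
 *
 * x509:    certificate under test
 * type:    certificate type; the subject-name rules and the "no policy"
 *          error apply only to SubscriberCertificate
 * subject: the certificate's subject name, used for the DV/OV/IV/EV checks
 *
 * Every instance of the extension is visited (idx walks past each match), so
 * a certificate that carries certificatePolicies twice is evaluated on both
 * copies; RFC 5280 forbids duplicate extensions, which is presumably reported
 * by another check.
 */
static void CheckPolicy(X509 *x509, CertType type, X509_NAME *subject)
{
	/*
	 * Policy OIDs mapped onto the CAB validation levels. The OIDCab* names are
	 * the CAB Forum reserved OIDs; the literals are CA-specific policy OIDs
	 * treated as equivalent. Kept as tables so the lists can be audited and
	 * extended without touching the checks below.
	 */
	const char *const dv_oids[] = {
		OIDCabDomainValidated,
		"2.16.840.1.114413.1.7.23.1",
		"1.3.6.1.4.1.30360.3.3.3.3.4.5.3",
		"1.3.6.1.4.1.14777.1.2.4",
		"2.16.840.1.114414.1.7.23.1",
	};
	const char *const ov_oids[] = {
		OIDCabOrganizationIdentityValidated,
		"2.16.840.1.114412.1.1",
		"1.3.6.1.4.1.4788.2.200.1",
		"2.16.840.1.114413.1.7.23.2",
		"2.16.528.1.1003.1.2.5.6",
		"1.3.6.1.4.1.8024.0.2.100.1.1",
		"2.16.840.1.114414.1.7.23.2",
		"1.3.6.1.4.1.30360.3.3.3.3.4.4.3",
		"1.3.6.1.4.1.14777.1.2.1",
		"1.3.6.1.4.1.14777.1.1.3",
		"2.16.792.3.0.3.1.1.2",
	};
	const char *const ev_oids[] = {
		OIDCabExtendedValidation,
		"2.16.840.1.114412.2.1",
		"1.3.6.1.4.1.4788.2.202.1",
		"2.16.840.1.114413.1.7.23.3",
		"1.3.6.1.4.1.8024.0.2.100.1.2",
		"2.16.840.1.114414.1.7.23.3",
		"2.16.756.1.89.1.2.1.1",
		"2.16.792.3.0.3.1.1.5",
		"1.3.6.1.4.1.6449.1.2.1.5.1",
		"1.3.6.1.4.1.14777.6.1.1",
		"1.3.6.1.4.1.14777.6.1.2",
		"1.3.6.1.4.1.36305.2",
	};

	int idx = -1;
	bool bPolicyFound = false;
	bool DomainValidated = false;
	bool OrganizationValidated = false;
	bool IndividualValidated = false;
	bool EVValidated = false;
	bool CabIVPresent = false;

	for (;;) {
		int critical = -1;
		CERTIFICATEPOLICIES *policy = X509_get_ext_d2i(x509, NID_certificate_policies, &critical, &idx);
		if (policy == NULL) {
			if (critical >= 0) {
				/* Extension present but fails to decode; keep scanning for further instances. */
				SetError(ERR_INVALID);
				bPolicyFound = true;
				continue;
			}
			/* No (further) certificatePolicies extension. */
			break;
		}
		bPolicyFound = true;

		for (int pi = 0; pi < sk_POLICYINFO_num(policy); pi++) {
			POLICYINFO *info = sk_POLICYINFO_value(policy, pi);
			/*
			 * Dotted-decimal text of the policy OID. OBJ_obj2txt truncates when the
			 * buffer is too small (returning the full length) and a truncated OID
			 * can never equal a table entry, so it simply matches nothing. The
			 * buffer is initialised and the result checked so a conversion failure
			 * leaves an empty string rather than uninitialised stack data.
			 */
			char oid[80] = "";
			int oid_len = OBJ_obj2txt(oid, sizeof(oid), info->policyid, 1);
			if (oid_len <= 0) {
				oid[0] = '\0';
			}

			if (type == SubscriberCertificate) {
				if (oid_in_list(oid, dv_oids, sizeof(dv_oids) / sizeof(dv_oids[0]))) {
					DomainValidated = true;
					SetCertInfo(CERT_INFO_DV);
					/* Required by CAB base 7.1.6.1: a DV subject carries no identity attributes. */
					if (IsNameObjPresent(subject, obj_organizationName)) {
						SetError(ERR_DOMAIN_WITH_ORG);
					}
					if (IsNameObjPresent(subject, obj_StreetAddress)) {
						SetError(ERR_DOMAIN_WITH_STREET);
					}
					if (IsNameObjPresent(subject, obj_localityName)) {
						SetError(ERR_DOMAIN_WITH_LOCALITY);
					}
					if (IsNameObjPresent(subject, obj_stateOrProvinceName)) {
						SetError(ERR_DOMAIN_WITH_STATE);
					}
					if (IsNameObjPresent(subject, obj_postalCode)) {
						SetError(ERR_DOMAIN_WITH_POSTAL);
					}
					if (IsNameObjPresent(subject, obj_givenName) || IsNameObjPresent(subject, obj_surname)) {
						SetError(ERR_DOMAIN_WITH_NAME);
					}
				}
				if (oid_in_list(oid, ov_oids, sizeof(ov_oids) / sizeof(ov_oids[0]))) {
					OrganizationValidated = true;
					SetCertInfo(CERT_INFO_OV);
					/* Required by CAB base 7.1.6.1 */
					if (!IsNameObjPresent(subject, obj_organizationName)) {
						SetError(ERR_ORGANIZATION_WITHOUT_ORG);
					}
					if (!IsNameObjPresent(subject, obj_countryName)) {
						SetError(ERR_ORGANIZATION_WITHOUT_COUNTRY);
					}
				}
				/* The IV OID was previously compared twice in a row; one test sets both flags. */
				if (strcmp(oid, OIDCabIndividualIdentityValidated) == 0) {
					CabIVPresent = true;
					IndividualValidated = true;
					SetCertInfo(CERT_INFO_IV);
					/* Required by CAB base 7.1.6.1: either an organization or a full personal name. */
					if (!IsNameObjPresent(subject, obj_organizationName)
						&& !(IsNameObjPresent(subject, obj_givenName) && IsNameObjPresent(subject, obj_surname))) {
						SetError(ERR_INDIVIDUAL_WITHOUT_NAME);
					}
					if (!IsNameObjPresent(subject, obj_countryName)) {
						SetError(ERR_INDIVIDUAL_WITHOUT_COUNTRY);
					}
				}
				if (oid_in_list(oid, ev_oids, sizeof(ev_oids) / sizeof(ev_oids[0]))) {
					EVValidated = true;
					SetCertInfo(CERT_INFO_EV);
					/* EV guidelines 9.2.1 */
					if (!IsNameObjPresent(subject, obj_organizationName)) {
						SetError(ERR_EV_WITHOUT_ORGANIZATION);
					}
					/* 9.2.4 */
					if (!IsNameObjPresent(subject, obj_businessCategory)) {
						SetError(ERR_EV_WITHOUT_BUSINESS);
					}
					/* 9.2.5 */
					if (!IsNameObjPresent(subject, obj_jurisdictionCountryName)) {
						SetError(ERR_EV_WITHOUT_JURISDICTION_COUNTRY);
					}
					/* 9.2.6 */
					if (!IsNameObjPresent(subject, obj_serialNumber)) {
						SetError(ERR_EV_WITHOUT_NUMBER);
					}
					/* 9.2.7 */
					if (!IsNameObjPresent(subject, obj_localityName)) {
						SetError(ERR_EV_WITHOUT_LOCALITY);
					}
					if (!IsNameObjPresent(subject, obj_countryName)) {
						SetError(ERR_EV_WITHOUT_COUNTRY);
					}
				}
			}

			if (info->qualifiers) {
				for (int i = 0; i < sk_POLICYQUALINFO_num(info->qualifiers); i++) {
					POLICYQUALINFO *qualinfo = sk_POLICYQUALINFO_value(info->qualifiers, i);
					int nid = OBJ_obj2nid(qualinfo->pqualid);
					if (nid == NID_id_qt_unotice) {
						if (qualinfo->d.usernotice->exptext) {
							ASN1_STRING *s = qualinfo->d.usernotice->exptext;
							CheckDisplayText(s);
							/*
							 * RFC 5280 says:
							 *   Conforming CAs SHOULD use the UTF8String encoding for explicitText,
							 *   but MAY use IA5String. Conforming CAs MUST NOT encode explicitText
							 *   as VisibleString or BMPString.
							 *
							 * RFC 6818 updates that to:
							 *   Conforming CAs SHOULD use the UTF8String encoding for explicitText.
							 *   VisibleString or BMPString are acceptable but less preferred
							 *   alternatives. Conforming CAs MUST NOT encode explicitText as
							 *   IA5String.
							 *
							 * Combining both, UTF8String is the only encoding neither RFC objects
							 * to, so anything else is a warning; a type outside the four the
							 * RFCs mention at all is an error.
							 */
							if (s->type != V_ASN1_UTF8STRING) {
								SetWarning(WARN_EXPLICIT_TEXT_ENCODING);
							}
							if (s->type != V_ASN1_UTF8STRING && s->type != V_ASN1_BMPSTRING
								&& s->type != V_ASN1_VISIBLESTRING && s->type != V_ASN1_IA5STRING) {
								SetError(ERR_INVALID_TYPE_USER_NOTICE);
							}
						}
					} else if (nid == NID_id_qt_cps) {
						CheckValidURL(qualinfo->d.cpsuri->data, qualinfo->d.cpsuri->length);
					} else {
						SetError(ERR_INVALID_POLICY_QUALIFIER_ID);
					}
					/* Also raised for the unknown-qualifier case above, on top of its error. */
					if (nid != NID_id_qt_cps) {
						SetWarning(WARN_POLICY_QUALIFIER_NOT_CPS);
					}
				}
			}
		}
		CERTIFICATEPOLICIES_free(policy);
	}

	if (GetBit(cert_info, CERT_INFO_SERV_AUTH) || GetBit(cert_info, CERT_INFO_ANY_EKU) || GetBit(cert_info, CERT_INFO_NO_EKU)) {
		/* Required by CAB 7.1.4.2.2c: personal names need the IV policy. */
		if ((IsNameObjPresent(subject, obj_givenName) || IsNameObjPresent(subject, obj_surname)) && !CabIVPresent) {
			SetError(ERR_NAME_NO_IV_POLICY);
		}
	} else {
		/* BR-only policies on a certificate that is not a server certificate. */
		if (DomainValidated || IndividualValidated || CabIVPresent) {
			SetError(ERR_POLICY_BR);
		}
	}

	if (!bPolicyFound && type == SubscriberCertificate) {
		/* Required by CAB 9.3.4 */
		SetError(ERR_NO_POLICY);
	}

	if (type == SubscriberCertificate && !DomainValidated && !OrganizationValidated
		&& !IndividualValidated && !EVValidated) {
		SetInfo(INF_UNKNOWN_VALIDATION);
	}
}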