static int policy_cache_create (X509 * x, CERTIFICATEPOLICIES * policies, int crit)
{
int i;
int ret = 0;
X509_POLICY_CACHE *cache = x->policy_cache;
X509_POLICY_DATA *data = NULL;
POLICYINFO *policy;
if (sk_POLICYINFO_num (policies) == 0)
goto bad_policy;
cache->data = sk_X509_POLICY_DATA_new (policy_data_cmp);
if (!cache->data)
goto bad_policy;
for (i = 0; i < sk_POLICYINFO_num (policies); i++)
{
policy = sk_POLICYINFO_value (policies, i);
data = policy_data_new (policy, NULL, crit);
if (!data)
goto bad_policy;
/* Duplicate policy OIDs are illegal: reject if matches
* found.
*/
if (OBJ_obj2nid (data->valid_policy) == NID_any_policy)
{
if (cache->anyPolicy)
{
ret = -1;
goto bad_policy;
}
cache->anyPolicy = data;
}
else if (sk_X509_POLICY_DATA_find (cache->data, data) != -1)
{
ret = -1;
goto bad_policy;
}
else if (!sk_X509_POLICY_DATA_push (cache->data, data))
goto bad_policy;
data = NULL;
}
ret = 1;
bad_policy:
if (ret == -1)
x->ex_flags |= EXFLAG_INVALID_POLICY;
if (data)
policy_data_free (data);
sk_POLICYINFO_pop_free (policies, POLICYINFO_free);
if (ret <= 0)
{
sk_X509_POLICY_DATA_pop_free (cache->data, policy_data_free);
cache->data = NULL;
}
return ret;
}
/**
* Returns current certificate policies
*
* @return certificate policies
*/
std::vector<std::string> digidoc::X509Cert::getCertificatePolicies() const throw(IOException)
{
CERTIFICATEPOLICIES *cp = (CERTIFICATEPOLICIES*)X509_get_ext_d2i(cert, NID_certificate_policies, 0, 0);
if(!cp)
return std::vector<std::string>();
char buf[50];
std::vector<std::string> pol;
for(int i = 0; i < sk_POLICYINFO_num(cp); ++i)
{
memset(buf, 0, 50);
int len = OBJ_obj2txt(buf, 50, sk_POLICYINFO_value(cp, i)->policyid, 1);
if(len != NID_undef)
pol.push_back(std::string(buf, len));
}
sk_POLICYINFO_pop_free(cp, POLICYINFO_free);
return pol;
}
int digidoc::EstEIDSigner::type() const
{
int result = digidoc::Digest::toMethod( Conf::getInstance()->getSignatureUri() );
if( result == NID_sha1 )
return result;
char buf[50];
bool found = false;
CERTIFICATEPOLICIES *cp = (CERTIFICATEPOLICIES*)X509_get_ext_d2i(getCert(), NID_certificate_policies, 0, 0);
for( int i = 0; i < sk_POLICYINFO_num(cp); ++i )
{
memset(buf, 0, 50);
int len = OBJ_obj2txt(buf, 50, sk_POLICYINFO_value(cp, i)->policyid, 1);
if(len != NID_undef &&
(strncmp(buf, "1.3.6.1.4.1.10015.1.2.", 22) == 0 ||
strncmp(buf, "1.3.6.1.4.1.10015.3.2.", 22) == 0))
found = true;
}
sk_POLICYINFO_pop_free(cp, POLICYINFO_free);
if(!found)
return X509Cert(getCert()).getPaddingSize() > 128 ? result : NID_sha224;
return result;
}
static void CheckPolicy(X509 *x509, CertType type, X509_NAME *subject)
{
int idx = -1;
bool bPolicyFound = false;
bool DomainValidated = false;
bool OrganizationValidated = false;
bool IndividualValidated = false;
bool EVValidated = false;
bool CabIVPresent = false;
do
{
int critical = -1;
CERTIFICATEPOLICIES *policy = X509_get_ext_d2i(x509, NID_certificate_policies, &critical, &idx);
if (policy == NULL)
{
if (critical >= 0)
{
/* Found but fails to parse */
SetError(ERR_INVALID);
bPolicyFound = true;
continue;
}
/* Not found */
break;
}
bPolicyFound = true;
for (int pi = 0; pi < sk_POLICYINFO_num(policy); pi++)
{
POLICYINFO *info = sk_POLICYINFO_value(policy, pi);
char oid[80];
OBJ_obj2txt(oid, sizeof(oid), info->policyid, 1);
if (type == SubscriberCertificate)
{
if (strcmp(oid, OIDCabDomainValidated) == 0
|| strcmp(oid, "2.16.840.1.114413.1.7.23.1") == 0
|| strcmp(oid, "1.3.6.1.4.1.30360.3.3.3.3.4.5.3") == 0
|| strcmp(oid, "1.3.6.1.4.1.14777.1.2.4") == 0
|| strcmp(oid, "2.16.840.1.114414.1.7.23.1") == 0)
{
DomainValidated = true;
SetCertInfo(CERT_INFO_DV);
/* Required by CAB base 7.1.6.1 */
if (IsNameObjPresent(subject, obj_organizationName))
{
SetError(ERR_DOMAIN_WITH_ORG);
}
if (IsNameObjPresent(subject, obj_StreetAddress))
{
SetError(ERR_DOMAIN_WITH_STREET);
}
if (IsNameObjPresent(subject, obj_localityName))
{
SetError(ERR_DOMAIN_WITH_LOCALITY);
}
if (IsNameObjPresent(subject, obj_stateOrProvinceName))
{
SetError(ERR_DOMAIN_WITH_STATE);
}
if (IsNameObjPresent(subject, obj_postalCode))
{
SetError(ERR_DOMAIN_WITH_POSTAL);
}
if (IsNameObjPresent(subject, obj_givenName) || IsNameObjPresent(subject, obj_surname))
{
SetError(ERR_DOMAIN_WITH_NAME);
}
}
if (strcmp(oid, OIDCabOrganizationIdentityValidated) == 0
|| strcmp(oid, "2.16.840.1.114412.1.1") == 0
|| strcmp(oid, "1.3.6.1.4.1.4788.2.200.1") == 0
|| strcmp(oid, "2.16.840.1.114413.1.7.23.2") == 0
|| strcmp(oid, "2.16.528.1.1003.1.2.5.6") == 0
|| strcmp(oid, "1.3.6.1.4.1.8024.0.2.100.1.1") == 0
|| strcmp(oid, "2.16.840.1.114414.1.7.23.2") == 0
|| strcmp(oid, "1.3.6.1.4.1.30360.3.3.3.3.4.4.3") == 0
|| strcmp(oid, "1.3.6.1.4.1.14777.1.2.1") == 0
|| strcmp(oid, "1.3.6.1.4.1.14777.1.1.3") == 0
|| strcmp(oid, "2.16.792.3.0.3.1.1.2") == 0)
{
OrganizationValidated = true;
SetCertInfo(CERT_INFO_OV);
/* Required by CAB base 7.1.6.1 */
if (!IsNameObjPresent(subject, obj_organizationName))
{
SetError(ERR_ORGANIZATION_WITHOUT_ORG);
}
if (!IsNameObjPresent(subject, obj_countryName))
{
SetError(ERR_ORGANIZATION_WITHOUT_COUNTRY);
}
}
if (strcmp(oid, OIDCabIndividualIdentityValidated) == 0)
{
CabIVPresent = true;
}
if (strcmp(oid, OIDCabIndividualIdentityValidated) == 0)
{
IndividualValidated = true;
SetCertInfo(CERT_INFO_IV);
/* Required by CAB base 7.1.6.1 */
if (!IsNameObjPresent(subject, obj_organizationName)
&& !(IsNameObjPresent(subject, obj_givenName) && IsNameObjPresent(subject, obj_surname)))
{
SetError(ERR_INDIVIDUAL_WITHOUT_NAME);
}
if (!IsNameObjPresent(subject, obj_countryName))
{
SetError(ERR_INDIVIDUAL_WITHOUT_COUNTRY);
}
}
if (strcmp(oid, OIDCabExtendedValidation) == 0
|| strcmp(oid, "2.16.840.1.114412.2.1") == 0
|| strcmp(oid, "1.3.6.1.4.1.4788.2.202.1") == 0
|| strcmp(oid, "2.16.840.1.114413.1.7.23.3") == 0
|| strcmp(oid, "1.3.6.1.4.1.8024.0.2.100.1.2") == 0
|| strcmp(oid, "2.16.840.1.114414.1.7.23.3") == 0
|| strcmp(oid, "2.16.756.1.89.1.2.1.1") == 0
|| strcmp(oid, "2.16.792.3.0.3.1.1.5") == 0
|| strcmp(oid, "1.3.6.1.4.1.6449.1.2.1.5.1") == 0
|| strcmp(oid, "1.3.6.1.4.1.14777.6.1.1") == 0
|| strcmp(oid, "1.3.6.1.4.1.14777.6.1.2") == 0
|| strcmp(oid, "1.3.6.1.4.1.36305.2") == 0)
{
EVValidated = true;
SetCertInfo(CERT_INFO_EV);
/* 9.2.1 */
if (!IsNameObjPresent(subject, obj_organizationName))
{
SetError(ERR_EV_WITHOUT_ORGANIZATION);
}
/* 9.2.4 */
if (!IsNameObjPresent(subject, obj_businessCategory))
{
SetError(ERR_EV_WITHOUT_BUSINESS);
}
/* 9.2.5 */
if (!IsNameObjPresent(subject, obj_jurisdictionCountryName))
{
SetError(ERR_EV_WITHOUT_JURISDICTION_COUNTRY);
}
/* 9.2.6 */
if (!IsNameObjPresent(subject, obj_serialNumber))
{
SetError(ERR_EV_WITHOUT_NUMBER);
}
/* 9.2.7 */
if (!IsNameObjPresent(subject, obj_localityName))
{
SetError(ERR_EV_WITHOUT_LOCALITY);
}
if (!IsNameObjPresent(subject, obj_countryName))
{
SetError(ERR_EV_WITHOUT_COUNTRY);
}
}
}
if (info->qualifiers)
{
for (int i = 0; i < sk_POLICYQUALINFO_num(info->qualifiers); i++)
{
POLICYQUALINFO *qualinfo = sk_POLICYQUALINFO_value(info->qualifiers, i);
int nid = OBJ_obj2nid(qualinfo->pqualid);
if (nid == NID_id_qt_unotice)
{
if (qualinfo->d.usernotice->exptext)
{
ASN1_STRING *s = qualinfo->d.usernotice->exptext;
CheckDisplayText(s);
/*
* RFC5280 says:
* Conforming CAs SHOULD use the UTF8String encoding for explicitText,
* but MAY use IA5String. Conforming CAs MUST NOT encode explicitText
* as VisibleString or BMPString.
*
* RFC6818 updates that to:
* Conforming CAs SHOULD use the UTF8String encoding for explicitText.
* VisibleString or BMPString are acceptable but less preferred alternatives.
* Conforming CAs MUST NOT encode explicitText as IA5String.
*
* Combining both, UTF8String is the only valid encoding.
*/
if (s->type != V_ASN1_UTF8STRING)
{
SetWarning(WARN_EXPLICIT_TEXT_ENCODING);
}
if (s->type != V_ASN1_UTF8STRING && s->type != V_ASN1_BMPSTRING &&
s->type != V_ASN1_VISIBLESTRING && s->type != V_ASN1_IA5STRING)
{
SetError(ERR_INVALID_TYPE_USER_NOTICE);
}
}
}
else if (nid == NID_id_qt_cps)
{
CheckValidURL(qualinfo->d.cpsuri->data, qualinfo->d.cpsuri->length);
}
else
{
SetError(ERR_INVALID_POLICY_QUALIFIER_ID);
}
if (nid != NID_id_qt_cps)
{
SetWarning(WARN_POLICY_QUALIFIER_NOT_CPS);
}
}
}
}
CERTIFICATEPOLICIES_free(policy);
}
while (1);
if (GetBit(cert_info, CERT_INFO_SERV_AUTH) || GetBit(cert_info, CERT_INFO_ANY_EKU) || GetBit(cert_info, CERT_INFO_NO_EKU))
{
if ((IsNameObjPresent(subject, obj_givenName) || IsNameObjPresent(subject, obj_surname))
&& !CabIVPresent)
{
/* Required by CAB 7.1.4.2.2c */
SetError(ERR_NAME_NO_IV_POLICY);
}
}
else
{
if (DomainValidated || IndividualValidated || CabIVPresent)
{
SetError(ERR_POLICY_BR);
}
}
if (!bPolicyFound && type == SubscriberCertificate)
{
/* Required by CAB 9.3.4 */
SetError(ERR_NO_POLICY);
}
if (type == SubscriberCertificate && !DomainValidated && !OrganizationValidated
&& !IndividualValidated && !EVValidated)
{
SetInfo(INF_UNKNOWN_VALIDATION);
}
}
