Policy Constraints Extension

Read the policy constraints extension from a certificate. Save the skip value but don't do anything with it at this time.
2021-02-17 15:21:42 -08:00
parent fa8934c5fc
commit 62ec4ef3b9
2 changed files with 78 additions and 14 deletions
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@ -8328,6 +8328,57 @@ static int DecodeBasicCaConstraint(const byte* input, int sz, DecodedCert* cert)
 }


+static int DecodePolicyConstraints(const byte* input, int sz, DecodedCert* cert)
+{
+    word32 idx = 0;
+    int length = 0;
+    int skipLength = 0;
+    int ret;
+    byte tag;
+
+    WOLFSSL_ENTER("DecodePolicyConstraints");
+
+    if (GetSequence(input, &idx, &length, sz) < 0) {
+        WOLFSSL_MSG("\tfail: bad SEQUENCE");
+        return ASN_PARSE_E;
+    }
+
+    if (length == 0)
+        return ASN_PARSE_E;
+
+    if (GetASNTag(input, &idx, &tag, sz) < 0) {
+        WOLFSSL_MSG("\tfail: bad TAG");
+        return ASN_PARSE_E;
+    }
+
+    if (tag == (ASN_CONTEXT_SPECIFIC | 0)) {
+        /* requireExplicitPolicy */
+        cert->extPolicyConstRxpSet = 1;
+    }
+    else if (tag == (ASN_CONTEXT_SPECIFIC | 1)) {
+        /* inhibitPolicyMapping */
+        cert->extPolicyConstIpmSet = 1;
+    }
+    else {
+        WOLFSSL_MSG("\tfail: invalid TAG");
+        return ASN_PARSE_E;
+    }
+
+    ret = GetLength(input, &idx, &skipLength, sz);
+    if (ret < 0) {
+        WOLFSSL_MSG("\tfail: invalid length");
+        return ret;
+    }
+    if (skipLength > 1) {
+        WOLFSSL_MSG("\tfail: skip value too big");
+        return BUFFER_E;
+    }
+    cert->policyConstSkip = input[idx];
+
+    return 0;
+}
+
+
 #define CRLDP_FULL_NAME 0
    /* From RFC3280 SS4.2.1.14, Distribution Point Name*/
 #define GENERALNAME_URI 6
@ -9164,6 +9215,14 @@ static int DecodeCertExtensions(DecodedCert* cert)
                    return ASN_PARSE_E;
                break;
        #endif
+            case POLICY_CONST_OID:
+                VERIFY_AND_SET_OID(cert->extPolicyConstSet);
+                #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
+                    cert->extPolicyConstCrit = critical;
+                #endif
+                if (DecodePolicyConstraints(&input[idx], length, cert) < 0)
+                    return ASN_PARSE_E;
+                break;
            default:
            #ifndef WOLFSSL_NO_ASN_STRICT
                /* While it is a failure to not support critical extensions,
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@ -531,23 +531,23 @@ enum HMAC_Sum {


 enum Extensions_Sum {
-    BASIC_CA_OID    = 133,
-    ALT_NAMES_OID   = 131,
-    CRL_DIST_OID    = 145,
-    AUTH_INFO_OID   = 69, /* id-pe 1 */
-    AUTH_KEY_OID    = 149,
-    SUBJ_KEY_OID    = 128,
-    CERT_POLICY_OID = 146,
-    KEY_USAGE_OID   = 129,  /* 2.5.29.15 */
-    INHIBIT_ANY_OID = 168,  /* 2.5.29.54 */
+    BASIC_CA_OID    = 133,           /* 2.5.29.19 */
+    ALT_NAMES_OID   = 131,           /* 2.5.29.17 */
+    CRL_DIST_OID    = 145,           /* 2.5.29.31 */
+    AUTH_INFO_OID   = 69,            /* 1.3.6.1.5.5.7.1.1 */
+    AUTH_KEY_OID    = 149,           /* 2.5.29.35 */
+    SUBJ_KEY_OID    = 128,           /* 2.5.29.14 */
+    CERT_POLICY_OID = 146,           /* 2.5.29.32 */
+    KEY_USAGE_OID   = 129,           /* 2.5.29.15 */
+    INHIBIT_ANY_OID = 168,           /* 2.5.29.54 */
    EXT_KEY_USAGE_OID         = 151, /* 2.5.29.37 */
    NAME_CONS_OID             = 144, /* 2.5.29.30 */
    PRIV_KEY_USAGE_PERIOD_OID = 130, /* 2.5.29.16 */
-    SUBJECT_INFO_ACCESS       = 79,  /* id-pe 11 */
-    POLICY_MAP_OID            = 147,
-    POLICY_CONST_OID          = 150,
-    ISSUE_ALT_NAMES_OID       = 132,
-    TLS_FEATURE_OID           = 92,  /* id-pe 24 */
+    SUBJECT_INFO_ACCESS       = 79,  /* 1.3.6.1.5.5.7.1.11 */
+    POLICY_MAP_OID            = 147, /* 2.5.29.33 */
+    POLICY_CONST_OID          = 150, /* 2.5.29.36 */
+    ISSUE_ALT_NAMES_OID       = 132, /* 2.5.29.18 */
+    TLS_FEATURE_OID           = 92,  /* 1.3.6.1.5.5.7.1.24 */
    NETSCAPE_CT_OID           = 753, /* 2.16.840.1.113730.1.1 */
    OCSP_NOCHECK_OID          = 121  /* 1.3.6.1.5.5.7.48.1.5
                                         id-pkix-ocsp-nocheck */
@ -830,6 +830,7 @@ struct DecodedCert {
    byte    maxPathLen;              /* max_path_len see RFC 5280 section
                                      * 6.1.2 "Initialization" - (k) for
                                      * description of max_path_len */
+    byte    policyConstSkip;         /* Policy Constraints skip certs value */
    word16  extKeyUsage;             /* Key usage bitfield               */
    byte    extExtKeyUsage;          /* Extended Key usage bitfield      */

@ -950,6 +951,9 @@ struct DecodedCert {
    byte extCRLdistSet : 1;
    byte extAuthInfoSet : 1;
    byte extBasicConstSet : 1;
+    byte extPolicyConstSet : 1;
+    byte extPolicyConstRxpSet : 1; /* requireExplicitPolicy set */
+    byte extPolicyConstIpmSet : 1; /* inhibitPolicyMapping set */
    byte extSubjAltNameSet : 1;
    byte inhibitAnyOidSet : 1;
    byte selfSigned : 1;           /* Indicates subject and issuer are same */
@ -960,6 +964,7 @@ struct DecodedCert {
    byte extCRLdistCrit : 1;
    byte extAuthInfoCrit : 1;
    byte extBasicConstCrit : 1;
+    byte extPolicyConstCrit : 1;
    byte extSubjAltNameCrit : 1;
    byte extAuthKeyIdCrit : 1;
    #ifndef IGNORE_NAME_CONSTRAINTS