Policy Constraints Extension

Read the policy constraints extension from a certificate. Save the skip value but don't do anything with it at this time.
2021-02-17 15:21:42 -08:00
parent fa8934c5fc
commit 62ec4ef3b9
2 changed files with 78 additions and 14 deletions
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@ -8328,6 +8328,57 @@ static int DecodeBasicCaConstraint(const byte* input, int sz, DecodedCert* cert)
 }
 static int DecodePolicyConstraints(const byte* input, int sz, DecodedCert* cert)
 {
    word32 idx = 0;
    int length = 0;
    int skipLength = 0;
    int ret;
    byte tag;
    WOLFSSL_ENTER("DecodePolicyConstraints");
    if (GetSequence(input, &idx, &length, sz) < 0) {
        WOLFSSL_MSG("\tfail: bad SEQUENCE");
        return ASN_PARSE_E;
    }
    if (length == 0)
        return ASN_PARSE_E;
    if (GetASNTag(input, &idx, &tag, sz) < 0) {
        WOLFSSL_MSG("\tfail: bad TAG");
        return ASN_PARSE_E;
    }
    if (tag == (ASN_CONTEXT_SPECIFIC | 0)) {
        /* requireExplicitPolicy */
        cert->extPolicyConstRxpSet = 1;
    }
    else if (tag == (ASN_CONTEXT_SPECIFIC | 1)) {
        /* inhibitPolicyMapping */
        cert->extPolicyConstIpmSet = 1;
    }
    else {
        WOLFSSL_MSG("\tfail: invalid TAG");
        return ASN_PARSE_E;
    }
    ret = GetLength(input, &idx, &skipLength, sz);
    if (ret < 0) {
        WOLFSSL_MSG("\tfail: invalid length");
        return ret;
    }
    if (skipLength > 1) {
        WOLFSSL_MSG("\tfail: skip value too big");
        return BUFFER_E;
    }
    cert->policyConstSkip = input[idx];
    return 0;
 }
 #define CRLDP_FULL_NAME 0
    /* From RFC3280 SS4.2.1.14, Distribution Point Name*/
 #define GENERALNAME_URI 6
@ -9164,6 +9215,14 @@ static int DecodeCertExtensions(DecodedCert* cert)
                    return ASN_PARSE_E;
                break;
        #endif
            case POLICY_CONST_OID:
                VERIFY_AND_SET_OID(cert->extPolicyConstSet);
                #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
                    cert->extPolicyConstCrit = critical;
                #endif
                if (DecodePolicyConstraints(&input[idx], length, cert) < 0)
                    return ASN_PARSE_E;
                break;
            default:
            #ifndef WOLFSSL_NO_ASN_STRICT
                /* While it is a failure to not support critical extensions,
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@ -531,23 +531,23 @@ enum HMAC_Sum {
 enum Extensions_Sum {
-    BASIC_CA_OID    = 133,
+    BASIC_CA_OID    = 133,           /* 2.5.29.19 */
-    ALT_NAMES_OID   = 131,
+    ALT_NAMES_OID   = 131,           /* 2.5.29.17 */
-    CRL_DIST_OID    = 145,
+    CRL_DIST_OID    = 145,           /* 2.5.29.31 */
-    AUTH_INFO_OID   = 69, /* id-pe 1 */
+    AUTH_INFO_OID   = 69,            /* 1.3.6.1.5.5.7.1.1 */
-    AUTH_KEY_OID    = 149,
+    AUTH_KEY_OID    = 149,           /* 2.5.29.35 */
-    SUBJ_KEY_OID    = 128,
+    SUBJ_KEY_OID    = 128,           /* 2.5.29.14 */
-    CERT_POLICY_OID = 146,
+    CERT_POLICY_OID = 146,           /* 2.5.29.32 */
-    KEY_USAGE_OID   = 129,  /* 2.5.29.15 */
+    KEY_USAGE_OID   = 129,           /* 2.5.29.15 */
-    INHIBIT_ANY_OID = 168,  /* 2.5.29.54 */
+    INHIBIT_ANY_OID = 168,           /* 2.5.29.54 */
    EXT_KEY_USAGE_OID         = 151, /* 2.5.29.37 */
    NAME_CONS_OID             = 144, /* 2.5.29.30 */
    PRIV_KEY_USAGE_PERIOD_OID = 130, /* 2.5.29.16 */
-    SUBJECT_INFO_ACCESS       = 79,  /* id-pe 11 */
+    SUBJECT_INFO_ACCESS       = 79,  /* 1.3.6.1.5.5.7.1.11 */
-    POLICY_MAP_OID            = 147,
+    POLICY_MAP_OID            = 147, /* 2.5.29.33 */
-    POLICY_CONST_OID          = 150,
+    POLICY_CONST_OID          = 150, /* 2.5.29.36 */
-    ISSUE_ALT_NAMES_OID       = 132,
+    ISSUE_ALT_NAMES_OID       = 132, /* 2.5.29.18 */
-    TLS_FEATURE_OID           = 92,  /* id-pe 24 */
+    TLS_FEATURE_OID           = 92,  /* 1.3.6.1.5.5.7.1.24 */
    NETSCAPE_CT_OID           = 753, /* 2.16.840.1.113730.1.1 */
    OCSP_NOCHECK_OID          = 121  /* 1.3.6.1.5.5.7.48.1.5
                                         id-pkix-ocsp-nocheck */
@ -830,6 +830,7 @@ struct DecodedCert {
    byte    maxPathLen;              /* max_path_len see RFC 5280 section
                                      * 6.1.2 "Initialization" - (k) for
                                      * description of max_path_len */
    byte    policyConstSkip;         /* Policy Constraints skip certs value */
    word16  extKeyUsage;             /* Key usage bitfield               */
    byte    extExtKeyUsage;          /* Extended Key usage bitfield      */
@ -950,6 +951,9 @@ struct DecodedCert {
    byte extCRLdistSet : 1;
    byte extAuthInfoSet : 1;
    byte extBasicConstSet : 1;
    byte extPolicyConstSet : 1;
    byte extPolicyConstRxpSet : 1; /* requireExplicitPolicy set */
    byte extPolicyConstIpmSet : 1; /* inhibitPolicyMapping set */
    byte extSubjAltNameSet : 1;
    byte inhibitAnyOidSet : 1;
    byte selfSigned : 1;           /* Indicates subject and issuer are same */
@ -960,6 +964,7 @@ struct DecodedCert {
    byte extCRLdistCrit : 1;
    byte extAuthInfoCrit : 1;
    byte extBasicConstCrit : 1;
    byte extPolicyConstCrit : 1;
    byte extSubjAltNameCrit : 1;
    byte extAuthKeyIdCrit : 1;
    #ifndef IGNORE_NAME_CONSTRAINTS