/*

* Copyright 1995-2026 The OpenSSL Project Authors. All Rights Reserved.

*

* Licensed under the Apache License 2.0 (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

* in the file LICENSE in the source distribution or at

* https://www.openssl.org/source/license.html

*/

#define OPENSSL_SUPPRESS_DEPRECATED

#include "internal/deprecated.h"

#include <stdio.h>

#include <time.h>

#include <errno.h>

#include <limits.h>

#include "crypto/ctype.h"

#include "internal/cryptlib.h"

#include <openssl/crypto.h>

#include <openssl/buffer.h>

#include <openssl/evp.h>

#include <openssl/asn1.h>

#include <openssl/x509.h>

#include <openssl/x509v3.h>

#include <openssl/ocsp.h>

#include <openssl/objects.h>

#include <openssl/posix_time.h>

#include <openssl/core_names.h>

#include "internal/dane.h"

#include "crypto/x509.h"

#include "x509_local.h"

/* CRL score values */

#define CRL_SCORE_NOCRITICAL 0x100 /* No unhandled critical extensions */

#define CRL_SCORE_SCOPE 0x080 /* certificate is within CRL scope */

#define CRL_SCORE_TIME 0x040 /* CRL times valid */

#define CRL_SCORE_ISSUER_NAME 0x020 /* Issuer name matches certificate */

#define CRL_SCORE_VALID /* If this score or above CRL is probably valid */ \

(CRL_SCORE_NOCRITICAL | CRL_SCORE_TIME | CRL_SCORE_SCOPE)

#define CRL_SCORE_ISSUER_CERT 0x018 /* CRL issuer is certificate issuer */

#define CRL_SCORE_SAME_PATH 0x008 /* CRL issuer is on certificate path */

#define CRL_SCORE_AKID 0x004 /* CRL issuer matches CRL AKID */

#define CRL_SCORE_TIME_DELTA 0x002 /* Have a delta CRL with valid times */

static int x509_verify_x509(X509_STORE_CTX *ctx);

static int x509_verify_rpk(X509_STORE_CTX *ctx);

static int build_chain(X509_STORE_CTX *ctx);

static int verify_chain(X509_STORE_CTX *ctx);

static int verify_rpk(X509_STORE_CTX *ctx);

static int dane_verify(X509_STORE_CTX *ctx);

static int dane_verify_rpk(X509_STORE_CTX *ctx);

static int null_callback(int ok, X509_STORE_CTX *e);

static int check_issued(X509_STORE_CTX *ctx, const X509 *x, const X509 *issuer);

static int check_extensions(X509_STORE_CTX *ctx);

static int check_name_constraints(X509_STORE_CTX *ctx);

static int check_id(X509_STORE_CTX *ctx);

static int check_trust(X509_STORE_CTX *ctx, int num_untrusted);

static int check_revocation(X509_STORE_CTX *ctx);

#ifndef OPENSSL_NO_OCSP

static int check_cert_ocsp_resp(X509_STORE_CTX *ctx);

#endif

static int check_cert_crl(X509_STORE_CTX *ctx);

static int check_policy(X509_STORE_CTX *ctx);

static int check_dane_issuer(X509_STORE_CTX *ctx, int depth);

static int check_cert_key_level(X509_STORE_CTX *ctx, X509 *cert);

static int check_key_level(X509_STORE_CTX *ctx, EVP_PKEY *pkey);

static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert);

static int check_curve(X509 *cert);

static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,

unsigned int *preasons, X509_CRL *crl, X509 *x);

static int get_crl_delta(X509_STORE_CTX *ctx,

X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x);

static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl,

int *pcrl_score, X509_CRL *base,

STACK_OF(X509_CRL) *crls);

static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,

int *pcrl_score);

static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,

unsigned int *preasons);

static int check_crl_path(X509_STORE_CTX *ctx, X509 *x);

static int check_crl_chain(X509_STORE_CTX *ctx,

STACK_OF(X509) *cert_path,

STACK_OF(X509) *crl_path);

static int internal_verify(X509_STORE_CTX *ctx);

static int null_callback(int ok, X509_STORE_CTX *e)

{

return ok;

}

/*-

* Return 1 if given cert is considered self-signed, 0 if not, or -1 on error.

* This actually verifies self-signedness only if requested.

* It calls ossl_x509v3_cache_extensions()

* to match issuer and subject names (i.e., the cert being self-issued) and any

* present authority key identifier to match the subject key identifier, etc.

*/

int X509_self_signed(const X509 *cert, int verify_signature)

{

EVP_PKEY *pkey;

if ((pkey = X509_get0_pubkey(cert)) == NULL) { /* handles cert == NULL */

ERR_raise(ERR_LIB_X509, X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);

return -1;

}

if (!ossl_x509v3_cache_extensions((X509 *)cert))

return -1;

if ((cert->ex_flags & EXFLAG_SS) == 0)

return 0;

if (!verify_signature)

return 1;

return X509_verify(cert, pkey);

}

/*

* Given a certificate, try and find an exact match in the store.

* Returns 1 on success, 0 on not found, -1 on internal error.

*/

static int lookup_cert_match(X509 **result, X509_STORE_CTX *ctx, X509 *x)

{

STACK_OF(X509) *certs;

X509 *xtmp = NULL;

int i, ret;

*result = NULL;

/* Lookup all certs with matching subject name */

ERR_set_mark();

certs = ctx->lookup_certs(ctx, X509_get_subject_name(x));

ERR_pop_to_mark();

if (certs == NULL)

return -1;

/* Look for exact match */

for (i = 0; i < sk_X509_num(certs); i++) {

xtmp = sk_X509_value(certs, i);

if (X509_cmp(xtmp, x) == 0)

break;

xtmp = NULL;

}

ret = xtmp != NULL;

if (ret) {

if (!X509_up_ref(xtmp))

ret = -1;

else

*result = xtmp;

}

OSSL_STACK_OF_X509_free(certs);

return ret;

}

/*-

* Inform the verify callback of an error.

* The error code is set to |err| if |err| is not X509_V_OK, else

* |ctx->error| is left unchanged (under the assumption it is set elsewhere).

* The error depth is |depth| if >= 0, else it defaults to |ctx->error_depth|.

* The error cert is |x| if not NULL, else the cert in |ctx->chain| at |depth|.

*

* Returns 0 to abort verification with an error, non-zero to continue.

*/

static int verify_cb_cert(X509_STORE_CTX *ctx, const X509 *x, int depth, int err)

{

if (depth < 0)

depth = ctx->error_depth;

else

ctx->error_depth = depth;

ctx->current_cert = x != NULL ? (X509 *)x : sk_X509_value(ctx->chain, depth);

if (err != X509_V_OK)

ctx->error = err;

return ctx->verify_cb(0, ctx);

}

#define CB_FAIL_IF(cond, ctx, cert, depth, err) \

if ((cond) && verify_cb_cert(ctx, cert, depth, err) == 0) \

return 0

/*-

* Inform the verify callback of an error, CRL-specific variant. Here, the

* error depth and certificate are already set, we just specify the error

* number.

*

* Returns 0 to abort verification with an error, non-zero to continue.

*/

static int verify_cb_crl(X509_STORE_CTX *ctx, int err)

{

ctx->error = err;

return ctx->verify_cb(0, ctx);

}

#ifndef OPENSSL_NO_OCSP

/*

* Inform the verify callback of an error, OCSP-specific variant.

* It is called also on OCSP response errors, if the

* X509_V_FLAG_OCSP_RESP_CHECK flag is set.

* Here, the error depth and certificate are already set, we just specify

* the error number.

*

* Returns 0 to abort verification with an error, non-zero to continue.

*/

static int verify_cb_ocsp(X509_STORE_CTX *ctx, int err)

{

ctx->error = err;

return ctx->verify_cb(0, ctx);

}

#endif

/* Sadly, returns 0 also on internal error in ctx->verify_cb(). */

static int check_auth_level(X509_STORE_CTX *ctx)

{

int i;

int num = sk_X509_num(ctx->chain);

if (ctx->param->auth_level <= 0)

return 1;

for (i = 0; i < num; ++i) {

X509 *cert = sk_X509_value(ctx->chain, i);

/*

* We've already checked the security of the leaf key, so here we only

* check the security of issuer keys.

*/

CB_FAIL_IF(i > 0 && !check_cert_key_level(ctx, cert),

ctx, cert, i, X509_V_ERR_CA_KEY_TOO_SMALL);

/*

* We also check the signature algorithm security of all certificates

* except those of the trust anchor at index num-1.

*/

CB_FAIL_IF(i < num - 1 && !check_sig_level(ctx, cert),

ctx, cert, i, X509_V_ERR_CA_MD_TOO_WEAK);

}

return 1;

}

/*-

* Returns -1 on internal error.

* Sadly, returns 0 also on internal error in ctx->verify_cb().

*/

static int verify_rpk(X509_STORE_CTX *ctx)

{

/* Not much to verify on a RPK */

if (ctx->verify != NULL)

return ctx->verify(ctx);

return !!ctx->verify_cb(ctx->error == X509_V_OK, ctx);

}

/*-

* Returns -1 on internal error.

* Sadly, returns 0 also on internal error in ctx->verify_cb().

*/

static int verify_chain(X509_STORE_CTX *ctx)

{

int err;

int ok;

if ((ok = build_chain(ctx)) <= 0

|| (ok = check_extensions(ctx)) <= 0

|| (ok = check_auth_level(ctx)) <= 0

|| (ok = check_id(ctx)) <= 0

|| (ok = X509_get_pubkey_parameters(NULL, ctx->chain) ? 1 : -1) <= 0

|| (ok = ctx->check_revocation(ctx)) <= 0)

return ok;

err = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain,

ctx->param->flags);

CB_FAIL_IF(err != X509_V_OK, ctx, NULL, ctx->error_depth, err);

/* Verify chain signatures and expiration times */

ok = ctx->verify != NULL ? ctx->verify(ctx) : internal_verify(ctx);

if (ok <= 0)

return ok;

if ((ok = check_name_constraints(ctx)) <= 0)

return ok;

#ifndef OPENSSL_NO_RFC3779

/* RFC 3779 path validation, now that CRL check has been done */

if ((ok = X509v3_asid_validate_path(ctx)) <= 0)

return ok;

if ((ok = X509v3_addr_validate_path(ctx)) <= 0)

return ok;

#endif

/* If we get this far evaluate policies */

if ((ctx->param->flags & X509_V_FLAG_POLICY_CHECK) != 0)

ok = ctx->check_policy(ctx);

return ok;

}

int X509_STORE_CTX_verify(X509_STORE_CTX *ctx)

{

if (ctx == NULL) {

ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);

return -1;

}

if (ctx->rpk != NULL)

return x509_verify_rpk(ctx);

if (ctx->cert == NULL && sk_X509_num(ctx->untrusted) >= 1)

ctx->cert = sk_X509_value(ctx->untrusted, 0);

return x509_verify_x509(ctx);

}

int X509_verify_cert(X509_STORE_CTX *ctx)

{

if (ctx == NULL) {

ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);

return -1;

}

return (ctx->rpk != NULL) ? x509_verify_rpk(ctx) : x509_verify_x509(ctx);

}

/*-

* Returns -1 on internal error.

* Sadly, returns 0 also on internal error in ctx->verify_cb().

*/

static int x509_verify_rpk(X509_STORE_CTX *ctx)

{

int ret;

/* If the peer's public key is too weak, we can stop early. */

if (!check_key_level(ctx, ctx->rpk)

&& verify_cb_cert(ctx, NULL, 0, X509_V_ERR_EE_KEY_TOO_SMALL) == 0)

return 0;

/* Barring any data to verify the RPK, simply report it as untrusted */

ctx->error = X509_V_ERR_RPK_UNTRUSTED;

ret = DANETLS_ENABLED(ctx->dane) ? dane_verify_rpk(ctx) : verify_rpk(ctx);

/*

* Safety-net. If we are returning an error, we must also set ctx->error,

* so that the chain is not considered verified should the error be ignored

* (e.g. TLS with SSL_VERIFY_NONE).

*/

if (ret <= 0 && ctx->error == X509_V_OK)

ctx->error = X509_V_ERR_UNSPECIFIED;

return ret;

}

/*-

* Returns -1 on internal error.

* Sadly, returns 0 also on internal error in ctx->verify_cb().

*/

static int x509_verify_x509(X509_STORE_CTX *ctx)

{

int ret;

if (ctx->cert == NULL) {

ERR_raise(ERR_LIB_X509, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);

ctx->error = X509_V_ERR_INVALID_CALL;

return -1;

}

if (ctx->chain != NULL) {

/*

* This X509_STORE_CTX has already been used to verify a cert. We

* cannot do another one.

*/

ERR_raise(ERR_LIB_X509, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

ctx->error = X509_V_ERR_INVALID_CALL;

return -1;

}

if (!ossl_x509_add_cert_new(&ctx->chain, ctx->cert, X509_ADD_FLAG_UP_REF)) {

ctx->error = X509_V_ERR_OUT_OF_MEM;

return -1;

}

ctx->num_untrusted = 1;

/* If the peer's public key is too weak, we can stop early. */

CB_FAIL_IF(!check_cert_key_level(ctx, ctx->cert),

ctx, ctx->cert, 0, X509_V_ERR_EE_KEY_TOO_SMALL);

ret = DANETLS_ENABLED(ctx->dane) ? dane_verify(ctx) : verify_chain(ctx);

/*

* Safety-net. If we are returning an error, we must also set ctx->error,

* so that the chain is not considered verified should the error be ignored

* (e.g. TLS with SSL_VERIFY_NONE).

*/

if (ret <= 0 && ctx->error == X509_V_OK)

ctx->error = X509_V_ERR_UNSPECIFIED;

return ret;

}

static int sk_X509_contains(STACK_OF(X509) *sk, X509 *cert)

{

int i, n = sk_X509_num(sk);

for (i = 0; i < n; i++)

if (X509_cmp(sk_X509_value(sk, i), cert) == 0)

return 1;

return 0;

}

/*-

* Find in |sk| an issuer cert of cert |x| accepted by |ctx->check_issued|.

* If no_dup, the issuer must not yet be in |ctx->chain|, yet allowing the

* exception that |x| is self-issued and |ctx->chain| has just one element.

* Prefer the first match with suitable validity period or latest expiration.

*/

/*

* Note: so far, we do not check during chain building

* whether any key usage extension stands against a candidate issuer cert.

* Likely it would be good if build_chain() sets |check_signing_allowed|.

* Yet if |sk| is a list of trusted certs, as with X509_STORE_CTX_set0_trusted_stack(),

* better not set |check_signing_allowed|.

* Maybe not touch X509_STORE_CTX_get1_issuer(), for API backward compatibility.

*/

static X509 *get0_best_issuer_sk(X509_STORE_CTX *ctx, int check_signing_allowed,

int no_dup, STACK_OF(X509) *sk, const X509 *x)

{

int i;

X509 *candidate, *issuer = NULL;

for (i = 0; i < sk_X509_num(sk); i++) {

candidate = sk_X509_value(sk, i);

if (no_dup

&& !((x->ex_flags & EXFLAG_SI) != 0 && sk_X509_num(ctx->chain) == 1)

&& sk_X509_contains(ctx->chain, candidate))

continue;

if (ctx->check_issued(ctx, x, candidate)) {

if (check_signing_allowed

/* yet better not check key usage for trust anchors */

&& ossl_x509_signing_allowed(candidate, x) != X509_V_OK)

continue;

if (ossl_x509_check_cert_time(ctx, candidate, -1))

return candidate;

/*

* Leave in *issuer the first match that has the latest expiration

* date so we return nearest match if no certificate time is OK.

*/

if (issuer == NULL

|| ASN1_TIME_compare(X509_get0_notAfter(candidate),

X509_get0_notAfter(issuer))

> 0)

issuer = candidate;

}

}

return issuer;

}

/*-

* Try to get issuer cert from |ctx->store| accepted by |ctx->check_issued|.

* Prefer the first match with suitable validity period or latest expiration.

*

* Return values are:

* 1 lookup successful.

* 0 certificate not found.

* -1 some other error.

*/

int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, const X509 *x)

{

const X509_NAME *xn = X509_get_issuer_name(x);

X509_OBJECT *obj = X509_OBJECT_new();

STACK_OF(X509) *certs;

int ret;

*issuer = NULL;

if (obj == NULL)

return -1;

ret = ossl_x509_store_ctx_get_by_subject(ctx, X509_LU_X509, xn, obj);

if (ret != 1)

goto end;

/* quick happy path: certificate matches and is currently valid */

if (ctx->check_issued(ctx, x, obj->data.x509)) {

if (ossl_x509_check_cert_time(ctx, obj->data.x509, -1)) {

*issuer = obj->data.x509;

/* |*issuer| has taken over the cert reference from |obj| */

obj->type = X509_LU_NONE;

goto end;

}

}

ret = -1;

if ((certs = X509_STORE_CTX_get1_certs(ctx, xn)) == NULL)

goto end;

*issuer = get0_best_issuer_sk(ctx, 0, 0 /* allow duplicates */, certs, x);

ret = 0;

if (*issuer != NULL)

ret = X509_up_ref(*issuer) ? 1 : -1;

OSSL_STACK_OF_X509_free(certs);

end:

X509_OBJECT_free(obj);

return ret;

}

/* Check that the given certificate |x| is issued by the certificate |issuer| */

static int check_issued(ossl_unused X509_STORE_CTX *ctx, const X509 *x, const X509 *issuer)

{

int err = ossl_x509_likely_issued(issuer, x);

if (err == X509_V_OK)

return 1;

/*

* SUBJECT_ISSUER_MISMATCH just means 'x' is clearly not issued by 'issuer'.

* Every other error code likely indicates a real error.

*/

return 0;

}

/*-

* Alternative get_issuer method: look up from a STACK_OF(X509) in other_ctx.

* Returns -1 on internal error.

*/

static int get1_best_issuer_other_sk(X509 **issuer, X509_STORE_CTX *ctx, const X509 *x)

{

*issuer = get0_best_issuer_sk(ctx, 0, 1 /* no_dup */, ctx->other_ctx, x);

if (*issuer == NULL)

return 0;

return X509_up_ref(*issuer) ? 1 : -1;

}

/*-

* Alternative lookup method: look from a STACK stored in other_ctx.

* Returns NULL on internal/fatal error, empty stack if not found.

*/

static STACK_OF(X509) *lookup_certs_sk(const X509_STORE_CTX *ctx, const X509_NAME *nm)

{

STACK_OF(X509) *sk = sk_X509_new_null();

X509 *x;

int i;

if (sk == NULL)

return NULL;

for (i = 0; i < sk_X509_num(ctx->other_ctx); i++) {

x = sk_X509_value(ctx->other_ctx, i);

if (X509_NAME_cmp(nm, X509_get_subject_name(x)) == 0) {

if (!X509_add_cert(sk, x, X509_ADD_FLAG_UP_REF)) {

OSSL_STACK_OF_X509_free(sk);

return NULL;

}

}

}

return sk;

}

/*

* Check EE or CA certificate purpose. For trusted certificates explicit local

* auxiliary trust can be used to override EKU-restrictions.

* Sadly, returns 0 also on internal error in ctx->verify_cb().

*/

static int check_purpose(X509_STORE_CTX *ctx, X509 *x, int purpose, int depth,

int must_be_ca)

{

int tr_ok = X509_TRUST_UNTRUSTED;

/*

* For trusted certificates we want to see whether any auxiliary trust

* settings trump the purpose constraints.

*

* This is complicated by the fact that the trust ordinals in

* ctx->param->trust are entirely independent of the purpose ordinals in

* ctx->param->purpose!

*

* What connects them is their mutual initialization via calls from

* X509_STORE_CTX_set_default() into X509_VERIFY_PARAM_lookup() which sets

* related values of both param->trust and param->purpose. It is however

* typically possible to infer associated trust values from a purpose value

* via the X509_PURPOSE API.

*

* Therefore, we can only check for trust overrides when the purpose we're

* checking is the same as ctx->param->purpose and ctx->param->trust is

* also set.

*/

if (depth >= ctx->num_untrusted && purpose == ctx->param->purpose)

tr_ok = X509_check_trust(x, ctx->param->trust, X509_TRUST_NO_SS_COMPAT);

switch (tr_ok) {

case X509_TRUST_TRUSTED:

return 1;

case X509_TRUST_REJECTED:

break;

default: /* can only be X509_TRUST_UNTRUSTED */

switch (X509_check_purpose(x, purpose, must_be_ca > 0)) {

case 1:

return 1;

case 0:

break;

default:

if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) == 0)

return 1;

}

break;

}

return verify_cb_cert(ctx, x, depth, X509_V_ERR_INVALID_PURPOSE);

}

/*-

* Check extensions of a cert chain for consistency with the supplied purpose.

* Sadly, returns 0 also on internal error in ctx->verify_cb().

*/

static int check_extensions(X509_STORE_CTX *ctx)

{

int i, must_be_ca, plen = 0;

X509 *x;

int ret, proxy_path_length = 0;

int purpose, allow_proxy_certs, num = sk_X509_num(ctx->chain);

/*-

* must_be_ca can have 1 of 3 values:

* -1: we accept both CA and non-CA certificates, to allow direct

* use of self-signed certificates (which are marked as CA).

* 0: we only accept non-CA certificates. This is currently not

* used, but the possibility is present for future extensions.

* 1: we only accept CA certificates. This is currently used for

* all certificates in the chain except the leaf certificate.

*/

must_be_ca = -1;

/* CRL path validation */

if (ctx->parent != NULL) {

allow_proxy_certs = 0;

purpose = X509_PURPOSE_CRL_SIGN;

} else {

allow_proxy_certs = (ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS) != 0;

purpose = ctx->param->purpose;

}

for (i = 0; i < num; i++) {

x = sk_X509_value(ctx->chain, i);

/* RFC 5280, 4.2: a given extension MUST NOT appear more than once */

CB_FAIL_IF((x->ex_flags & EXFLAG_DUPLICATE) != 0,

ctx, x, i, X509_V_ERR_DUPLICATE_EXTENSION);

CB_FAIL_IF((ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) == 0

&& (x->ex_flags & EXFLAG_CRITICAL) != 0,

ctx, x, i, X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION);

CB_FAIL_IF(!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY) != 0,

ctx, x, i, X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED);

ret = X509_check_ca(x);

switch (must_be_ca) {

case -1:

CB_FAIL_IF((ctx->param->flags & X509_V_FLAG_X509_STRICT) != 0

&& ret != 1 && ret != 0,

ctx, x, i, X509_V_ERR_INVALID_CA);

break;

case 0:

CB_FAIL_IF(ret != 0, ctx, x, i, X509_V_ERR_INVALID_NON_CA);

break;

default:

/* X509_V_FLAG_X509_STRICT is implicit for intermediate CAs */

CB_FAIL_IF(ret == 0

|| ((i + 1 < num

|| (ctx->param->flags & X509_V_FLAG_X509_STRICT) != 0)

&& ret != 1),

ctx, x, i, X509_V_ERR_INVALID_CA);

break;

}

if (num > 1) {

/* Check for presence of explicit elliptic curve parameters */

ret = check_curve(x);

CB_FAIL_IF(ret < 0, ctx, x, i, X509_V_ERR_UNSPECIFIED);

CB_FAIL_IF(ret == 0, ctx, x, i, X509_V_ERR_EC_KEY_EXPLICIT_PARAMS);

}

/*

* Do the following set of checks only if strict checking is requested

* and not for self-issued (including self-signed) EE (non-CA) certs

* because RFC 5280 does not apply to them according RFC 6818 section 2.

*/

if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) != 0

&& num > 1) { /*

* this should imply

* !(i == 0 && (x->ex_flags & EXFLAG_CA) == 0

* && (x->ex_flags & EXFLAG_SI) != 0)

*/

/* Check Basic Constraints according to RFC 5280 section 4.2.1.9 */

if (x->ex_pathlen != -1) {

CB_FAIL_IF((x->ex_flags & EXFLAG_CA) == 0,

ctx, x, i, X509_V_ERR_PATHLEN_INVALID_FOR_NON_CA);

CB_FAIL_IF((x->ex_kusage & KU_KEY_CERT_SIGN) == 0, ctx,

x, i, X509_V_ERR_PATHLEN_WITHOUT_KU_KEY_CERT_SIGN);

}

/* Check Key Usage according to RFC 5280 section 4.2.1.3 */

if ((x->ex_flags & EXFLAG_CA) != 0) {

CB_FAIL_IF((x->ex_flags & EXFLAG_KUSAGE) == 0,

ctx, x, i, X509_V_ERR_CA_CERT_MISSING_KEY_USAGE);

} else {

CB_FAIL_IF((x->ex_kusage & KU_KEY_CERT_SIGN) != 0, ctx, x, i,

X509_V_ERR_KU_KEY_CERT_SIGN_INVALID_FOR_NON_CA);

}

/* Check issuer is non-empty acc. to RFC 5280 section 4.1.2.4 */

CB_FAIL_IF(X509_NAME_entry_count(X509_get_issuer_name(x)) == 0,

ctx, x, i, X509_V_ERR_ISSUER_NAME_EMPTY);

/* Check subject is non-empty acc. to RFC 5280 section 4.1.2.6 */

CB_FAIL_IF(((x->ex_flags & EXFLAG_CA) != 0

|| (x->ex_kusage & KU_CRL_SIGN) != 0

|| x->altname == NULL)

&& X509_NAME_entry_count(X509_get_subject_name(x)) == 0,

ctx, x, i, X509_V_ERR_SUBJECT_NAME_EMPTY);

/* Check SAN is non-empty according to RFC 5280 section 4.2.1.6 */

CB_FAIL_IF(x->altname != NULL

&& sk_GENERAL_NAME_num(x->altname) <= 0,

ctx, x, i, X509_V_ERR_EMPTY_SUBJECT_ALT_NAME);

/* Check sig alg consistency acc. to RFC 5280 section 4.1.1.2 */

CB_FAIL_IF(X509_ALGOR_cmp(&x->sig_alg, &x->cert_info.signature) != 0,

ctx, x, i, X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY);

if (X509_get_version(x) >= X509_VERSION_3) {

/* Check AKID presence acc. to RFC 5280 section 4.2.1.1 */

/*

* This means not last cert in chain, taken as generated by

* conforming CAs and not self-signed.

*/

unsigned int check_akid = (i + 1 < num)

&& ((x->ex_flags & EXFLAG_SS) == 0);

CB_FAIL_IF(check_akid != 0 && x->akid == NULL,

ctx, x, i, X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER);

CB_FAIL_IF(check_akid != 0 && x->akid != NULL

&& x->akid->keyid == NULL && x->akid->issuer == NULL

&& x->akid->serial == NULL,

ctx, x, i, X509_V_ERR_EMPTY_AUTHORITY_KEY_IDENTIFIER);

/*

* The authorityCertIssuer and authorityCertSerialNumber fields

* are paired and MUST either both be present or both be absent.

*

* Issuer without serial is ambiguous, and serial without issuer

* is meaningless, leading to unresolvable and misleading issuer

* identification.

*/

CB_FAIL_IF(x->akid != NULL

&& (x->akid->issuer == NULL) != (x->akid->serial == NULL),

ctx, x, i, X509_V_ERR_AKID_ISSUER_SERIAL_NOT_PAIRED);

/* Check SKID presence acc. to RFC 5280 section 4.2.1.2 */

CB_FAIL_IF((x->ex_flags & EXFLAG_CA) != 0 && x->skid == NULL,

ctx, x, i, X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER);

} else {

CB_FAIL_IF(sk_X509_EXTENSION_num(X509_get0_extensions(x)) > 0,

ctx, x, i, X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3);

}

}

/* check_purpose() makes the callback as needed */

if (purpose >= X509_PURPOSE_MIN && !check_purpose(ctx, x, purpose, i, must_be_ca))

return 0;

/* Check path length */

CB_FAIL_IF(i > 1 && x->ex_pathlen != -1

&& plen > x->ex_pathlen + proxy_path_length,

ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED);

/* Increment path length if not a self-issued intermediate CA */

if (i > 0 && (x->ex_flags & EXFLAG_SI) == 0)

plen++;

/*

* If this certificate is a proxy certificate, the next certificate

* must be another proxy certificate or a EE certificate. If not,

* the next certificate must be a CA certificate.

*/

if (x->ex_flags & EXFLAG_PROXY) {

/*

* RFC3820, 4.1.3 (b)(1) stipulates that if pCPathLengthConstraint

* is less than max_path_length, the former should be copied to

* the latter, and 4.1.4 (a) stipulates that max_path_length

* should be verified to be larger than zero and decrement it.

*

* Because we're checking the certs in the reverse order, we start

* with verifying that proxy_path_length isn't larger than pcPLC,

* and copy the latter to the former if it is, and finally,

* increment proxy_path_length.

*/

if (x->ex_pcpathlen != -1) {

CB_FAIL_IF(proxy_path_length > x->ex_pcpathlen,

ctx, x, i, X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED);

proxy_path_length = x->ex_pcpathlen;

}

proxy_path_length++;

must_be_ca = 0;

} else {

must_be_ca = 1;

}

}

return 1;

}

static int has_san_id(const X509 *x, int gtype)

{

int i;

int ret = 0;

GENERAL_NAMES *gs = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);

if (gs == NULL)

return 0;

for (i = 0; i < sk_GENERAL_NAME_num(gs); i++) {

GENERAL_NAME *g = sk_GENERAL_NAME_value(gs, i);

if (g->type == gtype) {

ret = 1;

break;

}

}

GENERAL_NAMES_free(gs);

return ret;

}

/*-

* Returns -1 on internal error.

* Sadly, returns 0 also on internal error in ctx->verify_cb().

*/

static int check_name_constraints(X509_STORE_CTX *ctx)

{

int i;

/* Check name constraints for all certificates */

for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {

const X509 *x = sk_X509_value(ctx->chain, i);

int j;

/* Ignore self-issued certs unless last in chain */

if (i != 0 && (x->ex_flags & EXFLAG_SI) != 0)

continue;

/*

* Proxy certificates policy has an extra constraint, where the

* certificate subject MUST be the issuer with a single CN entry

* added.

* (RFC 3820: 3.4, 4.1.3 (a)(4))

*/

if ((x->ex_flags & EXFLAG_PROXY) != 0) {

const X509_NAME *tmpsubject = X509_get_subject_name(x);

const X509_NAME *tmpissuer = X509_get_issuer_name(x);

X509_NAME *tmpsubject2;

X509_NAME_ENTRY *tmpentry = NULL;

int last_nid = 0;

int err = X509_V_OK;

int last_loc = X509_NAME_entry_count(tmpsubject) - 1;

/* Check that there are at least two RDNs */

if (last_loc < 1) {

err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION;

goto proxy_name_done;

}

/*

* Check that there is exactly one more RDN in subject as

* there is in issuer.

*/

if (X509_NAME_entry_count(tmpsubject)

!= X509_NAME_entry_count(tmpissuer) + 1) {

err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION;

goto proxy_name_done;

}

/*

* Check that the last subject component isn't part of a

* multi-valued RDN

*/

if (X509_NAME_ENTRY_set(X509_NAME_get_entry(tmpsubject, last_loc))

== X509_NAME_ENTRY_set(X509_NAME_get_entry(tmpsubject,

last_loc - 1))) {

err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION;

goto proxy_name_done;

}

/*

* Check that the last subject RDN is a commonName, and that

* all the previous RDNs match the issuer exactly

*/

tmpsubject2 = X509_NAME_dup(tmpsubject);

if (tmpsubject2 == NULL) {

ERR_raise(ERR_LIB_X509, ERR_R_ASN1_LIB);

ctx->error = X509_V_ERR_OUT_OF_MEM;

return -1;

}

tmpentry = X509_NAME_delete_entry(tmpsubject2, last_loc);

last_nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(tmpentry));

if (last_nid != NID_commonName

|| X509_NAME_cmp(tmpsubject2, tmpissuer) != 0) {

err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION;

}

X509_NAME_ENTRY_free(tmpentry);

X509_NAME_free(tmpsubject2);

proxy_name_done:

CB_FAIL_IF(err != X509_V_OK, ctx, x, i, err);

}

/*

* Check against constraints for all certificates higher in chain

* including trust anchor. Trust anchor not strictly speaking needed

* but if it includes constraints it is to be assumed it expects them

* to be obeyed.

*/

for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) {

NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;

if (nc) {

int rv = NAME_CONSTRAINTS_check(x, nc);

int ret = 1;

/* If EE certificate check commonName too */

if (rv == X509_V_OK && i == 0

&& (ctx->param->hostflags

& X509_CHECK_FLAG_NEVER_CHECK_SUBJECT)

== 0

&& ((ctx->param->hostflags

& X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT)

!= 0

|| (ret = has_san_id(x, GEN_DNS)) == 0))

rv = NAME_CONSTRAINTS_check_CN(x, nc);

if (ret < 0)

return ret;

switch (rv) {

case X509_V_OK:

break;

case X509_V_ERR_OUT_OF_MEM:

return -1;

default:

CB_FAIL_IF(1, ctx, x, i, rv);

break;

}

}

}

}

return 1;

}

static int check_id_error(X509_STORE_CTX *ctx, int errcode)

{

return verify_cb_cert(ctx, ctx->cert, 0, errcode);

}

static int check_hosts(X509 *x, X509_VERIFY_PARAM *vpm)

{

const uint8_t *name;

int n = sk_X509_BUFFER_num(vpm->hosts);

if (vpm->peername != NULL) {

OPENSSL_free(vpm->peername);

vpm->peername = NULL;

}

for (int i = 0; i < n; ++i) {

size_t len = sk_X509_BUFFER_value(vpm->hosts, i)->len;

name = sk_X509_BUFFER_value(vpm->hosts, i)->data;

if (X509_check_host(x, (const char *)name, len, vpm->hostflags, &vpm->peername) > 0)

return 1;

}

return n <= 0;

}

static int check_email(X509 *x, X509_VERIFY_PARAM *vpm)

{

const uint8_t *name;

int nasc = sk_X509_BUFFER_num(vpm->rfc822s);

int nutf = sk_X509_BUFFER_num(vpm->smtputf8s);

for (int i = 0; i < nasc; ++i) {

size_t len = sk_X509_BUFFER_value(vpm->rfc822s, i)->len;

name = sk_X509_BUFFER_value(vpm->rfc822s, i)->data;

if (ossl_x509_check_rfc822(x, (const char *)name, len, vpm->hostflags))

return 1;

}

for (int i = 0; i < nutf; ++i) {

size_t len = sk_X509_BUFFER_value(vpm->smtputf8s, i)->len;

name = sk_X509_BUFFER_value(vpm->smtputf8s, i)->data;

if (ossl_x509_check_smtputf8(x, (const char *)name, len, vpm->hostflags))

return 1;

}

return nasc <= 0 && nutf <= 0;

}

static int check_ips(X509 *x, X509_VERIFY_PARAM *vpm)

{

const uint8_t *name;

int n = sk_X509_BUFFER_num(vpm->ips);

for (int i = 0; i < n; ++i) {

size_t len = sk_X509_BUFFER_value(vpm->ips, i)->len;

name = sk_X509_BUFFER_value(vpm->ips, i)->data;

if (X509_check_ip(x, name, len, vpm->hostflags) > 0)

return 1;

}

return n <= 0;

}

static int check_id(X509_STORE_CTX *ctx)

{

X509_VERIFY_PARAM *vpm = ctx->param;

X509 *x = ctx->cert;

if (vpm->hosts != NULL && check_hosts(x, vpm) <= 0) {

if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))

return 0;

}

if (!check_email(x, vpm)) {

if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH))

return 0;

}

if (vpm->ips != NULL && check_ips(x, vpm) <= 0) {

if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH))

return 0;