File: ct_extensions.cc

package info (click to toggle)
golang-github-google-certificate-transparency 0.0~git20160709.0.0f6e3d1~ds1-3
  • links: PTS, VCS
  • area: main
  • in suites: bookworm, bullseye, buster
  • size: 5,676 kB
  • sloc: cpp: 35,278; python: 11,838; java: 1,911; sh: 1,885; makefile: 950; xml: 520; ansic: 225
file content (216 lines) | stat: -rw-r--r-- 8,956 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
 
#include "log/ct_extensions.h"

#include <glog/logging.h>
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/objects.h>
#include <openssl/x509v3.h>
#include <string.h>

namespace cert_trans {

int NID_ctSignedCertificateTimestampList = 0;
int NID_ctEmbeddedSignedCertificateTimestampList = 0;
int NID_ctPoison = 0;
int NID_ctPrecertificateSigning = 0;
int NID_ctPrecertificateRedactedLabelCount = 0;
int NID_ctNameConstraintNologIntermediateCa = 0;
int NID_ctV2CmsPayloadContentType = 0;

// The SCT list in the extension of a superfluous certificate
const char kSCTListOID[] = "1.3.6.1.4.1.11129.2.4.1";
// The SCT list embedded in the certificate itself
const char kEmbeddedSCTListOID[] = "1.3.6.1.4.1.11129.2.4.2";
// Extension indicating consent that certs from an intermediate CA with name
// constraints may not be logged (not used in V1)
const char kNameConstraintNologIntermediateOID[] = "1.3.6.1.4.1.11129.2.4.7";
// The poison extension
const char kPoisonOID[] = "1.3.6.1.4.1.11129.2.4.3";
// Extension for wildcard redacted Precertificate indicating redaction count
// (not used in V1)
const char kPrecertificateRedactedLabelOID[] = "1.3.6.1.4.1.11129.2.4.6";
// Extended Key Usage value for Precertificate signing
const char kPrecertificateSigningOID[] = "1.3.6.1.4.1.11129.2.4.4";
// V2 Precert content type
// TODO: Required content type not defined in draft yet. Placeholder in case
// we use our own.
const char kV2PrecertificateCmsContentTypeOID[] = "1.3.6.1.4.1.11129.2.4.8";

static const char kSCTListSN[] = "ctSCT";
static const char kSCTListLN[] =
    "X509v3 Certificate Transparency Signed Certificate Timestamp List";

static const char kEmbeddedSCTListSN[] = "ctEmbeddedSCT";
static const char kEmbeddedSCTListLN[] =
    "X509v3 Certificate Transparency "
    "Embedded Signed Certificate Timestamp List";
static const char kPoisonSN[] = "ctPoison";
static const char kPoisonLN[] = "X509v3 Certificate Transparency Poison";
static const char kPrecertificateSigningSN[] = "ctPresign";
static const char kPrecertificateSigningLN[] =
    "Certificate Transparency "
    "Precertificate Signing";
static const char kPrecertificateRedactedLabelCountSN[] = "ctPreredact";
static const char kPrecertificateRedactedLabelCountLN[] =
    "Certificate Transparency "
    "Precertificate Redacted Label Count";
static const char kNameConstraintNologIntermediateSN[] =
    "ctNoLogIntermediateOk";
static const char kNameConstraintNologIntermediateLN[] =
    "Certificate Transparency "
    "Name Constrained Intermediate CA NoLog Allowed";
static const char kV2PrecertCmsContentTypeSN[] = "ctV2PrecertCmsContentType";
static const char kV2PrecertCmsContentTypeLN[] =
    "Certificate Transparency "
    "V2 Precertificate CMS Message Content Type";

static const char kASN1NullValue[] = "NULL";

// String conversion for an ASN1 NULL
static char* ASN1NullToString(X509V3_EXT_METHOD*, ASN1_NULL* asn1_null) {
  if (asn1_null == NULL)
    return NULL;
  char* buf = strdup(kASN1NullValue);
  return buf;
}

// String conversion from an ASN1:NULL conf.
static ASN1_NULL* StringToASN1Null(X509V3_EXT_METHOD*, X509V3_CTX*,
                                   char* str) {
  if (str == NULL || strcmp(str, kASN1NullValue) != 0) {
    return NULL;
  }

  return ASN1_NULL_new();
}

// clang-format off
static X509V3_EXT_METHOD ct_sctlist_method = {
    0,  // ext_nid, NID, will be created by OBJ_create()
    0,  // flags
    ASN1_ITEM_ref(ASN1_OCTET_STRING),  // the object is an octet string
    0, 0, 0, 0,                        // ignored since the field above is set
    // Create from, and print to, a hex string
    // Allows to specify the extension configuration like so:
    // ctSCT = <hexstring_value>
    // (Unused - we just plumb the bytes in the fake cert directly.)
    reinterpret_cast<X509V3_EXT_I2S>(i2s_ASN1_OCTET_STRING),
    reinterpret_cast<X509V3_EXT_S2I>(s2i_ASN1_OCTET_STRING), 0, 0, 0, 0,
    NULL  // usr_data
};

static X509V3_EXT_METHOD ct_embeddedsctlist_method = {
    0,  // ext_nid, NID, will be created by OBJ_create()
    0,  // flags
    ASN1_ITEM_ref(ASN1_OCTET_STRING),  // the object is an octet string
    0, 0, 0, 0,                        // ignored since the field above is set
    // Create from, and print to, a hex string
    // Allows to specify the extension configuration like so:
    // ctEmbeddedSCT = <hexstring_value>
    // (Unused, as we're not issuing certs.)
    reinterpret_cast<X509V3_EXT_I2S>(i2s_ASN1_OCTET_STRING),
    reinterpret_cast<X509V3_EXT_S2I>(s2i_ASN1_OCTET_STRING), 0, 0, 0, 0,
    NULL  // usr_data
};

static X509V3_EXT_METHOD ct_poison_method = {
    0,                         // ext_nid, NID, will be created by OBJ_create()
    0,                         // flags
    ASN1_ITEM_ref(ASN1_NULL),  // the object is an ASN1 NULL
    0, 0, 0, 0,                // ignored since the above is set
    // Create from, and print to, a hex string
    // Allows to specify the extension configuration like so:
    // ctPoison = "NULL"
    // (Unused, as we're not issuing certs.)
    reinterpret_cast<X509V3_EXT_I2S>(ASN1NullToString),
    reinterpret_cast<X509V3_EXT_S2I>(StringToASN1Null), 0, 0, 0, 0,
    NULL  // usr_data
};

// Not used in protocol v1. Specifies the count of redacted labels of each
// DNS id in the cert. See RFC section 3.2.2.
static X509V3_EXT_METHOD ct_redaction_count_method = {
    0,                         // ext_nid, NID, will be created by OBJ_create()
    0,                         // flags
    ASN1_ITEM_ref(REDACTED_LABEL_COUNT),
    0, 0, 0, 0,                // ignored since the above is set
    // Create from, and print to, a hex string
    // Allows to specify the extension configuration like so:
    // ctPreredact = "NULL"
    // (Unused, as we're not issuing certs.)
    reinterpret_cast<X509V3_EXT_I2S>(i2s_ASN1_OCTET_STRING),
    reinterpret_cast<X509V3_EXT_S2I>(s2i_ASN1_OCTET_STRING), 0, 0, 0, 0,
    NULL  // usr_data
};

// Not used in protocol v1. Specifies consent that name constrained
// intermediate certs may not be logged. See RFC section 3.2.3.
static X509V3_EXT_METHOD ct_name_constraint_nolog_intermediate_ca_method = {
    0,                         // ext_nid, NID, will be created by OBJ_create()
    0,                         // flags
    ASN1_ITEM_ref(ASN1_NULL),  // the object is an ASN1 NULL
    0, 0, 0, 0,                // ignored since the above is set
    // Create from, and print to, a hex string
    // Allows to specify the extension configuration like so:
    // ctPoison = "NULL"
    // (Unused, as we're not issuing certs.)
    reinterpret_cast<X509V3_EXT_I2S>(ASN1NullToString),
    reinterpret_cast<X509V3_EXT_S2I>(StringToASN1Null), 0, 0, 0, 0,
    NULL  // usr_data
};
// clang-format on

void LoadCtExtensions() {
  // V1 Certificate Extensions

  ct_sctlist_method.ext_nid = OBJ_create(kSCTListOID, kSCTListSN, kSCTListLN);
  CHECK_NE(ct_sctlist_method.ext_nid, 0);
  CHECK_EQ(1, X509V3_EXT_add(&ct_sctlist_method));
  NID_ctSignedCertificateTimestampList = ct_sctlist_method.ext_nid;

  ct_embeddedsctlist_method.ext_nid =
      OBJ_create(kEmbeddedSCTListOID, kEmbeddedSCTListSN, kEmbeddedSCTListLN);
  CHECK_NE(ct_embeddedsctlist_method.ext_nid, 0);
  CHECK_EQ(1, X509V3_EXT_add(&ct_embeddedsctlist_method));
  NID_ctEmbeddedSignedCertificateTimestampList =
      ct_embeddedsctlist_method.ext_nid;

  ct_poison_method.ext_nid = OBJ_create(kPoisonOID, kPoisonSN, kPoisonLN);
  CHECK_NE(ct_poison_method.ext_nid, 0);
  CHECK_EQ(1, X509V3_EXT_add(&ct_poison_method));
  NID_ctPoison = ct_poison_method.ext_nid;

  int precert_signing_nid =
      OBJ_create(kPrecertificateSigningOID, kPrecertificateSigningSN,
                 kPrecertificateSigningLN);
  CHECK_NE(precert_signing_nid, 0);
  NID_ctPrecertificateSigning = precert_signing_nid;

  // V2 Certificate extensions

  ct_redaction_count_method.ext_nid =
      OBJ_create(kPrecertificateRedactedLabelOID,
                 kPrecertificateRedactedLabelCountSN,
                 kPrecertificateRedactedLabelCountLN);
  CHECK_NE(ct_redaction_count_method.ext_nid, 0);
  CHECK_EQ(1, X509V3_EXT_add(&ct_redaction_count_method));
  NID_ctPrecertificateRedactedLabelCount = ct_redaction_count_method.ext_nid;

  ct_name_constraint_nolog_intermediate_ca_method.ext_nid =
      OBJ_create(kNameConstraintNologIntermediateOID,
                 kNameConstraintNologIntermediateSN,
                 kNameConstraintNologIntermediateLN);
  CHECK_NE(ct_name_constraint_nolog_intermediate_ca_method.ext_nid, 0);
  CHECK_EQ(1,
           X509V3_EXT_add(&ct_name_constraint_nolog_intermediate_ca_method));
  NID_ctNameConstraintNologIntermediateCa =
      ct_name_constraint_nolog_intermediate_ca_method.ext_nid;

  // V2 Content types

  NID_ctV2CmsPayloadContentType =
      OBJ_create(kV2PrecertificateCmsContentTypeOID,
                 kV2PrecertCmsContentTypeSN, kV2PrecertCmsContentTypeLN);
}

}  // namespace cert_trans