diff options
| author | job <> | 2021-09-02 12:41:44 +0000 |
|---|---|---|
| committer | job <> | 2021-09-02 12:41:44 +0000 |
| commit | a9cb954f2cf630ab74009f5641622ac0d175bc58 (patch) | |
| tree | 68881b07659cc9e2b17902a5156f430f2154ecf8 /src/lib/libcrypto/x509/x509_purp.c | |
| parent | e7198b4ee0ece23326da3c1f771171a6ca285eca (diff) | |
| download | openbsd-a9cb954f2cf630ab74009f5641622ac0d175bc58.tar.gz openbsd-a9cb954f2cf630ab74009f5641622ac0d175bc58.tar.bz2 openbsd-a9cb954f2cf630ab74009f5641622ac0d175bc58.zip | |
Lay groundwork to support X.509 v3 extensions for IP Addresses and AS Identifiers
These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360).
Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf)
This changeset is a no-op, as there are 10+ issues and at least 2 security issues.
Work will continue in-tree.
OK tb@, discussed with beck@
Diffstat (limited to 'src/lib/libcrypto/x509/x509_purp.c')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_purp.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c index aff9f607bc..3f0081fe40 100644 --- a/src/lib/libcrypto/x509/x509_purp.c +++ b/src/lib/libcrypto/x509/x509_purp.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_purp.c,v 1.5 2021/07/23 20:40:49 schwarze Exp $ */ | 1 | /* $OpenBSD: x509_purp.c,v 1.6 2021/09/02 12:41:44 job Exp $ */ |
| 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 3 | * project 2001. | 3 | * project 2001. |
| 4 | */ | 4 | */ |
| @@ -366,6 +366,10 @@ X509_supported_extension(X509_EXTENSION *ex) | |||
| 366 | NID_basic_constraints, /* 87 */ | 366 | NID_basic_constraints, /* 87 */ |
| 367 | NID_certificate_policies, /* 89 */ | 367 | NID_certificate_policies, /* 89 */ |
| 368 | NID_ext_key_usage, /* 126 */ | 368 | NID_ext_key_usage, /* 126 */ |
| 369 | #ifndef OPENSSL_NO_RFC3779 | ||
| 370 | NID_sbgp_ipAddrBlock, /* 290 */ | ||
| 371 | NID_sbgp_autonomousSysNum, /* 291 */ | ||
| 372 | #endif | ||
| 369 | NID_policy_constraints, /* 401 */ | 373 | NID_policy_constraints, /* 401 */ |
| 370 | NID_proxyCertInfo, /* 663 */ | 374 | NID_proxyCertInfo, /* 663 */ |
| 371 | NID_name_constraints, /* 666 */ | 375 | NID_name_constraints, /* 666 */ |
| @@ -587,6 +591,15 @@ x509v3_cache_extensions(X509 *x) | |||
| 587 | x->ex_flags |= EXFLAG_INVALID; | 591 | x->ex_flags |= EXFLAG_INVALID; |
| 588 | setup_crldp(x); | 592 | setup_crldp(x); |
| 589 | 593 | ||
| 594 | #ifndef OPENSSL_NO_RFC3779 | ||
| 595 | x->rfc3779_addr = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, &i, NULL); | ||
| 596 | if (x->rfc3779_addr == NULL && i != -1) | ||
| 597 | x->ex_flags |= EXFLAG_INVALID; | ||
| 598 | x->rfc3779_asid = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, &i, NULL); | ||
| 599 | if (x->rfc3779_asid == NULL && i != -1) | ||
| 600 | x->ex_flags |= EXFLAG_INVALID; | ||
| 601 | #endif | ||
| 602 | |||
| 590 | for (i = 0; i < X509_get_ext_count(x); i++) { | 603 | for (i = 0; i < X509_get_ext_count(x); i++) { |
| 591 | ex = X509_get_ext(x, i); | 604 | ex = X509_get_ext(x, i); |
| 592 | if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == | 605 | if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == |