summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/x509
diff options
context:
space:
mode:
authorcvs2svn <admin@example.com>2011-02-12 15:54:20 +0000
committercvs2svn <admin@example.com>2011-02-12 15:54:20 +0000
commitb9388eba740387eaff0dcb9492cdefc1adcf40ff (patch)
tree26cf8fda7724fe56961aa26b7da50db9634c08a2 /src/lib/libcrypto/x509
parentd1c27f232cfde582e176b277933b485ea84ac845 (diff)
downloadopenbsd-OPENBSD_4_9.tar.gz
openbsd-OPENBSD_4_9.tar.bz2
openbsd-OPENBSD_4_9.zip
This commit was manufactured by cvs2git to create branch 'OPENBSD_4_9'.OPENBSD_4_9
Diffstat (limited to 'src/lib/libcrypto/x509')
-rw-r--r--src/lib/libcrypto/x509/by_dir.c482
-rw-r--r--src/lib/libcrypto/x509/by_file.c300
-rw-r--r--src/lib/libcrypto/x509/x509.h1285
-rw-r--r--src/lib/libcrypto/x509/x509_att.c359
-rw-r--r--src/lib/libcrypto/x509/x509_cmp.c331
-rw-r--r--src/lib/libcrypto/x509/x509_d2.c107
-rw-r--r--src/lib/libcrypto/x509/x509_def.c81
-rw-r--r--src/lib/libcrypto/x509/x509_err.c164
-rw-r--r--src/lib/libcrypto/x509/x509_ext.c210
-rw-r--r--src/lib/libcrypto/x509/x509_lu.c716
-rw-r--r--src/lib/libcrypto/x509/x509_obj.c226
-rw-r--r--src/lib/libcrypto/x509/x509_r2x.c114
-rw-r--r--src/lib/libcrypto/x509/x509_req.c316
-rw-r--r--src/lib/libcrypto/x509/x509_set.c150
-rw-r--r--src/lib/libcrypto/x509/x509_trs.c288
-rw-r--r--src/lib/libcrypto/x509/x509_txt.c193
-rw-r--r--src/lib/libcrypto/x509/x509_v3.c274
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c2215
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.h567
-rw-r--r--src/lib/libcrypto/x509/x509_vpm.c438
-rw-r--r--src/lib/libcrypto/x509/x509cset.c170
-rw-r--r--src/lib/libcrypto/x509/x509name.c383
-rw-r--r--src/lib/libcrypto/x509/x509rset.c83
-rw-r--r--src/lib/libcrypto/x509/x509spki.c121
-rw-r--r--src/lib/libcrypto/x509/x509type.c125
-rw-r--r--src/lib/libcrypto/x509/x_all.c515
26 files changed, 0 insertions, 10213 deletions
diff --git a/src/lib/libcrypto/x509/by_dir.c b/src/lib/libcrypto/x509/by_dir.c
deleted file mode 100644
index 27ca5150c1..0000000000
--- a/src/lib/libcrypto/x509/by_dir.c
+++ /dev/null
@@ -1,482 +0,0 @@
1/* crypto/x509/by_dir.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <time.h>
61#include <errno.h>
62
63#include "cryptlib.h"
64
65#ifndef NO_SYS_TYPES_H
66# include <sys/types.h>
67#endif
68#ifndef OPENSSL_NO_POSIX_IO
69# include <sys/stat.h>
70#endif
71
72#include <openssl/lhash.h>
73#include <openssl/x509.h>
74
75
76typedef struct lookup_dir_hashes_st
77 {
78 unsigned long hash;
79 int suffix;
80 } BY_DIR_HASH;
81
82typedef struct lookup_dir_entry_st
83 {
84 char *dir;
85 int dir_type;
86 STACK_OF(BY_DIR_HASH) *hashes;
87 } BY_DIR_ENTRY;
88
89typedef struct lookup_dir_st
90 {
91 BUF_MEM *buffer;
92 STACK_OF(BY_DIR_ENTRY) *dirs;
93 } BY_DIR;
94
95DECLARE_STACK_OF(BY_DIR_HASH)
96DECLARE_STACK_OF(BY_DIR_ENTRY)
97
98static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
99 char **ret);
100static int new_dir(X509_LOOKUP *lu);
101static void free_dir(X509_LOOKUP *lu);
102static int add_cert_dir(BY_DIR *ctx,const char *dir,int type);
103static int get_cert_by_subject(X509_LOOKUP *xl,int type,X509_NAME *name,
104 X509_OBJECT *ret);
105X509_LOOKUP_METHOD x509_dir_lookup=
106 {
107 "Load certs from files in a directory",
108 new_dir, /* new */
109 free_dir, /* free */
110 NULL, /* init */
111 NULL, /* shutdown */
112 dir_ctrl, /* ctrl */
113 get_cert_by_subject, /* get_by_subject */
114 NULL, /* get_by_issuer_serial */
115 NULL, /* get_by_fingerprint */
116 NULL, /* get_by_alias */
117 };
118
119X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void)
120 {
121 return(&x509_dir_lookup);
122 }
123
124static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
125 char **retp)
126 {
127 int ret=0;
128 BY_DIR *ld;
129 char *dir = NULL;
130
131 ld=(BY_DIR *)ctx->method_data;
132
133 switch (cmd)
134 {
135 case X509_L_ADD_DIR:
136 if (argl == X509_FILETYPE_DEFAULT)
137 {
138 dir=(char *)getenv(X509_get_default_cert_dir_env());
139 if (dir)
140 ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);
141 else
142 ret=add_cert_dir(ld,X509_get_default_cert_dir(),
143 X509_FILETYPE_PEM);
144 if (!ret)
145 {
146 X509err(X509_F_DIR_CTRL,X509_R_LOADING_CERT_DIR);
147 }
148 }
149 else
150 ret=add_cert_dir(ld,argp,(int)argl);
151 break;
152 }
153 return(ret);
154 }
155
156static int new_dir(X509_LOOKUP *lu)
157 {
158 BY_DIR *a;
159
160 if ((a=(BY_DIR *)OPENSSL_malloc(sizeof(BY_DIR))) == NULL)
161 return(0);
162 if ((a->buffer=BUF_MEM_new()) == NULL)
163 {
164 OPENSSL_free(a);
165 return(0);
166 }
167 a->dirs=NULL;
168 lu->method_data=(char *)a;
169 return(1);
170 }
171
172static void by_dir_hash_free(BY_DIR_HASH *hash)
173 {
174 OPENSSL_free(hash);
175 }
176
177static int by_dir_hash_cmp(const BY_DIR_HASH * const *a,
178 const BY_DIR_HASH * const *b)
179 {
180 if ((*a)->hash > (*b)->hash)
181 return 1;
182 if ((*a)->hash < (*b)->hash)
183 return -1;
184 return 0;
185 }
186
187static void by_dir_entry_free(BY_DIR_ENTRY *ent)
188 {
189 if (ent->dir)
190 OPENSSL_free(ent->dir);
191 if (ent->hashes)
192 sk_BY_DIR_HASH_pop_free(ent->hashes, by_dir_hash_free);
193 OPENSSL_free(ent);
194 }
195
196static void free_dir(X509_LOOKUP *lu)
197 {
198 BY_DIR *a;
199
200 a=(BY_DIR *)lu->method_data;
201 if (a->dirs != NULL)
202 sk_BY_DIR_ENTRY_pop_free(a->dirs, by_dir_entry_free);
203 if (a->buffer != NULL)
204 BUF_MEM_free(a->buffer);
205 OPENSSL_free(a);
206 }
207
208static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
209 {
210 int j,len;
211 const char *s,*ss,*p;
212
213 if (dir == NULL || !*dir)
214 {
215 X509err(X509_F_ADD_CERT_DIR,X509_R_INVALID_DIRECTORY);
216 return 0;
217 }
218
219 s=dir;
220 p=s;
221 for (;;p++)
222 {
223 if ((*p == LIST_SEPARATOR_CHAR) || (*p == '\0'))
224 {
225 BY_DIR_ENTRY *ent;
226 ss=s;
227 s=p+1;
228 len=(int)(p-ss);
229 if (len == 0) continue;
230 for (j=0; j < sk_BY_DIR_ENTRY_num(ctx->dirs); j++)
231 {
232 ent = sk_BY_DIR_ENTRY_value(ctx->dirs, j);
233 if (strlen(ent->dir) == (size_t)len &&
234 strncmp(ent->dir,ss,(unsigned int)len) == 0)
235 break;
236 }
237 if (j < sk_BY_DIR_ENTRY_num(ctx->dirs))
238 continue;
239 if (ctx->dirs == NULL)
240 {
241 ctx->dirs = sk_BY_DIR_ENTRY_new_null();
242 if (!ctx->dirs)
243 {
244 X509err(X509_F_ADD_CERT_DIR,ERR_R_MALLOC_FAILURE);
245 return 0;
246 }
247 }
248 ent = OPENSSL_malloc(sizeof(BY_DIR_ENTRY));
249 if (!ent)
250 return 0;
251 ent->dir_type = type;
252 ent->hashes = sk_BY_DIR_HASH_new(by_dir_hash_cmp);
253 ent->dir = OPENSSL_malloc((unsigned int)len+1);
254 if (!ent->dir || !ent->hashes)
255 {
256 by_dir_entry_free(ent);
257 return 0;
258 }
259 strncpy(ent->dir,ss,(unsigned int)len);
260 ent->dir[len] = '\0';
261 if (!sk_BY_DIR_ENTRY_push(ctx->dirs, ent))
262 {
263 by_dir_entry_free(ent);
264 return 0;
265 }
266 }
267 if (*p == '\0')
268 break;
269 }
270 return 1;
271 }
272
273static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
274 X509_OBJECT *ret)
275 {
276 BY_DIR *ctx;
277 union {
278 struct {
279 X509 st_x509;
280 X509_CINF st_x509_cinf;
281 } x509;
282 struct {
283 X509_CRL st_crl;
284 X509_CRL_INFO st_crl_info;
285 } crl;
286 } data;
287 int ok=0;
288 int i,j,k;
289 unsigned long h;
290 BUF_MEM *b=NULL;
291 X509_OBJECT stmp,*tmp;
292 const char *postfix="";
293
294 if (name == NULL) return(0);
295
296 stmp.type=type;
297 if (type == X509_LU_X509)
298 {
299 data.x509.st_x509.cert_info= &data.x509.st_x509_cinf;
300 data.x509.st_x509_cinf.subject=name;
301 stmp.data.x509= &data.x509.st_x509;
302 postfix="";
303 }
304 else if (type == X509_LU_CRL)
305 {
306 data.crl.st_crl.crl= &data.crl.st_crl_info;
307 data.crl.st_crl_info.issuer=name;
308 stmp.data.crl= &data.crl.st_crl;
309 postfix="r";
310 }
311 else
312 {
313 X509err(X509_F_GET_CERT_BY_SUBJECT,X509_R_WRONG_LOOKUP_TYPE);
314 goto finish;
315 }
316
317 if ((b=BUF_MEM_new()) == NULL)
318 {
319 X509err(X509_F_GET_CERT_BY_SUBJECT,ERR_R_BUF_LIB);
320 goto finish;
321 }
322
323 ctx=(BY_DIR *)xl->method_data;
324
325 h=X509_NAME_hash(name);
326 for (i=0; i < sk_BY_DIR_ENTRY_num(ctx->dirs); i++)
327 {
328 BY_DIR_ENTRY *ent;
329 int idx;
330 BY_DIR_HASH htmp, *hent;
331 ent = sk_BY_DIR_ENTRY_value(ctx->dirs, i);
332 j=strlen(ent->dir)+1+8+6+1+1;
333 if (!BUF_MEM_grow(b,j))
334 {
335 X509err(X509_F_GET_CERT_BY_SUBJECT,ERR_R_MALLOC_FAILURE);
336 goto finish;
337 }
338 if (type == X509_LU_CRL && ent->hashes)
339 {
340 htmp.hash = h;
341 CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE);
342 idx = sk_BY_DIR_HASH_find(ent->hashes, &htmp);
343 if (idx >= 0)
344 {
345 hent = sk_BY_DIR_HASH_value(ent->hashes, idx);
346 k = hent->suffix;
347 }
348 else
349 {
350 hent = NULL;
351 k=0;
352 }
353 CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE);
354 }
355 else
356 {
357 k = 0;
358 hent = NULL;
359 }
360 for (;;)
361 {
362 char c = '/';
363#ifdef OPENSSL_SYS_VMS
364 c = ent->dir[strlen(ent->dir)-1];
365 if (c != ':' && c != '>' && c != ']')
366 {
367 /* If no separator is present, we assume the
368 directory specifier is a logical name, and
369 add a colon. We really should use better
370 VMS routines for merging things like this,
371 but this will do for now...
372 -- Richard Levitte */
373 c = ':';
374 }
375 else
376 {
377 c = '\0';
378 }
379#endif
380 if (c == '\0')
381 {
382 /* This is special. When c == '\0', no
383 directory separator should be added. */
384 BIO_snprintf(b->data,b->max,
385 "%s%08lx.%s%d",ent->dir,h,
386 postfix,k);
387 }
388 else
389 {
390 BIO_snprintf(b->data,b->max,
391 "%s%c%08lx.%s%d",ent->dir,c,h,
392 postfix,k);
393 }
394#ifndef OPENSSL_NO_POSIX_IO
395#ifdef _WIN32
396#define stat _stat
397#endif
398 {
399 struct stat st;
400 if (stat(b->data,&st) < 0)
401 break;
402 }
403#endif
404 /* found one. */
405 if (type == X509_LU_X509)
406 {
407 if ((X509_load_cert_file(xl,b->data,
408 ent->dir_type)) == 0)
409 break;
410 }
411 else if (type == X509_LU_CRL)
412 {
413 if ((X509_load_crl_file(xl,b->data,
414 ent->dir_type)) == 0)
415 break;
416 }
417 /* else case will caught higher up */
418 k++;
419 }
420
421 /* we have added it to the cache so now pull
422 * it out again */
423 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
424 j = sk_X509_OBJECT_find(xl->store_ctx->objs,&stmp);
425 if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,j);
426 else tmp = NULL;
427 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
428
429
430 /* If a CRL, update the last file suffix added for this */
431
432 if (type == X509_LU_CRL)
433 {
434 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
435 /* Look for entry again in case another thread added
436 * an entry first.
437 */
438 if (!hent)
439 {
440 htmp.hash = h;
441 idx = sk_BY_DIR_HASH_find(ent->hashes, &htmp);
442 if (idx >= 0)
443 hent =
444 sk_BY_DIR_HASH_value(ent->hashes, idx);
445 }
446 if (!hent)
447 {
448 hent = OPENSSL_malloc(sizeof(BY_DIR_HASH));
449 hent->hash = h;
450 hent->suffix = k;
451 if (!sk_BY_DIR_HASH_push(ent->hashes, hent))
452 {
453 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
454 OPENSSL_free(hent);
455 ok = 0;
456 goto finish;
457 }
458 }
459 else if (hent->suffix < k)
460 hent->suffix = k;
461
462 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
463
464 }
465
466 if (tmp != NULL)
467 {
468 ok=1;
469 ret->type=tmp->type;
470 memcpy(&ret->data,&tmp->data,sizeof(ret->data));
471 /* If we were going to up the reference count,
472 * we would need to do it on a perl 'type'
473 * basis */
474 /* CRYPTO_add(&tmp->data.x509->references,1,
475 CRYPTO_LOCK_X509);*/
476 goto finish;
477 }
478 }
479finish:
480 if (b != NULL) BUF_MEM_free(b);
481 return(ok);
482 }
diff --git a/src/lib/libcrypto/x509/by_file.c b/src/lib/libcrypto/x509/by_file.c
deleted file mode 100644
index 57b08ee094..0000000000
--- a/src/lib/libcrypto/x509/by_file.c
+++ /dev/null
@@ -1,300 +0,0 @@
1/* crypto/x509/by_file.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <time.h>
61#include <errno.h>
62
63#include "cryptlib.h"
64#include <openssl/lhash.h>
65#include <openssl/buffer.h>
66#include <openssl/x509.h>
67#include <openssl/pem.h>
68
69#ifndef OPENSSL_NO_STDIO
70
71static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
72 long argl, char **ret);
73X509_LOOKUP_METHOD x509_file_lookup=
74 {
75 "Load file into cache",
76 NULL, /* new */
77 NULL, /* free */
78 NULL, /* init */
79 NULL, /* shutdown */
80 by_file_ctrl, /* ctrl */
81 NULL, /* get_by_subject */
82 NULL, /* get_by_issuer_serial */
83 NULL, /* get_by_fingerprint */
84 NULL, /* get_by_alias */
85 };
86
87X509_LOOKUP_METHOD *X509_LOOKUP_file(void)
88 {
89 return(&x509_file_lookup);
90 }
91
92static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
93 char **ret)
94 {
95 int ok=0;
96 char *file;
97
98 switch (cmd)
99 {
100 case X509_L_FILE_LOAD:
101 if (argl == X509_FILETYPE_DEFAULT)
102 {
103 file = (char *)getenv(X509_get_default_cert_file_env());
104 if (file)
105 ok = (X509_load_cert_crl_file(ctx,file,
106 X509_FILETYPE_PEM) != 0);
107
108 else
109 ok = (X509_load_cert_crl_file(ctx,X509_get_default_cert_file(),
110 X509_FILETYPE_PEM) != 0);
111
112 if (!ok)
113 {
114 X509err(X509_F_BY_FILE_CTRL,X509_R_LOADING_DEFAULTS);
115 }
116 }
117 else
118 {
119 if(argl == X509_FILETYPE_PEM)
120 ok = (X509_load_cert_crl_file(ctx,argp,
121 X509_FILETYPE_PEM) != 0);
122 else
123 ok = (X509_load_cert_file(ctx,argp,(int)argl) != 0);
124 }
125 break;
126 }
127 return(ok);
128 }
129
130int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type)
131 {
132 int ret=0;
133 BIO *in=NULL;
134 int i,count=0;
135 X509 *x=NULL;
136
137 if (file == NULL) return(1);
138 in=BIO_new(BIO_s_file_internal());
139
140 if ((in == NULL) || (BIO_read_filename(in,file) <= 0))
141 {
142 X509err(X509_F_X509_LOAD_CERT_FILE,ERR_R_SYS_LIB);
143 goto err;
144 }
145
146 if (type == X509_FILETYPE_PEM)
147 {
148 for (;;)
149 {
150 x=PEM_read_bio_X509_AUX(in,NULL,NULL,NULL);
151 if (x == NULL)
152 {
153 if ((ERR_GET_REASON(ERR_peek_last_error()) ==
154 PEM_R_NO_START_LINE) && (count > 0))
155 {
156 ERR_clear_error();
157 break;
158 }
159 else
160 {
161 X509err(X509_F_X509_LOAD_CERT_FILE,
162 ERR_R_PEM_LIB);
163 goto err;
164 }
165 }
166 i=X509_STORE_add_cert(ctx->store_ctx,x);
167 if (!i) goto err;
168 count++;
169 X509_free(x);
170 x=NULL;
171 }
172 ret=count;
173 }
174 else if (type == X509_FILETYPE_ASN1)
175 {
176 x=d2i_X509_bio(in,NULL);
177 if (x == NULL)
178 {
179 X509err(X509_F_X509_LOAD_CERT_FILE,ERR_R_ASN1_LIB);
180 goto err;
181 }
182 i=X509_STORE_add_cert(ctx->store_ctx,x);
183 if (!i) goto err;
184 ret=i;
185 }
186 else
187 {
188 X509err(X509_F_X509_LOAD_CERT_FILE,X509_R_BAD_X509_FILETYPE);
189 goto err;
190 }
191err:
192 if (x != NULL) X509_free(x);
193 if (in != NULL) BIO_free(in);
194 return(ret);
195 }
196
197int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type)
198 {
199 int ret=0;
200 BIO *in=NULL;
201 int i,count=0;
202 X509_CRL *x=NULL;
203
204 if (file == NULL) return(1);
205 in=BIO_new(BIO_s_file_internal());
206
207 if ((in == NULL) || (BIO_read_filename(in,file) <= 0))
208 {
209 X509err(X509_F_X509_LOAD_CRL_FILE,ERR_R_SYS_LIB);
210 goto err;
211 }
212
213 if (type == X509_FILETYPE_PEM)
214 {
215 for (;;)
216 {
217 x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
218 if (x == NULL)
219 {
220 if ((ERR_GET_REASON(ERR_peek_last_error()) ==
221 PEM_R_NO_START_LINE) && (count > 0))
222 {
223 ERR_clear_error();
224 break;
225 }
226 else
227 {
228 X509err(X509_F_X509_LOAD_CRL_FILE,
229 ERR_R_PEM_LIB);
230 goto err;
231 }
232 }
233 i=X509_STORE_add_crl(ctx->store_ctx,x);
234 if (!i) goto err;
235 count++;
236 X509_CRL_free(x);
237 x=NULL;
238 }
239 ret=count;
240 }
241 else if (type == X509_FILETYPE_ASN1)
242 {
243 x=d2i_X509_CRL_bio(in,NULL);
244 if (x == NULL)
245 {
246 X509err(X509_F_X509_LOAD_CRL_FILE,ERR_R_ASN1_LIB);
247 goto err;
248 }
249 i=X509_STORE_add_crl(ctx->store_ctx,x);
250 if (!i) goto err;
251 ret=i;
252 }
253 else
254 {
255 X509err(X509_F_X509_LOAD_CRL_FILE,X509_R_BAD_X509_FILETYPE);
256 goto err;
257 }
258err:
259 if (x != NULL) X509_CRL_free(x);
260 if (in != NULL) BIO_free(in);
261 return(ret);
262 }
263
264int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type)
265{
266 STACK_OF(X509_INFO) *inf;
267 X509_INFO *itmp;
268 BIO *in;
269 int i, count = 0;
270 if(type != X509_FILETYPE_PEM)
271 return X509_load_cert_file(ctx, file, type);
272 in = BIO_new_file(file, "r");
273 if(!in) {
274 X509err(X509_F_X509_LOAD_CERT_CRL_FILE,ERR_R_SYS_LIB);
275 return 0;
276 }
277 inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
278 BIO_free(in);
279 if(!inf) {
280 X509err(X509_F_X509_LOAD_CERT_CRL_FILE,ERR_R_PEM_LIB);
281 return 0;
282 }
283 for(i = 0; i < sk_X509_INFO_num(inf); i++) {
284 itmp = sk_X509_INFO_value(inf, i);
285 if(itmp->x509) {
286 X509_STORE_add_cert(ctx->store_ctx, itmp->x509);
287 count++;
288 }
289 if(itmp->crl) {
290 X509_STORE_add_crl(ctx->store_ctx, itmp->crl);
291 count++;
292 }
293 }
294 sk_X509_INFO_pop_free(inf, X509_INFO_free);
295 return count;
296}
297
298
299#endif /* OPENSSL_NO_STDIO */
300
diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
deleted file mode 100644
index 604f4fb27f..0000000000
--- a/src/lib/libcrypto/x509/x509.h
+++ /dev/null
@@ -1,1285 +0,0 @@
1/* crypto/x509/x509.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
60 * ECDH support in OpenSSL originally developed by
61 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
62 */
63
64#ifndef HEADER_X509_H
65#define HEADER_X509_H
66
67#include <openssl/e_os2.h>
68#include <openssl/symhacks.h>
69#ifndef OPENSSL_NO_BUFFER
70#include <openssl/buffer.h>
71#endif
72#ifndef OPENSSL_NO_EVP
73#include <openssl/evp.h>
74#endif
75#ifndef OPENSSL_NO_BIO
76#include <openssl/bio.h>
77#endif
78#include <openssl/stack.h>
79#include <openssl/asn1.h>
80#include <openssl/safestack.h>
81
82#ifndef OPENSSL_NO_EC
83#include <openssl/ec.h>
84#endif
85
86#ifndef OPENSSL_NO_ECDSA
87#include <openssl/ecdsa.h>
88#endif
89
90#ifndef OPENSSL_NO_ECDH
91#include <openssl/ecdh.h>
92#endif
93
94#ifndef OPENSSL_NO_DEPRECATED
95#ifndef OPENSSL_NO_RSA
96#include <openssl/rsa.h>
97#endif
98#ifndef OPENSSL_NO_DSA
99#include <openssl/dsa.h>
100#endif
101#ifndef OPENSSL_NO_DH
102#include <openssl/dh.h>
103#endif
104#endif
105
106#ifndef OPENSSL_NO_SHA
107#include <openssl/sha.h>
108#endif
109#include <openssl/ossl_typ.h>
110
111#ifdef __cplusplus
112extern "C" {
113#endif
114
115#ifdef OPENSSL_SYS_WIN32
116/* Under Win32 these are defined in wincrypt.h */
117#undef X509_NAME
118#undef X509_CERT_PAIR
119#undef X509_EXTENSIONS
120#endif
121
122#define X509_FILETYPE_PEM 1
123#define X509_FILETYPE_ASN1 2
124#define X509_FILETYPE_DEFAULT 3
125
126#define X509v3_KU_DIGITAL_SIGNATURE 0x0080
127#define X509v3_KU_NON_REPUDIATION 0x0040
128#define X509v3_KU_KEY_ENCIPHERMENT 0x0020
129#define X509v3_KU_DATA_ENCIPHERMENT 0x0010
130#define X509v3_KU_KEY_AGREEMENT 0x0008
131#define X509v3_KU_KEY_CERT_SIGN 0x0004
132#define X509v3_KU_CRL_SIGN 0x0002
133#define X509v3_KU_ENCIPHER_ONLY 0x0001
134#define X509v3_KU_DECIPHER_ONLY 0x8000
135#define X509v3_KU_UNDEF 0xffff
136
137typedef struct X509_objects_st
138 {
139 int nid;
140 int (*a2i)(void);
141 int (*i2a)(void);
142 } X509_OBJECTS;
143
144struct X509_algor_st
145 {
146 ASN1_OBJECT *algorithm;
147 ASN1_TYPE *parameter;
148 } /* X509_ALGOR */;
149
150DECLARE_ASN1_SET_OF(X509_ALGOR)
151
152typedef STACK_OF(X509_ALGOR) X509_ALGORS;
153
154typedef struct X509_val_st
155 {
156 ASN1_TIME *notBefore;
157 ASN1_TIME *notAfter;
158 } X509_VAL;
159
160struct X509_pubkey_st
161 {
162 X509_ALGOR *algor;
163 ASN1_BIT_STRING *public_key;
164 EVP_PKEY *pkey;
165 };
166
167typedef struct X509_sig_st
168 {
169 X509_ALGOR *algor;
170 ASN1_OCTET_STRING *digest;
171 } X509_SIG;
172
173typedef struct X509_name_entry_st
174 {
175 ASN1_OBJECT *object;
176 ASN1_STRING *value;
177 int set;
178 int size; /* temp variable */
179 } X509_NAME_ENTRY;
180
181DECLARE_STACK_OF(X509_NAME_ENTRY)
182DECLARE_ASN1_SET_OF(X509_NAME_ENTRY)
183
184/* we always keep X509_NAMEs in 2 forms. */
185struct X509_name_st
186 {
187 STACK_OF(X509_NAME_ENTRY) *entries;
188 int modified; /* true if 'bytes' needs to be built */
189#ifndef OPENSSL_NO_BUFFER
190 BUF_MEM *bytes;
191#else
192 char *bytes;
193#endif
194/* unsigned long hash; Keep the hash around for lookups */
195 unsigned char *canon_enc;
196 int canon_enclen;
197 } /* X509_NAME */;
198
199DECLARE_STACK_OF(X509_NAME)
200
201#define X509_EX_V_NETSCAPE_HACK 0x8000
202#define X509_EX_V_INIT 0x0001
203typedef struct X509_extension_st
204 {
205 ASN1_OBJECT *object;
206 ASN1_BOOLEAN critical;
207 ASN1_OCTET_STRING *value;
208 } X509_EXTENSION;
209
210typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS;
211
212DECLARE_STACK_OF(X509_EXTENSION)
213DECLARE_ASN1_SET_OF(X509_EXTENSION)
214
215/* a sequence of these are used */
216typedef struct x509_attributes_st
217 {
218 ASN1_OBJECT *object;
219 int single; /* 0 for a set, 1 for a single item (which is wrong) */
220 union {
221 char *ptr;
222/* 0 */ STACK_OF(ASN1_TYPE) *set;
223/* 1 */ ASN1_TYPE *single;
224 } value;
225 } X509_ATTRIBUTE;
226
227DECLARE_STACK_OF(X509_ATTRIBUTE)
228DECLARE_ASN1_SET_OF(X509_ATTRIBUTE)
229
230
231typedef struct X509_req_info_st
232 {
233 ASN1_ENCODING enc;
234 ASN1_INTEGER *version;
235 X509_NAME *subject;
236 X509_PUBKEY *pubkey;
237 /* d=2 hl=2 l= 0 cons: cont: 00 */
238 STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */
239 } X509_REQ_INFO;
240
241typedef struct X509_req_st
242 {
243 X509_REQ_INFO *req_info;
244 X509_ALGOR *sig_alg;
245 ASN1_BIT_STRING *signature;
246 int references;
247 } X509_REQ;
248
249typedef struct x509_cinf_st
250 {
251 ASN1_INTEGER *version; /* [ 0 ] default of v1 */
252 ASN1_INTEGER *serialNumber;
253 X509_ALGOR *signature;
254 X509_NAME *issuer;
255 X509_VAL *validity;
256 X509_NAME *subject;
257 X509_PUBKEY *key;
258 ASN1_BIT_STRING *issuerUID; /* [ 1 ] optional in v2 */
259 ASN1_BIT_STRING *subjectUID; /* [ 2 ] optional in v2 */
260 STACK_OF(X509_EXTENSION) *extensions; /* [ 3 ] optional in v3 */
261 } X509_CINF;
262
263/* This stuff is certificate "auxiliary info"
264 * it contains details which are useful in certificate
265 * stores and databases. When used this is tagged onto
266 * the end of the certificate itself
267 */
268
269typedef struct x509_cert_aux_st
270 {
271 STACK_OF(ASN1_OBJECT) *trust; /* trusted uses */
272 STACK_OF(ASN1_OBJECT) *reject; /* rejected uses */
273 ASN1_UTF8STRING *alias; /* "friendly name" */
274 ASN1_OCTET_STRING *keyid; /* key id of private key */
275 STACK_OF(X509_ALGOR) *other; /* other unspecified info */
276 } X509_CERT_AUX;
277
278struct x509_st
279 {
280 X509_CINF *cert_info;
281 X509_ALGOR *sig_alg;
282 ASN1_BIT_STRING *signature;
283 int valid;
284 int references;
285 char *name;
286 CRYPTO_EX_DATA ex_data;
287 /* These contain copies of various extension values */
288 long ex_pathlen;
289 long ex_pcpathlen;
290 unsigned long ex_flags;
291 unsigned long ex_kusage;
292 unsigned long ex_xkusage;
293 unsigned long ex_nscert;
294 ASN1_OCTET_STRING *skid;
295 AUTHORITY_KEYID *akid;
296 X509_POLICY_CACHE *policy_cache;
297 STACK_OF(DIST_POINT) *crldp;
298 STACK_OF(GENERAL_NAME) *altname;
299 NAME_CONSTRAINTS *nc;
300#ifndef OPENSSL_NO_RFC3779
301 STACK_OF(IPAddressFamily) *rfc3779_addr;
302 struct ASIdentifiers_st *rfc3779_asid;
303#endif
304#ifndef OPENSSL_NO_SHA
305 unsigned char sha1_hash[SHA_DIGEST_LENGTH];
306#endif
307 X509_CERT_AUX *aux;
308 } /* X509 */;
309
310DECLARE_STACK_OF(X509)
311DECLARE_ASN1_SET_OF(X509)
312
313/* This is used for a table of trust checking functions */
314
315typedef struct x509_trust_st {
316 int trust;
317 int flags;
318 int (*check_trust)(struct x509_trust_st *, X509 *, int);
319 char *name;
320 int arg1;
321 void *arg2;
322} X509_TRUST;
323
324DECLARE_STACK_OF(X509_TRUST)
325
326typedef struct x509_cert_pair_st {
327 X509 *forward;
328 X509 *reverse;
329} X509_CERT_PAIR;
330
331/* standard trust ids */
332
333#define X509_TRUST_DEFAULT -1 /* Only valid in purpose settings */
334
335#define X509_TRUST_COMPAT 1
336#define X509_TRUST_SSL_CLIENT 2
337#define X509_TRUST_SSL_SERVER 3
338#define X509_TRUST_EMAIL 4
339#define X509_TRUST_OBJECT_SIGN 5
340#define X509_TRUST_OCSP_SIGN 6
341#define X509_TRUST_OCSP_REQUEST 7
342#define X509_TRUST_TSA 8
343
344/* Keep these up to date! */
345#define X509_TRUST_MIN 1
346#define X509_TRUST_MAX 8
347
348
349/* trust_flags values */
350#define X509_TRUST_DYNAMIC 1
351#define X509_TRUST_DYNAMIC_NAME 2
352
353/* check_trust return codes */
354
355#define X509_TRUST_TRUSTED 1
356#define X509_TRUST_REJECTED 2
357#define X509_TRUST_UNTRUSTED 3
358
359/* Flags for X509_print_ex() */
360
361#define X509_FLAG_COMPAT 0
362#define X509_FLAG_NO_HEADER 1L
363#define X509_FLAG_NO_VERSION (1L << 1)
364#define X509_FLAG_NO_SERIAL (1L << 2)
365#define X509_FLAG_NO_SIGNAME (1L << 3)
366#define X509_FLAG_NO_ISSUER (1L << 4)
367#define X509_FLAG_NO_VALIDITY (1L << 5)
368#define X509_FLAG_NO_SUBJECT (1L << 6)
369#define X509_FLAG_NO_PUBKEY (1L << 7)
370#define X509_FLAG_NO_EXTENSIONS (1L << 8)
371#define X509_FLAG_NO_SIGDUMP (1L << 9)
372#define X509_FLAG_NO_AUX (1L << 10)
373#define X509_FLAG_NO_ATTRIBUTES (1L << 11)
374
375/* Flags specific to X509_NAME_print_ex() */
376
377/* The field separator information */
378
379#define XN_FLAG_SEP_MASK (0xf << 16)
380
381#define XN_FLAG_COMPAT 0 /* Traditional SSLeay: use old X509_NAME_print */
382#define XN_FLAG_SEP_COMMA_PLUS (1 << 16) /* RFC2253 ,+ */
383#define XN_FLAG_SEP_CPLUS_SPC (2 << 16) /* ,+ spaced: more readable */
384#define XN_FLAG_SEP_SPLUS_SPC (3 << 16) /* ;+ spaced */
385#define XN_FLAG_SEP_MULTILINE (4 << 16) /* One line per field */
386
387#define XN_FLAG_DN_REV (1 << 20) /* Reverse DN order */
388
389/* How the field name is shown */
390
391#define XN_FLAG_FN_MASK (0x3 << 21)
392
393#define XN_FLAG_FN_SN 0 /* Object short name */
394#define XN_FLAG_FN_LN (1 << 21) /* Object long name */
395#define XN_FLAG_FN_OID (2 << 21) /* Always use OIDs */
396#define XN_FLAG_FN_NONE (3 << 21) /* No field names */
397
398#define XN_FLAG_SPC_EQ (1 << 23) /* Put spaces round '=' */
399
400/* This determines if we dump fields we don't recognise:
401 * RFC2253 requires this.
402 */
403
404#define XN_FLAG_DUMP_UNKNOWN_FIELDS (1 << 24)
405
406#define XN_FLAG_FN_ALIGN (1 << 25) /* Align field names to 20 characters */
407
408/* Complete set of RFC2253 flags */
409
410#define XN_FLAG_RFC2253 (ASN1_STRFLGS_RFC2253 | \
411 XN_FLAG_SEP_COMMA_PLUS | \
412 XN_FLAG_DN_REV | \
413 XN_FLAG_FN_SN | \
414 XN_FLAG_DUMP_UNKNOWN_FIELDS)
415
416/* readable oneline form */
417
418#define XN_FLAG_ONELINE (ASN1_STRFLGS_RFC2253 | \
419 ASN1_STRFLGS_ESC_QUOTE | \
420 XN_FLAG_SEP_CPLUS_SPC | \
421 XN_FLAG_SPC_EQ | \
422 XN_FLAG_FN_SN)
423
424/* readable multiline form */
425
426#define XN_FLAG_MULTILINE (ASN1_STRFLGS_ESC_CTRL | \
427 ASN1_STRFLGS_ESC_MSB | \
428 XN_FLAG_SEP_MULTILINE | \
429 XN_FLAG_SPC_EQ | \
430 XN_FLAG_FN_LN | \
431 XN_FLAG_FN_ALIGN)
432
433struct x509_revoked_st
434 {
435 ASN1_INTEGER *serialNumber;
436 ASN1_TIME *revocationDate;
437 STACK_OF(X509_EXTENSION) /* optional */ *extensions;
438 /* Set up if indirect CRL */
439 STACK_OF(GENERAL_NAME) *issuer;
440 /* Revocation reason */
441 int reason;
442 int sequence; /* load sequence */
443 };
444
445DECLARE_STACK_OF(X509_REVOKED)
446DECLARE_ASN1_SET_OF(X509_REVOKED)
447
448typedef struct X509_crl_info_st
449 {
450 ASN1_INTEGER *version;
451 X509_ALGOR *sig_alg;
452 X509_NAME *issuer;
453 ASN1_TIME *lastUpdate;
454 ASN1_TIME *nextUpdate;
455 STACK_OF(X509_REVOKED) *revoked;
456 STACK_OF(X509_EXTENSION) /* [0] */ *extensions;
457 ASN1_ENCODING enc;
458 } X509_CRL_INFO;
459
460struct X509_crl_st
461 {
462 /* actual signature */
463 X509_CRL_INFO *crl;
464 X509_ALGOR *sig_alg;
465 ASN1_BIT_STRING *signature;
466 int references;
467 int flags;
468 /* Copies of various extensions */
469 AUTHORITY_KEYID *akid;
470 ISSUING_DIST_POINT *idp;
471 /* Convenient breakdown of IDP */
472 int idp_flags;
473 int idp_reasons;
474 /* CRL and base CRL numbers for delta processing */
475 ASN1_INTEGER *crl_number;
476 ASN1_INTEGER *base_crl_number;
477#ifndef OPENSSL_NO_SHA
478 unsigned char sha1_hash[SHA_DIGEST_LENGTH];
479#endif
480 STACK_OF(GENERAL_NAMES) *issuers;
481 const X509_CRL_METHOD *meth;
482 void *meth_data;
483 } /* X509_CRL */;
484
485DECLARE_STACK_OF(X509_CRL)
486DECLARE_ASN1_SET_OF(X509_CRL)
487
488typedef struct private_key_st
489 {
490 int version;
491 /* The PKCS#8 data types */
492 X509_ALGOR *enc_algor;
493 ASN1_OCTET_STRING *enc_pkey; /* encrypted pub key */
494
495 /* When decrypted, the following will not be NULL */
496 EVP_PKEY *dec_pkey;
497
498 /* used to encrypt and decrypt */
499 int key_length;
500 char *key_data;
501 int key_free; /* true if we should auto free key_data */
502
503 /* expanded version of 'enc_algor' */
504 EVP_CIPHER_INFO cipher;
505
506 int references;
507 } X509_PKEY;
508
509#ifndef OPENSSL_NO_EVP
510typedef struct X509_info_st
511 {
512 X509 *x509;
513 X509_CRL *crl;
514 X509_PKEY *x_pkey;
515
516 EVP_CIPHER_INFO enc_cipher;
517 int enc_len;
518 char *enc_data;
519
520 int references;
521 } X509_INFO;
522
523DECLARE_STACK_OF(X509_INFO)
524#endif
525
526/* The next 2 structures and their 8 routines were sent to me by
527 * Pat Richard <patr@x509.com> and are used to manipulate
528 * Netscapes spki structures - useful if you are writing a CA web page
529 */
530typedef struct Netscape_spkac_st
531 {
532 X509_PUBKEY *pubkey;
533 ASN1_IA5STRING *challenge; /* challenge sent in atlas >= PR2 */
534 } NETSCAPE_SPKAC;
535
536typedef struct Netscape_spki_st
537 {
538 NETSCAPE_SPKAC *spkac; /* signed public key and challenge */
539 X509_ALGOR *sig_algor;
540 ASN1_BIT_STRING *signature;
541 } NETSCAPE_SPKI;
542
543/* Netscape certificate sequence structure */
544typedef struct Netscape_certificate_sequence
545 {
546 ASN1_OBJECT *type;
547 STACK_OF(X509) *certs;
548 } NETSCAPE_CERT_SEQUENCE;
549
550/* Unused (and iv length is wrong)
551typedef struct CBCParameter_st
552 {
553 unsigned char iv[8];
554 } CBC_PARAM;
555*/
556
557/* Password based encryption structure */
558
559typedef struct PBEPARAM_st {
560ASN1_OCTET_STRING *salt;
561ASN1_INTEGER *iter;
562} PBEPARAM;
563
564/* Password based encryption V2 structures */
565
566typedef struct PBE2PARAM_st {
567X509_ALGOR *keyfunc;
568X509_ALGOR *encryption;
569} PBE2PARAM;
570
571typedef struct PBKDF2PARAM_st {
572ASN1_TYPE *salt; /* Usually OCTET STRING but could be anything */
573ASN1_INTEGER *iter;
574ASN1_INTEGER *keylength;
575X509_ALGOR *prf;
576} PBKDF2PARAM;
577
578
579/* PKCS#8 private key info structure */
580
581struct pkcs8_priv_key_info_st
582 {
583 int broken; /* Flag for various broken formats */
584#define PKCS8_OK 0
585#define PKCS8_NO_OCTET 1
586#define PKCS8_EMBEDDED_PARAM 2
587#define PKCS8_NS_DB 3
588#define PKCS8_NEG_PRIVKEY 4
589 ASN1_INTEGER *version;
590 X509_ALGOR *pkeyalg;
591 ASN1_TYPE *pkey; /* Should be OCTET STRING but some are broken */
592 STACK_OF(X509_ATTRIBUTE) *attributes;
593 };
594
595#ifdef __cplusplus
596}
597#endif
598
599#include <openssl/x509_vfy.h>
600#include <openssl/pkcs7.h>
601
602#ifdef __cplusplus
603extern "C" {
604#endif
605
606#define X509_EXT_PACK_UNKNOWN 1
607#define X509_EXT_PACK_STRING 2
608
609#define X509_get_version(x) ASN1_INTEGER_get((x)->cert_info->version)
610/* #define X509_get_serialNumber(x) ((x)->cert_info->serialNumber) */
611#define X509_get_notBefore(x) ((x)->cert_info->validity->notBefore)
612#define X509_get_notAfter(x) ((x)->cert_info->validity->notAfter)
613#define X509_extract_key(x) X509_get_pubkey(x) /*****/
614#define X509_REQ_get_version(x) ASN1_INTEGER_get((x)->req_info->version)
615#define X509_REQ_get_subject_name(x) ((x)->req_info->subject)
616#define X509_REQ_extract_key(a) X509_REQ_get_pubkey(a)
617#define X509_name_cmp(a,b) X509_NAME_cmp((a),(b))
618#define X509_get_signature_type(x) EVP_PKEY_type(OBJ_obj2nid((x)->sig_alg->algorithm))
619
620#define X509_CRL_get_version(x) ASN1_INTEGER_get((x)->crl->version)
621#define X509_CRL_get_lastUpdate(x) ((x)->crl->lastUpdate)
622#define X509_CRL_get_nextUpdate(x) ((x)->crl->nextUpdate)
623#define X509_CRL_get_issuer(x) ((x)->crl->issuer)
624#define X509_CRL_get_REVOKED(x) ((x)->crl->revoked)
625
626void X509_CRL_set_default_method(const X509_CRL_METHOD *meth);
627X509_CRL_METHOD *X509_CRL_METHOD_new(
628 int (*crl_init)(X509_CRL *crl),
629 int (*crl_free)(X509_CRL *crl),
630 int (*crl_lookup)(X509_CRL *crl, X509_REVOKED **ret,
631 ASN1_INTEGER *ser, X509_NAME *issuer),
632 int (*crl_verify)(X509_CRL *crl, EVP_PKEY *pk));
633void X509_CRL_METHOD_free(X509_CRL_METHOD *m);
634
635void X509_CRL_set_meth_data(X509_CRL *crl, void *dat);
636void *X509_CRL_get_meth_data(X509_CRL *crl);
637
638/* This one is only used so that a binary form can output, as in
639 * i2d_X509_NAME(X509_get_X509_PUBKEY(x),&buf) */
640#define X509_get_X509_PUBKEY(x) ((x)->cert_info->key)
641
642
643const char *X509_verify_cert_error_string(long n);
644
645#ifndef OPENSSL_NO_EVP
646int X509_verify(X509 *a, EVP_PKEY *r);
647
648int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r);
649int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r);
650int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r);
651
652NETSCAPE_SPKI * NETSCAPE_SPKI_b64_decode(const char *str, int len);
653char * NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *x);
654EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *x);
655int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey);
656
657int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki);
658
659int X509_signature_print(BIO *bp,X509_ALGOR *alg, ASN1_STRING *sig);
660
661int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
662int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
663int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
664int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md);
665
666int X509_pubkey_digest(const X509 *data,const EVP_MD *type,
667 unsigned char *md, unsigned int *len);
668int X509_digest(const X509 *data,const EVP_MD *type,
669 unsigned char *md, unsigned int *len);
670int X509_CRL_digest(const X509_CRL *data,const EVP_MD *type,
671 unsigned char *md, unsigned int *len);
672int X509_REQ_digest(const X509_REQ *data,const EVP_MD *type,
673 unsigned char *md, unsigned int *len);
674int X509_NAME_digest(const X509_NAME *data,const EVP_MD *type,
675 unsigned char *md, unsigned int *len);
676#endif
677
678#ifndef OPENSSL_NO_FP_API
679X509 *d2i_X509_fp(FILE *fp, X509 **x509);
680int i2d_X509_fp(FILE *fp,X509 *x509);
681X509_CRL *d2i_X509_CRL_fp(FILE *fp,X509_CRL **crl);
682int i2d_X509_CRL_fp(FILE *fp,X509_CRL *crl);
683X509_REQ *d2i_X509_REQ_fp(FILE *fp,X509_REQ **req);
684int i2d_X509_REQ_fp(FILE *fp,X509_REQ *req);
685#ifndef OPENSSL_NO_RSA
686RSA *d2i_RSAPrivateKey_fp(FILE *fp,RSA **rsa);
687int i2d_RSAPrivateKey_fp(FILE *fp,RSA *rsa);
688RSA *d2i_RSAPublicKey_fp(FILE *fp,RSA **rsa);
689int i2d_RSAPublicKey_fp(FILE *fp,RSA *rsa);
690RSA *d2i_RSA_PUBKEY_fp(FILE *fp,RSA **rsa);
691int i2d_RSA_PUBKEY_fp(FILE *fp,RSA *rsa);
692#endif
693#ifndef OPENSSL_NO_DSA
694DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa);
695int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa);
696DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa);
697int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa);
698#endif
699#ifndef OPENSSL_NO_EC
700EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey);
701int i2d_EC_PUBKEY_fp(FILE *fp, EC_KEY *eckey);
702EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey);
703int i2d_ECPrivateKey_fp(FILE *fp, EC_KEY *eckey);
704#endif
705X509_SIG *d2i_PKCS8_fp(FILE *fp,X509_SIG **p8);
706int i2d_PKCS8_fp(FILE *fp,X509_SIG *p8);
707PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,
708 PKCS8_PRIV_KEY_INFO **p8inf);
709int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,PKCS8_PRIV_KEY_INFO *p8inf);
710int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key);
711int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey);
712EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a);
713int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey);
714EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a);
715#endif
716
717#ifndef OPENSSL_NO_BIO
718X509 *d2i_X509_bio(BIO *bp,X509 **x509);
719int i2d_X509_bio(BIO *bp,X509 *x509);
720X509_CRL *d2i_X509_CRL_bio(BIO *bp,X509_CRL **crl);
721int i2d_X509_CRL_bio(BIO *bp,X509_CRL *crl);
722X509_REQ *d2i_X509_REQ_bio(BIO *bp,X509_REQ **req);
723int i2d_X509_REQ_bio(BIO *bp,X509_REQ *req);
724#ifndef OPENSSL_NO_RSA
725RSA *d2i_RSAPrivateKey_bio(BIO *bp,RSA **rsa);
726int i2d_RSAPrivateKey_bio(BIO *bp,RSA *rsa);
727RSA *d2i_RSAPublicKey_bio(BIO *bp,RSA **rsa);
728int i2d_RSAPublicKey_bio(BIO *bp,RSA *rsa);
729RSA *d2i_RSA_PUBKEY_bio(BIO *bp,RSA **rsa);
730int i2d_RSA_PUBKEY_bio(BIO *bp,RSA *rsa);
731#endif
732#ifndef OPENSSL_NO_DSA
733DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa);
734int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa);
735DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa);
736int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa);
737#endif
738#ifndef OPENSSL_NO_EC
739EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey);
740int i2d_EC_PUBKEY_bio(BIO *bp, EC_KEY *eckey);
741EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey);
742int i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey);
743#endif
744X509_SIG *d2i_PKCS8_bio(BIO *bp,X509_SIG **p8);
745int i2d_PKCS8_bio(BIO *bp,X509_SIG *p8);
746PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
747 PKCS8_PRIV_KEY_INFO **p8inf);
748int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,PKCS8_PRIV_KEY_INFO *p8inf);
749int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key);
750int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey);
751EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a);
752int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey);
753EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a);
754#endif
755
756X509 *X509_dup(X509 *x509);
757X509_ATTRIBUTE *X509_ATTRIBUTE_dup(X509_ATTRIBUTE *xa);
758X509_EXTENSION *X509_EXTENSION_dup(X509_EXTENSION *ex);
759X509_CRL *X509_CRL_dup(X509_CRL *crl);
760X509_REQ *X509_REQ_dup(X509_REQ *req);
761X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn);
762int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *aobj, int ptype, void *pval);
763void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval,
764 X509_ALGOR *algor);
765
766X509_NAME *X509_NAME_dup(X509_NAME *xn);
767X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne);
768
769int X509_cmp_time(const ASN1_TIME *s, time_t *t);
770int X509_cmp_current_time(const ASN1_TIME *s);
771ASN1_TIME * X509_time_adj(ASN1_TIME *s, long adj, time_t *t);
772ASN1_TIME * X509_time_adj_ex(ASN1_TIME *s,
773 int offset_day, long offset_sec, time_t *t);
774ASN1_TIME * X509_gmtime_adj(ASN1_TIME *s, long adj);
775
776const char * X509_get_default_cert_area(void );
777const char * X509_get_default_cert_dir(void );
778const char * X509_get_default_cert_file(void );
779const char * X509_get_default_cert_dir_env(void );
780const char * X509_get_default_cert_file_env(void );
781const char * X509_get_default_private_dir(void );
782
783X509_REQ * X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
784X509 * X509_REQ_to_X509(X509_REQ *r, int days,EVP_PKEY *pkey);
785
786DECLARE_ASN1_FUNCTIONS(X509_ALGOR)
787DECLARE_ASN1_ENCODE_FUNCTIONS(X509_ALGORS, X509_ALGORS, X509_ALGORS)
788DECLARE_ASN1_FUNCTIONS(X509_VAL)
789
790DECLARE_ASN1_FUNCTIONS(X509_PUBKEY)
791
792int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey);
793EVP_PKEY * X509_PUBKEY_get(X509_PUBKEY *key);
794int X509_get_pubkey_parameters(EVP_PKEY *pkey,
795 STACK_OF(X509) *chain);
796int i2d_PUBKEY(EVP_PKEY *a,unsigned char **pp);
797EVP_PKEY * d2i_PUBKEY(EVP_PKEY **a,const unsigned char **pp,
798 long length);
799#ifndef OPENSSL_NO_RSA
800int i2d_RSA_PUBKEY(RSA *a,unsigned char **pp);
801RSA * d2i_RSA_PUBKEY(RSA **a,const unsigned char **pp,
802 long length);
803#endif
804#ifndef OPENSSL_NO_DSA
805int i2d_DSA_PUBKEY(DSA *a,unsigned char **pp);
806DSA * d2i_DSA_PUBKEY(DSA **a,const unsigned char **pp,
807 long length);
808#endif
809#ifndef OPENSSL_NO_EC
810int i2d_EC_PUBKEY(EC_KEY *a, unsigned char **pp);
811EC_KEY *d2i_EC_PUBKEY(EC_KEY **a, const unsigned char **pp,
812 long length);
813#endif
814
815DECLARE_ASN1_FUNCTIONS(X509_SIG)
816DECLARE_ASN1_FUNCTIONS(X509_REQ_INFO)
817DECLARE_ASN1_FUNCTIONS(X509_REQ)
818
819DECLARE_ASN1_FUNCTIONS(X509_ATTRIBUTE)
820X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int atrtype, void *value);
821
822DECLARE_ASN1_FUNCTIONS(X509_EXTENSION)
823DECLARE_ASN1_ENCODE_FUNCTIONS(X509_EXTENSIONS, X509_EXTENSIONS, X509_EXTENSIONS)
824
825DECLARE_ASN1_FUNCTIONS(X509_NAME_ENTRY)
826
827DECLARE_ASN1_FUNCTIONS(X509_NAME)
828
829int X509_NAME_set(X509_NAME **xn, X509_NAME *name);
830
831DECLARE_ASN1_FUNCTIONS(X509_CINF)
832
833DECLARE_ASN1_FUNCTIONS(X509)
834DECLARE_ASN1_FUNCTIONS(X509_CERT_AUX)
835
836DECLARE_ASN1_FUNCTIONS(X509_CERT_PAIR)
837
838int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
839 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
840int X509_set_ex_data(X509 *r, int idx, void *arg);
841void *X509_get_ex_data(X509 *r, int idx);
842int i2d_X509_AUX(X509 *a,unsigned char **pp);
843X509 * d2i_X509_AUX(X509 **a,const unsigned char **pp,long length);
844
845int X509_alias_set1(X509 *x, unsigned char *name, int len);
846int X509_keyid_set1(X509 *x, unsigned char *id, int len);
847unsigned char * X509_alias_get0(X509 *x, int *len);
848unsigned char * X509_keyid_get0(X509 *x, int *len);
849int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int);
850int X509_TRUST_set(int *t, int trust);
851int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj);
852int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj);
853void X509_trust_clear(X509 *x);
854void X509_reject_clear(X509 *x);
855
856DECLARE_ASN1_FUNCTIONS(X509_REVOKED)
857DECLARE_ASN1_FUNCTIONS(X509_CRL_INFO)
858DECLARE_ASN1_FUNCTIONS(X509_CRL)
859
860int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
861int X509_CRL_get0_by_serial(X509_CRL *crl,
862 X509_REVOKED **ret, ASN1_INTEGER *serial);
863int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x);
864
865X509_PKEY * X509_PKEY_new(void );
866void X509_PKEY_free(X509_PKEY *a);
867int i2d_X509_PKEY(X509_PKEY *a,unsigned char **pp);
868X509_PKEY * d2i_X509_PKEY(X509_PKEY **a,const unsigned char **pp,long length);
869
870DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKI)
871DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKAC)
872DECLARE_ASN1_FUNCTIONS(NETSCAPE_CERT_SEQUENCE)
873
874#ifndef OPENSSL_NO_EVP
875X509_INFO * X509_INFO_new(void);
876void X509_INFO_free(X509_INFO *a);
877char * X509_NAME_oneline(X509_NAME *a,char *buf,int size);
878
879int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *algor1,
880 ASN1_BIT_STRING *signature,char *data,EVP_PKEY *pkey);
881
882int ASN1_digest(i2d_of_void *i2d,const EVP_MD *type,char *data,
883 unsigned char *md,unsigned int *len);
884
885int ASN1_sign(i2d_of_void *i2d, X509_ALGOR *algor1,
886 X509_ALGOR *algor2, ASN1_BIT_STRING *signature,
887 char *data,EVP_PKEY *pkey, const EVP_MD *type);
888
889int ASN1_item_digest(const ASN1_ITEM *it,const EVP_MD *type,void *data,
890 unsigned char *md,unsigned int *len);
891
892int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *algor1,
893 ASN1_BIT_STRING *signature,void *data,EVP_PKEY *pkey);
894
895int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
896 ASN1_BIT_STRING *signature,
897 void *data, EVP_PKEY *pkey, const EVP_MD *type);
898#endif
899
900int X509_set_version(X509 *x,long version);
901int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial);
902ASN1_INTEGER * X509_get_serialNumber(X509 *x);
903int X509_set_issuer_name(X509 *x, X509_NAME *name);
904X509_NAME * X509_get_issuer_name(X509 *a);
905int X509_set_subject_name(X509 *x, X509_NAME *name);
906X509_NAME * X509_get_subject_name(X509 *a);
907int X509_set_notBefore(X509 *x, const ASN1_TIME *tm);
908int X509_set_notAfter(X509 *x, const ASN1_TIME *tm);
909int X509_set_pubkey(X509 *x, EVP_PKEY *pkey);
910EVP_PKEY * X509_get_pubkey(X509 *x);
911ASN1_BIT_STRING * X509_get0_pubkey_bitstr(const X509 *x);
912int X509_certificate_type(X509 *x,EVP_PKEY *pubkey /* optional */);
913
914int X509_REQ_set_version(X509_REQ *x,long version);
915int X509_REQ_set_subject_name(X509_REQ *req,X509_NAME *name);
916int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey);
917EVP_PKEY * X509_REQ_get_pubkey(X509_REQ *req);
918int X509_REQ_extension_nid(int nid);
919int * X509_REQ_get_extension_nids(void);
920void X509_REQ_set_extension_nids(int *nids);
921STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req);
922int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts,
923 int nid);
924int X509_REQ_add_extensions(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts);
925int X509_REQ_get_attr_count(const X509_REQ *req);
926int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid,
927 int lastpos);
928int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, ASN1_OBJECT *obj,
929 int lastpos);
930X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc);
931X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc);
932int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr);
933int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
934 const ASN1_OBJECT *obj, int type,
935 const unsigned char *bytes, int len);
936int X509_REQ_add1_attr_by_NID(X509_REQ *req,
937 int nid, int type,
938 const unsigned char *bytes, int len);
939int X509_REQ_add1_attr_by_txt(X509_REQ *req,
940 const char *attrname, int type,
941 const unsigned char *bytes, int len);
942
943int X509_CRL_set_version(X509_CRL *x, long version);
944int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name);
945int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm);
946int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm);
947int X509_CRL_sort(X509_CRL *crl);
948
949int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial);
950int X509_REVOKED_set_revocationDate(X509_REVOKED *r, ASN1_TIME *tm);
951
952int X509_REQ_check_private_key(X509_REQ *x509,EVP_PKEY *pkey);
953
954int X509_check_private_key(X509 *x509,EVP_PKEY *pkey);
955
956int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b);
957unsigned long X509_issuer_and_serial_hash(X509 *a);
958
959int X509_issuer_name_cmp(const X509 *a, const X509 *b);
960unsigned long X509_issuer_name_hash(X509 *a);
961
962int X509_subject_name_cmp(const X509 *a, const X509 *b);
963unsigned long X509_subject_name_hash(X509 *x);
964
965#ifndef OPENSSL_NO_MD5
966unsigned long X509_issuer_name_hash_old(X509 *a);
967unsigned long X509_subject_name_hash_old(X509 *x);
968#endif
969
970int X509_cmp(const X509 *a, const X509 *b);
971int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b);
972unsigned long X509_NAME_hash(X509_NAME *x);
973unsigned long X509_NAME_hash_old(X509_NAME *x);
974
975int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b);
976int X509_CRL_match(const X509_CRL *a, const X509_CRL *b);
977#ifndef OPENSSL_NO_FP_API
978int X509_print_ex_fp(FILE *bp,X509 *x, unsigned long nmflag, unsigned long cflag);
979int X509_print_fp(FILE *bp,X509 *x);
980int X509_CRL_print_fp(FILE *bp,X509_CRL *x);
981int X509_REQ_print_fp(FILE *bp,X509_REQ *req);
982int X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long flags);
983#endif
984
985#ifndef OPENSSL_NO_BIO
986int X509_NAME_print(BIO *bp, X509_NAME *name, int obase);
987int X509_NAME_print_ex(BIO *out, X509_NAME *nm, int indent, unsigned long flags);
988int X509_print_ex(BIO *bp,X509 *x, unsigned long nmflag, unsigned long cflag);
989int X509_print(BIO *bp,X509 *x);
990int X509_ocspid_print(BIO *bp,X509 *x);
991int X509_CERT_AUX_print(BIO *bp,X509_CERT_AUX *x, int indent);
992int X509_CRL_print(BIO *bp,X509_CRL *x);
993int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflag, unsigned long cflag);
994int X509_REQ_print(BIO *bp,X509_REQ *req);
995#endif
996
997int X509_NAME_entry_count(X509_NAME *name);
998int X509_NAME_get_text_by_NID(X509_NAME *name, int nid,
999 char *buf,int len);
1000int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj,
1001 char *buf,int len);
1002
1003/* NOTE: you should be passsing -1, not 0 as lastpos. The functions that use
1004 * lastpos, search after that position on. */
1005int X509_NAME_get_index_by_NID(X509_NAME *name,int nid,int lastpos);
1006int X509_NAME_get_index_by_OBJ(X509_NAME *name,ASN1_OBJECT *obj,
1007 int lastpos);
1008X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc);
1009X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc);
1010int X509_NAME_add_entry(X509_NAME *name,X509_NAME_ENTRY *ne,
1011 int loc, int set);
1012int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type,
1013 unsigned char *bytes, int len, int loc, int set);
1014int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
1015 unsigned char *bytes, int len, int loc, int set);
1016X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
1017 const char *field, int type, const unsigned char *bytes, int len);
1018X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
1019 int type,unsigned char *bytes, int len);
1020int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type,
1021 const unsigned char *bytes, int len, int loc, int set);
1022X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
1023 ASN1_OBJECT *obj, int type,const unsigned char *bytes,
1024 int len);
1025int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne,
1026 ASN1_OBJECT *obj);
1027int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
1028 const unsigned char *bytes, int len);
1029ASN1_OBJECT * X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne);
1030ASN1_STRING * X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne);
1031
1032int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x);
1033int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x,
1034 int nid, int lastpos);
1035int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *x,
1036 ASN1_OBJECT *obj,int lastpos);
1037int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *x,
1038 int crit, int lastpos);
1039X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc);
1040X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc);
1041STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x,
1042 X509_EXTENSION *ex, int loc);
1043
1044int X509_get_ext_count(X509 *x);
1045int X509_get_ext_by_NID(X509 *x, int nid, int lastpos);
1046int X509_get_ext_by_OBJ(X509 *x,ASN1_OBJECT *obj,int lastpos);
1047int X509_get_ext_by_critical(X509 *x, int crit, int lastpos);
1048X509_EXTENSION *X509_get_ext(X509 *x, int loc);
1049X509_EXTENSION *X509_delete_ext(X509 *x, int loc);
1050int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);
1051void * X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx);
1052int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
1053 unsigned long flags);
1054
1055int X509_CRL_get_ext_count(X509_CRL *x);
1056int X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int lastpos);
1057int X509_CRL_get_ext_by_OBJ(X509_CRL *x,ASN1_OBJECT *obj,int lastpos);
1058int X509_CRL_get_ext_by_critical(X509_CRL *x, int crit, int lastpos);
1059X509_EXTENSION *X509_CRL_get_ext(X509_CRL *x, int loc);
1060X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc);
1061int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc);
1062void * X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx);
1063int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, int crit,
1064 unsigned long flags);
1065
1066int X509_REVOKED_get_ext_count(X509_REVOKED *x);
1067int X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int lastpos);
1068int X509_REVOKED_get_ext_by_OBJ(X509_REVOKED *x,ASN1_OBJECT *obj,int lastpos);
1069int X509_REVOKED_get_ext_by_critical(X509_REVOKED *x, int crit, int lastpos);
1070X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *x, int loc);
1071X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc);
1072int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc);
1073void * X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx);
1074int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, void *value, int crit,
1075 unsigned long flags);
1076
1077X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex,
1078 int nid, int crit, ASN1_OCTET_STRING *data);
1079X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex,
1080 ASN1_OBJECT *obj,int crit,ASN1_OCTET_STRING *data);
1081int X509_EXTENSION_set_object(X509_EXTENSION *ex,ASN1_OBJECT *obj);
1082int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit);
1083int X509_EXTENSION_set_data(X509_EXTENSION *ex,
1084 ASN1_OCTET_STRING *data);
1085ASN1_OBJECT * X509_EXTENSION_get_object(X509_EXTENSION *ex);
1086ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ne);
1087int X509_EXTENSION_get_critical(X509_EXTENSION *ex);
1088
1089int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x);
1090int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, int nid,
1091 int lastpos);
1092int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, ASN1_OBJECT *obj,
1093 int lastpos);
1094X509_ATTRIBUTE *X509at_get_attr(const STACK_OF(X509_ATTRIBUTE) *x, int loc);
1095X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, int loc);
1096STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
1097 X509_ATTRIBUTE *attr);
1098STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x,
1099 const ASN1_OBJECT *obj, int type,
1100 const unsigned char *bytes, int len);
1101STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x,
1102 int nid, int type,
1103 const unsigned char *bytes, int len);
1104STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x,
1105 const char *attrname, int type,
1106 const unsigned char *bytes, int len);
1107void *X509at_get0_data_by_OBJ(STACK_OF(X509_ATTRIBUTE) *x,
1108 ASN1_OBJECT *obj, int lastpos, int type);
1109X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
1110 int atrtype, const void *data, int len);
1111X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
1112 const ASN1_OBJECT *obj, int atrtype, const void *data, int len);
1113X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
1114 const char *atrname, int type, const unsigned char *bytes, int len);
1115int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj);
1116int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *data, int len);
1117void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx,
1118 int atrtype, void *data);
1119int X509_ATTRIBUTE_count(X509_ATTRIBUTE *attr);
1120ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr);
1121ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx);
1122
1123int EVP_PKEY_get_attr_count(const EVP_PKEY *key);
1124int EVP_PKEY_get_attr_by_NID(const EVP_PKEY *key, int nid,
1125 int lastpos);
1126int EVP_PKEY_get_attr_by_OBJ(const EVP_PKEY *key, ASN1_OBJECT *obj,
1127 int lastpos);
1128X509_ATTRIBUTE *EVP_PKEY_get_attr(const EVP_PKEY *key, int loc);
1129X509_ATTRIBUTE *EVP_PKEY_delete_attr(EVP_PKEY *key, int loc);
1130int EVP_PKEY_add1_attr(EVP_PKEY *key, X509_ATTRIBUTE *attr);
1131int EVP_PKEY_add1_attr_by_OBJ(EVP_PKEY *key,
1132 const ASN1_OBJECT *obj, int type,
1133 const unsigned char *bytes, int len);
1134int EVP_PKEY_add1_attr_by_NID(EVP_PKEY *key,
1135 int nid, int type,
1136 const unsigned char *bytes, int len);
1137int EVP_PKEY_add1_attr_by_txt(EVP_PKEY *key,
1138 const char *attrname, int type,
1139 const unsigned char *bytes, int len);
1140
1141int X509_verify_cert(X509_STORE_CTX *ctx);
1142
1143/* lookup a cert from a X509 STACK */
1144X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk,X509_NAME *name,
1145 ASN1_INTEGER *serial);
1146X509 *X509_find_by_subject(STACK_OF(X509) *sk,X509_NAME *name);
1147
1148DECLARE_ASN1_FUNCTIONS(PBEPARAM)
1149DECLARE_ASN1_FUNCTIONS(PBE2PARAM)
1150DECLARE_ASN1_FUNCTIONS(PBKDF2PARAM)
1151
1152int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
1153 const unsigned char *salt, int saltlen);
1154
1155X509_ALGOR *PKCS5_pbe_set(int alg, int iter,
1156 const unsigned char *salt, int saltlen);
1157X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
1158 unsigned char *salt, int saltlen);
1159X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
1160 unsigned char *salt, int saltlen,
1161 unsigned char *aiv, int prf_nid);
1162
1163/* PKCS#8 utilities */
1164
1165DECLARE_ASN1_FUNCTIONS(PKCS8_PRIV_KEY_INFO)
1166
1167EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8);
1168PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey);
1169PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8_broken(EVP_PKEY *pkey, int broken);
1170PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken);
1171
1172int PKCS8_pkey_set0(PKCS8_PRIV_KEY_INFO *priv, ASN1_OBJECT *aobj,
1173 int version, int ptype, void *pval,
1174 unsigned char *penc, int penclen);
1175int PKCS8_pkey_get0(ASN1_OBJECT **ppkalg,
1176 const unsigned char **pk, int *ppklen,
1177 X509_ALGOR **pa,
1178 PKCS8_PRIV_KEY_INFO *p8);
1179
1180int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *aobj,
1181 int ptype, void *pval,
1182 unsigned char *penc, int penclen);
1183int X509_PUBKEY_get0_param(ASN1_OBJECT **ppkalg,
1184 const unsigned char **pk, int *ppklen,
1185 X509_ALGOR **pa,
1186 X509_PUBKEY *pub);
1187
1188int X509_check_trust(X509 *x, int id, int flags);
1189int X509_TRUST_get_count(void);
1190X509_TRUST * X509_TRUST_get0(int idx);
1191int X509_TRUST_get_by_id(int id);
1192int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
1193 char *name, int arg1, void *arg2);
1194void X509_TRUST_cleanup(void);
1195int X509_TRUST_get_flags(X509_TRUST *xp);
1196char *X509_TRUST_get0_name(X509_TRUST *xp);
1197int X509_TRUST_get_trust(X509_TRUST *xp);
1198
1199/* BEGIN ERROR CODES */
1200/* The following lines are auto generated by the script mkerr.pl. Any changes
1201 * made after this point may be overwritten when the script is next run.
1202 */
1203void ERR_load_X509_strings(void);
1204
1205/* Error codes for the X509 functions. */
1206
1207/* Function codes. */
1208#define X509_F_ADD_CERT_DIR 100
1209#define X509_F_BY_FILE_CTRL 101
1210#define X509_F_CHECK_POLICY 145
1211#define X509_F_DIR_CTRL 102
1212#define X509_F_GET_CERT_BY_SUBJECT 103
1213#define X509_F_NETSCAPE_SPKI_B64_DECODE 129
1214#define X509_F_NETSCAPE_SPKI_B64_ENCODE 130
1215#define X509_F_X509AT_ADD1_ATTR 135
1216#define X509_F_X509V3_ADD_EXT 104
1217#define X509_F_X509_ATTRIBUTE_CREATE_BY_NID 136
1218#define X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ 137
1219#define X509_F_X509_ATTRIBUTE_CREATE_BY_TXT 140
1220#define X509_F_X509_ATTRIBUTE_GET0_DATA 139
1221#define X509_F_X509_ATTRIBUTE_SET1_DATA 138
1222#define X509_F_X509_CHECK_PRIVATE_KEY 128
1223#define X509_F_X509_CRL_PRINT_FP 147
1224#define X509_F_X509_EXTENSION_CREATE_BY_NID 108
1225#define X509_F_X509_EXTENSION_CREATE_BY_OBJ 109
1226#define X509_F_X509_GET_PUBKEY_PARAMETERS 110
1227#define X509_F_X509_LOAD_CERT_CRL_FILE 132
1228#define X509_F_X509_LOAD_CERT_FILE 111
1229#define X509_F_X509_LOAD_CRL_FILE 112
1230#define X509_F_X509_NAME_ADD_ENTRY 113
1231#define X509_F_X509_NAME_ENTRY_CREATE_BY_NID 114
1232#define X509_F_X509_NAME_ENTRY_CREATE_BY_TXT 131
1233#define X509_F_X509_NAME_ENTRY_SET_OBJECT 115
1234#define X509_F_X509_NAME_ONELINE 116
1235#define X509_F_X509_NAME_PRINT 117
1236#define X509_F_X509_PRINT_EX_FP 118
1237#define X509_F_X509_PUBKEY_GET 119
1238#define X509_F_X509_PUBKEY_SET 120
1239#define X509_F_X509_REQ_CHECK_PRIVATE_KEY 144
1240#define X509_F_X509_REQ_PRINT_EX 121
1241#define X509_F_X509_REQ_PRINT_FP 122
1242#define X509_F_X509_REQ_TO_X509 123
1243#define X509_F_X509_STORE_ADD_CERT 124
1244#define X509_F_X509_STORE_ADD_CRL 125
1245#define X509_F_X509_STORE_CTX_GET1_ISSUER 146
1246#define X509_F_X509_STORE_CTX_INIT 143
1247#define X509_F_X509_STORE_CTX_NEW 142
1248#define X509_F_X509_STORE_CTX_PURPOSE_INHERIT 134
1249#define X509_F_X509_TO_X509_REQ 126
1250#define X509_F_X509_TRUST_ADD 133
1251#define X509_F_X509_TRUST_SET 141
1252#define X509_F_X509_VERIFY_CERT 127
1253
1254/* Reason codes. */
1255#define X509_R_BAD_X509_FILETYPE 100
1256#define X509_R_BASE64_DECODE_ERROR 118
1257#define X509_R_CANT_CHECK_DH_KEY 114
1258#define X509_R_CERT_ALREADY_IN_HASH_TABLE 101
1259#define X509_R_ERR_ASN1_LIB 102
1260#define X509_R_INVALID_DIRECTORY 113
1261#define X509_R_INVALID_FIELD_NAME 119
1262#define X509_R_INVALID_TRUST 123
1263#define X509_R_KEY_TYPE_MISMATCH 115
1264#define X509_R_KEY_VALUES_MISMATCH 116
1265#define X509_R_LOADING_CERT_DIR 103
1266#define X509_R_LOADING_DEFAULTS 104
1267#define X509_R_METHOD_NOT_SUPPORTED 124
1268#define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY 105
1269#define X509_R_PUBLIC_KEY_DECODE_ERROR 125
1270#define X509_R_PUBLIC_KEY_ENCODE_ERROR 126
1271#define X509_R_SHOULD_RETRY 106
1272#define X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN 107
1273#define X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY 108
1274#define X509_R_UNKNOWN_KEY_TYPE 117
1275#define X509_R_UNKNOWN_NID 109
1276#define X509_R_UNKNOWN_PURPOSE_ID 121
1277#define X509_R_UNKNOWN_TRUST_ID 120
1278#define X509_R_UNSUPPORTED_ALGORITHM 111
1279#define X509_R_WRONG_LOOKUP_TYPE 112
1280#define X509_R_WRONG_TYPE 122
1281
1282#ifdef __cplusplus
1283}
1284#endif
1285#endif
diff --git a/src/lib/libcrypto/x509/x509_att.c b/src/lib/libcrypto/x509/x509_att.c
deleted file mode 100644
index 98460e8921..0000000000
--- a/src/lib/libcrypto/x509/x509_att.c
+++ /dev/null
@@ -1,359 +0,0 @@
1/* crypto/x509/x509_att.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/stack.h>
61#include "cryptlib.h"
62#include <openssl/asn1.h>
63#include <openssl/objects.h>
64#include <openssl/evp.h>
65#include <openssl/x509.h>
66#include <openssl/x509v3.h>
67
68int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x)
69{
70 return sk_X509_ATTRIBUTE_num(x);
71}
72
73int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, int nid,
74 int lastpos)
75{
76 ASN1_OBJECT *obj;
77
78 obj=OBJ_nid2obj(nid);
79 if (obj == NULL) return(-2);
80 return(X509at_get_attr_by_OBJ(x,obj,lastpos));
81}
82
83int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, ASN1_OBJECT *obj,
84 int lastpos)
85{
86 int n;
87 X509_ATTRIBUTE *ex;
88
89 if (sk == NULL) return(-1);
90 lastpos++;
91 if (lastpos < 0)
92 lastpos=0;
93 n=sk_X509_ATTRIBUTE_num(sk);
94 for ( ; lastpos < n; lastpos++)
95 {
96 ex=sk_X509_ATTRIBUTE_value(sk,lastpos);
97 if (OBJ_cmp(ex->object,obj) == 0)
98 return(lastpos);
99 }
100 return(-1);
101}
102
103X509_ATTRIBUTE *X509at_get_attr(const STACK_OF(X509_ATTRIBUTE) *x, int loc)
104{
105 if (x == NULL || sk_X509_ATTRIBUTE_num(x) <= loc || loc < 0)
106 return NULL;
107 else
108 return sk_X509_ATTRIBUTE_value(x,loc);
109}
110
111X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, int loc)
112{
113 X509_ATTRIBUTE *ret;
114
115 if (x == NULL || sk_X509_ATTRIBUTE_num(x) <= loc || loc < 0)
116 return(NULL);
117 ret=sk_X509_ATTRIBUTE_delete(x,loc);
118 return(ret);
119}
120
121STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
122 X509_ATTRIBUTE *attr)
123{
124 X509_ATTRIBUTE *new_attr=NULL;
125 STACK_OF(X509_ATTRIBUTE) *sk=NULL;
126
127 if (x == NULL)
128 {
129 X509err(X509_F_X509AT_ADD1_ATTR, ERR_R_PASSED_NULL_PARAMETER);
130 goto err2;
131 }
132
133 if (*x == NULL)
134 {
135 if ((sk=sk_X509_ATTRIBUTE_new_null()) == NULL)
136 goto err;
137 }
138 else
139 sk= *x;
140
141 if ((new_attr=X509_ATTRIBUTE_dup(attr)) == NULL)
142 goto err2;
143 if (!sk_X509_ATTRIBUTE_push(sk,new_attr))
144 goto err;
145 if (*x == NULL)
146 *x=sk;
147 return(sk);
148err:
149 X509err(X509_F_X509AT_ADD1_ATTR,ERR_R_MALLOC_FAILURE);
150err2:
151 if (new_attr != NULL) X509_ATTRIBUTE_free(new_attr);
152 if (sk != NULL) sk_X509_ATTRIBUTE_free(sk);
153 return(NULL);
154}
155
156STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x,
157 const ASN1_OBJECT *obj, int type,
158 const unsigned char *bytes, int len)
159{
160 X509_ATTRIBUTE *attr;
161 STACK_OF(X509_ATTRIBUTE) *ret;
162 attr = X509_ATTRIBUTE_create_by_OBJ(NULL, obj, type, bytes, len);
163 if(!attr) return 0;
164 ret = X509at_add1_attr(x, attr);
165 X509_ATTRIBUTE_free(attr);
166 return ret;
167}
168
169STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x,
170 int nid, int type,
171 const unsigned char *bytes, int len)
172{
173 X509_ATTRIBUTE *attr;
174 STACK_OF(X509_ATTRIBUTE) *ret;
175 attr = X509_ATTRIBUTE_create_by_NID(NULL, nid, type, bytes, len);
176 if(!attr) return 0;
177 ret = X509at_add1_attr(x, attr);
178 X509_ATTRIBUTE_free(attr);
179 return ret;
180}
181
182STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x,
183 const char *attrname, int type,
184 const unsigned char *bytes, int len)
185{
186 X509_ATTRIBUTE *attr;
187 STACK_OF(X509_ATTRIBUTE) *ret;
188 attr = X509_ATTRIBUTE_create_by_txt(NULL, attrname, type, bytes, len);
189 if(!attr) return 0;
190 ret = X509at_add1_attr(x, attr);
191 X509_ATTRIBUTE_free(attr);
192 return ret;
193}
194
195void *X509at_get0_data_by_OBJ(STACK_OF(X509_ATTRIBUTE) *x,
196 ASN1_OBJECT *obj, int lastpos, int type)
197{
198 int i;
199 X509_ATTRIBUTE *at;
200 i = X509at_get_attr_by_OBJ(x, obj, lastpos);
201 if (i == -1)
202 return NULL;
203 if ((lastpos <= -2) && (X509at_get_attr_by_OBJ(x, obj, i) != -1))
204 return NULL;
205 at = X509at_get_attr(x, i);
206 if (lastpos <= -3 && (X509_ATTRIBUTE_count(at) != 1))
207 return NULL;
208 return X509_ATTRIBUTE_get0_data(at, 0, type, NULL);
209}
210
211X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
212 int atrtype, const void *data, int len)
213{
214 ASN1_OBJECT *obj;
215 X509_ATTRIBUTE *ret;
216
217 obj=OBJ_nid2obj(nid);
218 if (obj == NULL)
219 {
220 X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_NID,X509_R_UNKNOWN_NID);
221 return(NULL);
222 }
223 ret=X509_ATTRIBUTE_create_by_OBJ(attr,obj,atrtype,data,len);
224 if (ret == NULL) ASN1_OBJECT_free(obj);
225 return(ret);
226}
227
228X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
229 const ASN1_OBJECT *obj, int atrtype, const void *data, int len)
230{
231 X509_ATTRIBUTE *ret;
232
233 if ((attr == NULL) || (*attr == NULL))
234 {
235 if ((ret=X509_ATTRIBUTE_new()) == NULL)
236 {
237 X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE);
238 return(NULL);
239 }
240 }
241 else
242 ret= *attr;
243
244 if (!X509_ATTRIBUTE_set1_object(ret,obj))
245 goto err;
246 if (!X509_ATTRIBUTE_set1_data(ret,atrtype,data,len))
247 goto err;
248
249 if ((attr != NULL) && (*attr == NULL)) *attr=ret;
250 return(ret);
251err:
252 if ((attr == NULL) || (ret != *attr))
253 X509_ATTRIBUTE_free(ret);
254 return(NULL);
255}
256
257X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
258 const char *atrname, int type, const unsigned char *bytes, int len)
259 {
260 ASN1_OBJECT *obj;
261 X509_ATTRIBUTE *nattr;
262
263 obj=OBJ_txt2obj(atrname, 0);
264 if (obj == NULL)
265 {
266 X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_TXT,
267 X509_R_INVALID_FIELD_NAME);
268 ERR_add_error_data(2, "name=", atrname);
269 return(NULL);
270 }
271 nattr = X509_ATTRIBUTE_create_by_OBJ(attr,obj,type,bytes,len);
272 ASN1_OBJECT_free(obj);
273 return nattr;
274 }
275
276int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj)
277{
278 if ((attr == NULL) || (obj == NULL))
279 return(0);
280 ASN1_OBJECT_free(attr->object);
281 attr->object=OBJ_dup(obj);
282 return(1);
283}
284
285int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *data, int len)
286{
287 ASN1_TYPE *ttmp;
288 ASN1_STRING *stmp = NULL;
289 int atype = 0;
290 if (!attr) return 0;
291 if(attrtype & MBSTRING_FLAG) {
292 stmp = ASN1_STRING_set_by_NID(NULL, data, len, attrtype,
293 OBJ_obj2nid(attr->object));
294 if(!stmp) {
295 X509err(X509_F_X509_ATTRIBUTE_SET1_DATA, ERR_R_ASN1_LIB);
296 return 0;
297 }
298 atype = stmp->type;
299 } else if (len != -1){
300 if(!(stmp = ASN1_STRING_type_new(attrtype))) goto err;
301 if(!ASN1_STRING_set(stmp, data, len)) goto err;
302 atype = attrtype;
303 }
304 if(!(attr->value.set = sk_ASN1_TYPE_new_null())) goto err;
305 attr->single = 0;
306 /* This is a bit naughty because the attribute should really have
307 * at least one value but some types use and zero length SET and
308 * require this.
309 */
310 if (attrtype == 0)
311 return 1;
312 if(!(ttmp = ASN1_TYPE_new())) goto err;
313 if ((len == -1) && !(attrtype & MBSTRING_FLAG))
314 {
315 if (!ASN1_TYPE_set1(ttmp, attrtype, data))
316 goto err;
317 }
318 else
319 ASN1_TYPE_set(ttmp, atype, stmp);
320 if(!sk_ASN1_TYPE_push(attr->value.set, ttmp)) goto err;
321 return 1;
322 err:
323 X509err(X509_F_X509_ATTRIBUTE_SET1_DATA, ERR_R_MALLOC_FAILURE);
324 return 0;
325}
326
327int X509_ATTRIBUTE_count(X509_ATTRIBUTE *attr)
328{
329 if(!attr->single) return sk_ASN1_TYPE_num(attr->value.set);
330 if(attr->value.single) return 1;
331 return 0;
332}
333
334ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr)
335{
336 if (attr == NULL) return(NULL);
337 return(attr->object);
338}
339
340void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx,
341 int atrtype, void *data)
342{
343 ASN1_TYPE *ttmp;
344 ttmp = X509_ATTRIBUTE_get0_type(attr, idx);
345 if(!ttmp) return NULL;
346 if(atrtype != ASN1_TYPE_get(ttmp)){
347 X509err(X509_F_X509_ATTRIBUTE_GET0_DATA, X509_R_WRONG_TYPE);
348 return NULL;
349 }
350 return ttmp->value.ptr;
351}
352
353ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx)
354{
355 if (attr == NULL) return(NULL);
356 if(idx >= X509_ATTRIBUTE_count(attr)) return NULL;
357 if(!attr->single) return sk_ASN1_TYPE_value(attr->value.set, idx);
358 else return attr->value.single;
359}
diff --git a/src/lib/libcrypto/x509/x509_cmp.c b/src/lib/libcrypto/x509/x509_cmp.c
deleted file mode 100644
index 4bc9da07e0..0000000000
--- a/src/lib/libcrypto/x509/x509_cmp.c
+++ /dev/null
@@ -1,331 +0,0 @@
1/* crypto/x509/x509_cmp.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <ctype.h>
61#include "cryptlib.h"
62#include <openssl/asn1.h>
63#include <openssl/objects.h>
64#include <openssl/x509.h>
65#include <openssl/x509v3.h>
66
67int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b)
68 {
69 int i;
70 X509_CINF *ai,*bi;
71
72 ai=a->cert_info;
73 bi=b->cert_info;
74 i=M_ASN1_INTEGER_cmp(ai->serialNumber,bi->serialNumber);
75 if (i) return(i);
76 return(X509_NAME_cmp(ai->issuer,bi->issuer));
77 }
78
79#ifndef OPENSSL_NO_MD5
80unsigned long X509_issuer_and_serial_hash(X509 *a)
81 {
82 unsigned long ret=0;
83 EVP_MD_CTX ctx;
84 unsigned char md[16];
85 char *f;
86
87 EVP_MD_CTX_init(&ctx);
88 f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
89 ret=strlen(f);
90 EVP_DigestInit_ex(&ctx, EVP_md5(), NULL);
91 EVP_DigestUpdate(&ctx,(unsigned char *)f,ret);
92 OPENSSL_free(f);
93 EVP_DigestUpdate(&ctx,(unsigned char *)a->cert_info->serialNumber->data,
94 (unsigned long)a->cert_info->serialNumber->length);
95 EVP_DigestFinal_ex(&ctx,&(md[0]),NULL);
96 ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
97 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
98 )&0xffffffffL;
99 EVP_MD_CTX_cleanup(&ctx);
100 return(ret);
101 }
102#endif
103
104int X509_issuer_name_cmp(const X509 *a, const X509 *b)
105 {
106 return(X509_NAME_cmp(a->cert_info->issuer,b->cert_info->issuer));
107 }
108
109int X509_subject_name_cmp(const X509 *a, const X509 *b)
110 {
111 return(X509_NAME_cmp(a->cert_info->subject,b->cert_info->subject));
112 }
113
114int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b)
115 {
116 return(X509_NAME_cmp(a->crl->issuer,b->crl->issuer));
117 }
118
119#ifndef OPENSSL_NO_SHA
120int X509_CRL_match(const X509_CRL *a, const X509_CRL *b)
121 {
122 return memcmp(a->sha1_hash, b->sha1_hash, 20);
123 }
124#endif
125
126X509_NAME *X509_get_issuer_name(X509 *a)
127 {
128 return(a->cert_info->issuer);
129 }
130
131unsigned long X509_issuer_name_hash(X509 *x)
132 {
133 return(X509_NAME_hash(x->cert_info->issuer));
134 }
135
136#ifndef OPENSSL_NO_MD5
137unsigned long X509_issuer_name_hash_old(X509 *x)
138 {
139 return(X509_NAME_hash_old(x->cert_info->issuer));
140 }
141#endif
142
143X509_NAME *X509_get_subject_name(X509 *a)
144 {
145 return(a->cert_info->subject);
146 }
147
148ASN1_INTEGER *X509_get_serialNumber(X509 *a)
149 {
150 return(a->cert_info->serialNumber);
151 }
152
153unsigned long X509_subject_name_hash(X509 *x)
154 {
155 return(X509_NAME_hash(x->cert_info->subject));
156 }
157
158#ifndef OPENSSL_NO_MD5
159unsigned long X509_subject_name_hash_old(X509 *x)
160 {
161 return(X509_NAME_hash_old(x->cert_info->subject));
162 }
163#endif
164
165#ifndef OPENSSL_NO_SHA
166/* Compare two certificates: they must be identical for
167 * this to work. NB: Although "cmp" operations are generally
168 * prototyped to take "const" arguments (eg. for use in
169 * STACKs), the way X509 handling is - these operations may
170 * involve ensuring the hashes are up-to-date and ensuring
171 * certain cert information is cached. So this is the point
172 * where the "depth-first" constification tree has to halt
173 * with an evil cast.
174 */
175int X509_cmp(const X509 *a, const X509 *b)
176{
177 /* ensure hash is valid */
178 X509_check_purpose((X509 *)a, -1, 0);
179 X509_check_purpose((X509 *)b, -1, 0);
180
181 return memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH);
182}
183#endif
184
185
186int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
187 {
188 int ret;
189
190 /* Ensure canonical encoding is present and up to date */
191
192 if (!a->canon_enc || a->modified)
193 {
194 ret = i2d_X509_NAME((X509_NAME *)a, NULL);
195 if (ret < 0)
196 return -2;
197 }
198
199 if (!b->canon_enc || b->modified)
200 {
201 ret = i2d_X509_NAME((X509_NAME *)b, NULL);
202 if (ret < 0)
203 return -2;
204 }
205
206 ret = a->canon_enclen - b->canon_enclen;
207
208 if (ret)
209 return ret;
210
211 return memcmp(a->canon_enc, b->canon_enc, a->canon_enclen);
212
213 }
214
215unsigned long X509_NAME_hash(X509_NAME *x)
216 {
217 unsigned long ret=0;
218 unsigned char md[SHA_DIGEST_LENGTH];
219
220 /* Make sure X509_NAME structure contains valid cached encoding */
221 i2d_X509_NAME(x,NULL);
222 EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, EVP_sha1(), NULL);
223
224 ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
225 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
226 )&0xffffffffL;
227 return(ret);
228 }
229
230
231#ifndef OPENSSL_NO_MD5
232/* I now DER encode the name and hash it. Since I cache the DER encoding,
233 * this is reasonably efficient. */
234
235unsigned long X509_NAME_hash_old(X509_NAME *x)
236 {
237 unsigned long ret=0;
238 unsigned char md[16];
239
240 /* Make sure X509_NAME structure contains valid cached encoding */
241 i2d_X509_NAME(x,NULL);
242 EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL);
243
244 ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
245 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
246 )&0xffffffffL;
247 return(ret);
248 }
249#endif
250
251/* Search a stack of X509 for a match */
252X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name,
253 ASN1_INTEGER *serial)
254 {
255 int i;
256 X509_CINF cinf;
257 X509 x,*x509=NULL;
258
259 if(!sk) return NULL;
260
261 x.cert_info= &cinf;
262 cinf.serialNumber=serial;
263 cinf.issuer=name;
264
265 for (i=0; i<sk_X509_num(sk); i++)
266 {
267 x509=sk_X509_value(sk,i);
268 if (X509_issuer_and_serial_cmp(x509,&x) == 0)
269 return(x509);
270 }
271 return(NULL);
272 }
273
274X509 *X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name)
275 {
276 X509 *x509;
277 int i;
278
279 for (i=0; i<sk_X509_num(sk); i++)
280 {
281 x509=sk_X509_value(sk,i);
282 if (X509_NAME_cmp(X509_get_subject_name(x509),name) == 0)
283 return(x509);
284 }
285 return(NULL);
286 }
287
288EVP_PKEY *X509_get_pubkey(X509 *x)
289 {
290 if ((x == NULL) || (x->cert_info == NULL))
291 return(NULL);
292 return(X509_PUBKEY_get(x->cert_info->key));
293 }
294
295ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x)
296 {
297 if(!x) return NULL;
298 return x->cert_info->key->public_key;
299 }
300
301int X509_check_private_key(X509 *x, EVP_PKEY *k)
302 {
303 EVP_PKEY *xk;
304 int ret;
305
306 xk=X509_get_pubkey(x);
307
308 if (xk)
309 ret = EVP_PKEY_cmp(xk, k);
310 else
311 ret = -2;
312
313 switch (ret)
314 {
315 case 1:
316 break;
317 case 0:
318 X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH);
319 break;
320 case -1:
321 X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_TYPE_MISMATCH);
322 break;
323 case -2:
324 X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE);
325 }
326 if (xk)
327 EVP_PKEY_free(xk);
328 if (ret > 0)
329 return 1;
330 return 0;
331 }
diff --git a/src/lib/libcrypto/x509/x509_d2.c b/src/lib/libcrypto/x509/x509_d2.c
deleted file mode 100644
index 51410cfd1a..0000000000
--- a/src/lib/libcrypto/x509/x509_d2.c
+++ /dev/null
@@ -1,107 +0,0 @@
1/* crypto/x509/x509_d2.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/crypto.h>
62#include <openssl/x509.h>
63
64#ifndef OPENSSL_NO_STDIO
65int X509_STORE_set_default_paths(X509_STORE *ctx)
66 {
67 X509_LOOKUP *lookup;
68
69 lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file());
70 if (lookup == NULL) return(0);
71 X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
72
73 lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_hash_dir());
74 if (lookup == NULL) return(0);
75 X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
76
77 /* clear any errors */
78 ERR_clear_error();
79
80 return(1);
81 }
82
83int X509_STORE_load_locations(X509_STORE *ctx, const char *file,
84 const char *path)
85 {
86 X509_LOOKUP *lookup;
87
88 if (file != NULL)
89 {
90 lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file());
91 if (lookup == NULL) return(0);
92 if (X509_LOOKUP_load_file(lookup,file,X509_FILETYPE_PEM) != 1)
93 return(0);
94 }
95 if (path != NULL)
96 {
97 lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_hash_dir());
98 if (lookup == NULL) return(0);
99 if (X509_LOOKUP_add_dir(lookup,path,X509_FILETYPE_PEM) != 1)
100 return(0);
101 }
102 if ((path == NULL) && (file == NULL))
103 return(0);
104 return(1);
105 }
106
107#endif
diff --git a/src/lib/libcrypto/x509/x509_def.c b/src/lib/libcrypto/x509/x509_def.c
deleted file mode 100644
index e0ac151a76..0000000000
--- a/src/lib/libcrypto/x509/x509_def.c
+++ /dev/null
@@ -1,81 +0,0 @@
1/* crypto/x509/x509_def.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/crypto.h>
62#include <openssl/x509.h>
63
64const char *X509_get_default_private_dir(void)
65 { return(X509_PRIVATE_DIR); }
66
67const char *X509_get_default_cert_area(void)
68 { return(X509_CERT_AREA); }
69
70const char *X509_get_default_cert_dir(void)
71 { return(X509_CERT_DIR); }
72
73const char *X509_get_default_cert_file(void)
74 { return(X509_CERT_FILE); }
75
76const char *X509_get_default_cert_dir_env(void)
77 { return(X509_CERT_DIR_EVP); }
78
79const char *X509_get_default_cert_file_env(void)
80 { return(X509_CERT_FILE_EVP); }
81
diff --git a/src/lib/libcrypto/x509/x509_err.c b/src/lib/libcrypto/x509/x509_err.c
deleted file mode 100644
index a01402f416..0000000000
--- a/src/lib/libcrypto/x509/x509_err.c
+++ /dev/null
@@ -1,164 +0,0 @@
1/* crypto/x509/x509_err.c */
2/* ====================================================================
3 * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@OpenSSL.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56/* NOTE: this file was auto generated by the mkerr.pl script: any changes
57 * made to it will be overwritten when the script next updates this file,
58 * only reason strings will be preserved.
59 */
60
61#include <stdio.h>
62#include <openssl/err.h>
63#include <openssl/x509.h>
64
65/* BEGIN ERROR CODES */
66#ifndef OPENSSL_NO_ERR
67
68#define ERR_FUNC(func) ERR_PACK(ERR_LIB_X509,func,0)
69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509,0,reason)
70
71static ERR_STRING_DATA X509_str_functs[]=
72 {
73{ERR_FUNC(X509_F_ADD_CERT_DIR), "ADD_CERT_DIR"},
74{ERR_FUNC(X509_F_BY_FILE_CTRL), "BY_FILE_CTRL"},
75{ERR_FUNC(X509_F_CHECK_POLICY), "CHECK_POLICY"},
76{ERR_FUNC(X509_F_DIR_CTRL), "DIR_CTRL"},
77{ERR_FUNC(X509_F_GET_CERT_BY_SUBJECT), "GET_CERT_BY_SUBJECT"},
78{ERR_FUNC(X509_F_NETSCAPE_SPKI_B64_DECODE), "NETSCAPE_SPKI_b64_decode"},
79{ERR_FUNC(X509_F_NETSCAPE_SPKI_B64_ENCODE), "NETSCAPE_SPKI_b64_encode"},
80{ERR_FUNC(X509_F_X509AT_ADD1_ATTR), "X509at_add1_attr"},
81{ERR_FUNC(X509_F_X509V3_ADD_EXT), "X509v3_add_ext"},
82{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_NID), "X509_ATTRIBUTE_create_by_NID"},
83{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ), "X509_ATTRIBUTE_create_by_OBJ"},
84{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_TXT), "X509_ATTRIBUTE_create_by_txt"},
85{ERR_FUNC(X509_F_X509_ATTRIBUTE_GET0_DATA), "X509_ATTRIBUTE_get0_data"},
86{ERR_FUNC(X509_F_X509_ATTRIBUTE_SET1_DATA), "X509_ATTRIBUTE_set1_data"},
87{ERR_FUNC(X509_F_X509_CHECK_PRIVATE_KEY), "X509_check_private_key"},
88{ERR_FUNC(X509_F_X509_CRL_PRINT_FP), "X509_CRL_print_fp"},
89{ERR_FUNC(X509_F_X509_EXTENSION_CREATE_BY_NID), "X509_EXTENSION_create_by_NID"},
90{ERR_FUNC(X509_F_X509_EXTENSION_CREATE_BY_OBJ), "X509_EXTENSION_create_by_OBJ"},
91{ERR_FUNC(X509_F_X509_GET_PUBKEY_PARAMETERS), "X509_get_pubkey_parameters"},
92{ERR_FUNC(X509_F_X509_LOAD_CERT_CRL_FILE), "X509_load_cert_crl_file"},
93{ERR_FUNC(X509_F_X509_LOAD_CERT_FILE), "X509_load_cert_file"},
94{ERR_FUNC(X509_F_X509_LOAD_CRL_FILE), "X509_load_crl_file"},
95{ERR_FUNC(X509_F_X509_NAME_ADD_ENTRY), "X509_NAME_add_entry"},
96{ERR_FUNC(X509_F_X509_NAME_ENTRY_CREATE_BY_NID), "X509_NAME_ENTRY_create_by_NID"},
97{ERR_FUNC(X509_F_X509_NAME_ENTRY_CREATE_BY_TXT), "X509_NAME_ENTRY_create_by_txt"},
98{ERR_FUNC(X509_F_X509_NAME_ENTRY_SET_OBJECT), "X509_NAME_ENTRY_set_object"},
99{ERR_FUNC(X509_F_X509_NAME_ONELINE), "X509_NAME_oneline"},
100{ERR_FUNC(X509_F_X509_NAME_PRINT), "X509_NAME_print"},
101{ERR_FUNC(X509_F_X509_PRINT_EX_FP), "X509_print_ex_fp"},
102{ERR_FUNC(X509_F_X509_PUBKEY_GET), "X509_PUBKEY_get"},
103{ERR_FUNC(X509_F_X509_PUBKEY_SET), "X509_PUBKEY_set"},
104{ERR_FUNC(X509_F_X509_REQ_CHECK_PRIVATE_KEY), "X509_REQ_check_private_key"},
105{ERR_FUNC(X509_F_X509_REQ_PRINT_EX), "X509_REQ_print_ex"},
106{ERR_FUNC(X509_F_X509_REQ_PRINT_FP), "X509_REQ_print_fp"},
107{ERR_FUNC(X509_F_X509_REQ_TO_X509), "X509_REQ_to_X509"},
108{ERR_FUNC(X509_F_X509_STORE_ADD_CERT), "X509_STORE_add_cert"},
109{ERR_FUNC(X509_F_X509_STORE_ADD_CRL), "X509_STORE_add_crl"},
110{ERR_FUNC(X509_F_X509_STORE_CTX_GET1_ISSUER), "X509_STORE_CTX_get1_issuer"},
111{ERR_FUNC(X509_F_X509_STORE_CTX_INIT), "X509_STORE_CTX_init"},
112{ERR_FUNC(X509_F_X509_STORE_CTX_NEW), "X509_STORE_CTX_new"},
113{ERR_FUNC(X509_F_X509_STORE_CTX_PURPOSE_INHERIT), "X509_STORE_CTX_purpose_inherit"},
114{ERR_FUNC(X509_F_X509_TO_X509_REQ), "X509_to_X509_REQ"},
115{ERR_FUNC(X509_F_X509_TRUST_ADD), "X509_TRUST_add"},
116{ERR_FUNC(X509_F_X509_TRUST_SET), "X509_TRUST_set"},
117{ERR_FUNC(X509_F_X509_VERIFY_CERT), "X509_verify_cert"},
118{0,NULL}
119 };
120
121static ERR_STRING_DATA X509_str_reasons[]=
122 {
123{ERR_REASON(X509_R_BAD_X509_FILETYPE) ,"bad x509 filetype"},
124{ERR_REASON(X509_R_BASE64_DECODE_ERROR) ,"base64 decode error"},
125{ERR_REASON(X509_R_CANT_CHECK_DH_KEY) ,"cant check dh key"},
126{ERR_REASON(X509_R_CERT_ALREADY_IN_HASH_TABLE),"cert already in hash table"},
127{ERR_REASON(X509_R_ERR_ASN1_LIB) ,"err asn1 lib"},
128{ERR_REASON(X509_R_INVALID_DIRECTORY) ,"invalid directory"},
129{ERR_REASON(X509_R_INVALID_FIELD_NAME) ,"invalid field name"},
130{ERR_REASON(X509_R_INVALID_TRUST) ,"invalid trust"},
131{ERR_REASON(X509_R_KEY_TYPE_MISMATCH) ,"key type mismatch"},
132{ERR_REASON(X509_R_KEY_VALUES_MISMATCH) ,"key values mismatch"},
133{ERR_REASON(X509_R_LOADING_CERT_DIR) ,"loading cert dir"},
134{ERR_REASON(X509_R_LOADING_DEFAULTS) ,"loading defaults"},
135{ERR_REASON(X509_R_METHOD_NOT_SUPPORTED) ,"method not supported"},
136{ERR_REASON(X509_R_NO_CERT_SET_FOR_US_TO_VERIFY),"no cert set for us to verify"},
137{ERR_REASON(X509_R_PUBLIC_KEY_DECODE_ERROR),"public key decode error"},
138{ERR_REASON(X509_R_PUBLIC_KEY_ENCODE_ERROR),"public key encode error"},
139{ERR_REASON(X509_R_SHOULD_RETRY) ,"should retry"},
140{ERR_REASON(X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN),"unable to find parameters in chain"},
141{ERR_REASON(X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY),"unable to get certs public key"},
142{ERR_REASON(X509_R_UNKNOWN_KEY_TYPE) ,"unknown key type"},
143{ERR_REASON(X509_R_UNKNOWN_NID) ,"unknown nid"},
144{ERR_REASON(X509_R_UNKNOWN_PURPOSE_ID) ,"unknown purpose id"},
145{ERR_REASON(X509_R_UNKNOWN_TRUST_ID) ,"unknown trust id"},
146{ERR_REASON(X509_R_UNSUPPORTED_ALGORITHM),"unsupported algorithm"},
147{ERR_REASON(X509_R_WRONG_LOOKUP_TYPE) ,"wrong lookup type"},
148{ERR_REASON(X509_R_WRONG_TYPE) ,"wrong type"},
149{0,NULL}
150 };
151
152#endif
153
154void ERR_load_X509_strings(void)
155 {
156#ifndef OPENSSL_NO_ERR
157
158 if (ERR_func_error_string(X509_str_functs[0].error) == NULL)
159 {
160 ERR_load_strings(0,X509_str_functs);
161 ERR_load_strings(0,X509_str_reasons);
162 }
163#endif
164 }
diff --git a/src/lib/libcrypto/x509/x509_ext.c b/src/lib/libcrypto/x509/x509_ext.c
deleted file mode 100644
index e7fdacb5e4..0000000000
--- a/src/lib/libcrypto/x509/x509_ext.c
+++ /dev/null
@@ -1,210 +0,0 @@
1/* crypto/x509/x509_ext.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/stack.h>
61#include "cryptlib.h"
62#include <openssl/asn1.h>
63#include <openssl/objects.h>
64#include <openssl/evp.h>
65#include <openssl/x509.h>
66#include <openssl/x509v3.h>
67
68
69int X509_CRL_get_ext_count(X509_CRL *x)
70 {
71 return(X509v3_get_ext_count(x->crl->extensions));
72 }
73
74int X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int lastpos)
75 {
76 return(X509v3_get_ext_by_NID(x->crl->extensions,nid,lastpos));
77 }
78
79int X509_CRL_get_ext_by_OBJ(X509_CRL *x, ASN1_OBJECT *obj, int lastpos)
80 {
81 return(X509v3_get_ext_by_OBJ(x->crl->extensions,obj,lastpos));
82 }
83
84int X509_CRL_get_ext_by_critical(X509_CRL *x, int crit, int lastpos)
85 {
86 return(X509v3_get_ext_by_critical(x->crl->extensions,crit,lastpos));
87 }
88
89X509_EXTENSION *X509_CRL_get_ext(X509_CRL *x, int loc)
90 {
91 return(X509v3_get_ext(x->crl->extensions,loc));
92 }
93
94X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc)
95 {
96 return(X509v3_delete_ext(x->crl->extensions,loc));
97 }
98
99void *X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx)
100{
101 return X509V3_get_d2i(x->crl->extensions, nid, crit, idx);
102}
103
104int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, int crit,
105 unsigned long flags)
106{
107 return X509V3_add1_i2d(&x->crl->extensions, nid, value, crit, flags);
108}
109
110int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc)
111 {
112 return(X509v3_add_ext(&(x->crl->extensions),ex,loc) != NULL);
113 }
114
115int X509_get_ext_count(X509 *x)
116 {
117 return(X509v3_get_ext_count(x->cert_info->extensions));
118 }
119
120int X509_get_ext_by_NID(X509 *x, int nid, int lastpos)
121 {
122 return(X509v3_get_ext_by_NID(x->cert_info->extensions,nid,lastpos));
123 }
124
125int X509_get_ext_by_OBJ(X509 *x, ASN1_OBJECT *obj, int lastpos)
126 {
127 return(X509v3_get_ext_by_OBJ(x->cert_info->extensions,obj,lastpos));
128 }
129
130int X509_get_ext_by_critical(X509 *x, int crit, int lastpos)
131 {
132 return(X509v3_get_ext_by_critical(x->cert_info->extensions,crit,lastpos));
133 }
134
135X509_EXTENSION *X509_get_ext(X509 *x, int loc)
136 {
137 return(X509v3_get_ext(x->cert_info->extensions,loc));
138 }
139
140X509_EXTENSION *X509_delete_ext(X509 *x, int loc)
141 {
142 return(X509v3_delete_ext(x->cert_info->extensions,loc));
143 }
144
145int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc)
146 {
147 return(X509v3_add_ext(&(x->cert_info->extensions),ex,loc) != NULL);
148 }
149
150void *X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx)
151{
152 return X509V3_get_d2i(x->cert_info->extensions, nid, crit, idx);
153}
154
155int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
156 unsigned long flags)
157{
158 return X509V3_add1_i2d(&x->cert_info->extensions, nid, value, crit,
159 flags);
160}
161
162int X509_REVOKED_get_ext_count(X509_REVOKED *x)
163 {
164 return(X509v3_get_ext_count(x->extensions));
165 }
166
167int X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int lastpos)
168 {
169 return(X509v3_get_ext_by_NID(x->extensions,nid,lastpos));
170 }
171
172int X509_REVOKED_get_ext_by_OBJ(X509_REVOKED *x, ASN1_OBJECT *obj,
173 int lastpos)
174 {
175 return(X509v3_get_ext_by_OBJ(x->extensions,obj,lastpos));
176 }
177
178int X509_REVOKED_get_ext_by_critical(X509_REVOKED *x, int crit, int lastpos)
179 {
180 return(X509v3_get_ext_by_critical(x->extensions,crit,lastpos));
181 }
182
183X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *x, int loc)
184 {
185 return(X509v3_get_ext(x->extensions,loc));
186 }
187
188X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc)
189 {
190 return(X509v3_delete_ext(x->extensions,loc));
191 }
192
193int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc)
194 {
195 return(X509v3_add_ext(&(x->extensions),ex,loc) != NULL);
196 }
197
198void *X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx)
199{
200 return X509V3_get_d2i(x->extensions, nid, crit, idx);
201}
202
203int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, void *value, int crit,
204 unsigned long flags)
205{
206 return X509V3_add1_i2d(&x->extensions, nid, value, crit, flags);
207}
208
209IMPLEMENT_STACK_OF(X509_EXTENSION)
210IMPLEMENT_ASN1_SET_OF(X509_EXTENSION)
diff --git a/src/lib/libcrypto/x509/x509_lu.c b/src/lib/libcrypto/x509/x509_lu.c
deleted file mode 100644
index 3a6e04a1de..0000000000
--- a/src/lib/libcrypto/x509/x509_lu.c
+++ /dev/null
@@ -1,716 +0,0 @@
1/* crypto/x509/x509_lu.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/lhash.h>
62#include <openssl/x509.h>
63#include <openssl/x509v3.h>
64
65X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
66 {
67 X509_LOOKUP *ret;
68
69 ret=(X509_LOOKUP *)OPENSSL_malloc(sizeof(X509_LOOKUP));
70 if (ret == NULL) return NULL;
71
72 ret->init=0;
73 ret->skip=0;
74 ret->method=method;
75 ret->method_data=NULL;
76 ret->store_ctx=NULL;
77 if ((method->new_item != NULL) && !method->new_item(ret))
78 {
79 OPENSSL_free(ret);
80 return NULL;
81 }
82 return ret;
83 }
84
85void X509_LOOKUP_free(X509_LOOKUP *ctx)
86 {
87 if (ctx == NULL) return;
88 if ( (ctx->method != NULL) &&
89 (ctx->method->free != NULL))
90 ctx->method->free(ctx);
91 OPENSSL_free(ctx);
92 }
93
94int X509_LOOKUP_init(X509_LOOKUP *ctx)
95 {
96 if (ctx->method == NULL) return 0;
97 if (ctx->method->init != NULL)
98 return ctx->method->init(ctx);
99 else
100 return 1;
101 }
102
103int X509_LOOKUP_shutdown(X509_LOOKUP *ctx)
104 {
105 if (ctx->method == NULL) return 0;
106 if (ctx->method->shutdown != NULL)
107 return ctx->method->shutdown(ctx);
108 else
109 return 1;
110 }
111
112int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
113 char **ret)
114 {
115 if (ctx->method == NULL) return -1;
116 if (ctx->method->ctrl != NULL)
117 return ctx->method->ctrl(ctx,cmd,argc,argl,ret);
118 else
119 return 1;
120 }
121
122int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,
123 X509_OBJECT *ret)
124 {
125 if ((ctx->method == NULL) || (ctx->method->get_by_subject == NULL))
126 return X509_LU_FAIL;
127 if (ctx->skip) return 0;
128 return ctx->method->get_by_subject(ctx,type,name,ret);
129 }
130
131int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name,
132 ASN1_INTEGER *serial, X509_OBJECT *ret)
133 {
134 if ((ctx->method == NULL) ||
135 (ctx->method->get_by_issuer_serial == NULL))
136 return X509_LU_FAIL;
137 return ctx->method->get_by_issuer_serial(ctx,type,name,serial,ret);
138 }
139
140int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type,
141 unsigned char *bytes, int len, X509_OBJECT *ret)
142 {
143 if ((ctx->method == NULL) || (ctx->method->get_by_fingerprint == NULL))
144 return X509_LU_FAIL;
145 return ctx->method->get_by_fingerprint(ctx,type,bytes,len,ret);
146 }
147
148int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, int len,
149 X509_OBJECT *ret)
150 {
151 if ((ctx->method == NULL) || (ctx->method->get_by_alias == NULL))
152 return X509_LU_FAIL;
153 return ctx->method->get_by_alias(ctx,type,str,len,ret);
154 }
155
156
157static int x509_object_cmp(const X509_OBJECT * const *a, const X509_OBJECT * const *b)
158 {
159 int ret;
160
161 ret=((*a)->type - (*b)->type);
162 if (ret) return ret;
163 switch ((*a)->type)
164 {
165 case X509_LU_X509:
166 ret=X509_subject_name_cmp((*a)->data.x509,(*b)->data.x509);
167 break;
168 case X509_LU_CRL:
169 ret=X509_CRL_cmp((*a)->data.crl,(*b)->data.crl);
170 break;
171 default:
172 /* abort(); */
173 return 0;
174 }
175 return ret;
176 }
177
178X509_STORE *X509_STORE_new(void)
179 {
180 X509_STORE *ret;
181
182 if ((ret=(X509_STORE *)OPENSSL_malloc(sizeof(X509_STORE))) == NULL)
183 return NULL;
184 ret->objs = sk_X509_OBJECT_new(x509_object_cmp);
185 ret->cache=1;
186 ret->get_cert_methods=sk_X509_LOOKUP_new_null();
187 ret->verify=0;
188 ret->verify_cb=0;
189
190 if ((ret->param = X509_VERIFY_PARAM_new()) == NULL)
191 return NULL;
192
193 ret->get_issuer = 0;
194 ret->check_issued = 0;
195 ret->check_revocation = 0;
196 ret->get_crl = 0;
197 ret->check_crl = 0;
198 ret->cert_crl = 0;
199 ret->lookup_certs = 0;
200 ret->lookup_crls = 0;
201 ret->cleanup = 0;
202
203 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data))
204 {
205 sk_X509_OBJECT_free(ret->objs);
206 OPENSSL_free(ret);
207 return NULL;
208 }
209
210 ret->references=1;
211 return ret;
212 }
213
214static void cleanup(X509_OBJECT *a)
215 {
216 if (a->type == X509_LU_X509)
217 {
218 X509_free(a->data.x509);
219 }
220 else if (a->type == X509_LU_CRL)
221 {
222 X509_CRL_free(a->data.crl);
223 }
224 else
225 {
226 /* abort(); */
227 }
228
229 OPENSSL_free(a);
230 }
231
232void X509_STORE_free(X509_STORE *vfy)
233 {
234 int i;
235 STACK_OF(X509_LOOKUP) *sk;
236 X509_LOOKUP *lu;
237
238 if (vfy == NULL)
239 return;
240
241 sk=vfy->get_cert_methods;
242 for (i=0; i<sk_X509_LOOKUP_num(sk); i++)
243 {
244 lu=sk_X509_LOOKUP_value(sk,i);
245 X509_LOOKUP_shutdown(lu);
246 X509_LOOKUP_free(lu);
247 }
248 sk_X509_LOOKUP_free(sk);
249 sk_X509_OBJECT_pop_free(vfy->objs, cleanup);
250
251 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE, vfy, &vfy->ex_data);
252 if (vfy->param)
253 X509_VERIFY_PARAM_free(vfy->param);
254 OPENSSL_free(vfy);
255 }
256
257X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m)
258 {
259 int i;
260 STACK_OF(X509_LOOKUP) *sk;
261 X509_LOOKUP *lu;
262
263 sk=v->get_cert_methods;
264 for (i=0; i<sk_X509_LOOKUP_num(sk); i++)
265 {
266 lu=sk_X509_LOOKUP_value(sk,i);
267 if (m == lu->method)
268 {
269 return lu;
270 }
271 }
272 /* a new one */
273 lu=X509_LOOKUP_new(m);
274 if (lu == NULL)
275 return NULL;
276 else
277 {
278 lu->store_ctx=v;
279 if (sk_X509_LOOKUP_push(v->get_cert_methods,lu))
280 return lu;
281 else
282 {
283 X509_LOOKUP_free(lu);
284 return NULL;
285 }
286 }
287 }
288
289int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
290 X509_OBJECT *ret)
291 {
292 X509_STORE *ctx=vs->ctx;
293 X509_LOOKUP *lu;
294 X509_OBJECT stmp,*tmp;
295 int i,j;
296
297 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
298 tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name);
299 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
300
301 if (tmp == NULL || type == X509_LU_CRL)
302 {
303 for (i=vs->current_method; i<sk_X509_LOOKUP_num(ctx->get_cert_methods); i++)
304 {
305 lu=sk_X509_LOOKUP_value(ctx->get_cert_methods,i);
306 j=X509_LOOKUP_by_subject(lu,type,name,&stmp);
307 if (j < 0)
308 {
309 vs->current_method=j;
310 return j;
311 }
312 else if (j)
313 {
314 tmp= &stmp;
315 break;
316 }
317 }
318 vs->current_method=0;
319 if (tmp == NULL)
320 return 0;
321 }
322
323/* if (ret->data.ptr != NULL)
324 X509_OBJECT_free_contents(ret); */
325
326 ret->type=tmp->type;
327 ret->data.ptr=tmp->data.ptr;
328
329 X509_OBJECT_up_ref_count(ret);
330
331 return 1;
332 }
333
334int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
335 {
336 X509_OBJECT *obj;
337 int ret=1;
338
339 if (x == NULL) return 0;
340 obj=(X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT));
341 if (obj == NULL)
342 {
343 X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE);
344 return 0;
345 }
346 obj->type=X509_LU_X509;
347 obj->data.x509=x;
348
349 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
350
351 X509_OBJECT_up_ref_count(obj);
352
353 if (X509_OBJECT_retrieve_match(ctx->objs, obj))
354 {
355 X509_OBJECT_free_contents(obj);
356 OPENSSL_free(obj);
357 X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE);
358 ret=0;
359 }
360 else sk_X509_OBJECT_push(ctx->objs, obj);
361
362 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
363
364 return ret;
365 }
366
367int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
368 {
369 X509_OBJECT *obj;
370 int ret=1;
371
372 if (x == NULL) return 0;
373 obj=(X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT));
374 if (obj == NULL)
375 {
376 X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE);
377 return 0;
378 }
379 obj->type=X509_LU_CRL;
380 obj->data.crl=x;
381
382 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
383
384 X509_OBJECT_up_ref_count(obj);
385
386 if (X509_OBJECT_retrieve_match(ctx->objs, obj))
387 {
388 X509_OBJECT_free_contents(obj);
389 OPENSSL_free(obj);
390 X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE);
391 ret=0;
392 }
393 else sk_X509_OBJECT_push(ctx->objs, obj);
394
395 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
396
397 return ret;
398 }
399
400void X509_OBJECT_up_ref_count(X509_OBJECT *a)
401 {
402 switch (a->type)
403 {
404 case X509_LU_X509:
405 CRYPTO_add(&a->data.x509->references,1,CRYPTO_LOCK_X509);
406 break;
407 case X509_LU_CRL:
408 CRYPTO_add(&a->data.crl->references,1,CRYPTO_LOCK_X509_CRL);
409 break;
410 }
411 }
412
413void X509_OBJECT_free_contents(X509_OBJECT *a)
414 {
415 switch (a->type)
416 {
417 case X509_LU_X509:
418 X509_free(a->data.x509);
419 break;
420 case X509_LU_CRL:
421 X509_CRL_free(a->data.crl);
422 break;
423 }
424 }
425
426static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type,
427 X509_NAME *name, int *pnmatch)
428 {
429 X509_OBJECT stmp;
430 X509 x509_s;
431 X509_CINF cinf_s;
432 X509_CRL crl_s;
433 X509_CRL_INFO crl_info_s;
434 int idx;
435
436 stmp.type=type;
437 switch (type)
438 {
439 case X509_LU_X509:
440 stmp.data.x509= &x509_s;
441 x509_s.cert_info= &cinf_s;
442 cinf_s.subject=name;
443 break;
444 case X509_LU_CRL:
445 stmp.data.crl= &crl_s;
446 crl_s.crl= &crl_info_s;
447 crl_info_s.issuer=name;
448 break;
449 default:
450 /* abort(); */
451 return -1;
452 }
453
454 idx = sk_X509_OBJECT_find(h,&stmp);
455 if (idx >= 0 && pnmatch)
456 {
457 int tidx;
458 const X509_OBJECT *tobj, *pstmp;
459 *pnmatch = 1;
460 pstmp = &stmp;
461 for (tidx = idx + 1; tidx < sk_X509_OBJECT_num(h); tidx++)
462 {
463 tobj = sk_X509_OBJECT_value(h, tidx);
464 if (x509_object_cmp(&tobj, &pstmp))
465 break;
466 (*pnmatch)++;
467 }
468 }
469 return idx;
470 }
471
472
473int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
474 X509_NAME *name)
475 {
476 return x509_object_idx_cnt(h, type, name, NULL);
477 }
478
479X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type,
480 X509_NAME *name)
481 {
482 int idx;
483 idx = X509_OBJECT_idx_by_subject(h, type, name);
484 if (idx==-1) return NULL;
485 return sk_X509_OBJECT_value(h, idx);
486 }
487
488STACK_OF(X509)* X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
489 {
490 int i, idx, cnt;
491 STACK_OF(X509) *sk;
492 X509 *x;
493 X509_OBJECT *obj;
494 sk = sk_X509_new_null();
495 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
496 idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);
497 if (idx < 0)
498 {
499 /* Nothing found in cache: do lookup to possibly add new
500 * objects to cache
501 */
502 X509_OBJECT xobj;
503 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
504 if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, nm, &xobj))
505 {
506 sk_X509_free(sk);
507 return NULL;
508 }
509 X509_OBJECT_free_contents(&xobj);
510 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
511 idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_X509,nm, &cnt);
512 if (idx < 0)
513 {
514 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
515 sk_X509_free(sk);
516 return NULL;
517 }
518 }
519 for (i = 0; i < cnt; i++, idx++)
520 {
521 obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
522 x = obj->data.x509;
523 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
524 if (!sk_X509_push(sk, x))
525 {
526 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
527 X509_free(x);
528 sk_X509_pop_free(sk, X509_free);
529 return NULL;
530 }
531 }
532 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
533 return sk;
534
535 }
536
537STACK_OF(X509_CRL)* X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
538 {
539 int i, idx, cnt;
540 STACK_OF(X509_CRL) *sk;
541 X509_CRL *x;
542 X509_OBJECT *obj, xobj;
543 sk = sk_X509_CRL_new_null();
544 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
545 /* Check cache first */
546 idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt);
547
548 /* Always do lookup to possibly add new CRLs to cache
549 */
550 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
551 if (!X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj))
552 {
553 sk_X509_CRL_free(sk);
554 return NULL;
555 }
556 X509_OBJECT_free_contents(&xobj);
557 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
558 idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_CRL, nm, &cnt);
559 if (idx < 0)
560 {
561 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
562 sk_X509_CRL_free(sk);
563 return NULL;
564 }
565
566 for (i = 0; i < cnt; i++, idx++)
567 {
568 obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
569 x = obj->data.crl;
570 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL);
571 if (!sk_X509_CRL_push(sk, x))
572 {
573 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
574 X509_CRL_free(x);
575 sk_X509_CRL_pop_free(sk, X509_CRL_free);
576 return NULL;
577 }
578 }
579 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
580 return sk;
581 }
582
583X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x)
584 {
585 int idx, i;
586 X509_OBJECT *obj;
587 idx = sk_X509_OBJECT_find(h, x);
588 if (idx == -1) return NULL;
589 if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL))
590 return sk_X509_OBJECT_value(h, idx);
591 for (i = idx; i < sk_X509_OBJECT_num(h); i++)
592 {
593 obj = sk_X509_OBJECT_value(h, i);
594 if (x509_object_cmp((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x))
595 return NULL;
596 if (x->type == X509_LU_X509)
597 {
598 if (!X509_cmp(obj->data.x509, x->data.x509))
599 return obj;
600 }
601 else if (x->type == X509_LU_CRL)
602 {
603 if (!X509_CRL_match(obj->data.crl, x->data.crl))
604 return obj;
605 }
606 else
607 return obj;
608 }
609 return NULL;
610 }
611
612
613/* Try to get issuer certificate from store. Due to limitations
614 * of the API this can only retrieve a single certificate matching
615 * a given subject name. However it will fill the cache with all
616 * matching certificates, so we can examine the cache for all
617 * matches.
618 *
619 * Return values are:
620 * 1 lookup successful.
621 * 0 certificate not found.
622 * -1 some other error.
623 */
624int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
625 {
626 X509_NAME *xn;
627 X509_OBJECT obj, *pobj;
628 int i, ok, idx, ret;
629 xn=X509_get_issuer_name(x);
630 ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
631 if (ok != X509_LU_X509)
632 {
633 if (ok == X509_LU_RETRY)
634 {
635 X509_OBJECT_free_contents(&obj);
636 X509err(X509_F_X509_STORE_CTX_GET1_ISSUER,X509_R_SHOULD_RETRY);
637 return -1;
638 }
639 else if (ok != X509_LU_FAIL)
640 {
641 X509_OBJECT_free_contents(&obj);
642 /* not good :-(, break anyway */
643 return -1;
644 }
645 return 0;
646 }
647 /* If certificate matches all OK */
648 if (ctx->check_issued(ctx, x, obj.data.x509))
649 {
650 *issuer = obj.data.x509;
651 return 1;
652 }
653 X509_OBJECT_free_contents(&obj);
654
655 /* Else find index of first cert accepted by 'check_issued' */
656 ret = 0;
657 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
658 idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
659 if (idx != -1) /* should be true as we've had at least one match */
660 {
661 /* Look through all matching certs for suitable issuer */
662 for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
663 {
664 pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
665 /* See if we've run past the matches */
666 if (pobj->type != X509_LU_X509)
667 break;
668 if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509)))
669 break;
670 if (ctx->check_issued(ctx, x, pobj->data.x509))
671 {
672 *issuer = pobj->data.x509;
673 X509_OBJECT_up_ref_count(pobj);
674 ret = 1;
675 break;
676 }
677 }
678 }
679 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
680 return ret;
681 }
682
683int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags)
684 {
685 return X509_VERIFY_PARAM_set_flags(ctx->param, flags);
686 }
687
688int X509_STORE_set_depth(X509_STORE *ctx, int depth)
689 {
690 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
691 return 1;
692 }
693
694int X509_STORE_set_purpose(X509_STORE *ctx, int purpose)
695 {
696 return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose);
697 }
698
699int X509_STORE_set_trust(X509_STORE *ctx, int trust)
700 {
701 return X509_VERIFY_PARAM_set_trust(ctx->param, trust);
702 }
703
704int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param)
705 {
706 return X509_VERIFY_PARAM_set1(ctx->param, param);
707 }
708
709void X509_STORE_set_verify_cb(X509_STORE *ctx,
710 int (*verify_cb)(int, X509_STORE_CTX *))
711 {
712 ctx->verify_cb = verify_cb;
713 }
714
715IMPLEMENT_STACK_OF(X509_LOOKUP)
716IMPLEMENT_STACK_OF(X509_OBJECT)
diff --git a/src/lib/libcrypto/x509/x509_obj.c b/src/lib/libcrypto/x509/x509_obj.c
deleted file mode 100644
index 21fed9f838..0000000000
--- a/src/lib/libcrypto/x509/x509_obj.c
+++ /dev/null
@@ -1,226 +0,0 @@
1/* crypto/x509/x509_obj.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/lhash.h>
62#include <openssl/objects.h>
63#include <openssl/x509.h>
64#include <openssl/buffer.h>
65
66char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
67 {
68 X509_NAME_ENTRY *ne;
69int i;
70 int n,lold,l,l1,l2,num,j,type;
71 const char *s;
72 char *p;
73 unsigned char *q;
74 BUF_MEM *b=NULL;
75 static const char hex[17]="0123456789ABCDEF";
76 int gs_doit[4];
77 char tmp_buf[80];
78#ifdef CHARSET_EBCDIC
79 char ebcdic_buf[1024];
80#endif
81
82 if (buf == NULL)
83 {
84 if ((b=BUF_MEM_new()) == NULL) goto err;
85 if (!BUF_MEM_grow(b,200)) goto err;
86 b->data[0]='\0';
87 len=200;
88 }
89 if (a == NULL)
90 {
91 if(b)
92 {
93 buf=b->data;
94 OPENSSL_free(b);
95 }
96 strncpy(buf,"NO X509_NAME",len);
97 buf[len-1]='\0';
98 return buf;
99 }
100
101 len--; /* space for '\0' */
102 l=0;
103 for (i=0; i<sk_X509_NAME_ENTRY_num(a->entries); i++)
104 {
105 ne=sk_X509_NAME_ENTRY_value(a->entries,i);
106 n=OBJ_obj2nid(ne->object);
107 if ((n == NID_undef) || ((s=OBJ_nid2sn(n)) == NULL))
108 {
109 i2t_ASN1_OBJECT(tmp_buf,sizeof(tmp_buf),ne->object);
110 s=tmp_buf;
111 }
112 l1=strlen(s);
113
114 type=ne->value->type;
115 num=ne->value->length;
116 q=ne->value->data;
117#ifdef CHARSET_EBCDIC
118 if (type == V_ASN1_GENERALSTRING ||
119 type == V_ASN1_VISIBLESTRING ||
120 type == V_ASN1_PRINTABLESTRING ||
121 type == V_ASN1_TELETEXSTRING ||
122 type == V_ASN1_VISIBLESTRING ||
123 type == V_ASN1_IA5STRING) {
124 ascii2ebcdic(ebcdic_buf, q,
125 (num > sizeof ebcdic_buf)
126 ? sizeof ebcdic_buf : num);
127 q=ebcdic_buf;
128 }
129#endif
130
131 if ((type == V_ASN1_GENERALSTRING) && ((num%4) == 0))
132 {
133 gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=0;
134 for (j=0; j<num; j++)
135 if (q[j] != 0) gs_doit[j&3]=1;
136
137 if (gs_doit[0]|gs_doit[1]|gs_doit[2])
138 gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=1;
139 else
140 {
141 gs_doit[0]=gs_doit[1]=gs_doit[2]=0;
142 gs_doit[3]=1;
143 }
144 }
145 else
146 gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=1;
147
148 for (l2=j=0; j<num; j++)
149 {
150 if (!gs_doit[j&3]) continue;
151 l2++;
152#ifndef CHARSET_EBCDIC
153 if ((q[j] < ' ') || (q[j] > '~')) l2+=3;
154#else
155 if ((os_toascii[q[j]] < os_toascii[' ']) ||
156 (os_toascii[q[j]] > os_toascii['~'])) l2+=3;
157#endif
158 }
159
160 lold=l;
161 l+=1+l1+1+l2;
162 if (b != NULL)
163 {
164 if (!BUF_MEM_grow(b,l+1)) goto err;
165 p= &(b->data[lold]);
166 }
167 else if (l > len)
168 {
169 break;
170 }
171 else
172 p= &(buf[lold]);
173 *(p++)='/';
174 memcpy(p,s,(unsigned int)l1); p+=l1;
175 *(p++)='=';
176
177#ifndef CHARSET_EBCDIC /* q was assigned above already. */
178 q=ne->value->data;
179#endif
180
181 for (j=0; j<num; j++)
182 {
183 if (!gs_doit[j&3]) continue;
184#ifndef CHARSET_EBCDIC
185 n=q[j];
186 if ((n < ' ') || (n > '~'))
187 {
188 *(p++)='\\';
189 *(p++)='x';
190 *(p++)=hex[(n>>4)&0x0f];
191 *(p++)=hex[n&0x0f];
192 }
193 else
194 *(p++)=n;
195#else
196 n=os_toascii[q[j]];
197 if ((n < os_toascii[' ']) ||
198 (n > os_toascii['~']))
199 {
200 *(p++)='\\';
201 *(p++)='x';
202 *(p++)=hex[(n>>4)&0x0f];
203 *(p++)=hex[n&0x0f];
204 }
205 else
206 *(p++)=q[j];
207#endif
208 }
209 *p='\0';
210 }
211 if (b != NULL)
212 {
213 p=b->data;
214 OPENSSL_free(b);
215 }
216 else
217 p=buf;
218 if (i == 0)
219 *p = '\0';
220 return(p);
221err:
222 X509err(X509_F_X509_NAME_ONELINE,ERR_R_MALLOC_FAILURE);
223 if (b != NULL) BUF_MEM_free(b);
224 return(NULL);
225 }
226
diff --git a/src/lib/libcrypto/x509/x509_r2x.c b/src/lib/libcrypto/x509/x509_r2x.c
deleted file mode 100644
index 254a14693d..0000000000
--- a/src/lib/libcrypto/x509/x509_r2x.c
+++ /dev/null
@@ -1,114 +0,0 @@
1/* crypto/x509/x509_r2x.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/bn.h>
62#include <openssl/evp.h>
63#include <openssl/asn1.h>
64#include <openssl/x509.h>
65#include <openssl/objects.h>
66#include <openssl/buffer.h>
67
68X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
69 {
70 X509 *ret=NULL;
71 X509_CINF *xi=NULL;
72 X509_NAME *xn;
73
74 if ((ret=X509_new()) == NULL)
75 {
76 X509err(X509_F_X509_REQ_TO_X509,ERR_R_MALLOC_FAILURE);
77 goto err;
78 }
79
80 /* duplicate the request */
81 xi=ret->cert_info;
82
83 if (sk_X509_ATTRIBUTE_num(r->req_info->attributes) != 0)
84 {
85 if ((xi->version=M_ASN1_INTEGER_new()) == NULL) goto err;
86 if (!ASN1_INTEGER_set(xi->version,2)) goto err;
87/* xi->extensions=ri->attributes; <- bad, should not ever be done
88 ri->attributes=NULL; */
89 }
90
91 xn=X509_REQ_get_subject_name(r);
92 if (X509_set_subject_name(ret,X509_NAME_dup(xn)) == 0)
93 goto err;
94 if (X509_set_issuer_name(ret,X509_NAME_dup(xn)) == 0)
95 goto err;
96
97 if (X509_gmtime_adj(xi->validity->notBefore,0) == NULL)
98 goto err;
99 if (X509_gmtime_adj(xi->validity->notAfter,(long)60*60*24*days) == NULL)
100 goto err;
101
102 X509_set_pubkey(ret,X509_REQ_get_pubkey(r));
103
104 if (!X509_sign(ret,pkey,EVP_md5()))
105 goto err;
106 if (0)
107 {
108err:
109 X509_free(ret);
110 ret=NULL;
111 }
112 return(ret);
113 }
114
diff --git a/src/lib/libcrypto/x509/x509_req.c b/src/lib/libcrypto/x509/x509_req.c
deleted file mode 100644
index 48183dc00c..0000000000
--- a/src/lib/libcrypto/x509/x509_req.c
+++ /dev/null
@@ -1,316 +0,0 @@
1/* crypto/x509/x509_req.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/bn.h>
62#include <openssl/evp.h>
63#include <openssl/asn1.h>
64#include <openssl/asn1t.h>
65#include <openssl/x509.h>
66#include <openssl/objects.h>
67#include <openssl/buffer.h>
68#include <openssl/pem.h>
69
70X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
71 {
72 X509_REQ *ret;
73 X509_REQ_INFO *ri;
74 int i;
75 EVP_PKEY *pktmp;
76
77 ret=X509_REQ_new();
78 if (ret == NULL)
79 {
80 X509err(X509_F_X509_TO_X509_REQ,ERR_R_MALLOC_FAILURE);
81 goto err;
82 }
83
84 ri=ret->req_info;
85
86 ri->version->length=1;
87 ri->version->data=(unsigned char *)OPENSSL_malloc(1);
88 if (ri->version->data == NULL) goto err;
89 ri->version->data[0]=0; /* version == 0 */
90
91 if (!X509_REQ_set_subject_name(ret,X509_get_subject_name(x)))
92 goto err;
93
94 pktmp = X509_get_pubkey(x);
95 i=X509_REQ_set_pubkey(ret,pktmp);
96 EVP_PKEY_free(pktmp);
97 if (!i) goto err;
98
99 if (pkey != NULL)
100 {
101 if (!X509_REQ_sign(ret,pkey,md))
102 goto err;
103 }
104 return(ret);
105err:
106 X509_REQ_free(ret);
107 return(NULL);
108 }
109
110EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req)
111 {
112 if ((req == NULL) || (req->req_info == NULL))
113 return(NULL);
114 return(X509_PUBKEY_get(req->req_info->pubkey));
115 }
116
117int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k)
118 {
119 EVP_PKEY *xk=NULL;
120 int ok=0;
121
122 xk=X509_REQ_get_pubkey(x);
123 switch (EVP_PKEY_cmp(xk, k))
124 {
125 case 1:
126 ok=1;
127 break;
128 case 0:
129 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH);
130 break;
131 case -1:
132 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_KEY_TYPE_MISMATCH);
133 break;
134 case -2:
135#ifndef OPENSSL_NO_EC
136 if (k->type == EVP_PKEY_EC)
137 {
138 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY, ERR_R_EC_LIB);
139 break;
140 }
141#endif
142#ifndef OPENSSL_NO_DH
143 if (k->type == EVP_PKEY_DH)
144 {
145 /* No idea */
146 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY);
147 break;
148 }
149#endif
150 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE);
151 }
152
153 EVP_PKEY_free(xk);
154 return(ok);
155 }
156
157/* It seems several organisations had the same idea of including a list of
158 * extensions in a certificate request. There are at least two OIDs that are
159 * used and there may be more: so the list is configurable.
160 */
161
162static int ext_nid_list[] = { NID_ext_req, NID_ms_ext_req, NID_undef};
163
164static int *ext_nids = ext_nid_list;
165
166int X509_REQ_extension_nid(int req_nid)
167{
168 int i, nid;
169 for(i = 0; ; i++) {
170 nid = ext_nids[i];
171 if(nid == NID_undef) return 0;
172 else if (req_nid == nid) return 1;
173 }
174}
175
176int *X509_REQ_get_extension_nids(void)
177{
178 return ext_nids;
179}
180
181void X509_REQ_set_extension_nids(int *nids)
182{
183 ext_nids = nids;
184}
185
186STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
187 {
188 X509_ATTRIBUTE *attr;
189 ASN1_TYPE *ext = NULL;
190 int idx, *pnid;
191 const unsigned char *p;
192
193 if ((req == NULL) || (req->req_info == NULL) || !ext_nids)
194 return(NULL);
195 for (pnid = ext_nids; *pnid != NID_undef; pnid++)
196 {
197 idx = X509_REQ_get_attr_by_NID(req, *pnid, -1);
198 if (idx == -1)
199 continue;
200 attr = X509_REQ_get_attr(req, idx);
201 if(attr->single) ext = attr->value.single;
202 else if(sk_ASN1_TYPE_num(attr->value.set))
203 ext = sk_ASN1_TYPE_value(attr->value.set, 0);
204 break;
205 }
206 if(!ext || (ext->type != V_ASN1_SEQUENCE))
207 return NULL;
208 p = ext->value.sequence->data;
209 return (STACK_OF(X509_EXTENSION) *)
210 ASN1_item_d2i(NULL, &p, ext->value.sequence->length,
211 ASN1_ITEM_rptr(X509_EXTENSIONS));
212}
213
214/* Add a STACK_OF extensions to a certificate request: allow alternative OIDs
215 * in case we want to create a non standard one.
216 */
217
218int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts,
219 int nid)
220{
221 ASN1_TYPE *at = NULL;
222 X509_ATTRIBUTE *attr = NULL;
223 if(!(at = ASN1_TYPE_new()) ||
224 !(at->value.sequence = ASN1_STRING_new())) goto err;
225
226 at->type = V_ASN1_SEQUENCE;
227 /* Generate encoding of extensions */
228 at->value.sequence->length =
229 ASN1_item_i2d((ASN1_VALUE *)exts,
230 &at->value.sequence->data,
231 ASN1_ITEM_rptr(X509_EXTENSIONS));
232 if(!(attr = X509_ATTRIBUTE_new())) goto err;
233 if(!(attr->value.set = sk_ASN1_TYPE_new_null())) goto err;
234 if(!sk_ASN1_TYPE_push(attr->value.set, at)) goto err;
235 at = NULL;
236 attr->single = 0;
237 attr->object = OBJ_nid2obj(nid);
238 if (!req->req_info->attributes)
239 {
240 if (!(req->req_info->attributes = sk_X509_ATTRIBUTE_new_null()))
241 goto err;
242 }
243 if(!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) goto err;
244 return 1;
245 err:
246 X509_ATTRIBUTE_free(attr);
247 ASN1_TYPE_free(at);
248 return 0;
249}
250/* This is the normal usage: use the "official" OID */
251int X509_REQ_add_extensions(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts)
252{
253 return X509_REQ_add_extensions_nid(req, exts, NID_ext_req);
254}
255
256/* Request attribute functions */
257
258int X509_REQ_get_attr_count(const X509_REQ *req)
259{
260 return X509at_get_attr_count(req->req_info->attributes);
261}
262
263int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid,
264 int lastpos)
265{
266 return X509at_get_attr_by_NID(req->req_info->attributes, nid, lastpos);
267}
268
269int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, ASN1_OBJECT *obj,
270 int lastpos)
271{
272 return X509at_get_attr_by_OBJ(req->req_info->attributes, obj, lastpos);
273}
274
275X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc)
276{
277 return X509at_get_attr(req->req_info->attributes, loc);
278}
279
280X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc)
281{
282 return X509at_delete_attr(req->req_info->attributes, loc);
283}
284
285int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr)
286{
287 if(X509at_add1_attr(&req->req_info->attributes, attr)) return 1;
288 return 0;
289}
290
291int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
292 const ASN1_OBJECT *obj, int type,
293 const unsigned char *bytes, int len)
294{
295 if(X509at_add1_attr_by_OBJ(&req->req_info->attributes, obj,
296 type, bytes, len)) return 1;
297 return 0;
298}
299
300int X509_REQ_add1_attr_by_NID(X509_REQ *req,
301 int nid, int type,
302 const unsigned char *bytes, int len)
303{
304 if(X509at_add1_attr_by_NID(&req->req_info->attributes, nid,
305 type, bytes, len)) return 1;
306 return 0;
307}
308
309int X509_REQ_add1_attr_by_txt(X509_REQ *req,
310 const char *attrname, int type,
311 const unsigned char *bytes, int len)
312{
313 if(X509at_add1_attr_by_txt(&req->req_info->attributes, attrname,
314 type, bytes, len)) return 1;
315 return 0;
316}
diff --git a/src/lib/libcrypto/x509/x509_set.c b/src/lib/libcrypto/x509/x509_set.c
deleted file mode 100644
index 4b94fc5847..0000000000
--- a/src/lib/libcrypto/x509/x509_set.c
+++ /dev/null
@@ -1,150 +0,0 @@
1/* crypto/x509/x509_set.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/asn1.h>
62#include <openssl/objects.h>
63#include <openssl/evp.h>
64#include <openssl/x509.h>
65
66int X509_set_version(X509 *x, long version)
67 {
68 if (x == NULL) return(0);
69 if (x->cert_info->version == NULL)
70 {
71 if ((x->cert_info->version=M_ASN1_INTEGER_new()) == NULL)
72 return(0);
73 }
74 return(ASN1_INTEGER_set(x->cert_info->version,version));
75 }
76
77int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial)
78 {
79 ASN1_INTEGER *in;
80
81 if (x == NULL) return(0);
82 in=x->cert_info->serialNumber;
83 if (in != serial)
84 {
85 in=M_ASN1_INTEGER_dup(serial);
86 if (in != NULL)
87 {
88 M_ASN1_INTEGER_free(x->cert_info->serialNumber);
89 x->cert_info->serialNumber=in;
90 }
91 }
92 return(in != NULL);
93 }
94
95int X509_set_issuer_name(X509 *x, X509_NAME *name)
96 {
97 if ((x == NULL) || (x->cert_info == NULL)) return(0);
98 return(X509_NAME_set(&x->cert_info->issuer,name));
99 }
100
101int X509_set_subject_name(X509 *x, X509_NAME *name)
102 {
103 if ((x == NULL) || (x->cert_info == NULL)) return(0);
104 return(X509_NAME_set(&x->cert_info->subject,name));
105 }
106
107int X509_set_notBefore(X509 *x, const ASN1_TIME *tm)
108 {
109 ASN1_TIME *in;
110
111 if ((x == NULL) || (x->cert_info->validity == NULL)) return(0);
112 in=x->cert_info->validity->notBefore;
113 if (in != tm)
114 {
115 in=M_ASN1_TIME_dup(tm);
116 if (in != NULL)
117 {
118 M_ASN1_TIME_free(x->cert_info->validity->notBefore);
119 x->cert_info->validity->notBefore=in;
120 }
121 }
122 return(in != NULL);
123 }
124
125int X509_set_notAfter(X509 *x, const ASN1_TIME *tm)
126 {
127 ASN1_TIME *in;
128
129 if ((x == NULL) || (x->cert_info->validity == NULL)) return(0);
130 in=x->cert_info->validity->notAfter;
131 if (in != tm)
132 {
133 in=M_ASN1_TIME_dup(tm);
134 if (in != NULL)
135 {
136 M_ASN1_TIME_free(x->cert_info->validity->notAfter);
137 x->cert_info->validity->notAfter=in;
138 }
139 }
140 return(in != NULL);
141 }
142
143int X509_set_pubkey(X509 *x, EVP_PKEY *pkey)
144 {
145 if ((x == NULL) || (x->cert_info == NULL)) return(0);
146 return(X509_PUBKEY_set(&(x->cert_info->key),pkey));
147 }
148
149
150
diff --git a/src/lib/libcrypto/x509/x509_trs.c b/src/lib/libcrypto/x509/x509_trs.c
deleted file mode 100644
index a6cb9c8b1b..0000000000
--- a/src/lib/libcrypto/x509/x509_trs.c
+++ /dev/null
@@ -1,288 +0,0 @@
1/* x509_trs.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/x509v3.h>
62
63
64static int tr_cmp(const X509_TRUST * const *a,
65 const X509_TRUST * const *b);
66static void trtable_free(X509_TRUST *p);
67
68static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags);
69static int trust_1oid(X509_TRUST *trust, X509 *x, int flags);
70static int trust_compat(X509_TRUST *trust, X509 *x, int flags);
71
72static int obj_trust(int id, X509 *x, int flags);
73static int (*default_trust)(int id, X509 *x, int flags) = obj_trust;
74
75/* WARNING: the following table should be kept in order of trust
76 * and without any gaps so we can just subtract the minimum trust
77 * value to get an index into the table
78 */
79
80static X509_TRUST trstandard[] = {
81{X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL},
82{X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL},
83{X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL},
84{X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL},
85{X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, "Object Signer", NID_code_sign, NULL},
86{X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL},
87{X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL},
88{X509_TRUST_TSA, 0, trust_1oidany, "TSA server", NID_time_stamp, NULL}
89};
90
91#define X509_TRUST_COUNT (sizeof(trstandard)/sizeof(X509_TRUST))
92
93IMPLEMENT_STACK_OF(X509_TRUST)
94
95static STACK_OF(X509_TRUST) *trtable = NULL;
96
97static int tr_cmp(const X509_TRUST * const *a,
98 const X509_TRUST * const *b)
99{
100 return (*a)->trust - (*b)->trust;
101}
102
103int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int)
104{
105 int (*oldtrust)(int , X509 *, int);
106 oldtrust = default_trust;
107 default_trust = trust;
108 return oldtrust;
109}
110
111
112int X509_check_trust(X509 *x, int id, int flags)
113{
114 X509_TRUST *pt;
115 int idx;
116 if(id == -1) return 1;
117 idx = X509_TRUST_get_by_id(id);
118 if(idx == -1) return default_trust(id, x, flags);
119 pt = X509_TRUST_get0(idx);
120 return pt->check_trust(pt, x, flags);
121}
122
123int X509_TRUST_get_count(void)
124{
125 if(!trtable) return X509_TRUST_COUNT;
126 return sk_X509_TRUST_num(trtable) + X509_TRUST_COUNT;
127}
128
129X509_TRUST * X509_TRUST_get0(int idx)
130{
131 if(idx < 0) return NULL;
132 if(idx < (int)X509_TRUST_COUNT) return trstandard + idx;
133 return sk_X509_TRUST_value(trtable, idx - X509_TRUST_COUNT);
134}
135
136int X509_TRUST_get_by_id(int id)
137{
138 X509_TRUST tmp;
139 int idx;
140 if((id >= X509_TRUST_MIN) && (id <= X509_TRUST_MAX))
141 return id - X509_TRUST_MIN;
142 tmp.trust = id;
143 if(!trtable) return -1;
144 idx = sk_X509_TRUST_find(trtable, &tmp);
145 if(idx == -1) return -1;
146 return idx + X509_TRUST_COUNT;
147}
148
149int X509_TRUST_set(int *t, int trust)
150{
151 if(X509_TRUST_get_by_id(trust) == -1) {
152 X509err(X509_F_X509_TRUST_SET, X509_R_INVALID_TRUST);
153 return 0;
154 }
155 *t = trust;
156 return 1;
157}
158
159int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
160 char *name, int arg1, void *arg2)
161{
162 int idx;
163 X509_TRUST *trtmp;
164 /* This is set according to what we change: application can't set it */
165 flags &= ~X509_TRUST_DYNAMIC;
166 /* This will always be set for application modified trust entries */
167 flags |= X509_TRUST_DYNAMIC_NAME;
168 /* Get existing entry if any */
169 idx = X509_TRUST_get_by_id(id);
170 /* Need a new entry */
171 if(idx == -1) {
172 if(!(trtmp = OPENSSL_malloc(sizeof(X509_TRUST)))) {
173 X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
174 return 0;
175 }
176 trtmp->flags = X509_TRUST_DYNAMIC;
177 } else trtmp = X509_TRUST_get0(idx);
178
179 /* OPENSSL_free existing name if dynamic */
180 if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) OPENSSL_free(trtmp->name);
181 /* dup supplied name */
182 if(!(trtmp->name = BUF_strdup(name))) {
183 X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
184 return 0;
185 }
186 /* Keep the dynamic flag of existing entry */
187 trtmp->flags &= X509_TRUST_DYNAMIC;
188 /* Set all other flags */
189 trtmp->flags |= flags;
190
191 trtmp->trust = id;
192 trtmp->check_trust = ck;
193 trtmp->arg1 = arg1;
194 trtmp->arg2 = arg2;
195
196 /* If its a new entry manage the dynamic table */
197 if(idx == -1) {
198 if(!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) {
199 X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
200 return 0;
201 }
202 if (!sk_X509_TRUST_push(trtable, trtmp)) {
203 X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
204 return 0;
205 }
206 }
207 return 1;
208}
209
210static void trtable_free(X509_TRUST *p)
211 {
212 if(!p) return;
213 if (p->flags & X509_TRUST_DYNAMIC)
214 {
215 if (p->flags & X509_TRUST_DYNAMIC_NAME)
216 OPENSSL_free(p->name);
217 OPENSSL_free(p);
218 }
219 }
220
221void X509_TRUST_cleanup(void)
222{
223 unsigned int i;
224 for(i = 0; i < X509_TRUST_COUNT; i++) trtable_free(trstandard + i);
225 sk_X509_TRUST_pop_free(trtable, trtable_free);
226 trtable = NULL;
227}
228
229int X509_TRUST_get_flags(X509_TRUST *xp)
230{
231 return xp->flags;
232}
233
234char *X509_TRUST_get0_name(X509_TRUST *xp)
235{
236 return xp->name;
237}
238
239int X509_TRUST_get_trust(X509_TRUST *xp)
240{
241 return xp->trust;
242}
243
244static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags)
245{
246 if(x->aux && (x->aux->trust || x->aux->reject))
247 return obj_trust(trust->arg1, x, flags);
248 /* we don't have any trust settings: for compatibility
249 * we return trusted if it is self signed
250 */
251 return trust_compat(trust, x, flags);
252}
253
254static int trust_1oid(X509_TRUST *trust, X509 *x, int flags)
255{
256 if(x->aux) return obj_trust(trust->arg1, x, flags);
257 return X509_TRUST_UNTRUSTED;
258}
259
260static int trust_compat(X509_TRUST *trust, X509 *x, int flags)
261{
262 X509_check_purpose(x, -1, 0);
263 if(x->ex_flags & EXFLAG_SS) return X509_TRUST_TRUSTED;
264 else return X509_TRUST_UNTRUSTED;
265}
266
267static int obj_trust(int id, X509 *x, int flags)
268{
269 ASN1_OBJECT *obj;
270 int i;
271 X509_CERT_AUX *ax;
272 ax = x->aux;
273 if(!ax) return X509_TRUST_UNTRUSTED;
274 if(ax->reject) {
275 for(i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {
276 obj = sk_ASN1_OBJECT_value(ax->reject, i);
277 if(OBJ_obj2nid(obj) == id) return X509_TRUST_REJECTED;
278 }
279 }
280 if(ax->trust) {
281 for(i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
282 obj = sk_ASN1_OBJECT_value(ax->trust, i);
283 if(OBJ_obj2nid(obj) == id) return X509_TRUST_TRUSTED;
284 }
285 }
286 return X509_TRUST_UNTRUSTED;
287}
288
diff --git a/src/lib/libcrypto/x509/x509_txt.c b/src/lib/libcrypto/x509/x509_txt.c
deleted file mode 100644
index c44f753c46..0000000000
--- a/src/lib/libcrypto/x509/x509_txt.c
+++ /dev/null
@@ -1,193 +0,0 @@
1/* crypto/x509/x509_txt.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <time.h>
61#include <errno.h>
62
63#include "cryptlib.h"
64#include <openssl/lhash.h>
65#include <openssl/buffer.h>
66#include <openssl/evp.h>
67#include <openssl/asn1.h>
68#include <openssl/x509.h>
69#include <openssl/objects.h>
70
71const char *X509_verify_cert_error_string(long n)
72 {
73 static char buf[100];
74
75 switch ((int)n)
76 {
77 case X509_V_OK:
78 return("ok");
79 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
80 return("unable to get issuer certificate");
81 case X509_V_ERR_UNABLE_TO_GET_CRL:
82 return("unable to get certificate CRL");
83 case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
84 return("unable to decrypt certificate's signature");
85 case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
86 return("unable to decrypt CRL's signature");
87 case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
88 return("unable to decode issuer public key");
89 case X509_V_ERR_CERT_SIGNATURE_FAILURE:
90 return("certificate signature failure");
91 case X509_V_ERR_CRL_SIGNATURE_FAILURE:
92 return("CRL signature failure");
93 case X509_V_ERR_CERT_NOT_YET_VALID:
94 return("certificate is not yet valid");
95 case X509_V_ERR_CRL_NOT_YET_VALID:
96 return("CRL is not yet valid");
97 case X509_V_ERR_CERT_HAS_EXPIRED:
98 return("certificate has expired");
99 case X509_V_ERR_CRL_HAS_EXPIRED:
100 return("CRL has expired");
101 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
102 return("format error in certificate's notBefore field");
103 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
104 return("format error in certificate's notAfter field");
105 case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
106 return("format error in CRL's lastUpdate field");
107 case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
108 return("format error in CRL's nextUpdate field");
109 case X509_V_ERR_OUT_OF_MEM:
110 return("out of memory");
111 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
112 return("self signed certificate");
113 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
114 return("self signed certificate in certificate chain");
115 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
116 return("unable to get local issuer certificate");
117 case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
118 return("unable to verify the first certificate");
119 case X509_V_ERR_CERT_CHAIN_TOO_LONG:
120 return("certificate chain too long");
121 case X509_V_ERR_CERT_REVOKED:
122 return("certificate revoked");
123 case X509_V_ERR_INVALID_CA:
124 return ("invalid CA certificate");
125 case X509_V_ERR_INVALID_NON_CA:
126 return ("invalid non-CA certificate (has CA markings)");
127 case X509_V_ERR_PATH_LENGTH_EXCEEDED:
128 return ("path length constraint exceeded");
129 case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
130 return("proxy path length constraint exceeded");
131 case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
132 return("proxy certificates not allowed, please set the appropriate flag");
133 case X509_V_ERR_INVALID_PURPOSE:
134 return ("unsupported certificate purpose");
135 case X509_V_ERR_CERT_UNTRUSTED:
136 return ("certificate not trusted");
137 case X509_V_ERR_CERT_REJECTED:
138 return ("certificate rejected");
139 case X509_V_ERR_APPLICATION_VERIFICATION:
140 return("application verification failure");
141 case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
142 return("subject issuer mismatch");
143 case X509_V_ERR_AKID_SKID_MISMATCH:
144 return("authority and subject key identifier mismatch");
145 case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
146 return("authority and issuer serial number mismatch");
147 case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
148 return("key usage does not include certificate signing");
149 case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
150 return("unable to get CRL issuer certificate");
151 case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
152 return("unhandled critical extension");
153 case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
154 return("key usage does not include CRL signing");
155 case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
156 return("key usage does not include digital signature");
157 case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
158 return("unhandled critical CRL extension");
159 case X509_V_ERR_INVALID_EXTENSION:
160 return("invalid or inconsistent certificate extension");
161 case X509_V_ERR_INVALID_POLICY_EXTENSION:
162 return("invalid or inconsistent certificate policy extension");
163 case X509_V_ERR_NO_EXPLICIT_POLICY:
164 return("no explicit policy");
165 case X509_V_ERR_DIFFERENT_CRL_SCOPE:
166 return("Different CRL scope");
167 case X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE:
168 return("Unsupported extension feature");
169 case X509_V_ERR_UNNESTED_RESOURCE:
170 return("RFC 3779 resource not subset of parent's resources");
171
172 case X509_V_ERR_PERMITTED_VIOLATION:
173 return("permitted subtree violation");
174 case X509_V_ERR_EXCLUDED_VIOLATION:
175 return("excluded subtree violation");
176 case X509_V_ERR_SUBTREE_MINMAX:
177 return("name constraints minimum and maximum not supported");
178 case X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE:
179 return("unsupported name constraint type");
180 case X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX:
181 return("unsupported or invalid name constraint syntax");
182 case X509_V_ERR_UNSUPPORTED_NAME_SYNTAX:
183 return("unsupported or invalid name syntax");
184 case X509_V_ERR_CRL_PATH_VALIDATION_ERROR:
185 return("CRL path validation error");
186
187 default:
188 BIO_snprintf(buf,sizeof buf,"error number %ld",n);
189 return(buf);
190 }
191 }
192
193
diff --git a/src/lib/libcrypto/x509/x509_v3.c b/src/lib/libcrypto/x509/x509_v3.c
deleted file mode 100644
index 42e6f0ab05..0000000000
--- a/src/lib/libcrypto/x509/x509_v3.c
+++ /dev/null
@@ -1,274 +0,0 @@
1/* crypto/x509/x509_v3.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/stack.h>
61#include "cryptlib.h"
62#include <openssl/asn1.h>
63#include <openssl/objects.h>
64#include <openssl/evp.h>
65#include <openssl/x509.h>
66#include <openssl/x509v3.h>
67
68int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x)
69 {
70 if (x == NULL) return(0);
71 return(sk_X509_EXTENSION_num(x));
72 }
73
74int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid,
75 int lastpos)
76 {
77 ASN1_OBJECT *obj;
78
79 obj=OBJ_nid2obj(nid);
80 if (obj == NULL) return(-2);
81 return(X509v3_get_ext_by_OBJ(x,obj,lastpos));
82 }
83
84int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj,
85 int lastpos)
86 {
87 int n;
88 X509_EXTENSION *ex;
89
90 if (sk == NULL) return(-1);
91 lastpos++;
92 if (lastpos < 0)
93 lastpos=0;
94 n=sk_X509_EXTENSION_num(sk);
95 for ( ; lastpos < n; lastpos++)
96 {
97 ex=sk_X509_EXTENSION_value(sk,lastpos);
98 if (OBJ_cmp(ex->object,obj) == 0)
99 return(lastpos);
100 }
101 return(-1);
102 }
103
104int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit,
105 int lastpos)
106 {
107 int n;
108 X509_EXTENSION *ex;
109
110 if (sk == NULL) return(-1);
111 lastpos++;
112 if (lastpos < 0)
113 lastpos=0;
114 n=sk_X509_EXTENSION_num(sk);
115 for ( ; lastpos < n; lastpos++)
116 {
117 ex=sk_X509_EXTENSION_value(sk,lastpos);
118 if ( ((ex->critical > 0) && crit) ||
119 ((ex->critical <= 0) && !crit))
120 return(lastpos);
121 }
122 return(-1);
123 }
124
125X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc)
126 {
127 if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0)
128 return NULL;
129 else
130 return sk_X509_EXTENSION_value(x,loc);
131 }
132
133X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc)
134 {
135 X509_EXTENSION *ret;
136
137 if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0)
138 return(NULL);
139 ret=sk_X509_EXTENSION_delete(x,loc);
140 return(ret);
141 }
142
143STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x,
144 X509_EXTENSION *ex, int loc)
145 {
146 X509_EXTENSION *new_ex=NULL;
147 int n;
148 STACK_OF(X509_EXTENSION) *sk=NULL;
149
150 if (x == NULL)
151 {
152 X509err(X509_F_X509V3_ADD_EXT,ERR_R_PASSED_NULL_PARAMETER);
153 goto err2;
154 }
155
156 if (*x == NULL)
157 {
158 if ((sk=sk_X509_EXTENSION_new_null()) == NULL)
159 goto err;
160 }
161 else
162 sk= *x;
163
164 n=sk_X509_EXTENSION_num(sk);
165 if (loc > n) loc=n;
166 else if (loc < 0) loc=n;
167
168 if ((new_ex=X509_EXTENSION_dup(ex)) == NULL)
169 goto err2;
170 if (!sk_X509_EXTENSION_insert(sk,new_ex,loc))
171 goto err;
172 if (*x == NULL)
173 *x=sk;
174 return(sk);
175err:
176 X509err(X509_F_X509V3_ADD_EXT,ERR_R_MALLOC_FAILURE);
177err2:
178 if (new_ex != NULL) X509_EXTENSION_free(new_ex);
179 if (sk != NULL) sk_X509_EXTENSION_free(sk);
180 return(NULL);
181 }
182
183X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid,
184 int crit, ASN1_OCTET_STRING *data)
185 {
186 ASN1_OBJECT *obj;
187 X509_EXTENSION *ret;
188
189 obj=OBJ_nid2obj(nid);
190 if (obj == NULL)
191 {
192 X509err(X509_F_X509_EXTENSION_CREATE_BY_NID,X509_R_UNKNOWN_NID);
193 return(NULL);
194 }
195 ret=X509_EXTENSION_create_by_OBJ(ex,obj,crit,data);
196 if (ret == NULL) ASN1_OBJECT_free(obj);
197 return(ret);
198 }
199
200X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex,
201 ASN1_OBJECT *obj, int crit, ASN1_OCTET_STRING *data)
202 {
203 X509_EXTENSION *ret;
204
205 if ((ex == NULL) || (*ex == NULL))
206 {
207 if ((ret=X509_EXTENSION_new()) == NULL)
208 {
209 X509err(X509_F_X509_EXTENSION_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE);
210 return(NULL);
211 }
212 }
213 else
214 ret= *ex;
215
216 if (!X509_EXTENSION_set_object(ret,obj))
217 goto err;
218 if (!X509_EXTENSION_set_critical(ret,crit))
219 goto err;
220 if (!X509_EXTENSION_set_data(ret,data))
221 goto err;
222
223 if ((ex != NULL) && (*ex == NULL)) *ex=ret;
224 return(ret);
225err:
226 if ((ex == NULL) || (ret != *ex))
227 X509_EXTENSION_free(ret);
228 return(NULL);
229 }
230
231int X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj)
232 {
233 if ((ex == NULL) || (obj == NULL))
234 return(0);
235 ASN1_OBJECT_free(ex->object);
236 ex->object=OBJ_dup(obj);
237 return(1);
238 }
239
240int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit)
241 {
242 if (ex == NULL) return(0);
243 ex->critical=(crit)?0xFF:-1;
244 return(1);
245 }
246
247int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data)
248 {
249 int i;
250
251 if (ex == NULL) return(0);
252 i=M_ASN1_OCTET_STRING_set(ex->value,data->data,data->length);
253 if (!i) return(0);
254 return(1);
255 }
256
257ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex)
258 {
259 if (ex == NULL) return(NULL);
260 return(ex->object);
261 }
262
263ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ex)
264 {
265 if (ex == NULL) return(NULL);
266 return(ex->value);
267 }
268
269int X509_EXTENSION_get_critical(X509_EXTENSION *ex)
270 {
271 if (ex == NULL) return(0);
272 if(ex->critical > 0) return 1;
273 return 0;
274 }
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
deleted file mode 100644
index 87ebf62525..0000000000
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ /dev/null
@@ -1,2215 +0,0 @@
1/* crypto/x509/x509_vfy.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <time.h>
61#include <errno.h>
62
63#include "cryptlib.h"
64#include <openssl/crypto.h>
65#include <openssl/lhash.h>
66#include <openssl/buffer.h>
67#include <openssl/evp.h>
68#include <openssl/asn1.h>
69#include <openssl/x509.h>
70#include <openssl/x509v3.h>
71#include <openssl/objects.h>
72
73/* CRL score values */
74
75/* No unhandled critical extensions */
76
77#define CRL_SCORE_NOCRITICAL 0x100
78
79/* certificate is within CRL scope */
80
81#define CRL_SCORE_SCOPE 0x080
82
83/* CRL times valid */
84
85#define CRL_SCORE_TIME 0x040
86
87/* Issuer name matches certificate */
88
89#define CRL_SCORE_ISSUER_NAME 0x020
90
91/* If this score or above CRL is probably valid */
92
93#define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE)
94
95/* CRL issuer is certificate issuer */
96
97#define CRL_SCORE_ISSUER_CERT 0x018
98
99/* CRL issuer is on certificate path */
100
101#define CRL_SCORE_SAME_PATH 0x008
102
103/* CRL issuer matches CRL AKID */
104
105#define CRL_SCORE_AKID 0x004
106
107/* Have a delta CRL with valid times */
108
109#define CRL_SCORE_TIME_DELTA 0x002
110
111static int null_callback(int ok,X509_STORE_CTX *e);
112static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
113static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
114static int check_chain_extensions(X509_STORE_CTX *ctx);
115static int check_name_constraints(X509_STORE_CTX *ctx);
116static int check_trust(X509_STORE_CTX *ctx);
117static int check_revocation(X509_STORE_CTX *ctx);
118static int check_cert(X509_STORE_CTX *ctx);
119static int check_policy(X509_STORE_CTX *ctx);
120
121static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
122 unsigned int *preasons,
123 X509_CRL *crl, X509 *x);
124static int get_crl_delta(X509_STORE_CTX *ctx,
125 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x);
126static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score,
127 X509_CRL *base, STACK_OF(X509_CRL) *crls);
128static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
129 X509 **pissuer, int *pcrl_score);
130static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
131 unsigned int *preasons);
132static int check_crl_path(X509_STORE_CTX *ctx, X509 *x);
133static int check_crl_chain(X509_STORE_CTX *ctx,
134 STACK_OF(X509) *cert_path,
135 STACK_OF(X509) *crl_path);
136
137static int internal_verify(X509_STORE_CTX *ctx);
138const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT;
139
140
141static int null_callback(int ok, X509_STORE_CTX *e)
142 {
143 return ok;
144 }
145
146#if 0
147static int x509_subject_cmp(X509 **a, X509 **b)
148 {
149 return X509_subject_name_cmp(*a,*b);
150 }
151#endif
152
153int X509_verify_cert(X509_STORE_CTX *ctx)
154 {
155 X509 *x,*xtmp,*chain_ss=NULL;
156 X509_NAME *xn;
157 int bad_chain = 0;
158 X509_VERIFY_PARAM *param = ctx->param;
159 int depth,i,ok=0;
160 int num;
161 int (*cb)(int xok,X509_STORE_CTX *xctx);
162 STACK_OF(X509) *sktmp=NULL;
163 if (ctx->cert == NULL)
164 {
165 X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
166 return -1;
167 }
168
169 cb=ctx->verify_cb;
170
171 /* first we make sure the chain we are going to build is
172 * present and that the first entry is in place */
173 if (ctx->chain == NULL)
174 {
175 if ( ((ctx->chain=sk_X509_new_null()) == NULL) ||
176 (!sk_X509_push(ctx->chain,ctx->cert)))
177 {
178 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
179 goto end;
180 }
181 CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
182 ctx->last_untrusted=1;
183 }
184
185 /* We use a temporary STACK so we can chop and hack at it */
186 if (ctx->untrusted != NULL
187 && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL)
188 {
189 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
190 goto end;
191 }
192
193 num=sk_X509_num(ctx->chain);
194 x=sk_X509_value(ctx->chain,num-1);
195 depth=param->depth;
196
197
198 for (;;)
199 {
200 /* If we have enough, we break */
201 if (depth < num) break; /* FIXME: If this happens, we should take
202 * note of it and, if appropriate, use the
203 * X509_V_ERR_CERT_CHAIN_TOO_LONG error
204 * code later.
205 */
206
207 /* If we are self signed, we break */
208 xn=X509_get_issuer_name(x);
209 if (ctx->check_issued(ctx, x,x)) break;
210
211 /* If we were passed a cert chain, use it first */
212 if (ctx->untrusted != NULL)
213 {
214 xtmp=find_issuer(ctx, sktmp,x);
215 if (xtmp != NULL)
216 {
217 if (!sk_X509_push(ctx->chain,xtmp))
218 {
219 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
220 goto end;
221 }
222 CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509);
223 (void)sk_X509_delete_ptr(sktmp,xtmp);
224 ctx->last_untrusted++;
225 x=xtmp;
226 num++;
227 /* reparse the full chain for
228 * the next one */
229 continue;
230 }
231 }
232 break;
233 }
234
235 /* at this point, chain should contain a list of untrusted
236 * certificates. We now need to add at least one trusted one,
237 * if possible, otherwise we complain. */
238
239 /* Examine last certificate in chain and see if it
240 * is self signed.
241 */
242
243 i=sk_X509_num(ctx->chain);
244 x=sk_X509_value(ctx->chain,i-1);
245 xn = X509_get_subject_name(x);
246 if (ctx->check_issued(ctx, x, x))
247 {
248 /* we have a self signed certificate */
249 if (sk_X509_num(ctx->chain) == 1)
250 {
251 /* We have a single self signed certificate: see if
252 * we can find it in the store. We must have an exact
253 * match to avoid possible impersonation.
254 */
255 ok = ctx->get_issuer(&xtmp, ctx, x);
256 if ((ok <= 0) || X509_cmp(x, xtmp))
257 {
258 ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
259 ctx->current_cert=x;
260 ctx->error_depth=i-1;
261 if (ok == 1) X509_free(xtmp);
262 bad_chain = 1;
263 ok=cb(0,ctx);
264 if (!ok) goto end;
265 }
266 else
267 {
268 /* We have a match: replace certificate with store version
269 * so we get any trust settings.
270 */
271 X509_free(x);
272 x = xtmp;
273 (void)sk_X509_set(ctx->chain, i - 1, x);
274 ctx->last_untrusted=0;
275 }
276 }
277 else
278 {
279 /* extract and save self signed certificate for later use */
280 chain_ss=sk_X509_pop(ctx->chain);
281 ctx->last_untrusted--;
282 num--;
283 x=sk_X509_value(ctx->chain,num-1);
284 }
285 }
286
287 /* We now lookup certs from the certificate store */
288 for (;;)
289 {
290 /* If we have enough, we break */
291 if (depth < num) break;
292
293 /* If we are self signed, we break */
294 xn=X509_get_issuer_name(x);
295 if (ctx->check_issued(ctx,x,x)) break;
296
297 ok = ctx->get_issuer(&xtmp, ctx, x);
298
299 if (ok < 0) return ok;
300 if (ok == 0) break;
301
302 x = xtmp;
303 if (!sk_X509_push(ctx->chain,x))
304 {
305 X509_free(xtmp);
306 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
307 return 0;
308 }
309 num++;
310 }
311
312 /* we now have our chain, lets check it... */
313 xn=X509_get_issuer_name(x);
314
315 /* Is last certificate looked up self signed? */
316 if (!ctx->check_issued(ctx,x,x))
317 {
318 if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss))
319 {
320 if (ctx->last_untrusted >= num)
321 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
322 else
323 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
324 ctx->current_cert=x;
325 }
326 else
327 {
328
329 sk_X509_push(ctx->chain,chain_ss);
330 num++;
331 ctx->last_untrusted=num;
332 ctx->current_cert=chain_ss;
333 ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
334 chain_ss=NULL;
335 }
336
337 ctx->error_depth=num-1;
338 bad_chain = 1;
339 ok=cb(0,ctx);
340 if (!ok) goto end;
341 }
342
343 /* We have the chain complete: now we need to check its purpose */
344 ok = check_chain_extensions(ctx);
345
346 if (!ok) goto end;
347
348 /* Check name constraints */
349
350 ok = check_name_constraints(ctx);
351
352 if (!ok) goto end;
353
354 /* The chain extensions are OK: check trust */
355
356 if (param->trust > 0) ok = check_trust(ctx);
357
358 if (!ok) goto end;
359
360 /* We may as well copy down any DSA parameters that are required */
361 X509_get_pubkey_parameters(NULL,ctx->chain);
362
363 /* Check revocation status: we do this after copying parameters
364 * because they may be needed for CRL signature verification.
365 */
366
367 ok = ctx->check_revocation(ctx);
368 if(!ok) goto end;
369
370 /* At this point, we have a chain and need to verify it */
371 if (ctx->verify != NULL)
372 ok=ctx->verify(ctx);
373 else
374 ok=internal_verify(ctx);
375 if(!ok) goto end;
376
377#ifndef OPENSSL_NO_RFC3779
378 /* RFC 3779 path validation, now that CRL check has been done */
379 ok = v3_asid_validate_path(ctx);
380 if (!ok) goto end;
381 ok = v3_addr_validate_path(ctx);
382 if (!ok) goto end;
383#endif
384
385 /* If we get this far evaluate policies */
386 if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
387 ok = ctx->check_policy(ctx);
388 if(!ok) goto end;
389 if (0)
390 {
391end:
392 X509_get_pubkey_parameters(NULL,ctx->chain);
393 }
394 if (sktmp != NULL) sk_X509_free(sktmp);
395 if (chain_ss != NULL) X509_free(chain_ss);
396 return ok;
397 }
398
399
400/* Given a STACK_OF(X509) find the issuer of cert (if any)
401 */
402
403static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
404{
405 int i;
406 X509 *issuer;
407 for (i = 0; i < sk_X509_num(sk); i++)
408 {
409 issuer = sk_X509_value(sk, i);
410 if (ctx->check_issued(ctx, x, issuer))
411 return issuer;
412 }
413 return NULL;
414}
415
416/* Given a possible certificate and issuer check them */
417
418static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
419{
420 int ret;
421 ret = X509_check_issued(issuer, x);
422 if (ret == X509_V_OK)
423 return 1;
424 /* If we haven't asked for issuer errors don't set ctx */
425 if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK))
426 return 0;
427
428 ctx->error = ret;
429 ctx->current_cert = x;
430 ctx->current_issuer = issuer;
431 return ctx->verify_cb(0, ctx);
432 return 0;
433}
434
435/* Alternative lookup method: look from a STACK stored in other_ctx */
436
437static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
438{
439 *issuer = find_issuer(ctx, ctx->other_ctx, x);
440 if (*issuer)
441 {
442 CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509);
443 return 1;
444 }
445 else
446 return 0;
447}
448
449
450/* Check a certificate chains extensions for consistency
451 * with the supplied purpose
452 */
453
454static int check_chain_extensions(X509_STORE_CTX *ctx)
455{
456#ifdef OPENSSL_NO_CHAIN_VERIFY
457 return 1;
458#else
459 int i, ok=0, must_be_ca, plen = 0;
460 X509 *x;
461 int (*cb)(int xok,X509_STORE_CTX *xctx);
462 int proxy_path_length = 0;
463 int purpose;
464 int allow_proxy_certs;
465 cb=ctx->verify_cb;
466
467 /* must_be_ca can have 1 of 3 values:
468 -1: we accept both CA and non-CA certificates, to allow direct
469 use of self-signed certificates (which are marked as CA).
470 0: we only accept non-CA certificates. This is currently not
471 used, but the possibility is present for future extensions.
472 1: we only accept CA certificates. This is currently used for
473 all certificates in the chain except the leaf certificate.
474 */
475 must_be_ca = -1;
476
477 /* CRL path validation */
478 if (ctx->parent)
479 {
480 allow_proxy_certs = 0;
481 purpose = X509_PURPOSE_CRL_SIGN;
482 }
483 else
484 {
485 allow_proxy_certs =
486 !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
487 /* A hack to keep people who don't want to modify their
488 software happy */
489 if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
490 allow_proxy_certs = 1;
491 purpose = ctx->param->purpose;
492 }
493
494 /* Check all untrusted certificates */
495 for (i = 0; i < ctx->last_untrusted; i++)
496 {
497 int ret;
498 x = sk_X509_value(ctx->chain, i);
499 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
500 && (x->ex_flags & EXFLAG_CRITICAL))
501 {
502 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
503 ctx->error_depth = i;
504 ctx->current_cert = x;
505 ok=cb(0,ctx);
506 if (!ok) goto end;
507 }
508 if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY))
509 {
510 ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
511 ctx->error_depth = i;
512 ctx->current_cert = x;
513 ok=cb(0,ctx);
514 if (!ok) goto end;
515 }
516 ret = X509_check_ca(x);
517 switch(must_be_ca)
518 {
519 case -1:
520 if ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
521 && (ret != 1) && (ret != 0))
522 {
523 ret = 0;
524 ctx->error = X509_V_ERR_INVALID_CA;
525 }
526 else
527 ret = 1;
528 break;
529 case 0:
530 if (ret != 0)
531 {
532 ret = 0;
533 ctx->error = X509_V_ERR_INVALID_NON_CA;
534 }
535 else
536 ret = 1;
537 break;
538 default:
539 if ((ret == 0)
540 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
541 && (ret != 1)))
542 {
543 ret = 0;
544 ctx->error = X509_V_ERR_INVALID_CA;
545 }
546 else
547 ret = 1;
548 break;
549 }
550 if (ret == 0)
551 {
552 ctx->error_depth = i;
553 ctx->current_cert = x;
554 ok=cb(0,ctx);
555 if (!ok) goto end;
556 }
557 if (ctx->param->purpose > 0)
558 {
559 ret = X509_check_purpose(x, purpose, must_be_ca > 0);
560 if ((ret == 0)
561 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
562 && (ret != 1)))
563 {
564 ctx->error = X509_V_ERR_INVALID_PURPOSE;
565 ctx->error_depth = i;
566 ctx->current_cert = x;
567 ok=cb(0,ctx);
568 if (!ok) goto end;
569 }
570 }
571 /* Check pathlen if not self issued */
572 if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
573 && (x->ex_pathlen != -1)
574 && (plen > (x->ex_pathlen + proxy_path_length + 1)))
575 {
576 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
577 ctx->error_depth = i;
578 ctx->current_cert = x;
579 ok=cb(0,ctx);
580 if (!ok) goto end;
581 }
582 /* Increment path length if not self issued */
583 if (!(x->ex_flags & EXFLAG_SI))
584 plen++;
585 /* If this certificate is a proxy certificate, the next
586 certificate must be another proxy certificate or a EE
587 certificate. If not, the next certificate must be a
588 CA certificate. */
589 if (x->ex_flags & EXFLAG_PROXY)
590 {
591 if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen)
592 {
593 ctx->error =
594 X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
595 ctx->error_depth = i;
596 ctx->current_cert = x;
597 ok=cb(0,ctx);
598 if (!ok) goto end;
599 }
600 proxy_path_length++;
601 must_be_ca = 0;
602 }
603 else
604 must_be_ca = 1;
605 }
606 ok = 1;
607 end:
608 return ok;
609#endif
610}
611
612static int check_name_constraints(X509_STORE_CTX *ctx)
613 {
614 X509 *x;
615 int i, j, rv;
616 /* Check name constraints for all certificates */
617 for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
618 {
619 x = sk_X509_value(ctx->chain, i);
620 /* Ignore self issued certs unless last in chain */
621 if (i && (x->ex_flags & EXFLAG_SI))
622 continue;
623 /* Check against constraints for all certificates higher in
624 * chain including trust anchor. Trust anchor not strictly
625 * speaking needed but if it includes constraints it is to be
626 * assumed it expects them to be obeyed.
627 */
628 for (j = sk_X509_num(ctx->chain) - 1; j > i; j--)
629 {
630 NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
631 if (nc)
632 {
633 rv = NAME_CONSTRAINTS_check(x, nc);
634 if (rv != X509_V_OK)
635 {
636 ctx->error = rv;
637 ctx->error_depth = i;
638 ctx->current_cert = x;
639 if (!ctx->verify_cb(0,ctx))
640 return 0;
641 }
642 }
643 }
644 }
645 return 1;
646 }
647
648static int check_trust(X509_STORE_CTX *ctx)
649{
650#ifdef OPENSSL_NO_CHAIN_VERIFY
651 return 1;
652#else
653 int i, ok;
654 X509 *x;
655 int (*cb)(int xok,X509_STORE_CTX *xctx);
656 cb=ctx->verify_cb;
657/* For now just check the last certificate in the chain */
658 i = sk_X509_num(ctx->chain) - 1;
659 x = sk_X509_value(ctx->chain, i);
660 ok = X509_check_trust(x, ctx->param->trust, 0);
661 if (ok == X509_TRUST_TRUSTED)
662 return 1;
663 ctx->error_depth = i;
664 ctx->current_cert = x;
665 if (ok == X509_TRUST_REJECTED)
666 ctx->error = X509_V_ERR_CERT_REJECTED;
667 else
668 ctx->error = X509_V_ERR_CERT_UNTRUSTED;
669 ok = cb(0, ctx);
670 return ok;
671#endif
672}
673
674static int check_revocation(X509_STORE_CTX *ctx)
675 {
676 int i, last, ok;
677 if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
678 return 1;
679 if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
680 last = sk_X509_num(ctx->chain) - 1;
681 else
682 {
683 /* If checking CRL paths this isn't the EE certificate */
684 if (ctx->parent)
685 return 1;
686 last = 0;
687 }
688 for(i = 0; i <= last; i++)
689 {
690 ctx->error_depth = i;
691 ok = check_cert(ctx);
692 if (!ok) return ok;
693 }
694 return 1;
695 }
696
697static int check_cert(X509_STORE_CTX *ctx)
698 {
699 X509_CRL *crl = NULL, *dcrl = NULL;
700 X509 *x;
701 int ok, cnum;
702 cnum = ctx->error_depth;
703 x = sk_X509_value(ctx->chain, cnum);
704 ctx->current_cert = x;
705 ctx->current_issuer = NULL;
706 ctx->current_reasons = 0;
707 while (ctx->current_reasons != CRLDP_ALL_REASONS)
708 {
709 /* Try to retrieve relevant CRL */
710 if (ctx->get_crl)
711 ok = ctx->get_crl(ctx, &crl, x);
712 else
713 ok = get_crl_delta(ctx, &crl, &dcrl, x);
714 /* If error looking up CRL, nothing we can do except
715 * notify callback
716 */
717 if(!ok)
718 {
719 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
720 ok = ctx->verify_cb(0, ctx);
721 goto err;
722 }
723 ctx->current_crl = crl;
724 ok = ctx->check_crl(ctx, crl);
725 if (!ok)
726 goto err;
727
728 if (dcrl)
729 {
730 ok = ctx->check_crl(ctx, dcrl);
731 if (!ok)
732 goto err;
733 ok = ctx->cert_crl(ctx, dcrl, x);
734 if (!ok)
735 goto err;
736 }
737 else
738 ok = 1;
739
740 /* Don't look in full CRL if delta reason is removefromCRL */
741 if (ok != 2)
742 {
743 ok = ctx->cert_crl(ctx, crl, x);
744 if (!ok)
745 goto err;
746 }
747
748 X509_CRL_free(crl);
749 X509_CRL_free(dcrl);
750 crl = NULL;
751 dcrl = NULL;
752 }
753 err:
754 X509_CRL_free(crl);
755 X509_CRL_free(dcrl);
756
757 ctx->current_crl = NULL;
758 return ok;
759
760 }
761
762/* Check CRL times against values in X509_STORE_CTX */
763
764static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
765 {
766 time_t *ptime;
767 int i;
768 if (notify)
769 ctx->current_crl = crl;
770 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
771 ptime = &ctx->param->check_time;
772 else
773 ptime = NULL;
774
775 i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
776 if (i == 0)
777 {
778 if (!notify)
779 return 0;
780 ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
781 if (!ctx->verify_cb(0, ctx))
782 return 0;
783 }
784
785 if (i > 0)
786 {
787 if (!notify)
788 return 0;
789 ctx->error=X509_V_ERR_CRL_NOT_YET_VALID;
790 if (!ctx->verify_cb(0, ctx))
791 return 0;
792 }
793
794 if(X509_CRL_get_nextUpdate(crl))
795 {
796 i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
797
798 if (i == 0)
799 {
800 if (!notify)
801 return 0;
802 ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
803 if (!ctx->verify_cb(0, ctx))
804 return 0;
805 }
806 /* Ignore expiry of base CRL is delta is valid */
807 if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA))
808 {
809 if (!notify)
810 return 0;
811 ctx->error=X509_V_ERR_CRL_HAS_EXPIRED;
812 if (!ctx->verify_cb(0, ctx))
813 return 0;
814 }
815 }
816
817 if (notify)
818 ctx->current_crl = NULL;
819
820 return 1;
821 }
822
823static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
824 X509 **pissuer, int *pscore, unsigned int *preasons,
825 STACK_OF(X509_CRL) *crls)
826 {
827 int i, crl_score, best_score = *pscore;
828 unsigned int reasons, best_reasons = 0;
829 X509 *x = ctx->current_cert;
830 X509_CRL *crl, *best_crl = NULL;
831 X509 *crl_issuer = NULL, *best_crl_issuer = NULL;
832
833 for (i = 0; i < sk_X509_CRL_num(crls); i++)
834 {
835 crl = sk_X509_CRL_value(crls, i);
836 reasons = *preasons;
837 crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
838
839 if (crl_score > best_score)
840 {
841 best_crl = crl;
842 best_crl_issuer = crl_issuer;
843 best_score = crl_score;
844 best_reasons = reasons;
845 }
846 }
847
848 if (best_crl)
849 {
850 if (*pcrl)
851 X509_CRL_free(*pcrl);
852 *pcrl = best_crl;
853 *pissuer = best_crl_issuer;
854 *pscore = best_score;
855 *preasons = best_reasons;
856 CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL);
857 if (*pdcrl)
858 {
859 X509_CRL_free(*pdcrl);
860 *pdcrl = NULL;
861 }
862 get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
863 }
864
865 if (best_score >= CRL_SCORE_VALID)
866 return 1;
867
868 return 0;
869 }
870
871/* Compare two CRL extensions for delta checking purposes. They should be
872 * both present or both absent. If both present all fields must be identical.
873 */
874
875static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
876 {
877 ASN1_OCTET_STRING *exta, *extb;
878 int i;
879 i = X509_CRL_get_ext_by_NID(a, nid, 0);
880 if (i >= 0)
881 {
882 /* Can't have multiple occurrences */
883 if (X509_CRL_get_ext_by_NID(a, nid, i) != -1)
884 return 0;
885 exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i));
886 }
887 else
888 exta = NULL;
889
890 i = X509_CRL_get_ext_by_NID(b, nid, 0);
891
892 if (i >= 0)
893 {
894
895 if (X509_CRL_get_ext_by_NID(b, nid, i) != -1)
896 return 0;
897 extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
898 }
899 else
900 extb = NULL;
901
902 if (!exta && !extb)
903 return 1;
904
905 if (!exta || !extb)
906 return 0;
907
908
909 if (ASN1_OCTET_STRING_cmp(exta, extb))
910 return 0;
911
912 return 1;
913 }
914
915/* See if a base and delta are compatible */
916
917static int check_delta_base(X509_CRL *delta, X509_CRL *base)
918 {
919 /* Delta CRL must be a delta */
920 if (!delta->base_crl_number)
921 return 0;
922 /* Base must have a CRL number */
923 if (!base->crl_number)
924 return 0;
925 /* Issuer names must match */
926 if (X509_NAME_cmp(X509_CRL_get_issuer(base),
927 X509_CRL_get_issuer(delta)))
928 return 0;
929 /* AKID and IDP must match */
930 if (!crl_extension_match(delta, base, NID_authority_key_identifier))
931 return 0;
932 if (!crl_extension_match(delta, base, NID_issuing_distribution_point))
933 return 0;
934 /* Delta CRL base number must not exceed Full CRL number. */
935 if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)
936 return 0;
937 /* Delta CRL number must exceed full CRL number */
938 if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
939 return 1;
940 return 0;
941 }
942
943/* For a given base CRL find a delta... maybe extend to delta scoring
944 * or retrieve a chain of deltas...
945 */
946
947static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
948 X509_CRL *base, STACK_OF(X509_CRL) *crls)
949 {
950 X509_CRL *delta;
951 int i;
952 if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS))
953 return;
954 if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST))
955 return;
956 for (i = 0; i < sk_X509_CRL_num(crls); i++)
957 {
958 delta = sk_X509_CRL_value(crls, i);
959 if (check_delta_base(delta, base))
960 {
961 if (check_crl_time(ctx, delta, 0))
962 *pscore |= CRL_SCORE_TIME_DELTA;
963 CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL);
964 *dcrl = delta;
965 return;
966 }
967 }
968 *dcrl = NULL;
969 }
970
971/* For a given CRL return how suitable it is for the supplied certificate 'x'.
972 * The return value is a mask of several criteria.
973 * If the issuer is not the certificate issuer this is returned in *pissuer.
974 * The reasons mask is also used to determine if the CRL is suitable: if
975 * no new reasons the CRL is rejected, otherwise reasons is updated.
976 */
977
978static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
979 unsigned int *preasons,
980 X509_CRL *crl, X509 *x)
981 {
982
983 int crl_score = 0;
984 unsigned int tmp_reasons = *preasons, crl_reasons;
985
986 /* First see if we can reject CRL straight away */
987
988 /* Invalid IDP cannot be processed */
989 if (crl->idp_flags & IDP_INVALID)
990 return 0;
991 /* Reason codes or indirect CRLs need extended CRL support */
992 if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT))
993 {
994 if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS))
995 return 0;
996 }
997 else if (crl->idp_flags & IDP_REASONS)
998 {
999 /* If no new reasons reject */
1000 if (!(crl->idp_reasons & ~tmp_reasons))
1001 return 0;
1002 }
1003 /* Don't process deltas at this stage */
1004 else if (crl->base_crl_number)
1005 return 0;
1006 /* If issuer name doesn't match certificate need indirect CRL */
1007 if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl)))
1008 {
1009 if (!(crl->idp_flags & IDP_INDIRECT))
1010 return 0;
1011 }
1012 else
1013 crl_score |= CRL_SCORE_ISSUER_NAME;
1014
1015 if (!(crl->flags & EXFLAG_CRITICAL))
1016 crl_score |= CRL_SCORE_NOCRITICAL;
1017
1018 /* Check expiry */
1019 if (check_crl_time(ctx, crl, 0))
1020 crl_score |= CRL_SCORE_TIME;
1021
1022 /* Check authority key ID and locate certificate issuer */
1023 crl_akid_check(ctx, crl, pissuer, &crl_score);
1024
1025 /* If we can't locate certificate issuer at this point forget it */
1026
1027 if (!(crl_score & CRL_SCORE_AKID))
1028 return 0;
1029
1030 /* Check cert for matching CRL distribution points */
1031
1032 if (crl_crldp_check(x, crl, crl_score, &crl_reasons))
1033 {
1034 /* If no new reasons reject */
1035 if (!(crl_reasons & ~tmp_reasons))
1036 return 0;
1037 tmp_reasons |= crl_reasons;
1038 crl_score |= CRL_SCORE_SCOPE;
1039 }
1040
1041 *preasons = tmp_reasons;
1042
1043 return crl_score;
1044
1045 }
1046
1047static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1048 X509 **pissuer, int *pcrl_score)
1049 {
1050 X509 *crl_issuer = NULL;
1051 X509_NAME *cnm = X509_CRL_get_issuer(crl);
1052 int cidx = ctx->error_depth;
1053 int i;
1054
1055 if (cidx != sk_X509_num(ctx->chain) - 1)
1056 cidx++;
1057
1058 crl_issuer = sk_X509_value(ctx->chain, cidx);
1059
1060 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
1061 {
1062 if (*pcrl_score & CRL_SCORE_ISSUER_NAME)
1063 {
1064 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_ISSUER_CERT;
1065 *pissuer = crl_issuer;
1066 return;
1067 }
1068 }
1069
1070 for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++)
1071 {
1072 crl_issuer = sk_X509_value(ctx->chain, cidx);
1073 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1074 continue;
1075 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
1076 {
1077 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_SAME_PATH;
1078 *pissuer = crl_issuer;
1079 return;
1080 }
1081 }
1082
1083 /* Anything else needs extended CRL support */
1084
1085 if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT))
1086 return;
1087
1088 /* Otherwise the CRL issuer is not on the path. Look for it in the
1089 * set of untrusted certificates.
1090 */
1091 for (i = 0; i < sk_X509_num(ctx->untrusted); i++)
1092 {
1093 crl_issuer = sk_X509_value(ctx->untrusted, i);
1094 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1095 continue;
1096 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
1097 {
1098 *pissuer = crl_issuer;
1099 *pcrl_score |= CRL_SCORE_AKID;
1100 return;
1101 }
1102 }
1103 }
1104
1105/* Check the path of a CRL issuer certificate. This creates a new
1106 * X509_STORE_CTX and populates it with most of the parameters from the
1107 * parent. This could be optimised somewhat since a lot of path checking
1108 * will be duplicated by the parent, but this will rarely be used in
1109 * practice.
1110 */
1111
1112static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1113 {
1114 X509_STORE_CTX crl_ctx;
1115 int ret;
1116 /* Don't allow recursive CRL path validation */
1117 if (ctx->parent)
1118 return 0;
1119 if (!X509_STORE_CTX_init(&crl_ctx, ctx->ctx, x, ctx->untrusted))
1120 return -1;
1121
1122 crl_ctx.crls = ctx->crls;
1123 /* Copy verify params across */
1124 X509_STORE_CTX_set0_param(&crl_ctx, ctx->param);
1125
1126 crl_ctx.parent = ctx;
1127 crl_ctx.verify_cb = ctx->verify_cb;
1128
1129 /* Verify CRL issuer */
1130 ret = X509_verify_cert(&crl_ctx);
1131
1132 if (ret <= 0)
1133 goto err;
1134
1135 /* Check chain is acceptable */
1136
1137 ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
1138 err:
1139 X509_STORE_CTX_cleanup(&crl_ctx);
1140 return ret;
1141 }
1142
1143/* RFC3280 says nothing about the relationship between CRL path
1144 * and certificate path, which could lead to situations where a
1145 * certificate could be revoked or validated by a CA not authorised
1146 * to do so. RFC5280 is more strict and states that the two paths must
1147 * end in the same trust anchor, though some discussions remain...
1148 * until this is resolved we use the RFC5280 version
1149 */
1150
1151static int check_crl_chain(X509_STORE_CTX *ctx,
1152 STACK_OF(X509) *cert_path,
1153 STACK_OF(X509) *crl_path)
1154 {
1155 X509 *cert_ta, *crl_ta;
1156 cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
1157 crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
1158 if (!X509_cmp(cert_ta, crl_ta))
1159 return 1;
1160 return 0;
1161 }
1162
1163/* Check for match between two dist point names: three separate cases.
1164 * 1. Both are relative names and compare X509_NAME types.
1165 * 2. One full, one relative. Compare X509_NAME to GENERAL_NAMES.
1166 * 3. Both are full names and compare two GENERAL_NAMES.
1167 * 4. One is NULL: automatic match.
1168 */
1169
1170
1171static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
1172 {
1173 X509_NAME *nm = NULL;
1174 GENERAL_NAMES *gens = NULL;
1175 GENERAL_NAME *gena, *genb;
1176 int i, j;
1177 if (!a || !b)
1178 return 1;
1179 if (a->type == 1)
1180 {
1181 if (!a->dpname)
1182 return 0;
1183 /* Case 1: two X509_NAME */
1184 if (b->type == 1)
1185 {
1186 if (!b->dpname)
1187 return 0;
1188 if (!X509_NAME_cmp(a->dpname, b->dpname))
1189 return 1;
1190 else
1191 return 0;
1192 }
1193 /* Case 2: set name and GENERAL_NAMES appropriately */
1194 nm = a->dpname;
1195 gens = b->name.fullname;
1196 }
1197 else if (b->type == 1)
1198 {
1199 if (!b->dpname)
1200 return 0;
1201 /* Case 2: set name and GENERAL_NAMES appropriately */
1202 gens = a->name.fullname;
1203 nm = b->dpname;
1204 }
1205
1206 /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
1207 if (nm)
1208 {
1209 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
1210 {
1211 gena = sk_GENERAL_NAME_value(gens, i);
1212 if (gena->type != GEN_DIRNAME)
1213 continue;
1214 if (!X509_NAME_cmp(nm, gena->d.directoryName))
1215 return 1;
1216 }
1217 return 0;
1218 }
1219
1220 /* Else case 3: two GENERAL_NAMES */
1221
1222 for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++)
1223 {
1224 gena = sk_GENERAL_NAME_value(a->name.fullname, i);
1225 for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++)
1226 {
1227 genb = sk_GENERAL_NAME_value(b->name.fullname, j);
1228 if (!GENERAL_NAME_cmp(gena, genb))
1229 return 1;
1230 }
1231 }
1232
1233 return 0;
1234
1235 }
1236
1237static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
1238 {
1239 int i;
1240 X509_NAME *nm = X509_CRL_get_issuer(crl);
1241 /* If no CRLissuer return is successful iff don't need a match */
1242 if (!dp->CRLissuer)
1243 return !!(crl_score & CRL_SCORE_ISSUER_NAME);
1244 for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++)
1245 {
1246 GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
1247 if (gen->type != GEN_DIRNAME)
1248 continue;
1249 if (!X509_NAME_cmp(gen->d.directoryName, nm))
1250 return 1;
1251 }
1252 return 0;
1253 }
1254
1255/* Check CRLDP and IDP */
1256
1257static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
1258 unsigned int *preasons)
1259 {
1260 int i;
1261 if (crl->idp_flags & IDP_ONLYATTR)
1262 return 0;
1263 if (x->ex_flags & EXFLAG_CA)
1264 {
1265 if (crl->idp_flags & IDP_ONLYUSER)
1266 return 0;
1267 }
1268 else
1269 {
1270 if (crl->idp_flags & IDP_ONLYCA)
1271 return 0;
1272 }
1273 *preasons = crl->idp_reasons;
1274 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
1275 {
1276 DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
1277 if (crldp_check_crlissuer(dp, crl, crl_score))
1278 {
1279 if (!crl->idp ||
1280 idp_check_dp(dp->distpoint, crl->idp->distpoint))
1281 {
1282 *preasons &= dp->dp_reasons;
1283 return 1;
1284 }
1285 }
1286 }
1287 if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME))
1288 return 1;
1289 return 0;
1290 }
1291
1292/* Retrieve CRL corresponding to current certificate.
1293 * If deltas enabled try to find a delta CRL too
1294 */
1295
1296static int get_crl_delta(X509_STORE_CTX *ctx,
1297 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
1298 {
1299 int ok;
1300 X509 *issuer = NULL;
1301 int crl_score = 0;
1302 unsigned int reasons;
1303 X509_CRL *crl = NULL, *dcrl = NULL;
1304 STACK_OF(X509_CRL) *skcrl;
1305 X509_NAME *nm = X509_get_issuer_name(x);
1306 reasons = ctx->current_reasons;
1307 ok = get_crl_sk(ctx, &crl, &dcrl,
1308 &issuer, &crl_score, &reasons, ctx->crls);
1309
1310 if (ok)
1311 goto done;
1312
1313 /* Lookup CRLs from store */
1314
1315 skcrl = ctx->lookup_crls(ctx, nm);
1316
1317 /* If no CRLs found and a near match from get_crl_sk use that */
1318 if (!skcrl && crl)
1319 goto done;
1320
1321 get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl);
1322
1323 sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
1324
1325 done:
1326
1327 /* If we got any kind of CRL use it and return success */
1328 if (crl)
1329 {
1330 ctx->current_issuer = issuer;
1331 ctx->current_crl_score = crl_score;
1332 ctx->current_reasons = reasons;
1333 *pcrl = crl;
1334 *pdcrl = dcrl;
1335 return 1;
1336 }
1337
1338 return 0;
1339 }
1340
1341/* Check CRL validity */
1342static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
1343 {
1344 X509 *issuer = NULL;
1345 EVP_PKEY *ikey = NULL;
1346 int ok = 0, chnum, cnum;
1347 cnum = ctx->error_depth;
1348 chnum = sk_X509_num(ctx->chain) - 1;
1349 /* if we have an alternative CRL issuer cert use that */
1350 if (ctx->current_issuer)
1351 issuer = ctx->current_issuer;
1352
1353 /* Else find CRL issuer: if not last certificate then issuer
1354 * is next certificate in chain.
1355 */
1356 else if (cnum < chnum)
1357 issuer = sk_X509_value(ctx->chain, cnum + 1);
1358 else
1359 {
1360 issuer = sk_X509_value(ctx->chain, chnum);
1361 /* If not self signed, can't check signature */
1362 if(!ctx->check_issued(ctx, issuer, issuer))
1363 {
1364 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
1365 ok = ctx->verify_cb(0, ctx);
1366 if(!ok) goto err;
1367 }
1368 }
1369
1370 if(issuer)
1371 {
1372 /* Skip most tests for deltas because they have already
1373 * been done
1374 */
1375 if (!crl->base_crl_number)
1376 {
1377 /* Check for cRLSign bit if keyUsage present */
1378 if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
1379 !(issuer->ex_kusage & KU_CRL_SIGN))
1380 {
1381 ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
1382 ok = ctx->verify_cb(0, ctx);
1383 if(!ok) goto err;
1384 }
1385
1386 if (!(ctx->current_crl_score & CRL_SCORE_SCOPE))
1387 {
1388 ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
1389 ok = ctx->verify_cb(0, ctx);
1390 if(!ok) goto err;
1391 }
1392
1393 if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH))
1394 {
1395 if (check_crl_path(ctx, ctx->current_issuer) <= 0)
1396 {
1397 ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
1398 ok = ctx->verify_cb(0, ctx);
1399 if(!ok) goto err;
1400 }
1401 }
1402
1403 if (crl->idp_flags & IDP_INVALID)
1404 {
1405 ctx->error = X509_V_ERR_INVALID_EXTENSION;
1406 ok = ctx->verify_cb(0, ctx);
1407 if(!ok) goto err;
1408 }
1409
1410
1411 }
1412
1413 if (!(ctx->current_crl_score & CRL_SCORE_TIME))
1414 {
1415 ok = check_crl_time(ctx, crl, 1);
1416 if (!ok)
1417 goto err;
1418 }
1419
1420 /* Attempt to get issuer certificate public key */
1421 ikey = X509_get_pubkey(issuer);
1422
1423 if(!ikey)
1424 {
1425 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1426 ok = ctx->verify_cb(0, ctx);
1427 if (!ok) goto err;
1428 }
1429 else
1430 {
1431 /* Verify CRL signature */
1432 if(X509_CRL_verify(crl, ikey) <= 0)
1433 {
1434 ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE;
1435 ok = ctx->verify_cb(0, ctx);
1436 if (!ok) goto err;
1437 }
1438 }
1439 }
1440
1441 ok = 1;
1442
1443 err:
1444 EVP_PKEY_free(ikey);
1445 return ok;
1446 }
1447
1448/* Check certificate against CRL */
1449static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1450 {
1451 int ok;
1452 X509_REVOKED *rev;
1453 /* The rules changed for this... previously if a CRL contained
1454 * unhandled critical extensions it could still be used to indicate
1455 * a certificate was revoked. This has since been changed since
1456 * critical extension can change the meaning of CRL entries.
1457 */
1458 if (crl->flags & EXFLAG_CRITICAL)
1459 {
1460 if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
1461 return 1;
1462 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
1463 ok = ctx->verify_cb(0, ctx);
1464 if(!ok)
1465 return 0;
1466 }
1467 /* Look for serial number of certificate in CRL
1468 * If found make sure reason is not removeFromCRL.
1469 */
1470 if (X509_CRL_get0_by_cert(crl, &rev, x))
1471 {
1472 if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)
1473 return 2;
1474 ctx->error = X509_V_ERR_CERT_REVOKED;
1475 ok = ctx->verify_cb(0, ctx);
1476 if (!ok)
1477 return 0;
1478 }
1479
1480 return 1;
1481 }
1482
1483static int check_policy(X509_STORE_CTX *ctx)
1484 {
1485 int ret;
1486 if (ctx->parent)
1487 return 1;
1488 ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
1489 ctx->param->policies, ctx->param->flags);
1490 if (ret == 0)
1491 {
1492 X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE);
1493 return 0;
1494 }
1495 /* Invalid or inconsistent extensions */
1496 if (ret == -1)
1497 {
1498 /* Locate certificates with bad extensions and notify
1499 * callback.
1500 */
1501 X509 *x;
1502 int i;
1503 for (i = 1; i < sk_X509_num(ctx->chain); i++)
1504 {
1505 x = sk_X509_value(ctx->chain, i);
1506 if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
1507 continue;
1508 ctx->current_cert = x;
1509 ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
1510 if(!ctx->verify_cb(0, ctx))
1511 return 0;
1512 }
1513 return 1;
1514 }
1515 if (ret == -2)
1516 {
1517 ctx->current_cert = NULL;
1518 ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
1519 return ctx->verify_cb(0, ctx);
1520 }
1521
1522 if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY)
1523 {
1524 ctx->current_cert = NULL;
1525 ctx->error = X509_V_OK;
1526 if (!ctx->verify_cb(2, ctx))
1527 return 0;
1528 }
1529
1530 return 1;
1531 }
1532
1533static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1534 {
1535 time_t *ptime;
1536 int i;
1537
1538 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
1539 ptime = &ctx->param->check_time;
1540 else
1541 ptime = NULL;
1542
1543 i=X509_cmp_time(X509_get_notBefore(x), ptime);
1544 if (i == 0)
1545 {
1546 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
1547 ctx->current_cert=x;
1548 if (!ctx->verify_cb(0, ctx))
1549 return 0;
1550 }
1551
1552 if (i > 0)
1553 {
1554 ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
1555 ctx->current_cert=x;
1556 if (!ctx->verify_cb(0, ctx))
1557 return 0;
1558 }
1559
1560 i=X509_cmp_time(X509_get_notAfter(x), ptime);
1561 if (i == 0)
1562 {
1563 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
1564 ctx->current_cert=x;
1565 if (!ctx->verify_cb(0, ctx))
1566 return 0;
1567 }
1568
1569 if (i < 0)
1570 {
1571 ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
1572 ctx->current_cert=x;
1573 if (!ctx->verify_cb(0, ctx))
1574 return 0;
1575 }
1576
1577 return 1;
1578 }
1579
1580static int internal_verify(X509_STORE_CTX *ctx)
1581 {
1582 int ok=0,n;
1583 X509 *xs,*xi;
1584 EVP_PKEY *pkey=NULL;
1585 int (*cb)(int xok,X509_STORE_CTX *xctx);
1586
1587 cb=ctx->verify_cb;
1588
1589 n=sk_X509_num(ctx->chain);
1590 ctx->error_depth=n-1;
1591 n--;
1592 xi=sk_X509_value(ctx->chain,n);
1593
1594 if (ctx->check_issued(ctx, xi, xi))
1595 xs=xi;
1596 else
1597 {
1598 if (n <= 0)
1599 {
1600 ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
1601 ctx->current_cert=xi;
1602 ok=cb(0,ctx);
1603 goto end;
1604 }
1605 else
1606 {
1607 n--;
1608 ctx->error_depth=n;
1609 xs=sk_X509_value(ctx->chain,n);
1610 }
1611 }
1612
1613/* ctx->error=0; not needed */
1614 while (n >= 0)
1615 {
1616 ctx->error_depth=n;
1617
1618 /* Skip signature check for self signed certificates unless
1619 * explicitly asked for. It doesn't add any security and
1620 * just wastes time.
1621 */
1622 if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)))
1623 {
1624 if ((pkey=X509_get_pubkey(xi)) == NULL)
1625 {
1626 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1627 ctx->current_cert=xi;
1628 ok=(*cb)(0,ctx);
1629 if (!ok) goto end;
1630 }
1631 else if (X509_verify(xs,pkey) <= 0)
1632 {
1633 ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
1634 ctx->current_cert=xs;
1635 ok=(*cb)(0,ctx);
1636 if (!ok)
1637 {
1638 EVP_PKEY_free(pkey);
1639 goto end;
1640 }
1641 }
1642 EVP_PKEY_free(pkey);
1643 pkey=NULL;
1644 }
1645
1646 xs->valid = 1;
1647
1648 ok = check_cert_time(ctx, xs);
1649 if (!ok)
1650 goto end;
1651
1652 /* The last error (if any) is still in the error value */
1653 ctx->current_issuer=xi;
1654 ctx->current_cert=xs;
1655 ok=(*cb)(1,ctx);
1656 if (!ok) goto end;
1657
1658 n--;
1659 if (n >= 0)
1660 {
1661 xi=xs;
1662 xs=sk_X509_value(ctx->chain,n);
1663 }
1664 }
1665 ok=1;
1666end:
1667 return ok;
1668 }
1669
1670int X509_cmp_current_time(const ASN1_TIME *ctm)
1671{
1672 return X509_cmp_time(ctm, NULL);
1673}
1674
1675int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1676 {
1677 char *str;
1678 ASN1_TIME atm;
1679 long offset;
1680 char buff1[24],buff2[24],*p;
1681 int i,j;
1682
1683 p=buff1;
1684 i=ctm->length;
1685 str=(char *)ctm->data;
1686 if (ctm->type == V_ASN1_UTCTIME)
1687 {
1688 if ((i < 11) || (i > 17)) return 0;
1689 memcpy(p,str,10);
1690 p+=10;
1691 str+=10;
1692 }
1693 else
1694 {
1695 if (i < 13) return 0;
1696 memcpy(p,str,12);
1697 p+=12;
1698 str+=12;
1699 }
1700
1701 if ((*str == 'Z') || (*str == '-') || (*str == '+'))
1702 { *(p++)='0'; *(p++)='0'; }
1703 else
1704 {
1705 *(p++)= *(str++);
1706 *(p++)= *(str++);
1707 /* Skip any fractional seconds... */
1708 if (*str == '.')
1709 {
1710 str++;
1711 while ((*str >= '0') && (*str <= '9')) str++;
1712 }
1713
1714 }
1715 *(p++)='Z';
1716 *(p++)='\0';
1717
1718 if (*str == 'Z')
1719 offset=0;
1720 else
1721 {
1722 if ((*str != '+') && (*str != '-'))
1723 return 0;
1724 offset=((str[1]-'0')*10+(str[2]-'0'))*60;
1725 offset+=(str[3]-'0')*10+(str[4]-'0');
1726 if (*str == '-')
1727 offset= -offset;
1728 }
1729 atm.type=ctm->type;
1730 atm.flags = 0;
1731 atm.length=sizeof(buff2);
1732 atm.data=(unsigned char *)buff2;
1733
1734 if (X509_time_adj(&atm,-offset*60, cmp_time) == NULL)
1735 return 0;
1736
1737 if (ctm->type == V_ASN1_UTCTIME)
1738 {
1739 i=(buff1[0]-'0')*10+(buff1[1]-'0');
1740 if (i < 50) i+=100; /* cf. RFC 2459 */
1741 j=(buff2[0]-'0')*10+(buff2[1]-'0');
1742 if (j < 50) j+=100;
1743
1744 if (i < j) return -1;
1745 if (i > j) return 1;
1746 }
1747 i=strcmp(buff1,buff2);
1748 if (i == 0) /* wait a second then return younger :-) */
1749 return -1;
1750 else
1751 return i;
1752 }
1753
1754ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
1755{
1756 return X509_time_adj(s, adj, NULL);
1757}
1758
1759ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
1760 {
1761 return X509_time_adj_ex(s, 0, offset_sec, in_tm);
1762 }
1763
1764ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
1765 int offset_day, long offset_sec, time_t *in_tm)
1766 {
1767 time_t t;
1768
1769 if (in_tm) t = *in_tm;
1770 else time(&t);
1771
1772 if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING))
1773 {
1774 if (s->type == V_ASN1_UTCTIME)
1775 return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec);
1776 if (s->type == V_ASN1_GENERALIZEDTIME)
1777 return ASN1_GENERALIZEDTIME_adj(s, t, offset_day,
1778 offset_sec);
1779 }
1780 return ASN1_TIME_adj(s, t, offset_day, offset_sec);
1781 }
1782
1783int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
1784 {
1785 EVP_PKEY *ktmp=NULL,*ktmp2;
1786 int i,j;
1787
1788 if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1;
1789
1790 for (i=0; i<sk_X509_num(chain); i++)
1791 {
1792 ktmp=X509_get_pubkey(sk_X509_value(chain,i));
1793 if (ktmp == NULL)
1794 {
1795 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
1796 return 0;
1797 }
1798 if (!EVP_PKEY_missing_parameters(ktmp))
1799 break;
1800 else
1801 {
1802 EVP_PKEY_free(ktmp);
1803 ktmp=NULL;
1804 }
1805 }
1806 if (ktmp == NULL)
1807 {
1808 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
1809 return 0;
1810 }
1811
1812 /* first, populate the other certs */
1813 for (j=i-1; j >= 0; j--)
1814 {
1815 ktmp2=X509_get_pubkey(sk_X509_value(chain,j));
1816 EVP_PKEY_copy_parameters(ktmp2,ktmp);
1817 EVP_PKEY_free(ktmp2);
1818 }
1819
1820 if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp);
1821 EVP_PKEY_free(ktmp);
1822 return 1;
1823 }
1824
1825int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1826 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
1827 {
1828 /* This function is (usually) called only once, by
1829 * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */
1830 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp,
1831 new_func, dup_func, free_func);
1832 }
1833
1834int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
1835 {
1836 return CRYPTO_set_ex_data(&ctx->ex_data,idx,data);
1837 }
1838
1839void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
1840 {
1841 return CRYPTO_get_ex_data(&ctx->ex_data,idx);
1842 }
1843
1844int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
1845 {
1846 return ctx->error;
1847 }
1848
1849void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
1850 {
1851 ctx->error=err;
1852 }
1853
1854int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
1855 {
1856 return ctx->error_depth;
1857 }
1858
1859X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
1860 {
1861 return ctx->current_cert;
1862 }
1863
1864STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
1865 {
1866 return ctx->chain;
1867 }
1868
1869STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
1870 {
1871 int i;
1872 X509 *x;
1873 STACK_OF(X509) *chain;
1874 if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL;
1875 for (i = 0; i < sk_X509_num(chain); i++)
1876 {
1877 x = sk_X509_value(chain, i);
1878 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
1879 }
1880 return chain;
1881 }
1882
1883X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
1884 {
1885 return ctx->current_issuer;
1886 }
1887
1888X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
1889 {
1890 return ctx->current_crl;
1891 }
1892
1893X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
1894 {
1895 return ctx->parent;
1896 }
1897
1898void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
1899 {
1900 ctx->cert=x;
1901 }
1902
1903void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
1904 {
1905 ctx->untrusted=sk;
1906 }
1907
1908void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
1909 {
1910 ctx->crls=sk;
1911 }
1912
1913int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
1914 {
1915 return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
1916 }
1917
1918int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
1919 {
1920 return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
1921 }
1922
1923/* This function is used to set the X509_STORE_CTX purpose and trust
1924 * values. This is intended to be used when another structure has its
1925 * own trust and purpose values which (if set) will be inherited by
1926 * the ctx. If they aren't set then we will usually have a default
1927 * purpose in mind which should then be used to set the trust value.
1928 * An example of this is SSL use: an SSL structure will have its own
1929 * purpose and trust settings which the application can set: if they
1930 * aren't set then we use the default of SSL client/server.
1931 */
1932
1933int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
1934 int purpose, int trust)
1935{
1936 int idx;
1937 /* If purpose not set use default */
1938 if (!purpose) purpose = def_purpose;
1939 /* If we have a purpose then check it is valid */
1940 if (purpose)
1941 {
1942 X509_PURPOSE *ptmp;
1943 idx = X509_PURPOSE_get_by_id(purpose);
1944 if (idx == -1)
1945 {
1946 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1947 X509_R_UNKNOWN_PURPOSE_ID);
1948 return 0;
1949 }
1950 ptmp = X509_PURPOSE_get0(idx);
1951 if (ptmp->trust == X509_TRUST_DEFAULT)
1952 {
1953 idx = X509_PURPOSE_get_by_id(def_purpose);
1954 if (idx == -1)
1955 {
1956 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1957 X509_R_UNKNOWN_PURPOSE_ID);
1958 return 0;
1959 }
1960 ptmp = X509_PURPOSE_get0(idx);
1961 }
1962 /* If trust not set then get from purpose default */
1963 if (!trust) trust = ptmp->trust;
1964 }
1965 if (trust)
1966 {
1967 idx = X509_TRUST_get_by_id(trust);
1968 if (idx == -1)
1969 {
1970 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1971 X509_R_UNKNOWN_TRUST_ID);
1972 return 0;
1973 }
1974 }
1975
1976 if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose;
1977 if (trust && !ctx->param->trust) ctx->param->trust = trust;
1978 return 1;
1979}
1980
1981X509_STORE_CTX *X509_STORE_CTX_new(void)
1982{
1983 X509_STORE_CTX *ctx;
1984 ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX));
1985 if (!ctx)
1986 {
1987 X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE);
1988 return NULL;
1989 }
1990 memset(ctx, 0, sizeof(X509_STORE_CTX));
1991 return ctx;
1992}
1993
1994void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
1995{
1996 X509_STORE_CTX_cleanup(ctx);
1997 OPENSSL_free(ctx);
1998}
1999
2000int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
2001 STACK_OF(X509) *chain)
2002 {
2003 int ret = 1;
2004 ctx->ctx=store;
2005 ctx->current_method=0;
2006 ctx->cert=x509;
2007 ctx->untrusted=chain;
2008 ctx->crls = NULL;
2009 ctx->last_untrusted=0;
2010 ctx->other_ctx=NULL;
2011 ctx->valid=0;
2012 ctx->chain=NULL;
2013 ctx->error=0;
2014 ctx->explicit_policy=0;
2015 ctx->error_depth=0;
2016 ctx->current_cert=NULL;
2017 ctx->current_issuer=NULL;
2018 ctx->tree = NULL;
2019 ctx->parent = NULL;
2020
2021 ctx->param = X509_VERIFY_PARAM_new();
2022
2023 if (!ctx->param)
2024 {
2025 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2026 return 0;
2027 }
2028
2029 /* Inherit callbacks and flags from X509_STORE if not set
2030 * use defaults.
2031 */
2032
2033
2034 if (store)
2035 ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
2036 else
2037 ctx->param->flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
2038
2039 if (store)
2040 {
2041 ctx->verify_cb = store->verify_cb;
2042 ctx->cleanup = store->cleanup;
2043 }
2044 else
2045 ctx->cleanup = 0;
2046
2047 if (ret)
2048 ret = X509_VERIFY_PARAM_inherit(ctx->param,
2049 X509_VERIFY_PARAM_lookup("default"));
2050
2051 if (ret == 0)
2052 {
2053 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2054 return 0;
2055 }
2056
2057 if (store && store->check_issued)
2058 ctx->check_issued = store->check_issued;
2059 else
2060 ctx->check_issued = check_issued;
2061
2062 if (store && store->get_issuer)
2063 ctx->get_issuer = store->get_issuer;
2064 else
2065 ctx->get_issuer = X509_STORE_CTX_get1_issuer;
2066
2067 if (store && store->verify_cb)
2068 ctx->verify_cb = store->verify_cb;
2069 else
2070 ctx->verify_cb = null_callback;
2071
2072 if (store && store->verify)
2073 ctx->verify = store->verify;
2074 else
2075 ctx->verify = internal_verify;
2076
2077 if (store && store->check_revocation)
2078 ctx->check_revocation = store->check_revocation;
2079 else
2080 ctx->check_revocation = check_revocation;
2081
2082 if (store && store->get_crl)
2083 ctx->get_crl = store->get_crl;
2084 else
2085 ctx->get_crl = NULL;
2086
2087 if (store && store->check_crl)
2088 ctx->check_crl = store->check_crl;
2089 else
2090 ctx->check_crl = check_crl;
2091
2092 if (store && store->cert_crl)
2093 ctx->cert_crl = store->cert_crl;
2094 else
2095 ctx->cert_crl = cert_crl;
2096
2097 if (store && store->lookup_certs)
2098 ctx->lookup_certs = store->lookup_certs;
2099 else
2100 ctx->lookup_certs = X509_STORE_get1_certs;
2101
2102 if (store && store->lookup_crls)
2103 ctx->lookup_crls = store->lookup_crls;
2104 else
2105 ctx->lookup_crls = X509_STORE_get1_crls;
2106
2107 ctx->check_policy = check_policy;
2108
2109
2110 /* This memset() can't make any sense anyway, so it's removed. As
2111 * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a
2112 * corresponding "new" here and remove this bogus initialisation. */
2113 /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */
2114 if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
2115 &(ctx->ex_data)))
2116 {
2117 OPENSSL_free(ctx);
2118 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2119 return 0;
2120 }
2121 return 1;
2122 }
2123
2124/* Set alternative lookup method: just a STACK of trusted certificates.
2125 * This avoids X509_STORE nastiness where it isn't needed.
2126 */
2127
2128void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
2129{
2130 ctx->other_ctx = sk;
2131 ctx->get_issuer = get_issuer_sk;
2132}
2133
2134void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
2135 {
2136 if (ctx->cleanup) ctx->cleanup(ctx);
2137 if (ctx->param != NULL)
2138 {
2139 if (ctx->parent == NULL)
2140 X509_VERIFY_PARAM_free(ctx->param);
2141 ctx->param=NULL;
2142 }
2143 if (ctx->tree != NULL)
2144 {
2145 X509_policy_tree_free(ctx->tree);
2146 ctx->tree=NULL;
2147 }
2148 if (ctx->chain != NULL)
2149 {
2150 sk_X509_pop_free(ctx->chain,X509_free);
2151 ctx->chain=NULL;
2152 }
2153 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data));
2154 memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
2155 }
2156
2157void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
2158 {
2159 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
2160 }
2161
2162void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
2163 {
2164 X509_VERIFY_PARAM_set_flags(ctx->param, flags);
2165 }
2166
2167void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t)
2168 {
2169 X509_VERIFY_PARAM_set_time(ctx->param, t);
2170 }
2171
2172void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
2173 int (*verify_cb)(int, X509_STORE_CTX *))
2174 {
2175 ctx->verify_cb=verify_cb;
2176 }
2177
2178X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
2179 {
2180 return ctx->tree;
2181 }
2182
2183int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
2184 {
2185 return ctx->explicit_policy;
2186 }
2187
2188int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
2189 {
2190 const X509_VERIFY_PARAM *param;
2191 param = X509_VERIFY_PARAM_lookup(name);
2192 if (!param)
2193 return 0;
2194 return X509_VERIFY_PARAM_inherit(ctx->param, param);
2195 }
2196
2197X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
2198 {
2199 return ctx->param;
2200 }
2201
2202void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
2203 {
2204 if (ctx->param)
2205 X509_VERIFY_PARAM_free(ctx->param);
2206 ctx->param = param;
2207 }
2208
2209IMPLEMENT_STACK_OF(X509)
2210IMPLEMENT_ASN1_SET_OF(X509)
2211
2212IMPLEMENT_STACK_OF(X509_NAME)
2213
2214IMPLEMENT_STACK_OF(X509_ATTRIBUTE)
2215IMPLEMENT_ASN1_SET_OF(X509_ATTRIBUTE)
diff --git a/src/lib/libcrypto/x509/x509_vfy.h b/src/lib/libcrypto/x509/x509_vfy.h
deleted file mode 100644
index fe09b30aaa..0000000000
--- a/src/lib/libcrypto/x509/x509_vfy.h
+++ /dev/null
@@ -1,567 +0,0 @@
1/* crypto/x509/x509_vfy.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#ifndef HEADER_X509_H
60#include <openssl/x509.h>
61/* openssl/x509.h ends up #include-ing this file at about the only
62 * appropriate moment. */
63#endif
64
65#ifndef HEADER_X509_VFY_H
66#define HEADER_X509_VFY_H
67
68#include <openssl/opensslconf.h>
69#ifndef OPENSSL_NO_LHASH
70#include <openssl/lhash.h>
71#endif
72#include <openssl/bio.h>
73#include <openssl/crypto.h>
74#include <openssl/symhacks.h>
75
76#ifdef __cplusplus
77extern "C" {
78#endif
79
80#if 0
81/* Outer object */
82typedef struct x509_hash_dir_st
83 {
84 int num_dirs;
85 char **dirs;
86 int *dirs_type;
87 int num_dirs_alloced;
88 } X509_HASH_DIR_CTX;
89#endif
90
91typedef struct x509_file_st
92 {
93 int num_paths; /* number of paths to files or directories */
94 int num_alloced;
95 char **paths; /* the list of paths or directories */
96 int *path_type;
97 } X509_CERT_FILE_CTX;
98
99/*******************************/
100/*
101SSL_CTX -> X509_STORE
102 -> X509_LOOKUP
103 ->X509_LOOKUP_METHOD
104 -> X509_LOOKUP
105 ->X509_LOOKUP_METHOD
106
107SSL -> X509_STORE_CTX
108 ->X509_STORE
109
110The X509_STORE holds the tables etc for verification stuff.
111A X509_STORE_CTX is used while validating a single certificate.
112The X509_STORE has X509_LOOKUPs for looking up certs.
113The X509_STORE then calls a function to actually verify the
114certificate chain.
115*/
116
117#define X509_LU_RETRY -1
118#define X509_LU_FAIL 0
119#define X509_LU_X509 1
120#define X509_LU_CRL 2
121#define X509_LU_PKEY 3
122
123typedef struct x509_object_st
124 {
125 /* one of the above types */
126 int type;
127 union {
128 char *ptr;
129 X509 *x509;
130 X509_CRL *crl;
131 EVP_PKEY *pkey;
132 } data;
133 } X509_OBJECT;
134
135typedef struct x509_lookup_st X509_LOOKUP;
136
137DECLARE_STACK_OF(X509_LOOKUP)
138DECLARE_STACK_OF(X509_OBJECT)
139
140/* This is a static that defines the function interface */
141typedef struct x509_lookup_method_st
142 {
143 const char *name;
144 int (*new_item)(X509_LOOKUP *ctx);
145 void (*free)(X509_LOOKUP *ctx);
146 int (*init)(X509_LOOKUP *ctx);
147 int (*shutdown)(X509_LOOKUP *ctx);
148 int (*ctrl)(X509_LOOKUP *ctx,int cmd,const char *argc,long argl,
149 char **ret);
150 int (*get_by_subject)(X509_LOOKUP *ctx,int type,X509_NAME *name,
151 X509_OBJECT *ret);
152 int (*get_by_issuer_serial)(X509_LOOKUP *ctx,int type,X509_NAME *name,
153 ASN1_INTEGER *serial,X509_OBJECT *ret);
154 int (*get_by_fingerprint)(X509_LOOKUP *ctx,int type,
155 unsigned char *bytes,int len,
156 X509_OBJECT *ret);
157 int (*get_by_alias)(X509_LOOKUP *ctx,int type,char *str,int len,
158 X509_OBJECT *ret);
159 } X509_LOOKUP_METHOD;
160
161/* This structure hold all parameters associated with a verify operation
162 * by including an X509_VERIFY_PARAM structure in related structures the
163 * parameters used can be customized
164 */
165
166typedef struct X509_VERIFY_PARAM_st
167 {
168 char *name;
169 time_t check_time; /* Time to use */
170 unsigned long inh_flags; /* Inheritance flags */
171 unsigned long flags; /* Various verify flags */
172 int purpose; /* purpose to check untrusted certificates */
173 int trust; /* trust setting to check */
174 int depth; /* Verify depth */
175 STACK_OF(ASN1_OBJECT) *policies; /* Permissible policies */
176 } X509_VERIFY_PARAM;
177
178DECLARE_STACK_OF(X509_VERIFY_PARAM)
179
180/* This is used to hold everything. It is used for all certificate
181 * validation. Once we have a certificate chain, the 'verify'
182 * function is then called to actually check the cert chain. */
183struct x509_store_st
184 {
185 /* The following is a cache of trusted certs */
186 int cache; /* if true, stash any hits */
187 STACK_OF(X509_OBJECT) *objs; /* Cache of all objects */
188
189 /* These are external lookup methods */
190 STACK_OF(X509_LOOKUP) *get_cert_methods;
191
192 X509_VERIFY_PARAM *param;
193
194 /* Callbacks for various operations */
195 int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */
196 int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */
197 int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */
198 int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
199 int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
200 int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
201 int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
202 int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
203 STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm);
204 STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm);
205 int (*cleanup)(X509_STORE_CTX *ctx);
206
207 CRYPTO_EX_DATA ex_data;
208 int references;
209 } /* X509_STORE */;
210
211int X509_STORE_set_depth(X509_STORE *store, int depth);
212
213#define X509_STORE_set_verify_cb_func(ctx,func) ((ctx)->verify_cb=(func))
214#define X509_STORE_set_verify_func(ctx,func) ((ctx)->verify=(func))
215
216/* This is the functions plus an instance of the local variables. */
217struct x509_lookup_st
218 {
219 int init; /* have we been started */
220 int skip; /* don't use us. */
221 X509_LOOKUP_METHOD *method; /* the functions */
222 char *method_data; /* method data */
223
224 X509_STORE *store_ctx; /* who owns us */
225 } /* X509_LOOKUP */;
226
227/* This is a used when verifying cert chains. Since the
228 * gathering of the cert chain can take some time (and have to be
229 * 'retried', this needs to be kept and passed around. */
230struct x509_store_ctx_st /* X509_STORE_CTX */
231 {
232 X509_STORE *ctx;
233 int current_method; /* used when looking up certs */
234
235 /* The following are set by the caller */
236 X509 *cert; /* The cert to check */
237 STACK_OF(X509) *untrusted; /* chain of X509s - untrusted - passed in */
238 STACK_OF(X509_CRL) *crls; /* set of CRLs passed in */
239
240 X509_VERIFY_PARAM *param;
241 void *other_ctx; /* Other info for use with get_issuer() */
242
243 /* Callbacks for various operations */
244 int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */
245 int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */
246 int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */
247 int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
248 int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
249 int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
250 int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
251 int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
252 int (*check_policy)(X509_STORE_CTX *ctx);
253 STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm);
254 STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm);
255 int (*cleanup)(X509_STORE_CTX *ctx);
256
257 /* The following is built up */
258 int valid; /* if 0, rebuild chain */
259 int last_untrusted; /* index of last untrusted cert */
260 STACK_OF(X509) *chain; /* chain of X509s - built up and trusted */
261 X509_POLICY_TREE *tree; /* Valid policy tree */
262
263 int explicit_policy; /* Require explicit policy value */
264
265 /* When something goes wrong, this is why */
266 int error_depth;
267 int error;
268 X509 *current_cert;
269 X509 *current_issuer; /* cert currently being tested as valid issuer */
270 X509_CRL *current_crl; /* current CRL */
271
272 int current_crl_score; /* score of current CRL */
273 unsigned int current_reasons; /* Reason mask */
274
275 X509_STORE_CTX *parent; /* For CRL path validation: parent context */
276
277 CRYPTO_EX_DATA ex_data;
278 } /* X509_STORE_CTX */;
279
280void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
281
282#define X509_STORE_CTX_set_app_data(ctx,data) \
283 X509_STORE_CTX_set_ex_data(ctx,0,data)
284#define X509_STORE_CTX_get_app_data(ctx) \
285 X509_STORE_CTX_get_ex_data(ctx,0)
286
287#define X509_L_FILE_LOAD 1
288#define X509_L_ADD_DIR 2
289
290#define X509_LOOKUP_load_file(x,name,type) \
291 X509_LOOKUP_ctrl((x),X509_L_FILE_LOAD,(name),(long)(type),NULL)
292
293#define X509_LOOKUP_add_dir(x,name,type) \
294 X509_LOOKUP_ctrl((x),X509_L_ADD_DIR,(name),(long)(type),NULL)
295
296#define X509_V_OK 0
297/* illegal error (for uninitialized values, to avoid X509_V_OK): 1 */
298
299#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2
300#define X509_V_ERR_UNABLE_TO_GET_CRL 3
301#define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4
302#define X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE 5
303#define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6
304#define X509_V_ERR_CERT_SIGNATURE_FAILURE 7
305#define X509_V_ERR_CRL_SIGNATURE_FAILURE 8
306#define X509_V_ERR_CERT_NOT_YET_VALID 9
307#define X509_V_ERR_CERT_HAS_EXPIRED 10
308#define X509_V_ERR_CRL_NOT_YET_VALID 11
309#define X509_V_ERR_CRL_HAS_EXPIRED 12
310#define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD 13
311#define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD 14
312#define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD 15
313#define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD 16
314#define X509_V_ERR_OUT_OF_MEM 17
315#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18
316#define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19
317#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20
318#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE 21
319#define X509_V_ERR_CERT_CHAIN_TOO_LONG 22
320#define X509_V_ERR_CERT_REVOKED 23
321#define X509_V_ERR_INVALID_CA 24
322#define X509_V_ERR_PATH_LENGTH_EXCEEDED 25
323#define X509_V_ERR_INVALID_PURPOSE 26
324#define X509_V_ERR_CERT_UNTRUSTED 27
325#define X509_V_ERR_CERT_REJECTED 28
326/* These are 'informational' when looking for issuer cert */
327#define X509_V_ERR_SUBJECT_ISSUER_MISMATCH 29
328#define X509_V_ERR_AKID_SKID_MISMATCH 30
329#define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31
330#define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32
331
332#define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33
333#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34
334#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35
335#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36
336#define X509_V_ERR_INVALID_NON_CA 37
337#define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38
338#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39
339#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40
340
341#define X509_V_ERR_INVALID_EXTENSION 41
342#define X509_V_ERR_INVALID_POLICY_EXTENSION 42
343#define X509_V_ERR_NO_EXPLICIT_POLICY 43
344#define X509_V_ERR_DIFFERENT_CRL_SCOPE 44
345#define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45
346
347#define X509_V_ERR_UNNESTED_RESOURCE 46
348
349#define X509_V_ERR_PERMITTED_VIOLATION 47
350#define X509_V_ERR_EXCLUDED_VIOLATION 48
351#define X509_V_ERR_SUBTREE_MINMAX 49
352#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE 51
353#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52
354#define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53
355#define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54
356
357/* The application is not happy */
358#define X509_V_ERR_APPLICATION_VERIFICATION 50
359
360/* Certificate verify flags */
361
362/* Send issuer+subject checks to verify_cb */
363#define X509_V_FLAG_CB_ISSUER_CHECK 0x1
364/* Use check time instead of current time */
365#define X509_V_FLAG_USE_CHECK_TIME 0x2
366/* Lookup CRLs */
367#define X509_V_FLAG_CRL_CHECK 0x4
368/* Lookup CRLs for whole chain */
369#define X509_V_FLAG_CRL_CHECK_ALL 0x8
370/* Ignore unhandled critical extensions */
371#define X509_V_FLAG_IGNORE_CRITICAL 0x10
372/* Disable workarounds for broken certificates */
373#define X509_V_FLAG_X509_STRICT 0x20
374/* Enable proxy certificate validation */
375#define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40
376/* Enable policy checking */
377#define X509_V_FLAG_POLICY_CHECK 0x80
378/* Policy variable require-explicit-policy */
379#define X509_V_FLAG_EXPLICIT_POLICY 0x100
380/* Policy variable inhibit-any-policy */
381#define X509_V_FLAG_INHIBIT_ANY 0x200
382/* Policy variable inhibit-policy-mapping */
383#define X509_V_FLAG_INHIBIT_MAP 0x400
384/* Notify callback that policy is OK */
385#define X509_V_FLAG_NOTIFY_POLICY 0x800
386/* Extended CRL features such as indirect CRLs, alternate CRL signing keys */
387#define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000
388/* Delta CRL support */
389#define X509_V_FLAG_USE_DELTAS 0x2000
390/* Check selfsigned CA signature */
391#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
392
393
394#define X509_VP_FLAG_DEFAULT 0x1
395#define X509_VP_FLAG_OVERWRITE 0x2
396#define X509_VP_FLAG_RESET_FLAGS 0x4
397#define X509_VP_FLAG_LOCKED 0x8
398#define X509_VP_FLAG_ONCE 0x10
399
400/* Internal use: mask of policy related options */
401#define X509_V_FLAG_POLICY_MASK (X509_V_FLAG_POLICY_CHECK \
402 | X509_V_FLAG_EXPLICIT_POLICY \
403 | X509_V_FLAG_INHIBIT_ANY \
404 | X509_V_FLAG_INHIBIT_MAP)
405
406int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
407 X509_NAME *name);
408X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h,int type,X509_NAME *name);
409X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x);
410void X509_OBJECT_up_ref_count(X509_OBJECT *a);
411void X509_OBJECT_free_contents(X509_OBJECT *a);
412X509_STORE *X509_STORE_new(void );
413void X509_STORE_free(X509_STORE *v);
414
415STACK_OF(X509)* X509_STORE_get1_certs(X509_STORE_CTX *st, X509_NAME *nm);
416STACK_OF(X509_CRL)* X509_STORE_get1_crls(X509_STORE_CTX *st, X509_NAME *nm);
417int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags);
418int X509_STORE_set_purpose(X509_STORE *ctx, int purpose);
419int X509_STORE_set_trust(X509_STORE *ctx, int trust);
420int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *pm);
421
422void X509_STORE_set_verify_cb(X509_STORE *ctx,
423 int (*verify_cb)(int, X509_STORE_CTX *));
424
425X509_STORE_CTX *X509_STORE_CTX_new(void);
426
427int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
428
429void X509_STORE_CTX_free(X509_STORE_CTX *ctx);
430int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
431 X509 *x509, STACK_OF(X509) *chain);
432void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
433void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
434
435X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m);
436
437X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void);
438X509_LOOKUP_METHOD *X509_LOOKUP_file(void);
439
440int X509_STORE_add_cert(X509_STORE *ctx, X509 *x);
441int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x);
442
443int X509_STORE_get_by_subject(X509_STORE_CTX *vs,int type,X509_NAME *name,
444 X509_OBJECT *ret);
445
446int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
447 long argl, char **ret);
448
449#ifndef OPENSSL_NO_STDIO
450int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type);
451int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type);
452int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type);
453#endif
454
455
456X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method);
457void X509_LOOKUP_free(X509_LOOKUP *ctx);
458int X509_LOOKUP_init(X509_LOOKUP *ctx);
459int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,
460 X509_OBJECT *ret);
461int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name,
462 ASN1_INTEGER *serial, X509_OBJECT *ret);
463int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type,
464 unsigned char *bytes, int len, X509_OBJECT *ret);
465int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str,
466 int len, X509_OBJECT *ret);
467int X509_LOOKUP_shutdown(X509_LOOKUP *ctx);
468
469#ifndef OPENSSL_NO_STDIO
470int X509_STORE_load_locations (X509_STORE *ctx,
471 const char *file, const char *dir);
472int X509_STORE_set_default_paths(X509_STORE *ctx);
473#endif
474
475int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
476 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
477int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx,int idx,void *data);
478void * X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx,int idx);
479int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
480void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx,int s);
481int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
482X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
483X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx);
484X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx);
485X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx);
486STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx);
487STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx);
488void X509_STORE_CTX_set_cert(X509_STORE_CTX *c,X509 *x);
489void X509_STORE_CTX_set_chain(X509_STORE_CTX *c,STACK_OF(X509) *sk);
490void X509_STORE_CTX_set0_crls(X509_STORE_CTX *c,STACK_OF(X509_CRL) *sk);
491int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
492int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust);
493int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
494 int purpose, int trust);
495void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags);
496void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,
497 time_t t);
498void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
499 int (*verify_cb)(int, X509_STORE_CTX *));
500
501X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx);
502int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx);
503
504X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx);
505void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param);
506int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name);
507
508/* X509_VERIFY_PARAM functions */
509
510X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void);
511void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param);
512int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *to,
513 const X509_VERIFY_PARAM *from);
514int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
515 const X509_VERIFY_PARAM *from);
516int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name);
517int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags);
518int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,
519 unsigned long flags);
520unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param);
521int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose);
522int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust);
523void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth);
524void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t);
525int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
526 ASN1_OBJECT *policy);
527int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
528 STACK_OF(ASN1_OBJECT) *policies);
529int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param);
530
531int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param);
532const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name);
533void X509_VERIFY_PARAM_table_cleanup(void);
534
535int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
536 STACK_OF(X509) *certs,
537 STACK_OF(ASN1_OBJECT) *policy_oids,
538 unsigned int flags);
539
540void X509_policy_tree_free(X509_POLICY_TREE *tree);
541
542int X509_policy_tree_level_count(const X509_POLICY_TREE *tree);
543X509_POLICY_LEVEL *
544 X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i);
545
546STACK_OF(X509_POLICY_NODE) *
547 X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree);
548
549STACK_OF(X509_POLICY_NODE) *
550 X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree);
551
552int X509_policy_level_node_count(X509_POLICY_LEVEL *level);
553
554X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i);
555
556const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node);
557
558STACK_OF(POLICYQUALINFO) *
559 X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node);
560const X509_POLICY_NODE *
561 X509_policy_node_get0_parent(const X509_POLICY_NODE *node);
562
563#ifdef __cplusplus
564}
565#endif
566#endif
567
diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c
deleted file mode 100644
index dfd89d89fa..0000000000
--- a/src/lib/libcrypto/x509/x509_vpm.c
+++ /dev/null
@@ -1,438 +0,0 @@
1/* x509_vpm.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60
61#include "cryptlib.h"
62#include <openssl/crypto.h>
63#include <openssl/lhash.h>
64#include <openssl/buffer.h>
65#include <openssl/x509.h>
66#include <openssl/x509v3.h>
67
68/* X509_VERIFY_PARAM functions */
69
70static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
71 {
72 if (!param)
73 return;
74 param->name = NULL;
75 param->purpose = 0;
76 param->trust = 0;
77 /*param->inh_flags = X509_VP_FLAG_DEFAULT;*/
78 param->inh_flags = 0;
79 param->flags = 0;
80 param->depth = -1;
81 if (param->policies)
82 {
83 sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
84 param->policies = NULL;
85 }
86 }
87
88X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
89 {
90 X509_VERIFY_PARAM *param;
91 param = OPENSSL_malloc(sizeof(X509_VERIFY_PARAM));
92 memset(param, 0, sizeof(X509_VERIFY_PARAM));
93 x509_verify_param_zero(param);
94 return param;
95 }
96
97void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
98 {
99 x509_verify_param_zero(param);
100 OPENSSL_free(param);
101 }
102
103/* This function determines how parameters are "inherited" from one structure
104 * to another. There are several different ways this can happen.
105 *
106 * 1. If a child structure needs to have its values initialized from a parent
107 * they are simply copied across. For example SSL_CTX copied to SSL.
108 * 2. If the structure should take on values only if they are currently unset.
109 * For example the values in an SSL structure will take appropriate value
110 * for SSL servers or clients but only if the application has not set new
111 * ones.
112 *
113 * The "inh_flags" field determines how this function behaves.
114 *
115 * Normally any values which are set in the default are not copied from the
116 * destination and verify flags are ORed together.
117 *
118 * If X509_VP_FLAG_DEFAULT is set then anything set in the source is copied
119 * to the destination. Effectively the values in "to" become default values
120 * which will be used only if nothing new is set in "from".
121 *
122 * If X509_VP_FLAG_OVERWRITE is set then all value are copied across whether
123 * they are set or not. Flags is still Ored though.
124 *
125 * If X509_VP_FLAG_RESET_FLAGS is set then the flags value is copied instead
126 * of ORed.
127 *
128 * If X509_VP_FLAG_LOCKED is set then no values are copied.
129 *
130 * If X509_VP_FLAG_ONCE is set then the current inh_flags setting is zeroed
131 * after the next call.
132 */
133
134/* Macro to test if a field should be copied from src to dest */
135
136#define test_x509_verify_param_copy(field, def) \
137 (to_overwrite || \
138 ((src->field != def) && (to_default || (dest->field == def))))
139
140/* Macro to test and copy a field if necessary */
141
142#define x509_verify_param_copy(field, def) \
143 if (test_x509_verify_param_copy(field, def)) \
144 dest->field = src->field
145
146
147int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
148 const X509_VERIFY_PARAM *src)
149 {
150 unsigned long inh_flags;
151 int to_default, to_overwrite;
152 if (!src)
153 return 1;
154 inh_flags = dest->inh_flags | src->inh_flags;
155
156 if (inh_flags & X509_VP_FLAG_ONCE)
157 dest->inh_flags = 0;
158
159 if (inh_flags & X509_VP_FLAG_LOCKED)
160 return 1;
161
162 if (inh_flags & X509_VP_FLAG_DEFAULT)
163 to_default = 1;
164 else
165 to_default = 0;
166
167 if (inh_flags & X509_VP_FLAG_OVERWRITE)
168 to_overwrite = 1;
169 else
170 to_overwrite = 0;
171
172 x509_verify_param_copy(purpose, 0);
173 x509_verify_param_copy(trust, 0);
174 x509_verify_param_copy(depth, -1);
175
176 /* If overwrite or check time not set, copy across */
177
178 if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME))
179 {
180 dest->check_time = src->check_time;
181 dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME;
182 /* Don't need to copy flag: that is done below */
183 }
184
185 if (inh_flags & X509_VP_FLAG_RESET_FLAGS)
186 dest->flags = 0;
187
188 dest->flags |= src->flags;
189
190 if (test_x509_verify_param_copy(policies, NULL))
191 {
192 if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies))
193 return 0;
194 }
195
196 return 1;
197 }
198
199int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
200 const X509_VERIFY_PARAM *from)
201 {
202 unsigned long save_flags = to->inh_flags;
203 int ret;
204 to->inh_flags |= X509_VP_FLAG_DEFAULT;
205 ret = X509_VERIFY_PARAM_inherit(to, from);
206 to->inh_flags = save_flags;
207 return ret;
208 }
209
210int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
211 {
212 if (param->name)
213 OPENSSL_free(param->name);
214 param->name = BUF_strdup(name);
215 if (param->name)
216 return 1;
217 return 0;
218 }
219
220int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
221 {
222 param->flags |= flags;
223 if (flags & X509_V_FLAG_POLICY_MASK)
224 param->flags |= X509_V_FLAG_POLICY_CHECK;
225 return 1;
226 }
227
228int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags)
229 {
230 param->flags &= ~flags;
231 return 1;
232 }
233
234unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
235 {
236 return param->flags;
237 }
238
239int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
240 {
241 return X509_PURPOSE_set(&param->purpose, purpose);
242 }
243
244int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust)
245 {
246 return X509_TRUST_set(&param->trust, trust);
247 }
248
249void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth)
250 {
251 param->depth = depth;
252 }
253
254void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
255 {
256 param->check_time = t;
257 param->flags |= X509_V_FLAG_USE_CHECK_TIME;
258 }
259
260int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy)
261 {
262 if (!param->policies)
263 {
264 param->policies = sk_ASN1_OBJECT_new_null();
265 if (!param->policies)
266 return 0;
267 }
268 if (!sk_ASN1_OBJECT_push(param->policies, policy))
269 return 0;
270 return 1;
271 }
272
273int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
274 STACK_OF(ASN1_OBJECT) *policies)
275 {
276 int i;
277 ASN1_OBJECT *oid, *doid;
278 if (!param)
279 return 0;
280 if (param->policies)
281 sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
282
283 if (!policies)
284 {
285 param->policies = NULL;
286 return 1;
287 }
288
289 param->policies = sk_ASN1_OBJECT_new_null();
290 if (!param->policies)
291 return 0;
292
293 for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++)
294 {
295 oid = sk_ASN1_OBJECT_value(policies, i);
296 doid = OBJ_dup(oid);
297 if (!doid)
298 return 0;
299 if (!sk_ASN1_OBJECT_push(param->policies, doid))
300 {
301 ASN1_OBJECT_free(doid);
302 return 0;
303 }
304 }
305 param->flags |= X509_V_FLAG_POLICY_CHECK;
306 return 1;
307 }
308
309int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
310 {
311 return param->depth;
312 }
313
314/* Default verify parameters: these are used for various
315 * applications and can be overridden by the user specified table.
316 * NB: the 'name' field *must* be in alphabetical order because it
317 * will be searched using OBJ_search.
318 */
319
320static const X509_VERIFY_PARAM default_table[] = {
321 {
322 "default", /* X509 default parameters */
323 0, /* Check time */
324 0, /* internal flags */
325 0, /* flags */
326 0, /* purpose */
327 0, /* trust */
328 100, /* depth */
329 NULL /* policies */
330 },
331 {
332 "pkcs7", /* S/MIME sign parameters */
333 0, /* Check time */
334 0, /* internal flags */
335 0, /* flags */
336 X509_PURPOSE_SMIME_SIGN, /* purpose */
337 X509_TRUST_EMAIL, /* trust */
338 -1, /* depth */
339 NULL /* policies */
340 },
341 {
342 "smime_sign", /* S/MIME sign parameters */
343 0, /* Check time */
344 0, /* internal flags */
345 0, /* flags */
346 X509_PURPOSE_SMIME_SIGN, /* purpose */
347 X509_TRUST_EMAIL, /* trust */
348 -1, /* depth */
349 NULL /* policies */
350 },
351 {
352 "ssl_client", /* SSL/TLS client parameters */
353 0, /* Check time */
354 0, /* internal flags */
355 0, /* flags */
356 X509_PURPOSE_SSL_CLIENT, /* purpose */
357 X509_TRUST_SSL_CLIENT, /* trust */
358 -1, /* depth */
359 NULL /* policies */
360 },
361 {
362 "ssl_server", /* SSL/TLS server parameters */
363 0, /* Check time */
364 0, /* internal flags */
365 0, /* flags */
366 X509_PURPOSE_SSL_SERVER, /* purpose */
367 X509_TRUST_SSL_SERVER, /* trust */
368 -1, /* depth */
369 NULL /* policies */
370 }};
371
372static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
373
374static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b)
375
376 {
377 return strcmp(a->name, b->name);
378 }
379
380DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM,
381 table);
382IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM,
383 table);
384
385static int param_cmp(const X509_VERIFY_PARAM * const *a,
386 const X509_VERIFY_PARAM * const *b)
387 {
388 return strcmp((*a)->name, (*b)->name);
389 }
390
391int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
392 {
393 int idx;
394 X509_VERIFY_PARAM *ptmp;
395 if (!param_table)
396 {
397 param_table = sk_X509_VERIFY_PARAM_new(param_cmp);
398 if (!param_table)
399 return 0;
400 }
401 else
402 {
403 idx = sk_X509_VERIFY_PARAM_find(param_table, param);
404 if (idx != -1)
405 {
406 ptmp = sk_X509_VERIFY_PARAM_value(param_table, idx);
407 X509_VERIFY_PARAM_free(ptmp);
408 (void)sk_X509_VERIFY_PARAM_delete(param_table, idx);
409 }
410 }
411 if (!sk_X509_VERIFY_PARAM_push(param_table, param))
412 return 0;
413 return 1;
414 }
415
416const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name)
417 {
418 int idx;
419 X509_VERIFY_PARAM pm;
420
421 pm.name = (char *)name;
422 if (param_table)
423 {
424 idx = sk_X509_VERIFY_PARAM_find(param_table, &pm);
425 if (idx != -1)
426 return sk_X509_VERIFY_PARAM_value(param_table, idx);
427 }
428 return OBJ_bsearch_table(&pm, default_table,
429 sizeof(default_table)/sizeof(X509_VERIFY_PARAM));
430 }
431
432void X509_VERIFY_PARAM_table_cleanup(void)
433 {
434 if (param_table)
435 sk_X509_VERIFY_PARAM_pop_free(param_table,
436 X509_VERIFY_PARAM_free);
437 param_table = NULL;
438 }
diff --git a/src/lib/libcrypto/x509/x509cset.c b/src/lib/libcrypto/x509/x509cset.c
deleted file mode 100644
index 3109defb0b..0000000000
--- a/src/lib/libcrypto/x509/x509cset.c
+++ /dev/null
@@ -1,170 +0,0 @@
1/* crypto/x509/x509cset.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2001.
4 */
5/* ====================================================================
6 * Copyright (c) 2001 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/asn1.h>
62#include <openssl/objects.h>
63#include <openssl/evp.h>
64#include <openssl/x509.h>
65
66int X509_CRL_set_version(X509_CRL *x, long version)
67 {
68 if (x == NULL) return(0);
69 if (x->crl->version == NULL)
70 {
71 if ((x->crl->version=M_ASN1_INTEGER_new()) == NULL)
72 return(0);
73 }
74 return(ASN1_INTEGER_set(x->crl->version,version));
75 }
76
77int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name)
78 {
79 if ((x == NULL) || (x->crl == NULL)) return(0);
80 return(X509_NAME_set(&x->crl->issuer,name));
81 }
82
83
84int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm)
85 {
86 ASN1_TIME *in;
87
88 if (x == NULL) return(0);
89 in=x->crl->lastUpdate;
90 if (in != tm)
91 {
92 in=M_ASN1_TIME_dup(tm);
93 if (in != NULL)
94 {
95 M_ASN1_TIME_free(x->crl->lastUpdate);
96 x->crl->lastUpdate=in;
97 }
98 }
99 return(in != NULL);
100 }
101
102int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm)
103 {
104 ASN1_TIME *in;
105
106 if (x == NULL) return(0);
107 in=x->crl->nextUpdate;
108 if (in != tm)
109 {
110 in=M_ASN1_TIME_dup(tm);
111 if (in != NULL)
112 {
113 M_ASN1_TIME_free(x->crl->nextUpdate);
114 x->crl->nextUpdate=in;
115 }
116 }
117 return(in != NULL);
118 }
119
120int X509_CRL_sort(X509_CRL *c)
121 {
122 int i;
123 X509_REVOKED *r;
124 /* sort the data so it will be written in serial
125 * number order */
126 sk_X509_REVOKED_sort(c->crl->revoked);
127 for (i=0; i<sk_X509_REVOKED_num(c->crl->revoked); i++)
128 {
129 r=sk_X509_REVOKED_value(c->crl->revoked,i);
130 r->sequence=i;
131 }
132 c->crl->enc.modified = 1;
133 return 1;
134 }
135
136int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm)
137 {
138 ASN1_TIME *in;
139
140 if (x == NULL) return(0);
141 in=x->revocationDate;
142 if (in != tm)
143 {
144 in=M_ASN1_TIME_dup(tm);
145 if (in != NULL)
146 {
147 M_ASN1_TIME_free(x->revocationDate);
148 x->revocationDate=in;
149 }
150 }
151 return(in != NULL);
152 }
153
154int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial)
155 {
156 ASN1_INTEGER *in;
157
158 if (x == NULL) return(0);
159 in=x->serialNumber;
160 if (in != serial)
161 {
162 in=M_ASN1_INTEGER_dup(serial);
163 if (in != NULL)
164 {
165 M_ASN1_INTEGER_free(x->serialNumber);
166 x->serialNumber=in;
167 }
168 }
169 return(in != NULL);
170 }
diff --git a/src/lib/libcrypto/x509/x509name.c b/src/lib/libcrypto/x509/x509name.c
deleted file mode 100644
index 27bc4dc9a3..0000000000
--- a/src/lib/libcrypto/x509/x509name.c
+++ /dev/null
@@ -1,383 +0,0 @@
1/* crypto/x509/x509name.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/stack.h>
61#include "cryptlib.h"
62#include <openssl/asn1.h>
63#include <openssl/objects.h>
64#include <openssl/evp.h>
65#include <openssl/x509.h>
66
67int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len)
68 {
69 ASN1_OBJECT *obj;
70
71 obj=OBJ_nid2obj(nid);
72 if (obj == NULL) return(-1);
73 return(X509_NAME_get_text_by_OBJ(name,obj,buf,len));
74 }
75
76int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, char *buf,
77 int len)
78 {
79 int i;
80 ASN1_STRING *data;
81
82 i=X509_NAME_get_index_by_OBJ(name,obj,-1);
83 if (i < 0) return(-1);
84 data=X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name,i));
85 i=(data->length > (len-1))?(len-1):data->length;
86 if (buf == NULL) return(data->length);
87 memcpy(buf,data->data,i);
88 buf[i]='\0';
89 return(i);
90 }
91
92int X509_NAME_entry_count(X509_NAME *name)
93 {
94 if (name == NULL) return(0);
95 return(sk_X509_NAME_ENTRY_num(name->entries));
96 }
97
98int X509_NAME_get_index_by_NID(X509_NAME *name, int nid, int lastpos)
99 {
100 ASN1_OBJECT *obj;
101
102 obj=OBJ_nid2obj(nid);
103 if (obj == NULL) return(-2);
104 return(X509_NAME_get_index_by_OBJ(name,obj,lastpos));
105 }
106
107/* NOTE: you should be passsing -1, not 0 as lastpos */
108int X509_NAME_get_index_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj,
109 int lastpos)
110 {
111 int n;
112 X509_NAME_ENTRY *ne;
113 STACK_OF(X509_NAME_ENTRY) *sk;
114
115 if (name == NULL) return(-1);
116 if (lastpos < 0)
117 lastpos= -1;
118 sk=name->entries;
119 n=sk_X509_NAME_ENTRY_num(sk);
120 for (lastpos++; lastpos < n; lastpos++)
121 {
122 ne=sk_X509_NAME_ENTRY_value(sk,lastpos);
123 if (OBJ_cmp(ne->object,obj) == 0)
124 return(lastpos);
125 }
126 return(-1);
127 }
128
129X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc)
130 {
131 if(name == NULL || sk_X509_NAME_ENTRY_num(name->entries) <= loc
132 || loc < 0)
133 return(NULL);
134 else
135 return(sk_X509_NAME_ENTRY_value(name->entries,loc));
136 }
137
138X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc)
139 {
140 X509_NAME_ENTRY *ret;
141 int i,n,set_prev,set_next;
142 STACK_OF(X509_NAME_ENTRY) *sk;
143
144 if (name == NULL || sk_X509_NAME_ENTRY_num(name->entries) <= loc
145 || loc < 0)
146 return(NULL);
147 sk=name->entries;
148 ret=sk_X509_NAME_ENTRY_delete(sk,loc);
149 n=sk_X509_NAME_ENTRY_num(sk);
150 name->modified=1;
151 if (loc == n) return(ret);
152
153 /* else we need to fixup the set field */
154 if (loc != 0)
155 set_prev=(sk_X509_NAME_ENTRY_value(sk,loc-1))->set;
156 else
157 set_prev=ret->set-1;
158 set_next=sk_X509_NAME_ENTRY_value(sk,loc)->set;
159
160 /* set_prev is the previous set
161 * set is the current set
162 * set_next is the following
163 * prev 1 1 1 1 1 1 1 1
164 * set 1 1 2 2
165 * next 1 1 2 2 2 2 3 2
166 * so basically only if prev and next differ by 2, then
167 * re-number down by 1 */
168 if (set_prev+1 < set_next)
169 for (i=loc; i<n; i++)
170 sk_X509_NAME_ENTRY_value(sk,i)->set--;
171 return(ret);
172 }
173
174int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type,
175 unsigned char *bytes, int len, int loc, int set)
176{
177 X509_NAME_ENTRY *ne;
178 int ret;
179 ne = X509_NAME_ENTRY_create_by_OBJ(NULL, obj, type, bytes, len);
180 if(!ne) return 0;
181 ret = X509_NAME_add_entry(name, ne, loc, set);
182 X509_NAME_ENTRY_free(ne);
183 return ret;
184}
185
186int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
187 unsigned char *bytes, int len, int loc, int set)
188{
189 X509_NAME_ENTRY *ne;
190 int ret;
191 ne = X509_NAME_ENTRY_create_by_NID(NULL, nid, type, bytes, len);
192 if(!ne) return 0;
193 ret = X509_NAME_add_entry(name, ne, loc, set);
194 X509_NAME_ENTRY_free(ne);
195 return ret;
196}
197
198int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type,
199 const unsigned char *bytes, int len, int loc, int set)
200{
201 X509_NAME_ENTRY *ne;
202 int ret;
203 ne = X509_NAME_ENTRY_create_by_txt(NULL, field, type, bytes, len);
204 if(!ne) return 0;
205 ret = X509_NAME_add_entry(name, ne, loc, set);
206 X509_NAME_ENTRY_free(ne);
207 return ret;
208}
209
210/* if set is -1, append to previous set, 0 'a new one', and 1,
211 * prepend to the guy we are about to stomp on. */
212int X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne, int loc,
213 int set)
214 {
215 X509_NAME_ENTRY *new_name=NULL;
216 int n,i,inc;
217 STACK_OF(X509_NAME_ENTRY) *sk;
218
219 if (name == NULL) return(0);
220 sk=name->entries;
221 n=sk_X509_NAME_ENTRY_num(sk);
222 if (loc > n) loc=n;
223 else if (loc < 0) loc=n;
224
225 name->modified=1;
226
227 if (set == -1)
228 {
229 if (loc == 0)
230 {
231 set=0;
232 inc=1;
233 }
234 else
235 {
236 set=sk_X509_NAME_ENTRY_value(sk,loc-1)->set;
237 inc=0;
238 }
239 }
240 else /* if (set >= 0) */
241 {
242 if (loc >= n)
243 {
244 if (loc != 0)
245 set=sk_X509_NAME_ENTRY_value(sk,loc-1)->set+1;
246 else
247 set=0;
248 }
249 else
250 set=sk_X509_NAME_ENTRY_value(sk,loc)->set;
251 inc=(set == 0)?1:0;
252 }
253
254 if ((new_name=X509_NAME_ENTRY_dup(ne)) == NULL)
255 goto err;
256 new_name->set=set;
257 if (!sk_X509_NAME_ENTRY_insert(sk,new_name,loc))
258 {
259 X509err(X509_F_X509_NAME_ADD_ENTRY,ERR_R_MALLOC_FAILURE);
260 goto err;
261 }
262 if (inc)
263 {
264 n=sk_X509_NAME_ENTRY_num(sk);
265 for (i=loc+1; i<n; i++)
266 sk_X509_NAME_ENTRY_value(sk,i-1)->set+=1;
267 }
268 return(1);
269err:
270 if (new_name != NULL)
271 X509_NAME_ENTRY_free(new_name);
272 return(0);
273 }
274
275X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
276 const char *field, int type, const unsigned char *bytes, int len)
277 {
278 ASN1_OBJECT *obj;
279 X509_NAME_ENTRY *nentry;
280
281 obj=OBJ_txt2obj(field, 0);
282 if (obj == NULL)
283 {
284 X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_TXT,
285 X509_R_INVALID_FIELD_NAME);
286 ERR_add_error_data(2, "name=", field);
287 return(NULL);
288 }
289 nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len);
290 ASN1_OBJECT_free(obj);
291 return nentry;
292 }
293
294X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
295 int type, unsigned char *bytes, int len)
296 {
297 ASN1_OBJECT *obj;
298 X509_NAME_ENTRY *nentry;
299
300 obj=OBJ_nid2obj(nid);
301 if (obj == NULL)
302 {
303 X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_NID,X509_R_UNKNOWN_NID);
304 return(NULL);
305 }
306 nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len);
307 ASN1_OBJECT_free(obj);
308 return nentry;
309 }
310
311X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
312 ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len)
313 {
314 X509_NAME_ENTRY *ret;
315
316 if ((ne == NULL) || (*ne == NULL))
317 {
318 if ((ret=X509_NAME_ENTRY_new()) == NULL)
319 return(NULL);
320 }
321 else
322 ret= *ne;
323
324 if (!X509_NAME_ENTRY_set_object(ret,obj))
325 goto err;
326 if (!X509_NAME_ENTRY_set_data(ret,type,bytes,len))
327 goto err;
328
329 if ((ne != NULL) && (*ne == NULL)) *ne=ret;
330 return(ret);
331err:
332 if ((ne == NULL) || (ret != *ne))
333 X509_NAME_ENTRY_free(ret);
334 return(NULL);
335 }
336
337int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj)
338 {
339 if ((ne == NULL) || (obj == NULL))
340 {
341 X509err(X509_F_X509_NAME_ENTRY_SET_OBJECT,ERR_R_PASSED_NULL_PARAMETER);
342 return(0);
343 }
344 ASN1_OBJECT_free(ne->object);
345 ne->object=OBJ_dup(obj);
346 return((ne->object == NULL)?0:1);
347 }
348
349int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
350 const unsigned char *bytes, int len)
351 {
352 int i;
353
354 if ((ne == NULL) || ((bytes == NULL) && (len != 0))) return(0);
355 if((type > 0) && (type & MBSTRING_FLAG))
356 return ASN1_STRING_set_by_NID(&ne->value, bytes,
357 len, type,
358 OBJ_obj2nid(ne->object)) ? 1 : 0;
359 if (len < 0) len=strlen((const char *)bytes);
360 i=ASN1_STRING_set(ne->value,bytes,len);
361 if (!i) return(0);
362 if (type != V_ASN1_UNDEF)
363 {
364 if (type == V_ASN1_APP_CHOOSE)
365 ne->value->type=ASN1_PRINTABLE_type(bytes,len);
366 else
367 ne->value->type=type;
368 }
369 return(1);
370 }
371
372ASN1_OBJECT *X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne)
373 {
374 if (ne == NULL) return(NULL);
375 return(ne->object);
376 }
377
378ASN1_STRING *X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne)
379 {
380 if (ne == NULL) return(NULL);
381 return(ne->value);
382 }
383
diff --git a/src/lib/libcrypto/x509/x509rset.c b/src/lib/libcrypto/x509/x509rset.c
deleted file mode 100644
index d9f6b57372..0000000000
--- a/src/lib/libcrypto/x509/x509rset.c
+++ /dev/null
@@ -1,83 +0,0 @@
1/* crypto/x509/x509rset.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/asn1.h>
62#include <openssl/objects.h>
63#include <openssl/evp.h>
64#include <openssl/x509.h>
65
66int X509_REQ_set_version(X509_REQ *x, long version)
67 {
68 if (x == NULL) return(0);
69 return(ASN1_INTEGER_set(x->req_info->version,version));
70 }
71
72int X509_REQ_set_subject_name(X509_REQ *x, X509_NAME *name)
73 {
74 if ((x == NULL) || (x->req_info == NULL)) return(0);
75 return(X509_NAME_set(&x->req_info->subject,name));
76 }
77
78int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey)
79 {
80 if ((x == NULL) || (x->req_info == NULL)) return(0);
81 return(X509_PUBKEY_set(&x->req_info->pubkey,pkey));
82 }
83
diff --git a/src/lib/libcrypto/x509/x509spki.c b/src/lib/libcrypto/x509/x509spki.c
deleted file mode 100644
index 02a203d72c..0000000000
--- a/src/lib/libcrypto/x509/x509spki.c
+++ /dev/null
@@ -1,121 +0,0 @@
1/* x509spki.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/x509.h>
62
63int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey)
64{
65 if ((x == NULL) || (x->spkac == NULL)) return(0);
66 return(X509_PUBKEY_set(&(x->spkac->pubkey),pkey));
67}
68
69EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *x)
70{
71 if ((x == NULL) || (x->spkac == NULL))
72 return(NULL);
73 return(X509_PUBKEY_get(x->spkac->pubkey));
74}
75
76/* Load a Netscape SPKI from a base64 encoded string */
77
78NETSCAPE_SPKI * NETSCAPE_SPKI_b64_decode(const char *str, int len)
79{
80 unsigned char *spki_der;
81 const unsigned char *p;
82 int spki_len;
83 NETSCAPE_SPKI *spki;
84 if(len <= 0) len = strlen(str);
85 if (!(spki_der = OPENSSL_malloc(len + 1))) {
86 X509err(X509_F_NETSCAPE_SPKI_B64_DECODE, ERR_R_MALLOC_FAILURE);
87 return NULL;
88 }
89 spki_len = EVP_DecodeBlock(spki_der, (const unsigned char *)str, len);
90 if(spki_len < 0) {
91 X509err(X509_F_NETSCAPE_SPKI_B64_DECODE,
92 X509_R_BASE64_DECODE_ERROR);
93 OPENSSL_free(spki_der);
94 return NULL;
95 }
96 p = spki_der;
97 spki = d2i_NETSCAPE_SPKI(NULL, &p, spki_len);
98 OPENSSL_free(spki_der);
99 return spki;
100}
101
102/* Generate a base64 encoded string from an SPKI */
103
104char * NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki)
105{
106 unsigned char *der_spki, *p;
107 char *b64_str;
108 int der_len;
109 der_len = i2d_NETSCAPE_SPKI(spki, NULL);
110 der_spki = OPENSSL_malloc(der_len);
111 b64_str = OPENSSL_malloc(der_len * 2);
112 if(!der_spki || !b64_str) {
113 X509err(X509_F_NETSCAPE_SPKI_B64_ENCODE, ERR_R_MALLOC_FAILURE);
114 return NULL;
115 }
116 p = der_spki;
117 i2d_NETSCAPE_SPKI(spki, &p);
118 EVP_EncodeBlock((unsigned char *)b64_str, der_spki, der_len);
119 OPENSSL_free(der_spki);
120 return b64_str;
121}
diff --git a/src/lib/libcrypto/x509/x509type.c b/src/lib/libcrypto/x509/x509type.c
deleted file mode 100644
index 3385ad3f67..0000000000
--- a/src/lib/libcrypto/x509/x509type.c
+++ /dev/null
@@ -1,125 +0,0 @@
1/* crypto/x509/x509type.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/evp.h>
62#include <openssl/objects.h>
63#include <openssl/x509.h>
64
65int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
66 {
67 EVP_PKEY *pk;
68 int ret=0,i;
69
70 if (x == NULL) return(0);
71
72 if (pkey == NULL)
73 pk=X509_get_pubkey(x);
74 else
75 pk=pkey;
76
77 if (pk == NULL) return(0);
78
79 switch (pk->type)
80 {
81 case EVP_PKEY_RSA:
82 ret=EVP_PK_RSA|EVP_PKT_SIGN;
83/* if (!sign only extension) */
84 ret|=EVP_PKT_ENC;
85 break;
86 case EVP_PKEY_DSA:
87 ret=EVP_PK_DSA|EVP_PKT_SIGN;
88 break;
89 case EVP_PKEY_EC:
90 ret=EVP_PK_EC|EVP_PKT_SIGN|EVP_PKT_EXCH;
91 break;
92 case EVP_PKEY_DH:
93 ret=EVP_PK_DH|EVP_PKT_EXCH;
94 break;
95 case NID_id_GostR3410_94:
96 case NID_id_GostR3410_2001:
97 ret=EVP_PKT_EXCH|EVP_PKT_SIGN;
98 break;
99 default:
100 break;
101 }
102
103 i=X509_get_signature_type(x);
104 switch (i)
105 {
106 case EVP_PKEY_RSA:
107 ret|=EVP_PKS_RSA;
108 break;
109 case EVP_PKEY_DSA:
110 ret|=EVP_PKS_DSA;
111 break;
112 case EVP_PKEY_EC:
113 ret|=EVP_PKS_EC;
114 break;
115 default:
116 break;
117 }
118
119 if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look
120 for, not bytes */
121 ret|=EVP_PKT_EXP;
122 if(pkey==NULL) EVP_PKEY_free(pk);
123 return(ret);
124 }
125
diff --git a/src/lib/libcrypto/x509/x_all.c b/src/lib/libcrypto/x509/x_all.c
deleted file mode 100644
index ebae30b701..0000000000
--- a/src/lib/libcrypto/x509/x_all.c
+++ /dev/null
@@ -1,515 +0,0 @@
1/* crypto/x509/x_all.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/stack.h>
61#include "cryptlib.h"
62#include <openssl/buffer.h>
63#include <openssl/asn1.h>
64#include <openssl/evp.h>
65#include <openssl/x509.h>
66#ifndef OPENSSL_NO_RSA
67#include <openssl/rsa.h>
68#endif
69#ifndef OPENSSL_NO_DSA
70#include <openssl/dsa.h>
71#endif
72
73int X509_verify(X509 *a, EVP_PKEY *r)
74 {
75 return(ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF),a->sig_alg,
76 a->signature,a->cert_info,r));
77 }
78
79int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r)
80 {
81 return( ASN1_item_verify(ASN1_ITEM_rptr(X509_REQ_INFO),
82 a->sig_alg,a->signature,a->req_info,r));
83 }
84
85int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r)
86 {
87 return(ASN1_item_verify(ASN1_ITEM_rptr(NETSCAPE_SPKAC),
88 a->sig_algor,a->signature,a->spkac,r));
89 }
90
91int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
92 {
93 return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), x->cert_info->signature,
94 x->sig_alg, x->signature, x->cert_info,pkey,md));
95 }
96
97int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
98 {
99 return(ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO),x->sig_alg, NULL,
100 x->signature, x->req_info,pkey,md));
101 }
102
103int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
104 {
105 x->crl->enc.modified = 1;
106 return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO),x->crl->sig_alg,
107 x->sig_alg, x->signature, x->crl,pkey,md));
108 }
109
110int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md)
111 {
112 return(ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), x->sig_algor,NULL,
113 x->signature, x->spkac,pkey,md));
114 }
115
116#ifndef OPENSSL_NO_FP_API
117X509 *d2i_X509_fp(FILE *fp, X509 **x509)
118 {
119 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509), fp, x509);
120 }
121
122int i2d_X509_fp(FILE *fp, X509 *x509)
123 {
124 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509), fp, x509);
125 }
126#endif
127
128X509 *d2i_X509_bio(BIO *bp, X509 **x509)
129 {
130 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509), bp, x509);
131 }
132
133int i2d_X509_bio(BIO *bp, X509 *x509)
134 {
135 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509), bp, x509);
136 }
137
138#ifndef OPENSSL_NO_FP_API
139X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl)
140 {
141 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509_CRL), fp, crl);
142 }
143
144int i2d_X509_CRL_fp(FILE *fp, X509_CRL *crl)
145 {
146 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509_CRL), fp, crl);
147 }
148#endif
149
150X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl)
151 {
152 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509_CRL), bp, crl);
153 }
154
155int i2d_X509_CRL_bio(BIO *bp, X509_CRL *crl)
156 {
157 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509_CRL), bp, crl);
158 }
159
160#ifndef OPENSSL_NO_FP_API
161PKCS7 *d2i_PKCS7_fp(FILE *fp, PKCS7 **p7)
162 {
163 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(PKCS7), fp, p7);
164 }
165
166int i2d_PKCS7_fp(FILE *fp, PKCS7 *p7)
167 {
168 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(PKCS7), fp, p7);
169 }
170#endif
171
172PKCS7 *d2i_PKCS7_bio(BIO *bp, PKCS7 **p7)
173 {
174 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(PKCS7), bp, p7);
175 }
176
177int i2d_PKCS7_bio(BIO *bp, PKCS7 *p7)
178 {
179 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(PKCS7), bp, p7);
180 }
181
182#ifndef OPENSSL_NO_FP_API
183X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req)
184 {
185 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509_REQ), fp, req);
186 }
187
188int i2d_X509_REQ_fp(FILE *fp, X509_REQ *req)
189 {
190 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509_REQ), fp, req);
191 }
192#endif
193
194X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req)
195 {
196 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509_REQ), bp, req);
197 }
198
199int i2d_X509_REQ_bio(BIO *bp, X509_REQ *req)
200 {
201 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509_REQ), bp, req);
202 }
203
204#ifndef OPENSSL_NO_RSA
205
206#ifndef OPENSSL_NO_FP_API
207RSA *d2i_RSAPrivateKey_fp(FILE *fp, RSA **rsa)
208 {
209 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(RSAPrivateKey), fp, rsa);
210 }
211
212int i2d_RSAPrivateKey_fp(FILE *fp, RSA *rsa)
213 {
214 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(RSAPrivateKey), fp, rsa);
215 }
216
217RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa)
218 {
219 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(RSAPublicKey), fp, rsa);
220 }
221
222
223RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa)
224 {
225 return ASN1_d2i_fp((void *(*)(void))
226 RSA_new,(D2I_OF(void))d2i_RSA_PUBKEY, fp,
227 (void **)rsa);
228 }
229
230int i2d_RSAPublicKey_fp(FILE *fp, RSA *rsa)
231 {
232 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(RSAPublicKey), fp, rsa);
233 }
234
235int i2d_RSA_PUBKEY_fp(FILE *fp, RSA *rsa)
236 {
237 return ASN1_i2d_fp((I2D_OF(void))i2d_RSA_PUBKEY,fp,rsa);
238 }
239#endif
240
241RSA *d2i_RSAPrivateKey_bio(BIO *bp, RSA **rsa)
242 {
243 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(RSAPrivateKey), bp, rsa);
244 }
245
246int i2d_RSAPrivateKey_bio(BIO *bp, RSA *rsa)
247 {
248 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(RSAPrivateKey), bp, rsa);
249 }
250
251RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa)
252 {
253 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(RSAPublicKey), bp, rsa);
254 }
255
256
257RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa)
258 {
259 return ASN1_d2i_bio_of(RSA,RSA_new,d2i_RSA_PUBKEY,bp,rsa);
260 }
261
262int i2d_RSAPublicKey_bio(BIO *bp, RSA *rsa)
263 {
264 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(RSAPublicKey), bp, rsa);
265 }
266
267int i2d_RSA_PUBKEY_bio(BIO *bp, RSA *rsa)
268 {
269 return ASN1_i2d_bio_of(RSA,i2d_RSA_PUBKEY,bp,rsa);
270 }
271#endif
272
273#ifndef OPENSSL_NO_DSA
274#ifndef OPENSSL_NO_FP_API
275DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa)
276 {
277 return ASN1_d2i_fp_of(DSA,DSA_new,d2i_DSAPrivateKey,fp,dsa);
278 }
279
280int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa)
281 {
282 return ASN1_i2d_fp_of_const(DSA,i2d_DSAPrivateKey,fp,dsa);
283 }
284
285DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa)
286 {
287 return ASN1_d2i_fp_of(DSA,DSA_new,d2i_DSA_PUBKEY,fp,dsa);
288 }
289
290int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa)
291 {
292 return ASN1_i2d_fp_of(DSA,i2d_DSA_PUBKEY,fp,dsa);
293 }
294#endif
295
296DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa)
297 {
298 return ASN1_d2i_bio_of(DSA,DSA_new,d2i_DSAPrivateKey,bp,dsa
299);
300 }
301
302int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa)
303 {
304 return ASN1_i2d_bio_of_const(DSA,i2d_DSAPrivateKey,bp,dsa);
305 }
306
307DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa)
308 {
309 return ASN1_d2i_bio_of(DSA,DSA_new,d2i_DSA_PUBKEY,bp,dsa);
310 }
311
312int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa)
313 {
314 return ASN1_i2d_bio_of(DSA,i2d_DSA_PUBKEY,bp,dsa);
315 }
316
317#endif
318
319#ifndef OPENSSL_NO_EC
320#ifndef OPENSSL_NO_FP_API
321EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey)
322 {
323 return ASN1_d2i_fp_of(EC_KEY,EC_KEY_new,d2i_EC_PUBKEY,fp,eckey);
324 }
325
326int i2d_EC_PUBKEY_fp(FILE *fp, EC_KEY *eckey)
327 {
328 return ASN1_i2d_fp_of(EC_KEY,i2d_EC_PUBKEY,fp,eckey);
329 }
330
331EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey)
332 {
333 return ASN1_d2i_fp_of(EC_KEY,EC_KEY_new,d2i_ECPrivateKey,fp,eckey);
334 }
335
336int i2d_ECPrivateKey_fp(FILE *fp, EC_KEY *eckey)
337 {
338 return ASN1_i2d_fp_of(EC_KEY,i2d_ECPrivateKey,fp,eckey);
339 }
340#endif
341EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey)
342 {
343 return ASN1_d2i_bio_of(EC_KEY,EC_KEY_new,d2i_EC_PUBKEY,bp,eckey);
344 }
345
346int i2d_EC_PUBKEY_bio(BIO *bp, EC_KEY *ecdsa)
347 {
348 return ASN1_i2d_bio_of(EC_KEY,i2d_EC_PUBKEY,bp,ecdsa);
349 }
350
351EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey)
352 {
353 return ASN1_d2i_bio_of(EC_KEY,EC_KEY_new,d2i_ECPrivateKey,bp,eckey);
354 }
355
356int i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey)
357 {
358 return ASN1_i2d_bio_of(EC_KEY,i2d_ECPrivateKey,bp,eckey);
359 }
360#endif
361
362
363int X509_pubkey_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
364 unsigned int *len)
365 {
366 ASN1_BIT_STRING *key;
367 key = X509_get0_pubkey_bitstr(data);
368 if(!key) return 0;
369 return EVP_Digest(key->data, key->length, md, len, type, NULL);
370 }
371
372int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
373 unsigned int *len)
374 {
375 return(ASN1_item_digest(ASN1_ITEM_rptr(X509),type,(char *)data,md,len));
376 }
377
378int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type, unsigned char *md,
379 unsigned int *len)
380 {
381 return(ASN1_item_digest(ASN1_ITEM_rptr(X509_CRL),type,(char *)data,md,len));
382 }
383
384int X509_REQ_digest(const X509_REQ *data, const EVP_MD *type, unsigned char *md,
385 unsigned int *len)
386 {
387 return(ASN1_item_digest(ASN1_ITEM_rptr(X509_REQ),type,(char *)data,md,len));
388 }
389
390int X509_NAME_digest(const X509_NAME *data, const EVP_MD *type, unsigned char *md,
391 unsigned int *len)
392 {
393 return(ASN1_item_digest(ASN1_ITEM_rptr(X509_NAME),type,(char *)data,md,len));
394 }
395
396int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data, const EVP_MD *type,
397 unsigned char *md, unsigned int *len)
398 {
399 return(ASN1_item_digest(ASN1_ITEM_rptr(PKCS7_ISSUER_AND_SERIAL),type,
400 (char *)data,md,len));
401 }
402
403
404#ifndef OPENSSL_NO_FP_API
405X509_SIG *d2i_PKCS8_fp(FILE *fp, X509_SIG **p8)
406 {
407 return ASN1_d2i_fp_of(X509_SIG,X509_SIG_new,d2i_X509_SIG,fp,p8);
408 }
409
410int i2d_PKCS8_fp(FILE *fp, X509_SIG *p8)
411 {
412 return ASN1_i2d_fp_of(X509_SIG,i2d_X509_SIG,fp,p8);
413 }
414#endif
415
416X509_SIG *d2i_PKCS8_bio(BIO *bp, X509_SIG **p8)
417 {
418 return ASN1_d2i_bio_of(X509_SIG,X509_SIG_new,d2i_X509_SIG,bp,p8);
419 }
420
421int i2d_PKCS8_bio(BIO *bp, X509_SIG *p8)
422 {
423 return ASN1_i2d_bio_of(X509_SIG,i2d_X509_SIG,bp,p8);
424 }
425
426#ifndef OPENSSL_NO_FP_API
427PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,
428 PKCS8_PRIV_KEY_INFO **p8inf)
429 {
430 return ASN1_d2i_fp_of(PKCS8_PRIV_KEY_INFO,PKCS8_PRIV_KEY_INFO_new,
431 d2i_PKCS8_PRIV_KEY_INFO,fp,p8inf);
432 }
433
434int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, PKCS8_PRIV_KEY_INFO *p8inf)
435 {
436 return ASN1_i2d_fp_of(PKCS8_PRIV_KEY_INFO,i2d_PKCS8_PRIV_KEY_INFO,fp,
437 p8inf);
438 }
439
440int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key)
441 {
442 PKCS8_PRIV_KEY_INFO *p8inf;
443 int ret;
444 p8inf = EVP_PKEY2PKCS8(key);
445 if(!p8inf) return 0;
446 ret = i2d_PKCS8_PRIV_KEY_INFO_fp(fp, p8inf);
447 PKCS8_PRIV_KEY_INFO_free(p8inf);
448 return ret;
449 }
450
451int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey)
452 {
453 return ASN1_i2d_fp_of(EVP_PKEY,i2d_PrivateKey,fp,pkey);
454 }
455
456EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a)
457{
458 return ASN1_d2i_fp_of(EVP_PKEY,EVP_PKEY_new,d2i_AutoPrivateKey,fp,a);
459}
460
461int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey)
462 {
463 return ASN1_i2d_fp_of(EVP_PKEY,i2d_PUBKEY,fp,pkey);
464 }
465
466EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a)
467{
468 return ASN1_d2i_fp_of(EVP_PKEY,EVP_PKEY_new,d2i_PUBKEY,fp,a);
469}
470
471#endif
472
473PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
474 PKCS8_PRIV_KEY_INFO **p8inf)
475 {
476 return ASN1_d2i_bio_of(PKCS8_PRIV_KEY_INFO,PKCS8_PRIV_KEY_INFO_new,
477 d2i_PKCS8_PRIV_KEY_INFO,bp,p8inf);
478 }
479
480int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, PKCS8_PRIV_KEY_INFO *p8inf)
481 {
482 return ASN1_i2d_bio_of(PKCS8_PRIV_KEY_INFO,i2d_PKCS8_PRIV_KEY_INFO,bp,
483 p8inf);
484 }
485
486int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key)
487 {
488 PKCS8_PRIV_KEY_INFO *p8inf;
489 int ret;
490 p8inf = EVP_PKEY2PKCS8(key);
491 if(!p8inf) return 0;
492 ret = i2d_PKCS8_PRIV_KEY_INFO_bio(bp, p8inf);
493 PKCS8_PRIV_KEY_INFO_free(p8inf);
494 return ret;
495 }
496
497int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey)
498 {
499 return ASN1_i2d_bio_of(EVP_PKEY,i2d_PrivateKey,bp,pkey);
500 }
501
502EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a)
503 {
504 return ASN1_d2i_bio_of(EVP_PKEY,EVP_PKEY_new,d2i_AutoPrivateKey,bp,a);
505 }
506
507int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey)
508 {
509 return ASN1_i2d_bio_of(EVP_PKEY,i2d_PUBKEY,bp,pkey);
510 }
511
512EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a)
513 {
514 return ASN1_d2i_bio_of(EVP_PKEY,EVP_PKEY_new,d2i_PUBKEY,bp,a);
515 }
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-08 10:46:33 +0000