| author | djm <> | 2005-04-29 05:39:33 +0000 |
|---|---|---|
| committer | djm <> | 2005-04-29 05:39:33 +0000 |
| commit | 68edd00d9258df93b1366c71ac124e0cadf7bc08 (patch) | |
| tree | 3ce4ae2a9747bbc11aed1f95f9bbea92c41f8683 /src/lib/libcrypto/x509v3 | |
| parent | f396ed0f5ce0af56bfde2e75e15cf1f52924c779 (diff) | |
| download | openbsd-68edd00d9258df93b1366c71ac124e0cadf7bc08.tar.gz openbsd-68edd00d9258df93b1366c71ac124e0cadf7bc08.tar.bz2 openbsd-68edd00d9258df93b1366c71ac124e0cadf7bc08.zip | |
resolve conflicts
Diffstat (limited to 'src/lib/libcrypto/x509v3')
| -rw-r--r-- | src/lib/libcrypto/x509v3/ext_dat.h | 11 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509v3/v3_bitst.c | 7 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509v3/v3_ia5.c | 5 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509v3/v3_int.c | 19 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509v3/v3_purp.c | 75 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509v3/v3err.c | 14 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509v3/x509v3.h | 31 |
7 files changed, 120 insertions, 42 deletions
diff --git a/src/lib/libcrypto/x509v3/ext_dat.h b/src/lib/libcrypto/x509v3/ext_dat.h index 5442480595..d8328ac468 100644 --- a/src/lib/libcrypto/x509v3/ext_dat.h +++ b/src/lib/libcrypto/x509v3/ext_dat.h | |||
| @@ -3,7 +3,7 @@ | |||
| 3 | * project 1999. | 3 | * project 1999. |
| 4 | */ | 4 | */ |
| 5 | /* ==================================================================== | 5 | /* ==================================================================== |
| 6 | * Copyright (c) 1999 The OpenSSL Project. All rights reserved. | 6 | * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. |
| 7 | * | 7 | * |
| 8 | * Redistribution and use in source and binary forms, with or without | 8 | * Redistribution and use in source and binary forms, with or without |
| 9 | * modification, are permitted provided that the following conditions | 9 | * modification, are permitted provided that the following conditions |
| @@ -60,10 +60,11 @@ | |||
| 60 | extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku; | 60 | extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku; |
| 61 | extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo; | 61 | extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo; |
| 62 | extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id; | 62 | extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id; |
| 63 | extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate, v3_cpols, v3_crld; | 63 | extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate; |
| 64 | extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld; | ||
| 64 | extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff; | 65 | extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff; |
| 65 | extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc; | 66 | extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc; |
| 66 | extern X509V3_EXT_METHOD v3_crl_hold; | 67 | extern X509V3_EXT_METHOD v3_crl_hold, v3_pci; |
| 67 | 68 | ||
| 68 | /* This table will be searched using OBJ_bsearch so it *must* kept in | 69 | /* This table will be searched using OBJ_bsearch so it *must* kept in |
| 69 | * order of the ext_nid values. | 70 | * order of the ext_nid values. |
| @@ -89,6 +90,7 @@ static X509V3_EXT_METHOD *standard_exts[] = { | |||
| 89 | &v3_akey_id, | 90 | &v3_akey_id, |
| 90 | &v3_crld, | 91 | &v3_crld, |
| 91 | &v3_ext_ku, | 92 | &v3_ext_ku, |
| 93 | &v3_delta_crl, | ||
| 92 | &v3_crl_reason, | 94 | &v3_crl_reason, |
| 93 | #ifndef OPENSSL_NO_OCSP | 95 | #ifndef OPENSSL_NO_OCSP |
| 94 | &v3_crl_invdate, | 96 | &v3_crl_invdate, |
| @@ -105,8 +107,9 @@ static X509V3_EXT_METHOD *standard_exts[] = { | |||
| 105 | #endif | 107 | #endif |
| 106 | &v3_sinfo, | 108 | &v3_sinfo, |
| 107 | #ifndef OPENSSL_NO_OCSP | 109 | #ifndef OPENSSL_NO_OCSP |
| 108 | &v3_crl_hold | 110 | &v3_crl_hold, |
| 109 | #endif | 111 | #endif |
| 112 | &v3_pci, | ||
| 110 | }; | 113 | }; |
| 111 | 114 | ||
| 112 | /* Number of standard extensions */ | 115 | /* Number of standard extensions */ |
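Review bot: Both new entries in standard_exts depend on the invariant stated in the comment above the table — OBJ_bsearch only finds an entry when the array is sorted by ext_nid — and nothing verifies that after an edit like this one. The positions look right (NID_proxyCertInfo is 661 per the comment in v3_purp.c, and NID_delta_crl should sort between NID_ext_key_usage at 126 and NID_crl_reason, if obj_mac.h agrees), but a misplacement fails silently: X509V3_EXT_get_nid returns NULL, X509_get_ext_d2i returns NULL, and the new proxy-certificate handling in x509v3_cache_extensions never sets EXFLAG_PROXY. A one-time ordering check of standard_exts under a debug build (walk the table, compare adjacent ext_nid values) would make that loud; at minimum, annotate the new entries with their NID values the way X509_supported_extension does, e.g. `&v3_pci, /* 661 */`, so the sort order stays reviewable.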
diff --git a/src/lib/libcrypto/x509v3/v3_bitst.c b/src/lib/libcrypto/x509v3/v3_bitst.c index 16cf125562..274965306d 100644 --- a/src/lib/libcrypto/x509v3/v3_bitst.c +++ b/src/lib/libcrypto/x509v3/v3_bitst.c | |||
| @@ -124,7 +124,12 @@ static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, | |||
| 124 | for(bnam = method->usr_data; bnam->lname; bnam++) { | 124 | for(bnam = method->usr_data; bnam->lname; bnam++) { |
| 125 | if(!strcmp(bnam->sname, val->name) || | 125 | if(!strcmp(bnam->sname, val->name) || |
| 126 | !strcmp(bnam->lname, val->name) ) { | 126 | !strcmp(bnam->lname, val->name) ) { |
| 127 | ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1); | 127 | if(!ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1)) { |
| 128 | X509V3err(X509V3_F_V2I_ASN1_BIT_STRING, | ||
| 129 | ERR_R_MALLOC_FAILURE); | ||
| 130 | M_ASN1_BIT_STRING_free(bs); | ||
| 131 | return NULL; | ||
| 132 | } | ||
| 128 | break; | 133 | break; |
| 129 | } | 134 | } |
| 130 | } | 135 | } |
diff --git a/src/lib/libcrypto/x509v3/v3_ia5.c b/src/lib/libcrypto/x509v3/v3_ia5.c index f9414456de..9683afa47c 100644 --- a/src/lib/libcrypto/x509v3/v3_ia5.c +++ b/src/lib/libcrypto/x509v3/v3_ia5.c | |||
| @@ -82,7 +82,10 @@ static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, | |||
| 82 | { | 82 | { |
| 83 | char *tmp; | 83 | char *tmp; |
| 84 | if(!ia5 || !ia5->length) return NULL; | 84 | if(!ia5 || !ia5->length) return NULL; |
| 85 | if (!(tmp = OPENSSL_malloc(ia5->length + 1))) return NULL; | 85 | if(!(tmp = OPENSSL_malloc(ia5->length + 1))) { |
| 86 | X509V3err(X509V3_F_I2S_ASN1_IA5STRING,ERR_R_MALLOC_FAILURE); | ||
| 87 | return NULL; | ||
| 88 | } | ||
| 86 | memcpy(tmp, ia5->data, ia5->length); | 89 | memcpy(tmp, ia5->data, ia5->length); |
| 87 | tmp[ia5->length] = 0; | 90 | tmp[ia5->length] = 0; |
| 88 | return tmp; | 91 | return tmp; |
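Review bot: The NUL-termination on the line after memcpy assumes the IA5STRING holds no NUL byte; if ia5->data contains one within ia5->length, the returned C string silently stops early and the printed extension value no longer matches the encoded one. A check right after the existing length guard, `if(memchr(ia5->data, 0, ia5->length)) { X509V3err(X509V3_F_I2S_ASN1_IA5STRING, X509V3_R_INVALID_EXTENSION_STRING); return NULL; }`, would make the conversion refuse such values instead of truncating them (pick whichever X509V3_R_ reason the module prefers). i2s_ASN1_IA5STRING's signature and closing brace are outside the hunk.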
diff --git a/src/lib/libcrypto/x509v3/v3_int.c b/src/lib/libcrypto/x509v3/v3_int.c index f34cbfb731..7a43b4717b 100644 --- a/src/lib/libcrypto/x509v3/v3_int.c +++ b/src/lib/libcrypto/x509v3/v3_int.c | |||
| @@ -3,7 +3,7 @@ | |||
| 3 | * project 1999. | 3 | * project 1999. |
| 4 | */ | 4 | */ |
| 5 | /* ==================================================================== | 5 | /* ==================================================================== |
| 6 | * Copyright (c) 1999 The OpenSSL Project. All rights reserved. | 6 | * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. |
| 7 | * | 7 | * |
| 8 | * Redistribution and use in source and binary forms, with or without | 8 | * Redistribution and use in source and binary forms, with or without |
| 9 | * modification, are permitted provided that the following conditions | 9 | * modification, are permitted provided that the following conditions |
| @@ -61,9 +61,16 @@ | |||
| 61 | #include <openssl/x509v3.h> | 61 | #include <openssl/x509v3.h> |
| 62 | 62 | ||
| 63 | X509V3_EXT_METHOD v3_crl_num = { | 63 | X509V3_EXT_METHOD v3_crl_num = { |
| 64 | NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER), | 64 | NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER), |
| 65 | 0,0,0,0, | 65 | 0,0,0,0, |
| 66 | (X509V3_EXT_I2S)i2s_ASN1_INTEGER, | 66 | (X509V3_EXT_I2S)i2s_ASN1_INTEGER, |
| 67 | 0, | 67 | 0, |
| 68 | 0,0,0,0, NULL}; | 68 | 0,0,0,0, NULL}; |
| 69 | |||
| 70 | X509V3_EXT_METHOD v3_delta_crl = { | ||
| 71 | NID_delta_crl, 0, ASN1_ITEM_ref(ASN1_INTEGER), | ||
| 72 | 0,0,0,0, | ||
| 73 | (X509V3_EXT_I2S)i2s_ASN1_INTEGER, | ||
| 74 | 0, | ||
| 75 | 0,0,0,0, NULL}; | ||
| 69 | 76 | ||
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c index b3d1ae5d1c..bbdf6da493 100644 --- a/src/lib/libcrypto/x509v3/v3_purp.c +++ b/src/lib/libcrypto/x509v3/v3_purp.c | |||
| @@ -63,7 +63,6 @@ | |||
| 63 | 63 | ||
| 64 | static void x509v3_cache_extensions(X509 *x); | 64 | static void x509v3_cache_extensions(X509 *x); |
| 65 | 65 | ||
| 66 | static int ca_check(const X509 *x); | ||
| 67 | static int check_ssl_ca(const X509 *x); | 66 | static int check_ssl_ca(const X509 *x); |
| 68 | static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca); | 67 | static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca); |
| 69 | static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca); | 68 | static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca); |
| @@ -286,7 +285,8 @@ int X509_supported_extension(X509_EXTENSION *ex) | |||
| 286 | NID_key_usage, /* 83 */ | 285 | NID_key_usage, /* 83 */ |
| 287 | NID_subject_alt_name, /* 85 */ | 286 | NID_subject_alt_name, /* 85 */ |
| 288 | NID_basic_constraints, /* 87 */ | 287 | NID_basic_constraints, /* 87 */ |
| 289 | NID_ext_key_usage /* 126 */ | 288 | NID_ext_key_usage, /* 126 */ |
| 289 | NID_proxyCertInfo /* 661 */ | ||
| 290 | }; | 290 | }; |
| 291 | 291 | ||
| 292 | int ex_nid; | 292 | int ex_nid; |
| @@ -307,6 +307,7 @@ int X509_supported_extension(X509_EXTENSION *ex) | |||
| 307 | static void x509v3_cache_extensions(X509 *x) | 307 | static void x509v3_cache_extensions(X509 *x) |
| 308 | { | 308 | { |
| 309 | BASIC_CONSTRAINTS *bs; | 309 | BASIC_CONSTRAINTS *bs; |
| 310 | PROXY_CERT_INFO_EXTENSION *pci; | ||
| 310 | ASN1_BIT_STRING *usage; | 311 | ASN1_BIT_STRING *usage; |
| 311 | ASN1_BIT_STRING *ns; | 312 | ASN1_BIT_STRING *ns; |
| 312 | EXTENDED_KEY_USAGE *extusage; | 313 | EXTENDED_KEY_USAGE *extusage; |
| @@ -335,6 +336,16 @@ static void x509v3_cache_extensions(X509 *x) | |||
| 335 | BASIC_CONSTRAINTS_free(bs); | 336 | BASIC_CONSTRAINTS_free(bs); |
| 336 | x->ex_flags |= EXFLAG_BCONS; | 337 | x->ex_flags |= EXFLAG_BCONS; |
| 337 | } | 338 | } |
| 339 | /* Handle proxy certificates */ | ||
| 340 | if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) { | ||
| 341 | if (x->ex_flags & EXFLAG_CA | ||
| 342 | || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0 | ||
| 343 | || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) { | ||
| 344 | x->ex_flags |= EXFLAG_INVALID; | ||
| 345 | } | ||
| 346 | PROXY_CERT_INFO_EXTENSION_free(pci); | ||
| 347 | x->ex_flags |= EXFLAG_PROXY; | ||
| 348 | } | ||
| 338 | /* Handle key usage */ | 349 | /* Handle key usage */ |
| 339 | if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) { | 350 | if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) { |
| 340 | if(usage->length > 0) { | 351 | if(usage->length > 0) { |
| @@ -426,7 +437,7 @@ static void x509v3_cache_extensions(X509 *x) | |||
| 426 | #define ns_reject(x, usage) \ | 437 | #define ns_reject(x, usage) \ |
| 427 | (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) | 438 | (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) |
| 428 | 439 | ||
| 429 | static int ca_check(const X509 *x) | 440 | static int check_ca(const X509 *x) |
| 430 | { | 441 | { |
| 431 | /* keyUsage if present should allow cert signing */ | 442 | /* keyUsage if present should allow cert signing */ |
| 432 | if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0; | 443 | if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0; |
| @@ -435,25 +446,37 @@ static int ca_check(const X509 *x) | |||
| 435 | /* If basicConstraints says not a CA then say so */ | 446 | /* If basicConstraints says not a CA then say so */ |
| 436 | else return 0; | 447 | else return 0; |
| 437 | } else { | 448 | } else { |
| 449 | /* we support V1 roots for... uh, I don't really know why. */ | ||
| 438 | if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3; | 450 | if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3; |
| 439 | /* If key usage present it must have certSign so tolerate it */ | 451 | /* If key usage present it must have certSign so tolerate it */ |
| 440 | else if (x->ex_flags & EXFLAG_KUSAGE) return 4; | 452 | else if (x->ex_flags & EXFLAG_KUSAGE) return 4; |
| 441 | else return 2; | 453 | /* Older certificates could have Netscape-specific CA types */ |
| 454 | else if (x->ex_flags & EXFLAG_NSCERT | ||
| 455 | && x->ex_nscert & NS_ANY_CA) return 5; | ||
| 456 | /* can this still be regarded a CA certificate? I doubt it */ | ||
| 457 | return 0; | ||
| 442 | } | 458 | } |
| 443 | } | 459 | } |
| 444 | 460 | ||
| 461 | int X509_check_ca(X509 *x) | ||
| 462 | { | ||
| 463 | if(!(x->ex_flags & EXFLAG_SET)) { | ||
| 464 | CRYPTO_w_lock(CRYPTO_LOCK_X509); | ||
| 465 | x509v3_cache_extensions(x); | ||
| 466 | CRYPTO_w_unlock(CRYPTO_LOCK_X509); | ||
| 467 | } | ||
| 468 | |||
| 469 | return check_ca(x); | ||
| 470 | } | ||
| 471 | |||
| 445 | /* Check SSL CA: common checks for SSL client and server */ | 472 | /* Check SSL CA: common checks for SSL client and server */ |
| 446 | static int check_ssl_ca(const X509 *x) | 473 | static int check_ssl_ca(const X509 *x) |
| 447 | { | 474 | { |
| 448 | int ca_ret; | 475 | int ca_ret; |
| 449 | ca_ret = ca_check(x); | 476 | ca_ret = check_ca(x); |
| 450 | if(!ca_ret) return 0; | 477 | if(!ca_ret) return 0; |
| 451 | /* check nsCertType if present */ | 478 | /* check nsCertType if present */ |
| 452 | if(x->ex_flags & EXFLAG_NSCERT) { | 479 | if(ca_ret != 5 || x->ex_nscert & NS_SSL_CA) return ca_ret; |
| 453 | if(x->ex_nscert & NS_SSL_CA) return ca_ret; | ||
| 454 | return 0; | ||
| 455 | } | ||
| 456 | if(ca_ret != 2) return ca_ret; | ||
| 457 | else return 0; | 480 | else return 0; |
| 458 | } | 481 | } |
| 459 | 482 | ||
| @@ -498,14 +521,10 @@ static int purpose_smime(const X509 *x, int ca) | |||
| 498 | if(xku_reject(x,XKU_SMIME)) return 0; | 521 | if(xku_reject(x,XKU_SMIME)) return 0; |
| 499 | if(ca) { | 522 | if(ca) { |
| 500 | int ca_ret; | 523 | int ca_ret; |
| 501 | ca_ret = ca_check(x); | 524 | ca_ret = check_ca(x); |
| 502 | if(!ca_ret) return 0; | 525 | if(!ca_ret) return 0; |
| 503 | /* check nsCertType if present */ | 526 | /* check nsCertType if present */ |
| 504 | if(x->ex_flags & EXFLAG_NSCERT) { | 527 | if(ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret; |
| 505 | if(x->ex_nscert & NS_SMIME_CA) return ca_ret; | ||
| 506 | return 0; | ||
| 507 | } | ||
| 508 | if(ca_ret != 2) return ca_ret; | ||
| 509 | else return 0; | 528 | else return 0; |
| 510 | } | 529 | } |
| 511 | if(x->ex_flags & EXFLAG_NSCERT) { | 530 | if(x->ex_flags & EXFLAG_NSCERT) { |
| @@ -539,7 +558,7 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca) | |||
| 539 | { | 558 | { |
| 540 | if(ca) { | 559 | if(ca) { |
| 541 | int ca_ret; | 560 | int ca_ret; |
| 542 | if((ca_ret = ca_check(x)) != 2) return ca_ret; | 561 | if((ca_ret = check_ca(x)) != 2) return ca_ret; |
| 543 | else return 0; | 562 | else return 0; |
| 544 | } | 563 | } |
| 545 | if(ku_reject(x, KU_CRL_SIGN)) return 0; | 564 | if(ku_reject(x, KU_CRL_SIGN)) return 0; |
| @@ -552,17 +571,9 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca) | |||
| 552 | 571 | ||
| 553 | static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca) | 572 | static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca) |
| 554 | { | 573 | { |
| 555 | /* Must be a valid CA */ | 574 | /* Must be a valid CA. Should we really support the "I don't know" |
| 556 | if(ca) { | 575 | value (2)? */ |
| 557 | int ca_ret; | 576 | if(ca) return check_ca(x); |
| 558 | ca_ret = ca_check(x); | ||
| 559 | if(ca_ret != 2) return ca_ret; | ||
| 560 | if(x->ex_flags & EXFLAG_NSCERT) { | ||
| 561 | if(x->ex_nscert & NS_ANY_CA) return ca_ret; | ||
| 562 | return 0; | ||
| 563 | } | ||
| 564 | return 0; | ||
| 565 | } | ||
| 566 | /* leaf certificate is checked in OCSP_verify() */ | 577 | /* leaf certificate is checked in OCSP_verify() */ |
| 567 | return 1; | 578 | return 1; |
| 568 | } | 579 | } |
| @@ -624,7 +635,13 @@ int X509_check_issued(X509 *issuer, X509 *subject) | |||
| 624 | return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH; | 635 | return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH; |
| 625 | } | 636 | } |
| 626 | } | 637 | } |
| 627 | if(ku_reject(issuer, KU_KEY_CERT_SIGN)) return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; | 638 | if(subject->ex_flags & EXFLAG_PROXY) |
| 639 | { | ||
| 640 | if(ku_reject(issuer, KU_DIGITAL_SIGNATURE)) | ||
| 641 | return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE; | ||
| 642 | } | ||
| 643 | else if(ku_reject(issuer, KU_KEY_CERT_SIGN)) | ||
| 644 | return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; | ||
| 628 | return X509_V_OK; | 645 | return X509_V_OK; |
| 629 | } | 646 | } |
| 630 | 647 | ||
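Review bot: After this change check_ca never returns 2: the else-branch that used to `return 2` now ends in `return 5` for nsCertType CAs and `return 0` otherwise, yet check_purpose_crl_sign still reads `if((ca_ret = check_ca(x)) != 2) return ca_ret; else return 0;` (now equivalent to `return check_ca(x);` with a dead else) and the rewritten ocsp_helper comment asks about an "I don't know" value (2) that can no longer occur. Since X509_check_ca is exported in this commit and hands these codes straight to callers, document the contract on check_ca rather than leaving it implicit, e.g. `/* 0 not a CA; 1 basicConstraints CA; 3 self-signed V1 root; 4 keyUsage certSign without basicConstraints; 5 nsCertType CA without basicConstraints */` (the basicConstraints branch returning 1 is above the hunk, so confirm it). Worth a second look as well: check_ssl_ca and purpose_smime now consult nsCertType only when ca_ret == 5, so a certificate with basicConstraints CA:TRUE and an nsCertType lacking the sslCA/smimeCA bit is accepted where the old code rejected it — reasonable if basicConstraints is meant to take precedence, but it is a loosening the commit message does not mention.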
diff --git a/src/lib/libcrypto/x509v3/v3err.c b/src/lib/libcrypto/x509v3/v3err.c index 6458e95bb9..2df0c3ef01 100644 --- a/src/lib/libcrypto/x509v3/v3err.c +++ b/src/lib/libcrypto/x509v3/v3err.c | |||
| @@ -1,6 +1,6 @@ | |||
| 1 | /* crypto/x509v3/v3err.c */ | 1 | /* crypto/x509v3/v3err.c */ |
| 2 | /* ==================================================================== | 2 | /* ==================================================================== |
| 3 | * Copyright (c) 1999 The OpenSSL Project. All rights reserved. | 3 | * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. |
| 4 | * | 4 | * |
| 5 | * Redistribution and use in source and binary forms, with or without | 5 | * Redistribution and use in source and binary forms, with or without |
| 6 | * modification, are permitted provided that the following conditions | 6 | * modification, are permitted provided that the following conditions |
| @@ -72,12 +72,14 @@ static ERR_STRING_DATA X509V3_str_functs[]= | |||
| 72 | {ERR_PACK(0,X509V3_F_DO_EXT_I2D,0), "DO_EXT_I2D"}, | 72 | {ERR_PACK(0,X509V3_F_DO_EXT_I2D,0), "DO_EXT_I2D"}, |
| 73 | {ERR_PACK(0,X509V3_F_HEX_TO_STRING,0), "hex_to_string"}, | 73 | {ERR_PACK(0,X509V3_F_HEX_TO_STRING,0), "hex_to_string"}, |
| 74 | {ERR_PACK(0,X509V3_F_I2S_ASN1_ENUMERATED,0), "i2s_ASN1_ENUMERATED"}, | 74 | {ERR_PACK(0,X509V3_F_I2S_ASN1_ENUMERATED,0), "i2s_ASN1_ENUMERATED"}, |
| 75 | {ERR_PACK(0,X509V3_F_I2S_ASN1_IA5STRING,0), "I2S_ASN1_IA5STRING"}, | ||
| 75 | {ERR_PACK(0,X509V3_F_I2S_ASN1_INTEGER,0), "i2s_ASN1_INTEGER"}, | 76 | {ERR_PACK(0,X509V3_F_I2S_ASN1_INTEGER,0), "i2s_ASN1_INTEGER"}, |
| 76 | {ERR_PACK(0,X509V3_F_I2V_AUTHORITY_INFO_ACCESS,0), "I2V_AUTHORITY_INFO_ACCESS"}, | 77 | {ERR_PACK(0,X509V3_F_I2V_AUTHORITY_INFO_ACCESS,0), "I2V_AUTHORITY_INFO_ACCESS"}, |
| 77 | {ERR_PACK(0,X509V3_F_NOTICE_SECTION,0), "NOTICE_SECTION"}, | 78 | {ERR_PACK(0,X509V3_F_NOTICE_SECTION,0), "NOTICE_SECTION"}, |
| 78 | {ERR_PACK(0,X509V3_F_NREF_NOS,0), "NREF_NOS"}, | 79 | {ERR_PACK(0,X509V3_F_NREF_NOS,0), "NREF_NOS"}, |
| 79 | {ERR_PACK(0,X509V3_F_POLICY_SECTION,0), "POLICY_SECTION"}, | 80 | {ERR_PACK(0,X509V3_F_POLICY_SECTION,0), "POLICY_SECTION"}, |
| 80 | {ERR_PACK(0,X509V3_F_R2I_CERTPOL,0), "R2I_CERTPOL"}, | 81 | {ERR_PACK(0,X509V3_F_R2I_CERTPOL,0), "R2I_CERTPOL"}, |
| 82 | {ERR_PACK(0,X509V3_F_R2I_PCI,0), "R2I_PCI"}, | ||
| 81 | {ERR_PACK(0,X509V3_F_S2I_ASN1_IA5STRING,0), "S2I_ASN1_IA5STRING"}, | 83 | {ERR_PACK(0,X509V3_F_S2I_ASN1_IA5STRING,0), "S2I_ASN1_IA5STRING"}, |
| 82 | {ERR_PACK(0,X509V3_F_S2I_ASN1_INTEGER,0), "s2i_ASN1_INTEGER"}, | 84 | {ERR_PACK(0,X509V3_F_S2I_ASN1_INTEGER,0), "s2i_ASN1_INTEGER"}, |
| 83 | {ERR_PACK(0,X509V3_F_S2I_ASN1_OCTET_STRING,0), "s2i_ASN1_OCTET_STRING"}, | 85 | {ERR_PACK(0,X509V3_F_S2I_ASN1_OCTET_STRING,0), "s2i_ASN1_OCTET_STRING"}, |
| @@ -128,6 +130,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]= | |||
| 128 | {X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED,"extension setting not supported"}, | 130 | {X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED,"extension setting not supported"}, |
| 129 | {X509V3_R_EXTENSION_VALUE_ERROR ,"extension value error"}, | 131 | {X509V3_R_EXTENSION_VALUE_ERROR ,"extension value error"}, |
| 130 | {X509V3_R_ILLEGAL_HEX_DIGIT ,"illegal hex digit"}, | 132 | {X509V3_R_ILLEGAL_HEX_DIGIT ,"illegal hex digit"}, |
| 133 | {X509V3_R_INCORRECT_POLICY_SYNTAX_TAG ,"incorrect policy syntax tag"}, | ||
| 131 | {X509V3_R_INVALID_BOOLEAN_STRING ,"invalid boolean string"}, | 134 | {X509V3_R_INVALID_BOOLEAN_STRING ,"invalid boolean string"}, |
| 132 | {X509V3_R_INVALID_EXTENSION_STRING ,"invalid extension string"}, | 135 | {X509V3_R_INVALID_EXTENSION_STRING ,"invalid extension string"}, |
| 133 | {X509V3_R_INVALID_NAME ,"invalid name"}, | 136 | {X509V3_R_INVALID_NAME ,"invalid name"}, |
| @@ -139,6 +142,8 @@ static ERR_STRING_DATA X509V3_str_reasons[]= | |||
| 139 | {X509V3_R_INVALID_OBJECT_IDENTIFIER ,"invalid object identifier"}, | 142 | {X509V3_R_INVALID_OBJECT_IDENTIFIER ,"invalid object identifier"}, |
| 140 | {X509V3_R_INVALID_OPTION ,"invalid option"}, | 143 | {X509V3_R_INVALID_OPTION ,"invalid option"}, |
| 141 | {X509V3_R_INVALID_POLICY_IDENTIFIER ,"invalid policy identifier"}, | 144 | {X509V3_R_INVALID_POLICY_IDENTIFIER ,"invalid policy identifier"}, |
| 145 | {X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER,"invalid proxy policy identifier"}, | ||
| 146 | {X509V3_R_INVALID_PROXY_POLICY_SETTING ,"invalid proxy policy setting"}, | ||
| 142 | {X509V3_R_INVALID_PURPOSE ,"invalid purpose"}, | 147 | {X509V3_R_INVALID_PURPOSE ,"invalid purpose"}, |
| 143 | {X509V3_R_INVALID_SECTION ,"invalid section"}, | 148 | {X509V3_R_INVALID_SECTION ,"invalid section"}, |
| 144 | {X509V3_R_INVALID_SYNTAX ,"invalid syntax"}, | 149 | {X509V3_R_INVALID_SYNTAX ,"invalid syntax"}, |
| @@ -149,9 +154,16 @@ static ERR_STRING_DATA X509V3_str_reasons[]= | |||
| 149 | {X509V3_R_NO_ISSUER_CERTIFICATE ,"no issuer certificate"}, | 154 | {X509V3_R_NO_ISSUER_CERTIFICATE ,"no issuer certificate"}, |
| 150 | {X509V3_R_NO_ISSUER_DETAILS ,"no issuer details"}, | 155 | {X509V3_R_NO_ISSUER_DETAILS ,"no issuer details"}, |
| 151 | {X509V3_R_NO_POLICY_IDENTIFIER ,"no policy identifier"}, | 156 | {X509V3_R_NO_POLICY_IDENTIFIER ,"no policy identifier"}, |
| 157 | {X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED,"no proxy cert policy language defined"}, | ||
| 152 | {X509V3_R_NO_PUBLIC_KEY ,"no public key"}, | 158 | {X509V3_R_NO_PUBLIC_KEY ,"no public key"}, |
| 153 | {X509V3_R_NO_SUBJECT_DETAILS ,"no subject details"}, | 159 | {X509V3_R_NO_SUBJECT_DETAILS ,"no subject details"}, |
| 154 | {X509V3_R_ODD_NUMBER_OF_DIGITS ,"odd number of digits"}, | 160 | {X509V3_R_ODD_NUMBER_OF_DIGITS ,"odd number of digits"}, |
| 161 | {X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED,"policy language alreadty defined"}, | ||
| 162 | {X509V3_R_POLICY_PATH_LENGTH ,"policy path length"}, | ||
| 163 | {X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED,"policy path length alreadty defined"}, | ||
| 164 | {X509V3_R_POLICY_SYNTAX_NOT ,"policy syntax not"}, | ||
| 165 | {X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED,"policy syntax not currently supported"}, | ||
| 166 | {X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY,"policy when proxy language requires no policy"}, | ||
| 155 | {X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS ,"unable to get issuer details"}, | 167 | {X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS ,"unable to get issuer details"}, |
| 156 | {X509V3_R_UNABLE_TO_GET_ISSUER_KEYID ,"unable to get issuer keyid"}, | 168 | {X509V3_R_UNABLE_TO_GET_ISSUER_KEYID ,"unable to get issuer keyid"}, |
| 157 | {X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT ,"unknown bit string argument"}, | 169 | {X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT ,"unknown bit string argument"}, |
diff --git a/src/lib/libcrypto/x509v3/x509v3.h b/src/lib/libcrypto/x509v3/x509v3.h index fb07a19016..e6d91251c2 100644 --- a/src/lib/libcrypto/x509v3/x509v3.h +++ b/src/lib/libcrypto/x509v3/x509v3.h | |||
| @@ -287,6 +287,23 @@ typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES; | |||
| 287 | DECLARE_STACK_OF(POLICYINFO) | 287 | DECLARE_STACK_OF(POLICYINFO) |
| 288 | DECLARE_ASN1_SET_OF(POLICYINFO) | 288 | DECLARE_ASN1_SET_OF(POLICYINFO) |
| 289 | 289 | ||
| 290 | /* Proxy certificate structures, see RFC 3820 */ | ||
| 291 | typedef struct PROXY_POLICY_st | ||
| 292 | { | ||
| 293 | ASN1_OBJECT *policyLanguage; | ||
| 294 | ASN1_OCTET_STRING *policy; | ||
| 295 | } PROXY_POLICY; | ||
| 296 | |||
| 297 | typedef struct PROXY_CERT_INFO_EXTENSION_st | ||
| 298 | { | ||
| 299 | ASN1_INTEGER *pcPathLengthConstraint; | ||
| 300 | PROXY_POLICY *proxyPolicy; | ||
| 301 | } PROXY_CERT_INFO_EXTENSION; | ||
| 302 | |||
| 303 | DECLARE_ASN1_FUNCTIONS(PROXY_POLICY) | ||
| 304 | DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION) | ||
| 305 | |||
| 306 | |||
| 290 | #define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \ | 307 | #define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \ |
| 291 | ",name:", val->name, ",value:", val->value); | 308 | ",name:", val->name, ",value:", val->value); |
| 292 | 309 | ||
| @@ -325,6 +342,7 @@ DECLARE_ASN1_SET_OF(POLICYINFO) | |||
| 325 | #define EXFLAG_INVALID 0x80 | 342 | #define EXFLAG_INVALID 0x80 |
| 326 | #define EXFLAG_SET 0x100 | 343 | #define EXFLAG_SET 0x100 |
| 327 | #define EXFLAG_CRITICAL 0x200 | 344 | #define EXFLAG_CRITICAL 0x200 |
| 345 | #define EXFLAG_PROXY 0x400 | ||
| 328 | 346 | ||
| 329 | #define KU_DIGITAL_SIGNATURE 0x0080 | 347 | #define KU_DIGITAL_SIGNATURE 0x0080 |
| 330 | #define KU_NON_REPUDIATION 0x0040 | 348 | #define KU_NON_REPUDIATION 0x0040 |
| @@ -527,6 +545,7 @@ int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent); | |||
| 527 | 545 | ||
| 528 | int X509V3_extensions_print(BIO *out, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent); | 546 | int X509V3_extensions_print(BIO *out, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent); |
| 529 | 547 | ||
| 548 | int X509_check_ca(X509 *x); | ||
| 530 | int X509_check_purpose(X509 *x, int id, int ca); | 549 | int X509_check_purpose(X509 *x, int id, int ca); |
| 531 | int X509_supported_extension(X509_EXTENSION *ex); | 550 | int X509_supported_extension(X509_EXTENSION *ex); |
| 532 | int X509_PURPOSE_set(int *p, int purpose); | 551 | int X509_PURPOSE_set(int *p, int purpose); |
| @@ -564,12 +583,14 @@ void ERR_load_X509V3_strings(void); | |||
| 564 | #define X509V3_F_DO_EXT_I2D 135 | 583 | #define X509V3_F_DO_EXT_I2D 135 |
| 565 | #define X509V3_F_HEX_TO_STRING 111 | 584 | #define X509V3_F_HEX_TO_STRING 111 |
| 566 | #define X509V3_F_I2S_ASN1_ENUMERATED 121 | 585 | #define X509V3_F_I2S_ASN1_ENUMERATED 121 |
| 586 | #define X509V3_F_I2S_ASN1_IA5STRING 142 | ||
| 567 | #define X509V3_F_I2S_ASN1_INTEGER 120 | 587 | #define X509V3_F_I2S_ASN1_INTEGER 120 |
| 568 | #define X509V3_F_I2V_AUTHORITY_INFO_ACCESS 138 | 588 | #define X509V3_F_I2V_AUTHORITY_INFO_ACCESS 138 |
| 569 | #define X509V3_F_NOTICE_SECTION 132 | 589 | #define X509V3_F_NOTICE_SECTION 132 |
| 570 | #define X509V3_F_NREF_NOS 133 | 590 | #define X509V3_F_NREF_NOS 133 |
| 571 | #define X509V3_F_POLICY_SECTION 131 | 591 | #define X509V3_F_POLICY_SECTION 131 |
| 572 | #define X509V3_F_R2I_CERTPOL 130 | 592 | #define X509V3_F_R2I_CERTPOL 130 |
| 593 | #define X509V3_F_R2I_PCI 142 | ||
| 573 | #define X509V3_F_S2I_ASN1_IA5STRING 100 | 594 | #define X509V3_F_S2I_ASN1_IA5STRING 100 |
| 574 | #define X509V3_F_S2I_ASN1_INTEGER 108 | 595 | #define X509V3_F_S2I_ASN1_INTEGER 108 |
| 575 | #define X509V3_F_S2I_ASN1_OCTET_STRING 112 | 596 | #define X509V3_F_S2I_ASN1_OCTET_STRING 112 |
| @@ -617,6 +638,7 @@ void ERR_load_X509V3_strings(void); | |||
| 617 | #define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 103 | 638 | #define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 103 |
| 618 | #define X509V3_R_EXTENSION_VALUE_ERROR 116 | 639 | #define X509V3_R_EXTENSION_VALUE_ERROR 116 |
| 619 | #define X509V3_R_ILLEGAL_HEX_DIGIT 113 | 640 | #define X509V3_R_ILLEGAL_HEX_DIGIT 113 |
| 641 | #define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 153 | ||
| 620 | #define X509V3_R_INVALID_BOOLEAN_STRING 104 | 642 | #define X509V3_R_INVALID_BOOLEAN_STRING 104 |
| 621 | #define X509V3_R_INVALID_EXTENSION_STRING 105 | 643 | #define X509V3_R_INVALID_EXTENSION_STRING 105 |
| 622 | #define X509V3_R_INVALID_NAME 106 | 644 | #define X509V3_R_INVALID_NAME 106 |
| @@ -628,6 +650,8 @@ void ERR_load_X509V3_strings(void); | |||
| 628 | #define X509V3_R_INVALID_OBJECT_IDENTIFIER 110 | 650 | #define X509V3_R_INVALID_OBJECT_IDENTIFIER 110 |
| 629 | #define X509V3_R_INVALID_OPTION 138 | 651 | #define X509V3_R_INVALID_OPTION 138 |
| 630 | #define X509V3_R_INVALID_POLICY_IDENTIFIER 134 | 652 | #define X509V3_R_INVALID_POLICY_IDENTIFIER 134 |
| 653 | #define X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER 147 | ||
| 654 | #define X509V3_R_INVALID_PROXY_POLICY_SETTING 151 | ||
| 631 | #define X509V3_R_INVALID_PURPOSE 146 | 655 | #define X509V3_R_INVALID_PURPOSE 146 |
| 632 | #define X509V3_R_INVALID_SECTION 135 | 656 | #define X509V3_R_INVALID_SECTION 135 |
| 633 | #define X509V3_R_INVALID_SYNTAX 143 | 657 | #define X509V3_R_INVALID_SYNTAX 143 |
| @@ -638,9 +662,16 @@ void ERR_load_X509V3_strings(void); | |||
| 638 | #define X509V3_R_NO_ISSUER_CERTIFICATE 121 | 662 | #define X509V3_R_NO_ISSUER_CERTIFICATE 121 |
| 639 | #define X509V3_R_NO_ISSUER_DETAILS 127 | 663 | #define X509V3_R_NO_ISSUER_DETAILS 127 |
| 640 | #define X509V3_R_NO_POLICY_IDENTIFIER 139 | 664 | #define X509V3_R_NO_POLICY_IDENTIFIER 139 |
| 665 | #define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 148 | ||
| 641 | #define X509V3_R_NO_PUBLIC_KEY 114 | 666 | #define X509V3_R_NO_PUBLIC_KEY 114 |
| 642 | #define X509V3_R_NO_SUBJECT_DETAILS 125 | 667 | #define X509V3_R_NO_SUBJECT_DETAILS 125 |
| 643 | #define X509V3_R_ODD_NUMBER_OF_DIGITS 112 | 668 | #define X509V3_R_ODD_NUMBER_OF_DIGITS 112 |
| 669 | #define X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED 149 | ||
| 670 | #define X509V3_R_POLICY_PATH_LENGTH 152 | ||
| 671 | #define X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED 150 | ||
| 672 | #define X509V3_R_POLICY_SYNTAX_NOT 154 | ||
| 673 | #define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED 155 | ||
| 674 | #define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 156 | ||
| 644 | #define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 122 | 675 | #define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 122 |
| 645 | #define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 123 | 676 | #define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 123 |
| 646 | #define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 111 | 677 | #define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 111 |
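Review bot: X509V3_F_I2S_ASN1_IA5STRING and X509V3_F_R2I_PCI are both defined as 142 in this hunk, so the two new X509V3_str_functs entries in v3err.c pack to the same error code and one shadows the other: a failure raised in R2I_PCI, or in the new malloc-failure path of i2s_ASN1_IA5STRING, is printed under whichever function name wins the string-table load. Keep one at 142 and give the other the next unused X509V3_F_ code taken from the full list (the header's highest function code is not in this hunk). The reason codes added here (147–156) do not collide with any visible X509V3_R_ value, but the same check is worth running against the rest of the list.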
