Diffstat (limited to '')
-rw-r--r--src/lib/libcrypto/x509/by_dir.c482
-rw-r--r--src/lib/libcrypto/x509/by_file.c300
-rw-r--r--src/lib/libcrypto/x509/x509.h1297
-rw-r--r--src/lib/libcrypto/x509/x509_att.c359
-rw-r--r--src/lib/libcrypto/x509/x509_cmp.c344
-rw-r--r--src/lib/libcrypto/x509/x509_d2.c107
-rw-r--r--src/lib/libcrypto/x509/x509_def.c81
-rw-r--r--src/lib/libcrypto/x509/x509_err.c164
-rw-r--r--src/lib/libcrypto/x509/x509_ext.c210
-rw-r--r--src/lib/libcrypto/x509/x509_lu.c716
-rw-r--r--src/lib/libcrypto/x509/x509_obj.c226
-rw-r--r--src/lib/libcrypto/x509/x509_r2x.c114
-rw-r--r--src/lib/libcrypto/x509/x509_req.c316
-rw-r--r--src/lib/libcrypto/x509/x509_set.c150
-rw-r--r--src/lib/libcrypto/x509/x509_trs.c288
-rw-r--r--src/lib/libcrypto/x509/x509_txt.c193
-rw-r--r--src/lib/libcrypto/x509/x509_v3.c274
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c2214
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.h567
-rw-r--r--src/lib/libcrypto/x509/x509_vpm.c438
-rw-r--r--src/lib/libcrypto/x509/x509cset.c170
-rw-r--r--src/lib/libcrypto/x509/x509name.c383
-rw-r--r--src/lib/libcrypto/x509/x509rset.c83
-rw-r--r--src/lib/libcrypto/x509/x509spki.c121
-rw-r--r--src/lib/libcrypto/x509/x509type.c131
-rw-r--r--src/lib/libcrypto/x509/x_all.c535
-rw-r--r--src/lib/libcrypto/x509v3/ext_dat.h132
-rw-r--r--src/lib/libcrypto/x509v3/pcy_cache.c286
-rw-r--r--src/lib/libcrypto/x509v3/pcy_data.c135
-rw-r--r--src/lib/libcrypto/x509v3/pcy_int.h212
-rw-r--r--src/lib/libcrypto/x509v3/pcy_lib.c167
-rw-r--r--src/lib/libcrypto/x509v3/pcy_map.c132
-rw-r--r--src/lib/libcrypto/x509v3/pcy_node.c197
-rw-r--r--src/lib/libcrypto/x509v3/pcy_tree.c872
-rw-r--r--src/lib/libcrypto/x509v3/v3_akey.c208
-rw-r--r--src/lib/libcrypto/x509v3/v3_akeya.c72
-rw-r--r--src/lib/libcrypto/x509v3/v3_alt.c614
-rw-r--r--src/lib/libcrypto/x509v3/v3_bcons.c124
-rw-r--r--src/lib/libcrypto/x509v3/v3_bitst.c141
-rw-r--r--src/lib/libcrypto/x509v3/v3_conf.c525
-rw-r--r--src/lib/libcrypto/x509v3/v3_cpols.c457
-rw-r--r--src/lib/libcrypto/x509v3/v3_crld.c616
-rw-r--r--src/lib/libcrypto/x509v3/v3_enum.c97
-rw-r--r--src/lib/libcrypto/x509v3/v3_extku.c144
-rw-r--r--src/lib/libcrypto/x509v3/v3_genn.c252
-rw-r--r--src/lib/libcrypto/x509v3/v3_ia5.c116
-rw-r--r--src/lib/libcrypto/x509v3/v3_info.c193
-rw-r--r--src/lib/libcrypto/x509v3/v3_int.c89
-rw-r--r--src/lib/libcrypto/x509v3/v3_lib.c309
-rw-r--r--src/lib/libcrypto/x509v3/v3_ncons.c505
-rw-r--r--src/lib/libcrypto/x509v3/v3_ocsp.c289
-rw-r--r--src/lib/libcrypto/x509v3/v3_pci.c328
-rw-r--r--src/lib/libcrypto/x509v3/v3_pcia.c55
-rw-r--r--src/lib/libcrypto/x509v3/v3_pcons.c140
-rw-r--r--src/lib/libcrypto/x509v3/v3_pku.c108
-rw-r--r--src/lib/libcrypto/x509v3/v3_pmaps.c155
-rw-r--r--src/lib/libcrypto/x509v3/v3_prn.c234
-rw-r--r--src/lib/libcrypto/x509v3/v3_purp.c767
-rw-r--r--src/lib/libcrypto/x509v3/v3_skey.c145
-rw-r--r--src/lib/libcrypto/x509v3/v3_sxnet.c262
-rw-r--r--src/lib/libcrypto/x509v3/v3_utl.c874
-rw-r--r--src/lib/libcrypto/x509v3/v3err.c226
-rw-r--r--src/lib/libcrypto/x509v3/x509v3.h1007
63 files changed, 0 insertions, 21448 deletions
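diff --git a/src/lib/libcrypto/x509/by_dir.c b/src/lib/libcrypto/x509/by_dir.c
deleted file mode 100644
index 27ca5150c1..0000000000
--- a/src/lib/libcrypto/x509/by_dir.c
+++ /dev/null
@@ -1,482 +0,0 @@
-/* crypto/x509/by_dir.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <time.h>
-#include <errno.h>
-
-#include "cryptlib.h"
-
-#ifndef NO_SYS_TYPES_H
-# include <sys/types.h>
-#endif
-#ifndef OPENSSL_NO_POSIX_IO
-# include <sys/stat.h>
-#endif
-
-#include <openssl/lhash.h>
-#include <openssl/x509.h>
-
-
-typedef struct lookup_dir_hashes_st
- {
- unsigned long hash;
- int suffix;
- } BY_DIR_HASH;
-
-typedef struct lookup_dir_entry_st
- {
- char *dir;
- int dir_type;
- STACK_OF(BY_DIR_HASH) *hashes;
- } BY_DIR_ENTRY;
-
-typedef struct lookup_dir_st
- {
- BUF_MEM *buffer;
- STACK_OF(BY_DIR_ENTRY) *dirs;
- } BY_DIR;
-
-DECLARE_STACK_OF(BY_DIR_HASH)
-DECLARE_STACK_OF(BY_DIR_ENTRY)
-
-static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
- char **ret);
-static int new_dir(X509_LOOKUP *lu);
-static void free_dir(X509_LOOKUP *lu);
-static int add_cert_dir(BY_DIR *ctx,const char *dir,int type);
-static int get_cert_by_subject(X509_LOOKUP *xl,int type,X509_NAME *name,
- X509_OBJECT *ret);
-X509_LOOKUP_METHOD x509_dir_lookup=
- {
- "Load certs from files in a directory",
- new_dir, /* new */
- free_dir, /* free */
- NULL, /* init */
- NULL, /* shutdown */
- dir_ctrl, /* ctrl */
- get_cert_by_subject, /* get_by_subject */
- NULL, /* get_by_issuer_serial */
- NULL, /* get_by_fingerprint */
- NULL, /* get_by_alias */
- };
-
-X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void)
- {
- return(&x509_dir_lookup);
- }
-
-static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
- char **retp)
- {
- int ret=0;
- BY_DIR *ld;
- char *dir = NULL;
-
- ld=(BY_DIR *)ctx->method_data;
-
- switch (cmd)
- {
- case X509_L_ADD_DIR:
- if (argl == X509_FILETYPE_DEFAULT)
- {
- dir=(char *)getenv(X509_get_default_cert_dir_env());
- if (dir)
- ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);
- else
- ret=add_cert_dir(ld,X509_get_default_cert_dir(),
- X509_FILETYPE_PEM);
- if (!ret)
- {
- X509err(X509_F_DIR_CTRL,X509_R_LOADING_CERT_DIR);
- }
- }
- else
- ret=add_cert_dir(ld,argp,(int)argl);
- break;
- }
- return(ret);
- }
-
-static int new_dir(X509_LOOKUP *lu)
- {
- BY_DIR *a;
-
- if ((a=(BY_DIR *)OPENSSL_malloc(sizeof(BY_DIR))) == NULL)
- return(0);
- if ((a->buffer=BUF_MEM_new()) == NULL)
- {
- OPENSSL_free(a);
- return(0);
- }
- a->dirs=NULL;
- lu->method_data=(char *)a;
- return(1);
- }
-
-static void by_dir_hash_free(BY_DIR_HASH *hash)
- {
- OPENSSL_free(hash);
- }
-
-static int by_dir_hash_cmp(const BY_DIR_HASH * const *a,
- const BY_DIR_HASH * const *b)
- {
- if ((*a)->hash > (*b)->hash)
- return 1;
- if ((*a)->hash < (*b)->hash)
- return -1;
- return 0;
- }
-
-static void by_dir_entry_free(BY_DIR_ENTRY *ent)
- {
- if (ent->dir)
- OPENSSL_free(ent->dir);
- if (ent->hashes)
- sk_BY_DIR_HASH_pop_free(ent->hashes, by_dir_hash_free);
- OPENSSL_free(ent);
- }
-
-static void free_dir(X509_LOOKUP *lu)
- {
- BY_DIR *a;
-
- a=(BY_DIR *)lu->method_data;
- if (a->dirs != NULL)
- sk_BY_DIR_ENTRY_pop_free(a->dirs, by_dir_entry_free);
- if (a->buffer != NULL)
- BUF_MEM_free(a->buffer);
- OPENSSL_free(a);
- }
-
-static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
- {
- int j,len;
- const char *s,*ss,*p;
-
- if (dir == NULL || !*dir)
- {
- X509err(X509_F_ADD_CERT_DIR,X509_R_INVALID_DIRECTORY);
- return 0;
- }
-
- s=dir;
- p=s;
- for (;;p++)
- {
- if ((*p == LIST_SEPARATOR_CHAR) || (*p == '\0'))
- {
- BY_DIR_ENTRY *ent;
- ss=s;
- s=p+1;
- len=(int)(p-ss);
- if (len == 0) continue;
- for (j=0; j < sk_BY_DIR_ENTRY_num(ctx->dirs); j++)
- {
- ent = sk_BY_DIR_ENTRY_value(ctx->dirs, j);
- if (strlen(ent->dir) == (size_t)len &&
- strncmp(ent->dir,ss,(unsigned int)len) == 0)
- break;
- }
- if (j < sk_BY_DIR_ENTRY_num(ctx->dirs))
- continue;
- if (ctx->dirs == NULL)
- {
- ctx->dirs = sk_BY_DIR_ENTRY_new_null();
- if (!ctx->dirs)
- {
- X509err(X509_F_ADD_CERT_DIR,ERR_R_MALLOC_FAILURE);
- return 0;
- }
- }
- ent = OPENSSL_malloc(sizeof(BY_DIR_ENTRY));
- if (!ent)
- return 0;
- ent->dir_type = type;
- ent->hashes = sk_BY_DIR_HASH_new(by_dir_hash_cmp);
- ent->dir = OPENSSL_malloc((unsigned int)len+1);
- if (!ent->dir || !ent->hashes)
- {
- by_dir_entry_free(ent);
- return 0;
- }
- strncpy(ent->dir,ss,(unsigned int)len);
- ent->dir[len] = '\0';
- if (!sk_BY_DIR_ENTRY_push(ctx->dirs, ent))
- {
- by_dir_entry_free(ent);
- return 0;
- }
- }
- if (*p == '\0')
- break;
- }
- return 1;
- }
-
-static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
- X509_OBJECT *ret)
- {
- BY_DIR *ctx;
- union {
- struct {
- X509 st_x509;
- X509_CINF st_x509_cinf;
- } x509;
- struct {
- X509_CRL st_crl;
- X509_CRL_INFO st_crl_info;
- } crl;
- } data;
- int ok=0;
- int i,j,k;
- unsigned long h;
- BUF_MEM *b=NULL;
- X509_OBJECT stmp,*tmp;
- const char *postfix="";
-
- if (name == NULL) return(0);
-
- stmp.type=type;
- if (type == X509_LU_X509)
- {
- data.x509.st_x509.cert_info= &data.x509.st_x509_cinf;
- data.x509.st_x509_cinf.subject=name;
- stmp.data.x509= &data.x509.st_x509;
- postfix="";
- }
- else if (type == X509_LU_CRL)
- {
- data.crl.st_crl.crl= &data.crl.st_crl_info;
- data.crl.st_crl_info.issuer=name;
- stmp.data.crl= &data.crl.st_crl;
- postfix="r";
- }
- else
- {
- X509err(X509_F_GET_CERT_BY_SUBJECT,X509_R_WRONG_LOOKUP_TYPE);
- goto finish;
- }
-
- if ((b=BUF_MEM_new()) == NULL)
- {
- X509err(X509_F_GET_CERT_BY_SUBJECT,ERR_R_BUF_LIB);
- goto finish;
- }
-
- ctx=(BY_DIR *)xl->method_data;
-
- h=X509_NAME_hash(name);
- for (i=0; i < sk_BY_DIR_ENTRY_num(ctx->dirs); i++)
- {
- BY_DIR_ENTRY *ent;
- int idx;
- BY_DIR_HASH htmp, *hent;
- ent = sk_BY_DIR_ENTRY_value(ctx->dirs, i);
- j=strlen(ent->dir)+1+8+6+1+1;
- if (!BUF_MEM_grow(b,j))
- {
- X509err(X509_F_GET_CERT_BY_SUBJECT,ERR_R_MALLOC_FAILURE);
- goto finish;
- }
- if (type == X509_LU_CRL && ent->hashes)
- {
- htmp.hash = h;
- CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE);
- idx = sk_BY_DIR_HASH_find(ent->hashes, &htmp);
- if (idx >= 0)
- {
- hent = sk_BY_DIR_HASH_value(ent->hashes, idx);
- k = hent->suffix;
- }
- else
- {
- hent = NULL;
- k=0;
- }
- CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE);
- }
- else
- {
- k = 0;
- hent = NULL;
- }
- for (;;)
- {
- char c = '/';
-#ifdef OPENSSL_SYS_VMS
- c = ent->dir[strlen(ent->dir)-1];
- if (c != ':' && c != '>' && c != ']')
- {
- /* If no separator is present, we assume the
- directory specifier is a logical name, and
- add a colon. We really should use better
- VMS routines for merging things like this,
- but this will do for now...
- -- Richard Levitte */
- c = ':';
- }
- else
- {
- c = '\0';
- }
-#endif
- if (c == '\0')
- {
- /* This is special. When c == '\0', no
- directory separator should be added. */
- BIO_snprintf(b->data,b->max,
- "%s%08lx.%s%d",ent->dir,h,
- postfix,k);
- }
- else
- {
- BIO_snprintf(b->data,b->max,
- "%s%c%08lx.%s%d",ent->dir,c,h,
- postfix,k);
- }
-#ifndef OPENSSL_NO_POSIX_IO
-#ifdef _WIN32
-#define stat _stat
-#endif
- {
- struct stat st;
- if (stat(b->data,&st) < 0)
- break;
- }
-#endif
- /* found one. */
- if (type == X509_LU_X509)
- {
- if ((X509_load_cert_file(xl,b->data,
- ent->dir_type)) == 0)
- break;
- }
- else if (type == X509_LU_CRL)
- {
- if ((X509_load_crl_file(xl,b->data,
- ent->dir_type)) == 0)
- break;
- }
- /* else case will caught higher up */
- k++;
- }
-
- /* we have added it to the cache so now pull
- * it out again */
- CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
- j = sk_X509_OBJECT_find(xl->store_ctx->objs,&stmp);
- if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,j);
- else tmp = NULL;
- CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
-
-
- /* If a CRL, update the last file suffix added for this */
-
- if (type == X509_LU_CRL)
- {
- CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
- /* Look for entry again in case another thread added
- * an entry first.
- */
- if (!hent)
- {
- htmp.hash = h;
- idx = sk_BY_DIR_HASH_find(ent->hashes, &htmp);
- if (idx >= 0)
- hent =
- sk_BY_DIR_HASH_value(ent->hashes, idx);
- }
- if (!hent)
- {
- hent = OPENSSL_malloc(sizeof(BY_DIR_HASH));
- hent->hash = h;
- hent->suffix = k;
- if (!sk_BY_DIR_HASH_push(ent->hashes, hent))
- {
- CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
- OPENSSL_free(hent);
- ok = 0;
- goto finish;
- }
- }
- else if (hent->suffix < k)
- hent->suffix = k;
-
- CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
-
- }
-
- if (tmp != NULL)
- {
- ok=1;
- ret->type=tmp->type;
- memcpy(&ret->data,&tmp->data,sizeof(ret->data));
- /* If we were going to up the reference count,
- * we would need to do it on a perl 'type'
- * basis */
- /* CRYPTO_add(&tmp->data.x509->references,1,
- CRYPTO_LOCK_X509);*/
- goto finish;
- }
- }
-finish:
- if (b != NULL) BUF_MEM_free(b);
- return(ok);
- }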
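diff --git a/src/lib/libcrypto/x509/by_file.c b/src/lib/libcrypto/x509/by_file.c
deleted file mode 100644
index 57b08ee094..0000000000
--- a/src/lib/libcrypto/x509/by_file.c
+++ /dev/null
@@ -1,300 +0,0 @@
-/* crypto/x509/by_file.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <time.h>
-#include <errno.h>
-
-#include "cryptlib.h"
-#include <openssl/lhash.h>
-#include <openssl/buffer.h>
-#include <openssl/x509.h>
-#include <openssl/pem.h>
-
-#ifndef OPENSSL_NO_STDIO
-
-static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
- long argl, char **ret);
-X509_LOOKUP_METHOD x509_file_lookup=
- {
- "Load file into cache",
- NULL, /* new */
- NULL, /* free */
- NULL, /* init */
- NULL, /* shutdown */
- by_file_ctrl, /* ctrl */
- NULL, /* get_by_subject */
- NULL, /* get_by_issuer_serial */
- NULL, /* get_by_fingerprint */
- NULL, /* get_by_alias */
- };
-
-X509_LOOKUP_METHOD *X509_LOOKUP_file(void)
- {
- return(&x509_file_lookup);
- }
-
-static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
- char **ret)
- {
- int ok=0;
- char *file;
-
- switch (cmd)
- {
- case X509_L_FILE_LOAD:
- if (argl == X509_FILETYPE_DEFAULT)
- {
- file = (char *)getenv(X509_get_default_cert_file_env());
- if (file)
- ok = (X509_load_cert_crl_file(ctx,file,
- X509_FILETYPE_PEM) != 0);
-
- else
- ok = (X509_load_cert_crl_file(ctx,X509_get_default_cert_file(),
- X509_FILETYPE_PEM) != 0);
-
- if (!ok)
- {
- X509err(X509_F_BY_FILE_CTRL,X509_R_LOADING_DEFAULTS);
- }
- }
- else
- {
- if(argl == X509_FILETYPE_PEM)
- ok = (X509_load_cert_crl_file(ctx,argp,
- X509_FILETYPE_PEM) != 0);
- else
- ok = (X509_load_cert_file(ctx,argp,(int)argl) != 0);
- }
- break;
- }
- return(ok);
- }
-
-int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type)
- {
- int ret=0;
- BIO *in=NULL;
- int i,count=0;
- X509 *x=NULL;
-
- if (file == NULL) return(1);
- in=BIO_new(BIO_s_file_internal());
-
- if ((in == NULL) || (BIO_read_filename(in,file) <= 0))
- {
- X509err(X509_F_X509_LOAD_CERT_FILE,ERR_R_SYS_LIB);
- goto err;
- }
-
- if (type == X509_FILETYPE_PEM)
- {
- for (;;)
- {
- x=PEM_read_bio_X509_AUX(in,NULL,NULL,NULL);
- if (x == NULL)
- {
- if ((ERR_GET_REASON(ERR_peek_last_error()) ==
- PEM_R_NO_START_LINE) && (count > 0))
- {
- ERR_clear_error();
- break;
- }
- else
- {
- X509err(X509_F_X509_LOAD_CERT_FILE,
- ERR_R_PEM_LIB);
- goto err;
- }
- }
- i=X509_STORE_add_cert(ctx->store_ctx,x);
- if (!i) goto err;
- count++;
- X509_free(x);
- x=NULL;
- }
- ret=count;
- }
- else if (type == X509_FILETYPE_ASN1)
- {
- x=d2i_X509_bio(in,NULL);
- if (x == NULL)
- {
- X509err(X509_F_X509_LOAD_CERT_FILE,ERR_R_ASN1_LIB);
- goto err;
- }
- i=X509_STORE_add_cert(ctx->store_ctx,x);
- if (!i) goto err;
- ret=i;
- }
- else
- {
- X509err(X509_F_X509_LOAD_CERT_FILE,X509_R_BAD_X509_FILETYPE);
- goto err;
- }
-err:
- if (x != NULL) X509_free(x);
- if (in != NULL) BIO_free(in);
- return(ret);
- }
-
-int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type)
- {
- int ret=0;
- BIO *in=NULL;
- int i,count=0;
- X509_CRL *x=NULL;
-
- if (file == NULL) return(1);
- in=BIO_new(BIO_s_file_internal());
-
- if ((in == NULL) || (BIO_read_filename(in,file) <= 0))
- {
- X509err(X509_F_X509_LOAD_CRL_FILE,ERR_R_SYS_LIB);
- goto err;
- }
-
- if (type == X509_FILETYPE_PEM)
- {
- for (;;)
- {
- x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
- if (x == NULL)
- {
- if ((ERR_GET_REASON(ERR_peek_last_error()) ==
- PEM_R_NO_START_LINE) && (count > 0))
- {
- ERR_clear_error();
- break;
- }
- else
- {
- X509err(X509_F_X509_LOAD_CRL_FILE,
- ERR_R_PEM_LIB);
- goto err;
- }
- }
- i=X509_STORE_add_crl(ctx->store_ctx,x);
- if (!i) goto err;
- count++;
- X509_CRL_free(x);
- x=NULL;
- }
- ret=count;
- }
- else if (type == X509_FILETYPE_ASN1)
- {
- x=d2i_X509_CRL_bio(in,NULL);
- if (x == NULL)
- {
- X509err(X509_F_X509_LOAD_CRL_FILE,ERR_R_ASN1_LIB);
- goto err;
- }
- i=X509_STORE_add_crl(ctx->store_ctx,x);
- if (!i) goto err;
- ret=i;
- }
- else
- {
- X509err(X509_F_X509_LOAD_CRL_FILE,X509_R_BAD_X509_FILETYPE);
- goto err;
- }
-err:
- if (x != NULL) X509_CRL_free(x);
- if (in != NULL) BIO_free(in);
- return(ret);
- }
-
-int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type)
-{
- STACK_OF(X509_INFO) *inf;
- X509_INFO *itmp;
- BIO *in;
- int i, count = 0;
- if(type != X509_FILETYPE_PEM)
- return X509_load_cert_file(ctx, file, type);
- in = BIO_new_file(file, "r");
- if(!in) {
- X509err(X509_F_X509_LOAD_CERT_CRL_FILE,ERR_R_SYS_LIB);
- return 0;
- }
- inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
- BIO_free(in);
- if(!inf) {
- X509err(X509_F_X509_LOAD_CERT_CRL_FILE,ERR_R_PEM_LIB);
- return 0;
- }
- for(i = 0; i < sk_X509_INFO_num(inf); i++) {
- itmp = sk_X509_INFO_value(inf, i);
- if(itmp->x509) {
- X509_STORE_add_cert(ctx->store_ctx, itmp->x509);
- count++;
- }
- if(itmp->crl) {
- X509_STORE_add_crl(ctx->store_ctx, itmp->crl);
- count++;
- }
- }
- sk_X509_INFO_pop_free(inf, X509_INFO_free);
- return count;
-}
-
-
-#endif /* OPENSSL_NO_STDIO */
-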
diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
deleted file mode 100644
index 092dd7450d..0000000000
--- a/src/lib/libcrypto/x509/x509.h
+++ /dev/null
@@ -1,1297 +0,0 @@
1/* crypto/x509/x509.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
60 * ECDH support in OpenSSL originally developed by
61 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
62 */
63
64#ifndef HEADER_X509_H
65#define HEADER_X509_H
66
67#include <openssl/e_os2.h>
68#include <openssl/symhacks.h>
69#ifndef OPENSSL_NO_BUFFER
70#include <openssl/buffer.h>
71#endif
72#ifndef OPENSSL_NO_EVP
73#include <openssl/evp.h>
74#endif
75#ifndef OPENSSL_NO_BIO
76#include <openssl/bio.h>
77#endif
78#include <openssl/stack.h>
79#include <openssl/asn1.h>
80#include <openssl/safestack.h>
81
82#ifndef OPENSSL_NO_EC
83#include <openssl/ec.h>
84#endif
85
86#ifndef OPENSSL_NO_ECDSA
87#include <openssl/ecdsa.h>
88#endif
89
90#ifndef OPENSSL_NO_ECDH
91#include <openssl/ecdh.h>
92#endif
93
94#ifndef OPENSSL_NO_DEPRECATED
95#ifndef OPENSSL_NO_RSA
96#include <openssl/rsa.h>
97#endif
98#ifndef OPENSSL_NO_DSA
99#include <openssl/dsa.h>
100#endif
101#ifndef OPENSSL_NO_DH
102#include <openssl/dh.h>
103#endif
104#endif
105
106#ifndef OPENSSL_NO_SHA
107#include <openssl/sha.h>
108#endif
109#include <openssl/ossl_typ.h>
110
111#ifdef __cplusplus
112extern "C" {
113#endif
114
115#ifdef OPENSSL_SYS_WIN32
116/* Under Win32 these are defined in wincrypt.h */
117#undef X509_NAME
118#undef X509_CERT_PAIR
119#undef X509_EXTENSIONS
120#endif
121
122#define X509_FILETYPE_PEM 1
123#define X509_FILETYPE_ASN1 2
124#define X509_FILETYPE_DEFAULT 3
125
126#define X509v3_KU_DIGITAL_SIGNATURE 0x0080
127#define X509v3_KU_NON_REPUDIATION 0x0040
128#define X509v3_KU_KEY_ENCIPHERMENT 0x0020
129#define X509v3_KU_DATA_ENCIPHERMENT 0x0010
130#define X509v3_KU_KEY_AGREEMENT 0x0008
131#define X509v3_KU_KEY_CERT_SIGN 0x0004
132#define X509v3_KU_CRL_SIGN 0x0002
133#define X509v3_KU_ENCIPHER_ONLY 0x0001
134#define X509v3_KU_DECIPHER_ONLY 0x8000
135#define X509v3_KU_UNDEF 0xffff
136
137typedef struct X509_objects_st
138 {
139 int nid;
140 int (*a2i)(void);
141 int (*i2a)(void);
142 } X509_OBJECTS;
143
144struct X509_algor_st
145 {
146 ASN1_OBJECT *algorithm;
147 ASN1_TYPE *parameter;
148 } /* X509_ALGOR */;
149
150DECLARE_ASN1_SET_OF(X509_ALGOR)
151
152typedef STACK_OF(X509_ALGOR) X509_ALGORS;
153
154typedef struct X509_val_st
155 {
156 ASN1_TIME *notBefore;
157 ASN1_TIME *notAfter;
158 } X509_VAL;
159
160struct X509_pubkey_st
161 {
162 X509_ALGOR *algor;
163 ASN1_BIT_STRING *public_key;
164 EVP_PKEY *pkey;
165 };
166
167typedef struct X509_sig_st
168 {
169 X509_ALGOR *algor;
170 ASN1_OCTET_STRING *digest;
171 } X509_SIG;
172
173typedef struct X509_name_entry_st
174 {
175 ASN1_OBJECT *object;
176 ASN1_STRING *value;
177 int set;
178 int size; /* temp variable */
179 } X509_NAME_ENTRY;
180
181DECLARE_STACK_OF(X509_NAME_ENTRY)
182DECLARE_ASN1_SET_OF(X509_NAME_ENTRY)
183
184/* we always keep X509_NAMEs in 2 forms. */
185struct X509_name_st
186 {
187 STACK_OF(X509_NAME_ENTRY) *entries;
188 int modified; /* true if 'bytes' needs to be built */
189#ifndef OPENSSL_NO_BUFFER
190 BUF_MEM *bytes;
191#else
192 char *bytes;
193#endif
194/* unsigned long hash; Keep the hash around for lookups */
195 unsigned char *canon_enc;
196 int canon_enclen;
197 } /* X509_NAME */;
198
199DECLARE_STACK_OF(X509_NAME)
200
201#define X509_EX_V_NETSCAPE_HACK 0x8000
202#define X509_EX_V_INIT 0x0001
203typedef struct X509_extension_st
204 {
205 ASN1_OBJECT *object;
206 ASN1_BOOLEAN critical;
207 ASN1_OCTET_STRING *value;
208 } X509_EXTENSION;
209
210typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS;
211
212DECLARE_STACK_OF(X509_EXTENSION)
213DECLARE_ASN1_SET_OF(X509_EXTENSION)
214
215/* a sequence of these are used */
216typedef struct x509_attributes_st
217 {
218 ASN1_OBJECT *object;
219 int single; /* 0 for a set, 1 for a single item (which is wrong) */
220 union {
221 char *ptr;
222/* 0 */ STACK_OF(ASN1_TYPE) *set;
223/* 1 */ ASN1_TYPE *single;
224 } value;
225 } X509_ATTRIBUTE;
226
227DECLARE_STACK_OF(X509_ATTRIBUTE)
228DECLARE_ASN1_SET_OF(X509_ATTRIBUTE)
229
230
231typedef struct X509_req_info_st
232 {
233 ASN1_ENCODING enc;
234 ASN1_INTEGER *version;
235 X509_NAME *subject;
236 X509_PUBKEY *pubkey;
237 /* d=2 hl=2 l= 0 cons: cont: 00 */
238 STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */
239 } X509_REQ_INFO;
240
241typedef struct X509_req_st
242 {
243 X509_REQ_INFO *req_info;
244 X509_ALGOR *sig_alg;
245 ASN1_BIT_STRING *signature;
246 int references;
247 } X509_REQ;
248
249typedef struct x509_cinf_st
250 {
251 ASN1_INTEGER *version; /* [ 0 ] default of v1 */
252 ASN1_INTEGER *serialNumber;
253 X509_ALGOR *signature;
254 X509_NAME *issuer;
255 X509_VAL *validity;
256 X509_NAME *subject;
257 X509_PUBKEY *key;
258 ASN1_BIT_STRING *issuerUID; /* [ 1 ] optional in v2 */
259 ASN1_BIT_STRING *subjectUID; /* [ 2 ] optional in v2 */
260 STACK_OF(X509_EXTENSION) *extensions; /* [ 3 ] optional in v3 */
261 ASN1_ENCODING enc;
262 } X509_CINF;
263
264/* This stuff is certificate "auxiliary info"
265 * it contains details which are useful in certificate
266 * stores and databases. When used this is tagged onto
267 * the end of the certificate itself
268 */
269
270typedef struct x509_cert_aux_st
271 {
272 STACK_OF(ASN1_OBJECT) *trust; /* trusted uses */
273 STACK_OF(ASN1_OBJECT) *reject; /* rejected uses */
274 ASN1_UTF8STRING *alias; /* "friendly name" */
275 ASN1_OCTET_STRING *keyid; /* key id of private key */
276 STACK_OF(X509_ALGOR) *other; /* other unspecified info */
277 } X509_CERT_AUX;
278
279struct x509_st
280 {
281 X509_CINF *cert_info;
282 X509_ALGOR *sig_alg;
283 ASN1_BIT_STRING *signature;
284 int valid;
285 int references;
286 char *name;
287 CRYPTO_EX_DATA ex_data;
288 /* These contain copies of various extension values */
289 long ex_pathlen;
290 long ex_pcpathlen;
291 unsigned long ex_flags;
292 unsigned long ex_kusage;
293 unsigned long ex_xkusage;
294 unsigned long ex_nscert;
295 ASN1_OCTET_STRING *skid;
296 AUTHORITY_KEYID *akid;
297 X509_POLICY_CACHE *policy_cache;
298 STACK_OF(DIST_POINT) *crldp;
299 STACK_OF(GENERAL_NAME) *altname;
300 NAME_CONSTRAINTS *nc;
301#ifndef OPENSSL_NO_RFC3779
302 STACK_OF(IPAddressFamily) *rfc3779_addr;
303 struct ASIdentifiers_st *rfc3779_asid;
304#endif
305#ifndef OPENSSL_NO_SHA
306 unsigned char sha1_hash[SHA_DIGEST_LENGTH];
307#endif
308 X509_CERT_AUX *aux;
309 } /* X509 */;
310
311DECLARE_STACK_OF(X509)
312DECLARE_ASN1_SET_OF(X509)
313
314/* This is used for a table of trust checking functions */
315
316typedef struct x509_trust_st {
317 int trust;
318 int flags;
319 int (*check_trust)(struct x509_trust_st *, X509 *, int);
320 char *name;
321 int arg1;
322 void *arg2;
323} X509_TRUST;
324
325DECLARE_STACK_OF(X509_TRUST)
326
327typedef struct x509_cert_pair_st {
328 X509 *forward;
329 X509 *reverse;
330} X509_CERT_PAIR;
331
332/* standard trust ids */
333
334#define X509_TRUST_DEFAULT -1 /* Only valid in purpose settings */
335
336#define X509_TRUST_COMPAT 1
337#define X509_TRUST_SSL_CLIENT 2
338#define X509_TRUST_SSL_SERVER 3
339#define X509_TRUST_EMAIL 4
340#define X509_TRUST_OBJECT_SIGN 5
341#define X509_TRUST_OCSP_SIGN 6
342#define X509_TRUST_OCSP_REQUEST 7
343#define X509_TRUST_TSA 8
344
345/* Keep these up to date! */
346#define X509_TRUST_MIN 1
347#define X509_TRUST_MAX 8
348
349
350/* trust_flags values */
351#define X509_TRUST_DYNAMIC 1
352#define X509_TRUST_DYNAMIC_NAME 2
353
354/* check_trust return codes */
355
356#define X509_TRUST_TRUSTED 1
357#define X509_TRUST_REJECTED 2
358#define X509_TRUST_UNTRUSTED 3
359
360/* Flags for X509_print_ex() */
361
362#define X509_FLAG_COMPAT 0
363#define X509_FLAG_NO_HEADER 1L
364#define X509_FLAG_NO_VERSION (1L << 1)
365#define X509_FLAG_NO_SERIAL (1L << 2)
366#define X509_FLAG_NO_SIGNAME (1L << 3)
367#define X509_FLAG_NO_ISSUER (1L << 4)
368#define X509_FLAG_NO_VALIDITY (1L << 5)
369#define X509_FLAG_NO_SUBJECT (1L << 6)
370#define X509_FLAG_NO_PUBKEY (1L << 7)
371#define X509_FLAG_NO_EXTENSIONS (1L << 8)
372#define X509_FLAG_NO_SIGDUMP (1L << 9)
373#define X509_FLAG_NO_AUX (1L << 10)
374#define X509_FLAG_NO_ATTRIBUTES (1L << 11)
375
376/* Flags specific to X509_NAME_print_ex() */
377
378/* The field separator information */
379
380#define XN_FLAG_SEP_MASK (0xf << 16)
381
382#define XN_FLAG_COMPAT 0 /* Traditional SSLeay: use old X509_NAME_print */
383#define XN_FLAG_SEP_COMMA_PLUS (1 << 16) /* RFC2253 ,+ */
384#define XN_FLAG_SEP_CPLUS_SPC (2 << 16) /* ,+ spaced: more readable */
385#define XN_FLAG_SEP_SPLUS_SPC (3 << 16) /* ;+ spaced */
386#define XN_FLAG_SEP_MULTILINE (4 << 16) /* One line per field */
387
388#define XN_FLAG_DN_REV (1 << 20) /* Reverse DN order */
389
390/* How the field name is shown */
391
392#define XN_FLAG_FN_MASK (0x3 << 21)
393
394#define XN_FLAG_FN_SN 0 /* Object short name */
395#define XN_FLAG_FN_LN (1 << 21) /* Object long name */
396#define XN_FLAG_FN_OID (2 << 21) /* Always use OIDs */
397#define XN_FLAG_FN_NONE (3 << 21) /* No field names */
398
399#define XN_FLAG_SPC_EQ (1 << 23) /* Put spaces round '=' */
400
401/* This determines if we dump fields we don't recognise:
402 * RFC2253 requires this.
403 */
404
405#define XN_FLAG_DUMP_UNKNOWN_FIELDS (1 << 24)
406
407#define XN_FLAG_FN_ALIGN (1 << 25) /* Align field names to 20 characters */
408
409/* Complete set of RFC2253 flags */
410
411#define XN_FLAG_RFC2253 (ASN1_STRFLGS_RFC2253 | \
412 XN_FLAG_SEP_COMMA_PLUS | \
413 XN_FLAG_DN_REV | \
414 XN_FLAG_FN_SN | \
415 XN_FLAG_DUMP_UNKNOWN_FIELDS)
416
417/* readable oneline form */
418
419#define XN_FLAG_ONELINE (ASN1_STRFLGS_RFC2253 | \
420 ASN1_STRFLGS_ESC_QUOTE | \
421 XN_FLAG_SEP_CPLUS_SPC | \
422 XN_FLAG_SPC_EQ | \
423 XN_FLAG_FN_SN)
424
425/* readable multiline form */
426
427#define XN_FLAG_MULTILINE (ASN1_STRFLGS_ESC_CTRL | \
428 ASN1_STRFLGS_ESC_MSB | \
429 XN_FLAG_SEP_MULTILINE | \
430 XN_FLAG_SPC_EQ | \
431 XN_FLAG_FN_LN | \
432 XN_FLAG_FN_ALIGN)
433
434struct x509_revoked_st
435 {
436 ASN1_INTEGER *serialNumber;
437 ASN1_TIME *revocationDate;
438 STACK_OF(X509_EXTENSION) /* optional */ *extensions;
439 /* Set up if indirect CRL */
440 STACK_OF(GENERAL_NAME) *issuer;
441 /* Revocation reason */
442 int reason;
443 int sequence; /* load sequence */
444 };
445
446DECLARE_STACK_OF(X509_REVOKED)
447DECLARE_ASN1_SET_OF(X509_REVOKED)
448
449typedef struct X509_crl_info_st
450 {
451 ASN1_INTEGER *version;
452 X509_ALGOR *sig_alg;
453 X509_NAME *issuer;
454 ASN1_TIME *lastUpdate;
455 ASN1_TIME *nextUpdate;
456 STACK_OF(X509_REVOKED) *revoked;
457 STACK_OF(X509_EXTENSION) /* [0] */ *extensions;
458 ASN1_ENCODING enc;
459 } X509_CRL_INFO;
460
461struct X509_crl_st
462 {
463 /* actual signature */
464 X509_CRL_INFO *crl;
465 X509_ALGOR *sig_alg;
466 ASN1_BIT_STRING *signature;
467 int references;
468 int flags;
469 /* Copies of various extensions */
470 AUTHORITY_KEYID *akid;
471 ISSUING_DIST_POINT *idp;
472 /* Convenient breakdown of IDP */
473 int idp_flags;
474 int idp_reasons;
475 /* CRL and base CRL numbers for delta processing */
476 ASN1_INTEGER *crl_number;
477 ASN1_INTEGER *base_crl_number;
478#ifndef OPENSSL_NO_SHA
479 unsigned char sha1_hash[SHA_DIGEST_LENGTH];
480#endif
481 STACK_OF(GENERAL_NAMES) *issuers;
482 const X509_CRL_METHOD *meth;
483 void *meth_data;
484 } /* X509_CRL */;
485
486DECLARE_STACK_OF(X509_CRL)
487DECLARE_ASN1_SET_OF(X509_CRL)
488
489typedef struct private_key_st
490 {
491 int version;
492 /* The PKCS#8 data types */
493 X509_ALGOR *enc_algor;
494 ASN1_OCTET_STRING *enc_pkey; /* encrypted pub key */
495
496 /* When decrypted, the following will not be NULL */
497 EVP_PKEY *dec_pkey;
498
499 /* used to encrypt and decrypt */
500 int key_length;
501 char *key_data;
502 int key_free; /* true if we should auto free key_data */
503
504 /* expanded version of 'enc_algor' */
505 EVP_CIPHER_INFO cipher;
506
507 int references;
508 } X509_PKEY;
509
510#ifndef OPENSSL_NO_EVP
511typedef struct X509_info_st
512 {
513 X509 *x509;
514 X509_CRL *crl;
515 X509_PKEY *x_pkey;
516
517 EVP_CIPHER_INFO enc_cipher;
518 int enc_len;
519 char *enc_data;
520
521 int references;
522 } X509_INFO;
523
524DECLARE_STACK_OF(X509_INFO)
525#endif
526
527/* The next 2 structures and their 8 routines were sent to me by
528 * Pat Richard <patr@x509.com> and are used to manipulate
529 * Netscapes spki structures - useful if you are writing a CA web page
530 */
531typedef struct Netscape_spkac_st
532 {
533 X509_PUBKEY *pubkey;
534 ASN1_IA5STRING *challenge; /* challenge sent in atlas >= PR2 */
535 } NETSCAPE_SPKAC;
536
537typedef struct Netscape_spki_st
538 {
539 NETSCAPE_SPKAC *spkac; /* signed public key and challenge */
540 X509_ALGOR *sig_algor;
541 ASN1_BIT_STRING *signature;
542 } NETSCAPE_SPKI;
543
544/* Netscape certificate sequence structure */
545typedef struct Netscape_certificate_sequence
546 {
547 ASN1_OBJECT *type;
548 STACK_OF(X509) *certs;
549 } NETSCAPE_CERT_SEQUENCE;
550
551/* Unused (and iv length is wrong)
552typedef struct CBCParameter_st
553 {
554 unsigned char iv[8];
555 } CBC_PARAM;
556*/
557
558/* Password based encryption structure */
559
560typedef struct PBEPARAM_st {
561ASN1_OCTET_STRING *salt;
562ASN1_INTEGER *iter;
563} PBEPARAM;
564
565/* Password based encryption V2 structures */
566
567typedef struct PBE2PARAM_st {
568X509_ALGOR *keyfunc;
569X509_ALGOR *encryption;
570} PBE2PARAM;
571
572typedef struct PBKDF2PARAM_st {
573ASN1_TYPE *salt; /* Usually OCTET STRING but could be anything */
574ASN1_INTEGER *iter;
575ASN1_INTEGER *keylength;
576X509_ALGOR *prf;
577} PBKDF2PARAM;
578
579
580/* PKCS#8 private key info structure */
581
582struct pkcs8_priv_key_info_st
583 {
584 int broken; /* Flag for various broken formats */
585#define PKCS8_OK 0
586#define PKCS8_NO_OCTET 1
587#define PKCS8_EMBEDDED_PARAM 2
588#define PKCS8_NS_DB 3
589#define PKCS8_NEG_PRIVKEY 4
590 ASN1_INTEGER *version;
591 X509_ALGOR *pkeyalg;
592 ASN1_TYPE *pkey; /* Should be OCTET STRING but some are broken */
593 STACK_OF(X509_ATTRIBUTE) *attributes;
594 };
595
596#ifdef __cplusplus
597}
598#endif
599
600#include <openssl/x509_vfy.h>
601#include <openssl/pkcs7.h>
602
603#ifdef __cplusplus
604extern "C" {
605#endif
606
607#define X509_EXT_PACK_UNKNOWN 1
608#define X509_EXT_PACK_STRING 2
609
610#define X509_get_version(x) ASN1_INTEGER_get((x)->cert_info->version)
611/* #define X509_get_serialNumber(x) ((x)->cert_info->serialNumber) */
612#define X509_get_notBefore(x) ((x)->cert_info->validity->notBefore)
613#define X509_get_notAfter(x) ((x)->cert_info->validity->notAfter)
614#define X509_extract_key(x) X509_get_pubkey(x) /*****/
615#define X509_REQ_get_version(x) ASN1_INTEGER_get((x)->req_info->version)
616#define X509_REQ_get_subject_name(x) ((x)->req_info->subject)
617#define X509_REQ_extract_key(a) X509_REQ_get_pubkey(a)
618#define X509_name_cmp(a,b) X509_NAME_cmp((a),(b))
619#define X509_get_signature_type(x) EVP_PKEY_type(OBJ_obj2nid((x)->sig_alg->algorithm))
620
621#define X509_CRL_get_version(x) ASN1_INTEGER_get((x)->crl->version)
622#define X509_CRL_get_lastUpdate(x) ((x)->crl->lastUpdate)
623#define X509_CRL_get_nextUpdate(x) ((x)->crl->nextUpdate)
624#define X509_CRL_get_issuer(x) ((x)->crl->issuer)
625#define X509_CRL_get_REVOKED(x) ((x)->crl->revoked)
626
627void X509_CRL_set_default_method(const X509_CRL_METHOD *meth);
628X509_CRL_METHOD *X509_CRL_METHOD_new(
629 int (*crl_init)(X509_CRL *crl),
630 int (*crl_free)(X509_CRL *crl),
631 int (*crl_lookup)(X509_CRL *crl, X509_REVOKED **ret,
632 ASN1_INTEGER *ser, X509_NAME *issuer),
633 int (*crl_verify)(X509_CRL *crl, EVP_PKEY *pk));
634void X509_CRL_METHOD_free(X509_CRL_METHOD *m);
635
636void X509_CRL_set_meth_data(X509_CRL *crl, void *dat);
637void *X509_CRL_get_meth_data(X509_CRL *crl);
638
639/* This one is only used so that a binary form can output, as in
640 * i2d_X509_NAME(X509_get_X509_PUBKEY(x),&buf) */
641#define X509_get_X509_PUBKEY(x) ((x)->cert_info->key)
642
643
644const char *X509_verify_cert_error_string(long n);
645
646#ifndef OPENSSL_NO_EVP
647int X509_verify(X509 *a, EVP_PKEY *r);
648
649int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r);
650int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r);
651int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r);
652
653NETSCAPE_SPKI * NETSCAPE_SPKI_b64_decode(const char *str, int len);
654char * NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *x);
655EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *x);
656int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey);
657
658int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki);
659
660int X509_signature_dump(BIO *bp,const ASN1_STRING *sig, int indent);
661int X509_signature_print(BIO *bp,X509_ALGOR *alg, ASN1_STRING *sig);
662
663int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
664int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx);
665int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
666int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx);
667int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
668int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx);
669int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md);
670
671int X509_pubkey_digest(const X509 *data,const EVP_MD *type,
672 unsigned char *md, unsigned int *len);
673int X509_digest(const X509 *data,const EVP_MD *type,
674 unsigned char *md, unsigned int *len);
675int X509_CRL_digest(const X509_CRL *data,const EVP_MD *type,
676 unsigned char *md, unsigned int *len);
677int X509_REQ_digest(const X509_REQ *data,const EVP_MD *type,
678 unsigned char *md, unsigned int *len);
679int X509_NAME_digest(const X509_NAME *data,const EVP_MD *type,
680 unsigned char *md, unsigned int *len);
681#endif
682
683#ifndef OPENSSL_NO_FP_API
684X509 *d2i_X509_fp(FILE *fp, X509 **x509);
685int i2d_X509_fp(FILE *fp,X509 *x509);
686X509_CRL *d2i_X509_CRL_fp(FILE *fp,X509_CRL **crl);
687int i2d_X509_CRL_fp(FILE *fp,X509_CRL *crl);
688X509_REQ *d2i_X509_REQ_fp(FILE *fp,X509_REQ **req);
689int i2d_X509_REQ_fp(FILE *fp,X509_REQ *req);
690#ifndef OPENSSL_NO_RSA
691RSA *d2i_RSAPrivateKey_fp(FILE *fp,RSA **rsa);
692int i2d_RSAPrivateKey_fp(FILE *fp,RSA *rsa);
693RSA *d2i_RSAPublicKey_fp(FILE *fp,RSA **rsa);
694int i2d_RSAPublicKey_fp(FILE *fp,RSA *rsa);
695RSA *d2i_RSA_PUBKEY_fp(FILE *fp,RSA **rsa);
696int i2d_RSA_PUBKEY_fp(FILE *fp,RSA *rsa);
697#endif
698#ifndef OPENSSL_NO_DSA
699DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa);
700int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa);
701DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa);
702int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa);
703#endif
704#ifndef OPENSSL_NO_EC
705EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey);
706int i2d_EC_PUBKEY_fp(FILE *fp, EC_KEY *eckey);
707EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey);
708int i2d_ECPrivateKey_fp(FILE *fp, EC_KEY *eckey);
709#endif
710X509_SIG *d2i_PKCS8_fp(FILE *fp,X509_SIG **p8);
711int i2d_PKCS8_fp(FILE *fp,X509_SIG *p8);
712PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,
713 PKCS8_PRIV_KEY_INFO **p8inf);
714int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,PKCS8_PRIV_KEY_INFO *p8inf);
715int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key);
716int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey);
717EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a);
718int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey);
719EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a);
720#endif
721
722#ifndef OPENSSL_NO_BIO
723X509 *d2i_X509_bio(BIO *bp,X509 **x509);
724int i2d_X509_bio(BIO *bp,X509 *x509);
725X509_CRL *d2i_X509_CRL_bio(BIO *bp,X509_CRL **crl);
726int i2d_X509_CRL_bio(BIO *bp,X509_CRL *crl);
727X509_REQ *d2i_X509_REQ_bio(BIO *bp,X509_REQ **req);
728int i2d_X509_REQ_bio(BIO *bp,X509_REQ *req);
729#ifndef OPENSSL_NO_RSA
730RSA *d2i_RSAPrivateKey_bio(BIO *bp,RSA **rsa);
731int i2d_RSAPrivateKey_bio(BIO *bp,RSA *rsa);
732RSA *d2i_RSAPublicKey_bio(BIO *bp,RSA **rsa);
733int i2d_RSAPublicKey_bio(BIO *bp,RSA *rsa);
734RSA *d2i_RSA_PUBKEY_bio(BIO *bp,RSA **rsa);
735int i2d_RSA_PUBKEY_bio(BIO *bp,RSA *rsa);
736#endif
737#ifndef OPENSSL_NO_DSA
738DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa);
739int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa);
740DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa);
741int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa);
742#endif
743#ifndef OPENSSL_NO_EC
744EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey);
745int i2d_EC_PUBKEY_bio(BIO *bp, EC_KEY *eckey);
746EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey);
747int i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey);
748#endif
749X509_SIG *d2i_PKCS8_bio(BIO *bp,X509_SIG **p8);
750int i2d_PKCS8_bio(BIO *bp,X509_SIG *p8);
751PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
752 PKCS8_PRIV_KEY_INFO **p8inf);
753int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,PKCS8_PRIV_KEY_INFO *p8inf);
754int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key);
755int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey);
756EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a);
757int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey);
758EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a);
759#endif
760
761X509 *X509_dup(X509 *x509);
762X509_ATTRIBUTE *X509_ATTRIBUTE_dup(X509_ATTRIBUTE *xa);
763X509_EXTENSION *X509_EXTENSION_dup(X509_EXTENSION *ex);
764X509_CRL *X509_CRL_dup(X509_CRL *crl);
765X509_REQ *X509_REQ_dup(X509_REQ *req);
766X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn);
767int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *aobj, int ptype, void *pval);
768void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval,
769 X509_ALGOR *algor);
770void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md);
771
772X509_NAME *X509_NAME_dup(X509_NAME *xn);
773X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne);
774
775int X509_cmp_time(const ASN1_TIME *s, time_t *t);
776int X509_cmp_current_time(const ASN1_TIME *s);
777ASN1_TIME * X509_time_adj(ASN1_TIME *s, long adj, time_t *t);
778ASN1_TIME * X509_time_adj_ex(ASN1_TIME *s,
779 int offset_day, long offset_sec, time_t *t);
780ASN1_TIME * X509_gmtime_adj(ASN1_TIME *s, long adj);
781
782const char * X509_get_default_cert_area(void );
783const char * X509_get_default_cert_dir(void );
784const char * X509_get_default_cert_file(void );
785const char * X509_get_default_cert_dir_env(void );
786const char * X509_get_default_cert_file_env(void );
787const char * X509_get_default_private_dir(void );
788
789X509_REQ * X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
790X509 * X509_REQ_to_X509(X509_REQ *r, int days,EVP_PKEY *pkey);
791
792DECLARE_ASN1_FUNCTIONS(X509_ALGOR)
793DECLARE_ASN1_ENCODE_FUNCTIONS(X509_ALGORS, X509_ALGORS, X509_ALGORS)
794DECLARE_ASN1_FUNCTIONS(X509_VAL)
795
796DECLARE_ASN1_FUNCTIONS(X509_PUBKEY)
797
798int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey);
799EVP_PKEY * X509_PUBKEY_get(X509_PUBKEY *key);
800int X509_get_pubkey_parameters(EVP_PKEY *pkey,
801 STACK_OF(X509) *chain);
802int i2d_PUBKEY(EVP_PKEY *a,unsigned char **pp);
803EVP_PKEY * d2i_PUBKEY(EVP_PKEY **a,const unsigned char **pp,
804 long length);
805#ifndef OPENSSL_NO_RSA
806int i2d_RSA_PUBKEY(RSA *a,unsigned char **pp);
807RSA * d2i_RSA_PUBKEY(RSA **a,const unsigned char **pp,
808 long length);
809#endif
810#ifndef OPENSSL_NO_DSA
811int i2d_DSA_PUBKEY(DSA *a,unsigned char **pp);
812DSA * d2i_DSA_PUBKEY(DSA **a,const unsigned char **pp,
813 long length);
814#endif
815#ifndef OPENSSL_NO_EC
816int i2d_EC_PUBKEY(EC_KEY *a, unsigned char **pp);
817EC_KEY *d2i_EC_PUBKEY(EC_KEY **a, const unsigned char **pp,
818 long length);
819#endif
820
821DECLARE_ASN1_FUNCTIONS(X509_SIG)
822DECLARE_ASN1_FUNCTIONS(X509_REQ_INFO)
823DECLARE_ASN1_FUNCTIONS(X509_REQ)
824
825DECLARE_ASN1_FUNCTIONS(X509_ATTRIBUTE)
826X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int atrtype, void *value);
827
828DECLARE_ASN1_FUNCTIONS(X509_EXTENSION)
829DECLARE_ASN1_ENCODE_FUNCTIONS(X509_EXTENSIONS, X509_EXTENSIONS, X509_EXTENSIONS)
830
831DECLARE_ASN1_FUNCTIONS(X509_NAME_ENTRY)
832
833DECLARE_ASN1_FUNCTIONS(X509_NAME)
834
835int X509_NAME_set(X509_NAME **xn, X509_NAME *name);
836
837DECLARE_ASN1_FUNCTIONS(X509_CINF)
838
839DECLARE_ASN1_FUNCTIONS(X509)
840DECLARE_ASN1_FUNCTIONS(X509_CERT_AUX)
841
842DECLARE_ASN1_FUNCTIONS(X509_CERT_PAIR)
843
844int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
845 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
846int X509_set_ex_data(X509 *r, int idx, void *arg);
847void *X509_get_ex_data(X509 *r, int idx);
848int i2d_X509_AUX(X509 *a,unsigned char **pp);
849X509 * d2i_X509_AUX(X509 **a,const unsigned char **pp,long length);
850
851int X509_alias_set1(X509 *x, unsigned char *name, int len);
852int X509_keyid_set1(X509 *x, unsigned char *id, int len);
853unsigned char * X509_alias_get0(X509 *x, int *len);
854unsigned char * X509_keyid_get0(X509 *x, int *len);
855int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int);
856int X509_TRUST_set(int *t, int trust);
857int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj);
858int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj);
859void X509_trust_clear(X509 *x);
860void X509_reject_clear(X509 *x);
861
862DECLARE_ASN1_FUNCTIONS(X509_REVOKED)
863DECLARE_ASN1_FUNCTIONS(X509_CRL_INFO)
864DECLARE_ASN1_FUNCTIONS(X509_CRL)
865
866int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
867int X509_CRL_get0_by_serial(X509_CRL *crl,
868 X509_REVOKED **ret, ASN1_INTEGER *serial);
869int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x);
870
871X509_PKEY * X509_PKEY_new(void );
872void X509_PKEY_free(X509_PKEY *a);
873int i2d_X509_PKEY(X509_PKEY *a,unsigned char **pp);
874X509_PKEY * d2i_X509_PKEY(X509_PKEY **a,const unsigned char **pp,long length);
875
876DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKI)
877DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKAC)
878DECLARE_ASN1_FUNCTIONS(NETSCAPE_CERT_SEQUENCE)
879
880#ifndef OPENSSL_NO_EVP
881X509_INFO * X509_INFO_new(void);
882void X509_INFO_free(X509_INFO *a);
883char * X509_NAME_oneline(X509_NAME *a,char *buf,int size);
884
885int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *algor1,
886 ASN1_BIT_STRING *signature,char *data,EVP_PKEY *pkey);
887
888int ASN1_digest(i2d_of_void *i2d,const EVP_MD *type,char *data,
889 unsigned char *md,unsigned int *len);
890
891int ASN1_sign(i2d_of_void *i2d, X509_ALGOR *algor1,
892 X509_ALGOR *algor2, ASN1_BIT_STRING *signature,
893 char *data,EVP_PKEY *pkey, const EVP_MD *type);
894
895int ASN1_item_digest(const ASN1_ITEM *it,const EVP_MD *type,void *data,
896 unsigned char *md,unsigned int *len);
897
898int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *algor1,
899 ASN1_BIT_STRING *signature,void *data,EVP_PKEY *pkey);
900
901int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
902 ASN1_BIT_STRING *signature,
903 void *data, EVP_PKEY *pkey, const EVP_MD *type);
904int ASN1_item_sign_ctx(const ASN1_ITEM *it,
905 X509_ALGOR *algor1, X509_ALGOR *algor2,
906 ASN1_BIT_STRING *signature, void *asn, EVP_MD_CTX *ctx);
907#endif
908
909int X509_set_version(X509 *x,long version);
910int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial);
911ASN1_INTEGER * X509_get_serialNumber(X509 *x);
912int X509_set_issuer_name(X509 *x, X509_NAME *name);
913X509_NAME * X509_get_issuer_name(X509 *a);
914int X509_set_subject_name(X509 *x, X509_NAME *name);
915X509_NAME * X509_get_subject_name(X509 *a);
916int X509_set_notBefore(X509 *x, const ASN1_TIME *tm);
917int X509_set_notAfter(X509 *x, const ASN1_TIME *tm);
918int X509_set_pubkey(X509 *x, EVP_PKEY *pkey);
919EVP_PKEY * X509_get_pubkey(X509 *x);
920ASN1_BIT_STRING * X509_get0_pubkey_bitstr(const X509 *x);
921int X509_certificate_type(X509 *x,EVP_PKEY *pubkey /* optional */);
922
923int X509_REQ_set_version(X509_REQ *x,long version);
924int X509_REQ_set_subject_name(X509_REQ *req,X509_NAME *name);
925int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey);
926EVP_PKEY * X509_REQ_get_pubkey(X509_REQ *req);
927int X509_REQ_extension_nid(int nid);
928int * X509_REQ_get_extension_nids(void);
929void X509_REQ_set_extension_nids(int *nids);
930STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req);
931int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts,
932 int nid);
933int X509_REQ_add_extensions(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts);
934int X509_REQ_get_attr_count(const X509_REQ *req);
935int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid,
936 int lastpos);
937int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, ASN1_OBJECT *obj,
938 int lastpos);
939X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc);
940X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc);
941int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr);
942int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
943 const ASN1_OBJECT *obj, int type,
944 const unsigned char *bytes, int len);
945int X509_REQ_add1_attr_by_NID(X509_REQ *req,
946 int nid, int type,
947 const unsigned char *bytes, int len);
948int X509_REQ_add1_attr_by_txt(X509_REQ *req,
949 const char *attrname, int type,
950 const unsigned char *bytes, int len);
951
952int X509_CRL_set_version(X509_CRL *x, long version);
953int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name);
954int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm);
955int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm);
956int X509_CRL_sort(X509_CRL *crl);
957
958int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial);
959int X509_REVOKED_set_revocationDate(X509_REVOKED *r, ASN1_TIME *tm);
960
961int X509_REQ_check_private_key(X509_REQ *x509,EVP_PKEY *pkey);
962
963int X509_check_private_key(X509 *x509,EVP_PKEY *pkey);
964
965int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b);
966unsigned long X509_issuer_and_serial_hash(X509 *a);
967
968int X509_issuer_name_cmp(const X509 *a, const X509 *b);
969unsigned long X509_issuer_name_hash(X509 *a);
970
971int X509_subject_name_cmp(const X509 *a, const X509 *b);
972unsigned long X509_subject_name_hash(X509 *x);
973
974#ifndef OPENSSL_NO_MD5
975unsigned long X509_issuer_name_hash_old(X509 *a);
976unsigned long X509_subject_name_hash_old(X509 *x);
977#endif
978
979int X509_cmp(const X509 *a, const X509 *b);
980int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b);
981unsigned long X509_NAME_hash(X509_NAME *x);
982unsigned long X509_NAME_hash_old(X509_NAME *x);
983
984int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b);
985int X509_CRL_match(const X509_CRL *a, const X509_CRL *b);
986#ifndef OPENSSL_NO_FP_API
987int X509_print_ex_fp(FILE *bp,X509 *x, unsigned long nmflag, unsigned long cflag);
988int X509_print_fp(FILE *bp,X509 *x);
989int X509_CRL_print_fp(FILE *bp,X509_CRL *x);
990int X509_REQ_print_fp(FILE *bp,X509_REQ *req);
991int X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long flags);
992#endif
993
994#ifndef OPENSSL_NO_BIO
995int X509_NAME_print(BIO *bp, X509_NAME *name, int obase);
996int X509_NAME_print_ex(BIO *out, X509_NAME *nm, int indent, unsigned long flags);
997int X509_print_ex(BIO *bp,X509 *x, unsigned long nmflag, unsigned long cflag);
998int X509_print(BIO *bp,X509 *x);
999int X509_ocspid_print(BIO *bp,X509 *x);
1000int X509_CERT_AUX_print(BIO *bp,X509_CERT_AUX *x, int indent);
1001int X509_CRL_print(BIO *bp,X509_CRL *x);
1002int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflag, unsigned long cflag);
1003int X509_REQ_print(BIO *bp,X509_REQ *req);
1004#endif
1005
1006int X509_NAME_entry_count(X509_NAME *name);
1007int X509_NAME_get_text_by_NID(X509_NAME *name, int nid,
1008 char *buf,int len);
1009int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj,
1010 char *buf,int len);
1011
1012/* NOTE: you should be passsing -1, not 0 as lastpos. The functions that use
1013 * lastpos, search after that position on. */
1014int X509_NAME_get_index_by_NID(X509_NAME *name,int nid,int lastpos);
1015int X509_NAME_get_index_by_OBJ(X509_NAME *name,ASN1_OBJECT *obj,
1016 int lastpos);
1017X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc);
1018X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc);
1019int X509_NAME_add_entry(X509_NAME *name,X509_NAME_ENTRY *ne,
1020 int loc, int set);
1021int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type,
1022 unsigned char *bytes, int len, int loc, int set);
1023int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
1024 unsigned char *bytes, int len, int loc, int set);
1025X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
1026 const char *field, int type, const unsigned char *bytes, int len);
1027X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
1028 int type,unsigned char *bytes, int len);
1029int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type,
1030 const unsigned char *bytes, int len, int loc, int set);
1031X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
1032 ASN1_OBJECT *obj, int type,const unsigned char *bytes,
1033 int len);
1034int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne,
1035 ASN1_OBJECT *obj);
1036int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
1037 const unsigned char *bytes, int len);
1038ASN1_OBJECT * X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne);
1039ASN1_STRING * X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne);
1040
1041int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x);
1042int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x,
1043 int nid, int lastpos);
1044int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *x,
1045 ASN1_OBJECT *obj,int lastpos);
1046int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *x,
1047 int crit, int lastpos);
1048X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc);
1049X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc);
1050STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x,
1051 X509_EXTENSION *ex, int loc);
1052
1053int X509_get_ext_count(X509 *x);
1054int X509_get_ext_by_NID(X509 *x, int nid, int lastpos);
1055int X509_get_ext_by_OBJ(X509 *x,ASN1_OBJECT *obj,int lastpos);
1056int X509_get_ext_by_critical(X509 *x, int crit, int lastpos);
1057X509_EXTENSION *X509_get_ext(X509 *x, int loc);
1058X509_EXTENSION *X509_delete_ext(X509 *x, int loc);
1059int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);
1060void * X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx);
1061int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
1062 unsigned long flags);
1063
1064int X509_CRL_get_ext_count(X509_CRL *x);
1065int X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int lastpos);
1066int X509_CRL_get_ext_by_OBJ(X509_CRL *x,ASN1_OBJECT *obj,int lastpos);
1067int X509_CRL_get_ext_by_critical(X509_CRL *x, int crit, int lastpos);
1068X509_EXTENSION *X509_CRL_get_ext(X509_CRL *x, int loc);
1069X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc);
1070int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc);
1071void * X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx);
1072int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, int crit,
1073 unsigned long flags);
1074
1075int X509_REVOKED_get_ext_count(X509_REVOKED *x);
1076int X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int lastpos);
1077int X509_REVOKED_get_ext_by_OBJ(X509_REVOKED *x,ASN1_OBJECT *obj,int lastpos);
1078int X509_REVOKED_get_ext_by_critical(X509_REVOKED *x, int crit, int lastpos);
1079X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *x, int loc);
1080X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc);
1081int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc);
1082void * X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx);
1083int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, void *value, int crit,
1084 unsigned long flags);
1085
1086X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex,
1087 int nid, int crit, ASN1_OCTET_STRING *data);
1088X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex,
1089 ASN1_OBJECT *obj,int crit,ASN1_OCTET_STRING *data);
1090int X509_EXTENSION_set_object(X509_EXTENSION *ex,ASN1_OBJECT *obj);
1091int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit);
1092int X509_EXTENSION_set_data(X509_EXTENSION *ex,
1093 ASN1_OCTET_STRING *data);
1094ASN1_OBJECT * X509_EXTENSION_get_object(X509_EXTENSION *ex);
1095ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ne);
1096int X509_EXTENSION_get_critical(X509_EXTENSION *ex);
1097
1098int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x);
1099int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, int nid,
1100 int lastpos);
1101int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, ASN1_OBJECT *obj,
1102 int lastpos);
1103X509_ATTRIBUTE *X509at_get_attr(const STACK_OF(X509_ATTRIBUTE) *x, int loc);
1104X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, int loc);
1105STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
1106 X509_ATTRIBUTE *attr);
1107STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x,
1108 const ASN1_OBJECT *obj, int type,
1109 const unsigned char *bytes, int len);
1110STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x,
1111 int nid, int type,
1112 const unsigned char *bytes, int len);
1113STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x,
1114 const char *attrname, int type,
1115 const unsigned char *bytes, int len);
1116void *X509at_get0_data_by_OBJ(STACK_OF(X509_ATTRIBUTE) *x,
1117 ASN1_OBJECT *obj, int lastpos, int type);
1118X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
1119 int atrtype, const void *data, int len);
1120X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
1121 const ASN1_OBJECT *obj, int atrtype, const void *data, int len);
1122X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
1123 const char *atrname, int type, const unsigned char *bytes, int len);
1124int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj);
1125int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *data, int len);
1126void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx,
1127 int atrtype, void *data);
1128int X509_ATTRIBUTE_count(X509_ATTRIBUTE *attr);
1129ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr);
1130ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx);
1131
1132int EVP_PKEY_get_attr_count(const EVP_PKEY *key);
1133int EVP_PKEY_get_attr_by_NID(const EVP_PKEY *key, int nid,
1134 int lastpos);
1135int EVP_PKEY_get_attr_by_OBJ(const EVP_PKEY *key, ASN1_OBJECT *obj,
1136 int lastpos);
1137X509_ATTRIBUTE *EVP_PKEY_get_attr(const EVP_PKEY *key, int loc);
1138X509_ATTRIBUTE *EVP_PKEY_delete_attr(EVP_PKEY *key, int loc);
1139int EVP_PKEY_add1_attr(EVP_PKEY *key, X509_ATTRIBUTE *attr);
1140int EVP_PKEY_add1_attr_by_OBJ(EVP_PKEY *key,
1141 const ASN1_OBJECT *obj, int type,
1142 const unsigned char *bytes, int len);
1143int EVP_PKEY_add1_attr_by_NID(EVP_PKEY *key,
1144 int nid, int type,
1145 const unsigned char *bytes, int len);
1146int EVP_PKEY_add1_attr_by_txt(EVP_PKEY *key,
1147 const char *attrname, int type,
1148 const unsigned char *bytes, int len);
1149
1150int X509_verify_cert(X509_STORE_CTX *ctx);
1151
1152/* lookup a cert from a X509 STACK */
1153X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk,X509_NAME *name,
1154 ASN1_INTEGER *serial);
1155X509 *X509_find_by_subject(STACK_OF(X509) *sk,X509_NAME *name);
1156
1157DECLARE_ASN1_FUNCTIONS(PBEPARAM)
1158DECLARE_ASN1_FUNCTIONS(PBE2PARAM)
1159DECLARE_ASN1_FUNCTIONS(PBKDF2PARAM)
1160
1161int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
1162 const unsigned char *salt, int saltlen);
1163
1164X509_ALGOR *PKCS5_pbe_set(int alg, int iter,
1165 const unsigned char *salt, int saltlen);
1166X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
1167 unsigned char *salt, int saltlen);
1168X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
1169 unsigned char *salt, int saltlen,
1170 unsigned char *aiv, int prf_nid);
1171
1172X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
1173 int prf_nid, int keylen);
1174
1175/* PKCS#8 utilities */
1176
1177DECLARE_ASN1_FUNCTIONS(PKCS8_PRIV_KEY_INFO)
1178
1179EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8);
1180PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey);
1181PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8_broken(EVP_PKEY *pkey, int broken);
1182PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken);
1183
1184int PKCS8_pkey_set0(PKCS8_PRIV_KEY_INFO *priv, ASN1_OBJECT *aobj,
1185 int version, int ptype, void *pval,
1186 unsigned char *penc, int penclen);
1187int PKCS8_pkey_get0(ASN1_OBJECT **ppkalg,
1188 const unsigned char **pk, int *ppklen,
1189 X509_ALGOR **pa,
1190 PKCS8_PRIV_KEY_INFO *p8);
1191
1192int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *aobj,
1193 int ptype, void *pval,
1194 unsigned char *penc, int penclen);
1195int X509_PUBKEY_get0_param(ASN1_OBJECT **ppkalg,
1196 const unsigned char **pk, int *ppklen,
1197 X509_ALGOR **pa,
1198 X509_PUBKEY *pub);
1199
1200int X509_check_trust(X509 *x, int id, int flags);
1201int X509_TRUST_get_count(void);
1202X509_TRUST * X509_TRUST_get0(int idx);
1203int X509_TRUST_get_by_id(int id);
1204int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
1205 char *name, int arg1, void *arg2);
1206void X509_TRUST_cleanup(void);
1207int X509_TRUST_get_flags(X509_TRUST *xp);
1208char *X509_TRUST_get0_name(X509_TRUST *xp);
1209int X509_TRUST_get_trust(X509_TRUST *xp);
1210
1211/* BEGIN ERROR CODES */
1212/* The following lines are auto generated by the script mkerr.pl. Any changes
1213 * made after this point may be overwritten when the script is next run.
1214 */
1215void ERR_load_X509_strings(void);
1216
1217/* Error codes for the X509 functions. */
1218
1219/* Function codes. */
1220#define X509_F_ADD_CERT_DIR 100
1221#define X509_F_BY_FILE_CTRL 101
1222#define X509_F_CHECK_POLICY 145
1223#define X509_F_DIR_CTRL 102
1224#define X509_F_GET_CERT_BY_SUBJECT 103
1225#define X509_F_NETSCAPE_SPKI_B64_DECODE 129
1226#define X509_F_NETSCAPE_SPKI_B64_ENCODE 130
1227#define X509_F_X509AT_ADD1_ATTR 135
1228#define X509_F_X509V3_ADD_EXT 104
1229#define X509_F_X509_ATTRIBUTE_CREATE_BY_NID 136
1230#define X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ 137
1231#define X509_F_X509_ATTRIBUTE_CREATE_BY_TXT 140
1232#define X509_F_X509_ATTRIBUTE_GET0_DATA 139
1233#define X509_F_X509_ATTRIBUTE_SET1_DATA 138
1234#define X509_F_X509_CHECK_PRIVATE_KEY 128
1235#define X509_F_X509_CRL_PRINT_FP 147
1236#define X509_F_X509_EXTENSION_CREATE_BY_NID 108
1237#define X509_F_X509_EXTENSION_CREATE_BY_OBJ 109
1238#define X509_F_X509_GET_PUBKEY_PARAMETERS 110
1239#define X509_F_X509_LOAD_CERT_CRL_FILE 132
1240#define X509_F_X509_LOAD_CERT_FILE 111
1241#define X509_F_X509_LOAD_CRL_FILE 112
1242#define X509_F_X509_NAME_ADD_ENTRY 113
1243#define X509_F_X509_NAME_ENTRY_CREATE_BY_NID 114
1244#define X509_F_X509_NAME_ENTRY_CREATE_BY_TXT 131
1245#define X509_F_X509_NAME_ENTRY_SET_OBJECT 115
1246#define X509_F_X509_NAME_ONELINE 116
1247#define X509_F_X509_NAME_PRINT 117
1248#define X509_F_X509_PRINT_EX_FP 118
1249#define X509_F_X509_PUBKEY_GET 119
1250#define X509_F_X509_PUBKEY_SET 120
1251#define X509_F_X509_REQ_CHECK_PRIVATE_KEY 144
1252#define X509_F_X509_REQ_PRINT_EX 121
1253#define X509_F_X509_REQ_PRINT_FP 122
1254#define X509_F_X509_REQ_TO_X509 123
1255#define X509_F_X509_STORE_ADD_CERT 124
1256#define X509_F_X509_STORE_ADD_CRL 125
1257#define X509_F_X509_STORE_CTX_GET1_ISSUER 146
1258#define X509_F_X509_STORE_CTX_INIT 143
1259#define X509_F_X509_STORE_CTX_NEW 142
1260#define X509_F_X509_STORE_CTX_PURPOSE_INHERIT 134
1261#define X509_F_X509_TO_X509_REQ 126
1262#define X509_F_X509_TRUST_ADD 133
1263#define X509_F_X509_TRUST_SET 141
1264#define X509_F_X509_VERIFY_CERT 127
1265
1266/* Reason codes. */
1267#define X509_R_BAD_X509_FILETYPE 100
1268#define X509_R_BASE64_DECODE_ERROR 118
1269#define X509_R_CANT_CHECK_DH_KEY 114
1270#define X509_R_CERT_ALREADY_IN_HASH_TABLE 101
1271#define X509_R_ERR_ASN1_LIB 102
1272#define X509_R_INVALID_DIRECTORY 113
1273#define X509_R_INVALID_FIELD_NAME 119
1274#define X509_R_INVALID_TRUST 123
1275#define X509_R_KEY_TYPE_MISMATCH 115
1276#define X509_R_KEY_VALUES_MISMATCH 116
1277#define X509_R_LOADING_CERT_DIR 103
1278#define X509_R_LOADING_DEFAULTS 104
1279#define X509_R_METHOD_NOT_SUPPORTED 124
1280#define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY 105
1281#define X509_R_PUBLIC_KEY_DECODE_ERROR 125
1282#define X509_R_PUBLIC_KEY_ENCODE_ERROR 126
1283#define X509_R_SHOULD_RETRY 106
1284#define X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN 107
1285#define X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY 108
1286#define X509_R_UNKNOWN_KEY_TYPE 117
1287#define X509_R_UNKNOWN_NID 109
1288#define X509_R_UNKNOWN_PURPOSE_ID 121
1289#define X509_R_UNKNOWN_TRUST_ID 120
1290#define X509_R_UNSUPPORTED_ALGORITHM 111
1291#define X509_R_WRONG_LOOKUP_TYPE 112
1292#define X509_R_WRONG_TYPE 122
1293
1294#ifdef __cplusplus
1295}
1296#endif
1297#endif
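diff --git a/src/lib/libcrypto/x509/x509_att.c b/src/lib/libcrypto/x509/x509_att.c
deleted file mode 100644
index 98460e8921..0000000000
--- a/src/lib/libcrypto/x509/x509_att.c
+++ /dev/null
@@ -1,359 +0,0 @@
-/* crypto/x509/x509_att.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <openssl/stack.h>
-#include "cryptlib.h"
-#include <openssl/asn1.h>
-#include <openssl/objects.h>
-#include <openssl/evp.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x)
-{
- return sk_X509_ATTRIBUTE_num(x);
-}
-
-int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, int nid,
- int lastpos)
-{
- ASN1_OBJECT *obj;
-
- obj=OBJ_nid2obj(nid);
- if (obj == NULL) return(-2);
- return(X509at_get_attr_by_OBJ(x,obj,lastpos));
-}
-
-int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, ASN1_OBJECT *obj,
- int lastpos)
-{
- int n;
- X509_ATTRIBUTE *ex;
-
- if (sk == NULL) return(-1);
- lastpos++;
- if (lastpos < 0)
- lastpos=0;
- n=sk_X509_ATTRIBUTE_num(sk);
- for ( ; lastpos < n; lastpos++)
- {
- ex=sk_X509_ATTRIBUTE_value(sk,lastpos);
- if (OBJ_cmp(ex->object,obj) == 0)
- return(lastpos);
- }
- return(-1);
-}
-
-X509_ATTRIBUTE *X509at_get_attr(const STACK_OF(X509_ATTRIBUTE) *x, int loc)
-{
- if (x == NULL || sk_X509_ATTRIBUTE_num(x) <= loc || loc < 0)
- return NULL;
- else
- return sk_X509_ATTRIBUTE_value(x,loc);
-}
-
-X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, int loc)
-{
- X509_ATTRIBUTE *ret;
-
- if (x == NULL || sk_X509_ATTRIBUTE_num(x) <= loc || loc < 0)
- return(NULL);
- ret=sk_X509_ATTRIBUTE_delete(x,loc);
- return(ret);
-}
-
-STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
- X509_ATTRIBUTE *attr)
-{
- X509_ATTRIBUTE *new_attr=NULL;
- STACK_OF(X509_ATTRIBUTE) *sk=NULL;
-
- if (x == NULL)
- {
- X509err(X509_F_X509AT_ADD1_ATTR, ERR_R_PASSED_NULL_PARAMETER);
- goto err2;
- }
-
- if (*x == NULL)
- {
- if ((sk=sk_X509_ATTRIBUTE_new_null()) == NULL)
- goto err;
- }
- else
- sk= *x;
-
- if ((new_attr=X509_ATTRIBUTE_dup(attr)) == NULL)
- goto err2;
- if (!sk_X509_ATTRIBUTE_push(sk,new_attr))
- goto err;
- if (*x == NULL)
- *x=sk;
- return(sk);
-err:
- X509err(X509_F_X509AT_ADD1_ATTR,ERR_R_MALLOC_FAILURE);
-err2:
- if (new_attr != NULL) X509_ATTRIBUTE_free(new_attr);
- if (sk != NULL) sk_X509_ATTRIBUTE_free(sk);
- return(NULL);
-}
-
-STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x,
- const ASN1_OBJECT *obj, int type,
- const unsigned char *bytes, int len)
-{
- X509_ATTRIBUTE *attr;
- STACK_OF(X509_ATTRIBUTE) *ret;
- attr = X509_ATTRIBUTE_create_by_OBJ(NULL, obj, type, bytes, len);
- if(!attr) return 0;
- ret = X509at_add1_attr(x, attr);
- X509_ATTRIBUTE_free(attr);
- return ret;
-}
-
-STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x,
- int nid, int type,
- const unsigned char *bytes, int len)
-{
- X509_ATTRIBUTE *attr;
- STACK_OF(X509_ATTRIBUTE) *ret;
- attr = X509_ATTRIBUTE_create_by_NID(NULL, nid, type, bytes, len);
- if(!attr) return 0;
- ret = X509at_add1_attr(x, attr);
- X509_ATTRIBUTE_free(attr);
- return ret;
-}
-
-STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x,
- const char *attrname, int type,
- const unsigned char *bytes, int len)
-{
- X509_ATTRIBUTE *attr;
- STACK_OF(X509_ATTRIBUTE) *ret;
- attr = X509_ATTRIBUTE_create_by_txt(NULL, attrname, type, bytes, len);
- if(!attr) return 0;
- ret = X509at_add1_attr(x, attr);
- X509_ATTRIBUTE_free(attr);
- return ret;
-}
-
-void *X509at_get0_data_by_OBJ(STACK_OF(X509_ATTRIBUTE) *x,
- ASN1_OBJECT *obj, int lastpos, int type)
-{
- int i;
- X509_ATTRIBUTE *at;
- i = X509at_get_attr_by_OBJ(x, obj, lastpos);
- if (i == -1)
- return NULL;
- if ((lastpos <= -2) && (X509at_get_attr_by_OBJ(x, obj, i) != -1))
- return NULL;
- at = X509at_get_attr(x, i);
- if (lastpos <= -3 && (X509_ATTRIBUTE_count(at) != 1))
- return NULL;
- return X509_ATTRIBUTE_get0_data(at, 0, type, NULL);
-}
-
-X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
- int atrtype, const void *data, int len)
-{
- ASN1_OBJECT *obj;
- X509_ATTRIBUTE *ret;
-
- obj=OBJ_nid2obj(nid);
- if (obj == NULL)
- {
- X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_NID,X509_R_UNKNOWN_NID);
- return(NULL);
- }
- ret=X509_ATTRIBUTE_create_by_OBJ(attr,obj,atrtype,data,len);
- if (ret == NULL) ASN1_OBJECT_free(obj);
- return(ret);
-}
-
-X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
- const ASN1_OBJECT *obj, int atrtype, const void *data, int len)
-{
- X509_ATTRIBUTE *ret;
-
- if ((attr == NULL) || (*attr == NULL))
- {
- if ((ret=X509_ATTRIBUTE_new()) == NULL)
- {
- X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE);
- return(NULL);
- }
- }
- else
- ret= *attr;
-
- if (!X509_ATTRIBUTE_set1_object(ret,obj))
- goto err;
- if (!X509_ATTRIBUTE_set1_data(ret,atrtype,data,len))
- goto err;
-
- if ((attr != NULL) && (*attr == NULL)) *attr=ret;
- return(ret);
-err:
- if ((attr == NULL) || (ret != *attr))
- X509_ATTRIBUTE_free(ret);
- return(NULL);
-}
-
-X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
- const char *atrname, int type, const unsigned char *bytes, int len)
- {
- ASN1_OBJECT *obj;
- X509_ATTRIBUTE *nattr;
-
- obj=OBJ_txt2obj(atrname, 0);
- if (obj == NULL)
- {
- X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_TXT,
- X509_R_INVALID_FIELD_NAME);
- ERR_add_error_data(2, "name=", atrname);
- return(NULL);
- }
- nattr = X509_ATTRIBUTE_create_by_OBJ(attr,obj,type,bytes,len);
- ASN1_OBJECT_free(obj);
- return nattr;
- }
-
-int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj)
-{
- if ((attr == NULL) || (obj == NULL))
- return(0);
- ASN1_OBJECT_free(attr->object);
- attr->object=OBJ_dup(obj);
- return(1);
-}
-
-int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *data, int len)
-{
- ASN1_TYPE *ttmp;
- ASN1_STRING *stmp = NULL;
- int atype = 0;
- if (!attr) return 0;
- if(attrtype & MBSTRING_FLAG) {
- stmp = ASN1_STRING_set_by_NID(NULL, data, len, attrtype,
- OBJ_obj2nid(attr->object));
- if(!stmp) {
- X509err(X509_F_X509_ATTRIBUTE_SET1_DATA, ERR_R_ASN1_LIB);
- return 0;
- }
- atype = stmp->type;
- } else if (len != -1){
- if(!(stmp = ASN1_STRING_type_new(attrtype))) goto err;
- if(!ASN1_STRING_set(stmp, data, len)) goto err;
- atype = attrtype;
- }
- if(!(attr->value.set = sk_ASN1_TYPE_new_null())) goto err;
- attr->single = 0;
- /* This is a bit naughty because the attribute should really have
- * at least one value but some types use and zero length SET and
- * require this.
- */
- if (attrtype == 0)
- return 1;
- if(!(ttmp = ASN1_TYPE_new())) goto err;
- if ((len == -1) && !(attrtype & MBSTRING_FLAG))
- {
- if (!ASN1_TYPE_set1(ttmp, attrtype, data))
- goto err;
- }
- else
- ASN1_TYPE_set(ttmp, atype, stmp);
- if(!sk_ASN1_TYPE_push(attr->value.set, ttmp)) goto err;
- return 1;
- err:
- X509err(X509_F_X509_ATTRIBUTE_SET1_DATA, ERR_R_MALLOC_FAILURE);
- return 0;
-}
-
-int X509_ATTRIBUTE_count(X509_ATTRIBUTE *attr)
-{
- if(!attr->single) return sk_ASN1_TYPE_num(attr->value.set);
- if(attr->value.single) return 1;
- return 0;
-}
-
-ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr)
-{
- if (attr == NULL) return(NULL);
- return(attr->object);
-}
-
-void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx,
- int atrtype, void *data)
-{
- ASN1_TYPE *ttmp;
- ttmp = X509_ATTRIBUTE_get0_type(attr, idx);
- if(!ttmp) return NULL;
- if(atrtype != ASN1_TYPE_get(ttmp)){
- X509err(X509_F_X509_ATTRIBUTE_GET0_DATA, X509_R_WRONG_TYPE);
- return NULL;
- }
- return ttmp->value.ptr;
-}
-
-ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx)
-{
- if (attr == NULL) return(NULL);
- if(idx >= X509_ATTRIBUTE_count(attr)) return NULL;
- if(!attr->single) return sk_ASN1_TYPE_value(attr->value.set, idx);
- else return attr->value.single;
-}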
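diff --git a/src/lib/libcrypto/x509/x509_cmp.c b/src/lib/libcrypto/x509/x509_cmp.c
deleted file mode 100644
index 7c2aaee2e9..0000000000
--- a/src/lib/libcrypto/x509/x509_cmp.c
+++ /dev/null
@@ -1,344 +0,0 @@
-/* crypto/x509/x509_cmp.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <ctype.h>
-#include "cryptlib.h"
-#include <openssl/asn1.h>
-#include <openssl/objects.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b)
- {
- int i;
- X509_CINF *ai,*bi;
-
- ai=a->cert_info;
- bi=b->cert_info;
- i=M_ASN1_INTEGER_cmp(ai->serialNumber,bi->serialNumber);
- if (i) return(i);
- return(X509_NAME_cmp(ai->issuer,bi->issuer));
- }
-
-#ifndef OPENSSL_NO_MD5
-unsigned long X509_issuer_and_serial_hash(X509 *a)
- {
- unsigned long ret=0;
- EVP_MD_CTX ctx;
- unsigned char md[16];
- char *f;
-
- EVP_MD_CTX_init(&ctx);
- f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
- ret=strlen(f);
- if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
- goto err;
- if (!EVP_DigestUpdate(&ctx,(unsigned char *)f,ret))
- goto err;
- OPENSSL_free(f);
- if(!EVP_DigestUpdate(&ctx,(unsigned char *)a->cert_info->serialNumber->data,
- (unsigned long)a->cert_info->serialNumber->length))
- goto err;
- if (!EVP_DigestFinal_ex(&ctx,&(md[0]),NULL))
- goto err;
- ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
- ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
- )&0xffffffffL;
- err:
- EVP_MD_CTX_cleanup(&ctx);
- return(ret);
- }
-#endif
-
-int X509_issuer_name_cmp(const X509 *a, const X509 *b)
- {
- return(X509_NAME_cmp(a->cert_info->issuer,b->cert_info->issuer));
- }
-
-int X509_subject_name_cmp(const X509 *a, const X509 *b)
- {
- return(X509_NAME_cmp(a->cert_info->subject,b->cert_info->subject));
- }
-
-int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b)
- {
- return(X509_NAME_cmp(a->crl->issuer,b->crl->issuer));
- }
-
-#ifndef OPENSSL_NO_SHA
-int X509_CRL_match(const X509_CRL *a, const X509_CRL *b)
- {
- return memcmp(a->sha1_hash, b->sha1_hash, 20);
- }
-#endif
-
-X509_NAME *X509_get_issuer_name(X509 *a)
- {
- return(a->cert_info->issuer);
- }
-
-unsigned long X509_issuer_name_hash(X509 *x)
- {
- return(X509_NAME_hash(x->cert_info->issuer));
- }
-
-#ifndef OPENSSL_NO_MD5
-unsigned long X509_issuer_name_hash_old(X509 *x)
- {
- return(X509_NAME_hash_old(x->cert_info->issuer));
- }
-#endif
-
-X509_NAME *X509_get_subject_name(X509 *a)
- {
- return(a->cert_info->subject);
- }
-
-ASN1_INTEGER *X509_get_serialNumber(X509 *a)
- {
- return(a->cert_info->serialNumber);
- }
-
-unsigned long X509_subject_name_hash(X509 *x)
- {
- return(X509_NAME_hash(x->cert_info->subject));
- }
-
-#ifndef OPENSSL_NO_MD5
-unsigned long X509_subject_name_hash_old(X509 *x)
- {
- return(X509_NAME_hash_old(x->cert_info->subject));
- }
-#endif
-
-#ifndef OPENSSL_NO_SHA
-/* Compare two certificates: they must be identical for
- * this to work. NB: Although "cmp" operations are generally
- * prototyped to take "const" arguments (eg. for use in
- * STACKs), the way X509 handling is - these operations may
- * involve ensuring the hashes are up-to-date and ensuring
- * certain cert information is cached. So this is the point
- * where the "depth-first" constification tree has to halt
- * with an evil cast.
- */
-int X509_cmp(const X509 *a, const X509 *b)
-{
- /* ensure hash is valid */
- X509_check_purpose((X509 *)a, -1, 0);
- X509_check_purpose((X509 *)b, -1, 0);
-
- return memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH);
-}
-#endif
-
-
-int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
- {
- int ret;
-
- /* Ensure canonical encoding is present and up to date */
-
- if (!a->canon_enc || a->modified)
- {
- ret = i2d_X509_NAME((X509_NAME *)a, NULL);
- if (ret < 0)
- return -2;
- }
-
- if (!b->canon_enc || b->modified)
- {
- ret = i2d_X509_NAME((X509_NAME *)b, NULL);
- if (ret < 0)
- return -2;
- }
-
- ret = a->canon_enclen - b->canon_enclen;
-
- if (ret)
- return ret;
-
- return memcmp(a->canon_enc, b->canon_enc, a->canon_enclen);
-
- }
-
-unsigned long X509_NAME_hash(X509_NAME *x)
- {
- unsigned long ret=0;
- unsigned char md[SHA_DIGEST_LENGTH];
-
- /* Make sure X509_NAME structure contains valid cached encoding */
- i2d_X509_NAME(x,NULL);
- if (!EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, EVP_sha1(),
- NULL))
- return 0;
-
- ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
- ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
- )&0xffffffffL;
- return(ret);
- }
-
-
-#ifndef OPENSSL_NO_MD5
-/* I now DER encode the name and hash it. Since I cache the DER encoding,
- * this is reasonably efficient. */
-
-unsigned long X509_NAME_hash_old(X509_NAME *x)
- {
- EVP_MD_CTX md_ctx;
- unsigned long ret=0;
- unsigned char md[16];
-
- /* Make sure X509_NAME structure contains valid cached encoding */
- i2d_X509_NAME(x,NULL);
- EVP_MD_CTX_init(&md_ctx);
- EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL);
- EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length);
- EVP_DigestFinal_ex(&md_ctx,md,NULL);
- EVP_MD_CTX_cleanup(&md_ctx);
-
- ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
- ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
- )&0xffffffffL;
- return(ret);
- }
-#endif
-
-/* Search a stack of X509 for a match */
-X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name,
- ASN1_INTEGER *serial)
- {
- int i;
- X509_CINF cinf;
- X509 x,*x509=NULL;
-
- if(!sk) return NULL;
-
- x.cert_info= &cinf;
- cinf.serialNumber=serial;
- cinf.issuer=name;
-
- for (i=0; i<sk_X509_num(sk); i++)
- {
- x509=sk_X509_value(sk,i);
- if (X509_issuer_and_serial_cmp(x509,&x) == 0)
- return(x509);
- }
- return(NULL);
- }
-
-X509 *X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name)
- {
- X509 *x509;
- int i;
-
- for (i=0; i<sk_X509_num(sk); i++)
- {
- x509=sk_X509_value(sk,i);
- if (X509_NAME_cmp(X509_get_subject_name(x509),name) == 0)
- return(x509);
- }
- return(NULL);
- }
-
-EVP_PKEY *X509_get_pubkey(X509 *x)
- {
- if ((x == NULL) || (x->cert_info == NULL))
- return(NULL);
- return(X509_PUBKEY_get(x->cert_info->key));
- }
-
-ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x)
- {
- if(!x) return NULL;
- return x->cert_info->key->public_key;
- }
-
-int X509_check_private_key(X509 *x, EVP_PKEY *k)
- {
- EVP_PKEY *xk;
- int ret;
-
- xk=X509_get_pubkey(x);
-
- if (xk)
- ret = EVP_PKEY_cmp(xk, k);
- else
- ret = -2;
-
- switch (ret)
- {
- case 1:
- break;
- case 0:
- X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH);
- break;
- case -1:
- X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_TYPE_MISMATCH);
- break;
- case -2:
- X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE);
- }
- if (xk)
- EVP_PKEY_free(xk);
- if (ret > 0)
- return 1;
- return 0;
- }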
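diff --git a/src/lib/libcrypto/x509/x509_d2.c b/src/lib/libcrypto/x509/x509_d2.c
deleted file mode 100644
index 51410cfd1a..0000000000
--- a/src/lib/libcrypto/x509/x509_d2.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/* crypto/x509/x509_d2.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/crypto.h>
-#include <openssl/x509.h>
-
-#ifndef OPENSSL_NO_STDIO
-int X509_STORE_set_default_paths(X509_STORE *ctx)
- {
- X509_LOOKUP *lookup;
-
- lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file());
- if (lookup == NULL) return(0);
- X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
-
- lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_hash_dir());
- if (lookup == NULL) return(0);
- X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
-
- /* clear any errors */
- ERR_clear_error();
-
- return(1);
- }
-
-int X509_STORE_load_locations(X509_STORE *ctx, const char *file,
- const char *path)
- {
- X509_LOOKUP *lookup;
-
- if (file != NULL)
- {
- lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file());
- if (lookup == NULL) return(0);
- if (X509_LOOKUP_load_file(lookup,file,X509_FILETYPE_PEM) != 1)
- return(0);
- }
- if (path != NULL)
- {
- lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_hash_dir());
- if (lookup == NULL) return(0);
- if (X509_LOOKUP_add_dir(lookup,path,X509_FILETYPE_PEM) != 1)
- return(0);
- }
- if ((path == NULL) && (file == NULL))
- return(0);
- return(1);
- }
-
-#endif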
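diff --git a/src/lib/libcrypto/x509/x509_def.c b/src/lib/libcrypto/x509/x509_def.c
deleted file mode 100644
index e0ac151a76..0000000000
--- a/src/lib/libcrypto/x509/x509_def.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/* crypto/x509/x509_def.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/crypto.h>
-#include <openssl/x509.h>
-
-const char *X509_get_default_private_dir(void)
- { return(X509_PRIVATE_DIR); }
-
-const char *X509_get_default_cert_area(void)
- { return(X509_CERT_AREA); }
-
-const char *X509_get_default_cert_dir(void)
- { return(X509_CERT_DIR); }
-
-const char *X509_get_default_cert_file(void)
- { return(X509_CERT_FILE); }
-
-const char *X509_get_default_cert_dir_env(void)
- { return(X509_CERT_DIR_EVP); }
-
-const char *X509_get_default_cert_file_env(void)
- { return(X509_CERT_FILE_EVP); }
-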
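diff --git a/src/lib/libcrypto/x509/x509_err.c b/src/lib/libcrypto/x509/x509_err.c
deleted file mode 100644
index a01402f416..0000000000
--- a/src/lib/libcrypto/x509/x509_err.c
+++ /dev/null
@@ -1,164 +0,0 @@
-/* crypto/x509/x509_err.c */
-/* ====================================================================
- * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-/* NOTE: this file was auto generated by the mkerr.pl script: any changes
- * made to it will be overwritten when the script next updates this file,
- * only reason strings will be preserved.
- */
-
-#include <stdio.h>
-#include <openssl/err.h>
-#include <openssl/x509.h>
-
-/* BEGIN ERROR CODES */
-#ifndef OPENSSL_NO_ERR
-
-#define ERR_FUNC(func) ERR_PACK(ERR_LIB_X509,func,0)
-#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509,0,reason)
-
-static ERR_STRING_DATA X509_str_functs[]=
- {
-{ERR_FUNC(X509_F_ADD_CERT_DIR), "ADD_CERT_DIR"},
-{ERR_FUNC(X509_F_BY_FILE_CTRL), "BY_FILE_CTRL"},
-{ERR_FUNC(X509_F_CHECK_POLICY), "CHECK_POLICY"},
-{ERR_FUNC(X509_F_DIR_CTRL), "DIR_CTRL"},
-{ERR_FUNC(X509_F_GET_CERT_BY_SUBJECT), "GET_CERT_BY_SUBJECT"},
-{ERR_FUNC(X509_F_NETSCAPE_SPKI_B64_DECODE), "NETSCAPE_SPKI_b64_decode"},
-{ERR_FUNC(X509_F_NETSCAPE_SPKI_B64_ENCODE), "NETSCAPE_SPKI_b64_encode"},
-{ERR_FUNC(X509_F_X509AT_ADD1_ATTR), "X509at_add1_attr"},
-{ERR_FUNC(X509_F_X509V3_ADD_EXT), "X509v3_add_ext"},
-{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_NID), "X509_ATTRIBUTE_create_by_NID"},
-{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ), "X509_ATTRIBUTE_create_by_OBJ"},
-{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_TXT), "X509_ATTRIBUTE_create_by_txt"},
-{ERR_FUNC(X509_F_X509_ATTRIBUTE_GET0_DATA), "X509_ATTRIBUTE_get0_data"},
-{ERR_FUNC(X509_F_X509_ATTRIBUTE_SET1_DATA), "X509_ATTRIBUTE_set1_data"},
-{ERR_FUNC(X509_F_X509_CHECK_PRIVATE_KEY), "X509_check_private_key"},
-{ERR_FUNC(X509_F_X509_CRL_PRINT_FP), "X509_CRL_print_fp"},
-{ERR_FUNC(X509_F_X509_EXTENSION_CREATE_BY_NID), "X509_EXTENSION_create_by_NID"},
-{ERR_FUNC(X509_F_X509_EXTENSION_CREATE_BY_OBJ), "X509_EXTENSION_create_by_OBJ"},
-{ERR_FUNC(X509_F_X509_GET_PUBKEY_PARAMETERS), "X509_get_pubkey_parameters"},
-{ERR_FUNC(X509_F_X509_LOAD_CERT_CRL_FILE), "X509_load_cert_crl_file"},
-{ERR_FUNC(X509_F_X509_LOAD_CERT_FILE), "X509_load_cert_file"},
-{ERR_FUNC(X509_F_X509_LOAD_CRL_FILE), "X509_load_crl_file"},
-{ERR_FUNC(X509_F_X509_NAME_ADD_ENTRY), "X509_NAME_add_entry"},
-{ERR_FUNC(X509_F_X509_NAME_ENTRY_CREATE_BY_NID), "X509_NAME_ENTRY_create_by_NID"},
-{ERR_FUNC(X509_F_X509_NAME_ENTRY_CREATE_BY_TXT), "X509_NAME_ENTRY_create_by_txt"},
-{ERR_FUNC(X509_F_X509_NAME_ENTRY_SET_OBJECT), "X509_NAME_ENTRY_set_object"},
-{ERR_FUNC(X509_F_X509_NAME_ONELINE), "X509_NAME_oneline"},
-{ERR_FUNC(X509_F_X509_NAME_PRINT), "X509_NAME_print"},
-{ERR_FUNC(X509_F_X509_PRINT_EX_FP), "X509_print_ex_fp"},
-{ERR_FUNC(X509_F_X509_PUBKEY_GET), "X509_PUBKEY_get"},
-{ERR_FUNC(X509_F_X509_PUBKEY_SET), "X509_PUBKEY_set"},
-{ERR_FUNC(X509_F_X509_REQ_CHECK_PRIVATE_KEY), "X509_REQ_check_private_key"},
-{ERR_FUNC(X509_F_X509_REQ_PRINT_EX), "X509_REQ_print_ex"},
-{ERR_FUNC(X509_F_X509_REQ_PRINT_FP), "X509_REQ_print_fp"},
-{ERR_FUNC(X509_F_X509_REQ_TO_X509), "X509_REQ_to_X509"},
-{ERR_FUNC(X509_F_X509_STORE_ADD_CERT), "X509_STORE_add_cert"},
-{ERR_FUNC(X509_F_X509_STORE_ADD_CRL), "X509_STORE_add_crl"},
-{ERR_FUNC(X509_F_X509_STORE_CTX_GET1_ISSUER), "X509_STORE_CTX_get1_issuer"},
-{ERR_FUNC(X509_F_X509_STORE_CTX_INIT), "X509_STORE_CTX_init"},
-{ERR_FUNC(X509_F_X509_STORE_CTX_NEW), "X509_STORE_CTX_new"},
-{ERR_FUNC(X509_F_X509_STORE_CTX_PURPOSE_INHERIT), "X509_STORE_CTX_purpose_inherit"},
-{ERR_FUNC(X509_F_X509_TO_X509_REQ), "X509_to_X509_REQ"},
-{ERR_FUNC(X509_F_X509_TRUST_ADD), "X509_TRUST_add"},
-{ERR_FUNC(X509_F_X509_TRUST_SET), "X509_TRUST_set"},
-{ERR_FUNC(X509_F_X509_VERIFY_CERT), "X509_verify_cert"},
-{0,NULL}
- };
-
-static ERR_STRING_DATA X509_str_reasons[]=
- {
-{ERR_REASON(X509_R_BAD_X509_FILETYPE) ,"bad x509 filetype"},
-{ERR_REASON(X509_R_BASE64_DECODE_ERROR) ,"base64 decode error"},
-{ERR_REASON(X509_R_CANT_CHECK_DH_KEY) ,"cant check dh key"},
-{ERR_REASON(X509_R_CERT_ALREADY_IN_HASH_TABLE),"cert already in hash table"},
-{ERR_REASON(X509_R_ERR_ASN1_LIB) ,"err asn1 lib"},
-{ERR_REASON(X509_R_INVALID_DIRECTORY) ,"invalid directory"},
-{ERR_REASON(X509_R_INVALID_FIELD_NAME) ,"invalid field name"},
-{ERR_REASON(X509_R_INVALID_TRUST) ,"invalid trust"},
-{ERR_REASON(X509_R_KEY_TYPE_MISMATCH) ,"key type mismatch"},
-{ERR_REASON(X509_R_KEY_VALUES_MISMATCH) ,"key values mismatch"},
-{ERR_REASON(X509_R_LOADING_CERT_DIR) ,"loading cert dir"},
-{ERR_REASON(X509_R_LOADING_DEFAULTS) ,"loading defaults"},
-{ERR_REASON(X509_R_METHOD_NOT_SUPPORTED) ,"method not supported"},
-{ERR_REASON(X509_R_NO_CERT_SET_FOR_US_TO_VERIFY),"no cert set for us to verify"},
-{ERR_REASON(X509_R_PUBLIC_KEY_DECODE_ERROR),"public key decode error"},
-{ERR_REASON(X509_R_PUBLIC_KEY_ENCODE_ERROR),"public key encode error"},
-{ERR_REASON(X509_R_SHOULD_RETRY) ,"should retry"},
-{ERR_REASON(X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN),"unable to find parameters in chain"},
-{ERR_REASON(X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY),"unable to get certs public key"},
-{ERR_REASON(X509_R_UNKNOWN_KEY_TYPE) ,"unknown key type"},
-{ERR_REASON(X509_R_UNKNOWN_NID) ,"unknown nid"},
-{ERR_REASON(X509_R_UNKNOWN_PURPOSE_ID) ,"unknown purpose id"},
-{ERR_REASON(X509_R_UNKNOWN_TRUST_ID) ,"unknown trust id"},
-{ERR_REASON(X509_R_UNSUPPORTED_ALGORITHM),"unsupported algorithm"},
-{ERR_REASON(X509_R_WRONG_LOOKUP_TYPE) ,"wrong lookup type"},
-{ERR_REASON(X509_R_WRONG_TYPE) ,"wrong type"},
-{0,NULL}
- };
-
-#endif
-
-void ERR_load_X509_strings(void)
- {
-#ifndef OPENSSL_NO_ERR
-
- if (ERR_func_error_string(X509_str_functs[0].error) == NULL)
- {
- ERR_load_strings(0,X509_str_functs);
- ERR_load_strings(0,X509_str_reasons);
- }
-#endif
- }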
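diff --git a/src/lib/libcrypto/x509/x509_ext.c b/src/lib/libcrypto/x509/x509_ext.c
deleted file mode 100644
index e7fdacb5e4..0000000000
--- a/src/lib/libcrypto/x509/x509_ext.c
+++ /dev/null
@@ -1,210 +0,0 @@
-/* crypto/x509/x509_ext.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <openssl/stack.h>
-#include "cryptlib.h"
-#include <openssl/asn1.h>
-#include <openssl/objects.h>
-#include <openssl/evp.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-
-int X509_CRL_get_ext_count(X509_CRL *x)
- {
- return(X509v3_get_ext_count(x->crl->extensions));
- }
-
-int X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int lastpos)
- {
- return(X509v3_get_ext_by_NID(x->crl->extensions,nid,lastpos));
- }
-
-int X509_CRL_get_ext_by_OBJ(X509_CRL *x, ASN1_OBJECT *obj, int lastpos)
- {
- return(X509v3_get_ext_by_OBJ(x->crl->extensions,obj,lastpos));
- }
-
-int X509_CRL_get_ext_by_critical(X509_CRL *x, int crit, int lastpos)
- {
- return(X509v3_get_ext_by_critical(x->crl->extensions,crit,lastpos));
- }
-
-X509_EXTENSION *X509_CRL_get_ext(X509_CRL *x, int loc)
- {
- return(X509v3_get_ext(x->crl->extensions,loc));
- }
-
-X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc)
- {
- return(X509v3_delete_ext(x->crl->extensions,loc));
- }
-
-void *X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx)
-{
- return X509V3_get_d2i(x->crl->extensions, nid, crit, idx);
-}
-
-int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, int crit,
- unsigned long flags)
-{
- return X509V3_add1_i2d(&x->crl->extensions, nid, value, crit, flags);
-}
-
-int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc)
- {
- return(X509v3_add_ext(&(x->crl->extensions),ex,loc) != NULL);
- }
-
-int X509_get_ext_count(X509 *x)
- {
- return(X509v3_get_ext_count(x->cert_info->extensions));
- }
-
-int X509_get_ext_by_NID(X509 *x, int nid, int lastpos)
- {
- return(X509v3_get_ext_by_NID(x->cert_info->extensions,nid,lastpos));
- }
-
-int X509_get_ext_by_OBJ(X509 *x, ASN1_OBJECT *obj, int lastpos)
- {
- return(X509v3_get_ext_by_OBJ(x->cert_info->extensions,obj,lastpos));
- }
-
-int X509_get_ext_by_critical(X509 *x, int crit, int lastpos)
- {
- return(X509v3_get_ext_by_critical(x->cert_info->extensions,crit,lastpos));
- }
-
-X509_EXTENSION *X509_get_ext(X509 *x, int loc)
- {
- return(X509v3_get_ext(x->cert_info->extensions,loc));
- }
-
-X509_EXTENSION *X509_delete_ext(X509 *x, int loc)
- {
- return(X509v3_delete_ext(x->cert_info->extensions,loc));
- }
-
-int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc)
- {
- return(X509v3_add_ext(&(x->cert_info->extensions),ex,loc) != NULL);
- }
-
-void *X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx)
-{
- return X509V3_get_d2i(x->cert_info->extensions, nid, crit, idx);
-}
-
-int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
- unsigned long flags)
-{
- return X509V3_add1_i2d(&x->cert_info->extensions, nid, value, crit,
- flags);
-}
-
-int X509_REVOKED_get_ext_count(X509_REVOKED *x)
- {
- return(X509v3_get_ext_count(x->extensions));
- }
-
-int X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int lastpos)
- {
- return(X509v3_get_ext_by_NID(x->extensions,nid,lastpos));
- }
-
-int X509_REVOKED_get_ext_by_OBJ(X509_REVOKED *x, ASN1_OBJECT *obj,
- int lastpos)
- {
- return(X509v3_get_ext_by_OBJ(x->extensions,obj,lastpos));
- }
-
-int X509_REVOKED_get_ext_by_critical(X509_REVOKED *x, int crit, int lastpos)
- {
- return(X509v3_get_ext_by_critical(x->extensions,crit,lastpos));
- }
-
-X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *x, int loc)
- {
- return(X509v3_get_ext(x->extensions,loc));
- }
-
-X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc)
- {
- return(X509v3_delete_ext(x->extensions,loc));
- }
-
-int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc)
- {
- return(X509v3_add_ext(&(x->extensions),ex,loc) != NULL);
- }
-
-void *X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx)
-{
- return X509V3_get_d2i(x->extensions, nid, crit, idx);
-}
-
-int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, void *value, int crit,
- unsigned long flags)
-{
- return X509V3_add1_i2d(&x->extensions, nid, value, crit, flags);
-}
-
-IMPLEMENT_STACK_OF(X509_EXTENSION)
-IMPLEMENT_ASN1_SET_OF(X509_EXTENSION)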
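diff --git a/src/lib/libcrypto/x509/x509_lu.c b/src/lib/libcrypto/x509/x509_lu.c
deleted file mode 100644
index 38525a8cdd..0000000000
--- a/src/lib/libcrypto/x509/x509_lu.c
+++ /dev/null
@@ -1,716 +0,0 @@
-/* crypto/x509/x509_lu.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/lhash.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
- {
- X509_LOOKUP *ret;
-
- ret=(X509_LOOKUP *)OPENSSL_malloc(sizeof(X509_LOOKUP));
- if (ret == NULL) return NULL;
-
- ret->init=0;
- ret->skip=0;
- ret->method=method;
- ret->method_data=NULL;
- ret->store_ctx=NULL;
- if ((method->new_item != NULL) && !method->new_item(ret))
- {
- OPENSSL_free(ret);
- return NULL;
- }
- return ret;
- }
-
-void X509_LOOKUP_free(X509_LOOKUP *ctx)
- {
- if (ctx == NULL) return;
- if ( (ctx->method != NULL) &&
- (ctx->method->free != NULL))
- (*ctx->method->free)(ctx);
- OPENSSL_free(ctx);
- }
-
-int X509_LOOKUP_init(X509_LOOKUP *ctx)
- {
- if (ctx->method == NULL) return 0;
- if (ctx->method->init != NULL)
- return ctx->method->init(ctx);
- else
- return 1;
- }
-
-int X509_LOOKUP_shutdown(X509_LOOKUP *ctx)
- {
- if (ctx->method == NULL) return 0;
- if (ctx->method->shutdown != NULL)
- return ctx->method->shutdown(ctx);
- else
- return 1;
- }
-
-int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
- char **ret)
- {
- if (ctx->method == NULL) return -1;
- if (ctx->method->ctrl != NULL)
- return ctx->method->ctrl(ctx,cmd,argc,argl,ret);
- else
- return 1;
- }
-
-int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,
- X509_OBJECT *ret)
- {
- if ((ctx->method == NULL) || (ctx->method->get_by_subject == NULL))
- return X509_LU_FAIL;
- if (ctx->skip) return 0;
- return ctx->method->get_by_subject(ctx,type,name,ret);
- }
-
-int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name,
- ASN1_INTEGER *serial, X509_OBJECT *ret)
- {
- if ((ctx->method == NULL) ||
- (ctx->method->get_by_issuer_serial == NULL))
- return X509_LU_FAIL;
- return ctx->method->get_by_issuer_serial(ctx,type,name,serial,ret);
- }
-
-int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type,
- unsigned char *bytes, int len, X509_OBJECT *ret)
- {
- if ((ctx->method == NULL) || (ctx->method->get_by_fingerprint == NULL))
- return X509_LU_FAIL;
- return ctx->method->get_by_fingerprint(ctx,type,bytes,len,ret);
- }
-
-int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, int len,
- X509_OBJECT *ret)
- {
- if ((ctx->method == NULL) || (ctx->method->get_by_alias == NULL))
- return X509_LU_FAIL;
- return ctx->method->get_by_alias(ctx,type,str,len,ret);
- }
-
-
-static int x509_object_cmp(const X509_OBJECT * const *a, const X509_OBJECT * const *b)
- {
- int ret;
-
- ret=((*a)->type - (*b)->type);
- if (ret) return ret;
- switch ((*a)->type)
- {
- case X509_LU_X509:
- ret=X509_subject_name_cmp((*a)->data.x509,(*b)->data.x509);
- break;
- case X509_LU_CRL:
- ret=X509_CRL_cmp((*a)->data.crl,(*b)->data.crl);
- break;
- default:
- /* abort(); */
- return 0;
- }
- return ret;
- }
-
-X509_STORE *X509_STORE_new(void)
- {
- X509_STORE *ret;
-
- if ((ret=(X509_STORE *)OPENSSL_malloc(sizeof(X509_STORE))) == NULL)
- return NULL;
- ret->objs = sk_X509_OBJECT_new(x509_object_cmp);
- ret->cache=1;
- ret->get_cert_methods=sk_X509_LOOKUP_new_null();
- ret->verify=0;
- ret->verify_cb=0;
-
- if ((ret->param = X509_VERIFY_PARAM_new()) == NULL)
- return NULL;
-
- ret->get_issuer = 0;
- ret->check_issued = 0;
- ret->check_revocation = 0;
- ret->get_crl = 0;
- ret->check_crl = 0;
- ret->cert_crl = 0;
- ret->lookup_certs = 0;
- ret->lookup_crls = 0;
- ret->cleanup = 0;
-
- if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data))
- {
- sk_X509_OBJECT_free(ret->objs);
- OPENSSL_free(ret);
- return NULL;
- }
-
- ret->references=1;
- return ret;
- }
-
-static void cleanup(X509_OBJECT *a)
- {
- if (a->type == X509_LU_X509)
- {
- X509_free(a->data.x509);
- }
- else if (a->type == X509_LU_CRL)
- {
- X509_CRL_free(a->data.crl);
- }
- else
- {
- /* abort(); */
- }
-
- OPENSSL_free(a);
- }
-
-void X509_STORE_free(X509_STORE *vfy)
- {
- int i;
- STACK_OF(X509_LOOKUP) *sk;
- X509_LOOKUP *lu;
-
- if (vfy == NULL)
- return;
-
- sk=vfy->get_cert_methods;
- for (i=0; i<sk_X509_LOOKUP_num(sk); i++)
- {
- lu=sk_X509_LOOKUP_value(sk,i);
- X509_LOOKUP_shutdown(lu);
- X509_LOOKUP_free(lu);
- }
- sk_X509_LOOKUP_free(sk);
- sk_X509_OBJECT_pop_free(vfy->objs, cleanup);
-
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE, vfy, &vfy->ex_data);
- if (vfy->param)
- X509_VERIFY_PARAM_free(vfy->param);
- OPENSSL_free(vfy);
- }
-
-X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m)
- {
- int i;
- STACK_OF(X509_LOOKUP) *sk;
- X509_LOOKUP *lu;
-
- sk=v->get_cert_methods;
- for (i=0; i<sk_X509_LOOKUP_num(sk); i++)
- {
- lu=sk_X509_LOOKUP_value(sk,i);
- if (m == lu->method)
- {
- return lu;
- }
- }
- /* a new one */
- lu=X509_LOOKUP_new(m);
- if (lu == NULL)
- return NULL;
- else
- {
- lu->store_ctx=v;
- if (sk_X509_LOOKUP_push(v->get_cert_methods,lu))
- return lu;
- else
- {
- X509_LOOKUP_free(lu);
- return NULL;
- }
- }
- }
-
-int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
- X509_OBJECT *ret)
- {
- X509_STORE *ctx=vs->ctx;
- X509_LOOKUP *lu;
- X509_OBJECT stmp,*tmp;
- int i,j;
-
- CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
- tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name);
- CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
-
- if (tmp == NULL || type == X509_LU_CRL)
- {
- for (i=vs->current_method; i<sk_X509_LOOKUP_num(ctx->get_cert_methods); i++)
- {
- lu=sk_X509_LOOKUP_value(ctx->get_cert_methods,i);
- j=X509_LOOKUP_by_subject(lu,type,name,&stmp);
- if (j < 0)
- {
- vs->current_method=j;
- return j;
- }
- else if (j)
- {
- tmp= &stmp;
- break;
- }
- }
- vs->current_method=0;
- if (tmp == NULL)
- return 0;
- }
-
-/* if (ret->data.ptr != NULL)
- X509_OBJECT_free_contents(ret); */
-
- ret->type=tmp->type;
- ret->data.ptr=tmp->data.ptr;
-
- X509_OBJECT_up_ref_count(ret);
-
- return 1;
- }
-
-int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
- {
- X509_OBJECT *obj;
- int ret=1;
-
- if (x == NULL) return 0;
- obj=(X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT));
- if (obj == NULL)
- {
- X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE);
- return 0;
- }
- obj->type=X509_LU_X509;
- obj->data.x509=x;
-
- CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
-
- X509_OBJECT_up_ref_count(obj);
-
- if (X509_OBJECT_retrieve_match(ctx->objs, obj))
- {
- X509_OBJECT_free_contents(obj);
- OPENSSL_free(obj);
- X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE);
- ret=0;
- }
- else sk_X509_OBJECT_push(ctx->objs, obj);
-
- CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
-
- return ret;
- }
-
-int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
- {
- X509_OBJECT *obj;
- int ret=1;
-
- if (x == NULL) return 0;
- obj=(X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT));
- if (obj == NULL)
- {
- X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE);
- return 0;
- }
- obj->type=X509_LU_CRL;
- obj->data.crl=x;
-
- CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
-
- X509_OBJECT_up_ref_count(obj);
-
- if (X509_OBJECT_retrieve_match(ctx->objs, obj))
- {
- X509_OBJECT_free_contents(obj);
- OPENSSL_free(obj);
- X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE);
- ret=0;
- }
- else sk_X509_OBJECT_push(ctx->objs, obj);
-
- CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
-
- return ret;
- }
-
-void X509_OBJECT_up_ref_count(X509_OBJECT *a)
- {
- switch (a->type)
- {
- case X509_LU_X509:
- CRYPTO_add(&a->data.x509->references,1,CRYPTO_LOCK_X509);
- break;
- case X509_LU_CRL:
- CRYPTO_add(&a->data.crl->references,1,CRYPTO_LOCK_X509_CRL);
- break;
- }
- }
-
-void X509_OBJECT_free_contents(X509_OBJECT *a)
- {
- switch (a->type)
- {
- case X509_LU_X509:
- X509_free(a->data.x509);
- break;
- case X509_LU_CRL:
- X509_CRL_free(a->data.crl);
- break;
- }
- }
-
-static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type,
- X509_NAME *name, int *pnmatch)
- {
- X509_OBJECT stmp;
- X509 x509_s;
- X509_CINF cinf_s;
- X509_CRL crl_s;
- X509_CRL_INFO crl_info_s;
- int idx;
-
- stmp.type=type;
- switch (type)
- {
- case X509_LU_X509:
- stmp.data.x509= &x509_s;
- x509_s.cert_info= &cinf_s;
- cinf_s.subject=name;
- break;
- case X509_LU_CRL:
- stmp.data.crl= &crl_s;
- crl_s.crl= &crl_info_s;
- crl_info_s.issuer=name;
- break;
- default:
- /* abort(); */
- return -1;
- }
-
- idx = sk_X509_OBJECT_find(h,&stmp);
- if (idx >= 0 && pnmatch)
- {
- int tidx;
- const X509_OBJECT *tobj, *pstmp;
- *pnmatch = 1;
- pstmp = &stmp;
- for (tidx = idx + 1; tidx < sk_X509_OBJECT_num(h); tidx++)
- {
- tobj = sk_X509_OBJECT_value(h, tidx);
- if (x509_object_cmp(&tobj, &pstmp))
- break;
- (*pnmatch)++;
- }
- }
- return idx;
- }
-
-
-int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
- X509_NAME *name)
- {
- return x509_object_idx_cnt(h, type, name, NULL);
- }
-
-X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type,
- X509_NAME *name)
- {
- int idx;
- idx = X509_OBJECT_idx_by_subject(h, type, name);
- if (idx==-1) return NULL;
- return sk_X509_OBJECT_value(h, idx);
- }
-
-STACK_OF(X509)* X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
- {
- int i, idx, cnt;
- STACK_OF(X509) *sk;
- X509 *x;
- X509_OBJECT *obj;
- sk = sk_X509_new_null();
- CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
- idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);
- if (idx < 0)
- {
- /* Nothing found in cache: do lookup to possibly add new
- * objects to cache
- */
- X509_OBJECT xobj;
- CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
- if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, nm, &xobj))
- {
- sk_X509_free(sk);
- return NULL;
- }
- X509_OBJECT_free_contents(&xobj);
- CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
- idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_X509,nm, &cnt);
- if (idx < 0)
- {
- CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
- sk_X509_free(sk);
- return NULL;
- }
- }
- for (i = 0; i < cnt; i++, idx++)
- {
- obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
- x = obj->data.x509;
- CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
- if (!sk_X509_push(sk, x))
- {
- CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
- X509_free(x);
- sk_X509_pop_free(sk, X509_free);
- return NULL;
- }
- }
- CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
- return sk;
-
- }
-
-STACK_OF(X509_CRL)* X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
- {
- int i, idx, cnt;
- STACK_OF(X509_CRL) *sk;
- X509_CRL *x;
- X509_OBJECT *obj, xobj;
- sk = sk_X509_CRL_new_null();
- CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
- /* Check cache first */
- idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt);
-
- /* Always do lookup to possibly add new CRLs to cache
- */
- CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
- if (!X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj))
- {
- sk_X509_CRL_free(sk);
- return NULL;
- }
- X509_OBJECT_free_contents(&xobj);
- CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
- idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_CRL, nm, &cnt);
- if (idx < 0)
- {
- CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
- sk_X509_CRL_free(sk);
- return NULL;
- }
-
- for (i = 0; i < cnt; i++, idx++)
- {
- obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
- x = obj->data.crl;
- CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL);
- if (!sk_X509_CRL_push(sk, x))
- {
- CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
- X509_CRL_free(x);
- sk_X509_CRL_pop_free(sk, X509_CRL_free);
- return NULL;
- }
- }
- CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
- return sk;
- }
-
-X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x)
- {
- int idx, i;
- X509_OBJECT *obj;
- idx = sk_X509_OBJECT_find(h, x);
- if (idx == -1) return NULL;
- if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL))
- return sk_X509_OBJECT_value(h, idx);
- for (i = idx; i < sk_X509_OBJECT_num(h); i++)
- {
- obj = sk_X509_OBJECT_value(h, i);
- if (x509_object_cmp((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x))
- return NULL;
- if (x->type == X509_LU_X509)
- {
- if (!X509_cmp(obj->data.x509, x->data.x509))
- return obj;
- }
- else if (x->type == X509_LU_CRL)
- {
- if (!X509_CRL_match(obj->data.crl, x->data.crl))
- return obj;
- }
- else
- return obj;
- }
- return NULL;
- }
-
-
-/* Try to get issuer certificate from store. Due to limitations
- * of the API this can only retrieve a single certificate matching
- * a given subject name. However it will fill the cache with all
- * matching certificates, so we can examine the cache for all
- * matches.
- *
- * Return values are:
- * 1 lookup successful.
- * 0 certificate not found.
- * -1 some other error.
- */
-int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
- {
- X509_NAME *xn;
- X509_OBJECT obj, *pobj;
- int i, ok, idx, ret;
- xn=X509_get_issuer_name(x);
- ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
- if (ok != X509_LU_X509)
- {
- if (ok == X509_LU_RETRY)
- {
- X509_OBJECT_free_contents(&obj);
- X509err(X509_F_X509_STORE_CTX_GET1_ISSUER,X509_R_SHOULD_RETRY);
- return -1;
- }
- else if (ok != X509_LU_FAIL)
- {
- X509_OBJECT_free_contents(&obj);
- /* not good :-(, break anyway */
- return -1;
- }
- return 0;
- }
- /* If certificate matches all OK */
- if (ctx->check_issued(ctx, x, obj.data.x509))
- {
- *issuer = obj.data.x509;
- return 1;
- }
- X509_OBJECT_free_contents(&obj);
-
- /* Else find index of first cert accepted by 'check_issued' */
- ret = 0;
- CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
- idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
- if (idx != -1) /* should be true as we've had at least one match */
- {
- /* Look through all matching certs for suitable issuer */
- for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
- {
- pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
- /* See if we've run past the matches */
- if (pobj->type != X509_LU_X509)
- break;
- if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509)))
- break;
- if (ctx->check_issued(ctx, x, pobj->data.x509))
- {
- *issuer = pobj->data.x509;
- X509_OBJECT_up_ref_count(pobj);
- ret = 1;
- break;
- }
- }
- }
- CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
- return ret;
- }
-
-int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags)
- {
- return X509_VERIFY_PARAM_set_flags(ctx->param, flags);
- }
-
-int X509_STORE_set_depth(X509_STORE *ctx, int depth)
- {
- X509_VERIFY_PARAM_set_depth(ctx->param, depth);
- return 1;
- }
-
-int X509_STORE_set_purpose(X509_STORE *ctx, int purpose)
- {
- return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose);
- }
-
-int X509_STORE_set_trust(X509_STORE *ctx, int trust)
- {
- return X509_VERIFY_PARAM_set_trust(ctx->param, trust);
- }
-
-int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param)
- {
- return X509_VERIFY_PARAM_set1(ctx->param, param);
- }
-
-void X509_STORE_set_verify_cb(X509_STORE *ctx,
- int (*verify_cb)(int, X509_STORE_CTX *))
- {
- ctx->verify_cb = verify_cb;
- }
-
-IMPLEMENT_STACK_OF(X509_LOOKUP)
-IMPLEMENT_STACK_OF(X509_OBJECT)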
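diff --git a/src/lib/libcrypto/x509/x509_obj.c b/src/lib/libcrypto/x509/x509_obj.c
deleted file mode 100644
index 21fed9f838..0000000000
--- a/src/lib/libcrypto/x509/x509_obj.c
+++ /dev/null
@@ -1,226 +0,0 @@
-/* crypto/x509/x509_obj.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/lhash.h>
-#include <openssl/objects.h>
-#include <openssl/x509.h>
-#include <openssl/buffer.h>
-
-char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
- {
- X509_NAME_ENTRY *ne;
-int i;
- int n,lold,l,l1,l2,num,j,type;
- const char *s;
- char *p;
- unsigned char *q;
- BUF_MEM *b=NULL;
- static const char hex[17]="0123456789ABCDEF";
- int gs_doit[4];
- char tmp_buf[80];
-#ifdef CHARSET_EBCDIC
- char ebcdic_buf[1024];
-#endif
-
- if (buf == NULL)
- {
- if ((b=BUF_MEM_new()) == NULL) goto err;
- if (!BUF_MEM_grow(b,200)) goto err;
- b->data[0]='\0';
- len=200;
- }
- if (a == NULL)
- {
- if(b)
- {
- buf=b->data;
- OPENSSL_free(b);
- }
- strncpy(buf,"NO X509_NAME",len);
- buf[len-1]='\0';
- return buf;
- }
-
- len--; /* space for '\0' */
- l=0;
- for (i=0; i<sk_X509_NAME_ENTRY_num(a->entries); i++)
- {
- ne=sk_X509_NAME_ENTRY_value(a->entries,i);
- n=OBJ_obj2nid(ne->object);
- if ((n == NID_undef) || ((s=OBJ_nid2sn(n)) == NULL))
- {
- i2t_ASN1_OBJECT(tmp_buf,sizeof(tmp_buf),ne->object);
- s=tmp_buf;
- }
- l1=strlen(s);
-
- type=ne->value->type;
- num=ne->value->length;
- q=ne->value->data;
-#ifdef CHARSET_EBCDIC
- if (type == V_ASN1_GENERALSTRING ||
- type == V_ASN1_VISIBLESTRING ||
- type == V_ASN1_PRINTABLESTRING ||
- type == V_ASN1_TELETEXSTRING ||
- type == V_ASN1_VISIBLESTRING ||
- type == V_ASN1_IA5STRING) {
- ascii2ebcdic(ebcdic_buf, q,
- (num > sizeof ebcdic_buf)
- ? sizeof ebcdic_buf : num);
- q=ebcdic_buf;
- }
-#endif
-
- if ((type == V_ASN1_GENERALSTRING) && ((num%4) == 0))
- {
- gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=0;
- for (j=0; j<num; j++)
- if (q[j] != 0) gs_doit[j&3]=1;
-
- if (gs_doit[0]|gs_doit[1]|gs_doit[2])
- gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=1;
- else
- {
- gs_doit[0]=gs_doit[1]=gs_doit[2]=0;
- gs_doit[3]=1;
- }
- }
- else
- gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=1;
-
- for (l2=j=0; j<num; j++)
- {
- if (!gs_doit[j&3]) continue;
- l2++;
-#ifndef CHARSET_EBCDIC
- if ((q[j] < ' ') || (q[j] > '~')) l2+=3;
-#else
- if ((os_toascii[q[j]] < os_toascii[' ']) ||
- (os_toascii[q[j]] > os_toascii['~'])) l2+=3;
-#endif
- }
-
- lold=l;
- l+=1+l1+1+l2;
- if (b != NULL)
- {
- if (!BUF_MEM_grow(b,l+1)) goto err;
- p= &(b->data[lold]);
- }
- else if (l > len)
- {
- break;
- }
- else
- p= &(buf[lold]);
- *(p++)='/';
- memcpy(p,s,(unsigned int)l1); p+=l1;
- *(p++)='=';
-
-#ifndef CHARSET_EBCDIC /* q was assigned above already. */
- q=ne->value->data;
-#endif
-
- for (j=0; j<num; j++)
- {
- if (!gs_doit[j&3]) continue;
-#ifndef CHARSET_EBCDIC
- n=q[j];
- if ((n < ' ') || (n > '~'))
- {
- *(p++)='\\';
- *(p++)='x';
- *(p++)=hex[(n>>4)&0x0f];
- *(p++)=hex[n&0x0f];
- }
- else
- *(p++)=n;
-#else
- n=os_toascii[q[j]];
- if ((n < os_toascii[' ']) ||
- (n > os_toascii['~']))
- {
- *(p++)='\\';
- *(p++)='x';
- *(p++)=hex[(n>>4)&0x0f];
- *(p++)=hex[n&0x0f];
- }
- else
- *(p++)=q[j];
-#endif
- }
- *p='\0';
- }
- if (b != NULL)
- {
- p=b->data;
- OPENSSL_free(b);
- }
- else
- p=buf;
- if (i == 0)
- *p = '\0';
- return(p);
-err:
- X509err(X509_F_X509_NAME_ONELINE,ERR_R_MALLOC_FAILURE);
- if (b != NULL) BUF_MEM_free(b);
- return(NULL);
- }
-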
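diff --git a/src/lib/libcrypto/x509/x509_r2x.c b/src/lib/libcrypto/x509/x509_r2x.c
deleted file mode 100644
index 254a14693d..0000000000
--- a/src/lib/libcrypto/x509/x509_r2x.c
+++ /dev/null
@@ -1,114 +0,0 @@
-/* crypto/x509/x509_r2x.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/bn.h>
-#include <openssl/evp.h>
-#include <openssl/asn1.h>
-#include <openssl/x509.h>
-#include <openssl/objects.h>
-#include <openssl/buffer.h>
-
-X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
- {
- X509 *ret=NULL;
- X509_CINF *xi=NULL;
- X509_NAME *xn;
-
- if ((ret=X509_new()) == NULL)
- {
- X509err(X509_F_X509_REQ_TO_X509,ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- /* duplicate the request */
- xi=ret->cert_info;
-
- if (sk_X509_ATTRIBUTE_num(r->req_info->attributes) != 0)
- {
- if ((xi->version=M_ASN1_INTEGER_new()) == NULL) goto err;
- if (!ASN1_INTEGER_set(xi->version,2)) goto err;
-/* xi->extensions=ri->attributes; <- bad, should not ever be done
- ri->attributes=NULL; */
- }
-
- xn=X509_REQ_get_subject_name(r);
- if (X509_set_subject_name(ret,X509_NAME_dup(xn)) == 0)
- goto err;
- if (X509_set_issuer_name(ret,X509_NAME_dup(xn)) == 0)
- goto err;
-
- if (X509_gmtime_adj(xi->validity->notBefore,0) == NULL)
- goto err;
- if (X509_gmtime_adj(xi->validity->notAfter,(long)60*60*24*days) == NULL)
- goto err;
-
- X509_set_pubkey(ret,X509_REQ_get_pubkey(r));
-
- if (!X509_sign(ret,pkey,EVP_md5()))
- goto err;
- if (0)
- {
-err:
- X509_free(ret);
- ret=NULL;
- }
- return(ret);
- }
-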
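--- a/src/lib/libcrypto/x509/x509_req.c
+++ /dev/null
@@ -1,316 +0,0 @@
-/* crypto/x509/x509_req.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/bn.h>
-#include <openssl/evp.h>
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/x509.h>
-#include <openssl/objects.h>
-#include <openssl/buffer.h>
-#include <openssl/pem.h>
-
-X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
- {
- X509_REQ *ret;
- X509_REQ_INFO *ri;
- int i;
- EVP_PKEY *pktmp;
-
- ret=X509_REQ_new();
- if (ret == NULL)
- {
- X509err(X509_F_X509_TO_X509_REQ,ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- ri=ret->req_info;
-
- ri->version->length=1;
- ri->version->data=(unsigned char *)OPENSSL_malloc(1);
- if (ri->version->data == NULL) goto err;
- ri->version->data[0]=0; /* version == 0 */
-
- if (!X509_REQ_set_subject_name(ret,X509_get_subject_name(x)))
- goto err;
-
- pktmp = X509_get_pubkey(x);
- i=X509_REQ_set_pubkey(ret,pktmp);
- EVP_PKEY_free(pktmp);
- if (!i) goto err;
-
- if (pkey != NULL)
- {
- if (!X509_REQ_sign(ret,pkey,md))
- goto err;
- }
- return(ret);
-err:
- X509_REQ_free(ret);
- return(NULL);
- }
-
-EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req)
- {
- if ((req == NULL) || (req->req_info == NULL))
- return(NULL);
- return(X509_PUBKEY_get(req->req_info->pubkey));
- }
-
-int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k)
- {
- EVP_PKEY *xk=NULL;
- int ok=0;
-
- xk=X509_REQ_get_pubkey(x);
- switch (EVP_PKEY_cmp(xk, k))
- {
- case 1:
- ok=1;
- break;
- case 0:
- X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH);
- break;
- case -1:
- X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_KEY_TYPE_MISMATCH);
- break;
- case -2:
-#ifndef OPENSSL_NO_EC
- if (k->type == EVP_PKEY_EC)
- {
- X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY, ERR_R_EC_LIB);
- break;
- }
-#endif
-#ifndef OPENSSL_NO_DH
- if (k->type == EVP_PKEY_DH)
- {
- /* No idea */
- X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY);
- break;
- }
-#endif
- X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE);
- }
-
- EVP_PKEY_free(xk);
- return(ok);
- }
-
-/* It seems several organisations had the same idea of including a list of
- * extensions in a certificate request. There are at least two OIDs that are
- * used and there may be more: so the list is configurable.
- */
-
-static int ext_nid_list[] = { NID_ext_req, NID_ms_ext_req, NID_undef};
-
-static int *ext_nids = ext_nid_list;
-
-int X509_REQ_extension_nid(int req_nid)
-{
- int i, nid;
- for(i = 0; ; i++) {
- nid = ext_nids[i];
- if(nid == NID_undef) return 0;
- else if (req_nid == nid) return 1;
- }
-}
-
-int *X509_REQ_get_extension_nids(void)
-{
- return ext_nids;
-}
-
-void X509_REQ_set_extension_nids(int *nids)
-{
- ext_nids = nids;
-}
-
-STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
- {
- X509_ATTRIBUTE *attr;
- ASN1_TYPE *ext = NULL;
- int idx, *pnid;
- const unsigned char *p;
-
- if ((req == NULL) || (req->req_info == NULL) || !ext_nids)
- return(NULL);
- for (pnid = ext_nids; *pnid != NID_undef; pnid++)
- {
- idx = X509_REQ_get_attr_by_NID(req, *pnid, -1);
- if (idx == -1)
- continue;
- attr = X509_REQ_get_attr(req, idx);
- if(attr->single) ext = attr->value.single;
- else if(sk_ASN1_TYPE_num(attr->value.set))
- ext = sk_ASN1_TYPE_value(attr->value.set, 0);
- break;
- }
- if(!ext || (ext->type != V_ASN1_SEQUENCE))
- return NULL;
- p = ext->value.sequence->data;
- return (STACK_OF(X509_EXTENSION) *)
- ASN1_item_d2i(NULL, &p, ext->value.sequence->length,
- ASN1_ITEM_rptr(X509_EXTENSIONS));
-}
-
-/* Add a STACK_OF extensions to a certificate request: allow alternative OIDs
- * in case we want to create a non standard one.
- */
-
-int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts,
- int nid)
-{
- ASN1_TYPE *at = NULL;
- X509_ATTRIBUTE *attr = NULL;
- if(!(at = ASN1_TYPE_new()) ||
- !(at->value.sequence = ASN1_STRING_new())) goto err;
-
- at->type = V_ASN1_SEQUENCE;
- /* Generate encoding of extensions */
- at->value.sequence->length =
- ASN1_item_i2d((ASN1_VALUE *)exts,
- &at->value.sequence->data,
- ASN1_ITEM_rptr(X509_EXTENSIONS));
- if(!(attr = X509_ATTRIBUTE_new())) goto err;
- if(!(attr->value.set = sk_ASN1_TYPE_new_null())) goto err;
- if(!sk_ASN1_TYPE_push(attr->value.set, at)) goto err;
- at = NULL;
- attr->single = 0;
- attr->object = OBJ_nid2obj(nid);
- if (!req->req_info->attributes)
- {
- if (!(req->req_info->attributes = sk_X509_ATTRIBUTE_new_null()))
- goto err;
- }
- if(!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) goto err;
- return 1;
- err:
- X509_ATTRIBUTE_free(attr);
- ASN1_TYPE_free(at);
- return 0;
-}
-/* This is the normal usage: use the "official" OID */
-int X509_REQ_add_extensions(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts)
-{
- return X509_REQ_add_extensions_nid(req, exts, NID_ext_req);
-}
-
-/* Request attribute functions */
-
-int X509_REQ_get_attr_count(const X509_REQ *req)
-{
- return X509at_get_attr_count(req->req_info->attributes);
-}
-
-int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid,
- int lastpos)
-{
- return X509at_get_attr_by_NID(req->req_info->attributes, nid, lastpos);
-}
-
-int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, ASN1_OBJECT *obj,
- int lastpos)
-{
- return X509at_get_attr_by_OBJ(req->req_info->attributes, obj, lastpos);
-}
-
-X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc)
-{
- return X509at_get_attr(req->req_info->attributes, loc);
-}
-
-X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc)
-{
- return X509at_delete_attr(req->req_info->attributes, loc);
-}
-
-int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr)
-{
- if(X509at_add1_attr(&req->req_info->attributes, attr)) return 1;
- return 0;
-}
-
-int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
- const ASN1_OBJECT *obj, int type,
- const unsigned char *bytes, int len)
-{
- if(X509at_add1_attr_by_OBJ(&req->req_info->attributes, obj,
- type, bytes, len)) return 1;
- return 0;
-}
-
-int X509_REQ_add1_attr_by_NID(X509_REQ *req,
- int nid, int type,
- const unsigned char *bytes, int len)
-{
- if(X509at_add1_attr_by_NID(&req->req_info->attributes, nid,
- type, bytes, len)) return 1;
- return 0;
-}
-
-int X509_REQ_add1_attr_by_txt(X509_REQ *req,
- const char *attrname, int type,
- const unsigned char *bytes, int len)
-{
- if(X509at_add1_attr_by_txt(&req->req_info->attributes, attrname,
- type, bytes, len)) return 1;
- return 0;
-}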
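--- a/src/lib/libcrypto/x509/x509_set.c
+++ /dev/null
@@ -1,150 +0,0 @@
-/* crypto/x509/x509_set.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/asn1.h>
-#include <openssl/objects.h>
-#include <openssl/evp.h>
-#include <openssl/x509.h>
-
-int X509_set_version(X509 *x, long version)
- {
- if (x == NULL) return(0);
- if (x->cert_info->version == NULL)
- {
- if ((x->cert_info->version=M_ASN1_INTEGER_new()) == NULL)
- return(0);
- }
- return(ASN1_INTEGER_set(x->cert_info->version,version));
- }
-
-int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial)
- {
- ASN1_INTEGER *in;
-
- if (x == NULL) return(0);
- in=x->cert_info->serialNumber;
- if (in != serial)
- {
- in=M_ASN1_INTEGER_dup(serial);
- if (in != NULL)
- {
- M_ASN1_INTEGER_free(x->cert_info->serialNumber);
- x->cert_info->serialNumber=in;
- }
- }
- return(in != NULL);
- }
-
-int X509_set_issuer_name(X509 *x, X509_NAME *name)
- {
- if ((x == NULL) || (x->cert_info == NULL)) return(0);
- return(X509_NAME_set(&x->cert_info->issuer,name));
- }
-
-int X509_set_subject_name(X509 *x, X509_NAME *name)
- {
- if ((x == NULL) || (x->cert_info == NULL)) return(0);
- return(X509_NAME_set(&x->cert_info->subject,name));
- }
-
-int X509_set_notBefore(X509 *x, const ASN1_TIME *tm)
- {
- ASN1_TIME *in;
-
- if ((x == NULL) || (x->cert_info->validity == NULL)) return(0);
- in=x->cert_info->validity->notBefore;
- if (in != tm)
- {
- in=M_ASN1_TIME_dup(tm);
- if (in != NULL)
- {
- M_ASN1_TIME_free(x->cert_info->validity->notBefore);
- x->cert_info->validity->notBefore=in;
- }
- }
- return(in != NULL);
- }
-
-int X509_set_notAfter(X509 *x, const ASN1_TIME *tm)
- {
- ASN1_TIME *in;
-
- if ((x == NULL) || (x->cert_info->validity == NULL)) return(0);
- in=x->cert_info->validity->notAfter;
- if (in != tm)
- {
- in=M_ASN1_TIME_dup(tm);
- if (in != NULL)
- {
- M_ASN1_TIME_free(x->cert_info->validity->notAfter);
- x->cert_info->validity->notAfter=in;
- }
- }
- return(in != NULL);
- }
-
-int X509_set_pubkey(X509 *x, EVP_PKEY *pkey)
- {
- if ((x == NULL) || (x->cert_info == NULL)) return(0);
- return(X509_PUBKEY_set(&(x->cert_info->key),pkey));
- }
-
-
-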
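--- a/src/lib/libcrypto/x509/x509_trs.c
+++ /dev/null
@@ -1,288 +0,0 @@
-/* x509_trs.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/x509v3.h>
-
-
-static int tr_cmp(const X509_TRUST * const *a,
- const X509_TRUST * const *b);
-static void trtable_free(X509_TRUST *p);
-
-static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags);
-static int trust_1oid(X509_TRUST *trust, X509 *x, int flags);
-static int trust_compat(X509_TRUST *trust, X509 *x, int flags);
-
-static int obj_trust(int id, X509 *x, int flags);
-static int (*default_trust)(int id, X509 *x, int flags) = obj_trust;
-
-/* WARNING: the following table should be kept in order of trust
- * and without any gaps so we can just subtract the minimum trust
- * value to get an index into the table
- */
-
-static X509_TRUST trstandard[] = {
-{X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL},
-{X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL},
-{X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL},
-{X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL},
-{X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, "Object Signer", NID_code_sign, NULL},
-{X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL},
-{X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL},
-{X509_TRUST_TSA, 0, trust_1oidany, "TSA server", NID_time_stamp, NULL}
-};
-
-#define X509_TRUST_COUNT (sizeof(trstandard)/sizeof(X509_TRUST))
-
-IMPLEMENT_STACK_OF(X509_TRUST)
-
-static STACK_OF(X509_TRUST) *trtable = NULL;
-
-static int tr_cmp(const X509_TRUST * const *a,
- const X509_TRUST * const *b)
-{
- return (*a)->trust - (*b)->trust;
-}
-
-int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int)
-{
- int (*oldtrust)(int , X509 *, int);
- oldtrust = default_trust;
- default_trust = trust;
- return oldtrust;
-}
-
-
-int X509_check_trust(X509 *x, int id, int flags)
-{
- X509_TRUST *pt;
- int idx;
- if(id == -1) return 1;
- idx = X509_TRUST_get_by_id(id);
- if(idx == -1) return default_trust(id, x, flags);
- pt = X509_TRUST_get0(idx);
- return pt->check_trust(pt, x, flags);
-}
-
-int X509_TRUST_get_count(void)
-{
- if(!trtable) return X509_TRUST_COUNT;
- return sk_X509_TRUST_num(trtable) + X509_TRUST_COUNT;
-}
-
-X509_TRUST * X509_TRUST_get0(int idx)
-{
- if(idx < 0) return NULL;
- if(idx < (int)X509_TRUST_COUNT) return trstandard + idx;
- return sk_X509_TRUST_value(trtable, idx - X509_TRUST_COUNT);
-}
-
-int X509_TRUST_get_by_id(int id)
-{
- X509_TRUST tmp;
- int idx;
- if((id >= X509_TRUST_MIN) && (id <= X509_TRUST_MAX))
- return id - X509_TRUST_MIN;
- tmp.trust = id;
- if(!trtable) return -1;
- idx = sk_X509_TRUST_find(trtable, &tmp);
- if(idx == -1) return -1;
- return idx + X509_TRUST_COUNT;
-}
-
-int X509_TRUST_set(int *t, int trust)
-{
- if(X509_TRUST_get_by_id(trust) == -1) {
- X509err(X509_F_X509_TRUST_SET, X509_R_INVALID_TRUST);
- return 0;
- }
- *t = trust;
- return 1;
-}
-
-int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
- char *name, int arg1, void *arg2)
-{
- int idx;
- X509_TRUST *trtmp;
- /* This is set according to what we change: application can't set it */
- flags &= ~X509_TRUST_DYNAMIC;
- /* This will always be set for application modified trust entries */
- flags |= X509_TRUST_DYNAMIC_NAME;
- /* Get existing entry if any */
- idx = X509_TRUST_get_by_id(id);
- /* Need a new entry */
- if(idx == -1) {
- if(!(trtmp = OPENSSL_malloc(sizeof(X509_TRUST)))) {
- X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
- return 0;
- }
- trtmp->flags = X509_TRUST_DYNAMIC;
- } else trtmp = X509_TRUST_get0(idx);
-
- /* OPENSSL_free existing name if dynamic */
- if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) OPENSSL_free(trtmp->name);
- /* dup supplied name */
- if(!(trtmp->name = BUF_strdup(name))) {
- X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
- return 0;
- }
- /* Keep the dynamic flag of existing entry */
- trtmp->flags &= X509_TRUST_DYNAMIC;
- /* Set all other flags */
- trtmp->flags |= flags;
-
- trtmp->trust = id;
- trtmp->check_trust = ck;
- trtmp->arg1 = arg1;
- trtmp->arg2 = arg2;
-
- /* If its a new entry manage the dynamic table */
- if(idx == -1) {
- if(!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) {
- X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
- return 0;
- }
- if (!sk_X509_TRUST_push(trtable, trtmp)) {
- X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
- return 0;
- }
- }
- return 1;
-}
-
-static void trtable_free(X509_TRUST *p)
- {
- if(!p) return;
- if (p->flags & X509_TRUST_DYNAMIC)
- {
- if (p->flags & X509_TRUST_DYNAMIC_NAME)
- OPENSSL_free(p->name);
- OPENSSL_free(p);
- }
- }
-
-void X509_TRUST_cleanup(void)
-{
- unsigned int i;
- for(i = 0; i < X509_TRUST_COUNT; i++) trtable_free(trstandard + i);
- sk_X509_TRUST_pop_free(trtable, trtable_free);
- trtable = NULL;
-}
-
-int X509_TRUST_get_flags(X509_TRUST *xp)
-{
- return xp->flags;
-}
-
-char *X509_TRUST_get0_name(X509_TRUST *xp)
-{
- return xp->name;
-}
-
-int X509_TRUST_get_trust(X509_TRUST *xp)
-{
- return xp->trust;
-}
-
-static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags)
-{
- if(x->aux && (x->aux->trust || x->aux->reject))
- return obj_trust(trust->arg1, x, flags);
- /* we don't have any trust settings: for compatibility
- * we return trusted if it is self signed
- */
- return trust_compat(trust, x, flags);
-}
-
-static int trust_1oid(X509_TRUST *trust, X509 *x, int flags)
-{
- if(x->aux) return obj_trust(trust->arg1, x, flags);
- return X509_TRUST_UNTRUSTED;
-}
-
-static int trust_compat(X509_TRUST *trust, X509 *x, int flags)
-{
- X509_check_purpose(x, -1, 0);
- if(x->ex_flags & EXFLAG_SS) return X509_TRUST_TRUSTED;
- else return X509_TRUST_UNTRUSTED;
-}
-
-static int obj_trust(int id, X509 *x, int flags)
-{
- ASN1_OBJECT *obj;
- int i;
- X509_CERT_AUX *ax;
- ax = x->aux;
- if(!ax) return X509_TRUST_UNTRUSTED;
- if(ax->reject) {
- for(i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {
- obj = sk_ASN1_OBJECT_value(ax->reject, i);
- if(OBJ_obj2nid(obj) == id) return X509_TRUST_REJECTED;
- }
- }
- if(ax->trust) {
- for(i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
- obj = sk_ASN1_OBJECT_value(ax->trust, i);
- if(OBJ_obj2nid(obj) == id) return X509_TRUST_TRUSTED;
- }
- }
- return X509_TRUST_UNTRUSTED;
-}
-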
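--- a/src/lib/libcrypto/x509/x509_txt.c
+++ /dev/null
@@ -1,193 +0,0 @@
-/* crypto/x509/x509_txt.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <time.h>
-#include <errno.h>
-
-#include "cryptlib.h"
-#include <openssl/lhash.h>
-#include <openssl/buffer.h>
-#include <openssl/evp.h>
-#include <openssl/asn1.h>
-#include <openssl/x509.h>
-#include <openssl/objects.h>
-
-const char *X509_verify_cert_error_string(long n)
- {
- static char buf[100];
-
- switch ((int)n)
- {
- case X509_V_OK:
- return("ok");
- case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
- return("unable to get issuer certificate");
- case X509_V_ERR_UNABLE_TO_GET_CRL:
- return("unable to get certificate CRL");
- case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
- return("unable to decrypt certificate's signature");
- case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
- return("unable to decrypt CRL's signature");
- case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
- return("unable to decode issuer public key");
- case X509_V_ERR_CERT_SIGNATURE_FAILURE:
- return("certificate signature failure");
- case X509_V_ERR_CRL_SIGNATURE_FAILURE:
- return("CRL signature failure");
- case X509_V_ERR_CERT_NOT_YET_VALID:
- return("certificate is not yet valid");
- case X509_V_ERR_CRL_NOT_YET_VALID:
- return("CRL is not yet valid");
- case X509_V_ERR_CERT_HAS_EXPIRED:
- return("certificate has expired");
- case X509_V_ERR_CRL_HAS_EXPIRED:
- return("CRL has expired");
- case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
- return("format error in certificate's notBefore field");
- case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
- return("format error in certificate's notAfter field");
- case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
- return("format error in CRL's lastUpdate field");
- case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
- return("format error in CRL's nextUpdate field");
- case X509_V_ERR_OUT_OF_MEM:
- return("out of memory");
- case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
- return("self signed certificate");
- case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
- return("self signed certificate in certificate chain");
- case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
- return("unable to get local issuer certificate");
- case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
- return("unable to verify the first certificate");
- case X509_V_ERR_CERT_CHAIN_TOO_LONG:
- return("certificate chain too long");
- case X509_V_ERR_CERT_REVOKED:
- return("certificate revoked");
- case X509_V_ERR_INVALID_CA:
- return ("invalid CA certificate");
- case X509_V_ERR_INVALID_NON_CA:
- return ("invalid non-CA certificate (has CA markings)");
- case X509_V_ERR_PATH_LENGTH_EXCEEDED:
- return ("path length constraint exceeded");
- case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
- return("proxy path length constraint exceeded");
- case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
- return("proxy certificates not allowed, please set the appropriate flag");
- case X509_V_ERR_INVALID_PURPOSE:
- return ("unsupported certificate purpose");
- case X509_V_ERR_CERT_UNTRUSTED:
- return ("certificate not trusted");
- case X509_V_ERR_CERT_REJECTED:
- return ("certificate rejected");
- case X509_V_ERR_APPLICATION_VERIFICATION:
- return("application verification failure");
- case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
- return("subject issuer mismatch");
- case X509_V_ERR_AKID_SKID_MISMATCH:
- return("authority and subject key identifier mismatch");
- case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
- return("authority and issuer serial number mismatch");
- case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
- return("key usage does not include certificate signing");
- case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
- return("unable to get CRL issuer certificate");
- case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
- return("unhandled critical extension");
- case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
- return("key usage does not include CRL signing");
- case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
- return("key usage does not include digital signature");
- case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
- return("unhandled critical CRL extension");
- case X509_V_ERR_INVALID_EXTENSION:
- return("invalid or inconsistent certificate extension");
- case X509_V_ERR_INVALID_POLICY_EXTENSION:
- return("invalid or inconsistent certificate policy extension");
- case X509_V_ERR_NO_EXPLICIT_POLICY:
- return("no explicit policy");
- case X509_V_ERR_DIFFERENT_CRL_SCOPE:
- return("Different CRL scope");
- case X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE:
- return("Unsupported extension feature");
- case X509_V_ERR_UNNESTED_RESOURCE:
- return("RFC 3779 resource not subset of parent's resources");
-
- case X509_V_ERR_PERMITTED_VIOLATION:
- return("permitted subtree violation");
- case X509_V_ERR_EXCLUDED_VIOLATION:
- return("excluded subtree violation");
- case X509_V_ERR_SUBTREE_MINMAX:
- return("name constraints minimum and maximum not supported");
- case X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE:
- return("unsupported name constraint type");
- case X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX:
- return("unsupported or invalid name constraint syntax");
- case X509_V_ERR_UNSUPPORTED_NAME_SYNTAX:
- return("unsupported or invalid name syntax");
- case X509_V_ERR_CRL_PATH_VALIDATION_ERROR:
- return("CRL path validation error");
-
- default:
- BIO_snprintf(buf,sizeof buf,"error number %ld",n);
- return(buf);
- }
- }
-
-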
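diff --git a/src/lib/libcrypto/x509/x509_v3.c b/src/lib/libcrypto/x509/x509_v3.c
deleted file mode 100644
index 42e6f0ab05..0000000000
--- a/src/lib/libcrypto/x509/x509_v3.c
+++ /dev/null
@@ -1,274 +0,0 @@
-/* crypto/x509/x509_v3.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <openssl/stack.h>
-#include "cryptlib.h"
-#include <openssl/asn1.h>
-#include <openssl/objects.h>
-#include <openssl/evp.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x)
- {
- if (x == NULL) return(0);
- return(sk_X509_EXTENSION_num(x));
- }
-
-int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid,
- int lastpos)
- {
- ASN1_OBJECT *obj;
-
- obj=OBJ_nid2obj(nid);
- if (obj == NULL) return(-2);
- return(X509v3_get_ext_by_OBJ(x,obj,lastpos));
- }
-
-int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj,
- int lastpos)
- {
- int n;
- X509_EXTENSION *ex;
-
- if (sk == NULL) return(-1);
- lastpos++;
- if (lastpos < 0)
- lastpos=0;
- n=sk_X509_EXTENSION_num(sk);
- for ( ; lastpos < n; lastpos++)
- {
- ex=sk_X509_EXTENSION_value(sk,lastpos);
- if (OBJ_cmp(ex->object,obj) == 0)
- return(lastpos);
- }
- return(-1);
- }
-
-int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit,
- int lastpos)
- {
- int n;
- X509_EXTENSION *ex;
-
- if (sk == NULL) return(-1);
- lastpos++;
- if (lastpos < 0)
- lastpos=0;
- n=sk_X509_EXTENSION_num(sk);
- for ( ; lastpos < n; lastpos++)
- {
- ex=sk_X509_EXTENSION_value(sk,lastpos);
- if ( ((ex->critical > 0) && crit) ||
- ((ex->critical <= 0) && !crit))
- return(lastpos);
- }
- return(-1);
- }
-
-X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc)
- {
- if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0)
- return NULL;
- else
- return sk_X509_EXTENSION_value(x,loc);
- }
-
-X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc)
- {
- X509_EXTENSION *ret;
-
- if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0)
- return(NULL);
- ret=sk_X509_EXTENSION_delete(x,loc);
- return(ret);
- }
-
-STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x,
- X509_EXTENSION *ex, int loc)
- {
- X509_EXTENSION *new_ex=NULL;
- int n;
- STACK_OF(X509_EXTENSION) *sk=NULL;
-
- if (x == NULL)
- {
- X509err(X509_F_X509V3_ADD_EXT,ERR_R_PASSED_NULL_PARAMETER);
- goto err2;
- }
-
- if (*x == NULL)
- {
- if ((sk=sk_X509_EXTENSION_new_null()) == NULL)
- goto err;
- }
- else
- sk= *x;
-
- n=sk_X509_EXTENSION_num(sk);
- if (loc > n) loc=n;
- else if (loc < 0) loc=n;
-
- if ((new_ex=X509_EXTENSION_dup(ex)) == NULL)
- goto err2;
- if (!sk_X509_EXTENSION_insert(sk,new_ex,loc))
- goto err;
- if (*x == NULL)
- *x=sk;
- return(sk);
-err:
- X509err(X509_F_X509V3_ADD_EXT,ERR_R_MALLOC_FAILURE);
-err2:
- if (new_ex != NULL) X509_EXTENSION_free(new_ex);
- if (sk != NULL) sk_X509_EXTENSION_free(sk);
- return(NULL);
- }
-
-X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid,
- int crit, ASN1_OCTET_STRING *data)
- {
- ASN1_OBJECT *obj;
- X509_EXTENSION *ret;
-
- obj=OBJ_nid2obj(nid);
- if (obj == NULL)
- {
- X509err(X509_F_X509_EXTENSION_CREATE_BY_NID,X509_R_UNKNOWN_NID);
- return(NULL);
- }
- ret=X509_EXTENSION_create_by_OBJ(ex,obj,crit,data);
- if (ret == NULL) ASN1_OBJECT_free(obj);
- return(ret);
- }
-
-X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex,
- ASN1_OBJECT *obj, int crit, ASN1_OCTET_STRING *data)
- {
- X509_EXTENSION *ret;
-
- if ((ex == NULL) || (*ex == NULL))
- {
- if ((ret=X509_EXTENSION_new()) == NULL)
- {
- X509err(X509_F_X509_EXTENSION_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE);
- return(NULL);
- }
- }
- else
- ret= *ex;
-
- if (!X509_EXTENSION_set_object(ret,obj))
- goto err;
- if (!X509_EXTENSION_set_critical(ret,crit))
- goto err;
- if (!X509_EXTENSION_set_data(ret,data))
- goto err;
-
- if ((ex != NULL) && (*ex == NULL)) *ex=ret;
- return(ret);
-err:
- if ((ex == NULL) || (ret != *ex))
- X509_EXTENSION_free(ret);
- return(NULL);
- }
-
-int X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj)
- {
- if ((ex == NULL) || (obj == NULL))
- return(0);
- ASN1_OBJECT_free(ex->object);
- ex->object=OBJ_dup(obj);
- return(1);
- }
-
-int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit)
- {
- if (ex == NULL) return(0);
- ex->critical=(crit)?0xFF:-1;
- return(1);
- }
-
-int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data)
- {
- int i;
-
- if (ex == NULL) return(0);
- i=M_ASN1_OCTET_STRING_set(ex->value,data->data,data->length);
- if (!i) return(0);
- return(1);
- }
-
-ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex)
- {
- if (ex == NULL) return(NULL);
- return(ex->object);
- }
-
-ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ex)
- {
- if (ex == NULL) return(NULL);
- return(ex->value);
- }
-
-int X509_EXTENSION_get_critical(X509_EXTENSION *ex)
- {
- if (ex == NULL) return(0);
- if(ex->critical > 0) return 1;
- return 0;
- }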
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
deleted file mode 100644
index b0779db023..0000000000
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ /dev/null
@@ -1,2214 +0,0 @@
1/* crypto/x509/x509_vfy.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <time.h>
61#include <errno.h>
62
63#include "cryptlib.h"
64#include <openssl/crypto.h>
65#include <openssl/lhash.h>
66#include <openssl/buffer.h>
67#include <openssl/evp.h>
68#include <openssl/asn1.h>
69#include <openssl/x509.h>
70#include <openssl/x509v3.h>
71#include <openssl/objects.h>
72
73/* CRL score values */
74
75/* No unhandled critical extensions */
76
77#define CRL_SCORE_NOCRITICAL 0x100
78
79/* certificate is within CRL scope */
80
81#define CRL_SCORE_SCOPE 0x080
82
83/* CRL times valid */
84
85#define CRL_SCORE_TIME 0x040
86
87/* Issuer name matches certificate */
88
89#define CRL_SCORE_ISSUER_NAME 0x020
90
91/* If this score or above CRL is probably valid */
92
93#define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE)
94
95/* CRL issuer is certificate issuer */
96
97#define CRL_SCORE_ISSUER_CERT 0x018
98
99/* CRL issuer is on certificate path */
100
101#define CRL_SCORE_SAME_PATH 0x008
102
103/* CRL issuer matches CRL AKID */
104
105#define CRL_SCORE_AKID 0x004
106
107/* Have a delta CRL with valid times */
108
109#define CRL_SCORE_TIME_DELTA 0x002
110
111static int null_callback(int ok,X509_STORE_CTX *e);
112static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
113static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
114static int check_chain_extensions(X509_STORE_CTX *ctx);
115static int check_name_constraints(X509_STORE_CTX *ctx);
116static int check_trust(X509_STORE_CTX *ctx);
117static int check_revocation(X509_STORE_CTX *ctx);
118static int check_cert(X509_STORE_CTX *ctx);
119static int check_policy(X509_STORE_CTX *ctx);
120
121static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
122 unsigned int *preasons,
123 X509_CRL *crl, X509 *x);
124static int get_crl_delta(X509_STORE_CTX *ctx,
125 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x);
126static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score,
127 X509_CRL *base, STACK_OF(X509_CRL) *crls);
128static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
129 X509 **pissuer, int *pcrl_score);
130static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
131 unsigned int *preasons);
132static int check_crl_path(X509_STORE_CTX *ctx, X509 *x);
133static int check_crl_chain(X509_STORE_CTX *ctx,
134 STACK_OF(X509) *cert_path,
135 STACK_OF(X509) *crl_path);
136
137static int internal_verify(X509_STORE_CTX *ctx);
138const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT;
139
140
141static int null_callback(int ok, X509_STORE_CTX *e)
142 {
143 return ok;
144 }
145
146#if 0
147static int x509_subject_cmp(X509 **a, X509 **b)
148 {
149 return X509_subject_name_cmp(*a,*b);
150 }
151#endif
152
153int X509_verify_cert(X509_STORE_CTX *ctx)
154 {
155 X509 *x,*xtmp,*chain_ss=NULL;
156 int bad_chain = 0;
157 X509_VERIFY_PARAM *param = ctx->param;
158 int depth,i,ok=0;
159 int num;
160 int (*cb)(int xok,X509_STORE_CTX *xctx);
161 STACK_OF(X509) *sktmp=NULL;
162 if (ctx->cert == NULL)
163 {
164 X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
165 return -1;
166 }
167
168 cb=ctx->verify_cb;
169
170 /* first we make sure the chain we are going to build is
171 * present and that the first entry is in place */
172 if (ctx->chain == NULL)
173 {
174 if ( ((ctx->chain=sk_X509_new_null()) == NULL) ||
175 (!sk_X509_push(ctx->chain,ctx->cert)))
176 {
177 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
178 goto end;
179 }
180 CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
181 ctx->last_untrusted=1;
182 }
183
184 /* We use a temporary STACK so we can chop and hack at it */
185 if (ctx->untrusted != NULL
186 && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL)
187 {
188 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
189 goto end;
190 }
191
192 num=sk_X509_num(ctx->chain);
193 x=sk_X509_value(ctx->chain,num-1);
194 depth=param->depth;
195
196
197 for (;;)
198 {
199 /* If we have enough, we break */
200 if (depth < num) break; /* FIXME: If this happens, we should take
201 * note of it and, if appropriate, use the
202 * X509_V_ERR_CERT_CHAIN_TOO_LONG error
203 * code later.
204 */
205
206 /* If we are self signed, we break */
207 if (ctx->check_issued(ctx, x,x)) break;
208
209 /* If we were passed a cert chain, use it first */
210 if (ctx->untrusted != NULL)
211 {
212 xtmp=find_issuer(ctx, sktmp,x);
213 if (xtmp != NULL)
214 {
215 if (!sk_X509_push(ctx->chain,xtmp))
216 {
217 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
218 goto end;
219 }
220 CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509);
221 (void)sk_X509_delete_ptr(sktmp,xtmp);
222 ctx->last_untrusted++;
223 x=xtmp;
224 num++;
225 /* reparse the full chain for
226 * the next one */
227 continue;
228 }
229 }
230 break;
231 }
232
233 /* at this point, chain should contain a list of untrusted
234 * certificates. We now need to add at least one trusted one,
235 * if possible, otherwise we complain. */
236
237 /* Examine last certificate in chain and see if it
238 * is self signed.
239 */
240
241 i=sk_X509_num(ctx->chain);
242 x=sk_X509_value(ctx->chain,i-1);
243 if (ctx->check_issued(ctx, x, x))
244 {
245 /* we have a self signed certificate */
246 if (sk_X509_num(ctx->chain) == 1)
247 {
248 /* We have a single self signed certificate: see if
249 * we can find it in the store. We must have an exact
250 * match to avoid possible impersonation.
251 */
252 ok = ctx->get_issuer(&xtmp, ctx, x);
253 if ((ok <= 0) || X509_cmp(x, xtmp))
254 {
255 ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
256 ctx->current_cert=x;
257 ctx->error_depth=i-1;
258 if (ok == 1) X509_free(xtmp);
259 bad_chain = 1;
260 ok=cb(0,ctx);
261 if (!ok) goto end;
262 }
263 else
264 {
265 /* We have a match: replace certificate with store version
266 * so we get any trust settings.
267 */
268 X509_free(x);
269 x = xtmp;
270 (void)sk_X509_set(ctx->chain, i - 1, x);
271 ctx->last_untrusted=0;
272 }
273 }
274 else
275 {
276 /* extract and save self signed certificate for later use */
277 chain_ss=sk_X509_pop(ctx->chain);
278 ctx->last_untrusted--;
279 num--;
280 x=sk_X509_value(ctx->chain,num-1);
281 }
282 }
283
284 /* We now lookup certs from the certificate store */
285 for (;;)
286 {
287 /* If we have enough, we break */
288 if (depth < num) break;
289
290 /* If we are self signed, we break */
291 if (ctx->check_issued(ctx,x,x)) break;
292
293 ok = ctx->get_issuer(&xtmp, ctx, x);
294
295 if (ok < 0) return ok;
296 if (ok == 0) break;
297
298 x = xtmp;
299 if (!sk_X509_push(ctx->chain,x))
300 {
301 X509_free(xtmp);
302 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
303 return 0;
304 }
305 num++;
306 }
307
308 /* we now have our chain, lets check it... */
309
310 /* Is last certificate looked up self signed? */
311 if (!ctx->check_issued(ctx,x,x))
312 {
313 if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss))
314 {
315 if (ctx->last_untrusted >= num)
316 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
317 else
318 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
319 ctx->current_cert=x;
320 }
321 else
322 {
323
324 sk_X509_push(ctx->chain,chain_ss);
325 num++;
326 ctx->last_untrusted=num;
327 ctx->current_cert=chain_ss;
328 ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
329 chain_ss=NULL;
330 }
331
332 ctx->error_depth=num-1;
333 bad_chain = 1;
334 ok=cb(0,ctx);
335 if (!ok) goto end;
336 }
337
338 /* We have the chain complete: now we need to check its purpose */
339 ok = check_chain_extensions(ctx);
340
341 if (!ok) goto end;
342
343 /* Check name constraints */
344
345 ok = check_name_constraints(ctx);
346
347 if (!ok) goto end;
348
349 /* The chain extensions are OK: check trust */
350
351 if (param->trust > 0) ok = check_trust(ctx);
352
353 if (!ok) goto end;
354
355 /* We may as well copy down any DSA parameters that are required */
356 X509_get_pubkey_parameters(NULL,ctx->chain);
357
358 /* Check revocation status: we do this after copying parameters
359 * because they may be needed for CRL signature verification.
360 */
361
362 ok = ctx->check_revocation(ctx);
363 if(!ok) goto end;
364
365 /* At this point, we have a chain and need to verify it */
366 if (ctx->verify != NULL)
367 ok=ctx->verify(ctx);
368 else
369 ok=internal_verify(ctx);
370 if(!ok) goto end;
371
372#ifndef OPENSSL_NO_RFC3779
373 /* RFC 3779 path validation, now that CRL check has been done */
374 ok = v3_asid_validate_path(ctx);
375 if (!ok) goto end;
376 ok = v3_addr_validate_path(ctx);
377 if (!ok) goto end;
378#endif
379
380 /* If we get this far evaluate policies */
381 if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
382 ok = ctx->check_policy(ctx);
383 if(!ok) goto end;
384 if (0)
385 {
386end:
387 X509_get_pubkey_parameters(NULL,ctx->chain);
388 }
389 if (sktmp != NULL) sk_X509_free(sktmp);
390 if (chain_ss != NULL) X509_free(chain_ss);
391 return ok;
392 }
393
394
395/* Given a STACK_OF(X509) find the issuer of cert (if any)
396 */
397
398static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
399{
400 int i;
401 X509 *issuer;
402 for (i = 0; i < sk_X509_num(sk); i++)
403 {
404 issuer = sk_X509_value(sk, i);
405 if (ctx->check_issued(ctx, x, issuer))
406 return issuer;
407 }
408 return NULL;
409}
410
411/* Given a possible certificate and issuer check them */
412
413static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
414{
415 int ret;
416 ret = X509_check_issued(issuer, x);
417 if (ret == X509_V_OK)
418 return 1;
419 /* If we haven't asked for issuer errors don't set ctx */
420 if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK))
421 return 0;
422
423 ctx->error = ret;
424 ctx->current_cert = x;
425 ctx->current_issuer = issuer;
426 return ctx->verify_cb(0, ctx);
427 return 0;
428}
429
430/* Alternative lookup method: look from a STACK stored in other_ctx */
431
432static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
433{
434 *issuer = find_issuer(ctx, ctx->other_ctx, x);
435 if (*issuer)
436 {
437 CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509);
438 return 1;
439 }
440 else
441 return 0;
442}
443
444
445/* Check a certificate chains extensions for consistency
446 * with the supplied purpose
447 */
448
449static int check_chain_extensions(X509_STORE_CTX *ctx)
450{
451#ifdef OPENSSL_NO_CHAIN_VERIFY
452 return 1;
453#else
454 int i, ok=0, must_be_ca, plen = 0;
455 X509 *x;
456 int (*cb)(int xok,X509_STORE_CTX *xctx);
457 int proxy_path_length = 0;
458 int purpose;
459 int allow_proxy_certs;
460 cb=ctx->verify_cb;
461
462 /* must_be_ca can have 1 of 3 values:
463 -1: we accept both CA and non-CA certificates, to allow direct
464 use of self-signed certificates (which are marked as CA).
465 0: we only accept non-CA certificates. This is currently not
466 used, but the possibility is present for future extensions.
467 1: we only accept CA certificates. This is currently used for
468 all certificates in the chain except the leaf certificate.
469 */
470 must_be_ca = -1;
471
472 /* CRL path validation */
473 if (ctx->parent)
474 {
475 allow_proxy_certs = 0;
476 purpose = X509_PURPOSE_CRL_SIGN;
477 }
478 else
479 {
480 allow_proxy_certs =
481 !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
482 /* A hack to keep people who don't want to modify their
483 software happy */
484 if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
485 allow_proxy_certs = 1;
486 purpose = ctx->param->purpose;
487 }
488
489 /* Check all untrusted certificates */
490 for (i = 0; i < ctx->last_untrusted; i++)
491 {
492 int ret;
493 x = sk_X509_value(ctx->chain, i);
494 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
495 && (x->ex_flags & EXFLAG_CRITICAL))
496 {
497 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
498 ctx->error_depth = i;
499 ctx->current_cert = x;
500 ok=cb(0,ctx);
501 if (!ok) goto end;
502 }
503 if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY))
504 {
505 ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
506 ctx->error_depth = i;
507 ctx->current_cert = x;
508 ok=cb(0,ctx);
509 if (!ok) goto end;
510 }
511 ret = X509_check_ca(x);
512 switch(must_be_ca)
513 {
514 case -1:
515 if ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
516 && (ret != 1) && (ret != 0))
517 {
518 ret = 0;
519 ctx->error = X509_V_ERR_INVALID_CA;
520 }
521 else
522 ret = 1;
523 break;
524 case 0:
525 if (ret != 0)
526 {
527 ret = 0;
528 ctx->error = X509_V_ERR_INVALID_NON_CA;
529 }
530 else
531 ret = 1;
532 break;
533 default:
534 if ((ret == 0)
535 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
536 && (ret != 1)))
537 {
538 ret = 0;
539 ctx->error = X509_V_ERR_INVALID_CA;
540 }
541 else
542 ret = 1;
543 break;
544 }
545 if (ret == 0)
546 {
547 ctx->error_depth = i;
548 ctx->current_cert = x;
549 ok=cb(0,ctx);
550 if (!ok) goto end;
551 }
552 if (ctx->param->purpose > 0)
553 {
554 ret = X509_check_purpose(x, purpose, must_be_ca > 0);
555 if ((ret == 0)
556 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
557 && (ret != 1)))
558 {
559 ctx->error = X509_V_ERR_INVALID_PURPOSE;
560 ctx->error_depth = i;
561 ctx->current_cert = x;
562 ok=cb(0,ctx);
563 if (!ok) goto end;
564 }
565 }
566 /* Check pathlen if not self issued */
567 if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
568 && (x->ex_pathlen != -1)
569 && (plen > (x->ex_pathlen + proxy_path_length + 1)))
570 {
571 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
572 ctx->error_depth = i;
573 ctx->current_cert = x;
574 ok=cb(0,ctx);
575 if (!ok) goto end;
576 }
577 /* Increment path length if not self issued */
578 if (!(x->ex_flags & EXFLAG_SI))
579 plen++;
580 /* If this certificate is a proxy certificate, the next
581 certificate must be another proxy certificate or a EE
582 certificate. If not, the next certificate must be a
583 CA certificate. */
584 if (x->ex_flags & EXFLAG_PROXY)
585 {
586 if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen)
587 {
588 ctx->error =
589 X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
590 ctx->error_depth = i;
591 ctx->current_cert = x;
592 ok=cb(0,ctx);
593 if (!ok) goto end;
594 }
595 proxy_path_length++;
596 must_be_ca = 0;
597 }
598 else
599 must_be_ca = 1;
600 }
601 ok = 1;
602 end:
603 return ok;
604#endif
605}
606
607static int check_name_constraints(X509_STORE_CTX *ctx)
608 {
609 X509 *x;
610 int i, j, rv;
611 /* Check name constraints for all certificates */
612 for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
613 {
614 x = sk_X509_value(ctx->chain, i);
615 /* Ignore self issued certs unless last in chain */
616 if (i && (x->ex_flags & EXFLAG_SI))
617 continue;
618 /* Check against constraints for all certificates higher in
619 * chain including trust anchor. Trust anchor not strictly
620 * speaking needed but if it includes constraints it is to be
621 * assumed it expects them to be obeyed.
622 */
623 for (j = sk_X509_num(ctx->chain) - 1; j > i; j--)
624 {
625 NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
626 if (nc)
627 {
628 rv = NAME_CONSTRAINTS_check(x, nc);
629 if (rv != X509_V_OK)
630 {
631 ctx->error = rv;
632 ctx->error_depth = i;
633 ctx->current_cert = x;
634 if (!ctx->verify_cb(0,ctx))
635 return 0;
636 }
637 }
638 }
639 }
640 return 1;
641 }
642
643static int check_trust(X509_STORE_CTX *ctx)
644{
645#ifdef OPENSSL_NO_CHAIN_VERIFY
646 return 1;
647#else
648 int i, ok;
649 X509 *x;
650 int (*cb)(int xok,X509_STORE_CTX *xctx);
651 cb=ctx->verify_cb;
652/* For now just check the last certificate in the chain */
653 i = sk_X509_num(ctx->chain) - 1;
654 x = sk_X509_value(ctx->chain, i);
655 ok = X509_check_trust(x, ctx->param->trust, 0);
656 if (ok == X509_TRUST_TRUSTED)
657 return 1;
658 ctx->error_depth = i;
659 ctx->current_cert = x;
660 if (ok == X509_TRUST_REJECTED)
661 ctx->error = X509_V_ERR_CERT_REJECTED;
662 else
663 ctx->error = X509_V_ERR_CERT_UNTRUSTED;
664 ok = cb(0, ctx);
665 return ok;
666#endif
667}
668
669static int check_revocation(X509_STORE_CTX *ctx)
670 {
671 int i, last, ok;
672 if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
673 return 1;
674 if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
675 last = sk_X509_num(ctx->chain) - 1;
676 else
677 {
678 /* If checking CRL paths this isn't the EE certificate */
679 if (ctx->parent)
680 return 1;
681 last = 0;
682 }
683 for(i = 0; i <= last; i++)
684 {
685 ctx->error_depth = i;
686 ok = check_cert(ctx);
687 if (!ok) return ok;
688 }
689 return 1;
690 }
691
692static int check_cert(X509_STORE_CTX *ctx)
693 {
694 X509_CRL *crl = NULL, *dcrl = NULL;
695 X509 *x;
696 int ok, cnum;
697 cnum = ctx->error_depth;
698 x = sk_X509_value(ctx->chain, cnum);
699 ctx->current_cert = x;
700 ctx->current_issuer = NULL;
701 ctx->current_crl_score = 0;
702 ctx->current_reasons = 0;
703 while (ctx->current_reasons != CRLDP_ALL_REASONS)
704 {
705 /* Try to retrieve relevant CRL */
706 if (ctx->get_crl)
707 ok = ctx->get_crl(ctx, &crl, x);
708 else
709 ok = get_crl_delta(ctx, &crl, &dcrl, x);
710 /* If error looking up CRL, nothing we can do except
711 * notify callback
712 */
713 if(!ok)
714 {
715 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
716 ok = ctx->verify_cb(0, ctx);
717 goto err;
718 }
719 ctx->current_crl = crl;
720 ok = ctx->check_crl(ctx, crl);
721 if (!ok)
722 goto err;
723
724 if (dcrl)
725 {
726 ok = ctx->check_crl(ctx, dcrl);
727 if (!ok)
728 goto err;
729 ok = ctx->cert_crl(ctx, dcrl, x);
730 if (!ok)
731 goto err;
732 }
733 else
734 ok = 1;
735
736 /* Don't look in full CRL if delta reason is removefromCRL */
737 if (ok != 2)
738 {
739 ok = ctx->cert_crl(ctx, crl, x);
740 if (!ok)
741 goto err;
742 }
743
744 X509_CRL_free(crl);
745 X509_CRL_free(dcrl);
746 crl = NULL;
747 dcrl = NULL;
748 }
749 err:
750 X509_CRL_free(crl);
751 X509_CRL_free(dcrl);
752
753 ctx->current_crl = NULL;
754 return ok;
755
756 }
757
758/* Check CRL times against values in X509_STORE_CTX */
759
760static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
761 {
762 time_t *ptime;
763 int i;
764 if (notify)
765 ctx->current_crl = crl;
766 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
767 ptime = &ctx->param->check_time;
768 else
769 ptime = NULL;
770
771 i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
772 if (i == 0)
773 {
774 if (!notify)
775 return 0;
776 ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
777 if (!ctx->verify_cb(0, ctx))
778 return 0;
779 }
780
781 if (i > 0)
782 {
783 if (!notify)
784 return 0;
785 ctx->error=X509_V_ERR_CRL_NOT_YET_VALID;
786 if (!ctx->verify_cb(0, ctx))
787 return 0;
788 }
789
790 if(X509_CRL_get_nextUpdate(crl))
791 {
792 i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
793
794 if (i == 0)
795 {
796 if (!notify)
797 return 0;
798 ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
799 if (!ctx->verify_cb(0, ctx))
800 return 0;
801 }
802 /* Ignore expiry of base CRL is delta is valid */
803 if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA))
804 {
805 if (!notify)
806 return 0;
807 ctx->error=X509_V_ERR_CRL_HAS_EXPIRED;
808 if (!ctx->verify_cb(0, ctx))
809 return 0;
810 }
811 }
812
813 if (notify)
814 ctx->current_crl = NULL;
815
816 return 1;
817 }
818
819static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
820 X509 **pissuer, int *pscore, unsigned int *preasons,
821 STACK_OF(X509_CRL) *crls)
822 {
823 int i, crl_score, best_score = *pscore;
824 unsigned int reasons, best_reasons = 0;
825 X509 *x = ctx->current_cert;
826 X509_CRL *crl, *best_crl = NULL;
827 X509 *crl_issuer = NULL, *best_crl_issuer = NULL;
828
829 for (i = 0; i < sk_X509_CRL_num(crls); i++)
830 {
831 crl = sk_X509_CRL_value(crls, i);
832 reasons = *preasons;
833 crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
834
835 if (crl_score > best_score)
836 {
837 best_crl = crl;
838 best_crl_issuer = crl_issuer;
839 best_score = crl_score;
840 best_reasons = reasons;
841 }
842 }
843
844 if (best_crl)
845 {
846 if (*pcrl)
847 X509_CRL_free(*pcrl);
848 *pcrl = best_crl;
849 *pissuer = best_crl_issuer;
850 *pscore = best_score;
851 *preasons = best_reasons;
852 CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL);
853 if (*pdcrl)
854 {
855 X509_CRL_free(*pdcrl);
856 *pdcrl = NULL;
857 }
858 get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
859 }
860
861 if (best_score >= CRL_SCORE_VALID)
862 return 1;
863
864 return 0;
865 }
866
867/* Compare two CRL extensions for delta checking purposes. They should be
868 * both present or both absent. If both present all fields must be identical.
869 */
870
871static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
872 {
873 ASN1_OCTET_STRING *exta, *extb;
874 int i;
875 i = X509_CRL_get_ext_by_NID(a, nid, 0);
876 if (i >= 0)
877 {
878 /* Can't have multiple occurrences */
879 if (X509_CRL_get_ext_by_NID(a, nid, i) != -1)
880 return 0;
881 exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i));
882 }
883 else
884 exta = NULL;
885
886 i = X509_CRL_get_ext_by_NID(b, nid, 0);
887
888 if (i >= 0)
889 {
890
891 if (X509_CRL_get_ext_by_NID(b, nid, i) != -1)
892 return 0;
893 extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
894 }
895 else
896 extb = NULL;
897
898 if (!exta && !extb)
899 return 1;
900
901 if (!exta || !extb)
902 return 0;
903
904
905 if (ASN1_OCTET_STRING_cmp(exta, extb))
906 return 0;
907
908 return 1;
909 }
910
911/* See if a base and delta are compatible */
912
913static int check_delta_base(X509_CRL *delta, X509_CRL *base)
914 {
915 /* Delta CRL must be a delta */
916 if (!delta->base_crl_number)
917 return 0;
918 /* Base must have a CRL number */
919 if (!base->crl_number)
920 return 0;
921 /* Issuer names must match */
922 if (X509_NAME_cmp(X509_CRL_get_issuer(base),
923 X509_CRL_get_issuer(delta)))
924 return 0;
925 /* AKID and IDP must match */
926 if (!crl_extension_match(delta, base, NID_authority_key_identifier))
927 return 0;
928 if (!crl_extension_match(delta, base, NID_issuing_distribution_point))
929 return 0;
930 /* Delta CRL base number must not exceed Full CRL number. */
931 if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)
932 return 0;
933 /* Delta CRL number must exceed full CRL number */
934 if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
935 return 1;
936 return 0;
937 }
938
939/* For a given base CRL find a delta... maybe extend to delta scoring
940 * or retrieve a chain of deltas...
941 */
942
943static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
944 X509_CRL *base, STACK_OF(X509_CRL) *crls)
945 {
946 X509_CRL *delta;
947 int i;
948 if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS))
949 return;
950 if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST))
951 return;
952 for (i = 0; i < sk_X509_CRL_num(crls); i++)
953 {
954 delta = sk_X509_CRL_value(crls, i);
955 if (check_delta_base(delta, base))
956 {
957 if (check_crl_time(ctx, delta, 0))
958 *pscore |= CRL_SCORE_TIME_DELTA;
959 CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL);
960 *dcrl = delta;
961 return;
962 }
963 }
964 *dcrl = NULL;
965 }
966
967/* For a given CRL return how suitable it is for the supplied certificate 'x'.
968 * The return value is a mask of several criteria.
969 * If the issuer is not the certificate issuer this is returned in *pissuer.
970 * The reasons mask is also used to determine if the CRL is suitable: if
971 * no new reasons the CRL is rejected, otherwise reasons is updated.
972 */
973
974static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
975 unsigned int *preasons,
976 X509_CRL *crl, X509 *x)
977 {
978
979 int crl_score = 0;
980 unsigned int tmp_reasons = *preasons, crl_reasons;
981
982 /* First see if we can reject CRL straight away */
983
984 /* Invalid IDP cannot be processed */
985 if (crl->idp_flags & IDP_INVALID)
986 return 0;
987 /* Reason codes or indirect CRLs need extended CRL support */
988 if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT))
989 {
990 if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS))
991 return 0;
992 }
993 else if (crl->idp_flags & IDP_REASONS)
994 {
995 /* If no new reasons reject */
996 if (!(crl->idp_reasons & ~tmp_reasons))
997 return 0;
998 }
999 /* Don't process deltas at this stage */
1000 else if (crl->base_crl_number)
1001 return 0;
1002 /* If issuer name doesn't match certificate need indirect CRL */
1003 if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl)))
1004 {
1005 if (!(crl->idp_flags & IDP_INDIRECT))
1006 return 0;
1007 }
1008 else
1009 crl_score |= CRL_SCORE_ISSUER_NAME;
1010
1011 if (!(crl->flags & EXFLAG_CRITICAL))
1012 crl_score |= CRL_SCORE_NOCRITICAL;
1013
1014 /* Check expiry */
1015 if (check_crl_time(ctx, crl, 0))
1016 crl_score |= CRL_SCORE_TIME;
1017
1018 /* Check authority key ID and locate certificate issuer */
1019 crl_akid_check(ctx, crl, pissuer, &crl_score);
1020
1021 /* If we can't locate certificate issuer at this point forget it */
1022
1023 if (!(crl_score & CRL_SCORE_AKID))
1024 return 0;
1025
1026 /* Check cert for matching CRL distribution points */
1027
1028 if (crl_crldp_check(x, crl, crl_score, &crl_reasons))
1029 {
1030 /* If no new reasons reject */
1031 if (!(crl_reasons & ~tmp_reasons))
1032 return 0;
1033 tmp_reasons |= crl_reasons;
1034 crl_score |= CRL_SCORE_SCOPE;
1035 }
1036
1037 *preasons = tmp_reasons;
1038
1039 return crl_score;
1040
1041 }
1042
1043static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1044 X509 **pissuer, int *pcrl_score)
1045 {
1046 X509 *crl_issuer = NULL;
1047 X509_NAME *cnm = X509_CRL_get_issuer(crl);
1048 int cidx = ctx->error_depth;
1049 int i;
1050
1051 if (cidx != sk_X509_num(ctx->chain) - 1)
1052 cidx++;
1053
1054 crl_issuer = sk_X509_value(ctx->chain, cidx);
1055
1056 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
1057 {
1058 if (*pcrl_score & CRL_SCORE_ISSUER_NAME)
1059 {
1060 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_ISSUER_CERT;
1061 *pissuer = crl_issuer;
1062 return;
1063 }
1064 }
1065
1066 for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++)
1067 {
1068 crl_issuer = sk_X509_value(ctx->chain, cidx);
1069 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1070 continue;
1071 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
1072 {
1073 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_SAME_PATH;
1074 *pissuer = crl_issuer;
1075 return;
1076 }
1077 }
1078
1079 /* Anything else needs extended CRL support */
1080
1081 if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT))
1082 return;
1083
1084 /* Otherwise the CRL issuer is not on the path. Look for it in the
1085 * set of untrusted certificates.
1086 */
1087 for (i = 0; i < sk_X509_num(ctx->untrusted); i++)
1088 {
1089 crl_issuer = sk_X509_value(ctx->untrusted, i);
1090 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1091 continue;
1092 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
1093 {
1094 *pissuer = crl_issuer;
1095 *pcrl_score |= CRL_SCORE_AKID;
1096 return;
1097 }
1098 }
1099 }
1100
1101/* Check the path of a CRL issuer certificate. This creates a new
1102 * X509_STORE_CTX and populates it with most of the parameters from the
1103 * parent. This could be optimised somewhat since a lot of path checking
1104 * will be duplicated by the parent, but this will rarely be used in
1105 * practice.
1106 */
1107
1108static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1109 {
1110 X509_STORE_CTX crl_ctx;
1111 int ret;
1112 /* Don't allow recursive CRL path validation */
1113 if (ctx->parent)
1114 return 0;
1115 if (!X509_STORE_CTX_init(&crl_ctx, ctx->ctx, x, ctx->untrusted))
1116 return -1;
1117
1118 crl_ctx.crls = ctx->crls;
1119 /* Copy verify params across */
1120 X509_STORE_CTX_set0_param(&crl_ctx, ctx->param);
1121
1122 crl_ctx.parent = ctx;
1123 crl_ctx.verify_cb = ctx->verify_cb;
1124
1125 /* Verify CRL issuer */
1126 ret = X509_verify_cert(&crl_ctx);
1127
1128 if (ret <= 0)
1129 goto err;
1130
1131 /* Check chain is acceptable */
1132
1133 ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
1134 err:
1135 X509_STORE_CTX_cleanup(&crl_ctx);
1136 return ret;
1137 }
1138
1139/* RFC3280 says nothing about the relationship between CRL path
1140 * and certificate path, which could lead to situations where a
1141 * certificate could be revoked or validated by a CA not authorised
1142 * to do so. RFC5280 is more strict and states that the two paths must
1143 * end in the same trust anchor, though some discussions remain...
1144 * until this is resolved we use the RFC5280 version
1145 */
1146
1147static int check_crl_chain(X509_STORE_CTX *ctx,
1148 STACK_OF(X509) *cert_path,
1149 STACK_OF(X509) *crl_path)
1150 {
1151 X509 *cert_ta, *crl_ta;
1152 cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
1153 crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
1154 if (!X509_cmp(cert_ta, crl_ta))
1155 return 1;
1156 return 0;
1157 }
1158
1159/* Check for match between two dist point names: three separate cases.
1160 * 1. Both are relative names and compare X509_NAME types.
1161 * 2. One full, one relative. Compare X509_NAME to GENERAL_NAMES.
1162 * 3. Both are full names and compare two GENERAL_NAMES.
1163 * 4. One is NULL: automatic match.
1164 */
1165
1166
1167static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
1168 {
1169 X509_NAME *nm = NULL;
1170 GENERAL_NAMES *gens = NULL;
1171 GENERAL_NAME *gena, *genb;
1172 int i, j;
1173 if (!a || !b)
1174 return 1;
1175 if (a->type == 1)
1176 {
1177 if (!a->dpname)
1178 return 0;
1179 /* Case 1: two X509_NAME */
1180 if (b->type == 1)
1181 {
1182 if (!b->dpname)
1183 return 0;
1184 if (!X509_NAME_cmp(a->dpname, b->dpname))
1185 return 1;
1186 else
1187 return 0;
1188 }
1189 /* Case 2: set name and GENERAL_NAMES appropriately */
1190 nm = a->dpname;
1191 gens = b->name.fullname;
1192 }
1193 else if (b->type == 1)
1194 {
1195 if (!b->dpname)
1196 return 0;
1197 /* Case 2: set name and GENERAL_NAMES appropriately */
1198 gens = a->name.fullname;
1199 nm = b->dpname;
1200 }
1201
1202 /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
1203 if (nm)
1204 {
1205 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
1206 {
1207 gena = sk_GENERAL_NAME_value(gens, i);
1208 if (gena->type != GEN_DIRNAME)
1209 continue;
1210 if (!X509_NAME_cmp(nm, gena->d.directoryName))
1211 return 1;
1212 }
1213 return 0;
1214 }
1215
1216 /* Else case 3: two GENERAL_NAMES */
1217
1218 for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++)
1219 {
1220 gena = sk_GENERAL_NAME_value(a->name.fullname, i);
1221 for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++)
1222 {
1223 genb = sk_GENERAL_NAME_value(b->name.fullname, j);
1224 if (!GENERAL_NAME_cmp(gena, genb))
1225 return 1;
1226 }
1227 }
1228
1229 return 0;
1230
1231 }
1232
1233static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
1234 {
1235 int i;
1236 X509_NAME *nm = X509_CRL_get_issuer(crl);
1237 /* If no CRLissuer return is successful iff don't need a match */
1238 if (!dp->CRLissuer)
1239 return !!(crl_score & CRL_SCORE_ISSUER_NAME);
1240 for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++)
1241 {
1242 GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
1243 if (gen->type != GEN_DIRNAME)
1244 continue;
1245 if (!X509_NAME_cmp(gen->d.directoryName, nm))
1246 return 1;
1247 }
1248 return 0;
1249 }
1250
1251/* Check CRLDP and IDP */
1252
1253static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
1254 unsigned int *preasons)
1255 {
1256 int i;
1257 if (crl->idp_flags & IDP_ONLYATTR)
1258 return 0;
1259 if (x->ex_flags & EXFLAG_CA)
1260 {
1261 if (crl->idp_flags & IDP_ONLYUSER)
1262 return 0;
1263 }
1264 else
1265 {
1266 if (crl->idp_flags & IDP_ONLYCA)
1267 return 0;
1268 }
1269 *preasons = crl->idp_reasons;
1270 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
1271 {
1272 DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
1273 if (crldp_check_crlissuer(dp, crl, crl_score))
1274 {
1275 if (!crl->idp ||
1276 idp_check_dp(dp->distpoint, crl->idp->distpoint))
1277 {
1278 *preasons &= dp->dp_reasons;
1279 return 1;
1280 }
1281 }
1282 }
1283 if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME))
1284 return 1;
1285 return 0;
1286 }
1287
1288/* Retrieve CRL corresponding to current certificate.
1289 * If deltas enabled try to find a delta CRL too
1290 */
1291
1292static int get_crl_delta(X509_STORE_CTX *ctx,
1293 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
1294 {
1295 int ok;
1296 X509 *issuer = NULL;
1297 int crl_score = 0;
1298 unsigned int reasons;
1299 X509_CRL *crl = NULL, *dcrl = NULL;
1300 STACK_OF(X509_CRL) *skcrl;
1301 X509_NAME *nm = X509_get_issuer_name(x);
1302 reasons = ctx->current_reasons;
1303 ok = get_crl_sk(ctx, &crl, &dcrl,
1304 &issuer, &crl_score, &reasons, ctx->crls);
1305
1306 if (ok)
1307 goto done;
1308
1309 /* Lookup CRLs from store */
1310
1311 skcrl = ctx->lookup_crls(ctx, nm);
1312
1313 /* If no CRLs found and a near match from get_crl_sk use that */
1314 if (!skcrl && crl)
1315 goto done;
1316
1317 get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl);
1318
1319 sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
1320
1321 done:
1322
1323 /* If we got any kind of CRL use it and return success */
1324 if (crl)
1325 {
1326 ctx->current_issuer = issuer;
1327 ctx->current_crl_score = crl_score;
1328 ctx->current_reasons = reasons;
1329 *pcrl = crl;
1330 *pdcrl = dcrl;
1331 return 1;
1332 }
1333
1334 return 0;
1335 }
1336
1337/* Check CRL validity */
1338static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
1339 {
1340 X509 *issuer = NULL;
1341 EVP_PKEY *ikey = NULL;
1342 int ok = 0, chnum, cnum;
1343 cnum = ctx->error_depth;
1344 chnum = sk_X509_num(ctx->chain) - 1;
1345 /* if we have an alternative CRL issuer cert use that */
1346 if (ctx->current_issuer)
1347 issuer = ctx->current_issuer;
1348
1349 /* Else find CRL issuer: if not last certificate then issuer
1350 * is next certificate in chain.
1351 */
1352 else if (cnum < chnum)
1353 issuer = sk_X509_value(ctx->chain, cnum + 1);
1354 else
1355 {
1356 issuer = sk_X509_value(ctx->chain, chnum);
1357 /* If not self signed, can't check signature */
1358 if(!ctx->check_issued(ctx, issuer, issuer))
1359 {
1360 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
1361 ok = ctx->verify_cb(0, ctx);
1362 if(!ok) goto err;
1363 }
1364 }
1365
1366 if(issuer)
1367 {
1368 /* Skip most tests for deltas because they have already
1369 * been done
1370 */
1371 if (!crl->base_crl_number)
1372 {
1373 /* Check for cRLSign bit if keyUsage present */
1374 if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
1375 !(issuer->ex_kusage & KU_CRL_SIGN))
1376 {
1377 ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
1378 ok = ctx->verify_cb(0, ctx);
1379 if(!ok) goto err;
1380 }
1381
1382 if (!(ctx->current_crl_score & CRL_SCORE_SCOPE))
1383 {
1384 ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
1385 ok = ctx->verify_cb(0, ctx);
1386 if(!ok) goto err;
1387 }
1388
1389 if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH))
1390 {
1391 if (check_crl_path(ctx, ctx->current_issuer) <= 0)
1392 {
1393 ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
1394 ok = ctx->verify_cb(0, ctx);
1395 if(!ok) goto err;
1396 }
1397 }
1398
1399 if (crl->idp_flags & IDP_INVALID)
1400 {
1401 ctx->error = X509_V_ERR_INVALID_EXTENSION;
1402 ok = ctx->verify_cb(0, ctx);
1403 if(!ok) goto err;
1404 }
1405
1406
1407 }
1408
1409 if (!(ctx->current_crl_score & CRL_SCORE_TIME))
1410 {
1411 ok = check_crl_time(ctx, crl, 1);
1412 if (!ok)
1413 goto err;
1414 }
1415
1416 /* Attempt to get issuer certificate public key */
1417 ikey = X509_get_pubkey(issuer);
1418
1419 if(!ikey)
1420 {
1421 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1422 ok = ctx->verify_cb(0, ctx);
1423 if (!ok) goto err;
1424 }
1425 else
1426 {
1427 /* Verify CRL signature */
1428 if(X509_CRL_verify(crl, ikey) <= 0)
1429 {
1430 ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE;
1431 ok = ctx->verify_cb(0, ctx);
1432 if (!ok) goto err;
1433 }
1434 }
1435 }
1436
1437 ok = 1;
1438
1439 err:
1440 EVP_PKEY_free(ikey);
1441 return ok;
1442 }
1443
1444/* Check certificate against CRL */
1445static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1446 {
1447 int ok;
1448 X509_REVOKED *rev;
1449 /* The rules changed for this... previously if a CRL contained
1450 * unhandled critical extensions it could still be used to indicate
1451 * a certificate was revoked. This has since been changed since
1452 * critical extension can change the meaning of CRL entries.
1453 */
1454 if (crl->flags & EXFLAG_CRITICAL)
1455 {
1456 if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
1457 return 1;
1458 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
1459 ok = ctx->verify_cb(0, ctx);
1460 if(!ok)
1461 return 0;
1462 }
1463 /* Look for serial number of certificate in CRL
1464 * If found make sure reason is not removeFromCRL.
1465 */
1466 if (X509_CRL_get0_by_cert(crl, &rev, x))
1467 {
1468 if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)
1469 return 2;
1470 ctx->error = X509_V_ERR_CERT_REVOKED;
1471 ok = ctx->verify_cb(0, ctx);
1472 if (!ok)
1473 return 0;
1474 }
1475
1476 return 1;
1477 }
1478
1479static int check_policy(X509_STORE_CTX *ctx)
1480 {
1481 int ret;
1482 if (ctx->parent)
1483 return 1;
1484 ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
1485 ctx->param->policies, ctx->param->flags);
1486 if (ret == 0)
1487 {
1488 X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE);
1489 return 0;
1490 }
1491 /* Invalid or inconsistent extensions */
1492 if (ret == -1)
1493 {
1494 /* Locate certificates with bad extensions and notify
1495 * callback.
1496 */
1497 X509 *x;
1498 int i;
1499 for (i = 1; i < sk_X509_num(ctx->chain); i++)
1500 {
1501 x = sk_X509_value(ctx->chain, i);
1502 if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
1503 continue;
1504 ctx->current_cert = x;
1505 ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
1506 if(!ctx->verify_cb(0, ctx))
1507 return 0;
1508 }
1509 return 1;
1510 }
1511 if (ret == -2)
1512 {
1513 ctx->current_cert = NULL;
1514 ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
1515 return ctx->verify_cb(0, ctx);
1516 }
1517
1518 if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY)
1519 {
1520 ctx->current_cert = NULL;
1521 ctx->error = X509_V_OK;
1522 if (!ctx->verify_cb(2, ctx))
1523 return 0;
1524 }
1525
1526 return 1;
1527 }
1528
1529static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1530 {
1531 time_t *ptime;
1532 int i;
1533
1534 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
1535 ptime = &ctx->param->check_time;
1536 else
1537 ptime = NULL;
1538
1539 i=X509_cmp_time(X509_get_notBefore(x), ptime);
1540 if (i == 0)
1541 {
1542 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
1543 ctx->current_cert=x;
1544 if (!ctx->verify_cb(0, ctx))
1545 return 0;
1546 }
1547
1548 if (i > 0)
1549 {
1550 ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
1551 ctx->current_cert=x;
1552 if (!ctx->verify_cb(0, ctx))
1553 return 0;
1554 }
1555
1556 i=X509_cmp_time(X509_get_notAfter(x), ptime);
1557 if (i == 0)
1558 {
1559 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
1560 ctx->current_cert=x;
1561 if (!ctx->verify_cb(0, ctx))
1562 return 0;
1563 }
1564
1565 if (i < 0)
1566 {
1567 ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
1568 ctx->current_cert=x;
1569 if (!ctx->verify_cb(0, ctx))
1570 return 0;
1571 }
1572
1573 return 1;
1574 }
1575
1576static int internal_verify(X509_STORE_CTX *ctx)
1577 {
1578 int ok=0,n;
1579 X509 *xs,*xi;
1580 EVP_PKEY *pkey=NULL;
1581 int (*cb)(int xok,X509_STORE_CTX *xctx);
1582
1583 cb=ctx->verify_cb;
1584
1585 n=sk_X509_num(ctx->chain);
1586 ctx->error_depth=n-1;
1587 n--;
1588 xi=sk_X509_value(ctx->chain,n);
1589
1590 if (ctx->check_issued(ctx, xi, xi))
1591 xs=xi;
1592 else
1593 {
1594 if (n <= 0)
1595 {
1596 ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
1597 ctx->current_cert=xi;
1598 ok=cb(0,ctx);
1599 goto end;
1600 }
1601 else
1602 {
1603 n--;
1604 ctx->error_depth=n;
1605 xs=sk_X509_value(ctx->chain,n);
1606 }
1607 }
1608
1609/* ctx->error=0; not needed */
1610 while (n >= 0)
1611 {
1612 ctx->error_depth=n;
1613
1614 /* Skip signature check for self signed certificates unless
1615 * explicitly asked for. It doesn't add any security and
1616 * just wastes time.
1617 */
1618 if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)))
1619 {
1620 if ((pkey=X509_get_pubkey(xi)) == NULL)
1621 {
1622 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1623 ctx->current_cert=xi;
1624 ok=(*cb)(0,ctx);
1625 if (!ok) goto end;
1626 }
1627 else if (X509_verify(xs,pkey) <= 0)
1628 {
1629 ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
1630 ctx->current_cert=xs;
1631 ok=(*cb)(0,ctx);
1632 if (!ok)
1633 {
1634 EVP_PKEY_free(pkey);
1635 goto end;
1636 }
1637 }
1638 EVP_PKEY_free(pkey);
1639 pkey=NULL;
1640 }
1641
1642 xs->valid = 1;
1643
1644 ok = check_cert_time(ctx, xs);
1645 if (!ok)
1646 goto end;
1647
1648 /* The last error (if any) is still in the error value */
1649 ctx->current_issuer=xi;
1650 ctx->current_cert=xs;
1651 ok=(*cb)(1,ctx);
1652 if (!ok) goto end;
1653
1654 n--;
1655 if (n >= 0)
1656 {
1657 xi=xs;
1658 xs=sk_X509_value(ctx->chain,n);
1659 }
1660 }
1661 ok=1;
1662end:
1663 return ok;
1664 }
1665
1666int X509_cmp_current_time(const ASN1_TIME *ctm)
1667{
1668 return X509_cmp_time(ctm, NULL);
1669}
1670
1671int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1672 {
1673 char *str;
1674 ASN1_TIME atm;
1675 long offset;
1676 char buff1[24],buff2[24],*p;
1677 int i,j;
1678
1679 p=buff1;
1680 i=ctm->length;
1681 str=(char *)ctm->data;
1682 if (ctm->type == V_ASN1_UTCTIME)
1683 {
1684 if ((i < 11) || (i > 17)) return 0;
1685 memcpy(p,str,10);
1686 p+=10;
1687 str+=10;
1688 }
1689 else
1690 {
1691 if (i < 13) return 0;
1692 memcpy(p,str,12);
1693 p+=12;
1694 str+=12;
1695 }
1696
1697 if ((*str == 'Z') || (*str == '-') || (*str == '+'))
1698 { *(p++)='0'; *(p++)='0'; }
1699 else
1700 {
1701 *(p++)= *(str++);
1702 *(p++)= *(str++);
1703 /* Skip any fractional seconds... */
1704 if (*str == '.')
1705 {
1706 str++;
1707 while ((*str >= '0') && (*str <= '9')) str++;
1708 }
1709
1710 }
1711 *(p++)='Z';
1712 *(p++)='\0';
1713
1714 if (*str == 'Z')
1715 offset=0;
1716 else
1717 {
1718 if ((*str != '+') && (*str != '-'))
1719 return 0;
1720 offset=((str[1]-'0')*10+(str[2]-'0'))*60;
1721 offset+=(str[3]-'0')*10+(str[4]-'0');
1722 if (*str == '-')
1723 offset= -offset;
1724 }
1725 atm.type=ctm->type;
1726 atm.flags = 0;
1727 atm.length=sizeof(buff2);
1728 atm.data=(unsigned char *)buff2;
1729
1730 if (X509_time_adj(&atm, offset*60, cmp_time) == NULL)
1731 return 0;
1732
1733 if (ctm->type == V_ASN1_UTCTIME)
1734 {
1735 i=(buff1[0]-'0')*10+(buff1[1]-'0');
1736 if (i < 50) i+=100; /* cf. RFC 2459 */
1737 j=(buff2[0]-'0')*10+(buff2[1]-'0');
1738 if (j < 50) j+=100;
1739
1740 if (i < j) return -1;
1741 if (i > j) return 1;
1742 }
1743 i=strcmp(buff1,buff2);
1744 if (i == 0) /* wait a second then return younger :-) */
1745 return -1;
1746 else
1747 return i;
1748 }
1749
1750ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
1751{
1752 return X509_time_adj(s, adj, NULL);
1753}
1754
1755ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
1756 {
1757 return X509_time_adj_ex(s, 0, offset_sec, in_tm);
1758 }
1759
1760ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
1761 int offset_day, long offset_sec, time_t *in_tm)
1762 {
1763 time_t t;
1764
1765 if (in_tm) t = *in_tm;
1766 else time(&t);
1767
1768 if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING))
1769 {
1770 if (s->type == V_ASN1_UTCTIME)
1771 return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec);
1772 if (s->type == V_ASN1_GENERALIZEDTIME)
1773 return ASN1_GENERALIZEDTIME_adj(s, t, offset_day,
1774 offset_sec);
1775 }
1776 return ASN1_TIME_adj(s, t, offset_day, offset_sec);
1777 }
1778
1779int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
1780 {
1781 EVP_PKEY *ktmp=NULL,*ktmp2;
1782 int i,j;
1783
1784 if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1;
1785
1786 for (i=0; i<sk_X509_num(chain); i++)
1787 {
1788 ktmp=X509_get_pubkey(sk_X509_value(chain,i));
1789 if (ktmp == NULL)
1790 {
1791 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
1792 return 0;
1793 }
1794 if (!EVP_PKEY_missing_parameters(ktmp))
1795 break;
1796 else
1797 {
1798 EVP_PKEY_free(ktmp);
1799 ktmp=NULL;
1800 }
1801 }
1802 if (ktmp == NULL)
1803 {
1804 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
1805 return 0;
1806 }
1807
1808 /* first, populate the other certs */
1809 for (j=i-1; j >= 0; j--)
1810 {
1811 ktmp2=X509_get_pubkey(sk_X509_value(chain,j));
1812 EVP_PKEY_copy_parameters(ktmp2,ktmp);
1813 EVP_PKEY_free(ktmp2);
1814 }
1815
1816 if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp);
1817 EVP_PKEY_free(ktmp);
1818 return 1;
1819 }
1820
1821int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1822 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
1823 {
1824 /* This function is (usually) called only once, by
1825 * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */
1826 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp,
1827 new_func, dup_func, free_func);
1828 }
1829
1830int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
1831 {
1832 return CRYPTO_set_ex_data(&ctx->ex_data,idx,data);
1833 }
1834
1835void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
1836 {
1837 return CRYPTO_get_ex_data(&ctx->ex_data,idx);
1838 }
1839
1840int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
1841 {
1842 return ctx->error;
1843 }
1844
1845void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
1846 {
1847 ctx->error=err;
1848 }
1849
1850int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
1851 {
1852 return ctx->error_depth;
1853 }
1854
1855X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
1856 {
1857 return ctx->current_cert;
1858 }
1859
1860STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
1861 {
1862 return ctx->chain;
1863 }
1864
1865STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
1866 {
1867 int i;
1868 X509 *x;
1869 STACK_OF(X509) *chain;
1870 if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL;
1871 for (i = 0; i < sk_X509_num(chain); i++)
1872 {
1873 x = sk_X509_value(chain, i);
1874 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
1875 }
1876 return chain;
1877 }
1878
1879X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
1880 {
1881 return ctx->current_issuer;
1882 }
1883
1884X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
1885 {
1886 return ctx->current_crl;
1887 }
1888
1889X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
1890 {
1891 return ctx->parent;
1892 }
1893
1894void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
1895 {
1896 ctx->cert=x;
1897 }
1898
1899void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
1900 {
1901 ctx->untrusted=sk;
1902 }
1903
1904void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
1905 {
1906 ctx->crls=sk;
1907 }
1908
1909int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
1910 {
1911 return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
1912 }
1913
1914int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
1915 {
1916 return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
1917 }
1918
1919/* This function is used to set the X509_STORE_CTX purpose and trust
1920 * values. This is intended to be used when another structure has its
1921 * own trust and purpose values which (if set) will be inherited by
1922 * the ctx. If they aren't set then we will usually have a default
1923 * purpose in mind which should then be used to set the trust value.
1924 * An example of this is SSL use: an SSL structure will have its own
1925 * purpose and trust settings which the application can set: if they
1926 * aren't set then we use the default of SSL client/server.
1927 */
1928
1929int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
1930 int purpose, int trust)
1931{
1932 int idx;
1933 /* If purpose not set use default */
1934 if (!purpose) purpose = def_purpose;
1935 /* If we have a purpose then check it is valid */
1936 if (purpose)
1937 {
1938 X509_PURPOSE *ptmp;
1939 idx = X509_PURPOSE_get_by_id(purpose);
1940 if (idx == -1)
1941 {
1942 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1943 X509_R_UNKNOWN_PURPOSE_ID);
1944 return 0;
1945 }
1946 ptmp = X509_PURPOSE_get0(idx);
1947 if (ptmp->trust == X509_TRUST_DEFAULT)
1948 {
1949 idx = X509_PURPOSE_get_by_id(def_purpose);
1950 if (idx == -1)
1951 {
1952 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1953 X509_R_UNKNOWN_PURPOSE_ID);
1954 return 0;
1955 }
1956 ptmp = X509_PURPOSE_get0(idx);
1957 }
1958 /* If trust not set then get from purpose default */
1959 if (!trust) trust = ptmp->trust;
1960 }
1961 if (trust)
1962 {
1963 idx = X509_TRUST_get_by_id(trust);
1964 if (idx == -1)
1965 {
1966 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1967 X509_R_UNKNOWN_TRUST_ID);
1968 return 0;
1969 }
1970 }
1971
1972 if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose;
1973 if (trust && !ctx->param->trust) ctx->param->trust = trust;
1974 return 1;
1975}
1976
1977X509_STORE_CTX *X509_STORE_CTX_new(void)
1978{
1979 X509_STORE_CTX *ctx;
1980 ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX));
1981 if (!ctx)
1982 {
1983 X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE);
1984 return NULL;
1985 }
1986 memset(ctx, 0, sizeof(X509_STORE_CTX));
1987 return ctx;
1988}
1989
1990void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
1991{
1992 X509_STORE_CTX_cleanup(ctx);
1993 OPENSSL_free(ctx);
1994}
1995
1996int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
1997 STACK_OF(X509) *chain)
1998 {
1999 int ret = 1;
2000 ctx->ctx=store;
2001 ctx->current_method=0;
2002 ctx->cert=x509;
2003 ctx->untrusted=chain;
2004 ctx->crls = NULL;
2005 ctx->last_untrusted=0;
2006 ctx->other_ctx=NULL;
2007 ctx->valid=0;
2008 ctx->chain=NULL;
2009 ctx->error=0;
2010 ctx->explicit_policy=0;
2011 ctx->error_depth=0;
2012 ctx->current_cert=NULL;
2013 ctx->current_issuer=NULL;
2014 ctx->current_crl=NULL;
2015 ctx->current_crl_score=0;
2016 ctx->current_reasons=0;
2017 ctx->tree = NULL;
2018 ctx->parent = NULL;
2019
2020 ctx->param = X509_VERIFY_PARAM_new();
2021
2022 if (!ctx->param)
2023 {
2024 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2025 return 0;
2026 }
2027
2028 /* Inherit callbacks and flags from X509_STORE if not set
2029 * use defaults.
2030 */
2031
2032
2033 if (store)
2034 ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
2035 else
2036 ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
2037
2038 if (store)
2039 {
2040 ctx->verify_cb = store->verify_cb;
2041 ctx->cleanup = store->cleanup;
2042 }
2043 else
2044 ctx->cleanup = 0;
2045
2046 if (ret)
2047 ret = X509_VERIFY_PARAM_inherit(ctx->param,
2048 X509_VERIFY_PARAM_lookup("default"));
2049
2050 if (ret == 0)
2051 {
2052 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2053 return 0;
2054 }
2055
2056 if (store && store->check_issued)
2057 ctx->check_issued = store->check_issued;
2058 else
2059 ctx->check_issued = check_issued;
2060
2061 if (store && store->get_issuer)
2062 ctx->get_issuer = store->get_issuer;
2063 else
2064 ctx->get_issuer = X509_STORE_CTX_get1_issuer;
2065
2066 if (store && store->verify_cb)
2067 ctx->verify_cb = store->verify_cb;
2068 else
2069 ctx->verify_cb = null_callback;
2070
2071 if (store && store->verify)
2072 ctx->verify = store->verify;
2073 else
2074 ctx->verify = internal_verify;
2075
2076 if (store && store->check_revocation)
2077 ctx->check_revocation = store->check_revocation;
2078 else
2079 ctx->check_revocation = check_revocation;
2080
2081 if (store && store->get_crl)
2082 ctx->get_crl = store->get_crl;
2083 else
2084 ctx->get_crl = NULL;
2085
2086 if (store && store->check_crl)
2087 ctx->check_crl = store->check_crl;
2088 else
2089 ctx->check_crl = check_crl;
2090
2091 if (store && store->cert_crl)
2092 ctx->cert_crl = store->cert_crl;
2093 else
2094 ctx->cert_crl = cert_crl;
2095
2096 if (store && store->lookup_certs)
2097 ctx->lookup_certs = store->lookup_certs;
2098 else
2099 ctx->lookup_certs = X509_STORE_get1_certs;
2100
2101 if (store && store->lookup_crls)
2102 ctx->lookup_crls = store->lookup_crls;
2103 else
2104 ctx->lookup_crls = X509_STORE_get1_crls;
2105
2106 ctx->check_policy = check_policy;
2107
2108
2109 /* This memset() can't make any sense anyway, so it's removed. As
2110 * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a
2111 * corresponding "new" here and remove this bogus initialisation. */
2112 /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */
2113 if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
2114 &(ctx->ex_data)))
2115 {
2116 OPENSSL_free(ctx);
2117 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2118 return 0;
2119 }
2120 return 1;
2121 }
2122
2123/* Set alternative lookup method: just a STACK of trusted certificates.
2124 * This avoids X509_STORE nastiness where it isn't needed.
2125 */
2126
2127void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
2128{
2129 ctx->other_ctx = sk;
2130 ctx->get_issuer = get_issuer_sk;
2131}
2132
2133void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
2134 {
2135 if (ctx->cleanup) ctx->cleanup(ctx);
2136 if (ctx->param != NULL)
2137 {
2138 if (ctx->parent == NULL)
2139 X509_VERIFY_PARAM_free(ctx->param);
2140 ctx->param=NULL;
2141 }
2142 if (ctx->tree != NULL)
2143 {
2144 X509_policy_tree_free(ctx->tree);
2145 ctx->tree=NULL;
2146 }
2147 if (ctx->chain != NULL)
2148 {
2149 sk_X509_pop_free(ctx->chain,X509_free);
2150 ctx->chain=NULL;
2151 }
2152 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data));
2153 memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
2154 }
2155
2156void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
2157 {
2158 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
2159 }
2160
2161void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
2162 {
2163 X509_VERIFY_PARAM_set_flags(ctx->param, flags);
2164 }
2165
2166void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t)
2167 {
2168 X509_VERIFY_PARAM_set_time(ctx->param, t);
2169 }
2170
2171void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
2172 int (*verify_cb)(int, X509_STORE_CTX *))
2173 {
2174 ctx->verify_cb=verify_cb;
2175 }
2176
2177X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
2178 {
2179 return ctx->tree;
2180 }
2181
2182int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
2183 {
2184 return ctx->explicit_policy;
2185 }
2186
2187int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
2188 {
2189 const X509_VERIFY_PARAM *param;
2190 param = X509_VERIFY_PARAM_lookup(name);
2191 if (!param)
2192 return 0;
2193 return X509_VERIFY_PARAM_inherit(ctx->param, param);
2194 }
2195
2196X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
2197 {
2198 return ctx->param;
2199 }
2200
2201void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
2202 {
2203 if (ctx->param)
2204 X509_VERIFY_PARAM_free(ctx->param);
2205 ctx->param = param;
2206 }
2207
2208IMPLEMENT_STACK_OF(X509)
2209IMPLEMENT_ASN1_SET_OF(X509)
2210
2211IMPLEMENT_STACK_OF(X509_NAME)
2212
2213IMPLEMENT_STACK_OF(X509_ATTRIBUTE)
2214IMPLEMENT_ASN1_SET_OF(X509_ATTRIBUTE)
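diff --git a/src/lib/libcrypto/x509/x509_vfy.h b/src/lib/libcrypto/x509/x509_vfy.h
deleted file mode 100644
index fe09b30aaa..0000000000
--- a/src/lib/libcrypto/x509/x509_vfy.h
+++ /dev/null
@@ -1,567 +0,0 @@
-/* crypto/x509/x509_vfy.h */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#ifndef HEADER_X509_H
-#include <openssl/x509.h>
-/* openssl/x509.h ends up #include-ing this file at about the only
- * appropriate moment. */
-#endif
-
-#ifndef HEADER_X509_VFY_H
-#define HEADER_X509_VFY_H
-
-#include <openssl/opensslconf.h>
-#ifndef OPENSSL_NO_LHASH
-#include <openssl/lhash.h>
-#endif
-#include <openssl/bio.h>
-#include <openssl/crypto.h>
-#include <openssl/symhacks.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if 0
-/* Outer object */
-typedef struct x509_hash_dir_st
- {
- int num_dirs;
- char **dirs;
- int *dirs_type;
- int num_dirs_alloced;
- } X509_HASH_DIR_CTX;
-#endif
-
-typedef struct x509_file_st
- {
- int num_paths; /* number of paths to files or directories */
- int num_alloced;
- char **paths; /* the list of paths or directories */
- int *path_type;
- } X509_CERT_FILE_CTX;
-
-/*******************************/
-/*
-SSL_CTX -> X509_STORE
- -> X509_LOOKUP
- ->X509_LOOKUP_METHOD
- -> X509_LOOKUP
- ->X509_LOOKUP_METHOD
-
-SSL -> X509_STORE_CTX
- ->X509_STORE
-
-The X509_STORE holds the tables etc for verification stuff.
-A X509_STORE_CTX is used while validating a single certificate.
-The X509_STORE has X509_LOOKUPs for looking up certs.
-The X509_STORE then calls a function to actually verify the
-certificate chain.
-*/
-
-#define X509_LU_RETRY -1
-#define X509_LU_FAIL 0
-#define X509_LU_X509 1
-#define X509_LU_CRL 2
-#define X509_LU_PKEY 3
-
-typedef struct x509_object_st
- {
- /* one of the above types */
- int type;
- union {
- char *ptr;
- X509 *x509;
- X509_CRL *crl;
- EVP_PKEY *pkey;
- } data;
- } X509_OBJECT;
-
-typedef struct x509_lookup_st X509_LOOKUP;
-
-DECLARE_STACK_OF(X509_LOOKUP)
-DECLARE_STACK_OF(X509_OBJECT)
-
-/* This is a static that defines the function interface */
-typedef struct x509_lookup_method_st
- {
- const char *name;
- int (*new_item)(X509_LOOKUP *ctx);
- void (*free)(X509_LOOKUP *ctx);
- int (*init)(X509_LOOKUP *ctx);
- int (*shutdown)(X509_LOOKUP *ctx);
- int (*ctrl)(X509_LOOKUP *ctx,int cmd,const char *argc,long argl,
- char **ret);
- int (*get_by_subject)(X509_LOOKUP *ctx,int type,X509_NAME *name,
- X509_OBJECT *ret);
- int (*get_by_issuer_serial)(X509_LOOKUP *ctx,int type,X509_NAME *name,
- ASN1_INTEGER *serial,X509_OBJECT *ret);
- int (*get_by_fingerprint)(X509_LOOKUP *ctx,int type,
- unsigned char *bytes,int len,
- X509_OBJECT *ret);
- int (*get_by_alias)(X509_LOOKUP *ctx,int type,char *str,int len,
- X509_OBJECT *ret);
- } X509_LOOKUP_METHOD;
-
-/* This structure hold all parameters associated with a verify operation
- * by including an X509_VERIFY_PARAM structure in related structures the
- * parameters used can be customized
- */
-
-typedef struct X509_VERIFY_PARAM_st
- {
- char *name;
- time_t check_time; /* Time to use */
- unsigned long inh_flags; /* Inheritance flags */
- unsigned long flags; /* Various verify flags */
- int purpose; /* purpose to check untrusted certificates */
- int trust; /* trust setting to check */
- int depth; /* Verify depth */
- STACK_OF(ASN1_OBJECT) *policies; /* Permissible policies */
- } X509_VERIFY_PARAM;
-
-DECLARE_STACK_OF(X509_VERIFY_PARAM)
-
-/* This is used to hold everything. It is used for all certificate
- * validation. Once we have a certificate chain, the 'verify'
- * function is then called to actually check the cert chain. */
-struct x509_store_st
- {
- /* The following is a cache of trusted certs */
- int cache; /* if true, stash any hits */
- STACK_OF(X509_OBJECT) *objs; /* Cache of all objects */
-
- /* These are external lookup methods */
- STACK_OF(X509_LOOKUP) *get_cert_methods;
-
- X509_VERIFY_PARAM *param;
-
- /* Callbacks for various operations */
- int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */
- int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */
- int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */
- int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
- int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
- int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
- int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
- int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
- STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm);
- STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm);
- int (*cleanup)(X509_STORE_CTX *ctx);
-
- CRYPTO_EX_DATA ex_data;
- int references;
- } /* X509_STORE */;
-
-int X509_STORE_set_depth(X509_STORE *store, int depth);
-
-#define X509_STORE_set_verify_cb_func(ctx,func) ((ctx)->verify_cb=(func))
-#define X509_STORE_set_verify_func(ctx,func) ((ctx)->verify=(func))
-
-/* This is the functions plus an instance of the local variables. */
-struct x509_lookup_st
- {
- int init; /* have we been started */
- int skip; /* don't use us. */
- X509_LOOKUP_METHOD *method; /* the functions */
- char *method_data; /* method data */
-
- X509_STORE *store_ctx; /* who owns us */
- } /* X509_LOOKUP */;
-
-/* This is a used when verifying cert chains. Since the
- * gathering of the cert chain can take some time (and have to be
- * 'retried', this needs to be kept and passed around. */
-struct x509_store_ctx_st /* X509_STORE_CTX */
- {
- X509_STORE *ctx;
- int current_method; /* used when looking up certs */
-
- /* The following are set by the caller */
- X509 *cert; /* The cert to check */
- STACK_OF(X509) *untrusted; /* chain of X509s - untrusted - passed in */
- STACK_OF(X509_CRL) *crls; /* set of CRLs passed in */
-
- X509_VERIFY_PARAM *param;
- void *other_ctx; /* Other info for use with get_issuer() */
-
- /* Callbacks for various operations */
- int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */
- int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */
- int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */
- int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
- int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
- int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
- int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
- int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
- int (*check_policy)(X509_STORE_CTX *ctx);
- STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm);
- STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm);
- int (*cleanup)(X509_STORE_CTX *ctx);
-
- /* The following is built up */
- int valid; /* if 0, rebuild chain */
- int last_untrusted; /* index of last untrusted cert */
- STACK_OF(X509) *chain; /* chain of X509s - built up and trusted */
- X509_POLICY_TREE *tree; /* Valid policy tree */
-
- int explicit_policy; /* Require explicit policy value */
-
- /* When something goes wrong, this is why */
- int error_depth;
- int error;
- X509 *current_cert;
- X509 *current_issuer; /* cert currently being tested as valid issuer */
- X509_CRL *current_crl; /* current CRL */
-
- int current_crl_score; /* score of current CRL */
- unsigned int current_reasons; /* Reason mask */
-
- X509_STORE_CTX *parent; /* For CRL path validation: parent context */
-
- CRYPTO_EX_DATA ex_data;
- } /* X509_STORE_CTX */;
-
-void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
-
-#define X509_STORE_CTX_set_app_data(ctx,data) \
- X509_STORE_CTX_set_ex_data(ctx,0,data)
-#define X509_STORE_CTX_get_app_data(ctx) \
- X509_STORE_CTX_get_ex_data(ctx,0)
-
-#define X509_L_FILE_LOAD 1
-#define X509_L_ADD_DIR 2
-
-#define X509_LOOKUP_load_file(x,name,type) \
- X509_LOOKUP_ctrl((x),X509_L_FILE_LOAD,(name),(long)(type),NULL)
-
-#define X509_LOOKUP_add_dir(x,name,type) \
- X509_LOOKUP_ctrl((x),X509_L_ADD_DIR,(name),(long)(type),NULL)
-
-#define X509_V_OK 0
-/* illegal error (for uninitialized values, to avoid X509_V_OK): 1 */
-
-#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2
-#define X509_V_ERR_UNABLE_TO_GET_CRL 3
-#define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4
-#define X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE 5
-#define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6
-#define X509_V_ERR_CERT_SIGNATURE_FAILURE 7
-#define X509_V_ERR_CRL_SIGNATURE_FAILURE 8
-#define X509_V_ERR_CERT_NOT_YET_VALID 9
-#define X509_V_ERR_CERT_HAS_EXPIRED 10
-#define X509_V_ERR_CRL_NOT_YET_VALID 11
-#define X509_V_ERR_CRL_HAS_EXPIRED 12
-#define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD 13
-#define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD 14
-#define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD 15
-#define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD 16
-#define X509_V_ERR_OUT_OF_MEM 17
-#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18
-#define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19
-#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20
-#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE 21
-#define X509_V_ERR_CERT_CHAIN_TOO_LONG 22
-#define X509_V_ERR_CERT_REVOKED 23
-#define X509_V_ERR_INVALID_CA 24
-#define X509_V_ERR_PATH_LENGTH_EXCEEDED 25
-#define X509_V_ERR_INVALID_PURPOSE 26
-#define X509_V_ERR_CERT_UNTRUSTED 27
-#define X509_V_ERR_CERT_REJECTED 28
-/* These are 'informational' when looking for issuer cert */
-#define X509_V_ERR_SUBJECT_ISSUER_MISMATCH 29
-#define X509_V_ERR_AKID_SKID_MISMATCH 30
-#define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31
-#define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32
-
-#define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33
-#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34
-#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35
-#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36
-#define X509_V_ERR_INVALID_NON_CA 37
-#define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38
-#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39
-#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40
-
-#define X509_V_ERR_INVALID_EXTENSION 41
-#define X509_V_ERR_INVALID_POLICY_EXTENSION 42
-#define X509_V_ERR_NO_EXPLICIT_POLICY 43
-#define X509_V_ERR_DIFFERENT_CRL_SCOPE 44
-#define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45
-
-#define X509_V_ERR_UNNESTED_RESOURCE 46
-
-#define X509_V_ERR_PERMITTED_VIOLATION 47
-#define X509_V_ERR_EXCLUDED_VIOLATION 48
-#define X509_V_ERR_SUBTREE_MINMAX 49
-#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE 51
-#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52
-#define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53
-#define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54
-
-/* The application is not happy */
-#define X509_V_ERR_APPLICATION_VERIFICATION 50
-
-/* Certificate verify flags */
-
-/* Send issuer+subject checks to verify_cb */
-#define X509_V_FLAG_CB_ISSUER_CHECK 0x1
-/* Use check time instead of current time */
-#define X509_V_FLAG_USE_CHECK_TIME 0x2
-/* Lookup CRLs */
-#define X509_V_FLAG_CRL_CHECK 0x4
-/* Lookup CRLs for whole chain */
-#define X509_V_FLAG_CRL_CHECK_ALL 0x8
-/* Ignore unhandled critical extensions */
-#define X509_V_FLAG_IGNORE_CRITICAL 0x10
-/* Disable workarounds for broken certificates */
-#define X509_V_FLAG_X509_STRICT 0x20
-/* Enable proxy certificate validation */
-#define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40
-/* Enable policy checking */
-#define X509_V_FLAG_POLICY_CHECK 0x80
-/* Policy variable require-explicit-policy */
-#define X509_V_FLAG_EXPLICIT_POLICY 0x100
-/* Policy variable inhibit-any-policy */
-#define X509_V_FLAG_INHIBIT_ANY 0x200
-/* Policy variable inhibit-policy-mapping */
-#define X509_V_FLAG_INHIBIT_MAP 0x400
-/* Notify callback that policy is OK */
-#define X509_V_FLAG_NOTIFY_POLICY 0x800
-/* Extended CRL features such as indirect CRLs, alternate CRL signing keys */
-#define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000
-/* Delta CRL support */
-#define X509_V_FLAG_USE_DELTAS 0x2000
-/* Check selfsigned CA signature */
-#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
-
-
-#define X509_VP_FLAG_DEFAULT 0x1
-#define X509_VP_FLAG_OVERWRITE 0x2
-#define X509_VP_FLAG_RESET_FLAGS 0x4
-#define X509_VP_FLAG_LOCKED 0x8
-#define X509_VP_FLAG_ONCE 0x10
-
-/* Internal use: mask of policy related options */
-#define X509_V_FLAG_POLICY_MASK (X509_V_FLAG_POLICY_CHECK \
- | X509_V_FLAG_EXPLICIT_POLICY \
- | X509_V_FLAG_INHIBIT_ANY \
- | X509_V_FLAG_INHIBIT_MAP)
-
-int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
- X509_NAME *name);
-X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h,int type,X509_NAME *name);
-X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x);
-void X509_OBJECT_up_ref_count(X509_OBJECT *a);
-void X509_OBJECT_free_contents(X509_OBJECT *a);
-X509_STORE *X509_STORE_new(void );
-void X509_STORE_free(X509_STORE *v);
-
-STACK_OF(X509)* X509_STORE_get1_certs(X509_STORE_CTX *st, X509_NAME *nm);
-STACK_OF(X509_CRL)* X509_STORE_get1_crls(X509_STORE_CTX *st, X509_NAME *nm);
-int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags);
-int X509_STORE_set_purpose(X509_STORE *ctx, int purpose);
-int X509_STORE_set_trust(X509_STORE *ctx, int trust);
-int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *pm);
-
-void X509_STORE_set_verify_cb(X509_STORE *ctx,
- int (*verify_cb)(int, X509_STORE_CTX *));
-
-X509_STORE_CTX *X509_STORE_CTX_new(void);
-
-int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
-
-void X509_STORE_CTX_free(X509_STORE_CTX *ctx);
-int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
- X509 *x509, STACK_OF(X509) *chain);
-void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
-void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
-
-X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m);
-
-X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void);
-X509_LOOKUP_METHOD *X509_LOOKUP_file(void);
-
-int X509_STORE_add_cert(X509_STORE *ctx, X509 *x);
-int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x);
-
-int X509_STORE_get_by_subject(X509_STORE_CTX *vs,int type,X509_NAME *name,
- X509_OBJECT *ret);
-
-int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
- long argl, char **ret);
-
-#ifndef OPENSSL_NO_STDIO
-int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type);
-int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type);
-int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type);
-#endif
-
-
-X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method);
-void X509_LOOKUP_free(X509_LOOKUP *ctx);
-int X509_LOOKUP_init(X509_LOOKUP *ctx);
-int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,
- X509_OBJECT *ret);
-int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name,
- ASN1_INTEGER *serial, X509_OBJECT *ret);
-int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type,
- unsigned char *bytes, int len, X509_OBJECT *ret);
-int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str,
- int len, X509_OBJECT *ret);
-int X509_LOOKUP_shutdown(X509_LOOKUP *ctx);
-
-#ifndef OPENSSL_NO_STDIO
-int X509_STORE_load_locations (X509_STORE *ctx,
- const char *file, const char *dir);
-int X509_STORE_set_default_paths(X509_STORE *ctx);
-#endif
-
-int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
- CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
-int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx,int idx,void *data);
-void * X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx,int idx);
-int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
-void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx,int s);
-int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
-X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
-X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx);
-X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx);
-X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx);
-STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx);
-STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx);
-void X509_STORE_CTX_set_cert(X509_STORE_CTX *c,X509 *x);
-void X509_STORE_CTX_set_chain(X509_STORE_CTX *c,STACK_OF(X509) *sk);
-void X509_STORE_CTX_set0_crls(X509_STORE_CTX *c,STACK_OF(X509_CRL) *sk);
-int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
-int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust);
-int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
- int purpose, int trust);
-void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags);
-void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,
- time_t t);
-void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
- int (*verify_cb)(int, X509_STORE_CTX *));
-
-X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx);
-int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx);
-
-X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx);
-void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param);
-int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name);
-
-/* X509_VERIFY_PARAM functions */
-
-X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void);
-void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param);
-int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *to,
- const X509_VERIFY_PARAM *from);
-int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
- const X509_VERIFY_PARAM *from);
-int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name);
-int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags);
-int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,
- unsigned long flags);
-unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param);
-int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose);
-int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust);
-void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth);
-void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t);
-int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
- ASN1_OBJECT *policy);
-int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
- STACK_OF(ASN1_OBJECT) *policies);
-int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param);
-
-int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param);
-const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name);
-void X509_VERIFY_PARAM_table_cleanup(void);
-
-int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
- STACK_OF(X509) *certs,
- STACK_OF(ASN1_OBJECT) *policy_oids,
- unsigned int flags);
-
-void X509_policy_tree_free(X509_POLICY_TREE *tree);
-
-int X509_policy_tree_level_count(const X509_POLICY_TREE *tree);
-X509_POLICY_LEVEL *
- X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i);
-
-STACK_OF(X509_POLICY_NODE) *
- X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree);
-
-STACK_OF(X509_POLICY_NODE) *
- X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree);
-
-int X509_policy_level_node_count(X509_POLICY_LEVEL *level);
-
-X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i);
-
-const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node);
-
-STACK_OF(POLICYQUALINFO) *
- X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node);
-const X509_POLICY_NODE *
- X509_policy_node_get0_parent(const X509_POLICY_NODE *node);
-
-#ifdef __cplusplus
-}
-#endif
-#endif
-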
diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c
deleted file mode 100644
index dfd89d89fa..0000000000
--- a/src/lib/libcrypto/x509/x509_vpm.c
+++ /dev/null
@@ -1,438 +0,0 @@
1/* x509_vpm.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60
61#include "cryptlib.h"
62#include <openssl/crypto.h>
63#include <openssl/lhash.h>
64#include <openssl/buffer.h>
65#include <openssl/x509.h>
66#include <openssl/x509v3.h>
67
68/* X509_VERIFY_PARAM functions */
69
70static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
71 {
72 if (!param)
73 return;
74 param->name = NULL;
75 param->purpose = 0;
76 param->trust = 0;
77 /*param->inh_flags = X509_VP_FLAG_DEFAULT;*/
78 param->inh_flags = 0;
79 param->flags = 0;
80 param->depth = -1;
81 if (param->policies)
82 {
83 sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
84 param->policies = NULL;
85 }
86 }
87
88X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
89 {
90 X509_VERIFY_PARAM *param;
91 param = OPENSSL_malloc(sizeof(X509_VERIFY_PARAM));
92 memset(param, 0, sizeof(X509_VERIFY_PARAM));
93 x509_verify_param_zero(param);
94 return param;
95 }
96
97void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
98 {
99 x509_verify_param_zero(param);
100 OPENSSL_free(param);
101 }
102
103/* This function determines how parameters are "inherited" from one structure
104 * to another. There are several different ways this can happen.
105 *
106 * 1. If a child structure needs to have its values initialized from a parent
107 * they are simply copied across. For example SSL_CTX copied to SSL.
108 * 2. If the structure should take on values only if they are currently unset.
109 * For example the values in an SSL structure will take appropriate value
110 * for SSL servers or clients but only if the application has not set new
111 * ones.
112 *
113 * The "inh_flags" field determines how this function behaves.
114 *
115 * Normally any values which are set in the default are not copied from the
116 * destination and verify flags are ORed together.
117 *
118 * If X509_VP_FLAG_DEFAULT is set then anything set in the source is copied
119 * to the destination. Effectively the values in "to" become default values
120 * which will be used only if nothing new is set in "from".
121 *
122 * If X509_VP_FLAG_OVERWRITE is set then all value are copied across whether
123 * they are set or not. Flags is still Ored though.
124 *
125 * If X509_VP_FLAG_RESET_FLAGS is set then the flags value is copied instead
126 * of ORed.
127 *
128 * If X509_VP_FLAG_LOCKED is set then no values are copied.
129 *
130 * If X509_VP_FLAG_ONCE is set then the current inh_flags setting is zeroed
131 * after the next call.
132 */
133
134/* Macro to test if a field should be copied from src to dest */
135
136#define test_x509_verify_param_copy(field, def) \
137 (to_overwrite || \
138 ((src->field != def) && (to_default || (dest->field == def))))
139
140/* Macro to test and copy a field if necessary */
141
142#define x509_verify_param_copy(field, def) \
143 if (test_x509_verify_param_copy(field, def)) \
144 dest->field = src->field
145
146
147int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
148 const X509_VERIFY_PARAM *src)
149 {
150 unsigned long inh_flags;
151 int to_default, to_overwrite;
152 if (!src)
153 return 1;
154 inh_flags = dest->inh_flags | src->inh_flags;
155
156 if (inh_flags & X509_VP_FLAG_ONCE)
157 dest->inh_flags = 0;
158
159 if (inh_flags & X509_VP_FLAG_LOCKED)
160 return 1;
161
162 if (inh_flags & X509_VP_FLAG_DEFAULT)
163 to_default = 1;
164 else
165 to_default = 0;
166
167 if (inh_flags & X509_VP_FLAG_OVERWRITE)
168 to_overwrite = 1;
169 else
170 to_overwrite = 0;
171
172 x509_verify_param_copy(purpose, 0);
173 x509_verify_param_copy(trust, 0);
174 x509_verify_param_copy(depth, -1);
175
176 /* If overwrite or check time not set, copy across */
177
178 if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME))
179 {
180 dest->check_time = src->check_time;
181 dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME;
182 /* Don't need to copy flag: that is done below */
183 }
184
185 if (inh_flags & X509_VP_FLAG_RESET_FLAGS)
186 dest->flags = 0;
187
188 dest->flags |= src->flags;
189
190 if (test_x509_verify_param_copy(policies, NULL))
191 {
192 if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies))
193 return 0;
194 }
195
196 return 1;
197 }
198
199int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
200 const X509_VERIFY_PARAM *from)
201 {
202 unsigned long save_flags = to->inh_flags;
203 int ret;
204 to->inh_flags |= X509_VP_FLAG_DEFAULT;
205 ret = X509_VERIFY_PARAM_inherit(to, from);
206 to->inh_flags = save_flags;
207 return ret;
208 }
209
210int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
211 {
212 if (param->name)
213 OPENSSL_free(param->name);
214 param->name = BUF_strdup(name);
215 if (param->name)
216 return 1;
217 return 0;
218 }
219
220int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
221 {
222 param->flags |= flags;
223 if (flags & X509_V_FLAG_POLICY_MASK)
224 param->flags |= X509_V_FLAG_POLICY_CHECK;
225 return 1;
226 }
227
228int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags)
229 {
230 param->flags &= ~flags;
231 return 1;
232 }
233
234unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
235 {
236 return param->flags;
237 }
238
239int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
240 {
241 return X509_PURPOSE_set(&param->purpose, purpose);
242 }
243
244int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust)
245 {
246 return X509_TRUST_set(&param->trust, trust);
247 }
248
249void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth)
250 {
251 param->depth = depth;
252 }
253
254void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
255 {
256 param->check_time = t;
257 param->flags |= X509_V_FLAG_USE_CHECK_TIME;
258 }
259
260int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy)
261 {
262 if (!param->policies)
263 {
264 param->policies = sk_ASN1_OBJECT_new_null();
265 if (!param->policies)
266 return 0;
267 }
268 if (!sk_ASN1_OBJECT_push(param->policies, policy))
269 return 0;
270 return 1;
271 }
272
273int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
274 STACK_OF(ASN1_OBJECT) *policies)
275 {
276 int i;
277 ASN1_OBJECT *oid, *doid;
278 if (!param)
279 return 0;
280 if (param->policies)
281 sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
282
283 if (!policies)
284 {
285 param->policies = NULL;
286 return 1;
287 }
288
289 param->policies = sk_ASN1_OBJECT_new_null();
290 if (!param->policies)
291 return 0;
292
293 for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++)
294 {
295 oid = sk_ASN1_OBJECT_value(policies, i);
296 doid = OBJ_dup(oid);
297 if (!doid)
298 return 0;
299 if (!sk_ASN1_OBJECT_push(param->policies, doid))
300 {
301 ASN1_OBJECT_free(doid);
302 return 0;
303 }
304 }
305 param->flags |= X509_V_FLAG_POLICY_CHECK;
306 return 1;
307 }
308
309int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
310 {
311 return param->depth;
312 }
313
314/* Default verify parameters: these are used for various
315 * applications and can be overridden by the user specified table.
316 * NB: the 'name' field *must* be in alphabetical order because it
317 * will be searched using OBJ_search.
318 */
319
320static const X509_VERIFY_PARAM default_table[] = {
321 {
322 "default", /* X509 default parameters */
323 0, /* Check time */
324 0, /* internal flags */
325 0, /* flags */
326 0, /* purpose */
327 0, /* trust */
328 100, /* depth */
329 NULL /* policies */
330 },
331 {
332 "pkcs7", /* S/MIME sign parameters */
333 0, /* Check time */
334 0, /* internal flags */
335 0, /* flags */
336 X509_PURPOSE_SMIME_SIGN, /* purpose */
337 X509_TRUST_EMAIL, /* trust */
338 -1, /* depth */
339 NULL /* policies */
340 },
341 {
342 "smime_sign", /* S/MIME sign parameters */
343 0, /* Check time */
344 0, /* internal flags */
345 0, /* flags */
346 X509_PURPOSE_SMIME_SIGN, /* purpose */
347 X509_TRUST_EMAIL, /* trust */
348 -1, /* depth */
349 NULL /* policies */
350 },
351 {
352 "ssl_client", /* SSL/TLS client parameters */
353 0, /* Check time */
354 0, /* internal flags */
355 0, /* flags */
356 X509_PURPOSE_SSL_CLIENT, /* purpose */
357 X509_TRUST_SSL_CLIENT, /* trust */
358 -1, /* depth */
359 NULL /* policies */
360 },
361 {
362 "ssl_server", /* SSL/TLS server parameters */
363 0, /* Check time */
364 0, /* internal flags */
365 0, /* flags */
366 X509_PURPOSE_SSL_SERVER, /* purpose */
367 X509_TRUST_SSL_SERVER, /* trust */
368 -1, /* depth */
369 NULL /* policies */
370 }};
371
372static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
373
374static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b)
375
376 {
377 return strcmp(a->name, b->name);
378 }
379
380DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM,
381 table);
382IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM,
383 table);
384
385static int param_cmp(const X509_VERIFY_PARAM * const *a,
386 const X509_VERIFY_PARAM * const *b)
387 {
388 return strcmp((*a)->name, (*b)->name);
389 }
390
391int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
392 {
393 int idx;
394 X509_VERIFY_PARAM *ptmp;
395 if (!param_table)
396 {
397 param_table = sk_X509_VERIFY_PARAM_new(param_cmp);
398 if (!param_table)
399 return 0;
400 }
401 else
402 {
403 idx = sk_X509_VERIFY_PARAM_find(param_table, param);
404 if (idx != -1)
405 {
406 ptmp = sk_X509_VERIFY_PARAM_value(param_table, idx);
407 X509_VERIFY_PARAM_free(ptmp);
408 (void)sk_X509_VERIFY_PARAM_delete(param_table, idx);
409 }
410 }
411 if (!sk_X509_VERIFY_PARAM_push(param_table, param))
412 return 0;
413 return 1;
414 }
415
416const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name)
417 {
418 int idx;
419 X509_VERIFY_PARAM pm;
420
421 pm.name = (char *)name;
422 if (param_table)
423 {
424 idx = sk_X509_VERIFY_PARAM_find(param_table, &pm);
425 if (idx != -1)
426 return sk_X509_VERIFY_PARAM_value(param_table, idx);
427 }
428 return OBJ_bsearch_table(&pm, default_table,
429 sizeof(default_table)/sizeof(X509_VERIFY_PARAM));
430 }
431
432void X509_VERIFY_PARAM_table_cleanup(void)
433 {
434 if (param_table)
435 sk_X509_VERIFY_PARAM_pop_free(param_table,
436 X509_VERIFY_PARAM_free);
437 param_table = NULL;
438 }
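--- a/src/lib/libcrypto/x509/x509cset.c
+++ /dev/null
@@ -1,170 +0,0 @@
-/* crypto/x509/x509cset.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2001.
- */
-/* ====================================================================
- * Copyright (c) 2001 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/asn1.h>
-#include <openssl/objects.h>
-#include <openssl/evp.h>
-#include <openssl/x509.h>
-
-int X509_CRL_set_version(X509_CRL *x, long version)
- {
- if (x == NULL) return(0);
- if (x->crl->version == NULL)
- {
- if ((x->crl->version=M_ASN1_INTEGER_new()) == NULL)
- return(0);
- }
- return(ASN1_INTEGER_set(x->crl->version,version));
- }
-
-int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name)
- {
- if ((x == NULL) || (x->crl == NULL)) return(0);
- return(X509_NAME_set(&x->crl->issuer,name));
- }
-
-
-int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm)
- {
- ASN1_TIME *in;
-
- if (x == NULL) return(0);
- in=x->crl->lastUpdate;
- if (in != tm)
- {
- in=M_ASN1_TIME_dup(tm);
- if (in != NULL)
- {
- M_ASN1_TIME_free(x->crl->lastUpdate);
- x->crl->lastUpdate=in;
- }
- }
- return(in != NULL);
- }
-
-int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm)
- {
- ASN1_TIME *in;
-
- if (x == NULL) return(0);
- in=x->crl->nextUpdate;
- if (in != tm)
- {
- in=M_ASN1_TIME_dup(tm);
- if (in != NULL)
- {
- M_ASN1_TIME_free(x->crl->nextUpdate);
- x->crl->nextUpdate=in;
- }
- }
- return(in != NULL);
- }
-
-int X509_CRL_sort(X509_CRL *c)
- {
- int i;
- X509_REVOKED *r;
- /* sort the data so it will be written in serial
- * number order */
- sk_X509_REVOKED_sort(c->crl->revoked);
- for (i=0; i<sk_X509_REVOKED_num(c->crl->revoked); i++)
- {
- r=sk_X509_REVOKED_value(c->crl->revoked,i);
- r->sequence=i;
- }
- c->crl->enc.modified = 1;
- return 1;
- }
-
-int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm)
- {
- ASN1_TIME *in;
-
- if (x == NULL) return(0);
- in=x->revocationDate;
- if (in != tm)
- {
- in=M_ASN1_TIME_dup(tm);
- if (in != NULL)
- {
- M_ASN1_TIME_free(x->revocationDate);
- x->revocationDate=in;
- }
- }
- return(in != NULL);
- }
-
-int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial)
- {
- ASN1_INTEGER *in;
-
- if (x == NULL) return(0);
- in=x->serialNumber;
- if (in != serial)
- {
- in=M_ASN1_INTEGER_dup(serial);
- if (in != NULL)
- {
- M_ASN1_INTEGER_free(x->serialNumber);
- x->serialNumber=in;
- }
- }
- return(in != NULL);
- }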
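--- a/src/lib/libcrypto/x509/x509name.c
+++ /dev/null
@@ -1,383 +0,0 @@
-/* crypto/x509/x509name.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <openssl/stack.h>
-#include "cryptlib.h"
-#include <openssl/asn1.h>
-#include <openssl/objects.h>
-#include <openssl/evp.h>
-#include <openssl/x509.h>
-
-int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len)
- {
- ASN1_OBJECT *obj;
-
- obj=OBJ_nid2obj(nid);
- if (obj == NULL) return(-1);
- return(X509_NAME_get_text_by_OBJ(name,obj,buf,len));
- }
-
-int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, char *buf,
- int len)
- {
- int i;
- ASN1_STRING *data;
-
- i=X509_NAME_get_index_by_OBJ(name,obj,-1);
- if (i < 0) return(-1);
- data=X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name,i));
- i=(data->length > (len-1))?(len-1):data->length;
- if (buf == NULL) return(data->length);
- memcpy(buf,data->data,i);
- buf[i]='\0';
- return(i);
- }
-
-int X509_NAME_entry_count(X509_NAME *name)
- {
- if (name == NULL) return(0);
- return(sk_X509_NAME_ENTRY_num(name->entries));
- }
-
-int X509_NAME_get_index_by_NID(X509_NAME *name, int nid, int lastpos)
- {
- ASN1_OBJECT *obj;
-
- obj=OBJ_nid2obj(nid);
- if (obj == NULL) return(-2);
- return(X509_NAME_get_index_by_OBJ(name,obj,lastpos));
- }
-
-/* NOTE: you should be passsing -1, not 0 as lastpos */
-int X509_NAME_get_index_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj,
- int lastpos)
- {
- int n;
- X509_NAME_ENTRY *ne;
- STACK_OF(X509_NAME_ENTRY) *sk;
-
- if (name == NULL) return(-1);
- if (lastpos < 0)
- lastpos= -1;
- sk=name->entries;
- n=sk_X509_NAME_ENTRY_num(sk);
- for (lastpos++; lastpos < n; lastpos++)
- {
- ne=sk_X509_NAME_ENTRY_value(sk,lastpos);
- if (OBJ_cmp(ne->object,obj) == 0)
- return(lastpos);
- }
- return(-1);
- }
-
-X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc)
- {
- if(name == NULL || sk_X509_NAME_ENTRY_num(name->entries) <= loc
- || loc < 0)
- return(NULL);
- else
- return(sk_X509_NAME_ENTRY_value(name->entries,loc));
- }
-
-X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc)
- {
- X509_NAME_ENTRY *ret;
- int i,n,set_prev,set_next;
- STACK_OF(X509_NAME_ENTRY) *sk;
-
- if (name == NULL || sk_X509_NAME_ENTRY_num(name->entries) <= loc
- || loc < 0)
- return(NULL);
- sk=name->entries;
- ret=sk_X509_NAME_ENTRY_delete(sk,loc);
- n=sk_X509_NAME_ENTRY_num(sk);
- name->modified=1;
- if (loc == n) return(ret);
-
- /* else we need to fixup the set field */
- if (loc != 0)
- set_prev=(sk_X509_NAME_ENTRY_value(sk,loc-1))->set;
- else
- set_prev=ret->set-1;
- set_next=sk_X509_NAME_ENTRY_value(sk,loc)->set;
-
- /* set_prev is the previous set
- * set is the current set
- * set_next is the following
- * prev 1 1 1 1 1 1 1 1
- * set 1 1 2 2
- * next 1 1 2 2 2 2 3 2
- * so basically only if prev and next differ by 2, then
- * re-number down by 1 */
- if (set_prev+1 < set_next)
- for (i=loc; i<n; i++)
- sk_X509_NAME_ENTRY_value(sk,i)->set--;
- return(ret);
- }
-
-int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type,
- unsigned char *bytes, int len, int loc, int set)
-{
- X509_NAME_ENTRY *ne;
- int ret;
- ne = X509_NAME_ENTRY_create_by_OBJ(NULL, obj, type, bytes, len);
- if(!ne) return 0;
- ret = X509_NAME_add_entry(name, ne, loc, set);
- X509_NAME_ENTRY_free(ne);
- return ret;
-}
-
-int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
- unsigned char *bytes, int len, int loc, int set)
-{
- X509_NAME_ENTRY *ne;
- int ret;
- ne = X509_NAME_ENTRY_create_by_NID(NULL, nid, type, bytes, len);
- if(!ne) return 0;
- ret = X509_NAME_add_entry(name, ne, loc, set);
- X509_NAME_ENTRY_free(ne);
- return ret;
-}
-
-int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type,
- const unsigned char *bytes, int len, int loc, int set)
-{
- X509_NAME_ENTRY *ne;
- int ret;
- ne = X509_NAME_ENTRY_create_by_txt(NULL, field, type, bytes, len);
- if(!ne) return 0;
- ret = X509_NAME_add_entry(name, ne, loc, set);
- X509_NAME_ENTRY_free(ne);
- return ret;
-}
-
-/* if set is -1, append to previous set, 0 'a new one', and 1,
- * prepend to the guy we are about to stomp on. */
-int X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne, int loc,
- int set)
- {
- X509_NAME_ENTRY *new_name=NULL;
- int n,i,inc;
- STACK_OF(X509_NAME_ENTRY) *sk;
-
- if (name == NULL) return(0);
- sk=name->entries;
- n=sk_X509_NAME_ENTRY_num(sk);
- if (loc > n) loc=n;
- else if (loc < 0) loc=n;
-
- name->modified=1;
-
- if (set == -1)
- {
- if (loc == 0)
- {
- set=0;
- inc=1;
- }
- else
- {
- set=sk_X509_NAME_ENTRY_value(sk,loc-1)->set;
- inc=0;
- }
- }
- else /* if (set >= 0) */
- {
- if (loc >= n)
- {
- if (loc != 0)
- set=sk_X509_NAME_ENTRY_value(sk,loc-1)->set+1;
- else
- set=0;
- }
- else
- set=sk_X509_NAME_ENTRY_value(sk,loc)->set;
- inc=(set == 0)?1:0;
- }
-
- if ((new_name=X509_NAME_ENTRY_dup(ne)) == NULL)
- goto err;
- new_name->set=set;
- if (!sk_X509_NAME_ENTRY_insert(sk,new_name,loc))
- {
- X509err(X509_F_X509_NAME_ADD_ENTRY,ERR_R_MALLOC_FAILURE);
- goto err;
- }
- if (inc)
- {
- n=sk_X509_NAME_ENTRY_num(sk);
- for (i=loc+1; i<n; i++)
- sk_X509_NAME_ENTRY_value(sk,i-1)->set+=1;
- }
- return(1);
-err:
- if (new_name != NULL)
- X509_NAME_ENTRY_free(new_name);
- return(0);
- }
-
-X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
- const char *field, int type, const unsigned char *bytes, int len)
- {
- ASN1_OBJECT *obj;
- X509_NAME_ENTRY *nentry;
-
- obj=OBJ_txt2obj(field, 0);
- if (obj == NULL)
- {
- X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_TXT,
- X509_R_INVALID_FIELD_NAME);
- ERR_add_error_data(2, "name=", field);
- return(NULL);
- }
- nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len);
- ASN1_OBJECT_free(obj);
- return nentry;
- }
-
-X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
- int type, unsigned char *bytes, int len)
- {
- ASN1_OBJECT *obj;
- X509_NAME_ENTRY *nentry;
-
- obj=OBJ_nid2obj(nid);
- if (obj == NULL)
- {
- X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_NID,X509_R_UNKNOWN_NID);
- return(NULL);
- }
- nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len);
- ASN1_OBJECT_free(obj);
- return nentry;
- }
-
-X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
- ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len)
- {
- X509_NAME_ENTRY *ret;
-
- if ((ne == NULL) || (*ne == NULL))
- {
- if ((ret=X509_NAME_ENTRY_new()) == NULL)
- return(NULL);
- }
- else
- ret= *ne;
-
- if (!X509_NAME_ENTRY_set_object(ret,obj))
- goto err;
- if (!X509_NAME_ENTRY_set_data(ret,type,bytes,len))
- goto err;
-
- if ((ne != NULL) && (*ne == NULL)) *ne=ret;
- return(ret);
-err:
- if ((ne == NULL) || (ret != *ne))
- X509_NAME_ENTRY_free(ret);
- return(NULL);
- }
-
-int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj)
- {
- if ((ne == NULL) || (obj == NULL))
- {
- X509err(X509_F_X509_NAME_ENTRY_SET_OBJECT,ERR_R_PASSED_NULL_PARAMETER);
- return(0);
- }
- ASN1_OBJECT_free(ne->object);
- ne->object=OBJ_dup(obj);
- return((ne->object == NULL)?0:1);
- }
-
-int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
- const unsigned char *bytes, int len)
- {
- int i;
-
- if ((ne == NULL) || ((bytes == NULL) && (len != 0))) return(0);
- if((type > 0) && (type & MBSTRING_FLAG))
- return ASN1_STRING_set_by_NID(&ne->value, bytes,
- len, type,
- OBJ_obj2nid(ne->object)) ? 1 : 0;
- if (len < 0) len=strlen((const char *)bytes);
- i=ASN1_STRING_set(ne->value,bytes,len);
- if (!i) return(0);
- if (type != V_ASN1_UNDEF)
- {
- if (type == V_ASN1_APP_CHOOSE)
- ne->value->type=ASN1_PRINTABLE_type(bytes,len);
- else
- ne->value->type=type;
- }
- return(1);
- }
-
-ASN1_OBJECT *X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne)
- {
- if (ne == NULL) return(NULL);
- return(ne->object);
- }
-
-ASN1_STRING *X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne)
- {
- if (ne == NULL) return(NULL);
- return(ne->value);
- }
-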
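--- a/src/lib/libcrypto/x509/x509rset.c
+++ /dev/null
@@ -1,83 +0,0 @@
-/* crypto/x509/x509rset.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/asn1.h>
-#include <openssl/objects.h>
-#include <openssl/evp.h>
-#include <openssl/x509.h>
-
-int X509_REQ_set_version(X509_REQ *x, long version)
- {
- if (x == NULL) return(0);
- return(ASN1_INTEGER_set(x->req_info->version,version));
- }
-
-int X509_REQ_set_subject_name(X509_REQ *x, X509_NAME *name)
- {
- if ((x == NULL) || (x->req_info == NULL)) return(0);
- return(X509_NAME_set(&x->req_info->subject,name));
- }
-
-int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey)
- {
- if ((x == NULL) || (x->req_info == NULL)) return(0);
- return(X509_PUBKEY_set(&x->req_info->pubkey,pkey));
- }
-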
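--- a/src/lib/libcrypto/x509/x509spki.c
+++ /dev/null
@@ -1,121 +0,0 @@
-/* x509spki.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/x509.h>
-
-int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey)
-{
- if ((x == NULL) || (x->spkac == NULL)) return(0);
- return(X509_PUBKEY_set(&(x->spkac->pubkey),pkey));
-}
-
-EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *x)
-{
- if ((x == NULL) || (x->spkac == NULL))
- return(NULL);
- return(X509_PUBKEY_get(x->spkac->pubkey));
-}
-
-/* Load a Netscape SPKI from a base64 encoded string */
-
-NETSCAPE_SPKI * NETSCAPE_SPKI_b64_decode(const char *str, int len)
-{
- unsigned char *spki_der;
- const unsigned char *p;
- int spki_len;
- NETSCAPE_SPKI *spki;
- if(len <= 0) len = strlen(str);
- if (!(spki_der = OPENSSL_malloc(len + 1))) {
- X509err(X509_F_NETSCAPE_SPKI_B64_DECODE, ERR_R_MALLOC_FAILURE);
- return NULL;
- }
- spki_len = EVP_DecodeBlock(spki_der, (const unsigned char *)str, len);
- if(spki_len < 0) {
- X509err(X509_F_NETSCAPE_SPKI_B64_DECODE,
- X509_R_BASE64_DECODE_ERROR);
- OPENSSL_free(spki_der);
- return NULL;
- }
- p = spki_der;
- spki = d2i_NETSCAPE_SPKI(NULL, &p, spki_len);
- OPENSSL_free(spki_der);
- return spki;
-}
-
-/* Generate a base64 encoded string from an SPKI */
-
-char * NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki)
-{
- unsigned char *der_spki, *p;
- char *b64_str;
- int der_len;
- der_len = i2d_NETSCAPE_SPKI(spki, NULL);
- der_spki = OPENSSL_malloc(der_len);
- b64_str = OPENSSL_malloc(der_len * 2);
- if(!der_spki || !b64_str) {
- X509err(X509_F_NETSCAPE_SPKI_B64_ENCODE, ERR_R_MALLOC_FAILURE);
- return NULL;
- }
- p = der_spki;
- i2d_NETSCAPE_SPKI(spki, &p);
- EVP_EncodeBlock((unsigned char *)b64_str, der_spki, der_len);
- OPENSSL_free(der_spki);
- return b64_str;
-}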
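--- a/src/lib/libcrypto/x509/x509type.c
+++ /dev/null
@@ -1,131 +0,0 @@
-/* crypto/x509/x509type.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-#include <openssl/x509.h>
-
-int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
- {
- EVP_PKEY *pk;
- int ret=0,i;
-
- if (x == NULL) return(0);
-
- if (pkey == NULL)
- pk=X509_get_pubkey(x);
- else
- pk=pkey;
-
- if (pk == NULL) return(0);
-
- switch (pk->type)
- {
- case EVP_PKEY_RSA:
- ret=EVP_PK_RSA|EVP_PKT_SIGN;
-/* if (!sign only extension) */
- ret|=EVP_PKT_ENC;
- break;
- case EVP_PKEY_DSA:
- ret=EVP_PK_DSA|EVP_PKT_SIGN;
- break;
- case EVP_PKEY_EC:
- ret=EVP_PK_EC|EVP_PKT_SIGN|EVP_PKT_EXCH;
- break;
- case EVP_PKEY_DH:
- ret=EVP_PK_DH|EVP_PKT_EXCH;
- break;
- case NID_id_GostR3410_94:
- case NID_id_GostR3410_2001:
- ret=EVP_PKT_EXCH|EVP_PKT_SIGN;
- break;
- default:
- break;
- }
-
- i=OBJ_obj2nid(x->sig_alg->algorithm);
- if (i && OBJ_find_sigid_algs(i, NULL, &i))
- {
-
- switch (i)
- {
- case NID_rsaEncryption:
- case NID_rsa:
- ret|=EVP_PKS_RSA;
- break;
- case NID_dsa:
- case NID_dsa_2:
- ret|=EVP_PKS_DSA;
- break;
- case NID_X9_62_id_ecPublicKey:
- ret|=EVP_PKS_EC;
- break;
- default:
- break;
- }
- }
-
- if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look
- for, not bytes */
- ret|=EVP_PKT_EXP;
- if(pkey==NULL) EVP_PKEY_free(pk);
- return(ret);
- }
-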
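--- a/src/lib/libcrypto/x509/x_all.c
+++ /dev/null
@@ -1,535 +0,0 @@
-/* crypto/x509/x_all.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <openssl/stack.h>
-#include "cryptlib.h"
-#include <openssl/buffer.h>
-#include <openssl/asn1.h>
-#include <openssl/evp.h>
-#include <openssl/x509.h>
-#ifndef OPENSSL_NO_RSA
-#include <openssl/rsa.h>
-#endif
-#ifndef OPENSSL_NO_DSA
-#include <openssl/dsa.h>
-#endif
-
-int X509_verify(X509 *a, EVP_PKEY *r)
- {
- return(ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF),a->sig_alg,
- a->signature,a->cert_info,r));
- }
-
-int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r)
- {
- return( ASN1_item_verify(ASN1_ITEM_rptr(X509_REQ_INFO),
- a->sig_alg,a->signature,a->req_info,r));
- }
-
-int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r)
- {
- return(ASN1_item_verify(ASN1_ITEM_rptr(NETSCAPE_SPKAC),
- a->sig_algor,a->signature,a->spkac,r));
- }
-
-int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
- {
- x->cert_info->enc.modified = 1;
- return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), x->cert_info->signature,
- x->sig_alg, x->signature, x->cert_info,pkey,md));
- }
-
-int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
- {
- return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF),
- x->cert_info->signature,
- x->sig_alg, x->signature, x->cert_info, ctx);
- }
-
-int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
- {
- return(ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO),x->sig_alg, NULL,
- x->signature, x->req_info,pkey,md));
- }
-
-int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx)
- {
- return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_REQ_INFO),
- x->sig_alg, NULL, x->signature, x->req_info, ctx);
- }
-
-int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
- {
- x->crl->enc.modified = 1;
- return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO),x->crl->sig_alg,
- x->sig_alg, x->signature, x->crl,pkey,md));
- }
-
-int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
- {
- return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO),
- x->crl->sig_alg, x->sig_alg, x->signature, x->crl, ctx);
- }
-
-int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md)
- {
- return(ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), x->sig_algor,NULL,
- x->signature, x->spkac,pkey,md));
- }
-
-#ifndef OPENSSL_NO_FP_API
-X509 *d2i_X509_fp(FILE *fp, X509 **x509)
- {
- return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509), fp, x509);
- }
-
-int i2d_X509_fp(FILE *fp, X509 *x509)
- {
- return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509), fp, x509);
- }
-#endif
-
-X509 *d2i_X509_bio(BIO *bp, X509 **x509)
- {
- return ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509), bp, x509);
- }
-
-int i2d_X509_bio(BIO *bp, X509 *x509)
- {
- return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509), bp, x509);
- }
-
-#ifndef OPENSSL_NO_FP_API
-X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl)
- {
- return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509_CRL), fp, crl);
- }
-
-int i2d_X509_CRL_fp(FILE *fp, X509_CRL *crl)
- {
- return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509_CRL), fp, crl);
- }
-#endif
-
-X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl)
- {
- return ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509_CRL), bp, crl);
- }
-
-int i2d_X509_CRL_bio(BIO *bp, X509_CRL *crl)
- {
- return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509_CRL), bp, crl);
- }
-
-#ifndef OPENSSL_NO_FP_API
-PKCS7 *d2i_PKCS7_fp(FILE *fp, PKCS7 **p7)
- {
- return ASN1_item_d2i_fp(ASN1_ITEM_rptr(PKCS7), fp, p7);
- }
-
-int i2d_PKCS7_fp(FILE *fp, PKCS7 *p7)
- {
- return ASN1_item_i2d_fp(ASN1_ITEM_rptr(PKCS7), fp, p7);
- }
-#endif
-
-PKCS7 *d2i_PKCS7_bio(BIO *bp, PKCS7 **p7)
- {
- return ASN1_item_d2i_bio(ASN1_ITEM_rptr(PKCS7), bp, p7);
- }
-
-int i2d_PKCS7_bio(BIO *bp, PKCS7 *p7)
- {
- return ASN1_item_i2d_bio(ASN1_ITEM_rptr(PKCS7), bp, p7);
- }
-
-#ifndef OPENSSL_NO_FP_API
-X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req)
- {
- return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509_REQ), fp, req);
- }
-
-int i2d_X509_REQ_fp(FILE *fp, X509_REQ *req)
- {
- return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509_REQ), fp, req);
- }
-#endif
-
-X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req)
- {
- return ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509_REQ), bp, req);
- }
-
-int i2d_X509_REQ_bio(BIO *bp, X509_REQ *req)
- {
- return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509_REQ), bp, req);
- }
-
-#ifndef OPENSSL_NO_RSA
-
-#ifndef OPENSSL_NO_FP_API
-RSA *d2i_RSAPrivateKey_fp(FILE *fp, RSA **rsa)
- {
- return ASN1_item_d2i_fp(ASN1_ITEM_rptr(RSAPrivateKey), fp, rsa);
- }
-
-int i2d_RSAPrivateKey_fp(FILE *fp, RSA *rsa)
- {
- return ASN1_item_i2d_fp(ASN1_ITEM_rptr(RSAPrivateKey), fp, rsa);
- }
-
-RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa)
- {
- return ASN1_item_d2i_fp(ASN1_ITEM_rptr(RSAPublicKey), fp, rsa);
- }
-
-
-RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa)
- {
- return ASN1_d2i_fp((void *(*)(void))
- RSA_new,(D2I_OF(void))d2i_RSA_PUBKEY, fp,
- (void **)rsa);
- }
-
-int i2d_RSAPublicKey_fp(FILE *fp, RSA *rsa)
- {
- return ASN1_item_i2d_fp(ASN1_ITEM_rptr(RSAPublicKey), fp, rsa);
- }
-
-int i2d_RSA_PUBKEY_fp(FILE *fp, RSA *rsa)
- {
- return ASN1_i2d_fp((I2D_OF(void))i2d_RSA_PUBKEY,fp,rsa);
- }
-#endif
-
-RSA *d2i_RSAPrivateKey_bio(BIO *bp, RSA **rsa)
- {
- return ASN1_item_d2i_bio(ASN1_ITEM_rptr(RSAPrivateKey), bp, rsa);
- }
-
-int i2d_RSAPrivateKey_bio(BIO *bp, RSA *rsa)
- {
- return ASN1_item_i2d_bio(ASN1_ITEM_rptr(RSAPrivateKey), bp, rsa);
- }
-
-RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa)
- {
- return ASN1_item_d2i_bio(ASN1_ITEM_rptr(RSAPublicKey), bp, rsa);
- }
-
-
-RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa)
- {
- return ASN1_d2i_bio_of(RSA,RSA_new,d2i_RSA_PUBKEY,bp,rsa);
- }
-
-int i2d_RSAPublicKey_bio(BIO *bp, RSA *rsa)
- {
- return ASN1_item_i2d_bio(ASN1_ITEM_rptr(RSAPublicKey), bp, rsa);
- }
-
-int i2d_RSA_PUBKEY_bio(BIO *bp, RSA *rsa)
- {
- return ASN1_i2d_bio_of(RSA,i2d_RSA_PUBKEY,bp,rsa);
- }
-#endif
-
-#ifndef OPENSSL_NO_DSA
-#ifndef OPENSSL_NO_FP_API
-DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa)
- {
- return ASN1_d2i_fp_of(DSA,DSA_new,d2i_DSAPrivateKey,fp,dsa);
- }
-
-int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa)
- {
- return ASN1_i2d_fp_of_const(DSA,i2d_DSAPrivateKey,fp,dsa);
- }
-
-DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa)
- {
- return ASN1_d2i_fp_of(DSA,DSA_new,d2i_DSA_PUBKEY,fp,dsa);
- }
-
-int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa)
- {
- return ASN1_i2d_fp_of(DSA,i2d_DSA_PUBKEY,fp,dsa);
- }
-#endif
-
-DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa)
- {
- return ASN1_d2i_bio_of(DSA,DSA_new,d2i_DSAPrivateKey,bp,dsa
-);
- }
-
-int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa)
- {
- return ASN1_i2d_bio_of_const(DSA,i2d_DSAPrivateKey,bp,dsa);
- }
-
-DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa)
- {
- return ASN1_d2i_bio_of(DSA,DSA_new,d2i_DSA_PUBKEY,bp,dsa);
- }
-
-int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa)
- {
- return ASN1_i2d_bio_of(DSA,i2d_DSA_PUBKEY,bp,dsa);
- }
-
-#endif
-
-#ifndef OPENSSL_NO_EC
-#ifndef OPENSSL_NO_FP_API
-EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey)
- {
- return ASN1_d2i_fp_of(EC_KEY,EC_KEY_new,d2i_EC_PUBKEY,fp,eckey);
- }
-
-int i2d_EC_PUBKEY_fp(FILE *fp, EC_KEY *eckey)
- {
- return ASN1_i2d_fp_of(EC_KEY,i2d_EC_PUBKEY,fp,eckey);
- }
-
-EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey)
- {
- return ASN1_d2i_fp_of(EC_KEY,EC_KEY_new,d2i_ECPrivateKey,fp,eckey);
- }
-
-int i2d_ECPrivateKey_fp(FILE *fp, EC_KEY *eckey)
- {
- return ASN1_i2d_fp_of(EC_KEY,i2d_ECPrivateKey,fp,eckey);
- }
-#endif
-EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey)
- {
- return ASN1_d2i_bio_of(EC_KEY,EC_KEY_new,d2i_EC_PUBKEY,bp,eckey);
- }
-
-int i2d_EC_PUBKEY_bio(BIO *bp, EC_KEY *ecdsa)
- {
- return ASN1_i2d_bio_of(EC_KEY,i2d_EC_PUBKEY,bp,ecdsa);
- }
-
-EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey)
- {
- return ASN1_d2i_bio_of(EC_KEY,EC_KEY_new,d2i_ECPrivateKey,bp,eckey);
- }
-
-int i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey)
- {
- return ASN1_i2d_bio_of(EC_KEY,i2d_ECPrivateKey,bp,eckey);
- }
-#endif
-
-
-int X509_pubkey_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
- unsigned int *len)
- {
- ASN1_BIT_STRING *key;
- key = X509_get0_pubkey_bitstr(data);
- if(!key) return 0;
- return EVP_Digest(key->data, key->length, md, len, type, NULL);
- }
-
-int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
- unsigned int *len)
- {
- return(ASN1_item_digest(ASN1_ITEM_rptr(X509),type,(char *)data,md,len));
- }
-
-int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type, unsigned char *md,
- unsigned int *len)
- {
- return(ASN1_item_digest(ASN1_ITEM_rptr(X509_CRL),type,(char *)data,md,len));
- }
-
-int X509_REQ_digest(const X509_REQ *data, const EVP_MD *type, unsigned char *md,
- unsigned int *len)
- {
- return(ASN1_item_digest(ASN1_ITEM_rptr(X509_REQ),type,(char *)data,md,len));
- }
-
-int X509_NAME_digest(const X509_NAME *data, const EVP_MD *type, unsigned char *md,
- unsigned int *len)
- {
- return(ASN1_item_digest(ASN1_ITEM_rptr(X509_NAME),type,(char *)data,md,len));
- }
-
-int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data, const EVP_MD *type,
- unsigned char *md, unsigned int *len)
- {
- return(ASN1_item_digest(ASN1_ITEM_rptr(PKCS7_ISSUER_AND_SERIAL),type,
- (char *)data,md,len));
- }
-
-
-#ifndef OPENSSL_NO_FP_API
-X509_SIG *d2i_PKCS8_fp(FILE *fp, X509_SIG **p8)
- {
- return ASN1_d2i_fp_of(X509_SIG,X509_SIG_new,d2i_X509_SIG,fp,p8);
- }
-
-int i2d_PKCS8_fp(FILE *fp, X509_SIG *p8)
- {
- return ASN1_i2d_fp_of(X509_SIG,i2d_X509_SIG,fp,p8);
- }
-#endif
-
-X509_SIG *d2i_PKCS8_bio(BIO *bp, X509_SIG **p8)
- {
- return ASN1_d2i_bio_of(X509_SIG,X509_SIG_new,d2i_X509_SIG,bp,p8);
- }
-
-int i2d_PKCS8_bio(BIO *bp, X509_SIG *p8)
- {
- return ASN1_i2d_bio_of(X509_SIG,i2d_X509_SIG,bp,p8);
- }
-
-#ifndef OPENSSL_NO_FP_API
-PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,
- PKCS8_PRIV_KEY_INFO **p8inf)
- {
- return ASN1_d2i_fp_of(PKCS8_PRIV_KEY_INFO,PKCS8_PRIV_KEY_INFO_new,
- d2i_PKCS8_PRIV_KEY_INFO,fp,p8inf);
- }
-
-int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, PKCS8_PRIV_KEY_INFO *p8inf)
- {
- return ASN1_i2d_fp_of(PKCS8_PRIV_KEY_INFO,i2d_PKCS8_PRIV_KEY_INFO,fp,
- p8inf);
- }
-
-int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key)
- {
- PKCS8_PRIV_KEY_INFO *p8inf;
- int ret;
- p8inf = EVP_PKEY2PKCS8(key);
- if(!p8inf) return 0;
- ret = i2d_PKCS8_PRIV_KEY_INFO_fp(fp, p8inf);
- PKCS8_PRIV_KEY_INFO_free(p8inf);
- return ret;
- }
-
-int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey)
- {
- return ASN1_i2d_fp_of(EVP_PKEY,i2d_PrivateKey,fp,pkey);
- }
-
-EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a)
-{
- return ASN1_d2i_fp_of(EVP_PKEY,EVP_PKEY_new,d2i_AutoPrivateKey,fp,a);
-}
-
-int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey)
- {
- return ASN1_i2d_fp_of(EVP_PKEY,i2d_PUBKEY,fp,pkey);
- }
-
-EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a)
-{
- return ASN1_d2i_fp_of(EVP_PKEY,EVP_PKEY_new,d2i_PUBKEY,fp,a);
-}
-
-#endif
-
-PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
- PKCS8_PRIV_KEY_INFO **p8inf)
- {
- return ASN1_d2i_bio_of(PKCS8_PRIV_KEY_INFO,PKCS8_PRIV_KEY_INFO_new,
- d2i_PKCS8_PRIV_KEY_INFO,bp,p8inf);
- }
-
-int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, PKCS8_PRIV_KEY_INFO *p8inf)
- {
- return ASN1_i2d_bio_of(PKCS8_PRIV_KEY_INFO,i2d_PKCS8_PRIV_KEY_INFO,bp,
- p8inf);
- }
-
-int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key)
- {
- PKCS8_PRIV_KEY_INFO *p8inf;
- int ret;
- p8inf = EVP_PKEY2PKCS8(key);
- if(!p8inf) return 0;
- ret = i2d_PKCS8_PRIV_KEY_INFO_bio(bp, p8inf);
- PKCS8_PRIV_KEY_INFO_free(p8inf);
- return ret;
- }
-
-int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey)
- {
- return ASN1_i2d_bio_of(EVP_PKEY,i2d_PrivateKey,bp,pkey);
- }
-
-EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a)
- {
- return ASN1_d2i_bio_of(EVP_PKEY,EVP_PKEY_new,d2i_AutoPrivateKey,bp,a);
- }
-
-int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey)
- {
- return ASN1_i2d_bio_of(EVP_PKEY,i2d_PUBKEY,bp,pkey);
- }
-
-EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a)
- {
- return ASN1_d2i_bio_of(EVP_PKEY,EVP_PKEY_new,d2i_PUBKEY,bp,a);
- }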
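--- a/src/lib/libcrypto/x509v3/ext_dat.h
+++ /dev/null
@@ -1,132 +0,0 @@
-/* ext_dat.h */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* This file contains a table of "standard" extensions */
-
-extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
-extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo;
-extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
-extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
-extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl;
-extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
-extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
-extern X509V3_EXT_METHOD v3_crl_hold, v3_pci;
-extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
-extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
-extern X509V3_EXT_METHOD v3_addr, v3_asid;
-
-/* This table will be searched using OBJ_bsearch so it *must* kept in
- * order of the ext_nid values.
- */
-
-static const X509V3_EXT_METHOD *standard_exts[] = {
-&v3_nscert,
-&v3_ns_ia5_list[0],
-&v3_ns_ia5_list[1],
-&v3_ns_ia5_list[2],
-&v3_ns_ia5_list[3],
-&v3_ns_ia5_list[4],
-&v3_ns_ia5_list[5],
-&v3_ns_ia5_list[6],
-&v3_skey_id,
-&v3_key_usage,
-&v3_pkey_usage_period,
-&v3_alt[0],
-&v3_alt[1],
-&v3_bcons,
-&v3_crl_num,
-&v3_cpols,
-&v3_akey_id,
-&v3_crld,
-&v3_ext_ku,
-&v3_delta_crl,
-&v3_crl_reason,
-#ifndef OPENSSL_NO_OCSP
-&v3_crl_invdate,
-#endif
-&v3_sxnet,
-&v3_info,
-#ifndef OPENSSL_NO_RFC3779
-&v3_addr,
-&v3_asid,
-#endif
-#ifndef OPENSSL_NO_OCSP
-&v3_ocsp_nonce,
-&v3_ocsp_crlid,
-&v3_ocsp_accresp,
-&v3_ocsp_nocheck,
-&v3_ocsp_acutoff,
-&v3_ocsp_serviceloc,
-#endif
-&v3_sinfo,
-&v3_policy_constraints,
-#ifndef OPENSSL_NO_OCSP
-&v3_crl_hold,
-#endif
-&v3_pci,
-&v3_name_constraints,
-&v3_policy_mappings,
-&v3_inhibit_anyp,
-&v3_idp,
-&v3_alt[2],
-&v3_freshest_crl,
-};
-
-/* Number of standard extensions */
-
-#define STANDARD_EXTENSION_COUNT (sizeof(standard_exts)/sizeof(X509V3_EXT_METHOD *))
-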
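--- a/src/lib/libcrypto/x509v3/pcy_cache.c
+++ /dev/null
@@ -1,286 +0,0 @@
-/* pcy_cache.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include "cryptlib.h"
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-#include "pcy_int.h"
-
-static int policy_data_cmp(const X509_POLICY_DATA * const *a,
- const X509_POLICY_DATA * const *b);
-static int policy_cache_set_int(long *out, ASN1_INTEGER *value);
-
-/* Set cache entry according to CertificatePolicies extension.
- * Note: this destroys the passed CERTIFICATEPOLICIES structure.
- */
-
-static int policy_cache_create(X509 *x,
- CERTIFICATEPOLICIES *policies, int crit)
- {
- int i;
- int ret = 0;
- X509_POLICY_CACHE *cache = x->policy_cache;
- X509_POLICY_DATA *data = NULL;
- POLICYINFO *policy;
- if (sk_POLICYINFO_num(policies) == 0)
- goto bad_policy;
- cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
- if (!cache->data)
- goto bad_policy;
- for (i = 0; i < sk_POLICYINFO_num(policies); i++)
- {
- policy = sk_POLICYINFO_value(policies, i);
- data = policy_data_new(policy, NULL, crit);
- if (!data)
- goto bad_policy;
- /* Duplicate policy OIDs are illegal: reject if matches
- * found.
- */
- if (OBJ_obj2nid(data->valid_policy) == NID_any_policy)
- {
- if (cache->anyPolicy)
- {
- ret = -1;
- goto bad_policy;
- }
- cache->anyPolicy = data;
- }
- else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1)
- {
- ret = -1;
- goto bad_policy;
- }
- else if (!sk_X509_POLICY_DATA_push(cache->data, data))
- goto bad_policy;
- data = NULL;
- }
- ret = 1;
- bad_policy:
- if (ret == -1)
- x->ex_flags |= EXFLAG_INVALID_POLICY;
- if (data)
- policy_data_free(data);
- sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
- if (ret <= 0)
- {
- sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
- cache->data = NULL;
- }
- return ret;
- }
-
-
-static int policy_cache_new(X509 *x)
- {
- X509_POLICY_CACHE *cache;
- ASN1_INTEGER *ext_any = NULL;
- POLICY_CONSTRAINTS *ext_pcons = NULL;
- CERTIFICATEPOLICIES *ext_cpols = NULL;
- POLICY_MAPPINGS *ext_pmaps = NULL;
- int i;
- cache = OPENSSL_malloc(sizeof(X509_POLICY_CACHE));
- if (!cache)
- return 0;
- cache->anyPolicy = NULL;
- cache->data = NULL;
- cache->any_skip = -1;
- cache->explicit_skip = -1;
- cache->map_skip = -1;
-
- x->policy_cache = cache;
-
- /* Handle requireExplicitPolicy *first*. Need to process this
- * even if we don't have any policies.
- */
- ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);
-
- if (!ext_pcons)
- {
- if (i != -1)
- goto bad_cache;
- }
- else
- {
- if (!ext_pcons->requireExplicitPolicy
- && !ext_pcons->inhibitPolicyMapping)
- goto bad_cache;
- if (!policy_cache_set_int(&cache->explicit_skip,
- ext_pcons->requireExplicitPolicy))
- goto bad_cache;
- if (!policy_cache_set_int(&cache->map_skip,
- ext_pcons->inhibitPolicyMapping))
- goto bad_cache;
- }
-
- /* Process CertificatePolicies */
-
- ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL);
- /* If no CertificatePolicies extension or problem decoding then
- * there is no point continuing because the valid policies will be
- * NULL.
- */
- if (!ext_cpols)
- {
- /* If not absent some problem with extension */
- if (i != -1)
- goto bad_cache;
- return 1;
- }
-
- i = policy_cache_create(x, ext_cpols, i);
-
- /* NB: ext_cpols freed by policy_cache_set_policies */
-
- if (i <= 0)
- return i;
-
- ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);
-
- if (!ext_pmaps)
- {
- /* If not absent some problem with extension */
- if (i != -1)
- goto bad_cache;
- }
- else
- {
- i = policy_cache_set_mapping(x, ext_pmaps);
- if (i <= 0)
- goto bad_cache;
- }
-
- ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);
-
- if (!ext_any)
- {
- if (i != -1)
- goto bad_cache;
- }
- else if (!policy_cache_set_int(&cache->any_skip, ext_any))
- goto bad_cache;
-
- if (0)
- {
- bad_cache:
- x->ex_flags |= EXFLAG_INVALID_POLICY;
- }
-
- if(ext_pcons)
- POLICY_CONSTRAINTS_free(ext_pcons);
-
- if (ext_any)
- ASN1_INTEGER_free(ext_any);
-
- return 1;
-
-
-}
-
-void policy_cache_free(X509_POLICY_CACHE *cache)
- {
- if (!cache)
- return;
- if (cache->anyPolicy)
- policy_data_free(cache->anyPolicy);
- if (cache->data)
- sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
- OPENSSL_free(cache);
- }
-
-const X509_POLICY_CACHE *policy_cache_set(X509 *x)
- {
-
- if (x->policy_cache == NULL)
- {
- CRYPTO_w_lock(CRYPTO_LOCK_X509);
- policy_cache_new(x);
- CRYPTO_w_unlock(CRYPTO_LOCK_X509);
- }
-
- return x->policy_cache;
-
- }
-
-X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
- const ASN1_OBJECT *id)
- {
- int idx;
- X509_POLICY_DATA tmp;
- tmp.valid_policy = (ASN1_OBJECT *)id;
- idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
- if (idx == -1)
- return NULL;
- return sk_X509_POLICY_DATA_value(cache->data, idx);
- }
-
-static int policy_data_cmp(const X509_POLICY_DATA * const *a,
- const X509_POLICY_DATA * const *b)
- {
- return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy);
- }
-
-static int policy_cache_set_int(long *out, ASN1_INTEGER *value)
- {
- if (value == NULL)
- return 1;
- if (value->type == V_ASN1_NEG_INTEGER)
- return 0;
- *out = ASN1_INTEGER_get(value);
- return 1;
- }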
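diff --git a/src/lib/libcrypto/x509v3/pcy_data.c b/src/lib/libcrypto/x509v3/pcy_data.c
deleted file mode 100644
index 3444b03195..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_data.c
+++ /dev/null
@@ -1,135 +0,0 @@
-/* pcy_data.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include "cryptlib.h"
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-#include "pcy_int.h"
-
-/* Policy Node routines */
-
-void policy_data_free(X509_POLICY_DATA *data)
- {
- ASN1_OBJECT_free(data->valid_policy);
- /* Don't free qualifiers if shared */
- if (!(data->flags & POLICY_DATA_FLAG_SHARED_QUALIFIERS))
- sk_POLICYQUALINFO_pop_free(data->qualifier_set,
- POLICYQUALINFO_free);
- sk_ASN1_OBJECT_pop_free(data->expected_policy_set, ASN1_OBJECT_free);
- OPENSSL_free(data);
- }
-
-/* Create a data based on an existing policy. If 'id' is NULL use the
- * oid in the policy, otherwise use 'id'. This behaviour covers the two
- * types of data in RFC3280: data with from a CertificatePolcies extension
- * and additional data with just the qualifiers of anyPolicy and ID from
- * another source.
- */
-
-X509_POLICY_DATA *policy_data_new(POLICYINFO *policy,
- const ASN1_OBJECT *cid, int crit)
- {
- X509_POLICY_DATA *ret;
- ASN1_OBJECT *id;
- if (!policy && !cid)
- return NULL;
- if (cid)
- {
- id = OBJ_dup(cid);
- if (!id)
- return NULL;
- }
- else
- id = NULL;
- ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA));
- if (!ret)
- return NULL;
- ret->expected_policy_set = sk_ASN1_OBJECT_new_null();
- if (!ret->expected_policy_set)
- {
- OPENSSL_free(ret);
- if (id)
- ASN1_OBJECT_free(id);
- return NULL;
- }
-
- if (crit)
- ret->flags = POLICY_DATA_FLAG_CRITICAL;
- else
- ret->flags = 0;
-
- if (id)
- ret->valid_policy = id;
- else
- {
- ret->valid_policy = policy->policyid;
- policy->policyid = NULL;
- }
-
- if (policy)
- {
- ret->qualifier_set = policy->qualifiers;
- policy->qualifiers = NULL;
- }
- else
- ret->qualifier_set = NULL;
-
- return ret;
- }
-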
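diff --git a/src/lib/libcrypto/x509v3/pcy_int.h b/src/lib/libcrypto/x509v3/pcy_int.h
deleted file mode 100644
index ccff92846e..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_int.h
+++ /dev/null
@@ -1,212 +0,0 @@
-/* pcy_int.h */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-
-typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
-
-DECLARE_STACK_OF(X509_POLICY_DATA)
-
-/* Internal structures */
-
-/* This structure and the field names correspond to the Policy 'node' of
- * RFC3280. NB this structure contains no pointers to parent or child
- * data: X509_POLICY_NODE contains that. This means that the main policy data
- * can be kept static and cached with the certificate.
- */
-
-struct X509_POLICY_DATA_st
- {
- unsigned int flags;
- /* Policy OID and qualifiers for this data */
- ASN1_OBJECT *valid_policy;
- STACK_OF(POLICYQUALINFO) *qualifier_set;
- STACK_OF(ASN1_OBJECT) *expected_policy_set;
- };
-
-/* X509_POLICY_DATA flags values */
-
-/* This flag indicates the structure has been mapped using a policy mapping
- * extension. If policy mapping is not active its references get deleted.
- */
-
-#define POLICY_DATA_FLAG_MAPPED 0x1
-
-/* This flag indicates the data doesn't correspond to a policy in Certificate
- * Policies: it has been mapped to any policy.
- */
-
-#define POLICY_DATA_FLAG_MAPPED_ANY 0x2
-
-/* AND with flags to see if any mapping has occurred */
-
-#define POLICY_DATA_FLAG_MAP_MASK 0x3
-
-/* qualifiers are shared and shouldn't be freed */
-
-#define POLICY_DATA_FLAG_SHARED_QUALIFIERS 0x4
-
-/* Parent node is an extra node and should be freed */
-
-#define POLICY_DATA_FLAG_EXTRA_NODE 0x8
-
-/* Corresponding CertificatePolicies is critical */
-
-#define POLICY_DATA_FLAG_CRITICAL 0x10
-
-/* This structure is cached with a certificate */
-
-struct X509_POLICY_CACHE_st {
- /* anyPolicy data or NULL if no anyPolicy */
- X509_POLICY_DATA *anyPolicy;
- /* other policy data */
- STACK_OF(X509_POLICY_DATA) *data;
- /* If InhibitAnyPolicy present this is its value or -1 if absent. */
- long any_skip;
- /* If policyConstraints and requireExplicitPolicy present this is its
- * value or -1 if absent.
- */
- long explicit_skip;
- /* If policyConstraints and policyMapping present this is its
- * value or -1 if absent.
- */
- long map_skip;
- };
-
-/*#define POLICY_CACHE_FLAG_CRITICAL POLICY_DATA_FLAG_CRITICAL*/
-
-/* This structure represents the relationship between nodes */
-
-struct X509_POLICY_NODE_st
- {
- /* node data this refers to */
- const X509_POLICY_DATA *data;
- /* Parent node */
- X509_POLICY_NODE *parent;
- /* Number of child nodes */
- int nchild;
- };
-
-struct X509_POLICY_LEVEL_st
- {
- /* Cert for this level */
- X509 *cert;
- /* nodes at this level */
- STACK_OF(X509_POLICY_NODE) *nodes;
- /* anyPolicy node */
- X509_POLICY_NODE *anyPolicy;
- /* Extra data */
- /*STACK_OF(X509_POLICY_DATA) *extra_data;*/
- unsigned int flags;
- };
-
-struct X509_POLICY_TREE_st
- {
- /* This is the tree 'level' data */
- X509_POLICY_LEVEL *levels;
- int nlevel;
- /* Extra policy data when additional nodes (not from the certificate)
- * are required.
- */
- STACK_OF(X509_POLICY_DATA) *extra_data;
- /* This is the authority constained policy set */
- STACK_OF(X509_POLICY_NODE) *auth_policies;
- STACK_OF(X509_POLICY_NODE) *user_policies;
- unsigned int flags;
- };
-
-/* Set if anyPolicy present in user policies */
-#define POLICY_FLAG_ANY_POLICY 0x2
-
-/* Useful macros */
-
-#define node_data_critical(data) (data->flags & POLICY_DATA_FLAG_CRITICAL)
-#define node_critical(node) node_data_critical(node->data)
-
-/* Internal functions */
-
-X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *id,
- int crit);
-void policy_data_free(X509_POLICY_DATA *data);
-
-X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
- const ASN1_OBJECT *id);
-int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps);
-
-
-STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void);
-
-void policy_cache_init(void);
-
-void policy_cache_free(X509_POLICY_CACHE *cache);
-
-X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
- const X509_POLICY_NODE *parent,
- const ASN1_OBJECT *id);
-
-X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
- const ASN1_OBJECT *id);
-
-X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
- const X509_POLICY_DATA *data,
- X509_POLICY_NODE *parent,
- X509_POLICY_TREE *tree);
-void policy_node_free(X509_POLICY_NODE *node);
-int policy_node_match(const X509_POLICY_LEVEL *lvl,
- const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
-
-const X509_POLICY_CACHE *policy_cache_set(X509 *x);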
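diff --git a/src/lib/libcrypto/x509v3/pcy_lib.c b/src/lib/libcrypto/x509v3/pcy_lib.c
deleted file mode 100644
index 93bfd92703..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_lib.c
+++ /dev/null
@@ -1,167 +0,0 @@
-/* pcy_lib.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-
-#include "cryptlib.h"
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-#include "pcy_int.h"
-
-/* accessor functions */
-
-/* X509_POLICY_TREE stuff */
-
-int X509_policy_tree_level_count(const X509_POLICY_TREE *tree)
- {
- if (!tree)
- return 0;
- return tree->nlevel;
- }
-
-X509_POLICY_LEVEL *
- X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i)
- {
- if (!tree || (i < 0) || (i >= tree->nlevel))
- return NULL;
- return tree->levels + i;
- }
-
-STACK_OF(X509_POLICY_NODE) *
- X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree)
- {
- if (!tree)
- return NULL;
- return tree->auth_policies;
- }
-
-STACK_OF(X509_POLICY_NODE) *
- X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree)
- {
- if (!tree)
- return NULL;
- if (tree->flags & POLICY_FLAG_ANY_POLICY)
- return tree->auth_policies;
- else
- return tree->user_policies;
- }
-
-/* X509_POLICY_LEVEL stuff */
-
-int X509_policy_level_node_count(X509_POLICY_LEVEL *level)
- {
- int n;
- if (!level)
- return 0;
- if (level->anyPolicy)
- n = 1;
- else
- n = 0;
- if (level->nodes)
- n += sk_X509_POLICY_NODE_num(level->nodes);
- return n;
- }
-
-X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i)
- {
- if (!level)
- return NULL;
- if (level->anyPolicy)
- {
- if (i == 0)
- return level->anyPolicy;
- i--;
- }
- return sk_X509_POLICY_NODE_value(level->nodes, i);
- }
-
-/* X509_POLICY_NODE stuff */
-
-const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node)
- {
- if (!node)
- return NULL;
- return node->data->valid_policy;
- }
-
-#if 0
-int X509_policy_node_get_critical(const X509_POLICY_NODE *node)
- {
- if (node_critical(node))
- return 1;
- return 0;
- }
-#endif
-
-STACK_OF(POLICYQUALINFO) *
- X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node)
- {
- if (!node)
- return NULL;
- return node->data->qualifier_set;
- }
-
-const X509_POLICY_NODE *
- X509_policy_node_get0_parent(const X509_POLICY_NODE *node)
- {
- if (!node)
- return NULL;
- return node->parent;
- }
-
-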
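diff --git a/src/lib/libcrypto/x509v3/pcy_map.c b/src/lib/libcrypto/x509v3/pcy_map.c
deleted file mode 100644
index 21163b529d..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_map.c
+++ /dev/null
@@ -1,132 +0,0 @@
-/* pcy_map.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include "cryptlib.h"
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-#include "pcy_int.h"
-
-/* Set policy mapping entries in cache.
- * Note: this modifies the passed POLICY_MAPPINGS structure
- */
-
-int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
- {
- POLICY_MAPPING *map;
- X509_POLICY_DATA *data;
- X509_POLICY_CACHE *cache = x->policy_cache;
- int i;
- int ret = 0;
- if (sk_POLICY_MAPPING_num(maps) == 0)
- {
- ret = -1;
- goto bad_mapping;
- }
- for (i = 0; i < sk_POLICY_MAPPING_num(maps); i++)
- {
- map = sk_POLICY_MAPPING_value(maps, i);
- /* Reject if map to or from anyPolicy */
- if ((OBJ_obj2nid(map->subjectDomainPolicy) == NID_any_policy)
- || (OBJ_obj2nid(map->issuerDomainPolicy) == NID_any_policy))
- {
- ret = -1;
- goto bad_mapping;
- }
-
- /* Attempt to find matching policy data */
- data = policy_cache_find_data(cache, map->issuerDomainPolicy);
- /* If we don't have anyPolicy can't map */
- if (!data && !cache->anyPolicy)
- continue;
-
- /* Create a NODE from anyPolicy */
- if (!data)
- {
- data = policy_data_new(NULL, map->issuerDomainPolicy,
- cache->anyPolicy->flags
- & POLICY_DATA_FLAG_CRITICAL);
- if (!data)
- goto bad_mapping;
- data->qualifier_set = cache->anyPolicy->qualifier_set;
- /*map->issuerDomainPolicy = NULL;*/
- data->flags |= POLICY_DATA_FLAG_MAPPED_ANY;
- data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
- if (!sk_X509_POLICY_DATA_push(cache->data, data))
- {
- policy_data_free(data);
- goto bad_mapping;
- }
- }
- else
- data->flags |= POLICY_DATA_FLAG_MAPPED;
- if (!sk_ASN1_OBJECT_push(data->expected_policy_set,
- map->subjectDomainPolicy))
- goto bad_mapping;
- map->subjectDomainPolicy = NULL;
-
- }
-
- ret = 1;
- bad_mapping:
- if (ret == -1)
- x->ex_flags |= EXFLAG_INVALID_POLICY;
- sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
- return ret;
-
- }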
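diff --git a/src/lib/libcrypto/x509v3/pcy_node.c b/src/lib/libcrypto/x509v3/pcy_node.c
deleted file mode 100644
index bd1e7f1ae8..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_node.c
+++ /dev/null
@@ -1,197 +0,0 @@
-/* pcy_node.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <openssl/asn1.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-#include "pcy_int.h"
-
-static int node_cmp(const X509_POLICY_NODE * const *a,
- const X509_POLICY_NODE * const *b)
- {
- return OBJ_cmp((*a)->data->valid_policy, (*b)->data->valid_policy);
- }
-
-STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void)
- {
- return sk_X509_POLICY_NODE_new(node_cmp);
- }
-
-X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *nodes,
- const ASN1_OBJECT *id)
- {
- X509_POLICY_DATA n;
- X509_POLICY_NODE l;
- int idx;
-
- n.valid_policy = (ASN1_OBJECT *)id;
- l.data = &n;
-
- idx = sk_X509_POLICY_NODE_find(nodes, &l);
- if (idx == -1)
- return NULL;
-
- return sk_X509_POLICY_NODE_value(nodes, idx);
-
- }
-
-X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
- const X509_POLICY_NODE *parent,
- const ASN1_OBJECT *id)
- {
- X509_POLICY_NODE *node;
- int i;
- for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++)
- {
- node = sk_X509_POLICY_NODE_value(level->nodes, i);
- if (node->parent == parent)
- {
- if (!OBJ_cmp(node->data->valid_policy, id))
- return node;
- }
- }
- return NULL;
- }
-
-X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
- const X509_POLICY_DATA *data,
- X509_POLICY_NODE *parent,
- X509_POLICY_TREE *tree)
- {
- X509_POLICY_NODE *node;
- node = OPENSSL_malloc(sizeof(X509_POLICY_NODE));
- if (!node)
- return NULL;
- node->data = data;
- node->parent = parent;
- node->nchild = 0;
- if (level)
- {
- if (OBJ_obj2nid(data->valid_policy) == NID_any_policy)
- {
- if (level->anyPolicy)
- goto node_error;
- level->anyPolicy = node;
- }
- else
- {
-
- if (!level->nodes)
- level->nodes = policy_node_cmp_new();
- if (!level->nodes)
- goto node_error;
- if (!sk_X509_POLICY_NODE_push(level->nodes, node))
- goto node_error;
- }
- }
-
- if (tree)
- {
- if (!tree->extra_data)
- tree->extra_data = sk_X509_POLICY_DATA_new_null();
- if (!tree->extra_data)
- goto node_error;
- if (!sk_X509_POLICY_DATA_push(tree->extra_data, data))
- goto node_error;
- }
-
- if (parent)
- parent->nchild++;
-
- return node;
-
- node_error:
- policy_node_free(node);
- return 0;
-
- }
-
-void policy_node_free(X509_POLICY_NODE *node)
- {
- OPENSSL_free(node);
- }
-
-/* See if a policy node matches a policy OID. If mapping enabled look through
- * expected policy set otherwise just valid policy.
- */
-
-int policy_node_match(const X509_POLICY_LEVEL *lvl,
- const X509_POLICY_NODE *node, const ASN1_OBJECT *oid)
- {
- int i;
- ASN1_OBJECT *policy_oid;
- const X509_POLICY_DATA *x = node->data;
-
- if ( (lvl->flags & X509_V_FLAG_INHIBIT_MAP)
- || !(x->flags & POLICY_DATA_FLAG_MAP_MASK))
- {
- if (!OBJ_cmp(x->valid_policy, oid))
- return 1;
- return 0;
- }
-
- for (i = 0; i < sk_ASN1_OBJECT_num(x->expected_policy_set); i++)
- {
- policy_oid = sk_ASN1_OBJECT_value(x->expected_policy_set, i);
- if (!OBJ_cmp(policy_oid, oid))
- return 1;
- }
- return 0;
-
- }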
diff --git a/src/lib/libcrypto/x509v3/pcy_tree.c b/src/lib/libcrypto/x509v3/pcy_tree.c
deleted file mode 100644
index bb9777348f..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_tree.c
+++ /dev/null
@@ -1,872 +0,0 @@
1/* pcy_tree.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include "cryptlib.h"
60#include <openssl/x509.h>
61#include <openssl/x509v3.h>
62
63#include "pcy_int.h"
64
65/* Enable this to print out the complete policy tree at various point during
66 * evaluation.
67 */
68
69/*#define OPENSSL_POLICY_DEBUG*/
70
71#ifdef OPENSSL_POLICY_DEBUG
72
73static void expected_print(BIO *err, X509_POLICY_LEVEL *lev,
74 X509_POLICY_NODE *node, int indent)
75 {
76 if ( (lev->flags & X509_V_FLAG_INHIBIT_MAP)
77 || !(node->data->flags & POLICY_DATA_FLAG_MAP_MASK))
78 BIO_puts(err, " Not Mapped\n");
79 else
80 {
81 int i;
82 STACK_OF(ASN1_OBJECT) *pset = node->data->expected_policy_set;
83 ASN1_OBJECT *oid;
84 BIO_puts(err, " Expected: ");
85 for (i = 0; i < sk_ASN1_OBJECT_num(pset); i++)
86 {
87 oid = sk_ASN1_OBJECT_value(pset, i);
88 if (i)
89 BIO_puts(err, ", ");
90 i2a_ASN1_OBJECT(err, oid);
91 }
92 BIO_puts(err, "\n");
93 }
94 }
95
96static void tree_print(char *str, X509_POLICY_TREE *tree,
97 X509_POLICY_LEVEL *curr)
98 {
99 X509_POLICY_LEVEL *plev;
100 X509_POLICY_NODE *node;
101 int i;
102 BIO *err;
103 err = BIO_new_fp(stderr, BIO_NOCLOSE);
104 if (!curr)
105 curr = tree->levels + tree->nlevel;
106 else
107 curr++;
108 BIO_printf(err, "Level print after %s\n", str);
109 BIO_printf(err, "Printing Up to Level %ld\n", curr - tree->levels);
110 for (plev = tree->levels; plev != curr; plev++)
111 {
112 BIO_printf(err, "Level %ld, flags = %x\n",
113 plev - tree->levels, plev->flags);
114 for (i = 0; i < sk_X509_POLICY_NODE_num(plev->nodes); i++)
115 {
116 node = sk_X509_POLICY_NODE_value(plev->nodes, i);
117 X509_POLICY_NODE_print(err, node, 2);
118 expected_print(err, plev, node, 2);
119 BIO_printf(err, " Flags: %x\n", node->data->flags);
120 }
121 if (plev->anyPolicy)
122 X509_POLICY_NODE_print(err, plev->anyPolicy, 2);
123 }
124
125 BIO_free(err);
126
127 }
128#else
129
130#define tree_print(a,b,c) /* */
131
132#endif
133
134/* Initialize policy tree. Return values:
135 * 0 Some internal error occured.
136 * -1 Inconsistent or invalid extensions in certificates.
137 * 1 Tree initialized OK.
138 * 2 Policy tree is empty.
139 * 5 Tree OK and requireExplicitPolicy true.
140 * 6 Tree empty and requireExplicitPolicy true.
141 */
142
143static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
144 unsigned int flags)
145 {
146 X509_POLICY_TREE *tree;
147 X509_POLICY_LEVEL *level;
148 const X509_POLICY_CACHE *cache;
149 X509_POLICY_DATA *data = NULL;
150 X509 *x;
151 int ret = 1;
152 int i, n;
153 int explicit_policy;
154 int any_skip;
155 int map_skip;
156 *ptree = NULL;
157 n = sk_X509_num(certs);
158
159#if 0
160 /* Disable policy mapping for now... */
161 flags |= X509_V_FLAG_INHIBIT_MAP;
162#endif
163
164 if (flags & X509_V_FLAG_EXPLICIT_POLICY)
165 explicit_policy = 0;
166 else
167 explicit_policy = n + 1;
168
169 if (flags & X509_V_FLAG_INHIBIT_ANY)
170 any_skip = 0;
171 else
172 any_skip = n + 1;
173
174 if (flags & X509_V_FLAG_INHIBIT_MAP)
175 map_skip = 0;
176 else
177 map_skip = n + 1;
178
179 /* Can't do anything with just a trust anchor */
180 if (n == 1)
181 return 1;
182 /* First setup policy cache in all certificates apart from the
183 * trust anchor. Note any bad cache results on the way. Also can
184 * calculate explicit_policy value at this point.
185 */
186 for (i = n - 2; i >= 0; i--)
187 {
188 x = sk_X509_value(certs, i);
189 X509_check_purpose(x, -1, -1);
190 cache = policy_cache_set(x);
191 /* If cache NULL something bad happened: return immediately */
192 if (cache == NULL)
193 return 0;
194 /* If inconsistent extensions keep a note of it but continue */
195 if (x->ex_flags & EXFLAG_INVALID_POLICY)
196 ret = -1;
197 /* Otherwise if we have no data (hence no CertificatePolicies)
198 * and haven't already set an inconsistent code note it.
199 */
200 else if ((ret == 1) && !cache->data)
201 ret = 2;
202 if (explicit_policy > 0)
203 {
204 if (!(x->ex_flags & EXFLAG_SI))
205 explicit_policy--;
206 if ((cache->explicit_skip != -1)
207 && (cache->explicit_skip < explicit_policy))
208 explicit_policy = cache->explicit_skip;
209 }
210 }
211
212 if (ret != 1)
213 {
214 if (ret == 2 && !explicit_policy)
215 return 6;
216 return ret;
217 }
218
219
220 /* If we get this far initialize the tree */
221
222 tree = OPENSSL_malloc(sizeof(X509_POLICY_TREE));
223
224 if (!tree)
225 return 0;
226
227 tree->flags = 0;
228 tree->levels = OPENSSL_malloc(sizeof(X509_POLICY_LEVEL) * n);
229 tree->nlevel = 0;
230 tree->extra_data = NULL;
231 tree->auth_policies = NULL;
232 tree->user_policies = NULL;
233
234 if (!tree->levels)
235 {
236 OPENSSL_free(tree);
237 return 0;
238 }
239
240 memset(tree->levels, 0, n * sizeof(X509_POLICY_LEVEL));
241
242 tree->nlevel = n;
243
244 level = tree->levels;
245
246 /* Root data: initialize to anyPolicy */
247
248 data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0);
249
250 if (!data || !level_add_node(level, data, NULL, tree))
251 goto bad_tree;
252
253 for (i = n - 2; i >= 0; i--)
254 {
255 level++;
256 x = sk_X509_value(certs, i);
257 cache = policy_cache_set(x);
258 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
259 level->cert = x;
260
261 if (!cache->anyPolicy)
262 level->flags |= X509_V_FLAG_INHIBIT_ANY;
263
264 /* Determine inhibit any and inhibit map flags */
265 if (any_skip == 0)
266 {
267 /* Any matching allowed if certificate is self
268 * issued and not the last in the chain.
269 */
270 if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
271 level->flags |= X509_V_FLAG_INHIBIT_ANY;
272 }
273 else
274 {
275 if (!(x->ex_flags & EXFLAG_SI))
276 any_skip--;
277 if ((cache->any_skip >= 0)
278 && (cache->any_skip < any_skip))
279 any_skip = cache->any_skip;
280 }
281
282 if (map_skip == 0)
283 level->flags |= X509_V_FLAG_INHIBIT_MAP;
284 else
285 {
286 if (!(x->ex_flags & EXFLAG_SI))
287 map_skip--;
288 if ((cache->map_skip >= 0)
289 && (cache->map_skip < map_skip))
290 map_skip = cache->map_skip;
291 }
292
293 }
294
295 *ptree = tree;
296
297 if (explicit_policy)
298 return 1;
299 else
300 return 5;
301
302 bad_tree:
303
304 X509_policy_tree_free(tree);
305
306 return 0;
307
308 }
309
310static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
311 const X509_POLICY_DATA *data)
312 {
313 X509_POLICY_LEVEL *last = curr - 1;
314 X509_POLICY_NODE *node;
315 int i, matched = 0;
316 /* Iterate through all in nodes linking matches */
317 for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++)
318 {
319 node = sk_X509_POLICY_NODE_value(last->nodes, i);
320 if (policy_node_match(last, node, data->valid_policy))
321 {
322 if (!level_add_node(curr, data, node, NULL))
323 return 0;
324 matched = 1;
325 }
326 }
327 if (!matched && last->anyPolicy)
328 {
329 if (!level_add_node(curr, data, last->anyPolicy, NULL))
330 return 0;
331 }
332 return 1;
333 }
334
335/* This corresponds to RFC3280 6.1.3(d)(1):
336 * link any data from CertificatePolicies onto matching parent
337 * or anyPolicy if no match.
338 */
339
340static int tree_link_nodes(X509_POLICY_LEVEL *curr,
341 const X509_POLICY_CACHE *cache)
342 {
343 int i;
344 X509_POLICY_DATA *data;
345
346 for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++)
347 {
348 data = sk_X509_POLICY_DATA_value(cache->data, i);
349 /* If a node is mapped any it doesn't have a corresponding
350 * CertificatePolicies entry.
351 * However such an identical node would be created
352 * if anyPolicy matching is enabled because there would be
353 * no match with the parent valid_policy_set. So we create
354 * link because then it will have the mapping flags
355 * right and we can prune it later.
356 */
357#if 0
358 if ((data->flags & POLICY_DATA_FLAG_MAPPED_ANY)
359 && !(curr->flags & X509_V_FLAG_INHIBIT_ANY))
360 continue;
361#endif
362 /* Look for matching nodes in previous level */
363 if (!tree_link_matching_nodes(curr, data))
364 return 0;
365 }
366 return 1;
367 }
368
369/* This corresponds to RFC3280 6.1.3(d)(2):
370 * Create new data for any unmatched policies in the parent and link
371 * to anyPolicy.
372 */
373
374static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
375 const X509_POLICY_CACHE *cache,
376 const ASN1_OBJECT *id,
377 X509_POLICY_NODE *node,
378 X509_POLICY_TREE *tree)
379 {
380 X509_POLICY_DATA *data;
381 if (id == NULL)
382 id = node->data->valid_policy;
383 /* Create a new node with qualifiers from anyPolicy and
384 * id from unmatched node.
385 */
386 data = policy_data_new(NULL, id, node_critical(node));
387
388 if (data == NULL)
389 return 0;
390 /* Curr may not have anyPolicy */
391 data->qualifier_set = cache->anyPolicy->qualifier_set;
392 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
393 if (!level_add_node(curr, data, node, tree))
394 {
395 policy_data_free(data);
396 return 0;
397 }
398
399 return 1;
400 }
401
402static int tree_link_unmatched(X509_POLICY_LEVEL *curr,
403 const X509_POLICY_CACHE *cache,
404 X509_POLICY_NODE *node,
405 X509_POLICY_TREE *tree)
406 {
407 const X509_POLICY_LEVEL *last = curr - 1;
408 int i;
409
410 if ( (last->flags & X509_V_FLAG_INHIBIT_MAP)
411 || !(node->data->flags & POLICY_DATA_FLAG_MAPPED))
412 {
413 /* If no policy mapping: matched if one child present */
414 if (node->nchild)
415 return 1;
416 if (!tree_add_unmatched(curr, cache, NULL, node, tree))
417 return 0;
418 /* Add it */
419 }
420 else
421 {
422 /* If mapping: matched if one child per expected policy set */
423 STACK_OF(ASN1_OBJECT) *expset = node->data->expected_policy_set;
424 if (node->nchild == sk_ASN1_OBJECT_num(expset))
425 return 1;
426 /* Locate unmatched nodes */
427 for (i = 0; i < sk_ASN1_OBJECT_num(expset); i++)
428 {
429 ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(expset, i);
430 if (level_find_node(curr, node, oid))
431 continue;
432 if (!tree_add_unmatched(curr, cache, oid, node, tree))
433 return 0;
434 }
435
436 }
437
438 return 1;
439
440 }
441
442static int tree_link_any(X509_POLICY_LEVEL *curr,
443 const X509_POLICY_CACHE *cache,
444 X509_POLICY_TREE *tree)
445 {
446 int i;
447 /*X509_POLICY_DATA *data;*/
448 X509_POLICY_NODE *node;
449 X509_POLICY_LEVEL *last = curr - 1;
450
451 for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++)
452 {
453 node = sk_X509_POLICY_NODE_value(last->nodes, i);
454
455 if (!tree_link_unmatched(curr, cache, node, tree))
456 return 0;
457
458#if 0
459
460 /* Skip any node with any children: we only want unmathced
461 * nodes.
462 *
463 * Note: need something better for policy mapping
464 * because each node may have multiple children
465 */
466 if (node->nchild)
467 continue;
468
469 /* Create a new node with qualifiers from anyPolicy and
470 * id from unmatched node.
471 */
472 data = policy_data_new(NULL, node->data->valid_policy,
473 node_critical(node));
474
475 if (data == NULL)
476 return 0;
477 /* Curr may not have anyPolicy */
478 data->qualifier_set = cache->anyPolicy->qualifier_set;
479 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
480 if (!level_add_node(curr, data, node, tree))
481 {
482 policy_data_free(data);
483 return 0;
484 }
485
486#endif
487
488 }
489 /* Finally add link to anyPolicy */
490 if (last->anyPolicy)
491 {
492 if (!level_add_node(curr, cache->anyPolicy,
493 last->anyPolicy, NULL))
494 return 0;
495 }
496 return 1;
497 }
498
499/* Prune the tree: delete any child mapped child data on the current level
500 * then proceed up the tree deleting any data with no children. If we ever
501 * have no data on a level we can halt because the tree will be empty.
502 */
503
504static int tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
505 {
506 STACK_OF(X509_POLICY_NODE) *nodes;
507 X509_POLICY_NODE *node;
508 int i;
509 nodes = curr->nodes;
510 if (curr->flags & X509_V_FLAG_INHIBIT_MAP)
511 {
512 for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--)
513 {
514 node = sk_X509_POLICY_NODE_value(nodes, i);
515 /* Delete any mapped data: see RFC3280 XXXX */
516 if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK)
517 {
518 node->parent->nchild--;
519 OPENSSL_free(node);
520 (void)sk_X509_POLICY_NODE_delete(nodes,i);
521 }
522 }
523 }
524
525 for(;;) {
526 --curr;
527 nodes = curr->nodes;
528 for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--)
529 {
530 node = sk_X509_POLICY_NODE_value(nodes, i);
531 if (node->nchild == 0)
532 {
533 node->parent->nchild--;
534 OPENSSL_free(node);
535 (void)sk_X509_POLICY_NODE_delete(nodes, i);
536 }
537 }
538 if (curr->anyPolicy && !curr->anyPolicy->nchild)
539 {
540 if (curr->anyPolicy->parent)
541 curr->anyPolicy->parent->nchild--;
542 OPENSSL_free(curr->anyPolicy);
543 curr->anyPolicy = NULL;
544 }
545 if (curr == tree->levels)
546 {
547 /* If we zapped anyPolicy at top then tree is empty */
548 if (!curr->anyPolicy)
549 return 2;
550 return 1;
551 }
552 }
553
554 return 1;
555
556 }
557
558static int tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes,
559 X509_POLICY_NODE *pcy)
560 {
561 if (!*pnodes)
562 {
563 *pnodes = policy_node_cmp_new();
564 if (!*pnodes)
565 return 0;
566 }
567 else if (sk_X509_POLICY_NODE_find(*pnodes, pcy) != -1)
568 return 1;
569
570 if (!sk_X509_POLICY_NODE_push(*pnodes, pcy))
571 return 0;
572
573 return 1;
574
575 }
576
577/* Calculate the authority set based on policy tree.
578 * The 'pnodes' parameter is used as a store for the set of policy nodes
579 * used to calculate the user set. If the authority set is not anyPolicy
580 * then pnodes will just point to the authority set. If however the authority
581 * set is anyPolicy then the set of valid policies (other than anyPolicy)
582 * is store in pnodes. The return value of '2' is used in this case to indicate
583 * that pnodes should be freed.
584 */
585
586static int tree_calculate_authority_set(X509_POLICY_TREE *tree,
587 STACK_OF(X509_POLICY_NODE) **pnodes)
588 {
589 X509_POLICY_LEVEL *curr;
590 X509_POLICY_NODE *node, *anyptr;
591 STACK_OF(X509_POLICY_NODE) **addnodes;
592 int i, j;
593 curr = tree->levels + tree->nlevel - 1;
594
595 /* If last level contains anyPolicy set is anyPolicy */
596 if (curr->anyPolicy)
597 {
598 if (!tree_add_auth_node(&tree->auth_policies, curr->anyPolicy))
599 return 0;
600 addnodes = pnodes;
601 }
602 else
603 /* Add policies to authority set */
604 addnodes = &tree->auth_policies;
605
606 curr = tree->levels;
607 for (i = 1; i < tree->nlevel; i++)
608 {
609 /* If no anyPolicy node on this this level it can't
610 * appear on lower levels so end search.
611 */
612 if (!(anyptr = curr->anyPolicy))
613 break;
614 curr++;
615 for (j = 0; j < sk_X509_POLICY_NODE_num(curr->nodes); j++)
616 {
617 node = sk_X509_POLICY_NODE_value(curr->nodes, j);
618 if ((node->parent == anyptr)
619 && !tree_add_auth_node(addnodes, node))
620 return 0;
621 }
622 }
623
624 if (addnodes == pnodes)
625 return 2;
626
627 *pnodes = tree->auth_policies;
628
629 return 1;
630 }
631
632static int tree_calculate_user_set(X509_POLICY_TREE *tree,
633 STACK_OF(ASN1_OBJECT) *policy_oids,
634 STACK_OF(X509_POLICY_NODE) *auth_nodes)
635 {
636 int i;
637 X509_POLICY_NODE *node;
638 ASN1_OBJECT *oid;
639
640 X509_POLICY_NODE *anyPolicy;
641 X509_POLICY_DATA *extra;
642
643 /* Check if anyPolicy present in authority constrained policy set:
644 * this will happen if it is a leaf node.
645 */
646
647 if (sk_ASN1_OBJECT_num(policy_oids) <= 0)
648 return 1;
649
650 anyPolicy = tree->levels[tree->nlevel - 1].anyPolicy;
651
652 for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++)
653 {
654 oid = sk_ASN1_OBJECT_value(policy_oids, i);
655 if (OBJ_obj2nid(oid) == NID_any_policy)
656 {
657 tree->flags |= POLICY_FLAG_ANY_POLICY;
658 return 1;
659 }
660 }
661
662 for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++)
663 {
664 oid = sk_ASN1_OBJECT_value(policy_oids, i);
665 node = tree_find_sk(auth_nodes, oid);
666 if (!node)
667 {
668 if (!anyPolicy)
669 continue;
670 /* Create a new node with policy ID from user set
671 * and qualifiers from anyPolicy.
672 */
673 extra = policy_data_new(NULL, oid,
674 node_critical(anyPolicy));
675 if (!extra)
676 return 0;
677 extra->qualifier_set = anyPolicy->data->qualifier_set;
678 extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
679 | POLICY_DATA_FLAG_EXTRA_NODE;
680 node = level_add_node(NULL, extra, anyPolicy->parent,
681 tree);
682 }
683 if (!tree->user_policies)
684 {
685 tree->user_policies = sk_X509_POLICY_NODE_new_null();
686 if (!tree->user_policies)
687 return 1;
688 }
689 if (!sk_X509_POLICY_NODE_push(tree->user_policies, node))
690 return 0;
691 }
692 return 1;
693
694 }
695
696static int tree_evaluate(X509_POLICY_TREE *tree)
697 {
698 int ret, i;
699 X509_POLICY_LEVEL *curr = tree->levels + 1;
700 const X509_POLICY_CACHE *cache;
701
702 for(i = 1; i < tree->nlevel; i++, curr++)
703 {
704 cache = policy_cache_set(curr->cert);
705 if (!tree_link_nodes(curr, cache))
706 return 0;
707
708 if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
709 && !tree_link_any(curr, cache, tree))
710 return 0;
711 tree_print("before tree_prune()", tree, curr);
712 ret = tree_prune(tree, curr);
713 if (ret != 1)
714 return ret;
715 }
716
717 return 1;
718
719 }
720
721static void exnode_free(X509_POLICY_NODE *node)
722 {
723 if (node->data && (node->data->flags & POLICY_DATA_FLAG_EXTRA_NODE))
724 OPENSSL_free(node);
725 }
726
727
728void X509_policy_tree_free(X509_POLICY_TREE *tree)
729 {
730 X509_POLICY_LEVEL *curr;
731 int i;
732
733 if (!tree)
734 return;
735
736 sk_X509_POLICY_NODE_free(tree->auth_policies);
737 sk_X509_POLICY_NODE_pop_free(tree->user_policies, exnode_free);
738
739 for(i = 0, curr = tree->levels; i < tree->nlevel; i++, curr++)
740 {
741 if (curr->cert)
742 X509_free(curr->cert);
743 if (curr->nodes)
744 sk_X509_POLICY_NODE_pop_free(curr->nodes,
745 policy_node_free);
746 if (curr->anyPolicy)
747 policy_node_free(curr->anyPolicy);
748 }
749
750 if (tree->extra_data)
751 sk_X509_POLICY_DATA_pop_free(tree->extra_data,
752 policy_data_free);
753
754 OPENSSL_free(tree->levels);
755 OPENSSL_free(tree);
756
757 }
758
759/* Application policy checking function.
760 * Return codes:
761 * 0 Internal Error.
762 * 1 Successful.
763 * -1 One or more certificates contain invalid or inconsistent extensions
764 * -2 User constrained policy set empty and requireExplicit true.
765 */
766
767int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
768 STACK_OF(X509) *certs,
769 STACK_OF(ASN1_OBJECT) *policy_oids,
770 unsigned int flags)
771 {
772 int ret;
773 X509_POLICY_TREE *tree = NULL;
774 STACK_OF(X509_POLICY_NODE) *nodes, *auth_nodes = NULL;
775 *ptree = NULL;
776
777 *pexplicit_policy = 0;
778 ret = tree_init(&tree, certs, flags);
779
780 switch (ret)
781 {
782
783 /* Tree empty requireExplicit False: OK */
784 case 2:
785 return 1;
786
787 /* Some internal error */
788 case -1:
789 return -1;
790
791 /* Some internal error */
792 case 0:
793 return 0;
794
795 /* Tree empty requireExplicit True: Error */
796
797 case 6:
798 *pexplicit_policy = 1;
799 return -2;
800
801 /* Tree OK requireExplicit True: OK and continue */
802 case 5:
803 *pexplicit_policy = 1;
804 break;
805
806 /* Tree OK: continue */
807
808 case 1:
809 if (!tree)
810 /*
811 * tree_init() returns success and a null tree
812 * if it's just looking at a trust anchor.
813 * I'm not sure that returning success here is
814 * correct, but I'm sure that reporting this
815 * as an internal error which our caller
816 * interprets as a malloc failure is wrong.
817 */
818 return 1;
819 break;
820 }
821
822 if (!tree) goto error;
823 ret = tree_evaluate(tree);
824
825 tree_print("tree_evaluate()", tree, NULL);
826
827 if (ret <= 0)
828 goto error;
829
830 /* Return value 2 means tree empty */
831 if (ret == 2)
832 {
833 X509_policy_tree_free(tree);
834 if (*pexplicit_policy)
835 return -2;
836 else
837 return 1;
838 }
839
840 /* Tree is not empty: continue */
841
842 ret = tree_calculate_authority_set(tree, &auth_nodes);
843
844 if (!ret)
845 goto error;
846
847 if (!tree_calculate_user_set(tree, policy_oids, auth_nodes))
848 goto error;
849
850 if (ret == 2)
851 sk_X509_POLICY_NODE_free(auth_nodes);
852
853 if (tree)
854 *ptree = tree;
855
856 if (*pexplicit_policy)
857 {
858 nodes = X509_policy_tree_get0_user_policies(tree);
859 if (sk_X509_POLICY_NODE_num(nodes) <= 0)
860 return -2;
861 }
862
863 return 1;
864
865 error:
866
867 X509_policy_tree_free(tree);
868
869 return 0;
870
871 }
872
diff --git a/src/lib/libcrypto/x509v3/v3_akey.c b/src/lib/libcrypto/x509v3/v3_akey.c
deleted file mode 100644
index c6b68ee221..0000000000
--- a/src/lib/libcrypto/x509v3/v3_akey.c
+++ /dev/null
@@ -1,208 +0,0 @@
1/* v3_akey.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/conf.h>
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/x509v3.h>
65
66static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
67 AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist);
68static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
69 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
70
71const X509V3_EXT_METHOD v3_akey_id =
72 {
73 NID_authority_key_identifier,
74 X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_KEYID),
75 0,0,0,0,
76 0,0,
77 (X509V3_EXT_I2V)i2v_AUTHORITY_KEYID,
78 (X509V3_EXT_V2I)v2i_AUTHORITY_KEYID,
79 0,0,
80 NULL
81 };
82
83static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
84 AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist)
85{
86 char *tmp;
87 if(akeyid->keyid) {
88 tmp = hex_to_string(akeyid->keyid->data, akeyid->keyid->length);
89 X509V3_add_value("keyid", tmp, &extlist);
90 OPENSSL_free(tmp);
91 }
92 if(akeyid->issuer)
93 extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);
94 if(akeyid->serial) {
95 tmp = hex_to_string(akeyid->serial->data,
96 akeyid->serial->length);
97 X509V3_add_value("serial", tmp, &extlist);
98 OPENSSL_free(tmp);
99 }
100 return extlist;
101}
102
103/* Currently two options:
104 * keyid: use the issuers subject keyid, the value 'always' means its is
105 * an error if the issuer certificate doesn't have a key id.
106 * issuer: use the issuers cert issuer and serial number. The default is
107 * to only use this if keyid is not present. With the option 'always'
108 * this is always included.
109 */
110
111static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
112 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values)
113 {
114 char keyid=0, issuer=0;
115 int i;
116 CONF_VALUE *cnf;
117 ASN1_OCTET_STRING *ikeyid = NULL;
118 X509_NAME *isname = NULL;
119 GENERAL_NAMES * gens = NULL;
120 GENERAL_NAME *gen = NULL;
121 ASN1_INTEGER *serial = NULL;
122 X509_EXTENSION *ext;
123 X509 *cert;
124 AUTHORITY_KEYID *akeyid;
125
126 for(i = 0; i < sk_CONF_VALUE_num(values); i++)
127 {
128 cnf = sk_CONF_VALUE_value(values, i);
129 if(!strcmp(cnf->name, "keyid"))
130 {
131 keyid = 1;
132 if(cnf->value && !strcmp(cnf->value, "always"))
133 keyid = 2;
134 }
135 else if(!strcmp(cnf->name, "issuer"))
136 {
137 issuer = 1;
138 if(cnf->value && !strcmp(cnf->value, "always"))
139 issuer = 2;
140 }
141 else
142 {
143 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNKNOWN_OPTION);
144 ERR_add_error_data(2, "name=", cnf->name);
145 return NULL;
146 }
147 }
148
149 if(!ctx || !ctx->issuer_cert)
150 {
151 if(ctx && (ctx->flags==CTX_TEST))
152 return AUTHORITY_KEYID_new();
153 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_NO_ISSUER_CERTIFICATE);
154 return NULL;
155 }
156
157 cert = ctx->issuer_cert;
158
159 if(keyid)
160 {
161 i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
162 if((i >= 0) && (ext = X509_get_ext(cert, i)))
163 ikeyid = X509V3_EXT_d2i(ext);
164 if(keyid==2 && !ikeyid)
165 {
166 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);
167 return NULL;
168 }
169 }
170
171 if((issuer && !ikeyid) || (issuer == 2))
172 {
173 isname = X509_NAME_dup(X509_get_issuer_name(cert));
174 serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(cert));
175 if(!isname || !serial)
176 {
177 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
178 goto err;
179 }
180 }
181
182 if(!(akeyid = AUTHORITY_KEYID_new())) goto err;
183
184 if(isname)
185 {
186 if(!(gens = sk_GENERAL_NAME_new_null())
187 || !(gen = GENERAL_NAME_new())
188 || !sk_GENERAL_NAME_push(gens, gen))
189 {
190 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,ERR_R_MALLOC_FAILURE);
191 goto err;
192 }
193 gen->type = GEN_DIRNAME;
194 gen->d.dirn = isname;
195 }
196
197 akeyid->issuer = gens;
198 akeyid->serial = serial;
199 akeyid->keyid = ikeyid;
200
201 return akeyid;
202
203 err:
204 X509_NAME_free(isname);
205 M_ASN1_INTEGER_free(serial);
206 M_ASN1_OCTET_STRING_free(ikeyid);
207 return NULL;
208 }
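diff --git a/src/lib/libcrypto/x509v3/v3_akeya.c b/src/lib/libcrypto/x509v3/v3_akeya.c
deleted file mode 100644
index 2c50f7360e..0000000000
--- a/src/lib/libcrypto/x509v3/v3_akeya.c
+++ /dev/null
@@ -1,72 +0,0 @@
-/* v3_akey_asn1.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/conf.h>
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/x509v3.h>
-
-ASN1_SEQUENCE(AUTHORITY_KEYID) = {
- ASN1_IMP_OPT(AUTHORITY_KEYID, keyid, ASN1_OCTET_STRING, 0),
- ASN1_IMP_SEQUENCE_OF_OPT(AUTHORITY_KEYID, issuer, GENERAL_NAME, 1),
- ASN1_IMP_OPT(AUTHORITY_KEYID, serial, ASN1_INTEGER, 2)
-} ASN1_SEQUENCE_END(AUTHORITY_KEYID)
-
-IMPLEMENT_ASN1_FUNCTIONS(AUTHORITY_KEYID)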
diff --git a/src/lib/libcrypto/x509v3/v3_alt.c b/src/lib/libcrypto/x509v3/v3_alt.c
deleted file mode 100644
index 91aefcddc1..0000000000
--- a/src/lib/libcrypto/x509v3/v3_alt.c
+++ /dev/null
@@ -1,614 +0,0 @@
1/* v3_alt.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/conf.h>
62#include <openssl/x509v3.h>
63
64static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
65static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
66static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p);
67static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens);
68static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx);
69static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx);
70
71const X509V3_EXT_METHOD v3_alt[] = {
72{ NID_subject_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
730,0,0,0,
740,0,
75(X509V3_EXT_I2V)i2v_GENERAL_NAMES,
76(X509V3_EXT_V2I)v2i_subject_alt,
77NULL, NULL, NULL},
78
79{ NID_issuer_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
800,0,0,0,
810,0,
82(X509V3_EXT_I2V)i2v_GENERAL_NAMES,
83(X509V3_EXT_V2I)v2i_issuer_alt,
84NULL, NULL, NULL},
85
86{ NID_certificate_issuer, 0, ASN1_ITEM_ref(GENERAL_NAMES),
870,0,0,0,
880,0,
89(X509V3_EXT_I2V)i2v_GENERAL_NAMES,
90NULL, NULL, NULL, NULL},
91};
92
93STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
94 GENERAL_NAMES *gens, STACK_OF(CONF_VALUE) *ret)
95{
96 int i;
97 GENERAL_NAME *gen;
98 for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
99 gen = sk_GENERAL_NAME_value(gens, i);
100 ret = i2v_GENERAL_NAME(method, gen, ret);
101 }
102 if(!ret) return sk_CONF_VALUE_new_null();
103 return ret;
104}
105
106STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
107 GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret)
108{
109 unsigned char *p;
110 char oline[256], htmp[5];
111 int i;
112 switch (gen->type)
113 {
114 case GEN_OTHERNAME:
115 X509V3_add_value("othername","<unsupported>", &ret);
116 break;
117
118 case GEN_X400:
119 X509V3_add_value("X400Name","<unsupported>", &ret);
120 break;
121
122 case GEN_EDIPARTY:
123 X509V3_add_value("EdiPartyName","<unsupported>", &ret);
124 break;
125
126 case GEN_EMAIL:
127 X509V3_add_value_uchar("email",gen->d.ia5->data, &ret);
128 break;
129
130 case GEN_DNS:
131 X509V3_add_value_uchar("DNS",gen->d.ia5->data, &ret);
132 break;
133
134 case GEN_URI:
135 X509V3_add_value_uchar("URI",gen->d.ia5->data, &ret);
136 break;
137
138 case GEN_DIRNAME:
139 X509_NAME_oneline(gen->d.dirn, oline, 256);
140 X509V3_add_value("DirName",oline, &ret);
141 break;
142
143 case GEN_IPADD:
144 p = gen->d.ip->data;
145 if(gen->d.ip->length == 4)
146 BIO_snprintf(oline, sizeof oline,
147 "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
148 else if(gen->d.ip->length == 16)
149 {
150 oline[0] = 0;
151 for (i = 0; i < 8; i++)
152 {
153 BIO_snprintf(htmp, sizeof htmp,
154 "%X", p[0] << 8 | p[1]);
155 p += 2;
156 strlcat(oline, htmp, sizeof(oline));
157 if (i != 7)
158 strlcat(oline, ":", sizeof(oline));
159 }
160 }
161 else
162 {
163 X509V3_add_value("IP Address","<invalid>", &ret);
164 break;
165 }
166 X509V3_add_value("IP Address",oline, &ret);
167 break;
168
169 case GEN_RID:
170 i2t_ASN1_OBJECT(oline, 256, gen->d.rid);
171 X509V3_add_value("Registered ID",oline, &ret);
172 break;
173 }
174 return ret;
175}
176
177int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
178{
179 unsigned char *p;
180 int i;
181 switch (gen->type)
182 {
183 case GEN_OTHERNAME:
184 BIO_printf(out, "othername:<unsupported>");
185 break;
186
187 case GEN_X400:
188 BIO_printf(out, "X400Name:<unsupported>");
189 break;
190
191 case GEN_EDIPARTY:
192 /* Maybe fix this: it is supported now */
193 BIO_printf(out, "EdiPartyName:<unsupported>");
194 break;
195
196 case GEN_EMAIL:
197 BIO_printf(out, "email:%s",gen->d.ia5->data);
198 break;
199
200 case GEN_DNS:
201 BIO_printf(out, "DNS:%s",gen->d.ia5->data);
202 break;
203
204 case GEN_URI:
205 BIO_printf(out, "URI:%s",gen->d.ia5->data);
206 break;
207
208 case GEN_DIRNAME:
209 BIO_printf(out, "DirName: ");
210 X509_NAME_print_ex(out, gen->d.dirn, 0, XN_FLAG_ONELINE);
211 break;
212
213 case GEN_IPADD:
214 p = gen->d.ip->data;
215 if(gen->d.ip->length == 4)
216 BIO_printf(out, "IP Address:%d.%d.%d.%d",
217 p[0], p[1], p[2], p[3]);
218 else if(gen->d.ip->length == 16)
219 {
220 BIO_printf(out, "IP Address");
221 for (i = 0; i < 8; i++)
222 {
223 BIO_printf(out, ":%X", p[0] << 8 | p[1]);
224 p += 2;
225 }
226 BIO_puts(out, "\n");
227 }
228 else
229 {
230 BIO_printf(out,"IP Address:<invalid>");
231 break;
232 }
233 break;
234
235 case GEN_RID:
236 BIO_printf(out, "Registered ID");
237 i2a_ASN1_OBJECT(out, gen->d.rid);
238 break;
239 }
240 return 1;
241}
242
243static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
244 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
245{
246 GENERAL_NAMES *gens = NULL;
247 CONF_VALUE *cnf;
248 int i;
249 if(!(gens = sk_GENERAL_NAME_new_null())) {
250 X509V3err(X509V3_F_V2I_ISSUER_ALT,ERR_R_MALLOC_FAILURE);
251 return NULL;
252 }
253 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
254 cnf = sk_CONF_VALUE_value(nval, i);
255 if(!name_cmp(cnf->name, "issuer") && cnf->value &&
256 !strcmp(cnf->value, "copy")) {
257 if(!copy_issuer(ctx, gens)) goto err;
258 } else {
259 GENERAL_NAME *gen;
260 if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
261 goto err;
262 sk_GENERAL_NAME_push(gens, gen);
263 }
264 }
265 return gens;
266 err:
267 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
268 return NULL;
269}
270
271/* Append subject altname of issuer to issuer alt name of subject */
272
273static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens)
274{
275 GENERAL_NAMES *ialt;
276 GENERAL_NAME *gen;
277 X509_EXTENSION *ext;
278 int i;
279 if(ctx && (ctx->flags == CTX_TEST)) return 1;
280 if(!ctx || !ctx->issuer_cert) {
281 X509V3err(X509V3_F_COPY_ISSUER,X509V3_R_NO_ISSUER_DETAILS);
282 goto err;
283 }
284 i = X509_get_ext_by_NID(ctx->issuer_cert, NID_subject_alt_name, -1);
285 if(i < 0) return 1;
286 if(!(ext = X509_get_ext(ctx->issuer_cert, i)) ||
287 !(ialt = X509V3_EXT_d2i(ext)) ) {
288 X509V3err(X509V3_F_COPY_ISSUER,X509V3_R_ISSUER_DECODE_ERROR);
289 goto err;
290 }
291
292 for(i = 0; i < sk_GENERAL_NAME_num(ialt); i++) {
293 gen = sk_GENERAL_NAME_value(ialt, i);
294 if(!sk_GENERAL_NAME_push(gens, gen)) {
295 X509V3err(X509V3_F_COPY_ISSUER,ERR_R_MALLOC_FAILURE);
296 goto err;
297 }
298 }
299 sk_GENERAL_NAME_free(ialt);
300
301 return 1;
302
303 err:
304 return 0;
305
306}
307
308static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
309 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
310{
311 GENERAL_NAMES *gens = NULL;
312 CONF_VALUE *cnf;
313 int i;
314 if(!(gens = sk_GENERAL_NAME_new_null())) {
315 X509V3err(X509V3_F_V2I_SUBJECT_ALT,ERR_R_MALLOC_FAILURE);
316 return NULL;
317 }
318 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
319 cnf = sk_CONF_VALUE_value(nval, i);
320 if(!name_cmp(cnf->name, "email") && cnf->value &&
321 !strcmp(cnf->value, "copy")) {
322 if(!copy_email(ctx, gens, 0)) goto err;
323 } else if(!name_cmp(cnf->name, "email") && cnf->value &&
324 !strcmp(cnf->value, "move")) {
325 if(!copy_email(ctx, gens, 1)) goto err;
326 } else {
327 GENERAL_NAME *gen;
328 if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
329 goto err;
330 sk_GENERAL_NAME_push(gens, gen);
331 }
332 }
333 return gens;
334 err:
335 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
336 return NULL;
337}
338
339/* Copy any email addresses in a certificate or request to
340 * GENERAL_NAMES
341 */
342
343static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
344{
345 X509_NAME *nm;
346 ASN1_IA5STRING *email = NULL;
347 X509_NAME_ENTRY *ne;
348 GENERAL_NAME *gen = NULL;
349 int i;
350 if(ctx != NULL && ctx->flags == CTX_TEST)
351 return 1;
352 if(!ctx || (!ctx->subject_cert && !ctx->subject_req)) {
353 X509V3err(X509V3_F_COPY_EMAIL,X509V3_R_NO_SUBJECT_DETAILS);
354 goto err;
355 }
356 /* Find the subject name */
357 if(ctx->subject_cert) nm = X509_get_subject_name(ctx->subject_cert);
358 else nm = X509_REQ_get_subject_name(ctx->subject_req);
359
360 /* Now add any email address(es) to STACK */
361 i = -1;
362 while((i = X509_NAME_get_index_by_NID(nm,
363 NID_pkcs9_emailAddress, i)) >= 0) {
364 ne = X509_NAME_get_entry(nm, i);
365 email = M_ASN1_IA5STRING_dup(X509_NAME_ENTRY_get_data(ne));
366 if (move_p)
367 {
368 X509_NAME_delete_entry(nm, i);
369 X509_NAME_ENTRY_free(ne);
370 i--;
371 }
372 if(!email || !(gen = GENERAL_NAME_new())) {
373 X509V3err(X509V3_F_COPY_EMAIL,ERR_R_MALLOC_FAILURE);
374 goto err;
375 }
376 gen->d.ia5 = email;
377 email = NULL;
378 gen->type = GEN_EMAIL;
379 if(!sk_GENERAL_NAME_push(gens, gen)) {
380 X509V3err(X509V3_F_COPY_EMAIL,ERR_R_MALLOC_FAILURE);
381 goto err;
382 }
383 gen = NULL;
384 }
385
386
387 return 1;
388
389 err:
390 GENERAL_NAME_free(gen);
391 M_ASN1_IA5STRING_free(email);
392 return 0;
393
394}
395
396GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
397 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
398{
399 GENERAL_NAME *gen;
400 GENERAL_NAMES *gens = NULL;
401 CONF_VALUE *cnf;
402 int i;
403 if(!(gens = sk_GENERAL_NAME_new_null())) {
404 X509V3err(X509V3_F_V2I_GENERAL_NAMES,ERR_R_MALLOC_FAILURE);
405 return NULL;
406 }
407 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
408 cnf = sk_CONF_VALUE_value(nval, i);
409 if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) goto err;
410 sk_GENERAL_NAME_push(gens, gen);
411 }
412 return gens;
413 err:
414 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
415 return NULL;
416}
417
418GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
419 CONF_VALUE *cnf)
420 {
421 return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0);
422 }
423
424GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
425 const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
426 int gen_type, char *value, int is_nc)
427 {
428 char is_string = 0;
429 GENERAL_NAME *gen = NULL;
430
431 if(!value)
432 {
433 X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_MISSING_VALUE);
434 return NULL;
435 }
436
437 if (out)
438 gen = out;
439 else
440 {
441 gen = GENERAL_NAME_new();
442 if(gen == NULL)
443 {
444 X509V3err(X509V3_F_A2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
445 return NULL;
446 }
447 }
448
449 switch (gen_type)
450 {
451 case GEN_URI:
452 case GEN_EMAIL:
453 case GEN_DNS:
454 is_string = 1;
455 break;
456
457 case GEN_RID:
458 {
459 ASN1_OBJECT *obj;
460 if(!(obj = OBJ_txt2obj(value,0)))
461 {
462 X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_BAD_OBJECT);
463 ERR_add_error_data(2, "value=", value);
464 goto err;
465 }
466 gen->d.rid = obj;
467 }
468 break;
469
470 case GEN_IPADD:
471 if (is_nc)
472 gen->d.ip = a2i_IPADDRESS_NC(value);
473 else
474 gen->d.ip = a2i_IPADDRESS(value);
475 if(gen->d.ip == NULL)
476 {
477 X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_BAD_IP_ADDRESS);
478 ERR_add_error_data(2, "value=", value);
479 goto err;
480 }
481 break;
482
483 case GEN_DIRNAME:
484 if (!do_dirname(gen, value, ctx))
485 {
486 X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_DIRNAME_ERROR);
487 goto err;
488 }
489 break;
490
491 case GEN_OTHERNAME:
492 if (!do_othername(gen, value, ctx))
493 {
494 X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_OTHERNAME_ERROR);
495 goto err;
496 }
497 break;
498 default:
499 X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_UNSUPPORTED_TYPE);
500 goto err;
501 }
502
503 if(is_string)
504 {
505 if(!(gen->d.ia5 = M_ASN1_IA5STRING_new()) ||
506 !ASN1_STRING_set(gen->d.ia5, (unsigned char*)value,
507 strlen(value)))
508 {
509 X509V3err(X509V3_F_A2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
510 goto err;
511 }
512 }
513
514 gen->type = gen_type;
515
516 return gen;
517
518 err:
519 if (!out)
520 GENERAL_NAME_free(gen);
521 return NULL;
522 }
523
524GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
525 const X509V3_EXT_METHOD *method,
526 X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc)
527 {
528 int type;
529
530 char *name, *value;
531
532 name = cnf->name;
533 value = cnf->value;
534
535 if(!value)
536 {
537 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_MISSING_VALUE);
538 return NULL;
539 }
540
541 if(!name_cmp(name, "email"))
542 type = GEN_EMAIL;
543 else if(!name_cmp(name, "URI"))
544 type = GEN_URI;
545 else if(!name_cmp(name, "DNS"))
546 type = GEN_DNS;
547 else if(!name_cmp(name, "RID"))
548 type = GEN_RID;
549 else if(!name_cmp(name, "IP"))
550 type = GEN_IPADD;
551 else if(!name_cmp(name, "dirName"))
552 type = GEN_DIRNAME;
553 else if(!name_cmp(name, "otherName"))
554 type = GEN_OTHERNAME;
555 else
556 {
557 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_UNSUPPORTED_OPTION);
558 ERR_add_error_data(2, "name=", name);
559 return NULL;
560 }
561
562 return a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
563
564 }
565
566static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
567 {
568 char *objtmp = NULL, *p;
569 int objlen;
570 if (!(p = strchr(value, ';')))
571 return 0;
572 if (!(gen->d.otherName = OTHERNAME_new()))
573 return 0;
574 /* Free this up because we will overwrite it.
575 * no need to free type_id because it is static
576 */
577 ASN1_TYPE_free(gen->d.otherName->value);
578 if (!(gen->d.otherName->value = ASN1_generate_v3(p + 1, ctx)))
579 return 0;
580 objlen = p - value;
581 objtmp = OPENSSL_malloc(objlen + 1);
582 strncpy(objtmp, value, objlen);
583 objtmp[objlen] = 0;
584 gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0);
585 OPENSSL_free(objtmp);
586 if (!gen->d.otherName->type_id)
587 return 0;
588 return 1;
589 }
590
591static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
592 {
593 int ret;
594 STACK_OF(CONF_VALUE) *sk;
595 X509_NAME *nm;
596 if (!(nm = X509_NAME_new()))
597 return 0;
598 sk = X509V3_get_section(ctx, value);
599 if (!sk)
600 {
601 X509V3err(X509V3_F_DO_DIRNAME,X509V3_R_SECTION_NOT_FOUND);
602 ERR_add_error_data(2, "section=", value);
603 X509_NAME_free(nm);
604 return 0;
605 }
606 /* FIXME: should allow other character types... */
607 ret = X509V3_NAME_from_section(nm, sk, MBSTRING_ASC);
608 if (!ret)
609 X509_NAME_free(nm);
610 gen->d.dirn = nm;
611 X509V3_section_free(ctx, sk);
612
613 return ret;
614 }
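diff --git a/src/lib/libcrypto/x509v3/v3_bcons.c b/src/lib/libcrypto/x509v3/v3_bcons.c
deleted file mode 100644
index 82aa488f75..0000000000
--- a/src/lib/libcrypto/x509v3/v3_bcons.c
+++ /dev/null
@@ -1,124 +0,0 @@
-/* v3_bcons.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/conf.h>
-#include <openssl/x509v3.h>
-
-static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, BASIC_CONSTRAINTS *bcons, STACK_OF(CONF_VALUE) *extlist);
-static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
-
-const X509V3_EXT_METHOD v3_bcons = {
-NID_basic_constraints, 0,
-ASN1_ITEM_ref(BASIC_CONSTRAINTS),
-0,0,0,0,
-0,0,
-(X509V3_EXT_I2V)i2v_BASIC_CONSTRAINTS,
-(X509V3_EXT_V2I)v2i_BASIC_CONSTRAINTS,
-NULL,NULL,
-NULL
-};
-
-ASN1_SEQUENCE(BASIC_CONSTRAINTS) = {
- ASN1_OPT(BASIC_CONSTRAINTS, ca, ASN1_FBOOLEAN),
- ASN1_OPT(BASIC_CONSTRAINTS, pathlen, ASN1_INTEGER)
-} ASN1_SEQUENCE_END(BASIC_CONSTRAINTS)
-
-IMPLEMENT_ASN1_FUNCTIONS(BASIC_CONSTRAINTS)
-
-
-static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
- BASIC_CONSTRAINTS *bcons, STACK_OF(CONF_VALUE) *extlist)
-{
- X509V3_add_value_bool("CA", bcons->ca, &extlist);
- X509V3_add_value_int("pathlen", bcons->pathlen, &extlist);
- return extlist;
-}
-
-static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values)
-{
- BASIC_CONSTRAINTS *bcons=NULL;
- CONF_VALUE *val;
- int i;
- if(!(bcons = BASIC_CONSTRAINTS_new())) {
- X509V3err(X509V3_F_V2I_BASIC_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
- return NULL;
- }
- for(i = 0; i < sk_CONF_VALUE_num(values); i++) {
- val = sk_CONF_VALUE_value(values, i);
- if(!strcmp(val->name, "CA")) {
- if(!X509V3_get_value_bool(val, &bcons->ca)) goto err;
- } else if(!strcmp(val->name, "pathlen")) {
- if(!X509V3_get_value_int(val, &bcons->pathlen)) goto err;
- } else {
- X509V3err(X509V3_F_V2I_BASIC_CONSTRAINTS, X509V3_R_INVALID_NAME);
- X509V3_conf_err(val);
- goto err;
- }
- }
- return bcons;
- err:
- BASIC_CONSTRAINTS_free(bcons);
- return NULL;
-}
-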
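diff --git a/src/lib/libcrypto/x509v3/v3_bitst.c b/src/lib/libcrypto/x509v3/v3_bitst.c
deleted file mode 100644
index 058d0d4dce..0000000000
--- a/src/lib/libcrypto/x509v3/v3_bitst.c
+++ /dev/null
@@ -1,141 +0,0 @@
-/* v3_bitst.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/conf.h>
-#include <openssl/x509v3.h>
-
-static BIT_STRING_BITNAME ns_cert_type_table[] = {
-{0, "SSL Client", "client"},
-{1, "SSL Server", "server"},
-{2, "S/MIME", "email"},
-{3, "Object Signing", "objsign"},
-{4, "Unused", "reserved"},
-{5, "SSL CA", "sslCA"},
-{6, "S/MIME CA", "emailCA"},
-{7, "Object Signing CA", "objCA"},
-{-1, NULL, NULL}
-};
-
-static BIT_STRING_BITNAME key_usage_type_table[] = {
-{0, "Digital Signature", "digitalSignature"},
-{1, "Non Repudiation", "nonRepudiation"},
-{2, "Key Encipherment", "keyEncipherment"},
-{3, "Data Encipherment", "dataEncipherment"},
-{4, "Key Agreement", "keyAgreement"},
-{5, "Certificate Sign", "keyCertSign"},
-{6, "CRL Sign", "cRLSign"},
-{7, "Encipher Only", "encipherOnly"},
-{8, "Decipher Only", "decipherOnly"},
-{-1, NULL, NULL}
-};
-
-
-
-const X509V3_EXT_METHOD v3_nscert = EXT_BITSTRING(NID_netscape_cert_type, ns_cert_type_table);
-const X509V3_EXT_METHOD v3_key_usage = EXT_BITSTRING(NID_key_usage, key_usage_type_table);
-
-STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
- ASN1_BIT_STRING *bits, STACK_OF(CONF_VALUE) *ret)
-{
- BIT_STRING_BITNAME *bnam;
- for(bnam =method->usr_data; bnam->lname; bnam++) {
- if(ASN1_BIT_STRING_get_bit(bits, bnam->bitnum))
- X509V3_add_value(bnam->lname, NULL, &ret);
- }
- return ret;
-}
-
-ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
-{
- CONF_VALUE *val;
- ASN1_BIT_STRING *bs;
- int i;
- BIT_STRING_BITNAME *bnam;
- if(!(bs = M_ASN1_BIT_STRING_new())) {
- X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,ERR_R_MALLOC_FAILURE);
- return NULL;
- }
- for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
- val = sk_CONF_VALUE_value(nval, i);
- for(bnam = method->usr_data; bnam->lname; bnam++) {
- if(!strcmp(bnam->sname, val->name) ||
- !strcmp(bnam->lname, val->name) ) {
- if(!ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1)) {
- X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,
- ERR_R_MALLOC_FAILURE);
- M_ASN1_BIT_STRING_free(bs);
- return NULL;
- }
- break;
- }
- }
- if(!bnam->lname) {
- X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,
- X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT);
- X509V3_conf_err(val);
- M_ASN1_BIT_STRING_free(bs);
- return NULL;
- }
- }
- return bs;
-}
-
-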
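diff --git a/src/lib/libcrypto/x509v3/v3_conf.c b/src/lib/libcrypto/x509v3/v3_conf.c
deleted file mode 100644
index 6730f9a6ee..0000000000
--- a/src/lib/libcrypto/x509v3/v3_conf.c
+++ /dev/null
@@ -1,525 +0,0 @@
-/* v3_conf.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* extension creation utilities */
-
-
-
-#include <stdio.h>
-#include <ctype.h>
-#include "cryptlib.h"
-#include <openssl/conf.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-static int v3_check_critical(char **value);
-static int v3_check_generic(char **value);
-static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, int crit, char *value);
-static X509_EXTENSION *v3_generic_extension(const char *ext, char *value, int crit, int type, X509V3_CTX *ctx);
-static char *conf_lhash_get_string(void *db, char *section, char *value);
-static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section);
-static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,
- int crit, void *ext_struc);
-static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len);
-/* CONF *conf: Config file */
-/* char *name: Name */
-/* char *value: Value */
-X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name,
- char *value)
- {
- int crit;
- int ext_type;
- X509_EXTENSION *ret;
- crit = v3_check_critical(&value);
- if ((ext_type = v3_check_generic(&value)))
- return v3_generic_extension(name, value, crit, ext_type, ctx);
- ret = do_ext_nconf(conf, ctx, OBJ_sn2nid(name), crit, value);
- if (!ret)
- {
- X509V3err(X509V3_F_X509V3_EXT_NCONF,X509V3_R_ERROR_IN_EXTENSION);
- ERR_add_error_data(4,"name=", name, ", value=", value);
- }
- return ret;
- }
-
-/* CONF *conf: Config file */
-/* char *value: Value */
-X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
- char *value)
- {
- int crit;
- int ext_type;
- crit = v3_check_critical(&value);
- if ((ext_type = v3_check_generic(&value)))
- return v3_generic_extension(OBJ_nid2sn(ext_nid),
- value, crit, ext_type, ctx);
- return do_ext_nconf(conf, ctx, ext_nid, crit, value);
- }
-
-/* CONF *conf: Config file */
-/* char *value: Value */
-static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
- int crit, char *value)
- {
- const X509V3_EXT_METHOD *method;
- X509_EXTENSION *ext;
- STACK_OF(CONF_VALUE) *nval;
- void *ext_struc;
- if (ext_nid == NID_undef)
- {
- X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_UNKNOWN_EXTENSION_NAME);
- return NULL;
- }
- if (!(method = X509V3_EXT_get_nid(ext_nid)))
- {
- X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_UNKNOWN_EXTENSION);
- return NULL;
- }
- /* Now get internal extension representation based on type */
- if (method->v2i)
- {
- if(*value == '@') nval = NCONF_get_section(conf, value + 1);
- else nval = X509V3_parse_list(value);
- if(sk_CONF_VALUE_num(nval) <= 0)
- {
- X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_INVALID_EXTENSION_STRING);
- ERR_add_error_data(4, "name=", OBJ_nid2sn(ext_nid), ",section=", value);
- return NULL;
- }
- ext_struc = method->v2i(method, ctx, nval);
- if(*value != '@') sk_CONF_VALUE_pop_free(nval,
- X509V3_conf_free);
- if(!ext_struc) return NULL;
- }
- else if(method->s2i)
- {
- if(!(ext_struc = method->s2i(method, ctx, value))) return NULL;
- }
- else if(method->r2i)
- {
- if(!ctx->db || !ctx->db_meth)
- {
- X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_NO_CONFIG_DATABASE);
- return NULL;
- }
- if(!(ext_struc = method->r2i(method, ctx, value))) return NULL;
- }
- else
- {
- X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED);
- ERR_add_error_data(2, "name=", OBJ_nid2sn(ext_nid));
- return NULL;
- }
-
- ext = do_ext_i2d(method, ext_nid, crit, ext_struc);
- if(method->it) ASN1_item_free(ext_struc, ASN1_ITEM_ptr(method->it));
- else method->ext_free(ext_struc);
- return ext;
-
- }
-
-static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,
- int crit, void *ext_struc)
- {
- unsigned char *ext_der;
- int ext_len;
- ASN1_OCTET_STRING *ext_oct;
- X509_EXTENSION *ext;
- /* Convert internal representation to DER */
- if (method->it)
- {
- ext_der = NULL;
- ext_len = ASN1_item_i2d(ext_struc, &ext_der, ASN1_ITEM_ptr(method->it));
- if (ext_len < 0) goto merr;
- }
- else
- {
- unsigned char *p;
- ext_len = method->i2d(ext_struc, NULL);
- if(!(ext_der = OPENSSL_malloc(ext_len))) goto merr;
- p = ext_der;
- method->i2d(ext_struc, &p);
- }
- if (!(ext_oct = M_ASN1_OCTET_STRING_new())) goto merr;
- ext_oct->data = ext_der;
- ext_oct->length = ext_len;
-
- ext = X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct);
- if (!ext) goto merr;
- M_ASN1_OCTET_STRING_free(ext_oct);
-
- return ext;
-
- merr:
- X509V3err(X509V3_F_DO_EXT_I2D,ERR_R_MALLOC_FAILURE);
- return NULL;
-
- }
-
-/* Given an internal structure, nid and critical flag create an extension */
-
-X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc)
- {
- const X509V3_EXT_METHOD *method;
- if (!(method = X509V3_EXT_get_nid(ext_nid))) {
- X509V3err(X509V3_F_X509V3_EXT_I2D,X509V3_R_UNKNOWN_EXTENSION);
- return NULL;
- }
- return do_ext_i2d(method, ext_nid, crit, ext_struc);
-}
-
-/* Check the extension string for critical flag */
-static int v3_check_critical(char **value)
-{
- char *p = *value;
- if ((strlen(p) < 9) || strncmp(p, "critical,", 9)) return 0;
- p+=9;
- while(isspace((unsigned char)*p)) p++;
- *value = p;
- return 1;
-}
-
-/* Check extension string for generic extension and return the type */
-static int v3_check_generic(char **value)
-{
- int gen_type = 0;
- char *p = *value;
- if ((strlen(p) >= 4) && !strncmp(p, "DER:", 4))
- {
- p+=4;
- gen_type = 1;
- }
- else if ((strlen(p) >= 5) && !strncmp(p, "ASN1:", 5))
- {
- p+=5;
- gen_type = 2;
- }
- else
- return 0;
-
- while (isspace((unsigned char)*p)) p++;
- *value = p;
- return gen_type;
-}
-
-/* Create a generic extension: for now just handle DER type */
-static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
- int crit, int gen_type,
- X509V3_CTX *ctx)
- {
- unsigned char *ext_der=NULL;
- long ext_len;
- ASN1_OBJECT *obj=NULL;
- ASN1_OCTET_STRING *oct=NULL;
- X509_EXTENSION *extension=NULL;
- if (!(obj = OBJ_txt2obj(ext, 0)))
- {
- X509V3err(X509V3_F_V3_GENERIC_EXTENSION,X509V3_R_EXTENSION_NAME_ERROR);
- ERR_add_error_data(2, "name=", ext);
- goto err;
- }
-
- if (gen_type == 1)
- ext_der = string_to_hex(value, &ext_len);
- else if (gen_type == 2)
- ext_der = generic_asn1(value, ctx, &ext_len);
-
- if (ext_der == NULL)
- {
- X509V3err(X509V3_F_V3_GENERIC_EXTENSION,X509V3_R_EXTENSION_VALUE_ERROR);
- ERR_add_error_data(2, "value=", value);
- goto err;
- }
-
- if (!(oct = M_ASN1_OCTET_STRING_new()))
- {
- X509V3err(X509V3_F_V3_GENERIC_EXTENSION,ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- oct->data = ext_der;
- oct->length = ext_len;
- ext_der = NULL;
-
- extension = X509_EXTENSION_create_by_OBJ(NULL, obj, crit, oct);
-
- err:
- ASN1_OBJECT_free(obj);
- M_ASN1_OCTET_STRING_free(oct);
- if(ext_der) OPENSSL_free(ext_der);
- return extension;
-
- }
-
-static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len)
- {
- ASN1_TYPE *typ;
- unsigned char *ext_der = NULL;
- typ = ASN1_generate_v3(value, ctx);
- if (typ == NULL)
- return NULL;
- *ext_len = i2d_ASN1_TYPE(typ, &ext_der);
- ASN1_TYPE_free(typ);
- return ext_der;
- }
-
-/* This is the main function: add a bunch of extensions based on a config file
- * section to an extension STACK.
- */
-
-
-int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section,
- STACK_OF(X509_EXTENSION) **sk)
- {
- X509_EXTENSION *ext;
- STACK_OF(CONF_VALUE) *nval;
- CONF_VALUE *val;
- int i;
- if (!(nval = NCONF_get_section(conf, section))) return 0;
- for (i = 0; i < sk_CONF_VALUE_num(nval); i++)
- {
- val = sk_CONF_VALUE_value(nval, i);
- if (!(ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value)))
- return 0;
- if (sk) X509v3_add_ext(sk, ext, -1);
- X509_EXTENSION_free(ext);
- }
- return 1;
- }
-
-/* Convenience functions to add extensions to a certificate, CRL and request */
-
-int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
- X509 *cert)
- {
- STACK_OF(X509_EXTENSION) **sk = NULL;
- if (cert)
- sk = &cert->cert_info->extensions;
- return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
- }
-
-/* Same as above but for a CRL */
-
-int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
- X509_CRL *crl)
- {
- STACK_OF(X509_EXTENSION) **sk = NULL;
- if (crl)
- sk = &crl->crl->extensions;
- return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
- }
-
-/* Add extensions to certificate request */
-
-int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
- X509_REQ *req)
- {
- STACK_OF(X509_EXTENSION) *extlist = NULL, **sk = NULL;
- int i;
- if (req)
- sk = &extlist;
- i = X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
- if (!i || !sk)
- return i;
- i = X509_REQ_add_extensions(req, extlist);
- sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free);
- return i;
- }
-
-/* Config database functions */
-
-char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section)
- {
- if(!ctx->db || !ctx->db_meth || !ctx->db_meth->get_string)
- {
- X509V3err(X509V3_F_X509V3_GET_STRING,X509V3_R_OPERATION_NOT_DEFINED);
- return NULL;
- }
- if (ctx->db_meth->get_string)
- return ctx->db_meth->get_string(ctx->db, name, section);
- return NULL;
- }
-
-STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section)
- {
- if(!ctx->db || !ctx->db_meth || !ctx->db_meth->get_section)
- {
- X509V3err(X509V3_F_X509V3_GET_SECTION,X509V3_R_OPERATION_NOT_DEFINED);
- return NULL;
- }
- if (ctx->db_meth->get_section)
- return ctx->db_meth->get_section(ctx->db, section);
- return NULL;
- }
-
-void X509V3_string_free(X509V3_CTX *ctx, char *str)
- {
- if (!str) return;
- if (ctx->db_meth->free_string)
- ctx->db_meth->free_string(ctx->db, str);
- }
-
-void X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section)
- {
- if (!section) return;
- if (ctx->db_meth->free_section)
- ctx->db_meth->free_section(ctx->db, section);
- }
-
-static char *nconf_get_string(void *db, char *section, char *value)
- {
- return NCONF_get_string(db, section, value);
- }
-
-static STACK_OF(CONF_VALUE) *nconf_get_section(void *db, char *section)
- {
- return NCONF_get_section(db, section);
- }
-
-static X509V3_CONF_METHOD nconf_method = {
-nconf_get_string,
-nconf_get_section,
-NULL,
-NULL
-};
-
-void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf)
- {
- ctx->db_meth = &nconf_method;
- ctx->db = conf;
- }
-
-void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
- X509_CRL *crl, int flags)
- {
- ctx->issuer_cert = issuer;
- ctx->subject_cert = subj;
- ctx->crl = crl;
- ctx->subject_req = req;
- ctx->flags = flags;
- }
-
-/* Old conf compatibility functions */
-
-X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
- char *name, char *value)
- {
- CONF ctmp;
- CONF_set_nconf(&ctmp, conf);
- return X509V3_EXT_nconf(&ctmp, ctx, name, value);
- }
-
-/* LHASH *conf: Config file */
-/* char *value: Value */
-X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
- int ext_nid, char *value)
- {
- CONF ctmp;
- CONF_set_nconf(&ctmp, conf);
- return X509V3_EXT_nconf_nid(&ctmp, ctx, ext_nid, value);
- }
-
-static char *conf_lhash_get_string(void *db, char *section, char *value)
- {
- return CONF_get_string(db, section, value);
- }
-
-static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section)
- {
- return CONF_get_section(db, section);
- }
-
-static X509V3_CONF_METHOD conf_lhash_method = {
-conf_lhash_get_string,
-conf_lhash_get_section,
-NULL,
-NULL
-};
-
-void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash)
- {
- ctx->db_meth = &conf_lhash_method;
- ctx->db = lhash;
- }
-
-int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
- char *section, X509 *cert)
- {
- CONF ctmp;
- CONF_set_nconf(&ctmp, conf);
- return X509V3_EXT_add_nconf(&ctmp, ctx, section, cert);
- }
-
-/* Same as above but for a CRL */
-
-int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
- char *section, X509_CRL *crl)
- {
- CONF ctmp;
- CONF_set_nconf(&ctmp, conf);
- return X509V3_EXT_CRL_add_nconf(&ctmp, ctx, section, crl);
- }
-
-/* Add extensions to certificate request */
-
-int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
- char *section, X509_REQ *req)
- {
- CONF ctmp;
- CONF_set_nconf(&ctmp, conf);
- return X509V3_EXT_REQ_add_nconf(&ctmp, ctx, section, req);
- }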
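diff --git a/src/lib/libcrypto/x509v3/v3_cpols.c b/src/lib/libcrypto/x509v3/v3_cpols.c
deleted file mode 100644
index 1f0798b946..0000000000
--- a/src/lib/libcrypto/x509v3/v3_cpols.c
+++ /dev/null
@@ -1,457 +0,0 @@
-/* v3_cpols.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/conf.h>
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/x509v3.h>
-
-#include "pcy_int.h"
-
-/* Certificate policies extension support: this one is a bit complex... */
-
-static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol, BIO *out, int indent);
-static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value);
-static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals, int indent);
-static void print_notice(BIO *out, USERNOTICE *notice, int indent);
-static POLICYINFO *policy_section(X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *polstrs, int ia5org);
-static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *unot, int ia5org);
-static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos);
-
-const X509V3_EXT_METHOD v3_cpols = {
-NID_certificate_policies, 0,ASN1_ITEM_ref(CERTIFICATEPOLICIES),
-0,0,0,0,
-0,0,
-0,0,
-(X509V3_EXT_I2R)i2r_certpol,
-(X509V3_EXT_R2I)r2i_certpol,
-NULL
-};
-
-ASN1_ITEM_TEMPLATE(CERTIFICATEPOLICIES) =
- ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CERTIFICATEPOLICIES, POLICYINFO)
-ASN1_ITEM_TEMPLATE_END(CERTIFICATEPOLICIES)
-
-IMPLEMENT_ASN1_FUNCTIONS(CERTIFICATEPOLICIES)
-
-ASN1_SEQUENCE(POLICYINFO) = {
- ASN1_SIMPLE(POLICYINFO, policyid, ASN1_OBJECT),
- ASN1_SEQUENCE_OF_OPT(POLICYINFO, qualifiers, POLICYQUALINFO)
-} ASN1_SEQUENCE_END(POLICYINFO)
-
-IMPLEMENT_ASN1_FUNCTIONS(POLICYINFO)
-
-ASN1_ADB_TEMPLATE(policydefault) = ASN1_SIMPLE(POLICYQUALINFO, d.other, ASN1_ANY);
-
-ASN1_ADB(POLICYQUALINFO) = {
- ADB_ENTRY(NID_id_qt_cps, ASN1_SIMPLE(POLICYQUALINFO, d.cpsuri, ASN1_IA5STRING)),
- ADB_ENTRY(NID_id_qt_unotice, ASN1_SIMPLE(POLICYQUALINFO, d.usernotice, USERNOTICE))
-} ASN1_ADB_END(POLICYQUALINFO, 0, pqualid, 0, &policydefault_tt, NULL);
-
-ASN1_SEQUENCE(POLICYQUALINFO) = {
- ASN1_SIMPLE(POLICYQUALINFO, pqualid, ASN1_OBJECT),
- ASN1_ADB_OBJECT(POLICYQUALINFO)
-} ASN1_SEQUENCE_END(POLICYQUALINFO)
-
-IMPLEMENT_ASN1_FUNCTIONS(POLICYQUALINFO)
-
-ASN1_SEQUENCE(USERNOTICE) = {
- ASN1_OPT(USERNOTICE, noticeref, NOTICEREF),
- ASN1_OPT(USERNOTICE, exptext, DISPLAYTEXT)
-} ASN1_SEQUENCE_END(USERNOTICE)
-
-IMPLEMENT_ASN1_FUNCTIONS(USERNOTICE)
-
-ASN1_SEQUENCE(NOTICEREF) = {
- ASN1_SIMPLE(NOTICEREF, organization, DISPLAYTEXT),
- ASN1_SEQUENCE_OF(NOTICEREF, noticenos, ASN1_INTEGER)
-} ASN1_SEQUENCE_END(NOTICEREF)
-
-IMPLEMENT_ASN1_FUNCTIONS(NOTICEREF)
-
-static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, char *value)
-{
- STACK_OF(POLICYINFO) *pols = NULL;
- char *pstr;
- POLICYINFO *pol;
- ASN1_OBJECT *pobj;
- STACK_OF(CONF_VALUE) *vals;
- CONF_VALUE *cnf;
- int i, ia5org;
- pols = sk_POLICYINFO_new_null();
- if (pols == NULL) {
- X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
- return NULL;
- }
- vals = X509V3_parse_list(value);
- if (vals == NULL) {
- X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_X509V3_LIB);
- goto err;
- }
- ia5org = 0;
- for(i = 0; i < sk_CONF_VALUE_num(vals); i++) {
- cnf = sk_CONF_VALUE_value(vals, i);
- if(cnf->value || !cnf->name ) {
- X509V3err(X509V3_F_R2I_CERTPOL,X509V3_R_INVALID_POLICY_IDENTIFIER);
- X509V3_conf_err(cnf);
- goto err;
- }
- pstr = cnf->name;
- if(!strcmp(pstr,"ia5org")) {
- ia5org = 1;
- continue;
- } else if(*pstr == '@') {
- STACK_OF(CONF_VALUE) *polsect;
- polsect = X509V3_get_section(ctx, pstr + 1);
- if(!polsect) {
- X509V3err(X509V3_F_R2I_CERTPOL,X509V3_R_INVALID_SECTION);
-
- X509V3_conf_err(cnf);
- goto err;
- }
- pol = policy_section(ctx, polsect, ia5org);
- X509V3_section_free(ctx, polsect);
- if(!pol) goto err;
- } else {
- if(!(pobj = OBJ_txt2obj(cnf->name, 0))) {
- X509V3err(X509V3_F_R2I_CERTPOL,X509V3_R_INVALID_OBJECT_IDENTIFIER);
- X509V3_conf_err(cnf);
- goto err;
- }
- pol = POLICYINFO_new();
- pol->policyid = pobj;
- }
- if (!sk_POLICYINFO_push(pols, pol)){
- POLICYINFO_free(pol);
- X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- }
- sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
- return pols;
- err:
- sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
- sk_POLICYINFO_pop_free(pols, POLICYINFO_free);
- return NULL;
-}
-
-static POLICYINFO *policy_section(X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *polstrs, int ia5org)
-{
- int i;
- CONF_VALUE *cnf;
- POLICYINFO *pol;
- POLICYQUALINFO *qual;
- if(!(pol = POLICYINFO_new())) goto merr;
- for(i = 0; i < sk_CONF_VALUE_num(polstrs); i++) {
- cnf = sk_CONF_VALUE_value(polstrs, i);
- if(!strcmp(cnf->name, "policyIdentifier")) {
- ASN1_OBJECT *pobj;
- if(!(pobj = OBJ_txt2obj(cnf->value, 0))) {
- X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_INVALID_OBJECT_IDENTIFIER);
- X509V3_conf_err(cnf);
- goto err;
- }
- pol->policyid = pobj;
-
- } else if(!name_cmp(cnf->name, "CPS")) {
- if(!pol->qualifiers) pol->qualifiers =
- sk_POLICYQUALINFO_new_null();
- if(!(qual = POLICYQUALINFO_new())) goto merr;
- if(!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
- goto merr;
- qual->pqualid = OBJ_nid2obj(NID_id_qt_cps);
- qual->d.cpsuri = M_ASN1_IA5STRING_new();
- if(!ASN1_STRING_set(qual->d.cpsuri, cnf->value,
- strlen(cnf->value))) goto merr;
- } else if(!name_cmp(cnf->name, "userNotice")) {
- STACK_OF(CONF_VALUE) *unot;
- if(*cnf->value != '@') {
- X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_EXPECTED_A_SECTION_NAME);
- X509V3_conf_err(cnf);
- goto err;
- }
- unot = X509V3_get_section(ctx, cnf->value + 1);
- if(!unot) {
- X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_INVALID_SECTION);
-
- X509V3_conf_err(cnf);
- goto err;
- }
- qual = notice_section(ctx, unot, ia5org);
- X509V3_section_free(ctx, unot);
- if(!qual) goto err;
- if(!pol->qualifiers) pol->qualifiers =
- sk_POLICYQUALINFO_new_null();
- if(!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
- goto merr;
- } else {
- X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_INVALID_OPTION);
-
- X509V3_conf_err(cnf);
- goto err;
- }
- }
- if(!pol->policyid) {
- X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_NO_POLICY_IDENTIFIER);
- goto err;
- }
-
- return pol;
-
- merr:
- X509V3err(X509V3_F_POLICY_SECTION,ERR_R_MALLOC_FAILURE);
-
- err:
- POLICYINFO_free(pol);
- return NULL;
-
-
-}
-
-static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *unot, int ia5org)
-{
- int i, ret;
- CONF_VALUE *cnf;
- USERNOTICE *not;
- POLICYQUALINFO *qual;
- if(!(qual = POLICYQUALINFO_new())) goto merr;
- qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice);
- if(!(not = USERNOTICE_new())) goto merr;
- qual->d.usernotice = not;
- for(i = 0; i < sk_CONF_VALUE_num(unot); i++) {
- cnf = sk_CONF_VALUE_value(unot, i);
- if(!strcmp(cnf->name, "explicitText")) {
- not->exptext = M_ASN1_VISIBLESTRING_new();
- if(!ASN1_STRING_set(not->exptext, cnf->value,
- strlen(cnf->value))) goto merr;
- } else if(!strcmp(cnf->name, "organization")) {
- NOTICEREF *nref;
- if(!not->noticeref) {
- if(!(nref = NOTICEREF_new())) goto merr;
- not->noticeref = nref;
- } else nref = not->noticeref;
- if(ia5org) nref->organization->type = V_ASN1_IA5STRING;
- else nref->organization->type = V_ASN1_VISIBLESTRING;
- if(!ASN1_STRING_set(nref->organization, cnf->value,
- strlen(cnf->value))) goto merr;
- } else if(!strcmp(cnf->name, "noticeNumbers")) {
- NOTICEREF *nref;
- STACK_OF(CONF_VALUE) *nos;
- if(!not->noticeref) {
- if(!(nref = NOTICEREF_new())) goto merr;
- not->noticeref = nref;
- } else nref = not->noticeref;
- nos = X509V3_parse_list(cnf->value);
- if(!nos || !sk_CONF_VALUE_num(nos)) {
- X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_INVALID_NUMBERS);
- X509V3_conf_err(cnf);
- goto err;
- }
- ret = nref_nos(nref->noticenos, nos);
- sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
- if (!ret)
- goto err;
- } else {
- X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_INVALID_OPTION);
- X509V3_conf_err(cnf);
- goto err;
- }
- }
-
- if(not->noticeref &&
- (!not->noticeref->noticenos || !not->noticeref->organization)) {
- X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_NEED_ORGANIZATION_AND_NUMBERS);
- goto err;
- }
-
- return qual;
-
- merr:
- X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE);
-
- err:
- POLICYQUALINFO_free(qual);
- return NULL;
-}
-
-static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos)
-{
- CONF_VALUE *cnf;
- ASN1_INTEGER *aint;
-
- int i;
-
- for(i = 0; i < sk_CONF_VALUE_num(nos); i++) {
- cnf = sk_CONF_VALUE_value(nos, i);
- if(!(aint = s2i_ASN1_INTEGER(NULL, cnf->name))) {
- X509V3err(X509V3_F_NREF_NOS,X509V3_R_INVALID_NUMBER);
- goto err;
- }
- if(!sk_ASN1_INTEGER_push(nnums, aint)) goto merr;
- }
- return 1;
-
- merr:
- X509V3err(X509V3_F_NREF_NOS,ERR_R_MALLOC_FAILURE);
-
- err:
- sk_ASN1_INTEGER_pop_free(nnums, ASN1_STRING_free);
- return 0;
-}
-
-
-static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol,
- BIO *out, int indent)
-{
- int i;
- POLICYINFO *pinfo;
- /* First print out the policy OIDs */
- for(i = 0; i < sk_POLICYINFO_num(pol); i++) {
- pinfo = sk_POLICYINFO_value(pol, i);
- BIO_printf(out, "%*sPolicy: ", indent, "");
- i2a_ASN1_OBJECT(out, pinfo->policyid);
- BIO_puts(out, "\n");
- if(pinfo->qualifiers)
- print_qualifiers(out, pinfo->qualifiers, indent + 2);
- }
- return 1;
-}
-
-static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
- int indent)
-{
- POLICYQUALINFO *qualinfo;
- int i;
- for(i = 0; i < sk_POLICYQUALINFO_num(quals); i++) {
- qualinfo = sk_POLICYQUALINFO_value(quals, i);
- switch(OBJ_obj2nid(qualinfo->pqualid))
- {
- case NID_id_qt_cps:
- BIO_printf(out, "%*sCPS: %s\n", indent, "",
- qualinfo->d.cpsuri->data);
- break;
-
- case NID_id_qt_unotice:
- BIO_printf(out, "%*sUser Notice:\n", indent, "");
- print_notice(out, qualinfo->d.usernotice, indent + 2);
- break;
-
- default:
- BIO_printf(out, "%*sUnknown Qualifier: ",
- indent + 2, "");
-
- i2a_ASN1_OBJECT(out, qualinfo->pqualid);
- BIO_puts(out, "\n");
- break;
- }
- }
-}
-
-static void print_notice(BIO *out, USERNOTICE *notice, int indent)
-{
- int i;
- if(notice->noticeref) {
- NOTICEREF *ref;
- ref = notice->noticeref;
- BIO_printf(out, "%*sOrganization: %s\n", indent, "",
- ref->organization->data);
- BIO_printf(out, "%*sNumber%s: ", indent, "",
- sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : "");
- for(i = 0; i < sk_ASN1_INTEGER_num(ref->noticenos); i++) {
- ASN1_INTEGER *num;
- char *tmp;
- num = sk_ASN1_INTEGER_value(ref->noticenos, i);
- if(i) BIO_puts(out, ", ");
- tmp = i2s_ASN1_INTEGER(NULL, num);
- BIO_puts(out, tmp);
- OPENSSL_free(tmp);
- }
- BIO_puts(out, "\n");
- }
- if(notice->exptext)
- BIO_printf(out, "%*sExplicit Text: %s\n", indent, "",
- notice->exptext->data);
-}
-
-void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
- {
- const X509_POLICY_DATA *dat = node->data;
-
- BIO_printf(out, "%*sPolicy: ", indent, "");
-
- i2a_ASN1_OBJECT(out, dat->valid_policy);
- BIO_puts(out, "\n");
- BIO_printf(out, "%*s%s\n", indent + 2, "",
- node_data_critical(dat) ? "Critical" : "Non Critical");
- if (dat->qualifier_set)
- print_qualifiers(out, dat->qualifier_set, indent + 2);
- else
- BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
- }
-
-
-IMPLEMENT_STACK_OF(X509_POLICY_NODE)
-IMPLEMENT_STACK_OF(X509_POLICY_DATA)
-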
diff --git a/src/lib/libcrypto/x509v3/v3_crld.c b/src/lib/libcrypto/x509v3/v3_crld.c
deleted file mode 100644
index 790a6dd032..0000000000
--- a/src/lib/libcrypto/x509v3/v3_crld.c
+++ /dev/null
@@ -1,616 +0,0 @@
1/* v3_crld.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/conf.h>
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/x509v3.h>
65
66static void *v2i_crld(const X509V3_EXT_METHOD *method,
67 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
68static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
69 int indent);
70
71const X509V3_EXT_METHOD v3_crld =
72 {
73 NID_crl_distribution_points, 0, ASN1_ITEM_ref(CRL_DIST_POINTS),
74 0,0,0,0,
75 0,0,
76 0,
77 v2i_crld,
78 i2r_crldp,0,
79 NULL
80 };
81
82const X509V3_EXT_METHOD v3_freshest_crl =
83 {
84 NID_freshest_crl, 0, ASN1_ITEM_ref(CRL_DIST_POINTS),
85 0,0,0,0,
86 0,0,
87 0,
88 v2i_crld,
89 i2r_crldp,0,
90 NULL
91 };
92
93static STACK_OF(GENERAL_NAME) *gnames_from_sectname(X509V3_CTX *ctx, char *sect)
94 {
95 STACK_OF(CONF_VALUE) *gnsect;
96 STACK_OF(GENERAL_NAME) *gens;
97 if (*sect == '@')
98 gnsect = X509V3_get_section(ctx, sect + 1);
99 else
100 gnsect = X509V3_parse_list(sect);
101 if (!gnsect)
102 {
103 X509V3err(X509V3_F_GNAMES_FROM_SECTNAME,
104 X509V3_R_SECTION_NOT_FOUND);
105 return NULL;
106 }
107 gens = v2i_GENERAL_NAMES(NULL, ctx, gnsect);
108 if (*sect == '@')
109 X509V3_section_free(ctx, gnsect);
110 else
111 sk_CONF_VALUE_pop_free(gnsect, X509V3_conf_free);
112 return gens;
113 }
114
115static int set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx,
116 CONF_VALUE *cnf)
117 {
118 STACK_OF(GENERAL_NAME) *fnm = NULL;
119 STACK_OF(X509_NAME_ENTRY) *rnm = NULL;
120 if (!strncmp(cnf->name, "fullname", 9))
121 {
122 fnm = gnames_from_sectname(ctx, cnf->value);
123 if (!fnm)
124 goto err;
125 }
126 else if (!strcmp(cnf->name, "relativename"))
127 {
128 int ret;
129 STACK_OF(CONF_VALUE) *dnsect;
130 X509_NAME *nm;
131 nm = X509_NAME_new();
132 if (!nm)
133 return -1;
134 dnsect = X509V3_get_section(ctx, cnf->value);
135 if (!dnsect)
136 {
137 X509V3err(X509V3_F_SET_DIST_POINT_NAME,
138 X509V3_R_SECTION_NOT_FOUND);
139 return -1;
140 }
141 ret = X509V3_NAME_from_section(nm, dnsect, MBSTRING_ASC);
142 X509V3_section_free(ctx, dnsect);
143 rnm = nm->entries;
144 nm->entries = NULL;
145 X509_NAME_free(nm);
146 if (!ret || sk_X509_NAME_ENTRY_num(rnm) <= 0)
147 goto err;
148 /* Since its a name fragment can't have more than one
149 * RDNSequence
150 */
151 if (sk_X509_NAME_ENTRY_value(rnm,
152 sk_X509_NAME_ENTRY_num(rnm) - 1)->set)
153 {
154 X509V3err(X509V3_F_SET_DIST_POINT_NAME,
155 X509V3_R_INVALID_MULTIPLE_RDNS);
156 goto err;
157 }
158 }
159 else
160 return 0;
161
162 if (*pdp)
163 {
164 X509V3err(X509V3_F_SET_DIST_POINT_NAME,
165 X509V3_R_DISTPOINT_ALREADY_SET);
166 goto err;
167 }
168
169 *pdp = DIST_POINT_NAME_new();
170 if (!*pdp)
171 goto err;
172 if (fnm)
173 {
174 (*pdp)->type = 0;
175 (*pdp)->name.fullname = fnm;
176 }
177 else
178 {
179 (*pdp)->type = 1;
180 (*pdp)->name.relativename = rnm;
181 }
182
183 return 1;
184
185 err:
186 if (fnm)
187 sk_GENERAL_NAME_pop_free(fnm, GENERAL_NAME_free);
188 if (rnm)
189 sk_X509_NAME_ENTRY_pop_free(rnm, X509_NAME_ENTRY_free);
190 return -1;
191 }
192
193static const BIT_STRING_BITNAME reason_flags[] = {
194{0, "Unused", "unused"},
195{1, "Key Compromise", "keyCompromise"},
196{2, "CA Compromise", "CACompromise"},
197{3, "Affiliation Changed", "affiliationChanged"},
198{4, "Superseded", "superseded"},
199{5, "Cessation Of Operation", "cessationOfOperation"},
200{6, "Certificate Hold", "certificateHold"},
201{7, "Privilege Withdrawn", "privilegeWithdrawn"},
202{8, "AA Compromise", "AACompromise"},
203{-1, NULL, NULL}
204};
205
206static int set_reasons(ASN1_BIT_STRING **preas, char *value)
207 {
208 STACK_OF(CONF_VALUE) *rsk = NULL;
209 const BIT_STRING_BITNAME *pbn;
210 const char *bnam;
211 int i, ret = 0;
212 rsk = X509V3_parse_list(value);
213 if (!rsk)
214 return 0;
215 if (*preas)
216 return 0;
217 for (i = 0; i < sk_CONF_VALUE_num(rsk); i++)
218 {
219 bnam = sk_CONF_VALUE_value(rsk, i)->name;
220 if (!*preas)
221 {
222 *preas = ASN1_BIT_STRING_new();
223 if (!*preas)
224 goto err;
225 }
226 for (pbn = reason_flags; pbn->lname; pbn++)
227 {
228 if (!strcmp(pbn->sname, bnam))
229 {
230 if (!ASN1_BIT_STRING_set_bit(*preas,
231 pbn->bitnum, 1))
232 goto err;
233 break;
234 }
235 }
236 if (!pbn->lname)
237 goto err;
238 }
239 ret = 1;
240
241 err:
242 sk_CONF_VALUE_pop_free(rsk, X509V3_conf_free);
243 return ret;
244 }
245
246static int print_reasons(BIO *out, const char *rname,
247 ASN1_BIT_STRING *rflags, int indent)
248 {
249 int first = 1;
250 const BIT_STRING_BITNAME *pbn;
251 BIO_printf(out, "%*s%s:\n%*s", indent, "", rname, indent + 2, "");
252 for (pbn = reason_flags; pbn->lname; pbn++)
253 {
254 if (ASN1_BIT_STRING_get_bit(rflags, pbn->bitnum))
255 {
256 if (first)
257 first = 0;
258 else
259 BIO_puts(out, ", ");
260 BIO_puts(out, pbn->lname);
261 }
262 }
263 if (first)
264 BIO_puts(out, "<EMPTY>\n");
265 else
266 BIO_puts(out, "\n");
267 return 1;
268 }
269
270static DIST_POINT *crldp_from_section(X509V3_CTX *ctx,
271 STACK_OF(CONF_VALUE) *nval)
272 {
273 int i;
274 CONF_VALUE *cnf;
275 DIST_POINT *point = NULL;
276 point = DIST_POINT_new();
277 if (!point)
278 goto err;
279 for(i = 0; i < sk_CONF_VALUE_num(nval); i++)
280 {
281 int ret;
282 cnf = sk_CONF_VALUE_value(nval, i);
283 ret = set_dist_point_name(&point->distpoint, ctx, cnf);
284 if (ret > 0)
285 continue;
286 if (ret < 0)
287 goto err;
288 if (!strcmp(cnf->name, "reasons"))
289 {
290 if (!set_reasons(&point->reasons, cnf->value))
291 goto err;
292 }
293 else if (!strcmp(cnf->name, "CRLissuer"))
294 {
295 point->CRLissuer =
296 gnames_from_sectname(ctx, cnf->value);
297 if (!point->CRLissuer)
298 goto err;
299 }
300 }
301
302 return point;
303
304
305 err:
306 if (point)
307 DIST_POINT_free(point);
308 return NULL;
309 }
310
311static void *v2i_crld(const X509V3_EXT_METHOD *method,
312 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
313 {
314 STACK_OF(DIST_POINT) *crld = NULL;
315 GENERAL_NAMES *gens = NULL;
316 GENERAL_NAME *gen = NULL;
317 CONF_VALUE *cnf;
318 int i;
319 if(!(crld = sk_DIST_POINT_new_null())) goto merr;
320 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
321 DIST_POINT *point;
322 cnf = sk_CONF_VALUE_value(nval, i);
323 if (!cnf->value)
324 {
325 STACK_OF(CONF_VALUE) *dpsect;
326 dpsect = X509V3_get_section(ctx, cnf->name);
327 if (!dpsect)
328 goto err;
329 point = crldp_from_section(ctx, dpsect);
330 X509V3_section_free(ctx, dpsect);
331 if (!point)
332 goto err;
333 if(!sk_DIST_POINT_push(crld, point))
334 {
335 DIST_POINT_free(point);
336 goto merr;
337 }
338 }
339 else
340 {
341 if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
342 goto err;
343 if(!(gens = GENERAL_NAMES_new()))
344 goto merr;
345 if(!sk_GENERAL_NAME_push(gens, gen))
346 goto merr;
347 gen = NULL;
348 if(!(point = DIST_POINT_new()))
349 goto merr;
350 if(!sk_DIST_POINT_push(crld, point))
351 {
352 DIST_POINT_free(point);
353 goto merr;
354 }
355 if(!(point->distpoint = DIST_POINT_NAME_new()))
356 goto merr;
357 point->distpoint->name.fullname = gens;
358 point->distpoint->type = 0;
359 gens = NULL;
360 }
361 }
362 return crld;
363
364 merr:
365 X509V3err(X509V3_F_V2I_CRLD,ERR_R_MALLOC_FAILURE);
366 err:
367 GENERAL_NAME_free(gen);
368 GENERAL_NAMES_free(gens);
369 sk_DIST_POINT_pop_free(crld, DIST_POINT_free);
370 return NULL;
371}
372
373IMPLEMENT_STACK_OF(DIST_POINT)
374IMPLEMENT_ASN1_SET_OF(DIST_POINT)
375
376static int dpn_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
377 void *exarg)
378 {
379 DIST_POINT_NAME *dpn = (DIST_POINT_NAME *)*pval;
380
381 switch(operation)
382 {
383 case ASN1_OP_NEW_POST:
384 dpn->dpname = NULL;
385 break;
386
387 case ASN1_OP_FREE_POST:
388 if (dpn->dpname)
389 X509_NAME_free(dpn->dpname);
390 break;
391 }
392 return 1;
393 }
394
395
396ASN1_CHOICE_cb(DIST_POINT_NAME, dpn_cb) = {
397 ASN1_IMP_SEQUENCE_OF(DIST_POINT_NAME, name.fullname, GENERAL_NAME, 0),
398 ASN1_IMP_SET_OF(DIST_POINT_NAME, name.relativename, X509_NAME_ENTRY, 1)
399} ASN1_CHOICE_END_cb(DIST_POINT_NAME, DIST_POINT_NAME, type)
400
401
402IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT_NAME)
403
404ASN1_SEQUENCE(DIST_POINT) = {
405 ASN1_EXP_OPT(DIST_POINT, distpoint, DIST_POINT_NAME, 0),
406 ASN1_IMP_OPT(DIST_POINT, reasons, ASN1_BIT_STRING, 1),
407 ASN1_IMP_SEQUENCE_OF_OPT(DIST_POINT, CRLissuer, GENERAL_NAME, 2)
408} ASN1_SEQUENCE_END(DIST_POINT)
409
410IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT)
411
412ASN1_ITEM_TEMPLATE(CRL_DIST_POINTS) =
413 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CRLDistributionPoints, DIST_POINT)
414ASN1_ITEM_TEMPLATE_END(CRL_DIST_POINTS)
415
416IMPLEMENT_ASN1_FUNCTIONS(CRL_DIST_POINTS)
417
418ASN1_SEQUENCE(ISSUING_DIST_POINT) = {
419 ASN1_EXP_OPT(ISSUING_DIST_POINT, distpoint, DIST_POINT_NAME, 0),
420 ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyuser, ASN1_FBOOLEAN, 1),
421 ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyCA, ASN1_FBOOLEAN, 2),
422 ASN1_IMP_OPT(ISSUING_DIST_POINT, onlysomereasons, ASN1_BIT_STRING, 3),
423 ASN1_IMP_OPT(ISSUING_DIST_POINT, indirectCRL, ASN1_FBOOLEAN, 4),
424 ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyattr, ASN1_FBOOLEAN, 5)
425} ASN1_SEQUENCE_END(ISSUING_DIST_POINT)
426
427IMPLEMENT_ASN1_FUNCTIONS(ISSUING_DIST_POINT)
428
429static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
430 int indent);
431static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
432 STACK_OF(CONF_VALUE) *nval);
433
434const X509V3_EXT_METHOD v3_idp =
435 {
436 NID_issuing_distribution_point, X509V3_EXT_MULTILINE,
437 ASN1_ITEM_ref(ISSUING_DIST_POINT),
438 0,0,0,0,
439 0,0,
440 0,
441 v2i_idp,
442 i2r_idp,0,
443 NULL
444 };
445
446static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
447 STACK_OF(CONF_VALUE) *nval)
448 {
449 ISSUING_DIST_POINT *idp = NULL;
450 CONF_VALUE *cnf;
451 char *name, *val;
452 int i, ret;
453 idp = ISSUING_DIST_POINT_new();
454 if (!idp)
455 goto merr;
456 for(i = 0; i < sk_CONF_VALUE_num(nval); i++)
457 {
458 cnf = sk_CONF_VALUE_value(nval, i);
459 name = cnf->name;
460 val = cnf->value;
461 ret = set_dist_point_name(&idp->distpoint, ctx, cnf);
462 if (ret > 0)
463 continue;
464 if (ret < 0)
465 goto err;
466 if (!strcmp(name, "onlyuser"))
467 {
468 if (!X509V3_get_value_bool(cnf, &idp->onlyuser))
469 goto err;
470 }
471 else if (!strcmp(name, "onlyCA"))
472 {
473 if (!X509V3_get_value_bool(cnf, &idp->onlyCA))
474 goto err;
475 }
476 else if (!strcmp(name, "onlyAA"))
477 {
478 if (!X509V3_get_value_bool(cnf, &idp->onlyattr))
479 goto err;
480 }
481 else if (!strcmp(name, "indirectCRL"))
482 {
483 if (!X509V3_get_value_bool(cnf, &idp->indirectCRL))
484 goto err;
485 }
486 else if (!strcmp(name, "onlysomereasons"))
487 {
488 if (!set_reasons(&idp->onlysomereasons, val))
489 goto err;
490 }
491 else
492 {
493 X509V3err(X509V3_F_V2I_IDP, X509V3_R_INVALID_NAME);
494 X509V3_conf_err(cnf);
495 goto err;
496 }
497 }
498 return idp;
499
500 merr:
501 X509V3err(X509V3_F_V2I_IDP,ERR_R_MALLOC_FAILURE);
502 err:
503 ISSUING_DIST_POINT_free(idp);
504 return NULL;
505 }
506
507static int print_gens(BIO *out, STACK_OF(GENERAL_NAME) *gens, int indent)
508 {
509 int i;
510 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
511 {
512 BIO_printf(out, "%*s", indent + 2, "");
513 GENERAL_NAME_print(out, sk_GENERAL_NAME_value(gens, i));
514 BIO_puts(out, "\n");
515 }
516 return 1;
517 }
518
519static int print_distpoint(BIO *out, DIST_POINT_NAME *dpn, int indent)
520 {
521 if (dpn->type == 0)
522 {
523 BIO_printf(out, "%*sFull Name:\n", indent, "");
524 print_gens(out, dpn->name.fullname, indent);
525 }
526 else
527 {
528 X509_NAME ntmp;
529 ntmp.entries = dpn->name.relativename;
530 BIO_printf(out, "%*sRelative Name:\n%*s",
531 indent, "", indent + 2, "");
532 X509_NAME_print_ex(out, &ntmp, 0, XN_FLAG_ONELINE);
533 BIO_puts(out, "\n");
534 }
535 return 1;
536 }
537
538static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
539 int indent)
540 {
541 ISSUING_DIST_POINT *idp = pidp;
542 if (idp->distpoint)
543 print_distpoint(out, idp->distpoint, indent);
544 if (idp->onlyuser > 0)
545 BIO_printf(out, "%*sOnly User Certificates\n", indent, "");
546 if (idp->onlyCA > 0)
547 BIO_printf(out, "%*sOnly CA Certificates\n", indent, "");
548 if (idp->indirectCRL > 0)
549 BIO_printf(out, "%*sIndirect CRL\n", indent, "");
550 if (idp->onlysomereasons)
551 print_reasons(out, "Only Some Reasons",
552 idp->onlysomereasons, indent);
553 if (idp->onlyattr > 0)
554 BIO_printf(out, "%*sOnly Attribute Certificates\n", indent, "");
555 if (!idp->distpoint && (idp->onlyuser <= 0) && (idp->onlyCA <= 0)
556 && (idp->indirectCRL <= 0) && !idp->onlysomereasons
557 && (idp->onlyattr <= 0))
558 BIO_printf(out, "%*s<EMPTY>\n", indent, "");
559
560 return 1;
561 }
562
563static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
564 int indent)
565 {
566 STACK_OF(DIST_POINT) *crld = pcrldp;
567 DIST_POINT *point;
568 int i;
569 for(i = 0; i < sk_DIST_POINT_num(crld); i++)
570 {
571 BIO_puts(out, "\n");
572 point = sk_DIST_POINT_value(crld, i);
573 if(point->distpoint)
574 print_distpoint(out, point->distpoint, indent);
575 if(point->reasons)
576 print_reasons(out, "Reasons", point->reasons,
577 indent);
578 if(point->CRLissuer)
579 {
580 BIO_printf(out, "%*sCRL Issuer:\n", indent, "");
581 print_gens(out, point->CRLissuer, indent);
582 }
583 }
584 return 1;
585 }
586
587int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname)
588 {
589 int i;
590 STACK_OF(X509_NAME_ENTRY) *frag;
591 X509_NAME_ENTRY *ne;
592 if (!dpn || (dpn->type != 1))
593 return 1;
594 frag = dpn->name.relativename;
595 dpn->dpname = X509_NAME_dup(iname);
596 if (!dpn->dpname)
597 return 0;
598 for (i = 0; i < sk_X509_NAME_ENTRY_num(frag); i++)
599 {
600 ne = sk_X509_NAME_ENTRY_value(frag, i);
601 if (!X509_NAME_add_entry(dpn->dpname, ne, -1, i ? 0 : 1))
602 {
603 X509_NAME_free(dpn->dpname);
604 dpn->dpname = NULL;
605 return 0;
606 }
607 }
608 /* generate cached encoding of name */
609 if (i2d_X509_NAME(dpn->dpname, NULL) < 0)
610 {
611 X509_NAME_free(dpn->dpname);
612 dpn->dpname = NULL;
613 return 0;
614 }
615 return 1;
616 }
diff --git a/src/lib/libcrypto/x509v3/v3_enum.c b/src/lib/libcrypto/x509v3/v3_enum.c
deleted file mode 100644
index c0575e368d..0000000000
--- a/src/lib/libcrypto/x509v3/v3_enum.c
+++ /dev/null
@@ -1,97 +0,0 @@
1/* v3_enum.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/x509v3.h>
62
63static ENUMERATED_NAMES crl_reasons[] = {
64{CRL_REASON_UNSPECIFIED, "Unspecified", "unspecified"},
65{CRL_REASON_KEY_COMPROMISE, "Key Compromise", "keyCompromise"},
66{CRL_REASON_CA_COMPROMISE, "CA Compromise", "CACompromise"},
67{CRL_REASON_AFFILIATION_CHANGED, "Affiliation Changed", "affiliationChanged"},
68{CRL_REASON_SUPERSEDED, "Superseded", "superseded"},
69{CRL_REASON_CESSATION_OF_OPERATION,
70 "Cessation Of Operation", "cessationOfOperation"},
71{CRL_REASON_CERTIFICATE_HOLD, "Certificate Hold", "certificateHold"},
72{CRL_REASON_REMOVE_FROM_CRL, "Remove From CRL", "removeFromCRL"},
73{CRL_REASON_PRIVILEGE_WITHDRAWN, "Privilege Withdrawn", "privilegeWithdrawn"},
74{CRL_REASON_AA_COMPROMISE, "AA Compromise", "AACompromise"},
75{-1, NULL, NULL}
76};
77
78const X509V3_EXT_METHOD v3_crl_reason = {
79NID_crl_reason, 0, ASN1_ITEM_ref(ASN1_ENUMERATED),
800,0,0,0,
81(X509V3_EXT_I2S)i2s_ASN1_ENUMERATED_TABLE,
820,
830,0,0,0,
84crl_reasons};
85
86
87char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *method,
88 ASN1_ENUMERATED *e)
89{
90 ENUMERATED_NAMES *enam;
91 long strval;
92 strval = ASN1_ENUMERATED_get(e);
93 for(enam = method->usr_data; enam->lname; enam++) {
94 if(strval == enam->bitnum) return BUF_strdup(enam->lname);
95 }
96 return i2s_ASN1_ENUMERATED(method, e);
97}
diff --git a/src/lib/libcrypto/x509v3/v3_extku.c b/src/lib/libcrypto/x509v3/v3_extku.c
deleted file mode 100644
index 1c66532757..0000000000
--- a/src/lib/libcrypto/x509v3/v3_extku.c
+++ /dev/null
@@ -1,144 +0,0 @@
1/* v3_extku.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/asn1t.h>
63#include <openssl/conf.h>
64#include <openssl/x509v3.h>
65
66static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
67 X509V3_CTX *ctx,
68 STACK_OF(CONF_VALUE) *nval);
69static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
70 void *eku, STACK_OF(CONF_VALUE) *extlist);
71
72const X509V3_EXT_METHOD v3_ext_ku = {
73 NID_ext_key_usage, 0,
74 ASN1_ITEM_ref(EXTENDED_KEY_USAGE),
75 0,0,0,0,
76 0,0,
77 i2v_EXTENDED_KEY_USAGE,
78 v2i_EXTENDED_KEY_USAGE,
79 0,0,
80 NULL
81};
82
83/* NB OCSP acceptable responses also is a SEQUENCE OF OBJECT */
84const X509V3_EXT_METHOD v3_ocsp_accresp = {
85 NID_id_pkix_OCSP_acceptableResponses, 0,
86 ASN1_ITEM_ref(EXTENDED_KEY_USAGE),
87 0,0,0,0,
88 0,0,
89 i2v_EXTENDED_KEY_USAGE,
90 v2i_EXTENDED_KEY_USAGE,
91 0,0,
92 NULL
93};
94
95ASN1_ITEM_TEMPLATE(EXTENDED_KEY_USAGE) =
96 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, EXTENDED_KEY_USAGE, ASN1_OBJECT)
97ASN1_ITEM_TEMPLATE_END(EXTENDED_KEY_USAGE)
98
99IMPLEMENT_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE)
100
101static STACK_OF(CONF_VALUE) *
102 i2v_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method, void *a,
103 STACK_OF(CONF_VALUE) *ext_list)
104{
105 EXTENDED_KEY_USAGE *eku = a;
106 int i;
107 ASN1_OBJECT *obj;
108 char obj_tmp[80];
109 for(i = 0; i < sk_ASN1_OBJECT_num(eku); i++) {
110 obj = sk_ASN1_OBJECT_value(eku, i);
111 i2t_ASN1_OBJECT(obj_tmp, 80, obj);
112 X509V3_add_value(NULL, obj_tmp, &ext_list);
113 }
114 return ext_list;
115}
116
117static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
118 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
119{
120 EXTENDED_KEY_USAGE *extku;
121 char *extval;
122 ASN1_OBJECT *objtmp;
123 CONF_VALUE *val;
124 int i;
125
126 if(!(extku = sk_ASN1_OBJECT_new_null())) {
127 X509V3err(X509V3_F_V2I_EXTENDED_KEY_USAGE,ERR_R_MALLOC_FAILURE);
128 return NULL;
129 }
130
131 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
132 val = sk_CONF_VALUE_value(nval, i);
133 if(val->value) extval = val->value;
134 else extval = val->name;
135 if(!(objtmp = OBJ_txt2obj(extval, 0))) {
136 sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
137 X509V3err(X509V3_F_V2I_EXTENDED_KEY_USAGE,X509V3_R_INVALID_OBJECT_IDENTIFIER);
138 X509V3_conf_err(val);
139 return NULL;
140 }
141 sk_ASN1_OBJECT_push(extku, objtmp);
142 }
143 return extku;
144}
diff --git a/src/lib/libcrypto/x509v3/v3_genn.c b/src/lib/libcrypto/x509v3/v3_genn.c
deleted file mode 100644
index b628357301..0000000000
--- a/src/lib/libcrypto/x509v3/v3_genn.c
+++ /dev/null
@@ -1,252 +0,0 @@
1/* v3_genn.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/asn1t.h>
63#include <openssl/conf.h>
64#include <openssl/x509v3.h>
65
66ASN1_SEQUENCE(OTHERNAME) = {
67 ASN1_SIMPLE(OTHERNAME, type_id, ASN1_OBJECT),
68 /* Maybe have a true ANY DEFINED BY later */
69 ASN1_EXP(OTHERNAME, value, ASN1_ANY, 0)
70} ASN1_SEQUENCE_END(OTHERNAME)
71
72IMPLEMENT_ASN1_FUNCTIONS(OTHERNAME)
73
74ASN1_SEQUENCE(EDIPARTYNAME) = {
75 ASN1_IMP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0),
76 ASN1_IMP_OPT(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1)
77} ASN1_SEQUENCE_END(EDIPARTYNAME)
78
79IMPLEMENT_ASN1_FUNCTIONS(EDIPARTYNAME)
80
81ASN1_CHOICE(GENERAL_NAME) = {
82 ASN1_IMP(GENERAL_NAME, d.otherName, OTHERNAME, GEN_OTHERNAME),
83 ASN1_IMP(GENERAL_NAME, d.rfc822Name, ASN1_IA5STRING, GEN_EMAIL),
84 ASN1_IMP(GENERAL_NAME, d.dNSName, ASN1_IA5STRING, GEN_DNS),
85 /* Don't decode this */
86 ASN1_IMP(GENERAL_NAME, d.x400Address, ASN1_SEQUENCE, GEN_X400),
87 /* X509_NAME is a CHOICE type so use EXPLICIT */
88 ASN1_EXP(GENERAL_NAME, d.directoryName, X509_NAME, GEN_DIRNAME),
89 ASN1_IMP(GENERAL_NAME, d.ediPartyName, EDIPARTYNAME, GEN_EDIPARTY),
90 ASN1_IMP(GENERAL_NAME, d.uniformResourceIdentifier, ASN1_IA5STRING, GEN_URI),
91 ASN1_IMP(GENERAL_NAME, d.iPAddress, ASN1_OCTET_STRING, GEN_IPADD),
92 ASN1_IMP(GENERAL_NAME, d.registeredID, ASN1_OBJECT, GEN_RID)
93} ASN1_CHOICE_END(GENERAL_NAME)
94
95IMPLEMENT_ASN1_FUNCTIONS(GENERAL_NAME)
96
97ASN1_ITEM_TEMPLATE(GENERAL_NAMES) =
98 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, GeneralNames, GENERAL_NAME)
99ASN1_ITEM_TEMPLATE_END(GENERAL_NAMES)
100
101IMPLEMENT_ASN1_FUNCTIONS(GENERAL_NAMES)
102
103GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a)
104 {
105 return (GENERAL_NAME *) ASN1_dup((i2d_of_void *) i2d_GENERAL_NAME,
106 (d2i_of_void *) d2i_GENERAL_NAME,
107 (char *) a);
108 }
109
110/* Returns 0 if they are equal, != 0 otherwise. */
111int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
112 {
113 int result = -1;
114
115 if (!a || !b || a->type != b->type) return -1;
116 switch(a->type)
117 {
118 case GEN_X400:
119 case GEN_EDIPARTY:
120 result = ASN1_TYPE_cmp(a->d.other, b->d.other);
121 break;
122
123 case GEN_OTHERNAME:
124 result = OTHERNAME_cmp(a->d.otherName, b->d.otherName);
125 break;
126
127 case GEN_EMAIL:
128 case GEN_DNS:
129 case GEN_URI:
130 result = ASN1_STRING_cmp(a->d.ia5, b->d.ia5);
131 break;
132
133 case GEN_DIRNAME:
134 result = X509_NAME_cmp(a->d.dirn, b->d.dirn);
135 break;
136
137 case GEN_IPADD:
138 result = ASN1_OCTET_STRING_cmp(a->d.ip, b->d.ip);
139 break;
140
141 case GEN_RID:
142 result = OBJ_cmp(a->d.rid, b->d.rid);
143 break;
144 }
145 return result;
146 }
147
148/* Returns 0 if they are equal, != 0 otherwise. */
149int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b)
150 {
151 int result = -1;
152
153 if (!a || !b) return -1;
154 /* Check their type first. */
155 if ((result = OBJ_cmp(a->type_id, b->type_id)) != 0)
156 return result;
157 /* Check the value. */
158 result = ASN1_TYPE_cmp(a->value, b->value);
159 return result;
160 }
161
162void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value)
163 {
164 switch(type)
165 {
166 case GEN_X400:
167 case GEN_EDIPARTY:
168 a->d.other = value;
169 break;
170
171 case GEN_OTHERNAME:
172 a->d.otherName = value;
173 break;
174
175 case GEN_EMAIL:
176 case GEN_DNS:
177 case GEN_URI:
178 a->d.ia5 = value;
179 break;
180
181 case GEN_DIRNAME:
182 a->d.dirn = value;
183 break;
184
185 case GEN_IPADD:
186 a->d.ip = value;
187 break;
188
189 case GEN_RID:
190 a->d.rid = value;
191 break;
192 }
193 a->type = type;
194 }
195
196void *GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype)
197 {
198 if (ptype)
199 *ptype = a->type;
200 switch(a->type)
201 {
202 case GEN_X400:
203 case GEN_EDIPARTY:
204 return a->d.other;
205
206 case GEN_OTHERNAME:
207 return a->d.otherName;
208
209 case GEN_EMAIL:
210 case GEN_DNS:
211 case GEN_URI:
212 return a->d.ia5;
213
214 case GEN_DIRNAME:
215 return a->d.dirn;
216
217 case GEN_IPADD:
218 return a->d.ip;
219
220 case GEN_RID:
221 return a->d.rid;
222
223 default:
224 return NULL;
225 }
226 }
227
228int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
229 ASN1_OBJECT *oid, ASN1_TYPE *value)
230 {
231 OTHERNAME *oth;
232 oth = OTHERNAME_new();
233 if (!oth)
234 return 0;
235 oth->type_id = oid;
236 oth->value = value;
237 GENERAL_NAME_set0_value(gen, GEN_OTHERNAME, oth);
238 return 1;
239 }
240
241int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen,
242 ASN1_OBJECT **poid, ASN1_TYPE **pvalue)
243 {
244 if (gen->type != GEN_OTHERNAME)
245 return 0;
246 if (poid)
247 *poid = gen->d.otherName->type_id;
248 if (pvalue)
249 *pvalue = gen->d.otherName->value;
250 return 1;
251 }
252
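diff --git a/src/lib/libcrypto/x509v3/v3_ia5.c b/src/lib/libcrypto/x509v3/v3_ia5.c
deleted file mode 100644
index 4ff12b52b5..0000000000
--- a/src/lib/libcrypto/x509v3/v3_ia5.c
+++ /dev/null
@@ -1,116 +0,0 @@
-/* v3_ia5.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/asn1.h>
-#include <openssl/conf.h>
-#include <openssl/x509v3.h>
-
-static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5);
-static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
-const X509V3_EXT_METHOD v3_ns_ia5_list[] = {
-EXT_IA5STRING(NID_netscape_base_url),
-EXT_IA5STRING(NID_netscape_revocation_url),
-EXT_IA5STRING(NID_netscape_ca_revocation_url),
-EXT_IA5STRING(NID_netscape_renewal_url),
-EXT_IA5STRING(NID_netscape_ca_policy_url),
-EXT_IA5STRING(NID_netscape_ssl_server_name),
-EXT_IA5STRING(NID_netscape_comment),
-EXT_END
-};
-
-
-static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
- ASN1_IA5STRING *ia5)
-{
- char *tmp;
- if(!ia5 || !ia5->length) return NULL;
- if(!(tmp = OPENSSL_malloc(ia5->length + 1))) {
- X509V3err(X509V3_F_I2S_ASN1_IA5STRING,ERR_R_MALLOC_FAILURE);
- return NULL;
- }
- memcpy(tmp, ia5->data, ia5->length);
- tmp[ia5->length] = 0;
- return tmp;
-}
-
-static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, char *str)
-{
- ASN1_IA5STRING *ia5;
- if(!str) {
- X509V3err(X509V3_F_S2I_ASN1_IA5STRING,X509V3_R_INVALID_NULL_ARGUMENT);
- return NULL;
- }
- if(!(ia5 = M_ASN1_IA5STRING_new())) goto err;
- if(!ASN1_STRING_set((ASN1_STRING *)ia5, (unsigned char*)str,
- strlen(str))) {
- M_ASN1_IA5STRING_free(ia5);
- goto err;
- }
-#ifdef CHARSET_EBCDIC
- ebcdic2ascii(ia5->data, ia5->data, ia5->length);
-#endif /*CHARSET_EBCDIC*/
- return ia5;
- err:
- X509V3err(X509V3_F_S2I_ASN1_IA5STRING,ERR_R_MALLOC_FAILURE);
- return NULL;
-}
-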
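diff --git a/src/lib/libcrypto/x509v3/v3_info.c b/src/lib/libcrypto/x509v3/v3_info.c
deleted file mode 100644
index e1b8699f92..0000000000
--- a/src/lib/libcrypto/x509v3/v3_info.c
+++ /dev/null
@@ -1,193 +0,0 @@
-/* v3_info.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/conf.h>
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/x509v3.h>
-
-static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
- AUTHORITY_INFO_ACCESS *ainfo,
- STACK_OF(CONF_VALUE) *ret);
-static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-
-const X509V3_EXT_METHOD v3_info =
-{ NID_info_access, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS),
-0,0,0,0,
-0,0,
-(X509V3_EXT_I2V)i2v_AUTHORITY_INFO_ACCESS,
-(X509V3_EXT_V2I)v2i_AUTHORITY_INFO_ACCESS,
-0,0,
-NULL};
-
-const X509V3_EXT_METHOD v3_sinfo =
-{ NID_sinfo_access, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS),
-0,0,0,0,
-0,0,
-(X509V3_EXT_I2V)i2v_AUTHORITY_INFO_ACCESS,
-(X509V3_EXT_V2I)v2i_AUTHORITY_INFO_ACCESS,
-0,0,
-NULL};
-
-ASN1_SEQUENCE(ACCESS_DESCRIPTION) = {
- ASN1_SIMPLE(ACCESS_DESCRIPTION, method, ASN1_OBJECT),
- ASN1_SIMPLE(ACCESS_DESCRIPTION, location, GENERAL_NAME)
-} ASN1_SEQUENCE_END(ACCESS_DESCRIPTION)
-
-IMPLEMENT_ASN1_FUNCTIONS(ACCESS_DESCRIPTION)
-
-ASN1_ITEM_TEMPLATE(AUTHORITY_INFO_ACCESS) =
- ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, GeneralNames, ACCESS_DESCRIPTION)
-ASN1_ITEM_TEMPLATE_END(AUTHORITY_INFO_ACCESS)
-
-IMPLEMENT_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS)
-
-static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
- AUTHORITY_INFO_ACCESS *ainfo,
- STACK_OF(CONF_VALUE) *ret)
-{
- ACCESS_DESCRIPTION *desc;
- int i,nlen;
- char objtmp[80], *ntmp;
- CONF_VALUE *vtmp;
- for(i = 0; i < sk_ACCESS_DESCRIPTION_num(ainfo); i++) {
- desc = sk_ACCESS_DESCRIPTION_value(ainfo, i);
- ret = i2v_GENERAL_NAME(method, desc->location, ret);
- if(!ret) break;
- vtmp = sk_CONF_VALUE_value(ret, i);
- i2t_ASN1_OBJECT(objtmp, sizeof objtmp, desc->method);
- nlen = strlen(objtmp) + strlen(vtmp->name) + 5;
- ntmp = OPENSSL_malloc(nlen);
- if(!ntmp) {
- X509V3err(X509V3_F_I2V_AUTHORITY_INFO_ACCESS,
- ERR_R_MALLOC_FAILURE);
- return NULL;
- }
- BUF_strlcpy(ntmp, objtmp, nlen);
- BUF_strlcat(ntmp, " - ", nlen);
- BUF_strlcat(ntmp, vtmp->name, nlen);
- OPENSSL_free(vtmp->name);
- vtmp->name = ntmp;
-
- }
- if(!ret) return sk_CONF_VALUE_new_null();
- return ret;
-}
-
-static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
-{
- AUTHORITY_INFO_ACCESS *ainfo = NULL;
- CONF_VALUE *cnf, ctmp;
- ACCESS_DESCRIPTION *acc;
- int i, objlen;
- char *objtmp, *ptmp;
- if(!(ainfo = sk_ACCESS_DESCRIPTION_new_null())) {
- X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,ERR_R_MALLOC_FAILURE);
- return NULL;
- }
- for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
- cnf = sk_CONF_VALUE_value(nval, i);
- if(!(acc = ACCESS_DESCRIPTION_new())
- || !sk_ACCESS_DESCRIPTION_push(ainfo, acc)) {
- X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,ERR_R_MALLOC_FAILURE);
- goto err;
- }
- ptmp = strchr(cnf->name, ';');
- if(!ptmp) {
- X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,X509V3_R_INVALID_SYNTAX);
- goto err;
- }
- objlen = ptmp - cnf->name;
- ctmp.name = ptmp + 1;
- ctmp.value = cnf->value;
- if(!v2i_GENERAL_NAME_ex(acc->location, method, ctx, &ctmp, 0))
- goto err;
- if(!(objtmp = OPENSSL_malloc(objlen + 1))) {
- X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,ERR_R_MALLOC_FAILURE);
- goto err;
- }
- strncpy(objtmp, cnf->name, objlen);
- objtmp[objlen] = 0;
- acc->method = OBJ_txt2obj(objtmp, 0);
- if(!acc->method) {
- X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,X509V3_R_BAD_OBJECT);
- ERR_add_error_data(2, "value=", objtmp);
- OPENSSL_free(objtmp);
- goto err;
- }
- OPENSSL_free(objtmp);
-
- }
- return ainfo;
- err:
- sk_ACCESS_DESCRIPTION_pop_free(ainfo, ACCESS_DESCRIPTION_free);
- return NULL;
-}
-
-int i2a_ACCESS_DESCRIPTION(BIO *bp, ACCESS_DESCRIPTION* a)
- {
- i2a_ASN1_OBJECT(bp, a->method);
-#ifdef UNDEF
- i2a_GENERAL_NAME(bp, a->location);
-#endif
- return 2;
- }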
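diff --git a/src/lib/libcrypto/x509v3/v3_int.c b/src/lib/libcrypto/x509v3/v3_int.c
deleted file mode 100644
index 4bfd14cf46..0000000000
--- a/src/lib/libcrypto/x509v3/v3_int.c
+++ /dev/null
@@ -1,89 +0,0 @@
-/* v3_int.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/x509v3.h>
-
-const X509V3_EXT_METHOD v3_crl_num = {
- NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER),
- 0,0,0,0,
- (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
- 0,
- 0,0,0,0, NULL};
-
-const X509V3_EXT_METHOD v3_delta_crl = {
- NID_delta_crl, 0, ASN1_ITEM_ref(ASN1_INTEGER),
- 0,0,0,0,
- (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
- 0,
- 0,0,0,0, NULL};
-
-static void * s2i_asn1_int(X509V3_EXT_METHOD *meth, X509V3_CTX *ctx, char *value)
- {
- return s2i_ASN1_INTEGER(meth, value);
- }
-
-const X509V3_EXT_METHOD v3_inhibit_anyp = {
- NID_inhibit_any_policy, 0, ASN1_ITEM_ref(ASN1_INTEGER),
- 0,0,0,0,
- (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
- (X509V3_EXT_S2I)s2i_asn1_int,
- 0,0,0,0, NULL};
-
-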
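diff --git a/src/lib/libcrypto/x509v3/v3_lib.c b/src/lib/libcrypto/x509v3/v3_lib.c
deleted file mode 100644
index 0f1e1d4422..0000000000
--- a/src/lib/libcrypto/x509v3/v3_lib.c
+++ /dev/null
@@ -1,309 +0,0 @@
-/* v3_lib.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* X509 v3 extension utilities */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/conf.h>
-#include <openssl/x509v3.h>
-
-#include "ext_dat.h"
-
-static STACK_OF(X509V3_EXT_METHOD) *ext_list = NULL;
-
-static int ext_cmp(const X509V3_EXT_METHOD * const *a,
- const X509V3_EXT_METHOD * const *b);
-static void ext_list_free(X509V3_EXT_METHOD *ext);
-
-int X509V3_EXT_add(X509V3_EXT_METHOD *ext)
-{
- if(!ext_list && !(ext_list = sk_X509V3_EXT_METHOD_new(ext_cmp))) {
- X509V3err(X509V3_F_X509V3_EXT_ADD,ERR_R_MALLOC_FAILURE);
- return 0;
- }
- if(!sk_X509V3_EXT_METHOD_push(ext_list, ext)) {
- X509V3err(X509V3_F_X509V3_EXT_ADD,ERR_R_MALLOC_FAILURE);
- return 0;
- }
- return 1;
-}
-
-static int ext_cmp(const X509V3_EXT_METHOD * const *a,
- const X509V3_EXT_METHOD * const *b)
-{
- return ((*a)->ext_nid - (*b)->ext_nid);
-}
-
-DECLARE_OBJ_BSEARCH_CMP_FN(const X509V3_EXT_METHOD *, const X509V3_EXT_METHOD *,
- ext);
-IMPLEMENT_OBJ_BSEARCH_CMP_FN(const X509V3_EXT_METHOD *,
- const X509V3_EXT_METHOD *, ext);
-
-const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid)
-{
- X509V3_EXT_METHOD tmp;
- const X509V3_EXT_METHOD *t = &tmp, * const *ret;
- int idx;
- if(nid < 0) return NULL;
- tmp.ext_nid = nid;
- ret = OBJ_bsearch_ext(&t, standard_exts, STANDARD_EXTENSION_COUNT);
- if(ret) return *ret;
- if(!ext_list) return NULL;
- idx = sk_X509V3_EXT_METHOD_find(ext_list, &tmp);
- if(idx == -1) return NULL;
- return sk_X509V3_EXT_METHOD_value(ext_list, idx);
-}
-
-const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext)
-{
- int nid;
- if((nid = OBJ_obj2nid(ext->object)) == NID_undef) return NULL;
- return X509V3_EXT_get_nid(nid);
-}
-
-
-int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist)
-{
- for(;extlist->ext_nid!=-1;extlist++)
- if(!X509V3_EXT_add(extlist)) return 0;
- return 1;
-}
-
-int X509V3_EXT_add_alias(int nid_to, int nid_from)
-{
- const X509V3_EXT_METHOD *ext;
- X509V3_EXT_METHOD *tmpext;
-
- if(!(ext = X509V3_EXT_get_nid(nid_from))) {
- X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS,X509V3_R_EXTENSION_NOT_FOUND);
- return 0;
- }
- if(!(tmpext = (X509V3_EXT_METHOD *)OPENSSL_malloc(sizeof(X509V3_EXT_METHOD)))) {
- X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS,ERR_R_MALLOC_FAILURE);
- return 0;
- }
- *tmpext = *ext;
- tmpext->ext_nid = nid_to;
- tmpext->ext_flags |= X509V3_EXT_DYNAMIC;
- return X509V3_EXT_add(tmpext);
-}
-
-void X509V3_EXT_cleanup(void)
-{
- sk_X509V3_EXT_METHOD_pop_free(ext_list, ext_list_free);
- ext_list = NULL;
-}
-
-static void ext_list_free(X509V3_EXT_METHOD *ext)
-{
- if(ext->ext_flags & X509V3_EXT_DYNAMIC) OPENSSL_free(ext);
-}
-
-/* Legacy function: we don't need to add standard extensions
- * any more because they are now kept in ext_dat.h.
- */
-
-int X509V3_add_standard_extensions(void)
-{
- return 1;
-}
-
-/* Return an extension internal structure */
-
-void *X509V3_EXT_d2i(X509_EXTENSION *ext)
-{
- const X509V3_EXT_METHOD *method;
- const unsigned char *p;
-
- if(!(method = X509V3_EXT_get(ext))) return NULL;
- p = ext->value->data;
- if(method->it) return ASN1_item_d2i(NULL, &p, ext->value->length, ASN1_ITEM_ptr(method->it));
- return method->d2i(NULL, &p, ext->value->length);
-}
-
-/* Get critical flag and decoded version of extension from a NID.
- * The "idx" variable returns the last found extension and can
- * be used to retrieve multiple extensions of the same NID.
- * However multiple extensions with the same NID is usually
- * due to a badly encoded certificate so if idx is NULL we
- * choke if multiple extensions exist.
- * The "crit" variable is set to the critical value.
- * The return value is the decoded extension or NULL on
- * error. The actual error can have several different causes,
- * the value of *crit reflects the cause:
- * >= 0, extension found but not decoded (reflects critical value).
- * -1 extension not found.
- * -2 extension occurs more than once.
- */
-
-void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx)
-{
- int lastpos, i;
- X509_EXTENSION *ex, *found_ex = NULL;
- if(!x) {
- if(idx) *idx = -1;
- if(crit) *crit = -1;
- return NULL;
- }
- if(idx) lastpos = *idx + 1;
- else lastpos = 0;
- if(lastpos < 0) lastpos = 0;
- for(i = lastpos; i < sk_X509_EXTENSION_num(x); i++)
- {
- ex = sk_X509_EXTENSION_value(x, i);
- if(OBJ_obj2nid(ex->object) == nid) {
- if(idx) {
- *idx = i;
- found_ex = ex;
- break;
- } else if(found_ex) {
- /* Found more than one */
- if(crit) *crit = -2;
- return NULL;
- }
- found_ex = ex;
- }
- }
- if(found_ex) {
- /* Found it */
- if(crit) *crit = X509_EXTENSION_get_critical(found_ex);
- return X509V3_EXT_d2i(found_ex);
- }
-
- /* Extension not found */
- if(idx) *idx = -1;
- if(crit) *crit = -1;
- return NULL;
-}
-
-/* This function is a general extension append, replace and delete utility.
- * The precise operation is governed by the 'flags' value. The 'crit' and
- * 'value' arguments (if relevant) are the extensions internal structure.
- */
-
-int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
- int crit, unsigned long flags)
-{
- int extidx = -1;
- int errcode;
- X509_EXTENSION *ext, *extmp;
- unsigned long ext_op = flags & X509V3_ADD_OP_MASK;
-
- /* If appending we don't care if it exists, otherwise
- * look for existing extension.
- */
- if(ext_op != X509V3_ADD_APPEND)
- extidx = X509v3_get_ext_by_NID(*x, nid, -1);
-
- /* See if extension exists */
- if(extidx >= 0) {
- /* If keep existing, nothing to do */
- if(ext_op == X509V3_ADD_KEEP_EXISTING)
- return 1;
- /* If default then its an error */
- if(ext_op == X509V3_ADD_DEFAULT) {
- errcode = X509V3_R_EXTENSION_EXISTS;
- goto err;
- }
- /* If delete, just delete it */
- if(ext_op == X509V3_ADD_DELETE) {
- if(!sk_X509_EXTENSION_delete(*x, extidx)) return -1;
- return 1;
- }
- } else {
- /* If replace existing or delete, error since
- * extension must exist
- */
- if((ext_op == X509V3_ADD_REPLACE_EXISTING) ||
- (ext_op == X509V3_ADD_DELETE)) {
- errcode = X509V3_R_EXTENSION_NOT_FOUND;
- goto err;
- }
- }
-
- /* If we get this far then we have to create an extension:
- * could have some flags for alternative encoding schemes...
- */
-
- ext = X509V3_EXT_i2d(nid, crit, value);
-
- if(!ext) {
- X509V3err(X509V3_F_X509V3_ADD1_I2D, X509V3_R_ERROR_CREATING_EXTENSION);
- return 0;
- }
-
- /* If extension exists replace it.. */
- if(extidx >= 0) {
- extmp = sk_X509_EXTENSION_value(*x, extidx);
- X509_EXTENSION_free(extmp);
- if(!sk_X509_EXTENSION_set(*x, extidx, ext)) return -1;
- return 1;
- }
-
- if(!*x && !(*x = sk_X509_EXTENSION_new_null())) return -1;
- if(!sk_X509_EXTENSION_push(*x, ext)) return -1;
-
- return 1;
-
- err:
- if(!(flags & X509V3_ADD_SILENT))
- X509V3err(X509V3_F_X509V3_ADD1_I2D, errcode);
- return 0;
-}
-
-IMPLEMENT_STACK_OF(X509V3_EXT_METHOD)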
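--- a/src/lib/libcrypto/x509v3/v3_ncons.c
+++ /dev/null
@@ -1,505 +0,0 @@
-/* v3_ncons.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project.
- */
-/* ====================================================================
- * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/asn1t.h>
-#include <openssl/conf.h>
-#include <openssl/x509v3.h>
-
-static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
- void *a, BIO *bp, int ind);
-static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
- STACK_OF(GENERAL_SUBTREE) *trees,
- BIO *bp, int ind, char *name);
-static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip);
-
-static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc);
-static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen);
-static int nc_dn(X509_NAME *sub, X509_NAME *nm);
-static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns);
-static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml);
-static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base);
-
-const X509V3_EXT_METHOD v3_name_constraints = {
- NID_name_constraints, 0,
- ASN1_ITEM_ref(NAME_CONSTRAINTS),
- 0,0,0,0,
- 0,0,
- 0, v2i_NAME_CONSTRAINTS,
- i2r_NAME_CONSTRAINTS,0,
- NULL
-};
-
-ASN1_SEQUENCE(GENERAL_SUBTREE) = {
- ASN1_SIMPLE(GENERAL_SUBTREE, base, GENERAL_NAME),
- ASN1_IMP_OPT(GENERAL_SUBTREE, minimum, ASN1_INTEGER, 0),
- ASN1_IMP_OPT(GENERAL_SUBTREE, maximum, ASN1_INTEGER, 1)
-} ASN1_SEQUENCE_END(GENERAL_SUBTREE)
-
-ASN1_SEQUENCE(NAME_CONSTRAINTS) = {
- ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, permittedSubtrees,
- GENERAL_SUBTREE, 0),
- ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, excludedSubtrees,
- GENERAL_SUBTREE, 1),
-} ASN1_SEQUENCE_END(NAME_CONSTRAINTS)
-
-
-IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
-IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
-
-static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
- {
- int i;
- CONF_VALUE tval, *val;
- STACK_OF(GENERAL_SUBTREE) **ptree = NULL;
- NAME_CONSTRAINTS *ncons = NULL;
- GENERAL_SUBTREE *sub = NULL;
- ncons = NAME_CONSTRAINTS_new();
- if (!ncons)
- goto memerr;
- for(i = 0; i < sk_CONF_VALUE_num(nval); i++)
- {
- val = sk_CONF_VALUE_value(nval, i);
- if (!strncmp(val->name, "permitted", 9) && val->name[9])
- {
- ptree = &ncons->permittedSubtrees;
- tval.name = val->name + 10;
- }
- else if (!strncmp(val->name, "excluded", 8) && val->name[8])
- {
- ptree = &ncons->excludedSubtrees;
- tval.name = val->name + 9;
- }
- else
- {
- X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, X509V3_R_INVALID_SYNTAX);
- goto err;
- }
- tval.value = val->value;
- sub = GENERAL_SUBTREE_new();
- if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1))
- goto err;
- if (!*ptree)
- *ptree = sk_GENERAL_SUBTREE_new_null();
- if (!*ptree || !sk_GENERAL_SUBTREE_push(*ptree, sub))
- goto memerr;
- sub = NULL;
- }
-
- return ncons;
-
- memerr:
- X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
- err:
- if (ncons)
- NAME_CONSTRAINTS_free(ncons);
- if (sub)
- GENERAL_SUBTREE_free(sub);
-
- return NULL;
- }
-
-
-
-
-static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
- BIO *bp, int ind)
- {
- NAME_CONSTRAINTS *ncons = a;
- do_i2r_name_constraints(method, ncons->permittedSubtrees,
- bp, ind, "Permitted");
- do_i2r_name_constraints(method, ncons->excludedSubtrees,
- bp, ind, "Excluded");
- return 1;
- }
-
-static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
- STACK_OF(GENERAL_SUBTREE) *trees,
- BIO *bp, int ind, char *name)
- {
- GENERAL_SUBTREE *tree;
- int i;
- if (sk_GENERAL_SUBTREE_num(trees) > 0)
- BIO_printf(bp, "%*s%s:\n", ind, "", name);
- for(i = 0; i < sk_GENERAL_SUBTREE_num(trees); i++)
- {
- tree = sk_GENERAL_SUBTREE_value(trees, i);
- BIO_printf(bp, "%*s", ind + 2, "");
- if (tree->base->type == GEN_IPADD)
- print_nc_ipadd(bp, tree->base->d.ip);
- else
- GENERAL_NAME_print(bp, tree->base);
- BIO_puts(bp, "\n");
- }
- return 1;
- }
-
-static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip)
- {
- int i, len;
- unsigned char *p;
- p = ip->data;
- len = ip->length;
- BIO_puts(bp, "IP:");
- if(len == 8)
- {
- BIO_printf(bp, "%d.%d.%d.%d/%d.%d.%d.%d",
- p[0], p[1], p[2], p[3],
- p[4], p[5], p[6], p[7]);
- }
- else if(len == 32)
- {
- for (i = 0; i < 16; i++)
- {
- BIO_printf(bp, "%X", p[0] << 8 | p[1]);
- p += 2;
- if (i == 7)
- BIO_puts(bp, "/");
- else if (i != 15)
- BIO_puts(bp, ":");
- }
- }
- else
- BIO_printf(bp, "IP Address:<invalid>");
- return 1;
- }
-
-/* Check a certificate conforms to a specified set of constraints.
- * Return values:
- * X509_V_OK: All constraints obeyed.
- * X509_V_ERR_PERMITTED_VIOLATION: Permitted subtree violation.
- * X509_V_ERR_EXCLUDED_VIOLATION: Excluded subtree violation.
- * X509_V_ERR_SUBTREE_MINMAX: Min or max values present and matching type.
- * X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: Unsupported constraint type.
- * X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: bad unsupported constraint syntax.
- * X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: bad or unsupported syntax of name
-
- */
-
-int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
- {
- int r, i;
- X509_NAME *nm;
-
- nm = X509_get_subject_name(x);
-
- if (X509_NAME_entry_count(nm) > 0)
- {
- GENERAL_NAME gntmp;
- gntmp.type = GEN_DIRNAME;
- gntmp.d.directoryName = nm;
-
- r = nc_match(&gntmp, nc);
-
- if (r != X509_V_OK)
- return r;
-
- gntmp.type = GEN_EMAIL;
-
-
- /* Process any email address attributes in subject name */
-
- for (i = -1;;)
- {
- X509_NAME_ENTRY *ne;
- i = X509_NAME_get_index_by_NID(nm,
- NID_pkcs9_emailAddress,
- i);
- if (i == -1)
- break;
- ne = X509_NAME_get_entry(nm, i);
- gntmp.d.rfc822Name = X509_NAME_ENTRY_get_data(ne);
- if (gntmp.d.rfc822Name->type != V_ASN1_IA5STRING)
- return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
-
- r = nc_match(&gntmp, nc);
-
- if (r != X509_V_OK)
- return r;
- }
-
- }
-
- for (i = 0; i < sk_GENERAL_NAME_num(x->altname); i++)
- {
- GENERAL_NAME *gen = sk_GENERAL_NAME_value(x->altname, i);
- r = nc_match(gen, nc);
- if (r != X509_V_OK)
- return r;
- }
-
- return X509_V_OK;
-
- }
-
-static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
- {
- GENERAL_SUBTREE *sub;
- int i, r, match = 0;
-
- /* Permitted subtrees: if any subtrees exist of matching the type
- * at least one subtree must match.
- */
-
- for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++)
- {
- sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
- if (gen->type != sub->base->type)
- continue;
- if (sub->minimum || sub->maximum)
- return X509_V_ERR_SUBTREE_MINMAX;
- /* If we already have a match don't bother trying any more */
- if (match == 2)
- continue;
- if (match == 0)
- match = 1;
- r = nc_match_single(gen, sub->base);
- if (r == X509_V_OK)
- match = 2;
- else if (r != X509_V_ERR_PERMITTED_VIOLATION)
- return r;
- }
-
- if (match == 1)
- return X509_V_ERR_PERMITTED_VIOLATION;
-
- /* Excluded subtrees: must not match any of these */
-
- for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++)
- {
- sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);
- if (gen->type != sub->base->type)
- continue;
- if (sub->minimum || sub->maximum)
- return X509_V_ERR_SUBTREE_MINMAX;
-
- r = nc_match_single(gen, sub->base);
- if (r == X509_V_OK)
- return X509_V_ERR_EXCLUDED_VIOLATION;
- else if (r != X509_V_ERR_PERMITTED_VIOLATION)
- return r;
-
- }
-
- return X509_V_OK;
-
- }
-
-static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base)
- {
- switch(base->type)
- {
- case GEN_DIRNAME:
- return nc_dn(gen->d.directoryName, base->d.directoryName);
-
- case GEN_DNS:
- return nc_dns(gen->d.dNSName, base->d.dNSName);
-
- case GEN_EMAIL:
- return nc_email(gen->d.rfc822Name, base->d.rfc822Name);
-
- case GEN_URI:
- return nc_uri(gen->d.uniformResourceIdentifier,
- base->d.uniformResourceIdentifier);
-
- default:
- return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
- }
-
- }
-
-/* directoryName name constraint matching.
- * The canonical encoding of X509_NAME makes this comparison easy. It is
- * matched if the subtree is a subset of the name.
- */
-
-static int nc_dn(X509_NAME *nm, X509_NAME *base)
- {
- /* Ensure canonical encodings are up to date. */
- if (nm->modified && i2d_X509_NAME(nm, NULL) < 0)
- return X509_V_ERR_OUT_OF_MEM;
- if (base->modified && i2d_X509_NAME(base, NULL) < 0)
- return X509_V_ERR_OUT_OF_MEM;
- if (base->canon_enclen > nm->canon_enclen)
- return X509_V_ERR_PERMITTED_VIOLATION;
- if (memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen))
- return X509_V_ERR_PERMITTED_VIOLATION;
- return X509_V_OK;
- }
-
-static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
- {
- char *baseptr = (char *)base->data;
- char *dnsptr = (char *)dns->data;
- /* Empty matches everything */
- if (!*baseptr)
- return X509_V_OK;
- /* Otherwise can add zero or more components on the left so
- * compare RHS and if dns is longer and expect '.' as preceding
- * character.
- */
- if (dns->length > base->length)
- {
- dnsptr += dns->length - base->length;
- if (dnsptr[-1] != '.')
- return X509_V_ERR_PERMITTED_VIOLATION;
- }
-
- if (strcasecmp(baseptr, dnsptr))
- return X509_V_ERR_PERMITTED_VIOLATION;
-
- return X509_V_OK;
-
- }
-
-static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
- {
- const char *baseptr = (char *)base->data;
- const char *emlptr = (char *)eml->data;
-
- const char *baseat = strchr(baseptr, '@');
- const char *emlat = strchr(emlptr, '@');
- if (!emlat)
- return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
- /* Special case: inital '.' is RHS match */
- if (!baseat && (*baseptr == '.'))
- {
- if (eml->length > base->length)
- {
- emlptr += eml->length - base->length;
- if (!strcasecmp(baseptr, emlptr))
- return X509_V_OK;
- }
- return X509_V_ERR_PERMITTED_VIOLATION;
- }
-
- /* If we have anything before '@' match local part */
-
- if (baseat)
- {
- if (baseat != baseptr)
- {
- if ((baseat - baseptr) != (emlat - emlptr))
- return X509_V_ERR_PERMITTED_VIOLATION;
- /* Case sensitive match of local part */
- if (strncmp(baseptr, emlptr, emlat - emlptr))
- return X509_V_ERR_PERMITTED_VIOLATION;
- }
- /* Position base after '@' */
- baseptr = baseat + 1;
- }
- emlptr = emlat + 1;
- /* Just have hostname left to match: case insensitive */
- if (strcasecmp(baseptr, emlptr))
- return X509_V_ERR_PERMITTED_VIOLATION;
-
- return X509_V_OK;
-
- }
-
-static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
- {
- const char *baseptr = (char *)base->data;
- const char *hostptr = (char *)uri->data;
- const char *p = strchr(hostptr, ':');
- int hostlen;
- /* Check for foo:// and skip past it */
- if (!p || (p[1] != '/') || (p[2] != '/'))
- return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
- hostptr = p + 3;
-
- /* Determine length of hostname part of URI */
-
- /* Look for a port indicator as end of hostname first */
-
- p = strchr(hostptr, ':');
- /* Otherwise look for trailing slash */
- if (!p)
- p = strchr(hostptr, '/');
-
- if (!p)
- hostlen = strlen(hostptr);
- else
- hostlen = p - hostptr;
-
- if (hostlen == 0)
- return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
-
- /* Special case: inital '.' is RHS match */
- if (*baseptr == '.')
- {
- if (hostlen > base->length)
- {
- p = hostptr + hostlen - base->length;
- if (!strncasecmp(p, baseptr, base->length))
- return X509_V_OK;
- }
- return X509_V_ERR_PERMITTED_VIOLATION;
- }
-
- if ((base->length != (int)hostlen) || strncasecmp(hostptr, baseptr, hostlen))
- return X509_V_ERR_PERMITTED_VIOLATION;
-
- return X509_V_OK;
-
- }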
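--- a/src/lib/libcrypto/x509v3/v3_ocsp.c
+++ /dev/null
@@ -1,289 +0,0 @@
-/* v3_ocsp.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#ifndef OPENSSL_NO_OCSP
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/conf.h>
-#include <openssl/asn1.h>
-#include <openssl/ocsp.h>
-#include <openssl/x509v3.h>
-
-/* OCSP extensions and a couple of CRL entry extensions
- */
-
-static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *nonce,
- BIO *out, int indent);
-static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *nonce,
- BIO *out, int indent);
-static int i2r_object(const X509V3_EXT_METHOD *method, void *obj, BIO *out,
- int indent);
-
-static void *ocsp_nonce_new(void);
-static int i2d_ocsp_nonce(void *a, unsigned char **pp);
-static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length);
-static void ocsp_nonce_free(void *a);
-static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce,
- BIO *out, int indent);
-
-static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method,
- void *nocheck, BIO *out, int indent);
-static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
- const char *str);
-static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
- BIO *bp, int ind);
-
-const X509V3_EXT_METHOD v3_ocsp_crlid = {
- NID_id_pkix_OCSP_CrlID, 0, ASN1_ITEM_ref(OCSP_CRLID),
- 0,0,0,0,
- 0,0,
- 0,0,
- i2r_ocsp_crlid,0,
- NULL
-};
-
-const X509V3_EXT_METHOD v3_ocsp_acutoff = {
- NID_id_pkix_OCSP_archiveCutoff, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
- 0,0,0,0,
- 0,0,
- 0,0,
- i2r_ocsp_acutoff,0,
- NULL
-};
-
-const X509V3_EXT_METHOD v3_crl_invdate = {
- NID_invalidity_date, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
- 0,0,0,0,
- 0,0,
- 0,0,
- i2r_ocsp_acutoff,0,
- NULL
-};
-
-const X509V3_EXT_METHOD v3_crl_hold = {
- NID_hold_instruction_code, 0, ASN1_ITEM_ref(ASN1_OBJECT),
- 0,0,0,0,
- 0,0,
- 0,0,
- i2r_object,0,
- NULL
-};
-
-const X509V3_EXT_METHOD v3_ocsp_nonce = {
- NID_id_pkix_OCSP_Nonce, 0, NULL,
- ocsp_nonce_new,
- ocsp_nonce_free,
- d2i_ocsp_nonce,
- i2d_ocsp_nonce,
- 0,0,
- 0,0,
- i2r_ocsp_nonce,0,
- NULL
-};
-
-const X509V3_EXT_METHOD v3_ocsp_nocheck = {
- NID_id_pkix_OCSP_noCheck, 0, ASN1_ITEM_ref(ASN1_NULL),
- 0,0,0,0,
- 0,s2i_ocsp_nocheck,
- 0,0,
- i2r_ocsp_nocheck,0,
- NULL
-};
-
-const X509V3_EXT_METHOD v3_ocsp_serviceloc = {
- NID_id_pkix_OCSP_serviceLocator, 0, ASN1_ITEM_ref(OCSP_SERVICELOC),
- 0,0,0,0,
- 0,0,
- 0,0,
- i2r_ocsp_serviceloc,0,
- NULL
-};
-
-static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *in, BIO *bp,
- int ind)
-{
- OCSP_CRLID *a = in;
- if (a->crlUrl)
- {
- if (BIO_printf(bp, "%*scrlUrl: ", ind, "") <= 0) goto err;
- if (!ASN1_STRING_print(bp, (ASN1_STRING*)a->crlUrl)) goto err;
- if (BIO_write(bp, "\n", 1) <= 0) goto err;
- }
- if (a->crlNum)
- {
- if (BIO_printf(bp, "%*scrlNum: ", ind, "") <= 0) goto err;
- if (i2a_ASN1_INTEGER(bp, a->crlNum) <= 0) goto err;
- if (BIO_write(bp, "\n", 1) <= 0) goto err;
- }
- if (a->crlTime)
- {
- if (BIO_printf(bp, "%*scrlTime: ", ind, "") <= 0) goto err;
- if (!ASN1_GENERALIZEDTIME_print(bp, a->crlTime)) goto err;
- if (BIO_write(bp, "\n", 1) <= 0) goto err;
- }
- return 1;
- err:
- return 0;
-}
-
-static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *cutoff,
- BIO *bp, int ind)
-{
- if (BIO_printf(bp, "%*s", ind, "") <= 0) return 0;
- if(!ASN1_GENERALIZEDTIME_print(bp, cutoff)) return 0;
- return 1;
-}
-
-
-static int i2r_object(const X509V3_EXT_METHOD *method, void *oid, BIO *bp,
- int ind)
-{
- if (BIO_printf(bp, "%*s", ind, "") <= 0) return 0;
- if(i2a_ASN1_OBJECT(bp, oid) <= 0) return 0;
- return 1;
-}
-
-/* OCSP nonce. This is needs special treatment because it doesn't have
- * an ASN1 encoding at all: it just contains arbitrary data.
- */
-
-static void *ocsp_nonce_new(void)
-{
- return ASN1_OCTET_STRING_new();
-}
-
-static int i2d_ocsp_nonce(void *a, unsigned char **pp)
-{
- ASN1_OCTET_STRING *os = a;
- if(pp) {
- memcpy(*pp, os->data, os->length);
- *pp += os->length;
- }
- return os->length;
-}
-
-static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length)
-{
- ASN1_OCTET_STRING *os, **pos;
- pos = a;
- if(!pos || !*pos) os = ASN1_OCTET_STRING_new();
- else os = *pos;
- if(!ASN1_OCTET_STRING_set(os, *pp, length)) goto err;
-
- *pp += length;
-
- if(pos) *pos = os;
- return os;
-
- err:
- if(os && (!pos || (*pos != os))) M_ASN1_OCTET_STRING_free(os);
- OCSPerr(OCSP_F_D2I_OCSP_NONCE, ERR_R_MALLOC_FAILURE);
- return NULL;
-}
-
-static void ocsp_nonce_free(void *a)
-{
- M_ASN1_OCTET_STRING_free(a);
-}
-
-static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce,
- BIO *out, int indent)
-{
- if(BIO_printf(out, "%*s", indent, "") <= 0) return 0;
- if(i2a_ASN1_STRING(out, nonce, V_ASN1_OCTET_STRING) <= 0) return 0;
- return 1;
-}
-
-/* Nocheck is just a single NULL. Don't print anything and always set it */
-
-static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, void *nocheck,
- BIO *out, int indent)
-{
- return 1;
-}
-
-static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
- const char *str)
-{
- return ASN1_NULL_new();
-}
-
-static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
- BIO *bp, int ind)
- {
- int i;
- OCSP_SERVICELOC *a = in;
- ACCESS_DESCRIPTION *ad;
-
- if (BIO_printf(bp, "%*sIssuer: ", ind, "") <= 0) goto err;
- if (X509_NAME_print_ex(bp, a->issuer, 0, XN_FLAG_ONELINE) <= 0) goto err;
- for (i = 0; i < sk_ACCESS_DESCRIPTION_num(a->locator); i++)
- {
- ad = sk_ACCESS_DESCRIPTION_value(a->locator,i);
- if (BIO_printf(bp, "\n%*s", (2*ind), "") <= 0)
- goto err;
- if(i2a_ASN1_OBJECT(bp, ad->method) <= 0) goto err;
- if(BIO_puts(bp, " - ") <= 0) goto err;
- if(GENERAL_NAME_print(bp, ad->location) <= 0) goto err;
- }
- return 1;
-err:
- return 0;
- }
-#endif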
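--- a/src/lib/libcrypto/x509v3/v3_pci.c
+++ /dev/null
@@ -1,328 +0,0 @@
-/* v3_pci.c -*- mode:C; c-file-style: "eay" -*- */
-/* Contributed to the OpenSSL Project 2004
- * by Richard Levitte (richard@levitte.org)
- */
-/* Copyright (c) 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/conf.h>
-#include <openssl/x509v3.h>
-
-static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext,
- BIO *out, int indent);
-static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, char *str);
-
-const X509V3_EXT_METHOD v3_pci =
- { NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION),
- 0,0,0,0,
- 0,0,
- NULL, NULL,
- (X509V3_EXT_I2R)i2r_pci,
- (X509V3_EXT_R2I)r2i_pci,
- NULL,
- };
-
-static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci,
- BIO *out, int indent)
- {
- BIO_printf(out, "%*sPath Length Constraint: ", indent, "");
- if (pci->pcPathLengthConstraint)
- i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint);
- else
- BIO_printf(out, "infinite");
- BIO_puts(out, "\n");
- BIO_printf(out, "%*sPolicy Language: ", indent, "");
- i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
- BIO_puts(out, "\n");
- if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
- BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
- pci->proxyPolicy->policy->data);
- return 1;
- }
-
-static int process_pci_value(CONF_VALUE *val,
- ASN1_OBJECT **language, ASN1_INTEGER **pathlen,
- ASN1_OCTET_STRING **policy)
- {
- int free_policy = 0;
-
- if (strcmp(val->name, "language") == 0)
- {
- if (*language)
- {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED);
- X509V3_conf_err(val);
- return 0;
- }
- if (!(*language = OBJ_txt2obj(val->value, 0)))
- {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INVALID_OBJECT_IDENTIFIER);
- X509V3_conf_err(val);
- return 0;
- }
- }
- else if (strcmp(val->name, "pathlen") == 0)
- {
- if (*pathlen)
- {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED);
- X509V3_conf_err(val);
- return 0;
- }
- if (!X509V3_get_value_int(val, pathlen))
- {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH);
- X509V3_conf_err(val);
- return 0;
- }
- }
- else if (strcmp(val->name, "policy") == 0)
- {
- unsigned char *tmp_data = NULL;
- long val_len;
- if (!*policy)
- {
- *policy = ASN1_OCTET_STRING_new();
- if (!*policy)
- {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
- X509V3_conf_err(val);
- return 0;
- }
- free_policy = 1;
- }
- if (strncmp(val->value, "hex:", 4) == 0)
- {
- unsigned char *tmp_data2 =
- string_to_hex(val->value + 4, &val_len);
-
- if (!tmp_data2)
- {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_ILLEGAL_HEX_DIGIT);
- X509V3_conf_err(val);
- goto err;
- }
-
- tmp_data = OPENSSL_realloc((*policy)->data,
- (*policy)->length + val_len + 1);
- if (tmp_data)
- {
- (*policy)->data = tmp_data;
- memcpy(&(*policy)->data[(*policy)->length],
- tmp_data2, val_len);
- (*policy)->length += val_len;
- (*policy)->data[(*policy)->length] = '\0';
- }
- else
- {
- OPENSSL_free(tmp_data2);
- /* realloc failure implies the original data space is b0rked too! */
- (*policy)->data = NULL;
- (*policy)->length = 0;
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
- X509V3_conf_err(val);
- goto err;
- }
- OPENSSL_free(tmp_data2);
- }
- else if (strncmp(val->value, "file:", 5) == 0)
- {
- unsigned char buf[2048];
- int n;
- BIO *b = BIO_new_file(val->value + 5, "r");
- if (!b)
- {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB);
- X509V3_conf_err(val);
- goto err;
- }
- while((n = BIO_read(b, buf, sizeof(buf))) > 0
- || (n == 0 && BIO_should_retry(b)))
- {
- if (!n) continue;
-
- tmp_data = OPENSSL_realloc((*policy)->data,
- (*policy)->length + n + 1);
-
- if (!tmp_data)
- break;
-
- (*policy)->data = tmp_data;
- memcpy(&(*policy)->data[(*policy)->length],
- buf, n);
- (*policy)->length += n;
- (*policy)->data[(*policy)->length] = '\0';
- }
- BIO_free_all(b);
-
- if (n < 0)
- {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB);
- X509V3_conf_err(val);
- goto err;
- }
- }
- else if (strncmp(val->value, "text:", 5) == 0)
- {
- val_len = strlen(val->value + 5);
- tmp_data = OPENSSL_realloc((*policy)->data,
- (*policy)->length + val_len + 1);
- if (tmp_data)
- {
- (*policy)->data = tmp_data;
- memcpy(&(*policy)->data[(*policy)->length],
- val->value + 5, val_len);
- (*policy)->length += val_len;
- (*policy)->data[(*policy)->length] = '\0';
- }
- else
- {
- /* realloc failure implies the original data space is b0rked too! */
- (*policy)->data = NULL;
- (*policy)->length = 0;
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
- X509V3_conf_err(val);
- goto err;
- }
- }
- else
- {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);
- X509V3_conf_err(val);
- goto err;
- }
- if (!tmp_data)
- {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
- X509V3_conf_err(val);
- goto err;
- }
- }
- return 1;
-err:
- if (free_policy)
- {
- ASN1_OCTET_STRING_free(*policy);
- *policy = NULL;
- }
- return 0;
- }
-
-static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, char *value)
- {
- PROXY_CERT_INFO_EXTENSION *pci = NULL;
- STACK_OF(CONF_VALUE) *vals;
- ASN1_OBJECT *language = NULL;
- ASN1_INTEGER *pathlen = NULL;
- ASN1_OCTET_STRING *policy = NULL;
- int i, j;
-
- vals = X509V3_parse_list(value);
- for (i = 0; i < sk_CONF_VALUE_num(vals); i++)
- {
- CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);
- if (!cnf->name || (*cnf->name != '@' && !cnf->value))
- {
- X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_PROXY_POLICY_SETTING);
- X509V3_conf_err(cnf);
- goto err;
- }
- if (*cnf->name == '@')
- {
- STACK_OF(CONF_VALUE) *sect;
- int success_p = 1;
-
- sect = X509V3_get_section(ctx, cnf->name + 1);
- if (!sect)
- {
- X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_SECTION);
- X509V3_conf_err(cnf);
- goto err;
- }
- for (j = 0; success_p && j < sk_CONF_VALUE_num(sect); j++)
- {
- success_p =
- process_pci_value(sk_CONF_VALUE_value(sect, j),
- &language, &pathlen, &policy);
- }
- X509V3_section_free(ctx, sect);
- if (!success_p)
- goto err;
- }
- else
- {
- if (!process_pci_value(cnf,
- &language, &pathlen, &policy))
- {
- X509V3_conf_err(cnf);
- goto err;
- }
- }
- }
-
- /* Language is mandatory */
- if (!language)
- {
- X509V3err(X509V3_F_R2I_PCI,X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED);
- goto err;
- }
- i = OBJ_obj2nid(language);
- if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy)
- {
- X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY);
- goto err;
- }
-
- pci = PROXY_CERT_INFO_EXTENSION_new();
- if (!pci)
- {
- X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- pci->proxyPolicy->policyLanguage = language; language = NULL;
- pci->proxyPolicy->policy = policy; policy = NULL;
- pci->pcPathLengthConstraint = pathlen; pathlen = NULL;
- goto end;
-err:
- if (language) { ASN1_OBJECT_free(language); language = NULL; }
- if (pathlen) { ASN1_INTEGER_free(pathlen); pathlen = NULL; }
- if (policy) { ASN1_OCTET_STRING_free(policy); policy = NULL; }
- if (pci) { PROXY_CERT_INFO_EXTENSION_free(pci); pci = NULL; }
-end:
- sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
- return pci;
- }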
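diff --git a/src/lib/libcrypto/x509v3/v3_pcia.c b/src/lib/libcrypto/x509v3/v3_pcia.c
deleted file mode 100644
index bb362e0e5a..0000000000
--- a/src/lib/libcrypto/x509v3/v3_pcia.c
+++ /dev/null
@@ -1,55 +0,0 @@
-/* v3_pcia.c -*- mode:C; c-file-style: "eay" -*- */
-/* Contributed to the OpenSSL Project 2004
- * by Richard Levitte (richard@levitte.org)
- */
-/* Copyright (c) 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/x509v3.h>
-
-ASN1_SEQUENCE(PROXY_POLICY) =
- {
- ASN1_SIMPLE(PROXY_POLICY,policyLanguage,ASN1_OBJECT),
- ASN1_OPT(PROXY_POLICY,policy,ASN1_OCTET_STRING)
-} ASN1_SEQUENCE_END(PROXY_POLICY)
-
-IMPLEMENT_ASN1_FUNCTIONS(PROXY_POLICY)
-
-ASN1_SEQUENCE(PROXY_CERT_INFO_EXTENSION) =
- {
- ASN1_OPT(PROXY_CERT_INFO_EXTENSION,pcPathLengthConstraint,ASN1_INTEGER),
- ASN1_SIMPLE(PROXY_CERT_INFO_EXTENSION,proxyPolicy,PROXY_POLICY)
-} ASN1_SEQUENCE_END(PROXY_CERT_INFO_EXTENSION)
-
-IMPLEMENT_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)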
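diff --git a/src/lib/libcrypto/x509v3/v3_pcons.c b/src/lib/libcrypto/x509v3/v3_pcons.c
deleted file mode 100644
index 30ca652351..0000000000
--- a/src/lib/libcrypto/x509v3/v3_pcons.c
+++ /dev/null
@@ -1,140 +0,0 @@
-/* v3_pcons.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project.
- */
-/* ====================================================================
- * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/conf.h>
-#include <openssl/x509v3.h>
-
-static STACK_OF(CONF_VALUE) *
-i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *bcons,
- STACK_OF(CONF_VALUE) *extlist);
-static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *values);
-
-const X509V3_EXT_METHOD v3_policy_constraints = {
-NID_policy_constraints, 0,
-ASN1_ITEM_ref(POLICY_CONSTRAINTS),
-0,0,0,0,
-0,0,
-i2v_POLICY_CONSTRAINTS,
-v2i_POLICY_CONSTRAINTS,
-NULL,NULL,
-NULL
-};
-
-ASN1_SEQUENCE(POLICY_CONSTRAINTS) = {
- ASN1_IMP_OPT(POLICY_CONSTRAINTS, requireExplicitPolicy, ASN1_INTEGER,0),
- ASN1_IMP_OPT(POLICY_CONSTRAINTS, inhibitPolicyMapping, ASN1_INTEGER,1)
-} ASN1_SEQUENCE_END(POLICY_CONSTRAINTS)
-
-IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
-
-
-static STACK_OF(CONF_VALUE) *
-i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
- STACK_OF(CONF_VALUE) *extlist)
-{
- POLICY_CONSTRAINTS *pcons = a;
- X509V3_add_value_int("Require Explicit Policy",
- pcons->requireExplicitPolicy, &extlist);
- X509V3_add_value_int("Inhibit Policy Mapping",
- pcons->inhibitPolicyMapping, &extlist);
- return extlist;
-}
-
-static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *values)
-{
- POLICY_CONSTRAINTS *pcons=NULL;
- CONF_VALUE *val;
- int i;
- if(!(pcons = POLICY_CONSTRAINTS_new())) {
- X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
- return NULL;
- }
- for(i = 0; i < sk_CONF_VALUE_num(values); i++) {
- val = sk_CONF_VALUE_value(values, i);
- if(!strcmp(val->name, "requireExplicitPolicy")) {
- if(!X509V3_get_value_int(val,
- &pcons->requireExplicitPolicy)) goto err;
- } else if(!strcmp(val->name, "inhibitPolicyMapping")) {
- if(!X509V3_get_value_int(val,
- &pcons->inhibitPolicyMapping)) goto err;
- } else {
- X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, X509V3_R_INVALID_NAME);
- X509V3_conf_err(val);
- goto err;
- }
- }
- if (!pcons->inhibitPolicyMapping && !pcons->requireExplicitPolicy) {
- X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, X509V3_R_ILLEGAL_EMPTY_EXTENSION);
- goto err;
- }
-
- return pcons;
- err:
- POLICY_CONSTRAINTS_free(pcons);
- return NULL;
-}
-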
diff --git a/src/lib/libcrypto/x509v3/v3_pku.c b/src/lib/libcrypto/x509v3/v3_pku.c
deleted file mode 100644
index 076f3ff48e..0000000000
--- a/src/lib/libcrypto/x509v3/v3_pku.c
+++ /dev/null
@@ -1,108 +0,0 @@
1/* v3_pku.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/asn1.h>
62#include <openssl/asn1t.h>
63#include <openssl/x509v3.h>
64
65static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *usage, BIO *out, int indent);
66/*
67static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
68*/
69const X509V3_EXT_METHOD v3_pkey_usage_period = {
70NID_private_key_usage_period, 0, ASN1_ITEM_ref(PKEY_USAGE_PERIOD),
710,0,0,0,
720,0,0,0,
73(X509V3_EXT_I2R)i2r_PKEY_USAGE_PERIOD, NULL,
74NULL
75};
76
77ASN1_SEQUENCE(PKEY_USAGE_PERIOD) = {
78 ASN1_IMP_OPT(PKEY_USAGE_PERIOD, notBefore, ASN1_GENERALIZEDTIME, 0),
79 ASN1_IMP_OPT(PKEY_USAGE_PERIOD, notAfter, ASN1_GENERALIZEDTIME, 1)
80} ASN1_SEQUENCE_END(PKEY_USAGE_PERIOD)
81
82IMPLEMENT_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD)
83
84static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method,
85 PKEY_USAGE_PERIOD *usage, BIO *out, int indent)
86{
87 BIO_printf(out, "%*s", indent, "");
88 if(usage->notBefore) {
89 BIO_write(out, "Not Before: ", 12);
90 ASN1_GENERALIZEDTIME_print(out, usage->notBefore);
91 if(usage->notAfter) BIO_write(out, ", ", 2);
92 }
93 if(usage->notAfter) {
94 BIO_write(out, "Not After: ", 11);
95 ASN1_GENERALIZEDTIME_print(out, usage->notAfter);
96 }
97 return 1;
98}
99
100/*
101static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(method, ctx, values)
102X509V3_EXT_METHOD *method;
103X509V3_CTX *ctx;
104STACK_OF(CONF_VALUE) *values;
105{
106return NULL;
107}
108*/
diff --git a/src/lib/libcrypto/x509v3/v3_pmaps.c b/src/lib/libcrypto/x509v3/v3_pmaps.c
deleted file mode 100644
index 865bcd3980..0000000000
--- a/src/lib/libcrypto/x509v3/v3_pmaps.c
+++ /dev/null
@@ -1,155 +0,0 @@
1/* v3_pmaps.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/asn1t.h>
63#include <openssl/conf.h>
64#include <openssl/x509v3.h>
65
66static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
67 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
68static STACK_OF(CONF_VALUE) *
69i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, void *pmps,
70 STACK_OF(CONF_VALUE) *extlist);
71
72const X509V3_EXT_METHOD v3_policy_mappings = {
73 NID_policy_mappings, 0,
74 ASN1_ITEM_ref(POLICY_MAPPINGS),
75 0,0,0,0,
76 0,0,
77 i2v_POLICY_MAPPINGS,
78 v2i_POLICY_MAPPINGS,
79 0,0,
80 NULL
81};
82
83ASN1_SEQUENCE(POLICY_MAPPING) = {
84 ASN1_SIMPLE(POLICY_MAPPING, issuerDomainPolicy, ASN1_OBJECT),
85 ASN1_SIMPLE(POLICY_MAPPING, subjectDomainPolicy, ASN1_OBJECT)
86} ASN1_SEQUENCE_END(POLICY_MAPPING)
87
88ASN1_ITEM_TEMPLATE(POLICY_MAPPINGS) =
89 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, POLICY_MAPPINGS,
90 POLICY_MAPPING)
91ASN1_ITEM_TEMPLATE_END(POLICY_MAPPINGS)
92
93IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING)
94
95
96static STACK_OF(CONF_VALUE) *
97i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, void *a,
98 STACK_OF(CONF_VALUE) *ext_list)
99{
100 POLICY_MAPPINGS *pmaps = a;
101 POLICY_MAPPING *pmap;
102 int i;
103 char obj_tmp1[80];
104 char obj_tmp2[80];
105 for(i = 0; i < sk_POLICY_MAPPING_num(pmaps); i++) {
106 pmap = sk_POLICY_MAPPING_value(pmaps, i);
107 i2t_ASN1_OBJECT(obj_tmp1, 80, pmap->issuerDomainPolicy);
108 i2t_ASN1_OBJECT(obj_tmp2, 80, pmap->subjectDomainPolicy);
109 X509V3_add_value(obj_tmp1, obj_tmp2, &ext_list);
110 }
111 return ext_list;
112}
113
114static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
115 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
116{
117 POLICY_MAPPINGS *pmaps;
118 POLICY_MAPPING *pmap;
119 ASN1_OBJECT *obj1, *obj2;
120 CONF_VALUE *val;
121 int i;
122
123 if(!(pmaps = sk_POLICY_MAPPING_new_null())) {
124 X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,ERR_R_MALLOC_FAILURE);
125 return NULL;
126 }
127
128 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
129 val = sk_CONF_VALUE_value(nval, i);
130 if(!val->value || !val->name) {
131 sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
132 X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,X509V3_R_INVALID_OBJECT_IDENTIFIER);
133 X509V3_conf_err(val);
134 return NULL;
135 }
136 obj1 = OBJ_txt2obj(val->name, 0);
137 obj2 = OBJ_txt2obj(val->value, 0);
138 if(!obj1 || !obj2) {
139 sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
140 X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,X509V3_R_INVALID_OBJECT_IDENTIFIER);
141 X509V3_conf_err(val);
142 return NULL;
143 }
144 pmap = POLICY_MAPPING_new();
145 if (!pmap) {
146 sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
147 X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,ERR_R_MALLOC_FAILURE);
148 return NULL;
149 }
150 pmap->issuerDomainPolicy = obj1;
151 pmap->subjectDomainPolicy = obj2;
152 sk_POLICY_MAPPING_push(pmaps, pmap);
153 }
154 return pmaps;
155}
diff --git a/src/lib/libcrypto/x509v3/v3_prn.c b/src/lib/libcrypto/x509v3/v3_prn.c
deleted file mode 100644
index 3146218708..0000000000
--- a/src/lib/libcrypto/x509v3/v3_prn.c
+++ /dev/null
@@ -1,234 +0,0 @@
1/* v3_prn.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58/* X509 v3 extension utilities */
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/conf.h>
63#include <openssl/x509v3.h>
64
65/* Extension printing routines */
66
67static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent, int supported);
68
69/* Print out a name+value stack */
70
71void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml)
72{
73 int i;
74 CONF_VALUE *nval;
75 if(!val) return;
76 if(!ml || !sk_CONF_VALUE_num(val)) {
77 BIO_printf(out, "%*s", indent, "");
78 if(!sk_CONF_VALUE_num(val)) BIO_puts(out, "<EMPTY>\n");
79 }
80 for(i = 0; i < sk_CONF_VALUE_num(val); i++) {
81 if(ml) BIO_printf(out, "%*s", indent, "");
82 else if(i > 0) BIO_printf(out, ", ");
83 nval = sk_CONF_VALUE_value(val, i);
84 if(!nval->name) BIO_puts(out, nval->value);
85 else if(!nval->value) BIO_puts(out, nval->name);
86#ifndef CHARSET_EBCDIC
87 else BIO_printf(out, "%s:%s", nval->name, nval->value);
88#else
89 else {
90 int len;
91 char *tmp;
92 len = strlen(nval->value)+1;
93 tmp = OPENSSL_malloc(len);
94 if (tmp)
95 {
96 ascii2ebcdic(tmp, nval->value, len);
97 BIO_printf(out, "%s:%s", nval->name, tmp);
98 OPENSSL_free(tmp);
99 }
100 }
101#endif
102 if(ml) BIO_puts(out, "\n");
103 }
104}
105
106/* Main routine: print out a general extension */
107
108int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent)
109{
110 void *ext_str = NULL;
111 char *value = NULL;
112 const unsigned char *p;
113 const X509V3_EXT_METHOD *method;
114 STACK_OF(CONF_VALUE) *nval = NULL;
115 int ok = 1;
116
117 if(!(method = X509V3_EXT_get(ext)))
118 return unknown_ext_print(out, ext, flag, indent, 0);
119 p = ext->value->data;
120 if(method->it) ext_str = ASN1_item_d2i(NULL, &p, ext->value->length, ASN1_ITEM_ptr(method->it));
121 else ext_str = method->d2i(NULL, &p, ext->value->length);
122
123 if(!ext_str) return unknown_ext_print(out, ext, flag, indent, 1);
124
125 if(method->i2s) {
126 if(!(value = method->i2s(method, ext_str))) {
127 ok = 0;
128 goto err;
129 }
130#ifndef CHARSET_EBCDIC
131 BIO_printf(out, "%*s%s", indent, "", value);
132#else
133 {
134 int len;
135 char *tmp;
136 len = strlen(value)+1;
137 tmp = OPENSSL_malloc(len);
138 if (tmp)
139 {
140 ascii2ebcdic(tmp, value, len);
141 BIO_printf(out, "%*s%s", indent, "", tmp);
142 OPENSSL_free(tmp);
143 }
144 }
145#endif
146 } else if(method->i2v) {
147 if(!(nval = method->i2v(method, ext_str, NULL))) {
148 ok = 0;
149 goto err;
150 }
151 X509V3_EXT_val_prn(out, nval, indent,
152 method->ext_flags & X509V3_EXT_MULTILINE);
153 } else if(method->i2r) {
154 if(!method->i2r(method, ext_str, out, indent)) ok = 0;
155 } else ok = 0;
156
157 err:
158 sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
159 if(value) OPENSSL_free(value);
160 if(method->it) ASN1_item_free(ext_str, ASN1_ITEM_ptr(method->it));
161 else method->ext_free(ext_str);
162 return ok;
163}
164
165int X509V3_extensions_print(BIO *bp, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent)
166{
167 int i, j;
168
169 if(sk_X509_EXTENSION_num(exts) <= 0) return 1;
170
171 if(title)
172 {
173 BIO_printf(bp,"%*s%s:\n",indent, "", title);
174 indent += 4;
175 }
176
177 for (i=0; i<sk_X509_EXTENSION_num(exts); i++)
178 {
179 ASN1_OBJECT *obj;
180 X509_EXTENSION *ex;
181 ex=sk_X509_EXTENSION_value(exts, i);
182 if (indent && BIO_printf(bp,"%*s",indent, "") <= 0) return 0;
183 obj=X509_EXTENSION_get_object(ex);
184 i2a_ASN1_OBJECT(bp,obj);
185 j=X509_EXTENSION_get_critical(ex);
186 if (BIO_printf(bp,": %s\n",j?"critical":"") <= 0)
187 return 0;
188 if(!X509V3_EXT_print(bp, ex, flag, indent + 4))
189 {
190 BIO_printf(bp, "%*s", indent + 4, "");
191 M_ASN1_OCTET_STRING_print(bp,ex->value);
192 }
193 if (BIO_write(bp,"\n",1) <= 0) return 0;
194 }
195 return 1;
196}
197
198static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent, int supported)
199{
200 switch(flag & X509V3_EXT_UNKNOWN_MASK) {
201
202 case X509V3_EXT_DEFAULT:
203 return 0;
204
205 case X509V3_EXT_ERROR_UNKNOWN:
206 if(supported)
207 BIO_printf(out, "%*s<Parse Error>", indent, "");
208 else
209 BIO_printf(out, "%*s<Not Supported>", indent, "");
210 return 1;
211
212 case X509V3_EXT_PARSE_UNKNOWN:
213 return ASN1_parse_dump(out,
214 ext->value->data, ext->value->length, indent, -1);
215 case X509V3_EXT_DUMP_UNKNOWN:
216 return BIO_dump_indent(out, (char *)ext->value->data, ext->value->length, indent);
217
218 default:
219 return 1;
220 }
221}
222
223
224#ifndef OPENSSL_NO_FP_API
225int X509V3_EXT_print_fp(FILE *fp, X509_EXTENSION *ext, int flag, int indent)
226{
227 BIO *bio_tmp;
228 int ret;
229 if(!(bio_tmp = BIO_new_fp(fp, BIO_NOCLOSE))) return 0;
230 ret = X509V3_EXT_print(bio_tmp, ext, flag, indent);
231 BIO_free(bio_tmp);
232 return ret;
233}
234#endif
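--- a/src/lib/libcrypto/x509v3/v3_purp.c
+++ /dev/null
@@ -1,767 +0,0 @@
-/* v3_purp.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2001.
- */
-/* ====================================================================
- * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/x509v3.h>
-#include <openssl/x509_vfy.h>
-
-static void x509v3_cache_extensions(X509 *x);
-
-static int check_ssl_ca(const X509 *x);
-static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca);
-static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca);
-static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca);
-static int purpose_smime(const X509 *x, int ca);
-static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
-static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca);
-static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
-static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
-static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca);
-static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca);
-
-static int xp_cmp(const X509_PURPOSE * const *a,
- const X509_PURPOSE * const *b);
-static void xptable_free(X509_PURPOSE *p);
-
-static X509_PURPOSE xstandard[] = {
- {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, check_purpose_ssl_client, "SSL client", "sslclient", NULL},
- {X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ssl_server, "SSL server", "sslserver", NULL},
- {X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ns_ssl_server, "Netscape SSL server", "nssslserver", NULL},
- {X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, "S/MIME signing", "smimesign", NULL},
- {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
- {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
- {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL},
- {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL},
- {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, 0, check_purpose_timestamp_sign, "Time Stamp signing", "timestampsign", NULL},
-};
-
-#define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE))
-
-IMPLEMENT_STACK_OF(X509_PURPOSE)
-
-static STACK_OF(X509_PURPOSE) *xptable = NULL;
-
-static int xp_cmp(const X509_PURPOSE * const *a,
- const X509_PURPOSE * const *b)
-{
- return (*a)->purpose - (*b)->purpose;
-}
-
-/* As much as I'd like to make X509_check_purpose use a "const" X509*
- * I really can't because it does recalculate hashes and do other non-const
- * things. */
-int X509_check_purpose(X509 *x, int id, int ca)
-{
- int idx;
- const X509_PURPOSE *pt;
- if(!(x->ex_flags & EXFLAG_SET)) {
- CRYPTO_w_lock(CRYPTO_LOCK_X509);
- x509v3_cache_extensions(x);
- CRYPTO_w_unlock(CRYPTO_LOCK_X509);
- }
- if(id == -1) return 1;
- idx = X509_PURPOSE_get_by_id(id);
- if(idx == -1) return -1;
- pt = X509_PURPOSE_get0(idx);
- return pt->check_purpose(pt, x, ca);
-}
-
-int X509_PURPOSE_set(int *p, int purpose)
-{
- if(X509_PURPOSE_get_by_id(purpose) == -1) {
- X509V3err(X509V3_F_X509_PURPOSE_SET, X509V3_R_INVALID_PURPOSE);
- return 0;
- }
- *p = purpose;
- return 1;
-}
-
-int X509_PURPOSE_get_count(void)
-{
- if(!xptable) return X509_PURPOSE_COUNT;
- return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT;
-}
-
-X509_PURPOSE * X509_PURPOSE_get0(int idx)
-{
- if(idx < 0) return NULL;
- if(idx < (int)X509_PURPOSE_COUNT) return xstandard + idx;
- return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
-}
-
-int X509_PURPOSE_get_by_sname(char *sname)
-{
- int i;
- X509_PURPOSE *xptmp;
- for(i = 0; i < X509_PURPOSE_get_count(); i++) {
- xptmp = X509_PURPOSE_get0(i);
- if(!strcmp(xptmp->sname, sname)) return i;
- }
- return -1;
-}
-
-int X509_PURPOSE_get_by_id(int purpose)
-{
- X509_PURPOSE tmp;
- int idx;
- if((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))
- return purpose - X509_PURPOSE_MIN;
- tmp.purpose = purpose;
- if(!xptable) return -1;
- idx = sk_X509_PURPOSE_find(xptable, &tmp);
- if(idx == -1) return -1;
- return idx + X509_PURPOSE_COUNT;
-}
-
-int X509_PURPOSE_add(int id, int trust, int flags,
- int (*ck)(const X509_PURPOSE *, const X509 *, int),
- char *name, char *sname, void *arg)
-{
- int idx;
- X509_PURPOSE *ptmp;
- /* This is set according to what we change: application can't set it */
- flags &= ~X509_PURPOSE_DYNAMIC;
- /* This will always be set for application modified trust entries */
- flags |= X509_PURPOSE_DYNAMIC_NAME;
- /* Get existing entry if any */
- idx = X509_PURPOSE_get_by_id(id);
- /* Need a new entry */
- if(idx == -1) {
- if(!(ptmp = OPENSSL_malloc(sizeof(X509_PURPOSE)))) {
- X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
- return 0;
- }
- ptmp->flags = X509_PURPOSE_DYNAMIC;
- } else ptmp = X509_PURPOSE_get0(idx);
-
- /* OPENSSL_free existing name if dynamic */
- if(ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
- OPENSSL_free(ptmp->name);
- OPENSSL_free(ptmp->sname);
- }
- /* dup supplied name */
- ptmp->name = BUF_strdup(name);
- ptmp->sname = BUF_strdup(sname);
- if(!ptmp->name || !ptmp->sname) {
- X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
- return 0;
- }
- /* Keep the dynamic flag of existing entry */
- ptmp->flags &= X509_PURPOSE_DYNAMIC;
- /* Set all other flags */
- ptmp->flags |= flags;
-
- ptmp->purpose = id;
- ptmp->trust = trust;
- ptmp->check_purpose = ck;
- ptmp->usr_data = arg;
-
- /* If its a new entry manage the dynamic table */
- if(idx == -1) {
- if(!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) {
- X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
- return 0;
- }
- if (!sk_X509_PURPOSE_push(xptable, ptmp)) {
- X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
- return 0;
- }
- }
- return 1;
-}
-
-static void xptable_free(X509_PURPOSE *p)
- {
- if(!p) return;
- if (p->flags & X509_PURPOSE_DYNAMIC)
- {
- if (p->flags & X509_PURPOSE_DYNAMIC_NAME) {
- OPENSSL_free(p->name);
- OPENSSL_free(p->sname);
- }
- OPENSSL_free(p);
- }
- }
-
-void X509_PURPOSE_cleanup(void)
-{
- unsigned int i;
- sk_X509_PURPOSE_pop_free(xptable, xptable_free);
- for(i = 0; i < X509_PURPOSE_COUNT; i++) xptable_free(xstandard + i);
- xptable = NULL;
-}
-
-int X509_PURPOSE_get_id(X509_PURPOSE *xp)
-{
- return xp->purpose;
-}
-
-char *X509_PURPOSE_get0_name(X509_PURPOSE *xp)
-{
- return xp->name;
-}
-
-char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp)
-{
- return xp->sname;
-}
-
-int X509_PURPOSE_get_trust(X509_PURPOSE *xp)
-{
- return xp->trust;
-}
-
-static int nid_cmp(const int *a, const int *b)
- {
- return *a - *b;
- }
-
-DECLARE_OBJ_BSEARCH_CMP_FN(int, int, nid);
-IMPLEMENT_OBJ_BSEARCH_CMP_FN(int, int, nid);
-
-int X509_supported_extension(X509_EXTENSION *ex)
- {
- /* This table is a list of the NIDs of supported extensions:
- * that is those which are used by the verify process. If
- * an extension is critical and doesn't appear in this list
- * then the verify process will normally reject the certificate.
- * The list must be kept in numerical order because it will be
- * searched using bsearch.
- */
-
- static const int supported_nids[] = {
- NID_netscape_cert_type, /* 71 */
- NID_key_usage, /* 83 */
- NID_subject_alt_name, /* 85 */
- NID_basic_constraints, /* 87 */
- NID_certificate_policies, /* 89 */
- NID_ext_key_usage, /* 126 */
-#ifndef OPENSSL_NO_RFC3779
- NID_sbgp_ipAddrBlock, /* 290 */
- NID_sbgp_autonomousSysNum, /* 291 */
-#endif
- NID_policy_constraints, /* 401 */
- NID_proxyCertInfo, /* 663 */
- NID_name_constraints, /* 666 */
- NID_policy_mappings, /* 747 */
- NID_inhibit_any_policy /* 748 */
- };
-
- int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
-
- if (ex_nid == NID_undef)
- return 0;
-
- if (OBJ_bsearch_nid(&ex_nid, supported_nids,
- sizeof(supported_nids)/sizeof(int)))
- return 1;
- return 0;
- }
-
-static void setup_dp(X509 *x, DIST_POINT *dp)
- {
- X509_NAME *iname = NULL;
- int i;
- if (dp->reasons)
- {
- if (dp->reasons->length > 0)
- dp->dp_reasons = dp->reasons->data[0];
- if (dp->reasons->length > 1)
- dp->dp_reasons |= (dp->reasons->data[1] << 8);
- dp->dp_reasons &= CRLDP_ALL_REASONS;
- }
- else
- dp->dp_reasons = CRLDP_ALL_REASONS;
- if (!dp->distpoint || (dp->distpoint->type != 1))
- return;
- for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++)
- {
- GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
- if (gen->type == GEN_DIRNAME)
- {
- iname = gen->d.directoryName;
- break;
- }
- }
- if (!iname)
- iname = X509_get_issuer_name(x);
-
- DIST_POINT_set_dpname(dp->distpoint, iname);
-
- }
-
-static void setup_crldp(X509 *x)
- {
- int i;
- x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
- for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
- setup_dp(x, sk_DIST_POINT_value(x->crldp, i));
- }
-
-static void x509v3_cache_extensions(X509 *x)
-{
- BASIC_CONSTRAINTS *bs;
- PROXY_CERT_INFO_EXTENSION *pci;
- ASN1_BIT_STRING *usage;
- ASN1_BIT_STRING *ns;
- EXTENDED_KEY_USAGE *extusage;
- X509_EXTENSION *ex;
-
- int i;
- if(x->ex_flags & EXFLAG_SET) return;
-#ifndef OPENSSL_NO_SHA
- X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
-#endif
- /* Does subject name match issuer ? */
- if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
- x->ex_flags |= EXFLAG_SI;
- /* V1 should mean no extensions ... */
- if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
- /* Handle basic constraints */
- if((bs=X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {
- if(bs->ca) x->ex_flags |= EXFLAG_CA;
- if(bs->pathlen) {
- if((bs->pathlen->type == V_ASN1_NEG_INTEGER)
- || !bs->ca) {
- x->ex_flags |= EXFLAG_INVALID;
- x->ex_pathlen = 0;
- } else x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
- } else x->ex_pathlen = -1;
- BASIC_CONSTRAINTS_free(bs);
- x->ex_flags |= EXFLAG_BCONS;
- }
- /* Handle proxy certificates */
- if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
- if (x->ex_flags & EXFLAG_CA
- || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
- || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
- x->ex_flags |= EXFLAG_INVALID;
- }
- if (pci->pcPathLengthConstraint) {
- x->ex_pcpathlen =
- ASN1_INTEGER_get(pci->pcPathLengthConstraint);
- } else x->ex_pcpathlen = -1;
- PROXY_CERT_INFO_EXTENSION_free(pci);
- x->ex_flags |= EXFLAG_PROXY;
- }
- /* Handle key usage */
- if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
- if(usage->length > 0) {
- x->ex_kusage = usage->data[0];
- if(usage->length > 1)
- x->ex_kusage |= usage->data[1] << 8;
- } else x->ex_kusage = 0;
- x->ex_flags |= EXFLAG_KUSAGE;
- ASN1_BIT_STRING_free(usage);
- }
- x->ex_xkusage = 0;
- if((extusage=X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) {
- x->ex_flags |= EXFLAG_XKUSAGE;
- for(i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
- switch(OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage,i))) {
- case NID_server_auth:
- x->ex_xkusage |= XKU_SSL_SERVER;
- break;
-
- case NID_client_auth:
- x->ex_xkusage |= XKU_SSL_CLIENT;
- break;
-
- case NID_email_protect:
- x->ex_xkusage |= XKU_SMIME;
- break;
-
- case NID_code_sign:
- x->ex_xkusage |= XKU_CODE_SIGN;
- break;
-
- case NID_ms_sgc:
- case NID_ns_sgc:
- x->ex_xkusage |= XKU_SGC;
- break;
-
- case NID_OCSP_sign:
- x->ex_xkusage |= XKU_OCSP_SIGN;
- break;
-
- case NID_time_stamp:
- x->ex_xkusage |= XKU_TIMESTAMP;
- break;
-
- case NID_dvcs:
- x->ex_xkusage |= XKU_DVCS;
- break;
- }
- }
- sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
- }
-
- if((ns=X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
- if(ns->length > 0) x->ex_nscert = ns->data[0];
- else x->ex_nscert = 0;
- x->ex_flags |= EXFLAG_NSCERT;
- ASN1_BIT_STRING_free(ns);
- }
- x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
- x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
- x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
- x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
- if (!x->nc && (i != -1))
- x->ex_flags |= EXFLAG_INVALID;
- setup_crldp(x);
-
-#ifndef OPENSSL_NO_RFC3779
- x->rfc3779_addr =X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);
- x->rfc3779_asid =X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum,
- NULL, NULL);
-#endif
- for (i = 0; i < X509_get_ext_count(x); i++)
- {
- ex = X509_get_ext(x, i);
- if (!X509_EXTENSION_get_critical(ex))
- continue;
- if (OBJ_obj2nid(X509_EXTENSION_get_object(ex))
- == NID_freshest_crl)
- x->ex_flags |= EXFLAG_FRESHEST;
- if (!X509_supported_extension(ex))
- {
- x->ex_flags |= EXFLAG_CRITICAL;
- break;
- }
- }
- x->ex_flags |= EXFLAG_SET;
-}
-
-/* CA checks common to all purposes
- * return codes:
- * 0 not a CA
- * 1 is a CA
- * 2 basicConstraints absent so "maybe" a CA
- * 3 basicConstraints absent but self signed V1.
- * 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
- */
-
-#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
-#define ku_reject(x, usage) \
- (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
-#define xku_reject(x, usage) \
- (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
-#define ns_reject(x, usage) \
- (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
-
-static int check_ca(const X509 *x)
-{
- /* keyUsage if present should allow cert signing */
- if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
- if(x->ex_flags & EXFLAG_BCONS) {
- if(x->ex_flags & EXFLAG_CA) return 1;
- /* If basicConstraints says not a CA then say so */
- else return 0;
- } else {
- /* we support V1 roots for... uh, I don't really know why. */
- if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
- /* If key usage present it must have certSign so tolerate it */
- else if (x->ex_flags & EXFLAG_KUSAGE) return 4;
- /* Older certificates could have Netscape-specific CA types */
- else if (x->ex_flags & EXFLAG_NSCERT
- && x->ex_nscert & NS_ANY_CA) return 5;
- /* can this still be regarded a CA certificate? I doubt it */
- return 0;
- }
-}
-
-int X509_check_ca(X509 *x)
-{
- if(!(x->ex_flags & EXFLAG_SET)) {
- CRYPTO_w_lock(CRYPTO_LOCK_X509);
- x509v3_cache_extensions(x);
- CRYPTO_w_unlock(CRYPTO_LOCK_X509);
- }
-
- return check_ca(x);
-}
-
-/* Check SSL CA: common checks for SSL client and server */
-static int check_ssl_ca(const X509 *x)
-{
- int ca_ret;
- ca_ret = check_ca(x);
- if(!ca_ret) return 0;
- /* check nsCertType if present */
- if(ca_ret != 5 || x->ex_nscert & NS_SSL_CA) return ca_ret;
- else return 0;
-}
-
-
-static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
- if(xku_reject(x,XKU_SSL_CLIENT)) return 0;
- if(ca) return check_ssl_ca(x);
- /* We need to do digital signatures with it */
- if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0;
- /* nsCertType if present should allow SSL client use */
- if(ns_reject(x, NS_SSL_CLIENT)) return 0;
- return 1;
-}
-
-static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
- if(xku_reject(x,XKU_SSL_SERVER|XKU_SGC)) return 0;
- if(ca) return check_ssl_ca(x);
-
- if(ns_reject(x, NS_SSL_SERVER)) return 0;
- /* Now as for keyUsage: we'll at least need to sign OR encipher */
- if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT)) return 0;
-
- return 1;
-
-}
-
-static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
- int ret;
- ret = check_purpose_ssl_server(xp, x, ca);
- if(!ret || ca) return ret;
- /* We need to encipher or Netscape complains */
- if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
- return ret;
-}
-
-/* common S/MIME checks */
-static int purpose_smime(const X509 *x, int ca)
-{
- if(xku_reject(x,XKU_SMIME)) return 0;
- if(ca) {
- int ca_ret;
- ca_ret = check_ca(x);
- if(!ca_ret) return 0;
- /* check nsCertType if present */
- if(ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret;
- else return 0;
- }
- if(x->ex_flags & EXFLAG_NSCERT) {
- if(x->ex_nscert & NS_SMIME) return 1;
- /* Workaround for some buggy certificates */
- if(x->ex_nscert & NS_SSL_CLIENT) return 2;
- return 0;
- }
- return 1;
-}
-
-static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
- int ret;
- ret = purpose_smime(x, ca);
- if(!ret || ca) return ret;
- if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION)) return 0;
- return ret;
-}
-
-static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
- int ret;
- ret = purpose_smime(x, ca);
- if(!ret || ca) return ret;
- if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
- return ret;
-}
-
-static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
- if(ca) {
- int ca_ret;
- if((ca_ret = check_ca(x)) != 2) return ca_ret;
- else return 0;
- }
- if(ku_reject(x, KU_CRL_SIGN)) return 0;
- return 1;
-}
-
-/* OCSP helper: this is *not* a full OCSP check. It just checks that
- * each CA is valid. Additional checks must be made on the chain.
- */
-
-static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
- /* Must be a valid CA. Should we really support the "I don't know"
- value (2)? */
- if(ca) return check_ca(x);
- /* leaf certificate is checked in OCSP_verify() */
- return 1;
-}
-
-static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
- int ca)
-{
- int i_ext;
-
- /* If ca is true we must return if this is a valid CA certificate. */
- if (ca) return check_ca(x);
-
- /*
- * Check the optional key usage field:
- * if Key Usage is present, it must be one of digitalSignature
- * and/or nonRepudiation (other values are not consistent and shall
- * be rejected).
- */
- if ((x->ex_flags & EXFLAG_KUSAGE)
- && ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) ||
- !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE))))
- return 0;
-
- /* Only time stamp key usage is permitted and it's required. */
- if (!(x->ex_flags & EXFLAG_XKUSAGE) || x->ex_xkusage != XKU_TIMESTAMP)
- return 0;
-
- /* Extended Key Usage MUST be critical */
- i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, 0);
- if (i_ext >= 0)
- {
- X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);
- if (!X509_EXTENSION_get_critical(ext))
- return 0;
- }
-
- return 1;
-}
-
-static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
- return 1;
-}
-
-/* Various checks to see if one certificate issued the second.
- * This can be used to prune a set of possible issuer certificates
- * which have been looked up using some simple method such as by
- * subject name.
- * These are:
- * 1. Check issuer_name(subject) == subject_name(issuer)
- * 2. If akid(subject) exists check it matches issuer
- * 3. If key_usage(issuer) exists check it supports certificate signing
- * returns 0 for OK, positive for reason for mismatch, reasons match
- * codes for X509_verify_cert()
- */
-
-int X509_check_issued(X509 *issuer, X509 *subject)
-{
- if(X509_NAME_cmp(X509_get_subject_name(issuer),
- X509_get_issuer_name(subject)))
- return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
- x509v3_cache_extensions(issuer);
- x509v3_cache_extensions(subject);
-
- if(subject->akid)
- {
- int ret = X509_check_akid(issuer, subject->akid);
- if (ret != X509_V_OK)
- return ret;
- }
-
- if(subject->ex_flags & EXFLAG_PROXY)
- {
- if(ku_reject(issuer, KU_DIGITAL_SIGNATURE))
- return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
- }
- else if(ku_reject(issuer, KU_KEY_CERT_SIGN))
- return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
- return X509_V_OK;
-}
-
-int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
- {
-
- if(!akid)
- return X509_V_OK;
-
- /* Check key ids (if present) */
- if(akid->keyid && issuer->skid &&
- ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) )
- return X509_V_ERR_AKID_SKID_MISMATCH;
- /* Check serial number */
- if(akid->serial &&
- ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial))
- return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
- /* Check issuer name */
- if(akid->issuer)
- {
- /* Ugh, for some peculiar reason AKID includes
- * SEQUENCE OF GeneralName. So look for a DirName.
- * There may be more than one but we only take any
- * notice of the first.
- */
- GENERAL_NAMES *gens;
- GENERAL_NAME *gen;
- X509_NAME *nm = NULL;
- int i;
- gens = akid->issuer;
- for(i = 0; i < sk_GENERAL_NAME_num(gens); i++)
- {
- gen = sk_GENERAL_NAME_value(gens, i);
- if(gen->type == GEN_DIRNAME)
- {
- nm = gen->d.dirn;
- break;
- }
- }
- if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
- return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
- }
- return X509_V_OK;
- }
-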
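--- a/src/lib/libcrypto/x509v3/v3_skey.c
+++ /dev/null
@@ -1,145 +0,0 @@
-/* v3_skey.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/x509v3.h>
-
-static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
-const X509V3_EXT_METHOD v3_skey_id = {
-NID_subject_key_identifier, 0, ASN1_ITEM_ref(ASN1_OCTET_STRING),
-0,0,0,0,
-(X509V3_EXT_I2S)i2s_ASN1_OCTET_STRING,
-(X509V3_EXT_S2I)s2i_skey_id,
-0,0,0,0,
-NULL};
-
-char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
- ASN1_OCTET_STRING *oct)
-{
- return hex_to_string(oct->data, oct->length);
-}
-
-ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, char *str)
-{
- ASN1_OCTET_STRING *oct;
- long length;
-
- if(!(oct = M_ASN1_OCTET_STRING_new())) {
- X509V3err(X509V3_F_S2I_ASN1_OCTET_STRING,ERR_R_MALLOC_FAILURE);
- return NULL;
- }
-
- if(!(oct->data = string_to_hex(str, &length))) {
- M_ASN1_OCTET_STRING_free(oct);
- return NULL;
- }
-
- oct->length = length;
-
- return oct;
-
-}
-
-static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, char *str)
-{
- ASN1_OCTET_STRING *oct;
- ASN1_BIT_STRING *pk;
- unsigned char pkey_dig[EVP_MAX_MD_SIZE];
- unsigned int diglen;
-
- if(strcmp(str, "hash")) return s2i_ASN1_OCTET_STRING(method, ctx, str);
-
- if(!(oct = M_ASN1_OCTET_STRING_new())) {
- X509V3err(X509V3_F_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);
- return NULL;
- }
-
- if(ctx && (ctx->flags == CTX_TEST)) return oct;
-
- if(!ctx || (!ctx->subject_req && !ctx->subject_cert)) {
- X509V3err(X509V3_F_S2I_SKEY_ID,X509V3_R_NO_PUBLIC_KEY);
- goto err;
- }
-
- if(ctx->subject_req)
- pk = ctx->subject_req->req_info->pubkey->public_key;
- else pk = ctx->subject_cert->cert_info->key->public_key;
-
- if(!pk) {
- X509V3err(X509V3_F_S2I_SKEY_ID,X509V3_R_NO_PUBLIC_KEY);
- goto err;
- }
-
- if (!EVP_Digest(pk->data, pk->length, pkey_dig, &diglen, EVP_sha1(), NULL))
- goto err;
-
- if(!M_ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) {
- X509V3err(X509V3_F_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- return oct;
-
- err:
- M_ASN1_OCTET_STRING_free(oct);
- return NULL;
-}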
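--- a/src/lib/libcrypto/x509v3/v3_sxnet.c
+++ /dev/null
@@ -1,262 +0,0 @@
-/* v3_sxnet.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/conf.h>
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/x509v3.h>
-
-/* Support for Thawte strong extranet extension */
-
-#define SXNET_TEST
-
-static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out, int indent);
-#ifdef SXNET_TEST
-static SXNET * sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *nval);
-#endif
-const X509V3_EXT_METHOD v3_sxnet = {
-NID_sxnet, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(SXNET),
-0,0,0,0,
-0,0,
-0,
-#ifdef SXNET_TEST
-(X509V3_EXT_V2I)sxnet_v2i,
-#else
-0,
-#endif
-(X509V3_EXT_I2R)sxnet_i2r,
-0,
-NULL
-};
-
-ASN1_SEQUENCE(SXNETID) = {
- ASN1_SIMPLE(SXNETID, zone, ASN1_INTEGER),
- ASN1_SIMPLE(SXNETID, user, ASN1_OCTET_STRING)
-} ASN1_SEQUENCE_END(SXNETID)
-
-IMPLEMENT_ASN1_FUNCTIONS(SXNETID)
-
-ASN1_SEQUENCE(SXNET) = {
- ASN1_SIMPLE(SXNET, version, ASN1_INTEGER),
- ASN1_SEQUENCE_OF(SXNET, ids, SXNETID)
-} ASN1_SEQUENCE_END(SXNET)
-
-IMPLEMENT_ASN1_FUNCTIONS(SXNET)
-
-static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out,
- int indent)
-{
- long v;
- char *tmp;
- SXNETID *id;
- int i;
- v = ASN1_INTEGER_get(sx->version);
- BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", v + 1, v);
- for(i = 0; i < sk_SXNETID_num(sx->ids); i++) {
- id = sk_SXNETID_value(sx->ids, i);
- tmp = i2s_ASN1_INTEGER(NULL, id->zone);
- BIO_printf(out, "\n%*sZone: %s, User: ", indent, "", tmp);
- OPENSSL_free(tmp);
- M_ASN1_OCTET_STRING_print(out, id->user);
- }
- return 1;
-}
-
-#ifdef SXNET_TEST
-
-/* NBB: this is used for testing only. It should *not* be used for anything
- * else because it will just take static IDs from the configuration file and
- * they should really be separate values for each user.
- */
-
-
-static SXNET * sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *nval)
-{
- CONF_VALUE *cnf;
- SXNET *sx = NULL;
- int i;
- for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
- cnf = sk_CONF_VALUE_value(nval, i);
- if(!SXNET_add_id_asc(&sx, cnf->name, cnf->value, -1))
- return NULL;
- }
- return sx;
-}
-
-
-#endif
-
-/* Strong Extranet utility functions */
-
-/* Add an id given the zone as an ASCII number */
-
-int SXNET_add_id_asc(SXNET **psx, char *zone, char *user,
- int userlen)
-{
- ASN1_INTEGER *izone = NULL;
- if(!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
- X509V3err(X509V3_F_SXNET_ADD_ID_ASC,X509V3_R_ERROR_CONVERTING_ZONE);
- return 0;
- }
- return SXNET_add_id_INTEGER(psx, izone, user, userlen);
-}
-
-/* Add an id given the zone as an unsigned long */
-
-int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, char *user,
- int userlen)
-{
- ASN1_INTEGER *izone = NULL;
- if(!(izone = M_ASN1_INTEGER_new()) || !ASN1_INTEGER_set(izone, lzone)) {
- X509V3err(X509V3_F_SXNET_ADD_ID_ULONG,ERR_R_MALLOC_FAILURE);
- M_ASN1_INTEGER_free(izone);
- return 0;
- }
- return SXNET_add_id_INTEGER(psx, izone, user, userlen);
-
-}
-
-/* Add an id given the zone as an ASN1_INTEGER.
- * Note this version uses the passed integer and doesn't make a copy so don't
- * free it up afterwards.
- */
-
-int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, char *user,
- int userlen)
-{
- SXNET *sx = NULL;
- SXNETID *id = NULL;
- if(!psx || !zone || !user) {
- X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,X509V3_R_INVALID_NULL_ARGUMENT);
- return 0;
- }
- if(userlen == -1) userlen = strlen(user);
- if(userlen > 64) {
- X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,X509V3_R_USER_TOO_LONG);
- return 0;
- }
- if(!*psx) {
- if(!(sx = SXNET_new())) goto err;
- if(!ASN1_INTEGER_set(sx->version, 0)) goto err;
- *psx = sx;
- } else sx = *psx;
- if(SXNET_get_id_INTEGER(sx, zone)) {
- X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,X509V3_R_DUPLICATE_ZONE_ID);
- return 0;
- }
-
- if(!(id = SXNETID_new())) goto err;
- if(userlen == -1) userlen = strlen(user);
-
- if(!M_ASN1_OCTET_STRING_set(id->user, user, userlen)) goto err;
- if(!sk_SXNETID_push(sx->ids, id)) goto err;
- id->zone = zone;
- return 1;
-
- err:
- X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,ERR_R_MALLOC_FAILURE);
- SXNETID_free(id);
- SXNET_free(sx);
- *psx = NULL;
- return 0;
-}
-
-ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, char *zone)
-{
- ASN1_INTEGER *izone = NULL;
- ASN1_OCTET_STRING *oct;
- if(!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
- X509V3err(X509V3_F_SXNET_GET_ID_ASC,X509V3_R_ERROR_CONVERTING_ZONE);
- return NULL;
- }
- oct = SXNET_get_id_INTEGER(sx, izone);
- M_ASN1_INTEGER_free(izone);
- return oct;
-}
-
-ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone)
-{
- ASN1_INTEGER *izone = NULL;
- ASN1_OCTET_STRING *oct;
- if(!(izone = M_ASN1_INTEGER_new()) || !ASN1_INTEGER_set(izone, lzone)) {
- X509V3err(X509V3_F_SXNET_GET_ID_ULONG,ERR_R_MALLOC_FAILURE);
- M_ASN1_INTEGER_free(izone);
- return NULL;
- }
- oct = SXNET_get_id_INTEGER(sx, izone);
- M_ASN1_INTEGER_free(izone);
- return oct;
-}
-
-ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone)
-{
- SXNETID *id;
- int i;
- for(i = 0; i < sk_SXNETID_num(sx->ids); i++) {
- id = sk_SXNETID_value(sx->ids, i);
- if(!M_ASN1_INTEGER_cmp(id->zone, zone)) return id->user;
- }
- return NULL;
-}
-
-IMPLEMENT_STACK_OF(SXNETID)
-IMPLEMENT_ASN1_SET_OF(SXNETID)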
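--- a/src/lib/libcrypto/x509v3/v3_utl.c
+++ /dev/null
@@ -1,874 +0,0 @@
-/* v3_utl.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project.
- */
-/* ====================================================================
- * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* X509 v3 extension utilities */
-
-
-#include <stdio.h>
-#include <ctype.h>
-#include "cryptlib.h"
-#include <openssl/conf.h>
-#include <openssl/x509v3.h>
-#include <openssl/bn.h>
-
-static char *strip_spaces(char *name);
-static int sk_strcmp(const char * const *a, const char * const *b);
-static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name, GENERAL_NAMES *gens);
-static void str_free(OPENSSL_STRING str);
-static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email);
-
-static int ipv4_from_asc(unsigned char *v4, const char *in);
-static int ipv6_from_asc(unsigned char *v6, const char *in);
-static int ipv6_cb(const char *elem, int len, void *usr);
-static int ipv6_hex(unsigned char *out, const char *in, int inlen);
-
-/* Add a CONF_VALUE name value pair to stack */
-
-int X509V3_add_value(const char *name, const char *value,
- STACK_OF(CONF_VALUE) **extlist)
-{
- CONF_VALUE *vtmp = NULL;
- char *tname = NULL, *tvalue = NULL;
- if(name && !(tname = BUF_strdup(name))) goto err;
- if(value && !(tvalue = BUF_strdup(value))) goto err;
- if(!(vtmp = (CONF_VALUE *)OPENSSL_malloc(sizeof(CONF_VALUE)))) goto err;
- if(!*extlist && !(*extlist = sk_CONF_VALUE_new_null())) goto err;
- vtmp->section = NULL;
- vtmp->name = tname;
- vtmp->value = tvalue;
- if(!sk_CONF_VALUE_push(*extlist, vtmp)) goto err;
- return 1;
- err:
- X509V3err(X509V3_F_X509V3_ADD_VALUE,ERR_R_MALLOC_FAILURE);
- if(vtmp) OPENSSL_free(vtmp);
- if(tname) OPENSSL_free(tname);
- if(tvalue) OPENSSL_free(tvalue);
- return 0;
-}
-
-int X509V3_add_value_uchar(const char *name, const unsigned char *value,
- STACK_OF(CONF_VALUE) **extlist)
- {
- return X509V3_add_value(name,(const char *)value,extlist);
- }
-
-/* Free function for STACK_OF(CONF_VALUE) */
-
-void X509V3_conf_free(CONF_VALUE *conf)
-{
- if(!conf) return;
- if(conf->name) OPENSSL_free(conf->name);
- if(conf->value) OPENSSL_free(conf->value);
- if(conf->section) OPENSSL_free(conf->section);
- OPENSSL_free(conf);
-}
-
-int X509V3_add_value_bool(const char *name, int asn1_bool,
- STACK_OF(CONF_VALUE) **extlist)
-{
- if(asn1_bool) return X509V3_add_value(name, "TRUE", extlist);
- return X509V3_add_value(name, "FALSE", extlist);
-}
-
-int X509V3_add_value_bool_nf(char *name, int asn1_bool,
- STACK_OF(CONF_VALUE) **extlist)
-{
- if(asn1_bool) return X509V3_add_value(name, "TRUE", extlist);
- return 1;
-}
-
-
-char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *method, ASN1_ENUMERATED *a)
-{
- BIGNUM *bntmp = NULL;
- char *strtmp = NULL;
- if(!a) return NULL;
- if(!(bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) ||
- !(strtmp = BN_bn2dec(bntmp)) )
- X509V3err(X509V3_F_I2S_ASN1_ENUMERATED,ERR_R_MALLOC_FAILURE);
- BN_free(bntmp);
- return strtmp;
-}
-
-char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *method, ASN1_INTEGER *a)
-{
- BIGNUM *bntmp = NULL;
- char *strtmp = NULL;
- if(!a) return NULL;
- if(!(bntmp = ASN1_INTEGER_to_BN(a, NULL)) ||
- !(strtmp = BN_bn2dec(bntmp)) )
- X509V3err(X509V3_F_I2S_ASN1_INTEGER,ERR_R_MALLOC_FAILURE);
- BN_free(bntmp);
- return strtmp;
-}
-
-ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, char *value)
-{
- BIGNUM *bn = NULL;
- ASN1_INTEGER *aint;
- int isneg, ishex;
- int ret;
- if (!value) {
- X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_INVALID_NULL_VALUE);
- return 0;
- }
- bn = BN_new();
- if (value[0] == '-') {
- value++;
- isneg = 1;
- } else isneg = 0;
-
- if (value[0] == '0' && ((value[1] == 'x') || (value[1] == 'X'))) {
- value += 2;
- ishex = 1;
- } else ishex = 0;
-
- if (ishex) ret = BN_hex2bn(&bn, value);
- else ret = BN_dec2bn(&bn, value);
-
- if (!ret || value[ret]) {
- BN_free(bn);
- X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_BN_DEC2BN_ERROR);
- return 0;
- }
-
- if (isneg && BN_is_zero(bn)) isneg = 0;
-
- aint = BN_to_ASN1_INTEGER(bn, NULL);
- BN_free(bn);
- if (!aint) {
- X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_BN_TO_ASN1_INTEGER_ERROR);
- return 0;
- }
- if (isneg) aint->type |= V_ASN1_NEG;
- return aint;
-}
-
-int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint,
- STACK_OF(CONF_VALUE) **extlist)
-{
- char *strtmp;
- int ret;
- if(!aint) return 1;
- if(!(strtmp = i2s_ASN1_INTEGER(NULL, aint))) return 0;
- ret = X509V3_add_value(name, strtmp, extlist);
- OPENSSL_free(strtmp);
- return ret;
-}
-
-int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool)
-{
- char *btmp;
- if(!(btmp = value->value)) goto err;
- if(!strcmp(btmp, "TRUE") || !strcmp(btmp, "true")
- || !strcmp(btmp, "Y") || !strcmp(btmp, "y")
- || !strcmp(btmp, "YES") || !strcmp(btmp, "yes")) {
- *asn1_bool = 0xff;
- return 1;
- } else if(!strcmp(btmp, "FALSE") || !strcmp(btmp, "false")
- || !strcmp(btmp, "N") || !strcmp(btmp, "n")
- || !strcmp(btmp, "NO") || !strcmp(btmp, "no")) {
- *asn1_bool = 0;
- return 1;
- }
- err:
- X509V3err(X509V3_F_X509V3_GET_VALUE_BOOL,X509V3_R_INVALID_BOOLEAN_STRING);
- X509V3_conf_err(value);
- return 0;
-}
-
-int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint)
-{
- ASN1_INTEGER *itmp;
- if(!(itmp = s2i_ASN1_INTEGER(NULL, value->value))) {
- X509V3_conf_err(value);
- return 0;
- }
- *aint = itmp;
- return 1;
-}
-
-#define HDR_NAME 1
-#define HDR_VALUE 2
-
-/*#define DEBUG*/
-
-STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line)
-{
- char *p, *q, c;
- char *ntmp, *vtmp;
- STACK_OF(CONF_VALUE) *values = NULL;
- char *linebuf;
- int state;
- /* We are going to modify the line so copy it first */
- linebuf = BUF_strdup(line);
- state = HDR_NAME;
- ntmp = NULL;
- /* Go through all characters */
- for(p = linebuf, q = linebuf; (c = *p) && (c!='\r') && (c!='\n'); p++) {
-
- switch(state) {
- case HDR_NAME:
- if(c == ':') {
- state = HDR_VALUE;
- *p = 0;
- ntmp = strip_spaces(q);
- if(!ntmp) {
- X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_NAME);
- goto err;
- }
- q = p + 1;
- } else if(c == ',') {
- *p = 0;
- ntmp = strip_spaces(q);
- q = p + 1;
-#if 0
- printf("%s\n", ntmp);
-#endif
- if(!ntmp) {
- X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_NAME);
- goto err;
- }
- X509V3_add_value(ntmp, NULL, &values);
- }
- break ;
-
- case HDR_VALUE:
- if(c == ',') {
- state = HDR_NAME;
- *p = 0;
- vtmp = strip_spaces(q);
-#if 0
- printf("%s\n", ntmp);
-#endif
- if(!vtmp) {
- X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_VALUE);
- goto err;
- }
- X509V3_add_value(ntmp, vtmp, &values);
- ntmp = NULL;
- q = p + 1;
- }
-
- }
- }
-
- if(state == HDR_VALUE) {
- vtmp = strip_spaces(q);
-#if 0
- printf("%s=%s\n", ntmp, vtmp);
-#endif
- if(!vtmp) {
- X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_VALUE);
- goto err;
- }
- X509V3_add_value(ntmp, vtmp, &values);
- } else {
- ntmp = strip_spaces(q);
-#if 0
- printf("%s\n", ntmp);
-#endif
- if(!ntmp) {
- X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_NAME);
- goto err;
- }
- X509V3_add_value(ntmp, NULL, &values);
- }
-OPENSSL_free(linebuf);
-return values;
-
-err:
-OPENSSL_free(linebuf);
-sk_CONF_VALUE_pop_free(values, X509V3_conf_free);
-return NULL;
-
-}
-
-/* Delete leading and trailing spaces from a string */
-static char *strip_spaces(char *name)
-{
- char *p, *q;
- /* Skip over leading spaces */
- p = name;
- while(*p && isspace((unsigned char)*p)) p++;
- if(!*p) return NULL;
- q = p + strlen(p) - 1;
- while((q != p) && isspace((unsigned char)*q)) q--;
- if(p != q) q[1] = 0;
- if(!*p) return NULL;
- return p;
-}
-
-/* hex string utilities */
-
-/* Given a buffer of length 'len' return a OPENSSL_malloc'ed string with its
- * hex representation
- * @@@ (Contents of buffer are always kept in ASCII, also on EBCDIC machines)
- */
-
-char *hex_to_string(const unsigned char *buffer, long len)
-{
- char *tmp, *q;
- const unsigned char *p;
- int i;
- const static char hexdig[] = "0123456789ABCDEF";
- if(!buffer || !len) return NULL;
- if(!(tmp = OPENSSL_malloc(len * 3 + 1))) {
- X509V3err(X509V3_F_HEX_TO_STRING,ERR_R_MALLOC_FAILURE);
- return NULL;
- }
- q = tmp;
- for(i = 0, p = buffer; i < len; i++,p++) {
- *q++ = hexdig[(*p >> 4) & 0xf];
- *q++ = hexdig[*p & 0xf];
- *q++ = ':';
- }
- q[-1] = 0;
-#ifdef CHARSET_EBCDIC
- ebcdic2ascii(tmp, tmp, q - tmp - 1);
-#endif
-
- return tmp;
-}
-
-/* Give a string of hex digits convert to
- * a buffer
- */
-
-unsigned char *string_to_hex(const char *str, long *len)
-{
- unsigned char *hexbuf, *q;
- unsigned char ch, cl, *p;
- if(!str) {
- X509V3err(X509V3_F_STRING_TO_HEX,X509V3_R_INVALID_NULL_ARGUMENT);
- return NULL;
- }
- if(!(hexbuf = OPENSSL_malloc(strlen(str) >> 1))) goto err;
- for(p = (unsigned char *)str, q = hexbuf; *p;) {
- ch = *p++;
-#ifdef CHARSET_EBCDIC
- ch = os_toebcdic[ch];
-#endif
- if(ch == ':') continue;
- cl = *p++;
-#ifdef CHARSET_EBCDIC
- cl = os_toebcdic[cl];
-#endif
- if(!cl) {
- X509V3err(X509V3_F_STRING_TO_HEX,X509V3_R_ODD_NUMBER_OF_DIGITS);
- OPENSSL_free(hexbuf);
- return NULL;
- }
- if(isupper(ch)) ch = tolower(ch);
- if(isupper(cl)) cl = tolower(cl);
-
- if((ch >= '0') && (ch <= '9')) ch -= '0';
- else if ((ch >= 'a') && (ch <= 'f')) ch -= 'a' - 10;
- else goto badhex;
-
- if((cl >= '0') && (cl <= '9')) cl -= '0';
- else if ((cl >= 'a') && (cl <= 'f')) cl -= 'a' - 10;
- else goto badhex;
-
- *q++ = (ch << 4) | cl;
- }
-
- if(len) *len = q - hexbuf;
-
- return hexbuf;
-
- err:
- if(hexbuf) OPENSSL_free(hexbuf);
- X509V3err(X509V3_F_STRING_TO_HEX,ERR_R_MALLOC_FAILURE);
- return NULL;
-
- badhex:
- OPENSSL_free(hexbuf);
- X509V3err(X509V3_F_STRING_TO_HEX,X509V3_R_ILLEGAL_HEX_DIGIT);
- return NULL;
-
-}
-
-/* V2I name comparison function: returns zero if 'name' matches
- * cmp or cmp.*
- */
-
-int name_cmp(const char *name, const char *cmp)
-{
- int len, ret;
- char c;
- len = strlen(cmp);
- if((ret = strncmp(name, cmp, len))) return ret;
- c = name[len];
- if(!c || (c=='.')) return 0;
- return 1;
-}
-
-static int sk_strcmp(const char * const *a, const char * const *b)
-{
- return strcmp(*a, *b);
-}
-
-STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x)
-{
- GENERAL_NAMES *gens;
- STACK_OF(OPENSSL_STRING) *ret;
-
- gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
- ret = get_email(X509_get_subject_name(x), gens);
- sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
- return ret;
-}
-
-STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x)
-{
- AUTHORITY_INFO_ACCESS *info;
- STACK_OF(OPENSSL_STRING) *ret = NULL;
- int i;
-
- info = X509_get_ext_d2i(x, NID_info_access, NULL, NULL);
- if (!info)
- return NULL;
- for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++)
- {
- ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i);
- if (OBJ_obj2nid(ad->method) == NID_ad_OCSP)
- {
- if (ad->location->type == GEN_URI)
- {
- if (!append_ia5(&ret, ad->location->d.uniformResourceIdentifier))
- break;
- }
- }
- }
- AUTHORITY_INFO_ACCESS_free(info);
- return ret;
-}
-
-STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x)
-{
- GENERAL_NAMES *gens;
- STACK_OF(X509_EXTENSION) *exts;
- STACK_OF(OPENSSL_STRING) *ret;
-
- exts = X509_REQ_get_extensions(x);
- gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL);
- ret = get_email(X509_REQ_get_subject_name(x), gens);
- sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
- sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
- return ret;
-}
-
-
-static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name, GENERAL_NAMES *gens)
-{
- STACK_OF(OPENSSL_STRING) *ret = NULL;
- X509_NAME_ENTRY *ne;
- ASN1_IA5STRING *email;
- GENERAL_NAME *gen;
- int i;
- /* Now add any email address(es) to STACK */
- i = -1;
- /* First supplied X509_NAME */
- while((i = X509_NAME_get_index_by_NID(name,
- NID_pkcs9_emailAddress, i)) >= 0) {
- ne = X509_NAME_get_entry(name, i);
- email = X509_NAME_ENTRY_get_data(ne);
- if(!append_ia5(&ret, email)) return NULL;
- }
- for(i = 0; i < sk_GENERAL_NAME_num(gens); i++)
- {
- gen = sk_GENERAL_NAME_value(gens, i);
- if(gen->type != GEN_EMAIL) continue;
- if(!append_ia5(&ret, gen->d.ia5)) return NULL;
- }
- return ret;
-}
-
-static void str_free(OPENSSL_STRING str)
-{
- OPENSSL_free(str);
-}
-
-static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email)
-{
- char *emtmp;
- /* First some sanity checks */
- if(email->type != V_ASN1_IA5STRING) return 1;
- if(!email->data || !email->length) return 1;
- if(!*sk) *sk = sk_OPENSSL_STRING_new(sk_strcmp);
- if(!*sk) return 0;
- /* Don't add duplicates */
- if(sk_OPENSSL_STRING_find(*sk, (char *)email->data) != -1) return 1;
- emtmp = BUF_strdup((char *)email->data);
- if(!emtmp || !sk_OPENSSL_STRING_push(*sk, emtmp)) {
- X509_email_free(*sk);
- *sk = NULL;
- return 0;
- }
- return 1;
-}
-
-void X509_email_free(STACK_OF(OPENSSL_STRING) *sk)
-{
- sk_OPENSSL_STRING_pop_free(sk, str_free);
-}
-
-/* Convert IP addresses both IPv4 and IPv6 into an
- * OCTET STRING compatible with RFC3280.
- */
-
-ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc)
- {
- unsigned char ipout[16];
- ASN1_OCTET_STRING *ret;
- int iplen;
-
- /* If string contains a ':' assume IPv6 */
-
- iplen = a2i_ipadd(ipout, ipasc);
-
- if (!iplen)
- return NULL;
-
- ret = ASN1_OCTET_STRING_new();
- if (!ret)
- return NULL;
- if (!ASN1_OCTET_STRING_set(ret, ipout, iplen))
- {
- ASN1_OCTET_STRING_free(ret);
- return NULL;
- }
- return ret;
- }
-
-ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc)
- {
- ASN1_OCTET_STRING *ret = NULL;
- unsigned char ipout[32];
- char *iptmp = NULL, *p;
- int iplen1, iplen2;
- p = strchr(ipasc,'/');
- if (!p)
- return NULL;
- iptmp = BUF_strdup(ipasc);
- if (!iptmp)
- return NULL;
- p = iptmp + (p - ipasc);
- *p++ = 0;
-
- iplen1 = a2i_ipadd(ipout, iptmp);
-
- if (!iplen1)
- goto err;
-
- iplen2 = a2i_ipadd(ipout + iplen1, p);
-
- OPENSSL_free(iptmp);
- iptmp = NULL;
-
- if (!iplen2 || (iplen1 != iplen2))
- goto err;
-
- ret = ASN1_OCTET_STRING_new();
- if (!ret)
- goto err;
- if (!ASN1_OCTET_STRING_set(ret, ipout, iplen1 + iplen2))
- goto err;
-
- return ret;
-
- err:
- if (iptmp)
- OPENSSL_free(iptmp);
- if (ret)
- ASN1_OCTET_STRING_free(ret);
- return NULL;
- }
-
-
-int a2i_ipadd(unsigned char *ipout, const char *ipasc)
- {
- /* If string contains a ':' assume IPv6 */
-
- if (strchr(ipasc, ':'))
- {
- if (!ipv6_from_asc(ipout, ipasc))
- return 0;
- return 16;
- }
- else
- {
- if (!ipv4_from_asc(ipout, ipasc))
- return 0;
- return 4;
- }
- }
-
-static int ipv4_from_asc(unsigned char *v4, const char *in)
- {
- int a0, a1, a2, a3;
- if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4)
- return 0;
- if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255)
- || (a2 < 0) || (a2 > 255) || (a3 < 0) || (a3 > 255))
- return 0;
- v4[0] = a0;
- v4[1] = a1;
- v4[2] = a2;
- v4[3] = a3;
- return 1;
- }
-
-typedef struct {
- /* Temporary store for IPV6 output */
- unsigned char tmp[16];
- /* Total number of bytes in tmp */
- int total;
- /* The position of a zero (corresponding to '::') */
- int zero_pos;
- /* Number of zeroes */
- int zero_cnt;
- } IPV6_STAT;
-
-
-static int ipv6_from_asc(unsigned char *v6, const char *in)
- {
- IPV6_STAT v6stat;
- v6stat.total = 0;
- v6stat.zero_pos = -1;
- v6stat.zero_cnt = 0;
- /* Treat the IPv6 representation as a list of values
- * separated by ':'. The presence of a '::' will parse
- * as one, two or three zero length elements.
- */
- if (!CONF_parse_list(in, ':', 0, ipv6_cb, &v6stat))
- return 0;
-
- /* Now for some sanity checks */
-
- if (v6stat.zero_pos == -1)
- {
- /* If no '::' must have exactly 16 bytes */
- if (v6stat.total != 16)
- return 0;
- }
- else
- {
- /* If '::' must have less than 16 bytes */
- if (v6stat.total == 16)
- return 0;
- /* More than three zeroes is an error */
- if (v6stat.zero_cnt > 3)
- return 0;
- /* Can only have three zeroes if nothing else present */
- else if (v6stat.zero_cnt == 3)
- {
- if (v6stat.total > 0)
- return 0;
- }
- /* Can only have two zeroes if at start or end */
- else if (v6stat.zero_cnt == 2)
- {
- if ((v6stat.zero_pos != 0)
- && (v6stat.zero_pos != v6stat.total))
- return 0;
- }
- else
- /* Can only have one zero if *not* start or end */
- {
- if ((v6stat.zero_pos == 0)
- || (v6stat.zero_pos == v6stat.total))
- return 0;
- }
- }
-
- /* Format result */
-
- if (v6stat.zero_pos >= 0)
- {
- /* Copy initial part */
- memcpy(v6, v6stat.tmp, v6stat.zero_pos);
- /* Zero middle */
- memset(v6 + v6stat.zero_pos, 0, 16 - v6stat.total);
- /* Copy final part */
- if (v6stat.total != v6stat.zero_pos)
- memcpy(v6 + v6stat.zero_pos + 16 - v6stat.total,
- v6stat.tmp + v6stat.zero_pos,
- v6stat.total - v6stat.zero_pos);
- }
- else
- memcpy(v6, v6stat.tmp, 16);
-
- return 1;
- }
-
-static int ipv6_cb(const char *elem, int len, void *usr)
- {
- IPV6_STAT *s = usr;
- /* Error if 16 bytes written */
- if (s->total == 16)
- return 0;
- if (len == 0)
- {
- /* Zero length element, corresponds to '::' */
- if (s->zero_pos == -1)
- s->zero_pos = s->total;
- /* If we've already got a :: its an error */
- else if (s->zero_pos != s->total)
- return 0;
- s->zero_cnt++;
- }
- else
- {
- /* If more than 4 characters could be final a.b.c.d form */
- if (len > 4)
- {
- /* Need at least 4 bytes left */
- if (s->total > 12)
- return 0;
- /* Must be end of string */
- if (elem[len])
- return 0;
- if (!ipv4_from_asc(s->tmp + s->total, elem))
- return 0;
- s->total += 4;
- }
- else
- {
- if (!ipv6_hex(s->tmp + s->total, elem, len))
- return 0;
- s->total += 2;
- }
- }
- return 1;
- }
-
-/* Convert a string of up to 4 hex digits into the corresponding
- * IPv6 form.
- */
-
-static int ipv6_hex(unsigned char *out, const char *in, int inlen)
- {
- unsigned char c;
- unsigned int num = 0;
- if (inlen > 4)
- return 0;
- while(inlen--)
- {
- c = *in++;
- num <<= 4;
- if ((c >= '0') && (c <= '9'))
- num |= c - '0';
- else if ((c >= 'A') && (c <= 'F'))
- num |= c - 'A' + 10;
- else if ((c >= 'a') && (c <= 'f'))
- num |= c - 'a' + 10;
- else
- return 0;
- }
- out[0] = num >> 8;
- out[1] = num & 0xff;
- return 1;
- }
-
-
-int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
- unsigned long chtype)
- {
- CONF_VALUE *v;
- int i, mval;
- char *p, *type;
- if (!nm)
- return 0;
-
- for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++)
- {
- v=sk_CONF_VALUE_value(dn_sk,i);
- type=v->name;
- /* Skip past any leading X. X: X, etc to allow for
- * multiple instances
- */
- for(p = type; *p ; p++)
-#ifndef CHARSET_EBCDIC
- if ((*p == ':') || (*p == ',') || (*p == '.'))
-#else
- if ((*p == os_toascii[':']) || (*p == os_toascii[',']) || (*p == os_toascii['.']))
-#endif
- {
- p++;
- if(*p) type = p;
- break;
- }
-#ifndef CHARSET_EBCDIC
- if (*type == '+')
-#else
- if (*type == os_toascii['+'])
-#endif
- {
- mval = -1;
- type++;
- }
- else
- mval = 0;
- if (!X509_NAME_add_entry_by_txt(nm,type, chtype,
- (unsigned char *) v->value,-1,-1,mval))
- return 0;
-
- }
- return 1;
- }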
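--- a/src/lib/libcrypto/x509v3/v3err.c
+++ /dev/null
@@ -1,226 +0,0 @@
-/* crypto/x509v3/v3err.c */
-/* ====================================================================
- * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-/* NOTE: this file was auto generated by the mkerr.pl script: any changes
- * made to it will be overwritten when the script next updates this file,
- * only reason strings will be preserved.
- */
-
-#include <stdio.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-/* BEGIN ERROR CODES */
-#ifndef OPENSSL_NO_ERR
-
-#define ERR_FUNC(func) ERR_PACK(ERR_LIB_X509V3,func,0)
-#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509V3,0,reason)
-
-static ERR_STRING_DATA X509V3_str_functs[]=
- {
-{ERR_FUNC(X509V3_F_A2I_GENERAL_NAME), "A2I_GENERAL_NAME"},
-{ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE), "ASIDENTIFIERCHOICE_CANONIZE"},
-{ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL), "ASIDENTIFIERCHOICE_IS_CANONICAL"},
-{ERR_FUNC(X509V3_F_COPY_EMAIL), "COPY_EMAIL"},
-{ERR_FUNC(X509V3_F_COPY_ISSUER), "COPY_ISSUER"},
-{ERR_FUNC(X509V3_F_DO_DIRNAME), "DO_DIRNAME"},
-{ERR_FUNC(X509V3_F_DO_EXT_CONF), "DO_EXT_CONF"},
-{ERR_FUNC(X509V3_F_DO_EXT_I2D), "DO_EXT_I2D"},
-{ERR_FUNC(X509V3_F_DO_EXT_NCONF), "DO_EXT_NCONF"},
-{ERR_FUNC(X509V3_F_DO_I2V_NAME_CONSTRAINTS), "DO_I2V_NAME_CONSTRAINTS"},
-{ERR_FUNC(X509V3_F_GNAMES_FROM_SECTNAME), "GNAMES_FROM_SECTNAME"},
-{ERR_FUNC(X509V3_F_HEX_TO_STRING), "hex_to_string"},
-{ERR_FUNC(X509V3_F_I2S_ASN1_ENUMERATED), "i2s_ASN1_ENUMERATED"},
-{ERR_FUNC(X509V3_F_I2S_ASN1_IA5STRING), "I2S_ASN1_IA5STRING"},
-{ERR_FUNC(X509V3_F_I2S_ASN1_INTEGER), "i2s_ASN1_INTEGER"},
-{ERR_FUNC(X509V3_F_I2V_AUTHORITY_INFO_ACCESS), "I2V_AUTHORITY_INFO_ACCESS"},
-{ERR_FUNC(X509V3_F_NOTICE_SECTION), "NOTICE_SECTION"},
-{ERR_FUNC(X509V3_F_NREF_NOS), "NREF_NOS"},
-{ERR_FUNC(X509V3_F_POLICY_SECTION), "POLICY_SECTION"},
-{ERR_FUNC(X509V3_F_PROCESS_PCI_VALUE), "PROCESS_PCI_VALUE"},
-{ERR_FUNC(X509V3_F_R2I_CERTPOL), "R2I_CERTPOL"},
-{ERR_FUNC(X509V3_F_R2I_PCI), "R2I_PCI"},
-{ERR_FUNC(X509V3_F_S2I_ASN1_IA5STRING), "S2I_ASN1_IA5STRING"},
-{ERR_FUNC(X509V3_F_S2I_ASN1_INTEGER), "s2i_ASN1_INTEGER"},
-{ERR_FUNC(X509V3_F_S2I_ASN1_OCTET_STRING), "s2i_ASN1_OCTET_STRING"},
-{ERR_FUNC(X509V3_F_S2I_ASN1_SKEY_ID), "S2I_ASN1_SKEY_ID"},
-{ERR_FUNC(X509V3_F_S2I_SKEY_ID), "S2I_SKEY_ID"},
-{ERR_FUNC(X509V3_F_SET_DIST_POINT_NAME), "SET_DIST_POINT_NAME"},
-{ERR_FUNC(X509V3_F_STRING_TO_HEX), "string_to_hex"},
-{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ASC), "SXNET_add_id_asc"},
-{ERR_FUNC(X509V3_F_SXNET_ADD_ID_INTEGER), "SXNET_add_id_INTEGER"},
-{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ULONG), "SXNET_add_id_ulong"},
-{ERR_FUNC(X509V3_F_SXNET_GET_ID_ASC), "SXNET_get_id_asc"},
-{ERR_FUNC(X509V3_F_SXNET_GET_ID_ULONG), "SXNET_get_id_ulong"},
-{ERR_FUNC(X509V3_F_V2I_ASIDENTIFIERS), "V2I_ASIDENTIFIERS"},
-{ERR_FUNC(X509V3_F_V2I_ASN1_BIT_STRING), "v2i_ASN1_BIT_STRING"},
-{ERR_FUNC(X509V3_F_V2I_AUTHORITY_INFO_ACCESS), "V2I_AUTHORITY_INFO_ACCESS"},
-{ERR_FUNC(X509V3_F_V2I_AUTHORITY_KEYID), "V2I_AUTHORITY_KEYID"},
-{ERR_FUNC(X509V3_F_V2I_BASIC_CONSTRAINTS), "V2I_BASIC_CONSTRAINTS"},
-{ERR_FUNC(X509V3_F_V2I_CRLD), "V2I_CRLD"},
-{ERR_FUNC(X509V3_F_V2I_EXTENDED_KEY_USAGE), "V2I_EXTENDED_KEY_USAGE"},
-{ERR_FUNC(X509V3_F_V2I_GENERAL_NAMES), "v2i_GENERAL_NAMES"},
-{ERR_FUNC(X509V3_F_V2I_GENERAL_NAME_EX), "v2i_GENERAL_NAME_ex"},
-{ERR_FUNC(X509V3_F_V2I_IDP), "V2I_IDP"},
-{ERR_FUNC(X509V3_F_V2I_IPADDRBLOCKS), "V2I_IPADDRBLOCKS"},
-{ERR_FUNC(X509V3_F_V2I_ISSUER_ALT), "V2I_ISSUER_ALT"},
-{ERR_FUNC(X509V3_F_V2I_NAME_CONSTRAINTS), "V2I_NAME_CONSTRAINTS"},
-{ERR_FUNC(X509V3_F_V2I_POLICY_CONSTRAINTS), "V2I_POLICY_CONSTRAINTS"},
-{ERR_FUNC(X509V3_F_V2I_POLICY_MAPPINGS), "V2I_POLICY_MAPPINGS"},
-{ERR_FUNC(X509V3_F_V2I_SUBJECT_ALT), "V2I_SUBJECT_ALT"},
-{ERR_FUNC(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL), "V3_ADDR_VALIDATE_PATH_INTERNAL"},
-{ERR_FUNC(X509V3_F_V3_GENERIC_EXTENSION), "V3_GENERIC_EXTENSION"},
-{ERR_FUNC(X509V3_F_X509V3_ADD1_I2D), "X509V3_add1_i2d"},
-{ERR_FUNC(X509V3_F_X509V3_ADD_VALUE), "X509V3_add_value"},
-{ERR_FUNC(X509V3_F_X509V3_EXT_ADD), "X509V3_EXT_add"},
-{ERR_FUNC(X509V3_F_X509V3_EXT_ADD_ALIAS), "X509V3_EXT_add_alias"},
-{ERR_FUNC(X509V3_F_X509V3_EXT_CONF), "X509V3_EXT_conf"},
-{ERR_FUNC(X509V3_F_X509V3_EXT_I2D), "X509V3_EXT_i2d"},
-{ERR_FUNC(X509V3_F_X509V3_EXT_NCONF), "X509V3_EXT_nconf"},
-{ERR_FUNC(X509V3_F_X509V3_GET_SECTION), "X509V3_get_section"},
-{ERR_FUNC(X509V3_F_X509V3_GET_STRING), "X509V3_get_string"},
-{ERR_FUNC(X509V3_F_X509V3_GET_VALUE_BOOL), "X509V3_get_value_bool"},
-{ERR_FUNC(X509V3_F_X509V3_PARSE_LIST), "X509V3_parse_list"},
-{ERR_FUNC(X509V3_F_X509_PURPOSE_ADD), "X509_PURPOSE_add"},
-{ERR_FUNC(X509V3_F_X509_PURPOSE_SET), "X509_PURPOSE_set"},
-{0,NULL}
- };
-
-static ERR_STRING_DATA X509V3_str_reasons[]=
- {
-{ERR_REASON(X509V3_R_BAD_IP_ADDRESS) ,"bad ip address"},
-{ERR_REASON(X509V3_R_BAD_OBJECT) ,"bad object"},
-{ERR_REASON(X509V3_R_BN_DEC2BN_ERROR) ,"bn dec2bn error"},
-{ERR_REASON(X509V3_R_BN_TO_ASN1_INTEGER_ERROR),"bn to asn1 integer error"},
-{ERR_REASON(X509V3_R_DIRNAME_ERROR) ,"dirname error"},
-{ERR_REASON(X509V3_R_DISTPOINT_ALREADY_SET),"distpoint already set"},
-{ERR_REASON(X509V3_R_DUPLICATE_ZONE_ID) ,"duplicate zone id"},
-{ERR_REASON(X509V3_R_ERROR_CONVERTING_ZONE),"error converting zone"},
-{ERR_REASON(X509V3_R_ERROR_CREATING_EXTENSION),"error creating extension"},
-{ERR_REASON(X509V3_R_ERROR_IN_EXTENSION) ,"error in extension"},
-{ERR_REASON(X509V3_R_EXPECTED_A_SECTION_NAME),"expected a section name"},
-{ERR_REASON(X509V3_R_EXTENSION_EXISTS) ,"extension exists"},
-{ERR_REASON(X509V3_R_EXTENSION_NAME_ERROR),"extension name error"},
-{ERR_REASON(X509V3_R_EXTENSION_NOT_FOUND),"extension not found"},
-{ERR_REASON(X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED),"extension setting not supported"},
-{ERR_REASON(X509V3_R_EXTENSION_VALUE_ERROR),"extension value error"},
-{ERR_REASON(X509V3_R_ILLEGAL_EMPTY_EXTENSION),"illegal empty extension"},
-{ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT) ,"illegal hex digit"},
-{ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG),"incorrect policy syntax tag"},
-{ERR_REASON(X509V3_R_INVALID_MULTIPLE_RDNS),"invalid multiple rdns"},
-{ERR_REASON(X509V3_R_INVALID_ASNUMBER) ,"invalid asnumber"},
-{ERR_REASON(X509V3_R_INVALID_ASRANGE) ,"invalid asrange"},
-{ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING),"invalid boolean string"},
-{ERR_REASON(X509V3_R_INVALID_EXTENSION_STRING),"invalid extension string"},
-{ERR_REASON(X509V3_R_INVALID_INHERITANCE),"invalid inheritance"},
-{ERR_REASON(X509V3_R_INVALID_IPADDRESS) ,"invalid ipaddress"},
-{ERR_REASON(X509V3_R_INVALID_NAME) ,"invalid name"},
-{ERR_REASON(X509V3_R_INVALID_NULL_ARGUMENT),"invalid null argument"},
-{ERR_REASON(X509V3_R_INVALID_NULL_NAME) ,"invalid null name"},
-{ERR_REASON(X509V3_R_INVALID_NULL_VALUE) ,"invalid null value"},
-{ERR_REASON(X509V3_R_INVALID_NUMBER) ,"invalid number"},
-{ERR_REASON(X509V3_R_INVALID_NUMBERS) ,"invalid numbers"},
-{ERR_REASON(X509V3_R_INVALID_OBJECT_IDENTIFIER),"invalid object identifier"},
-{ERR_REASON(X509V3_R_INVALID_OPTION) ,"invalid option"},
-{ERR_REASON(X509V3_R_INVALID_POLICY_IDENTIFIER),"invalid policy identifier"},
-{ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_SETTING),"invalid proxy policy setting"},
-{ERR_REASON(X509V3_R_INVALID_PURPOSE) ,"invalid purpose"},
-{ERR_REASON(X509V3_R_INVALID_SAFI) ,"invalid safi"},
-{ERR_REASON(X509V3_R_INVALID_SECTION) ,"invalid section"},
-{ERR_REASON(X509V3_R_INVALID_SYNTAX) ,"invalid syntax"},
-{ERR_REASON(X509V3_R_ISSUER_DECODE_ERROR),"issuer decode error"},
-{ERR_REASON(X509V3_R_MISSING_VALUE) ,"missing value"},
-{ERR_REASON(X509V3_R_NEED_ORGANIZATION_AND_NUMBERS),"need organization and numbers"},
-{ERR_REASON(X509V3_R_NO_CONFIG_DATABASE) ,"no config database"},
-{ERR_REASON(X509V3_R_NO_ISSUER_CERTIFICATE),"no issuer certificate"},
-{ERR_REASON(X509V3_R_NO_ISSUER_DETAILS) ,"no issuer details"},
-{ERR_REASON(X509V3_R_NO_POLICY_IDENTIFIER),"no policy identifier"},
-{ERR_REASON(X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED),"no proxy cert policy language defined"},
-{ERR_REASON(X509V3_R_NO_PUBLIC_KEY) ,"no public key"},
-{ERR_REASON(X509V3_R_NO_SUBJECT_DETAILS) ,"no subject details"},
-{ERR_REASON(X509V3_R_ODD_NUMBER_OF_DIGITS),"odd number of digits"},
-{ERR_REASON(X509V3_R_OPERATION_NOT_DEFINED),"operation not defined"},
-{ERR_REASON(X509V3_R_OTHERNAME_ERROR) ,"othername error"},
-{ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED),"policy language already defined"},
-{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH) ,"policy path length"},
-{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED),"policy path length already defined"},
-{ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED),"policy syntax not currently supported"},
-{ERR_REASON(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY),"policy when proxy language requires no policy"},
-{ERR_REASON(X509V3_R_SECTION_NOT_FOUND) ,"section not found"},
-{ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS),"unable to get issuer details"},
-{ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_KEYID),"unable to get issuer keyid"},
-{ERR_REASON(X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT),"unknown bit string argument"},
-{ERR_REASON(X509V3_R_UNKNOWN_EXTENSION) ,"unknown extension"},
-{ERR_REASON(X509V3_R_UNKNOWN_EXTENSION_NAME),"unknown extension name"},
-{ERR_REASON(X509V3_R_UNKNOWN_OPTION) ,"unknown option"},
-{ERR_REASON(X509V3_R_UNSUPPORTED_OPTION) ,"unsupported option"},
-{ERR_REASON(X509V3_R_UNSUPPORTED_TYPE) ,"unsupported type"},
-{ERR_REASON(X509V3_R_USER_TOO_LONG) ,"user too long"},
-{0,NULL}
- };
-
-#endif
-
-void ERR_load_X509V3_strings(void)
- {
-#ifndef OPENSSL_NO_ERR
-
- if (ERR_func_error_string(X509V3_str_functs[0].error) == NULL)
- {
- ERR_load_strings(0,X509V3_str_functs);
- ERR_load_strings(0,X509V3_str_reasons);
- }
-#endif
- }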
diff --git a/src/lib/libcrypto/x509v3/x509v3.h b/src/lib/libcrypto/x509v3/x509v3.h
deleted file mode 100644
index b308abe7cd..0000000000
--- a/src/lib/libcrypto/x509v3/x509v3.h
+++ /dev/null
@@ -1,1007 +0,0 @@
1/* x509v3.h */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58#ifndef HEADER_X509V3_H
59#define HEADER_X509V3_H
60
61#include <openssl/bio.h>
62#include <openssl/x509.h>
63#include <openssl/conf.h>
64
65#ifdef __cplusplus
66extern "C" {
67#endif
68
69/* Forward reference */
70struct v3_ext_method;
71struct v3_ext_ctx;
72
73/* Useful typedefs */
74
75typedef void * (*X509V3_EXT_NEW)(void);
76typedef void (*X509V3_EXT_FREE)(void *);
77typedef void * (*X509V3_EXT_D2I)(void *, const unsigned char ** , long);
78typedef int (*X509V3_EXT_I2D)(void *, unsigned char **);
79typedef STACK_OF(CONF_VALUE) *
80 (*X509V3_EXT_I2V)(const struct v3_ext_method *method, void *ext,
81 STACK_OF(CONF_VALUE) *extlist);
82typedef void * (*X509V3_EXT_V2I)(const struct v3_ext_method *method,
83 struct v3_ext_ctx *ctx,
84 STACK_OF(CONF_VALUE) *values);
85typedef char * (*X509V3_EXT_I2S)(const struct v3_ext_method *method, void *ext);
86typedef void * (*X509V3_EXT_S2I)(const struct v3_ext_method *method,
87 struct v3_ext_ctx *ctx, const char *str);
88typedef int (*X509V3_EXT_I2R)(const struct v3_ext_method *method, void *ext,
89 BIO *out, int indent);
90typedef void * (*X509V3_EXT_R2I)(const struct v3_ext_method *method,
91 struct v3_ext_ctx *ctx, const char *str);
92
93/* V3 extension structure */
94
95struct v3_ext_method {
96int ext_nid;
97int ext_flags;
98/* If this is set the following four fields are ignored */
99ASN1_ITEM_EXP *it;
100/* Old style ASN1 calls */
101X509V3_EXT_NEW ext_new;
102X509V3_EXT_FREE ext_free;
103X509V3_EXT_D2I d2i;
104X509V3_EXT_I2D i2d;
105
106/* The following pair is used for string extensions */
107X509V3_EXT_I2S i2s;
108X509V3_EXT_S2I s2i;
109
110/* The following pair is used for multi-valued extensions */
111X509V3_EXT_I2V i2v;
112X509V3_EXT_V2I v2i;
113
114/* The following are used for raw extensions */
115X509V3_EXT_I2R i2r;
116X509V3_EXT_R2I r2i;
117
118void *usr_data; /* Any extension specific data */
119};
120
121typedef struct X509V3_CONF_METHOD_st {
122char * (*get_string)(void *db, char *section, char *value);
123STACK_OF(CONF_VALUE) * (*get_section)(void *db, char *section);
124void (*free_string)(void *db, char * string);
125void (*free_section)(void *db, STACK_OF(CONF_VALUE) *section);
126} X509V3_CONF_METHOD;
127
128/* Context specific info */
129struct v3_ext_ctx {
130#define CTX_TEST 0x1
131int flags;
132X509 *issuer_cert;
133X509 *subject_cert;
134X509_REQ *subject_req;
135X509_CRL *crl;
136X509V3_CONF_METHOD *db_meth;
137void *db;
138/* Maybe more here */
139};
140
141typedef struct v3_ext_method X509V3_EXT_METHOD;
142
143DECLARE_STACK_OF(X509V3_EXT_METHOD)
144
145/* ext_flags values */
146#define X509V3_EXT_DYNAMIC 0x1
147#define X509V3_EXT_CTX_DEP 0x2
148#define X509V3_EXT_MULTILINE 0x4
149
150typedef BIT_STRING_BITNAME ENUMERATED_NAMES;
151
152typedef struct BASIC_CONSTRAINTS_st {
153int ca;
154ASN1_INTEGER *pathlen;
155} BASIC_CONSTRAINTS;
156
157
158typedef struct PKEY_USAGE_PERIOD_st {
159ASN1_GENERALIZEDTIME *notBefore;
160ASN1_GENERALIZEDTIME *notAfter;
161} PKEY_USAGE_PERIOD;
162
163typedef struct otherName_st {
164ASN1_OBJECT *type_id;
165ASN1_TYPE *value;
166} OTHERNAME;
167
168typedef struct EDIPartyName_st {
169 ASN1_STRING *nameAssigner;
170 ASN1_STRING *partyName;
171} EDIPARTYNAME;
172
173typedef struct GENERAL_NAME_st {
174
175#define GEN_OTHERNAME 0
176#define GEN_EMAIL 1
177#define GEN_DNS 2
178#define GEN_X400 3
179#define GEN_DIRNAME 4
180#define GEN_EDIPARTY 5
181#define GEN_URI 6
182#define GEN_IPADD 7
183#define GEN_RID 8
184
185int type;
186union {
187 char *ptr;
188 OTHERNAME *otherName; /* otherName */
189 ASN1_IA5STRING *rfc822Name;
190 ASN1_IA5STRING *dNSName;
191 ASN1_TYPE *x400Address;
192 X509_NAME *directoryName;
193 EDIPARTYNAME *ediPartyName;
194 ASN1_IA5STRING *uniformResourceIdentifier;
195 ASN1_OCTET_STRING *iPAddress;
196 ASN1_OBJECT *registeredID;
197
198 /* Old names */
199 ASN1_OCTET_STRING *ip; /* iPAddress */
200 X509_NAME *dirn; /* dirn */
201 ASN1_IA5STRING *ia5;/* rfc822Name, dNSName, uniformResourceIdentifier */
202 ASN1_OBJECT *rid; /* registeredID */
203 ASN1_TYPE *other; /* x400Address */
204} d;
205} GENERAL_NAME;
206
207typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
208
209typedef struct ACCESS_DESCRIPTION_st {
210 ASN1_OBJECT *method;
211 GENERAL_NAME *location;
212} ACCESS_DESCRIPTION;
213
214typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
215
216typedef STACK_OF(ASN1_OBJECT) EXTENDED_KEY_USAGE;
217
218DECLARE_STACK_OF(GENERAL_NAME)
219DECLARE_ASN1_SET_OF(GENERAL_NAME)
220
221DECLARE_STACK_OF(ACCESS_DESCRIPTION)
222DECLARE_ASN1_SET_OF(ACCESS_DESCRIPTION)
223
224typedef struct DIST_POINT_NAME_st {
225int type;
226union {
227 GENERAL_NAMES *fullname;
228 STACK_OF(X509_NAME_ENTRY) *relativename;
229} name;
230/* If relativename then this contains the full distribution point name */
231X509_NAME *dpname;
232} DIST_POINT_NAME;
233/* All existing reasons */
234#define CRLDP_ALL_REASONS 0x807f
235
236#define CRL_REASON_NONE -1
237#define CRL_REASON_UNSPECIFIED 0
238#define CRL_REASON_KEY_COMPROMISE 1
239#define CRL_REASON_CA_COMPROMISE 2
240#define CRL_REASON_AFFILIATION_CHANGED 3
241#define CRL_REASON_SUPERSEDED 4
242#define CRL_REASON_CESSATION_OF_OPERATION 5
243#define CRL_REASON_CERTIFICATE_HOLD 6
244#define CRL_REASON_REMOVE_FROM_CRL 8
245#define CRL_REASON_PRIVILEGE_WITHDRAWN 9
246#define CRL_REASON_AA_COMPROMISE 10
247
248struct DIST_POINT_st {
249DIST_POINT_NAME *distpoint;
250ASN1_BIT_STRING *reasons;
251GENERAL_NAMES *CRLissuer;
252int dp_reasons;
253};
254
255typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS;
256
257DECLARE_STACK_OF(DIST_POINT)
258DECLARE_ASN1_SET_OF(DIST_POINT)
259
260struct AUTHORITY_KEYID_st {
261ASN1_OCTET_STRING *keyid;
262GENERAL_NAMES *issuer;
263ASN1_INTEGER *serial;
264};
265
266/* Strong extranet structures */
267
268typedef struct SXNET_ID_st {
269 ASN1_INTEGER *zone;
270 ASN1_OCTET_STRING *user;
271} SXNETID;
272
273DECLARE_STACK_OF(SXNETID)
274DECLARE_ASN1_SET_OF(SXNETID)
275
276typedef struct SXNET_st {
277 ASN1_INTEGER *version;
278 STACK_OF(SXNETID) *ids;
279} SXNET;
280
281typedef struct NOTICEREF_st {
282 ASN1_STRING *organization;
283 STACK_OF(ASN1_INTEGER) *noticenos;
284} NOTICEREF;
285
286typedef struct USERNOTICE_st {
287 NOTICEREF *noticeref;
288 ASN1_STRING *exptext;
289} USERNOTICE;
290
291typedef struct POLICYQUALINFO_st {
292 ASN1_OBJECT *pqualid;
293 union {
294 ASN1_IA5STRING *cpsuri;
295 USERNOTICE *usernotice;
296 ASN1_TYPE *other;
297 } d;
298} POLICYQUALINFO;
299
300DECLARE_STACK_OF(POLICYQUALINFO)
301DECLARE_ASN1_SET_OF(POLICYQUALINFO)
302
303typedef struct POLICYINFO_st {
304 ASN1_OBJECT *policyid;
305 STACK_OF(POLICYQUALINFO) *qualifiers;
306} POLICYINFO;
307
308typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES;
309
310DECLARE_STACK_OF(POLICYINFO)
311DECLARE_ASN1_SET_OF(POLICYINFO)
312
313typedef struct POLICY_MAPPING_st {
314 ASN1_OBJECT *issuerDomainPolicy;
315 ASN1_OBJECT *subjectDomainPolicy;
316} POLICY_MAPPING;
317
318DECLARE_STACK_OF(POLICY_MAPPING)
319
320typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS;
321
322typedef struct GENERAL_SUBTREE_st {
323 GENERAL_NAME *base;
324 ASN1_INTEGER *minimum;
325 ASN1_INTEGER *maximum;
326} GENERAL_SUBTREE;
327
328DECLARE_STACK_OF(GENERAL_SUBTREE)
329
330struct NAME_CONSTRAINTS_st {
331 STACK_OF(GENERAL_SUBTREE) *permittedSubtrees;
332 STACK_OF(GENERAL_SUBTREE) *excludedSubtrees;
333};
334
335typedef struct POLICY_CONSTRAINTS_st {
336 ASN1_INTEGER *requireExplicitPolicy;
337 ASN1_INTEGER *inhibitPolicyMapping;
338} POLICY_CONSTRAINTS;
339
340/* Proxy certificate structures, see RFC 3820 */
341typedef struct PROXY_POLICY_st
342 {
343 ASN1_OBJECT *policyLanguage;
344 ASN1_OCTET_STRING *policy;
345 } PROXY_POLICY;
346
347typedef struct PROXY_CERT_INFO_EXTENSION_st
348 {
349 ASN1_INTEGER *pcPathLengthConstraint;
350 PROXY_POLICY *proxyPolicy;
351 } PROXY_CERT_INFO_EXTENSION;
352
353DECLARE_ASN1_FUNCTIONS(PROXY_POLICY)
354DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
355
356struct ISSUING_DIST_POINT_st
357 {
358 DIST_POINT_NAME *distpoint;
359 int onlyuser;
360 int onlyCA;
361 ASN1_BIT_STRING *onlysomereasons;
362 int indirectCRL;
363 int onlyattr;
364 };
365
366/* Values in idp_flags field */
367/* IDP present */
368#define IDP_PRESENT 0x1
369/* IDP values inconsistent */
370#define IDP_INVALID 0x2
371/* onlyuser true */
372#define IDP_ONLYUSER 0x4
373/* onlyCA true */
374#define IDP_ONLYCA 0x8
375/* onlyattr true */
376#define IDP_ONLYATTR 0x10
377/* indirectCRL true */
378#define IDP_INDIRECT 0x20
379/* onlysomereasons present */
380#define IDP_REASONS 0x40
381
382#define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \
383",name:", val->name, ",value:", val->value);
384
385#define X509V3_set_ctx_test(ctx) \
386 X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, CTX_TEST)
387#define X509V3_set_ctx_nodb(ctx) (ctx)->db = NULL;
388
389#define EXT_BITSTRING(nid, table) { nid, 0, ASN1_ITEM_ref(ASN1_BIT_STRING), \
390 0,0,0,0, \
391 0,0, \
392 (X509V3_EXT_I2V)i2v_ASN1_BIT_STRING, \
393 (X509V3_EXT_V2I)v2i_ASN1_BIT_STRING, \
394 NULL, NULL, \
395 table}
396
397#define EXT_IA5STRING(nid) { nid, 0, ASN1_ITEM_ref(ASN1_IA5STRING), \
398 0,0,0,0, \
399 (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, \
400 (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, \
401 0,0,0,0, \
402 NULL}
403
404#define EXT_END { -1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
405
406
407/* X509_PURPOSE stuff */
408
409#define EXFLAG_BCONS 0x1
410#define EXFLAG_KUSAGE 0x2
411#define EXFLAG_XKUSAGE 0x4
412#define EXFLAG_NSCERT 0x8
413
414#define EXFLAG_CA 0x10
415/* Really self issued not necessarily self signed */
416#define EXFLAG_SI 0x20
417#define EXFLAG_SS 0x20
418#define EXFLAG_V1 0x40
419#define EXFLAG_INVALID 0x80
420#define EXFLAG_SET 0x100
421#define EXFLAG_CRITICAL 0x200
422#define EXFLAG_PROXY 0x400
423
424#define EXFLAG_INVALID_POLICY 0x800
425#define EXFLAG_FRESHEST 0x1000
426
427#define KU_DIGITAL_SIGNATURE 0x0080
428#define KU_NON_REPUDIATION 0x0040
429#define KU_KEY_ENCIPHERMENT 0x0020
430#define KU_DATA_ENCIPHERMENT 0x0010
431#define KU_KEY_AGREEMENT 0x0008
432#define KU_KEY_CERT_SIGN 0x0004
433#define KU_CRL_SIGN 0x0002
434#define KU_ENCIPHER_ONLY 0x0001
435#define KU_DECIPHER_ONLY 0x8000
436
437#define NS_SSL_CLIENT 0x80
438#define NS_SSL_SERVER 0x40
439#define NS_SMIME 0x20
440#define NS_OBJSIGN 0x10
441#define NS_SSL_CA 0x04
442#define NS_SMIME_CA 0x02
443#define NS_OBJSIGN_CA 0x01
444#define NS_ANY_CA (NS_SSL_CA|NS_SMIME_CA|NS_OBJSIGN_CA)
445
446#define XKU_SSL_SERVER 0x1
447#define XKU_SSL_CLIENT 0x2
448#define XKU_SMIME 0x4
449#define XKU_CODE_SIGN 0x8
450#define XKU_SGC 0x10
451#define XKU_OCSP_SIGN 0x20
452#define XKU_TIMESTAMP 0x40
453#define XKU_DVCS 0x80
454
455#define X509_PURPOSE_DYNAMIC 0x1
456#define X509_PURPOSE_DYNAMIC_NAME 0x2
457
458typedef struct x509_purpose_st {
459 int purpose;
460 int trust; /* Default trust ID */
461 int flags;
462 int (*check_purpose)(const struct x509_purpose_st *,
463 const X509 *, int);
464 char *name;
465 char *sname;
466 void *usr_data;
467} X509_PURPOSE;
468
469#define X509_PURPOSE_SSL_CLIENT 1
470#define X509_PURPOSE_SSL_SERVER 2
471#define X509_PURPOSE_NS_SSL_SERVER 3
472#define X509_PURPOSE_SMIME_SIGN 4
473#define X509_PURPOSE_SMIME_ENCRYPT 5
474#define X509_PURPOSE_CRL_SIGN 6
475#define X509_PURPOSE_ANY 7
476#define X509_PURPOSE_OCSP_HELPER 8
477#define X509_PURPOSE_TIMESTAMP_SIGN 9
478
479#define X509_PURPOSE_MIN 1
480#define X509_PURPOSE_MAX 9
481
482/* Flags for X509V3_EXT_print() */
483
484#define X509V3_EXT_UNKNOWN_MASK (0xfL << 16)
485/* Return error for unknown extensions */
486#define X509V3_EXT_DEFAULT 0
487/* Print error for unknown extensions */
488#define X509V3_EXT_ERROR_UNKNOWN (1L << 16)
489/* ASN1 parse unknown extensions */
490#define X509V3_EXT_PARSE_UNKNOWN (2L << 16)
491/* BIO_dump unknown extensions */
492#define X509V3_EXT_DUMP_UNKNOWN (3L << 16)
493
494/* Flags for X509V3_add1_i2d */
495
496#define X509V3_ADD_OP_MASK 0xfL
497#define X509V3_ADD_DEFAULT 0L
498#define X509V3_ADD_APPEND 1L
499#define X509V3_ADD_REPLACE 2L
500#define X509V3_ADD_REPLACE_EXISTING 3L
501#define X509V3_ADD_KEEP_EXISTING 4L
502#define X509V3_ADD_DELETE 5L
503#define X509V3_ADD_SILENT 0x10
504
505DECLARE_STACK_OF(X509_PURPOSE)
506
507DECLARE_ASN1_FUNCTIONS(BASIC_CONSTRAINTS)
508
509DECLARE_ASN1_FUNCTIONS(SXNET)
510DECLARE_ASN1_FUNCTIONS(SXNETID)
511
512int SXNET_add_id_asc(SXNET **psx, char *zone, char *user, int userlen);
513int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, char *user, int userlen);
514int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *izone, char *user, int userlen);
515
516ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, char *zone);
517ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone);
518ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone);
519
520DECLARE_ASN1_FUNCTIONS(AUTHORITY_KEYID)
521
522DECLARE_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD)
523
524DECLARE_ASN1_FUNCTIONS(GENERAL_NAME)
525GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a);
526int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b);
527
528
529
530ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
531 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
532STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
533 ASN1_BIT_STRING *bits,
534 STACK_OF(CONF_VALUE) *extlist);
535
536STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret);
537int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen);
538
539DECLARE_ASN1_FUNCTIONS(GENERAL_NAMES)
540
541STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
542 GENERAL_NAMES *gen, STACK_OF(CONF_VALUE) *extlist);
543GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
544 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
545
546DECLARE_ASN1_FUNCTIONS(OTHERNAME)
547DECLARE_ASN1_FUNCTIONS(EDIPARTYNAME)
548int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b);
549void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value);
550void *GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype);
551int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
552 ASN1_OBJECT *oid, ASN1_TYPE *value);
553int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen,
554 ASN1_OBJECT **poid, ASN1_TYPE **pvalue);
555
556char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *ia5);
557ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
558
559DECLARE_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE)
560int i2a_ACCESS_DESCRIPTION(BIO *bp, ACCESS_DESCRIPTION* a);
561
562DECLARE_ASN1_FUNCTIONS(CERTIFICATEPOLICIES)
563DECLARE_ASN1_FUNCTIONS(POLICYINFO)
564DECLARE_ASN1_FUNCTIONS(POLICYQUALINFO)
565DECLARE_ASN1_FUNCTIONS(USERNOTICE)
566DECLARE_ASN1_FUNCTIONS(NOTICEREF)
567
568DECLARE_ASN1_FUNCTIONS(CRL_DIST_POINTS)
569DECLARE_ASN1_FUNCTIONS(DIST_POINT)
570DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME)
571DECLARE_ASN1_FUNCTIONS(ISSUING_DIST_POINT)
572
573int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname);
574
575int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc);
576
577DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION)
578DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS)
579
580DECLARE_ASN1_ITEM(POLICY_MAPPING)
581DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING)
582DECLARE_ASN1_ITEM(POLICY_MAPPINGS)
583
584DECLARE_ASN1_ITEM(GENERAL_SUBTREE)
585DECLARE_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
586
587DECLARE_ASN1_ITEM(NAME_CONSTRAINTS)
588DECLARE_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
589
590DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
591DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS)
592
593GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
594 const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
595 int gen_type, char *value, int is_nc);
596
597#ifdef HEADER_CONF_H
598GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
599 CONF_VALUE *cnf);
600GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
601 const X509V3_EXT_METHOD *method,
602 X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc);
603void X509V3_conf_free(CONF_VALUE *val);
604
605X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, char *value);
606X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name, char *value);
607int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section, STACK_OF(X509_EXTENSION) **sk);
608int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509 *cert);
609int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509_REQ *req);
610int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509_CRL *crl);
611
612X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
613 int ext_nid, char *value);
614X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
615 char *name, char *value);
616int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
617 char *section, X509 *cert);
618int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
619 char *section, X509_REQ *req);
620int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
621 char *section, X509_CRL *crl);
622
623int X509V3_add_value_bool_nf(char *name, int asn1_bool,
624 STACK_OF(CONF_VALUE) **extlist);
625int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool);
626int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint);
627void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf);
628void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash);
629#endif
630
631char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section);
632STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section);
633void X509V3_string_free(X509V3_CTX *ctx, char *str);
634void X509V3_section_free( X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section);
635void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject,
636 X509_REQ *req, X509_CRL *crl, int flags);
637
638int X509V3_add_value(const char *name, const char *value,
639 STACK_OF(CONF_VALUE) **extlist);
640int X509V3_add_value_uchar(const char *name, const unsigned char *value,
641 STACK_OF(CONF_VALUE) **extlist);
642int X509V3_add_value_bool(const char *name, int asn1_bool,
643 STACK_OF(CONF_VALUE) **extlist);
644int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint,
645 STACK_OF(CONF_VALUE) **extlist);
646char * i2s_ASN1_INTEGER(X509V3_EXT_METHOD *meth, ASN1_INTEGER *aint);
647ASN1_INTEGER * s2i_ASN1_INTEGER(X509V3_EXT_METHOD *meth, char *value);
648char * i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *meth, ASN1_ENUMERATED *aint);
649char * i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *meth, ASN1_ENUMERATED *aint);
650int X509V3_EXT_add(X509V3_EXT_METHOD *ext);
651int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist);
652int X509V3_EXT_add_alias(int nid_to, int nid_from);
653void X509V3_EXT_cleanup(void);
654
655const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext);
656const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
657int X509V3_add_standard_extensions(void);
658STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line);
659void *X509V3_EXT_d2i(X509_EXTENSION *ext);
660void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx);
661
662
663X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
664int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, int crit, unsigned long flags);
665
666char *hex_to_string(const unsigned char *buffer, long len);
667unsigned char *string_to_hex(const char *str, long *len);
668int name_cmp(const char *name, const char *cmp);
669
670void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent,
671 int ml);
672int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent);
673int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
674
675int X509V3_extensions_print(BIO *out, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent);
676
677int X509_check_ca(X509 *x);
678int X509_check_purpose(X509 *x, int id, int ca);
679int X509_supported_extension(X509_EXTENSION *ex);
680int X509_PURPOSE_set(int *p, int purpose);
681int X509_check_issued(X509 *issuer, X509 *subject);
682int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid);
683int X509_PURPOSE_get_count(void);
684X509_PURPOSE * X509_PURPOSE_get0(int idx);
685int X509_PURPOSE_get_by_sname(char *sname);
686int X509_PURPOSE_get_by_id(int id);
687int X509_PURPOSE_add(int id, int trust, int flags,
688 int (*ck)(const X509_PURPOSE *, const X509 *, int),
689 char *name, char *sname, void *arg);
690char *X509_PURPOSE_get0_name(X509_PURPOSE *xp);
691char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp);
692int X509_PURPOSE_get_trust(X509_PURPOSE *xp);
693void X509_PURPOSE_cleanup(void);
694int X509_PURPOSE_get_id(X509_PURPOSE *);
695
696STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x);
697STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x);
698void X509_email_free(STACK_OF(OPENSSL_STRING) *sk);
699STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
700
701ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc);
702ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc);
703int a2i_ipadd(unsigned char *ipout, const char *ipasc);
704int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
705 unsigned long chtype);
706
707void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
708DECLARE_STACK_OF(X509_POLICY_NODE)
709
710#ifndef OPENSSL_NO_RFC3779
711
712typedef struct ASRange_st {
713 ASN1_INTEGER *min, *max;
714} ASRange;
715
716#define ASIdOrRange_id 0
717#define ASIdOrRange_range 1
718
719typedef struct ASIdOrRange_st {
720 int type;
721 union {
722 ASN1_INTEGER *id;
723 ASRange *range;
724 } u;
725} ASIdOrRange;
726
727typedef STACK_OF(ASIdOrRange) ASIdOrRanges;
728DECLARE_STACK_OF(ASIdOrRange)
729
730#define ASIdentifierChoice_inherit 0
731#define ASIdentifierChoice_asIdsOrRanges 1
732
733typedef struct ASIdentifierChoice_st {
734 int type;
735 union {
736 ASN1_NULL *inherit;
737 ASIdOrRanges *asIdsOrRanges;
738 } u;
739} ASIdentifierChoice;
740
741typedef struct ASIdentifiers_st {
742 ASIdentifierChoice *asnum, *rdi;
743} ASIdentifiers;
744
745DECLARE_ASN1_FUNCTIONS(ASRange)
746DECLARE_ASN1_FUNCTIONS(ASIdOrRange)
747DECLARE_ASN1_FUNCTIONS(ASIdentifierChoice)
748DECLARE_ASN1_FUNCTIONS(ASIdentifiers)
749
750
751typedef struct IPAddressRange_st {
752 ASN1_BIT_STRING *min, *max;
753} IPAddressRange;
754
755#define IPAddressOrRange_addressPrefix 0
756#define IPAddressOrRange_addressRange 1
757
758typedef struct IPAddressOrRange_st {
759 int type;
760 union {
761 ASN1_BIT_STRING *addressPrefix;
762 IPAddressRange *addressRange;
763 } u;
764} IPAddressOrRange;
765
766typedef STACK_OF(IPAddressOrRange) IPAddressOrRanges;
767DECLARE_STACK_OF(IPAddressOrRange)
768
769#define IPAddressChoice_inherit 0
770#define IPAddressChoice_addressesOrRanges 1
771
772typedef struct IPAddressChoice_st {
773 int type;
774 union {
775 ASN1_NULL *inherit;
776 IPAddressOrRanges *addressesOrRanges;
777 } u;
778} IPAddressChoice;
779
780typedef struct IPAddressFamily_st {
781 ASN1_OCTET_STRING *addressFamily;
782 IPAddressChoice *ipAddressChoice;
783} IPAddressFamily;
784
785typedef STACK_OF(IPAddressFamily) IPAddrBlocks;
786DECLARE_STACK_OF(IPAddressFamily)
787
788DECLARE_ASN1_FUNCTIONS(IPAddressRange)
789DECLARE_ASN1_FUNCTIONS(IPAddressOrRange)
790DECLARE_ASN1_FUNCTIONS(IPAddressChoice)
791DECLARE_ASN1_FUNCTIONS(IPAddressFamily)
792
793/*
794 * API tag for elements of the ASIdentifer SEQUENCE.
795 */
796#define V3_ASID_ASNUM 0
797#define V3_ASID_RDI 1
798
799/*
800 * AFI values, assigned by IANA. It'd be nice to make the AFI
801 * handling code totally generic, but there are too many little things
802 * that would need to be defined for other address families for it to
803 * be worth the trouble.
804 */
805#define IANA_AFI_IPV4 1
806#define IANA_AFI_IPV6 2
807
808/*
809 * Utilities to construct and extract values from RFC3779 extensions,
810 * since some of the encodings (particularly for IP address prefixes
811 * and ranges) are a bit tedious to work with directly.
812 */
813int v3_asid_add_inherit(ASIdentifiers *asid, int which);
814int v3_asid_add_id_or_range(ASIdentifiers *asid, int which,
815 ASN1_INTEGER *min, ASN1_INTEGER *max);
816int v3_addr_add_inherit(IPAddrBlocks *addr,
817 const unsigned afi, const unsigned *safi);
818int v3_addr_add_prefix(IPAddrBlocks *addr,
819 const unsigned afi, const unsigned *safi,
820 unsigned char *a, const int prefixlen);
821int v3_addr_add_range(IPAddrBlocks *addr,
822 const unsigned afi, const unsigned *safi,
823 unsigned char *min, unsigned char *max);
824unsigned v3_addr_get_afi(const IPAddressFamily *f);
825int v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi,
826 unsigned char *min, unsigned char *max,
827 const int length);
828
829/*
830 * Canonical forms.
831 */
832int v3_asid_is_canonical(ASIdentifiers *asid);
833int v3_addr_is_canonical(IPAddrBlocks *addr);
834int v3_asid_canonize(ASIdentifiers *asid);
835int v3_addr_canonize(IPAddrBlocks *addr);
836
837/*
838 * Tests for inheritance and containment.
839 */
840int v3_asid_inherits(ASIdentifiers *asid);
841int v3_addr_inherits(IPAddrBlocks *addr);
842int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b);
843int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b);
844
845/*
846 * Check whether RFC 3779 extensions nest properly in chains.
847 */
848int v3_asid_validate_path(X509_STORE_CTX *);
849int v3_addr_validate_path(X509_STORE_CTX *);
850int v3_asid_validate_resource_set(STACK_OF(X509) *chain,
851 ASIdentifiers *ext,
852 int allow_inheritance);
853int v3_addr_validate_resource_set(STACK_OF(X509) *chain,
854 IPAddrBlocks *ext,
855 int allow_inheritance);
856
857#endif /* OPENSSL_NO_RFC3779 */
858
859/* BEGIN ERROR CODES */
860/* The following lines are auto generated by the script mkerr.pl. Any changes
861 * made after this point may be overwritten when the script is next run.
862 */
863void ERR_load_X509V3_strings(void);
864
865/* Error codes for the X509V3 functions. */
866
867/* Function codes. */
868#define X509V3_F_A2I_GENERAL_NAME 164
869#define X509V3_F_ASIDENTIFIERCHOICE_CANONIZE 161
870#define X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL 162
871#define X509V3_F_COPY_EMAIL 122
872#define X509V3_F_COPY_ISSUER 123
873#define X509V3_F_DO_DIRNAME 144
874#define X509V3_F_DO_EXT_CONF 124
875#define X509V3_F_DO_EXT_I2D 135
876#define X509V3_F_DO_EXT_NCONF 151
877#define X509V3_F_DO_I2V_NAME_CONSTRAINTS 148
878#define X509V3_F_GNAMES_FROM_SECTNAME 156
879#define X509V3_F_HEX_TO_STRING 111
880#define X509V3_F_I2S_ASN1_ENUMERATED 121
881#define X509V3_F_I2S_ASN1_IA5STRING 149
882#define X509V3_F_I2S_ASN1_INTEGER 120
883#define X509V3_F_I2V_AUTHORITY_INFO_ACCESS 138
884#define X509V3_F_NOTICE_SECTION 132
885#define X509V3_F_NREF_NOS 133
886#define X509V3_F_POLICY_SECTION 131
887#define X509V3_F_PROCESS_PCI_VALUE 150
888#define X509V3_F_R2I_CERTPOL 130
889#define X509V3_F_R2I_PCI 155
890#define X509V3_F_S2I_ASN1_IA5STRING 100
891#define X509V3_F_S2I_ASN1_INTEGER 108
892#define X509V3_F_S2I_ASN1_OCTET_STRING 112
893#define X509V3_F_S2I_ASN1_SKEY_ID 114
894#define X509V3_F_S2I_SKEY_ID 115
895#define X509V3_F_SET_DIST_POINT_NAME 158
896#define X509V3_F_STRING_TO_HEX 113
897#define X509V3_F_SXNET_ADD_ID_ASC 125
898#define X509V3_F_SXNET_ADD_ID_INTEGER 126
899#define X509V3_F_SXNET_ADD_ID_ULONG 127
900#define X509V3_F_SXNET_GET_ID_ASC 128
901#define X509V3_F_SXNET_GET_ID_ULONG 129
902#define X509V3_F_V2I_ASIDENTIFIERS 163
903#define X509V3_F_V2I_ASN1_BIT_STRING 101
904#define X509V3_F_V2I_AUTHORITY_INFO_ACCESS 139
905#define X509V3_F_V2I_AUTHORITY_KEYID 119
906#define X509V3_F_V2I_BASIC_CONSTRAINTS 102
907#define X509V3_F_V2I_CRLD 134
908#define X509V3_F_V2I_EXTENDED_KEY_USAGE 103
909#define X509V3_F_V2I_GENERAL_NAMES 118
910#define X509V3_F_V2I_GENERAL_NAME_EX 117
911#define X509V3_F_V2I_IDP 157
912#define X509V3_F_V2I_IPADDRBLOCKS 159
913#define X509V3_F_V2I_ISSUER_ALT 153
914#define X509V3_F_V2I_NAME_CONSTRAINTS 147
915#define X509V3_F_V2I_POLICY_CONSTRAINTS 146
916#define X509V3_F_V2I_POLICY_MAPPINGS 145
917#define X509V3_F_V2I_SUBJECT_ALT 154
918#define X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL 160
919#define X509V3_F_V3_GENERIC_EXTENSION 116
920#define X509V3_F_X509V3_ADD1_I2D 140
921#define X509V3_F_X509V3_ADD_VALUE 105
922#define X509V3_F_X509V3_EXT_ADD 104
923#define X509V3_F_X509V3_EXT_ADD_ALIAS 106
924#define X509V3_F_X509V3_EXT_CONF 107
925#define X509V3_F_X509V3_EXT_I2D 136
926#define X509V3_F_X509V3_EXT_NCONF 152
927#define X509V3_F_X509V3_GET_SECTION 142
928#define X509V3_F_X509V3_GET_STRING 143
929#define X509V3_F_X509V3_GET_VALUE_BOOL 110
930#define X509V3_F_X509V3_PARSE_LIST 109
931#define X509V3_F_X509_PURPOSE_ADD 137
932#define X509V3_F_X509_PURPOSE_SET 141
933
934/* Reason codes. */
935#define X509V3_R_BAD_IP_ADDRESS 118
936#define X509V3_R_BAD_OBJECT 119
937#define X509V3_R_BN_DEC2BN_ERROR 100
938#define X509V3_R_BN_TO_ASN1_INTEGER_ERROR 101
939#define X509V3_R_DIRNAME_ERROR 149
940#define X509V3_R_DISTPOINT_ALREADY_SET 160
941#define X509V3_R_DUPLICATE_ZONE_ID 133
942#define X509V3_R_ERROR_CONVERTING_ZONE 131
943#define X509V3_R_ERROR_CREATING_EXTENSION 144
944#define X509V3_R_ERROR_IN_EXTENSION 128
945#define X509V3_R_EXPECTED_A_SECTION_NAME 137
946#define X509V3_R_EXTENSION_EXISTS 145
947#define X509V3_R_EXTENSION_NAME_ERROR 115
948#define X509V3_R_EXTENSION_NOT_FOUND 102
949#define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 103
950#define X509V3_R_EXTENSION_VALUE_ERROR 116
951#define X509V3_R_ILLEGAL_EMPTY_EXTENSION 151
952#define X509V3_R_ILLEGAL_HEX_DIGIT 113
953#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 152
954#define X509V3_R_INVALID_MULTIPLE_RDNS 161
955#define X509V3_R_INVALID_ASNUMBER 162
956#define X509V3_R_INVALID_ASRANGE 163
957#define X509V3_R_INVALID_BOOLEAN_STRING 104
958#define X509V3_R_INVALID_EXTENSION_STRING 105
959#define X509V3_R_INVALID_INHERITANCE 165
960#define X509V3_R_INVALID_IPADDRESS 166
961#define X509V3_R_INVALID_NAME 106
962#define X509V3_R_INVALID_NULL_ARGUMENT 107
963#define X509V3_R_INVALID_NULL_NAME 108
964#define X509V3_R_INVALID_NULL_VALUE 109
965#define X509V3_R_INVALID_NUMBER 140
966#define X509V3_R_INVALID_NUMBERS 141
967#define X509V3_R_INVALID_OBJECT_IDENTIFIER 110
968#define X509V3_R_INVALID_OPTION 138
969#define X509V3_R_INVALID_POLICY_IDENTIFIER 134
970#define X509V3_R_INVALID_PROXY_POLICY_SETTING 153
971#define X509V3_R_INVALID_PURPOSE 146
972#define X509V3_R_INVALID_SAFI 164
973#define X509V3_R_INVALID_SECTION 135
974#define X509V3_R_INVALID_SYNTAX 143
975#define X509V3_R_ISSUER_DECODE_ERROR 126
976#define X509V3_R_MISSING_VALUE 124
977#define X509V3_R_NEED_ORGANIZATION_AND_NUMBERS 142
978#define X509V3_R_NO_CONFIG_DATABASE 136
979#define X509V3_R_NO_ISSUER_CERTIFICATE 121
980#define X509V3_R_NO_ISSUER_DETAILS 127
981#define X509V3_R_NO_POLICY_IDENTIFIER 139
982#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 154
983#define X509V3_R_NO_PUBLIC_KEY 114
984#define X509V3_R_NO_SUBJECT_DETAILS 125
985#define X509V3_R_ODD_NUMBER_OF_DIGITS 112
986#define X509V3_R_OPERATION_NOT_DEFINED 148
987#define X509V3_R_OTHERNAME_ERROR 147
988#define X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED 155
989#define X509V3_R_POLICY_PATH_LENGTH 156
990#define X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED 157
991#define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED 158
992#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 159
993#define X509V3_R_SECTION_NOT_FOUND 150
994#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 122
995#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 123
996#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 111
997#define X509V3_R_UNKNOWN_EXTENSION 129
998#define X509V3_R_UNKNOWN_EXTENSION_NAME 130
999#define X509V3_R_UNKNOWN_OPTION 120
1000#define X509V3_R_UNSUPPORTED_OPTION 117
1001#define X509V3_R_UNSUPPORTED_TYPE 167
1002#define X509V3_R_USER_TOO_LONG 132
1003
1004#ifdef __cplusplus
1005}
1006#endif
1007#endif