summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/x509
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libcrypto/x509/by_file.c4
-rw-r--r--src/lib/libcrypto/x509/x509.h11
-rw-r--r--src/lib/libcrypto/x509/x509_cmp.c48
-rw-r--r--src/lib/libcrypto/x509/x509_r2x.c6
-rw-r--r--src/lib/libcrypto/x509/x509_req.c35
-rw-r--r--src/lib/libcrypto/x509/x509_txt.c13
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c131
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.h8
-rw-r--r--src/lib/libcrypto/x509/x509cset.c1
-rw-r--r--src/lib/libcrypto/x509/x509name.c10
-rw-r--r--src/lib/libcrypto/x509/x_all.c1
-rw-r--r--src/lib/libcrypto/x509v3/ext_dat.h11
-rw-r--r--src/lib/libcrypto/x509v3/v3_bitst.c7
-rw-r--r--src/lib/libcrypto/x509v3/v3_ia5.c5
-rw-r--r--src/lib/libcrypto/x509v3/v3_int.c19
-rw-r--r--src/lib/libcrypto/x509v3/v3_purp.c75
-rw-r--r--src/lib/libcrypto/x509v3/v3err.c14
-rw-r--r--src/lib/libcrypto/x509v3/x509v3.h31
18 files changed, 325 insertions, 105 deletions
diff --git a/src/lib/libcrypto/x509/by_file.c b/src/lib/libcrypto/x509/by_file.c
index b4b04183d0..a5e0d4aefa 100644
--- a/src/lib/libcrypto/x509/by_file.c
+++ b/src/lib/libcrypto/x509/by_file.c
@@ -150,7 +150,7 @@ int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type)
150 x=PEM_read_bio_X509_AUX(in,NULL,NULL,NULL); 150 x=PEM_read_bio_X509_AUX(in,NULL,NULL,NULL);
151 if (x == NULL) 151 if (x == NULL)
152 { 152 {
153 if ((ERR_GET_REASON(ERR_peek_error()) == 153 if ((ERR_GET_REASON(ERR_peek_last_error()) ==
154 PEM_R_NO_START_LINE) && (count > 0)) 154 PEM_R_NO_START_LINE) && (count > 0))
155 { 155 {
156 ERR_clear_error(); 156 ERR_clear_error();
@@ -217,7 +217,7 @@ int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type)
217 x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL); 217 x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
218 if (x == NULL) 218 if (x == NULL)
219 { 219 {
220 if ((ERR_GET_REASON(ERR_peek_error()) == 220 if ((ERR_GET_REASON(ERR_peek_last_error()) ==
221 PEM_R_NO_START_LINE) && (count > 0)) 221 PEM_R_NO_START_LINE) && (count > 0))
222 { 222 {
223 ERR_clear_error(); 223 ERR_clear_error();
diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
index 8d0c7e2e17..e8c1a59cf2 100644
--- a/src/lib/libcrypto/x509/x509.h
+++ b/src/lib/libcrypto/x509/x509.h
@@ -410,6 +410,7 @@ typedef struct X509_crl_info_st
410 ASN1_TIME *nextUpdate; 410 ASN1_TIME *nextUpdate;
411 STACK_OF(X509_REVOKED) *revoked; 411 STACK_OF(X509_REVOKED) *revoked;
412 STACK_OF(X509_EXTENSION) /* [0] */ *extensions; 412 STACK_OF(X509_EXTENSION) /* [0] */ *extensions;
413 ASN1_ENCODING enc;
413 } X509_CRL_INFO; 414 } X509_CRL_INFO;
414 415
415struct X509_crl_st 416struct X509_crl_st
@@ -1037,18 +1038,18 @@ int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type,
1037int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type, 1038int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
1038 unsigned char *bytes, int len, int loc, int set); 1039 unsigned char *bytes, int len, int loc, int set);
1039X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, 1040X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
1040 char *field, int type, unsigned char *bytes, int len); 1041 const char *field, int type, const unsigned char *bytes, int len);
1041X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, 1042X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
1042 int type,unsigned char *bytes, int len); 1043 int type,unsigned char *bytes, int len);
1043int X509_NAME_add_entry_by_txt(X509_NAME *name, char *field, int type, 1044int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type,
1044 unsigned char *bytes, int len, int loc, int set); 1045 const unsigned char *bytes, int len, int loc, int set);
1045X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, 1046X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
1046 ASN1_OBJECT *obj, int type,unsigned char *bytes, 1047 ASN1_OBJECT *obj, int type,const unsigned char *bytes,
1047 int len); 1048 int len);
1048int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, 1049int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne,
1049 ASN1_OBJECT *obj); 1050 ASN1_OBJECT *obj);
1050int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, 1051int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
1051 unsigned char *bytes, int len); 1052 const unsigned char *bytes, int len);
1052ASN1_OBJECT * X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne); 1053ASN1_OBJECT * X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne);
1053ASN1_STRING * X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne); 1054ASN1_STRING * X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne);
1054 1055
diff --git a/src/lib/libcrypto/x509/x509_cmp.c b/src/lib/libcrypto/x509/x509_cmp.c
index f460102f49..030d0966fc 100644
--- a/src/lib/libcrypto/x509/x509_cmp.c
+++ b/src/lib/libcrypto/x509/x509_cmp.c
@@ -254,33 +254,49 @@ static int nocase_spacenorm_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
254 return 0; 254 return 0;
255} 255}
256 256
257static int asn1_string_memcmp(ASN1_STRING *a, ASN1_STRING *b)
258 {
259 int j;
260 j = a->length - b->length;
261 if (j)
262 return j;
263 return memcmp(a->data, b->data, a->length);
264 }
265
266#define STR_TYPE_CMP (B_ASN1_PRINTABLESTRING|B_ASN1_T61STRING|B_ASN1_UTF8STRING)
267
257int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) 268int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
258 { 269 {
259 int i,j; 270 int i,j;
260 X509_NAME_ENTRY *na,*nb; 271 X509_NAME_ENTRY *na,*nb;
261 272
262 if (sk_X509_NAME_ENTRY_num(a->entries) 273 unsigned long nabit, nbbit;
263 != sk_X509_NAME_ENTRY_num(b->entries)) 274
264 return sk_X509_NAME_ENTRY_num(a->entries) 275 j = sk_X509_NAME_ENTRY_num(a->entries)
265 -sk_X509_NAME_ENTRY_num(b->entries); 276 - sk_X509_NAME_ENTRY_num(b->entries);
277 if (j)
278 return j;
266 for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--) 279 for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--)
267 { 280 {
268 na=sk_X509_NAME_ENTRY_value(a->entries,i); 281 na=sk_X509_NAME_ENTRY_value(a->entries,i);
269 nb=sk_X509_NAME_ENTRY_value(b->entries,i); 282 nb=sk_X509_NAME_ENTRY_value(b->entries,i);
270 j=na->value->type-nb->value->type; 283 j=na->value->type-nb->value->type;
271 if (j) return(j); 284 if (j)
272 if (na->value->type == V_ASN1_PRINTABLESTRING) 285 {
286 nabit = ASN1_tag2bit(na->value->type);
287 nbbit = ASN1_tag2bit(nb->value->type);
288 if (!(nabit & STR_TYPE_CMP) ||
289 !(nbbit & STR_TYPE_CMP))
290 return j;
291 j = asn1_string_memcmp(na->value, nb->value);
292 }
293 else if (na->value->type == V_ASN1_PRINTABLESTRING)
273 j=nocase_spacenorm_cmp(na->value, nb->value); 294 j=nocase_spacenorm_cmp(na->value, nb->value);
274 else if (na->value->type == V_ASN1_IA5STRING 295 else if (na->value->type == V_ASN1_IA5STRING
275 && OBJ_obj2nid(na->object) == NID_pkcs9_emailAddress) 296 && OBJ_obj2nid(na->object) == NID_pkcs9_emailAddress)
276 j=nocase_cmp(na->value, nb->value); 297 j=nocase_cmp(na->value, nb->value);
277 else 298 else
278 { 299 j = asn1_string_memcmp(na->value, nb->value);
279 j=na->value->length-nb->value->length;
280 if (j) return(j);
281 j=memcmp(na->value->data,nb->value->data,
282 na->value->length);
283 }
284 if (j) return(j); 300 if (j) return(j);
285 j=na->set-nb->set; 301 j=na->set-nb->set;
286 if (j) return(j); 302 if (j) return(j);
@@ -306,10 +322,16 @@ unsigned long X509_NAME_hash(X509_NAME *x)
306 { 322 {
307 unsigned long ret=0; 323 unsigned long ret=0;
308 unsigned char md[16]; 324 unsigned char md[16];
325 EVP_MD_CTX md_ctx;
309 326
310 /* Make sure X509_NAME structure contains valid cached encoding */ 327 /* Make sure X509_NAME structure contains valid cached encoding */
311 i2d_X509_NAME(x,NULL); 328 i2d_X509_NAME(x,NULL);
312 EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL); 329 EVP_MD_CTX_init(&md_ctx);
330 EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
331 EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL);
332 EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length);
333 EVP_DigestFinal_ex(&md_ctx,md,NULL);
334 EVP_MD_CTX_cleanup(&md_ctx);
313 335
314 ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)| 336 ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
315 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L) 337 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
diff --git a/src/lib/libcrypto/x509/x509_r2x.c b/src/lib/libcrypto/x509/x509_r2x.c
index db051033d9..fb8a78dabe 100644
--- a/src/lib/libcrypto/x509/x509_r2x.c
+++ b/src/lib/libcrypto/x509/x509_r2x.c
@@ -92,8 +92,10 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
92 X509_set_subject_name(ret,X509_NAME_dup(xn)); 92 X509_set_subject_name(ret,X509_NAME_dup(xn));
93 X509_set_issuer_name(ret,X509_NAME_dup(xn)); 93 X509_set_issuer_name(ret,X509_NAME_dup(xn));
94 94
95 X509_gmtime_adj(xi->validity->notBefore,0); 95 if (X509_gmtime_adj(xi->validity->notBefore,0) == NULL)
96 X509_gmtime_adj(xi->validity->notAfter,(long)60*60*24*days); 96 goto err;
97 if (X509_gmtime_adj(xi->validity->notAfter,(long)60*60*24*days) == NULL)
98 goto err;
97 99
98 X509_set_pubkey(ret,X509_REQ_get_pubkey(r)); 100 X509_set_pubkey(ret,X509_REQ_get_pubkey(r));
99 101
diff --git a/src/lib/libcrypto/x509/x509_req.c b/src/lib/libcrypto/x509/x509_req.c
index 0affa3bf30..59fc6ca548 100644
--- a/src/lib/libcrypto/x509/x509_req.c
+++ b/src/lib/libcrypto/x509/x509_req.c
@@ -118,7 +118,7 @@ EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req)
118 * used and there may be more: so the list is configurable. 118 * used and there may be more: so the list is configurable.
119 */ 119 */
120 120
121static int ext_nid_list[] = { NID_ms_ext_req, NID_ext_req, NID_undef}; 121static int ext_nid_list[] = { NID_ext_req, NID_ms_ext_req, NID_undef};
122 122
123static int *ext_nids = ext_nid_list; 123static int *ext_nids = ext_nid_list;
124 124
@@ -143,32 +143,33 @@ void X509_REQ_set_extension_nids(int *nids)
143} 143}
144 144
145STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req) 145STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
146{ 146 {
147 X509_ATTRIBUTE *attr; 147 X509_ATTRIBUTE *attr;
148 STACK_OF(X509_ATTRIBUTE) *sk;
149 ASN1_TYPE *ext = NULL; 148 ASN1_TYPE *ext = NULL;
150 int i; 149 int idx, *pnid;
151 unsigned char *p; 150 unsigned char *p;
152 if ((req == NULL) || (req->req_info == NULL)) 151
152 if ((req == NULL) || (req->req_info == NULL) || !ext_nids)
153 return(NULL); 153 return(NULL);
154 sk=req->req_info->attributes; 154 for (pnid = ext_nids; *pnid != NID_undef; pnid++)
155 if (!sk) return NULL; 155 {
156 for(i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) { 156 idx = X509_REQ_get_attr_by_NID(req, *pnid, -1);
157 attr = sk_X509_ATTRIBUTE_value(sk, i); 157 if (idx == -1)
158 if(X509_REQ_extension_nid(OBJ_obj2nid(attr->object))) { 158 continue;
159 if(attr->single) ext = attr->value.single; 159 attr = X509_REQ_get_attr(req, idx);
160 else if(sk_ASN1_TYPE_num(attr->value.set)) 160 if(attr->single) ext = attr->value.single;
161 ext = sk_ASN1_TYPE_value(attr->value.set, 0); 161 else if(sk_ASN1_TYPE_num(attr->value.set))
162 break; 162 ext = sk_ASN1_TYPE_value(attr->value.set, 0);
163 break;
163 } 164 }
164 } 165 if(!ext || (ext->type != V_ASN1_SEQUENCE))
165 if(!ext || (ext->type != V_ASN1_SEQUENCE)) return NULL; 166 return NULL;
166 p = ext->value.sequence->data; 167 p = ext->value.sequence->data;
167 return d2i_ASN1_SET_OF_X509_EXTENSION(NULL, &p, 168 return d2i_ASN1_SET_OF_X509_EXTENSION(NULL, &p,
168 ext->value.sequence->length, 169 ext->value.sequence->length,
169 d2i_X509_EXTENSION, X509_EXTENSION_free, 170 d2i_X509_EXTENSION, X509_EXTENSION_free,
170 V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL); 171 V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
171} 172 }
172 173
173/* Add a STACK_OF extensions to a certificate request: allow alternative OIDs 174/* Add a STACK_OF extensions to a certificate request: allow alternative OIDs
174 * in case we want to create a non standard one. 175 * in case we want to create a non standard one.
diff --git a/src/lib/libcrypto/x509/x509_txt.c b/src/lib/libcrypto/x509/x509_txt.c
index e31ebc6741..f19e66a238 100644
--- a/src/lib/libcrypto/x509/x509_txt.c
+++ b/src/lib/libcrypto/x509/x509_txt.c
@@ -122,8 +122,14 @@ const char *X509_verify_cert_error_string(long n)
122 return("certificate revoked"); 122 return("certificate revoked");
123 case X509_V_ERR_INVALID_CA: 123 case X509_V_ERR_INVALID_CA:
124 return ("invalid CA certificate"); 124 return ("invalid CA certificate");
125 case X509_V_ERR_INVALID_NON_CA:
126 return ("invalid non-CA certificate (has CA markings)");
125 case X509_V_ERR_PATH_LENGTH_EXCEEDED: 127 case X509_V_ERR_PATH_LENGTH_EXCEEDED:
126 return ("path length constraint exceeded"); 128 return ("path length constraint exceeded");
129 case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
130 return("proxy path length constraint exceeded");
131 case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
132 return("proxy cerificates not allowed, please set the appropriate flag");
127 case X509_V_ERR_INVALID_PURPOSE: 133 case X509_V_ERR_INVALID_PURPOSE:
128 return ("unsupported certificate purpose"); 134 return ("unsupported certificate purpose");
129 case X509_V_ERR_CERT_UNTRUSTED: 135 case X509_V_ERR_CERT_UNTRUSTED:
@@ -140,19 +146,16 @@ const char *X509_verify_cert_error_string(long n)
140 return("authority and issuer serial number mismatch"); 146 return("authority and issuer serial number mismatch");
141 case X509_V_ERR_KEYUSAGE_NO_CERTSIGN: 147 case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
142 return("key usage does not include certificate signing"); 148 return("key usage does not include certificate signing");
143
144 case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: 149 case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
145 return("unable to get CRL issuer certificate"); 150 return("unable to get CRL issuer certificate");
146
147 case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: 151 case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
148 return("unhandled critical extension"); 152 return("unhandled critical extension");
149
150 case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: 153 case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
151 return("key usage does not include CRL signing"); 154 return("key usage does not include CRL signing");
152 155 case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
156 return("key usage does not include digital signature");
153 case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: 157 case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
154 return("unhandled critical CRL extension"); 158 return("unhandled critical CRL extension");
155
156 default: 159 default:
157 BIO_snprintf(buf,sizeof buf,"error number %ld",n); 160 BIO_snprintf(buf,sizeof buf,"error number %ld",n);
158 return(buf); 161 return(buf);
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 2e4d0b823a..e43c861ee7 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -73,7 +73,7 @@
73static int null_callback(int ok,X509_STORE_CTX *e); 73static int null_callback(int ok,X509_STORE_CTX *e);
74static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); 74static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
75static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x); 75static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
76static int check_chain_purpose(X509_STORE_CTX *ctx); 76static int check_chain_extensions(X509_STORE_CTX *ctx);
77static int check_trust(X509_STORE_CTX *ctx); 77static int check_trust(X509_STORE_CTX *ctx);
78static int check_revocation(X509_STORE_CTX *ctx); 78static int check_revocation(X509_STORE_CTX *ctx);
79static int check_cert(X509_STORE_CTX *ctx); 79static int check_cert(X509_STORE_CTX *ctx);
@@ -281,7 +281,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
281 } 281 }
282 282
283 /* We have the chain complete: now we need to check its purpose */ 283 /* We have the chain complete: now we need to check its purpose */
284 if (ctx->purpose > 0) ok = check_chain_purpose(ctx); 284 ok = check_chain_extensions(ctx);
285 285
286 if (!ok) goto end; 286 if (!ok) goto end;
287 287
@@ -365,21 +365,39 @@ static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
365 else 365 else
366 return 0; 366 return 0;
367} 367}
368 368
369 369
370/* Check a certificate chains extensions for consistency 370/* Check a certificate chains extensions for consistency
371 * with the supplied purpose 371 * with the supplied purpose
372 */ 372 */
373 373
374static int check_chain_purpose(X509_STORE_CTX *ctx) 374static int check_chain_extensions(X509_STORE_CTX *ctx)
375{ 375{
376#ifdef OPENSSL_NO_CHAIN_VERIFY 376#ifdef OPENSSL_NO_CHAIN_VERIFY
377 return 1; 377 return 1;
378#else 378#else
379 int i, ok=0; 379 int i, ok=0, must_be_ca;
380 X509 *x; 380 X509 *x;
381 int (*cb)(); 381 int (*cb)();
382 int proxy_path_length = 0;
383 int allow_proxy_certs = !!(ctx->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
382 cb=ctx->verify_cb; 384 cb=ctx->verify_cb;
385
386 /* must_be_ca can have 1 of 3 values:
387 -1: we accept both CA and non-CA certificates, to allow direct
388 use of self-signed certificates (which are marked as CA).
389 0: we only accept non-CA certificates. This is currently not
390 used, but the possibility is present for future extensions.
391 1: we only accept CA certificates. This is currently used for
392 all certificates in the chain except the leaf certificate.
393 */
394 must_be_ca = -1;
395
396 /* A hack to keep people who don't want to modify their software
397 happy */
398 if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
399 allow_proxy_certs = 1;
400
383 /* Check all untrusted certificates */ 401 /* Check all untrusted certificates */
384 for (i = 0; i < ctx->last_untrusted; i++) 402 for (i = 0; i < ctx->last_untrusted; i++)
385 { 403 {
@@ -394,23 +412,73 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
394 ok=cb(0,ctx); 412 ok=cb(0,ctx);
395 if (!ok) goto end; 413 if (!ok) goto end;
396 } 414 }
397 ret = X509_check_purpose(x, ctx->purpose, i); 415 if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY))
398 if ((ret == 0)
399 || ((ctx->flags & X509_V_FLAG_X509_STRICT)
400 && (ret != 1)))
401 { 416 {
402 if (i) 417 ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
418 ctx->error_depth = i;
419 ctx->current_cert = x;
420 ok=cb(0,ctx);
421 if (!ok) goto end;
422 }
423 ret = X509_check_ca(x);
424 switch(must_be_ca)
425 {
426 case -1:
427 if ((ctx->flags & X509_V_FLAG_X509_STRICT)
428 && (ret != 1) && (ret != 0))
429 {
430 ret = 0;
403 ctx->error = X509_V_ERR_INVALID_CA; 431 ctx->error = X509_V_ERR_INVALID_CA;
432 }
404 else 433 else
405 ctx->error = X509_V_ERR_INVALID_PURPOSE; 434 ret = 1;
435 break;
436 case 0:
437 if (ret != 0)
438 {
439 ret = 0;
440 ctx->error = X509_V_ERR_INVALID_NON_CA;
441 }
442 else
443 ret = 1;
444 break;
445 default:
446 if ((ret == 0)
447 || ((ctx->flags & X509_V_FLAG_X509_STRICT)
448 && (ret != 1)))
449 {
450 ret = 0;
451 ctx->error = X509_V_ERR_INVALID_CA;
452 }
453 else
454 ret = 1;
455 break;
456 }
457 if (ret == 0)
458 {
406 ctx->error_depth = i; 459 ctx->error_depth = i;
407 ctx->current_cert = x; 460 ctx->current_cert = x;
408 ok=cb(0,ctx); 461 ok=cb(0,ctx);
409 if (!ok) goto end; 462 if (!ok) goto end;
410 } 463 }
464 if (ctx->purpose > 0)
465 {
466 ret = X509_check_purpose(x, ctx->purpose,
467 must_be_ca > 0);
468 if ((ret == 0)
469 || ((ctx->flags & X509_V_FLAG_X509_STRICT)
470 && (ret != 1)))
471 {
472 ctx->error = X509_V_ERR_INVALID_PURPOSE;
473 ctx->error_depth = i;
474 ctx->current_cert = x;
475 ok=cb(0,ctx);
476 if (!ok) goto end;
477 }
478 }
411 /* Check pathlen */ 479 /* Check pathlen */
412 if ((i > 1) && (x->ex_pathlen != -1) 480 if ((i > 1) && (x->ex_pathlen != -1)
413 && (i > (x->ex_pathlen + 1))) 481 && (i > (x->ex_pathlen + proxy_path_length + 1)))
414 { 482 {
415 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; 483 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
416 ctx->error_depth = i; 484 ctx->error_depth = i;
@@ -418,6 +486,32 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
418 ok=cb(0,ctx); 486 ok=cb(0,ctx);
419 if (!ok) goto end; 487 if (!ok) goto end;
420 } 488 }
489 /* If this certificate is a proxy certificate, the next
490 certificate must be another proxy certificate or a EE
491 certificate. If not, the next certificate must be a
492 CA certificate. */
493 if (x->ex_flags & EXFLAG_PROXY)
494 {
495 PROXY_CERT_INFO_EXTENSION *pci =
496 X509_get_ext_d2i(x, NID_proxyCertInfo,
497 NULL, NULL);
498 if (pci->pcPathLengthConstraint &&
499 ASN1_INTEGER_get(pci->pcPathLengthConstraint)
500 < i)
501 {
502 PROXY_CERT_INFO_EXTENSION_free(pci);
503 ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
504 ctx->error_depth = i;
505 ctx->current_cert = x;
506 ok=cb(0,ctx);
507 if (!ok) goto end;
508 }
509 PROXY_CERT_INFO_EXTENSION_free(pci);
510 proxy_path_length++;
511 must_be_ca = 0;
512 }
513 else
514 must_be_ca = 1;
421 } 515 }
422 ok = 1; 516 ok = 1;
423 end: 517 end:
@@ -627,6 +721,15 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
627 X509_EXTENSION *ext; 721 X509_EXTENSION *ext;
628 /* Look for serial number of certificate in CRL */ 722 /* Look for serial number of certificate in CRL */
629 rtmp.serialNumber = X509_get_serialNumber(x); 723 rtmp.serialNumber = X509_get_serialNumber(x);
724 /* Sort revoked into serial number order if not already sorted.
725 * Do this under a lock to avoid race condition.
726 */
727 if (!sk_X509_REVOKED_is_sorted(crl->crl->revoked))
728 {
729 CRYPTO_w_lock(CRYPTO_LOCK_X509_CRL);
730 sk_X509_REVOKED_sort(crl->crl->revoked);
731 CRYPTO_w_unlock(CRYPTO_LOCK_X509_CRL);
732 }
630 idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp); 733 idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp);
631 /* If found assume revoked: want something cleverer than 734 /* If found assume revoked: want something cleverer than
632 * this to handle entry extensions in V2 CRLs. 735 * this to handle entry extensions in V2 CRLs.
@@ -772,6 +875,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
772 } 875 }
773 876
774 /* The last error (if any) is still in the error value */ 877 /* The last error (if any) is still in the error value */
878 ctx->current_issuer=xi;
775 ctx->current_cert=xs; 879 ctx->current_cert=xs;
776 ok=(*cb)(1,ctx); 880 ok=(*cb)(1,ctx);
777 if (!ok) goto end; 881 if (!ok) goto end;
@@ -851,7 +955,8 @@ int X509_cmp_time(ASN1_TIME *ctm, time_t *cmp_time)
851 atm.length=sizeof(buff2); 955 atm.length=sizeof(buff2);
852 atm.data=(unsigned char *)buff2; 956 atm.data=(unsigned char *)buff2;
853 957
854 X509_time_adj(&atm,-offset*60, cmp_time); 958 if (X509_time_adj(&atm,-offset*60, cmp_time) == NULL)
959 return 0;
855 960
856 if (ctm->type == V_ASN1_UTCTIME) 961 if (ctm->type == V_ASN1_UTCTIME)
857 { 962 {
diff --git a/src/lib/libcrypto/x509/x509_vfy.h b/src/lib/libcrypto/x509/x509_vfy.h
index 198495884c..7fd1f0bc4d 100644
--- a/src/lib/libcrypto/x509/x509_vfy.h
+++ b/src/lib/libcrypto/x509/x509_vfy.h
@@ -276,7 +276,7 @@ struct x509_store_ctx_st /* X509_STORE_CTX */
276#define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6 276#define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6
277#define X509_V_ERR_CERT_SIGNATURE_FAILURE 7 277#define X509_V_ERR_CERT_SIGNATURE_FAILURE 7
278#define X509_V_ERR_CRL_SIGNATURE_FAILURE 8 278#define X509_V_ERR_CRL_SIGNATURE_FAILURE 8
279#define X509_V_ERR_CERT_NOT_YET_VALID 9 279#define X509_V_ERR_CERT_NOT_YET_VALID 9
280#define X509_V_ERR_CERT_HAS_EXPIRED 10 280#define X509_V_ERR_CERT_HAS_EXPIRED 10
281#define X509_V_ERR_CRL_NOT_YET_VALID 11 281#define X509_V_ERR_CRL_NOT_YET_VALID 11
282#define X509_V_ERR_CRL_HAS_EXPIRED 12 282#define X509_V_ERR_CRL_HAS_EXPIRED 12
@@ -306,6 +306,10 @@ struct x509_store_ctx_st /* X509_STORE_CTX */
306#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34 306#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34
307#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35 307#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35
308#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36 308#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36
309#define X509_V_ERR_INVALID_NON_CA 37
310#define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38
311#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39
312#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40
309 313
310/* The application is not happy */ 314/* The application is not happy */
311#define X509_V_ERR_APPLICATION_VERIFICATION 50 315#define X509_V_ERR_APPLICATION_VERIFICATION 50
@@ -324,6 +328,8 @@ struct x509_store_ctx_st /* X509_STORE_CTX */
324#define X509_V_FLAG_IGNORE_CRITICAL 0x10 328#define X509_V_FLAG_IGNORE_CRITICAL 0x10
325/* Disable workarounds for broken certificates */ 329/* Disable workarounds for broken certificates */
326#define X509_V_FLAG_X509_STRICT 0x20 330#define X509_V_FLAG_X509_STRICT 0x20
331/* Enable proxy certificate validation */
332#define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40
327 333
328int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, 334int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
329 X509_NAME *name); 335 X509_NAME *name);
diff --git a/src/lib/libcrypto/x509/x509cset.c b/src/lib/libcrypto/x509/x509cset.c
index 6cac440ea9..9d1646d5c8 100644
--- a/src/lib/libcrypto/x509/x509cset.c
+++ b/src/lib/libcrypto/x509/x509cset.c
@@ -129,6 +129,7 @@ int X509_CRL_sort(X509_CRL *c)
129 r=sk_X509_REVOKED_value(c->crl->revoked,i); 129 r=sk_X509_REVOKED_value(c->crl->revoked,i);
130 r->sequence=i; 130 r->sequence=i;
131 } 131 }
132 c->crl->enc.modified = 1;
132 return 1; 133 return 1;
133 } 134 }
134 135
diff --git a/src/lib/libcrypto/x509/x509name.c b/src/lib/libcrypto/x509/x509name.c
index 4c20e03ece..068abfe5f0 100644
--- a/src/lib/libcrypto/x509/x509name.c
+++ b/src/lib/libcrypto/x509/x509name.c
@@ -195,8 +195,8 @@ int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
195 return ret; 195 return ret;
196} 196}
197 197
198int X509_NAME_add_entry_by_txt(X509_NAME *name, char *field, int type, 198int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type,
199 unsigned char *bytes, int len, int loc, int set) 199 const unsigned char *bytes, int len, int loc, int set)
200{ 200{
201 X509_NAME_ENTRY *ne; 201 X509_NAME_ENTRY *ne;
202 int ret; 202 int ret;
@@ -273,7 +273,7 @@ err:
273 } 273 }
274 274
275X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, 275X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
276 char *field, int type, unsigned char *bytes, int len) 276 const char *field, int type, const unsigned char *bytes, int len)
277 { 277 {
278 ASN1_OBJECT *obj; 278 ASN1_OBJECT *obj;
279 X509_NAME_ENTRY *nentry; 279 X509_NAME_ENTRY *nentry;
@@ -309,7 +309,7 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
309 } 309 }
310 310
311X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, 311X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
312 ASN1_OBJECT *obj, int type, unsigned char *bytes, int len) 312 ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len)
313 { 313 {
314 X509_NAME_ENTRY *ret; 314 X509_NAME_ENTRY *ret;
315 315
@@ -347,7 +347,7 @@ int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj)
347 } 347 }
348 348
349int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, 349int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
350 unsigned char *bytes, int len) 350 const unsigned char *bytes, int len)
351 { 351 {
352 int i; 352 int i;
353 353
diff --git a/src/lib/libcrypto/x509/x_all.c b/src/lib/libcrypto/x509/x_all.c
index fb5015cd4d..ac6dea493a 100644
--- a/src/lib/libcrypto/x509/x_all.c
+++ b/src/lib/libcrypto/x509/x_all.c
@@ -103,6 +103,7 @@ int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
103 103
104int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md) 104int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
105 { 105 {
106 x->crl->enc.modified = 1;
106 return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO),x->crl->sig_alg, 107 return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO),x->crl->sig_alg,
107 x->sig_alg, x->signature, x->crl,pkey,md)); 108 x->sig_alg, x->signature, x->crl,pkey,md));
108 } 109 }
diff --git a/src/lib/libcrypto/x509v3/ext_dat.h b/src/lib/libcrypto/x509v3/ext_dat.h
index 5442480595..d8328ac468 100644
--- a/src/lib/libcrypto/x509v3/ext_dat.h
+++ b/src/lib/libcrypto/x509v3/ext_dat.h
@@ -3,7 +3,7 @@
3 * project 1999. 3 * project 1999.
4 */ 4 */
5/* ==================================================================== 5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 * 7 *
8 * Redistribution and use in source and binary forms, with or without 8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions 9 * modification, are permitted provided that the following conditions
@@ -60,10 +60,11 @@
60extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku; 60extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
61extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo; 61extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo;
62extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id; 62extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
63extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate, v3_cpols, v3_crld; 63extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
64extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld;
64extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff; 65extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
65extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc; 66extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
66extern X509V3_EXT_METHOD v3_crl_hold; 67extern X509V3_EXT_METHOD v3_crl_hold, v3_pci;
67 68
68/* This table will be searched using OBJ_bsearch so it *must* kept in 69/* This table will be searched using OBJ_bsearch so it *must* kept in
69 * order of the ext_nid values. 70 * order of the ext_nid values.
@@ -89,6 +90,7 @@ static X509V3_EXT_METHOD *standard_exts[] = {
89&v3_akey_id, 90&v3_akey_id,
90&v3_crld, 91&v3_crld,
91&v3_ext_ku, 92&v3_ext_ku,
93&v3_delta_crl,
92&v3_crl_reason, 94&v3_crl_reason,
93#ifndef OPENSSL_NO_OCSP 95#ifndef OPENSSL_NO_OCSP
94&v3_crl_invdate, 96&v3_crl_invdate,
@@ -105,8 +107,9 @@ static X509V3_EXT_METHOD *standard_exts[] = {
105#endif 107#endif
106&v3_sinfo, 108&v3_sinfo,
107#ifndef OPENSSL_NO_OCSP 109#ifndef OPENSSL_NO_OCSP
108&v3_crl_hold 110&v3_crl_hold,
109#endif 111#endif
112&v3_pci,
110}; 113};
111 114
112/* Number of standard extensions */ 115/* Number of standard extensions */
diff --git a/src/lib/libcrypto/x509v3/v3_bitst.c b/src/lib/libcrypto/x509v3/v3_bitst.c
index 16cf125562..274965306d 100644
--- a/src/lib/libcrypto/x509v3/v3_bitst.c
+++ b/src/lib/libcrypto/x509v3/v3_bitst.c
@@ -124,7 +124,12 @@ static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
124 for(bnam = method->usr_data; bnam->lname; bnam++) { 124 for(bnam = method->usr_data; bnam->lname; bnam++) {
125 if(!strcmp(bnam->sname, val->name) || 125 if(!strcmp(bnam->sname, val->name) ||
126 !strcmp(bnam->lname, val->name) ) { 126 !strcmp(bnam->lname, val->name) ) {
127 ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1); 127 if(!ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1)) {
128 X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,
129 ERR_R_MALLOC_FAILURE);
130 M_ASN1_BIT_STRING_free(bs);
131 return NULL;
132 }
128 break; 133 break;
129 } 134 }
130 } 135 }
diff --git a/src/lib/libcrypto/x509v3/v3_ia5.c b/src/lib/libcrypto/x509v3/v3_ia5.c
index f9414456de..9683afa47c 100644
--- a/src/lib/libcrypto/x509v3/v3_ia5.c
+++ b/src/lib/libcrypto/x509v3/v3_ia5.c
@@ -82,7 +82,10 @@ static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
82{ 82{
83 char *tmp; 83 char *tmp;
84 if(!ia5 || !ia5->length) return NULL; 84 if(!ia5 || !ia5->length) return NULL;
85 if (!(tmp = OPENSSL_malloc(ia5->length + 1))) return NULL; 85 if(!(tmp = OPENSSL_malloc(ia5->length + 1))) {
86 X509V3err(X509V3_F_I2S_ASN1_IA5STRING,ERR_R_MALLOC_FAILURE);
87 return NULL;
88 }
86 memcpy(tmp, ia5->data, ia5->length); 89 memcpy(tmp, ia5->data, ia5->length);
87 tmp[ia5->length] = 0; 90 tmp[ia5->length] = 0;
88 return tmp; 91 return tmp;
diff --git a/src/lib/libcrypto/x509v3/v3_int.c b/src/lib/libcrypto/x509v3/v3_int.c
index f34cbfb731..7a43b4717b 100644
--- a/src/lib/libcrypto/x509v3/v3_int.c
+++ b/src/lib/libcrypto/x509v3/v3_int.c
@@ -3,7 +3,7 @@
3 * project 1999. 3 * project 1999.
4 */ 4 */
5/* ==================================================================== 5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 * 7 *
8 * Redistribution and use in source and binary forms, with or without 8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions 9 * modification, are permitted provided that the following conditions
@@ -61,9 +61,16 @@
61#include <openssl/x509v3.h> 61#include <openssl/x509v3.h>
62 62
63X509V3_EXT_METHOD v3_crl_num = { 63X509V3_EXT_METHOD v3_crl_num = {
64NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER), 64 NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER),
650,0,0,0, 65 0,0,0,0,
66(X509V3_EXT_I2S)i2s_ASN1_INTEGER, 66 (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
670, 67 0,
680,0,0,0, NULL}; 68 0,0,0,0, NULL};
69
70X509V3_EXT_METHOD v3_delta_crl = {
71 NID_delta_crl, 0, ASN1_ITEM_ref(ASN1_INTEGER),
72 0,0,0,0,
73 (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
74 0,
75 0,0,0,0, NULL};
69 76
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c
index b3d1ae5d1c..bbdf6da493 100644
--- a/src/lib/libcrypto/x509v3/v3_purp.c
+++ b/src/lib/libcrypto/x509v3/v3_purp.c
@@ -63,7 +63,6 @@
63 63
64static void x509v3_cache_extensions(X509 *x); 64static void x509v3_cache_extensions(X509 *x);
65 65
66static int ca_check(const X509 *x);
67static int check_ssl_ca(const X509 *x); 66static int check_ssl_ca(const X509 *x);
68static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca); 67static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca);
69static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca); 68static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca);
@@ -286,7 +285,8 @@ int X509_supported_extension(X509_EXTENSION *ex)
286 NID_key_usage, /* 83 */ 285 NID_key_usage, /* 83 */
287 NID_subject_alt_name, /* 85 */ 286 NID_subject_alt_name, /* 85 */
288 NID_basic_constraints, /* 87 */ 287 NID_basic_constraints, /* 87 */
289 NID_ext_key_usage /* 126 */ 288 NID_ext_key_usage, /* 126 */
289 NID_proxyCertInfo /* 661 */
290 }; 290 };
291 291
292 int ex_nid; 292 int ex_nid;
@@ -307,6 +307,7 @@ int X509_supported_extension(X509_EXTENSION *ex)
307static void x509v3_cache_extensions(X509 *x) 307static void x509v3_cache_extensions(X509 *x)
308{ 308{
309 BASIC_CONSTRAINTS *bs; 309 BASIC_CONSTRAINTS *bs;
310 PROXY_CERT_INFO_EXTENSION *pci;
310 ASN1_BIT_STRING *usage; 311 ASN1_BIT_STRING *usage;
311 ASN1_BIT_STRING *ns; 312 ASN1_BIT_STRING *ns;
312 EXTENDED_KEY_USAGE *extusage; 313 EXTENDED_KEY_USAGE *extusage;
@@ -335,6 +336,16 @@ static void x509v3_cache_extensions(X509 *x)
335 BASIC_CONSTRAINTS_free(bs); 336 BASIC_CONSTRAINTS_free(bs);
336 x->ex_flags |= EXFLAG_BCONS; 337 x->ex_flags |= EXFLAG_BCONS;
337 } 338 }
339 /* Handle proxy certificates */
340 if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
341 if (x->ex_flags & EXFLAG_CA
342 || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
343 || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
344 x->ex_flags |= EXFLAG_INVALID;
345 }
346 PROXY_CERT_INFO_EXTENSION_free(pci);
347 x->ex_flags |= EXFLAG_PROXY;
348 }
338 /* Handle key usage */ 349 /* Handle key usage */
339 if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) { 350 if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
340 if(usage->length > 0) { 351 if(usage->length > 0) {
@@ -426,7 +437,7 @@ static void x509v3_cache_extensions(X509 *x)
426#define ns_reject(x, usage) \ 437#define ns_reject(x, usage) \
427 (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) 438 (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
428 439
429static int ca_check(const X509 *x) 440static int check_ca(const X509 *x)
430{ 441{
431 /* keyUsage if present should allow cert signing */ 442 /* keyUsage if present should allow cert signing */
432 if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0; 443 if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
@@ -435,25 +446,37 @@ static int ca_check(const X509 *x)
435 /* If basicConstraints says not a CA then say so */ 446 /* If basicConstraints says not a CA then say so */
436 else return 0; 447 else return 0;
437 } else { 448 } else {
449 /* we support V1 roots for... uh, I don't really know why. */
438 if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3; 450 if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
439 /* If key usage present it must have certSign so tolerate it */ 451 /* If key usage present it must have certSign so tolerate it */
440 else if (x->ex_flags & EXFLAG_KUSAGE) return 4; 452 else if (x->ex_flags & EXFLAG_KUSAGE) return 4;
441 else return 2; 453 /* Older certificates could have Netscape-specific CA types */
454 else if (x->ex_flags & EXFLAG_NSCERT
455 && x->ex_nscert & NS_ANY_CA) return 5;
456 /* can this still be regarded a CA certificate? I doubt it */
457 return 0;
442 } 458 }
443} 459}
444 460
461int X509_check_ca(X509 *x)
462{
463 if(!(x->ex_flags & EXFLAG_SET)) {
464 CRYPTO_w_lock(CRYPTO_LOCK_X509);
465 x509v3_cache_extensions(x);
466 CRYPTO_w_unlock(CRYPTO_LOCK_X509);
467 }
468
469 return check_ca(x);
470}
471
445/* Check SSL CA: common checks for SSL client and server */ 472/* Check SSL CA: common checks for SSL client and server */
446static int check_ssl_ca(const X509 *x) 473static int check_ssl_ca(const X509 *x)
447{ 474{
448 int ca_ret; 475 int ca_ret;
449 ca_ret = ca_check(x); 476 ca_ret = check_ca(x);
450 if(!ca_ret) return 0; 477 if(!ca_ret) return 0;
451 /* check nsCertType if present */ 478 /* check nsCertType if present */
452 if(x->ex_flags & EXFLAG_NSCERT) { 479 if(ca_ret != 5 || x->ex_nscert & NS_SSL_CA) return ca_ret;
453 if(x->ex_nscert & NS_SSL_CA) return ca_ret;
454 return 0;
455 }
456 if(ca_ret != 2) return ca_ret;
457 else return 0; 480 else return 0;
458} 481}
459 482
@@ -498,14 +521,10 @@ static int purpose_smime(const X509 *x, int ca)
498 if(xku_reject(x,XKU_SMIME)) return 0; 521 if(xku_reject(x,XKU_SMIME)) return 0;
499 if(ca) { 522 if(ca) {
500 int ca_ret; 523 int ca_ret;
501 ca_ret = ca_check(x); 524 ca_ret = check_ca(x);
502 if(!ca_ret) return 0; 525 if(!ca_ret) return 0;
503 /* check nsCertType if present */ 526 /* check nsCertType if present */
504 if(x->ex_flags & EXFLAG_NSCERT) { 527 if(ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret;
505 if(x->ex_nscert & NS_SMIME_CA) return ca_ret;
506 return 0;
507 }
508 if(ca_ret != 2) return ca_ret;
509 else return 0; 528 else return 0;
510 } 529 }
511 if(x->ex_flags & EXFLAG_NSCERT) { 530 if(x->ex_flags & EXFLAG_NSCERT) {
@@ -539,7 +558,7 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
539{ 558{
540 if(ca) { 559 if(ca) {
541 int ca_ret; 560 int ca_ret;
542 if((ca_ret = ca_check(x)) != 2) return ca_ret; 561 if((ca_ret = check_ca(x)) != 2) return ca_ret;
543 else return 0; 562 else return 0;
544 } 563 }
545 if(ku_reject(x, KU_CRL_SIGN)) return 0; 564 if(ku_reject(x, KU_CRL_SIGN)) return 0;
@@ -552,17 +571,9 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
552 571
553static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca) 572static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
554{ 573{
555 /* Must be a valid CA */ 574 /* Must be a valid CA. Should we really support the "I don't know"
556 if(ca) { 575 value (2)? */
557 int ca_ret; 576 if(ca) return check_ca(x);
558 ca_ret = ca_check(x);
559 if(ca_ret != 2) return ca_ret;
560 if(x->ex_flags & EXFLAG_NSCERT) {
561 if(x->ex_nscert & NS_ANY_CA) return ca_ret;
562 return 0;
563 }
564 return 0;
565 }
566 /* leaf certificate is checked in OCSP_verify() */ 577 /* leaf certificate is checked in OCSP_verify() */
567 return 1; 578 return 1;
568} 579}
@@ -624,7 +635,13 @@ int X509_check_issued(X509 *issuer, X509 *subject)
624 return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH; 635 return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
625 } 636 }
626 } 637 }
627 if(ku_reject(issuer, KU_KEY_CERT_SIGN)) return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; 638 if(subject->ex_flags & EXFLAG_PROXY)
639 {
640 if(ku_reject(issuer, KU_DIGITAL_SIGNATURE))
641 return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
642 }
643 else if(ku_reject(issuer, KU_KEY_CERT_SIGN))
644 return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
628 return X509_V_OK; 645 return X509_V_OK;
629} 646}
630 647
diff --git a/src/lib/libcrypto/x509v3/v3err.c b/src/lib/libcrypto/x509v3/v3err.c
index 6458e95bb9..2df0c3ef01 100644
--- a/src/lib/libcrypto/x509v3/v3err.c
+++ b/src/lib/libcrypto/x509v3/v3err.c
@@ -1,6 +1,6 @@
1/* crypto/x509v3/v3err.c */ 1/* crypto/x509v3/v3err.c */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 6 * modification, are permitted provided that the following conditions
@@ -72,12 +72,14 @@ static ERR_STRING_DATA X509V3_str_functs[]=
72{ERR_PACK(0,X509V3_F_DO_EXT_I2D,0), "DO_EXT_I2D"}, 72{ERR_PACK(0,X509V3_F_DO_EXT_I2D,0), "DO_EXT_I2D"},
73{ERR_PACK(0,X509V3_F_HEX_TO_STRING,0), "hex_to_string"}, 73{ERR_PACK(0,X509V3_F_HEX_TO_STRING,0), "hex_to_string"},
74{ERR_PACK(0,X509V3_F_I2S_ASN1_ENUMERATED,0), "i2s_ASN1_ENUMERATED"}, 74{ERR_PACK(0,X509V3_F_I2S_ASN1_ENUMERATED,0), "i2s_ASN1_ENUMERATED"},
75{ERR_PACK(0,X509V3_F_I2S_ASN1_IA5STRING,0), "I2S_ASN1_IA5STRING"},
75{ERR_PACK(0,X509V3_F_I2S_ASN1_INTEGER,0), "i2s_ASN1_INTEGER"}, 76{ERR_PACK(0,X509V3_F_I2S_ASN1_INTEGER,0), "i2s_ASN1_INTEGER"},
76{ERR_PACK(0,X509V3_F_I2V_AUTHORITY_INFO_ACCESS,0), "I2V_AUTHORITY_INFO_ACCESS"}, 77{ERR_PACK(0,X509V3_F_I2V_AUTHORITY_INFO_ACCESS,0), "I2V_AUTHORITY_INFO_ACCESS"},
77{ERR_PACK(0,X509V3_F_NOTICE_SECTION,0), "NOTICE_SECTION"}, 78{ERR_PACK(0,X509V3_F_NOTICE_SECTION,0), "NOTICE_SECTION"},
78{ERR_PACK(0,X509V3_F_NREF_NOS,0), "NREF_NOS"}, 79{ERR_PACK(0,X509V3_F_NREF_NOS,0), "NREF_NOS"},
79{ERR_PACK(0,X509V3_F_POLICY_SECTION,0), "POLICY_SECTION"}, 80{ERR_PACK(0,X509V3_F_POLICY_SECTION,0), "POLICY_SECTION"},
80{ERR_PACK(0,X509V3_F_R2I_CERTPOL,0), "R2I_CERTPOL"}, 81{ERR_PACK(0,X509V3_F_R2I_CERTPOL,0), "R2I_CERTPOL"},
82{ERR_PACK(0,X509V3_F_R2I_PCI,0), "R2I_PCI"},
81{ERR_PACK(0,X509V3_F_S2I_ASN1_IA5STRING,0), "S2I_ASN1_IA5STRING"}, 83{ERR_PACK(0,X509V3_F_S2I_ASN1_IA5STRING,0), "S2I_ASN1_IA5STRING"},
82{ERR_PACK(0,X509V3_F_S2I_ASN1_INTEGER,0), "s2i_ASN1_INTEGER"}, 84{ERR_PACK(0,X509V3_F_S2I_ASN1_INTEGER,0), "s2i_ASN1_INTEGER"},
83{ERR_PACK(0,X509V3_F_S2I_ASN1_OCTET_STRING,0), "s2i_ASN1_OCTET_STRING"}, 85{ERR_PACK(0,X509V3_F_S2I_ASN1_OCTET_STRING,0), "s2i_ASN1_OCTET_STRING"},
@@ -128,6 +130,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
128{X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED,"extension setting not supported"}, 130{X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED,"extension setting not supported"},
129{X509V3_R_EXTENSION_VALUE_ERROR ,"extension value error"}, 131{X509V3_R_EXTENSION_VALUE_ERROR ,"extension value error"},
130{X509V3_R_ILLEGAL_HEX_DIGIT ,"illegal hex digit"}, 132{X509V3_R_ILLEGAL_HEX_DIGIT ,"illegal hex digit"},
133{X509V3_R_INCORRECT_POLICY_SYNTAX_TAG ,"incorrect policy syntax tag"},
131{X509V3_R_INVALID_BOOLEAN_STRING ,"invalid boolean string"}, 134{X509V3_R_INVALID_BOOLEAN_STRING ,"invalid boolean string"},
132{X509V3_R_INVALID_EXTENSION_STRING ,"invalid extension string"}, 135{X509V3_R_INVALID_EXTENSION_STRING ,"invalid extension string"},
133{X509V3_R_INVALID_NAME ,"invalid name"}, 136{X509V3_R_INVALID_NAME ,"invalid name"},
@@ -139,6 +142,8 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
139{X509V3_R_INVALID_OBJECT_IDENTIFIER ,"invalid object identifier"}, 142{X509V3_R_INVALID_OBJECT_IDENTIFIER ,"invalid object identifier"},
140{X509V3_R_INVALID_OPTION ,"invalid option"}, 143{X509V3_R_INVALID_OPTION ,"invalid option"},
141{X509V3_R_INVALID_POLICY_IDENTIFIER ,"invalid policy identifier"}, 144{X509V3_R_INVALID_POLICY_IDENTIFIER ,"invalid policy identifier"},
145{X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER,"invalid proxy policy identifier"},
146{X509V3_R_INVALID_PROXY_POLICY_SETTING ,"invalid proxy policy setting"},
142{X509V3_R_INVALID_PURPOSE ,"invalid purpose"}, 147{X509V3_R_INVALID_PURPOSE ,"invalid purpose"},
143{X509V3_R_INVALID_SECTION ,"invalid section"}, 148{X509V3_R_INVALID_SECTION ,"invalid section"},
144{X509V3_R_INVALID_SYNTAX ,"invalid syntax"}, 149{X509V3_R_INVALID_SYNTAX ,"invalid syntax"},
@@ -149,9 +154,16 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
149{X509V3_R_NO_ISSUER_CERTIFICATE ,"no issuer certificate"}, 154{X509V3_R_NO_ISSUER_CERTIFICATE ,"no issuer certificate"},
150{X509V3_R_NO_ISSUER_DETAILS ,"no issuer details"}, 155{X509V3_R_NO_ISSUER_DETAILS ,"no issuer details"},
151{X509V3_R_NO_POLICY_IDENTIFIER ,"no policy identifier"}, 156{X509V3_R_NO_POLICY_IDENTIFIER ,"no policy identifier"},
157{X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED,"no proxy cert policy language defined"},
152{X509V3_R_NO_PUBLIC_KEY ,"no public key"}, 158{X509V3_R_NO_PUBLIC_KEY ,"no public key"},
153{X509V3_R_NO_SUBJECT_DETAILS ,"no subject details"}, 159{X509V3_R_NO_SUBJECT_DETAILS ,"no subject details"},
154{X509V3_R_ODD_NUMBER_OF_DIGITS ,"odd number of digits"}, 160{X509V3_R_ODD_NUMBER_OF_DIGITS ,"odd number of digits"},
161{X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED,"policy language alreadty defined"},
162{X509V3_R_POLICY_PATH_LENGTH ,"policy path length"},
163{X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED,"policy path length alreadty defined"},
164{X509V3_R_POLICY_SYNTAX_NOT ,"policy syntax not"},
165{X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED,"policy syntax not currently supported"},
166{X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY,"policy when proxy language requires no policy"},
155{X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS ,"unable to get issuer details"}, 167{X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS ,"unable to get issuer details"},
156{X509V3_R_UNABLE_TO_GET_ISSUER_KEYID ,"unable to get issuer keyid"}, 168{X509V3_R_UNABLE_TO_GET_ISSUER_KEYID ,"unable to get issuer keyid"},
157{X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT ,"unknown bit string argument"}, 169{X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT ,"unknown bit string argument"},
diff --git a/src/lib/libcrypto/x509v3/x509v3.h b/src/lib/libcrypto/x509v3/x509v3.h
index fb07a19016..e6d91251c2 100644
--- a/src/lib/libcrypto/x509v3/x509v3.h
+++ b/src/lib/libcrypto/x509v3/x509v3.h
@@ -287,6 +287,23 @@ typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES;
287DECLARE_STACK_OF(POLICYINFO) 287DECLARE_STACK_OF(POLICYINFO)
288DECLARE_ASN1_SET_OF(POLICYINFO) 288DECLARE_ASN1_SET_OF(POLICYINFO)
289 289
290/* Proxy certificate structures, see RFC 3820 */
291typedef struct PROXY_POLICY_st
292 {
293 ASN1_OBJECT *policyLanguage;
294 ASN1_OCTET_STRING *policy;
295 } PROXY_POLICY;
296
297typedef struct PROXY_CERT_INFO_EXTENSION_st
298 {
299 ASN1_INTEGER *pcPathLengthConstraint;
300 PROXY_POLICY *proxyPolicy;
301 } PROXY_CERT_INFO_EXTENSION;
302
303DECLARE_ASN1_FUNCTIONS(PROXY_POLICY)
304DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
305
306
290#define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \ 307#define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \
291",name:", val->name, ",value:", val->value); 308",name:", val->name, ",value:", val->value);
292 309
@@ -325,6 +342,7 @@ DECLARE_ASN1_SET_OF(POLICYINFO)
325#define EXFLAG_INVALID 0x80 342#define EXFLAG_INVALID 0x80
326#define EXFLAG_SET 0x100 343#define EXFLAG_SET 0x100
327#define EXFLAG_CRITICAL 0x200 344#define EXFLAG_CRITICAL 0x200
345#define EXFLAG_PROXY 0x400
328 346
329#define KU_DIGITAL_SIGNATURE 0x0080 347#define KU_DIGITAL_SIGNATURE 0x0080
330#define KU_NON_REPUDIATION 0x0040 348#define KU_NON_REPUDIATION 0x0040
@@ -527,6 +545,7 @@ int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
527 545
528int X509V3_extensions_print(BIO *out, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent); 546int X509V3_extensions_print(BIO *out, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent);
529 547
548int X509_check_ca(X509 *x);
530int X509_check_purpose(X509 *x, int id, int ca); 549int X509_check_purpose(X509 *x, int id, int ca);
531int X509_supported_extension(X509_EXTENSION *ex); 550int X509_supported_extension(X509_EXTENSION *ex);
532int X509_PURPOSE_set(int *p, int purpose); 551int X509_PURPOSE_set(int *p, int purpose);
@@ -564,12 +583,14 @@ void ERR_load_X509V3_strings(void);
564#define X509V3_F_DO_EXT_I2D 135 583#define X509V3_F_DO_EXT_I2D 135
565#define X509V3_F_HEX_TO_STRING 111 584#define X509V3_F_HEX_TO_STRING 111
566#define X509V3_F_I2S_ASN1_ENUMERATED 121 585#define X509V3_F_I2S_ASN1_ENUMERATED 121
586#define X509V3_F_I2S_ASN1_IA5STRING 142
567#define X509V3_F_I2S_ASN1_INTEGER 120 587#define X509V3_F_I2S_ASN1_INTEGER 120
568#define X509V3_F_I2V_AUTHORITY_INFO_ACCESS 138 588#define X509V3_F_I2V_AUTHORITY_INFO_ACCESS 138
569#define X509V3_F_NOTICE_SECTION 132 589#define X509V3_F_NOTICE_SECTION 132
570#define X509V3_F_NREF_NOS 133 590#define X509V3_F_NREF_NOS 133
571#define X509V3_F_POLICY_SECTION 131 591#define X509V3_F_POLICY_SECTION 131
572#define X509V3_F_R2I_CERTPOL 130 592#define X509V3_F_R2I_CERTPOL 130
593#define X509V3_F_R2I_PCI 142
573#define X509V3_F_S2I_ASN1_IA5STRING 100 594#define X509V3_F_S2I_ASN1_IA5STRING 100
574#define X509V3_F_S2I_ASN1_INTEGER 108 595#define X509V3_F_S2I_ASN1_INTEGER 108
575#define X509V3_F_S2I_ASN1_OCTET_STRING 112 596#define X509V3_F_S2I_ASN1_OCTET_STRING 112
@@ -617,6 +638,7 @@ void ERR_load_X509V3_strings(void);
617#define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 103 638#define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 103
618#define X509V3_R_EXTENSION_VALUE_ERROR 116 639#define X509V3_R_EXTENSION_VALUE_ERROR 116
619#define X509V3_R_ILLEGAL_HEX_DIGIT 113 640#define X509V3_R_ILLEGAL_HEX_DIGIT 113
641#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 153
620#define X509V3_R_INVALID_BOOLEAN_STRING 104 642#define X509V3_R_INVALID_BOOLEAN_STRING 104
621#define X509V3_R_INVALID_EXTENSION_STRING 105 643#define X509V3_R_INVALID_EXTENSION_STRING 105
622#define X509V3_R_INVALID_NAME 106 644#define X509V3_R_INVALID_NAME 106
@@ -628,6 +650,8 @@ void ERR_load_X509V3_strings(void);
628#define X509V3_R_INVALID_OBJECT_IDENTIFIER 110 650#define X509V3_R_INVALID_OBJECT_IDENTIFIER 110
629#define X509V3_R_INVALID_OPTION 138 651#define X509V3_R_INVALID_OPTION 138
630#define X509V3_R_INVALID_POLICY_IDENTIFIER 134 652#define X509V3_R_INVALID_POLICY_IDENTIFIER 134
653#define X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER 147
654#define X509V3_R_INVALID_PROXY_POLICY_SETTING 151
631#define X509V3_R_INVALID_PURPOSE 146 655#define X509V3_R_INVALID_PURPOSE 146
632#define X509V3_R_INVALID_SECTION 135 656#define X509V3_R_INVALID_SECTION 135
633#define X509V3_R_INVALID_SYNTAX 143 657#define X509V3_R_INVALID_SYNTAX 143
@@ -638,9 +662,16 @@ void ERR_load_X509V3_strings(void);
638#define X509V3_R_NO_ISSUER_CERTIFICATE 121 662#define X509V3_R_NO_ISSUER_CERTIFICATE 121
639#define X509V3_R_NO_ISSUER_DETAILS 127 663#define X509V3_R_NO_ISSUER_DETAILS 127
640#define X509V3_R_NO_POLICY_IDENTIFIER 139 664#define X509V3_R_NO_POLICY_IDENTIFIER 139
665#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 148
641#define X509V3_R_NO_PUBLIC_KEY 114 666#define X509V3_R_NO_PUBLIC_KEY 114
642#define X509V3_R_NO_SUBJECT_DETAILS 125 667#define X509V3_R_NO_SUBJECT_DETAILS 125
643#define X509V3_R_ODD_NUMBER_OF_DIGITS 112 668#define X509V3_R_ODD_NUMBER_OF_DIGITS 112
669#define X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED 149
670#define X509V3_R_POLICY_PATH_LENGTH 152
671#define X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED 150
672#define X509V3_R_POLICY_SYNTAX_NOT 154
673#define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED 155
674#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 156
644#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 122 675#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 122
645#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 123 676#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 123
646#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 111 677#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 111
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-04 10:57:06 +0000