diff options
Diffstat (limited to 'src/lib/libcrypto/x509')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_purp.c | 76 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509/x509_trs.c | 59 |
2 files changed, 114 insertions, 21 deletions
diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c index f7bc7ea538..f2c4f1dd57 100644 --- a/src/lib/libcrypto/x509/x509_purp.c +++ b/src/lib/libcrypto/x509/x509_purp.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_purp.c,v 1.27 2023/06/25 13:52:27 tb Exp $ */ | 1 | /* $OpenBSD: x509_purp.c,v 1.28 2023/07/02 17:12:17 tb Exp $ */ |
| 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 3 | * project 2001. | 3 | * project 2001. |
| 4 | */ | 4 | */ |
| @@ -99,18 +99,72 @@ static int xp_cmp(const X509_PURPOSE * const *a, const X509_PURPOSE * const *b); | |||
| 99 | static void xptable_free(X509_PURPOSE *p); | 99 | static void xptable_free(X509_PURPOSE *p); |
| 100 | 100 | ||
| 101 | static X509_PURPOSE xstandard[] = { | 101 | static X509_PURPOSE xstandard[] = { |
| 102 | {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, check_purpose_ssl_client, "SSL client", "sslclient", NULL}, | 102 | { |
| 103 | {X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ssl_server, "SSL server", "sslserver", NULL}, | 103 | .purpose = X509_PURPOSE_SSL_CLIENT, |
| 104 | {X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ns_ssl_server, "Netscape SSL server", "nssslserver", NULL}, | 104 | .trust = X509_TRUST_SSL_CLIENT, |
| 105 | {X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, "S/MIME signing", "smimesign", NULL}, | 105 | .check_purpose = check_purpose_ssl_client, |
| 106 | {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL}, | 106 | .name = "SSL client", |
| 107 | {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL}, | 107 | .sname = "sslclient", |
| 108 | {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL}, | 108 | }, |
| 109 | {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL}, | 109 | { |
| 110 | {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, 0, check_purpose_timestamp_sign, "Time Stamp signing", "timestampsign", NULL}, | 110 | .purpose = X509_PURPOSE_SSL_SERVER, |
| 111 | .trust = X509_TRUST_SSL_SERVER, | ||
| 112 | .check_purpose = check_purpose_ssl_server, | ||
| 113 | .name = "SSL server", | ||
| 114 | .sname = "sslserver", | ||
| 115 | }, | ||
| 116 | { | ||
| 117 | .purpose = X509_PURPOSE_NS_SSL_SERVER, | ||
| 118 | .trust = X509_TRUST_SSL_SERVER, | ||
| 119 | .check_purpose = check_purpose_ns_ssl_server, | ||
| 120 | .name = "Netscape SSL server", | ||
| 121 | .sname = "nssslserver", | ||
| 122 | }, | ||
| 123 | { | ||
| 124 | .purpose = X509_PURPOSE_SMIME_SIGN, | ||
| 125 | .trust = X509_TRUST_EMAIL, | ||
| 126 | .check_purpose = check_purpose_smime_sign, | ||
| 127 | .name = "S/MIME signing", | ||
| 128 | .sname = "smimesign", | ||
| 129 | }, | ||
| 130 | { | ||
| 131 | .purpose = X509_PURPOSE_SMIME_ENCRYPT, | ||
| 132 | .trust = X509_TRUST_EMAIL, | ||
| 133 | .check_purpose = check_purpose_smime_encrypt, | ||
| 134 | .name = "S/MIME encryption", | ||
| 135 | .sname = "smimeencrypt", | ||
| 136 | }, | ||
| 137 | { | ||
| 138 | .purpose = X509_PURPOSE_CRL_SIGN, | ||
| 139 | .trust = X509_TRUST_COMPAT, | ||
| 140 | .check_purpose = check_purpose_crl_sign, | ||
| 141 | .name = "CRL signing", | ||
| 142 | .sname = "crlsign", | ||
| 143 | }, | ||
| 144 | { | ||
| 145 | .purpose = X509_PURPOSE_ANY, | ||
| 146 | .trust = X509_TRUST_DEFAULT, | ||
| 147 | .check_purpose = no_check, | ||
| 148 | .name = "Any Purpose", | ||
| 149 | .sname = "any", | ||
| 150 | }, | ||
| 151 | { | ||
| 152 | .purpose = X509_PURPOSE_OCSP_HELPER, | ||
| 153 | .trust = X509_TRUST_COMPAT, | ||
| 154 | .check_purpose = ocsp_helper, | ||
| 155 | .name = "OCSP helper", | ||
| 156 | .sname = "ocsphelper", | ||
| 157 | }, | ||
| 158 | { | ||
| 159 | .purpose = X509_PURPOSE_TIMESTAMP_SIGN, | ||
| 160 | .trust = X509_TRUST_TSA, | ||
| 161 | .check_purpose = check_purpose_timestamp_sign, | ||
| 162 | .name = "Time Stamp signing", | ||
| 163 | .sname = "timestampsign", | ||
| 164 | }, | ||
| 111 | }; | 165 | }; |
| 112 | 166 | ||
| 113 | #define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE)) | 167 | #define X509_PURPOSE_COUNT (sizeof(xstandard) / sizeof(xstandard[0])) |
| 114 | 168 | ||
| 115 | static STACK_OF(X509_PURPOSE) *xptable = NULL; | 169 | static STACK_OF(X509_PURPOSE) *xptable = NULL; |
| 116 | 170 | ||
diff --git a/src/lib/libcrypto/x509/x509_trs.c b/src/lib/libcrypto/x509/x509_trs.c index e3265918a4..6b935f8bee 100644 --- a/src/lib/libcrypto/x509/x509_trs.c +++ b/src/lib/libcrypto/x509/x509_trs.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_trs.c,v 1.31 2023/02/16 08:38:17 tb Exp $ */ | 1 | /* $OpenBSD: x509_trs.c,v 1.32 2023/07/02 17:12:17 tb Exp $ */ |
| 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 3 | * project 1999. | 3 | * project 1999. |
| 4 | */ | 4 | */ |
| @@ -80,17 +80,56 @@ static int (*default_trust)(int id, X509 *x, int flags) = obj_trust; | |||
| 80 | */ | 80 | */ |
| 81 | 81 | ||
| 82 | static X509_TRUST trstandard[] = { | 82 | static X509_TRUST trstandard[] = { |
| 83 | {X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL}, | 83 | { |
| 84 | {X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL}, | 84 | .trust = X509_TRUST_COMPAT, |
| 85 | {X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL}, | 85 | .check_trust = trust_compat, |
| 86 | {X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL}, | 86 | .name = "compatible", |
| 87 | {X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, "Object Signer", NID_code_sign, NULL}, | 87 | }, |
| 88 | {X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL}, | 88 | { |
| 89 | {X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL}, | 89 | .trust = X509_TRUST_SSL_CLIENT, |
| 90 | {X509_TRUST_TSA, 0, trust_1oidany, "TSA server", NID_time_stamp, NULL} | 90 | .check_trust = trust_1oidany, |
| 91 | .name = "SSL Client", | ||
| 92 | .arg1 = NID_client_auth, | ||
| 93 | }, | ||
| 94 | { | ||
| 95 | .trust = X509_TRUST_SSL_SERVER, | ||
| 96 | .check_trust = trust_1oidany, | ||
| 97 | .name = "SSL Server", | ||
| 98 | .arg1 = NID_server_auth, | ||
| 99 | }, | ||
| 100 | { | ||
| 101 | .trust = X509_TRUST_EMAIL, | ||
| 102 | .check_trust = trust_1oidany, | ||
| 103 | .name = "S/MIME email", | ||
| 104 | .arg1 = NID_email_protect, | ||
| 105 | }, | ||
| 106 | { | ||
| 107 | .trust = X509_TRUST_OBJECT_SIGN, | ||
| 108 | .check_trust = trust_1oidany, | ||
| 109 | .name = "Object Signer", | ||
| 110 | .arg1 = NID_code_sign, | ||
| 111 | }, | ||
| 112 | { | ||
| 113 | .trust = X509_TRUST_OCSP_SIGN, | ||
| 114 | .check_trust = trust_1oid, | ||
| 115 | .name = "OCSP responder", | ||
| 116 | .arg1 = NID_OCSP_sign, | ||
| 117 | }, | ||
| 118 | { | ||
| 119 | .trust = X509_TRUST_OCSP_REQUEST, | ||
| 120 | .check_trust = trust_1oid, | ||
| 121 | .name = "OCSP request", | ||
| 122 | .arg1 = NID_ad_OCSP, | ||
| 123 | }, | ||
| 124 | { | ||
| 125 | .trust = X509_TRUST_TSA, | ||
| 126 | .check_trust = trust_1oidany, | ||
| 127 | .name = "TSA server", | ||
| 128 | .arg1 = NID_time_stamp, | ||
| 129 | }, | ||
| 91 | }; | 130 | }; |
| 92 | 131 | ||
| 93 | #define X509_TRUST_COUNT (sizeof(trstandard)/sizeof(X509_TRUST)) | 132 | #define X509_TRUST_COUNT (sizeof(trstandard) / sizeof(trstandard[0])) |
| 94 | 133 | ||
| 95 | static STACK_OF(X509_TRUST) *trtable = NULL; | 134 | static STACK_OF(X509_TRUST) *trtable = NULL; |
| 96 | 135 | ||