summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/x509
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/x509')
-rw-r--r--src/lib/libcrypto/x509/by_dir.c482
-rw-r--r--src/lib/libcrypto/x509/by_file.c300
-rw-r--r--src/lib/libcrypto/x509/x509.h1286
-rw-r--r--src/lib/libcrypto/x509/x509_att.c359
-rw-r--r--src/lib/libcrypto/x509/x509_cmp.c331
-rw-r--r--src/lib/libcrypto/x509/x509_d2.c107
-rw-r--r--src/lib/libcrypto/x509/x509_def.c81
-rw-r--r--src/lib/libcrypto/x509/x509_err.c164
-rw-r--r--src/lib/libcrypto/x509/x509_ext.c210
-rw-r--r--src/lib/libcrypto/x509/x509_lu.c716
-rw-r--r--src/lib/libcrypto/x509/x509_obj.c226
-rw-r--r--src/lib/libcrypto/x509/x509_r2x.c114
-rw-r--r--src/lib/libcrypto/x509/x509_req.c316
-rw-r--r--src/lib/libcrypto/x509/x509_set.c150
-rw-r--r--src/lib/libcrypto/x509/x509_trs.c288
-rw-r--r--src/lib/libcrypto/x509/x509_txt.c193
-rw-r--r--src/lib/libcrypto/x509/x509_v3.c274
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c2219
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.h567
-rw-r--r--src/lib/libcrypto/x509/x509_vpm.c438
-rw-r--r--src/lib/libcrypto/x509/x509cset.c170
-rw-r--r--src/lib/libcrypto/x509/x509name.c383
-rw-r--r--src/lib/libcrypto/x509/x509rset.c83
-rw-r--r--src/lib/libcrypto/x509/x509spki.c121
-rw-r--r--src/lib/libcrypto/x509/x509type.c125
-rw-r--r--src/lib/libcrypto/x509/x_all.c516
26 files changed, 10219 insertions, 0 deletions
diff --git a/src/lib/libcrypto/x509/by_dir.c b/src/lib/libcrypto/x509/by_dir.c
new file mode 100644
index 0000000000..27ca5150c1
--- /dev/null
+++ b/src/lib/libcrypto/x509/by_dir.c
@@ -0,0 +1,482 @@
1/* crypto/x509/by_dir.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <time.h>
61#include <errno.h>
62
63#include "cryptlib.h"
64
65#ifndef NO_SYS_TYPES_H
66# include <sys/types.h>
67#endif
68#ifndef OPENSSL_NO_POSIX_IO
69# include <sys/stat.h>
70#endif
71
72#include <openssl/lhash.h>
73#include <openssl/x509.h>
74
75
76typedef struct lookup_dir_hashes_st
77 {
78 unsigned long hash;
79 int suffix;
80 } BY_DIR_HASH;
81
82typedef struct lookup_dir_entry_st
83 {
84 char *dir;
85 int dir_type;
86 STACK_OF(BY_DIR_HASH) *hashes;
87 } BY_DIR_ENTRY;
88
89typedef struct lookup_dir_st
90 {
91 BUF_MEM *buffer;
92 STACK_OF(BY_DIR_ENTRY) *dirs;
93 } BY_DIR;
94
95DECLARE_STACK_OF(BY_DIR_HASH)
96DECLARE_STACK_OF(BY_DIR_ENTRY)
97
98static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
99 char **ret);
100static int new_dir(X509_LOOKUP *lu);
101static void free_dir(X509_LOOKUP *lu);
102static int add_cert_dir(BY_DIR *ctx,const char *dir,int type);
103static int get_cert_by_subject(X509_LOOKUP *xl,int type,X509_NAME *name,
104 X509_OBJECT *ret);
105X509_LOOKUP_METHOD x509_dir_lookup=
106 {
107 "Load certs from files in a directory",
108 new_dir, /* new */
109 free_dir, /* free */
110 NULL, /* init */
111 NULL, /* shutdown */
112 dir_ctrl, /* ctrl */
113 get_cert_by_subject, /* get_by_subject */
114 NULL, /* get_by_issuer_serial */
115 NULL, /* get_by_fingerprint */
116 NULL, /* get_by_alias */
117 };
118
119X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void)
120 {
121 return(&x509_dir_lookup);
122 }
123
124static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
125 char **retp)
126 {
127 int ret=0;
128 BY_DIR *ld;
129 char *dir = NULL;
130
131 ld=(BY_DIR *)ctx->method_data;
132
133 switch (cmd)
134 {
135 case X509_L_ADD_DIR:
136 if (argl == X509_FILETYPE_DEFAULT)
137 {
138 dir=(char *)getenv(X509_get_default_cert_dir_env());
139 if (dir)
140 ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);
141 else
142 ret=add_cert_dir(ld,X509_get_default_cert_dir(),
143 X509_FILETYPE_PEM);
144 if (!ret)
145 {
146 X509err(X509_F_DIR_CTRL,X509_R_LOADING_CERT_DIR);
147 }
148 }
149 else
150 ret=add_cert_dir(ld,argp,(int)argl);
151 break;
152 }
153 return(ret);
154 }
155
156static int new_dir(X509_LOOKUP *lu)
157 {
158 BY_DIR *a;
159
160 if ((a=(BY_DIR *)OPENSSL_malloc(sizeof(BY_DIR))) == NULL)
161 return(0);
162 if ((a->buffer=BUF_MEM_new()) == NULL)
163 {
164 OPENSSL_free(a);
165 return(0);
166 }
167 a->dirs=NULL;
168 lu->method_data=(char *)a;
169 return(1);
170 }
171
172static void by_dir_hash_free(BY_DIR_HASH *hash)
173 {
174 OPENSSL_free(hash);
175 }
176
177static int by_dir_hash_cmp(const BY_DIR_HASH * const *a,
178 const BY_DIR_HASH * const *b)
179 {
180 if ((*a)->hash > (*b)->hash)
181 return 1;
182 if ((*a)->hash < (*b)->hash)
183 return -1;
184 return 0;
185 }
186
187static void by_dir_entry_free(BY_DIR_ENTRY *ent)
188 {
189 if (ent->dir)
190 OPENSSL_free(ent->dir);
191 if (ent->hashes)
192 sk_BY_DIR_HASH_pop_free(ent->hashes, by_dir_hash_free);
193 OPENSSL_free(ent);
194 }
195
196static void free_dir(X509_LOOKUP *lu)
197 {
198 BY_DIR *a;
199
200 a=(BY_DIR *)lu->method_data;
201 if (a->dirs != NULL)
202 sk_BY_DIR_ENTRY_pop_free(a->dirs, by_dir_entry_free);
203 if (a->buffer != NULL)
204 BUF_MEM_free(a->buffer);
205 OPENSSL_free(a);
206 }
207
208static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
209 {
210 int j,len;
211 const char *s,*ss,*p;
212
213 if (dir == NULL || !*dir)
214 {
215 X509err(X509_F_ADD_CERT_DIR,X509_R_INVALID_DIRECTORY);
216 return 0;
217 }
218
219 s=dir;
220 p=s;
221 for (;;p++)
222 {
223 if ((*p == LIST_SEPARATOR_CHAR) || (*p == '\0'))
224 {
225 BY_DIR_ENTRY *ent;
226 ss=s;
227 s=p+1;
228 len=(int)(p-ss);
229 if (len == 0) continue;
230 for (j=0; j < sk_BY_DIR_ENTRY_num(ctx->dirs); j++)
231 {
232 ent = sk_BY_DIR_ENTRY_value(ctx->dirs, j);
233 if (strlen(ent->dir) == (size_t)len &&
234 strncmp(ent->dir,ss,(unsigned int)len) == 0)
235 break;
236 }
237 if (j < sk_BY_DIR_ENTRY_num(ctx->dirs))
238 continue;
239 if (ctx->dirs == NULL)
240 {
241 ctx->dirs = sk_BY_DIR_ENTRY_new_null();
242 if (!ctx->dirs)
243 {
244 X509err(X509_F_ADD_CERT_DIR,ERR_R_MALLOC_FAILURE);
245 return 0;
246 }
247 }
248 ent = OPENSSL_malloc(sizeof(BY_DIR_ENTRY));
249 if (!ent)
250 return 0;
251 ent->dir_type = type;
252 ent->hashes = sk_BY_DIR_HASH_new(by_dir_hash_cmp);
253 ent->dir = OPENSSL_malloc((unsigned int)len+1);
254 if (!ent->dir || !ent->hashes)
255 {
256 by_dir_entry_free(ent);
257 return 0;
258 }
259 strncpy(ent->dir,ss,(unsigned int)len);
260 ent->dir[len] = '\0';
261 if (!sk_BY_DIR_ENTRY_push(ctx->dirs, ent))
262 {
263 by_dir_entry_free(ent);
264 return 0;
265 }
266 }
267 if (*p == '\0')
268 break;
269 }
270 return 1;
271 }
272
273static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
274 X509_OBJECT *ret)
275 {
276 BY_DIR *ctx;
277 union {
278 struct {
279 X509 st_x509;
280 X509_CINF st_x509_cinf;
281 } x509;
282 struct {
283 X509_CRL st_crl;
284 X509_CRL_INFO st_crl_info;
285 } crl;
286 } data;
287 int ok=0;
288 int i,j,k;
289 unsigned long h;
290 BUF_MEM *b=NULL;
291 X509_OBJECT stmp,*tmp;
292 const char *postfix="";
293
294 if (name == NULL) return(0);
295
296 stmp.type=type;
297 if (type == X509_LU_X509)
298 {
299 data.x509.st_x509.cert_info= &data.x509.st_x509_cinf;
300 data.x509.st_x509_cinf.subject=name;
301 stmp.data.x509= &data.x509.st_x509;
302 postfix="";
303 }
304 else if (type == X509_LU_CRL)
305 {
306 data.crl.st_crl.crl= &data.crl.st_crl_info;
307 data.crl.st_crl_info.issuer=name;
308 stmp.data.crl= &data.crl.st_crl;
309 postfix="r";
310 }
311 else
312 {
313 X509err(X509_F_GET_CERT_BY_SUBJECT,X509_R_WRONG_LOOKUP_TYPE);
314 goto finish;
315 }
316
317 if ((b=BUF_MEM_new()) == NULL)
318 {
319 X509err(X509_F_GET_CERT_BY_SUBJECT,ERR_R_BUF_LIB);
320 goto finish;
321 }
322
323 ctx=(BY_DIR *)xl->method_data;
324
325 h=X509_NAME_hash(name);
326 for (i=0; i < sk_BY_DIR_ENTRY_num(ctx->dirs); i++)
327 {
328 BY_DIR_ENTRY *ent;
329 int idx;
330 BY_DIR_HASH htmp, *hent;
331 ent = sk_BY_DIR_ENTRY_value(ctx->dirs, i);
332 j=strlen(ent->dir)+1+8+6+1+1;
333 if (!BUF_MEM_grow(b,j))
334 {
335 X509err(X509_F_GET_CERT_BY_SUBJECT,ERR_R_MALLOC_FAILURE);
336 goto finish;
337 }
338 if (type == X509_LU_CRL && ent->hashes)
339 {
340 htmp.hash = h;
341 CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE);
342 idx = sk_BY_DIR_HASH_find(ent->hashes, &htmp);
343 if (idx >= 0)
344 {
345 hent = sk_BY_DIR_HASH_value(ent->hashes, idx);
346 k = hent->suffix;
347 }
348 else
349 {
350 hent = NULL;
351 k=0;
352 }
353 CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE);
354 }
355 else
356 {
357 k = 0;
358 hent = NULL;
359 }
360 for (;;)
361 {
362 char c = '/';
363#ifdef OPENSSL_SYS_VMS
364 c = ent->dir[strlen(ent->dir)-1];
365 if (c != ':' && c != '>' && c != ']')
366 {
367 /* If no separator is present, we assume the
368 directory specifier is a logical name, and
369 add a colon. We really should use better
370 VMS routines for merging things like this,
371 but this will do for now...
372 -- Richard Levitte */
373 c = ':';
374 }
375 else
376 {
377 c = '\0';
378 }
379#endif
380 if (c == '\0')
381 {
382 /* This is special. When c == '\0', no
383 directory separator should be added. */
384 BIO_snprintf(b->data,b->max,
385 "%s%08lx.%s%d",ent->dir,h,
386 postfix,k);
387 }
388 else
389 {
390 BIO_snprintf(b->data,b->max,
391 "%s%c%08lx.%s%d",ent->dir,c,h,
392 postfix,k);
393 }
394#ifndef OPENSSL_NO_POSIX_IO
395#ifdef _WIN32
396#define stat _stat
397#endif
398 {
399 struct stat st;
400 if (stat(b->data,&st) < 0)
401 break;
402 }
403#endif
404 /* found one. */
405 if (type == X509_LU_X509)
406 {
407 if ((X509_load_cert_file(xl,b->data,
408 ent->dir_type)) == 0)
409 break;
410 }
411 else if (type == X509_LU_CRL)
412 {
413 if ((X509_load_crl_file(xl,b->data,
414 ent->dir_type)) == 0)
415 break;
416 }
417 /* else case will caught higher up */
418 k++;
419 }
420
421 /* we have added it to the cache so now pull
422 * it out again */
423 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
424 j = sk_X509_OBJECT_find(xl->store_ctx->objs,&stmp);
425 if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,j);
426 else tmp = NULL;
427 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
428
429
430 /* If a CRL, update the last file suffix added for this */
431
432 if (type == X509_LU_CRL)
433 {
434 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
435 /* Look for entry again in case another thread added
436 * an entry first.
437 */
438 if (!hent)
439 {
440 htmp.hash = h;
441 idx = sk_BY_DIR_HASH_find(ent->hashes, &htmp);
442 if (idx >= 0)
443 hent =
444 sk_BY_DIR_HASH_value(ent->hashes, idx);
445 }
446 if (!hent)
447 {
448 hent = OPENSSL_malloc(sizeof(BY_DIR_HASH));
449 hent->hash = h;
450 hent->suffix = k;
451 if (!sk_BY_DIR_HASH_push(ent->hashes, hent))
452 {
453 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
454 OPENSSL_free(hent);
455 ok = 0;
456 goto finish;
457 }
458 }
459 else if (hent->suffix < k)
460 hent->suffix = k;
461
462 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
463
464 }
465
466 if (tmp != NULL)
467 {
468 ok=1;
469 ret->type=tmp->type;
470 memcpy(&ret->data,&tmp->data,sizeof(ret->data));
471 /* If we were going to up the reference count,
472 * we would need to do it on a perl 'type'
473 * basis */
474 /* CRYPTO_add(&tmp->data.x509->references,1,
475 CRYPTO_LOCK_X509);*/
476 goto finish;
477 }
478 }
479finish:
480 if (b != NULL) BUF_MEM_free(b);
481 return(ok);
482 }
diff --git a/src/lib/libcrypto/x509/by_file.c b/src/lib/libcrypto/x509/by_file.c
new file mode 100644
index 0000000000..57b08ee094
--- /dev/null
+++ b/src/lib/libcrypto/x509/by_file.c
@@ -0,0 +1,300 @@
1/* crypto/x509/by_file.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <time.h>
61#include <errno.h>
62
63#include "cryptlib.h"
64#include <openssl/lhash.h>
65#include <openssl/buffer.h>
66#include <openssl/x509.h>
67#include <openssl/pem.h>
68
69#ifndef OPENSSL_NO_STDIO
70
71static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
72 long argl, char **ret);
73X509_LOOKUP_METHOD x509_file_lookup=
74 {
75 "Load file into cache",
76 NULL, /* new */
77 NULL, /* free */
78 NULL, /* init */
79 NULL, /* shutdown */
80 by_file_ctrl, /* ctrl */
81 NULL, /* get_by_subject */
82 NULL, /* get_by_issuer_serial */
83 NULL, /* get_by_fingerprint */
84 NULL, /* get_by_alias */
85 };
86
87X509_LOOKUP_METHOD *X509_LOOKUP_file(void)
88 {
89 return(&x509_file_lookup);
90 }
91
92static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
93 char **ret)
94 {
95 int ok=0;
96 char *file;
97
98 switch (cmd)
99 {
100 case X509_L_FILE_LOAD:
101 if (argl == X509_FILETYPE_DEFAULT)
102 {
103 file = (char *)getenv(X509_get_default_cert_file_env());
104 if (file)
105 ok = (X509_load_cert_crl_file(ctx,file,
106 X509_FILETYPE_PEM) != 0);
107
108 else
109 ok = (X509_load_cert_crl_file(ctx,X509_get_default_cert_file(),
110 X509_FILETYPE_PEM) != 0);
111
112 if (!ok)
113 {
114 X509err(X509_F_BY_FILE_CTRL,X509_R_LOADING_DEFAULTS);
115 }
116 }
117 else
118 {
119 if(argl == X509_FILETYPE_PEM)
120 ok = (X509_load_cert_crl_file(ctx,argp,
121 X509_FILETYPE_PEM) != 0);
122 else
123 ok = (X509_load_cert_file(ctx,argp,(int)argl) != 0);
124 }
125 break;
126 }
127 return(ok);
128 }
129
130int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type)
131 {
132 int ret=0;
133 BIO *in=NULL;
134 int i,count=0;
135 X509 *x=NULL;
136
137 if (file == NULL) return(1);
138 in=BIO_new(BIO_s_file_internal());
139
140 if ((in == NULL) || (BIO_read_filename(in,file) <= 0))
141 {
142 X509err(X509_F_X509_LOAD_CERT_FILE,ERR_R_SYS_LIB);
143 goto err;
144 }
145
146 if (type == X509_FILETYPE_PEM)
147 {
148 for (;;)
149 {
150 x=PEM_read_bio_X509_AUX(in,NULL,NULL,NULL);
151 if (x == NULL)
152 {
153 if ((ERR_GET_REASON(ERR_peek_last_error()) ==
154 PEM_R_NO_START_LINE) && (count > 0))
155 {
156 ERR_clear_error();
157 break;
158 }
159 else
160 {
161 X509err(X509_F_X509_LOAD_CERT_FILE,
162 ERR_R_PEM_LIB);
163 goto err;
164 }
165 }
166 i=X509_STORE_add_cert(ctx->store_ctx,x);
167 if (!i) goto err;
168 count++;
169 X509_free(x);
170 x=NULL;
171 }
172 ret=count;
173 }
174 else if (type == X509_FILETYPE_ASN1)
175 {
176 x=d2i_X509_bio(in,NULL);
177 if (x == NULL)
178 {
179 X509err(X509_F_X509_LOAD_CERT_FILE,ERR_R_ASN1_LIB);
180 goto err;
181 }
182 i=X509_STORE_add_cert(ctx->store_ctx,x);
183 if (!i) goto err;
184 ret=i;
185 }
186 else
187 {
188 X509err(X509_F_X509_LOAD_CERT_FILE,X509_R_BAD_X509_FILETYPE);
189 goto err;
190 }
191err:
192 if (x != NULL) X509_free(x);
193 if (in != NULL) BIO_free(in);
194 return(ret);
195 }
196
197int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type)
198 {
199 int ret=0;
200 BIO *in=NULL;
201 int i,count=0;
202 X509_CRL *x=NULL;
203
204 if (file == NULL) return(1);
205 in=BIO_new(BIO_s_file_internal());
206
207 if ((in == NULL) || (BIO_read_filename(in,file) <= 0))
208 {
209 X509err(X509_F_X509_LOAD_CRL_FILE,ERR_R_SYS_LIB);
210 goto err;
211 }
212
213 if (type == X509_FILETYPE_PEM)
214 {
215 for (;;)
216 {
217 x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
218 if (x == NULL)
219 {
220 if ((ERR_GET_REASON(ERR_peek_last_error()) ==
221 PEM_R_NO_START_LINE) && (count > 0))
222 {
223 ERR_clear_error();
224 break;
225 }
226 else
227 {
228 X509err(X509_F_X509_LOAD_CRL_FILE,
229 ERR_R_PEM_LIB);
230 goto err;
231 }
232 }
233 i=X509_STORE_add_crl(ctx->store_ctx,x);
234 if (!i) goto err;
235 count++;
236 X509_CRL_free(x);
237 x=NULL;
238 }
239 ret=count;
240 }
241 else if (type == X509_FILETYPE_ASN1)
242 {
243 x=d2i_X509_CRL_bio(in,NULL);
244 if (x == NULL)
245 {
246 X509err(X509_F_X509_LOAD_CRL_FILE,ERR_R_ASN1_LIB);
247 goto err;
248 }
249 i=X509_STORE_add_crl(ctx->store_ctx,x);
250 if (!i) goto err;
251 ret=i;
252 }
253 else
254 {
255 X509err(X509_F_X509_LOAD_CRL_FILE,X509_R_BAD_X509_FILETYPE);
256 goto err;
257 }
258err:
259 if (x != NULL) X509_CRL_free(x);
260 if (in != NULL) BIO_free(in);
261 return(ret);
262 }
263
264int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type)
265{
266 STACK_OF(X509_INFO) *inf;
267 X509_INFO *itmp;
268 BIO *in;
269 int i, count = 0;
270 if(type != X509_FILETYPE_PEM)
271 return X509_load_cert_file(ctx, file, type);
272 in = BIO_new_file(file, "r");
273 if(!in) {
274 X509err(X509_F_X509_LOAD_CERT_CRL_FILE,ERR_R_SYS_LIB);
275 return 0;
276 }
277 inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
278 BIO_free(in);
279 if(!inf) {
280 X509err(X509_F_X509_LOAD_CERT_CRL_FILE,ERR_R_PEM_LIB);
281 return 0;
282 }
283 for(i = 0; i < sk_X509_INFO_num(inf); i++) {
284 itmp = sk_X509_INFO_value(inf, i);
285 if(itmp->x509) {
286 X509_STORE_add_cert(ctx->store_ctx, itmp->x509);
287 count++;
288 }
289 if(itmp->crl) {
290 X509_STORE_add_crl(ctx->store_ctx, itmp->crl);
291 count++;
292 }
293 }
294 sk_X509_INFO_pop_free(inf, X509_INFO_free);
295 return count;
296}
297
298
299#endif /* OPENSSL_NO_STDIO */
300
diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
new file mode 100644
index 0000000000..e6f8a40395
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509.h
@@ -0,0 +1,1286 @@
1/* crypto/x509/x509.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
60 * ECDH support in OpenSSL originally developed by
61 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
62 */
63
64#ifndef HEADER_X509_H
65#define HEADER_X509_H
66
67#include <openssl/e_os2.h>
68#include <openssl/symhacks.h>
69#ifndef OPENSSL_NO_BUFFER
70#include <openssl/buffer.h>
71#endif
72#ifndef OPENSSL_NO_EVP
73#include <openssl/evp.h>
74#endif
75#ifndef OPENSSL_NO_BIO
76#include <openssl/bio.h>
77#endif
78#include <openssl/stack.h>
79#include <openssl/asn1.h>
80#include <openssl/safestack.h>
81
82#ifndef OPENSSL_NO_EC
83#include <openssl/ec.h>
84#endif
85
86#ifndef OPENSSL_NO_ECDSA
87#include <openssl/ecdsa.h>
88#endif
89
90#ifndef OPENSSL_NO_ECDH
91#include <openssl/ecdh.h>
92#endif
93
94#ifndef OPENSSL_NO_DEPRECATED
95#ifndef OPENSSL_NO_RSA
96#include <openssl/rsa.h>
97#endif
98#ifndef OPENSSL_NO_DSA
99#include <openssl/dsa.h>
100#endif
101#ifndef OPENSSL_NO_DH
102#include <openssl/dh.h>
103#endif
104#endif
105
106#ifndef OPENSSL_NO_SHA
107#include <openssl/sha.h>
108#endif
109#include <openssl/ossl_typ.h>
110
111#ifdef __cplusplus
112extern "C" {
113#endif
114
115#ifdef OPENSSL_SYS_WIN32
116/* Under Win32 these are defined in wincrypt.h */
117#undef X509_NAME
118#undef X509_CERT_PAIR
119#undef X509_EXTENSIONS
120#endif
121
122#define X509_FILETYPE_PEM 1
123#define X509_FILETYPE_ASN1 2
124#define X509_FILETYPE_DEFAULT 3
125
126#define X509v3_KU_DIGITAL_SIGNATURE 0x0080
127#define X509v3_KU_NON_REPUDIATION 0x0040
128#define X509v3_KU_KEY_ENCIPHERMENT 0x0020
129#define X509v3_KU_DATA_ENCIPHERMENT 0x0010
130#define X509v3_KU_KEY_AGREEMENT 0x0008
131#define X509v3_KU_KEY_CERT_SIGN 0x0004
132#define X509v3_KU_CRL_SIGN 0x0002
133#define X509v3_KU_ENCIPHER_ONLY 0x0001
134#define X509v3_KU_DECIPHER_ONLY 0x8000
135#define X509v3_KU_UNDEF 0xffff
136
137typedef struct X509_objects_st
138 {
139 int nid;
140 int (*a2i)(void);
141 int (*i2a)(void);
142 } X509_OBJECTS;
143
144struct X509_algor_st
145 {
146 ASN1_OBJECT *algorithm;
147 ASN1_TYPE *parameter;
148 } /* X509_ALGOR */;
149
150DECLARE_ASN1_SET_OF(X509_ALGOR)
151
152typedef STACK_OF(X509_ALGOR) X509_ALGORS;
153
154typedef struct X509_val_st
155 {
156 ASN1_TIME *notBefore;
157 ASN1_TIME *notAfter;
158 } X509_VAL;
159
160struct X509_pubkey_st
161 {
162 X509_ALGOR *algor;
163 ASN1_BIT_STRING *public_key;
164 EVP_PKEY *pkey;
165 };
166
167typedef struct X509_sig_st
168 {
169 X509_ALGOR *algor;
170 ASN1_OCTET_STRING *digest;
171 } X509_SIG;
172
173typedef struct X509_name_entry_st
174 {
175 ASN1_OBJECT *object;
176 ASN1_STRING *value;
177 int set;
178 int size; /* temp variable */
179 } X509_NAME_ENTRY;
180
181DECLARE_STACK_OF(X509_NAME_ENTRY)
182DECLARE_ASN1_SET_OF(X509_NAME_ENTRY)
183
184/* we always keep X509_NAMEs in 2 forms. */
185struct X509_name_st
186 {
187 STACK_OF(X509_NAME_ENTRY) *entries;
188 int modified; /* true if 'bytes' needs to be built */
189#ifndef OPENSSL_NO_BUFFER
190 BUF_MEM *bytes;
191#else
192 char *bytes;
193#endif
194/* unsigned long hash; Keep the hash around for lookups */
195 unsigned char *canon_enc;
196 int canon_enclen;
197 } /* X509_NAME */;
198
199DECLARE_STACK_OF(X509_NAME)
200
201#define X509_EX_V_NETSCAPE_HACK 0x8000
202#define X509_EX_V_INIT 0x0001
203typedef struct X509_extension_st
204 {
205 ASN1_OBJECT *object;
206 ASN1_BOOLEAN critical;
207 ASN1_OCTET_STRING *value;
208 } X509_EXTENSION;
209
210typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS;
211
212DECLARE_STACK_OF(X509_EXTENSION)
213DECLARE_ASN1_SET_OF(X509_EXTENSION)
214
215/* a sequence of these are used */
216typedef struct x509_attributes_st
217 {
218 ASN1_OBJECT *object;
219 int single; /* 0 for a set, 1 for a single item (which is wrong) */
220 union {
221 char *ptr;
222/* 0 */ STACK_OF(ASN1_TYPE) *set;
223/* 1 */ ASN1_TYPE *single;
224 } value;
225 } X509_ATTRIBUTE;
226
227DECLARE_STACK_OF(X509_ATTRIBUTE)
228DECLARE_ASN1_SET_OF(X509_ATTRIBUTE)
229
230
231typedef struct X509_req_info_st
232 {
233 ASN1_ENCODING enc;
234 ASN1_INTEGER *version;
235 X509_NAME *subject;
236 X509_PUBKEY *pubkey;
237 /* d=2 hl=2 l= 0 cons: cont: 00 */
238 STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */
239 } X509_REQ_INFO;
240
241typedef struct X509_req_st
242 {
243 X509_REQ_INFO *req_info;
244 X509_ALGOR *sig_alg;
245 ASN1_BIT_STRING *signature;
246 int references;
247 } X509_REQ;
248
249typedef struct x509_cinf_st
250 {
251 ASN1_INTEGER *version; /* [ 0 ] default of v1 */
252 ASN1_INTEGER *serialNumber;
253 X509_ALGOR *signature;
254 X509_NAME *issuer;
255 X509_VAL *validity;
256 X509_NAME *subject;
257 X509_PUBKEY *key;
258 ASN1_BIT_STRING *issuerUID; /* [ 1 ] optional in v2 */
259 ASN1_BIT_STRING *subjectUID; /* [ 2 ] optional in v2 */
260 STACK_OF(X509_EXTENSION) *extensions; /* [ 3 ] optional in v3 */
261 ASN1_ENCODING enc;
262 } X509_CINF;
263
264/* This stuff is certificate "auxiliary info"
265 * it contains details which are useful in certificate
266 * stores and databases. When used this is tagged onto
267 * the end of the certificate itself
268 */
269
270typedef struct x509_cert_aux_st
271 {
272 STACK_OF(ASN1_OBJECT) *trust; /* trusted uses */
273 STACK_OF(ASN1_OBJECT) *reject; /* rejected uses */
274 ASN1_UTF8STRING *alias; /* "friendly name" */
275 ASN1_OCTET_STRING *keyid; /* key id of private key */
276 STACK_OF(X509_ALGOR) *other; /* other unspecified info */
277 } X509_CERT_AUX;
278
279struct x509_st
280 {
281 X509_CINF *cert_info;
282 X509_ALGOR *sig_alg;
283 ASN1_BIT_STRING *signature;
284 int valid;
285 int references;
286 char *name;
287 CRYPTO_EX_DATA ex_data;
288 /* These contain copies of various extension values */
289 long ex_pathlen;
290 long ex_pcpathlen;
291 unsigned long ex_flags;
292 unsigned long ex_kusage;
293 unsigned long ex_xkusage;
294 unsigned long ex_nscert;
295 ASN1_OCTET_STRING *skid;
296 AUTHORITY_KEYID *akid;
297 X509_POLICY_CACHE *policy_cache;
298 STACK_OF(DIST_POINT) *crldp;
299 STACK_OF(GENERAL_NAME) *altname;
300 NAME_CONSTRAINTS *nc;
301#ifndef OPENSSL_NO_RFC3779
302 STACK_OF(IPAddressFamily) *rfc3779_addr;
303 struct ASIdentifiers_st *rfc3779_asid;
304#endif
305#ifndef OPENSSL_NO_SHA
306 unsigned char sha1_hash[SHA_DIGEST_LENGTH];
307#endif
308 X509_CERT_AUX *aux;
309 } /* X509 */;
310
311DECLARE_STACK_OF(X509)
312DECLARE_ASN1_SET_OF(X509)
313
314/* This is used for a table of trust checking functions */
315
316typedef struct x509_trust_st {
317 int trust;
318 int flags;
319 int (*check_trust)(struct x509_trust_st *, X509 *, int);
320 char *name;
321 int arg1;
322 void *arg2;
323} X509_TRUST;
324
325DECLARE_STACK_OF(X509_TRUST)
326
327typedef struct x509_cert_pair_st {
328 X509 *forward;
329 X509 *reverse;
330} X509_CERT_PAIR;
331
332/* standard trust ids */
333
334#define X509_TRUST_DEFAULT -1 /* Only valid in purpose settings */
335
336#define X509_TRUST_COMPAT 1
337#define X509_TRUST_SSL_CLIENT 2
338#define X509_TRUST_SSL_SERVER 3
339#define X509_TRUST_EMAIL 4
340#define X509_TRUST_OBJECT_SIGN 5
341#define X509_TRUST_OCSP_SIGN 6
342#define X509_TRUST_OCSP_REQUEST 7
343#define X509_TRUST_TSA 8
344
345/* Keep these up to date! */
346#define X509_TRUST_MIN 1
347#define X509_TRUST_MAX 8
348
349
350/* trust_flags values */
351#define X509_TRUST_DYNAMIC 1
352#define X509_TRUST_DYNAMIC_NAME 2
353
354/* check_trust return codes */
355
356#define X509_TRUST_TRUSTED 1
357#define X509_TRUST_REJECTED 2
358#define X509_TRUST_UNTRUSTED 3
359
360/* Flags for X509_print_ex() */
361
362#define X509_FLAG_COMPAT 0
363#define X509_FLAG_NO_HEADER 1L
364#define X509_FLAG_NO_VERSION (1L << 1)
365#define X509_FLAG_NO_SERIAL (1L << 2)
366#define X509_FLAG_NO_SIGNAME (1L << 3)
367#define X509_FLAG_NO_ISSUER (1L << 4)
368#define X509_FLAG_NO_VALIDITY (1L << 5)
369#define X509_FLAG_NO_SUBJECT (1L << 6)
370#define X509_FLAG_NO_PUBKEY (1L << 7)
371#define X509_FLAG_NO_EXTENSIONS (1L << 8)
372#define X509_FLAG_NO_SIGDUMP (1L << 9)
373#define X509_FLAG_NO_AUX (1L << 10)
374#define X509_FLAG_NO_ATTRIBUTES (1L << 11)
375
376/* Flags specific to X509_NAME_print_ex() */
377
378/* The field separator information */
379
380#define XN_FLAG_SEP_MASK (0xf << 16)
381
382#define XN_FLAG_COMPAT 0 /* Traditional SSLeay: use old X509_NAME_print */
383#define XN_FLAG_SEP_COMMA_PLUS (1 << 16) /* RFC2253 ,+ */
384#define XN_FLAG_SEP_CPLUS_SPC (2 << 16) /* ,+ spaced: more readable */
385#define XN_FLAG_SEP_SPLUS_SPC (3 << 16) /* ;+ spaced */
386#define XN_FLAG_SEP_MULTILINE (4 << 16) /* One line per field */
387
388#define XN_FLAG_DN_REV (1 << 20) /* Reverse DN order */
389
390/* How the field name is shown */
391
392#define XN_FLAG_FN_MASK (0x3 << 21)
393
394#define XN_FLAG_FN_SN 0 /* Object short name */
395#define XN_FLAG_FN_LN (1 << 21) /* Object long name */
396#define XN_FLAG_FN_OID (2 << 21) /* Always use OIDs */
397#define XN_FLAG_FN_NONE (3 << 21) /* No field names */
398
399#define XN_FLAG_SPC_EQ (1 << 23) /* Put spaces round '=' */
400
401/* This determines if we dump fields we don't recognise:
402 * RFC2253 requires this.
403 */
404
405#define XN_FLAG_DUMP_UNKNOWN_FIELDS (1 << 24)
406
407#define XN_FLAG_FN_ALIGN (1 << 25) /* Align field names to 20 characters */
408
409/* Complete set of RFC2253 flags */
410
411#define XN_FLAG_RFC2253 (ASN1_STRFLGS_RFC2253 | \
412 XN_FLAG_SEP_COMMA_PLUS | \
413 XN_FLAG_DN_REV | \
414 XN_FLAG_FN_SN | \
415 XN_FLAG_DUMP_UNKNOWN_FIELDS)
416
417/* readable oneline form */
418
419#define XN_FLAG_ONELINE (ASN1_STRFLGS_RFC2253 | \
420 ASN1_STRFLGS_ESC_QUOTE | \
421 XN_FLAG_SEP_CPLUS_SPC | \
422 XN_FLAG_SPC_EQ | \
423 XN_FLAG_FN_SN)
424
425/* readable multiline form */
426
427#define XN_FLAG_MULTILINE (ASN1_STRFLGS_ESC_CTRL | \
428 ASN1_STRFLGS_ESC_MSB | \
429 XN_FLAG_SEP_MULTILINE | \
430 XN_FLAG_SPC_EQ | \
431 XN_FLAG_FN_LN | \
432 XN_FLAG_FN_ALIGN)
433
434struct x509_revoked_st
435 {
436 ASN1_INTEGER *serialNumber;
437 ASN1_TIME *revocationDate;
438 STACK_OF(X509_EXTENSION) /* optional */ *extensions;
439 /* Set up if indirect CRL */
440 STACK_OF(GENERAL_NAME) *issuer;
441 /* Revocation reason */
442 int reason;
443 int sequence; /* load sequence */
444 };
445
446DECLARE_STACK_OF(X509_REVOKED)
447DECLARE_ASN1_SET_OF(X509_REVOKED)
448
449typedef struct X509_crl_info_st
450 {
451 ASN1_INTEGER *version;
452 X509_ALGOR *sig_alg;
453 X509_NAME *issuer;
454 ASN1_TIME *lastUpdate;
455 ASN1_TIME *nextUpdate;
456 STACK_OF(X509_REVOKED) *revoked;
457 STACK_OF(X509_EXTENSION) /* [0] */ *extensions;
458 ASN1_ENCODING enc;
459 } X509_CRL_INFO;
460
461struct X509_crl_st
462 {
463 /* actual signature */
464 X509_CRL_INFO *crl;
465 X509_ALGOR *sig_alg;
466 ASN1_BIT_STRING *signature;
467 int references;
468 int flags;
469 /* Copies of various extensions */
470 AUTHORITY_KEYID *akid;
471 ISSUING_DIST_POINT *idp;
472 /* Convenient breakdown of IDP */
473 int idp_flags;
474 int idp_reasons;
475 /* CRL and base CRL numbers for delta processing */
476 ASN1_INTEGER *crl_number;
477 ASN1_INTEGER *base_crl_number;
478#ifndef OPENSSL_NO_SHA
479 unsigned char sha1_hash[SHA_DIGEST_LENGTH];
480#endif
481 STACK_OF(GENERAL_NAMES) *issuers;
482 const X509_CRL_METHOD *meth;
483 void *meth_data;
484 } /* X509_CRL */;
485
486DECLARE_STACK_OF(X509_CRL)
487DECLARE_ASN1_SET_OF(X509_CRL)
488
489typedef struct private_key_st
490 {
491 int version;
492 /* The PKCS#8 data types */
493 X509_ALGOR *enc_algor;
494 ASN1_OCTET_STRING *enc_pkey; /* encrypted pub key */
495
496 /* When decrypted, the following will not be NULL */
497 EVP_PKEY *dec_pkey;
498
499 /* used to encrypt and decrypt */
500 int key_length;
501 char *key_data;
502 int key_free; /* true if we should auto free key_data */
503
504 /* expanded version of 'enc_algor' */
505 EVP_CIPHER_INFO cipher;
506
507 int references;
508 } X509_PKEY;
509
510#ifndef OPENSSL_NO_EVP
511typedef struct X509_info_st
512 {
513 X509 *x509;
514 X509_CRL *crl;
515 X509_PKEY *x_pkey;
516
517 EVP_CIPHER_INFO enc_cipher;
518 int enc_len;
519 char *enc_data;
520
521 int references;
522 } X509_INFO;
523
524DECLARE_STACK_OF(X509_INFO)
525#endif
526
527/* The next 2 structures and their 8 routines were sent to me by
528 * Pat Richard <patr@x509.com> and are used to manipulate
529 * Netscapes spki structures - useful if you are writing a CA web page
530 */
531typedef struct Netscape_spkac_st
532 {
533 X509_PUBKEY *pubkey;
534 ASN1_IA5STRING *challenge; /* challenge sent in atlas >= PR2 */
535 } NETSCAPE_SPKAC;
536
537typedef struct Netscape_spki_st
538 {
539 NETSCAPE_SPKAC *spkac; /* signed public key and challenge */
540 X509_ALGOR *sig_algor;
541 ASN1_BIT_STRING *signature;
542 } NETSCAPE_SPKI;
543
544/* Netscape certificate sequence structure */
545typedef struct Netscape_certificate_sequence
546 {
547 ASN1_OBJECT *type;
548 STACK_OF(X509) *certs;
549 } NETSCAPE_CERT_SEQUENCE;
550
551/* Unused (and iv length is wrong)
552typedef struct CBCParameter_st
553 {
554 unsigned char iv[8];
555 } CBC_PARAM;
556*/
557
558/* Password based encryption structure */
559
560typedef struct PBEPARAM_st {
561ASN1_OCTET_STRING *salt;
562ASN1_INTEGER *iter;
563} PBEPARAM;
564
565/* Password based encryption V2 structures */
566
567typedef struct PBE2PARAM_st {
568X509_ALGOR *keyfunc;
569X509_ALGOR *encryption;
570} PBE2PARAM;
571
572typedef struct PBKDF2PARAM_st {
573ASN1_TYPE *salt; /* Usually OCTET STRING but could be anything */
574ASN1_INTEGER *iter;
575ASN1_INTEGER *keylength;
576X509_ALGOR *prf;
577} PBKDF2PARAM;
578
579
580/* PKCS#8 private key info structure */
581
582struct pkcs8_priv_key_info_st
583 {
584 int broken; /* Flag for various broken formats */
585#define PKCS8_OK 0
586#define PKCS8_NO_OCTET 1
587#define PKCS8_EMBEDDED_PARAM 2
588#define PKCS8_NS_DB 3
589#define PKCS8_NEG_PRIVKEY 4
590 ASN1_INTEGER *version;
591 X509_ALGOR *pkeyalg;
592 ASN1_TYPE *pkey; /* Should be OCTET STRING but some are broken */
593 STACK_OF(X509_ATTRIBUTE) *attributes;
594 };
595
596#ifdef __cplusplus
597}
598#endif
599
600#include <openssl/x509_vfy.h>
601#include <openssl/pkcs7.h>
602
603#ifdef __cplusplus
604extern "C" {
605#endif
606
607#define X509_EXT_PACK_UNKNOWN 1
608#define X509_EXT_PACK_STRING 2
609
610#define X509_get_version(x) ASN1_INTEGER_get((x)->cert_info->version)
611/* #define X509_get_serialNumber(x) ((x)->cert_info->serialNumber) */
612#define X509_get_notBefore(x) ((x)->cert_info->validity->notBefore)
613#define X509_get_notAfter(x) ((x)->cert_info->validity->notAfter)
614#define X509_extract_key(x) X509_get_pubkey(x) /*****/
615#define X509_REQ_get_version(x) ASN1_INTEGER_get((x)->req_info->version)
616#define X509_REQ_get_subject_name(x) ((x)->req_info->subject)
617#define X509_REQ_extract_key(a) X509_REQ_get_pubkey(a)
618#define X509_name_cmp(a,b) X509_NAME_cmp((a),(b))
619#define X509_get_signature_type(x) EVP_PKEY_type(OBJ_obj2nid((x)->sig_alg->algorithm))
620
621#define X509_CRL_get_version(x) ASN1_INTEGER_get((x)->crl->version)
622#define X509_CRL_get_lastUpdate(x) ((x)->crl->lastUpdate)
623#define X509_CRL_get_nextUpdate(x) ((x)->crl->nextUpdate)
624#define X509_CRL_get_issuer(x) ((x)->crl->issuer)
625#define X509_CRL_get_REVOKED(x) ((x)->crl->revoked)
626
627void X509_CRL_set_default_method(const X509_CRL_METHOD *meth);
628X509_CRL_METHOD *X509_CRL_METHOD_new(
629 int (*crl_init)(X509_CRL *crl),
630 int (*crl_free)(X509_CRL *crl),
631 int (*crl_lookup)(X509_CRL *crl, X509_REVOKED **ret,
632 ASN1_INTEGER *ser, X509_NAME *issuer),
633 int (*crl_verify)(X509_CRL *crl, EVP_PKEY *pk));
634void X509_CRL_METHOD_free(X509_CRL_METHOD *m);
635
636void X509_CRL_set_meth_data(X509_CRL *crl, void *dat);
637void *X509_CRL_get_meth_data(X509_CRL *crl);
638
639/* This one is only used so that a binary form can output, as in
640 * i2d_X509_NAME(X509_get_X509_PUBKEY(x),&buf) */
641#define X509_get_X509_PUBKEY(x) ((x)->cert_info->key)
642
643
644const char *X509_verify_cert_error_string(long n);
645
646#ifndef OPENSSL_NO_EVP
647int X509_verify(X509 *a, EVP_PKEY *r);
648
649int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r);
650int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r);
651int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r);
652
653NETSCAPE_SPKI * NETSCAPE_SPKI_b64_decode(const char *str, int len);
654char * NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *x);
655EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *x);
656int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey);
657
658int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki);
659
660int X509_signature_print(BIO *bp,X509_ALGOR *alg, ASN1_STRING *sig);
661
662int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
663int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
664int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
665int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md);
666
667int X509_pubkey_digest(const X509 *data,const EVP_MD *type,
668 unsigned char *md, unsigned int *len);
669int X509_digest(const X509 *data,const EVP_MD *type,
670 unsigned char *md, unsigned int *len);
671int X509_CRL_digest(const X509_CRL *data,const EVP_MD *type,
672 unsigned char *md, unsigned int *len);
673int X509_REQ_digest(const X509_REQ *data,const EVP_MD *type,
674 unsigned char *md, unsigned int *len);
675int X509_NAME_digest(const X509_NAME *data,const EVP_MD *type,
676 unsigned char *md, unsigned int *len);
677#endif
678
679#ifndef OPENSSL_NO_FP_API
680X509 *d2i_X509_fp(FILE *fp, X509 **x509);
681int i2d_X509_fp(FILE *fp,X509 *x509);
682X509_CRL *d2i_X509_CRL_fp(FILE *fp,X509_CRL **crl);
683int i2d_X509_CRL_fp(FILE *fp,X509_CRL *crl);
684X509_REQ *d2i_X509_REQ_fp(FILE *fp,X509_REQ **req);
685int i2d_X509_REQ_fp(FILE *fp,X509_REQ *req);
686#ifndef OPENSSL_NO_RSA
687RSA *d2i_RSAPrivateKey_fp(FILE *fp,RSA **rsa);
688int i2d_RSAPrivateKey_fp(FILE *fp,RSA *rsa);
689RSA *d2i_RSAPublicKey_fp(FILE *fp,RSA **rsa);
690int i2d_RSAPublicKey_fp(FILE *fp,RSA *rsa);
691RSA *d2i_RSA_PUBKEY_fp(FILE *fp,RSA **rsa);
692int i2d_RSA_PUBKEY_fp(FILE *fp,RSA *rsa);
693#endif
694#ifndef OPENSSL_NO_DSA
695DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa);
696int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa);
697DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa);
698int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa);
699#endif
700#ifndef OPENSSL_NO_EC
701EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey);
702int i2d_EC_PUBKEY_fp(FILE *fp, EC_KEY *eckey);
703EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey);
704int i2d_ECPrivateKey_fp(FILE *fp, EC_KEY *eckey);
705#endif
706X509_SIG *d2i_PKCS8_fp(FILE *fp,X509_SIG **p8);
707int i2d_PKCS8_fp(FILE *fp,X509_SIG *p8);
708PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,
709 PKCS8_PRIV_KEY_INFO **p8inf);
710int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,PKCS8_PRIV_KEY_INFO *p8inf);
711int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key);
712int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey);
713EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a);
714int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey);
715EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a);
716#endif
717
718#ifndef OPENSSL_NO_BIO
719X509 *d2i_X509_bio(BIO *bp,X509 **x509);
720int i2d_X509_bio(BIO *bp,X509 *x509);
721X509_CRL *d2i_X509_CRL_bio(BIO *bp,X509_CRL **crl);
722int i2d_X509_CRL_bio(BIO *bp,X509_CRL *crl);
723X509_REQ *d2i_X509_REQ_bio(BIO *bp,X509_REQ **req);
724int i2d_X509_REQ_bio(BIO *bp,X509_REQ *req);
725#ifndef OPENSSL_NO_RSA
726RSA *d2i_RSAPrivateKey_bio(BIO *bp,RSA **rsa);
727int i2d_RSAPrivateKey_bio(BIO *bp,RSA *rsa);
728RSA *d2i_RSAPublicKey_bio(BIO *bp,RSA **rsa);
729int i2d_RSAPublicKey_bio(BIO *bp,RSA *rsa);
730RSA *d2i_RSA_PUBKEY_bio(BIO *bp,RSA **rsa);
731int i2d_RSA_PUBKEY_bio(BIO *bp,RSA *rsa);
732#endif
733#ifndef OPENSSL_NO_DSA
734DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa);
735int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa);
736DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa);
737int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa);
738#endif
739#ifndef OPENSSL_NO_EC
740EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey);
741int i2d_EC_PUBKEY_bio(BIO *bp, EC_KEY *eckey);
742EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey);
743int i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey);
744#endif
745X509_SIG *d2i_PKCS8_bio(BIO *bp,X509_SIG **p8);
746int i2d_PKCS8_bio(BIO *bp,X509_SIG *p8);
747PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
748 PKCS8_PRIV_KEY_INFO **p8inf);
749int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,PKCS8_PRIV_KEY_INFO *p8inf);
750int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key);
751int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey);
752EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a);
753int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey);
754EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a);
755#endif
756
757X509 *X509_dup(X509 *x509);
758X509_ATTRIBUTE *X509_ATTRIBUTE_dup(X509_ATTRIBUTE *xa);
759X509_EXTENSION *X509_EXTENSION_dup(X509_EXTENSION *ex);
760X509_CRL *X509_CRL_dup(X509_CRL *crl);
761X509_REQ *X509_REQ_dup(X509_REQ *req);
762X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn);
763int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *aobj, int ptype, void *pval);
764void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval,
765 X509_ALGOR *algor);
766
767X509_NAME *X509_NAME_dup(X509_NAME *xn);
768X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne);
769
770int X509_cmp_time(const ASN1_TIME *s, time_t *t);
771int X509_cmp_current_time(const ASN1_TIME *s);
772ASN1_TIME * X509_time_adj(ASN1_TIME *s, long adj, time_t *t);
773ASN1_TIME * X509_time_adj_ex(ASN1_TIME *s,
774 int offset_day, long offset_sec, time_t *t);
775ASN1_TIME * X509_gmtime_adj(ASN1_TIME *s, long adj);
776
777const char * X509_get_default_cert_area(void );
778const char * X509_get_default_cert_dir(void );
779const char * X509_get_default_cert_file(void );
780const char * X509_get_default_cert_dir_env(void );
781const char * X509_get_default_cert_file_env(void );
782const char * X509_get_default_private_dir(void );
783
784X509_REQ * X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
785X509 * X509_REQ_to_X509(X509_REQ *r, int days,EVP_PKEY *pkey);
786
787DECLARE_ASN1_FUNCTIONS(X509_ALGOR)
788DECLARE_ASN1_ENCODE_FUNCTIONS(X509_ALGORS, X509_ALGORS, X509_ALGORS)
789DECLARE_ASN1_FUNCTIONS(X509_VAL)
790
791DECLARE_ASN1_FUNCTIONS(X509_PUBKEY)
792
793int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey);
794EVP_PKEY * X509_PUBKEY_get(X509_PUBKEY *key);
795int X509_get_pubkey_parameters(EVP_PKEY *pkey,
796 STACK_OF(X509) *chain);
797int i2d_PUBKEY(EVP_PKEY *a,unsigned char **pp);
798EVP_PKEY * d2i_PUBKEY(EVP_PKEY **a,const unsigned char **pp,
799 long length);
800#ifndef OPENSSL_NO_RSA
801int i2d_RSA_PUBKEY(RSA *a,unsigned char **pp);
802RSA * d2i_RSA_PUBKEY(RSA **a,const unsigned char **pp,
803 long length);
804#endif
805#ifndef OPENSSL_NO_DSA
806int i2d_DSA_PUBKEY(DSA *a,unsigned char **pp);
807DSA * d2i_DSA_PUBKEY(DSA **a,const unsigned char **pp,
808 long length);
809#endif
810#ifndef OPENSSL_NO_EC
811int i2d_EC_PUBKEY(EC_KEY *a, unsigned char **pp);
812EC_KEY *d2i_EC_PUBKEY(EC_KEY **a, const unsigned char **pp,
813 long length);
814#endif
815
816DECLARE_ASN1_FUNCTIONS(X509_SIG)
817DECLARE_ASN1_FUNCTIONS(X509_REQ_INFO)
818DECLARE_ASN1_FUNCTIONS(X509_REQ)
819
820DECLARE_ASN1_FUNCTIONS(X509_ATTRIBUTE)
821X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int atrtype, void *value);
822
823DECLARE_ASN1_FUNCTIONS(X509_EXTENSION)
824DECLARE_ASN1_ENCODE_FUNCTIONS(X509_EXTENSIONS, X509_EXTENSIONS, X509_EXTENSIONS)
825
826DECLARE_ASN1_FUNCTIONS(X509_NAME_ENTRY)
827
828DECLARE_ASN1_FUNCTIONS(X509_NAME)
829
830int X509_NAME_set(X509_NAME **xn, X509_NAME *name);
831
832DECLARE_ASN1_FUNCTIONS(X509_CINF)
833
834DECLARE_ASN1_FUNCTIONS(X509)
835DECLARE_ASN1_FUNCTIONS(X509_CERT_AUX)
836
837DECLARE_ASN1_FUNCTIONS(X509_CERT_PAIR)
838
839int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
840 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
841int X509_set_ex_data(X509 *r, int idx, void *arg);
842void *X509_get_ex_data(X509 *r, int idx);
843int i2d_X509_AUX(X509 *a,unsigned char **pp);
844X509 * d2i_X509_AUX(X509 **a,const unsigned char **pp,long length);
845
846int X509_alias_set1(X509 *x, unsigned char *name, int len);
847int X509_keyid_set1(X509 *x, unsigned char *id, int len);
848unsigned char * X509_alias_get0(X509 *x, int *len);
849unsigned char * X509_keyid_get0(X509 *x, int *len);
850int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int);
851int X509_TRUST_set(int *t, int trust);
852int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj);
853int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj);
854void X509_trust_clear(X509 *x);
855void X509_reject_clear(X509 *x);
856
857DECLARE_ASN1_FUNCTIONS(X509_REVOKED)
858DECLARE_ASN1_FUNCTIONS(X509_CRL_INFO)
859DECLARE_ASN1_FUNCTIONS(X509_CRL)
860
861int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
862int X509_CRL_get0_by_serial(X509_CRL *crl,
863 X509_REVOKED **ret, ASN1_INTEGER *serial);
864int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x);
865
866X509_PKEY * X509_PKEY_new(void );
867void X509_PKEY_free(X509_PKEY *a);
868int i2d_X509_PKEY(X509_PKEY *a,unsigned char **pp);
869X509_PKEY * d2i_X509_PKEY(X509_PKEY **a,const unsigned char **pp,long length);
870
871DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKI)
872DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKAC)
873DECLARE_ASN1_FUNCTIONS(NETSCAPE_CERT_SEQUENCE)
874
875#ifndef OPENSSL_NO_EVP
876X509_INFO * X509_INFO_new(void);
877void X509_INFO_free(X509_INFO *a);
878char * X509_NAME_oneline(X509_NAME *a,char *buf,int size);
879
880int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *algor1,
881 ASN1_BIT_STRING *signature,char *data,EVP_PKEY *pkey);
882
883int ASN1_digest(i2d_of_void *i2d,const EVP_MD *type,char *data,
884 unsigned char *md,unsigned int *len);
885
886int ASN1_sign(i2d_of_void *i2d, X509_ALGOR *algor1,
887 X509_ALGOR *algor2, ASN1_BIT_STRING *signature,
888 char *data,EVP_PKEY *pkey, const EVP_MD *type);
889
890int ASN1_item_digest(const ASN1_ITEM *it,const EVP_MD *type,void *data,
891 unsigned char *md,unsigned int *len);
892
893int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *algor1,
894 ASN1_BIT_STRING *signature,void *data,EVP_PKEY *pkey);
895
896int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
897 ASN1_BIT_STRING *signature,
898 void *data, EVP_PKEY *pkey, const EVP_MD *type);
899#endif
900
901int X509_set_version(X509 *x,long version);
902int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial);
903ASN1_INTEGER * X509_get_serialNumber(X509 *x);
904int X509_set_issuer_name(X509 *x, X509_NAME *name);
905X509_NAME * X509_get_issuer_name(X509 *a);
906int X509_set_subject_name(X509 *x, X509_NAME *name);
907X509_NAME * X509_get_subject_name(X509 *a);
908int X509_set_notBefore(X509 *x, const ASN1_TIME *tm);
909int X509_set_notAfter(X509 *x, const ASN1_TIME *tm);
910int X509_set_pubkey(X509 *x, EVP_PKEY *pkey);
911EVP_PKEY * X509_get_pubkey(X509 *x);
912ASN1_BIT_STRING * X509_get0_pubkey_bitstr(const X509 *x);
913int X509_certificate_type(X509 *x,EVP_PKEY *pubkey /* optional */);
914
915int X509_REQ_set_version(X509_REQ *x,long version);
916int X509_REQ_set_subject_name(X509_REQ *req,X509_NAME *name);
917int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey);
918EVP_PKEY * X509_REQ_get_pubkey(X509_REQ *req);
919int X509_REQ_extension_nid(int nid);
920int * X509_REQ_get_extension_nids(void);
921void X509_REQ_set_extension_nids(int *nids);
922STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req);
923int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts,
924 int nid);
925int X509_REQ_add_extensions(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts);
926int X509_REQ_get_attr_count(const X509_REQ *req);
927int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid,
928 int lastpos);
929int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, ASN1_OBJECT *obj,
930 int lastpos);
931X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc);
932X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc);
933int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr);
934int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
935 const ASN1_OBJECT *obj, int type,
936 const unsigned char *bytes, int len);
937int X509_REQ_add1_attr_by_NID(X509_REQ *req,
938 int nid, int type,
939 const unsigned char *bytes, int len);
940int X509_REQ_add1_attr_by_txt(X509_REQ *req,
941 const char *attrname, int type,
942 const unsigned char *bytes, int len);
943
944int X509_CRL_set_version(X509_CRL *x, long version);
945int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name);
946int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm);
947int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm);
948int X509_CRL_sort(X509_CRL *crl);
949
950int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial);
951int X509_REVOKED_set_revocationDate(X509_REVOKED *r, ASN1_TIME *tm);
952
953int X509_REQ_check_private_key(X509_REQ *x509,EVP_PKEY *pkey);
954
955int X509_check_private_key(X509 *x509,EVP_PKEY *pkey);
956
957int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b);
958unsigned long X509_issuer_and_serial_hash(X509 *a);
959
960int X509_issuer_name_cmp(const X509 *a, const X509 *b);
961unsigned long X509_issuer_name_hash(X509 *a);
962
963int X509_subject_name_cmp(const X509 *a, const X509 *b);
964unsigned long X509_subject_name_hash(X509 *x);
965
966#ifndef OPENSSL_NO_MD5
967unsigned long X509_issuer_name_hash_old(X509 *a);
968unsigned long X509_subject_name_hash_old(X509 *x);
969#endif
970
971int X509_cmp(const X509 *a, const X509 *b);
972int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b);
973unsigned long X509_NAME_hash(X509_NAME *x);
974unsigned long X509_NAME_hash_old(X509_NAME *x);
975
976int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b);
977int X509_CRL_match(const X509_CRL *a, const X509_CRL *b);
978#ifndef OPENSSL_NO_FP_API
979int X509_print_ex_fp(FILE *bp,X509 *x, unsigned long nmflag, unsigned long cflag);
980int X509_print_fp(FILE *bp,X509 *x);
981int X509_CRL_print_fp(FILE *bp,X509_CRL *x);
982int X509_REQ_print_fp(FILE *bp,X509_REQ *req);
983int X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long flags);
984#endif
985
986#ifndef OPENSSL_NO_BIO
987int X509_NAME_print(BIO *bp, X509_NAME *name, int obase);
988int X509_NAME_print_ex(BIO *out, X509_NAME *nm, int indent, unsigned long flags);
989int X509_print_ex(BIO *bp,X509 *x, unsigned long nmflag, unsigned long cflag);
990int X509_print(BIO *bp,X509 *x);
991int X509_ocspid_print(BIO *bp,X509 *x);
992int X509_CERT_AUX_print(BIO *bp,X509_CERT_AUX *x, int indent);
993int X509_CRL_print(BIO *bp,X509_CRL *x);
994int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflag, unsigned long cflag);
995int X509_REQ_print(BIO *bp,X509_REQ *req);
996#endif
997
998int X509_NAME_entry_count(X509_NAME *name);
999int X509_NAME_get_text_by_NID(X509_NAME *name, int nid,
1000 char *buf,int len);
1001int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj,
1002 char *buf,int len);
1003
1004/* NOTE: you should be passsing -1, not 0 as lastpos. The functions that use
1005 * lastpos, search after that position on. */
1006int X509_NAME_get_index_by_NID(X509_NAME *name,int nid,int lastpos);
1007int X509_NAME_get_index_by_OBJ(X509_NAME *name,ASN1_OBJECT *obj,
1008 int lastpos);
1009X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc);
1010X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc);
1011int X509_NAME_add_entry(X509_NAME *name,X509_NAME_ENTRY *ne,
1012 int loc, int set);
1013int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type,
1014 unsigned char *bytes, int len, int loc, int set);
1015int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
1016 unsigned char *bytes, int len, int loc, int set);
1017X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
1018 const char *field, int type, const unsigned char *bytes, int len);
1019X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
1020 int type,unsigned char *bytes, int len);
1021int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type,
1022 const unsigned char *bytes, int len, int loc, int set);
1023X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
1024 ASN1_OBJECT *obj, int type,const unsigned char *bytes,
1025 int len);
1026int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne,
1027 ASN1_OBJECT *obj);
1028int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
1029 const unsigned char *bytes, int len);
1030ASN1_OBJECT * X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne);
1031ASN1_STRING * X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne);
1032
1033int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x);
1034int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x,
1035 int nid, int lastpos);
1036int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *x,
1037 ASN1_OBJECT *obj,int lastpos);
1038int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *x,
1039 int crit, int lastpos);
1040X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc);
1041X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc);
1042STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x,
1043 X509_EXTENSION *ex, int loc);
1044
1045int X509_get_ext_count(X509 *x);
1046int X509_get_ext_by_NID(X509 *x, int nid, int lastpos);
1047int X509_get_ext_by_OBJ(X509 *x,ASN1_OBJECT *obj,int lastpos);
1048int X509_get_ext_by_critical(X509 *x, int crit, int lastpos);
1049X509_EXTENSION *X509_get_ext(X509 *x, int loc);
1050X509_EXTENSION *X509_delete_ext(X509 *x, int loc);
1051int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);
1052void * X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx);
1053int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
1054 unsigned long flags);
1055
1056int X509_CRL_get_ext_count(X509_CRL *x);
1057int X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int lastpos);
1058int X509_CRL_get_ext_by_OBJ(X509_CRL *x,ASN1_OBJECT *obj,int lastpos);
1059int X509_CRL_get_ext_by_critical(X509_CRL *x, int crit, int lastpos);
1060X509_EXTENSION *X509_CRL_get_ext(X509_CRL *x, int loc);
1061X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc);
1062int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc);
1063void * X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx);
1064int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, int crit,
1065 unsigned long flags);
1066
1067int X509_REVOKED_get_ext_count(X509_REVOKED *x);
1068int X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int lastpos);
1069int X509_REVOKED_get_ext_by_OBJ(X509_REVOKED *x,ASN1_OBJECT *obj,int lastpos);
1070int X509_REVOKED_get_ext_by_critical(X509_REVOKED *x, int crit, int lastpos);
1071X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *x, int loc);
1072X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc);
1073int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc);
1074void * X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx);
1075int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, void *value, int crit,
1076 unsigned long flags);
1077
1078X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex,
1079 int nid, int crit, ASN1_OCTET_STRING *data);
1080X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex,
1081 ASN1_OBJECT *obj,int crit,ASN1_OCTET_STRING *data);
1082int X509_EXTENSION_set_object(X509_EXTENSION *ex,ASN1_OBJECT *obj);
1083int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit);
1084int X509_EXTENSION_set_data(X509_EXTENSION *ex,
1085 ASN1_OCTET_STRING *data);
1086ASN1_OBJECT * X509_EXTENSION_get_object(X509_EXTENSION *ex);
1087ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ne);
1088int X509_EXTENSION_get_critical(X509_EXTENSION *ex);
1089
1090int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x);
1091int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, int nid,
1092 int lastpos);
1093int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, ASN1_OBJECT *obj,
1094 int lastpos);
1095X509_ATTRIBUTE *X509at_get_attr(const STACK_OF(X509_ATTRIBUTE) *x, int loc);
1096X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, int loc);
1097STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
1098 X509_ATTRIBUTE *attr);
1099STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x,
1100 const ASN1_OBJECT *obj, int type,
1101 const unsigned char *bytes, int len);
1102STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x,
1103 int nid, int type,
1104 const unsigned char *bytes, int len);
1105STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x,
1106 const char *attrname, int type,
1107 const unsigned char *bytes, int len);
1108void *X509at_get0_data_by_OBJ(STACK_OF(X509_ATTRIBUTE) *x,
1109 ASN1_OBJECT *obj, int lastpos, int type);
1110X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
1111 int atrtype, const void *data, int len);
1112X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
1113 const ASN1_OBJECT *obj, int atrtype, const void *data, int len);
1114X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
1115 const char *atrname, int type, const unsigned char *bytes, int len);
1116int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj);
1117int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *data, int len);
1118void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx,
1119 int atrtype, void *data);
1120int X509_ATTRIBUTE_count(X509_ATTRIBUTE *attr);
1121ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr);
1122ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx);
1123
1124int EVP_PKEY_get_attr_count(const EVP_PKEY *key);
1125int EVP_PKEY_get_attr_by_NID(const EVP_PKEY *key, int nid,
1126 int lastpos);
1127int EVP_PKEY_get_attr_by_OBJ(const EVP_PKEY *key, ASN1_OBJECT *obj,
1128 int lastpos);
1129X509_ATTRIBUTE *EVP_PKEY_get_attr(const EVP_PKEY *key, int loc);
1130X509_ATTRIBUTE *EVP_PKEY_delete_attr(EVP_PKEY *key, int loc);
1131int EVP_PKEY_add1_attr(EVP_PKEY *key, X509_ATTRIBUTE *attr);
1132int EVP_PKEY_add1_attr_by_OBJ(EVP_PKEY *key,
1133 const ASN1_OBJECT *obj, int type,
1134 const unsigned char *bytes, int len);
1135int EVP_PKEY_add1_attr_by_NID(EVP_PKEY *key,
1136 int nid, int type,
1137 const unsigned char *bytes, int len);
1138int EVP_PKEY_add1_attr_by_txt(EVP_PKEY *key,
1139 const char *attrname, int type,
1140 const unsigned char *bytes, int len);
1141
1142int X509_verify_cert(X509_STORE_CTX *ctx);
1143
1144/* lookup a cert from a X509 STACK */
1145X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk,X509_NAME *name,
1146 ASN1_INTEGER *serial);
1147X509 *X509_find_by_subject(STACK_OF(X509) *sk,X509_NAME *name);
1148
1149DECLARE_ASN1_FUNCTIONS(PBEPARAM)
1150DECLARE_ASN1_FUNCTIONS(PBE2PARAM)
1151DECLARE_ASN1_FUNCTIONS(PBKDF2PARAM)
1152
1153int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
1154 const unsigned char *salt, int saltlen);
1155
1156X509_ALGOR *PKCS5_pbe_set(int alg, int iter,
1157 const unsigned char *salt, int saltlen);
1158X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
1159 unsigned char *salt, int saltlen);
1160X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
1161 unsigned char *salt, int saltlen,
1162 unsigned char *aiv, int prf_nid);
1163
1164/* PKCS#8 utilities */
1165
1166DECLARE_ASN1_FUNCTIONS(PKCS8_PRIV_KEY_INFO)
1167
1168EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8);
1169PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey);
1170PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8_broken(EVP_PKEY *pkey, int broken);
1171PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken);
1172
1173int PKCS8_pkey_set0(PKCS8_PRIV_KEY_INFO *priv, ASN1_OBJECT *aobj,
1174 int version, int ptype, void *pval,
1175 unsigned char *penc, int penclen);
1176int PKCS8_pkey_get0(ASN1_OBJECT **ppkalg,
1177 const unsigned char **pk, int *ppklen,
1178 X509_ALGOR **pa,
1179 PKCS8_PRIV_KEY_INFO *p8);
1180
1181int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *aobj,
1182 int ptype, void *pval,
1183 unsigned char *penc, int penclen);
1184int X509_PUBKEY_get0_param(ASN1_OBJECT **ppkalg,
1185 const unsigned char **pk, int *ppklen,
1186 X509_ALGOR **pa,
1187 X509_PUBKEY *pub);
1188
1189int X509_check_trust(X509 *x, int id, int flags);
1190int X509_TRUST_get_count(void);
1191X509_TRUST * X509_TRUST_get0(int idx);
1192int X509_TRUST_get_by_id(int id);
1193int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
1194 char *name, int arg1, void *arg2);
1195void X509_TRUST_cleanup(void);
1196int X509_TRUST_get_flags(X509_TRUST *xp);
1197char *X509_TRUST_get0_name(X509_TRUST *xp);
1198int X509_TRUST_get_trust(X509_TRUST *xp);
1199
1200/* BEGIN ERROR CODES */
1201/* The following lines are auto generated by the script mkerr.pl. Any changes
1202 * made after this point may be overwritten when the script is next run.
1203 */
1204void ERR_load_X509_strings(void);
1205
1206/* Error codes for the X509 functions. */
1207
1208/* Function codes. */
1209#define X509_F_ADD_CERT_DIR 100
1210#define X509_F_BY_FILE_CTRL 101
1211#define X509_F_CHECK_POLICY 145
1212#define X509_F_DIR_CTRL 102
1213#define X509_F_GET_CERT_BY_SUBJECT 103
1214#define X509_F_NETSCAPE_SPKI_B64_DECODE 129
1215#define X509_F_NETSCAPE_SPKI_B64_ENCODE 130
1216#define X509_F_X509AT_ADD1_ATTR 135
1217#define X509_F_X509V3_ADD_EXT 104
1218#define X509_F_X509_ATTRIBUTE_CREATE_BY_NID 136
1219#define X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ 137
1220#define X509_F_X509_ATTRIBUTE_CREATE_BY_TXT 140
1221#define X509_F_X509_ATTRIBUTE_GET0_DATA 139
1222#define X509_F_X509_ATTRIBUTE_SET1_DATA 138
1223#define X509_F_X509_CHECK_PRIVATE_KEY 128
1224#define X509_F_X509_CRL_PRINT_FP 147
1225#define X509_F_X509_EXTENSION_CREATE_BY_NID 108
1226#define X509_F_X509_EXTENSION_CREATE_BY_OBJ 109
1227#define X509_F_X509_GET_PUBKEY_PARAMETERS 110
1228#define X509_F_X509_LOAD_CERT_CRL_FILE 132
1229#define X509_F_X509_LOAD_CERT_FILE 111
1230#define X509_F_X509_LOAD_CRL_FILE 112
1231#define X509_F_X509_NAME_ADD_ENTRY 113
1232#define X509_F_X509_NAME_ENTRY_CREATE_BY_NID 114
1233#define X509_F_X509_NAME_ENTRY_CREATE_BY_TXT 131
1234#define X509_F_X509_NAME_ENTRY_SET_OBJECT 115
1235#define X509_F_X509_NAME_ONELINE 116
1236#define X509_F_X509_NAME_PRINT 117
1237#define X509_F_X509_PRINT_EX_FP 118
1238#define X509_F_X509_PUBKEY_GET 119
1239#define X509_F_X509_PUBKEY_SET 120
1240#define X509_F_X509_REQ_CHECK_PRIVATE_KEY 144
1241#define X509_F_X509_REQ_PRINT_EX 121
1242#define X509_F_X509_REQ_PRINT_FP 122
1243#define X509_F_X509_REQ_TO_X509 123
1244#define X509_F_X509_STORE_ADD_CERT 124
1245#define X509_F_X509_STORE_ADD_CRL 125
1246#define X509_F_X509_STORE_CTX_GET1_ISSUER 146
1247#define X509_F_X509_STORE_CTX_INIT 143
1248#define X509_F_X509_STORE_CTX_NEW 142
1249#define X509_F_X509_STORE_CTX_PURPOSE_INHERIT 134
1250#define X509_F_X509_TO_X509_REQ 126
1251#define X509_F_X509_TRUST_ADD 133
1252#define X509_F_X509_TRUST_SET 141
1253#define X509_F_X509_VERIFY_CERT 127
1254
1255/* Reason codes. */
1256#define X509_R_BAD_X509_FILETYPE 100
1257#define X509_R_BASE64_DECODE_ERROR 118
1258#define X509_R_CANT_CHECK_DH_KEY 114
1259#define X509_R_CERT_ALREADY_IN_HASH_TABLE 101
1260#define X509_R_ERR_ASN1_LIB 102
1261#define X509_R_INVALID_DIRECTORY 113
1262#define X509_R_INVALID_FIELD_NAME 119
1263#define X509_R_INVALID_TRUST 123
1264#define X509_R_KEY_TYPE_MISMATCH 115
1265#define X509_R_KEY_VALUES_MISMATCH 116
1266#define X509_R_LOADING_CERT_DIR 103
1267#define X509_R_LOADING_DEFAULTS 104
1268#define X509_R_METHOD_NOT_SUPPORTED 124
1269#define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY 105
1270#define X509_R_PUBLIC_KEY_DECODE_ERROR 125
1271#define X509_R_PUBLIC_KEY_ENCODE_ERROR 126
1272#define X509_R_SHOULD_RETRY 106
1273#define X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN 107
1274#define X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY 108
1275#define X509_R_UNKNOWN_KEY_TYPE 117
1276#define X509_R_UNKNOWN_NID 109
1277#define X509_R_UNKNOWN_PURPOSE_ID 121
1278#define X509_R_UNKNOWN_TRUST_ID 120
1279#define X509_R_UNSUPPORTED_ALGORITHM 111
1280#define X509_R_WRONG_LOOKUP_TYPE 112
1281#define X509_R_WRONG_TYPE 122
1282
1283#ifdef __cplusplus
1284}
1285#endif
1286#endif
diff --git a/src/lib/libcrypto/x509/x509_att.c b/src/lib/libcrypto/x509/x509_att.c
new file mode 100644
index 0000000000..98460e8921
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_att.c
@@ -0,0 +1,359 @@
1/* crypto/x509/x509_att.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/stack.h>
61#include "cryptlib.h"
62#include <openssl/asn1.h>
63#include <openssl/objects.h>
64#include <openssl/evp.h>
65#include <openssl/x509.h>
66#include <openssl/x509v3.h>
67
68int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x)
69{
70 return sk_X509_ATTRIBUTE_num(x);
71}
72
73int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, int nid,
74 int lastpos)
75{
76 ASN1_OBJECT *obj;
77
78 obj=OBJ_nid2obj(nid);
79 if (obj == NULL) return(-2);
80 return(X509at_get_attr_by_OBJ(x,obj,lastpos));
81}
82
83int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, ASN1_OBJECT *obj,
84 int lastpos)
85{
86 int n;
87 X509_ATTRIBUTE *ex;
88
89 if (sk == NULL) return(-1);
90 lastpos++;
91 if (lastpos < 0)
92 lastpos=0;
93 n=sk_X509_ATTRIBUTE_num(sk);
94 for ( ; lastpos < n; lastpos++)
95 {
96 ex=sk_X509_ATTRIBUTE_value(sk,lastpos);
97 if (OBJ_cmp(ex->object,obj) == 0)
98 return(lastpos);
99 }
100 return(-1);
101}
102
103X509_ATTRIBUTE *X509at_get_attr(const STACK_OF(X509_ATTRIBUTE) *x, int loc)
104{
105 if (x == NULL || sk_X509_ATTRIBUTE_num(x) <= loc || loc < 0)
106 return NULL;
107 else
108 return sk_X509_ATTRIBUTE_value(x,loc);
109}
110
111X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, int loc)
112{
113 X509_ATTRIBUTE *ret;
114
115 if (x == NULL || sk_X509_ATTRIBUTE_num(x) <= loc || loc < 0)
116 return(NULL);
117 ret=sk_X509_ATTRIBUTE_delete(x,loc);
118 return(ret);
119}
120
121STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
122 X509_ATTRIBUTE *attr)
123{
124 X509_ATTRIBUTE *new_attr=NULL;
125 STACK_OF(X509_ATTRIBUTE) *sk=NULL;
126
127 if (x == NULL)
128 {
129 X509err(X509_F_X509AT_ADD1_ATTR, ERR_R_PASSED_NULL_PARAMETER);
130 goto err2;
131 }
132
133 if (*x == NULL)
134 {
135 if ((sk=sk_X509_ATTRIBUTE_new_null()) == NULL)
136 goto err;
137 }
138 else
139 sk= *x;
140
141 if ((new_attr=X509_ATTRIBUTE_dup(attr)) == NULL)
142 goto err2;
143 if (!sk_X509_ATTRIBUTE_push(sk,new_attr))
144 goto err;
145 if (*x == NULL)
146 *x=sk;
147 return(sk);
148err:
149 X509err(X509_F_X509AT_ADD1_ATTR,ERR_R_MALLOC_FAILURE);
150err2:
151 if (new_attr != NULL) X509_ATTRIBUTE_free(new_attr);
152 if (sk != NULL) sk_X509_ATTRIBUTE_free(sk);
153 return(NULL);
154}
155
156STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x,
157 const ASN1_OBJECT *obj, int type,
158 const unsigned char *bytes, int len)
159{
160 X509_ATTRIBUTE *attr;
161 STACK_OF(X509_ATTRIBUTE) *ret;
162 attr = X509_ATTRIBUTE_create_by_OBJ(NULL, obj, type, bytes, len);
163 if(!attr) return 0;
164 ret = X509at_add1_attr(x, attr);
165 X509_ATTRIBUTE_free(attr);
166 return ret;
167}
168
169STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x,
170 int nid, int type,
171 const unsigned char *bytes, int len)
172{
173 X509_ATTRIBUTE *attr;
174 STACK_OF(X509_ATTRIBUTE) *ret;
175 attr = X509_ATTRIBUTE_create_by_NID(NULL, nid, type, bytes, len);
176 if(!attr) return 0;
177 ret = X509at_add1_attr(x, attr);
178 X509_ATTRIBUTE_free(attr);
179 return ret;
180}
181
182STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x,
183 const char *attrname, int type,
184 const unsigned char *bytes, int len)
185{
186 X509_ATTRIBUTE *attr;
187 STACK_OF(X509_ATTRIBUTE) *ret;
188 attr = X509_ATTRIBUTE_create_by_txt(NULL, attrname, type, bytes, len);
189 if(!attr) return 0;
190 ret = X509at_add1_attr(x, attr);
191 X509_ATTRIBUTE_free(attr);
192 return ret;
193}
194
195void *X509at_get0_data_by_OBJ(STACK_OF(X509_ATTRIBUTE) *x,
196 ASN1_OBJECT *obj, int lastpos, int type)
197{
198 int i;
199 X509_ATTRIBUTE *at;
200 i = X509at_get_attr_by_OBJ(x, obj, lastpos);
201 if (i == -1)
202 return NULL;
203 if ((lastpos <= -2) && (X509at_get_attr_by_OBJ(x, obj, i) != -1))
204 return NULL;
205 at = X509at_get_attr(x, i);
206 if (lastpos <= -3 && (X509_ATTRIBUTE_count(at) != 1))
207 return NULL;
208 return X509_ATTRIBUTE_get0_data(at, 0, type, NULL);
209}
210
211X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
212 int atrtype, const void *data, int len)
213{
214 ASN1_OBJECT *obj;
215 X509_ATTRIBUTE *ret;
216
217 obj=OBJ_nid2obj(nid);
218 if (obj == NULL)
219 {
220 X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_NID,X509_R_UNKNOWN_NID);
221 return(NULL);
222 }
223 ret=X509_ATTRIBUTE_create_by_OBJ(attr,obj,atrtype,data,len);
224 if (ret == NULL) ASN1_OBJECT_free(obj);
225 return(ret);
226}
227
228X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
229 const ASN1_OBJECT *obj, int atrtype, const void *data, int len)
230{
231 X509_ATTRIBUTE *ret;
232
233 if ((attr == NULL) || (*attr == NULL))
234 {
235 if ((ret=X509_ATTRIBUTE_new()) == NULL)
236 {
237 X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE);
238 return(NULL);
239 }
240 }
241 else
242 ret= *attr;
243
244 if (!X509_ATTRIBUTE_set1_object(ret,obj))
245 goto err;
246 if (!X509_ATTRIBUTE_set1_data(ret,atrtype,data,len))
247 goto err;
248
249 if ((attr != NULL) && (*attr == NULL)) *attr=ret;
250 return(ret);
251err:
252 if ((attr == NULL) || (ret != *attr))
253 X509_ATTRIBUTE_free(ret);
254 return(NULL);
255}
256
257X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
258 const char *atrname, int type, const unsigned char *bytes, int len)
259 {
260 ASN1_OBJECT *obj;
261 X509_ATTRIBUTE *nattr;
262
263 obj=OBJ_txt2obj(atrname, 0);
264 if (obj == NULL)
265 {
266 X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_TXT,
267 X509_R_INVALID_FIELD_NAME);
268 ERR_add_error_data(2, "name=", atrname);
269 return(NULL);
270 }
271 nattr = X509_ATTRIBUTE_create_by_OBJ(attr,obj,type,bytes,len);
272 ASN1_OBJECT_free(obj);
273 return nattr;
274 }
275
276int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj)
277{
278 if ((attr == NULL) || (obj == NULL))
279 return(0);
280 ASN1_OBJECT_free(attr->object);
281 attr->object=OBJ_dup(obj);
282 return(1);
283}
284
285int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *data, int len)
286{
287 ASN1_TYPE *ttmp;
288 ASN1_STRING *stmp = NULL;
289 int atype = 0;
290 if (!attr) return 0;
291 if(attrtype & MBSTRING_FLAG) {
292 stmp = ASN1_STRING_set_by_NID(NULL, data, len, attrtype,
293 OBJ_obj2nid(attr->object));
294 if(!stmp) {
295 X509err(X509_F_X509_ATTRIBUTE_SET1_DATA, ERR_R_ASN1_LIB);
296 return 0;
297 }
298 atype = stmp->type;
299 } else if (len != -1){
300 if(!(stmp = ASN1_STRING_type_new(attrtype))) goto err;
301 if(!ASN1_STRING_set(stmp, data, len)) goto err;
302 atype = attrtype;
303 }
304 if(!(attr->value.set = sk_ASN1_TYPE_new_null())) goto err;
305 attr->single = 0;
306 /* This is a bit naughty because the attribute should really have
307 * at least one value but some types use and zero length SET and
308 * require this.
309 */
310 if (attrtype == 0)
311 return 1;
312 if(!(ttmp = ASN1_TYPE_new())) goto err;
313 if ((len == -1) && !(attrtype & MBSTRING_FLAG))
314 {
315 if (!ASN1_TYPE_set1(ttmp, attrtype, data))
316 goto err;
317 }
318 else
319 ASN1_TYPE_set(ttmp, atype, stmp);
320 if(!sk_ASN1_TYPE_push(attr->value.set, ttmp)) goto err;
321 return 1;
322 err:
323 X509err(X509_F_X509_ATTRIBUTE_SET1_DATA, ERR_R_MALLOC_FAILURE);
324 return 0;
325}
326
327int X509_ATTRIBUTE_count(X509_ATTRIBUTE *attr)
328{
329 if(!attr->single) return sk_ASN1_TYPE_num(attr->value.set);
330 if(attr->value.single) return 1;
331 return 0;
332}
333
334ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr)
335{
336 if (attr == NULL) return(NULL);
337 return(attr->object);
338}
339
340void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx,
341 int atrtype, void *data)
342{
343 ASN1_TYPE *ttmp;
344 ttmp = X509_ATTRIBUTE_get0_type(attr, idx);
345 if(!ttmp) return NULL;
346 if(atrtype != ASN1_TYPE_get(ttmp)){
347 X509err(X509_F_X509_ATTRIBUTE_GET0_DATA, X509_R_WRONG_TYPE);
348 return NULL;
349 }
350 return ttmp->value.ptr;
351}
352
353ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx)
354{
355 if (attr == NULL) return(NULL);
356 if(idx >= X509_ATTRIBUTE_count(attr)) return NULL;
357 if(!attr->single) return sk_ASN1_TYPE_value(attr->value.set, idx);
358 else return attr->value.single;
359}
diff --git a/src/lib/libcrypto/x509/x509_cmp.c b/src/lib/libcrypto/x509/x509_cmp.c
new file mode 100644
index 0000000000..4bc9da07e0
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_cmp.c
@@ -0,0 +1,331 @@
1/* crypto/x509/x509_cmp.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <ctype.h>
61#include "cryptlib.h"
62#include <openssl/asn1.h>
63#include <openssl/objects.h>
64#include <openssl/x509.h>
65#include <openssl/x509v3.h>
66
67int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b)
68 {
69 int i;
70 X509_CINF *ai,*bi;
71
72 ai=a->cert_info;
73 bi=b->cert_info;
74 i=M_ASN1_INTEGER_cmp(ai->serialNumber,bi->serialNumber);
75 if (i) return(i);
76 return(X509_NAME_cmp(ai->issuer,bi->issuer));
77 }
78
79#ifndef OPENSSL_NO_MD5
80unsigned long X509_issuer_and_serial_hash(X509 *a)
81 {
82 unsigned long ret=0;
83 EVP_MD_CTX ctx;
84 unsigned char md[16];
85 char *f;
86
87 EVP_MD_CTX_init(&ctx);
88 f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
89 ret=strlen(f);
90 EVP_DigestInit_ex(&ctx, EVP_md5(), NULL);
91 EVP_DigestUpdate(&ctx,(unsigned char *)f,ret);
92 OPENSSL_free(f);
93 EVP_DigestUpdate(&ctx,(unsigned char *)a->cert_info->serialNumber->data,
94 (unsigned long)a->cert_info->serialNumber->length);
95 EVP_DigestFinal_ex(&ctx,&(md[0]),NULL);
96 ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
97 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
98 )&0xffffffffL;
99 EVP_MD_CTX_cleanup(&ctx);
100 return(ret);
101 }
102#endif
103
104int X509_issuer_name_cmp(const X509 *a, const X509 *b)
105 {
106 return(X509_NAME_cmp(a->cert_info->issuer,b->cert_info->issuer));
107 }
108
109int X509_subject_name_cmp(const X509 *a, const X509 *b)
110 {
111 return(X509_NAME_cmp(a->cert_info->subject,b->cert_info->subject));
112 }
113
114int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b)
115 {
116 return(X509_NAME_cmp(a->crl->issuer,b->crl->issuer));
117 }
118
119#ifndef OPENSSL_NO_SHA
120int X509_CRL_match(const X509_CRL *a, const X509_CRL *b)
121 {
122 return memcmp(a->sha1_hash, b->sha1_hash, 20);
123 }
124#endif
125
126X509_NAME *X509_get_issuer_name(X509 *a)
127 {
128 return(a->cert_info->issuer);
129 }
130
131unsigned long X509_issuer_name_hash(X509 *x)
132 {
133 return(X509_NAME_hash(x->cert_info->issuer));
134 }
135
136#ifndef OPENSSL_NO_MD5
137unsigned long X509_issuer_name_hash_old(X509 *x)
138 {
139 return(X509_NAME_hash_old(x->cert_info->issuer));
140 }
141#endif
142
143X509_NAME *X509_get_subject_name(X509 *a)
144 {
145 return(a->cert_info->subject);
146 }
147
148ASN1_INTEGER *X509_get_serialNumber(X509 *a)
149 {
150 return(a->cert_info->serialNumber);
151 }
152
153unsigned long X509_subject_name_hash(X509 *x)
154 {
155 return(X509_NAME_hash(x->cert_info->subject));
156 }
157
158#ifndef OPENSSL_NO_MD5
159unsigned long X509_subject_name_hash_old(X509 *x)
160 {
161 return(X509_NAME_hash_old(x->cert_info->subject));
162 }
163#endif
164
165#ifndef OPENSSL_NO_SHA
166/* Compare two certificates: they must be identical for
167 * this to work. NB: Although "cmp" operations are generally
168 * prototyped to take "const" arguments (eg. for use in
169 * STACKs), the way X509 handling is - these operations may
170 * involve ensuring the hashes are up-to-date and ensuring
171 * certain cert information is cached. So this is the point
172 * where the "depth-first" constification tree has to halt
173 * with an evil cast.
174 */
175int X509_cmp(const X509 *a, const X509 *b)
176{
177 /* ensure hash is valid */
178 X509_check_purpose((X509 *)a, -1, 0);
179 X509_check_purpose((X509 *)b, -1, 0);
180
181 return memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH);
182}
183#endif
184
185
186int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
187 {
188 int ret;
189
190 /* Ensure canonical encoding is present and up to date */
191
192 if (!a->canon_enc || a->modified)
193 {
194 ret = i2d_X509_NAME((X509_NAME *)a, NULL);
195 if (ret < 0)
196 return -2;
197 }
198
199 if (!b->canon_enc || b->modified)
200 {
201 ret = i2d_X509_NAME((X509_NAME *)b, NULL);
202 if (ret < 0)
203 return -2;
204 }
205
206 ret = a->canon_enclen - b->canon_enclen;
207
208 if (ret)
209 return ret;
210
211 return memcmp(a->canon_enc, b->canon_enc, a->canon_enclen);
212
213 }
214
215unsigned long X509_NAME_hash(X509_NAME *x)
216 {
217 unsigned long ret=0;
218 unsigned char md[SHA_DIGEST_LENGTH];
219
220 /* Make sure X509_NAME structure contains valid cached encoding */
221 i2d_X509_NAME(x,NULL);
222 EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, EVP_sha1(), NULL);
223
224 ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
225 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
226 )&0xffffffffL;
227 return(ret);
228 }
229
230
231#ifndef OPENSSL_NO_MD5
232/* I now DER encode the name and hash it. Since I cache the DER encoding,
233 * this is reasonably efficient. */
234
235unsigned long X509_NAME_hash_old(X509_NAME *x)
236 {
237 unsigned long ret=0;
238 unsigned char md[16];
239
240 /* Make sure X509_NAME structure contains valid cached encoding */
241 i2d_X509_NAME(x,NULL);
242 EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL);
243
244 ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
245 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
246 )&0xffffffffL;
247 return(ret);
248 }
249#endif
250
251/* Search a stack of X509 for a match */
252X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name,
253 ASN1_INTEGER *serial)
254 {
255 int i;
256 X509_CINF cinf;
257 X509 x,*x509=NULL;
258
259 if(!sk) return NULL;
260
261 x.cert_info= &cinf;
262 cinf.serialNumber=serial;
263 cinf.issuer=name;
264
265 for (i=0; i<sk_X509_num(sk); i++)
266 {
267 x509=sk_X509_value(sk,i);
268 if (X509_issuer_and_serial_cmp(x509,&x) == 0)
269 return(x509);
270 }
271 return(NULL);
272 }
273
274X509 *X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name)
275 {
276 X509 *x509;
277 int i;
278
279 for (i=0; i<sk_X509_num(sk); i++)
280 {
281 x509=sk_X509_value(sk,i);
282 if (X509_NAME_cmp(X509_get_subject_name(x509),name) == 0)
283 return(x509);
284 }
285 return(NULL);
286 }
287
288EVP_PKEY *X509_get_pubkey(X509 *x)
289 {
290 if ((x == NULL) || (x->cert_info == NULL))
291 return(NULL);
292 return(X509_PUBKEY_get(x->cert_info->key));
293 }
294
295ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x)
296 {
297 if(!x) return NULL;
298 return x->cert_info->key->public_key;
299 }
300
301int X509_check_private_key(X509 *x, EVP_PKEY *k)
302 {
303 EVP_PKEY *xk;
304 int ret;
305
306 xk=X509_get_pubkey(x);
307
308 if (xk)
309 ret = EVP_PKEY_cmp(xk, k);
310 else
311 ret = -2;
312
313 switch (ret)
314 {
315 case 1:
316 break;
317 case 0:
318 X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH);
319 break;
320 case -1:
321 X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_TYPE_MISMATCH);
322 break;
323 case -2:
324 X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE);
325 }
326 if (xk)
327 EVP_PKEY_free(xk);
328 if (ret > 0)
329 return 1;
330 return 0;
331 }
diff --git a/src/lib/libcrypto/x509/x509_d2.c b/src/lib/libcrypto/x509/x509_d2.c
new file mode 100644
index 0000000000..51410cfd1a
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_d2.c
@@ -0,0 +1,107 @@
1/* crypto/x509/x509_d2.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/crypto.h>
62#include <openssl/x509.h>
63
64#ifndef OPENSSL_NO_STDIO
65int X509_STORE_set_default_paths(X509_STORE *ctx)
66 {
67 X509_LOOKUP *lookup;
68
69 lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file());
70 if (lookup == NULL) return(0);
71 X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
72
73 lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_hash_dir());
74 if (lookup == NULL) return(0);
75 X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
76
77 /* clear any errors */
78 ERR_clear_error();
79
80 return(1);
81 }
82
83int X509_STORE_load_locations(X509_STORE *ctx, const char *file,
84 const char *path)
85 {
86 X509_LOOKUP *lookup;
87
88 if (file != NULL)
89 {
90 lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file());
91 if (lookup == NULL) return(0);
92 if (X509_LOOKUP_load_file(lookup,file,X509_FILETYPE_PEM) != 1)
93 return(0);
94 }
95 if (path != NULL)
96 {
97 lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_hash_dir());
98 if (lookup == NULL) return(0);
99 if (X509_LOOKUP_add_dir(lookup,path,X509_FILETYPE_PEM) != 1)
100 return(0);
101 }
102 if ((path == NULL) && (file == NULL))
103 return(0);
104 return(1);
105 }
106
107#endif
diff --git a/src/lib/libcrypto/x509/x509_def.c b/src/lib/libcrypto/x509/x509_def.c
new file mode 100644
index 0000000000..e0ac151a76
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_def.c
@@ -0,0 +1,81 @@
1/* crypto/x509/x509_def.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/crypto.h>
62#include <openssl/x509.h>
63
64const char *X509_get_default_private_dir(void)
65 { return(X509_PRIVATE_DIR); }
66
67const char *X509_get_default_cert_area(void)
68 { return(X509_CERT_AREA); }
69
70const char *X509_get_default_cert_dir(void)
71 { return(X509_CERT_DIR); }
72
73const char *X509_get_default_cert_file(void)
74 { return(X509_CERT_FILE); }
75
76const char *X509_get_default_cert_dir_env(void)
77 { return(X509_CERT_DIR_EVP); }
78
79const char *X509_get_default_cert_file_env(void)
80 { return(X509_CERT_FILE_EVP); }
81
diff --git a/src/lib/libcrypto/x509/x509_err.c b/src/lib/libcrypto/x509/x509_err.c
new file mode 100644
index 0000000000..a01402f416
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_err.c
@@ -0,0 +1,164 @@
1/* crypto/x509/x509_err.c */
2/* ====================================================================
3 * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@OpenSSL.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56/* NOTE: this file was auto generated by the mkerr.pl script: any changes
57 * made to it will be overwritten when the script next updates this file,
58 * only reason strings will be preserved.
59 */
60
61#include <stdio.h>
62#include <openssl/err.h>
63#include <openssl/x509.h>
64
65/* BEGIN ERROR CODES */
66#ifndef OPENSSL_NO_ERR
67
68#define ERR_FUNC(func) ERR_PACK(ERR_LIB_X509,func,0)
69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509,0,reason)
70
71static ERR_STRING_DATA X509_str_functs[]=
72 {
73{ERR_FUNC(X509_F_ADD_CERT_DIR), "ADD_CERT_DIR"},
74{ERR_FUNC(X509_F_BY_FILE_CTRL), "BY_FILE_CTRL"},
75{ERR_FUNC(X509_F_CHECK_POLICY), "CHECK_POLICY"},
76{ERR_FUNC(X509_F_DIR_CTRL), "DIR_CTRL"},
77{ERR_FUNC(X509_F_GET_CERT_BY_SUBJECT), "GET_CERT_BY_SUBJECT"},
78{ERR_FUNC(X509_F_NETSCAPE_SPKI_B64_DECODE), "NETSCAPE_SPKI_b64_decode"},
79{ERR_FUNC(X509_F_NETSCAPE_SPKI_B64_ENCODE), "NETSCAPE_SPKI_b64_encode"},
80{ERR_FUNC(X509_F_X509AT_ADD1_ATTR), "X509at_add1_attr"},
81{ERR_FUNC(X509_F_X509V3_ADD_EXT), "X509v3_add_ext"},
82{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_NID), "X509_ATTRIBUTE_create_by_NID"},
83{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ), "X509_ATTRIBUTE_create_by_OBJ"},
84{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_TXT), "X509_ATTRIBUTE_create_by_txt"},
85{ERR_FUNC(X509_F_X509_ATTRIBUTE_GET0_DATA), "X509_ATTRIBUTE_get0_data"},
86{ERR_FUNC(X509_F_X509_ATTRIBUTE_SET1_DATA), "X509_ATTRIBUTE_set1_data"},
87{ERR_FUNC(X509_F_X509_CHECK_PRIVATE_KEY), "X509_check_private_key"},
88{ERR_FUNC(X509_F_X509_CRL_PRINT_FP), "X509_CRL_print_fp"},
89{ERR_FUNC(X509_F_X509_EXTENSION_CREATE_BY_NID), "X509_EXTENSION_create_by_NID"},
90{ERR_FUNC(X509_F_X509_EXTENSION_CREATE_BY_OBJ), "X509_EXTENSION_create_by_OBJ"},
91{ERR_FUNC(X509_F_X509_GET_PUBKEY_PARAMETERS), "X509_get_pubkey_parameters"},
92{ERR_FUNC(X509_F_X509_LOAD_CERT_CRL_FILE), "X509_load_cert_crl_file"},
93{ERR_FUNC(X509_F_X509_LOAD_CERT_FILE), "X509_load_cert_file"},
94{ERR_FUNC(X509_F_X509_LOAD_CRL_FILE), "X509_load_crl_file"},
95{ERR_FUNC(X509_F_X509_NAME_ADD_ENTRY), "X509_NAME_add_entry"},
96{ERR_FUNC(X509_F_X509_NAME_ENTRY_CREATE_BY_NID), "X509_NAME_ENTRY_create_by_NID"},
97{ERR_FUNC(X509_F_X509_NAME_ENTRY_CREATE_BY_TXT), "X509_NAME_ENTRY_create_by_txt"},
98{ERR_FUNC(X509_F_X509_NAME_ENTRY_SET_OBJECT), "X509_NAME_ENTRY_set_object"},
99{ERR_FUNC(X509_F_X509_NAME_ONELINE), "X509_NAME_oneline"},
100{ERR_FUNC(X509_F_X509_NAME_PRINT), "X509_NAME_print"},
101{ERR_FUNC(X509_F_X509_PRINT_EX_FP), "X509_print_ex_fp"},
102{ERR_FUNC(X509_F_X509_PUBKEY_GET), "X509_PUBKEY_get"},
103{ERR_FUNC(X509_F_X509_PUBKEY_SET), "X509_PUBKEY_set"},
104{ERR_FUNC(X509_F_X509_REQ_CHECK_PRIVATE_KEY), "X509_REQ_check_private_key"},
105{ERR_FUNC(X509_F_X509_REQ_PRINT_EX), "X509_REQ_print_ex"},
106{ERR_FUNC(X509_F_X509_REQ_PRINT_FP), "X509_REQ_print_fp"},
107{ERR_FUNC(X509_F_X509_REQ_TO_X509), "X509_REQ_to_X509"},
108{ERR_FUNC(X509_F_X509_STORE_ADD_CERT), "X509_STORE_add_cert"},
109{ERR_FUNC(X509_F_X509_STORE_ADD_CRL), "X509_STORE_add_crl"},
110{ERR_FUNC(X509_F_X509_STORE_CTX_GET1_ISSUER), "X509_STORE_CTX_get1_issuer"},
111{ERR_FUNC(X509_F_X509_STORE_CTX_INIT), "X509_STORE_CTX_init"},
112{ERR_FUNC(X509_F_X509_STORE_CTX_NEW), "X509_STORE_CTX_new"},
113{ERR_FUNC(X509_F_X509_STORE_CTX_PURPOSE_INHERIT), "X509_STORE_CTX_purpose_inherit"},
114{ERR_FUNC(X509_F_X509_TO_X509_REQ), "X509_to_X509_REQ"},
115{ERR_FUNC(X509_F_X509_TRUST_ADD), "X509_TRUST_add"},
116{ERR_FUNC(X509_F_X509_TRUST_SET), "X509_TRUST_set"},
117{ERR_FUNC(X509_F_X509_VERIFY_CERT), "X509_verify_cert"},
118{0,NULL}
119 };
120
121static ERR_STRING_DATA X509_str_reasons[]=
122 {
123{ERR_REASON(X509_R_BAD_X509_FILETYPE) ,"bad x509 filetype"},
124{ERR_REASON(X509_R_BASE64_DECODE_ERROR) ,"base64 decode error"},
125{ERR_REASON(X509_R_CANT_CHECK_DH_KEY) ,"cant check dh key"},
126{ERR_REASON(X509_R_CERT_ALREADY_IN_HASH_TABLE),"cert already in hash table"},
127{ERR_REASON(X509_R_ERR_ASN1_LIB) ,"err asn1 lib"},
128{ERR_REASON(X509_R_INVALID_DIRECTORY) ,"invalid directory"},
129{ERR_REASON(X509_R_INVALID_FIELD_NAME) ,"invalid field name"},
130{ERR_REASON(X509_R_INVALID_TRUST) ,"invalid trust"},
131{ERR_REASON(X509_R_KEY_TYPE_MISMATCH) ,"key type mismatch"},
132{ERR_REASON(X509_R_KEY_VALUES_MISMATCH) ,"key values mismatch"},
133{ERR_REASON(X509_R_LOADING_CERT_DIR) ,"loading cert dir"},
134{ERR_REASON(X509_R_LOADING_DEFAULTS) ,"loading defaults"},
135{ERR_REASON(X509_R_METHOD_NOT_SUPPORTED) ,"method not supported"},
136{ERR_REASON(X509_R_NO_CERT_SET_FOR_US_TO_VERIFY),"no cert set for us to verify"},
137{ERR_REASON(X509_R_PUBLIC_KEY_DECODE_ERROR),"public key decode error"},
138{ERR_REASON(X509_R_PUBLIC_KEY_ENCODE_ERROR),"public key encode error"},
139{ERR_REASON(X509_R_SHOULD_RETRY) ,"should retry"},
140{ERR_REASON(X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN),"unable to find parameters in chain"},
141{ERR_REASON(X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY),"unable to get certs public key"},
142{ERR_REASON(X509_R_UNKNOWN_KEY_TYPE) ,"unknown key type"},
143{ERR_REASON(X509_R_UNKNOWN_NID) ,"unknown nid"},
144{ERR_REASON(X509_R_UNKNOWN_PURPOSE_ID) ,"unknown purpose id"},
145{ERR_REASON(X509_R_UNKNOWN_TRUST_ID) ,"unknown trust id"},
146{ERR_REASON(X509_R_UNSUPPORTED_ALGORITHM),"unsupported algorithm"},
147{ERR_REASON(X509_R_WRONG_LOOKUP_TYPE) ,"wrong lookup type"},
148{ERR_REASON(X509_R_WRONG_TYPE) ,"wrong type"},
149{0,NULL}
150 };
151
152#endif
153
154void ERR_load_X509_strings(void)
155 {
156#ifndef OPENSSL_NO_ERR
157
158 if (ERR_func_error_string(X509_str_functs[0].error) == NULL)
159 {
160 ERR_load_strings(0,X509_str_functs);
161 ERR_load_strings(0,X509_str_reasons);
162 }
163#endif
164 }
diff --git a/src/lib/libcrypto/x509/x509_ext.c b/src/lib/libcrypto/x509/x509_ext.c
new file mode 100644
index 0000000000..e7fdacb5e4
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_ext.c
@@ -0,0 +1,210 @@
1/* crypto/x509/x509_ext.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/stack.h>
61#include "cryptlib.h"
62#include <openssl/asn1.h>
63#include <openssl/objects.h>
64#include <openssl/evp.h>
65#include <openssl/x509.h>
66#include <openssl/x509v3.h>
67
68
69int X509_CRL_get_ext_count(X509_CRL *x)
70 {
71 return(X509v3_get_ext_count(x->crl->extensions));
72 }
73
74int X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int lastpos)
75 {
76 return(X509v3_get_ext_by_NID(x->crl->extensions,nid,lastpos));
77 }
78
79int X509_CRL_get_ext_by_OBJ(X509_CRL *x, ASN1_OBJECT *obj, int lastpos)
80 {
81 return(X509v3_get_ext_by_OBJ(x->crl->extensions,obj,lastpos));
82 }
83
84int X509_CRL_get_ext_by_critical(X509_CRL *x, int crit, int lastpos)
85 {
86 return(X509v3_get_ext_by_critical(x->crl->extensions,crit,lastpos));
87 }
88
89X509_EXTENSION *X509_CRL_get_ext(X509_CRL *x, int loc)
90 {
91 return(X509v3_get_ext(x->crl->extensions,loc));
92 }
93
94X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc)
95 {
96 return(X509v3_delete_ext(x->crl->extensions,loc));
97 }
98
99void *X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx)
100{
101 return X509V3_get_d2i(x->crl->extensions, nid, crit, idx);
102}
103
104int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, int crit,
105 unsigned long flags)
106{
107 return X509V3_add1_i2d(&x->crl->extensions, nid, value, crit, flags);
108}
109
110int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc)
111 {
112 return(X509v3_add_ext(&(x->crl->extensions),ex,loc) != NULL);
113 }
114
115int X509_get_ext_count(X509 *x)
116 {
117 return(X509v3_get_ext_count(x->cert_info->extensions));
118 }
119
120int X509_get_ext_by_NID(X509 *x, int nid, int lastpos)
121 {
122 return(X509v3_get_ext_by_NID(x->cert_info->extensions,nid,lastpos));
123 }
124
125int X509_get_ext_by_OBJ(X509 *x, ASN1_OBJECT *obj, int lastpos)
126 {
127 return(X509v3_get_ext_by_OBJ(x->cert_info->extensions,obj,lastpos));
128 }
129
130int X509_get_ext_by_critical(X509 *x, int crit, int lastpos)
131 {
132 return(X509v3_get_ext_by_critical(x->cert_info->extensions,crit,lastpos));
133 }
134
135X509_EXTENSION *X509_get_ext(X509 *x, int loc)
136 {
137 return(X509v3_get_ext(x->cert_info->extensions,loc));
138 }
139
140X509_EXTENSION *X509_delete_ext(X509 *x, int loc)
141 {
142 return(X509v3_delete_ext(x->cert_info->extensions,loc));
143 }
144
145int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc)
146 {
147 return(X509v3_add_ext(&(x->cert_info->extensions),ex,loc) != NULL);
148 }
149
150void *X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx)
151{
152 return X509V3_get_d2i(x->cert_info->extensions, nid, crit, idx);
153}
154
155int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
156 unsigned long flags)
157{
158 return X509V3_add1_i2d(&x->cert_info->extensions, nid, value, crit,
159 flags);
160}
161
162int X509_REVOKED_get_ext_count(X509_REVOKED *x)
163 {
164 return(X509v3_get_ext_count(x->extensions));
165 }
166
167int X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int lastpos)
168 {
169 return(X509v3_get_ext_by_NID(x->extensions,nid,lastpos));
170 }
171
172int X509_REVOKED_get_ext_by_OBJ(X509_REVOKED *x, ASN1_OBJECT *obj,
173 int lastpos)
174 {
175 return(X509v3_get_ext_by_OBJ(x->extensions,obj,lastpos));
176 }
177
178int X509_REVOKED_get_ext_by_critical(X509_REVOKED *x, int crit, int lastpos)
179 {
180 return(X509v3_get_ext_by_critical(x->extensions,crit,lastpos));
181 }
182
183X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *x, int loc)
184 {
185 return(X509v3_get_ext(x->extensions,loc));
186 }
187
188X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc)
189 {
190 return(X509v3_delete_ext(x->extensions,loc));
191 }
192
193int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc)
194 {
195 return(X509v3_add_ext(&(x->extensions),ex,loc) != NULL);
196 }
197
198void *X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx)
199{
200 return X509V3_get_d2i(x->extensions, nid, crit, idx);
201}
202
203int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, void *value, int crit,
204 unsigned long flags)
205{
206 return X509V3_add1_i2d(&x->extensions, nid, value, crit, flags);
207}
208
209IMPLEMENT_STACK_OF(X509_EXTENSION)
210IMPLEMENT_ASN1_SET_OF(X509_EXTENSION)
diff --git a/src/lib/libcrypto/x509/x509_lu.c b/src/lib/libcrypto/x509/x509_lu.c
new file mode 100644
index 0000000000..3a6e04a1de
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_lu.c
@@ -0,0 +1,716 @@
1/* crypto/x509/x509_lu.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/lhash.h>
62#include <openssl/x509.h>
63#include <openssl/x509v3.h>
64
65X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
66 {
67 X509_LOOKUP *ret;
68
69 ret=(X509_LOOKUP *)OPENSSL_malloc(sizeof(X509_LOOKUP));
70 if (ret == NULL) return NULL;
71
72 ret->init=0;
73 ret->skip=0;
74 ret->method=method;
75 ret->method_data=NULL;
76 ret->store_ctx=NULL;
77 if ((method->new_item != NULL) && !method->new_item(ret))
78 {
79 OPENSSL_free(ret);
80 return NULL;
81 }
82 return ret;
83 }
84
85void X509_LOOKUP_free(X509_LOOKUP *ctx)
86 {
87 if (ctx == NULL) return;
88 if ( (ctx->method != NULL) &&
89 (ctx->method->free != NULL))
90 ctx->method->free(ctx);
91 OPENSSL_free(ctx);
92 }
93
94int X509_LOOKUP_init(X509_LOOKUP *ctx)
95 {
96 if (ctx->method == NULL) return 0;
97 if (ctx->method->init != NULL)
98 return ctx->method->init(ctx);
99 else
100 return 1;
101 }
102
103int X509_LOOKUP_shutdown(X509_LOOKUP *ctx)
104 {
105 if (ctx->method == NULL) return 0;
106 if (ctx->method->shutdown != NULL)
107 return ctx->method->shutdown(ctx);
108 else
109 return 1;
110 }
111
112int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
113 char **ret)
114 {
115 if (ctx->method == NULL) return -1;
116 if (ctx->method->ctrl != NULL)
117 return ctx->method->ctrl(ctx,cmd,argc,argl,ret);
118 else
119 return 1;
120 }
121
122int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,
123 X509_OBJECT *ret)
124 {
125 if ((ctx->method == NULL) || (ctx->method->get_by_subject == NULL))
126 return X509_LU_FAIL;
127 if (ctx->skip) return 0;
128 return ctx->method->get_by_subject(ctx,type,name,ret);
129 }
130
131int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name,
132 ASN1_INTEGER *serial, X509_OBJECT *ret)
133 {
134 if ((ctx->method == NULL) ||
135 (ctx->method->get_by_issuer_serial == NULL))
136 return X509_LU_FAIL;
137 return ctx->method->get_by_issuer_serial(ctx,type,name,serial,ret);
138 }
139
140int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type,
141 unsigned char *bytes, int len, X509_OBJECT *ret)
142 {
143 if ((ctx->method == NULL) || (ctx->method->get_by_fingerprint == NULL))
144 return X509_LU_FAIL;
145 return ctx->method->get_by_fingerprint(ctx,type,bytes,len,ret);
146 }
147
148int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, int len,
149 X509_OBJECT *ret)
150 {
151 if ((ctx->method == NULL) || (ctx->method->get_by_alias == NULL))
152 return X509_LU_FAIL;
153 return ctx->method->get_by_alias(ctx,type,str,len,ret);
154 }
155
156
157static int x509_object_cmp(const X509_OBJECT * const *a, const X509_OBJECT * const *b)
158 {
159 int ret;
160
161 ret=((*a)->type - (*b)->type);
162 if (ret) return ret;
163 switch ((*a)->type)
164 {
165 case X509_LU_X509:
166 ret=X509_subject_name_cmp((*a)->data.x509,(*b)->data.x509);
167 break;
168 case X509_LU_CRL:
169 ret=X509_CRL_cmp((*a)->data.crl,(*b)->data.crl);
170 break;
171 default:
172 /* abort(); */
173 return 0;
174 }
175 return ret;
176 }
177
178X509_STORE *X509_STORE_new(void)
179 {
180 X509_STORE *ret;
181
182 if ((ret=(X509_STORE *)OPENSSL_malloc(sizeof(X509_STORE))) == NULL)
183 return NULL;
184 ret->objs = sk_X509_OBJECT_new(x509_object_cmp);
185 ret->cache=1;
186 ret->get_cert_methods=sk_X509_LOOKUP_new_null();
187 ret->verify=0;
188 ret->verify_cb=0;
189
190 if ((ret->param = X509_VERIFY_PARAM_new()) == NULL)
191 return NULL;
192
193 ret->get_issuer = 0;
194 ret->check_issued = 0;
195 ret->check_revocation = 0;
196 ret->get_crl = 0;
197 ret->check_crl = 0;
198 ret->cert_crl = 0;
199 ret->lookup_certs = 0;
200 ret->lookup_crls = 0;
201 ret->cleanup = 0;
202
203 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data))
204 {
205 sk_X509_OBJECT_free(ret->objs);
206 OPENSSL_free(ret);
207 return NULL;
208 }
209
210 ret->references=1;
211 return ret;
212 }
213
214static void cleanup(X509_OBJECT *a)
215 {
216 if (a->type == X509_LU_X509)
217 {
218 X509_free(a->data.x509);
219 }
220 else if (a->type == X509_LU_CRL)
221 {
222 X509_CRL_free(a->data.crl);
223 }
224 else
225 {
226 /* abort(); */
227 }
228
229 OPENSSL_free(a);
230 }
231
232void X509_STORE_free(X509_STORE *vfy)
233 {
234 int i;
235 STACK_OF(X509_LOOKUP) *sk;
236 X509_LOOKUP *lu;
237
238 if (vfy == NULL)
239 return;
240
241 sk=vfy->get_cert_methods;
242 for (i=0; i<sk_X509_LOOKUP_num(sk); i++)
243 {
244 lu=sk_X509_LOOKUP_value(sk,i);
245 X509_LOOKUP_shutdown(lu);
246 X509_LOOKUP_free(lu);
247 }
248 sk_X509_LOOKUP_free(sk);
249 sk_X509_OBJECT_pop_free(vfy->objs, cleanup);
250
251 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE, vfy, &vfy->ex_data);
252 if (vfy->param)
253 X509_VERIFY_PARAM_free(vfy->param);
254 OPENSSL_free(vfy);
255 }
256
257X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m)
258 {
259 int i;
260 STACK_OF(X509_LOOKUP) *sk;
261 X509_LOOKUP *lu;
262
263 sk=v->get_cert_methods;
264 for (i=0; i<sk_X509_LOOKUP_num(sk); i++)
265 {
266 lu=sk_X509_LOOKUP_value(sk,i);
267 if (m == lu->method)
268 {
269 return lu;
270 }
271 }
272 /* a new one */
273 lu=X509_LOOKUP_new(m);
274 if (lu == NULL)
275 return NULL;
276 else
277 {
278 lu->store_ctx=v;
279 if (sk_X509_LOOKUP_push(v->get_cert_methods,lu))
280 return lu;
281 else
282 {
283 X509_LOOKUP_free(lu);
284 return NULL;
285 }
286 }
287 }
288
289int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
290 X509_OBJECT *ret)
291 {
292 X509_STORE *ctx=vs->ctx;
293 X509_LOOKUP *lu;
294 X509_OBJECT stmp,*tmp;
295 int i,j;
296
297 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
298 tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name);
299 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
300
301 if (tmp == NULL || type == X509_LU_CRL)
302 {
303 for (i=vs->current_method; i<sk_X509_LOOKUP_num(ctx->get_cert_methods); i++)
304 {
305 lu=sk_X509_LOOKUP_value(ctx->get_cert_methods,i);
306 j=X509_LOOKUP_by_subject(lu,type,name,&stmp);
307 if (j < 0)
308 {
309 vs->current_method=j;
310 return j;
311 }
312 else if (j)
313 {
314 tmp= &stmp;
315 break;
316 }
317 }
318 vs->current_method=0;
319 if (tmp == NULL)
320 return 0;
321 }
322
323/* if (ret->data.ptr != NULL)
324 X509_OBJECT_free_contents(ret); */
325
326 ret->type=tmp->type;
327 ret->data.ptr=tmp->data.ptr;
328
329 X509_OBJECT_up_ref_count(ret);
330
331 return 1;
332 }
333
334int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
335 {
336 X509_OBJECT *obj;
337 int ret=1;
338
339 if (x == NULL) return 0;
340 obj=(X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT));
341 if (obj == NULL)
342 {
343 X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE);
344 return 0;
345 }
346 obj->type=X509_LU_X509;
347 obj->data.x509=x;
348
349 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
350
351 X509_OBJECT_up_ref_count(obj);
352
353 if (X509_OBJECT_retrieve_match(ctx->objs, obj))
354 {
355 X509_OBJECT_free_contents(obj);
356 OPENSSL_free(obj);
357 X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE);
358 ret=0;
359 }
360 else sk_X509_OBJECT_push(ctx->objs, obj);
361
362 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
363
364 return ret;
365 }
366
367int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
368 {
369 X509_OBJECT *obj;
370 int ret=1;
371
372 if (x == NULL) return 0;
373 obj=(X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT));
374 if (obj == NULL)
375 {
376 X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE);
377 return 0;
378 }
379 obj->type=X509_LU_CRL;
380 obj->data.crl=x;
381
382 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
383
384 X509_OBJECT_up_ref_count(obj);
385
386 if (X509_OBJECT_retrieve_match(ctx->objs, obj))
387 {
388 X509_OBJECT_free_contents(obj);
389 OPENSSL_free(obj);
390 X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE);
391 ret=0;
392 }
393 else sk_X509_OBJECT_push(ctx->objs, obj);
394
395 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
396
397 return ret;
398 }
399
400void X509_OBJECT_up_ref_count(X509_OBJECT *a)
401 {
402 switch (a->type)
403 {
404 case X509_LU_X509:
405 CRYPTO_add(&a->data.x509->references,1,CRYPTO_LOCK_X509);
406 break;
407 case X509_LU_CRL:
408 CRYPTO_add(&a->data.crl->references,1,CRYPTO_LOCK_X509_CRL);
409 break;
410 }
411 }
412
413void X509_OBJECT_free_contents(X509_OBJECT *a)
414 {
415 switch (a->type)
416 {
417 case X509_LU_X509:
418 X509_free(a->data.x509);
419 break;
420 case X509_LU_CRL:
421 X509_CRL_free(a->data.crl);
422 break;
423 }
424 }
425
426static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type,
427 X509_NAME *name, int *pnmatch)
428 {
429 X509_OBJECT stmp;
430 X509 x509_s;
431 X509_CINF cinf_s;
432 X509_CRL crl_s;
433 X509_CRL_INFO crl_info_s;
434 int idx;
435
436 stmp.type=type;
437 switch (type)
438 {
439 case X509_LU_X509:
440 stmp.data.x509= &x509_s;
441 x509_s.cert_info= &cinf_s;
442 cinf_s.subject=name;
443 break;
444 case X509_LU_CRL:
445 stmp.data.crl= &crl_s;
446 crl_s.crl= &crl_info_s;
447 crl_info_s.issuer=name;
448 break;
449 default:
450 /* abort(); */
451 return -1;
452 }
453
454 idx = sk_X509_OBJECT_find(h,&stmp);
455 if (idx >= 0 && pnmatch)
456 {
457 int tidx;
458 const X509_OBJECT *tobj, *pstmp;
459 *pnmatch = 1;
460 pstmp = &stmp;
461 for (tidx = idx + 1; tidx < sk_X509_OBJECT_num(h); tidx++)
462 {
463 tobj = sk_X509_OBJECT_value(h, tidx);
464 if (x509_object_cmp(&tobj, &pstmp))
465 break;
466 (*pnmatch)++;
467 }
468 }
469 return idx;
470 }
471
472
473int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
474 X509_NAME *name)
475 {
476 return x509_object_idx_cnt(h, type, name, NULL);
477 }
478
479X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type,
480 X509_NAME *name)
481 {
482 int idx;
483 idx = X509_OBJECT_idx_by_subject(h, type, name);
484 if (idx==-1) return NULL;
485 return sk_X509_OBJECT_value(h, idx);
486 }
487
488STACK_OF(X509)* X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
489 {
490 int i, idx, cnt;
491 STACK_OF(X509) *sk;
492 X509 *x;
493 X509_OBJECT *obj;
494 sk = sk_X509_new_null();
495 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
496 idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);
497 if (idx < 0)
498 {
499 /* Nothing found in cache: do lookup to possibly add new
500 * objects to cache
501 */
502 X509_OBJECT xobj;
503 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
504 if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, nm, &xobj))
505 {
506 sk_X509_free(sk);
507 return NULL;
508 }
509 X509_OBJECT_free_contents(&xobj);
510 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
511 idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_X509,nm, &cnt);
512 if (idx < 0)
513 {
514 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
515 sk_X509_free(sk);
516 return NULL;
517 }
518 }
519 for (i = 0; i < cnt; i++, idx++)
520 {
521 obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
522 x = obj->data.x509;
523 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
524 if (!sk_X509_push(sk, x))
525 {
526 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
527 X509_free(x);
528 sk_X509_pop_free(sk, X509_free);
529 return NULL;
530 }
531 }
532 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
533 return sk;
534
535 }
536
537STACK_OF(X509_CRL)* X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
538 {
539 int i, idx, cnt;
540 STACK_OF(X509_CRL) *sk;
541 X509_CRL *x;
542 X509_OBJECT *obj, xobj;
543 sk = sk_X509_CRL_new_null();
544 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
545 /* Check cache first */
546 idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt);
547
548 /* Always do lookup to possibly add new CRLs to cache
549 */
550 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
551 if (!X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj))
552 {
553 sk_X509_CRL_free(sk);
554 return NULL;
555 }
556 X509_OBJECT_free_contents(&xobj);
557 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
558 idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_CRL, nm, &cnt);
559 if (idx < 0)
560 {
561 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
562 sk_X509_CRL_free(sk);
563 return NULL;
564 }
565
566 for (i = 0; i < cnt; i++, idx++)
567 {
568 obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
569 x = obj->data.crl;
570 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL);
571 if (!sk_X509_CRL_push(sk, x))
572 {
573 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
574 X509_CRL_free(x);
575 sk_X509_CRL_pop_free(sk, X509_CRL_free);
576 return NULL;
577 }
578 }
579 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
580 return sk;
581 }
582
583X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x)
584 {
585 int idx, i;
586 X509_OBJECT *obj;
587 idx = sk_X509_OBJECT_find(h, x);
588 if (idx == -1) return NULL;
589 if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL))
590 return sk_X509_OBJECT_value(h, idx);
591 for (i = idx; i < sk_X509_OBJECT_num(h); i++)
592 {
593 obj = sk_X509_OBJECT_value(h, i);
594 if (x509_object_cmp((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x))
595 return NULL;
596 if (x->type == X509_LU_X509)
597 {
598 if (!X509_cmp(obj->data.x509, x->data.x509))
599 return obj;
600 }
601 else if (x->type == X509_LU_CRL)
602 {
603 if (!X509_CRL_match(obj->data.crl, x->data.crl))
604 return obj;
605 }
606 else
607 return obj;
608 }
609 return NULL;
610 }
611
612
613/* Try to get issuer certificate from store. Due to limitations
614 * of the API this can only retrieve a single certificate matching
615 * a given subject name. However it will fill the cache with all
616 * matching certificates, so we can examine the cache for all
617 * matches.
618 *
619 * Return values are:
620 * 1 lookup successful.
621 * 0 certificate not found.
622 * -1 some other error.
623 */
624int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
625 {
626 X509_NAME *xn;
627 X509_OBJECT obj, *pobj;
628 int i, ok, idx, ret;
629 xn=X509_get_issuer_name(x);
630 ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
631 if (ok != X509_LU_X509)
632 {
633 if (ok == X509_LU_RETRY)
634 {
635 X509_OBJECT_free_contents(&obj);
636 X509err(X509_F_X509_STORE_CTX_GET1_ISSUER,X509_R_SHOULD_RETRY);
637 return -1;
638 }
639 else if (ok != X509_LU_FAIL)
640 {
641 X509_OBJECT_free_contents(&obj);
642 /* not good :-(, break anyway */
643 return -1;
644 }
645 return 0;
646 }
647 /* If certificate matches all OK */
648 if (ctx->check_issued(ctx, x, obj.data.x509))
649 {
650 *issuer = obj.data.x509;
651 return 1;
652 }
653 X509_OBJECT_free_contents(&obj);
654
655 /* Else find index of first cert accepted by 'check_issued' */
656 ret = 0;
657 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
658 idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
659 if (idx != -1) /* should be true as we've had at least one match */
660 {
661 /* Look through all matching certs for suitable issuer */
662 for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
663 {
664 pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
665 /* See if we've run past the matches */
666 if (pobj->type != X509_LU_X509)
667 break;
668 if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509)))
669 break;
670 if (ctx->check_issued(ctx, x, pobj->data.x509))
671 {
672 *issuer = pobj->data.x509;
673 X509_OBJECT_up_ref_count(pobj);
674 ret = 1;
675 break;
676 }
677 }
678 }
679 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
680 return ret;
681 }
682
683int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags)
684 {
685 return X509_VERIFY_PARAM_set_flags(ctx->param, flags);
686 }
687
688int X509_STORE_set_depth(X509_STORE *ctx, int depth)
689 {
690 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
691 return 1;
692 }
693
694int X509_STORE_set_purpose(X509_STORE *ctx, int purpose)
695 {
696 return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose);
697 }
698
699int X509_STORE_set_trust(X509_STORE *ctx, int trust)
700 {
701 return X509_VERIFY_PARAM_set_trust(ctx->param, trust);
702 }
703
704int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param)
705 {
706 return X509_VERIFY_PARAM_set1(ctx->param, param);
707 }
708
709void X509_STORE_set_verify_cb(X509_STORE *ctx,
710 int (*verify_cb)(int, X509_STORE_CTX *))
711 {
712 ctx->verify_cb = verify_cb;
713 }
714
715IMPLEMENT_STACK_OF(X509_LOOKUP)
716IMPLEMENT_STACK_OF(X509_OBJECT)
diff --git a/src/lib/libcrypto/x509/x509_obj.c b/src/lib/libcrypto/x509/x509_obj.c
new file mode 100644
index 0000000000..21fed9f838
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_obj.c
@@ -0,0 +1,226 @@
1/* crypto/x509/x509_obj.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/lhash.h>
62#include <openssl/objects.h>
63#include <openssl/x509.h>
64#include <openssl/buffer.h>
65
66char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
67 {
68 X509_NAME_ENTRY *ne;
69int i;
70 int n,lold,l,l1,l2,num,j,type;
71 const char *s;
72 char *p;
73 unsigned char *q;
74 BUF_MEM *b=NULL;
75 static const char hex[17]="0123456789ABCDEF";
76 int gs_doit[4];
77 char tmp_buf[80];
78#ifdef CHARSET_EBCDIC
79 char ebcdic_buf[1024];
80#endif
81
82 if (buf == NULL)
83 {
84 if ((b=BUF_MEM_new()) == NULL) goto err;
85 if (!BUF_MEM_grow(b,200)) goto err;
86 b->data[0]='\0';
87 len=200;
88 }
89 if (a == NULL)
90 {
91 if(b)
92 {
93 buf=b->data;
94 OPENSSL_free(b);
95 }
96 strncpy(buf,"NO X509_NAME",len);
97 buf[len-1]='\0';
98 return buf;
99 }
100
101 len--; /* space for '\0' */
102 l=0;
103 for (i=0; i<sk_X509_NAME_ENTRY_num(a->entries); i++)
104 {
105 ne=sk_X509_NAME_ENTRY_value(a->entries,i);
106 n=OBJ_obj2nid(ne->object);
107 if ((n == NID_undef) || ((s=OBJ_nid2sn(n)) == NULL))
108 {
109 i2t_ASN1_OBJECT(tmp_buf,sizeof(tmp_buf),ne->object);
110 s=tmp_buf;
111 }
112 l1=strlen(s);
113
114 type=ne->value->type;
115 num=ne->value->length;
116 q=ne->value->data;
117#ifdef CHARSET_EBCDIC
118 if (type == V_ASN1_GENERALSTRING ||
119 type == V_ASN1_VISIBLESTRING ||
120 type == V_ASN1_PRINTABLESTRING ||
121 type == V_ASN1_TELETEXSTRING ||
122 type == V_ASN1_VISIBLESTRING ||
123 type == V_ASN1_IA5STRING) {
124 ascii2ebcdic(ebcdic_buf, q,
125 (num > sizeof ebcdic_buf)
126 ? sizeof ebcdic_buf : num);
127 q=ebcdic_buf;
128 }
129#endif
130
131 if ((type == V_ASN1_GENERALSTRING) && ((num%4) == 0))
132 {
133 gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=0;
134 for (j=0; j<num; j++)
135 if (q[j] != 0) gs_doit[j&3]=1;
136
137 if (gs_doit[0]|gs_doit[1]|gs_doit[2])
138 gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=1;
139 else
140 {
141 gs_doit[0]=gs_doit[1]=gs_doit[2]=0;
142 gs_doit[3]=1;
143 }
144 }
145 else
146 gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=1;
147
148 for (l2=j=0; j<num; j++)
149 {
150 if (!gs_doit[j&3]) continue;
151 l2++;
152#ifndef CHARSET_EBCDIC
153 if ((q[j] < ' ') || (q[j] > '~')) l2+=3;
154#else
155 if ((os_toascii[q[j]] < os_toascii[' ']) ||
156 (os_toascii[q[j]] > os_toascii['~'])) l2+=3;
157#endif
158 }
159
160 lold=l;
161 l+=1+l1+1+l2;
162 if (b != NULL)
163 {
164 if (!BUF_MEM_grow(b,l+1)) goto err;
165 p= &(b->data[lold]);
166 }
167 else if (l > len)
168 {
169 break;
170 }
171 else
172 p= &(buf[lold]);
173 *(p++)='/';
174 memcpy(p,s,(unsigned int)l1); p+=l1;
175 *(p++)='=';
176
177#ifndef CHARSET_EBCDIC /* q was assigned above already. */
178 q=ne->value->data;
179#endif
180
181 for (j=0; j<num; j++)
182 {
183 if (!gs_doit[j&3]) continue;
184#ifndef CHARSET_EBCDIC
185 n=q[j];
186 if ((n < ' ') || (n > '~'))
187 {
188 *(p++)='\\';
189 *(p++)='x';
190 *(p++)=hex[(n>>4)&0x0f];
191 *(p++)=hex[n&0x0f];
192 }
193 else
194 *(p++)=n;
195#else
196 n=os_toascii[q[j]];
197 if ((n < os_toascii[' ']) ||
198 (n > os_toascii['~']))
199 {
200 *(p++)='\\';
201 *(p++)='x';
202 *(p++)=hex[(n>>4)&0x0f];
203 *(p++)=hex[n&0x0f];
204 }
205 else
206 *(p++)=q[j];
207#endif
208 }
209 *p='\0';
210 }
211 if (b != NULL)
212 {
213 p=b->data;
214 OPENSSL_free(b);
215 }
216 else
217 p=buf;
218 if (i == 0)
219 *p = '\0';
220 return(p);
221err:
222 X509err(X509_F_X509_NAME_ONELINE,ERR_R_MALLOC_FAILURE);
223 if (b != NULL) BUF_MEM_free(b);
224 return(NULL);
225 }
226
diff --git a/src/lib/libcrypto/x509/x509_r2x.c b/src/lib/libcrypto/x509/x509_r2x.c
new file mode 100644
index 0000000000..254a14693d
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_r2x.c
@@ -0,0 +1,114 @@
1/* crypto/x509/x509_r2x.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/bn.h>
62#include <openssl/evp.h>
63#include <openssl/asn1.h>
64#include <openssl/x509.h>
65#include <openssl/objects.h>
66#include <openssl/buffer.h>
67
68X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
69 {
70 X509 *ret=NULL;
71 X509_CINF *xi=NULL;
72 X509_NAME *xn;
73
74 if ((ret=X509_new()) == NULL)
75 {
76 X509err(X509_F_X509_REQ_TO_X509,ERR_R_MALLOC_FAILURE);
77 goto err;
78 }
79
80 /* duplicate the request */
81 xi=ret->cert_info;
82
83 if (sk_X509_ATTRIBUTE_num(r->req_info->attributes) != 0)
84 {
85 if ((xi->version=M_ASN1_INTEGER_new()) == NULL) goto err;
86 if (!ASN1_INTEGER_set(xi->version,2)) goto err;
87/* xi->extensions=ri->attributes; <- bad, should not ever be done
88 ri->attributes=NULL; */
89 }
90
91 xn=X509_REQ_get_subject_name(r);
92 if (X509_set_subject_name(ret,X509_NAME_dup(xn)) == 0)
93 goto err;
94 if (X509_set_issuer_name(ret,X509_NAME_dup(xn)) == 0)
95 goto err;
96
97 if (X509_gmtime_adj(xi->validity->notBefore,0) == NULL)
98 goto err;
99 if (X509_gmtime_adj(xi->validity->notAfter,(long)60*60*24*days) == NULL)
100 goto err;
101
102 X509_set_pubkey(ret,X509_REQ_get_pubkey(r));
103
104 if (!X509_sign(ret,pkey,EVP_md5()))
105 goto err;
106 if (0)
107 {
108err:
109 X509_free(ret);
110 ret=NULL;
111 }
112 return(ret);
113 }
114
diff --git a/src/lib/libcrypto/x509/x509_req.c b/src/lib/libcrypto/x509/x509_req.c
new file mode 100644
index 0000000000..48183dc00c
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_req.c
@@ -0,0 +1,316 @@
1/* crypto/x509/x509_req.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/bn.h>
62#include <openssl/evp.h>
63#include <openssl/asn1.h>
64#include <openssl/asn1t.h>
65#include <openssl/x509.h>
66#include <openssl/objects.h>
67#include <openssl/buffer.h>
68#include <openssl/pem.h>
69
70X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
71 {
72 X509_REQ *ret;
73 X509_REQ_INFO *ri;
74 int i;
75 EVP_PKEY *pktmp;
76
77 ret=X509_REQ_new();
78 if (ret == NULL)
79 {
80 X509err(X509_F_X509_TO_X509_REQ,ERR_R_MALLOC_FAILURE);
81 goto err;
82 }
83
84 ri=ret->req_info;
85
86 ri->version->length=1;
87 ri->version->data=(unsigned char *)OPENSSL_malloc(1);
88 if (ri->version->data == NULL) goto err;
89 ri->version->data[0]=0; /* version == 0 */
90
91 if (!X509_REQ_set_subject_name(ret,X509_get_subject_name(x)))
92 goto err;
93
94 pktmp = X509_get_pubkey(x);
95 i=X509_REQ_set_pubkey(ret,pktmp);
96 EVP_PKEY_free(pktmp);
97 if (!i) goto err;
98
99 if (pkey != NULL)
100 {
101 if (!X509_REQ_sign(ret,pkey,md))
102 goto err;
103 }
104 return(ret);
105err:
106 X509_REQ_free(ret);
107 return(NULL);
108 }
109
110EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req)
111 {
112 if ((req == NULL) || (req->req_info == NULL))
113 return(NULL);
114 return(X509_PUBKEY_get(req->req_info->pubkey));
115 }
116
117int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k)
118 {
119 EVP_PKEY *xk=NULL;
120 int ok=0;
121
122 xk=X509_REQ_get_pubkey(x);
123 switch (EVP_PKEY_cmp(xk, k))
124 {
125 case 1:
126 ok=1;
127 break;
128 case 0:
129 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH);
130 break;
131 case -1:
132 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_KEY_TYPE_MISMATCH);
133 break;
134 case -2:
135#ifndef OPENSSL_NO_EC
136 if (k->type == EVP_PKEY_EC)
137 {
138 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY, ERR_R_EC_LIB);
139 break;
140 }
141#endif
142#ifndef OPENSSL_NO_DH
143 if (k->type == EVP_PKEY_DH)
144 {
145 /* No idea */
146 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY);
147 break;
148 }
149#endif
150 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE);
151 }
152
153 EVP_PKEY_free(xk);
154 return(ok);
155 }
156
157/* It seems several organisations had the same idea of including a list of
158 * extensions in a certificate request. There are at least two OIDs that are
159 * used and there may be more: so the list is configurable.
160 */
161
162static int ext_nid_list[] = { NID_ext_req, NID_ms_ext_req, NID_undef};
163
164static int *ext_nids = ext_nid_list;
165
166int X509_REQ_extension_nid(int req_nid)
167{
168 int i, nid;
169 for(i = 0; ; i++) {
170 nid = ext_nids[i];
171 if(nid == NID_undef) return 0;
172 else if (req_nid == nid) return 1;
173 }
174}
175
176int *X509_REQ_get_extension_nids(void)
177{
178 return ext_nids;
179}
180
181void X509_REQ_set_extension_nids(int *nids)
182{
183 ext_nids = nids;
184}
185
186STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
187 {
188 X509_ATTRIBUTE *attr;
189 ASN1_TYPE *ext = NULL;
190 int idx, *pnid;
191 const unsigned char *p;
192
193 if ((req == NULL) || (req->req_info == NULL) || !ext_nids)
194 return(NULL);
195 for (pnid = ext_nids; *pnid != NID_undef; pnid++)
196 {
197 idx = X509_REQ_get_attr_by_NID(req, *pnid, -1);
198 if (idx == -1)
199 continue;
200 attr = X509_REQ_get_attr(req, idx);
201 if(attr->single) ext = attr->value.single;
202 else if(sk_ASN1_TYPE_num(attr->value.set))
203 ext = sk_ASN1_TYPE_value(attr->value.set, 0);
204 break;
205 }
206 if(!ext || (ext->type != V_ASN1_SEQUENCE))
207 return NULL;
208 p = ext->value.sequence->data;
209 return (STACK_OF(X509_EXTENSION) *)
210 ASN1_item_d2i(NULL, &p, ext->value.sequence->length,
211 ASN1_ITEM_rptr(X509_EXTENSIONS));
212}
213
214/* Add a STACK_OF extensions to a certificate request: allow alternative OIDs
215 * in case we want to create a non standard one.
216 */
217
218int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts,
219 int nid)
220{
221 ASN1_TYPE *at = NULL;
222 X509_ATTRIBUTE *attr = NULL;
223 if(!(at = ASN1_TYPE_new()) ||
224 !(at->value.sequence = ASN1_STRING_new())) goto err;
225
226 at->type = V_ASN1_SEQUENCE;
227 /* Generate encoding of extensions */
228 at->value.sequence->length =
229 ASN1_item_i2d((ASN1_VALUE *)exts,
230 &at->value.sequence->data,
231 ASN1_ITEM_rptr(X509_EXTENSIONS));
232 if(!(attr = X509_ATTRIBUTE_new())) goto err;
233 if(!(attr->value.set = sk_ASN1_TYPE_new_null())) goto err;
234 if(!sk_ASN1_TYPE_push(attr->value.set, at)) goto err;
235 at = NULL;
236 attr->single = 0;
237 attr->object = OBJ_nid2obj(nid);
238 if (!req->req_info->attributes)
239 {
240 if (!(req->req_info->attributes = sk_X509_ATTRIBUTE_new_null()))
241 goto err;
242 }
243 if(!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) goto err;
244 return 1;
245 err:
246 X509_ATTRIBUTE_free(attr);
247 ASN1_TYPE_free(at);
248 return 0;
249}
250/* This is the normal usage: use the "official" OID */
251int X509_REQ_add_extensions(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts)
252{
253 return X509_REQ_add_extensions_nid(req, exts, NID_ext_req);
254}
255
256/* Request attribute functions */
257
258int X509_REQ_get_attr_count(const X509_REQ *req)
259{
260 return X509at_get_attr_count(req->req_info->attributes);
261}
262
263int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid,
264 int lastpos)
265{
266 return X509at_get_attr_by_NID(req->req_info->attributes, nid, lastpos);
267}
268
269int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, ASN1_OBJECT *obj,
270 int lastpos)
271{
272 return X509at_get_attr_by_OBJ(req->req_info->attributes, obj, lastpos);
273}
274
275X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc)
276{
277 return X509at_get_attr(req->req_info->attributes, loc);
278}
279
280X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc)
281{
282 return X509at_delete_attr(req->req_info->attributes, loc);
283}
284
285int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr)
286{
287 if(X509at_add1_attr(&req->req_info->attributes, attr)) return 1;
288 return 0;
289}
290
291int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
292 const ASN1_OBJECT *obj, int type,
293 const unsigned char *bytes, int len)
294{
295 if(X509at_add1_attr_by_OBJ(&req->req_info->attributes, obj,
296 type, bytes, len)) return 1;
297 return 0;
298}
299
300int X509_REQ_add1_attr_by_NID(X509_REQ *req,
301 int nid, int type,
302 const unsigned char *bytes, int len)
303{
304 if(X509at_add1_attr_by_NID(&req->req_info->attributes, nid,
305 type, bytes, len)) return 1;
306 return 0;
307}
308
309int X509_REQ_add1_attr_by_txt(X509_REQ *req,
310 const char *attrname, int type,
311 const unsigned char *bytes, int len)
312{
313 if(X509at_add1_attr_by_txt(&req->req_info->attributes, attrname,
314 type, bytes, len)) return 1;
315 return 0;
316}
diff --git a/src/lib/libcrypto/x509/x509_set.c b/src/lib/libcrypto/x509/x509_set.c
new file mode 100644
index 0000000000..4b94fc5847
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_set.c
@@ -0,0 +1,150 @@
1/* crypto/x509/x509_set.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/asn1.h>
62#include <openssl/objects.h>
63#include <openssl/evp.h>
64#include <openssl/x509.h>
65
66int X509_set_version(X509 *x, long version)
67 {
68 if (x == NULL) return(0);
69 if (x->cert_info->version == NULL)
70 {
71 if ((x->cert_info->version=M_ASN1_INTEGER_new()) == NULL)
72 return(0);
73 }
74 return(ASN1_INTEGER_set(x->cert_info->version,version));
75 }
76
77int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial)
78 {
79 ASN1_INTEGER *in;
80
81 if (x == NULL) return(0);
82 in=x->cert_info->serialNumber;
83 if (in != serial)
84 {
85 in=M_ASN1_INTEGER_dup(serial);
86 if (in != NULL)
87 {
88 M_ASN1_INTEGER_free(x->cert_info->serialNumber);
89 x->cert_info->serialNumber=in;
90 }
91 }
92 return(in != NULL);
93 }
94
95int X509_set_issuer_name(X509 *x, X509_NAME *name)
96 {
97 if ((x == NULL) || (x->cert_info == NULL)) return(0);
98 return(X509_NAME_set(&x->cert_info->issuer,name));
99 }
100
101int X509_set_subject_name(X509 *x, X509_NAME *name)
102 {
103 if ((x == NULL) || (x->cert_info == NULL)) return(0);
104 return(X509_NAME_set(&x->cert_info->subject,name));
105 }
106
107int X509_set_notBefore(X509 *x, const ASN1_TIME *tm)
108 {
109 ASN1_TIME *in;
110
111 if ((x == NULL) || (x->cert_info->validity == NULL)) return(0);
112 in=x->cert_info->validity->notBefore;
113 if (in != tm)
114 {
115 in=M_ASN1_TIME_dup(tm);
116 if (in != NULL)
117 {
118 M_ASN1_TIME_free(x->cert_info->validity->notBefore);
119 x->cert_info->validity->notBefore=in;
120 }
121 }
122 return(in != NULL);
123 }
124
125int X509_set_notAfter(X509 *x, const ASN1_TIME *tm)
126 {
127 ASN1_TIME *in;
128
129 if ((x == NULL) || (x->cert_info->validity == NULL)) return(0);
130 in=x->cert_info->validity->notAfter;
131 if (in != tm)
132 {
133 in=M_ASN1_TIME_dup(tm);
134 if (in != NULL)
135 {
136 M_ASN1_TIME_free(x->cert_info->validity->notAfter);
137 x->cert_info->validity->notAfter=in;
138 }
139 }
140 return(in != NULL);
141 }
142
143int X509_set_pubkey(X509 *x, EVP_PKEY *pkey)
144 {
145 if ((x == NULL) || (x->cert_info == NULL)) return(0);
146 return(X509_PUBKEY_set(&(x->cert_info->key),pkey));
147 }
148
149
150
diff --git a/src/lib/libcrypto/x509/x509_trs.c b/src/lib/libcrypto/x509/x509_trs.c
new file mode 100644
index 0000000000..a6cb9c8b1b
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_trs.c
@@ -0,0 +1,288 @@
1/* x509_trs.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/x509v3.h>
62
63
64static int tr_cmp(const X509_TRUST * const *a,
65 const X509_TRUST * const *b);
66static void trtable_free(X509_TRUST *p);
67
68static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags);
69static int trust_1oid(X509_TRUST *trust, X509 *x, int flags);
70static int trust_compat(X509_TRUST *trust, X509 *x, int flags);
71
72static int obj_trust(int id, X509 *x, int flags);
73static int (*default_trust)(int id, X509 *x, int flags) = obj_trust;
74
75/* WARNING: the following table should be kept in order of trust
76 * and without any gaps so we can just subtract the minimum trust
77 * value to get an index into the table
78 */
79
80static X509_TRUST trstandard[] = {
81{X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL},
82{X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL},
83{X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL},
84{X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL},
85{X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, "Object Signer", NID_code_sign, NULL},
86{X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL},
87{X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL},
88{X509_TRUST_TSA, 0, trust_1oidany, "TSA server", NID_time_stamp, NULL}
89};
90
91#define X509_TRUST_COUNT (sizeof(trstandard)/sizeof(X509_TRUST))
92
93IMPLEMENT_STACK_OF(X509_TRUST)
94
95static STACK_OF(X509_TRUST) *trtable = NULL;
96
97static int tr_cmp(const X509_TRUST * const *a,
98 const X509_TRUST * const *b)
99{
100 return (*a)->trust - (*b)->trust;
101}
102
103int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int)
104{
105 int (*oldtrust)(int , X509 *, int);
106 oldtrust = default_trust;
107 default_trust = trust;
108 return oldtrust;
109}
110
111
112int X509_check_trust(X509 *x, int id, int flags)
113{
114 X509_TRUST *pt;
115 int idx;
116 if(id == -1) return 1;
117 idx = X509_TRUST_get_by_id(id);
118 if(idx == -1) return default_trust(id, x, flags);
119 pt = X509_TRUST_get0(idx);
120 return pt->check_trust(pt, x, flags);
121}
122
123int X509_TRUST_get_count(void)
124{
125 if(!trtable) return X509_TRUST_COUNT;
126 return sk_X509_TRUST_num(trtable) + X509_TRUST_COUNT;
127}
128
129X509_TRUST * X509_TRUST_get0(int idx)
130{
131 if(idx < 0) return NULL;
132 if(idx < (int)X509_TRUST_COUNT) return trstandard + idx;
133 return sk_X509_TRUST_value(trtable, idx - X509_TRUST_COUNT);
134}
135
136int X509_TRUST_get_by_id(int id)
137{
138 X509_TRUST tmp;
139 int idx;
140 if((id >= X509_TRUST_MIN) && (id <= X509_TRUST_MAX))
141 return id - X509_TRUST_MIN;
142 tmp.trust = id;
143 if(!trtable) return -1;
144 idx = sk_X509_TRUST_find(trtable, &tmp);
145 if(idx == -1) return -1;
146 return idx + X509_TRUST_COUNT;
147}
148
149int X509_TRUST_set(int *t, int trust)
150{
151 if(X509_TRUST_get_by_id(trust) == -1) {
152 X509err(X509_F_X509_TRUST_SET, X509_R_INVALID_TRUST);
153 return 0;
154 }
155 *t = trust;
156 return 1;
157}
158
159int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
160 char *name, int arg1, void *arg2)
161{
162 int idx;
163 X509_TRUST *trtmp;
164 /* This is set according to what we change: application can't set it */
165 flags &= ~X509_TRUST_DYNAMIC;
166 /* This will always be set for application modified trust entries */
167 flags |= X509_TRUST_DYNAMIC_NAME;
168 /* Get existing entry if any */
169 idx = X509_TRUST_get_by_id(id);
170 /* Need a new entry */
171 if(idx == -1) {
172 if(!(trtmp = OPENSSL_malloc(sizeof(X509_TRUST)))) {
173 X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
174 return 0;
175 }
176 trtmp->flags = X509_TRUST_DYNAMIC;
177 } else trtmp = X509_TRUST_get0(idx);
178
179 /* OPENSSL_free existing name if dynamic */
180 if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) OPENSSL_free(trtmp->name);
181 /* dup supplied name */
182 if(!(trtmp->name = BUF_strdup(name))) {
183 X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
184 return 0;
185 }
186 /* Keep the dynamic flag of existing entry */
187 trtmp->flags &= X509_TRUST_DYNAMIC;
188 /* Set all other flags */
189 trtmp->flags |= flags;
190
191 trtmp->trust = id;
192 trtmp->check_trust = ck;
193 trtmp->arg1 = arg1;
194 trtmp->arg2 = arg2;
195
196 /* If its a new entry manage the dynamic table */
197 if(idx == -1) {
198 if(!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) {
199 X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
200 return 0;
201 }
202 if (!sk_X509_TRUST_push(trtable, trtmp)) {
203 X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
204 return 0;
205 }
206 }
207 return 1;
208}
209
210static void trtable_free(X509_TRUST *p)
211 {
212 if(!p) return;
213 if (p->flags & X509_TRUST_DYNAMIC)
214 {
215 if (p->flags & X509_TRUST_DYNAMIC_NAME)
216 OPENSSL_free(p->name);
217 OPENSSL_free(p);
218 }
219 }
220
221void X509_TRUST_cleanup(void)
222{
223 unsigned int i;
224 for(i = 0; i < X509_TRUST_COUNT; i++) trtable_free(trstandard + i);
225 sk_X509_TRUST_pop_free(trtable, trtable_free);
226 trtable = NULL;
227}
228
229int X509_TRUST_get_flags(X509_TRUST *xp)
230{
231 return xp->flags;
232}
233
234char *X509_TRUST_get0_name(X509_TRUST *xp)
235{
236 return xp->name;
237}
238
239int X509_TRUST_get_trust(X509_TRUST *xp)
240{
241 return xp->trust;
242}
243
244static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags)
245{
246 if(x->aux && (x->aux->trust || x->aux->reject))
247 return obj_trust(trust->arg1, x, flags);
248 /* we don't have any trust settings: for compatibility
249 * we return trusted if it is self signed
250 */
251 return trust_compat(trust, x, flags);
252}
253
254static int trust_1oid(X509_TRUST *trust, X509 *x, int flags)
255{
256 if(x->aux) return obj_trust(trust->arg1, x, flags);
257 return X509_TRUST_UNTRUSTED;
258}
259
260static int trust_compat(X509_TRUST *trust, X509 *x, int flags)
261{
262 X509_check_purpose(x, -1, 0);
263 if(x->ex_flags & EXFLAG_SS) return X509_TRUST_TRUSTED;
264 else return X509_TRUST_UNTRUSTED;
265}
266
267static int obj_trust(int id, X509 *x, int flags)
268{
269 ASN1_OBJECT *obj;
270 int i;
271 X509_CERT_AUX *ax;
272 ax = x->aux;
273 if(!ax) return X509_TRUST_UNTRUSTED;
274 if(ax->reject) {
275 for(i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {
276 obj = sk_ASN1_OBJECT_value(ax->reject, i);
277 if(OBJ_obj2nid(obj) == id) return X509_TRUST_REJECTED;
278 }
279 }
280 if(ax->trust) {
281 for(i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
282 obj = sk_ASN1_OBJECT_value(ax->trust, i);
283 if(OBJ_obj2nid(obj) == id) return X509_TRUST_TRUSTED;
284 }
285 }
286 return X509_TRUST_UNTRUSTED;
287}
288
diff --git a/src/lib/libcrypto/x509/x509_txt.c b/src/lib/libcrypto/x509/x509_txt.c
new file mode 100644
index 0000000000..c44f753c46
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_txt.c
@@ -0,0 +1,193 @@
1/* crypto/x509/x509_txt.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <time.h>
61#include <errno.h>
62
63#include "cryptlib.h"
64#include <openssl/lhash.h>
65#include <openssl/buffer.h>
66#include <openssl/evp.h>
67#include <openssl/asn1.h>
68#include <openssl/x509.h>
69#include <openssl/objects.h>
70
71const char *X509_verify_cert_error_string(long n)
72 {
73 static char buf[100];
74
75 switch ((int)n)
76 {
77 case X509_V_OK:
78 return("ok");
79 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
80 return("unable to get issuer certificate");
81 case X509_V_ERR_UNABLE_TO_GET_CRL:
82 return("unable to get certificate CRL");
83 case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
84 return("unable to decrypt certificate's signature");
85 case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
86 return("unable to decrypt CRL's signature");
87 case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
88 return("unable to decode issuer public key");
89 case X509_V_ERR_CERT_SIGNATURE_FAILURE:
90 return("certificate signature failure");
91 case X509_V_ERR_CRL_SIGNATURE_FAILURE:
92 return("CRL signature failure");
93 case X509_V_ERR_CERT_NOT_YET_VALID:
94 return("certificate is not yet valid");
95 case X509_V_ERR_CRL_NOT_YET_VALID:
96 return("CRL is not yet valid");
97 case X509_V_ERR_CERT_HAS_EXPIRED:
98 return("certificate has expired");
99 case X509_V_ERR_CRL_HAS_EXPIRED:
100 return("CRL has expired");
101 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
102 return("format error in certificate's notBefore field");
103 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
104 return("format error in certificate's notAfter field");
105 case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
106 return("format error in CRL's lastUpdate field");
107 case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
108 return("format error in CRL's nextUpdate field");
109 case X509_V_ERR_OUT_OF_MEM:
110 return("out of memory");
111 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
112 return("self signed certificate");
113 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
114 return("self signed certificate in certificate chain");
115 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
116 return("unable to get local issuer certificate");
117 case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
118 return("unable to verify the first certificate");
119 case X509_V_ERR_CERT_CHAIN_TOO_LONG:
120 return("certificate chain too long");
121 case X509_V_ERR_CERT_REVOKED:
122 return("certificate revoked");
123 case X509_V_ERR_INVALID_CA:
124 return ("invalid CA certificate");
125 case X509_V_ERR_INVALID_NON_CA:
126 return ("invalid non-CA certificate (has CA markings)");
127 case X509_V_ERR_PATH_LENGTH_EXCEEDED:
128 return ("path length constraint exceeded");
129 case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
130 return("proxy path length constraint exceeded");
131 case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
132 return("proxy certificates not allowed, please set the appropriate flag");
133 case X509_V_ERR_INVALID_PURPOSE:
134 return ("unsupported certificate purpose");
135 case X509_V_ERR_CERT_UNTRUSTED:
136 return ("certificate not trusted");
137 case X509_V_ERR_CERT_REJECTED:
138 return ("certificate rejected");
139 case X509_V_ERR_APPLICATION_VERIFICATION:
140 return("application verification failure");
141 case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
142 return("subject issuer mismatch");
143 case X509_V_ERR_AKID_SKID_MISMATCH:
144 return("authority and subject key identifier mismatch");
145 case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
146 return("authority and issuer serial number mismatch");
147 case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
148 return("key usage does not include certificate signing");
149 case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
150 return("unable to get CRL issuer certificate");
151 case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
152 return("unhandled critical extension");
153 case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
154 return("key usage does not include CRL signing");
155 case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
156 return("key usage does not include digital signature");
157 case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
158 return("unhandled critical CRL extension");
159 case X509_V_ERR_INVALID_EXTENSION:
160 return("invalid or inconsistent certificate extension");
161 case X509_V_ERR_INVALID_POLICY_EXTENSION:
162 return("invalid or inconsistent certificate policy extension");
163 case X509_V_ERR_NO_EXPLICIT_POLICY:
164 return("no explicit policy");
165 case X509_V_ERR_DIFFERENT_CRL_SCOPE:
166 return("Different CRL scope");
167 case X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE:
168 return("Unsupported extension feature");
169 case X509_V_ERR_UNNESTED_RESOURCE:
170 return("RFC 3779 resource not subset of parent's resources");
171
172 case X509_V_ERR_PERMITTED_VIOLATION:
173 return("permitted subtree violation");
174 case X509_V_ERR_EXCLUDED_VIOLATION:
175 return("excluded subtree violation");
176 case X509_V_ERR_SUBTREE_MINMAX:
177 return("name constraints minimum and maximum not supported");
178 case X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE:
179 return("unsupported name constraint type");
180 case X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX:
181 return("unsupported or invalid name constraint syntax");
182 case X509_V_ERR_UNSUPPORTED_NAME_SYNTAX:
183 return("unsupported or invalid name syntax");
184 case X509_V_ERR_CRL_PATH_VALIDATION_ERROR:
185 return("CRL path validation error");
186
187 default:
188 BIO_snprintf(buf,sizeof buf,"error number %ld",n);
189 return(buf);
190 }
191 }
192
193
diff --git a/src/lib/libcrypto/x509/x509_v3.c b/src/lib/libcrypto/x509/x509_v3.c
new file mode 100644
index 0000000000..42e6f0ab05
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_v3.c
@@ -0,0 +1,274 @@
1/* crypto/x509/x509_v3.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/stack.h>
61#include "cryptlib.h"
62#include <openssl/asn1.h>
63#include <openssl/objects.h>
64#include <openssl/evp.h>
65#include <openssl/x509.h>
66#include <openssl/x509v3.h>
67
68int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x)
69 {
70 if (x == NULL) return(0);
71 return(sk_X509_EXTENSION_num(x));
72 }
73
74int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid,
75 int lastpos)
76 {
77 ASN1_OBJECT *obj;
78
79 obj=OBJ_nid2obj(nid);
80 if (obj == NULL) return(-2);
81 return(X509v3_get_ext_by_OBJ(x,obj,lastpos));
82 }
83
84int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj,
85 int lastpos)
86 {
87 int n;
88 X509_EXTENSION *ex;
89
90 if (sk == NULL) return(-1);
91 lastpos++;
92 if (lastpos < 0)
93 lastpos=0;
94 n=sk_X509_EXTENSION_num(sk);
95 for ( ; lastpos < n; lastpos++)
96 {
97 ex=sk_X509_EXTENSION_value(sk,lastpos);
98 if (OBJ_cmp(ex->object,obj) == 0)
99 return(lastpos);
100 }
101 return(-1);
102 }
103
104int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit,
105 int lastpos)
106 {
107 int n;
108 X509_EXTENSION *ex;
109
110 if (sk == NULL) return(-1);
111 lastpos++;
112 if (lastpos < 0)
113 lastpos=0;
114 n=sk_X509_EXTENSION_num(sk);
115 for ( ; lastpos < n; lastpos++)
116 {
117 ex=sk_X509_EXTENSION_value(sk,lastpos);
118 if ( ((ex->critical > 0) && crit) ||
119 ((ex->critical <= 0) && !crit))
120 return(lastpos);
121 }
122 return(-1);
123 }
124
125X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc)
126 {
127 if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0)
128 return NULL;
129 else
130 return sk_X509_EXTENSION_value(x,loc);
131 }
132
133X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc)
134 {
135 X509_EXTENSION *ret;
136
137 if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0)
138 return(NULL);
139 ret=sk_X509_EXTENSION_delete(x,loc);
140 return(ret);
141 }
142
143STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x,
144 X509_EXTENSION *ex, int loc)
145 {
146 X509_EXTENSION *new_ex=NULL;
147 int n;
148 STACK_OF(X509_EXTENSION) *sk=NULL;
149
150 if (x == NULL)
151 {
152 X509err(X509_F_X509V3_ADD_EXT,ERR_R_PASSED_NULL_PARAMETER);
153 goto err2;
154 }
155
156 if (*x == NULL)
157 {
158 if ((sk=sk_X509_EXTENSION_new_null()) == NULL)
159 goto err;
160 }
161 else
162 sk= *x;
163
164 n=sk_X509_EXTENSION_num(sk);
165 if (loc > n) loc=n;
166 else if (loc < 0) loc=n;
167
168 if ((new_ex=X509_EXTENSION_dup(ex)) == NULL)
169 goto err2;
170 if (!sk_X509_EXTENSION_insert(sk,new_ex,loc))
171 goto err;
172 if (*x == NULL)
173 *x=sk;
174 return(sk);
175err:
176 X509err(X509_F_X509V3_ADD_EXT,ERR_R_MALLOC_FAILURE);
177err2:
178 if (new_ex != NULL) X509_EXTENSION_free(new_ex);
179 if (sk != NULL) sk_X509_EXTENSION_free(sk);
180 return(NULL);
181 }
182
183X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid,
184 int crit, ASN1_OCTET_STRING *data)
185 {
186 ASN1_OBJECT *obj;
187 X509_EXTENSION *ret;
188
189 obj=OBJ_nid2obj(nid);
190 if (obj == NULL)
191 {
192 X509err(X509_F_X509_EXTENSION_CREATE_BY_NID,X509_R_UNKNOWN_NID);
193 return(NULL);
194 }
195 ret=X509_EXTENSION_create_by_OBJ(ex,obj,crit,data);
196 if (ret == NULL) ASN1_OBJECT_free(obj);
197 return(ret);
198 }
199
200X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex,
201 ASN1_OBJECT *obj, int crit, ASN1_OCTET_STRING *data)
202 {
203 X509_EXTENSION *ret;
204
205 if ((ex == NULL) || (*ex == NULL))
206 {
207 if ((ret=X509_EXTENSION_new()) == NULL)
208 {
209 X509err(X509_F_X509_EXTENSION_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE);
210 return(NULL);
211 }
212 }
213 else
214 ret= *ex;
215
216 if (!X509_EXTENSION_set_object(ret,obj))
217 goto err;
218 if (!X509_EXTENSION_set_critical(ret,crit))
219 goto err;
220 if (!X509_EXTENSION_set_data(ret,data))
221 goto err;
222
223 if ((ex != NULL) && (*ex == NULL)) *ex=ret;
224 return(ret);
225err:
226 if ((ex == NULL) || (ret != *ex))
227 X509_EXTENSION_free(ret);
228 return(NULL);
229 }
230
231int X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj)
232 {
233 if ((ex == NULL) || (obj == NULL))
234 return(0);
235 ASN1_OBJECT_free(ex->object);
236 ex->object=OBJ_dup(obj);
237 return(1);
238 }
239
240int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit)
241 {
242 if (ex == NULL) return(0);
243 ex->critical=(crit)?0xFF:-1;
244 return(1);
245 }
246
247int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data)
248 {
249 int i;
250
251 if (ex == NULL) return(0);
252 i=M_ASN1_OCTET_STRING_set(ex->value,data->data,data->length);
253 if (!i) return(0);
254 return(1);
255 }
256
257ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex)
258 {
259 if (ex == NULL) return(NULL);
260 return(ex->object);
261 }
262
263ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ex)
264 {
265 if (ex == NULL) return(NULL);
266 return(ex->value);
267 }
268
269int X509_EXTENSION_get_critical(X509_EXTENSION *ex)
270 {
271 if (ex == NULL) return(0);
272 if(ex->critical > 0) return 1;
273 return 0;
274 }
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
new file mode 100644
index 0000000000..701ec565e9
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -0,0 +1,2219 @@
1/* crypto/x509/x509_vfy.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <time.h>
61#include <errno.h>
62
63#include "cryptlib.h"
64#include <openssl/crypto.h>
65#include <openssl/lhash.h>
66#include <openssl/buffer.h>
67#include <openssl/evp.h>
68#include <openssl/asn1.h>
69#include <openssl/x509.h>
70#include <openssl/x509v3.h>
71#include <openssl/objects.h>
72
73/* CRL score values */
74
75/* No unhandled critical extensions */
76
77#define CRL_SCORE_NOCRITICAL 0x100
78
79/* certificate is within CRL scope */
80
81#define CRL_SCORE_SCOPE 0x080
82
83/* CRL times valid */
84
85#define CRL_SCORE_TIME 0x040
86
87/* Issuer name matches certificate */
88
89#define CRL_SCORE_ISSUER_NAME 0x020
90
91/* If this score or above CRL is probably valid */
92
93#define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE)
94
95/* CRL issuer is certificate issuer */
96
97#define CRL_SCORE_ISSUER_CERT 0x018
98
99/* CRL issuer is on certificate path */
100
101#define CRL_SCORE_SAME_PATH 0x008
102
103/* CRL issuer matches CRL AKID */
104
105#define CRL_SCORE_AKID 0x004
106
107/* Have a delta CRL with valid times */
108
109#define CRL_SCORE_TIME_DELTA 0x002
110
111static int null_callback(int ok,X509_STORE_CTX *e);
112static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
113static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
114static int check_chain_extensions(X509_STORE_CTX *ctx);
115static int check_name_constraints(X509_STORE_CTX *ctx);
116static int check_trust(X509_STORE_CTX *ctx);
117static int check_revocation(X509_STORE_CTX *ctx);
118static int check_cert(X509_STORE_CTX *ctx);
119static int check_policy(X509_STORE_CTX *ctx);
120
121static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
122 unsigned int *preasons,
123 X509_CRL *crl, X509 *x);
124static int get_crl_delta(X509_STORE_CTX *ctx,
125 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x);
126static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score,
127 X509_CRL *base, STACK_OF(X509_CRL) *crls);
128static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
129 X509 **pissuer, int *pcrl_score);
130static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
131 unsigned int *preasons);
132static int check_crl_path(X509_STORE_CTX *ctx, X509 *x);
133static int check_crl_chain(X509_STORE_CTX *ctx,
134 STACK_OF(X509) *cert_path,
135 STACK_OF(X509) *crl_path);
136
137static int internal_verify(X509_STORE_CTX *ctx);
138const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT;
139
140
141static int null_callback(int ok, X509_STORE_CTX *e)
142 {
143 return ok;
144 }
145
146#if 0
147static int x509_subject_cmp(X509 **a, X509 **b)
148 {
149 return X509_subject_name_cmp(*a,*b);
150 }
151#endif
152
153int X509_verify_cert(X509_STORE_CTX *ctx)
154 {
155 X509 *x,*xtmp,*chain_ss=NULL;
156 X509_NAME *xn;
157 int bad_chain = 0;
158 X509_VERIFY_PARAM *param = ctx->param;
159 int depth,i,ok=0;
160 int num;
161 int (*cb)(int xok,X509_STORE_CTX *xctx);
162 STACK_OF(X509) *sktmp=NULL;
163 if (ctx->cert == NULL)
164 {
165 X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
166 return -1;
167 }
168
169 cb=ctx->verify_cb;
170
171 /* first we make sure the chain we are going to build is
172 * present and that the first entry is in place */
173 if (ctx->chain == NULL)
174 {
175 if ( ((ctx->chain=sk_X509_new_null()) == NULL) ||
176 (!sk_X509_push(ctx->chain,ctx->cert)))
177 {
178 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
179 goto end;
180 }
181 CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
182 ctx->last_untrusted=1;
183 }
184
185 /* We use a temporary STACK so we can chop and hack at it */
186 if (ctx->untrusted != NULL
187 && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL)
188 {
189 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
190 goto end;
191 }
192
193 num=sk_X509_num(ctx->chain);
194 x=sk_X509_value(ctx->chain,num-1);
195 depth=param->depth;
196
197
198 for (;;)
199 {
200 /* If we have enough, we break */
201 if (depth < num) break; /* FIXME: If this happens, we should take
202 * note of it and, if appropriate, use the
203 * X509_V_ERR_CERT_CHAIN_TOO_LONG error
204 * code later.
205 */
206
207 /* If we are self signed, we break */
208 xn=X509_get_issuer_name(x);
209 if (ctx->check_issued(ctx, x,x)) break;
210
211 /* If we were passed a cert chain, use it first */
212 if (ctx->untrusted != NULL)
213 {
214 xtmp=find_issuer(ctx, sktmp,x);
215 if (xtmp != NULL)
216 {
217 if (!sk_X509_push(ctx->chain,xtmp))
218 {
219 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
220 goto end;
221 }
222 CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509);
223 (void)sk_X509_delete_ptr(sktmp,xtmp);
224 ctx->last_untrusted++;
225 x=xtmp;
226 num++;
227 /* reparse the full chain for
228 * the next one */
229 continue;
230 }
231 }
232 break;
233 }
234
235 /* at this point, chain should contain a list of untrusted
236 * certificates. We now need to add at least one trusted one,
237 * if possible, otherwise we complain. */
238
239 /* Examine last certificate in chain and see if it
240 * is self signed.
241 */
242
243 i=sk_X509_num(ctx->chain);
244 x=sk_X509_value(ctx->chain,i-1);
245 xn = X509_get_subject_name(x);
246 if (ctx->check_issued(ctx, x, x))
247 {
248 /* we have a self signed certificate */
249 if (sk_X509_num(ctx->chain) == 1)
250 {
251 /* We have a single self signed certificate: see if
252 * we can find it in the store. We must have an exact
253 * match to avoid possible impersonation.
254 */
255 ok = ctx->get_issuer(&xtmp, ctx, x);
256 if ((ok <= 0) || X509_cmp(x, xtmp))
257 {
258 ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
259 ctx->current_cert=x;
260 ctx->error_depth=i-1;
261 if (ok == 1) X509_free(xtmp);
262 bad_chain = 1;
263 ok=cb(0,ctx);
264 if (!ok) goto end;
265 }
266 else
267 {
268 /* We have a match: replace certificate with store version
269 * so we get any trust settings.
270 */
271 X509_free(x);
272 x = xtmp;
273 (void)sk_X509_set(ctx->chain, i - 1, x);
274 ctx->last_untrusted=0;
275 }
276 }
277 else
278 {
279 /* extract and save self signed certificate for later use */
280 chain_ss=sk_X509_pop(ctx->chain);
281 ctx->last_untrusted--;
282 num--;
283 x=sk_X509_value(ctx->chain,num-1);
284 }
285 }
286
287 /* We now lookup certs from the certificate store */
288 for (;;)
289 {
290 /* If we have enough, we break */
291 if (depth < num) break;
292
293 /* If we are self signed, we break */
294 xn=X509_get_issuer_name(x);
295 if (ctx->check_issued(ctx,x,x)) break;
296
297 ok = ctx->get_issuer(&xtmp, ctx, x);
298
299 if (ok < 0) return ok;
300 if (ok == 0) break;
301
302 x = xtmp;
303 if (!sk_X509_push(ctx->chain,x))
304 {
305 X509_free(xtmp);
306 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
307 return 0;
308 }
309 num++;
310 }
311
312 /* we now have our chain, lets check it... */
313 xn=X509_get_issuer_name(x);
314
315 /* Is last certificate looked up self signed? */
316 if (!ctx->check_issued(ctx,x,x))
317 {
318 if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss))
319 {
320 if (ctx->last_untrusted >= num)
321 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
322 else
323 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
324 ctx->current_cert=x;
325 }
326 else
327 {
328
329 sk_X509_push(ctx->chain,chain_ss);
330 num++;
331 ctx->last_untrusted=num;
332 ctx->current_cert=chain_ss;
333 ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
334 chain_ss=NULL;
335 }
336
337 ctx->error_depth=num-1;
338 bad_chain = 1;
339 ok=cb(0,ctx);
340 if (!ok) goto end;
341 }
342
343 /* We have the chain complete: now we need to check its purpose */
344 ok = check_chain_extensions(ctx);
345
346 if (!ok) goto end;
347
348 /* Check name constraints */
349
350 ok = check_name_constraints(ctx);
351
352 if (!ok) goto end;
353
354 /* The chain extensions are OK: check trust */
355
356 if (param->trust > 0) ok = check_trust(ctx);
357
358 if (!ok) goto end;
359
360 /* We may as well copy down any DSA parameters that are required */
361 X509_get_pubkey_parameters(NULL,ctx->chain);
362
363 /* Check revocation status: we do this after copying parameters
364 * because they may be needed for CRL signature verification.
365 */
366
367 ok = ctx->check_revocation(ctx);
368 if(!ok) goto end;
369
370 /* At this point, we have a chain and need to verify it */
371 if (ctx->verify != NULL)
372 ok=ctx->verify(ctx);
373 else
374 ok=internal_verify(ctx);
375 if(!ok) goto end;
376
377#ifndef OPENSSL_NO_RFC3779
378 /* RFC 3779 path validation, now that CRL check has been done */
379 ok = v3_asid_validate_path(ctx);
380 if (!ok) goto end;
381 ok = v3_addr_validate_path(ctx);
382 if (!ok) goto end;
383#endif
384
385 /* If we get this far evaluate policies */
386 if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
387 ok = ctx->check_policy(ctx);
388 if(!ok) goto end;
389 if (0)
390 {
391end:
392 X509_get_pubkey_parameters(NULL,ctx->chain);
393 }
394 if (sktmp != NULL) sk_X509_free(sktmp);
395 if (chain_ss != NULL) X509_free(chain_ss);
396 return ok;
397 }
398
399
400/* Given a STACK_OF(X509) find the issuer of cert (if any)
401 */
402
403static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
404{
405 int i;
406 X509 *issuer;
407 for (i = 0; i < sk_X509_num(sk); i++)
408 {
409 issuer = sk_X509_value(sk, i);
410 if (ctx->check_issued(ctx, x, issuer))
411 return issuer;
412 }
413 return NULL;
414}
415
416/* Given a possible certificate and issuer check them */
417
418static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
419{
420 int ret;
421 ret = X509_check_issued(issuer, x);
422 if (ret == X509_V_OK)
423 return 1;
424 /* If we haven't asked for issuer errors don't set ctx */
425 if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK))
426 return 0;
427
428 ctx->error = ret;
429 ctx->current_cert = x;
430 ctx->current_issuer = issuer;
431 return ctx->verify_cb(0, ctx);
432 return 0;
433}
434
435/* Alternative lookup method: look from a STACK stored in other_ctx */
436
437static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
438{
439 *issuer = find_issuer(ctx, ctx->other_ctx, x);
440 if (*issuer)
441 {
442 CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509);
443 return 1;
444 }
445 else
446 return 0;
447}
448
449
450/* Check a certificate chains extensions for consistency
451 * with the supplied purpose
452 */
453
454static int check_chain_extensions(X509_STORE_CTX *ctx)
455{
456#ifdef OPENSSL_NO_CHAIN_VERIFY
457 return 1;
458#else
459 int i, ok=0, must_be_ca, plen = 0;
460 X509 *x;
461 int (*cb)(int xok,X509_STORE_CTX *xctx);
462 int proxy_path_length = 0;
463 int purpose;
464 int allow_proxy_certs;
465 cb=ctx->verify_cb;
466
467 /* must_be_ca can have 1 of 3 values:
468 -1: we accept both CA and non-CA certificates, to allow direct
469 use of self-signed certificates (which are marked as CA).
470 0: we only accept non-CA certificates. This is currently not
471 used, but the possibility is present for future extensions.
472 1: we only accept CA certificates. This is currently used for
473 all certificates in the chain except the leaf certificate.
474 */
475 must_be_ca = -1;
476
477 /* CRL path validation */
478 if (ctx->parent)
479 {
480 allow_proxy_certs = 0;
481 purpose = X509_PURPOSE_CRL_SIGN;
482 }
483 else
484 {
485 allow_proxy_certs =
486 !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
487 /* A hack to keep people who don't want to modify their
488 software happy */
489 if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
490 allow_proxy_certs = 1;
491 purpose = ctx->param->purpose;
492 }
493
494 /* Check all untrusted certificates */
495 for (i = 0; i < ctx->last_untrusted; i++)
496 {
497 int ret;
498 x = sk_X509_value(ctx->chain, i);
499 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
500 && (x->ex_flags & EXFLAG_CRITICAL))
501 {
502 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
503 ctx->error_depth = i;
504 ctx->current_cert = x;
505 ok=cb(0,ctx);
506 if (!ok) goto end;
507 }
508 if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY))
509 {
510 ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
511 ctx->error_depth = i;
512 ctx->current_cert = x;
513 ok=cb(0,ctx);
514 if (!ok) goto end;
515 }
516 ret = X509_check_ca(x);
517 switch(must_be_ca)
518 {
519 case -1:
520 if ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
521 && (ret != 1) && (ret != 0))
522 {
523 ret = 0;
524 ctx->error = X509_V_ERR_INVALID_CA;
525 }
526 else
527 ret = 1;
528 break;
529 case 0:
530 if (ret != 0)
531 {
532 ret = 0;
533 ctx->error = X509_V_ERR_INVALID_NON_CA;
534 }
535 else
536 ret = 1;
537 break;
538 default:
539 if ((ret == 0)
540 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
541 && (ret != 1)))
542 {
543 ret = 0;
544 ctx->error = X509_V_ERR_INVALID_CA;
545 }
546 else
547 ret = 1;
548 break;
549 }
550 if (ret == 0)
551 {
552 ctx->error_depth = i;
553 ctx->current_cert = x;
554 ok=cb(0,ctx);
555 if (!ok) goto end;
556 }
557 if (ctx->param->purpose > 0)
558 {
559 ret = X509_check_purpose(x, purpose, must_be_ca > 0);
560 if ((ret == 0)
561 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
562 && (ret != 1)))
563 {
564 ctx->error = X509_V_ERR_INVALID_PURPOSE;
565 ctx->error_depth = i;
566 ctx->current_cert = x;
567 ok=cb(0,ctx);
568 if (!ok) goto end;
569 }
570 }
571 /* Check pathlen if not self issued */
572 if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
573 && (x->ex_pathlen != -1)
574 && (plen > (x->ex_pathlen + proxy_path_length + 1)))
575 {
576 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
577 ctx->error_depth = i;
578 ctx->current_cert = x;
579 ok=cb(0,ctx);
580 if (!ok) goto end;
581 }
582 /* Increment path length if not self issued */
583 if (!(x->ex_flags & EXFLAG_SI))
584 plen++;
585 /* If this certificate is a proxy certificate, the next
586 certificate must be another proxy certificate or a EE
587 certificate. If not, the next certificate must be a
588 CA certificate. */
589 if (x->ex_flags & EXFLAG_PROXY)
590 {
591 if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen)
592 {
593 ctx->error =
594 X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
595 ctx->error_depth = i;
596 ctx->current_cert = x;
597 ok=cb(0,ctx);
598 if (!ok) goto end;
599 }
600 proxy_path_length++;
601 must_be_ca = 0;
602 }
603 else
604 must_be_ca = 1;
605 }
606 ok = 1;
607 end:
608 return ok;
609#endif
610}
611
612static int check_name_constraints(X509_STORE_CTX *ctx)
613 {
614 X509 *x;
615 int i, j, rv;
616 /* Check name constraints for all certificates */
617 for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
618 {
619 x = sk_X509_value(ctx->chain, i);
620 /* Ignore self issued certs unless last in chain */
621 if (i && (x->ex_flags & EXFLAG_SI))
622 continue;
623 /* Check against constraints for all certificates higher in
624 * chain including trust anchor. Trust anchor not strictly
625 * speaking needed but if it includes constraints it is to be
626 * assumed it expects them to be obeyed.
627 */
628 for (j = sk_X509_num(ctx->chain) - 1; j > i; j--)
629 {
630 NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
631 if (nc)
632 {
633 rv = NAME_CONSTRAINTS_check(x, nc);
634 if (rv != X509_V_OK)
635 {
636 ctx->error = rv;
637 ctx->error_depth = i;
638 ctx->current_cert = x;
639 if (!ctx->verify_cb(0,ctx))
640 return 0;
641 }
642 }
643 }
644 }
645 return 1;
646 }
647
648static int check_trust(X509_STORE_CTX *ctx)
649{
650#ifdef OPENSSL_NO_CHAIN_VERIFY
651 return 1;
652#else
653 int i, ok;
654 X509 *x;
655 int (*cb)(int xok,X509_STORE_CTX *xctx);
656 cb=ctx->verify_cb;
657/* For now just check the last certificate in the chain */
658 i = sk_X509_num(ctx->chain) - 1;
659 x = sk_X509_value(ctx->chain, i);
660 ok = X509_check_trust(x, ctx->param->trust, 0);
661 if (ok == X509_TRUST_TRUSTED)
662 return 1;
663 ctx->error_depth = i;
664 ctx->current_cert = x;
665 if (ok == X509_TRUST_REJECTED)
666 ctx->error = X509_V_ERR_CERT_REJECTED;
667 else
668 ctx->error = X509_V_ERR_CERT_UNTRUSTED;
669 ok = cb(0, ctx);
670 return ok;
671#endif
672}
673
674static int check_revocation(X509_STORE_CTX *ctx)
675 {
676 int i, last, ok;
677 if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
678 return 1;
679 if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
680 last = sk_X509_num(ctx->chain) - 1;
681 else
682 {
683 /* If checking CRL paths this isn't the EE certificate */
684 if (ctx->parent)
685 return 1;
686 last = 0;
687 }
688 for(i = 0; i <= last; i++)
689 {
690 ctx->error_depth = i;
691 ok = check_cert(ctx);
692 if (!ok) return ok;
693 }
694 return 1;
695 }
696
697static int check_cert(X509_STORE_CTX *ctx)
698 {
699 X509_CRL *crl = NULL, *dcrl = NULL;
700 X509 *x;
701 int ok, cnum;
702 cnum = ctx->error_depth;
703 x = sk_X509_value(ctx->chain, cnum);
704 ctx->current_cert = x;
705 ctx->current_issuer = NULL;
706 ctx->current_crl_score = 0;
707 ctx->current_reasons = 0;
708 while (ctx->current_reasons != CRLDP_ALL_REASONS)
709 {
710 /* Try to retrieve relevant CRL */
711 if (ctx->get_crl)
712 ok = ctx->get_crl(ctx, &crl, x);
713 else
714 ok = get_crl_delta(ctx, &crl, &dcrl, x);
715 /* If error looking up CRL, nothing we can do except
716 * notify callback
717 */
718 if(!ok)
719 {
720 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
721 ok = ctx->verify_cb(0, ctx);
722 goto err;
723 }
724 ctx->current_crl = crl;
725 ok = ctx->check_crl(ctx, crl);
726 if (!ok)
727 goto err;
728
729 if (dcrl)
730 {
731 ok = ctx->check_crl(ctx, dcrl);
732 if (!ok)
733 goto err;
734 ok = ctx->cert_crl(ctx, dcrl, x);
735 if (!ok)
736 goto err;
737 }
738 else
739 ok = 1;
740
741 /* Don't look in full CRL if delta reason is removefromCRL */
742 if (ok != 2)
743 {
744 ok = ctx->cert_crl(ctx, crl, x);
745 if (!ok)
746 goto err;
747 }
748
749 X509_CRL_free(crl);
750 X509_CRL_free(dcrl);
751 crl = NULL;
752 dcrl = NULL;
753 }
754 err:
755 X509_CRL_free(crl);
756 X509_CRL_free(dcrl);
757
758 ctx->current_crl = NULL;
759 return ok;
760
761 }
762
763/* Check CRL times against values in X509_STORE_CTX */
764
765static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
766 {
767 time_t *ptime;
768 int i;
769 if (notify)
770 ctx->current_crl = crl;
771 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
772 ptime = &ctx->param->check_time;
773 else
774 ptime = NULL;
775
776 i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
777 if (i == 0)
778 {
779 if (!notify)
780 return 0;
781 ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
782 if (!ctx->verify_cb(0, ctx))
783 return 0;
784 }
785
786 if (i > 0)
787 {
788 if (!notify)
789 return 0;
790 ctx->error=X509_V_ERR_CRL_NOT_YET_VALID;
791 if (!ctx->verify_cb(0, ctx))
792 return 0;
793 }
794
795 if(X509_CRL_get_nextUpdate(crl))
796 {
797 i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
798
799 if (i == 0)
800 {
801 if (!notify)
802 return 0;
803 ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
804 if (!ctx->verify_cb(0, ctx))
805 return 0;
806 }
807 /* Ignore expiry of base CRL is delta is valid */
808 if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA))
809 {
810 if (!notify)
811 return 0;
812 ctx->error=X509_V_ERR_CRL_HAS_EXPIRED;
813 if (!ctx->verify_cb(0, ctx))
814 return 0;
815 }
816 }
817
818 if (notify)
819 ctx->current_crl = NULL;
820
821 return 1;
822 }
823
824static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
825 X509 **pissuer, int *pscore, unsigned int *preasons,
826 STACK_OF(X509_CRL) *crls)
827 {
828 int i, crl_score, best_score = *pscore;
829 unsigned int reasons, best_reasons = 0;
830 X509 *x = ctx->current_cert;
831 X509_CRL *crl, *best_crl = NULL;
832 X509 *crl_issuer = NULL, *best_crl_issuer = NULL;
833
834 for (i = 0; i < sk_X509_CRL_num(crls); i++)
835 {
836 crl = sk_X509_CRL_value(crls, i);
837 reasons = *preasons;
838 crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
839
840 if (crl_score > best_score)
841 {
842 best_crl = crl;
843 best_crl_issuer = crl_issuer;
844 best_score = crl_score;
845 best_reasons = reasons;
846 }
847 }
848
849 if (best_crl)
850 {
851 if (*pcrl)
852 X509_CRL_free(*pcrl);
853 *pcrl = best_crl;
854 *pissuer = best_crl_issuer;
855 *pscore = best_score;
856 *preasons = best_reasons;
857 CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL);
858 if (*pdcrl)
859 {
860 X509_CRL_free(*pdcrl);
861 *pdcrl = NULL;
862 }
863 get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
864 }
865
866 if (best_score >= CRL_SCORE_VALID)
867 return 1;
868
869 return 0;
870 }
871
872/* Compare two CRL extensions for delta checking purposes. They should be
873 * both present or both absent. If both present all fields must be identical.
874 */
875
876static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
877 {
878 ASN1_OCTET_STRING *exta, *extb;
879 int i;
880 i = X509_CRL_get_ext_by_NID(a, nid, 0);
881 if (i >= 0)
882 {
883 /* Can't have multiple occurrences */
884 if (X509_CRL_get_ext_by_NID(a, nid, i) != -1)
885 return 0;
886 exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i));
887 }
888 else
889 exta = NULL;
890
891 i = X509_CRL_get_ext_by_NID(b, nid, 0);
892
893 if (i >= 0)
894 {
895
896 if (X509_CRL_get_ext_by_NID(b, nid, i) != -1)
897 return 0;
898 extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
899 }
900 else
901 extb = NULL;
902
903 if (!exta && !extb)
904 return 1;
905
906 if (!exta || !extb)
907 return 0;
908
909
910 if (ASN1_OCTET_STRING_cmp(exta, extb))
911 return 0;
912
913 return 1;
914 }
915
916/* See if a base and delta are compatible */
917
918static int check_delta_base(X509_CRL *delta, X509_CRL *base)
919 {
920 /* Delta CRL must be a delta */
921 if (!delta->base_crl_number)
922 return 0;
923 /* Base must have a CRL number */
924 if (!base->crl_number)
925 return 0;
926 /* Issuer names must match */
927 if (X509_NAME_cmp(X509_CRL_get_issuer(base),
928 X509_CRL_get_issuer(delta)))
929 return 0;
930 /* AKID and IDP must match */
931 if (!crl_extension_match(delta, base, NID_authority_key_identifier))
932 return 0;
933 if (!crl_extension_match(delta, base, NID_issuing_distribution_point))
934 return 0;
935 /* Delta CRL base number must not exceed Full CRL number. */
936 if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)
937 return 0;
938 /* Delta CRL number must exceed full CRL number */
939 if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
940 return 1;
941 return 0;
942 }
943
944/* For a given base CRL find a delta... maybe extend to delta scoring
945 * or retrieve a chain of deltas...
946 */
947
948static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
949 X509_CRL *base, STACK_OF(X509_CRL) *crls)
950 {
951 X509_CRL *delta;
952 int i;
953 if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS))
954 return;
955 if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST))
956 return;
957 for (i = 0; i < sk_X509_CRL_num(crls); i++)
958 {
959 delta = sk_X509_CRL_value(crls, i);
960 if (check_delta_base(delta, base))
961 {
962 if (check_crl_time(ctx, delta, 0))
963 *pscore |= CRL_SCORE_TIME_DELTA;
964 CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL);
965 *dcrl = delta;
966 return;
967 }
968 }
969 *dcrl = NULL;
970 }
971
972/* For a given CRL return how suitable it is for the supplied certificate 'x'.
973 * The return value is a mask of several criteria.
974 * If the issuer is not the certificate issuer this is returned in *pissuer.
975 * The reasons mask is also used to determine if the CRL is suitable: if
976 * no new reasons the CRL is rejected, otherwise reasons is updated.
977 */
978
979static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
980 unsigned int *preasons,
981 X509_CRL *crl, X509 *x)
982 {
983
984 int crl_score = 0;
985 unsigned int tmp_reasons = *preasons, crl_reasons;
986
987 /* First see if we can reject CRL straight away */
988
989 /* Invalid IDP cannot be processed */
990 if (crl->idp_flags & IDP_INVALID)
991 return 0;
992 /* Reason codes or indirect CRLs need extended CRL support */
993 if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT))
994 {
995 if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS))
996 return 0;
997 }
998 else if (crl->idp_flags & IDP_REASONS)
999 {
1000 /* If no new reasons reject */
1001 if (!(crl->idp_reasons & ~tmp_reasons))
1002 return 0;
1003 }
1004 /* Don't process deltas at this stage */
1005 else if (crl->base_crl_number)
1006 return 0;
1007 /* If issuer name doesn't match certificate need indirect CRL */
1008 if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl)))
1009 {
1010 if (!(crl->idp_flags & IDP_INDIRECT))
1011 return 0;
1012 }
1013 else
1014 crl_score |= CRL_SCORE_ISSUER_NAME;
1015
1016 if (!(crl->flags & EXFLAG_CRITICAL))
1017 crl_score |= CRL_SCORE_NOCRITICAL;
1018
1019 /* Check expiry */
1020 if (check_crl_time(ctx, crl, 0))
1021 crl_score |= CRL_SCORE_TIME;
1022
1023 /* Check authority key ID and locate certificate issuer */
1024 crl_akid_check(ctx, crl, pissuer, &crl_score);
1025
1026 /* If we can't locate certificate issuer at this point forget it */
1027
1028 if (!(crl_score & CRL_SCORE_AKID))
1029 return 0;
1030
1031 /* Check cert for matching CRL distribution points */
1032
1033 if (crl_crldp_check(x, crl, crl_score, &crl_reasons))
1034 {
1035 /* If no new reasons reject */
1036 if (!(crl_reasons & ~tmp_reasons))
1037 return 0;
1038 tmp_reasons |= crl_reasons;
1039 crl_score |= CRL_SCORE_SCOPE;
1040 }
1041
1042 *preasons = tmp_reasons;
1043
1044 return crl_score;
1045
1046 }
1047
1048static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1049 X509 **pissuer, int *pcrl_score)
1050 {
1051 X509 *crl_issuer = NULL;
1052 X509_NAME *cnm = X509_CRL_get_issuer(crl);
1053 int cidx = ctx->error_depth;
1054 int i;
1055
1056 if (cidx != sk_X509_num(ctx->chain) - 1)
1057 cidx++;
1058
1059 crl_issuer = sk_X509_value(ctx->chain, cidx);
1060
1061 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
1062 {
1063 if (*pcrl_score & CRL_SCORE_ISSUER_NAME)
1064 {
1065 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_ISSUER_CERT;
1066 *pissuer = crl_issuer;
1067 return;
1068 }
1069 }
1070
1071 for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++)
1072 {
1073 crl_issuer = sk_X509_value(ctx->chain, cidx);
1074 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1075 continue;
1076 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
1077 {
1078 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_SAME_PATH;
1079 *pissuer = crl_issuer;
1080 return;
1081 }
1082 }
1083
1084 /* Anything else needs extended CRL support */
1085
1086 if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT))
1087 return;
1088
1089 /* Otherwise the CRL issuer is not on the path. Look for it in the
1090 * set of untrusted certificates.
1091 */
1092 for (i = 0; i < sk_X509_num(ctx->untrusted); i++)
1093 {
1094 crl_issuer = sk_X509_value(ctx->untrusted, i);
1095 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1096 continue;
1097 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
1098 {
1099 *pissuer = crl_issuer;
1100 *pcrl_score |= CRL_SCORE_AKID;
1101 return;
1102 }
1103 }
1104 }
1105
1106/* Check the path of a CRL issuer certificate. This creates a new
1107 * X509_STORE_CTX and populates it with most of the parameters from the
1108 * parent. This could be optimised somewhat since a lot of path checking
1109 * will be duplicated by the parent, but this will rarely be used in
1110 * practice.
1111 */
1112
1113static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1114 {
1115 X509_STORE_CTX crl_ctx;
1116 int ret;
1117 /* Don't allow recursive CRL path validation */
1118 if (ctx->parent)
1119 return 0;
1120 if (!X509_STORE_CTX_init(&crl_ctx, ctx->ctx, x, ctx->untrusted))
1121 return -1;
1122
1123 crl_ctx.crls = ctx->crls;
1124 /* Copy verify params across */
1125 X509_STORE_CTX_set0_param(&crl_ctx, ctx->param);
1126
1127 crl_ctx.parent = ctx;
1128 crl_ctx.verify_cb = ctx->verify_cb;
1129
1130 /* Verify CRL issuer */
1131 ret = X509_verify_cert(&crl_ctx);
1132
1133 if (ret <= 0)
1134 goto err;
1135
1136 /* Check chain is acceptable */
1137
1138 ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
1139 err:
1140 X509_STORE_CTX_cleanup(&crl_ctx);
1141 return ret;
1142 }
1143
1144/* RFC3280 says nothing about the relationship between CRL path
1145 * and certificate path, which could lead to situations where a
1146 * certificate could be revoked or validated by a CA not authorised
1147 * to do so. RFC5280 is more strict and states that the two paths must
1148 * end in the same trust anchor, though some discussions remain...
1149 * until this is resolved we use the RFC5280 version
1150 */
1151
1152static int check_crl_chain(X509_STORE_CTX *ctx,
1153 STACK_OF(X509) *cert_path,
1154 STACK_OF(X509) *crl_path)
1155 {
1156 X509 *cert_ta, *crl_ta;
1157 cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
1158 crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
1159 if (!X509_cmp(cert_ta, crl_ta))
1160 return 1;
1161 return 0;
1162 }
1163
1164/* Check for match between two dist point names: three separate cases.
1165 * 1. Both are relative names and compare X509_NAME types.
1166 * 2. One full, one relative. Compare X509_NAME to GENERAL_NAMES.
1167 * 3. Both are full names and compare two GENERAL_NAMES.
1168 * 4. One is NULL: automatic match.
1169 */
1170
1171
1172static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
1173 {
1174 X509_NAME *nm = NULL;
1175 GENERAL_NAMES *gens = NULL;
1176 GENERAL_NAME *gena, *genb;
1177 int i, j;
1178 if (!a || !b)
1179 return 1;
1180 if (a->type == 1)
1181 {
1182 if (!a->dpname)
1183 return 0;
1184 /* Case 1: two X509_NAME */
1185 if (b->type == 1)
1186 {
1187 if (!b->dpname)
1188 return 0;
1189 if (!X509_NAME_cmp(a->dpname, b->dpname))
1190 return 1;
1191 else
1192 return 0;
1193 }
1194 /* Case 2: set name and GENERAL_NAMES appropriately */
1195 nm = a->dpname;
1196 gens = b->name.fullname;
1197 }
1198 else if (b->type == 1)
1199 {
1200 if (!b->dpname)
1201 return 0;
1202 /* Case 2: set name and GENERAL_NAMES appropriately */
1203 gens = a->name.fullname;
1204 nm = b->dpname;
1205 }
1206
1207 /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
1208 if (nm)
1209 {
1210 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
1211 {
1212 gena = sk_GENERAL_NAME_value(gens, i);
1213 if (gena->type != GEN_DIRNAME)
1214 continue;
1215 if (!X509_NAME_cmp(nm, gena->d.directoryName))
1216 return 1;
1217 }
1218 return 0;
1219 }
1220
1221 /* Else case 3: two GENERAL_NAMES */
1222
1223 for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++)
1224 {
1225 gena = sk_GENERAL_NAME_value(a->name.fullname, i);
1226 for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++)
1227 {
1228 genb = sk_GENERAL_NAME_value(b->name.fullname, j);
1229 if (!GENERAL_NAME_cmp(gena, genb))
1230 return 1;
1231 }
1232 }
1233
1234 return 0;
1235
1236 }
1237
1238static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
1239 {
1240 int i;
1241 X509_NAME *nm = X509_CRL_get_issuer(crl);
1242 /* If no CRLissuer return is successful iff don't need a match */
1243 if (!dp->CRLissuer)
1244 return !!(crl_score & CRL_SCORE_ISSUER_NAME);
1245 for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++)
1246 {
1247 GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
1248 if (gen->type != GEN_DIRNAME)
1249 continue;
1250 if (!X509_NAME_cmp(gen->d.directoryName, nm))
1251 return 1;
1252 }
1253 return 0;
1254 }
1255
1256/* Check CRLDP and IDP */
1257
1258static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
1259 unsigned int *preasons)
1260 {
1261 int i;
1262 if (crl->idp_flags & IDP_ONLYATTR)
1263 return 0;
1264 if (x->ex_flags & EXFLAG_CA)
1265 {
1266 if (crl->idp_flags & IDP_ONLYUSER)
1267 return 0;
1268 }
1269 else
1270 {
1271 if (crl->idp_flags & IDP_ONLYCA)
1272 return 0;
1273 }
1274 *preasons = crl->idp_reasons;
1275 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
1276 {
1277 DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
1278 if (crldp_check_crlissuer(dp, crl, crl_score))
1279 {
1280 if (!crl->idp ||
1281 idp_check_dp(dp->distpoint, crl->idp->distpoint))
1282 {
1283 *preasons &= dp->dp_reasons;
1284 return 1;
1285 }
1286 }
1287 }
1288 if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME))
1289 return 1;
1290 return 0;
1291 }
1292
1293/* Retrieve CRL corresponding to current certificate.
1294 * If deltas enabled try to find a delta CRL too
1295 */
1296
1297static int get_crl_delta(X509_STORE_CTX *ctx,
1298 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
1299 {
1300 int ok;
1301 X509 *issuer = NULL;
1302 int crl_score = 0;
1303 unsigned int reasons;
1304 X509_CRL *crl = NULL, *dcrl = NULL;
1305 STACK_OF(X509_CRL) *skcrl;
1306 X509_NAME *nm = X509_get_issuer_name(x);
1307 reasons = ctx->current_reasons;
1308 ok = get_crl_sk(ctx, &crl, &dcrl,
1309 &issuer, &crl_score, &reasons, ctx->crls);
1310
1311 if (ok)
1312 goto done;
1313
1314 /* Lookup CRLs from store */
1315
1316 skcrl = ctx->lookup_crls(ctx, nm);
1317
1318 /* If no CRLs found and a near match from get_crl_sk use that */
1319 if (!skcrl && crl)
1320 goto done;
1321
1322 get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl);
1323
1324 sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
1325
1326 done:
1327
1328 /* If we got any kind of CRL use it and return success */
1329 if (crl)
1330 {
1331 ctx->current_issuer = issuer;
1332 ctx->current_crl_score = crl_score;
1333 ctx->current_reasons = reasons;
1334 *pcrl = crl;
1335 *pdcrl = dcrl;
1336 return 1;
1337 }
1338
1339 return 0;
1340 }
1341
1342/* Check CRL validity */
1343static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
1344 {
1345 X509 *issuer = NULL;
1346 EVP_PKEY *ikey = NULL;
1347 int ok = 0, chnum, cnum;
1348 cnum = ctx->error_depth;
1349 chnum = sk_X509_num(ctx->chain) - 1;
1350 /* if we have an alternative CRL issuer cert use that */
1351 if (ctx->current_issuer)
1352 issuer = ctx->current_issuer;
1353
1354 /* Else find CRL issuer: if not last certificate then issuer
1355 * is next certificate in chain.
1356 */
1357 else if (cnum < chnum)
1358 issuer = sk_X509_value(ctx->chain, cnum + 1);
1359 else
1360 {
1361 issuer = sk_X509_value(ctx->chain, chnum);
1362 /* If not self signed, can't check signature */
1363 if(!ctx->check_issued(ctx, issuer, issuer))
1364 {
1365 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
1366 ok = ctx->verify_cb(0, ctx);
1367 if(!ok) goto err;
1368 }
1369 }
1370
1371 if(issuer)
1372 {
1373 /* Skip most tests for deltas because they have already
1374 * been done
1375 */
1376 if (!crl->base_crl_number)
1377 {
1378 /* Check for cRLSign bit if keyUsage present */
1379 if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
1380 !(issuer->ex_kusage & KU_CRL_SIGN))
1381 {
1382 ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
1383 ok = ctx->verify_cb(0, ctx);
1384 if(!ok) goto err;
1385 }
1386
1387 if (!(ctx->current_crl_score & CRL_SCORE_SCOPE))
1388 {
1389 ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
1390 ok = ctx->verify_cb(0, ctx);
1391 if(!ok) goto err;
1392 }
1393
1394 if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH))
1395 {
1396 if (check_crl_path(ctx, ctx->current_issuer) <= 0)
1397 {
1398 ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
1399 ok = ctx->verify_cb(0, ctx);
1400 if(!ok) goto err;
1401 }
1402 }
1403
1404 if (crl->idp_flags & IDP_INVALID)
1405 {
1406 ctx->error = X509_V_ERR_INVALID_EXTENSION;
1407 ok = ctx->verify_cb(0, ctx);
1408 if(!ok) goto err;
1409 }
1410
1411
1412 }
1413
1414 if (!(ctx->current_crl_score & CRL_SCORE_TIME))
1415 {
1416 ok = check_crl_time(ctx, crl, 1);
1417 if (!ok)
1418 goto err;
1419 }
1420
1421 /* Attempt to get issuer certificate public key */
1422 ikey = X509_get_pubkey(issuer);
1423
1424 if(!ikey)
1425 {
1426 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1427 ok = ctx->verify_cb(0, ctx);
1428 if (!ok) goto err;
1429 }
1430 else
1431 {
1432 /* Verify CRL signature */
1433 if(X509_CRL_verify(crl, ikey) <= 0)
1434 {
1435 ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE;
1436 ok = ctx->verify_cb(0, ctx);
1437 if (!ok) goto err;
1438 }
1439 }
1440 }
1441
1442 ok = 1;
1443
1444 err:
1445 EVP_PKEY_free(ikey);
1446 return ok;
1447 }
1448
1449/* Check certificate against CRL */
1450static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1451 {
1452 int ok;
1453 X509_REVOKED *rev;
1454 /* The rules changed for this... previously if a CRL contained
1455 * unhandled critical extensions it could still be used to indicate
1456 * a certificate was revoked. This has since been changed since
1457 * critical extension can change the meaning of CRL entries.
1458 */
1459 if (crl->flags & EXFLAG_CRITICAL)
1460 {
1461 if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
1462 return 1;
1463 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
1464 ok = ctx->verify_cb(0, ctx);
1465 if(!ok)
1466 return 0;
1467 }
1468 /* Look for serial number of certificate in CRL
1469 * If found make sure reason is not removeFromCRL.
1470 */
1471 if (X509_CRL_get0_by_cert(crl, &rev, x))
1472 {
1473 if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)
1474 return 2;
1475 ctx->error = X509_V_ERR_CERT_REVOKED;
1476 ok = ctx->verify_cb(0, ctx);
1477 if (!ok)
1478 return 0;
1479 }
1480
1481 return 1;
1482 }
1483
1484static int check_policy(X509_STORE_CTX *ctx)
1485 {
1486 int ret;
1487 if (ctx->parent)
1488 return 1;
1489 ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
1490 ctx->param->policies, ctx->param->flags);
1491 if (ret == 0)
1492 {
1493 X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE);
1494 return 0;
1495 }
1496 /* Invalid or inconsistent extensions */
1497 if (ret == -1)
1498 {
1499 /* Locate certificates with bad extensions and notify
1500 * callback.
1501 */
1502 X509 *x;
1503 int i;
1504 for (i = 1; i < sk_X509_num(ctx->chain); i++)
1505 {
1506 x = sk_X509_value(ctx->chain, i);
1507 if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
1508 continue;
1509 ctx->current_cert = x;
1510 ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
1511 if(!ctx->verify_cb(0, ctx))
1512 return 0;
1513 }
1514 return 1;
1515 }
1516 if (ret == -2)
1517 {
1518 ctx->current_cert = NULL;
1519 ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
1520 return ctx->verify_cb(0, ctx);
1521 }
1522
1523 if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY)
1524 {
1525 ctx->current_cert = NULL;
1526 ctx->error = X509_V_OK;
1527 if (!ctx->verify_cb(2, ctx))
1528 return 0;
1529 }
1530
1531 return 1;
1532 }
1533
1534static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1535 {
1536 time_t *ptime;
1537 int i;
1538
1539 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
1540 ptime = &ctx->param->check_time;
1541 else
1542 ptime = NULL;
1543
1544 i=X509_cmp_time(X509_get_notBefore(x), ptime);
1545 if (i == 0)
1546 {
1547 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
1548 ctx->current_cert=x;
1549 if (!ctx->verify_cb(0, ctx))
1550 return 0;
1551 }
1552
1553 if (i > 0)
1554 {
1555 ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
1556 ctx->current_cert=x;
1557 if (!ctx->verify_cb(0, ctx))
1558 return 0;
1559 }
1560
1561 i=X509_cmp_time(X509_get_notAfter(x), ptime);
1562 if (i == 0)
1563 {
1564 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
1565 ctx->current_cert=x;
1566 if (!ctx->verify_cb(0, ctx))
1567 return 0;
1568 }
1569
1570 if (i < 0)
1571 {
1572 ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
1573 ctx->current_cert=x;
1574 if (!ctx->verify_cb(0, ctx))
1575 return 0;
1576 }
1577
1578 return 1;
1579 }
1580
1581static int internal_verify(X509_STORE_CTX *ctx)
1582 {
1583 int ok=0,n;
1584 X509 *xs,*xi;
1585 EVP_PKEY *pkey=NULL;
1586 int (*cb)(int xok,X509_STORE_CTX *xctx);
1587
1588 cb=ctx->verify_cb;
1589
1590 n=sk_X509_num(ctx->chain);
1591 ctx->error_depth=n-1;
1592 n--;
1593 xi=sk_X509_value(ctx->chain,n);
1594
1595 if (ctx->check_issued(ctx, xi, xi))
1596 xs=xi;
1597 else
1598 {
1599 if (n <= 0)
1600 {
1601 ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
1602 ctx->current_cert=xi;
1603 ok=cb(0,ctx);
1604 goto end;
1605 }
1606 else
1607 {
1608 n--;
1609 ctx->error_depth=n;
1610 xs=sk_X509_value(ctx->chain,n);
1611 }
1612 }
1613
1614/* ctx->error=0; not needed */
1615 while (n >= 0)
1616 {
1617 ctx->error_depth=n;
1618
1619 /* Skip signature check for self signed certificates unless
1620 * explicitly asked for. It doesn't add any security and
1621 * just wastes time.
1622 */
1623 if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)))
1624 {
1625 if ((pkey=X509_get_pubkey(xi)) == NULL)
1626 {
1627 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1628 ctx->current_cert=xi;
1629 ok=(*cb)(0,ctx);
1630 if (!ok) goto end;
1631 }
1632 else if (X509_verify(xs,pkey) <= 0)
1633 {
1634 ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
1635 ctx->current_cert=xs;
1636 ok=(*cb)(0,ctx);
1637 if (!ok)
1638 {
1639 EVP_PKEY_free(pkey);
1640 goto end;
1641 }
1642 }
1643 EVP_PKEY_free(pkey);
1644 pkey=NULL;
1645 }
1646
1647 xs->valid = 1;
1648
1649 ok = check_cert_time(ctx, xs);
1650 if (!ok)
1651 goto end;
1652
1653 /* The last error (if any) is still in the error value */
1654 ctx->current_issuer=xi;
1655 ctx->current_cert=xs;
1656 ok=(*cb)(1,ctx);
1657 if (!ok) goto end;
1658
1659 n--;
1660 if (n >= 0)
1661 {
1662 xi=xs;
1663 xs=sk_X509_value(ctx->chain,n);
1664 }
1665 }
1666 ok=1;
1667end:
1668 return ok;
1669 }
1670
1671int X509_cmp_current_time(const ASN1_TIME *ctm)
1672{
1673 return X509_cmp_time(ctm, NULL);
1674}
1675
1676int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1677 {
1678 char *str;
1679 ASN1_TIME atm;
1680 long offset;
1681 char buff1[24],buff2[24],*p;
1682 int i,j;
1683
1684 p=buff1;
1685 i=ctm->length;
1686 str=(char *)ctm->data;
1687 if (ctm->type == V_ASN1_UTCTIME)
1688 {
1689 if ((i < 11) || (i > 17)) return 0;
1690 memcpy(p,str,10);
1691 p+=10;
1692 str+=10;
1693 }
1694 else
1695 {
1696 if (i < 13) return 0;
1697 memcpy(p,str,12);
1698 p+=12;
1699 str+=12;
1700 }
1701
1702 if ((*str == 'Z') || (*str == '-') || (*str == '+'))
1703 { *(p++)='0'; *(p++)='0'; }
1704 else
1705 {
1706 *(p++)= *(str++);
1707 *(p++)= *(str++);
1708 /* Skip any fractional seconds... */
1709 if (*str == '.')
1710 {
1711 str++;
1712 while ((*str >= '0') && (*str <= '9')) str++;
1713 }
1714
1715 }
1716 *(p++)='Z';
1717 *(p++)='\0';
1718
1719 if (*str == 'Z')
1720 offset=0;
1721 else
1722 {
1723 if ((*str != '+') && (*str != '-'))
1724 return 0;
1725 offset=((str[1]-'0')*10+(str[2]-'0'))*60;
1726 offset+=(str[3]-'0')*10+(str[4]-'0');
1727 if (*str == '-')
1728 offset= -offset;
1729 }
1730 atm.type=ctm->type;
1731 atm.flags = 0;
1732 atm.length=sizeof(buff2);
1733 atm.data=(unsigned char *)buff2;
1734
1735 if (X509_time_adj(&atm, offset*60, cmp_time) == NULL)
1736 return 0;
1737
1738 if (ctm->type == V_ASN1_UTCTIME)
1739 {
1740 i=(buff1[0]-'0')*10+(buff1[1]-'0');
1741 if (i < 50) i+=100; /* cf. RFC 2459 */
1742 j=(buff2[0]-'0')*10+(buff2[1]-'0');
1743 if (j < 50) j+=100;
1744
1745 if (i < j) return -1;
1746 if (i > j) return 1;
1747 }
1748 i=strcmp(buff1,buff2);
1749 if (i == 0) /* wait a second then return younger :-) */
1750 return -1;
1751 else
1752 return i;
1753 }
1754
1755ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
1756{
1757 return X509_time_adj(s, adj, NULL);
1758}
1759
1760ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
1761 {
1762 return X509_time_adj_ex(s, 0, offset_sec, in_tm);
1763 }
1764
1765ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
1766 int offset_day, long offset_sec, time_t *in_tm)
1767 {
1768 time_t t;
1769
1770 if (in_tm) t = *in_tm;
1771 else time(&t);
1772
1773 if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING))
1774 {
1775 if (s->type == V_ASN1_UTCTIME)
1776 return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec);
1777 if (s->type == V_ASN1_GENERALIZEDTIME)
1778 return ASN1_GENERALIZEDTIME_adj(s, t, offset_day,
1779 offset_sec);
1780 }
1781 return ASN1_TIME_adj(s, t, offset_day, offset_sec);
1782 }
1783
1784int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
1785 {
1786 EVP_PKEY *ktmp=NULL,*ktmp2;
1787 int i,j;
1788
1789 if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1;
1790
1791 for (i=0; i<sk_X509_num(chain); i++)
1792 {
1793 ktmp=X509_get_pubkey(sk_X509_value(chain,i));
1794 if (ktmp == NULL)
1795 {
1796 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
1797 return 0;
1798 }
1799 if (!EVP_PKEY_missing_parameters(ktmp))
1800 break;
1801 else
1802 {
1803 EVP_PKEY_free(ktmp);
1804 ktmp=NULL;
1805 }
1806 }
1807 if (ktmp == NULL)
1808 {
1809 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
1810 return 0;
1811 }
1812
1813 /* first, populate the other certs */
1814 for (j=i-1; j >= 0; j--)
1815 {
1816 ktmp2=X509_get_pubkey(sk_X509_value(chain,j));
1817 EVP_PKEY_copy_parameters(ktmp2,ktmp);
1818 EVP_PKEY_free(ktmp2);
1819 }
1820
1821 if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp);
1822 EVP_PKEY_free(ktmp);
1823 return 1;
1824 }
1825
1826int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1827 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
1828 {
1829 /* This function is (usually) called only once, by
1830 * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */
1831 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp,
1832 new_func, dup_func, free_func);
1833 }
1834
1835int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
1836 {
1837 return CRYPTO_set_ex_data(&ctx->ex_data,idx,data);
1838 }
1839
1840void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
1841 {
1842 return CRYPTO_get_ex_data(&ctx->ex_data,idx);
1843 }
1844
1845int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
1846 {
1847 return ctx->error;
1848 }
1849
1850void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
1851 {
1852 ctx->error=err;
1853 }
1854
1855int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
1856 {
1857 return ctx->error_depth;
1858 }
1859
1860X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
1861 {
1862 return ctx->current_cert;
1863 }
1864
1865STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
1866 {
1867 return ctx->chain;
1868 }
1869
1870STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
1871 {
1872 int i;
1873 X509 *x;
1874 STACK_OF(X509) *chain;
1875 if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL;
1876 for (i = 0; i < sk_X509_num(chain); i++)
1877 {
1878 x = sk_X509_value(chain, i);
1879 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
1880 }
1881 return chain;
1882 }
1883
1884X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
1885 {
1886 return ctx->current_issuer;
1887 }
1888
1889X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
1890 {
1891 return ctx->current_crl;
1892 }
1893
1894X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
1895 {
1896 return ctx->parent;
1897 }
1898
1899void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
1900 {
1901 ctx->cert=x;
1902 }
1903
1904void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
1905 {
1906 ctx->untrusted=sk;
1907 }
1908
1909void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
1910 {
1911 ctx->crls=sk;
1912 }
1913
1914int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
1915 {
1916 return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
1917 }
1918
1919int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
1920 {
1921 return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
1922 }
1923
1924/* This function is used to set the X509_STORE_CTX purpose and trust
1925 * values. This is intended to be used when another structure has its
1926 * own trust and purpose values which (if set) will be inherited by
1927 * the ctx. If they aren't set then we will usually have a default
1928 * purpose in mind which should then be used to set the trust value.
1929 * An example of this is SSL use: an SSL structure will have its own
1930 * purpose and trust settings which the application can set: if they
1931 * aren't set then we use the default of SSL client/server.
1932 */
1933
1934int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
1935 int purpose, int trust)
1936{
1937 int idx;
1938 /* If purpose not set use default */
1939 if (!purpose) purpose = def_purpose;
1940 /* If we have a purpose then check it is valid */
1941 if (purpose)
1942 {
1943 X509_PURPOSE *ptmp;
1944 idx = X509_PURPOSE_get_by_id(purpose);
1945 if (idx == -1)
1946 {
1947 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1948 X509_R_UNKNOWN_PURPOSE_ID);
1949 return 0;
1950 }
1951 ptmp = X509_PURPOSE_get0(idx);
1952 if (ptmp->trust == X509_TRUST_DEFAULT)
1953 {
1954 idx = X509_PURPOSE_get_by_id(def_purpose);
1955 if (idx == -1)
1956 {
1957 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1958 X509_R_UNKNOWN_PURPOSE_ID);
1959 return 0;
1960 }
1961 ptmp = X509_PURPOSE_get0(idx);
1962 }
1963 /* If trust not set then get from purpose default */
1964 if (!trust) trust = ptmp->trust;
1965 }
1966 if (trust)
1967 {
1968 idx = X509_TRUST_get_by_id(trust);
1969 if (idx == -1)
1970 {
1971 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1972 X509_R_UNKNOWN_TRUST_ID);
1973 return 0;
1974 }
1975 }
1976
1977 if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose;
1978 if (trust && !ctx->param->trust) ctx->param->trust = trust;
1979 return 1;
1980}
1981
1982X509_STORE_CTX *X509_STORE_CTX_new(void)
1983{
1984 X509_STORE_CTX *ctx;
1985 ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX));
1986 if (!ctx)
1987 {
1988 X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE);
1989 return NULL;
1990 }
1991 memset(ctx, 0, sizeof(X509_STORE_CTX));
1992 return ctx;
1993}
1994
1995void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
1996{
1997 X509_STORE_CTX_cleanup(ctx);
1998 OPENSSL_free(ctx);
1999}
2000
2001int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
2002 STACK_OF(X509) *chain)
2003 {
2004 int ret = 1;
2005 ctx->ctx=store;
2006 ctx->current_method=0;
2007 ctx->cert=x509;
2008 ctx->untrusted=chain;
2009 ctx->crls = NULL;
2010 ctx->last_untrusted=0;
2011 ctx->other_ctx=NULL;
2012 ctx->valid=0;
2013 ctx->chain=NULL;
2014 ctx->error=0;
2015 ctx->explicit_policy=0;
2016 ctx->error_depth=0;
2017 ctx->current_cert=NULL;
2018 ctx->current_issuer=NULL;
2019 ctx->current_crl=NULL;
2020 ctx->current_crl_score=0;
2021 ctx->current_reasons=0;
2022 ctx->tree = NULL;
2023 ctx->parent = NULL;
2024
2025 ctx->param = X509_VERIFY_PARAM_new();
2026
2027 if (!ctx->param)
2028 {
2029 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2030 return 0;
2031 }
2032
2033 /* Inherit callbacks and flags from X509_STORE if not set
2034 * use defaults.
2035 */
2036
2037
2038 if (store)
2039 ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
2040 else
2041 ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
2042
2043 if (store)
2044 {
2045 ctx->verify_cb = store->verify_cb;
2046 ctx->cleanup = store->cleanup;
2047 }
2048 else
2049 ctx->cleanup = 0;
2050
2051 if (ret)
2052 ret = X509_VERIFY_PARAM_inherit(ctx->param,
2053 X509_VERIFY_PARAM_lookup("default"));
2054
2055 if (ret == 0)
2056 {
2057 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2058 return 0;
2059 }
2060
2061 if (store && store->check_issued)
2062 ctx->check_issued = store->check_issued;
2063 else
2064 ctx->check_issued = check_issued;
2065
2066 if (store && store->get_issuer)
2067 ctx->get_issuer = store->get_issuer;
2068 else
2069 ctx->get_issuer = X509_STORE_CTX_get1_issuer;
2070
2071 if (store && store->verify_cb)
2072 ctx->verify_cb = store->verify_cb;
2073 else
2074 ctx->verify_cb = null_callback;
2075
2076 if (store && store->verify)
2077 ctx->verify = store->verify;
2078 else
2079 ctx->verify = internal_verify;
2080
2081 if (store && store->check_revocation)
2082 ctx->check_revocation = store->check_revocation;
2083 else
2084 ctx->check_revocation = check_revocation;
2085
2086 if (store && store->get_crl)
2087 ctx->get_crl = store->get_crl;
2088 else
2089 ctx->get_crl = NULL;
2090
2091 if (store && store->check_crl)
2092 ctx->check_crl = store->check_crl;
2093 else
2094 ctx->check_crl = check_crl;
2095
2096 if (store && store->cert_crl)
2097 ctx->cert_crl = store->cert_crl;
2098 else
2099 ctx->cert_crl = cert_crl;
2100
2101 if (store && store->lookup_certs)
2102 ctx->lookup_certs = store->lookup_certs;
2103 else
2104 ctx->lookup_certs = X509_STORE_get1_certs;
2105
2106 if (store && store->lookup_crls)
2107 ctx->lookup_crls = store->lookup_crls;
2108 else
2109 ctx->lookup_crls = X509_STORE_get1_crls;
2110
2111 ctx->check_policy = check_policy;
2112
2113
2114 /* This memset() can't make any sense anyway, so it's removed. As
2115 * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a
2116 * corresponding "new" here and remove this bogus initialisation. */
2117 /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */
2118 if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
2119 &(ctx->ex_data)))
2120 {
2121 OPENSSL_free(ctx);
2122 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2123 return 0;
2124 }
2125 return 1;
2126 }
2127
2128/* Set alternative lookup method: just a STACK of trusted certificates.
2129 * This avoids X509_STORE nastiness where it isn't needed.
2130 */
2131
2132void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
2133{
2134 ctx->other_ctx = sk;
2135 ctx->get_issuer = get_issuer_sk;
2136}
2137
2138void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
2139 {
2140 if (ctx->cleanup) ctx->cleanup(ctx);
2141 if (ctx->param != NULL)
2142 {
2143 if (ctx->parent == NULL)
2144 X509_VERIFY_PARAM_free(ctx->param);
2145 ctx->param=NULL;
2146 }
2147 if (ctx->tree != NULL)
2148 {
2149 X509_policy_tree_free(ctx->tree);
2150 ctx->tree=NULL;
2151 }
2152 if (ctx->chain != NULL)
2153 {
2154 sk_X509_pop_free(ctx->chain,X509_free);
2155 ctx->chain=NULL;
2156 }
2157 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data));
2158 memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
2159 }
2160
2161void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
2162 {
2163 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
2164 }
2165
2166void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
2167 {
2168 X509_VERIFY_PARAM_set_flags(ctx->param, flags);
2169 }
2170
2171void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t)
2172 {
2173 X509_VERIFY_PARAM_set_time(ctx->param, t);
2174 }
2175
2176void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
2177 int (*verify_cb)(int, X509_STORE_CTX *))
2178 {
2179 ctx->verify_cb=verify_cb;
2180 }
2181
2182X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
2183 {
2184 return ctx->tree;
2185 }
2186
2187int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
2188 {
2189 return ctx->explicit_policy;
2190 }
2191
2192int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
2193 {
2194 const X509_VERIFY_PARAM *param;
2195 param = X509_VERIFY_PARAM_lookup(name);
2196 if (!param)
2197 return 0;
2198 return X509_VERIFY_PARAM_inherit(ctx->param, param);
2199 }
2200
2201X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
2202 {
2203 return ctx->param;
2204 }
2205
2206void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
2207 {
2208 if (ctx->param)
2209 X509_VERIFY_PARAM_free(ctx->param);
2210 ctx->param = param;
2211 }
2212
2213IMPLEMENT_STACK_OF(X509)
2214IMPLEMENT_ASN1_SET_OF(X509)
2215
2216IMPLEMENT_STACK_OF(X509_NAME)
2217
2218IMPLEMENT_STACK_OF(X509_ATTRIBUTE)
2219IMPLEMENT_ASN1_SET_OF(X509_ATTRIBUTE)
diff --git a/src/lib/libcrypto/x509/x509_vfy.h b/src/lib/libcrypto/x509/x509_vfy.h
new file mode 100644
index 0000000000..fe09b30aaa
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_vfy.h
@@ -0,0 +1,567 @@
1/* crypto/x509/x509_vfy.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#ifndef HEADER_X509_H
60#include <openssl/x509.h>
61/* openssl/x509.h ends up #include-ing this file at about the only
62 * appropriate moment. */
63#endif
64
65#ifndef HEADER_X509_VFY_H
66#define HEADER_X509_VFY_H
67
68#include <openssl/opensslconf.h>
69#ifndef OPENSSL_NO_LHASH
70#include <openssl/lhash.h>
71#endif
72#include <openssl/bio.h>
73#include <openssl/crypto.h>
74#include <openssl/symhacks.h>
75
76#ifdef __cplusplus
77extern "C" {
78#endif
79
80#if 0
81/* Outer object */
82typedef struct x509_hash_dir_st
83 {
84 int num_dirs;
85 char **dirs;
86 int *dirs_type;
87 int num_dirs_alloced;
88 } X509_HASH_DIR_CTX;
89#endif
90
91typedef struct x509_file_st
92 {
93 int num_paths; /* number of paths to files or directories */
94 int num_alloced;
95 char **paths; /* the list of paths or directories */
96 int *path_type;
97 } X509_CERT_FILE_CTX;
98
99/*******************************/
100/*
101SSL_CTX -> X509_STORE
102 -> X509_LOOKUP
103 ->X509_LOOKUP_METHOD
104 -> X509_LOOKUP
105 ->X509_LOOKUP_METHOD
106
107SSL -> X509_STORE_CTX
108 ->X509_STORE
109
110The X509_STORE holds the tables etc for verification stuff.
111A X509_STORE_CTX is used while validating a single certificate.
112The X509_STORE has X509_LOOKUPs for looking up certs.
113The X509_STORE then calls a function to actually verify the
114certificate chain.
115*/
116
117#define X509_LU_RETRY -1
118#define X509_LU_FAIL 0
119#define X509_LU_X509 1
120#define X509_LU_CRL 2
121#define X509_LU_PKEY 3
122
123typedef struct x509_object_st
124 {
125 /* one of the above types */
126 int type;
127 union {
128 char *ptr;
129 X509 *x509;
130 X509_CRL *crl;
131 EVP_PKEY *pkey;
132 } data;
133 } X509_OBJECT;
134
135typedef struct x509_lookup_st X509_LOOKUP;
136
137DECLARE_STACK_OF(X509_LOOKUP)
138DECLARE_STACK_OF(X509_OBJECT)
139
140/* This is a static that defines the function interface */
141typedef struct x509_lookup_method_st
142 {
143 const char *name;
144 int (*new_item)(X509_LOOKUP *ctx);
145 void (*free)(X509_LOOKUP *ctx);
146 int (*init)(X509_LOOKUP *ctx);
147 int (*shutdown)(X509_LOOKUP *ctx);
148 int (*ctrl)(X509_LOOKUP *ctx,int cmd,const char *argc,long argl,
149 char **ret);
150 int (*get_by_subject)(X509_LOOKUP *ctx,int type,X509_NAME *name,
151 X509_OBJECT *ret);
152 int (*get_by_issuer_serial)(X509_LOOKUP *ctx,int type,X509_NAME *name,
153 ASN1_INTEGER *serial,X509_OBJECT *ret);
154 int (*get_by_fingerprint)(X509_LOOKUP *ctx,int type,
155 unsigned char *bytes,int len,
156 X509_OBJECT *ret);
157 int (*get_by_alias)(X509_LOOKUP *ctx,int type,char *str,int len,
158 X509_OBJECT *ret);
159 } X509_LOOKUP_METHOD;
160
161/* This structure hold all parameters associated with a verify operation
162 * by including an X509_VERIFY_PARAM structure in related structures the
163 * parameters used can be customized
164 */
165
166typedef struct X509_VERIFY_PARAM_st
167 {
168 char *name;
169 time_t check_time; /* Time to use */
170 unsigned long inh_flags; /* Inheritance flags */
171 unsigned long flags; /* Various verify flags */
172 int purpose; /* purpose to check untrusted certificates */
173 int trust; /* trust setting to check */
174 int depth; /* Verify depth */
175 STACK_OF(ASN1_OBJECT) *policies; /* Permissible policies */
176 } X509_VERIFY_PARAM;
177
178DECLARE_STACK_OF(X509_VERIFY_PARAM)
179
180/* This is used to hold everything. It is used for all certificate
181 * validation. Once we have a certificate chain, the 'verify'
182 * function is then called to actually check the cert chain. */
183struct x509_store_st
184 {
185 /* The following is a cache of trusted certs */
186 int cache; /* if true, stash any hits */
187 STACK_OF(X509_OBJECT) *objs; /* Cache of all objects */
188
189 /* These are external lookup methods */
190 STACK_OF(X509_LOOKUP) *get_cert_methods;
191
192 X509_VERIFY_PARAM *param;
193
194 /* Callbacks for various operations */
195 int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */
196 int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */
197 int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */
198 int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
199 int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
200 int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
201 int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
202 int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
203 STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm);
204 STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm);
205 int (*cleanup)(X509_STORE_CTX *ctx);
206
207 CRYPTO_EX_DATA ex_data;
208 int references;
209 } /* X509_STORE */;
210
211int X509_STORE_set_depth(X509_STORE *store, int depth);
212
213#define X509_STORE_set_verify_cb_func(ctx,func) ((ctx)->verify_cb=(func))
214#define X509_STORE_set_verify_func(ctx,func) ((ctx)->verify=(func))
215
216/* This is the functions plus an instance of the local variables. */
217struct x509_lookup_st
218 {
219 int init; /* have we been started */
220 int skip; /* don't use us. */
221 X509_LOOKUP_METHOD *method; /* the functions */
222 char *method_data; /* method data */
223
224 X509_STORE *store_ctx; /* who owns us */
225 } /* X509_LOOKUP */;
226
227/* This is a used when verifying cert chains. Since the
228 * gathering of the cert chain can take some time (and have to be
229 * 'retried', this needs to be kept and passed around. */
230struct x509_store_ctx_st /* X509_STORE_CTX */
231 {
232 X509_STORE *ctx;
233 int current_method; /* used when looking up certs */
234
235 /* The following are set by the caller */
236 X509 *cert; /* The cert to check */
237 STACK_OF(X509) *untrusted; /* chain of X509s - untrusted - passed in */
238 STACK_OF(X509_CRL) *crls; /* set of CRLs passed in */
239
240 X509_VERIFY_PARAM *param;
241 void *other_ctx; /* Other info for use with get_issuer() */
242
243 /* Callbacks for various operations */
244 int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */
245 int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */
246 int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */
247 int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
248 int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
249 int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
250 int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
251 int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
252 int (*check_policy)(X509_STORE_CTX *ctx);
253 STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm);
254 STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm);
255 int (*cleanup)(X509_STORE_CTX *ctx);
256
257 /* The following is built up */
258 int valid; /* if 0, rebuild chain */
259 int last_untrusted; /* index of last untrusted cert */
260 STACK_OF(X509) *chain; /* chain of X509s - built up and trusted */
261 X509_POLICY_TREE *tree; /* Valid policy tree */
262
263 int explicit_policy; /* Require explicit policy value */
264
265 /* When something goes wrong, this is why */
266 int error_depth;
267 int error;
268 X509 *current_cert;
269 X509 *current_issuer; /* cert currently being tested as valid issuer */
270 X509_CRL *current_crl; /* current CRL */
271
272 int current_crl_score; /* score of current CRL */
273 unsigned int current_reasons; /* Reason mask */
274
275 X509_STORE_CTX *parent; /* For CRL path validation: parent context */
276
277 CRYPTO_EX_DATA ex_data;
278 } /* X509_STORE_CTX */;
279
280void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
281
282#define X509_STORE_CTX_set_app_data(ctx,data) \
283 X509_STORE_CTX_set_ex_data(ctx,0,data)
284#define X509_STORE_CTX_get_app_data(ctx) \
285 X509_STORE_CTX_get_ex_data(ctx,0)
286
287#define X509_L_FILE_LOAD 1
288#define X509_L_ADD_DIR 2
289
290#define X509_LOOKUP_load_file(x,name,type) \
291 X509_LOOKUP_ctrl((x),X509_L_FILE_LOAD,(name),(long)(type),NULL)
292
293#define X509_LOOKUP_add_dir(x,name,type) \
294 X509_LOOKUP_ctrl((x),X509_L_ADD_DIR,(name),(long)(type),NULL)
295
296#define X509_V_OK 0
297/* illegal error (for uninitialized values, to avoid X509_V_OK): 1 */
298
299#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2
300#define X509_V_ERR_UNABLE_TO_GET_CRL 3
301#define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4
302#define X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE 5
303#define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6
304#define X509_V_ERR_CERT_SIGNATURE_FAILURE 7
305#define X509_V_ERR_CRL_SIGNATURE_FAILURE 8
306#define X509_V_ERR_CERT_NOT_YET_VALID 9
307#define X509_V_ERR_CERT_HAS_EXPIRED 10
308#define X509_V_ERR_CRL_NOT_YET_VALID 11
309#define X509_V_ERR_CRL_HAS_EXPIRED 12
310#define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD 13
311#define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD 14
312#define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD 15
313#define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD 16
314#define X509_V_ERR_OUT_OF_MEM 17
315#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18
316#define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19
317#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20
318#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE 21
319#define X509_V_ERR_CERT_CHAIN_TOO_LONG 22
320#define X509_V_ERR_CERT_REVOKED 23
321#define X509_V_ERR_INVALID_CA 24
322#define X509_V_ERR_PATH_LENGTH_EXCEEDED 25
323#define X509_V_ERR_INVALID_PURPOSE 26
324#define X509_V_ERR_CERT_UNTRUSTED 27
325#define X509_V_ERR_CERT_REJECTED 28
326/* These are 'informational' when looking for issuer cert */
327#define X509_V_ERR_SUBJECT_ISSUER_MISMATCH 29
328#define X509_V_ERR_AKID_SKID_MISMATCH 30
329#define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31
330#define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32
331
332#define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33
333#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34
334#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35
335#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36
336#define X509_V_ERR_INVALID_NON_CA 37
337#define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38
338#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39
339#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40
340
341#define X509_V_ERR_INVALID_EXTENSION 41
342#define X509_V_ERR_INVALID_POLICY_EXTENSION 42
343#define X509_V_ERR_NO_EXPLICIT_POLICY 43
344#define X509_V_ERR_DIFFERENT_CRL_SCOPE 44
345#define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45
346
347#define X509_V_ERR_UNNESTED_RESOURCE 46
348
349#define X509_V_ERR_PERMITTED_VIOLATION 47
350#define X509_V_ERR_EXCLUDED_VIOLATION 48
351#define X509_V_ERR_SUBTREE_MINMAX 49
352#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE 51
353#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52
354#define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53
355#define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54
356
357/* The application is not happy */
358#define X509_V_ERR_APPLICATION_VERIFICATION 50
359
360/* Certificate verify flags */
361
362/* Send issuer+subject checks to verify_cb */
363#define X509_V_FLAG_CB_ISSUER_CHECK 0x1
364/* Use check time instead of current time */
365#define X509_V_FLAG_USE_CHECK_TIME 0x2
366/* Lookup CRLs */
367#define X509_V_FLAG_CRL_CHECK 0x4
368/* Lookup CRLs for whole chain */
369#define X509_V_FLAG_CRL_CHECK_ALL 0x8
370/* Ignore unhandled critical extensions */
371#define X509_V_FLAG_IGNORE_CRITICAL 0x10
372/* Disable workarounds for broken certificates */
373#define X509_V_FLAG_X509_STRICT 0x20
374/* Enable proxy certificate validation */
375#define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40
376/* Enable policy checking */
377#define X509_V_FLAG_POLICY_CHECK 0x80
378/* Policy variable require-explicit-policy */
379#define X509_V_FLAG_EXPLICIT_POLICY 0x100
380/* Policy variable inhibit-any-policy */
381#define X509_V_FLAG_INHIBIT_ANY 0x200
382/* Policy variable inhibit-policy-mapping */
383#define X509_V_FLAG_INHIBIT_MAP 0x400
384/* Notify callback that policy is OK */
385#define X509_V_FLAG_NOTIFY_POLICY 0x800
386/* Extended CRL features such as indirect CRLs, alternate CRL signing keys */
387#define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000
388/* Delta CRL support */
389#define X509_V_FLAG_USE_DELTAS 0x2000
390/* Check selfsigned CA signature */
391#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
392
393
394#define X509_VP_FLAG_DEFAULT 0x1
395#define X509_VP_FLAG_OVERWRITE 0x2
396#define X509_VP_FLAG_RESET_FLAGS 0x4
397#define X509_VP_FLAG_LOCKED 0x8
398#define X509_VP_FLAG_ONCE 0x10
399
400/* Internal use: mask of policy related options */
401#define X509_V_FLAG_POLICY_MASK (X509_V_FLAG_POLICY_CHECK \
402 | X509_V_FLAG_EXPLICIT_POLICY \
403 | X509_V_FLAG_INHIBIT_ANY \
404 | X509_V_FLAG_INHIBIT_MAP)
405
406int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
407 X509_NAME *name);
408X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h,int type,X509_NAME *name);
409X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x);
410void X509_OBJECT_up_ref_count(X509_OBJECT *a);
411void X509_OBJECT_free_contents(X509_OBJECT *a);
412X509_STORE *X509_STORE_new(void );
413void X509_STORE_free(X509_STORE *v);
414
415STACK_OF(X509)* X509_STORE_get1_certs(X509_STORE_CTX *st, X509_NAME *nm);
416STACK_OF(X509_CRL)* X509_STORE_get1_crls(X509_STORE_CTX *st, X509_NAME *nm);
417int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags);
418int X509_STORE_set_purpose(X509_STORE *ctx, int purpose);
419int X509_STORE_set_trust(X509_STORE *ctx, int trust);
420int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *pm);
421
422void X509_STORE_set_verify_cb(X509_STORE *ctx,
423 int (*verify_cb)(int, X509_STORE_CTX *));
424
425X509_STORE_CTX *X509_STORE_CTX_new(void);
426
427int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
428
429void X509_STORE_CTX_free(X509_STORE_CTX *ctx);
430int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
431 X509 *x509, STACK_OF(X509) *chain);
432void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
433void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
434
435X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m);
436
437X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void);
438X509_LOOKUP_METHOD *X509_LOOKUP_file(void);
439
440int X509_STORE_add_cert(X509_STORE *ctx, X509 *x);
441int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x);
442
443int X509_STORE_get_by_subject(X509_STORE_CTX *vs,int type,X509_NAME *name,
444 X509_OBJECT *ret);
445
446int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
447 long argl, char **ret);
448
449#ifndef OPENSSL_NO_STDIO
450int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type);
451int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type);
452int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type);
453#endif
454
455
456X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method);
457void X509_LOOKUP_free(X509_LOOKUP *ctx);
458int X509_LOOKUP_init(X509_LOOKUP *ctx);
459int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,
460 X509_OBJECT *ret);
461int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name,
462 ASN1_INTEGER *serial, X509_OBJECT *ret);
463int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type,
464 unsigned char *bytes, int len, X509_OBJECT *ret);
465int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str,
466 int len, X509_OBJECT *ret);
467int X509_LOOKUP_shutdown(X509_LOOKUP *ctx);
468
469#ifndef OPENSSL_NO_STDIO
470int X509_STORE_load_locations (X509_STORE *ctx,
471 const char *file, const char *dir);
472int X509_STORE_set_default_paths(X509_STORE *ctx);
473#endif
474
475int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
476 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
477int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx,int idx,void *data);
478void * X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx,int idx);
479int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
480void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx,int s);
481int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
482X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
483X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx);
484X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx);
485X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx);
486STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx);
487STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx);
488void X509_STORE_CTX_set_cert(X509_STORE_CTX *c,X509 *x);
489void X509_STORE_CTX_set_chain(X509_STORE_CTX *c,STACK_OF(X509) *sk);
490void X509_STORE_CTX_set0_crls(X509_STORE_CTX *c,STACK_OF(X509_CRL) *sk);
491int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
492int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust);
493int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
494 int purpose, int trust);
495void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags);
496void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,
497 time_t t);
498void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
499 int (*verify_cb)(int, X509_STORE_CTX *));
500
501X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx);
502int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx);
503
504X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx);
505void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param);
506int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name);
507
508/* X509_VERIFY_PARAM functions */
509
510X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void);
511void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param);
512int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *to,
513 const X509_VERIFY_PARAM *from);
514int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
515 const X509_VERIFY_PARAM *from);
516int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name);
517int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags);
518int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,
519 unsigned long flags);
520unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param);
521int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose);
522int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust);
523void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth);
524void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t);
525int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
526 ASN1_OBJECT *policy);
527int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
528 STACK_OF(ASN1_OBJECT) *policies);
529int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param);
530
531int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param);
532const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name);
533void X509_VERIFY_PARAM_table_cleanup(void);
534
535int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
536 STACK_OF(X509) *certs,
537 STACK_OF(ASN1_OBJECT) *policy_oids,
538 unsigned int flags);
539
540void X509_policy_tree_free(X509_POLICY_TREE *tree);
541
542int X509_policy_tree_level_count(const X509_POLICY_TREE *tree);
543X509_POLICY_LEVEL *
544 X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i);
545
546STACK_OF(X509_POLICY_NODE) *
547 X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree);
548
549STACK_OF(X509_POLICY_NODE) *
550 X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree);
551
552int X509_policy_level_node_count(X509_POLICY_LEVEL *level);
553
554X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i);
555
556const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node);
557
558STACK_OF(POLICYQUALINFO) *
559 X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node);
560const X509_POLICY_NODE *
561 X509_policy_node_get0_parent(const X509_POLICY_NODE *node);
562
563#ifdef __cplusplus
564}
565#endif
566#endif
567
diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c
new file mode 100644
index 0000000000..dfd89d89fa
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_vpm.c
@@ -0,0 +1,438 @@
1/* x509_vpm.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60
61#include "cryptlib.h"
62#include <openssl/crypto.h>
63#include <openssl/lhash.h>
64#include <openssl/buffer.h>
65#include <openssl/x509.h>
66#include <openssl/x509v3.h>
67
68/* X509_VERIFY_PARAM functions */
69
70static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
71 {
72 if (!param)
73 return;
74 param->name = NULL;
75 param->purpose = 0;
76 param->trust = 0;
77 /*param->inh_flags = X509_VP_FLAG_DEFAULT;*/
78 param->inh_flags = 0;
79 param->flags = 0;
80 param->depth = -1;
81 if (param->policies)
82 {
83 sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
84 param->policies = NULL;
85 }
86 }
87
88X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
89 {
90 X509_VERIFY_PARAM *param;
91 param = OPENSSL_malloc(sizeof(X509_VERIFY_PARAM));
92 memset(param, 0, sizeof(X509_VERIFY_PARAM));
93 x509_verify_param_zero(param);
94 return param;
95 }
96
97void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
98 {
99 x509_verify_param_zero(param);
100 OPENSSL_free(param);
101 }
102
103/* This function determines how parameters are "inherited" from one structure
104 * to another. There are several different ways this can happen.
105 *
106 * 1. If a child structure needs to have its values initialized from a parent
107 * they are simply copied across. For example SSL_CTX copied to SSL.
108 * 2. If the structure should take on values only if they are currently unset.
109 * For example the values in an SSL structure will take appropriate value
110 * for SSL servers or clients but only if the application has not set new
111 * ones.
112 *
113 * The "inh_flags" field determines how this function behaves.
114 *
115 * Normally any values which are set in the default are not copied from the
116 * destination and verify flags are ORed together.
117 *
118 * If X509_VP_FLAG_DEFAULT is set then anything set in the source is copied
119 * to the destination. Effectively the values in "to" become default values
120 * which will be used only if nothing new is set in "from".
121 *
122 * If X509_VP_FLAG_OVERWRITE is set then all value are copied across whether
123 * they are set or not. Flags is still Ored though.
124 *
125 * If X509_VP_FLAG_RESET_FLAGS is set then the flags value is copied instead
126 * of ORed.
127 *
128 * If X509_VP_FLAG_LOCKED is set then no values are copied.
129 *
130 * If X509_VP_FLAG_ONCE is set then the current inh_flags setting is zeroed
131 * after the next call.
132 */
133
134/* Macro to test if a field should be copied from src to dest */
135
136#define test_x509_verify_param_copy(field, def) \
137 (to_overwrite || \
138 ((src->field != def) && (to_default || (dest->field == def))))
139
140/* Macro to test and copy a field if necessary */
141
142#define x509_verify_param_copy(field, def) \
143 if (test_x509_verify_param_copy(field, def)) \
144 dest->field = src->field
145
146
147int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
148 const X509_VERIFY_PARAM *src)
149 {
150 unsigned long inh_flags;
151 int to_default, to_overwrite;
152 if (!src)
153 return 1;
154 inh_flags = dest->inh_flags | src->inh_flags;
155
156 if (inh_flags & X509_VP_FLAG_ONCE)
157 dest->inh_flags = 0;
158
159 if (inh_flags & X509_VP_FLAG_LOCKED)
160 return 1;
161
162 if (inh_flags & X509_VP_FLAG_DEFAULT)
163 to_default = 1;
164 else
165 to_default = 0;
166
167 if (inh_flags & X509_VP_FLAG_OVERWRITE)
168 to_overwrite = 1;
169 else
170 to_overwrite = 0;
171
172 x509_verify_param_copy(purpose, 0);
173 x509_verify_param_copy(trust, 0);
174 x509_verify_param_copy(depth, -1);
175
176 /* If overwrite or check time not set, copy across */
177
178 if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME))
179 {
180 dest->check_time = src->check_time;
181 dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME;
182 /* Don't need to copy flag: that is done below */
183 }
184
185 if (inh_flags & X509_VP_FLAG_RESET_FLAGS)
186 dest->flags = 0;
187
188 dest->flags |= src->flags;
189
190 if (test_x509_verify_param_copy(policies, NULL))
191 {
192 if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies))
193 return 0;
194 }
195
196 return 1;
197 }
198
199int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
200 const X509_VERIFY_PARAM *from)
201 {
202 unsigned long save_flags = to->inh_flags;
203 int ret;
204 to->inh_flags |= X509_VP_FLAG_DEFAULT;
205 ret = X509_VERIFY_PARAM_inherit(to, from);
206 to->inh_flags = save_flags;
207 return ret;
208 }
209
210int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
211 {
212 if (param->name)
213 OPENSSL_free(param->name);
214 param->name = BUF_strdup(name);
215 if (param->name)
216 return 1;
217 return 0;
218 }
219
220int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
221 {
222 param->flags |= flags;
223 if (flags & X509_V_FLAG_POLICY_MASK)
224 param->flags |= X509_V_FLAG_POLICY_CHECK;
225 return 1;
226 }
227
228int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags)
229 {
230 param->flags &= ~flags;
231 return 1;
232 }
233
234unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
235 {
236 return param->flags;
237 }
238
239int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
240 {
241 return X509_PURPOSE_set(&param->purpose, purpose);
242 }
243
244int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust)
245 {
246 return X509_TRUST_set(&param->trust, trust);
247 }
248
249void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth)
250 {
251 param->depth = depth;
252 }
253
254void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
255 {
256 param->check_time = t;
257 param->flags |= X509_V_FLAG_USE_CHECK_TIME;
258 }
259
260int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy)
261 {
262 if (!param->policies)
263 {
264 param->policies = sk_ASN1_OBJECT_new_null();
265 if (!param->policies)
266 return 0;
267 }
268 if (!sk_ASN1_OBJECT_push(param->policies, policy))
269 return 0;
270 return 1;
271 }
272
273int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
274 STACK_OF(ASN1_OBJECT) *policies)
275 {
276 int i;
277 ASN1_OBJECT *oid, *doid;
278 if (!param)
279 return 0;
280 if (param->policies)
281 sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
282
283 if (!policies)
284 {
285 param->policies = NULL;
286 return 1;
287 }
288
289 param->policies = sk_ASN1_OBJECT_new_null();
290 if (!param->policies)
291 return 0;
292
293 for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++)
294 {
295 oid = sk_ASN1_OBJECT_value(policies, i);
296 doid = OBJ_dup(oid);
297 if (!doid)
298 return 0;
299 if (!sk_ASN1_OBJECT_push(param->policies, doid))
300 {
301 ASN1_OBJECT_free(doid);
302 return 0;
303 }
304 }
305 param->flags |= X509_V_FLAG_POLICY_CHECK;
306 return 1;
307 }
308
309int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
310 {
311 return param->depth;
312 }
313
314/* Default verify parameters: these are used for various
315 * applications and can be overridden by the user specified table.
316 * NB: the 'name' field *must* be in alphabetical order because it
317 * will be searched using OBJ_search.
318 */
319
320static const X509_VERIFY_PARAM default_table[] = {
321 {
322 "default", /* X509 default parameters */
323 0, /* Check time */
324 0, /* internal flags */
325 0, /* flags */
326 0, /* purpose */
327 0, /* trust */
328 100, /* depth */
329 NULL /* policies */
330 },
331 {
332 "pkcs7", /* S/MIME sign parameters */
333 0, /* Check time */
334 0, /* internal flags */
335 0, /* flags */
336 X509_PURPOSE_SMIME_SIGN, /* purpose */
337 X509_TRUST_EMAIL, /* trust */
338 -1, /* depth */
339 NULL /* policies */
340 },
341 {
342 "smime_sign", /* S/MIME sign parameters */
343 0, /* Check time */
344 0, /* internal flags */
345 0, /* flags */
346 X509_PURPOSE_SMIME_SIGN, /* purpose */
347 X509_TRUST_EMAIL, /* trust */
348 -1, /* depth */
349 NULL /* policies */
350 },
351 {
352 "ssl_client", /* SSL/TLS client parameters */
353 0, /* Check time */
354 0, /* internal flags */
355 0, /* flags */
356 X509_PURPOSE_SSL_CLIENT, /* purpose */
357 X509_TRUST_SSL_CLIENT, /* trust */
358 -1, /* depth */
359 NULL /* policies */
360 },
361 {
362 "ssl_server", /* SSL/TLS server parameters */
363 0, /* Check time */
364 0, /* internal flags */
365 0, /* flags */
366 X509_PURPOSE_SSL_SERVER, /* purpose */
367 X509_TRUST_SSL_SERVER, /* trust */
368 -1, /* depth */
369 NULL /* policies */
370 }};
371
372static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
373
374static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b)
375
376 {
377 return strcmp(a->name, b->name);
378 }
379
380DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM,
381 table);
382IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM,
383 table);
384
385static int param_cmp(const X509_VERIFY_PARAM * const *a,
386 const X509_VERIFY_PARAM * const *b)
387 {
388 return strcmp((*a)->name, (*b)->name);
389 }
390
391int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
392 {
393 int idx;
394 X509_VERIFY_PARAM *ptmp;
395 if (!param_table)
396 {
397 param_table = sk_X509_VERIFY_PARAM_new(param_cmp);
398 if (!param_table)
399 return 0;
400 }
401 else
402 {
403 idx = sk_X509_VERIFY_PARAM_find(param_table, param);
404 if (idx != -1)
405 {
406 ptmp = sk_X509_VERIFY_PARAM_value(param_table, idx);
407 X509_VERIFY_PARAM_free(ptmp);
408 (void)sk_X509_VERIFY_PARAM_delete(param_table, idx);
409 }
410 }
411 if (!sk_X509_VERIFY_PARAM_push(param_table, param))
412 return 0;
413 return 1;
414 }
415
416const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name)
417 {
418 int idx;
419 X509_VERIFY_PARAM pm;
420
421 pm.name = (char *)name;
422 if (param_table)
423 {
424 idx = sk_X509_VERIFY_PARAM_find(param_table, &pm);
425 if (idx != -1)
426 return sk_X509_VERIFY_PARAM_value(param_table, idx);
427 }
428 return OBJ_bsearch_table(&pm, default_table,
429 sizeof(default_table)/sizeof(X509_VERIFY_PARAM));
430 }
431
432void X509_VERIFY_PARAM_table_cleanup(void)
433 {
434 if (param_table)
435 sk_X509_VERIFY_PARAM_pop_free(param_table,
436 X509_VERIFY_PARAM_free);
437 param_table = NULL;
438 }
diff --git a/src/lib/libcrypto/x509/x509cset.c b/src/lib/libcrypto/x509/x509cset.c
new file mode 100644
index 0000000000..3109defb0b
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509cset.c
@@ -0,0 +1,170 @@
1/* crypto/x509/x509cset.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2001.
4 */
5/* ====================================================================
6 * Copyright (c) 2001 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/asn1.h>
62#include <openssl/objects.h>
63#include <openssl/evp.h>
64#include <openssl/x509.h>
65
66int X509_CRL_set_version(X509_CRL *x, long version)
67 {
68 if (x == NULL) return(0);
69 if (x->crl->version == NULL)
70 {
71 if ((x->crl->version=M_ASN1_INTEGER_new()) == NULL)
72 return(0);
73 }
74 return(ASN1_INTEGER_set(x->crl->version,version));
75 }
76
77int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name)
78 {
79 if ((x == NULL) || (x->crl == NULL)) return(0);
80 return(X509_NAME_set(&x->crl->issuer,name));
81 }
82
83
84int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm)
85 {
86 ASN1_TIME *in;
87
88 if (x == NULL) return(0);
89 in=x->crl->lastUpdate;
90 if (in != tm)
91 {
92 in=M_ASN1_TIME_dup(tm);
93 if (in != NULL)
94 {
95 M_ASN1_TIME_free(x->crl->lastUpdate);
96 x->crl->lastUpdate=in;
97 }
98 }
99 return(in != NULL);
100 }
101
102int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm)
103 {
104 ASN1_TIME *in;
105
106 if (x == NULL) return(0);
107 in=x->crl->nextUpdate;
108 if (in != tm)
109 {
110 in=M_ASN1_TIME_dup(tm);
111 if (in != NULL)
112 {
113 M_ASN1_TIME_free(x->crl->nextUpdate);
114 x->crl->nextUpdate=in;
115 }
116 }
117 return(in != NULL);
118 }
119
120int X509_CRL_sort(X509_CRL *c)
121 {
122 int i;
123 X509_REVOKED *r;
124 /* sort the data so it will be written in serial
125 * number order */
126 sk_X509_REVOKED_sort(c->crl->revoked);
127 for (i=0; i<sk_X509_REVOKED_num(c->crl->revoked); i++)
128 {
129 r=sk_X509_REVOKED_value(c->crl->revoked,i);
130 r->sequence=i;
131 }
132 c->crl->enc.modified = 1;
133 return 1;
134 }
135
136int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm)
137 {
138 ASN1_TIME *in;
139
140 if (x == NULL) return(0);
141 in=x->revocationDate;
142 if (in != tm)
143 {
144 in=M_ASN1_TIME_dup(tm);
145 if (in != NULL)
146 {
147 M_ASN1_TIME_free(x->revocationDate);
148 x->revocationDate=in;
149 }
150 }
151 return(in != NULL);
152 }
153
154int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial)
155 {
156 ASN1_INTEGER *in;
157
158 if (x == NULL) return(0);
159 in=x->serialNumber;
160 if (in != serial)
161 {
162 in=M_ASN1_INTEGER_dup(serial);
163 if (in != NULL)
164 {
165 M_ASN1_INTEGER_free(x->serialNumber);
166 x->serialNumber=in;
167 }
168 }
169 return(in != NULL);
170 }
diff --git a/src/lib/libcrypto/x509/x509name.c b/src/lib/libcrypto/x509/x509name.c
new file mode 100644
index 0000000000..27bc4dc9a3
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509name.c
@@ -0,0 +1,383 @@
1/* crypto/x509/x509name.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/stack.h>
61#include "cryptlib.h"
62#include <openssl/asn1.h>
63#include <openssl/objects.h>
64#include <openssl/evp.h>
65#include <openssl/x509.h>
66
67int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len)
68 {
69 ASN1_OBJECT *obj;
70
71 obj=OBJ_nid2obj(nid);
72 if (obj == NULL) return(-1);
73 return(X509_NAME_get_text_by_OBJ(name,obj,buf,len));
74 }
75
76int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, char *buf,
77 int len)
78 {
79 int i;
80 ASN1_STRING *data;
81
82 i=X509_NAME_get_index_by_OBJ(name,obj,-1);
83 if (i < 0) return(-1);
84 data=X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name,i));
85 i=(data->length > (len-1))?(len-1):data->length;
86 if (buf == NULL) return(data->length);
87 memcpy(buf,data->data,i);
88 buf[i]='\0';
89 return(i);
90 }
91
92int X509_NAME_entry_count(X509_NAME *name)
93 {
94 if (name == NULL) return(0);
95 return(sk_X509_NAME_ENTRY_num(name->entries));
96 }
97
98int X509_NAME_get_index_by_NID(X509_NAME *name, int nid, int lastpos)
99 {
100 ASN1_OBJECT *obj;
101
102 obj=OBJ_nid2obj(nid);
103 if (obj == NULL) return(-2);
104 return(X509_NAME_get_index_by_OBJ(name,obj,lastpos));
105 }
106
107/* NOTE: you should be passsing -1, not 0 as lastpos */
108int X509_NAME_get_index_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj,
109 int lastpos)
110 {
111 int n;
112 X509_NAME_ENTRY *ne;
113 STACK_OF(X509_NAME_ENTRY) *sk;
114
115 if (name == NULL) return(-1);
116 if (lastpos < 0)
117 lastpos= -1;
118 sk=name->entries;
119 n=sk_X509_NAME_ENTRY_num(sk);
120 for (lastpos++; lastpos < n; lastpos++)
121 {
122 ne=sk_X509_NAME_ENTRY_value(sk,lastpos);
123 if (OBJ_cmp(ne->object,obj) == 0)
124 return(lastpos);
125 }
126 return(-1);
127 }
128
129X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc)
130 {
131 if(name == NULL || sk_X509_NAME_ENTRY_num(name->entries) <= loc
132 || loc < 0)
133 return(NULL);
134 else
135 return(sk_X509_NAME_ENTRY_value(name->entries,loc));
136 }
137
138X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc)
139 {
140 X509_NAME_ENTRY *ret;
141 int i,n,set_prev,set_next;
142 STACK_OF(X509_NAME_ENTRY) *sk;
143
144 if (name == NULL || sk_X509_NAME_ENTRY_num(name->entries) <= loc
145 || loc < 0)
146 return(NULL);
147 sk=name->entries;
148 ret=sk_X509_NAME_ENTRY_delete(sk,loc);
149 n=sk_X509_NAME_ENTRY_num(sk);
150 name->modified=1;
151 if (loc == n) return(ret);
152
153 /* else we need to fixup the set field */
154 if (loc != 0)
155 set_prev=(sk_X509_NAME_ENTRY_value(sk,loc-1))->set;
156 else
157 set_prev=ret->set-1;
158 set_next=sk_X509_NAME_ENTRY_value(sk,loc)->set;
159
160 /* set_prev is the previous set
161 * set is the current set
162 * set_next is the following
163 * prev 1 1 1 1 1 1 1 1
164 * set 1 1 2 2
165 * next 1 1 2 2 2 2 3 2
166 * so basically only if prev and next differ by 2, then
167 * re-number down by 1 */
168 if (set_prev+1 < set_next)
169 for (i=loc; i<n; i++)
170 sk_X509_NAME_ENTRY_value(sk,i)->set--;
171 return(ret);
172 }
173
174int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type,
175 unsigned char *bytes, int len, int loc, int set)
176{
177 X509_NAME_ENTRY *ne;
178 int ret;
179 ne = X509_NAME_ENTRY_create_by_OBJ(NULL, obj, type, bytes, len);
180 if(!ne) return 0;
181 ret = X509_NAME_add_entry(name, ne, loc, set);
182 X509_NAME_ENTRY_free(ne);
183 return ret;
184}
185
186int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
187 unsigned char *bytes, int len, int loc, int set)
188{
189 X509_NAME_ENTRY *ne;
190 int ret;
191 ne = X509_NAME_ENTRY_create_by_NID(NULL, nid, type, bytes, len);
192 if(!ne) return 0;
193 ret = X509_NAME_add_entry(name, ne, loc, set);
194 X509_NAME_ENTRY_free(ne);
195 return ret;
196}
197
198int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type,
199 const unsigned char *bytes, int len, int loc, int set)
200{
201 X509_NAME_ENTRY *ne;
202 int ret;
203 ne = X509_NAME_ENTRY_create_by_txt(NULL, field, type, bytes, len);
204 if(!ne) return 0;
205 ret = X509_NAME_add_entry(name, ne, loc, set);
206 X509_NAME_ENTRY_free(ne);
207 return ret;
208}
209
210/* if set is -1, append to previous set, 0 'a new one', and 1,
211 * prepend to the guy we are about to stomp on. */
212int X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne, int loc,
213 int set)
214 {
215 X509_NAME_ENTRY *new_name=NULL;
216 int n,i,inc;
217 STACK_OF(X509_NAME_ENTRY) *sk;
218
219 if (name == NULL) return(0);
220 sk=name->entries;
221 n=sk_X509_NAME_ENTRY_num(sk);
222 if (loc > n) loc=n;
223 else if (loc < 0) loc=n;
224
225 name->modified=1;
226
227 if (set == -1)
228 {
229 if (loc == 0)
230 {
231 set=0;
232 inc=1;
233 }
234 else
235 {
236 set=sk_X509_NAME_ENTRY_value(sk,loc-1)->set;
237 inc=0;
238 }
239 }
240 else /* if (set >= 0) */
241 {
242 if (loc >= n)
243 {
244 if (loc != 0)
245 set=sk_X509_NAME_ENTRY_value(sk,loc-1)->set+1;
246 else
247 set=0;
248 }
249 else
250 set=sk_X509_NAME_ENTRY_value(sk,loc)->set;
251 inc=(set == 0)?1:0;
252 }
253
254 if ((new_name=X509_NAME_ENTRY_dup(ne)) == NULL)
255 goto err;
256 new_name->set=set;
257 if (!sk_X509_NAME_ENTRY_insert(sk,new_name,loc))
258 {
259 X509err(X509_F_X509_NAME_ADD_ENTRY,ERR_R_MALLOC_FAILURE);
260 goto err;
261 }
262 if (inc)
263 {
264 n=sk_X509_NAME_ENTRY_num(sk);
265 for (i=loc+1; i<n; i++)
266 sk_X509_NAME_ENTRY_value(sk,i-1)->set+=1;
267 }
268 return(1);
269err:
270 if (new_name != NULL)
271 X509_NAME_ENTRY_free(new_name);
272 return(0);
273 }
274
275X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
276 const char *field, int type, const unsigned char *bytes, int len)
277 {
278 ASN1_OBJECT *obj;
279 X509_NAME_ENTRY *nentry;
280
281 obj=OBJ_txt2obj(field, 0);
282 if (obj == NULL)
283 {
284 X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_TXT,
285 X509_R_INVALID_FIELD_NAME);
286 ERR_add_error_data(2, "name=", field);
287 return(NULL);
288 }
289 nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len);
290 ASN1_OBJECT_free(obj);
291 return nentry;
292 }
293
294X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
295 int type, unsigned char *bytes, int len)
296 {
297 ASN1_OBJECT *obj;
298 X509_NAME_ENTRY *nentry;
299
300 obj=OBJ_nid2obj(nid);
301 if (obj == NULL)
302 {
303 X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_NID,X509_R_UNKNOWN_NID);
304 return(NULL);
305 }
306 nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len);
307 ASN1_OBJECT_free(obj);
308 return nentry;
309 }
310
311X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
312 ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len)
313 {
314 X509_NAME_ENTRY *ret;
315
316 if ((ne == NULL) || (*ne == NULL))
317 {
318 if ((ret=X509_NAME_ENTRY_new()) == NULL)
319 return(NULL);
320 }
321 else
322 ret= *ne;
323
324 if (!X509_NAME_ENTRY_set_object(ret,obj))
325 goto err;
326 if (!X509_NAME_ENTRY_set_data(ret,type,bytes,len))
327 goto err;
328
329 if ((ne != NULL) && (*ne == NULL)) *ne=ret;
330 return(ret);
331err:
332 if ((ne == NULL) || (ret != *ne))
333 X509_NAME_ENTRY_free(ret);
334 return(NULL);
335 }
336
337int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj)
338 {
339 if ((ne == NULL) || (obj == NULL))
340 {
341 X509err(X509_F_X509_NAME_ENTRY_SET_OBJECT,ERR_R_PASSED_NULL_PARAMETER);
342 return(0);
343 }
344 ASN1_OBJECT_free(ne->object);
345 ne->object=OBJ_dup(obj);
346 return((ne->object == NULL)?0:1);
347 }
348
349int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
350 const unsigned char *bytes, int len)
351 {
352 int i;
353
354 if ((ne == NULL) || ((bytes == NULL) && (len != 0))) return(0);
355 if((type > 0) && (type & MBSTRING_FLAG))
356 return ASN1_STRING_set_by_NID(&ne->value, bytes,
357 len, type,
358 OBJ_obj2nid(ne->object)) ? 1 : 0;
359 if (len < 0) len=strlen((const char *)bytes);
360 i=ASN1_STRING_set(ne->value,bytes,len);
361 if (!i) return(0);
362 if (type != V_ASN1_UNDEF)
363 {
364 if (type == V_ASN1_APP_CHOOSE)
365 ne->value->type=ASN1_PRINTABLE_type(bytes,len);
366 else
367 ne->value->type=type;
368 }
369 return(1);
370 }
371
372ASN1_OBJECT *X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne)
373 {
374 if (ne == NULL) return(NULL);
375 return(ne->object);
376 }
377
378ASN1_STRING *X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne)
379 {
380 if (ne == NULL) return(NULL);
381 return(ne->value);
382 }
383
diff --git a/src/lib/libcrypto/x509/x509rset.c b/src/lib/libcrypto/x509/x509rset.c
new file mode 100644
index 0000000000..d9f6b57372
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509rset.c
@@ -0,0 +1,83 @@
1/* crypto/x509/x509rset.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/asn1.h>
62#include <openssl/objects.h>
63#include <openssl/evp.h>
64#include <openssl/x509.h>
65
66int X509_REQ_set_version(X509_REQ *x, long version)
67 {
68 if (x == NULL) return(0);
69 return(ASN1_INTEGER_set(x->req_info->version,version));
70 }
71
72int X509_REQ_set_subject_name(X509_REQ *x, X509_NAME *name)
73 {
74 if ((x == NULL) || (x->req_info == NULL)) return(0);
75 return(X509_NAME_set(&x->req_info->subject,name));
76 }
77
78int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey)
79 {
80 if ((x == NULL) || (x->req_info == NULL)) return(0);
81 return(X509_PUBKEY_set(&x->req_info->pubkey,pkey));
82 }
83
diff --git a/src/lib/libcrypto/x509/x509spki.c b/src/lib/libcrypto/x509/x509spki.c
new file mode 100644
index 0000000000..02a203d72c
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509spki.c
@@ -0,0 +1,121 @@
1/* x509spki.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/x509.h>
62
63int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey)
64{
65 if ((x == NULL) || (x->spkac == NULL)) return(0);
66 return(X509_PUBKEY_set(&(x->spkac->pubkey),pkey));
67}
68
69EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *x)
70{
71 if ((x == NULL) || (x->spkac == NULL))
72 return(NULL);
73 return(X509_PUBKEY_get(x->spkac->pubkey));
74}
75
76/* Load a Netscape SPKI from a base64 encoded string */
77
78NETSCAPE_SPKI * NETSCAPE_SPKI_b64_decode(const char *str, int len)
79{
80 unsigned char *spki_der;
81 const unsigned char *p;
82 int spki_len;
83 NETSCAPE_SPKI *spki;
84 if(len <= 0) len = strlen(str);
85 if (!(spki_der = OPENSSL_malloc(len + 1))) {
86 X509err(X509_F_NETSCAPE_SPKI_B64_DECODE, ERR_R_MALLOC_FAILURE);
87 return NULL;
88 }
89 spki_len = EVP_DecodeBlock(spki_der, (const unsigned char *)str, len);
90 if(spki_len < 0) {
91 X509err(X509_F_NETSCAPE_SPKI_B64_DECODE,
92 X509_R_BASE64_DECODE_ERROR);
93 OPENSSL_free(spki_der);
94 return NULL;
95 }
96 p = spki_der;
97 spki = d2i_NETSCAPE_SPKI(NULL, &p, spki_len);
98 OPENSSL_free(spki_der);
99 return spki;
100}
101
102/* Generate a base64 encoded string from an SPKI */
103
104char * NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki)
105{
106 unsigned char *der_spki, *p;
107 char *b64_str;
108 int der_len;
109 der_len = i2d_NETSCAPE_SPKI(spki, NULL);
110 der_spki = OPENSSL_malloc(der_len);
111 b64_str = OPENSSL_malloc(der_len * 2);
112 if(!der_spki || !b64_str) {
113 X509err(X509_F_NETSCAPE_SPKI_B64_ENCODE, ERR_R_MALLOC_FAILURE);
114 return NULL;
115 }
116 p = der_spki;
117 i2d_NETSCAPE_SPKI(spki, &p);
118 EVP_EncodeBlock((unsigned char *)b64_str, der_spki, der_len);
119 OPENSSL_free(der_spki);
120 return b64_str;
121}
diff --git a/src/lib/libcrypto/x509/x509type.c b/src/lib/libcrypto/x509/x509type.c
new file mode 100644
index 0000000000..3385ad3f67
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509type.c
@@ -0,0 +1,125 @@
1/* crypto/x509/x509type.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/evp.h>
62#include <openssl/objects.h>
63#include <openssl/x509.h>
64
65int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
66 {
67 EVP_PKEY *pk;
68 int ret=0,i;
69
70 if (x == NULL) return(0);
71
72 if (pkey == NULL)
73 pk=X509_get_pubkey(x);
74 else
75 pk=pkey;
76
77 if (pk == NULL) return(0);
78
79 switch (pk->type)
80 {
81 case EVP_PKEY_RSA:
82 ret=EVP_PK_RSA|EVP_PKT_SIGN;
83/* if (!sign only extension) */
84 ret|=EVP_PKT_ENC;
85 break;
86 case EVP_PKEY_DSA:
87 ret=EVP_PK_DSA|EVP_PKT_SIGN;
88 break;
89 case EVP_PKEY_EC:
90 ret=EVP_PK_EC|EVP_PKT_SIGN|EVP_PKT_EXCH;
91 break;
92 case EVP_PKEY_DH:
93 ret=EVP_PK_DH|EVP_PKT_EXCH;
94 break;
95 case NID_id_GostR3410_94:
96 case NID_id_GostR3410_2001:
97 ret=EVP_PKT_EXCH|EVP_PKT_SIGN;
98 break;
99 default:
100 break;
101 }
102
103 i=X509_get_signature_type(x);
104 switch (i)
105 {
106 case EVP_PKEY_RSA:
107 ret|=EVP_PKS_RSA;
108 break;
109 case EVP_PKEY_DSA:
110 ret|=EVP_PKS_DSA;
111 break;
112 case EVP_PKEY_EC:
113 ret|=EVP_PKS_EC;
114 break;
115 default:
116 break;
117 }
118
119 if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look
120 for, not bytes */
121 ret|=EVP_PKT_EXP;
122 if(pkey==NULL) EVP_PKEY_free(pk);
123 return(ret);
124 }
125
diff --git a/src/lib/libcrypto/x509/x_all.c b/src/lib/libcrypto/x509/x_all.c
new file mode 100644
index 0000000000..8ec88c215a
--- /dev/null
+++ b/src/lib/libcrypto/x509/x_all.c
@@ -0,0 +1,516 @@
1/* crypto/x509/x_all.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/stack.h>
61#include "cryptlib.h"
62#include <openssl/buffer.h>
63#include <openssl/asn1.h>
64#include <openssl/evp.h>
65#include <openssl/x509.h>
66#ifndef OPENSSL_NO_RSA
67#include <openssl/rsa.h>
68#endif
69#ifndef OPENSSL_NO_DSA
70#include <openssl/dsa.h>
71#endif
72
73int X509_verify(X509 *a, EVP_PKEY *r)
74 {
75 return(ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF),a->sig_alg,
76 a->signature,a->cert_info,r));
77 }
78
79int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r)
80 {
81 return( ASN1_item_verify(ASN1_ITEM_rptr(X509_REQ_INFO),
82 a->sig_alg,a->signature,a->req_info,r));
83 }
84
85int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r)
86 {
87 return(ASN1_item_verify(ASN1_ITEM_rptr(NETSCAPE_SPKAC),
88 a->sig_algor,a->signature,a->spkac,r));
89 }
90
91int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
92 {
93 x->cert_info->enc.modified = 1;
94 return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), x->cert_info->signature,
95 x->sig_alg, x->signature, x->cert_info,pkey,md));
96 }
97
98int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
99 {
100 return(ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO),x->sig_alg, NULL,
101 x->signature, x->req_info,pkey,md));
102 }
103
104int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
105 {
106 x->crl->enc.modified = 1;
107 return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO),x->crl->sig_alg,
108 x->sig_alg, x->signature, x->crl,pkey,md));
109 }
110
111int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md)
112 {
113 return(ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), x->sig_algor,NULL,
114 x->signature, x->spkac,pkey,md));
115 }
116
117#ifndef OPENSSL_NO_FP_API
118X509 *d2i_X509_fp(FILE *fp, X509 **x509)
119 {
120 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509), fp, x509);
121 }
122
123int i2d_X509_fp(FILE *fp, X509 *x509)
124 {
125 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509), fp, x509);
126 }
127#endif
128
129X509 *d2i_X509_bio(BIO *bp, X509 **x509)
130 {
131 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509), bp, x509);
132 }
133
134int i2d_X509_bio(BIO *bp, X509 *x509)
135 {
136 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509), bp, x509);
137 }
138
139#ifndef OPENSSL_NO_FP_API
140X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl)
141 {
142 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509_CRL), fp, crl);
143 }
144
145int i2d_X509_CRL_fp(FILE *fp, X509_CRL *crl)
146 {
147 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509_CRL), fp, crl);
148 }
149#endif
150
151X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl)
152 {
153 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509_CRL), bp, crl);
154 }
155
156int i2d_X509_CRL_bio(BIO *bp, X509_CRL *crl)
157 {
158 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509_CRL), bp, crl);
159 }
160
161#ifndef OPENSSL_NO_FP_API
162PKCS7 *d2i_PKCS7_fp(FILE *fp, PKCS7 **p7)
163 {
164 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(PKCS7), fp, p7);
165 }
166
167int i2d_PKCS7_fp(FILE *fp, PKCS7 *p7)
168 {
169 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(PKCS7), fp, p7);
170 }
171#endif
172
173PKCS7 *d2i_PKCS7_bio(BIO *bp, PKCS7 **p7)
174 {
175 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(PKCS7), bp, p7);
176 }
177
178int i2d_PKCS7_bio(BIO *bp, PKCS7 *p7)
179 {
180 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(PKCS7), bp, p7);
181 }
182
183#ifndef OPENSSL_NO_FP_API
184X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req)
185 {
186 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509_REQ), fp, req);
187 }
188
189int i2d_X509_REQ_fp(FILE *fp, X509_REQ *req)
190 {
191 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509_REQ), fp, req);
192 }
193#endif
194
195X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req)
196 {
197 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509_REQ), bp, req);
198 }
199
200int i2d_X509_REQ_bio(BIO *bp, X509_REQ *req)
201 {
202 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509_REQ), bp, req);
203 }
204
205#ifndef OPENSSL_NO_RSA
206
207#ifndef OPENSSL_NO_FP_API
208RSA *d2i_RSAPrivateKey_fp(FILE *fp, RSA **rsa)
209 {
210 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(RSAPrivateKey), fp, rsa);
211 }
212
213int i2d_RSAPrivateKey_fp(FILE *fp, RSA *rsa)
214 {
215 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(RSAPrivateKey), fp, rsa);
216 }
217
218RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa)
219 {
220 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(RSAPublicKey), fp, rsa);
221 }
222
223
224RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa)
225 {
226 return ASN1_d2i_fp((void *(*)(void))
227 RSA_new,(D2I_OF(void))d2i_RSA_PUBKEY, fp,
228 (void **)rsa);
229 }
230
231int i2d_RSAPublicKey_fp(FILE *fp, RSA *rsa)
232 {
233 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(RSAPublicKey), fp, rsa);
234 }
235
236int i2d_RSA_PUBKEY_fp(FILE *fp, RSA *rsa)
237 {
238 return ASN1_i2d_fp((I2D_OF(void))i2d_RSA_PUBKEY,fp,rsa);
239 }
240#endif
241
242RSA *d2i_RSAPrivateKey_bio(BIO *bp, RSA **rsa)
243 {
244 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(RSAPrivateKey), bp, rsa);
245 }
246
247int i2d_RSAPrivateKey_bio(BIO *bp, RSA *rsa)
248 {
249 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(RSAPrivateKey), bp, rsa);
250 }
251
252RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa)
253 {
254 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(RSAPublicKey), bp, rsa);
255 }
256
257
258RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa)
259 {
260 return ASN1_d2i_bio_of(RSA,RSA_new,d2i_RSA_PUBKEY,bp,rsa);
261 }
262
263int i2d_RSAPublicKey_bio(BIO *bp, RSA *rsa)
264 {
265 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(RSAPublicKey), bp, rsa);
266 }
267
268int i2d_RSA_PUBKEY_bio(BIO *bp, RSA *rsa)
269 {
270 return ASN1_i2d_bio_of(RSA,i2d_RSA_PUBKEY,bp,rsa);
271 }
272#endif
273
274#ifndef OPENSSL_NO_DSA
275#ifndef OPENSSL_NO_FP_API
276DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa)
277 {
278 return ASN1_d2i_fp_of(DSA,DSA_new,d2i_DSAPrivateKey,fp,dsa);
279 }
280
281int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa)
282 {
283 return ASN1_i2d_fp_of_const(DSA,i2d_DSAPrivateKey,fp,dsa);
284 }
285
286DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa)
287 {
288 return ASN1_d2i_fp_of(DSA,DSA_new,d2i_DSA_PUBKEY,fp,dsa);
289 }
290
291int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa)
292 {
293 return ASN1_i2d_fp_of(DSA,i2d_DSA_PUBKEY,fp,dsa);
294 }
295#endif
296
297DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa)
298 {
299 return ASN1_d2i_bio_of(DSA,DSA_new,d2i_DSAPrivateKey,bp,dsa
300);
301 }
302
303int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa)
304 {
305 return ASN1_i2d_bio_of_const(DSA,i2d_DSAPrivateKey,bp,dsa);
306 }
307
308DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa)
309 {
310 return ASN1_d2i_bio_of(DSA,DSA_new,d2i_DSA_PUBKEY,bp,dsa);
311 }
312
313int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa)
314 {
315 return ASN1_i2d_bio_of(DSA,i2d_DSA_PUBKEY,bp,dsa);
316 }
317
318#endif
319
320#ifndef OPENSSL_NO_EC
321#ifndef OPENSSL_NO_FP_API
322EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey)
323 {
324 return ASN1_d2i_fp_of(EC_KEY,EC_KEY_new,d2i_EC_PUBKEY,fp,eckey);
325 }
326
327int i2d_EC_PUBKEY_fp(FILE *fp, EC_KEY *eckey)
328 {
329 return ASN1_i2d_fp_of(EC_KEY,i2d_EC_PUBKEY,fp,eckey);
330 }
331
332EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey)
333 {
334 return ASN1_d2i_fp_of(EC_KEY,EC_KEY_new,d2i_ECPrivateKey,fp,eckey);
335 }
336
337int i2d_ECPrivateKey_fp(FILE *fp, EC_KEY *eckey)
338 {
339 return ASN1_i2d_fp_of(EC_KEY,i2d_ECPrivateKey,fp,eckey);
340 }
341#endif
342EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey)
343 {
344 return ASN1_d2i_bio_of(EC_KEY,EC_KEY_new,d2i_EC_PUBKEY,bp,eckey);
345 }
346
347int i2d_EC_PUBKEY_bio(BIO *bp, EC_KEY *ecdsa)
348 {
349 return ASN1_i2d_bio_of(EC_KEY,i2d_EC_PUBKEY,bp,ecdsa);
350 }
351
352EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey)
353 {
354 return ASN1_d2i_bio_of(EC_KEY,EC_KEY_new,d2i_ECPrivateKey,bp,eckey);
355 }
356
357int i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey)
358 {
359 return ASN1_i2d_bio_of(EC_KEY,i2d_ECPrivateKey,bp,eckey);
360 }
361#endif
362
363
364int X509_pubkey_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
365 unsigned int *len)
366 {
367 ASN1_BIT_STRING *key;
368 key = X509_get0_pubkey_bitstr(data);
369 if(!key) return 0;
370 return EVP_Digest(key->data, key->length, md, len, type, NULL);
371 }
372
373int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
374 unsigned int *len)
375 {
376 return(ASN1_item_digest(ASN1_ITEM_rptr(X509),type,(char *)data,md,len));
377 }
378
379int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type, unsigned char *md,
380 unsigned int *len)
381 {
382 return(ASN1_item_digest(ASN1_ITEM_rptr(X509_CRL),type,(char *)data,md,len));
383 }
384
385int X509_REQ_digest(const X509_REQ *data, const EVP_MD *type, unsigned char *md,
386 unsigned int *len)
387 {
388 return(ASN1_item_digest(ASN1_ITEM_rptr(X509_REQ),type,(char *)data,md,len));
389 }
390
391int X509_NAME_digest(const X509_NAME *data, const EVP_MD *type, unsigned char *md,
392 unsigned int *len)
393 {
394 return(ASN1_item_digest(ASN1_ITEM_rptr(X509_NAME),type,(char *)data,md,len));
395 }
396
397int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data, const EVP_MD *type,
398 unsigned char *md, unsigned int *len)
399 {
400 return(ASN1_item_digest(ASN1_ITEM_rptr(PKCS7_ISSUER_AND_SERIAL),type,
401 (char *)data,md,len));
402 }
403
404
405#ifndef OPENSSL_NO_FP_API
406X509_SIG *d2i_PKCS8_fp(FILE *fp, X509_SIG **p8)
407 {
408 return ASN1_d2i_fp_of(X509_SIG,X509_SIG_new,d2i_X509_SIG,fp,p8);
409 }
410
411int i2d_PKCS8_fp(FILE *fp, X509_SIG *p8)
412 {
413 return ASN1_i2d_fp_of(X509_SIG,i2d_X509_SIG,fp,p8);
414 }
415#endif
416
417X509_SIG *d2i_PKCS8_bio(BIO *bp, X509_SIG **p8)
418 {
419 return ASN1_d2i_bio_of(X509_SIG,X509_SIG_new,d2i_X509_SIG,bp,p8);
420 }
421
422int i2d_PKCS8_bio(BIO *bp, X509_SIG *p8)
423 {
424 return ASN1_i2d_bio_of(X509_SIG,i2d_X509_SIG,bp,p8);
425 }
426
427#ifndef OPENSSL_NO_FP_API
428PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,
429 PKCS8_PRIV_KEY_INFO **p8inf)
430 {
431 return ASN1_d2i_fp_of(PKCS8_PRIV_KEY_INFO,PKCS8_PRIV_KEY_INFO_new,
432 d2i_PKCS8_PRIV_KEY_INFO,fp,p8inf);
433 }
434
435int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, PKCS8_PRIV_KEY_INFO *p8inf)
436 {
437 return ASN1_i2d_fp_of(PKCS8_PRIV_KEY_INFO,i2d_PKCS8_PRIV_KEY_INFO,fp,
438 p8inf);
439 }
440
441int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key)
442 {
443 PKCS8_PRIV_KEY_INFO *p8inf;
444 int ret;
445 p8inf = EVP_PKEY2PKCS8(key);
446 if(!p8inf) return 0;
447 ret = i2d_PKCS8_PRIV_KEY_INFO_fp(fp, p8inf);
448 PKCS8_PRIV_KEY_INFO_free(p8inf);
449 return ret;
450 }
451
452int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey)
453 {
454 return ASN1_i2d_fp_of(EVP_PKEY,i2d_PrivateKey,fp,pkey);
455 }
456
457EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a)
458{
459 return ASN1_d2i_fp_of(EVP_PKEY,EVP_PKEY_new,d2i_AutoPrivateKey,fp,a);
460}
461
462int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey)
463 {
464 return ASN1_i2d_fp_of(EVP_PKEY,i2d_PUBKEY,fp,pkey);
465 }
466
467EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a)
468{
469 return ASN1_d2i_fp_of(EVP_PKEY,EVP_PKEY_new,d2i_PUBKEY,fp,a);
470}
471
472#endif
473
474PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
475 PKCS8_PRIV_KEY_INFO **p8inf)
476 {
477 return ASN1_d2i_bio_of(PKCS8_PRIV_KEY_INFO,PKCS8_PRIV_KEY_INFO_new,
478 d2i_PKCS8_PRIV_KEY_INFO,bp,p8inf);
479 }
480
481int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, PKCS8_PRIV_KEY_INFO *p8inf)
482 {
483 return ASN1_i2d_bio_of(PKCS8_PRIV_KEY_INFO,i2d_PKCS8_PRIV_KEY_INFO,bp,
484 p8inf);
485 }
486
487int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key)
488 {
489 PKCS8_PRIV_KEY_INFO *p8inf;
490 int ret;
491 p8inf = EVP_PKEY2PKCS8(key);
492 if(!p8inf) return 0;
493 ret = i2d_PKCS8_PRIV_KEY_INFO_bio(bp, p8inf);
494 PKCS8_PRIV_KEY_INFO_free(p8inf);
495 return ret;
496 }
497
498int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey)
499 {
500 return ASN1_i2d_bio_of(EVP_PKEY,i2d_PrivateKey,bp,pkey);
501 }
502
503EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a)
504 {
505 return ASN1_d2i_bio_of(EVP_PKEY,EVP_PKEY_new,d2i_AutoPrivateKey,bp,a);
506 }
507
508int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey)
509 {
510 return ASN1_i2d_bio_of(EVP_PKEY,i2d_PUBKEY,bp,pkey);
511 }
512
513EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a)
514 {
515 return ASN1_d2i_bio_of(EVP_PKEY,EVP_PKEY_new,d2i_PUBKEY,bp,a);
516 }
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-12-09 06:41:31 +0000