Diffstat (limited to 'src/lib/libcrypto/x509v3/v3_purp.c')
-rw-r--r--src/lib/libcrypto/x509v3/v3_purp.c550
1 files changed, 319 insertions, 231 deletions
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c
index 45d7251c29..2bf110c179 100644
--- a/src/lib/libcrypto/x509v3/v3_purp.c
+++ b/src/lib/libcrypto/x509v3/v3_purp.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -64,19 +64,25 @@
64static void x509v3_cache_extensions(X509 *x); 64static void x509v3_cache_extensions(X509 *x);
65 65
66static int check_ssl_ca(const X509 *x); 66static int check_ssl_ca(const X509 *x);
67static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca); 67static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
68static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca); 68 int ca);
69static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca); 69static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,
70 int ca);
71static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x,
72 int ca);
70static int purpose_smime(const X509 *x, int ca); 73static int purpose_smime(const X509 *x, int ca);
71static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca); 74static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x,
72static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca); 75 int ca);
73static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca); 76static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x,
74static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, int ca); 77 int ca);
78static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x,
79 int ca);
80static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
81 int ca);
75static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca); 82static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca);
76static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca); 83static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca);
77 84
78static int xp_cmp(const X509_PURPOSE * const *a, 85static int xp_cmp(const X509_PURPOSE * const *a, const X509_PURPOSE * const *b);
79 const X509_PURPOSE * const *b);
80static void xptable_free(X509_PURPOSE *p); 86static void xptable_free(X509_PURPOSE *p);
81 87
82static X509_PURPOSE xstandard[] = { 88static X509_PURPOSE xstandard[] = {
@@ -97,8 +103,8 @@ IMPLEMENT_STACK_OF(X509_PURPOSE)
97 103
98static STACK_OF(X509_PURPOSE) *xptable = NULL; 104static STACK_OF(X509_PURPOSE) *xptable = NULL;
99 105
100static int xp_cmp(const X509_PURPOSE * const *a, 106static int
101 const X509_PURPOSE * const *b) 107xp_cmp(const X509_PURPOSE * const *a, const X509_PURPOSE * const *b)
102{ 108{
103 return (*a)->purpose - (*b)->purpose; 109 return (*a)->purpose - (*b)->purpose;
104} 110}
@@ -106,25 +112,30 @@ static int xp_cmp(const X509_PURPOSE * const *a,
106/* As much as I'd like to make X509_check_purpose use a "const" X509* 112/* As much as I'd like to make X509_check_purpose use a "const" X509*
107 * I really can't because it does recalculate hashes and do other non-const 113 * I really can't because it does recalculate hashes and do other non-const
108 * things. */ 114 * things. */
109int X509_check_purpose(X509 *x, int id, int ca) 115int
116X509_check_purpose(X509 *x, int id, int ca)
110{ 117{
111 int idx; 118 int idx;
112 const X509_PURPOSE *pt; 119 const X509_PURPOSE *pt;
113 if(!(x->ex_flags & EXFLAG_SET)) { 120
121 if (!(x->ex_flags & EXFLAG_SET)) {
114 CRYPTO_w_lock(CRYPTO_LOCK_X509); 122 CRYPTO_w_lock(CRYPTO_LOCK_X509);
115 x509v3_cache_extensions(x); 123 x509v3_cache_extensions(x);
116 CRYPTO_w_unlock(CRYPTO_LOCK_X509); 124 CRYPTO_w_unlock(CRYPTO_LOCK_X509);
117 } 125 }
118 if(id == -1) return 1; 126 if (id == -1)
127 return 1;
119 idx = X509_PURPOSE_get_by_id(id); 128 idx = X509_PURPOSE_get_by_id(id);
120 if(idx == -1) return -1; 129 if (idx == -1)
130 return -1;
121 pt = X509_PURPOSE_get0(idx); 131 pt = X509_PURPOSE_get0(idx);
122 return pt->check_purpose(pt, x, ca); 132 return pt->check_purpose(pt, x, ca);
123} 133}
124 134
125int X509_PURPOSE_set(int *p, int purpose) 135int
136X509_PURPOSE_set(int *p, int purpose)
126{ 137{
127 if(X509_PURPOSE_get_by_id(purpose) == -1) { 138 if (X509_PURPOSE_get_by_id(purpose) == -1) {
128 X509V3err(X509V3_F_X509_PURPOSE_SET, X509V3_R_INVALID_PURPOSE); 139 X509V3err(X509V3_F_X509_PURPOSE_SET, X509V3_R_INVALID_PURPOSE);
129 return 0; 140 return 0;
130 } 141 }
@@ -132,49 +143,63 @@ int X509_PURPOSE_set(int *p, int purpose)
132 return 1; 143 return 1;
133} 144}
134 145
135int X509_PURPOSE_get_count(void) 146int
147X509_PURPOSE_get_count(void)
136{ 148{
137 if(!xptable) return X509_PURPOSE_COUNT; 149 if (!xptable)
150 return X509_PURPOSE_COUNT;
138 return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT; 151 return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT;
139} 152}
140 153
141X509_PURPOSE * X509_PURPOSE_get0(int idx) 154X509_PURPOSE *
155X509_PURPOSE_get0(int idx)
142{ 156{
143 if(idx < 0) return NULL; 157 if (idx < 0)
144 if(idx < (int)X509_PURPOSE_COUNT) return xstandard + idx; 158 return NULL;
159 if (idx < (int)X509_PURPOSE_COUNT)
160 return xstandard + idx;
145 return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT); 161 return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
146} 162}
147 163
148int X509_PURPOSE_get_by_sname(char *sname) 164int
165X509_PURPOSE_get_by_sname(char *sname)
149{ 166{
150 int i; 167 int i;
151 X509_PURPOSE *xptmp; 168 X509_PURPOSE *xptmp;
152 for(i = 0; i < X509_PURPOSE_get_count(); i++) { 169
170 for (i = 0; i < X509_PURPOSE_get_count(); i++) {
153 xptmp = X509_PURPOSE_get0(i); 171 xptmp = X509_PURPOSE_get0(i);
154 if(!strcmp(xptmp->sname, sname)) return i; 172 if (!strcmp(xptmp->sname, sname))
173 return i;
155 } 174 }
156 return -1; 175 return -1;
157} 176}
158 177
159int X509_PURPOSE_get_by_id(int purpose) 178int
179X509_PURPOSE_get_by_id(int purpose)
160{ 180{
161 X509_PURPOSE tmp; 181 X509_PURPOSE tmp;
162 int idx; 182 int idx;
163 if((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX)) 183
184 if ((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))
164 return purpose - X509_PURPOSE_MIN; 185 return purpose - X509_PURPOSE_MIN;
165 tmp.purpose = purpose; 186 tmp.purpose = purpose;
166 if(!xptable) return -1; 187 if (!xptable)
188 return -1;
167 idx = sk_X509_PURPOSE_find(xptable, &tmp); 189 idx = sk_X509_PURPOSE_find(xptable, &tmp);
168 if(idx == -1) return -1; 190 if (idx == -1)
191 return -1;
169 return idx + X509_PURPOSE_COUNT; 192 return idx + X509_PURPOSE_COUNT;
170} 193}
171 194
172int X509_PURPOSE_add(int id, int trust, int flags, 195int
173 int (*ck)(const X509_PURPOSE *, const X509 *, int), 196X509_PURPOSE_add(int id, int trust, int flags,
174 char *name, char *sname, void *arg) 197 int (*ck)(const X509_PURPOSE *, const X509 *, int), char *name,
198 char *sname, void *arg)
175{ 199{
176 int idx; 200 int idx;
177 X509_PURPOSE *ptmp; 201 X509_PURPOSE *ptmp;
202
178 /* This is set according to what we change: application can't set it */ 203 /* This is set according to what we change: application can't set it */
179 flags &= ~X509_PURPOSE_DYNAMIC; 204 flags &= ~X509_PURPOSE_DYNAMIC;
180 /* This will always be set for application modified trust entries */ 205 /* This will always be set for application modified trust entries */
@@ -182,24 +207,26 @@ int X509_PURPOSE_add(int id, int trust, int flags,
182 /* Get existing entry if any */ 207 /* Get existing entry if any */
183 idx = X509_PURPOSE_get_by_id(id); 208 idx = X509_PURPOSE_get_by_id(id);
184 /* Need a new entry */ 209 /* Need a new entry */
185 if(idx == -1) { 210 if (idx == -1) {
186 if(!(ptmp = malloc(sizeof(X509_PURPOSE)))) { 211 if (!(ptmp = malloc(sizeof(X509_PURPOSE)))) {
187 X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE); 212 X509V3err(X509V3_F_X509_PURPOSE_ADD,
213 ERR_R_MALLOC_FAILURE);
188 return 0; 214 return 0;
189 } 215 }
190 ptmp->flags = X509_PURPOSE_DYNAMIC; 216 ptmp->flags = X509_PURPOSE_DYNAMIC;
191 } else ptmp = X509_PURPOSE_get0(idx); 217 } else
218 ptmp = X509_PURPOSE_get0(idx);
192 219
193 /* free existing name if dynamic */ 220 /* free existing name if dynamic */
194 if(ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) { 221 if (ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
195 free(ptmp->name); 222 free(ptmp->name);
196 free(ptmp->sname); 223 free(ptmp->sname);
197 } 224 }
198 /* dup supplied name */ 225 /* dup supplied name */
199 ptmp->name = BUF_strdup(name); 226 ptmp->name = BUF_strdup(name);
200 ptmp->sname = BUF_strdup(sname); 227 ptmp->sname = BUF_strdup(sname);
201 if(!ptmp->name || !ptmp->sname) { 228 if (!ptmp->name || !ptmp->sname) {
202 X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE); 229 X509V3err(X509V3_F_X509_PURPOSE_ADD, ERR_R_MALLOC_FAILURE);
203 return 0; 230 return 0;
204 } 231 }
205 /* Keep the dynamic flag of existing entry */ 232 /* Keep the dynamic flag of existing entry */
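Review bot: The `return 0` after the `BUF_strdup` check in X509_PURPOSE_add leaves the entry half-updated: any dynamic old names have already been freed, whichever duplicate succeeded is never released, and a `ptmp` that was just malloc'd for a new id is leaked. For an existing entry the table can then hold a NULL `sname`, which X509_PURPOSE_get_by_sname passes straight to `strcmp`. Duplicating into temporaries first and committing only on success avoids both; the two `char *` temporaries would be declared at the top of the function, which starts before this hunk and ends after it. The `sk_X509_PURPOSE_new` and `sk_X509_PURPOSE_push` failure returns in the next hunk drop a newly allocated `ptmp` and its names in the same way.

```c
	/* ... unchanged: flag masking, X509_PURPOSE_get_by_id(), malloc of a new entry ... */

	/* dup supplied names before touching the existing entry */
	new_name = BUF_strdup(name);
	new_sname = BUF_strdup(sname);
	if (!new_name || !new_sname) {
		free(new_name);
		free(new_sname);
		if (idx == -1)
			free(ptmp);
		X509V3err(X509V3_F_X509_PURPOSE_ADD, ERR_R_MALLOC_FAILURE);
		return 0;
	}
	/* free existing name if dynamic, then commit the new ones */
	if (ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
		free(ptmp->name);
		free(ptmp->sname);
	}
	ptmp->name = new_name;
	ptmp->sname = new_sname;
```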
@@ -213,70 +240,82 @@ int X509_PURPOSE_add(int id, int trust, int flags,
213 ptmp->usr_data = arg; 240 ptmp->usr_data = arg;
214 241
215 /* If its a new entry manage the dynamic table */ 242 /* If its a new entry manage the dynamic table */
216 if(idx == -1) { 243 if (idx == -1) {
217 if(!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) { 244 if (!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) {
218 X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE); 245 X509V3err(X509V3_F_X509_PURPOSE_ADD,
246 ERR_R_MALLOC_FAILURE);
219 return 0; 247 return 0;
220 } 248 }
221 if (!sk_X509_PURPOSE_push(xptable, ptmp)) { 249 if (!sk_X509_PURPOSE_push(xptable, ptmp)) {
222 X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE); 250 X509V3err(X509V3_F_X509_PURPOSE_ADD,
251 ERR_R_MALLOC_FAILURE);
223 return 0; 252 return 0;
224 } 253 }
225 } 254 }
226 return 1; 255 return 1;
227} 256}
228 257
229static void xptable_free(X509_PURPOSE *p) 258static void
230 { 259xptable_free(X509_PURPOSE *p)
231 if(!p) return; 260{
232 if (p->flags & X509_PURPOSE_DYNAMIC) 261 if (!p)
233 { 262 return;
263 if (p->flags & X509_PURPOSE_DYNAMIC) {
234 if (p->flags & X509_PURPOSE_DYNAMIC_NAME) { 264 if (p->flags & X509_PURPOSE_DYNAMIC_NAME) {
235 free(p->name); 265 free(p->name);
236 free(p->sname); 266 free(p->sname);
237 } 267 }
238 free(p); 268 free(p);
239 }
240 } 269 }
270}
241 271
242void X509_PURPOSE_cleanup(void) 272void
273X509_PURPOSE_cleanup(void)
243{ 274{
244 unsigned int i; 275 unsigned int i;
276
245 sk_X509_PURPOSE_pop_free(xptable, xptable_free); 277 sk_X509_PURPOSE_pop_free(xptable, xptable_free);
246 for(i = 0; i < X509_PURPOSE_COUNT; i++) xptable_free(xstandard + i); 278 for(i = 0; i < X509_PURPOSE_COUNT; i++)
279 xptable_free(xstandard + i);
247 xptable = NULL; 280 xptable = NULL;
248} 281}
249 282
250int X509_PURPOSE_get_id(X509_PURPOSE *xp) 283int
284X509_PURPOSE_get_id(X509_PURPOSE *xp)
251{ 285{
252 return xp->purpose; 286 return xp->purpose;
253} 287}
254 288
255char *X509_PURPOSE_get0_name(X509_PURPOSE *xp) 289char *
290X509_PURPOSE_get0_name(X509_PURPOSE *xp)
256{ 291{
257 return xp->name; 292 return xp->name;
258} 293}
259 294
260char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp) 295char *
296X509_PURPOSE_get0_sname(X509_PURPOSE *xp)
261{ 297{
262 return xp->sname; 298 return xp->sname;
263} 299}
264 300
265int X509_PURPOSE_get_trust(X509_PURPOSE *xp) 301int
302X509_PURPOSE_get_trust(X509_PURPOSE *xp)
266{ 303{
267 return xp->trust; 304 return xp->trust;
268} 305}
269 306
270static int nid_cmp(const int *a, const int *b) 307static int
271 { 308nid_cmp(const int *a, const int *b)
309{
272 return *a - *b; 310 return *a - *b;
273 } 311}
274 312
275DECLARE_OBJ_BSEARCH_CMP_FN(int, int, nid); 313DECLARE_OBJ_BSEARCH_CMP_FN(int, int, nid);
276IMPLEMENT_OBJ_BSEARCH_CMP_FN(int, int, nid); 314IMPLEMENT_OBJ_BSEARCH_CMP_FN(int, int, nid);
277 315
278int X509_supported_extension(X509_EXTENSION *ex) 316int
279 { 317X509_supported_extension(X509_EXTENSION *ex)
318{
280 /* This table is a list of the NIDs of supported extensions: 319 /* This table is a list of the NIDs of supported extensions:
281 * that is those which are used by the verify process. If 320 * that is those which are used by the verify process. If
282 * an extension is critical and doesn't appear in this list 321 * an extension is critical and doesn't appear in this list
@@ -287,11 +326,11 @@ int X509_supported_extension(X509_EXTENSION *ex)
287 326
288 static const int supported_nids[] = { 327 static const int supported_nids[] = {
289 NID_netscape_cert_type, /* 71 */ 328 NID_netscape_cert_type, /* 71 */
290 NID_key_usage, /* 83 */ 329 NID_key_usage, /* 83 */
291 NID_subject_alt_name, /* 85 */ 330 NID_subject_alt_name, /* 85 */
292 NID_basic_constraints, /* 87 */ 331 NID_basic_constraints, /* 87 */
293 NID_certificate_policies, /* 89 */ 332 NID_certificate_policies, /* 89 */
294 NID_ext_key_usage, /* 126 */ 333 NID_ext_key_usage, /* 126 */
295#ifndef OPENSSL_NO_RFC3779 334#ifndef OPENSSL_NO_RFC3779
296 NID_sbgp_ipAddrBlock, /* 290 */ 335 NID_sbgp_ipAddrBlock, /* 290 */
297 NID_sbgp_autonomousSysNum, /* 291 */ 336 NID_sbgp_autonomousSysNum, /* 291 */
@@ -305,56 +344,57 @@ int X509_supported_extension(X509_EXTENSION *ex)
305 344
306 int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex)); 345 int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
307 346
308 if (ex_nid == NID_undef) 347 if (ex_nid == NID_undef)
309 return 0; 348 return 0;
310 349
311 if (OBJ_bsearch_nid(&ex_nid, supported_nids, 350 if (OBJ_bsearch_nid(&ex_nid, supported_nids,
312 sizeof(supported_nids)/sizeof(int))) 351 sizeof(supported_nids) / sizeof(int)))
313 return 1; 352 return 1;
314 return 0; 353 return 0;
315 } 354}
316 355
317static void setup_dp(X509 *x, DIST_POINT *dp) 356static void
318 { 357setup_dp(X509 *x, DIST_POINT *dp)
358{
319 X509_NAME *iname = NULL; 359 X509_NAME *iname = NULL;
320 int i; 360 int i;
321 if (dp->reasons) 361
322 { 362 if (dp->reasons) {
323 if (dp->reasons->length > 0) 363 if (dp->reasons->length > 0)
324 dp->dp_reasons = dp->reasons->data[0]; 364 dp->dp_reasons = dp->reasons->data[0];
325 if (dp->reasons->length > 1) 365 if (dp->reasons->length > 1)
326 dp->dp_reasons |= (dp->reasons->data[1] << 8); 366 dp->dp_reasons |= (dp->reasons->data[1] << 8);
327 dp->dp_reasons &= CRLDP_ALL_REASONS; 367 dp->dp_reasons &= CRLDP_ALL_REASONS;
328 } 368 } else
329 else
330 dp->dp_reasons = CRLDP_ALL_REASONS; 369 dp->dp_reasons = CRLDP_ALL_REASONS;
331 if (!dp->distpoint || (dp->distpoint->type != 1)) 370 if (!dp->distpoint || (dp->distpoint->type != 1))
332 return; 371 return;
333 for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) 372 for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
334 {
335 GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i); 373 GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
336 if (gen->type == GEN_DIRNAME) 374 if (gen->type == GEN_DIRNAME) {
337 {
338 iname = gen->d.directoryName; 375 iname = gen->d.directoryName;
339 break; 376 break;
340 }
341 } 377 }
378 }
342 if (!iname) 379 if (!iname)
343 iname = X509_get_issuer_name(x); 380 iname = X509_get_issuer_name(x);
344 381
345 DIST_POINT_set_dpname(dp->distpoint, iname); 382 DIST_POINT_set_dpname(dp->distpoint, iname);
346 383
347 } 384}
348 385
349static void setup_crldp(X509 *x) 386static void
350 { 387setup_crldp(X509 *x)
388{
351 int i; 389 int i;
390
352 x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL); 391 x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
353 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) 392 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
354 setup_dp(x, sk_DIST_POINT_value(x->crldp, i)); 393 setup_dp(x, sk_DIST_POINT_value(x->crldp, i));
355 } 394}
356 395
357static void x509v3_cache_extensions(X509 *x) 396static void
397x509v3_cache_extensions(X509 *x)
358{ 398{
359 BASIC_CONSTRAINTS *bs; 399 BASIC_CONSTRAINTS *bs;
360 PROXY_CERT_INFO_EXTENSION *pci; 400 PROXY_CERT_INFO_EXTENSION *pci;
@@ -362,89 +402,96 @@ static void x509v3_cache_extensions(X509 *x)
362 ASN1_BIT_STRING *ns; 402 ASN1_BIT_STRING *ns;
363 EXTENDED_KEY_USAGE *extusage; 403 EXTENDED_KEY_USAGE *extusage;
364 X509_EXTENSION *ex; 404 X509_EXTENSION *ex;
365 405
366 int i; 406 int i;
367 if(x->ex_flags & EXFLAG_SET) return; 407 if (x->ex_flags & EXFLAG_SET)
408 return;
368#ifndef OPENSSL_NO_SHA 409#ifndef OPENSSL_NO_SHA
369 X509_digest(x, EVP_sha1(), x->sha1_hash, NULL); 410 X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
370#endif 411#endif
371 /* Does subject name match issuer ? */ 412 /* Does subject name match issuer ? */
372 if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) 413 if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
373 x->ex_flags |= EXFLAG_SI; 414 x->ex_flags |= EXFLAG_SI;
374 /* V1 should mean no extensions ... */ 415 /* V1 should mean no extensions ... */
375 if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1; 416 if (!X509_get_version(x))
417 x->ex_flags |= EXFLAG_V1;
376 /* Handle basic constraints */ 418 /* Handle basic constraints */
377 if((bs=X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) { 419 if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {
378 if(bs->ca) x->ex_flags |= EXFLAG_CA; 420 if (bs->ca)
379 if(bs->pathlen) { 421 x->ex_flags |= EXFLAG_CA;
380 if((bs->pathlen->type == V_ASN1_NEG_INTEGER) 422 if (bs->pathlen) {
381 || !bs->ca) { 423 if ((bs->pathlen->type == V_ASN1_NEG_INTEGER) ||
424 !bs->ca) {
382 x->ex_flags |= EXFLAG_INVALID; 425 x->ex_flags |= EXFLAG_INVALID;
383 x->ex_pathlen = 0; 426 x->ex_pathlen = 0;
384 } else x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen); 427 } else
385 } else x->ex_pathlen = -1; 428 x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
429 } else
430 x->ex_pathlen = -1;
386 BASIC_CONSTRAINTS_free(bs); 431 BASIC_CONSTRAINTS_free(bs);
387 x->ex_flags |= EXFLAG_BCONS; 432 x->ex_flags |= EXFLAG_BCONS;
388 } 433 }
389 /* Handle proxy certificates */ 434 /* Handle proxy certificates */
390 if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) { 435 if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
391 if (x->ex_flags & EXFLAG_CA 436 if (x->ex_flags & EXFLAG_CA ||
392 || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 437 X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 ||
393 || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) { 438 X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
394 x->ex_flags |= EXFLAG_INVALID; 439 x->ex_flags |= EXFLAG_INVALID;
395 } 440 }
396 if (pci->pcPathLengthConstraint) { 441 if (pci->pcPathLengthConstraint) {
397 x->ex_pcpathlen = 442 x->ex_pcpathlen =
398 ASN1_INTEGER_get(pci->pcPathLengthConstraint); 443 ASN1_INTEGER_get(pci->pcPathLengthConstraint);
399 } else x->ex_pcpathlen = -1; 444 } else
445 x->ex_pcpathlen = -1;
400 PROXY_CERT_INFO_EXTENSION_free(pci); 446 PROXY_CERT_INFO_EXTENSION_free(pci);
401 x->ex_flags |= EXFLAG_PROXY; 447 x->ex_flags |= EXFLAG_PROXY;
402 } 448 }
403 /* Handle key usage */ 449 /* Handle key usage */
404 if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) { 450 if ((usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
405 if(usage->length > 0) { 451 if (usage->length > 0) {
406 x->ex_kusage = usage->data[0]; 452 x->ex_kusage = usage->data[0];
407 if(usage->length > 1) 453 if (usage->length > 1)
408 x->ex_kusage |= usage->data[1] << 8; 454 x->ex_kusage |= usage->data[1] << 8;
409 } else x->ex_kusage = 0; 455 } else
456 x->ex_kusage = 0;
410 x->ex_flags |= EXFLAG_KUSAGE; 457 x->ex_flags |= EXFLAG_KUSAGE;
411 ASN1_BIT_STRING_free(usage); 458 ASN1_BIT_STRING_free(usage);
412 } 459 }
413 x->ex_xkusage = 0; 460 x->ex_xkusage = 0;
414 if((extusage=X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) { 461 if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) {
415 x->ex_flags |= EXFLAG_XKUSAGE; 462 x->ex_flags |= EXFLAG_XKUSAGE;
416 for(i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) { 463 for (i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
417 switch(OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage,i))) { 464 switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage, i))) {
418 case NID_server_auth: 465 case NID_server_auth:
419 x->ex_xkusage |= XKU_SSL_SERVER; 466 x->ex_xkusage |= XKU_SSL_SERVER;
420 break; 467 break;
421 468
422 case NID_client_auth: 469 case NID_client_auth:
423 x->ex_xkusage |= XKU_SSL_CLIENT; 470 x->ex_xkusage |= XKU_SSL_CLIENT;
424 break; 471 break;
425 472
426 case NID_email_protect: 473 case NID_email_protect:
427 x->ex_xkusage |= XKU_SMIME; 474 x->ex_xkusage |= XKU_SMIME;
428 break; 475 break;
429 476
430 case NID_code_sign: 477 case NID_code_sign:
431 x->ex_xkusage |= XKU_CODE_SIGN; 478 x->ex_xkusage |= XKU_CODE_SIGN;
432 break; 479 break;
433 480
434 case NID_ms_sgc: 481 case NID_ms_sgc:
435 case NID_ns_sgc: 482 case NID_ns_sgc:
436 x->ex_xkusage |= XKU_SGC; 483 x->ex_xkusage |= XKU_SGC;
437 break; 484 break;
438 485
439 case NID_OCSP_sign: 486 case NID_OCSP_sign:
440 x->ex_xkusage |= XKU_OCSP_SIGN; 487 x->ex_xkusage |= XKU_OCSP_SIGN;
441 break; 488 break;
442 489
443 case NID_time_stamp: 490 case NID_time_stamp:
444 x->ex_xkusage |= XKU_TIMESTAMP; 491 x->ex_xkusage |= XKU_TIMESTAMP;
445 break; 492 break;
446 493
447 case NID_dvcs: 494 case NID_dvcs:
448 x->ex_xkusage |= XKU_DVCS; 495 x->ex_xkusage |= XKU_DVCS;
449 break; 496 break;
450 } 497 }
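Review bot: Every `X509_get_ext_d2i(x, NID_..., NULL, NULL)` call in this hunk (basicConstraints, proxyCertInfo, keyUsage, extendedKeyUsage) treats a NULL return as "extension absent", but that function also returns NULL when the extension is present and fails to decode. A certificate whose basicConstraints cannot be parsed therefore never gets `EXFLAG_BCONS`, and check_ca, further down the page, takes its no-basicConstraints branch for it. The name-constraints lookup in the next hunk already passes `&i` and tests `i != -1`; passing `&i` here as well and adding `else if (i != -1) x->ex_flags |= EXFLAG_INVALID;` to each block would at least record the decode failure in the flag this function already uses for inconsistent extensions. x509v3_cache_extensions starts before this hunk and continues past it.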
@@ -452,14 +499,17 @@ static void x509v3_cache_extensions(X509 *x)
452 sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free); 499 sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
453 } 500 }
454 501
455 if((ns=X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) { 502 if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
456 if(ns->length > 0) x->ex_nscert = ns->data[0]; 503 if (ns->length > 0)
457 else x->ex_nscert = 0; 504 x->ex_nscert = ns->data[0];
505 else
506 x->ex_nscert = 0;
458 x->ex_flags |= EXFLAG_NSCERT; 507 x->ex_flags |= EXFLAG_NSCERT;
459 ASN1_BIT_STRING_free(ns); 508 ASN1_BIT_STRING_free(ns);
460 } 509 }
461 x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL); 510
462 x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL); 511 x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
512 x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
463 x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); 513 x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
464 x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL); 514 x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
465 if (!x->nc && (i != -1)) 515 if (!x->nc && (i != -1))
@@ -467,24 +517,22 @@ static void x509v3_cache_extensions(X509 *x)
467 setup_crldp(x); 517 setup_crldp(x);
468 518
469#ifndef OPENSSL_NO_RFC3779 519#ifndef OPENSSL_NO_RFC3779
470 x->rfc3779_addr =X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL); 520 x->rfc3779_addr = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);
471 x->rfc3779_asid =X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, 521 x->rfc3779_asid = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum,
472 NULL, NULL); 522 NULL, NULL);
473#endif 523#endif
474 for (i = 0; i < X509_get_ext_count(x); i++) 524 for (i = 0; i < X509_get_ext_count(x); i++) {
475 {
476 ex = X509_get_ext(x, i); 525 ex = X509_get_ext(x, i);
477 if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) 526 if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) ==
478 == NID_freshest_crl) 527 NID_freshest_crl)
479 x->ex_flags |= EXFLAG_FRESHEST; 528 x->ex_flags |= EXFLAG_FRESHEST;
480 if (!X509_EXTENSION_get_critical(ex)) 529 if (!X509_EXTENSION_get_critical(ex))
481 continue; 530 continue;
482 if (!X509_supported_extension(ex)) 531 if (!X509_supported_extension(ex)) {
483 {
484 x->ex_flags |= EXFLAG_CRITICAL; 532 x->ex_flags |= EXFLAG_CRITICAL;
485 break; 533 break;
486 }
487 } 534 }
535 }
488 x->ex_flags |= EXFLAG_SET; 536 x->ex_flags |= EXFLAG_SET;
489} 537}
490 538
@@ -505,30 +553,38 @@ static void x509v3_cache_extensions(X509 *x)
505#define ns_reject(x, usage) \ 553#define ns_reject(x, usage) \
506 (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) 554 (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
507 555
508static int check_ca(const X509 *x) 556static int
557check_ca(const X509 *x)
509{ 558{
510 /* keyUsage if present should allow cert signing */ 559 /* keyUsage if present should allow cert signing */
511 if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0; 560 if (ku_reject(x, KU_KEY_CERT_SIGN))
512 if(x->ex_flags & EXFLAG_BCONS) { 561 return 0;
513 if(x->ex_flags & EXFLAG_CA) return 1; 562 if (x->ex_flags & EXFLAG_BCONS) {
563 if (x->ex_flags & EXFLAG_CA)
564 return 1;
514 /* If basicConstraints says not a CA then say so */ 565 /* If basicConstraints says not a CA then say so */
515 else return 0; 566 else
567 return 0;
516 } else { 568 } else {
517 /* we support V1 roots for... uh, I don't really know why. */ 569 /* we support V1 roots for... uh, I don't really know why. */
518 if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3; 570 if ((x->ex_flags & V1_ROOT) == V1_ROOT)
571 return 3;
519 /* If key usage present it must have certSign so tolerate it */ 572 /* If key usage present it must have certSign so tolerate it */
520 else if (x->ex_flags & EXFLAG_KUSAGE) return 4; 573 else if (x->ex_flags & EXFLAG_KUSAGE)
574 return 4;
521 /* Older certificates could have Netscape-specific CA types */ 575 /* Older certificates could have Netscape-specific CA types */
522 else if (x->ex_flags & EXFLAG_NSCERT 576 else if (x->ex_flags & EXFLAG_NSCERT &&
523 && x->ex_nscert & NS_ANY_CA) return 5; 577 x->ex_nscert & NS_ANY_CA)
578 return 5;
524 /* can this still be regarded a CA certificate? I doubt it */ 579 /* can this still be regarded a CA certificate? I doubt it */
525 return 0; 580 return 0;
526 } 581 }
527} 582}
528 583
529int X509_check_ca(X509 *x) 584int
585X509_check_ca(X509 *x)
530{ 586{
531 if(!(x->ex_flags & EXFLAG_SET)) { 587 if (!(x->ex_flags & EXFLAG_SET)) {
532 CRYPTO_w_lock(CRYPTO_LOCK_X509); 588 CRYPTO_w_lock(CRYPTO_LOCK_X509);
533 x509v3_cache_extensions(x); 589 x509v3_cache_extensions(x);
534 CRYPTO_w_unlock(CRYPTO_LOCK_X509); 590 CRYPTO_w_unlock(CRYPTO_LOCK_X509);
@@ -538,131 +594,169 @@ int X509_check_ca(X509 *x)
538} 594}
539 595
540/* Check SSL CA: common checks for SSL client and server */ 596/* Check SSL CA: common checks for SSL client and server */
541static int check_ssl_ca(const X509 *x) 597static int
598check_ssl_ca(const X509 *x)
542{ 599{
543 int ca_ret; 600 int ca_ret;
601
544 ca_ret = check_ca(x); 602 ca_ret = check_ca(x);
545 if(!ca_ret) return 0; 603 if (!ca_ret)
604 return 0;
546 /* check nsCertType if present */ 605 /* check nsCertType if present */
547 if(ca_ret != 5 || x->ex_nscert & NS_SSL_CA) return ca_ret; 606 if (ca_ret != 5 || x->ex_nscert & NS_SSL_CA)
548 else return 0; 607 return ca_ret;
608 else
609 return 0;
549} 610}
550 611
551 612static int
552static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca) 613check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca)
553{ 614{
554 if(xku_reject(x,XKU_SSL_CLIENT)) return 0; 615 if (xku_reject(x, XKU_SSL_CLIENT))
555 if(ca) return check_ssl_ca(x); 616 return 0;
617 if (ca)
618 return check_ssl_ca(x);
556 /* We need to do digital signatures with it */ 619 /* We need to do digital signatures with it */
557 if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0; 620 if (ku_reject(x, KU_DIGITAL_SIGNATURE))
558 /* nsCertType if present should allow SSL client use */ 621 return 0;
559 if(ns_reject(x, NS_SSL_CLIENT)) return 0; 622 /* nsCertType if present should allow SSL client use */
623 if (ns_reject(x, NS_SSL_CLIENT))
624 return 0;
560 return 1; 625 return 1;
561} 626}
562 627
563static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca) 628static int
629check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
564{ 630{
565 if(xku_reject(x,XKU_SSL_SERVER|XKU_SGC)) return 0; 631 if (xku_reject(x, XKU_SSL_SERVER|XKU_SGC))
566 if(ca) return check_ssl_ca(x); 632 return 0;
633 if (ca)
634 return check_ssl_ca(x);
567 635
568 if(ns_reject(x, NS_SSL_SERVER)) return 0; 636 if (ns_reject(x, NS_SSL_SERVER))
637 return 0;
569 /* Now as for keyUsage: we'll at least need to sign OR encipher */ 638 /* Now as for keyUsage: we'll at least need to sign OR encipher */
570 if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT)) return 0; 639 if (ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT))
571 640 return 0;
572 return 1;
573 641
642 return 1;
574} 643}
575 644
576static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca) 645static int
646check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
577{ 647{
578 int ret; 648 int ret;
649
579 ret = check_purpose_ssl_server(xp, x, ca); 650 ret = check_purpose_ssl_server(xp, x, ca);
580 if(!ret || ca) return ret; 651 if (!ret || ca)
652 return ret;
581 /* We need to encipher or Netscape complains */ 653 /* We need to encipher or Netscape complains */
582 if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0; 654 if (ku_reject(x, KU_KEY_ENCIPHERMENT))
655 return 0;
583 return ret; 656 return ret;
584} 657}
585 658
586/* common S/MIME checks */ 659/* common S/MIME checks */
587static int purpose_smime(const X509 *x, int ca) 660static int
661purpose_smime(const X509 *x, int ca)
588{ 662{
589 if(xku_reject(x,XKU_SMIME)) return 0; 663 if (xku_reject(x, XKU_SMIME))
590 if(ca) { 664 return 0;
665 if (ca) {
591 int ca_ret; 666 int ca_ret;
592 ca_ret = check_ca(x); 667 ca_ret = check_ca(x);
593 if(!ca_ret) return 0; 668 if (!ca_ret)
669 return 0;
594 /* check nsCertType if present */ 670 /* check nsCertType if present */
595 if(ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret; 671 if (ca_ret != 5 || x->ex_nscert & NS_SMIME_CA)
596 else return 0; 672 return ca_ret;
673 else
674 return 0;
597 } 675 }
598 if(x->ex_flags & EXFLAG_NSCERT) { 676 if (x->ex_flags & EXFLAG_NSCERT) {
599 if(x->ex_nscert & NS_SMIME) return 1; 677 if (x->ex_nscert & NS_SMIME)
678 return 1;
600 /* Workaround for some buggy certificates */ 679 /* Workaround for some buggy certificates */
601 if(x->ex_nscert & NS_SSL_CLIENT) return 2; 680 if (x->ex_nscert & NS_SSL_CLIENT)
681 return 2;
602 return 0; 682 return 0;
603 } 683 }
604 return 1; 684 return 1;
605} 685}
606 686
607static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca) 687static int
688check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
608{ 689{
609 int ret; 690 int ret;
691
610 ret = purpose_smime(x, ca); 692 ret = purpose_smime(x, ca);
611 if(!ret || ca) return ret; 693 if (!ret || ca)
612 if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION)) return 0; 694 return ret;
695 if (ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION))
696 return 0;
613 return ret; 697 return ret;
614} 698}
615 699
616static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca) 700static int
701check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca)
617{ 702{
618 int ret; 703 int ret;
704
619 ret = purpose_smime(x, ca); 705 ret = purpose_smime(x, ca);
620 if(!ret || ca) return ret; 706 if (!ret || ca)
621 if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0; 707 return ret;
708 if (ku_reject(x, KU_KEY_ENCIPHERMENT))
709 return 0;
622 return ret; 710 return ret;
623} 711}
624 712
625static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca) 713static int
714check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
626{ 715{
627 if(ca) { 716 if (ca) {
628 int ca_ret; 717 int ca_ret;
629 if((ca_ret = check_ca(x)) != 2) return ca_ret; 718 if ((ca_ret = check_ca(x)) != 2)
630 else return 0; 719 return ca_ret;
720 else
721 return 0;
631 } 722 }
632 if(ku_reject(x, KU_CRL_SIGN)) return 0; 723 if (ku_reject(x, KU_CRL_SIGN))
724 return 0;
633 return 1; 725 return 1;
634} 726}
635 727
636/* OCSP helper: this is *not* a full OCSP check. It just checks that 728/* OCSP helper: this is *not* a full OCSP check. It just checks that
637 * each CA is valid. Additional checks must be made on the chain. 729 * each CA is valid. Additional checks must be made on the chain.
638 */ 730 */
639 731static int
640static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca) 732ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
641{ 733{
642 /* Must be a valid CA. Should we really support the "I don't know" 734 /* Must be a valid CA. Should we really support the "I don't know"
643 value (2)? */ 735 value (2)? */
644 if(ca) return check_ca(x); 736 if (ca)
737 return check_ca(x);
645 /* leaf certificate is checked in OCSP_verify() */ 738 /* leaf certificate is checked in OCSP_verify() */
646 return 1; 739 return 1;
647} 740}
648 741
649static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, 742static int
650 int ca) 743check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
651{ 744{
652 int i_ext; 745 int i_ext;
653 746
654 /* If ca is true we must return if this is a valid CA certificate. */ 747 /* If ca is true we must return if this is a valid CA certificate. */
655 if (ca) return check_ca(x); 748 if (ca)
749 return check_ca(x);
656 750
657 /* 751 /*
658 * Check the optional key usage field: 752 * Check the optional key usage field:
659 * if Key Usage is present, it must be one of digitalSignature 753 * if Key Usage is present, it must be one of digitalSignature
660 * and/or nonRepudiation (other values are not consistent and shall 754 * and/or nonRepudiation (other values are not consistent and shall
661 * be rejected). 755 * be rejected).
662 */ 756 */
663 if ((x->ex_flags & EXFLAG_KUSAGE) 757 if ((x->ex_flags & EXFLAG_KUSAGE) &&
664 && ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) || 758 ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) ||
665 !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)))) 759 !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE))))
666 return 0; 760 return 0;
667 761
668 /* Only time stamp key usage is permitted and it's required. */ 762 /* Only time stamp key usage is permitted and it's required. */
@@ -671,17 +765,17 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
671 765
672 /* Extended Key Usage MUST be critical */ 766 /* Extended Key Usage MUST be critical */
673 i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1); 767 i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1);
674 if (i_ext >= 0) 768 if (i_ext >= 0) {
675 {
676 X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext); 769 X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);
677 if (!X509_EXTENSION_get_critical(ext)) 770 if (!X509_EXTENSION_get_critical(ext))
678 return 0; 771 return 0;
679 } 772 }
680 773
681 return 1; 774 return 1;
682} 775}
683 776
684static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca) 777static int
778no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
685{ 779{
686 return 1; 780 return 1;
687} 781}
@@ -698,48 +792,45 @@ static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
698 * codes for X509_verify_cert() 792 * codes for X509_verify_cert()
699 */ 793 */
700 794
701int X509_check_issued(X509 *issuer, X509 *subject) 795int
796X509_check_issued(X509 *issuer, X509 *subject)
702{ 797{
703 if(X509_NAME_cmp(X509_get_subject_name(issuer), 798 if (X509_NAME_cmp(X509_get_subject_name(issuer),
704 X509_get_issuer_name(subject))) 799 X509_get_issuer_name(subject)))
705 return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; 800 return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
706 x509v3_cache_extensions(issuer); 801 x509v3_cache_extensions(issuer);
707 x509v3_cache_extensions(subject); 802 x509v3_cache_extensions(subject);
708 803
709 if(subject->akid) 804 if (subject->akid) {
710 {
711 int ret = X509_check_akid(issuer, subject->akid); 805 int ret = X509_check_akid(issuer, subject->akid);
712 if (ret != X509_V_OK) 806 if (ret != X509_V_OK)
713 return ret; 807 return ret;
714 } 808 }
715 809
716 if(subject->ex_flags & EXFLAG_PROXY) 810 if (subject->ex_flags & EXFLAG_PROXY) {
717 { 811 if (ku_reject(issuer, KU_DIGITAL_SIGNATURE))
718 if(ku_reject(issuer, KU_DIGITAL_SIGNATURE))
719 return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE; 812 return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
720 } 813 } else if (ku_reject(issuer, KU_KEY_CERT_SIGN))
721 else if(ku_reject(issuer, KU_KEY_CERT_SIGN))
722 return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; 814 return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
723 return X509_V_OK; 815 return X509_V_OK;
724} 816}
725 817
726int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid) 818int
727 { 819X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
728 820{
729 if(!akid) 821 if (!akid)
730 return X509_V_OK; 822 return X509_V_OK;
731 823
732 /* Check key ids (if present) */ 824 /* Check key ids (if present) */
733 if(akid->keyid && issuer->skid && 825 if (akid->keyid && issuer->skid &&
734 ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) ) 826 ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) )
735 return X509_V_ERR_AKID_SKID_MISMATCH; 827 return X509_V_ERR_AKID_SKID_MISMATCH;
736 /* Check serial number */ 828 /* Check serial number */
737 if(akid->serial && 829 if (akid->serial &&
738 ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial)) 830 ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial))
739 return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH; 831 return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
740 /* Check issuer name */ 832 /* Check issuer name */
741 if(akid->issuer) 833 if (akid->issuer) {
742 {
743 /* Ugh, for some peculiar reason AKID includes 834 /* Ugh, for some peculiar reason AKID includes
744 * SEQUENCE OF GeneralName. So look for a DirName. 835 * SEQUENCE OF GeneralName. So look for a DirName.
745 * There may be more than one but we only take any 836 * There may be more than one but we only take any
@@ -750,18 +841,15 @@ int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
750 X509_NAME *nm = NULL; 841 X509_NAME *nm = NULL;
751 int i; 842 int i;
752 gens = akid->issuer; 843 gens = akid->issuer;
753 for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) 844 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
754 {
755 gen = sk_GENERAL_NAME_value(gens, i); 845 gen = sk_GENERAL_NAME_value(gens, i);
756 if(gen->type == GEN_DIRNAME) 846 if (gen->type == GEN_DIRNAME) {
757 {
758 nm = gen->d.dirn; 847 nm = gen->d.dirn;
759 break; 848 break;
760 }
761 } 849 }
762 if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
763 return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
764 } 850 }
765 return X509_V_OK; 851 if (nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
852 return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
766 } 853 }
767 854 return X509_V_OK;
855}