diff options
Diffstat (limited to 'src/lib/libcrypto/x509v3')
| -rw-r--r-- | src/lib/libcrypto/x509v3/ext_dat.h | 11 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509v3/v3_bitst.c | 7 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509v3/v3_ia5.c | 5 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509v3/v3_int.c | 19 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509v3/v3_pci.c | 313 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509v3/v3_pcia.c | 55 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509v3/v3_purp.c | 75 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509v3/v3err.c | 14 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509v3/x509v3.h | 31 |
9 files changed, 488 insertions, 42 deletions
diff --git a/src/lib/libcrypto/x509v3/ext_dat.h b/src/lib/libcrypto/x509v3/ext_dat.h index 5442480595..d8328ac468 100644 --- a/src/lib/libcrypto/x509v3/ext_dat.h +++ b/src/lib/libcrypto/x509v3/ext_dat.h | |||
| @@ -3,7 +3,7 @@ | |||
| 3 | * project 1999. | 3 | * project 1999. |
| 4 | */ | 4 | */ |
| 5 | /* ==================================================================== | 5 | /* ==================================================================== |
| 6 | * Copyright (c) 1999 The OpenSSL Project. All rights reserved. | 6 | * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. |
| 7 | * | 7 | * |
| 8 | * Redistribution and use in source and binary forms, with or without | 8 | * Redistribution and use in source and binary forms, with or without |
| 9 | * modification, are permitted provided that the following conditions | 9 | * modification, are permitted provided that the following conditions |
| @@ -60,10 +60,11 @@ | |||
| 60 | extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku; | 60 | extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku; |
| 61 | extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo; | 61 | extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo; |
| 62 | extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id; | 62 | extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id; |
| 63 | extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate, v3_cpols, v3_crld; | 63 | extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate; |
| 64 | extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld; | ||
| 64 | extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff; | 65 | extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff; |
| 65 | extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc; | 66 | extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc; |
| 66 | extern X509V3_EXT_METHOD v3_crl_hold; | 67 | extern X509V3_EXT_METHOD v3_crl_hold, v3_pci; |
| 67 | 68 | ||
| 68 | /* This table will be searched using OBJ_bsearch so it *must* kept in | 69 | /* This table will be searched using OBJ_bsearch so it *must* kept in |
| 69 | * order of the ext_nid values. | 70 | * order of the ext_nid values. |
| @@ -89,6 +90,7 @@ static X509V3_EXT_METHOD *standard_exts[] = { | |||
| 89 | &v3_akey_id, | 90 | &v3_akey_id, |
| 90 | &v3_crld, | 91 | &v3_crld, |
| 91 | &v3_ext_ku, | 92 | &v3_ext_ku, |
| 93 | &v3_delta_crl, | ||
| 92 | &v3_crl_reason, | 94 | &v3_crl_reason, |
| 93 | #ifndef OPENSSL_NO_OCSP | 95 | #ifndef OPENSSL_NO_OCSP |
| 94 | &v3_crl_invdate, | 96 | &v3_crl_invdate, |
| @@ -105,8 +107,9 @@ static X509V3_EXT_METHOD *standard_exts[] = { | |||
| 105 | #endif | 107 | #endif |
| 106 | &v3_sinfo, | 108 | &v3_sinfo, |
| 107 | #ifndef OPENSSL_NO_OCSP | 109 | #ifndef OPENSSL_NO_OCSP |
| 108 | &v3_crl_hold | 110 | &v3_crl_hold, |
| 109 | #endif | 111 | #endif |
| 112 | &v3_pci, | ||
| 110 | }; | 113 | }; |
| 111 | 114 | ||
| 112 | /* Number of standard extensions */ | 115 | /* Number of standard extensions */ |
diff --git a/src/lib/libcrypto/x509v3/v3_bitst.c b/src/lib/libcrypto/x509v3/v3_bitst.c index 16cf125562..274965306d 100644 --- a/src/lib/libcrypto/x509v3/v3_bitst.c +++ b/src/lib/libcrypto/x509v3/v3_bitst.c | |||
| @@ -124,7 +124,12 @@ static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, | |||
| 124 | for(bnam = method->usr_data; bnam->lname; bnam++) { | 124 | for(bnam = method->usr_data; bnam->lname; bnam++) { |
| 125 | if(!strcmp(bnam->sname, val->name) || | 125 | if(!strcmp(bnam->sname, val->name) || |
| 126 | !strcmp(bnam->lname, val->name) ) { | 126 | !strcmp(bnam->lname, val->name) ) { |
| 127 | ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1); | 127 | if(!ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1)) { |
| 128 | X509V3err(X509V3_F_V2I_ASN1_BIT_STRING, | ||
| 129 | ERR_R_MALLOC_FAILURE); | ||
| 130 | M_ASN1_BIT_STRING_free(bs); | ||
| 131 | return NULL; | ||
| 132 | } | ||
| 128 | break; | 133 | break; |
| 129 | } | 134 | } |
| 130 | } | 135 | } |
diff --git a/src/lib/libcrypto/x509v3/v3_ia5.c b/src/lib/libcrypto/x509v3/v3_ia5.c index f9414456de..9683afa47c 100644 --- a/src/lib/libcrypto/x509v3/v3_ia5.c +++ b/src/lib/libcrypto/x509v3/v3_ia5.c | |||
| @@ -82,7 +82,10 @@ static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, | |||
| 82 | { | 82 | { |
| 83 | char *tmp; | 83 | char *tmp; |
| 84 | if(!ia5 || !ia5->length) return NULL; | 84 | if(!ia5 || !ia5->length) return NULL; |
| 85 | if (!(tmp = OPENSSL_malloc(ia5->length + 1))) return NULL; | 85 | if(!(tmp = OPENSSL_malloc(ia5->length + 1))) { |
| 86 | X509V3err(X509V3_F_I2S_ASN1_IA5STRING,ERR_R_MALLOC_FAILURE); | ||
| 87 | return NULL; | ||
| 88 | } | ||
| 86 | memcpy(tmp, ia5->data, ia5->length); | 89 | memcpy(tmp, ia5->data, ia5->length); |
| 87 | tmp[ia5->length] = 0; | 90 | tmp[ia5->length] = 0; |
| 88 | return tmp; | 91 | return tmp; |
diff --git a/src/lib/libcrypto/x509v3/v3_int.c b/src/lib/libcrypto/x509v3/v3_int.c index f34cbfb731..7a43b4717b 100644 --- a/src/lib/libcrypto/x509v3/v3_int.c +++ b/src/lib/libcrypto/x509v3/v3_int.c | |||
| @@ -3,7 +3,7 @@ | |||
| 3 | * project 1999. | 3 | * project 1999. |
| 4 | */ | 4 | */ |
| 5 | /* ==================================================================== | 5 | /* ==================================================================== |
| 6 | * Copyright (c) 1999 The OpenSSL Project. All rights reserved. | 6 | * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. |
| 7 | * | 7 | * |
| 8 | * Redistribution and use in source and binary forms, with or without | 8 | * Redistribution and use in source and binary forms, with or without |
| 9 | * modification, are permitted provided that the following conditions | 9 | * modification, are permitted provided that the following conditions |
| @@ -61,9 +61,16 @@ | |||
| 61 | #include <openssl/x509v3.h> | 61 | #include <openssl/x509v3.h> |
| 62 | 62 | ||
| 63 | X509V3_EXT_METHOD v3_crl_num = { | 63 | X509V3_EXT_METHOD v3_crl_num = { |
| 64 | NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER), | 64 | NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER), |
| 65 | 0,0,0,0, | 65 | 0,0,0,0, |
| 66 | (X509V3_EXT_I2S)i2s_ASN1_INTEGER, | 66 | (X509V3_EXT_I2S)i2s_ASN1_INTEGER, |
| 67 | 0, | 67 | 0, |
| 68 | 0,0,0,0, NULL}; | 68 | 0,0,0,0, NULL}; |
| 69 | |||
| 70 | X509V3_EXT_METHOD v3_delta_crl = { | ||
| 71 | NID_delta_crl, 0, ASN1_ITEM_ref(ASN1_INTEGER), | ||
| 72 | 0,0,0,0, | ||
| 73 | (X509V3_EXT_I2S)i2s_ASN1_INTEGER, | ||
| 74 | 0, | ||
| 75 | 0,0,0,0, NULL}; | ||
| 69 | 76 | ||
diff --git a/src/lib/libcrypto/x509v3/v3_pci.c b/src/lib/libcrypto/x509v3/v3_pci.c new file mode 100644 index 0000000000..b32d968619 --- /dev/null +++ b/src/lib/libcrypto/x509v3/v3_pci.c | |||
| @@ -0,0 +1,313 @@ | |||
| 1 | /* v3_pci.c -*- mode:C; c-file-style: "eay" -*- */ | ||
| 2 | /* Contributed to the OpenSSL Project 2004 | ||
| 3 | * by Richard Levitte (richard@levitte.org) | ||
| 4 | */ | ||
| 5 | /* Copyright (c) 2004 Kungliga Tekniska Högskolan | ||
| 6 | * (Royal Institute of Technology, Stockholm, Sweden). | ||
| 7 | * All rights reserved. | ||
| 8 | * | ||
| 9 | * Redistribution and use in source and binary forms, with or without | ||
| 10 | * modification, are permitted provided that the following conditions | ||
| 11 | * are met: | ||
| 12 | * | ||
| 13 | * 1. Redistributions of source code must retain the above copyright | ||
| 14 | * notice, this list of conditions and the following disclaimer. | ||
| 15 | * | ||
| 16 | * 2. Redistributions in binary form must reproduce the above copyright | ||
| 17 | * notice, this list of conditions and the following disclaimer in the | ||
| 18 | * documentation and/or other materials provided with the distribution. | ||
| 19 | * | ||
| 20 | * 3. Neither the name of the Institute nor the names of its contributors | ||
| 21 | * may be used to endorse or promote products derived from this software | ||
| 22 | * without specific prior written permission. | ||
| 23 | * | ||
| 24 | * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND | ||
| 25 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
| 26 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | ||
| 27 | * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE | ||
| 28 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | ||
| 29 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | ||
| 30 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||
| 31 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||
| 32 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||
| 33 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||
| 34 | * SUCH DAMAGE. | ||
| 35 | */ | ||
| 36 | |||
| 37 | #include <stdio.h> | ||
| 38 | #include "cryptlib.h" | ||
| 39 | #include <openssl/conf.h> | ||
| 40 | #include <openssl/x509v3.h> | ||
| 41 | |||
| 42 | static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext, | ||
| 43 | BIO *out, int indent); | ||
| 44 | static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method, | ||
| 45 | X509V3_CTX *ctx, char *str); | ||
| 46 | |||
| 47 | X509V3_EXT_METHOD v3_pci = | ||
| 48 | { NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION), | ||
| 49 | 0,0,0,0, | ||
| 50 | 0,0, | ||
| 51 | NULL, NULL, | ||
| 52 | (X509V3_EXT_I2R)i2r_pci, | ||
| 53 | (X509V3_EXT_R2I)r2i_pci, | ||
| 54 | NULL, | ||
| 55 | }; | ||
| 56 | |||
| 57 | static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci, | ||
| 58 | BIO *out, int indent) | ||
| 59 | { | ||
| 60 | BIO_printf(out, "%*sPath Length Constraint: ", indent, ""); | ||
| 61 | if (pci->pcPathLengthConstraint) | ||
| 62 | i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint); | ||
| 63 | else | ||
| 64 | BIO_printf(out, "infinite"); | ||
| 65 | BIO_puts(out, "\n"); | ||
| 66 | BIO_printf(out, "%*sPolicy Language: ", indent, ""); | ||
| 67 | i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage); | ||
| 68 | BIO_puts(out, "\n"); | ||
| 69 | if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data) | ||
| 70 | BIO_printf(out, "%*sPolicy Text: %s\n", indent, "", | ||
| 71 | pci->proxyPolicy->policy->data); | ||
| 72 | return 1; | ||
| 73 | } | ||
| 74 | |||
| 75 | static int process_pci_value(CONF_VALUE *val, | ||
| 76 | ASN1_OBJECT **language, ASN1_INTEGER **pathlen, | ||
| 77 | ASN1_OCTET_STRING **policy) | ||
| 78 | { | ||
| 79 | int free_policy = 0; | ||
| 80 | |||
| 81 | if (strcmp(val->name, "language") == 0) | ||
| 82 | { | ||
| 83 | if (*language) | ||
| 84 | { | ||
| 85 | X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED); | ||
| 86 | X509V3_conf_err(val); | ||
| 87 | return 0; | ||
| 88 | } | ||
| 89 | if (!(*language = OBJ_txt2obj(val->value, 0))) | ||
| 90 | { | ||
| 91 | X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_OBJECT_IDENTIFIER); | ||
| 92 | X509V3_conf_err(val); | ||
| 93 | return 0; | ||
| 94 | } | ||
| 95 | } | ||
| 96 | else if (strcmp(val->name, "pathlen") == 0) | ||
| 97 | { | ||
| 98 | if (*pathlen) | ||
| 99 | { | ||
| 100 | X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED); | ||
| 101 | X509V3_conf_err(val); | ||
| 102 | return 0; | ||
| 103 | } | ||
| 104 | if (!X509V3_get_value_int(val, pathlen)) | ||
| 105 | { | ||
| 106 | X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_PATH_LENGTH); | ||
| 107 | X509V3_conf_err(val); | ||
| 108 | return 0; | ||
| 109 | } | ||
| 110 | } | ||
| 111 | else if (strcmp(val->name, "policy") == 0) | ||
| 112 | { | ||
| 113 | unsigned char *tmp_data = NULL; | ||
| 114 | long val_len; | ||
| 115 | if (!*policy) | ||
| 116 | { | ||
| 117 | *policy = ASN1_OCTET_STRING_new(); | ||
| 118 | if (!*policy) | ||
| 119 | { | ||
| 120 | X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE); | ||
| 121 | X509V3_conf_err(val); | ||
| 122 | return 0; | ||
| 123 | } | ||
| 124 | free_policy = 1; | ||
| 125 | } | ||
| 126 | if (strncmp(val->value, "hex:", 4) == 0) | ||
| 127 | { | ||
| 128 | unsigned char *tmp_data2 = | ||
| 129 | string_to_hex(val->value + 4, &val_len); | ||
| 130 | |||
| 131 | if (!tmp_data2) goto err; | ||
| 132 | |||
| 133 | tmp_data = OPENSSL_realloc((*policy)->data, | ||
| 134 | (*policy)->length + val_len + 1); | ||
| 135 | if (tmp_data) | ||
| 136 | { | ||
| 137 | (*policy)->data = tmp_data; | ||
| 138 | memcpy(&(*policy)->data[(*policy)->length], | ||
| 139 | tmp_data2, val_len); | ||
| 140 | (*policy)->length += val_len; | ||
| 141 | (*policy)->data[(*policy)->length] = '\0'; | ||
| 142 | } | ||
| 143 | } | ||
| 144 | else if (strncmp(val->value, "file:", 5) == 0) | ||
| 145 | { | ||
| 146 | unsigned char buf[2048]; | ||
| 147 | int n; | ||
| 148 | BIO *b = BIO_new_file(val->value + 5, "r"); | ||
| 149 | if (!b) | ||
| 150 | { | ||
| 151 | X509V3err(X509V3_F_R2I_PCI,ERR_R_BIO_LIB); | ||
| 152 | X509V3_conf_err(val); | ||
| 153 | goto err; | ||
| 154 | } | ||
| 155 | while((n = BIO_read(b, buf, sizeof(buf))) > 0 | ||
| 156 | || (n == 0 && BIO_should_retry(b))) | ||
| 157 | { | ||
| 158 | if (!n) continue; | ||
| 159 | |||
| 160 | tmp_data = OPENSSL_realloc((*policy)->data, | ||
| 161 | (*policy)->length + n + 1); | ||
| 162 | |||
| 163 | if (!tmp_data) | ||
| 164 | break; | ||
| 165 | |||
| 166 | (*policy)->data = tmp_data; | ||
| 167 | memcpy(&(*policy)->data[(*policy)->length], | ||
| 168 | buf, n); | ||
| 169 | (*policy)->length += n; | ||
| 170 | (*policy)->data[(*policy)->length] = '\0'; | ||
| 171 | } | ||
| 172 | |||
| 173 | if (n < 0) | ||
| 174 | { | ||
| 175 | X509V3err(X509V3_F_R2I_PCI,ERR_R_BIO_LIB); | ||
| 176 | X509V3_conf_err(val); | ||
| 177 | goto err; | ||
| 178 | } | ||
| 179 | } | ||
| 180 | else if (strncmp(val->value, "text:", 5) == 0) | ||
| 181 | { | ||
| 182 | val_len = strlen(val->value + 5); | ||
| 183 | tmp_data = OPENSSL_realloc((*policy)->data, | ||
| 184 | (*policy)->length + val_len + 1); | ||
| 185 | if (tmp_data) | ||
| 186 | { | ||
| 187 | (*policy)->data = tmp_data; | ||
| 188 | memcpy(&(*policy)->data[(*policy)->length], | ||
| 189 | val->value + 5, val_len); | ||
| 190 | (*policy)->length += val_len; | ||
| 191 | (*policy)->data[(*policy)->length] = '\0'; | ||
| 192 | } | ||
| 193 | } | ||
| 194 | else | ||
| 195 | { | ||
| 196 | X509V3err(X509V3_F_R2I_PCI,X509V3_R_INCORRECT_POLICY_SYNTAX_TAG); | ||
| 197 | X509V3_conf_err(val); | ||
| 198 | goto err; | ||
| 199 | } | ||
| 200 | if (!tmp_data) | ||
| 201 | { | ||
| 202 | X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE); | ||
| 203 | X509V3_conf_err(val); | ||
| 204 | goto err; | ||
| 205 | } | ||
| 206 | } | ||
| 207 | return 1; | ||
| 208 | err: | ||
| 209 | if (free_policy) | ||
| 210 | { | ||
| 211 | ASN1_OCTET_STRING_free(*policy); | ||
| 212 | *policy = NULL; | ||
| 213 | } | ||
| 214 | return 0; | ||
| 215 | } | ||
| 216 | |||
| 217 | static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method, | ||
| 218 | X509V3_CTX *ctx, char *value) | ||
| 219 | { | ||
| 220 | PROXY_CERT_INFO_EXTENSION *pci = NULL; | ||
| 221 | STACK_OF(CONF_VALUE) *vals; | ||
| 222 | ASN1_OBJECT *language = NULL; | ||
| 223 | ASN1_INTEGER *pathlen = NULL; | ||
| 224 | ASN1_OCTET_STRING *policy = NULL; | ||
| 225 | int i, j; | ||
| 226 | |||
| 227 | vals = X509V3_parse_list(value); | ||
| 228 | for (i = 0; i < sk_CONF_VALUE_num(vals); i++) | ||
| 229 | { | ||
| 230 | CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i); | ||
| 231 | if (!cnf->name || (*cnf->name != '@' && !cnf->value)) | ||
| 232 | { | ||
| 233 | X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_PROXY_POLICY_SETTING); | ||
| 234 | X509V3_conf_err(cnf); | ||
| 235 | goto err; | ||
| 236 | } | ||
| 237 | if (*cnf->name == '@') | ||
| 238 | { | ||
| 239 | STACK_OF(CONF_VALUE) *sect; | ||
| 240 | int success_p = 1; | ||
| 241 | |||
| 242 | sect = X509V3_get_section(ctx, cnf->name + 1); | ||
| 243 | if (!sect) | ||
| 244 | { | ||
| 245 | X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_SECTION); | ||
| 246 | X509V3_conf_err(cnf); | ||
| 247 | goto err; | ||
| 248 | } | ||
| 249 | for (j = 0; success_p && j < sk_CONF_VALUE_num(sect); j++) | ||
| 250 | { | ||
| 251 | success_p = | ||
| 252 | process_pci_value(sk_CONF_VALUE_value(sect, j), | ||
| 253 | &language, &pathlen, &policy); | ||
| 254 | } | ||
| 255 | X509V3_section_free(ctx, sect); | ||
| 256 | if (!success_p) | ||
| 257 | goto err; | ||
| 258 | } | ||
| 259 | else | ||
| 260 | { | ||
| 261 | if (!process_pci_value(cnf, | ||
| 262 | &language, &pathlen, &policy)) | ||
| 263 | { | ||
| 264 | X509V3_conf_err(cnf); | ||
| 265 | goto err; | ||
| 266 | } | ||
| 267 | } | ||
| 268 | } | ||
| 269 | |||
| 270 | /* Language is mandatory */ | ||
| 271 | if (!language) | ||
| 272 | { | ||
| 273 | X509V3err(X509V3_F_R2I_PCI,X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED); | ||
| 274 | goto err; | ||
| 275 | } | ||
| 276 | i = OBJ_obj2nid(language); | ||
| 277 | if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy) | ||
| 278 | { | ||
| 279 | X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY); | ||
| 280 | goto err; | ||
| 281 | } | ||
| 282 | |||
| 283 | pci = PROXY_CERT_INFO_EXTENSION_new(); | ||
| 284 | if (!pci) | ||
| 285 | { | ||
| 286 | X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE); | ||
| 287 | goto err; | ||
| 288 | } | ||
| 289 | pci->proxyPolicy = PROXY_POLICY_new(); | ||
| 290 | if (!pci->proxyPolicy) | ||
| 291 | { | ||
| 292 | X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE); | ||
| 293 | goto err; | ||
| 294 | } | ||
| 295 | |||
| 296 | pci->proxyPolicy->policyLanguage = language; language = NULL; | ||
| 297 | pci->proxyPolicy->policy = policy; policy = NULL; | ||
| 298 | pci->pcPathLengthConstraint = pathlen; pathlen = NULL; | ||
| 299 | goto end; | ||
| 300 | err: | ||
| 301 | if (language) { ASN1_OBJECT_free(language); language = NULL; } | ||
| 302 | if (pathlen) { ASN1_INTEGER_free(pathlen); pathlen = NULL; } | ||
| 303 | if (policy) { ASN1_OCTET_STRING_free(policy); policy = NULL; } | ||
| 304 | if (pci && pci->proxyPolicy) | ||
| 305 | { | ||
| 306 | PROXY_POLICY_free(pci->proxyPolicy); | ||
| 307 | pci->proxyPolicy = NULL; | ||
| 308 | } | ||
| 309 | if (pci) { PROXY_CERT_INFO_EXTENSION_free(pci); pci = NULL; } | ||
| 310 | end: | ||
| 311 | sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); | ||
| 312 | return pci; | ||
| 313 | } | ||
diff --git a/src/lib/libcrypto/x509v3/v3_pcia.c b/src/lib/libcrypto/x509v3/v3_pcia.c new file mode 100644 index 0000000000..bb362e0e5a --- /dev/null +++ b/src/lib/libcrypto/x509v3/v3_pcia.c | |||
| @@ -0,0 +1,55 @@ | |||
| 1 | /* v3_pcia.c -*- mode:C; c-file-style: "eay" -*- */ | ||
| 2 | /* Contributed to the OpenSSL Project 2004 | ||
| 3 | * by Richard Levitte (richard@levitte.org) | ||
| 4 | */ | ||
| 5 | /* Copyright (c) 2004 Kungliga Tekniska Högskolan | ||
| 6 | * (Royal Institute of Technology, Stockholm, Sweden). | ||
| 7 | * All rights reserved. | ||
| 8 | * | ||
| 9 | * Redistribution and use in source and binary forms, with or without | ||
| 10 | * modification, are permitted provided that the following conditions | ||
| 11 | * are met: | ||
| 12 | * | ||
| 13 | * 1. Redistributions of source code must retain the above copyright | ||
| 14 | * notice, this list of conditions and the following disclaimer. | ||
| 15 | * | ||
| 16 | * 2. Redistributions in binary form must reproduce the above copyright | ||
| 17 | * notice, this list of conditions and the following disclaimer in the | ||
| 18 | * documentation and/or other materials provided with the distribution. | ||
| 19 | * | ||
| 20 | * 3. Neither the name of the Institute nor the names of its contributors | ||
| 21 | * may be used to endorse or promote products derived from this software | ||
| 22 | * without specific prior written permission. | ||
| 23 | * | ||
| 24 | * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND | ||
| 25 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
| 26 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | ||
| 27 | * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE | ||
| 28 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | ||
| 29 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | ||
| 30 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||
| 31 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||
| 32 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||
| 33 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||
| 34 | * SUCH DAMAGE. | ||
| 35 | */ | ||
| 36 | |||
| 37 | #include <openssl/asn1.h> | ||
| 38 | #include <openssl/asn1t.h> | ||
| 39 | #include <openssl/x509v3.h> | ||
| 40 | |||
| 41 | ASN1_SEQUENCE(PROXY_POLICY) = | ||
| 42 | { | ||
| 43 | ASN1_SIMPLE(PROXY_POLICY,policyLanguage,ASN1_OBJECT), | ||
| 44 | ASN1_OPT(PROXY_POLICY,policy,ASN1_OCTET_STRING) | ||
| 45 | } ASN1_SEQUENCE_END(PROXY_POLICY) | ||
| 46 | |||
| 47 | IMPLEMENT_ASN1_FUNCTIONS(PROXY_POLICY) | ||
| 48 | |||
| 49 | ASN1_SEQUENCE(PROXY_CERT_INFO_EXTENSION) = | ||
| 50 | { | ||
| 51 | ASN1_OPT(PROXY_CERT_INFO_EXTENSION,pcPathLengthConstraint,ASN1_INTEGER), | ||
| 52 | ASN1_SIMPLE(PROXY_CERT_INFO_EXTENSION,proxyPolicy,PROXY_POLICY) | ||
| 53 | } ASN1_SEQUENCE_END(PROXY_CERT_INFO_EXTENSION) | ||
| 54 | |||
| 55 | IMPLEMENT_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION) | ||
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c index b3d1ae5d1c..bbdf6da493 100644 --- a/src/lib/libcrypto/x509v3/v3_purp.c +++ b/src/lib/libcrypto/x509v3/v3_purp.c | |||
| @@ -63,7 +63,6 @@ | |||
| 63 | 63 | ||
| 64 | static void x509v3_cache_extensions(X509 *x); | 64 | static void x509v3_cache_extensions(X509 *x); |
| 65 | 65 | ||
| 66 | static int ca_check(const X509 *x); | ||
| 67 | static int check_ssl_ca(const X509 *x); | 66 | static int check_ssl_ca(const X509 *x); |
| 68 | static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca); | 67 | static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca); |
| 69 | static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca); | 68 | static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca); |
| @@ -286,7 +285,8 @@ int X509_supported_extension(X509_EXTENSION *ex) | |||
| 286 | NID_key_usage, /* 83 */ | 285 | NID_key_usage, /* 83 */ |
| 287 | NID_subject_alt_name, /* 85 */ | 286 | NID_subject_alt_name, /* 85 */ |
| 288 | NID_basic_constraints, /* 87 */ | 287 | NID_basic_constraints, /* 87 */ |
| 289 | NID_ext_key_usage /* 126 */ | 288 | NID_ext_key_usage, /* 126 */ |
| 289 | NID_proxyCertInfo /* 661 */ | ||
| 290 | }; | 290 | }; |
| 291 | 291 | ||
| 292 | int ex_nid; | 292 | int ex_nid; |
| @@ -307,6 +307,7 @@ int X509_supported_extension(X509_EXTENSION *ex) | |||
| 307 | static void x509v3_cache_extensions(X509 *x) | 307 | static void x509v3_cache_extensions(X509 *x) |
| 308 | { | 308 | { |
| 309 | BASIC_CONSTRAINTS *bs; | 309 | BASIC_CONSTRAINTS *bs; |
| 310 | PROXY_CERT_INFO_EXTENSION *pci; | ||
| 310 | ASN1_BIT_STRING *usage; | 311 | ASN1_BIT_STRING *usage; |
| 311 | ASN1_BIT_STRING *ns; | 312 | ASN1_BIT_STRING *ns; |
| 312 | EXTENDED_KEY_USAGE *extusage; | 313 | EXTENDED_KEY_USAGE *extusage; |
| @@ -335,6 +336,16 @@ static void x509v3_cache_extensions(X509 *x) | |||
| 335 | BASIC_CONSTRAINTS_free(bs); | 336 | BASIC_CONSTRAINTS_free(bs); |
| 336 | x->ex_flags |= EXFLAG_BCONS; | 337 | x->ex_flags |= EXFLAG_BCONS; |
| 337 | } | 338 | } |
| 339 | /* Handle proxy certificates */ | ||
| 340 | if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) { | ||
| 341 | if (x->ex_flags & EXFLAG_CA | ||
| 342 | || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0 | ||
| 343 | || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) { | ||
| 344 | x->ex_flags |= EXFLAG_INVALID; | ||
| 345 | } | ||
| 346 | PROXY_CERT_INFO_EXTENSION_free(pci); | ||
| 347 | x->ex_flags |= EXFLAG_PROXY; | ||
| 348 | } | ||
| 338 | /* Handle key usage */ | 349 | /* Handle key usage */ |
| 339 | if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) { | 350 | if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) { |
| 340 | if(usage->length > 0) { | 351 | if(usage->length > 0) { |
| @@ -426,7 +437,7 @@ static void x509v3_cache_extensions(X509 *x) | |||
| 426 | #define ns_reject(x, usage) \ | 437 | #define ns_reject(x, usage) \ |
| 427 | (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) | 438 | (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) |
| 428 | 439 | ||
| 429 | static int ca_check(const X509 *x) | 440 | static int check_ca(const X509 *x) |
| 430 | { | 441 | { |
| 431 | /* keyUsage if present should allow cert signing */ | 442 | /* keyUsage if present should allow cert signing */ |
| 432 | if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0; | 443 | if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0; |
| @@ -435,25 +446,37 @@ static int ca_check(const X509 *x) | |||
| 435 | /* If basicConstraints says not a CA then say so */ | 446 | /* If basicConstraints says not a CA then say so */ |
| 436 | else return 0; | 447 | else return 0; |
| 437 | } else { | 448 | } else { |
| 449 | /* we support V1 roots for... uh, I don't really know why. */ | ||
| 438 | if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3; | 450 | if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3; |
| 439 | /* If key usage present it must have certSign so tolerate it */ | 451 | /* If key usage present it must have certSign so tolerate it */ |
| 440 | else if (x->ex_flags & EXFLAG_KUSAGE) return 4; | 452 | else if (x->ex_flags & EXFLAG_KUSAGE) return 4; |
| 441 | else return 2; | 453 | /* Older certificates could have Netscape-specific CA types */ |
| 454 | else if (x->ex_flags & EXFLAG_NSCERT | ||
| 455 | && x->ex_nscert & NS_ANY_CA) return 5; | ||
| 456 | /* can this still be regarded a CA certificate? I doubt it */ | ||
| 457 | return 0; | ||
| 442 | } | 458 | } |
| 443 | } | 459 | } |
| 444 | 460 | ||
| 461 | int X509_check_ca(X509 *x) | ||
| 462 | { | ||
| 463 | if(!(x->ex_flags & EXFLAG_SET)) { | ||
| 464 | CRYPTO_w_lock(CRYPTO_LOCK_X509); | ||
| 465 | x509v3_cache_extensions(x); | ||
| 466 | CRYPTO_w_unlock(CRYPTO_LOCK_X509); | ||
| 467 | } | ||
| 468 | |||
| 469 | return check_ca(x); | ||
| 470 | } | ||
| 471 | |||
| 445 | /* Check SSL CA: common checks for SSL client and server */ | 472 | /* Check SSL CA: common checks for SSL client and server */ |
| 446 | static int check_ssl_ca(const X509 *x) | 473 | static int check_ssl_ca(const X509 *x) |
| 447 | { | 474 | { |
| 448 | int ca_ret; | 475 | int ca_ret; |
| 449 | ca_ret = ca_check(x); | 476 | ca_ret = check_ca(x); |
| 450 | if(!ca_ret) return 0; | 477 | if(!ca_ret) return 0; |
| 451 | /* check nsCertType if present */ | 478 | /* check nsCertType if present */ |
| 452 | if(x->ex_flags & EXFLAG_NSCERT) { | 479 | if(ca_ret != 5 || x->ex_nscert & NS_SSL_CA) return ca_ret; |
| 453 | if(x->ex_nscert & NS_SSL_CA) return ca_ret; | ||
| 454 | return 0; | ||
| 455 | } | ||
| 456 | if(ca_ret != 2) return ca_ret; | ||
| 457 | else return 0; | 480 | else return 0; |
| 458 | } | 481 | } |
| 459 | 482 | ||
| @@ -498,14 +521,10 @@ static int purpose_smime(const X509 *x, int ca) | |||
| 498 | if(xku_reject(x,XKU_SMIME)) return 0; | 521 | if(xku_reject(x,XKU_SMIME)) return 0; |
| 499 | if(ca) { | 522 | if(ca) { |
| 500 | int ca_ret; | 523 | int ca_ret; |
| 501 | ca_ret = ca_check(x); | 524 | ca_ret = check_ca(x); |
| 502 | if(!ca_ret) return 0; | 525 | if(!ca_ret) return 0; |
| 503 | /* check nsCertType if present */ | 526 | /* check nsCertType if present */ |
| 504 | if(x->ex_flags & EXFLAG_NSCERT) { | 527 | if(ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret; |
| 505 | if(x->ex_nscert & NS_SMIME_CA) return ca_ret; | ||
| 506 | return 0; | ||
| 507 | } | ||
| 508 | if(ca_ret != 2) return ca_ret; | ||
| 509 | else return 0; | 528 | else return 0; |
| 510 | } | 529 | } |
| 511 | if(x->ex_flags & EXFLAG_NSCERT) { | 530 | if(x->ex_flags & EXFLAG_NSCERT) { |
| @@ -539,7 +558,7 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca) | |||
| 539 | { | 558 | { |
| 540 | if(ca) { | 559 | if(ca) { |
| 541 | int ca_ret; | 560 | int ca_ret; |
| 542 | if((ca_ret = ca_check(x)) != 2) return ca_ret; | 561 | if((ca_ret = check_ca(x)) != 2) return ca_ret; |
| 543 | else return 0; | 562 | else return 0; |
| 544 | } | 563 | } |
| 545 | if(ku_reject(x, KU_CRL_SIGN)) return 0; | 564 | if(ku_reject(x, KU_CRL_SIGN)) return 0; |
| @@ -552,17 +571,9 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca) | |||
| 552 | 571 | ||
| 553 | static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca) | 572 | static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca) |
| 554 | { | 573 | { |
| 555 | /* Must be a valid CA */ | 574 | /* Must be a valid CA. Should we really support the "I don't know" |
| 556 | if(ca) { | 575 | value (2)? */ |
| 557 | int ca_ret; | 576 | if(ca) return check_ca(x); |
| 558 | ca_ret = ca_check(x); | ||
| 559 | if(ca_ret != 2) return ca_ret; | ||
| 560 | if(x->ex_flags & EXFLAG_NSCERT) { | ||
| 561 | if(x->ex_nscert & NS_ANY_CA) return ca_ret; | ||
| 562 | return 0; | ||
| 563 | } | ||
| 564 | return 0; | ||
| 565 | } | ||
| 566 | /* leaf certificate is checked in OCSP_verify() */ | 577 | /* leaf certificate is checked in OCSP_verify() */ |
| 567 | return 1; | 578 | return 1; |
| 568 | } | 579 | } |
| @@ -624,7 +635,13 @@ int X509_check_issued(X509 *issuer, X509 *subject) | |||
| 624 | return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH; | 635 | return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH; |
| 625 | } | 636 | } |
| 626 | } | 637 | } |
| 627 | if(ku_reject(issuer, KU_KEY_CERT_SIGN)) return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; | 638 | if(subject->ex_flags & EXFLAG_PROXY) |
| 639 | { | ||
| 640 | if(ku_reject(issuer, KU_DIGITAL_SIGNATURE)) | ||
| 641 | return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE; | ||
| 642 | } | ||
| 643 | else if(ku_reject(issuer, KU_KEY_CERT_SIGN)) | ||
| 644 | return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; | ||
| 628 | return X509_V_OK; | 645 | return X509_V_OK; |
| 629 | } | 646 | } |
| 630 | 647 | ||
diff --git a/src/lib/libcrypto/x509v3/v3err.c b/src/lib/libcrypto/x509v3/v3err.c index 6458e95bb9..2df0c3ef01 100644 --- a/src/lib/libcrypto/x509v3/v3err.c +++ b/src/lib/libcrypto/x509v3/v3err.c | |||
| @@ -1,6 +1,6 @@ | |||
| 1 | /* crypto/x509v3/v3err.c */ | 1 | /* crypto/x509v3/v3err.c */ |
| 2 | /* ==================================================================== | 2 | /* ==================================================================== |
| 3 | * Copyright (c) 1999 The OpenSSL Project. All rights reserved. | 3 | * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. |
| 4 | * | 4 | * |
| 5 | * Redistribution and use in source and binary forms, with or without | 5 | * Redistribution and use in source and binary forms, with or without |
| 6 | * modification, are permitted provided that the following conditions | 6 | * modification, are permitted provided that the following conditions |
| @@ -72,12 +72,14 @@ static ERR_STRING_DATA X509V3_str_functs[]= | |||
| 72 | {ERR_PACK(0,X509V3_F_DO_EXT_I2D,0), "DO_EXT_I2D"}, | 72 | {ERR_PACK(0,X509V3_F_DO_EXT_I2D,0), "DO_EXT_I2D"}, |
| 73 | {ERR_PACK(0,X509V3_F_HEX_TO_STRING,0), "hex_to_string"}, | 73 | {ERR_PACK(0,X509V3_F_HEX_TO_STRING,0), "hex_to_string"}, |
| 74 | {ERR_PACK(0,X509V3_F_I2S_ASN1_ENUMERATED,0), "i2s_ASN1_ENUMERATED"}, | 74 | {ERR_PACK(0,X509V3_F_I2S_ASN1_ENUMERATED,0), "i2s_ASN1_ENUMERATED"}, |
| 75 | {ERR_PACK(0,X509V3_F_I2S_ASN1_IA5STRING,0), "I2S_ASN1_IA5STRING"}, | ||
| 75 | {ERR_PACK(0,X509V3_F_I2S_ASN1_INTEGER,0), "i2s_ASN1_INTEGER"}, | 76 | {ERR_PACK(0,X509V3_F_I2S_ASN1_INTEGER,0), "i2s_ASN1_INTEGER"}, |
| 76 | {ERR_PACK(0,X509V3_F_I2V_AUTHORITY_INFO_ACCESS,0), "I2V_AUTHORITY_INFO_ACCESS"}, | 77 | {ERR_PACK(0,X509V3_F_I2V_AUTHORITY_INFO_ACCESS,0), "I2V_AUTHORITY_INFO_ACCESS"}, |
| 77 | {ERR_PACK(0,X509V3_F_NOTICE_SECTION,0), "NOTICE_SECTION"}, | 78 | {ERR_PACK(0,X509V3_F_NOTICE_SECTION,0), "NOTICE_SECTION"}, |
| 78 | {ERR_PACK(0,X509V3_F_NREF_NOS,0), "NREF_NOS"}, | 79 | {ERR_PACK(0,X509V3_F_NREF_NOS,0), "NREF_NOS"}, |
| 79 | {ERR_PACK(0,X509V3_F_POLICY_SECTION,0), "POLICY_SECTION"}, | 80 | {ERR_PACK(0,X509V3_F_POLICY_SECTION,0), "POLICY_SECTION"}, |
| 80 | {ERR_PACK(0,X509V3_F_R2I_CERTPOL,0), "R2I_CERTPOL"}, | 81 | {ERR_PACK(0,X509V3_F_R2I_CERTPOL,0), "R2I_CERTPOL"}, |
| 82 | {ERR_PACK(0,X509V3_F_R2I_PCI,0), "R2I_PCI"}, | ||
| 81 | {ERR_PACK(0,X509V3_F_S2I_ASN1_IA5STRING,0), "S2I_ASN1_IA5STRING"}, | 83 | {ERR_PACK(0,X509V3_F_S2I_ASN1_IA5STRING,0), "S2I_ASN1_IA5STRING"}, |
| 82 | {ERR_PACK(0,X509V3_F_S2I_ASN1_INTEGER,0), "s2i_ASN1_INTEGER"}, | 84 | {ERR_PACK(0,X509V3_F_S2I_ASN1_INTEGER,0), "s2i_ASN1_INTEGER"}, |
| 83 | {ERR_PACK(0,X509V3_F_S2I_ASN1_OCTET_STRING,0), "s2i_ASN1_OCTET_STRING"}, | 85 | {ERR_PACK(0,X509V3_F_S2I_ASN1_OCTET_STRING,0), "s2i_ASN1_OCTET_STRING"}, |
| @@ -128,6 +130,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]= | |||
| 128 | {X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED,"extension setting not supported"}, | 130 | {X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED,"extension setting not supported"}, |
| 129 | {X509V3_R_EXTENSION_VALUE_ERROR ,"extension value error"}, | 131 | {X509V3_R_EXTENSION_VALUE_ERROR ,"extension value error"}, |
| 130 | {X509V3_R_ILLEGAL_HEX_DIGIT ,"illegal hex digit"}, | 132 | {X509V3_R_ILLEGAL_HEX_DIGIT ,"illegal hex digit"}, |
| 133 | {X509V3_R_INCORRECT_POLICY_SYNTAX_TAG ,"incorrect policy syntax tag"}, | ||
| 131 | {X509V3_R_INVALID_BOOLEAN_STRING ,"invalid boolean string"}, | 134 | {X509V3_R_INVALID_BOOLEAN_STRING ,"invalid boolean string"}, |
| 132 | {X509V3_R_INVALID_EXTENSION_STRING ,"invalid extension string"}, | 135 | {X509V3_R_INVALID_EXTENSION_STRING ,"invalid extension string"}, |
| 133 | {X509V3_R_INVALID_NAME ,"invalid name"}, | 136 | {X509V3_R_INVALID_NAME ,"invalid name"}, |
| @@ -139,6 +142,8 @@ static ERR_STRING_DATA X509V3_str_reasons[]= | |||
| 139 | {X509V3_R_INVALID_OBJECT_IDENTIFIER ,"invalid object identifier"}, | 142 | {X509V3_R_INVALID_OBJECT_IDENTIFIER ,"invalid object identifier"}, |
| 140 | {X509V3_R_INVALID_OPTION ,"invalid option"}, | 143 | {X509V3_R_INVALID_OPTION ,"invalid option"}, |
| 141 | {X509V3_R_INVALID_POLICY_IDENTIFIER ,"invalid policy identifier"}, | 144 | {X509V3_R_INVALID_POLICY_IDENTIFIER ,"invalid policy identifier"}, |
| 145 | {X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER,"invalid proxy policy identifier"}, | ||
| 146 | {X509V3_R_INVALID_PROXY_POLICY_SETTING ,"invalid proxy policy setting"}, | ||
| 142 | {X509V3_R_INVALID_PURPOSE ,"invalid purpose"}, | 147 | {X509V3_R_INVALID_PURPOSE ,"invalid purpose"}, |
| 143 | {X509V3_R_INVALID_SECTION ,"invalid section"}, | 148 | {X509V3_R_INVALID_SECTION ,"invalid section"}, |
| 144 | {X509V3_R_INVALID_SYNTAX ,"invalid syntax"}, | 149 | {X509V3_R_INVALID_SYNTAX ,"invalid syntax"}, |
| @@ -149,9 +154,16 @@ static ERR_STRING_DATA X509V3_str_reasons[]= | |||
| 149 | {X509V3_R_NO_ISSUER_CERTIFICATE ,"no issuer certificate"}, | 154 | {X509V3_R_NO_ISSUER_CERTIFICATE ,"no issuer certificate"}, |
| 150 | {X509V3_R_NO_ISSUER_DETAILS ,"no issuer details"}, | 155 | {X509V3_R_NO_ISSUER_DETAILS ,"no issuer details"}, |
| 151 | {X509V3_R_NO_POLICY_IDENTIFIER ,"no policy identifier"}, | 156 | {X509V3_R_NO_POLICY_IDENTIFIER ,"no policy identifier"}, |
| 157 | {X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED,"no proxy cert policy language defined"}, | ||
| 152 | {X509V3_R_NO_PUBLIC_KEY ,"no public key"}, | 158 | {X509V3_R_NO_PUBLIC_KEY ,"no public key"}, |
| 153 | {X509V3_R_NO_SUBJECT_DETAILS ,"no subject details"}, | 159 | {X509V3_R_NO_SUBJECT_DETAILS ,"no subject details"}, |
| 154 | {X509V3_R_ODD_NUMBER_OF_DIGITS ,"odd number of digits"}, | 160 | {X509V3_R_ODD_NUMBER_OF_DIGITS ,"odd number of digits"}, |
| 161 | {X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED,"policy language alreadty defined"}, | ||
| 162 | {X509V3_R_POLICY_PATH_LENGTH ,"policy path length"}, | ||
| 163 | {X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED,"policy path length alreadty defined"}, | ||
| 164 | {X509V3_R_POLICY_SYNTAX_NOT ,"policy syntax not"}, | ||
| 165 | {X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED,"policy syntax not currently supported"}, | ||
| 166 | {X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY,"policy when proxy language requires no policy"}, | ||
| 155 | {X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS ,"unable to get issuer details"}, | 167 | {X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS ,"unable to get issuer details"}, |
| 156 | {X509V3_R_UNABLE_TO_GET_ISSUER_KEYID ,"unable to get issuer keyid"}, | 168 | {X509V3_R_UNABLE_TO_GET_ISSUER_KEYID ,"unable to get issuer keyid"}, |
| 157 | {X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT ,"unknown bit string argument"}, | 169 | {X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT ,"unknown bit string argument"}, |
diff --git a/src/lib/libcrypto/x509v3/x509v3.h b/src/lib/libcrypto/x509v3/x509v3.h index fb07a19016..e6d91251c2 100644 --- a/src/lib/libcrypto/x509v3/x509v3.h +++ b/src/lib/libcrypto/x509v3/x509v3.h | |||
| @@ -287,6 +287,23 @@ typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES; | |||
| 287 | DECLARE_STACK_OF(POLICYINFO) | 287 | DECLARE_STACK_OF(POLICYINFO) |
| 288 | DECLARE_ASN1_SET_OF(POLICYINFO) | 288 | DECLARE_ASN1_SET_OF(POLICYINFO) |
| 289 | 289 | ||
| 290 | /* Proxy certificate structures, see RFC 3820 */ | ||
| 291 | typedef struct PROXY_POLICY_st | ||
| 292 | { | ||
| 293 | ASN1_OBJECT *policyLanguage; | ||
| 294 | ASN1_OCTET_STRING *policy; | ||
| 295 | } PROXY_POLICY; | ||
| 296 | |||
| 297 | typedef struct PROXY_CERT_INFO_EXTENSION_st | ||
| 298 | { | ||
| 299 | ASN1_INTEGER *pcPathLengthConstraint; | ||
| 300 | PROXY_POLICY *proxyPolicy; | ||
| 301 | } PROXY_CERT_INFO_EXTENSION; | ||
| 302 | |||
| 303 | DECLARE_ASN1_FUNCTIONS(PROXY_POLICY) | ||
| 304 | DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION) | ||
| 305 | |||
| 306 | |||
| 290 | #define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \ | 307 | #define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \ |
| 291 | ",name:", val->name, ",value:", val->value); | 308 | ",name:", val->name, ",value:", val->value); |
| 292 | 309 | ||
| @@ -325,6 +342,7 @@ DECLARE_ASN1_SET_OF(POLICYINFO) | |||
| 325 | #define EXFLAG_INVALID 0x80 | 342 | #define EXFLAG_INVALID 0x80 |
| 326 | #define EXFLAG_SET 0x100 | 343 | #define EXFLAG_SET 0x100 |
| 327 | #define EXFLAG_CRITICAL 0x200 | 344 | #define EXFLAG_CRITICAL 0x200 |
| 345 | #define EXFLAG_PROXY 0x400 | ||
| 328 | 346 | ||
| 329 | #define KU_DIGITAL_SIGNATURE 0x0080 | 347 | #define KU_DIGITAL_SIGNATURE 0x0080 |
| 330 | #define KU_NON_REPUDIATION 0x0040 | 348 | #define KU_NON_REPUDIATION 0x0040 |
| @@ -527,6 +545,7 @@ int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent); | |||
| 527 | 545 | ||
| 528 | int X509V3_extensions_print(BIO *out, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent); | 546 | int X509V3_extensions_print(BIO *out, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent); |
| 529 | 547 | ||
| 548 | int X509_check_ca(X509 *x); | ||
| 530 | int X509_check_purpose(X509 *x, int id, int ca); | 549 | int X509_check_purpose(X509 *x, int id, int ca); |
| 531 | int X509_supported_extension(X509_EXTENSION *ex); | 550 | int X509_supported_extension(X509_EXTENSION *ex); |
| 532 | int X509_PURPOSE_set(int *p, int purpose); | 551 | int X509_PURPOSE_set(int *p, int purpose); |
| @@ -564,12 +583,14 @@ void ERR_load_X509V3_strings(void); | |||
| 564 | #define X509V3_F_DO_EXT_I2D 135 | 583 | #define X509V3_F_DO_EXT_I2D 135 |
| 565 | #define X509V3_F_HEX_TO_STRING 111 | 584 | #define X509V3_F_HEX_TO_STRING 111 |
| 566 | #define X509V3_F_I2S_ASN1_ENUMERATED 121 | 585 | #define X509V3_F_I2S_ASN1_ENUMERATED 121 |
| 586 | #define X509V3_F_I2S_ASN1_IA5STRING 142 | ||
| 567 | #define X509V3_F_I2S_ASN1_INTEGER 120 | 587 | #define X509V3_F_I2S_ASN1_INTEGER 120 |
| 568 | #define X509V3_F_I2V_AUTHORITY_INFO_ACCESS 138 | 588 | #define X509V3_F_I2V_AUTHORITY_INFO_ACCESS 138 |
| 569 | #define X509V3_F_NOTICE_SECTION 132 | 589 | #define X509V3_F_NOTICE_SECTION 132 |
| 570 | #define X509V3_F_NREF_NOS 133 | 590 | #define X509V3_F_NREF_NOS 133 |
| 571 | #define X509V3_F_POLICY_SECTION 131 | 591 | #define X509V3_F_POLICY_SECTION 131 |
| 572 | #define X509V3_F_R2I_CERTPOL 130 | 592 | #define X509V3_F_R2I_CERTPOL 130 |
| 593 | #define X509V3_F_R2I_PCI 142 | ||
| 573 | #define X509V3_F_S2I_ASN1_IA5STRING 100 | 594 | #define X509V3_F_S2I_ASN1_IA5STRING 100 |
| 574 | #define X509V3_F_S2I_ASN1_INTEGER 108 | 595 | #define X509V3_F_S2I_ASN1_INTEGER 108 |
| 575 | #define X509V3_F_S2I_ASN1_OCTET_STRING 112 | 596 | #define X509V3_F_S2I_ASN1_OCTET_STRING 112 |
| @@ -617,6 +638,7 @@ void ERR_load_X509V3_strings(void); | |||
| 617 | #define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 103 | 638 | #define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 103 |
| 618 | #define X509V3_R_EXTENSION_VALUE_ERROR 116 | 639 | #define X509V3_R_EXTENSION_VALUE_ERROR 116 |
| 619 | #define X509V3_R_ILLEGAL_HEX_DIGIT 113 | 640 | #define X509V3_R_ILLEGAL_HEX_DIGIT 113 |
| 641 | #define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 153 | ||
| 620 | #define X509V3_R_INVALID_BOOLEAN_STRING 104 | 642 | #define X509V3_R_INVALID_BOOLEAN_STRING 104 |
| 621 | #define X509V3_R_INVALID_EXTENSION_STRING 105 | 643 | #define X509V3_R_INVALID_EXTENSION_STRING 105 |
| 622 | #define X509V3_R_INVALID_NAME 106 | 644 | #define X509V3_R_INVALID_NAME 106 |
| @@ -628,6 +650,8 @@ void ERR_load_X509V3_strings(void); | |||
| 628 | #define X509V3_R_INVALID_OBJECT_IDENTIFIER 110 | 650 | #define X509V3_R_INVALID_OBJECT_IDENTIFIER 110 |
| 629 | #define X509V3_R_INVALID_OPTION 138 | 651 | #define X509V3_R_INVALID_OPTION 138 |
| 630 | #define X509V3_R_INVALID_POLICY_IDENTIFIER 134 | 652 | #define X509V3_R_INVALID_POLICY_IDENTIFIER 134 |
| 653 | #define X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER 147 | ||
| 654 | #define X509V3_R_INVALID_PROXY_POLICY_SETTING 151 | ||
| 631 | #define X509V3_R_INVALID_PURPOSE 146 | 655 | #define X509V3_R_INVALID_PURPOSE 146 |
| 632 | #define X509V3_R_INVALID_SECTION 135 | 656 | #define X509V3_R_INVALID_SECTION 135 |
| 633 | #define X509V3_R_INVALID_SYNTAX 143 | 657 | #define X509V3_R_INVALID_SYNTAX 143 |
| @@ -638,9 +662,16 @@ void ERR_load_X509V3_strings(void); | |||
| 638 | #define X509V3_R_NO_ISSUER_CERTIFICATE 121 | 662 | #define X509V3_R_NO_ISSUER_CERTIFICATE 121 |
| 639 | #define X509V3_R_NO_ISSUER_DETAILS 127 | 663 | #define X509V3_R_NO_ISSUER_DETAILS 127 |
| 640 | #define X509V3_R_NO_POLICY_IDENTIFIER 139 | 664 | #define X509V3_R_NO_POLICY_IDENTIFIER 139 |
| 665 | #define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 148 | ||
| 641 | #define X509V3_R_NO_PUBLIC_KEY 114 | 666 | #define X509V3_R_NO_PUBLIC_KEY 114 |
| 642 | #define X509V3_R_NO_SUBJECT_DETAILS 125 | 667 | #define X509V3_R_NO_SUBJECT_DETAILS 125 |
| 643 | #define X509V3_R_ODD_NUMBER_OF_DIGITS 112 | 668 | #define X509V3_R_ODD_NUMBER_OF_DIGITS 112 |
| 669 | #define X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED 149 | ||
| 670 | #define X509V3_R_POLICY_PATH_LENGTH 152 | ||
| 671 | #define X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED 150 | ||
| 672 | #define X509V3_R_POLICY_SYNTAX_NOT 154 | ||
| 673 | #define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED 155 | ||
| 674 | #define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 156 | ||
| 644 | #define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 122 | 675 | #define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 122 |
| 645 | #define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 123 | 676 | #define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 123 |
| 646 | #define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 111 | 677 | #define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 111 |