summaryrefslogtreecommitdiff
path: root/lib/libcrypto/x509v3
diff options
context:
space:
mode:
authorDamien Miller <djm@cvs.openbsd.org>2008-09-06 12:17:55 +0000
committerDamien Miller <djm@cvs.openbsd.org>2008-09-06 12:17:55 +0000
commit96de7a4399a8c71cbb70d6252fa77acfd76b3f09 (patch)
treee6f6e4aad1952944ccd27e9eb47ea48b9a78dde7 /lib/libcrypto/x509v3
parentec7710fe8f10fb624fbc33c0bbad2474e0c26979 (diff)
resolve conflicts
Diffstat (limited to 'lib/libcrypto/x509v3')
-rw-r--r--lib/libcrypto/x509v3/ext_dat.h13
-rw-r--r--lib/libcrypto/x509v3/v3_akey.c190
-rw-r--r--lib/libcrypto/x509v3/v3_alt.c289
-rw-r--r--lib/libcrypto/x509v3/v3_bcons.c2
-rw-r--r--lib/libcrypto/x509v3/v3_bitst.c14
-rw-r--r--lib/libcrypto/x509v3/v3_conf.c73
-rw-r--r--lib/libcrypto/x509v3/v3_cpols.c24
-rw-r--r--lib/libcrypto/x509v3/v3_crld.c2
-rw-r--r--lib/libcrypto/x509v3/v3_enum.c2
-rw-r--r--lib/libcrypto/x509v3/v3_extku.c8
-rw-r--r--lib/libcrypto/x509v3/v3_ia5.c2
-rw-r--r--lib/libcrypto/x509v3/v3_info.c17
-rw-r--r--lib/libcrypto/x509v3/v3_int.c17
-rw-r--r--lib/libcrypto/x509v3/v3_lib.c7
-rw-r--r--lib/libcrypto/x509v3/v3_ocsp.c22
-rw-r--r--lib/libcrypto/x509v3/v3_pku.c2
-rw-r--r--lib/libcrypto/x509v3/v3_prn.c5
-rw-r--r--lib/libcrypto/x509v3/v3_purp.c18
-rw-r--r--lib/libcrypto/x509v3/v3_skey.c10
-rw-r--r--lib/libcrypto/x509v3/v3_sxnet.c6
-rw-r--r--lib/libcrypto/x509v3/v3_utl.c343
-rw-r--r--lib/libcrypto/x509v3/v3err.c52
-rw-r--r--lib/libcrypto/x509v3/x509v3.h281
23 files changed, 1110 insertions, 289 deletions
diff --git a/lib/libcrypto/x509v3/ext_dat.h b/lib/libcrypto/x509v3/ext_dat.h
index d8328ac468c..5c063ac65df 100644
--- a/lib/libcrypto/x509v3/ext_dat.h
+++ b/lib/libcrypto/x509v3/ext_dat.h
@@ -65,6 +65,11 @@ extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld;
extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
extern X509V3_EXT_METHOD v3_crl_hold, v3_pci;
+extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
+extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp;
+#ifndef OPENSSL_NO_RFC3779
+extern X509V3_EXT_METHOD v3_addr, v3_asid;
+#endif
/* This table will be searched using OBJ_bsearch so it *must* kept in
* order of the ext_nid values.
@@ -97,6 +102,10 @@ static X509V3_EXT_METHOD *standard_exts[] = {
#endif
&v3_sxnet,
&v3_info,
+#ifndef OPENSSL_NO_RFC3779
+&v3_addr,
+&v3_asid,
+#endif
#ifndef OPENSSL_NO_OCSP
&v3_ocsp_nonce,
&v3_ocsp_crlid,
@@ -106,10 +115,14 @@ static X509V3_EXT_METHOD *standard_exts[] = {
&v3_ocsp_serviceloc,
#endif
&v3_sinfo,
+&v3_policy_constraints,
#ifndef OPENSSL_NO_OCSP
&v3_crl_hold,
#endif
&v3_pci,
+&v3_name_constraints,
+&v3_policy_mappings,
+&v3_inhibit_anyp
};
/* Number of standard extensions */
diff --git a/lib/libcrypto/x509v3/v3_akey.c b/lib/libcrypto/x509v3/v3_akey.c
index 97e686f97af..ac0548b7751 100644
--- a/lib/libcrypto/x509v3/v3_akey.c
+++ b/lib/libcrypto/x509v3/v3_akey.c
@@ -68,15 +68,17 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
-X509V3_EXT_METHOD v3_akey_id = {
-NID_authority_key_identifier, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_KEYID),
-0,0,0,0,
-0,0,
-(X509V3_EXT_I2V)i2v_AUTHORITY_KEYID,
-(X509V3_EXT_V2I)v2i_AUTHORITY_KEYID,
-0,0,
-NULL
-};
+const X509V3_EXT_METHOD v3_akey_id =
+ {
+ NID_authority_key_identifier,
+ X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_KEYID),
+ 0,0,0,0,
+ 0,0,
+ (X509V3_EXT_I2V)i2v_AUTHORITY_KEYID,
+ (X509V3_EXT_V2I)v2i_AUTHORITY_KEYID,
+ 0,0,
+ NULL
+ };
static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist)
@@ -108,83 +110,99 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values)
-{
-char keyid=0, issuer=0;
-int i;
-CONF_VALUE *cnf;
-ASN1_OCTET_STRING *ikeyid = NULL;
-X509_NAME *isname = NULL;
-GENERAL_NAMES * gens = NULL;
-GENERAL_NAME *gen = NULL;
-ASN1_INTEGER *serial = NULL;
-X509_EXTENSION *ext;
-X509 *cert;
-AUTHORITY_KEYID *akeyid;
-for(i = 0; i < sk_CONF_VALUE_num(values); i++) {
- cnf = sk_CONF_VALUE_value(values, i);
- if(!strcmp(cnf->name, "keyid")) {
- keyid = 1;
- if(cnf->value && !strcmp(cnf->value, "always")) keyid = 2;
- } else if(!strcmp(cnf->name, "issuer")) {
- issuer = 1;
- if(cnf->value && !strcmp(cnf->value, "always")) issuer = 2;
- } else {
- X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNKNOWN_OPTION);
- ERR_add_error_data(2, "name=", cnf->name);
+ {
+ char keyid=0, issuer=0;
+ int i;
+ CONF_VALUE *cnf;
+ ASN1_OCTET_STRING *ikeyid = NULL;
+ X509_NAME *isname = NULL;
+ GENERAL_NAMES * gens = NULL;
+ GENERAL_NAME *gen = NULL;
+ ASN1_INTEGER *serial = NULL;
+ X509_EXTENSION *ext;
+ X509 *cert;
+ AUTHORITY_KEYID *akeyid;
+
+ for(i = 0; i < sk_CONF_VALUE_num(values); i++)
+ {
+ cnf = sk_CONF_VALUE_value(values, i);
+ if(!strcmp(cnf->name, "keyid"))
+ {
+ keyid = 1;
+ if(cnf->value && !strcmp(cnf->value, "always"))
+ keyid = 2;
+ }
+ else if(!strcmp(cnf->name, "issuer"))
+ {
+ issuer = 1;
+ if(cnf->value && !strcmp(cnf->value, "always"))
+ issuer = 2;
+ }
+ else
+ {
+ X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNKNOWN_OPTION);
+ ERR_add_error_data(2, "name=", cnf->name);
+ return NULL;
+ }
+ }
+
+ if(!ctx || !ctx->issuer_cert)
+ {
+ if(ctx && (ctx->flags==CTX_TEST))
+ return AUTHORITY_KEYID_new();
+ X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_NO_ISSUER_CERTIFICATE);
return NULL;
- }
-}
-
-if(!ctx || !ctx->issuer_cert) {
- if(ctx && (ctx->flags==CTX_TEST)) return AUTHORITY_KEYID_new();
- X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_NO_ISSUER_CERTIFICATE);
+ }
+
+ cert = ctx->issuer_cert;
+
+ if(keyid)
+ {
+ i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
+ if((i >= 0) && (ext = X509_get_ext(cert, i)))
+ ikeyid = X509V3_EXT_d2i(ext);
+ if(keyid==2 && !ikeyid)
+ {
+ X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);
+ return NULL;
+ }
+ }
+
+ if((issuer && !ikeyid) || (issuer == 2))
+ {
+ isname = X509_NAME_dup(X509_get_issuer_name(cert));
+ serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(cert));
+ if(!isname || !serial)
+ {
+ X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
+ goto err;
+ }
+ }
+
+ if(!(akeyid = AUTHORITY_KEYID_new())) goto err;
+
+ if(isname)
+ {
+ if(!(gens = sk_GENERAL_NAME_new_null())
+ || !(gen = GENERAL_NAME_new())
+ || !sk_GENERAL_NAME_push(gens, gen))
+ {
+ X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ gen->type = GEN_DIRNAME;
+ gen->d.dirn = isname;
+ }
+
+ akeyid->issuer = gens;
+ akeyid->serial = serial;
+ akeyid->keyid = ikeyid;
+
+ return akeyid;
+
+ err:
+ X509_NAME_free(isname);
+ M_ASN1_INTEGER_free(serial);
+ M_ASN1_OCTET_STRING_free(ikeyid);
return NULL;
-}
-
-cert = ctx->issuer_cert;
-
-if(keyid) {
- i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
- if((i >= 0) && (ext = X509_get_ext(cert, i)))
- ikeyid = X509V3_EXT_d2i(ext);
- if(keyid==2 && !ikeyid) {
- X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);
- return NULL;
- }
-}
-
-if((issuer && !ikeyid) || (issuer == 2)) {
- isname = X509_NAME_dup(X509_get_issuer_name(cert));
- serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(cert));
- if(!isname || !serial) {
- X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
- goto err;
}
-}
-
-if(!(akeyid = AUTHORITY_KEYID_new())) goto err;
-
-if(isname) {
- if(!(gens = sk_GENERAL_NAME_new_null()) || !(gen = GENERAL_NAME_new())
- || !sk_GENERAL_NAME_push(gens, gen)) {
- X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,ERR_R_MALLOC_FAILURE);
- goto err;
- }
- gen->type = GEN_DIRNAME;
- gen->d.dirn = isname;
-}
-
-akeyid->issuer = gens;
-akeyid->serial = serial;
-akeyid->keyid = ikeyid;
-
-return akeyid;
-
-err:
-X509_NAME_free(isname);
-M_ASN1_INTEGER_free(serial);
-M_ASN1_OCTET_STRING_free(ikeyid);
-return NULL;
-
-}
-
diff --git a/lib/libcrypto/x509v3/v3_alt.c b/lib/libcrypto/x509v3/v3_alt.c
index 58b935a3b6b..bb2f5bc54eb 100644
--- a/lib/libcrypto/x509v3/v3_alt.c
+++ b/lib/libcrypto/x509v3/v3_alt.c
@@ -1,9 +1,9 @@
/* v3_alt.c */
/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
- * project 1999.
+ * project.
*/
/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -65,7 +65,10 @@ static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx
static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p);
static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens);
-X509V3_EXT_METHOD v3_alt[] = {
+static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx);
+static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx);
+
+const X509V3_EXT_METHOD v3_alt[] = {
{ NID_subject_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
0,0,0,0,
0,0,
@@ -98,7 +101,8 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret)
{
unsigned char *p;
- char oline[256];
+ char oline[256], htmp[5];
+ int i;
switch (gen->type)
{
case GEN_OTHERNAME:
@@ -132,13 +136,27 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
case GEN_IPADD:
p = gen->d.ip->data;
- /* BUG: doesn't support IPV6 */
- if(gen->d.ip->length != 4) {
+ if(gen->d.ip->length == 4)
+ BIO_snprintf(oline, sizeof oline,
+ "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
+ else if(gen->d.ip->length == 16)
+ {
+ oline[0] = 0;
+ for (i = 0; i < 8; i++)
+ {
+ BIO_snprintf(htmp, sizeof htmp,
+ "%X", p[0] << 8 | p[1]);
+ p += 2;
+ strcat(oline, htmp);
+ if (i != 7)
+ strcat(oline, ":");
+ }
+ }
+ else
+ {
X509V3_add_value("IP Address","<invalid>", &ret);
break;
- }
- BIO_snprintf(oline, sizeof oline,
- "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
+ }
X509V3_add_value("IP Address",oline, &ret);
break;
@@ -153,6 +171,7 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
{
unsigned char *p;
+ int i;
switch (gen->type)
{
case GEN_OTHERNAME:
@@ -187,12 +206,24 @@ int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
case GEN_IPADD:
p = gen->d.ip->data;
- /* BUG: doesn't support IPV6 */
- if(gen->d.ip->length != 4) {
+ if(gen->d.ip->length == 4)
+ BIO_printf(out, "IP Address:%d.%d.%d.%d",
+ p[0], p[1], p[2], p[3]);
+ else if(gen->d.ip->length == 16)
+ {
+ BIO_printf(out, "IP Address");
+ for (i = 0; i < 8; i++)
+ {
+ BIO_printf(out, ":%X", p[0] << 8 | p[1]);
+ p += 2;
+ }
+ BIO_puts(out, "\n");
+ }
+ else
+ {
BIO_printf(out,"IP Address:<invalid>");
break;
- }
- BIO_printf(out, "IP Address:%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
+ }
break;
case GEN_RID:
@@ -210,7 +241,7 @@ static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
CONF_VALUE *cnf;
int i;
if(!(gens = sk_GENERAL_NAME_new_null())) {
- X509V3err(X509V3_F_V2I_GENERAL_NAMES,ERR_R_MALLOC_FAILURE);
+ X509V3err(X509V3_F_V2I_ISSUER_ALT,ERR_R_MALLOC_FAILURE);
return NULL;
}
for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
@@ -275,7 +306,7 @@ static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
CONF_VALUE *cnf;
int i;
if(!(gens = sk_GENERAL_NAME_new_null())) {
- X509V3err(X509V3_F_V2I_GENERAL_NAMES,ERR_R_MALLOC_FAILURE);
+ X509V3err(X509V3_F_V2I_SUBJECT_ALT,ERR_R_MALLOC_FAILURE);
return NULL;
}
for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
@@ -310,7 +341,8 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
X509_NAME_ENTRY *ne;
GENERAL_NAME *gen = NULL;
int i;
- if(ctx->flags == CTX_TEST) return 1;
+ if(ctx != NULL && ctx->flags == CTX_TEST)
+ return 1;
if(!ctx || (!ctx->subject_cert && !ctx->subject_req)) {
X509V3err(X509V3_F_COPY_EMAIL,X509V3_R_NO_SUBJECT_DETAILS);
goto err;
@@ -378,81 +410,172 @@ GENERAL_NAMES *v2i_GENERAL_NAMES(X509V3_EXT_METHOD *method,
GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
CONF_VALUE *cnf)
-{
-char is_string = 0;
-int type;
-GENERAL_NAME *gen = NULL;
+ {
+ return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0);
+ }
-char *name, *value;
+GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
+ X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+ CONF_VALUE *cnf, int is_nc)
+ {
+ char is_string = 0;
+ int type;
+ GENERAL_NAME *gen = NULL;
-name = cnf->name;
-value = cnf->value;
+ char *name, *value;
-if(!value) {
- X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_MISSING_VALUE);
- return NULL;
-}
+ name = cnf->name;
+ value = cnf->value;
-if(!(gen = GENERAL_NAME_new())) {
- X509V3err(X509V3_F_V2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
- return NULL;
-}
+ if(!value)
+ {
+ X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_MISSING_VALUE);
+ return NULL;
+ }
-if(!name_cmp(name, "email")) {
- is_string = 1;
- type = GEN_EMAIL;
-} else if(!name_cmp(name, "URI")) {
- is_string = 1;
- type = GEN_URI;
-} else if(!name_cmp(name, "DNS")) {
- is_string = 1;
- type = GEN_DNS;
-} else if(!name_cmp(name, "RID")) {
- ASN1_OBJECT *obj;
- if(!(obj = OBJ_txt2obj(value,0))) {
- X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_BAD_OBJECT);
- ERR_add_error_data(2, "value=", value);
- goto err;
- }
- gen->d.rid = obj;
- type = GEN_RID;
-} else if(!name_cmp(name, "IP")) {
- int i1,i2,i3,i4;
- unsigned char ip[4];
- if((sscanf(value, "%d.%d.%d.%d",&i1,&i2,&i3,&i4) != 4) ||
- (i1 < 0) || (i1 > 255) || (i2 < 0) || (i2 > 255) ||
- (i3 < 0) || (i3 > 255) || (i4 < 0) || (i4 > 255) ) {
- X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_BAD_IP_ADDRESS);
- ERR_add_error_data(2, "value=", value);
+ if (out)
+ gen = out;
+ else
+ {
+ gen = GENERAL_NAME_new();
+ if(gen == NULL)
+ {
+ X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+ }
+
+ if(!name_cmp(name, "email"))
+ {
+ is_string = 1;
+ type = GEN_EMAIL;
+ }
+ else if(!name_cmp(name, "URI"))
+ {
+ is_string = 1;
+ type = GEN_URI;
+ }
+ else if(!name_cmp(name, "DNS"))
+ {
+ is_string = 1;
+ type = GEN_DNS;
+ }
+ else if(!name_cmp(name, "RID"))
+ {
+ ASN1_OBJECT *obj;
+ if(!(obj = OBJ_txt2obj(value,0)))
+ {
+ X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_BAD_OBJECT);
+ ERR_add_error_data(2, "value=", value);
+ goto err;
+ }
+ gen->d.rid = obj;
+ type = GEN_RID;
+ }
+ else if(!name_cmp(name, "IP"))
+ {
+ if (is_nc)
+ gen->d.ip = a2i_IPADDRESS_NC(value);
+ else
+ gen->d.ip = a2i_IPADDRESS(value);
+ if(gen->d.ip == NULL)
+ {
+ X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_BAD_IP_ADDRESS);
+ ERR_add_error_data(2, "value=", value);
+ goto err;
+ }
+ type = GEN_IPADD;
+ }
+ else if(!name_cmp(name, "dirName"))
+ {
+ type = GEN_DIRNAME;
+ if (!do_dirname(gen, value, ctx))
+ {
+ X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_DIRNAME_ERROR);
+ goto err;
+ }
+ }
+ else if(!name_cmp(name, "otherName"))
+ {
+ if (!do_othername(gen, value, ctx))
+ {
+ X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_OTHERNAME_ERROR);
+ goto err;
+ }
+ type = GEN_OTHERNAME;
+ }
+ else
+ {
+ X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_UNSUPPORTED_OPTION);
+ ERR_add_error_data(2, "name=", name);
goto err;
- }
- ip[0] = i1; ip[1] = i2 ; ip[2] = i3 ; ip[3] = i4;
- if(!(gen->d.ip = M_ASN1_OCTET_STRING_new()) ||
- !ASN1_STRING_set(gen->d.ip, ip, 4)) {
- X509V3err(X509V3_F_V2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
+ }
+
+ if(is_string)
+ {
+ if(!(gen->d.ia5 = M_ASN1_IA5STRING_new()) ||
+ !ASN1_STRING_set(gen->d.ia5, (unsigned char*)value,
+ strlen(value)))
+ {
+ X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,ERR_R_MALLOC_FAILURE);
goto err;
- }
- type = GEN_IPADD;
-} else {
- X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_UNSUPPORTED_OPTION);
- ERR_add_error_data(2, "name=", name);
- goto err;
-}
+ }
+ }
-if(is_string) {
- if(!(gen->d.ia5 = M_ASN1_IA5STRING_new()) ||
- !ASN1_STRING_set(gen->d.ia5, (unsigned char*)value,
- strlen(value))) {
- X509V3err(X509V3_F_V2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
- goto err;
- }
-}
+ gen->type = type;
+
+ return gen;
-gen->type = type;
+ err:
+ GENERAL_NAME_free(gen);
+ return NULL;
+ }
-return gen;
+static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
+ {
+ char *objtmp = NULL, *p;
+ int objlen;
+ if (!(p = strchr(value, ';')))
+ return 0;
+ if (!(gen->d.otherName = OTHERNAME_new()))
+ return 0;
+ /* Free this up because we will overwrite it.
+ * no need to free type_id because it is static
+ */
+ ASN1_TYPE_free(gen->d.otherName->value);
+ if (!(gen->d.otherName->value = ASN1_generate_v3(p + 1, ctx)))
+ return 0;
+ objlen = p - value;
+ objtmp = OPENSSL_malloc(objlen + 1);
+ strncpy(objtmp, value, objlen);
+ objtmp[objlen] = 0;
+ gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0);
+ OPENSSL_free(objtmp);
+ if (!gen->d.otherName->type_id)
+ return 0;
+ return 1;
+ }
-err:
-GENERAL_NAME_free(gen);
-return NULL;
-}
+static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
+ {
+ int ret;
+ STACK_OF(CONF_VALUE) *sk;
+ X509_NAME *nm;
+ if (!(nm = X509_NAME_new()))
+ return 0;
+ sk = X509V3_get_section(ctx, value);
+ if (!sk)
+ {
+ X509V3err(X509V3_F_DO_DIRNAME,X509V3_R_SECTION_NOT_FOUND);
+ ERR_add_error_data(2, "section=", value);
+ X509_NAME_free(nm);
+ return 0;
+ }
+ /* FIXME: should allow other character types... */
+ ret = X509V3_NAME_from_section(nm, sk, MBSTRING_ASC);
+ if (!ret)
+ X509_NAME_free(nm);
+ gen->d.dirn = nm;
+
+ return ret;
+ }
diff --git a/lib/libcrypto/x509v3/v3_bcons.c b/lib/libcrypto/x509v3/v3_bcons.c
index cbb012715e5..74b1233071c 100644
--- a/lib/libcrypto/x509v3/v3_bcons.c
+++ b/lib/libcrypto/x509v3/v3_bcons.c
@@ -67,7 +67,7 @@
static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, BASIC_CONSTRAINTS *bcons, STACK_OF(CONF_VALUE) *extlist);
static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
-X509V3_EXT_METHOD v3_bcons = {
+const X509V3_EXT_METHOD v3_bcons = {
NID_basic_constraints, 0,
ASN1_ITEM_ref(BASIC_CONSTRAINTS),
0,0,0,0,
diff --git a/lib/libcrypto/x509v3/v3_bitst.c b/lib/libcrypto/x509v3/v3_bitst.c
index 274965306d4..cf31f0816ee 100644
--- a/lib/libcrypto/x509v3/v3_bitst.c
+++ b/lib/libcrypto/x509v3/v3_bitst.c
@@ -61,12 +61,6 @@
#include <openssl/conf.h>
#include <openssl/x509v3.h>
-static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-static STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
- ASN1_BIT_STRING *bits,
- STACK_OF(CONF_VALUE) *extlist);
-
static BIT_STRING_BITNAME ns_cert_type_table[] = {
{0, "SSL Client", "client"},
{1, "SSL Server", "server"},
@@ -94,10 +88,10 @@ static BIT_STRING_BITNAME key_usage_type_table[] = {
-X509V3_EXT_METHOD v3_nscert = EXT_BITSTRING(NID_netscape_cert_type, ns_cert_type_table);
-X509V3_EXT_METHOD v3_key_usage = EXT_BITSTRING(NID_key_usage, key_usage_type_table);
+const X509V3_EXT_METHOD v3_nscert = EXT_BITSTRING(NID_netscape_cert_type, ns_cert_type_table);
+const X509V3_EXT_METHOD v3_key_usage = EXT_BITSTRING(NID_key_usage, key_usage_type_table);
-static STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
+STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
ASN1_BIT_STRING *bits, STACK_OF(CONF_VALUE) *ret)
{
BIT_STRING_BITNAME *bnam;
@@ -108,7 +102,7 @@ static STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
return ret;
}
-static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
+ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
{
CONF_VALUE *val;
diff --git a/lib/libcrypto/x509v3/v3_conf.c b/lib/libcrypto/x509v3/v3_conf.c
index 1284d5aaa54..2b867305fba 100644
--- a/lib/libcrypto/x509v3/v3_conf.c
+++ b/lib/libcrypto/x509v3/v3_conf.c
@@ -3,7 +3,7 @@
* project 1999.
*/
/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -69,11 +69,12 @@
static int v3_check_critical(char **value);
static int v3_check_generic(char **value);
static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, int crit, char *value);
-static X509_EXTENSION *v3_generic_extension(const char *ext, char *value, int crit, int type);
+static X509_EXTENSION *v3_generic_extension(const char *ext, char *value, int crit, int type, X509V3_CTX *ctx);
static char *conf_lhash_get_string(void *db, char *section, char *value);
static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section);
static X509_EXTENSION *do_ext_i2d(X509V3_EXT_METHOD *method, int ext_nid,
int crit, void *ext_struc);
+static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len);
/* CONF *conf: Config file */
/* char *name: Name */
/* char *value: Value */
@@ -85,11 +86,11 @@ X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name,
X509_EXTENSION *ret;
crit = v3_check_critical(&value);
if ((ext_type = v3_check_generic(&value)))
- return v3_generic_extension(name, value, crit, ext_type);
+ return v3_generic_extension(name, value, crit, ext_type, ctx);
ret = do_ext_nconf(conf, ctx, OBJ_sn2nid(name), crit, value);
if (!ret)
{
- X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_ERROR_IN_EXTENSION);
+ X509V3err(X509V3_F_X509V3_EXT_NCONF,X509V3_R_ERROR_IN_EXTENSION);
ERR_add_error_data(4,"name=", name, ", value=", value);
}
return ret;
@@ -105,7 +106,7 @@ X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
crit = v3_check_critical(&value);
if ((ext_type = v3_check_generic(&value)))
return v3_generic_extension(OBJ_nid2sn(ext_nid),
- value, crit, ext_type);
+ value, crit, ext_type, ctx);
return do_ext_nconf(conf, ctx, ext_nid, crit, value);
}
@@ -120,12 +121,12 @@ static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
void *ext_struc;
if (ext_nid == NID_undef)
{
- X509V3err(X509V3_F_DO_EXT_CONF,X509V3_R_UNKNOWN_EXTENSION_NAME);
+ X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_UNKNOWN_EXTENSION_NAME);
return NULL;
}
if (!(method = X509V3_EXT_get_nid(ext_nid)))
{
- X509V3err(X509V3_F_DO_EXT_CONF,X509V3_R_UNKNOWN_EXTENSION);
+ X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_UNKNOWN_EXTENSION);
return NULL;
}
/* Now get internal extension representation based on type */
@@ -133,9 +134,9 @@ static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
{
if(*value == '@') nval = NCONF_get_section(conf, value + 1);
else nval = X509V3_parse_list(value);
- if(!nval)
+ if(sk_CONF_VALUE_num(nval) <= 0)
{
- X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_INVALID_EXTENSION_STRING);
+ X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_INVALID_EXTENSION_STRING);
ERR_add_error_data(4, "name=", OBJ_nid2sn(ext_nid), ",section=", value);
return NULL;
}
@@ -150,16 +151,16 @@ static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
}
else if(method->r2i)
{
- if(!ctx->db)
+ if(!ctx->db || !ctx->db_meth)
{
- X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_NO_CONFIG_DATABASE);
+ X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_NO_CONFIG_DATABASE);
return NULL;
}
if(!(ext_struc = method->r2i(method, ctx, value))) return NULL;
}
else
{
- X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED);
+ X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED);
ERR_add_error_data(2, "name=", OBJ_nid2sn(ext_nid));
return NULL;
}
@@ -235,17 +236,29 @@ static int v3_check_critical(char **value)
/* Check extension string for generic extension and return the type */
static int v3_check_generic(char **value)
{
+ int gen_type = 0;
char *p = *value;
- if ((strlen(p) < 4) || strncmp(p, "DER:", 4)) return 0;
- p+=4;
+ if ((strlen(p) >= 4) && !strncmp(p, "DER:", 4))
+ {
+ p+=4;
+ gen_type = 1;
+ }
+ else if ((strlen(p) >= 5) && !strncmp(p, "ASN1:", 5))
+ {
+ p+=5;
+ gen_type = 2;
+ }
+ else
+ return 0;
+
while (isspace((unsigned char)*p)) p++;
*value = p;
- return 1;
+ return gen_type;
}
/* Create a generic extension: for now just handle DER type */
static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
- int crit, int type)
+ int crit, int gen_type, X509V3_CTX *ctx)
{
unsigned char *ext_der=NULL;
long ext_len;
@@ -259,7 +272,12 @@ static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
goto err;
}
- if (!(ext_der = string_to_hex(value, &ext_len)))
+ if (gen_type == 1)
+ ext_der = string_to_hex(value, &ext_len);
+ else if (gen_type == 2)
+ ext_der = generic_asn1(value, ctx, &ext_len);
+
+ if (ext_der == NULL)
{
X509V3err(X509V3_F_V3_GENERIC_EXTENSION,X509V3_R_EXTENSION_VALUE_ERROR);
ERR_add_error_data(2, "value=", value);
@@ -286,6 +304,17 @@ static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
}
+static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len)
+ {
+ ASN1_TYPE *typ;
+ unsigned char *ext_der = NULL;
+ typ = ASN1_generate_v3(value, ctx);
+ if (typ == NULL)
+ return NULL;
+ *ext_len = i2d_ASN1_TYPE(typ, &ext_der);
+ ASN1_TYPE_free(typ);
+ return ext_der;
+ }
/* This is the main function: add a bunch of extensions based on a config file
* section to an extension STACK.
@@ -354,6 +383,11 @@ int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section)
{
+ if(!ctx->db || !ctx->db_meth || !ctx->db_meth->get_string)
+ {
+ X509V3err(X509V3_F_X509V3_GET_STRING,X509V3_R_OPERATION_NOT_DEFINED);
+ return NULL;
+ }
if (ctx->db_meth->get_string)
return ctx->db_meth->get_string(ctx->db, name, section);
return NULL;
@@ -361,6 +395,11 @@ char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section)
STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section)
{
+ if(!ctx->db || !ctx->db_meth || !ctx->db_meth->get_section)
+ {
+ X509V3err(X509V3_F_X509V3_GET_SECTION,X509V3_R_OPERATION_NOT_DEFINED);
+ return NULL;
+ }
if (ctx->db_meth->get_section)
return ctx->db_meth->get_section(ctx->db, section);
return NULL;
diff --git a/lib/libcrypto/x509v3/v3_cpols.c b/lib/libcrypto/x509v3/v3_cpols.c
index 867525f336a..a40f490aa90 100644
--- a/lib/libcrypto/x509v3/v3_cpols.c
+++ b/lib/libcrypto/x509v3/v3_cpols.c
@@ -3,7 +3,7 @@
* project 1999.
*/
/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -63,6 +63,8 @@
#include <openssl/asn1t.h>
#include <openssl/x509v3.h>
+#include "pcy_int.h"
+
/* Certificate policies extension support: this one is a bit complex... */
static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol, BIO *out, int indent);
@@ -75,7 +77,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
STACK_OF(CONF_VALUE) *unot, int ia5org);
static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos);
-X509V3_EXT_METHOD v3_cpols = {
+const X509V3_EXT_METHOD v3_cpols = {
NID_certificate_policies, 0,ASN1_ITEM_ref(CERTIFICATEPOLICIES),
0,0,0,0,
0,0,
@@ -348,7 +350,7 @@ static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos)
return 1;
merr:
- X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE);
+ X509V3err(X509V3_F_NREF_NOS,ERR_R_MALLOC_FAILURE);
err:
sk_ASN1_INTEGER_pop_free(nnums, ASN1_STRING_free);
@@ -429,3 +431,19 @@ static void print_notice(BIO *out, USERNOTICE *notice, int indent)
notice->exptext->data);
}
+void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
+ {
+ const X509_POLICY_DATA *dat = node->data;
+
+ BIO_printf(out, "%*sPolicy: ", indent, "");
+
+ i2a_ASN1_OBJECT(out, dat->valid_policy);
+ BIO_puts(out, "\n");
+ BIO_printf(out, "%*s%s\n", indent + 2, "",
+ node_data_critical(dat) ? "Critical" : "Non Critical");
+ if (dat->qualifier_set)
+ print_qualifiers(out, dat->qualifier_set, indent + 2);
+ else
+ BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
+ }
+
diff --git a/lib/libcrypto/x509v3/v3_crld.c b/lib/libcrypto/x509v3/v3_crld.c
index f90829c574e..c6e3ebae7b2 100644
--- a/lib/libcrypto/x509v3/v3_crld.c
+++ b/lib/libcrypto/x509v3/v3_crld.c
@@ -68,7 +68,7 @@ static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-X509V3_EXT_METHOD v3_crld = {
+const X509V3_EXT_METHOD v3_crld = {
NID_crl_distribution_points, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(CRL_DIST_POINTS),
0,0,0,0,
0,0,
diff --git a/lib/libcrypto/x509v3/v3_enum.c b/lib/libcrypto/x509v3/v3_enum.c
index 010c9d6260a..a236cb22e15 100644
--- a/lib/libcrypto/x509v3/v3_enum.c
+++ b/lib/libcrypto/x509v3/v3_enum.c
@@ -72,7 +72,7 @@ static ENUMERATED_NAMES crl_reasons[] = {
{-1, NULL, NULL}
};
-X509V3_EXT_METHOD v3_crl_reason = {
+const X509V3_EXT_METHOD v3_crl_reason = {
NID_crl_reason, 0, ASN1_ITEM_ref(ASN1_ENUMERATED),
0,0,0,0,
(X509V3_EXT_I2S)i2s_ASN1_ENUMERATED_TABLE,
diff --git a/lib/libcrypto/x509v3/v3_extku.c b/lib/libcrypto/x509v3/v3_extku.c
index b1cfaba1aa8..a4efe0031e1 100644
--- a/lib/libcrypto/x509v3/v3_extku.c
+++ b/lib/libcrypto/x509v3/v3_extku.c
@@ -68,7 +68,7 @@ static void *v2i_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
void *eku, STACK_OF(CONF_VALUE) *extlist);
-X509V3_EXT_METHOD v3_ext_ku = {
+const X509V3_EXT_METHOD v3_ext_ku = {
NID_ext_key_usage, 0,
ASN1_ITEM_ref(EXTENDED_KEY_USAGE),
0,0,0,0,
@@ -80,7 +80,7 @@ X509V3_EXT_METHOD v3_ext_ku = {
};
/* NB OCSP acceptable responses also is a SEQUENCE OF OBJECT */
-X509V3_EXT_METHOD v3_ocsp_accresp = {
+const X509V3_EXT_METHOD v3_ocsp_accresp = {
NID_id_pkix_OCSP_acceptableResponses, 0,
ASN1_ITEM_ref(EXTENDED_KEY_USAGE),
0,0,0,0,
@@ -122,7 +122,7 @@ static void *v2i_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
int i;
if(!(extku = sk_ASN1_OBJECT_new_null())) {
- X509V3err(X509V3_F_V2I_EXT_KU,ERR_R_MALLOC_FAILURE);
+ X509V3err(X509V3_F_V2I_EXTENDED_KEY_USAGE,ERR_R_MALLOC_FAILURE);
return NULL;
}
@@ -132,7 +132,7 @@ static void *v2i_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
else extval = val->name;
if(!(objtmp = OBJ_txt2obj(extval, 0))) {
sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
- X509V3err(X509V3_F_V2I_EXT_KU,X509V3_R_INVALID_OBJECT_IDENTIFIER);
+ X509V3err(X509V3_F_V2I_EXTENDED_KEY_USAGE,X509V3_R_INVALID_OBJECT_IDENTIFIER);
X509V3_conf_err(val);
return NULL;
}
diff --git a/lib/libcrypto/x509v3/v3_ia5.c b/lib/libcrypto/x509v3/v3_ia5.c
index 9683afa47c4..b739ccd0361 100644
--- a/lib/libcrypto/x509v3/v3_ia5.c
+++ b/lib/libcrypto/x509v3/v3_ia5.c
@@ -65,7 +65,7 @@
static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5);
static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
-X509V3_EXT_METHOD v3_ns_ia5_list[] = {
+const X509V3_EXT_METHOD v3_ns_ia5_list[] = {
EXT_IA5STRING(NID_netscape_base_url),
EXT_IA5STRING(NID_netscape_revocation_url),
EXT_IA5STRING(NID_netscape_ca_revocation_url),
diff --git a/lib/libcrypto/x509v3/v3_info.c b/lib/libcrypto/x509v3/v3_info.c
index 53e3f488590..e0ef69de423 100644
--- a/lib/libcrypto/x509v3/v3_info.c
+++ b/lib/libcrypto/x509v3/v3_info.c
@@ -69,7 +69,7 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method
static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-X509V3_EXT_METHOD v3_info =
+const X509V3_EXT_METHOD v3_info =
{ NID_info_access, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS),
0,0,0,0,
0,0,
@@ -78,7 +78,7 @@ X509V3_EXT_METHOD v3_info =
0,0,
NULL};
-X509V3_EXT_METHOD v3_sinfo =
+const X509V3_EXT_METHOD v3_sinfo =
{ NID_sinfo_access, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS),
0,0,0,0,
0,0,
@@ -141,36 +141,35 @@ static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *metho
int i, objlen;
char *objtmp, *ptmp;
if(!(ainfo = sk_ACCESS_DESCRIPTION_new_null())) {
- X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,ERR_R_MALLOC_FAILURE);
+ X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,ERR_R_MALLOC_FAILURE);
return NULL;
}
for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
cnf = sk_CONF_VALUE_value(nval, i);
if(!(acc = ACCESS_DESCRIPTION_new())
|| !sk_ACCESS_DESCRIPTION_push(ainfo, acc)) {
- X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,ERR_R_MALLOC_FAILURE);
+ X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,ERR_R_MALLOC_FAILURE);
goto err;
}
ptmp = strchr(cnf->name, ';');
if(!ptmp) {
- X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,X509V3_R_INVALID_SYNTAX);
+ X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,X509V3_R_INVALID_SYNTAX);
goto err;
}
objlen = ptmp - cnf->name;
ctmp.name = ptmp + 1;
ctmp.value = cnf->value;
- GENERAL_NAME_free(acc->location);
- if(!(acc->location = v2i_GENERAL_NAME(method, ctx, &ctmp)))
+ if(!v2i_GENERAL_NAME_ex(acc->location, method, ctx, &ctmp, 0))
goto err;
if(!(objtmp = OPENSSL_malloc(objlen + 1))) {
- X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,ERR_R_MALLOC_FAILURE);
+ X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,ERR_R_MALLOC_FAILURE);
goto err;
}
strncpy(objtmp, cnf->name, objlen);
objtmp[objlen] = 0;
acc->method = OBJ_txt2obj(objtmp, 0);
if(!acc->method) {
- X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,X509V3_R_BAD_OBJECT);
+ X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,X509V3_R_BAD_OBJECT);
ERR_add_error_data(2, "value=", objtmp);
OPENSSL_free(objtmp);
goto err;
diff --git a/lib/libcrypto/x509v3/v3_int.c b/lib/libcrypto/x509v3/v3_int.c
index 7a43b4717bc..9a48dc1508d 100644
--- a/lib/libcrypto/x509v3/v3_int.c
+++ b/lib/libcrypto/x509v3/v3_int.c
@@ -60,17 +60,30 @@
#include "cryptlib.h"
#include <openssl/x509v3.h>
-X509V3_EXT_METHOD v3_crl_num = {
+const X509V3_EXT_METHOD v3_crl_num = {
NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER),
0,0,0,0,
(X509V3_EXT_I2S)i2s_ASN1_INTEGER,
0,
0,0,0,0, NULL};
-X509V3_EXT_METHOD v3_delta_crl = {
+const X509V3_EXT_METHOD v3_delta_crl = {
NID_delta_crl, 0, ASN1_ITEM_ref(ASN1_INTEGER),
0,0,0,0,
(X509V3_EXT_I2S)i2s_ASN1_INTEGER,
0,
0,0,0,0, NULL};
+static void * s2i_asn1_int(X509V3_EXT_METHOD *meth, X509V3_CTX *ctx, char *value)
+ {
+ return s2i_ASN1_INTEGER(meth, value);
+ }
+
+const X509V3_EXT_METHOD v3_inhibit_anyp = {
+ NID_inhibit_any_policy, 0, ASN1_ITEM_ref(ASN1_INTEGER),
+ 0,0,0,0,
+ (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
+ (X509V3_EXT_S2I)s2i_asn1_int,
+ 0,0,0,0, NULL};
+
+
diff --git a/lib/libcrypto/x509v3/v3_lib.c b/lib/libcrypto/x509v3/v3_lib.c
index ca5a4a4a570..f3015ea610c 100644
--- a/lib/libcrypto/x509v3/v3_lib.c
+++ b/lib/libcrypto/x509v3/v3_lib.c
@@ -162,7 +162,8 @@ int X509V3_add_standard_extensions(void)
void *X509V3_EXT_d2i(X509_EXTENSION *ext)
{
X509V3_EXT_METHOD *method;
- unsigned char *p;
+ const unsigned char *p;
+
if(!(method = X509V3_EXT_get(ext))) return NULL;
p = ext->value->data;
if(method->it) return ASN1_item_d2i(NULL, &p, ext->value->length, ASN1_ITEM_ptr(method->it));
@@ -276,7 +277,7 @@ int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
ext = X509V3_EXT_i2d(nid, crit, value);
if(!ext) {
- X509V3err(X509V3_F_X509V3_ADD_I2D, X509V3_R_ERROR_CREATING_EXTENSION);
+ X509V3err(X509V3_F_X509V3_ADD1_I2D, X509V3_R_ERROR_CREATING_EXTENSION);
return 0;
}
@@ -295,7 +296,7 @@ int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
err:
if(!(flags & X509V3_ADD_SILENT))
- X509V3err(X509V3_F_X509V3_ADD_I2D, errcode);
+ X509V3err(X509V3_F_X509V3_ADD1_I2D, errcode);
return 0;
}
diff --git a/lib/libcrypto/x509v3/v3_ocsp.c b/lib/libcrypto/x509v3/v3_ocsp.c
index 21badc13f9f..62aac063353 100644
--- a/lib/libcrypto/x509v3/v3_ocsp.c
+++ b/lib/libcrypto/x509v3/v3_ocsp.c
@@ -74,15 +74,15 @@ static int i2r_object(X509V3_EXT_METHOD *method, void *obj, BIO *out, int indent
static void *ocsp_nonce_new(void);
static int i2d_ocsp_nonce(void *a, unsigned char **pp);
-static void *d2i_ocsp_nonce(void *a, unsigned char **pp, long length);
+static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length);
static void ocsp_nonce_free(void *a);
static int i2r_ocsp_nonce(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent);
static int i2r_ocsp_nocheck(X509V3_EXT_METHOD *method, void *nocheck, BIO *out, int indent);
-static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
+static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *str);
static int i2r_ocsp_serviceloc(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind);
-X509V3_EXT_METHOD v3_ocsp_crlid = {
+const X509V3_EXT_METHOD v3_ocsp_crlid = {
NID_id_pkix_OCSP_CrlID, 0, ASN1_ITEM_ref(OCSP_CRLID),
0,0,0,0,
0,0,
@@ -91,7 +91,7 @@ X509V3_EXT_METHOD v3_ocsp_crlid = {
NULL
};
-X509V3_EXT_METHOD v3_ocsp_acutoff = {
+const X509V3_EXT_METHOD v3_ocsp_acutoff = {
NID_id_pkix_OCSP_archiveCutoff, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
0,0,0,0,
0,0,
@@ -100,7 +100,7 @@ X509V3_EXT_METHOD v3_ocsp_acutoff = {
NULL
};
-X509V3_EXT_METHOD v3_crl_invdate = {
+const X509V3_EXT_METHOD v3_crl_invdate = {
NID_invalidity_date, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
0,0,0,0,
0,0,
@@ -109,7 +109,7 @@ X509V3_EXT_METHOD v3_crl_invdate = {
NULL
};
-X509V3_EXT_METHOD v3_crl_hold = {
+const X509V3_EXT_METHOD v3_crl_hold = {
NID_hold_instruction_code, 0, ASN1_ITEM_ref(ASN1_OBJECT),
0,0,0,0,
0,0,
@@ -118,7 +118,7 @@ X509V3_EXT_METHOD v3_crl_hold = {
NULL
};
-X509V3_EXT_METHOD v3_ocsp_nonce = {
+const X509V3_EXT_METHOD v3_ocsp_nonce = {
NID_id_pkix_OCSP_Nonce, 0, NULL,
ocsp_nonce_new,
ocsp_nonce_free,
@@ -130,7 +130,7 @@ X509V3_EXT_METHOD v3_ocsp_nonce = {
NULL
};
-X509V3_EXT_METHOD v3_ocsp_nocheck = {
+const X509V3_EXT_METHOD v3_ocsp_nocheck = {
NID_id_pkix_OCSP_noCheck, 0, ASN1_ITEM_ref(ASN1_NULL),
0,0,0,0,
0,s2i_ocsp_nocheck,
@@ -139,7 +139,7 @@ X509V3_EXT_METHOD v3_ocsp_nocheck = {
NULL
};
-X509V3_EXT_METHOD v3_ocsp_serviceloc = {
+const X509V3_EXT_METHOD v3_ocsp_serviceloc = {
NID_id_pkix_OCSP_serviceLocator, 0, ASN1_ITEM_ref(OCSP_SERVICELOC),
0,0,0,0,
0,0,
@@ -208,7 +208,7 @@ static int i2d_ocsp_nonce(void *a, unsigned char **pp)
return os->length;
}
-static void *d2i_ocsp_nonce(void *a, unsigned char **pp, long length)
+static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length)
{
ASN1_OCTET_STRING *os, **pos;
pos = a;
@@ -246,7 +246,7 @@ static int i2r_ocsp_nocheck(X509V3_EXT_METHOD *method, void *nocheck, BIO *out,
return 1;
}
-static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str)
+static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *str)
{
return ASN1_NULL_new();
}
diff --git a/lib/libcrypto/x509v3/v3_pku.c b/lib/libcrypto/x509v3/v3_pku.c
index 49a2e4697ac..5c4626e89b5 100644
--- a/lib/libcrypto/x509v3/v3_pku.c
+++ b/lib/libcrypto/x509v3/v3_pku.c
@@ -66,7 +66,7 @@ static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *u
/*
static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
*/
-X509V3_EXT_METHOD v3_pkey_usage_period = {
+const X509V3_EXT_METHOD v3_pkey_usage_period = {
NID_private_key_usage_period, 0, ASN1_ITEM_ref(PKEY_USAGE_PERIOD),
0,0,0,0,
0,0,0,0,
diff --git a/lib/libcrypto/x509v3/v3_prn.c b/lib/libcrypto/x509v3/v3_prn.c
index 5d268eb7682..20bd9bda190 100644
--- a/lib/libcrypto/x509v3/v3_prn.c
+++ b/lib/libcrypto/x509v3/v3_prn.c
@@ -109,10 +109,11 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int inde
{
void *ext_str = NULL;
char *value = NULL;
- unsigned char *p;
+ const unsigned char *p;
X509V3_EXT_METHOD *method;
STACK_OF(CONF_VALUE) *nval = NULL;
int ok = 1;
+
if(!(method = X509V3_EXT_get(ext)))
return unknown_ext_print(out, ext, flag, indent, 0);
p = ext->value->data;
@@ -182,7 +183,7 @@ int X509V3_extensions_print(BIO *bp, char *title, STACK_OF(X509_EXTENSION) *exts
obj=X509_EXTENSION_get_object(ex);
i2a_ASN1_OBJECT(bp,obj);
j=X509_EXTENSION_get_critical(ex);
- if (BIO_printf(bp,": %s\n",j?"critical":"","") <= 0)
+ if (BIO_printf(bp,": %s\n",j?"critical":"") <= 0)
return 0;
if(!X509V3_EXT_print(bp, ex, flag, indent + 4))
{
diff --git a/lib/libcrypto/x509v3/v3_purp.c b/lib/libcrypto/x509v3/v3_purp.c
index bbdf6da4937..b2f5cdfa05f 100644
--- a/lib/libcrypto/x509v3/v3_purp.c
+++ b/lib/libcrypto/x509v3/v3_purp.c
@@ -139,7 +139,7 @@ int X509_PURPOSE_get_count(void)
X509_PURPOSE * X509_PURPOSE_get0(int idx)
{
if(idx < 0) return NULL;
- if(idx < X509_PURPOSE_COUNT) return xstandard + idx;
+ if(idx < (int)X509_PURPOSE_COUNT) return xstandard + idx;
return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
}
@@ -239,7 +239,7 @@ static void xptable_free(X509_PURPOSE *p)
void X509_PURPOSE_cleanup(void)
{
- int i;
+ unsigned int i;
sk_X509_PURPOSE_pop_free(xptable, xptable_free);
for(i = 0; i < X509_PURPOSE_COUNT; i++) xptable_free(xstandard + i);
xptable = NULL;
@@ -285,7 +285,12 @@ int X509_supported_extension(X509_EXTENSION *ex)
NID_key_usage, /* 83 */
NID_subject_alt_name, /* 85 */
NID_basic_constraints, /* 87 */
+ NID_certificate_policies, /* 89 */
NID_ext_key_usage, /* 126 */
+#ifndef OPENSSL_NO_RFC3779
+ NID_sbgp_ipAddrBlock, /* 290 */
+ NID_sbgp_autonomousSysNum, /* 291 */
+#endif
NID_proxyCertInfo /* 661 */
};
@@ -343,6 +348,10 @@ static void x509v3_cache_extensions(X509 *x)
|| X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
x->ex_flags |= EXFLAG_INVALID;
}
+ if (pci->pcPathLengthConstraint) {
+ x->ex_pcpathlen =
+ ASN1_INTEGER_get(pci->pcPathLengthConstraint);
+ } else x->ex_pcpathlen = -1;
PROXY_CERT_INFO_EXTENSION_free(pci);
x->ex_flags |= EXFLAG_PROXY;
}
@@ -406,6 +415,11 @@ static void x509v3_cache_extensions(X509 *x)
}
x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
+#ifndef OPENSSL_NO_RFC3779
+ x->rfc3779_addr =X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);
+ x->rfc3779_asid =X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum,
+ NULL, NULL);
+#endif
for (i = 0; i < X509_get_ext_count(x); i++)
{
ex = X509_get_ext(x, i);
diff --git a/lib/libcrypto/x509v3/v3_skey.c b/lib/libcrypto/x509v3/v3_skey.c
index c0f044ac1b9..da0a3558f65 100644
--- a/lib/libcrypto/x509v3/v3_skey.c
+++ b/lib/libcrypto/x509v3/v3_skey.c
@@ -62,7 +62,7 @@
#include <openssl/x509v3.h>
static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
-X509V3_EXT_METHOD v3_skey_id = {
+const X509V3_EXT_METHOD v3_skey_id = {
NID_subject_key_identifier, 0, ASN1_ITEM_ref(ASN1_OCTET_STRING),
0,0,0,0,
(X509V3_EXT_I2S)i2s_ASN1_OCTET_STRING,
@@ -109,14 +109,14 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
if(strcmp(str, "hash")) return s2i_ASN1_OCTET_STRING(method, ctx, str);
if(!(oct = M_ASN1_OCTET_STRING_new())) {
- X509V3err(X509V3_F_S2I_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);
+ X509V3err(X509V3_F_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);
return NULL;
}
if(ctx && (ctx->flags == CTX_TEST)) return oct;
if(!ctx || (!ctx->subject_req && !ctx->subject_cert)) {
- X509V3err(X509V3_F_S2I_ASN1_SKEY_ID,X509V3_R_NO_PUBLIC_KEY);
+ X509V3err(X509V3_F_S2I_SKEY_ID,X509V3_R_NO_PUBLIC_KEY);
goto err;
}
@@ -125,14 +125,14 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
else pk = ctx->subject_cert->cert_info->key->public_key;
if(!pk) {
- X509V3err(X509V3_F_S2I_ASN1_SKEY_ID,X509V3_R_NO_PUBLIC_KEY);
+ X509V3err(X509V3_F_S2I_SKEY_ID,X509V3_R_NO_PUBLIC_KEY);
goto err;
}
EVP_Digest(pk->data, pk->length, pkey_dig, &diglen, EVP_sha1(), NULL);
if(!M_ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) {
- X509V3err(X509V3_F_S2I_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);
+ X509V3err(X509V3_F_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);
goto err;
}
diff --git a/lib/libcrypto/x509v3/v3_sxnet.c b/lib/libcrypto/x509v3/v3_sxnet.c
index d3f4ba3a724..eaea9ea01b4 100644
--- a/lib/libcrypto/x509v3/v3_sxnet.c
+++ b/lib/libcrypto/x509v3/v3_sxnet.c
@@ -72,7 +72,7 @@ static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out, int indent)
static SXNET * sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
STACK_OF(CONF_VALUE) *nval);
#endif
-X509V3_EXT_METHOD v3_sxnet = {
+const X509V3_EXT_METHOD v3_sxnet = {
NID_sxnet, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(SXNET),
0,0,0,0,
0,0,
@@ -109,7 +109,7 @@ static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out,
SXNETID *id;
int i;
v = ASN1_INTEGER_get(sx->version);
- BIO_printf(out, "%*sVersion: %d (0x%X)", indent, "", v + 1, v);
+ BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", v + 1, v);
for(i = 0; i < sk_SXNETID_num(sx->ids); i++) {
id = sk_SXNETID_value(sx->ids, i);
tmp = i2s_ASN1_INTEGER(NULL, id->zone);
@@ -154,7 +154,7 @@ int SXNET_add_id_asc(SXNET **psx, char *zone, char *user,
{
ASN1_INTEGER *izone = NULL;
if(!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
- X509V3err(X509V3_F_SXNET_ADD_ASC,X509V3_R_ERROR_CONVERTING_ZONE);
+ X509V3err(X509V3_F_SXNET_ADD_ID_ASC,X509V3_R_ERROR_CONVERTING_ZONE);
return 0;
}
return SXNET_add_id_INTEGER(psx, izone, user, userlen);
diff --git a/lib/libcrypto/x509v3/v3_utl.c b/lib/libcrypto/x509v3/v3_utl.c
index f23a8d29a0a..57be441399f 100644
--- a/lib/libcrypto/x509v3/v3_utl.c
+++ b/lib/libcrypto/x509v3/v3_utl.c
@@ -1,9 +1,9 @@
/* v3_utl.c */
/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
- * project 1999.
+ * project.
*/
/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -63,6 +63,7 @@
#include "cryptlib.h"
#include <openssl/conf.h>
#include <openssl/x509v3.h>
+#include <openssl/bn.h>
static char *strip_spaces(char *name);
static int sk_strcmp(const char * const *a, const char * const *b);
@@ -70,6 +71,11 @@ static STACK *get_email(X509_NAME *name, GENERAL_NAMES *gens);
static void str_free(void *str);
static int append_ia5(STACK **sk, ASN1_IA5STRING *email);
+static int ipv4_from_asc(unsigned char *v4, const char *in);
+static int ipv6_from_asc(unsigned char *v6, const char *in);
+static int ipv6_cb(const char *elem, int len, void *usr);
+static int ipv6_hex(unsigned char *out, const char *in, int inlen);
+
/* Add a CONF_VALUE name value pair to stack */
int X509V3_add_value(const char *name, const char *value,
@@ -156,11 +162,11 @@ ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, char *value)
ASN1_INTEGER *aint;
int isneg, ishex;
int ret;
- bn = BN_new();
if (!value) {
X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_INVALID_NULL_VALUE);
return 0;
}
+ bn = BN_new();
if (value[0] == '-') {
value++;
isneg = 1;
@@ -174,7 +180,8 @@ ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, char *value)
if (ishex) ret = BN_hex2bn(&bn, value);
else ret = BN_dec2bn(&bn, value);
- if (!ret) {
+ if (!ret || value[ret]) {
+ BN_free(bn);
X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_BN_DEC2BN_ERROR);
return 0;
}
@@ -358,7 +365,7 @@ char *hex_to_string(unsigned char *buffer, long len)
char *tmp, *q;
unsigned char *p;
int i;
- static char hexdig[] = "0123456789ABCDEF";
+ const static char hexdig[] = "0123456789ABCDEF";
if(!buffer || !len) return NULL;
if(!(tmp = OPENSSL_malloc(len * 3 + 1))) {
X509V3err(X509V3_F_HEX_TO_STRING,ERR_R_MALLOC_FAILURE);
@@ -466,6 +473,30 @@ STACK *X509_get1_email(X509 *x)
return ret;
}
+STACK *X509_get1_ocsp(X509 *x)
+{
+ AUTHORITY_INFO_ACCESS *info;
+ STACK *ret = NULL;
+ int i;
+ info = X509_get_ext_d2i(x, NID_info_access, NULL, NULL);
+ if (!info)
+ return NULL;
+ for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++)
+ {
+ ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i);
+ if (OBJ_obj2nid(ad->method) == NID_ad_OCSP)
+ {
+ if (ad->location->type == GEN_URI)
+ {
+ if (!append_ia5(&ret, ad->location->d.uniformResourceIdentifier))
+ break;
+ }
+ }
+ }
+ AUTHORITY_INFO_ACCESS_free(info);
+ return ret;
+}
+
STACK *X509_REQ_get1_email(X509_REQ *x)
{
GENERAL_NAMES *gens;
@@ -533,3 +564,305 @@ void X509_email_free(STACK *sk)
{
sk_pop_free(sk, str_free);
}
+
+/* Convert IP addresses both IPv4 and IPv6 into an
+ * OCTET STRING compatible with RFC3280.
+ */
+
+ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc)
+ {
+ unsigned char ipout[16];
+ ASN1_OCTET_STRING *ret;
+ int iplen;
+
+ /* If string contains a ':' assume IPv6 */
+
+ iplen = a2i_ipadd(ipout, ipasc);
+
+ if (!iplen)
+ return NULL;
+
+ ret = ASN1_OCTET_STRING_new();
+ if (!ret)
+ return NULL;
+ if (!ASN1_OCTET_STRING_set(ret, ipout, iplen))
+ {
+ ASN1_OCTET_STRING_free(ret);
+ return NULL;
+ }
+ return ret;
+ }
+
+ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc)
+ {
+ ASN1_OCTET_STRING *ret = NULL;
+ unsigned char ipout[32];
+ char *iptmp = NULL, *p;
+ int iplen1, iplen2;
+ p = strchr(ipasc,'/');
+ if (!p)
+ return NULL;
+ iptmp = BUF_strdup(ipasc);
+ if (!iptmp)
+ return NULL;
+ p = iptmp + (p - ipasc);
+ *p++ = 0;
+
+ iplen1 = a2i_ipadd(ipout, iptmp);
+
+ if (!iplen1)
+ goto err;
+
+ iplen2 = a2i_ipadd(ipout + iplen1, p);
+
+ OPENSSL_free(iptmp);
+ iptmp = NULL;
+
+ if (!iplen2 || (iplen1 != iplen2))
+ goto err;
+
+ ret = ASN1_OCTET_STRING_new();
+ if (!ret)
+ goto err;
+ if (!ASN1_OCTET_STRING_set(ret, ipout, iplen1 + iplen2))
+ goto err;
+
+ return ret;
+
+ err:
+ if (iptmp)
+ OPENSSL_free(iptmp);
+ if (ret)
+ ASN1_OCTET_STRING_free(ret);
+ return NULL;
+ }
+
+
+int a2i_ipadd(unsigned char *ipout, const char *ipasc)
+ {
+ /* If string contains a ':' assume IPv6 */
+
+ if (strchr(ipasc, ':'))
+ {
+ if (!ipv6_from_asc(ipout, ipasc))
+ return 0;
+ return 16;
+ }
+ else
+ {
+ if (!ipv4_from_asc(ipout, ipasc))
+ return 0;
+ return 4;
+ }
+ }
+
+static int ipv4_from_asc(unsigned char *v4, const char *in)
+ {
+ int a0, a1, a2, a3;
+ if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4)
+ return 0;
+ if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255)
+ || (a2 < 0) || (a2 > 255) || (a3 < 0) || (a3 > 255))
+ return 0;
+ v4[0] = a0;
+ v4[1] = a1;
+ v4[2] = a2;
+ v4[3] = a3;
+ return 1;
+ }
+
+typedef struct {
+ /* Temporary store for IPV6 output */
+ unsigned char tmp[16];
+ /* Total number of bytes in tmp */
+ int total;
+ /* The position of a zero (corresponding to '::') */
+ int zero_pos;
+ /* Number of zeroes */
+ int zero_cnt;
+ } IPV6_STAT;
+
+
+static int ipv6_from_asc(unsigned char *v6, const char *in)
+ {
+ IPV6_STAT v6stat;
+ v6stat.total = 0;
+ v6stat.zero_pos = -1;
+ v6stat.zero_cnt = 0;
+ /* Treat the IPv6 representation as a list of values
+ * separated by ':'. The presence of a '::' will parse
+ * as one, two or three zero length elements.
+ */
+ if (!CONF_parse_list(in, ':', 0, ipv6_cb, &v6stat))
+ return 0;
+
+ /* Now for some sanity checks */
+
+ if (v6stat.zero_pos == -1)
+ {
+ /* If no '::' must have exactly 16 bytes */
+ if (v6stat.total != 16)
+ return 0;
+ }
+ else
+ {
+ /* If '::' must have less than 16 bytes */
+ if (v6stat.total == 16)
+ return 0;
+ /* More than three zeroes is an error */
+ if (v6stat.zero_cnt > 3)
+ return 0;
+ /* Can only have three zeroes if nothing else present */
+ else if (v6stat.zero_cnt == 3)
+ {
+ if (v6stat.total > 0)
+ return 0;
+ }
+ /* Can only have two zeroes if at start or end */
+ else if (v6stat.zero_cnt == 2)
+ {
+ if ((v6stat.zero_pos != 0)
+ && (v6stat.zero_pos != v6stat.total))
+ return 0;
+ }
+ else
+ /* Can only have one zero if *not* start or end */
+ {
+ if ((v6stat.zero_pos == 0)
+ || (v6stat.zero_pos == v6stat.total))
+ return 0;
+ }
+ }
+
+ /* Format result */
+
+ /* Copy initial part */
+ if (v6stat.zero_pos > 0)
+ memcpy(v6, v6stat.tmp, v6stat.zero_pos);
+ /* Zero middle */
+ if (v6stat.total != 16)
+ memset(v6 + v6stat.zero_pos, 0, 16 - v6stat.total);
+ /* Copy final part */
+ if (v6stat.total != v6stat.zero_pos)
+ memcpy(v6 + v6stat.zero_pos + 16 - v6stat.total,
+ v6stat.tmp + v6stat.zero_pos,
+ v6stat.total - v6stat.zero_pos);
+
+ return 1;
+ }
+
+static int ipv6_cb(const char *elem, int len, void *usr)
+ {
+ IPV6_STAT *s = usr;
+ /* Error if 16 bytes written */
+ if (s->total == 16)
+ return 0;
+ if (len == 0)
+ {
+ /* Zero length element, corresponds to '::' */
+ if (s->zero_pos == -1)
+ s->zero_pos = s->total;
+ /* If we've already got a :: its an error */
+ else if (s->zero_pos != s->total)
+ return 0;
+ s->zero_cnt++;
+ }
+ else
+ {
+ /* If more than 4 characters could be final a.b.c.d form */
+ if (len > 4)
+ {
+ /* Need at least 4 bytes left */
+ if (s->total > 12)
+ return 0;
+ /* Must be end of string */
+ if (elem[len])
+ return 0;
+ if (!ipv4_from_asc(s->tmp + s->total, elem))
+ return 0;
+ s->total += 4;
+ }
+ else
+ {
+ if (!ipv6_hex(s->tmp + s->total, elem, len))
+ return 0;
+ s->total += 2;
+ }
+ }
+ return 1;
+ }
+
+/* Convert a string of up to 4 hex digits into the corresponding
+ * IPv6 form.
+ */
+
+static int ipv6_hex(unsigned char *out, const char *in, int inlen)
+ {
+ unsigned char c;
+ unsigned int num = 0;
+ if (inlen > 4)
+ return 0;
+ while(inlen--)
+ {
+ c = *in++;
+ num <<= 4;
+ if ((c >= '0') && (c <= '9'))
+ num |= c - '0';
+ else if ((c >= 'A') && (c <= 'F'))
+ num |= c - 'A' + 10;
+ else if ((c >= 'a') && (c <= 'f'))
+ num |= c - 'a' + 10;
+ else
+ return 0;
+ }
+ out[0] = num >> 8;
+ out[1] = num & 0xff;
+ return 1;
+ }
+
+
+int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
+ unsigned long chtype)
+ {
+ CONF_VALUE *v;
+ int i, mval;
+ char *p, *type;
+ if (!nm)
+ return 0;
+
+ for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++)
+ {
+ v=sk_CONF_VALUE_value(dn_sk,i);
+ type=v->name;
+ /* Skip past any leading X. X: X, etc to allow for
+ * multiple instances
+ */
+ for(p = type; *p ; p++)
+#ifndef CHARSET_EBCDIC
+ if ((*p == ':') || (*p == ',') || (*p == '.'))
+#else
+ if ((*p == os_toascii[':']) || (*p == os_toascii[',']) || (*p == os_toascii['.']))
+#endif
+ {
+ p++;
+ if(*p) type = p;
+ break;
+ }
+#ifndef CHARSET_EBCDIC
+ if (*type == '+')
+#else
+ if (*type == os_toascii['+'])
+#endif
+ {
+ mval = -1;
+ type++;
+ }
+ else
+ mval = 0;
+ if (!X509_NAME_add_entry_by_txt(nm,type, chtype,
+ (unsigned char *) v->value,-1,-1,mval))
+ return 0;
+
+ }
+ return 1;
+ }
diff --git a/lib/libcrypto/x509v3/v3err.c b/lib/libcrypto/x509v3/v3err.c
index e1edaf52482..d538ad8b805 100644
--- a/lib/libcrypto/x509v3/v3err.c
+++ b/lib/libcrypto/x509v3/v3err.c
@@ -70,10 +70,15 @@
static ERR_STRING_DATA X509V3_str_functs[]=
{
+{ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE), "ASIDENTIFIERCHOICE_CANONIZE"},
+{ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL), "ASIDENTIFIERCHOICE_IS_CANONICAL"},
{ERR_FUNC(X509V3_F_COPY_EMAIL), "COPY_EMAIL"},
{ERR_FUNC(X509V3_F_COPY_ISSUER), "COPY_ISSUER"},
+{ERR_FUNC(X509V3_F_DO_DIRNAME), "DO_DIRNAME"},
{ERR_FUNC(X509V3_F_DO_EXT_CONF), "DO_EXT_CONF"},
{ERR_FUNC(X509V3_F_DO_EXT_I2D), "DO_EXT_I2D"},
+{ERR_FUNC(X509V3_F_DO_EXT_NCONF), "DO_EXT_NCONF"},
+{ERR_FUNC(X509V3_F_DO_I2V_NAME_CONSTRAINTS), "DO_I2V_NAME_CONSTRAINTS"},
{ERR_FUNC(X509V3_F_HEX_TO_STRING), "hex_to_string"},
{ERR_FUNC(X509V3_F_I2S_ASN1_ENUMERATED), "i2s_ASN1_ENUMERATED"},
{ERR_FUNC(X509V3_F_I2S_ASN1_IA5STRING), "I2S_ASN1_IA5STRING"},
@@ -82,34 +87,46 @@ static ERR_STRING_DATA X509V3_str_functs[]=
{ERR_FUNC(X509V3_F_NOTICE_SECTION), "NOTICE_SECTION"},
{ERR_FUNC(X509V3_F_NREF_NOS), "NREF_NOS"},
{ERR_FUNC(X509V3_F_POLICY_SECTION), "POLICY_SECTION"},
+{ERR_FUNC(X509V3_F_PROCESS_PCI_VALUE), "PROCESS_PCI_VALUE"},
{ERR_FUNC(X509V3_F_R2I_CERTPOL), "R2I_CERTPOL"},
{ERR_FUNC(X509V3_F_R2I_PCI), "R2I_PCI"},
{ERR_FUNC(X509V3_F_S2I_ASN1_IA5STRING), "S2I_ASN1_IA5STRING"},
{ERR_FUNC(X509V3_F_S2I_ASN1_INTEGER), "s2i_ASN1_INTEGER"},
{ERR_FUNC(X509V3_F_S2I_ASN1_OCTET_STRING), "s2i_ASN1_OCTET_STRING"},
{ERR_FUNC(X509V3_F_S2I_ASN1_SKEY_ID), "S2I_ASN1_SKEY_ID"},
-{ERR_FUNC(X509V3_F_S2I_S2I_SKEY_ID), "S2I_S2I_SKEY_ID"},
+{ERR_FUNC(X509V3_F_S2I_SKEY_ID), "S2I_SKEY_ID"},
{ERR_FUNC(X509V3_F_STRING_TO_HEX), "string_to_hex"},
-{ERR_FUNC(X509V3_F_SXNET_ADD_ASC), "SXNET_ADD_ASC"},
+{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ASC), "SXNET_add_id_asc"},
{ERR_FUNC(X509V3_F_SXNET_ADD_ID_INTEGER), "SXNET_add_id_INTEGER"},
{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ULONG), "SXNET_add_id_ulong"},
{ERR_FUNC(X509V3_F_SXNET_GET_ID_ASC), "SXNET_get_id_asc"},
{ERR_FUNC(X509V3_F_SXNET_GET_ID_ULONG), "SXNET_get_id_ulong"},
-{ERR_FUNC(X509V3_F_V2I_ACCESS_DESCRIPTION), "V2I_ACCESS_DESCRIPTION"},
-{ERR_FUNC(X509V3_F_V2I_ASN1_BIT_STRING), "V2I_ASN1_BIT_STRING"},
+{ERR_FUNC(X509V3_F_V2I_ASIDENTIFIERS), "V2I_ASIDENTIFIERS"},
+{ERR_FUNC(X509V3_F_V2I_ASN1_BIT_STRING), "v2i_ASN1_BIT_STRING"},
+{ERR_FUNC(X509V3_F_V2I_AUTHORITY_INFO_ACCESS), "V2I_AUTHORITY_INFO_ACCESS"},
{ERR_FUNC(X509V3_F_V2I_AUTHORITY_KEYID), "V2I_AUTHORITY_KEYID"},
{ERR_FUNC(X509V3_F_V2I_BASIC_CONSTRAINTS), "V2I_BASIC_CONSTRAINTS"},
{ERR_FUNC(X509V3_F_V2I_CRLD), "V2I_CRLD"},
-{ERR_FUNC(X509V3_F_V2I_EXT_KU), "V2I_EXT_KU"},
-{ERR_FUNC(X509V3_F_V2I_GENERAL_NAME), "v2i_GENERAL_NAME"},
+{ERR_FUNC(X509V3_F_V2I_EXTENDED_KEY_USAGE), "V2I_EXTENDED_KEY_USAGE"},
{ERR_FUNC(X509V3_F_V2I_GENERAL_NAMES), "v2i_GENERAL_NAMES"},
+{ERR_FUNC(X509V3_F_V2I_GENERAL_NAME_EX), "v2i_GENERAL_NAME_ex"},
+{ERR_FUNC(X509V3_F_V2I_IPADDRBLOCKS), "V2I_IPADDRBLOCKS"},
+{ERR_FUNC(X509V3_F_V2I_ISSUER_ALT), "V2I_ISSUER_ALT"},
+{ERR_FUNC(X509V3_F_V2I_NAME_CONSTRAINTS), "V2I_NAME_CONSTRAINTS"},
+{ERR_FUNC(X509V3_F_V2I_POLICY_CONSTRAINTS), "V2I_POLICY_CONSTRAINTS"},
+{ERR_FUNC(X509V3_F_V2I_POLICY_MAPPINGS), "V2I_POLICY_MAPPINGS"},
+{ERR_FUNC(X509V3_F_V2I_SUBJECT_ALT), "V2I_SUBJECT_ALT"},
+{ERR_FUNC(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL), "V3_ADDR_VALIDATE_PATH_INTERNAL"},
{ERR_FUNC(X509V3_F_V3_GENERIC_EXTENSION), "V3_GENERIC_EXTENSION"},
-{ERR_FUNC(X509V3_F_X509V3_ADD_I2D), "X509V3_ADD_I2D"},
+{ERR_FUNC(X509V3_F_X509V3_ADD1_I2D), "X509V3_add1_i2d"},
{ERR_FUNC(X509V3_F_X509V3_ADD_VALUE), "X509V3_add_value"},
{ERR_FUNC(X509V3_F_X509V3_EXT_ADD), "X509V3_EXT_add"},
{ERR_FUNC(X509V3_F_X509V3_EXT_ADD_ALIAS), "X509V3_EXT_add_alias"},
{ERR_FUNC(X509V3_F_X509V3_EXT_CONF), "X509V3_EXT_conf"},
{ERR_FUNC(X509V3_F_X509V3_EXT_I2D), "X509V3_EXT_i2d"},
+{ERR_FUNC(X509V3_F_X509V3_EXT_NCONF), "X509V3_EXT_nconf"},
+{ERR_FUNC(X509V3_F_X509V3_GET_SECTION), "X509V3_get_section"},
+{ERR_FUNC(X509V3_F_X509V3_GET_STRING), "X509V3_get_string"},
{ERR_FUNC(X509V3_F_X509V3_GET_VALUE_BOOL), "X509V3_get_value_bool"},
{ERR_FUNC(X509V3_F_X509V3_PARSE_LIST), "X509V3_parse_list"},
{ERR_FUNC(X509V3_F_X509_PURPOSE_ADD), "X509_PURPOSE_add"},
@@ -123,6 +140,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
{ERR_REASON(X509V3_R_BAD_OBJECT) ,"bad object"},
{ERR_REASON(X509V3_R_BN_DEC2BN_ERROR) ,"bn dec2bn error"},
{ERR_REASON(X509V3_R_BN_TO_ASN1_INTEGER_ERROR),"bn to asn1 integer error"},
+{ERR_REASON(X509V3_R_DIRNAME_ERROR) ,"dirname error"},
{ERR_REASON(X509V3_R_DUPLICATE_ZONE_ID) ,"duplicate zone id"},
{ERR_REASON(X509V3_R_ERROR_CONVERTING_ZONE),"error converting zone"},
{ERR_REASON(X509V3_R_ERROR_CREATING_EXTENSION),"error creating extension"},
@@ -133,10 +151,15 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
{ERR_REASON(X509V3_R_EXTENSION_NOT_FOUND),"extension not found"},
{ERR_REASON(X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED),"extension setting not supported"},
{ERR_REASON(X509V3_R_EXTENSION_VALUE_ERROR),"extension value error"},
+{ERR_REASON(X509V3_R_ILLEGAL_EMPTY_EXTENSION),"illegal empty extension"},
{ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT) ,"illegal hex digit"},
{ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG),"incorrect policy syntax tag"},
+{ERR_REASON(X509V3_R_INVALID_ASNUMBER) ,"invalid asnumber"},
+{ERR_REASON(X509V3_R_INVALID_ASRANGE) ,"invalid asrange"},
{ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING),"invalid boolean string"},
{ERR_REASON(X509V3_R_INVALID_EXTENSION_STRING),"invalid extension string"},
+{ERR_REASON(X509V3_R_INVALID_INHERITANCE),"invalid inheritance"},
+{ERR_REASON(X509V3_R_INVALID_IPADDRESS) ,"invalid ipaddress"},
{ERR_REASON(X509V3_R_INVALID_NAME) ,"invalid name"},
{ERR_REASON(X509V3_R_INVALID_NULL_ARGUMENT),"invalid null argument"},
{ERR_REASON(X509V3_R_INVALID_NULL_NAME) ,"invalid null name"},
@@ -146,9 +169,9 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
{ERR_REASON(X509V3_R_INVALID_OBJECT_IDENTIFIER),"invalid object identifier"},
{ERR_REASON(X509V3_R_INVALID_OPTION) ,"invalid option"},
{ERR_REASON(X509V3_R_INVALID_POLICY_IDENTIFIER),"invalid policy identifier"},
-{ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER),"invalid proxy policy identifier"},
{ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_SETTING),"invalid proxy policy setting"},
{ERR_REASON(X509V3_R_INVALID_PURPOSE) ,"invalid purpose"},
+{ERR_REASON(X509V3_R_INVALID_SAFI) ,"invalid safi"},
{ERR_REASON(X509V3_R_INVALID_SECTION) ,"invalid section"},
{ERR_REASON(X509V3_R_INVALID_SYNTAX) ,"invalid syntax"},
{ERR_REASON(X509V3_R_ISSUER_DECODE_ERROR),"issuer decode error"},
@@ -162,12 +185,14 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
{ERR_REASON(X509V3_R_NO_PUBLIC_KEY) ,"no public key"},
{ERR_REASON(X509V3_R_NO_SUBJECT_DETAILS) ,"no subject details"},
{ERR_REASON(X509V3_R_ODD_NUMBER_OF_DIGITS),"odd number of digits"},
+{ERR_REASON(X509V3_R_OPERATION_NOT_DEFINED),"operation not defined"},
+{ERR_REASON(X509V3_R_OTHERNAME_ERROR) ,"othername error"},
{ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED),"policy language alreadty defined"},
{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH) ,"policy path length"},
{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED),"policy path length alreadty defined"},
-{ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT) ,"policy syntax not"},
{ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED),"policy syntax not currently supported"},
{ERR_REASON(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY),"policy when proxy language requires no policy"},
+{ERR_REASON(X509V3_R_SECTION_NOT_FOUND) ,"section not found"},
{ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS),"unable to get issuer details"},
{ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_KEYID),"unable to get issuer keyid"},
{ERR_REASON(X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT),"unknown bit string argument"},
@@ -183,15 +208,12 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
void ERR_load_X509V3_strings(void)
{
- static int init=1;
+#ifndef OPENSSL_NO_ERR
- if (init)
+ if (ERR_func_error_string(X509V3_str_functs[0].error) == NULL)
{
- init=0;
-#ifndef OPENSSL_NO_ERR
ERR_load_strings(0,X509V3_str_functs);
ERR_load_strings(0,X509V3_str_reasons);
-#endif
-
}
+#endif
}
diff --git a/lib/libcrypto/x509v3/x509v3.h b/lib/libcrypto/x509v3/x509v3.h
index e6d91251c2a..db2b0482c15 100644
--- a/lib/libcrypto/x509v3/x509v3.h
+++ b/lib/libcrypto/x509v3/x509v3.h
@@ -3,7 +3,7 @@
* project 1999.
*/
/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -74,14 +74,14 @@ struct v3_ext_ctx;
typedef void * (*X509V3_EXT_NEW)(void);
typedef void (*X509V3_EXT_FREE)(void *);
-typedef void * (*X509V3_EXT_D2I)(void *, unsigned char ** , long);
+typedef void * (*X509V3_EXT_D2I)(void *, const unsigned char ** , long);
typedef int (*X509V3_EXT_I2D)(void *, unsigned char **);
typedef STACK_OF(CONF_VALUE) * (*X509V3_EXT_I2V)(struct v3_ext_method *method, void *ext, STACK_OF(CONF_VALUE) *extlist);
typedef void * (*X509V3_EXT_V2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, STACK_OF(CONF_VALUE) *values);
typedef char * (*X509V3_EXT_I2S)(struct v3_ext_method *method, void *ext);
-typedef void * (*X509V3_EXT_S2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, char *str);
+typedef void * (*X509V3_EXT_S2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, const char *str);
typedef int (*X509V3_EXT_I2R)(struct v3_ext_method *method, void *ext, BIO *out, int indent);
-typedef void * (*X509V3_EXT_R2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, char *str);
+typedef void * (*X509V3_EXT_R2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, const char *str);
/* V3 extension structure */
@@ -132,7 +132,6 @@ void *db;
};
typedef struct v3_ext_method X509V3_EXT_METHOD;
-typedef struct v3_ext_ctx X509V3_CTX;
DECLARE_STACK_OF(X509V3_EXT_METHOD)
@@ -287,6 +286,33 @@ typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES;
DECLARE_STACK_OF(POLICYINFO)
DECLARE_ASN1_SET_OF(POLICYINFO)
+typedef struct POLICY_MAPPING_st {
+ ASN1_OBJECT *issuerDomainPolicy;
+ ASN1_OBJECT *subjectDomainPolicy;
+} POLICY_MAPPING;
+
+DECLARE_STACK_OF(POLICY_MAPPING)
+
+typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS;
+
+typedef struct GENERAL_SUBTREE_st {
+ GENERAL_NAME *base;
+ ASN1_INTEGER *minimum;
+ ASN1_INTEGER *maximum;
+} GENERAL_SUBTREE;
+
+DECLARE_STACK_OF(GENERAL_SUBTREE)
+
+typedef struct NAME_CONSTRAINTS_st {
+ STACK_OF(GENERAL_SUBTREE) *permittedSubtrees;
+ STACK_OF(GENERAL_SUBTREE) *excludedSubtrees;
+} NAME_CONSTRAINTS;
+
+typedef struct POLICY_CONSTRAINTS_st {
+ ASN1_INTEGER *requireExplicitPolicy;
+ ASN1_INTEGER *inhibitPolicyMapping;
+} POLICY_CONSTRAINTS;
+
/* Proxy certificate structures, see RFC 3820 */
typedef struct PROXY_POLICY_st
{
@@ -344,6 +370,8 @@ DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
#define EXFLAG_CRITICAL 0x200
#define EXFLAG_PROXY 0x400
+#define EXFLAG_INVALID_POLICY 0x400
+
#define KU_DIGITAL_SIGNATURE 0x0080
#define KU_NON_REPUDIATION 0x0040
#define KU_KEY_ENCIPHERMENT 0x0020
@@ -442,6 +470,13 @@ DECLARE_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD)
DECLARE_ASN1_FUNCTIONS(GENERAL_NAME)
+
+ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
+ X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
+ ASN1_BIT_STRING *bits,
+ STACK_OF(CONF_VALUE) *extlist);
+
STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret);
int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen);
@@ -474,8 +509,24 @@ DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME)
DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION)
DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS)
+DECLARE_ASN1_ITEM(POLICY_MAPPING)
+DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING)
+DECLARE_ASN1_ITEM(POLICY_MAPPINGS)
+
+DECLARE_ASN1_ITEM(GENERAL_SUBTREE)
+DECLARE_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
+
+DECLARE_ASN1_ITEM(NAME_CONSTRAINTS)
+DECLARE_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
+
+DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
+DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS)
+
#ifdef HEADER_CONF_H
-GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, CONF_VALUE *cnf);
+GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+ CONF_VALUE *cnf);
+GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out, X509V3_EXT_METHOD *method,
+ X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc);
void X509V3_conf_free(CONF_VALUE *val);
X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, char *value);
@@ -566,7 +617,164 @@ int X509_PURPOSE_get_id(X509_PURPOSE *);
STACK *X509_get1_email(X509 *x);
STACK *X509_REQ_get1_email(X509_REQ *x);
void X509_email_free(STACK *sk);
+STACK *X509_get1_ocsp(X509 *x);
+
+ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc);
+ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc);
+int a2i_ipadd(unsigned char *ipout, const char *ipasc);
+int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
+ unsigned long chtype);
+
+void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
+
+#ifndef OPENSSL_NO_RFC3779
+
+typedef struct ASRange_st {
+ ASN1_INTEGER *min, *max;
+} ASRange;
+
+#define ASIdOrRange_id 0
+#define ASIdOrRange_range 1
+
+typedef struct ASIdOrRange_st {
+ int type;
+ union {
+ ASN1_INTEGER *id;
+ ASRange *range;
+ } u;
+} ASIdOrRange;
+
+typedef STACK_OF(ASIdOrRange) ASIdOrRanges;
+DECLARE_STACK_OF(ASIdOrRange)
+
+#define ASIdentifierChoice_inherit 0
+#define ASIdentifierChoice_asIdsOrRanges 1
+
+typedef struct ASIdentifierChoice_st {
+ int type;
+ union {
+ ASN1_NULL *inherit;
+ ASIdOrRanges *asIdsOrRanges;
+ } u;
+} ASIdentifierChoice;
+
+typedef struct ASIdentifiers_st {
+ ASIdentifierChoice *asnum, *rdi;
+} ASIdentifiers;
+
+DECLARE_ASN1_FUNCTIONS(ASRange)
+DECLARE_ASN1_FUNCTIONS(ASIdOrRange)
+DECLARE_ASN1_FUNCTIONS(ASIdentifierChoice)
+DECLARE_ASN1_FUNCTIONS(ASIdentifiers)
+
+
+typedef struct IPAddressRange_st {
+ ASN1_BIT_STRING *min, *max;
+} IPAddressRange;
+
+#define IPAddressOrRange_addressPrefix 0
+#define IPAddressOrRange_addressRange 1
+
+typedef struct IPAddressOrRange_st {
+ int type;
+ union {
+ ASN1_BIT_STRING *addressPrefix;
+ IPAddressRange *addressRange;
+ } u;
+} IPAddressOrRange;
+
+typedef STACK_OF(IPAddressOrRange) IPAddressOrRanges;
+DECLARE_STACK_OF(IPAddressOrRange)
+
+#define IPAddressChoice_inherit 0
+#define IPAddressChoice_addressesOrRanges 1
+
+typedef struct IPAddressChoice_st {
+ int type;
+ union {
+ ASN1_NULL *inherit;
+ IPAddressOrRanges *addressesOrRanges;
+ } u;
+} IPAddressChoice;
+
+typedef struct IPAddressFamily_st {
+ ASN1_OCTET_STRING *addressFamily;
+ IPAddressChoice *ipAddressChoice;
+} IPAddressFamily;
+
+typedef STACK_OF(IPAddressFamily) IPAddrBlocks;
+DECLARE_STACK_OF(IPAddressFamily)
+
+DECLARE_ASN1_FUNCTIONS(IPAddressRange)
+DECLARE_ASN1_FUNCTIONS(IPAddressOrRange)
+DECLARE_ASN1_FUNCTIONS(IPAddressChoice)
+DECLARE_ASN1_FUNCTIONS(IPAddressFamily)
+
+/*
+ * API tag for elements of the ASIdentifer SEQUENCE.
+ */
+#define V3_ASID_ASNUM 0
+#define V3_ASID_RDI 1
+
+/*
+ * AFI values, assigned by IANA. It'd be nice to make the AFI
+ * handling code totally generic, but there are too many little things
+ * that would need to be defined for other address families for it to
+ * be worth the trouble.
+ */
+#define IANA_AFI_IPV4 1
+#define IANA_AFI_IPV6 2
+
+/*
+ * Utilities to construct and extract values from RFC3779 extensions,
+ * since some of the encodings (particularly for IP address prefixes
+ * and ranges) are a bit tedious to work with directly.
+ */
+int v3_asid_add_inherit(ASIdentifiers *asid, int which);
+int v3_asid_add_id_or_range(ASIdentifiers *asid, int which,
+ ASN1_INTEGER *min, ASN1_INTEGER *max);
+int v3_addr_add_inherit(IPAddrBlocks *addr,
+ const unsigned afi, const unsigned *safi);
+int v3_addr_add_prefix(IPAddrBlocks *addr,
+ const unsigned afi, const unsigned *safi,
+ unsigned char *a, const int prefixlen);
+int v3_addr_add_range(IPAddrBlocks *addr,
+ const unsigned afi, const unsigned *safi,
+ unsigned char *min, unsigned char *max);
+unsigned v3_addr_get_afi(const IPAddressFamily *f);
+int v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi,
+ unsigned char *min, unsigned char *max,
+ const int length);
+
+/*
+ * Canonical forms.
+ */
+int v3_asid_is_canonical(ASIdentifiers *asid);
+int v3_addr_is_canonical(IPAddrBlocks *addr);
+int v3_asid_canonize(ASIdentifiers *asid);
+int v3_addr_canonize(IPAddrBlocks *addr);
+
+/*
+ * Tests for inheritance and containment.
+ */
+int v3_asid_inherits(ASIdentifiers *asid);
+int v3_addr_inherits(IPAddrBlocks *addr);
+int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b);
+int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b);
+
+/*
+ * Check whether RFC 3779 extensions nest properly in chains.
+ */
+int v3_asid_validate_path(X509_STORE_CTX *);
+int v3_addr_validate_path(X509_STORE_CTX *);
+int v3_asid_validate_resource_set(STACK_OF(X509) *chain,
+ ASIdentifiers *ext,
+ int allow_inheritance);
+int v3_addr_validate_resource_set(STACK_OF(X509) *chain,
+ IPAddrBlocks *ext,
+ int allow_inheritance);
+#endif /* OPENSSL_NO_RFC3779 */
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
@@ -577,46 +785,63 @@ void ERR_load_X509V3_strings(void);
/* Error codes for the X509V3 functions. */
/* Function codes. */
+#define X509V3_F_ASIDENTIFIERCHOICE_CANONIZE 156
+#define X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL 157
#define X509V3_F_COPY_EMAIL 122
#define X509V3_F_COPY_ISSUER 123
+#define X509V3_F_DO_DIRNAME 144
#define X509V3_F_DO_EXT_CONF 124
#define X509V3_F_DO_EXT_I2D 135
+#define X509V3_F_DO_EXT_NCONF 151
+#define X509V3_F_DO_I2V_NAME_CONSTRAINTS 148
#define X509V3_F_HEX_TO_STRING 111
#define X509V3_F_I2S_ASN1_ENUMERATED 121
-#define X509V3_F_I2S_ASN1_IA5STRING 142
+#define X509V3_F_I2S_ASN1_IA5STRING 149
#define X509V3_F_I2S_ASN1_INTEGER 120
#define X509V3_F_I2V_AUTHORITY_INFO_ACCESS 138
#define X509V3_F_NOTICE_SECTION 132
#define X509V3_F_NREF_NOS 133
#define X509V3_F_POLICY_SECTION 131
+#define X509V3_F_PROCESS_PCI_VALUE 150
#define X509V3_F_R2I_CERTPOL 130
-#define X509V3_F_R2I_PCI 142
+#define X509V3_F_R2I_PCI 155
#define X509V3_F_S2I_ASN1_IA5STRING 100
#define X509V3_F_S2I_ASN1_INTEGER 108
#define X509V3_F_S2I_ASN1_OCTET_STRING 112
#define X509V3_F_S2I_ASN1_SKEY_ID 114
-#define X509V3_F_S2I_S2I_SKEY_ID 115
+#define X509V3_F_S2I_SKEY_ID 115
#define X509V3_F_STRING_TO_HEX 113
-#define X509V3_F_SXNET_ADD_ASC 125
+#define X509V3_F_SXNET_ADD_ID_ASC 125
#define X509V3_F_SXNET_ADD_ID_INTEGER 126
#define X509V3_F_SXNET_ADD_ID_ULONG 127
#define X509V3_F_SXNET_GET_ID_ASC 128
#define X509V3_F_SXNET_GET_ID_ULONG 129
-#define X509V3_F_V2I_ACCESS_DESCRIPTION 139
+#define X509V3_F_V2I_ASIDENTIFIERS 158
#define X509V3_F_V2I_ASN1_BIT_STRING 101
+#define X509V3_F_V2I_AUTHORITY_INFO_ACCESS 139
#define X509V3_F_V2I_AUTHORITY_KEYID 119
#define X509V3_F_V2I_BASIC_CONSTRAINTS 102
#define X509V3_F_V2I_CRLD 134
-#define X509V3_F_V2I_EXT_KU 103
-#define X509V3_F_V2I_GENERAL_NAME 117
+#define X509V3_F_V2I_EXTENDED_KEY_USAGE 103
#define X509V3_F_V2I_GENERAL_NAMES 118
+#define X509V3_F_V2I_GENERAL_NAME_EX 117
+#define X509V3_F_V2I_IPADDRBLOCKS 159
+#define X509V3_F_V2I_ISSUER_ALT 153
+#define X509V3_F_V2I_NAME_CONSTRAINTS 147
+#define X509V3_F_V2I_POLICY_CONSTRAINTS 146
+#define X509V3_F_V2I_POLICY_MAPPINGS 145
+#define X509V3_F_V2I_SUBJECT_ALT 154
+#define X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL 160
#define X509V3_F_V3_GENERIC_EXTENSION 116
-#define X509V3_F_X509V3_ADD_I2D 140
+#define X509V3_F_X509V3_ADD1_I2D 140
#define X509V3_F_X509V3_ADD_VALUE 105
#define X509V3_F_X509V3_EXT_ADD 104
#define X509V3_F_X509V3_EXT_ADD_ALIAS 106
#define X509V3_F_X509V3_EXT_CONF 107
#define X509V3_F_X509V3_EXT_I2D 136
+#define X509V3_F_X509V3_EXT_NCONF 152
+#define X509V3_F_X509V3_GET_SECTION 142
+#define X509V3_F_X509V3_GET_STRING 143
#define X509V3_F_X509V3_GET_VALUE_BOOL 110
#define X509V3_F_X509V3_PARSE_LIST 109
#define X509V3_F_X509_PURPOSE_ADD 137
@@ -627,6 +852,7 @@ void ERR_load_X509V3_strings(void);
#define X509V3_R_BAD_OBJECT 119
#define X509V3_R_BN_DEC2BN_ERROR 100
#define X509V3_R_BN_TO_ASN1_INTEGER_ERROR 101
+#define X509V3_R_DIRNAME_ERROR 149
#define X509V3_R_DUPLICATE_ZONE_ID 133
#define X509V3_R_ERROR_CONVERTING_ZONE 131
#define X509V3_R_ERROR_CREATING_EXTENSION 144
@@ -637,10 +863,15 @@ void ERR_load_X509V3_strings(void);
#define X509V3_R_EXTENSION_NOT_FOUND 102
#define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 103
#define X509V3_R_EXTENSION_VALUE_ERROR 116
+#define X509V3_R_ILLEGAL_EMPTY_EXTENSION 151
#define X509V3_R_ILLEGAL_HEX_DIGIT 113
-#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 153
+#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 152
+#define X509V3_R_INVALID_ASNUMBER 160
+#define X509V3_R_INVALID_ASRANGE 161
#define X509V3_R_INVALID_BOOLEAN_STRING 104
#define X509V3_R_INVALID_EXTENSION_STRING 105
+#define X509V3_R_INVALID_INHERITANCE 162
+#define X509V3_R_INVALID_IPADDRESS 163
#define X509V3_R_INVALID_NAME 106
#define X509V3_R_INVALID_NULL_ARGUMENT 107
#define X509V3_R_INVALID_NULL_NAME 108
@@ -650,9 +881,9 @@ void ERR_load_X509V3_strings(void);
#define X509V3_R_INVALID_OBJECT_IDENTIFIER 110
#define X509V3_R_INVALID_OPTION 138
#define X509V3_R_INVALID_POLICY_IDENTIFIER 134
-#define X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER 147
-#define X509V3_R_INVALID_PROXY_POLICY_SETTING 151
+#define X509V3_R_INVALID_PROXY_POLICY_SETTING 153
#define X509V3_R_INVALID_PURPOSE 146
+#define X509V3_R_INVALID_SAFI 164
#define X509V3_R_INVALID_SECTION 135
#define X509V3_R_INVALID_SYNTAX 143
#define X509V3_R_ISSUER_DECODE_ERROR 126
@@ -662,16 +893,18 @@ void ERR_load_X509V3_strings(void);
#define X509V3_R_NO_ISSUER_CERTIFICATE 121
#define X509V3_R_NO_ISSUER_DETAILS 127
#define X509V3_R_NO_POLICY_IDENTIFIER 139
-#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 148
+#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 154
#define X509V3_R_NO_PUBLIC_KEY 114
#define X509V3_R_NO_SUBJECT_DETAILS 125
#define X509V3_R_ODD_NUMBER_OF_DIGITS 112
-#define X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED 149
-#define X509V3_R_POLICY_PATH_LENGTH 152
-#define X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED 150
-#define X509V3_R_POLICY_SYNTAX_NOT 154
-#define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED 155
-#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 156
+#define X509V3_R_OPERATION_NOT_DEFINED 148
+#define X509V3_R_OTHERNAME_ERROR 147
+#define X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED 155
+#define X509V3_R_POLICY_PATH_LENGTH 156
+#define X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED 157
+#define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED 158
+#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 159
+#define X509V3_R_SECTION_NOT_FOUND 150
#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 122
#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 123
#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 111
generated by cgit v1.2.3 (git 2.25.1) at 2024-12-12 19:21:59 +0000