if (verbose)
BIO_printf(bio_err, "writing new certificates\n");
for (i = 0; i < sk_X509_num(cert_sk); i++) {
+ ASN1_INTEGER *serialNumber = X509_get_serialNumber(x);
int k;
char *n;
x = sk_X509_value(cert_sk, i);
- j = x->cert_info->serialNumber->length;
- p = (const char *)x->cert_info->serialNumber->data;
+ j = ASN1_STRING_length(serialNumber);
+ p = (const char *)ASN1_STRING_data(serialNumber);
if (strlen(outdir) >= (size_t)(j ? BSIZE - j * 2 - 6 : BSIZE - 8)) {
BIO_printf(bio_err, "certificate file name too long\n");
ASN1_STRING *str, *str2;
ASN1_OBJECT *obj;
X509 *ret = NULL;
- X509_CINF *ci;
X509_NAME_ENTRY *ne;
X509_NAME_ENTRY *tne, *push;
EVP_PKEY *pktmp;
if (selfsign)
CAname = X509_NAME_dup(name);
else
- CAname = X509_NAME_dup(x509->cert_info->subject);
+ CAname = X509_NAME_dup(X509_get_subject_name(x509));
if (CAname == NULL)
goto end;
str = str2 = NULL;
if ((ret = X509_new()) == NULL)
goto end;
- ci = ret->cert_info;
#ifdef X509_V3
/* Make it an X509 v3 certificate. */
goto end;
#endif
- if (BN_to_ASN1_INTEGER(serial, ci->serialNumber) == NULL)
+ if (BN_to_ASN1_INTEGER(serial, X509_get_serialNumber(ret)) == NULL)
goto end;
if (selfsign) {
if (!X509_set_issuer_name(ret, subject))
/* Lets add the extensions, if there are any */
if (ext_sect) {
X509V3_CTX ctx;
- if (ci->version == NULL)
- if ((ci->version = ASN1_INTEGER_new()) == NULL)
- goto end;
- ASN1_INTEGER_set(ci->version, 2); /* version 3 certificate */
-
- /*
- * Free the current entries if any, there should not be any I believe
- */
- sk_X509_EXTENSION_pop_free(ci->extensions, X509_EXTENSION_free);
-
- ci->extensions = NULL;
+ X509_set_version(ret, 2);
/* Initialize the context structure */
if (selfsign)
goto end;
}
- if (badsig)
- x->signature->data[x->signature->length - 1] ^= 0x1;
+ if (badsig) {
+ ASN1_BIT_STRING *signature;
+ unsigned char *s;
+ X509_get0_signature(&signature, NULL, x);
+ s = ASN1_STRING_data(signature);
+ s[ASN1_STRING_length(signature) - 1] ^= 0x1;
+ }
if (outformat == FORMAT_ASN1)
i = i2d_X509_bio(out, x);
static int ocsp_check_delegated(X509 *x, int flags)
{
- X509_check_purpose(x, -1, 0);
- if ((x->ex_flags & EXFLAG_XKUSAGE) && (x->ex_xkusage & XKU_OCSP_SIGN))
+ if ((X509_get_extension_flags(x) & EXFLAG_XKUSAGE)
+ && (X509_get_extended_key_usage(x) & XKU_OCSP_SIGN))
return 1;
OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE);
return 0;
{
int ret;
ret = X509_NAME_cmp(ri->issuer_and_serial->issuer,
- pcert->cert_info->issuer);
+ X509_get_issuer_name(pcert));
if (ret)
return ret;
- return ASN1_INTEGER_cmp(pcert->cert_info->serialNumber,
- ri->issuer_and_serial->serial);
+ return ASN1_INTEGER_cmp(X509_get_serialNumber(pcert),
+ ri->issuer_and_serial->serial);
}
/* int */
goto end;
tsa_name->type = GEN_DIRNAME;
tsa_name->d.dirn =
- X509_NAME_dup(ctx->signer_cert->cert_info->subject);
+ X509_NAME_dup(X509_get_subject_name(ctx->signer_cert));
if (!tsa_name->d.dirn)
goto end;
if (!TS_TST_INFO_set_tsa(tst_info, tsa_name))
if ((name = GENERAL_NAME_new()) == NULL)
goto err;
name->type = GEN_DIRNAME;
- if ((name->d.dirn = X509_NAME_dup(cert->cert_info->issuer)) == NULL)
+ if ((name->d.dirn = X509_NAME_dup(X509_get_issuer_name(cert))) == NULL)
goto err;
if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name))
goto err;
/* Setting the serial number. */
ASN1_INTEGER_free(cid->issuer_serial->serial);
if (!(cid->issuer_serial->serial =
- ASN1_INTEGER_dup(cert->cert_info->serialNumber)))
+ ASN1_INTEGER_dup(X509_get_serialNumber(cert))))
goto err;
}
STACK_OF(X509) *chain);
static ESS_SIGNING_CERT *ess_get_signing_cert(PKCS7_SIGNER_INFO *si);
static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert);
-static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo);
+static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509 *cert);
static int int_ts_RESP_verify_token(TS_VERIFY_CTX *ctx,
PKCS7 *token, TS_TST_INFO *tst_info);
static int ts_check_status_info(TS_RESP *response);
sizeof(cert->sha1_hash))) {
/* Check the issuer/serial as well if specified. */
ESS_ISSUER_SERIAL *is = cid->issuer_serial;
- if (!is || !ts_issuer_serial_cmp(is, cert->cert_info))
+ if (!is || !ts_issuer_serial_cmp(is, cert))
return i;
}
}
return -1;
}
-static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo)
+static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509 *cert)
{
GENERAL_NAME *issuer;
- if (!is || !cinfo || sk_GENERAL_NAME_num(is->issuer) != 1)
+ if (!is || !cert || sk_GENERAL_NAME_num(is->issuer) != 1)
return -1;
/* Check the issuer first. It must be a directory name. */
issuer = sk_GENERAL_NAME_value(is->issuer, 0);
if (issuer->type != GEN_DIRNAME
- || X509_NAME_cmp(issuer->d.dirn, cinfo->issuer))
+ || X509_NAME_cmp(issuer->d.dirn, X509_get_issuer_name(cert)))
return -1;
/* Check the serial number, too. */
- if (ASN1_INTEGER_cmp(is->serial, cinfo->serialNumber))
+ if (ASN1_INTEGER_cmp(is->serial, X509_get_serialNumber(cert)))
return -1;
return 0;
/* Check the subject name first. */
if (tsa_name->type == GEN_DIRNAME
- && X509_name_cmp(tsa_name->d.dirn, signer->cert_info->subject) == 0)
+ && X509_name_cmp(tsa_name->d.dirn, X509_get_subject_name(signer)) == 0)
return 1;
/* Check all the alternative names. */
break;
}
- i = OBJ_obj2nid(x->sig_alg->algorithm);
+ i = X509_get_signature_nid(x);
if (i && OBJ_find_sigid_algs(i, NULL, &i)) {
switch (i) {
* explicit_policy value at this point.
*/
for (i = n - 2; i >= 0; i--) {
+ uint32_t ex_flags;
x = sk_X509_value(certs, i);
+ ex_flags = X509_get_extension_flags(x);
X509_check_purpose(x, -1, -1);
cache = policy_cache_set(x);
/* If cache NULL something bad happened: return immediately */
/*
* If inconsistent extensions keep a note of it but continue
*/
- if (x->ex_flags & EXFLAG_INVALID_POLICY)
+ if (ex_flags & EXFLAG_INVALID_POLICY)
ret = -1;
/*
* Otherwise if we have no data (hence no CertificatePolicies) and
else if ((ret == 1) && !cache->data)
ret = 2;
if (explicit_policy > 0) {
- if (!(x->ex_flags & EXFLAG_SI))
+ if (!(ex_flags & EXFLAG_SI))
explicit_policy--;
if ((cache->explicit_skip != -1)
&& (cache->explicit_skip < explicit_policy))
goto bad_tree;
for (i = n - 2; i >= 0; i--) {
+ uint32_t ex_flags;
level++;
x = sk_X509_value(certs, i);
+ ex_flags = X509_get_extension_flags(x);
cache = policy_cache_set(x);
X509_up_ref(x);
level->cert = x;
* Any matching allowed if certificate is self issued and not the
* last in the chain.
*/
- if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
+ if (!(ex_flags & EXFLAG_SI) || (i == 0))
level->flags |= X509_V_FLAG_INHIBIT_ANY;
} else {
- if (!(x->ex_flags & EXFLAG_SI))
+ if (!(ex_flags & EXFLAG_SI))
any_skip--;
if ((cache->any_skip >= 0)
&& (cache->any_skip < any_skip))
if (map_skip == 0)
level->flags |= X509_V_FLAG_INHIBIT_MAP;
else {
- if (!(x->ex_flags & EXFLAG_SI))
+ if (!(ex_flags & EXFLAG_SI))
map_skip--;
if ((cache->map_skip >= 0)
&& (cache->map_skip < map_skip))
if (sk_X509_num(chain) > 0) {
/* See if last cert is self signed */
x = sk_X509_value(chain, sk_X509_num(chain) - 1);
- X509_check_purpose(x, -1, 0);
- if (x->ex_flags & EXFLAG_SS) {
+ if (X509_get_extension_flags(x) & EXFLAG_SS) {
x = sk_X509_pop(chain);
X509_free(x);
}
int have_ecdh_tmp, ecdh_ok;
X509 *x = NULL;
EVP_PKEY *ecc_pkey = NULL;
- int signature_nid = 0, pk_nid = 0, md_nid = 0;
+ int pk_nid = 0, md_nid = 0;
#endif
if (c == NULL)
return;
*/
#ifndef OPENSSL_NO_EC
if (have_ecc_cert) {
+ uint32_t ex_kusage;
cpk = &c->pkeys[SSL_PKEY_ECC];
x = cpk->x509;
- /* This call populates extension flags (ex_flags) */
- X509_check_purpose(x, -1, 0);
- ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
- (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
- ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
- (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
+ ex_kusage = X509_get_key_usage(x);
+ ecdh_ok = ex_kusage & X509v3_KU_KEY_AGREEMENT;
+ ecdsa_ok = ex_kusage & X509v3_KU_DIGITAL_SIGNATURE;
if (!(pvalid[SSL_PKEY_ECC] & CERT_PKEY_SIGN))
ecdsa_ok = 0;
ecc_pkey = X509_get_pubkey(x);
ecc_pkey_size = (ecc_pkey != NULL) ? EVP_PKEY_bits(ecc_pkey) : 0;
EVP_PKEY_free(ecc_pkey);
- if ((x->sig_alg) && (x->sig_alg->algorithm)) {
- signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
- OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
- }
+ OBJ_find_sigid_algs(X509_get_signature_nid(x), &md_nid, &pk_nid);
if (ecdh_ok) {
if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa) {
s->s3->tmp.export_mask_a = emask_a;
}
-/* This handy macro borrowed from crypto/x509v3/v3_purp.c */
-#define ku_reject(x, usage) \
- (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
-
#ifndef OPENSSL_NO_EC
int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
unsigned long alg_k, alg_a;
EVP_PKEY *pkey = NULL;
int keysize = 0;
- int signature_nid = 0, md_nid = 0, pk_nid = 0;
+ int md_nid = 0, pk_nid = 0;
const SSL_CIPHER *cs = s->s3->tmp.new_cipher;
+ uint32_t ex_kusage = X509_get_key_usage(x);
alg_k = cs->algorithm_mkey;
alg_a = cs->algorithm_auth;
return 0;
}
- /* This call populates the ex_flags field correctly */
- X509_check_purpose(x, -1, 0);
- if ((x->sig_alg) && (x->sig_alg->algorithm)) {
- signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
- OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
- }
+ OBJ_find_sigid_algs(X509_get_signature_nid(x), &md_nid, &pk_nid);
+
if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr) {
/* key usage, if present, must allow key agreement */
- if (ku_reject(x, X509v3_KU_KEY_AGREEMENT)) {
+ if (!(ex_kusage & X509v3_KU_KEY_AGREEMENT)) {
SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
return 0;
}
if (alg_a & SSL_aECDSA) {
/* key usage, if present, must allow signing */
- if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE)) {
+ if (!(ex_kusage & X509v3_KU_DIGITAL_SIGNATURE)) {
SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
SSL_R_ECC_CERT_NOT_FOR_SIGNING);
return 0;
if (ok == 1) {
X509 *xs = ctx->current_cert;
- if (xs->ex_flags & EXFLAG_PROXY) {
+ if (X509_get_extension_flags(xs) & EXFLAG_PROXY) {
unsigned int *letters = X509_STORE_CTX_get_ex_data(ctx,
get_proxy_auth_ex_data_idx
());
projects / oweals / openssl.git / commitdiff