From: Dr. Stephen Henson Date: Wed, 17 Feb 1999 23:22:57 +0000 (+0000) Subject: Oops! Remeber to include the other patches this time... X-Git-Tag: OpenSSL_0_9_2b~142 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=0be9747b39568ff4974335836369726f8b3bcf35;p=oweals%2Fopenssl.git Oops! Remeber to include the other patches this time... --- diff --git a/apps/openssl.cnf b/apps/openssl.cnf index e5e2eee56f..fbf0a1ba7f 100644 --- a/apps/openssl.cnf +++ b/apps/openssl.cnf @@ -127,7 +127,11 @@ basicConstraints=CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always + #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem #nsBaseUrl @@ -147,6 +151,8 @@ basicConstraints = CA:true subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always + # This is what PKIX recommends but some broken software chokes on critical # extensions. #basicConstraints = critical,CA:true diff --git a/crypto/asn1/asn1.err b/crypto/asn1/asn1.err index c2210ccc0a..92acb0a06e 100644 --- a/crypto/asn1/asn1.err +++ b/crypto/asn1/asn1.err @@ -70,6 +70,7 @@ #define ASN1_F_D2I_PKCS7_SIGNED 152 #define ASN1_F_D2I_PKCS7_SIGNER_INFO 153 #define ASN1_F_D2I_PKCS7_SIGN_ENVELOPE 154 +#define ASN1_F_D2I_PKEY_USAGE_PERIOD 239 #define ASN1_F_D2I_PRIVATEKEY 155 #define ASN1_F_D2I_PUBLICKEY 156 #define ASN1_F_D2I_RSAPRIVATEKEY 157 @@ -120,6 +121,7 @@ #define ASN1_F_PKCS7_SIGNED_NEW 199 #define ASN1_F_PKCS7_SIGNER_INFO_NEW 200 #define ASN1_F_PKCS7_SIGN_ENVELOPE_NEW 201 +#define ASN1_F_PKEY_USAGE_PERIOD_NEW 240 #define ASN1_F_X509_ALGOR_NEW 202 #define ASN1_F_X509_ATTRIBUTE_NEW 203 #define ASN1_F_X509_CINF_NEW 204 diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h index 5f0627dbd3..0f74f40e65 100644 --- a/crypto/asn1/asn1.h +++ b/crypto/asn1/asn1.h 
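Review bot: The `authorityKeyIdentifier=keyid:always,issuer:always` added in this file's second hunk (the section with `basicConstraints = CA:true`) makes certificate generation fail outright when the issuer certificate carries no subjectKeyIdentifier: in v2i_AUTHORITY_KEYID in crypto/x509v3/v3_akey.c, `keyid:always` with no retrievable issuer key id raises X509V3_R_UNABLE_TO_GET_ISSUER_KEYID and returns NULL. That strictness is presumably intended, but the config does not say so, and a CA whose self-signed root was issued before `subjectKeyIdentifier=hash` was in place will hit it on the first signing. I would extend the `# PKIX recommendations` comment with `# keyid:always fails if the issuer certificate has no subjectKeyIdentifier; use keyid,issuer:always for issuers that lack one.` The `keyid,issuer:always` form used in the CA:FALSE section always includes the issuer name and serial and adds the key id only when the issuer has one, which is the tolerant variant.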
@@ -760,6 +760,7 @@ ASN1_BMPSTRING *d2i_ASN1_BMPSTRING(); #define ASN1_F_D2I_PKCS7_SIGNED 152 #define ASN1_F_D2I_PKCS7_SIGNER_INFO 153 #define ASN1_F_D2I_PKCS7_SIGN_ENVELOPE 154 +#define ASN1_F_D2I_PKEY_USAGE_PERIOD 239 #define ASN1_F_D2I_PRIVATEKEY 155 #define ASN1_F_D2I_PUBLICKEY 156 #define ASN1_F_D2I_RSAPRIVATEKEY 157 @@ -810,6 +811,7 @@ ASN1_BMPSTRING *d2i_ASN1_BMPSTRING(); #define ASN1_F_PKCS7_SIGNED_NEW 199 #define ASN1_F_PKCS7_SIGNER_INFO_NEW 200 #define ASN1_F_PKCS7_SIGN_ENVELOPE_NEW 201 +#define ASN1_F_PKEY_USAGE_PERIOD_NEW 240 #define ASN1_F_X509_ALGOR_NEW 202 #define ASN1_F_X509_ATTRIBUTE_NEW 203 #define ASN1_F_X509_CINF_NEW 204 diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c index 2bb83240f3..aead3126cc 100644 --- a/crypto/asn1/asn1_err.c +++ b/crypto/asn1/asn1_err.c @@ -132,6 +132,7 @@ static ERR_STRING_DATA ASN1_str_functs[]= {ERR_PACK(0,ASN1_F_D2I_PKCS7_SIGNED,0), "D2I_PKCS7_SIGNED"}, {ERR_PACK(0,ASN1_F_D2I_PKCS7_SIGNER_INFO,0), "D2I_PKCS7_SIGNER_INFO"}, {ERR_PACK(0,ASN1_F_D2I_PKCS7_SIGN_ENVELOPE,0), "D2I_PKCS7_SIGN_ENVELOPE"}, +{ERR_PACK(0,ASN1_F_D2I_PKEY_USAGE_PERIOD,0), "D2I_PKEY_USAGE_PERIOD"}, {ERR_PACK(0,ASN1_F_D2I_PRIVATEKEY,0), "D2I_PRIVATEKEY"}, {ERR_PACK(0,ASN1_F_D2I_PUBLICKEY,0), "D2I_PUBLICKEY"}, {ERR_PACK(0,ASN1_F_D2I_RSAPRIVATEKEY,0), "D2I_RSAPRIVATEKEY"}, @@ -182,6 +183,7 @@ static ERR_STRING_DATA ASN1_str_functs[]= {ERR_PACK(0,ASN1_F_PKCS7_SIGNED_NEW,0), "PKCS7_SIGNED_NEW"}, {ERR_PACK(0,ASN1_F_PKCS7_SIGNER_INFO_NEW,0), "PKCS7_SIGNER_INFO_NEW"}, {ERR_PACK(0,ASN1_F_PKCS7_SIGN_ENVELOPE_NEW,0), "PKCS7_SIGN_ENVELOPE_NEW"}, +{ERR_PACK(0,ASN1_F_PKEY_USAGE_PERIOD_NEW,0), "PKEY_USAGE_PERIOD_NEW"}, {ERR_PACK(0,ASN1_F_X509_ALGOR_NEW,0), "X509_ALGOR_NEW"}, {ERR_PACK(0,ASN1_F_X509_ATTRIBUTE_NEW,0), "X509_ATTRIBUTE_NEW"}, {ERR_PACK(0,ASN1_F_X509_CINF_NEW,0), "X509_CINF_NEW"}, diff --git a/crypto/x509v3/Makefile.ssl b/crypto/x509v3/Makefile.ssl index 3608bbed94..500cfd3935 100644 --- a/crypto/x509v3/Makefile.ssl 
+++ b/crypto/x509v3/Makefile.ssl @@ -23,9 +23,10 @@ APPS= LIB=$(TOP)/libcrypto.a LIBSRC= v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c \ -v3_lib.c v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c +v3_lib.c v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c \ +v3_pku.c LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \ -v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o +v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o SRC= $(LIBSRC) diff --git a/crypto/x509v3/v3_akey.c b/crypto/x509v3/v3_akey.c index e3b84601be..bef9b77943 100644 --- a/crypto/x509v3/v3_akey.c +++ b/crypto/x509v3/v3_akey.c 
@@ -175,11 +175,97 @@ STACK *extlist; return extlist; } +/* Currently two options: + * keyid: use the issuers subject keyid, the value 'always' means its is + * an error if the issuer certificate doesn't have a key id. + * issuer: use the issuers cert issuer and serial number. The default is + * to only use this if keyid is not present. With the option 'always' + * this is always included. + */ + static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(method, ctx, values) X509V3_EXT_METHOD *method; X509V3_CTX *ctx; STACK *values; { +char keyid=0, issuer=0; +int i; +CONF_VALUE *cnf; +ASN1_OCTET_STRING *ikeyid = NULL; +X509_NAME *isname = NULL; +STACK * gens = NULL; +GENERAL_NAME *gen = NULL; +ASN1_INTEGER *serial = NULL; +X509_EXTENSION *ext; +X509 *cert; +AUTHORITY_KEYID *akeyid; +for(i = 0; i < sk_num(values); i++) { + cnf = (CONF_VALUE *)sk_value(values, i); + if(!strcmp(cnf->name, "keyid")) { + keyid = 1; + if(cnf->value && !strcmp(cnf->value, "always")) keyid = 2; + } else if(!strcmp(cnf->name, "issuer")) { + issuer = 1; + if(cnf->value && !strcmp(cnf->value, "always")) issuer = 2; + } else { + X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNKNOWN_OPTION); + ERR_add_error_data(2, "name=", cnf->name); + return NULL; + } +} + + + +if(!ctx || !ctx->issuer_cert) { + if(ctx && (ctx->flags==CTX_TEST)) return AUTHORITY_KEYID_new(); + X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_NO_ISSUER_CERTIFICATE); + return NULL; +} + +cert = ctx->issuer_cert; + +if(keyid) { + i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1); + if((i >= 0) && (ext = X509_get_ext(cert, i))) + ikeyid = (ASN1_OCTET_STRING *) X509V3_EXT_d2i(ext); + if(keyid==2 && !ikeyid) { + X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_KEYID); + return NULL; + } +} + +if((issuer && !ikeyid) || (issuer == 2)) { + isname = X509_NAME_dup(X509_get_issuer_name(cert)); + serial = ASN1_INTEGER_dup(X509_get_serialNumber(cert)); + if(!isname || !serial) { + 
X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS); + goto err; + } +} + +if(!(akeyid = AUTHORITY_KEYID_new())) goto err; + +if(isname) { + if(!(gens = sk_new(NULL)) || !(gen = GENERAL_NAME_new()) + || !sk_push(gens, (char *)gen)) { + X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,ERR_R_MALLOC_FAILURE); + goto err; + } + gen->type = GEN_DIRNAME; + gen->d.dirn = isname; +} + +akeyid->issuer = gens; +akeyid->serial = serial; +akeyid->keyid = ikeyid; + +return akeyid; + +err: +X509_NAME_free(isname); +ASN1_INTEGER_free(serial); +ASN1_OCTET_STRING_free(ikeyid); return NULL; + } diff --git a/crypto/x509v3/v3_lib.c b/crypto/x509v3/v3_lib.c index 3fb21fbe25..c9e9cbaadf 100644 --- a/crypto/x509v3/v3_lib.c +++ b/crypto/x509v3/v3_lib.c @@ -147,6 +147,7 @@ X509V3_EXT_METHOD *ext; } extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku; +extern X509V3_EXT_METHOD v3_pkey_usage_period; extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id; int X509V3_add_standard_extensions() @@ -159,5 +160,19 @@ int X509V3_add_standard_extensions() X509V3_EXT_add(&v3_ext_ku); X509V3_EXT_add(&v3_skey_id); X509V3_EXT_add(&v3_akey_id); + X509V3_EXT_add(&v3_pkey_usage_period); return 1; } + +/* Return an extension internal structure */ + +char *X509V3_EXT_d2i(ext) +X509_EXTENSION *ext; +{ + X509V3_EXT_METHOD *method; + unsigned char *p; + if(!(method = X509V3_EXT_get(ext)) || !method->d2i) return NULL; + p = ext->value->data; + return method->d2i(NULL, &p, ext->value->length); +} + diff --git a/crypto/x509v3/v3err.c b/crypto/x509v3/v3err.c index 7cbb821817..50dff95263 100644 --- a/crypto/x509v3/v3err.c +++ b/crypto/x509v3/v3err.c 
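Review bot: The `err:` cleanup at the end of the hunk frees isname, serial and ikeyid but never akeyid, gens or gen, so the ERR_R_MALLOC_FAILURE branch inside `if(isname)` leaks the AUTHORITY_KEYID just returned by AUTHORITY_KEYID_new plus whichever of sk_new and GENERAL_NAME_new had already succeeded. The earlier `goto err` after the X509_NAME_dup/ASN1_INTEGER_dup failure runs before akeyid is assigned, so it must be initialised to NULL before the cleanup can free it. At every point that reaches err, gen has not been pushed into gens and has no d.dirn yet, so it can be freed on its own without double-freeing isname. The existing cleanup already relies on the free routines tolerating NULL (isname and serial may be unset there); the rewrite below assumes sk_free and GENERAL_NAME_free do the same.
```c
AUTHORITY_KEYID *akeyid = NULL;
/* … unchanged: option parsing, issuer-certificate lookup, keyid/issuer/serial extraction … */
if(!(akeyid = AUTHORITY_KEYID_new())) goto err;
/* … unchanged: GENERAL_NAME construction and field assignment … */
return akeyid;

err:
/* gen only reaches here when sk_push failed, so gens does not own it */
GENERAL_NAME_free(gen);
sk_free(gens);
AUTHORITY_KEYID_free(akeyid);
X509_NAME_free(isname);
ASN1_INTEGER_free(serial);
ASN1_OCTET_STRING_free(ikeyid);
return NULL;
```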
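Review bot: X509V3_EXT_d2i hands the caller a freshly decoded structure but nothing says who owns it or what frees it; `return method->d2i(NULL, &p, ext->value->length);` passes NULL for the output pointer, so a new object is allocated on every call. I would replace the one-line `/* Return an extension internal structure */` with a Doxygen-style comment stating that it returns NULL when no method is registered for the extension or the method has no d2i, that the returned object is owned by the caller and must be freed with the free routine matching that extension's type (v3_akey.c frees the subject key id obtained this way with ASN1_OCTET_STRING_free), and that a decode failure is presumably reported only through the error queue. Separately, the registration `X509V3_EXT_add(&v3_pkey_usage_period);` and the extern in the preceding hunk refer to a v3_pku.c that, as far as this diff shows, is not included, so libcrypto will not link until that file lands.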
@@ -70,6 +70,7 @@ static ERR_STRING_DATA X509V3_str_functs[]= {ERR_PACK(0,X509V3_F_S2I_S2I_SKEY_ID,0), "S2I_S2I_SKEY_ID"}, {ERR_PACK(0,X509V3_F_STRING_TO_HEX,0), "string_to_hex"}, {ERR_PACK(0,X509V3_F_V2I_ASN1_BIT_STRING,0), "V2I_ASN1_BIT_STRING"}, +{ERR_PACK(0,X509V3_F_V2I_AUTHORITY_KEYID,0), "V2I_AUTHORITY_KEYID"}, {ERR_PACK(0,X509V3_F_V2I_BASIC_CONSTRAINTS,0), "V2I_BASIC_CONSTRAINTS"}, {ERR_PACK(0,X509V3_F_V2I_EXT_KU,0), "V2I_EXT_KU"}, {ERR_PACK(0,X509V3_F_V2I_GENERAL_NAME,0), "v2i_GENERAL_NAME"}, @@ -103,9 +104,13 @@ static ERR_STRING_DATA X509V3_str_reasons[]= {X509V3_R_INVALID_NULL_NAME ,"invalid null name"}, {X509V3_R_INVALID_NULL_VALUE ,"invalid null value"}, {X509V3_R_INVALID_OBJECT_IDENTIFIER ,"invalid object identifier"}, +{X509V3_R_NO_ISSUER_CERTIFICATE ,"no issuer certificate"}, {X509V3_R_NO_PUBLIC_KEY ,"no public key"}, {X509V3_R_ODD_NUMBER_OF_DIGITS ,"odd number of digits"}, +{X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS ,"unable to get issuer details"}, +{X509V3_R_UNABLE_TO_GET_ISSUER_KEYID ,"unable to get issuer keyid"}, {X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT ,"unknown bit string argument"}, +{X509V3_R_UNKNOWN_OPTION ,"unknown option"}, {X509V3_R_UNSUPPORTED_OPTION ,"unsupported option"}, {0,NULL}, }; diff --git a/crypto/x509v3/x509v3.err b/crypto/x509v3/x509v3.err index 1aa2a8a87d..0b9fb62d2b 100644 --- a/crypto/x509v3/x509v3.err +++ b/crypto/x509v3/x509v3.err @@ -8,6 +8,7 @@ #define X509V3_F_S2I_S2I_SKEY_ID 115 #define X509V3_F_STRING_TO_HEX 113 #define X509V3_F_V2I_ASN1_BIT_STRING 101 +#define X509V3_F_V2I_AUTHORITY_KEYID 119 #define X509V3_F_V2I_BASIC_CONSTRAINTS 102 #define X509V3_F_V2I_EXT_KU 103 #define X509V3_F_V2I_GENERAL_NAME 117 
@@ -38,7 +39,11 @@ #define X509V3_R_INVALID_NULL_NAME 108 #define X509V3_R_INVALID_NULL_VALUE 109 #define X509V3_R_INVALID_OBJECT_IDENTIFIER 110 +#define X509V3_R_NO_ISSUER_CERTIFICATE 121 #define X509V3_R_NO_PUBLIC_KEY 114 #define X509V3_R_ODD_NUMBER_OF_DIGITS 112 +#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 122 +#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 123 #define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 111 +#define X509V3_R_UNKNOWN_OPTION 120 #define X509V3_R_UNSUPPORTED_OPTION 117 diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h index 09cf489802..75a18b908a 100644 --- a/crypto/x509v3/x509v3.h +++ b/crypto/x509v3/x509v3.h @@ -141,6 +141,11 @@ STACK *issuer; ASN1_INTEGER *serial; } AUTHORITY_KEYID; +typedef struct { +ASN1_GENERALIZEDTIME *notBefore; +ASN1_GENERALIZEDTIME *notAfter; +} PKEY_USAGE_PERIOD; + typedef struct { #define GEN_OTHERNAME (0|V_ASN1_CONTEXT_SPECIFIC) @@ -211,6 +216,11 @@ AUTHORITY_KEYID *d2i_AUTHORITY_KEYID(AUTHORITY_KEYID **a, unsigned char **pp, lo AUTHORITY_KEYID *AUTHORITY_KEYID_new(void); void AUTHORITY_KEYID_free(AUTHORITY_KEYID *a); +int i2d_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD *a, unsigned char **pp); +PKEY_USAGE_PERIOD *d2i_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD **a, unsigned char **pp, long length); +PKEY_USAGE_PERIOD *PKEY_USAGE_PERIOD_new(void); +void PKEY_USAGE_PERIOD_free(PKEY_USAGE_PERIOD *a); + STACK *GENERAL_NAMES_new(void); void GENERAL_NAMES_free(STACK *a); STACK *d2i_GENERAL_NAMES(STACK **a, unsigned char **pp, long length); @@ -248,6 +258,7 @@ X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext); X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid); int X509V3_add_standard_extensions(void); STACK *X509V3_parse_list(char *line); +char *X509V3_EXT_d2i(X509_EXTENSION *ext); char *hex_to_string(unsigned char *buffer, long len); unsigned char *string_to_hex(char *str, long *len); 
@@ -271,6 +282,11 @@ void GENERAL_NAME_free(); STACK *i2v_GENERAL_NAME(); GENERAL_NAME *v2i_GENERAL_NAME(); +int i2d_PKEY_USAGE_PERIOD(); +PKEY_USAGE_PERIOD *d2i_PKEY_USAGE_PERIOD(); +PKEY_USAGE_PERIOD *PKEY_USAGE_PERIOD_new(); +void PKEY_USAGE_PERIOD_free(); + STACK *GENERAL_NAMES_new(): void GENERAL_NAMES_free(): STACK *d2i_GENERAL_NAMES(); @@ -307,6 +323,7 @@ X509V3_EXT_METHOD *X509V3_EXT_get(); X509V3_EXT_METHOD *X509V3_EXT_get_nid(); int X509V3_add_standard_extensions(); STACK *X509V3_parse_list(); +char *X509V3_EXT_get_d2i(); char *hex_to_string(); unsigned char *string_to_hex(); @@ -327,6 +344,7 @@ int X509V3_EXT_print_fp(); #define X509V3_F_S2I_S2I_SKEY_ID 115 #define X509V3_F_STRING_TO_HEX 113 #define X509V3_F_V2I_ASN1_BIT_STRING 101 +#define X509V3_F_V2I_AUTHORITY_KEYID 119 #define X509V3_F_V2I_BASIC_CONSTRAINTS 102 #define X509V3_F_V2I_EXT_KU 103 #define X509V3_F_V2I_GENERAL_NAME 117 @@ -357,9 +375,13 @@ int X509V3_EXT_print_fp(); #define X509V3_R_INVALID_NULL_NAME 108 #define X509V3_R_INVALID_NULL_VALUE 109 #define X509V3_R_INVALID_OBJECT_IDENTIFIER 110 +#define X509V3_R_NO_ISSUER_CERTIFICATE 121 #define X509V3_R_NO_PUBLIC_KEY 114 #define X509V3_R_ODD_NUMBER_OF_DIGITS 112 +#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 122 +#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 123 #define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 111 +#define X509V3_R_UNKNOWN_OPTION 120 #define X509V3_R_UNSUPPORTED_OPTION 117 #ifdef __cplusplus
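Review bot: The non-ANSI prototype `char *X509V3_EXT_get_d2i();` declares a function that does not exist: the ANSI prototype earlier in this file and the definition in crypto/x509v3/v3_lib.c both use the name X509V3_EXT_d2i, so a build taking the non-ANSI branch would presumably see an implicit declaration for the real function and an unused one for the phantom. Change the line to `char *X509V3_EXT_d2i();`. In the preceding hunk of this file the context lines `STACK *GENERAL_NAMES_new():` and `void GENERAL_NAMES_free():` end in a colon rather than a semicolon; that predates this commit, but it breaks the same branch and is worth fixing while the block is being touched.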