From 6447cce37251e6d947279a3fd6874e59ed0d3d2d Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 29 Dec 1999 00:40:28 +0000 Subject: [PATCH] Simplify the trust structure: basically zap the bit strings and represent everything by OIDs. --- CHANGES | 13 ++++++ apps/x509.c | 49 ++++++++++------------ crypto/asn1/t_x509a.c | 54 +++++-------------------- crypto/asn1/x_x509a.c | 92 +++++++++++++++++------------------------- crypto/x509/x509.h | 28 ++++--------- crypto/x509/x509_trs.c | 61 +++++++++++++++++++--------- crypto/x509v3/x509v3.h | 1 - util/libeay.num | 8 ++-- 8 files changed, 134 insertions(+), 172 deletions(-) diff --git a/CHANGES b/CHANGES index b612be6577..abef4942d3 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,19 @@ Changes between 0.9.4 and 0.9.5 [xx XXX 1999] + *) Simplify the trust setting structure and code. Now we just have + two sequences of OIDs for trusted and rejected settings. These will + typically have values the same as the extended key usage extension + and any application specific purposes. + + The trust checking code now has a default behaviour: it will just + check for an object with the same NID as the passed id. Functions can + be provided to override either the default behaviour or the behaviour + for a given id. SSL client, server and email already have functions + in place for compatability: they check the NID and also return "trusted" + if the certificate is self signed. + [Steve Henson] + *) Add d2i,i2d bio/fp functions for PrivateKey: these convert the traditional format into an EVP_PKEY structure. [Steve Henson] diff --git a/apps/x509.c b/apps/x509.c index 797ee39c7e..04cae31481 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -146,15 +146,16 @@ int MAIN(int argc, char **argv) int ret=1; X509_REQ *req=NULL; X509 *x=NULL,*xca=NULL; + ASN1_OBJECT *objtmp; EVP_PKEY *Upkey=NULL,*CApkey=NULL; int i,num,badops=0; BIO *out=NULL; BIO *STDout=NULL; - STACK *trust = NULL, *reject = NULL; + STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL; int informat,outformat,keyformat,CAformat,CAkeyformat; char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL; char *CAkeyfile=NULL,*CAserial=NULL; - char *alias=NULL, *trstr=NULL; + char *alias=NULL; int text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0; int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0; int trustout=0,clrtrust=0,clrreject=0,aliasout=0; @@ -297,27 +298,25 @@ int MAIN(int argc, char **argv) else if (strcmp(*argv,"-addtrust") == 0) { if (--argc < 1) goto bad; - trstr= *(++argv); - if(!X509_trust_set_bit_asc(NULL, trstr, 0)) { + if(!(objtmp = OBJ_txt2obj(*(++argv), 0))) { BIO_printf(bio_err, - "Unknown trust value %s\n", trstr); + "Invalid trust object value %s\n", *argv); goto bad; } - if(!trust) trust = sk_new_null(); - sk_push(trust, trstr); + if(!trust) trust = sk_ASN1_OBJECT_new_null(); + sk_ASN1_OBJECT_push(trust, objtmp); trustout = 1; } else if (strcmp(*argv,"-addreject") == 0) { if (--argc < 1) goto bad; - trstr= *(++argv); - if(!X509_reject_set_bit_asc(NULL, trstr, 0)) { + if(!(objtmp = OBJ_txt2obj(*(++argv), 0))) { BIO_printf(bio_err, - "Unknown trust value %s\n", trstr); + "Invalid reject object value %s\n", *argv); goto bad; } - if(!reject) reject = sk_new_null(); - sk_push(reject, trstr); + if(!reject) reject = sk_ASN1_OBJECT_new_null(); + sk_ASN1_OBJECT_push(reject, objtmp); trustout = 1; } else if (strcmp(*argv,"-setalias") == 0) @@ -521,15 +520,9 @@ bad: X509_gmtime_adj(X509_get_notBefore(x),0); X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days); -#if 0 - X509_PUBKEY_free(ci->key); - ci->key=req->req_info->pubkey; - req->req_info->pubkey=NULL; -#else pkey = X509_REQ_get_pubkey(req); X509_set_pubkey(x,pkey); EVP_PKEY_free(pkey); -#endif } else x=load_cert(infile,informat); @@ -566,23 +559,21 @@ bad: if(alias) X509_alias_set(x, (unsigned char *)alias, -1); - if(clrtrust) X509_trust_set_bit(x, -1, 0); - if(clrreject) X509_reject_set_bit(x, -1, 0); + if(clrtrust) X509_trust_clear(x); + if(clrreject) X509_reject_clear(x); if(trust) { - for(i = 0; i < sk_num(trust); i++) { - trstr = sk_value(trust, i); - X509_trust_set_bit_asc(x, trstr, 1); + for(i = 0; i < sk_ASN1_OBJECT_num(trust); i++) { + objtmp = sk_ASN1_OBJECT_value(trust, i); + X509_radd_trust_object(x, objtmp); } - sk_free(trust); } if(reject) { - for(i = 0; i < sk_num(reject); i++) { - trstr = sk_value(reject, i); - X509_reject_set_bit_asc(x, trstr, 1); + for(i = 0; i < sk_ASN1_OBJECT_num(reject); i++) { + objtmp = sk_ASN1_OBJECT_value(reject, i); + X509_radd_reject_object(x, objtmp); } - sk_free(reject); } if (num) @@ -887,6 +878,8 @@ end: EVP_PKEY_free(Upkey); EVP_PKEY_free(CApkey); X509_REQ_free(rq); + sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free); + sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free); EXIT(ret); } diff --git a/crypto/asn1/t_x509a.c b/crypto/asn1/t_x509a.c index 0e342723aa..a18ebb586c 100644 --- a/crypto/asn1/t_x509a.c +++ b/crypto/asn1/t_x509a.c @@ -65,73 +65,37 @@ /* X509_CERT_AUX and string set routines */ -static BIT_STRING_BITNAME tbits[] = { -{X509_TRUST_BIT_ALL, "All Purposes", "all"}, -{X509_TRUST_BIT_SSL_CLIENT, "SSL client", "sslclient"}, -{X509_TRUST_BIT_SSL_SERVER, "SSL server", "sslserver"}, -{X509_TRUST_BIT_EMAIL, "S/MIME email", "email"}, -{X509_TRUST_BIT_OBJECT_SIGN, "Object Signing", "objsign"}, -{-1, NULL, NULL} -}; - -int X509_trust_set_bit_asc(X509 *x, char *str, int value) -{ - int bitnum; - bitnum = ASN1_BIT_STRING_num_asc(str, tbits); - if(bitnum < 0) return 0; - if(x) return X509_trust_set_bit(x, bitnum, value); - return 1; -} - -int X509_reject_set_bit_asc(X509 *x, char *str, int value) -{ - int bitnum; - bitnum = ASN1_BIT_STRING_num_asc(str, tbits); - if(bitnum < 0) return 0; - if(x) return X509_reject_set_bit(x, bitnum, value); - return 1; -} - - int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent) { char oidstr[80], first; int i; if(!aux) return 1; if(aux->trust) { - BIO_printf(out, "%*sTrusted Uses:\n", indent, ""); - ASN1_BIT_STRING_name_print(out, aux->trust, tbits, indent + 2); - } else BIO_printf(out, "%*sNo Trusted Uses.\n", indent, ""); - if(aux->reject) { - BIO_printf(out, "%*sRejected Uses:\n", indent, ""); - ASN1_BIT_STRING_name_print(out, aux->reject, tbits, indent + 2); - } else BIO_printf(out, "%*sNo Rejected Uses.\n", indent, ""); - if(aux->othertrust) { first = 1; - BIO_printf(out, "%*sOther Trusted Uses:\n%*s", + BIO_printf(out, "%*sTrusted Uses:\n%*s", indent, "", indent + 2, ""); - for(i = 0; i < sk_ASN1_OBJECT_num(aux->othertrust); i++) { + for(i = 0; i < sk_ASN1_OBJECT_num(aux->trust); i++) { if(!first) BIO_puts(out, ", "); else first = 0; OBJ_obj2txt(oidstr, 80, - sk_ASN1_OBJECT_value(aux->othertrust, i), 0); + sk_ASN1_OBJECT_value(aux->trust, i), 0); BIO_puts(out, oidstr); } BIO_puts(out, "\n"); - } - if(aux->otherreject) { + } else BIO_printf(out, "%*sNo Trusted Uses.\n", indent, ""); + if(aux->reject) { first = 1; - BIO_printf(out, "%*sOther Rejected Uses:\n%*s", + BIO_printf(out, "%*sRejected Uses:\n%*s", indent, "", indent + 2, ""); - for(i = 0; i < sk_ASN1_OBJECT_num(aux->otherreject); i++) { + for(i = 0; i < sk_ASN1_OBJECT_num(aux->reject); i++) { if(!first) BIO_puts(out, ", "); else first = 0; OBJ_obj2txt(oidstr, 80, - sk_ASN1_OBJECT_value(aux->otherreject, i), 0); + sk_ASN1_OBJECT_value(aux->reject, i), 0); BIO_puts(out, oidstr); } BIO_puts(out, "\n"); - } + } else BIO_printf(out, "%*sNo Rejected Uses.\n", indent, ""); if(aux->alias) BIO_printf(out, "%*sAlias: %s\n", indent, "", aux->alias->data); return 1; diff --git a/crypto/asn1/x_x509a.c b/crypto/asn1/x_x509a.c index 1b95764251..0535f39d74 100644 --- a/crypto/asn1/x_x509a.c +++ b/crypto/asn1/x_x509a.c @@ -78,16 +78,12 @@ X509_CERT_AUX *d2i_X509_CERT_AUX(X509_CERT_AUX **a, unsigned char **pp, long len M_ASN1_D2I_Init(); M_ASN1_D2I_start_sequence(); - M_ASN1_D2I_get_opt(ret->trust, d2i_ASN1_BIT_STRING, - V_ASN1_BIT_STRING); - M_ASN1_D2I_get_IMP_opt(ret->reject, d2i_ASN1_BIT_STRING,0, - V_ASN1_BIT_STRING); - - M_ASN1_D2I_get_seq_opt_type(ASN1_OBJECT, ret->othertrust, + M_ASN1_D2I_get_seq_opt_type(ASN1_OBJECT, ret->trust, d2i_ASN1_OBJECT, ASN1_OBJECT_free); - M_ASN1_D2I_get_IMP_set_opt_type(ASN1_OBJECT, ret->otherreject, - d2i_ASN1_OBJECT, ASN1_OBJECT_free, 1); + M_ASN1_D2I_get_IMP_set_opt_type(ASN1_OBJECT, ret->reject, + d2i_ASN1_OBJECT, ASN1_OBJECT_free, 0); M_ASN1_D2I_get_opt(ret->alias, d2i_ASN1_UTF8STRING, V_ASN1_UTF8STRING); + M_ASN1_D2I_get_opt(ret->keyid, d2i_ASN1_OCTET_STRING, V_ASN1_OCTET_STRING); M_ASN1_D2I_get_opt(ret->other, d2i_ASN1_TYPE, V_ASN1_SEQUENCE); M_ASN1_D2I_Finish(a, X509_CERT_AUX_free, ASN1_F_D2I_X509_CERT_AUX); @@ -100,9 +96,8 @@ X509_CERT_AUX *X509_CERT_AUX_new() M_ASN1_New_Malloc(ret, X509_CERT_AUX); ret->trust = NULL; ret->reject = NULL; - ret->othertrust = NULL; - ret->otherreject = NULL; ret->alias = NULL; + ret->keyid = NULL; ret->other = NULL; return(ret); M_ASN1_New_Error(ASN1_F_X509_CERT_AUX_NEW); @@ -111,11 +106,10 @@ X509_CERT_AUX *X509_CERT_AUX_new() void X509_CERT_AUX_free(X509_CERT_AUX *a) { if(a == NULL) return; - ASN1_BIT_STRING_free(a->trust); - ASN1_BIT_STRING_free(a->reject); - sk_ASN1_OBJECT_pop_free(a->othertrust, ASN1_OBJECT_free); - sk_ASN1_OBJECT_pop_free(a->otherreject, ASN1_OBJECT_free); + sk_ASN1_OBJECT_pop_free(a->trust, ASN1_OBJECT_free); + sk_ASN1_OBJECT_pop_free(a->reject, ASN1_OBJECT_free); ASN1_UTF8STRING_free(a->alias); + ASN1_OCTET_STRING_free(a->keyid); ASN1_TYPE_free(a->other); Free((char *)a); } @@ -124,24 +118,20 @@ int i2d_X509_CERT_AUX(X509_CERT_AUX *a, unsigned char **pp) { M_ASN1_I2D_vars(a); - M_ASN1_I2D_len(a->trust, i2d_ASN1_BIT_STRING); - M_ASN1_I2D_len_IMP_opt(a->reject, i2d_ASN1_BIT_STRING); - - M_ASN1_I2D_len_SEQUENCE_opt_type(ASN1_OBJECT, a->othertrust, i2d_ASN1_OBJECT); - M_ASN1_I2D_len_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->otherreject, i2d_ASN1_OBJECT, 1); + M_ASN1_I2D_len_SEQUENCE_opt_type(ASN1_OBJECT, a->trust, i2d_ASN1_OBJECT); + M_ASN1_I2D_len_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->reject, i2d_ASN1_OBJECT, 0); M_ASN1_I2D_len(a->alias, i2d_ASN1_UTF8STRING); + M_ASN1_I2D_len(a->keyid, i2d_ASN1_OCTET_STRING); M_ASN1_I2D_len(a->other, i2d_ASN1_TYPE); M_ASN1_I2D_seq_total(); - M_ASN1_I2D_put(a->trust, i2d_ASN1_BIT_STRING); - M_ASN1_I2D_put_IMP_opt(a->reject, i2d_ASN1_BIT_STRING, 0); - - M_ASN1_I2D_put_SEQUENCE_opt_type(ASN1_OBJECT, a->othertrust, i2d_ASN1_OBJECT); - M_ASN1_I2D_put_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->otherreject, i2d_ASN1_OBJECT, 1); + M_ASN1_I2D_put_SEQUENCE_opt_type(ASN1_OBJECT, a->trust, i2d_ASN1_OBJECT); + M_ASN1_I2D_put_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->reject, i2d_ASN1_OBJECT, 0); M_ASN1_I2D_put(a->alias, i2d_ASN1_UTF8STRING); + M_ASN1_I2D_put(a->keyid, i2d_ASN1_OCTET_STRING); M_ASN1_I2D_put(a->other, i2d_ASN1_TYPE); M_ASN1_I2D_finish(); @@ -169,51 +159,41 @@ unsigned char *X509_alias_get(X509 *x, int *len) return x->aux->alias->data; } -int X509_trust_set_bit(X509 *x, int bit, int value) +int X509_radd_trust_object(X509 *x, ASN1_OBJECT *obj) { X509_CERT_AUX *aux; - if(bit == -1) { - if(x->aux && x->aux->trust) { - ASN1_BIT_STRING_free(x->aux->trust); - x->aux->trust = NULL; - } - return 1; - } + ASN1_OBJECT *objtmp; + if(!(objtmp = OBJ_dup(obj))) return 0; if(!(aux = aux_get(x))) return 0; - if(!aux->trust && !(aux->trust = ASN1_BIT_STRING_new())) return 0; - return ASN1_BIT_STRING_set_bit(aux->trust, bit, value); + if(!aux->trust + && !(aux->trust = sk_ASN1_OBJECT_new_null())) return 0; + return sk_ASN1_OBJECT_push(aux->trust, objtmp); } -int X509_reject_set_bit(X509 *x, int bit, int value) +int X509_radd_reject_object(X509 *x, ASN1_OBJECT *obj) { X509_CERT_AUX *aux; - if(bit == -1) { - if(x->aux && x->aux->reject) { - ASN1_BIT_STRING_free(x->aux->reject); - x->aux->reject = NULL; - } - return 1; - } + ASN1_OBJECT *objtmp; + if(!(objtmp = OBJ_dup(obj))) return 0; if(!(aux = aux_get(x))) return 0; - if(!aux->reject && !(aux->reject = ASN1_BIT_STRING_new())) return 0; - return ASN1_BIT_STRING_set_bit(aux->reject, bit, value); + if(!aux->reject + && !(aux->reject = sk_ASN1_OBJECT_new_null())) return 0; + return sk_ASN1_OBJECT_push(aux->reject, objtmp); } -int X509_add_trust_object(X509 *x, ASN1_OBJECT *obj) +void X509_trust_clear(X509 *x) { - X509_CERT_AUX *aux; - if(!(aux = aux_get(x))) return 0; - if(!aux->othertrust - && !(aux->othertrust = sk_ASN1_OBJECT_new_null())) return 0; - return sk_ASN1_OBJECT_push(aux->othertrust, obj); + if(x->aux && x->aux->trust) { + sk_ASN1_OBJECT_pop_free(x->aux->trust, ASN1_OBJECT_free); + x->aux->trust = NULL; + } } -int X509_add_reject_object(X509 *x, ASN1_OBJECT *obj) +void X509_reject_clear(X509 *x) { - X509_CERT_AUX *aux; - if(!(aux = aux_get(x))) return 0; - if(!aux->otherreject - && !(aux->otherreject = sk_ASN1_OBJECT_new_null())) return 0; - return sk_ASN1_OBJECT_push(aux->otherreject, obj); + if(x->aux && x->aux->reject) { + sk_ASN1_OBJECT_pop_free(x->aux->reject, ASN1_OBJECT_free); + x->aux->reject = NULL; + } } diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h index 90bebb17a8..a11f9bc02c 100644 --- a/crypto/x509/x509.h +++ b/crypto/x509/x509.h @@ -236,22 +236,12 @@ typedef struct x509_cinf_st * the end of the certificate itself */ -/* Bit values for trust/reject */ - -#define X509_TRUST_BIT_ALL 0 -#define X509_TRUST_BIT_SSL_CLIENT 1 -#define X509_TRUST_BIT_SSL_SERVER 2 -#define X509_TRUST_BIT_EMAIL 3 -#define X509_TRUST_BIT_OBJECT_SIGN 4 - - typedef struct x509_cert_aux_st { - ASN1_BIT_STRING *trust; /* trusted uses */ - ASN1_BIT_STRING *reject; /* rejected uses */ - STACK_OF(ASN1_OBJECT) *othertrust; /* extra uses */ - STACK_OF(ASN1_OBJECT) *otherreject; /* extra rejected uses */ + STACK_OF(ASN1_OBJECT) *trust; /* trusted uses */ + STACK_OF(ASN1_OBJECT) *reject; /* rejected uses */ ASN1_UTF8STRING *alias; /* "friendly name" */ + ASN1_OCTET_STRING *keyid; /* key id of private key */ ASN1_TYPE *other; /* other unspecified info */ } X509_CERT_AUX; @@ -830,13 +820,11 @@ X509_CERT_AUX * d2i_X509_CERT_AUX(X509_CERT_AUX **a,unsigned char **pp, long length); int X509_alias_set(X509 *x, unsigned char *name, int len); unsigned char * X509_alias_get(X509 *x, int *len); -int X509_trust_set_bit(X509 *x, int bit, int value); -int X509_reject_set_bit(X509 *x, int bit, int value); -int X509_add_trust_object(X509 *x, ASN1_OBJECT *obj); -int X509_add_reject_object(X509 *x, ASN1_OBJECT *obj); - -int X509_trust_set_bit_asc(X509 *x, char *str, int value); -int X509_reject_set_bit_asc(X509 *x, char *str, int value); +int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int); +int X509_radd_trust_object(X509 *x, ASN1_OBJECT *obj); +int X509_radd_reject_object(X509 *x, ASN1_OBJECT *obj); +void X509_trust_clear(X509 *x); +void X509_reject_clear(X509 *x); X509_REVOKED * X509_REVOKED_new(void); void X509_REVOKED_free(X509_REVOKED *a); diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c index f96f5f9b26..8a632db7b0 100644 --- a/crypto/x509/x509_trs.c +++ b/crypto/x509/x509_trs.c @@ -64,9 +64,12 @@ static int tr_cmp(X509_TRUST **a, X509_TRUST **b); static void trtable_free(X509_TRUST *p); -static int trust_1bit(X509_TRUST *trust, X509 *x, int flags); +static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags); static int trust_any(X509_TRUST *trust, X509 *x, int flags); +static int obj_trust(int id, X509 *x, int flags); +static int (*default_trust)(int id, X509 *x, int flags) = obj_trust; + /* WARNING: the following table should be kept in order of trust * and without any gaps so we can just subtract the minimum trust * value to get an index into the table @@ -74,10 +77,9 @@ static int trust_any(X509_TRUST *trust, X509 *x, int flags); static X509_TRUST trstandard[] = { {X509_TRUST_ANY, 0, trust_any, "Any", 0, NULL}, -{X509_TRUST_SSL_CLIENT, 0, trust_1bit, "SSL Client", X509_TRUST_BIT_SSL_CLIENT, NULL}, -{X509_TRUST_SSL_SERVER, 0, trust_1bit, "SSL Client", X509_TRUST_BIT_SSL_SERVER, NULL}, -{X509_TRUST_EMAIL, 0, trust_1bit, "S/MIME email", X509_TRUST_BIT_EMAIL, NULL}, -{X509_TRUST_OBJECT_SIGN, 0, trust_1bit, "Object Signing", X509_TRUST_BIT_OBJECT_SIGN, NULL}, +{X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL}, +{X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Client", NID_server_auth, NULL}, +{X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL}, }; #define X509_TRUST_COUNT (sizeof(trstandard)/sizeof(X509_TRUST)) @@ -91,12 +93,22 @@ static int tr_cmp(X509_TRUST **a, X509_TRUST **b) return (*a)->trust - (*b)->trust; } +int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int) +{ +int (*oldtrust)(int , X509 *, int); +oldtrust = default_trust; +default_trust = trust; +return oldtrust; +} + + int X509_check_trust(X509 *x, int id, int flags) { X509_TRUST *pt; int idx; if(id == -1) return 1; - if(!(idx = X509_TRUST_get_by_id(id))) return 0; + if(!(idx = X509_TRUST_get_by_id(id))) + return default_trust(id, x, flags); pt = X509_TRUST_iget(idx); return pt->check_trust(pt, x, flags); } @@ -212,20 +224,9 @@ int X509_TRUST_get_trust(X509_TRUST *xp) return xp->trust; } -static int trust_1bit(X509_TRUST *trust, X509 *x, int flags) +static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags) { - X509_CERT_AUX *ax; - ax = x->aux; - if(ax) { - if(ax->reject - && ( ASN1_BIT_STRING_get_bit(ax->reject, X509_TRUST_BIT_ALL) - || ASN1_BIT_STRING_get_bit(ax->reject, trust->arg1))) - return X509_TRUST_REJECTED; - if(ax->trust && (ASN1_BIT_STRING_get_bit(ax->trust, X509_TRUST_BIT_ALL) - || ASN1_BIT_STRING_get_bit(ax->trust, trust->arg1))) - return X509_TRUST_TRUSTED; - return X509_TRUST_UNTRUSTED; - } + if(x->aux) return obj_trust(trust->arg1, x, flags); /* we don't have any trust settings: for compatability * we return trusted if it is self signed */ @@ -234,6 +235,28 @@ static int trust_1bit(X509_TRUST *trust, X509 *x, int flags) else return X509_TRUST_UNTRUSTED; } +static int obj_trust(int id, X509 *x, int flags) +{ + ASN1_OBJECT *obj; + int i; + X509_CERT_AUX *ax; + ax = x->aux; + if(!ax) return X509_TRUST_UNTRUSTED; + if(ax->reject) { + for(i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) { + obj = sk_ASN1_OBJECT_value(ax->reject, i); + if(OBJ_obj2nid(obj) == id) return X509_TRUST_REJECTED; + } + } + if(ax->trust) { + for(i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) { + obj = sk_ASN1_OBJECT_value(ax->trust, i); + if(OBJ_obj2nid(obj) == id) return X509_TRUST_TRUSTED; + } + } + return X509_TRUST_UNTRUSTED; +} + static int trust_any(X509_TRUST *trust, X509 *x, int flags) { return X509_TRUST_TRUSTED; diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h index 5e988a98b8..b5a89c9cbb 100644 --- a/crypto/x509v3/x509v3.h +++ b/crypto/x509v3/x509v3.h @@ -542,7 +542,6 @@ char *X509_PURPOSE_iget_name(X509_PURPOSE *xp); char *X509_PURPOSE_iget_sname(X509_PURPOSE *xp); int X509_PURPOSE_get_trust(X509_PURPOSE *xp); void X509_PURPOSE_cleanup(void); -void X509_PURPOSE_add_standard(void); int X509_PURPOSE_get_id(X509_PURPOSE *); /* BEGIN ERROR CODES */ diff --git a/util/libeay.num b/util/libeay.num index b163ab24f3..a83b493007 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -1900,7 +1900,7 @@ sk_ASN1_STRING_TABLE_value 1924 ACCESS_DESCRIPTION_new 1925 X509_CERT_AUX_free 1926 d2i_ACCESS_DESCRIPTION 1927 -X509_PURPOSE_add_standard 1928 +X509_trust_clear 1928 sk_X509_PURPOSE_value 1929 sk_X509_PURPOSE_zero 1930 X509_TRUST_add 1931 @@ -2054,7 +2054,7 @@ X509_trust_set_bit 2078 sk_X509_PURPOSE_delete_ptr 2079 ASN1_BIT_STRING_free 2080 PEM_read_bio_RSA_PUBKEY 2081 -X509_add_reject_object 2082 +X509_radd_reject_object 2082 X509_check_trust 2083 sk_X509_TRUST_new_null 2084 sk_ACCESS_DESCRIPTION_new_null 2085 @@ -2112,7 +2112,7 @@ ASN1_STRING_length_set 2136 DIRECTORYSTRING_new 2137 sk_ASN1_STRING_TABLE_new 2138 sk_X509_TRUST_delete 2139 -X509_add_trust_object 2140 +X509_radd_trust_object 2140 PKCS12_newpass 2141 SMIME_write_PKCS7 2142 SMIME_read_PKCS7 2143 @@ -2156,3 +2156,5 @@ i2d_PrivateKey_fp 2180 d2i_PrivateKey_bio 2181 d2i_PrivateKey_fp 2182 i2d_PrivateKey_bio 2183 +X509_reject_clear 2184 +X509_TRUST_set_default 2185 -- 2.25.1