From e3e571925c40f4d9e0adfc7704e5df2057a13a19 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Mon, 31 Aug 2015 21:30:13 +0100 Subject: [PATCH] make X509_CRL opaque Reviewed-by: Tim Hudson --- apps/crl.c | 9 ++++-- crypto/asn1/t_crl.c | 1 + crypto/asn1/x_crl.c | 1 + crypto/include/internal/x509_int.h | 33 +++++++++++++++++++++ crypto/x509/by_dir.c | 1 + crypto/x509/x509_ext.c | 1 + crypto/x509/x509_lu.c | 1 + crypto/x509/x509_vfy.c | 1 + crypto/x509/x509cset.c | 35 ++++++++++++++++++++++ crypto/x509v3/v3_conf.c | 1 + include/openssl/x509.h | 47 ++++++------------------------ 11 files changed, 91 insertions(+), 40 deletions(-) diff --git a/apps/crl.c b/apps/crl.c index b4c9c75384..c0bf8749d2 100644 --- a/apps/crl.c +++ b/apps/crl.c @@ -358,8 +358,13 @@ int crl_main(int argc, char **argv) goto end; } - if (badsig) - x->signature->data[x->signature->length - 1] ^= 0x1; + if (badsig) { + ASN1_BIT_STRING *sig; + unsigned char *psig; + X509_CRL_get0_signature(&sig, NULL, x); + psig = ASN1_STRING_data(sig); + psig[ASN1_STRING_length(sig) - 1] ^= 0x1; + } if (outformat == FORMAT_ASN1) i = (int)i2d_X509_CRL_bio(out, x); diff --git a/crypto/asn1/t_crl.c b/crypto/asn1/t_crl.c index 96c5226a5c..06c61eae4e 100644 --- a/crypto/asn1/t_crl.c +++ b/crypto/asn1/t_crl.c @@ -63,6 +63,7 @@ #include #include #include +#include "internal/x509_int.h" #include #ifndef OPENSSL_NO_STDIO diff --git a/crypto/asn1/x_crl.c b/crypto/asn1/x_crl.c index d264ec7091..73f78c4175 100644 --- a/crypto/asn1/x_crl.c +++ b/crypto/asn1/x_crl.c @@ -61,6 +61,7 @@ #include #include "asn1_locl.h" #include +#include "internal/x509_int.h" #include static int X509_REVOKED_cmp(const X509_REVOKED *const *a, diff --git a/crypto/include/internal/x509_int.h b/crypto/include/internal/x509_int.h index 70abb2cd45..846a320902 100644 --- a/crypto/include/internal/x509_int.h +++ b/crypto/include/internal/x509_int.h @@ -105,3 +105,36 @@ struct X509_req_st { ASN1_BIT_STRING *signature; int references; }; + +struct X509_crl_info_st { + ASN1_INTEGER *version; + X509_ALGOR *sig_alg; + X509_NAME *issuer; + ASN1_TIME *lastUpdate; + ASN1_TIME *nextUpdate; + STACK_OF(X509_REVOKED) *revoked; + STACK_OF(X509_EXTENSION) /* [0] */ *extensions; + ASN1_ENCODING enc; +}; + +struct X509_crl_st { + /* actual signature */ + X509_CRL_INFO *crl; + X509_ALGOR *sig_alg; + ASN1_BIT_STRING *signature; + int references; + int flags; + /* Copies of various extensions */ + AUTHORITY_KEYID *akid; + ISSUING_DIST_POINT *idp; + /* Convenient breakdown of IDP */ + int idp_flags; + int idp_reasons; + /* CRL and base CRL numbers for delta processing */ + ASN1_INTEGER *crl_number; + ASN1_INTEGER *base_crl_number; + unsigned char sha1_hash[SHA_DIGEST_LENGTH]; + STACK_OF(GENERAL_NAMES) *issuers; + const X509_CRL_METHOD *meth; + void *meth_data; +}; diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c index cc91db84bc..bd6c3c8d6d 100644 --- a/crypto/x509/by_dir.c +++ b/crypto/x509/by_dir.c @@ -71,6 +71,7 @@ #include #include +#include "internal/x509_int.h" typedef struct lookup_dir_hashes_st { unsigned long hash; diff --git a/crypto/x509/x509_ext.c b/crypto/x509/x509_ext.c index 6bba5bbe7f..dc4670b89d 100644 --- a/crypto/x509/x509_ext.c +++ b/crypto/x509/x509_ext.c @@ -63,6 +63,7 @@ #include #include #include +#include "internal/x509_int.h" #include int X509_CRL_get_ext_count(X509_CRL *x) diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c index 3dae7fa41a..2bd8de63c9 100644 --- a/crypto/x509/x509_lu.c +++ b/crypto/x509/x509_lu.c @@ -60,6 +60,7 @@ #include "internal/cryptlib.h" #include #include +#include "internal/x509_int.h" #include #include "x509_lcl.h" diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 45d53a0f48..1376e4486b 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -69,6 +69,7 @@ #include #include #include +#include "internal/x509_int.h" #include "x509_lcl.h" /* CRL score values */ diff --git a/crypto/x509/x509cset.c b/crypto/x509/x509cset.c index c6873240af..ca3f6968af 100644 --- a/crypto/x509/x509cset.c +++ b/crypto/x509/x509cset.c @@ -63,6 +63,7 @@ #include #include #include +#include "internal/x509_int.h" int X509_CRL_set_version(X509_CRL *x, long version) { @@ -137,6 +138,40 @@ void X509_CRL_up_ref(X509_CRL *crl) CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509_CRL); } +long X509_CRL_get_version(X509_CRL *crl) +{ + return ASN1_INTEGER_get(crl->crl->version); +} + +ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl) +{ + return crl->crl->lastUpdate; +} + +ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl) +{ + return crl->crl->nextUpdate; +} + +X509_NAME *X509_CRL_get_issuer(X509_CRL *crl) +{ + return crl->crl->issuer; +} + +STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl) +{ + return crl->crl->revoked; +} + +void X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, + const X509_CRL *crl) +{ + if (psig) + *psig = crl->signature; + if (palg) + *palg = crl->sig_alg; +} + int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm) { ASN1_TIME *in; diff --git a/crypto/x509v3/v3_conf.c b/crypto/x509v3/v3_conf.c index 38f198ee8a..f1f8bb42d0 100644 --- a/crypto/x509v3/v3_conf.c +++ b/crypto/x509v3/v3_conf.c @@ -63,6 +63,7 @@ #include "internal/cryptlib.h" #include #include +#include "internal/x509_int.h" #include static int v3_check_critical(char **value); diff --git a/include/openssl/x509.h b/include/openssl/x509.h index d1ecb29162..708a695876 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -340,38 +340,7 @@ struct x509_revoked_st { DECLARE_STACK_OF(X509_REVOKED) -typedef struct X509_crl_info_st { - ASN1_INTEGER *version; - X509_ALGOR *sig_alg; - X509_NAME *issuer; - ASN1_TIME *lastUpdate; - ASN1_TIME *nextUpdate; - STACK_OF(X509_REVOKED) *revoked; - STACK_OF(X509_EXTENSION) /* [0] */ *extensions; - ASN1_ENCODING enc; -} X509_CRL_INFO; - -struct X509_crl_st { - /* actual signature */ - X509_CRL_INFO *crl; - X509_ALGOR *sig_alg; - ASN1_BIT_STRING *signature; - int references; - int flags; - /* Copies of various extensions */ - AUTHORITY_KEYID *akid; - ISSUING_DIST_POINT *idp; - /* Convenient breakdown of IDP */ - int idp_flags; - int idp_reasons; - /* CRL and base CRL numbers for delta processing */ - ASN1_INTEGER *crl_number; - ASN1_INTEGER *base_crl_number; - unsigned char sha1_hash[SHA_DIGEST_LENGTH]; - STACK_OF(GENERAL_NAMES) *issuers; - const X509_CRL_METHOD *meth; - void *meth_data; -} /* X509_CRL */ ; +typedef struct X509_crl_info_st X509_CRL_INFO; DECLARE_STACK_OF(X509_CRL) @@ -494,12 +463,6 @@ extern "C" { # define X509_name_cmp(a,b) X509_NAME_cmp((a),(b)) # define X509_get_signature_type(x) EVP_PKEY_type(OBJ_obj2nid((x)->sig_alg->algorithm)) -# define X509_CRL_get_version(x) ASN1_INTEGER_get((x)->crl->version) -# define X509_CRL_get_lastUpdate(x) ((x)->crl->lastUpdate) -# define X509_CRL_get_nextUpdate(x) ((x)->crl->nextUpdate) -# define X509_CRL_get_issuer(x) ((x)->crl->issuer) -# define X509_CRL_get_REVOKED(x) ((x)->crl->revoked) - void X509_CRL_set_default_method(const X509_CRL_METHOD *meth); X509_CRL_METHOD *X509_CRL_METHOD_new(int (*crl_init) (X509_CRL *crl), int (*crl_free) (X509_CRL *crl), @@ -834,6 +797,14 @@ int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm); int X509_CRL_sort(X509_CRL *crl); void X509_CRL_up_ref(X509_CRL *crl); +long X509_CRL_get_version(X509_CRL *crl); +ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl); +ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl); +X509_NAME *X509_CRL_get_issuer(X509_CRL *crl); +STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl); +void X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, + const X509_CRL *crl); + int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial); int X509_REVOKED_set_revocationDate(X509_REVOKED *r, ASN1_TIME *tm); -- 2.25.1