-rw-r--r-- | CHANGES | 16 | ||||
-rw-r--r-- | apps/x509.c | 94 | ||||
-rw-r--r-- | crypto/asn1/Makefile.ssl | 60 | ||||
-rw-r--r-- | crypto/asn1/a_mbstr.c | 2 | ||||
-rw-r--r-- | crypto/asn1/asn1.h | 17 | ||||
-rw-r--r-- | crypto/asn1/asn1_err.c | 2 | ||||
-rw-r--r-- | crypto/asn1/asn1_mac.h | 14 | ||||
-rw-r--r-- | crypto/asn1/t_bitst.c | 99 | ||||
-rw-r--r-- | crypto/asn1/t_x509.c | 1 | ||||
-rw-r--r-- | crypto/asn1/t_x509a.c | 138 | ||||
-rw-r--r-- | crypto/asn1/x_x509.c | 36 | ||||
-rw-r--r-- | crypto/asn1/x_x509a.c | 218 | ||||
-rw-r--r-- | crypto/dsa/dsa_ossl.c | 4 | ||||
-rw-r--r-- | crypto/pem/pem.h | 3 | ||||
-rw-r--r-- | crypto/pem/pem_all.c | 2 | ||||
-rw-r--r-- | crypto/pem/pem_lib.c | 54 | ||||
-rw-r--r-- | crypto/x509/x509.h | 43 | ||||
-rw-r--r-- | crypto/x509v3/v3_purp.c | 6 | ||||
-rw-r--r-- | crypto/x509v3/x509v3.h | 6 |
19 files changed, 779 insertions, 36 deletions
@@ -4,6 +4,22 @@ Changes between 0.9.4 and 0.9.5 [xx XXX 1999] + *) Extensive changes to support certificate auxiliary information. + This involves the use of X509_CERT_AUX structure and X509_AUX + functions. An X509_AUX function such as PEM_read_X509_AUX() + can still read in a certificate file in the usual way but it + will also read in any additional "auxiliary information". By + doing things this way a fair degree of compatability can be + retained: existing certificates can have this information added + using the new 'x509' options. + + Current auxiliary information includes an "alias" and some trust + settings. The trust settings will ultimately be used in enhanced + certificate chain verification routines: currently a certificate + can only be trusted if it is self signed and then it is trusted + for all purposes. + [Steve Henson] + *) Fix assembler for Alpha (tested only on DEC OSF not Linux or *BSD). The problem was that one of the replacement routines had not been working since SSLeay releases. For now the offending routine has been replaced with diff --git a/apps/x509.c b/apps/x509.c index d88eb56c04..a7f25f0b68 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -102,8 +102,14 @@ static char *x509_usage[]={ " -dates - both Before and After dates\n", " -modulus - print the RSA key modulus\n", " -fingerprint - print the certificate fingerprint\n", +" -alias - output certificate alias\n", " -noout - no certificate output\n", - +" -trustout - output a \"trusted\" certificate\n", +" -clrtrust - clear all trusted purposes\n", +" -clrnotrust - clear all untrusted purposes\n", +" -addtrust arg - mark certificate as trusted for a given purpose\n", +" -addnotrust arg - mark certificate as not trusted for a given purpose\n", +" -setalias arg - set certificate alias\n", " -days arg - How long till expiry of a signed certificate - def 30 days\n", " -signkey arg - self sign cert with arg\n", " -x509toreq - output a certification request object\n", 
@@ -146,11 +152,14 @@ int MAIN(int argc, char **argv) int i,num,badops=0; BIO *out=NULL; BIO *STDout=NULL; + STACK *trust = NULL, *notrust = NULL; int informat,outformat,keyformat,CAformat,CAkeyformat; char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL; char *CAkeyfile=NULL,*CAserial=NULL; + char *alias=NULL, *trstr=NULL; int text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0; int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0; + int trustout=0,clrtrust=0,clrnotrust=0,aliasout=0; int C=0; int x509req=0,days=DEF_DAYS,modulus=0; int pprint = 0; @@ -270,6 +279,44 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; CAserial= *(++argv); } + else if (strcmp(*argv,"-addtrust") == 0) + { + if (--argc < 1) goto bad; + trstr= *(++argv); + if(!X509_trust_set_bit_asc(NULL, trstr, 0)) { + BIO_printf(bio_err, + "Unknown trust value %s\n", trstr); + goto bad; + } + if(!trust) trust = sk_new_null(); + sk_push(trust, trstr); + trustout = 1; + } + else if (strcmp(*argv,"-addnotrust") == 0) + { + if (--argc < 1) goto bad; + trstr= *(++argv); + if(!X509_notrust_set_bit_asc(NULL, trstr, 0)) { + BIO_printf(bio_err, + "Unknown trust value %s\n", trstr); + goto bad; + } + if(!notrust) notrust = sk_new_null(); + sk_push(notrust, trstr); + trustout = 1; + } + else if (strcmp(*argv,"-setalias") == 0) + { + if (--argc < 1) goto bad; + alias= *(++argv); + trustout = 1; + } + else if (strcmp(*argv,"-setalias") == 0) + { + if (--argc < 1) goto bad; + alias= *(++argv); + trustout = 1; + } else if (strcmp(*argv,"-C") == 0) C= ++num; else if (strcmp(*argv,"-serial") == 0) 
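Review bot: The second `else if (strcmp(*argv,"-setalias") == 0)` block in this hunk is a byte-for-byte duplicate of the one immediately above it and can never be entered, since the first comparison already consumes the option; delete the repeated block. In the `-addtrust`/`-addnotrust` branches the results of `sk_new_null()` and `sk_push()` are not checked, so an allocation failure silently drops a trust setting the user asked for while `trustout` is still set to 1 and the certificate is written as if it had been applied; treat a NULL from `sk_new_null()` or a 0 from `sk_push()` as a fatal error rather than continuing. MAIN's body starts and ends outside the hunk.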
@@ -301,6 +348,14 @@ int MAIN(int argc, char **argv) enddate= ++num; else if (strcmp(*argv,"-noout") == 0) noout= ++num; + else if (strcmp(*argv,"-trustout") == 0) + trustout= 1; + else if (strcmp(*argv,"-clrtrust") == 0) + clrtrust= ++num; + else if (strcmp(*argv,"-clrnotrust") == 0) + clrnotrust= ++num; + else if (strcmp(*argv,"-alias") == 0) + aliasout= ++num; else if (strcmp(*argv,"-CAcreateserial") == 0) CA_createserial= ++num; else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL) @@ -494,6 +549,27 @@ bad: } } + if(alias) X509_alias_set(x, (unsigned char *)alias, -1); + + if(clrtrust) X509_trust_set_bit(x, -1, 0); + if(clrnotrust) X509_notrust_set_bit(x, -1, 0); + + if(trust) { + for(i = 0; i < sk_num(trust); i++) { + trstr = sk_value(trust, i); + X509_trust_set_bit_asc(x, trstr, 1); + } + sk_free(trust); + } + + if(notrust) { + for(i = 0; i < sk_num(notrust); i++) { + trstr = sk_value(notrust, i); + X509_notrust_set_bit_asc(x, trstr, 1); + } + sk_free(notrust); + } + if (num) { for (i=1; i<=num; i++) @@ -516,6 +592,13 @@ bad: i2a_ASN1_INTEGER(STDout,x->cert_info->serialNumber); BIO_printf(STDout,"\n"); } + else if (aliasout == i) + { + unsigned char *alstr; + alstr = X509_alias_get(x, NULL); + if(alstr) BIO_printf(STDout,"%s\n", alstr); + else BIO_puts(STDout,"<No Alias>\n"); + } else if (hash == i) { BIO_printf(STDout,"%08lx\n",X509_subject_name_hash(x)); @@ -726,9 +809,10 @@ bad: if (outformat == FORMAT_ASN1) i=i2d_X509_bio(out,x); - else if (outformat == FORMAT_PEM) - i=PEM_write_bio_X509(out,x); - else if (outformat == FORMAT_NETSCAPE) + else if (outformat == FORMAT_PEM) { + if(trustout) i=PEM_write_bio_X509_AUX(out,x); + else i=PEM_write_bio_X509(out,x); + } else if (outformat == FORMAT_NETSCAPE) { ASN1_HEADER ah; ASN1_OCTET_STRING os; 
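Review bot: In the block that applies `-setalias`/`-clrtrust`/`-addtrust`/`-addnotrust` to `x`, the return values of `X509_alias_set`, `X509_trust_set_bit`, `X509_notrust_set_bit`, `X509_trust_set_bit_asc` and `X509_notrust_set_bit_asc` are all discarded; each of them returns 0 when the aux structure or bit string cannot be allocated, so on failure the certificate is still emitted with `-trustout` but without the requested settings. Check every call and abort on failure, e.g. `if(alias && !X509_alias_set(x, (unsigned char *)alias, -1)) goto end;` (assuming MAIN's usual `end:` cleanup label, which is outside the hunk), and the same pattern inside the two `sk_value` loops. The enclosing function starts and ends outside this hunk.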
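Review bot: `-trustout` only affects PEM output: the `FORMAT_ASN1` branch directly above the changed lines still calls `i2d_X509_bio(out,x)`, so `-outform DER` together with `-trustout`, `-addtrust`, `-addnotrust` or `-setalias` silently discards the alias and trust settings that were just applied and the user is left with an unmarked certificate they believe is marked. Either emit DER through a writer built on `i2d_X509_AUX` when `trustout` is set, or refuse the combination with an explicit error. `load_cert` in the next hunk has the mirror asymmetry — only the PEM input path was switched to `PEM_read_bio_X509_AUX`, DER input never reads auxiliary data — and the two should be made consistent or the limitation stated in the usage text.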
@@ -1070,7 +1154,7 @@ static X509 *load_cert(char *file, int format) ah->data=NULL; } else if (format == FORMAT_PEM) - x=PEM_read_bio_X509(cert,NULL,NULL,NULL); + x=PEM_read_bio_X509_AUX(cert,NULL,NULL,NULL); else { BIO_printf(bio_err,"bad input format specified for input cert\n"); goto end; diff --git a/crypto/asn1/Makefile.ssl b/crypto/asn1/Makefile.ssl index f3f9056c54..ccdba3c33c 100644 --- a/crypto/asn1/Makefile.ssl +++ b/crypto/asn1/Makefile.ssl @@ -26,11 +26,11 @@ LIBSRC= a_object.c a_bitstr.c a_utctm.c a_gentm.c a_time.c a_int.c a_octet.c \ a_print.c a_type.c a_set.c a_dup.c a_d2i_fp.c a_i2d_fp.c a_bmp.c \ a_enum.c a_vis.c a_utf8.c a_sign.c a_digest.c a_verify.c a_mbstr.c \ x_algor.c x_val.c x_pubkey.c x_sig.c x_req.c x_attrib.c \ - x_name.c x_cinf.c x_x509.c x_crl.c x_info.c x_spki.c nsseq.c \ + x_name.c x_cinf.c x_x509.c x_x509a.c x_crl.c x_info.c x_spki.c nsseq.c \ d2i_r_pr.c i2d_r_pr.c d2i_r_pu.c i2d_r_pu.c \ d2i_s_pr.c i2d_s_pr.c d2i_s_pu.c i2d_s_pu.c \ d2i_pu.c d2i_pr.c i2d_pu.c i2d_pr.c\ - t_req.c t_x509.c t_crl.c t_pkey.c t_spki.c \ + t_req.c t_x509.c t_x509a.c t_crl.c t_pkey.c t_spki.c t_bitst.c \ p7_i_s.c p7_signi.c p7_signd.c p7_recip.c p7_enc_c.c p7_evp.c \ p7_dgst.c p7_s_e.c p7_enc.c p7_lib.c \ f_int.c f_string.c i2d_dhp.c i2d_dsap.c d2i_dhp.c d2i_dsap.c n_pkey.c \ 
@@ -41,11 +41,11 @@ LIBOBJ= a_object.o a_bitstr.o a_utctm.o a_gentm.o a_time.o a_int.o a_octet.o \ a_print.o a_type.o a_set.o a_dup.o a_d2i_fp.o a_i2d_fp.o a_bmp.o \ a_enum.o a_vis.o a_utf8.o a_sign.o a_digest.o a_verify.o a_mbstr.o \ x_algor.o x_val.o x_pubkey.o x_sig.o x_req.o x_attrib.o \ - x_name.o x_cinf.o x_x509.o x_crl.o x_info.o x_spki.o nsseq.o \ + x_name.o x_cinf.o x_x509.o x_x509a.o x_crl.o x_info.o x_spki.o nsseq.o \ d2i_r_pr.o i2d_r_pr.o d2i_r_pu.o i2d_r_pu.o \ d2i_s_pr.o i2d_s_pr.o d2i_s_pu.o i2d_s_pu.o \ d2i_pu.o d2i_pr.o i2d_pu.o i2d_pr.o \ - t_req.o t_x509.o t_crl.o t_pkey.o t_spki.o \ + t_req.o t_x509.o t_x509a.o t_crl.o t_pkey.o t_spki.o t_bitst.o \ p7_i_s.o p7_signi.o p7_signd.o p7_recip.o p7_enc_c.o p7_evp.o \ p7_dgst.o p7_s_e.o p7_enc.o p7_lib.o \ f_int.o f_string.o i2d_dhp.o i2d_dsap.o d2i_dhp.o d2i_dsap.o n_pkey.o \ 
@@ -804,6 +804,24 @@ p8_pkey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
 p8_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 p8_pkey.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
 p8_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+t_bitst.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+t_bitst.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+t_bitst.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+t_bitst.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+t_bitst.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+t_bitst.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+t_bitst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+t_bitst.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+t_bitst.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+t_bitst.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+t_bitst.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+t_bitst.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+t_bitst.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+t_bitst.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+t_bitst.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+t_bitst.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+t_bitst.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+t_bitst.o: ../../include/openssl/x509v3.h ../cryptlib.h
 t_crl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 t_crl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 t_crl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -882,6 +900,23 @@ t_x509.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 t_x509.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 t_x509.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 t_x509.o: ../../include/openssl/x509v3.h ../cryptlib.h
+t_x509a.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+t_x509a.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+t_x509a.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+t_x509a.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+t_x509a.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+t_x509a.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+t_x509a.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+t_x509a.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+t_x509a.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+t_x509a.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+t_x509a.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+t_x509a.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+t_x509a.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+t_x509a.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+t_x509a.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+t_x509a.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+t_x509a.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
 x_algor.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
 x_algor.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
 x_algor.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
@@ -1122,3 +1157,20 @@ x_x509.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h x_x509.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x_x509.o: ../../include/openssl/stack.h ../../include/openssl/x509.h x_x509.o: ../../include/openssl/x509_vfy.h ../cryptlib.h +x_x509a.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h +x_x509a.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h +x_x509a.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h +x_x509a.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h +x_x509a.o: ../../include/openssl/des.h ../../include/openssl/dh.h +x_x509a.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h +x_x509a.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h +x_x509a.o: ../../include/openssl/evp.h ../../include/openssl/idea.h +x_x509a.o: ../../include/openssl/md2.h ../../include/openssl/md5.h +x_x509a.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h +x_x509a.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +x_x509a.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h +x_x509a.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h +x_x509a.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h +x_x509a.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h +x_x509a.o: ../../include/openssl/stack.h ../../include/openssl/x509.h +x_x509a.o: ../../include/openssl/x509_vfy.h ../cryptlib.h diff --git a/crypto/asn1/a_mbstr.c b/crypto/asn1/a_mbstr.c index 9e7c7c39e5..bc9cb14248 100644 --- a/crypto/asn1/a_mbstr.c +++ b/crypto/asn1/a_mbstr.c @@ -144,7 +144,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, ASN1_STRING *dest; unsigned char *p; int nchar; - unsigned char strbuf[32]; + char strbuf[32]; int (*cpyfunc)(unsigned long,void *) = NULL; if(len == -1) len = strlen((const char *)in); if(!mask) mask = dirstring_mask; 
diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h index 8c42101d55..7fb9d23821 100644 --- a/crypto/asn1/asn1.h +++ b/crypto/asn1/asn1.h @@ -311,6 +311,14 @@ typedef struct asn1_header_st ASN1_METHOD *meth; } ASN1_HEADER; +/* This is used to contain a list of bit names */ +typedef struct BIT_STRING_BITNAME_st { + int bitnum; + const char *lname; + const char *sname; +} BIT_STRING_BITNAME; + + #define M_ASN1_STRING_length(x) ((x)->length) #define M_ASN1_STRING_length_set(x, n) ((x)->length = (n)) #define M_ASN1_STRING_type(x) ((x)->type) @@ -531,6 +539,13 @@ int ASN1_BIT_STRING_set(ASN1_BIT_STRING *a, unsigned char *d, int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value); int ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING *a, int n); +#ifdef HEADER_BIO_H +int ASN1_BIT_STRING_name_print(BIO *out, ASN1_BIT_STRING *bs, + BIT_STRING_BITNAME *tbl, int indent); +#endif +int ASN1_BIT_STRING_num_asc(char *name, BIT_STRING_BITNAME *tbl); +int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value, + BIT_STRING_BITNAME *tbl); int i2d_ASN1_BOOLEAN(int a,unsigned char **pp); int d2i_ASN1_BOOLEAN(int *a,unsigned char **pp,long length); @@ -870,6 +885,7 @@ void ASN1_STRING_TABLE_cleanup(void); #define ASN1_F_D2I_X509 159 #define ASN1_F_D2I_X509_ALGOR 160 #define ASN1_F_D2I_X509_ATTRIBUTE 161 +#define ASN1_F_D2I_X509_CERT_AUX 285 #define ASN1_F_D2I_X509_CINF 162 #define ASN1_F_D2I_X509_CRL 163 #define ASN1_F_D2I_X509_CRL_INFO 164 @@ -933,6 +949,7 @@ void ASN1_STRING_TABLE_cleanup(void); #define ASN1_F_USERNOTICE_NEW 275 #define ASN1_F_X509_ALGOR_NEW 202 #define ASN1_F_X509_ATTRIBUTE_NEW 203 +#define ASN1_F_X509_CERT_AUX_NEW 286 #define ASN1_F_X509_CINF_NEW 204 #define ASN1_F_X509_CRL_INFO_NEW 205 #define ASN1_F_X509_CRL_NEW 206 diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c index 3b1fb7b25b..a577dafb89 100644 --- a/crypto/asn1/asn1_err.c +++ b/crypto/asn1/asn1_err.c 
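Review bot: The new prototypes `ASN1_BIT_STRING_num_asc(char *name, BIT_STRING_BITNAME *tbl)` and `ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value, BIT_STRING_BITNAME *tbl)` take a non-const `char *` for a lookup key that the implementation in t_bitst.c only passes to strcmp; declaring it `const char *name` (and `const BIT_STRING_BITNAME *tbl`, since the table is read-only) documents that contract and lets callers pass string literals without a cast. The `BIT_STRING_BITNAME` struct added earlier in this file would benefit from a one-line comment per field — `bitnum` is the bit index, `lname` the long display name, `sname` the short name accepted on the command line — and a note that the table is terminated by an entry whose `lname` is NULL, since that is the sentinel t_bitst.c relies on.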
@@ -169,6 +169,7 @@ static ERR_STRING_DATA ASN1_str_functs[]= {ERR_PACK(0,ASN1_F_D2I_X509,0), "d2i_X509"}, {ERR_PACK(0,ASN1_F_D2I_X509_ALGOR,0), "d2i_X509_ALGOR"}, {ERR_PACK(0,ASN1_F_D2I_X509_ATTRIBUTE,0), "d2i_X509_ATTRIBUTE"}, +{ERR_PACK(0,ASN1_F_D2I_X509_CERT_AUX,0), "d2i_X509_CERT_AUX"}, {ERR_PACK(0,ASN1_F_D2I_X509_CINF,0), "d2i_X509_CINF"}, {ERR_PACK(0,ASN1_F_D2I_X509_CRL,0), "d2i_X509_CRL"}, {ERR_PACK(0,ASN1_F_D2I_X509_CRL_INFO,0), "d2i_X509_CRL_INFO"}, @@ -232,6 +233,7 @@ static ERR_STRING_DATA ASN1_str_functs[]= {ERR_PACK(0,ASN1_F_USERNOTICE_NEW,0), "USERNOTICE_new"}, {ERR_PACK(0,ASN1_F_X509_ALGOR_NEW,0), "X509_ALGOR_new"}, {ERR_PACK(0,ASN1_F_X509_ATTRIBUTE_NEW,0), "X509_ATTRIBUTE_new"}, +{ERR_PACK(0,ASN1_F_X509_CERT_AUX_NEW,0), "X509_CERT_AUX_new"}, {ERR_PACK(0,ASN1_F_X509_CINF_NEW,0), "X509_CINF_new"}, {ERR_PACK(0,ASN1_F_X509_CRL_INFO_NEW,0), "X509_CRL_INFO_new"}, {ERR_PACK(0,ASN1_F_X509_CRL_NEW,0), "X509_CRL_new"}, diff --git a/crypto/asn1/asn1_mac.h b/crypto/asn1/asn1_mac.h index 93f9c5193c..a9026d7cd4 100644 --- a/crypto/asn1/asn1_mac.h +++ b/crypto/asn1/asn1_mac.h @@ -106,6 +106,20 @@ err:\ #define M_ASN1_D2I_start_sequence() \ if (!asn1_GetSequence(&c,&length)) \ { c.line=__LINE__; goto err; } +/* Begin reading ASN1 without a surrounding sequence */ +#define M_ASN1_D2I_begin() \ + c.slen = length; + +/* End reading ASN1 with no check on length */ +#define M_ASN1_D2I_Finish_nolen() \ + *pp=c.p; \ + if (a != NULL) (*a)=ret; \ + return(ret); \ +err:\ + ASN1_MAC_H_err((e),c.error,c.line); \ + asn1_add_error(*pp,(int)(c.q- *pp)); \ + if ((ret != NULL) && ((a == NULL) || (*a != ret))) func(ret); \ + return(NULL) #define M_ASN1_D2I_end_sequence() \ (((c.inf&1) == 0)?(c.slen <= 0): \ diff --git a/crypto/asn1/t_bitst.c b/crypto/asn1/t_bitst.c new file mode 100644 index 0000000000..8ee789f082 --- /dev/null +++ b/crypto/asn1/t_bitst.c 
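Review bot: `M_ASN1_D2I_begin()` expands to `c.slen = length;` with the semicolon baked in, so the natural invocation `M_ASN1_D2I_begin();` produces an empty statement; `M_ASN1_D2I_Finish_nolen` in the same hunk ends with `return(NULL)` and leaves the terminator to the caller, so `#define M_ASN1_D2I_begin() c.slen = length` would be consistent. `M_ASN1_D2I_Finish_nolen` also repeats the whole `err:` tail (`ASN1_MAC_H_err`, `asn1_add_error`, the conditional `func(ret)`) that presumably already lives in `M_ASN1_D2I_Finish`, and neither new macro has a caller anywhere in this diff. A comment stating who is expected to use them and why the length check is being bypassed would help, because skipping that check means trailing bytes after the decoded object are accepted without complaint.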
@@ -0,0 +1,99 @@ +/* t_bitst.c */ +/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL + * project 1999. + */ +/* ==================================================================== + * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#include <stdio.h> +#include "cryptlib.h" +#include <openssl/conf.h> +#include <openssl/x509v3.h> + +int ASN1_BIT_STRING_name_print(BIO *out, ASN1_BIT_STRING *bs, + BIT_STRING_BITNAME *tbl, int indent) +{ + BIT_STRING_BITNAME *bnam; + char first = 1; + BIO_printf(out, "%*s", indent, ""); + for(bnam = tbl; bnam->lname; bnam++) { + if(ASN1_BIT_STRING_get_bit(bs, bnam->bitnum)) { + if(!first) BIO_puts(out, ", "); + BIO_puts(out, bnam->lname); + first = 0; + } + } + BIO_puts(out, "\n"); + return 1; +} + +int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value, + BIT_STRING_BITNAME *tbl) +{ + int bitnum; + bitnum = ASN1_BIT_STRING_num_asc(name, tbl); + if(bitnum < 0) return 0; + if(bs) ASN1_BIT_STRING_set_bit(bs, bitnum, value); + return 1; +} + +int ASN1_BIT_STRING_num_asc(char *name, BIT_STRING_BITNAME *tbl) +{ + BIT_STRING_BITNAME *bnam; + for(bnam = tbl; bnam->lname; bnam++) { + if(!strcmp(bnam->sname, name) || + !strcmp(bnam->lname, name) ) return bnam->bitnum; + } + return -1; +} diff --git a/crypto/asn1/t_x509.c b/crypto/asn1/t_x509.c index 0e2727e470..bf6a797d68 100644 --- a/crypto/asn1/t_x509.c +++ b/crypto/asn1/t_x509.c 
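Review bot: `ASN1_BIT_STRING_name_print` returns 1 unconditionally and ignores every `BIO_printf`/`BIO_puts` result, so a write failure on `out` is invisible to callers even though the int return exists for exactly that; checking each write (`if (BIO_puts(out, bnam->lname) <= 0) return 0;`) would match the `<= 0 goto err` pattern X509_print uses. `ASN1_BIT_STRING_num_asc` stops on `bnam->lname == NULL` but evaluates `strcmp(bnam->sname, name)` first, so a table entry with a NULL `sname` would hand NULL to strcmp; the visible `tbits` table fills both names, but either swap the comparison order or state in a comment that every non-terminal entry must have both. The `name` parameters are only read and could be `const char *`.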
@@ -219,6 +219,7 @@ int X509_print(BIO *bp, X509 *x) ((i+1) == n)?"":":") <= 0) goto err; } if (BIO_write(bp,"\n",1) != 1) goto err; + if (!X509_CERT_AUX_print(bp, x->aux, 0)) goto err; ret=1; err: if (str != NULL) ASN1_STRING_free(str); diff --git a/crypto/asn1/t_x509a.c b/crypto/asn1/t_x509a.c new file mode 100644 index 0000000000..26d03f5f9b --- /dev/null +++ b/crypto/asn1/t_x509a.c 
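Review bot: The added `if (!X509_CERT_AUX_print(bp, x->aux, 0)) goto err;` can never take the error branch, because `X509_CERT_AUX_print` (t_x509a.c in this diff) returns 1 on every path, including when its own `BIO_printf`/`BIO_puts` calls fail; either propagate the BIO results from that function or do not write the call as if it could fail. A short comment here would also help readers of the output: the trust and alias block only appears when the certificate carries auxiliary data, i.e. it was read through the `_AUX` routines or modified with the `X509_*_set` helpers, and is absent for a certificate loaded with plain `d2i_X509`. X509_print's body starts outside the hunk.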
@@ -0,0 +1,138 @@ +/* t_x509a.c */ +/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL + * project 1999. + */ +/* ==================================================================== + * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#include <stdio.h> +#include "cryptlib.h" +#include <openssl/evp.h> +#include <openssl/asn1_mac.h> +#include <openssl/x509.h> + +/* X509_CERT_AUX and string set routines + */ + +static BIT_STRING_BITNAME tbits[] = { +{X509_TRUST_ALL, "All Purposes", "all"}, +{X509_TRUST_SSL_CLIENT, "SSL client", "sslclient"}, +{X509_TRUST_SSL_SERVER, "SSL server", "sslserver"}, +{X509_TRUST_EMAIL, "S/MIME email", "email"}, +{X509_TRUST_OBJECT_SIGN, "Object Signing", "objsign"}, +{-1, NULL, NULL} +}; + +int X509_trust_set_bit_asc(X509 *x, char *str, int value) +{ + int bitnum; + bitnum = ASN1_BIT_STRING_num_asc(str, tbits); + if(bitnum < 0) return 0; + if(x) return X509_trust_set_bit(x, bitnum, value); + return 1; +} + +int X509_notrust_set_bit_asc(X509 *x, char *str, int value) +{ + int bitnum; + bitnum = ASN1_BIT_STRING_num_asc(str, tbits); + if(bitnum < 0) return 0; + if(x) return X509_notrust_set_bit(x, bitnum, value); + return 1; +} + + +int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent) +{ + char oidstr[80], first; + int i; + if(!aux) return 1; + if(aux->trust) { + BIO_printf(out, "%*sTrusted for:\n", indent, ""); + ASN1_BIT_STRING_name_print(out, aux->trust, 
tbits, indent + 2); + } else BIO_printf(out, "%*sNo Trust Settings\n", indent + 2, ""); + if(aux->notrust) { + BIO_printf(out, "%*sUntrusted for:\n", indent, ""); + ASN1_BIT_STRING_name_print(out, aux->notrust, tbits, indent + 2); + } else BIO_printf(out, "%*sNo Untrusted Settings\n", indent + 2, ""); + if(aux->othertrust) { + first = 1; + BIO_printf(out, "%*sOther Trusted Uses:\n%*s", + indent, "", indent + 2, ""); + for(i = 0; i < sk_ASN1_OBJECT_num(aux->othertrust); i++) { + if(!first) BIO_puts(out, ", "); + else first = 0; + OBJ_obj2txt(oidstr, 80, + sk_ASN1_OBJECT_value(aux->othertrust, i), 0); + BIO_puts(out, oidstr); + } + BIO_puts(out, "\n"); + } + if(aux->othernotrust) { + first = 1; + BIO_printf(out, "%*sOther Untrusted Uses:\n%*s", + indent, "", indent + 2, ""); + for(i = 0; i < sk_ASN1_OBJECT_num(aux->othernotrust); i++) { + if(!first) BIO_puts(out, ", "); + else first = 0; + OBJ_obj2txt(oidstr, 80, + sk_ASN1_OBJECT_value(aux->othernotrust, i), 0); + BIO_puts(out, oidstr); + } + BIO_puts(out, "\n"); + } + if(aux->alias) BIO_printf(out, "%*sAlias: %s\n", indent, "", + aux->alias->data); + return 1; +} diff --git a/crypto/asn1/x_x509.c b/crypto/asn1/x_x509.c index 3352c61c60..ee3213045e 100644 --- a/crypto/asn1/x_x509.c +++ b/crypto/asn1/x_x509.c @@ -118,6 +118,7 @@ X509 *X509_new(void) ret->valid=0; ret->ex_flags = 0; ret->name=NULL; + ret->aux=NULL; M_ASN1_New(ret->cert_info,X509_CINF_new); M_ASN1_New(ret->sig_alg,X509_ALGOR_new); M_ASN1_New(ret->signature,M_ASN1_BIT_STRING_new); @@ -149,6 +150,7 @@ void X509_free(X509 *a) X509_CINF_free(a->cert_info); X509_ALGOR_free(a->sig_alg); M_ASN1_BIT_STRING_free(a->signature); + X509_CERT_AUX_free(a->aux); if (a->name != NULL) Free(a->name); Free((char *)a); 
@@ -172,3 +174,37 @@ char *X509_get_ex_data(X509 *r, int idx) return(CRYPTO_get_ex_data(&r->ex_data,idx)); } +/* X509_AUX ASN1 routines. X509_AUX is the name given to + * a certificate with extra info tagged on the end. Since these + * functions set how a certificate is trusted they should only + * be used when the certificate comes from a reliable source + * such as local storage. + * + */ + +X509 *d2i_X509_AUX(X509 **a, unsigned char **pp, long length) +{ + unsigned char *q; + X509 *ret; + /* Save start position */ + q = *pp; + ret = d2i_X509(a, pp, length); + /* If certificate unreadable then forget it */ + if(!ret) return NULL; + /* update length */ + length -= *pp - q; + if(!length) return ret; + if(!d2i_X509_CERT_AUX(&ret->aux, pp, length)) goto err; + return ret; + err: + X509_free(ret); + return NULL; +} + +int i2d_X509_AUX(X509 *a, unsigned char **pp) +{ + int length; + length = i2d_X509(a, pp); + if(a) length += i2d_X509_CERT_AUX(a->aux, pp); + return length; +} diff --git a/crypto/asn1/x_x509a.c b/crypto/asn1/x_x509a.c new file mode 100644 index 0000000000..4b1f448d84 --- /dev/null +++ b/crypto/asn1/x_x509a.c 
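Review bot: The `err:` path of `d2i_X509_AUX` calls `X509_free(ret)` unconditionally, but when the caller passes `a` with `*a` non-NULL, `d2i_X509` reuses that object as `ret`, so the free leaves `*a` dangling and sets up a double free when the caller cleans up; the `M_ASN1_D2I_Finish` macro in this same diff only frees when `(a == NULL) || (*a != ret)`. Either adopt that condition or clear the caller's pointer first: `if (a != NULL && *a == ret) *a = NULL;` ahead of `X509_free(ret);`. The header comment's point that these routines must only be used on certificates from a reliable source is the key security property and should be repeated on the `PEM_read_*_X509_AUX` declarations where callers will actually look; the comment should also say that `d2i_X509_AUX` treats every byte after the certificate as auxiliary data and rejects the whole certificate when that tail does not parse, which is a behavioural difference from `d2i_X509`.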
@@ -0,0 +1,218 @@ +/* a_x509a.c */ +/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL + * project 1999. + */ +/* ==================================================================== + * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+/* X509_CERT_AUX routines. These are used to encode additional
+ * user modifiable data about a certificate. This data is
+ * appended to the X509 encoding when the *_X509_AUX routines
+ * are used. This means that the "traditional" X509 routines
+ * will simply ignore the extra data.
+ */
+
+static X509_CERT_AUX *aux_get(X509 *x);
+
+X509_CERT_AUX *d2i_X509_CERT_AUX(X509_CERT_AUX **a, unsigned char **pp, long length)
+{
+ M_ASN1_D2I_vars(a, X509_CERT_AUX *, X509_CERT_AUX_new);
+
+ M_ASN1_D2I_Init();
+ M_ASN1_D2I_start_sequence();
+
+ M_ASN1_D2I_get_opt(ret->trust, d2i_ASN1_BIT_STRING,
+ V_ASN1_BIT_STRING);
+ M_ASN1_D2I_get_IMP_opt(ret->notrust, d2i_ASN1_BIT_STRING,0,
+ V_ASN1_BIT_STRING);
+
+ M_ASN1_D2I_get_seq_opt_type(ASN1_OBJECT, ret->othertrust,
+ d2i_ASN1_OBJECT, ASN1_OBJECT_free);
+ M_ASN1_D2I_get_IMP_set_opt_type(ASN1_OBJECT, ret->othernotrust,
+ d2i_ASN1_OBJECT, ASN1_OBJECT_free, 1);
+ M_ASN1_D2I_get_opt(ret->alias, d2i_ASN1_UTF8STRING, V_ASN1_UTF8STRING);
+ M_ASN1_D2I_get_opt(ret->other, d2i_ASN1_TYPE, V_ASN1_SEQUENCE);
+
+ M_ASN1_D2I_Finish(a, X509_CERT_AUX_free, ASN1_F_D2I_X509_CERT_AUX);
+}
+
+X509_CERT_AUX *X509_CERT_AUX_new()
+{
+ X509_CERT_AUX *ret = NULL;
+ ASN1_CTX c;
+ M_ASN1_New_Malloc(ret, X509_CERT_AUX);
+ ret->trust = NULL;
+ ret->notrust = NULL;
+ ret->othertrust = NULL;
+ ret->othernotrust = NULL;
+ ret->alias = NULL;
+ ret->other = NULL;
+ return(ret);
+ M_ASN1_New_Error(ASN1_F_X509_CERT_AUX_NEW);
+}
+
+void X509_CERT_AUX_free(X509_CERT_AUX *a)
+{
+ if(a == NULL) return;
+ ASN1_BIT_STRING_free(a->trust);
+ ASN1_BIT_STRING_free(a->notrust);
+ sk_ASN1_OBJECT_pop_free(a->othertrust, ASN1_OBJECT_free);
+ sk_ASN1_OBJECT_pop_free(a->othernotrust, ASN1_OBJECT_free);
+ ASN1_UTF8STRING_free(a->alias);
+ ASN1_TYPE_free(a->other);
+}
+
+int i2d_X509_CERT_AUX(X509_CERT_AUX *a, unsigned char **pp)
+{
+ M_ASN1_I2D_vars(a);
+
+ M_ASN1_I2D_len(a->trust, i2d_ASN1_BIT_STRING);
+ M_ASN1_I2D_len_IMP_opt(a->notrust, i2d_ASN1_BIT_STRING);
+
+ M_ASN1_I2D_len_SEQUENCE_opt_type(ASN1_OBJECT, a->othertrust, i2d_ASN1_OBJECT);
+ M_ASN1_I2D_len_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->othernotrust, i2d_ASN1_OBJECT, 1);
+
+ M_ASN1_I2D_len(a->alias, i2d_ASN1_UTF8STRING);
+ M_ASN1_I2D_len(a->other, i2d_ASN1_TYPE);
+
+ M_ASN1_I2D_seq_total();
+
+ M_ASN1_I2D_put(a->trust, i2d_ASN1_BIT_STRING);
+ M_ASN1_I2D_put_IMP_opt(a->notrust, i2d_ASN1_BIT_STRING, 0);
+
+ M_ASN1_I2D_put_SEQUENCE_opt_type(ASN1_OBJECT, a->othertrust, i2d_ASN1_OBJECT);
+ M_ASN1_I2D_put_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->othernotrust, i2d_ASN1_OBJECT, 1);
+
+ M_ASN1_I2D_put(a->alias, i2d_ASN1_UTF8STRING);
+ M_ASN1_I2D_put(a->other, i2d_ASN1_TYPE);
+
+ M_ASN1_I2D_finish();
+}
+
+static X509_CERT_AUX *aux_get(X509 *x)
+{
+ if(!x) return NULL;
+ if(!x->aux && !(x->aux = X509_CERT_AUX_new())) return NULL;
+ return x->aux;
+}
+
+int X509_alias_set(X509 *x, unsigned char *name, int len)
+{
+ X509_CERT_AUX *aux;
+ if(!(aux = aux_get(x))) return 0;
+ if(!aux->alias && !(aux->alias = ASN1_UTF8STRING_new())) return 0;
+ return ASN1_STRING_set(aux->alias, name, len);
+}
+
+unsigned char *X509_alias_get(X509 *x, int *len)
+{
+ if(!x->aux || !x->aux->alias) return NULL;
+ if(len) *len = x->aux->alias->length;
+ return x->aux->alias->data;
+}
+
+int X509_trust_set_bit(X509 *x, int bit, int value)
+{
+ X509_CERT_AUX *aux;
+ if(bit == -1) {
+ if(x->aux && x->aux->trust) {
+ ASN1_BIT_STRING_free(x->aux->trust);
+ x->aux->trust = NULL;
+ }
+ return 1;
+ }
+ if(!(aux = aux_get(x))) return 0;
+ if(!aux->trust && !(aux->trust = ASN1_BIT_STRING_new())) return 0;
+ return ASN1_BIT_STRING_set_bit(aux->trust, bit, value);
+}
+
+int X509_notrust_set_bit(X509 *x, int bit, int value)
+{
+ X509_CERT_AUX *aux;
+ if(bit == -1) {
+ if(x->aux && x->aux->notrust) {
+ ASN1_BIT_STRING_free(x->aux->notrust);
+ x->aux->notrust = NULL;
+ }
+ return 1;
+ }
+ if(!(aux = aux_get(x))) return 0;
+ if(!aux->notrust && !(aux->notrust = ASN1_BIT_STRING_new())) return 0;
+ return ASN1_BIT_STRING_set_bit(aux->notrust, bit, value);
+}
+
+int X509_add_trust_object(X509 *x, ASN1_OBJECT *obj)
+{
+ X509_CERT_AUX *aux;
+ if(!(aux = aux_get(x))) return 0;
+ if(!aux->othertrust
+ && !(aux->othertrust = sk_ASN1_OBJECT_new_null())) return 0;
+ return sk_ASN1_OBJECT_push(aux->othertrust, obj);
+}
+
+int X509_add_notrust_object(X509 *x, ASN1_OBJECT *obj) +{ + X509_CERT_AUX *aux; + if(!(aux = aux_get(x))) return 0; + if(!aux->othernotrust + && !(aux->othernotrust = sk_ASN1_OBJECT_new_null())) return 0; + return sk_ASN1_OBJECT_push(aux->othernotrust, obj); +} + diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index 74a84b6e04..b51cf6ad8d 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -66,7 +66,7 @@ #include <openssl/asn1.h> static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); -int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp); +static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp); static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa); static int dsa_init(DSA *dsa); @@ -161,7 +161,7 @@ err: return(ret); } -int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) +static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) { BN_CTX *ctx; BIGNUM k,*kinv=NULL,*r=NULL; diff --git a/crypto/pem/pem.h b/crypto/pem/pem.h index 1b0c8a0aa5..ce2c1a3596 100644 --- a/crypto/pem/pem.h +++ b/crypto/pem/pem.h @@ -103,6 +103,7 @@ extern "C" { #define PEM_STRING_X509_OLD "X509 CERTIFICATE" #define PEM_STRING_X509 "CERTIFICATE" +#define PEM_STRING_X509_TRUSTED "TRUSTED CERTIFICATE" #define PEM_STRING_X509_REQ_OLD "NEW CERTIFICATE REQUEST" #define PEM_STRING_X509_REQ "CERTIFICATE REQUEST" #define PEM_STRING_X509_CRL "X509 CRL" @@ -529,6 +530,8 @@ void PEM_dek_info(char *buf, const char *type, int len, char *str); DECLARE_PEM_rw(X509, X509) +DECLARE_PEM_rw(X509_AUX, X509) + DECLARE_PEM_rw(X509_REQ, X509_REQ) DECLARE_PEM_rw(X509_CRL, X509_CRL) diff --git a/crypto/pem/pem_all.c b/crypto/pem/pem_all.c index b5857e0ebc..80f4037262 100644 --- a/crypto/pem/pem_all.c +++ b/crypto/pem/pem_all.c 
@@ -67,6 +67,8 @@ IMPLEMENT_PEM_rw(X509, X509, PEM_STRING_X509, X509) +IMPLEMENT_PEM_rw(X509_AUX, X509, PEM_STRING_X509_TRUSTED, X509_AUX) + IMPLEMENT_PEM_rw(X509_REQ, X509_REQ, PEM_STRING_X509_REQ, X509_REQ) IMPLEMENT_PEM_rw(X509_CRL, X509_CRL, PEM_STRING_X509_CRL, X509_CRL) diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c index 3c86a23fc7..a4ea21205c 100644 --- a/crypto/pem/pem_lib.c +++ b/crypto/pem/pem_lib.c @@ -75,6 +75,7 @@ const char *PEM_version="PEM" OPENSSL_VERSION_PTEXT; static int def_callback(char *buf, int num, int w, void *userdata); static int load_iv(unsigned char **fromp,unsigned char *to, int num); +static int check_pem(const char *nm, const char *name); static int def_callback(char *buf, int num, int w, void *userdata) { @@ -168,6 +169,43 @@ char *PEM_ASN1_read(char *(*d2i)(), const char *name, FILE *fp, char **x, } #endif +static int check_pem(const char *nm, const char *name) +{ + /* Normal matching nm and name */ + if (!strcmp(nm,name)) return 1; + + /* Make PEM_STRING_EVP_PKEY match any private key */ + + if(!strcmp(nm,PEM_STRING_PKCS8) && + !strcmp(name,PEM_STRING_EVP_PKEY)) return 1; + + if(!strcmp(nm,PEM_STRING_PKCS8INF) && + !strcmp(name,PEM_STRING_EVP_PKEY)) return 1; + + if(!strcmp(nm,PEM_STRING_RSA) && + !strcmp(name,PEM_STRING_EVP_PKEY)) return 1; + + if(!strcmp(nm,PEM_STRING_DSA) && + !strcmp(name,PEM_STRING_EVP_PKEY)) return 1; + + /* Permit older strings */ + + if(!strcmp(nm,PEM_STRING_X509_OLD) && + !strcmp(name,PEM_STRING_X509)) return 1; + + if(!strcmp(nm,PEM_STRING_X509_REQ_OLD) && + !strcmp(name,PEM_STRING_X509_REQ)) return 1; + + /* Allow normal certs to be read as trusted certs */ + if(!strcmp(nm,PEM_STRING_X509) && + !strcmp(name,PEM_STRING_X509_TRUSTED)) return 1; + + if(!strcmp(nm,PEM_STRING_X509_OLD) && + !strcmp(name,PEM_STRING_X509_TRUSTED)) return 1; + + return 0; +} + char *PEM_ASN1_read_bio(char *(*d2i)(), const char *name, BIO *bp, char **x, pem_password_cb *cb, void *u) { 
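Review bot: The eight `strcmp` pairs in `check_pem` spell out an alias table by hand under three separate comments, so adding or auditing a mapping means reading all of them; a static table of accepted `(nm, name)` pairs with one loop keeps every alias on its own line and leaves the matching semantics unchanged. The last two pairs are the ones that deserve a comment, because they accept a plain `CERTIFICATE` (or the old label) when `TRUSTED CERTIFICATE` was requested: a caller of the X509_AUX reader therefore also receives certificates that carry no trust trailer, presumably with empty aux info, and must inspect the decoded trust data rather than rely on the PEM label. The rewrite below carries that as the table's header comment.
```c
static int check_pem(const char *nm, const char *name)
{
	/* (label found, label requested) pairs accepted besides an exact match.
	 * A plain CERTIFICATE satisfies a request for TRUSTED CERTIFICATE, so a
	 * caller that needs explicit trust data must check the decoded aux info. */
	static const struct { const char *nm; const char *name; } aliases[] = {
		{ PEM_STRING_PKCS8,        PEM_STRING_EVP_PKEY },
		{ PEM_STRING_PKCS8INF,     PEM_STRING_EVP_PKEY },
		{ PEM_STRING_RSA,          PEM_STRING_EVP_PKEY },
		{ PEM_STRING_DSA,          PEM_STRING_EVP_PKEY },
		{ PEM_STRING_X509_OLD,     PEM_STRING_X509 },
		{ PEM_STRING_X509_REQ_OLD, PEM_STRING_X509_REQ },
		{ PEM_STRING_X509,         PEM_STRING_X509_TRUSTED },
		{ PEM_STRING_X509_OLD,     PEM_STRING_X509_TRUSTED },
	};
	size_t i;

	if (!strcmp(nm, name)) return 1;
	for (i = 0; i < sizeof(aliases) / sizeof(aliases[0]); i++)
		if (!strcmp(nm, aliases[i].nm) && !strcmp(name, aliases[i].name))
			return 1;
	return 0;
}
```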
@@ -185,21 +223,7 @@ char *PEM_ASN1_read_bio(char *(*d2i)(), const char *name, BIO *bp, char **x, ERR_add_error_data(2, "Expecting: ", name); return(NULL); } - if ( (strcmp(nm,name) == 0) || - ((strcmp(nm,PEM_STRING_RSA) == 0) && - (strcmp(name,PEM_STRING_EVP_PKEY) == 0)) || - ((strcmp(nm,PEM_STRING_DSA) == 0) && - (strcmp(name,PEM_STRING_EVP_PKEY) == 0)) || - ((strcmp(nm,PEM_STRING_PKCS8) == 0) && - (strcmp(name,PEM_STRING_EVP_PKEY) == 0)) || - ((strcmp(nm,PEM_STRING_PKCS8INF) == 0) && - (strcmp(name,PEM_STRING_EVP_PKEY) == 0)) || - ((strcmp(nm,PEM_STRING_X509_OLD) == 0) && - (strcmp(name,PEM_STRING_X509) == 0)) || - ((strcmp(nm,PEM_STRING_X509_REQ_OLD) == 0) && - (strcmp(name,PEM_STRING_X509_REQ) == 0)) - ) - break; + if(check_pem(nm, name)) break; Free(nm); Free(header); Free(data); diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h index 6091ffd4ef..a6e61cf6c7 100644 --- a/crypto/x509/x509.h +++ b/crypto/x509/x509.h @@ -230,6 +230,30 @@ typedef struct x509_cinf_st STACK_OF(X509_EXTENSION) *extensions; /* [ 3 ] optional in v3 */ } X509_CINF; +/* This stuff is certificate "auxiliary info" + * it contains details which are useful in certificate + * stores and databases. When used this is tagged onto + * the end of the certificate itself + */ + +/* Bit values for trust/notrust */ + +#define X509_TRUST_ALL 0 +#define X509_TRUST_SSL_CLIENT 1 +#define X509_TRUST_SSL_SERVER 2 +#define X509_TRUST_EMAIL 3 +#define X509_TRUST_OBJECT_SIGN 4 + +typedef struct x509_cert_aux_st + { + ASN1_BIT_STRING *trust; /* trusted uses */ + ASN1_BIT_STRING *notrust; /* rejected uses */ + STACK_OF(ASN1_OBJECT) *othertrust; /* extra uses */ + STACK_OF(ASN1_OBJECT) *othernotrust; /* extra rejected uses */ + ASN1_UTF8STRING *alias; /* "friendly name" */ + ASN1_TYPE *other; /* other unspecified info */ + } X509_CERT_AUX; + typedef struct x509_st { X509_CINF *cert_info; 
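Review bot: The `X509_TRUST_*` values are bit positions in `X509_CERT_AUX->trust`/`notrust`, and that struct is appended to the certificate encoding (per the comment above it and `i2d_X509_CERT_AUX`), so they form a persistent format whose existing values must never be renumbered; the comment `/* Bit values for trust/notrust */` should say so, e.g. `/* Bit positions in X509_CERT_AUX trust/notrust. These are written into the encoded TRUSTED CERTIFICATE, so existing values must not change. */`. It is also left unstated how `X509_TRUST_ALL` relates to the specific bits and what a use listed in both `trust` and `notrust` means; one sentence on the struct fixing that precedence would save every future checker from guessing.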
@@ -245,6 +269,7 @@ typedef struct x509_st unsigned long ex_kusage; unsigned long ex_xkusage; unsigned long ex_nscert; + X509_CERT_AUX *aux; } X509; DECLARE_STACK_OF(X509) @@ -735,6 +760,23 @@ int X509_get_ex_new_index(long argl, char *argp, int (*new_func)(), int (*dup_func)(), void (*free_func)()); int X509_set_ex_data(X509 *r, int idx, char *arg); char *X509_get_ex_data(X509 *r, int idx); +int i2d_X509_AUX(X509 *a,unsigned char **pp); +X509 * d2i_X509_AUX(X509 **a,unsigned char **pp,long length); + +X509_CERT_AUX * X509_CERT_AUX_new(void); +void X509_CERT_AUX_free(X509_CERT_AUX *a); +int i2d_X509_CERT_AUX(X509_CERT_AUX *a,unsigned char **pp); +X509_CERT_AUX * d2i_X509_CERT_AUX(X509_CERT_AUX **a,unsigned char **pp, + long length); +int X509_alias_set(X509 *x, unsigned char *name, int len); +unsigned char * X509_alias_get(X509 *x, int *len); +int X509_trust_set_bit(X509 *x, int bit, int value); +int X509_notrust_set_bit(X509 *x, int bit, int value); +int X509_add_trust_object(X509 *x, ASN1_OBJECT *obj); +int X509_add_notrust_object(X509 *x, ASN1_OBJECT *obj); + +int X509_trust_set_bit_asc(X509 *x, char *str, int value); +int X509_notrust_set_bit_asc(X509 *x, char *str, int value); X509_REVOKED * X509_REVOKED_new(void); void X509_REVOKED_free(X509_REVOKED *a); @@ -840,6 +882,7 @@ int X509_REQ_print_fp(FILE *bp,X509_REQ *req); #ifdef HEADER_BIO_H int X509_NAME_print(BIO *bp, X509_NAME *name, int obase); int X509_print(BIO *bp,X509 *x); +int X509_CERT_AUX_print(BIO *bp,X509_CERT_AUX *x, int indent); int X509_CRL_print(BIO *bp,X509_CRL *x); int X509_REQ_print(BIO *bp,X509_REQ *req); #endif diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index f2565e71f3..d7e561e58e 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c 
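Review bot: The new `aux` member must start out NULL and be released by the X509 destructor: `aux_get()` in x_x509a.c allocates a X509_CERT_AUX only when `x->aux` is NULL and otherwise uses whatever the pointer holds, so an uninitialised field would be treated as live aux data. x_x509.c is in this commit's diffstat but not in view here, so I cannot confirm that X509_new() and X509_free() were both updated. A comment on the member would pin the ownership in the header: `X509_CERT_AUX *aux; /* trust/alias trailer, NULL if absent; must be freed with the X509 */`.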
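Review bot: `X509_CERT_AUX_free` is declared here as the structure's destructor, but its definition in x_x509a.c in this commit frees the six members and never frees the X509_CERT_AUX itself, so every caller, including the `M_ASN1_D2I_Finish` error path of `d2i_X509_CERT_AUX`, leaks the struct; it needs `Free(a);` after `ASN1_TYPE_free(a->other);`. `X509_trust_set_bit_asc` and `X509_notrust_set_bit_asc` are declared but no definition of either appears in the files of this commit shown here, so unless they live in a file outside this view they will fail at link time. The header should also state the return convention these setters share (non-zero on success, 0 on allocation failure, as the x_x509a.c bodies do) so callers check it.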
@@ -62,7 +62,7 @@ static int x509_purpose_get_idx(int id); -void x509v3_cache_extensions(X509 *x); +static void x509v3_cache_extensions(X509 *x); static int ca_check(X509 *x); static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca); @@ -109,7 +109,7 @@ int X509_check_purpose(X509 *x, int id, int ca) return pt->check_purpose(pt, x,ca); } - + static int x509_purpose_get_idx(int id) @@ -191,7 +191,7 @@ char *X509_PURPOSE_get_name(X509_PURPOSE *xp) return xp->purpose_name; } -void x509v3_cache_extensions(X509 *x) +static void x509v3_cache_extensions(X509 *x) { BASIC_CONSTRAINTS *bs; ASN1_BIT_STRING *usage; diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h index 2e2756f72f..d082133911 100644 --- a/crypto/x509v3/x509v3.h +++ b/crypto/x509v3/x509v3.h @@ -136,12 +136,6 @@ typedef struct v3_ext_ctx X509V3_CTX; #define X509V3_EXT_CTX_DEP 0x2 #define X509V3_EXT_MULTILINE 0x4 -typedef struct BIT_STRING_BITNAME_st { -int bitnum; -const char *lname; -const char *sname; -} BIT_STRING_BITNAME; - typedef BIT_STRING_BITNAME ENUMERATED_NAMES; typedef struct BASIC_CONSTRAINTS_st { |