diff options
author | Richard Levitte <levitte@openssl.org> | 2004-12-28 00:21:35 +0000 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2004-12-28 00:21:35 +0000 |
commit | 6951c23afd4e7951451a4d90023111a06e86589f (patch) | |
tree | 0eca84b83a120737ac41da268b6baba4484ded68 | |
parent | de421076a5e0cbf31268c8769f5ac0889bef79ba (diff) |
Add functionality needed to process proxy certificates.
-rw-r--r-- | CHANGES | 5 | ||||
-rw-r--r-- | apps/openssl-vms.cnf | 53 | ||||
-rw-r--r-- | apps/openssl.cnf | 53 | ||||
-rw-r--r-- | crypto/objects/obj_dat.h | 38 | ||||
-rw-r--r-- | crypto/objects/obj_mac.h | 24 | ||||
-rw-r--r-- | crypto/objects/obj_mac.num | 5 | ||||
-rw-r--r-- | crypto/objects/objects.txt | 7 | ||||
-rw-r--r-- | crypto/x509/x509.h | 1 | ||||
-rw-r--r-- | crypto/x509/x509_txt.c | 12 | ||||
-rw-r--r-- | crypto/x509/x509_vfy.c | 25 | ||||
-rw-r--r-- | crypto/x509/x509_vfy.h | 8 | ||||
-rw-r--r-- | crypto/x509v3/Makefile.ssl | 34 | ||||
-rw-r--r-- | crypto/x509v3/ext_dat.h | 3 | ||||
-rw-r--r-- | crypto/x509v3/v3_pci.c | 307 | ||||
-rw-r--r-- | crypto/x509v3/v3_pcia.c | 55 | ||||
-rw-r--r-- | crypto/x509v3/v3_purp.c | 24 | ||||
-rw-r--r-- | crypto/x509v3/v3err.c | 8 | ||||
-rw-r--r-- | crypto/x509v3/x509v3.h | 26 | ||||
-rw-r--r-- | test/CAss.cnf | 4 | ||||
-rw-r--r-- | test/Makefile.ssl | 10 | ||||
-rw-r--r-- | test/P1ss.cnf | 37 | ||||
-rw-r--r-- | test/P2ss.cnf | 45 | ||||
-rw-r--r-- | test/Uss.cnf | 8 | ||||
-rw-r--r-- | test/testss | 76 | ||||
-rwxr-xr-x | util/libeay.num | 902 |
25 files changed, 1290 insertions, 480 deletions
@@ -4,6 +4,11 @@ Changes between 0.9.7e and 0.9.8 [xx XXX xxxx] + *) Add processing of proxy certificates (see RFC 3820). This work was + sponsored by KTH (The Royal Institute of Technology in Stockholm) and + EGEE (Enabling Grids for E-science in Europe). + [Richard Levitte] + *) RC4 performance overhaul on modern architectures/implementations, such as Intel P4, IA-64 and AMD64. [Andy Polyakov] diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf index 05663c95b7..130b430d42 100644 --- a/apps/openssl-vms.cnf +++ b/apps/openssl-vms.cnf @@ -258,3 +258,56 @@ basicConstraints = CA:true # issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always,issuer:always + +[ proxy_cert_ext ] +# These extensions should be added when creating a proxy certificate + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This really needs to be in place for it to be a proxy certificate. +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo diff --git a/apps/openssl.cnf b/apps/openssl.cnf index 8941f454f8..6d731cbe8b 100644 --- a/apps/openssl.cnf +++ b/apps/openssl.cnf @@ -258,3 +258,56 @@ basicConstraints = CA:true # issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always,issuer:always + +[ proxy_cert_ext ] +# These extensions should be added when creating a proxy certificate + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This really needs to be in place for it to be a proxy certificate. +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index 7a5138276e..c2a707a984 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -62,12 +62,12 @@ * [including the GNU Public Licence.] */ -#define NUM_NID 746 -#define NUM_SN 742 -#define NUM_LN 742 -#define NUM_OBJ 704 +#define NUM_NID 751 +#define NUM_SN 747 +#define NUM_LN 747 +#define NUM_OBJ 709 -static unsigned char lvalues[4963]={ +static unsigned char lvalues[5002]={ 0x00, /* [ 0] OBJ_undef */ 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 1] OBJ_rsadsi */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 7] OBJ_pkcs */ @@ -772,6 +772,11 @@ static unsigned char lvalues[4963]={ 0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02,/* [4935] OBJ_sha384 */ 0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,/* [4944] OBJ_sha512 */ 0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x04,/* [4953] OBJ_sha224 */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x15, /* [4962] OBJ_id_ppl */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0E, /* [4969] OBJ_proxyCertInfo */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x00, /* [4977] OBJ_id_ppl_anyLanguage */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x01, /* [4985] OBJ_id_ppl_inheritAll */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x02, /* [4993] OBJ_Independent */ }; static ASN1_OBJECT nid_objs[NUM_NID]={ @@ -1932,6 +1937,14 @@ static ASN1_OBJECT nid_objs[NUM_NID]={ {"SHA224","sha224",NID_sha224,9,&(lvalues[4953]),0}, {"Oakley-EC2N-3","ipsec3",NID_ipsec3,0,NULL}, {"Oakley-EC2N-4","ipsec4",NID_ipsec4,0,NULL}, +{"id-ppl","id-ppl",NID_id_ppl,7,&(lvalues[4962]),0}, +{"proxyCertInfo","Proxy Certificate Information",NID_proxyCertInfo,8, + &(lvalues[4969]),0}, +{"id-ppl-anyLanguage","Any language",NID_id_ppl_anyLanguage,8, + &(lvalues[4977]),0}, +{"id-ppl-inheritAll","Inherit all",NID_id_ppl_inheritAll,8, + &(lvalues[4985]),0}, +{"id-ppl-independent","Independent",NID_Independent,8,&(lvalues[4993]),0}, }; static ASN1_OBJECT *sn_objs[NUM_SN]={ @@ -2271,6 +2284,10 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[271]),/* "id-pkix1-explicit-93" */ &(nid_objs[270]),/* "id-pkix1-implicit-88" */ &(nid_objs[272]),/* "id-pkix1-implicit-93" */ +&(nid_objs[746]),/* "id-ppl" */ +&(nid_objs[748]),/* "id-ppl-anyLanguage" */ +&(nid_objs[750]),/* "id-ppl-independent" */ +&(nid_objs[749]),/* "id-ppl-inheritAll" */ &(nid_objs[267]),/* "id-qcs" */ &(nid_objs[359]),/* "id-qcs-pkixQCSyntax-v1" */ &(nid_objs[259]),/* "id-qt" */ @@ -2453,6 +2470,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[415]),/* "prime256v1" */ &(nid_objs[385]),/* "private" */ &(nid_objs[84]),/* "privateKeyUsagePeriod" */ +&(nid_objs[747]),/* "proxyCertInfo" */ &(nid_objs[510]),/* "pseudonym" */ &(nid_objs[435]),/* "pss" */ &(nid_objs[286]),/* "qcStatements" */ @@ -2683,6 +2701,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[363]),/* "AD Time Stamping" */ &(nid_objs[405]),/* "ANSI X9.62" */ &(nid_objs[368]),/* "Acceptable OCSP Responses" */ +&(nid_objs[748]),/* "Any language" */ &(nid_objs[177]),/* "Authority Information Access" */ &(nid_objs[365]),/* "Basic OCSP Response" */ &(nid_objs[285]),/* "Biometric Info" */ @@ -2705,6 +2724,8 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[296]),/* "IPSec User" */ &(nid_objs[182]),/* "ISO Member Body" */ &(nid_objs[183]),/* "ISO US Member Body" */ +&(nid_objs[750]),/* "Independent" */ +&(nid_objs[749]),/* "Inherit all" */ &(nid_objs[647]),/* "International Organizations" */ &(nid_objs[142]),/* "Invalidity Date" */ &(nid_objs[504]),/* "MIME MHS" */ @@ -2748,6 +2769,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[164]),/* "Policy Qualifier CPS" */ &(nid_objs[165]),/* "Policy Qualifier User Notice" */ &(nid_objs[385]),/* "Private" */ +&(nid_objs[747]),/* "Proxy Certificate Information" */ &(nid_objs[ 1]),/* "RSA Data Security, Inc." */ &(nid_objs[ 2]),/* "RSA Data Security, Inc. PKCS" */ &(nid_objs[188]),/* "S/MIME" */ @@ -3009,6 +3031,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[271]),/* "id-pkix1-explicit-93" */ &(nid_objs[270]),/* "id-pkix1-implicit-88" */ &(nid_objs[272]),/* "id-pkix1-implicit-93" */ +&(nid_objs[746]),/* "id-ppl" */ &(nid_objs[267]),/* "id-qcs" */ &(nid_objs[359]),/* "id-qcs-pkixQCSyntax-v1" */ &(nid_objs[259]),/* "id-qt" */ @@ -3727,6 +3750,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[266]),/* OBJ_id_aca 1 3 6 1 5 5 7 10 */ &(nid_objs[267]),/* OBJ_id_qcs 1 3 6 1 5 5 7 11 */ &(nid_objs[268]),/* OBJ_id_cct 1 3 6 1 5 5 7 12 */ +&(nid_objs[746]),/* OBJ_id_ppl 1 3 6 1 5 5 7 21 */ &(nid_objs[176]),/* OBJ_id_ad 1 3 6 1 5 5 7 48 */ &(nid_objs[507]),/* OBJ_id_hex_partial_message 1 3 6 1 7 1 1 1 */ &(nid_objs[508]),/* OBJ_id_hex_multipart_message 1 3 6 1 7 1 1 2 */ @@ -3801,6 +3825,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[292]),/* OBJ_sbqp_routerIdentifier 1 3 6 1 5 5 7 1 9 */ &(nid_objs[397]),/* OBJ_ac_proxying 1 3 6 1 5 5 7 1 10 */ &(nid_objs[398]),/* OBJ_sinfo_access 1 3 6 1 5 5 7 1 11 */ +&(nid_objs[747]),/* OBJ_proxyCertInfo 1 3 6 1 5 5 7 1 14 */ &(nid_objs[164]),/* OBJ_id_qt_cps 1 3 6 1 5 5 7 2 1 */ &(nid_objs[165]),/* OBJ_id_qt_unotice 1 3 6 1 5 5 7 2 2 */ &(nid_objs[293]),/* OBJ_textNotice 1 3 6 1 5 5 7 2 3 */ @@ -3871,6 +3896,9 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[360]),/* OBJ_id_cct_crs 1 3 6 1 5 5 7 12 1 */ &(nid_objs[361]),/* OBJ_id_cct_PKIData 1 3 6 1 5 5 7 12 2 */ &(nid_objs[362]),/* OBJ_id_cct_PKIResponse 1 3 6 1 5 5 7 12 3 */ +&(nid_objs[748]),/* OBJ_id_ppl_anyLanguage 1 3 6 1 5 5 7 21 0 */ +&(nid_objs[749]),/* OBJ_id_ppl_inheritAll 1 3 6 1 5 5 7 21 1 */ +&(nid_objs[750]),/* OBJ_Independent 1 3 6 1 5 5 7 21 2 */ &(nid_objs[178]),/* OBJ_ad_OCSP 1 3 6 1 5 5 7 48 1 */ &(nid_objs[179]),/* OBJ_ad_ca_issuers 1 3 6 1 5 5 7 48 2 */ &(nid_objs[363]),/* OBJ_ad_timeStamping 1 3 6 1 5 5 7 48 3 */ diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h index e53aadb6c6..322577094a 100644 --- a/crypto/objects/obj_mac.h +++ b/crypto/objects/obj_mac.h @@ -1265,6 +1265,10 @@ #define NID_id_cct 268 #define OBJ_id_cct OBJ_id_pkix,12L +#define SN_id_ppl "id-ppl" +#define NID_id_ppl 746 +#define OBJ_id_ppl OBJ_id_pkix,21L + #define SN_id_ad "id-ad" #define NID_id_ad 176 #define OBJ_id_ad OBJ_id_pkix,48L @@ -1380,6 +1384,11 @@ #define NID_sinfo_access 398 #define OBJ_sinfo_access OBJ_id_pe,11L +#define SN_proxyCertInfo "proxyCertInfo" +#define LN_proxyCertInfo "Proxy Certificate Information" +#define NID_proxyCertInfo 747 +#define OBJ_proxyCertInfo OBJ_id_pe,14L + #define SN_id_qt_cps "id-qt-cps" #define LN_id_qt_cps "Policy Qualifier CPS" #define NID_id_qt_cps 164 @@ -1704,6 +1713,21 @@ #define NID_id_cct_PKIResponse 362 #define OBJ_id_cct_PKIResponse OBJ_id_cct,3L +#define SN_id_ppl_anyLanguage "id-ppl-anyLanguage" +#define LN_id_ppl_anyLanguage "Any language" +#define NID_id_ppl_anyLanguage 748 +#define OBJ_id_ppl_anyLanguage OBJ_id_ppl,0L + +#define SN_id_ppl_inheritAll "id-ppl-inheritAll" +#define LN_id_ppl_inheritAll "Inherit all" +#define NID_id_ppl_inheritAll 749 +#define OBJ_id_ppl_inheritAll OBJ_id_ppl,1L + +#define SN_Independent "id-ppl-independent" +#define LN_Independent "Independent" +#define NID_Independent 750 +#define OBJ_Independent OBJ_id_ppl,2L + #define SN_ad_OCSP "OCSP" #define LN_ad_OCSP "OCSP" #define NID_ad_OCSP 178 diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num index c5dd8db1d3..180d20f1bc 100644 --- a/crypto/objects/obj_mac.num +++ b/crypto/objects/obj_mac.num @@ -743,3 +743,8 @@ sha512 742 sha224 743 ipsec3 744 ipsec4 745 +id_ppl 746 +proxyCertInfo 747 +id_ppl_anyLanguage 748 +id_ppl_inheritAll 749 +Independent 750 diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt index f2ea4a4db0..46a405b3e6 100644 --- a/crypto/objects/objects.txt +++ b/crypto/objects/objects.txt @@ -405,6 +405,7 @@ id-pkix 9 : id-pda id-pkix 10 : id-aca id-pkix 11 : id-qcs id-pkix 12 : id-cct +id-pkix 21 : id-ppl id-pkix 48 : id-ad # PKIX Modules @@ -439,6 +440,7 @@ id-pe 9 : sbqp-routerIdentifier id-pe 10 : ac-proxying !Cname sinfo-access id-pe 11 : subjectInfoAccess : Subject Information Access +id-pe 14 : proxyCertInfo : Proxy Certificate Information # PKIX policyQualifiers for Internet policy qualifiers id-qt 1 : id-qt-cps : Policy Qualifier CPS @@ -554,6 +556,11 @@ id-cct 1 : id-cct-crs id-cct 2 : id-cct-PKIData id-cct 3 : id-cct-PKIResponse +# Predefined Proxy Certificate policy languages +id-ppl 0 : id-ppl-anyLanguage : Any language +id-ppl 1 : id-ppl-inheritAll : Inherit all +id-ppl 2 : id-ppl-independent : Independent + # access descriptors for authority info access extension !Cname ad-OCSP id-ad 1 : OCSP : OCSP diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h index 016164cb68..46673fddd1 100644 --- a/crypto/x509/x509.h +++ b/crypto/x509/x509.h @@ -280,6 +280,7 @@ struct x509_st CRYPTO_EX_DATA ex_data; /* These contain copies of various extension values */ long ex_pathlen; + long ex_pcpathlen; unsigned long ex_flags; unsigned long ex_kusage; unsigned long ex_xkusage; diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c index 57ff33dc19..247e7e178a 100644 --- a/crypto/x509/x509_txt.c +++ b/crypto/x509/x509_txt.c @@ -126,6 +126,8 @@ const char *X509_verify_cert_error_string(long n) return ("invalid non-CA certificate (has CA markings)"); case X509_V_ERR_PATH_LENGTH_EXCEEDED: return ("path length constraint exceeded"); + case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: + return("proxy path length constraint exceeded"); case X509_V_ERR_INVALID_PURPOSE: return ("unsupported certificate purpose"); case X509_V_ERR_CERT_UNTRUSTED: @@ -142,28 +144,22 @@ const char *X509_verify_cert_error_string(long n) return("authority and issuer serial number mismatch"); case X509_V_ERR_KEYUSAGE_NO_CERTSIGN: return("key usage does not include certificate signing"); - case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: return("unable to get CRL issuer certificate"); - case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: return("unhandled critical extension"); - case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: return("key usage does not include CRL signing"); - + case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: + return("key usage does not include digital signature"); case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: return("unhandled critical CRL extension"); - case X509_V_ERR_INVALID_EXTENSION: return("invalid or inconsistent certificate extension"); - case X509_V_ERR_INVALID_POLICY_EXTENSION: return("invalid or inconsistent certificate policy extension"); - case X509_V_ERR_NO_EXPLICIT_POLICY: return("no explicit policy"); - default: BIO_snprintf(buf,sizeof buf,"error number %ld",n); return(buf); diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index c6c83ad72f..cbdd978a7d 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -389,6 +389,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) int i, ok=0, must_be_ca; X509 *x; int (*cb)(); + int proxy_path_length = 0; cb=ctx->verify_cb; /* must_be_ca can have 1 of 3 values: @@ -472,7 +473,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) } /* Check pathlen */ if ((i > 1) && (x->ex_pathlen != -1) - && (i > (x->ex_pathlen + 1))) + && (i > (x->ex_pathlen + proxy_path_length + 1))) { ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; ctx->error_depth = i; @@ -480,8 +481,26 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) ok=cb(0,ctx); if (!ok) goto end; } - /* The next certificate must be a CA */ - must_be_ca = 1; + /* If this certificate is a proxy certificate, the next + certificate must be another proxy certificate or a EE + certificate. If not, the next certificate must be a + CA certificate. */ + if (x->ex_flags & EXFLAG_PROXY) + { + if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) + { + ctx->error = + X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; + ctx->error_depth = i; + ctx->current_cert = x; + ok=cb(0,ctx); + if (!ok) goto end; + } + proxy_path_length++; + must_be_ca = 0; + } + else + must_be_ca = 1; } ok = 1; end: diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h index 5f49c2a8b7..33ace72671 100644 --- a/crypto/x509/x509_vfy.h +++ b/crypto/x509/x509_vfy.h @@ -323,10 +323,12 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); #define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35 #define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36 #define X509_V_ERR_INVALID_NON_CA 37 +#define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38 +#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39 -#define X509_V_ERR_INVALID_EXTENSION 38 -#define X509_V_ERR_INVALID_POLICY_EXTENSION 39 -#define X509_V_ERR_NO_EXPLICIT_POLICY 40 +#define X509_V_ERR_INVALID_EXTENSION 40 +#define X509_V_ERR_INVALID_POLICY_EXTENSION 41 +#define X509_V_ERR_NO_EXPLICIT_POLICY 42 /* The application is not happy */ diff --git a/crypto/x509v3/Makefile.ssl b/crypto/x509v3/Makefile.ssl index 57c236e3d2..f91301188c 100644 --- a/crypto/x509v3/Makefile.ssl +++ b/crypto/x509v3/Makefile.ssl @@ -26,13 +26,13 @@ LIB=$(TOP)/libcrypto.a LIBSRC= v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c v3_lib.c \ v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c v3_pku.c \ v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \ -v3_ocsp.c v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c pcy_cache.c pcy_node.c \ -pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c +v3_ocsp.c v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c v3_pcia.c v3_pci.c \ +pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \ v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \ v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o v3_purp.o v3_info.o \ -v3_ocsp.o v3_akeya.o v3_pmaps.o v3_pcons.o v3_ncons.o pcy_cache.o pcy_node.o \ -pcy_data.o pcy_map.o pcy_tree.o pcy_lib.o +v3_ocsp.o v3_akeya.o v3_pmaps.o v3_pcons.o v3_ncons.o v3_pcia.o v3_pci.o \ +pcy_cache.o pcy_node.o pcy_data.o pcy_map.o pcy_tree.o pcy_lib.o SRC= $(LIBSRC) @@ -410,6 +410,32 @@ v3_ocsp.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h v3_ocsp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h v3_ocsp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h v3_ocsp.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_ocsp.c +v3_pci.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h +v3_pci.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h +v3_pci.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +v3_pci.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h +v3_pci.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h +v3_pci.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h +v3_pci.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +v3_pci.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +v3_pci.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h +v3_pci.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h +v3_pci.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +v3_pci.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h +v3_pci.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_pci.c +v3_pcia.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h +v3_pcia.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h +v3_pcia.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h +v3_pcia.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h +v3_pcia.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h +v3_pcia.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h +v3_pcia.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +v3_pcia.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +v3_pcia.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h +v3_pcia.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h +v3_pcia.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +v3_pcia.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h +v3_pcia.o: ../../include/openssl/x509v3.h v3_pcia.c v3_pcons.o: ../../e_os.h ../../include/openssl/asn1.h v3_pcons.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h v3_pcons.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h diff --git a/crypto/x509v3/ext_dat.h b/crypto/x509v3/ext_dat.h index 7be8565189..3ee4bffe39 100644 --- a/crypto/x509v3/ext_dat.h +++ b/crypto/x509v3/ext_dat.h @@ -64,7 +64,7 @@ extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate; extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld; extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff; extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc; -extern X509V3_EXT_METHOD v3_crl_hold; +extern X509V3_EXT_METHOD v3_crl_hold, v3_pci; extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints; extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp; @@ -112,6 +112,7 @@ static X509V3_EXT_METHOD *standard_exts[] = { #ifndef OPENSSL_NO_OCSP &v3_crl_hold, #endif +&v3_pci, &v3_policy_mappings, &v3_name_constraints, &v3_inhibit_anyp diff --git a/crypto/x509v3/v3_pci.c b/crypto/x509v3/v3_pci.c new file mode 100644 index 0000000000..42fb0d74df --- /dev/null +++ b/crypto/x509v3/v3_pci.c @@ -0,0 +1,307 @@ +/* v3_pci.c -*- mode:C; c-file-style: "eay" -*- */ +/* Contributed to the OpenSSL Project 2004 + * by Richard Levitte (richard@levitte.org) + */ +/* Copyright (c) 2004 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include <stdio.h> +#include "cryptlib.h" +#include <openssl/conf.h> +#include <openssl/x509v3.h> + +static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext, + BIO *out, int indent); +static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method, + X509V3_CTX *ctx, char *str); + +X509V3_EXT_METHOD v3_pci = + { NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION), + 0,0,0,0, + 0,0, + NULL, NULL, + (X509V3_EXT_I2R)i2r_pci, + (X509V3_EXT_R2I)r2i_pci, + NULL, + }; + +static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci, + BIO *out, int indent) + { + BIO_printf(out, "%*sPath Length Constraint: ", indent, ""); + if (pci->pcPathLengthConstraint) + i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint); + else + BIO_printf(out, "infinite"); + BIO_puts(out, "\n"); + BIO_printf(out, "%*sPolicy Language: ", indent, ""); + i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage); + BIO_puts(out, "\n"); + if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data) + BIO_printf(out, "%*sPolicy Text: %s\n", indent, "", + pci->proxyPolicy->policy->data); + return 1; + } + +static int process_pci_value(CONF_VALUE *val, + ASN1_OBJECT **language, ASN1_INTEGER **pathlen, + ASN1_OCTET_STRING **policy) + { + int free_policy = 0; + + if (strcmp(val->name, "language") == 0) + { + if (*language) + { + X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED); + X509V3_conf_err(val); + return 0; + } + if (!(*language = OBJ_txt2obj(val->value, 0))) + { + X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_OBJECT_IDENTIFIER); + X509V3_conf_err(val); + return 0; + } + } + else if (strcmp(val->name, "pathlen") == 0) + { + if (*pathlen) + { + X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED); + X509V3_conf_err(val); + return 0; + } + if (!X509V3_get_value_int(val, pathlen)) + { + X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_PATH_LENGTH); + X509V3_conf_err(val); + return 0; + } + } + else if (strcmp(val->name, "policy") == 0) + { + unsigned char *tmp_data = NULL; + long val_len; + if (!*policy) + { + *policy = ASN1_OCTET_STRING_new(); + if (!*policy) + { + X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE); + X509V3_conf_err(val); + return 0; + } + free_policy = 1; + } + if (strncmp(val->value, "hex:", 4) == 0) + { + unsigned char *tmp_data2 = + string_to_hex(val->value + 4, &val_len); + + if (!tmp_data2) goto err; + + tmp_data = OPENSSL_realloc((*policy)->data, + (*policy)->length + val_len + 1); + if (tmp_data) + { + (*policy)->data = tmp_data; + memcpy(&(*policy)->data[(*policy)->length], + tmp_data2, val_len); + (*policy)->length += val_len; + (*policy)->data[(*policy)->length] = '\0'; + } + } + else if (strncmp(val->value, "file:", 5) == 0) + { + unsigned char buf[2048]; + int n; + BIO *b = BIO_new_file(val->value + 5, "r"); + if (!b) + { + X509V3err(X509V3_F_R2I_PCI,ERR_R_BIO_LIB); + X509V3_conf_err(val); + goto err; + } + while((n = BIO_read(b, buf, sizeof(buf))) > 0 + || (n == 0 && BIO_should_retry(b))) + { + if (!n) continue; + + tmp_data = OPENSSL_realloc((*policy)->data, + (*policy)->length + n + 1); + + if (!tmp_data) + break; + + (*policy)->data = tmp_data; + memcpy(&(*policy)->data[(*policy)->length], + buf, n); + (*policy)->length += n; + (*policy)->data[(*policy)->length] = '\0'; + } + + if (n < 0) + { + X509V3err(X509V3_F_R2I_PCI,ERR_R_BIO_LIB); + X509V3_conf_err(val); + goto err; + } + } + else if (strncmp(val->value, "text:", 5) == 0) + { + val_len = strlen(val-& |