authorDr. Stephen Henson <steve@openssl.org>1999-11-04 00:45:35 +0000
committerDr. Stephen Henson <steve@openssl.org>1999-11-04 00:45:35 +0000
commitce1b4fe14648007bf054cf54846c0620e4605251 (patch)
treee3c5e114c8c622564482e88831ef6c4799fa53cb
parentce2c95b2a249256ec92bd060ff083de8e3a22be2 (diff)
Allow additional information to be attached to a
certificate: currently this includes trust settings and a "friendly name".
-rw-r--r--CHANGES16
-rw-r--r--apps/x509.c94
-rw-r--r--crypto/asn1/Makefile.ssl60
-rw-r--r--crypto/asn1/a_mbstr.c2
-rw-r--r--crypto/asn1/asn1.h17
-rw-r--r--crypto/asn1/asn1_err.c2
-rw-r--r--crypto/asn1/asn1_mac.h14
-rw-r--r--crypto/asn1/t_bitst.c99
-rw-r--r--crypto/asn1/t_x509.c1
-rw-r--r--crypto/asn1/t_x509a.c138
-rw-r--r--crypto/asn1/x_x509.c36
-rw-r--r--crypto/asn1/x_x509a.c218
-rw-r--r--crypto/dsa/dsa_ossl.c4
-rw-r--r--crypto/pem/pem.h3
-rw-r--r--crypto/pem/pem_all.c2
-rw-r--r--crypto/pem/pem_lib.c54
-rw-r--r--crypto/x509/x509.h43
-rw-r--r--crypto/x509v3/v3_purp.c6
-rw-r--r--crypto/x509v3/x509v3.h6
19 files changed, 779 insertions, 36 deletions
diff --git a/CHANGES b/CHANGES
index 5a017ce7b2..ef3392c9d9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,22 @@
Changes between 0.9.4 and 0.9.5 [xx XXX 1999]
+ *) Extensive changes to support certificate auxiliary information.
+ This involves the use of X509_CERT_AUX structure and X509_AUX
+ functions. An X509_AUX function such as PEM_read_X509_AUX()
+ can still read in a certificate file in the usual way but it
+ will also read in any additional "auxiliary information". By
+ doing things this way a fair degree of compatability can be
+ retained: existing certificates can have this information added
+ using the new 'x509' options.
+
+ Current auxiliary information includes an "alias" and some trust
+ settings. The trust settings will ultimately be used in enhanced
+ certificate chain verification routines: currently a certificate
+ can only be trusted if it is self signed and then it is trusted
+ for all purposes.
+ [Steve Henson]
+
*) Fix assembler for Alpha (tested only on DEC OSF not Linux or *BSD). The
problem was that one of the replacement routines had not been working since
SSLeay releases. For now the offending routine has been replaced with
diff --git a/apps/x509.c b/apps/x509.c
index d88eb56c04..a7f25f0b68 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -102,8 +102,14 @@ static char *x509_usage[]={
" -dates - both Before and After dates\n",
" -modulus - print the RSA key modulus\n",
" -fingerprint - print the certificate fingerprint\n",
+" -alias - output certificate alias\n",
" -noout - no certificate output\n",
-
+" -trustout - output a \"trusted\" certificate\n",
+" -clrtrust - clear all trusted purposes\n",
+" -clrnotrust - clear all untrusted purposes\n",
+" -addtrust arg - mark certificate as trusted for a given purpose\n",
+" -addnotrust arg - mark certificate as not trusted for a given purpose\n",
+" -setalias arg - set certificate alias\n",
" -days arg - How long till expiry of a signed certificate - def 30 days\n",
" -signkey arg - self sign cert with arg\n",
" -x509toreq - output a certification request object\n",
@@ -146,11 +152,14 @@ int MAIN(int argc, char **argv)
int i,num,badops=0;
BIO *out=NULL;
BIO *STDout=NULL;
+ STACK *trust = NULL, *notrust = NULL;
int informat,outformat,keyformat,CAformat,CAkeyformat;
char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL;
char *CAkeyfile=NULL,*CAserial=NULL;
+ char *alias=NULL, *trstr=NULL;
int text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0;
int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0;
+ int trustout=0,clrtrust=0,clrnotrust=0,aliasout=0;
int C=0;
int x509req=0,days=DEF_DAYS,modulus=0;
int pprint = 0;
@@ -270,6 +279,44 @@ int MAIN(int argc, char **argv)
if (--argc < 1) goto bad;
CAserial= *(++argv);
}
+ else if (strcmp(*argv,"-addtrust") == 0)
+ {
+ if (--argc < 1) goto bad;
+ trstr= *(++argv);
+ if(!X509_trust_set_bit_asc(NULL, trstr, 0)) {
+ BIO_printf(bio_err,
+ "Unknown trust value %s\n", trstr);
+ goto bad;
+ }
+ if(!trust) trust = sk_new_null();
+ sk_push(trust, trstr);
+ trustout = 1;
+ }
+ else if (strcmp(*argv,"-addnotrust") == 0)
+ {
+ if (--argc < 1) goto bad;
+ trstr= *(++argv);
+ if(!X509_notrust_set_bit_asc(NULL, trstr, 0)) {
+ BIO_printf(bio_err,
+ "Unknown trust value %s\n", trstr);
+ goto bad;
+ }
+ if(!notrust) notrust = sk_new_null();
+ sk_push(notrust, trstr);
+ trustout = 1;
+ }
+ else if (strcmp(*argv,"-setalias") == 0)
+ {
+ if (--argc < 1) goto bad;
+ alias= *(++argv);
+ trustout = 1;
+ }
+ else if (strcmp(*argv,"-setalias") == 0)
+ {
+ if (--argc < 1) goto bad;
+ alias= *(++argv);
+ trustout = 1;
+ }
else if (strcmp(*argv,"-C") == 0)
C= ++num;
else if (strcmp(*argv,"-serial") == 0)
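Review bot: The second `-setalias` branch in this hunk is unreachable: `strcmp(*argv,"-setalias") == 0` is tested twice in the same else-if chain, so the duplicate block (the one immediately before `-C`) is dead code and should be deleted. In the `-addtrust`/`-addnotrust` branches the results of `sk_new_null()` and `sk_push()` are not checked, so an allocation failure silently drops a purpose the operator asked for from the list that is later applied to the certificate; something like `if(!trust) trust = sk_new_null(); if(!trust || !sk_push(trust, trstr)) goto bad;` (or a dedicated error exit) would make that failure visible. The enclosing option-parsing loop starts before and ends after this hunk.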
@@ -301,6 +348,14 @@ int MAIN(int argc, char **argv)
enddate= ++num;
else if (strcmp(*argv,"-noout") == 0)
noout= ++num;
+ else if (strcmp(*argv,"-trustout") == 0)
+ trustout= 1;
+ else if (strcmp(*argv,"-clrtrust") == 0)
+ clrtrust= ++num;
+ else if (strcmp(*argv,"-clrnotrust") == 0)
+ clrnotrust= ++num;
+ else if (strcmp(*argv,"-alias") == 0)
+ aliasout= ++num;
else if (strcmp(*argv,"-CAcreateserial") == 0)
CA_createserial= ++num;
else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
@@ -494,6 +549,27 @@ bad:
}
}
+ if(alias) X509_alias_set(x, (unsigned char *)alias, -1);
+
+ if(clrtrust) X509_trust_set_bit(x, -1, 0);
+ if(clrnotrust) X509_notrust_set_bit(x, -1, 0);
+
+ if(trust) {
+ for(i = 0; i < sk_num(trust); i++) {
+ trstr = sk_value(trust, i);
+ X509_trust_set_bit_asc(x, trstr, 1);
+ }
+ sk_free(trust);
+ }
+
+ if(notrust) {
+ for(i = 0; i < sk_num(notrust); i++) {
+ trstr = sk_value(notrust, i);
+ X509_notrust_set_bit_asc(x, trstr, 1);
+ }
+ sk_free(notrust);
+ }
+
if (num)
{
for (i=1; i<=num; i++)
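Review bot: The return values of `X509_alias_set()`, `X509_trust_set_bit_asc()` and `X509_notrust_set_bit_asc()` are discarded in the new block, so if setting a bit fails (the names were already validated during option parsing, so the remaining cause is presumably an allocation failure) the certificate is still written with `-trustout` but without the requested setting; for `-addnotrust` that means a restriction the operator asked for silently disappears from a file that later consumers will treat as authoritative. Each call should be checked and the tool should abort, e.g. `if(!X509_notrust_set_bit_asc(x, trstr, 1)) { BIO_printf(bio_err, "Unable to set trust for %s\n", trstr); goto end; }` using the function's normal error exit (which is outside this hunk). There is also no check that the same purpose is given to both `-addtrust` and `-addnotrust`; a warning there would save confusion later.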
@@ -516,6 +592,13 @@ bad:
i2a_ASN1_INTEGER(STDout,x->cert_info->serialNumber);
BIO_printf(STDout,"\n");
}
+ else if (aliasout == i)
+ {
+ unsigned char *alstr;
+ alstr = X509_alias_get(x, NULL);
+ if(alstr) BIO_printf(STDout,"%s\n", alstr);
+ else BIO_puts(STDout,"<No Alias>\n");
+ }
else if (hash == i)
{
BIO_printf(STDout,"%08lx\n",X509_subject_name_hash(x));
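Review bot: The new `-alias` output passes `NULL` for what appears to be the length out-parameter of `X509_alias_get()` and then prints the alias with `%s`, so output stops at the first NUL byte and any control or escape bytes in the alias reach the terminal unfiltered. The alias comes from whatever PEM file was given to `-in`, so it should be printed length-bounded and with non-printable bytes masked (e.g. collect the length into an `int` and use `"%.*s\n"`, or print via the ASN.1 string printer) rather than as a C string. The surrounding `if (num)` output loop begins before this hunk.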
@@ -726,9 +809,10 @@ bad:
if (outformat == FORMAT_ASN1)
i=i2d_X509_bio(out,x);
- else if (outformat == FORMAT_PEM)
- i=PEM_write_bio_X509(out,x);
- else if (outformat == FORMAT_NETSCAPE)
+ else if (outformat == FORMAT_PEM) {
+ if(trustout) i=PEM_write_bio_X509_AUX(out,x);
+ else i=PEM_write_bio_X509(out,x);
+ } else if (outformat == FORMAT_NETSCAPE)
{
ASN1_HEADER ah;
ASN1_OCTET_STRING os;
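Review bot: `-trustout`, `-addtrust`, `-addnotrust` and `-setalias` only take effect for `-outform PEM`: the `FORMAT_ASN1` branch just above the changed lines still calls `i2d_X509_bio(out,x)` (and the NETSCAPE branch is untouched), so with DER output the auxiliary block is silently dropped and the operator gets a certificate without the trust settings they asked for, with no warning. Either write the aux data for DER too when `trustout` is set (an `i2d_X509_AUX`-based BIO writer would be needed) or refuse the combination up front, e.g. `if(trustout && outformat != FORMAT_PEM) { BIO_printf(bio_err, "trust settings require PEM output\n"); goto end; }`. The output switch continues past this hunk.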
@@ -1070,7 +1154,7 @@ static X509 *load_cert(char *file, int format)
ah->data=NULL;
}
else if (format == FORMAT_PEM)
- x=PEM_read_bio_X509(cert,NULL,NULL,NULL);
+ x=PEM_read_bio_X509_AUX(cert,NULL,NULL,NULL);
else {
BIO_printf(bio_err,"bad input format specified for input cert\n");
goto end;
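Review bot: `load_cert()` now decodes auxiliary trust data from every PEM input, while the comment this same commit adds to `x_x509.c` says the X509_AUX readers should only be used on certificates from a reliable source because they determine how a certificate is trusted. For the `x509` command-line tool that is a reasonable choice, but it deserves a comment here so the pattern is not copied into verification code: `/* PEM_read_bio_X509_AUX also loads trust settings; only safe because the input is operator-supplied local storage */`. Note also that aux data read here is dropped again on output unless `-trustout` is given, which is worth stating in the usage text.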
diff --git a/crypto/asn1/Makefile.ssl b/crypto/asn1/Makefile.ssl
index f3f9056c54..ccdba3c33c 100644
--- a/crypto/asn1/Makefile.ssl
+++ b/crypto/asn1/Makefile.ssl
@@ -26,11 +26,11 @@ LIBSRC= a_object.c a_bitstr.c a_utctm.c a_gentm.c a_time.c a_int.c a_octet.c \
a_print.c a_type.c a_set.c a_dup.c a_d2i_fp.c a_i2d_fp.c a_bmp.c \
a_enum.c a_vis.c a_utf8.c a_sign.c a_digest.c a_verify.c a_mbstr.c \
x_algor.c x_val.c x_pubkey.c x_sig.c x_req.c x_attrib.c \
- x_name.c x_cinf.c x_x509.c x_crl.c x_info.c x_spki.c nsseq.c \
+ x_name.c x_cinf.c x_x509.c x_x509a.c x_crl.c x_info.c x_spki.c nsseq.c \
d2i_r_pr.c i2d_r_pr.c d2i_r_pu.c i2d_r_pu.c \
d2i_s_pr.c i2d_s_pr.c d2i_s_pu.c i2d_s_pu.c \
d2i_pu.c d2i_pr.c i2d_pu.c i2d_pr.c\
- t_req.c t_x509.c t_crl.c t_pkey.c t_spki.c \
+ t_req.c t_x509.c t_x509a.c t_crl.c t_pkey.c t_spki.c t_bitst.c \
p7_i_s.c p7_signi.c p7_signd.c p7_recip.c p7_enc_c.c p7_evp.c \
p7_dgst.c p7_s_e.c p7_enc.c p7_lib.c \
f_int.c f_string.c i2d_dhp.c i2d_dsap.c d2i_dhp.c d2i_dsap.c n_pkey.c \
@@ -41,11 +41,11 @@ LIBOBJ= a_object.o a_bitstr.o a_utctm.o a_gentm.o a_time.o a_int.o a_octet.o \
a_print.o a_type.o a_set.o a_dup.o a_d2i_fp.o a_i2d_fp.o a_bmp.o \
a_enum.o a_vis.o a_utf8.o a_sign.o a_digest.o a_verify.o a_mbstr.o \
x_algor.o x_val.o x_pubkey.o x_sig.o x_req.o x_attrib.o \
- x_name.o x_cinf.o x_x509.o x_crl.o x_info.o x_spki.o nsseq.o \
+ x_name.o x_cinf.o x_x509.o x_x509a.o x_crl.o x_info.o x_spki.o nsseq.o \
d2i_r_pr.o i2d_r_pr.o d2i_r_pu.o i2d_r_pu.o \
d2i_s_pr.o i2d_s_pr.o d2i_s_pu.o i2d_s_pu.o \
d2i_pu.o d2i_pr.o i2d_pu.o i2d_pr.o \
- t_req.o t_x509.o t_crl.o t_pkey.o t_spki.o \
+ t_req.o t_x509.o t_x509a.o t_crl.o t_pkey.o t_spki.o t_bitst.o \
p7_i_s.o p7_signi.o p7_signd.o p7_recip.o p7_enc_c.o p7_evp.o \
p7_dgst.o p7_s_e.o p7_enc.o p7_lib.o \
f_int.o f_string.o i2d_dhp.o i2d_dsap.o d2i_dhp.o d2i_dsap.o n_pkey.o \
@@ -804,6 +804,24 @@ p8_pkey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
p8_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
p8_pkey.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
p8_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+t_bitst.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+t_bitst.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+t_bitst.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+t_bitst.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+t_bitst.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+t_bitst.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+t_bitst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+t_bitst.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+t_bitst.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+t_bitst.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+t_bitst.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+t_bitst.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+t_bitst.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+t_bitst.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+t_bitst.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+t_bitst.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+t_bitst.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+t_bitst.o: ../../include/openssl/x509v3.h ../cryptlib.h
t_crl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
t_crl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
t_crl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -882,6 +900,23 @@ t_x509.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
t_x509.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
t_x509.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
t_x509.o: ../../include/openssl/x509v3.h ../cryptlib.h
+t_x509a.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+t_x509a.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+t_x509a.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+t_x509a.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+t_x509a.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+t_x509a.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+t_x509a.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+t_x509a.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+t_x509a.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+t_x509a.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+t_x509a.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+t_x509a.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+t_x509a.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+t_x509a.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+t_x509a.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+t_x509a.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+t_x509a.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
x_algor.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
x_algor.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
x_algor.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
@@ -1122,3 +1157,20 @@ x_x509.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
x_x509.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
x_x509.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
x_x509.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_x509a.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_x509a.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_x509a.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_x509a.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_x509a.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_x509a.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_x509a.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_x509a.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_x509a.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_x509a.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_x509a.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_x509a.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_x509a.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_x509a.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_x509a.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_x509a.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x_x509a.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
diff --git a/crypto/asn1/a_mbstr.c b/crypto/asn1/a_mbstr.c
index 9e7c7c39e5..bc9cb14248 100644
--- a/crypto/asn1/a_mbstr.c
+++ b/crypto/asn1/a_mbstr.c
@@ -144,7 +144,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
ASN1_STRING *dest;
unsigned char *p;
int nchar;
- unsigned char strbuf[32];
+ char strbuf[32];
int (*cpyfunc)(unsigned long,void *) = NULL;
if(len == -1) len = strlen((const char *)in);
if(!mask) mask = dirstring_mask;
diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h
index 8c42101d55..7fb9d23821 100644
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@@ -311,6 +311,14 @@ typedef struct asn1_header_st
ASN1_METHOD *meth;
} ASN1_HEADER;
+/* This is used to contain a list of bit names */
+typedef struct BIT_STRING_BITNAME_st {
+ int bitnum;
+ const char *lname;
+ const char *sname;
+} BIT_STRING_BITNAME;
+
+
#define M_ASN1_STRING_length(x) ((x)->length)
#define M_ASN1_STRING_length_set(x, n) ((x)->length = (n))
#define M_ASN1_STRING_type(x) ((x)->type)
@@ -531,6 +539,13 @@ int ASN1_BIT_STRING_set(ASN1_BIT_STRING *a, unsigned char *d,
int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value);
int ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING *a, int n);
+#ifdef HEADER_BIO_H
+int ASN1_BIT_STRING_name_print(BIO *out, ASN1_BIT_STRING *bs,
+ BIT_STRING_BITNAME *tbl, int indent);
+#endif
+int ASN1_BIT_STRING_num_asc(char *name, BIT_STRING_BITNAME *tbl);
+int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value,
+ BIT_STRING_BITNAME *tbl);
int i2d_ASN1_BOOLEAN(int a,unsigned char **pp);
int d2i_ASN1_BOOLEAN(int *a,unsigned char **pp,long length);
@@ -870,6 +885,7 @@ void ASN1_STRING_TABLE_cleanup(void);
#define ASN1_F_D2I_X509 159
#define ASN1_F_D2I_X509_ALGOR 160
#define ASN1_F_D2I_X509_ATTRIBUTE 161
+#define ASN1_F_D2I_X509_CERT_AUX 285
#define ASN1_F_D2I_X509_CINF 162
#define ASN1_F_D2I_X509_CRL 163
#define ASN1_F_D2I_X509_CRL_INFO 164
@@ -933,6 +949,7 @@ void ASN1_STRING_TABLE_cleanup(void);
#define ASN1_F_USERNOTICE_NEW 275
#define ASN1_F_X509_ALGOR_NEW 202
#define ASN1_F_X509_ATTRIBUTE_NEW 203
+#define ASN1_F_X509_CERT_AUX_NEW 286
#define ASN1_F_X509_CINF_NEW 204
#define ASN1_F_X509_CRL_INFO_NEW 205
#define ASN1_F_X509_CRL_NEW 206
diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c
index 3b1fb7b25b..a577dafb89 100644
--- a/crypto/asn1/asn1_err.c
+++ b/crypto/asn1/asn1_err.c
@@ -169,6 +169,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
{ERR_PACK(0,ASN1_F_D2I_X509,0), "d2i_X509"},
{ERR_PACK(0,ASN1_F_D2I_X509_ALGOR,0), "d2i_X509_ALGOR"},
{ERR_PACK(0,ASN1_F_D2I_X509_ATTRIBUTE,0), "d2i_X509_ATTRIBUTE"},
+{ERR_PACK(0,ASN1_F_D2I_X509_CERT_AUX,0), "d2i_X509_CERT_AUX"},
{ERR_PACK(0,ASN1_F_D2I_X509_CINF,0), "d2i_X509_CINF"},
{ERR_PACK(0,ASN1_F_D2I_X509_CRL,0), "d2i_X509_CRL"},
{ERR_PACK(0,ASN1_F_D2I_X509_CRL_INFO,0), "d2i_X509_CRL_INFO"},
@@ -232,6 +233,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
{ERR_PACK(0,ASN1_F_USERNOTICE_NEW,0), "USERNOTICE_new"},
{ERR_PACK(0,ASN1_F_X509_ALGOR_NEW,0), "X509_ALGOR_new"},
{ERR_PACK(0,ASN1_F_X509_ATTRIBUTE_NEW,0), "X509_ATTRIBUTE_new"},
+{ERR_PACK(0,ASN1_F_X509_CERT_AUX_NEW,0), "X509_CERT_AUX_new"},
{ERR_PACK(0,ASN1_F_X509_CINF_NEW,0), "X509_CINF_new"},
{ERR_PACK(0,ASN1_F_X509_CRL_INFO_NEW,0), "X509_CRL_INFO_new"},
{ERR_PACK(0,ASN1_F_X509_CRL_NEW,0), "X509_CRL_new"},
diff --git a/crypto/asn1/asn1_mac.h b/crypto/asn1/asn1_mac.h
index 93f9c5193c..a9026d7cd4 100644
--- a/crypto/asn1/asn1_mac.h
+++ b/crypto/asn1/asn1_mac.h
@@ -106,6 +106,20 @@ err:\
#define M_ASN1_D2I_start_sequence() \
if (!asn1_GetSequence(&c,&length)) \
{ c.line=__LINE__; goto err; }
+/* Begin reading ASN1 without a surrounding sequence */
+#define M_ASN1_D2I_begin() \
+ c.slen = length;
+
+/* End reading ASN1 with no check on length */
+#define M_ASN1_D2I_Finish_nolen() \
+ *pp=c.p; \
+ if (a != NULL) (*a)=ret; \
+ return(ret); \
+err:\
+ ASN1_MAC_H_err((e),c.error,c.line); \
+ asn1_add_error(*pp,(int)(c.q- *pp)); \
+ if ((ret != NULL) && ((a == NULL) || (*a != ret))) func(ret); \
+ return(NULL)
#define M_ASN1_D2I_end_sequence() \
(((c.inf&1) == 0)?(c.slen <= 0): \
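Review bot: `M_ASN1_D2I_Finish_nolen()` returns success without the length check the regular finish macro performs, so trailing bytes after the decoded structure are never reported and every user of this macro must verify itself that `*pp` advanced over exactly the expected input. That contract should be stated above the macro instead of just "no check on length", e.g. `/* No trailing-data check: the caller is responsible for verifying that all input was consumed */`. `M_ASN1_D2I_begin()` only assigns `c.slen`, so it appears to rely on `M_ASN1_D2I_Init()` having set up `c.p` and `c.q` first; if so, say that in its comment (and drop the stray trailing semicolon in the macro body). The definition of `M_ASN1_D2I_end_sequence()` continues past the end of this hunk.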
diff --git a/crypto/asn1/t_bitst.c b/crypto/asn1/t_bitst.c
new file mode 100644
index 0000000000..8ee789f082
--- /dev/null
+++ b/crypto/asn1/t_bitst.c
@@ -0,0 +1,99 @@
+/* t_bitst.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+int ASN1_BIT_STRING_name_print(BIO *out, ASN1_BIT_STRING *bs,
+ BIT_STRING_BITNAME *tbl, int indent)
+{
+ BIT_STRING_BITNAME *bnam;
+ char first = 1;
+ BIO_printf(out, "%*s", indent, "");
+ for(bnam = tbl; bnam->lname; bnam++) {
+ if(ASN1_BIT_STRING_get_bit(bs, bnam->bitnum)) {
+ if(!first) BIO_puts(out, ", ");
+ BIO_puts(out, bnam->lname);
+ first = 0;
+ }
+ }
+ BIO_puts(out, "\n");
+ return 1;
+}
+
+int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value,
+ BIT_STRING_BITNAME *tbl)
+{
+ int bitnum;
+ bitnum = ASN1_BIT_STRING_num_asc(name, tbl);
+ if(bitnum < 0) return 0;
+ if(bs) ASN1_BIT_STRING_set_bit(bs, bitnum, value);
+ return 1;
+}
+
+int ASN1_BIT_STRING_num_asc(char *name, BIT_STRING_BITNAME *tbl)
+{
+ BIT_STRING_BITNAME *bnam;
+ for(bnam = tbl; bnam->lname; bnam++) {
+ if(!strcmp(bnam->sname, name) ||
+ !strcmp(bnam->lname, name) ) return bnam->bitnum;
+ }
+ return -1;
+}
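Review bot: `ASN1_BIT_STRING_set_asc()` ignores the return value of `ASN1_BIT_STRING_set_bit()` and reports success regardless, so a failure to set the bit (presumably an allocation failure when the bit string must grow) is invisible to callers that depend on the bit being present or, for "notrust" tables, being cleared. Change the tail to `if(bs) return ASN1_BIT_STRING_set_bit(bs, bitnum, value); return 1;`. The `name` parameters of `ASN1_BIT_STRING_set_asc()` and `ASN1_BIT_STRING_num_asc()` are only read, so they should be `const char *`, and `strcmp()` needs `<string.h>` unless `cryptlib.h` already provides it; `ASN1_BIT_STRING_name_print()` likewise never checks its `BIO_printf`/`BIO_puts` results before returning 1.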
diff --git a/crypto/asn1/t_x509.c b/crypto/asn1/t_x509.c
index 0e2727e470..bf6a797d68 100644
--- a/crypto/asn1/t_x509.c
+++ b/crypto/asn1/t_x509.c
@@ -219,6 +219,7 @@ int X509_print(BIO *bp, X509 *x)
((i+1) == n)?"":":") <= 0) goto err;
}
if (BIO_write(bp,"\n",1) != 1) goto err;
+ if (!X509_CERT_AUX_print(bp, x->aux, 0)) goto err;
ret=1;
err:
if (str != NULL) ASN1_STRING_free(str);
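Review bot: `X509_print()` now appends the auxiliary trust settings directly after the signature, so the text output mixes issuer-signed certificate content with locally assigned, unsigned data without any marker that the latter is not covered by the signature. A short heading emitted before the aux block (for example `Local trust settings (not part of the signed certificate):`) in `X509_CERT_AUX_print()` or here would keep readers from mistaking the settings for certificate extensions. `X509_CERT_AUX_print()` always returns 1 in this commit, so the `goto err` on the added line is currently unreachable; keep it anyway, since the printer may grow error paths later. `X509_print()` begins before this hunk.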
diff --git a/crypto/asn1/t_x509a.c b/crypto/asn1/t_x509a.c
new file mode 100644
index 0000000000..26d03f5f9b
--- /dev/null
+++ b/crypto/asn1/t_x509a.c
@@ -0,0 +1,138 @@
+/* t_x509a.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+/* X509_CERT_AUX and string set routines
+ */
+
+static BIT_STRING_BITNAME tbits[] = {
+{X509_TRUST_ALL, "All Purposes", "all"},
+{X509_TRUST_SSL_CLIENT, "SSL client", "sslclient"},
+{X509_TRUST_SSL_SERVER, "SSL server", "sslserver"},
+{X509_TRUST_EMAIL, "S/MIME email", "email"},
+{X509_TRUST_OBJECT_SIGN, "Object Signing", "objsign"},
+{-1, NULL, NULL}
+};
+
+int X509_trust_set_bit_asc(X509 *x, char *str, int value)
+{
+ int bitnum;
+ bitnum = ASN1_BIT_STRING_num_asc(str, tbits);
+ if(bitnum < 0) return 0;
+ if(x) return X509_trust_set_bit(x, bitnum, value);
+ return 1;
+}
+
+int X509_notrust_set_bit_asc(X509 *x, char *str, int value)
+{
+ int bitnum;
+ bitnum = ASN1_BIT_STRING_num_asc(str, tbits);
+ if(bitnum < 0) return 0;
+ if(x) return X509_notrust_set_bit(x, bitnum, value);
+ return 1;
+}
+
+
+int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent)
+{
+ char oidstr[80], first;
+ int i;
+ if(!aux) return 1;
+ if(aux->trust) {
+ BIO_printf(out, "%*sTrusted for:\n", indent, "");
+ ASN1_BIT_STRING_name_print(out, aux->trust, tbits, indent + 2);
+ } else BIO_printf(out, "%*sNo Trust Settings\n", indent + 2, "");
+ if(aux->notrust) {
+ BIO_printf(out, "%*sUntrusted for:\n", indent, "");
+ ASN1_BIT_STRING_name_print(out, aux->notrust, tbits, indent + 2);
+ } else BIO_printf(out, "%*sNo Untrusted Settings\n", indent + 2, "");
+ if(aux->othertrust) {
+ first = 1;
+ BIO_printf(out, "%*sOther Trusted Uses:\n%*s",
+ indent, "", indent + 2, "");
+ for(i = 0; i < sk_ASN1_OBJECT_num(aux->othertrust); i++) {
+ if(!first) BIO_puts(out, ", ");
+ else first = 0;
+ OBJ_obj2txt(oidstr, 80,
+ sk_ASN1_OBJECT_value(aux->othertrust, i), 0);
+ BIO_puts(out, oidstr);
+ }
+ BIO_puts(out, "\n");
+ }
+ if(aux->othernotrust) {
+ first = 1;
+ BIO_printf(out, "%*sOther Untrusted Uses:\n%*s",
+ indent, "", indent + 2, "");
+ for(i = 0; i < sk_ASN1_OBJECT_num(aux->othernotrust); i++) {
+ if(!first) BIO_puts(out, ", ");
+ else first = 0;
+ OBJ_obj2txt(oidstr, 80,
+ sk_ASN1_OBJECT_value(aux->othernotrust, i), 0);
+ BIO_puts(out, oidstr);
+ }
+ BIO_puts(out, "\n");
+ }
+ if(aux->alias) BIO_printf(out, "%*sAlias: %s\n", indent, "",
+ aux->alias->data);
+ return 1;
+}
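Review bot: `X509_CERT_AUX_print()` prints `aux->alias->data` with `%s` on its last lines, treating an ASN.1 string decoded from the certificate file as a NUL-terminated C string: an embedded NUL truncates the output and control or escape bytes are passed to the output BIO unfiltered. Print it by length with non-printable bytes masked instead, e.g. `BIO_printf(out, "%*sAlias: ", indent, ""); ASN1_STRING_print(out, aux->alias); BIO_puts(out, "\n");` (assuming the existing string printer masks non-printables as it does for names). The "No Trust Settings"/"No Untrusted Settings" lines are printed at `indent + 2` while the headings they replace use `indent`, which looks unintentional. The `X509_trust_set_bit_asc()`/`X509_notrust_set_bit_asc()` helpers take `char *str` but never modify it, so `const char *` would be the better signature.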
diff --git a/crypto/asn1/x_x509.c b/crypto/asn1/x_x509.c
index 3352c61c60..ee3213045e 100644
--- a/crypto/asn1/x_x509.c
+++ b/crypto/asn1/x_x509.c
@@ -118,6 +118,7 @@ X509 *X509_new(void)
ret->valid=0;
ret->ex_flags = 0;
ret->name=NULL;
+ ret->aux=NULL;
M_ASN1_New(ret->cert_info,X509_CINF_new);
M_ASN1_New(ret->sig_alg,X509_ALGOR_new);
M_ASN1_New(ret->signature,M_ASN1_BIT_STRING_new);
@@ -149,6 +150,7 @@ void X509_free(X509 *a)
X509_CINF_free(a->cert_info);
X509_ALGOR_free(a->sig_alg);
M_ASN1_BIT_STRING_free(a->signature);
+ X509_CERT_AUX_free(a->aux);
if (a->name != NULL) Free(a->name);
Free((char *)a);
@@ -172,3 +174,37 @@ char *X509_get_ex_data(X509 *r, int idx)
return(CRYPTO_get_ex_data(&r->ex_data,idx));
}
+/* X509_AUX ASN1 routines. X509_AUX is the name given to
+ * a certificate with extra info tagged on the end. Since these
+ * functions set how a certificate is trusted they should only
+ * be used when the certificate comes from a reliable source
+ * such as local storage.
+ *
+ */
+
+X509 *d2i_X509_AUX(X509 **a, unsigned char **pp, long length)
+{
+ unsigned char *q;
+ X509 *ret;
+ /* Save start position */
+ q = *pp;
+ ret = d2i_X509(a, pp, length);
+ /* If certificate unreadable then forget it */
+ if(!ret) return NULL;
+ /* update length */
+ length -= *pp - q;
+ if(!length) return ret;
+ if(!d2i_X509_CERT_AUX(&ret->aux, pp, length)) goto err;
+ return ret;
+ err:
+ X509_free(ret);
+ return NULL;
+}
+
+int i2d_X509_AUX(X509 *a, unsigned char **pp)
+{
+ int length;
+ length = i2d_X509(a, pp);
+ if(a) length += i2d_X509_CERT_AUX(a->aux, pp);
+ return length;
+}
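Review bot: The error path of `d2i_X509_AUX()` frees `ret` unconditionally, but when the caller passes a non-NULL `a`, `d2i_X509()` will normally have decoded into (or stored the new object in) `*a`, so after `X509_free(ret)` the caller holds a dangling `*a` and its own later `X509_free(*a)` becomes a double free. Record what the caller owned before the call, free only an object this function created, and clear `*a` in that case, as sketched below. `i2d_X509_AUX()` should also propagate an error return from `i2d_X509()` rather than add the aux length to it, if `i2d_X509()` can fail. The header comment that these readers must only be used on certificates from a reliable source is the right caveat and belongs in the public header too.
```c
X509 *d2i_X509_AUX(X509 **a, unsigned char **pp, long length)
{
	unsigned char *q = *pp;
	/* Object the caller owned before the call; never free that one here */
	X509 *orig = a ? *a : NULL;
	X509 *ret = d2i_X509(a, pp, length);
	if (!ret) return NULL;
	length -= *pp - q;
	if (!length) return ret;
	if (!d2i_X509_CERT_AUX(&ret->aux, pp, length)) {
		if (ret != orig) {
			X509_free(ret);
			if (a) *a = NULL;
		}
		return NULL;
	}
	return ret;
}
```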
diff --git a/crypto/asn1/x_x509a.c b/crypto/asn1/x_x509a.c
new file mode 100644
index 0000000000..4b1f448d84
--- /dev/null
+++ b/crypto/asn1/x_x509a.c
@@ -0,0 +1,218 @@
+/* a_x509a.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE O