diff options
| author | Richard Levitte <levitte@openssl.org> | 2004-12-28 00:21:35 +0000 |
|---|---|---|
| committer | Richard Levitte <levitte@openssl.org> | 2004-12-28 00:21:35 +0000 |
| commit | 6951c23afd4e7951451a4d90023111a06e86589f (patch) | |
| tree | 0eca84b83a120737ac41da268b6baba4484ded68 /crypto/x509 | |
| parent | de421076a5e0cbf31268c8769f5ac0889bef79ba (diff) | |
Add functionality needed to process proxy certificates.
Diffstat (limited to 'crypto/x509')
| -rw-r--r-- | crypto/x509/x509.h | 1 | ||||
| -rw-r--r-- | crypto/x509/x509_txt.c | 12 | ||||
| -rw-r--r-- | crypto/x509/x509_vfy.c | 25 | ||||
| -rw-r--r-- | crypto/x509/x509_vfy.h | 8 |
4 files changed, 32 insertions, 14 deletions
diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h index 016164cb68..46673fddd1 100644 --- a/crypto/x509/x509.h +++ b/crypto/x509/x509.h @@ -280,6 +280,7 @@ struct x509_st CRYPTO_EX_DATA ex_data; /* These contain copies of various extension values */ long ex_pathlen; + long ex_pcpathlen; unsigned long ex_flags; unsigned long ex_kusage; unsigned long ex_xkusage; diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c index 57ff33dc19..247e7e178a 100644 --- a/crypto/x509/x509_txt.c +++ b/crypto/x509/x509_txt.c @@ -126,6 +126,8 @@ const char *X509_verify_cert_error_string(long n) return ("invalid non-CA certificate (has CA markings)"); case X509_V_ERR_PATH_LENGTH_EXCEEDED: return ("path length constraint exceeded"); + case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: + return("proxy path length constraint exceeded"); case X509_V_ERR_INVALID_PURPOSE: return ("unsupported certificate purpose"); case X509_V_ERR_CERT_UNTRUSTED: @@ -142,28 +144,22 @@ const char *X509_verify_cert_error_string(long n) return("authority and issuer serial number mismatch"); case X509_V_ERR_KEYUSAGE_NO_CERTSIGN: return("key usage does not include certificate signing"); - case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: return("unable to get CRL issuer certificate"); - case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: return("unhandled critical extension"); - case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: return("key usage does not include CRL signing"); - + case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: + return("key usage does not include digital signature"); case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: return("unhandled critical CRL extension"); - case X509_V_ERR_INVALID_EXTENSION: return("invalid or inconsistent certificate extension"); - case X509_V_ERR_INVALID_POLICY_EXTENSION: return("invalid or inconsistent certificate policy extension"); - case X509_V_ERR_NO_EXPLICIT_POLICY: return("no explicit policy"); - default: BIO_snprintf(buf,sizeof buf,"error number %ld",n); return(buf); diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index c6c83ad72f..cbdd978a7d 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -389,6 +389,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) int i, ok=0, must_be_ca; X509 *x; int (*cb)(); + int proxy_path_length = 0; cb=ctx->verify_cb; /* must_be_ca can have 1 of 3 values: @@ -472,7 +473,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) } /* Check pathlen */ if ((i > 1) && (x->ex_pathlen != -1) - && (i > (x->ex_pathlen + 1))) + && (i > (x->ex_pathlen + proxy_path_length + 1))) { ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; ctx->error_depth = i; @@ -480,8 +481,26 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) ok=cb(0,ctx); if (!ok) goto end; } - /* The next certificate must be a CA */ - must_be_ca = 1; + /* If this certificate is a proxy certificate, the next + certificate must be another proxy certificate or a EE + certificate. If not, the next certificate must be a + CA certificate. */ + if (x->ex_flags & EXFLAG_PROXY) + { + if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) + { + ctx->error = + X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; + ctx->error_depth = i; + ctx->current_cert = x; + ok=cb(0,ctx); + if (!ok) goto end; + } + proxy_path_length++; + must_be_ca = 0; + } + else + must_be_ca = 1; } ok = 1; end: diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h index 5f49c2a8b7..33ace72671 100644 --- a/crypto/x509/x509_vfy.h +++ b/crypto/x509/x509_vfy.h @@ -323,10 +323,12 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); #define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35 #define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36 #define X509_V_ERR_INVALID_NON_CA 37 +#define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38 +#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39 -#define X509_V_ERR_INVALID_EXTENSION 38 -#define X509_V_ERR_INVALID_POLICY_EXTENSION 39 -#define X509_V_ERR_NO_EXPLICIT_POLICY 40 +#define X509_V_ERR_INVALID_EXTENSION 40 +#define X509_V_ERR_INVALID_POLICY_EXTENSION 41 +#define X509_V_ERR_NO_EXPLICIT_POLICY 42 /* The application is not happy */ |