summaryrefslogtreecommitdiffstats
path: root/crypto/x509
diff options
context:
space:
mode:
authorBen Laurie <ben@openssl.org>2006-11-27 14:18:05 +0000
committerBen Laurie <ben@openssl.org>2006-11-27 14:18:05 +0000
commit96ea4ae91c7fda9fd28a013182b0e8dc67b7ac7d (patch)
tree364aa21990f695348601d6f4a8774fe7d861e26e /crypto/x509
parent7af5726108188e4e4e4ca1a95cea43801ec19905 (diff)
Add RFC 3779 support.
Diffstat (limited to 'crypto/x509')
-rw-r--r--crypto/x509/x509.h4
-rw-r--r--crypto/x509/x509_txt.c2
-rw-r--r--crypto/x509/x509_vfy.c8
-rw-r--r--crypto/x509/x509_vfy.h1
4 files changed, 15 insertions, 0 deletions
diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h
index 40d94012f3..b70a008b85 100644
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@@ -291,6 +291,10 @@ struct x509_st
AUTHORITY_KEYID *akid;
X509_POLICY_CACHE *policy_cache;
STACK_OF(DIST_POINT) *crldp;
+#ifdef OPENSSL_RFC3779
+ STACK_OF(IPAddressFamily) *rfc3779_addr;
+ struct ASIdentifiers_st *rfc3779_asid;
+#endif
#ifndef OPENSSL_NO_SHA
unsigned char sha1_hash[SHA_DIGEST_LENGTH];
#endif
diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c
index 92f47a07b6..20b937d718 100644
--- a/crypto/x509/x509_txt.c
+++ b/crypto/x509/x509_txt.c
@@ -166,6 +166,8 @@ const char *X509_verify_cert_error_string(long n)
return("Different CRL scope");
case X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE:
return("Unsupported extension feature");
+ case X509_V_ERR_UNNESTED_RESOURCE:
+ return("RFC 3779 resource not subset of parent's resources");
default:
BIO_snprintf(buf,sizeof buf,"error number %ld",n);
return(buf);
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index d1aa3dafd6..d58f90010b 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -314,6 +314,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
ok=internal_verify(ctx);
if(!ok) goto end;
+#ifdef OPENSSL_RFC3779
+ /* RFC 3779 path validation, now that CRL check has been done */
+ ok = v3_asid_validate_path(ctx);
+ if (!ok) goto end;
+ ok = v3_addr_validate_path(ctx);
+ if (!ok) goto end;
+#endif
+
/* If we get this far evaluate policies */
if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
ok = ctx->check_policy(ctx);
diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h
index bfca7c7453..955af8341a 100644
--- a/crypto/x509/x509_vfy.h
+++ b/crypto/x509/x509_vfy.h
@@ -339,6 +339,7 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
#define X509_V_ERR_DIFFERENT_CRL_SCOPE 44
#define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45
+#define X509_V_ERR_UNNESTED_RESOURCE 46
/* The application is not happy */
#define X509_V_ERR_APPLICATION_VERIFICATION 50
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-01 10:19:18 +0000