diff options
author | Ben Laurie <ben@openssl.org> | 2006-11-27 14:18:05 +0000 |
---|---|---|
committer | Ben Laurie <ben@openssl.org> | 2006-11-27 14:18:05 +0000 |
commit | 96ea4ae91c7fda9fd28a013182b0e8dc67b7ac7d (patch) | |
tree | 364aa21990f695348601d6f4a8774fe7d861e26e /crypto/x509 | |
parent | 7af5726108188e4e4e4ca1a95cea43801ec19905 (diff) |
Add RFC 3779 support.
Diffstat (limited to 'crypto/x509')
-rw-r--r-- | crypto/x509/x509.h | 4 | ||||
-rw-r--r-- | crypto/x509/x509_txt.c | 2 | ||||
-rw-r--r-- | crypto/x509/x509_vfy.c | 8 | ||||
-rw-r--r-- | crypto/x509/x509_vfy.h | 1 |
4 files changed, 15 insertions, 0 deletions
diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h index 40d94012f3..b70a008b85 100644 --- a/crypto/x509/x509.h +++ b/crypto/x509/x509.h @@ -291,6 +291,10 @@ struct x509_st AUTHORITY_KEYID *akid; X509_POLICY_CACHE *policy_cache; STACK_OF(DIST_POINT) *crldp; +#ifdef OPENSSL_RFC3779 + STACK_OF(IPAddressFamily) *rfc3779_addr; + struct ASIdentifiers_st *rfc3779_asid; +#endif #ifndef OPENSSL_NO_SHA unsigned char sha1_hash[SHA_DIGEST_LENGTH]; #endif diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c index 92f47a07b6..20b937d718 100644 --- a/crypto/x509/x509_txt.c +++ b/crypto/x509/x509_txt.c @@ -166,6 +166,8 @@ const char *X509_verify_cert_error_string(long n) return("Different CRL scope"); case X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: return("Unsupported extension feature"); + case X509_V_ERR_UNNESTED_RESOURCE: + return("RFC 3779 resource not subset of parent's resources"); default: BIO_snprintf(buf,sizeof buf,"error number %ld",n); return(buf); diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index d1aa3dafd6..d58f90010b 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -314,6 +314,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx) ok=internal_verify(ctx); if(!ok) goto end; +#ifdef OPENSSL_RFC3779 + /* RFC 3779 path validation, now that CRL check has been done */ + ok = v3_asid_validate_path(ctx); + if (!ok) goto end; + ok = v3_addr_validate_path(ctx); + if (!ok) goto end; +#endif + /* If we get this far evaluate policies */ if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) ok = ctx->check_policy(ctx); diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h index bfca7c7453..955af8341a 100644 --- a/crypto/x509/x509_vfy.h +++ b/crypto/x509/x509_vfy.h @@ -339,6 +339,7 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); #define X509_V_ERR_DIFFERENT_CRL_SCOPE 44 #define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45 +#define X509_V_ERR_UNNESTED_RESOURCE 46 /* The application is not happy */ #define X509_V_ERR_APPLICATION_VERIFICATION 50 |