diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2001-01-17 01:31:34 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2001-01-17 01:31:34 +0000 |
commit | 81f169e95c86fe9b2c3a7ba51a85f7a00763a0e7 (patch) | |
tree | 9c61e9161ee5332e99d091153a4cd242160b9180 /crypto/x509v3 | |
parent | a068630a2038ff167d29cdaed828161719355531 (diff) |
Initial OCSP certificate verify. Not complete,
it just supports a "trusted OCSP global root CA".
Diffstat (limited to 'crypto/x509v3')
-rw-r--r-- | crypto/x509v3/v3_purp.c | 34 | ||||
-rw-r--r-- | crypto/x509v3/x509v3.h | 6 |
2 files changed, 37 insertions, 3 deletions
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index 717e23d5c6..9d67bd92d5 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c @@ -61,7 +61,6 @@ #include <openssl/x509v3.h> #include <openssl/x509_vfy.h> - static void x509v3_cache_extensions(X509 *x); static int ca_check(const X509 *x); @@ -74,6 +73,7 @@ static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int c static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca); static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca); static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca); +static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca); static int xp_cmp(const X509_PURPOSE * const *a, const X509_PURPOSE * const *b); @@ -87,6 +87,7 @@ static X509_PURPOSE xstandard[] = { {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL}, {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL}, {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL}, + {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL}, }; #define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE)) @@ -144,7 +145,6 @@ int X509_PURPOSE_get_by_sname(char *sname) return -1; } - int X509_PURPOSE_get_by_id(int purpose) { X509_PURPOSE tmp; @@ -320,6 +320,15 @@ static void x509v3_cache_extensions(X509 *x) case NID_ms_sgc: case NID_ns_sgc: x->ex_xkusage |= XKU_SGC; + break; + + case NID_OCSP_sign: + x->ex_xkusage |= XKU_OCSP_SIGN; + break; + + case NID_time_stamp: + x->ex_xkusage |= XKU_TIMESTAMP; + break; } } sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free); @@ -470,6 +479,27 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca) return 1; } +/* OCSP helper: this is *not* a full OCSP check. It just checks that + * each CA is valid. Additional checks must be made on the chain. + */ + +static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca) +{ + /* Must be a valid CA */ + if(ca) { + int ca_ret; + ca_ret = ca_check(x); + if(ca_ret != 2) return ca_ret; + if(x->ex_flags & EXFLAG_NSCERT) { + if(x->ex_nscert & NS_ANY_CA) return ca_ret; + return 0; + } + return 0; + } + /* leaf certificate is checked in OCSP_verify() */ + return 1; +} + static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca) { return 1; diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h index 8bf67bcbe0..29421b754d 100644 --- a/crypto/x509v3/x509v3.h +++ b/crypto/x509v3/x509v3.h @@ -342,12 +342,15 @@ DECLARE_ASN1_SET_OF(POLICYINFO) #define NS_SSL_CA 0x04 #define NS_SMIME_CA 0x02 #define NS_OBJSIGN_CA 0x01 +#define NS_ANY_CA (NS_SSL_CA|NS_SMIME_CA|NS_OBJSIGN_CA) #define XKU_SSL_SERVER 0x1 #define XKU_SSL_CLIENT 0x2 #define XKU_SMIME 0x4 #define XKU_CODE_SIGN 0x8 #define XKU_SGC 0x10 +#define XKU_OCSP_SIGN 0x20 +#define XKU_TIMESTAMP 0x40 #define X509_PURPOSE_DYNAMIC 0x1 #define X509_PURPOSE_DYNAMIC_NAME 0x2 @@ -370,9 +373,10 @@ typedef struct x509_purpose_st { #define X509_PURPOSE_SMIME_ENCRYPT 5 #define X509_PURPOSE_CRL_SIGN 6 #define X509_PURPOSE_ANY 7 +#define X509_PURPOSE_OCSP_HELPER 8 #define X509_PURPOSE_MIN 1 -#define X509_PURPOSE_MAX 7 +#define X509_PURPOSE_MAX 8 /* Flags for X509V3_EXT_print() */ |