summaryrefslogtreecommitdiffstats
path: root/crypto
diff options
context:
space:
mode:
authorDr. Stephen Henson <steve@openssl.org>1999-08-09 22:38:05 +0000
committerDr. Stephen Henson <steve@openssl.org>1999-08-09 22:38:05 +0000
commit87c49f622e7fe9d93b3ab87b1edd5faa32fa6e74 (patch)
treee2408f817ecc675e1f44400bc0f165557b00e17b /crypto
parent29159a42d2708cb962b3fa6358f3a02ec5cf46b2 (diff)
Support for parsing of certificate extensions in PKCS#10 requests: these are
used by things like Xenroll. Also include documentation for extendedKeyUsage extension.
Diffstat (limited to 'crypto')
-rw-r--r--crypto/asn1/t_req.c27
-rw-r--r--crypto/asn1/t_x509.c4
-rw-r--r--crypto/objects/objects.h12
-rw-r--r--crypto/x509/x509.h4
-rw-r--r--crypto/x509/x509_req.c56
5 files changed, 99 insertions, 4 deletions
diff --git a/crypto/asn1/t_req.c b/crypto/asn1/t_req.c
index bdd749436a..6049909a02 100644
--- a/crypto/asn1/t_req.c
+++ b/crypto/asn1/t_req.c
@@ -62,6 +62,7 @@
#include <openssl/bn.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
+#include <openssl/x509v3.h>
#ifndef NO_FP_API
int X509_REQ_print_fp(FILE *fp, X509_REQ *x)
@@ -90,6 +91,7 @@ int X509_REQ_print(BIO *bp, X509_REQ *x)
X509_REQ_INFO *ri;
EVP_PKEY *pkey;
STACK_OF(X509_ATTRIBUTE) *sk;
+ STACK_OF(X509_EXTENSION) *exts;
char str[128];
ri=x->req_info;
@@ -161,6 +163,8 @@ int X509_REQ_print(BIO *bp, X509_REQ *x)
int j,type=0,count=1,ii=0;
a=sk_X509_ATTRIBUTE_value(sk,i);
+ if(X509_REQ_extension_nid(OBJ_obj2nid(a->object)))
+ continue;
sprintf(str,"%12s","");
if (BIO_puts(bp,str) <= 0) goto err;
if ((j=i2a_ASN1_OBJECT(bp,a->object)) > 0)
@@ -201,6 +205,29 @@ get_next:
}
}
+ exts = X509_REQ_get_extensions(x);
+ if(exts) {
+ BIO_printf(bp,"%8sRequested Extensions:\n","");
+ for (i=0; i<sk_X509_EXTENSION_num(exts); i++) {
+ ASN1_OBJECT *obj;
+ X509_EXTENSION *ex;
+ int j;
+ ex=sk_X509_EXTENSION_value(exts, i);
+ if (BIO_printf(bp,"%12s","") <= 0) goto err;
+ obj=X509_EXTENSION_get_object(ex);
+ i2a_ASN1_OBJECT(bp,obj);
+ j=X509_EXTENSION_get_critical(ex);
+ if (BIO_printf(bp,": %s\n",j?"critical":"","") <= 0)
+ goto err;
+ if(!X509V3_EXT_print(bp, ex, 0, 16)) {
+ BIO_printf(bp, "%16s", "");
+ ASN1_OCTET_STRING_print(bp,ex->value);
+ }
+ if (BIO_write(bp,"\n",1) <= 0) goto err;
+ }
+ sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
+ }
+
i=OBJ_obj2nid(x->sig_alg->algorithm);
sprintf(str,"%4sSignature Algorithm: %s","",
(i == NID_undef)?"UNKNOWN":OBJ_nid2ln(i));
diff --git a/crypto/asn1/t_x509.c b/crypto/asn1/t_x509.c
index 42f4d498cf..80cf37bf04 100644
--- a/crypto/asn1/t_x509.c
+++ b/crypto/asn1/t_x509.c
@@ -188,11 +188,7 @@ int X509_print(BIO *bp, X509 *x)
BIO_printf(bp,"%8sX509v3 extensions:\n","");
for (i=0; i<n; i++)
{
-#if 0
- int data_type,pack_type;
-#endif
ASN1_OBJECT *obj;
-
ex=X509_get_ext(x,i);
if (BIO_printf(bp,"%12s","") <= 0) goto err;
obj=X509_EXTENSION_get_object(ex);
diff --git a/crypto/objects/objects.h b/crypto/objects/objects.h
index d03748e022..f7cfe1c92c 100644
--- a/crypto/objects/objects.h
+++ b/crypto/objects/objects.h
@@ -890,6 +890,18 @@ extern "C" {
#define NID_pbeWithSHA1AndDES_CBC 170
#define OBJ_pbeWithSHA1AndDES_CBC OBJ_pkcs,5L,10L
+/* Extension request OIDs */
+
+#define LN_ms_ext_req "Microsoft Extension Request"
+#define SN_ms_ext_req "msExtReq"
+#define NID_ms_ext_req 171
+#define OBJ_ms_ext_req 1L,3L,6L,1L,4L,1L,311L,2L,1L,14L
+
+#define LN_ext_req "Extension Request"
+#define SN_ext_req "extReq"
+#define NID_ext_req 172
+#define OBJ_ext_req OBJ_pkcs9,14L
+
#include <openssl/bio.h>
#include <openssl/asn1.h>
diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h
index 35f9484f8b..80ca680594 100644
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@@ -787,6 +787,10 @@ int X509_REQ_set_version(X509_REQ *x,long version);
int X509_REQ_set_subject_name(X509_REQ *req,X509_NAME *name);
int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey);
EVP_PKEY * X509_REQ_get_pubkey(X509_REQ *req);
+int X509_REQ_extension_nid(int nid);
+int * X509_REQ_get_extesion_nids(void);
+void X509_REQ_set_extension_nids(int *nids);
+STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req);
int X509_check_private_key(X509 *x509,EVP_PKEY *pkey);
diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c
index 2ef94decd1..6544f03f2c 100644
--- a/crypto/x509/x509_req.c
+++ b/crypto/x509/x509_req.c
@@ -113,3 +113,59 @@ EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req)
return(X509_PUBKEY_get(req->req_info->pubkey));
}
+/* It seems several organisations had the same idea of including a list of
+ * extensions in a certificate request. There are at least two OIDs that are
+ * used and there may be more: so the list is configurable.
+ */
+
+static int ext_nid_list[] = { NID_ms_ext_req, NID_ext_req, NID_undef};
+
+static int *ext_nids = ext_nid_list;
+
+int X509_REQ_extension_nid(int req_nid)
+{
+ int i, nid;
+ for(i = 0; ; i++) {
+ nid = ext_nids[i];
+ if(nid == NID_undef) return 0;
+ else if (req_nid == nid) return 1;
+ }
+}
+
+int *X509_REQ_get_extesion_nids(void)
+{
+ return ext_nids;
+}
+
+void X509_REQ_set_extension_nids(int *nids)
+{
+ ext_nids = nids;
+}
+
+STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
+{
+ X509_ATTRIBUTE *attr;
+ STACK_OF(X509_ATTRIBUTE) *sk;
+ ASN1_TYPE *ext = NULL;
+ int i;
+ unsigned char *p;
+ if ((req == NULL) || (req->req_info == NULL))
+ return(NULL);
+ sk=req->req_info->attributes;
+ if (!sk) return NULL;
+ for(i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) {
+ attr = sk_X509_ATTRIBUTE_value(sk, i);
+ if(X509_REQ_extension_nid(OBJ_obj2nid(attr->object))) {
+ if(attr->set && sk_ASN1_TYPE_num(attr->value.set))
+ ext = sk_ASN1_TYPE_value(attr->value.set, 0);
+ else ext = attr->value.single;
+ break;
+ }
+ }
+ if(!ext || (ext->type != V_ASN1_SEQUENCE)) return NULL;
+ p = ext->value.sequence->data;
+ return d2i_ASN1_SET_OF_X509_EXTENSION(NULL, &p,
+ ext->value.sequence->length,
+ d2i_X509_EXTENSION, X509_EXTENSION_free,
+ V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
+}
generated by cgit v1.2.3 (git 2.25.1) at 2024-09-09 01:58:18 +0000