Oops! Remeber to include the other patches this time...
This commit is contained in:
parent
3d8accc3ae
commit
0be9747b39
10 changed files with 149 additions and 3 deletions
|
@ -127,7 +127,11 @@ basicConstraints=CA:FALSE
|
|||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
nsComment = "OpenSSL Generated Certificate"
|
||||
|
||||
# PKIX recommendations
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
|
||||
|
||||
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
||||
#nsBaseUrl
|
||||
|
@ -147,6 +151,8 @@ basicConstraints = CA:true
|
|||
|
||||
subjectKeyIdentifier=hash
|
||||
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
# This is what PKIX recommends but some broken software chokes on critical
|
||||
# extensions.
|
||||
#basicConstraints = critical,CA:true
|
||||
|
|
|
@ -70,6 +70,7 @@
|
|||
#define ASN1_F_D2I_PKCS7_SIGNED 152
|
||||
#define ASN1_F_D2I_PKCS7_SIGNER_INFO 153
|
||||
#define ASN1_F_D2I_PKCS7_SIGN_ENVELOPE 154
|
||||
#define ASN1_F_D2I_PKEY_USAGE_PERIOD 239
|
||||
#define ASN1_F_D2I_PRIVATEKEY 155
|
||||
#define ASN1_F_D2I_PUBLICKEY 156
|
||||
#define ASN1_F_D2I_RSAPRIVATEKEY 157
|
||||
|
@ -120,6 +121,7 @@
|
|||
#define ASN1_F_PKCS7_SIGNED_NEW 199
|
||||
#define ASN1_F_PKCS7_SIGNER_INFO_NEW 200
|
||||
#define ASN1_F_PKCS7_SIGN_ENVELOPE_NEW 201
|
||||
#define ASN1_F_PKEY_USAGE_PERIOD_NEW 240
|
||||
#define ASN1_F_X509_ALGOR_NEW 202
|
||||
#define ASN1_F_X509_ATTRIBUTE_NEW 203
|
||||
#define ASN1_F_X509_CINF_NEW 204
|
||||
|
|
|
@ -760,6 +760,7 @@ ASN1_BMPSTRING *d2i_ASN1_BMPSTRING();
|
|||
#define ASN1_F_D2I_PKCS7_SIGNED 152
|
||||
#define ASN1_F_D2I_PKCS7_SIGNER_INFO 153
|
||||
#define ASN1_F_D2I_PKCS7_SIGN_ENVELOPE 154
|
||||
#define ASN1_F_D2I_PKEY_USAGE_PERIOD 239
|
||||
#define ASN1_F_D2I_PRIVATEKEY 155
|
||||
#define ASN1_F_D2I_PUBLICKEY 156
|
||||
#define ASN1_F_D2I_RSAPRIVATEKEY 157
|
||||
|
@ -810,6 +811,7 @@ ASN1_BMPSTRING *d2i_ASN1_BMPSTRING();
|
|||
#define ASN1_F_PKCS7_SIGNED_NEW 199
|
||||
#define ASN1_F_PKCS7_SIGNER_INFO_NEW 200
|
||||
#define ASN1_F_PKCS7_SIGN_ENVELOPE_NEW 201
|
||||
#define ASN1_F_PKEY_USAGE_PERIOD_NEW 240
|
||||
#define ASN1_F_X509_ALGOR_NEW 202
|
||||
#define ASN1_F_X509_ATTRIBUTE_NEW 203
|
||||
#define ASN1_F_X509_CINF_NEW 204
|
||||
|
|
|
@ -132,6 +132,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
|
|||
{ERR_PACK(0,ASN1_F_D2I_PKCS7_SIGNED,0), "D2I_PKCS7_SIGNED"},
|
||||
{ERR_PACK(0,ASN1_F_D2I_PKCS7_SIGNER_INFO,0), "D2I_PKCS7_SIGNER_INFO"},
|
||||
{ERR_PACK(0,ASN1_F_D2I_PKCS7_SIGN_ENVELOPE,0), "D2I_PKCS7_SIGN_ENVELOPE"},
|
||||
{ERR_PACK(0,ASN1_F_D2I_PKEY_USAGE_PERIOD,0), "D2I_PKEY_USAGE_PERIOD"},
|
||||
{ERR_PACK(0,ASN1_F_D2I_PRIVATEKEY,0), "D2I_PRIVATEKEY"},
|
||||
{ERR_PACK(0,ASN1_F_D2I_PUBLICKEY,0), "D2I_PUBLICKEY"},
|
||||
{ERR_PACK(0,ASN1_F_D2I_RSAPRIVATEKEY,0), "D2I_RSAPRIVATEKEY"},
|
||||
|
@ -182,6 +183,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
|
|||
{ERR_PACK(0,ASN1_F_PKCS7_SIGNED_NEW,0), "PKCS7_SIGNED_NEW"},
|
||||
{ERR_PACK(0,ASN1_F_PKCS7_SIGNER_INFO_NEW,0), "PKCS7_SIGNER_INFO_NEW"},
|
||||
{ERR_PACK(0,ASN1_F_PKCS7_SIGN_ENVELOPE_NEW,0), "PKCS7_SIGN_ENVELOPE_NEW"},
|
||||
{ERR_PACK(0,ASN1_F_PKEY_USAGE_PERIOD_NEW,0), "PKEY_USAGE_PERIOD_NEW"},
|
||||
{ERR_PACK(0,ASN1_F_X509_ALGOR_NEW,0), "X509_ALGOR_NEW"},
|
||||
{ERR_PACK(0,ASN1_F_X509_ATTRIBUTE_NEW,0), "X509_ATTRIBUTE_NEW"},
|
||||
{ERR_PACK(0,ASN1_F_X509_CINF_NEW,0), "X509_CINF_NEW"},
|
||||
|
|
|
@ -23,9 +23,10 @@ APPS=
|
|||
|
||||
LIB=$(TOP)/libcrypto.a
|
||||
LIBSRC= v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c \
|
||||
v3_lib.c v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c
|
||||
v3_lib.c v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c \
|
||||
v3_pku.c
|
||||
LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \
|
||||
v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o
|
||||
v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o
|
||||
|
||||
SRC= $(LIBSRC)
|
||||
|
||||
|
|
|
@ -175,11 +175,97 @@ STACK *extlist;
|
|||
return extlist;
|
||||
}
|
||||
|
||||
/* Currently two options:
|
||||
* keyid: use the issuers subject keyid, the value 'always' means its is
|
||||
* an error if the issuer certificate doesn't have a key id.
|
||||
* issuer: use the issuers cert issuer and serial number. The default is
|
||||
* to only use this if keyid is not present. With the option 'always'
|
||||
* this is always included.
|
||||
*/
|
||||
|
||||
static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(method, ctx, values)
|
||||
X509V3_EXT_METHOD *method;
|
||||
X509V3_CTX *ctx;
|
||||
STACK *values;
|
||||
{
|
||||
return NULL;
|
||||
char keyid=0, issuer=0;
|
||||
int i;
|
||||
CONF_VALUE *cnf;
|
||||
ASN1_OCTET_STRING *ikeyid = NULL;
|
||||
X509_NAME *isname = NULL;
|
||||
STACK * gens = NULL;
|
||||
GENERAL_NAME *gen = NULL;
|
||||
ASN1_INTEGER *serial = NULL;
|
||||
X509_EXTENSION *ext;
|
||||
X509 *cert;
|
||||
AUTHORITY_KEYID *akeyid;
|
||||
for(i = 0; i < sk_num(values); i++) {
|
||||
cnf = (CONF_VALUE *)sk_value(values, i);
|
||||
if(!strcmp(cnf->name, "keyid")) {
|
||||
keyid = 1;
|
||||
if(cnf->value && !strcmp(cnf->value, "always")) keyid = 2;
|
||||
} else if(!strcmp(cnf->name, "issuer")) {
|
||||
issuer = 1;
|
||||
if(cnf->value && !strcmp(cnf->value, "always")) issuer = 2;
|
||||
} else {
|
||||
X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNKNOWN_OPTION);
|
||||
ERR_add_error_data(2, "name=", cnf->name);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
if(!ctx || !ctx->issuer_cert) {
|
||||
if(ctx && (ctx->flags==CTX_TEST)) return AUTHORITY_KEYID_new();
|
||||
X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_NO_ISSUER_CERTIFICATE);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
cert = ctx->issuer_cert;
|
||||
|
||||
if(keyid) {
|
||||
i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
|
||||
if((i >= 0) && (ext = X509_get_ext(cert, i)))
|
||||
ikeyid = (ASN1_OCTET_STRING *) X509V3_EXT_d2i(ext);
|
||||
if(keyid==2 && !ikeyid) {
|
||||
X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
if((issuer && !ikeyid) || (issuer == 2)) {
|
||||
isname = X509_NAME_dup(X509_get_issuer_name(cert));
|
||||
serial = ASN1_INTEGER_dup(X509_get_serialNumber(cert));
|
||||
if(!isname || !serial) {
|
||||
X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
|
||||
if(!(akeyid = AUTHORITY_KEYID_new())) goto err;
|
||||
|
||||
if(isname) {
|
||||
if(!(gens = sk_new(NULL)) || !(gen = GENERAL_NAME_new())
|
||||
|| !sk_push(gens, (char *)gen)) {
|
||||
X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,ERR_R_MALLOC_FAILURE);
|
||||
goto err;
|
||||
}
|
||||
gen->type = GEN_DIRNAME;
|
||||
gen->d.dirn = isname;
|
||||
}
|
||||
|
||||
akeyid->issuer = gens;
|
||||
akeyid->serial = serial;
|
||||
akeyid->keyid = ikeyid;
|
||||
|
||||
return akeyid;
|
||||
|
||||
err:
|
||||
X509_NAME_free(isname);
|
||||
ASN1_INTEGER_free(serial);
|
||||
ASN1_OCTET_STRING_free(ikeyid);
|
||||
return NULL;
|
||||
|
||||
}
|
||||
|
||||
|
|
|
@ -147,6 +147,7 @@ X509V3_EXT_METHOD *ext;
|
|||
}
|
||||
|
||||
extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
|
||||
extern X509V3_EXT_METHOD v3_pkey_usage_period;
|
||||
extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
|
||||
|
||||
int X509V3_add_standard_extensions()
|
||||
|
@ -159,5 +160,19 @@ int X509V3_add_standard_extensions()
|
|||
X509V3_EXT_add(&v3_ext_ku);
|
||||
X509V3_EXT_add(&v3_skey_id);
|
||||
X509V3_EXT_add(&v3_akey_id);
|
||||
X509V3_EXT_add(&v3_pkey_usage_period);
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* Return an extension internal structure */
|
||||
|
||||
char *X509V3_EXT_d2i(ext)
|
||||
X509_EXTENSION *ext;
|
||||
{
|
||||
X509V3_EXT_METHOD *method;
|
||||
unsigned char *p;
|
||||
if(!(method = X509V3_EXT_get(ext)) || !method->d2i) return NULL;
|
||||
p = ext->value->data;
|
||||
return method->d2i(NULL, &p, ext->value->length);
|
||||
}
|
||||
|
||||
|
|
|
@ -70,6 +70,7 @@ static ERR_STRING_DATA X509V3_str_functs[]=
|
|||
{ERR_PACK(0,X509V3_F_S2I_S2I_SKEY_ID,0), "S2I_S2I_SKEY_ID"},
|
||||
{ERR_PACK(0,X509V3_F_STRING_TO_HEX,0), "string_to_hex"},
|
||||
{ERR_PACK(0,X509V3_F_V2I_ASN1_BIT_STRING,0), "V2I_ASN1_BIT_STRING"},
|
||||
{ERR_PACK(0,X509V3_F_V2I_AUTHORITY_KEYID,0), "V2I_AUTHORITY_KEYID"},
|
||||
{ERR_PACK(0,X509V3_F_V2I_BASIC_CONSTRAINTS,0), "V2I_BASIC_CONSTRAINTS"},
|
||||
{ERR_PACK(0,X509V3_F_V2I_EXT_KU,0), "V2I_EXT_KU"},
|
||||
{ERR_PACK(0,X509V3_F_V2I_GENERAL_NAME,0), "v2i_GENERAL_NAME"},
|
||||
|
@ -103,9 +104,13 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
|
|||
{X509V3_R_INVALID_NULL_NAME ,"invalid null name"},
|
||||
{X509V3_R_INVALID_NULL_VALUE ,"invalid null value"},
|
||||
{X509V3_R_INVALID_OBJECT_IDENTIFIER ,"invalid object identifier"},
|
||||
{X509V3_R_NO_ISSUER_CERTIFICATE ,"no issuer certificate"},
|
||||
{X509V3_R_NO_PUBLIC_KEY ,"no public key"},
|
||||
{X509V3_R_ODD_NUMBER_OF_DIGITS ,"odd number of digits"},
|
||||
{X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS ,"unable to get issuer details"},
|
||||
{X509V3_R_UNABLE_TO_GET_ISSUER_KEYID ,"unable to get issuer keyid"},
|
||||
{X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT ,"unknown bit string argument"},
|
||||
{X509V3_R_UNKNOWN_OPTION ,"unknown option"},
|
||||
{X509V3_R_UNSUPPORTED_OPTION ,"unsupported option"},
|
||||
{0,NULL},
|
||||
};
|
||||
|
|
|
@ -8,6 +8,7 @@
|
|||
#define X509V3_F_S2I_S2I_SKEY_ID 115
|
||||
#define X509V3_F_STRING_TO_HEX 113
|
||||
#define X509V3_F_V2I_ASN1_BIT_STRING 101
|
||||
#define X509V3_F_V2I_AUTHORITY_KEYID 119
|
||||
#define X509V3_F_V2I_BASIC_CONSTRAINTS 102
|
||||
#define X509V3_F_V2I_EXT_KU 103
|
||||
#define X509V3_F_V2I_GENERAL_NAME 117
|
||||
|
@ -38,7 +39,11 @@
|
|||
#define X509V3_R_INVALID_NULL_NAME 108
|
||||
#define X509V3_R_INVALID_NULL_VALUE 109
|
||||
#define X509V3_R_INVALID_OBJECT_IDENTIFIER 110
|
||||
#define X509V3_R_NO_ISSUER_CERTIFICATE 121
|
||||
#define X509V3_R_NO_PUBLIC_KEY 114
|
||||
#define X509V3_R_ODD_NUMBER_OF_DIGITS 112
|
||||
#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 122
|
||||
#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 123
|
||||
#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 111
|
||||
#define X509V3_R_UNKNOWN_OPTION 120
|
||||
#define X509V3_R_UNSUPPORTED_OPTION 117
|
||||
|
|
|
@ -141,6 +141,11 @@ STACK *issuer;
|
|||
ASN1_INTEGER *serial;
|
||||
} AUTHORITY_KEYID;
|
||||
|
||||
typedef struct {
|
||||
ASN1_GENERALIZEDTIME *notBefore;
|
||||
ASN1_GENERALIZEDTIME *notAfter;
|
||||
} PKEY_USAGE_PERIOD;
|
||||
|
||||
typedef struct {
|
||||
|
||||
#define GEN_OTHERNAME (0|V_ASN1_CONTEXT_SPECIFIC)
|
||||
|
@ -211,6 +216,11 @@ AUTHORITY_KEYID *d2i_AUTHORITY_KEYID(AUTHORITY_KEYID **a, unsigned char **pp, lo
|
|||
AUTHORITY_KEYID *AUTHORITY_KEYID_new(void);
|
||||
void AUTHORITY_KEYID_free(AUTHORITY_KEYID *a);
|
||||
|
||||
int i2d_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD *a, unsigned char **pp);
|
||||
PKEY_USAGE_PERIOD *d2i_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD **a, unsigned char **pp, long length);
|
||||
PKEY_USAGE_PERIOD *PKEY_USAGE_PERIOD_new(void);
|
||||
void PKEY_USAGE_PERIOD_free(PKEY_USAGE_PERIOD *a);
|
||||
|
||||
STACK *GENERAL_NAMES_new(void);
|
||||
void GENERAL_NAMES_free(STACK *a);
|
||||
STACK *d2i_GENERAL_NAMES(STACK **a, unsigned char **pp, long length);
|
||||
|
@ -248,6 +258,7 @@ X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext);
|
|||
X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
|
||||
int X509V3_add_standard_extensions(void);
|
||||
STACK *X509V3_parse_list(char *line);
|
||||
char *X509V3_EXT_d2i(X509_EXTENSION *ext);
|
||||
|
||||
char *hex_to_string(unsigned char *buffer, long len);
|
||||
unsigned char *string_to_hex(char *str, long *len);
|
||||
|
@ -271,6 +282,11 @@ void GENERAL_NAME_free();
|
|||
STACK *i2v_GENERAL_NAME();
|
||||
GENERAL_NAME *v2i_GENERAL_NAME();
|
||||
|
||||
int i2d_PKEY_USAGE_PERIOD();
|
||||
PKEY_USAGE_PERIOD *d2i_PKEY_USAGE_PERIOD();
|
||||
PKEY_USAGE_PERIOD *PKEY_USAGE_PERIOD_new();
|
||||
void PKEY_USAGE_PERIOD_free();
|
||||
|
||||
STACK *GENERAL_NAMES_new():
|
||||
void GENERAL_NAMES_free():
|
||||
STACK *d2i_GENERAL_NAMES();
|
||||
|
@ -307,6 +323,7 @@ X509V3_EXT_METHOD *X509V3_EXT_get();
|
|||
X509V3_EXT_METHOD *X509V3_EXT_get_nid();
|
||||
int X509V3_add_standard_extensions();
|
||||
STACK *X509V3_parse_list();
|
||||
char *X509V3_EXT_get_d2i();
|
||||
|
||||
char *hex_to_string();
|
||||
unsigned char *string_to_hex();
|
||||
|
@ -327,6 +344,7 @@ int X509V3_EXT_print_fp();
|
|||
#define X509V3_F_S2I_S2I_SKEY_ID 115
|
||||
#define X509V3_F_STRING_TO_HEX 113
|
||||
#define X509V3_F_V2I_ASN1_BIT_STRING 101
|
||||
#define X509V3_F_V2I_AUTHORITY_KEYID 119
|
||||
#define X509V3_F_V2I_BASIC_CONSTRAINTS 102
|
||||
#define X509V3_F_V2I_EXT_KU 103
|
||||
#define X509V3_F_V2I_GENERAL_NAME 117
|
||||
|
@ -357,9 +375,13 @@ int X509V3_EXT_print_fp();
|
|||
#define X509V3_R_INVALID_NULL_NAME 108
|
||||
#define X509V3_R_INVALID_NULL_VALUE 109
|
||||
#define X509V3_R_INVALID_OBJECT_IDENTIFIER 110
|
||||
#define X509V3_R_NO_ISSUER_CERTIFICATE 121
|
||||
#define X509V3_R_NO_PUBLIC_KEY 114
|
||||
#define X509V3_R_ODD_NUMBER_OF_DIGITS 112
|
||||
#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 122
|
||||
#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 123
|
||||
#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 111
|
||||
#define X509V3_R_UNKNOWN_OPTION 120
|
||||
#define X509V3_R_UNSUPPORTED_OPTION 117
|
||||
|
||||
#ifdef __cplusplus
|
||||
|
|
Loading…
Reference in a new issue