From d43c4497ce1611373c3a3e5b433dfde4907d1a69 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Mon, 1 Sep 2008 15:15:16 +0000 Subject: [PATCH] Initial support for delta CRLs. If "use deltas" flag is set attempt to find a delta CRL in addition to a full CRL. Check and search delta in addition to the base. --- CHANGES | 6 + apps/apps.c | 2 + crypto/asn1/x_crl.c | 44 ++++- crypto/x509/x509.h | 5 + crypto/x509/x509_vfy.c | 359 ++++++++++++++++++++++++++++------------ crypto/x509/x509_vfy.h | 2 + crypto/x509v3/v3_enum.c | 19 ++- crypto/x509v3/v3_purp.c | 6 +- crypto/x509v3/x509v3.h | 15 +- 9 files changed, 341 insertions(+), 117 deletions(-) diff --git a/CHANGES b/CHANGES index 6e1bf9c0a4..f7427dd0ea 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,12 @@ Changes between 0.9.8i and 0.9.9 [xx XXX xxxx] + *) Delta CRL support. New use deltas option which will attempt to locate + and search any appropriate delta CRLs available. + + This work was sponsored by Google. + [Steve Henson] + *) Support for CRLs partitioned by reason code. Reorganise CRL processing code and add additional score elements. Validate alternate CRL paths as part of the CRL checking and indicate a new error "CRL path validation diff --git a/apps/apps.c b/apps/apps.c index 7a1b6f7ca4..548ae4c143 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -2241,6 +2241,8 @@ int args_verify(char ***pargs, int *pargc, flags |= X509_V_FLAG_X509_STRICT; else if (!strcmp(arg, "-extended_crl")) flags |= X509_V_FLAG_EXTENDED_CRL_SUPPORT; + else if (!strcmp(arg, "-use_deltas")) + flags |= X509_V_FLAG_USE_DELTAS; else if (!strcmp(arg, "-policy_print")) flags |= X509_V_FLAG_NOTIFY_POLICY; else diff --git a/crypto/asn1/x_crl.c b/crypto/asn1/x_crl.c index 86adbe3e5f..c51c690ba9 100644 --- a/crypto/asn1/x_crl.c +++ b/crypto/asn1/x_crl.c @@ -137,6 +137,7 @@ static int crl_set_issuers(X509_CRL *crl) { X509_REVOKED *rev = sk_X509_REVOKED_value(revoked, i); STACK_OF(X509_EXTENSION) *exts; + ASN1_ENUMERATED *reason; X509_EXTENSION *ext; gtmp = X509_REVOKED_get_ext_d2i(rev, NID_certificate_issuer, @@ -161,6 +162,22 @@ static int crl_set_issuers(X509_CRL *crl) } rev->issuer = gens; + reason = X509_REVOKED_get_ext_d2i(rev, NID_crl_reason, + &j, NULL); + if (!reason && (j != -1)) + { + crl->flags |= EXFLAG_INVALID; + return 1; + } + + if (reason) + { + rev->reason = ASN1_ENUMERATED_get(reason); + ASN1_ENUMERATED_free(reason); + } + else + rev->reason = CRL_REASON_NONE; + /* Check for critical CRL entry extensions */ exts = rev->extensions; @@ -207,6 +224,8 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, crl->meth = default_crl_method; crl->meth_data = NULL; crl->issuers = NULL; + crl->crl_number = NULL; + crl->base_crl_number = NULL; break; case ASN1_OP_D2I_POST: @@ -221,6 +240,15 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, crl->akid = X509_CRL_get_ext_d2i(crl, NID_authority_key_identifier, NULL, NULL); + crl->crl_number = X509_CRL_get_ext_d2i(crl, + NID_crl_number, NULL, NULL); + + crl->base_crl_number = X509_CRL_get_ext_d2i(crl, + NID_delta_crl, NULL, NULL); + /* Delta CRLs must have CRL number */ + if (crl->base_crl_number && !crl->crl_number) + crl->flags |= EXFLAG_INVALID; + /* See if we have any unhandled critical CRL extensions and * indicate this in a flag. We only currently handle IDP so * anything else critical sets the flag. @@ -233,13 +261,17 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++) { + int nid; ext = sk_X509_EXTENSION_value(exts, idx); + nid = OBJ_obj2nid(ext->object); + if (nid == NID_freshest_crl) + crl->flags |= EXFLAG_FRESHEST; if (ext->critical > 0) { - /* We handle IDP now so permit it */ - if (OBJ_obj2nid(ext->object) == - NID_issuing_distribution_point) - continue; + /* We handle IDP and deltas */ + if ((nid == NID_issuing_distribution_point) + || (nid == NID_delta_crl)) + break;; crl->flags |= EXFLAG_CRITICAL; break; } @@ -266,6 +298,8 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, AUTHORITY_KEYID_free(crl->akid); if (crl->idp) ISSUING_DIST_POINT_free(crl->idp); + ASN1_INTEGER_free(crl->crl_number); + ASN1_INTEGER_free(crl->base_crl_number); sk_GENERAL_NAMES_pop_free(crl->issuers, GENERAL_NAMES_free); break; } @@ -435,6 +469,8 @@ static int def_crl_lookup(X509_CRL *crl, { if (ret) *ret = rev; + if (rev->reason == CRL_REASON_REMOVE_FROM_CRL) + return 2; return 1; } } diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h index a1ac6192ba..56d9e9f1eb 100644 --- a/crypto/x509/x509.h +++ b/crypto/x509/x509.h @@ -436,6 +436,8 @@ struct x509_revoked_st STACK_OF(X509_EXTENSION) /* optional */ *extensions; /* Set up if indirect CRL */ STACK_OF(GENERAL_NAME) *issuer; + /* Revocation reason */ + int reason; int sequence; /* load sequence */ }; @@ -468,6 +470,9 @@ struct X509_crl_st /* Convenient breakdown of IDP */ int idp_flags; int idp_reasons; + /* CRL and base CRL numbers for delta processing */ + ASN1_INTEGER *crl_number; + ASN1_INTEGER *base_crl_number; #ifndef OPENSSL_NO_SHA unsigned char sha1_hash[SHA_DIGEST_LENGTH]; #endif diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 4d7a94520c..cb7936f2b3 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -70,6 +70,44 @@ #include #include +/* CRL score values */ + +/* No unhandled critical extensions */ + +#define CRL_SCORE_NOCRITICAL 0x100 + +/* certificate is within CRL scope */ + +#define CRL_SCORE_SCOPE 0x080 + +/* CRL times valid */ + +#define CRL_SCORE_TIME 0x040 + +/* Issuer name matches certificate */ + +#define CRL_SCORE_ISSUER_NAME 0x020 + +/* If this score or above CRL is probably valid */ + +#define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE) + +/* CRL issuer is certificate issuer */ + +#define CRL_SCORE_ISSUER_CERT 0x018 + +/* CRL issuer is on certificate path */ + +#define CRL_SCORE_SAME_PATH 0x008 + +/* CRL issuer matches CRL AKID */ + +#define CRL_SCORE_AKID 0x004 + +/* Have a delta CRL with valid times */ + +#define CRL_SCORE_TIME_DELTA 0x002 + static int null_callback(int ok,X509_STORE_CTX *e); static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x); @@ -83,6 +121,10 @@ static int check_policy(X509_STORE_CTX *ctx); static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, unsigned int *preasons, X509_CRL *crl, X509 *x); +static int get_crl_delta(X509_STORE_CTX *ctx, + X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x); +static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score, + X509_CRL *base, STACK_OF(X509_CRL) *crls); static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer, int *pcrl_score); static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, @@ -649,7 +691,7 @@ static int check_revocation(X509_STORE_CTX *ctx) static int check_cert(X509_STORE_CTX *ctx) { - X509_CRL *crl = NULL; + X509_CRL *crl = NULL, *dcrl = NULL; X509 *x; int ok, cnum; cnum = ctx->error_depth; @@ -660,7 +702,10 @@ static int check_cert(X509_STORE_CTX *ctx) while (ctx->current_reasons != CRLDP_ALL_REASONS) { /* Try to retrieve relevant CRL */ - ok = ctx->get_crl(ctx, &crl, x); + if (ctx->get_crl) + ok = ctx->get_crl(ctx, &crl, x); + else + ok = get_crl_delta(ctx, &crl, &dcrl, x); /* If error looking up CRL, nothing we can do except * notify callback */ @@ -674,14 +719,36 @@ static int check_cert(X509_STORE_CTX *ctx) ok = ctx->check_crl(ctx, crl); if (!ok) goto err; - ok = ctx->cert_crl(ctx, crl, x); - if (!ok) - goto err; + + if (dcrl) + { + ok = ctx->check_crl(ctx, dcrl); + if (!ok) + goto err; + ok = ctx->cert_crl(ctx, dcrl, x); + if (!ok) + goto err; + } + else + ok = 1; + + /* Don't look in full CRL if delta reason is removefromCRL */ + if (ok != 2) + { + ok = ctx->cert_crl(ctx, crl, x); + if (!ok) + goto err; + } + X509_CRL_free(crl); + X509_CRL_free(dcrl); crl = NULL; + dcrl = NULL; } err: X509_CRL_free(crl); + X509_CRL_free(dcrl); + ctx->current_crl = NULL; return ok; @@ -731,8 +798,8 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) if (!ctx->verify_cb(0, ctx)) return 0; } - - if (i < 0) + /* Ignore expiry of base CRL is delta is valid */ + if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) { if (!notify) return 0; @@ -748,46 +815,8 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) return 1; } -/* CRL score values */ - -/* No unhandled critical extensions */ - -#define CRL_SCORE_NOCRITICAL 0x100 - -/* certificate is within CRL scope */ - -#define CRL_SCORE_SCOPE 0x080 - -/* CRL times valid */ - -#define CRL_SCORE_TIME 0x040 - -/* Issuer name matches certificate */ - -#define CRL_SCORE_ISSUER_NAME 0x020 - -/* If this score or above CRL is probably valid */ - -#define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE) - -/* CRL issuer is certificate issuer */ - -#define CRL_SCORE_ISSUER_CERT 0x018 - -/* CRL issuer is on certificate path */ - -#define CRL_SCORE_SAME_PATH 0x008 - -/* CRL issuer matches CRL AKID */ - -#define CRL_SCORE_AKID 0x004 - -/* CRL is complete, not delta */ - -#define CRL_SCORE_COMPLETE 0x002 - -static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 **pissuer, - int *pscore, unsigned int *preasons, +static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, + X509 **pissuer, int *pscore, unsigned int *preasons, STACK_OF(X509_CRL) *crls) { int i, crl_score, best_score = *pscore; @@ -818,16 +847,121 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 **pissuer, *pissuer = best_crl_issuer; *pscore = best_score; *preasons = best_reasons; - CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509); + CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL); + if (*pdcrl) + { + X509_CRL_free(*pdcrl); + *pdcrl = NULL; + } + get_delta_sk(ctx, pdcrl, pscore, best_crl, crls); } - if (best_score >= CRL_SCORE_VALID) return 1; return 0; } +/* Compare two CRL extensions for delta checking purposes. They should be + * both present or both absent. If both present all fields must be identical. + */ + +static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) + { + ASN1_OCTET_STRING *exta, *extb; + int i; + i = X509_CRL_get_ext_by_NID(a, nid, 0); + if (i >= 0) + { + /* Can't have multiple occurrences */ + if (X509_CRL_get_ext_by_NID(a, nid, i) != -1) + return 0; + exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i)); + } + else + exta = NULL; + + i = X509_CRL_get_ext_by_NID(b, nid, 0); + + if (i >= 0) + { + + if (X509_CRL_get_ext_by_NID(b, nid, i) != -1) + return 0; + extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i)); + } + else + extb = NULL; + + if (!exta && !extb) + return 1; + + if (!exta || !extb) + return 0; + + + if (ASN1_OCTET_STRING_cmp(exta, extb)) + return 0; + + return 1; + } + +/* See if a base and delta are compatible */ + +static int check_delta_base(X509_CRL *delta, X509_CRL *base) + { + /* Delta CRL must be a delta */ + if (!delta->base_crl_number) + return 0; + /* Base must have a CRL number */ + if (!base->crl_number) + return 0; + /* Issuer names must match */ + if (X509_NAME_cmp(X509_CRL_get_issuer(base), + X509_CRL_get_issuer(delta))) + return 0; + /* AKID and IDP must match */ + if (!crl_extension_match(delta, base, NID_authority_key_identifier)) + return 0; + if (!crl_extension_match(delta, base, NID_issuing_distribution_point)) + return 0; + /* Delta CRL base number must not exceed Full CRL number. */ + if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0) + return 0; + /* Delta CRL number must exceed full CRL number */ + if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0) + return 1; + return 0; + } + +/* For a given base CRL find a delta... maybe extend to delta scoring + * or retrieve a chain of deltas... + */ + +static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, + X509_CRL *base, STACK_OF(X509_CRL) *crls) + { + X509_CRL *delta; + int i; + if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS)) + return; + if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST)) + return; + for (i = 0; i < sk_X509_CRL_num(crls); i++) + { + delta = sk_X509_CRL_value(crls, i); + if (check_delta_base(delta, base)) + { + if (check_crl_time(ctx, delta, 0)) + *pscore |= CRL_SCORE_TIME_DELTA; + CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL); + *dcrl = delta; + return; + } + } + *dcrl = NULL; + } + /* For a given CRL return how suitable it is for the supplied certificate 'x'. * The return value is a mask of several criteria. * If the issuer is not the certificate issuer this is returned in *pissuer. @@ -860,6 +994,9 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, if (!(crl->idp_reasons & ~tmp_reasons)) return 0; } + /* Don't process deltas at this stage */ + else if (crl->base_crl_number) + return 0; /* If issuer name doesn't match certificate need indirect CRL */ if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) { @@ -1146,22 +1283,24 @@ static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, return 0; } -/* Retrieve CRL corresponding to current certificate. Currently only - * one CRL is retrieved. Multiple CRLs may be needed if we handle - * CRLs partitioned on reason code later. +/* Retrieve CRL corresponding to current certificate. + * If deltas enabled try to find a delta CRL too */ -static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x) +static int get_crl_delta(X509_STORE_CTX *ctx, + X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x) { int ok; X509 *issuer = NULL; int crl_score = 0; unsigned int reasons; - X509_CRL *crl = NULL; + X509_CRL *crl = NULL, *dcrl = NULL; STACK_OF(X509_CRL) *skcrl; X509_NAME *nm = X509_get_issuer_name(x); reasons = ctx->current_reasons; - ok = get_crl_sk(ctx, &crl, &issuer, &crl_score, &reasons, ctx->crls); + ok = get_crl_sk(ctx, &crl, &dcrl, + &issuer, &crl_score, &reasons, ctx->crls); + if (ok) goto done; @@ -1173,7 +1312,7 @@ static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x) if (!skcrl && crl) goto done; - get_crl_sk(ctx, &crl, &issuer, &crl_score, &reasons, skcrl); + get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl); sk_X509_CRL_pop_free(skcrl, X509_CRL_free); @@ -1186,6 +1325,7 @@ static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x) ctx->current_crl_score = crl_score; ctx->current_reasons = reasons; *pcrl = crl; + *pdcrl = dcrl; return 1; } @@ -1203,6 +1343,7 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) /* if we have an alternative CRL issuer cert use that */ if (ctx->current_issuer) issuer = ctx->current_issuer; + /* Else find CRL issuer: if not last certificate then issuer * is next certificate in chain. */ @@ -1222,44 +1363,52 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) if(issuer) { - /* Check for cRLSign bit if keyUsage present */ - if ((issuer->ex_flags & EXFLAG_KUSAGE) && - !(issuer->ex_kusage & KU_CRL_SIGN)) + /* Skip most tests for deltas because they have already + * been done + */ + if (!crl->base_crl_number) { - ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; - ok = ctx->verify_cb(0, ctx); - if(!ok) goto err; + /* Check for cRLSign bit if keyUsage present */ + if ((issuer->ex_flags & EXFLAG_KUSAGE) && + !(issuer->ex_kusage & KU_CRL_SIGN)) + { + ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; + ok = ctx->verify_cb(0, ctx); + if(!ok) goto err; + } + + if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) + { + ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE; + ok = ctx->verify_cb(0, ctx); + if(!ok) goto err; + } + + if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) + { + if (!check_crl_path(ctx, ctx->current_issuer)) + { + ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR; + ok = ctx->verify_cb(0, ctx); + if(!ok) goto err; + } + } + + if (crl->idp_flags & IDP_INVALID) + { + ctx->error = X509_V_ERR_INVALID_EXTENSION; + ok = ctx->verify_cb(0, ctx); + if(!ok) goto err; + } + + } - if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) - { - ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE; - ok = ctx->verify_cb(0, ctx); - if(!ok) goto err; - } - - if (!(ctx->current_crl_score & CRL_SCORE_TIME)) - { - ok = check_crl_time(ctx, crl, 1); - if (!ok) - goto err; - } - - if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) - { - if (!check_crl_path(ctx, ctx->current_issuer)) + if (!(ctx->current_crl_score & CRL_SCORE_TIME)) { - ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR; - ok = ctx->verify_cb(0, ctx); - if(!ok) goto err; - } - } - - if (crl->idp_flags & IDP_INVALID) - { - ctx->error = X509_V_ERR_INVALID_EXTENSION; - ok = ctx->verify_cb(0, ctx); - if(!ok) goto err; + ok = check_crl_time(ctx, crl, 1); + if (!ok) + goto err; } /* Attempt to get issuer certificate public key */ @@ -1294,18 +1443,12 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) { int ok; - /* Look for serial number of certificate in CRL - * If found assume revoked: want something cleverer than - * this to handle entry extensions in V2 CRLs. + X509_REVOKED *rev; + /* The rules changed for this... previously if a CRL contained + * unhandled critical extensions it could still be used to indicate + * a certificate was revoked. This has since been changed since + * critical extension can change the meaning of CRL entries. */ - if (X509_CRL_get0_by_cert(crl, NULL, x) > 0) - { - ctx->error = X509_V_ERR_CERT_REVOKED; - ok = ctx->verify_cb(0, ctx); - if (!ok) - return 0; - } - if (crl->flags & EXFLAG_CRITICAL) { if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) @@ -1315,6 +1458,18 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) if(!ok) return 0; } + /* Look for serial number of certificate in CRL + * If found make sure reason is not removeFromCRL. + */ + if (X509_CRL_get0_by_cert(crl, &rev, x)) + { + if (rev->reason == CRL_REASON_REMOVE_FROM_CRL) + return 2; + ctx->error = X509_V_ERR_CERT_REVOKED; + ok = ctx->verify_cb(0, ctx); + if (!ok) + return 0; + } return 1; } @@ -1898,7 +2053,7 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, if (store && store->get_crl) ctx->get_crl = store->get_crl; else - ctx->get_crl = get_crl; + ctx->get_crl = NULL; if (store && store->check_crl) ctx->check_crl = store->check_crl; diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h index d1e5af64f4..0df76db849 100644 --- a/crypto/x509/x509_vfy.h +++ b/crypto/x509/x509_vfy.h @@ -385,6 +385,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); #define X509_V_FLAG_NOTIFY_POLICY 0x800 /* Extended CRL features such as indirect CRLs, alternate CRL signing keys */ #define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000 +/* Delta CRL support */ +#define X509_V_FLAG_USE_DELTAS 0x2000 #define X509_VP_FLAG_DEFAULT 0x1 #define X509_VP_FLAG_OVERWRITE 0x2 diff --git a/crypto/x509v3/v3_enum.c b/crypto/x509v3/v3_enum.c index a236cb22e1..f3c095b364 100644 --- a/crypto/x509v3/v3_enum.c +++ b/crypto/x509v3/v3_enum.c @@ -61,14 +61,17 @@ #include static ENUMERATED_NAMES crl_reasons[] = { -{0, "Unspecified", "unspecified"}, -{1, "Key Compromise", "keyCompromise"}, -{2, "CA Compromise", "CACompromise"}, -{3, "Affiliation Changed", "affiliationChanged"}, -{4, "Superseded", "superseded"}, -{5, "Cessation Of Operation", "cessationOfOperation"}, -{6, "Certificate Hold", "certificateHold"}, -{8, "Remove From CRL", "removeFromCRL"}, +{CRL_REASON_UNSPECIFIED, "Unspecified", "unspecified"}, +{CRL_REASON_KEY_COMPROMISE, "Key Compromise", "keyCompromise"}, +{CRL_REASON_CA_COMPROMISE, "CA Compromise", "CACompromise"}, +{CRL_REASON_AFFILIATION_CHANGED, "Affiliation Changed", "affiliationChanged"}, +{CRL_REASON_SUPERSEDED, "Superseded", "superseded"}, +{CRL_REASON_CESSATION_OF_OPERATION, + "Cessation Of Operation", "cessationOfOperation"}, +{CRL_REASON_CERTIFICATE_HOLD, "Certificate Hold", "certificateHold"}, +{CRL_REASON_REMOVE_FROM_CRL, "Remove From CRL", "removeFromCRL"}, +{CRL_REASON_PRIVILEGE_WITHDRAWN, "Privilege Withdrawn", "privilegeWithdrawn"}, +{CRL_REASON_AA_COMPROMISE, "AA Compromise", "AACompromise"}, {-1, NULL, NULL} }; diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index 2234bf147a..1ca370dc0b 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c @@ -465,8 +465,7 @@ static void x509v3_cache_extensions(X509 *x) if (!x->nc && (i != -1)) x->ex_flags |= EXFLAG_INVALID; setup_crldp(x); - - + #ifndef OPENSSL_NO_RFC3779 x->rfc3779_addr =X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL); x->rfc3779_asid =X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, @@ -477,6 +476,9 @@ static void x509v3_cache_extensions(X509 *x) ex = X509_get_ext(x, i); if (!X509_EXTENSION_get_critical(ex)) continue; + if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) + == NID_freshest_crl) + x->ex_flags |= EXFLAG_FRESHEST; if (!X509_supported_extension(ex)) { x->ex_flags |= EXFLAG_CRITICAL; diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h index c824cf01f3..22b1b7fe39 100644 --- a/crypto/x509v3/x509v3.h +++ b/crypto/x509v3/x509v3.h @@ -226,6 +226,18 @@ X509_NAME *dpname; /* All existing reasons */ #define CRLDP_ALL_REASONS 0x807f +#define CRL_REASON_NONE -1 +#define CRL_REASON_UNSPECIFIED 0 +#define CRL_REASON_KEY_COMPROMISE 1 +#define CRL_REASON_CA_COMPROMISE 2 +#define CRL_REASON_AFFILIATION_CHANGED 3 +#define CRL_REASON_SUPERSEDED 4 +#define CRL_REASON_CESSATION_OF_OPERATION 5 +#define CRL_REASON_CERTIFICATE_HOLD 6 +#define CRL_REASON_REMOVE_FROM_CRL 8 +#define CRL_REASON_PRIVILEGE_WITHDRAWN 9 +#define CRL_REASON_AA_COMPROMISE 10 + struct DIST_POINT_st { DIST_POINT_NAME *distpoint; ASN1_BIT_STRING *reasons; @@ -402,7 +414,8 @@ struct ISSUING_DIST_POINT_st #define EXFLAG_CRITICAL 0x200 #define EXFLAG_PROXY 0x400 -#define EXFLAG_INVALID_POLICY 0x400 +#define EXFLAG_INVALID_POLICY 0x800 +#define EXFLAG_FRESHEST 0x1000 #define KU_DIGITAL_SIGNATURE 0x0080 #define KU_NON_REPUDIATION 0x0040