The branch master has been updated via 40ffdc9cfa0717d778c674bb79850e404b587077 (commit) via dc29030ab67880440ec8fcff3a35b5c7bdca5c6b (commit) via a9732d04fa4ace9b4d86218e0818c47c68c08d4d (commit) from 18cd23df8a8f2edd800182e1ab62111e4b7f1dbe (commit)
- Log ----------------------------------------------------------------- commit 40ffdc9cfa0717d778c674bb79850e404b587077 Author: Dr. Stephen Henson <st...@openssl.org> Date: Fri Sep 11 00:06:37 2015 +0100 Add comments to x509_int.h Reviewed-by: Rich Salz <rs...@openssl.org> Reviewed-by: Emilia Käsper <emi...@openssl.org> commit dc29030ab67880440ec8fcff3a35b5c7bdca5c6b Author: Dr. Stephen Henson <st...@openssl.org> Date: Mon Sep 7 23:32:58 2015 +0100 Add accessors for X509_REVOKED. Reviewed-by: Rich Salz <rs...@openssl.org> Reviewed-by: Emilia Käsper <emi...@openssl.org> commit a9732d04fa4ace9b4d86218e0818c47c68c08d4d Author: Dr. Stephen Henson <st...@openssl.org> Date: Mon Sep 7 16:51:05 2015 +0100 Add accessors for request and CRL signatures Reviewed-by: Rich Salz <rs...@openssl.org> Reviewed-by: Emilia Käsper <emi...@openssl.org> ----------------------------------------------------------------------- Summary of changes: crypto/include/internal/x509_int.h | 122 ++++++++++++++++++++++--------------- crypto/x509/x509_req.c | 20 ++++++ crypto/x509/x509cset.c | 25 +++++++- include/openssl/x509.h | 8 +++ 4 files changed, 124 insertions(+), 51 deletions(-) diff --git a/crypto/include/internal/x509_int.h b/crypto/include/internal/x509_int.h index d9147ae..26678cf 100644 --- a/crypto/include/internal/x509_int.h +++ b/crypto/include/internal/x509_int.h @@ -59,72 +59,75 @@ /* Internal X509 structures and functions: not for application use */ +/* Note: unless otherwise stated a field pointer is mandatory and should + * never be set to NULL: the ASN.1 code and accessors rely on mandatory + * fields never being NULL. + */ + +/* + * name entry structure, equivalent to AttributeTypeAndValue defined + * in RFC5280 et al. + */ struct X509_name_entry_st { - ASN1_OBJECT *object; - ASN1_STRING *value; - int set; + ASN1_OBJECT *object; /* AttributeType */ + ASN1_STRING *value; /* AttributeValue */ + int set; /* index of RDNSequence for this entry */ int size; /* temp variable */ }; -/* we always keep X509_NAMEs in 2 forms. */ +/* Name from RFC 5280. */ struct X509_name_st { - STACK_OF(X509_NAME_ENTRY) *entries; + STACK_OF(X509_NAME_ENTRY) *entries; /* DN components */ int modified; /* true if 'bytes' needs to be built */ - BUF_MEM *bytes; -/* unsigned long hash; Keep the hash around for lookups */ + BUF_MEM *bytes; /* cached encoding: cannot be NULL */ + /* canonical encoding used for rapid Name comparison */ unsigned char *canon_enc; int canon_enclen; } /* X509_NAME */ ; -/* - * This stuff is certificate "auxiliary info" it contains details which are - * useful in certificate stores and databases. When used this is tagged onto - * the end of the certificate itself - */ - -struct x509_cert_aux_st { - STACK_OF(ASN1_OBJECT) *trust; /* trusted uses */ - STACK_OF(ASN1_OBJECT) *reject; /* rejected uses */ - ASN1_UTF8STRING *alias; /* "friendly name" */ - ASN1_OCTET_STRING *keyid; /* key id of private key */ - STACK_OF(X509_ALGOR) *other; /* other unspecified info */ -}; +/* PKCS#10 certificate request */ struct X509_req_info_st { - ASN1_ENCODING enc; - ASN1_INTEGER *version; - X509_NAME *subject; - X509_PUBKEY *pubkey; - /* d=2 hl=2 l= 0 cons: cont: 00 */ - STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */ + ASN1_ENCODING enc; /* cached encoding of signed part */ + ASN1_INTEGER *version; /* version, defaults to v1(0) so can be NULL */ + X509_NAME *subject; /* certificate request DN */ + X509_PUBKEY *pubkey; /* public key of request */ + /* + * Zero or more attributes. + * NB: although attributes is a mandatory field some broken + * encodings omit it so this may be NULL in that case. + */ + STACK_OF(X509_ATTRIBUTE) *attributes; }; struct X509_req_st { - X509_REQ_INFO req_info; - X509_ALGOR sig_alg; - ASN1_BIT_STRING *signature; + X509_REQ_INFO req_info; /* signed certificate request data */ + X509_ALGOR sig_alg; /* signature algorithm */ + ASN1_BIT_STRING *signature; /* signature */ int references; }; struct X509_crl_info_st { - ASN1_INTEGER *version; - X509_ALGOR sig_alg; - X509_NAME *issuer; - ASN1_TIME *lastUpdate; - ASN1_TIME *nextUpdate; - STACK_OF(X509_REVOKED) *revoked; - STACK_OF(X509_EXTENSION) /* [0] */ *extensions; - ASN1_ENCODING enc; + ASN1_INTEGER *version; /* version: defaults to v1(0) so may be NULL */ + X509_ALGOR sig_alg; /* signagture algorithm */ + X509_NAME *issuer; /* CRL issuer name */ + ASN1_TIME *lastUpdate; /* lastUpdate field */ + ASN1_TIME *nextUpdate; /* nextUpdate field: optional */ + STACK_OF(X509_REVOKED) *revoked; /* revoked entries: optional */ + STACK_OF(X509_EXTENSION) *extensions; /* extensions: optional */ + ASN1_ENCODING enc; /* encoding of signed portion of CRL */ }; struct X509_crl_st { - /* actual signature */ - X509_CRL_INFO crl; - X509_ALGOR sig_alg; - ASN1_BIT_STRING *signature; + X509_CRL_INFO crl; /* signed CRL data */ + X509_ALGOR sig_alg; /* CRL signature algorithm */ + ASN1_BIT_STRING *signature; /* CRL signature */ int references; int flags; - /* Copies of various extensions */ + /* + * Cached copies of decoded extension values, since extensions + * are optional any of these can be NULL. + */ AUTHORITY_KEYID *akid; ISSUING_DIST_POINT *idp; /* Convenient breakdown of IDP */ @@ -133,19 +136,40 @@ struct X509_crl_st { /* CRL and base CRL numbers for delta processing */ ASN1_INTEGER *crl_number; ASN1_INTEGER *base_crl_number; - unsigned char sha1_hash[SHA_DIGEST_LENGTH]; STACK_OF(GENERAL_NAMES) *issuers; + /* hash of CRL */ + unsigned char sha1_hash[SHA_DIGEST_LENGTH]; + /* alternative method to handle this CRL */ const X509_CRL_METHOD *meth; void *meth_data; }; struct x509_revoked_st { - ASN1_INTEGER *serialNumber; - ASN1_TIME *revocationDate; - STACK_OF(X509_EXTENSION) /* optional */ *extensions; - /* Set up if indirect CRL */ + ASN1_INTEGER *serialNumber; /* revoked entry serial number */ + ASN1_TIME *revocationDate; /* revocation date */ + STACK_OF(X509_EXTENSION) *extensions; /* CRL entry extensions: optional */ + /* decoded value of CRLissuer extension: set if indirect CRL */ STACK_OF(GENERAL_NAME) *issuer; - /* Revocation reason */ + /* revocation reason: set to CRL_REASON_NONE if reason extension absent */ int reason; - int sequence; /* load sequence */ + /* + * CRL entries are reordered for faster lookup of serial numbers. This + * field contains the original load sequence for this entry. + */ + int sequence; +}; + +/* + * This stuff is certificate "auxiliary info": it contains details which are + * useful in certificate stores and databases. When used this is tagged onto + * the end of the certificate itself. OpenSSL specific structure not defined + * in any RFC. + */ + +struct x509_cert_aux_st { + STACK_OF(ASN1_OBJECT) *trust; /* trusted uses */ + STACK_OF(ASN1_OBJECT) *reject; /* rejected uses */ + ASN1_UTF8STRING *alias; /* "friendly name" */ + ASN1_OCTET_STRING *keyid; /* key id of private key */ + STACK_OF(X509_ALGOR) *other; /* other unspecified info */ }; diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c index 3433694..a2d70c0 100644 --- a/crypto/x509/x509_req.c +++ b/crypto/x509/x509_req.c @@ -314,3 +314,23 @@ X509_NAME *X509_REQ_get_subject_name(X509_REQ *req) { return req->req_info.subject; } + +void X509_REQ_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, + X509_REQ *req) +{ + if (psig == NULL) + *psig = req->signature; + if (palg == NULL) + *palg = &req->sig_alg; +} + +int X509_REQ_get_signature_nid(const X509_REQ *req) +{ + return OBJ_obj2nid(req->sig_alg.algorithm); +} + +int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp) +{ + req->req_info.enc.modified = 1; + return i2d_X509_REQ_INFO(&req->req_info, pp); +} diff --git a/crypto/x509/x509cset.c b/crypto/x509/x509cset.c index 6215cf0..1543588 100644 --- a/crypto/x509/x509cset.c +++ b/crypto/x509/x509cset.c @@ -166,12 +166,22 @@ STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl) void X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_CRL *crl) { - if (psig) + if (psig == NULL) *psig = crl->signature; - if (palg) + if (palg == NULL) *palg = &crl->sig_alg; } +int X509_CRL_get_signature_nid(const X509_CRL *crl) +{ + return OBJ_obj2nid(crl->sig_alg.algorithm); +} + +ASN1_TIME *X509_REVOKED_get0_revocationDate(X509_REVOKED *x) +{ + return x->revocationDate; +} + int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm) { ASN1_TIME *in; @@ -189,6 +199,11 @@ int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm) return (in != NULL); } +ASN1_INTEGER *X509_REVOKED_get0_serialNumber(X509_REVOKED *x) +{ + return x->serialNumber; +} + int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial) { ASN1_INTEGER *in; @@ -205,3 +220,9 @@ int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial) } return (in != NULL); } + +int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **pp) +{ + crl->crl.enc.modified = 1; + return i2d_X509_CRL_INFO(&crl->crl, pp); +} diff --git a/include/openssl/x509.h b/include/openssl/x509.h index f809d38..1374b0f 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -753,6 +753,10 @@ long X509_REQ_get_version(X509_REQ *req); int X509_REQ_set_version(X509_REQ *x, long version); X509_NAME *X509_REQ_get_subject_name(X509_REQ *req); int X509_REQ_set_subject_name(X509_REQ *req, X509_NAME *name); +void X509_REQ_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, + X509_REQ *req); +int X509_REQ_get_signature_nid(const X509_REQ *req); +int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp); int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey); EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req); int X509_REQ_extension_nid(int nid); @@ -793,8 +797,12 @@ X509_NAME *X509_CRL_get_issuer(X509_CRL *crl); STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl); void X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_CRL *crl); +int X509_CRL_get_signature_nid(const X509_CRL *crl); +int i2d_re_X509_CRL_tbs(X509_CRL *req, unsigned char **pp); +ASN1_INTEGER *X509_REVOKED_get0_serialNumber(X509_REVOKED *x); int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial); +ASN1_TIME *X509_REVOKED_get0_revocationDate(X509_REVOKED *x); int X509_REVOKED_set_revocationDate(X509_REVOKED *r, ASN1_TIME *tm); X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits