OpenSSL Developers -
Attached please find a patch to add support for the PKIX certificate
access description and certificate policies extensions to the
openssl-0.9.2b tarball. Note that Dr. Steve Henson is also working
through the PKIX extensions. But in case anybody's waiting for either
of these two now, this patch should do the trick. Thanks to Dr. Steve
for pointers about configuration file syntax and various ASN.1 nasties.
A brief overview follows. Email me ([EMAIL PROTECTED]) if you
need more information or can't follow my instructions. Apologies
in advance for posting such a womping email. Until the dev team
makes up its mind about accepting contributions from the US, we're
on our own when it comes to sharing and maintaining contributions
like these... :) Thanks also to Dr. Steve Henson for pointers
about build infrastructure and other OpenSSL arcana.
TT
Apologies to unixers in advance. The following instructions,
development, and testing have only been performed on NT. On the
other hand, with the latest mks toolkit, I seem to be able to
do most of the tricks the big kids can do, too. So hopefully
most of what follows can be easily revised to work in either
environment. You'll need a "patch" command to apply the patches
and a "sh" command to run the script.
To start, you need an OpenSSL-0.9.2b source tree. All the diffs
were done from the 0.9.2b tarball, so you'd be best off using
those sources as your starting point, too.
Create a top-level directory into which you'll untar the attachment,
e.g. "patch". I created the tar file using the mks command "tar -czvf
x509v3.tar", so you should be able to untar it with "tar -xzvf x509v3.tar".
Here's a summary of the files you get:
The patch updates several files in the x509v3, objects, and apps
directories. It also adds several files to the x509v3 directory.
Files in the patch include:
asn1.err.patch add errors for new ASN.1 routines (probably overkill)
asn1.h.patch add errors for new ASN.1 routines
asn1_err.c.patch add errors for new ASN.1 routines
libeay.num.patch add ordinals for new ASN.1 routines
makefile.ssl.patch add new source modules (v3_XXX.c below)
obj_dat.h.patch add oids for extensions
objects.h.patch add oids for extensions
openssl.cnf.patch configuration file sample for extensions
update.sh script to apply patches, copy files
v3_ad.c access description ASN.1 routines
v3_ainf.c authority info ASN.1 routines
v3_cpols.c certificate policy ASN.1 routines
v3_lib.c.patch hook list of extensions with two newbies
v3_nref.c notice reference ASN.1 routines
v3_pinf.c policy info ASN.1 routines
v3_pqinf.c policy qualifier info ASN.1 routines
v3_unot.c user notice ASN.1 routines
x509v3.h.patch C structs for internal representations for ASN.1
Run the update.sh script to apply the patches and copy the new files to
the appropriate directories. I'll append the output from when I run this
on my machine.
Re-configure and build from scratch. The exact steps you follow vary
per platform. On NT, what I do is:
cd <root of tree>
perl configure VC-WIN32
ms\do_nt.bat
nmake -f ms\nt.mak
I've successfully run the tests with the resulting executables, but you
should probably do the same when you rebuild your libraries.
See the authInfoAccess and certPolicies sections in apps/openssl.cnf
for examples of how to add these extensions to *your* certs, today... :)
...
authorityInfoAccess = @authInfoAccess
certificatePolicies = @certPolicies
[ authInfoAccess ]
URI.1 = http://www.pki.com/ca1/ocspResponder/ocsp
URI.2 = http://www.pki.com/ca2/ocspResponder/ocsp
IP.0 = 1.2.3.4
RID = 1.2.3.4.5.6.7.8.9.10
[ certPolicies ]
id = 2.16.840.1.113731.99999.2.1
uri.1 = 2.16.840.1.113731.99999.2.2,http://www.co1.com/cps
uri.2 = 2.16.840.1.113731.99999.2.2,http://www.co2.com/cps
notice.1 = 2.16.840.1.113731.99999.2.3,,,display text
notice.2 = 2.16.840.1.113731.99999.2.3,org,1.2,display text
notice.3 = 2.16.840.1.113731.99999.2.3,orgorgorg,8.9.10.11.123456789,
notice.4 = 2.16.840.1.113731.99999.2.4,new org,99.88.77.66,@display.txt
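The two extension values the sample configuration describes, as an added example that is not part of this patch or of OpenSSL: a standard-library Python encoder for the PKIX AuthorityInfoAccess and CertificatePolicies DER structures (RFC 2459 sections 4.2.2.1 and 4.2.1.5), with a small TLV parser to inspect the result. Assumptions, all mine: id-ad-ocsp as the access method (the sample names none), UTF8String for DisplayText, and grouping the [certPolicies] lines that share a policy OID into one PolicyInformation; the sample input is constructed from the cnf sections above.

```python
# Added example (not part of the x509v3 patch or of OpenSSL): a stdlib-only DER
# encoder for the AuthorityInfoAccess and CertificatePolicies extension values
# that the sample openssl.cnf describes, plus a small parser to inspect the result.
ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"     # id-ad-ocsp; assumed, the cnf sample names no access method
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"       # id-qt-cps
ID_QT_UNOTICE = "1.3.6.1.5.5.7.2.2"   # id-qt-unotice

def der_len(n):
    """Definite-form length: one byte below 128, else 0x80|k followed by k length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_oid(dotted, tag=0x06):
    """OBJECT IDENTIFIER: first two arcs fold into one byte, the rest are base-128 groups."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(tag, bytes(out))

def der_int(n):
    """Non-negative INTEGER, padded so the sign bit stays clear (e.g. 128 -> 00 80)."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def general_name(kind, value):
    """GeneralName CHOICE with IMPLICIT tags: [6] URI IA5String, [7] IP OCTET STRING, [8] RID OID."""
    if kind == "URI":
        return tlv(0x86, value.encode("ascii"))
    if kind == "IP":
        return tlv(0x87, bytes(int(o) for o in value.split(".")))
    if kind == "RID":
        return der_oid(value, tag=0x88)
    raise ValueError("unsupported GeneralName kind: " + kind)

def authority_info_access(entries):
    """SEQUENCE OF AccessDescription { accessMethod OID, accessLocation GeneralName }."""
    return tlv(0x30, b"".join(tlv(0x30, der_oid(method) + general_name(kind, value))
                              for method, (kind, value) in entries))

def user_notice(org=None, numbers=(), text=None):
    """UserNotice { noticeRef NoticeReference OPTIONAL, explicitText DisplayText OPTIONAL }."""
    body = b""
    if org is not None:  # NoticeReference { organization DisplayText, noticeNumbers SEQUENCE OF INTEGER }
        body += tlv(0x30, tlv(0x0C, org.encode("utf-8")) + tlv(0x30, b"".join(der_int(n) for n in numbers)))
    if text:             # DisplayText carried as UTF8String (assumption)
        body += tlv(0x0C, text.encode("utf-8"))
    return tlv(0x30, body)

def certificate_policies(policies):
    """SEQUENCE OF PolicyInformation; qualifiers are ("cps", uri) or ("notice", org, numbers, text)."""
    infos = b""
    for policy_oid, qualifiers in policies:
        quals = b""
        for q in qualifiers:
            if q[0] == "cps":
                quals += tlv(0x30, der_oid(ID_QT_CPS) + tlv(0x16, q[1].encode("ascii")))
            elif q[0] == "notice":
                quals += tlv(0x30, der_oid(ID_QT_UNOTICE) + user_notice(*q[1:]))
        infos += tlv(0x30, der_oid(policy_oid) + (tlv(0x30, quals) if quals else b""))
    return tlv(0x30, infos)

def parse(data):
    """Parse a run of DER TLVs into (tag, children | bytes); constructed tags (bit 0x20) recurse."""
    out, i = [], 0
    while i < len(data):
        tag, n = data[i], data[i + 1]
        i += 2
        if n & 0x80:                       # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        body = data[i:i + n]
        out.append((tag, parse(body) if tag & 0x20 else body))
        i += n
    return out

# Constructed sample input mirroring the [authInfoAccess] / [certPolicies] sections of the cnf.
SAMPLE_AIA = [(ID_AD_OCSP, ("URI", "http://www.pki.com/ca1/ocspResponder/ocsp")),
              (ID_AD_OCSP, ("URI", "http://www.pki.com/ca2/ocspResponder/ocsp")),
              (ID_AD_OCSP, ("IP", "1.2.3.4")),
              (ID_AD_OCSP, ("RID", "1.2.3.4.5.6.7.8.9.10"))]
SAMPLE_POLICIES = [("2.16.840.1.113731.99999.2.1", []),
                   ("2.16.840.1.113731.99999.2.2", [("cps", "http://www.co1.com/cps"),
                                                    ("cps", "http://www.co2.com/cps")]),
                   ("2.16.840.1.113731.99999.2.3", [("notice", None, (), "display text"),
                                                    ("notice", "org", (1, 2), "display text"),
                                                    ("notice", "orgorgorg", (8, 9, 10, 11, 123456789), None)])]
```

Running `parse(authority_info_access(SAMPLE_AIA))` shows the four AccessDescriptions with their implicitly tagged locations (0x86, 0x86, 0x87, 0x88), and `parse(certificate_policies(SAMPLE_POLICIES))` shows one PolicyInformation per policy OID with its qualifier sequence; the notice with an empty display text, like notice.3 above, encodes as a UserNotice holding only the NoticeReference.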
-> sh -x update.sh
+ patch -i makefile.ssl.patch ../crypto/x509v3/makefile.ssl
Hmm... Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** ./openssl-0.9.2b/crypto/x509v3/makefile.ssl Mon Mar 22 07:22:00 1999
|--- ./openssl-0.9.2b-x509v3-patch/crypto/x509v3/makefile.ssl Tue Mar 30 16:42:54 1999
--------------------------
Patching file ../crypto/x509v3/makefile.ssl using Plan A...
Hunk #1 succeeded at 24.
done
+ patch -i v3_lib.c.patch ../crypto/x509v3/v3_lib.c
Hmm... Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** ./openssl-0.9.2b/crypto/x509v3/v3_lib.c Thu Mar 4 18:29:48 1999
|--- ./openssl-0.9.2b-x509v3-patch/crypto/x509v3/v3_lib.c Tue Mar 30 16:39:48 1999
--------------------------
Patching file ../crypto/x509v3/v3_lib.c using Plan A...
Hunk #1 succeeded at 148.
Hunk #2 succeeded at 164.
done
+ patch -i x509v3.h.patch ../crypto/x509v3/x509v3.h
Hmm... Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** ./openssl-0.9.2b/crypto/x509v3/x509v3.h Mon Mar 8 17:46:54 1999
|--- ./openssl-0.9.2b-x509v3-patch/crypto/x509v3/x509v3.h Wed Mar 31 10:58:00 1999
--------------------------
Patching file ../crypto/x509v3/x509v3.h using Plan A...
Hunk #1 succeeded at 173.
Hunk #2 succeeded at 256.
Hunk #3 succeeded at 367.
Hunk #4 succeeded at 461.
Hunk #5 succeeded at 478.
Hunk #6 succeeded at 486.
Hunk #7 succeeded at 502.
done
+ patch -i objects.h.patch ../crypto/objects/objects.h
Hmm... Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** ./openssl-0.9.2b/crypto/objects/objects.h Thu Feb 18 20:29:26 1999
|--- ./openssl-0.9.2b-x509v3-patch/crypto/objects/objects.h Tue Mar 30 17:06:10 1999
--------------------------
Patching file ../crypto/objects/objects.h using Plan A...
Hunk #1 succeeded at 678.
Hunk #2 succeeded at 722.
Hunk #3 succeeded at 749.
done
+ patch -i obj_dat.h.patch ../crypto/objects/obj_dat.h
Hmm... Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** ./openssl-0.9.2b/crypto/objects/obj_dat.h Thu Feb 18 20:29:26 1999
|--- ./openssl-0.9.2b-x509v3-patch/crypto/objects/obj_dat.h Thu Apr 1 13:18:26 1999
--------------------------
Patching file ../crypto/objects/obj_dat.h using Plan A...
Hunk #1 succeeded at 61.
Hunk #2 succeeded at 168.
Hunk #3 succeeded at 364.
Hunk #4 succeeded at 409.
Hunk #5 succeeded at 476.
Hunk #6 succeeded at 513.
Hunk #7 succeeded at 544.
Hunk #8 succeeded at 563.
Hunk #9 succeeded at 692.
Hunk #10 succeeded at 724.
Hunk #11 succeeded at 738.
Hunk #12 succeeded at 784.
done
+ patch -i asn1.h.patch ../crypto/asn1/asn1.h
Hmm... Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** ./openssl-0.9.2b/crypto/asn1/asn1.h Mon Mar 8 17:46:50 1999
|--- ./openssl-0.9.2b-x509v3-patch/crypto/asn1/asn1.h Tue Mar 30 16:46:20 1999
--------------------------
Patching file ../crypto/asn1/asn1.h using Plan A...
Hunk #1 succeeded at 698.
Hunk #2 succeeded at 725.
Hunk #3 succeeded at 749.
Hunk #4 succeeded at 756.
Hunk #5 succeeded at 768.
Hunk #6 succeeded at 794.
Hunk #7 succeeded at 813.
Hunk #8 succeeded at 825.
done
+ patch -i asn1_err.c.patch ../crypto/asn1/asn1_err.c
Hmm... Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** ./openssl-0.9.2b/crypto/asn1/asn1_err.c Wed Feb 17 18:22:54 1999
|--- ./openssl-0.9.2b-x509v3-patch/crypto/asn1/asn1_err.c Tue Mar 30 16:46:20 1999
--------------------------
Patching file ../crypto/asn1/asn1_err.c using Plan A...
Hunk #1 succeeded at 67.
Hunk #2 succeeded at 94.
Hunk #3 succeeded at 118.
Hunk #4 succeeded at 125.
Hunk #5 succeeded at 137.
Hunk #6 succeeded at 163.
Hunk #7 succeeded at 182.
Hunk #8 succeeded at 194.
done
+ patch -i openssl.cnf.patch ../apps/openssl.cnf
Hmm... Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** ./openssl-0.9.2b/apps/openssl.cnf Sat Mar 6 14:33:24 1999
|--- ./openssl-0.9.2b-x509v3-patch/apps/openssl.cnf Wed Mar 31 09:53:18 1999
--------------------------
Patching file ../apps/openssl.cnf using Plan A...
Hunk #1 succeeded at 190.
done
+ patch -i libeay.num.patch ../util/libeay.num
Hmm... Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** ./openssl-0.9.2b/util/libeay.num Mon Mar 8 17:46:56 1999
|--- ./openssl-0.9.2b-x509v3-patch/util/libeay.num Wed Mar 31 10:14:28 1999
--------------------------
Patching file ../util/libeay.num using Plan A...
Hunk #1 succeeded at 1229.
done
+ cp v3_ad.c v3_ainf.c v3_cpols.c v3_nref.c v3_pinf.c v3_pqinf.c v3_unot.c ../crypto/x509v3
openssl-0.9.2b tarball patch for x509v3 extensions