I incorporated these patches in 0.9.7d STABLE and compiled using the Solaris
native compiler instead of gcc. There were several errors because variable
definitions were placed after allocation statements, e.g.
+ for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+ cnf = sk_CONF_VALUE_value(nval, i);
+ STACK_OF(CONF_VALUE) *sk;
I can list the corrections (about 12) or, more appropriately, the author can
re-issue the patch with the necessary corrections so that it follows
standard C rules rather than C++.
Chris Brook
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Stephen Henson via RT
Sent: Thursday, April 08, 2004 4:02 AM
Cc: [EMAIL PROTECTED]
Subject: [openssl.org #869] [FWD] [PATCH] OpenSSL patch for CRL Distribution Points for the X.509 Certificate Profile
----- Forwarded message from Abhijit Hayatnagarkar <[EMAIL PROTECTED]> -----
Date: Mon, 5 Apr 2004 16:38:13 -0400 (EDT)
From: Abhijit Hayatnagarkar <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [PATCH] OpenSSL patch for CRL Distribution Points for the X.509 Certificate Profile
Description of the patch:
This patch provides the extended syntax for CRL Distribution Points as
specified in RFC 3280 Section 4.2.1.14. It also tries to maintain
backward compatibility with the existing syntax.
Without this crld patch, the syntax for the X509 extension field "CRL
Distribution Points" recognized by openssl is either:
crlDistributionPoints=URI:http://uri.crl.com/crl1,URI:http://uri.crl.com/crl2
or
crlDistributionPoints=@crlsection
[crlsection]
URI.1=http://uri.crl.com/crl1
URI.2=http://uri.crl.com/crl2
Thus, you can only specify the 'fullname' field of a single distribution
point.
With this crld patch, openssl will support a richer syntax for the "CRL
Distribution Points" extension field. Apart from 'fullname', you will be
able to specify the 'relativename', 'reasons' and 'CRLissuer' fields.
This patch is backward compatible, so you will still be able to use the
old syntax.
The 'reasons' field is a bitmap of ReasonFlags. The ReasonFlags are:
unused (0), keyCompromise (1), cACompromise (2), affiliationChanged (3),
superseded (4), cessationOfOperation (5), certificateHold (6),
privilegeWithdrawn (7) and aAcompromise (8).
Users can now specify CRL Distribution Points with a syntax as detailed as
the following:
crlDistributionPoints=@distpoint1,@distpoint2
[distpoint1]
fullname=URI:http://uri.crl.com/crl1,URI:http://uri.crl.com/crl2
reasons=keyCompromise,cACompromise
[distpoint2]
relativename=@relnamesect
reasons=cessationOfOperation,privilegeWithdrawn
CRLissuer=email:[EMAIL PROTECTED]
[relnamesect]
C = US
O = Org, Inc.
0.OU = Org Unit 1
1.OU = Sub Org Unit 2
CN = relative common name
Thanks,
Abhijit Hayatnagarkar
Sparta, Inc.
A copy of the TSU Notification sent to [EMAIL PROTECTED] is attached
below. This notification also included the patches attached to this
email.
---------- Forwarded message ----------
Date: Mon, 5 Apr 2004 16:21:57 -0400 (EDT)
From: Abhijit Hayatnagarkar <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: TSU Notification
SUBMISSION TYPE : TSU
SUBMITTED BY : Abhijit Hayatnagarkar
SUBMITTED FOR : Sparta, Inc.
POINT OF CONTACT: Abhijit Hayatnagarkar
PHONE and/or FAX: (410) 872-1515 Ext. 236
MANUFACTURER :
PRODUCT NAME/MODEL #: Patches for OpenSSL version 0.9.7c and SNAP-20040227
ECCN: 5D002
NOTIFICATION: Source code for the patch attached.
Short Description:
This patch provides the extended syntax for CRL Distribution
Points in the X.509 Certificate Profile as specified in RFC 3280 (See:
http://www.ietf.org/rfc/rfc3280.txt).
Content-Description: A patch to openssl 0.9.7c for the extended syntax for
CRL Distribution Points
diff -ur openssl-0.9.7c/crypto/x509v3/v3_crld.c
openssl-0.9.7c.modified/crypto/x509v3/v3_crld.c
--- openssl-0.9.7c/crypto/x509v3/v3_crld.c 2001-02-23
07:47:05.000000000 -0500
+++ openssl-0.9.7c.modified/crypto/x509v3/v3_crld.c 2004-04-05
15:55:24.000000000 -0400
@@ -63,8 +63,23 @@
#include <openssl/asn1t.h>
#include <openssl/x509v3.h>
-static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
- STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *extlist);
+static ENUMERATED_NAMES crl_reasons[] = {
+{0, "Unused", "unused"},
+{1, "Key Compromise", "keyCompromise"},
+{2, "CA Compromise", "cACompromise"},
+{3, "Affiliation Changed", "affiliationChanged"},
+{4, "Superseded", "superseded"},
+{5, "Cessation Of Operation", "cessationOfOperation"},
+{6, "Certificate Hold", "certificateHold"},
+{7, "Privilege Withdrawn", "privilegeWithdrawn"},
+{8, "AA Compromise", "aACompromise"},
+{-1, NULL, NULL}
+};
+
+static int i2r_crld(X509V3_EXT_METHOD *method,
+ STACK_OF(DIST_POINT) *crld, BIO *out, int indent);
+static STACK_OF(DIST_POINT) *r2i_crld(X509V3_EXT_METHOD *method,
+ X509V3_CTX *ctx, char *strval);
static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
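Review bot: the last entry of crl_reasons is spelled `aACompromise`, while the cover mail's list of ReasonFlags says `aAcompromise`; the lookup in crld_section is a case-sensitive strcmp against both sname and lname, so the description (and any later manpage text) must carry exactly the spelling used in this table. The `{-1, NULL, NULL}` terminator does match the `enam->lname` loop condition used below.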
@@ -72,31 +87,164 @@
NID_crl_distribution_points, X509V3_EXT_MULTILINE,
ASN1_ITEM_ref(CRL_DIST_POINTS),
0,0,0,0,
0,0,
-(X509V3_EXT_I2V)i2v_crld,
-(X509V3_EXT_V2I)v2i_crld,
0,0,
-NULL
+(X509V3_EXT_I2R)i2r_crld,
+(X509V3_EXT_R2I)r2i_crld,
+crl_reasons
};
-static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
- STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *exts)
+static DIST_POINT *crld_section(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
STACK_OF(CONF_VALUE) *nval) {
+
+ int i;
+ CONF_VALUE *cnf;
+ char *name, *value;
+ GENERAL_NAMES *gens = NULL;
+ DIST_POINT *point = NULL;
+ ASN1_BIT_STRING *bs = NULL;
+
+ if (!(point = DIST_POINT_new())) goto merr;
+ point->distpoint = NULL;
+
+ for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+ cnf = sk_CONF_VALUE_value(nval, i);
+ STACK_OF(CONF_VALUE) *sk;
+ name = cnf->name;
+ value = cnf->value;
+ sk = X509V3_parse_list(value);
+
+ if (!strcmp (name, "fullname")) {
+ if (!(gens = v2i_GENERAL_NAMES(method, ctx, sk))) goto err;
+
+ if(!(point->distpoint = DIST_POINT_NAME_new())) goto merr;
+ point->distpoint->name.fullname = gens;
+ point->distpoint->type = 0;
+ gens = NULL;
+ }
+ else if (!strcmp (name, "relativename")) {
+ if (*value == '@') {
+ X509_NAME *nm = NULL;
+ STACK_OF(CONF_VALUE) *relsect = NULL;
+ if (!(nm = X509_NAME_new())) goto merr;
+
+ relsect = X509V3_get_section(ctx, value + 1);
+ if (!relsect) {
+ X509V3err(X509V3_F_R2I_CRLD,
X509V3_R_INVALID_SECTION);
+ ERR_add_error_data(2, "section=", value + 1);
+ X509_NAME_free(nm);
+ }
+
+ if (! X509V3_NAME_from_section(nm, relsect,
MBSTRING_ASC)) {
+ X509_NAME_free(nm);
+ nm = NULL;
+ }
+ X509V3_section_free(ctx, relsect);
+ if (!point->distpoint)
+ if(!(point->distpoint =
DIST_POINT_NAME_new())) goto merr;
+ point->distpoint->name.relativename = nm->entries;
+ point->distpoint->type = 1;
+ nm->entries = NULL;
+ X509_NAME_free(nm);
+ }
+ else {
+ X509V3err(X509V3_F_R2I_CRLD, X509V3_R_INVALID_SECTION);
+ ERR_add_error_data(2, "section=", value);
+ goto err;
+ }
+ }
+ else if (!strcmp (name, "CRLissuer")) {
+ if (!(gens = v2i_GENERAL_NAMES(method, ctx, sk))) goto err;
+ point->CRLissuer = gens;
+ gens = NULL;
+ }
+ else if (!strcmp (name, "reasons")) {
+ int j;
+ if (! (bs = M_ASN1_BIT_STRING_new())) {
+ X509V3err(X509V3_F_R2I_CRLD, ERR_R_MALLOC_FAILURE);
+ goto merr;
+ }
+ for (j = 0; j < sk_CONF_VALUE_num(sk); j++) {
+ ENUMERATED_NAMES *enam;
+ CONF_VALUE *val = sk_CONF_VALUE_value(sk, j);
+ for (enam = method->usr_data; enam->lname; enam++) {
+ if (!strcmp(enam->sname, val->name) ||
+ !strcmp(enam->lname, val->name)) {
+ ASN1_BIT_STRING_set_bit(bs,
enam->bitnum, 1);
+ break;
+ }
+ }
+ if (!enam->lname) {
+ X509V3err(X509V3_F_R2I_CRLD,
+
X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT);
+ X509V3_conf_err(val);
+ goto err;
+ }
+ }
+ point->reasons = bs;
+ }
+ else {
+ /* For Backward Compatibility */
+ goto err;
+ }
+ }
+ return point;
+
+ merr:
+ X509V3err(X509V3_F_R2I_CRLD,ERR_R_MALLOC_FAILURE);
+ err:
+ GENERAL_NAMES_free(gens);
+ M_ASN1_BIT_STRING_free(bs);
+ DIST_POINT_free(point);
+ return NULL;
+}
+
+static int i2r_crld(X509V3_EXT_METHOD *method,
+ STACK_OF(DIST_POINT) *crld, BIO *out, int indent)
{
DIST_POINT *point;
int i;
for(i = 0; i < sk_DIST_POINT_num(crld); i++) {
point = sk_DIST_POINT_value(crld, i);
- if(point->distpoint) {
- if(point->distpoint->type == 0)
- exts = i2v_GENERAL_NAMES(NULL,
- point->distpoint->name.fullname, exts);
- else X509V3_add_value("RelativeName","<UNSUPPORTED>", &exts);
- }
- if(point->reasons)
- X509V3_add_value("reasons","<UNSUPPORTED>", &exts);
- if(point->CRLissuer)
- X509V3_add_value("CRLissuer","<UNSUPPORTED>", &exts);
+ if (point) {
+ BIO_printf(out, "%*sDistribution Point:\n", indent, "");
+ if(point->distpoint) {
+ if(point->distpoint->type == 0) {
+ BIO_printf(out, "%*sFull Name:\n", indent + 2,
"");
+ X509V3_EXT_val_prn(out, i2v_GENERAL_NAMES(NULL,
+
point->distpoint->name.fullname, NULL),
+ indent + 4,
method->ext_flags & X509V3_EXT_MULTILINE);
+ }
+ else if (point->distpoint->type == 1) {
+ BIO_printf(out, "%*sRelative Name:\n", indent
+ 2, "");
+ STACK_OF(X509_NAME_ENTRY) *ne =
point->distpoint->name.relativename;
+ X509_NAME *nm = X509_NAME_new();
+ if (nm) {
+ char oline[256];
+ nm->entries = ne;
+ X509_NAME_oneline(nm, oline, 256);
+ BIO_printf(out, "%*s%s\n", indent + 4,
"", oline);
+ nm->entries = NULL;
+ X509_NAME_free(nm);
+ }
+ }
+ }
+ if(point->reasons) {
+ BIO_printf(out, "%*sReasons:\n", indent + 2, "");
+ ENUMERATED_NAMES *enam;
+ ASN1_BIT_STRING *bits = point->reasons;
+
+ for (enam = method->usr_data; enam->lname; enam++) {
+ if (ASN1_BIT_STRING_get_bit(bits,
enam->bitnum))
+ BIO_printf(out, "%*s%s\n", indent + 4,
"", enam->lname);
+ }
+ }
+ if(point->CRLissuer) {
+ BIO_printf(out, "%*sCRL Issuer:\n", indent + 2, "");
+ X509V3_EXT_val_prn(out,
i2v_GENERAL_NAMES(NULL,point->CRLissuer, NULL),
+ indent + 4, method->ext_flags &
X509V3_EXT_MULTILINE);
+ }
+ }
}
- return exts;
+ return 1;
}
static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
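Review bot: the relativename branch of crld_section has two crashes: when X509V3_get_section returns NULL, the `if (!relsect)` block records the error and frees `nm` but does not `goto err`, so execution continues into `X509V3_NAME_from_section(nm, relsect, MBSTRING_ASC)` with a freed `nm` and a NULL section; and when that call fails, `nm` is set to NULL and `point->distpoint->name.relativename = nm->entries;` dereferences it. Both failure paths need a `goto err`. In the reasons branch `bs` is not reset to NULL after `point->reasons = bs;`, so a later `goto err` in the same loop frees it once through `M_ASN1_BIT_STRING_free(bs)` and again through `DIST_POINT_free(point)`; hand it over the way `gens` is (`gens = NULL;`). Each iteration's `sk = X509V3_parse_list(value);` is neither NULL-checked nor freed (`sk_CONF_VALUE_pop_free(sk, X509V3_conf_free)`), and the fullname and relativename assignments overwrite `point->distpoint` without freeing or rejecting an earlier value even though DistributionPointName is a CHOICE. In i2r_crld the stacks returned by `i2v_GENERAL_NAMES(NULL, ..., NULL)` go straight into X509V3_EXT_val_prn and are never freed. The declarations placed after statements (`STACK_OF(CONF_VALUE) *sk;` inside the loop; `STACK_OF(X509_NAME_ENTRY) *ne`, `ENUMERATED_NAMES *enam` and `ASN1_BIT_STRING *bits` in i2r_crld) are C99 and are the build errors reported at the top of this thread. Several lines in this hunk (the X509V3err calls, the ASN1_BIT_STRING_set_bit call, the BIO_printf calls) have been wrapped by the mailer, so the patch should be resent as an attachment.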
@@ -128,7 +276,85 @@
return crld;
merr:
- X509V3err(X509V3_F_V2I_CRLD,ERR_R_MALLOC_FAILURE);
+ X509V3err(X509V3_F_R2I_CRLD,ERR_R_MALLOC_FAILURE);
+ err:
+ GENERAL_NAME_free(gen);
+ GENERAL_NAMES_free(gens);
+ sk_DIST_POINT_pop_free(crld, DIST_POINT_free);
+ return NULL;
+}
+
+static STACK_OF(DIST_POINT) *r2i_crld(X509V3_EXT_METHOD *method,
+ X509V3_CTX *ctx, char *strval)
+{
+ STACK_OF(DIST_POINT) *crld = NULL;
+ GENERAL_NAMES *gens = NULL;
+ GENERAL_NAME *gen = NULL;
+ CONF_VALUE *cnf;
+ int i;
+ char *name;
+ STACK_OF(CONF_VALUE) *nval;
+ nval = X509V3_parse_list(strval);
+ if(!(crld = sk_DIST_POINT_new_null())) goto merr;
+ for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+ cnf = sk_CONF_VALUE_value(nval, i);
+ name = cnf->name;
+ if (*name == '@') {
+ STACK_OF(CONF_VALUE) *crldsect;
+ crldsect = X509V3_get_section(ctx, name + 1);
+ if (!crldsect) {
+
X509V3err(X509V3_F_R2I_CRLD,X509V3_R_INVALID_EXTENSION_STRING);
+ ERR_add_error_data(2, "section=", name);
+ goto err;
+ }
+
+ DIST_POINT *sectpoint = crld_section(method, ctx, crldsect);
+ X509V3_section_free(ctx, crldsect);
+
+ if (!sectpoint) {
+ /* For backward compatibility */
+ STACK_OF(DIST_POINT) *crld_tmp = NULL;
+ crld_tmp = v2i_crld(method, ctx, crldsect);
+
+ if (crld_tmp) {
+ DIST_POINT *dp = NULL;
+
+ while ((dp = sk_DIST_POINT_shift (crld_tmp))) {
+ if (!sk_DIST_POINT_push(crld, dp)) {
+ DIST_POINT_free(dp);
+
sk_DIST_POINT_pop_free(crld_tmp, DIST_POINT_free);
+ goto merr;
+ }
+ }
+ sk_DIST_POINT_pop_free(crld_tmp,
DIST_POINT_free);
+ }
+ }
+ else if(!sk_DIST_POINT_push(crld, sectpoint)) {
+ DIST_POINT_free(sectpoint);
+ goto merr;
+ }
+ }
+ else { /* For backward compatibility */
+ DIST_POINT *point;
+ if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) goto err;
+ if(!(gens = GENERAL_NAMES_new())) goto merr;
+ if(!sk_GENERAL_NAME_push(gens, gen)) goto merr;
+ gen = NULL;
+ if(!(point = DIST_POINT_new())) goto merr;
+ if(!sk_DIST_POINT_push(crld, point)) {
+ DIST_POINT_free(point);
+ goto merr;
+ }
+ if(!(point->distpoint = DIST_POINT_NAME_new())) goto merr;
+ point->distpoint->name.fullname = gens;
+ point->distpoint->type = 0;
+ gens = NULL;
+ }
+ }
+ return crld;
+
+ merr:
+ X509V3err(X509V3_F_R2I_CRLD,ERR_R_MALLOC_FAILURE);
err:
GENERAL_NAME_free(gen);
GENERAL_NAMES_free(gens);
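Review bot: in r2i_crld, `X509V3_section_free(ctx, crldsect);` runs immediately after crld_section returns, but the backward-compatibility fallback a few lines later passes the same freed `crldsect` to `v2i_crld`; move the free after the fallback. That fallback also fires for every NULL from crld_section, which covers malloc failure and an invalid relativename section (with errors already pushed) as much as an old-style `URI.1=` section, so genuine failures are silently re-parsed as GeneralNames; have crld_section signal the old syntax distinctly (for example by checking for the known keys before building the point) and propagate everything else. `nval = X509V3_parse_list(strval);` is never NULL-checked or freed, `DIST_POINT *sectpoint = ...` is a declaration after statements, and the `X509V3err(X509V3_F_R2I_CRLD, ...)` left in v2i_crld's merr path mislabels that function's errors: keep X509V3_F_V2I_CRLD there and allocate a new function code for r2i_crld.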
@@ -156,7 +382,7 @@
IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT)
ASN1_ITEM_TEMPLATE(CRL_DIST_POINTS) =
- ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, DIST_POINT, DIST_POINT)
+ ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CRLDistributionPoints,
DIST_POINT)
ASN1_ITEM_TEMPLATE_END(CRL_DIST_POINTS)
IMPLEMENT_ASN1_FUNCTIONS(CRL_DIST_POINTS)
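Review bot: the third argument of ASN1_EX_TEMPLATE_TYPE is the template's field-name string, not a type, so renaming it to CRLDistributionPoints changes no encoding or decoding; mark the change as cosmetic in the description so that a reader of this hunk does not look for a behavioural difference.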
diff -ur openssl-0.9.7c/crypto/x509v3/v3err.c
openssl-0.9.7c.modified/crypto/x509v3/v3err.c
--- openssl-0.9.7c/crypto/x509v3/v3err.c 2001-05-09 20:13:48.000000000 -0400
+++ openssl-0.9.7c.modified/crypto/x509v3/v3err.c 2004-04-05
15:55:24.000000000 -0400
@@ -93,7 +93,7 @@
{ERR_PACK(0,X509V3_F_V2I_ASN1_BIT_STRING,0), "V2I_ASN1_BIT_STRING"},
{ERR_PACK(0,X509V3_F_V2I_AUTHORITY_KEYID,0), "V2I_AUTHORITY_KEYID"},
{ERR_PACK(0,X509V3_F_V2I_BASIC_CONSTRAINTS,0), "V2I_BASIC_CONSTRAINTS"},
-{ERR_PACK(0,X509V3_F_V2I_CRLD,0), "V2I_CRLD"},
+{ERR_PACK(0,X509V3_F_R2I_CRLD,0), "R2I_CRLD"},
{ERR_PACK(0,X509V3_F_V2I_EXT_KU,0), "V2I_EXT_KU"},
{ERR_PACK(0,X509V3_F_V2I_GENERAL_NAME,0), "v2i_GENERAL_NAME"},
{ERR_PACK(0,X509V3_F_V2I_GENERAL_NAMES,0), "v2i_GENERAL_NAMES"},
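Review bot: replacing the V2I_CRLD entry instead of adding one for R2I_CRLD means the still-present v2i_crld (called from the new fallback) can no longer be named in error output; add `{ERR_PACK(0,X509V3_F_R2I_CRLD,0), "R2I_CRLD"},` as a new line and keep the V2I_CRLD line.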
diff -ur openssl-0.9.7c/crypto/x509v3/v3_utl.c
openssl-0.9.7c.modified/crypto/x509v3/v3_utl.c
--- openssl-0.9.7c/crypto/x509v3/v3_utl.c 2002-11-13
19:45:04.000000000 -0500
+++ openssl-0.9.7c.modified/crypto/x509v3/v3_utl.c 2004-04-05
15:55:24.000000000 -0400
@@ -533,3 +533,50 @@
{
sk_pop_free(sk, str_free);
}
+
+/* From the openssl-SNAP-20040227 snapshot of openssl 0.9.8 */
+int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
+ unsigned long chtype)
+ {
+ CONF_VALUE *v;
+ int i, mval;
+ char *p, *type;
+ if (!nm)
+ return 0;
+
+ for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++)
+ {
+ v=sk_CONF_VALUE_value(dn_sk,i);
+ type=v->name;
+ /* Skip past any leading X. X: X, etc to allow for
+ * multiple instances
+ */
+ for(p = type; *p ; p++)
+#ifndef CHARSET_EBCDIC
+ if ((*p == ':') || (*p == ',') || (*p == '.'))
+#else
+ if ((*p == os_toascii[':']) || (*p == os_toascii[',']) || (*p
==
os_toascii['.']))
+#endif
+ {
+ p++;
+ if(*p) type = p;
+ break;
+ }
+#ifndef CHARSET_EBCDIC
+ if (*p == '+')
+#else
+ if (*p == os_toascii['+'])
+#endif
+ {
+ mval = -1;
+ p++;
+ }
+ else
+ mval = 0;
+ if (!X509_NAME_add_entry_by_txt(nm,type, chtype,
+ (unsigned char *) v->value,-1,-1,mval))
+ return 0;
+
+ }
+ return 1;
+ }
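Review bot: in the copied X509V3_NAME_from_section the '+' check only runs on the character reached after the `N.` separator loop, and it then advances `p` past the '+' while `type`, the value handed to X509_NAME_add_entry_by_txt, still points at the '+', so a multi-valued RDN entry cannot succeed as written; update `type` along with `p`, or state that relativename sections do not support multi-valued RDNs. The `#else` branch's `if ((*p == os_toascii[':']) ...` line has been wrapped by the mailer across three lines, so this hunk will not apply as posted, and since the function is added to the public header it should be listed in CHANGES.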
diff -ur openssl-0.9.7c/crypto/x509v3/x509v3.h
openssl-0.9.7c.modified/crypto/x509v3/x509v3.h
--- openssl-0.9.7c/crypto/x509v3/x509v3.h 2003-01-29
10:06:38.000000000 -0500
+++ openssl-0.9.7c.modified/crypto/x509v3/x509v3.h 2004-04-05
15:55:24.000000000 -0400
@@ -547,6 +547,9 @@
STACK *X509_get1_email(X509 *x);
STACK *X509_REQ_get1_email(X509_REQ *x);
void X509_email_free(STACK *sk);
+/* From the openssl-SNAP-20040227 snapshot of openssl 0.9.8 */
+int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
+ unsigned long chtype);
/* BEGIN ERROR CODES */
@@ -585,7 +588,7 @@
#define X509V3_F_V2I_ASN1_BIT_STRING 101
#define X509V3_F_V2I_AUTHORITY_KEYID 119
#define X509V3_F_V2I_BASIC_CONSTRAINTS 102
-#define X509V3_F_V2I_CRLD 134
+#define X509V3_F_R2I_CRLD 134
#define X509V3_F_V2I_EXT_KU 103
#define X509V3_F_V2I_GENERAL_NAME 117
#define X509V3_F_V2I_GENERAL_NAMES 118
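Review bot: `X509V3_F_V2I_CRLD` is part of the installed public header, so replacing it breaks any application that references the name; keep it and give X509V3_F_R2I_CRLD an unused function code (these numbers are assigned by util/mkerr.pl, so let it pick rather than reusing 134).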
diff -ur openssl-0.9.7c/include/openssl/x509v3.h
openssl-0.9.7c.modified/include/openssl/x509v3.h
--- openssl-0.9.7c/include/openssl/x509v3.h 2003-01-29
10:06:38.000000000 -0500
+++ openssl-0.9.7c.modified/include/openssl/x509v3.h 2004-04-05
15:55:24.000000000 -0400
@@ -547,6 +547,9 @@
STACK *X509_get1_email(X509 *x);
STACK *X509_REQ_get1_email(X509_REQ *x);
void X509_email_free(STACK *sk);
+/* From the openssl-SNAP-20040227 snapshot of openssl 0.9.8 */
+int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
+ unsigned long chtype);
/* BEGIN ERROR CODES */
@@ -585,7 +588,7 @@
#define X509V3_F_V2I_ASN1_BIT_STRING 101
#define X509V3_F_V2I_AUTHORITY_KEYID 119
#define X509V3_F_V2I_BASIC_CONSTRAINTS 102
-#define X509V3_F_V2I_CRLD 134
+#define X509V3_F_R2I_CRLD 134
#define X509V3_F_V2I_EXT_KU 103
#define X509V3_F_V2I_GENERAL_NAME 117
#define X509V3_F_V2I_GENERAL_NAMES 118
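Review bot: include/openssl/x509v3.h is the copy of crypto/x509v3/x509v3.h that `make links` maintains (normally a symlink), so both hunks for this file repeat the crypto/x509v3/x509v3.h change; where the link exists, patch applies them to the already-patched file and rejects them. Drop the include/openssl hunks and let `make links` refresh the copy.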
Content-Description: A patch for the openssl development version 20040227
for the extended syntax for CRL Distribution Points
diff -ur openssl-SNAP-20040227/crypto/x509v3/v3_crld.c
openssl-SNAP-20040227.modified/crypto/x509v3/v3_crld.c
--- openssl-SNAP-20040227/crypto/x509v3/v3_crld.c 2003-11-20
18:00:13.000000000 -0500
+++ openssl-SNAP-20040227.modified/crypto/x509v3/v3_crld.c 2004-03-02
17:58:06.000000000 -0500
@@ -63,8 +63,23 @@
#include <openssl/asn1t.h>
#include <openssl/x509v3.h>
-static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
- STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *extlist);
+static ENUMERATED_NAMES crl_reasons[] = {
+{0, "Unused", "unused"},
+{1, "Key Compromise", "keyCompromise"},
+{2, "CA Compromise", "cACompromise"},
+{3, "Affiliation Changed", "affiliationChanged"},
+{4, "Superseded", "superseded"},
+{5, "Cessation Of Operation", "cessationOfOperation"},
+{6, "Certificate Hold", "certificateHold"},
+{7, "Privilege Withdrawn", "privilegeWithdrawn"},
+{8, "AA Compromise", "aACompromise"},
+{-1, NULL, NULL}
+};
+
+static int i2r_crld(X509V3_EXT_METHOD *method,
+ STACK_OF(DIST_POINT) *crld, BIO *out, int indent);
+static STACK_OF(DIST_POINT) *r2i_crld(X509V3_EXT_METHOD *method,
+ X509V3_CTX *ctx, char *strval);
static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
@@ -72,31 +87,164 @@
NID_crl_distribution_points, X509V3_EXT_MULTILINE,
ASN1_ITEM_ref(CRL_DIST_POINTS),
0,0,0,0,
0,0,
-(X509V3_EXT_I2V)i2v_crld,
-(X509V3_EXT_V2I)v2i_crld,
0,0,
-NULL
+(X509V3_EXT_I2R)i2r_crld,
+(X509V3_EXT_R2I)r2i_crld,
+crl_reasons
};
-static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
- STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *exts)
+static DIST_POINT *crld_section(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
STACK_OF(CONF_VALUE) *nval) {
+
+ int i;
+ CONF_VALUE *cnf;
+ char *name, *value;
+ GENERAL_NAMES *gens = NULL;
+ DIST_POINT *point = NULL;
+ ASN1_BIT_STRING *bs = NULL;
+
+ if (!(point = DIST_POINT_new())) goto merr;
+ point->distpoint = NULL;
+
+ for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+ cnf = sk_CONF_VALUE_value(nval, i);
+ STACK_OF(CONF_VALUE) *sk;
+ name = cnf->name;
+ value = cnf->value;
+ sk = X509V3_parse_list(value);
+
+ if (!strcmp (name, "fullname")) {
+ if (!(gens = v2i_GENERAL_NAMES(method, ctx, sk))) goto err;
+
+ if(!(point->distpoint = DIST_POINT_NAME_new())) goto merr;
+ point->distpoint->name.fullname = gens;
+ point->distpoint->type = 0;
+ gens = NULL;
+ }
+ else if (!strcmp (name, "relativename")) {
+ if (*value == '@') {
+ X509_NAME *nm = NULL;
+ STACK_OF(CONF_VALUE) *relsect = NULL;
+ if (!(nm = X509_NAME_new())) goto merr;
+
+ relsect = X509V3_get_section(ctx, value + 1);
+ if (!relsect) {
+ X509V3err(X509V3_F_R2I_CRLD,
X509V3_R_INVALID_SECTION);
+ ERR_add_error_data(2, "section=", value + 1);
+ X509_NAME_free(nm);
+ }
+
+ if (! X509V3_NAME_from_section(nm, relsect,
MBSTRING_ASC)) {
+ X509_NAME_free(nm);
+ nm = NULL;
+ }
+ X509V3_section_free(ctx, relsect);
+ if (!point->distpoint)
+ if(!(point->distpoint =
DIST_POINT_NAME_new())) goto merr;
+ point->distpoint->name.relativename = nm->entries;
+ point->distpoint->type = 1;
+ nm->entries = NULL;
+ X509_NAME_free(nm);
+ }
+ else {
+ X509V3err(X509V3_F_R2I_CRLD, X509V3_R_INVALID_SECTION);
+ ERR_add_error_data(2, "section=", value);
+ goto err;
+ }
+ }
+ else if (!strcmp (name, "CRLissuer")) {
+ if (!(gens = v2i_GENERAL_NAMES(method, ctx, sk))) goto err;
+ point->CRLissuer = gens;
+ gens = NULL;
+ }
+ else if (!strcmp (name, "reasons")) {
+ int j;
+ if (! (bs = M_ASN1_BIT_STRING_new())) {
+ X509V3err(X509V3_F_R2I_CRLD, ERR_R_MALLOC_FAILURE);
+ goto merr;
+ }
+ for (j = 0; j < sk_CONF_VALUE_num(sk); j++) {
+ ENUMERATED_NAMES *enam;
+ CONF_VALUE *val = sk_CONF_VALUE_value(sk, j);
+ for (enam = method->usr_data; enam->lname; enam++) {
+ if (!strcmp(enam->sname, val->name) ||
+ !strcmp(enam->lname, val->name)) {
+ ASN1_BIT_STRING_set_bit(bs,
enam->bitnum, 1);
+ break;
+ }
+ }
+ if (!enam->lname) {
+ X509V3err(X509V3_F_R2I_CRLD,
+
X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT);
+ X509V3_conf_err(val);
+ goto err;
+ }
+ }
+ point->reasons = bs;
+ }
+ else {
+ /* For Backward Compatibility */
+ goto err;
+ }
+ }
+ return point;
+
+ merr:
+ X509V3err(X509V3_F_R2I_CRLD,ERR_R_MALLOC_FAILURE);
+ err:
+ GENERAL_NAMES_free(gens);
+ M_ASN1_BIT_STRING_free(bs);
+ DIST_POINT_free(point);
+ return NULL;
+}
+
+static int i2r_crld(X509V3_EXT_METHOD *method,
+ STACK_OF(DIST_POINT) *crld, BIO *out, int indent)
{
DIST_POINT *point;
int i;
for(i = 0; i < sk_DIST_POINT_num(crld); i++) {
point = sk_DIST_POINT_value(crld, i);
- if(point->distpoint) {
- if(point->distpoint->type == 0)
- exts = i2v_GENERAL_NAMES(NULL,
- point->distpoint->name.fullname, exts);
- else X509V3_add_value("RelativeName","<UNSUPPORTED>", &exts);
- }
- if(point->reasons)
- X509V3_add_value("reasons","<UNSUPPORTED>", &exts);
- if(point->CRLissuer)
- X509V3_add_value("CRLissuer","<UNSUPPORTED>", &exts);
+ if (point) {
+ BIO_printf(out, "%*sDistribution Point:\n", indent, "");
+ if(point->distpoint) {
+ if(point->distpoint->type == 0) {
+ BIO_printf(out, "%*sFull Name:\n", indent + 2,
"");
+ X509V3_EXT_val_prn(out, i2v_GENERAL_NAMES(NULL,
+
point->distpoint->name.fullname, NULL),
+ indent + 4,
method->ext_flags & X509V3_EXT_MULTILINE);
+ }
+ else if (point->distpoint->type == 1) {
+ BIO_printf(out, "%*sRelative Name:\n", indent
+ 2, "");
+ STACK_OF(X509_NAME_ENTRY) *ne =
point->distpoint->name.relativename;
+ X509_NAME *nm = X509_NAME_new();
+ if (nm) {
+ char oline[256];
+ nm->entries = ne;
+ X509_NAME_oneline(nm, oline, 256);
+ BIO_printf(out, "%*s%s\n", indent + 4,
"", oline);
+ nm->entries = NULL;
+ X509_NAME_free(nm);
+ }
+ }
+ }
+ if(point->reasons) {
+ BIO_printf(out, "%*sReasons:\n", indent + 2, "");
+ ENUMERATED_NAMES *enam;
+ ASN1_BIT_STRING *bits = point->reasons;
+
+ for (enam = method->usr_data; enam->lname; enam++) {
+ if (ASN1_BIT_STRING_get_bit(bits,
enam->bitnum))
+ BIO_printf(out, "%*s%s\n", indent + 4,
"", enam->lname);
+ }
+ }
+ if(point->CRLissuer) {
+ BIO_printf(out, "%*sCRL Issuer:\n", indent + 2, "");
+ X509V3_EXT_val_prn(out,
i2v_GENERAL_NAMES(NULL,point->CRLissuer, NULL),
+ indent + 4, method->ext_flags &
X509V3_EXT_MULTILINE);
+ }
+ }
}
- return exts;
+ return 1;
}
static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
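Review bot: this is the same crld_section and i2r_crld body as in the 0.9.7c hunk and carries the same defects: no `goto err` after a failed X509V3_get_section in the relativename branch (the freed `nm` is then passed to X509V3_NAME_from_section), `nm->entries` dereferenced after `nm` has been set to NULL, `bs` not reset after `point->reasons = bs;` (double free on a later error), `sk` from X509V3_parse_list never freed, the i2v_GENERAL_NAMES stacks leaked in i2r_crld, and declarations after statements, which the snapshot still builds with C89 compilers.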
@@ -128,7 +276,85 @@
return crld;
merr:
- X509V3err(X509V3_F_V2I_CRLD,ERR_R_MALLOC_FAILURE);
+ X509V3err(X509V3_F_R2I_CRLD,ERR_R_MALLOC_FAILURE);
+ err:
+ GENERAL_NAME_free(gen);
+ GENERAL_NAMES_free(gens);
+ sk_DIST_POINT_pop_free(crld, DIST_POINT_free);
+ return NULL;
+}
+
+static STACK_OF(DIST_POINT) *r2i_crld(X509V3_EXT_METHOD *method,
+ X509V3_CTX *ctx, char *strval)
+{
+ STACK_OF(DIST_POINT) *crld = NULL;
+ GENERAL_NAMES *gens = NULL;
+ GENERAL_NAME *gen = NULL;
+ CONF_VALUE *cnf;
+ int i;
+ char *name;
+ STACK_OF(CONF_VALUE) *nval;
+ nval = X509V3_parse_list(strval);
+ if(!(crld = sk_DIST_POINT_new_null())) goto merr;
+ for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+ cnf = sk_CONF_VALUE_value(nval, i);
+ name = cnf->name;
+ if (*name == '@') {
+ STACK_OF(CONF_VALUE) *crldsect;
+ crldsect = X509V3_get_section(ctx, name + 1);
+ if (!crldsect) {
+
X509V3err(X509V3_F_R2I_CRLD,X509V3_R_INVALID_EXTENSION_STRING);
+ ERR_add_error_data(2, "section=", name);
+ goto err;
+ }
+
+ DIST_POINT *sectpoint = crld_section(method, ctx, crldsect);
+ X509V3_section_free(ctx, crldsect);
+
+ if (!sectpoint) {
+ /* For backward compatibility */
+ STACK_OF(DIST_POINT) *crld_tmp = NULL;
+ crld_tmp = v2i_crld(method, ctx, crldsect);
+
+ if (crld_tmp) {
+ DIST_POINT *dp = NULL;
+
+ while ((dp = sk_DIST_POINT_shift (crld_tmp))) {
+ if (!sk_DIST_POINT_push(crld, dp)) {
+ DIST_POINT_free(dp);
+
sk_DIST_POINT_pop_free(crld_tmp, DIST_POINT_free);
+ goto merr;
+ }
+ }
+ sk_DIST_POINT_pop_free(crld_tmp,
DIST_POINT_free);
+ }
+ }
+ else if(!sk_DIST_POINT_push(crld, sectpoint)) {
+ DIST_POINT_free(sectpoint);
+ goto merr;
+ }
+ }
+ else { /* For backward compatibility */
+ DIST_POINT *point;
+ if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) goto err;
+ if(!(gens = GENERAL_NAMES_new())) goto merr;
+ if(!sk_GENERAL_NAME_push(gens, gen)) goto merr;
+ gen = NULL;
+ if(!(point = DIST_POINT_new())) goto merr;
+ if(!sk_DIST_POINT_push(crld, point)) {
+ DIST_POINT_free(point);
+ goto merr;
+ }
+ if(!(point->distpoint = DIST_POINT_NAME_new())) goto merr;
+ point->distpoint->name.fullname = gens;
+ point->distpoint->type = 0;
+ gens = NULL;
+ }
+ }
+ return crld;
+
+ merr:
+ X509V3err(X509V3_F_R2I_CRLD,ERR_R_MALLOC_FAILURE);
err:
GENERAL_NAME_free(gen);
GENERAL_NAMES_free(gens);
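Review bot: as in the 0.9.7c version of this hunk, `crldsect` is freed by X509V3_section_free before the fallback `v2i_crld(method, ctx, crldsect)` reads it, and the fallback swallows genuine crld_section failures; `nval` is also never freed, `DIST_POINT *sectpoint = ...` is a declaration after statements, and v2i_crld's merr path now reports X509V3_F_R2I_CRLD.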
diff -ur openssl-SNAP-20040227/crypto/x509v3/v3err.c
openssl-SNAP-20040227.modified/crypto/x509v3/v3err.c
--- openssl-SNAP-20040227/crypto/x509v3/v3err.c 2003-03-24
14:15:29.000000000 -0500
+++ openssl-SNAP-20040227.modified/crypto/x509v3/v3err.c 2004-03-02
14:52:53.000000000 -0500
@@ -95,7 +95,7 @@
{ERR_PACK(0,X509V3_F_V2I_ASN1_BIT_STRING,0), "V2I_ASN1_BIT_STRING"},
{ERR_PACK(0,X509V3_F_V2I_AUTHORITY_KEYID,0), "V2I_AUTHORITY_KEYID"},
{ERR_PACK(0,X509V3_F_V2I_BASIC_CONSTRAINTS,0), "V2I_BASIC_CONSTRAINTS"},
-{ERR_PACK(0,X509V3_F_V2I_CRLD,0), "V2I_CRLD"},
+{ERR_PACK(0,X509V3_F_R2I_CRLD,0), "R2I_CRLD"},
{ERR_PACK(0,X509V3_F_V2I_EXT_KU,0), "V2I_EXT_KU"},
{ERR_PACK(0,X509V3_F_V2I_GENERAL_NAME,0), "v2i_GENERAL_NAME"},
{ERR_PACK(0,X509V3_F_V2I_GENERAL_NAMES,0), "v2i_GENERAL_NAMES"},
diff -ur openssl-SNAP-20040227/crypto/x509v3/x509v3.h
openssl-SNAP-20040227.modified/crypto/x509v3/x509v3.h
--- openssl-SNAP-20040227/crypto/x509v3/x509v3.h 2003-03-24
14:15:29.000000000 -0500
+++ openssl-SNAP-20040227.modified/crypto/x509v3/x509v3.h 2004-03-02
14:52:58.000000000 -0500
@@ -633,7 +633,7 @@
#define X509V3_F_V2I_ASN1_BIT_STRING 101
#define X509V3_F_V2I_AUTHORITY_KEYID 119
#define X509V3_F_V2I_BASIC_CONSTRAINTS 102
-#define X509V3_F_V2I_CRLD 134
+#define X509V3_F_R2I_CRLD 134
#define X509V3_F_V2I_EXT_KU 103
#define X509V3_F_V2I_GENERAL_NAME 117
#define X509V3_F_V2I_GENERAL_NAMES 118
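Review bot: X509V3_F_V2I_CRLD is a public name; add X509V3_F_R2I_CRLD with a fresh function code instead of replacing it, and keep the V2I_CRLD line in the v3err.c table above so that v2i_crld's errors stay attributable.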
----- End forwarded message -----
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
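As an added example (not part of this mail or of OpenSSL), a small Python parser for the crlDistributionPoints syntax described in the patch description above: it accepts the two old forms and the new section form, applies the same fallback order as the patch, and DER-encodes `reasons` as the RFC 3280 ReasonFlags BIT STRING that the patch builds with ASN1_BIT_STRING_set_bit. The config is supplied already split into (name, value) pairs per section, standing in for X509V3_get_section; the section contents and the ca-operator@example.com address are constructed.

```python
"""Constructed example (not OpenSSL code) for the crlDistributionPoints syntax above."""
import re

# ReasonFlags bit numbers (RFC 3280 4.2.1.14): index = bit, same order as crl_reasons.
REASON_FLAGS = ["unused", "keyCompromise", "cACompromise", "affiliationChanged",
                "superseded", "cessationOfOperation", "certificateHold",
                "privilegeWithdrawn", "aACompromise"]

def parse_list(value):
    """Like X509V3_parse_list: 'URI:x,email:y' -> [('URI', 'x'), ('email', 'y')]."""
    items = []
    for item in value.split(","):
        name, _, val = item.strip().partition(":")
        items.append((name, val))
    return items

def encode_reason_flags(names):
    """DER BIT STRING for a named bit list: trailing zero bits are not encoded."""
    bits = [REASON_FLAGS.index(n) for n in names]    # ValueError on an unknown flag
    nbits = max(bits) + 1 if bits else 0
    content = bytearray((nbits + 7) // 8)
    for b in bits:
        content[b // 8] |= 0x80 >> (b % 8)           # bit 0 is the MSB of byte 0
    unused = len(content) * 8 - nbits
    return bytes([0x03, len(content) + 1, unused]) + bytes(content)

def rdn_from_section(sect):
    """Like X509V3_NAME_from_section: drop the '0.' / '1:' prefix that lets a
    type repeat ('0.OU', '1.OU'); returns [(type, value), ...] in order."""
    return [(re.sub(r"^[^.:,]*[.:,](?=.)", "", n), v) for n, v in sect]

def parse_dp_section(conf, sect):
    """Extended syntax: one DistributionPoint from a section. Returns None on an
    unknown key (old 'URI.1=' style) so the caller can fall back, as the patch does."""
    dp = {}
    for name, value in sect:
        if name == "fullname":
            dp["fullname"] = parse_list(value)
        elif name == "relativename":
            if not value.startswith("@"):
                raise ValueError("relativename must be @section")
            dp["relativename"] = rdn_from_section(conf[value[1:]])
        elif name == "reasons":
            dp["reasons"] = encode_reason_flags([n for n, _ in parse_list(value)])
        elif name == "CRLissuer":
            dp["CRLissuer"] = parse_list(value)
        else:
            return None
    if "fullname" in dp and "relativename" in dp:
        raise ValueError("DistributionPointName is a CHOICE: fullname or relativename")
    return dp

def parse_crl_dist_points(conf, value):
    """One dict per DistributionPoint; conf maps section -> [(name, value)] like
    X509V3_get_section. Old syntax yields one point per GeneralName, as v2i_crld does."""
    points = []
    for name, val in parse_list(value):
        sect = conf[name[1:]] if name.startswith("@") else None   # KeyError if missing
        dp = parse_dp_section(conf, sect) if sect is not None else None
        if dp is not None:
            points.append(dp)
        else:                   # old syntax: every GeneralName becomes its own point
            for n, v in (sect or [(name, val)]):
                points.append({"fullname": [(n.split(".")[0], v)]})
    return points

# Constructed config sections, following the example in the patch description.
EXAMPLE_CONF = {
    "distpoint1": [("fullname", "URI:http://uri.crl.com/crl1,URI:http://uri.crl.com/crl2"),
                   ("reasons", "keyCompromise,cACompromise")],
    "distpoint2": [("relativename", "@relnamesect"),
                   ("reasons", "cessationOfOperation,privilegeWithdrawn"),
                   ("CRLissuer", "email:ca-operator@example.com")],
    "relnamesect": [("C", "US"), ("O", "Org, Inc."), ("0.OU", "Org Unit 1"),
                    ("1.OU", "Sub Org Unit 2"), ("CN", "relative common name")],
}

def example():
    return parse_crl_dist_points(EXAMPLE_CONF, "@distpoint1,@distpoint2")
```

With the example sections, `reasons=keyCompromise,cACompromise` encodes as `03 02 05 60` (bits 1 and 2, five unused bits) and `cessationOfOperation,privilegeWithdrawn` as `03 02 00 05`.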
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]