[openssl.org #869] [FWD] [PATCH] OpenSSL patch for CRL Distribution Points for the X.509 Certificate Profile
This has now been implemented in 0.9.9 but using a somewhat different syntax. Ticket resolved.

Steve.
RE: [openssl.org #869] [FWD] [PATCH] OpenSSL patch for CRL Distribution Points for the X.509 Certificate Profile
I incorporated these patches in 0.9.7d STABLE and compiled using the Solaris native compiler instead of gcc. There were several errors because variable definitions were placed after allocation statements, e.g.

+ for (i = 0; i sk_CONF_VALUE_num(nval); i++) { + cnf = sk_CONF_VALUE_value(nval, i); + STACK_OF(CONF_VALUE) *sk;

I can list the corrections (about 12) or, more appropriately, the author can re-issue the patch with the necessary corrections so that it follows standard C rules rather than C++.

Chris Brook

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Stephen Henson via RT
Sent: Thursday, April 08, 2004 4:02 AM
Cc: [EMAIL PROTECTED]
Subject: [openssl.org #869] [FWD] [PATCH] OpenSSL patch for CRL Distribution Points for the X.509 Certificate Profile

- Forwarded message from Abhijit Hayatnagarkar [EMAIL PROTECTED] -

Delivered-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Date: Mon, 5 Apr 2004 16:38:13 -0400 (EDT)
From: Abhijit Hayatnagarkar [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [PATCH] OpenSSL patch for CRL Distribution Points for the X.509 Certificate Profile
Precedence: bulk
Reply-To: [EMAIL PROTECTED]

Description of the patch:

This patch provides the extended syntax for CRL Distribution Points as specified in RFC 3280 Section 4.2.1.14. It also tries to maintain backward compatibility with the existing syntax.

Without this crld patch, the syntax for the X509 extension field CRL Distribution Points recognized by openssl is either:

crlDistributionPoints=URI:http://uri.crl.com/crl1,URI:http://uri.crl.com/crl2

or

[EMAIL PROTECTED]

[crlsection]
URI.1=http://uri.crl.com/crl1
URI.2=http://uri.crl.com/crl2

Thus, you can only specify the 'fullname' field of a single distribution point.

With this crld patch, openssl will support a richer syntax for the CRL Distribution Points extension field. Apart from 'fullname', you will be able to specify the 'relativename', 'reasons' and 'CRLissuer' fields. This patch is backward compatible, so you will still be able to use the old syntax.

The 'reasons' field is a bitmap of ReasonFlags. The ReasonFlags are: unused (0), keyCompromise (1), cACompromise (2), affiliationChanged (3), superseded (4), cessationOfOperation (5), certificateHold (6), privilegeWithdrawn (7) and aAcompromise (8).

Users can now specify CRL Distribution Points with a syntax as detailed as the following:

[EMAIL PROTECTED],@distpoint2

[distpoint1]
fullname=URI:http://uri.crl.com/crl1,URI:http://uri.crl.com/crl2
reasons=keyCompromise,cACompromise

[distpoint2]
[EMAIL PROTECTED]
reasons=cessationOfOperation,privilegeWithdrawn
CRLissuer=email:[EMAIL PROTECTED]

[relnamesect]
C = US
O = Org, Inc.
0.OU= Org Unit 1
1.OU= Sub Org Unit 2
CN = relative common name

Thanks,
Abhijit Hayatnagarkar
Sparta, Inc.

A copy of the TSU Notification sent to [EMAIL PROTECTED] is attached below. This notification also included the patches attached to this email.
-- Forwarded message --
Date: Mon, 5 Apr 2004 16:21:57 -0400 (EDT)
From: Abhijit Hayatnagarkar [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: TSU Notification

SUBMISSION TYPE : TSU
SUBMITTED BY: Abhijit Hayatnagarkar
SUBMITTED FOR : Sparta, Inc.
POINT OF CONTACT: Abhijit Hayatnagarkar
PHONE and/or FAX: (410) 872-1515 Ext. 236
MANUFACTURER:
PRODUCT NAME/MODEL #: Patches for OpenSSL version 0.9.7c and SNAP-20040227
ECCN: 5D002
NOTIFICATION: Source code for the patch attached.

Short Description: This patch provides the extended syntax for CRL Distribution Points in the X.509 Certificate Profile as specified in RFC 3280 (See: http://www.ietf.org/rfc/rfc3280.txt).

Content-Description: A patch to openssl 0.9.7c for the extended syntax for CRL Distribution Points

diff -ur openssl-0.9.7c/crypto/x509v3/v3_crld.c openssl-0.9.7c.modified/crypto/x509v3/v3_crld.c --- openssl-0.9.7c/crypto/x509v3/v3_crld.c 2001-02-23 07:47:05.0 -0500 +++ openssl-0.9.7c.modified/crypto/x509v3/v3_crld.c 2004-04-05 15:55:24.0 -0400 @@ -63,8 +63,23 @@ #include openssl/asn1t.h #include openssl/x509v3.h -static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method, - STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *extlist); +static ENUMERATED_NAMES crl_reasons[] = { +{0, Unused, unused}, +{1, Key Compromise, keyCompromise}, +{2, CA Compromise, cACompromise}, +{3, Affiliation Changed, affiliationChanged}, +{4, Superseded, superseded}, +{5, Cessation Of Operation, cessationOfOperation}, +{6, Certificate Hold, certificateHold}, +{7, Privilege Withdrawn, privilegeWithdrawn}, +{8, AA Compromise, aACompromise}, +{-1, NULL, NULL} +}; + +static int i2r_crld(X509V3_EXT_METHOD *method, +STACK_OF(DIST_POINT) *crld, BIO *out, int indent); +static STACK_OF(DIST_POINT
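Review bot: the crl_reasons[] table added at the top of the @@ -63,8 +63,23 @@ hunk is typed ENUMERATED_NAMES, but the patch description calls 'reasons' a bitmap of ReasonFlags, so the first column (0 to 8) is a bit position and not an enumerated value. A one-line comment above the table saying so would keep a later reader from treating the entries as enumerated reason codes. Nine flags also means the encoded bit string needs two content octets once aACompromise is set, which deserves a test case. The short name aACompromise in the last entry differs in case from the aAcompromise spelling in the description; the documentation should use whichever spelling the parser accepts.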
RE: [openssl.org #869] [FWD] [PATCH] OpenSSL patch for CRL Distribution Points for the X.509 Certificate Profile
I will re-issue a patch for 0.9.7d with the necessary corrections.

Thank you,
Abhijit Hayatnagarkar
Sparta, Inc.

On Mon, 12 Apr 2004, Chris Brook wrote:

I incorporated these patches in 0.9.7d STABLE and compiled using the Solaris native compiler instead of gcc. There were several errors because variable definitions were placed after allocation statements, e.g.

+ for (i = 0; i sk_CONF_VALUE_num(nval); i++) { + cnf = sk_CONF_VALUE_value(nval, i); + STACK_OF(CONF_VALUE) *sk;

I can list the corrections (about 12) or, more appropriately, the author can re-issue the patch with the necessary corrections so that it follows standard C rules rather than C++.

Chris Brook

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Stephen Henson via RT
Sent: Thursday, April 08, 2004 4:02 AM
Cc: [EMAIL PROTECTED]
Subject: [openssl.org #869] [FWD] [PATCH] OpenSSL patch for CRL Distribution Points for the X.509 Certificate Profile

- Forwarded message from Abhijit Hayatnagarkar [EMAIL PROTECTED] -

Delivered-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Date: Mon, 5 Apr 2004 16:38:13 -0400 (EDT)
From: Abhijit Hayatnagarkar [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [PATCH] OpenSSL patch for CRL Distribution Points for the X.509 Certificate Profile
Precedence: bulk
Reply-To: [EMAIL PROTECTED]

Description of the patch:

This patch provides the extended syntax for CRL Distribution Points as specified in RFC 3280 Section 4.2.1.14. It also tries to maintain backward compatibility with the existing syntax.

Without this crld patch, the syntax for the X509 extension field CRL Distribution Points recognized by openssl is either:

crlDistributionPoints=URI:http://uri.crl.com/crl1,URI:http://uri.crl.com/crl2

or

[EMAIL PROTECTED]

[crlsection]
URI.1=http://uri.crl.com/crl1
URI.2=http://uri.crl.com/crl2

Thus, you can only specify the 'fullname' field of a single distribution point.

With this crld patch, openssl will support a richer syntax for the CRL Distribution Points extension field. Apart from 'fullname', you will be able to specify the 'relativename', 'reasons' and 'CRLissuer' fields. This patch is backward compatible, so you will still be able to use the old syntax.

The 'reasons' field is a bitmap of ReasonFlags. The ReasonFlags are: unused (0), keyCompromise (1), cACompromise (2), affiliationChanged (3), superseded (4), cessationOfOperation (5), certificateHold (6), privilegeWithdrawn (7) and aAcompromise (8).

Users can now specify CRL Distribution Points with a syntax as detailed as the following:

[EMAIL PROTECTED],@distpoint2

[distpoint1]
fullname=URI:http://uri.crl.com/crl1,URI:http://uri.crl.com/crl2
reasons=keyCompromise,cACompromise

[distpoint2]
[EMAIL PROTECTED]
reasons=cessationOfOperation,privilegeWithdrawn
CRLissuer=email:[EMAIL PROTECTED]

[relnamesect]
C = US
O = Org, Inc.
0.OU= Org Unit 1
1.OU= Sub Org Unit 2
CN = relative common name

Thanks,
Abhijit Hayatnagarkar
Sparta, Inc.

A copy of the TSU Notification sent to [EMAIL PROTECTED] is attached below. This notification also included the patches attached to this email.
-- Forwarded message --
Date: Mon, 5 Apr 2004 16:21:57 -0400 (EDT)
From: Abhijit Hayatnagarkar [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: TSU Notification

SUBMISSION TYPE : TSU
SUBMITTED BY: Abhijit Hayatnagarkar
SUBMITTED FOR : Sparta, Inc.
POINT OF CONTACT: Abhijit Hayatnagarkar
PHONE and/or FAX: (410) 872-1515 Ext. 236
MANUFACTURER:
PRODUCT NAME/MODEL #: Patches for OpenSSL version 0.9.7c and SNAP-20040227
ECCN: 5D002
NOTIFICATION: Source code for the patch attached.

Short Description: This patch provides the extended syntax for CRL Distribution Points in the X.509 Certificate Profile as specified in RFC 3280 (See: http://www.ietf.org/rfc/rfc3280.txt).

Content-Description: A patch to openssl 0.9.7c for the extended syntax for CRL Distribution Points

diff -ur openssl-0.9.7c/crypto/x509v3/v3_crld.c openssl-0.9.7c.modified/crypto/x509v3/v3_crld.c --- openssl-0.9.7c/crypto/x509v3/v3_crld.c2001-02-23 07:47:05.0 -0500 +++ openssl-0.9.7c.modified/crypto/x509v3/v3_crld.c 2004-04-05 15:55:24.0 -0400 @@ -63,8 +63,23 @@ #include openssl/asn1t.h #include openssl/x509v3.h -static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method, - STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *extlist); +static ENUMERATED_NAMES crl_reasons[] = { +{0, Unused, unused}, +{1, Key Compromise, keyCompromise}, +{2, CA Compromise, cACompromise}, +{3, Affiliation Changed, affiliationChanged}, +{4, Superseded, superseded}, +{5, Cessation Of Operation, cessationOfOperation}, +{6
[openssl.org #869] [FWD] [PATCH] OpenSSL patch for CRL Distribution Points for the X.509 Certificate Profile
- Forwarded message from Abhijit Hayatnagarkar [EMAIL PROTECTED] -

Delivered-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Date: Mon, 5 Apr 2004 16:38:13 -0400 (EDT)
From: Abhijit Hayatnagarkar [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [PATCH] OpenSSL patch for CRL Distribution Points for the X.509 Certificate Profile
Precedence: bulk
Reply-To: [EMAIL PROTECTED]

Description of the patch:

This patch provides the extended syntax for CRL Distribution Points as specified in RFC 3280 Section 4.2.1.14. It also tries to maintain backward compatibility with the existing syntax.

Without this crld patch, the syntax for the X509 extension field CRL Distribution Points recognized by openssl is either:

crlDistributionPoints=URI:http://uri.crl.com/crl1,URI:http://uri.crl.com/crl2

or

[EMAIL PROTECTED]

[crlsection]
URI.1=http://uri.crl.com/crl1
URI.2=http://uri.crl.com/crl2

Thus, you can only specify the 'fullname' field of a single distribution point.

With this crld patch, openssl will support a richer syntax for the CRL Distribution Points extension field. Apart from 'fullname', you will be able to specify the 'relativename', 'reasons' and 'CRLissuer' fields. This patch is backward compatible, so you will still be able to use the old syntax.

The 'reasons' field is a bitmap of ReasonFlags. The ReasonFlags are: unused (0), keyCompromise (1), cACompromise (2), affiliationChanged (3), superseded (4), cessationOfOperation (5), certificateHold (6), privilegeWithdrawn (7) and aAcompromise (8).

Users can now specify CRL Distribution Points with a syntax as detailed as the following:

[EMAIL PROTECTED],@distpoint2

[distpoint1]
fullname=URI:http://uri.crl.com/crl1,URI:http://uri.crl.com/crl2
reasons=keyCompromise,cACompromise

[distpoint2]
[EMAIL PROTECTED]
reasons=cessationOfOperation,privilegeWithdrawn
CRLissuer=email:[EMAIL PROTECTED]

[relnamesect]
C = US
O = Org, Inc.
0.OU= Org Unit 1
1.OU= Sub Org Unit 2
CN = relative common name

Thanks,
Abhijit Hayatnagarkar
Sparta, Inc.

A copy of the TSU Notification sent to [EMAIL PROTECTED] is attached below. This notification also included the patches attached to this email.
-- Forwarded message --
Date: Mon, 5 Apr 2004 16:21:57 -0400 (EDT)
From: Abhijit Hayatnagarkar [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: TSU Notification

SUBMISSION TYPE : TSU
SUBMITTED BY: Abhijit Hayatnagarkar
SUBMITTED FOR : Sparta, Inc.
POINT OF CONTACT: Abhijit Hayatnagarkar
PHONE and/or FAX: (410) 872-1515 Ext. 236
MANUFACTURER:
PRODUCT NAME/MODEL #: Patches for OpenSSL version 0.9.7c and SNAP-20040227
ECCN: 5D002
NOTIFICATION: Source code for the patch attached.

Short Description: This patch provides the extended syntax for CRL Distribution Points in the X.509 Certificate Profile as specified in RFC 3280 (See: http://www.ietf.org/rfc/rfc3280.txt).

Content-Description: A patch to openssl 0.9.7c for the extended syntax for CRL Distribution Points

diff -ur openssl-0.9.7c/crypto/x509v3/v3_crld.c openssl-0.9.7c.modified/crypto/x509v3/v3_crld.c --- openssl-0.9.7c/crypto/x509v3/v3_crld.c 2001-02-23 07:47:05.0 -0500 +++ openssl-0.9.7c.modified/crypto/x509v3/v3_crld.c 2004-04-05 15:55:24.0 -0400 @@ -63,8 +63,23 @@ #include openssl/asn1t.h #include openssl/x509v3.h -static
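The 'reasons' bitmap from the patch description, worked through as an added example (not code from the patch or from OpenSSL): the hypothetical helper encode_reasons turns a reasons= value into the DER BIT STRING that a certificate would carry, using the bit positions listed in the description. The name spellings follow the table in the patch, and unknown names are rejected, which is an assumption of this example.

```c
#include <stdio.h>
#include <string.h>

/* ReasonFlags bit positions 0..8, in the order the patch description lists
 * them; the spelling of bit 8 follows the patch's table (aACompromise). */
static const char *const reason_names[] = {
    "unused", "keyCompromise", "cACompromise", "affiliationChanged",
    "superseded", "cessationOfOperation", "certificateHold",
    "privilegeWithdrawn", "aACompromise"
};
#define N_REASONS (sizeof(reason_names) / sizeof(reason_names[0]))

/* Hypothetical helper (not an OpenSSL function): DER-encode a "reasons="
 * value as a BIT STRING. Returns the encoded length, or -1 on an unknown
 * or empty name, an empty list, or a buffer that is too small. */
int encode_reasons(const char *value, unsigned char *out, size_t outlen)
{
    unsigned char bits[2] = {0, 0};
    int highest = -1, nbytes, i;
    const char *p = value;
    while (*p) {
        size_t len = strcspn(p, ","), k;
        for (k = 0; k < N_REASONS; k++)
            if (strlen(reason_names[k]) == len && !strncmp(p, reason_names[k], len))
                break;
        if (k == N_REASONS) return -1;  /* reject typos instead of dropping them */
        bits[k / 8] |= (unsigned char)(0x80 >> (k % 8)); /* bit 0 is the MSB */
        if ((int)k > highest) highest = (int)k;
        p += len;
        if (*p == ',') p++;
    }
    nbytes = highest / 8 + 1;
    if (highest < 0 || outlen < (size_t)nbytes + 3)
        return -1;
    out[0] = 0x03;                              /* BIT STRING tag */
    out[1] = (unsigned char)(nbytes + 1);       /* unused-bits octet + data */
    out[2] = (unsigned char)(7 - highest % 8);  /* DER: no trailing zero bits */
    for (i = 0; i < nbytes; i++) out[3 + i] = bits[i];
    return nbytes + 3;
}

int main(void)
{
    unsigned char der[8];
    int i, n = encode_reasons("keyCompromise,cACompromise", der, sizeof der);
    for (i = 0; i < n; i++) printf("%02x ", der[i]);
    printf("\n");
    return n < 0;
}
```

Setting aACompromise (bit 8) is the case that spills into a second content octet, so it is the one to check when comparing against a certificate dump.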