[openssl.org #869] [FWD] [PATCH] OpenSSL patch for CRL Distribution Points for the X.509 Certificate Profile

2005-07-25 Thread Stephen Henson via RT

This has now been implemented in 0.9.9 but using a somewhat different
syntax.

Ticket resolved.

Steve.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]


RE: [openssl.org #869] [FWD] [PATCH] OpenSSL patch for CRL Distribution Points for the X.509 Certificate Profile

2004-04-12 Thread Chris Brook
I incorporated these patches in 0.9.7d STABLE and compiled using the Solaris
native compiler instead of gcc.  There were several errors because variable
definitions were placed after allocation statements, e.g.
+   for (i = 0; i  sk_CONF_VALUE_num(nval); i++) {
+   cnf = sk_CONF_VALUE_value(nval, i);
+   STACK_OF(CONF_VALUE) *sk;
I can list the corrections (about 12) or, more appropriately, the author can
re-issue the patch with the necessary corrections so that it follows
standard C rules rather than C++.
Chris Brook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Stephen Henson via RT
Sent: Thursday, April 08, 2004 4:02 AM
Cc: [EMAIL PROTECTED]
Subject: [openssl.org #869] [FWD] [PATCH] OpenSSL patch for CRL
Distribution Points for the X.509 Certificate Profile



- Forwarded message from Abhijit Hayatnagarkar
[EMAIL PROTECTED] -

Delivered-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Date: Mon, 5 Apr 2004 16:38:13 -0400 (EDT)
From: Abhijit Hayatnagarkar [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [PATCH] OpenSSL patch for CRL Distribution Points for the X.509
 Certificate Profile
Precedence: bulk
Reply-To: [EMAIL PROTECTED]

Description of the patch:

This patch provides the extended syntax for CRL Distribution Points as
specified in RFC 3280 Section 4.2.1.14.  It also tries to maintain
backward compatibility with the existing syntax.

Without this crld patch, the syntax for the X509 extension field CRL
Distribution Points recognized by openssl is either:

crlDistributionPoints=URI:http://uri.crl.com/crl1,URI:http://uri.crl.com/crl2

or

[EMAIL PROTECTED]

[crlsection]
URI.1=http://uri.crl.com/crl1
URI.2=http://uri.crl.com/crl2

Thus, you can only specify the 'fullname' field of a single distribution
point.

With this crld patch, openssl will support a richer syntax for the CRL
Distribution Points extension field.  Apart from 'fullname', you will be
able to specify the 'relativename', 'reasons' and 'CRLissuer' fields.

This patch is backward compatible, so you will still be able to use the
old syntax.

The 'reasons' field is a bitmap of ReasonFlags.  The ReasonFlags are:
unused (0), keyCompromise (1), cACompromise (2), affiliationChanged (3),
superseded (4), cessationOfOperation (5), certificateHold (6),
privilegeWithdrawn (7) and aAcompromise (8).

Users can now specify CRL Distribution Points with a syntax as detailed as
the following:

[EMAIL PROTECTED],@distpoint2

[distpoint1]
fullname=URI:http://uri.crl.com/crl1,URI:http://uri.crl.com/crl2
reasons=keyCompromise,cACompromise

[distpoint2]
[EMAIL PROTECTED]
reasons=cessationOfOperation,privilegeWithdrawn
CRLissuer=email:[EMAIL PROTECTED]

[relnamesect]
C   = US
O   = Org, Inc.
0.OU= Org Unit 1
1.OU= Sub Org Unit 2
CN  = relative common name

Thanks,
Abhijit Hayatnagarkar
Sparta, Inc.

A copy of the TSU Notification sent to [EMAIL PROTECTED] is attached
below.  This notification also included the patches attached to this
email.

-- Forwarded message --
Date: Mon, 5 Apr 2004 16:21:57 -0400 (EDT)
From: Abhijit Hayatnagarkar [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: TSU Notification

SUBMISSION TYPE : TSU
SUBMITTED BY: Abhijit Hayatnagarkar
SUBMITTED FOR   : Sparta, Inc.
POINT OF CONTACT: Abhijit Hayatnagarkar
PHONE and/or FAX: (410) 872-1515 Ext. 236
MANUFACTURER:
PRODUCT NAME/MODEL #: Patches for OpenSSL version 0.9.7c and SNAP-20040227
ECCN: 5D002
NOTIFICATION: Source code for the patch attached.

Short Description:
This patch provides the extended syntax for CRL Distribution
Points in the X.509 Certificate Profile as specified in RFC 3280 (See:
http://www.ietf.org/rfc/rfc3280.txt).

Content-Description: A patch to openssl 0.9.7c for the extended syntax for
CRL Distribution Points
diff -ur openssl-0.9.7c/crypto/x509v3/v3_crld.c
openssl-0.9.7c.modified/crypto/x509v3/v3_crld.c
--- openssl-0.9.7c/crypto/x509v3/v3_crld.c  2001-02-23
07:47:05.0 -0500
+++ openssl-0.9.7c.modified/crypto/x509v3/v3_crld.c 2004-04-05
15:55:24.0 -0400
@@ -63,8 +63,23 @@
 #include openssl/asn1t.h
 #include openssl/x509v3.h

-static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
-   STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *extlist);
+static ENUMERATED_NAMES crl_reasons[] = {
+{0, Unused, unused},
+{1, Key Compromise, keyCompromise},
+{2, CA Compromise, cACompromise},
+{3, Affiliation Changed, affiliationChanged},
+{4, Superseded, superseded},
+{5, Cessation Of Operation, cessationOfOperation},
+{6, Certificate Hold, certificateHold},
+{7, Privilege Withdrawn, privilegeWithdrawn},
+{8, AA Compromise, aACompromise},
+{-1, NULL, NULL}
+};
+
+static int i2r_crld(X509V3_EXT_METHOD *method,
+STACK_OF(DIST_POINT) *crld, BIO *out, int indent);
+static STACK_OF(DIST_POINT
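
Review bot: The numbers in the new crl_reasons[] table need a comment saying they are bit positions in the ReasonFlags BIT STRING, because the ENUMERATED_NAMES type reads as a list of ENUMERATED values and the CRL entry reasonCode extension numbers some of the same names differently (privilegeWithdrawn is 9 and aACompromise is 10 there, against 7 and 8 here). A one-line comment above the table, or a name such as reason_flags, would keep the two numberings from being mixed up later.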

RE: [openssl.org #869] [FWD] [PATCH] OpenSSL patch for CRL Distribution Points for the X.509 Certificate Profile

2004-04-12 Thread Abhijit Hayatnagarkar
I will re-issue a patch for 0.9.7d with the necessary corrections.

Thank you,
Abhijit Hayatnagarkar
Sparta, Inc.

On Mon, 12 Apr 2004, Chris Brook wrote:

 I incorporated these patches in 0.9.7d STABLE and compiled using the Solaris
 native compiler instead of gcc.  There were several errors because variable
 definitions were placed after allocation statements, e.g.
 + for (i = 0; i  sk_CONF_VALUE_num(nval); i++) {
 + cnf = sk_CONF_VALUE_value(nval, i);
 + STACK_OF(CONF_VALUE) *sk;
 I can list the corrections (about 12) or, more appropriately, the author can
 re-issue the patch with the necessary corrections so that it follows
 standard C rules rather than C++.
 Chris Brook
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Stephen Henson via RT
 Sent: Thursday, April 08, 2004 4:02 AM
 Cc: [EMAIL PROTECTED]
 Subject: [openssl.org #869] [FWD] [PATCH] OpenSSL patch for CRL
 Distribution Points for the X.509 Certificate Profile
 
 
 
 - Forwarded message from Abhijit Hayatnagarkar
 [EMAIL PROTECTED] -
 
 Delivered-To: [EMAIL PROTECTED]
 Delivered-To: [EMAIL PROTECTED]
 Delivered-To: [EMAIL PROTECTED]
 Date: Mon, 5 Apr 2004 16:38:13 -0400 (EDT)
 From: Abhijit Hayatnagarkar [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: [PATCH] OpenSSL patch for CRL Distribution Points for the X.509
  Certificate Profile
 Precedence: bulk
 Reply-To: [EMAIL PROTECTED]
 
 Description of the patch:
 
 This patch provides the extended syntax for CRL Distribution Points as
 specified in RFC 3280 Section 4.2.1.14.  It also tries to maintain
 backward compatibility with the existing syntax.
 
 Without this crld patch, the syntax for the X509 extension field CRL
 Distribution Points recognized by openssl is either:
 
 crlDistributionPoints=URI:http://uri.crl.com/crl1,URI:http://uri.crl.com/crl2
 
 or
 
 [EMAIL PROTECTED]
 
 [crlsection]
 URI.1=http://uri.crl.com/crl1
 URI.2=http://uri.crl.com/crl2
 
 Thus, you can only specify the 'fullname' field of a single distribution
 point.
 
 With this crld patch, openssl will support a richer syntax for the CRL
 Distribution Points extension field.  Apart from 'fullname', you will be
 able to specify the 'relativename', 'reasons' and 'CRLissuer' fields.
 
 This patch is backward compatible, so you will still be able to use the
 old syntax.
 
 The 'reasons' field is a bitmap of ReasonFlags.  The ReasonFlags are:
 unused (0), keyCompromise (1), cACompromise (2), affiliationChanged (3),
 superseded (4), cessationOfOperation (5), certificateHold (6),
 privilegeWithdrawn (7) and aAcompromise (8).
 
 Users can now specify CRL Distribution Points with a syntax as detailed as
 the following:
 
 [EMAIL PROTECTED],@distpoint2
 
 [distpoint1]
 fullname=URI:http://uri.crl.com/crl1,URI:http://uri.crl.com/crl2
 reasons=keyCompromise,cACompromise
 
 [distpoint2]
 [EMAIL PROTECTED]
 reasons=cessationOfOperation,privilegeWithdrawn
 CRLissuer=email:[EMAIL PROTECTED]
 
 [relnamesect]
 C   = US
 O   = Org, Inc.
 0.OU= Org Unit 1
 1.OU= Sub Org Unit 2
 CN  = relative common name
 
 Thanks,
 Abhijit Hayatnagarkar
 Sparta, Inc.
 
 A copy of the TSU Notification sent to [EMAIL PROTECTED] is attached
 below.  This notification also included the patches attached to this
 email.
 
 -- Forwarded message --
 Date: Mon, 5 Apr 2004 16:21:57 -0400 (EDT)
 From: Abhijit Hayatnagarkar [EMAIL PROTECTED]
 To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: TSU Notification
 
 SUBMISSION TYPE : TSU
 SUBMITTED BY: Abhijit Hayatnagarkar
 SUBMITTED FOR   : Sparta, Inc.
 POINT OF CONTACT: Abhijit Hayatnagarkar
 PHONE and/or FAX: (410) 872-1515 Ext. 236
 MANUFACTURER:
 PRODUCT NAME/MODEL #: Patches for OpenSSL version 0.9.7c and SNAP-20040227
 ECCN: 5D002
 NOTIFICATION: Source code for the patch attached.
 
 Short Description:
   This patch provides the extended syntax for CRL Distribution
 Points in the X.509 Certificate Profile as specified in RFC 3280 (See:
 http://www.ietf.org/rfc/rfc3280.txt).
 
 Content-Description: A patch to openssl 0.9.7c for the extended syntax for
 CRL Distribution Points
 diff -ur openssl-0.9.7c/crypto/x509v3/v3_crld.c
 openssl-0.9.7c.modified/crypto/x509v3/v3_crld.c
 --- openssl-0.9.7c/crypto/x509v3/v3_crld.c2001-02-23
 07:47:05.0 -0500
 +++ openssl-0.9.7c.modified/crypto/x509v3/v3_crld.c   2004-04-05
 15:55:24.0 -0400
 @@ -63,8 +63,23 @@
  #include openssl/asn1t.h
  #include openssl/x509v3.h
 
 -static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
 - STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *extlist);
 +static ENUMERATED_NAMES crl_reasons[] = {
 +{0, Unused, unused},
 +{1, Key Compromise, keyCompromise},
 +{2, CA Compromise, cACompromise},
 +{3, Affiliation Changed, affiliationChanged},
 +{4, Superseded, superseded},
 +{5, Cessation Of Operation, cessationOfOperation},
 +{6
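
Review bot: The first entry of crl_reasons[], {0, Unused, unused}, names a bit that carries no revocation reason, so if this table also drives parsing of reasons= in the config file, a distribution point could be issued with only the unused bit set. Either reject "unused" when parsing, or say in the documentation that the entry exists for printing only.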

[openssl.org #869] [FWD] [PATCH] OpenSSL patch for CRL Distribution Points for the X.509 Certificate Profile

2004-04-08 Thread Stephen Henson via RT

- Forwarded message from Abhijit Hayatnagarkar [EMAIL PROTECTED] -

Delivered-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Date: Mon, 5 Apr 2004 16:38:13 -0400 (EDT)
From: Abhijit Hayatnagarkar [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [PATCH] OpenSSL patch for CRL Distribution Points for the X.509
 Certificate Profile
Precedence: bulk
Reply-To: [EMAIL PROTECTED]

Description of the patch:

This patch provides the extended syntax for CRL Distribution Points as 
specified in RFC 3280 Section 4.2.1.14.  It also tries to maintain 
backward compatibility with the existing syntax.
 
Without this crld patch, the syntax for the X509 extension field CRL
Distribution Points recognized by openssl is either:
   
  
crlDistributionPoints=URI:http://uri.crl.com/crl1,URI:http://uri.crl.com/crl2
   
  
or
   
  
[EMAIL PROTECTED]
   
  
[crlsection]
URI.1=http://uri.crl.com/crl1
URI.2=http://uri.crl.com/crl2
   
  
Thus, you can only specify the 'fullname' field of a single distribution 
point.
   
  
With this crld patch, openssl will support a richer syntax for the CRL
Distribution Points extension field.  Apart from 'fullname', you will be
able to specify the 'relativename', 'reasons' and 'CRLissuer' fields.
   
  
This patch is backward compatible, so you will still be able to use the
old syntax.
   
  
The 'reasons' field is a bitmap of ReasonFlags.  The ReasonFlags are:
unused (0), keyCompromise (1), cACompromise (2), affiliationChanged (3),
superseded (4), cessationOfOperation (5), certificateHold (6),
privilegeWithdrawn (7) and aAcompromise (8).

Users can now specify CRL Distribution Points with a syntax as detailed as
the following:
   
  
[EMAIL PROTECTED],@distpoint2
   
  
[distpoint1]
fullname=URI:http://uri.crl.com/crl1,URI:http://uri.crl.com/crl2
reasons=keyCompromise,cACompromise
   
  
[distpoint2]
[EMAIL PROTECTED]
reasons=cessationOfOperation,privilegeWithdrawn
CRLissuer=email:[EMAIL PROTECTED]
   
  
[relnamesect]
C   = US
O   = Org, Inc.
0.OU= Org Unit 1
1.OU= Sub Org Unit 2
CN  = relative common name

Thanks,
Abhijit Hayatnagarkar
Sparta, Inc.

A copy of the TSU Notification sent to [EMAIL PROTECTED] is attached 
below.  This notification also included the patches attached to this 
email.

-- Forwarded message --
Date: Mon, 5 Apr 2004 16:21:57 -0400 (EDT)
From: Abhijit Hayatnagarkar [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: TSU Notification

SUBMISSION TYPE : TSU
SUBMITTED BY: Abhijit Hayatnagarkar
SUBMITTED FOR   : Sparta, Inc.
POINT OF CONTACT: Abhijit Hayatnagarkar
PHONE and/or FAX: (410) 872-1515 Ext. 236
MANUFACTURER: 
PRODUCT NAME/MODEL #: Patches for OpenSSL version 0.9.7c and SNAP-20040227
ECCN: 5D002
NOTIFICATION: Source code for the patch attached.

Short Description:
This patch provides the extended syntax for CRL Distribution 
Points in the X.509 Certificate Profile as specified in RFC 3280 (See: 
http://www.ietf.org/rfc/rfc3280.txt).

Content-Description: A patch to openssl 0.9.7c for the extended syntax for CRL 
Distribution Points
diff -ur openssl-0.9.7c/crypto/x509v3/v3_crld.c 
openssl-0.9.7c.modified/crypto/x509v3/v3_crld.c
--- openssl-0.9.7c/crypto/x509v3/v3_crld.c  2001-02-23 07:47:05.0 -0500
+++ openssl-0.9.7c.modified/crypto/x509v3/v3_crld.c 2004-04-05 15:55:24.0 
-0400
@@ -63,8 +63,23 @@
 #include openssl/asn1t.h
 #include openssl/x509v3.h
 
-static
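
The 'reasons' bitmap described in the patch announcement above, as an added example that is not part of the thread or of the patch: it turns a reasons= value into the DER BIT STRING that ends up in the certificate. The function name encode_reasons and the exact, case-sensitive name matching are assumptions of this example; it emits the universal BIT STRING tag, whereas inside a DistributionPoint the field is tagged [1] IMPLICIT.

```c
#include <stddef.h>
#include <string.h>

/* ReasonFlags bit positions, index == bit number (RFC 3280, 4.2.1.14). */
static const char *const reason_names[] = {
    "unused", "keyCompromise", "cACompromise", "affiliationChanged",
    "superseded", "cessationOfOperation", "certificateHold",
    "privilegeWithdrawn", "aACompromise"
};
#define N_REASONS (sizeof(reason_names) / sizeof(reason_names[0]))

/*
 * Hypothetical helper: encode a comma-separated reasons= value as a DER
 * BIT STRING. out must hold at least 5 bytes. Returns the encoded length,
 * 0 if no reason was given, or -1 on an unknown or empty name (fail closed).
 */
int encode_reasons(const char *value, unsigned char *out)
{
    unsigned char bits[2] = {0, 0};
    int highest = -1, nbytes;
    const char *p = value;

    while (*p != '\0') {
        size_t len = strcspn(p, ",");
        size_t i;

        for (i = 0; i < N_REASONS; i++)
            if (strlen(reason_names[i]) == len &&
                memcmp(reason_names[i], p, len) == 0)
                break;
        if (i == N_REASONS)
            return -1;
        /* BIT STRING bit 0 is the most significant bit of the first octet. */
        bits[i / 8] |= (unsigned char)(0x80 >> (i % 8));
        if ((int)i > highest)
            highest = (int)i;
        p += len;
        if (*p == ',')
            p++;
    }
    if (highest < 0)
        return 0;
    nbytes = highest / 8 + 1;                  /* DER drops trailing zero bits */
    out[0] = 0x03;                             /* universal tag: BIT STRING */
    out[1] = (unsigned char)(nbytes + 1);      /* length: unused-bits octet + data */
    out[2] = (unsigned char)(7 - highest % 8); /* unused bits in the last octet */
    memcpy(out + 3, bits, (size_t)nbytes);
    return nbytes + 3;
}
```

For [distpoint1] in the announcement (keyCompromise,cACompromise) this yields 03 02 05 60, and for [distpoint2] (cessationOfOperation,privilegeWithdrawn) it yields 03 02 00 05.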