Support for CRL distribution points extension. Also document some of
authorDr. Stephen Henson <steve@openssl.org>
Wed, 21 Apr 1999 17:44:45 +0000 (17:44 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Wed, 21 Apr 1999 17:44:45 +0000 (17:44 +0000)
this stuff.

13 files changed:
CHANGES
STATUS
crypto/asn1/asn1.err
crypto/asn1/asn1.h
crypto/asn1/asn1_err.c
crypto/x509v3/Makefile.ssl
crypto/x509v3/v3_cpols.c
crypto/x509v3/v3_crld.c [new file with mode: 0644]
crypto/x509v3/v3_lib.c
crypto/x509v3/v3err.c
crypto/x509v3/x509v3.err
crypto/x509v3/x509v3.h
doc/openssl.txt

diff --git a/CHANGES b/CHANGES
index ee8a65a..9b5fc0d 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -5,6 +5,10 @@
 
  Changes between 0.9.2b and 0.9.3
 
+  *) Add support for CRL distribution points extension. Add Certificate
+     Policies and CRL distribution points documentation.
+     [Steve Henson]
+
   *) Move the autogenerated header file parts to crypto/opensslconf.h.
      [Ulf Möller]
 
@@ -23,6 +27,7 @@
   *) Fix problems with sizeof(long) == 8.
      [Andy Polyakov <appro@fy.chalmers.se>]
 
+>>>>>>> 1.185
   *) Change functions to ANSI C.
      [Ulf Möller]
 
@@ -36,7 +41,7 @@
      [Andy Polyakov <appro@fy.chalmers.se>]
 
   *) Support for Certificate Policies extension: both print and set.
-     Various additions to support the r2i method this extension will use.
+     Various additions to support the r2i method this uses.
      [Steve Henson]
 
   *) A lot of constification, and fix a bug in X509_NAME_oneline() that could
diff --git a/STATUS b/STATUS
index b1a8a2e..804ef8a 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -1,6 +1,6 @@
 
   OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 1999/04/21 17:30:41 $
+  ______________                           $Date: 1999/04/21 17:44:32 $
 
   DEVELOPMENT STATE
 
@@ -40,6 +40,7 @@
         PKCS#12 code cleanup and enhancement.
        PKCS #8 and PKCS#5 v2.0 support.
        Private key, certificate and CRL API and implementation.
+       Redo error code and DEF file generation scripts.
 
     o Mark is currently working on:
         Folding in any changes that are in the C2Net code base that were
index e032270..22b7fb3 100644 (file)
@@ -57,6 +57,8 @@
 #define ASN1_F_D2I_AUTHORITY_KEYID                      238
 #define ASN1_F_D2I_BASIC_CONSTRAINTS                    227
 #define ASN1_F_D2I_DHPARAMS                             136
+#define ASN1_F_D2I_DIST_POINT                           276
+#define ASN1_F_D2I_DIST_POINT_NAME                      277
 #define ASN1_F_D2I_DSAPARAMS                            137
 #define ASN1_F_D2I_DSAPRIVATEKEY                        138
 #define ASN1_F_D2I_DSAPUBLICKEY                                 139
 #define ASN1_F_D2I_X509_REVOKED                                 173
 #define ASN1_F_D2I_X509_SIG                             174
 #define ASN1_F_D2I_X509_VAL                             175
+#define ASN1_F_DIST_POINT_NAME_NEW                      278
+#define ASN1_F_DIST_POINT_NEW                           279
 #define ASN1_F_GENERAL_NAME_NEW                                 231
 #define ASN1_F_I2D_ASN1_HEADER                          176
 #define ASN1_F_I2D_ASN1_TIME                            225
index 04174cd..5f113b4 100644 (file)
@@ -864,6 +864,8 @@ ASN1_STRING *ASN1_pack_string();
 #define ASN1_F_D2I_AUTHORITY_KEYID                      238
 #define ASN1_F_D2I_BASIC_CONSTRAINTS                    227
 #define ASN1_F_D2I_DHPARAMS                             136
+#define ASN1_F_D2I_DIST_POINT                           276
+#define ASN1_F_D2I_DIST_POINT_NAME                      277
 #define ASN1_F_D2I_DSAPARAMS                            137
 #define ASN1_F_D2I_DSAPRIVATEKEY                        138
 #define ASN1_F_D2I_DSAPUBLICKEY                                 139
@@ -920,6 +922,8 @@ ASN1_STRING *ASN1_pack_string();
 #define ASN1_F_D2I_X509_REVOKED                                 173
 #define ASN1_F_D2I_X509_SIG                             174
 #define ASN1_F_D2I_X509_VAL                             175
+#define ASN1_F_DIST_POINT_NAME_NEW                      278
+#define ASN1_F_DIST_POINT_NEW                           279
 #define ASN1_F_GENERAL_NAME_NEW                                 231
 #define ASN1_F_I2D_ASN1_HEADER                          176
 #define ASN1_F_I2D_ASN1_TIME                            225
index 7d82170..463500b 100644 (file)
@@ -119,6 +119,8 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_D2I_AUTHORITY_KEYID,0),     "D2I_AUTHORITY_KEYID"},
 {ERR_PACK(0,ASN1_F_D2I_BASIC_CONSTRAINTS,0),   "D2I_BASIC_CONSTRAINTS"},
 {ERR_PACK(0,ASN1_F_D2I_DHPARAMS,0),    "D2I_DHPARAMS"},
+{ERR_PACK(0,ASN1_F_D2I_DIST_POINT,0),  "D2I_DIST_POINT"},
+{ERR_PACK(0,ASN1_F_D2I_DIST_POINT_NAME,0),     "D2I_DIST_POINT_NAME"},
 {ERR_PACK(0,ASN1_F_D2I_DSAPARAMS,0),   "D2I_DSAPARAMS"},
 {ERR_PACK(0,ASN1_F_D2I_DSAPRIVATEKEY,0),       "D2I_DSAPRIVATEKEY"},
 {ERR_PACK(0,ASN1_F_D2I_DSAPUBLICKEY,0),        "D2I_DSAPUBLICKEY"},
@@ -175,6 +177,8 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_D2I_X509_REVOKED,0),        "D2I_X509_REVOKED"},
 {ERR_PACK(0,ASN1_F_D2I_X509_SIG,0),    "D2I_X509_SIG"},
 {ERR_PACK(0,ASN1_F_D2I_X509_VAL,0),    "D2I_X509_VAL"},
+{ERR_PACK(0,ASN1_F_DIST_POINT_NAME_NEW,0),     "DIST_POINT_NAME_NEW"},
+{ERR_PACK(0,ASN1_F_DIST_POINT_NEW,0),  "DIST_POINT_NEW"},
 {ERR_PACK(0,ASN1_F_GENERAL_NAME_NEW,0),        "GENERAL_NAME_NEW"},
 {ERR_PACK(0,ASN1_F_I2D_ASN1_HEADER,0), "i2d_ASN1_HEADER"},
 {ERR_PACK(0,ASN1_F_I2D_ASN1_TIME,0),   "i2d_ASN1_TIME"},
index d15232e..4b4a11b 100644 (file)
@@ -24,10 +24,10 @@ APPS=
 LIB=$(TOP)/libcrypto.a
 LIBSRC=        v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c \
 v3_lib.c v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c \
-v3_pku.c v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c
+v3_pku.c v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c
 LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \
 v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \
-v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o
+v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o
 
 SRC= $(LIBSRC)
 
index 7785047..95033f2 100644 (file)
@@ -209,15 +209,14 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx, STACK *polstrs)
 
        return pol;
 
-       err:
-       POLICYINFO_free(pol);
-       return NULL;
-       
        merr:
        X509V3err(X509V3_F_POLICY_SECTION,ERR_R_MALLOC_FAILURE);
+
+       err:
        POLICYINFO_free(pol);
        return NULL;
        
+       
 }
 
 static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, STACK *unot)
@@ -277,12 +276,10 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, STACK *unot)
 
        return qual;
 
-       err:
-       POLICYQUALINFO_free(qual);
-       return NULL;
-
        merr:
        X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE);
+
+       err:
        POLICYQUALINFO_free(qual);
        return NULL;
 }
@@ -304,12 +301,10 @@ static STACK *nref_nos(STACK *nos)
        }
        return nnums;
 
-       err:
-       sk_pop_free(nnums, ASN1_STRING_free);
-       return NULL;
-
        merr:
        X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE);
+
+       err:
        sk_pop_free(nnums, ASN1_STRING_free);
        return NULL;
 }
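Review bot: The merr: blocks in policy_section, notice_section and nref_nos now fall through into err: with nothing marking that as deliberate; a later edit that adds a `return NULL;` after the X509V3err call would silently leak pol, qual or nnums. A `/* fall through to err: frees and returns NULL */` comment on the blank line the commit adds after each X509V3err call would make the intent explicit. The rewrite also leaves two whitespace-only lines before the closing brace of policy_section. The merr: path in nref_nos still attributes the failure to X509V3_F_NOTICE_SECTION rather than its own function (a context line, untouched here), which misleads anyone reading the error queue. All three functions start above their hunks.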
diff --git a/crypto/x509v3/v3_crld.c b/crypto/x509v3/v3_crld.c
new file mode 100644 (file)
index 0000000..c0b63ee
--- /dev/null
@@ -0,0 +1,290 @@
+/* v3_crld.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include "conf.h"
+#include "asn1.h"
+#include "asn1_mac.h"
+#include "x509v3.h"
+
+static STACK *i2v_crld(X509V3_EXT_METHOD *method, STACK_OF(DIST_POINT) *crld,
+                                                        STACK *extlist);
+static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
+                                                X509V3_CTX *ctx, STACK *nval);
+
+X509V3_EXT_METHOD v3_crld = {
+NID_crl_distribution_points, X509V3_EXT_MULTILINE,
+(X509V3_EXT_NEW)CRL_DIST_POINTS_new,
+CRL_DIST_POINTS_free,
+(X509V3_EXT_D2I)d2i_CRL_DIST_POINTS,
+i2d_CRL_DIST_POINTS,
+NULL, NULL,
+(X509V3_EXT_I2V)i2v_crld,
+(X509V3_EXT_V2I)v2i_crld,
+NULL, NULL, NULL
+};
+
+/*
+ * ASN1err(ASN1_F_DIST_POINT_NEW,ERR_R_MALLOC_FAILURE);
+ * ASN1err(ASN1_F_D2I_DIST_POINT,ERR_R_MALLOC_FAILURE);
+ * ASN1err(ASN1_F_DIST_POINT_NAME_NEW,ERR_R_MALLOC_FAILURE);
+ * ASN1err(ASN1_F_D2I_DIST_POINT_NAME,ERR_R_MALLOC_FAILURE);
+ */
+
+static STACK *i2v_crld(X509V3_EXT_METHOD *method, STACK_OF(DIST_POINT) *crld,
+                                                                STACK *exts)
+{
+       DIST_POINT *point;
+       int i;
+       for(i = 0; i < sk_DIST_POINT_num(crld); i++) {
+               point = sk_DIST_POINT_value(crld, i);
+               if(point->distpoint->fullname) {
+                       exts = i2v_GENERAL_NAMES(NULL,
+                                        point->distpoint->fullname, exts);
+               }
+               if(point->reasons) 
+                       X509V3_add_value("reasons","<UNSUPPORTED>", &exts);
+               if(point->CRLissuer)
+                       X509V3_add_value("CRLissuer","<UNSUPPORTED>", &exts);
+               if(point->distpoint->relativename)
+                       X509V3_add_value("RelativeName","<UNSUPPORTED>", &exts);
+       }
+       return exts;
+}
+
+static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
+                                                X509V3_CTX *ctx, STACK *nval)
+{
+       STACK_OF(DIST_POINT) *crld = NULL;
+       STACK_OF(GENERAL_NAME) *gens = NULL;
+       GENERAL_NAME *gen = NULL;
+       CONF_VALUE *cnf;
+       int i;
+       if(!(crld = sk_DIST_POINT_new(NULL))) goto merr;
+       for(i = 0; i < sk_num(nval); i++) {
+               DIST_POINT *point;
+               cnf = (CONF_VALUE *)sk_value(nval, i);
+               if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) goto err; 
+               if(!(gens = GENERAL_NAMES_new())) goto merr;
+               if(!sk_GENERAL_NAME_push(gens, gen)) goto merr;
+               gen = NULL;
+               if(!(point = DIST_POINT_new())) goto merr;
+               if(!sk_DIST_POINT_push(crld, point)) {
+                       DIST_POINT_free(point);
+                       goto merr;
+               }
+               if(!(point->distpoint = DIST_POINT_NAME_new())) goto merr;
+               point->distpoint->fullname = gens;
+               gens = NULL;
+       }
+       return crld;
+
+       merr:
+       X509V3err(X509V3_F_V2I_CRLD,ERR_R_MALLOC_FAILURE);
+       err:
+       GENERAL_NAME_free(gen);
+       GENERAL_NAMES_free(gens);
+       sk_DIST_POINT_pop_free(crld, DIST_POINT_free);
+       return NULL;
+}
+
+int i2d_CRL_DIST_POINTS(STACK_OF(DIST_POINT) *a, unsigned char **pp)
+{
+
+return i2d_ASN1_SET_OF_DIST_POINT(a, pp, i2d_DIST_POINT, V_ASN1_SEQUENCE,
+                                                 V_ASN1_UNIVERSAL, IS_SEQUENCE);}
+
+STACK_OF(DIST_POINT) *CRL_DIST_POINTS_new(void)
+{
+       return sk_DIST_POINT_new_null();
+}
+
+void CRL_DIST_POINTS_free(STACK_OF(DIST_POINT) *a)
+{
+       sk_DIST_POINT_pop_free(a, DIST_POINT_free);
+}
+
+STACK_OF(DIST_POINT) *d2i_CRL_DIST_POINTS(STACK_OF(DIST_POINT) **a,
+               unsigned char **pp,long length)
+{
+return d2i_ASN1_SET_OF_DIST_POINT(a, pp, length, d2i_DIST_POINT,
+                         DIST_POINT_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
+
+}
+
+IMPLEMENT_STACK_OF(DIST_POINT)
+IMPLEMENT_ASN1_SET_OF(DIST_POINT)
+
+int i2d_DIST_POINT(DIST_POINT *a, unsigned char **pp)
+{
+       int v = 0;
+       M_ASN1_I2D_vars(a);
+       /* NB: underlying type is a CHOICE so need EXPLICIT tagging */
+       M_ASN1_I2D_len_EXP_opt (a->distpoint, i2d_DIST_POINT_NAME, 0, v);
+       M_ASN1_I2D_len_IMP_opt (a->reasons, i2d_ASN1_BIT_STRING);
+       M_ASN1_I2D_len_IMP_opt (a->CRLissuer, i2d_GENERAL_NAMES);
+
+       M_ASN1_I2D_seq_total();
+
+       M_ASN1_I2D_put_EXP_opt (a->distpoint, i2d_DIST_POINT_NAME, 0, v);
+       M_ASN1_I2D_put_IMP_opt (a->reasons, i2d_ASN1_BIT_STRING, 1);
+       M_ASN1_I2D_put_IMP_opt (a->CRLissuer, i2d_GENERAL_NAMES, 2);
+
+       M_ASN1_I2D_finish();
+}
+
+DIST_POINT *DIST_POINT_new(void)
+{
+       DIST_POINT *ret=NULL;
+       ASN1_CTX c;
+       M_ASN1_New_Malloc(ret, DIST_POINT);
+       ret->distpoint = NULL;
+       ret->reasons = NULL;
+       ret->CRLissuer = NULL;
+       return (ret);
+       M_ASN1_New_Error(ASN1_F_DIST_POINT_NEW);
+}
+
+DIST_POINT *d2i_DIST_POINT(DIST_POINT **a, unsigned char **pp, long length)
+{
+       M_ASN1_D2I_vars(a,DIST_POINT *,DIST_POINT_new);
+       M_ASN1_D2I_Init();
+       M_ASN1_D2I_start_sequence();
+       M_ASN1_D2I_get_EXP_opt (ret->distpoint, d2i_DIST_POINT_NAME, 0);
+       M_ASN1_D2I_get_IMP_opt (ret->reasons, d2i_ASN1_BIT_STRING, 1,
+                                                       V_ASN1_BIT_STRING);
+       M_ASN1_D2I_get_IMP_opt (ret->CRLissuer, d2i_GENERAL_NAMES, 2,
+                                                       V_ASN1_SEQUENCE);
+       M_ASN1_D2I_Finish(a, DIST_POINT_free, ASN1_F_D2I_DIST_POINT);
+}
+
+void DIST_POINT_free(DIST_POINT *a)
+{
+       if (a == NULL) return;
+       DIST_POINT_NAME_free(a->distpoint);
+       ASN1_BIT_STRING_free(a->reasons);
+       sk_GENERAL_NAME_pop_free(a->CRLissuer, GENERAL_NAME_free);
+       Free ((char *)a);
+}
+
+int i2d_DIST_POINT_NAME(DIST_POINT_NAME *a, unsigned char **pp)
+{
+       int v = 0;
+       M_ASN1_I2D_vars(a);
+
+       if(a->fullname) {
+               M_ASN1_I2D_len_IMP_opt (a->fullname, i2d_GENERAL_NAMES);
+       } else {
+               M_ASN1_I2D_len_EXP_opt (a->relativename, i2d_X509_NAME, 1, v);
+       }
+
+       /* Don't want a SEQUENCE so... */
+       if(pp == NULL) return ret;
+       p = *pp;
+
+       if(a->fullname) {
+               M_ASN1_I2D_put_IMP_opt (a->fullname, i2d_GENERAL_NAMES, 0);
+       } else {
+               M_ASN1_I2D_put_EXP_opt (a->relativename, i2d_X509_NAME, 1, v);
+       }
+       M_ASN1_I2D_finish();
+}
+
+DIST_POINT_NAME *DIST_POINT_NAME_new(void)
+{
+       DIST_POINT_NAME *ret=NULL;
+       ASN1_CTX c;
+       M_ASN1_New_Malloc(ret, DIST_POINT_NAME);
+       ret->fullname = NULL;
+       ret->relativename = NULL;
+       return (ret);
+       M_ASN1_New_Error(ASN1_F_DIST_POINT_NAME_NEW);
+}
+
+void DIST_POINT_NAME_free(DIST_POINT_NAME *a)
+{
+       if (a == NULL) return;
+       X509_NAME_free(a->relativename);
+       sk_GENERAL_NAME_pop_free(a->fullname, GENERAL_NAME_free);
+       Free ((char *)a);
+}
+
+DIST_POINT_NAME *d2i_DIST_POINT_NAME(DIST_POINT_NAME **a, unsigned char **pp,
+            long length)
+{
+        unsigned char _tmp, tag;
+        M_ASN1_D2I_vars(a,DIST_POINT_NAME *,DIST_POINT_NAME_new);
+        M_ASN1_D2I_Init();
+        c.slen = length;
+
+        _tmp = M_ASN1_next;
+        tag = _tmp & ~V_ASN1_CONSTRUCTED;
+       
+       if(tag == (0|V_ASN1_CONTEXT_SPECIFIC)) {
+               M_ASN1_D2I_get_imp(ret->fullname, d2i_GENERAL_NAMES,
+                                                       V_ASN1_SEQUENCE);
+       } else if (tag == (1|V_ASN1_CONTEXT_SPECIFIC)) {
+               M_ASN1_D2I_get_EXP_opt (ret->relativename, d2i_X509_NAME, 1);
+       } else {
+               c.error = ASN1_R_BAD_TAG;
+               goto err;
+       }
+
+       M_ASN1_D2I_Finish(a, DIST_POINT_NAME_free, ASN1_F_D2I_DIST_POINT_NAME);
+}
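Review bot: i2v_crld dereferences point->distpoint unconditionally when it reads fullname and relativename, but d2i_DIST_POINT decodes distpoint with M_ASN1_D2I_get_EXP_opt, so a certificate whose DistributionPoint carries only reasons or cRLIssuer leaves distpoint NULL and printing the extension dereferences it; change the two tests to `if(point->distpoint && point->distpoint->fullname)` and `if(point->distpoint && point->distpoint->relativename)`. In d2i_DIST_POINT_NAME the tag peek `_tmp = M_ASN1_next;` happens before anything checks that length is positive, so if M_ASN1_next dereferences c.p directly (as the asn1_mac.h macros appear to) an empty EXPLICIT [0] wrapper reads one byte past the supplied data; a guard such as `if(length < 1) { c.error = ASN1_R_BAD_TAG; goto err; }` placed before the peek would close that. The relativename branch in both i2d_DIST_POINT_NAME and d2i_DIST_POINT_NAME treats [1] as an EXPLICIT X509_NAME, whereas RFC 2459 defines nameRelativeToCRLIssuer as an IMPLICIT RelativeDistinguishedName (a single RDN); since the doc says this field cannot be set yet, a comment noting the encoding is provisional would save the next maintainer from relying on it. The commented-out ASN1err calls above i2v_crld look like placeholders for the error-code script and deserve a one-line comment saying so.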
index 55b807c..f71e656 100644 (file)
@@ -142,7 +142,7 @@ extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
 extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet;
 extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
 
-extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_cpols;
+extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_cpols, v3_crld;
 
 int X509V3_add_standard_extensions(void)
 {
@@ -159,6 +159,7 @@ int X509V3_add_standard_extensions(void)
        X509V3_EXT_add(&v3_sxnet);
        X509V3_EXT_add(&v3_crl_reason);
        X509V3_EXT_add(&v3_cpols);
+       X509V3_EXT_add(&v3_crld);
        return 1;
 }
 
index 09c5ff4..a00dda7 100644 (file)
@@ -87,6 +87,7 @@ static ERR_STRING_DATA X509V3_str_functs[]=
 {ERR_PACK(0,X509V3_F_V2I_ASN1_BIT_STRING,0),   "V2I_ASN1_BIT_STRING"},
 {ERR_PACK(0,X509V3_F_V2I_AUTHORITY_KEYID,0),   "V2I_AUTHORITY_KEYID"},
 {ERR_PACK(0,X509V3_F_V2I_BASIC_CONSTRAINTS,0), "V2I_BASIC_CONSTRAINTS"},
+{ERR_PACK(0,X509V3_F_V2I_CRLD,0),      "V2I_CRLD"},
 {ERR_PACK(0,X509V3_F_V2I_EXT_KU,0),    "V2I_EXT_KU"},
 {ERR_PACK(0,X509V3_F_V2I_GENERAL_NAME,0),      "v2i_GENERAL_NAME"},
 {ERR_PACK(0,X509V3_F_V2I_GENERAL_NAMES,0),     "v2i_GENERAL_NAMES"},
index bdb68d1..1851deb 100644 (file)
@@ -25,6 +25,7 @@
 #define X509V3_F_V2I_ASN1_BIT_STRING                    101
 #define X509V3_F_V2I_AUTHORITY_KEYID                    119
 #define X509V3_F_V2I_BASIC_CONSTRAINTS                  102
+#define X509V3_F_V2I_CRLD                               134
 #define X509V3_F_V2I_EXT_KU                             103
 #define X509V3_F_V2I_GENERAL_NAME                       117
 #define X509V3_F_V2I_GENERAL_NAMES                      118
index 84443cb..b823b36 100644 (file)
@@ -180,6 +180,21 @@ union {
 DECLARE_STACK_OF(GENERAL_NAME)
 DECLARE_ASN1_SET_OF(GENERAL_NAME)
 
+typedef struct DIST_POINT_NAME_st {
+/* NB: this is a CHOICE type and only one of these should be set */
+STACK_OF(GENERAL_NAME) *fullname;
+X509_NAME *relativename;
+} DIST_POINT_NAME;
+
+typedef struct DIST_POINT_st {
+DIST_POINT_NAME        *distpoint;
+ASN1_BIT_STRING *reasons;
+STACK_OF(GENERAL_NAME) *CRLissuer;
+} DIST_POINT;
+
+DECLARE_STACK_OF(DIST_POINT)
+DECLARE_ASN1_SET_OF(DIST_POINT)
+
 typedef struct AUTHORITY_KEYID_st {
 ASN1_OCTET_STRING *keyid;
 STACK_OF(GENERAL_NAME) *issuer;
@@ -343,6 +358,23 @@ NOTICEREF *NOTICEREF_new(void);
 NOTICEREF *d2i_NOTICEREF(NOTICEREF **a, unsigned char **pp, long length);
 void NOTICEREF_free(NOTICEREF *a);
 
+int i2d_CRL_DIST_POINTS(STACK_OF(DIST_POINT) *a, unsigned char **pp);
+STACK_OF(DIST_POINT) *CRL_DIST_POINTS_new(void);
+void CRL_DIST_POINTS_free(STACK_OF(DIST_POINT) *a);
+STACK_OF(DIST_POINT) *d2i_CRL_DIST_POINTS(STACK_OF(DIST_POINT) **a,
+                unsigned char **pp,long length);
+
+int i2d_DIST_POINT(DIST_POINT *a, unsigned char **pp);
+DIST_POINT *DIST_POINT_new(void);
+DIST_POINT *d2i_DIST_POINT(DIST_POINT **a, unsigned char **pp, long length);
+void DIST_POINT_free(DIST_POINT *a);
+
+int i2d_DIST_POINT_NAME(DIST_POINT_NAME *a, unsigned char **pp);
+DIST_POINT_NAME *DIST_POINT_NAME_new(void);
+void DIST_POINT_NAME_free(DIST_POINT_NAME *a);
+DIST_POINT_NAME *d2i_DIST_POINT_NAME(DIST_POINT_NAME **a, unsigned char **pp,
+             long length);
+
 #ifdef HEADER_CONF_H
 GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, CONF_VALUE *cnf);
 void X509V3_conf_free(CONF_VALUE *val);
@@ -537,6 +569,7 @@ int X509V3_EXT_print_fp();
 #define X509V3_F_V2I_ASN1_BIT_STRING                    101
 #define X509V3_F_V2I_AUTHORITY_KEYID                    119
 #define X509V3_F_V2I_BASIC_CONSTRAINTS                  102
+#define X509V3_F_V2I_CRLD                               134
 #define X509V3_F_V2I_EXT_KU                             103
 #define X509V3_F_V2I_GENERAL_NAME                       117
 #define X509V3_F_V2I_GENERAL_NAMES                      118
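Review bot: The new DIST_POINT_st declaration does not say that all three members are OPTIONAL in the encoding, even though the matching d2i_DIST_POINT in v3_crld.c decodes each with an _opt macro and so may leave any of them NULL; a comment such as `/* all three fields are OPTIONAL: any may be NULL after d2i_DIST_POINT */` above the struct would tell callers to check before dereferencing. The DIST_POINT_NAME_st comment records that it is a CHOICE but not which member wins if both are set; i2d_DIST_POINT_NAME in v3_crld.c tests fullname first, so `/* fullname takes precedence if both are set */` would document the actual behaviour. relativename is declared as an X509_NAME, while RFC 2459 appears to define nameRelativeToCRLIssuer as a single RelativeDistinguishedName rather than a full Name; worth confirming against the spec before code starts populating it.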
index cbfbb2a..e42cbbf 100644 (file)
@@ -272,10 +272,83 @@ Issuer Alternative Name.
 
 The issuer alternative name option supports all the literal options of
 subject alternative name. It does *not* support the email:copy option because
-that would not make sense. It does support and additional issuer:copy option
+that would not make sense. It does support an additional issuer:copy option
 that will copy all the subject alternative name values from the issuer 
 certificate (if possible).
 
+CRL distribution points.
+
+This is a multivalued extension that supports all the literal options of
+subject alternative name. Of the few software packages that currently interpret
+this extension most only interpret the URI option.
+
+Currently each option will set a new DistributionPoint with the fullName
+field set to the given value.
+
+Other fields like cRLissuer and reasons cannot currently be set or displayed:
+at this time no examples were available that used these fields.
+
+If you see this extension with <UNSUPPORTED> when you attempt to print it out
+or it doesn't appear to display correctly then let me know, including the
+certificate (mail me at steve@openssl.org) .
+
+Examples:
+
+crlDistributionPoints=URI:http://www.myhost.com/myca.crl
+crlDistributionPoints=URI:http://www.my.com/my.crl,URI:http://www.oth.com/my.crl
+
+Certificate Policies.
+
+This is a RAW extension. It attempts to display the contents of this extension:
+unfortuntately this extension is often improperly encoded.
+
+The certificate policies extension will rarely be used in practice: few
+software packages interpret it correctly or at all.
+
+All the fields of this extension can be set by using the appropriate syntax.
+
+If you follow the PKIX recommendations of not including any qualifiers and just
+using only one OID then you just include the value of that OID. Multiple OIDs
+can be set separated by commas, for example:
+
+certificatePolicies= 1.2.4.5, 1.1.3.4
+
+If you wish to include qualifiers then the policy OID and qualifiers need to
+be specified in a separate section: this is done by using the @section syntax
+instead of a literal OID value.
+
+The section referred to must include the policy OID using the name
+policyIdentifier, cPSuri qualifiers can be included using the syntax:
+
+CPS.nnn=value
+
+userNotice qualifiers can be set using the syntax:
+
+userNotice.nnn=@notice
+
+The value of the userNotice qualifier is specified in the relevant section. This
+section can include explicitText, organization and noticeNumbers options. 
+explicitText and organization are text strings, noticeNumbers is a comma
+separated list of numbers. The organization and noticeNumbers options (if
+included) must BOTH be present.
+
+Example:
+
+certificatePolicies=1.2.3.4,1.5.6.7.8,@polsect
+
+[polsect]
+
+policyIdentifier = 1.3.5.8
+CPS.1="http://my.host.name/"
+CPS.2="http://my.your.name/"
+userNotice.1=@notice
+
+[notice]
+
+explicitText="Explicit Text Here"
+organization="Organisation Name"
+noticeNumbers=1,2,3,4
+
 Display only extensions.
 
 Some extensions are only partially supported and currently are only displayed