Support for CRL distribution points extension. Also document some of
this stuff.

author    Dr. Stephen Henson <steve@openssl.org>
          Wed, 21 Apr 1999 17:44:45 +0000 (17:44 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
          Wed, 21 Apr 1999 17:44:45 +0000 (17:44 +0000)

13 files changed:
CHANGES
STATUS
crypto/asn1/asn1.err
crypto/asn1/asn1.h
crypto/asn1/asn1_err.c
crypto/x509v3/Makefile.ssl
crypto/x509v3/v3_cpols.c
crypto/x509v3/v3_crld.c [new file with mode: 0644]
crypto/x509v3/v3_lib.c
crypto/x509v3/v3err.c
crypto/x509v3/x509v3.err
crypto/x509v3/x509v3.h
doc/openssl.txt

diff --git a/CHANGES b/CHANGES
index ee8a65a..9b5fc0d 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -5,6 +5,10 @@
 
  Changes between 0.9.2b and 0.9.3
 
 
  Changes between 0.9.2b and 0.9.3
 
+  *) Add support for CRL distribution points extension. Add Certificate
+     Policies and CRL distribution points documentation.
+     [Steve Henson]
+
   *) Move the autogenerated header file parts to crypto/opensslconf.h.
      [Ulf Möller]
 
   *) Move the autogenerated header file parts to crypto/opensslconf.h.
      [Ulf Möller]
 
@@ -23,6 +27,7 @@
   *) Fix problems with sizeof(long) == 8.
      [Andy Polyakov <appro@fy.chalmers.se>]
 
   *) Fix problems with sizeof(long) == 8.
      [Andy Polyakov <appro@fy.chalmers.se>]
 
+>>>>>>> 1.185
   *) Change functions to ANSI C.
      [Ulf Möller]
 
   *) Change functions to ANSI C.
      [Ulf Möller]
 
@@ -36,7 +41,7 @@
      [Andy Polyakov <appro@fy.chalmers.se>]
 
   *) Support for Certificate Policies extension: both print and set.
      [Andy Polyakov <appro@fy.chalmers.se>]
 
   *) Support for Certificate Policies extension: both print and set.
-     Various additions to support the r2i method this extension will use.
+     Various additions to support the r2i method this uses.
      [Steve Henson]
 
   *) A lot of constification, and fix a bug in X509_NAME_oneline() that could
      [Steve Henson]
 
   *) A lot of constification, and fix a bug in X509_NAME_oneline() that could
diff --git a/STATUS b/STATUS
index b1a8a2e..804ef8a 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -1,6 +1,6 @@
 
   OpenSSL STATUS                           Last modified at
 
   OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 1999/04/21 17:30:41 $
+  ______________                           $Date: 1999/04/21 17:44:32 $
 
   DEVELOPMENT STATE
 
 
   DEVELOPMENT STATE
 
@@ -40,6 +40,7 @@
         PKCS#12 code cleanup and enhancement.
        PKCS #8 and PKCS#5 v2.0 support.
        Private key, certificate and CRL API and implementation.
         PKCS#12 code cleanup and enhancement.
        PKCS #8 and PKCS#5 v2.0 support.
        Private key, certificate and CRL API and implementation.
+       Redo error code and DEF file generation scripts.
 
     o Mark is currently working on:
         Folding in any changes that are in the C2Net code base that were
 
     o Mark is currently working on:
         Folding in any changes that are in the C2Net code base that were
index e032270..22b7fb3 100644 (file)
@@ -57,6 +57,8 @@
 #define ASN1_F_D2I_AUTHORITY_KEYID                      238
 #define ASN1_F_D2I_BASIC_CONSTRAINTS                    227
 #define ASN1_F_D2I_DHPARAMS                             136
 #define ASN1_F_D2I_AUTHORITY_KEYID                      238
 #define ASN1_F_D2I_BASIC_CONSTRAINTS                    227
 #define ASN1_F_D2I_DHPARAMS                             136
+#define ASN1_F_D2I_DIST_POINT                           276
+#define ASN1_F_D2I_DIST_POINT_NAME                      277
 #define ASN1_F_D2I_DSAPARAMS                            137
 #define ASN1_F_D2I_DSAPRIVATEKEY                        138
 #define ASN1_F_D2I_DSAPUBLICKEY                                 139
 #define ASN1_F_D2I_DSAPARAMS                            137
 #define ASN1_F_D2I_DSAPRIVATEKEY                        138
 #define ASN1_F_D2I_DSAPUBLICKEY                                 139
 #define ASN1_F_D2I_X509_REVOKED                                 173
 #define ASN1_F_D2I_X509_SIG                             174
 #define ASN1_F_D2I_X509_VAL                             175
 #define ASN1_F_D2I_X509_REVOKED                                 173
 #define ASN1_F_D2I_X509_SIG                             174
 #define ASN1_F_D2I_X509_VAL                             175
+#define ASN1_F_DIST_POINT_NAME_NEW                      278
+#define ASN1_F_DIST_POINT_NEW                           279
 #define ASN1_F_GENERAL_NAME_NEW                                 231
 #define ASN1_F_I2D_ASN1_HEADER                          176
 #define ASN1_F_I2D_ASN1_TIME                            225
 #define ASN1_F_GENERAL_NAME_NEW                                 231
 #define ASN1_F_I2D_ASN1_HEADER                          176
 #define ASN1_F_I2D_ASN1_TIME                            225
index 04174cd..5f113b4 100644 (file)
@@ -864,6 +864,8 @@ ASN1_STRING *ASN1_pack_string();
 #define ASN1_F_D2I_AUTHORITY_KEYID                      238
 #define ASN1_F_D2I_BASIC_CONSTRAINTS                    227
 #define ASN1_F_D2I_DHPARAMS                             136
 #define ASN1_F_D2I_AUTHORITY_KEYID                      238
 #define ASN1_F_D2I_BASIC_CONSTRAINTS                    227
 #define ASN1_F_D2I_DHPARAMS                             136
+#define ASN1_F_D2I_DIST_POINT                           276
+#define ASN1_F_D2I_DIST_POINT_NAME                      277
 #define ASN1_F_D2I_DSAPARAMS                            137
 #define ASN1_F_D2I_DSAPRIVATEKEY                        138
 #define ASN1_F_D2I_DSAPUBLICKEY                                 139
 #define ASN1_F_D2I_DSAPARAMS                            137
 #define ASN1_F_D2I_DSAPRIVATEKEY                        138
 #define ASN1_F_D2I_DSAPUBLICKEY                                 139
@@ -920,6 +922,8 @@ ASN1_STRING *ASN1_pack_string();
 #define ASN1_F_D2I_X509_REVOKED                                 173
 #define ASN1_F_D2I_X509_SIG                             174
 #define ASN1_F_D2I_X509_VAL                             175
 #define ASN1_F_D2I_X509_REVOKED                                 173
 #define ASN1_F_D2I_X509_SIG                             174
 #define ASN1_F_D2I_X509_VAL                             175
+#define ASN1_F_DIST_POINT_NAME_NEW                      278
+#define ASN1_F_DIST_POINT_NEW                           279
 #define ASN1_F_GENERAL_NAME_NEW                                 231
 #define ASN1_F_I2D_ASN1_HEADER                          176
 #define ASN1_F_I2D_ASN1_TIME                            225
 #define ASN1_F_GENERAL_NAME_NEW                                 231
 #define ASN1_F_I2D_ASN1_HEADER                          176
 #define ASN1_F_I2D_ASN1_TIME                            225
index 7d82170..463500b 100644 (file)
@@ -119,6 +119,8 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_D2I_AUTHORITY_KEYID,0),     "D2I_AUTHORITY_KEYID"},
 {ERR_PACK(0,ASN1_F_D2I_BASIC_CONSTRAINTS,0),   "D2I_BASIC_CONSTRAINTS"},
 {ERR_PACK(0,ASN1_F_D2I_DHPARAMS,0),    "D2I_DHPARAMS"},
 {ERR_PACK(0,ASN1_F_D2I_AUTHORITY_KEYID,0),     "D2I_AUTHORITY_KEYID"},
 {ERR_PACK(0,ASN1_F_D2I_BASIC_CONSTRAINTS,0),   "D2I_BASIC_CONSTRAINTS"},
 {ERR_PACK(0,ASN1_F_D2I_DHPARAMS,0),    "D2I_DHPARAMS"},
+{ERR_PACK(0,ASN1_F_D2I_DIST_POINT,0),  "D2I_DIST_POINT"},
+{ERR_PACK(0,ASN1_F_D2I_DIST_POINT_NAME,0),     "D2I_DIST_POINT_NAME"},
 {ERR_PACK(0,ASN1_F_D2I_DSAPARAMS,0),   "D2I_DSAPARAMS"},
 {ERR_PACK(0,ASN1_F_D2I_DSAPRIVATEKEY,0),       "D2I_DSAPRIVATEKEY"},
 {ERR_PACK(0,ASN1_F_D2I_DSAPUBLICKEY,0),        "D2I_DSAPUBLICKEY"},
 {ERR_PACK(0,ASN1_F_D2I_DSAPARAMS,0),   "D2I_DSAPARAMS"},
 {ERR_PACK(0,ASN1_F_D2I_DSAPRIVATEKEY,0),       "D2I_DSAPRIVATEKEY"},
 {ERR_PACK(0,ASN1_F_D2I_DSAPUBLICKEY,0),        "D2I_DSAPUBLICKEY"},
@@ -175,6 +177,8 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_D2I_X509_REVOKED,0),        "D2I_X509_REVOKED"},
 {ERR_PACK(0,ASN1_F_D2I_X509_SIG,0),    "D2I_X509_SIG"},
 {ERR_PACK(0,ASN1_F_D2I_X509_VAL,0),    "D2I_X509_VAL"},
 {ERR_PACK(0,ASN1_F_D2I_X509_REVOKED,0),        "D2I_X509_REVOKED"},
 {ERR_PACK(0,ASN1_F_D2I_X509_SIG,0),    "D2I_X509_SIG"},
 {ERR_PACK(0,ASN1_F_D2I_X509_VAL,0),    "D2I_X509_VAL"},
+{ERR_PACK(0,ASN1_F_DIST_POINT_NAME_NEW,0),     "DIST_POINT_NAME_NEW"},
+{ERR_PACK(0,ASN1_F_DIST_POINT_NEW,0),  "DIST_POINT_NEW"},
 {ERR_PACK(0,ASN1_F_GENERAL_NAME_NEW,0),        "GENERAL_NAME_NEW"},
 {ERR_PACK(0,ASN1_F_I2D_ASN1_HEADER,0), "i2d_ASN1_HEADER"},
 {ERR_PACK(0,ASN1_F_I2D_ASN1_TIME,0),   "i2d_ASN1_TIME"},
 {ERR_PACK(0,ASN1_F_GENERAL_NAME_NEW,0),        "GENERAL_NAME_NEW"},
 {ERR_PACK(0,ASN1_F_I2D_ASN1_HEADER,0), "i2d_ASN1_HEADER"},
 {ERR_PACK(0,ASN1_F_I2D_ASN1_TIME,0),   "i2d_ASN1_TIME"},
index d15232e..4b4a11b 100644 (file)
@@ -24,10 +24,10 @@ APPS=
 LIB=$(TOP)/libcrypto.a
 LIBSRC=        v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c \
 v3_lib.c v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c \
 LIB=$(TOP)/libcrypto.a
 LIBSRC=        v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c \
 v3_lib.c v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c \
-v3_pku.c v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c
+v3_pku.c v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c
 LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \
 v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \
 LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \
 v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \
-v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o
+v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o
 
 SRC= $(LIBSRC)
 
 
 SRC= $(LIBSRC)
 
index 7785047..95033f2 100644 (file)
@@ -209,15 +209,14 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx, STACK *polstrs)
 
        return pol;
 
 
        return pol;
 
-       err:
-       POLICYINFO_free(pol);
-       return NULL;
-       
        merr:
        X509V3err(X509V3_F_POLICY_SECTION,ERR_R_MALLOC_FAILURE);
        merr:
        X509V3err(X509V3_F_POLICY_SECTION,ERR_R_MALLOC_FAILURE);
+
+       err:
        POLICYINFO_free(pol);
        return NULL;
        
        POLICYINFO_free(pol);
        return NULL;
        
+       
 }
 
 static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, STACK *unot)
 }
 
 static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, STACK *unot)
@@ -277,12 +276,10 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, STACK *unot)
 
        return qual;
 
 
        return qual;
 
-       err:
-       POLICYQUALINFO_free(qual);
-       return NULL;
-
        merr:
        X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE);
        merr:
        X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE);
+
+       err:
        POLICYQUALINFO_free(qual);
        return NULL;
 }
        POLICYQUALINFO_free(qual);
        return NULL;
 }
@@ -304,12 +301,10 @@ static STACK *nref_nos(STACK *nos)
        }
        return nnums;
 
        }
        return nnums;
 
-       err:
-       sk_pop_free(nnums, ASN1_STRING_free);
-       return NULL;
-
        merr:
        X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE);
        merr:
        X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE);
+
+       err:
        sk_pop_free(nnums, ASN1_STRING_free);
        return NULL;
 }
        sk_pop_free(nnums, ASN1_STRING_free);
        return NULL;
 }
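Review bot: the merr label in nref_nos still reports `X509V3_F_NOTICE_SECTION` as the failing function, so an allocation failure here is attributed to notice_section in the error queue; since the hunk already rewrites these lines, give nref_nos its own function code (or say why it shares the notice_section one). The restructuring itself, falling through from merr into err so the free and return are written once, is fine and matches the other two functions in this file.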
diff --git a/crypto/x509v3/v3_crld.c b/crypto/x509v3/v3_crld.c
new file mode 100644 (file)
index 0000000..c0b63ee
--- /dev/null
@@ -0,0 +1,290 @@
+/* v3_crld.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include "conf.h"
+#include "asn1.h"
+#include "asn1_mac.h"
+#include "x509v3.h"
+
+static STACK *i2v_crld(X509V3_EXT_METHOD *method, STACK_OF(DIST_POINT) *crld,
+                                                        STACK *extlist);
+static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
+                                                X509V3_CTX *ctx, STACK *nval);
+
+X509V3_EXT_METHOD v3_crld = {
+NID_crl_distribution_points, X509V3_EXT_MULTILINE,
+(X509V3_EXT_NEW)CRL_DIST_POINTS_new,
+CRL_DIST_POINTS_free,
+(X509V3_EXT_D2I)d2i_CRL_DIST_POINTS,
+i2d_CRL_DIST_POINTS,
+NULL, NULL,
+(X509V3_EXT_I2V)i2v_crld,
+(X509V3_EXT_V2I)v2i_crld,
+NULL, NULL, NULL
+};
+
+/*
+ * ASN1err(ASN1_F_DIST_POINT_NEW,ERR_R_MALLOC_FAILURE);
+ * ASN1err(ASN1_F_D2I_DIST_POINT,ERR_R_MALLOC_FAILURE);
+ * ASN1err(ASN1_F_DIST_POINT_NAME_NEW,ERR_R_MALLOC_FAILURE);
+ * ASN1err(ASN1_F_D2I_DIST_POINT_NAME,ERR_R_MALLOC_FAILURE);
+ */
+
+static STACK *i2v_crld(X509V3_EXT_METHOD *method, STACK_OF(DIST_POINT) *crld,
+                                                                STACK *exts)
+{
+       DIST_POINT *point;
+       int i;
+       for(i = 0; i < sk_DIST_POINT_num(crld); i++) {
+               point = sk_DIST_POINT_value(crld, i);
+               if(point->distpoint->fullname) {
+                       exts = i2v_GENERAL_NAMES(NULL,
+                                        point->distpoint->fullname, exts);
+               }
+               if(point->reasons) 
+                       X509V3_add_value("reasons","<UNSUPPORTED>", &exts);
+               if(point->CRLissuer)
+                       X509V3_add_value("CRLissuer","<UNSUPPORTED>", &exts);
+               if(point->distpoint->relativename)
+                       X509V3_add_value("RelativeName","<UNSUPPORTED>", &exts);
+       }
+       return exts;
+}
+
+static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
+                                                X509V3_CTX *ctx, STACK *nval)
+{
+       STACK_OF(DIST_POINT) *crld = NULL;
+       STACK_OF(GENERAL_NAME) *gens = NULL;
+       GENERAL_NAME *gen = NULL;
+       CONF_VALUE *cnf;
+       int i;
+       if(!(crld = sk_DIST_POINT_new(NULL))) goto merr;
+       for(i = 0; i < sk_num(nval); i++) {
+               DIST_POINT *point;
+               cnf = (CONF_VALUE *)sk_value(nval, i);
+               if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) goto err; 
+               if(!(gens = GENERAL_NAMES_new())) goto merr;
+               if(!sk_GENERAL_NAME_push(gens, gen)) goto merr;
+               gen = NULL;
+               if(!(point = DIST_POINT_new())) goto merr;
+               if(!sk_DIST_POINT_push(crld, point)) {
+                       DIST_POINT_free(point);
+                       goto merr;
+               }
+               if(!(point->distpoint = DIST_POINT_NAME_new())) goto merr;
+               point->distpoint->fullname = gens;
+               gens = NULL;
+       }
+       return crld;
+
+       merr:
+       X509V3err(X509V3_F_V2I_CRLD,ERR_R_MALLOC_FAILURE);
+       err:
+       GENERAL_NAME_free(gen);
+       GENERAL_NAMES_free(gens);
+       sk_DIST_POINT_pop_free(crld, DIST_POINT_free);
+       return NULL;
+}
+
+int i2d_CRL_DIST_POINTS(STACK_OF(DIST_POINT) *a, unsigned char **pp)
+{
+
+return i2d_ASN1_SET_OF_DIST_POINT(a, pp, i2d_DIST_POINT, V_ASN1_SEQUENCE,
+                                                 V_ASN1_UNIVERSAL, IS_SEQUENCE);}
+
+STACK_OF(DIST_POINT) *CRL_DIST_POINTS_new(void)
+{
+       return sk_DIST_POINT_new_null();
+}
+
+void CRL_DIST_POINTS_free(STACK_OF(DIST_POINT) *a)
+{
+       sk_DIST_POINT_pop_free(a, DIST_POINT_free);
+}
+
+STACK_OF(DIST_POINT) *d2i_CRL_DIST_POINTS(STACK_OF(DIST_POINT) **a,
+               unsigned char **pp,long length)
+{
+return d2i_ASN1_SET_OF_DIST_POINT(a, pp, length, d2i_DIST_POINT,
+                         DIST_POINT_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
+
+}
+
+IMPLEMENT_STACK_OF(DIST_POINT)
+IMPLEMENT_ASN1_SET_OF(DIST_POINT)
+
+int i2d_DIST_POINT(DIST_POINT *a, unsigned char **pp)
+{
+       int v = 0;
+       M_ASN1_I2D_vars(a);
+       /* NB: underlying type is a CHOICE so need EXPLICIT tagging */
+       M_ASN1_I2D_len_EXP_opt (a->distpoint, i2d_DIST_POINT_NAME, 0, v);
+       M_ASN1_I2D_len_IMP_opt (a->reasons, i2d_ASN1_BIT_STRING);
+       M_ASN1_I2D_len_IMP_opt (a->CRLissuer, i2d_GENERAL_NAMES);
+
+       M_ASN1_I2D_seq_total();
+
+       M_ASN1_I2D_put_EXP_opt (a->distpoint, i2d_DIST_POINT_NAME, 0, v);
+       M_ASN1_I2D_put_IMP_opt (a->reasons, i2d_ASN1_BIT_STRING, 1);
+       M_ASN1_I2D_put_IMP_opt (a->CRLissuer, i2d_GENERAL_NAMES, 2);
+
+       M_ASN1_I2D_finish();
+}
+
+DIST_POINT *DIST_POINT_new(void)
+{
+       DIST_POINT *ret=NULL;
+       ASN1_CTX c;
+       M_ASN1_New_Malloc(ret, DIST_POINT);
+       ret->distpoint = NULL;
+       ret->reasons = NULL;
+       ret->CRLissuer = NULL;
+       return (ret);
+       M_ASN1_New_Error(ASN1_F_DIST_POINT_NEW);
+}
+
+DIST_POINT *d2i_DIST_POINT(DIST_POINT **a, unsigned char **pp, long length)
+{
+       M_ASN1_D2I_vars(a,DIST_POINT *,DIST_POINT_new);
+       M_ASN1_D2I_Init();
+       M_ASN1_D2I_start_sequence();
+       M_ASN1_D2I_get_EXP_opt (ret->distpoint, d2i_DIST_POINT_NAME, 0);
+       M_ASN1_D2I_get_IMP_opt (ret->reasons, d2i_ASN1_BIT_STRING, 1,
+                                                       V_ASN1_BIT_STRING);
+       M_ASN1_D2I_get_IMP_opt (ret->CRLissuer, d2i_GENERAL_NAMES, 2,
+                                                       V_ASN1_SEQUENCE);
+       M_ASN1_D2I_Finish(a, DIST_POINT_free, ASN1_F_D2I_DIST_POINT);
+}
+
+void DIST_POINT_free(DIST_POINT *a)
+{
+       if (a == NULL) return;
+       DIST_POINT_NAME_free(a->distpoint);
+       ASN1_BIT_STRING_free(a->reasons);
+       sk_GENERAL_NAME_pop_free(a->CRLissuer, GENERAL_NAME_free);
+       Free ((char *)a);
+}
+
+int i2d_DIST_POINT_NAME(DIST_POINT_NAME *a, unsigned char **pp)
+{
+       int v = 0;
+       M_ASN1_I2D_vars(a);
+
+       if(a->fullname) {
+               M_ASN1_I2D_len_IMP_opt (a->fullname, i2d_GENERAL_NAMES);
+       } else {
+               M_ASN1_I2D_len_EXP_opt (a->relativename, i2d_X509_NAME, 1, v);
+       }
+
+       /* Don't want a SEQUENCE so... */
+       if(pp == NULL) return ret;
+       p = *pp;
+
+       if(a->fullname) {
+               M_ASN1_I2D_put_IMP_opt (a->fullname, i2d_GENERAL_NAMES, 0);
+       } else {
+               M_ASN1_I2D_put_EXP_opt (a->relativename, i2d_X509_NAME, 1, v);
+       }
+       M_ASN1_I2D_finish();
+}
+
+DIST_POINT_NAME *DIST_POINT_NAME_new(void)
+{
+       DIST_POINT_NAME *ret=NULL;
+       ASN1_CTX c;
+       M_ASN1_New_Malloc(ret, DIST_POINT_NAME);
+       ret->fullname = NULL;
+       ret->relativename = NULL;
+       return (ret);
+       M_ASN1_New_Error(ASN1_F_DIST_POINT_NAME_NEW);
+}
+
+void DIST_POINT_NAME_free(DIST_POINT_NAME *a)
+{
+       if (a == NULL) return;
+       X509_NAME_free(a->relativename);
+       sk_GENERAL_NAME_pop_free(a->fullname, GENERAL_NAME_free);
+       Free ((char *)a);
+}
+
+DIST_POINT_NAME *d2i_DIST_POINT_NAME(DIST_POINT_NAME **a, unsigned char **pp,
+            long length)
+{
+        unsigned char _tmp, tag;
+        M_ASN1_D2I_vars(a,DIST_POINT_NAME *,DIST_POINT_NAME_new);
+        M_ASN1_D2I_Init();
+        c.slen = length;
+
+        _tmp = M_ASN1_next;
+        tag = _tmp & ~V_ASN1_CONSTRUCTED;
+       
+       if(tag == (0|V_ASN1_CONTEXT_SPECIFIC)) {
+               M_ASN1_D2I_get_imp(ret->fullname, d2i_GENERAL_NAMES,
+                                                       V_ASN1_SEQUENCE);
+       } else if (tag == (1|V_ASN1_CONTEXT_SPECIFIC)) {
+               M_ASN1_D2I_get_EXP_opt (ret->relativename, d2i_X509_NAME, 1);
+       } else {
+               c.error = ASN1_R_BAD_TAG;
+               goto err;
+       }
+
+       M_ASN1_D2I_Finish(a, DIST_POINT_NAME_free, ASN1_F_D2I_DIST_POINT_NAME);
+}
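Review bot: i2v_crld dereferences point->distpoint unconditionally (`if(point->distpoint->fullname)` and later `point->distpoint->relativename`), but d2i_DIST_POINT reads that field with `M_ASN1_D2I_get_EXP_opt`, so a DistributionPoint carrying only reasons or cRLIssuer leaves distpoint NULL and the printer crashes on it; guard both accesses with `if(point->distpoint)`. Related: i2d_DIST_POINT_NAME deliberately skips `M_ASN1_I2D_seq_total()` (the "Don't want a SEQUENCE" branch) but still ends with `M_ASN1_I2D_finish()`; please confirm that what the macro returns in that case is the computed length `ret` and not the sequence total that was never filled in, otherwise the EXPLICIT [0] wrapper written by i2d_DIST_POINT gets a wrong length.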
index 55b807c..f71e656 100644 (file)
@@ -142,7 +142,7 @@ extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
 extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet;
 extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
 
 extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet;
 extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
 
-extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_cpols;
+extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_cpols, v3_crld;
 
 int X509V3_add_standard_extensions(void)
 {
 
 int X509V3_add_standard_extensions(void)
 {
@@ -159,6 +159,7 @@ int X509V3_add_standard_extensions(void)
        X509V3_EXT_add(&v3_sxnet);
        X509V3_EXT_add(&v3_crl_reason);
        X509V3_EXT_add(&v3_cpols);
        X509V3_EXT_add(&v3_sxnet);
        X509V3_EXT_add(&v3_crl_reason);
        X509V3_EXT_add(&v3_cpols);
+       X509V3_EXT_add(&v3_crld);
        return 1;
 }
 
        return 1;
 }
 
index 09c5ff4..a00dda7 100644 (file)
@@ -87,6 +87,7 @@ static ERR_STRING_DATA X509V3_str_functs[]=
 {ERR_PACK(0,X509V3_F_V2I_ASN1_BIT_STRING,0),   "V2I_ASN1_BIT_STRING"},
 {ERR_PACK(0,X509V3_F_V2I_AUTHORITY_KEYID,0),   "V2I_AUTHORITY_KEYID"},
 {ERR_PACK(0,X509V3_F_V2I_BASIC_CONSTRAINTS,0), "V2I_BASIC_CONSTRAINTS"},
 {ERR_PACK(0,X509V3_F_V2I_ASN1_BIT_STRING,0),   "V2I_ASN1_BIT_STRING"},
 {ERR_PACK(0,X509V3_F_V2I_AUTHORITY_KEYID,0),   "V2I_AUTHORITY_KEYID"},
 {ERR_PACK(0,X509V3_F_V2I_BASIC_CONSTRAINTS,0), "V2I_BASIC_CONSTRAINTS"},
+{ERR_PACK(0,X509V3_F_V2I_CRLD,0),      "V2I_CRLD"},
 {ERR_PACK(0,X509V3_F_V2I_EXT_KU,0),    "V2I_EXT_KU"},
 {ERR_PACK(0,X509V3_F_V2I_GENERAL_NAME,0),      "v2i_GENERAL_NAME"},
 {ERR_PACK(0,X509V3_F_V2I_GENERAL_NAMES,0),     "v2i_GENERAL_NAMES"},
 {ERR_PACK(0,X509V3_F_V2I_EXT_KU,0),    "V2I_EXT_KU"},
 {ERR_PACK(0,X509V3_F_V2I_GENERAL_NAME,0),      "v2i_GENERAL_NAME"},
 {ERR_PACK(0,X509V3_F_V2I_GENERAL_NAMES,0),     "v2i_GENERAL_NAMES"},
index bdb68d1..1851deb 100644 (file)
@@ -25,6 +25,7 @@
 #define X509V3_F_V2I_ASN1_BIT_STRING                    101
 #define X509V3_F_V2I_AUTHORITY_KEYID                    119
 #define X509V3_F_V2I_BASIC_CONSTRAINTS                  102
 #define X509V3_F_V2I_ASN1_BIT_STRING                    101
 #define X509V3_F_V2I_AUTHORITY_KEYID                    119
 #define X509V3_F_V2I_BASIC_CONSTRAINTS                  102
+#define X509V3_F_V2I_CRLD                               134
 #define X509V3_F_V2I_EXT_KU                             103
 #define X509V3_F_V2I_GENERAL_NAME                       117
 #define X509V3_F_V2I_GENERAL_NAMES                      118
 #define X509V3_F_V2I_EXT_KU                             103
 #define X509V3_F_V2I_GENERAL_NAME                       117
 #define X509V3_F_V2I_GENERAL_NAMES                      118
index 84443cb..b823b36 100644 (file)
@@ -180,6 +180,21 @@ union {
 DECLARE_STACK_OF(GENERAL_NAME)
 DECLARE_ASN1_SET_OF(GENERAL_NAME)
 
 DECLARE_STACK_OF(GENERAL_NAME)
 DECLARE_ASN1_SET_OF(GENERAL_NAME)
 
+typedef struct DIST_POINT_NAME_st {
+/* NB: this is a CHOICE type and only one of these should be set */
+STACK_OF(GENERAL_NAME) *fullname;
+X509_NAME *relativename;
+} DIST_POINT_NAME;
+
+typedef struct DIST_POINT_st {
+DIST_POINT_NAME        *distpoint;
+ASN1_BIT_STRING *reasons;
+STACK_OF(GENERAL_NAME) *CRLissuer;
+} DIST_POINT;
+
+DECLARE_STACK_OF(DIST_POINT)
+DECLARE_ASN1_SET_OF(DIST_POINT)
+
 typedef struct AUTHORITY_KEYID_st {
 ASN1_OCTET_STRING *keyid;
 STACK_OF(GENERAL_NAME) *issuer;
 typedef struct AUTHORITY_KEYID_st {
 ASN1_OCTET_STRING *keyid;
 STACK_OF(GENERAL_NAME) *issuer;
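Review bot: all three members of DIST_POINT_st are OPTIONAL in the ASN.1 and can be NULL after decoding (the new d2i code reads each with an `_opt` getter); a comment on the struct like the one on DIST_POINT_NAME_st would tell callers to check for NULL before dereferencing distpoint, reasons or CRLissuer.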
@@ -343,6 +358,23 @@ NOTICEREF *NOTICEREF_new(void);
 NOTICEREF *d2i_NOTICEREF(NOTICEREF **a, unsigned char **pp, long length);
 void NOTICEREF_free(NOTICEREF *a);
 
 NOTICEREF *d2i_NOTICEREF(NOTICEREF **a, unsigned char **pp, long length);
 void NOTICEREF_free(NOTICEREF *a);
 
+int i2d_CRL_DIST_POINTS(STACK_OF(DIST_POINT) *a, unsigned char **pp);
+STACK_OF(DIST_POINT) *CRL_DIST_POINTS_new(void);
+void CRL_DIST_POINTS_free(STACK_OF(DIST_POINT) *a);
+STACK_OF(DIST_POINT) *d2i_CRL_DIST_POINTS(STACK_OF(DIST_POINT) **a,
+                unsigned char **pp,long length);
+
+int i2d_DIST_POINT(DIST_POINT *a, unsigned char **pp);
+DIST_POINT *DIST_POINT_new(void);
+DIST_POINT *d2i_DIST_POINT(DIST_POINT **a, unsigned char **pp, long length);
+void DIST_POINT_free(DIST_POINT *a);
+
+int i2d_DIST_POINT_NAME(DIST_POINT_NAME *a, unsigned char **pp);
+DIST_POINT_NAME *DIST_POINT_NAME_new(void);
+void DIST_POINT_NAME_free(DIST_POINT_NAME *a);
+DIST_POINT_NAME *d2i_DIST_POINT_NAME(DIST_POINT_NAME **a, unsigned char **pp,
+             long length);
+
 #ifdef HEADER_CONF_H
 GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, CONF_VALUE *cnf);
 void X509V3_conf_free(CONF_VALUE *val);
 #ifdef HEADER_CONF_H
 GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, CONF_VALUE *cnf);
 void X509V3_conf_free(CONF_VALUE *val);
@@ -537,6 +569,7 @@ int X509V3_EXT_print_fp();
 #define X509V3_F_V2I_ASN1_BIT_STRING                    101
 #define X509V3_F_V2I_AUTHORITY_KEYID                    119
 #define X509V3_F_V2I_BASIC_CONSTRAINTS                  102
 #define X509V3_F_V2I_ASN1_BIT_STRING                    101
 #define X509V3_F_V2I_AUTHORITY_KEYID                    119
 #define X509V3_F_V2I_BASIC_CONSTRAINTS                  102
+#define X509V3_F_V2I_CRLD                               134
 #define X509V3_F_V2I_EXT_KU                             103
 #define X509V3_F_V2I_GENERAL_NAME                       117
 #define X509V3_F_V2I_GENERAL_NAMES                      118
 #define X509V3_F_V2I_EXT_KU                             103
 #define X509V3_F_V2I_GENERAL_NAME                       117
 #define X509V3_F_V2I_GENERAL_NAMES                      118
index cbfbb2a..e42cbbf 100644 (file)
@@ -272,10 +272,83 @@ Issuer Alternative Name.
 
 The issuer alternative name option supports all the literal options of
 subject alternative name. It does *not* support the email:copy option because
 
 The issuer alternative name option supports all the literal options of
 subject alternative name. It does *not* support the email:copy option because
-that would not make sense. It does support and additional issuer:copy option
+that would not make sense. It does support an additional issuer:copy option
 that will copy all the subject alternative name values from the issuer 
 certificate (if possible).
 
 that will copy all the subject alternative name values from the issuer 
 certificate (if possible).
 
+CRL distribution points.
+
+This is a multivalued extension that supports all the literal options of
+subject alternative name. Of the few software packages that currently interpret
+this extension most only interpret the URI option.
+
+Currently each option will set a new DistributionPoint with the fullName
+field set to the given value.
+
+Other fields like cRLissuer and reasons cannot currently be set or displayed:
+at this time no examples were available that used these fields.
+
+If you see this extension with <UNSUPPORTED> when you attempt to print it out
+or it doesn't appear to display correctly then let me know, including the
+certificate (mail me at steve@openssl.org) .
+
+Examples:
+
+crlDistributionPoints=URI:http://www.myhost.com/myca.crl
+crlDistributionPoints=URI:http://www.my.com/my.crl,URI:http://www.oth.com/my.crl
+
+Certificate Policies.
+
+This is a RAW extension. It attempts to display the contents of this extension:
+unfortuntately this extension is often improperly encoded.
+
+The certificate policies extension will rarely be used in practice: few
+software packages interpret it correctly or at all.
+
+All the fields of this extension can be set by using the appropriate syntax.
+
+If you follow the PKIX recommendations of not including any qualifiers and just
+using only one OID then you just include the value of that OID. Multiple OIDs
+can be set separated by commas, for example:
+
+certificatePolicies= 1.2.4.5, 1.1.3.4
+
+If you wish to include qualifiers then the policy OID and qualifiers need to
+be specified in a separate section: this is done by using the @section syntax
+instead of a literal OID value.
+
+The section referred to must include the policy OID using the name
+policyIdentifier, cPSuri qualifiers can be included using the syntax:
+
+CPS.nnn=value
+
+userNotice qualifiers can be set using the syntax:
+
+userNotice.nnn=@notice
+
+The value of the userNotice qualifier is specified in the relevant section. This
+section can include explicitText, organization and noticeNumbers options. 
+explicitText and organization are text strings, noticeNumbers is a comma
+separated list of numbers. The organization and noticeNumbers options (if
+included) must BOTH be present.
+
+Example:
+
+certificatePolicies=1.2.3.4,1.5.6.7.8,@polsect
+
+[polsect]
+
+policyIdentifier = 1.3.5.8
+CPS.1="http://my.host.name/"
+CPS.2="http://my.your.name/"
+userNotice.1=@notice
+
+[notice]
+
+explicitText="Explicit Text Here"
+organization="Organisation Name"
+noticeNumbers=1,2,3,4
+
 Display only extensions.
 
 Some extensions are only partially supported and currently are only displayed
 Display only extensions.
 
 Some extensions are only partially supported and currently are only displayed
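Review bot: typo in the new Certificate Policies paragraph, "unfortuntately" should be "unfortunately". Also `certificatePolicies= 1.2.4.5, 1.1.3.4` is the only example written with spaces around the separators; matching the other examples (`certificatePolicies=1.2.3.4,1.5.6.7.8,@polsect`) avoids leaving readers to wonder whether whitespace is significant in the value.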