From: Dr. Stephen Henson Date: Wed, 21 Apr 1999 17:44:45 +0000 (+0000) Subject: Suppport for CRL distribution points extension. Also document some of X-Git-Tag: OpenSSL_0_9_3beta1~289 X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=d943e3724162cb7668b90a34f689e7c2b89ebc64 Suppport for CRL distribution points extension. Also document some of this stuff. --- diff --git a/CHANGES b/CHANGES index ee8a65a368..9b5fc0d89e 100644 --- a/CHANGES +++ b/CHANGES @@ -5,6 +5,10 @@ Changes between 0.9.2b and 0.9.3 + *) Add support for CRL distribution points extension. Add Certificate + Policies and CRL distribution points documentation. + [Steve Henson] + *) Move the autogenerated header file parts to crypto/opensslconf.h. [Ulf Möller] @@ -23,6 +27,7 @@ *) Fix problems with sizeof(long) == 8. [Andy Polyakov ] +>>>>>>> 1.185 *) Change functions to ANSI C. [Ulf Möller] @@ -36,7 +41,7 @@ [Andy Polyakov ] *) Support for Certificate Policies extension: both print and set. - Various additions to support the r2i method this extension will use. + Various additions to support the r2i method this uses. [Steve Henson] *) A lot of constification, and fix a bug in X509_NAME_oneline() that could diff --git a/STATUS b/STATUS index b1a8a2ec1f..804ef8ae31 100644 --- a/STATUS +++ b/STATUS @@ -1,6 +1,6 @@ OpenSSL STATUS Last modified at - ______________ $Date: 1999/04/21 17:30:41 $ + ______________ $Date: 1999/04/21 17:44:32 $ DEVELOPMENT STATE @@ -40,6 +40,7 @@ PKCS#12 code cleanup and enhancement. PKCS #8 and PKCS#5 v2.0 support. Private key, certificate and CRL API and implementation. + Redo error code and DEF file generation scripts. o Mark is currently working on: Folding in any changes that are in the C2Net code base that were diff --git a/crypto/asn1/asn1.err b/crypto/asn1/asn1.err index e03227067f..22b7fb351b 100644 --- a/crypto/asn1/asn1.err +++ b/crypto/asn1/asn1.err @@ -57,6 +57,8 @@ #define ASN1_F_D2I_AUTHORITY_KEYID 238 #define ASN1_F_D2I_BASIC_CONSTRAINTS 227 #define ASN1_F_D2I_DHPARAMS 136 +#define ASN1_F_D2I_DIST_POINT 276 +#define ASN1_F_D2I_DIST_POINT_NAME 277 #define ASN1_F_D2I_DSAPARAMS 137 #define ASN1_F_D2I_DSAPRIVATEKEY 138 #define ASN1_F_D2I_DSAPUBLICKEY 139 @@ -113,6 +115,8 @@ #define ASN1_F_D2I_X509_REVOKED 173 #define ASN1_F_D2I_X509_SIG 174 #define ASN1_F_D2I_X509_VAL 175 +#define ASN1_F_DIST_POINT_NAME_NEW 278 +#define ASN1_F_DIST_POINT_NEW 279 #define ASN1_F_GENERAL_NAME_NEW 231 #define ASN1_F_I2D_ASN1_HEADER 176 #define ASN1_F_I2D_ASN1_TIME 225 diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h index 04174cdedb..5f113b4202 100644 --- a/crypto/asn1/asn1.h +++ b/crypto/asn1/asn1.h @@ -864,6 +864,8 @@ ASN1_STRING *ASN1_pack_string(); #define ASN1_F_D2I_AUTHORITY_KEYID 238 #define ASN1_F_D2I_BASIC_CONSTRAINTS 227 #define ASN1_F_D2I_DHPARAMS 136 +#define ASN1_F_D2I_DIST_POINT 276 +#define ASN1_F_D2I_DIST_POINT_NAME 277 #define ASN1_F_D2I_DSAPARAMS 137 #define ASN1_F_D2I_DSAPRIVATEKEY 138 #define ASN1_F_D2I_DSAPUBLICKEY 139 @@ -920,6 +922,8 @@ ASN1_STRING *ASN1_pack_string(); #define ASN1_F_D2I_X509_REVOKED 173 #define ASN1_F_D2I_X509_SIG 174 #define ASN1_F_D2I_X509_VAL 175 +#define ASN1_F_DIST_POINT_NAME_NEW 278 +#define ASN1_F_DIST_POINT_NEW 279 #define ASN1_F_GENERAL_NAME_NEW 231 #define ASN1_F_I2D_ASN1_HEADER 176 #define ASN1_F_I2D_ASN1_TIME 225 diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c index 7d8217036b..463500b40f 100644 --- a/crypto/asn1/asn1_err.c +++ b/crypto/asn1/asn1_err.c @@ -119,6 +119,8 @@ static ERR_STRING_DATA ASN1_str_functs[]= {ERR_PACK(0,ASN1_F_D2I_AUTHORITY_KEYID,0), "D2I_AUTHORITY_KEYID"}, {ERR_PACK(0,ASN1_F_D2I_BASIC_CONSTRAINTS,0), "D2I_BASIC_CONSTRAINTS"}, {ERR_PACK(0,ASN1_F_D2I_DHPARAMS,0), "D2I_DHPARAMS"}, +{ERR_PACK(0,ASN1_F_D2I_DIST_POINT,0), "D2I_DIST_POINT"}, +{ERR_PACK(0,ASN1_F_D2I_DIST_POINT_NAME,0), "D2I_DIST_POINT_NAME"}, {ERR_PACK(0,ASN1_F_D2I_DSAPARAMS,0), "D2I_DSAPARAMS"}, {ERR_PACK(0,ASN1_F_D2I_DSAPRIVATEKEY,0), "D2I_DSAPRIVATEKEY"}, {ERR_PACK(0,ASN1_F_D2I_DSAPUBLICKEY,0), "D2I_DSAPUBLICKEY"}, @@ -175,6 +177,8 @@ static ERR_STRING_DATA ASN1_str_functs[]= {ERR_PACK(0,ASN1_F_D2I_X509_REVOKED,0), "D2I_X509_REVOKED"}, {ERR_PACK(0,ASN1_F_D2I_X509_SIG,0), "D2I_X509_SIG"}, {ERR_PACK(0,ASN1_F_D2I_X509_VAL,0), "D2I_X509_VAL"}, +{ERR_PACK(0,ASN1_F_DIST_POINT_NAME_NEW,0), "DIST_POINT_NAME_NEW"}, +{ERR_PACK(0,ASN1_F_DIST_POINT_NEW,0), "DIST_POINT_NEW"}, {ERR_PACK(0,ASN1_F_GENERAL_NAME_NEW,0), "GENERAL_NAME_NEW"}, {ERR_PACK(0,ASN1_F_I2D_ASN1_HEADER,0), "i2d_ASN1_HEADER"}, {ERR_PACK(0,ASN1_F_I2D_ASN1_TIME,0), "i2d_ASN1_TIME"}, diff --git a/crypto/x509v3/Makefile.ssl b/crypto/x509v3/Makefile.ssl index d15232e151..4b4a11b757 100644 --- a/crypto/x509v3/Makefile.ssl +++ b/crypto/x509v3/Makefile.ssl @@ -24,10 +24,10 @@ APPS= LIB=$(TOP)/libcrypto.a LIBSRC= v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c \ v3_lib.c v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c \ -v3_pku.c v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c +v3_pku.c v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \ v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \ -v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o +v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o SRC= $(LIBSRC) diff --git a/crypto/x509v3/v3_cpols.c b/crypto/x509v3/v3_cpols.c index 7785047025..95033f265b 100644 --- a/crypto/x509v3/v3_cpols.c +++ b/crypto/x509v3/v3_cpols.c @@ -209,15 +209,14 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx, STACK *polstrs) return pol; - err: - POLICYINFO_free(pol); - return NULL; - merr: X509V3err(X509V3_F_POLICY_SECTION,ERR_R_MALLOC_FAILURE); + + err: POLICYINFO_free(pol); return NULL; + } static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, STACK *unot) @@ -277,12 +276,10 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, STACK *unot) return qual; - err: - POLICYQUALINFO_free(qual); - return NULL; - merr: X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE); + + err: POLICYQUALINFO_free(qual); return NULL; } @@ -304,12 +301,10 @@ static STACK *nref_nos(STACK *nos) } return nnums; - err: - sk_pop_free(nnums, ASN1_STRING_free); - return NULL; - merr: X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE); + + err: sk_pop_free(nnums, ASN1_STRING_free); return NULL; } diff --git a/crypto/x509v3/v3_crld.c b/crypto/x509v3/v3_crld.c new file mode 100644 index 0000000000..c0b63ee23c --- /dev/null +++ b/crypto/x509v3/v3_crld.c @@ -0,0 +1,290 @@ +/* v3_crld.c */ +/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL + * project 1999. + */ +/* ==================================================================== + * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#include +#include "cryptlib.h" +#include "conf.h" +#include "asn1.h" +#include "asn1_mac.h" +#include "x509v3.h" + +static STACK *i2v_crld(X509V3_EXT_METHOD *method, STACK_OF(DIST_POINT) *crld, + STACK *extlist); +static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method, + X509V3_CTX *ctx, STACK *nval); + +X509V3_EXT_METHOD v3_crld = { +NID_crl_distribution_points, X509V3_EXT_MULTILINE, +(X509V3_EXT_NEW)CRL_DIST_POINTS_new, +CRL_DIST_POINTS_free, +(X509V3_EXT_D2I)d2i_CRL_DIST_POINTS, +i2d_CRL_DIST_POINTS, +NULL, NULL, +(X509V3_EXT_I2V)i2v_crld, +(X509V3_EXT_V2I)v2i_crld, +NULL, NULL, NULL +}; + +/* + * ASN1err(ASN1_F_DIST_POINT_NEW,ERR_R_MALLOC_FAILURE); + * ASN1err(ASN1_F_D2I_DIST_POINT,ERR_R_MALLOC_FAILURE); + * ASN1err(ASN1_F_DIST_POINT_NAME_NEW,ERR_R_MALLOC_FAILURE); + * ASN1err(ASN1_F_D2I_DIST_POINT_NAME,ERR_R_MALLOC_FAILURE); + */ + +static STACK *i2v_crld(X509V3_EXT_METHOD *method, STACK_OF(DIST_POINT) *crld, + STACK *exts) +{ + DIST_POINT *point; + int i; + for(i = 0; i < sk_DIST_POINT_num(crld); i++) { + point = sk_DIST_POINT_value(crld, i); + if(point->distpoint->fullname) { + exts = i2v_GENERAL_NAMES(NULL, + point->distpoint->fullname, exts); + } + if(point->reasons) + X509V3_add_value("reasons","", &exts); + if(point->CRLissuer) + X509V3_add_value("CRLissuer","", &exts); + if(point->distpoint->relativename) + X509V3_add_value("RelativeName","", &exts); + } + return exts; +} + +static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method, + X509V3_CTX *ctx, STACK *nval) +{ + STACK_OF(DIST_POINT) *crld = NULL; + STACK_OF(GENERAL_NAME) *gens = NULL; + GENERAL_NAME *gen = NULL; + CONF_VALUE *cnf; + int i; + if(!(crld = sk_DIST_POINT_new(NULL))) goto merr; + for(i = 0; i < sk_num(nval); i++) { + DIST_POINT *point; + cnf = (CONF_VALUE *)sk_value(nval, i); + if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) goto err; + if(!(gens = GENERAL_NAMES_new())) goto merr; + if(!sk_GENERAL_NAME_push(gens, gen)) goto merr; + gen = NULL; + if(!(point = DIST_POINT_new())) goto merr; + if(!sk_DIST_POINT_push(crld, point)) { + DIST_POINT_free(point); + goto merr; + } + if(!(point->distpoint = DIST_POINT_NAME_new())) goto merr; + point->distpoint->fullname = gens; + gens = NULL; + } + return crld; + + merr: + X509V3err(X509V3_F_V2I_CRLD,ERR_R_MALLOC_FAILURE); + err: + GENERAL_NAME_free(gen); + GENERAL_NAMES_free(gens); + sk_DIST_POINT_pop_free(crld, DIST_POINT_free); + return NULL; +} + +int i2d_CRL_DIST_POINTS(STACK_OF(DIST_POINT) *a, unsigned char **pp) +{ + +return i2d_ASN1_SET_OF_DIST_POINT(a, pp, i2d_DIST_POINT, V_ASN1_SEQUENCE, + V_ASN1_UNIVERSAL, IS_SEQUENCE);} + +STACK_OF(DIST_POINT) *CRL_DIST_POINTS_new(void) +{ + return sk_DIST_POINT_new_null(); +} + +void CRL_DIST_POINTS_free(STACK_OF(DIST_POINT) *a) +{ + sk_DIST_POINT_pop_free(a, DIST_POINT_free); +} + +STACK_OF(DIST_POINT) *d2i_CRL_DIST_POINTS(STACK_OF(DIST_POINT) **a, + unsigned char **pp,long length) +{ +return d2i_ASN1_SET_OF_DIST_POINT(a, pp, length, d2i_DIST_POINT, + DIST_POINT_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL); + +} + +IMPLEMENT_STACK_OF(DIST_POINT) +IMPLEMENT_ASN1_SET_OF(DIST_POINT) + +int i2d_DIST_POINT(DIST_POINT *a, unsigned char **pp) +{ + int v = 0; + M_ASN1_I2D_vars(a); + /* NB: underlying type is a CHOICE so need EXPLICIT tagging */ + M_ASN1_I2D_len_EXP_opt (a->distpoint, i2d_DIST_POINT_NAME, 0, v); + M_ASN1_I2D_len_IMP_opt (a->reasons, i2d_ASN1_BIT_STRING); + M_ASN1_I2D_len_IMP_opt (a->CRLissuer, i2d_GENERAL_NAMES); + + M_ASN1_I2D_seq_total(); + + M_ASN1_I2D_put_EXP_opt (a->distpoint, i2d_DIST_POINT_NAME, 0, v); + M_ASN1_I2D_put_IMP_opt (a->reasons, i2d_ASN1_BIT_STRING, 1); + M_ASN1_I2D_put_IMP_opt (a->CRLissuer, i2d_GENERAL_NAMES, 2); + + M_ASN1_I2D_finish(); +} + +DIST_POINT *DIST_POINT_new(void) +{ + DIST_POINT *ret=NULL; + ASN1_CTX c; + M_ASN1_New_Malloc(ret, DIST_POINT); + ret->distpoint = NULL; + ret->reasons = NULL; + ret->CRLissuer = NULL; + return (ret); + M_ASN1_New_Error(ASN1_F_DIST_POINT_NEW); +} + +DIST_POINT *d2i_DIST_POINT(DIST_POINT **a, unsigned char **pp, long length) +{ + M_ASN1_D2I_vars(a,DIST_POINT *,DIST_POINT_new); + M_ASN1_D2I_Init(); + M_ASN1_D2I_start_sequence(); + M_ASN1_D2I_get_EXP_opt (ret->distpoint, d2i_DIST_POINT_NAME, 0); + M_ASN1_D2I_get_IMP_opt (ret->reasons, d2i_ASN1_BIT_STRING, 1, + V_ASN1_BIT_STRING); + M_ASN1_D2I_get_IMP_opt (ret->CRLissuer, d2i_GENERAL_NAMES, 2, + V_ASN1_SEQUENCE); + M_ASN1_D2I_Finish(a, DIST_POINT_free, ASN1_F_D2I_DIST_POINT); +} + +void DIST_POINT_free(DIST_POINT *a) +{ + if (a == NULL) return; + DIST_POINT_NAME_free(a->distpoint); + ASN1_BIT_STRING_free(a->reasons); + sk_GENERAL_NAME_pop_free(a->CRLissuer, GENERAL_NAME_free); + Free ((char *)a); +} + +int i2d_DIST_POINT_NAME(DIST_POINT_NAME *a, unsigned char **pp) +{ + int v = 0; + M_ASN1_I2D_vars(a); + + if(a->fullname) { + M_ASN1_I2D_len_IMP_opt (a->fullname, i2d_GENERAL_NAMES); + } else { + M_ASN1_I2D_len_EXP_opt (a->relativename, i2d_X509_NAME, 1, v); + } + + /* Don't want a SEQUENCE so... */ + if(pp == NULL) return ret; + p = *pp; + + if(a->fullname) { + M_ASN1_I2D_put_IMP_opt (a->fullname, i2d_GENERAL_NAMES, 0); + } else { + M_ASN1_I2D_put_EXP_opt (a->relativename, i2d_X509_NAME, 1, v); + } + M_ASN1_I2D_finish(); +} + +DIST_POINT_NAME *DIST_POINT_NAME_new(void) +{ + DIST_POINT_NAME *ret=NULL; + ASN1_CTX c; + M_ASN1_New_Malloc(ret, DIST_POINT_NAME); + ret->fullname = NULL; + ret->relativename = NULL; + return (ret); + M_ASN1_New_Error(ASN1_F_DIST_POINT_NAME_NEW); +} + +void DIST_POINT_NAME_free(DIST_POINT_NAME *a) +{ + if (a == NULL) return; + X509_NAME_free(a->relativename); + sk_GENERAL_NAME_pop_free(a->fullname, GENERAL_NAME_free); + Free ((char *)a); +} + +DIST_POINT_NAME *d2i_DIST_POINT_NAME(DIST_POINT_NAME **a, unsigned char **pp, + long length) +{ + unsigned char _tmp, tag; + M_ASN1_D2I_vars(a,DIST_POINT_NAME *,DIST_POINT_NAME_new); + M_ASN1_D2I_Init(); + c.slen = length; + + _tmp = M_ASN1_next; + tag = _tmp & ~V_ASN1_CONSTRUCTED; + + if(tag == (0|V_ASN1_CONTEXT_SPECIFIC)) { + M_ASN1_D2I_get_imp(ret->fullname, d2i_GENERAL_NAMES, + V_ASN1_SEQUENCE); + } else if (tag == (1|V_ASN1_CONTEXT_SPECIFIC)) { + M_ASN1_D2I_get_EXP_opt (ret->relativename, d2i_X509_NAME, 1); + } else { + c.error = ASN1_R_BAD_TAG; + goto err; + } + + M_ASN1_D2I_Finish(a, DIST_POINT_NAME_free, ASN1_F_D2I_DIST_POINT_NAME); +} diff --git a/crypto/x509v3/v3_lib.c b/crypto/x509v3/v3_lib.c index 55b807c1c8..f71e65604a 100644 --- a/crypto/x509v3/v3_lib.c +++ b/crypto/x509v3/v3_lib.c @@ -142,7 +142,7 @@ extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku; extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet; extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id; -extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_cpols; +extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_cpols, v3_crld; int X509V3_add_standard_extensions(void) { @@ -159,6 +159,7 @@ int X509V3_add_standard_extensions(void) X509V3_EXT_add(&v3_sxnet); X509V3_EXT_add(&v3_crl_reason); X509V3_EXT_add(&v3_cpols); + X509V3_EXT_add(&v3_crld); return 1; } diff --git a/crypto/x509v3/v3err.c b/crypto/x509v3/v3err.c index 09c5ff4ae8..a00dda754f 100644 --- a/crypto/x509v3/v3err.c +++ b/crypto/x509v3/v3err.c @@ -87,6 +87,7 @@ static ERR_STRING_DATA X509V3_str_functs[]= {ERR_PACK(0,X509V3_F_V2I_ASN1_BIT_STRING,0), "V2I_ASN1_BIT_STRING"}, {ERR_PACK(0,X509V3_F_V2I_AUTHORITY_KEYID,0), "V2I_AUTHORITY_KEYID"}, {ERR_PACK(0,X509V3_F_V2I_BASIC_CONSTRAINTS,0), "V2I_BASIC_CONSTRAINTS"}, +{ERR_PACK(0,X509V3_F_V2I_CRLD,0), "V2I_CRLD"}, {ERR_PACK(0,X509V3_F_V2I_EXT_KU,0), "V2I_EXT_KU"}, {ERR_PACK(0,X509V3_F_V2I_GENERAL_NAME,0), "v2i_GENERAL_NAME"}, {ERR_PACK(0,X509V3_F_V2I_GENERAL_NAMES,0), "v2i_GENERAL_NAMES"}, diff --git a/crypto/x509v3/x509v3.err b/crypto/x509v3/x509v3.err index bdb68d140c..1851deb63e 100644 --- a/crypto/x509v3/x509v3.err +++ b/crypto/x509v3/x509v3.err @@ -25,6 +25,7 @@ #define X509V3_F_V2I_ASN1_BIT_STRING 101 #define X509V3_F_V2I_AUTHORITY_KEYID 119 #define X509V3_F_V2I_BASIC_CONSTRAINTS 102 +#define X509V3_F_V2I_CRLD 134 #define X509V3_F_V2I_EXT_KU 103 #define X509V3_F_V2I_GENERAL_NAME 117 #define X509V3_F_V2I_GENERAL_NAMES 118 diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h index 84443cb786..b823b36264 100644 --- a/crypto/x509v3/x509v3.h +++ b/crypto/x509v3/x509v3.h @@ -180,6 +180,21 @@ union { DECLARE_STACK_OF(GENERAL_NAME) DECLARE_ASN1_SET_OF(GENERAL_NAME) +typedef struct DIST_POINT_NAME_st { +/* NB: this is a CHOICE type and only one of these should be set */ +STACK_OF(GENERAL_NAME) *fullname; +X509_NAME *relativename; +} DIST_POINT_NAME; + +typedef struct DIST_POINT_st { +DIST_POINT_NAME *distpoint; +ASN1_BIT_STRING *reasons; +STACK_OF(GENERAL_NAME) *CRLissuer; +} DIST_POINT; + +DECLARE_STACK_OF(DIST_POINT) +DECLARE_ASN1_SET_OF(DIST_POINT) + typedef struct AUTHORITY_KEYID_st { ASN1_OCTET_STRING *keyid; STACK_OF(GENERAL_NAME) *issuer; @@ -343,6 +358,23 @@ NOTICEREF *NOTICEREF_new(void); NOTICEREF *d2i_NOTICEREF(NOTICEREF **a, unsigned char **pp, long length); void NOTICEREF_free(NOTICEREF *a); +int i2d_CRL_DIST_POINTS(STACK_OF(DIST_POINT) *a, unsigned char **pp); +STACK_OF(DIST_POINT) *CRL_DIST_POINTS_new(void); +void CRL_DIST_POINTS_free(STACK_OF(DIST_POINT) *a); +STACK_OF(DIST_POINT) *d2i_CRL_DIST_POINTS(STACK_OF(DIST_POINT) **a, + unsigned char **pp,long length); + +int i2d_DIST_POINT(DIST_POINT *a, unsigned char **pp); +DIST_POINT *DIST_POINT_new(void); +DIST_POINT *d2i_DIST_POINT(DIST_POINT **a, unsigned char **pp, long length); +void DIST_POINT_free(DIST_POINT *a); + +int i2d_DIST_POINT_NAME(DIST_POINT_NAME *a, unsigned char **pp); +DIST_POINT_NAME *DIST_POINT_NAME_new(void); +void DIST_POINT_NAME_free(DIST_POINT_NAME *a); +DIST_POINT_NAME *d2i_DIST_POINT_NAME(DIST_POINT_NAME **a, unsigned char **pp, + long length); + #ifdef HEADER_CONF_H GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, CONF_VALUE *cnf); void X509V3_conf_free(CONF_VALUE *val); @@ -537,6 +569,7 @@ int X509V3_EXT_print_fp(); #define X509V3_F_V2I_ASN1_BIT_STRING 101 #define X509V3_F_V2I_AUTHORITY_KEYID 119 #define X509V3_F_V2I_BASIC_CONSTRAINTS 102 +#define X509V3_F_V2I_CRLD 134 #define X509V3_F_V2I_EXT_KU 103 #define X509V3_F_V2I_GENERAL_NAME 117 #define X509V3_F_V2I_GENERAL_NAMES 118 diff --git a/doc/openssl.txt b/doc/openssl.txt index cbfbb2abd0..e42cbbfef6 100644 --- a/doc/openssl.txt +++ b/doc/openssl.txt @@ -272,10 +272,83 @@ Issuer Alternative Name. The issuer alternative name option supports all the literal options of subject alternative name. It does *not* support the email:copy option because -that would not make sense. It does support and additional issuer:copy option +that would not make sense. It does support an additional issuer:copy option that will copy all the subject alternative name values from the issuer certificate (if possible). +CRL distribution points. + +This is a multivalued extension that supports all the literal options of +subject alternative name. Of the few software packages that currently interpret +this extension most only interpret the URI option. + +Currently each option will set a new DistributionPoint with the fullName +field set to the given value. + +Other fields like cRLissuer and reasons cannot currently be set or displayed: +at this time no examples were available that used these fields. + +If you see this extension with when you attempt to print it out +or it doesn't appear to display correctly then let me know, including the +certificate (mail me at steve@openssl.org) . + +Examples: + +crlDistributionPoints=URI:http://www.myhost.com/myca.crl +crlDistributionPoints=URI:http://www.my.com/my.crl,URI:http://www.oth.com/my.crl + +Certificate Policies. + +This is a RAW extension. It attempts to display the contents of this extension: +unfortuntately this extension is often improperly encoded. + +The certificate policies extension will rarely be used in practice: few +software packages interpret it correctly or at all. + +All the fields of this extension can be set by using the appropriate syntax. + +If you follow the PKIX recommendations of not including any qualifiers and just +using only one OID then you just include the value of that OID. Multiple OIDs +can be set separated by commas, for example: + +certificatePolicies= 1.2.4.5, 1.1.3.4 + +If you wish to include qualifiers then the policy OID and qualifiers need to +be specified in a separate section: this is done by using the @section syntax +instead of a literal OID value. + +The section referred to must include the policy OID using the name +policyIdentifier, cPSuri qualifiers can be included using the syntax: + +CPS.nnn=value + +userNotice qualifiers can be set using the syntax: + +userNotice.nnn=@notice + +The value of the userNotice qualifier is specified in the relevant section. This +section can include explicitText, organization and noticeNumbers options. +explicitText and organization are text strings, noticeNumbers is a comma +separated list of numbers. The organization and noticeNumbers options (if +included) must BOTH be present. + +Example: + +certificatePolicies=1.2.3.4,1.5.6.7.8,@polsect + +[polsect] + +policyIdentifier = 1.3.5.8 +CPS.1="http://my.host.name/" +CPS.2="http://my.your.name/" +userNotice.1=@notice + +[notice] + +explicitText="Explicit Text Here" +organization="Organisation Name" +noticeNumbers=1,2,3,4 + Display only extensions. Some extensions are only partially supported and currently are only displayed