From 9b5cc156f3e42488bc975bbe3055bf004f6dae4a Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 20 Jan 1999 00:14:40 +0000 Subject: [PATCH] Continued patches so certificates and CRLs now can support and use GeneralizedTime. --- CHANGES | 8 ++++++++ apps/crl.c | 6 +++--- apps/pkcs7.c | 4 ++-- apps/s_cb.c | 4 ++-- apps/x509.c | 4 ++-- crypto/asn1/t_x509.c | 4 ++-- crypto/asn1/x_cinf.c | 7 +++++++ crypto/asn1/x_crl.c | 24 +++++++++++++++++------- crypto/asn1/x_val.c | 20 ++++++++++---------- 9 files changed, 53 insertions(+), 28 deletions(-) diff --git a/CHANGES b/CHANGES index d2ab339bd5..ec02d06569 100644 --- a/CHANGES +++ b/CHANGES @@ -5,6 +5,13 @@ Changes between 0.9.1c and 0.9.2 + *) Continuing patches for GeneralizedTime. Fix up certificate and CRL + ASN1 to use ASN1_TIME and modify print routines to use ASN1_TIME_print. + Removed the versions check from X509 routines when loading extensions: + this allows certain broken certificates that don't set the version + properly to be processed. + [Steve Henson] + *) Deal with irritating shit to do with dependencies, in YAAHW (Yet Another Ad Hoc Way) - Makefile.ssls now all contain local dependencies, which can still be regenerated with "make depend". @@ -22,6 +29,7 @@ C file. To rebuild all the error codes from scratch (the old behaviour) either modify crypto/Makefile.ssl to pass the -regen flag to err_code.pl or delete all the .err files. + [Steve Henson] *) CAST-128 was incorrectly implemented for short keys. The C version has been fixed, but is untested. The assembler versions are also fixed, but diff --git a/apps/crl.c b/apps/crl.c index acb5cb9b24..a0098e9efd 100644 --- a/apps/crl.c +++ b/apps/crl.c 
@@ -214,14 +214,14 @@ bad: if (lastupdate == i) { fprintf(stdout,"lastUpdate="); - ASN1_UTCTIME_print(bio_out,x->crl->lastUpdate); + ASN1_TIME_print(bio_out,x->crl->lastUpdate); fprintf(stdout,"\n"); } if (nextupdate == i) { fprintf(stdout,"nextUpdate="); if (x->crl->nextUpdate != NULL) - ASN1_UTCTIME_print(bio_out,x->crl->nextUpdate); + ASN1_TIME_print(bio_out,x->crl->nextUpdate); else fprintf(stdout,"NONE"); fprintf(stdout,"\n"); @@ -264,7 +264,7 @@ bad: fprintf(stdout,"revoked: serialNumber="); i2a_ASN1_INTEGER(out,r->serialNumber); fprintf(stdout," revocationDate="); - ASN1_UTCTIME_print(bio_out,r->revocationDate); + ASN1_TIME_print(bio_out,r->revocationDate); fprintf(stdout,"\n"); } sk_free(sk); diff --git a/apps/pkcs7.c b/apps/pkcs7.c index 4105dbd9ef..06640bf0f2 100644 --- a/apps/pkcs7.c +++ b/apps/pkcs7.c @@ -277,9 +277,9 @@ bad: BIO_puts(out,buf); BIO_puts(out,"\nlast update="); - ASN1_UTCTIME_print(out,crl->crl->lastUpdate); + ASN1_TIME_print(out,crl->crl->lastUpdate); BIO_puts(out,"\nnext update="); - ASN1_UTCTIME_print(out,crl->crl->nextUpdate); + ASN1_TIME_print(out,crl->crl->nextUpdate); BIO_puts(out,"\n"); PEM_write_bio_X509_CRL(out,crl); diff --git a/apps/s_cb.c b/apps/s_cb.c index 7fa855c5dc..1a7b06e1ee 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -109,13 +109,13 @@ X509_STORE_CTX *ctx; case X509_V_ERR_CERT_NOT_YET_VALID: case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: BIO_printf(bio_err,"notBefore="); - ASN1_UTCTIME_print(bio_err,X509_get_notBefore(ctx->current_cert)); + ASN1_TIME_print(bio_err,X509_get_notBefore(ctx->current_cert)); BIO_printf(bio_err,"\n"); break; case X509_V_ERR_CERT_HAS_EXPIRED: case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: BIO_printf(bio_err,"notAfter="); - ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ctx->current_cert)); + ASN1_TIME_print(bio_err,X509_get_notAfter(ctx->current_cert)); BIO_printf(bio_err,"\n"); break; } diff --git a/apps/x509.c b/apps/x509.c index 58ccd939e7..fa8537e078 100644 --- a/apps/x509.c 
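Review bot: In the apps/pkcs7.c hunk, `ASN1_TIME_print(out,crl->crl->nextUpdate);` is called with no NULL check, although nextUpdate is optional and the apps/crl.c hunk of this same commit guards the identical call with `if (x->crl->nextUpdate != NULL)`. Whether ASN1_TIME_print tolerates a NULL argument is not visible on this page, so a CRL that omits nextUpdate may lead to a NULL dereference while printing. Mirror the crl.c handling: `if (crl->crl->nextUpdate != NULL) ASN1_TIME_print(out,crl->crl->nextUpdate); else BIO_puts(out,"NONE");`. The enclosing function starts and ends outside the hunk.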
+++ b/apps/x509.c @@ -550,13 +550,13 @@ bad: else if (startdate == i) { BIO_puts(STDout,"notBefore="); - ASN1_UTCTIME_print(STDout,X509_get_notBefore(x)); + ASN1_TIME_print(STDout,X509_get_notBefore(x)); BIO_puts(STDout,"\n"); } else if (enddate == i) { BIO_puts(STDout,"notAfter="); - ASN1_UTCTIME_print(STDout,X509_get_notAfter(x)); + ASN1_TIME_print(STDout,X509_get_notAfter(x)); BIO_puts(STDout,"\n"); } else if (fingerprint == i) diff --git a/crypto/asn1/t_x509.c b/crypto/asn1/t_x509.c index bfee6f66a7..060f99d5a8 100644 --- a/crypto/asn1/t_x509.c +++ b/crypto/asn1/t_x509.c @@ -146,9 +146,9 @@ X509 *x; if (!X509_NAME_print(bp,X509_get_issuer_name(x),16)) goto err; if (BIO_write(bp,"\n Validity\n",18) <= 0) goto err; if (BIO_write(bp," Not Before: ",24) <= 0) goto err; - if (!ASN1_UTCTIME_print(bp,X509_get_notBefore(x))) goto err; + if (!ASN1_TIME_print(bp,X509_get_notBefore(x))) goto err; if (BIO_write(bp,"\n Not After : ",25) <= 0) goto err; - if (!ASN1_UTCTIME_print(bp,X509_get_notAfter(x))) goto err; + if (!ASN1_TIME_print(bp,X509_get_notAfter(x))) goto err; if (BIO_write(bp,"\n Subject: ",18) <= 0) goto err; if (!X509_NAME_print(bp,X509_get_subject_name(x),16)) goto err; if (BIO_write(bp,"\n Subject Public Key Info:\n",34) <= 0) diff --git a/crypto/asn1/x_cinf.c b/crypto/asn1/x_cinf.c index 99b9fe7b9f..88099ea9f7 100644 --- a/crypto/asn1/x_cinf.c +++ b/crypto/asn1/x_cinf.c @@ -147,7 +147,14 @@ long length; M_ASN1_D2I_get_IMP_opt(ret->subjectUID,d2i_ASN1_BIT_STRING, 2, V_ASN1_BIT_STRING); } +/* Note: some broken certificates include extensions but don't set + * the version number properly. By bypassing this check they can + * be parsed. + */ + +#ifdef VERSION_EXT_CHECK if (ver >= 2) /* version 3 extensions */ +#endif { if (ret->extensions != NULL) while (sk_num(ret->extensions)) diff --git a/crypto/asn1/x_crl.c b/crypto/asn1/x_crl.c index 5e1fa796bd..8629a73f8c 100644 --- a/crypto/asn1/x_crl.c +++ b/crypto/asn1/x_crl.c 
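Review bot: In the crypto/asn1/x_cinf.c hunk, wrapping `if (ver >= 2)` in `#ifdef VERSION_EXT_CHECK` makes the lenient behaviour the default: the extensions block now runs for every certificate, so one whose version field says v1 or v2 can still carry extensions into the parsed structure. Any later code that decides from the version alone whether extensions need to be examined would then disagree with the parser; this is an inference, since no such caller is shown here. The added comment should say how to restore the strict check, for example `/* Define VERSION_EXT_CHECK to parse extensions only when ver >= 2. */`, and the CHANGES entry should name the macro as well. The decoder function starts and ends outside the hunk.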
@@ -85,13 +85,13 @@ unsigned char **pp; M_ASN1_I2D_vars(a); M_ASN1_I2D_len(a->serialNumber,i2d_ASN1_INTEGER); - M_ASN1_I2D_len(a->revocationDate,i2d_ASN1_UTCTIME); + M_ASN1_I2D_len(a->revocationDate,i2d_ASN1_TIME); M_ASN1_I2D_len_SEQUENCE_opt(a->extensions,i2d_X509_EXTENSION); M_ASN1_I2D_seq_total(); M_ASN1_I2D_put(a->serialNumber,i2d_ASN1_INTEGER); - M_ASN1_I2D_put(a->revocationDate,i2d_ASN1_UTCTIME); + M_ASN1_I2D_put(a->revocationDate,i2d_ASN1_TIME); M_ASN1_I2D_put_SEQUENCE_opt(a->extensions,i2d_X509_EXTENSION); M_ASN1_I2D_finish(); @@ -107,7 +107,7 @@ long length; M_ASN1_D2I_Init(); M_ASN1_D2I_start_sequence(); M_ASN1_D2I_get(ret->serialNumber,d2i_ASN1_INTEGER); - M_ASN1_D2I_get(ret->revocationDate,d2i_ASN1_UTCTIME); + M_ASN1_D2I_get(ret->revocationDate,d2i_ASN1_TIME); M_ASN1_D2I_get_seq_opt(ret->extensions,d2i_X509_EXTENSION, X509_EXTENSION_free); M_ASN1_D2I_Finish(a,X509_REVOKED_free,ASN1_F_D2I_X509_REVOKED); @@ -130,9 +130,9 @@ unsigned char **pp; } M_ASN1_I2D_len(a->sig_alg,i2d_X509_ALGOR); M_ASN1_I2D_len(a->issuer,i2d_X509_NAME); - M_ASN1_I2D_len(a->lastUpdate,i2d_ASN1_UTCTIME); + M_ASN1_I2D_len(a->lastUpdate,i2d_ASN1_TIME); if (a->nextUpdate != NULL) - { M_ASN1_I2D_len(a->nextUpdate,i2d_ASN1_UTCTIME); } + { M_ASN1_I2D_len(a->nextUpdate,i2d_ASN1_TIME); } M_ASN1_I2D_len_SEQUENCE_opt(a->revoked,i2d_X509_REVOKED); M_ASN1_I2D_len_EXP_SEQUENCE_opt(a->extensions,i2d_X509_EXTENSION,0, V_ASN1_SEQUENCE,v1); 
@@ -177,8 +177,18 @@ long length; } M_ASN1_D2I_get(ret->sig_alg,d2i_X509_ALGOR); M_ASN1_D2I_get(ret->issuer,d2i_X509_NAME); - M_ASN1_D2I_get(ret->lastUpdate,d2i_ASN1_UTCTIME); - M_ASN1_D2I_get_opt(ret->nextUpdate,d2i_ASN1_UTCTIME,V_ASN1_UTCTIME); + M_ASN1_D2I_get(ret->lastUpdate,d2i_ASN1_TIME); + /* Manually handle the OPTIONAL ASN1_TIME stuff */ + if((c.slen != 0) && + ( ( (M_ASN1_next & ~V_ASN1_CONSTRUCTED) == + V_ASN1_UNIVERSAL|V_ASN1_UTCTIME) + || ( ( (M_ASN1_next & ~V_ASN1_CONSTRUCTED) == + V_ASN1_UNIVERSAL|V_ASN1_GENERALIZEDTIME) ) ) ) { + M_ASN1_D2I_get(ret->nextUpdate,d2i_ASN1_TIME); + } + if(!ret->nextUpdate) + M_ASN1_D2I_get_opt(ret->nextUpdate,d2i_ASN1_GENERALIZEDTIME, + V_ASN1_GENERALIZEDTIME); if (ret->revoked != NULL) { while (sk_num(ret->revoked)) diff --git a/crypto/asn1/x_val.c b/crypto/asn1/x_val.c index 8d996e9950..f6534a6a5c 100644 --- a/crypto/asn1/x_val.c +++ b/crypto/asn1/x_val.c @@ -71,13 +71,13 @@ unsigned char **pp; { M_ASN1_I2D_vars(a); - M_ASN1_I2D_len(a->notBefore,i2d_ASN1_UTCTIME); - M_ASN1_I2D_len(a->notAfter,i2d_ASN1_UTCTIME); + M_ASN1_I2D_len(a->notBefore,i2d_ASN1_TIME); + M_ASN1_I2D_len(a->notAfter,i2d_ASN1_TIME); M_ASN1_I2D_seq_total(); - M_ASN1_I2D_put(a->notBefore,i2d_ASN1_UTCTIME); - M_ASN1_I2D_put(a->notAfter,i2d_ASN1_UTCTIME); + M_ASN1_I2D_put(a->notBefore,i2d_ASN1_TIME); + M_ASN1_I2D_put(a->notAfter,i2d_ASN1_TIME); M_ASN1_I2D_finish(); } @@ -91,8 +91,8 @@ long length; M_ASN1_D2I_Init(); M_ASN1_D2I_start_sequence(); - M_ASN1_D2I_get(ret->notBefore,d2i_ASN1_UTCTIME); - M_ASN1_D2I_get(ret->notAfter,d2i_ASN1_UTCTIME); + M_ASN1_D2I_get(ret->notBefore,d2i_ASN1_TIME); + M_ASN1_D2I_get(ret->notAfter,d2i_ASN1_TIME); M_ASN1_D2I_Finish(a,X509_VAL_free,ASN1_F_D2I_X509_VAL); } 
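Review bot: In the crypto/asn1/x_crl.c hunk at -177, both tag tests for nextUpdate are missing parentheses: `==` binds tighter than `|`, so `(M_ASN1_next & ~V_ASN1_CONSTRUCTED) == V_ASN1_UNIVERSAL|V_ASN1_UTCTIME` parses as `(... == V_ASN1_UNIVERSAL) | V_ASN1_UTCTIME`, which is non-zero for every tag because the UTCTime tag number is non-zero. The condition therefore reduces to `c.slen != 0`, and `d2i_ASN1_TIME` is attempted on whatever element follows lastUpdate; for a CRL that omits nextUpdate this presumably makes the whole parse fail (M_ASN1_D2I_get is defined outside this page). Write the comparisons as `== (V_ASN1_UNIVERSAL|V_ASN1_UTCTIME)` and `== (V_ASN1_UNIVERSAL|V_ASN1_GENERALIZEDTIME)`. With that fixed, the trailing `M_ASN1_D2I_get_opt(ret->nextUpdate,d2i_ASN1_GENERALIZEDTIME,V_ASN1_GENERALIZEDTIME)` fallback looks redundant and could be dropped. The decoder function starts and ends outside the hunk.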
@@ -102,8 +102,8 @@ X509_VAL *X509_VAL_new() ASN1_CTX c; M_ASN1_New_Malloc(ret,X509_VAL); - M_ASN1_New(ret->notBefore,ASN1_UTCTIME_new); - M_ASN1_New(ret->notAfter,ASN1_UTCTIME_new); + M_ASN1_New(ret->notBefore,ASN1_TIME_new); + M_ASN1_New(ret->notAfter,ASN1_TIME_new); return(ret); M_ASN1_New_Error(ASN1_F_X509_VAL_NEW); } @@ -112,8 +112,8 @@ void X509_VAL_free(a) X509_VAL *a; { if (a == NULL) return; - ASN1_UTCTIME_free(a->notBefore); - ASN1_UTCTIME_free(a->notAfter); + ASN1_TIME_free(a->notBefore); + ASN1_TIME_free(a->notAfter); Free((char *)a); } -- 2.34.1