97984cade4b2c2f059c5c2599f7872b2ae4df4c9
[openssl.git] / crypto / x509 / x509_vfy.c
1 /* crypto/x509/x509_vfy.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58
59 #include <stdio.h>
60 #include <time.h>
61 #include <errno.h>
62
63 #include "cryptlib.h"
64 #include <openssl/crypto.h>
65 #include <openssl/lhash.h>
66 #include <openssl/buffer.h>
67 #include <openssl/evp.h>
68 #include <openssl/asn1.h>
69 #include <openssl/x509.h>
70 #include <openssl/objects.h>
71
72 static int null_callback(int ok,X509_STORE_CTX *e);
73 static int internal_verify(X509_STORE_CTX *ctx);
74 const char *X509_version="X.509" OPENSSL_VERSION_PTEXT;
75
76 static STACK *x509_store_ctx_method=NULL;
77 static int x509_store_ctx_num=0;
78 #if 0
79 static int x509_store_num=1;
80 static STACK *x509_store_method=NULL;
81 #endif
82
83 static int null_callback(int ok, X509_STORE_CTX *e)
84         {
85         return(ok);
86         }
87
88 #if 0
89 static int x509_subject_cmp(X509 **a, X509 **b)
90         {
91         return(X509_subject_name_cmp(*a,*b));
92         }
93 #endif
94
95 int X509_verify_cert(X509_STORE_CTX *ctx)
96         {
97         X509 *x,*xtmp,*chain_ss=NULL;
98         X509_NAME *xn;
99         X509_OBJECT obj;
100         int depth,i,ok=0;
101         int num;
102         int (*cb)();
103         STACK_OF(X509) *sktmp=NULL;
104
105         if (ctx->cert == NULL)
106                 {
107                 X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
108                 return(-1);
109                 }
110
111         cb=ctx->ctx->verify_cb;
112         if (cb == NULL) cb=null_callback;
113
114         /* first we make sure the chain we are going to build is
115          * present and that the first entry is in place */
116         if (ctx->chain == NULL)
117                 {
118                 if (    ((ctx->chain=sk_X509_new_null()) == NULL) ||
119                         (!sk_X509_push(ctx->chain,ctx->cert)))
120                         {
121                         X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
122                         goto end;
123                         }
124                 CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
125                 ctx->last_untrusted=1;
126                 }
127
128         /* We use a temporary STACK so we can chop and hack at it */
129         if (ctx->untrusted != NULL
130             && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL)
131                 {
132                 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
133                 goto end;
134                 }
135
136         num=sk_X509_num(ctx->chain);
137         x=sk_X509_value(ctx->chain,num-1);
138         depth=ctx->depth;
139
140
141         for (;;)
142                 {
143                 /* If we have enough, we break */
144                 if (depth < num) break; /* FIXME: If this happens, we should take
145                                          * note of it and, if appropriate, use the
146                                          * X509_V_ERR_CERT_CHAIN_TOO_LONG error
147                                          * code later.
148                                          */
149
150                 /* If we are self signed, we break */
151                 xn=X509_get_issuer_name(x);
152                 if (X509_NAME_cmp(X509_get_subject_name(x),xn) == 0)
153                         break;
154
155                 /* If we were passed a cert chain, use it first */
156                 if (ctx->untrusted != NULL)
157                         {
158                         xtmp=X509_find_by_subject(sktmp,xn);
159                         if (xtmp != NULL)
160                                 {
161                                 if (!sk_X509_push(ctx->chain,xtmp))
162                                         {
163                                         X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
164                                         goto end;
165                                         }
166                                 CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509);
167                                 sk_X509_delete_ptr(sktmp,xtmp);
168                                 ctx->last_untrusted++;
169                                 x=xtmp;
170                                 num++;
171                                 /* reparse the full chain for
172                                  * the next one */
173                                 continue;
174                                 }
175                         }
176                 break;
177                 }
178
179         /* at this point, chain should contain a list of untrusted
180          * certificates.  We now need to add at least one trusted one,
181          * if possible, otherwise we complain. */
182
183         i=sk_X509_num(ctx->chain);
184         x=sk_X509_value(ctx->chain,i-1);
185         xn = X509_get_subject_name(x);
186         if (X509_NAME_cmp(xn,X509_get_issuer_name(x))
187                 == 0)
188                 {
189                 /* we have a self signed certificate */
190                 if (sk_X509_num(ctx->chain) == 1)
191                         {
192                         /* We have a single self signed certificate: see if
193                          * we can find it in the store. We must have an exact
194                          * match to avoid possible impersonation.
195                          */
196                         ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
197                         if ((ok != X509_LU_X509) || X509_cmp(x, obj.data.x509)) 
198                                 {
199                                 ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
200                                 ctx->current_cert=x;
201                                 ctx->error_depth=i-1;
202                                 if(ok == X509_LU_X509) X509_OBJECT_free_contents(&obj);
203                                 ok=cb(0,ctx);
204                                 if (!ok) goto end;
205                                 }
206                         else 
207                                 {
208                                 /* We have a match: replace certificate with store version
209                                  * so we get any trust settings.
210                                  */
211                                 X509_free(x);
212                                 x = obj.data.x509;
213                                 sk_X509_set(ctx->chain, i - 1, x);
214                                 ctx->last_untrusted=0;
215                                 }
216                         }
217                 else
218                         {
219                         /* worry more about this one elsewhere */
220                         chain_ss=sk_X509_pop(ctx->chain);
221                         ctx->last_untrusted--;
222                         num--;
223                         x=sk_X509_value(ctx->chain,num-1);
224                         }
225                 }
226
227         /* We now lookup certs from the certificate store */
228         for (;;)
229                 {
230                 /* If we have enough, we break */
231                 if (depth < num) break;
232
233                 /* If we are self signed, we break */
234                 xn=X509_get_issuer_name(x);
235                 if (X509_NAME_cmp(X509_get_subject_name(x),xn) == 0)
236                         break;
237
238                 ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
239                 if (ok != X509_LU_X509)
240                         {
241                         if (ok == X509_LU_RETRY)
242                                 {
243                                 X509_OBJECT_free_contents(&obj);
244                                 X509err(X509_F_X509_VERIFY_CERT,X509_R_SHOULD_RETRY);
245                                 return(ok);
246                                 }
247                         else if (ok != X509_LU_FAIL)
248                                 {
249                                 X509_OBJECT_free_contents(&obj);
250                                 /* not good :-(, break anyway */
251                                 return(ok);
252                                 }
253                         break;
254                         }
255                 x=obj.data.x509;
256                 if (!sk_X509_push(ctx->chain,obj.data.x509))
257                         {
258                         X509_OBJECT_free_contents(&obj);
259                         X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
260                         return(0);
261                         }
262                 num++;
263                 }
264
265         /* we now have our chain, lets check it... */
266         xn=X509_get_issuer_name(x);
267         if (X509_NAME_cmp(X509_get_subject_name(x),xn) != 0)
268                 {
269                 if ((chain_ss == NULL) || (X509_NAME_cmp(X509_get_subject_name(chain_ss),xn) != 0))
270                         {
271                         if (ctx->last_untrusted >= num)
272                                 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
273                         else
274                                 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
275                         ctx->current_cert=x;
276                         }
277                 else
278                         {
279
280                         sk_X509_push(ctx->chain,chain_ss);
281                         num++;
282                         ctx->last_untrusted=num;
283                         ctx->current_cert=chain_ss;
284                         ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
285                         chain_ss=NULL;
286                         }
287
288                 ctx->error_depth=num-1;
289                 ok=cb(0,ctx);
290                 if (!ok) goto end;
291                 }
292
293         /* We may as well copy down any DSA parameters that are required */
294         X509_get_pubkey_parameters(NULL,ctx->chain);
295
296         /* At this point, we have a chain and just need to verify it */
297         if (ctx->ctx->verify != NULL)
298                 ok=ctx->ctx->verify(ctx);
299         else
300                 ok=internal_verify(ctx);
301         if (0)
302                 {
303 end:
304                 X509_get_pubkey_parameters(NULL,ctx->chain);
305                 }
306         if (sktmp != NULL) sk_X509_free(sktmp);
307         if (chain_ss != NULL) X509_free(chain_ss);
308         return(ok);
309         }
310
311 static int internal_verify(X509_STORE_CTX *ctx)
312         {
313         int i,ok=0,n;
314         X509 *xs,*xi;
315         EVP_PKEY *pkey=NULL;
316         int (*cb)();
317
318         cb=ctx->ctx->verify_cb;
319         if (cb == NULL) cb=null_callback;
320
321         n=sk_X509_num(ctx->chain);
322         ctx->error_depth=n-1;
323         n--;
324         xi=sk_X509_value(ctx->chain,n);
325         if (X509_NAME_cmp(X509_get_subject_name(xi),
326                 X509_get_issuer_name(xi)) == 0)
327                 xs=xi;
328         else
329                 {
330                 if (n <= 0)
331                         {
332                         ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
333                         ctx->current_cert=xi;
334                         ok=cb(0,ctx);
335                         goto end;
336                         }
337                 else
338                         {
339                         n--;
340                         ctx->error_depth=n;
341                         xs=sk_X509_value(ctx->chain,n);
342                         }
343                 }
344
345 /*      ctx->error=0;  not needed */
346         while (n >= 0)
347                 {
348                 ctx->error_depth=n;
349                 if (!xs->valid)
350                         {
351                         if ((pkey=X509_get_pubkey(xi)) == NULL)
352                                 {
353                                 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
354                                 ctx->current_cert=xi;
355                                 ok=(*cb)(0,ctx);
356                                 if (!ok) goto end;
357                                 }
358                         if (X509_verify(xs,pkey) <= 0)
359                                 {
360                                 EVP_PKEY_free(pkey);
361                                 ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
362                                 ctx->current_cert=xs;
363                                 ok=(*cb)(0,ctx);
364                                 if (!ok) goto end;
365                                 }
366                         EVP_PKEY_free(pkey);
367                         pkey=NULL;
368
369                         i=X509_cmp_current_time(X509_get_notBefore(xs));
370                         if (i == 0)
371                                 {
372                                 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
373                                 ctx->current_cert=xs;
374                                 ok=(*cb)(0,ctx);
375                                 if (!ok) goto end;
376                                 }
377                         if (i > 0)
378                                 {
379                                 ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
380                                 ctx->current_cert=xs;
381                                 ok=(*cb)(0,ctx);
382                                 if (!ok) goto end;
383                                 }
384                         xs->valid=1;
385                         }
386
387                 i=X509_cmp_current_time(X509_get_notAfter(xs));
388                 if (i == 0)
389                         {
390                         ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
391                         ctx->current_cert=xs;
392                         ok=(*cb)(0,ctx);
393                         if (!ok) goto end;
394                         }
395
396                 if (i < 0)
397                         {
398                         ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
399                         ctx->current_cert=xs;
400                         ok=(*cb)(0,ctx);
401                         if (!ok) goto end;
402                         }
403
404                 /* CRL CHECK */
405
406                 /* The last error (if any) is still in the error value */
407                 ctx->current_cert=xs;
408                 ok=(*cb)(1,ctx);
409                 if (!ok) goto end;
410
411                 n--;
412                 if (n >= 0)
413                         {
414                         xi=xs;
415                         xs=sk_X509_value(ctx->chain,n);
416                         }
417                 }
418         ok=1;
419 end:
420         return(ok);
421         }
422
423 int X509_cmp_current_time(ASN1_UTCTIME *ctm)
424         {
425         char *str;
426         ASN1_UTCTIME atm;
427         time_t offset;
428         char buff1[24],buff2[24],*p;
429         int i,j;
430
431         p=buff1;
432         i=ctm->length;
433         str=(char *)ctm->data;
434         if ((i < 11) || (i > 17)) return(0);
435         memcpy(p,str,10);
436         p+=10;
437         str+=10;
438
439         if ((*str == 'Z') || (*str == '-') || (*str == '+'))
440                 { *(p++)='0'; *(p++)='0'; }
441         else    { *(p++)= *(str++); *(p++)= *(str++); }
442         *(p++)='Z';
443         *(p++)='\0';
444
445         if (*str == 'Z')
446                 offset=0;
447         else
448                 {
449                 if ((*str != '+') && (str[5] != '-'))
450                         return(0);
451                 offset=((str[1]-'0')*10+(str[2]-'0'))*60;
452                 offset+=(str[3]-'0')*10+(str[4]-'0');
453                 if (*str == '-')
454                         offset= -offset;
455                 }
456         atm.type=V_ASN1_UTCTIME;
457         atm.length=sizeof(buff2);
458         atm.data=(unsigned char *)buff2;
459
460         X509_gmtime_adj(&atm,-offset);
461
462         i=(buff1[0]-'0')*10+(buff1[1]-'0');
463         if (i < 50) i+=100; /* cf. RFC 2459 */
464         j=(buff2[0]-'0')*10+(buff2[1]-'0');
465         if (j < 50) j+=100;
466
467         if (i < j) return (-1);
468         if (i > j) return (1);
469         i=strcmp(buff1,buff2);
470         if (i == 0) /* wait a second then return younger :-) */
471                 return(-1);
472         else
473                 return(i);
474         }
475
476 ASN1_UTCTIME *X509_gmtime_adj(ASN1_UTCTIME *s, long adj)
477         {
478         time_t t;
479
480         time(&t);
481         t+=adj;
482         return(ASN1_UTCTIME_set(s,t));
483         }
484
485 int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
486         {
487         EVP_PKEY *ktmp=NULL,*ktmp2;
488         int i,j;
489
490         if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return(1);
491
492         for (i=0; i<sk_X509_num(chain); i++)
493                 {
494                 ktmp=X509_get_pubkey(sk_X509_value(chain,i));
495                 if (ktmp == NULL)
496                         {
497                         X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
498                         return(0);
499                         }
500                 if (!EVP_PKEY_missing_parameters(ktmp))
501                         break;
502                 else
503                         {
504                         EVP_PKEY_free(ktmp);
505                         ktmp=NULL;
506                         }
507                 }
508         if (ktmp == NULL)
509                 {
510                 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
511                 return(0);
512                 }
513
514         /* first, populate the other certs */
515         for (j=i-1; j >= 0; j--)
516                 {
517                 ktmp2=X509_get_pubkey(sk_X509_value(chain,j));
518                 EVP_PKEY_copy_parameters(ktmp2,ktmp);
519                 EVP_PKEY_free(ktmp2);
520                 }
521         
522         if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp);
523         EVP_PKEY_free(ktmp);
524         return(1);
525         }
526
527 int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
528         {
529         X509_OBJECT *obj,*r;
530         int ret=1;
531
532         if (x == NULL) return(0);
533         obj=(X509_OBJECT *)Malloc(sizeof(X509_OBJECT));
534         if (obj == NULL)
535                 {
536                 X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE);
537                 return(0);
538                 }
539         obj->type=X509_LU_X509;
540         obj->data.x509=x;
541
542         CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
543
544         X509_OBJECT_up_ref_count(obj);
545
546         r=(X509_OBJECT *)lh_insert(ctx->certs,(char *)obj);
547         if (r != NULL)
548                 { /* oops, put it back */
549                 lh_delete(ctx->certs,(char *)obj);
550                 X509_OBJECT_free_contents(obj);
551                 Free(obj);
552                 lh_insert(ctx->certs,(char *)r);
553                 X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE);
554                 ret=0;
555                 }
556
557         CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
558
559         return(ret);    
560         }
561
562 int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
563         {
564         X509_OBJECT *obj,*r;
565         int ret=1;
566
567         if (x == NULL) return(0);
568         obj=(X509_OBJECT *)Malloc(sizeof(X509_OBJECT));
569         if (obj == NULL)
570                 {
571                 X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE);
572                 return(0);
573                 }
574         obj->type=X509_LU_CRL;
575         obj->data.crl=x;
576
577         CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
578
579         X509_OBJECT_up_ref_count(obj);
580
581         r=(X509_OBJECT *)lh_insert(ctx->certs,(char *)obj);
582         if (r != NULL)
583                 { /* oops, put it back */
584                 lh_delete(ctx->certs,(char *)obj);
585                 X509_OBJECT_free_contents(obj);
586                 Free(obj);
587                 lh_insert(ctx->certs,(char *)r);
588                 X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE);
589                 ret=0;
590                 }
591
592         CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
593
594         return(ret);    
595         }
596
597 int X509_STORE_CTX_get_ex_new_index(long argl, char *argp, int (*new_func)(),
598              int (*dup_func)(), void (*free_func)())
599         {
600         x509_store_ctx_num++;
601         return(CRYPTO_get_ex_new_index(x509_store_ctx_num-1,
602                 &x509_store_ctx_method,
603                 argl,argp,new_func,dup_func,free_func));
604         }
605
606 int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
607         {
608         return(CRYPTO_set_ex_data(&ctx->ex_data,idx,data));
609         }
610
611 void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
612         {
613         return(CRYPTO_get_ex_data(&ctx->ex_data,idx));
614         }
615
616 int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
617         {
618         return(ctx->error);
619         }
620
621 void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
622         {
623         ctx->error=err;
624         }
625
626 int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
627         {
628         return(ctx->error_depth);
629         }
630
631 X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
632         {
633         return(ctx->current_cert);
634         }
635
636 STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
637         {
638         return(ctx->chain);
639         }
640
641 void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
642         {
643         ctx->cert=x;
644         }
645
646 void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
647         {
648         ctx->untrusted=sk;
649         }
650
651 IMPLEMENT_STACK_OF(X509)
652 IMPLEMENT_ASN1_SET_OF(X509)
653
654 IMPLEMENT_STACK_OF(X509_NAME)
655
656 IMPLEMENT_STACK_OF(X509_ATTRIBUTE)
657 IMPLEMENT_ASN1_SET_OF(X509_ATTRIBUTE)