Make it possible for external code to flag a certificate as a proxy one.

author Richard Levitte <levitte@openssl.org>

Fri, 22 Jul 2016 14:45:33 +0000 (16:45 +0200)

committer Richard Levitte <levitte@openssl.org>

Sat, 23 Jul 2016 09:35:23 +0000 (11:35 +0200)
author Richard Levitte <levitte@openssl.org>
Fri, 22 Jul 2016 14:45:33 +0000 (16:45 +0200)
committer Richard Levitte <levitte@openssl.org>
Sat, 23 Jul 2016 09:35:23 +0000 (11:35 +0200)
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c

index fff099474e5d091bcac130a8cca696f9da0a276b..0820a2a5d38977b21002fa21fb7b68b58d1b709e 100644 (file)
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -528,6 +528,11 @@ static int check_ca(const X509 *x)
      }
  }
  
+void X509_set_proxy_flag(X509 *x)
+{
+    x->ex_flags |= EXFLAG_PROXY;
+}
+
  int X509_check_ca(X509 *x)
  {
      if (!(x->ex_flags & EXFLAG_SET)) {
diff --git a/doc/crypto/X509_get_extension_flags.pod b/doc/crypto/X509_get_extension_flags.pod

index 2509b65ca02a7aff92a7ec35793a4848c2f280df..473ef28b6da8f3ff89e3c1d4a9e76e63c878b4ab 100644 (file)
--- a/doc/crypto/X509_get_extension_flags.pod
+++ b/doc/crypto/X509_get_extension_flags.pod
@@ -4,8 +4,8 @@
  
  X509_get0_subject_key_id,
  X509_get_pathlen,
-X509_get_extension_flags, X509_get_key_usage, X509_get_extended_key_usage -
-retrieve certificate extension data
+X509_get_extension_flags, X509_get_key_usage, X509_get_extended_key_usage,
+X509_set_proxy_flag - retrieve certificate extension data
  
  =head1 SYNOPSIS
  
@@ -16,6 +16,7 @@ retrieve certificate extension data
     uint32_t X509_get_key_usage(X509 *x);
     uint32_t X509_get_extended_key_usage(X509 *x);
     const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x);
+   void X509_set_proxy_flag(X509 *x);
  
  =head1 DESCRIPTION
  
@@ -102,6 +103,10 @@ X509_get_extended_key_usage() return an internal pointer to the subject key
  identifier of B<x> as an B<ASN1_OCTET_STRING> or B<NULL> if the extension
  is not present or cannot be parsed.
  
+X509_set_proxy_flag() marks the certificate with the B<EXFLAG_PROXY> flag.
+This is for the users who need to mark non-RFC3820 proxy certificates as
+such, as OpenSSL only detects RFC3820 compliant ones.
+
  =head1 NOTES
  
  The value of the flags correspond to extension values which are cached
@@ -139,7 +144,7 @@ L<X509_check_purpose(3)>
  
  =head1 HISTORY
  
-X509_get_pathlen() was added in OpenSSL 1.1.0.
+X509_get_pathlen() and X509_set_proxy_flag() were added in OpenSSL 1.1.0.
  
  =head1 COPYRIGHT
  
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h

index 89be5f9c148861d6d08592625a615943c3e51e64..b37f52bcabaf9a2888bd0c998a36407c3c86a6a9 100644 (file)
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -649,6 +649,7 @@ int X509_supported_extension(X509_EXTENSION *ex);
  int X509_PURPOSE_set(int *p, int purpose);
  int X509_check_issued(X509 *issuer, X509 *subject);
  int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid);
+void X509_set_proxy_flag(X509 *x);
  
  uint32_t X509_get_extension_flags(X509 *x);
  uint32_t X509_get_key_usage(X509 *x);
author	Richard Levitte <levitte@openssl.org>
	Fri, 22 Jul 2016 14:45:33 +0000 (16:45 +0200)
committer	Richard Levitte <levitte@openssl.org>
	Sat, 23 Jul 2016 09:35:23 +0000 (11:35 +0200)
crypto/x509v3/v3_purp.c		patch \| blob \| history
doc/crypto/X509_get_extension_flags.pod		patch \| blob \| history
include/openssl/x509v3.h		patch \| blob \| history