From: Dr. Stephen Henson Date: Tue, 3 Oct 2006 02:47:59 +0000 (+0000) Subject: Place standard CRL behaviour in default X509_CRL_METHOD new functions to X-Git-Tag: OpenSSL_0_9_8k^2~1116 X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=f4c630abb3552d5c8eabe23eadc5488017325449;hp=c2cccfc585cdc45852d928bb65e38245bf1c253e Place standard CRL behaviour in default X509_CRL_METHOD new functions to create, free and set default CRL method. --- diff --git a/crypto/asn1/asn1_locl.h b/crypto/asn1/asn1_locl.h index 318e27eeb4..3cead31fcd 100644 --- a/crypto/asn1/asn1_locl.h +++ b/crypto/asn1/asn1_locl.h @@ -121,8 +121,11 @@ struct evp_pkey_asn1_method_st * efficient callbacks: for example a CRL entry database. */ +#define X509_CRL_METHOD_DYNAMIC 1 + struct x509_crl_method_st { + int flags; int (*crl_init)(X509_CRL *crl); int (*crl_free)(X509_CRL *crl); int (*crl_lookup)(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *ser); diff --git a/crypto/asn1/x_crl.c b/crypto/asn1/x_crl.c index 0c4dd554c7..5fed086438 100644 --- a/crypto/asn1/x_crl.c +++ b/crypto/asn1/x_crl.c @@ -73,6 +73,20 @@ ASN1_SEQUENCE(X509_REVOKED) = { ASN1_SEQUENCE_OF_OPT(X509_REVOKED,extensions, X509_EXTENSION) } ASN1_SEQUENCE_END(X509_REVOKED) +static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r); +static int def_crl_lookup(X509_CRL *crl, + X509_REVOKED **ret, ASN1_INTEGER *serial); + +static X509_CRL_METHOD int_crl_meth = + { + 0, + 0,0, + def_crl_lookup, + def_crl_verify + }; + +static const X509_CRL_METHOD *default_crl_method = &int_crl_meth; + /* The X509_CRL_INFO structure needs a bit of customisation. * Since we cache the original encoding the signature wont be affected by * reordering of the revoked field. @@ -123,7 +137,8 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, crl->akid = NULL; crl->flags = 0; crl->idp_flags = 0; - crl->meth = 0; + crl->meth = default_crl_method; + crl->meth_data = NULL; break; case ASN1_OP_D2I_POST: @@ -161,13 +176,19 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, break; } } - if (crl->meth && crl->meth->crl_init) - return crl->meth->crl_init(crl); + if (crl->meth->crl_init) + { + if (crl->meth->crl_init(crl) == 0) + return 0; + } break; case ASN1_OP_FREE_POST: - if (crl->meth && crl->meth->crl_free) - return crl->meth->crl_free(crl); + if (crl->meth->crl_free) + { + if (!crl->meth->crl_free(crl)) + return 0; + } if (crl->akid) AUTHORITY_KEYID_free(crl->akid); if (crl->idp) @@ -252,19 +273,30 @@ int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev) int X509_CRL_verify(X509_CRL *crl, EVP_PKEY *r) { - if (crl->meth && crl->meth->crl_verify) + if (crl->meth->crl_verify) return crl->meth->crl_verify(crl, r); + return 0; + } + +int X509_CRL_get0_by_serial(X509_CRL *crl, + X509_REVOKED **ret, ASN1_INTEGER *serial) + { + if (crl->meth->crl_lookup) + return crl->meth->crl_lookup(crl, ret, serial); + return 0; + } + +static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r) + { return(ASN1_item_verify(ASN1_ITEM_rptr(X509_CRL_INFO), crl->sig_alg, crl->signature,crl->crl,r)); } -int X509_CRL_get0_by_serial(X509_CRL *crl, +static int def_crl_lookup(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *serial) { X509_REVOKED rtmp; int idx; - if (crl->meth && crl->meth->crl_lookup) - return crl->meth->crl_lookup(crl, ret, serial); rtmp.serialNumber = serial; /* Sort revoked into serial number order if not already sorted. * Do this under a lock to avoid race condition. @@ -288,6 +320,49 @@ int X509_CRL_get0_by_serial(X509_CRL *crl, return 0; } +void X509_CRL_set_default_method(const X509_CRL_METHOD *meth) + { + if (meth == NULL) + default_crl_method = &int_crl_meth; + else + default_crl_method = meth; + } + +X509_CRL_METHOD *X509_CRL_METHOD_new( + int (*crl_init)(X509_CRL *crl), + int (*crl_free)(X509_CRL *crl), + int (*crl_lookup)(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *ser), + int (*crl_verify)(X509_CRL *crl, EVP_PKEY *pk)) + { + X509_CRL_METHOD *m; + m = OPENSSL_malloc(sizeof(X509_CRL_METHOD)); + if (!m) + return NULL; + m->crl_init = crl_init; + m->crl_free = crl_free; + m->crl_lookup = crl_lookup; + m->crl_verify = crl_verify; + m->flags = X509_CRL_METHOD_DYNAMIC; + return m; + } + +void X509_CRL_METHOD_free(X509_CRL_METHOD *m) + { + if (!(m->flags & X509_CRL_METHOD_DYNAMIC)) + return; + OPENSSL_free(m); + } + +void X509_CRL_set_meth_data(X509_CRL *crl, void *dat) + { + crl->meth_data = dat; + } + +void *X509_CRL_get_meth_data(X509_CRL *crl) + { + return crl->meth_data; + } + IMPLEMENT_STACK_OF(X509_REVOKED) IMPLEMENT_ASN1_SET_OF(X509_REVOKED) IMPLEMENT_STACK_OF(X509_CRL) diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h index f28086c175..51c5a0abce 100644 --- a/crypto/x509/x509.h +++ b/crypto/x509/x509.h @@ -460,7 +460,8 @@ struct X509_crl_st #ifndef OPENSSL_NO_SHA unsigned char sha1_hash[SHA_DIGEST_LENGTH]; #endif - X509_CRL_METHOD *meth; + const X509_CRL_METHOD *meth; + void *meth_data; } /* X509_CRL */; DECLARE_STACK_OF(X509_CRL) @@ -748,6 +749,22 @@ extern "C" { #define X509_CRL_get_issuer(x) ((x)->crl->issuer) #define X509_CRL_get_REVOKED(x) ((x)->crl->revoked) +void X509_CRL_set_default_method(const X509_CRL_METHOD *meth); +X509_CRL_METHOD *X509_CRL_METHOD_new( + int (*crl_init)(X509_CRL *crl), + int (*crl_free)(X509_CRL *crl), + int (*crl_lookup)(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *ser), + int (*crl_verify)(X509_CRL *crl, EVP_PKEY *pk)); +void X509_CRL_METHOD_free(X509_CRL_METHOD *m); + +void X509_CRL_set_meth_data(X509_CRL *crl, void *dat); +void *X509_CRL_get_meth_data(X509_CRL *crl); + +IMPLEMENT_STACK_OF(X509_REVOKED) +IMPLEMENT_ASN1_SET_OF(X509_REVOKED) +IMPLEMENT_STACK_OF(X509_CRL) +IMPLEMENT_ASN1_SET_OF(X509_CRL) + /* This one is only used so that a binary form can output, as in * i2d_X509_NAME(X509_get_X509_PUBKEY(x),&buf) */ #define X509_get_X509_PUBKEY(x) ((x)->cert_info->key)