When looking for an extension we need to set the last found
position to -1 to properly search all extensions.

PR#3309.

The modification to the OCSP helper purpose breaks normal OCSP verification.
It is no longer needed now we can trust partial chains.

Use -1 to check all extensions in CRLs.
Always set flag for freshest CRL.

as issuer and subject names. Although this is an incompatible change
it should have little impact in pratice because self-issued certificates
that are not self-signed are rarely encountered.

with the appropriate parameters which calls OBJ_bsearch(). A compiler will
typically inline this.

This avoids the need for cmp_xxx variables and fixes unchecked const issues
with CHECKED_PTR_OF()

a delta CRL in addition to a full CRL. Check and search delta in addition to
the base.

Tidy CRL scoring system.

Add new CRL path validation error.

Delete X509_POLICY_REF code.

Fix handling of invalid policy extensions to return the correct error.

Add command line option to inhibit policy mappings.

TODO: robustness checking on name forms.

fields.

Ignore self issued certificates when checking path length constraints.

Duplicate OIDs in policy tree in case they are allocated.

Use anyPolicy from certificate cache and not current tree level.

handling to support this.

and response verification.

Submitted by: Zoltan Glozik <zglozik@opentsa.org>
Reviewed by: Ulf Moeller

a security threat on unexpecting applications.  Document and test.

check_ca(), to resolve constness issue.  check_ca() is called from the
purpose checkers instead of X509_check_ca(), since the stuff done by
the latter (except for calling check_ca()) is also done by
X509_check_purpose().

CA setting in each certificate on the chain is correct.  As a side-
effect always do the following basic checks on extensions, not just
when there's an associated purpose to the check:
- if there is an unhandled critical extension (unless the user has
  chosen to ignore this fault)
- if the path length has been exceeded (if one is set at all)
- that certain extensions fit the associated purpose (if one has been
  given)

when X509_V_FLAG_X509_STRICT is set. Check for CRLSign in
CRL issuer certificates. Reject CRLs with unhandled (any)
critical extensions.

I have tried to convert 'len' type variable declarations to unsigned as a
means to address these warnings when appropriate, but when in doubt I have
used casts in the comparisons instead. The better solution (that would get
us all lynched by API users) would be to go through and convert all the
function prototypes and structure definitions to use unsigned variables
except when signed is necessary. The proliferation of (signed) "int" for
strictly non-negative uses is unfortunate.

Notified privately to me by Peter Sylvester <Peter.Sylvester@EdelWeb.fr>,
one of the authors of said RFC

[See
     Message-ID: <3BB07999.30432AD2@celocom.com>
     Date: Tue, 25 Sep 2001 13:33:29 +0100
     From: Dr S N Henson <drh@celocom.com>
     To: openssl-dev@openssl.org
     Subject: Re: Error in v3_purp.c
]

making X509_check_issued() properly match an issuer that's found in a
Authority Key Identifier.

Reject certificates with unhandled critical extensions.

Purpose and trust setting functions for X509_STORE.

Tidy existing code.

sure they are available in opensslconf.h, by giving them names starting
with "OPENSSL_" to avoid conflicts with other packages and by making
sure e_os2.h will cover all platform-specific cases together with
opensslconf.h.

I've checked fairly well that nothing breaks with this (apart from
external software that will adapt if they have used something like
NO_KRB5), but I can't guarantee it completely, so a review of this
change would be a good thing.

certificates.

One is a valid CA which has no basicConstraints
but does have certSign keyUsage.

Other is S/MIME signer with nonRepudiation but
no digitalSignature.

Initial OCSP certificate verify. Not complete,
it just supports a "trusted OCSP global root CA".

Merge from the ASN1 branch of new ASN1 code
to main trunk.

Lets see if the makes it to openssl-cvs :-)

The old code was painfully primitive and couldn't handle
distinct certificates using the same subject name.

The new code performs several tests on a candidate issuer
certificate based on certificate extensions.

It also adds several callbacks to X509_VERIFY_CTX so its
behaviour can be customised.

Unfortunately some hackery was needed to persuade X509_STORE
to tolerate this. This should go away when X509_STORE is
replaced, sometime...

This must have broken something though :-(