From 231493c93c863527082b55d33292f743a60413fb Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sat, 23 Jul 2005 23:33:06 +0000 Subject: [PATCH] Initial print only support for IDP CRL extension. --- CHANGES | 3 +- crypto/objects/obj_dat.h | 16 ++++-- crypto/objects/obj_mac.h | 5 ++ crypto/objects/obj_mac.num | 1 + crypto/objects/objects.txt | 2 + crypto/x509v3/ext_dat.h | 5 +- crypto/x509v3/v3_crld.c | 111 ++++++++++++++++++++++++++++++++++++- crypto/x509v3/x509v3.h | 9 +++ 8 files changed, 143 insertions(+), 9 deletions(-) diff --git a/CHANGES b/CHANGES index cd8f971a54..f828606009 100644 --- a/CHANGES +++ b/CHANGES @@ -4,7 +4,8 @@ Changes between 0.9.8 and 0.9.9 [xx XXX xxxx] - *) + *) Add print only support for Issuing Distribution Point CRL extension. + [Steve Henson] Changes between 0.9.8 and 0.9.8a [XX xxx XXXX] diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index c2a707a984..ae6b1794e4 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -62,12 +62,12 @@ * [including the GNU Public Licence.] */ -#define NUM_NID 751 -#define NUM_SN 747 -#define NUM_LN 747 -#define NUM_OBJ 709 +#define NUM_NID 752 +#define NUM_SN 748 +#define NUM_LN 748 +#define NUM_OBJ 710 -static unsigned char lvalues[5002]={ +static unsigned char lvalues[5005]={ 0x00, /* [ 0] OBJ_undef */ 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 1] OBJ_rsadsi */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 7] OBJ_pkcs */ @@ -777,6 +777,7 @@ static unsigned char lvalues[5002]={ 0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x00, /* [4977] OBJ_id_ppl_anyLanguage */ 0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x01, /* [4985] OBJ_id_ppl_inheritAll */ 0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x02, /* [4993] OBJ_Independent */ +0x55,0x1D,0x1C, /* [5001] OBJ_issuing_distribution_point */ }; static ASN1_OBJECT nid_objs[NUM_NID]={ 
@@ -1945,6 +1946,8 @@ static ASN1_OBJECT nid_objs[NUM_NID]={ {"id-ppl-inheritAll","Inherit all",NID_id_ppl_inheritAll,8, &(lvalues[4985]),0}, {"id-ppl-independent","Independent",NID_Independent,8,&(lvalues[4993]),0}, +{"issuingDistributionPoint","X509v3 Issuing Distrubution Point", + NID_issuing_distribution_point,3,&(lvalues[5001]),0}, }; static ASN1_OBJECT *sn_objs[NUM_SN]={ @@ -2382,6 +2385,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[295]),/* "ipsecTunnel" */ &(nid_objs[296]),/* "ipsecUser" */ &(nid_objs[86]),/* "issuerAltName" */ +&(nid_objs[751]),/* "issuingDistributionPoint" */ &(nid_objs[492]),/* "janetMailbox" */ &(nid_objs[150]),/* "keyBag" */ &(nid_objs[83]),/* "keyUsage" */ @@ -2797,6 +2801,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[126]),/* "X509v3 Extended Key Usage" */ &(nid_objs[739]),/* "X509v3 Inhibit Any Policy" */ &(nid_objs[86]),/* "X509v3 Issuer Alternative Name" */ +&(nid_objs[751]),/* "X509v3 Issuing Distrubution Point" */ &(nid_objs[83]),/* "X509v3 Key Usage" */ &(nid_objs[736]),/* "X509v3 Name Constraints" */ &(nid_objs[403]),/* "X509v3 No Revocation Available" */ @@ -3502,6 +3507,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[430]),/* OBJ_hold_instruction_code 2 5 29 23 */ &(nid_objs[142]),/* OBJ_invalidity_date 2 5 29 24 */ &(nid_objs[140]),/* OBJ_delta_crl 2 5 29 27 */ +&(nid_objs[751]),/* OBJ_issuing_distribution_point 2 5 29 28 */ &(nid_objs[736]),/* OBJ_name_constraints 2 5 29 30 */ &(nid_objs[103]),/* OBJ_crl_distribution_points 2 5 29 31 */ &(nid_objs[89]),/* OBJ_certificate_policies 2 5 29 32 */ diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h index 322577094a..8f629b4b0a 100644 --- a/crypto/objects/obj_mac.h +++ b/crypto/objects/obj_mac.h 
@@ -2094,6 +2094,11 @@ #define NID_delta_crl 140 #define OBJ_delta_crl OBJ_id_ce,27L +#define SN_issuing_distribution_point "issuingDistributionPoint" +#define LN_issuing_distribution_point "X509v3 Issuing Distrubution Point" +#define NID_issuing_distribution_point 751 +#define OBJ_issuing_distribution_point OBJ_id_ce,28L + #define SN_name_constraints "nameConstraints" #define LN_name_constraints "X509v3 Name Constraints" #define NID_name_constraints 736 diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num index 180d20f1bc..2cfa485cf0 100644 --- a/crypto/objects/obj_mac.num +++ b/crypto/objects/obj_mac.num @@ -748,3 +748,4 @@ proxyCertInfo 747 id_ppl_anyLanguage 748 id_ppl_inheritAll 749 Independent 750 +issuing_distribution_point 751 diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt index 46a405b3e6..49f9b2caf5 100644 --- a/crypto/objects/objects.txt +++ b/crypto/objects/objects.txt @@ -677,6 +677,8 @@ id-ce 21 : CRLReason : X509v3 CRL Reason Code id-ce 24 : invalidityDate : Invalidity Date !Cname delta-crl id-ce 27 : deltaCRL : X509v3 Delta CRL Indicator +!Cname issuing-distribution-point +id-ce 28 : issuingDistributionPoint : X509v3 Issuing Distrubution Point !Cname name-constraints id-ce 30 : nameConstraints : X509v3 Name Constraints !Cname crl-distribution-points diff --git a/crypto/x509v3/ext_dat.h b/crypto/x509v3/ext_dat.h index 5e86de5c9e..e23ee9bc79 100644 --- a/crypto/x509v3/ext_dat.h +++ b/crypto/x509v3/ext_dat.h 
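Review bot: The long name added on the `id-ce 28` line of objects.txt misspells the extension: `X509v3 Issuing Distrubution Point` should read `X509v3 Issuing Distribution Point`. This string is what OBJ_nid2ln returns for the new NID, and the generated obj_dat.h and obj_mac.h in this commit reproduce it as LN_issuing_distribution_point, so the typo will appear verbatim in printed CRL output. Fix it in objects.txt and regenerate the object tables rather than editing the generated files alone.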
@@ -66,7 +66,7 @@ extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff; extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc; extern X509V3_EXT_METHOD v3_crl_hold, v3_pci; extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints; -extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp; +extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp; /* This table will be searched using OBJ_bsearch so it *must* kept in * order of the ext_nid values. @@ -115,7 +115,8 @@ static X509V3_EXT_METHOD *standard_exts[] = { &v3_name_constraints, &v3_policy_mappings, &v3_inhibit_anyp, -&v3_pci +&v3_pci, +&v3_idp }; /* Number of standard extensions */ diff --git a/crypto/x509v3/v3_crld.c b/crypto/x509v3/v3_crld.c index f90829c574..28a38c16f4 100644 --- a/crypto/x509v3/v3_crld.c +++ b/crypto/x509v3/v3_crld.c @@ -3,7 +3,7 @@ * project 1999. */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999, 2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -160,3 +160,112 @@ ASN1_ITEM_TEMPLATE(CRL_DIST_POINTS) = ASN1_ITEM_TEMPLATE_END(CRL_DIST_POINTS) IMPLEMENT_ASN1_FUNCTIONS(CRL_DIST_POINTS) + +ASN1_SEQUENCE(ISSUING_DIST_POINT) = { + ASN1_EXP_OPT(ISSUING_DIST_POINT, distpoint, DIST_POINT_NAME, 0), + ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyuser, ASN1_FBOOLEAN, 1), + ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyCA, ASN1_FBOOLEAN, 2), + ASN1_IMP_OPT(ISSUING_DIST_POINT, onlysomereasons, ASN1_BIT_STRING, 3), + ASN1_IMP_OPT(ISSUING_DIST_POINT, indirectCRL, ASN1_FBOOLEAN, 4), + ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyattr, ASN1_FBOOLEAN, 5) +} ASN1_SEQUENCE_END(ISSUING_DIST_POINT) + +static int i2r_idp(X509V3_EXT_METHOD *method, + void *pidp, BIO *out, int indent); + +X509V3_EXT_METHOD v3_idp = + { + NID_issuing_distribution_point, X509V3_EXT_MULTILINE, + ASN1_ITEM_ref(ISSUING_DIST_POINT), + 0,0,0,0, + 0,0, + 0,0, + i2r_idp,0, + NULL + }; + +static const BIT_STRING_BITNAME reason_flags[] = { +{1, "Key Compromise", "keyCompromise"}, +{2, "CA Compromise", "CACompromise"}, +{3, "Affiliation Changed", "affiliationChanged"}, +{4, "Superseded", "superseded"}, +{5, "Cessation Of Operation", "cessationOfOperation"}, +{6, "Certificate Hold", "certificateHold"}, +{7, "Privilege Withdrawn", "privilegeWithdrawn"}, +{8, "AA Compromise", "AACompromise"}, +{-1, NULL, NULL} +}; + +static int print_reasons(BIO *out, const char *rname, + ASN1_BIT_STRING *rflags, int indent) + { + int first = 1; + const BIT_STRING_BITNAME *pbn; + BIO_printf(out, "%*s%s:\n%*s", indent, "", rname, indent + 2, ""); + for (pbn = reason_flags; pbn->lname; pbn++) + { + if (ASN1_BIT_STRING_get_bit(rflags, pbn->bitnum)) + { + if (first) + first = 0; + else + BIO_puts(out, ","); + BIO_puts(out, pbn->lname); + } + } + if (first) + BIO_puts(out, "\n"); + else + BIO_puts(out, "\n"); + return 1; + } + +static int print_distpoint(BIO *out, DIST_POINT_NAME *dpn, int indent) + { + int i; + if (dpn->type == 0) + { + STACK_OF(GENERAL_NAME) *gens; + BIO_printf(out, "%*sFull Name:\n", 
indent, ""); + gens = dpn->name.fullname; + for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) + { + BIO_printf(out, "%*s", indent + 2, ""); + GENERAL_NAME_print(out, sk_GENERAL_NAME_value(gens, i)); + } + } + else + { + X509_NAME ntmp; + ntmp.entries = dpn->name.relativename; + BIO_printf(out, "%*sRelative Name:\n%*s", + indent, "", indent + 2, ""); + X509_NAME_print_ex(out, &ntmp, 0, XN_FLAG_ONELINE); + BIO_puts(out, "\n"); + } + return 1; + } + +static int i2r_idp(X509V3_EXT_METHOD *method, void *pidp, BIO *out, int indent) + { + ISSUING_DIST_POINT *idp = pidp; + if (idp->distpoint) + print_distpoint(out, idp->distpoint, indent); + if (idp->onlyuser > 0) + BIO_printf(out, "%*sOnly User Certificates\n", indent, ""); + if (idp->onlyCA > 0) + BIO_printf(out, "%*sOnly CA Certificates\n", indent, ""); + if (idp->indirectCRL > 0) + BIO_printf(out, "%*sIndirect CRL\n", indent, ""); + if (idp->onlysomereasons) + print_reasons(out, "Only Some Reasons", + idp->onlysomereasons, indent); + if (idp->onlyattr > 0) + BIO_printf(out, "%*sOnly Attribute Certificates\n", indent, ""); + if (!idp->distpoint && (idp->onlyuser <= 0) && (idp->onlyCA <= 0) + && (idp->indirectCRL <= 0) && !idp->onlysomereasons + && (idp->onlyattr <= 0)) + BIO_printf(out, "%*s\n", indent, ""); + + return 1; + } diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h index 555820fc1f..c6533d4ed4 100644 --- a/crypto/x509v3/x509v3.h +++ b/crypto/x509v3/x509v3.h @@ -329,6 +329,15 @@ typedef struct PROXY_CERT_INFO_EXTENSION_st DECLARE_ASN1_FUNCTIONS(PROXY_POLICY) DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION) +typedef struct ISSUING_DIST_POINT_st + { + DIST_POINT_NAME *distpoint; + int onlyuser; + int onlyCA; + ASN1_BIT_STRING *onlysomereasons; + int indirectCRL; + int onlyattr; + } ISSUING_DIST_POINT; #define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \ ",name:", val->name, ",value:", val->value); -- GitLab
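Review bot: `X509_NAME ntmp;` in print_distpoint sets only `entries` before passing the object to X509_NAME_print_ex, so every other member of the temporary is indeterminate; reading one of them would be undefined behaviour, and nothing in this hunk guarantees the printer touches only `entries`. Zero-initialising the temporary, `X509_NAME ntmp = {0};`, makes the partial object deterministic at no cost. In print_reasons the closing `if (first) BIO_puts(out, "\n"); else BIO_puts(out, "\n");` has identical branches and collapses to a single `BIO_puts(out, "\n");`. Note also that print_reasons runs whenever onlysomereasons is present, so a bit string with no bits set prints the heading followed by an empty line; if that is intended, a short comment saying so would help the next reader.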
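Review bot: The new ISSUING_DIST_POINT_st says nothing about what its `int` members hold, even though the matching ASN1_SEQUENCE in v3_crld.c decodes onlyuser, onlyCA, indirectCRL and onlyattr as ASN1_FBOOLEAN and i2r_idp treats a value `> 0` as set. A comment such as `/* onlyuser, onlyCA, indirectCRL, onlyattr: BOOLEAN DEFAULT FALSE, decoded into int; i2r_idp treats > 0 as TRUE */` above the struct would record that contract where callers will look for it. The neighbouring types immediately above each get a DECLARE_ASN1_FUNCTIONS line while ISSUING_DIST_POINT gets none; if that is deliberate for print-only support, a one-line comment stating so would save a search through v3_crld.c.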