Initial print only support for IDP CRL extension.

2005-07-23 23:33:06 +00:00 · 2005-07-23 23:33:06 +00:00 · 231493c93c
commit 231493c93c
parent 20a90e3a76
8 changed files with 143 additions and 9 deletions
--- a/3
+++ b/3
@ -4,7 +4,8 @@

 Changes between 0.9.8 and 0.9.9  [xx XXX xxxx]

-  *) 
+  *) Add print only support for Issuing Distribution Point CRL extension.
+     [Steve Henson]

 Changes between 0.9.8 and 0.9.8a  [XX xxx XXXX]

--- a/crypto/objects/obj_dat.h
+++ b/crypto/objects/obj_dat.h
@ -62,12 +62,12 @@
 * [including the GNU Public Licence.]
 */

-#define NUM_NID 751
-#define NUM_SN 747
-#define NUM_LN 747
-#define NUM_OBJ 709
+#define NUM_NID 752
+#define NUM_SN 748
+#define NUM_LN 748
+#define NUM_OBJ 710

-static unsigned char lvalues[5002]={
+static unsigned char lvalues[5005]={
 0x00,                                        /* [  0] OBJ_undef */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,               /* [  1] OBJ_rsadsi */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,          /* [  7] OBJ_pkcs */
@ -777,6 +777,7 @@ static unsigned char lvalues[5002]={
 0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x00,     /* [4977] OBJ_id_ppl_anyLanguage */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x01,     /* [4985] OBJ_id_ppl_inheritAll */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x02,     /* [4993] OBJ_Independent */
+0x55,0x1D,0x1C,                              /* [5001] OBJ_issuing_distribution_point */
 };

 static ASN1_OBJECT nid_objs[NUM_NID]={
@ -1945,6 +1946,8 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
 {"id-ppl-inheritAll","Inherit all",NID_id_ppl_inheritAll,8,
 	&(lvalues[4985]),0},
 {"id-ppl-independent","Independent",NID_Independent,8,&(lvalues[4993]),0},
+{"issuingDistributionPoint","X509v3 Issuing Distrubution Point",
+	NID_issuing_distribution_point,3,&(lvalues[5001]),0},
 };

 static ASN1_OBJECT *sn_objs[NUM_SN]={
@ -2382,6 +2385,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[295]),/* "ipsecTunnel" */
 &(nid_objs[296]),/* "ipsecUser" */
 &(nid_objs[86]),/* "issuerAltName" */
+&(nid_objs[751]),/* "issuingDistributionPoint" */
 &(nid_objs[492]),/* "janetMailbox" */
 &(nid_objs[150]),/* "keyBag" */
 &(nid_objs[83]),/* "keyUsage" */
@ -2797,6 +2801,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[126]),/* "X509v3 Extended Key Usage" */
 &(nid_objs[739]),/* "X509v3 Inhibit Any Policy" */
 &(nid_objs[86]),/* "X509v3 Issuer Alternative Name" */
+&(nid_objs[751]),/* "X509v3 Issuing Distrubution Point" */
 &(nid_objs[83]),/* "X509v3 Key Usage" */
 &(nid_objs[736]),/* "X509v3 Name Constraints" */
 &(nid_objs[403]),/* "X509v3 No Revocation Available" */
@ -3502,6 +3507,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[430]),/* OBJ_hold_instruction_code        2 5 29 23 */
 &(nid_objs[142]),/* OBJ_invalidity_date              2 5 29 24 */
 &(nid_objs[140]),/* OBJ_delta_crl                    2 5 29 27 */
+&(nid_objs[751]),/* OBJ_issuing_distribution_point   2 5 29 28 */
 &(nid_objs[736]),/* OBJ_name_constraints             2 5 29 30 */
 &(nid_objs[103]),/* OBJ_crl_distribution_points      2 5 29 31 */
 &(nid_objs[89]),/* OBJ_certificate_policies         2 5 29 32 */
--- a/crypto/objects/obj_mac.h
+++ b/crypto/objects/obj_mac.h
@ -2094,6 +2094,11 @@
 #define NID_delta_crl		140
 #define OBJ_delta_crl		OBJ_id_ce,27L

+#define SN_issuing_distribution_point		"issuingDistributionPoint"
+#define LN_issuing_distribution_point		"X509v3 Issuing Distrubution Point"
+#define NID_issuing_distribution_point		751
+#define OBJ_issuing_distribution_point		OBJ_id_ce,28L
+
 #define SN_name_constraints		"nameConstraints"
 #define LN_name_constraints		"X509v3 Name Constraints"
 #define NID_name_constraints		736
--- a/crypto/objects/obj_mac.num
+++ b/crypto/objects/obj_mac.num
@ -748,3 +748,4 @@ proxyCertInfo		747
 id_ppl_anyLanguage		748
 id_ppl_inheritAll		749
 Independent		750
+issuing_distribution_point		751
--- a/crypto/objects/objects.txt
+++ b/crypto/objects/objects.txt
@ -677,6 +677,8 @@ id-ce 21		: CRLReason		: X509v3 CRL Reason Code
 id-ce 24		: invalidityDate	: Invalidity Date
 !Cname delta-crl
 id-ce 27		: deltaCRL		: X509v3 Delta CRL Indicator
+!Cname issuing-distribution-point
+id-ce 28	: issuingDistributionPoint : X509v3 Issuing Distrubution Point
 !Cname name-constraints
 id-ce 30		: nameConstraints	: X509v3 Name Constraints
 !Cname crl-distribution-points
--- a/crypto/x509v3/ext_dat.h
+++ b/crypto/x509v3/ext_dat.h
@ -66,7 +66,7 @@ extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
 extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
 extern X509V3_EXT_METHOD v3_crl_hold, v3_pci;
 extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
-extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp;
+extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;

 /* This table will be searched using OBJ_bsearch so it *must* kept in
 * order of the ext_nid values.
@ -115,7 +115,8 @@ static X509V3_EXT_METHOD *standard_exts[] = {
 &v3_name_constraints,
 &v3_policy_mappings,
 &v3_inhibit_anyp,
-&v3_pci
+&v3_pci,
+&v3_idp
 };

 /* Number of standard extensions */
--- a/crypto/x509v3/v3_crld.c
+++ b/crypto/x509v3/v3_crld.c
@ -3,7 +3,7 @@
 * project 1999.
 */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999, 2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@ -160,3 +160,112 @@ ASN1_ITEM_TEMPLATE(CRL_DIST_POINTS) =
 ASN1_ITEM_TEMPLATE_END(CRL_DIST_POINTS)

 IMPLEMENT_ASN1_FUNCTIONS(CRL_DIST_POINTS)
+
+ASN1_SEQUENCE(ISSUING_DIST_POINT) = {
+	ASN1_EXP_OPT(ISSUING_DIST_POINT, distpoint, DIST_POINT_NAME, 0),
+	ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyuser, ASN1_FBOOLEAN, 1),
+	ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyCA, ASN1_FBOOLEAN, 2),
+	ASN1_IMP_OPT(ISSUING_DIST_POINT, onlysomereasons, ASN1_BIT_STRING, 3),
+	ASN1_IMP_OPT(ISSUING_DIST_POINT, indirectCRL, ASN1_FBOOLEAN, 4),
+	ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyattr, ASN1_FBOOLEAN, 5)
+} ASN1_SEQUENCE_END(ISSUING_DIST_POINT)
+
+static int i2r_idp(X509V3_EXT_METHOD *method,
+	     void *pidp, BIO *out, int indent);
+
+X509V3_EXT_METHOD v3_idp =
+	{
+	NID_issuing_distribution_point, X509V3_EXT_MULTILINE,
+	ASN1_ITEM_ref(ISSUING_DIST_POINT),
+	0,0,0,0,
+	0,0,
+	0,0,
+	i2r_idp,0,
+	NULL
+	};
+
+static const BIT_STRING_BITNAME reason_flags[] = {
+{1, "Key Compromise", "keyCompromise"},
+{2, "CA Compromise", "CACompromise"},
+{3, "Affiliation Changed", "affiliationChanged"},
+{4, "Superseded", "superseded"},
+{5, "Cessation Of Operation", "cessationOfOperation"},
+{6, "Certificate Hold", "certificateHold"},
+{7, "Privilege Withdrawn", "privilegeWithdrawn"},
+{8, "AA Compromise", "AACompromise"},
+{-1, NULL, NULL}
+};
+
+static int print_reasons(BIO *out, const char *rname,
+			ASN1_BIT_STRING *rflags, int indent)
+	{
+	int first = 1;
+	const BIT_STRING_BITNAME *pbn;
+	BIO_printf(out, "%*s%s:\n%*s", indent, "", rname, indent + 2, "");
+	for (pbn = reason_flags; pbn->lname; pbn++)
+		{
+		if (ASN1_BIT_STRING_get_bit(rflags, pbn->bitnum))
+			{
+			if (first)
+				first = 0;
+			else
+				BIO_puts(out, ",");
+			BIO_puts(out, pbn->lname);
+			}
+		}
+	if (first)
+		BIO_puts(out, "<EMPTY>\n");
+	else
+		BIO_puts(out, "\n");
+	return 1;
+	}
+
+static int print_distpoint(BIO *out, DIST_POINT_NAME *dpn, int indent)
+	{
+	int i;
+	if (dpn->type == 0)
+		{
+		STACK_OF(GENERAL_NAME) *gens;
+		BIO_printf(out, "%*sFull Name:\n", indent, "");
+		gens = dpn->name.fullname;
+		for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
+			{
+			BIO_printf(out, "%*s", indent + 2, "");
+			GENERAL_NAME_print(out, sk_GENERAL_NAME_value(gens, i));
+			}
+		}
+	else
+		{
+		X509_NAME ntmp;
+		ntmp.entries = dpn->name.relativename;
+		BIO_printf(out, "%*sRelative Name:\n%*s",
+						indent, "", indent + 2, "");
+		X509_NAME_print_ex(out, &ntmp, 0, XN_FLAG_ONELINE);
+		BIO_puts(out, "\n");
+		}
+	return 1;
+	}
+
+static int i2r_idp(X509V3_EXT_METHOD *method, void *pidp, BIO *out, int indent)
+	{
+	ISSUING_DIST_POINT *idp = pidp;
+	if (idp->distpoint)
+		print_distpoint(out, idp->distpoint, indent);
+	if (idp->onlyuser > 0)
+		BIO_printf(out, "%*sOnly User Certificates\n", indent, "");
+	if (idp->onlyCA > 0)
+		BIO_printf(out, "%*sOnly CA Certificates\n", indent, "");
+	if (idp->indirectCRL > 0)
+		BIO_printf(out, "%*sIndirect CRL\n", indent, "");
+	if (idp->onlysomereasons)
+		print_reasons(out, "Only Some Reasons", 
+				idp->onlysomereasons, indent);
+	if (idp->onlyattr > 0)
+		BIO_printf(out, "%*sOnly Attribute Certificates\n", indent, "");
+	if (!idp->distpoint && (idp->onlyuser <= 0) && (idp->onlyCA <= 0)
+		&& (idp->indirectCRL <= 0) && !idp->onlysomereasons
+		&& (idp->onlyattr <= 0))
+		BIO_printf(out, "%*s<EMPTY>\n", indent, "");
+		
+	return 1;
+	}
--- a/crypto/x509v3/x509v3.h
+++ b/crypto/x509v3/x509v3.h
@ -329,6 +329,15 @@ typedef struct PROXY_CERT_INFO_EXTENSION_st
 DECLARE_ASN1_FUNCTIONS(PROXY_POLICY)
 DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)

+typedef struct ISSUING_DIST_POINT_st
+	{
+	DIST_POINT_NAME *distpoint;
+	int onlyuser;
+	int onlyCA;
+	ASN1_BIT_STRING *onlysomereasons;
+	int indirectCRL;
+	int onlyattr;
+	} ISSUING_DIST_POINT;

 #define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \
 ",name:", val->name, ",value:", val->value);