generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Initial support for delta CRLs. If "use deltas" flag is set attempt to find

Browse Source 
a delta CRL in addition to a full CRL. Check and search delta in addition to
the base.
This commit is contained in:
Dr. Stephen Henson 2008-09-01 15:15:16 +00:00
parent 4b96839f06
commit d43c4497ce
9 changed files with 341 additions and 117 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
CHANGES
View File

@ -4,6 +4,12 @@
Changes between 0.9.8i and 0.9.9 [xx XXX xxxx]
*) Delta CRL support. New use deltas option which will attempt to locate
and search any appropriate delta CRLs available.
This work was sponsored by Google.
[Steve Henson]
*) Support for CRLs partitioned by reason code. Reorganise CRL processing
code and add additional score elements. Validate alternate CRL paths
as part of the CRL checking and indicate a new error "CRL path validation

2
apps/apps.c
View File

@ -2241,6 +2241,8 @@ int args_verify(char ***pargs, int *pargc,
flags |= X509_V_FLAG_X509_STRICT;
else if (!strcmp(arg, "-extended_crl"))
flags |= X509_V_FLAG_EXTENDED_CRL_SUPPORT;
else if (!strcmp(arg, "-use_deltas"))
flags |= X509_V_FLAG_USE_DELTAS;
else if (!strcmp(arg, "-policy_print"))
flags |= X509_V_FLAG_NOTIFY_POLICY;
else

44
crypto/asn1/x_crl.c
View File

@ -137,6 +137,7 @@ static int crl_set_issuers(X509_CRL *crl)
{
X509_REVOKED *rev = sk_X509_REVOKED_value(revoked, i);
STACK_OF(X509_EXTENSION) *exts;
ASN1_ENUMERATED *reason;
X509_EXTENSION *ext;
gtmp = X509_REVOKED_get_ext_d2i(rev,
NID_certificate_issuer,
@ -161,6 +162,22 @@ static int crl_set_issuers(X509_CRL *crl)
}
rev->issuer = gens;
reason = X509_REVOKED_get_ext_d2i(rev, NID_crl_reason,
&j, NULL);
if (!reason && (j != -1))
{
crl->flags |= EXFLAG_INVALID;
return 1;
}
if (reason)
{
rev->reason = ASN1_ENUMERATED_get(reason);
ASN1_ENUMERATED_free(reason);
}
else
rev->reason = CRL_REASON_NONE;
/* Check for critical CRL entry extensions */
exts = rev->extensions;
@ -207,6 +224,8 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
crl->meth = default_crl_method;
crl->meth_data = NULL;
crl->issuers = NULL;
crl->crl_number = NULL;
crl->base_crl_number = NULL;
break;
case ASN1_OP_D2I_POST:
@ -221,6 +240,15 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
crl->akid = X509_CRL_get_ext_d2i(crl,
NID_authority_key_identifier, NULL, NULL);
crl->crl_number = X509_CRL_get_ext_d2i(crl,
NID_crl_number, NULL, NULL);
crl->base_crl_number = X509_CRL_get_ext_d2i(crl,
NID_delta_crl, NULL, NULL);
/* Delta CRLs must have CRL number */
if (crl->base_crl_number && !crl->crl_number)
crl->flags |= EXFLAG_INVALID;
/* See if we have any unhandled critical CRL extensions and
* indicate this in a flag. We only currently handle IDP so
* anything else critical sets the flag.
@ -233,13 +261,17 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++)
{
int nid;
ext = sk_X509_EXTENSION_value(exts, idx);
nid = OBJ_obj2nid(ext->object);
if (nid == NID_freshest_crl)
crl->flags |= EXFLAG_FRESHEST;
if (ext->critical > 0)
{
/* We handle IDP now so permit it */
if (OBJ_obj2nid(ext->object) ==
NID_issuing_distribution_point)
continue;
/* We handle IDP and deltas */
if ((nid == NID_issuing_distribution_point)
|| (nid == NID_delta_crl))
break;;
crl->flags |= EXFLAG_CRITICAL;
break;
}
@ -266,6 +298,8 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
AUTHORITY_KEYID_free(crl->akid);
if (crl->idp)
ISSUING_DIST_POINT_free(crl->idp);
ASN1_INTEGER_free(crl->crl_number);
ASN1_INTEGER_free(crl->base_crl_number);
sk_GENERAL_NAMES_pop_free(crl->issuers, GENERAL_NAMES_free);
break;
}
@ -435,6 +469,8 @@ static int def_crl_lookup(X509_CRL *crl,
{
if (ret)
*ret = rev;
if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)
return 2;
return 1;
}
}

5
crypto/x509/x509.h
View File

@ -436,6 +436,8 @@ struct x509_revoked_st
STACK_OF(X509_EXTENSION) /* optional */ *extensions;
/* Set up if indirect CRL */
STACK_OF(GENERAL_NAME) *issuer;
/* Revocation reason */
int reason;
int sequence; /* load sequence */
};
@ -468,6 +470,9 @@ struct X509_crl_st
/* Convenient breakdown of IDP */
int idp_flags;
int idp_reasons;
/* CRL and base CRL numbers for delta processing */
ASN1_INTEGER *crl_number;
ASN1_INTEGER *base_crl_number;
#ifndef OPENSSL_NO_SHA
unsigned char sha1_hash[SHA_DIGEST_LENGTH];
#endif

359
crypto/x509/x509_vfy.c
View File

@ -70,6 +70,44 @@
#include <openssl/x509v3.h>
#include <openssl/objects.h>
/* CRL score values */
/* No unhandled critical extensions */
#define CRL_SCORE_NOCRITICAL 0x100
/* certificate is within CRL scope */
#define CRL_SCORE_SCOPE 0x080
/* CRL times valid */
#define CRL_SCORE_TIME 0x040
/* Issuer name matches certificate */
#define CRL_SCORE_ISSUER_NAME 0x020
/* If this score or above CRL is probably valid */
#define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE)
/* CRL issuer is certificate issuer */
#define CRL_SCORE_ISSUER_CERT 0x018
/* CRL issuer is on certificate path */
#define CRL_SCORE_SAME_PATH 0x008
/* CRL issuer matches CRL AKID */
#define CRL_SCORE_AKID 0x004
/* Have a delta CRL with valid times */
#define CRL_SCORE_TIME_DELTA 0x002
static int null_callback(int ok,X509_STORE_CTX *e);
static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
@ -83,6 +121,10 @@ static int check_policy(X509_STORE_CTX *ctx);
static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
unsigned int *preasons,
X509_CRL *crl, X509 *x);
static int get_crl_delta(X509_STORE_CTX *ctx,
X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x);
static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score,
X509_CRL *base, STACK_OF(X509_CRL) *crls);
static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
X509 **pissuer, int *pcrl_score);
static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
@ -649,7 +691,7 @@ static int check_revocation(X509_STORE_CTX *ctx)
static int check_cert(X509_STORE_CTX *ctx)
{
X509_CRL *crl = NULL;
X509_CRL *crl = NULL, *dcrl = NULL;
X509 *x;
int ok, cnum;
cnum = ctx->error_depth;
@ -660,7 +702,10 @@ static int check_cert(X509_STORE_CTX *ctx)
while (ctx->current_reasons != CRLDP_ALL_REASONS)
{
/* Try to retrieve relevant CRL */
ok = ctx->get_crl(ctx, &crl, x);
if (ctx->get_crl)
ok = ctx->get_crl(ctx, &crl, x);
else
ok = get_crl_delta(ctx, &crl, &dcrl, x);
/* If error looking up CRL, nothing we can do except
* notify callback
*/
@ -674,14 +719,36 @@ static int check_cert(X509_STORE_CTX *ctx)
ok = ctx->check_crl(ctx, crl);
if (!ok)
goto err;
ok = ctx->cert_crl(ctx, crl, x);
if (!ok)
goto err;
if (dcrl)
{
ok = ctx->check_crl(ctx, dcrl);
if (!ok)
goto err;
ok = ctx->cert_crl(ctx, dcrl, x);
if (!ok)
goto err;
}
else
ok = 1;
/* Don't look in full CRL if delta reason is removefromCRL */
if (ok != 2)
{
ok = ctx->cert_crl(ctx, crl, x);
if (!ok)
goto err;
}
X509_CRL_free(crl);
X509_CRL_free(dcrl);
crl = NULL;
dcrl = NULL;
}
err:
X509_CRL_free(crl);
X509_CRL_free(dcrl);
ctx->current_crl = NULL;
return ok;
@ -731,8 +798,8 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
if (!ctx->verify_cb(0, ctx))
return 0;
}
if (i < 0)
/* Ignore expiry of base CRL is delta is valid */
if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA))
{
if (!notify)
return 0;
@ -748,46 +815,8 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
return 1;
}
/* CRL score values */
/* No unhandled critical extensions */
#define CRL_SCORE_NOCRITICAL 0x100
/* certificate is within CRL scope */
#define CRL_SCORE_SCOPE 0x080
/* CRL times valid */
#define CRL_SCORE_TIME 0x040
/* Issuer name matches certificate */
#define CRL_SCORE_ISSUER_NAME 0x020
/* If this score or above CRL is probably valid */
#define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE)
/* CRL issuer is certificate issuer */
#define CRL_SCORE_ISSUER_CERT 0x018
/* CRL issuer is on certificate path */
#define CRL_SCORE_SAME_PATH 0x008
/* CRL issuer matches CRL AKID */
#define CRL_SCORE_AKID 0x004
/* CRL is complete, not delta */
#define CRL_SCORE_COMPLETE 0x002
static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 **pissuer,
int *pscore, unsigned int *preasons,
static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
X509 **pissuer, int *pscore, unsigned int *preasons,
STACK_OF(X509_CRL) *crls)
{
int i, crl_score, best_score = *pscore;
@ -818,16 +847,121 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 **pissuer,
*pissuer = best_crl_issuer;
*pscore = best_score;
*preasons = best_reasons;
CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509);
CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL);
if (*pdcrl)
{
X509_CRL_free(*pdcrl);
*pdcrl = NULL;
}
get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
}
if (best_score >= CRL_SCORE_VALID)
return 1;
return 0;
}
/* Compare two CRL extensions for delta checking purposes. They should be
* both present or both absent. If both present all fields must be identical.
*/
static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
{
ASN1_OCTET_STRING *exta, *extb;
int i;
i = X509_CRL_get_ext_by_NID(a, nid, 0);
if (i >= 0)
{
/* Can't have multiple occurrences */
if (X509_CRL_get_ext_by_NID(a, nid, i) != -1)
return 0;
exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i));
}
else
exta = NULL;
i = X509_CRL_get_ext_by_NID(b, nid, 0);
if (i >= 0)
{
if (X509_CRL_get_ext_by_NID(b, nid, i) != -1)
return 0;
extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
}
else
extb = NULL;
if (!exta && !extb)
return 1;
if (!exta || !extb)
return 0;
if (ASN1_OCTET_STRING_cmp(exta, extb))
return 0;
return 1;
}
/* See if a base and delta are compatible */
static int check_delta_base(X509_CRL *delta, X509_CRL *base)
{
/* Delta CRL must be a delta */
if (!delta->base_crl_number)
return 0;
/* Base must have a CRL number */
if (!base->crl_number)
return 0;
/* Issuer names must match */
if (X509_NAME_cmp(X509_CRL_get_issuer(base),
X509_CRL_get_issuer(delta)))
return 0;
/* AKID and IDP must match */
if (!crl_extension_match(delta, base, NID_authority_key_identifier))
return 0;
if (!crl_extension_match(delta, base, NID_issuing_distribution_point))
return 0;
/* Delta CRL base number must not exceed Full CRL number. */
if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)
return 0;
/* Delta CRL number must exceed full CRL number */
if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
return 1;
return 0;
}
/* For a given base CRL find a delta... maybe extend to delta scoring
* or retrieve a chain of deltas...
*/
static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
X509_CRL *base, STACK_OF(X509_CRL) *crls)
{
X509_CRL *delta;
int i;
if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS))
return;
if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST))
return;
for (i = 0; i < sk_X509_CRL_num(crls); i++)
{
delta = sk_X509_CRL_value(crls, i);
if (check_delta_base(delta, base))
{
if (check_crl_time(ctx, delta, 0))
*pscore |= CRL_SCORE_TIME_DELTA;
CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL);
*dcrl = delta;
return;
}
}
*dcrl = NULL;
}
/* For a given CRL return how suitable it is for the supplied certificate 'x'.
* The return value is a mask of several criteria.
* If the issuer is not the certificate issuer this is returned in *pissuer.
@ -860,6 +994,9 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
if (!(crl->idp_reasons & ~tmp_reasons))
return 0;
}
/* Don't process deltas at this stage */
else if (crl->base_crl_number)
return 0;
/* If issuer name doesn't match certificate need indirect CRL */
if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl)))
{
@ -1146,22 +1283,24 @@ static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
return 0;
}
/* Retrieve CRL corresponding to current certificate. Currently only
* one CRL is retrieved. Multiple CRLs may be needed if we handle
* CRLs partitioned on reason code later.
/* Retrieve CRL corresponding to current certificate.
* If deltas enabled try to find a delta CRL too
*/
static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x)
static int get_crl_delta(X509_STORE_CTX *ctx,
X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
{
int ok;
X509 *issuer = NULL;
int crl_score = 0;
unsigned int reasons;
X509_CRL *crl = NULL;
X509_CRL *crl = NULL, *dcrl = NULL;
STACK_OF(X509_CRL) *skcrl;
X509_NAME *nm = X509_get_issuer_name(x);
reasons = ctx->current_reasons;
ok = get_crl_sk(ctx, &crl, &issuer, &crl_score, &reasons, ctx->crls);
ok = get_crl_sk(ctx, &crl, &dcrl,
&issuer, &crl_score, &reasons, ctx->crls);
if (ok)
goto done;
@ -1173,7 +1312,7 @@ static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x)
if (!skcrl && crl)
goto done;
get_crl_sk(ctx, &crl, &issuer, &crl_score, &reasons, skcrl);
get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl);
sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
@ -1186,6 +1325,7 @@ static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x)
ctx->current_crl_score = crl_score;
ctx->current_reasons = reasons;
*pcrl = crl;
*pdcrl = dcrl;
return 1;
}
@ -1203,6 +1343,7 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
/* if we have an alternative CRL issuer cert use that */
if (ctx->current_issuer)
issuer = ctx->current_issuer;
/* Else find CRL issuer: if not last certificate then issuer
* is next certificate in chain.
*/
@ -1222,44 +1363,52 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
if(issuer)
{
/* Check for cRLSign bit if keyUsage present */
if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
!(issuer->ex_kusage & KU_CRL_SIGN))
/* Skip most tests for deltas because they have already
* been done
*/
if (!crl->base_crl_number)
{
ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
ok = ctx->verify_cb(0, ctx);
if(!ok) goto err;
/* Check for cRLSign bit if keyUsage present */
if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
!(issuer->ex_kusage & KU_CRL_SIGN))
{
ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
ok = ctx->verify_cb(0, ctx);
if(!ok) goto err;
}
if (!(ctx->current_crl_score & CRL_SCORE_SCOPE))
{
ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
ok = ctx->verify_cb(0, ctx);
if(!ok) goto err;
}
if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH))
{
if (!check_crl_path(ctx, ctx->current_issuer))
{
ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
ok = ctx->verify_cb(0, ctx);
if(!ok) goto err;
}
}
if (crl->idp_flags & IDP_INVALID)
{
ctx->error = X509_V_ERR_INVALID_EXTENSION;
ok = ctx->verify_cb(0, ctx);
if(!ok) goto err;
}
}
if (!(ctx->current_crl_score & CRL_SCORE_SCOPE))
{
ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
ok = ctx->verify_cb(0, ctx);
if(!ok) goto err;
}
if (!(ctx->current_crl_score & CRL_SCORE_TIME))
{
ok = check_crl_time(ctx, crl, 1);
if (!ok)
goto err;
}
if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH))
{
if (!check_crl_path(ctx, ctx->current_issuer))
if (!(ctx->current_crl_score & CRL_SCORE_TIME))
{
ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
ok = ctx->verify_cb(0, ctx);
if(!ok) goto err;
}
}
if (crl->idp_flags & IDP_INVALID)
{
ctx->error = X509_V_ERR_INVALID_EXTENSION;
ok = ctx->verify_cb(0, ctx);
if(!ok) goto err;
ok = check_crl_time(ctx, crl, 1);
if (!ok)
goto err;
}
/* Attempt to get issuer certificate public key */
@ -1294,18 +1443,12 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
{
int ok;
/* Look for serial number of certificate in CRL
* If found assume revoked: want something cleverer than
* this to handle entry extensions in V2 CRLs.
X509_REVOKED *rev;
/* The rules changed for this... previously if a CRL contained
* unhandled critical extensions it could still be used to indicate
* a certificate was revoked. This has since been changed since
* critical extension can change the meaning of CRL entries.
*/
if (X509_CRL_get0_by_cert(crl, NULL, x) > 0)
{
ctx->error = X509_V_ERR_CERT_REVOKED;
ok = ctx->verify_cb(0, ctx);
if (!ok)
return 0;
}
if (crl->flags & EXFLAG_CRITICAL)
{
if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
@ -1315,6 +1458,18 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
if(!ok)
return 0;
}
/* Look for serial number of certificate in CRL
* If found make sure reason is not removeFromCRL.
*/
if (X509_CRL_get0_by_cert(crl, &rev, x))
{
if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)
return 2;
ctx->error = X509_V_ERR_CERT_REVOKED;
ok = ctx->verify_cb(0, ctx);
if (!ok)
return 0;
}
return 1;
}
@ -1898,7 +2053,7 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
if (store && store->get_crl)
ctx->get_crl = store->get_crl;
else
ctx->get_crl = get_crl;
ctx->get_crl = NULL;
if (store && store->check_crl)
ctx->check_crl = store->check_crl;

2
crypto/x509/x509_vfy.h
View File

@ -385,6 +385,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
#define X509_V_FLAG_NOTIFY_POLICY 0x800
/* Extended CRL features such as indirect CRLs, alternate CRL signing keys */
#define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000
/* Delta CRL support */
#define X509_V_FLAG_USE_DELTAS 0x2000
#define X509_VP_FLAG_DEFAULT 0x1
#define X509_VP_FLAG_OVERWRITE 0x2

19
crypto/x509v3/v3_enum.c
View File

@ -61,14 +61,17 @@
#include <openssl/x509v3.h>
static ENUMERATED_NAMES crl_reasons[] = {
{0, "Unspecified", "unspecified"},
{1, "Key Compromise", "keyCompromise"},
{2, "CA Compromise", "CACompromise"},
{3, "Affiliation Changed", "affiliationChanged"},
{4, "Superseded", "superseded"},
{5, "Cessation Of Operation", "cessationOfOperation"},
{6, "Certificate Hold", "certificateHold"},
{8, "Remove From CRL", "removeFromCRL"},
{CRL_REASON_UNSPECIFIED, "Unspecified", "unspecified"},
{CRL_REASON_KEY_COMPROMISE, "Key Compromise", "keyCompromise"},
{CRL_REASON_CA_COMPROMISE, "CA Compromise", "CACompromise"},
{CRL_REASON_AFFILIATION_CHANGED, "Affiliation Changed", "affiliationChanged"},
{CRL_REASON_SUPERSEDED, "Superseded", "superseded"},
{CRL_REASON_CESSATION_OF_OPERATION,
"Cessation Of Operation", "cessationOfOperation"},
{CRL_REASON_CERTIFICATE_HOLD, "Certificate Hold", "certificateHold"},
{CRL_REASON_REMOVE_FROM_CRL, "Remove From CRL", "removeFromCRL"},
{CRL_REASON_PRIVILEGE_WITHDRAWN, "Privilege Withdrawn", "privilegeWithdrawn"},
{CRL_REASON_AA_COMPROMISE, "AA Compromise", "AACompromise"},
{-1, NULL, NULL}
};

6
crypto/x509v3/v3_purp.c
View File

@ -465,8 +465,7 @@ static void x509v3_cache_extensions(X509 *x)
if (!x->nc && (i != -1))
x->ex_flags |= EXFLAG_INVALID;
setup_crldp(x);
#ifndef OPENSSL_NO_RFC3779
x->rfc3779_addr =X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);
x->rfc3779_asid =X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum,
@ -477,6 +476,9 @@ static void x509v3_cache_extensions(X509 *x)
ex = X509_get_ext(x, i);
if (!X509_EXTENSION_get_critical(ex))
continue;
if (OBJ_obj2nid(X509_EXTENSION_get_object(ex))
== NID_freshest_crl)
x->ex_flags |= EXFLAG_FRESHEST;
if (!X509_supported_extension(ex))
{
x->ex_flags |= EXFLAG_CRITICAL;

15
crypto/x509v3/x509v3.h
View File

@ -226,6 +226,18 @@ X509_NAME *dpname;
/* All existing reasons */
#define CRLDP_ALL_REASONS 0x807f
#define CRL_REASON_NONE -1
#define CRL_REASON_UNSPECIFIED 0
#define CRL_REASON_KEY_COMPROMISE 1
#define CRL_REASON_CA_COMPROMISE 2
#define CRL_REASON_AFFILIATION_CHANGED 3
#define CRL_REASON_SUPERSEDED 4
#define CRL_REASON_CESSATION_OF_OPERATION 5
#define CRL_REASON_CERTIFICATE_HOLD 6
#define CRL_REASON_REMOVE_FROM_CRL 8
#define CRL_REASON_PRIVILEGE_WITHDRAWN 9
#define CRL_REASON_AA_COMPROMISE 10
struct DIST_POINT_st {
DIST_POINT_NAME *distpoint;
ASN1_BIT_STRING *reasons;
@ -402,7 +414,8 @@ struct ISSUING_DIST_POINT_st
#define EXFLAG_CRITICAL 0x200
#define EXFLAG_PROXY 0x400
#define EXFLAG_INVALID_POLICY 0x400
#define EXFLAG_INVALID_POLICY 0x800
#define EXFLAG_FRESHEST 0x1000
#define KU_DIGITAL_SIGNATURE 0x0080
#define KU_NON_REPUDIATION 0x0040