if (lastpos < 0)
lastpos=0;
n=sk_X509_ATTRIBUTE_num(sk);
- for ( ; lastpos < n; lastpos++)
- {
+ for ( ; lastpos < n; lastpos++) {
ex=sk_X509_ATTRIBUTE_value(sk,lastpos);
if (OBJ_cmp(ex->object,obj) == 0)
return(lastpos);
X509_ATTRIBUTE *new_attr=NULL;
STACK_OF(X509_ATTRIBUTE) *sk=NULL;
- if (x == NULL)
- {
+ if (x == NULL) {
X509err(X509_F_X509AT_ADD1_ATTR, ERR_R_PASSED_NULL_PARAMETER);
goto err2;
- }
+ }
- if (*x == NULL)
- {
+ if (*x == NULL) {
if ((sk=sk_X509_ATTRIBUTE_new_null()) == NULL)
goto err;
- }
- else
+ } else
sk= *x;
if ((new_attr=X509_ATTRIBUTE_dup(attr)) == NULL)
X509_ATTRIBUTE *ret;
obj=OBJ_nid2obj(nid);
- if (obj == NULL)
- {
+ if (obj == NULL) {
X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_NID,X509_R_UNKNOWN_NID);
return(NULL);
- }
+ }
ret=X509_ATTRIBUTE_create_by_OBJ(attr,obj,atrtype,data,len);
if (ret == NULL) ASN1_OBJECT_free(obj);
return(ret);
{
X509_ATTRIBUTE *ret;
- if ((attr == NULL) || (*attr == NULL))
- {
- if ((ret=X509_ATTRIBUTE_new()) == NULL)
- {
+ if ((attr == NULL) || (*attr == NULL)) {
+ if ((ret=X509_ATTRIBUTE_new()) == NULL) {
X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE);
return(NULL);
- }
}
+ }
else
ret= *attr;
X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
const char *atrname, int type, const unsigned char *bytes, int len)
- {
+{
ASN1_OBJECT *obj;
X509_ATTRIBUTE *nattr;
obj=OBJ_txt2obj(atrname, 0);
- if (obj == NULL)
- {
+ if (obj == NULL) {
X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_TXT,
X509_R_INVALID_FIELD_NAME);
ERR_add_error_data(2, "name=", atrname);
return(NULL);
- }
+ }
nattr = X509_ATTRIBUTE_create_by_OBJ(attr,obj,type,bytes,len);
ASN1_OBJECT_free(obj);
return nattr;
- }
+}
int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj)
{
if (attrtype == 0)
return 1;
if(!(ttmp = ASN1_TYPE_new())) goto err;
- if ((len == -1) && !(attrtype & MBSTRING_FLAG))
- {
+ if ((len == -1) && !(attrtype & MBSTRING_FLAG)) {
if (!ASN1_TYPE_set1(ttmp, attrtype, data))
goto err;
- }
- else
+ } else
ASN1_TYPE_set(ttmp, atype, stmp);
if(!sk_ASN1_TYPE_push(attr->value.set, ttmp)) goto err;
return 1;
#include <openssl/x509v3.h>
int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b)
- {
+{
int i;
X509_CINF *ai,*bi;
i=M_ASN1_INTEGER_cmp(ai->serialNumber,bi->serialNumber);
if (i) return(i);
return(X509_NAME_cmp(ai->issuer,bi->issuer));
- }
+}
#ifndef OPENSSL_NO_MD5
unsigned long X509_issuer_and_serial_hash(X509 *a)
- {
+{
unsigned long ret=0;
EVP_MD_CTX ctx;
unsigned char md[16];
err:
EVP_MD_CTX_cleanup(&ctx);
return(ret);
- }
+}
#endif
int X509_issuer_name_cmp(const X509 *a, const X509 *b)
- {
+{
return(X509_NAME_cmp(a->cert_info->issuer,b->cert_info->issuer));
- }
+}
int X509_subject_name_cmp(const X509 *a, const X509 *b)
- {
+{
return(X509_NAME_cmp(a->cert_info->subject,b->cert_info->subject));
- }
+}
int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b)
- {
+{
return(X509_NAME_cmp(a->crl->issuer,b->crl->issuer));
- }
+}
#ifndef OPENSSL_NO_SHA
int X509_CRL_match(const X509_CRL *a, const X509_CRL *b)
- {
+{
return memcmp(a->sha1_hash, b->sha1_hash, 20);
- }
+}
#endif
X509_NAME *X509_get_issuer_name(X509 *a)
- {
+{
return(a->cert_info->issuer);
- }
+}
unsigned long X509_issuer_name_hash(X509 *x)
- {
+{
return(X509_NAME_hash(x->cert_info->issuer));
- }
+}
#ifndef OPENSSL_NO_MD5
unsigned long X509_issuer_name_hash_old(X509 *x)
- {
+{
return(X509_NAME_hash_old(x->cert_info->issuer));
- }
+}
#endif
X509_NAME *X509_get_subject_name(X509 *a)
- {
+{
return(a->cert_info->subject);
- }
+}
ASN1_INTEGER *X509_get_serialNumber(X509 *a)
- {
+{
return(a->cert_info->serialNumber);
- }
+}
unsigned long X509_subject_name_hash(X509 *x)
- {
+{
return(X509_NAME_hash(x->cert_info->subject));
- }
+}
#ifndef OPENSSL_NO_MD5
unsigned long X509_subject_name_hash_old(X509 *x)
- {
+{
return(X509_NAME_hash_old(x->cert_info->subject));
- }
+}
#endif
#ifndef OPENSSL_NO_SHA
int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
- {
+{
int ret;
/* Ensure canonical encoding is present and up to date */
- if (!a->canon_enc || a->modified)
- {
+ if (!a->canon_enc || a->modified) {
ret = i2d_X509_NAME((X509_NAME *)a, NULL);
if (ret < 0)
return -2;
- }
+ }
- if (!b->canon_enc || b->modified)
- {
+ if (!b->canon_enc || b->modified) {
ret = i2d_X509_NAME((X509_NAME *)b, NULL);
if (ret < 0)
return -2;
- }
+ }
ret = a->canon_enclen - b->canon_enclen;
return memcmp(a->canon_enc, b->canon_enc, a->canon_enclen);
- }
+}
unsigned long X509_NAME_hash(X509_NAME *x)
- {
+{
unsigned long ret=0;
unsigned char md[SHA_DIGEST_LENGTH];
((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
)&0xffffffffL;
return(ret);
- }
+}
#ifndef OPENSSL_NO_MD5
* this is reasonably efficient. */
unsigned long X509_NAME_hash_old(X509_NAME *x)
- {
+{
EVP_MD_CTX md_ctx;
unsigned long ret=0;
unsigned char md[16];
EVP_MD_CTX_cleanup(&md_ctx);
return(ret);
- }
+}
#endif
/* Search a stack of X509 for a match */
X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name,
ASN1_INTEGER *serial)
- {
+{
int i;
X509_CINF cinf;
X509 x,*x509=NULL;
cinf.serialNumber=serial;
cinf.issuer=name;
- for (i=0; i<sk_X509_num(sk); i++)
- {
+ for (i=0; i<sk_X509_num(sk); i++) {
x509=sk_X509_value(sk,i);
if (X509_issuer_and_serial_cmp(x509,&x) == 0)
return(x509);
- }
- return(NULL);
}
+ return(NULL);
+}
X509 *X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name)
- {
+{
X509 *x509;
int i;
- for (i=0; i<sk_X509_num(sk); i++)
- {
+ for (i=0; i<sk_X509_num(sk); i++) {
x509=sk_X509_value(sk,i);
if (X509_NAME_cmp(X509_get_subject_name(x509),name) == 0)
return(x509);
- }
- return(NULL);
}
+ return(NULL);
+}
EVP_PKEY *X509_get_pubkey(X509 *x)
- {
+{
if ((x == NULL) || (x->cert_info == NULL))
return(NULL);
return(X509_PUBKEY_get(x->cert_info->key));
- }
+}
ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x)
- {
+{
if(!x) return NULL;
return x->cert_info->key->public_key;
- }
+}
int X509_check_private_key(X509 *x, EVP_PKEY *k)
- {
+{
EVP_PKEY *xk;
int ret;
else
ret = -2;
- switch (ret)
- {
+ switch (ret) {
case 1:
break;
case 0:
break;
case -2:
X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE);
- }
+ }
if (xk)
EVP_PKEY_free(xk);
if (ret > 0)
return 1;
return 0;
- }
+}
#ifndef OPENSSL_NO_STDIO
int X509_STORE_set_default_paths(X509_STORE *ctx)
- {
+{
X509_LOOKUP *lookup;
lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file());
ERR_clear_error();
return(1);
- }
+}
int X509_STORE_load_locations(X509_STORE *ctx, const char *file,
const char *path)
- {
+{
X509_LOOKUP *lookup;
- if (file != NULL)
- {
+ if (file != NULL) {
lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file());
if (lookup == NULL) return(0);
if (X509_LOOKUP_load_file(lookup,file,X509_FILETYPE_PEM) != 1)
return(0);
- }
- if (path != NULL)
- {
+ }
+ if (path != NULL) {
lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_hash_dir());
if (lookup == NULL) return(0);
if (X509_LOOKUP_add_dir(lookup,path,X509_FILETYPE_PEM) != 1)
return(0);
- }
+ }
if ((path == NULL) && (file == NULL))
return(0);
return(1);
- }
+}
#endif
#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509,0,reason)
static ERR_STRING_DATA X509_str_functs[]=
- {
+{
{ERR_FUNC(X509_F_ADD_CERT_DIR), "ADD_CERT_DIR"},
{ERR_FUNC(X509_F_BY_FILE_CTRL), "BY_FILE_CTRL"},
{ERR_FUNC(X509_F_CHECK_POLICY), "CHECK_POLICY"},
{ERR_FUNC(X509_F_X509_TRUST_SET), "X509_TRUST_set"},
{ERR_FUNC(X509_F_X509_VERIFY_CERT), "X509_verify_cert"},
{0,NULL}
- };
+};
static ERR_STRING_DATA X509_str_reasons[]=
- {
+{
{ERR_REASON(X509_R_BAD_X509_FILETYPE) ,"bad x509 filetype"},
{ERR_REASON(X509_R_BASE64_DECODE_ERROR) ,"base64 decode error"},
{ERR_REASON(X509_R_CANT_CHECK_DH_KEY) ,"cant check dh key"},
{ERR_REASON(X509_R_WRONG_LOOKUP_TYPE) ,"wrong lookup type"},
{ERR_REASON(X509_R_WRONG_TYPE) ,"wrong type"},
{0,NULL}
- };
+};
#endif
void ERR_load_X509_strings(void)
- {
+{
#ifndef OPENSSL_NO_ERR
- if (ERR_func_error_string(X509_str_functs[0].error) == NULL)
- {
+ if (ERR_func_error_string(X509_str_functs[0].error) == NULL) {
ERR_load_strings(0,X509_str_functs);
ERR_load_strings(0,X509_str_reasons);
- }
-#endif
}
+#endif
+}
int X509_CRL_get_ext_count(X509_CRL *x)
- {
+{
return(X509v3_get_ext_count(x->crl->extensions));
- }
+}
int X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int lastpos)
- {
+{
return(X509v3_get_ext_by_NID(x->crl->extensions,nid,lastpos));
- }
+}
int X509_CRL_get_ext_by_OBJ(X509_CRL *x, ASN1_OBJECT *obj, int lastpos)
- {
+{
return(X509v3_get_ext_by_OBJ(x->crl->extensions,obj,lastpos));
- }
+}
int X509_CRL_get_ext_by_critical(X509_CRL *x, int crit, int lastpos)
- {
+{
return(X509v3_get_ext_by_critical(x->crl->extensions,crit,lastpos));
- }
+}
X509_EXTENSION *X509_CRL_get_ext(X509_CRL *x, int loc)
- {
+{
return(X509v3_get_ext(x->crl->extensions,loc));
- }
+}
X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc)
- {
+{
return(X509v3_delete_ext(x->crl->extensions,loc));
- }
+}
void *X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx)
{
}
int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc)
- {
+{
return(X509v3_add_ext(&(x->crl->extensions),ex,loc) != NULL);
- }
+}
int X509_get_ext_count(X509 *x)
- {
+{
return(X509v3_get_ext_count(x->cert_info->extensions));
- }
+}
int X509_get_ext_by_NID(X509 *x, int nid, int lastpos)
- {
+{
return(X509v3_get_ext_by_NID(x->cert_info->extensions,nid,lastpos));
- }
+}
int X509_get_ext_by_OBJ(X509 *x, ASN1_OBJECT *obj, int lastpos)
- {
+{
return(X509v3_get_ext_by_OBJ(x->cert_info->extensions,obj,lastpos));
- }
+}
int X509_get_ext_by_critical(X509 *x, int crit, int lastpos)
- {
+{
return(X509v3_get_ext_by_critical(x->cert_info->extensions,crit,lastpos));
- }
+}
X509_EXTENSION *X509_get_ext(X509 *x, int loc)
- {
+{
return(X509v3_get_ext(x->cert_info->extensions,loc));
- }
+}
X509_EXTENSION *X509_delete_ext(X509 *x, int loc)
- {
+{
return(X509v3_delete_ext(x->cert_info->extensions,loc));
- }
+}
int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc)
- {
+{
return(X509v3_add_ext(&(x->cert_info->extensions),ex,loc) != NULL);
- }
+}
void *X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx)
{
}
int X509_REVOKED_get_ext_count(X509_REVOKED *x)
- {
+{
return(X509v3_get_ext_count(x->extensions));
- }
+}
int X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int lastpos)
- {
+{
return(X509v3_get_ext_by_NID(x->extensions,nid,lastpos));
- }
+}
int X509_REVOKED_get_ext_by_OBJ(X509_REVOKED *x, ASN1_OBJECT *obj,
int lastpos)
- {
+{
return(X509v3_get_ext_by_OBJ(x->extensions,obj,lastpos));
- }
+}
int X509_REVOKED_get_ext_by_critical(X509_REVOKED *x, int crit, int lastpos)
- {
+{
return(X509v3_get_ext_by_critical(x->extensions,crit,lastpos));
- }
+}
X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *x, int loc)
- {
+{
return(X509v3_get_ext(x->extensions,loc));
- }
+}
X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc)
- {
+{
return(X509v3_delete_ext(x->extensions,loc));
- }
+}
int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc)
- {
+{
return(X509v3_add_ext(&(x->extensions),ex,loc) != NULL);
- }
+}
void *X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx)
{
#include <openssl/x509v3.h>
X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
- {
+{
X509_LOOKUP *ret;
ret=(X509_LOOKUP *)malloc(sizeof(X509_LOOKUP));
ret->method=method;
ret->method_data=NULL;
ret->store_ctx=NULL;
- if ((method->new_item != NULL) && !method->new_item(ret))
- {
+ if ((method->new_item != NULL) && !method->new_item(ret)) {
free(ret);
return NULL;
- }
- return ret;
}
+ return ret;
+}
void X509_LOOKUP_free(X509_LOOKUP *ctx)
- {
+{
if (ctx == NULL) return;
if ( (ctx->method != NULL) &&
(ctx->method->free != NULL))
(*ctx->method->free)(ctx);
free(ctx);
- }
+}
int X509_LOOKUP_init(X509_LOOKUP *ctx)
- {
+{
if (ctx->method == NULL) return 0;
if (ctx->method->init != NULL)
return ctx->method->init(ctx);
else
return 1;
- }
+}
int X509_LOOKUP_shutdown(X509_LOOKUP *ctx)
- {
+{
if (ctx->method == NULL) return 0;
if (ctx->method->shutdown != NULL)
return ctx->method->shutdown(ctx);
else
return 1;
- }
+}
int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
char **ret)
- {
+{
if (ctx->method == NULL) return -1;
if (ctx->method->ctrl != NULL)
return ctx->method->ctrl(ctx,cmd,argc,argl,ret);
else
return 1;
- }
+}
int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,
X509_OBJECT *ret)
return X509_LU_FAIL;
if (ctx->skip) return 0;
return ctx->method->get_by_subject(ctx,type,name,ret);
- }
+}
int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name,
ASN1_INTEGER *serial, X509_OBJECT *ret)
- {
+{
if ((ctx->method == NULL) ||
(ctx->method->get_by_issuer_serial == NULL))
return X509_LU_FAIL;
return ctx->method->get_by_issuer_serial(ctx,type,name,serial,ret);
- }
+}
int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type,
unsigned char *bytes, int len, X509_OBJECT *ret)
- {
+{
if ((ctx->method == NULL) || (ctx->method->get_by_fingerprint == NULL))
return X509_LU_FAIL;
return ctx->method->get_by_fingerprint(ctx,type,bytes,len,ret);
- }
+}
int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, int len,
X509_OBJECT *ret)
- {
+{
if ((ctx->method == NULL) || (ctx->method->get_by_alias == NULL))
return X509_LU_FAIL;
return ctx->method->get_by_alias(ctx,type,str,len,ret);
- }
+}
static int x509_object_cmp(const X509_OBJECT * const *a, const X509_OBJECT * const *b)
- {
+ {
int ret;
ret=((*a)->type - (*b)->type);
if (ret) return ret;
- switch ((*a)->type)
- {
+ switch ((*a)->type) {
case X509_LU_X509:
ret=X509_subject_name_cmp((*a)->data.x509,(*b)->data.x509);
break;
default:
/* abort(); */
return 0;
- }
- return ret;
}
+ return ret;
+}
X509_STORE *X509_STORE_new(void)
- {
+{
X509_STORE *ret;
if ((ret=(X509_STORE *)malloc(sizeof(X509_STORE))) == NULL)
sk_X509_OBJECT_free(ret->objs);
free(ret);
return NULL;
- }
+}
ret->get_issuer = 0;
ret->check_issued = 0;
ret->lookup_crls = 0;
ret->cleanup = 0;
- if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data))
- {
+ if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data)) {
sk_X509_OBJECT_free(ret->objs);
free(ret);
return NULL;
- }
+ }
ret->references=1;
return ret;
- }
+}
static void cleanup(X509_OBJECT *a)
- {
- if (a->type == X509_LU_X509)
- {
+{
+ if (a->type == X509_LU_X509) {
X509_free(a->data.x509);
- }
- else if (a->type == X509_LU_CRL)
- {
+ } else if (a->type == X509_LU_CRL) {
X509_CRL_free(a->data.crl);
- }
- else
- {
+ } else {
/* abort(); */
- }
+ }
free(a);
- }
+}
void X509_STORE_free(X509_STORE *vfy)
- {
+{
int i;
STACK_OF(X509_LOOKUP) *sk;
X509_LOOKUP *lu;
return;
sk=vfy->get_cert_methods;
- for (i=0; i<sk_X509_LOOKUP_num(sk); i++)
- {
+ for (i=0; i<sk_X509_LOOKUP_num(sk); i++) {
lu=sk_X509_LOOKUP_value(sk,i);
X509_LOOKUP_shutdown(lu);
X509_LOOKUP_free(lu);
- }
+ }
sk_X509_LOOKUP_free(sk);
sk_X509_OBJECT_pop_free(vfy->objs, cleanup);
if (vfy->param)
X509_VERIFY_PARAM_free(vfy->param);
free(vfy);
- }
+}
X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m)
- {
+{
int i;
STACK_OF(X509_LOOKUP) *sk;
X509_LOOKUP *lu;
sk=v->get_cert_methods;
- for (i=0; i<sk_X509_LOOKUP_num(sk); i++)
- {
+ for (i=0; i<sk_X509_LOOKUP_num(sk); i++) {
lu=sk_X509_LOOKUP_value(sk,i);
- if (m == lu->method)
- {
+ if (m == lu->method) {
return lu;
- }
}
+ }
/* a new one */
lu=X509_LOOKUP_new(m);
if (lu == NULL)
return NULL;
- else
- {
+ else {
lu->store_ctx=v;
if (sk_X509_LOOKUP_push(v->get_cert_methods,lu))
return lu;
- else
- {
+ else {
X509_LOOKUP_free(lu);
return NULL;
- }
}
}
+}
int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
X509_OBJECT *ret)
- {
+{
X509_STORE *ctx=vs->ctx;
X509_LOOKUP *lu;
X509_OBJECT stmp,*tmp;
tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name);
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
- if (tmp == NULL || type == X509_LU_CRL)
- {
- for (i=vs->current_method; i<sk_X509_LOOKUP_num(ctx->get_cert_methods); i++)
- {
+ if (tmp == NULL || type == X509_LU_CRL) {
+ for (i=vs->current_method; i<sk_X509_LOOKUP_num(ctx->get_cert_methods); i++) {
lu=sk_X509_LOOKUP_value(ctx->get_cert_methods,i);
j=X509_LOOKUP_by_subject(lu,type,name,&stmp);
- if (j < 0)
- {
+ if (j < 0) {
vs->current_method=j;
return j;
- }
- else if (j)
- {
+ } else if (j) {
tmp= &stmp;
break;
- }
}
+ }
vs->current_method=0;
if (tmp == NULL)
return 0;
- }
+ }
/* if (ret->data.ptr != NULL)
X509_OBJECT_free_contents(ret); */
X509_OBJECT_up_ref_count(ret);
return 1;
- }
+}
int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
- {
+{
X509_OBJECT *obj;
int ret=1;
if (x == NULL) return 0;
obj=(X509_OBJECT *)malloc(sizeof(X509_OBJECT));
- if (obj == NULL)
- {
+ if (obj == NULL) {
X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE);
return 0;
- }
+ }
obj->type=X509_LU_X509;
obj->data.x509=x;
X509_OBJECT_up_ref_count(obj);
- if (X509_OBJECT_retrieve_match(ctx->objs, obj))
- {
+ if (X509_OBJECT_retrieve_match(ctx->objs, obj)) {
X509_OBJECT_free_contents(obj);
free(obj);
X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE);
ret=0;
- }
+ }
else sk_X509_OBJECT_push(ctx->objs, obj);
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
return ret;
- }
+}
int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
- {
+{
X509_OBJECT *obj;
int ret=1;
if (x == NULL) return 0;
obj=(X509_OBJECT *)malloc(sizeof(X509_OBJECT));
- if (obj == NULL)
- {
+ if (obj == NULL) {
X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE);
return 0;
- }
+ }
obj->type=X509_LU_CRL;
obj->data.crl=x;
X509_OBJECT_up_ref_count(obj);
- if (X509_OBJECT_retrieve_match(ctx->objs, obj))
- {
+ if (X509_OBJECT_retrieve_match(ctx->objs, obj)) {
X509_OBJECT_free_contents(obj);
free(obj);
X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE);
ret=0;
- }
- else sk_X509_OBJECT_push(ctx->objs, obj);
+ } else
+ sk_X509_OBJECT_push(ctx->objs, obj);
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
return ret;
- }
+}
void X509_OBJECT_up_ref_count(X509_OBJECT *a)
- {
- switch (a->type)
- {
+{
+ switch (a->type) {
case X509_LU_X509:
CRYPTO_add(&a->data.x509->references,1,CRYPTO_LOCK_X509);
break;
case X509_LU_CRL:
CRYPTO_add(&a->data.crl->references,1,CRYPTO_LOCK_X509_CRL);
break;
- }
}
+}
void X509_OBJECT_free_contents(X509_OBJECT *a)
- {
- switch (a->type)
- {
+{
+ switch (a->type) {
case X509_LU_X509:
X509_free(a->data.x509);
break;
case X509_LU_CRL:
X509_CRL_free(a->data.crl);
break;
- }
}
+}
static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type,
X509_NAME *name, int *pnmatch)
- {
+{
X509_OBJECT stmp;
X509 x509_s;
X509_CINF cinf_s;
int idx;
stmp.type=type;
- switch (type)
- {
+ switch (type) {
case X509_LU_X509:
stmp.data.x509= &x509_s;
x509_s.cert_info= &cinf_s;
default:
/* abort(); */
return -1;
- }
+ }
idx = sk_X509_OBJECT_find(h,&stmp);
- if (idx >= 0 && pnmatch)
- {
+ if (idx >= 0 && pnmatch) {
int tidx;
const X509_OBJECT *tobj, *pstmp;
*pnmatch = 1;
pstmp = &stmp;
- for (tidx = idx + 1; tidx < sk_X509_OBJECT_num(h); tidx++)
- {
+ for (tidx = idx + 1; tidx < sk_X509_OBJECT_num(h); tidx++) {
tobj = sk_X509_OBJECT_value(h, tidx);
if (x509_object_cmp(&tobj, &pstmp))
break;
(*pnmatch)++;
- }
}
- return idx;
}
+ return idx;
+}
int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
X509_NAME *name)
- {
+{
return x509_object_idx_cnt(h, type, name, NULL);
- }
+}
X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type,
X509_NAME *name)
- {
+{
int idx;
idx = X509_OBJECT_idx_by_subject(h, type, name);
if (idx==-1) return NULL;
return sk_X509_OBJECT_value(h, idx);
- }
+}
STACK_OF(X509)* X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
- {
+{
int i, idx, cnt;
STACK_OF(X509) *sk;
X509 *x;
sk = sk_X509_new_null();
CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);
- if (idx < 0)
- {
+ if (idx < 0) {
/* Nothing found in cache: do lookup to possibly add new
* objects to cache
*/
X509_OBJECT xobj;
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
- if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, nm, &xobj))
- {
+ if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, nm, &xobj)) {
sk_X509_free(sk);
return NULL;
- }
+ }
X509_OBJECT_free_contents(&xobj);
CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_X509,nm, &cnt);
- if (idx < 0)
- {
+ if (idx < 0) {
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
sk_X509_free(sk);
return NULL;
- }
}
- for (i = 0; i < cnt; i++, idx++)
- {
+ }
+ for (i = 0; i < cnt; i++, idx++) {
obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
x = obj->data.x509;
CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
- if (!sk_X509_push(sk, x))
- {
+ if (!sk_X509_push(sk, x)) {
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
X509_free(x);
sk_X509_pop_free(sk, X509_free);
return NULL;
- }
}
+ }
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
return sk;
- }
+}
STACK_OF(X509_CRL)* X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
- {
+{
int i, idx, cnt;
STACK_OF(X509_CRL) *sk;
X509_CRL *x;
/* Always do lookup to possibly add new CRLs to cache
*/
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
- if (!X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj))
- {
+ if (!X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj)) {
sk_X509_CRL_free(sk);
return NULL;
- }
+ }
X509_OBJECT_free_contents(&xobj);
CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_CRL, nm, &cnt);
- if (idx < 0)
- {
+ if (idx < 0) {
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
sk_X509_CRL_free(sk);
return NULL;
- }
+ }
- for (i = 0; i < cnt; i++, idx++)
- {
+ for (i = 0; i < cnt; i++, idx++) {
obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
x = obj->data.crl;
CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL);
- if (!sk_X509_CRL_push(sk, x))
- {
+ if (!sk_X509_CRL_push(sk, x)) {
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
X509_CRL_free(x);
sk_X509_CRL_pop_free(sk, X509_CRL_free);
return NULL;
- }
}
+ }
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
return sk;
- }
+}
X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x)
- {
+{
int idx, i;
X509_OBJECT *obj;
idx = sk_X509_OBJECT_find(h, x);
if (idx == -1) return NULL;
if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL))
return sk_X509_OBJECT_value(h, idx);
- for (i = idx; i < sk_X509_OBJECT_num(h); i++)
- {
+ for (i = idx; i < sk_X509_OBJECT_num(h); i++) {
obj = sk_X509_OBJECT_value(h, i);
if (x509_object_cmp((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x))
return NULL;
- if (x->type == X509_LU_X509)
- {
+ if (x->type == X509_LU_X509) {
if (!X509_cmp(obj->data.x509, x->data.x509))
return obj;
- }
- else if (x->type == X509_LU_CRL)
- {
+ } else if (x->type == X509_LU_CRL) {
if (!X509_CRL_match(obj->data.crl, x->data.crl))
return obj;
- }
- else
+ } else
return obj;
- }
- return NULL;
}
+ return NULL;
+}
/* Try to get issuer certificate from store. Due to limitations
* -1 some other error.
*/
int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
- {
+{
X509_NAME *xn;
X509_OBJECT obj, *pobj;
int i, ok, idx, ret;
xn=X509_get_issuer_name(x);
ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
- if (ok != X509_LU_X509)
- {
- if (ok == X509_LU_RETRY)
- {
+ if (ok != X509_LU_X509) {
+ if (ok == X509_LU_RETRY) {
X509_OBJECT_free_contents(&obj);
X509err(X509_F_X509_STORE_CTX_GET1_ISSUER,X509_R_SHOULD_RETRY);
return -1;
- }
- else if (ok != X509_LU_FAIL)
- {
+ } else if (ok != X509_LU_FAIL) {
X509_OBJECT_free_contents(&obj);
/* not good :-(, break anyway */
return -1;
- }
- return 0;
}
+ return 0;
+ }
/* If certificate matches all OK */
- if (ctx->check_issued(ctx, x, obj.data.x509))
- {
+ if (ctx->check_issued(ctx, x, obj.data.x509)) {
*issuer = obj.data.x509;
return 1;
- }
+ }
X509_OBJECT_free_contents(&obj);
/* Else find index of first cert accepted by 'check_issued' */
ret = 0;
CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
- if (idx != -1) /* should be true as we've had at least one match */
- {
+ if (idx != -1) /* should be true as we've had at least one match */ {
/* Look through all matching certs for suitable issuer */
- for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
- {
+ for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++) {
pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
/* See if we've run past the matches */
if (pobj->type != X509_LU_X509)
break;
if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509)))
break;
- if (ctx->check_issued(ctx, x, pobj->data.x509))
- {
+ if (ctx->check_issued(ctx, x, pobj->data.x509)) {
*issuer = pobj->data.x509;
X509_OBJECT_up_ref_count(pobj);
ret = 1;
break;
- }
}
}
+ }
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
return ret;
- }
+}
int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags)
- {
+{
return X509_VERIFY_PARAM_set_flags(ctx->param, flags);
- }
+}
int X509_STORE_set_depth(X509_STORE *ctx, int depth)
- {
+{
X509_VERIFY_PARAM_set_depth(ctx->param, depth);
return 1;
- }
+}
int X509_STORE_set_purpose(X509_STORE *ctx, int purpose)
- {
+{
return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose);
- }
+}
int X509_STORE_set_trust(X509_STORE *ctx, int trust)
- {
+{
return X509_VERIFY_PARAM_set_trust(ctx->param, trust);
- }
+}
int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param)
- {
+{
return X509_VERIFY_PARAM_set1(ctx->param, param);
- }
+}
void X509_STORE_set_verify_cb(X509_STORE *ctx,
int (*verify_cb)(int, X509_STORE_CTX *))
- {
+{
ctx->verify_cb = verify_cb;
- }
+}
IMPLEMENT_STACK_OF(X509_LOOKUP)
IMPLEMENT_STACK_OF(X509_OBJECT)
#include <openssl/buffer.h>
char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
- {
+{
X509_NAME_ENTRY *ne;
int i;
int n,lold,l,l1,l2,num,j,type;
int gs_doit[4];
char tmp_buf[80];
- if (buf == NULL)
- {
+ if (buf == NULL) {
if ((b=BUF_MEM_new()) == NULL) goto err;
if (!BUF_MEM_grow(b,200)) goto err;
b->data[0]='\0';
len=200;
+ }
+ if (a == NULL) {
+ if(b) {
+ buf=b->data;
+ free(b);
}
- if (a == NULL)
- {
- if(b)
- {
- buf=b->data;
- free(b);
- }
- strlcpy(buf,"NO X509_NAME",len);
- return buf;
- }
+ strlcpy(buf,"NO X509_NAME",len);
+ return buf;
+ }
len--; /* space for '\0' */
l=0;
- for (i=0; i<sk_X509_NAME_ENTRY_num(a->entries); i++)
- {
+ for (i=0; i<sk_X509_NAME_ENTRY_num(a->entries); i++) {
ne=sk_X509_NAME_ENTRY_value(a->entries,i);
n=OBJ_obj2nid(ne->object);
- if ((n == NID_undef) || ((s=OBJ_nid2sn(n)) == NULL))
- {
+ if ((n == NID_undef) || ((s=OBJ_nid2sn(n)) == NULL)) {
i2t_ASN1_OBJECT(tmp_buf,sizeof(tmp_buf),ne->object);
s=tmp_buf;
- }
+ }
l1=strlen(s);
type=ne->value->type;
num=ne->value->length;
q=ne->value->data;
- if ((type == V_ASN1_GENERALSTRING) && ((num%4) == 0))
- {
+ if ((type == V_ASN1_GENERALSTRING) && ((num%4) == 0)) {
gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=0;
for (j=0; j<num; j++)
if (q[j] != 0) gs_doit[j&3]=1;
if (gs_doit[0]|gs_doit[1]|gs_doit[2])
gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=1;
- else
- {
+ else {
gs_doit[0]=gs_doit[1]=gs_doit[2]=0;
gs_doit[3]=1;
- }
}
- else
+ } else
gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=1;
- for (l2=j=0; j<num; j++)
- {
+ for (l2=j=0; j<num; j++) {
if (!gs_doit[j&3]) continue;
l2++;
if ((q[j] < ' ') || (q[j] > '~')) l2+=3;
- }
+ }
lold=l;
l+=1+l1+1+l2;
- if (b != NULL)
- {
+ if (b != NULL) {
if (!BUF_MEM_grow(b,l+1)) goto err;
p= &(b->data[lold]);
- }
- else if (l > len)
- {
+ } else if (l > len) {
break;
- }
- else
+ } else
p= &(buf[lold]);
*(p++)='/';
memcpy(p,s,(unsigned int)l1); p+=l1;
*(p++)='=';
q=ne->value->data;
- for (j=0; j<num; j++)
- {
+ for (j=0; j<num; j++) {
if (!gs_doit[j&3]) continue;
n=q[j];
- if ((n < ' ') || (n > '~'))
- {
+ if ((n < ' ') || (n > '~')) {
*(p++)='\\';
*(p++)='x';
*(p++)=hex[(n>>4)&0x0f];
*(p++)=hex[n&0x0f];
- }
- else
+ } else
*(p++)=n;
- }
- *p='\0';
}
- if (b != NULL)
- {
+ *p='\0';
+ }
+ if (b != NULL) {
p=b->data;
free(b);
- }
- else
+ } else
p=buf;
if (i == 0)
*p = '\0';
X509err(X509_F_X509_NAME_ONELINE,ERR_R_MALLOC_FAILURE);
if (b != NULL) BUF_MEM_free(b);
return(NULL);
- }
+}
#include <openssl/buffer.h>
X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
- {
+{
X509 *ret=NULL;
X509_CINF *xi=NULL;
X509_NAME *xn;
- if ((ret=X509_new()) == NULL)
- {
+ if ((ret=X509_new()) == NULL) {
X509err(X509_F_X509_REQ_TO_X509,ERR_R_MALLOC_FAILURE);
goto err;
- }
+ }
/* duplicate the request */
xi=ret->cert_info;
- if (sk_X509_ATTRIBUTE_num(r->req_info->attributes) != 0)
- {
+ if (sk_X509_ATTRIBUTE_num(r->req_info->attributes) != 0) {
if ((xi->version=M_ASN1_INTEGER_new()) == NULL) goto err;
if (!ASN1_INTEGER_set(xi->version,2)) goto err;
/* xi->extensions=ri->attributes; <- bad, should not ever be done
ri->attributes=NULL; */
- }
+ }
xn=X509_REQ_get_subject_name(r);
if (X509_set_subject_name(ret,X509_NAME_dup(xn)) == 0)
if (!X509_sign(ret,pkey,EVP_md5()))
goto err;
- if (0)
- {
+ if (0) {
err:
X509_free(ret);
ret=NULL;
- }
- return(ret);
}
+ return(ret);
+}
#include <openssl/pem.h>
X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
- {
+{
X509_REQ *ret;
X509_REQ_INFO *ri;
int i;
EVP_PKEY *pktmp;
ret=X509_REQ_new();
- if (ret == NULL)
- {
+ if (ret == NULL) {
X509err(X509_F_X509_TO_X509_REQ,ERR_R_MALLOC_FAILURE);
goto err;
- }
+ }
ri=ret->req_info;
EVP_PKEY_free(pktmp);
if (!i) goto err;
- if (pkey != NULL)
- {
+ if (pkey != NULL) {
if (!X509_REQ_sign(ret,pkey,md))
goto err;
- }
+ }
return(ret);
err:
X509_REQ_free(ret);
return(NULL);
- }
+}
EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req)
- {
+{
if ((req == NULL) || (req->req_info == NULL))
return(NULL);
return(X509_PUBKEY_get(req->req_info->pubkey));
- }
+}
int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k)
- {
+{
EVP_PKEY *xk=NULL;
int ok=0;
xk=X509_REQ_get_pubkey(x);
- switch (EVP_PKEY_cmp(xk, k))
- {
+ switch (EVP_PKEY_cmp(xk, k)) {
case 1:
ok=1;
break;
break;
case -2:
#ifndef OPENSSL_NO_EC
- if (k->type == EVP_PKEY_EC)
- {
+ if (k->type == EVP_PKEY_EC) {
X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY, ERR_R_EC_LIB);
break;
- }
+ }
#endif
#ifndef OPENSSL_NO_DH
- if (k->type == EVP_PKEY_DH)
- {
+ if (k->type == EVP_PKEY_DH) {
/* No idea */
X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY);
break;
- }
+ }
#endif
X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE);
- }
+ }
EVP_PKEY_free(xk);
return(ok);
- }
+}
/* It seems several organisations had the same idea of including a list of
* extensions in a certificate request. There are at least two OIDs that are
}
STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
- {
+{
X509_ATTRIBUTE *attr;
ASN1_TYPE *ext = NULL;
int idx, *pnid;
if ((req == NULL) || (req->req_info == NULL) || !ext_nids)
return(NULL);
- for (pnid = ext_nids; *pnid != NID_undef; pnid++)
- {
+ for (pnid = ext_nids; *pnid != NID_undef; pnid++) {
idx = X509_REQ_get_attr_by_NID(req, *pnid, -1);
if (idx == -1)
continue;
else if(sk_ASN1_TYPE_num(attr->value.set))
ext = sk_ASN1_TYPE_value(attr->value.set, 0);
break;
- }
+ }
if(!ext || (ext->type != V_ASN1_SEQUENCE))
return NULL;
p = ext->value.sequence->data;
at = NULL;
attr->single = 0;
attr->object = OBJ_nid2obj(nid);
- if (!req->req_info->attributes)
- {
+ if (!req->req_info->attributes) {
if (!(req->req_info->attributes = sk_X509_ATTRIBUTE_new_null()))
goto err;
- }
+ }
if(!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) goto err;
return 1;
err:
#include <openssl/x509.h>
int X509_set_version(X509 *x, long version)
- {
+{
if (x == NULL) return(0);
- if (x->cert_info->version == NULL)
- {
+ if (x->cert_info->version == NULL) {
if ((x->cert_info->version=M_ASN1_INTEGER_new()) == NULL)
return(0);
- }
- return(ASN1_INTEGER_set(x->cert_info->version,version));
}
+ return(ASN1_INTEGER_set(x->cert_info->version,version));
+}
int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial)
- {
+{
ASN1_INTEGER *in;
if (x == NULL) return(0);
in=x->cert_info->serialNumber;
- if (in != serial)
- {
+ if (in != serial) {
in=M_ASN1_INTEGER_dup(serial);
- if (in != NULL)
- {
+ if (in != NULL) {
M_ASN1_INTEGER_free(x->cert_info->serialNumber);
x->cert_info->serialNumber=in;
- }
}
- return(in != NULL);
}
+ return(in != NULL);
+}
int X509_set_issuer_name(X509 *x, X509_NAME *name)
- {
+{
if ((x == NULL) || (x->cert_info == NULL)) return(0);
return(X509_NAME_set(&x->cert_info->issuer,name));
- }
+}
int X509_set_subject_name(X509 *x, X509_NAME *name)
- {
+{
if ((x == NULL) || (x->cert_info == NULL)) return(0);
return(X509_NAME_set(&x->cert_info->subject,name));
- }
+}
int X509_set_notBefore(X509 *x, const ASN1_TIME *tm)
- {
+{
ASN1_TIME *in;
if ((x == NULL) || (x->cert_info->validity == NULL)) return(0);
in=x->cert_info->validity->notBefore;
- if (in != tm)
- {
+ if (in != tm) {
in=M_ASN1_TIME_dup(tm);
- if (in != NULL)
- {
+ if (in != NULL) {
M_ASN1_TIME_free(x->cert_info->validity->notBefore);
x->cert_info->validity->notBefore=in;
- }
}
- return(in != NULL);
}
+ return(in != NULL);
+}
int X509_set_notAfter(X509 *x, const ASN1_TIME *tm)
- {
+{
ASN1_TIME *in;
if ((x == NULL) || (x->cert_info->validity == NULL)) return(0);
in=x->cert_info->validity->notAfter;
- if (in != tm)
- {
+ if (in != tm) {
in=M_ASN1_TIME_dup(tm);
- if (in != NULL)
- {
+ if (in != NULL) {
M_ASN1_TIME_free(x->cert_info->validity->notAfter);
x->cert_info->validity->notAfter=in;
- }
}
- return(in != NULL);
}
+ return(in != NULL);
+}
int X509_set_pubkey(X509 *x, EVP_PKEY *pkey)
- {
+{
if ((x == NULL) || (x->cert_info == NULL)) return(0);
return(X509_PUBKEY_set(&(x->cert_info->key),pkey));
- }
-
-
-
+}
return 0;
}
trtmp->flags = X509_TRUST_DYNAMIC;
- } else trtmp = X509_TRUST_get0(idx);
+ } else
+ trtmp = X509_TRUST_get0(idx);
/* free existing name if dynamic */
if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) free(trtmp->name);
}
static void trtable_free(X509_TRUST *p)
- {
+{
if(!p) return;
- if (p->flags & X509_TRUST_DYNAMIC)
- {
+ if (p->flags & X509_TRUST_DYNAMIC) {
if (p->flags & X509_TRUST_DYNAMIC_NAME)
free(p->name);
free(p);
- }
}
+}
void X509_TRUST_cleanup(void)
{
#include <openssl/objects.h>
const char *X509_verify_cert_error_string(long n)
- {
+{
static char buf[100];
- switch ((int)n)
- {
+ switch ((int)n) {
case X509_V_OK:
return("ok");
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
default:
(void) snprintf(buf,sizeof buf,"error number %ld",n);
return(buf);
- }
}
+}
#include <openssl/x509v3.h>
int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x)
- {
+{
if (x == NULL) return(0);
return(sk_X509_EXTENSION_num(x));
- }
+}
int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid,
int lastpos)
- {
+{
ASN1_OBJECT *obj;
obj=OBJ_nid2obj(nid);
if (obj == NULL) return(-2);
return(X509v3_get_ext_by_OBJ(x,obj,lastpos));
- }
+}
int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj,
int lastpos)
- {
+{
int n;
X509_EXTENSION *ex;
if (lastpos < 0)
lastpos=0;
n=sk_X509_EXTENSION_num(sk);
- for ( ; lastpos < n; lastpos++)
- {
+ for ( ; lastpos < n; lastpos++) {
ex=sk_X509_EXTENSION_value(sk,lastpos);
if (OBJ_cmp(ex->object,obj) == 0)
return(lastpos);
- }
- return(-1);
}
+ return(-1);
+}
int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit,
int lastpos)
- {
+{
int n;
X509_EXTENSION *ex;
if (lastpos < 0)
lastpos=0;
n=sk_X509_EXTENSION_num(sk);
- for ( ; lastpos < n; lastpos++)
- {
+ for ( ; lastpos < n; lastpos++) {
ex=sk_X509_EXTENSION_value(sk,lastpos);
if ( ((ex->critical > 0) && crit) ||
((ex->critical <= 0) && !crit))
return(lastpos);
- }
- return(-1);
}
+ return(-1);
+}
X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc)
- {
+{
if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0)
return NULL;
else
return sk_X509_EXTENSION_value(x,loc);
- }
+}
X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc)
- {
+{
X509_EXTENSION *ret;
if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0)
return(NULL);
ret=sk_X509_EXTENSION_delete(x,loc);
return(ret);
- }
+}
STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x,
X509_EXTENSION *ex, int loc)
- {
+{
X509_EXTENSION *new_ex=NULL;
int n;
STACK_OF(X509_EXTENSION) *sk=NULL;
- if (x == NULL)
- {
+ if (x == NULL) {
X509err(X509_F_X509V3_ADD_EXT,ERR_R_PASSED_NULL_PARAMETER);
goto err2;
- }
+ }
- if (*x == NULL)
- {
+ if (*x == NULL) {
if ((sk=sk_X509_EXTENSION_new_null()) == NULL)
goto err;
- }
- else
+ } else
sk= *x;
n=sk_X509_EXTENSION_num(sk);
if (new_ex != NULL) X509_EXTENSION_free(new_ex);
if (sk != NULL) sk_X509_EXTENSION_free(sk);
return(NULL);
- }
+}
X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid,
int crit, ASN1_OCTET_STRING *data)
- {
+{
ASN1_OBJECT *obj;
X509_EXTENSION *ret;
obj=OBJ_nid2obj(nid);
- if (obj == NULL)
- {
+ if (obj == NULL) {
X509err(X509_F_X509_EXTENSION_CREATE_BY_NID,X509_R_UNKNOWN_NID);
return(NULL);
- }
+ }
ret=X509_EXTENSION_create_by_OBJ(ex,obj,crit,data);
if (ret == NULL) ASN1_OBJECT_free(obj);
return(ret);
- }
+}
X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex,
ASN1_OBJECT *obj, int crit, ASN1_OCTET_STRING *data)
- {
+{
X509_EXTENSION *ret;
- if ((ex == NULL) || (*ex == NULL))
- {
+ if ((ex == NULL) || (*ex == NULL)) {
if ((ret=X509_EXTENSION_new()) == NULL)
- {
+ {
X509err(X509_F_X509_EXTENSION_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE);
return(NULL);
- }
}
- else
+ } else
ret= *ex;
if (!X509_EXTENSION_set_object(ret,obj))
if ((ex == NULL) || (ret != *ex))
X509_EXTENSION_free(ret);
return(NULL);
- }
+}
int X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj)
- {
+{
if ((ex == NULL) || (obj == NULL))
return(0);
ASN1_OBJECT_free(ex->object);
ex->object=OBJ_dup(obj);
return(1);
- }
+}
int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit)
- {
+{
if (ex == NULL) return(0);
ex->critical=(crit)?0xFF:-1;
return(1);
- }
+}
int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data)
- {
+{
int i;
if (ex == NULL) return(0);
i=M_ASN1_OCTET_STRING_set(ex->value,data->data,data->length);
if (!i) return(0);
return(1);
- }
+}
ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex)
- {
+{
if (ex == NULL) return(NULL);
return(ex->object);
- }
+}
ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ex)
- {
+{
if (ex == NULL) return(NULL);
return(ex->value);
- }
+}
int X509_EXTENSION_get_critical(X509_EXTENSION *ex)
- {
+{
if (ex == NULL) return(0);
if(ex->critical > 0) return 1;
return 0;
- }
+}
static int null_callback(int ok, X509_STORE_CTX *e)
- {
+{
return ok;
- }
+}
#if 0
static int x509_subject_cmp(X509 **a, X509 **b)
- {
+{
return X509_subject_name_cmp(*a,*b);
- }
+}
#endif
int X509_verify_cert(X509_STORE_CTX *ctx)
- {
+{
X509 *x,*xtmp,*chain_ss=NULL;
int bad_chain = 0;
X509_VERIFY_PARAM *param = ctx->param;
int num;
int (*cb)(int xok,X509_STORE_CTX *xctx);
STACK_OF(X509) *sktmp=NULL;
- if (ctx->cert == NULL)
- {
+ if (ctx->cert == NULL) {
X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
return -1;
- }
+ }
cb=ctx->verify_cb;
/* first we make sure the chain we are going to build is
* present and that the first entry is in place */
- if (ctx->chain == NULL)
- {
+ if (ctx->chain == NULL) {
if ( ((ctx->chain=sk_X509_new_null()) == NULL) ||
- (!sk_X509_push(ctx->chain,ctx->cert)))
- {
+ (!sk_X509_push(ctx->chain,ctx->cert))) {
X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
goto end;
- }
+ }
CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
ctx->last_untrusted=1;
- }
+ }
/* We use a temporary STACK so we can chop and hack at it */
if (ctx->untrusted != NULL
- && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL)
- {
+ && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL) {
X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
goto end;
- }
+ }
num=sk_X509_num(ctx->chain);
x=sk_X509_value(ctx->chain,num-1);
depth=param->depth;
- for (;;)
- {
+ for (;;) {
/* If we have enough, we break */
if (depth < num) break; /* FIXME: If this happens, we should take
* note of it and, if appropriate, use the
if (ctx->check_issued(ctx, x,x)) break;
/* If we were passed a cert chain, use it first */
- if (ctx->untrusted != NULL)
- {
+ if (ctx->untrusted != NULL) {
xtmp=find_issuer(ctx, sktmp,x);
- if (xtmp != NULL)
- {
- if (!sk_X509_push(ctx->chain,xtmp))
- {
+ if (xtmp != NULL) {
+ if (!sk_X509_push(ctx->chain,xtmp)) {
X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
goto end;
- }
+ }
CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509);
(void)sk_X509_delete_ptr(sktmp,xtmp);
ctx->last_untrusted++;
/* reparse the full chain for
* the next one */
continue;
- }
}
- break;
}
+ break;
+ }
/* at this point, chain should contain a list of untrusted
* certificates. We now need to add at least one trusted one,
i=sk_X509_num(ctx->chain);
x=sk_X509_value(ctx->chain,i-1);
- if (ctx->check_issued(ctx, x, x))
- {
+ if (ctx->check_issued(ctx, x, x)) {
/* we have a self signed certificate */
- if (sk_X509_num(ctx->chain) == 1)
- {
+ if (sk_X509_num(ctx->chain) == 1) {
/* We have a single self signed certificate: see if
* we can find it in the store. We must have an exact
* match to avoid possible impersonation.
*/
ok = ctx->get_issuer(&xtmp, ctx, x);
- if ((ok <= 0) || X509_cmp(x, xtmp))
- {
+ if ((ok <= 0) || X509_cmp(x, xtmp)) {
ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
ctx->current_cert=x;
ctx->error_depth=i-1;
bad_chain = 1;
ok=cb(0,ctx);
if (!ok) goto end;
- }
- else
- {
+ } else {
/* We have a match: replace certificate with store version
* so we get any trust settings.
*/
x = xtmp;
(void)sk_X509_set(ctx->chain, i - 1, x);
ctx->last_untrusted=0;
- }
}
- else
- {
+ } else {
/* extract and save self signed certificate for later use */
chain_ss=sk_X509_pop(ctx->chain);
ctx->last_untrusted--;
num--;
x=sk_X509_value(ctx->chain,num-1);
- }
}
+ }
/* We now lookup certs from the certificate store */
- for (;;)
- {
+ for (;;) {
/* If we have enough, we break */
if (depth < num) break;
if (ok == 0) break;
x = xtmp;
- if (!sk_X509_push(ctx->chain,x))
- {
+ if (!sk_X509_push(ctx->chain,x)) {
X509_free(xtmp);
X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
return 0;
- }
- num++;
}
+ num++;
+ }
/* we now have our chain, lets check it... */
/* Is last certificate looked up self signed? */
- if (!ctx->check_issued(ctx,x,x))
- {
- if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss))
- {
+ if (!ctx->check_issued(ctx,x,x)) {
+ if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) {
if (ctx->last_untrusted >= num)
ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
else
ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
ctx->current_cert=x;
- }
- else
- {
+ } else {
sk_X509_push(ctx->chain,chain_ss);
num++;
ctx->current_cert=chain_ss;
ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
chain_ss=NULL;
- }
+ }
ctx->error_depth=num-1;
bad_chain = 1;
ok=cb(0,ctx);
if (!ok) goto end;
- }
+ }
/* We have the chain complete: now we need to check its purpose */
ok = check_chain_extensions(ctx);
if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
ok = ctx->check_policy(ctx);
if(!ok) goto end;
- if (0)
- {
+ if (0) {
end:
X509_get_pubkey_parameters(NULL,ctx->chain);
- }
+ }
if (sktmp != NULL) sk_X509_free(sktmp);
if (chain_ss != NULL) X509_free(chain_ss);
return ok;
- }
+}
/* Given a STACK_OF(X509) find the issuer of cert (if any)
{
int i;
X509 *issuer;
- for (i = 0; i < sk_X509_num(sk); i++)
- {
+ for (i = 0; i < sk_X509_num(sk); i++) {
issuer = sk_X509_value(sk, i);
if (ctx->check_issued(ctx, x, issuer))
return issuer;
- }
+ }
return NULL;
}
static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
{
*issuer = find_issuer(ctx, ctx->other_ctx, x);
- if (*issuer)
- {
+ if (*issuer) {
CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509);
return 1;
- }
- else
+ } else
return 0;
}
must_be_ca = -1;
/* CRL path validation */
- if (ctx->parent)
- {
+ if (ctx->parent) {
allow_proxy_certs = 0;
purpose = X509_PURPOSE_CRL_SIGN;
- }
- else
- {
+ } else {
allow_proxy_certs =
!!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
/* A hack to keep people who don't want to modify their
if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
allow_proxy_certs = 1;
purpose = ctx->param->purpose;
- }
+ }
/* Check all untrusted certificates */
- for (i = 0; i < ctx->last_untrusted; i++)
- {
+ for (i = 0; i < ctx->last_untrusted; i++) {
int ret;
x = sk_X509_value(ctx->chain, i);
if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
- && (x->ex_flags & EXFLAG_CRITICAL))
- {
+ && (x->ex_flags & EXFLAG_CRITICAL)) {
ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
ctx->error_depth = i;
ctx->current_cert = x;
ok=cb(0,ctx);
if (!ok) goto end;
- }
- if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY))
- {
+ }
+ if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) {
ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
ctx->error_depth = i;
ctx->current_cert = x;
ok=cb(0,ctx);
if (!ok) goto end;
- }
+ }
ret = X509_check_ca(x);
- switch(must_be_ca)
- {
+ switch(must_be_ca) {
case -1:
if ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
- && (ret != 1) && (ret != 0))
- {
+ && (ret != 1) && (ret != 0)) {
ret = 0;
ctx->error = X509_V_ERR_INVALID_CA;
- }
- else
+ } else
ret = 1;
break;
case 0:
- if (ret != 0)
- {
+ if (ret != 0) {
ret = 0;
ctx->error = X509_V_ERR_INVALID_NON_CA;
- }
- else
+ } else
ret = 1;
break;
default:
if ((ret == 0)
|| ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
- && (ret != 1)))
- {
+ && (ret != 1))) {
ret = 0;
ctx->error = X509_V_ERR_INVALID_CA;
- }
- else
+ } else
ret = 1;
break;
- }
- if (ret == 0)
- {
+ }
+ if (ret == 0) {
ctx->error_depth = i;
ctx->current_cert = x;
ok=cb(0,ctx);
if (!ok) goto end;
- }
- if (ctx->param->purpose > 0)
- {
+ }
+ if (ctx->param->purpose > 0) {
ret = X509_check_purpose(x, purpose, must_be_ca > 0);
if ((ret == 0)
|| ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
- && (ret != 1)))
- {
+ && (ret != 1))) {
ctx->error = X509_V_ERR_INVALID_PURPOSE;
ctx->error_depth = i;
ctx->current_cert = x;
ok=cb(0,ctx);
if (!ok) goto end;
- }
}
+ }
/* Check pathlen if not self issued */
if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
&& (x->ex_pathlen != -1)
- && (plen > (x->ex_pathlen + proxy_path_length + 1)))
- {
+ && (plen > (x->ex_pathlen + proxy_path_length + 1))) {
ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
ctx->error_depth = i;
ctx->current_cert = x;
ok=cb(0,ctx);
if (!ok) goto end;
- }
+ }
/* Increment path length if not self issued */
if (!(x->ex_flags & EXFLAG_SI))
plen++;
certificate must be another proxy certificate or a EE
certificate. If not, the next certificate must be a
CA certificate. */
- if (x->ex_flags & EXFLAG_PROXY)
- {
- if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen)
- {
+ if (x->ex_flags & EXFLAG_PROXY) {
+ if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) {
ctx->error =
X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
ctx->error_depth = i;
ctx->current_cert = x;
ok=cb(0,ctx);
if (!ok) goto end;
- }
+ }
proxy_path_length++;
must_be_ca = 0;
- }
- else
+ } else
must_be_ca = 1;
- }
+ }
ok = 1;
end:
return ok;
}
static int check_name_constraints(X509_STORE_CTX *ctx)
- {
+{
X509 *x;
int i, j, rv;
/* Check name constraints for all certificates */
- for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
- {
+ for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
x = sk_X509_value(ctx->chain, i);
/* Ignore self issued certs unless last in chain */
if (i && (x->ex_flags & EXFLAG_SI))
* speaking needed but if it includes constraints it is to be
* assumed it expects them to be obeyed.
*/
- for (j = sk_X509_num(ctx->chain) - 1; j > i; j--)
- {
+ for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) {
NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
- if (nc)
- {
+ if (nc) {
rv = NAME_CONSTRAINTS_check(x, nc);
- if (rv != X509_V_OK)
- {
+ if (rv != X509_V_OK) {
ctx->error = rv;
ctx->error_depth = i;
ctx->current_cert = x;
if (!ctx->verify_cb(0,ctx))
return 0;
- }
}
}
}
- return 1;
}
+ return 1;
+}
static int check_trust(X509_STORE_CTX *ctx)
{
}
static int check_revocation(X509_STORE_CTX *ctx)
- {
+{
int i, last, ok;
if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
return 1;
if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
last = sk_X509_num(ctx->chain) - 1;
- else
- {
+ else {
/* If checking CRL paths this isn't the EE certificate */
if (ctx->parent)
return 1;
last = 0;
- }
- for(i = 0; i <= last; i++)
- {
+ }
+ for(i = 0; i <= last; i++) {
ctx->error_depth = i;
ok = check_cert(ctx);
if (!ok) return ok;
- }
- return 1;
}
+ return 1;
+}
-static int check_cert(X509_STORE_CTX *ctx)
- {
+static int check_cert(X509_STORE_CTX *ctx) {
X509_CRL *crl = NULL, *dcrl = NULL;
X509 *x;
int ok, cnum;
ctx->current_issuer = NULL;
ctx->current_crl_score = 0;
ctx->current_reasons = 0;
- while (ctx->current_reasons != CRLDP_ALL_REASONS)
- {
+ while (ctx->current_reasons != CRLDP_ALL_REASONS) {
last_reasons = ctx->current_reasons;
/* Try to retrieve relevant CRL */
if (ctx->get_crl)
/* If error looking up CRL, nothing we can do except
* notify callback
*/
- if(!ok)
- {
+ if(!ok) {
ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
ok = ctx->verify_cb(0, ctx);
goto err;
- }
+ }
ctx->current_crl = crl;
ok = ctx->check_crl(ctx, crl);
if (!ok)
goto err;
- if (dcrl)
- {
+ if (dcrl) {
ok = ctx->check_crl(ctx, dcrl);
if (!ok)
goto err;
ok = ctx->cert_crl(ctx, dcrl, x);
if (!ok)
goto err;
- }
- else
+ } else
ok = 1;
/* Don't look in full CRL if delta reason is removefromCRL */
- if (ok != 2)
- {
+ if (ok != 2) {
ok = ctx->cert_crl(ctx, crl, x);
if (!ok)
goto err;
- }
+ }
X509_CRL_free(crl);
X509_CRL_free(dcrl);
/* If reasons not updated we wont get anywhere by
* another iteration, so exit loop.
*/
- if (last_reasons == ctx->current_reasons)
- {
+ if (last_reasons == ctx->current_reasons) {
ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
ok = ctx->verify_cb(0, ctx);
goto err;
- }
}
- err:
+ }
+err:
X509_CRL_free(crl);
X509_CRL_free(dcrl);
ctx->current_crl = NULL;
return ok;
- }
+}
/* Check CRL times against values in X509_STORE_CTX */
static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
- {
+{
time_t *ptime;
int i;
if (notify)
ptime = NULL;
i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
- if (i == 0)
- {
+ if (i == 0) {
if (!notify)
return 0;
ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
if (!ctx->verify_cb(0, ctx))
return 0;
- }
+ }
- if (i > 0)
- {
+ if (i > 0) {
if (!notify)
return 0;
ctx->error=X509_V_ERR_CRL_NOT_YET_VALID;
if (!ctx->verify_cb(0, ctx))
return 0;
- }
+ }
- if(X509_CRL_get_nextUpdate(crl))
- {
+ if(X509_CRL_get_nextUpdate(crl)) {
i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
- if (i == 0)
- {
+ if (i == 0) {
if (!notify)
return 0;
ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
if (!ctx->verify_cb(0, ctx))
return 0;
- }
+ }
/* Ignore expiry of base CRL is delta is valid */
- if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA))
- {
+ if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
if (!notify)
return 0;
ctx->error=X509_V_ERR_CRL_HAS_EXPIRED;
if (!ctx->verify_cb(0, ctx))
return 0;
- }
}
+ }
if (notify)
ctx->current_crl = NULL;
return 1;
- }
+}
static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
X509 **pissuer, int *pscore, unsigned int *preasons,
STACK_OF(X509_CRL) *crls)
- {
+{
int i, crl_score, best_score = *pscore;
unsigned int reasons, best_reasons = 0;
X509 *x = ctx->current_cert;
X509_CRL *crl, *best_crl = NULL;
X509 *crl_issuer = NULL, *best_crl_issuer = NULL;
- for (i = 0; i < sk_X509_CRL_num(crls); i++)
- {
+ for (i = 0; i < sk_X509_CRL_num(crls); i++) {
crl = sk_X509_CRL_value(crls, i);
reasons = *preasons;
crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
- if (crl_score > best_score)
- {
+ if (crl_score > best_score) {
best_crl = crl;
best_crl_issuer = crl_issuer;
best_score = crl_score;
best_reasons = reasons;
- }
}
+ }
- if (best_crl)
- {
+ if (best_crl) {
if (*pcrl)
X509_CRL_free(*pcrl);
*pcrl = best_crl;
*pscore = best_score;
*preasons = best_reasons;
CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL);
- if (*pdcrl)
- {
+ if (*pdcrl) {
X509_CRL_free(*pdcrl);
*pdcrl = NULL;
- }
- get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
}
+ get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
+ }
if (best_score >= CRL_SCORE_VALID)
return 1;
return 0;
- }
+}
/* Compare two CRL extensions for delta checking purposes. They should be
* both present or both absent. If both present all fields must be identical.
*/
static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
- {
+{
ASN1_OCTET_STRING *exta, *extb;
int i;
i = X509_CRL_get_ext_by_NID(a, nid, -1);
- if (i >= 0)
- {
+ if (i >= 0) {
/* Can't have multiple occurrences */
if (X509_CRL_get_ext_by_NID(a, nid, i) != -1)
return 0;
exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i));
- }
- else
+ } else
exta = NULL;
i = X509_CRL_get_ext_by_NID(b, nid, -1);
- if (i >= 0)
- {
+ if (i >= 0) {
if (X509_CRL_get_ext_by_NID(b, nid, i) != -1)
return 0;
extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
- }
- else
+ } else
extb = NULL;
if (!exta && !extb)
return 0;
return 1;
- }
+}
/* See if a base and delta are compatible */
static int check_delta_base(X509_CRL *delta, X509_CRL *base)
- {
+{
/* Delta CRL must be a delta */
if (!delta->base_crl_number)
return 0;
if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
return 1;
return 0;
- }
+}
/* For a given base CRL find a delta... maybe extend to delta scoring
* or retrieve a chain of deltas...
static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
X509_CRL *base, STACK_OF(X509_CRL) *crls)
- {
+{
X509_CRL *delta;
int i;
if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS))
return;
if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST))
return;
- for (i = 0; i < sk_X509_CRL_num(crls); i++)
- {
+ for (i = 0; i < sk_X509_CRL_num(crls); i++) {
delta = sk_X509_CRL_value(crls, i);
- if (check_delta_base(delta, base))
- {
+ if (check_delta_base(delta, base)) {
if (check_crl_time(ctx, delta, 0))
*pscore |= CRL_SCORE_TIME_DELTA;
CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL);
*dcrl = delta;
return;
- }
}
- *dcrl = NULL;
}
+ *dcrl = NULL;
+}
/* For a given CRL return how suitable it is for the supplied certificate 'x'.
* The return value is a mask of several criteria.
static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
unsigned int *preasons,
X509_CRL *crl, X509 *x)
- {
+{
int crl_score = 0;
unsigned int tmp_reasons = *preasons, crl_reasons;
if (crl->idp_flags & IDP_INVALID)
return 0;
/* Reason codes or indirect CRLs need extended CRL support */
- if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT))
- {
+ if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) {
if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS))
return 0;
- }
- else if (crl->idp_flags & IDP_REASONS)
- {
+ } else if (crl->idp_flags & IDP_REASONS) {
/* If no new reasons reject */
if (!(crl->idp_reasons & ~tmp_reasons))
return 0;
- }
+ }
/* Don't process deltas at this stage */
else if (crl->base_crl_number)
return 0;
/* If issuer name doesn't match certificate need indirect CRL */
- if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl)))
- {
+ if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) {
if (!(crl->idp_flags & IDP_INDIRECT))
return 0;
- }
- else
+ } else
crl_score |= CRL_SCORE_ISSUER_NAME;
if (!(crl->flags & EXFLAG_CRITICAL))
/* Check cert for matching CRL distribution points */
- if (crl_crldp_check(x, crl, crl_score, &crl_reasons))
- {
+ if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) {
/* If no new reasons reject */
if (!(crl_reasons & ~tmp_reasons))
return 0;
tmp_reasons |= crl_reasons;
crl_score |= CRL_SCORE_SCOPE;
- }
+ }
*preasons = tmp_reasons;
return crl_score;
- }
+}
static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
X509 **pissuer, int *pcrl_score)
- {
+{
X509 *crl_issuer = NULL;
X509_NAME *cnm = X509_CRL_get_issuer(crl);
int cidx = ctx->error_depth;
crl_issuer = sk_X509_value(ctx->chain, cidx);
- if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
- {
- if (*pcrl_score & CRL_SCORE_ISSUER_NAME)
- {
+ if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
+ if (*pcrl_score & CRL_SCORE_ISSUER_NAME) {
*pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_ISSUER_CERT;
*pissuer = crl_issuer;
return;
- }
}
+ }
- for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++)
- {
+ for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++) {
crl_issuer = sk_X509_value(ctx->chain, cidx);
if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
continue;
- if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
- {
+ if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
*pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_SAME_PATH;
*pissuer = crl_issuer;
return;
- }
}
+ }
/* Anything else needs extended CRL support */
/* Otherwise the CRL issuer is not on the path. Look for it in the
* set of untrusted certificates.
*/
- for (i = 0; i < sk_X509_num(ctx->untrusted); i++)
- {
+ for (i = 0; i < sk_X509_num(ctx->untrusted); i++) {
crl_issuer = sk_X509_value(ctx->untrusted, i);
if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
continue;
- if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
- {
+ if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
*pissuer = crl_issuer;
*pcrl_score |= CRL_SCORE_AKID;
return;
- }
}
}
+}
/* Check the path of a CRL issuer certificate. This creates a new
* X509_STORE_CTX and populates it with most of the parameters from the
*/
static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
- {
+{
X509_STORE_CTX crl_ctx;
int ret;
/* Don't allow recursive CRL path validation */
err:
X509_STORE_CTX_cleanup(&crl_ctx);
return ret;
- }
+}
/* RFC3280 says nothing about the relationship between CRL path
* and certificate path, which could lead to situations where a
static int check_crl_chain(X509_STORE_CTX *ctx,
STACK_OF(X509) *cert_path,
STACK_OF(X509) *crl_path)
- {
+{
X509 *cert_ta, *crl_ta;
cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
if (!X509_cmp(cert_ta, crl_ta))
return 1;
return 0;
- }
+}
/* Check for match between two dist point names: three separate cases.
* 1. Both are relative names and compare X509_NAME types.
static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
- {
+{
X509_NAME *nm = NULL;
GENERAL_NAMES *gens = NULL;
GENERAL_NAME *gena, *genb;
int i, j;
if (!a || !b)
return 1;
- if (a->type == 1)
- {
+ if (a->type == 1) {
if (!a->dpname)
return 0;
/* Case 1: two X509_NAME */
- if (b->type == 1)
- {
+ if (b->type == 1) {
if (!b->dpname)
return 0;
if (!X509_NAME_cmp(a->dpname, b->dpname))
return 1;
else
return 0;
- }
+ }
/* Case 2: set name and GENERAL_NAMES appropriately */
nm = a->dpname;
gens = b->name.fullname;
- }
- else if (b->type == 1)
- {
+ } else if (b->type == 1) {
if (!b->dpname)
return 0;
/* Case 2: set name and GENERAL_NAMES appropriately */
gens = a->name.fullname;
nm = b->dpname;
- }
+ }
/* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
- if (nm)
- {
- for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
- {
+ if (nm) {
+ for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
gena = sk_GENERAL_NAME_value(gens, i);
if (gena->type != GEN_DIRNAME)
continue;
if (!X509_NAME_cmp(nm, gena->d.directoryName))
return 1;
- }
- return 0;
}
+ return 0;
+ }
/* Else case 3: two GENERAL_NAMES */
- for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++)
- {
+ for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) {
gena = sk_GENERAL_NAME_value(a->name.fullname, i);
- for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++)
- {
+ for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) {
genb = sk_GENERAL_NAME_value(b->name.fullname, j);
if (!GENERAL_NAME_cmp(gena, genb))
return 1;
- }
}
+ }
return 0;
- }
+}
static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
- {
+{
int i;
X509_NAME *nm = X509_CRL_get_issuer(crl);
/* If no CRLissuer return is successful iff don't need a match */
if (!dp->CRLissuer)
return !!(crl_score & CRL_SCORE_ISSUER_NAME);
- for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++)
- {
+ for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
if (gen->type != GEN_DIRNAME)
continue;
if (!X509_NAME_cmp(gen->d.directoryName, nm))
return 1;
- }
- return 0;
}
+ return 0;
+}
/* Check CRLDP and IDP */
static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
unsigned int *preasons)
- {
+{
int i;
if (crl->idp_flags & IDP_ONLYATTR)
return 0;
- if (x->ex_flags & EXFLAG_CA)
- {
+ if (x->ex_flags & EXFLAG_CA) {
if (crl->idp_flags & IDP_ONLYUSER)
return 0;
- }
- else
- {
+ } else {
if (crl->idp_flags & IDP_ONLYCA)
return 0;
- }
+ }
*preasons = crl->idp_reasons;
- for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
- {
+ for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) {
DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
- if (crldp_check_crlissuer(dp, crl, crl_score))
- {
+ if (crldp_check_crlissuer(dp, crl, crl_score)) {
if (!crl->idp ||
- idp_check_dp(dp->distpoint, crl->idp->distpoint))
- {
+ idp_check_dp(dp->distpoint, crl->idp->distpoint)) {
*preasons &= dp->dp_reasons;
return 1;
- }
}
}
+ }
if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME))
return 1;
return 0;
- }
+}
/* Retrieve CRL corresponding to current certificate.
* If deltas enabled try to find a delta CRL too
static int get_crl_delta(X509_STORE_CTX *ctx,
X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
- {
+{
int ok;
X509 *issuer = NULL;
int crl_score = 0;
done:
/* If we got any kind of CRL use it and return success */
- if (crl)
- {
+ if (crl) {
ctx->current_issuer = issuer;
ctx->current_crl_score = crl_score;
ctx->current_reasons = reasons;
*pcrl = crl;
*pdcrl = dcrl;
return 1;
- }
+ }
return 0;
- }
+}
/* Check CRL validity */
static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
- {
+{
X509 *issuer = NULL;
EVP_PKEY *ikey = NULL;
int ok = 0, chnum, cnum;
cnum = ctx->error_depth;
chnum = sk_X509_num(ctx->chain) - 1;
/* if we have an alternative CRL issuer cert use that */
- if (ctx->current_issuer)
+ if (ctx->current_issuer) {
issuer = ctx->current_issuer;
-
- /* Else find CRL issuer: if not last certificate then issuer
- * is next certificate in chain.
- */
- else if (cnum < chnum)
+ } else if (cnum < chnum) {
+ /* Else find CRL issuer: if not last certificate then issuer
+ * is next certificate in chain.
+ */
issuer = sk_X509_value(ctx->chain, cnum + 1);
- else
- {
+ } else {
issuer = sk_X509_value(ctx->chain, chnum);
/* If not self signed, can't check signature */
- if(!ctx->check_issued(ctx, issuer, issuer))
- {
+ if(!ctx->check_issued(ctx, issuer, issuer)) {
ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
ok = ctx->verify_cb(0, ctx);
if(!ok) goto err;
- }
}
+ }
- if(issuer)
- {
+ if(issuer) {
/* Skip most tests for deltas because they have already
* been done
*/
- if (!crl->base_crl_number)
- {
+ if (!crl->base_crl_number) {
/* Check for cRLSign bit if keyUsage present */
if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
- !(issuer->ex_kusage & KU_CRL_SIGN))
- {
+ !(issuer->ex_kusage & KU_CRL_SIGN)) {
ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
ok = ctx->verify_cb(0, ctx);
if(!ok) goto err;
- }
+ }
- if (!(ctx->current_crl_score & CRL_SCORE_SCOPE))
- {
+ if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) {
ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
ok = ctx->verify_cb(0, ctx);
if(!ok) goto err;
- }
+ }
- if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH))
- {
- if (check_crl_path(ctx, ctx->current_issuer) <= 0)
- {
+ if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) {
+ if (check_crl_path(ctx, ctx->current_issuer) <= 0) {
ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
ok = ctx->verify_cb(0, ctx);
if(!ok) goto err;
- }
}
+ }
- if (crl->idp_flags & IDP_INVALID)
- {
+ if (crl->idp_flags & IDP_INVALID) {
ctx->error = X509_V_ERR_INVALID_EXTENSION;
ok = ctx->verify_cb(0, ctx);
if(!ok) goto err;
- }
+ }
- }
+ }
- if (!(ctx->current_crl_score & CRL_SCORE_TIME))
- {
+ if (!(ctx->current_crl_score & CRL_SCORE_TIME)) {
ok = check_crl_time(ctx, crl, 1);
if (!ok)
goto err;
- }
+ }
/* Attempt to get issuer certificate public key */
ikey = X509_get_pubkey(issuer);
- if(!ikey)
- {
+ if(!ikey) {
ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
ok = ctx->verify_cb(0, ctx);
if (!ok) goto err;
- }
- else
- {
+ } else {
/* Verify CRL signature */
- if(X509_CRL_verify(crl, ikey) <= 0)
- {
+ if(X509_CRL_verify(crl, ikey) <= 0) {
ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE;
ok = ctx->verify_cb(0, ctx);
if (!ok) goto err;
- }
}
}
+ }
ok = 1;
- err:
+err:
EVP_PKEY_free(ikey);
return ok;
- }
+}
/* Check certificate against CRL */
static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
- {
+{
int ok;
X509_REVOKED *rev;
/* The rules changed for this... previously if a CRL contained
* critical extension can change the meaning of CRL entries.
*/
if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
- && (crl->flags & EXFLAG_CRITICAL))
- {
+ && (crl->flags & EXFLAG_CRITICAL)) {
ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
ok = ctx->verify_cb(0, ctx);
if(!ok)
return 0;
- }
+ }
/* Look for serial number of certificate in CRL
* If found make sure reason is not removeFromCRL.
*/
- if (X509_CRL_get0_by_cert(crl, &rev, x))
- {
+ if (X509_CRL_get0_by_cert(crl, &rev, x)) {
if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)
return 2;
ctx->error = X509_V_ERR_CERT_REVOKED;
ok = ctx->verify_cb(0, ctx);
if (!ok)
return 0;
- }
+ }
return 1;
- }
+}
static int check_policy(X509_STORE_CTX *ctx)
- {
+{
int ret;
if (ctx->parent)
return 1;
ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
ctx->param->policies, ctx->param->flags);
- if (ret == 0)
- {
+ if (ret == 0) {
X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE);
return 0;
- }
+ }
/* Invalid or inconsistent extensions */
- if (ret == -1)
- {
+ if (ret == -1) {
/* Locate certificates with bad extensions and notify
* callback.
*/
X509 *x;
int i;
- for (i = 1; i < sk_X509_num(ctx->chain); i++)
- {
+ for (i = 1; i < sk_X509_num(ctx->chain); i++) {
x = sk_X509_value(ctx->chain, i);
if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
continue;
ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
if(!ctx->verify_cb(0, ctx))
return 0;
- }
- return 1;
}
- if (ret == -2)
- {
+ return 1;
+ }
+ if (ret == -2) {
ctx->current_cert = NULL;
ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
return ctx->verify_cb(0, ctx);
- }
+ }
- if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY)
- {
+ if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
ctx->current_cert = NULL;
ctx->error = X509_V_OK;
if (!ctx->verify_cb(2, ctx))
return 0;
- }
+ }
return 1;
- }
+}
static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
- {
+{
time_t *ptime;
int i;
ptime = NULL;
i=X509_cmp_time(X509_get_notBefore(x), ptime);
- if (i == 0)
- {
+ if (i == 0) {
ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
ctx->current_cert=x;
if (!ctx->verify_cb(0, ctx))
return 0;
- }
+ }
- if (i > 0)
- {
+ if (i > 0) {
ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
ctx->current_cert=x;
if (!ctx->verify_cb(0, ctx))
return 0;
- }
+ }
i=X509_cmp_time(X509_get_notAfter(x), ptime);
- if (i == 0)
- {
+ if (i == 0) {
ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
ctx->current_cert=x;
if (!ctx->verify_cb(0, ctx))
return 0;
- }
+ }
- if (i < 0)
- {
+ if (i < 0) {
ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
ctx->current_cert=x;
if (!ctx->verify_cb(0, ctx))
return 0;
- }
+ }
return 1;
- }
+}
static int internal_verify(X509_STORE_CTX *ctx)
- {
+{
int ok=0,n;
X509 *xs,*xi;
EVP_PKEY *pkey=NULL;
if (ctx->check_issued(ctx, xi, xi))
xs=xi;
- else
- {
- if (n <= 0)
- {
+ else {
+ if (n <= 0) {
ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
ctx->current_cert=xi;
ok=cb(0,ctx);
goto end;
- }
- else
- {
+ } else {
n--;
ctx->error_depth=n;
xs=sk_X509_value(ctx->chain,n);
- }
}
+ }
/* ctx->error=0; not needed */
- while (n >= 0)
- {
+ while (n >= 0) {
ctx->error_depth=n;
/* Skip signature check for self signed certificates unless
* explicitly asked for. It doesn't add any security and
* just wastes time.
*/
- if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)))
- {
- if ((pkey=X509_get_pubkey(xi)) == NULL)
- {
+ if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) {
+ if ((pkey=X509_get_pubkey(xi)) == NULL) {
ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
ctx->current_cert=xi;
ok=(*cb)(0,ctx);
if (!ok) goto end;
- }
- else if (X509_verify(xs,pkey) <= 0)
- {
+ } else if (X509_verify(xs,pkey) <= 0) {
ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
ctx->current_cert=xs;
ok=(*cb)(0,ctx);
- if (!ok)
- {
+ if (!ok) {
EVP_PKEY_free(pkey);
goto end;
- }
}
+ }
EVP_PKEY_free(pkey);
pkey=NULL;
- }
+ }
xs->valid = 1;
if (!ok) goto end;
n--;
- if (n >= 0)
- {
+ if (n >= 0) {
xi=xs;
xs=sk_X509_value(ctx->chain,n);
- }
}
+ }
ok=1;
end:
return ok;
- }
+}
int X509_cmp_current_time(const ASN1_TIME *ctm)
{
}
int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
- {
+{
char *str;
ASN1_TIME atm;
long offset;
p=buff1;
i=ctm->length;
str=(char *)ctm->data;
- if (ctm->type == V_ASN1_UTCTIME)
- {
+ if (ctm->type == V_ASN1_UTCTIME) {
if ((i < 11) || (i > 17)) return 0;
memcpy(p,str,10);
p+=10;
str+=10;
- }
- else
- {
+ } else {
if (i < 13) return 0;
memcpy(p,str,12);
p+=12;
str+=12;
- }
+ }
- if ((*str == 'Z') || (*str == '-') || (*str == '+'))
- { *(p++)='0'; *(p++)='0'; }
- else
- {
+ if ((*str == 'Z') || (*str == '-') || (*str == '+')) {
+ *(p++)='0';
+ *(p++)='0';
+ } else {
*(p++)= *(str++);
*(p++)= *(str++);
/* Skip any fractional seconds... */
- if (*str == '.')
- {
+ if (*str == '.') {
str++;
while ((*str >= '0') && (*str <= '9')) str++;
- }
-
}
+
+ }
*(p++)='Z';
*(p++)='\0';
if (*str == 'Z')
offset=0;
- else
- {
+ else {
if ((*str != '+') && (*str != '-'))
return 0;
offset=((str[1]-'0')*10+(str[2]-'0'))*60;
offset+=(str[3]-'0')*10+(str[4]-'0');
if (*str == '-')
offset= -offset;
- }
+ }
atm.type=ctm->type;
atm.flags = 0;
atm.length=sizeof(buff2);
if (X509_time_adj(&atm, offset*60, cmp_time) == NULL)
return 0;
- if (ctm->type == V_ASN1_UTCTIME)
- {
+ if (ctm->type == V_ASN1_UTCTIME) {
i=(buff1[0]-'0')*10+(buff1[1]-'0');
if (i < 50) i+=100; /* cf. RFC 2459 */
j=(buff2[0]-'0')*10+(buff2[1]-'0');
if (i < j) return -1;
if (i > j) return 1;
- }
+ }
i=strcmp(buff1,buff2);
if (i == 0) /* wait a second then return younger :-) */
return -1;
else
return i;
- }
+}
ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
{
}
ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
- {
+{
return X509_time_adj_ex(s, 0, offset_sec, in_tm);
- }
+}
ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
int offset_day, long offset_sec, time_t *in_tm)
- {
+{
time_t t;
if (in_tm) t = *in_tm;
else time(&t);
- if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING))
- {
+ if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) {
if (s->type == V_ASN1_UTCTIME)
return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec);
if (s->type == V_ASN1_GENERALIZEDTIME)
return ASN1_GENERALIZEDTIME_adj(s, t, offset_day,
offset_sec);
- }
- return ASN1_TIME_adj(s, t, offset_day, offset_sec);
}
+ return ASN1_TIME_adj(s, t, offset_day, offset_sec);
+}
int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
- {
+{
EVP_PKEY *ktmp=NULL,*ktmp2;
int i,j;
if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1;
- for (i=0; i<sk_X509_num(chain); i++)
- {
+ for (i=0; i<sk_X509_num(chain); i++) {
ktmp=X509_get_pubkey(sk_X509_value(chain,i));
- if (ktmp == NULL)
- {
+ if (ktmp == NULL) {
X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
return 0;
- }
+ }
if (!EVP_PKEY_missing_parameters(ktmp))
break;
- else
- {
+ else {
EVP_PKEY_free(ktmp);
ktmp=NULL;
- }
}
- if (ktmp == NULL)
- {
+ }
+ if (ktmp == NULL) {
X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
return 0;
- }
+ }
/* first, populate the other certs */
- for (j=i-1; j >= 0; j--)
- {
+ for (j=i-1; j >= 0; j--) {
ktmp2=X509_get_pubkey(sk_X509_value(chain,j));
EVP_PKEY_copy_parameters(ktmp2,ktmp);
EVP_PKEY_free(ktmp2);
- }
+ }
if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp);
EVP_PKEY_free(ktmp);
return 1;
- }
+}
int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
- {
+{
/* This function is (usually) called only once, by
* SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */
return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp,
new_func, dup_func, free_func);
- }
+}
int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
- {
+{
return CRYPTO_set_ex_data(&ctx->ex_data,idx,data);
- }
+}
void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
- {
+{
return CRYPTO_get_ex_data(&ctx->ex_data,idx);
- }
+}
int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
- {
+{
return ctx->error;
- }
+}
void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
- {
+{
ctx->error=err;
- }
+}
int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
- {
+{
return ctx->error_depth;
- }
+}
X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
- {
+{
return ctx->current_cert;
- }
+}
STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
- {
+{
return ctx->chain;
- }
+}
STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
- {
+{
int i;
X509 *x;
STACK_OF(X509) *chain;
if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL;
- for (i = 0; i < sk_X509_num(chain); i++)
- {
+ for (i = 0; i < sk_X509_num(chain); i++) {
x = sk_X509_value(chain, i);
CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
- }
- return chain;
}
+ return chain;
+}
X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
- {
+{
return ctx->current_issuer;
- }
+}
X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
- {
+{
return ctx->current_crl;
- }
+}
X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
- {
+{
return ctx->parent;
- }
+}
void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
- {
+{
ctx->cert=x;
- }
+}
void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
- {
+{
ctx->untrusted=sk;
- }
+}
void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
- {
+{
ctx->crls=sk;
- }
+}
int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
- {
+{
return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
- }
+}
int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
- {
+{
return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
- }
+}
/* This function is used to set the X509_STORE_CTX purpose and trust
* values. This is intended to be used when another structure has its
/* If purpose not set use default */
if (!purpose) purpose = def_purpose;
/* If we have a purpose then check it is valid */
- if (purpose)
- {
+ if (purpose) {
X509_PURPOSE *ptmp;
idx = X509_PURPOSE_get_by_id(purpose);
- if (idx == -1)
- {
+ if (idx == -1) {
X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
X509_R_UNKNOWN_PURPOSE_ID);
return 0;
- }
+ }
ptmp = X509_PURPOSE_get0(idx);
- if (ptmp->trust == X509_TRUST_DEFAULT)
- {
+ if (ptmp->trust == X509_TRUST_DEFAULT) {
idx = X509_PURPOSE_get_by_id(def_purpose);
- if (idx == -1)
- {
+ if (idx == -1) {
X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
X509_R_UNKNOWN_PURPOSE_ID);
return 0;
- }
- ptmp = X509_PURPOSE_get0(idx);
}
+ ptmp = X509_PURPOSE_get0(idx);
+ }
/* If trust not set then get from purpose default */
if (!trust) trust = ptmp->trust;
- }
- if (trust)
- {
+ }
+ if (trust) {
idx = X509_TRUST_get_by_id(trust);
- if (idx == -1)
- {
+ if (idx == -1) {
X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
X509_R_UNKNOWN_TRUST_ID);
return 0;
- }
}
+ }
if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose;
if (trust && !ctx->param->trust) ctx->param->trust = trust;
{
X509_STORE_CTX *ctx;
ctx = (X509_STORE_CTX *)malloc(sizeof(X509_STORE_CTX));
- if (!ctx)
- {
+ if (!ctx) {
X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE);
return NULL;
- }
+ }
memset(ctx, 0, sizeof(X509_STORE_CTX));
return ctx;
}
int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
STACK_OF(X509) *chain)
- {
+{
int ret = 1;
ctx->ctx=store;
ctx->current_method=0;
ctx->param = X509_VERIFY_PARAM_new();
- if (!ctx->param)
- {
+ if (!ctx->param) {
X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
return 0;
- }
+ }
/* Inherit callbacks and flags from X509_STORE if not set
* use defaults.
else
ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
- if (store)
- {
+ if (store) {
ctx->verify_cb = store->verify_cb;
ctx->cleanup = store->cleanup;
- }
- else
+ } else
ctx->cleanup = 0;
if (ret)
ret = X509_VERIFY_PARAM_inherit(ctx->param,
X509_VERIFY_PARAM_lookup("default"));
- if (ret == 0)
- {
+ if (ret == 0) {
X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
return 0;
- }
+ }
if (store && store->check_issued)
ctx->check_issued = store->check_issued;
* corresponding "new" here and remove this bogus initialisation. */
/* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */
if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
- &(ctx->ex_data)))
- {
+ &(ctx->ex_data))) {
free(ctx);
X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
return 0;
- }
- return 1;
}
+ return 1;
+}
/* Set alternative lookup method: just a STACK of trusted certificates.
* This avoids X509_STORE nastiness where it isn't needed.
}
void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
- {
+{
if (ctx->cleanup) ctx->cleanup(ctx);
- if (ctx->param != NULL)
- {
+ if (ctx->param != NULL) {
if (ctx->parent == NULL)
X509_VERIFY_PARAM_free(ctx->param);
ctx->param=NULL;
- }
- if (ctx->tree != NULL)
- {
+ }
+ if (ctx->tree != NULL) {
X509_policy_tree_free(ctx->tree);
ctx->tree=NULL;
- }
- if (ctx->chain != NULL)
- {
+ }
+ if (ctx->chain != NULL) {
sk_X509_pop_free(ctx->chain,X509_free);
ctx->chain=NULL;
- }
+ }
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data));
memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
- }
+}
void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
- {
+{
X509_VERIFY_PARAM_set_depth(ctx->param, depth);
- }
+}
void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
- {
+{
X509_VERIFY_PARAM_set_flags(ctx->param, flags);
- }
+}
void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t)
- {
+{
X509_VERIFY_PARAM_set_time(ctx->param, t);
- }
+}
void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
int (*verify_cb)(int, X509_STORE_CTX *))
- {
+{
ctx->verify_cb=verify_cb;
- }
+}
X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
- {
+{
return ctx->tree;
- }
+}
int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
- {
+{
return ctx->explicit_policy;
- }
+}
int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
- {
+{
const X509_VERIFY_PARAM *param;
param = X509_VERIFY_PARAM_lookup(name);
if (!param)
return 0;
return X509_VERIFY_PARAM_inherit(ctx->param, param);
- }
+}
X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
- {
+{
return ctx->param;
- }
+}
void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
- {
+{
if (ctx->param)
X509_VERIFY_PARAM_free(ctx->param);
ctx->param = param;
- }
+}
IMPLEMENT_STACK_OF(X509)
IMPLEMENT_ASN1_SET_OF(X509)
/* X509_VERIFY_PARAM functions */
static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
- {
+{
if (!param)
return;
param->name = NULL;
param->inh_flags = 0;
param->flags = 0;
param->depth = -1;
- if (param->policies)
- {
+ if (param->policies) {
sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
param->policies = NULL;
- }
}
+}
X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
- {
+{
X509_VERIFY_PARAM *param;
param = malloc(sizeof(X509_VERIFY_PARAM));
memset(param, 0, sizeof(X509_VERIFY_PARAM));
x509_verify_param_zero(param);
return param;
- }
+}
void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
- {
+{
x509_verify_param_zero(param);
free(param);
- }
+}
/* This function determines how parameters are "inherited" from one structure
* to another. There are several different ways this can happen.
int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
const X509_VERIFY_PARAM *src)
- {
+{
unsigned long inh_flags;
int to_default, to_overwrite;
if (!src)
/* If overwrite or check time not set, copy across */
- if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME))
- {
+ if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME)) {
dest->check_time = src->check_time;
dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME;
/* Don't need to copy flag: that is done below */
- }
+ }
if (inh_flags & X509_VP_FLAG_RESET_FLAGS)
dest->flags = 0;
dest->flags |= src->flags;
- if (test_x509_verify_param_copy(policies, NULL))
- {
+ if (test_x509_verify_param_copy(policies, NULL)) {
if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies))
return 0;
- }
+ }
return 1;
- }
+}
int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
const X509_VERIFY_PARAM *from)
- {
+{
unsigned long save_flags = to->inh_flags;
int ret;
to->inh_flags |= X509_VP_FLAG_DEFAULT;
ret = X509_VERIFY_PARAM_inherit(to, from);
to->inh_flags = save_flags;
return ret;
- }
+}
int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
- {
+{
if (param->name)
free(param->name);
param->name = BUF_strdup(name);
if (param->name)
return 1;
return 0;
- }
+}
int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
- {
+{
param->flags |= flags;
if (flags & X509_V_FLAG_POLICY_MASK)
param->flags |= X509_V_FLAG_POLICY_CHECK;
return 1;
- }
+}
int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags)
- {
+{
param->flags &= ~flags;
return 1;
- }
+}
unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
- {
+{
return param->flags;
- }
+}
int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
- {
+{
return X509_PURPOSE_set(¶m->purpose, purpose);
- }
+}
int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust)
- {
+{
return X509_TRUST_set(¶m->trust, trust);
- }
+}
void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth)
- {
+{
param->depth = depth;
- }
+}
void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
- {
+{
param->check_time = t;
param->flags |= X509_V_FLAG_USE_CHECK_TIME;
- }
+}
int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy)
- {
- if (!param->policies)
- {
+{
+ if (!param->policies) {
param->policies = sk_ASN1_OBJECT_new_null();
if (!param->policies)
return 0;
- }
+ }
if (!sk_ASN1_OBJECT_push(param->policies, policy))
return 0;
return 1;
- }
+}
int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
STACK_OF(ASN1_OBJECT) *policies)
- {
+{
int i;
ASN1_OBJECT *oid, *doid;
if (!param)
if (param->policies)
sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
- if (!policies)
- {
+ if (!policies) {
param->policies = NULL;
return 1;
- }
+ }
param->policies = sk_ASN1_OBJECT_new_null();
if (!param->policies)
return 0;
- for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++)
- {
+ for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++) {
oid = sk_ASN1_OBJECT_value(policies, i);
doid = OBJ_dup(oid);
if (!doid)
return 0;
- if (!sk_ASN1_OBJECT_push(param->policies, doid))
- {
+ if (!sk_ASN1_OBJECT_push(param->policies, doid)) {
ASN1_OBJECT_free(doid);
return 0;
- }
}
+ }
param->flags |= X509_V_FLAG_POLICY_CHECK;
return 1;
- }
+}
int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
- {
+{
return param->depth;
- }
+}
/* Default verify parameters: these are used for various
* applications and can be overridden by the user specified table.
X509_TRUST_SSL_SERVER, /* trust */
-1, /* depth */
NULL /* policies */
- }};
+ }
+};
static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b)
- {
+{
return strcmp(a->name, b->name);
- }
+}
DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM,
table);
static int param_cmp(const X509_VERIFY_PARAM * const *a,
const X509_VERIFY_PARAM * const *b)
- {
+{
return strcmp((*a)->name, (*b)->name);
- }
+}
int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
- {
+{
int idx;
X509_VERIFY_PARAM *ptmp;
- if (!param_table)
- {
+ if (!param_table) {
param_table = sk_X509_VERIFY_PARAM_new(param_cmp);
if (!param_table)
return 0;
- }
- else
- {
+ } else {
idx = sk_X509_VERIFY_PARAM_find(param_table, param);
- if (idx != -1)
- {
+ if (idx != -1) {
ptmp = sk_X509_VERIFY_PARAM_value(param_table, idx);
X509_VERIFY_PARAM_free(ptmp);
(void)sk_X509_VERIFY_PARAM_delete(param_table, idx);
- }
}
+ }
if (!sk_X509_VERIFY_PARAM_push(param_table, param))
return 0;
return 1;
- }
+}
const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name)
- {
+{
int idx;
X509_VERIFY_PARAM pm;
pm.name = (char *)name;
- if (param_table)
- {
+ if (param_table) {
idx = sk_X509_VERIFY_PARAM_find(param_table, &pm);
if (idx != -1)
return sk_X509_VERIFY_PARAM_value(param_table, idx);
- }
+ }
return OBJ_bsearch_table(&pm, default_table,
sizeof(default_table)/sizeof(X509_VERIFY_PARAM));
- }
+}
void X509_VERIFY_PARAM_table_cleanup(void)
- {
+{
if (param_table)
sk_X509_VERIFY_PARAM_pop_free(param_table,
X509_VERIFY_PARAM_free);
param_table = NULL;
- }
+}
#include <openssl/x509.h>
int X509_CRL_set_version(X509_CRL *x, long version)
- {
+{
if (x == NULL) return(0);
- if (x->crl->version == NULL)
- {
+ if (x->crl->version == NULL) {
if ((x->crl->version=M_ASN1_INTEGER_new()) == NULL)
return(0);
- }
- return(ASN1_INTEGER_set(x->crl->version,version));
}
+ return(ASN1_INTEGER_set(x->crl->version,version));
+}
int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name)
- {
+{
if ((x == NULL) || (x->crl == NULL)) return(0);
return(X509_NAME_set(&x->crl->issuer,name));
- }
+}
int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm)
- {
+{
ASN1_TIME *in;
if (x == NULL) return(0);
in=x->crl->lastUpdate;
- if (in != tm)
- {
+ if (in != tm) {
in=M_ASN1_TIME_dup(tm);
- if (in != NULL)
- {
+ if (in != NULL) {
M_ASN1_TIME_free(x->crl->lastUpdate);
x->crl->lastUpdate=in;
- }
}
- return(in != NULL);
}
+ return(in != NULL);
+}
int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm)
- {
+{
ASN1_TIME *in;
if (x == NULL) return(0);
in=x->crl->nextUpdate;
- if (in != tm)
- {
+ if (in != tm) {
in=M_ASN1_TIME_dup(tm);
- if (in != NULL)
- {
+ if (in != NULL) {
M_ASN1_TIME_free(x->crl->nextUpdate);
x->crl->nextUpdate=in;
- }
}
- return(in != NULL);
}
+ return(in != NULL);
+}
int X509_CRL_sort(X509_CRL *c)
- {
+{
int i;
X509_REVOKED *r;
/* sort the data so it will be written in serial
* number order */
sk_X509_REVOKED_sort(c->crl->revoked);
- for (i=0; i<sk_X509_REVOKED_num(c->crl->revoked); i++)
- {
+ for (i=0; i<sk_X509_REVOKED_num(c->crl->revoked); i++) {
r=sk_X509_REVOKED_value(c->crl->revoked,i);
r->sequence=i;
- }
+ }
c->crl->enc.modified = 1;
return 1;
- }
+}
int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm)
- {
+{
ASN1_TIME *in;
if (x == NULL) return(0);
in=x->revocationDate;
- if (in != tm)
- {
+ if (in != tm) {
in=M_ASN1_TIME_dup(tm);
- if (in != NULL)
- {
+ if (in != NULL) {
M_ASN1_TIME_free(x->revocationDate);
x->revocationDate=in;
- }
}
- return(in != NULL);
}
+ return(in != NULL);
+}
int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial)
- {
+{
ASN1_INTEGER *in;
if (x == NULL) return(0);
in=x->serialNumber;
- if (in != serial)
- {
+ if (in != serial) {
in=M_ASN1_INTEGER_dup(serial);
- if (in != NULL)
- {
+ if (in != NULL) {
M_ASN1_INTEGER_free(x->serialNumber);
x->serialNumber=in;
- }
}
- return(in != NULL);
}
+ return(in != NULL);
+}
#include <openssl/x509.h>
int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len)
- {
+{
ASN1_OBJECT *obj;
obj=OBJ_nid2obj(nid);
if (obj == NULL) return(-1);
return(X509_NAME_get_text_by_OBJ(name,obj,buf,len));
- }
+}
int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, char *buf,
int len)
- {
+{
int i;
ASN1_STRING *data;
memcpy(buf,data->data,i);
buf[i]='\0';
return(i);
- }
+}
int X509_NAME_entry_count(X509_NAME *name)
- {
+{
if (name == NULL) return(0);
return(sk_X509_NAME_ENTRY_num(name->entries));
- }
+}
int X509_NAME_get_index_by_NID(X509_NAME *name, int nid, int lastpos)
- {
+{
ASN1_OBJECT *obj;
obj=OBJ_nid2obj(nid);
if (obj == NULL) return(-2);
return(X509_NAME_get_index_by_OBJ(name,obj,lastpos));
- }
+}
/* NOTE: you should be passsing -1, not 0 as lastpos */
int X509_NAME_get_index_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj,
int lastpos)
- {
+{
int n;
X509_NAME_ENTRY *ne;
STACK_OF(X509_NAME_ENTRY) *sk;
lastpos= -1;
sk=name->entries;
n=sk_X509_NAME_ENTRY_num(sk);
- for (lastpos++; lastpos < n; lastpos++)
- {
+ for (lastpos++; lastpos < n; lastpos++) {
ne=sk_X509_NAME_ENTRY_value(sk,lastpos);
if (OBJ_cmp(ne->object,obj) == 0)
return(lastpos);
- }
- return(-1);
}
+ return(-1);
+}
X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc)
- {
+{
if(name == NULL || sk_X509_NAME_ENTRY_num(name->entries) <= loc
|| loc < 0)
return(NULL);
else
return(sk_X509_NAME_ENTRY_value(name->entries,loc));
- }
+}
X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc)
- {
+{
X509_NAME_ENTRY *ret;
int i,n,set_prev,set_next;
STACK_OF(X509_NAME_ENTRY) *sk;
for (i=loc; i<n; i++)
sk_X509_NAME_ENTRY_value(sk,i)->set--;
return(ret);
- }
+}
int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type,
unsigned char *bytes, int len, int loc, int set)
* prepend to the guy we are about to stomp on. */
int X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne, int loc,
int set)
- {
+{
X509_NAME_ENTRY *new_name=NULL;
int n,i,inc;
STACK_OF(X509_NAME_ENTRY) *sk;
name->modified=1;
- if (set == -1)
- {
- if (loc == 0)
- {
+ if (set == -1) {
+ if (loc == 0) {
set=0;
inc=1;
- }
- else
- {
+ } else {
set=sk_X509_NAME_ENTRY_value(sk,loc-1)->set;
inc=0;
- }
}
- else /* if (set >= 0) */
- {
- if (loc >= n)
- {
+ } else /* if (set >= 0) */ {
+ if (loc >= n) {
if (loc != 0)
set=sk_X509_NAME_ENTRY_value(sk,loc-1)->set+1;
else
set=0;
- }
- else
+ } else
set=sk_X509_NAME_ENTRY_value(sk,loc)->set;
inc=(set == 0)?1:0;
- }
+ }
if ((new_name=X509_NAME_ENTRY_dup(ne)) == NULL)
goto err;
new_name->set=set;
- if (!sk_X509_NAME_ENTRY_insert(sk,new_name,loc))
- {
+ if (!sk_X509_NAME_ENTRY_insert(sk,new_name,loc)) {
X509err(X509_F_X509_NAME_ADD_ENTRY,ERR_R_MALLOC_FAILURE);
goto err;
- }
- if (inc)
- {
+ }
+ if (inc) {
n=sk_X509_NAME_ENTRY_num(sk);
for (i=loc+1; i<n; i++)
sk_X509_NAME_ENTRY_value(sk,i-1)->set+=1;
- }
+ }
return(1);
err:
if (new_name != NULL)
X509_NAME_ENTRY_free(new_name);
return(0);
- }
+}
X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
const char *field, int type, const unsigned char *bytes, int len)
- {
+{
ASN1_OBJECT *obj;
X509_NAME_ENTRY *nentry;
obj=OBJ_txt2obj(field, 0);
- if (obj == NULL)
- {
+ if (obj == NULL) {
X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_TXT,
X509_R_INVALID_FIELD_NAME);
ERR_add_error_data(2, "name=", field);
return(NULL);
- }
+ }
nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len);
ASN1_OBJECT_free(obj);
return nentry;
- }
+}
X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
int type, unsigned char *bytes, int len)
- {
+{
ASN1_OBJECT *obj;
X509_NAME_ENTRY *nentry;
obj=OBJ_nid2obj(nid);
- if (obj == NULL)
- {
+ if (obj == NULL) {
X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_NID,X509_R_UNKNOWN_NID);
return(NULL);
- }
+ }
nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len);
ASN1_OBJECT_free(obj);
return nentry;
- }
+}
X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len)
- {
+{
X509_NAME_ENTRY *ret;
- if ((ne == NULL) || (*ne == NULL))
- {
+ if ((ne == NULL) || (*ne == NULL)) {
if ((ret=X509_NAME_ENTRY_new()) == NULL)
return(NULL);
- }
- else
+ } else
ret= *ne;
if (!X509_NAME_ENTRY_set_object(ret,obj))
if ((ne == NULL) || (ret != *ne))
X509_NAME_ENTRY_free(ret);
return(NULL);
- }
+}
int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj)
- {
- if ((ne == NULL) || (obj == NULL))
- {
+{
+ if ((ne == NULL) || (obj == NULL)) {
X509err(X509_F_X509_NAME_ENTRY_SET_OBJECT,ERR_R_PASSED_NULL_PARAMETER);
return(0);
- }
+ }
ASN1_OBJECT_free(ne->object);
ne->object=OBJ_dup(obj);
return((ne->object == NULL)?0:1);
- }
+}
int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
const unsigned char *bytes, int len)
- {
+{
int i;
if ((ne == NULL) || ((bytes == NULL) && (len != 0))) return(0);
if (len < 0) len=strlen((const char *)bytes);
i=ASN1_STRING_set(ne->value,bytes,len);
if (!i) return(0);
- if (type != V_ASN1_UNDEF)
- {
+ if (type != V_ASN1_UNDEF) {
if (type == V_ASN1_APP_CHOOSE)
ne->value->type=ASN1_PRINTABLE_type(bytes,len);
else
ne->value->type=type;
- }
- return(1);
}
+ return(1);
+}
ASN1_OBJECT *X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne)
- {
+{
if (ne == NULL) return(NULL);
return(ne->object);
- }
+}
ASN1_STRING *X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne)
- {
+{
if (ne == NULL) return(NULL);
return(ne->value);
- }
+}
#include <openssl/x509.h>
int X509_REQ_set_version(X509_REQ *x, long version)
- {
+{
if (x == NULL) return(0);
return(ASN1_INTEGER_set(x->req_info->version,version));
- }
+}
int X509_REQ_set_subject_name(X509_REQ *x, X509_NAME *name)
- {
+{
if ((x == NULL) || (x->req_info == NULL)) return(0);
return(X509_NAME_set(&x->req_info->subject,name));
- }
+}
int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey)
- {
+{
if ((x == NULL) || (x->req_info == NULL)) return(0);
return(X509_PUBKEY_set(&x->req_info->pubkey,pkey));
- }
+}
#include <openssl/x509.h>
int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
- {
+{
EVP_PKEY *pk;
int ret=0,i;
if (pk == NULL) return(0);
- switch (pk->type)
- {
+ switch (pk->type) {
case EVP_PKEY_RSA:
ret=EVP_PK_RSA|EVP_PKT_SIGN;
/* if (!sign only extension) */
break;
default:
break;
- }
+ }
i=OBJ_obj2nid(x->sig_alg->algorithm);
- if (i && OBJ_find_sigid_algs(i, NULL, &i))
- {
+ if (i && OBJ_find_sigid_algs(i, NULL, &i)) {
- switch (i)
- {
+ switch (i) {
case NID_rsaEncryption:
case NID_rsa:
ret|=EVP_PKS_RSA;
break;
default:
break;
- }
}
+ }
if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look
for, not bytes */
ret|=EVP_PKT_EXP;
if(pkey==NULL) EVP_PKEY_free(pk);
return(ret);
- }
+}
if (lastpos < 0)
lastpos=0;
n=sk_X509_ATTRIBUTE_num(sk);
- for ( ; lastpos < n; lastpos++)
- {
+ for ( ; lastpos < n; lastpos++) {
ex=sk_X509_ATTRIBUTE_value(sk,lastpos);
if (OBJ_cmp(ex->object,obj) == 0)
return(lastpos);
X509_ATTRIBUTE *new_attr=NULL;
STACK_OF(X509_ATTRIBUTE) *sk=NULL;
- if (x == NULL)
- {
+ if (x == NULL) {
X509err(X509_F_X509AT_ADD1_ATTR, ERR_R_PASSED_NULL_PARAMETER);
goto err2;
- }
+ }
- if (*x == NULL)
- {
+ if (*x == NULL) {
if ((sk=sk_X509_ATTRIBUTE_new_null()) == NULL)
goto err;
- }
- else
+ } else
sk= *x;
if ((new_attr=X509_ATTRIBUTE_dup(attr)) == NULL)
X509_ATTRIBUTE *ret;
obj=OBJ_nid2obj(nid);
- if (obj == NULL)
- {
+ if (obj == NULL) {
X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_NID,X509_R_UNKNOWN_NID);
return(NULL);
- }
+ }
ret=X509_ATTRIBUTE_create_by_OBJ(attr,obj,atrtype,data,len);
if (ret == NULL) ASN1_OBJECT_free(obj);
return(ret);
{
X509_ATTRIBUTE *ret;
- if ((attr == NULL) || (*attr == NULL))
- {
- if ((ret=X509_ATTRIBUTE_new()) == NULL)
- {
+ if ((attr == NULL) || (*attr == NULL)) {
+ if ((ret=X509_ATTRIBUTE_new()) == NULL) {
X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE);
return(NULL);
- }
}
+ }
else
ret= *attr;
X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
const char *atrname, int type, const unsigned char *bytes, int len)
- {
+{
ASN1_OBJECT *obj;
X509_ATTRIBUTE *nattr;
obj=OBJ_txt2obj(atrname, 0);
- if (obj == NULL)
- {
+ if (obj == NULL) {
X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_TXT,
X509_R_INVALID_FIELD_NAME);
ERR_add_error_data(2, "name=", atrname);
return(NULL);
- }
+ }
nattr = X509_ATTRIBUTE_create_by_OBJ(attr,obj,type,bytes,len);
ASN1_OBJECT_free(obj);
return nattr;
- }
+}
int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj)
{
if (attrtype == 0)
return 1;
if(!(ttmp = ASN1_TYPE_new())) goto err;
- if ((len == -1) && !(attrtype & MBSTRING_FLAG))
- {
+ if ((len == -1) && !(attrtype & MBSTRING_FLAG)) {
if (!ASN1_TYPE_set1(ttmp, attrtype, data))
goto err;
- }
- else
+ } else
ASN1_TYPE_set(ttmp, atype, stmp);
if(!sk_ASN1_TYPE_push(attr->value.set, ttmp)) goto err;
return 1;
#include <openssl/x509v3.h>
int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b)
- {
+{
int i;
X509_CINF *ai,*bi;
i=M_ASN1_INTEGER_cmp(ai->serialNumber,bi->serialNumber);
if (i) return(i);
return(X509_NAME_cmp(ai->issuer,bi->issuer));
- }
+}
#ifndef OPENSSL_NO_MD5
unsigned long X509_issuer_and_serial_hash(X509 *a)
- {
+{
unsigned long ret=0;
EVP_MD_CTX ctx;
unsigned char md[16];
err:
EVP_MD_CTX_cleanup(&ctx);
return(ret);
- }
+}
#endif
int X509_issuer_name_cmp(const X509 *a, const X509 *b)
- {
+{
return(X509_NAME_cmp(a->cert_info->issuer,b->cert_info->issuer));
- }
+}
int X509_subject_name_cmp(const X509 *a, const X509 *b)
- {
+{
return(X509_NAME_cmp(a->cert_info->subject,b->cert_info->subject));
- }
+}
int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b)
- {
+{
return(X509_NAME_cmp(a->crl->issuer,b->crl->issuer));
- }
+}
#ifndef OPENSSL_NO_SHA
int X509_CRL_match(const X509_CRL *a, const X509_CRL *b)
- {
+{
return memcmp(a->sha1_hash, b->sha1_hash, 20);
- }
+}
#endif
X509_NAME *X509_get_issuer_name(X509 *a)
- {
+{
return(a->cert_info->issuer);
- }
+}
unsigned long X509_issuer_name_hash(X509 *x)
- {
+{
return(X509_NAME_hash(x->cert_info->issuer));
- }
+}
#ifndef OPENSSL_NO_MD5
unsigned long X509_issuer_name_hash_old(X509 *x)
- {
+{
return(X509_NAME_hash_old(x->cert_info->issuer));
- }
+}
#endif
X509_NAME *X509_get_subject_name(X509 *a)
- {
+{
return(a->cert_info->subject);
- }
+}
ASN1_INTEGER *X509_get_serialNumber(X509 *a)
- {
+{
return(a->cert_info->serialNumber);
- }
+}
unsigned long X509_subject_name_hash(X509 *x)
- {
+{
return(X509_NAME_hash(x->cert_info->subject));
- }
+}
#ifndef OPENSSL_NO_MD5
unsigned long X509_subject_name_hash_old(X509 *x)
- {
+{
return(X509_NAME_hash_old(x->cert_info->subject));
- }
+}
#endif
#ifndef OPENSSL_NO_SHA
int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
- {
+{
int ret;
/* Ensure canonical encoding is present and up to date */
- if (!a->canon_enc || a->modified)
- {
+ if (!a->canon_enc || a->modified) {
ret = i2d_X509_NAME((X509_NAME *)a, NULL);
if (ret < 0)
return -2;
- }
+ }
- if (!b->canon_enc || b->modified)
- {
+ if (!b->canon_enc || b->modified) {
ret = i2d_X509_NAME((X509_NAME *)b, NULL);
if (ret < 0)
return -2;
- }
+ }
ret = a->canon_enclen - b->canon_enclen;
return memcmp(a->canon_enc, b->canon_enc, a->canon_enclen);
- }
+}
unsigned long X509_NAME_hash(X509_NAME *x)
- {
+{
unsigned long ret=0;
unsigned char md[SHA_DIGEST_LENGTH];
((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
)&0xffffffffL;
return(ret);
- }
+}
#ifndef OPENSSL_NO_MD5
* this is reasonably efficient. */
unsigned long X509_NAME_hash_old(X509_NAME *x)
- {
+{
EVP_MD_CTX md_ctx;
unsigned long ret=0;
unsigned char md[16];
EVP_MD_CTX_cleanup(&md_ctx);
return(ret);
- }
+}
#endif
/* Search a stack of X509 for a match */
X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name,
ASN1_INTEGER *serial)
- {
+{
int i;
X509_CINF cinf;
X509 x,*x509=NULL;
cinf.serialNumber=serial;
cinf.issuer=name;
- for (i=0; i<sk_X509_num(sk); i++)
- {
+ for (i=0; i<sk_X509_num(sk); i++) {
x509=sk_X509_value(sk,i);
if (X509_issuer_and_serial_cmp(x509,&x) == 0)
return(x509);
- }
- return(NULL);
}
+ return(NULL);
+}
X509 *X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name)
- {
+{
X509 *x509;
int i;
- for (i=0; i<sk_X509_num(sk); i++)
- {
+ for (i=0; i<sk_X509_num(sk); i++) {
x509=sk_X509_value(sk,i);
if (X509_NAME_cmp(X509_get_subject_name(x509),name) == 0)
return(x509);
- }
- return(NULL);
}
+ return(NULL);
+}
EVP_PKEY *X509_get_pubkey(X509 *x)
- {
+{
if ((x == NULL) || (x->cert_info == NULL))
return(NULL);
return(X509_PUBKEY_get(x->cert_info->key));
- }
+}
ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x)
- {
+{
if(!x) return NULL;
return x->cert_info->key->public_key;
- }
+}
int X509_check_private_key(X509 *x, EVP_PKEY *k)
- {
+{
EVP_PKEY *xk;
int ret;
else
ret = -2;
- switch (ret)
- {
+ switch (ret) {
case 1:
break;
case 0:
break;
case -2:
X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE);
- }
+ }
if (xk)
EVP_PKEY_free(xk);
if (ret > 0)
return 1;
return 0;
- }
+}
#ifndef OPENSSL_NO_STDIO
int X509_STORE_set_default_paths(X509_STORE *ctx)
- {
+{
X509_LOOKUP *lookup;
lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file());
ERR_clear_error();
return(1);
- }
+}
int X509_STORE_load_locations(X509_STORE *ctx, const char *file,
const char *path)
- {
+{
X509_LOOKUP *lookup;
- if (file != NULL)
- {
+ if (file != NULL) {
lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file());
if (lookup == NULL) return(0);
if (X509_LOOKUP_load_file(lookup,file,X509_FILETYPE_PEM) != 1)
return(0);
- }
- if (path != NULL)
- {
+ }
+ if (path != NULL) {
lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_hash_dir());
if (lookup == NULL) return(0);
if (X509_LOOKUP_add_dir(lookup,path,X509_FILETYPE_PEM) != 1)
return(0);
- }
+ }
if ((path == NULL) && (file == NULL))
return(0);
return(1);
- }
+}
#endif
#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509,0,reason)
static ERR_STRING_DATA X509_str_functs[]=
- {
+{
{ERR_FUNC(X509_F_ADD_CERT_DIR), "ADD_CERT_DIR"},
{ERR_FUNC(X509_F_BY_FILE_CTRL), "BY_FILE_CTRL"},
{ERR_FUNC(X509_F_CHECK_POLICY), "CHECK_POLICY"},
{ERR_FUNC(X509_F_X509_TRUST_SET), "X509_TRUST_set"},
{ERR_FUNC(X509_F_X509_VERIFY_CERT), "X509_verify_cert"},
{0,NULL}
- };
+};
static ERR_STRING_DATA X509_str_reasons[]=
- {
+{
{ERR_REASON(X509_R_BAD_X509_FILETYPE) ,"bad x509 filetype"},
{ERR_REASON(X509_R_BASE64_DECODE_ERROR) ,"base64 decode error"},
{ERR_REASON(X509_R_CANT_CHECK_DH_KEY) ,"cant check dh key"},
{ERR_REASON(X509_R_WRONG_LOOKUP_TYPE) ,"wrong lookup type"},
{ERR_REASON(X509_R_WRONG_TYPE) ,"wrong type"},
{0,NULL}
- };
+};
#endif
void ERR_load_X509_strings(void)
- {
+{
#ifndef OPENSSL_NO_ERR
- if (ERR_func_error_string(X509_str_functs[0].error) == NULL)
- {
+ if (ERR_func_error_string(X509_str_functs[0].error) == NULL) {
ERR_load_strings(0,X509_str_functs);
ERR_load_strings(0,X509_str_reasons);
- }
-#endif
}
+#endif
+}
int X509_CRL_get_ext_count(X509_CRL *x)
- {
+{
return(X509v3_get_ext_count(x->crl->extensions));
- }
+}
int X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int lastpos)
- {
+{
return(X509v3_get_ext_by_NID(x->crl->extensions,nid,lastpos));
- }
+}
int X509_CRL_get_ext_by_OBJ(X509_CRL *x, ASN1_OBJECT *obj, int lastpos)
- {
+{
return(X509v3_get_ext_by_OBJ(x->crl->extensions,obj,lastpos));
- }
+}
int X509_CRL_get_ext_by_critical(X509_CRL *x, int crit, int lastpos)
- {
+{
return(X509v3_get_ext_by_critical(x->crl->extensions,crit,lastpos));
- }
+}
X509_EXTENSION *X509_CRL_get_ext(X509_CRL *x, int loc)
- {
+{
return(X509v3_get_ext(x->crl->extensions,loc));
- }
+}
X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc)
- {
+{
return(X509v3_delete_ext(x->crl->extensions,loc));
- }
+}
void *X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx)
{
}
int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc)
- {
+{
return(X509v3_add_ext(&(x->crl->extensions),ex,loc) != NULL);
- }
+}
int X509_get_ext_count(X509 *x)
- {
+{
return(X509v3_get_ext_count(x->cert_info->extensions));
- }
+}
int X509_get_ext_by_NID(X509 *x, int nid, int lastpos)
- {
+{
return(X509v3_get_ext_by_NID(x->cert_info->extensions,nid,lastpos));
- }
+}
int X509_get_ext_by_OBJ(X509 *x, ASN1_OBJECT *obj, int lastpos)
- {
+{
return(X509v3_get_ext_by_OBJ(x->cert_info->extensions,obj,lastpos));
- }
+}
int X509_get_ext_by_critical(X509 *x, int crit, int lastpos)
- {
+{
return(X509v3_get_ext_by_critical(x->cert_info->extensions,crit,lastpos));
- }
+}
X509_EXTENSION *X509_get_ext(X509 *x, int loc)
- {
+{
return(X509v3_get_ext(x->cert_info->extensions,loc));
- }
+}
X509_EXTENSION *X509_delete_ext(X509 *x, int loc)
- {
+{
return(X509v3_delete_ext(x->cert_info->extensions,loc));
- }
+}
int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc)
- {
+{
return(X509v3_add_ext(&(x->cert_info->extensions),ex,loc) != NULL);
- }
+}
void *X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx)
{
}
int X509_REVOKED_get_ext_count(X509_REVOKED *x)
- {
+{
return(X509v3_get_ext_count(x->extensions));
- }
+}
int X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int lastpos)
- {
+{
return(X509v3_get_ext_by_NID(x->extensions,nid,lastpos));
- }
+}
int X509_REVOKED_get_ext_by_OBJ(X509_REVOKED *x, ASN1_OBJECT *obj,
int lastpos)
- {
+{
return(X509v3_get_ext_by_OBJ(x->extensions,obj,lastpos));
- }
+}
int X509_REVOKED_get_ext_by_critical(X509_REVOKED *x, int crit, int lastpos)
- {
+{
return(X509v3_get_ext_by_critical(x->extensions,crit,lastpos));
- }
+}
X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *x, int loc)
- {
+{
return(X509v3_get_ext(x->extensions,loc));
- }
+}
X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc)
- {
+{
return(X509v3_delete_ext(x->extensions,loc));
- }
+}
int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc)
- {
+{
return(X509v3_add_ext(&(x->extensions),ex,loc) != NULL);
- }
+}
void *X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx)
{
#include <openssl/x509v3.h>
X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
- {
+{
X509_LOOKUP *ret;
ret=(X509_LOOKUP *)malloc(sizeof(X509_LOOKUP));
ret->method=method;
ret->method_data=NULL;
ret->store_ctx=NULL;
- if ((method->new_item != NULL) && !method->new_item(ret))
- {
+ if ((method->new_item != NULL) && !method->new_item(ret)) {
free(ret);
return NULL;
- }
- return ret;
}
+ return ret;
+}
void X509_LOOKUP_free(X509_LOOKUP *ctx)
- {
+{
if (ctx == NULL) return;
if ( (ctx->method != NULL) &&
(ctx->method->free != NULL))
(*ctx->method->free)(ctx);
free(ctx);
- }
+}
int X509_LOOKUP_init(X509_LOOKUP *ctx)
- {
+{
if (ctx->method == NULL) return 0;
if (ctx->method->init != NULL)
return ctx->method->init(ctx);
else
return 1;
- }
+}
int X509_LOOKUP_shutdown(X509_LOOKUP *ctx)
- {
+{
if (ctx->method == NULL) return 0;
if (ctx->method->shutdown != NULL)
return ctx->method->shutdown(ctx);
else
return 1;
- }
+}
int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
char **ret)
- {
+{
if (ctx->method == NULL) return -1;
if (ctx->method->ctrl != NULL)
return ctx->method->ctrl(ctx,cmd,argc,argl,ret);
else
return 1;
- }
+}
int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,
X509_OBJECT *ret)
return X509_LU_FAIL;
if (ctx->skip) return 0;
return ctx->method->get_by_subject(ctx,type,name,ret);
- }
+}
int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name,
ASN1_INTEGER *serial, X509_OBJECT *ret)
- {
+{
if ((ctx->method == NULL) ||
(ctx->method->get_by_issuer_serial == NULL))
return X509_LU_FAIL;
return ctx->method->get_by_issuer_serial(ctx,type,name,serial,ret);
- }
+}
int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type,
unsigned char *bytes, int len, X509_OBJECT *ret)
- {
+{
if ((ctx->method == NULL) || (ctx->method->get_by_fingerprint == NULL))
return X509_LU_FAIL;
return ctx->method->get_by_fingerprint(ctx,type,bytes,len,ret);
- }
+}
int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, int len,
X509_OBJECT *ret)
- {
+{
if ((ctx->method == NULL) || (ctx->method->get_by_alias == NULL))
return X509_LU_FAIL;
return ctx->method->get_by_alias(ctx,type,str,len,ret);
- }
+}
static int x509_object_cmp(const X509_OBJECT * const *a, const X509_OBJECT * const *b)
- {
+ {
int ret;
ret=((*a)->type - (*b)->type);
if (ret) return ret;
- switch ((*a)->type)
- {
+ switch ((*a)->type) {
case X509_LU_X509:
ret=X509_subject_name_cmp((*a)->data.x509,(*b)->data.x509);
break;
default:
/* abort(); */
return 0;
- }
- return ret;
}
+ return ret;
+}
X509_STORE *X509_STORE_new(void)
- {
+{
X509_STORE *ret;
if ((ret=(X509_STORE *)malloc(sizeof(X509_STORE))) == NULL)
sk_X509_OBJECT_free(ret->objs);
free(ret);
return NULL;
- }
+}
ret->get_issuer = 0;
ret->check_issued = 0;
ret->lookup_crls = 0;
ret->cleanup = 0;
- if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data))
- {
+ if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data)) {
sk_X509_OBJECT_free(ret->objs);
free(ret);
return NULL;
- }
+ }
ret->references=1;
return ret;
- }
+}
static void cleanup(X509_OBJECT *a)
- {
- if (a->type == X509_LU_X509)
- {
+{
+ if (a->type == X509_LU_X509) {
X509_free(a->data.x509);
- }
- else if (a->type == X509_LU_CRL)
- {
+ } else if (a->type == X509_LU_CRL) {
X509_CRL_free(a->data.crl);
- }
- else
- {
+ } else {
/* abort(); */
- }
+ }
free(a);
- }
+}
void X509_STORE_free(X509_STORE *vfy)
- {
+{
int i;
STACK_OF(X509_LOOKUP) *sk;
X509_LOOKUP *lu;
return;
sk=vfy->get_cert_methods;
- for (i=0; i<sk_X509_LOOKUP_num(sk); i++)
- {
+ for (i=0; i<sk_X509_LOOKUP_num(sk); i++) {
lu=sk_X509_LOOKUP_value(sk,i);
X509_LOOKUP_shutdown(lu);
X509_LOOKUP_free(lu);
- }
+ }
sk_X509_LOOKUP_free(sk);
sk_X509_OBJECT_pop_free(vfy->objs, cleanup);
if (vfy->param)
X509_VERIFY_PARAM_free(vfy->param);
free(vfy);
- }
+}
X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m)
- {
+{
int i;
STACK_OF(X509_LOOKUP) *sk;
X509_LOOKUP *lu;
sk=v->get_cert_methods;
- for (i=0; i<sk_X509_LOOKUP_num(sk); i++)
- {
+ for (i=0; i<sk_X509_LOOKUP_num(sk); i++) {
lu=sk_X509_LOOKUP_value(sk,i);
- if (m == lu->method)
- {
+ if (m == lu->method) {
return lu;
- }
}
+ }
/* a new one */
lu=X509_LOOKUP_new(m);
if (lu == NULL)
return NULL;
- else
- {
+ else {
lu->store_ctx=v;
if (sk_X509_LOOKUP_push(v->get_cert_methods,lu))
return lu;
- else
- {
+ else {
X509_LOOKUP_free(lu);
return NULL;
- }
}
}
+}
int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
X509_OBJECT *ret)
- {
+{
X509_STORE *ctx=vs->ctx;
X509_LOOKUP *lu;
X509_OBJECT stmp,*tmp;
tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name);
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
- if (tmp == NULL || type == X509_LU_CRL)
- {
- for (i=vs->current_method; i<sk_X509_LOOKUP_num(ctx->get_cert_methods); i++)
- {
+ if (tmp == NULL || type == X509_LU_CRL) {
+ for (i=vs->current_method; i<sk_X509_LOOKUP_num(ctx->get_cert_methods); i++) {
lu=sk_X509_LOOKUP_value(ctx->get_cert_methods,i);
j=X509_LOOKUP_by_subject(lu,type,name,&stmp);
- if (j < 0)
- {
+ if (j < 0) {
vs->current_method=j;
return j;
- }
- else if (j)
- {
+ } else if (j) {
tmp= &stmp;
break;
- }
}
+ }
vs->current_method=0;
if (tmp == NULL)
return 0;
- }
+ }
/* if (ret->data.ptr != NULL)
X509_OBJECT_free_contents(ret); */
X509_OBJECT_up_ref_count(ret);
return 1;
- }
+}
int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
- {
+{
X509_OBJECT *obj;
int ret=1;
if (x == NULL) return 0;
obj=(X509_OBJECT *)malloc(sizeof(X509_OBJECT));
- if (obj == NULL)
- {
+ if (obj == NULL) {
X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE);
return 0;
- }
+ }
obj->type=X509_LU_X509;
obj->data.x509=x;
X509_OBJECT_up_ref_count(obj);
- if (X509_OBJECT_retrieve_match(ctx->objs, obj))
- {
+ if (X509_OBJECT_retrieve_match(ctx->objs, obj)) {
X509_OBJECT_free_contents(obj);
free(obj);
X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE);
ret=0;
- }
+ }
else sk_X509_OBJECT_push(ctx->objs, obj);
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
return ret;
- }
+}
int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
- {
+{
X509_OBJECT *obj;
int ret=1;
if (x == NULL) return 0;
obj=(X509_OBJECT *)malloc(sizeof(X509_OBJECT));
- if (obj == NULL)
- {
+ if (obj == NULL) {
X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE);
return 0;
- }
+ }
obj->type=X509_LU_CRL;
obj->data.crl=x;
X509_OBJECT_up_ref_count(obj);
- if (X509_OBJECT_retrieve_match(ctx->objs, obj))
- {
+ if (X509_OBJECT_retrieve_match(ctx->objs, obj)) {
X509_OBJECT_free_contents(obj);
free(obj);
X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE);
ret=0;
- }
- else sk_X509_OBJECT_push(ctx->objs, obj);
+ } else
+ sk_X509_OBJECT_push(ctx->objs, obj);
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
return ret;
- }
+}
void X509_OBJECT_up_ref_count(X509_OBJECT *a)
- {
- switch (a->type)
- {
+{
+ switch (a->type) {
case X509_LU_X509:
CRYPTO_add(&a->data.x509->references,1,CRYPTO_LOCK_X509);
break;
case X509_LU_CRL:
CRYPTO_add(&a->data.crl->references,1,CRYPTO_LOCK_X509_CRL);
break;
- }
}
+}
void X509_OBJECT_free_contents(X509_OBJECT *a)
- {
- switch (a->type)
- {
+{
+ switch (a->type) {
case X509_LU_X509:
X509_free(a->data.x509);
break;
case X509_LU_CRL:
X509_CRL_free(a->data.crl);
break;
- }
}
+}
static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type,
X509_NAME *name, int *pnmatch)
- {
+{
X509_OBJECT stmp;
X509 x509_s;
X509_CINF cinf_s;
int idx;
stmp.type=type;
- switch (type)
- {
+ switch (type) {
case X509_LU_X509:
stmp.data.x509= &x509_s;
x509_s.cert_info= &cinf_s;
default:
/* abort(); */
return -1;
- }
+ }
idx = sk_X509_OBJECT_find(h,&stmp);
- if (idx >= 0 && pnmatch)
- {
+ if (idx >= 0 && pnmatch) {
int tidx;
const X509_OBJECT *tobj, *pstmp;
*pnmatch = 1;
pstmp = &stmp;
- for (tidx = idx + 1; tidx < sk_X509_OBJECT_num(h); tidx++)
- {
+ for (tidx = idx + 1; tidx < sk_X509_OBJECT_num(h); tidx++) {
tobj = sk_X509_OBJECT_value(h, tidx);
if (x509_object_cmp(&tobj, &pstmp))
break;
(*pnmatch)++;
- }
}
- return idx;
}
+ return idx;
+}
int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
X509_NAME *name)
- {
+{
return x509_object_idx_cnt(h, type, name, NULL);
- }
+}
X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type,
X509_NAME *name)
- {
+{
int idx;
idx = X509_OBJECT_idx_by_subject(h, type, name);
if (idx==-1) return NULL;
return sk_X509_OBJECT_value(h, idx);
- }
+}
STACK_OF(X509)* X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
- {
+{
int i, idx, cnt;
STACK_OF(X509) *sk;
X509 *x;
sk = sk_X509_new_null();
CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);
- if (idx < 0)
- {
+ if (idx < 0) {
/* Nothing found in cache: do lookup to possibly add new
* objects to cache
*/
X509_OBJECT xobj;
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
- if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, nm, &xobj))
- {
+ if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, nm, &xobj)) {
sk_X509_free(sk);
return NULL;
- }
+ }
X509_OBJECT_free_contents(&xobj);
CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_X509,nm, &cnt);
- if (idx < 0)
- {
+ if (idx < 0) {
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
sk_X509_free(sk);
return NULL;
- }
}
- for (i = 0; i < cnt; i++, idx++)
- {
+ }
+ for (i = 0; i < cnt; i++, idx++) {
obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
x = obj->data.x509;
CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
- if (!sk_X509_push(sk, x))
- {
+ if (!sk_X509_push(sk, x)) {
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
X509_free(x);
sk_X509_pop_free(sk, X509_free);
return NULL;
- }
}
+ }
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
return sk;
- }
+}
STACK_OF(X509_CRL)* X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
- {
+{
int i, idx, cnt;
STACK_OF(X509_CRL) *sk;
X509_CRL *x;
/* Always do lookup to possibly add new CRLs to cache
*/
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
- if (!X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj))
- {
+ if (!X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj)) {
sk_X509_CRL_free(sk);
return NULL;
- }
+ }
X509_OBJECT_free_contents(&xobj);
CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_CRL, nm, &cnt);
- if (idx < 0)
- {
+ if (idx < 0) {
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
sk_X509_CRL_free(sk);
return NULL;
- }
+ }
- for (i = 0; i < cnt; i++, idx++)
- {
+ for (i = 0; i < cnt; i++, idx++) {
obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
x = obj->data.crl;
CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL);
- if (!sk_X509_CRL_push(sk, x))
- {
+ if (!sk_X509_CRL_push(sk, x)) {
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
X509_CRL_free(x);
sk_X509_CRL_pop_free(sk, X509_CRL_free);
return NULL;
- }
}
+ }
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
return sk;
- }
+}
X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x)
- {
+{
int idx, i;
X509_OBJECT *obj;
idx = sk_X509_OBJECT_find(h, x);
if (idx == -1) return NULL;
if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL))
return sk_X509_OBJECT_value(h, idx);
- for (i = idx; i < sk_X509_OBJECT_num(h); i++)
- {
+ for (i = idx; i < sk_X509_OBJECT_num(h); i++) {
obj = sk_X509_OBJECT_value(h, i);
if (x509_object_cmp((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x))
return NULL;
- if (x->type == X509_LU_X509)
- {
+ if (x->type == X509_LU_X509) {
if (!X509_cmp(obj->data.x509, x->data.x509))
return obj;
- }
- else if (x->type == X509_LU_CRL)
- {
+ } else if (x->type == X509_LU_CRL) {
if (!X509_CRL_match(obj->data.crl, x->data.crl))
return obj;
- }
- else
+ } else
return obj;
- }
- return NULL;
}
+ return NULL;
+}
/* Try to get issuer certificate from store. Due to limitations
* -1 some other error.
*/
int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
- {
+{
X509_NAME *xn;
X509_OBJECT obj, *pobj;
int i, ok, idx, ret;
xn=X509_get_issuer_name(x);
ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
- if (ok != X509_LU_X509)
- {
- if (ok == X509_LU_RETRY)
- {
+ if (ok != X509_LU_X509) {
+ if (ok == X509_LU_RETRY) {
X509_OBJECT_free_contents(&obj);
X509err(X509_F_X509_STORE_CTX_GET1_ISSUER,X509_R_SHOULD_RETRY);
return -1;
- }
- else if (ok != X509_LU_FAIL)
- {
+ } else if (ok != X509_LU_FAIL) {
X509_OBJECT_free_contents(&obj);
/* not good :-(, break anyway */
return -1;
- }
- return 0;
}
+ return 0;
+ }
/* If certificate matches all OK */
- if (ctx->check_issued(ctx, x, obj.data.x509))
- {
+ if (ctx->check_issued(ctx, x, obj.data.x509)) {
*issuer = obj.data.x509;
return 1;
- }
+ }
X509_OBJECT_free_contents(&obj);
/* Else find index of first cert accepted by 'check_issued' */
ret = 0;
CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
- if (idx != -1) /* should be true as we've had at least one match */
- {
+ if (idx != -1) /* should be true as we've had at least one match */ {
/* Look through all matching certs for suitable issuer */
- for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
- {
+ for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++) {
pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
/* See if we've run past the matches */
if (pobj->type != X509_LU_X509)
break;
if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509)))
break;
- if (ctx->check_issued(ctx, x, pobj->data.x509))
- {
+ if (ctx->check_issued(ctx, x, pobj->data.x509)) {
*issuer = pobj->data.x509;
X509_OBJECT_up_ref_count(pobj);
ret = 1;
break;
- }
}
}
+ }
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
return ret;
- }
+}
int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags)
- {
+{
return X509_VERIFY_PARAM_set_flags(ctx->param, flags);
- }
+}
int X509_STORE_set_depth(X509_STORE *ctx, int depth)
- {
+{
X509_VERIFY_PARAM_set_depth(ctx->param, depth);
return 1;
- }
+}
int X509_STORE_set_purpose(X509_STORE *ctx, int purpose)
- {
+{
return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose);
- }
+}
int X509_STORE_set_trust(X509_STORE *ctx, int trust)
- {
+{
return X509_VERIFY_PARAM_set_trust(ctx->param, trust);
- }
+}
int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param)
- {
+{
return X509_VERIFY_PARAM_set1(ctx->param, param);
- }
+}
void X509_STORE_set_verify_cb(X509_STORE *ctx,
int (*verify_cb)(int, X509_STORE_CTX *))
- {
+{
ctx->verify_cb = verify_cb;
- }
+}
IMPLEMENT_STACK_OF(X509_LOOKUP)
IMPLEMENT_STACK_OF(X509_OBJECT)
#include <openssl/buffer.h>
char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
- {
+{
X509_NAME_ENTRY *ne;
int i;
int n,lold,l,l1,l2,num,j,type;
int gs_doit[4];
char tmp_buf[80];
- if (buf == NULL)
- {
+ if (buf == NULL) {
if ((b=BUF_MEM_new()) == NULL) goto err;
if (!BUF_MEM_grow(b,200)) goto err;
b->data[0]='\0';
len=200;
+ }
+ if (a == NULL) {
+ if(b) {
+ buf=b->data;
+ free(b);
}
- if (a == NULL)
- {
- if(b)
- {
- buf=b->data;
- free(b);
- }
- strlcpy(buf,"NO X509_NAME",len);
- return buf;
- }
+ strlcpy(buf,"NO X509_NAME",len);
+ return buf;
+ }
len--; /* space for '\0' */
l=0;
- for (i=0; i<sk_X509_NAME_ENTRY_num(a->entries); i++)
- {
+ for (i=0; i<sk_X509_NAME_ENTRY_num(a->entries); i++) {
ne=sk_X509_NAME_ENTRY_value(a->entries,i);
n=OBJ_obj2nid(ne->object);
- if ((n == NID_undef) || ((s=OBJ_nid2sn(n)) == NULL))
- {
+ if ((n == NID_undef) || ((s=OBJ_nid2sn(n)) == NULL)) {
i2t_ASN1_OBJECT(tmp_buf,sizeof(tmp_buf),ne->object);
s=tmp_buf;
- }
+ }
l1=strlen(s);
type=ne->value->type;
num=ne->value->length;
q=ne->value->data;
- if ((type == V_ASN1_GENERALSTRING) && ((num%4) == 0))
- {
+ if ((type == V_ASN1_GENERALSTRING) && ((num%4) == 0)) {
gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=0;
for (j=0; j<num; j++)
if (q[j] != 0) gs_doit[j&3]=1;
if (gs_doit[0]|gs_doit[1]|gs_doit[2])
gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=1;
- else
- {
+ else {
gs_doit[0]=gs_doit[1]=gs_doit[2]=0;
gs_doit[3]=1;
- }
}
- else
+ } else
gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=1;
- for (l2=j=0; j<num; j++)
- {
+ for (l2=j=0; j<num; j++) {
if (!gs_doit[j&3]) continue;
l2++;
if ((q[j] < ' ') || (q[j] > '~')) l2+=3;
- }
+ }
lold=l;
l+=1+l1+1+l2;
- if (b != NULL)
- {
+ if (b != NULL) {
if (!BUF_MEM_grow(b,l+1)) goto err;
p= &(b->data[lold]);
- }
- else if (l > len)
- {
+ } else if (l > len) {
break;
- }
- else
+ } else
p= &(buf[lold]);
*(p++)='/';
memcpy(p,s,(unsigned int)l1); p+=l1;
*(p++)='=';
q=ne->value->data;
- for (j=0; j<num; j++)
- {
+ for (j=0; j<num; j++) {
if (!gs_doit[j&3]) continue;
n=q[j];
- if ((n < ' ') || (n > '~'))
- {
+ if ((n < ' ') || (n > '~')) {
*(p++)='\\';
*(p++)='x';
*(p++)=hex[(n>>4)&0x0f];
*(p++)=hex[n&0x0f];
- }
- else
+ } else
*(p++)=n;
- }
- *p='\0';
}
- if (b != NULL)
- {
+ *p='\0';
+ }
+ if (b != NULL) {
p=b->data;
free(b);
- }
- else
+ } else
p=buf;
if (i == 0)
*p = '\0';
X509err(X509_F_X509_NAME_ONELINE,ERR_R_MALLOC_FAILURE);
if (b != NULL) BUF_MEM_free(b);
return(NULL);
- }
+}
#include <openssl/buffer.h>
X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
- {
+{
X509 *ret=NULL;
X509_CINF *xi=NULL;
X509_NAME *xn;
- if ((ret=X509_new()) == NULL)
- {
+ if ((ret=X509_new()) == NULL) {
X509err(X509_F_X509_REQ_TO_X509,ERR_R_MALLOC_FAILURE);
goto err;
- }
+ }
/* duplicate the request */
xi=ret->cert_info;
- if (sk_X509_ATTRIBUTE_num(r->req_info->attributes) != 0)
- {
+ if (sk_X509_ATTRIBUTE_num(r->req_info->attributes) != 0) {
if ((xi->version=M_ASN1_INTEGER_new()) == NULL) goto err;
if (!ASN1_INTEGER_set(xi->version,2)) goto err;
/* xi->extensions=ri->attributes; <- bad, should not ever be done
ri->attributes=NULL; */
- }
+ }
xn=X509_REQ_get_subject_name(r);
if (X509_set_subject_name(ret,X509_NAME_dup(xn)) == 0)
if (!X509_sign(ret,pkey,EVP_md5()))
goto err;
- if (0)
- {
+ if (0) {
err:
X509_free(ret);
ret=NULL;
- }
- return(ret);
}
+ return(ret);
+}
#include <openssl/pem.h>
X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
- {
+{
X509_REQ *ret;
X509_REQ_INFO *ri;
int i;
EVP_PKEY *pktmp;
ret=X509_REQ_new();
- if (ret == NULL)
- {
+ if (ret == NULL) {
X509err(X509_F_X509_TO_X509_REQ,ERR_R_MALLOC_FAILURE);
goto err;
- }
+ }
ri=ret->req_info;
EVP_PKEY_free(pktmp);
if (!i) goto err;
- if (pkey != NULL)
- {
+ if (pkey != NULL) {
if (!X509_REQ_sign(ret,pkey,md))
goto err;
- }
+ }
return(ret);
err:
X509_REQ_free(ret);
return(NULL);
- }
+}
EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req)
- {
+{
if ((req == NULL) || (req->req_info == NULL))
return(NULL);
return(X509_PUBKEY_get(req->req_info->pubkey));
- }
+}
int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k)
- {
+{
EVP_PKEY *xk=NULL;
int ok=0;
xk=X509_REQ_get_pubkey(x);
- switch (EVP_PKEY_cmp(xk, k))
- {
+ switch (EVP_PKEY_cmp(xk, k)) {
case 1:
ok=1;
break;
break;
case -2:
#ifndef OPENSSL_NO_EC
- if (k->type == EVP_PKEY_EC)
- {
+ if (k->type == EVP_PKEY_EC) {
X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY, ERR_R_EC_LIB);
break;
- }
+ }
#endif
#ifndef OPENSSL_NO_DH
- if (k->type == EVP_PKEY_DH)
- {
+ if (k->type == EVP_PKEY_DH) {
/* No idea */
X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY);
break;
- }
+ }
#endif
X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE);
- }
+ }
EVP_PKEY_free(xk);
return(ok);
- }
+}
/* It seems several organisations had the same idea of including a list of
* extensions in a certificate request. There are at least two OIDs that are
}
STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
- {
+{
X509_ATTRIBUTE *attr;
ASN1_TYPE *ext = NULL;
int idx, *pnid;
if ((req == NULL) || (req->req_info == NULL) || !ext_nids)
return(NULL);
- for (pnid = ext_nids; *pnid != NID_undef; pnid++)
- {
+ for (pnid = ext_nids; *pnid != NID_undef; pnid++) {
idx = X509_REQ_get_attr_by_NID(req, *pnid, -1);
if (idx == -1)
continue;
else if(sk_ASN1_TYPE_num(attr->value.set))
ext = sk_ASN1_TYPE_value(attr->value.set, 0);
break;
- }
+ }
if(!ext || (ext->type != V_ASN1_SEQUENCE))
return NULL;
p = ext->value.sequence->data;
at = NULL;
attr->single = 0;
attr->object = OBJ_nid2obj(nid);
- if (!req->req_info->attributes)
- {
+ if (!req->req_info->attributes) {
if (!(req->req_info->attributes = sk_X509_ATTRIBUTE_new_null()))
goto err;
- }
+ }
if(!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) goto err;
return 1;
err:
#include <openssl/x509.h>
int X509_set_version(X509 *x, long version)
- {
+{
if (x == NULL) return(0);
- if (x->cert_info->version == NULL)
- {
+ if (x->cert_info->version == NULL) {
if ((x->cert_info->version=M_ASN1_INTEGER_new()) == NULL)
return(0);
- }
- return(ASN1_INTEGER_set(x->cert_info->version,version));
}
+ return(ASN1_INTEGER_set(x->cert_info->version,version));
+}
int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial)
- {
+{
ASN1_INTEGER *in;
if (x == NULL) return(0);
in=x->cert_info->serialNumber;
- if (in != serial)
- {
+ if (in != serial) {
in=M_ASN1_INTEGER_dup(serial);
- if (in != NULL)
- {
+ if (in != NULL) {
M_ASN1_INTEGER_free(x->cert_info->serialNumber);
x->cert_info->serialNumber=in;
- }
}
- return(in != NULL);
}
+ return(in != NULL);
+}
int X509_set_issuer_name(X509 *x, X509_NAME *name)
- {
+{
if ((x == NULL) || (x->cert_info == NULL)) return(0);
return(X509_NAME_set(&x->cert_info->issuer,name));
- }
+}
int X509_set_subject_name(X509 *x, X509_NAME *name)
- {
+{
if ((x == NULL) || (x->cert_info == NULL)) return(0);
return(X509_NAME_set(&x->cert_info->subject,name));
- }
+}
int X509_set_notBefore(X509 *x, const ASN1_TIME *tm)
- {
+{
ASN1_TIME *in;
if ((x == NULL) || (x->cert_info->validity == NULL)) return(0);
in=x->cert_info->validity->notBefore;
- if (in != tm)
- {
+ if (in != tm) {
in=M_ASN1_TIME_dup(tm);
- if (in != NULL)
- {
+ if (in != NULL) {
M_ASN1_TIME_free(x->cert_info->validity->notBefore);
x->cert_info->validity->notBefore=in;
- }
}
- return(in != NULL);
}
+ return(in != NULL);
+}
int X509_set_notAfter(X509 *x, const ASN1_TIME *tm)
- {
+{
ASN1_TIME *in;
if ((x == NULL) || (x->cert_info->validity == NULL)) return(0);
in=x->cert_info->validity->notAfter;
- if (in != tm)
- {
+ if (in != tm) {
in=M_ASN1_TIME_dup(tm);
- if (in != NULL)
- {
+ if (in != NULL) {
M_ASN1_TIME_free(x->cert_info->validity->notAfter);
x->cert_info->validity->notAfter=in;
- }
}
- return(in != NULL);
}
+ return(in != NULL);
+}
int X509_set_pubkey(X509 *x, EVP_PKEY *pkey)
- {
+{
if ((x == NULL) || (x->cert_info == NULL)) return(0);
return(X509_PUBKEY_set(&(x->cert_info->key),pkey));
- }
-
-
-
+}
return 0;
}
trtmp->flags = X509_TRUST_DYNAMIC;
- } else trtmp = X509_TRUST_get0(idx);
+ } else
+ trtmp = X509_TRUST_get0(idx);
/* free existing name if dynamic */
if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) free(trtmp->name);
}
static void trtable_free(X509_TRUST *p)
- {
+{
if(!p) return;
- if (p->flags & X509_TRUST_DYNAMIC)
- {
+ if (p->flags & X509_TRUST_DYNAMIC) {
if (p->flags & X509_TRUST_DYNAMIC_NAME)
free(p->name);
free(p);
- }
}
+}
void X509_TRUST_cleanup(void)
{
#include <openssl/objects.h>
const char *X509_verify_cert_error_string(long n)
- {
+{
static char buf[100];
- switch ((int)n)
- {
+ switch ((int)n) {
case X509_V_OK:
return("ok");
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
default:
(void) snprintf(buf,sizeof buf,"error number %ld",n);
return(buf);
- }
}
+}
#include <openssl/x509v3.h>
int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x)
- {
+{
if (x == NULL) return(0);
return(sk_X509_EXTENSION_num(x));
- }
+}
int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid,
int lastpos)
- {
+{
ASN1_OBJECT *obj;
obj=OBJ_nid2obj(nid);
if (obj == NULL) return(-2);
return(X509v3_get_ext_by_OBJ(x,obj,lastpos));
- }
+}
int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj,
int lastpos)
- {
+{
int n;
X509_EXTENSION *ex;
if (lastpos < 0)
lastpos=0;
n=sk_X509_EXTENSION_num(sk);
- for ( ; lastpos < n; lastpos++)
- {
+ for ( ; lastpos < n; lastpos++) {
ex=sk_X509_EXTENSION_value(sk,lastpos);
if (OBJ_cmp(ex->object,obj) == 0)
return(lastpos);
- }
- return(-1);
}
+ return(-1);
+}
int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit,
int lastpos)
- {
+{
int n;
X509_EXTENSION *ex;
if (lastpos < 0)
lastpos=0;
n=sk_X509_EXTENSION_num(sk);
- for ( ; lastpos < n; lastpos++)
- {
+ for ( ; lastpos < n; lastpos++) {
ex=sk_X509_EXTENSION_value(sk,lastpos);
if ( ((ex->critical > 0) && crit) ||
((ex->critical <= 0) && !crit))
return(lastpos);
- }
- return(-1);
}
+ return(-1);
+}
X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc)
- {
+{
if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0)
return NULL;
else
return sk_X509_EXTENSION_value(x,loc);
- }
+}
X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc)
- {
+{
X509_EXTENSION *ret;
if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0)
return(NULL);
ret=sk_X509_EXTENSION_delete(x,loc);
return(ret);
- }
+}
STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x,
X509_EXTENSION *ex, int loc)
- {
+{
X509_EXTENSION *new_ex=NULL;
int n;
STACK_OF(X509_EXTENSION) *sk=NULL;
- if (x == NULL)
- {
+ if (x == NULL) {
X509err(X509_F_X509V3_ADD_EXT,ERR_R_PASSED_NULL_PARAMETER);
goto err2;
- }
+ }
- if (*x == NULL)
- {
+ if (*x == NULL) {
if ((sk=sk_X509_EXTENSION_new_null()) == NULL)
goto err;
- }
- else
+ } else
sk= *x;
n=sk_X509_EXTENSION_num(sk);
if (new_ex != NULL) X509_EXTENSION_free(new_ex);
if (sk != NULL) sk_X509_EXTENSION_free(sk);
return(NULL);
- }
+}
X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid,
int crit, ASN1_OCTET_STRING *data)
- {
+{
ASN1_OBJECT *obj;
X509_EXTENSION *ret;
obj=OBJ_nid2obj(nid);
- if (obj == NULL)
- {
+ if (obj == NULL) {
X509err(X509_F_X509_EXTENSION_CREATE_BY_NID,X509_R_UNKNOWN_NID);
return(NULL);
- }
+ }
ret=X509_EXTENSION_create_by_OBJ(ex,obj,crit,data);
if (ret == NULL) ASN1_OBJECT_free(obj);
return(ret);
- }
+}
X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex,
ASN1_OBJECT *obj, int crit, ASN1_OCTET_STRING *data)
- {
+{
X509_EXTENSION *ret;
- if ((ex == NULL) || (*ex == NULL))
- {
+ if ((ex == NULL) || (*ex == NULL)) {
if ((ret=X509_EXTENSION_new()) == NULL)
- {
+ {
X509err(X509_F_X509_EXTENSION_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE);
return(NULL);
- }
}
- else
+ } else
ret= *ex;
if (!X509_EXTENSION_set_object(ret,obj))
if ((ex == NULL) || (ret != *ex))
X509_EXTENSION_free(ret);
return(NULL);
- }
+}
int X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj)
- {
+{
if ((ex == NULL) || (obj == NULL))
return(0);
ASN1_OBJECT_free(ex->object);
ex->object=OBJ_dup(obj);
return(1);
- }
+}
int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit)
- {
+{
if (ex == NULL) return(0);
ex->critical=(crit)?0xFF:-1;
return(1);
- }
+}
int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data)
- {
+{
int i;
if (ex == NULL) return(0);
i=M_ASN1_OCTET_STRING_set(ex->value,data->data,data->length);
if (!i) return(0);
return(1);
- }
+}
ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex)
- {
+{
if (ex == NULL) return(NULL);
return(ex->object);
- }
+}
ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ex)
- {
+{
if (ex == NULL) return(NULL);
return(ex->value);
- }
+}
int X509_EXTENSION_get_critical(X509_EXTENSION *ex)
- {
+{
if (ex == NULL) return(0);
if(ex->critical > 0) return 1;
return 0;
- }
+}
static int null_callback(int ok, X509_STORE_CTX *e)
- {
+{
return ok;
- }
+}
#if 0
static int x509_subject_cmp(X509 **a, X509 **b)
- {
+{
return X509_subject_name_cmp(*a,*b);
- }
+}
#endif
int X509_verify_cert(X509_STORE_CTX *ctx)
- {
+{
X509 *x,*xtmp,*chain_ss=NULL;
int bad_chain = 0;
X509_VERIFY_PARAM *param = ctx->param;
int num;
int (*cb)(int xok,X509_STORE_CTX *xctx);
STACK_OF(X509) *sktmp=NULL;
- if (ctx->cert == NULL)
- {
+ if (ctx->cert == NULL) {
X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
return -1;
- }
+ }
cb=ctx->verify_cb;
/* first we make sure the chain we are going to build is
* present and that the first entry is in place */
- if (ctx->chain == NULL)
- {
+ if (ctx->chain == NULL) {
if ( ((ctx->chain=sk_X509_new_null()) == NULL) ||
- (!sk_X509_push(ctx->chain,ctx->cert)))
- {
+ (!sk_X509_push(ctx->chain,ctx->cert))) {
X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
goto end;
- }
+ }
CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
ctx->last_untrusted=1;
- }
+ }
/* We use a temporary STACK so we can chop and hack at it */
if (ctx->untrusted != NULL
- && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL)
- {
+ && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL) {
X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
goto end;
- }
+ }
num=sk_X509_num(ctx->chain);
x=sk_X509_value(ctx->chain,num-1);
depth=param->depth;
- for (;;)
- {
+ for (;;) {
/* If we have enough, we break */
if (depth < num) break; /* FIXME: If this happens, we should take
* note of it and, if appropriate, use the
if (ctx->check_issued(ctx, x,x)) break;
/* If we were passed a cert chain, use it first */
- if (ctx->untrusted != NULL)
- {
+ if (ctx->untrusted != NULL) {
xtmp=find_issuer(ctx, sktmp,x);
- if (xtmp != NULL)
- {
- if (!sk_X509_push(ctx->chain,xtmp))
- {
+ if (xtmp != NULL) {
+ if (!sk_X509_push(ctx->chain,xtmp)) {
X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
goto end;
- }
+ }
CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509);
(void)sk_X509_delete_ptr(sktmp,xtmp);
ctx->last_untrusted++;
/* reparse the full chain for
* the next one */
continue;
- }
}
- break;
}
+ break;
+ }
/* at this point, chain should contain a list of untrusted
* certificates. We now need to add at least one trusted one,
i=sk_X509_num(ctx->chain);
x=sk_X509_value(ctx->chain,i-1);
- if (ctx->check_issued(ctx, x, x))
- {
+ if (ctx->check_issued(ctx, x, x)) {
/* we have a self signed certificate */
- if (sk_X509_num(ctx->chain) == 1)
- {
+ if (sk_X509_num(ctx->chain) == 1) {
/* We have a single self signed certificate: see if
* we can find it in the store. We must have an exact
* match to avoid possible impersonation.
*/
ok = ctx->get_issuer(&xtmp, ctx, x);
- if ((ok <= 0) || X509_cmp(x, xtmp))
- {
+ if ((ok <= 0) || X509_cmp(x, xtmp)) {
ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
ctx->current_cert=x;
ctx->error_depth=i-1;
bad_chain = 1;
ok=cb(0,ctx);
if (!ok) goto end;
- }
- else
- {
+ } else {
/* We have a match: replace certificate with store version
* so we get any trust settings.
*/
x = xtmp;
(void)sk_X509_set(ctx->chain, i - 1, x);
ctx->last_untrusted=0;
- }
}
- else
- {
+ } else {
/* extract and save self signed certificate for later use */
chain_ss=sk_X509_pop(ctx->chain);
ctx->last_untrusted--;
num--;
x=sk_X509_value(ctx->chain,num-1);
- }
}
+ }
/* We now lookup certs from the certificate store */
- for (;;)
- {
+ for (;;) {
/* If we have enough, we break */
if (depth < num) break;
if (ok == 0) break;
x = xtmp;
- if (!sk_X509_push(ctx->chain,x))
- {
+ if (!sk_X509_push(ctx->chain,x)) {
X509_free(xtmp);
X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
return 0;
- }
- num++;
}
+ num++;
+ }
/* we now have our chain, lets check it... */
/* Is last certificate looked up self signed? */
- if (!ctx->check_issued(ctx,x,x))
- {
- if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss))
- {
+ if (!ctx->check_issued(ctx,x,x)) {
+ if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) {
if (ctx->last_untrusted >= num)
ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
else
ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
ctx->current_cert=x;
- }
- else
- {
+ } else {
sk_X509_push(ctx->chain,chain_ss);
num++;
ctx->current_cert=chain_ss;
ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
chain_ss=NULL;
- }
+ }
ctx->error_depth=num-1;
bad_chain = 1;
ok=cb(0,ctx);
if (!ok) goto end;
- }
+ }
/* We have the chain complete: now we need to check its purpose */
ok = check_chain_extensions(ctx);
if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
ok = ctx->check_policy(ctx);
if(!ok) goto end;
- if (0)
- {
+ if (0) {
end:
X509_get_pubkey_parameters(NULL,ctx->chain);
- }
+ }
if (sktmp != NULL) sk_X509_free(sktmp);
if (chain_ss != NULL) X509_free(chain_ss);
return ok;
- }
+}
/* Given a STACK_OF(X509) find the issuer of cert (if any)
{
int i;
X509 *issuer;
- for (i = 0; i < sk_X509_num(sk); i++)
- {
+ for (i = 0; i < sk_X509_num(sk); i++) {
issuer = sk_X509_value(sk, i);
if (ctx->check_issued(ctx, x, issuer))
return issuer;
- }
+ }
return NULL;
}
static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
{
*issuer = find_issuer(ctx, ctx->other_ctx, x);
- if (*issuer)
- {
+ if (*issuer) {
CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509);
return 1;
- }
- else
+ } else
return 0;
}
must_be_ca = -1;
/* CRL path validation */
- if (ctx->parent)
- {
+ if (ctx->parent) {
allow_proxy_certs = 0;
purpose = X509_PURPOSE_CRL_SIGN;
- }
- else
- {
+ } else {
allow_proxy_certs =
!!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
/* A hack to keep people who don't want to modify their
if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
allow_proxy_certs = 1;
purpose = ctx->param->purpose;
- }
+ }
/* Check all untrusted certificates */
- for (i = 0; i < ctx->last_untrusted; i++)
- {
+ for (i = 0; i < ctx->last_untrusted; i++) {
int ret;
x = sk_X509_value(ctx->chain, i);
if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
- && (x->ex_flags & EXFLAG_CRITICAL))
- {
+ && (x->ex_flags & EXFLAG_CRITICAL)) {
ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
ctx->error_depth = i;
ctx->current_cert = x;
ok=cb(0,ctx);
if (!ok) goto end;
- }
- if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY))
- {
+ }
+ if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) {
ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
ctx->error_depth = i;
ctx->current_cert = x;
ok=cb(0,ctx);
if (!ok) goto end;
- }
+ }
ret = X509_check_ca(x);
- switch(must_be_ca)
- {
+ switch(must_be_ca) {
case -1:
if ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
- && (ret != 1) && (ret != 0))
- {
+ && (ret != 1) && (ret != 0)) {
ret = 0;
ctx->error = X509_V_ERR_INVALID_CA;
- }
- else
+ } else
ret = 1;
break;
case 0:
- if (ret != 0)
- {
+ if (ret != 0) {
ret = 0;
ctx->error = X509_V_ERR_INVALID_NON_CA;
- }
- else
+ } else
ret = 1;
break;
default:
if ((ret == 0)
|| ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
- && (ret != 1)))
- {
+ && (ret != 1))) {
ret = 0;
ctx->error = X509_V_ERR_INVALID_CA;
- }
- else
+ } else
ret = 1;
break;
- }
- if (ret == 0)
- {
+ }
+ if (ret == 0) {
ctx->error_depth = i;
ctx->current_cert = x;
ok=cb(0,ctx);
if (!ok) goto end;
- }
- if (ctx->param->purpose > 0)
- {
+ }
+ if (ctx->param->purpose > 0) {
ret = X509_check_purpose(x, purpose, must_be_ca > 0);
if ((ret == 0)
|| ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
- && (ret != 1)))
- {
+ && (ret != 1))) {
ctx->error = X509_V_ERR_INVALID_PURPOSE;
ctx->error_depth = i;
ctx->current_cert = x;
ok=cb(0,ctx);
if (!ok) goto end;
- }
}
+ }
/* Check pathlen if not self issued */
if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
&& (x->ex_pathlen != -1)
- && (plen > (x->ex_pathlen + proxy_path_length + 1)))
- {
+ && (plen > (x->ex_pathlen + proxy_path_length + 1))) {
ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
ctx->error_depth = i;
ctx->current_cert = x;
ok=cb(0,ctx);
if (!ok) goto end;
- }
+ }
/* Increment path length if not self issued */
if (!(x->ex_flags & EXFLAG_SI))
plen++;
certificate must be another proxy certificate or a EE
certificate. If not, the next certificate must be a
CA certificate. */
- if (x->ex_flags & EXFLAG_PROXY)
- {
- if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen)
- {
+ if (x->ex_flags & EXFLAG_PROXY) {
+ if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) {
ctx->error =
X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
ctx->error_depth = i;
ctx->current_cert = x;
ok=cb(0,ctx);
if (!ok) goto end;
- }
+ }
proxy_path_length++;
must_be_ca = 0;
- }
- else
+ } else
must_be_ca = 1;
- }
+ }
ok = 1;
end:
return ok;
}
static int check_name_constraints(X509_STORE_CTX *ctx)
- {
+{
X509 *x;
int i, j, rv;
/* Check name constraints for all certificates */
- for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
- {
+ for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
x = sk_X509_value(ctx->chain, i);
/* Ignore self issued certs unless last in chain */
if (i && (x->ex_flags & EXFLAG_SI))
* speaking needed but if it includes constraints it is to be
* assumed it expects them to be obeyed.
*/
- for (j = sk_X509_num(ctx->chain) - 1; j > i; j--)
- {
+ for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) {
NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
- if (nc)
- {
+ if (nc) {
rv = NAME_CONSTRAINTS_check(x, nc);
- if (rv != X509_V_OK)
- {
+ if (rv != X509_V_OK) {
ctx->error = rv;
ctx->error_depth = i;
ctx->current_cert = x;
if (!ctx->verify_cb(0,ctx))
return 0;
- }
}
}
}
- return 1;
}
+ return 1;
+}
static int check_trust(X509_STORE_CTX *ctx)
{
}
static int check_revocation(X509_STORE_CTX *ctx)
- {
+{
int i, last, ok;
if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
return 1;
if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
last = sk_X509_num(ctx->chain) - 1;
- else
- {
+ else {
/* If checking CRL paths this isn't the EE certificate */
if (ctx->parent)
return 1;
last = 0;
- }
- for(i = 0; i <= last; i++)
- {
+ }
+ for(i = 0; i <= last; i++) {
ctx->error_depth = i;
ok = check_cert(ctx);
if (!ok) return ok;
- }
- return 1;
}
+ return 1;
+}
-static int check_cert(X509_STORE_CTX *ctx)
- {
+static int check_cert(X509_STORE_CTX *ctx) {
X509_CRL *crl = NULL, *dcrl = NULL;
X509 *x;
int ok, cnum;
ctx->current_issuer = NULL;
ctx->current_crl_score = 0;
ctx->current_reasons = 0;
- while (ctx->current_reasons != CRLDP_ALL_REASONS)
- {
+ while (ctx->current_reasons != CRLDP_ALL_REASONS) {
last_reasons = ctx->current_reasons;
/* Try to retrieve relevant CRL */
if (ctx->get_crl)
/* If error looking up CRL, nothing we can do except
* notify callback
*/
- if(!ok)
- {
+ if(!ok) {
ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
ok = ctx->verify_cb(0, ctx);
goto err;
- }
+ }
ctx->current_crl = crl;
ok = ctx->check_crl(ctx, crl);
if (!ok)
goto err;
- if (dcrl)
- {
+ if (dcrl) {
ok = ctx->check_crl(ctx, dcrl);
if (!ok)
goto err;
ok = ctx->cert_crl(ctx, dcrl, x);
if (!ok)
goto err;
- }
- else
+ } else
ok = 1;
/* Don't look in full CRL if delta reason is removefromCRL */
- if (ok != 2)
- {
+ if (ok != 2) {
ok = ctx->cert_crl(ctx, crl, x);
if (!ok)
goto err;
- }
+ }
X509_CRL_free(crl);
X509_CRL_free(dcrl);
/* If reasons not updated we wont get anywhere by
* another iteration, so exit loop.
*/
- if (last_reasons == ctx->current_reasons)
- {
+ if (last_reasons == ctx->current_reasons) {
ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
ok = ctx->verify_cb(0, ctx);
goto err;
- }
}
- err:
+ }
+err:
X509_CRL_free(crl);
X509_CRL_free(dcrl);
ctx->current_crl = NULL;
return ok;
- }
+}
/* Check CRL times against values in X509_STORE_CTX */
static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
- {
+{
time_t *ptime;
int i;
if (notify)
ptime = NULL;
i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
- if (i == 0)
- {
+ if (i == 0) {
if (!notify)
return 0;
ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
if (!ctx->verify_cb(0, ctx))
return 0;
- }
+ }
- if (i > 0)
- {
+ if (i > 0) {
if (!notify)
return 0;
ctx->error=X509_V_ERR_CRL_NOT_YET_VALID;
if (!ctx->verify_cb(0, ctx))
return 0;
- }
+ }
- if(X509_CRL_get_nextUpdate(crl))
- {
+ if(X509_CRL_get_nextUpdate(crl)) {
i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
- if (i == 0)
- {
+ if (i == 0) {
if (!notify)
return 0;
ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
if (!ctx->verify_cb(0, ctx))
return 0;
- }
+ }
/* Ignore expiry of base CRL is delta is valid */
- if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA))
- {
+ if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
if (!notify)
return 0;
ctx->error=X509_V_ERR_CRL_HAS_EXPIRED;
if (!ctx->verify_cb(0, ctx))
return 0;
- }
}
+ }
if (notify)
ctx->current_crl = NULL;
return 1;
- }
+}
static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
X509 **pissuer, int *pscore, unsigned int *preasons,
STACK_OF(X509_CRL) *crls)
- {
+{
int i, crl_score, best_score = *pscore;
unsigned int reasons, best_reasons = 0;
X509 *x = ctx->current_cert;
X509_CRL *crl, *best_crl = NULL;
X509 *crl_issuer = NULL, *best_crl_issuer = NULL;
- for (i = 0; i < sk_X509_CRL_num(crls); i++)
- {
+ for (i = 0; i < sk_X509_CRL_num(crls); i++) {
crl = sk_X509_CRL_value(crls, i);
reasons = *preasons;
crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
- if (crl_score > best_score)
- {
+ if (crl_score > best_score) {
best_crl = crl;
best_crl_issuer = crl_issuer;
best_score = crl_score;
best_reasons = reasons;
- }
}
+ }
- if (best_crl)
- {
+ if (best_crl) {
if (*pcrl)
X509_CRL_free(*pcrl);
*pcrl = best_crl;
*pscore = best_score;
*preasons = best_reasons;
CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL);
- if (*pdcrl)
- {
+ if (*pdcrl) {
X509_CRL_free(*pdcrl);
*pdcrl = NULL;
- }
- get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
}
+ get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
+ }
if (best_score >= CRL_SCORE_VALID)
return 1;
return 0;
- }
+}
/* Compare two CRL extensions for delta checking purposes. They should be
* both present or both absent. If both present all fields must be identical.
*/
static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
- {
+{
ASN1_OCTET_STRING *exta, *extb;
int i;
i = X509_CRL_get_ext_by_NID(a, nid, -1);
- if (i >= 0)
- {
+ if (i >= 0) {
/* Can't have multiple occurrences */
if (X509_CRL_get_ext_by_NID(a, nid, i) != -1)
return 0;
exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i));
- }
- else
+ } else
exta = NULL;
i = X509_CRL_get_ext_by_NID(b, nid, -1);
- if (i >= 0)
- {
+ if (i >= 0) {
if (X509_CRL_get_ext_by_NID(b, nid, i) != -1)
return 0;
extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
- }
- else
+ } else
extb = NULL;
if (!exta && !extb)
return 0;
return 1;
- }
+}
/* See if a base and delta are compatible */
static int check_delta_base(X509_CRL *delta, X509_CRL *base)
- {
+{
/* Delta CRL must be a delta */
if (!delta->base_crl_number)
return 0;
if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
return 1;
return 0;
- }
+}
/* For a given base CRL find a delta... maybe extend to delta scoring
* or retrieve a chain of deltas...
static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
X509_CRL *base, STACK_OF(X509_CRL) *crls)
- {
+{
X509_CRL *delta;
int i;
if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS))
return;
if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST))
return;
- for (i = 0; i < sk_X509_CRL_num(crls); i++)
- {
+ for (i = 0; i < sk_X509_CRL_num(crls); i++) {
delta = sk_X509_CRL_value(crls, i);
- if (check_delta_base(delta, base))
- {
+ if (check_delta_base(delta, base)) {
if (check_crl_time(ctx, delta, 0))
*pscore |= CRL_SCORE_TIME_DELTA;
CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL);
*dcrl = delta;
return;
- }
}
- *dcrl = NULL;
}
+ *dcrl = NULL;
+}
/* For a given CRL return how suitable it is for the supplied certificate 'x'.
* The return value is a mask of several criteria.
static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
unsigned int *preasons,
X509_CRL *crl, X509 *x)
- {
+{
int crl_score = 0;
unsigned int tmp_reasons = *preasons, crl_reasons;
if (crl->idp_flags & IDP_INVALID)
return 0;
/* Reason codes or indirect CRLs need extended CRL support */
- if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT))
- {
+ if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) {
if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS))
return 0;
- }
- else if (crl->idp_flags & IDP_REASONS)
- {
+ } else if (crl->idp_flags & IDP_REASONS) {
/* If no new reasons reject */
if (!(crl->idp_reasons & ~tmp_reasons))
return 0;
- }
+ }
/* Don't process deltas at this stage */
else if (crl->base_crl_number)
return 0;
/* If issuer name doesn't match certificate need indirect CRL */
- if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl)))
- {
+ if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) {
if (!(crl->idp_flags & IDP_INDIRECT))
return 0;
- }
- else
+ } else
crl_score |= CRL_SCORE_ISSUER_NAME;
if (!(crl->flags & EXFLAG_CRITICAL))
/* Check cert for matching CRL distribution points */
- if (crl_crldp_check(x, crl, crl_score, &crl_reasons))
- {
+ if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) {
/* If no new reasons reject */
if (!(crl_reasons & ~tmp_reasons))
return 0;
tmp_reasons |= crl_reasons;
crl_score |= CRL_SCORE_SCOPE;
- }
+ }
*preasons = tmp_reasons;
return crl_score;
- }
+}
static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
X509 **pissuer, int *pcrl_score)
- {
+{
X509 *crl_issuer = NULL;
X509_NAME *cnm = X509_CRL_get_issuer(crl);
int cidx = ctx->error_depth;
crl_issuer = sk_X509_value(ctx->chain, cidx);
- if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
- {
- if (*pcrl_score & CRL_SCORE_ISSUER_NAME)
- {
+ if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
+ if (*pcrl_score & CRL_SCORE_ISSUER_NAME) {
*pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_ISSUER_CERT;
*pissuer = crl_issuer;
return;
- }
}
+ }
- for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++)
- {
+ for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++) {
crl_issuer = sk_X509_value(ctx->chain, cidx);
if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
continue;
- if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
- {
+ if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
*pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_SAME_PATH;
*pissuer = crl_issuer;
return;
- }
}
+ }
/* Anything else needs extended CRL support */
/* Otherwise the CRL issuer is not on the path. Look for it in the
* set of untrusted certificates.
*/
- for (i = 0; i < sk_X509_num(ctx->untrusted); i++)
- {
+ for (i = 0; i < sk_X509_num(ctx->untrusted); i++) {
crl_issuer = sk_X509_value(ctx->untrusted, i);
if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
continue;
- if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
- {
+ if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
*pissuer = crl_issuer;
*pcrl_score |= CRL_SCORE_AKID;
return;
- }
}
}
+}
/* Check the path of a CRL issuer certificate. This creates a new
* X509_STORE_CTX and populates it with most of the parameters from the
*/
static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
- {
+{
X509_STORE_CTX crl_ctx;
int ret;
/* Don't allow recursive CRL path validation */
err:
X509_STORE_CTX_cleanup(&crl_ctx);
return ret;
- }
+}
/* RFC3280 says nothing about the relationship between CRL path
* and certificate path, which could lead to situations where a
static int check_crl_chain(X509_STORE_CTX *ctx,
STACK_OF(X509) *cert_path,
STACK_OF(X509) *crl_path)
- {
+{
X509 *cert_ta, *crl_ta;
cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
if (!X509_cmp(cert_ta, crl_ta))
return 1;
return 0;
- }
+}
/* Check for match between two dist point names: three separate cases.
* 1. Both are relative names and compare X509_NAME types.
static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
- {
+{
X509_NAME *nm = NULL;
GENERAL_NAMES *gens = NULL;
GENERAL_NAME *gena, *genb;
int i, j;
if (!a || !b)
return 1;
- if (a->type == 1)
- {
+ if (a->type == 1) {
if (!a->dpname)
return 0;
/* Case 1: two X509_NAME */
- if (b->type == 1)
- {
+ if (b->type == 1) {
if (!b->dpname)
return 0;
if (!X509_NAME_cmp(a->dpname, b->dpname))
return 1;
else
return 0;
- }
+ }
/* Case 2: set name and GENERAL_NAMES appropriately */
nm = a->dpname;
gens = b->name.fullname;
- }
- else if (b->type == 1)
- {
+ } else if (b->type == 1) {
if (!b->dpname)
return 0;
/* Case 2: set name and GENERAL_NAMES appropriately */
gens = a->name.fullname;
nm = b->dpname;
- }
+ }
/* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
- if (nm)
- {
- for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
- {
+ if (nm) {
+ for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
gena = sk_GENERAL_NAME_value(gens, i);
if (gena->type != GEN_DIRNAME)
continue;
if (!X509_NAME_cmp(nm, gena->d.directoryName))
return 1;
- }
- return 0;
}
+ return 0;
+ }
/* Else case 3: two GENERAL_NAMES */
- for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++)
- {
+ for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) {
gena = sk_GENERAL_NAME_value(a->name.fullname, i);
- for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++)
- {
+ for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) {
genb = sk_GENERAL_NAME_value(b->name.fullname, j);
if (!GENERAL_NAME_cmp(gena, genb))
return 1;
- }
}
+ }
return 0;
- }
+}
static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
- {
+{
int i;
X509_NAME *nm = X509_CRL_get_issuer(crl);
/* If no CRLissuer return is successful iff don't need a match */
if (!dp->CRLissuer)
return !!(crl_score & CRL_SCORE_ISSUER_NAME);
- for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++)
- {
+ for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
if (gen->type != GEN_DIRNAME)
continue;
if (!X509_NAME_cmp(gen->d.directoryName, nm))
return 1;
- }
- return 0;
}
+ return 0;
+}
/* Check CRLDP and IDP */
static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
unsigned int *preasons)
- {
+{
int i;
if (crl->idp_flags & IDP_ONLYATTR)
return 0;
- if (x->ex_flags & EXFLAG_CA)
- {
+ if (x->ex_flags & EXFLAG_CA) {
if (crl->idp_flags & IDP_ONLYUSER)
return 0;
- }
- else
- {
+ } else {
if (crl->idp_flags & IDP_ONLYCA)
return 0;
- }
+ }
*preasons = crl->idp_reasons;
- for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
- {
+ for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) {
DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
- if (crldp_check_crlissuer(dp, crl, crl_score))
- {
+ if (crldp_check_crlissuer(dp, crl, crl_score)) {
if (!crl->idp ||
- idp_check_dp(dp->distpoint, crl->idp->distpoint))
- {
+ idp_check_dp(dp->distpoint, crl->idp->distpoint)) {
*preasons &= dp->dp_reasons;
return 1;
- }
}
}
+ }
if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME))
return 1;
return 0;
- }
+}
/* Retrieve CRL corresponding to current certificate.
* If deltas enabled try to find a delta CRL too
static int get_crl_delta(X509_STORE_CTX *ctx,
X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
- {
+{
int ok;
X509 *issuer = NULL;
int crl_score = 0;
done:
/* If we got any kind of CRL use it and return success */
- if (crl)
- {
+ if (crl) {
ctx->current_issuer = issuer;
ctx->current_crl_score = crl_score;
ctx->current_reasons = reasons;
*pcrl = crl;
*pdcrl = dcrl;
return 1;
- }
+ }
return 0;
- }
+}
/* Check CRL validity */
static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
- {
+{
X509 *issuer = NULL;
EVP_PKEY *ikey = NULL;
int ok = 0, chnum, cnum;
cnum = ctx->error_depth;
chnum = sk_X509_num(ctx->chain) - 1;
/* if we have an alternative CRL issuer cert use that */
- if (ctx->current_issuer)
+ if (ctx->current_issuer) {
issuer = ctx->current_issuer;
-
- /* Else find CRL issuer: if not last certificate then issuer
- * is next certificate in chain.
- */
- else if (cnum < chnum)
+ } else if (cnum < chnum) {
+ /* Else find CRL issuer: if not last certificate then issuer
+ * is next certificate in chain.
+ */
issuer = sk_X509_value(ctx->chain, cnum + 1);
- else
- {
+ } else {
issuer = sk_X509_value(ctx->chain, chnum);
/* If not self signed, can't check signature */
- if(!ctx->check_issued(ctx, issuer, issuer))
- {
+ if(!ctx->check_issued(ctx, issuer, issuer)) {
ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
ok = ctx->verify_cb(0, ctx);
if(!ok) goto err;
- }
}
+ }
- if(issuer)
- {
+ if(issuer) {
/* Skip most tests for deltas because they have already
* been done
*/
- if (!crl->base_crl_number)
- {
+ if (!crl->base_crl_number) {
/* Check for cRLSign bit if keyUsage present */
if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
- !(issuer->ex_kusage & KU_CRL_SIGN))
- {
+ !(issuer->ex_kusage & KU_CRL_SIGN)) {
ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
ok = ctx->verify_cb(0, ctx);
if(!ok) goto err;
- }
+ }
- if (!(ctx->current_crl_score & CRL_SCORE_SCOPE))
- {
+ if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) {
ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
ok = ctx->verify_cb(0, ctx);
if(!ok) goto err;
- }
+ }
- if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH))
- {
- if (check_crl_path(ctx, ctx->current_issuer) <= 0)
- {
+ if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) {
+ if (check_crl_path(ctx, ctx->current_issuer) <= 0) {
ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
ok = ctx->verify_cb(0, ctx);
if(!ok) goto err;
- }
}
+ }
- if (crl->idp_flags & IDP_INVALID)
- {
+ if (crl->idp_flags & IDP_INVALID) {
ctx->error = X509_V_ERR_INVALID_EXTENSION;
ok = ctx->verify_cb(0, ctx);
if(!ok) goto err;
- }
+ }
- }
+ }
- if (!(ctx->current_crl_score & CRL_SCORE_TIME))
- {
+ if (!(ctx->current_crl_score & CRL_SCORE_TIME)) {
ok = check_crl_time(ctx, crl, 1);
if (!ok)
goto err;
- }
+ }
/* Attempt to get issuer certificate public key */
ikey = X509_get_pubkey(issuer);
- if(!ikey)
- {
+ if(!ikey) {
ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
ok = ctx->verify_cb(0, ctx);
if (!ok) goto err;
- }
- else
- {
+ } else {
/* Verify CRL signature */
- if(X509_CRL_verify(crl, ikey) <= 0)
- {
+ if(X509_CRL_verify(crl, ikey) <= 0) {
ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE;
ok = ctx->verify_cb(0, ctx);
if (!ok) goto err;
- }
}
}
+ }
ok = 1;
- err:
+err:
EVP_PKEY_free(ikey);
return ok;
- }
+}
/* Check certificate against CRL */
static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
- {
+{
int ok;
X509_REVOKED *rev;
/* The rules changed for this... previously if a CRL contained
* critical extension can change the meaning of CRL entries.
*/
if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
- && (crl->flags & EXFLAG_CRITICAL))
- {
+ && (crl->flags & EXFLAG_CRITICAL)) {
ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
ok = ctx->verify_cb(0, ctx);
if(!ok)
return 0;
- }
+ }
/* Look for serial number of certificate in CRL
* If found make sure reason is not removeFromCRL.
*/
- if (X509_CRL_get0_by_cert(crl, &rev, x))
- {
+ if (X509_CRL_get0_by_cert(crl, &rev, x)) {
if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)
return 2;
ctx->error = X509_V_ERR_CERT_REVOKED;
ok = ctx->verify_cb(0, ctx);
if (!ok)
return 0;
- }
+ }
return 1;
- }
+}
static int check_policy(X509_STORE_CTX *ctx)
- {
+{
int ret;
if (ctx->parent)
return 1;
ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
ctx->param->policies, ctx->param->flags);
- if (ret == 0)
- {
+ if (ret == 0) {
X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE);
return 0;
- }
+ }
/* Invalid or inconsistent extensions */
- if (ret == -1)
- {
+ if (ret == -1) {
/* Locate certificates with bad extensions and notify
* callback.
*/
X509 *x;
int i;
- for (i = 1; i < sk_X509_num(ctx->chain); i++)
- {
+ for (i = 1; i < sk_X509_num(ctx->chain); i++) {
x = sk_X509_value(ctx->chain, i);
if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
continue;
ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
if(!ctx->verify_cb(0, ctx))
return 0;
- }
- return 1;
}
- if (ret == -2)
- {
+ return 1;
+ }
+ if (ret == -2) {
ctx->current_cert = NULL;
ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
return ctx->verify_cb(0, ctx);
- }
+ }
- if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY)
- {
+ if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
ctx->current_cert = NULL;
ctx->error = X509_V_OK;
if (!ctx->verify_cb(2, ctx))
return 0;
- }
+ }
return 1;
- }
+}
static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
- {
+{
time_t *ptime;
int i;
ptime = NULL;
i=X509_cmp_time(X509_get_notBefore(x), ptime);
- if (i == 0)
- {
+ if (i == 0) {
ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
ctx->current_cert=x;
if (!ctx->verify_cb(0, ctx))
return 0;
- }
+ }
- if (i > 0)
- {
+ if (i > 0) {
ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
ctx->current_cert=x;
if (!ctx->verify_cb(0, ctx))
return 0;
- }
+ }
i=X509_cmp_time(X509_get_notAfter(x), ptime);
- if (i == 0)
- {
+ if (i == 0) {
ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
ctx->current_cert=x;
if (!ctx->verify_cb(0, ctx))
return 0;
- }
+ }
- if (i < 0)
- {
+ if (i < 0) {
ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
ctx->current_cert=x;
if (!ctx->verify_cb(0, ctx))
return 0;
- }
+ }
return 1;
- }
+}
static int internal_verify(X509_STORE_CTX *ctx)
- {
+{
int ok=0,n;
X509 *xs,*xi;
EVP_PKEY *pkey=NULL;
if (ctx->check_issued(ctx, xi, xi))
xs=xi;
- else
- {
- if (n <= 0)
- {
+ else {
+ if (n <= 0) {
ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
ctx->current_cert=xi;
ok=cb(0,ctx);
goto end;
- }
- else
- {
+ } else {
n--;
ctx->error_depth=n;
xs=sk_X509_value(ctx->chain,n);
- }
}
+ }
/* ctx->error=0; not needed */
- while (n >= 0)
- {
+ while (n >= 0) {
ctx->error_depth=n;
/* Skip signature check for self signed certificates unless
* explicitly asked for. It doesn't add any security and
* just wastes time.
*/
- if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)))
- {
- if ((pkey=X509_get_pubkey(xi)) == NULL)
- {
+ if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) {
+ if ((pkey=X509_get_pubkey(xi)) == NULL) {
ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
ctx->current_cert=xi;
ok=(*cb)(0,ctx);
if (!ok) goto end;
- }
- else if (X509_verify(xs,pkey) <= 0)
- {
+ } else if (X509_verify(xs,pkey) <= 0) {
ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
ctx->current_cert=xs;
ok=(*cb)(0,ctx);
- if (!ok)
- {
+ if (!ok) {
EVP_PKEY_free(pkey);
goto end;
- }
}
+ }
EVP_PKEY_free(pkey);
pkey=NULL;
- }
+ }
xs->valid = 1;
if (!ok) goto end;
n--;
- if (n >= 0)
- {
+ if (n >= 0) {
xi=xs;
xs=sk_X509_value(ctx->chain,n);
- }
}
+ }
ok=1;
end:
return ok;
- }
+}
int X509_cmp_current_time(const ASN1_TIME *ctm)
{
}
int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
- {
+{
char *str;
ASN1_TIME atm;
long offset;
p=buff1;
i=ctm->length;
str=(char *)ctm->data;
- if (ctm->type == V_ASN1_UTCTIME)
- {
+ if (ctm->type == V_ASN1_UTCTIME) {
if ((i < 11) || (i > 17)) return 0;
memcpy(p,str,10);
p+=10;
str+=10;
- }
- else
- {
+ } else {
if (i < 13) return 0;
memcpy(p,str,12);
p+=12;
str+=12;
- }
+ }
- if ((*str == 'Z') || (*str == '-') || (*str == '+'))
- { *(p++)='0'; *(p++)='0'; }
- else
- {
+ if ((*str == 'Z') || (*str == '-') || (*str == '+')) {
+ *(p++)='0';
+ *(p++)='0';
+ } else {
*(p++)= *(str++);
*(p++)= *(str++);
/* Skip any fractional seconds... */
- if (*str == '.')
- {
+ if (*str == '.') {
str++;
while ((*str >= '0') && (*str <= '9')) str++;
- }
-
}
+
+ }
*(p++)='Z';
*(p++)='\0';
if (*str == 'Z')
offset=0;
- else
- {
+ else {
if ((*str != '+') && (*str != '-'))
return 0;
offset=((str[1]-'0')*10+(str[2]-'0'))*60;
offset+=(str[3]-'0')*10+(str[4]-'0');
if (*str == '-')
offset= -offset;
- }
+ }
atm.type=ctm->type;
atm.flags = 0;
atm.length=sizeof(buff2);
if (X509_time_adj(&atm, offset*60, cmp_time) == NULL)
return 0;
- if (ctm->type == V_ASN1_UTCTIME)
- {
+ if (ctm->type == V_ASN1_UTCTIME) {
i=(buff1[0]-'0')*10+(buff1[1]-'0');
if (i < 50) i+=100; /* cf. RFC 2459 */
j=(buff2[0]-'0')*10+(buff2[1]-'0');
if (i < j) return -1;
if (i > j) return 1;
- }
+ }
i=strcmp(buff1,buff2);
if (i == 0) /* wait a second then return younger :-) */
return -1;
else
return i;
- }
+}
ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
{
}
ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
- {
+{
return X509_time_adj_ex(s, 0, offset_sec, in_tm);
- }
+}
ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
int offset_day, long offset_sec, time_t *in_tm)
- {
+{
time_t t;
if (in_tm) t = *in_tm;
else time(&t);
- if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING))
- {
+ if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) {
if (s->type == V_ASN1_UTCTIME)
return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec);
if (s->type == V_ASN1_GENERALIZEDTIME)
return ASN1_GENERALIZEDTIME_adj(s, t, offset_day,
offset_sec);
- }
- return ASN1_TIME_adj(s, t, offset_day, offset_sec);
}
+ return ASN1_TIME_adj(s, t, offset_day, offset_sec);
+}
int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
- {
+{
EVP_PKEY *ktmp=NULL,*ktmp2;
int i,j;
if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1;
- for (i=0; i<sk_X509_num(chain); i++)
- {
+ for (i=0; i<sk_X509_num(chain); i++) {
ktmp=X509_get_pubkey(sk_X509_value(chain,i));
- if (ktmp == NULL)
- {
+ if (ktmp == NULL) {
X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
return 0;
- }
+ }
if (!EVP_PKEY_missing_parameters(ktmp))
break;
- else
- {
+ else {
EVP_PKEY_free(ktmp);
ktmp=NULL;
- }
}
- if (ktmp == NULL)
- {
+ }
+ if (ktmp == NULL) {
X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
return 0;
- }
+ }
/* first, populate the other certs */
- for (j=i-1; j >= 0; j--)
- {
+ for (j=i-1; j >= 0; j--) {
ktmp2=X509_get_pubkey(sk_X509_value(chain,j));
EVP_PKEY_copy_parameters(ktmp2,ktmp);
EVP_PKEY_free(ktmp2);
- }
+ }
if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp);
EVP_PKEY_free(ktmp);
return 1;
- }
+}
int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
- {
+{
/* This function is (usually) called only once, by
* SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */
return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp,
new_func, dup_func, free_func);
- }
+}
int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
- {
+{
return CRYPTO_set_ex_data(&ctx->ex_data,idx,data);
- }
+}
void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
- {
+{
return CRYPTO_get_ex_data(&ctx->ex_data,idx);
- }
+}
int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
- {
+{
return ctx->error;
- }
+}
void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
- {
+{
ctx->error=err;
- }
+}
int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
- {
+{
return ctx->error_depth;
- }
+}
X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
- {
+{
return ctx->current_cert;
- }
+}
STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
- {
+{
return ctx->chain;
- }
+}
STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
- {
+{
int i;
X509 *x;
STACK_OF(X509) *chain;
if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL;
- for (i = 0; i < sk_X509_num(chain); i++)
- {
+ for (i = 0; i < sk_X509_num(chain); i++) {
x = sk_X509_value(chain, i);
CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
- }
- return chain;
}
+ return chain;
+}
X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
- {
+{
return ctx->current_issuer;
- }
+}
X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
- {
+{
return ctx->current_crl;
- }
+}
X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
- {
+{
return ctx->parent;
- }
+}
void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
- {
+{
ctx->cert=x;
- }
+}
void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
- {
+{
ctx->untrusted=sk;
- }
+}
void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
- {
+{
ctx->crls=sk;
- }
+}
int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
- {
+{
return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
- }
+}
int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
- {
+{
return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
- }
+}
/* This function is used to set the X509_STORE_CTX purpose and trust
* values. This is intended to be used when another structure has its
/* If purpose not set use default */
if (!purpose) purpose = def_purpose;
/* If we have a purpose then check it is valid */
- if (purpose)
- {
+ if (purpose) {
X509_PURPOSE *ptmp;
idx = X509_PURPOSE_get_by_id(purpose);
- if (idx == -1)
- {
+ if (idx == -1) {
X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
X509_R_UNKNOWN_PURPOSE_ID);
return 0;
- }
+ }
ptmp = X509_PURPOSE_get0(idx);
- if (ptmp->trust == X509_TRUST_DEFAULT)
- {
+ if (ptmp->trust == X509_TRUST_DEFAULT) {
idx = X509_PURPOSE_get_by_id(def_purpose);
- if (idx == -1)
- {
+ if (idx == -1) {
X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
X509_R_UNKNOWN_PURPOSE_ID);
return 0;
- }
- ptmp = X509_PURPOSE_get0(idx);
}
+ ptmp = X509_PURPOSE_get0(idx);
+ }
/* If trust not set then get from purpose default */
if (!trust) trust = ptmp->trust;
- }
- if (trust)
- {
+ }
+ if (trust) {
idx = X509_TRUST_get_by_id(trust);
- if (idx == -1)
- {
+ if (idx == -1) {
X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
X509_R_UNKNOWN_TRUST_ID);
return 0;
- }
}
+ }
if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose;
if (trust && !ctx->param->trust) ctx->param->trust = trust;
{
X509_STORE_CTX *ctx;
ctx = (X509_STORE_CTX *)malloc(sizeof(X509_STORE_CTX));
- if (!ctx)
- {
+ if (!ctx) {
X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE);
return NULL;
- }
+ }
memset(ctx, 0, sizeof(X509_STORE_CTX));
return ctx;
}
int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
STACK_OF(X509) *chain)
- {
+{
int ret = 1;
ctx->ctx=store;
ctx->current_method=0;
ctx->param = X509_VERIFY_PARAM_new();
- if (!ctx->param)
- {
+ if (!ctx->param) {
X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
return 0;
- }
+ }
/* Inherit callbacks and flags from X509_STORE if not set
* use defaults.
else
ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
- if (store)
- {
+ if (store) {
ctx->verify_cb = store->verify_cb;
ctx->cleanup = store->cleanup;
- }
- else
+ } else
ctx->cleanup = 0;
if (ret)
ret = X509_VERIFY_PARAM_inherit(ctx->param,
X509_VERIFY_PARAM_lookup("default"));
- if (ret == 0)
- {
+ if (ret == 0) {
X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
return 0;
- }
+ }
if (store && store->check_issued)
ctx->check_issued = store->check_issued;
* corresponding "new" here and remove this bogus initialisation. */
/* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */
if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
- &(ctx->ex_data)))
- {
+ &(ctx->ex_data))) {
free(ctx);
X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
return 0;
- }
- return 1;
}
+ return 1;
+}
/* Set alternative lookup method: just a STACK of trusted certificates.
* This avoids X509_STORE nastiness where it isn't needed.
}
void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
- {
+{
if (ctx->cleanup) ctx->cleanup(ctx);
- if (ctx->param != NULL)
- {
+ if (ctx->param != NULL) {
if (ctx->parent == NULL)
X509_VERIFY_PARAM_free(ctx->param);
ctx->param=NULL;
- }
- if (ctx->tree != NULL)
- {
+ }
+ if (ctx->tree != NULL) {
X509_policy_tree_free(ctx->tree);
ctx->tree=NULL;
- }
- if (ctx->chain != NULL)
- {
+ }
+ if (ctx->chain != NULL) {
sk_X509_pop_free(ctx->chain,X509_free);
ctx->chain=NULL;
- }
+ }
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data));
memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
- }
+}
void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
- {
+{
X509_VERIFY_PARAM_set_depth(ctx->param, depth);
- }
+}
void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
- {
+{
X509_VERIFY_PARAM_set_flags(ctx->param, flags);
- }
+}
void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t)
- {
+{
X509_VERIFY_PARAM_set_time(ctx->param, t);
- }
+}
void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
int (*verify_cb)(int, X509_STORE_CTX *))
- {
+{
ctx->verify_cb=verify_cb;
- }
+}
X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
- {
+{
return ctx->tree;
- }
+}
int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
- {
+{
return ctx->explicit_policy;
- }
+}
int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
- {
+{
const X509_VERIFY_PARAM *param;
param = X509_VERIFY_PARAM_lookup(name);
if (!param)
return 0;
return X509_VERIFY_PARAM_inherit(ctx->param, param);
- }
+}
X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
- {
+{
return ctx->param;
- }
+}
void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
- {
+{
if (ctx->param)
X509_VERIFY_PARAM_free(ctx->param);
ctx->param = param;
- }
+}
IMPLEMENT_STACK_OF(X509)
IMPLEMENT_ASN1_SET_OF(X509)
/* X509_VERIFY_PARAM functions */
static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
- {
+{
if (!param)
return;
param->name = NULL;
param->inh_flags = 0;
param->flags = 0;
param->depth = -1;
- if (param->policies)
- {
+ if (param->policies) {
sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
param->policies = NULL;
- }
}
+}
X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
- {
+{
X509_VERIFY_PARAM *param;
param = malloc(sizeof(X509_VERIFY_PARAM));
memset(param, 0, sizeof(X509_VERIFY_PARAM));
x509_verify_param_zero(param);
return param;
- }
+}
void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
- {
+{
x509_verify_param_zero(param);
free(param);
- }
+}
/* This function determines how parameters are "inherited" from one structure
* to another. There are several different ways this can happen.
int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
const X509_VERIFY_PARAM *src)
- {
+{
unsigned long inh_flags;
int to_default, to_overwrite;
if (!src)
/* If overwrite or check time not set, copy across */
- if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME))
- {
+ if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME)) {
dest->check_time = src->check_time;
dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME;
/* Don't need to copy flag: that is done below */
- }
+ }
if (inh_flags & X509_VP_FLAG_RESET_FLAGS)
dest->flags = 0;
dest->flags |= src->flags;
- if (test_x509_verify_param_copy(policies, NULL))
- {
+ if (test_x509_verify_param_copy(policies, NULL)) {
if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies))
return 0;
- }
+ }
return 1;
- }
+}
int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
const X509_VERIFY_PARAM *from)
- {
+{
unsigned long save_flags = to->inh_flags;
int ret;
to->inh_flags |= X509_VP_FLAG_DEFAULT;
ret = X509_VERIFY_PARAM_inherit(to, from);
to->inh_flags = save_flags;
return ret;
- }
+}
int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
- {
+{
if (param->name)
free(param->name);
param->name = BUF_strdup(name);
if (param->name)
return 1;
return 0;
- }
+}
int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
- {
+{
param->flags |= flags;
if (flags & X509_V_FLAG_POLICY_MASK)
param->flags |= X509_V_FLAG_POLICY_CHECK;
return 1;
- }
+}
int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags)
- {
+{
param->flags &= ~flags;
return 1;
- }
+}
unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
- {
+{
return param->flags;
- }
+}
int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
- {
+{
return X509_PURPOSE_set(¶m->purpose, purpose);
- }
+}
int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust)
- {
+{
return X509_TRUST_set(¶m->trust, trust);
- }
+}
void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth)
- {
+{
param->depth = depth;
- }
+}
void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
- {
+{
param->check_time = t;
param->flags |= X509_V_FLAG_USE_CHECK_TIME;
- }
+}
int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy)
- {
- if (!param->policies)
- {
+{
+ if (!param->policies) {
param->policies = sk_ASN1_OBJECT_new_null();
if (!param->policies)
return 0;
- }
+ }
if (!sk_ASN1_OBJECT_push(param->policies, policy))
return 0;
return 1;
- }
+}
int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
STACK_OF(ASN1_OBJECT) *policies)
- {
+{
int i;
ASN1_OBJECT *oid, *doid;
if (!param)
if (param->policies)
sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
- if (!policies)
- {
+ if (!policies) {
param->policies = NULL;
return 1;
- }
+ }
param->policies = sk_ASN1_OBJECT_new_null();
if (!param->policies)
return 0;
- for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++)
- {
+ for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++) {
oid = sk_ASN1_OBJECT_value(policies, i);
doid = OBJ_dup(oid);
if (!doid)
return 0;
- if (!sk_ASN1_OBJECT_push(param->policies, doid))
- {
+ if (!sk_ASN1_OBJECT_push(param->policies, doid)) {
ASN1_OBJECT_free(doid);
return 0;
- }
}
+ }
param->flags |= X509_V_FLAG_POLICY_CHECK;
return 1;
- }
+}
int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
- {
+{
return param->depth;
- }
+}
/* Default verify parameters: these are used for various
* applications and can be overridden by the user specified table.
X509_TRUST_SSL_SERVER, /* trust */
-1, /* depth */
NULL /* policies */
- }};
+ }
+};
static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b)
- {
+{
return strcmp(a->name, b->name);
- }
+}
DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM,
table);
static int param_cmp(const X509_VERIFY_PARAM * const *a,
const X509_VERIFY_PARAM * const *b)
- {
+{
return strcmp((*a)->name, (*b)->name);
- }
+}
int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
- {
+{
int idx;
X509_VERIFY_PARAM *ptmp;
- if (!param_table)
- {
+ if (!param_table) {
param_table = sk_X509_VERIFY_PARAM_new(param_cmp);
if (!param_table)
return 0;
- }
- else
- {
+ } else {
idx = sk_X509_VERIFY_PARAM_find(param_table, param);
- if (idx != -1)
- {
+ if (idx != -1) {
ptmp = sk_X509_VERIFY_PARAM_value(param_table, idx);
X509_VERIFY_PARAM_free(ptmp);
(void)sk_X509_VERIFY_PARAM_delete(param_table, idx);
- }
}
+ }
if (!sk_X509_VERIFY_PARAM_push(param_table, param))
return 0;
return 1;
- }
+}
const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name)
- {
+{
int idx;
X509_VERIFY_PARAM pm;
pm.name = (char *)name;
- if (param_table)
- {
+ if (param_table) {
idx = sk_X509_VERIFY_PARAM_find(param_table, &pm);
if (idx != -1)
return sk_X509_VERIFY_PARAM_value(param_table, idx);
- }
+ }
return OBJ_bsearch_table(&pm, default_table,
sizeof(default_table)/sizeof(X509_VERIFY_PARAM));
- }
+}
void X509_VERIFY_PARAM_table_cleanup(void)
- {
+{
if (param_table)
sk_X509_VERIFY_PARAM_pop_free(param_table,
X509_VERIFY_PARAM_free);
param_table = NULL;
- }
+}
#include <openssl/x509.h>
int X509_CRL_set_version(X509_CRL *x, long version)
- {
+{
if (x == NULL) return(0);
- if (x->crl->version == NULL)
- {
+ if (x->crl->version == NULL) {
if ((x->crl->version=M_ASN1_INTEGER_new()) == NULL)
return(0);
- }
- return(ASN1_INTEGER_set(x->crl->version,version));
}
+ return(ASN1_INTEGER_set(x->crl->version,version));
+}
int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name)
- {
+{
if ((x == NULL) || (x->crl == NULL)) return(0);
return(X509_NAME_set(&x->crl->issuer,name));
- }
+}
int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm)
- {
+{
ASN1_TIME *in;
if (x == NULL) return(0);
in=x->crl->lastUpdate;
- if (in != tm)
- {
+ if (in != tm) {
in=M_ASN1_TIME_dup(tm);
- if (in != NULL)
- {
+ if (in != NULL) {
M_ASN1_TIME_free(x->crl->lastUpdate);
x->crl->lastUpdate=in;
- }
}
- return(in != NULL);
}
+ return(in != NULL);
+}
int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm)
- {
+{
ASN1_TIME *in;
if (x == NULL) return(0);
in=x->crl->nextUpdate;
- if (in != tm)
- {
+ if (in != tm) {
in=M_ASN1_TIME_dup(tm);
- if (in != NULL)
- {
+ if (in != NULL) {
M_ASN1_TIME_free(x->crl->nextUpdate);
x->crl->nextUpdate=in;
- }
}
- return(in != NULL);
}
+ return(in != NULL);
+}
int X509_CRL_sort(X509_CRL *c)
- {
+{
int i;
X509_REVOKED *r;
/* sort the data so it will be written in serial
* number order */
sk_X509_REVOKED_sort(c->crl->revoked);
- for (i=0; i<sk_X509_REVOKED_num(c->crl->revoked); i++)
- {
+ for (i=0; i<sk_X509_REVOKED_num(c->crl->revoked); i++) {
r=sk_X509_REVOKED_value(c->crl->revoked,i);
r->sequence=i;
- }
+ }
c->crl->enc.modified = 1;
return 1;
- }
+}
int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm)
- {
+{
ASN1_TIME *in;
if (x == NULL) return(0);
in=x->revocationDate;
- if (in != tm)
- {
+ if (in != tm) {
in=M_ASN1_TIME_dup(tm);
- if (in != NULL)
- {
+ if (in != NULL) {
M_ASN1_TIME_free(x->revocationDate);
x->revocationDate=in;
- }
}
- return(in != NULL);
}
+ return(in != NULL);
+}
int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial)
- {
+{
ASN1_INTEGER *in;
if (x == NULL) return(0);
in=x->serialNumber;
- if (in != serial)
- {
+ if (in != serial) {
in=M_ASN1_INTEGER_dup(serial);
- if (in != NULL)
- {
+ if (in != NULL) {
M_ASN1_INTEGER_free(x->serialNumber);
x->serialNumber=in;
- }
}
- return(in != NULL);
}
+ return(in != NULL);
+}
#include <openssl/x509.h>
int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len)
- {
+{
ASN1_OBJECT *obj;
obj=OBJ_nid2obj(nid);
if (obj == NULL) return(-1);
return(X509_NAME_get_text_by_OBJ(name,obj,buf,len));
- }
+}
int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, char *buf,
int len)
- {
+{
int i;
ASN1_STRING *data;
memcpy(buf,data->data,i);
buf[i]='\0';
return(i);
- }
+}
int X509_NAME_entry_count(X509_NAME *name)
- {
+{
if (name == NULL) return(0);
return(sk_X509_NAME_ENTRY_num(name->entries));
- }
+}
int X509_NAME_get_index_by_NID(X509_NAME *name, int nid, int lastpos)
- {
+{
ASN1_OBJECT *obj;
obj=OBJ_nid2obj(nid);
if (obj == NULL) return(-2);
return(X509_NAME_get_index_by_OBJ(name,obj,lastpos));
- }
+}
/* NOTE: you should be passsing -1, not 0 as lastpos */
int X509_NAME_get_index_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj,
int lastpos)
- {
+{
int n;
X509_NAME_ENTRY *ne;
STACK_OF(X509_NAME_ENTRY) *sk;
lastpos= -1;
sk=name->entries;
n=sk_X509_NAME_ENTRY_num(sk);
- for (lastpos++; lastpos < n; lastpos++)
- {
+ for (lastpos++; lastpos < n; lastpos++) {
ne=sk_X509_NAME_ENTRY_value(sk,lastpos);
if (OBJ_cmp(ne->object,obj) == 0)
return(lastpos);
- }
- return(-1);
}
+ return(-1);
+}
X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc)
- {
+{
if(name == NULL || sk_X509_NAME_ENTRY_num(name->entries) <= loc
|| loc < 0)
return(NULL);
else
return(sk_X509_NAME_ENTRY_value(name->entries,loc));
- }
+}
X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc)
- {
+{
X509_NAME_ENTRY *ret;
int i,n,set_prev,set_next;
STACK_OF(X509_NAME_ENTRY) *sk;
for (i=loc; i<n; i++)
sk_X509_NAME_ENTRY_value(sk,i)->set--;
return(ret);
- }
+}
int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type,
unsigned char *bytes, int len, int loc, int set)
* prepend to the guy we are about to stomp on. */
int X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne, int loc,
int set)
- {
+{
X509_NAME_ENTRY *new_name=NULL;
int n,i,inc;
STACK_OF(X509_NAME_ENTRY) *sk;
name->modified=1;
- if (set == -1)
- {
- if (loc == 0)
- {
+ if (set == -1) {
+ if (loc == 0) {
set=0;
inc=1;
- }
- else
- {
+ } else {
set=sk_X509_NAME_ENTRY_value(sk,loc-1)->set;
inc=0;
- }
}
- else /* if (set >= 0) */
- {
- if (loc >= n)
- {
+ } else /* if (set >= 0) */ {
+ if (loc >= n) {
if (loc != 0)
set=sk_X509_NAME_ENTRY_value(sk,loc-1)->set+1;
else
set=0;
- }
- else
+ } else
set=sk_X509_NAME_ENTRY_value(sk,loc)->set;
inc=(set == 0)?1:0;
- }
+ }
if ((new_name=X509_NAME_ENTRY_dup(ne)) == NULL)
goto err;
new_name->set=set;
- if (!sk_X509_NAME_ENTRY_insert(sk,new_name,loc))
- {
+ if (!sk_X509_NAME_ENTRY_insert(sk,new_name,loc)) {
X509err(X509_F_X509_NAME_ADD_ENTRY,ERR_R_MALLOC_FAILURE);
goto err;
- }
- if (inc)
- {
+ }
+ if (inc) {
n=sk_X509_NAME_ENTRY_num(sk);
for (i=loc+1; i<n; i++)
sk_X509_NAME_ENTRY_value(sk,i-1)->set+=1;
- }
+ }
return(1);
err:
if (new_name != NULL)
X509_NAME_ENTRY_free(new_name);
return(0);
- }
+}
X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
const char *field, int type, const unsigned char *bytes, int len)
- {
+{
ASN1_OBJECT *obj;
X509_NAME_ENTRY *nentry;
obj=OBJ_txt2obj(field, 0);
- if (obj == NULL)
- {
+ if (obj == NULL) {
X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_TXT,
X509_R_INVALID_FIELD_NAME);
ERR_add_error_data(2, "name=", field);
return(NULL);
- }
+ }
nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len);
ASN1_OBJECT_free(obj);
return nentry;
- }
+}
X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
int type, unsigned char *bytes, int len)
- {
+{
ASN1_OBJECT *obj;
X509_NAME_ENTRY *nentry;
obj=OBJ_nid2obj(nid);
- if (obj == NULL)
- {
+ if (obj == NULL) {
X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_NID,X509_R_UNKNOWN_NID);
return(NULL);
- }
+ }
nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len);
ASN1_OBJECT_free(obj);
return nentry;
- }
+}
X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len)
- {
+{
X509_NAME_ENTRY *ret;
- if ((ne == NULL) || (*ne == NULL))
- {
+ if ((ne == NULL) || (*ne == NULL)) {
if ((ret=X509_NAME_ENTRY_new()) == NULL)
return(NULL);
- }
- else
+ } else
ret= *ne;
if (!X509_NAME_ENTRY_set_object(ret,obj))
if ((ne == NULL) || (ret != *ne))
X509_NAME_ENTRY_free(ret);
return(NULL);
- }
+}
int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj)
- {
- if ((ne == NULL) || (obj == NULL))
- {
+{
+ if ((ne == NULL) || (obj == NULL)) {
X509err(X509_F_X509_NAME_ENTRY_SET_OBJECT,ERR_R_PASSED_NULL_PARAMETER);
return(0);
- }
+ }
ASN1_OBJECT_free(ne->object);
ne->object=OBJ_dup(obj);
return((ne->object == NULL)?0:1);
- }
+}
int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
const unsigned char *bytes, int len)
- {
+{
int i;
if ((ne == NULL) || ((bytes == NULL) && (len != 0))) return(0);
if (len < 0) len=strlen((const char *)bytes);
i=ASN1_STRING_set(ne->value,bytes,len);
if (!i) return(0);
- if (type != V_ASN1_UNDEF)
- {
+ if (type != V_ASN1_UNDEF) {
if (type == V_ASN1_APP_CHOOSE)
ne->value->type=ASN1_PRINTABLE_type(bytes,len);
else
ne->value->type=type;
- }
- return(1);
}
+ return(1);
+}
ASN1_OBJECT *X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne)
- {
+{
if (ne == NULL) return(NULL);
return(ne->object);
- }
+}
ASN1_STRING *X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne)
- {
+{
if (ne == NULL) return(NULL);
return(ne->value);
- }
+}
#include <openssl/x509.h>
int X509_REQ_set_version(X509_REQ *x, long version)
- {
+{
if (x == NULL) return(0);
return(ASN1_INTEGER_set(x->req_info->version,version));
- }
+}
int X509_REQ_set_subject_name(X509_REQ *x, X509_NAME *name)
- {
+{
if ((x == NULL) || (x->req_info == NULL)) return(0);
return(X509_NAME_set(&x->req_info->subject,name));
- }
+}
int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey)
- {
+{
if ((x == NULL) || (x->req_info == NULL)) return(0);
return(X509_PUBKEY_set(&x->req_info->pubkey,pkey));
- }
+}
#include <openssl/x509.h>
int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
- {
+{
EVP_PKEY *pk;
int ret=0,i;
if (pk == NULL) return(0);
- switch (pk->type)
- {
+ switch (pk->type) {
case EVP_PKEY_RSA:
ret=EVP_PK_RSA|EVP_PKT_SIGN;
/* if (!sign only extension) */
break;
default:
break;
- }
+ }
i=OBJ_obj2nid(x->sig_alg->algorithm);
- if (i && OBJ_find_sigid_algs(i, NULL, &i))
- {
+ if (i && OBJ_find_sigid_algs(i, NULL, &i)) {
- switch (i)
- {
+ switch (i) {
case NID_rsaEncryption:
case NID_rsa:
ret|=EVP_PKS_RSA;
break;
default:
break;
- }
}
+ }
if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look
for, not bytes */
ret|=EVP_PKT_EXP;
if(pkey==NULL) EVP_PKEY_free(pk);
return(ret);
- }
+}
projects / openbsd / commitdiff