From 8b5faa7170599a10b7304ec693b84d6d6fd0697f Mon Sep 17 00:00:00 2001 From: tb Date: Sat, 13 Jul 2024 15:08:58 +0000 Subject: [PATCH] Unify X.509v3 extension methods Use C99 initializers for all structs (some were forgotten). Make all the structs static, call them x509v3_ext_* matching NID_*. Add accessors called x509v3_ext_method_* and use these to implement X509V3_EXT_get_nid(). This adds consistency and avoids a few contortions like grouping a few extensions in arrays to save a couple externs. ok beck jsing --- lib/libcrypto/ct/ct_x509v3.c | 127 ++++++++------ lib/libcrypto/x509/x509_addr.c | 10 +- lib/libcrypto/x509/x509_akey.c | 10 +- lib/libcrypto/x509/x509_alt.c | 118 +++++++------ lib/libcrypto/x509/x509_asid.c | 10 +- lib/libcrypto/x509/x509_bcons.c | 10 +- lib/libcrypto/x509/x509_bitst.c | 26 ++- lib/libcrypto/x509/x509_cpols.c | 10 +- lib/libcrypto/x509/x509_crld.c | 48 ++++-- lib/libcrypto/x509/x509_extku.c | 18 +- lib/libcrypto/x509/x509_ia5.c | 290 ++++++++++++++++++-------------- lib/libcrypto/x509/x509_info.c | 18 +- lib/libcrypto/x509/x509_int.c | 46 +++-- lib/libcrypto/x509/x509_lib.c | 173 ++++++++++--------- lib/libcrypto/x509/x509_local.h | 45 ++++- lib/libcrypto/x509/x509_ncons.c | 10 +- lib/libcrypto/x509/x509_ocsp.c | 58 ++++++- lib/libcrypto/x509/x509_pcons.c | 10 +- lib/libcrypto/x509/x509_pku.c | 10 +- lib/libcrypto/x509/x509_pmaps.c | 10 +- lib/libcrypto/x509/x509_skey.c | 10 +- 21 files changed, 691 insertions(+), 376 deletions(-) diff --git a/lib/libcrypto/ct/ct_x509v3.c b/lib/libcrypto/ct/ct_x509v3.c index 59f2975cd91..b14ffc9532a 100644 --- a/lib/libcrypto/ct/ct_x509v3.c +++ b/lib/libcrypto/ct/ct_x509v3.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ct_x509v3.c,v 1.6 2021/12/25 15:42:32 tb Exp $ */ +/* $OpenBSD: ct_x509v3.c,v 1.7 2024/07/13 15:08:58 tb Exp $ */ /* * Written by Rob Stradling (rob@comodo.com) and Stephen Henson * (steve@openssl.org) for the OpenSSL project 2014. 
@@ -128,59 +128,74 @@ ocsp_ext_d2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp, long len) return s; } -/* Handlers for X509v3/OCSP Certificate Transparency extensions */ -const X509V3_EXT_METHOD v3_ct_scts[3] = { - /* X509v3 extension in certificates that contains SCTs */ - [0] = { - .ext_nid = NID_ct_precert_scts, - .ext_flags = 0, - .it = NULL, - .ext_new = NULL, - .ext_free = (X509V3_EXT_FREE)SCT_LIST_free, - .d2i = (X509V3_EXT_D2I)x509_ext_d2i_SCT_LIST, - .i2d = (X509V3_EXT_I2D)i2d_SCT_LIST, - .i2s = NULL, - .s2i = NULL, - .i2v = NULL, - .v2i = NULL, - .i2r = (X509V3_EXT_I2R)i2r_SCT_LIST, - .r2i = NULL, - .usr_data = NULL, - }, - - /* X509v3 extension to mark a certificate as a pre-certificate */ - [1] = { - .ext_nid = NID_ct_precert_poison, - .ext_flags = 0, - .it = &ASN1_NULL_it, - .ext_new = NULL, - .ext_free = NULL, - .d2i = NULL, - .i2d = NULL, - .i2s = i2s_poison, - .s2i = s2i_poison, - .i2v = NULL, - .v2i = NULL, - .i2r = NULL, - .r2i = NULL, - .usr_data = NULL, - }, - - /* OCSP extension that contains SCTs */ - [2] = { - .ext_nid = NID_ct_cert_scts, - .ext_flags = 0, - .it = NULL, - .ext_new = NULL, - .ext_free = (X509V3_EXT_FREE)SCT_LIST_free, - .d2i = (X509V3_EXT_D2I)ocsp_ext_d2i_SCT_LIST, - .i2d = (X509V3_EXT_I2D)i2d_SCT_LIST, - .i2s = NULL, - .s2i = NULL, - .i2v = NULL, - .v2i = NULL, - .i2r = (X509V3_EXT_I2R)i2r_SCT_LIST, - .r2i = NULL, - .usr_data = NULL, - }, +/* X509v3 extension in certificates that contains SCTs */ +static const X509V3_EXT_METHOD x509v3_ext_ct_precert_scts = { + .ext_nid = NID_ct_precert_scts, + .ext_flags = 0, + .it = NULL, + .ext_new = NULL, + .ext_free = (X509V3_EXT_FREE)SCT_LIST_free, + .d2i = (X509V3_EXT_D2I)x509_ext_d2i_SCT_LIST, + .i2d = (X509V3_EXT_I2D)i2d_SCT_LIST, + .i2s = NULL, + .s2i = NULL, + .i2v = NULL, + .v2i = NULL, + .i2r = (X509V3_EXT_I2R)i2r_SCT_LIST, + .r2i = NULL, + .usr_data = NULL, }; + +const X509V3_EXT_METHOD * +x509v3_ext_method_ct_precert_scts(void) +{ + return &x509v3_ext_ct_precert_scts; 
+} + +/* X509v3 extension to mark a certificate as a pre-certificate */ +static const X509V3_EXT_METHOD x509v3_ext_ct_precert_poison = { + .ext_nid = NID_ct_precert_poison, + .ext_flags = 0, + .it = &ASN1_NULL_it, + .ext_new = NULL, + .ext_free = NULL, + .d2i = NULL, + .i2d = NULL, + .i2s = i2s_poison, + .s2i = s2i_poison, + .i2v = NULL, + .v2i = NULL, + .i2r = NULL, + .r2i = NULL, + .usr_data = NULL, +}; + +const X509V3_EXT_METHOD * +x509v3_ext_method_ct_precert_poison(void) +{ + return &x509v3_ext_ct_precert_poison; +} + +/* OCSP extension that contains SCTs */ +static const X509V3_EXT_METHOD x509v3_ext_ct_cert_scts = { + .ext_nid = NID_ct_cert_scts, + .ext_flags = 0, + .it = NULL, + .ext_new = NULL, + .ext_free = (X509V3_EXT_FREE)SCT_LIST_free, + .d2i = (X509V3_EXT_D2I)ocsp_ext_d2i_SCT_LIST, + .i2d = (X509V3_EXT_I2D)i2d_SCT_LIST, + .i2s = NULL, + .s2i = NULL, + .i2v = NULL, + .v2i = NULL, + .i2r = (X509V3_EXT_I2R)i2r_SCT_LIST, + .r2i = NULL, + .usr_data = NULL, +}; + +const X509V3_EXT_METHOD * +x509v3_ext_method_ct_cert_scts(void) +{ + return &x509v3_ext_ct_cert_scts; +} diff --git a/lib/libcrypto/x509/x509_addr.c b/lib/libcrypto/x509/x509_addr.c index 864b7bbf3dc..2208cc434ee 100644 --- a/lib/libcrypto/x509/x509_addr.c +++ b/lib/libcrypto/x509/x509_addr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_addr.c,v 1.92 2024/07/08 14:47:44 beck Exp $ */ +/* $OpenBSD: x509_addr.c,v 1.93 2024/07/13 15:08:58 tb Exp $ */ /* * Contributed to the OpenSSL Project by the American Registry for * Internet Numbers ("ARIN"). @@ -1714,7 +1714,7 @@ v2i_IPAddrBlocks(const struct v3_ext_method *method, struct v3_ext_ctx *ctx, /* * OpenSSL dispatch */ -const X509V3_EXT_METHOD v3_addr = { +static const X509V3_EXT_METHOD x509v3_ext_sbgp_ipAddrBlock = { .ext_nid = NID_sbgp_ipAddrBlock, .ext_flags = 0, .it = &IPAddrBlocks_it, 
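Review bot: The new `x509v3_ext_ct_*` initializers keep the function-pointer casts `(X509V3_EXT_FREE)SCT_LIST_free`, `(X509V3_EXT_D2I)ocsp_ext_d2i_SCT_LIST` and `(X509V3_EXT_I2R)i2r_SCT_LIST`, so the dispatcher still calls these through a pointer type that does not match the callee (the visible `ocsp_ext_d2i_SCT_LIST(STACK_OF(SCT) **a, ...)` takes a typed pointer where `X509V3_EXT_D2I` passes `void *`), which is undefined behaviour in C and is rejected by CFI-style indirect-call checks. Since every initializer is being rewritten anyway, this is the moment to give each callback the exact `X509V3_EXT_*` signature, either directly, as `v2i_idp` and `i2r_idp` in the x509_crld.c hunk already are, or through a small static forwarding function as sketched below for `.d2i`. The same casts are carried over in the x509_alt.c (`i2v_GENERAL_NAMES`, `v2i_subject_alt`, `v2i_issuer_alt`), x509_ia5.c (`i2s_ASN1_IA5STRING`, `s2i_ASN1_IA5STRING`) and x509_int.c (`i2s_ASN1_INTEGER`, `s2i_asn1_int`) hunks.
```c
/* Same shape as X509V3_EXT_D2I, so the method table needs no cast. */
static void *
ct_ocsp_d2i_sct_list(void *a, const unsigned char **pp, long len)
{
	return ocsp_ext_d2i_SCT_LIST(a, pp, len);
}

/* … unchanged: x509v3_ext_ct_cert_scts members other than .d2i … */
	.d2i = ct_ocsp_d2i_sct_list,
```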
@@ -1731,6 +1731,12 @@ const X509V3_EXT_METHOD v3_addr = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_sbgp_ipAddrBlock(void) +{ + return &x509v3_ext_sbgp_ipAddrBlock; +} + /* * Figure out whether extension uses inheritance. */ diff --git a/lib/libcrypto/x509/x509_akey.c b/lib/libcrypto/x509/x509_akey.c index f8c71133502..b052d95984f 100644 --- a/lib/libcrypto/x509/x509_akey.c +++ b/lib/libcrypto/x509/x509_akey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_akey.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ +/* $OpenBSD: x509_akey.c,v 1.2 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -70,7 +70,7 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values); -const X509V3_EXT_METHOD v3_akey_id = { +static const X509V3_EXT_METHOD x509v3_ext_authority_key_identifier = { .ext_nid = NID_authority_key_identifier, .ext_flags = X509V3_EXT_MULTILINE, .it = &AUTHORITY_KEYID_it, @@ -87,6 +87,12 @@ const X509V3_EXT_METHOD v3_akey_id = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_authority_key_identifier(void) +{ + return &x509v3_ext_authority_key_identifier; +} + static STACK_OF(CONF_VALUE) * i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist) diff --git a/lib/libcrypto/x509/x509_alt.c b/lib/libcrypto/x509/x509_alt.c index 59fa39fa6b4..8981e4c4fba 100644 --- a/lib/libcrypto/x509/x509_alt.c +++ b/lib/libcrypto/x509/x509_alt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_alt.c,v 1.16 2023/08/30 00:49:32 tb Exp $ */ +/* $OpenBSD: x509_alt.c,v 1.17 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ 
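Review bot: `x509v3_ext_method_sbgp_ipAddrBlock()` is defined unconditionally here, whereas the old `standard_exts` table in x509_lib.c referenced `v3_addr` only under `#ifndef OPENSSL_NO_RFC3779` (and the OCSP entries only under `#ifndef OPENSSL_NO_OCSP`). The `X509V3_EXT_get_nid()` switch that replaces that table is cut off in this view, so I cannot confirm whether those guards were carried over; if they were dropped, a build with either macro defined changes which extensions are recognised, or fails to link if the defining file is compiled out, and the commit message should say which is intended. The same question applies to the x509_asid.c accessor `x509v3_ext_method_sbgp_autonomousSysNum()` and to the OCSP accessors in x509_extku.c.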
@@ -74,57 +74,75 @@ static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens); static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx); static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx); -const X509V3_EXT_METHOD v3_alt[] = { - { - .ext_nid = NID_subject_alt_name, - .ext_flags = 0, - .it = &GENERAL_NAMES_it, - .ext_new = NULL, - .ext_free = NULL, - .d2i = NULL, - .i2d = NULL, - .i2s = NULL, - .s2i = NULL, - .i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES, - .v2i = (X509V3_EXT_V2I)v2i_subject_alt, - .i2r = NULL, - .r2i = NULL, - .usr_data = NULL, - }, - { - .ext_nid = NID_issuer_alt_name, - .ext_flags = 0, - .it = &GENERAL_NAMES_it, - .ext_new = NULL, - .ext_free = NULL, - .d2i = NULL, - .i2d = NULL, - .i2s = NULL, - .s2i = NULL, - .i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES, - .v2i = (X509V3_EXT_V2I)v2i_issuer_alt, - .i2r = NULL, - .r2i = NULL, - .usr_data = NULL, - }, - { - .ext_nid = NID_certificate_issuer, - .ext_flags = 0, - .it = &GENERAL_NAMES_it, - .ext_new = NULL, - .ext_free = NULL, - .d2i = NULL, - .i2d = NULL, - .i2s = NULL, - .s2i = NULL, - .i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES, - .v2i = NULL, - .i2r = NULL, - .r2i = NULL, - .usr_data = NULL, - }, +static const X509V3_EXT_METHOD x509v3_ext_subject_alt_name = { + .ext_nid = NID_subject_alt_name, + .ext_flags = 0, + .it = &GENERAL_NAMES_it, + .ext_new = NULL, + .ext_free = NULL, + .d2i = NULL, + .i2d = NULL, + .i2s = NULL, + .s2i = NULL, + .i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES, + .v2i = (X509V3_EXT_V2I)v2i_subject_alt, + .i2r = NULL, + .r2i = NULL, + .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_subject_alt_name(void) +{ + return &x509v3_ext_subject_alt_name; +} + +static const X509V3_EXT_METHOD x509v3_ext_issuer_alt_name = { + .ext_nid = NID_issuer_alt_name, + .ext_flags = 0, + .it = &GENERAL_NAMES_it, + .ext_new = NULL, + .ext_free = NULL, + .d2i = NULL, + .i2d = NULL, + .i2s = NULL, + .s2i = NULL, + .i2v = 
(X509V3_EXT_I2V)i2v_GENERAL_NAMES, + .v2i = (X509V3_EXT_V2I)v2i_issuer_alt, + .i2r = NULL, + .r2i = NULL, + .usr_data = NULL, +}; + +const X509V3_EXT_METHOD * +x509v3_ext_method_issuer_alt_name(void) +{ + return &x509v3_ext_issuer_alt_name; +} + +static const X509V3_EXT_METHOD x509v3_ext_certificate_issuer = { + .ext_nid = NID_certificate_issuer, + .ext_flags = 0, + .it = &GENERAL_NAMES_it, + .ext_new = NULL, + .ext_free = NULL, + .d2i = NULL, + .i2d = NULL, + .i2s = NULL, + .s2i = NULL, + .i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES, + .v2i = NULL, + .i2r = NULL, + .r2i = NULL, + .usr_data = NULL, +}; + +const X509V3_EXT_METHOD * +x509v3_ext_method_certificate_issuer(void) +{ + return &x509v3_ext_certificate_issuer; +} + STACK_OF(CONF_VALUE) * i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method, GENERAL_NAMES *gens, STACK_OF(CONF_VALUE) *ret) diff --git a/lib/libcrypto/x509/x509_asid.c b/lib/libcrypto/x509/x509_asid.c index e3af673202f..40ee201a9fc 100644 --- a/lib/libcrypto/x509/x509_asid.c +++ b/lib/libcrypto/x509/x509_asid.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_asid.c,v 1.44 2024/07/08 14:47:44 beck Exp $ */ +/* $OpenBSD: x509_asid.c,v 1.45 2024/07/13 15:08:58 tb Exp $ */ /* * Contributed to the OpenSSL Project by the American Registry for * Internet Numbers ("ARIN"). @@ -946,7 +946,7 @@ v2i_ASIdentifiers(const struct v3_ext_method *method, struct v3_ext_ctx *ctx, /* * OpenSSL dispatch. */ -const X509V3_EXT_METHOD v3_asid = { +static const X509V3_EXT_METHOD x509v3_ext_sbgp_autonomousSysNum = { .ext_nid = NID_sbgp_autonomousSysNum, .ext_flags = 0, .it = &ASIdentifiers_it, @@ -963,6 +963,12 @@ const X509V3_EXT_METHOD v3_asid = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_sbgp_autonomousSysNum(void) +{ + return &x509v3_ext_sbgp_autonomousSysNum; +} + /* * Figure out whether extension uses inheritance. */ diff --git a/lib/libcrypto/x509/x509_bcons.c b/lib/libcrypto/x509/x509_bcons.c index 7ad65231ecb..e44ff4d1cb6 100644 
--- a/lib/libcrypto/x509/x509_bcons.c +++ b/lib/libcrypto/x509/x509_bcons.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_bcons.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */ +/* $OpenBSD: x509_bcons.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -70,7 +70,7 @@ static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values); -const X509V3_EXT_METHOD v3_bcons = { +static const X509V3_EXT_METHOD x509v3_ext_basic_constraints = { .ext_nid = NID_basic_constraints, .ext_flags = 0, .it = &BASIC_CONSTRAINTS_it, @@ -87,6 +87,12 @@ const X509V3_EXT_METHOD v3_bcons = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_basic_constraints(void) +{ + return &x509v3_ext_basic_constraints; +} + static const ASN1_TEMPLATE BASIC_CONSTRAINTS_seq_tt[] = { { .flags = ASN1_TFLG_OPTIONAL, diff --git a/lib/libcrypto/x509/x509_bitst.c b/lib/libcrypto/x509/x509_bitst.c index 4c36d31b030..0328310f08c 100644 --- a/lib/libcrypto/x509/x509_bitst.c +++ b/lib/libcrypto/x509/x509_bitst.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_bitst.c,v 1.5 2024/06/18 08:29:40 tb Exp $ */ +/* $OpenBSD: x509_bitst.c,v 1.6 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -102,7 +102,7 @@ static BIT_STRING_BITNAME crl_reasons[] = { {-1, NULL, NULL} }; -const X509V3_EXT_METHOD v3_nscert = { +static const X509V3_EXT_METHOD x509v3_ext_netscape_cert_type = { .ext_nid = NID_netscape_cert_type, .ext_flags = 0, .it = &ASN1_BIT_STRING_it, 
@@ -119,7 +119,13 @@ const X509V3_EXT_METHOD v3_nscert = { .usr_data = ns_cert_type_table, }; -const X509V3_EXT_METHOD v3_key_usage = { +const X509V3_EXT_METHOD * +x509v3_ext_method_netscape_cert_type(void) +{ + return &x509v3_ext_netscape_cert_type; +} + +static const X509V3_EXT_METHOD x509v3_ext_key_usage = { .ext_nid = NID_key_usage, .ext_flags = 0, .it = &ASN1_BIT_STRING_it, @@ -136,7 +142,13 @@ const X509V3_EXT_METHOD v3_key_usage = { .usr_data = key_usage_type_table, }; -const X509V3_EXT_METHOD v3_crl_reason = { +const X509V3_EXT_METHOD * +x509v3_ext_method_key_usage(void) +{ + return &x509v3_ext_key_usage; +} + +static const X509V3_EXT_METHOD x509v3_ext_crl_reason = { .ext_nid = NID_crl_reason, .ext_flags = 0, .it = &ASN1_ENUMERATED_it, @@ -153,6 +165,12 @@ const X509V3_EXT_METHOD v3_crl_reason = { .usr_data = crl_reasons, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_crl_reason(void) +{ + return &x509v3_ext_crl_reason; +} + STACK_OF(CONF_VALUE) * i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, ASN1_BIT_STRING *bits, STACK_OF(CONF_VALUE) *ret) diff --git a/lib/libcrypto/x509/x509_cpols.c b/lib/libcrypto/x509/x509_cpols.c index 34c9345a4fc..7a701ea6594 100644 --- a/lib/libcrypto/x509/x509_cpols.c +++ b/lib/libcrypto/x509/x509_cpols.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_cpols.c,v 1.12 2024/07/08 14:47:44 beck Exp $ */ +/* $OpenBSD: x509_cpols.c,v 1.13 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -82,7 +82,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *unot, int ia5org); static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos); -const X509V3_EXT_METHOD v3_cpols = { +static const X509V3_EXT_METHOD x509v3_ext_certificate_policies = { .ext_nid = NID_certificate_policies, .ext_flags = 0, .it = &CERTIFICATEPOLICIES_it, 
@@ -99,6 +99,12 @@ const X509V3_EXT_METHOD v3_cpols = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_certificate_policies(void) +{ + return &x509v3_ext_certificate_policies; +} + static const ASN1_TEMPLATE CERTIFICATEPOLICIES_item_tt = { .flags = ASN1_TFLG_SEQUENCE_OF, .tag = 0, diff --git a/lib/libcrypto/x509/x509_crld.c b/lib/libcrypto/x509/x509_crld.c index dfb5d27f656..e9252a247aa 100644 --- a/lib/libcrypto/x509/x509_crld.c +++ b/lib/libcrypto/x509/x509_crld.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_crld.c,v 1.6 2024/07/08 14:47:44 beck Exp $ */ +/* $OpenBSD: x509_crld.c,v 1.7 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -72,7 +72,7 @@ static void *v2i_crld(const X509V3_EXT_METHOD *method, static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out, int indent); -const X509V3_EXT_METHOD v3_crld = { +static const X509V3_EXT_METHOD x509v3_ext_crl_distribution_points = { .ext_nid = NID_crl_distribution_points, .ext_flags = 0, .it = &CRL_DIST_POINTS_it, @@ -89,7 +89,13 @@ const X509V3_EXT_METHOD v3_crld = { .usr_data = NULL, }; -const X509V3_EXT_METHOD v3_freshest_crl = { +const X509V3_EXT_METHOD * +x509v3_ext_method_crl_distribution_points(void) +{ + return &x509v3_ext_crl_distribution_points; +} + +static const X509V3_EXT_METHOD x509v3_ext_freshest_crl = { .ext_nid = NID_freshest_crl, .ext_flags = 0, .it = &CRL_DIST_POINTS_it, @@ -106,6 +112,12 @@ const X509V3_EXT_METHOD v3_freshest_crl = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_freshest_crl(void) +{ + return &x509v3_ext_freshest_crl; +} + static STACK_OF(GENERAL_NAME) * gnames_from_sectname(X509V3_CTX *ctx, char *sect) { 
@@ -655,17 +667,29 @@ static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out, static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); -const X509V3_EXT_METHOD v3_idp = { - NID_issuing_distribution_point, X509V3_EXT_MULTILINE, - &ISSUING_DIST_POINT_it, - 0, 0, 0, 0, - 0, 0, - 0, - v2i_idp, - i2r_idp, 0, - NULL +static const X509V3_EXT_METHOD x509v3_ext_issuing_distribution_point = { + .ext_nid = NID_issuing_distribution_point, + .ext_flags = X509V3_EXT_MULTILINE, + .it = &ISSUING_DIST_POINT_it, + .ext_new = NULL, + .ext_free = NULL, + .d2i = NULL, + .i2d = NULL, + .i2s = NULL, + .s2i = NULL, + .i2v = NULL, + .v2i = v2i_idp, + .i2r = i2r_idp, + .r2i = NULL, + .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_issuing_distribution_point(void) +{ + return &x509v3_ext_issuing_distribution_point; +} + static void * v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) diff --git a/lib/libcrypto/x509/x509_extku.c b/lib/libcrypto/x509/x509_extku.c index f0f8d44aa66..6a69adabc61 100644 --- a/lib/libcrypto/x509/x509_extku.c +++ b/lib/libcrypto/x509/x509_extku.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_extku.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */ +/* $OpenBSD: x509_extku.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -68,7 +68,7 @@ static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method, static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE( const X509V3_EXT_METHOD *method, void *eku, STACK_OF(CONF_VALUE) *extlist); -const X509V3_EXT_METHOD v3_ext_ku = { +static const X509V3_EXT_METHOD x509v3_ext_ext_key_usage = { .ext_nid = NID_ext_key_usage, .ext_flags = 0, .it = &EXTENDED_KEY_USAGE_it, 
@@ -85,8 +85,14 @@ const X509V3_EXT_METHOD v3_ext_ku = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_ext_key_usage(void) +{ + return &x509v3_ext_ext_key_usage; +} + /* NB OCSP acceptable responses also is a SEQUENCE OF OBJECT */ -const X509V3_EXT_METHOD v3_ocsp_accresp = { +static const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_acceptableResponses = { .ext_nid = NID_id_pkix_OCSP_acceptableResponses, .ext_flags = 0, .it = &EXTENDED_KEY_USAGE_it, @@ -103,6 +109,12 @@ const X509V3_EXT_METHOD v3_ocsp_accresp = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_id_pkix_OCSP_acceptableResponses(void) +{ + return &x509v3_ext_id_pkix_OCSP_acceptableResponses; +} + static const ASN1_TEMPLATE EXTENDED_KEY_USAGE_item_tt = { .flags = ASN1_TFLG_SEQUENCE_OF, .tag = 0, diff --git a/lib/libcrypto/x509/x509_ia5.c b/lib/libcrypto/x509/x509_ia5.c index 4113c3d3b38..4f62a9134cc 100644 --- a/lib/libcrypto/x509/x509_ia5.c +++ b/lib/libcrypto/x509/x509_ia5.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_ia5.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ +/* $OpenBSD: x509_ia5.c,v 1.2 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ 
@@ -68,137 +68,167 @@ static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5); static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str); -const X509V3_EXT_METHOD v3_ns_ia5_list[] = { - { - .ext_nid = NID_netscape_base_url, - .ext_flags = 0, - .it = &ASN1_IA5STRING_it, - .ext_new = NULL, - .ext_free = NULL, - .d2i = NULL, - .i2d = NULL, - .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, - .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, - .i2v = NULL, - .v2i = NULL, - .i2r = NULL, - .r2i = NULL, - .usr_data = NULL, - }, - { - .ext_nid = NID_netscape_revocation_url, - .ext_flags = 0, - .it = &ASN1_IA5STRING_it, - .ext_new = NULL, - .ext_free = NULL, - .d2i = NULL, - .i2d = NULL, - .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, - .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, - .i2v = NULL, - .v2i = NULL, - .i2r = NULL, - .r2i = NULL, - .usr_data = NULL, - }, - { - .ext_nid = NID_netscape_ca_revocation_url, - .ext_flags = 0, - .it = &ASN1_IA5STRING_it, - .ext_new = NULL, - .ext_free = NULL, - .d2i = NULL, - .i2d = NULL, - .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, - .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, - .i2v = NULL, - .v2i = NULL, - .i2r = NULL, - .r2i = NULL, - .usr_data = NULL, - }, - { - .ext_nid = NID_netscape_renewal_url, - .ext_flags = 0, - .it = &ASN1_IA5STRING_it, - .ext_new = NULL, - .ext_free = NULL, - .d2i = NULL, - .i2d = NULL, - .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, - .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, - .i2v = NULL, - .v2i = NULL, - .i2r = NULL, - .r2i = NULL, - .usr_data = NULL, - }, - { - .ext_nid = NID_netscape_ca_policy_url, - .ext_flags = 0, - .it = &ASN1_IA5STRING_it, - .ext_new = NULL, - .ext_free = NULL, - .d2i = NULL, - .i2d = NULL, - .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, - .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, - .i2v = NULL, - .v2i = NULL, - .i2r = NULL, - .r2i = NULL, - .usr_data = NULL, - }, - { - .ext_nid = NID_netscape_ssl_server_name, - .ext_flags = 0, - .it = 
&ASN1_IA5STRING_it, - .ext_new = NULL, - .ext_free = NULL, - .d2i = NULL, - .i2d = NULL, - .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, - .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, - .i2v = NULL, - .v2i = NULL, - .i2r = NULL, - .r2i = NULL, - .usr_data = NULL, - }, - { - .ext_nid = NID_netscape_comment, - .ext_flags = 0, - .it = &ASN1_IA5STRING_it, - .ext_new = NULL, - .ext_free = NULL, - .d2i = NULL, - .i2d = NULL, - .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, - .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, - .i2v = NULL, - .v2i = NULL, - .i2r = NULL, - .r2i = NULL, - .usr_data = NULL, - }, - { - .ext_nid = -1, - .ext_flags = 0, - .it = NULL, - .ext_new = NULL, - .ext_free = NULL, - .d2i = NULL, - .i2d = NULL, - .i2s = NULL, - .s2i = NULL, - .i2v = NULL, - .v2i = NULL, - .i2r = NULL, - .r2i = NULL, - .usr_data = NULL, - }, +static const X509V3_EXT_METHOD x509v3_ext_netscape_base_url = { + .ext_nid = NID_netscape_base_url, + .ext_flags = 0, + .it = &ASN1_IA5STRING_it, + .ext_new = NULL, + .ext_free = NULL, + .d2i = NULL, + .i2d = NULL, + .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, + .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, + .i2v = NULL, + .v2i = NULL, + .i2r = NULL, + .r2i = NULL, + .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_netscape_base_url(void) +{ + return &x509v3_ext_netscape_base_url; +} + +static const X509V3_EXT_METHOD x509v3_ext_netscape_revocation_url = { + .ext_nid = NID_netscape_revocation_url, + .ext_flags = 0, + .it = &ASN1_IA5STRING_it, + .ext_new = NULL, + .ext_free = NULL, + .d2i = NULL, + .i2d = NULL, + .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, + .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, + .i2v = NULL, + .v2i = NULL, + .i2r = NULL, + .r2i = NULL, + .usr_data = NULL, +}; + +const X509V3_EXT_METHOD * +x509v3_ext_method_netscape_revocation_url(void) +{ + return &x509v3_ext_netscape_revocation_url; +} + +static const X509V3_EXT_METHOD x509v3_ext_netscape_ca_revocation_url = { + .ext_nid = NID_netscape_ca_revocation_url, + 
.ext_flags = 0, + .it = &ASN1_IA5STRING_it, + .ext_new = NULL, + .ext_free = NULL, + .d2i = NULL, + .i2d = NULL, + .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, + .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, + .i2v = NULL, + .v2i = NULL, + .i2r = NULL, + .r2i = NULL, + .usr_data = NULL, +}; + +const X509V3_EXT_METHOD * +x509v3_ext_method_netscape_ca_revocation_url(void) +{ + return &x509v3_ext_netscape_ca_revocation_url; +} + +static const X509V3_EXT_METHOD x509v3_ext_netscape_renewal_url = { + .ext_nid = NID_netscape_renewal_url, + .ext_flags = 0, + .it = &ASN1_IA5STRING_it, + .ext_new = NULL, + .ext_free = NULL, + .d2i = NULL, + .i2d = NULL, + .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, + .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, + .i2v = NULL, + .v2i = NULL, + .i2r = NULL, + .r2i = NULL, + .usr_data = NULL, +}; + +const X509V3_EXT_METHOD * +x509v3_ext_method_netscape_renewal_url(void) +{ + return &x509v3_ext_netscape_renewal_url; +} + +static const X509V3_EXT_METHOD x509v3_ext_netscape_ca_policy_url = { + .ext_nid = NID_netscape_ca_policy_url, + .ext_flags = 0, + .it = &ASN1_IA5STRING_it, + .ext_new = NULL, + .ext_free = NULL, + .d2i = NULL, + .i2d = NULL, + .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, + .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, + .i2v = NULL, + .v2i = NULL, + .i2r = NULL, + .r2i = NULL, + .usr_data = NULL, +}; + +const X509V3_EXT_METHOD * +x509v3_ext_method_netscape_ca_policy_url(void) +{ + return &x509v3_ext_netscape_ca_policy_url; +} + +static const X509V3_EXT_METHOD x509v3_ext_netscape_ssl_server_name = { + .ext_nid = NID_netscape_ssl_server_name, + .ext_flags = 0, + .it = &ASN1_IA5STRING_it, + .ext_new = NULL, + .ext_free = NULL, + .d2i = NULL, + .i2d = NULL, + .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, + .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, + .i2v = NULL, + .v2i = NULL, + .i2r = NULL, + .r2i = NULL, + .usr_data = NULL, +}; + +const X509V3_EXT_METHOD * +x509v3_ext_method_netscape_ssl_server_name(void) +{ + return 
&x509v3_ext_netscape_ssl_server_name; +} + +static const X509V3_EXT_METHOD x509v3_ext_netscape_comment = { + .ext_nid = NID_netscape_comment, + .ext_flags = 0, + .it = &ASN1_IA5STRING_it, + .ext_new = NULL, + .ext_free = NULL, + .d2i = NULL, + .i2d = NULL, + .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, + .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, + .i2v = NULL, + .v2i = NULL, + .i2r = NULL, + .r2i = NULL, + .usr_data = NULL, +}; + +const X509V3_EXT_METHOD * +x509v3_ext_method_netscape_comment(void) +{ + return &x509v3_ext_netscape_comment; +} + static char * i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5) { diff --git a/lib/libcrypto/x509/x509_info.c b/lib/libcrypto/x509/x509_info.c index 9372b066aef..d1de346ee65 100644 --- a/lib/libcrypto/x509/x509_info.c +++ b/lib/libcrypto/x509/x509_info.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_info.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */ +/* $OpenBSD: x509_info.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -71,7 +71,7 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS( static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS( X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); -const X509V3_EXT_METHOD v3_info = { +static const X509V3_EXT_METHOD x509v3_ext_info_access = { .ext_nid = NID_info_access, .ext_flags = X509V3_EXT_MULTILINE, .it = &AUTHORITY_INFO_ACCESS_it, @@ -88,7 +88,13 @@ const X509V3_EXT_METHOD v3_info = { .usr_data = NULL, }; -const X509V3_EXT_METHOD v3_sinfo = { +const X509V3_EXT_METHOD * +x509v3_ext_method_info_access(void) +{ + return &x509v3_ext_info_access; +} + +static const X509V3_EXT_METHOD x509v3_ext_sinfo_access = { .ext_nid = NID_sinfo_access, .ext_flags = X509V3_EXT_MULTILINE, .it = &AUTHORITY_INFO_ACCESS_it, 
@@ -105,6 +111,12 @@ const X509V3_EXT_METHOD v3_sinfo = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_sinfo_access(void) +{ + return &x509v3_ext_sinfo_access; +} + static const ASN1_TEMPLATE ACCESS_DESCRIPTION_seq_tt[] = { { .flags = 0, diff --git a/lib/libcrypto/x509/x509_int.c b/lib/libcrypto/x509/x509_int.c index 35c8853c137..2236bfe4c40 100644 --- a/lib/libcrypto/x509/x509_int.c +++ b/lib/libcrypto/x509/x509_int.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_int.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ +/* $OpenBSD: x509_int.c,v 1.2 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -60,7 +60,7 @@ #include -const X509V3_EXT_METHOD v3_crl_num = { +static const X509V3_EXT_METHOD x509v3_ext_crl_number = { .ext_nid = NID_crl_number, .ext_flags = 0, .it = &ASN1_INTEGER_it, @@ -77,7 +77,13 @@ const X509V3_EXT_METHOD v3_crl_num = { .usr_data = NULL, }; -const X509V3_EXT_METHOD v3_delta_crl = { +const X509V3_EXT_METHOD * +x509v3_ext_method_crl_number(void) +{ + return &x509v3_ext_crl_number; +} + +static const X509V3_EXT_METHOD x509v3_ext_delta_crl = { .ext_nid = NID_delta_crl, .ext_flags = 0, .it = &ASN1_INTEGER_it, 
@@ -94,17 +100,37 @@ const X509V3_EXT_METHOD v3_delta_crl = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_delta_crl(void) +{ + return &x509v3_ext_delta_crl; +} + static void * s2i_asn1_int(X509V3_EXT_METHOD *meth, X509V3_CTX *ctx, char *value) { return s2i_ASN1_INTEGER(meth, value); } -const X509V3_EXT_METHOD v3_inhibit_anyp = { - NID_inhibit_any_policy, 0, &ASN1_INTEGER_it, - 0, 0, 0, 0, - (X509V3_EXT_I2S)i2s_ASN1_INTEGER, - (X509V3_EXT_S2I)s2i_asn1_int, - 0, 0, 0, 0, - NULL +static const X509V3_EXT_METHOD x509v3_ext_inhibit_any_policy = { + .ext_nid = NID_inhibit_any_policy, + .ext_flags = 0, + .it = &ASN1_INTEGER_it, + .ext_new = NULL, + .ext_free = NULL, + .d2i = NULL, + .i2d = NULL, + .i2s = (X509V3_EXT_I2S)i2s_ASN1_INTEGER, + .s2i = (X509V3_EXT_S2I)s2i_asn1_int, + .i2v = NULL, + .v2i = NULL, + .i2r = NULL, + .r2i = NULL, + .usr_data = NULL, }; + +const X509V3_EXT_METHOD * +x509v3_ext_method_inhibit_any_policy(void) +{ + return &x509v3_ext_inhibit_any_policy; +} diff --git a/lib/libcrypto/x509/x509_lib.c b/lib/libcrypto/x509/x509_lib.c index 8382babbdfc..6fa66ab88ef 100644 --- a/lib/libcrypto/x509/x509_lib.c +++ b/lib/libcrypto/x509/x509_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_lib.c,v 1.23 2024/06/17 05:38:08 tb Exp $ */ +/* $OpenBSD: x509_lib.c,v 1.24 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ 
@@ -65,89 +65,104 @@ #include "x509_local.h" -extern const X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku; -extern const X509V3_EXT_METHOD v3_pkey_usage_period, v3_info, v3_sinfo; -extern const X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id; -extern const X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate; -extern const X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl; -extern const X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff; -extern const X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc; -extern const X509V3_EXT_METHOD v3_crl_hold; -extern const X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints; -extern const X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp; -extern const X509V3_EXT_METHOD v3_addr, v3_asid; -extern const X509V3_EXT_METHOD v3_ct_scts[3]; - -static const X509V3_EXT_METHOD *standard_exts[] = { - &v3_nscert, - &v3_ns_ia5_list[0], - &v3_ns_ia5_list[1], - &v3_ns_ia5_list[2], - &v3_ns_ia5_list[3], - &v3_ns_ia5_list[4], - &v3_ns_ia5_list[5], - &v3_ns_ia5_list[6], - &v3_skey_id, - &v3_key_usage, - &v3_pkey_usage_period, - &v3_alt[0], - &v3_alt[1], - &v3_bcons, - &v3_crl_num, - &v3_cpols, - &v3_akey_id, - &v3_crld, - &v3_ext_ku, - &v3_delta_crl, - &v3_crl_reason, -#ifndef OPENSSL_NO_OCSP - &v3_crl_invdate, -#endif - &v3_info, -#ifndef OPENSSL_NO_RFC3779 - &v3_addr, - &v3_asid, -#endif -#ifndef OPENSSL_NO_OCSP - &v3_ocsp_nonce, - &v3_ocsp_crlid, - &v3_ocsp_accresp, - &v3_ocsp_nocheck, - &v3_ocsp_acutoff, - &v3_ocsp_serviceloc, +const X509V3_EXT_METHOD * +X509V3_EXT_get_nid(int nid) +{ + switch (nid) { + case NID_authority_key_identifier: + return x509v3_ext_method_authority_key_identifier(); + case NID_basic_constraints: + return x509v3_ext_method_basic_constraints(); + case NID_certificate_issuer: + return x509v3_ext_method_certificate_issuer(); + case NID_certificate_policies: + return x509v3_ext_method_certificate_policies(); 
+ case NID_crl_distribution_points: + return x509v3_ext_method_crl_distribution_points(); + case NID_crl_number: + return x509v3_ext_method_crl_number(); + case NID_crl_reason: + return x509v3_ext_method_crl_reason(); +#ifndef OPENSSL_NO_CT + case NID_ct_cert_scts: + return x509v3_ext_method_ct_cert_scts(); + case NID_ct_precert_poison: + return x509v3_ext_method_ct_precert_poison(); + case NID_ct_precert_scts: + return x509v3_ext_method_ct_precert_scts(); #endif - &v3_sinfo, - &v3_policy_constraints, + case NID_delta_crl: + return x509v3_ext_method_delta_crl(); + case NID_ext_key_usage: + return x509v3_ext_method_ext_key_usage(); + case NID_freshest_crl: + return x509v3_ext_method_freshest_crl(); #ifndef OPENSSL_NO_OCSP - &v3_crl_hold, + case NID_hold_instruction_code: + return x509v3_ext_method_hold_instruction_code(); + case NID_id_pkix_OCSP_CrlID: + return x509v3_ext_method_id_pkix_OCSP_CrlID(); + case NID_id_pkix_OCSP_Nonce: + return x509v3_ext_method_id_pkix_OCSP_Nonce(); + case NID_id_pkix_OCSP_acceptableResponses: + return x509v3_ext_method_id_pkix_OCSP_acceptableResponses(); + case NID_id_pkix_OCSP_archiveCutoff: + return x509v3_ext_method_id_pkix_OCSP_archiveCutoff(); + case NID_id_pkix_OCSP_serviceLocator: + return x509v3_ext_method_id_pkix_OCSP_serviceLocator(); #endif - &v3_name_constraints, - &v3_policy_mappings, - &v3_inhibit_anyp, - &v3_idp, - &v3_alt[2], - &v3_freshest_crl, -#ifndef OPENSSL_NO_CT - &v3_ct_scts[0], - &v3_ct_scts[1], - &v3_ct_scts[2], + case NID_info_access: + return x509v3_ext_method_info_access(); + case NID_inhibit_any_policy: + return x509v3_ext_method_inhibit_any_policy(); + case NID_invalidity_date: + return x509v3_ext_method_invalidity_date(); + case NID_issuer_alt_name: + return x509v3_ext_method_issuer_alt_name(); + case NID_issuing_distribution_point: + return x509v3_ext_method_issuing_distribution_point(); + case NID_key_usage: + return x509v3_ext_method_key_usage(); + case NID_name_constraints: + return 
x509v3_ext_method_name_constraints(); + case NID_netscape_base_url: + return x509v3_ext_method_netscape_base_url(); + case NID_netscape_ca_policy_url: + return x509v3_ext_method_netscape_ca_policy_url(); + case NID_netscape_ca_revocation_url: + return x509v3_ext_method_netscape_ca_revocation_url(); + case NID_netscape_cert_type: + return x509v3_ext_method_netscape_cert_type(); + case NID_netscape_comment: + return x509v3_ext_method_netscape_comment(); + case NID_netscape_renewal_url: + return x509v3_ext_method_netscape_renewal_url(); + case NID_netscape_revocation_url: + return x509v3_ext_method_netscape_revocation_url(); + case NID_netscape_ssl_server_name: + return x509v3_ext_method_netscape_ssl_server_name(); + case NID_policy_constraints: + return x509v3_ext_method_policy_constraints(); + case NID_policy_mappings: + return x509v3_ext_method_policy_mappings(); + case NID_private_key_usage_period: + return x509v3_ext_method_private_key_usage_period(); +#ifndef OPENSSL_NO_RFC3779 + case NID_sbgp_ipAddrBlock: + return x509v3_ext_method_sbgp_ipAddrBlock(); + case NID_sbgp_autonomousSysNum: + return x509v3_ext_method_sbgp_autonomousSysNum(); #endif -}; - -#define STANDARD_EXTENSION_COUNT (sizeof(standard_exts) / sizeof(standard_exts[0])) - -const X509V3_EXT_METHOD * -X509V3_EXT_get_nid(int nid) -{ - size_t i; - - for (i = 0; i < STANDARD_EXTENSION_COUNT; i++) { - if (standard_exts[i]->ext_nid == nid) - return standard_exts[i]; + case NID_sinfo_access: + return x509v3_ext_method_sinfo_access(); + case NID_subject_alt_name: + return x509v3_ext_method_subject_alt_name(); + case NID_subject_key_identifier: + return x509v3_ext_method_subject_key_identifier(); + default: + return NULL; } - - return NULL; -} +}; LCRYPTO_ALIAS(X509V3_EXT_get_nid); const X509V3_EXT_METHOD * diff --git a/lib/libcrypto/x509/x509_local.h b/lib/libcrypto/x509/x509_local.h index 6b72678e7a2..81a237d860d 100644 --- a/lib/libcrypto/x509/x509_local.h +++ b/lib/libcrypto/x509/x509_local.h 
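Review bot: NID_id_pkix_OCSP_noCheck has no case in the new X509V3_EXT_get_nid(), although the removed standard_exts table listed `&v3_ocsp_nocheck` inside its `#ifndef OPENSSL_NO_OCSP` group, so a lookup of that NID now returns NULL and whatever resolves the OCSP no-check handler by NID presumably stops finding it. The x509_ocsp.c hunk at `@@ -197,7 +227,13 @@` still defines x509v3_ext_method_id_pkix_OCSP_noCheck(), but the x509_local.h hunk at `@@ -418,6 +418,49 @@` adds no prototype for it, so the accessor is both unreachable and undeclared. Add `case NID_id_pkix_OCSP_noCheck: return x509v3_ext_method_id_pkix_OCSP_noCheck();` next to the other OCSP cases and `const X509V3_EXT_METHOD *x509v3_ext_method_id_pkix_OCSP_noCheck(void);` to the header. Separately, the function now ends with `+};`, leaving a stray semicolon at file scope after the closing brace; it should be a bare `}` before `LCRYPTO_ALIAS(X509V3_EXT_get_nid);`.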
@@ -1,4 +1,4 @@ -/* $OpenBSD: x509_local.h,v 1.25 2024/07/12 18:15:10 beck Exp $ */ +/* $OpenBSD: x509_local.h,v 1.26 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2013. */ 
@@ -418,6 +418,49 @@ X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen, int X509_PURPOSE_get_by_id(int id); int X509_PURPOSE_get_trust(const X509_PURPOSE *xp); +const X509V3_EXT_METHOD *x509v3_ext_method_authority_key_identifier(void); +const X509V3_EXT_METHOD *x509v3_ext_method_basic_constraints(void); +const X509V3_EXT_METHOD *x509v3_ext_method_certificate_issuer(void); +const X509V3_EXT_METHOD *x509v3_ext_method_certificate_policies(void); +const X509V3_EXT_METHOD *x509v3_ext_method_crl_distribution_points(void); +const X509V3_EXT_METHOD *x509v3_ext_method_crl_number(void); +const X509V3_EXT_METHOD *x509v3_ext_method_crl_reason(void); +const X509V3_EXT_METHOD *x509v3_ext_method_ct_cert_scts(void); +const X509V3_EXT_METHOD *x509v3_ext_method_ct_precert_poison(void); +const X509V3_EXT_METHOD *x509v3_ext_method_ct_precert_scts(void); +const X509V3_EXT_METHOD *x509v3_ext_method_delta_crl(void); +const X509V3_EXT_METHOD *x509v3_ext_method_ext_key_usage(void); +const X509V3_EXT_METHOD *x509v3_ext_method_freshest_crl(void); +const X509V3_EXT_METHOD *x509v3_ext_method_hold_instruction_code(void); +const X509V3_EXT_METHOD *x509v3_ext_method_id_pkix_OCSP_CrlID(void); +const X509V3_EXT_METHOD *x509v3_ext_method_id_pkix_OCSP_Nonce(void); +const X509V3_EXT_METHOD *x509v3_ext_method_id_pkix_OCSP_acceptableResponses(void); +const X509V3_EXT_METHOD *x509v3_ext_method_id_pkix_OCSP_archiveCutoff(void); +const X509V3_EXT_METHOD *x509v3_ext_method_id_pkix_OCSP_serviceLocator(void); +const X509V3_EXT_METHOD *x509v3_ext_method_info_access(void); +const X509V3_EXT_METHOD *x509v3_ext_method_inhibit_any_policy(void); +const X509V3_EXT_METHOD *x509v3_ext_method_invalidity_date(void); +const X509V3_EXT_METHOD *x509v3_ext_method_issuer_alt_name(void); +const X509V3_EXT_METHOD *x509v3_ext_method_issuing_distribution_point(void); +const X509V3_EXT_METHOD *x509v3_ext_method_key_usage(void); +const X509V3_EXT_METHOD *x509v3_ext_method_name_constraints(void); +const 
X509V3_EXT_METHOD *x509v3_ext_method_netscape_base_url(void); +const X509V3_EXT_METHOD *x509v3_ext_method_netscape_ca_policy_url(void); +const X509V3_EXT_METHOD *x509v3_ext_method_netscape_ca_revocation_url(void); +const X509V3_EXT_METHOD *x509v3_ext_method_netscape_cert_type(void); +const X509V3_EXT_METHOD *x509v3_ext_method_netscape_comment(void); +const X509V3_EXT_METHOD *x509v3_ext_method_netscape_renewal_url(void); +const X509V3_EXT_METHOD *x509v3_ext_method_netscape_revocation_url(void); +const X509V3_EXT_METHOD *x509v3_ext_method_netscape_ssl_server_name(void); +const X509V3_EXT_METHOD *x509v3_ext_method_policy_constraints(void); +const X509V3_EXT_METHOD *x509v3_ext_method_policy_mappings(void); +const X509V3_EXT_METHOD *x509v3_ext_method_private_key_usage_period(void); +const X509V3_EXT_METHOD *x509v3_ext_method_sbgp_ipAddrBlock(void); +const X509V3_EXT_METHOD *x509v3_ext_method_sbgp_autonomousSysNum(void); +const X509V3_EXT_METHOD *x509v3_ext_method_sinfo_access(void); +const X509V3_EXT_METHOD *x509v3_ext_method_subject_alt_name(void); +const X509V3_EXT_METHOD *x509v3_ext_method_subject_key_identifier(void); + __END_HIDDEN_DECLS #endif /* !HEADER_X509_LOCAL_H */ diff --git a/lib/libcrypto/x509/x509_ncons.c b/lib/libcrypto/x509/x509_ncons.c index f8c63886a4e..148a66e887c 100644 --- a/lib/libcrypto/x509/x509_ncons.c +++ b/lib/libcrypto/x509/x509_ncons.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_ncons.c,v 1.10 2024/07/08 14:47:44 beck Exp $ */ +/* $OpenBSD: x509_ncons.c,v 1.11 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ 
@@ -81,7 +81,7 @@ static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns); static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml); static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base); -const X509V3_EXT_METHOD v3_name_constraints = { +static const X509V3_EXT_METHOD x509v3_ext_name_constraints = { .ext_nid = NID_name_constraints, .ext_flags = 0, .it = &NAME_CONSTRAINTS_it, @@ -98,6 +98,12 @@ const X509V3_EXT_METHOD v3_name_constraints = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_name_constraints(void) +{ + return &x509v3_ext_name_constraints; +} + static const ASN1_TEMPLATE GENERAL_SUBTREE_seq_tt[] = { { .flags = 0, diff --git a/lib/libcrypto/x509/x509_ocsp.c b/lib/libcrypto/x509/x509_ocsp.c index cc55d9390d8..11d1a1c9c3b 100644 --- a/lib/libcrypto/x509/x509_ocsp.c +++ b/lib/libcrypto/x509/x509_ocsp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_ocsp.c,v 1.2 2022/01/07 09:45:52 tb Exp $ */ +/* $OpenBSD: x509_ocsp.c,v 1.3 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -95,7 +95,7 @@ static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind); -const X509V3_EXT_METHOD v3_ocsp_crlid = { +static const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_CrlID = { .ext_nid = NID_id_pkix_OCSP_CrlID, .ext_flags = 0, .it = &OCSP_CRLID_it, @@ -112,7 +112,13 @@ const X509V3_EXT_METHOD v3_ocsp_crlid = { .usr_data = NULL, }; -const X509V3_EXT_METHOD v3_ocsp_acutoff = { +const X509V3_EXT_METHOD * +x509v3_ext_method_id_pkix_OCSP_CrlID(void) +{ + return &x509v3_ext_id_pkix_OCSP_CrlID; +} + +const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_archiveCutoff = { .ext_nid = NID_id_pkix_OCSP_archiveCutoff, .ext_flags = 0, .it = &ASN1_GENERALIZEDTIME_it, 
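Review bot: The renamed archiveCutoff method struct is missing `static` (`+const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_archiveCutoff = {`), unlike every other x509v3_ext_* struct in this commit and contrary to the commit message's "Make all the structs static". With the old `v3_ocsp_acutoff` extern removed from x509_lib.c nothing else references the symbol by name, so it should read `static const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_archiveCutoff = {` and the accessor added in the next hunk remains the only way to reach it. The struct's initializer continues past the end of this hunk.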
@@ -129,7 +135,13 @@ const X509V3_EXT_METHOD v3_ocsp_acutoff = { .usr_data = NULL, }; -const X509V3_EXT_METHOD v3_crl_invdate = { +const X509V3_EXT_METHOD * +x509v3_ext_method_id_pkix_OCSP_archiveCutoff(void) +{ + return &x509v3_ext_id_pkix_OCSP_archiveCutoff; +} + +static const X509V3_EXT_METHOD x509v3_ext_invalidity_date = { .ext_nid = NID_invalidity_date, .ext_flags = 0, .it = &ASN1_GENERALIZEDTIME_it, @@ -146,7 +158,13 @@ const X509V3_EXT_METHOD v3_crl_invdate = { .usr_data = NULL, }; -const X509V3_EXT_METHOD v3_crl_hold = { +const X509V3_EXT_METHOD * +x509v3_ext_method_invalidity_date(void) +{ + return &x509v3_ext_invalidity_date; +} + +static const X509V3_EXT_METHOD x509v3_ext_hold_instruction_code = { .ext_nid = NID_hold_instruction_code, .ext_flags = 0, .it = &ASN1_OBJECT_it, @@ -163,7 +181,13 @@ const X509V3_EXT_METHOD v3_crl_hold = { .usr_data = NULL, }; -const X509V3_EXT_METHOD v3_ocsp_nonce = { +const X509V3_EXT_METHOD * +x509v3_ext_method_hold_instruction_code(void) +{ + return &x509v3_ext_hold_instruction_code; +} + +static const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_Nonce = { .ext_nid = NID_id_pkix_OCSP_Nonce, .ext_flags = 0, .it = NULL, @@ -180,7 +204,13 @@ const X509V3_EXT_METHOD v3_ocsp_nonce = { .usr_data = NULL, }; -const X509V3_EXT_METHOD v3_ocsp_nocheck = { +const X509V3_EXT_METHOD * +x509v3_ext_method_id_pkix_OCSP_Nonce(void) +{ + return &x509v3_ext_id_pkix_OCSP_Nonce; +} + +static const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_noCheck = { .ext_nid = NID_id_pkix_OCSP_noCheck, .ext_flags = 0, .it = &ASN1_NULL_it, @@ -197,7 +227,13 @@ const X509V3_EXT_METHOD v3_ocsp_nocheck = { .usr_data = NULL, }; -const X509V3_EXT_METHOD v3_ocsp_serviceloc = { +const X509V3_EXT_METHOD * +x509v3_ext_method_id_pkix_OCSP_noCheck(void) +{ + return &x509v3_ext_id_pkix_OCSP_noCheck; +} + +static const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_serviceLocator = { .ext_nid = NID_id_pkix_OCSP_serviceLocator, .ext_flags = 0, .it = &OCSP_SERVICELOC_it, 
@@ -214,6 +250,12 @@ const X509V3_EXT_METHOD v3_ocsp_serviceloc = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_id_pkix_OCSP_serviceLocator(void) +{ + return &x509v3_ext_id_pkix_OCSP_serviceLocator; +} + static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind) { diff --git a/lib/libcrypto/x509/x509_pcons.c b/lib/libcrypto/x509/x509_pcons.c index 8f2109eaad5..d6ee9d7e2ca 100644 --- a/lib/libcrypto/x509/x509_pcons.c +++ b/lib/libcrypto/x509/x509_pcons.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_pcons.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */ +/* $OpenBSD: x509_pcons.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -71,7 +71,7 @@ i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *bcons, static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values); -const X509V3_EXT_METHOD v3_policy_constraints = { +static const X509V3_EXT_METHOD x509v3_ext_policy_constraints = { .ext_nid = NID_policy_constraints, .ext_flags = 0, .it = &POLICY_CONSTRAINTS_it, @@ -88,6 +88,12 @@ const X509V3_EXT_METHOD v3_policy_constraints = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_policy_constraints(void) +{ + return &x509v3_ext_policy_constraints; +} + static const ASN1_TEMPLATE POLICY_CONSTRAINTS_seq_tt[] = { { .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL, diff --git a/lib/libcrypto/x509/x509_pku.c b/lib/libcrypto/x509/x509_pku.c index 05c9ff24312..6753f0f7333 100644 --- a/lib/libcrypto/x509/x509_pku.c +++ b/lib/libcrypto/x509/x509_pku.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_pku.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */ +/* $OpenBSD: x509_pku.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ 
@@ -65,7 +65,7 @@ static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *usage, BIO *out, int indent); -const X509V3_EXT_METHOD v3_pkey_usage_period = { +static const X509V3_EXT_METHOD x509v3_ext_private_key_usage_period = { .ext_nid = NID_private_key_usage_period, .ext_flags = 0, .it = &PKEY_USAGE_PERIOD_it, @@ -82,6 +82,12 @@ const X509V3_EXT_METHOD v3_pkey_usage_period = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_private_key_usage_period(void) +{ + return &x509v3_ext_private_key_usage_period; +} + static const ASN1_TEMPLATE PKEY_USAGE_PERIOD_seq_tt[] = { { .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL, diff --git a/lib/libcrypto/x509/x509_pmaps.c b/lib/libcrypto/x509/x509_pmaps.c index b2d74dce1d1..7a91917f652 100644 --- a/lib/libcrypto/x509/x509_pmaps.c +++ b/lib/libcrypto/x509/x509_pmaps.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_pmaps.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */ +/* $OpenBSD: x509_pmaps.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -69,7 +69,7 @@ static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS( const X509V3_EXT_METHOD *method, void *pmps, STACK_OF(CONF_VALUE) *extlist); -const X509V3_EXT_METHOD v3_policy_mappings = { +static const X509V3_EXT_METHOD x509v3_ext_policy_mappings = { .ext_nid = NID_policy_mappings, .ext_flags = 0, .it = &POLICY_MAPPINGS_it, @@ -86,6 +86,12 @@ const X509V3_EXT_METHOD v3_policy_mappings = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_policy_mappings(void) +{ + return &x509v3_ext_policy_mappings; +} + static const ASN1_TEMPLATE POLICY_MAPPING_seq_tt[] = { { .flags = 0, diff --git a/lib/libcrypto/x509/x509_skey.c b/lib/libcrypto/x509/x509_skey.c index 245ba515866..d2c90b6f1cf 100644 --- a/lib/libcrypto/x509/x509_skey.c +++ b/lib/libcrypto/x509/x509_skey.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: x509_skey.c,v 1.5 2023/02/16 08:38:17 tb Exp $ */ +/* $OpenBSD: x509_skey.c,v 1.6 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -67,7 +67,7 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str); -const X509V3_EXT_METHOD v3_skey_id = { +static const X509V3_EXT_METHOD x509v3_ext_subject_key_identifier = { .ext_nid = NID_subject_key_identifier, .ext_flags = 0, .it = &ASN1_OCTET_STRING_it, @@ -84,6 +84,12 @@ const X509V3_EXT_METHOD v3_skey_id = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_subject_key_identifier(void) +{ + return &x509v3_ext_subject_key_identifier; +} + char * i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, const ASN1_OCTET_STRING *oct) { -- 2.20.1