Description of the patch:
This patch provides the extended syntax for CRL Distribution Points as
specified in RFC 3280 Section 4.2.1.14. It also tries to maintain
backward compatibility with the existing syntax.
Without this crld patch, the syntax for the X509 extension field "CRL
Distribution Points" recognized by openssl is either:
crlDistributionPoints=URI:http://uri.crl.com/crl1,URI:http://uri.crl.com/crl2
or
[EMAIL PROTECTED]
[crlsection]
URI.1=http://uri.crl.com/crl1
URI.2=http://uri.crl.com/crl2
Thus, you can only specify the 'fullname' field of a single distribution
point.
With this crld patch, openssl will support a richer syntax for the "CRL
Distribution Points" extension field. Apart from 'fullname', you will be
able to specify the 'relativename', 'reasons' and 'CRLissuer' fields.
This patch is backward compatible, so you will still be able to use the
old syntax.
The 'reasons' field is a bitmap of ReasonFlags. The ReasonFlags are:
unused (0), keyCompromise (1), cACompromise (2), affiliationChanged (3),
superseded (4), cessationOfOperation (5), certificateHold (6),
privilegeWithdrawn (7) and aACompromise (8).
Users can now specify CRL Distribution Points with a syntax as detailed as
the following:
[EMAIL PROTECTED],@distpoint2
[distpoint1]
fullname=URI:http://uri.crl.com/crl1,URI:http://uri.crl.com/crl2
reasons=keyCompromise,cACompromise
[distpoint2]
[EMAIL PROTECTED]
reasons=cessationOfOperation,privilegeWithdrawn
CRLissuer=email:[EMAIL PROTECTED]
[relnamesect]
C = US
O = Org, Inc.
0.OU = Org Unit 1
1.OU = Sub Org Unit 2
CN = relative common name
Thanks,
Abhijit Hayatnagarkar
Sparta, Inc.
A copy of the TSU Notification sent to [EMAIL PROTECTED] is attached
below. This notification also included the patches attached to this
email.
---------- Forwarded message ----------
Date: Mon, 5 Apr 2004 16:21:57 -0400 (EDT)
From: Abhijit Hayatnagarkar <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: TSU Notification
SUBMISSION TYPE : TSU
SUBMITTED BY : Abhijit Hayatnagarkar
SUBMITTED FOR : Sparta, Inc.
POINT OF CONTACT: Abhijit Hayatnagarkar
PHONE and/or FAX: (410) 872-1515 Ext. 236
MANUFACTURER :
PRODUCT NAME/MODEL #: Patches for OpenSSL version 0.9.7c and SNAP-20040227
ECCN: 5D002
NOTIFICATION: Source code for the patch attached.
Short Description:
This patch provides the extended syntax for CRL Distribution
Points in the X.509 Certificate Profile as specified in RFC 3280 (See:
http://www.ietf.org/rfc/rfc3280.txt).
diff -ur openssl-0.9.7c/crypto/x509v3/v3_crld.c
openssl-0.9.7c.modified/crypto/x509v3/v3_crld.c
--- openssl-0.9.7c/crypto/x509v3/v3_crld.c 2001-02-23 07:47:05.000000000 -0500
+++ openssl-0.9.7c.modified/crypto/x509v3/v3_crld.c 2004-04-05 15:55:24.000000000
-0400
@@ -63,8 +63,23 @@
#include <openssl/asn1t.h>
#include <openssl/x509v3.h>
-static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
- STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *extlist);
+static ENUMERATED_NAMES crl_reasons[] = {
+{0, "Unused", "unused"},
+{1, "Key Compromise", "keyCompromise"},
+{2, "CA Compromise", "cACompromise"},
+{3, "Affiliation Changed", "affiliationChanged"},
+{4, "Superseded", "superseded"},
+{5, "Cessation Of Operation", "cessationOfOperation"},
+{6, "Certificate Hold", "certificateHold"},
+{7, "Privilege Withdrawn", "privilegeWithdrawn"},
+{8, "AA Compromise", "aACompromise"},
+{-1, NULL, NULL}
+};
+
+static int i2r_crld(X509V3_EXT_METHOD *method,
+ STACK_OF(DIST_POINT) *crld, BIO *out, int indent);
+static STACK_OF(DIST_POINT) *r2i_crld(X509V3_EXT_METHOD *method,
+ X509V3_CTX *ctx, char *strval);
static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
@@ -72,31 +87,164 @@
NID_crl_distribution_points, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(CRL_DIST_POINTS),
0,0,0,0,
0,0,
-(X509V3_EXT_I2V)i2v_crld,
-(X509V3_EXT_V2I)v2i_crld,
0,0,
-NULL
+(X509V3_EXT_I2R)i2r_crld,
+(X509V3_EXT_R2I)r2i_crld,
+crl_reasons
};
-static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
- STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *exts)
+static DIST_POINT *crld_section(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
STACK_OF(CONF_VALUE) *nval) {
+
+ int i;
+ CONF_VALUE *cnf;
+ char *name, *value;
+ GENERAL_NAMES *gens = NULL;
+ DIST_POINT *point = NULL;
+ ASN1_BIT_STRING *bs = NULL;
+
+ if (!(point = DIST_POINT_new())) goto merr;
+ point->distpoint = NULL;
+
+ for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+ cnf = sk_CONF_VALUE_value(nval, i);
+ STACK_OF(CONF_VALUE) *sk;
+ name = cnf->name;
+ value = cnf->value;
+ sk = X509V3_parse_list(value);
+
+ if (!strcmp (name, "fullname")) {
+ if (!(gens = v2i_GENERAL_NAMES(method, ctx, sk))) goto err;
+
+ if(!(point->distpoint = DIST_POINT_NAME_new())) goto merr;
+ point->distpoint->name.fullname = gens;
+ point->distpoint->type = 0;
+ gens = NULL;
+ }
+ else if (!strcmp (name, "relativename")) {
+ if (*value == '@') {
+ X509_NAME *nm = NULL;
+ STACK_OF(CONF_VALUE) *relsect = NULL;
+ if (!(nm = X509_NAME_new())) goto merr;
+
+ relsect = X509V3_get_section(ctx, value + 1);
+ if (!relsect) {
+ X509V3err(X509V3_F_R2I_CRLD,
X509V3_R_INVALID_SECTION);
+ ERR_add_error_data(2, "section=", value + 1);
+ X509_NAME_free(nm);
+ }
+
+ if (! X509V3_NAME_from_section(nm, relsect,
MBSTRING_ASC)) {
+ X509_NAME_free(nm);
+ nm = NULL;
+ }
+ X509V3_section_free(ctx, relsect);
+ if (!point->distpoint)
+ if(!(point->distpoint =
DIST_POINT_NAME_new())) goto merr;
+ point->distpoint->name.relativename = nm->entries;
+ point->distpoint->type = 1;
+ nm->entries = NULL;
+ X509_NAME_free(nm);
+ }
+ else {
+ X509V3err(X509V3_F_R2I_CRLD, X509V3_R_INVALID_SECTION);
+ ERR_add_error_data(2, "section=", value);
+ goto err;
+ }
+ }
+ else if (!strcmp (name, "CRLissuer")) {
+ if (!(gens = v2i_GENERAL_NAMES(method, ctx, sk))) goto err;
+ point->CRLissuer = gens;
+ gens = NULL;
+ }
+ else if (!strcmp (name, "reasons")) {
+ int j;
+ if (! (bs = M_ASN1_BIT_STRING_new())) {
+ X509V3err(X509V3_F_R2I_CRLD, ERR_R_MALLOC_FAILURE);
+ goto merr;
+ }
+ for (j = 0; j < sk_CONF_VALUE_num(sk); j++) {
+ ENUMERATED_NAMES *enam;
+ CONF_VALUE *val = sk_CONF_VALUE_value(sk, j);
+ for (enam = method->usr_data; enam->lname; enam++) {
+ if (!strcmp(enam->sname, val->name) ||
+ !strcmp(enam->lname, val->name)) {
+ ASN1_BIT_STRING_set_bit(bs,
enam->bitnum, 1);
+ break;
+ }
+ }
+ if (!enam->lname) {
+ X509V3err(X509V3_F_R2I_CRLD,
+
X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT);
+ X509V3_conf_err(val);
+ goto err;
+ }
+ }
+ point->reasons = bs;
+ }
+ else {
+ /* For Backward Compatibility */
+ goto err;
+ }
+ }
+ return point;
+
+ merr:
+ X509V3err(X509V3_F_R2I_CRLD,ERR_R_MALLOC_FAILURE);
+ err:
+ GENERAL_NAMES_free(gens);
+ M_ASN1_BIT_STRING_free(bs);
+ DIST_POINT_free(point);
+ return NULL;
+}
+
+static int i2r_crld(X509V3_EXT_METHOD *method,
+ STACK_OF(DIST_POINT) *crld, BIO *out, int indent)
{
DIST_POINT *point;
int i;
for(i = 0; i < sk_DIST_POINT_num(crld); i++) {
point = sk_DIST_POINT_value(crld, i);
- if(point->distpoint) {
- if(point->distpoint->type == 0)
- exts = i2v_GENERAL_NAMES(NULL,
- point->distpoint->name.fullname, exts);
- else X509V3_add_value("RelativeName","<UNSUPPORTED>", &exts);
- }
- if(point->reasons)
- X509V3_add_value("reasons","<UNSUPPORTED>", &exts);
- if(point->CRLissuer)
- X509V3_add_value("CRLissuer","<UNSUPPORTED>", &exts);
+ if (point) {
+ BIO_printf(out, "%*sDistribution Point:\n", indent, "");
+ if(point->distpoint) {
+ if(point->distpoint->type == 0) {
+ BIO_printf(out, "%*sFull Name:\n", indent + 2,
"");
+ X509V3_EXT_val_prn(out, i2v_GENERAL_NAMES(NULL,
+
point->distpoint->name.fullname, NULL),
+ indent + 4,
method->ext_flags & X509V3_EXT_MULTILINE);
+ }
+ else if (point->distpoint->type == 1) {
+ BIO_printf(out, "%*sRelative Name:\n", indent
+ 2, "");
+ STACK_OF(X509_NAME_ENTRY) *ne =
point->distpoint->name.relativename;
+ X509_NAME *nm = X509_NAME_new();
+ if (nm) {
+ char oline[256];
+ nm->entries = ne;
+ X509_NAME_oneline(nm, oline, 256);
+ BIO_printf(out, "%*s%s\n", indent + 4,
"", oline);
+ nm->entries = NULL;
+ X509_NAME_free(nm);
+ }
+ }
+ }
+ if(point->reasons) {
+ BIO_printf(out, "%*sReasons:\n", indent + 2, "");
+ ENUMERATED_NAMES *enam;
+ ASN1_BIT_STRING *bits = point->reasons;
+
+ for (enam = method->usr_data; enam->lname; enam++) {
+ if (ASN1_BIT_STRING_get_bit(bits,
enam->bitnum))
+ BIO_printf(out, "%*s%s\n", indent + 4,
"", enam->lname);
+ }
+ }
+ if(point->CRLissuer) {
+ BIO_printf(out, "%*sCRL Issuer:\n", indent + 2, "");
+ X509V3_EXT_val_prn(out,
i2v_GENERAL_NAMES(NULL,point->CRLissuer, NULL),
+ indent + 4, method->ext_flags &
X509V3_EXT_MULTILINE);
+ }
+ }
}
- return exts;
+ return 1;
}
static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
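Review bot: In crld_section's `relativename` branch neither failure path leaves the function: when `X509V3_get_section` returns NULL the code reports the error, frees `nm`, and then falls straight into `X509V3_NAME_from_section(nm, ...)` with the freed name, and when that call fails `nm` is set to NULL and `nm->entries` is dereferenced two lines later. Both paths need to bail out — `X509_NAME_free(nm); goto err;` after the missing-section error, and `X509V3_section_free(ctx, relsect); X509_NAME_free(nm); goto err;` when the conversion fails. Two further ownership slips in the same function: `point->reasons = bs;` should be followed by `bs = NULL;`, otherwise a later `goto err` frees the bit string twice (once directly, once inside `DIST_POINT_free(point)`), and the `sk` list returned by `X509V3_parse_list(value)` on every iteration is never released (`sk_CONF_VALUE_pop_free(sk, X509V3_conf_free)` before moving to the next entry). The SNAP-20040227 copy of this hunk has the same three issues.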
@@ -128,7 +276,85 @@
return crld;
merr:
- X509V3err(X509V3_F_V2I_CRLD,ERR_R_MALLOC_FAILURE);
+ X509V3err(X509V3_F_R2I_CRLD,ERR_R_MALLOC_FAILURE);
+ err:
+ GENERAL_NAME_free(gen);
+ GENERAL_NAMES_free(gens);
+ sk_DIST_POINT_pop_free(crld, DIST_POINT_free);
+ return NULL;
+}
+
+static STACK_OF(DIST_POINT) *r2i_crld(X509V3_EXT_METHOD *method,
+ X509V3_CTX *ctx, char *strval)
+{
+ STACK_OF(DIST_POINT) *crld = NULL;
+ GENERAL_NAMES *gens = NULL;
+ GENERAL_NAME *gen = NULL;
+ CONF_VALUE *cnf;
+ int i;
+ char *name;
+ STACK_OF(CONF_VALUE) *nval;
+ nval = X509V3_parse_list(strval);
+ if(!(crld = sk_DIST_POINT_new_null())) goto merr;
+ for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+ cnf = sk_CONF_VALUE_value(nval, i);
+ name = cnf->name;
+ if (*name == '@') {
+ STACK_OF(CONF_VALUE) *crldsect;
+ crldsect = X509V3_get_section(ctx, name + 1);
+ if (!crldsect) {
+
X509V3err(X509V3_F_R2I_CRLD,X509V3_R_INVALID_EXTENSION_STRING);
+ ERR_add_error_data(2, "section=", name);
+ goto err;
+ }
+
+ DIST_POINT *sectpoint = crld_section(method, ctx, crldsect);
+ X509V3_section_free(ctx, crldsect);
+
+ if (!sectpoint) {
+ /* For backward compatibility */
+ STACK_OF(DIST_POINT) *crld_tmp = NULL;
+ crld_tmp = v2i_crld(method, ctx, crldsect);
+
+ if (crld_tmp) {
+ DIST_POINT *dp = NULL;
+
+ while ((dp = sk_DIST_POINT_shift (crld_tmp))) {
+ if (!sk_DIST_POINT_push(crld, dp)) {
+ DIST_POINT_free(dp);
+
sk_DIST_POINT_pop_free(crld_tmp, DIST_POINT_free);
+ goto merr;
+ }
+ }
+ sk_DIST_POINT_pop_free(crld_tmp,
DIST_POINT_free);
+ }
+ }
+ else if(!sk_DIST_POINT_push(crld, sectpoint)) {
+ DIST_POINT_free(sectpoint);
+ goto merr;
+ }
+ }
+ else { /* For backward compatibility */
+ DIST_POINT *point;
+ if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) goto err;
+ if(!(gens = GENERAL_NAMES_new())) goto merr;
+ if(!sk_GENERAL_NAME_push(gens, gen)) goto merr;
+ gen = NULL;
+ if(!(point = DIST_POINT_new())) goto merr;
+ if(!sk_DIST_POINT_push(crld, point)) {
+ DIST_POINT_free(point);
+ goto merr;
+ }
+ if(!(point->distpoint = DIST_POINT_NAME_new())) goto merr;
+ point->distpoint->name.fullname = gens;
+ point->distpoint->type = 0;
+ gens = NULL;
+ }
+ }
+ return crld;
+
+ merr:
+ X509V3err(X509V3_F_R2I_CRLD,ERR_R_MALLOC_FAILURE);
err:
GENERAL_NAME_free(gen);
GENERAL_NAMES_free(gens);
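Review bot: In r2i_crld the section from `X509V3_get_section` is released with `X509V3_section_free(ctx, crldsect)` and then, when `crld_section` returns NULL, handed to `v2i_crld(method, ctx, crldsect)` for the backward-compatible parse; whether that is an actual use-after-free depends on the ctx's db_meth providing a free_section hook, but the order violates the API contract either way and the free should move after the fallback call. A failed fallback (`crld_tmp == NULL`) is also swallowed: the loop just continues, so a malformed section produces an extension with silently missing points while the error queue still holds whatever crld_section pushed; `if (!crld_tmp) goto err;` keeps the failure visible. Finally the `nval` list from `X509V3_parse_list(strval)` is freed on neither the success nor the error path — `sk_CONF_VALUE_pop_free(nval, X509V3_conf_free)` belongs before `return crld` and in the `err:` block, which continues past the end of this hunk. The same three points apply to the SNAP-20040227 hunk for this function.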
@@ -156,7 +382,7 @@
IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT)
ASN1_ITEM_TEMPLATE(CRL_DIST_POINTS) =
- ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, DIST_POINT, DIST_POINT)
+ ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CRLDistributionPoints,
DIST_POINT)
ASN1_ITEM_TEMPLATE_END(CRL_DIST_POINTS)
IMPLEMENT_ASN1_FUNCTIONS(CRL_DIST_POINTS)
diff -ur openssl-0.9.7c/crypto/x509v3/v3err.c
openssl-0.9.7c.modified/crypto/x509v3/v3err.c
--- openssl-0.9.7c/crypto/x509v3/v3err.c 2001-05-09 20:13:48.000000000 -0400
+++ openssl-0.9.7c.modified/crypto/x509v3/v3err.c 2004-04-05 15:55:24.000000000
-0400
@@ -93,7 +93,7 @@
{ERR_PACK(0,X509V3_F_V2I_ASN1_BIT_STRING,0), "V2I_ASN1_BIT_STRING"},
{ERR_PACK(0,X509V3_F_V2I_AUTHORITY_KEYID,0), "V2I_AUTHORITY_KEYID"},
{ERR_PACK(0,X509V3_F_V2I_BASIC_CONSTRAINTS,0), "V2I_BASIC_CONSTRAINTS"},
-{ERR_PACK(0,X509V3_F_V2I_CRLD,0), "V2I_CRLD"},
+{ERR_PACK(0,X509V3_F_R2I_CRLD,0), "R2I_CRLD"},
{ERR_PACK(0,X509V3_F_V2I_EXT_KU,0), "V2I_EXT_KU"},
{ERR_PACK(0,X509V3_F_V2I_GENERAL_NAME,0), "v2i_GENERAL_NAME"},
{ERR_PACK(0,X509V3_F_V2I_GENERAL_NAMES,0), "v2i_GENERAL_NAMES"},
diff -ur openssl-0.9.7c/crypto/x509v3/v3_utl.c
openssl-0.9.7c.modified/crypto/x509v3/v3_utl.c
--- openssl-0.9.7c/crypto/x509v3/v3_utl.c 2002-11-13 19:45:04.000000000 -0500
+++ openssl-0.9.7c.modified/crypto/x509v3/v3_utl.c 2004-04-05 15:55:24.000000000
-0400
@@ -533,3 +533,50 @@
{
sk_pop_free(sk, str_free);
}
+
+/* From the openssl-SNAP-20040227 snapshot of openssl 0.9.8 */
+int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
+ unsigned long chtype)
+ {
+ CONF_VALUE *v;
+ int i, mval;
+ char *p, *type;
+ if (!nm)
+ return 0;
+
+ for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++)
+ {
+ v=sk_CONF_VALUE_value(dn_sk,i);
+ type=v->name;
+ /* Skip past any leading X. X: X, etc to allow for
+ * multiple instances
+ */
+ for(p = type; *p ; p++)
+#ifndef CHARSET_EBCDIC
+ if ((*p == ':') || (*p == ',') || (*p == '.'))
+#else
+ if ((*p == os_toascii[':']) || (*p == os_toascii[',']) || (*p
== os_toascii['.']))
+#endif
+ {
+ p++;
+ if(*p) type = p;
+ break;
+ }
+#ifndef CHARSET_EBCDIC
+ if (*p == '+')
+#else
+ if (*p == os_toascii['+'])
+#endif
+ {
+ mval = -1;
+ p++;
+ }
+ else
+ mval = 0;
+ if (!X509_NAME_add_entry_by_txt(nm,type, chtype,
+ (unsigned char *) v->value,-1,-1,mval))
+ return 0;
+
+ }
+ return 1;
+ }
diff -ur openssl-0.9.7c/crypto/x509v3/x509v3.h
openssl-0.9.7c.modified/crypto/x509v3/x509v3.h
--- openssl-0.9.7c/crypto/x509v3/x509v3.h 2003-01-29 10:06:38.000000000 -0500
+++ openssl-0.9.7c.modified/crypto/x509v3/x509v3.h 2004-04-05 15:55:24.000000000
-0400
@@ -547,6 +547,9 @@
STACK *X509_get1_email(X509 *x);
STACK *X509_REQ_get1_email(X509_REQ *x);
void X509_email_free(STACK *sk);
+/* From the openssl-SNAP-20040227 snapshot of openssl 0.9.8 */
+int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
+ unsigned long chtype);
/* BEGIN ERROR CODES */
@@ -585,7 +588,7 @@
#define X509V3_F_V2I_ASN1_BIT_STRING 101
#define X509V3_F_V2I_AUTHORITY_KEYID 119
#define X509V3_F_V2I_BASIC_CONSTRAINTS 102
-#define X509V3_F_V2I_CRLD 134
+#define X509V3_F_R2I_CRLD 134
#define X509V3_F_V2I_EXT_KU 103
#define X509V3_F_V2I_GENERAL_NAME 117
#define X509V3_F_V2I_GENERAL_NAMES 118
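Review bot: Renaming the public macro `X509V3_F_V2I_CRLD` to `X509V3_F_R2I_CRLD` (same value 134) drops a symbol from the installed header, so external code that references it stops compiling, and v2i_crld — which this patch keeps — now reports its failures under a function name that is not its own. Keeping `#define X509V3_F_V2I_CRLD 134` and giving R2I_CRLD a new, currently unused function code, with a matching `{ERR_PACK(0,X509V3_F_R2I_CRLD,0), "R2I_CRLD"}` row added rather than substituted in v3err.c, preserves source compatibility and keeps the error-string table accurate. The same rename appears in the include/openssl copy of this header, in the SNAP-20040227 header, and in both v3err.c hunks.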
diff -ur openssl-0.9.7c/include/openssl/x509v3.h
openssl-0.9.7c.modified/include/openssl/x509v3.h
--- openssl-0.9.7c/include/openssl/x509v3.h 2003-01-29 10:06:38.000000000 -0500
+++ openssl-0.9.7c.modified/include/openssl/x509v3.h 2004-04-05 15:55:24.000000000
-0400
@@ -547,6 +547,9 @@
STACK *X509_get1_email(X509 *x);
STACK *X509_REQ_get1_email(X509_REQ *x);
void X509_email_free(STACK *sk);
+/* From the openssl-SNAP-20040227 snapshot of openssl 0.9.8 */
+int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
+ unsigned long chtype);
/* BEGIN ERROR CODES */
@@ -585,7 +588,7 @@
#define X509V3_F_V2I_ASN1_BIT_STRING 101
#define X509V3_F_V2I_AUTHORITY_KEYID 119
#define X509V3_F_V2I_BASIC_CONSTRAINTS 102
-#define X509V3_F_V2I_CRLD 134
+#define X509V3_F_R2I_CRLD 134
#define X509V3_F_V2I_EXT_KU 103
#define X509V3_F_V2I_GENERAL_NAME 117
#define X509V3_F_V2I_GENERAL_NAMES 118
diff -ur openssl-SNAP-20040227/crypto/x509v3/v3_crld.c
openssl-SNAP-20040227.modified/crypto/x509v3/v3_crld.c
--- openssl-SNAP-20040227/crypto/x509v3/v3_crld.c 2003-11-20 18:00:13.000000000
-0500
+++ openssl-SNAP-20040227.modified/crypto/x509v3/v3_crld.c 2004-03-02
17:58:06.000000000 -0500
@@ -63,8 +63,23 @@
#include <openssl/asn1t.h>
#include <openssl/x509v3.h>
-static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
- STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *extlist);
+static ENUMERATED_NAMES crl_reasons[] = {
+{0, "Unused", "unused"},
+{1, "Key Compromise", "keyCompromise"},
+{2, "CA Compromise", "cACompromise"},
+{3, "Affiliation Changed", "affiliationChanged"},
+{4, "Superseded", "superseded"},
+{5, "Cessation Of Operation", "cessationOfOperation"},
+{6, "Certificate Hold", "certificateHold"},
+{7, "Privilege Withdrawn", "privilegeWithdrawn"},
+{8, "AA Compromise", "aACompromise"},
+{-1, NULL, NULL}
+};
+
+static int i2r_crld(X509V3_EXT_METHOD *method,
+ STACK_OF(DIST_POINT) *crld, BIO *out, int indent);
+static STACK_OF(DIST_POINT) *r2i_crld(X509V3_EXT_METHOD *method,
+ X509V3_CTX *ctx, char *strval);
static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
@@ -72,31 +87,164 @@
NID_crl_distribution_points, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(CRL_DIST_POINTS),
0,0,0,0,
0,0,
-(X509V3_EXT_I2V)i2v_crld,
-(X509V3_EXT_V2I)v2i_crld,
0,0,
-NULL
+(X509V3_EXT_I2R)i2r_crld,
+(X509V3_EXT_R2I)r2i_crld,
+crl_reasons
};
-static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
- STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *exts)
+static DIST_POINT *crld_section(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
STACK_OF(CONF_VALUE) *nval) {
+
+ int i;
+ CONF_VALUE *cnf;
+ char *name, *value;
+ GENERAL_NAMES *gens = NULL;
+ DIST_POINT *point = NULL;
+ ASN1_BIT_STRING *bs = NULL;
+
+ if (!(point = DIST_POINT_new())) goto merr;
+ point->distpoint = NULL;
+
+ for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+ cnf = sk_CONF_VALUE_value(nval, i);
+ STACK_OF(CONF_VALUE) *sk;
+ name = cnf->name;
+ value = cnf->value;
+ sk = X509V3_parse_list(value);
+
+ if (!strcmp (name, "fullname")) {
+ if (!(gens = v2i_GENERAL_NAMES(method, ctx, sk))) goto err;
+
+ if(!(point->distpoint = DIST_POINT_NAME_new())) goto merr;
+ point->distpoint->name.fullname = gens;
+ point->distpoint->type = 0;
+ gens = NULL;
+ }
+ else if (!strcmp (name, "relativename")) {
+ if (*value == '@') {
+ X509_NAME *nm = NULL;
+ STACK_OF(CONF_VALUE) *relsect = NULL;
+ if (!(nm = X509_NAME_new())) goto merr;
+
+ relsect = X509V3_get_section(ctx, value + 1);
+ if (!relsect) {
+ X509V3err(X509V3_F_R2I_CRLD,
X509V3_R_INVALID_SECTION);
+ ERR_add_error_data(2, "section=", value + 1);
+ X509_NAME_free(nm);
+ }
+
+ if (! X509V3_NAME_from_section(nm, relsect,
MBSTRING_ASC)) {
+ X509_NAME_free(nm);
+ nm = NULL;
+ }
+ X509V3_section_free(ctx, relsect);
+ if (!point->distpoint)
+ if(!(point->distpoint =
DIST_POINT_NAME_new())) goto merr;
+ point->distpoint->name.relativename = nm->entries;
+ point->distpoint->type = 1;
+ nm->entries = NULL;
+ X509_NAME_free(nm);
+ }
+ else {
+ X509V3err(X509V3_F_R2I_CRLD, X509V3_R_INVALID_SECTION);
+ ERR_add_error_data(2, "section=", value);
+ goto err;
+ }
+ }
+ else if (!strcmp (name, "CRLissuer")) {
+ if (!(gens = v2i_GENERAL_NAMES(method, ctx, sk))) goto err;
+ point->CRLissuer = gens;
+ gens = NULL;
+ }
+ else if (!strcmp (name, "reasons")) {
+ int j;
+ if (! (bs = M_ASN1_BIT_STRING_new())) {
+ X509V3err(X509V3_F_R2I_CRLD, ERR_R_MALLOC_FAILURE);
+ goto merr;
+ }
+ for (j = 0; j < sk_CONF_VALUE_num(sk); j++) {
+ ENUMERATED_NAMES *enam;
+ CONF_VALUE *val = sk_CONF_VALUE_value(sk, j);
+ for (enam = method->usr_data; enam->lname; enam++) {
+ if (!strcmp(enam->sname, val->name) ||
+ !strcmp(enam->lname, val->name)) {
+ ASN1_BIT_STRING_set_bit(bs,
enam->bitnum, 1);
+ break;
+ }
+ }
+ if (!enam->lname) {
+ X509V3err(X509V3_F_R2I_CRLD,
+
X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT);
+ X509V3_conf_err(val);
+ goto err;
+ }
+ }
+ point->reasons = bs;
+ }
+ else {
+ /* For Backward Compatibility */
+ goto err;
+ }
+ }
+ return point;
+
+ merr:
+ X509V3err(X509V3_F_R2I_CRLD,ERR_R_MALLOC_FAILURE);
+ err:
+ GENERAL_NAMES_free(gens);
+ M_ASN1_BIT_STRING_free(bs);
+ DIST_POINT_free(point);
+ return NULL;
+}
+
+static int i2r_crld(X509V3_EXT_METHOD *method,
+ STACK_OF(DIST_POINT) *crld, BIO *out, int indent)
{
DIST_POINT *point;
int i;
for(i = 0; i < sk_DIST_POINT_num(crld); i++) {
point = sk_DIST_POINT_value(crld, i);
- if(point->distpoint) {
- if(point->distpoint->type == 0)
- exts = i2v_GENERAL_NAMES(NULL,
- point->distpoint->name.fullname, exts);
- else X509V3_add_value("RelativeName","<UNSUPPORTED>", &exts);
- }
- if(point->reasons)
- X509V3_add_value("reasons","<UNSUPPORTED>", &exts);
- if(point->CRLissuer)
- X509V3_add_value("CRLissuer","<UNSUPPORTED>", &exts);
+ if (point) {
+ BIO_printf(out, "%*sDistribution Point:\n", indent, "");
+ if(point->distpoint) {
+ if(point->distpoint->type == 0) {
+ BIO_printf(out, "%*sFull Name:\n", indent + 2,
"");
+ X509V3_EXT_val_prn(out, i2v_GENERAL_NAMES(NULL,
+
point->distpoint->name.fullname, NULL),
+ indent + 4,
method->ext_flags & X509V3_EXT_MULTILINE);
+ }
+ else if (point->distpoint->type == 1) {
+ BIO_printf(out, "%*sRelative Name:\n", indent
+ 2, "");
+ STACK_OF(X509_NAME_ENTRY) *ne =
point->distpoint->name.relativename;
+ X509_NAME *nm = X509_NAME_new();
+ if (nm) {
+ char oline[256];
+ nm->entries = ne;
+ X509_NAME_oneline(nm, oline, 256);
+ BIO_printf(out, "%*s%s\n", indent + 4,
"", oline);
+ nm->entries = NULL;
+ X509_NAME_free(nm);
+ }
+ }
+ }
+ if(point->reasons) {
+ BIO_printf(out, "%*sReasons:\n", indent + 2, "");
+ ENUMERATED_NAMES *enam;
+ ASN1_BIT_STRING *bits = point->reasons;
+
+ for (enam = method->usr_data; enam->lname; enam++) {
+ if (ASN1_BIT_STRING_get_bit(bits,
enam->bitnum))
+ BIO_printf(out, "%*s%s\n", indent + 4,
"", enam->lname);
+ }
+ }
+ if(point->CRLissuer) {
+ BIO_printf(out, "%*sCRL Issuer:\n", indent + 2, "");
+ X509V3_EXT_val_prn(out,
i2v_GENERAL_NAMES(NULL,point->CRLissuer, NULL),
+ indent + 4, method->ext_flags &
X509V3_EXT_MULTILINE);
+ }
+ }
}
- return exts;
+ return 1;
}
static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
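Review bot: In i2r_crld the `STACK_OF(CONF_VALUE)` built by `i2v_GENERAL_NAMES(NULL, ..., NULL)` for the Full Name and CRL Issuer blocks is passed straight to `X509V3_EXT_val_prn` and never released, so every print of the extension leaks one list per distribution point; capture it in a local and call `sk_CONF_VALUE_pop_free(tmp, X509V3_conf_free)` after printing. The relative-name branch borrows `point->distpoint->name.relativename` as `nm->entries` so it can call `X509_NAME_oneline`, and correctly resets `nm->entries = NULL` before `X509_NAME_free(nm)`; a one-line comment such as `/* nm borrows the entries; they stay owned by point->distpoint */` would keep the next reader from "fixing" that reset away. The identical i2r_crld hunk in the 0.9.7c copy of v3_crld.c has the same leak.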
@@ -128,7 +276,85 @@
return crld;
merr:
- X509V3err(X509V3_F_V2I_CRLD,ERR_R_MALLOC_FAILURE);
+ X509V3err(X509V3_F_R2I_CRLD,ERR_R_MALLOC_FAILURE);
+ err:
+ GENERAL_NAME_free(gen);
+ GENERAL_NAMES_free(gens);
+ sk_DIST_POINT_pop_free(crld, DIST_POINT_free);
+ return NULL;
+}
+
+static STACK_OF(DIST_POINT) *r2i_crld(X509V3_EXT_METHOD *method,
+ X509V3_CTX *ctx, char *strval)
+{
+ STACK_OF(DIST_POINT) *crld = NULL;
+ GENERAL_NAMES *gens = NULL;
+ GENERAL_NAME *gen = NULL;
+ CONF_VALUE *cnf;
+ int i;
+ char *name;
+ STACK_OF(CONF_VALUE) *nval;
+ nval = X509V3_parse_list(strval);
+ if(!(crld = sk_DIST_POINT_new_null())) goto merr;
+ for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+ cnf = sk_CONF_VALUE_value(nval, i);
+ name = cnf->name;
+ if (*name == '@') {
+ STACK_OF(CONF_VALUE) *crldsect;
+ crldsect = X509V3_get_section(ctx, name + 1);
+ if (!crldsect) {
+
X509V3err(X509V3_F_R2I_CRLD,X509V3_R_INVALID_EXTENSION_STRING);
+ ERR_add_error_data(2, "section=", name);
+ goto err;
+ }
+
+ DIST_POINT *sectpoint = crld_section(method, ctx, crldsect);
+ X509V3_section_free(ctx, crldsect);
+
+ if (!sectpoint) {
+ /* For backward compatibility */
+ STACK_OF(DIST_POINT) *crld_tmp = NULL;
+ crld_tmp = v2i_crld(method, ctx, crldsect);
+
+ if (crld_tmp) {
+ DIST_POINT *dp = NULL;
+
+ while ((dp = sk_DIST_POINT_shift (crld_tmp))) {
+ if (!sk_DIST_POINT_push(crld, dp)) {
+ DIST_POINT_free(dp);
+
sk_DIST_POINT_pop_free(crld_tmp, DIST_POINT_free);
+ goto merr;
+ }
+ }
+ sk_DIST_POINT_pop_free(crld_tmp,
DIST_POINT_free);
+ }
+ }
+ else if(!sk_DIST_POINT_push(crld, sectpoint)) {
+ DIST_POINT_free(sectpoint);
+ goto merr;
+ }
+ }
+ else { /* For backward compatibility */
+ DIST_POINT *point;
+ if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) goto err;
+ if(!(gens = GENERAL_NAMES_new())) goto merr;
+ if(!sk_GENERAL_NAME_push(gens, gen)) goto merr;
+ gen = NULL;
+ if(!(point = DIST_POINT_new())) goto merr;
+ if(!sk_DIST_POINT_push(crld, point)) {
+ DIST_POINT_free(point);
+ goto merr;
+ }
+ if(!(point->distpoint = DIST_POINT_NAME_new())) goto merr;
+ point->distpoint->name.fullname = gens;
+ point->distpoint->type = 0;
+ gens = NULL;
+ }
+ }
+ return crld;
+
+ merr:
+ X509V3err(X509V3_F_R2I_CRLD,ERR_R_MALLOC_FAILURE);
err:
GENERAL_NAME_free(gen);
GENERAL_NAMES_free(gens);
diff -ur openssl-SNAP-20040227/crypto/x509v3/v3err.c
openssl-SNAP-20040227.modified/crypto/x509v3/v3err.c
--- openssl-SNAP-20040227/crypto/x509v3/v3err.c 2003-03-24 14:15:29.000000000 -0500
+++ openssl-SNAP-20040227.modified/crypto/x509v3/v3err.c 2004-03-02
14:52:53.000000000 -0500
@@ -95,7 +95,7 @@
{ERR_PACK(0,X509V3_F_V2I_ASN1_BIT_STRING,0), "V2I_ASN1_BIT_STRING"},
{ERR_PACK(0,X509V3_F_V2I_AUTHORITY_KEYID,0), "V2I_AUTHORITY_KEYID"},
{ERR_PACK(0,X509V3_F_V2I_BASIC_CONSTRAINTS,0), "V2I_BASIC_CONSTRAINTS"},
-{ERR_PACK(0,X509V3_F_V2I_CRLD,0), "V2I_CRLD"},
+{ERR_PACK(0,X509V3_F_R2I_CRLD,0), "R2I_CRLD"},
{ERR_PACK(0,X509V3_F_V2I_EXT_KU,0), "V2I_EXT_KU"},
{ERR_PACK(0,X509V3_F_V2I_GENERAL_NAME,0), "v2i_GENERAL_NAME"},
{ERR_PACK(0,X509V3_F_V2I_GENERAL_NAMES,0), "v2i_GENERAL_NAMES"},
diff -ur openssl-SNAP-20040227/crypto/x509v3/x509v3.h
openssl-SNAP-20040227.modified/crypto/x509v3/x509v3.h
--- openssl-SNAP-20040227/crypto/x509v3/x509v3.h 2003-03-24 14:15:29.000000000
-0500
+++ openssl-SNAP-20040227.modified/crypto/x509v3/x509v3.h 2004-03-02
14:52:58.000000000 -0500
@@ -633,7 +633,7 @@
#define X509V3_F_V2I_ASN1_BIT_STRING 101
#define X509V3_F_V2I_AUTHORITY_KEYID 119
#define X509V3_F_V2I_BASIC_CONSTRAINTS 102
-#define X509V3_F_V2I_CRLD 134
+#define X509V3_F_R2I_CRLD 134
#define X509V3_F_V2I_EXT_KU 103
#define X509V3_F_V2I_GENERAL_NAME 117
#define X509V3_F_V2I_GENERAL_NAMES 118