I will re-issue a patch for 0.9.7d with the necessary corrections.
Thank you,
Abhijit Hayatnagarkar
Sparta, Inc.
On Mon, 12 Apr 2004, Chris Brook wrote:
> I incorporated these patches in 0.9.7d STABLE and compiled using the Solaris
> native compiler instead of gcc. There were several errors because variable
> definitions were placed after allocation statements, e.g.
> + for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
> + cnf = sk_CONF_VALUE_value(nval, i);
> + STACK_OF(CONF_VALUE) *sk;
> I can list the corrections (about 12) or, more appropriately, the author can
> re-issue the patch with the necessary corrections so that it follows
> standard C rules rather than C++.
> Chris Brook
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Stephen Henson via RT
> Sent: Thursday, April 08, 2004 4:02 AM
> Cc: [EMAIL PROTECTED]
> Subject: [openssl.org #869] [FWD] [PATCH] OpenSSL patch for CRL
> Distribution Points for the X.509 Certificate Profile
>
>
>
> ----- Forwarded message from Abhijit Hayatnagarkar
> <[EMAIL PROTECTED]> -----
>
> Delivered-To: [EMAIL PROTECTED]
> Date: Mon, 5 Apr 2004 16:38:13 -0400 (EDT)
> From: Abhijit Hayatnagarkar <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: [PATCH] OpenSSL patch for CRL Distribution Points for the X.509
> Certificate Profile
> Precedence: bulk
> Reply-To: [EMAIL PROTECTED]
>
> Description of the patch:
>
> This patch provides the extended syntax for CRL Distribution Points as
> specified in RFC 3280 Section 4.2.1.14. It also tries to maintain
> backward compatibility with the existing syntax.
>
> Without this crld patch, the syntax for the X509 extension field "CRL
> Distribution Points" recognized by openssl is either:
>
> crlDistributionPoints=URI:http://uri.crl.com/crl1,URI:http://uri.crl.com/crl
> 2
>
> or
>
> [EMAIL PROTECTED]
>
> [crlsection]
> URI.1=http://uri.crl.com/crl1
> URI.2=http://uri.crl.com/crl2
>
> Thus, you can only specify the 'fullname' field of a single distribution
> point.
>
> With this crld patch, openssl will support a richer syntax for the "CRL
> Distribution Points" extension field. Apart from 'fullname', you will be
> able to specify the 'relativename', 'reasons' and 'CRLissuer' fields.
>
> This patch is backward compatible, so you will still be able to use the
> old syntax.
>
> The 'reasons' field is a bitmap of ReasonFlags. The ReasonFlags are:
> unused (0), keyCompromise (1), cACompromise (2), affiliationChanged (3),
> superseded (4), cessationOfOperation (5), certificateHold (6),
> privilegeWithdrawn (7) and aAcompromise (8).
>
> Users can now specify CRL Distribution Points with a syntax as detailed as
> the following:
>
> [EMAIL PROTECTED],@distpoint2
>
> [distpoint1]
> fullname=URI:http://uri.crl.com/crl1,URI:http://uri.crl.com/crl2
> reasons=keyCompromise,cACompromise
>
> [distpoint2]
> [EMAIL PROTECTED]
> reasons=cessationOfOperation,privilegeWithdrawn
> CRLissuer=email:[EMAIL PROTECTED]
>
> [relnamesect]
> C = US
> O = Org, Inc.
> 0.OU = Org Unit 1
> 1.OU = Sub Org Unit 2
> CN = relative common name
>
> Thanks,
> Abhijit Hayatnagarkar
> Sparta, Inc.
>
> A copy of the TSU Notification sent to [EMAIL PROTECTED] is attached
> below. This notification also included the patches attached to this
> email.
>
> ---------- Forwarded message ----------
> Date: Mon, 5 Apr 2004 16:21:57 -0400 (EDT)
> From: Abhijit Hayatnagarkar <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: TSU Notification
>
> SUBMISSION TYPE : TSU
> SUBMITTED BY : Abhijit Hayatnagarkar
> SUBMITTED FOR : Sparta, Inc.
> POINT OF CONTACT: Abhijit Hayatnagarkar
> PHONE and/or FAX: (410) 872-1515 Ext. 236
> MANUFACTURER :
> PRODUCT NAME/MODEL #: Patches for OpenSSL version 0.9.7c and SNAP-20040227
> ECCN: 5D002
> NOTIFICATION: Source code for the patch attached.
>
> Short Description:
> This patch provides the extended syntax for CRL Distribution
> Points in the X.509 Certificate Profile as specified in RFC 3280 (See:
> http://www.ietf.org/rfc/rfc3280.txt).
>
> Content-Description: A patch to openssl 0.9.7c for the extended syntax for
> CRL Distribution Points
> diff -ur openssl-0.9.7c/crypto/x509v3/v3_crld.c
> openssl-0.9.7c.modified/crypto/x509v3/v3_crld.c
> --- openssl-0.9.7c/crypto/x509v3/v3_crld.c 2001-02-23
> 07:47:05.000000000 -0500
> +++ openssl-0.9.7c.modified/crypto/x509v3/v3_crld.c 2004-04-05
> 15:55:24.000000000 -0400
> @@ -63,8 +63,23 @@
> #include <openssl/asn1t.h>
> #include <openssl/x509v3.h>
>
> -static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
> - STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *extlist);
> +static ENUMERATED_NAMES crl_reasons[] = {
> +{0, "Unused", "unused"},
> +{1, "Key Compromise", "keyCompromise"},
> +{2, "CA Compromise", "cACompromise"},
> +{3, "Affiliation Changed", "affiliationChanged"},
> +{4, "Superseded", "superseded"},
> +{5, "Cessation Of Operation", "cessationOfOperation"},
> +{6, "Certificate Hold", "certificateHold"},
> +{7, "Privilege Withdrawn", "privilegeWithdrawn"},
> +{8, "AA Compromise", "aACompromise"},
> +{-1, NULL, NULL}
> +};
> +
> +static int i2r_crld(X509V3_EXT_METHOD *method,
> + STACK_OF(DIST_POINT) *crld, BIO *out, int indent);
> +static STACK_OF(DIST_POINT) *r2i_crld(X509V3_EXT_METHOD *method,
> + X509V3_CTX *ctx, char *strval);
> static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
> X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
>
> @@ -72,31 +87,164 @@
> NID_crl_distribution_points, X509V3_EXT_MULTILINE,
> ASN1_ITEM_ref(CRL_DIST_POINTS),
> 0,0,0,0,
> 0,0,
> -(X509V3_EXT_I2V)i2v_crld,
> -(X509V3_EXT_V2I)v2i_crld,
> 0,0,
> -NULL
> +(X509V3_EXT_I2R)i2r_crld,
> +(X509V3_EXT_R2I)r2i_crld,
> +crl_reasons
> };
>
> -static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
> - STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *exts)
> +static DIST_POINT *crld_section(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
> STACK_OF(CONF_VALUE) *nval) {
> +
> + int i;
> + CONF_VALUE *cnf;
> + char *name, *value;
> + GENERAL_NAMES *gens = NULL;
> + DIST_POINT *point = NULL;
> + ASN1_BIT_STRING *bs = NULL;
> +
> + if (!(point = DIST_POINT_new())) goto merr;
> + point->distpoint = NULL;
> +
> + for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
> + cnf = sk_CONF_VALUE_value(nval, i);
> + STACK_OF(CONF_VALUE) *sk;
> + name = cnf->name;
> + value = cnf->value;
> + sk = X509V3_parse_list(value);
> +
> + if (!strcmp (name, "fullname")) {
> + if (!(gens = v2i_GENERAL_NAMES(method, ctx, sk))) goto err;
> +
> + if(!(point->distpoint = DIST_POINT_NAME_new())) goto merr;
> + point->distpoint->name.fullname = gens;
> + point->distpoint->type = 0;
> + gens = NULL;
> + }
> + else if (!strcmp (name, "relativename")) {
> + if (*value == '@') {
> + X509_NAME *nm = NULL;
> + STACK_OF(CONF_VALUE) *relsect = NULL;
> + if (!(nm = X509_NAME_new())) goto merr;
> +
> + relsect = X509V3_get_section(ctx, value + 1);
> + if (!relsect) {
> + X509V3err(X509V3_F_R2I_CRLD,
> X509V3_R_INVALID_SECTION);
> + ERR_add_error_data(2, "section=", value + 1);
> + X509_NAME_free(nm);
> + }
> +
> + if (! X509V3_NAME_from_section(nm, relsect,
> MBSTRING_ASC)) {
> + X509_NAME_free(nm);
> + nm = NULL;
> + }
> + X509V3_section_free(ctx, relsect);
> + if (!point->distpoint)
> + if(!(point->distpoint =
> DIST_POINT_NAME_new())) goto merr;
> + point->distpoint->name.relativename = nm->entries;
> + point->distpoint->type = 1;
> + nm->entries = NULL;
> + X509_NAME_free(nm);
> + }
> + else {
> + X509V3err(X509V3_F_R2I_CRLD, X509V3_R_INVALID_SECTION);
> + ERR_add_error_data(2, "section=", value);
> + goto err;
> + }
> + }
> + else if (!strcmp (name, "CRLissuer")) {
> + if (!(gens = v2i_GENERAL_NAMES(method, ctx, sk))) goto err;
> + point->CRLissuer = gens;
> + gens = NULL;
> + }
> + else if (!strcmp (name, "reasons")) {
> + int j;
> + if (! (bs = M_ASN1_BIT_STRING_new())) {
> + X509V3err(X509V3_F_R2I_CRLD, ERR_R_MALLOC_FAILURE);
> + goto merr;
> + }
> + for (j = 0; j < sk_CONF_VALUE_num(sk); j++) {
> + ENUMERATED_NAMES *enam;
> + CONF_VALUE *val = sk_CONF_VALUE_value(sk, j);
> + for (enam = method->usr_data; enam->lname; enam++) {
> + if (!strcmp(enam->sname, val->name) ||
> + !strcmp(enam->lname, val->name)) {
> + ASN1_BIT_STRING_set_bit(bs,
> enam->bitnum, 1);
> + break;
> + }
> + }
> + if (!enam->lname) {
> + X509V3err(X509V3_F_R2I_CRLD,
> +
> X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT);
> + X509V3_conf_err(val);
> + goto err;
> + }
> + }
> + point->reasons = bs;
> + }
> + else {
> + /* For Backward Compatibility */
> + goto err;
> + }
> + }
> + return point;
> +
> + merr:
> + X509V3err(X509V3_F_R2I_CRLD,ERR_R_MALLOC_FAILURE);
> + err:
> + GENERAL_NAMES_free(gens);
> + M_ASN1_BIT_STRING_free(bs);
> + DIST_POINT_free(point);
> + return NULL;
> +}
> +
> +static int i2r_crld(X509V3_EXT_METHOD *method,
> + STACK_OF(DIST_POINT) *crld, BIO *out, int indent)
> {
> DIST_POINT *point;
> int i;
> for(i = 0; i < sk_DIST_POINT_num(crld); i++) {
> point = sk_DIST_POINT_value(crld, i);
> - if(point->distpoint) {
> - if(point->distpoint->type == 0)
> - exts = i2v_GENERAL_NAMES(NULL,
> - point->distpoint->name.fullname, exts);
> - else X509V3_add_value("RelativeName","<UNSUPPORTED>", &exts);
> - }
> - if(point->reasons)
> - X509V3_add_value("reasons","<UNSUPPORTED>", &exts);
> - if(point->CRLissuer)
> - X509V3_add_value("CRLissuer","<UNSUPPORTED>", &exts);
> + if (point) {
> + BIO_printf(out, "%*sDistribution Point:\n", indent, "");
> + if(point->distpoint) {
> + if(point->distpoint->type == 0) {
> + BIO_printf(out, "%*sFull Name:\n", indent + 2,
> "");
> + X509V3_EXT_val_prn(out, i2v_GENERAL_NAMES(NULL,
> +
> point->distpoint->name.fullname, NULL),
> + indent + 4,
> method->ext_flags & X509V3_EXT_MULTILINE);
> + }
> + else if (point->distpoint->type == 1) {
> + BIO_printf(out, "%*sRelative Name:\n", indent
> + 2, "");
> + STACK_OF(X509_NAME_ENTRY) *ne =
> point->distpoint->name.relativename;
> + X509_NAME *nm = X509_NAME_new();
> + if (nm) {
> + char oline[256];
> + nm->entries = ne;
> + X509_NAME_oneline(nm, oline, 256);
> + BIO_printf(out, "%*s%s\n", indent + 4,
> "", oline);
> + nm->entries = NULL;
> + X509_NAME_free(nm);
> + }
> + }
> + }
> + if(point->reasons) {
> + BIO_printf(out, "%*sReasons:\n", indent + 2, "");
> + ENUMERATED_NAMES *enam;
> + ASN1_BIT_STRING *bits = point->reasons;
> +
> + for (enam = method->usr_data; enam->lname; enam++) {
> + if (ASN1_BIT_STRING_get_bit(bits,
> enam->bitnum))
> + BIO_printf(out, "%*s%s\n", indent + 4,
> "", enam->lname);
> + }
> + }
> + if(point->CRLissuer) {
> + BIO_printf(out, "%*sCRL Issuer:\n", indent + 2, "");
> + X509V3_EXT_val_prn(out,
> i2v_GENERAL_NAMES(NULL,point->CRLissuer, NULL),
> + indent + 4, method->ext_flags &
> X509V3_EXT_MULTILINE);
> + }
> + }
> }
> - return exts;
> + return 1;
> }
>
> static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
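Review bot: in crld_section()'s `relativename` branch the `if (!relsect)` block reports the error and frees `nm` but never leaves the function, so execution continues into `X509V3_NAME_from_section(nm, relsect, MBSTRING_ASC)` with a freed `nm` and a NULL section; likewise when `X509V3_NAME_from_section()` fails `nm` is set to NULL and then dereferenced at `point->distpoint->name.relativename = nm->entries`. Both paths need a `goto err`. Second, `point->reasons = bs;` is not followed by `bs = NULL;`, so a later `goto err` in the same section (an unknown key, for instance) frees the bit string twice, once via `M_ASN1_BIT_STRING_free(bs)` and again inside `DIST_POINT_free(point)`; clear `bs` after handing it over, as is already done for `gens`. Third, the `sk` returned by `X509V3_parse_list(value)` on every iteration is never released; free it with `sk_CONF_VALUE_pop_free(sk, X509V3_conf_free)` at the end of each iteration and on the error paths. The extra `X509V3err(..., ERR_R_MALLOC_FAILURE)` before `goto merr` in the `reasons` branch reports the same error twice. In i2r_crld(), the `STACK_OF(CONF_VALUE)` returned by `i2v_GENERAL_NAMES(NULL, ..., NULL)` and passed straight to `X509V3_EXT_val_prn()` is leaked on both the Full Name and CRL Issuer paths; hold it in a local and `sk_CONF_VALUE_pop_free()` it after printing. Finally, the declarations after statements (`STACK_OF(CONF_VALUE) *sk;` after `cnf = ...`, `STACK_OF(X509_NAME_ENTRY) *ne` and `ENUMERATED_NAMES *enam` after a `BIO_printf`) are the C99-isms Chris reported; move them to the top of their blocks.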
> @@ -128,7 +276,85 @@
> return crld;
>
> merr:
> - X509V3err(X509V3_F_V2I_CRLD,ERR_R_MALLOC_FAILURE);
> + X509V3err(X509V3_F_R2I_CRLD,ERR_R_MALLOC_FAILURE);
> + err:
> + GENERAL_NAME_free(gen);
> + GENERAL_NAMES_free(gens);
> + sk_DIST_POINT_pop_free(crld, DIST_POINT_free);
> + return NULL;
> +}
> +
> +static STACK_OF(DIST_POINT) *r2i_crld(X509V3_EXT_METHOD *method,
> + X509V3_CTX *ctx, char *strval)
> +{
> + STACK_OF(DIST_POINT) *crld = NULL;
> + GENERAL_NAMES *gens = NULL;
> + GENERAL_NAME *gen = NULL;
> + CONF_VALUE *cnf;
> + int i;
> + char *name;
> + STACK_OF(CONF_VALUE) *nval;
> + nval = X509V3_parse_list(strval);
> + if(!(crld = sk_DIST_POINT_new_null())) goto merr;
> + for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
> + cnf = sk_CONF_VALUE_value(nval, i);
> + name = cnf->name;
> + if (*name == '@') {
> + STACK_OF(CONF_VALUE) *crldsect;
> + crldsect = X509V3_get_section(ctx, name + 1);
> + if (!crldsect) {
> +
> X509V3err(X509V3_F_R2I_CRLD,X509V3_R_INVALID_EXTENSION_STRING);
> + ERR_add_error_data(2, "section=", name);
> + goto err;
> + }
> +
> + DIST_POINT *sectpoint = crld_section(method, ctx, crldsect);
> + X509V3_section_free(ctx, crldsect);
> +
> + if (!sectpoint) {
> + /* For backward compatibility */
> + STACK_OF(DIST_POINT) *crld_tmp = NULL;
> + crld_tmp = v2i_crld(method, ctx, crldsect);
> +
> + if (crld_tmp) {
> + DIST_POINT *dp = NULL;
> +
> + while ((dp = sk_DIST_POINT_shift (crld_tmp))) {
> + if (!sk_DIST_POINT_push(crld, dp)) {
> + DIST_POINT_free(dp);
> +
> sk_DIST_POINT_pop_free(crld_tmp, DIST_POINT_free);
> + goto merr;
> + }
> + }
> + sk_DIST_POINT_pop_free(crld_tmp,
> DIST_POINT_free);
> + }
> + }
> + else if(!sk_DIST_POINT_push(crld, sectpoint)) {
> + DIST_POINT_free(sectpoint);
> + goto merr;
> + }
> + }
> + else { /* For backward compatibility */
> + DIST_POINT *point;
> + if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) goto err;
> + if(!(gens = GENERAL_NAMES_new())) goto merr;
> + if(!sk_GENERAL_NAME_push(gens, gen)) goto merr;
> + gen = NULL;
> + if(!(point = DIST_POINT_new())) goto merr;
> + if(!sk_DIST_POINT_push(crld, point)) {
> + DIST_POINT_free(point);
> + goto merr;
> + }
> + if(!(point->distpoint = DIST_POINT_NAME_new())) goto merr;
> + point->distpoint->name.fullname = gens;
> + point->distpoint->type = 0;
> + gens = NULL;
> + }
> + }
> + return crld;
> +
> + merr:
> + X509V3err(X509V3_F_R2I_CRLD,ERR_R_MALLOC_FAILURE);
> err:
> GENERAL_NAME_free(gen);
> GENERAL_NAMES_free(gens);
> @@ -156,7 +382,7 @@
> IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT)
>
> ASN1_ITEM_TEMPLATE(CRL_DIST_POINTS) =
> - ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, DIST_POINT, DIST_POINT)
> + ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CRLDistributionPoints,
> DIST_POINT)
> ASN1_ITEM_TEMPLATE_END(CRL_DIST_POINTS)
>
> IMPLEMENT_ASN1_FUNCTIONS(CRL_DIST_POINTS)
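Review bot: in r2i_crld() `X509V3_section_free(ctx, crldsect);` runs before the backward-compatibility fallback `v2i_crld(method, ctx, crldsect)`, so the fallback parses a section that has already been released; move the free after the `if (!sectpoint)` block. The fallback is also too broad: crld_section() returns NULL for every failure (an unknown reason name, a bad `relativename` section, a malloc failure), and when v2i_crld() then fails as well the `@section` is silently dropped while the extension is still built, with stale errors left on the queue. Take the legacy path only when the section contains none of the new keys, and propagate every other failure with `goto err`. The `nval` stack from `X509V3_parse_list(strval)` is never freed and is not checked for NULL. Changing v2i_crld()'s own error to `X509V3err(X509V3_F_R2I_CRLD, ...)` attributes its failures to the wrong function; keep `X509V3_F_V2I_CRLD` there and allocate a new function code for r2i_crld(). `DIST_POINT *sectpoint = crld_section(...)` is another declaration after a statement. The change of the third argument of `ASN1_EX_TEMPLATE_TYPE` from `DIST_POINT` to `CRLDistributionPoints` only renames the template field string and is unrelated to the feature; drop it or explain it in the description.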
> diff -ur openssl-0.9.7c/crypto/x509v3/v3err.c
> openssl-0.9.7c.modified/crypto/x509v3/v3err.c
> --- openssl-0.9.7c/crypto/x509v3/v3err.c 2001-05-09 20:13:48.000000000 -0400
> +++ openssl-0.9.7c.modified/crypto/x509v3/v3err.c 2004-04-05
> 15:55:24.000000000 -0400
> @@ -93,7 +93,7 @@
> {ERR_PACK(0,X509V3_F_V2I_ASN1_BIT_STRING,0), "V2I_ASN1_BIT_STRING"},
> {ERR_PACK(0,X509V3_F_V2I_AUTHORITY_KEYID,0), "V2I_AUTHORITY_KEYID"},
> {ERR_PACK(0,X509V3_F_V2I_BASIC_CONSTRAINTS,0), "V2I_BASIC_CONSTRAINTS"},
> -{ERR_PACK(0,X509V3_F_V2I_CRLD,0), "V2I_CRLD"},
> +{ERR_PACK(0,X509V3_F_R2I_CRLD,0), "R2I_CRLD"},
> {ERR_PACK(0,X509V3_F_V2I_EXT_KU,0), "V2I_EXT_KU"},
> {ERR_PACK(0,X509V3_F_V2I_GENERAL_NAME,0), "v2i_GENERAL_NAME"},
> {ERR_PACK(0,X509V3_F_V2I_GENERAL_NAMES,0), "v2i_GENERAL_NAMES"},
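Review bot: v3err.c is generated from the `X509V3_F_*` and `X509V3_R_*` defines by util/mkerr.pl (`make errors`), so this table should be regenerated rather than hand-edited. Since v2i_crld() still exists and still raises errors, the entry should be an added `{ERR_PACK(0,X509V3_F_R2I_CRLD,0), "R2I_CRLD"},` with a fresh function code, not a replacement of the `V2I_CRLD` line.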
> diff -ur openssl-0.9.7c/crypto/x509v3/v3_utl.c
> openssl-0.9.7c.modified/crypto/x509v3/v3_utl.c
> --- openssl-0.9.7c/crypto/x509v3/v3_utl.c 2002-11-13
> 19:45:04.000000000 -0500
> +++ openssl-0.9.7c.modified/crypto/x509v3/v3_utl.c 2004-04-05
> 15:55:24.000000000 -0400
> @@ -533,3 +533,50 @@
> {
> sk_pop_free(sk, str_free);
> }
> +
> +/* From the openssl-SNAP-20040227 snapshot of openssl 0.9.8 */
> +int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
> + unsigned long chtype)
> + {
> + CONF_VALUE *v;
> + int i, mval;
> + char *p, *type;
> + if (!nm)
> + return 0;
> +
> + for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++)
> + {
> + v=sk_CONF_VALUE_value(dn_sk,i);
> + type=v->name;
> + /* Skip past any leading X. X: X, etc to allow for
> + * multiple instances
> + */
> + for(p = type; *p ; p++)
> +#ifndef CHARSET_EBCDIC
> + if ((*p == ':') || (*p == ',') || (*p == '.'))
> +#else
> + if ((*p == os_toascii[':']) || (*p == os_toascii[',']) || (*p
> ==
> os_toascii['.']))
> +#endif
> + {
> + p++;
> + if(*p) type = p;
> + break;
> + }
> +#ifndef CHARSET_EBCDIC
> + if (*p == '+')
> +#else
> + if (*p == os_toascii['+'])
> +#endif
> + {
> + mval = -1;
> + p++;
> + }
> + else
> + mval = 0;
> + if (!X509_NAME_add_entry_by_txt(nm,type, chtype,
> + (unsigned char *) v->value,-1,-1,mval))
> + return 0;
> +
> + }
> + return 1;
> + }
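Review bot: the `#else` branch of the first character test (`if ((*p == os_toascii[':']) ...`) has been wrapped across three lines by the mailer, so the patch as quoted here does not apply; anyone working from the list archive needs the attached file. On the function itself: `sk_CONF_VALUE_num(NULL)` returns -1, so calling it with a NULL `dn_sk` skips the loop and returns 1 for an empty name, which means callers must verify the section exists before calling it rather than relying on this function to fail.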
> diff -ur openssl-0.9.7c/crypto/x509v3/x509v3.h
> openssl-0.9.7c.modified/crypto/x509v3/x509v3.h
> --- openssl-0.9.7c/crypto/x509v3/x509v3.h 2003-01-29
> 10:06:38.000000000 -0500
> +++ openssl-0.9.7c.modified/crypto/x509v3/x509v3.h 2004-04-05
> 15:55:24.000000000 -0400
> @@ -547,6 +547,9 @@
> STACK *X509_get1_email(X509 *x);
> STACK *X509_REQ_get1_email(X509_REQ *x);
> void X509_email_free(STACK *sk);
> +/* From the openssl-SNAP-20040227 snapshot of openssl 0.9.8 */
> +int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
> + unsigned long chtype);
>
>
> /* BEGIN ERROR CODES */
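Review bot: the prototype is fine here, but in the 0.9.7 tree include/openssl/x509v3.h is a symlink to crypto/x509v3/x509v3.h created by `make links`, so this header change should appear only once; the second copy of these hunks against include/openssl/x509v3.h later in the patch will either fail to apply or apply twice.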
> @@ -585,7 +588,7 @@
> #define X509V3_F_V2I_ASN1_BIT_STRING 101
> #define X509V3_F_V2I_AUTHORITY_KEYID 119
> #define X509V3_F_V2I_BASIC_CONSTRAINTS 102
> -#define X509V3_F_V2I_CRLD 134
> +#define X509V3_F_R2I_CRLD 134
> #define X509V3_F_V2I_EXT_KU 103
> #define X509V3_F_V2I_GENERAL_NAME 117
> #define X509V3_F_V2I_GENERAL_NAMES 118
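Review bot: renaming `X509V3_F_V2I_CRLD` to `X509V3_F_R2I_CRLD` while keeping the value 134 removes a public macro and misattributes the errors v2i_crld() still raises; leave `#define X509V3_F_V2I_CRLD 134` in place and add `X509V3_F_R2I_CRLD` with the next free function code (util/mkerr.pl assigns these when run with `make errors`).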
> diff -ur openssl-0.9.7c/include/openssl/x509v3.h
> openssl-0.9.7c.modified/include/openssl/x509v3.h
> --- openssl-0.9.7c/include/openssl/x509v3.h 2003-01-29
> 10:06:38.000000000 -0500
> +++ openssl-0.9.7c.modified/include/openssl/x509v3.h 2004-04-05
> 15:55:24.000000000 -0400
> @@ -547,6 +547,9 @@
> STACK *X509_get1_email(X509 *x);
> STACK *X509_REQ_get1_email(X509_REQ *x);
> void X509_email_free(STACK *sk);
> +/* From the openssl-SNAP-20040227 snapshot of openssl 0.9.8 */
> +int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
> + unsigned long chtype);
>
>
> /* BEGIN ERROR CODES */
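Review bot: this hunk and the following one duplicate the changes already made to crypto/x509v3/x509v3.h; in the 0.9.7 source tree include/openssl/x509v3.h is a symlink to that file (created by `make links`), so patching both paths fails or double-applies. Drop the include/openssl/ part of the diff.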
> @@ -585,7 +588,7 @@
> #define X509V3_F_V2I_ASN1_BIT_STRING 101
> #define X509V3_F_V2I_AUTHORITY_KEYID 119
> #define X509V3_F_V2I_BASIC_CONSTRAINTS 102
> -#define X509V3_F_V2I_CRLD 134
> +#define X509V3_F_R2I_CRLD 134
> #define X509V3_F_V2I_EXT_KU 103
> #define X509V3_F_V2I_GENERAL_NAME 117
> #define X509V3_F_V2I_GENERAL_NAMES 118
>
> Content-Description: A patch for the openssl development version 20040227
> for the extended syntax for CRL Distribution Points
> diff -ur openssl-SNAP-20040227/crypto/x509v3/v3_crld.c
> openssl-SNAP-20040227.modified/crypto/x509v3/v3_crld.c
> --- openssl-SNAP-20040227/crypto/x509v3/v3_crld.c 2003-11-20
> 18:00:13.000000000 -0500
> +++ openssl-SNAP-20040227.modified/crypto/x509v3/v3_crld.c 2004-03-02
> 17:58:06.000000000 -0500
> @@ -63,8 +63,23 @@
> #include <openssl/asn1t.h>
> #include <openssl/x509v3.h>
>
> -static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
> - STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *extlist);
> +static ENUMERATED_NAMES crl_reasons[] = {
> +{0, "Unused", "unused"},
> +{1, "Key Compromise", "keyCompromise"},
> +{2, "CA Compromise", "cACompromise"},
> +{3, "Affiliation Changed", "affiliationChanged"},
> +{4, "Superseded", "superseded"},
> +{5, "Cessation Of Operation", "cessationOfOperation"},
> +{6, "Certificate Hold", "certificateHold"},
> +{7, "Privilege Withdrawn", "privilegeWithdrawn"},
> +{8, "AA Compromise", "aACompromise"},
> +{-1, NULL, NULL}
> +};
> +
> +static int i2r_crld(X509V3_EXT_METHOD *method,
> + STACK_OF(DIST_POINT) *crld, BIO *out, int indent);
> +static STACK_OF(DIST_POINT) *r2i_crld(X509V3_EXT_METHOD *method,
> + X509V3_CTX *ctx, char *strval);
> static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
> X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
>
> @@ -72,31 +87,164 @@
> NID_crl_distribution_points, X509V3_EXT_MULTILINE,
> ASN1_ITEM_ref(CRL_DIST_POINTS),
> 0,0,0,0,
> 0,0,
> -(X509V3_EXT_I2V)i2v_crld,
> -(X509V3_EXT_V2I)v2i_crld,
> 0,0,
> -NULL
> +(X509V3_EXT_I2R)i2r_crld,
> +(X509V3_EXT_R2I)r2i_crld,
> +crl_reasons
> };
>
> -static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
> - STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *exts)
> +static DIST_POINT *crld_section(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
> STACK_OF(CONF_VALUE) *nval) {
> +
> + int i;
> + CONF_VALUE *cnf;
> + char *name, *value;
> + GENERAL_NAMES *gens = NULL;
> + DIST_POINT *point = NULL;
> + ASN1_BIT_STRING *bs = NULL;
> +
> + if (!(point = DIST_POINT_new())) goto merr;
> + point->distpoint = NULL;
> +
> + for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
> + cnf = sk_CONF_VALUE_value(nval, i);
> + STACK_OF(CONF_VALUE) *sk;
> + name = cnf->name;
> + value = cnf->value;
> + sk = X509V3_parse_list(value);
> +
> + if (!strcmp (name, "fullname")) {
> + if (!(gens = v2i_GENERAL_NAMES(method, ctx, sk))) goto err;
> +
> + if(!(point->distpoint = DIST_POINT_NAME_new())) goto merr;
> + point->distpoint->name.fullname = gens;
> + point->distpoint->type = 0;
> + gens = NULL;
> + }
> + else if (!strcmp (name, "relativename")) {
> + if (*value == '@') {
> + X509_NAME *nm = NULL;
> + STACK_OF(CONF_VALUE) *relsect = NULL;
> + if (!(nm = X509_NAME_new())) goto merr;
> +
> + relsect = X509V3_get_section(ctx, value + 1);
> + if (!relsect) {
> + X509V3err(X509V3_F_R2I_CRLD,
> X509V3_R_INVALID_SECTION);
> + ERR_add_error_data(2, "section=", value + 1);
> + X509_NAME_free(nm);
> + }
> +
> + if (! X509V3_NAME_from_section(nm, relsect,
> MBSTRING_ASC)) {
> + X509_NAME_free(nm);
> + nm = NULL;
> + }
> + X509V3_section_free(ctx, relsect);
> + if (!point->distpoint)
> + if(!(point->distpoint =
> DIST_POINT_NAME_new())) goto merr;
> + point->distpoint->name.relativename = nm->entries;
> + point->distpoint->type = 1;
> + nm->entries = NULL;
> + X509_NAME_free(nm);
> + }
> + else {
> + X509V3err(X509V3_F_R2I_CRLD, X509V3_R_INVALID_SECTION);
> + ERR_add_error_data(2, "section=", value);
> + goto err;
> + }
> + }
> + else if (!strcmp (name, "CRLissuer")) {
> + if (!(gens = v2i_GENERAL_NAMES(method, ctx, sk))) goto err;
> + point->CRLissuer = gens;
> + gens = NULL;
> + }
> + else if (!strcmp (name, "reasons")) {
> + int j;
> + if (! (bs = M_ASN1_BIT_STRING_new())) {
> + X509V3err(X509V3_F_R2I_CRLD, ERR_R_MALLOC_FAILURE);
> + goto merr;
> + }
> + for (j = 0; j < sk_CONF_VALUE_num(sk); j++) {
> + ENUMERATED_NAMES *enam;
> + CONF_VALUE *val = sk_CONF_VALUE_value(sk, j);
> + for (enam = method->usr_data; enam->lname; enam++) {
> + if (!strcmp(enam->sname, val->name) ||
> + !strcmp(enam->lname, val->name)) {
> + ASN1_BIT_STRING_set_bit(bs,
> enam->bitnum, 1);
> + break;
> + }
> + }
> + if (!enam->lname) {
> + X509V3err(X509V3_F_R2I_CRLD,
> +
> X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT);
> + X509V3_conf_err(val);
> + goto err;
> + }
> + }
> + point->reasons = bs;
> + }
> + else {
> + /* For Backward Compatibility */
> + goto err;
> + }
> + }
> + return point;
> +
> + merr:
> + X509V3err(X509V3_F_R2I_CRLD,ERR_R_MALLOC_FAILURE);
> + err:
> + GENERAL_NAMES_free(gens);
> + M_ASN1_BIT_STRING_free(bs);
> + DIST_POINT_free(point);
> + return NULL;
> +}
> +
> +static int i2r_crld(X509V3_EXT_METHOD *method,
> + STACK_OF(DIST_POINT) *crld, BIO *out, int indent)
> {
> DIST_POINT *point;
> int i;
> for(i = 0; i < sk_DIST_POINT_num(crld); i++) {
> point = sk_DIST_POINT_value(crld, i);
> - if(point->distpoint) {
> - if(point->distpoint->type == 0)
> - exts = i2v_GENERAL_NAMES(NULL,
> - point->distpoint->name.fullname, exts);
> - else X509V3_add_value("RelativeName","<UNSUPPORTED>", &exts);
> - }
> - if(point->reasons)
> - X509V3_add_value("reasons","<UNSUPPORTED>", &exts);
> - if(point->CRLissuer)
> - X509V3_add_value("CRLissuer","<UNSUPPORTED>", &exts);
> + if (point) {
> + BIO_printf(out, "%*sDistribution Point:\n", indent, "");
> + if(point->distpoint) {
> + if(point->distpoint->type == 0) {
> + BIO_printf(out, "%*sFull Name:\n", indent + 2,
> "");
> + X509V3_EXT_val_prn(out, i2v_GENERAL_NAMES(NULL,
> +
> point->distpoint->name.fullname, NULL),
> + indent + 4,
> method->ext_flags & X509V3_EXT_MULTILINE);
> + }
> + else if (point->distpoint->type == 1) {
> + BIO_printf(out, "%*sRelative Name:\n", indent
> + 2, "");
> + STACK_OF(X509_NAME_ENTRY) *ne =
> point->distpoint->name.relativename;
> + X509_NAME *nm = X509_NAME_new();
> + if (nm) {
> + char oline[256];
> + nm->entries = ne;
> + X509_NAME_oneline(nm, oline, 256);
> + BIO_printf(out, "%*s%s\n", indent + 4,
> "", oline);
> + nm->entries = NULL;
> + X509_NAME_free(nm);
> + }
> + }
> + }
> + if(point->reasons) {
> + BIO_printf(out, "%*sReasons:\n", indent + 2, "");
> + ENUMERATED_NAMES *enam;
> + ASN1_BIT_STRING *bits = point->reasons;
> +
> + for (enam = method->usr_data; enam->lname; enam++) {
> + if (ASN1_BIT_STRING_get_bit(bits,
> enam->bitnum))
> + BIO_printf(out, "%*s%s\n", indent + 4,
> "", enam->lname);
> + }
> + }
> + if(point->CRLissuer) {
> + BIO_printf(out, "%*sCRL Issuer:\n", indent + 2, "");
> + X509V3_EXT_val_prn(out,
> i2v_GENERAL_NAMES(NULL,point->CRLissuer, NULL),
> + indent + 4, method->ext_flags &
> X509V3_EXT_MULTILINE);
> + }
> + }
> }
> - return exts;
> + return 1;
> }
>
> static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
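Review bot: this is the same crld_section()/i2r_crld() body as in the 0.9.7c diff and carries the same defects. In the `relativename` branch the `if (!relsect)` block frees `nm` without a `goto err`, so the code goes on to call `X509V3_NAME_from_section(nm, relsect, MBSTRING_ASC)` on freed memory and a NULL section, and a failed `X509V3_NAME_from_section()` sets `nm = NULL` right before `nm->entries` is read; both need `goto err`. `point->reasons = bs;` must be followed by `bs = NULL;` or the `err:` path frees the bit string twice (directly and via `DIST_POINT_free(point)`). The `sk` from `X509V3_parse_list(value)` leaks on every iteration and the stacks returned by `i2v_GENERAL_NAMES(NULL, ..., NULL)` in i2r_crld() are never freed after `X509V3_EXT_val_prn()`. The `X509V3err(..., ERR_R_MALLOC_FAILURE)` before `goto merr` in the `reasons` branch is redundant, and the declarations placed after statements (`*sk`, `*ne`, `*enam`) should move to the start of their blocks for C89 compilers.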
> @@ -128,7 +276,85 @@
> return crld;
>
> merr:
> - X509V3err(X509V3_F_V2I_CRLD,ERR_R_MALLOC_FAILURE);
> + X509V3err(X509V3_F_R2I_CRLD,ERR_R_MALLOC_FAILURE);
> + err:
> + GENERAL_NAME_free(gen);
> + GENERAL_NAMES_free(gens);
> + sk_DIST_POINT_pop_free(crld, DIST_POINT_free);
> + return NULL;
> +}
> +
> +static STACK_OF(DIST_POINT) *r2i_crld(X509V3_EXT_METHOD *method,
> + X509V3_CTX *ctx, char *strval)
> +{
> + STACK_OF(DIST_POINT) *crld = NULL;
> + GENERAL_NAMES *gens = NULL;
> + GENERAL_NAME *gen = NULL;
> + CONF_VALUE *cnf;
> + int i;
> + char *name;
> + STACK_OF(CONF_VALUE) *nval;
> + nval = X509V3_parse_list(strval);
> + if(!(crld = sk_DIST_POINT_new_null())) goto merr;
> + for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
> + cnf = sk_CONF_VALUE_value(nval, i);
> + name = cnf->name;
> + if (*name == '@') {
> + STACK_OF(CONF_VALUE) *crldsect;
> + crldsect = X509V3_get_section(ctx, name + 1);
> + if (!crldsect) {
> +
> X509V3err(X509V3_F_R2I_CRLD,X509V3_R_INVALID_EXTENSION_STRING);
> + ERR_add_error_data(2, "section=", name);
> + goto err;
> + }
> +
> + DIST_POINT *sectpoint = crld_section(method, ctx, crldsect);
> + X509V3_section_free(ctx, crldsect);
> +
> + if (!sectpoint) {
> + /* For backward compatibility */
> + STACK_OF(DIST_POINT) *crld_tmp = NULL;
> + crld_tmp = v2i_crld(method, ctx, crldsect);
> +
> + if (crld_tmp) {
> + DIST_POINT *dp = NULL;
> +
> + while ((dp = sk_DIST_POINT_shift (crld_tmp))) {
> + if (!sk_DIST_POINT_push(crld, dp)) {
> + DIST_POINT_free(dp);
> +
> sk_DIST_POINT_pop_free(crld_tmp, DIST_POINT_free);
> + goto merr;
> + }
> + }
> + sk_DIST_POINT_pop_free(crld_tmp,
> DIST_POINT_free);
> + }
> + }
> + else if(!sk_DIST_POINT_push(crld, sectpoint)) {
> + DIST_POINT_free(sectpoint);
> + goto merr;
> + }
> + }
> + else { /* For backward compatibility */
> + DIST_POINT *point;
> + if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) goto err;
> + if(!(gens = GENERAL_NAMES_new())) goto merr;
> + if(!sk_GENERAL_NAME_push(gens, gen)) goto merr;
> + gen = NULL;
> + if(!(point = DIST_POINT_new())) goto merr;
> + if(!sk_DIST_POINT_push(crld, point)) {
> + DIST_POINT_free(point);
> + goto merr;
> + }
> + if(!(point->distpoint = DIST_POINT_NAME_new())) goto merr;
> + point->distpoint->name.fullname = gens;
> + point->distpoint->type = 0;
> + gens = NULL;
> + }
> + }
> + return crld;
> +
> + merr:
> + X509V3err(X509V3_F_R2I_CRLD,ERR_R_MALLOC_FAILURE);
> err:
> GENERAL_NAME_free(gen);
> GENERAL_NAMES_free(gens);
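Review bot: as in the 0.9.7c copy of r2i_crld(), `X509V3_section_free(ctx, crldsect);` is executed before the fallback `v2i_crld(method, ctx, crldsect)` reads the section again, which is a use after free; move the free below the `if (!sectpoint)` block. The fallback also swallows every crld_section() failure (bad reason name, bad `relativename` section, malloc failure) and, when v2i_crld() fails too, drops the `@section` silently while still building the extension; only take the legacy path when the section has none of the new keys and `goto err` otherwise. `nval` from `X509V3_parse_list(strval)` is never freed or NULL-checked, `DIST_POINT *sectpoint = ...` is a declaration after a statement, and v2i_crld()'s error should stay `X509V3_F_V2I_CRLD` rather than being relabelled `X509V3_F_R2I_CRLD`.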
> diff -ur openssl-SNAP-20040227/crypto/x509v3/v3err.c
> openssl-SNAP-20040227.modified/crypto/x509v3/v3err.c
> --- openssl-SNAP-20040227/crypto/x509v3/v3err.c 2003-03-24
> 14:15:29.000000000 -0500
> +++ openssl-SNAP-20040227.modified/crypto/x509v3/v3err.c 2004-03-02
> 14:52:53.000000000 -0500
> @@ -95,7 +95,7 @@
> {ERR_PACK(0,X509V3_F_V2I_ASN1_BIT_STRING,0), "V2I_ASN1_BIT_STRING"},
> {ERR_PACK(0,X509V3_F_V2I_AUTHORITY_KEYID,0), "V2I_AUTHORITY_KEYID"},
> {ERR_PACK(0,X509V3_F_V2I_BASIC_CONSTRAINTS,0), "V2I_BASIC_CONSTRAINTS"},
> -{ERR_PACK(0,X509V3_F_V2I_CRLD,0), "V2I_CRLD"},
> +{ERR_PACK(0,X509V3_F_R2I_CRLD,0), "R2I_CRLD"},
> {ERR_PACK(0,X509V3_F_V2I_EXT_KU,0), "V2I_EXT_KU"},
> {ERR_PACK(0,X509V3_F_V2I_GENERAL_NAME,0), "v2i_GENERAL_NAME"},
> {ERR_PACK(0,X509V3_F_V2I_GENERAL_NAMES,0), "v2i_GENERAL_NAMES"},
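Review bot: same point as for the 0.9.7c v3err.c hunk: this file is produced by util/mkerr.pl, and because v2i_crld() remains in the tree the `V2I_CRLD` entry must stay; add a separate `R2I_CRLD` entry with a new function code by regenerating the error table.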
> diff -ur openssl-SNAP-20040227/crypto/x509v3/x509v3.h
> openssl-SNAP-20040227.modified/crypto/x509v3/x509v3.h
> --- openssl-SNAP-20040227/crypto/x509v3/x509v3.h 2003-03-24
> 14:15:29.000000000 -0500
> +++ openssl-SNAP-20040227.modified/crypto/x509v3/x509v3.h 2004-03-02
> 14:52:58.000000000 -0500
> @@ -633,7 +633,7 @@
> #define X509V3_F_V2I_ASN1_BIT_STRING 101
> #define X509V3_F_V2I_AUTHORITY_KEYID 119
> #define X509V3_F_V2I_BASIC_CONSTRAINTS 102
> -#define X509V3_F_V2I_CRLD 134
> +#define X509V3_F_R2I_CRLD 134
> #define X509V3_F_V2I_EXT_KU 103
> #define X509V3_F_V2I_GENERAL_NAME 117
> #define X509V3_F_V2I_GENERAL_NAMES 118
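Review bot: reusing the value 134 under a new name `X509V3_F_R2I_CRLD` drops the public `X509V3_F_V2I_CRLD` macro that v2i_crld() still needs; keep the existing define and add `X509V3_F_R2I_CRLD` with the next unused function code, which util/mkerr.pl will allocate.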
>
>
> ----- End forwarded message -----
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
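The crlDistributionPoints syntax described in the forwarded patch, modelled as an added example that is not part of this thread or of OpenSSL: a small Python parser mirroring r2i_crld() and crld_section(), which resolves `@section` references, builds the ReasonFlags bitmap from the same table as crl_reasons[], and takes the legacy one-GeneralName-per-point path only when a section contains none of the new keys, raising an error for anything else instead of dropping the point. The config text, the `crlDistributionPoints=` line and the `ca@example.com` address are constructed for the example; the GeneralName handling is simplified (a few type tags, no DER output).

```python
"""Model of the patch's crlDistributionPoints config syntax (added example, not OpenSSL code).
Mirrors r2i_crld()/crld_section() but fails loudly instead of silently dropping a point."""
import re

# ReasonFlags bit positions from RFC 3280 4.2.1.14; same order as crl_reasons[] in the patch.
REASON_FLAGS = ["unused", "keyCompromise", "cACompromise", "affiliationChanged",
                "superseded", "cessationOfOperation", "certificateHold",
                "privilegeWithdrawn", "aACompromise"]
DISTPOINT_KEYS = {"fullname", "relativename", "CRLissuer", "reasons"}
GENERAL_NAME_TYPES = {"URI", "email", "DNS", "IP", "DirName"}   # subset, enough for the example

# Constructed config based on the example in the patch description (address is made up).
SAMPLE_CONFIG = """
crlDistributionPoints=@distpoint1,@distpoint2

[distpoint1]
fullname=URI:http://uri.crl.com/crl1,URI:http://uri.crl.com/crl2
reasons=keyCompromise,cACompromise

[distpoint2]
relativename=@relnamesect
reasons=cessationOfOperation,privilegeWithdrawn
CRLissuer=email:ca@example.com

[relnamesect]
C = US
O = Org, Inc.
0.OU = Org Unit 1
1.OU = Sub Org Unit 2
CN = relative common name
"""


def parse_config(text):
    """Minimal INI reader: {section_or_None: [(key, value), ...]}, order preserved."""
    sections, current = {None: []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def parse_list(value):
    """Like X509V3_parse_list(): 'URI:x,@sect' -> [('URI', 'x'), ('@sect', None)]."""
    items = []
    for part in value.split(","):
        part = part.strip()
        if part:
            name, sep, val = part.partition(":")
            items.append((name.strip(), val.strip() if sep else None))
    return items


def general_name(name, value):
    base = re.sub(r"\.\d+$", "", name)      # name_cmp() semantics: 'URI.1' counts as 'URI'
    if base not in GENERAL_NAME_TYPES or not value:
        raise ValueError("bad GeneralName %r" % name)
    return (base, value)


def reasons_bitmap(value):
    """'keyCompromise,cACompromise' -> 0b110; an unknown name is an error, not ignored."""
    bits = 0
    for name, _ in parse_list(value):
        if name not in REASON_FLAGS:
            raise ValueError("unknown reason %r" % name)
        bits |= 1 << REASON_FLAGS.index(name)
    return bits


def reasons_names(bits):
    return [r for i, r in enumerate(REASON_FLAGS) if bits >> i & 1]


def relative_name(sections, ref):
    """'@sect' -> RDN components, dropping the 'N.' prefix as X509V3_NAME_from_section() does."""
    if not ref.startswith("@") or ref[1:] not in sections:
        raise ValueError("invalid relativename section %r" % ref)
    return [(re.sub(r"^\d+[.:,]", "", k), v) for k, v in sections[ref[1:]]]


def distpoints_from_section(sections, name):
    """crld_section() plus the legacy fallback of r2i_crld(), returned as a list of dicts."""
    entries = sections.get(name)
    if entries is None:
        raise ValueError("invalid section %r" % name)
    if not {k for k, _ in entries} & DISTPOINT_KEYS:
        # Legacy '@section' form (v2i_crld): one distribution point per GeneralName.
        return [{"fullname": [general_name(k, v)]} for k, v in entries]
    dp = {}
    for key, value in entries:
        if key == "fullname":
            dp["fullname"] = [general_name(n, v) for n, v in parse_list(value)]
        elif key == "relativename":
            dp["relativename"] = relative_name(sections, value)
        elif key == "CRLissuer":
            dp["CRLissuer"] = [general_name(n, v) for n, v in parse_list(value)]
        elif key == "reasons":
            dp["reasons"] = reasons_bitmap(value)
        else:
            raise ValueError("unknown key %r in section %r" % (key, name))
    if "fullname" in dp and "relativename" in dp:
        raise ValueError("DistributionPointName is a CHOICE: fullname or relativename")
    return [dp]


def parse_crl_distribution_points(sections, value):
    """r2i_crld(): '@sect,URI:...' -> list of distribution points."""
    points = []
    for name, val in parse_list(value):
        if name.startswith("@"):
            points.extend(distpoints_from_section(sections, name[1:]))
        else:   # legacy flat form: each GeneralName becomes its own distribution point
            points.append({"fullname": [general_name(name, val)]})
    return points


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for dp in parse_crl_distribution_points(cfg, dict(cfg[None])["crlDistributionPoints"]):
        print(dp, reasons_names(dp.get("reasons", 0)))
```

Running the module prints the two distribution points from the sample config with their decoded reason names; the legacy `@crlsection` and flat `URI:...,URI:...` forms go through the same entry point, and a misspelt reason name or a section that mixes `fullname` with `relativename` raises instead of producing a certificate with a missing distribution point.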