Commit 002e66c0 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson

Support for policy mappings extension.

Delete X509_POLICY_REF code.

Fix handling of invalid policy extensions to return the correct error.

Add command line option to inhibit policy mappings.
parent e9746e03
+5 −0
@@ -4,6 +4,11 @@

 Changes between 0.9.8i and 0.9.9  [xx XXX xxxx]

  *) Add support for policy mappings extension.

     This work was sponsored by Google.
     [Steve Henson]

  *) Fixes to pathlength constraint, self issued certificate handling,
     policy processing to align with RFC3280 and PKITS tests.

+2 −0
@@ -2235,6 +2235,8 @@ int args_verify(char ***pargs, int *pargc,
		flags |= X509_V_FLAG_EXPLICIT_POLICY;
	else if (!strcmp(arg, "-inhibit_any"))
		flags |= X509_V_FLAG_INHIBIT_ANY;
	else if (!strcmp(arg, "-inhibit_map"))
		flags |= X509_V_FLAG_INHIBIT_MAP;
	else if (!strcmp(arg, "-x509_strict"))
		flags |= X509_V_FLAG_X509_STRICT;
	else if (!strcmp(arg, "-policy_print"))
+2 −1
@@ -1122,7 +1122,8 @@ static int check_policy(X509_STORE_CTX *ctx)
				continue;
			ctx->current_cert = x;
			ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
			ret = ctx->verify_cb(0, ctx);
			if(!ctx->verify_cb(0, ctx))
				return 0;
			}
		return 1;
		}
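Review bot: The callback is invoked with `ctx->current_cert` and `ctx->error` set, but in the lines shown `ctx->error_depth` keeps whatever the previous verification step stored, so a verify callback that logs or decides by depth may attribute X509_V_ERR_INVALID_POLICY_EXTENSION to the wrong position in the chain. Setting the depth to the chain index of `x` next to `ctx->current_cert = x;` would close that gap; the loop header and its index variable are outside the hunk, so the exact name is not visible here. A short comment above the `if`, such as `/* callback may override the error; a zero return aborts verification */`, would also record that a non-zero return lets the loop continue and the function reach `return 1` even though a certificate carried an invalid policy extension.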
+0 −1
@@ -139,7 +139,6 @@ static int policy_cache_new(X509 *x)
		return 0;
	cache->anyPolicy = NULL;
	cache->data = NULL;
	cache->maps = NULL;
	cache->any_skip = -1;
	cache->explicit_skip = -1;
	cache->map_skip = -1;
+8 −4
@@ -82,17 +82,21 @@ void policy_data_free(X509_POLICY_DATA *data)
 * another source.
 */

X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit)
X509_POLICY_DATA *policy_data_new(POLICYINFO *policy,
					const ASN1_OBJECT *cid, int crit)
	{
	X509_POLICY_DATA *ret;
	if (!policy && !id)
	ASN1_OBJECT *id;
	if (!policy && !cid)
		return NULL;
	if (id)
	if (cid)
		{
		id = OBJ_dup(id);
		id = OBJ_dup(cid);
		if (!id)
			return NULL;
		}
	else
		id = NULL;
	ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA));
	if (!ret)
		return NULL;
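Review bot: The `if (!ret) return NULL;` after `OPENSSL_malloc` returns without releasing `id`, which by that point may own the copy made by `OBJ_dup(cid)`, so an allocation failure leaks that object. The early return should free it first: `if (!ret) { if (id) ASN1_OBJECT_free(id); return NULL; }`. The rest of policy_data_new lies outside the hunk, so its later error paths could not be checked for the same omission.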