Commit 13938ace authored by Dr. Stephen Henson's avatar Dr. Stephen Henson

Add part of chain verify SSL support code: not complete or doing anything yet.

Add a function X509_STORE_CTX_purpose_inherit() which implements the logic
of "inheriting" purpose and trust from a parent structure and using a default:
this will be used in the SSL code and possibly future S/MIME.

Partial documentation of the 'verify' utility. Still need to document how all
the extension checking works and the various error messages.
parent 51630a37
+3 −7
@@ -84,9 +84,7 @@ int MAIN(int argc, char **argv)
	X509_STORE *cert_ctx=NULL;
	X509_LOOKUP *lookup=NULL;

	X509_PURPOSE_add_standard();
	X509_TRUST_add_standard();
	X509V3_add_standard_extensions();
	X509_init();
	cert_ctx=X509_STORE_new();
	if (cert_ctx == NULL) goto end;
	X509_STORE_set_verify_cb_func(cert_ctx,cb);
@@ -198,9 +196,7 @@ end:
	}
	if (cert_ctx != NULL) X509_STORE_free(cert_ctx);
	sk_X509_pop_free(untrusted, X509_free);
	X509V3_EXT_cleanup();
	X509_PURPOSE_cleanup();
	X509_TRUST_cleanup();
	X509_cleanup();
	EXIT(ret);
	}

@@ -246,7 +242,7 @@ static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, int purpos
		goto end;
		}
	X509_STORE_CTX_init(csc,ctx,x,uchain);
	if(purpose >= 0) X509_STORE_CTX_chain_purpose(csc, purpose);
	if(purpose >= 0) X509_STORE_CTX_set_purpose(csc, purpose);
	i=X509_verify_cert(csc);
	X509_STORE_CTX_free(csc);
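Review bot: The return value of the new `X509_STORE_CTX_set_purpose(csc, purpose)` call in check() is discarded, so a purpose id the library does not know (this commit adds `X509_R_UNKNOWN_PURPOSE_ID` for exactly that case) would leave the context without a purpose and `X509_verify_cert()` would run without the requested purpose check instead of the tool reporting an error. Assuming the setter returns 0 on failure like the other X509_STORE_CTX setters, guard it and bail out through the existing `end:` label: `if(purpose >= 0 && !X509_STORE_CTX_set_purpose(csc, purpose)) { ERR_print_errors(bio_err); goto end; }` (using whichever error BIO this file prints to). The replaced `X509_STORE_CTX_chain_purpose()` call had the same weakness, so this is not a regression, but a verify tool that silently drops a check the user asked for is worth fixing while the call is being touched. check() starts and ends outside the hunk; note also that the earlier hunk's `X509_init()` is declared `void` in this commit, so MAIN cannot detect a failed table registration either.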

+2 −4
@@ -384,8 +384,7 @@ bad:
		app_RAND_load_file(NULL, bio_err, 0);

	ERR_load_crypto_strings();
	X509V3_add_standard_extensions();
	X509_PURPOSE_add_standard();
	X509_init();

	if (!X509_STORE_set_default_paths(ctx))
		{
@@ -871,8 +870,7 @@ end:
	EVP_PKEY_free(Upkey);
	EVP_PKEY_free(CApkey);
	X509_REQ_free(rq);
	X509V3_EXT_cleanup();
	X509_PURPOSE_cleanup();
	X509_cleanup();
	EXIT(ret);
	}

+25 −6
@@ -294,6 +294,24 @@ x509_set.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
x509_set.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
x509_set.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
x509_set.o: ../cryptlib.h
x509_trs.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
x509_trs.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
x509_trs.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
x509_trs.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
x509_trs.o: ../../include/openssl/des.h ../../include/openssl/dh.h
x509_trs.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
x509_trs.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
x509_trs.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
x509_trs.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
x509_trs.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
x509_trs.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
x509_trs.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
x509_trs.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
x509_trs.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
x509_trs.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
x509_trs.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
x509_trs.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
x509_trs.o: ../../include/openssl/x509v3.h ../cryptlib.h
x509_txt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
x509_txt.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
x509_txt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -315,11 +333,12 @@ x509_txt.o: ../cryptlib.h
x509_v3.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
x509_v3.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
x509_v3.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
x509_v3.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
x509_v3.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
x509_v3.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
x509_v3.o: ../../include/openssl/err.h ../../include/openssl/evp.h
x509_v3.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
x509_v3.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
x509_v3.o: ../../include/openssl/des.h ../../include/openssl/dh.h
x509_v3.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
x509_v3.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
x509_v3.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
x509_v3.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
x509_v3.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
x509_v3.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
x509_v3.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
@@ -328,7 +347,7 @@ x509_v3.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
x509_v3.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
x509_v3.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
x509_v3.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
x509_v3.o: ../cryptlib.h
x509_v3.o: ../../include/openssl/x509v3.h ../cryptlib.h
x509_vfy.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
x509_vfy.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
x509_vfy.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+4 −1
@@ -1015,6 +1015,8 @@ int X509_EXTENSION_set_data(X509_EXTENSION *ex,
ASN1_OBJECT *	X509_EXTENSION_get_object(X509_EXTENSION *ex);
ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ne);
int		X509_EXTENSION_get_critical(X509_EXTENSION *ex);
void		X509_init(void);
void		X509_cleanup(void);

int		X509_verify_cert(X509_STORE_CTX *ctx);

@@ -1098,9 +1100,9 @@ int X509_TRUST_get_trust(X509_TRUST *xp);
#define X509_F_X509_REQ_PRINT				 121
#define X509_F_X509_REQ_PRINT_FP			 122
#define X509_F_X509_REQ_TO_X509				 123
#define X509_F_X509_SET_PURPOSE_AND_TRUST		 134
#define X509_F_X509_STORE_ADD_CERT			 124
#define X509_F_X509_STORE_ADD_CRL			 125
#define X509_F_X509_STORE_CTX_PURPOSE_INHERIT		 134
#define X509_F_X509_TO_X509_REQ				 126
#define X509_F_X509_TRUST_ADD				 133
#define X509_F_X509_VERIFY_CERT				 127
@@ -1123,6 +1125,7 @@ int X509_TRUST_get_trust(X509_TRUST *xp);
#define X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY		 108
#define X509_R_UNKNOWN_KEY_TYPE				 117
#define X509_R_UNKNOWN_NID				 109
#define X509_R_UNKNOWN_PURPOSE_ID			 121
#define X509_R_UNKNOWN_TRUST_ID				 120
#define X509_R_UNSUPPORTED_ALGORITHM			 111
#define X509_R_WRONG_LOOKUP_TYPE			 112
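Review bot: `X509_init()` is declared `void`, so the applications this commit switches to it (verify and x509) lose any way to notice that registering the standard purpose, trust and extension tables failed; the existing `X509_F_X509_TRUST_ADD` function code suggests at least the trust registration can push an error. Consider `int X509_init(void);` returning 0 when any registration fails, and give both new prototypes a one-line comment, e.g. `/* Register the standard purpose, trust and extension tables; X509_cleanup() releases them. */`. Function code 134 is reassigned from the deleted `X509_F_X509_SET_PURPOSE_AND_TRUST` to `X509_F_X509_STORE_CTX_PURPOSE_INHERIT`, which is fine within one commit provided no other file still references the old name. The prototype for `X509_STORE_CTX_purpose_inherit()` named in the commit message is not in this hunk; presumably it is declared elsewhere in the header.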
+2 −1
@@ -91,9 +91,9 @@ static ERR_STRING_DATA X509_str_functs[]=
{ERR_PACK(0,X509_F_X509_REQ_PRINT,0),	"X509_REQ_print"},
{ERR_PACK(0,X509_F_X509_REQ_PRINT_FP,0),	"X509_REQ_print_fp"},
{ERR_PACK(0,X509_F_X509_REQ_TO_X509,0),	"X509_REQ_to_X509"},
{ERR_PACK(0,X509_F_X509_SET_PURPOSE_AND_TRUST,0),	"X509_set_purpose_and_trust"},
{ERR_PACK(0,X509_F_X509_STORE_ADD_CERT,0),	"X509_STORE_add_cert"},
{ERR_PACK(0,X509_F_X509_STORE_ADD_CRL,0),	"X509_STORE_add_crl"},
{ERR_PACK(0,X509_F_X509_STORE_CTX_PURPOSE_INHERIT,0),	"X509_STORE_CTX_purpose_inherit"},
{ERR_PACK(0,X509_F_X509_TO_X509_REQ,0),	"X509_to_X509_REQ"},
{ERR_PACK(0,X509_F_X509_TRUST_ADD,0),	"X509_TRUST_add"},
{ERR_PACK(0,X509_F_X509_VERIFY_CERT,0),	"X509_verify_cert"},
@@ -119,6 +119,7 @@ static ERR_STRING_DATA X509_str_reasons[]=
{X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY   ,"unable to get certs public key"},
{X509_R_UNKNOWN_KEY_TYPE                 ,"unknown key type"},
{X509_R_UNKNOWN_NID                      ,"unknown nid"},
{X509_R_UNKNOWN_PURPOSE_ID               ,"unknown purpose id"},
{X509_R_UNKNOWN_TRUST_ID                 ,"unknown trust id"},
{X509_R_UNSUPPORTED_ALGORITHM            ,"unsupported algorithm"},
{X509_R_WRONG_LOOKUP_TYPE                ,"wrong lookup type"},