Initial support for certificate policy checking and evaluation. (4acc3e90) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

CHANGES

+5 −0

Original line number	Diff line number	Diff line
		@@ -4,6 +4,11 @@

		Changes between 0.9.7c and 0.9.8 [xx XXX xxxx]

		*) Preliminary support for certificate policy evaluation and checking. This
		is initially intended to pass the tests outlined in "Conformance Testing
		of Relying Party Client Certificate Path Processing Logic" v1.07.
		[Steve Henson]

		*) bn_dup_expand() has been deprecated, it was introduced in 0.9.7 and
		remained unused and not that useful. A variety of other little bignum
		tweaks and fixes have also been made continuing on from the audit (see

crypto/asn1/x_x509.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -79,6 +79,8 @@ ASN1_SEQUENCE(X509_CINF) = {
		IMPLEMENT_ASN1_FUNCTIONS(X509_CINF)
		/* X509 top level structure needs a bit of customisation */

		extern void policy_cache_free(X509_POLICY_CACHE *cache);

		static int x509_cb(int operation, ASN1_VALUE *pval, const ASN1_ITEM it)
		{
		X509 ret = (X509 )*pval;
		@@ -106,6 +108,7 @@ static int x509_cb(int operation, ASN1_VALUE *pval, const ASN1_ITEM it)
		X509_CERT_AUX_free(ret->aux);
		ASN1_OCTET_STRING_free(ret->skid);
		AUTHORITY_KEYID_free(ret->akid);
		policy_cache_free(ret->policy_cache);

		if (ret->name != NULL) OPENSSL_free(ret->name);
		break;

crypto/ossl_typ.h

+5 −0

Original line number	Diff line number	Diff line
		@@ -119,6 +119,11 @@ typedef struct conf_st CONF;

		typedef struct engine_st ENGINE;

		typedef struct X509_POLICY_NODE_st X509_POLICY_NODE;
		typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL;
		typedef struct X509_POLICY_TREE_st X509_POLICY_TREE;
		typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE;

		/* If placed in pkcs12.h, we end up with a circular depency with pkcs7.h */
		#define DECLARE_PKCS12_STACK_OF(type) /* Nothing */
		#define IMPLEMENT_PKCS12_STACK_OF(type) /* Nothing */

crypto/stack/safestack.h

+63 −0

Original line number	Diff line number	Diff line
		@@ -1359,6 +1359,69 @@ STACK_OF(type) \
		#define sk_X509_OBJECT_pop(st) SKM_sk_pop(X509_OBJECT, (st))
		#define sk_X509_OBJECT_sort(st) SKM_sk_sort(X509_OBJECT, (st))

		#define sk_X509_POLICY_DATA_new(st) SKM_sk_new(X509_POLICY_DATA, (st))
		#define sk_X509_POLICY_DATA_new_null() SKM_sk_new_null(X509_POLICY_DATA)
		#define sk_X509_POLICY_DATA_free(st) SKM_sk_free(X509_POLICY_DATA, (st))
		#define sk_X509_POLICY_DATA_num(st) SKM_sk_num(X509_POLICY_DATA, (st))
		#define sk_X509_POLICY_DATA_value(st, i) SKM_sk_value(X509_POLICY_DATA, (st), (i))
		#define sk_X509_POLICY_DATA_set(st, i, val) SKM_sk_set(X509_POLICY_DATA, (st), (i), (val))
		#define sk_X509_POLICY_DATA_zero(st) SKM_sk_zero(X509_POLICY_DATA, (st))
		#define sk_X509_POLICY_DATA_push(st, val) SKM_sk_push(X509_POLICY_DATA, (st), (val))
		#define sk_X509_POLICY_DATA_unshift(st, val) SKM_sk_unshift(X509_POLICY_DATA, (st), (val))
		#define sk_X509_POLICY_DATA_find(st, val) SKM_sk_find(X509_POLICY_DATA, (st), (val))
		#define sk_X509_POLICY_DATA_find_ex(st, val) SKM_sk_find_ex(X509_POLICY_DATA, (st), (val))
		#define sk_X509_POLICY_DATA_delete(st, i) SKM_sk_delete(X509_POLICY_DATA, (st), (i))
		#define sk_X509_POLICY_DATA_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509_POLICY_DATA, (st), (ptr))
		#define sk_X509_POLICY_DATA_insert(st, val, i) SKM_sk_insert(X509_POLICY_DATA, (st), (val), (i))
		#define sk_X509_POLICY_DATA_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_POLICY_DATA, (st), (cmp))
		#define sk_X509_POLICY_DATA_dup(st) SKM_sk_dup(X509_POLICY_DATA, st)
		#define sk_X509_POLICY_DATA_pop_free(st, free_func) SKM_sk_pop_free(X509_POLICY_DATA, (st), (free_func))
		#define sk_X509_POLICY_DATA_shift(st) SKM_sk_shift(X509_POLICY_DATA, (st))
		#define sk_X509_POLICY_DATA_pop(st) SKM_sk_pop(X509_POLICY_DATA, (st))
		#define sk_X509_POLICY_DATA_sort(st) SKM_sk_sort(X509_POLICY_DATA, (st))

		#define sk_X509_POLICY_NODE_new(st) SKM_sk_new(X509_POLICY_NODE, (st))
		#define sk_X509_POLICY_NODE_new_null() SKM_sk_new_null(X509_POLICY_NODE)
		#define sk_X509_POLICY_NODE_free(st) SKM_sk_free(X509_POLICY_NODE, (st))
		#define sk_X509_POLICY_NODE_num(st) SKM_sk_num(X509_POLICY_NODE, (st))
		#define sk_X509_POLICY_NODE_value(st, i) SKM_sk_value(X509_POLICY_NODE, (st), (i))
		#define sk_X509_POLICY_NODE_set(st, i, val) SKM_sk_set(X509_POLICY_NODE, (st), (i), (val))
		#define sk_X509_POLICY_NODE_zero(st) SKM_sk_zero(X509_POLICY_NODE, (st))
		#define sk_X509_POLICY_NODE_push(st, val) SKM_sk_push(X509_POLICY_NODE, (st), (val))
		#define sk_X509_POLICY_NODE_unshift(st, val) SKM_sk_unshift(X509_POLICY_NODE, (st), (val))
		#define sk_X509_POLICY_NODE_find(st, val) SKM_sk_find(X509_POLICY_NODE, (st), (val))
		#define sk_X509_POLICY_NODE_find_ex(st, val) SKM_sk_find_ex(X509_POLICY_NODE, (st), (val))
		#define sk_X509_POLICY_NODE_delete(st, i) SKM_sk_delete(X509_POLICY_NODE, (st), (i))
		#define sk_X509_POLICY_NODE_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509_POLICY_NODE, (st), (ptr))
		#define sk_X509_POLICY_NODE_insert(st, val, i) SKM_sk_insert(X509_POLICY_NODE, (st), (val), (i))
		#define sk_X509_POLICY_NODE_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_POLICY_NODE, (st), (cmp))
		#define sk_X509_POLICY_NODE_dup(st) SKM_sk_dup(X509_POLICY_NODE, st)
		#define sk_X509_POLICY_NODE_pop_free(st, free_func) SKM_sk_pop_free(X509_POLICY_NODE, (st), (free_func))
		#define sk_X509_POLICY_NODE_shift(st) SKM_sk_shift(X509_POLICY_NODE, (st))
		#define sk_X509_POLICY_NODE_pop(st) SKM_sk_pop(X509_POLICY_NODE, (st))
		#define sk_X509_POLICY_NODE_sort(st) SKM_sk_sort(X509_POLICY_NODE, (st))

		#define sk_X509_POLICY_REF_new(st) SKM_sk_new(X509_POLICY_REF, (st))
		#define sk_X509_POLICY_REF_new_null() SKM_sk_new_null(X509_POLICY_REF)
		#define sk_X509_POLICY_REF_free(st) SKM_sk_free(X509_POLICY_REF, (st))
		#define sk_X509_POLICY_REF_num(st) SKM_sk_num(X509_POLICY_REF, (st))
		#define sk_X509_POLICY_REF_value(st, i) SKM_sk_value(X509_POLICY_REF, (st), (i))
		#define sk_X509_POLICY_REF_set(st, i, val) SKM_sk_set(X509_POLICY_REF, (st), (i), (val))
		#define sk_X509_POLICY_REF_zero(st) SKM_sk_zero(X509_POLICY_REF, (st))
		#define sk_X509_POLICY_REF_push(st, val) SKM_sk_push(X509_POLICY_REF, (st), (val))
		#define sk_X509_POLICY_REF_unshift(st, val) SKM_sk_unshift(X509_POLICY_REF, (st), (val))
		#define sk_X509_POLICY_REF_find(st, val) SKM_sk_find(X509_POLICY_REF, (st), (val))
		#define sk_X509_POLICY_REF_find_ex(st, val) SKM_sk_find_ex(X509_POLICY_REF, (st), (val))
		#define sk_X509_POLICY_REF_delete(st, i) SKM_sk_delete(X509_POLICY_REF, (st), (i))
		#define sk_X509_POLICY_REF_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509_POLICY_REF, (st), (ptr))
		#define sk_X509_POLICY_REF_insert(st, val, i) SKM_sk_insert(X509_POLICY_REF, (st), (val), (i))
		#define sk_X509_POLICY_REF_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_POLICY_REF, (st), (cmp))
		#define sk_X509_POLICY_REF_dup(st) SKM_sk_dup(X509_POLICY_REF, st)
		#define sk_X509_POLICY_REF_pop_free(st, free_func) SKM_sk_pop_free(X509_POLICY_REF, (st), (free_func))
		#define sk_X509_POLICY_REF_shift(st) SKM_sk_shift(X509_POLICY_REF, (st))
		#define sk_X509_POLICY_REF_pop(st) SKM_sk_pop(X509_POLICY_REF, (st))
		#define sk_X509_POLICY_REF_sort(st) SKM_sk_sort(X509_POLICY_REF, (st))

		#define sk_X509_PURPOSE_new(st) SKM_sk_new(X509_PURPOSE, (st))
		#define sk_X509_PURPOSE_new_null() SKM_sk_new_null(X509_PURPOSE)
		#define sk_X509_PURPOSE_free(st) SKM_sk_free(X509_PURPOSE, (st))

crypto/x509/x509.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -285,6 +285,7 @@ struct x509_st
		unsigned long ex_nscert;
		ASN1_OCTET_STRING *skid;
		struct AUTHORITY_KEYID_st *akid;
		X509_POLICY_CACHE *policy_cache;
		#ifndef OPENSSL_NO_SHA
		unsigned char sha1_hash[SHA_DIGEST_LENGTH];
		#endif