CHANGES +14 −0 @@ -4,6 +4,18 @@ Changes between 0.9.8i and 0.9.9 [xx XXX xxxx] *) Fixes to pathlength constraint, self issued certificate handling, policy processing to align with RFC3280 and PKITS tests. This work was sponsored by Google. [Steve Henson] *) Support for name constraints certificate extension. DN, email, DNS and URI types are currently supported. This work was sponsored by Google. [Steve Henson] *) To cater for systems that provide a pointer-based thread ID rather than numeric, deprecate the current numeric thread ID mechanism and replace it with a structure and associated callback type. This @@ -31,6 +43,8 @@ *) Initial support for different CRL issuing certificates. This covers a simple case where the self issued certificates in the chain exist and the real CRL issuer is higher in the existing chain. This work was sponsored by Google. [Steve Henson] *) Removed effectively defunct crypto/store from the build. crypto/asn1/x_x509.c +2 −0 @@ -116,6 +116,8 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, AUTHORITY_KEYID_free(ret->akid); CRL_DIST_POINTS_free(ret->crldp); policy_cache_free(ret->policy_cache); GENERAL_NAMES_free(ret->altname); NAME_CONSTRAINTS_free(ret->nc); #ifndef OPENSSL_NO_RFC3779 sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free); ASIdentifiers_free(ret->rfc3779_asid); crypto/ossl_typ.h +1 −0
@@ -177,6 +177,7 @@ typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE; typedef struct AUTHORITY_KEYID_st AUTHORITY_KEYID; typedef struct DIST_POINT_st DIST_POINT; typedef struct ISSUING_DIST_POINT_st ISSUING_DIST_POINT; typedef struct NAME_CONSTRAINTS_st NAME_CONSTRAINTS; /* If placed in pkcs12.h, we end up with a circular depency with pkcs7.h */ #define DECLARE_PKCS12_STACK_OF(type) /* Nothing */ crypto/x509/x509.h +2 −0 @@ -294,6 +294,8 @@ struct x509_st AUTHORITY_KEYID *akid; X509_POLICY_CACHE *policy_cache; STACK_OF(DIST_POINT) *crldp; STACK_OF(GENERAL_NAME) *altname; NAME_CONSTRAINTS *nc; #ifndef OPENSSL_NO_RFC3779 STACK_OF(IPAddressFamily) *rfc3779_addr; struct ASIdentifiers_st *rfc3779_asid; crypto/x509/x509_txt.c +14 −0 @@ -168,6 +168,20 @@ const char *X509_verify_cert_error_string(long n) return("Unsupported extension feature"); case X509_V_ERR_UNNESTED_RESOURCE: return("RFC 3779 resource not subset of parent's resources"); case X509_V_ERR_PERMITTED_VIOLATION: return("permitted subtree violation"); case X509_V_ERR_EXCLUDED_VIOLATION: return("excluded subtree violation"); case X509_V_ERR_SUBTREE_MINMAX: return("name constraints minimum and maximum not supported"); case X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: return("unsupported name constraint type"); case X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: return("unsupported or invalid name constraint syntax"); case X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: return("unsupported or invalid name syntax"); default: BIO_snprintf(buf,sizeof buf,"error number %ld",n); return(buf);
CHANGES +14 −0 @@ -4,6 +4,18 @@ Changes between 0.9.8i and 0.9.9 [xx XXX xxxx] *) Fixes to pathlength constraint, self issued certificate handling, policy processing to align with RFC3280 and PKITS tests. This work was sponsored by Google. [Steve Henson] *) Support for name constraints certificate extension. DN, email, DNS and URI types are currently supported. This work was sponsored by Google. [Steve Henson] *) To cater for systems that provide a pointer-based thread ID rather than numeric, deprecate the current numeric thread ID mechanism and replace it with a structure and associated callback type. This @@ -31,6 +43,8 @@ *) Initial support for different CRL issuing certificates. This covers a simple case where the self issued certificates in the chain exist and the real CRL issuer is higher in the existing chain. This work was sponsored by Google. [Steve Henson] *) Removed effectively defunct crypto/store from the build.
crypto/asn1/x_x509.c +2 −0 @@ -116,6 +116,8 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, AUTHORITY_KEYID_free(ret->akid); CRL_DIST_POINTS_free(ret->crldp); policy_cache_free(ret->policy_cache); GENERAL_NAMES_free(ret->altname); NAME_CONSTRAINTS_free(ret->nc); #ifndef OPENSSL_NO_RFC3779 sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free); ASIdentifiers_free(ret->rfc3779_asid);
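Review bot: The two new frees of `ret->altname` and `ret->nc` are safe only if both members are NULL on every X509 whose extensions were never parsed into them, and this section is +2 −0, so nothing was added to the allocation branch of x509_cb in this file. That branch lies outside the hunk (x509_cb starts and ends outside it), so confirm that it, or the allocator zeroing the structure, leaves the new members NULL; if neither does, freeing a freshly created certificate would hand indeterminate pointers to `GENERAL_NAMES_free` and `NAME_CONSTRAINTS_free`. If the other cached members are reset explicitly there, add `ret->altname = NULL;` and `ret->nc = NULL;` beside them.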
crypto/ossl_typ.h +1 −0 @@ -177,6 +177,7 @@ typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE; typedef struct AUTHORITY_KEYID_st AUTHORITY_KEYID; typedef struct DIST_POINT_st DIST_POINT; typedef struct ISSUING_DIST_POINT_st ISSUING_DIST_POINT; typedef struct NAME_CONSTRAINTS_st NAME_CONSTRAINTS; /* If placed in pkcs12.h, we end up with a circular depency with pkcs7.h */ #define DECLARE_PKCS12_STACK_OF(type) /* Nothing */
crypto/x509/x509.h +2 −0 @@ -294,6 +294,8 @@ struct x509_st AUTHORITY_KEYID *akid; X509_POLICY_CACHE *policy_cache; STACK_OF(DIST_POINT) *crldp; STACK_OF(GENERAL_NAME) *altname; NAME_CONSTRAINTS *nc; #ifndef OPENSSL_NO_RFC3779 STACK_OF(IPAddressFamily) *rfc3779_addr; struct ASIdentifiers_st *rfc3779_asid;
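Review bot: The new `altname` and `nc` members of x509_st carry no comment saying what fills them, when, and who frees them, and for `nc` that contract matters to verification. A NULL `nc` presumably means "no name constraints", so a reader needs to know that a nameConstraints extension which is present but fails to decode is recorded some other way and cannot be mistaken for an unconstrained issuer; the code that populates these members is not on this page, so this is something to confirm, not a known defect. Once confirmed, a comment such as `/* parsed copy of the extension, NULL if absent; freed in x509_cb */` on each member, plus one line on how a decode failure is signalled, would cover it. struct x509_st begins and ends outside the hunk.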
crypto/x509/x509_txt.c +14 −0 @@ -168,6 +168,20 @@ const char *X509_verify_cert_error_string(long n) return("Unsupported extension feature"); case X509_V_ERR_UNNESTED_RESOURCE: return("RFC 3779 resource not subset of parent's resources"); case X509_V_ERR_PERMITTED_VIOLATION: return("permitted subtree violation"); case X509_V_ERR_EXCLUDED_VIOLATION: return("excluded subtree violation"); case X509_V_ERR_SUBTREE_MINMAX: return("name constraints minimum and maximum not supported"); case X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: return("unsupported name constraint type"); case X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: return("unsupported or invalid name constraint syntax"); case X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: return("unsupported or invalid name syntax"); default: BIO_snprintf(buf,sizeof buf,"error number %ld",n); return(buf);
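Review bot: The new strings for `X509_V_ERR_PERMITTED_VIOLATION` and `X509_V_ERR_EXCLUDED_VIOLATION` never mention name constraints, so someone triaging a failed verification from a log line that reads only "permitted subtree violation" has to know the term already to find the cause. The strings for `X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX` and `X509_V_ERR_UNSUPPORTED_NAME_SYNTAX` also differ by a single word, which makes them easy to confuse in logs. Consider `return("name constraints: permitted subtree violation");` and `return("name constraints: excluded subtree violation");`, and a more distinct wording for the name-syntax case. X509_verify_cert_error_string continues outside the hunk.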