Commit e9746e03 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson

Initial support for name constraints certificate extension.

TODO: robustness checking on name forms.
parent ab9c689a
+14 −0
@@ -4,6 +4,18 @@

 Changes between 0.9.8i and 0.9.9  [xx XXX xxxx]

  *) Fixes to pathlength constraint, self issued certificate handling,
     policy processing to align with RFC3280 and PKITS tests.

     This work was sponsored by Google.
     [Steve Henson]

  *) Support for name constraints certificate extension. DN, email, DNS
     and URI types are currently supported.

     This work was sponsored by Google.
     [Steve Henson]

  *) To cater for systems that provide a pointer-based thread ID rather
     than numeric, deprecate the current numeric thread ID mechanism and
     replace it with a structure and associated callback type. This
@@ -31,6 +43,8 @@
  *) Initial support for different CRL issuing certificates. This covers a
     simple case where the self issued certificates in the chain exist and
     the real CRL issuer is higher in the existing chain.

     This work was sponsored by Google.
     [Steve Henson]

  *) Removed effectively defunct crypto/store from the build.
+2 −0
@@ -116,6 +116,8 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
		AUTHORITY_KEYID_free(ret->akid);
		CRL_DIST_POINTS_free(ret->crldp);
		policy_cache_free(ret->policy_cache);
		GENERAL_NAMES_free(ret->altname);
		NAME_CONSTRAINTS_free(ret->nc);
#ifndef OPENSSL_NO_RFC3779
		sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free);
		ASIdentifiers_free(ret->rfc3779_asid);
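Review bot: NAME_CONSTRAINTS_free(ret->nc) and GENERAL_NAMES_free(ret->altname) are added to the teardown path of x509_cb, but the branch that initialises a freshly created object is outside this hunk, so it is not visible whether ret->nc and ret->altname are reset to NULL there; if they are not, freeing a certificate whose extensions were never decoded would hand an indeterminate pointer to these free functions. The creation path should carry `ret->altname = NULL;` and `ret->nc = NULL;` next to whatever resets the other cached extension pointers (akid, crldp, policy_cache). x509_cb begins and ends outside the hunk, so I cannot confirm this from here.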
+1 −0
@@ -177,6 +177,7 @@ typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE;
typedef struct AUTHORITY_KEYID_st AUTHORITY_KEYID;
typedef struct DIST_POINT_st DIST_POINT;
typedef struct ISSUING_DIST_POINT_st ISSUING_DIST_POINT;
typedef struct NAME_CONSTRAINTS_st NAME_CONSTRAINTS;

  /* If placed in pkcs12.h, we end up with a circular depency with pkcs7.h */
#define DECLARE_PKCS12_STACK_OF(type) /* Nothing */
+2 −0
@@ -294,6 +294,8 @@ struct x509_st
	AUTHORITY_KEYID *akid;
	X509_POLICY_CACHE *policy_cache;
	STACK_OF(DIST_POINT) *crldp;
	STACK_OF(GENERAL_NAME) *altname;
	NAME_CONSTRAINTS *nc;
#ifndef OPENSSL_NO_RFC3779
	STACK_OF(IPAddressFamily) *rfc3779_addr;
	struct ASIdentifiers_st *rfc3779_asid;
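Review bot: The new `nc` member of struct x509_st carries no comment, so nothing in the struct says whether it is a decoded cache owned by the X509 or a borrowed pointer; since the companion x_x509.c change frees it together with akid, crldp and altname, a one-line comment such as `NAME_CONSTRAINTS *nc; /* cached nameConstraints extension, owned; freed in x509_cb */` would record that ownership. Whether the field is NULL when the extension is absent is my reading of the free path and should be confirmed where the field is populated. struct x509_st begins and ends outside the hunk.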
+14 −0
@@ -168,6 +168,20 @@ const char *X509_verify_cert_error_string(long n)
	return("Unsupported extension feature");
 	case X509_V_ERR_UNNESTED_RESOURCE:
 		return("RFC 3779 resource not subset of parent's resources");

	case X509_V_ERR_PERMITTED_VIOLATION:
		return("permitted subtree violation");
	case X509_V_ERR_EXCLUDED_VIOLATION:
		return("excluded subtree violation");
	case X509_V_ERR_SUBTREE_MINMAX:
		return("name constraints minimum and maximum not supported");
	case X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE:
		return("unsupported name constraint type");
	case X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX:
		return("unsupported or invalid name constraint syntax");
	case X509_V_ERR_UNSUPPORTED_NAME_SYNTAX:
		return("unsupported or invalid name syntax");

	default:
		BIO_snprintf(buf,sizeof buf,"error number %ld",n);
		return(buf);
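Review bot: The two new strings "unsupported or invalid name constraint syntax" and "unsupported or invalid name syntax" fold two different conditions into one code each — a name form the verifier does not implement and a malformed encoding — so a caller of X509_verify_cert_error_string cannot distinguish a policy gap from corrupt input, which matters when deciding whether a failure is retryable or a hard reject. The commit's own TODO on robustness checking suggests this split is still open; a comment on these two cases such as `/* TODO: separate malformed-encoding from unsupported-form errors */` would flag it for the follow-up. Minor style point: the blank lines before the X509_V_ERR_PERMITTED_VIOLATION case and after the X509_V_ERR_UNSUPPORTED_NAME_SYNTAX case break the run of contiguous case labels used by the neighbouring cases in this hunk. The switch and X509_verify_cert_error_string continue outside the hunk.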