Commit e9746e03 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson

Initial support for name constraints certificate extension.

TODO: robustness checking on name forms.
parent ab9c689a
+14 −0
@@ -4,6 +4,18 @@


 Changes between 0.9.8i and 0.9.9  [xx XXX xxxx]
 Changes between 0.9.8i and 0.9.9  [xx XXX xxxx]


  *) Fixes to pathlength constraint, self issued certificate handling,
     policy processing to align with RFC3280 and PKITS tests.

     This work was sponsored by Google.
     [Steve Henson]

  *) Support for name constraints certificate extension. DN, email, DNS
     and URI types are currently supported.

     This work was sponsored by Google.
     [Steve Henson]

  *) To cater for systems that provide a pointer-based thread ID rather
  *) To cater for systems that provide a pointer-based thread ID rather
     than numeric, deprecate the current numeric thread ID mechanism and
     than numeric, deprecate the current numeric thread ID mechanism and
     replace it with a structure and associated callback type. This
     replace it with a structure and associated callback type. This
@@ -31,6 +43,8 @@
  *) Initial support for different CRL issuing certificates. This covers a
  *) Initial support for different CRL issuing certificates. This covers a
     simple case where the self issued certificates in the chain exist and
     simple case where the self issued certificates in the chain exist and
     the real CRL issuer is higher in the existing chain.
     the real CRL issuer is higher in the existing chain.

     This work was sponsored by Google.
     [Steve Henson]
     [Steve Henson]


  *) Removed effectively defunct crypto/store from the build.
  *) Removed effectively defunct crypto/store from the build.
+2 −0
@@ -116,6 +116,8 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
		AUTHORITY_KEYID_free(ret->akid);
		AUTHORITY_KEYID_free(ret->akid);
		CRL_DIST_POINTS_free(ret->crldp);
		CRL_DIST_POINTS_free(ret->crldp);
		policy_cache_free(ret->policy_cache);
		policy_cache_free(ret->policy_cache);
		GENERAL_NAMES_free(ret->altname);
		NAME_CONSTRAINTS_free(ret->nc);
#ifndef OPENSSL_NO_RFC3779
#ifndef OPENSSL_NO_RFC3779
		sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free);
		sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free);
		ASIdentifiers_free(ret->rfc3779_asid);
		ASIdentifiers_free(ret->rfc3779_asid);
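Review bot: The two new frees on `ret->altname` and `ret->nc` are only safe if both pointers are NULL for an X509 whose extension cache was never built, and that initialisation would live in the ASN1_OP_NEW_POST branch of x509_cb, which starts above this hunk and is not visible here. If that branch is not updated together with this one, an X509 that is allocated and freed without ever being cached hands indeterminate pointers to GENERAL_NAMES_free()/NAME_CONSTRAINTS_free(), so please confirm it also gains `ret->altname = NULL;` and `ret->nc = NULL;`. Like the other ASN1_item-style frees in this branch these routines presumably accept NULL, so zeroing at creation is sufficient. x509_cb's body continues outside the hunk on both sides.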
+1 −0
@@ -177,6 +177,7 @@ typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE;
typedef struct AUTHORITY_KEYID_st AUTHORITY_KEYID;
typedef struct AUTHORITY_KEYID_st AUTHORITY_KEYID;
typedef struct DIST_POINT_st DIST_POINT;
typedef struct DIST_POINT_st DIST_POINT;
typedef struct ISSUING_DIST_POINT_st ISSUING_DIST_POINT;
typedef struct ISSUING_DIST_POINT_st ISSUING_DIST_POINT;
typedef struct NAME_CONSTRAINTS_st NAME_CONSTRAINTS;


  /* If placed in pkcs12.h, we end up with a circular depency with pkcs7.h */
  /* If placed in pkcs12.h, we end up with a circular depency with pkcs7.h */
#define DECLARE_PKCS12_STACK_OF(type) /* Nothing */
#define DECLARE_PKCS12_STACK_OF(type) /* Nothing */
+2 −0
@@ -294,6 +294,8 @@ struct x509_st
	AUTHORITY_KEYID *akid;
	AUTHORITY_KEYID *akid;
	X509_POLICY_CACHE *policy_cache;
	X509_POLICY_CACHE *policy_cache;
	STACK_OF(DIST_POINT) *crldp;
	STACK_OF(DIST_POINT) *crldp;
	STACK_OF(GENERAL_NAME) *altname;
	NAME_CONSTRAINTS *nc;
#ifndef OPENSSL_NO_RFC3779
#ifndef OPENSSL_NO_RFC3779
	STACK_OF(IPAddressFamily) *rfc3779_addr;
	STACK_OF(IPAddressFamily) *rfc3779_addr;
	struct ASIdentifiers_st *rfc3779_asid;
	struct ASIdentifiers_st *rfc3779_asid;
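Review bot: The new `altname` and `nc` members of the public `x509_st` carry no comment saying they are cached, owned decodings rather than borrowed references, which matters because the x_x509.c hunk in this commit frees them from the X509 free hook; a one-liner such as `NAME_CONSTRAINTS *nc; /* cached nameConstraints, owned by the X509, NULL if absent */` (and the same for the subjectAltName field) would stop a later change from storing a pointer it does not own here. Appending members also changes sizeof(X509) for any application that embeds or allocates the struct itself rather than via X509_new(), which is worth a mention in CHANGES if that use is considered supported. struct x509_st begins and ends outside this hunk.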
+14 −0
@@ -168,6 +168,20 @@ const char *X509_verify_cert_error_string(long n)
	return("Unsupported extension feature");
	return("Unsupported extension feature");
 	case X509_V_ERR_UNNESTED_RESOURCE:
 	case X509_V_ERR_UNNESTED_RESOURCE:
 		return("RFC 3779 resource not subset of parent's resources");
 		return("RFC 3779 resource not subset of parent's resources");

	case X509_V_ERR_PERMITTED_VIOLATION:
		return("permitted subtree violation");
	case X509_V_ERR_EXCLUDED_VIOLATION:
		return("excluded subtree violation");
	case X509_V_ERR_SUBTREE_MINMAX:
		return("name constraints minimum and maximum not supported");
	case X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE:
		return("unsupported name constraint type");
	case X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX:
		return("unsupported or invalid name constraint syntax");
	case X509_V_ERR_UNSUPPORTED_NAME_SYNTAX:
		return("unsupported or invalid name syntax");

	default:
	default:
		BIO_snprintf(buf,sizeof buf,"error number %ld",n);
		BIO_snprintf(buf,sizeof buf,"error number %ld",n);
		return(buf);
		return(buf);
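Review bot: The six new messages are all lower-case ("permitted subtree violation", "unsupported name constraint type", …) while the neighbouring entries in this table start with a capital ("Unsupported extension feature", "RFC 3779 resource …"); these strings are returned verbatim to callers of X509_verify_cert_error_string(), so one convention should be used, e.g. `return("Permitted subtree violation");`. The new X509_V_ERR_PERMITTED_VIOLATION … X509_V_ERR_UNSUPPORTED_NAME_SYNTAX cases also need matching definitions in the error-code header, which are not among the hunks shown here; if they are not part of this commit the file will not compile. The switch in X509_verify_cert_error_string starts before and ends after this hunk.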