diff options
| author | levitte <levitte> | 2005-01-27 14:47:06 +0000 |
|---|---|---|
| committer | levitte <levitte> | 2005-01-27 14:47:06 +0000 |
| commit | 260c1c442d59a34dcb1d71b1c6d0258bcc05f2d3 (patch) | |
| tree | 013a0afd4fa9fd1a90fb79462a5fecd8905444d3 | |
| parent | 42f7d30ed582d423f636794535cfa6880a8fac97 (diff) | |
| download | openssl-260c1c442d59a34dcb1d71b1c6d0258bcc05f2d3.tar.gz | |
Because 0.9.7f is close to being released, I can't release my work to
integrate RFC 3820 into OpenSSL into the 0.9.7 line of development
with good conciense. This branch is created to make it possible for
me to commit my work somewhere.
| -rw-r--r-- | apps/openssl-vms.cnf | 53 | ||||
| -rw-r--r-- | apps/openssl.cnf | 53 | ||||
| -rw-r--r-- | crypto/crypto-lib.com | 2 | ||||
| -rw-r--r-- | crypto/objects/obj_dat.h | 39 | ||||
| -rw-r--r-- | crypto/objects/obj_mac.h | 24 | ||||
| -rw-r--r-- | crypto/objects/obj_mac.num | 6 | ||||
| -rw-r--r-- | crypto/objects/objects.txt | 7 | ||||
| -rw-r--r-- | crypto/x509/x509_txt.c | 9 | ||||
| -rw-r--r-- | crypto/x509/x509_vfy.c | 34 | ||||
| -rw-r--r-- | crypto/x509/x509_vfy.h | 2 | ||||
| -rw-r--r-- | crypto/x509v3/Makefile | 48 | ||||
| -rw-r--r-- | crypto/x509v3/ext_dat.h | 5 | ||||
| -rw-r--r-- | crypto/x509v3/v3_pci.c | 313 | ||||
| -rw-r--r-- | crypto/x509v3/v3_pcia.c | 55 | ||||
| -rw-r--r-- | crypto/x509v3/v3_purp.c | 20 | ||||
| -rw-r--r-- | crypto/x509v3/v3err.c | 13 | ||||
| -rw-r--r-- | crypto/x509v3/x509v3.h | 29 | ||||
| -rw-r--r-- | fips/sha1/Makefile | 3 | ||||
| -rw-r--r-- | ssl/ssltest.c | 489 | ||||
| -rw-r--r-- | test/CAss.cnf | 8 | ||||
| -rw-r--r-- | test/Makefile | 55 | ||||
| -rw-r--r-- | test/P1ss.cnf | 37 | ||||
| -rw-r--r-- | test/P2ss.cnf | 45 | ||||
| -rw-r--r-- | test/Uss.cnf | 8 | ||||
| -rw-r--r-- | test/testss | 102 | ||||
| -rw-r--r-- | test/testsslproxy | 10 | ||||
| -rwxr-xr-x | util/libeay.num | 25 | ||||
| -rw-r--r-- | util/mkerr.pl | 4 |
28 files changed, 1401 insertions, 97 deletions
diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf index d8bc419de..878467ce9 100644 --- a/apps/openssl-vms.cnf +++ b/apps/openssl-vms.cnf @@ -258,3 +258,56 @@ basicConstraints = CA:true # issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always,issuer:always + +[ proxy_cert_ext ] +# These extensions should be added when creating a proxy certificate + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This really needs to be in place for it to be a proxy certificate. +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo diff --git a/apps/openssl.cnf b/apps/openssl.cnf index af688a426..4c1d595b0 100644 --- a/apps/openssl.cnf +++ b/apps/openssl.cnf @@ -258,3 +258,56 @@ basicConstraints = CA:true # issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always,issuer:always + +[ proxy_cert_ext ] +# These extensions should be added when creating a proxy certificate + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This really needs to be in place for it to be a proxy certificate. +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo diff --git a/crypto/crypto-lib.com b/crypto/crypto-lib.com index 4d802fe69..c044ce009 100644 --- a/crypto/crypto-lib.com +++ b/crypto/crypto-lib.com @@ -247,7 +247,7 @@ $ LIB_X509 = "x509_def,x509_d2,x509_r2x,x509_cmp,"+ - $ LIB_X509V3 = "v3_bcons,v3_bitst,v3_conf,v3_extku,v3_ia5,v3_lib,"+ - "v3_prn,v3_utl,v3err,v3_genn,v3_alt,v3_skey,v3_akey,v3_pku,"+ - "v3_int,v3_enum,v3_sxnet,v3_cpols,v3_crld,v3_purp,v3_info,"+ - - "v3_ocsp,v3_akeya" + "v3_ocsp,v3_akeya,v3_pcia,v3_pci" $ LIB_CONF = "conf_err,conf_lib,conf_api,conf_def,conf_mod,conf_mall,conf_sap" $ LIB_TXT_DB = "txt_db" $ LIB_PKCS7 = "pk7_asn1,pk7_lib,pkcs7err,pk7_doit,pk7_smime,pk7_attr,"+ - diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index ae50a72b9..878512705 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -62,12 +62,12 @@ * [including the GNU Public Licence.] */ -#define NUM_NID 662 -#define NUM_SN 655 -#define NUM_LN 655 -#define NUM_OBJ 619 +#define NUM_NID 668 +#define NUM_SN 660 +#define NUM_LN 660 +#define NUM_OBJ 624 -static unsigned char lvalues[4461]={ +static unsigned char lvalues[4500]={ 0x00, /* [ 0] OBJ_undef */ 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 1] OBJ_rsadsi */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 7] OBJ_pkcs */ @@ -687,6 +687,11 @@ static unsigned char lvalues[4461]={ 0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x03,/* [4444] OBJ_ms_upn */ 0x55,0x04,0x09, /* [4454] OBJ_streetAddress */ 0x55,0x04,0x11, /* [4457] OBJ_postalCode */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x15, /* [4460] OBJ_id_ppl */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0E, /* [4467] OBJ_proxyCertInfo */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x00, /* [4475] OBJ_id_ppl_anyLanguage */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x01, /* [4483] OBJ_id_ppl_inheritAll */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x02, /* [4491] OBJ_Independent */ }; static ASN1_OBJECT nid_objs[NUM_NID]={ @@ -1742,6 +1747,15 @@ static ASN1_OBJECT nid_objs[NUM_NID]={ {"DES-EDE3-CFB8","des-ede3-cfb8",NID_des_ede3_cfb8,0,NULL}, {"streetAddress","streetAddress",NID_streetAddress,3,&(lvalues[4454]),0}, {"postalCode","postalCode",NID_postalCode,3,&(lvalues[4457]),0}, +{"id-ppl","id-ppl",NID_id_ppl,7,&(lvalues[4460]),0}, +{"proxyCertInfo","Proxy Certificate Information",NID_proxyCertInfo,8, + &(lvalues[4467]),0}, +{"id-ppl-anyLanguage","Any language",NID_id_ppl_anyLanguage,8, + &(lvalues[4475]),0}, +{"id-ppl-inheritAll","Inherit all",NID_id_ppl_inheritAll,8, + &(lvalues[4483]),0}, +{NULL,NULL,NID_undef,0,NULL}, +{"id-ppl-independent","Independent",NID_Independent,8,&(lvalues[4491]),0}, }; static ASN1_OBJECT *sn_objs[NUM_SN]={ @@ -2046,6 +2060,10 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[271]),/* "id-pkix1-explicit-93" */ &(nid_objs[270]),/* "id-pkix1-implicit-88" */ &(nid_objs[272]),/* "id-pkix1-implicit-93" */ +&(nid_objs[662]),/* "id-ppl" */ +&(nid_objs[664]),/* "id-ppl-anyLanguage" */ +&(nid_objs[667]),/* "id-ppl-independent" */ +&(nid_objs[665]),/* "id-ppl-inheritAll" */ &(nid_objs[267]),/* "id-qcs" */ &(nid_objs[359]),/* "id-qcs-pkixQCSyntax-v1" */ &(nid_objs[259]),/* "id-qt" */ @@ -2221,6 +2239,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[415]),/* "prime256v1" */ &(nid_objs[385]),/* "private" */ &(nid_objs[84]),/* "privateKeyUsagePeriod" */ +&(nid_objs[663]),/* "proxyCertInfo" */ &(nid_objs[510]),/* "pseudonym" */ &(nid_objs[435]),/* "pss" */ &(nid_objs[286]),/* "qcStatements" */ @@ -2406,6 +2425,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[363]),/* "AD Time Stamping" */ &(nid_objs[405]),/* "ANSI X9.62" */ &(nid_objs[368]),/* "Acceptable OCSP Responses" */ +&(nid_objs[664]),/* "Any language" */ &(nid_objs[177]),/* "Authority Information Access" */ &(nid_objs[365]),/* "Basic OCSP Response" */ &(nid_objs[285]),/* "Biometric Info" */ @@ -2428,6 +2448,8 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[296]),/* "IPSec User" */ &(nid_objs[182]),/* "ISO Member Body" */ &(nid_objs[183]),/* "ISO US Member Body" */ +&(nid_objs[667]),/* "Independent" */ +&(nid_objs[665]),/* "Inherit all" */ &(nid_objs[142]),/* "Invalidity Date" */ &(nid_objs[504]),/* "MIME MHS" */ &(nid_objs[388]),/* "Mail" */ @@ -2468,6 +2490,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[164]),/* "Policy Qualifier CPS" */ &(nid_objs[165]),/* "Policy Qualifier User Notice" */ &(nid_objs[385]),/* "Private" */ +&(nid_objs[663]),/* "Proxy Certificate Information" */ &(nid_objs[ 1]),/* "RSA Data Security, Inc." */ &(nid_objs[ 2]),/* "RSA Data Security, Inc. PKCS" */ &(nid_objs[188]),/* "S/MIME" */ @@ -2704,6 +2727,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[271]),/* "id-pkix1-explicit-93" */ &(nid_objs[270]),/* "id-pkix1-implicit-88" */ &(nid_objs[272]),/* "id-pkix1-implicit-93" */ +&(nid_objs[662]),/* "id-ppl" */ &(nid_objs[267]),/* "id-qcs" */ &(nid_objs[359]),/* "id-qcs-pkixQCSyntax-v1" */ &(nid_objs[259]),/* "id-qt" */ @@ -3310,6 +3334,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[266]),/* OBJ_id_aca 1 3 6 1 5 5 7 10 */ &(nid_objs[267]),/* OBJ_id_qcs 1 3 6 1 5 5 7 11 */ &(nid_objs[268]),/* OBJ_id_cct 1 3 6 1 5 5 7 12 */ +&(nid_objs[662]),/* OBJ_id_ppl 1 3 6 1 5 5 7 21 */ &(nid_objs[176]),/* OBJ_id_ad 1 3 6 1 5 5 7 48 */ &(nid_objs[507]),/* OBJ_id_hex_partial_message 1 3 6 1 7 1 1 1 */ &(nid_objs[508]),/* OBJ_id_hex_multipart_message 1 3 6 1 7 1 1 2 */ @@ -3363,6 +3388,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[292]),/* OBJ_sbqp_routerIdentifier 1 3 6 1 5 5 7 1 9 */ &(nid_objs[397]),/* OBJ_ac_proxying 1 3 6 1 5 5 7 1 10 */ &(nid_objs[398]),/* OBJ_sinfo_access 1 3 6 1 5 5 7 1 11 */ +&(nid_objs[663]),/* OBJ_proxyCertInfo 1 3 6 1 5 5 7 1 14 */ &(nid_objs[164]),/* OBJ_id_qt_cps 1 3 6 1 5 5 7 2 1 */ &(nid_objs[165]),/* OBJ_id_qt_unotice 1 3 6 1 5 5 7 2 2 */ &(nid_objs[293]),/* OBJ_textNotice 1 3 6 1 5 5 7 2 3 */ @@ -3433,6 +3459,9 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[360]),/* OBJ_id_cct_crs 1 3 6 1 5 5 7 12 1 */ &(nid_objs[361]),/* OBJ_id_cct_PKIData 1 3 6 1 5 5 7 12 2 */ &(nid_objs[362]),/* OBJ_id_cct_PKIResponse 1 3 6 1 5 5 7 12 3 */ +&(nid_objs[664]),/* OBJ_id_ppl_anyLanguage 1 3 6 1 5 5 7 21 0 */ +&(nid_objs[665]),/* OBJ_id_ppl_inheritAll 1 3 6 1 5 5 7 21 1 */ +&(nid_objs[667]),/* OBJ_Independent 1 3 6 1 5 5 7 21 2 */ &(nid_objs[178]),/* OBJ_ad_OCSP 1 3 6 1 5 5 7 48 1 */ &(nid_objs[179]),/* OBJ_ad_ca_issuers 1 3 6 1 5 5 7 48 2 */ &(nid_objs[363]),/* OBJ_ad_timeStamping 1 3 6 1 5 5 7 48 3 */ diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h index b1a3c8a85..d28894cf4 100644 --- a/crypto/objects/obj_mac.h +++ b/crypto/objects/obj_mac.h @@ -950,6 +950,10 @@ #define NID_id_cct 268 #define OBJ_id_cct OBJ_id_pkix,12L +#define SN_id_ppl "id-ppl" +#define NID_id_ppl 662 +#define OBJ_id_ppl OBJ_id_pkix,21L + #define SN_id_ad "id-ad" #define NID_id_ad 176 #define OBJ_id_ad OBJ_id_pkix,48L @@ -1065,6 +1069,11 @@ #define NID_sinfo_access 398 #define OBJ_sinfo_access OBJ_id_pe,11L +#define SN_proxyCertInfo "proxyCertInfo" +#define LN_proxyCertInfo "Proxy Certificate Information" +#define NID_proxyCertInfo 663 +#define OBJ_proxyCertInfo OBJ_id_pe,14L + #define SN_id_qt_cps "id-qt-cps" #define LN_id_qt_cps "Policy Qualifier CPS" #define NID_id_qt_cps 164 @@ -1389,6 +1398,21 @@ #define NID_id_cct_PKIResponse 362 #define OBJ_id_cct_PKIResponse OBJ_id_cct,3L +#define SN_id_ppl_anyLanguage "id-ppl-anyLanguage" +#define LN_id_ppl_anyLanguage "Any language" +#define NID_id_ppl_anyLanguage 664 +#define OBJ_id_ppl_anyLanguage OBJ_id_ppl,0L + +#define SN_id_ppl_inheritAll "id-ppl-inheritAll" +#define LN_id_ppl_inheritAll "Inherit all" +#define NID_id_ppl_inheritAll 665 +#define OBJ_id_ppl_inheritAll OBJ_id_ppl,1L + +#define SN_Independent "id-ppl-independent" +#define LN_Independent "Independent" +#define NID_Independent 667 +#define OBJ_Independent OBJ_id_ppl,2L + #define SN_ad_OCSP "OCSP" #define LN_ad_OCSP "OCSP" #define NID_ad_OCSP 178 diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num index f808d9644..0e64a929b 100644 --- a/crypto/objects/obj_mac.num +++ b/crypto/objects/obj_mac.num @@ -659,3 +659,9 @@ des_ede3_cfb1 658 des_ede3_cfb8 659 streetAddress 660 postalCode 661 +id_ppl 662 +proxyCertInfo 663 +id_ppl_anyLanguage 664 +id_ppl_inheritAll 665 +id_ppl_independent 666 +Independent 667 diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt index 10d811c37..50e9031e6 100644 --- a/crypto/objects/objects.txt +++ b/crypto/objects/objects.txt @@ -312,6 +312,7 @@ id-pkix 9 : id-pda id-pkix 10 : id-aca id-pkix 11 : id-qcs id-pkix 12 : id-cct +id-pkix 21 : id-ppl id-pkix 48 : id-ad # PKIX Modules @@ -346,6 +347,7 @@ id-pe 9 : sbqp-routerIdentifier id-pe 10 : ac-proxying !Cname sinfo-access id-pe 11 : subjectInfoAccess : Subject Information Access +id-pe 14 : proxyCertInfo : Proxy Certificate Information # PKIX policyQualifiers for Internet policy qualifiers id-qt 1 : id-qt-cps : Policy Qualifier CPS @@ -461,6 +463,11 @@ id-cct 1 : id-cct-crs id-cct 2 : id-cct-PKIData id-cct 3 : id-cct-PKIResponse +# Predefined Proxy Certificate policy languages +id-ppl 0 : id-ppl-anyLanguage : Any language +id-ppl 1 : id-ppl-inheritAll : Inherit all +id-ppl 2 : id-ppl-independent : Independent + # access descriptors for authority info access extension !Cname ad-OCSP id-ad 1 : OCSP : OCSP diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c index b8f5bc0cd..29c524803 100644 --- a/crypto/x509/x509_txt.c +++ b/crypto/x509/x509_txt.c @@ -126,6 +126,8 @@ const char *X509_verify_cert_error_string(long n) return ("invalid non-CA certificate (has CA markings)"); case X509_V_ERR_PATH_LENGTH_EXCEEDED: return ("path length constraint exceeded"); + case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: + return("proxy path length constraint exceeded"); case X509_V_ERR_INVALID_PURPOSE: return ("unsupported certificate purpose"); case X509_V_ERR_CERT_UNTRUSTED: @@ -142,19 +144,16 @@ const char *X509_verify_cert_error_string(long n) return("authority and issuer serial number mismatch"); case X509_V_ERR_KEYUSAGE_NO_CERTSIGN: return("key usage does not include certificate signing"); - case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: return("unable to get CRL issuer certificate"); - case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: return("unhandled critical extension"); - case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: return("key usage does not include CRL signing"); - + case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: + return("key usage does not include digital signature"); case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: return("unhandled critical CRL extension"); - default: BIO_snprintf(buf,sizeof buf,"error number %ld",n); return(buf); diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index e60055c34..0e18cdb95 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -365,7 +365,7 @@ static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) else return 0; } - + /* Check a certificate chains extensions for consistency * with the supplied purpose @@ -379,6 +379,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) int i, ok=0, must_be_ca; X509 *x; int (*cb)(); + int proxy_path_length = 0; cb=ctx->verify_cb; /* must_be_ca can have 1 of 3 values: @@ -462,7 +463,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) } /* Check pathlen */ if ((i > 1) && (x->ex_pathlen != -1) - && (i > (x->ex_pathlen + 1))) + && (i > (x->ex_pathlen + proxy_path_length + 1))) { ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; ctx->error_depth = i; @@ -470,8 +471,32 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) ok=cb(0,ctx); if (!ok) goto end; } - /* The next certificate must be a CA */ - must_be_ca = 1; + /* If this certificate is a proxy certificate, the next + certificate must be another proxy certificate or a EE + certificate. If not, the next certificate must be a + CA certificate. */ + if (x->ex_flags & EXFLAG_PROXY) + { + PROXY_CERT_INFO_EXTENSION *pci = + X509_get_ext_d2i(x, NID_proxyCertInfo, + NULL, NULL); + if (pci->pcPathLengthConstraint && + ASN1_INTEGER_get(pci->pcPathLengthConstraint) + < i) + { + PROXY_CERT_INFO_EXTENSION_free(pci); + ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; + ctx->error_depth = i; + ctx->current_cert = x; + ok=cb(0,ctx); + if (!ok) goto end; + } + PROXY_CERT_INFO_EXTENSION_free(pci); + proxy_path_length++; + must_be_ca = 0; + } + else + must_be_ca = 1; } ok = 1; end: @@ -835,6 +860,7 @@ static int internal_verify(X509_STORE_CTX *ctx) } /* The last error (if any) is still in the error value */ + ctx->current_issuer=xi; ctx->current_cert=xs; ok=(*cb)(1,ctx); if (!ok) goto end; diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h index cb725b64d..f1d1b05fb 100644 --- a/crypto/x509/x509_vfy.h +++ b/crypto/x509/x509_vfy.h @@ -307,6 +307,8 @@ struct x509_store_ctx_st /* X509_STORE_CTX */ #define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35 #define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36 #define X509_V_ERR_INVALID_NON_CA 37 +#define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38 +#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39 /* The application is not happy */ #define X509_V_ERR_APPLICATION_VERIFICATION 50 diff --git a/crypto/x509v3/Makefile b/crypto/x509v3/Makefile index 5aeffc794..ed2f91cbb 100644 --- a/crypto/x509v3/Makefile +++ b/crypto/x509v3/Makefile @@ -25,11 +25,11 @@ LIB=$(TOP)/libcrypto.a LIBSRC= v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c v3_lib.c \ v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c v3_pku.c \ v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \ -v3_ocsp.c v3_akeya.c +v3_ocsp.c v3_akeya.c v3_pcia.c v3_pci.c LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \ v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \ v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o v3_purp.o v3_info.o \ -v3_ocsp.o v3_akeya.o +v3_ocsp.o v3_akeya.o v3_pcia.o v3_pci.o SRC= $(LIBSRC) @@ -444,6 +444,50 @@ v3_ocsp.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h v3_ocsp.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h v3_ocsp.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h v3_ocsp.o: ../cryptlib.h v3_ocsp.c +v3_pci.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h +v3_pci.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h +v3_pci.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h +v3_pci.o: ../../include/openssl/cast.h ../../include/openssl/conf.h +v3_pci.o: ../../include/openssl/crypto.h ../../include/openssl/des.h +v3_pci.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h +v3_pci.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h +v3_pci.o: ../../include/openssl/err.h ../../include/openssl/evp.h +v3_pci.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h +v3_pci.o: ../../include/openssl/md2.h ../../include/openssl/md4.h +v3_pci.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h +v3_pci.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +v3_pci.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +v3_pci.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h +v3_pci.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h +v3_pci.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h +v3_pci.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h +v3_pci.o: ../../include/openssl/sha.h ../../include/openssl/stack.h +v3_pci.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h +v3_pci.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h +v3_pci.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h +v3_pci.o: ../cryptlib.h v3_pci.c +v3_pcia.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h +v3_pcia.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h +v3_pcia.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h +v3_pcia.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h +v3_pcia.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h +v3_pcia.o: ../../include/openssl/des.h ../../include/openssl/des_old.h +v3_pcia.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h +v3_pcia.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h +v3_pcia.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h +v3_pcia.o: ../../include/openssl/md2.h ../../include/openssl/md4.h +v3_pcia.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h +v3_pcia.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +v3_pcia.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +v3_pcia.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h +v3_pcia.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h +v3_pcia.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h +v3_pcia.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h +v3_pcia.o: ../../include/openssl/sha.h ../../include/openssl/stack.h +v3_pcia.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h +v3_pcia.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h +v3_pcia.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h +v3_pcia.o: v3_pcia.c v3_pku.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h v3_pku.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h v3_pku.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h diff --git a/crypto/x509v3/ext_dat.h b/crypto/x509v3/ext_dat.h index 6fa3178e6..d8328ac46 100644 --- a/crypto/x509v3/ext_dat.h +++ b/crypto/x509v3/ext_dat.h @@ -64,7 +64,7 @@ extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate; extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld; extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff; extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc; -extern X509V3_EXT_METHOD v3_crl_hold; +extern X509V3_EXT_METHOD v3_crl_hold, v3_pci; /* This table will be searched using OBJ_bsearch so it *must* kept in * order of the ext_nid values. @@ -107,8 +107,9 @@ static X509V3_EXT_METHOD *standard_exts[] = { #endif &v3_sinfo, #ifndef OPENSSL_NO_OCSP -&v3_crl_hold +&v3_crl_hold, #endif +&v3_pci, }; /* Number of standard extensions */ diff --git a/crypto/x509v3/v3_pci.c b/crypto/x509v3/v3_pci.c new file mode 100644 index 000000000..b32d96861 --- /dev/null +++ b/crypto/x509v3/v3_pci.c @@ -0,0 +1,313 @@ +/* v3_pci.c -*- mode:C; c-file-style: "eay" -*- */ +/* Contributed to the OpenSSL Project 2004 + * by Richard Levitte (richard@levitte.org) + */ +/* Copyright (c) 2004 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include <stdio.h> +#include "cryptlib.h" +#include <openssl/conf.h> +#include <openssl/x509v3.h> + +static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext, + BIO *out, int indent); +static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method, + X509V3_CTX *ctx, char *str); + +X509V3_EXT_METHOD v3_pci = + { NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION), + 0,0,0,0, + 0,0, + NULL, NULL, + (X509V3_EXT_I2R)i2r_pci, + (X509V3_EXT_R2I)r2i_pci, + NULL, + }; + +static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci, + BIO *out, int indent) + { + BIO_printf(out, "%*sPath Length Constraint: ", indent, ""); + if (pci->pcPathLengthConstraint) + i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint); + else + BIO_printf(out, "infinite"); + BIO_puts(out, "\n"); + BIO_printf(out, "%*sPolicy Language: ", indent, ""); + i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage); + BIO_puts(out, "\n"); + if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data) + BIO_printf(out, "%*sPolicy Text: %s\n", indent, "", + pci->proxyPolicy->policy->data); + return 1; + } + +static int process_pci_value(CONF_VALUE *val, + ASN1_OBJECT **language, ASN1_INTEGER **pathlen, + ASN1_OCTET_STRING **policy) + { + int free_policy = 0; + + if (strcmp(val->name, "language") == 0) + { + if (*language) + { + X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED); + X509V3_conf_err(val); + return 0; + } + if (!(*language = OBJ_txt2obj(val->value, 0))) + { + X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_OBJECT_IDENTIFIER); + X509V3_conf_err(val); + return 0; + } + } + else if (strcmp(val->name, "pathlen") == 0) + { + if (*pathlen) + { + X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED); + X509V3_conf_err(val); + return 0; + } + if (!X509V3_get_value_int(val, pathlen)) + { + X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_PATH_LENGTH); + X509V3_conf_err(val); + return 0; + } + } + else if (strcmp(val->name, "policy") == 0) + { + unsigned char *tmp_data = NULL; + long val_len; + if (!*policy) + { + *policy = ASN1_OCTET_STRING_new(); + if (!*policy) + { + X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE); + X509V3_conf_err(val); + return 0; + } + free_policy = 1; + } + if (strncmp(val->value, "hex:", 4) == 0) + { + unsigned char *tmp_data2 = + string_to_hex(val->value + 4, &val_len); + + if (!tmp_data2) goto err; + + tmp_data = OPENSSL_realloc((*policy)->data, + (*policy)->length + val_len + 1); + if (tmp_data) + { + (*policy)->data = tmp_data; + memcpy(&(*policy)->data[(*policy)->length], + tmp_data2, val_len); + (*policy)->length += val_len; + (*policy)->data[(*policy)->length] = '\0'; + } + } + else if (strncmp(val->value, "file:", 5) == 0) + { + unsigned char buf[2048]; + int n; + BIO *b = BIO_new_file(val->value + 5, "r"); + if (!b) + { + X509V3err(X509V3_F_R2I_PCI,ERR_R_BIO_LIB); + X509V3_conf_err(val); + goto err; + } + while((n = BIO_read(b, buf, sizeof(buf))) > 0 + || (n == 0 && BIO_should_retry(b))) + { + if (!n) continue; + + tmp_data = OPENSSL_realloc((*policy)->data, + (*policy)->length + n + 1); + + if (!tmp_data) + break; + + (*policy)->data = tmp_data; + memcpy(&(*policy)->data[(*policy)->length], + buf, n); + (*policy)->length += n; + (*policy)->data[(*policy)->length] = '\0'; + } + + if (n < 0) + { + X509V3err(X509V3_F_R2I_PCI,ERR_R_BIO_LIB); + X509V3_conf_err(val); + goto err; + } + } + else if (strncmp(val->value, "text:", 5) == 0) + { + val_len = strlen(val->value + 5); + tmp_data = OPENSSL_realloc((*policy)->data, + (*policy)->length + val_len + 1); + if (tmp_data) + { + (*policy)->data = tmp_data; + memcpy(&(*policy)->data[(*policy)->length], + val->value + 5, val_len); + (*policy)->length += val_len; + (*policy)->data[(*policy)->length] = '\0'; + } + } + else + { + X509V3err(X509V3_F_R2I_PCI,X509V3_R_INCORRECT_POLICY_SYNTAX_TAG); + X509V3_conf_err(val); + goto err; + } + if (!tmp_data) + { + X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE); + X509V3_conf_err(val); + goto err; + } + } + return 1; +err: + if (free_policy) + { + ASN1_OCTET_STRING_free(*policy); + *policy = NULL; + } + return 0; + } + +static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method, + X509V3_CTX *ctx, char *value) + { + PROXY_CERT_INFO_EXTENSION *pci = NULL; + STACK_OF(CONF_VALUE) *vals; + ASN1_OBJECT *language = NULL; + ASN1_INTEGER *pathlen = NULL; + ASN1_OCTET_STRING *policy = NULL; + int i, j; + + vals = X509V3_parse_list(value); + for (i = 0; i < sk_CONF_VALUE_num(vals); i++) + { + CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i); + if (!cnf->name || (*cnf->name != '@' && !cnf->value)) + { + X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_PROXY_POLICY_SETTING); + X509V3_conf_err(cnf); + goto err; + } + if (*cnf->name == '@') + { + STACK_OF(CONF_VALUE) *sect; + int success_p = 1; + + sect = X509V3_get_section(ctx, cnf->name + 1); + if (!sect) + { + X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_SECTION); + X509V3_conf_err(cnf); + goto err; + } + for (j = 0; success_p && j < sk_CONF_VALUE_num(sect); j++) + { + success_p = + process_pci_value(sk_CONF_VALUE_value(sect, j), + &language, &pathlen, &policy); + } + X509V3_section_free(ctx, sect); + if (!success_p) + goto err; + } + else + { + if (!process_pci_value(cnf, + &language, &pathlen, &policy)) + { + X509V3_conf_err(cnf); + goto err; + } + } + } + + /* Language is mandatory */ + if (!language) + { + X509V3err(X509V3_F_R2I_PCI,X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED); + goto err; + } + i = OBJ_obj2nid(language); + if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy) + { + X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY); + goto err; + } + + pci = PROXY_CERT_INFO_EXTENSION_new(); + if (!pci) + { + X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE); + goto err; + } + pci->proxyPolicy = PROXY_POLICY_new(); + if (!pci->proxyPolicy) + { + X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE); + goto err; + } + + pci->proxyPolicy->policyLanguage = language; language = NULL; + pci->proxyPolicy->policy = policy; policy = NULL; + pci->pcPathLengthConstraint = pathlen; pathlen = NULL; + goto end; +err: + if (language) { ASN1_OBJECT_free(language); language = NULL; } + if (pathlen) { ASN1_INTEGER_free(pathlen); pathlen = NULL; } + if (policy) { ASN1_OCTET_STRING_free(policy); policy = NULL; } + if (pci && pci->proxyPolicy) + { + PROXY_POLICY_free(pci->proxyPolicy); + pci->proxyPolicy = NULL; + } + if (pci) { PROXY_CERT_INFO_EXTENSION_free(pci); pci = NULL; } +end: + sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); + return pci; + } diff --git a/crypto/x509v3/v3_pcia.c b/crypto/x509v3/v3_pcia.c new file mode 100644 index 000000000..bb362e0e5 --- /dev/null +++ b/crypto/x509v3/v3_pcia.c @@ -0,0 +1,55 @@ +/* v3_pcia.c -*- mode:C; c-file-style: "eay" -*- */ +/* Contributed to the OpenSSL Project 2004 + * by Richard Levitte (richard@levitte.org) + */ +/* Copyright (c) 2004 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include <openssl/asn1.h> +#include <openssl/asn1t.h> +#include <openssl/x509v3.h> + +ASN1_SEQUENCE(PROXY_POLICY) = + { + ASN1_SIMPLE(PROXY_POLICY,policyLanguage,ASN1_OBJECT), + ASN1_OPT(PROXY_POLICY,policy,ASN1_OCTET_STRING) +} ASN1_SEQUENCE_END(PROXY_POLICY) + +IMPLEMENT_ASN1_FUNCTIONS(PROXY_POLICY) + +ASN1_SEQUENCE(PROXY_CERT_INFO_EXTENSION) = + { + ASN1_OPT(PROXY_CERT_INFO_EXTENSION,pcPathLengthConstraint,ASN1_INTEGER), + ASN1_SIMPLE(PROXY_CERT_INFO_EXTENSION,proxyPolicy,PROXY_POLICY) +} ASN1_SEQUENCE_END(PROXY_CERT_INFO_EXTENSION) + +IMPLEMENT_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION) diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index 3e94f77c7..7281106fd 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c @@ -285,7 +285,8 @@ int X509_supported_extension(X509_EXTENSION *ex) NID_key_usage, /* 83 */ NID_subject_alt_name, /* 85 */ NID_basic_constraints, /* 87 */ - NID_ext_key_usage /* 126 */ + NID_ext_key_usage, /* 126 */ + NID_proxyCertInfo /* 661 */ }; int ex_nid; @@ -306,6 +307,7 @@ int X509_supported_extension(X509_EXTENSION *ex) static void x509v3_cache_extensions(X509 *x) { BASIC_CONSTRAINTS *bs; + PROXY_CERT_INFO_EXTENSION *pci; ASN1_BIT_STRING *usage; ASN1_BIT_STRING *ns; EXTENDED_KEY_USAGE *extusage; @@ -334,6 +336,14 @@ static void x509v3_cache_extensions(X509 *x) BASIC_CONSTRAINTS_free(bs); x->ex_flags |= EXFLAG_BCONS; } + /* Handle proxy certificates */ + if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) { + if (x->ex_flags & EXFLAG_CA) { + x->ex_flags |= EXFLAG_INVALID; + } + PROXY_CERT_INFO_EXTENSION_free(pci); + x->ex_flags |= EXFLAG_PROXY; + } /* Handle key usage */ if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) { if(usage->length > 0) { @@ -623,7 +633,13 @@ int X509_check_issued(X509 *issuer, X509 *subject) return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH; } } - if(ku_reject(issuer, KU_KEY_CERT_SIGN)) return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; + if(subject->ex_flags & EXFLAG_PROXY) + { + if(ku_reject(issuer, KU_DIGITAL_SIGNATURE)) + return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE; + } + else if(ku_reject(issuer, KU_KEY_CERT_SIGN)) + return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; return X509_V_OK; } diff --git a/crypto/x509v3/v3err.c b/crypto/x509v3/v3err.c index 000ddbc38..2df0c3ef0 100644 --- a/crypto/x509v3/v3err.c +++ b/crypto/x509v3/v3err.c @@ -1,6 +1,6 @@ /* crypto/x509v3/v3err.c */ /* ==================================================================== - * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -79,6 +79,7 @@ static ERR_STRING_DATA X509V3_str_functs[]= {ERR_PACK(0,X509V3_F_NREF_NOS,0), "NREF_NOS"}, {ERR_PACK(0,X509V3_F_POLICY_SECTION,0), "POLICY_SECTION"}, {ERR_PACK(0,X509V3_F_R2I_CERTPOL,0), "R2I_CERTPOL"}, +{ERR_PACK(0,X509V3_F_R2I_PCI,0), "R2I_PCI"}, {ERR_PACK(0,X509V3_F_S2I_ASN1_IA5STRING,0), "S2I_ASN1_IA5STRING"}, {ERR_PACK(0,X509V3_F_S2I_ASN1_INTEGER,0), "s2i_ASN1_INTEGER"}, {ERR_PACK(0,X509V3_F_S2I_ASN1_OCTET_STRING,0), "s2i_ASN1_OCTET_STRING"}, @@ -129,6 +130,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]= {X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED,"extension setting not supported"}, {X509V3_R_EXTENSION_VALUE_ERROR ,"extension value error"}, {X509V3_R_ILLEGAL_HEX_DIGIT ,"illegal hex digit"}, +{X509V3_R_INCORRECT_POLICY_SYNTAX_TAG ,"incorrect policy syntax tag"}, {X509V3_R_INVALID_BOOLEAN_STRING ,"invalid boolean string"}, {X509V3_R_INVALID_EXTENSION_STRING ,"invalid extension string"}, {X509V3_R_INVALID_NAME ,"invalid name"}, @@ -140,6 +142,8 @@ static ERR_STRING_DATA X509V3_str_reasons[]= {X509V3_R_INVALID_OBJECT_IDENTIFIER ,"invalid object identifier"}, {X509V3_R_INVALID_OPTION ,"invalid option"}, {X509V3_R_INVALID_POLICY_IDENTIFIER ,"invalid policy identifier"}, +{X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER,"invalid proxy policy identifier"}, +{X509V3_R_INVALID_PROXY_POLICY_SETTING ,"invalid proxy policy setting"}, {X509V3_R_INVALID_PURPOSE ,"invalid purpose"}, {X509V3_R_INVALID_SECTION ,"invalid section"}, {X509V3_R_INVALID_SYNTAX ,"invalid syntax"}, @@ -150,9 +154,16 @@ static ERR_STRING_DATA X509V3_str_reasons[]= {X509V3_R_NO_ISSUER_CERTIFICATE ,"no issuer certificate"}, {X509V3_R_NO_ISSUER_DETAILS ,"no issuer details"}, {X509V3_R_NO_POLICY_IDENTIFIER ,"no policy identifier"}, +{X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED,"no proxy cert policy language defined"}, {X509V3_R_NO_PUBLIC_KEY ,"no public key"}, {X509V3_R_NO_SUBJECT_DETAILS ,"no subject details"}, {X509V3_R_ODD_NUMBER_OF_DIGITS ,"odd number of digits"}, +{X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED,"policy language alreadty defined"}, +{X509V3_R_POLICY_PATH_LENGTH ,"policy path length"}, +{X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED,"policy path length alreadty defined"}, +{X509V3_R_POLICY_SYNTAX_NOT ,"policy syntax not"}, +{X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED,"policy syntax not currently supported"}, +{X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY,"policy when proxy language requires no policy"}, {X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS ,"unable to get issuer details"}, {X509V3_R_UNABLE_TO_GET_ISSUER_KEYID ,"unable to get issuer keyid"}, {X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT ,"unknown bit string argument"}, diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h index f220ca5e3..e6d91251c 100644 --- a/crypto/x509v3/x509v3.h +++ b/crypto/x509v3/x509v3.h @@ -287,6 +287,23 @@ typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES; DECLARE_STACK_OF(POLICYINFO) DECLARE_ASN1_SET_OF(POLICYINFO) +/* Proxy certificate structures, see RFC 3820 */ +typedef struct PROXY_POLICY_st + { + ASN1_OBJECT *policyLanguage; + ASN1_OCTET_STRING *policy; + } PROXY_POLICY; + +typedef struct PROXY_CERT_INFO_EXTENSION_st + { + ASN1_INTEGER *pcPathLengthConstraint; + PROXY_POLICY *proxyPolicy; + } PROXY_CERT_INFO_EXTENSION; + +DECLARE_ASN1_FUNCTIONS(PROXY_POLICY) +DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION) + + #define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \ ",name:", val->name, ",value:", val->value); @@ -325,6 +342,7 @@ DECLARE_ASN1_SET_OF(POLICYINFO) #define EXFLAG_INVALID 0x80 #define EXFLAG_SET 0x100 #define EXFLAG_CRITICAL 0x200 +#define EXFLAG_PROXY 0x400 #define KU_DIGITAL_SIGNATURE 0x0080 #define KU_NON_REPUDIATION 0x0040 @@ -572,6 +590,7 @@ void ERR_load_X509V3_strings(void); #define X509V3_F_NREF_NOS 133 #define X509V3_F_POLICY_SECTION 131 #define X509V3_F_R2I_CERTPOL 130 +#define X509V3_F_R2I_PCI 142 #define X509V3_F_S2I_ASN1_IA5STRING 100 #define X509V3_F_S2I_ASN1_INTEGER 108 #define X509V3_F_S2I_ASN1_OCTET_STRING 112 @@ -619,6 +638,7 @@ void ERR_load_X509V3_strings(void); #define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 103 #define X509V3_R_EXTENSION_VALUE_ERROR 116 #define X509V3_R_ILLEGAL_HEX_DIGIT 113 +#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 153 #define X509V3_R_INVALID_BOOLEAN_STRING 104 #define X509V3_R_INVALID_EXTENSION_STRING 105 #define X509V3_R_INVALID_NAME 106 @@ -630,6 +650,8 @@ void ERR_load_X509V3_strings(void); #define X509V3_R_INVALID_OBJECT_IDENTIFIER 110 #define X509V3_R_INVALID_OPTION 138 #define X509V3_R_INVALID_POLICY_IDENTIFIER 134 +#define X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER 147 +#define X509V3_R_INVALID_PROXY_POLICY_SETTING 151 #define X509V3_R_INVALID_PURPOSE 146 #define X509V3_R_INVALID_SECTION 135 #define X509V3_R_INVALID_SYNTAX 143 @@ -640,9 +662,16 @@ void ERR_load_X509V3_strings(void); #define X509V3_R_NO_ISSUER_CERTIFICATE 121 #define X509V3_R_NO_ISSUER_DETAILS 127 #define X509V3_R_NO_POLICY_IDENTIFIER 139 +#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 148 #define X509V3_R_NO_PUBLIC_KEY 114 #define X509V3_R_NO_SUBJECT_DETAILS 125 #define X509V3_R_ODD_NUMBER_OF_DIGITS 112 +#define X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED 149 +#define X509V3_R_POLICY_PATH_LENGTH 152 +#define X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED 150 +#define X509V3_R_POLICY_SYNTAX_NOT 154 +#define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED 155 +#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 156 #define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 122 #define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 123 #define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 111 diff --git a/fips/sha1/Makefile b/fips/sha1/Makefile index 1fa25b32b..857c10cd0 100644 --- a/fips/sha1/Makefile +++ b/fips/sha1/Makefile @@ -113,7 +113,8 @@ fips_sha1_selftest.o: ../../include/openssl/safestack.h fips_sha1_selftest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h fips_sha1_selftest.o: ../../include/openssl/symhacks.h fips_sha1_selftest.c fips_sha1dgst.o: ../../include/openssl/opensslconf.h -fips_sha1dgst.o: ../../include/openssl/opensslv.h fips_sha1dgst.c +fips_sha1dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/sha.h +fips_sha1dgst.o: fips_md32_common.h fips_sha1dgst.c fips_sha_locl.h fips_sha1test.o: ../../e_os.h ../../include/openssl/bio.h fips_sha1test.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h fips_sha1test.o: ../../include/openssl/err.h ../../include/openssl/fips.h diff --git a/ssl/ssltest.c b/ssl/ssltest.c index 7e58582f9..c868baaa5 100644 --- a/ssl/ssltest.c +++ b/ssl/ssltest.c @@ -119,6 +119,7 @@ #include <stdlib.h> #include <string.h> #include <time.h> +#include <ctype.h> #define USE_SOCKETS #include "e_os.h" @@ -127,6 +128,7 @@ #include <openssl/crypto.h> #include <openssl/evp.h> #include <openssl/x509.h> +#include <openssl/x509v3.h> #include <openssl/ssl.h> #ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> @@ -169,8 +171,14 @@ static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength); static void free_tmp_rsa(void); #endif static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg); -#define APP_CALLBACK "Test Callback Argument" -static char *app_verify_arg = APP_CALLBACK; +#define APP_CALLBACK_STRING "Test Callback Argument" +struct app_verify_arg + { + char *string; + int app_verify; + char *proxy_auth; + char *proxy_cond; + }; #ifndef OPENSSL_NO_DH static DH *get_dh512(void); @@ -204,6 +212,8 @@ static void sv_usage(void) #endif fprintf(stderr," -server_auth - check server certificate\n"); fprintf(stderr," -client_auth - do client authentication\n"); + fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n"); + fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n"); fprintf(stderr," -v - more output\n"); fprintf(stderr," -d - debug output\n"); fprintf(stderr," -reuse - use session-id reuse\n"); @@ -353,7 +363,8 @@ int main(int argc, char *argv[]) int tls1=0,ssl2=0,ssl3=0,ret=1; int client_auth=0; int server_auth=0,i; - int app_verify=0; + struct app_verify_arg app_verify_arg = + { APP_CALLBACK_STRING, 0, NULL, NULL }; char *server_cert=TEST_SERVER_CERT; char *server_key=NULL; char *client_cert=TEST_CLIENT_CERT; @@ -421,6 +432,16 @@ int main(int argc, char *argv[]) server_auth=1; else if (strcmp(*argv,"-client_auth") == 0) client_auth=1; + else if (strcmp(*argv,"-proxy_auth") == 0) + { + if (--argc < 1) goto bad; + app_verify_arg.proxy_auth= *(++argv); + } + else if (strcmp(*argv,"-proxy_cond") == 0) + { + if (--argc < 1) goto bad; + app_verify_arg.proxy_cond= *(++argv); + } else if (strcmp(*argv,"-v") == 0) verbose=1; else if (strcmp(*argv,"-d") == 0) @@ -533,7 +554,7 @@ int main(int argc, char *argv[]) } else if (strcmp(*argv,"-app_verify") == 0) { - app_verify = 1; + app_verify_arg.app_verify = 1; } else { @@ -708,20 +729,14 @@ bad: SSL_CTX_set_verify(s_ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback); - if (app_verify) - { - SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg); - } + SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg); } if (server_auth) { BIO_printf(bio_err,"server authentication\n"); SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER, verify_callback); - if (app_verify) - { - SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg); - } + SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg); } { @@ -1503,6 +1518,22 @@ err: return(ret); } +static int get_proxy_auth_ex_data_idx(void) + { + static volatile int idx = -1; + if (idx < 0) + { + CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); + if (idx < 0) + { + idx = X509_STORE_CTX_get_ex_new_index(0, + "SSLtest for verify callback", NULL,NULL,NULL); + } + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); + } + return idx; + } + static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) { char *s,buf[256]; @@ -1512,7 +1543,8 @@ static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) if (s != NULL) { if (ok) - fprintf(stderr,"depth=%d %s\n",ctx->error_depth,buf); + fprintf(stderr,"depth=%d %s\n", + ctx->error_depth,buf); else fprintf(stderr,"depth=%d error=%d %s\n", ctx->error_depth,ctx->error,buf); @@ -1529,25 +1561,440 @@ static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) } } + if (ok == 1) + { + X509 *xs = ctx->current_cert; +#if 0 + X509 *xi = ctx->current_issuer; +#endif + + if (xs->ex_flags & EXFLAG_PROXY) + { + unsigned int *letters = + X509_STORE_CTX_get_ex_data(ctx, + get_proxy_auth_ex_data_idx()); + + if (letters) + { + int found_any = 0; + int i; + PROXY_CERT_INFO_EXTENSION *pci = + X509_get_ext_d2i(xs, NID_proxyCertInfo, + NULL, NULL); + + switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage)) + { + case NID_Independent: + /* Completely meaningless in this + program, as there's no way to + grant explicit rights to a + specific PrC. Basically, using + id-ppl-Independent is the perfect + way to grant no rights at all. */ + fprintf(stderr, " Independent proxy certificate"); + for (i = 0; i < 26; i++) + letters[i] = 0; + break; + case NID_id_ppl_inheritAll: + /* This is basically a NOP, we + simply let the current rights + stand as they are. */ + fprintf(stderr, " Proxy certificate inherits all"); + break; + default: + s = (char *) + pci->proxyPolicy->policy->data; + i = pci->proxyPolicy->policy->length; + + /* The algorithm works as follows: + it is assumed that previous + iterations or the initial granted + rights has already set some elements + of `letters'. What we need to do is + to clear those that weren't granted + by the current PrC as well. The + easiest way to do this is to add 1 + to all the elements whose letters + are given with the current policy. + That way, all elements that are set + by the current policy and were + already set by earlier policies and + through the original grant of rights + will get the value 2 or higher. + The last thing to do is to sweep + through `letters' and keep the + elements having the value 2 as set, + and clear all the others. */ + + fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s); + while(i-- > 0) + { + char c = *s++; + if (isascii(c) && isalpha(c)) + { + if (islower(c)) + c = toupper(c); + letters[c - 'A']++; + } + } + for (i = 0; i < 26; i++) + if (letters[i] < 2) + letters[i] = 0; + else + letters[i] = 1; + } + + found_any = 0; + fprintf(stderr, + ", resulting proxy rights = "); + for(i = 0; i < 26; i++) + if (letters[i]) + { + fprintf(stderr, "%c", i + 'A'); + found_any = 1; + } + if (!found_any) + fprintf(stderr, "none"); + fprintf(stderr, "\n"); + + PROXY_CERT_INFO_EXTENSION_free(pci); + } + } + } + return(ok); } +static void process_proxy_debug(int indent, const char *format, ...) + { + static const char indentation[] = + ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>" + ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */ + char my_format[256]; + va_list args; + + BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s", + indent, indent, indentation, format); + + va_start(args, format); + vfprintf(stderr, my_format, args); + va_end(args); + } +/* Priority levels: + 0 [!]var, () + 1 & ^ + 2 | +*/ +static int process_proxy_cond_adders(unsigned int letters[26], + const char *cond, const char **cond_end, int *pos, int indent); +static int process_proxy_cond_val(unsigned int letters[26], + const char *cond, const char **cond_end, int *pos, int indent) + { + char c; + int ok = 1; + int negate = 0; + + while(isspace(*cond)) + { + cond++; (*pos)++; + } + c = *cond; + + if (debug) + process_proxy_debug(indent, + "Start process_proxy_cond_val at position %d: %s\n", + *pos, cond); + + while(c == '!') + { + negate = !negate; + cond++; (*pos)++; + while(isspace(*cond)) + { + cond++; (*pos)++; + } + c = *cond; + } + + if (c == '(') + { + cond++; (*pos)++; + ok = process_proxy_cond_adders(letters, cond, cond_end, pos, + indent + 1); + cond = *cond_end; + if (ok < 0) + goto end; + while(isspace(*cond)) + { + cond++; (*pos)++; + } + c = *cond; + if (c != ')') + { + fprintf(stderr, + "Weird condition character in position %d: " + "%c\n", *pos, c); + ok = -1; + goto end; + } + cond++; (*pos)++; + } + else if (isascii(c) && isalpha(c)) + { + if (islower(c)) + c = toupper(c); + ok = letters[c - 'A']; + cond++; (*pos)++; + } + else + { + fprintf(stderr, + "Weird condition character in position %d: " + "%c\n", *pos, c); + ok = -1; + goto end; + } + end: + *cond_end = cond; + if (ok >= 0 && negate) + ok = !ok; + + if (debug) + process_proxy_debug(indent, + "End process_proxy_cond_val at position %d: %s, returning %d\n", + *pos, cond, ok); + + return ok; + } +static int process_proxy_cond_multipliers(unsigned int letters[26], + const char *cond, const char **cond_end, int *pos, int indent) + { + int ok; + char c; + + if (debug) + process_proxy_debug(indent, + "Start process_proxy_cond_multipliers at position %d: %s\n", + *pos, cond); + + ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1); + cond = *cond_end; + if (ok < 0) + goto end; + + while(ok >= 0) + { + while(isspace(*cond)) + { + cond++; (*pos)++; + } + c = *cond; + + switch(c) + { + case '&': + case '^': + { + int save_ok = ok; + + cond++; (*pos)++; + ok = process_proxy_cond_val(letters, + cond, cond_end, pos, indent + 1); + cond = *cond_end; + if (ok < 0) + break; + + switch(c) + { + case '&': + ok &= save_ok; + break; + case '^': + ok ^= save_ok; + break; + default: + fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!" + " STOPPING\n"); + EXIT(1); + } + } + break; + default: + goto end; + } + } + end: + if (debug) + process_proxy_debug(indent, + "End process_proxy_cond_multipliers at position %d: %s, returning %d\n", + *pos, cond, ok); + + *cond_end = cond; + return ok; + } +static int process_proxy_cond_adders(unsigned int letters[26], + const char *cond, const char **cond_end, int *pos, int indent) + { + int ok; + char c; + + if (debug) + process_proxy_debug(indent, + "Start process_proxy_cond_adders at position %d: %s\n", + *pos, cond); + + ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos, + indent + 1); + cond = *cond_end; + if (ok < 0) + goto end; + + while(ok >= 0) + { + while(isspace(*cond)) + { + cond++; (*pos)++; + } + c = *cond; + + switch(c) + { + case '|': + { + int save_ok = ok; + + cond++; (*pos)++; + ok = process_proxy_cond_multipliers(letters, + cond, cond_end, pos, indent + 1); + cond = *cond_end; + if (ok < 0) + break; + + switch(c) + { + case '|': + ok |= save_ok; + break; + default: + fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!" + " STOPPING\n"); + EXIT(1); + } + } + break; + default: + goto end; + } + } + end: + if (debug) + process_proxy_debug(indent, + "End process_proxy_cond_adders at position %d: %s, returning %d\n", + *pos, cond, ok); + + *cond_end = cond; + return ok; + } + +static int process_proxy_cond(unsigned int letters[26], + const char *cond, const char **cond_end) + { + int pos = 1; + return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1); + } + static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg) { - char *s = NULL,buf[256]; int ok=1; + struct app_verify_arg *cb_arg = arg; + unsigned int letters[26]; /* only used with proxy_auth */ - fprintf(stderr, "In app_verify_callback, allowing cert. "); - fprintf(stderr, "Arg is: %s\n", (char *)arg); - fprintf(stderr, "Finished printing do we have a context? 0x%x a cert? 0x%x\n", - (unsigned int)ctx, (unsigned int)ctx->cert); - if (ctx->cert) - s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256); - if (s != NULL) + if (cb_arg->app_verify) { + char *s = NULL,buf[256]; + + fprintf(stderr, "In app_verify_callback, allowing cert. "); + fprintf(stderr, "Arg is: %s\n", cb_arg->string); + fprintf(stderr, "Finished printing do we have a context? 0x%x a cert? 0x%x\n", + (unsigned int)ctx, (unsigned int)ctx->cert); + if (ctx->cert) + s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256); + if (s != NULL) + { fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf); + } + return(1); } + if (cb_arg->proxy_auth) + { + int found_any = 0, i; + char *sp; + + for(i = 0; i < 26; i++) + letters[i] = 0; + for(sp = cb_arg->proxy_auth; *sp; sp++) + { + char c = *sp; + if (isascii(c) && isalpha(c)) + { + if (islower(c)) + c = toupper(c); + letters[c - 'A'] = 1; + } + } + fprintf(stderr, + " Initial proxy rights = "); + for(i = 0; i < 26; i++) + if (letters[i]) + { + fprintf(stderr, "%c", i + 'A'); + found_any = 1; + } + if (!found_any) + fprintf(stderr, "none"); + fprintf(stderr, "\n"); + + X509_STORE_CTX_set_ex_data(ctx, + get_proxy_auth_ex_data_idx(),letters); + } + +#ifndef OPENSSL_NO_X509_VERIFY +# ifdef OPENSSL_FIPS + if(s->version == TLS1_VERSION) + FIPS_allow_md5(1); +# endif + ok = X509_verify_cert(ctx); +# ifdef OPENSSL_FIPS + if(s->version == TLS1_VERSION) + FIPS_allow_md5(0); +# endif +#endif + + if (cb_arg->proxy_auth) + { + if (ok) + { + const char *cond_end = NULL; + + ok = process_proxy_cond(letters, + cb_arg->proxy_cond, &cond_end); + + if (ok < 0) + EXIT(3); + if (*cond_end) + { + fprintf(stderr, "Stopped processing condition before it's end.\n"); + ok = 0; + } + if (!ok) + fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n", + cb_arg->proxy_cond); + else + fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n", + cb_arg->proxy_cond); + } + } return(ok); } diff --git a/test/CAss.cnf b/test/CAss.cnf index b941b7ae1..21da59a73 100644 --- a/test/CAss.cnf +++ b/test/CAss.cnf @@ -23,3 +23,11 @@ organizationName_value = Dodgy Brothers commonName = Common Name (eg, YOUR name) commonName_value = Dodgy CA + +[ v3_ca ] +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always +basicConstraints = CA:true,pathlen:1 +keyUsage = cRLSign, keyCertSign +issuerAltName=issuer:copy + diff --git a/test/Makefile b/test/Makefile index 200041327..8b649b285 100644 --- a/test/Makefile +++ b/test/Makefile @@ -274,20 +274,26 @@ test_gen: @echo "Generate and verify a certificate request" @$(SET_SO_PATHS); sh ./testgen -test_ss keyU.ss certU.ss certCA.ss: testss +test_ss keyU.ss certU.ss certCA.ss certP1.ss keyP1.ss certP2.ss keyP2.ss \ + intP1.ss intP2.ss: testss @echo "Generate and certify a test certificate" @$(SET_SO_PATHS); sh ./testss + @cat certCA.ss certU.ss > intP1.ss + @cat certCA.ss certU.ss certP1.ss > intP2.ss test_engine: @echo "Manipulate the ENGINE structures" $(SET_SO_PATHS); ./$(ENGINETEST) -test_ssl: keyU.ss certU.ss certCA.ss +test_ssl: keyU.ss certU.ss certCA.ss certP1.ss keyP1.ss certP2.ss keyP2.ss \ + intP1.ss intP2.ss @echo "test SSL protocol" @if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \ $(SET_SO_PATHS); sh ./testfipsssl keyU.ss certU.ss certCA.ss; \ fi @$(SET_SO_PATHS); sh ./testssl keyU.ss certU.ss certCA.ss + @$(SET_SO_PATHS); sh ./testsslproxy keyP1.ss certP1.ss intP1.ss + @$(SET_SO_PATHS); sh ./testsslproxy keyP2.ss certP2.ss intP2.ss test_ca: @$(SET_SO_PATHS); if ../apps/openssl no-rsa; then \ @@ -924,25 +930,26 @@ ssltest.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h ssltest.o: ../include/openssl/bio.h ../include/openssl/blowfish.h ssltest.o: ../include/openssl/bn.h ../include/openssl/buffer.h ssltest.o: ../include/openssl/cast.h ../include/openssl/comp.h -ssltest.o: ../include/openssl/crypto.h ../include/openssl/des.h -ssltest.o: ../include/openssl/des_old.h ../include/openssl/dh.h -ssltest.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h -ssltest.o: ../include/openssl/engine.h ../include/openssl/err.h -ssltest.o: ../include/openssl/evp.h ../include/openssl/fips.h -ssltest.o: ../include/openssl/idea.h ../include/openssl/kssl.h -ssltest.o: ../include/openssl/lhash.h ../include/openssl/md2.h -ssltest.o: ../include/openssl/md4.h ../include/openssl/md5.h -ssltest.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h -ssltest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -ssltest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -ssltest.o: ../include/openssl/pem.h ../include/openssl/pem2.h -ssltest.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h -ssltest.o: ../include/openssl/rc2.h ../include/openssl/rc4.h -ssltest.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h -ssltest.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -ssltest.o: ../include/openssl/sha.h ../include/openssl/ssl.h -ssltest.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -ssltest.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -ssltest.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -ssltest.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h -ssltest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssltest.c +ssltest.o: ../include/openssl/conf.h ../include/openssl/crypto.h +ssltest.o: ../include/openssl/des.h ../include/openssl/des_old.h +ssltest.o: ../include/openssl/dh.h ../include/openssl/dsa.h +ssltest.o: ../include/openssl/e_os2.h ../include/openssl/engine.h +ssltest.o: ../include/openssl/err.h ../include/openssl/evp.h +ssltest.o: ../include/openssl/fips.h ../include/openssl/idea.h +ssltest.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +ssltest.o: ../include/openssl/md2.h ../include/openssl/md4.h +ssltest.o: ../include/openssl/md5.h ../include/openssl/mdc2.h +ssltest.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +ssltest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +ssltest.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +ssltest.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +ssltest.o: ../include/openssl/rand.h ../include/openssl/rc2.h +ssltest.o: ../include/openssl/rc4.h ../include/openssl/rc5.h +ssltest.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h +ssltest.o: ../include/openssl/safestack.h ../include/openssl/sha.h +ssltest.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +ssltest.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +ssltest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +ssltest.o: ../include/openssl/tls1.h ../include/openssl/ui.h +ssltest.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +ssltest.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h ssltest.c diff --git a/test/P1ss.cnf b/test/P1ss.cnf new file mode 100644 index 000000000..876a0d35f --- /dev/null +++ b/test/P1ss.cnf @@ -0,0 +1,37 @@ +# +# SSLeay example configuration file. +# This is mostly being used for generation of certificate requests. +# + +RANDFILE = ./.rnd + +#################################################################### +[ req ] +default_bits = 512 +default_keyfile = keySS.pem +distinguished_name = req_distinguished_name +encrypt_rsa_key = no +default_md = md2 + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = AU +countryName_value = AU + +organizationName = Organization Name (eg, company) +organizationName_value = Dodgy Brothers + +0.commonName = Common Name (eg, YOUR name) +0.commonName_value = Brother 1 + +1.commonName = Common Name (eg, YOUR name) +1.commonName_value = Brother 2 + +2.commonName = Common Name (eg, YOUR name) +2.commonName_value = Proxy 1 + +[ v3_proxy ] +basicConstraints=CA:FALSE +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB diff --git a/test/P2ss.cnf b/test/P2ss.cnf new file mode 100644 index 000000000..373a87e7c --- /dev/null +++ b/test/P2ss.cnf @@ -0,0 +1,45 @@ +# +# SSLeay example configuration file. +# This is mostly being used for generation of certificate requests. +# + +RANDFILE = ./.rnd + +#################################################################### +[ req ] +default_bits = 512 +default_keyfile = keySS.pem +distinguished_name = req_distinguished_name +encrypt_rsa_key = no +default_md = md2 + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = AU +countryName_value = AU + +organizationName = Organization Name (eg, company) +organizationName_value = Dodgy Brothers + +0.commonName = Common Name (eg, YOUR name) +0.commonName_value = Brother 1 + +1.commonName = Common Name (eg, YOUR name) +1.commonName_value = Brother 2 + +2.commonName = Common Name (eg, YOUR name) +2.commonName_value = Proxy 1 + +3.commonName = Common Name (eg, YOUR name) +3.commonName_value = Proxy 2 + +[ v3_proxy ] +basicConstraints=CA:FALSE +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +proxyCertInfo=critical,@proxy_ext + +[ proxy_ext ] +language=id-ppl-anyLanguage +pathlen=0 +policy=text:BC diff --git a/test/Uss.cnf b/test/Uss.cnf index c89692d51..0c0ebb5f6 100644 --- a/test/Uss.cnf +++ b/test/Uss.cnf @@ -26,3 +26,11 @@ organizationName_value = Dodgy Brothers 1.commonName = Common Name (eg, YOUR name) 1.commonName_value = Brother 2 + +[ v3_ee ] +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +basicConstraints = CA:false +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +issuerAltName=issuer:copy + diff --git a/test/testss b/test/testss index a5aecf469..e71510bef 100644 --- a/test/testss +++ b/test/testss @@ -1,9 +1,10 @@ #!/bin/sh -digest='-mdc2' -reqcmd="../apps/ssleay req" -x509cmd="../apps/ssleay x509 $digest" -verifycmd="../apps/ssleay verify" +digest='-md5' +reqcmd="../apps/openssl req" +x509cmd="../apps/openssl x509 $digest" +verifycmd="../apps/openssl verify" +dummycnf="../apps/openssl.cnf" CAkey="keyCA.ss" CAcert="certCA.ss" @@ -16,16 +17,37 @@ Ukey="keyU.ss" Ureq="reqU.ss" Ucert="certU.ss" +P1conf="P1ss.cnf" +P1key="keyP1.ss" +P1req="reqP1.ss" +P1cert="certP1.ss" +P1intermediate="tmp_intP1.ss" + +P2conf="P2ss.cnf" +P2key="keyP2.ss" +P2req="reqP2.ss" +P2cert="certP2.ss" +P2intermediate="tmp_intP2.ss" + echo echo "make a certificate request using 'req'" -$reqcmd -config $CAconf -out $CAreq -keyout $CAkey -new #>err.ss + +echo "string to make the random number generator think it has entropy" >> ./.rnd + +if ../apps/openssl no-rsa; then + req_new='-newkey dsa:../apps/dsa512.pem' +else + req_new='-new' +fi + +$reqcmd -config $CAconf -out $CAreq -keyout $CAkey $req_new #>err.ss if [ $? != 0 ]; then echo "error using 'req' to generate a certificate request" exit 1 fi echo echo "convert the certificate request into a self signed certificate using 'x509'" -$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey >err.ss +$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey -extfile $CAconf -extensions v3_ca >err.ss if [ $? != 0 ]; then echo "error using 'x509' to self sign a certificate request" exit 1 @@ -39,13 +61,13 @@ if [ $? != 0 ]; then exit 1 fi -$reqcmd -verify -in $CAreq -noout +$reqcmd -config $dummycnf -verify -in $CAreq -noout if [ $? != 0 ]; then echo first generated request is invalid exit 1 fi -$reqcmd -verify -in $CAreq2 -noout +$reqcmd -config $dummycnf -verify -in $CAreq2 -noout if [ $? != 0 ]; then echo second generated request is invalid exit 1 @@ -58,18 +80,18 @@ if [ $? != 0 ]; then fi echo -echo "make another certificate request using 'req'" -$reqcmd -config $Uconf -out $Ureq -keyout $Ukey -new >err.ss +echo "make a user certificate request using 'req'" +$reqcmd -config $Uconf -out $Ureq -keyout $Ukey $req_new >err.ss if [ $? != 0 ]; then - echo "error using 'req' to generate a certificate request" + echo "error using 'req' to generate a user certificate request" exit 1 fi echo -echo "sign certificate request with the just created CA via 'x509'" -$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey >err.ss +echo "sign user certificate request with the just created CA via 'x509'" +$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey -extfile $Uconf -extensions v3_ee >err.ss if [ $? != 0 ]; then - echo "error using 'x509' to sign a certificate request" + echo "error using 'x509' to sign a user certificate request" exit 1 fi @@ -79,11 +101,63 @@ echo "Certificate details" $x509cmd -subject -issuer -startdate -enddate -noout -in $Ucert echo +echo "make a proxy certificate request using 'req'" +$reqcmd -config $P1conf -out $P1req -keyout $P1key $req_new >err.ss +if [ $? != 0 ]; then + echo "error using 'req' to generate a proxy certificate request" + exit 1 +fi + +echo +echo "sign proxy certificate request with the just created user certificate via 'x509'" +$x509cmd -CAcreateserial -in $P1req -days 30 -req -out $P1cert -CA $Ucert -CAkey $Ukey -extfile $P1conf -extensions v3_proxy >err.ss +if [ $? != 0 ]; then + echo "error using 'x509' to sign a proxy certificate request" + exit 1 +fi + +cat $Ucert > $P1intermediate +$verifycmd -CAfile $CAcert -untrusted $P1intermediate $P1cert +echo +echo "Certificate details" +$x509cmd -subject -issuer -startdate -enddate -noout -in $P1cert + +echo +echo "make another proxy certificate request using 'req'" +$reqcmd -config $P2conf -out $P2req -keyout $P2key $req_new >err.ss +if [ $? != 0 ]; then + echo "error using 'req' to generate another proxy certificate request" + exit 1 +fi + +echo +echo "sign second proxy certificate request with the first proxy certificate via 'x509'" +$x509cmd -CAcreateserial -in $P2req -days 30 -req -out $P2cert -CA $P1cert -CAkey $P1key -extfile $P2conf -extensions v3_proxy >err.ss +if [ $? != 0 ]; then + echo "error using 'x509' to sign a second proxy certificate request" + exit 1 +fi + +cat $Ucert $P1cert > $P2intermediate +$verifycmd -CAfile $CAcert -untrusted $P2intermediate $P2cert +echo +echo "Certificate details" +$x509cmd -subject -issuer -startdate -enddate -noout -in $P2cert + +echo echo The generated CA certificate is $CAcert echo The generated CA private key is $CAkey echo The generated user certificate is $Ucert echo The generated user private key is $Ukey +echo The first generated proxy certificate is $P1cert +echo The first generated proxy private key is $P1key + +echo The second generated proxy certificate is $P2cert +echo The second generated proxy private key is $P2key + /bin/rm err.ss +#/bin/rm $P1intermediate +#/bin/rm $P2intermediate exit 0 diff --git a/test/testsslproxy b/test/testsslproxy new file mode 100644 index 000000000..70cf12342 --- /dev/null +++ b/test/testsslproxy @@ -0,0 +1,10 @@ +#! /bin/sh + +echo 'Testing a lot of proxy conditions.' +echo 'Some of them may turn out being invalid, which is fine.' +for auth in A B C BC; do + for cond in A B C 'A|B&!C'; do + sh ./testssl $1 $2 $3 "-proxy_auth $auth -proxy_cond $cond" + if [ $? = 3 ]; then exit 1; fi + done +done diff --git a/util/libeay.num b/util/libeay.num index a6be820d7..75e7e83ed 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -2842,16 +2842,15 @@ FIPS_mode 3283 EXIST:OPENSSL_FIPS:FUNCTION: FIPS_selftest_failed 3284 EXIST:OPENSSL_FIPS:FUNCTION: sk_is_sorted 3285 EXIST::FUNCTION: X509_check_ca 3286 EXIST::FUNCTION: -private_idea_set_encrypt_key 3287 EXIST:OPENSSL_FIPS:FUNCTION:IDEA -HMAC_CTX_set_flags 3288 EXIST::FUNCTION:HMAC -private_SHA_Init 3289 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA0 -private_CAST_set_key 3290 EXIST::FUNCTION:CAST -private_RIPEMD160_Init 3291 EXIST:OPENSSL_FIPS:FUNCTION:RIPEMD -private_RC5_32_set_key 3292 EXIST::FUNCTION:RC5 -private_MD5_Init 3293 EXIST:OPENSSL_FIPS:FUNCTION:MD5 -private_RC4_set_key 3294 EXIST:OPENSSL_FIPS:FUNCTION:RC4 -private_MDC2_Init 3295 EXIST:OPENSSL_FIPS:FUNCTION:MDC2 -private_RC2_set_key 3296 EXIST::FUNCTION:RC2 -private_MD4_Init 3297 EXIST:OPENSSL_FIPS:FUNCTION:MD4 -private_BF_set_key 3298 EXIST::FUNCTION:BF -private_MD2_Init 3299 EXIST:OPENSSL_FIPS:FUNCTION:MD2 +d2i_PROXY_CERT_INFO_EXTENSION 3287 EXIST::FUNCTION: +PROXY_POLICY_it 3288 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: +PROXY_POLICY_it 3288 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: +i2d_PROXY_POLICY 3289 EXIST::FUNCTION: +i2d_PROXY_CERT_INFO_EXTENSION 3290 EXIST::FUNCTION: +d2i_PROXY_POLICY 3291 EXIST::FUNCTION: +PROXY_CERT_INFO_EXTENSION_new 3292 EXIST::FUNCTION: +PROXY_CERT_INFO_EXTENSION_free 3293 EXIST::FUNCTION: +PROXY_CERT_INFO_EXTENSION_it 3294 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: +PROXY_CERT_INFO_EXTENSION_it 3294 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: +PROXY_POLICY_free 3295 EXIST::FUNCTION: +PROXY_POLICY_new 3296 EXIST::FUNCTION: diff --git a/util/mkerr.pl b/util/mkerr.pl index 024e26246..60e534807 100644 --- a/util/mkerr.pl +++ b/util/mkerr.pl @@ -263,7 +263,7 @@ foreach $lib (keys %csrc) } else { push @out, "/* ====================================================================\n", -" * Copyright (c) 2001-2004 The OpenSSL Project. All rights reserved.\n", +" * Copyright (c) 2001-2005 The OpenSSL Project. All rights reserved.\n", " *\n", " * Redistribution and use in source and binary forms, with or without\n", " * modification, are permitted provided that the following conditions\n", @@ -405,7 +405,7 @@ EOF print OUT <<"EOF"; /* $cfile */ /* ==================================================================== - * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions |