authorsteve <steve>2008-08-29 11:37:20 +0000
committersteve <steve>2008-08-29 11:37:20 +0000
commit1321dda5f2d84f911cd2de5d3378d2375db6d0fb (patch)
tree218999361be6fa94ae0595696bfc66a6eee69d91 /crypto/x509v3
parenta70dd40a875482d49efcab7f8ae85b26da2a5b8b (diff)
downloadopenssl-1321dda5f2d84f911cd2de5d3378d2375db6d0fb.tar.gz
Add support for CRLs partitioned by reason code.
Tidy CRL scoring system. Add new CRL path validation error.
Diffstat (limited to 'crypto/x509v3')
-rw-r--r--crypto/x509v3/v3_crld.c1
-rw-r--r--crypto/x509v3/v3_purp.c10
-rw-r--r--crypto/x509v3/x509v3.h3
3 files changed, 14 insertions, 0 deletions
diff --git a/crypto/x509v3/v3_crld.c b/crypto/x509v3/v3_crld.c
index 001edec39..17a1fbf62 100644
--- a/crypto/x509v3/v3_crld.c
+++ b/crypto/x509v3/v3_crld.c
@@ -191,6 +191,7 @@ static int set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx,
}
static const BIT_STRING_BITNAME reason_flags[] = {
+{0, "Unused", "unused"},
{1, "Key Compromise", "keyCompromise"},
{2, "CA Compromise", "CACompromise"},
{3, "Affiliation Changed", "affiliationChanged"},
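Review bot: The new `{0, "Unused", "unused"}` entry makes bit 0 a named reason in the table, yet the `CRLDP_ALL_REASONS` mask (0x807f) added in x509v3.h in this same commit deliberately clears that bit in setup_dp, so a distribution point whose reasons are set to "unused" through this table would presumably end up with no effective reasons. If the entry exists only so the bit prints correctly, a short comment would save the next reader from trying to configure it: `/* bit 0 is "unused" per RFC 5280; listed for printing, it is masked out of dp_reasons */`. I cannot see from this hunk whether reason_flags is consumed by the config parser as well as the printer, so this may be intentional.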
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index bdf72227e..2234bf147 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -318,6 +318,16 @@ static void setup_dp(X509 *x, DIST_POINT *dp)
{
X509_NAME *iname = NULL;
int i;
+ if (dp->reasons)
+ {
+ if (dp->reasons->length > 0)
+ dp->dp_reasons = dp->reasons->data[0];
+ if (dp->reasons->length > 1)
+ dp->dp_reasons |= (dp->reasons->data[1] << 8);
+ dp->dp_reasons &= CRLDP_ALL_REASONS;
+ }
+ else
+ dp->dp_reasons = CRLDP_ALL_REASONS;
if (!dp->distpoint || (dp->distpoint->type != 1))
return;
for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++)
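Review bot: In the `if (dp->reasons)` branch, a present but zero-length bit string skips both assignments and goes straight to `dp->dp_reasons &= CRLDP_ALL_REASONS;`, so the resulting value depends on `dp_reasons` having been zero-filled when the DIST_POINT was allocated — which this hunk does not establish. Adding `dp->dp_reasons = 0;` as the first statement of the branch makes the decoding independent of the allocator and gives the empty-string case a defined meaning (no reasons). A comment on the assembly would also help, since the byte order is not obvious: `/* first octet of the BIT STRING -> low byte, second octet -> high byte; bit 0 ("unused") is masked off */`. setup_dp continues past the end of the hunk.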
diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h
index c4a8cfca8..c824cf01f 100644
--- a/crypto/x509v3/x509v3.h
+++ b/crypto/x509v3/x509v3.h
@@ -223,11 +223,14 @@ union {
/* If relativename then this contains the full distribution point name */
X509_NAME *dpname;
} DIST_POINT_NAME;
+/* All existing reasons */
+#define CRLDP_ALL_REASONS 0x807f
struct DIST_POINT_st {
DIST_POINT_NAME *distpoint;
ASN1_BIT_STRING *reasons;
GENERAL_NAMES *CRLissuer;
+int dp_reasons;
};
typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS;
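Review bot: `int dp_reasons;` is added to `struct DIST_POINT_st` with no comment, and nothing in the header says how it relates to the `reasons` bit string right above it or who fills it in; setup_dp in v3_purp.c (same commit) derives it from `reasons`, so a reader of the header alone cannot tell whether the two may disagree. I would document it as `/* decoded copy of 'reasons' in host int form, set by setup_dp(); CRLDP_ALL_REASONS when 'reasons' is absent */`. The `/* All existing reasons */` comment on `CRLDP_ALL_REASONS` would likewise be clearer as `/* mask of the defined reason bits in dp_reasons: low byte = first BIT STRING octet (bits 1-7), high byte = second octet (bit 8); excludes bit 0 "unused" */`, since 0x807f only makes sense once the byte layout from setup_dp is known.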