[openssl-commits] [openssl] master update
Dr. Stephen Henson
steve at openssl.org
Thu Oct 15 14:37:36 UTC 2015
The branch master has been updated
via f51e5ed6b4b91d12228da873db72aa28109d1797 (commit)
via 34a42e1489bf4f45bfad069eceba56315d4713be (commit)
via 81e4943843773a04067703e0dc1668ec5d3b4cf1 (commit)
via 4392479c08392feb4be2ecb9d1b5decc50e32df0 (commit)
via 272d917deb0534a6a9b13e22ff16e4c95406d1ed (commit)
via 4002da0f52828dc4a495f7ac163d9e77c2774f3e (commit)
from f4f78ff7daf15f609a8bef1179d01cc982e37478 (commit)
- Log -----------------------------------------------------------------
commit f51e5ed6b4b91d12228da873db72aa28109d1797
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Wed Aug 5 03:21:40 2015 +0100
Fix self signed handling.
Don't mark a certificate as self signed if keyUsage is present and
certificate signing not asserted.
PR#3979
Reviewed-by: Matt Caswell <matt at openssl.org>
commit 34a42e1489bf4f45bfad069eceba56315d4713be
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Sun Oct 11 21:13:42 2015 +0100
embed CRL serial number and signature fields
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 81e4943843773a04067703e0dc1668ec5d3b4cf1
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Sun Oct 11 21:05:49 2015 +0100
embed certificate serial number and signature fields
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 4392479c08392feb4be2ecb9d1b5decc50e32df0
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Sun Oct 11 20:44:07 2015 +0100
embed value field of X509_EXTENSION
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 272d917deb0534a6a9b13e22ff16e4c95406d1ed
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Sun Oct 11 21:20:19 2015 +0100
add CHANGES entry for embed
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 4002da0f52828dc4a495f7ac163d9e77c2774f3e
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Sun Oct 11 23:25:08 2015 +0100
Handle embed flag in ASN1_STRING_copy().
Reviewed-by: Rich Salz <rsalz at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
CHANGES | 21 +++++++++++++++++++++
crypto/asn1/asn1_lib.c | 4 +++-
crypto/include/internal/x509_int.h | 8 ++++----
crypto/x509/t_x509.c | 2 +-
crypto/x509/x509_cmp.c | 10 +++++-----
crypto/x509/x509_lcl.h | 2 +-
crypto/x509/x509_set.c | 15 +++++----------
crypto/x509/x509_v3.c | 4 ++--
crypto/x509/x509_vfy.c | 2 +-
crypto/x509/x509cset.c | 17 ++++++-----------
crypto/x509/x_all.c | 11 ++++++-----
crypto/x509/x_crl.c | 14 +++++++-------
crypto/x509/x_exten.c | 2 +-
crypto/x509/x_x509.c | 6 +++---
crypto/x509v3/v3_purp.c | 19 ++++++++++---------
15 files changed, 76 insertions(+), 61 deletions(-)
diff --git a/CHANGES b/CHANGES
index 3d9c183..cfbb7a7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3,6 +3,27 @@
_______________
Changes between 1.0.2 and 1.1.0 [xx XXX xxxx]
+
+ *) New ASN.1 embed macro.
+
+ New ASN.1 macro ASN1_EMBED. This is the same as ASN1_SIMPLE except the
+ structure is not allocated: it is part of the parent. That is instead of
+
+ FOO *x;
+
+ it must be:
+
+ FOO x;
+
+ This reduces memory fragmentation and make it impossible to accidentally
+ set a mandatory field to NULL.
+
+ This currently only works for some fields specifically a SEQUENCE, CHOICE,
+ or ASN1_STRING type which is part of a parent SEQUENCE. Since it is
+ equivalent to ASN1_SIMPLE it cannot be tagged, OPTIONAL, SET OF or
+ SEQUENCE OF.
+ [Steve Henson]
+
*) Remove EVP_CHECK_DES_KEY, a compile-time option that never compiled.
[Emilia Käsper]
diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c
index 12248db..ef9223c 100644
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -284,7 +284,9 @@ int ASN1_STRING_copy(ASN1_STRING *dst, const ASN1_STRING *str)
dst->type = str->type;
if (!ASN1_STRING_set(dst, str->data, str->length))
return 0;
- dst->flags = str->flags;
+ /* Copy flags but preserve embed value */
+ dst->flags &= ASN1_STRING_FLAG_EMBED;
+ dst->flags |= str->flags & ~ASN1_STRING_FLAG_EMBED;
return 1;
}
diff --git a/crypto/include/internal/x509_int.h b/crypto/include/internal/x509_int.h
index 8fd0bcf..5997a21 100644
--- a/crypto/include/internal/x509_int.h
+++ b/crypto/include/internal/x509_int.h
@@ -121,7 +121,7 @@ struct X509_crl_info_st {
struct X509_crl_st {
X509_CRL_INFO crl; /* signed CRL data */
X509_ALGOR sig_alg; /* CRL signature algorithm */
- ASN1_BIT_STRING *signature; /* CRL signature */
+ ASN1_BIT_STRING signature; /* CRL signature */
int references;
int flags;
/*
@@ -145,7 +145,7 @@ struct X509_crl_st {
};
struct x509_revoked_st {
- ASN1_INTEGER *serialNumber; /* revoked entry serial number */
+ ASN1_INTEGER serialNumber; /* revoked entry serial number */
ASN1_TIME *revocationDate; /* revocation date */
STACK_OF(X509_EXTENSION) *extensions; /* CRL entry extensions: optional */
/* decoded value of CRLissuer extension: set if indirect CRL */
@@ -176,7 +176,7 @@ struct x509_cert_aux_st {
struct x509_cinf_st {
ASN1_INTEGER *version; /* [ 0 ] default of v1 */
- ASN1_INTEGER *serialNumber;
+ ASN1_INTEGER serialNumber;
X509_ALGOR signature;
X509_NAME *issuer;
X509_VAL validity;
@@ -191,7 +191,7 @@ struct x509_cinf_st {
struct x509_st {
X509_CINF cert_info;
X509_ALGOR sig_alg;
- ASN1_BIT_STRING *signature;
+ ASN1_BIT_STRING signature;
int valid;
int references;
char *name;
diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c
index 4cab108..5a73db1 100644
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
@@ -238,7 +238,7 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
ci->extensions, cflag, 8);
if (!(cflag & X509_FLAG_NO_SIGDUMP)) {
- if (X509_signature_print(bp, &x->sig_alg, x->signature) <= 0)
+ if (X509_signature_print(bp, &x->sig_alg, &x->signature) <= 0)
goto err;
}
if (!(cflag & X509_FLAG_NO_AUX)) {
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 1e469f9..4017545 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -72,7 +72,7 @@ int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b)
ai = &a->cert_info;
bi = &b->cert_info;
- i = ASN1_INTEGER_cmp(ai->serialNumber, bi->serialNumber);
+ i = ASN1_INTEGER_cmp(&ai->serialNumber, &bi->serialNumber);
if (i)
return (i);
return (X509_NAME_cmp(ai->issuer, bi->issuer));
@@ -94,8 +94,8 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
goto err;
OPENSSL_free(f);
if (!EVP_DigestUpdate
- (&ctx, (unsigned char *)a->cert_info.serialNumber->data,
- (unsigned long)a->cert_info.serialNumber->length))
+ (&ctx, (unsigned char *)a->cert_info.serialNumber.data,
+ (unsigned long)a->cert_info.serialNumber.length))
goto err;
if (!EVP_DigestFinal_ex(&ctx, &(md[0]), NULL))
goto err;
@@ -152,7 +152,7 @@ X509_NAME *X509_get_subject_name(X509 *a)
ASN1_INTEGER *X509_get_serialNumber(X509 *a)
{
- return (a->cert_info.serialNumber);
+ return &a->cert_info.serialNumber;
}
unsigned long X509_subject_name_hash(X509 *x)
@@ -278,7 +278,7 @@ X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name,
if (!sk)
return NULL;
- x.cert_info.serialNumber = serial;
+ x.cert_info.serialNumber = *serial;
x.cert_info.issuer = name;
for (i = 0; i < sk_X509_num(sk); i++) {
diff --git a/crypto/x509/x509_lcl.h b/crypto/x509/x509_lcl.h
index 71c8a2a..af04341 100644
--- a/crypto/x509/x509_lcl.h
+++ b/crypto/x509/x509_lcl.h
@@ -98,7 +98,7 @@ struct x509_attributes_st {
struct X509_extension_st {
ASN1_OBJECT *object;
ASN1_BOOLEAN critical;
- ASN1_OCTET_STRING *value;
+ ASN1_OCTET_STRING value;
};
/*
diff --git a/crypto/x509/x509_set.c b/crypto/x509/x509_set.c
index 7873edf..38ec0db 100644
--- a/crypto/x509/x509_set.c
+++ b/crypto/x509/x509_set.c
@@ -85,16 +85,11 @@ int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial)
ASN1_INTEGER *in;
if (x == NULL)
- return (0);
- in = x->cert_info.serialNumber;
- if (in != serial) {
- in = ASN1_INTEGER_dup(serial);
- if (in != NULL) {
- ASN1_INTEGER_free(x->cert_info.serialNumber);
- x->cert_info.serialNumber = in;
- }
- }
- return (in != NULL);
+ return 0;
+ in = &x->cert_info.serialNumber;
+ if (in != serial)
+ return ASN1_STRING_copy(in, serial);
+ return 1;
}
int X509_set_issuer_name(X509 *x, X509_NAME *name)
diff --git a/crypto/x509/x509_v3.c b/crypto/x509/x509_v3.c
index 4e9c8f5..f192979 100644
--- a/crypto/x509/x509_v3.c
+++ b/crypto/x509/x509_v3.c
@@ -253,7 +253,7 @@ int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data)
if (ex == NULL)
return (0);
- i = ASN1_OCTET_STRING_set(ex->value, data->data, data->length);
+ i = ASN1_OCTET_STRING_set(&ex->value, data->data, data->length);
if (!i)
return (0);
return (1);
@@ -270,7 +270,7 @@ ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ex)
{
if (ex == NULL)
return (NULL);
- return (ex->value);
+ return &ex->value;
}
int X509_EXTENSION_get_critical(X509_EXTENSION *ex)
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 9cecde7..1ae3675 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -2088,7 +2088,7 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
* Add only if not also in base. TODO: need something cleverer here
* for some more complex CRLs covering multiple CAs.
*/
- if (!X509_CRL_get0_by_serial(base, &rvtmp, rvn->serialNumber)) {
+ if (!X509_CRL_get0_by_serial(base, &rvtmp, &rvn->serialNumber)) {
rvtmp = X509_REVOKED_dup(rvn);
if (!rvtmp)
goto memerr;
diff --git a/crypto/x509/x509cset.c b/crypto/x509/x509cset.c
index a779fd4..899d492 100644
--- a/crypto/x509/x509cset.c
+++ b/crypto/x509/x509cset.c
@@ -172,7 +172,7 @@ void X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg,
X509_CRL *crl)
{
if (psig != NULL)
- *psig = crl->signature;
+ *psig = &crl->signature;
if (palg != NULL)
*palg = &crl->sig_alg;
}
@@ -206,7 +206,7 @@ int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm)
ASN1_INTEGER *X509_REVOKED_get0_serialNumber(X509_REVOKED *x)
{
- return x->serialNumber;
+ return &x->serialNumber;
}
int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial)
@@ -215,15 +215,10 @@ int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial)
if (x == NULL)
return (0);
- in = x->serialNumber;
- if (in != serial) {
- in = ASN1_INTEGER_dup(serial);
- if (in != NULL) {
- ASN1_INTEGER_free(x->serialNumber);
- x->serialNumber = in;
- }
- }
- return (in != NULL);
+ in = &x->serialNumber;
+ if (in != serial)
+ return ASN1_STRING_copy(in, serial);
+ return 1;
}
STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(X509_REVOKED *r)
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index 1db66f6..5c5f573 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -77,7 +77,7 @@ int X509_verify(X509 *a, EVP_PKEY *r)
if (X509_ALGOR_cmp(&a->sig_alg, &a->cert_info.signature))
return 0;
return (ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF), &a->sig_alg,
- a->signature, &a->cert_info, r));
+ &a->signature, &a->cert_info, r));
}
int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r)
@@ -96,7 +96,8 @@ int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
{
x->cert_info.enc.modified = 1;
return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature,
- &x->sig_alg, x->signature, &x->cert_info, pkey, md));
+ &x->sig_alg, &x->signature, &x->cert_info, pkey,
+ md));
}
int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
@@ -104,7 +105,7 @@ int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
x->cert_info.enc.modified = 1;
return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF),
&x->cert_info.signature,
- &x->sig_alg, x->signature, &x->cert_info, ctx);
+ &x->sig_alg, &x->signature, &x->cert_info, ctx);
}
int X509_http_nbio(OCSP_REQ_CTX *rctx, X509 **pcert)
@@ -130,14 +131,14 @@ int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
{
x->crl.enc.modified = 1;
return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
- &x->sig_alg, x->signature, &x->crl, pkey, md));
+ &x->sig_alg, &x->signature, &x->crl, pkey, md));
}
int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
{
x->crl.enc.modified = 1;
return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO),
- &x->crl.sig_alg, &x->sig_alg, x->signature,
+ &x->crl.sig_alg, &x->sig_alg, &x->signature,
&x->crl, ctx);
}
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index c8889d1..79fa5ca 100644
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
@@ -69,7 +69,7 @@ static int X509_REVOKED_cmp(const X509_REVOKED *const *a,
static void setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp);
ASN1_SEQUENCE(X509_REVOKED) = {
- ASN1_SIMPLE(X509_REVOKED,serialNumber, ASN1_INTEGER),
+ ASN1_EMBED(X509_REVOKED,serialNumber, ASN1_INTEGER),
ASN1_SIMPLE(X509_REVOKED,revocationDate, ASN1_TIME),
ASN1_SEQUENCE_OF_OPT(X509_REVOKED,extensions, X509_EXTENSION)
} ASN1_SEQUENCE_END(X509_REVOKED)
@@ -333,7 +333,7 @@ static void setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp)
ASN1_SEQUENCE_ref(X509_CRL, crl_cb, CRYPTO_LOCK_X509_CRL) = {
ASN1_EMBED(X509_CRL, crl, X509_CRL_INFO),
ASN1_EMBED(X509_CRL, sig_alg, X509_ALGOR),
- ASN1_SIMPLE(X509_CRL, signature, ASN1_BIT_STRING)
+ ASN1_EMBED(X509_CRL, signature, ASN1_BIT_STRING)
} ASN1_SEQUENCE_END_ref(X509_CRL, X509_CRL)
IMPLEMENT_ASN1_FUNCTIONS(X509_REVOKED)
@@ -349,8 +349,8 @@ IMPLEMENT_ASN1_DUP_FUNCTION(X509_CRL)
static int X509_REVOKED_cmp(const X509_REVOKED *const *a,
const X509_REVOKED *const *b)
{
- return (ASN1_STRING_cmp((ASN1_STRING *)(*a)->serialNumber,
- (ASN1_STRING *)(*b)->serialNumber));
+ return (ASN1_STRING_cmp((ASN1_STRING *)&(*a)->serialNumber,
+ (ASN1_STRING *)&(*b)->serialNumber));
}
int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev)
@@ -394,7 +394,7 @@ int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x)
static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r)
{
return (ASN1_item_verify(ASN1_ITEM_rptr(X509_CRL_INFO),
- &crl->sig_alg, crl->signature, &crl->crl, r));
+ &crl->sig_alg, &crl->signature, &crl->crl, r));
}
static int crl_revoked_issuer_match(X509_CRL *crl, X509_NAME *nm,
@@ -430,7 +430,7 @@ static int def_crl_lookup(X509_CRL *crl,
{
X509_REVOKED rtmp, *rev;
int idx;
- rtmp.serialNumber = serial;
+ rtmp.serialNumber = *serial;
/*
* Sort revoked into serial number order if not already sorted. Do this
* under a lock to avoid race condition.
@@ -446,7 +446,7 @@ static int def_crl_lookup(X509_CRL *crl,
/* Need to look for matching name */
for (; idx < sk_X509_REVOKED_num(crl->crl.revoked); idx++) {
rev = sk_X509_REVOKED_value(crl->crl.revoked, idx);
- if (ASN1_INTEGER_cmp(rev->serialNumber, serial))
+ if (ASN1_INTEGER_cmp(&rev->serialNumber, serial))
return 0;
if (crl_revoked_issuer_match(crl, issuer, rev)) {
if (ret)
diff --git a/crypto/x509/x_exten.c b/crypto/x509/x_exten.c
index c0d4c96..c5b391f 100644
--- a/crypto/x509/x_exten.c
+++ b/crypto/x509/x_exten.c
@@ -66,7 +66,7 @@
ASN1_SEQUENCE(X509_EXTENSION) = {
ASN1_SIMPLE(X509_EXTENSION, object, ASN1_OBJECT),
ASN1_OPT(X509_EXTENSION, critical, ASN1_BOOLEAN),
- ASN1_SIMPLE(X509_EXTENSION, value, ASN1_OCTET_STRING)
+ ASN1_EMBED(X509_EXTENSION, value, ASN1_OCTET_STRING)
} ASN1_SEQUENCE_END(X509_EXTENSION)
ASN1_ITEM_TEMPLATE(X509_EXTENSIONS) =
diff --git a/crypto/x509/x_x509.c b/crypto/x509/x_x509.c
index 92d4fa3..ad2309c 100644
--- a/crypto/x509/x_x509.c
+++ b/crypto/x509/x_x509.c
@@ -66,7 +66,7 @@
ASN1_SEQUENCE_enc(X509_CINF, enc, 0) = {
ASN1_EXP_OPT(X509_CINF, version, ASN1_INTEGER, 0),
- ASN1_SIMPLE(X509_CINF, serialNumber, ASN1_INTEGER),
+ ASN1_EMBED(X509_CINF, serialNumber, ASN1_INTEGER),
ASN1_EMBED(X509_CINF, signature, X509_ALGOR),
ASN1_SIMPLE(X509_CINF, issuer, X509_NAME),
ASN1_EMBED(X509_CINF, validity, X509_VAL),
@@ -135,7 +135,7 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
ASN1_SEQUENCE_ref(X509, x509_cb, CRYPTO_LOCK_X509) = {
ASN1_EMBED(X509, cert_info, X509_CINF),
ASN1_EMBED(X509, sig_alg, X509_ALGOR),
- ASN1_SIMPLE(X509, signature, ASN1_BIT_STRING)
+ ASN1_EMBED(X509, signature, ASN1_BIT_STRING)
} ASN1_SEQUENCE_END_ref(X509, X509)
IMPLEMENT_ASN1_FUNCTIONS(X509)
@@ -215,7 +215,7 @@ int i2d_re_X509_tbs(X509 *x, unsigned char **pp)
void X509_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509 *x)
{
if (psig)
- *psig = x->signature;
+ *psig = &x->signature;
if (palg)
*palg = &x->sig_alg;
}
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 43f3551..90b3abc 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -380,6 +380,14 @@ static void setup_crldp(X509 *x)
setup_dp(x, sk_DIST_POINT_value(x->crldp, i));
}
+#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
+#define ku_reject(x, usage) \
+ (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
+#define xku_reject(x, usage) \
+ (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
+#define ns_reject(x, usage) \
+ (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
+
static void x509v3_cache_extensions(X509 *x)
{
BASIC_CONSTRAINTS *bs;
@@ -497,7 +505,8 @@ static void x509v3_cache_extensions(X509 *x)
if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) {
x->ex_flags |= EXFLAG_SI;
/* If SKID matches AKID also indicate self signed */
- if (X509_check_akid(x, x->akid) == X509_V_OK)
+ if (X509_check_akid(x, x->akid) == X509_V_OK &&
+ !ku_reject(x, KU_KEY_CERT_SIGN))
x->ex_flags |= EXFLAG_SS;
}
x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
@@ -536,14 +545,6 @@ static void x509v3_cache_extensions(X509 *x)
* 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
*/
-#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
-#define ku_reject(x, usage) \
- (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
-#define xku_reject(x, usage) \
- (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
-#define ns_reject(x, usage) \
- (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
-
static int check_ca(const X509 *x)
{
/* keyUsage if present should allow cert signing */
More information about the openssl-commits
mailing list