[openssl-commits] [openssl] master update

Dr. Stephen Henson steve at openssl.org
Tue Sep 1 20:17:00 UTC 2015

The branch master has been updated
       via  6c41ee7c6530b23267ed20f95143a2a682796fef (commit)
       via  361136f4b39de26edcc275f8fe1471bcb90feb64 (commit)
       via  063f1f0c693a10aab6a7227df15d4120ed824856 (commit)
       via  af183984c3feaae693f4785be71dc1e098991d6f (commit)
      from  fb029cebaeb6b0dbdb05a26a515e38a52a3c0fa1 (commit)

- Log -----------------------------------------------------------------
commit 6c41ee7c6530b23267ed20f95143a2a682796fef
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Tue Sep 1 19:09:20 2015 +0100

    make update
    Reviewed-by: Rich Salz <rsalz at openssl.org>

commit 361136f4b39de26edcc275f8fe1471bcb90feb64
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Tue Sep 1 18:56:58 2015 +0100

    Document extension functions
    Reviewed-by: Rich Salz <rsalz at openssl.org>

commit 063f1f0c693a10aab6a7227df15d4120ed824856
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Tue Sep 1 17:48:05 2015 +0100

    functions to retrieve certificate flags
    Reviewed-by: Rich Salz <rsalz at openssl.org>

commit af183984c3feaae693f4785be71dc1e098991d6f
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Tue Sep 1 16:07:05 2015 +0100

    use uint32_t for certificate flags
    Reviewed-by: Rich Salz <rsalz at openssl.org>


Summary of changes:
 crypto/x509v3/v3_purp.c                 |  22 ++++++
 doc/crypto/X509_get_extension_flags.pod | 115 ++++++++++++++++++++++++++++++++
 include/openssl/x509.h                  |   8 +--
 include/openssl/x509v3.h                |   5 ++
 util/libeay.num                         |   3 +
 5 files changed, 149 insertions(+), 4 deletions(-)
 create mode 100644 doc/crypto/X509_get_extension_flags.pod

diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 1f9296a..13c5120 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -841,3 +841,25 @@ int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
     return X509_V_OK;
+uint32_t X509_get_extension_flags(X509 *x)
+    X509_check_purpose(x, -1, -1);
+    return x->ex_flags;
+uint32_t X509_get_key_usage(X509 *x)
+    X509_check_purpose(x, -1, -1);
+    if (x->ex_flags & EXFLAG_KUSAGE)
+        return x->ex_kusage;
+    return UINT32_MAX;
+uint32_t X509_get_extended_key_usage(X509 *x)
+    X509_check_purpose(x, -1, -1);
+    if (x->ex_flags & EXFLAG_XKUSAGE)
+        return x->ex_xkusage;
+    return UINT32_MAX;
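Review bot: all three new functions discard the return value of X509_check_purpose(x, -1, -1); it is called purely to force the cached extension fields (ex_flags, ex_kusage, ex_xkusage) to be populated before they are read. That is acceptable, but it means a caller's only signal that extension parsing failed is EXFLAG_INVALID in the flags returned by X509_get_extension_flags(), while X509_get_key_usage() and X509_get_extended_key_usage() will still hand back a value or UINT32_MAX on such a certificate. Add a comment above each `return UINT32_MAX;` stating that it means "extension absent, usage unrestricted" (the sentinel is unambiguous only because no real key usage or extended key usage value sets every bit), and make sure the pod tells callers to check for EXFLAG_INVALID before relying on the usage values, since the permissive "absent" answer must not be confused with a parse failure.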
diff --git a/doc/crypto/X509_get_extension_flags.pod b/doc/crypto/X509_get_extension_flags.pod
new file mode 100644
index 0000000..2950bd7
--- /dev/null
+++ b/doc/crypto/X509_get_extension_flags.pod
@@ -0,0 +1,115 @@
+=head1 NAME
+X509_get_extension_flags, X509_get_key_usage, X509_get_extended_key_usage -
+retrieve certificate extension flags.
+=head1 SYNOPSIS
+   #include <openssl/x509v3.h>
+   uint32_t X509_get_extension_flags(X509 *x);
+   uint32_t X509_get_key_usage(X509 *x);
+   uint32_t X509_get_extended_key_usage(X509 *x);
+These functions retrieve flags related to commonly used certificate extensions.
+X509_get_extension_flags() retrieves general information about a certificate,
+it will return one or more of the following flags ored together.
+=over 4
+=item B<EXFLAG_V1>
+The certificate is an obsolete version 1 certificate.
+The certificate contains a basic constraints extension.
+=item B<EXFLAG_CA>
+The certificate contains basic constraints and asserts the CA flag.
+The certificate is a valid proxy certificate.
+=item B<EXFLAG_SI>
+The certificate is self issued (that is subject and issuer names match).
+=item B<EXFLAG_SS>
+The subject and issuer names match and extension values imply it is self
+The freshest CRL extension is present in the certificate.
+The certificate contains an unhandled critical extension.
+Some certificate extension values are invalid or inconsistent. The
+certificate should be rejected.
+The certificate contains a key usage extension. The value can be retrieved
+using X509_get_key_usage().
+The certificate contains an extended key usage extension. The value can be
+retrieved using X509_get_extended_key_usage().
+X509_get_key_usage() returns the value of the key usage extension.  If key
+usage is present will return zero or more of the flags:
+individual key usage bits. If key usage is absent then B<UINT32_MAX> is
+X509_get_extended_key_usage() returns the value of the extended key usage
+extension. If extended key usage is present it will return zero or more of the
+correspond to the OIDs B<id-kp-serverAuth>, B<id-kp-clientAuth>,
+B<id-kp-emailProtection>, B<id-kp-codeSigning>, B<id-kp-OCSPSigning>,
+B<id-kp-timeStamping>, B<id-kp-dvcs> and B<anyExtendedKeyUsage> respectively.
+Additionally B<XKU_SGC> is set if either Netscape or Microsoft SGC OIDs are
+=head1 NOTES
+The value of the flags correspond to extension values which are cached
+in the B<X509> structure. If the flags returned do not provide sufficient
+information an application should examine extension values directly.
+If the key usage or extended key usage extension is absent then typically usage
+is unrestricted. For this reason X509_get_key_usage() and
+X509_get_extended_key_usage() return B<UINT32_MAX> when the corresponding
+extension is absent. Applications can additionally check the return value of
+X509_get_extension_flags() and take appropriate action is an extension is
+These functions all return sets of flags corresponding to the certificate
+extension values.
+=head1 SEE ALSO
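Review bot: two wording defects in the documentation: in NOTES, "take appropriate action is an extension is" should read "if an extension is", and in the X509_get_key_usage() description "If key usage is present will return zero or more" is missing "it" ("it will return"). "ored together" would read better as "OR'ed together". More substantively, the NOTES section should state that these functions call X509_check_purpose() internally and ignore its result, so an application should test the X509_get_extension_flags() result for B<EXFLAG_INVALID> (which the page itself says means the certificate "should be rejected") before treating a B<UINT32_MAX> return from X509_get_key_usage() or X509_get_extended_key_usage() as "unrestricted"; otherwise a certificate with malformed extensions gets the most permissive interpretation.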
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 4e816ea..5e795c0 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -197,10 +197,10 @@ struct x509_st {
     /* These contain copies of various extension values */
     long ex_pathlen;
     long ex_pcpathlen;
-    unsigned long ex_flags;
-    unsigned long ex_kusage;
-    unsigned long ex_xkusage;
-    unsigned long ex_nscert;
+    uint32_t ex_flags;
+    uint32_t ex_kusage;
+    uint32_t ex_xkusage;
+    uint32_t ex_nscert;
     ASN1_OCTET_STRING *skid;
     X509_POLICY_CACHE *policy_cache;
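Review bot: uint32_t requires <stdint.h> (or an OpenSSL-provided equivalent) and this hunk does not add an include, so confirm that x509.h already pulls it in via a header it includes; otherwise consumers that include x509.h without stdint.h first will fail to compile. Narrowing the four fields from unsigned long to uint32_t also changes the size and layout of struct x509_st, which is only safe if that struct is not part of the public ABI; existing code doing `unsigned long f = x->ex_flags;` keeps working, but any code passing `&x->ex_flags` as an unsigned long * would not, and the same applies to any internal helpers that take pointers to these fields.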
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
index a46ec5d..19fcb39 100644
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -696,6 +696,11 @@ int X509_supported_extension(X509_EXTENSION *ex);
 int X509_PURPOSE_set(int *p, int purpose);
 int X509_check_issued(X509 *issuer, X509 *subject);
 int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid);
+uint32_t X509_get_extension_flags(X509 *x);
+uint32_t X509_get_key_usage(X509 *x);
+uint32_t X509_get_extended_key_usage(X509 *x);
 int X509_PURPOSE_get_count(void);
 X509_PURPOSE *X509_PURPOSE_get0(int idx);
 int X509_PURPOSE_get_by_sname(char *sname);
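Review bot: the three new prototypes in the public header depend on uint32_t, so the same include check applies here as for x509.h: verify that x509v3.h (or a header it includes) provides <stdint.h>, since this hunk adds none. The X509 * parameter is correctly non-const, because X509_check_purpose() may write to the cached extension fields; a one-line comment above the prototypes saying that these accessors populate the extension cache on first use would save future readers from proposing a const version.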
diff --git a/util/libeay.num b/util/libeay.num
index 1e3671f..080066a 100755
--- a/util/libeay.num
+++ b/util/libeay.num
@@ -4592,3 +4592,6 @@ X509_up_ref                             4950	EXIST::FUNCTION:
 X509_REQ_get_version                    4951	EXIST::FUNCTION:
 X509_REQ_get_subject_name               4952	EXIST::FUNCTION:
 X509_CRL_up_ref                         4953	EXIST::FUNCTION:
+X509_get_extension_flags                4954	EXIST::FUNCTION:
+X509_get_extended_key_usage             4955	EXIST::FUNCTION:
+X509_get_key_usage                      4956	EXIST::FUNCTION:
