[openssl-commits] [openssl] master update
Dr. Stephen Henson
steve at openssl.org
Tue Sep 1 20:17:00 UTC 2015
The branch master has been updated
via 6c41ee7c6530b23267ed20f95143a2a682796fef (commit)
via 361136f4b39de26edcc275f8fe1471bcb90feb64 (commit)
via 063f1f0c693a10aab6a7227df15d4120ed824856 (commit)
via af183984c3feaae693f4785be71dc1e098991d6f (commit)
from fb029cebaeb6b0dbdb05a26a515e38a52a3c0fa1 (commit)
- Log -----------------------------------------------------------------
commit 6c41ee7c6530b23267ed20f95143a2a682796fef
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Tue Sep 1 19:09:20 2015 +0100
make update
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 361136f4b39de26edcc275f8fe1471bcb90feb64
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Tue Sep 1 18:56:58 2015 +0100
Document extension functions
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 063f1f0c693a10aab6a7227df15d4120ed824856
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Tue Sep 1 17:48:05 2015 +0100
functions to retrieve certificate flags
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit af183984c3feaae693f4785be71dc1e098991d6f
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Tue Sep 1 16:07:05 2015 +0100
use uint32_t for certificate flags
Reviewed-by: Rich Salz <rsalz at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
crypto/x509v3/v3_purp.c | 22 ++++++
doc/crypto/X509_get_extension_flags.pod | 115 ++++++++++++++++++++++++++++++++
include/openssl/x509.h | 8 +--
include/openssl/x509v3.h | 5 ++
util/libeay.num | 3 +
5 files changed, 149 insertions(+), 4 deletions(-)
create mode 100644 doc/crypto/X509_get_extension_flags.pod
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 1f9296a..13c5120 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -841,3 +841,25 @@ int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
}
return X509_V_OK;
}
+
+uint32_t X509_get_extension_flags(X509 *x)
+{
+ X509_check_purpose(x, -1, -1);
+ return x->ex_flags;
+}
+
+uint32_t X509_get_key_usage(X509 *x)
+{
+ X509_check_purpose(x, -1, -1);
+ if (x->ex_flags & EXFLAG_KUSAGE)
+ return x->ex_kusage;
+ return UINT32_MAX;
+}
+
+uint32_t X509_get_extended_key_usage(X509 *x)
+{
+ X509_check_purpose(x, -1, -1);
+ if (x->ex_flags & EXFLAG_XKUSAGE)
+ return x->ex_xkusage;
+ return UINT32_MAX;
+}
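Review bot: X509_get_key_usage() and X509_get_extended_key_usage() return UINT32_MAX whenever the EXFLAG_KUSAGE / EXFLAG_XKUSAGE bit is clear, and that bit is also clear when the extension was present but could not be decoded; the cache routine that sets these flags (x509v3_cache_extensions, outside this hunk) appears to raise EXFLAG_INVALID in that case rather than EXFLAG_KUSAGE, so a malformed key usage extension reads back as "unrestricted". A caller that only masks the result (`if (X509_get_key_usage(x) & KU_KEY_CERT_SIGN)`) would therefore accept such a certificate, which the function comments should warn about, e.g. `/* Returns UINT32_MAX when no key usage is cached (absent OR undecodable); callers must check X509_get_extension_flags() for EXFLAG_INVALID first. */`. The return value of X509_check_purpose() is also discarded in all three getters; with id == -1 it seems to only populate the cache and return 1 today, but if it ever gains a failure path these functions will silently return whatever is in the uninitialised cache fields, so `(void)` the call deliberately or propagate the failure.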
diff --git a/doc/crypto/X509_get_extension_flags.pod b/doc/crypto/X509_get_extension_flags.pod
new file mode 100644
index 0000000..2950bd7
--- /dev/null
+++ b/doc/crypto/X509_get_extension_flags.pod
@@ -0,0 +1,115 @@
+=pod
+
+=head1 NAME
+
+X509_get_extension_flags, X509_get_key_usage, X509_get_extended_key_usage -
+retrieve certificate extension flags.
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509v3.h>
+
+ uint32_t X509_get_extension_flags(X509 *x);
+ uint32_t X509_get_key_usage(X509 *x);
+ uint32_t X509_get_extended_key_usage(X509 *x);
+
+=head1 DESCRIPTION
+
+These functions retrieve flags related to commonly used certificate extensions.
+
+X509_get_extension_flags() retrieves general information about a certificate,
+it will return one or more of the following flags ored together.
+
+=over 4
+
+=item B<EXFLAG_V1>
+
+The certificate is an obsolete version 1 certificate.
+
+=item B<EXFLAG_BCONS>
+
+The certificate contains a basic constraints extension.
+
+=item B<EXFLAG_CA>
+
+The certificate contains basic constraints and asserts the CA flag.
+
+=item B<EXFLAG_PROXY>
+
+The certificate is a valid proxy certificate.
+
+=item B<EXFLAG_SI>
+
+The certificate is self issued (that is subject and issuer names match).
+
+=item B<EXFLAG_SS>
+
+The subject and issuer names match and extension values imply it is self
+signed.
+
+=item B<EXFLAG_FRESHEST>
+
+The freshest CRL extension is present in the certificate.
+
+=item B<EXFLAG_CRITICAL>
+
+The certificate contains an unhandled critical extension.
+
+=item B<EXFLAG_INVALID>
+
+Some certificate extension values are invalid or inconsistent. The
+certificate should be rejected.
+
+=item B<EXFLAG_KUSAGE>
+
+The certificate contains a key usage extension. The value can be retrieved
+using X509_get_key_usage().
+
+=item B<EXFLAG_XKUSAGE>
+
+The certificate contains an extended key usage extension. The value can be
+retrieved using X509_get_extended_key_usage().
+
+=back
+
+X509_get_key_usage() returns the value of the key usage extension. If key
+usage is present will return zero or more of the flags:
+B<KU_DIGITAL_SIGNATURE>, B<KU_NON_REPUDIATION>, B<KU_KEY_ENCIPHERMENT>,
+B<KU_DATA_ENCIPHERMENT>, B<KU_KEY_AGREEMENT>, B<KU_KEY_CERT_SIGN>,
+B<KU_CRL_SIGN>, B<KU_ENCIPHER_ONLY> or B<KU_DECIPHER_ONLY> corresponding to
+individual key usage bits. If key usage is absent then B<UINT32_MAX> is
+returned.
+
+X509_get_extended_key_usage() returns the value of the extended key usage
+extension. If extended key usage is present it will return zero or more of the
+flags: B<XKU_SSL_SERVER>, B<XKU_SSL_CLIENT>, B<XKU_SMIME>, B<XKU_CODE_SIGN>
+B<XKU_OCSP_SIGN>, B<XKU_TIMESTAMP>, B<XKU_DVCS> or B<XKU_ANYEKU>. These
+correspond to the OIDs B<id-kp-serverAuth>, B<id-kp-clientAuth>,
+B<id-kp-emailProtection>, B<id-kp-codeSigning>, B<id-kp-OCSPSigning>,
+B<id-kp-timeStamping>, B<id-kp-dvcs> and B<anyExtendedKeyUsage> respectively.
+Additionally B<XKU_SGC> is set if either Netscape or Microsoft SGC OIDs are
+present.
+
+=head1 NOTES
+
+The value of the flags correspond to extension values which are cached
+in the B<X509> structure. If the flags returned do not provide sufficient
+information an application should examine extension values directly.
+
+If the key usage or extended key usage extension is absent then typically usage
+is unrestricted. For this reason X509_get_key_usage() and
+X509_get_extended_key_usage() return B<UINT32_MAX> when the corresponding
+extension is absent. Applications can additionally check the return value of
+X509_get_extension_flags() and take appropriate action is an extension is
+absent.
+
+=head1 RETURN VALUE
+
+These functions all return sets of flags corresponding to the certificate
+extension values.
+
+=head1 SEE ALSO
+
+L<X509_check_purpose(3)>
+
+=cut
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 4e816ea..5e795c0 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -197,10 +197,10 @@ struct x509_st {
/* These contain copies of various extension values */
long ex_pathlen;
long ex_pcpathlen;
- unsigned long ex_flags;
- unsigned long ex_kusage;
- unsigned long ex_xkusage;
- unsigned long ex_nscert;
+ uint32_t ex_flags;
+ uint32_t ex_kusage;
+ uint32_t ex_xkusage;
+ uint32_t ex_nscert;
ASN1_OCTET_STRING *skid;
AUTHORITY_KEYID *akid;
X509_POLICY_CACHE *policy_cache;
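Review bot: The struct fields now use uint32_t but no `#include <stdint.h>` appears in this hunk; confirm that x509.h (or the e_os2.h it pulls in) already makes uint32_t visible on every supported platform, otherwise a translation unit that includes x509.h first will fail to compile. Narrowing from unsigned long also changes the public layout of struct x509_st, which is an ABI break for any code that still reaches into the structure directly — presumably acceptable on master, but it deserves a CHANGES entry. The stores into these fields live in x509v3_cache_extensions, outside this hunk, and should be rechecked for implicit truncation now that the targets are 32-bit.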
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
index a46ec5d..19fcb39 100644
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -696,6 +696,11 @@ int X509_supported_extension(X509_EXTENSION *ex);
int X509_PURPOSE_set(int *p, int purpose);
int X509_check_issued(X509 *issuer, X509 *subject);
int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid);
+
+uint32_t X509_get_extension_flags(X509 *x);
+uint32_t X509_get_key_usage(X509 *x);
+uint32_t X509_get_extended_key_usage(X509 *x);
+
int X509_PURPOSE_get_count(void);
X509_PURPOSE *X509_PURPOSE_get0(int idx);
int X509_PURPOSE_get_by_sname(char *sname);
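Review bot: The new prototypes carry no comment explaining that the X509 argument is deliberately non-const (the getters populate the extension cache on first use) or that UINT32_MAX, not 0, signals an absent extension, so `X509_get_key_usage(x) & KU_DIGITAL_SIGNATURE` is true for a certificate with no key usage extension at all. A short comment above the block would head off the obvious misuse: `/* Cached extension values; the first call may populate the cache (hence non-const x). */` and `/* KU/XKU getters return UINT32_MAX when the extension is absent. */`.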
diff --git a/util/libeay.num b/util/libeay.num
index 1e3671f..080066a 100755
--- a/util/libeay.num
+++ b/util/libeay.num
@@ -4592,3 +4592,6 @@ X509_up_ref 4950 EXIST::FUNCTION:
X509_REQ_get_version 4951 EXIST::FUNCTION:
X509_REQ_get_subject_name 4952 EXIST::FUNCTION:
X509_CRL_up_ref 4953 EXIST::FUNCTION:
+X509_get_extension_flags 4954 EXIST::FUNCTION:
+X509_get_extended_key_usage 4955 EXIST::FUNCTION:
+X509_get_key_usage 4956 EXIST::FUNCTION: