[openssl-commits] [openssl] master update
Dr. Stephen Henson
steve at openssl.org
Tue Sep 22 20:17:35 UTC 2015
The branch master has been updated
via e15a18de96b8c948cc69df35aba7e1e245f6c999 (commit)
via 94e84f5e958f82a9636734b56fcf17f466bfe4e4 (commit)
via 69d492eac8b065319620b6559dc4d0731ecb9952 (commit)
via d19a50c9fbd5750f6e75dcca508034e558df7276 (commit)
via 2c81e476fab0e3e0b6140652b4577bf6f3b827be (commit)
via 7e4188326b4e9c179835f6b3ee668b2a70eb0cfd (commit)
from 6a12a5740b338437cc39480452c1282d0298325d (commit)
- Log -----------------------------------------------------------------
commit e15a18de96b8c948cc69df35aba7e1e245f6c999
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Tue Sep 22 17:09:11 2015 +0100
make update
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 94e84f5e958f82a9636734b56fcf17f466bfe4e4
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Tue Sep 22 15:23:05 2015 +0100
header includes
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 69d492eac8b065319620b6559dc4d0731ecb9952
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Tue Sep 22 18:51:47 2015 +0100
Document X509_get0_subject_key_id()
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit d19a50c9fbd5750f6e75dcca508034e558df7276
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Tue Sep 22 15:19:32 2015 +0100
New function X509_get0_subject_key_id()
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 2c81e476fab0e3e0b6140652b4577bf6f3b827be
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Tue Sep 22 14:00:13 2015 +0100
Make X509 opaque
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 7e4188326b4e9c179835f6b3ee668b2a70eb0cfd
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Tue Sep 22 18:37:57 2015 +0100
Avoid structure access in crypto/ts
Reviewed-by: Rich Salz <rsalz at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
crypto/cms/cms_lib.c | 14 ++++++-----
crypto/include/internal/x509_int.h | 43 +++++++++++++++++++++++++++++++++
crypto/ts/Makefile | 4 +--
crypto/ts/ts_rsp_sign.c | 5 ++--
crypto/ts/ts_rsp_verify.c | 8 +++---
crypto/x509/Makefile | 21 ++++++++--------
crypto/x509/t_x509.c | 10 +-------
crypto/x509/x509_set.c | 1 +
crypto/x509/x_x509.c | 1 +
crypto/x509v3/Makefile | 13 ++++++----
crypto/x509v3/pcy_cache.c | 1 +
crypto/x509v3/pcy_map.c | 1 +
crypto/x509v3/v3_addr.c | 1 +
crypto/x509v3/v3_asid.c | 1 +
crypto/x509v3/v3_purp.c | 7 ++++++
doc/crypto/X509_get_extension_flags.pod | 21 +++++++++++++---
include/openssl/x509.h | 43 +--------------------------------
include/openssl/x509v3.h | 1 +
util/libeay.num | 11 +++++++++
19 files changed, 124 insertions(+), 83 deletions(-)
diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c
index ef18418..157590d 100644
--- a/crypto/cms/cms_lib.c
+++ b/crypto/cms/cms_lib.c
@@ -585,10 +585,11 @@ int cms_ias_cert_cmp(CMS_IssuerAndSerialNumber *ias, X509 *cert)
int cms_keyid_cert_cmp(ASN1_OCTET_STRING *keyid, X509 *cert)
{
- X509_check_purpose(cert, -1, -1);
- if (!cert->skid)
+ const ASN1_OCTET_STRING *cert_keyid = X509_get0_subject_key_id(cert);
+
+ if (cert_keyid == NULL)
return -1;
- return ASN1_OCTET_STRING_cmp(keyid, cert->skid);
+ return ASN1_OCTET_STRING_cmp(keyid, cert_keyid);
}
int cms_set1_ias(CMS_IssuerAndSerialNumber **pias, X509 *cert)
@@ -613,12 +614,13 @@ int cms_set1_ias(CMS_IssuerAndSerialNumber **pias, X509 *cert)
int cms_set1_keyid(ASN1_OCTET_STRING **pkeyid, X509 *cert)
{
ASN1_OCTET_STRING *keyid = NULL;
- X509_check_purpose(cert, -1, -1);
- if (!cert->skid) {
+ const ASN1_OCTET_STRING *cert_keyid;
+ cert_keyid = X509_get0_subject_key_id(cert);
+ if (cert_keyid == NULL) {
CMSerr(CMS_F_CMS_SET1_KEYID, CMS_R_CERTIFICATE_HAS_NO_KEYID);
return 0;
}
- keyid = ASN1_STRING_dup(cert->skid);
+ keyid = ASN1_STRING_dup(cert_keyid);
if (!keyid) {
CMSerr(CMS_F_CMS_SET1_KEYID, ERR_R_MALLOC_FAILURE);
return 0;
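Review bot: The new `const ASN1_OCTET_STRING *cert_keyid;` followed by a separate `cert_keyid = X509_get0_subject_key_id(cert);` is a point of style only: the sibling change in cms_keyid_cert_cmp in the hunk above initializes the same variable at its declaration, and this function should read the same way, e.g. `const ASN1_OCTET_STRING *cert_keyid = X509_get0_subject_key_id(cert);`. Behaviour is unchanged either way, since the NULL check and the ASN1_STRING_dup() copy that follow still apply. cms_set1_keyid's body continues past the end of this hunk.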
diff --git a/crypto/include/internal/x509_int.h b/crypto/include/internal/x509_int.h
index 26678cf..8fd0bcf 100644
--- a/crypto/include/internal/x509_int.h
+++ b/crypto/include/internal/x509_int.h
@@ -173,3 +173,46 @@ struct x509_cert_aux_st {
ASN1_OCTET_STRING *keyid; /* key id of private key */
STACK_OF(X509_ALGOR) *other; /* other unspecified info */
};
+
+struct x509_cinf_st {
+ ASN1_INTEGER *version; /* [ 0 ] default of v1 */
+ ASN1_INTEGER *serialNumber;
+ X509_ALGOR signature;
+ X509_NAME *issuer;
+ X509_VAL validity;
+ X509_NAME *subject;
+ X509_PUBKEY *key;
+ ASN1_BIT_STRING *issuerUID; /* [ 1 ] optional in v2 */
+ ASN1_BIT_STRING *subjectUID; /* [ 2 ] optional in v2 */
+ STACK_OF(X509_EXTENSION) *extensions; /* [ 3 ] optional in v3 */
+ ASN1_ENCODING enc;
+};
+
+struct x509_st {
+ X509_CINF cert_info;
+ X509_ALGOR sig_alg;
+ ASN1_BIT_STRING *signature;
+ int valid;
+ int references;
+ char *name;
+ CRYPTO_EX_DATA ex_data;
+ /* These contain copies of various extension values */
+ long ex_pathlen;
+ long ex_pcpathlen;
+ uint32_t ex_flags;
+ uint32_t ex_kusage;
+ uint32_t ex_xkusage;
+ uint32_t ex_nscert;
+ ASN1_OCTET_STRING *skid;
+ AUTHORITY_KEYID *akid;
+ X509_POLICY_CACHE *policy_cache;
+ STACK_OF(DIST_POINT) *crldp;
+ STACK_OF(GENERAL_NAME) *altname;
+ NAME_CONSTRAINTS *nc;
+#ifndef OPENSSL_NO_RFC3779
+ STACK_OF(IPAddressFamily) *rfc3779_addr;
+ struct ASIdentifiers_st *rfc3779_asid;
+# endif
+ unsigned char sha1_hash[SHA_DIGEST_LENGTH];
+ X509_CERT_AUX *aux;
+} /* X509 */ ;
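Review bot: Now that struct x509_st is internal, the only guidance on the cached fields (ex_pathlen through sha1_hash) is the inherited one-liner `/* These contain copies of various extension values */`, which does not say when they become valid; the new X509_get0_subject_key_id() in crypto/x509v3/v3_purp.c calls X509_check_purpose() before reading x->skid, which suggests they are filled lazily rather than by the decoder. I would extend the comment to `/* Copies of extension values, filled on demand by X509_check_purpose(); do not read before that call */` (confirm against x509v3_cache_extensions, which is outside this diff). A smaller nit carried over from the public header: `#ifndef OPENSSL_NO_RFC3779` is at column 0 while its closing `# endif` has a space after the `#`; the two should match.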
diff --git a/crypto/ts/Makefile b/crypto/ts/Makefile
index 76d1aea..754b89a 100644
--- a/crypto/ts/Makefile
+++ b/crypto/ts/Makefile
@@ -207,7 +207,7 @@ ts_rsp_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
ts_rsp_sign.o: ../../include/openssl/symhacks.h ../../include/openssl/ts.h
ts_rsp_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
ts_rsp_sign.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h
-ts_rsp_sign.o: ts_lcl.h ts_rsp_sign.c
+ts_rsp_sign.o: ../include/internal/x509_int.h ts_lcl.h ts_rsp_sign.c
ts_rsp_utils.o: ../../e_os.h ../../include/openssl/asn1.h
ts_rsp_utils.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
ts_rsp_utils.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
@@ -243,7 +243,7 @@ ts_rsp_verify.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
ts_rsp_verify.o: ../../include/openssl/symhacks.h ../../include/openssl/ts.h
ts_rsp_verify.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
ts_rsp_verify.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h
-ts_rsp_verify.o: ts_lcl.h ts_rsp_verify.c
+ts_rsp_verify.o: ../include/internal/x509_int.h ts_lcl.h ts_rsp_verify.c
ts_verify_ctx.o: ../../e_os.h ../../include/openssl/asn1.h
ts_verify_ctx.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
ts_verify_ctx.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c
index 3694239..dd6591d 100644
--- a/crypto/ts/ts_rsp_sign.c
+++ b/crypto/ts/ts_rsp_sign.c
@@ -784,12 +784,13 @@ static ESS_CERT_ID *ess_CERT_ID_new_init(X509 *cert, int issuer_needed)
{
ESS_CERT_ID *cid = NULL;
GENERAL_NAME *name = NULL;
+ unsigned char cert_sha1[SHA_DIGEST_LENGTH];
X509_check_purpose(cert, -1, 0);
if ((cid = ESS_CERT_ID_new()) == NULL)
goto err;
- if (!ASN1_OCTET_STRING_set(cid->hash, cert->sha1_hash,
- sizeof(cert->sha1_hash)))
+ X509_digest(cert, EVP_sha1(), cert_sha1, NULL);
+ if (!ASN1_OCTET_STRING_set(cid->hash, cert_sha1, SHA_DIGEST_LENGTH))
goto err;
/* Setting the issuer/serial if requested. */
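Review bot: The return value of the new `X509_digest(cert, EVP_sha1(), cert_sha1, NULL);` is discarded, so if the digest fails the uninitialised stack bytes in cert_sha1 are copied into cid->hash by the ASN1_OCTET_STRING_set() call that follows and become part of the signed ESS certificate identifier; it should be `if (!X509_digest(cert, EVP_sha1(), cert_sha1, NULL)) goto err;`. The same unchecked X509_digest() call appears in ts_find_cert in crypto/ts/ts_rsp_verify.c, where an indeterminate cert_sha1 is then fed to memcmp(). The preceding `X509_check_purpose(cert, -1, 0);` presumably existed only to populate the cached hash that this hunk stops reading, so it may now be dead — worth confirming nothing later in the function depends on the cached extension flags. ess_CERT_ID_new_init's body continues past the end of this hunk.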
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index 1133b5d..84c9b31 100644
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -289,10 +289,13 @@ static ESS_SIGNING_CERT *ess_get_signing_cert(PKCS7_SIGNER_INFO *si)
static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert)
{
int i;
+ unsigned char cert_sha1[SHA_DIGEST_LENGTH];
if (!cert_ids || !cert)
return -1;
+ X509_digest(cert, EVP_sha1(), cert_sha1, NULL);
+
/* Recompute SHA1 hash of certificate if necessary (side effect). */
X509_check_purpose(cert, -1, 0);
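Review bot: The retained comment `/* Recompute SHA1 hash of certificate if necessary (side effect). */` is now misleading: the hash is computed into cert_sha1 by the X509_digest() call added two lines above it, and the X509_check_purpose() it describes no longer has any visible effect on the comparison in the next hunk. Either drop the comment together with the call, or reword it to state what the call is still needed for, if anything later in ts_find_cert depends on the cached extension flags (the function continues past this hunk). The unchecked X509_digest() return value here is covered in the note on crypto/ts/ts_rsp_sign.c.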
@@ -300,9 +303,8 @@ static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert)
for (i = 0; i < sk_ESS_CERT_ID_num(cert_ids); ++i) {
ESS_CERT_ID *cid = sk_ESS_CERT_ID_value(cert_ids, i);
- if (cid->hash->length == sizeof(cert->sha1_hash)
- && memcmp(cid->hash->data, cert->sha1_hash,
- sizeof(cert->sha1_hash)) == 0) {
+ if (cid->hash->length == SHA_DIGEST_LENGTH
+ && memcmp(cid->hash->data, cert_sha1, SHA_DIGEST_LENGTH) == 0) {
ESS_ISSUER_SERIAL *is = cid->issuer_serial;
if (!is || !ts_issuer_serial_cmp(is, cert))
return i;
diff --git a/crypto/x509/Makefile b/crypto/x509/Makefile
index 72a53db..ba0c87e 100644
--- a/crypto/x509/Makefile
+++ b/crypto/x509/Makefile
@@ -133,19 +133,18 @@ t_req.o: ../include/internal/cryptlib.h t_req.c
t_x509.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
t_x509.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
t_x509.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-t_x509.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-t_x509.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-t_x509.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-t_x509.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-t_x509.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-t_x509.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-t_x509.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-t_x509.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+t_x509.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+t_x509.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+t_x509.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+t_x509.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+t_x509.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+t_x509.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+t_x509.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
t_x509.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
t_x509.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
t_x509.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
t_x509.o: ../include/internal/asn1_int.h ../include/internal/cryptlib.h
-t_x509.o: t_x509.c
+t_x509.o: ../include/internal/x509_int.h t_x509.c
t_x509a.o: ../../e_os.h ../../include/openssl/asn1.h
t_x509a.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
t_x509a.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
@@ -315,7 +314,7 @@ x509_set.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
x509_set.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
x509_set.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
x509_set.o: ../../include/openssl/x509_vfy.h ../include/internal/cryptlib.h
-x509_set.o: x509_set.c
+x509_set.o: ../include/internal/x509_int.h x509_set.c
x509_trs.o: ../../e_os.h ../../include/openssl/asn1.h
x509_trs.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
x509_trs.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
@@ -557,7 +556,7 @@ x_x509.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
x_x509.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
x_x509.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
x_x509.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h
-x_x509.o: x_x509.c
+x_x509.o: ../include/internal/x509_int.h x_x509.c
x_x509a.o: ../../e_os.h ../../include/openssl/asn1.h
x_x509a.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
x_x509a.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c
index b4d7a3e..4cab108 100644
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
@@ -60,19 +60,11 @@
#include "internal/cryptlib.h"
#include <openssl/buffer.h>
#include <openssl/bn.h>
-#ifndef OPENSSL_NO_RSA
-# include <openssl/rsa.h>
-#endif
-#ifndef OPENSSL_NO_DSA
-# include <openssl/dsa.h>
-#endif
-#ifndef OPENSSL_NO_EC
-# include <openssl/ec.h>
-#endif
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include "internal/asn1_int.h"
+#include "internal/x509_int.h"
#ifndef OPENSSL_NO_STDIO
int X509_print_fp(FILE *fp, X509 *x)
diff --git a/crypto/x509/x509_set.c b/crypto/x509/x509_set.c
index 1284bcb..7873edf 100644
--- a/crypto/x509/x509_set.c
+++ b/crypto/x509/x509_set.c
@@ -62,6 +62,7 @@
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
+#include "internal/x509_int.h"
int X509_set_version(X509 *x, long version)
{
diff --git a/crypto/x509/x_x509.c b/crypto/x509/x_x509.c
index d775eeb..028c75a 100644
--- a/crypto/x509/x_x509.c
+++ b/crypto/x509/x_x509.c
@@ -62,6 +62,7 @@
#include <openssl/asn1t.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#include "internal/x509_int.h"
ASN1_SEQUENCE_enc(X509_CINF, enc, 0) = {
ASN1_EXP_OPT(X509_CINF, version, ASN1_INTEGER, 0),
diff --git a/crypto/x509v3/Makefile b/crypto/x509v3/Makefile
index a80ec98..5460af4 100644
--- a/crypto/x509v3/Makefile
+++ b/crypto/x509v3/Makefile
@@ -84,7 +84,8 @@ pcy_cache.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
pcy_cache.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
pcy_cache.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
pcy_cache.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-pcy_cache.o: ../include/internal/cryptlib.h pcy_cache.c pcy_int.h
+pcy_cache.o: ../include/internal/cryptlib.h ../include/internal/x509_int.h
+pcy_cache.o: pcy_cache.c pcy_int.h
pcy_data.o: ../../e_os.h ../../include/openssl/asn1.h
pcy_data.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
pcy_data.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
@@ -126,7 +127,8 @@ pcy_map.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
pcy_map.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
pcy_map.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
pcy_map.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-pcy_map.o: ../include/internal/cryptlib.h pcy_int.h pcy_map.c
+pcy_map.o: ../include/internal/cryptlib.h ../include/internal/x509_int.h
+pcy_map.o: pcy_int.h pcy_map.c
pcy_node.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
pcy_node.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
pcy_node.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
@@ -168,7 +170,7 @@ v3_addr.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
v3_addr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
v3_addr.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
v3_addr.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h
-v3_addr.o: ext_dat.h v3_addr.c
+v3_addr.o: ../include/internal/x509_int.h ext_dat.h v3_addr.c
v3_akey.o: ../../e_os.h ../../include/openssl/asn1.h
v3_akey.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
v3_akey.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
@@ -227,7 +229,8 @@ v3_asid.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
v3_asid.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
v3_asid.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
v3_asid.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_asid.o: ../include/internal/cryptlib.h ext_dat.h v3_asid.c
+v3_asid.o: ../include/internal/cryptlib.h ../include/internal/x509_int.h
+v3_asid.o: ext_dat.h v3_asid.c
v3_bcons.o: ../../e_os.h ../../include/openssl/asn1.h
v3_bcons.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
v3_bcons.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
@@ -519,7 +522,7 @@ v3_purp.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
v3_purp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
v3_purp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
v3_purp.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h
-v3_purp.o: v3_purp.c
+v3_purp.o: ../include/internal/x509_int.h v3_purp.c
v3_scts.o: ../../e_os.h ../../include/openssl/asn1.h
v3_scts.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
v3_scts.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
diff --git a/crypto/x509v3/pcy_cache.c b/crypto/x509v3/pcy_cache.c
index 61065aa..41a748d 100644
--- a/crypto/x509v3/pcy_cache.c
+++ b/crypto/x509v3/pcy_cache.c
@@ -60,6 +60,7 @@
#include "internal/cryptlib.h"
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#include "internal/x509_int.h"
#include "pcy_int.h"
diff --git a/crypto/x509v3/pcy_map.c b/crypto/x509v3/pcy_map.c
index a4ff30c..4989a81 100644
--- a/crypto/x509v3/pcy_map.c
+++ b/crypto/x509v3/pcy_map.c
@@ -60,6 +60,7 @@
#include "internal/cryptlib.h"
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#include "internal/x509_int.h"
#include "pcy_int.h"
diff --git a/crypto/x509v3/v3_addr.c b/crypto/x509v3/v3_addr.c
index ff6fb32..f4a3bcb 100644
--- a/crypto/x509v3/v3_addr.c
+++ b/crypto/x509v3/v3_addr.c
@@ -68,6 +68,7 @@
#include <openssl/asn1t.h>
#include <openssl/buffer.h>
#include <openssl/x509v3.h>
+#include "internal/x509_int.h"
#include "ext_dat.h"
#ifndef OPENSSL_NO_RFC3779
diff --git a/crypto/x509v3/v3_asid.c b/crypto/x509v3/v3_asid.c
index e1cde64..af527eb 100644
--- a/crypto/x509v3/v3_asid.c
+++ b/crypto/x509v3/v3_asid.c
@@ -67,6 +67,7 @@
#include <openssl/asn1t.h>
#include <openssl/x509v3.h>
#include <openssl/x509.h>
+#include "internal/x509_int.h"
#include <openssl/bn.h>
#include "ext_dat.h"
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 61d9772..43f3551 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -62,6 +62,7 @@
#include "internal/numbers.h"
#include <openssl/x509v3.h>
#include <openssl/x509_vfy.h>
+#include "internal/x509_int.h"
static void x509v3_cache_extensions(X509 *x);
@@ -868,3 +869,9 @@ uint32_t X509_get_extended_key_usage(X509 *x)
return x->ex_xkusage;
return UINT32_MAX;
}
+
+const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x)
+{
+ X509_check_purpose(x, -1, -1);
+ return x->skid;
+}
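Review bot: The new public X509_get0_subject_key_id() has no header comment explaining why it calls X509_check_purpose() before returning x->skid, and the discarded return value means a failure to cache extensions is indistinguishable from an absent extension, which matches the documented "absent or malformed" contract but deserves saying at the definition. I would add, above the function, `/* Force extension caching (X509_check_purpose with id -1) so x->skid is populated; the result is NULL whether the SKID extension is absent or failed to parse. */`. Separately, the description of this function added to doc/crypto/X509_get_extension_flags.pod in this series is attributed to X509_get_extended_key_usage() rather than X509_get0_subject_key_id(), so the contract is currently documented under the wrong name.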
diff --git a/doc/crypto/X509_get_extension_flags.pod b/doc/crypto/X509_get_extension_flags.pod
index 2950bd7..d19eb89 100644
--- a/doc/crypto/X509_get_extension_flags.pod
+++ b/doc/crypto/X509_get_extension_flags.pod
@@ -12,6 +12,7 @@ retrieve certificate extension flags.
uint32_t X509_get_extension_flags(X509 *x);
uint32_t X509_get_key_usage(X509 *x);
uint32_t X509_get_extended_key_usage(X509 *x);
+ const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x);
=head1 DESCRIPTION
@@ -90,11 +91,16 @@ B<id-kp-timeStamping>, B<id-kp-dvcs> and B<anyExtendedKeyUsage> respectively.
Additionally B<XKU_SGC> is set if either Netscape or Microsoft SGC OIDs are
present.
+X509_get_extended_key_usage() return an internal pointer to the subject key
+identifier of B<x> as an B<ASN1_OCTET_STRING> or B<NULL> if the extension
+is not present or cannot be parsed.
+
=head1 NOTES
The value of the flags correspond to extension values which are cached
in the B<X509> structure. If the flags returned do not provide sufficient
-information an application should examine extension values directly.
+information an application should examine extension values directly
+for example using X509_get_ext_d2i().
If the key usage or extended key usage extension is absent then typically usage
is unrestricted. For this reason X509_get_key_usage() and
@@ -103,10 +109,19 @@ extension is absent. Applications can additionally check the return value of
X509_get_extension_flags() and take appropriate action is an extension is
absent.
+If X509_get0_subject_key_id() returns B<NULL> then the extension may be
+absent or malformed. Applications can determine the precise reason using
+X509_get_ext_d2i().
+
=head1 RETURN VALUE
-These functions all return sets of flags corresponding to the certificate
-extension values.
+X509_get_extension_flags(), X509_get_key_usage() and
+X509_get_extended_key_usage() return sets of flags corresponding to the
+certificate extension values.
+
+X509_get0_subject_key_id() returns the subject key identifier as a
+pointer to an B<ASN1_OCTET_STRING> structure or B<NULL> if the extension
+is absent or an error occured during parsing.
=head1 SEE ALSO
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 5d6c083..21a8c5a 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -164,50 +164,9 @@ typedef struct X509_req_info_st X509_REQ_INFO;
typedef struct X509_req_st X509_REQ;
-typedef struct x509_cinf_st {
- ASN1_INTEGER *version; /* [ 0 ] default of v1 */
- ASN1_INTEGER *serialNumber;
- X509_ALGOR signature;
- X509_NAME *issuer;
- X509_VAL validity;
- X509_NAME *subject;
- X509_PUBKEY *key;
- ASN1_BIT_STRING *issuerUID; /* [ 1 ] optional in v2 */
- ASN1_BIT_STRING *subjectUID; /* [ 2 ] optional in v2 */
- STACK_OF(X509_EXTENSION) *extensions; /* [ 3 ] optional in v3 */
- ASN1_ENCODING enc;
-} X509_CINF;
-
typedef struct x509_cert_aux_st X509_CERT_AUX;
-struct x509_st {
- X509_CINF cert_info;
- X509_ALGOR sig_alg;
- ASN1_BIT_STRING *signature;
- int valid;
- int references;
- char *name;
- CRYPTO_EX_DATA ex_data;
- /* These contain copies of various extension values */
- long ex_pathlen;
- long ex_pcpathlen;
- uint32_t ex_flags;
- uint32_t ex_kusage;
- uint32_t ex_xkusage;
- uint32_t ex_nscert;
- ASN1_OCTET_STRING *skid;
- AUTHORITY_KEYID *akid;
- X509_POLICY_CACHE *policy_cache;
- STACK_OF(DIST_POINT) *crldp;
- STACK_OF(GENERAL_NAME) *altname;
- NAME_CONSTRAINTS *nc;
-#ifndef OPENSSL_NO_RFC3779
- STACK_OF(IPAddressFamily) *rfc3779_addr;
- struct ASIdentifiers_st *rfc3779_asid;
-# endif
- unsigned char sha1_hash[SHA_DIGEST_LENGTH];
- X509_CERT_AUX *aux;
-} /* X509 */ ;
+typedef struct x509_cinf_st X509_CINF;
DECLARE_STACK_OF(X509)
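Review bot: Removing struct x509_cinf_st and struct x509_st from the public header is a source-incompatible change for any application that dereferenced X509 fields, and this hunk carries no pointer to what replaces them; in this series only skid gains an accessor (X509_get0_subject_key_id()), while the in-tree sha1_hash consumers in crypto/ts were switched to X509_digest(). A CHANGES entry naming the now-opaque types and the accessors to use (X509_digest() for the cached hash, X509_get0_subject_key_id() for the SKID, X509_get_ext_d2i() for anything else) would save downstream users a compile-and-guess cycle. The surviving `typedef struct x509_cinf_st X509_CINF;` could carry a one-line comment noting the definition moved to crypto/include/internal/x509_int.h.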
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
index 280b9c1..3898426 100644
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -700,6 +700,7 @@ int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid);
uint32_t X509_get_extension_flags(X509 *x);
uint32_t X509_get_key_usage(X509 *x);
uint32_t X509_get_extended_key_usage(X509 *x);
+const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x);
int X509_PURPOSE_get_count(void);
X509_PURPOSE *X509_PURPOSE_get0(int idx);
diff --git a/util/libeay.num b/util/libeay.num
index 1e5be8e..1ae0f8e 100755
--- a/util/libeay.num
+++ b/util/libeay.num
@@ -4629,3 +4629,14 @@ EVP_PKEY_meth_get_sign 4987 EXIST::FUNCTION:
EVP_PKEY_meth_get_copy 4988 EXIST::FUNCTION:
EVP_PKEY_meth_get_verify_recover 4989 EXIST::FUNCTION:
EVP_PKEY_meth_get_encrypt 4990 EXIST::FUNCTION:
+X509_get0_subject_key_id 4991 EXIST::FUNCTION:
+i2d_re_X509_CRL_tbs 4992 EXIST::FUNCTION:
+X509_REQ_get_X509_PUBKEY 4993 EXIST::FUNCTION:
+X509_REQ_get0_signature 4994 EXIST::FUNCTION:
+X509_REVOKED_get0_revocationDate 4995 EXIST::FUNCTION:
+X509_REVOKED_get0_serialNumber 4996 EXIST::FUNCTION:
+X509_CRL_get0_extensions 4997 EXIST::FUNCTION:
+X509_REQ_get_signature_nid 4998 EXIST::FUNCTION:
+X509_CRL_get_signature_nid 5000 EXIST::FUNCTION:
+i2d_re_X509_REQ_tbs 5001 EXIST::FUNCTION:
+X509_REVOKED_get0_extensions 5002 EXIST::FUNCTION: