[openssl-commits] [openssl] master update
Richard Levitte
levitte at openssl.org
Sat Jul 23 14:18:31 UTC 2016
The branch master has been updated
via f46c2597ab958ce970aec40ff3b7f5ba5ceb0bcb (commit)
via 9961cb77684aa26fe7302e691b7d16e53432a625 (commit)
from 8b9546c7085733c88f1df66da48d48a3bc5230a2 (commit)
- Log -----------------------------------------------------------------
commit f46c2597ab958ce970aec40ff3b7f5ba5ceb0bcb
Author: Richard Levitte <levitte at openssl.org>
Date: Sat Jul 23 11:34:45 2016 +0200
Properly initialise the internal proxy certificate path length cache
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 9961cb77684aa26fe7302e691b7d16e53432a625
Author: Richard Levitte <levitte at openssl.org>
Date: Fri Jul 22 16:45:33 2016 +0200
Make it possible for external code to flag a certificate as a proxy one.
This adds the function X509_set_proxy_flag(), which sets the internal flag
EXFLAG_PROXY on a given X509 structure.
Reviewed-by: Rich Salz <rsalz at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
crypto/x509/x_x509.c | 1 +
crypto/x509v3/v3_purp.c | 5 +++++
doc/crypto/X509_get_extension_flags.pod | 11 ++++++++---
include/openssl/x509v3.h | 1 +
4 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/crypto/x509/x_x509.c b/crypto/x509/x_x509.c
index 9445430..7d9f981 100644
--- a/crypto/x509/x_x509.c
+++ b/crypto/x509/x_x509.c
@@ -43,6 +43,7 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
case ASN1_OP_NEW_POST:
ret->ex_flags = 0;
ret->ex_pathlen = -1;
+ ret->ex_pcpathlen = -1;
ret->skid = NULL;
ret->akid = NULL;
#ifndef OPENSSL_NO_RFC3779
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index fff0994..0820a2a 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -528,6 +528,11 @@ static int check_ca(const X509 *x)
}
}
+void X509_set_proxy_flag(X509 *x)
+{
+ x->ex_flags |= EXFLAG_PROXY;
+}
+
int X509_check_ca(X509 *x)
{
if (!(x->ex_flags & EXFLAG_SET)) {
diff --git a/doc/crypto/X509_get_extension_flags.pod b/doc/crypto/X509_get_extension_flags.pod
index 2509b65..473ef28 100644
--- a/doc/crypto/X509_get_extension_flags.pod
+++ b/doc/crypto/X509_get_extension_flags.pod
@@ -4,8 +4,8 @@
X509_get0_subject_key_id,
X509_get_pathlen,
-X509_get_extension_flags, X509_get_key_usage, X509_get_extended_key_usage -
-retrieve certificate extension data
+X509_get_extension_flags, X509_get_key_usage, X509_get_extended_key_usage,
+X509_set_proxy_flag - retrieve certificate extension data
=head1 SYNOPSIS
@@ -16,6 +16,7 @@ retrieve certificate extension data
uint32_t X509_get_key_usage(X509 *x);
uint32_t X509_get_extended_key_usage(X509 *x);
const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x);
+ void X509_set_proxy_flag(X509 *x);
=head1 DESCRIPTION
@@ -102,6 +103,10 @@ X509_get_extended_key_usage() return an internal pointer to the subject key
identifier of B<x> as an B<ASN1_OCTET_STRING> or B<NULL> if the extension
is not present or cannot be parsed.
+X509_set_proxy_flag() marks the certificate with the B<EXFLAG_PROXY> flag.
+This is for the users who need to mark non-RFC3820 proxy certificates as
+such, as OpenSSL only detects RFC3820 compliant ones.
+
=head1 NOTES
The value of the flags correspond to extension values which are cached
@@ -139,7 +144,7 @@ L<X509_check_purpose(3)>
=head1 HISTORY
-X509_get_pathlen() was added in OpenSSL 1.1.0.
+X509_get_pathlen() and X509_set_proxy_flag() were added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
index 89be5f9..b37f52b 100644
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -649,6 +649,7 @@ int X509_supported_extension(X509_EXTENSION *ex);
int X509_PURPOSE_set(int *p, int purpose);
int X509_check_issued(X509 *issuer, X509 *subject);
int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid);
+void X509_set_proxy_flag(X509 *x);
uint32_t X509_get_extension_flags(X509 *x);
uint32_t X509_get_key_usage(X509 *x);
More information about the openssl-commits
mailing list