[openssl-commits] [openssl] master update

Richard Levitte levitte at openssl.org
Mon Jul 25 15:37:05 UTC 2016 

The branch master has been updated
       via  fe0169b09717b3c3d52c0fba96e1dcf5e8a60d94 (commit)
      from  3067095e8a2cca3d33fa0af77788bc45da68b76b (commit)


- Log -----------------------------------------------------------------
commit fe0169b09717b3c3d52c0fba96e1dcf5e8a60d94
Author: Richard Levitte <levitte at openssl.org>
Date:   Mon Jul 25 17:02:56 2016 +0200

    Make it possible for external code to set the certiciate proxy path length
    
    This adds the functions X509_set_proxy_pathlen(), which sets the
    internal pc path length cache for a given X509 structure, along with
    X509_get_proxy_pathlen(), which retrieves it.
    
    Along with the previously added X509_set_proxy_flag(), this provides
    the tools needed to manipulate all the information cached on proxy
    certificates, allowing external code to do what's necessary to have
    them verified correctly by the libcrypto code.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/x509v3/v3_purp.c                 | 14 ++++++++++++++
 doc/crypto/X509_get_extension_flags.pod | 23 ++++++++++++++++++++---
 include/openssl/x509v3.h                |  2 ++
 util/libcrypto.num                      |  2 ++
 4 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 6174538..451e7f8 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -533,6 +533,11 @@ void X509_set_proxy_flag(X509 *x)
     x->ex_flags |= EXFLAG_PROXY;
 }
 
+void X509_set_proxy_pathlen(X509 *x, long l)
+{
+    x->ex_pcpathlen = l;
+}
+
 int X509_check_ca(X509 *x)
 {
     if (!(x->ex_flags & EXFLAG_SET)) {
@@ -849,3 +854,12 @@ long X509_get_pathlen(X509 *x)
         return -1;
     return x->ex_pathlen;
 }
+
+long X509_get_proxy_pathlen(X509 *x)
+{
+    /* Called for side effect of caching extensions */
+    if (X509_check_purpose(x, -1, -1) != 1
+            || (x->ex_flags & EXFLAG_PROXY) == 0)
+        return -1;
+    return x->ex_pcpathlen;
+}
diff --git a/doc/crypto/X509_get_extension_flags.pod b/doc/crypto/X509_get_extension_flags.pod
index 473ef28..0fc42e8 100644
--- a/doc/crypto/X509_get_extension_flags.pod
+++ b/doc/crypto/X509_get_extension_flags.pod
@@ -4,8 +4,12 @@
 
 X509_get0_subject_key_id,
 X509_get_pathlen,
-X509_get_extension_flags, X509_get_key_usage, X509_get_extended_key_usage,
-X509_set_proxy_flag - retrieve certificate extension data
+X509_get_extension_flags,
+X509_get_key_usage,
+X509_get_extended_key_usage,
+X509_set_proxy_flag,
+X509_set_proxy_pathlen,
+X509_get_proxy_pathlen - retrieve certificate extension data
 
 =head1 SYNOPSIS
 
@@ -17,6 +21,8 @@ X509_set_proxy_flag - retrieve certificate extension data
    uint32_t X509_get_extended_key_usage(X509 *x);
    const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x);
    void X509_set_proxy_flag(X509 *x);
+   void X509_set_proxy_path_length(int l);
+   long X509_get_proxy_pathlen(X509 *x);
 
 =head1 DESCRIPTION
 
@@ -107,6 +113,13 @@ X509_set_proxy_flag() marks the certificate with the B<EXFLAG_PROXY> flag.
 This is for the users who need to mark non-RFC3820 proxy certificates as
 such, as OpenSSL only detects RFC3820 compliant ones.
 
+X509_set_proxy_pathlen() sets the proxy certificate path length for the given
+certificate B<x>.  This is for the users who need to mark non-RFC3820 proxy
+certificates as such, as OpenSSL only detects RFC3820 compliant ones.
+
+X509_get_proxy_pathlen() returns the proxy certificate path length for the
+given certificate B<x> if it is a proxy certicate.
+
 =head1 NOTES
 
 The value of the flags correspond to extension values which are cached
@@ -138,13 +151,17 @@ X509_get0_subject_key_id() returns the subject key identifier as a
 pointer to an B<ASN1_OCTET_STRING> structure or B<NULL> if the extension
 is absent or an error occurred during parsing.
 
+X509_get_proxy_pathlen() returns the path length value if the given
+certificate is a proxy one and has a path length set, and -1 otherwise.
+
 =head1 SEE ALSO
 
 L<X509_check_purpose(3)>
 
 =head1 HISTORY
 
-X509_get_pathlen() and X509_set_proxy_flag() were added in OpenSSL 1.1.0.
+X509_get_pathlen(), X509_set_proxy_flag(), X509_set_proxy_pathlen() and
+X509_get_proxy_pathlen() were added in OpenSSL 1.1.0.
 
 =head1 COPYRIGHT
 
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
index c708ec3..c3f3863 100644
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -650,6 +650,8 @@ int X509_PURPOSE_set(int *p, int purpose);
 int X509_check_issued(X509 *issuer, X509 *subject);
 int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid);
 void X509_set_proxy_flag(X509 *x);
+void X509_set_proxy_pathlen(X509 *x, long l);
+long X509_get_proxy_pathlen(X509 *x);
 
 uint32_t X509_get_extension_flags(X509 *x);
 uint32_t X509_get_key_usage(X509 *x);
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 0a79379..1fb7cf3 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4187,3 +4187,5 @@ X509_STORE_CTX_get_lookup_crls          4131	1_1_0	EXIST::FUNCTION:
 X509_STORE_get_verify                   4132	1_1_0	EXIST::FUNCTION:
 X509_STORE_unlock                       4133	1_1_0	EXIST::FUNCTION:
 X509_STORE_lock                         4134	1_1_0	EXIST::FUNCTION:
+X509_set_proxy_pathlen                  4135	1_1_0	EXIST::FUNCTION:
+X509_get_proxy_pathlen                  4136	1_1_0	EXIST::FUNCTION:

More information about the openssl-commits mailing list