[openssl] master update
dev at ddvo.net
dev at ddvo.net
Sat Sep 5 18:12:02 UTC 2020
The branch master has been updated
via 076bf8c2c972d01a70ca4146e637dfbe6f35b2fb (commit)
from 0b86eefd431dd05a0ba87b2f67a6b99def89b6d5 (commit)
- Log -----------------------------------------------------------------
commit 076bf8c2c972d01a70ca4146e637dfbe6f35b2fb
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Thu Sep 3 23:04:48 2020 +0200
X509_STORE_CTX_print_verify_cb(): add AKID and SKID output for (non-)trusted certs
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12787)
-----------------------------------------------------------------------
Summary of changes:
crypto/x509/t_x509.c | 21 +++++++++++++++------
crypto/x509/v3_prn.c | 7 ++++++-
include/openssl/x509.h | 1 +
3 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c
index 199f88857b..f0240f12c3 100644
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
@@ -200,9 +200,10 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
}
}
- if (!(cflag & X509_FLAG_NO_EXTENSIONS))
- X509V3_extensions_print(bp, "X509v3 extensions",
- X509_get0_extensions(x), cflag, 8);
+ if (!(cflag & X509_FLAG_NO_EXTENSIONS)
+ && !X509V3_extensions_print(bp, "X509v3 extensions",
+ X509_get0_extensions(x), cflag, 8))
+ goto err;
if (!(cflag & X509_FLAG_NO_SIGDUMP)) {
const X509_ALGOR *sig_alg;
@@ -415,7 +416,8 @@ int x509_print_ex_brief(BIO *bio, X509 *cert, unsigned long neg_cflags)
if (X509_cmp_current_time(X509_get0_notAfter(cert)) < 0)
if (BIO_printf(bio, " no more valid\n") <= 0)
return 0;
- return X509_print_ex(bio, cert, flags, ~(neg_cflags));
+ return X509_print_ex(bio, cert, flags,
+ ~neg_cflags & ~X509_FLAG_EXTENSIONS_ONLY_KID);
}
static int print_certs(BIO *bio, const STACK_OF(X509) *certs)
@@ -427,8 +429,15 @@ static int print_certs(BIO *bio, const STACK_OF(X509) *certs)
for (i = 0; i < sk_X509_num(certs); i++) {
X509 *cert = sk_X509_value(certs, i);
- if (cert != NULL && !x509_print_ex_brief(bio, cert, 0))
- return 0;
+
+ if (cert != NULL) {
+ if (!x509_print_ex_brief(bio, cert, 0))
+ return 0;
+ if (!X509V3_extensions_print(bio, NULL,
+ X509_get0_extensions(cert),
+ X509_FLAG_EXTENSIONS_ONLY_KID, 8))
+ return 0;
+ }
}
return 1;
}
diff --git a/crypto/x509/v3_prn.c b/crypto/x509/v3_prn.c
index aa902204f0..4b2ad2685b 100644
--- a/crypto/x509/v3_prn.c
+++ b/crypto/x509/v3_prn.c
@@ -156,10 +156,15 @@ int X509V3_extensions_print(BIO *bp, const char *title,
for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
ASN1_OBJECT *obj;
X509_EXTENSION *ex;
+
ex = sk_X509_EXTENSION_value(exts, i);
+ obj = X509_EXTENSION_get_object(ex);
+ if ((flag & X509_FLAG_EXTENSIONS_ONLY_KID) != 0
+ && OBJ_obj2nid(obj) != NID_subject_key_identifier
+ && OBJ_obj2nid(obj) != NID_authority_key_identifier)
+ continue;
if (indent && BIO_printf(bp, "%*s", indent, "") <= 0)
return 0;
- obj = X509_EXTENSION_get_object(ex);
i2a_ASN1_OBJECT(bp, obj);
j = X509_EXTENSION_get_critical(ex);
if (BIO_printf(bp, ": %s\n", j ? "critical" : "") <= 0)
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index d243fda94c..bbe2d62cf9 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -159,6 +159,7 @@ DEFINE_OR_DECLARE_STACK_OF(X509_TRUST)
# define X509_FLAG_NO_AUX (1L << 10)
# define X509_FLAG_NO_ATTRIBUTES (1L << 11)
# define X509_FLAG_NO_IDS (1L << 12)
+# define X509_FLAG_EXTENSIONS_ONLY_KID (1L << 13)
/* Flags specific to X509_NAME_print_ex() */
More information about the openssl-commits
mailing list