[openssl] master update
dev at ddvo.net
dev at ddvo.net
Fri Jan 7 09:46:44 UTC 2022
The branch master has been updated
via 6e98b7f153fcf9dfad1053fbb3a592166837c6fc (commit)
from fd989c734dc3f9e15d700ff9ced15125a23d4359 (commit)
- Log -----------------------------------------------------------------
commit 6e98b7f153fcf9dfad1053fbb3a592166837c6fc
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Tue Aug 17 19:12:55 2021 +0200
v2i_AUTHORITY_KEYID(): Improve error reporting on parsing config values/options
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16345)
-----------------------------------------------------------------------
Summary of changes:
crypto/err/openssl.txt | 3 +++
crypto/x509/v3_akid.c | 33 ++++++++++++++++++++++-----------
crypto/x509/v3err.c | 3 +++
doc/man5/x509v3_config.pod | 4 ++--
include/openssl/x509v3err.h | 3 +++
5 files changed, 33 insertions(+), 13 deletions(-)
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 6e75af9b8b..3c59fce96c 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -1585,6 +1585,8 @@ UI_R_UNKNOWN_TTYGET_ERRNO_VALUE:108:unknown ttyget errno value
UI_R_USER_DATA_DUPLICATION_UNSUPPORTED:112:user data duplication unsupported
X509V3_R_BAD_IP_ADDRESS:118:bad ip address
X509V3_R_BAD_OBJECT:119:bad object
+X509V3_R_BAD_OPTION:170:bad option
+X509V3_R_BAD_VALUE:171:bad value
X509V3_R_BN_DEC2BN_ERROR:100:bn dec2bn error
X509V3_R_BN_TO_ASN1_INTEGER_ERROR:101:bn to asn1 integer error
X509V3_R_DIRNAME_ERROR:149:dirname error
@@ -1651,6 +1653,7 @@ X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT:111:unknown bit string argument
X509V3_R_UNKNOWN_EXTENSION:129:unknown extension
X509V3_R_UNKNOWN_EXTENSION_NAME:130:unknown extension name
X509V3_R_UNKNOWN_OPTION:120:unknown option
+X509V3_R_UNKNOWN_VALUE:172:unknown value
X509V3_R_UNSUPPORTED_OPTION:117:unsupported option
X509V3_R_UNSUPPORTED_TYPE:167:unsupported type
X509V3_R_USER_TOO_LONG:132:user too long
diff --git a/crypto/x509/v3_akid.c b/crypto/x509/v3_akid.c
index 2a993dd5bc..209f32cbf7 100644
--- a/crypto/x509/v3_akid.c
+++ b/crypto/x509/v3_akid.c
@@ -85,14 +85,14 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
}
/*-
- * Currently two options:
- * keyid: use the issuers subject keyid, the value 'always' means its is
- * an error if the issuer certificate doesn't have a key id.
- * issuer: use the issuers cert issuer and serial number. The default is
- * to only use this if keyid is not present. With the option 'always'
+ * Three explicit tags may be given, where 'keyid' and 'issuer' may be combined:
+ * 'none': do not add any authority key identifier.
+ * 'keyid': use the issuer's subject keyid; the option 'always' means its is
+ * an error if the issuer certificate doesn't have a subject key id.
+ * 'issuer': use the issuer's cert issuer and serial number. The default is
+ * to only use this if 'keyid' is not present. With the option 'always'
* this is always included.
*/
-
static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
X509V3_CTX *ctx,
STACK_OF(CONF_VALUE) *values)
@@ -119,16 +119,27 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
for (i = 0; i < n; i++) {
cnf = sk_CONF_VALUE_value(values, i);
- if (strcmp(cnf->name, "keyid") == 0) {
+ if (cnf->value != NULL && strcmp(cnf->value, "always") != 0) {
+ ERR_raise_data(ERR_LIB_X509V3, X509V3_R_UNKNOWN_OPTION,
+ "name=%s option=%s", cnf->name, cnf->value);
+ goto err;
+ }
+ if (strcmp(cnf->name, "keyid") == 0 && keyid == 0) {
keyid = 1;
- if (cnf->value && strcmp(cnf->value, "always") == 0)
+ if (cnf->value != NULL)
keyid = 2;
- } else if (strcmp(cnf->name, "issuer") == 0) {
+ } else if (strcmp(cnf->name, "issuer") == 0 && issuer == 0) {
issuer = 1;
- if (cnf->value && strcmp(cnf->value, "always") == 0)
+ if (cnf->value != NULL)
issuer = 2;
+ } else if (strcmp(cnf->name, "none") == 0
+ || strcmp(cnf->name, "keyid") == 0
+ || strcmp(cnf->name, "issuer") == 0) {
+ ERR_raise_data(ERR_LIB_X509V3, X509V3_R_BAD_VALUE,
+ "name=%s", cnf->name);
+ goto err;
} else {
- ERR_raise_data(ERR_LIB_X509V3, X509V3_R_UNKNOWN_OPTION,
+ ERR_raise_data(ERR_LIB_X509V3, X509V3_R_UNKNOWN_VALUE,
"name=%s", cnf->name);
goto err;
}
diff --git a/crypto/x509/v3err.c b/crypto/x509/v3err.c
index 6f38034c1a..b52f16f597 100644
--- a/crypto/x509/v3err.c
+++ b/crypto/x509/v3err.c
@@ -17,6 +17,8 @@
static const ERR_STRING_DATA X509V3_str_reasons[] = {
{ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BAD_IP_ADDRESS), "bad ip address"},
{ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BAD_OBJECT), "bad object"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BAD_OPTION), "bad option"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BAD_VALUE), "bad value"},
{ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BN_DEC2BN_ERROR), "bn dec2bn error"},
{ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BN_TO_ASN1_INTEGER_ERROR),
"bn to asn1 integer error"},
@@ -127,6 +129,7 @@ static const ERR_STRING_DATA X509V3_str_reasons[] = {
{ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNKNOWN_EXTENSION_NAME),
"unknown extension name"},
{ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNKNOWN_OPTION), "unknown option"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNKNOWN_VALUE), "unknown value"},
{ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNSUPPORTED_OPTION),
"unsupported option"},
{ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNSUPPORTED_TYPE),
diff --git a/doc/man5/x509v3_config.pod b/doc/man5/x509v3_config.pod
index fb9e562d7f..97251d5d09 100644
--- a/doc/man5/x509v3_config.pod
+++ b/doc/man5/x509v3_config.pod
@@ -195,8 +195,8 @@ or both of them, separated by C<,>.
Either or both can have the option B<always>,
indicated by putting a colon C<:> between the value and this option.
For self-signed certificates the AKID is suppressed unless B<always> is present.
-By default the B<x509>, B<req>, and B<ca> apps behave as if
-"none" was given for self-signed certificates and "keyid, issuer" otherwise.
+By default the B<x509>, B<req>, and B<ca> apps behave as if B<none> was given
+for self-signed certificates and B<keyid>C<,> B<issuer> otherwise.
If B<keyid> is present, an attempt is made to
copy the subject key identifier (SKID) from the issuer certificate except if
diff --git a/include/openssl/x509v3err.h b/include/openssl/x509v3err.h
index 1ae3a56209..fcad1bfca5 100644
--- a/include/openssl/x509v3err.h
+++ b/include/openssl/x509v3err.h
@@ -23,6 +23,8 @@
*/
# define X509V3_R_BAD_IP_ADDRESS 118
# define X509V3_R_BAD_OBJECT 119
+# define X509V3_R_BAD_OPTION 170
+# define X509V3_R_BAD_VALUE 171
# define X509V3_R_BN_DEC2BN_ERROR 100
# define X509V3_R_BN_TO_ASN1_INTEGER_ERROR 101
# define X509V3_R_DIRNAME_ERROR 149
@@ -86,6 +88,7 @@
# define X509V3_R_UNKNOWN_EXTENSION 129
# define X509V3_R_UNKNOWN_EXTENSION_NAME 130
# define X509V3_R_UNKNOWN_OPTION 120
+# define X509V3_R_UNKNOWN_VALUE 172
# define X509V3_R_UNSUPPORTED_OPTION 117
# define X509V3_R_UNSUPPORTED_TYPE 167
# define X509V3_R_USER_TOO_LONG 132
More information about the openssl-commits
mailing list