/*
 * Written by Dr Stephen N Henson ([email protected]) for the OpenSSL project
 * 2001.
 */
/* ====================================================================
 * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    [email protected].
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * ([email protected]).  This product includes software written by Tim
 * Hudson ([email protected]).
 */

// NOTE(review): this listing is an outline of the file. Every "…" below stands
// for code that was elided before review; only the declarations, macros names
// and the comments around them are visible here, so the notes added in this
// pass describe signatures, not bodies.

#include <string.h>

#include <openssl/digest.h>
#include <openssl/err.h>
#include <openssl/mem.h>
#include <openssl/obj.h>
#include <openssl/thread.h>
#include <openssl/x509.h>

#include "../internal.h"
#include "internal.h"

// Backing definition of the opaque |X509_PURPOSE| type (see the trailing
// annotation). Its fields are elided in this view.
struct x509_purpose_st { … } /* X509_PURPOSE */;

// Helper macros; their expansions are elided in this view.
// NOTE(review): |ku_reject| and |xku_reject| are function-like macros. Do not
// assume |x| or |usage| is evaluated only once without checking the expansion;
// pass plain identifiers rather than expressions with side effects.
#define V1_ROOT …
#define ku_reject(x, usage) …
#define xku_reject(x, usage) …

// |check_ca| is defined and documented further down in this file.
static int check_ca(const X509 *x);

// Forward declarations of the per-purpose checkers. All of them share one
// signature — presumably so that |xstandard| below can hold them as
// callbacks; confirm against the |X509_PURPOSE| fields. By analogy with the
// |check_purpose| comment below, |x| is the certificate under test and |ca|
// says whether it is being treated as a CA or an end-entity certificate; |xp|
// is presumably the purpose entry being evaluated.
static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
                                    int ca);
static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,
                                    int ca);
static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x,
                                       int ca);
static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x,
                                    int ca);
static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x,
                                       int ca);
static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x,
                                  int ca);
static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
                                        int ca);
static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca);

// X509_TRUST_NONE is not a valid |X509_TRUST_*| constant. It is used by
// |X509_PURPOSE_ANY| to indicate that it has no corresponding trust type and
// cannot be used with |X509_STORE_CTX_set_purpose|.
#define X509_TRUST_NONE …

// Static table of |X509_PURPOSE| entries. Its contents are elided in this
// view.
static const X509_PURPOSE xstandard[] = …;

// Public purpose lookup and check API. |X509_check_purpose| takes a mutable
// |X509| while the |X509_PURPOSE_*| getters take const or no certificate at
// all — presumably because checking a purpose first caches extension data on
// |x| (see |x509v3_cache_extensions| below); confirm against the body.
int X509_check_purpose(X509 *x, int id, int ca) { … }

const X509_PURPOSE *X509_PURPOSE_get0(int id) { … }

int X509_PURPOSE_get_by_sname(const char *sname) { … }

int X509_PURPOSE_get_id(const X509_PURPOSE *xp) { … }

int X509_PURPOSE_get_trust(const X509_PURPOSE *xp) { … }

// Reports whether a single extension |ex| is supported. Body elided; the
// header documents the return convention.
int X509_supported_extension(const X509_EXTENSION *ex) { … }

// CRL distribution point pre-processing. From the |DIST_POINT| parameter
// these appear to fill in per-distribution-point data on |x|; bodies elided,
// so confirm what a zero return means to the caller before relying on it.
static int setup_dp(X509 *x, DIST_POINT *dp) { … }

static int setup_crldp(X509 *x) { … }

// Takes a mutable |X509|, so it presumably populates the per-certificate
// extension caches that the accessors at the end of this file read.
// NOTE(review): the function returns an |int|. If a zero return signals
// malformed or unsupported extensions, every caller must treat that as a
// failure and not continue with a partially populated cache — confirm against
// the body and each call site.
int x509v3_cache_extensions(X509 *x) { … }

// check_ca returns one if |x| should be considered a CA certificate and zero
// otherwise.
static int check_ca(const X509 *x) { … }

// Public wrapper around |check_ca|. Takes a mutable |X509|, presumably so the
// extension cache can be filled first — confirm.
int X509_check_ca(X509 *x) { … }

// check_purpose returns one if |x| is a valid part of a certificate path for
// extended key usage |required_xku| and at least one of key usages in
// |required_kus|. |ca| indicates whether |x| is a CA or end-entity certificate.
static int check_purpose(const X509 *x, int ca, int required_xku,
                         int required_kus) { … }

// Per-purpose checkers. Each presumably delegates to |check_purpose| with the
// extended key usage and key usages its purpose requires; bodies elided.
static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
                                    int ca) { … }

// Key usage needed for TLS/SSL server: digital signature, encipherment or
// key agreement. The ssl code can check this more thoroughly for individual
// key types.
#define X509v3_KU_TLS …

static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,
                                    int ca) { … }

static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x,
                                       int ca) { … }

static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x,
                                    int ca) { … }

static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x,
                                       int ca) { … }

static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x,
                                  int ca) { … }

static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
                                        int ca) { … }

// The name suggests this checker accepts every certificate regardless of its
// extensions; confirm against the body before relying on that.
static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca) { … }

// Issuer relationship checks. From its signature, |X509_check_akid| matches
// |issuer| against an authority key identifier |akid| (presumably the one
// taken from a subject certificate or CRL); bodies elided.
int X509_check_issued(X509 *issuer, X509 *subject) { … }

int X509_check_akid(X509 *issuer, const AUTHORITY_KEYID *akid) { … }

// Accessors for cached extension data. All take a mutable |X509| — presumably
// so they can populate the cache on first use via |x509v3_cache_extensions|;
// confirm. The |get0| variants return pointers that, by the library's usual
// naming convention, are owned by |x509| and must not be freed by the caller
// — confirm against the header.
uint32_t X509_get_extension_flags(X509 *x) { … }

uint32_t X509_get_key_usage(X509 *x) { … }

uint32_t X509_get_extended_key_usage(X509 *x) { … }

const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x509) { … }

const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x509) { … }

const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x509) { … }

const ASN1_INTEGER *X509_get0_authority_serial(X509 *x509) { … }

long X509_get_pathlen(X509 *x509) { … }