[331] | 1 | /*
|
---|
| 2 | * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
|
---|
| 3 | *
|
---|
| 4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
---|
| 5 | * this file except in compliance with the License. You can obtain a copy
|
---|
| 6 | * in the file LICENSE in the source distribution or at
|
---|
| 7 | * https://www.openssl.org/source/license.html
|
---|
| 8 | */
|
---|
| 9 |
|
---|
| 10 | #include <stdio.h>
|
---|
| 11 | #include "internal/cryptlib.h"
|
---|
| 12 | #include "internal/numbers.h"
|
---|
| 13 | #include <openssl/x509v3.h>
|
---|
| 14 | #include <openssl/x509_vfy.h>
|
---|
| 15 | #include "internal/x509_int.h"
|
---|
| 16 |
|
---|
| 17 | static void x509v3_cache_extensions(X509 *x);
|
---|
| 18 |
|
---|
| 19 | static int check_ssl_ca(const X509 *x);
|
---|
| 20 | static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
|
---|
| 21 | int ca);
|
---|
| 22 | static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,
|
---|
| 23 | int ca);
|
---|
| 24 | static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x,
|
---|
| 25 | int ca);
|
---|
| 26 | static int purpose_smime(const X509 *x, int ca);
|
---|
| 27 | static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x,
|
---|
| 28 | int ca);
|
---|
| 29 | static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x,
|
---|
| 30 | int ca);
|
---|
| 31 | static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x,
|
---|
| 32 | int ca);
|
---|
| 33 | static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
|
---|
| 34 | int ca);
|
---|
| 35 | static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca);
|
---|
| 36 | static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca);
|
---|
| 37 |
|
---|
| 38 | static int xp_cmp(const X509_PURPOSE *const *a, const X509_PURPOSE *const *b);
|
---|
| 39 | static void xptable_free(X509_PURPOSE *p);
|
---|
| 40 |
|
---|
| 41 | static X509_PURPOSE xstandard[] = {
|
---|
| 42 | {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0,
|
---|
| 43 | check_purpose_ssl_client, "SSL client", "sslclient", NULL},
|
---|
| 44 | {X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0,
|
---|
| 45 | check_purpose_ssl_server, "SSL server", "sslserver", NULL},
|
---|
| 46 | {X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0,
|
---|
| 47 | check_purpose_ns_ssl_server, "Netscape SSL server", "nssslserver", NULL},
|
---|
| 48 | {X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign,
|
---|
| 49 | "S/MIME signing", "smimesign", NULL},
|
---|
| 50 | {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0,
|
---|
| 51 | check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
|
---|
| 52 | {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign,
|
---|
| 53 | "CRL signing", "crlsign", NULL},
|
---|
| 54 | {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any",
|
---|
| 55 | NULL},
|
---|
| 56 | {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper,
|
---|
| 57 | "OCSP helper", "ocsphelper", NULL},
|
---|
| 58 | {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, 0,
|
---|
| 59 | check_purpose_timestamp_sign, "Time Stamp signing", "timestampsign",
|
---|
| 60 | NULL},
|
---|
| 61 | };
|
---|
| 62 |
|
---|
| 63 | #define X509_PURPOSE_COUNT OSSL_NELEM(xstandard)
|
---|
| 64 |
|
---|
| 65 | static STACK_OF(X509_PURPOSE) *xptable = NULL;
|
---|
| 66 |
|
---|
| 67 | static int xp_cmp(const X509_PURPOSE *const *a, const X509_PURPOSE *const *b)
|
---|
| 68 | {
|
---|
| 69 | return (*a)->purpose - (*b)->purpose;
|
---|
| 70 | }
|
---|
| 71 |
|
---|
| 72 | /*
|
---|
| 73 | * As much as I'd like to make X509_check_purpose use a "const" X509* I
|
---|
| 74 | * really can't because it does recalculate hashes and do other non-const
|
---|
| 75 | * things.
|
---|
| 76 | */
|
---|
| 77 | int X509_check_purpose(X509 *x, int id, int ca)
|
---|
| 78 | {
|
---|
| 79 | int idx;
|
---|
| 80 | const X509_PURPOSE *pt;
|
---|
| 81 | if (!(x->ex_flags & EXFLAG_SET)) {
|
---|
| 82 | CRYPTO_THREAD_write_lock(x->lock);
|
---|
| 83 | x509v3_cache_extensions(x);
|
---|
| 84 | CRYPTO_THREAD_unlock(x->lock);
|
---|
| 85 | }
|
---|
| 86 | /* Return if side-effect only call */
|
---|
| 87 | if (id == -1)
|
---|
| 88 | return 1;
|
---|
| 89 | idx = X509_PURPOSE_get_by_id(id);
|
---|
| 90 | if (idx == -1)
|
---|
| 91 | return -1;
|
---|
| 92 | pt = X509_PURPOSE_get0(idx);
|
---|
| 93 | return pt->check_purpose(pt, x, ca);
|
---|
| 94 | }
|
---|
| 95 |
|
---|
| 96 | int X509_PURPOSE_set(int *p, int purpose)
|
---|
| 97 | {
|
---|
| 98 | if (X509_PURPOSE_get_by_id(purpose) == -1) {
|
---|
| 99 | X509V3err(X509V3_F_X509_PURPOSE_SET, X509V3_R_INVALID_PURPOSE);
|
---|
| 100 | return 0;
|
---|
| 101 | }
|
---|
| 102 | *p = purpose;
|
---|
| 103 | return 1;
|
---|
| 104 | }
|
---|
| 105 |
|
---|
| 106 | int X509_PURPOSE_get_count(void)
|
---|
| 107 | {
|
---|
| 108 | if (!xptable)
|
---|
| 109 | return X509_PURPOSE_COUNT;
|
---|
| 110 | return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT;
|
---|
| 111 | }
|
---|
| 112 |
|
---|
| 113 | X509_PURPOSE *X509_PURPOSE_get0(int idx)
|
---|
| 114 | {
|
---|
| 115 | if (idx < 0)
|
---|
| 116 | return NULL;
|
---|
| 117 | if (idx < (int)X509_PURPOSE_COUNT)
|
---|
| 118 | return xstandard + idx;
|
---|
| 119 | return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
|
---|
| 120 | }
|
---|
| 121 |
|
---|
| 122 | int X509_PURPOSE_get_by_sname(const char *sname)
|
---|
| 123 | {
|
---|
| 124 | int i;
|
---|
| 125 | X509_PURPOSE *xptmp;
|
---|
| 126 | for (i = 0; i < X509_PURPOSE_get_count(); i++) {
|
---|
| 127 | xptmp = X509_PURPOSE_get0(i);
|
---|
| 128 | if (strcmp(xptmp->sname, sname) == 0)
|
---|
| 129 | return i;
|
---|
| 130 | }
|
---|
| 131 | return -1;
|
---|
| 132 | }
|
---|
| 133 |
|
---|
| 134 | int X509_PURPOSE_get_by_id(int purpose)
|
---|
| 135 | {
|
---|
| 136 | X509_PURPOSE tmp;
|
---|
| 137 | int idx;
|
---|
| 138 | if ((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))
|
---|
| 139 | return purpose - X509_PURPOSE_MIN;
|
---|
| 140 | tmp.purpose = purpose;
|
---|
| 141 | if (!xptable)
|
---|
| 142 | return -1;
|
---|
| 143 | idx = sk_X509_PURPOSE_find(xptable, &tmp);
|
---|
| 144 | if (idx == -1)
|
---|
| 145 | return -1;
|
---|
| 146 | return idx + X509_PURPOSE_COUNT;
|
---|
| 147 | }
|
---|
| 148 |
|
---|
| 149 | int X509_PURPOSE_add(int id, int trust, int flags,
|
---|
| 150 | int (*ck) (const X509_PURPOSE *, const X509 *, int),
|
---|
| 151 | const char *name, const char *sname, void *arg)
|
---|
| 152 | {
|
---|
| 153 | int idx;
|
---|
| 154 | X509_PURPOSE *ptmp;
|
---|
| 155 | /*
|
---|
| 156 | * This is set according to what we change: application can't set it
|
---|
| 157 | */
|
---|
| 158 | flags &= ~X509_PURPOSE_DYNAMIC;
|
---|
| 159 | /* This will always be set for application modified trust entries */
|
---|
| 160 | flags |= X509_PURPOSE_DYNAMIC_NAME;
|
---|
| 161 | /* Get existing entry if any */
|
---|
| 162 | idx = X509_PURPOSE_get_by_id(id);
|
---|
| 163 | /* Need a new entry */
|
---|
| 164 | if (idx == -1) {
|
---|
| 165 | if ((ptmp = OPENSSL_malloc(sizeof(*ptmp))) == NULL) {
|
---|
| 166 | X509V3err(X509V3_F_X509_PURPOSE_ADD, ERR_R_MALLOC_FAILURE);
|
---|
| 167 | return 0;
|
---|
| 168 | }
|
---|
| 169 | ptmp->flags = X509_PURPOSE_DYNAMIC;
|
---|
| 170 | } else
|
---|
| 171 | ptmp = X509_PURPOSE_get0(idx);
|
---|
| 172 |
|
---|
| 173 | /* OPENSSL_free existing name if dynamic */
|
---|
| 174 | if (ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
|
---|
| 175 | OPENSSL_free(ptmp->name);
|
---|
| 176 | OPENSSL_free(ptmp->sname);
|
---|
| 177 | }
|
---|
| 178 | /* dup supplied name */
|
---|
| 179 | ptmp->name = OPENSSL_strdup(name);
|
---|
| 180 | ptmp->sname = OPENSSL_strdup(sname);
|
---|
| 181 | if (!ptmp->name || !ptmp->sname) {
|
---|
| 182 | X509V3err(X509V3_F_X509_PURPOSE_ADD, ERR_R_MALLOC_FAILURE);
|
---|
| 183 | goto err;
|
---|
| 184 | }
|
---|
| 185 | /* Keep the dynamic flag of existing entry */
|
---|
| 186 | ptmp->flags &= X509_PURPOSE_DYNAMIC;
|
---|
| 187 | /* Set all other flags */
|
---|
| 188 | ptmp->flags |= flags;
|
---|
| 189 |
|
---|
| 190 | ptmp->purpose = id;
|
---|
| 191 | ptmp->trust = trust;
|
---|
| 192 | ptmp->check_purpose = ck;
|
---|
| 193 | ptmp->usr_data = arg;
|
---|
| 194 |
|
---|
| 195 | /* If its a new entry manage the dynamic table */
|
---|
| 196 | if (idx == -1) {
|
---|
| 197 | if (xptable == NULL
|
---|
| 198 | && (xptable = sk_X509_PURPOSE_new(xp_cmp)) == NULL) {
|
---|
| 199 | X509V3err(X509V3_F_X509_PURPOSE_ADD, ERR_R_MALLOC_FAILURE);
|
---|
| 200 | goto err;
|
---|
| 201 | }
|
---|
| 202 | if (!sk_X509_PURPOSE_push(xptable, ptmp)) {
|
---|
| 203 | X509V3err(X509V3_F_X509_PURPOSE_ADD, ERR_R_MALLOC_FAILURE);
|
---|
| 204 | goto err;
|
---|
| 205 | }
|
---|
| 206 | }
|
---|
| 207 | return 1;
|
---|
| 208 | err:
|
---|
| 209 | if (idx == -1) {
|
---|
| 210 | OPENSSL_free(ptmp->name);
|
---|
| 211 | OPENSSL_free(ptmp->sname);
|
---|
| 212 | OPENSSL_free(ptmp);
|
---|
| 213 | }
|
---|
| 214 | return 0;
|
---|
| 215 | }
|
---|
| 216 |
|
---|
| 217 | static void xptable_free(X509_PURPOSE *p)
|
---|
| 218 | {
|
---|
| 219 | if (!p)
|
---|
| 220 | return;
|
---|
| 221 | if (p->flags & X509_PURPOSE_DYNAMIC) {
|
---|
| 222 | if (p->flags & X509_PURPOSE_DYNAMIC_NAME) {
|
---|
| 223 | OPENSSL_free(p->name);
|
---|
| 224 | OPENSSL_free(p->sname);
|
---|
| 225 | }
|
---|
| 226 | OPENSSL_free(p);
|
---|
| 227 | }
|
---|
| 228 | }
|
---|
| 229 |
|
---|
| 230 | void X509_PURPOSE_cleanup(void)
|
---|
| 231 | {
|
---|
| 232 | sk_X509_PURPOSE_pop_free(xptable, xptable_free);
|
---|
| 233 | xptable = NULL;
|
---|
| 234 | }
|
---|
| 235 |
|
---|
| 236 | int X509_PURPOSE_get_id(const X509_PURPOSE *xp)
|
---|
| 237 | {
|
---|
| 238 | return xp->purpose;
|
---|
| 239 | }
|
---|
| 240 |
|
---|
| 241 | char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp)
|
---|
| 242 | {
|
---|
| 243 | return xp->name;
|
---|
| 244 | }
|
---|
| 245 |
|
---|
| 246 | char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp)
|
---|
| 247 | {
|
---|
| 248 | return xp->sname;
|
---|
| 249 | }
|
---|
| 250 |
|
---|
| 251 | int X509_PURPOSE_get_trust(const X509_PURPOSE *xp)
|
---|
| 252 | {
|
---|
| 253 | return xp->trust;
|
---|
| 254 | }
|
---|
| 255 |
|
---|
| 256 | static int nid_cmp(const int *a, const int *b)
|
---|
| 257 | {
|
---|
| 258 | return *a - *b;
|
---|
| 259 | }
|
---|
| 260 |
|
---|
| 261 | DECLARE_OBJ_BSEARCH_CMP_FN(int, int, nid);
|
---|
| 262 | IMPLEMENT_OBJ_BSEARCH_CMP_FN(int, int, nid);
|
---|
| 263 |
|
---|
| 264 | int X509_supported_extension(X509_EXTENSION *ex)
|
---|
| 265 | {
|
---|
| 266 | /*
|
---|
| 267 | * This table is a list of the NIDs of supported extensions: that is
|
---|
| 268 | * those which are used by the verify process. If an extension is
|
---|
| 269 | * critical and doesn't appear in this list then the verify process will
|
---|
| 270 | * normally reject the certificate. The list must be kept in numerical
|
---|
| 271 | * order because it will be searched using bsearch.
|
---|
| 272 | */
|
---|
| 273 |
|
---|
| 274 | static const int supported_nids[] = {
|
---|
| 275 | NID_netscape_cert_type, /* 71 */
|
---|
| 276 | NID_key_usage, /* 83 */
|
---|
| 277 | NID_subject_alt_name, /* 85 */
|
---|
| 278 | NID_basic_constraints, /* 87 */
|
---|
| 279 | NID_certificate_policies, /* 89 */
|
---|
| 280 | NID_ext_key_usage, /* 126 */
|
---|
| 281 | #ifndef OPENSSL_NO_RFC3779
|
---|
| 282 | NID_sbgp_ipAddrBlock, /* 290 */
|
---|
| 283 | NID_sbgp_autonomousSysNum, /* 291 */
|
---|
| 284 | #endif
|
---|
| 285 | NID_policy_constraints, /* 401 */
|
---|
| 286 | NID_proxyCertInfo, /* 663 */
|
---|
| 287 | NID_name_constraints, /* 666 */
|
---|
| 288 | NID_policy_mappings, /* 747 */
|
---|
| 289 | NID_inhibit_any_policy /* 748 */
|
---|
| 290 | };
|
---|
| 291 |
|
---|
| 292 | int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
|
---|
| 293 |
|
---|
| 294 | if (ex_nid == NID_undef)
|
---|
| 295 | return 0;
|
---|
| 296 |
|
---|
| 297 | if (OBJ_bsearch_nid(&ex_nid, supported_nids, OSSL_NELEM(supported_nids)))
|
---|
| 298 | return 1;
|
---|
| 299 | return 0;
|
---|
| 300 | }
|
---|
| 301 |
|
---|
| 302 | static void setup_dp(X509 *x, DIST_POINT *dp)
|
---|
| 303 | {
|
---|
| 304 | X509_NAME *iname = NULL;
|
---|
| 305 | int i;
|
---|
| 306 | if (dp->reasons) {
|
---|
| 307 | if (dp->reasons->length > 0)
|
---|
| 308 | dp->dp_reasons = dp->reasons->data[0];
|
---|
| 309 | if (dp->reasons->length > 1)
|
---|
| 310 | dp->dp_reasons |= (dp->reasons->data[1] << 8);
|
---|
| 311 | dp->dp_reasons &= CRLDP_ALL_REASONS;
|
---|
| 312 | } else
|
---|
| 313 | dp->dp_reasons = CRLDP_ALL_REASONS;
|
---|
| 314 | if (!dp->distpoint || (dp->distpoint->type != 1))
|
---|
| 315 | return;
|
---|
| 316 | for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
|
---|
| 317 | GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
|
---|
| 318 | if (gen->type == GEN_DIRNAME) {
|
---|
| 319 | iname = gen->d.directoryName;
|
---|
| 320 | break;
|
---|
| 321 | }
|
---|
| 322 | }
|
---|
| 323 | if (!iname)
|
---|
| 324 | iname = X509_get_issuer_name(x);
|
---|
| 325 |
|
---|
| 326 | DIST_POINT_set_dpname(dp->distpoint, iname);
|
---|
| 327 |
|
---|
| 328 | }
|
---|
| 329 |
|
---|
| 330 | static void setup_crldp(X509 *x)
|
---|
| 331 | {
|
---|
| 332 | int i;
|
---|
| 333 | x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
|
---|
| 334 | for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
|
---|
| 335 | setup_dp(x, sk_DIST_POINT_value(x->crldp, i));
|
---|
| 336 | }
|
---|
| 337 |
|
---|
| 338 | #define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
|
---|
| 339 | #define ku_reject(x, usage) \
|
---|
| 340 | (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
|
---|
| 341 | #define xku_reject(x, usage) \
|
---|
| 342 | (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
|
---|
| 343 | #define ns_reject(x, usage) \
|
---|
| 344 | (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
|
---|
| 345 |
|
---|
| 346 | static void x509v3_cache_extensions(X509 *x)
|
---|
| 347 | {
|
---|
| 348 | BASIC_CONSTRAINTS *bs;
|
---|
| 349 | PROXY_CERT_INFO_EXTENSION *pci;
|
---|
| 350 | ASN1_BIT_STRING *usage;
|
---|
| 351 | ASN1_BIT_STRING *ns;
|
---|
| 352 | EXTENDED_KEY_USAGE *extusage;
|
---|
| 353 | X509_EXTENSION *ex;
|
---|
| 354 |
|
---|
| 355 | int i;
|
---|
| 356 | if (x->ex_flags & EXFLAG_SET)
|
---|
| 357 | return;
|
---|
| 358 | X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
|
---|
| 359 | /* V1 should mean no extensions ... */
|
---|
| 360 | if (!X509_get_version(x))
|
---|
| 361 | x->ex_flags |= EXFLAG_V1;
|
---|
| 362 | /* Handle basic constraints */
|
---|
| 363 | if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {
|
---|
| 364 | if (bs->ca)
|
---|
| 365 | x->ex_flags |= EXFLAG_CA;
|
---|
| 366 | if (bs->pathlen) {
|
---|
| 367 | if ((bs->pathlen->type == V_ASN1_NEG_INTEGER)
|
---|
| 368 | || !bs->ca) {
|
---|
| 369 | x->ex_flags |= EXFLAG_INVALID;
|
---|
| 370 | x->ex_pathlen = 0;
|
---|
| 371 | } else
|
---|
| 372 | x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
|
---|
| 373 | } else
|
---|
| 374 | x->ex_pathlen = -1;
|
---|
| 375 | BASIC_CONSTRAINTS_free(bs);
|
---|
| 376 | x->ex_flags |= EXFLAG_BCONS;
|
---|
| 377 | }
|
---|
| 378 | /* Handle proxy certificates */
|
---|
| 379 | if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
|
---|
| 380 | if (x->ex_flags & EXFLAG_CA
|
---|
| 381 | || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0
|
---|
| 382 | || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
|
---|
| 383 | x->ex_flags |= EXFLAG_INVALID;
|
---|
| 384 | }
|
---|
| 385 | if (pci->pcPathLengthConstraint) {
|
---|
| 386 | x->ex_pcpathlen = ASN1_INTEGER_get(pci->pcPathLengthConstraint);
|
---|
| 387 | } else
|
---|
| 388 | x->ex_pcpathlen = -1;
|
---|
| 389 | PROXY_CERT_INFO_EXTENSION_free(pci);
|
---|
| 390 | x->ex_flags |= EXFLAG_PROXY;
|
---|
| 391 | }
|
---|
| 392 | /* Handle key usage */
|
---|
| 393 | if ((usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
|
---|
| 394 | if (usage->length > 0) {
|
---|
| 395 | x->ex_kusage = usage->data[0];
|
---|
| 396 | if (usage->length > 1)
|
---|
| 397 | x->ex_kusage |= usage->data[1] << 8;
|
---|
| 398 | } else
|
---|
| 399 | x->ex_kusage = 0;
|
---|
| 400 | x->ex_flags |= EXFLAG_KUSAGE;
|
---|
| 401 | ASN1_BIT_STRING_free(usage);
|
---|
| 402 | }
|
---|
| 403 | x->ex_xkusage = 0;
|
---|
| 404 | if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) {
|
---|
| 405 | x->ex_flags |= EXFLAG_XKUSAGE;
|
---|
| 406 | for (i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
|
---|
| 407 | switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage, i))) {
|
---|
| 408 | case NID_server_auth:
|
---|
| 409 | x->ex_xkusage |= XKU_SSL_SERVER;
|
---|
| 410 | break;
|
---|
| 411 |
|
---|
| 412 | case NID_client_auth:
|
---|
| 413 | x->ex_xkusage |= XKU_SSL_CLIENT;
|
---|
| 414 | break;
|
---|
| 415 |
|
---|
| 416 | case NID_email_protect:
|
---|
| 417 | x->ex_xkusage |= XKU_SMIME;
|
---|
| 418 | break;
|
---|
| 419 |
|
---|
| 420 | case NID_code_sign:
|
---|
| 421 | x->ex_xkusage |= XKU_CODE_SIGN;
|
---|
| 422 | break;
|
---|
| 423 |
|
---|
| 424 | case NID_ms_sgc:
|
---|
| 425 | case NID_ns_sgc:
|
---|
| 426 | x->ex_xkusage |= XKU_SGC;
|
---|
| 427 | break;
|
---|
| 428 |
|
---|
| 429 | case NID_OCSP_sign:
|
---|
| 430 | x->ex_xkusage |= XKU_OCSP_SIGN;
|
---|
| 431 | break;
|
---|
| 432 |
|
---|
| 433 | case NID_time_stamp:
|
---|
| 434 | x->ex_xkusage |= XKU_TIMESTAMP;
|
---|
| 435 | break;
|
---|
| 436 |
|
---|
| 437 | case NID_dvcs:
|
---|
| 438 | x->ex_xkusage |= XKU_DVCS;
|
---|
| 439 | break;
|
---|
| 440 |
|
---|
| 441 | case NID_anyExtendedKeyUsage:
|
---|
| 442 | x->ex_xkusage |= XKU_ANYEKU;
|
---|
| 443 | break;
|
---|
| 444 | }
|
---|
| 445 | }
|
---|
| 446 | sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
|
---|
| 447 | }
|
---|
| 448 |
|
---|
| 449 | if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
|
---|
| 450 | if (ns->length > 0)
|
---|
| 451 | x->ex_nscert = ns->data[0];
|
---|
| 452 | else
|
---|
| 453 | x->ex_nscert = 0;
|
---|
| 454 | x->ex_flags |= EXFLAG_NSCERT;
|
---|
| 455 | ASN1_BIT_STRING_free(ns);
|
---|
| 456 | }
|
---|
| 457 | x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
|
---|
| 458 | x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
|
---|
| 459 | /* Does subject name match issuer ? */
|
---|
| 460 | if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) {
|
---|
| 461 | x->ex_flags |= EXFLAG_SI;
|
---|
| 462 | /* If SKID matches AKID also indicate self signed */
|
---|
| 463 | if (X509_check_akid(x, x->akid) == X509_V_OK &&
|
---|
| 464 | !ku_reject(x, KU_KEY_CERT_SIGN))
|
---|
| 465 | x->ex_flags |= EXFLAG_SS;
|
---|
| 466 | }
|
---|
| 467 | x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
|
---|
| 468 | x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
|
---|
| 469 | if (!x->nc && (i != -1))
|
---|
| 470 | x->ex_flags |= EXFLAG_INVALID;
|
---|
| 471 | setup_crldp(x);
|
---|
| 472 |
|
---|
| 473 | #ifndef OPENSSL_NO_RFC3779
|
---|
| 474 | x->rfc3779_addr = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);
|
---|
| 475 | x->rfc3779_asid = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum,
|
---|
| 476 | NULL, NULL);
|
---|
| 477 | #endif
|
---|
| 478 | for (i = 0; i < X509_get_ext_count(x); i++) {
|
---|
| 479 | ex = X509_get_ext(x, i);
|
---|
| 480 | if (OBJ_obj2nid(X509_EXTENSION_get_object(ex))
|
---|
| 481 | == NID_freshest_crl)
|
---|
| 482 | x->ex_flags |= EXFLAG_FRESHEST;
|
---|
| 483 | if (!X509_EXTENSION_get_critical(ex))
|
---|
| 484 | continue;
|
---|
| 485 | if (!X509_supported_extension(ex)) {
|
---|
| 486 | x->ex_flags |= EXFLAG_CRITICAL;
|
---|
| 487 | break;
|
---|
| 488 | }
|
---|
| 489 | }
|
---|
| 490 | x->ex_flags |= EXFLAG_SET;
|
---|
| 491 | }
|
---|
| 492 |
|
---|
| 493 | /*-
|
---|
| 494 | * CA checks common to all purposes
|
---|
| 495 | * return codes:
|
---|
| 496 | * 0 not a CA
|
---|
| 497 | * 1 is a CA
|
---|
| 498 | * 2 basicConstraints absent so "maybe" a CA
|
---|
| 499 | * 3 basicConstraints absent but self signed V1.
|
---|
| 500 | * 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
|
---|
| 501 | */
|
---|
| 502 |
|
---|
| 503 | static int check_ca(const X509 *x)
|
---|
| 504 | {
|
---|
| 505 | /* keyUsage if present should allow cert signing */
|
---|
| 506 | if (ku_reject(x, KU_KEY_CERT_SIGN))
|
---|
| 507 | return 0;
|
---|
| 508 | if (x->ex_flags & EXFLAG_BCONS) {
|
---|
| 509 | if (x->ex_flags & EXFLAG_CA)
|
---|
| 510 | return 1;
|
---|
| 511 | /* If basicConstraints says not a CA then say so */
|
---|
| 512 | else
|
---|
| 513 | return 0;
|
---|
| 514 | } else {
|
---|
| 515 | /* we support V1 roots for... uh, I don't really know why. */
|
---|
| 516 | if ((x->ex_flags & V1_ROOT) == V1_ROOT)
|
---|
| 517 | return 3;
|
---|
| 518 | /*
|
---|
| 519 | * If key usage present it must have certSign so tolerate it
|
---|
| 520 | */
|
---|
| 521 | else if (x->ex_flags & EXFLAG_KUSAGE)
|
---|
| 522 | return 4;
|
---|
| 523 | /* Older certificates could have Netscape-specific CA types */
|
---|
| 524 | else if (x->ex_flags & EXFLAG_NSCERT && x->ex_nscert & NS_ANY_CA)
|
---|
| 525 | return 5;
|
---|
| 526 | /* can this still be regarded a CA certificate? I doubt it */
|
---|
| 527 | return 0;
|
---|
| 528 | }
|
---|
| 529 | }
|
---|
| 530 |
|
---|
| 531 | void X509_set_proxy_flag(X509 *x)
|
---|
| 532 | {
|
---|
| 533 | x->ex_flags |= EXFLAG_PROXY;
|
---|
| 534 | }
|
---|
| 535 |
|
---|
| 536 | void X509_set_proxy_pathlen(X509 *x, long l)
|
---|
| 537 | {
|
---|
| 538 | x->ex_pcpathlen = l;
|
---|
| 539 | }
|
---|
| 540 |
|
---|
| 541 | int X509_check_ca(X509 *x)
|
---|
| 542 | {
|
---|
| 543 | if (!(x->ex_flags & EXFLAG_SET)) {
|
---|
| 544 | CRYPTO_THREAD_write_lock(x->lock);
|
---|
| 545 | x509v3_cache_extensions(x);
|
---|
| 546 | CRYPTO_THREAD_unlock(x->lock);
|
---|
| 547 | }
|
---|
| 548 |
|
---|
| 549 | return check_ca(x);
|
---|
| 550 | }
|
---|
| 551 |
|
---|
| 552 | /* Check SSL CA: common checks for SSL client and server */
|
---|
| 553 | static int check_ssl_ca(const X509 *x)
|
---|
| 554 | {
|
---|
| 555 | int ca_ret;
|
---|
| 556 | ca_ret = check_ca(x);
|
---|
| 557 | if (!ca_ret)
|
---|
| 558 | return 0;
|
---|
| 559 | /* check nsCertType if present */
|
---|
| 560 | if (ca_ret != 5 || x->ex_nscert & NS_SSL_CA)
|
---|
| 561 | return ca_ret;
|
---|
| 562 | else
|
---|
| 563 | return 0;
|
---|
| 564 | }
|
---|
| 565 |
|
---|
| 566 | static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
|
---|
| 567 | int ca)
|
---|
| 568 | {
|
---|
| 569 | if (xku_reject(x, XKU_SSL_CLIENT))
|
---|
| 570 | return 0;
|
---|
| 571 | if (ca)
|
---|
| 572 | return check_ssl_ca(x);
|
---|
| 573 | /* We need to do digital signatures or key agreement */
|
---|
| 574 | if (ku_reject(x, KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT))
|
---|
| 575 | return 0;
|
---|
| 576 | /* nsCertType if present should allow SSL client use */
|
---|
| 577 | if (ns_reject(x, NS_SSL_CLIENT))
|
---|
| 578 | return 0;
|
---|
| 579 | return 1;
|
---|
| 580 | }
|
---|
| 581 |
|
---|
| 582 | /*
|
---|
| 583 | * Key usage needed for TLS/SSL server: digital signature, encipherment or
|
---|
| 584 | * key agreement. The ssl code can check this more thoroughly for individual
|
---|
| 585 | * key types.
|
---|
| 586 | */
|
---|
| 587 | #define KU_TLS \
|
---|
| 588 | KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT|KU_KEY_AGREEMENT
|
---|
| 589 |
|
---|
| 590 | static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,
|
---|
| 591 | int ca)
|
---|
| 592 | {
|
---|
| 593 | if (xku_reject(x, XKU_SSL_SERVER | XKU_SGC))
|
---|
| 594 | return 0;
|
---|
| 595 | if (ca)
|
---|
| 596 | return check_ssl_ca(x);
|
---|
| 597 |
|
---|
| 598 | if (ns_reject(x, NS_SSL_SERVER))
|
---|
| 599 | return 0;
|
---|
| 600 | if (ku_reject(x, KU_TLS))
|
---|
| 601 | return 0;
|
---|
| 602 |
|
---|
| 603 | return 1;
|
---|
| 604 |
|
---|
| 605 | }
|
---|
| 606 |
|
---|
| 607 | static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x,
|
---|
| 608 | int ca)
|
---|
| 609 | {
|
---|
| 610 | int ret;
|
---|
| 611 | ret = check_purpose_ssl_server(xp, x, ca);
|
---|
| 612 | if (!ret || ca)
|
---|
| 613 | return ret;
|
---|
| 614 | /* We need to encipher or Netscape complains */
|
---|
| 615 | if (ku_reject(x, KU_KEY_ENCIPHERMENT))
|
---|
| 616 | return 0;
|
---|
| 617 | return ret;
|
---|
| 618 | }
|
---|
| 619 |
|
---|
| 620 | /* common S/MIME checks */
|
---|
| 621 | static int purpose_smime(const X509 *x, int ca)
|
---|
| 622 | {
|
---|
| 623 | if (xku_reject(x, XKU_SMIME))
|
---|
| 624 | return 0;
|
---|
| 625 | if (ca) {
|
---|
| 626 | int ca_ret;
|
---|
| 627 | ca_ret = check_ca(x);
|
---|
| 628 | if (!ca_ret)
|
---|
| 629 | return 0;
|
---|
| 630 | /* check nsCertType if present */
|
---|
| 631 | if (ca_ret != 5 || x->ex_nscert & NS_SMIME_CA)
|
---|
| 632 | return ca_ret;
|
---|
| 633 | else
|
---|
| 634 | return 0;
|
---|
| 635 | }
|
---|
| 636 | if (x->ex_flags & EXFLAG_NSCERT) {
|
---|
| 637 | if (x->ex_nscert & NS_SMIME)
|
---|
| 638 | return 1;
|
---|
| 639 | /* Workaround for some buggy certificates */
|
---|
| 640 | if (x->ex_nscert & NS_SSL_CLIENT)
|
---|
| 641 | return 2;
|
---|
| 642 | return 0;
|
---|
| 643 | }
|
---|
| 644 | return 1;
|
---|
| 645 | }
|
---|
| 646 |
|
---|
| 647 | static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x,
|
---|
| 648 | int ca)
|
---|
| 649 | {
|
---|
| 650 | int ret;
|
---|
| 651 | ret = purpose_smime(x, ca);
|
---|
| 652 | if (!ret || ca)
|
---|
| 653 | return ret;
|
---|
| 654 | if (ku_reject(x, KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION))
|
---|
| 655 | return 0;
|
---|
| 656 | return ret;
|
---|
| 657 | }
|
---|
| 658 |
|
---|
| 659 | static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x,
|
---|
| 660 | int ca)
|
---|
| 661 | {
|
---|
| 662 | int ret;
|
---|
| 663 | ret = purpose_smime(x, ca);
|
---|
| 664 | if (!ret || ca)
|
---|
| 665 | return ret;
|
---|
| 666 | if (ku_reject(x, KU_KEY_ENCIPHERMENT))
|
---|
| 667 | return 0;
|
---|
| 668 | return ret;
|
---|
| 669 | }
|
---|
| 670 |
|
---|
| 671 | static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x,
|
---|
| 672 | int ca)
|
---|
| 673 | {
|
---|
| 674 | if (ca) {
|
---|
| 675 | int ca_ret;
|
---|
| 676 | if ((ca_ret = check_ca(x)) != 2)
|
---|
| 677 | return ca_ret;
|
---|
| 678 | else
|
---|
| 679 | return 0;
|
---|
| 680 | }
|
---|
| 681 | if (ku_reject(x, KU_CRL_SIGN))
|
---|
| 682 | return 0;
|
---|
| 683 | return 1;
|
---|
| 684 | }
|
---|
| 685 |
|
---|
| 686 | /*
|
---|
| 687 | * OCSP helper: this is *not* a full OCSP check. It just checks that each CA
|
---|
| 688 | * is valid. Additional checks must be made on the chain.
|
---|
| 689 | */
|
---|
| 690 |
|
---|
| 691 | static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
|
---|
| 692 | {
|
---|
| 693 | /*
|
---|
| 694 | * Must be a valid CA. Should we really support the "I don't know" value
|
---|
| 695 | * (2)?
|
---|
| 696 | */
|
---|
| 697 | if (ca)
|
---|
| 698 | return check_ca(x);
|
---|
| 699 | /* leaf certificate is checked in OCSP_verify() */
|
---|
| 700 | return 1;
|
---|
| 701 | }
|
---|
| 702 |
|
---|
| 703 | static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
|
---|
| 704 | int ca)
|
---|
| 705 | {
|
---|
| 706 | int i_ext;
|
---|
| 707 |
|
---|
| 708 | /* If ca is true we must return if this is a valid CA certificate. */
|
---|
| 709 | if (ca)
|
---|
| 710 | return check_ca(x);
|
---|
| 711 |
|
---|
| 712 | /*
|
---|
| 713 | * Check the optional key usage field:
|
---|
| 714 | * if Key Usage is present, it must be one of digitalSignature
|
---|
| 715 | * and/or nonRepudiation (other values are not consistent and shall
|
---|
| 716 | * be rejected).
|
---|
| 717 | */
|
---|
| 718 | if ((x->ex_flags & EXFLAG_KUSAGE)
|
---|
| 719 | && ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) ||
|
---|
| 720 | !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE))))
|
---|
| 721 | return 0;
|
---|
| 722 |
|
---|
| 723 | /* Only time stamp key usage is permitted and it's required. */
|
---|
| 724 | if (!(x->ex_flags & EXFLAG_XKUSAGE) || x->ex_xkusage != XKU_TIMESTAMP)
|
---|
| 725 | return 0;
|
---|
| 726 |
|
---|
| 727 | /* Extended Key Usage MUST be critical */
|
---|
| 728 | i_ext = X509_get_ext_by_NID(x, NID_ext_key_usage, -1);
|
---|
| 729 | if (i_ext >= 0) {
|
---|
| 730 | X509_EXTENSION *ext = X509_get_ext((X509 *)x, i_ext);
|
---|
| 731 | if (!X509_EXTENSION_get_critical(ext))
|
---|
| 732 | return 0;
|
---|
| 733 | }
|
---|
| 734 |
|
---|
| 735 | return 1;
|
---|
| 736 | }
|
---|
| 737 |
|
---|
| 738 | static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
|
---|
| 739 | {
|
---|
| 740 | return 1;
|
---|
| 741 | }
|
---|
| 742 |
|
---|
| 743 | /*-
|
---|
| 744 | * Various checks to see if one certificate issued the second.
|
---|
| 745 | * This can be used to prune a set of possible issuer certificates
|
---|
| 746 | * which have been looked up using some simple method such as by
|
---|
| 747 | * subject name.
|
---|
| 748 | * These are:
|
---|
| 749 | * 1. Check issuer_name(subject) == subject_name(issuer)
|
---|
| 750 | * 2. If akid(subject) exists check it matches issuer
|
---|
| 751 | * 3. If key_usage(issuer) exists check it supports certificate signing
|
---|
| 752 | * returns 0 for OK, positive for reason for mismatch, reasons match
|
---|
| 753 | * codes for X509_verify_cert()
|
---|
| 754 | */
|
---|
| 755 |
|
---|
| 756 | int X509_check_issued(X509 *issuer, X509 *subject)
|
---|
| 757 | {
|
---|
| 758 | if (X509_NAME_cmp(X509_get_subject_name(issuer),
|
---|
| 759 | X509_get_issuer_name(subject)))
|
---|
| 760 | return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
|
---|
| 761 | x509v3_cache_extensions(issuer);
|
---|
| 762 | x509v3_cache_extensions(subject);
|
---|
| 763 |
|
---|
| 764 | if (subject->akid) {
|
---|
| 765 | int ret = X509_check_akid(issuer, subject->akid);
|
---|
| 766 | if (ret != X509_V_OK)
|
---|
| 767 | return ret;
|
---|
| 768 | }
|
---|
| 769 |
|
---|
| 770 | if (subject->ex_flags & EXFLAG_PROXY) {
|
---|
| 771 | if (ku_reject(issuer, KU_DIGITAL_SIGNATURE))
|
---|
| 772 | return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
|
---|
| 773 | } else if (ku_reject(issuer, KU_KEY_CERT_SIGN))
|
---|
| 774 | return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
|
---|
| 775 | return X509_V_OK;
|
---|
| 776 | }
|
---|
| 777 |
|
---|
| 778 | int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
|
---|
| 779 | {
|
---|
| 780 |
|
---|
| 781 | if (!akid)
|
---|
| 782 | return X509_V_OK;
|
---|
| 783 |
|
---|
| 784 | /* Check key ids (if present) */
|
---|
| 785 | if (akid->keyid && issuer->skid &&
|
---|
| 786 | ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid))
|
---|
| 787 | return X509_V_ERR_AKID_SKID_MISMATCH;
|
---|
| 788 | /* Check serial number */
|
---|
| 789 | if (akid->serial &&
|
---|
| 790 | ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial))
|
---|
| 791 | return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
|
---|
| 792 | /* Check issuer name */
|
---|
| 793 | if (akid->issuer) {
|
---|
| 794 | /*
|
---|
| 795 | * Ugh, for some peculiar reason AKID includes SEQUENCE OF
|
---|
| 796 | * GeneralName. So look for a DirName. There may be more than one but
|
---|
| 797 | * we only take any notice of the first.
|
---|
| 798 | */
|
---|
| 799 | GENERAL_NAMES *gens;
|
---|
| 800 | GENERAL_NAME *gen;
|
---|
| 801 | X509_NAME *nm = NULL;
|
---|
| 802 | int i;
|
---|
| 803 | gens = akid->issuer;
|
---|
| 804 | for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
|
---|
| 805 | gen = sk_GENERAL_NAME_value(gens, i);
|
---|
| 806 | if (gen->type == GEN_DIRNAME) {
|
---|
| 807 | nm = gen->d.dirn;
|
---|
| 808 | break;
|
---|
| 809 | }
|
---|
| 810 | }
|
---|
| 811 | if (nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
|
---|
| 812 | return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
|
---|
| 813 | }
|
---|
| 814 | return X509_V_OK;
|
---|
| 815 | }
|
---|
| 816 |
|
---|
| 817 | uint32_t X509_get_extension_flags(X509 *x)
|
---|
| 818 | {
|
---|
| 819 | /* Call for side-effect of computing hash and caching extensions */
|
---|
| 820 | X509_check_purpose(x, -1, -1);
|
---|
| 821 | return x->ex_flags;
|
---|
| 822 | }
|
---|
| 823 |
|
---|
| 824 | uint32_t X509_get_key_usage(X509 *x)
|
---|
| 825 | {
|
---|
| 826 | /* Call for side-effect of computing hash and caching extensions */
|
---|
| 827 | X509_check_purpose(x, -1, -1);
|
---|
| 828 | if (x->ex_flags & EXFLAG_KUSAGE)
|
---|
| 829 | return x->ex_kusage;
|
---|
| 830 | return UINT32_MAX;
|
---|
| 831 | }
|
---|
| 832 |
|
---|
| 833 | uint32_t X509_get_extended_key_usage(X509 *x)
|
---|
| 834 | {
|
---|
| 835 | /* Call for side-effect of computing hash and caching extensions */
|
---|
| 836 | X509_check_purpose(x, -1, -1);
|
---|
| 837 | if (x->ex_flags & EXFLAG_XKUSAGE)
|
---|
| 838 | return x->ex_xkusage;
|
---|
| 839 | return UINT32_MAX;
|
---|
| 840 | }
|
---|
| 841 |
|
---|
| 842 | const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x)
|
---|
| 843 | {
|
---|
| 844 | /* Call for side-effect of computing hash and caching extensions */
|
---|
| 845 | X509_check_purpose(x, -1, -1);
|
---|
| 846 | return x->skid;
|
---|
| 847 | }
|
---|
| 848 |
|
---|
| 849 | long X509_get_pathlen(X509 *x)
|
---|
| 850 | {
|
---|
| 851 | /* Called for side effect of caching extensions */
|
---|
| 852 | if (X509_check_purpose(x, -1, -1) != 1
|
---|
| 853 | || (x->ex_flags & EXFLAG_BCONS) == 0)
|
---|
| 854 | return -1;
|
---|
| 855 | return x->ex_pathlen;
|
---|
| 856 | }
|
---|
| 857 |
|
---|
| 858 | long X509_get_proxy_pathlen(X509 *x)
|
---|
| 859 | {
|
---|
| 860 | /* Called for side effect of caching extensions */
|
---|
| 861 | if (X509_check_purpose(x, -1, -1) != 1
|
---|
| 862 | || (x->ex_flags & EXFLAG_PROXY) == 0)
|
---|
| 863 | return -1;
|
---|
| 864 | return x->ex_pcpathlen;
|
---|
| 865 | }
|
---|