authorRob Austein <sra@hactrn.net>2006-08-26 19:14:06 +0000
committerRob Austein <sra@hactrn.net>2006-08-26 19:14:06 +0000
commit52dacdd430e0b0d70ffabf33380b044b0132347a (patch)
treeb10079b095d4ef3975eb1b25805dc93d3b246852
parent99b382d77e50198e59869fbb9c3cb52f0bf79ff5 (diff)
Add inheritance and subset tests.
svn path=/openssl/README; revision=233
-rw-r--r--openssl/README12
-rw-r--r--openssl/trunk/crypto/x509v3/v3_addr.c28
-rw-r--r--openssl/trunk/crypto/x509v3/v3_asid.c20
-rw-r--r--openssl/trunk/crypto/x509v3/x509v3.h10
-rwxr-xr-xopenssl/trunk/util/libeay.num4
5 files changed, 67 insertions, 7 deletions
diff --git a/openssl/README b/openssl/README
index 3e5f7131..e6999091 100644
--- a/openssl/README
+++ b/openssl/README
@@ -279,7 +279,13 @@ notes and questions at the end.
strict subset of data2, or = NOT in all other cases (CLI or API)
(EQUAL, SUBSET, NOT)
- Status: Not done. Some supporting code exists. See notes below.
+ Status: API code written, not fully tested. No CLI. API functions
+ test whether an extension uses inheritance, and whether one
+ extension is a (possibly improper) subset of another. Subset test
+ fails if either extension uses inheritance.
+
+ API: v3_asid_inherits(), v3_addr_inherits(), v3_asid_subset(),
+ v3_addr_subset().
5. is_3379_canonical tests a single data set and returns CANONICAL if
the resource is formatted according to 3779 or NOT is otherwise
@@ -354,6 +360,10 @@ notes and questions at the end.
would be to add said checks (probably not very, once I find the
right place in the code...).
+ API: Primitive #6 (above) extended to accept argument indicating
+ whether inheritance is allowed, so that primitive #6 can be used to
+ test extensions pulled from a request against a certificate chain.
+
Notes:
- "For some definition of done": opinions vary on whether the existing
diff --git a/openssl/trunk/crypto/x509v3/v3_addr.c b/openssl/trunk/crypto/x509v3/v3_addr.c
index 70911805..78f60ed4 100644
--- a/openssl/trunk/crypto/x509v3/v3_addr.c
+++ b/openssl/trunk/crypto/x509v3/v3_addr.c
@@ -999,7 +999,7 @@ X509V3_EXT_METHOD v3_addr = {
/*
* Figure out whether extension sues inheritance.
*/
-static int addr_inherits(IPAddrBlocks *addr)
+int v3_addr_inherits(IPAddrBlocks *addr)
{
int i;
if (addr == NULL)
@@ -1012,7 +1012,6 @@ static int addr_inherits(IPAddrBlocks *addr)
return 0;
}
-
/*
* Figure out whether parent contains child.
*/
@@ -1050,6 +1049,29 @@ static int addr_contains(IPAddressOrRanges *parent,
}
/*
+ * Test whether a is a subset of b.
+ */
+int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
+{
+ int i;
+ if (a == NULL || a == b)
+ return 1;
+ if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b))
+ return 0;
+ sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
+ for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
+ IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
+ int j = sk_IPAddressFamily_find(b, fa);
+ IPAddressFamily *fb = sk_IPAddressFamily_value(b, j);
+ if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges,
+ fa->ipAddressChoice->u.addressesOrRanges,
+ length_from_afi(afi_from_addressfamily(fb))))
+ return 0;
+ }
+ return 1;
+}
+
+/*
* Validation error handling via callback.
*/
#define validation_err(_err_) \
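Review bot: In `v3_addr_subset()` the index returned by `sk_IPAddressFamily_find(b, fa)` is used without checking for a miss. When `b` has no entry for an address family that appears in `a`, `j` is -1, so `sk_IPAddressFamily_value(b, j)` should return NULL and the following `fb->ipAddressChoice` dereferences it. If either extension can come from an untrusted certificate or request, that is a crash where the answer should simply be "not a subset". Add `if (fb == NULL) return 0;` directly after `fb` is assigned and before the `addr_contains()` call.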
@@ -1186,7 +1208,7 @@ int v3_addr_validate_resource_set(STACK_OF(X509) *chain,
return 1;
if (chain == NULL || sk_X509_num(chain) == 0)
return 0;
- if (!allow_inheritance && addr_inherits(ext))
+ if (!allow_inheritance && v3_addr_inherits(ext))
return 0;
return v3_addr_validate_path_internal(NULL, chain, ext);
}
diff --git a/openssl/trunk/crypto/x509v3/v3_asid.c b/openssl/trunk/crypto/x509v3/v3_asid.c
index 79dd262b..70bd5581 100644
--- a/openssl/trunk/crypto/x509v3/v3_asid.c
+++ b/openssl/trunk/crypto/x509v3/v3_asid.c
@@ -563,7 +563,7 @@ X509V3_EXT_METHOD v3_asid = {
/*
* Figure out whether extension uses inheritance.
*/
-static int asid_inherits(ASIdentifiers *asid)
+int v3_asid_inherits(ASIdentifiers *asid)
{
return (asid != NULL &&
((asid->asnum != NULL &&
@@ -604,6 +604,22 @@ static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child)
}
/*
+ * Test whether a is a subet of b.
+ */
+int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
+{
+ return (a == NULL ||
+ a == b ||
+ (b != NULL &&
+ !v3_asid_inherits(a) &&
+ !v3_asid_inherits(b) &&
+ asid_contains(b->asnum->u.asIdsOrRanges,
+ a->asnum->u.asIdsOrRanges) &&
+ asid_contains(b->rdi->u.asIdsOrRanges,
+ a->rdi->u.asIdsOrRanges)));
+}
+
+/*
* Validation error handling via callback.
*/
#define validation_err(_err_) \
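Review bot: `v3_asid_subset()` dereferences `a->asnum`, `b->asnum`, `a->rdi` and `b->rdi` unconditionally, yet the `asid->asnum != NULL` test visible in `v3_asid_inherits()` shows these members can be absent. An extension that carries only AS numbers (no `rdi`) would reach `b->rdi->u.asIdsOrRanges` and fault, and the inheritance checks do not prevent it because a NULL member is reported as "does not inherit". Each member should be compared separately: an absent member in `a` is trivially contained, and an absent member in `b` contains nothing. The comment above the function also has a typo, "subet" for "subset".

```c
int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
{
  if (a == NULL || a == b)
    return 1;
  if (b == NULL || v3_asid_inherits(a) || v3_asid_inherits(b))
    return 0;
  /* Absent member in a: nothing to contain.  Absent member in b: contains nothing. */
  if (a->asnum != NULL &&
      (b->asnum == NULL ||
       !asid_contains(b->asnum->u.asIdsOrRanges, a->asnum->u.asIdsOrRanges)))
    return 0;
  if (a->rdi != NULL &&
      (b->rdi == NULL ||
       !asid_contains(b->rdi->u.asIdsOrRanges, a->rdi->u.asIdsOrRanges)))
    return 0;
  return 1;
}
```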
@@ -756,7 +772,7 @@ int v3_asid_validate_resource_set(STACK_OF(X509) *chain,
return 1;
if (chain == NULL || sk_X509_num(chain) == 0)
return 0;
- if (!allow_inheritance && asid_inherits(ext))
+ if (!allow_inheritance && v3_asid_inherits(ext))
return 0;
return v3_asid_validate_path_internal(NULL, chain, ext);
}
diff --git a/openssl/trunk/crypto/x509v3/x509v3.h b/openssl/trunk/crypto/x509v3/x509v3.h
index ea5d3f6e..fc0570b2 100644
--- a/openssl/trunk/crypto/x509v3/x509v3.h
+++ b/openssl/trunk/crypto/x509v3/x509v3.h
@@ -734,7 +734,15 @@ int v3_asid_canonize(ASIdentifiers *asid);
int v3_addr_canonize(IPAddrBlocks *addr);
/*
- * Check whether RFC 3779 extensions nest properly.
+ * Tests for inheritance and containment.
+ */
+int v3_asid_inherits(ASIdentifiers *asid);
+int v3_addr_inherits(IPAddrBlocks *addr);
+int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b);
+int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b);
+
+/*
+ * Check whether RFC 3779 extensions nest properly in chains.
*/
int v3_asid_validate_path(X509_STORE_CTX *);
int v3_addr_validate_path(X509_STORE_CTX *);
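Review bot: The new "Tests for inheritance and containment" comment does not state the contract of the four exported functions, and callers making authorization decisions need it. I would extend it to say that all four return 1 for true and 0 for false, that the `_subset()` functions return 1 when `a` is NULL or `a == b`, and that they return 0 whenever either argument uses inheritance. It should also note that `v3_addr_subset()` is not read-only on `b`: it installs `IPAddressFamily_cmp` on it via `sk_IPAddressFamily_set_cmp_func()`, and the subsequent find presumably sorts the stack. Suggested opening line: `/* Tests for inheritance and containment; return 1 if true, 0 otherwise. */`.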
diff --git a/openssl/trunk/util/libeay.num b/openssl/trunk/util/libeay.num
index 6f6f11ef..53be196f 100755
--- a/openssl/trunk/util/libeay.num
+++ b/openssl/trunk/util/libeay.num
@@ -3437,3 +3437,7 @@ v3_asid_canonize 3829 EXIST::FUNCTION:
v3_asid_validate_resource_set 3830 EXIST::FUNCTION:
v3_addr_is_canonical 3831 EXIST::FUNCTION:
v3_addr_canonize 3832 EXIST::FUNCTION:
+v3_addr_inherits 3833 EXIST::FUNCTION:
+v3_addr_subset 3834 EXIST::FUNCTION:
+v3_asid_subset 3835 EXIST::FUNCTION:
+v3_asid_inherits 3836 EXIST::FUNCTION: