author | Rob Austein <sra@hactrn.net> | 2006-08-24 19:52:52 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2006-08-24 19:52:52 +0000 |
commit | d1b8f9077cb3133726caec0fae9e203cc30a688e (patch) | |
tree | a4c06293b11c5216d11f4d28f1a90c5525ef87c9 /openssl | |
parent | 0e6de91b9d13c7519d61cfa1a930b6e9c0431797 (diff) |
v3_*_validate_resource_set()
svn path=/openssl/README; revision=223
Diffstat (limited to 'openssl')
-rw-r--r-- | openssl/README | 12 | ||||
-rw-r--r-- | openssl/trunk/crypto/x509v3/v3_addr.c | 98 | ||||
-rw-r--r-- | openssl/trunk/crypto/x509v3/v3_asid.c | 145 | ||||
-rw-r--r-- | openssl/trunk/crypto/x509v3/v3err.c | 1 | ||||
-rw-r--r-- | openssl/trunk/crypto/x509v3/x509v3.h | 7 |
5 files changed, 189 insertions, 74 deletions
diff --git a/openssl/README b/openssl/README index a451e1dc..4d71867c 100644 --- a/openssl/README +++ b/openssl/README @@ -298,7 +298,17 @@ notes and questions at the end. SUBSET if the resource set is a subset of the certificate resource list, or NOT otherwise - Status: Not done. Some supporting code exists. See notes below. + Status: Untested API functions written. No CLI (yet?). + + API: New (and as yet untested) functions: + v3_asid_validate_resource_set(), v3_addr_validate_resource_set(). + These return true if a certificate chain covers a resource set. + "Resource sets" are represented as the C form of the appropriate + extension, with the additional constraint that the resource set + must not use inheritance; this constraint is enforced by the code + (ie, using one of these functions on a resource set that specifies + inheritance will always return false regardless of the contents of + the chain). 7. generate_resource_certificate generates a resource certificate - I'm not sure I understand what the inputs are to be here - perhaps diff --git a/openssl/trunk/crypto/x509v3/v3_addr.c b/openssl/trunk/crypto/x509v3/v3_addr.c index 88a53ab8..ee87fa25 100644 --- a/openssl/trunk/crypto/x509v3/v3_addr.c +++ b/openssl/trunk/crypto/x509v3/v3_addr.c 
@@ -1037,46 +1037,69 @@ static int addr_contains(IPAddressOrRanges *parent,
 */
 #define validation_err(_err_) \
 do { \
- ctx->error = _err_; \
- ctx->error_depth = i; \
- ctx->current_cert = x; \
- ret = ctx->verify_cb(0, ctx); \
+ if (ctx != NULL) { \
+ ctx->error = _err_; \
+ ctx->error_depth = i; \
+ ctx->current_cert = x; \
+ ret = ctx->verify_cb(0, ctx); \
+ } else { \
+ ret = 0; \
+ } \
 if (!ret) \
 goto done; \
 } while (0)
 /*
- * RFC 3779 2.3 path validation. Intended to be called from X509_verify_cert().
+ * Core code for RFC 3779 2.3 path validation.
 */
-int v3_addr_validate_path(X509_STORE_CTX *ctx)
+static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
+ STACK_OF(X509) *chain,
+ IPAddrBlocks *resource_set)
 {
 IPAddrBlocks *child = NULL;
 int i, j, ret = 1;
 X509 *x;
- assert(ctx->verify_cb);
+ assert(chain != NULL);
+ assert(ctx != NULL || resource_set != NULL);
+ assert(ctx == NULL || ctx->verify_cb != NULL);
- /*
- * Start with the target certificate. If it doesn't have the
- * extension, we're done.
- */
- i = 0;
- x = sk_X509_value(ctx->chain, i);
- assert(x != NULL);
- if (x->rfc3779_addr == NULL)
- goto done;
+ if (resource_set != NULL) {
+ /*
+ * Separate resource set. Check for canonical form, check for
+ * inheritance (not allowed in a resource set).
+ */
+ i = -1;
+ ret = v3_addr_is_canonical(resource_set);
+ for (j = 0; ret && j < sk_IPAddressFamily_num(resource_set); j++) {
+ IPAddressFamily *f = sk_IPAddressFamily_value(resource_set, j);
+ if (f->ipAddressChoice->type == IPAddressChoice_inherit)
+ ret = 0;
+ }
+ if (!ret)
+ goto done;
+ sk_IPAddressFamily_set_cmp_func(resource_set, IPAddressFamily_cmp);
+ child = sk_IPAddressFamily_dup(resource_set);
- /*
- * Has extension, need to check the whole chain. This requires a
- * scratch stack, initially populated with a copy of the target
- * certificate's extension. Make sure the extension is in canonical
- * form first.
- */
- if (!v3_addr_is_canonical(x->rfc3779_addr))
- validation_err(X509_V_ERR_INVALID_EXTENSION);
- sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
- if ((child = sk_IPAddressFamily_dup(x->rfc3779_addr)) == NULL) {
- X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH, ERR_R_MALLOC_FAILURE);
+ } else {
+ /*
+ * Start with the target certificate. If it doesn't have the
+ * extension, we're done. Otherwise, we need to check the chain.
+ */
+ i = 0;
+ x = sk_X509_value(ctx->chain, i);
+ assert(x != NULL);
+ if (x->rfc3779_addr == NULL)
+ goto done;
+ if (!v3_addr_is_canonical(x->rfc3779_addr))
+ validation_err(X509_V_ERR_INVALID_EXTENSION);
+ sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
+ child = sk_IPAddressFamily_dup(x->rfc3779_addr);
+ }
+
+ if (child == NULL) {
+ X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE);
+ ret = 0;
 goto done;
 }
@@ -1084,7 +1107,7 @@ int v3_addr_validate_path(X509_STORE_CTX *ctx)
 * Now walk up the chain. No cert may list resources that its
 * parent doesn't list.
 */
- for (i = 1; i < sk_X509_num(ctx->chain); i++) {
+ for (i++; i < sk_X509_num(ctx->chain); i++) {
 x = sk_X509_value(ctx->chain, i);
 assert(x != NULL);
 if (!v3_addr_is_canonical(x->rfc3779_addr))
@@ -1141,3 +1164,22 @@ int v3_addr_validate_path(X509_STORE_CTX *ctx)
 }
 #undef validation_err
+
+/*
+ * RFC 3779 2.3 path validation -- called from X509_verify_cert().
+ */
+int v3_addr_validate_path(X509_STORE_CTX *ctx)
+{
+ return v3_addr_validate_path_internal(ctx, ctx->chain, NULL);
+}
+
+/*
+ * RFC 3779 2.3 path validation of a "resource set"
+ */
+int v3_addr_validate_resource_set(STACK_OF(X509) *chain,
+ IPAddrBlocks *resource_set)
+{
+ if (chain == NULL || resource_set == NULL)
+ return 0;
+ return v3_addr_validate_path_internal(NULL, chain, resource_set);
+}
diff --git a/openssl/trunk/crypto/x509v3/v3_asid.c b/openssl/trunk/crypto/x509v3/v3_asid.c
index c9c679e9..f3185d1e 100644
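Review bot: v3_addr_validate_path_internal() now has two quite different modes, but its header comment only says `Core code for RFC 3779 2.3 path validation.`; the asserts and the resource_set branch are the only statement of the contract. I'd expand that comment to say that with `resource_set` non-NULL the set itself is checked against `chain`, must be canonical and must not contain an `IPAddressChoice_inherit` family, every failure is a plain 0 return because `validation_err` has no `verify_cb` to consult when `ctx` is NULL, and the caller's `resource_set` is modified in place by `sk_IPAddressFamily_set_cmp_func()`; with `ctx` non-NULL it is the previous behaviour on the leaf of `ctx->chain`, with errors reported through `ctx->verify_cb`. A one-liner at `i = -1;` explaining that the chain walk below starts at `i + 1` would also help, since the `for (i++; ...)` idiom is easy to misread. The function's body continues past the end of this hunk.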
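Review bot: The chain walk in the `@@ -1084,7 +1107,7 @@` hunk still indexes `ctx->chain` (`for (i++; i < sk_X509_num(ctx->chain); i++)` and `x = sk_X509_value(ctx->chain, i);`), but v3_addr_validate_resource_set() now calls v3_addr_validate_path_internal() with `ctx == NULL`, so the first call through the new entry point dereferences a NULL pointer. The loop should use the `chain` parameter, exactly as the parallel hunk in v3_asid.c already does: `for (i++; i < sk_X509_num(chain); i++) {` and `x = sk_X509_value(chain, i);`. The loop body continues outside the hunk, so any further `ctx->chain` uses there need the same treatment; `ctx->chain` only remains safe for the v3_addr_validate_path() caller, which passes its own chain through.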
--- a/openssl/trunk/crypto/x509v3/v3_asid.c
+++ b/openssl/trunk/crypto/x509v3/v3_asid.c
@@ -596,69 +596,107 @@ static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child)
 */
 #define validation_err(_err_) \
 do { \
- ctx->error = _err_; \
- ctx->error_depth = i; \
- ctx->current_cert = x; \
- ret = ctx->verify_cb(0, ctx); \
+ if (ctx != NULL) { \
+ ctx->error = _err_; \
+ ctx->error_depth = i; \
+ ctx->current_cert = x; \
+ ret = ctx->verify_cb(0, ctx); \
+ } else { \
+ ret = 0; \
+ } \
 if (!ret) \
 goto done; \
 } while (0)
 /*
- * RFC 3779 3.3 path validation. Intended to be called from X509_verify_cert().
+ * Core code for RFC 3779 3.3 path validation.
 */
-int v3_asid_validate_path(X509_STORE_CTX *ctx)
+static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx,
+ STACK_OF(X509) *chain,
+ ASIdentifiers *resource_set)
 {
 ASIdOrRanges *child_as = NULL, *child_rdi = NULL;
 int i, ret = 1, inherit_as = 0, inherit_rdi = 0;
 X509 *x;
- assert(ctx->verify_cb);
+ assert(chain != NULL);
+ assert(ctx != NULL || resource_set != NULL);
+ assert(ctx == NULL || ctx->verify_cb != NULL);
- /*
- * Start with the target certificate. If it doesn't have the extension,
- * we're done.
- */
- i = 0;
- x = sk_X509_value(ctx->chain, i);
- assert(x != NULL);
- if (x->rfc3779_asid == NULL)
- goto done;
+ if (resource_set != NULL) {
- /*
- * Has extension, have to check the whole chain. Make sure the
- * extension is in canonical form, then pull its resource lists
- * so we can check whether its parents had them to grant.
- */
- if (!v3_asid_is_canonical(x->rfc3779_asid))
- validation_err(X509_V_ERR_INVALID_EXTENSION);
- if (x->rfc3779_asid->asnum != NULL) {
- switch (x->rfc3779_asid->asnum->type) {
- case ASIdentifierChoice_inherit:
- inherit_as = 1;
- break;
- case ASIdentifierChoice_asIdsOrRanges:
- child_as = x->rfc3779_asid->asnum->u.asIdsOrRanges;
- break;
+ /*
+ * Separate resource set. Check for canonical form, check for
+ * inheritance (not allowed in a resource set).
+ */
+ i = -1;
+ ret = v3_asid_is_canonical(resource_set);
+ if (ret && resource_set->asnum != NULL) {
+ switch (resource_set->asnum->type) {
+ case ASIdentifierChoice_inherit:
+ ret = 0;
+ break;
+ case ASIdentifierChoice_asIdsOrRanges:
+ child_as = resource_set->asnum->u.asIdsOrRanges;
+ break;
+ }
 }
- }
- if (x->rfc3779_asid->rdi != NULL) {
- switch (x->rfc3779_asid->rdi->type) {
- case ASIdentifierChoice_inherit:
- inherit_rdi = 1;
- break;
- case ASIdentifierChoice_asIdsOrRanges:
- child_rdi = x->rfc3779_asid->rdi->u.asIdsOrRanges;
- break;
+ if (ret && resource_set->rdi != NULL) {
+ switch (resource_set->rdi->type) {
+ case ASIdentifierChoice_inherit:
+ ret = 0;
+ break;
+ case ASIdentifierChoice_asIdsOrRanges:
+ child_rdi = resource_set->rdi->u.asIdsOrRanges;
+ break;
+ }
+ }
+ if (!ret)
+ goto done;
+
+ } else {
+
+ /*
+ * Starting with target certificate. If it doesn't have the
+ * extension, we're done. If it does, extension must be in
+ * canonical form, then we pull its resource lists so
+ * we can check whether its parents have them to grant.
+ */
+ i = 0;
+ x = sk_X509_value(chain, i);
+ assert(x != NULL);
+ if (x->rfc3779_asid == NULL)
+ goto done;
+ if (!v3_asid_is_canonical(x->rfc3779_asid))
+ validation_err(X509_V_ERR_INVALID_EXTENSION);
+ if (x->rfc3779_asid->asnum != NULL) {
+ switch (x->rfc3779_asid->asnum->type) {
+ case ASIdentifierChoice_inherit:
+ inherit_as = 1;
+ break;
+ case ASIdentifierChoice_asIdsOrRanges:
+ child_as = x->rfc3779_asid->asnum->u.asIdsOrRanges;
+ break;
+ }
+ }
+ if (x->rfc3779_asid->rdi != NULL) {
+ switch (x->rfc3779_asid->rdi->type) {
+ case ASIdentifierChoice_inherit:
+ inherit_rdi = 1;
+ break;
+ case ASIdentifierChoice_asIdsOrRanges:
+ child_rdi = x->rfc3779_asid->rdi->u.asIdsOrRanges;
+ break;
+ }
 }
 }
 /*
- * Now walk up the chain. Extensions must be in canonical form, and
- * no cert may list resources that its parent doesn't list.
+ * Now walk up the chain. 
Extensions must be in canonical form, no
+ * cert may list resources that its parent doesn't list.
 */
- for (i = 1; i < sk_X509_num(ctx->chain); i++) {
- x = sk_X509_value(ctx->chain, i);
+ for (i++; i < sk_X509_num(chain); i++) {
+ x = sk_X509_value(chain, i);
 assert(x != NULL);
 if (x->rfc3779_asid == NULL) {
 if (child_as != NULL || child_rdi != NULL)
@@ -716,3 +754,22 @@ int v3_asid_validate_path(X509_STORE_CTX *ctx)
 }
 #undef validation_err
+
+/*
+ * RFC 3779 3.3 path validation -- called from X509_verify_cert().
+ */
+int v3_asid_validate_path(X509_STORE_CTX *ctx)
+{
+ return v3_asid_validate_path_internal(ctx, ctx->chain, NULL);
+}
+
+/*
+ * RFC 3779 3.3 path validation of a "resource set"
+ */
+int v3_asid_validate_resource_set(STACK_OF(X509) *chain,
+ ASIdentifiers *resource_set)
+{
+ if (chain == NULL || resource_set == NULL)
+ return 0;
+ return v3_asid_validate_path_internal(NULL, chain, resource_set);
+}
diff --git a/openssl/trunk/crypto/x509v3/v3err.c b/openssl/trunk/crypto/x509v3/v3err.c
index dca567ea..724565e3 100644
--- a/openssl/trunk/crypto/x509v3/v3err.c
+++ b/openssl/trunk/crypto/x509v3/v3err.c
@@ -119,6 +119,7 @@ static ERR_STRING_DATA X509V3_str_functs[]=
 {ERR_FUNC(X509V3_F_V2I_POLICY_MAPPINGS), "V2I_POLICY_MAPPINGS"},
 {ERR_FUNC(X509V3_F_V2I_SUBJECT_ALT), "V2I_SUBJECT_ALT"},
 {ERR_FUNC(X509V3_F_V3_ADDR_VALIDATE_PATH), "v3_addr_validate_path"},
+{ERR_FUNC(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL), "V3_ADDR_VALIDATE_PATH_INTERNAL"},
 {ERR_FUNC(X509V3_F_V3_GENERIC_EXTENSION), "V3_GENERIC_EXTENSION"},
 {ERR_FUNC(X509V3_F_X509V3_ADD1_I2D), "X509V3_add1_i2d"},
 {ERR_FUNC(X509V3_F_X509V3_ADD_VALUE), "X509V3_add_value"},
diff --git a/openssl/trunk/crypto/x509v3/x509v3.h b/openssl/trunk/crypto/x509v3/x509v3.h
index 660b5c73..27919d02 100644
--- a/openssl/trunk/crypto/x509v3/x509v3.h
+++ b/openssl/trunk/crypto/x509v3/x509v3.h
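Review bot: In the resource_set branch of v3_asid_validate_path_internal() the two `switch (resource_set->asnum->type)` / `switch (resource_set->rdi->type)` statements have no `default`, so a caller-built ASIdentifiers whose choice type is neither `ASIdentifierChoice_inherit` nor `ASIdentifierChoice_asIdsOrRanges` leaves `ret` at 1 and `child_as`/`child_rdi` NULL, and the set is then validated as if it requested nothing. Unless v3_asid_is_canonical() (not visible here) rejects such a value, each of those switches should get `default: ret = 0; break;` so malformed input fails closed the way `inherit` does. The same shape of switch existed in the certificate path before this change, but there the type comes from the ASN.1 decoder, whereas per the README a resource set is application-constructed C data. v3_asid_validate_path_internal() continues beyond the end of this hunk.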
@@ -737,7 +737,11 @@ int v3_addr_canonize(IPAddrBlocks *addr);
 */
 int v3_asid_validate_path(X509_STORE_CTX *);
 int v3_addr_validate_path(X509_STORE_CTX *);
-
+int v3_asid_validate_resource_set(STACK_OF(X509) *chain,
+ ASIdentifiers *resource_set);
+int v3_addr_validate_resource_set(STACK_OF(X509) *chain,
+ IPAddrBlocks *resource_set);
+
 /*
 * [sra] END KLUDGE
 */
@@ -800,6 +804,7 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_F_V2I_POLICY_MAPPINGS 145
 #define X509V3_F_V2I_SUBJECT_ALT 154
 #define X509V3_F_V3_ADDR_VALIDATE_PATH 160
+#define X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL 163
 #define X509V3_F_V3_GENERIC_EXTENSION 116
 #define X509V3_F_X509V3_ADD1_I2D 140
 #define X509V3_F_X509V3_ADD_VALUE 105 |
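Review bot: The two new public prototypes carry no comment, so the contract that only README states (true only when the chain covers the resource set; a set using inheritance always yields false) is invisible to anyone reading x509v3.h. I'd put above them: `/* Return 1 if chain grants every resource in resource_set, 0 on any failure: NULL argument, non-canonical set, a set using inherit, or a chain that doesn't cover it. No verify callback is consulted. */`. It is also worth stating there that the addr variant calls sk_IPAddressFamily_set_cmp_func() on the caller's resource_set, which is why that pointer is not const. Naming the parameters (`STACK_OF(X509) *chain, ASIdentifiers *resource_set`) is welcome; the two older prototypes directly above omit theirs, and making them match would be a small consistency win.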