return 1; \
}
-#define X509_invalid(cert) (!x509v3_cache_extensions(cert))
+#define X509_invalid(cert) (!ossl_x509v3_cache_extensions(cert))
#define EVP_PKEY_invalid(key) 0
#define DEFINE_OSSL_CMP_CTX_set1_up_ref(FIELD, TYPE) \
int OSSL_CMP_CTX_set1_##FIELD(OSSL_CMP_CTX *ctx, TYPE *val) \
if (crt == NULL)
ERR_raise(ERR_LIB_CMP, CMP_R_CERTIFICATE_NOT_FOUND);
else
- (void)x509_set0_libctx(crt, ctx->libctx, ctx->propq);
+ (void)ossl_x509_set0_libctx(crt, ctx->libctx, ctx->propq);
return crt;
}
}
sig_err:
- res = x509_print_ex_brief(bio, cert, X509_FLAG_NO_EXTENSIONS);
+ res = ossl_x509_print_ex_brief(bio, cert, X509_FLAG_NO_EXTENSIONS);
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_VALIDATING_SIGNATURE);
if (res)
ERR_add_error_mem_bio("\n", bio);
if (!check_kid(ctx, X509_get0_subject_key_id(cert), msg->header->senderKID))
return 0;
/* prevent misleading error later in case x509v3_cache_extensions() fails */
- if (!x509v3_cache_extensions(cert)) {
+ if (!ossl_x509v3_cache_extensions(cert)) {
ossl_cmp_warn(ctx, "cert appears to be invalid");
return 0;
}
break;
case CMS_RECIPINFO_TRANS:
ri->d.ktri->cms_ctx = ctx;
- x509_set0_libctx(ri->d.ktri->recip,
- ossl_cms_ctx_get0_libctx(ctx),
- ossl_cms_ctx_get0_propq(ctx));
+ ossl_x509_set0_libctx(ri->d.ktri->recip,
+ ossl_cms_ctx_get0_libctx(ctx),
+ ossl_cms_ctx_get0_propq(ctx));
break;
case CMS_RECIPINFO_KEK:
ri->d.kekri->cms_ctx = ctx;
for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++) {
cch = sk_CMS_CertificateChoices_value(*pcerts, i);
if (cch->type == CMS_CERTCHOICE_CERT)
- x509_set0_libctx(cch->d.certificate, libctx, propq);
+ ossl_x509_set0_libctx(cch->d.certificate, libctx, propq);
}
}
}
OSSL_LIB_CTX *libctx = NULL;
const char *propq = NULL;
- if (!X509_PUBKEY_get0_libctx(&libctx, &propq, pubkey)
+ if (!ossl_x509_PUBKEY_get0_libctx(&libctx, &propq, pubkey)
|| !X509_PUBKEY_get0_param(NULL, &p, &pklen, &palg, pubkey))
return 0;
X509_ALGOR_get0(NULL, &ptype, &pval, palg);
unsigned char cert_sha1[SHA_DIGEST_LENGTH];
/* Call for side-effect of computing hash and caching extensions */
- if (!x509v3_cache_extensions(cert))
+ if (!ossl_x509v3_cache_extensions(cert))
return NULL;
if ((cid = ESS_CERT_ID_new()) == NULL)
return;
for (i = 0; i < sk_X509_num(certs); i++)
- x509_set0_libctx(sk_X509_value(certs, i), libctx, propq);
+ ossl_x509_set0_libctx(sk_X509_value(certs, i), libctx, propq);
for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rinfos); i++) {
PKCS7_RECIP_INFO *ri = sk_PKCS7_RECIP_INFO_value(rinfos, i);
- x509_set0_libctx(ri->cert, libctx, propq);
+ ossl_x509_set0_libctx(ri->cert, libctx, propq);
}
for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++) {
/* We determined the object type */
data->object_type = OSSL_OBJECT_CERT;
- if (cert != NULL && !x509_set0_libctx(cert, libctx, propq)) {
+ if (cert != NULL && !ossl_x509_set0_libctx(cert, libctx, propq)) {
X509_free(cert);
cert = NULL;
}
/* We determined the object type */
data->object_type = OSSL_OBJECT_CRL;
- if (crl != NULL && !x509_crl_set0_libctx(crl, libctx, propq)) {
+ if (crl != NULL && !ossl_x509_crl_set0_libctx(crl, libctx, propq)) {
X509_CRL_free(crl);
crl = NULL;
}
* Helper functions for improving certificate verification error diagnostics
*/
-int x509_print_ex_brief(BIO *bio, X509 *cert, unsigned long neg_cflags)
+int ossl_x509_print_ex_brief(BIO *bio, X509 *cert, unsigned long neg_cflags)
{
unsigned long flags = ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE |
XN_FLAG_SEP_CPLUS_SPC | XN_FLAG_FN_SN;
X509 *cert = sk_X509_value(certs, i);
if (cert != NULL) {
- if (!x509_print_ex_brief(bio, cert, 0))
+ if (!ossl_x509_print_ex_brief(bio, cert, 0))
return 0;
if (!X509V3_extensions_print(bio, NULL,
X509_get0_extensions(cert),
}
BIO_printf(bio, "Failure for:\n");
- x509_print_ex_brief(bio, X509_STORE_CTX_get_current_cert(ctx),
- X509_FLAG_NO_EXTENSIONS);
+ ossl_x509_print_ex_brief(bio, X509_STORE_CTX_get_current_cert(ctx),
+ X509_FLAG_NO_EXTENSIONS);
if (cert_error == X509_V_ERR_CERT_UNTRUSTED
|| cert_error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
|| cert_error == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
int idx;
const X509_PURPOSE *pt;
- if (!x509v3_cache_extensions(x))
+ if (!ossl_x509v3_cache_extensions(x))
return -1;
if (id == -1)
return 1;
* X509_SIG_INFO_VALID is set in x->flags if x->siginf was filled successfully.
* Set EXFLAG_INVALID and return 0 in case the certificate is invalid.
*/
-int x509v3_cache_extensions(X509 *x)
+int ossl_x509v3_cache_extensions(X509 *x)
{
BASIC_CONSTRAINTS *bs;
PROXY_CERT_INFO_EXTENSION *pci;
/* .. and the signature alg matches the PUBKEY alg: */
&& check_sig_alg_match(X509_get0_pubkey(x), x) == X509_V_OK)
x->ex_flags |= EXFLAG_SS; /* indicate self-signed */
- /* This is very related to x509_likely_issued(x, x) == X509_V_OK */
+ /* This is very related to ossl_x509_likely_issued(x, x) == X509_V_OK */
}
/* Handle subject alternative names and various other extensions */
}
/* Set x->siginf, ignoring errors due to unsupported algos */
- (void)x509_init_sig_info(x);
+ (void)ossl_x509_init_sig_info(x);
x->ex_flags |= EXFLAG_SET; /* Indicate that cert has been processed */
#ifdef tsan_st_rel
int X509_check_ca(X509 *x)
{
/* Note 0 normally means "not a CA" - but in this case means error. */
- if (!x509v3_cache_extensions(x))
+ if (!ossl_x509v3_cache_extensions(x))
return 0;
return check_ca(x);
{
int ret;
- if ((ret = x509_likely_issued(issuer, subject)) != X509_V_OK)
+ if ((ret = ossl_x509_likely_issued(issuer, subject)) != X509_V_OK)
return ret;
- return x509_signing_allowed(issuer, subject);
+ return ossl_x509_signing_allowed(issuer, subject);
}
-/* Do the checks 1., 2., and 3. as described above for X509_check_issued() */
-int x509_likely_issued(X509 *issuer, X509 *subject)
+/* do the checks 1., 2., and 3. as described above for X509_check_issued() */
+int ossl_x509_likely_issued(X509 *issuer, X509 *subject)
{
int ret;
X509_get_issuer_name(subject)) != 0)
return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
- /* Set issuer->skid and subject->akid */
- if (!x509v3_cache_extensions(issuer)
- || !x509v3_cache_extensions(subject))
+ /* set issuer->skid and subject->akid */
+ if (!ossl_x509v3_cache_extensions(issuer)
+ || !ossl_x509v3_cache_extensions(subject))
return X509_V_ERR_UNSPECIFIED;
ret = X509_check_akid(issuer, subject->akid);
* Returns 0 for OK, or positive for reason for rejection
* where reason codes match those for X509_verify_cert().
*/
-int x509_signing_allowed(const X509 *issuer, const X509 *subject)
+int ossl_x509_signing_allowed(const X509 *issuer, const X509 *subject)
{
if (subject->ex_flags & EXFLAG_PROXY) {
if (ku_reject(issuer, KU_DIGITAL_SIGNATURE))
};
/* No error callback if depth < 0 */
-int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth);
+int ossl_x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth);
/* a sequence of these are used */
struct x509_attributes_st {
typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY;
DEFINE_STACK_OF(STACK_OF_X509_NAME_ENTRY)
-void x509_set_signature_info(X509_SIG_INFO *siginf, const X509_ALGOR *alg,
- const ASN1_STRING *sig);
-int x509_likely_issued(X509 *issuer, X509 *subject);
-int x509_signing_allowed(const X509 *issuer, const X509 *subject);
+int ossl_x509_likely_issued(X509 *issuer, X509 *subject);
+int ossl_x509_signing_allowed(const X509 *issuer, const X509 *subject);
}
/* If certificate matches and is currently valid all OK */
if (ctx->check_issued(ctx, x, obj->data.x509)) {
- if (x509_check_cert_time(ctx, obj->data.x509, -1)) {
+ if (ossl_x509_check_cert_time(ctx, obj->data.x509, -1)) {
*issuer = obj->data.x509;
if (!X509_up_ref(*issuer)) {
*issuer = NULL;
if (ctx->check_issued(ctx, x, pobj->data.x509)) {
ret = 1;
/* If times check fine, exit with match, else keep looking. */
- if (x509_check_cert_time(ctx, pobj->data.x509, -1)) {
+ if (ossl_x509_check_cert_time(ctx, pobj->data.x509, -1)) {
*issuer = pobj->data.x509;
break;
}
return X509_NAME_set(&x->cert_info.subject, name);
}
-int x509_set1_time(ASN1_TIME **ptm, const ASN1_TIME *tm)
+int ossl_x509_set1_time(ASN1_TIME **ptm, const ASN1_TIME *tm)
{
ASN1_TIME *in;
in = *ptm;
{
if (x == NULL)
return 0;
- return x509_set1_time(&x->cert_info.validity.notBefore, tm);
+ return ossl_x509_set1_time(&x->cert_info.validity.notBefore, tm);
}
int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm)
{
if (x == NULL)
return 0;
- return x509_set1_time(&x->cert_info.validity.notAfter, tm);
+ return ossl_x509_set1_time(&x->cert_info.validity.notAfter, tm);
}
int X509_set_pubkey(X509 *x, EVP_PKEY *pkey)
}
/* Returns 1 on success, 0 on failure */
-int x509_init_sig_info(X509 *x)
+int ossl_x509_init_sig_info(X509 *x)
{
return x509_sig_info_init(&x->siginf, &x->sig_alg, &x->signature);
}
/*-
* Return 1 if given cert is considered self-signed, 0 if not, or -1 on error.
* This actually verifies self-signedness only if requested.
- * It calls X509v3_cache_extensions()
+ * It calls ossl_x509v3_cache_extensions()
* to match issuer and subject names (i.e., the cert being self-issued) and any
* present authority key identifier to match the subject key identifier, etc.
*/
ERR_raise(ERR_LIB_X509, X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
return -1;
}
- if (!x509v3_cache_extensions(cert))
+ if (!ossl_x509v3_cache_extensions(cert))
return -1;
if ((cert->ex_flags & EXFLAG_SS) == 0)
return 0;
if (ctx->check_issued(ctx, x, issuer)
&& (((x->ex_flags & EXFLAG_SI) != 0 && sk_X509_num(ctx->chain) == 1)
|| !sk_X509_contains(ctx->chain, issuer))) {
- if (x509_check_cert_time(ctx, issuer, -1))
+ if (ossl_x509_check_cert_time(ctx, issuer, -1))
return issuer;
if (rv == NULL || ASN1_TIME_compare(X509_get0_notAfter(issuer),
X509_get0_notAfter(rv)) > 0)
/* Check that the given certificate 'x' is issued by the certificate 'issuer' */
static int check_issued(ossl_unused X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
{
- int err = x509_likely_issued(issuer, x);
+ int err = ossl_x509_likely_issued(issuer, x);
if (err == X509_V_OK)
return 1;
*
* Return 1 on success, 0 otherwise.
*/
-int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth)
+int ossl_x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth)
{
time_t *ptime;
int i;
* We report the issuer as NULL because all we have is a bare key.
*/
xi = NULL;
- } else if (x509_likely_issued(xi, xi) != X509_V_OK
+ } else if (ossl_x509_likely_issued(xi, xi) != X509_V_OK
/* exceptional case: last cert in the chain is not self-issued */
&& ((ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) == 0)) {
if (n > 0) {
* we are free to ignore any key usage restrictions on such certs.
*/
int ret = xs == xi && (xi->ex_flags & EXFLAG_CA) == 0
- ? X509_V_OK : x509_signing_allowed(xi, xs);
+ ? X509_V_OK : ossl_x509_signing_allowed(xi, xs);
CB_FAIL_IF(ret != X509_V_OK, ctx, xi, issuer_depth, ret);
if ((pkey = X509_get0_pubkey(xi)) == NULL) {
/* in addition to RFC 5280, do also for trusted (root) cert */
/* Calls verify callback as needed */
- if (!x509_check_cert_time(ctx, xs, n))
+ if (!ossl_x509_check_cert_time(ctx, xs, n))
return 0;
/*
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
case X509_V_ERR_CERT_HAS_EXPIRED:
- return 0; /* Callback already issued by x509_check_cert_time() */
+ return 0; /* Callback already issued by ossl_x509_check_cert_time() */
default: /* A preliminary error has become final */
return verify_cb_cert(ctx, NULL, num - 1, ctx->error);
case X509_V_OK:
{
if (x == NULL)
return 0;
- return x509_set1_time(&x->crl.lastUpdate, tm);
+ return ossl_x509_set1_time(&x->crl.lastUpdate, tm);
}
int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm)
{
if (x == NULL)
return 0;
- return x509_set1_time(&x->crl.nextUpdate, tm);
+ return ossl_x509_set1_time(&x->crl.nextUpdate, tm);
}
int X509_CRL_sort(X509_CRL *c)
{
X509_CRL *old = exarg;
- if (!x509_crl_set0_libctx(crl, old->libctx, old->propq))
+ if (!ossl_x509_crl_set0_libctx(crl, old->libctx, old->propq))
return 0;
}
break;
return crl->meth_data;
}
-int x509_crl_set0_libctx(X509_CRL *x, OSSL_LIB_CTX *libctx, const char *propq)
+int ossl_x509_crl_set0_libctx(X509_CRL *x, OSSL_LIB_CTX *libctx,
+ const char *propq)
{
if (x != NULL) {
x->libctx = libctx;
}
/* For the algorithm specific d2i functions further down */
-EVP_PKEY *d2i_PUBKEY_legacy(EVP_PKEY **a,
- const unsigned char **pp, long length)
+EVP_PKEY *ossl_d2i_PUBKEY_legacy(EVP_PKEY **a,
+ const unsigned char **pp, long length)
{
return d2i_PUBKEY_int(a, pp, length, NULL, NULL, 1, d2i_X509_PUBKEY);
}
const unsigned char *q;
q = *pp;
- pkey = d2i_PUBKEY_legacy(NULL, &q, length);
+ pkey = ossl_d2i_PUBKEY_legacy(NULL, &q, length);
if (pkey == NULL)
return NULL;
key = EVP_PKEY_get1_RSA(pkey);
const unsigned char *q;
q = *pp;
- pkey = d2i_PUBKEY_legacy(NULL, &q, length);
+ pkey = ossl_d2i_PUBKEY_legacy(NULL, &q, length);
if (pkey == NULL)
return NULL;
key = EVP_PKEY_get1_DSA(pkey);
const unsigned char *q;
q = *pp;
- pkey = d2i_PUBKEY_legacy(NULL, &q, length);
+ pkey = ossl_d2i_PUBKEY_legacy(NULL, &q, length);
if (pkey == NULL)
return NULL;
key = EVP_PKEY_get1_EC_KEY(pkey);
return EVP_PKEY_eq(pA, pB);
}
-int X509_PUBKEY_get0_libctx(OSSL_LIB_CTX **plibctx, const char **ppropq,
- const X509_PUBKEY *key)
+int ossl_x509_PUBKEY_get0_libctx(OSSL_LIB_CTX **plibctx, const char **ppropq,
+ const X509_PUBKEY *key)
{
if (plibctx)
*plibctx = key->libctx;
{
X509 *old = exarg;
- if (!x509_set0_libctx(ret, old->libctx, old->propq))
+ if (!ossl_x509_set0_libctx(ret, old->libctx, old->propq))
return 0;
}
break;
cert = (X509 *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, (X509_it()));
/* Only cache the extensions if the cert object was passed in */
if (cert != NULL && a != NULL) {
- if (!x509v3_cache_extensions(cert)) {
+ if (!ossl_x509v3_cache_extensions(cert)) {
if (free_on_error)
X509_free(cert);
cert = NULL;
* asn1 object and it needs a libctx to operate.
* Use X509_new_ex() instead if possible.
*/
-int x509_set0_libctx(X509 *x, OSSL_LIB_CTX *libctx, const char *propq)
+int ossl_x509_set0_libctx(X509 *x, OSSL_LIB_CTX *libctx, const char *propq)
{
if (x != NULL) {
x->libctx = libctx;
X509 *cert = NULL;
cert = (X509 *)ASN1_item_new((X509_it()));
- if (!x509_set0_libctx(cert, libctx, propq)) {
+ if (!ossl_x509_set0_libctx(cert, libctx, propq)) {
X509_free(cert);
cert = NULL;
}
};
int ossl_a2i_ipadd(unsigned char *ipout, const char *ipasc);
-int x509_set1_time(ASN1_TIME **ptm, const ASN1_TIME *tm);
-int x509_print_ex_brief(BIO *bio, X509 *cert, unsigned long neg_cflags);
-int x509v3_cache_extensions(X509 *x);
-int x509_init_sig_info(X509 *x);
-int x509_check_issued_int(X509 *issuer, X509 *subject, OSSL_LIB_CTX *libctx,
- const char *propq);
-
-int x509_set0_libctx(X509 *x, OSSL_LIB_CTX *libctx, const char *propq);
-int x509_crl_set0_libctx(X509_CRL *x, OSSL_LIB_CTX *libctx, const char *propq);
-int x509_init_sig_info(X509 *x);
-int ossl_asn1_item_digest_ex(const ASN1_ITEM *it, const EVP_MD *type, void *data,
- unsigned char *md, unsigned int *len,
+int ossl_x509_set1_time(ASN1_TIME **ptm, const ASN1_TIME *tm);
+int ossl_x509_print_ex_brief(BIO *bio, X509 *cert, unsigned long neg_cflags);
+int ossl_x509v3_cache_extensions(X509 *x);
+int ossl_x509_init_sig_info(X509 *x);
+
+int ossl_x509_set0_libctx(X509 *x, OSSL_LIB_CTX *libctx, const char *propq);
+int ossl_x509_crl_set0_libctx(X509_CRL *x, OSSL_LIB_CTX *libctx,
+ const char *propq);
+int ossl_asn1_item_digest_ex(const ASN1_ITEM *it, const EVP_MD *type,
+ void *data, unsigned char *md, unsigned int *len,
OSSL_LIB_CTX *libctx, const char *propq);
int ossl_x509_add_cert_new(STACK_OF(X509) **sk, X509 *cert, int flags);
int ossl_x509_add_certs_new(STACK_OF(X509) **p_sk, STACK_OF(X509) *certs,
int flags);
-int X509_PUBKEY_get0_libctx(OSSL_LIB_CTX **plibctx, const char **ppropq,
- const X509_PUBKEY *key);
+int ossl_x509_PUBKEY_get0_libctx(OSSL_LIB_CTX **plibctx, const char **ppropq,
+ const X509_PUBKEY *key);
/* Calculate default key identifier according to RFC 5280 section 4.2.1.2 (1) */
ASN1_OCTET_STRING *ossl_x509_pubkey_hash(X509_PUBKEY *pubkey);
/* A variant of d2i_PUBKEY() that is guaranteed to only return legacy keys */
-EVP_PKEY *d2i_PUBKEY_legacy(EVP_PKEY **a,
- const unsigned char **in, long length);
+EVP_PKEY *ossl_d2i_PUBKEY_legacy(EVP_PKEY **a,
+ const unsigned char **in, long length);
#endif
&& (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
RESET_ERR_MARK();
derp = der;
- pkey = d2i_PUBKEY_legacy(NULL, &derp, der_len);
+ pkey = ossl_d2i_PUBKEY_legacy(NULL, &derp, der_len);
}
if (pkey != NULL) {