UI_R_USER_DATA_DUPLICATION_UNSUPPORTED:112:user data duplication unsupported
X509V3_R_BAD_IP_ADDRESS:118:bad ip address
X509V3_R_BAD_OBJECT:119:bad object
+X509V3_R_BAD_OPTION:170:bad option
+X509V3_R_BAD_VALUE:171:bad value
X509V3_R_BN_DEC2BN_ERROR:100:bn dec2bn error
X509V3_R_BN_TO_ASN1_INTEGER_ERROR:101:bn to asn1 integer error
X509V3_R_DIRNAME_ERROR:149:dirname error
X509V3_R_UNKNOWN_EXTENSION:129:unknown extension
X509V3_R_UNKNOWN_EXTENSION_NAME:130:unknown extension name
X509V3_R_UNKNOWN_OPTION:120:unknown option
+X509V3_R_UNKNOWN_VALUE:172:unknown value
X509V3_R_UNSUPPORTED_OPTION:117:unsupported option
X509V3_R_UNSUPPORTED_TYPE:167:unsupported type
X509V3_R_USER_TOO_LONG:132:user too long
}
/*-
- * Currently two options:
- * keyid: use the issuers subject keyid, the value 'always' means its is
- * an error if the issuer certificate doesn't have a key id.
- * issuer: use the issuers cert issuer and serial number. The default is
- * to only use this if keyid is not present. With the option 'always'
+ * Three explicit tags may be given, where 'keyid' and 'issuer' may be combined:
+ * 'none': do not add any authority key identifier.
+ * 'keyid': use the issuer's subject keyid; the option 'always' means its is
+ * an error if the issuer certificate doesn't have a subject key id.
+ * 'issuer': use the issuer's cert issuer and serial number. The default is
+ * to only use this if 'keyid' is not present. With the option 'always'
* this is always included.
*/
-
static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
X509V3_CTX *ctx,
STACK_OF(CONF_VALUE) *values)
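Review bot: The rewritten 'keyid' line of the comment carries over the old typo "its is", so the new text reads "the option 'always' means its is an error"; it should be `'keyid': use the issuer's subject keyid; the option 'always' means it is`. Since the comment now introduces 'none' as a third tag but only says that 'keyid' and 'issuer' may be combined, it should also state the rule for 'none' explicitly; the loop in the next hunk rejects any 'none' that reaches it next to other tags, so a line such as `'none' must be the only tag given; it cannot be combined with 'keyid' or 'issuer'.` would make the contract clear. Whether a lone 'none' is handled before that loop is not visible here and is worth confirming against the full function.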
for (i = 0; i < n; i++) {
cnf = sk_CONF_VALUE_value(values, i);
- if (strcmp(cnf->name, "keyid") == 0) {
+ if (cnf->value != NULL && strcmp(cnf->value, "always") != 0) {
+ ERR_raise_data(ERR_LIB_X509V3, X509V3_R_UNKNOWN_OPTION,
+ "name=%s option=%s", cnf->name, cnf->value);
+ goto err;
+ }
+ if (strcmp(cnf->name, "keyid") == 0 && keyid == 0) {
keyid = 1;
- if (cnf->value && strcmp(cnf->value, "always") == 0)
+ if (cnf->value != NULL)
keyid = 2;
- } else if (strcmp(cnf->name, "issuer") == 0) {
+ } else if (strcmp(cnf->name, "issuer") == 0 && issuer == 0) {
issuer = 1;
- if (cnf->value && strcmp(cnf->value, "always") == 0)
+ if (cnf->value != NULL)
issuer = 2;
+ } else if (strcmp(cnf->name, "none") == 0
+ || strcmp(cnf->name, "keyid") == 0
+ || strcmp(cnf->name, "issuer") == 0) {
+ ERR_raise_data(ERR_LIB_X509V3, X509V3_R_BAD_VALUE,
+ "name=%s", cnf->name);
+ goto err;
} else {
- ERR_raise_data(ERR_LIB_X509V3, X509V3_R_UNKNOWN_OPTION,
+ ERR_raise_data(ERR_LIB_X509V3, X509V3_R_UNKNOWN_VALUE,
"name=%s", cnf->name);
goto err;
}
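Review bot: The X509V3_R_BAD_VALUE branch reports only `name=%s`, yet it covers three distinct mistakes — a repeated `keyid`, a repeated `issuer`, and `none` given together with other tags — so a config of `keyid, keyid` yields "bad value name=keyid", which reads as if the value were malformed rather than the tag repeated. A comment above that branch would make the intent obvious to the next reader, e.g. `/* 'none' must be the only tag; 'keyid' and 'issuer' may each appear at most once */`, and the error data could name the case, e.g. `"name=%s (duplicate tag, or combined with 'none')", cnf->name`. Note that `none` on its own also falls into this branch, so it presumably is short-circuited before the loop; that code is not in this hunk and should be confirmed. The enclosing v2i_AUTHORITY_KEYID body starts before and ends after this hunk.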
static const ERR_STRING_DATA X509V3_str_reasons[] = {
{ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BAD_IP_ADDRESS), "bad ip address"},
{ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BAD_OBJECT), "bad object"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BAD_OPTION), "bad option"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BAD_VALUE), "bad value"},
{ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BN_DEC2BN_ERROR), "bn dec2bn error"},
{ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BN_TO_ASN1_INTEGER_ERROR),
"bn to asn1 integer error"},
{ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNKNOWN_EXTENSION_NAME),
"unknown extension name"},
{ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNKNOWN_OPTION), "unknown option"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNKNOWN_VALUE), "unknown value"},
{ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNSUPPORTED_OPTION),
"unsupported option"},
{ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNSUPPORTED_TYPE),
Either or both can have the option B<always>,
indicated by putting a colon C<:> between the value and this option.
For self-signed certificates the AKID is suppressed unless B<always> is present.
-By default the B<x509>, B<req>, and B<ca> apps behave as if
-"none" was given for self-signed certificates and "keyid, issuer" otherwise.
+By default the B<x509>, B<req>, and B<ca> apps behave as if B<none> was given
+for self-signed certificates and B<keyid>C<,> B<issuer> otherwise.
If B<keyid> is present, an attempt is made to
copy the subject key identifier (SKID) from the issuer certificate except if
*/
# define X509V3_R_BAD_IP_ADDRESS 118
# define X509V3_R_BAD_OBJECT 119
+# define X509V3_R_BAD_OPTION 170
+# define X509V3_R_BAD_VALUE 171
# define X509V3_R_BN_DEC2BN_ERROR 100
# define X509V3_R_BN_TO_ASN1_INTEGER_ERROR 101
# define X509V3_R_DIRNAME_ERROR 149
# define X509V3_R_UNKNOWN_EXTENSION 129
# define X509V3_R_UNKNOWN_EXTENSION_NAME 130
# define X509V3_R_UNKNOWN_OPTION 120
+# define X509V3_R_UNKNOWN_VALUE 172
# define X509V3_R_UNSUPPORTED_OPTION 117
# define X509V3_R_UNSUPPORTED_TYPE 167
# define X509V3_R_USER_TOO_LONG 132