2 * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/conf.h>
13 #include <openssl/asn1.h>
14 #include <openssl/asn1t.h>
15 #include <openssl/x509v3.h>
/*
 * Instantiate the typed stack wrappers (sk_CONF_VALUE_* and
 * sk_GENERAL_NAME_*) that the callbacks below rely on.
 */
DEFINE_STACK_OF(CONF_VALUE)
DEFINE_STACK_OF(GENERAL_NAME)
/*
 * Print (i2v) and configuration-parse (v2i) callbacks for the
 * authorityKeyIdentifier extension; both are registered in v3_akey_id.
 */
static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
                                                 AUTHORITY_KEYID *akeyid,
                                                 STACK_OF(CONF_VALUE) *extlist);
static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
                                            X509V3_CTX *ctx,
                                            STACK_OF(CONF_VALUE) *values);
/*
 * Extension method table for authorityKeyIdentifier.
 *
 * Encoding and decoding go through the ASN1_ITEM, so only the multi-valued
 * print (i2v) and config-parse (v2i) hooks are set; every other slot keeps
 * its zero default.  X509V3_EXT_MULTILINE makes the printer emit one
 * name/value pair per line.
 */
const X509V3_EXT_METHOD v3_akey_id = {
    .ext_nid = NID_authority_key_identifier,
    .ext_flags = X509V3_EXT_MULTILINE,
    .it = ASN1_ITEM_ref(AUTHORITY_KEYID),
    .i2v = (X509V3_EXT_I2V)i2v_AUTHORITY_KEYID,
    .v2i = (X509V3_EXT_V2I)v2i_AUTHORITY_KEYID,
};
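/*
 * Render a decoded authorityKeyIdentifier as CONF_VALUE name/value pairs for
 * printing: "keyid" (hex), the issuer GENERAL_NAMES, and "serial" (hex).
 *
 * method:  unused; present to satisfy the X509V3_EXT_I2V signature.
 * akeyid:  the decoded extension; keyid, issuer and serial are each optional.
 * extlist: list to append to, or NULL to have one allocated.
 *
 * Returns the list (newly allocated when extlist was NULL) or NULL on error.
 * On error a caller-supplied list is left intact and still owned by the
 * caller; a list allocated here is freed before returning NULL.
 *
 * Every append is checked: a failed X509V3_add_value or i2v_GENERAL_NAMES
 * must not be ignored, or the returned list silently lacks a component
 * (and a list created here would leak).
 */
static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
                                                 AUTHORITY_KEYID *akeyid,
                                                 STACK_OF(CONF_VALUE) *extlist)
{
    char *tmp = NULL;
    STACK_OF(CONF_VALUE) *origextlist = extlist;
    STACK_OF(CONF_VALUE) *tmpextlist;

    if (akeyid->keyid != NULL) {
        tmp = OPENSSL_buf2hexstr(akeyid->keyid->data, akeyid->keyid->length);
        if (tmp == NULL) {
            ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
            goto err;
        }
        /*
         * The entry is unnamed when keyid is the only component; that is the
         * historic print format and must be preserved.  X509V3_add_value
         * copies tmp, so it is released right after the push.
         */
        if (!X509V3_add_value((akeyid->issuer || akeyid->serial) ? "keyid" : NULL,
                              tmp, &extlist))
            goto err;
        OPENSSL_free(tmp);
        tmp = NULL;
    }
    if (akeyid->issuer != NULL) {
        /*
         * NOTE(review): assumes i2v_GENERAL_NAMES leaves a caller-supplied
         * list intact when it returns NULL - confirm against its definition.
         */
        tmpextlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);
        if (tmpextlist == NULL)
            goto err;
        extlist = tmpextlist;
    }
    if (akeyid->serial != NULL) {
        tmp = OPENSSL_buf2hexstr(akeyid->serial->data, akeyid->serial->length);
        if (tmp == NULL) {
            ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
            goto err;
        }
        if (!X509V3_add_value("serial", tmp, &extlist))
            goto err;
        OPENSSL_free(tmp);
        tmp = NULL;
    }
    return extlist;

 err:
    OPENSSL_free(tmp);
    /* Only a list allocated in this call is ours to free. */
    if (origextlist == NULL)
        sk_CONF_VALUE_pop_free(extlist, X509V3_conf_free);
    return NULL;
}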
/*
 * Currently two options:
 * keyid: use the issuer's subject key identifier; the value 'always' means
 * it is an error if the issuer certificate doesn't have a key id.
 * issuer: use the issuer cert's issuer name and serial number. The default is
 * to only use this if keyid is not present. With the option 'always'
 * this is always included.
 */
79 static AUTHORITY_KEYID
*v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD
*method
,
81 STACK_OF(CONF_VALUE
) *values
)
83 char keyid
= 0, issuer
= 0;
86 ASN1_OCTET_STRING
*ikeyid
= NULL
;
87 X509_NAME
*isname
= NULL
;
88 GENERAL_NAMES
*gens
= NULL
;
89 GENERAL_NAME
*gen
= NULL
;
90 ASN1_INTEGER
*serial
= NULL
;
93 AUTHORITY_KEYID
*akeyid
;
95 for (i
= 0; i
< sk_CONF_VALUE_num(values
); i
++) {
96 cnf
= sk_CONF_VALUE_value(values
, i
);
97 if (strcmp(cnf
->name
, "keyid") == 0) {
99 if (cnf
->value
&& strcmp(cnf
->value
, "always") == 0)
101 } else if (strcmp(cnf
->name
, "issuer") == 0) {
103 if (cnf
->value
&& strcmp(cnf
->value
, "always") == 0)
106 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID
, X509V3_R_UNKNOWN_OPTION
);
107 ERR_add_error_data(2, "name=", cnf
->name
);
112 if (!ctx
|| !ctx
->issuer_cert
) {
113 if (ctx
&& (ctx
->flags
== CTX_TEST
))
114 return AUTHORITY_KEYID_new();
115 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID
,
116 X509V3_R_NO_ISSUER_CERTIFICATE
);
120 cert
= ctx
->issuer_cert
;
123 i
= X509_get_ext_by_NID(cert
, NID_subject_key_identifier
, -1);
124 if ((i
>= 0) && (ext
= X509_get_ext(cert
, i
)))
125 ikeyid
= X509V3_EXT_d2i(ext
);
126 if (keyid
== 2 && !ikeyid
) {
127 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID
,
128 X509V3_R_UNABLE_TO_GET_ISSUER_KEYID
);
133 if ((issuer
&& !ikeyid
) || (issuer
== 2)) {
134 isname
= X509_NAME_dup(X509_get_issuer_name(cert
));
135 serial
= ASN1_INTEGER_dup(X509_get_serialNumber(cert
));
136 if (!isname
|| !serial
) {
137 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID
,
138 X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS
);
143 if ((akeyid
= AUTHORITY_KEYID_new()) == NULL
)
147 if ((gens
= sk_GENERAL_NAME_new_null()) == NULL
148 || (gen
= GENERAL_NAME_new()) == NULL
149 || !sk_GENERAL_NAME_push(gens
, gen
)) {
150 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID
, ERR_R_MALLOC_FAILURE
);
153 gen
->type
= GEN_DIRNAME
;
154 gen
->d
.dirn
= isname
;
157 akeyid
->issuer
= gens
;
160 akeyid
->serial
= serial
;
161 akeyid
->keyid
= ikeyid
;
166 sk_GENERAL_NAME_free(gens
);
167 GENERAL_NAME_free(gen
);
168 X509_NAME_free(isname
);
169 ASN1_INTEGER_free(serial
);
170 ASN1_OCTET_STRING_free(ikeyid
);