*Ryan Hooper*
+ * Constify Various X509 functions:
+ X509_get_pathlen X509_check_ca X509_check_purpose X509_get_proxy_pathlen
+ X509_get_extension_flags X509_get_key_usage X509_get_extended_key_usage
+ X509_get0_subject_key_id X509_get0_authority_key_id X509_get0_authority_issuer
+ X509_get0_authority_serial.
+
+ * Bob Beck *
+
* Fixed CRLs with invalid `ASN1_TIME` in invalidityDate extensions,
where verification incorrectly succeeded. Enforced proper
handling of `ASN1_TIME` validation results so that any CRL
return (*a)->purpose - (*b)->purpose;
}
-/*
- * As much as I'd like to make X509_check_purpose use a "const" X509* I really
- * can't because it does recalculate hashes and do other non-const things.
- * If id == -1 it just calls x509v3_cache_extensions() for its side-effect.
- * Returns 1 on success, 0 if x does not allow purpose, -1 on (internal) error.
- */
int X509_check_purpose(const X509 *x, int id, int non_leaf)
{
int idx;
* x->sha1_hash is filled in, or else EXFLAG_NO_FINGERPRINT is set in x->flags.
* X509_SIG_INFO_VALID is set in x->flags if x->siginf was filled successfully.
* Set EXFLAG_INVALID and return 0 in case the certificate is invalid.
+ *
+ * This is usually called by side-effect on objects, and forces us to keep
+ * mutable X509 objects around. We should really make this go away.
+ * In the interest of being able to do so, this function explicitly takes
+ * a const argument and casts away const.
*/
-int ossl_x509v3_cache_extensions(X509 *x)
+int ossl_x509v3_cache_extensions(const X509 *const_x)
{
BASIC_CONSTRAINTS *bs;
PROXY_CERT_INFO_EXTENSION *pci;
EXTENDED_KEY_USAGE *extusage;
int i;
int res;
+ X509 *x;
+
+ /*
+ * XXX deliberately cast away const - this is so the
+ * public API may be made const even though we are lying
+ * about it for the moment. This will enable us
+ * to move to where we do not have to cast this away
+ * in the future
+ */
+ x = (X509 *)const_x;
#ifdef tsan_ld_acq
/* Fast lock-free check, see end of the function for details. */
x->ex_pcpathlen = l;
}
-int X509_check_ca(X509 *x)
+int X509_check_ca(const X509 *x)
{
/* Note 0 normally means "not a CA" - but in this case means error. */
if (!ossl_x509v3_cache_extensions(x))
return X509_V_OK;
}
-uint32_t X509_get_extension_flags(X509 *x)
+uint32_t X509_get_extension_flags(const X509 *x)
{
/* Call for side-effect of computing hash and caching extensions */
X509_check_purpose(x, -1, 0);
return x->ex_flags;
}
-uint32_t X509_get_key_usage(X509 *x)
+uint32_t X509_get_key_usage(const X509 *x)
{
/* Call for side-effect of computing hash and caching extensions */
if (X509_check_purpose(x, -1, 0) != 1)
return (x->ex_flags & EXFLAG_KUSAGE) != 0 ? x->ex_kusage : UINT32_MAX;
}
-uint32_t X509_get_extended_key_usage(X509 *x)
+uint32_t X509_get_extended_key_usage(const X509 *x)
{
/* Call for side-effect of computing hash and caching extensions */
if (X509_check_purpose(x, -1, 0) != 1)
return (x->ex_flags & EXFLAG_XKUSAGE) != 0 ? x->ex_xkusage : UINT32_MAX;
}
-const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x)
+const ASN1_OCTET_STRING *X509_get0_subject_key_id(const X509 *x)
{
/* Call for side-effect of computing hash and caching extensions */
if (X509_check_purpose(x, -1, 0) != 1)
return x->skid;
}
-const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x)
+const ASN1_OCTET_STRING *X509_get0_authority_key_id(const X509 *x)
{
/* Call for side-effect of computing hash and caching extensions */
if (X509_check_purpose(x, -1, 0) != 1)
return (x->akid != NULL ? x->akid->keyid : NULL);
}
-const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x)
+const GENERAL_NAMES *X509_get0_authority_issuer(const X509 *x)
{
/* Call for side-effect of computing hash and caching extensions */
if (X509_check_purpose(x, -1, 0) != 1)
return (x->akid != NULL ? x->akid->issuer : NULL);
}
-const ASN1_INTEGER *X509_get0_authority_serial(X509 *x)
+const ASN1_INTEGER *X509_get0_authority_serial(const X509 *x)
{
/* Call for side-effect of computing hash and caching extensions */
if (X509_check_purpose(x, -1, 0) != 1)
return (x->akid != NULL ? x->akid->serial : NULL);
}
-long X509_get_pathlen(X509 *x)
+long X509_get_pathlen(const X509 *x)
{
/* Called for side effect of caching extensions */
if (X509_check_purpose(x, -1, 0) != 1
return x->ex_pathlen;
}
-long X509_get_proxy_pathlen(X509 *x)
+long X509_get_proxy_pathlen(const X509 *x)
{
/* Called for side effect of caching extensions */
if (X509_check_purpose(x, -1, 0) != 1
#include <openssl/x509v3.h>
- int X509_check_ca(X509 *cert);
+ int X509_check_ca(const X509 *cert);
=head1 DESCRIPTION
#include <openssl/x509v3.h>
- long X509_get_pathlen(X509 *x);
- uint32_t X509_get_extension_flags(X509 *x);
- uint32_t X509_get_key_usage(X509 *x);
- uint32_t X509_get_extended_key_usage(X509 *x);
- const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x);
- const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x);
- const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x);
- const ASN1_INTEGER *X509_get0_authority_serial(X509 *x);
+ long X509_get_pathlen(const X509 *x);
+ uint32_t X509_get_extension_flags(const X509 *x);
+ uint32_t X509_get_key_usage(const X509 *x);
+ uint32_t X509_get_extended_key_usage(const X509 *x);
+ const ASN1_OCTET_STRING *X509_get0_subject_key_id(const X509 *x);
+ const ASN1_OCTET_STRING *X509_get0_authority_key_id(const X509 *x);
+ const GENERAL_NAMES *X509_get0_authority_issuer(const X509 *x);
+ const ASN1_INTEGER *X509_get0_authority_serial(const X509 *x);
void X509_set_proxy_flag(X509 *x);
void X509_set_proxy_pathlen(int l);
- long X509_get_proxy_pathlen(X509 *x);
+ long X509_get_proxy_pathlen(const X509 *x);
=head1 DESCRIPTION
int ossl_a2i_ipadd(unsigned char *ipout, const char *ipasc);
int ossl_x509_set1_time(int *modified, ASN1_TIME **ptm, const ASN1_TIME *tm);
int ossl_x509_print_ex_brief(BIO *bio, X509 *cert, unsigned long neg_cflags);
-int ossl_x509v3_cache_extensions(X509 *x);
+int ossl_x509v3_cache_extensions(const X509 *x);
int ossl_x509_init_sig_info(X509 *x);
int ossl_x509_set0_libctx(X509 *x, OSSL_LIB_CTX *libctx, const char *propq);
EVP_PKEY *X509_PUBKEY_get0(const X509_PUBKEY *key);
EVP_PKEY *X509_PUBKEY_get(const X509_PUBKEY *key);
int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain);
-long X509_get_pathlen(X509 *x);
+long X509_get_pathlen(const X509 *x);
DECLARE_ASN1_ENCODE_FUNCTIONS_only(EVP_PKEY, PUBKEY)
EVP_PKEY *d2i_PUBKEY_ex(EVP_PKEY **a, const unsigned char **pp, long length,
OSSL_LIB_CTX *libctx, const char *propq);
const STACK_OF(X509_EXTENSION) *exts,
unsigned long flag, int indent);
-int X509_check_ca(X509 *x);
+int X509_check_ca(const X509 *x);
int X509_check_purpose(const X509 *x, int id, int ca);
int X509_supported_extension(X509_EXTENSION *ex);
int X509_check_issued(X509 *issuer, X509 *subject);
int X509_check_akid(const X509 *issuer, const AUTHORITY_KEYID *akid);
void X509_set_proxy_flag(X509 *x);
void X509_set_proxy_pathlen(X509 *x, long l);
-long X509_get_proxy_pathlen(X509 *x);
-
-uint32_t X509_get_extension_flags(X509 *x);
-uint32_t X509_get_key_usage(X509 *x);
-uint32_t X509_get_extended_key_usage(X509 *x);
-const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x);
-const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x);
-const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x);
-const ASN1_INTEGER *X509_get0_authority_serial(X509 *x);
+long X509_get_proxy_pathlen(const X509 *x);
+
+uint32_t X509_get_extension_flags(const X509 *x);
+uint32_t X509_get_key_usage(const X509 *x);
+uint32_t X509_get_extended_key_usage(const X509 *x);
+const ASN1_OCTET_STRING *X509_get0_subject_key_id(const X509 *x);
+const ASN1_OCTET_STRING *X509_get0_authority_key_id(const X509 *x);
+const GENERAL_NAMES *X509_get0_authority_issuer(const X509 *x);
+const ASN1_INTEGER *X509_get0_authority_serial(const X509 *x);
int X509_PURPOSE_get_count(void);
int X509_PURPOSE_get_unused_id(OSSL_LIB_CTX *libctx);
projects / thirdparty / openssl.git / commitdiff
