
19 static int check_ssl_ca(const X509 *x);
20 static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
22 static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,
24 static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x,
26 static int purpose_smime(const X509 *x, int require_ca);
27 static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x,
29 static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x,
31 static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x,
33 static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
35 static int no_check_purpose(const X509_PURPOSE *xp, const X509 *x,
37 static int check_purpose_ocsp_helper(const X509_PURPOSE *xp, const X509 *x,
81 int X509_check_purpose(X509 *x, int id, int require_ca) in X509_check_purpose() argument
86 if (!ossl_x509v3_cache_extensions(x)) in X509_check_purpose()
95 return pt->check_purpose(pt, x, require_ca); in X509_check_purpose()
307 static int setup_dp(const X509 *x, DIST_POINT *dp) in setup_dp() argument
344 iname = X509_get_issuer_name(x); in setup_dp()
349 static int setup_crldp(X509 *x) in setup_crldp() argument
353 x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, &i, NULL); in setup_crldp()
354 if (x->crldp == NULL && i != -1) in setup_crldp()
357 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) { in setup_crldp()
358 int res = setup_dp(x, sk_DIST_POINT_value(x->crldp, i)); in setup_crldp()
383 #define ku_reject(x, usage) \ argument
384 (((x)->ex_flags & EXFLAG_KUSAGE) != 0 && ((x)->ex_kusage & (usage)) == 0)
385 #define xku_reject(x, usage) \ argument
386 (((x)->ex_flags & EXFLAG_XKUSAGE) != 0 && ((x)->ex_xkusage & (usage)) == 0)
387 #define ns_reject(x, usage) \ argument
388 (((x)->ex_flags & EXFLAG_NSCERT) != 0 && ((x)->ex_nscert & (usage)) == 0)
397 int ossl_x509v3_cache_extensions(X509 *x) in ossl_x509v3_cache_extensions() argument
409 if (tsan_ld_acq((TSAN_QUALIFIER int *)&x->ex_cached)) in ossl_x509v3_cache_extensions()
410 return (x->ex_flags & EXFLAG_INVALID) == 0; in ossl_x509v3_cache_extensions()
413 if (!CRYPTO_THREAD_write_lock(x->lock)) in ossl_x509v3_cache_extensions()
415 if (x->ex_flags & EXFLAG_SET) { /* Cert has already been processed */ in ossl_x509v3_cache_extensions()
416 CRYPTO_THREAD_unlock(x->lock); in ossl_x509v3_cache_extensions()
417 return (x->ex_flags & EXFLAG_INVALID) == 0; in ossl_x509v3_cache_extensions()
421 if (!X509_digest(x, EVP_sha1(), x->sha1_hash, NULL)) in ossl_x509v3_cache_extensions()
422 x->ex_flags |= EXFLAG_NO_FINGERPRINT; in ossl_x509v3_cache_extensions()
427 if (X509_get_version(x) == X509_VERSION_1) in ossl_x509v3_cache_extensions()
428 x->ex_flags |= EXFLAG_V1; in ossl_x509v3_cache_extensions()
431 x->ex_pathlen = -1; in ossl_x509v3_cache_extensions()
432 if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, &i, NULL)) != NULL) { in ossl_x509v3_cache_extensions()
434 x->ex_flags |= EXFLAG_CA; in ossl_x509v3_cache_extensions()
442 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
444 x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen); in ossl_x509v3_cache_extensions()
448 x->ex_flags |= EXFLAG_BCONS; in ossl_x509v3_cache_extensions()
450 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
454 if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, &i, NULL)) != NULL) { in ossl_x509v3_cache_extensions()
455 if (x->ex_flags & EXFLAG_CA in ossl_x509v3_cache_extensions()
456 || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 in ossl_x509v3_cache_extensions()
457 || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) { in ossl_x509v3_cache_extensions()
458 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
461 x->ex_pcpathlen = ASN1_INTEGER_get(pci->pcPathLengthConstraint); in ossl_x509v3_cache_extensions()
463 x->ex_pcpathlen = -1; in ossl_x509v3_cache_extensions()
465 x->ex_flags |= EXFLAG_PROXY; in ossl_x509v3_cache_extensions()
467 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
471 if ((usage = X509_get_ext_d2i(x, NID_key_usage, &i, NULL)) != NULL) { in ossl_x509v3_cache_extensions()
472 x->ex_kusage = 0; in ossl_x509v3_cache_extensions()
474 x->ex_kusage = usage->data[0]; in ossl_x509v3_cache_extensions()
476 x->ex_kusage |= usage->data[1] << 8; in ossl_x509v3_cache_extensions()
478 x->ex_flags |= EXFLAG_KUSAGE; in ossl_x509v3_cache_extensions()
481 if (x->ex_kusage == 0) { in ossl_x509v3_cache_extensions()
483 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
486 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
490 x->ex_xkusage = 0; in ossl_x509v3_cache_extensions()
491 if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, &i, NULL)) != NULL) { in ossl_x509v3_cache_extensions()
492 x->ex_flags |= EXFLAG_XKUSAGE; in ossl_x509v3_cache_extensions()
496 x->ex_xkusage |= XKU_SSL_SERVER; in ossl_x509v3_cache_extensions()
499 x->ex_xkusage |= XKU_SSL_CLIENT; in ossl_x509v3_cache_extensions()
502 x->ex_xkusage |= XKU_SMIME; in ossl_x509v3_cache_extensions()
505 x->ex_xkusage |= XKU_CODE_SIGN; in ossl_x509v3_cache_extensions()
509 x->ex_xkusage |= XKU_SGC; in ossl_x509v3_cache_extensions()
512 x->ex_xkusage |= XKU_OCSP_SIGN; in ossl_x509v3_cache_extensions()
515 x->ex_xkusage |= XKU_TIMESTAMP; in ossl_x509v3_cache_extensions()
518 x->ex_xkusage |= XKU_DVCS; in ossl_x509v3_cache_extensions()
521 x->ex_xkusage |= XKU_ANYEKU; in ossl_x509v3_cache_extensions()
530 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
534 if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, &i, NULL)) != NULL) { in ossl_x509v3_cache_extensions()
536 x->ex_nscert = ns->data[0]; in ossl_x509v3_cache_extensions()
538 x->ex_nscert = 0; in ossl_x509v3_cache_extensions()
539 x->ex_flags |= EXFLAG_NSCERT; in ossl_x509v3_cache_extensions()
542 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
546 x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, &i, NULL); in ossl_x509v3_cache_extensions()
547 if (x->skid == NULL && i != -1) in ossl_x509v3_cache_extensions()
548 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
550 x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, &i, NULL); in ossl_x509v3_cache_extensions()
551 if (x->akid == NULL && i != -1) in ossl_x509v3_cache_extensions()
552 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
555 if (X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)) == 0) { in ossl_x509v3_cache_extensions()
556 x->ex_flags |= EXFLAG_SI; /* Cert is self-issued */ in ossl_x509v3_cache_extensions()
557 if (X509_check_akid(x, x->akid) == X509_V_OK /* SKID matches AKID */ in ossl_x509v3_cache_extensions()
559 && check_sig_alg_match(X509_get0_pubkey(x), x) == X509_V_OK) in ossl_x509v3_cache_extensions()
560 x->ex_flags |= EXFLAG_SS; /* indicate self-signed */ in ossl_x509v3_cache_extensions()
565 x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, &i, NULL); in ossl_x509v3_cache_extensions()
566 if (x->altname == NULL && i != -1) in ossl_x509v3_cache_extensions()
567 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
568 x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL); in ossl_x509v3_cache_extensions()
569 if (x->nc == NULL && i != -1) in ossl_x509v3_cache_extensions()
570 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
573 res = setup_crldp(x); in ossl_x509v3_cache_extensions()
575 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
580 x->rfc3779_addr = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, &i, NULL); in ossl_x509v3_cache_extensions()
581 if (x->rfc3779_addr == NULL && i != -1) in ossl_x509v3_cache_extensions()
582 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
583 x->rfc3779_asid = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, &i, NULL); in ossl_x509v3_cache_extensions()
584 if (x->rfc3779_asid == NULL && i != -1) in ossl_x509v3_cache_extensions()
585 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
587 for (i = 0; i < X509_get_ext_count(x); i++) { in ossl_x509v3_cache_extensions()
588 X509_EXTENSION *ex = X509_get_ext(x, i); in ossl_x509v3_cache_extensions()
592 x->ex_flags |= EXFLAG_FRESHEST; in ossl_x509v3_cache_extensions()
596 x->ex_flags |= EXFLAG_CRITICAL; in ossl_x509v3_cache_extensions()
601 x->ex_flags |= EXFLAG_BCONS_CRITICAL; in ossl_x509v3_cache_extensions()
604 x->ex_flags |= EXFLAG_AKID_CRITICAL; in ossl_x509v3_cache_extensions()
607 x->ex_flags |= EXFLAG_SKID_CRITICAL; in ossl_x509v3_cache_extensions()
610 x->ex_flags |= EXFLAG_SAN_CRITICAL; in ossl_x509v3_cache_extensions()
618 (void)ossl_x509_init_sig_info(x); in ossl_x509v3_cache_extensions()
620 x->ex_flags |= EXFLAG_SET; /* Indicate that cert has been processed */ in ossl_x509v3_cache_extensions()
622 tsan_st_rel((TSAN_QUALIFIER int *)&x->ex_cached, 1); in ossl_x509v3_cache_extensions()
630 if ((x->ex_flags & (EXFLAG_INVALID | EXFLAG_NO_FINGERPRINT)) == 0) { in ossl_x509v3_cache_extensions()
631 CRYPTO_THREAD_unlock(x->lock); in ossl_x509v3_cache_extensions()
634 if ((x->ex_flags & EXFLAG_INVALID) != 0) in ossl_x509v3_cache_extensions()
639 x->ex_flags |= EXFLAG_SET; /* indicate that cert has been processed */ in ossl_x509v3_cache_extensions()
640 CRYPTO_THREAD_unlock(x->lock); in ossl_x509v3_cache_extensions()
656 static int check_ca(const X509 *x) in check_ca() argument
659 if (ku_reject(x, KU_KEY_CERT_SIGN)) in check_ca()
661 if ((x->ex_flags & EXFLAG_BCONS) != 0) { in check_ca()
663 return (x->ex_flags & EXFLAG_CA) != 0; in check_ca()
666 if ((x->ex_flags & V1_ROOT) == V1_ROOT) in check_ca()
671 else if (x->ex_flags & EXFLAG_KUSAGE) in check_ca()
674 else if (x->ex_flags & EXFLAG_NSCERT && x->ex_nscert & NS_ANY_CA) in check_ca()
681 void X509_set_proxy_flag(X509 *x) in X509_set_proxy_flag() argument
683 if (CRYPTO_THREAD_write_lock(x->lock)) { in X509_set_proxy_flag()
684 x->ex_flags |= EXFLAG_PROXY; in X509_set_proxy_flag()
685 CRYPTO_THREAD_unlock(x->lock); in X509_set_proxy_flag()
689 void X509_set_proxy_pathlen(X509 *x, long l) in X509_set_proxy_pathlen() argument
691 x->ex_pcpathlen = l; in X509_set_proxy_pathlen()
694 int X509_check_ca(X509 *x) in X509_check_ca() argument
697 if (!ossl_x509v3_cache_extensions(x)) in X509_check_ca()
700 return check_ca(x); in X509_check_ca()
704 static int check_ssl_ca(const X509 *x) in check_ssl_ca() argument
706 int ca_ret = check_ca(x); in check_ssl_ca()
711 return ca_ret != 5 || (x->ex_nscert & NS_SSL_CA) != 0; in check_ssl_ca()
714 static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, in check_purpose_ssl_client() argument
717 if (xku_reject(x, XKU_SSL_CLIENT)) in check_purpose_ssl_client()
720 return check_ssl_ca(x); in check_purpose_ssl_client()
722 if (ku_reject(x, KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT)) in check_purpose_ssl_client()
725 if (ns_reject(x, NS_SSL_CLIENT)) in check_purpose_ssl_client()
738 static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, in check_purpose_ssl_server() argument
741 if (xku_reject(x, XKU_SSL_SERVER | XKU_SGC)) in check_purpose_ssl_server()
744 return check_ssl_ca(x); in check_purpose_ssl_server()
746 if (ns_reject(x, NS_SSL_SERVER)) in check_purpose_ssl_server()
748 if (ku_reject(x, KU_TLS)) in check_purpose_ssl_server()
755 static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, in check_purpose_ns_ssl_server() argument
759 ret = check_purpose_ssl_server(xp, x, require_ca); in check_purpose_ns_ssl_server()
763 if (ku_reject(x, KU_KEY_ENCIPHERMENT)) in check_purpose_ns_ssl_server()
769 static int purpose_smime(const X509 *x, int require_ca) in purpose_smime() argument
771 if (xku_reject(x, XKU_SMIME)) in purpose_smime()
775 ca_ret = check_ca(x); in purpose_smime()
779 if (ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) in purpose_smime()
784 if (x->ex_flags & EXFLAG_NSCERT) { in purpose_smime()
785 if (x->ex_nscert & NS_SMIME) in purpose_smime()
788 if (x->ex_nscert & NS_SSL_CLIENT) in purpose_smime()
795 static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, in check_purpose_smime_sign() argument
799 ret = purpose_smime(x, require_ca); in check_purpose_smime_sign()
802 if (ku_reject(x, KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION)) in check_purpose_smime_sign()
807 static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, in check_purpose_smime_encrypt() argument
811 ret = purpose_smime(x, require_ca); in check_purpose_smime_encrypt()
814 if (ku_reject(x, KU_KEY_ENCIPHERMENT)) in check_purpose_smime_encrypt()
819 static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, in check_purpose_crl_sign() argument
824 if ((ca_ret = check_ca(x)) != 2) in check_purpose_crl_sign()
829 if (ku_reject(x, KU_CRL_SIGN)) in check_purpose_crl_sign()
838 static int check_purpose_ocsp_helper(const X509_PURPOSE *xp, const X509 *x, in check_purpose_ocsp_helper() argument
846 return check_ca(x); in check_purpose_ocsp_helper()
851 static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, in check_purpose_timestamp_sign() argument
858 return check_ca(x); in check_purpose_timestamp_sign()
866 if ((x->ex_flags & EXFLAG_KUSAGE) in check_purpose_timestamp_sign()
867 && ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) || in check_purpose_timestamp_sign()
868 !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)))) in check_purpose_timestamp_sign()
872 if (!(x->ex_flags & EXFLAG_XKUSAGE) || x->ex_xkusage != XKU_TIMESTAMP) in check_purpose_timestamp_sign()
876 i_ext = X509_get_ext_by_NID(x, NID_ext_key_usage, -1); in check_purpose_timestamp_sign()
878 X509_EXTENSION *ext = X509_get_ext((X509 *)x, i_ext); in check_purpose_timestamp_sign()
886 static int no_check_purpose(const X509_PURPOSE *xp, const X509 *x, in no_check_purpose() argument
991 uint32_t X509_get_extension_flags(X509 *x) in X509_get_extension_flags() argument
994 X509_check_purpose(x, -1, 0); in X509_get_extension_flags()
995 return x->ex_flags; in X509_get_extension_flags()
998 uint32_t X509_get_key_usage(X509 *x) in X509_get_key_usage() argument
1001 if (X509_check_purpose(x, -1, 0) != 1) in X509_get_key_usage()
1003 if (x->ex_flags & EXFLAG_KUSAGE) in X509_get_key_usage()
1004 return x->ex_kusage; in X509_get_key_usage()
1008 uint32_t X509_get_extended_key_usage(X509 *x) in X509_get_extended_key_usage() argument
1011 if (X509_check_purpose(x, -1, 0) != 1) in X509_get_extended_key_usage()
1013 if (x->ex_flags & EXFLAG_XKUSAGE) in X509_get_extended_key_usage()
1014 return x->ex_xkusage; in X509_get_extended_key_usage()
1018 const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x) in X509_get0_subject_key_id() argument
1021 if (X509_check_purpose(x, -1, 0) != 1) in X509_get0_subject_key_id()
1023 return x->skid; in X509_get0_subject_key_id()
1026 const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x) in X509_get0_authority_key_id() argument
1029 if (X509_check_purpose(x, -1, 0) != 1) in X509_get0_authority_key_id()
1031 return (x->akid != NULL ? x->akid->keyid : NULL); in X509_get0_authority_key_id()
1034 const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x) in X509_get0_authority_issuer() argument
1037 if (X509_check_purpose(x, -1, 0) != 1) in X509_get0_authority_issuer()
1039 return (x->akid != NULL ? x->akid->issuer : NULL); in X509_get0_authority_issuer()
1042 const ASN1_INTEGER *X509_get0_authority_serial(X509 *x) in X509_get0_authority_serial() argument
1045 if (X509_check_purpose(x, -1, 0) != 1) in X509_get0_authority_serial()
1047 return (x->akid != NULL ? x->akid->serial : NULL); in X509_get0_authority_serial()
1050 long X509_get_pathlen(X509 *x) in X509_get_pathlen() argument
1053 if (X509_check_purpose(x, -1, 0) != 1 in X509_get_pathlen()
1054 || (x->ex_flags & EXFLAG_BCONS) == 0) in X509_get_pathlen()
1056 return x->ex_pathlen; in X509_get_pathlen()
1059 long X509_get_proxy_pathlen(X509 *x) in X509_get_proxy_pathlen() argument
1062 if (X509_check_purpose(x, -1, 0) != 1 in X509_get_proxy_pathlen()
1063 || (x->ex_flags & EXFLAG_PROXY) == 0) in X509_get_proxy_pathlen()
1065 return x->ex_pcpathlen; in X509_get_proxy_pathlen()