
19 static int check_ssl_ca(const X509 *x);
20 static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
22 static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,
24 static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x,
26 static int purpose_smime(const X509 *x, int non_leaf);
27 static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x,
29 static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x,
31 static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x,
33 static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
35 static int check_purpose_code_sign(const X509_PURPOSE *xp, const X509 *x,
37 static int no_check_purpose(const X509_PURPOSE *xp, const X509 *x,
39 static int check_purpose_ocsp_helper(const X509_PURPOSE *xp, const X509 *x,
86 int X509_check_purpose(X509 *x, int id, int non_leaf) in X509_check_purpose() argument
91 if (!ossl_x509v3_cache_extensions(x)) in X509_check_purpose()
100 return pt->check_purpose(pt, x, non_leaf); in X509_check_purpose()
310 static int setup_dp(const X509 *x, DIST_POINT *dp) in setup_dp() argument
347 iname = X509_get_issuer_name(x); in setup_dp()
352 static int setup_crldp(X509 *x) in setup_crldp() argument
356 x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, &i, NULL); in setup_crldp()
357 if (x->crldp == NULL && i != -1) in setup_crldp()
360 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) { in setup_crldp()
361 int res = setup_dp(x, sk_DIST_POINT_value(x->crldp, i)); in setup_crldp()
386 #define ku_reject(x, usage) \ argument
387 (((x)->ex_flags & EXFLAG_KUSAGE) != 0 && ((x)->ex_kusage & (usage)) == 0)
388 #define xku_reject(x, usage) \ argument
389 (((x)->ex_flags & EXFLAG_XKUSAGE) != 0 && ((x)->ex_xkusage & (usage)) == 0)
390 #define ns_reject(x, usage) \ argument
391 (((x)->ex_flags & EXFLAG_NSCERT) != 0 && ((x)->ex_nscert & (usage)) == 0)
400 int ossl_x509v3_cache_extensions(X509 *x) in ossl_x509v3_cache_extensions() argument
412 if (tsan_ld_acq((TSAN_QUALIFIER int *)&x->ex_cached)) in ossl_x509v3_cache_extensions()
413 return (x->ex_flags & EXFLAG_INVALID) == 0; in ossl_x509v3_cache_extensions()
416 if (!CRYPTO_THREAD_write_lock(x->lock)) in ossl_x509v3_cache_extensions()
418 if ((x->ex_flags & EXFLAG_SET) != 0) { /* Cert has already been processed */ in ossl_x509v3_cache_extensions()
419 CRYPTO_THREAD_unlock(x->lock); in ossl_x509v3_cache_extensions()
420 return (x->ex_flags & EXFLAG_INVALID) == 0; in ossl_x509v3_cache_extensions()
426 if (!X509_digest(x, EVP_sha1(), x->sha1_hash, NULL)) in ossl_x509v3_cache_extensions()
427 x->ex_flags |= EXFLAG_NO_FINGERPRINT; in ossl_x509v3_cache_extensions()
430 if (X509_get_version(x) == X509_VERSION_1) in ossl_x509v3_cache_extensions()
431 x->ex_flags |= EXFLAG_V1; in ossl_x509v3_cache_extensions()
434 x->ex_pathlen = -1; in ossl_x509v3_cache_extensions()
435 if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, &i, NULL)) != NULL) { in ossl_x509v3_cache_extensions()
437 x->ex_flags |= EXFLAG_CA; in ossl_x509v3_cache_extensions()
445 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
447 x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen); in ossl_x509v3_cache_extensions()
451 x->ex_flags |= EXFLAG_BCONS; in ossl_x509v3_cache_extensions()
453 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
457 if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, &i, NULL)) != NULL) { in ossl_x509v3_cache_extensions()
458 if ((x->ex_flags & EXFLAG_CA) != 0 in ossl_x509v3_cache_extensions()
459 || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 in ossl_x509v3_cache_extensions()
460 || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) { in ossl_x509v3_cache_extensions()
461 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
464 x->ex_pcpathlen = ASN1_INTEGER_get(pci->pcPathLengthConstraint); in ossl_x509v3_cache_extensions()
466 x->ex_pcpathlen = -1; in ossl_x509v3_cache_extensions()
468 x->ex_flags |= EXFLAG_PROXY; in ossl_x509v3_cache_extensions()
470 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
474 if ((usage = X509_get_ext_d2i(x, NID_key_usage, &i, NULL)) != NULL) { in ossl_x509v3_cache_extensions()
475 x->ex_kusage = 0; in ossl_x509v3_cache_extensions()
477 x->ex_kusage = usage->data[0]; in ossl_x509v3_cache_extensions()
479 x->ex_kusage |= usage->data[1] << 8; in ossl_x509v3_cache_extensions()
481 x->ex_flags |= EXFLAG_KUSAGE; in ossl_x509v3_cache_extensions()
484 if (x->ex_kusage == 0) { in ossl_x509v3_cache_extensions()
486 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
489 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
493 x->ex_xkusage = 0; in ossl_x509v3_cache_extensions()
494 if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, &i, NULL)) != NULL) { in ossl_x509v3_cache_extensions()
495 x->ex_flags |= EXFLAG_XKUSAGE; in ossl_x509v3_cache_extensions()
499 x->ex_xkusage |= XKU_SSL_SERVER; in ossl_x509v3_cache_extensions()
502 x->ex_xkusage |= XKU_SSL_CLIENT; in ossl_x509v3_cache_extensions()
505 x->ex_xkusage |= XKU_SMIME; in ossl_x509v3_cache_extensions()
508 x->ex_xkusage |= XKU_CODE_SIGN; in ossl_x509v3_cache_extensions()
512 x->ex_xkusage |= XKU_SGC; in ossl_x509v3_cache_extensions()
515 x->ex_xkusage |= XKU_OCSP_SIGN; in ossl_x509v3_cache_extensions()
518 x->ex_xkusage |= XKU_TIMESTAMP; in ossl_x509v3_cache_extensions()
521 x->ex_xkusage |= XKU_DVCS; in ossl_x509v3_cache_extensions()
524 x->ex_xkusage |= XKU_ANYEKU; in ossl_x509v3_cache_extensions()
533 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
537 if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, &i, NULL)) != NULL) { in ossl_x509v3_cache_extensions()
539 x->ex_nscert = ns->data[0]; in ossl_x509v3_cache_extensions()
541 x->ex_nscert = 0; in ossl_x509v3_cache_extensions()
542 x->ex_flags |= EXFLAG_NSCERT; in ossl_x509v3_cache_extensions()
545 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
549 x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, &i, NULL); in ossl_x509v3_cache_extensions()
550 if (x->skid == NULL && i != -1) in ossl_x509v3_cache_extensions()
551 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
553 x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, &i, NULL); in ossl_x509v3_cache_extensions()
554 if (x->akid == NULL && i != -1) in ossl_x509v3_cache_extensions()
555 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
558 if (X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)) == 0) { in ossl_x509v3_cache_extensions()
559 x->ex_flags |= EXFLAG_SI; /* Cert is self-issued */ in ossl_x509v3_cache_extensions()
560 if (X509_check_akid(x, x->akid) == X509_V_OK /* SKID matches AKID */ in ossl_x509v3_cache_extensions()
562 && check_sig_alg_match(X509_get0_pubkey(x), x) == X509_V_OK) in ossl_x509v3_cache_extensions()
563 x->ex_flags |= EXFLAG_SS; /* indicate self-signed */ in ossl_x509v3_cache_extensions()
568 x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, &i, NULL); in ossl_x509v3_cache_extensions()
569 if (x->altname == NULL && i != -1) in ossl_x509v3_cache_extensions()
570 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
571 x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL); in ossl_x509v3_cache_extensions()
572 if (x->nc == NULL && i != -1) in ossl_x509v3_cache_extensions()
573 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
576 res = setup_crldp(x); in ossl_x509v3_cache_extensions()
578 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
581 x->rfc3779_addr = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, &i, NULL); in ossl_x509v3_cache_extensions()
582 if (x->rfc3779_addr == NULL && i != -1) in ossl_x509v3_cache_extensions()
583 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
584 x->rfc3779_asid = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, &i, NULL); in ossl_x509v3_cache_extensions()
585 if (x->rfc3779_asid == NULL && i != -1) in ossl_x509v3_cache_extensions()
586 x->ex_flags |= EXFLAG_INVALID; in ossl_x509v3_cache_extensions()
588 for (i = 0; i < X509_get_ext_count(x); i++) { in ossl_x509v3_cache_extensions()
589 X509_EXTENSION *ex = X509_get_ext(x, i); in ossl_x509v3_cache_extensions()
593 x->ex_flags |= EXFLAG_FRESHEST; in ossl_x509v3_cache_extensions()
597 x->ex_flags |= EXFLAG_CRITICAL; in ossl_x509v3_cache_extensions()
602 x->ex_flags |= EXFLAG_BCONS_CRITICAL; in ossl_x509v3_cache_extensions()
605 x->ex_flags |= EXFLAG_AKID_CRITICAL; in ossl_x509v3_cache_extensions()
608 x->ex_flags |= EXFLAG_SKID_CRITICAL; in ossl_x509v3_cache_extensions()
611 x->ex_flags |= EXFLAG_SAN_CRITICAL; in ossl_x509v3_cache_extensions()
619 (void)ossl_x509_init_sig_info(x); in ossl_x509v3_cache_extensions()
621 x->ex_flags |= EXFLAG_SET; /* Indicate that cert has been processed */ in ossl_x509v3_cache_extensions()
623 tsan_st_rel((TSAN_QUALIFIER int *)&x->ex_cached, 1); in ossl_x509v3_cache_extensions()
632 if ((x->ex_flags & EXFLAG_INVALID) == 0) { in ossl_x509v3_cache_extensions()
633 CRYPTO_THREAD_unlock(x->lock); in ossl_x509v3_cache_extensions()
636 CRYPTO_THREAD_unlock(x->lock); in ossl_x509v3_cache_extensions()
653 static int check_ca(const X509 *x) in check_ca() argument
656 if (ku_reject(x, KU_KEY_CERT_SIGN)) in check_ca()
658 if ((x->ex_flags & EXFLAG_BCONS) != 0) { in check_ca()
660 return (x->ex_flags & EXFLAG_CA) != 0; in check_ca()
663 if ((x->ex_flags & V1_ROOT) == V1_ROOT) in check_ca()
668 else if ((x->ex_flags & EXFLAG_KUSAGE) != 0) in check_ca()
671 else if ((x->ex_flags & EXFLAG_NSCERT) != 0 in check_ca()
672 && (x->ex_nscert & NS_ANY_CA) != 0) in check_ca()
679 void X509_set_proxy_flag(X509 *x) in X509_set_proxy_flag() argument
681 if (CRYPTO_THREAD_write_lock(x->lock)) { in X509_set_proxy_flag()
682 x->ex_flags |= EXFLAG_PROXY; in X509_set_proxy_flag()
683 CRYPTO_THREAD_unlock(x->lock); in X509_set_proxy_flag()
687 void X509_set_proxy_pathlen(X509 *x, long l) in X509_set_proxy_pathlen() argument
689 x->ex_pcpathlen = l; in X509_set_proxy_pathlen()
692 int X509_check_ca(X509 *x) in X509_check_ca() argument
695 if (!ossl_x509v3_cache_extensions(x)) in X509_check_ca()
698 return check_ca(x); in X509_check_ca()
702 static int check_ssl_ca(const X509 *x) in check_ssl_ca() argument
704 int ca_ret = check_ca(x); in check_ssl_ca()
709 return ca_ret != 5 || (x->ex_nscert & NS_SSL_CA) != 0; in check_ssl_ca()
712 static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, in check_purpose_ssl_client() argument
715 if (xku_reject(x, XKU_SSL_CLIENT)) in check_purpose_ssl_client()
718 return check_ssl_ca(x); in check_purpose_ssl_client()
720 if (ku_reject(x, KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT)) in check_purpose_ssl_client()
723 if (ns_reject(x, NS_SSL_CLIENT)) in check_purpose_ssl_client()
736 static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, in check_purpose_ssl_server() argument
739 if (xku_reject(x, XKU_SSL_SERVER | XKU_SGC)) in check_purpose_ssl_server()
742 return check_ssl_ca(x); in check_purpose_ssl_server()
744 if (ns_reject(x, NS_SSL_SERVER)) in check_purpose_ssl_server()
746 if (ku_reject(x, KU_TLS)) in check_purpose_ssl_server()
753 static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, in check_purpose_ns_ssl_server() argument
756 int ret = check_purpose_ssl_server(xp, x, non_leaf); in check_purpose_ns_ssl_server()
761 return ku_reject(x, KU_KEY_ENCIPHERMENT) ? 0 : ret; in check_purpose_ns_ssl_server()
765 static int purpose_smime(const X509 *x, int non_leaf) in purpose_smime() argument
767 if (xku_reject(x, XKU_SMIME)) in purpose_smime()
770 int ca_ret = check_ca(x); in purpose_smime()
775 if (ca_ret != 5 || (x->ex_nscert & NS_SMIME_CA) != 0) in purpose_smime()
780 if ((x->ex_flags & EXFLAG_NSCERT) != 0) { in purpose_smime()
781 if ((x->ex_nscert & NS_SMIME) != 0) in purpose_smime()
784 return (x->ex_nscert & NS_SSL_CLIENT) != 0 ? 2 : 0; in purpose_smime()
789 static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, in check_purpose_smime_sign() argument
792 int ret = purpose_smime(x, non_leaf); in check_purpose_smime_sign()
796 return ku_reject(x, KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION) ? 0 : ret; in check_purpose_smime_sign()
799 static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, in check_purpose_smime_encrypt() argument
802 int ret = purpose_smime(x, non_leaf); in check_purpose_smime_encrypt()
806 return ku_reject(x, KU_KEY_ENCIPHERMENT) ? 0 : ret; in check_purpose_smime_encrypt()
809 static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, in check_purpose_crl_sign() argument
813 int ca_ret = check_ca(x); in check_purpose_crl_sign()
817 return !ku_reject(x, KU_CRL_SIGN); in check_purpose_crl_sign()
824 static int check_purpose_ocsp_helper(const X509_PURPOSE *xp, const X509 *x, in check_purpose_ocsp_helper() argument
832 return check_ca(x); in check_purpose_ocsp_helper()
837 static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, in check_purpose_timestamp_sign() argument
847 return check_ca(x); in check_purpose_timestamp_sign()
863 if ((x->ex_flags & EXFLAG_KUSAGE) != 0 in check_purpose_timestamp_sign()
864 && ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) || in check_purpose_timestamp_sign()
865 !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)))) in check_purpose_timestamp_sign()
869 if ((x->ex_flags & EXFLAG_XKUSAGE) == 0 || x->ex_xkusage != XKU_TIMESTAMP) in check_purpose_timestamp_sign()
873 i_ext = X509_get_ext_by_NID(x, NID_ext_key_usage, -1); in check_purpose_timestamp_sign()
875 && !X509_EXTENSION_get_critical(X509_get_ext((X509 *)x, i_ext))) in check_purpose_timestamp_sign()
880 static int check_purpose_code_sign(const X509_PURPOSE *xp, const X509 *x, in check_purpose_code_sign() argument
890 return check_ca(x); in check_purpose_code_sign()
905 if ((x->ex_flags & EXFLAG_KUSAGE) == 0) in check_purpose_code_sign()
907 if ((x->ex_kusage & KU_DIGITAL_SIGNATURE) == 0) in check_purpose_code_sign()
909 if ((x->ex_kusage & (KU_KEY_CERT_SIGN | KU_CRL_SIGN)) != 0) in check_purpose_code_sign()
913 i_ext = X509_get_ext_by_NID(x, NID_key_usage, -1); in check_purpose_code_sign()
917 X509_EXTENSION *ext = X509_get_ext((X509 *)x, i_ext); in check_purpose_code_sign()
923 if ((x->ex_flags & EXFLAG_XKUSAGE) == 0) in check_purpose_code_sign()
925 if ((x->ex_xkusage & XKU_CODE_SIGN) == 0) in check_purpose_code_sign()
927 if ((x->ex_xkusage & (XKU_ANYEKU | XKU_SSL_SERVER)) != 0) in check_purpose_code_sign()
934 static int no_check_purpose(const X509_PURPOSE *xp, const X509 *x, in no_check_purpose() argument
1040 uint32_t X509_get_extension_flags(X509 *x) in X509_get_extension_flags() argument
1043 X509_check_purpose(x, -1, 0); in X509_get_extension_flags()
1044 return x->ex_flags; in X509_get_extension_flags()
1047 uint32_t X509_get_key_usage(X509 *x) in X509_get_key_usage() argument
1050 if (X509_check_purpose(x, -1, 0) != 1) in X509_get_key_usage()
1052 return (x->ex_flags & EXFLAG_KUSAGE) != 0 ? x->ex_kusage : UINT32_MAX; in X509_get_key_usage()
1055 uint32_t X509_get_extended_key_usage(X509 *x) in X509_get_extended_key_usage() argument
1058 if (X509_check_purpose(x, -1, 0) != 1) in X509_get_extended_key_usage()
1060 return (x->ex_flags & EXFLAG_XKUSAGE) != 0 ? x->ex_xkusage : UINT32_MAX; in X509_get_extended_key_usage()
1063 const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x) in X509_get0_subject_key_id() argument
1066 if (X509_check_purpose(x, -1, 0) != 1) in X509_get0_subject_key_id()
1068 return x->skid; in X509_get0_subject_key_id()
1071 const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x) in X509_get0_authority_key_id() argument
1074 if (X509_check_purpose(x, -1, 0) != 1) in X509_get0_authority_key_id()
1076 return (x->akid != NULL ? x->akid->keyid : NULL); in X509_get0_authority_key_id()
1079 const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x) in X509_get0_authority_issuer() argument
1082 if (X509_check_purpose(x, -1, 0) != 1) in X509_get0_authority_issuer()
1084 return (x->akid != NULL ? x->akid->issuer : NULL); in X509_get0_authority_issuer()
1087 const ASN1_INTEGER *X509_get0_authority_serial(X509 *x) in X509_get0_authority_serial() argument
1090 if (X509_check_purpose(x, -1, 0) != 1) in X509_get0_authority_serial()
1092 return (x->akid != NULL ? x->akid->serial : NULL); in X509_get0_authority_serial()
1095 long X509_get_pathlen(X509 *x) in X509_get_pathlen() argument
1098 if (X509_check_purpose(x, -1, 0) != 1 in X509_get_pathlen()
1099 || (x->ex_flags & EXFLAG_BCONS) == 0) in X509_get_pathlen()
1101 return x->ex_pathlen; in X509_get_pathlen()
1104 long X509_get_proxy_pathlen(X509 *x) in X509_get_proxy_pathlen() argument
1107 if (X509_check_purpose(x, -1, 0) != 1 in X509_get_proxy_pathlen()
1108 || (x->ex_flags & EXFLAG_PROXY) == 0) in X509_get_proxy_pathlen()
1110 return x->ex_pcpathlen; in X509_get_proxy_pathlen()