Oops! Remeber to include the other patches this time...

6 files changed, 136 insertions, 2 deletions

diff --git a/crypto/x509v3/Makefile.ssl b/crypto/x509v3/Makefile.ssl
index 3608bbed94..500cfd3935 100644
--- a/crypto/x509v3/Makefile.ssl
+++ b/crypto/x509v3/Makefile.ssl
@@ -23,9 +23,10 @@ APPS=
 
 LIB=$(TOP)/libcrypto.a
 LIBSRC=	v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c \
-v3_lib.c v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c
+v3_lib.c v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c \
+v3_pku.c
 LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \
-v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o
+v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o
 
 SRC= $(LIBSRC)
 
diff --git a/crypto/x509v3/v3_akey.c b/crypto/x509v3/v3_akey.c
index e3b84601be..bef9b77943 100644
--- a/crypto/x509v3/v3_akey.c
+++ b/crypto/x509v3/v3_akey.c
@@ -175,11 +175,97 @@ STACK *extlist;
 	return extlist;
 }
 
+/* Currently two options:
+ * keyid: use the issuers subject keyid, the value 'always' means its is
+ * an error if the issuer certificate doesn't have a key id.
+ * issuer: use the issuers cert issuer and serial number. The default is
+ * to only use this if keyid is not present. With the option 'always'
+ * this is always included.
+ */
+
 static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(method, ctx, values)
 X509V3_EXT_METHOD *method;
 X509V3_CTX *ctx;
 STACK *values;
 {
+char keyid=0, issuer=0;
+int i;
+CONF_VALUE *cnf;
+ASN1_OCTET_STRING *ikeyid = NULL;
+X509_NAME *isname = NULL;
+STACK * gens = NULL;
+GENERAL_NAME *gen = NULL;
+ASN1_INTEGER *serial = NULL;
+X509_EXTENSION *ext;
+X509 *cert;
+AUTHORITY_KEYID *akeyid;
+for(i = 0; i < sk_num(values); i++) {
+	cnf = (CONF_VALUE *)sk_value(values, i);
+	if(!strcmp(cnf->name, "keyid")) {
+		keyid = 1;
+		if(cnf->value && !strcmp(cnf->value, "always")) keyid = 2;
+	} else if(!strcmp(cnf->name, "issuer")) {
+		issuer = 1;
+		if(cnf->value && !strcmp(cnf->value, "always")) issuer = 2;
+	} else {
+		X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNKNOWN_OPTION);
+		ERR_add_error_data(2, "name=", cnf->name);
+		return NULL;
+	}
+}
+
+
+
+if(!ctx || !ctx->issuer_cert) {
+	if(ctx && (ctx->flags==CTX_TEST)) return AUTHORITY_KEYID_new();
+	X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_NO_ISSUER_CERTIFICATE);
+	return NULL;
+}
+
+cert = ctx->issuer_cert;
+
+if(keyid) {
+	i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
+	if((i >= 0)  && (ext = X509_get_ext(cert, i)))
+			ikeyid = (ASN1_OCTET_STRING *) X509V3_EXT_d2i(ext);
+	if(keyid==2 && !ikeyid) {
+		X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);
+		return NULL;
+	}
+}
+
+if((issuer && !ikeyid) || (issuer == 2)) {
+	isname = X509_NAME_dup(X509_get_issuer_name(cert));
+	serial = ASN1_INTEGER_dup(X509_get_serialNumber(cert));
+	if(!isname || !serial) {
+		X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
+		goto err;
+	}
+}
+
+if(!(akeyid = AUTHORITY_KEYID_new())) goto err;
+
+if(isname) {
+	if(!(gens = sk_new(NULL)) || !(gen = GENERAL_NAME_new())
+		|| !sk_push(gens, (char *)gen)) {
+		X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,ERR_R_MALLOC_FAILURE);
+		goto err;
+	}
+	gen->type = GEN_DIRNAME;
+	gen->d.dirn = isname;
+}
+
+akeyid->issuer = gens;
+akeyid->serial = serial;
+akeyid->keyid = ikeyid;
+
+return akeyid;
+
+err:
+X509_NAME_free(isname);
+ASN1_INTEGER_free(serial);
+ASN1_OCTET_STRING_free(ikeyid);
 return NULL;
+
 }
 
diff --git a/crypto/x509v3/v3_lib.c b/crypto/x509v3/v3_lib.c
index 3fb21fbe25..c9e9cbaadf 100644
--- a/crypto/x509v3/v3_lib.c
+++ b/crypto/x509v3/v3_lib.c
@@ -147,6 +147,7 @@ X509V3_EXT_METHOD *ext;
 }
 
 extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
+extern X509V3_EXT_METHOD v3_pkey_usage_period;
 extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
 
 int X509V3_add_standard_extensions()
@@ -159,5 +160,19 @@ int X509V3_add_standard_extensions()
 	X509V3_EXT_add(&v3_ext_ku);
 	X509V3_EXT_add(&v3_skey_id);
 	X509V3_EXT_add(&v3_akey_id);
+	X509V3_EXT_add(&v3_pkey_usage_period);
 	return 1;
 }
+
+/* Return an extension internal structure */
+
+char *X509V3_EXT_d2i(ext)
+X509_EXTENSION *ext;
+{
+	X509V3_EXT_METHOD *method;
+	unsigned char *p;
+	if(!(method = X509V3_EXT_get(ext)) || !method->d2i) return NULL;
+	p = ext->value->data;
+	return method->d2i(NULL, &p, ext->value->length);
+}
+
diff --git a/crypto/x509v3/v3err.c b/crypto/x509v3/v3err.c
index 7cbb821817..50dff95263 100644
--- a/crypto/x509v3/v3err.c
+++ b/crypto/x509v3/v3err.c
@@ -70,6 +70,7 @@ static ERR_STRING_DATA X509V3_str_functs[]=
 {ERR_PACK(0,X509V3_F_S2I_S2I_SKEY_ID,0),	"S2I_S2I_SKEY_ID"},
 {ERR_PACK(0,X509V3_F_STRING_TO_HEX,0),	"string_to_hex"},
 {ERR_PACK(0,X509V3_F_V2I_ASN1_BIT_STRING,0),	"V2I_ASN1_BIT_STRING"},
+{ERR_PACK(0,X509V3_F_V2I_AUTHORITY_KEYID,0),	"V2I_AUTHORITY_KEYID"},
 {ERR_PACK(0,X509V3_F_V2I_BASIC_CONSTRAINTS,0),	"V2I_BASIC_CONSTRAINTS"},
 {ERR_PACK(0,X509V3_F_V2I_EXT_KU,0),	"V2I_EXT_KU"},
 {ERR_PACK(0,X509V3_F_V2I_GENERAL_NAME,0),	"v2i_GENERAL_NAME"},
@@ -103,9 +104,13 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {X509V3_R_INVALID_NULL_NAME              ,"invalid null name"},
 {X509V3_R_INVALID_NULL_VALUE             ,"invalid null value"},
 {X509V3_R_INVALID_OBJECT_IDENTIFIER      ,"invalid object identifier"},
+{X509V3_R_NO_ISSUER_CERTIFICATE          ,"no issuer certificate"},
 {X509V3_R_NO_PUBLIC_KEY                  ,"no public key"},
 {X509V3_R_ODD_NUMBER_OF_DIGITS           ,"odd number of digits"},
+{X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS   ,"unable to get issuer details"},
+{X509V3_R_UNABLE_TO_GET_ISSUER_KEYID     ,"unable to get issuer keyid"},
 {X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT    ,"unknown bit string argument"},
+{X509V3_R_UNKNOWN_OPTION                 ,"unknown option"},
 {X509V3_R_UNSUPPORTED_OPTION             ,"unsupported option"},
 {0,NULL},
 	};
diff --git a/crypto/x509v3/x509v3.err b/crypto/x509v3/x509v3.err
index 1aa2a8a87d..0b9fb62d2b 100644
--- a/crypto/x509v3/x509v3.err
+++ b/crypto/x509v3/x509v3.err
@@ -8,6 +8,7 @@
 #define X509V3_F_S2I_S2I_SKEY_ID			 115
 #define X509V3_F_STRING_TO_HEX				 113
 #define X509V3_F_V2I_ASN1_BIT_STRING			 101
+#define X509V3_F_V2I_AUTHORITY_KEYID			 119
 #define X509V3_F_V2I_BASIC_CONSTRAINTS			 102
 #define X509V3_F_V2I_EXT_KU				 103
 #define X509V3_F_V2I_GENERAL_NAME			 117
@@ -38,7 +39,11 @@
 #define X509V3_R_INVALID_NULL_NAME			 108
 #define X509V3_R_INVALID_NULL_VALUE			 109
 #define X509V3_R_INVALID_OBJECT_IDENTIFIER		 110
+#define X509V3_R_NO_ISSUER_CERTIFICATE			 121
 #define X509V3_R_NO_PUBLIC_KEY				 114
 #define X509V3_R_ODD_NUMBER_OF_DIGITS			 112
+#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS		 122
+#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID		 123
 #define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT		 111
+#define X509V3_R_UNKNOWN_OPTION				 120
 #define X509V3_R_UNSUPPORTED_OPTION			 117
diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h
index 09cf489802..75a18b908a 100644
--- a/crypto/x509v3/x509v3.h
+++ b/crypto/x509v3/x509v3.h
@@ -142,6 +142,11 @@ ASN1_INTEGER *serial;
 } AUTHORITY_KEYID;
 
 typedef struct {
+ASN1_GENERALIZEDTIME *notBefore;
+ASN1_GENERALIZEDTIME *notAfter;
+} PKEY_USAGE_PERIOD;
+
+typedef struct {
 
 #define GEN_OTHERNAME	(0|V_ASN1_CONTEXT_SPECIFIC)
 #define GEN_EMAIL	(1|V_ASN1_CONTEXT_SPECIFIC)
@@ -211,6 +216,11 @@ AUTHORITY_KEYID *d2i_AUTHORITY_KEYID(AUTHORITY_KEYID **a, unsigned char **pp, lo
 AUTHORITY_KEYID *AUTHORITY_KEYID_new(void);
 void AUTHORITY_KEYID_free(AUTHORITY_KEYID *a);
 
+int i2d_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD *a, unsigned char **pp);
+PKEY_USAGE_PERIOD *d2i_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD **a, unsigned char **pp, long length);
+PKEY_USAGE_PERIOD *PKEY_USAGE_PERIOD_new(void);
+void PKEY_USAGE_PERIOD_free(PKEY_USAGE_PERIOD *a);
+
 STACK *GENERAL_NAMES_new(void);
 void GENERAL_NAMES_free(STACK *a);
 STACK *d2i_GENERAL_NAMES(STACK **a, unsigned char **pp, long length);
@@ -248,6 +258,7 @@ X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext);
 X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
 int X509V3_add_standard_extensions(void);
 STACK *X509V3_parse_list(char *line);
+char *X509V3_EXT_d2i(X509_EXTENSION *ext);
 
 char *hex_to_string(unsigned char *buffer, long len);
 unsigned char *string_to_hex(char *str, long *len);
@@ -271,6 +282,11 @@ void GENERAL_NAME_free();
 STACK *i2v_GENERAL_NAME();
 GENERAL_NAME *v2i_GENERAL_NAME();
 
+int i2d_PKEY_USAGE_PERIOD();
+PKEY_USAGE_PERIOD *d2i_PKEY_USAGE_PERIOD();
+PKEY_USAGE_PERIOD *PKEY_USAGE_PERIOD_new();
+void PKEY_USAGE_PERIOD_free();
+
 STACK *GENERAL_NAMES_new():
 void GENERAL_NAMES_free():
 STACK *d2i_GENERAL_NAMES();
@@ -307,6 +323,7 @@ X509V3_EXT_METHOD *X509V3_EXT_get();
 X509V3_EXT_METHOD *X509V3_EXT_get_nid();
 int X509V3_add_standard_extensions();
 STACK *X509V3_parse_list();
+char *X509V3_EXT_get_d2i();
 
 char *hex_to_string();
 unsigned char *string_to_hex();
@@ -327,6 +344,7 @@ int X509V3_EXT_print_fp();
 #define X509V3_F_S2I_S2I_SKEY_ID			 115
 #define X509V3_F_STRING_TO_HEX				 113
 #define X509V3_F_V2I_ASN1_BIT_STRING			 101
+#define X509V3_F_V2I_AUTHORITY_KEYID			 119
 #define X509V3_F_V2I_BASIC_CONSTRAINTS			 102
 #define X509V3_F_V2I_EXT_KU				 103
 #define X509V3_F_V2I_GENERAL_NAME			 117
@@ -357,9 +375,13 @@ int X509V3_EXT_print_fp();
 #define X509V3_R_INVALID_NULL_NAME			 108
 #define X509V3_R_INVALID_NULL_VALUE			 109
 #define X509V3_R_INVALID_OBJECT_IDENTIFIER		 110
+#define X509V3_R_NO_ISSUER_CERTIFICATE			 121
 #define X509V3_R_NO_PUBLIC_KEY				 114
 #define X509V3_R_ODD_NUMBER_OF_DIGITS			 112
+#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS		 122
+#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID		 123
 #define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT		 111
+#define X509V3_R_UNKNOWN_OPTION				 120
 #define X509V3_R_UNSUPPORTED_OPTION			 117
  
 #ifdef  __cplusplus