From 6447cce37251e6d947279a3fd6874e59ed0d3d2d Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 29 Dec 1999 00:40:28 +0000 Subject: Simplify the trust structure: basically zap the bit strings and represent everything by OIDs. --- crypto/x509/x509_trs.c | 61 ++++++++++++++++++++++++++++++++++---------------- 1 file changed, 42 insertions(+), 19 deletions(-) (limited to 'crypto/x509/x509_trs.c') diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c index f96f5f9b26..8a632db7b0 100644 --- a/crypto/x509/x509_trs.c +++ b/crypto/x509/x509_trs.c @@ -64,9 +64,12 @@ static int tr_cmp(X509_TRUST **a, X509_TRUST **b); static void trtable_free(X509_TRUST *p); -static int trust_1bit(X509_TRUST *trust, X509 *x, int flags); +static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags); static int trust_any(X509_TRUST *trust, X509 *x, int flags); +static int obj_trust(int id, X509 *x, int flags); +static int (*default_trust)(int id, X509 *x, int flags) = obj_trust; + /* WARNING: the following table should be kept in order of trust * and without any gaps so we can just subtract the minimum trust * value to get an index into the table @@ -74,10 +77,9 @@ static int trust_any(X509_TRUST *trust, X509 *x, int flags); static X509_TRUST trstandard[] = { {X509_TRUST_ANY, 0, trust_any, "Any", 0, NULL}, -{X509_TRUST_SSL_CLIENT, 0, trust_1bit, "SSL Client", X509_TRUST_BIT_SSL_CLIENT, NULL}, -{X509_TRUST_SSL_SERVER, 0, trust_1bit, "SSL Client", X509_TRUST_BIT_SSL_SERVER, NULL}, -{X509_TRUST_EMAIL, 0, trust_1bit, "S/MIME email", X509_TRUST_BIT_EMAIL, NULL}, -{X509_TRUST_OBJECT_SIGN, 0, trust_1bit, "Object Signing", X509_TRUST_BIT_OBJECT_SIGN, NULL}, +{X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL}, +{X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Client", NID_server_auth, NULL}, +{X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL}, }; #define X509_TRUST_COUNT (sizeof(trstandard)/sizeof(X509_TRUST)) @@ -91,12 +93,22 @@ static int tr_cmp(X509_TRUST **a, X509_TRUST **b) return (*a)->trust - (*b)->trust; } +int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int) +{ +int (*oldtrust)(int , X509 *, int); +oldtrust = default_trust; +default_trust = trust; +return oldtrust; +} + + int X509_check_trust(X509 *x, int id, int flags) { X509_TRUST *pt; int idx; if(id == -1) return 1; - if(!(idx = X509_TRUST_get_by_id(id))) return 0; + if(!(idx = X509_TRUST_get_by_id(id))) + return default_trust(id, x, flags); pt = X509_TRUST_iget(idx); return pt->check_trust(pt, x, flags); } @@ -212,20 +224,9 @@ int X509_TRUST_get_trust(X509_TRUST *xp) return xp->trust; } -static int trust_1bit(X509_TRUST *trust, X509 *x, int flags) +static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags) { - X509_CERT_AUX *ax; - ax = x->aux; - if(ax) { - if(ax->reject - && ( ASN1_BIT_STRING_get_bit(ax->reject, X509_TRUST_BIT_ALL) - || ASN1_BIT_STRING_get_bit(ax->reject, trust->arg1))) - return X509_TRUST_REJECTED; - if(ax->trust && (ASN1_BIT_STRING_get_bit(ax->trust, X509_TRUST_BIT_ALL) - || ASN1_BIT_STRING_get_bit(ax->trust, trust->arg1))) - return X509_TRUST_TRUSTED; - return X509_TRUST_UNTRUSTED; - } + if(x->aux) return obj_trust(trust->arg1, x, flags); /* we don't have any trust settings: for compatability * we return trusted if it is self signed */ @@ -234,6 +235,28 @@ static int trust_1bit(X509_TRUST *trust, X509 *x, int flags) else return X509_TRUST_UNTRUSTED; } +static int obj_trust(int id, X509 *x, int flags) +{ + ASN1_OBJECT *obj; + int i; + X509_CERT_AUX *ax; + ax = x->aux; + if(!ax) return X509_TRUST_UNTRUSTED; + if(ax->reject) { + for(i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) { + obj = sk_ASN1_OBJECT_value(ax->reject, i); + if(OBJ_obj2nid(obj) == id) return X509_TRUST_REJECTED; + } + } + if(ax->trust) { + for(i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) { + obj = sk_ASN1_OBJECT_value(ax->trust, i); + if(OBJ_obj2nid(obj) == id) return X509_TRUST_TRUSTED; + } + } + return X509_TRUST_UNTRUSTED; +} + static int trust_any(X509_TRUST *trust, X509 *x, int flags) { return X509_TRUST_TRUSTED; -- cgit v1.2.3