Add the RFC6962 OIDs to the objects table.
(backport from master branch)
return BIO_dump_indent_cb(write_bio, bp, s, len, indent);
}
+int BIO_hex_string(BIO *out, int indent, int width, unsigned char *data,
+ int datalen)
+ {
+ int i, j = 0;
+
+ if (datalen < 1)
+ return 1;
+
+ for (i = 0; i < datalen - 1; i++)
+ {
+ if (i && !j) BIO_printf(out, "%*s", indent, "");
+
+ BIO_printf(out, "%02X:", data[i]);
+
+ j = (j + 1) % width;
+ if (!j) BIO_printf(out, "\n");
+ }
+
+ if (i && !j) BIO_printf(out, "%*s", indent, "");
+ BIO_printf(out, "%02X", data[datalen - 1]);
+ return 1;
+ }
int BIO_dump_fp(FILE *fp, const char *s, int len);
int BIO_dump_indent_fp(FILE *fp, const char *s, int len, int indent);
#endif
+int BIO_hex_string(BIO *out, int indent, int width, unsigned char *data,
+ int datalen);
+
struct hostent *BIO_gethostbyname(const char *name);
/* We might want a thread-safe interface too:
* struct hostent *BIO_gethostbyname_r(const char *name,
"v3_int,v3_enum,v3_sxnet,v3_cpols,v3_crld,v3_purp,v3_info,"+ -
"v3_ocsp,v3_akeya,v3_pmaps,v3_pcons,v3_ncons,v3_pcia,v3_pci,"+ -
"pcy_cache,pcy_node,pcy_data,pcy_map,pcy_tree,pcy_lib,"+ -
- "v3_asid,v3_addr"
+ "v3_asid,v3_addr,v3_scts"
$ LIB_CONF = "conf_err,conf_lib,conf_api,conf_def,conf_mod,conf_mall,conf_sap"
$ LIB_TXT_DB = "txt_db"
$ LIB_PKCS7 = "pk7_asn1,pk7_lib,pkcs7err,pk7_doit,pk7_smime,pk7_attr,"+ -
* [including the GNU Public Licence.]
*/
-#define NUM_NID 951
-#define NUM_SN 944
-#define NUM_LN 944
-#define NUM_OBJ 883
+#define NUM_NID 955
+#define NUM_SN 948
+#define NUM_LN 948
+#define NUM_OBJ 887
-static const unsigned char lvalues[6188]={
+static const unsigned char lvalues[6228]={
0x00, /* [ 0] OBJ_undef */
0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 1] OBJ_rsadsi */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 7] OBJ_pkcs */
0x2B,0x81,0x04,0x01,0x0E,0x01, /* [6169] OBJ_dhSinglePass_cofactorDH_sha256kdf_scheme */
0x2B,0x81,0x04,0x01,0x0E,0x02, /* [6175] OBJ_dhSinglePass_cofactorDH_sha384kdf_scheme */
0x2B,0x81,0x04,0x01,0x0E,0x03, /* [6181] OBJ_dhSinglePass_cofactorDH_sha512kdf_scheme */
+0x2B,0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x02,/* [6187] OBJ_ct_precert_scts */
+0x2B,0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x03,/* [6197] OBJ_ct_precert_poison */
+0x2B,0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x04,/* [6207] OBJ_ct_precert_signer */
+0x2B,0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x05,/* [6217] OBJ_ct_cert_scts */
};
static const ASN1_OBJECT nid_objs[NUM_NID]={
NID_aes_192_cbc_hmac_sha256,0,NULL,0},
{"AES-256-CBC-HMAC-SHA256","aes-256-cbc-hmac-sha256",
NID_aes_256_cbc_hmac_sha256,0,NULL,0},
+{"ct_precert_scts","CT Precertificate SCTs",NID_ct_precert_scts,10,
+ &(lvalues[6187]),0},
+{"ct_precert_poison","CT Precertificate Poison",NID_ct_precert_poison,
+ 10,&(lvalues[6197]),0},
+{"ct_precert_signer","CT Precertificate Signer",NID_ct_precert_signer,
+ 10,&(lvalues[6207]),0},
+{"ct_cert_scts","CT Certificate SCTs",NID_ct_cert_scts,10,
+ &(lvalues[6217]),0},
};
static const unsigned int sn_objs[NUM_SN]={
884, /* "crossCertificatePair" */
806, /* "cryptocom" */
805, /* "cryptopro" */
+954, /* "ct_cert_scts" */
+952, /* "ct_precert_poison" */
+951, /* "ct_precert_scts" */
+953, /* "ct_precert_signer" */
500, /* "dITRedirect" */
451, /* "dNSDomain" */
495, /* "dSAQuality" */
285, /* "Biometric Info" */
179, /* "CA Issuers" */
785, /* "CA Repository" */
+954, /* "CT Certificate SCTs" */
+952, /* "CT Precertificate Poison" */
+951, /* "CT Precertificate SCTs" */
+953, /* "CT Precertificate Signer" */
131, /* "Code Signing" */
783, /* "Diffie-Hellman based MAC" */
382, /* "Directory" */
138, /* OBJ_ms_efs 1 3 6 1 4 1 311 10 3 4 */
648, /* OBJ_ms_smartcard_login 1 3 6 1 4 1 311 20 2 2 */
649, /* OBJ_ms_upn 1 3 6 1 4 1 311 20 2 3 */
+951, /* OBJ_ct_precert_scts 1 3 6 1 4 1 11129 2 4 2 */
+952, /* OBJ_ct_precert_poison 1 3 6 1 4 1 11129 2 4 3 */
+953, /* OBJ_ct_precert_signer 1 3 6 1 4 1 11129 2 4 4 */
+954, /* OBJ_ct_cert_scts 1 3 6 1 4 1 11129 2 4 5 */
751, /* OBJ_camellia_128_cbc 1 2 392 200011 61 1 1 1 2 */
752, /* OBJ_camellia_192_cbc 1 2 392 200011 61 1 1 1 3 */
753, /* OBJ_camellia_256_cbc 1 2 392 200011 61 1 1 1 4 */
#define SN_dh_cofactor_kdf "dh-cofactor-kdf"
#define NID_dh_cofactor_kdf 947
+#define SN_ct_precert_scts "ct_precert_scts"
+#define LN_ct_precert_scts "CT Precertificate SCTs"
+#define NID_ct_precert_scts 951
+#define OBJ_ct_precert_scts 1L,3L,6L,1L,4L,1L,11129L,2L,4L,2L
+
+#define SN_ct_precert_poison "ct_precert_poison"
+#define LN_ct_precert_poison "CT Precertificate Poison"
+#define NID_ct_precert_poison 952
+#define OBJ_ct_precert_poison 1L,3L,6L,1L,4L,1L,11129L,2L,4L,3L
+
+#define SN_ct_precert_signer "ct_precert_signer"
+#define LN_ct_precert_signer "CT Precertificate Signer"
+#define NID_ct_precert_signer 953
+#define OBJ_ct_precert_signer 1L,3L,6L,1L,4L,1L,11129L,2L,4L,4L
+
+#define SN_ct_cert_scts "ct_cert_scts"
+#define LN_ct_cert_scts "CT Certificate SCTs"
+#define NID_ct_cert_scts 954
+#define OBJ_ct_cert_scts 1L,3L,6L,1L,4L,1L,11129L,2L,4L,5L
+
aes_128_cbc_hmac_sha256 948
aes_192_cbc_hmac_sha256 949
aes_256_cbc_hmac_sha256 950
+ct_precert_scts 951
+ct_precert_poison 952
+ct_precert_signer 953
+ct_cert_scts 954
# NIDs for use with lookup tables.
: dh-std-kdf
: dh-cofactor-kdf
+
+# RFC 6962 Extension OIDs (see http://www.ietf.org/rfc/rfc6962.txt)
+1 3 6 1 4 1 11129 2 4 2 : ct_precert_scts : CT Precertificate SCTs
+1 3 6 1 4 1 11129 2 4 3 : ct_precert_poison : CT Precertificate Poison
+1 3 6 1 4 1 11129 2 4 4 : ct_precert_signer : CT Precertificate Signer
+1 3 6 1 4 1 11129 2 4 5 : ct_cert_scts : CT Certificate SCTs
v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \
v3_ocsp.c v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c v3_pcia.c v3_pci.c \
pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c \
-v3_asid.c v3_addr.c
+v3_asid.c v3_addr.c v3_scts.c
LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \
v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \
v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o v3_purp.o v3_info.o \
v3_ocsp.o v3_akeya.o v3_pmaps.o v3_pcons.o v3_ncons.o v3_pcia.o v3_pci.o \
pcy_cache.o pcy_node.o pcy_data.o pcy_map.o pcy_tree.o pcy_lib.o \
-v3_asid.o v3_addr.o
+v3_asid.o v3_addr.o v3_scts.o
SRC= $(LIBSRC)
extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
extern X509V3_EXT_METHOD v3_addr, v3_asid;
+extern X509V3_EXT_METHOD v3_ct_scts[];
/* This table will be searched using OBJ_bsearch so it *must* kept in
* order of the ext_nid values.
&v3_idp,
&v3_alt[2],
&v3_freshest_crl,
+&v3_ct_scts[0],
+&v3_ct_scts[1],
};
/* Number of standard extensions */
--- /dev/null
+/* v3_scts.c */
+/* Written by Rob Stradling (rob@comodo.com) for the OpenSSL project 2014.
+ */
+/* ====================================================================
+ * Copyright (c) 2014 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/x509v3.h>
+#include <openssl/bn.h>
+#include "../ssl/ssl_locl.h"
+
+static int i2r_scts(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *oct, BIO *out, int indent);
+
+const X509V3_EXT_METHOD v3_ct_scts[] = {
+{ NID_ct_precert_scts, 0, ASN1_ITEM_ref(ASN1_OCTET_STRING),
+0,0,0,0,
+0,0,0,0,
+(X509V3_EXT_I2R)i2r_scts, NULL,
+NULL},
+
+{ NID_ct_cert_scts, 0, ASN1_ITEM_ref(ASN1_OCTET_STRING),
+0,0,0,0,
+0,0,0,0,
+(X509V3_EXT_I2R)i2r_scts, NULL,
+NULL},
+};
+
+static void tls12_signature_print(BIO *out, const unsigned char *data)
+ {
+ int nid = NID_undef;
+ /* RFC6962 only permits two signature algorithms */
+ if (data[0] == TLSEXT_hash_sha256)
+ {
+ if (data[1] == TLSEXT_signature_rsa)
+ nid = NID_sha256WithRSAEncryption;
+ else if (data[1] == TLSEXT_signature_ecdsa)
+ nid = NID_ecdsa_with_SHA256;
+ }
+ if (nid == NID_undef)
+ BIO_printf(out, "%02X%02X", data[0], data[1]);
+ else
+ BIO_printf(out, "%s", OBJ_nid2ln(nid));
+ }
+
+static void timestamp_print(BIO *out, BN_ULLONG timestamp)
+ {
+ ASN1_GENERALIZEDTIME *gen;
+ char genstr[20];
+ gen = ASN1_GENERALIZEDTIME_new();
+ ASN1_GENERALIZEDTIME_adj(gen, (time_t)0,
+ timestamp / 86400000,
+ (timestamp % 86400000) / 1000);
+ /* Note GeneralizedTime from ASN1_GENERALIZETIME_adj is always 15
+ * characters long with a final Z. Update it with fractional seconds.
+ */
+ BIO_snprintf(genstr, sizeof(genstr), "%.14s.%03dZ",
+ ASN1_STRING_data(gen),
+ (unsigned int)(timestamp % 1000));
+ ASN1_GENERALIZEDTIME_set_string(gen, genstr);
+ ASN1_GENERALIZEDTIME_print(out, gen);
+ ASN1_GENERALIZEDTIME_free(gen);
+ }
+
+static int i2r_scts(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *oct,
+ BIO *out, int indent)
+ {
+ BN_ULLONG timestamp;
+ unsigned char* data = oct->data;
+ unsigned short listlen, sctlen = 0, fieldlen;
+
+ if (oct->length < 2)
+ return 0;
+ n2s(data, listlen);
+ if (listlen != oct->length - 2)
+ return 0;
+
+ while (listlen > 0)
+ {
+ if (listlen < 2)
+ return 0;
+ n2s(data, sctlen);
+ listlen -= 2;
+
+ if ((sctlen < 1) || (sctlen > listlen))
+ return 0;
+ listlen -= sctlen;
+
+ BIO_printf(out, "%*sSigned Certificate Timestamp:", indent,
+ "");
+
+ if (*data == 0) /* SCT v1 */
+ {
+ /* Fixed-length header:
+ * struct {
+ * (1 byte) Version sct_version;
+ * (32 bytes) LogID id;
+ * (8 bytes) uint64 timestamp;
+ * (2 bytes + ?) CtExtensions extensions;
+ */
+ if (sctlen < 43)
+ return 0;
+ sctlen -= 43;
+
+ BIO_printf(out, "\n%*sVersion : v1(0)", indent + 4,
+ "");
+
+ BIO_printf(out, "\n%*sLog ID : ", indent + 4, "");
+ BIO_hex_string(out, indent + 16, 16, data + 1, 32);
+
+ data += 33;
+ n2l8(data, timestamp);
+ BIO_printf(out, "\n%*sTimestamp : ", indent + 4, "");
+ timestamp_print(out, timestamp);
+
+ n2s(data, fieldlen);
+ if (sctlen < fieldlen)
+ return 0;
+ sctlen -= fieldlen;
+ BIO_printf(out, "\n%*sExtensions: ", indent + 4, "");
+ if (fieldlen == 0)
+ BIO_printf(out, "none");
+ else
+ BIO_hex_string(out, indent + 16, 16, data,
+ fieldlen);
+ data += fieldlen;
+
+ /* digitally-signed struct header:
+ * (1 byte) Hash algorithm
+ * (1 byte) Signature algorithm
+ * (2 bytes + ?) Signature
+ */
+ if (sctlen < 4)
+ return 0;
+ sctlen -= 4;
+
+ BIO_printf(out, "\n%*sSignature : ", indent + 4, "");
+ tls12_signature_print(out, data);
+ data += 2;
+ n2s(data, fieldlen);
+ if (sctlen != fieldlen)
+ return 0;
+ BIO_printf(out, "\n%*s ", indent + 4, "");
+ BIO_hex_string(out, indent + 16, 16, data, fieldlen);
+ if (listlen > 0) BIO_printf(out, "\n");
+ data += fieldlen;
+ }
+ }
+
+ return 1;
+ }
l|=((BN_ULLONG)(*((c)++)))<< 8, \
l|=((BN_ULLONG)(*((c)++))))
+#define n2l8(c,l) (l =((BN_ULLONG)(*((c)++)))<<56, \
+ l|=((BN_ULLONG)(*((c)++)))<<48, \
+ l|=((BN_ULLONG)(*((c)++)))<<40, \
+ l|=((BN_ULLONG)(*((c)++)))<<32, \
+ l|=((BN_ULLONG)(*((c)++)))<<24, \
+ l|=((BN_ULLONG)(*((c)++)))<<16, \
+ l|=((BN_ULLONG)(*((c)++)))<< 8, \
+ l|=((BN_ULLONG)(*((c)++))))
+
/* NOTE - c is not incremented as per l2c */
#define l2cn(l1,l2,c,n) { \
c+=n; \
projects / openssl / commitdiff