Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
OpenHarmony
Third Party Openssl
提交
2e8cb108
T
Third Party Openssl
项目概览
OpenHarmony
/
Third Party Openssl
9 个月 前同步成功
通知
8
Star
18
Fork
1
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
T
Third Party Openssl
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
前往新版Gitcode,体验更适合开发者的 AI 搜索 >>
提交
2e8cb108
编写于
12月 04, 2012
作者:
D
Dr. Stephen Henson
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
initial support for delta CRL generations by diffing two full CRLs
上级
256f9573
变更
6
隐藏空白更改
内联
并排
Showing
6 changed file
with
198 addition
and
3 deletion
+198
-3
CHANGES
CHANGES
+4
-0
apps/crl.c
apps/crl.c
+53
-2
crypto/asn1/x_crl.c
crypto/asn1/x_crl.c
+1
-0
crypto/x509/x509.h
crypto/x509/x509.h
+12
-0
crypto/x509/x509_err.c
crypto/x509/x509_err.c
+9
-1
crypto/x509/x509_vfy.c
crypto/x509/x509_vfy.c
+119
-0
未找到文件。
CHANGES
浏览文件 @
2e8cb108
...
...
@@ -4,6 +4,10 @@
Changes between 1.0.x and 1.1.0 [xx XXX xxxx]
*) New function X509_CRL_diff to generate a delta CRL from the difference
of two full CRLs. Add support to "crl" utility.
[Steve Henson]
*) New options -CRL and -CRLform for s_client and s_server for CRLs.
[Steve Henson]
...
...
apps/crl.c
浏览文件 @
2e8cb108
...
...
@@ -104,8 +104,8 @@ int MAIN(int argc, char **argv)
char
*
CAfile
=
NULL
,
*
CApath
=
NULL
;
int
ret
=
1
,
i
,
num
,
badops
=
0
,
badsig
=
0
;
BIO
*
out
=
NULL
;
int
informat
,
outformat
;
char
*
infile
=
NULL
,
*
outfile
=
NULL
;
int
informat
,
outformat
,
keyformat
;
char
*
infile
=
NULL
,
*
outfile
=
NULL
,
*
crldiff
=
NULL
,
*
keyfile
=
NULL
;
int
hash
=
0
,
issuer
=
0
,
lastupdate
=
0
,
nextupdate
=
0
,
noout
=
0
,
text
=
0
;
int
fingerprint
=
0
,
crlnumber
=
0
;
const
char
**
pp
;
...
...
@@ -140,6 +140,7 @@ int MAIN(int argc, char **argv)
informat
=
FORMAT_PEM
;
outformat
=
FORMAT_PEM
;
keyformat
=
FORMAT_PEM
;
argc
--
;
argv
++
;
...
...
@@ -168,6 +169,21 @@ int MAIN(int argc, char **argv)
if
(
--
argc
<
1
)
goto
bad
;
infile
=
*
(
++
argv
);
}
else
if
(
strcmp
(
*
argv
,
"-gendelta"
)
==
0
)
{
if
(
--
argc
<
1
)
goto
bad
;
crldiff
=
*
(
++
argv
);
}
else
if
(
strcmp
(
*
argv
,
"-key"
)
==
0
)
{
if
(
--
argc
<
1
)
goto
bad
;
keyfile
=
*
(
++
argv
);
}
else
if
(
strcmp
(
*
argv
,
"-keyform"
)
==
0
)
{
if
(
--
argc
<
1
)
goto
bad
;
keyformat
=
str2fmt
(
*
(
++
argv
));
}
else
if
(
strcmp
(
*
argv
,
"-out"
)
==
0
)
{
if
(
--
argc
<
1
)
goto
bad
;
...
...
@@ -277,6 +293,39 @@ bad:
else
BIO_printf
(
bio_err
,
"verify OK
\n
"
);
}
if
(
crldiff
)
{
X509_CRL
*
newcrl
,
*
delta
;
if
(
!
keyfile
)
{
BIO_puts
(
bio_err
,
"Missing CRL signing key
\n
"
);
goto
end
;
}
newcrl
=
load_crl
(
crldiff
,
informat
);
if
(
!
newcrl
)
goto
end
;
pkey
=
load_key
(
bio_err
,
keyfile
,
keyformat
,
0
,
NULL
,
NULL
,
"CRL signing key"
);
if
(
!
pkey
)
{
X509_CRL_free
(
newcrl
);
goto
end
;
}
delta
=
X509_CRL_diff
(
x
,
newcrl
,
pkey
,
digest
,
0
);
X509_CRL_free
(
newcrl
);
EVP_PKEY_free
(
pkey
);
if
(
delta
)
{
X509_CRL_free
(
x
);
x
=
delta
;
}
else
{
BIO_puts
(
bio_err
,
"Error creating delta CRL
\n
"
);
goto
end
;
}
}
if
(
num
)
{
for
(
i
=
1
;
i
<=
num
;
i
++
)
...
...
@@ -394,6 +443,8 @@ bad:
if
(
!
i
)
{
BIO_printf
(
bio_err
,
"unable to write CRL
\n
"
);
goto
end
;
}
ret
=
0
;
end:
if
(
ret
!=
0
)
ERR_print_errors
(
bio_err
);
BIO_free_all
(
out
);
BIO_free_all
(
bio_out
);
bio_out
=
NULL
;
...
...
crypto/asn1/x_crl.c
浏览文件 @
2e8cb108
...
...
@@ -356,6 +356,7 @@ ASN1_SEQUENCE_ref(X509_CRL, crl_cb, CRYPTO_LOCK_X509_CRL) = {
}
ASN1_SEQUENCE_END_ref
(
X509_CRL
,
X509_CRL
)
IMPLEMENT_ASN1_FUNCTIONS
(
X509_REVOKED
)
IMPLEMENT_ASN1_DUP_FUNCTION
(
X509_REVOKED
)
IMPLEMENT_ASN1_FUNCTIONS
(
X509_CRL_INFO
)
IMPLEMENT_ASN1_FUNCTIONS
(
X509_CRL
)
IMPLEMENT_ASN1_DUP_FUNCTION
(
X509_CRL
)
...
...
crypto/x509/x509.h
浏览文件 @
2e8cb108
...
...
@@ -765,6 +765,7 @@ X509 *X509_dup(X509 *x509);
X509_ATTRIBUTE
*
X509_ATTRIBUTE_dup
(
X509_ATTRIBUTE
*
xa
);
X509_EXTENSION
*
X509_EXTENSION_dup
(
X509_EXTENSION
*
ex
);
X509_CRL
*
X509_CRL_dup
(
X509_CRL
*
crl
);
X509_REVOKED
*
X509_REVOKED_dup
(
X509_REVOKED
*
rev
);
X509_REQ
*
X509_REQ_dup
(
X509_REQ
*
req
);
X509_ALGOR
*
X509_ALGOR_dup
(
X509_ALGOR
*
xn
);
int
X509_ALGOR_set0
(
X509_ALGOR
*
alg
,
ASN1_OBJECT
*
aobj
,
int
ptype
,
void
*
pval
);
...
...
@@ -965,6 +966,9 @@ int X509_CRL_sort(X509_CRL *crl);
int
X509_REVOKED_set_serialNumber
(
X509_REVOKED
*
x
,
ASN1_INTEGER
*
serial
);
int
X509_REVOKED_set_revocationDate
(
X509_REVOKED
*
r
,
ASN1_TIME
*
tm
);
X509_CRL
*
X509_CRL_diff
(
X509_CRL
*
base
,
X509_CRL
*
newer
,
EVP_PKEY
*
skey
,
const
EVP_MD
*
md
,
unsigned
int
flags
);
int
X509_REQ_check_private_key
(
X509_REQ
*
x509
,
EVP_PKEY
*
pkey
);
int
X509_check_private_key
(
X509
*
x509
,
EVP_PKEY
*
pkey
);
...
...
@@ -1245,6 +1249,7 @@ void ERR_load_X509_strings(void);
#define X509_F_X509_ATTRIBUTE_GET0_DATA 139
#define X509_F_X509_ATTRIBUTE_SET1_DATA 138
#define X509_F_X509_CHECK_PRIVATE_KEY 128
#define X509_F_X509_CRL_DIFF 105
#define X509_F_X509_CRL_PRINT_FP 147
#define X509_F_X509_EXTENSION_CREATE_BY_NID 108
#define X509_F_X509_EXTENSION_CREATE_BY_OBJ 109
...
...
@@ -1277,20 +1282,27 @@ void ERR_load_X509_strings(void);
#define X509_F_X509_VERIFY_CERT 127
/* Reason codes. */
#define X509_R_AKID_MISMATCH 110
#define X509_R_BAD_X509_FILETYPE 100
#define X509_R_BASE64_DECODE_ERROR 118
#define X509_R_CANT_CHECK_DH_KEY 114
#define X509_R_CERT_ALREADY_IN_HASH_TABLE 101
#define X509_R_CRL_ALREADY_DELTA 127
#define X509_R_CRL_VERIFY_FAILURE 131
#define X509_R_ERR_ASN1_LIB 102
#define X509_R_IDP_MISMATCH 128
#define X509_R_INVALID_DIRECTORY 113
#define X509_R_INVALID_FIELD_NAME 119
#define X509_R_INVALID_TRUST 123
#define X509_R_ISSUER_MISMATCH 129
#define X509_R_KEY_TYPE_MISMATCH 115
#define X509_R_KEY_VALUES_MISMATCH 116
#define X509_R_LOADING_CERT_DIR 103
#define X509_R_LOADING_DEFAULTS 104
#define X509_R_METHOD_NOT_SUPPORTED 124
#define X509_R_NEWER_CRL_NOT_NEWER 132
#define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY 105
#define X509_R_NO_CRL_NUMBER 130
#define X509_R_PUBLIC_KEY_DECODE_ERROR 125
#define X509_R_PUBLIC_KEY_ENCODE_ERROR 126
#define X509_R_SHOULD_RETRY 106
...
...
crypto/x509/x509_err.c
浏览文件 @
2e8cb108
/* crypto/x509/x509_err.c */
/* ====================================================================
* Copyright (c) 1999-20
06
The OpenSSL Project. All rights reserved.
* Copyright (c) 1999-20
12
The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
...
...
@@ -85,6 +85,7 @@ static ERR_STRING_DATA X509_str_functs[]=
{
ERR_FUNC
(
X509_F_X509_ATTRIBUTE_GET0_DATA
),
"X509_ATTRIBUTE_get0_data"
},
{
ERR_FUNC
(
X509_F_X509_ATTRIBUTE_SET1_DATA
),
"X509_ATTRIBUTE_set1_data"
},
{
ERR_FUNC
(
X509_F_X509_CHECK_PRIVATE_KEY
),
"X509_check_private_key"
},
{
ERR_FUNC
(
X509_F_X509_CRL_DIFF
),
"X509_CRL_diff"
},
{
ERR_FUNC
(
X509_F_X509_CRL_PRINT_FP
),
"X509_CRL_print_fp"
},
{
ERR_FUNC
(
X509_F_X509_EXTENSION_CREATE_BY_NID
),
"X509_EXTENSION_create_by_NID"
},
{
ERR_FUNC
(
X509_F_X509_EXTENSION_CREATE_BY_OBJ
),
"X509_EXTENSION_create_by_OBJ"
},
...
...
@@ -120,20 +121,27 @@ static ERR_STRING_DATA X509_str_functs[]=
static
ERR_STRING_DATA
X509_str_reasons
[]
=
{
{
ERR_REASON
(
X509_R_AKID_MISMATCH
)
,
"akid mismatch"
},
{
ERR_REASON
(
X509_R_BAD_X509_FILETYPE
)
,
"bad x509 filetype"
},
{
ERR_REASON
(
X509_R_BASE64_DECODE_ERROR
)
,
"base64 decode error"
},
{
ERR_REASON
(
X509_R_CANT_CHECK_DH_KEY
)
,
"cant check dh key"
},
{
ERR_REASON
(
X509_R_CERT_ALREADY_IN_HASH_TABLE
),
"cert already in hash table"
},
{
ERR_REASON
(
X509_R_CRL_ALREADY_DELTA
)
,
"crl already delta"
},
{
ERR_REASON
(
X509_R_CRL_VERIFY_FAILURE
)
,
"crl verify failure"
},
{
ERR_REASON
(
X509_R_ERR_ASN1_LIB
)
,
"err asn1 lib"
},
{
ERR_REASON
(
X509_R_IDP_MISMATCH
)
,
"idp mismatch"
},
{
ERR_REASON
(
X509_R_INVALID_DIRECTORY
)
,
"invalid directory"
},
{
ERR_REASON
(
X509_R_INVALID_FIELD_NAME
)
,
"invalid field name"
},
{
ERR_REASON
(
X509_R_INVALID_TRUST
)
,
"invalid trust"
},
{
ERR_REASON
(
X509_R_ISSUER_MISMATCH
)
,
"issuer mismatch"
},
{
ERR_REASON
(
X509_R_KEY_TYPE_MISMATCH
)
,
"key type mismatch"
},
{
ERR_REASON
(
X509_R_KEY_VALUES_MISMATCH
)
,
"key values mismatch"
},
{
ERR_REASON
(
X509_R_LOADING_CERT_DIR
)
,
"loading cert dir"
},
{
ERR_REASON
(
X509_R_LOADING_DEFAULTS
)
,
"loading defaults"
},
{
ERR_REASON
(
X509_R_METHOD_NOT_SUPPORTED
)
,
"method not supported"
},
{
ERR_REASON
(
X509_R_NEWER_CRL_NOT_NEWER
)
,
"newer crl not newer"
},
{
ERR_REASON
(
X509_R_NO_CERT_SET_FOR_US_TO_VERIFY
),
"no cert set for us to verify"
},
{
ERR_REASON
(
X509_R_NO_CRL_NUMBER
)
,
"no crl number"
},
{
ERR_REASON
(
X509_R_PUBLIC_KEY_DECODE_ERROR
),
"public key decode error"
},
{
ERR_REASON
(
X509_R_PUBLIC_KEY_ENCODE_ERROR
),
"public key encode error"
},
{
ERR_REASON
(
X509_R_SHOULD_RETRY
)
,
"should retry"
},
...
...
crypto/x509/x509_vfy.c
浏览文件 @
2e8cb108
...
...
@@ -1888,6 +1888,125 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
return
1
;
}
/* Make a delta CRL as the diff between two full CRLs */
X509_CRL
*
X509_CRL_diff
(
X509_CRL
*
base
,
X509_CRL
*
newer
,
EVP_PKEY
*
skey
,
const
EVP_MD
*
md
,
unsigned
int
flags
)
{
X509_CRL
*
crl
=
NULL
;
int
i
;
STACK_OF
(
X509_REVOKED
)
*
revs
=
NULL
;
/* CRLs can't be delta already */
if
(
base
->
base_crl_number
||
newer
->
base_crl_number
)
{
X509err
(
X509_F_X509_CRL_DIFF
,
X509_R_CRL_ALREADY_DELTA
);
return
NULL
;
}
/* Base and new CRL must have a CRL number */
if
(
!
base
->
crl_number
||
!
newer
->
crl_number
)
{
X509err
(
X509_F_X509_CRL_DIFF
,
X509_R_NO_CRL_NUMBER
);
return
NULL
;
}
/* Issuer names must match */
if
(
X509_NAME_cmp
(
X509_CRL_get_issuer
(
base
),
X509_CRL_get_issuer
(
newer
)))
{
X509err
(
X509_F_X509_CRL_DIFF
,
X509_R_ISSUER_MISMATCH
);
return
NULL
;
}
/* AKID and IDP must match */
if
(
!
crl_extension_match
(
base
,
newer
,
NID_authority_key_identifier
))
{
X509err
(
X509_F_X509_CRL_DIFF
,
X509_R_AKID_MISMATCH
);
return
NULL
;
}
if
(
!
crl_extension_match
(
base
,
newer
,
NID_issuing_distribution_point
))
{
X509err
(
X509_F_X509_CRL_DIFF
,
X509_R_IDP_MISMATCH
);
return
NULL
;
}
/* Newer CRL number must exceed full CRL number */
if
(
ASN1_INTEGER_cmp
(
newer
->
crl_number
,
base
->
crl_number
)
<=
0
)
{
X509err
(
X509_F_X509_CRL_DIFF
,
X509_R_NEWER_CRL_NOT_NEWER
);
return
NULL
;
}
/* CRLs must verify */
if
(
skey
&&
(
X509_CRL_verify
(
base
,
skey
)
<=
0
||
X509_CRL_verify
(
newer
,
skey
)
<=
0
))
{
X509err
(
X509_F_X509_CRL_DIFF
,
X509_R_CRL_VERIFY_FAILURE
);
return
NULL
;
}
/* Create new CRL */
crl
=
X509_CRL_new
();
if
(
!
crl
||
!
X509_CRL_set_version
(
crl
,
1
))
goto
memerr
;
/* Set issuer name */
if
(
!
X509_CRL_set_issuer_name
(
crl
,
X509_CRL_get_issuer
(
newer
)))
goto
memerr
;
if
(
!
X509_CRL_set_lastUpdate
(
crl
,
X509_CRL_get_lastUpdate
(
newer
)))
goto
memerr
;
if
(
!
X509_CRL_set_nextUpdate
(
crl
,
X509_CRL_get_nextUpdate
(
newer
)))
goto
memerr
;
/* Set base CRL number: must be critical */
if
(
!
X509_CRL_add1_ext_i2d
(
crl
,
NID_delta_crl
,
base
->
crl_number
,
1
,
0
))
goto
memerr
;
/* Copy extensions across from newest CRL to delta: this will set
* CRL number to correct value too.
*/
for
(
i
=
0
;
i
<
X509_CRL_get_ext_count
(
newer
);
i
++
)
{
X509_EXTENSION
*
ext
;
ext
=
X509_CRL_get_ext
(
newer
,
i
);
if
(
!
X509_CRL_add_ext
(
crl
,
ext
,
-
1
))
goto
memerr
;
}
/* Go through revoked entries, copying as needed */
revs
=
X509_CRL_get_REVOKED
(
newer
);
for
(
i
=
0
;
i
<
sk_X509_REVOKED_num
(
revs
);
i
++
)
{
X509_REVOKED
*
rvn
,
*
rvtmp
;
rvn
=
sk_X509_REVOKED_value
(
revs
,
i
);
/* Add only if not also in base.
* TODO: need something cleverer here for some more complex
* CRLs covering multiple CAs.
*/
if
(
!
X509_CRL_get0_by_serial
(
base
,
&
rvtmp
,
rvn
->
serialNumber
))
{
rvtmp
=
X509_REVOKED_dup
(
rvn
);
if
(
!
rvtmp
)
goto
memerr
;
if
(
!
X509_CRL_add0_revoked
(
crl
,
rvtmp
))
{
X509_REVOKED_free
(
rvtmp
);
goto
memerr
;
}
}
}
/* TODO: optionally prune deleted entries */
if
(
skey
&&
md
&&
!
X509_CRL_sign
(
crl
,
skey
,
md
))
goto
memerr
;
return
crl
;
memerr:
X509err
(
X509_F_X509_CRL_DIFF
,
ERR_R_MALLOC_FAILURE
);
if
(
crl
)
X509_CRL_free
(
crl
);
return
NULL
;
}
int
X509_STORE_CTX_get_ex_new_index
(
long
argl
,
void
*
argp
,
CRYPTO_EX_new
*
new_func
,
CRYPTO_EX_dup
*
dup_func
,
CRYPTO_EX_free
*
free_func
)
{
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录