gnutls-commit

[SCM] GNU gnutls branch, master, updated. gnutls_3_1_4-40-ga221c87


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_1_4-40-ga221c87
Date: Mon, 19 Nov 2012 23:20:15 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=a221c87220a212680a74e8fdcf840b02bdaa22fa

The branch, master has been updated
       via  a221c87220a212680a74e8fdcf840b02bdaa22fa (commit)
       via  ccb7b18b21c199207fe89d63940ca34c420a29a1 (commit)
       via  04975161925c0a5372c4006d553f0263571fda90 (commit)
       via  e08948f813ac8880a5005677c69806f647a86869 (commit)
       via  a45fa2c779624a21ac99612c36f18f50f2d3f724 (commit)
       via  b8c2738c4ca0d4724a459f69ae519fd37c77d490 (commit)
       via  684d473e5ad88f7e2b7e264ff9c83331f3a82007 (commit)
       via  04111fd7ee4a3ba51f92f1354212ed9dd79be61f (commit)
       via  04785a30d244dd81aa4a86053956b0183ab2440b (commit)
       via  784412eb380cf86a40937574588d9ef11da31124 (commit)
       via  04b490cab2022bf5664696d549a72e3b2a9e8cdf (commit)
       via  fa21bae5ed69aebef11af32a3d96dd24690363e3 (commit)
       via  834586f8b3a768daae8a9e1a193779686445d7ae (commit)
       via  69ef6006d91b265d3a8105d0649827cc7a9f1f6e (commit)
      from  247ff3eecff914e2cc6b9377565232f8eb884af3 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit a221c87220a212680a74e8fdcf840b02bdaa22fa
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Tue Nov 20 00:12:14 2012 +0100

    certtool is able to set certificate policies via a template

commit ccb7b18b21c199207fe89d63940ca34c420a29a1
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Tue Nov 20 00:11:12 2012 +0100

    Added gnutls_x509_crt_set_policy()

commit 04975161925c0a5372c4006d553f0263571fda90
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Nov 19 22:02:00 2012 +0100

    doc update

commit e08948f813ac8880a5005677c69806f647a86869
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Nov 19 21:53:53 2012 +0100

    another rename

commit a45fa2c779624a21ac99612c36f18f50f2d3f724
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Nov 19 21:40:20 2012 +0100

    corrected win32 UCS2 conversion.

commit b8c2738c4ca0d4724a459f69ae519fd37c77d490
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Nov 19 21:37:05 2012 +0100

    simplified naming

commit 684d473e5ad88f7e2b7e264ff9c83331f3a82007
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Nov 19 21:30:36 2012 +0100

    documented update

commit 04111fd7ee4a3ba51f92f1354212ed9dd79be61f
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Nov 19 18:15:38 2012 +0100

    mention the extension OID

commit 04785a30d244dd81aa4a86053956b0183ab2440b
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Nov 19 18:15:01 2012 +0100

    updated certificates to parse 2.5.29.32.

commit 784412eb380cf86a40937574588d9ef11da31124
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Nov 19 18:13:49 2012 +0100

    handle visiblestring.

commit 04b490cab2022bf5664696d549a72e3b2a9e8cdf
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Nov 19 17:59:36 2012 +0100

    Added simple check for bmpstring decoding.

commit fa21bae5ed69aebef11af32a3d96dd24690363e3
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Nov 19 17:41:44 2012 +0100

    Added _gnutls_ucs2_to_utf8() for windows (untested)

commit 834586f8b3a768daae8a9e1a193779686445d7ae
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Nov 19 17:11:29 2012 +0100

    If _gnutls_ucs2_to_utf8() handle the data as non-printable (fallback to 
previous behavior).

commit 69ef6006d91b265d3a8105d0649827cc7a9f1f6e
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Nov 19 00:10:55 2012 +0100

    doc update

-----------------------------------------------------------------------

Summary of changes:
 NEWS                                  |    7 +-
 doc/Makefile.am                       |    6 +
 doc/invoke-certtool.texi              |   13 ++-
 doc/manpages/Makefile.am              |    3 +
 lib/includes/gnutls/x509.h            |   24 +++--
 lib/libgnutls.map                     |    1 +
 lib/pkix.asn                          |    2 +
 lib/pkix_asn1_tab.c                   |    4 +
 lib/system.c                          |   64 +++++++++-
 lib/x509/common.c                     |   30 +++--
 lib/x509/crl.c                        |    8 +-
 lib/x509/crq.c                        |   10 +-
 lib/x509/dn.c                         |   19 +++-
 lib/x509/output.c                     |   12 +-
 lib/x509/pkcs12.c                     |    2 +-
 lib/x509/x509.c                       |   98 ++++++++-------
 lib/x509/x509_write.c                 |  223 ++++++++++++++++++++++++++++++++-
 src/certtool-args.c                   |    2 +-
 src/certtool-args.def                 |   11 ++
 src/certtool-args.h                   |    2 +-
 src/certtool-cfg.c                    |   75 +++++++++++
 src/certtool-cfg.h                    |    1 +
 src/certtool.c                        |    1 +
 tests/cert-tests/Makefile.am          |    3 +-
 tests/cert-tests/aki-cert.pem         |    7 +-
 tests/cert-tests/bmpstring.pem        |  165 ++++++++++++++++++++++++
 tests/cert-tests/no-ca-or-pathlen.pem |    6 +-
 tests/cert-tests/pem-decoding         |   18 +++
 28 files changed, 715 insertions(+), 102 deletions(-)
 create mode 100644 tests/cert-tests/bmpstring.pem

diff --git a/NEWS b/NEWS
index b7e3d91..289b955 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,8 @@ See the end for copying conditions.
 ** libgnutls: Added functions to parse the certificates policies
 extension.
 
+** libgnutls: Handle BMPString (UCS-2) encoding in the DN.
+
 ** libgnutls: Added PKCS #11 key generation function that returns the 
 public key on generation.
 
@@ -17,13 +19,16 @@ affected combined levels. Patch by Tim Kosse.
 --load-privkey in order to print the corresponding public key of a private 
 key.
 
+** certtool: It is able to set certificate policies via a template.
+
 ** p11tool: After key generation, outputs the public key (useful in
 tokens that do not store the public key).
 
 ** API and ABI modifications:
 gnutls_pkcs11_privkey_generate2: Added
 gnutls_x509_crt_get_policy: Added
-gnutls_certificate_policy_release: Added
+gnutls_x509_crt_set_policy: Added
+gnutls_x509_policy_release: Added
 
 
 * Version 3.1.4 (released 2012-11-10)
diff --git a/doc/Makefile.am b/doc/Makefile.am
index bb2624f..f5d26d2 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -1207,6 +1207,8 @@ FUNCS += functions/gnutls_pkcs11_privkey_export_url
 FUNCS += functions/gnutls_pkcs11_privkey_export_url.short
 FUNCS += functions/gnutls_pkcs11_privkey_generate
 FUNCS += functions/gnutls_pkcs11_privkey_generate.short
+FUNCS += functions/gnutls_pkcs11_privkey_generate2
+FUNCS += functions/gnutls_pkcs11_privkey_generate2.short
 FUNCS += functions/gnutls_pkcs11_privkey_get_info
 FUNCS += functions/gnutls_pkcs11_privkey_get_info.short
 FUNCS += functions/gnutls_pkcs11_privkey_get_pk_algorithm
@@ -1937,6 +1939,8 @@ FUNCS += functions/gnutls_x509_crt_get_pk_dsa_raw
 FUNCS += functions/gnutls_x509_crt_get_pk_dsa_raw.short
 FUNCS += functions/gnutls_x509_crt_get_pk_rsa_raw
 FUNCS += functions/gnutls_x509_crt_get_pk_rsa_raw.short
+FUNCS += functions/gnutls_x509_crt_get_policy
+FUNCS += functions/gnutls_x509_crt_get_policy.short
 FUNCS += functions/gnutls_x509_crt_get_preferred_hash_algorithm
 FUNCS += functions/gnutls_x509_crt_get_preferred_hash_algorithm.short
 FUNCS += functions/gnutls_x509_crt_get_private_key_usage_period
@@ -2067,6 +2071,8 @@ FUNCS += functions/gnutls_x509_dn_oid_known
 FUNCS += functions/gnutls_x509_dn_oid_known.short
 FUNCS += functions/gnutls_x509_dn_oid_name
 FUNCS += functions/gnutls_x509_dn_oid_name.short
+FUNCS += functions/gnutls_x509_policy_release
+FUNCS += functions/gnutls_x509_policy_release.short
 FUNCS += functions/gnutls_x509_privkey_cpy
 FUNCS += functions/gnutls_x509_privkey_cpy.short
 FUNCS += functions/gnutls_x509_privkey_deinit
diff --git a/doc/invoke-certtool.texi b/doc/invoke-certtool.texi
index 329c26d..ed52118 100644
--- a/doc/invoke-certtool.texi
+++ b/doc/invoke-certtool.texi
@@ -6,7 +6,7 @@
 # 
 # DO NOT EDIT THIS FILE   (invoke-certtool.texi)
 # 
-# It has been AutoGen-ed  November 11, 2012 at 08:40:03 PM by AutoGen 5.16
+# It has been AutoGen-ed  November 20, 2012 at 12:17:13 AM by AutoGen 5.16
 # From the definitions    ../src/certtool-args.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
@@ -543,9 +543,20 @@ signing_key
 # CA issuers URI
 # ca_issuers_uri = http://my.ca.issuer
 
+# Certificate policies
+# policy = 1.3.6.1.4.1.5484.1.10.99.1.0
+# policy1_txt = "This is a long policy to summarize"
+# policy1_url = http://www.example.com/a-policy-to-read
+
+# policy = 1.3.6.1.4.1.5484.1.10.99.1.1
+# policy2_txt = "This is a short policy"
+# policy2_url = http://www.example.com/another-policy-to-read
+
+
 # Options for proxy certificates
 # proxy_policy_language = 1.3.6.1.5.5.7.21.1
 
+
 # Options for generating a CRL
 
 # next CRL update will be in 43 days (wow)
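Review bot: the template sample is ambiguous about how qualifier lines attach to a policy: both OIDs are given under the same key `policy`, while the text and URL lines are numbered `policy1_txt`/`policy1_url` and `policy2_txt`/`policy2_url`. A reader cannot tell whether the number refers to the first or second `policy` line, or whether the OID keys themselves should be `policy1 = ...`/`policy2 = ...`; make the keys consistent (number the OID keys too, or drop the numbers) in ../src/certtool-args.def, from which this file is generated. The two added blank lines before "Options for proxy certificates" and "Options for generating a CRL" are whitespace-only noise from the same source.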
diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am
index b477482..f336d1d 100644
--- a/doc/manpages/Makefile.am
+++ b/doc/manpages/Makefile.am
@@ -413,6 +413,7 @@ APIMANS += gnutls_pkcs11_obj_set_pin_function.3
 APIMANS += gnutls_pkcs11_privkey_deinit.3
 APIMANS += gnutls_pkcs11_privkey_export_url.3
 APIMANS += gnutls_pkcs11_privkey_generate.3
+APIMANS += gnutls_pkcs11_privkey_generate2.3
 APIMANS += gnutls_pkcs11_privkey_get_info.3
 APIMANS += gnutls_pkcs11_privkey_get_pk_algorithm.3
 APIMANS += gnutls_pkcs11_privkey_import_url.3
@@ -778,6 +779,7 @@ APIMANS += gnutls_x509_crt_get_key_usage.3
 APIMANS += gnutls_x509_crt_get_pk_algorithm.3
 APIMANS += gnutls_x509_crt_get_pk_dsa_raw.3
 APIMANS += gnutls_x509_crt_get_pk_rsa_raw.3
+APIMANS += gnutls_x509_crt_get_policy.3
 APIMANS += gnutls_x509_crt_get_preferred_hash_algorithm.3
 APIMANS += gnutls_x509_crt_get_private_key_usage_period.3
 APIMANS += gnutls_x509_crt_get_proxy.3
@@ -843,6 +845,7 @@ APIMANS += gnutls_x509_dn_import.3
 APIMANS += gnutls_x509_dn_init.3
 APIMANS += gnutls_x509_dn_oid_known.3
 APIMANS += gnutls_x509_dn_oid_name.3
+APIMANS += gnutls_x509_policy_release.3
 APIMANS += gnutls_x509_privkey_cpy.3
 APIMANS += gnutls_x509_privkey_deinit.3
 APIMANS += gnutls_x509_privkey_export.3
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index 88f5293..8a0ad73 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -335,7 +335,7 @@ extern "C"
                                  char **policyLanguage,
                                  char **policy, size_t * sizeof_policy);
 
-#define GNUTLS_MAX_QUALIFIERS 16
+#define GNUTLS_MAX_QUALIFIERS 8
 
   /**
    * gnutls_x509_qualifier_t:
@@ -351,18 +351,24 @@ extern "C"
     GNUTLS_X509_QUALIFIER_NOTICE
   } gnutls_x509_qualifier_t;
 
-  struct gnutls_certificate_policy_st 
+  typedef struct gnutls_x509_policy_st 
     {
-      char* policy_oid;
+      char* oid;
       unsigned int qualifiers;
-      gnutls_x509_qualifier_t qualifier_type[GNUTLS_MAX_QUALIFIERS];
-      char *qualifier_data[GNUTLS_MAX_QUALIFIERS];
-    };
-
-  void gnutls_certificate_policy_release(struct gnutls_certificate_policy_st* 
policy);
+      struct {
+        gnutls_x509_qualifier_t type;
+        char* data;
+        unsigned int size;
+      } qualifier[GNUTLS_MAX_QUALIFIERS];
+    } gnutls_x509_policy_st;
+
+  void gnutls_x509_policy_release(struct gnutls_x509_policy_st* policy);
   int gnutls_x509_crt_get_policy (gnutls_x509_crt_t crt, int indx, 
-                                  struct gnutls_certificate_policy_st* policy,
+                                  struct gnutls_x509_policy_st* policy,
                                   unsigned int * critical);
+  int gnutls_x509_crt_set_policy (gnutls_x509_crt_t crt, struct 
gnutls_x509_policy_st* policy,
+                            unsigned int critical);
+
   int gnutls_x509_dn_oid_known (const char *oid);
 
 #define GNUTLS_X509_DN_OID_RETURN_OID 1
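Review bot: gnutls_x509_crt_set_policy() should take `const struct gnutls_x509_policy_st *policy`, since a setter only reads the caller's structure; the non-const prototype forces callers holding a const policy to cast and implies the function may modify or free it. Lowering GNUTLS_MAX_QUALIFIERS from 16 to 8 and nesting the per-qualifier fields also changes sizeof(struct gnutls_x509_policy_st); that is acceptable only because the type is still in the unreleased section of NEWS, so once it ships the value becomes ABI and must not move again. Minor: the typedef name `gnutls_x509_policy_st` is identical to the struct tag, so the prototypes could drop the `struct` keyword for consistency with the typedef.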
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index f9b3a46..6a53b8f 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -873,6 +873,7 @@ GNUTLS_3_1_0 {
        gnutls_pkcs11_privkey_generate2;
        gnutls_x509_crt_get_policy;
        gnutls_certificate_policy_release;
+       gnutls_x509_crt_set_policy;
 } GNUTLS_3_0_0;
 
 GNUTLS_PRIVATE {
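Review bot: the export list still contains `gnutls_certificate_policy_release;` although this series renames the function to gnutls_x509_policy_release (see the x509.h and NEWS hunks), so the map references a symbol that no longer exists while the renamed release function is not exported at all. Replace the stale line with `gnutls_x509_policy_release;` next to the added `gnutls_x509_crt_set_policy;`.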
diff --git a/lib/pkix.asn b/lib/pkix.asn
index 235b6d7..cc788b7 100644
--- a/lib/pkix.asn
+++ b/lib/pkix.asn
@@ -147,6 +147,7 @@ BMPString ::= [UNIVERSAL 30] IMPLICIT OCTET STRING
 UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
         -- The content of this type conforms to RFC 2279.
 
+VisibleString ::= [UNIVERSAL 26] IMPLICIT OCTET STRING
 
 -- attribute data types --
 
@@ -577,6 +578,7 @@ NoticeReference ::= SEQUENCE {
 
 DisplayText ::= CHOICE {
   ia5String        IA5String      (SIZE (1..200)),
+  visibleString    VisibleString  (SIZE (1..200)),
   bmpString        BMPString      (SIZE (1..200)),
   utf8String       UTF8String     (SIZE (1..200)) }
 
diff --git a/lib/pkix_asn1_tab.c b/lib/pkix_asn1_tab.c
index 280c7cc..168eb6c 100644
--- a/lib/pkix_asn1_tab.c
+++ b/lib/pkix_asn1_tab.c
@@ -117,6 +117,8 @@ const asn1_static_node pkix_asn1_tab[] = {
   { NULL, 4360, "30"},
   { "UTF8String", 1610620935, NULL },
   { NULL, 4360, "12"},
+  { "VisibleString", 1610620935, NULL },
+  { NULL, 4360, "26"},
   { "Attribute", 1610612741, NULL },
   { "type", 1073741826, "AttributeType"},
   { "values", 536870927, NULL },
@@ -411,6 +413,8 @@ const asn1_static_node pkix_asn1_tab[] = {
   { "DisplayText", 1610612754, NULL },
   { "ia5String", 1612709890, "IA5String"},
   { "200", 524298, "1"},
+  { "visibleString", 1612709890, "VisibleString"},
+  { "200", 524298, "1"},
   { "bmpString", 1612709890, "BMPString"},
   { "200", 524298, "1"},
   { "utf8String", 538968066, "UTF8String"},
diff --git a/lib/system.c b/lib/system.c
index 285ffbd..dcca145 100644
--- a/lib/system.c
+++ b/lib/system.c
@@ -519,11 +519,73 @@ cleanup:
   
   return ret;
 }
-#else
+#elif defined(_WIN32)
+#include <winnls.h>
 
 /* Can convert only english */
 int _gnutls_ucs2_to_utf8(const void* data, size_t size, gnutls_datum_t *output)
 {
+int ret;
+unsigned i;
+int len = 0, src_len;
+char* dst = NULL;
+char* src = NULL;
+
+  src_len = size/2;
+
+  src = gnutls_malloc(size);
+  if (src == NULL)
+    return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+
+  /* convert to LE */
+  for (i=0;i<size;i+=2)
+    {
+      src[i] = ((char*)data)[1+i];
+      src[1+i] = ((char*)data)[i];
+    }
+  
+  ret = WideCharToMultiByte(CP_UTF8, MB_ERR_INVALID_CHARS, (void*)src, src_len,
+                            NULL, 0, NULL, NULL);
+  if (ret == 0)
+    {
+      ret = gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
+      goto fail;
+    }
+
+  len = ret+1;
+  dst = gnutls_malloc(len);
+  if (dst == NULL)
+    {
+      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+      goto fail;
+    }
+  
+  ret = WideCharToMultiByte(CP_UTF8, MB_ERR_INVALID_CHARS, (void*)src, src_len,
+                            dst, len, NULL, NULL);
+  if (ret == 0)
+    {
+      ret = gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
+      goto fail;
+    }
+  
+  output->data = dst;
+  output->size = ret;
+  ret = 0;
+  goto cleanup;
+  
+fail:
+  gnutls_free(dst);
+
+cleanup:
+  gnutls_free(src);
+  return ret;
+}
+
+#else
+
+/* Can convert only english (ASCII) */
+int _gnutls_ucs2_to_utf8(const void* data, size_t size, gnutls_datum_t *output)
+{
 unsigned int i, j;
 char* dst;
 const char *src = data;
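Review bot: WideCharToMultiByte() is called with MB_ERR_INVALID_CHARS, which is a MultiByteToWideChar() flag; for CP_UTF8 the only flag values WideCharToMultiByte() accepts are 0 or WC_ERR_INVALID_CHARS (Vista and later), and anything else makes it fail with ERROR_INVALID_FLAGS, so as written (the commit message says untested) every conversion returns 0 and is reported as GNUTLS_E_PARSING_ERROR, which the common.c hunk then quietly turns into hex output. Two further points on the same function: `size` is never checked to be even before the byte-swap loop, so an odd-length BMPString reads `data[size]` and writes `src[size]` one byte past both buffers (reject odd sizes up front with GNUTLS_E_PARSING_ERROR); and `dst` is allocated with `ret+1` bytes but `dst[ret]` is never set to 0, so the result is not NUL-terminated although the extra byte suggests that was intended. The comment "Can convert only english" is also no longer accurate for this variant, which converts any UCS-2 text.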
diff --git a/lib/x509/common.c b/lib/x509/common.c
index fa4dbdc..0eff7a8 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -337,18 +337,23 @@ _gnutls_x509_oid_data2string (const char *oid, void 
*value,
 
           result = _gnutls_ucs2_to_utf8(str, len, &td);
           if (result < 0)
-            return gnutls_assert_val(result);
-            
-          if (td.size >= sizeof(str))
             {
-              gnutls_free(td.data);
-              return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR);
+              /* could not convert. Handle it as non-printable */
+              non_printable = 1;
+              ucs2 = 0;
             }
-            
-          memcpy(str, td.data, td.size);
-          len = td.size;
+          else
+            {
+              if (td.size >= sizeof(str))
+                {
+                  gnutls_free(td.data);
+                  return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR);
+                }
+              memcpy(str, td.data, td.size);
+              len = td.size;
           
-          gnutls_free(td.data);
+              gnutls_free(td.data);
+            }
         }
       else if (teletex != 0)
         {
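Review bot: the error returned by _gnutls_ucs2_to_utf8() is discarded when the fallback branch is taken, so a failed conversion leaves no trace even with debugging enabled; add a gnutls_assert() in that branch so that a broken converter (for example the Windows variant in lib/system.c, or any non-ASCII BMPString on the ASCII-only fallback) is visible rather than surfacing only as an unexpectedly hex-encoded DN element. It is also worth a line in NEWS that a BMPString that cannot be converted is now printed as hex instead of being rejected with GNUTLS_E_ASN1_DER_ERROR, since callers that compared DN strings may now see different output for the same certificate on different platforms.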
@@ -370,7 +375,7 @@ _gnutls_x509_oid_data2string (const char *oid, void *value,
 
           /* Refuse to deal with strings containing NULs. */
           if (strlen (str) != (size_t)len)
-            return GNUTLS_E_ASN1_DER_ERROR;
+            return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR);
 
           if (res)
             _gnutls_str_cpy (res, *res_size, str);
@@ -380,10 +385,7 @@ _gnutls_x509_oid_data2string (const char *oid, void *value,
         {
           result = _gnutls_x509_data2hex (str, (size_t)len, res, res_size);
           if (result < 0)
-            {
-              gnutls_assert ();
-              return result;
-            }
+            return gnutls_assert_val(result);
         }
     }
 
diff --git a/lib/x509/crl.c b/lib/x509/crl.c
index f156b43..b69a1c8 100644
--- a/lib/x509/crl.c
+++ b/lib/x509/crl.c
@@ -188,7 +188,7 @@ gnutls_x509_crl_get_issuer_dn (const gnutls_x509_crl_t crl, 
char *buf,
  * @crl: should contain a gnutls_x509_crl_t structure
  * @oid: holds an Object Identified in null terminated string
  * @indx: In case multiple same OIDs exist in the RDN, this specifies which to 
send. Use (0) to get the first one.
- * @raw_flag: If non (0) returns the raw DER data of the DN part.
+ * @raw_flag: If non-zero returns the raw DER data of the DN part.
  * @buf: a pointer to a structure to hold the peer's name (may be null)
  * @sizeof_buf: initially holds the size of @buf
  *
@@ -761,7 +761,7 @@ _get_authority_key_id (gnutls_x509_crl_t cert, ASN1_TYPE 
*c2,
  * @alt_type: holds the type of the alternative name (one of 
gnutls_x509_subject_alt_name_t).
  * @serial: buffer to store the serial number (may be null)
  * @serial_size: Holds the size of the serial field (may be null)
- * @critical: will be non (0) if the extension is marked as critical (may be 
null)
+ * @critical: will be non-zero if the extension is marked as critical (may be 
null)
  *
  * This function will return the X.509 authority key
  * identifier when stored as a general name (authorityCertIssuer) 
@@ -830,7 +830,7 @@ fail:
  * @crl: should contain a #gnutls_x509_crl_t structure
  * @id: The place where the identifier will be copied
  * @id_size: Holds the size of the result field.
- * @critical: will be non (0) if the extension is marked as critical
+ * @critical: will be non-zero if the extension is marked as critical
  *   (may be null)
  *
  * This function will return the CRL authority's key identifier.  This
@@ -881,7 +881,7 @@ gnutls_x509_crl_get_authority_key_id (gnutls_x509_crl_t 
crl, void *id,
  * @crl: should contain a #gnutls_x509_crl_t structure
  * @ret: The place where the number will be copied
  * @ret_size: Holds the size of the result field.
- * @critical: will be non (0) if the extension is marked as critical
+ * @critical: will be non-zero if the extension is marked as critical
  *   (may be null)
  *
  * This function will return the CRL number extension.  This is
diff --git a/lib/x509/crq.c b/lib/x509/crq.c
index 19a7b68..853d145 100644
--- a/lib/x509/crq.c
+++ b/lib/x509/crq.c
@@ -261,7 +261,7 @@ gnutls_x509_crq_get_dn (gnutls_x509_crq_t crq, char *buf, 
size_t * sizeof_buf)
  * @oid: holds an Object Identified in null terminated string
  * @indx: In case multiple same OIDs exist in the RDN, this specifies
  *   which to send. Use (0) to get the first one.
- * @raw_flag: If non (0) returns the raw DER data of the DN part.
+ * @raw_flag: If non-zero returns the raw DER data of the DN part.
  * @buf: a pointer to a structure to hold the name (may be %NULL)
  * @sizeof_buf: initially holds the size of @buf
  *
@@ -1572,7 +1572,7 @@ gnutls_x509_crq_get_extension_data (gnutls_x509_crq_t 
crq, int indx,
  * gnutls_x509_crq_get_key_usage:
  * @crq: should contain a #gnutls_x509_crq_t structure
  * @key_usage: where the key usage bits will be stored
- * @critical: will be non (0) if the extension is marked as critical
+ * @critical: will be non-zero if the extension is marked as critical
  *
  * This function will return certificate's key usage, by reading the
  * keyUsage X.509 extension (2.5.29.15).  The key usage value will
@@ -1629,7 +1629,7 @@ gnutls_x509_crq_get_key_usage (gnutls_x509_crq_t crq,
 /**
  * gnutls_x509_crq_get_basic_constraints:
  * @crq: should contain a #gnutls_x509_crq_t structure
- * @critical: will be non (0) if the extension is marked as critical
+ * @critical: will be non-zero if the extension is marked as critical
  * @ca: pointer to output integer indicating CA status, may be NULL,
  *   value is 1 if the certificate CA flag is set, 0 otherwise.
  * @pathlen: pointer to output integer indicating path length (may be
@@ -1777,7 +1777,7 @@ get_subject_alt_name (gnutls_x509_crq_t crq,
  * @ret: is the place where the alternative name will be copied to
  * @ret_size: holds the size of ret.
  * @ret_type: holds the #gnutls_x509_subject_alt_name_t name type
- * @critical: will be non (0) if the extension is marked as critical
+ * @critical: will be non-zero if the extension is marked as critical
  *   (may be null)
  *
  * This function will return the alternative names, contained in the
@@ -1852,7 +1852,7 @@ gnutls_x509_crq_get_subject_alt_othername_oid 
(gnutls_x509_crq_t crq,
  *   specifies which to send. Use (0) to get the first one.
  * @buf: a pointer to a structure to hold the name (may be null)
  * @sizeof_buf: initially holds the size of @buf
- * @critical: will be non (0) if the extension is marked as critical
+ * @critical: will be non-zero if the extension is marked as critical
  *
  * This function will return the extension specified by the OID in
  * the certificate.  The extensions will be returned as binary data
diff --git a/lib/x509/dn.c b/lib/x509/dn.c
index 9506969..238e28e 100644
--- a/lib/x509/dn.c
+++ b/lib/x509/dn.c
@@ -623,6 +623,17 @@ cleanup:
   return result;
 }
 
+static int is_printable(char p)
+{
+  if ((p >= 'a' && p <= 'z') || (p >= 'A' && p <= 'Z') ||
+      (p >= '0' && p <= '9') || p == ' ' || p == '(' || p == ')' ||
+      p == '(' || p == '+' || p == ',' || p == '-' || p == '.' || 
+      p == '/' || p == ':' || p == '=' || p == '?')
+    return 1;
+    
+  return 0;
+}
+
 /* This will encode and write the AttributeTypeAndValue field.
  * 'multi' must be (0) if writing an AttributeTypeAndValue, and 1 if Attribute.
  * In all cases only one value is written.
@@ -667,12 +678,12 @@ _gnutls_x509_encode_and_write_attribute (const char 
*given_oid,
 
       string_type = "printableString";
 
-      /* Check if the data is plain ascii, and use
+      /* Check if the data is ASN.1 printable, and use
        * the UTF8 string type if not.
        */
       for (i = 0; i < sizeof_data; i++)
         {
-          if (!isascii (data[i]))
+          if (!is_printable (data[i]))
             {
               string_type = "utf8String";
               break;
@@ -796,7 +807,7 @@ _gnutls_x509_write_attribute (const char *given_oid,
 /* Decodes an X.509 Attribute (if multi==1) or an AttributeTypeAndValue
  * otherwise.
  *
- * octet_string should be non (0) if we are to decode octet strings after
+ * octet_string should be non-zero if we are to decode octet strings after
  * decoding.
  *
  * The output is allocated and stored in value.
@@ -1075,7 +1086,7 @@ gnutls_x509_rdn_get (const gnutls_datum_t * idn,
  * @oid: an Object Identifier
  * @indx: In case multiple same OIDs exist in the RDN indicates which
  *   to send. Use 0 for the first one.
- * @raw_flag: If non (0) then the raw DER data are returned.
+ * @raw_flag: If non-zero then the raw DER data are returned.
  * @buf: a pointer to a structure to hold the peer's name
  * @sizeof_buf: holds the size of @buf
  *
diff --git a/lib/x509/output.c b/lib/x509/output.c
index a77484b..47945a9 100644
--- a/lib/x509/output.c
+++ b/lib/x509/output.c
@@ -960,7 +960,7 @@ print_extensions (gnutls_buffer_st * str, const char 
*prefix, int type,
         }
       else if (strcmp (oid, "2.5.29.32") == 0)
         {
-          struct gnutls_certificate_policy_st policy;
+          struct gnutls_x509_policy_st policy;
           const char* name;
           int x;
 
@@ -977,18 +977,18 @@ print_extensions (gnutls_buffer_st * str, const char 
*prefix, int type,
                 }
 
               addf (str, "%s\t\tCertificate Policies (%s):\n", prefix, 
critical ? _("critical") : _("not critical"));
-              addf (str, "%s\t\t\t%s\n", prefix, policy.policy_oid);
+              addf (str, "%s\t\t\t%s\n", prefix, policy.oid);
               for (j=0;j<policy.qualifiers;j++)
                 {
-                  if (policy.qualifier_type[j]==GNUTLS_X509_QUALIFIER_URI)
+                  if (policy.qualifier[j].type==GNUTLS_X509_QUALIFIER_URI)
                     name = "URI";
-                  else if 
(policy.qualifier_type[j]==GNUTLS_X509_QUALIFIER_NOTICE)
+                  else if 
(policy.qualifier[j].type==GNUTLS_X509_QUALIFIER_NOTICE)
                     name = "Note";
                   else name = "Unknown qualifier";
-                  addf (str, "%s\t\t\t\t%s: %s\n", prefix, name, 
policy.qualifier_data[j]);
+                  addf (str, "%s\t\t\t\t%s: %s\n", prefix, name, 
policy.qualifier[j].data);
                 }
           
-              gnutls_certificate_policy_release (&policy);
+              gnutls_x509_policy_release (&policy);
             }
         }
       else if (strcmp (oid, "2.5.29.35") == 0)
diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
index a980ce2..edd0682 100644
--- a/lib/x509/pkcs12.c
+++ b/lib/x509/pkcs12.c
@@ -1228,7 +1228,7 @@ write_attributes (gnutls_pkcs12_bag_t bag, int elem,
 
 
 /* Encodes the bag into a SafeContents structure, and puts the output in
- * the given datum. Enc is set to non (0) if the data are encrypted;
+ * the given datum. Enc is set to non-zero if the data are encrypted;
  */
 int
 _pkcs12_encode_safe_contents (gnutls_pkcs12_bag_t bag, ASN1_TYPE * contents,
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index 235cce7..7c65e7d 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -278,7 +278,7 @@ gnutls_x509_crt_get_issuer_dn (gnutls_x509_crt_t cert, char 
*buf,
  * @cert: should contain a #gnutls_x509_crt_t structure
  * @oid: holds an Object Identified in null terminated string
  * @indx: In case multiple same OIDs exist in the RDN, this specifies which to 
send. Use (0) to get the first one.
- * @raw_flag: If non (0) returns the raw DER data of the DN part.
+ * @raw_flag: If non-zero returns the raw DER data of the DN part.
  * @buf: a pointer to a structure to hold the name (may be null)
  * @buf_size: initially holds the size of @buf
  *
@@ -390,7 +390,7 @@ gnutls_x509_crt_get_dn (gnutls_x509_crt_t cert, char *buf,
  * @cert: should contain a #gnutls_x509_crt_t structure
  * @oid: holds an Object Identified in null terminated string
  * @indx: In case multiple same OIDs exist in the RDN, this specifies which to 
send. Use (0) to get the first one.
- * @raw_flag: If non (0) returns the raw DER data of the DN part.
+ * @raw_flag: If non-zero returns the raw DER data of the DN part.
  * @buf: a pointer where the DN part will be copied (may be null).
  * @buf_size: initially holds the size of @buf
  *
@@ -735,7 +735,7 @@ gnutls_x509_crt_get_serial (gnutls_x509_crt_t cert, void 
*result,
  * @cert: should contain a #gnutls_x509_crt_t structure
  * @ret: The place where the identifier will be copied
  * @ret_size: Holds the size of the result field.
- * @critical: will be non (0) if the extension is marked as critical (may be 
null)
+ * @critical: will be non-zero if the extension is marked as critical (may be 
null)
  *
  * This function will return the X.509v3 certificate's subject key
  * identifier.  This is obtained by the X.509 Subject Key identifier
@@ -876,7 +876,7 @@ _get_authority_key_id (gnutls_x509_crt_t cert, ASN1_TYPE 
*c2,
  * @alt_type: holds the type of the alternative name (one of 
gnutls_x509_subject_alt_name_t).
  * @serial: buffer to store the serial number (may be null)
  * @serial_size: Holds the size of the serial field (may be null)
- * @critical: will be non (0) if the extension is marked as critical (may be 
null)
+ * @critical: will be non-zero if the extension is marked as critical (may be 
null)
  *
  * This function will return the X.509 authority key
  * identifier when stored as a general name (authorityCertIssuer) 
@@ -941,7 +941,7 @@ fail:
  * @cert: should contain a #gnutls_x509_crt_t structure
  * @id: The place where the identifier will be copied
  * @id_size: Holds the size of the id field.
- * @critical: will be non (0) if the extension is marked as critical (may be 
null)
+ * @critical: will be non-zero if the extension is marked as critical (may be 
null)
  *
  * This function will return the X.509v3 certificate authority's key
  * identifier.  This is obtained by the X.509 Authority Key
@@ -1315,7 +1315,7 @@ get_alt_name (gnutls_x509_crt_t cert, const char 
*extension_id,
  * @seq: specifies the sequence number of the alt name (0 for the first one, 1 
for the second etc.)
  * @san: is the place where the alternative name will be copied to
  * @san_size: holds the size of san.
- * @critical: will be non (0) if the extension is marked as critical (may be 
null)
+ * @critical: will be non-zero if the extension is marked as critical (may be 
null)
  *
  * This function retrieves the Alternative Name (2.5.29.17), contained
  * in the given certificate in the X509v3 Certificate Extensions.
@@ -1355,7 +1355,7 @@ gnutls_x509_crt_get_subject_alt_name (gnutls_x509_crt_t 
cert,
  * @seq: specifies the sequence number of the alt name (0 for the first one, 1 
for the second etc.)
  * @ian: is the place where the alternative name will be copied to
  * @ian_size: holds the size of ian.
- * @critical: will be non (0) if the extension is marked as critical (may be 
null)
+ * @critical: will be non-zero if the extension is marked as critical (may be 
null)
  *
  * This function retrieves the Issuer Alternative Name (2.5.29.18),
  * contained in the given certificate in the X509v3 Certificate
@@ -1399,7 +1399,7 @@ gnutls_x509_crt_get_issuer_alt_name (gnutls_x509_crt_t 
cert,
  * @san: is the place where the alternative name will be copied to
  * @san_size: holds the size of ret.
  * @san_type: holds the type of the alternative name (one of 
gnutls_x509_subject_alt_name_t).
- * @critical: will be non (0) if the extension is marked as critical (may be 
null)
+ * @critical: will be non-zero if the extension is marked as critical (may be 
null)
  *
  * This function will return the alternative names, contained in the
  * given certificate. It is the same as
@@ -1434,7 +1434,7 @@ gnutls_x509_crt_get_subject_alt_name2 (gnutls_x509_crt_t 
cert,
  * @ian: is the place where the alternative name will be copied to
  * @ian_size: holds the size of ret.
  * @ian_type: holds the type of the alternative name (one of 
gnutls_x509_subject_alt_name_t).
- * @critical: will be non (0) if the extension is marked as critical (may be 
null)
+ * @critical: will be non-zero if the extension is marked as critical (may be 
null)
  *
  * This function will return the alternative names, contained in the
  * given certificate. It is the same as
@@ -1546,7 +1546,7 @@ gnutls_x509_crt_get_issuer_alt_othername_oid 
(gnutls_x509_crt_t cert,
 /**
  * gnutls_x509_crt_get_basic_constraints:
  * @cert: should contain a #gnutls_x509_crt_t structure
- * @critical: will be non (0) if the extension is marked as critical
+ * @critical: will be non-zero if the extension is marked as critical
  * @ca: pointer to output integer indicating CA status, may be NULL,
  *   value is 1 if the certificate CA flag is set, 0 otherwise.
  * @pathlen: pointer to output integer indicating path length (may be
@@ -1612,7 +1612,7 @@ gnutls_x509_crt_get_basic_constraints (gnutls_x509_crt_t 
cert,
 /**
  * gnutls_x509_crt_get_ca_status:
  * @cert: should contain a #gnutls_x509_crt_t structure
- * @critical: will be non (0) if the extension is marked as critical
+ * @critical: will be non-zero if the extension is marked as critical
  *
  * This function will return certificates CA status, by reading the
  * basicConstraints X.509 extension (2.5.29.19). If the certificate is
@@ -1639,7 +1639,7 @@ gnutls_x509_crt_get_ca_status (gnutls_x509_crt_t cert, 
unsigned int *critical)
  * gnutls_x509_crt_get_key_usage:
  * @cert: should contain a #gnutls_x509_crt_t structure
  * @key_usage: where the key usage bits will be stored
- * @critical: will be non (0) if the extension is marked as critical
+ * @critical: will be non-zero if the extension is marked as critical
  *
  * This function will return certificate's key usage, by reading the
  * keyUsage X.509 extension (2.5.29.15). The key usage value will ORed
@@ -1700,7 +1700,7 @@ gnutls_x509_crt_get_key_usage (gnutls_x509_crt_t cert,
 /**
  * gnutls_x509_crt_get_proxy:
  * @cert: should contain a #gnutls_x509_crt_t structure
- * @critical: will be non (0) if the extension is marked as critical
+ * @critical: will be non-zero if the extension is marked as critical
  * @pathlen: pointer to output integer indicating path length (may be
  *   NULL), non-negative error codes indicate a present pCPathLenConstraint
  *   field and the actual value, -1 indicate that the field is absent.
@@ -1760,36 +1760,36 @@ gnutls_x509_crt_get_proxy (gnutls_x509_crt_t cert,
 }
 
 /**
- * gnutls_certificate_policy_release:
+ * gnutls_x509_policy_release:
  * @policy: a certificate policy
  *
  * This function will deinitialize all memory associated with the provided
  * @policy. The policy is allocated using gnutls_x509_crt_get_policy().
  *
  **/
-void gnutls_certificate_policy_release(struct gnutls_certificate_policy_st* 
policy)
+void gnutls_x509_policy_release(struct gnutls_x509_policy_st* policy)
 {
 unsigned i;
 
-  gnutls_free(policy->policy_oid);
+  gnutls_free(policy->oid);
   for (i=0;i<policy->qualifiers;i++)
-    gnutls_free(policy->qualifier_data[i]);
+    gnutls_free(policy->qualifier[i].data);
 }
 
-static int decode_user_notice(const void* data, size_t size, char** txt)
+static int decode_user_notice(const void* data, size_t size, gnutls_datum_t 
*txt)
 {
   ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
   int ret, len;
   char choice_type[64];
   char name[128];
-  gnutls_datum_t td, td2;
+  gnutls_datum_t td, utd;
 
   ret = asn1_create_element
     (_gnutls_get_pkix (), "PKIX1.UserNotice", &c2);
   if (ret != ASN1_SUCCESS)
     {
       gnutls_assert ();
-      ret = _gnutls_asn2err (ret);
+      ret = GNUTLS_E_PARSING_ERROR;
       goto cleanup;
     }
 
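Review bot: gnutls_x509_policy_release frees policy->oid and each qualifier[i].data but leaves the pointers and policy->qualifiers in place, so releasing the same structure twice, or reusing it after a release, double-frees; add `policy->oid = NULL;` and `policy->qualifiers = 0;` after the loop (or memset the struct). In the same hunk, decode_user_notice now reports an asn1_create_element failure as GNUTLS_E_PARSING_ERROR, which labels an allocation or structure-definition failure as malformed input; keeping `ret = _gnutls_asn2err (ret);` for that first check preserves the distinction, while the later decoding failures can reasonably stay as parsing errors.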
@@ -1797,7 +1797,7 @@ static int decode_user_notice(const void* data, size_t 
size, char** txt)
   if (ret != ASN1_SUCCESS)
     {
       gnutls_assert ();
-      ret = _gnutls_asn2err (ret);
+      ret = GNUTLS_E_PARSING_ERROR;
       goto cleanup;
     }
   
@@ -1806,12 +1806,12 @@ static int decode_user_notice(const void* data, size_t 
size, char** txt)
   if (ret != ASN1_SUCCESS)
     {
       gnutls_assert ();
-      ret = _gnutls_asn2err (ret);
+      ret = GNUTLS_E_PARSING_ERROR;
       goto cleanup;
     }
 
   if (strcmp(choice_type, "utf8String") != 0 && strcmp(choice_type, 
"IA5String") != 0 &&
-      strcmp(choice_type, "bmpString") != 0)
+      strcmp(choice_type, "bmpString") != 0 && strcmp(choice_type, 
"visibleString") != 0)
     {
       gnutls_assert();
       ret = GNUTLS_E_PARSING_ERROR;
@@ -1821,7 +1821,7 @@ static int decode_user_notice(const void* data, size_t 
size, char** txt)
   snprintf (name, sizeof (name), "explicitText.%s", choice_type);
 
   ret = _gnutls_x509_read_value(c2, name, &td);
-  if (ret != ASN1_SUCCESS)
+  if (ret < 0)
     {
       gnutls_assert ();
       goto cleanup;
@@ -1829,7 +1829,7 @@ static int decode_user_notice(const void* data, size_t 
size, char** txt)
 
   if (strcmp(choice_type, "bmpString") == 0)
     { /* convert to UTF-8 */
-      ret = _gnutls_ucs2_to_utf8(td.data, td.size, &td2);
+      ret = _gnutls_ucs2_to_utf8(td.data, td.size, &utd);
       _gnutls_free_datum(&td);
       if (ret < 0)
         {
@@ -1837,8 +1837,8 @@ static int decode_user_notice(const void* data, size_t 
size, char** txt)
           goto cleanup;
         }
         
-      td.data = td2.data;
-      td.size = td2.size;
+      td.data = utd.data;
+      td.size = utd.size;
     }
   else
     {
@@ -1846,7 +1846,8 @@ static int decode_user_notice(const void* data, size_t 
size, char** txt)
       td.data[td.size] = 0;
     }
 
-  *txt = (void*)td.data;
+  txt->data = (void*)td.data;
+  txt->size = td.size;
   ret = 0;
 
 cleanup:
@@ -1860,20 +1861,21 @@ cleanup:
  * @cert: should contain a #gnutls_x509_crt_t structure
  * @indx: This specifies which policy to return. Use (0) to get the first one.
  * @policy: A pointer to a policy structure.
- * @critical: will be non (0) if the extension is marked as critical
+ * @critical: will be non-zero if the extension is marked as critical
  *
- * This function will extract the certificate policy specified by the
- * given index. 
+ * This function will extract the certificate policy (extension 2.5.29.32) 
+ * specified by the given index. 
  *
- * If @oid is null then only the size will be filled. The @oid
- * returned will be null terminated, although @oid_size will not
- * account for the trailing null.
+ * The policy returned by this function must be deinitialized by using
+ * gnutls_x509_policy_release().
  *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, 
%GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
  * if the extension is not present, otherwise a negative error value.
  **/
 int
-gnutls_x509_crt_get_policy (gnutls_x509_crt_t crt, int indx, struct 
gnutls_certificate_policy_st* policy, unsigned int *critical)
+gnutls_x509_crt_get_policy (gnutls_x509_crt_t crt, int indx, 
+                            struct gnutls_x509_policy_st* policy, 
+                            unsigned int *critical)
 {
   ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
   char tmpstr[128];
@@ -1936,7 +1938,7 @@ gnutls_x509_crt_get_policy (gnutls_x509_crt_t crt, int 
indx, struct gnutls_certi
       gnutls_assert();
       goto cleanup;
     }
-  policy->policy_oid = (void*)tmpd.data;
+  policy->oid = (void*)tmpd.data;
   tmpd.data = NULL;
   
   for (i=0;i<GNUTLS_MAX_QUALIFIERS;i++)
@@ -1969,12 +1971,15 @@ gnutls_x509_crt_get_policy (gnutls_x509_crt_t crt, int 
indx, struct gnutls_certi
               goto full_cleanup;
             }
 
-          policy->qualifier_data[i] = (void*)td.data;
+          policy->qualifier[i].data = (void*)td.data;
+          policy->qualifier[i].size = td.size;
           td.data = NULL;
-          policy->qualifier_type[i] = GNUTLS_X509_QUALIFIER_URI;
+          policy->qualifier[i].type = GNUTLS_X509_QUALIFIER_URI;
         }
       else if (strcmp(tmpoid, "1.3.6.1.5.5.7.2.2") == 0)
         {
+          gnutls_datum_t txt;
+
           snprintf (tmpstr, sizeof (tmpstr), 
"?%u.policyQualifiers.?%u.qualifier", indx, i+1);
 
           ret = _gnutls_x509_read_string(c2, tmpstr, &td, RV_RAW);
@@ -1984,7 +1989,7 @@ gnutls_x509_crt_get_policy (gnutls_x509_crt_t crt, int 
indx, struct gnutls_certi
               goto full_cleanup;
             }
 
-          ret = decode_user_notice(td.data, td.size, 
&policy->qualifier_data[i]);
+          ret = decode_user_notice(td.data, td.size, &txt);
           gnutls_free(td.data);
           td.data = NULL;
 
@@ -1994,21 +1999,22 @@ gnutls_x509_crt_get_policy (gnutls_x509_crt_t crt, int 
indx, struct gnutls_certi
               goto full_cleanup;
             }
 
-          policy->qualifier_type[i] = GNUTLS_X509_QUALIFIER_NOTICE;
+          policy->qualifier[i].data = (void*)txt.data;
+          policy->qualifier[i].size = txt.size;
+          policy->qualifier[i].type = GNUTLS_X509_QUALIFIER_NOTICE;
         }
       else
-        policy->qualifier_type[i] = GNUTLS_X509_QUALIFIER_UNKNOWN;
+        policy->qualifier[i].type = GNUTLS_X509_QUALIFIER_UNKNOWN;
       
       policy->qualifiers++;
     
     }
-  
 
   ret = 0;
   goto cleanup;
   
 full_cleanup:
-  gnutls_certificate_policy_release(policy);
+  gnutls_x509_policy_release(policy);
 
 cleanup:
   _gnutls_free_datum (&tmpd);
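Review bot: the GNUTLS_X509_QUALIFIER_UNKNOWN branch sets only qualifier[i].type, yet policy->qualifiers is still incremented right below it, and gnutls_x509_policy_release calls gnutls_free on qualifier[i].data for every index below that count; unless the policy structure is zeroed before the loop (not visible in this hunk), that frees an indeterminate pointer. Set `policy->qualifier[i].data = NULL;` and `policy->qualifier[i].size = 0;` in that branch so the release is safe regardless of how the caller initialized the struct.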
@@ -2024,7 +2030,7 @@ cleanup:
  * @indx: In case multiple same OIDs exist in the extensions, this specifies 
which to send. Use (0) to get the first one.
  * @buf: a pointer to a structure to hold the name (may be null)
  * @buf_size: initially holds the size of @buf
- * @critical: will be non (0) if the extension is marked as critical
+ * @critical: will be non-zero if the extension is marked as critical
  *
  * This function will return the extension specified by the OID in the
  * certificate.  The extensions will be returned as binary data DER
@@ -2902,7 +2908,7 @@ gnutls_x509_crt_get_verify_algorithm (gnutls_x509_crt_t 
crt,
  * gnutls_x509_crt_get_preferred_hash_algorithm:
  * @crt: Holds the certificate
  * @hash: The result of the call with the hash algorithm used for signature
- * @mand: If non (0) it means that the algorithm MUST use this hash. May be 
NULL.
+ * @mand: If non-zero it means that the algorithm MUST use this hash. May be 
NULL.
  *
  * This function will read the certifcate and return the appropriate digest
  * algorithm to use for signing with this certificate. Some certificates (i.e.
@@ -3051,7 +3057,7 @@ gnutls_x509_crt_verify_hash (gnutls_x509_crt_t crt, 
unsigned int flags,
  * @ret: is the place where the distribution point will be copied to
  * @ret_size: holds the size of ret.
  * @reason_flags: Revocation reasons. An ORed sequence of flags from 
%gnutls_x509_crl_reason_flags_t.
- * @critical: will be non (0) if the extension is marked as critical (may be 
null)
+ * @critical: will be non-zero if the extension is marked as critical (may be 
null)
  *
  * This function retrieves the CRL distribution points (2.5.29.31),
  * contained in the given certificate in the X509v3 Certificate
diff --git a/lib/x509/x509_write.c b/lib/x509/x509_write.c
index 40cd55b..62ed9c0 100644
--- a/lib/x509/x509_write.c
+++ b/lib/x509/x509_write.c
@@ -382,7 +382,7 @@ gnutls_x509_crt_set_crq_extensions (gnutls_x509_crt_t crt,
  * @oid: holds an Object Identified in null terminated string
  * @buf: a pointer to a DER encoded data
  * @sizeof_buf: holds the size of @buf
- * @critical: should be non (0) if the extension is to be marked as critical
+ * @critical: should be non-zero if the extension is to be marked as critical
  *
  * This function will set an the extension, by the specified OID, in
  * the certificate.  The extension data should be binary data DER
@@ -1544,3 +1544,224 @@ cleanup:
   
   return ret;
 }
+
+static int encode_user_notice(const gnutls_datum_t* txt, gnutls_datum_t 
*der_data)
+{
+  int result;
+  ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
+
+  if ((result =
+       asn1_create_element (_gnutls_get_pkix (),
+                            "PKIX1.UserNotice",
+                            &c2)) != ASN1_SUCCESS)
+    {
+      gnutls_assert ();
+      result = _gnutls_asn2err (result);
+      goto error;
+    }
+
+  /* delete noticeRef */
+  result =
+    asn1_write_value (c2, "noticeRef", NULL, 0);
+  if (result != ASN1_SUCCESS)
+    {
+      gnutls_assert ();
+      result = _gnutls_asn2err (result);
+      goto error;
+    }
+
+  result =
+    asn1_write_value (c2, "explicitText", "utf8String", 1);
+  if (result != ASN1_SUCCESS)
+    {
+      gnutls_assert ();
+      result = _gnutls_asn2err (result);
+      goto error;
+    }
+
+  result =
+    asn1_write_value (c2, "explicitText.utf8String", txt->data, txt->size);
+  if (result != ASN1_SUCCESS)
+    {
+      gnutls_assert ();
+      result = _gnutls_asn2err (result);
+      goto error;
+    }
+
+  result = _gnutls_x509_der_encode(c2, "", der_data, 0);
+  if (result < 0)
+    {
+      gnutls_assert ();
+      goto error;
+    }
+
+  result = 0;
+
+error:
+  asn1_delete_structure (&c2);
+  return result;
+
+}
+
+/**
+ * gnutls_x509_crt_set_policy:
+ * @cert: should contain a #gnutls_x509_crt_t structure
+ * @policy: A pointer to a policy structure.
+ * @critical: use non-zero if the extension is marked as critical
+ *
+ * This function will set the certificate policy extension (2.5.29.32).
+ * Multiple calls to this function append a new policy.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error value.
+ **/
+int
+gnutls_x509_crt_set_policy (gnutls_x509_crt_t crt, struct 
gnutls_x509_policy_st* policy,
+                            unsigned int critical)
+{
+  int result;
+  unsigned i;
+  gnutls_datum_t der_data, tmpd, prev_der_data = {NULL, 0};
+  ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
+  const char* oid;
+
+  if (crt == NULL)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_INVALID_REQUEST;
+    }
+
+  result = _gnutls_x509_crt_get_extension (crt, "2.5.29.32", 0,
+                                           &prev_der_data, NULL);
+  if (result < 0 && result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+    {
+      gnutls_assert ();
+      return result;
+    }
+
+  result =
+    asn1_create_element (_gnutls_get_pkix (), "PKIX1.certificatePolicies", 
&c2);
+  if (result != ASN1_SUCCESS)
+    {
+      gnutls_assert ();
+      result = _gnutls_asn2err (result);
+      goto cleanup;
+    }
+  
+  if (prev_der_data.data != NULL)
+    {
+      result =
+        asn1_der_decoding (&c2, prev_der_data.data, prev_der_data.size,
+                           NULL);
+
+      if (result != ASN1_SUCCESS)
+        {
+          gnutls_assert ();
+          result = _gnutls_asn2err (result);
+          goto cleanup;
+        }
+    }
+
+  /* 1. write a new policy */
+  result = asn1_write_value (c2, "", "NEW", 1);
+  if (result != ASN1_SUCCESS)
+    {
+      gnutls_assert ();
+      result = _gnutls_asn2err (result);
+      goto cleanup;
+    }
+
+  /* 2. Add the OID.
+   */
+  result = asn1_write_value (c2, "?LAST.policyIdentifier", policy->oid, 1);
+  if (result != ASN1_SUCCESS)
+    {
+      gnutls_assert ();
+      result = _gnutls_asn2err (result);
+      goto cleanup;
+    }
+
+  for (i=0;i<MIN(policy->qualifiers,GNUTLS_MAX_QUALIFIERS);i++)
+    {
+      result = asn1_write_value (c2, "?LAST.policyQualifiers", "NEW", 1);
+      if (result != ASN1_SUCCESS)
+        {
+          gnutls_assert ();
+          result = _gnutls_asn2err (result);
+          goto cleanup;
+        }
+
+      if (policy->qualifier[i].type == GNUTLS_X509_QUALIFIER_URI)
+        oid = "1.3.6.1.5.5.7.2.1";
+      else if (policy->qualifier[i].type == GNUTLS_X509_QUALIFIER_NOTICE)
+        oid = "1.3.6.1.5.5.7.2.2";
+      else
+        {
+          result = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+          goto cleanup;
+        }
+
+      result = asn1_write_value (c2, 
"?LAST.policyQualifiers.?LAST.policyQualifierId", oid, 1);
+      if (result != ASN1_SUCCESS)
+        {
+          gnutls_assert ();
+          result = _gnutls_asn2err (result);
+          goto cleanup;
+        }
+
+      if (policy->qualifier[i].type == GNUTLS_X509_QUALIFIER_URI)
+        {
+          tmpd.data = (void*)policy->qualifier[i].data;
+          tmpd.size = policy->qualifier[i].size;
+          
+          result = _gnutls_x509_write_value(c2, 
"?LAST.policyQualifiers.?LAST.qualifier", 
+                                            &tmpd, RV_IA5STRING);
+          if (result < 0)
+            {
+              gnutls_assert();
+              goto cleanup;
+            }
+        }
+      else if (policy->qualifier[i].type == GNUTLS_X509_QUALIFIER_NOTICE)
+        {
+          tmpd.data = (void*)policy->qualifier[i].data;
+          tmpd.size = policy->qualifier[i].size;
+
+          result = encode_user_notice(&tmpd, &der_data);
+          if (result < 0)
+            {
+              gnutls_assert();
+              goto cleanup;
+            }
+
+          result = _gnutls_x509_write_value(c2, 
"?LAST.policyQualifiers.?LAST.qualifier", 
+                                            &der_data, RV_RAW);
+          _gnutls_free_datum(&der_data);
+          if (result < 0)
+            {
+              gnutls_assert();
+              goto cleanup;
+            }
+        }
+    }
+
+  result = _gnutls_x509_der_encode (c2, "", &der_data, 0);
+  if (result < 0)
+    {
+      gnutls_assert();
+      goto cleanup;
+    }
+
+  result = _gnutls_x509_crt_set_extension (crt, "2.5.29.32",
+                                           &der_data, 0);
+
+  _gnutls_free_datum(&der_data);
+
+  crt->use_extensions = 1;
+
+cleanup:
+  asn1_delete_structure (&c2);
+  _gnutls_free_datum(&prev_der_data);
+
+  return result;
+}
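Review bot: the `critical` parameter of gnutls_x509_crt_set_policy is never used: the final call is `_gnutls_x509_crt_set_extension (crt, "2.5.29.32", &der_data, 0);`, so the extension is always written non-critical and a caller passing non-zero gets a certificate that differs from what the documentation promises; pass `critical` as the last argument. Three smaller points in the same hunk: (1) the loop bound `MIN(policy->qualifiers,GNUTLS_MAX_QUALIFIERS)` silently drops qualifiers past the limit, where returning GNUTLS_E_INVALID_REQUEST would be the safer failure; (2) encode_user_notice writes the caller's bytes straight into explicitText.utf8String without checking that they are valid UTF-8 or within the SIZE (1..200) constraint RFC 5280 places on DisplayText, so a template-supplied string can produce an extension that strict parsers reject, and a length check plus a UTF-8 validity check before `asn1_write_value` would catch that at generation time; (3) `crt->use_extensions = 1;` is set even when `_gnutls_x509_crt_set_extension` failed, and `policy` / `policy->oid` are not checked for NULL alongside `crt`.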
diff --git a/src/certtool-args.c b/src/certtool-args.c
index 26d78f9..33f7ad0 100644
--- a/src/certtool-args.c
+++ b/src/certtool-args.c
@@ -2,7 +2,7 @@
  *  
  *  DO NOT EDIT THIS FILE   (certtool-args.c)
  *  
- *  It has been AutoGen-ed  November 11, 2012 at 08:37:40 PM by AutoGen 5.16
+ *  It has been AutoGen-ed  November 20, 2012 at 12:12:56 AM by AutoGen 5.16
  *  From the definitions    certtool-args.def
  *  and the template file   options
  *
diff --git a/src/certtool-args.def b/src/certtool-args.def
index 480c16e..34c2d42 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -633,9 +633,20 @@ signing_key
 # CA issuers URI
 # ca_issuers_uri = http://my.ca.issuer
 
+# Certificate policies
+# policy = 1.3.6.1.4.1.5484.1.10.99.1.0
+# policy1_txt = "This is a long policy to summarize"
+# policy1_url = http://www.example.com/a-policy-to-read
+
+# policy = 1.3.6.1.4.1.5484.1.10.99.1.1
+# policy2_txt = "This is a short policy"
+# policy2_url = http://www.example.com/another-policy-to-read
+
+
 # Options for proxy certificates
 # proxy_policy_language = 1.3.6.1.5.5.7.21.1
 
+
 # Options for generating a CRL
 
 # next CRL update will be in 43 days (wow)
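Review bot: the template comments do not say how the policy*_txt and policy*_url keys are paired with the policy lines: the parser in certtool-cfg.c numbers them by the order in which the `policy` lines appear (policy1_* for the first, policy2_* for the second), so a reader could reasonably assume the number refers to something in the OID. One sentence stating that the suffix is the 1-based position of the corresponding `policy` line would avoid mis-set qualifiers. The sample OIDs under 1.3.6.1.4.1.5484.1.10.99.1 are also the real policy arc of the CSCA-HELLAS certificate used in tests/cert-tests/bmpstring.pem; an obviously private placeholder arc would be better in a template users copy from. The two extra blank lines added before "# Options for proxy certificates" and "# Options for generating a CRL" look unintentional.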
diff --git a/src/certtool-args.h b/src/certtool-args.h
index 6c0b944..46af66d 100644
--- a/src/certtool-args.h
+++ b/src/certtool-args.h
@@ -2,7 +2,7 @@
  *  
  *  DO NOT EDIT THIS FILE   (certtool-args.h)
  *  
- *  It has been AutoGen-ed  November 11, 2012 at 08:37:40 PM by AutoGen 5.16
+ *  It has been AutoGen-ed  November 20, 2012 at 12:12:55 AM by AutoGen 5.16
  *  From the definitions    certtool-args.def
  *  and the template file   options
  *
diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c
index 768c58d..c2cf1c1 100644
--- a/src/certtool-cfg.c
+++ b/src/certtool-cfg.c
@@ -61,6 +61,9 @@ typedef struct _cfg_ctx
   char *challenge_password;
   char *pkcs9_email;
   char *country;
+  char **policy_oid;
+  char *policy_txt[MAX_ENTRIES];
+  char *policy_url[MAX_ENTRIES];
   char **dc;
   char **dns_name;
   char **uri;
@@ -182,6 +185,7 @@ template_parse (const char *template)
   unsigned int i;
   tOptionValue const * pov;
   const tOptionValue* val;
+  char tmpstr[256];
 
   pov = configFileLoad(template);
   if (pov == NULL)
@@ -232,6 +236,29 @@ template_parse (const char *template)
   if (val != NULL && val->valType == OPARG_TYPE_STRING)
     cfg.country = strdup(val->v.strVal);
   
+  READ_MULTI_LINE("policy", cfg.policy_oid);
+  
+  if (cfg.policy_oid != NULL) 
+    {
+      int i = 0;
+      while(cfg.policy_oid[i] != NULL) 
+        {
+          snprintf(tmpstr, sizeof(tmpstr), "policy%d_url", i+1);
+          val = optionGetValue(pov, tmpstr);
+          if (val != NULL && val->valType == OPARG_TYPE_STRING)
+            cfg.policy_url[i] = strdup(val->v.strVal);
+
+          snprintf(tmpstr, sizeof(tmpstr), "policy%d_txt", i+1);
+          val = optionGetValue(pov, tmpstr);
+          if (val != NULL && val->valType == OPARG_TYPE_STRING)
+            {
+              cfg.policy_txt[i] = strdup(val->v.strVal);
+            }
+          
+          i++;
+        }
+    }
+  
   READ_MULTI_LINE("dc", cfg.dc);
   READ_MULTI_LINE("dns_name", cfg.dns_name);
   READ_MULTI_LINE("uri", cfg.uri);
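Review bot: the while loop indexes cfg.policy_txt[i] and cfg.policy_url[i], which are fixed arrays of MAX_ENTRIES (see the _cfg_ctx change above), but cfg.policy_oid is an unbounded char** filled by READ_MULTI_LINE, so a template with more than MAX_ENTRIES `policy` lines writes past both arrays; bound the loop with `i < MAX_ENTRIES` (and report the excess) or allocate policy_txt/policy_url dynamically to match policy_oid. The `int i = 0;` declared inside the block also shadows the function-level `unsigned int i` from the hunk above, which is legal but easy to misread.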
@@ -1212,6 +1239,54 @@ get_dns_name_set (int type, void *crt)
 }
 
 void
+get_policy_set (gnutls_x509_crt_t crt)
+{
+  int ret = 0, i;
+  gnutls_x509_policy_st policy;
+
+  if (batch)
+    {
+      if (!cfg.policy_oid)
+        return;
+
+      for (i = 0; cfg.policy_oid[i] != NULL; i++)
+        {
+          memset(&policy, 0, sizeof(policy));
+          policy.oid = cfg.policy_oid[i];
+          
+          if (cfg.policy_txt[i] != NULL)
+            {
+              policy.qualifier[policy.qualifiers].type = 
GNUTLS_X509_QUALIFIER_NOTICE;
+              policy.qualifier[policy.qualifiers].data = cfg.policy_txt[i];
+              policy.qualifier[policy.qualifiers].size = 
strlen(cfg.policy_txt[i]);
+              policy.qualifiers++;
+            }
+
+          if (cfg.policy_url[i] != NULL)
+            {
+              policy.qualifier[policy.qualifiers].type = 
GNUTLS_X509_QUALIFIER_URI;
+              policy.qualifier[policy.qualifiers].data = cfg.policy_url[i];
+              policy.qualifier[policy.qualifiers].size = 
strlen(cfg.policy_url[i]);
+              policy.qualifiers++;
+            }
+
+fprintf(stderr, "setting policy %s with %d qualifiers\n", policy.oid, 
policy.qualifiers);
+          
+          ret =
+            gnutls_x509_crt_set_policy (crt, &policy, 0);
+          if (ret < 0)
+            break;
+        }
+    }
+
+  if (ret < 0)
+    {
+      fprintf (stderr, "set_policy: %s\n", gnutls_strerror (ret));
+      exit (1);
+    }
+}
+
+void
 get_uri_set (int type, void *crt)
 {
   int ret = 0, i;
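Review bot: the unindented `fprintf(stderr, "setting policy %s with %d qualifiers\n", ...)` between the qualifier setup and the gnutls_x509_crt_set_policy call reads as a leftover debugging statement; it prints on every batch run and should be removed or placed under the existing verbose handling. Minor: `%d` is used for policy.qualifiers, which the release loop in x509.c iterates with an unsigned counter, so `%u` is the matching conversion; and get_policy_set takes `gnutls_x509_crt_t` directly while its siblings (get_dns_name_set, get_uri_set) take `(int type, void *crt)`, which is fine for a certificate-only extension but worth a short comment since the TYPE_CRT convention is otherwise uniform here.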
diff --git a/src/certtool-cfg.h b/src/certtool-cfg.h
index 878ecac..bcb96d7 100644
--- a/src/certtool-cfg.h
+++ b/src/certtool-cfg.h
@@ -67,6 +67,7 @@ int get_encrypt_status (int server);
 int get_sign_status (int server);
 void get_ip_addr_set (int type, void *crt);
 void get_dns_name_set (int type, void *crt);
+void get_policy_set (gnutls_x509_crt_t);
 void get_uri_set (int type, void *crt);
 void get_email_set (int type, void *crt);
 int get_ipsec_ike_status (void);
diff --git a/src/certtool.c b/src/certtool.c
index 2f2eca7..dd34e3a 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -399,6 +399,7 @@ generate_certificate (gnutls_privkey_t * ret_key,
       get_dns_name_set (TYPE_CRT, crt);
       get_uri_set (TYPE_CRT, crt);
       get_ip_addr_set (TYPE_CRT, crt);
+      get_policy_set (crt);
 
       if (server != 0)
         {
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index 15ac543..faa998f 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -21,7 +21,8 @@
 
 EXTRA_DIST = ca-no-pathlen.pem no-ca-or-pathlen.pem aki-cert.pem \
        template-test.key template-test.pem template-test.tmpl \
-       funny-spacing.pem ca-certs.pem dane-test.rr cert-ecc256.pem
+       funny-spacing.pem ca-certs.pem dane-test.rr cert-ecc256.pem \
+       bmpstring.pem
 
 dist_check_SCRIPTS = pathlen aki template-test pem-decoding dane
 
diff --git a/tests/cert-tests/aki-cert.pem b/tests/cert-tests/aki-cert.pem
index a7573fe..f2d8992 100644
--- a/tests/cert-tests/aki-cert.pem
+++ b/tests/cert-tests/aki-cert.pem
@@ -35,9 +35,10 @@ X.509 Certificate Information:
                Basic Constraints (critical):
                        Certificate Authority (CA): TRUE
                        Path Length Constraint: 0
-               Unknown extension 2.5.29.32 (not critical):
-                       ASCII: 
0g0e..`.H...E....0V0(..+.........https://www.verisign.com/cps0*..+.......0...https://www.verisign.com/rpa
-                       Hexdump: 
30673065060b6086480186f845010717033056302806082b06010505070201161c68747470733a2f2f7777772e766572697369676e2e636f6d2f637073302a06082b06010505070202301e1a1c68747470733a2f2f7777772e766572697369676e2e636f6d2f727061
+               Certificate Policies (not critical):
+                       2.16.840.1.113733.1.7.23.3
+                               URI: https://www.verisign.com/cps
+                               Note: https://www.verisign.com/rpa
                CRL Distribution points (not critical):
                        URI: http://crl.verisign.com/pca3-g2.crl
                Key Usage (critical):
diff --git a/tests/cert-tests/bmpstring.pem b/tests/cert-tests/bmpstring.pem
new file mode 100644
index 0000000..a1cbe14
--- /dev/null
+++ b/tests/cert-tests/bmpstring.pem
@@ -0,0 +1,165 @@
+X.509 Certificate Information:
+       Version: 3
+       Serial Number (hex): 57
+       Issuer: serialNumber=1,O=Hellenic Republic,CN=CSCA-HELLAS,OU=Hellenic 
Police,C=GR,address@hidden
+       Validity:
+               Not Before: Sun Aug 21 08:00:06 UTC 2011
+               Not After: Wed Nov 23 21:59:59 UTC 2016
+       Subject: serialNumber=3,O=Hellenic 
Republic,CN=CSCA-HELLAS,C=GR,address@hidden
+       Subject Public Key Algorithm: RSA
+       Certificate Security Level: High (4096 bits)
+               Modulus (bits 4096):
+                       00:e0:95:b2:04:5a:91:78:1f:7f:1c:33:7f:d0:3a:e1
+                       2c:a7:4c:19:be:43:30:c2:8b:b7:1a:1d:9d:80:43:30
+                       fe:80:d6:87:ff:f3:f2:43:37:16:c2:1f:0f:50:f4:bf
+                       3b:a4:18:c6:d2:da:ab:56:d3:db:99:23:9f:df:3d:dc
+                       0a:12:61:1f:ec:e6:9a:64:bf:10:ed:50:60:ee:c9:fa
+                       a4:82:22:97:89:d3:c0:d1:d0:ed:68:83:8a:4a:22:3f
+                       c8:ee:99:5d:96:81:f1:3f:b2:6e:d3:7e:75:26:06:b4
+                       d9:e1:df:a7:55:84:37:45:a9:79:6a:46:37:9f:91:ba
+                       95:5f:d2:70:1b:18:34:6a:c0:70:59:57:7a:68:ca:42
+                       89:05:4d:40:f7:60:e2:44:a5:29:6a:ac:83:6d:2f:c0
+                       2b:3f:4b:34:09:03:31:18:e8:e1:e0:59:37:d4:ca:76
+                       87:9b:fb:b3:1c:6d:94:bb:0d:3b:d1:c3:34:de:3b:d3
+                       4d:c7:0b:19:fb:49:f8:f0:db:28:45:36:88:af:2e:ae
+                       66:01:f6:60:24:ea:99:11:f7:dc:9c:32:84:5e:ee:d0
+                       ed:a1:e0:d9:f8:9e:a2:69:ab:a7:e0:7e:a8:78:bc:27
+                       73:58:49:03:22:2a:87:e3:06:a5:d2:00:10:ac:34:90
+                       8f:0b:09:f2:d2:74:67:b7:da:00:19:47:e6:c6:70:23
+                       de:a9:76:72:6e:4c:23:5c:26:66:dd:4c:e1:3b:19:35
+                       26:a4:d1:47:de:11:26:78:ad:94:be:71:6d:12:35:62
+                       61:e2:99:1e:56:e6:93:f7:e2:f1:82:36:ff:9c:0d:eb
+                       f6:2d:5a:2e:ab:63:8c:67:d4:8d:50:7f:65:c8:7f:f6
+                       d5:ef:bd:3e:0f:d3:7a:e6:29:c5:04:ea:0c:dc:46:f0
+                       4e:3e:3f:9e:e9:6d:66:fd:48:a1:b9:49:11:41:4c:84
+                       d4:82:8b:dd:dc:f4:ff:67:1a:8a:d2:ae:42:39:55:73
+                       df:59:e8:eb:f2:d7:9e:7f:dd:79:d4:c1:b7:8c:ca:5c
+                       fe:20:4e:a2:02:19:28:18:32:b3:ba:20:72:dd:2c:8a
+                       82:d0:b3:9e:aa:ed:84:af:4f:f3:7e:01:49:7e:cf:95
+                       48:ed:a2:dc:2b:af:ed:a6:8e:97:fb:3b:6c:af:bd:0d
+                       b4:7a:13:49:0e:a7:9b:26:cb:16:72:ed:72:49:f6:03
+                       28:c8:b6:ae:84:ce:35:0b:a5:42:2e:d4:fd:cd:d1:49
+                       0a:8d:4d:2d:c6:5f:e1:53:ec:4e:93:9d:eb:23:4e:14
+                       88:b5:4a:d5:3c:51:fd:d8:ff:b8:b5:06:41:62:36:80
+                       69
+               Exponent (bits 24):
+                       01:00:01
+       Extensions:
+               Private Key Usage Period (not critical):
+                       Not Before: Sun Aug 21 08:00:06 UTC 2011
+                       Not After: Tue Aug 23 20:59:59 UTC 2011
+               Key Usage (critical):
+                       Certificate signing.
+                       CRL signing.
+               Subject Key Identifier (not critical):
+                       bd20bb15eaa7f91ee490df087a52e7aa08b0d7e6
+               Authority Key Identifier (not critical):
+                       ecbcade39b163389122e04667889e156699ccbdf
+               Basic Constraints (critical):
+                       Certificate Authority (CA): TRUE
+                       Path Length Constraint: 0
+               CRL Distribution points (not critical):
+                       URI: http://www.passport.gov.gr/csca/csca.crl
+               Certificate Policies (not critical):
+                       1.3.6.1.4.1.5484.1.10.99.1.0
+                               Note: This Certificate is governed by the 
referred Policies and the Certification Practice Statement of the Greek Country 
Signing Certification Authority (CSCA-GREECE), which form an integral part of 
the Ce
+                               URI: http://www.passport.gov.gr/csca/policies/
+       Signature Algorithm: RSA-SHA256
+       Signature:
+               3c:81:d2:be:59:6f:2a:c6:d7:92:79:2a:21:3c:32:72
+               58:24:43:d1:38:59:e8:ec:76:ed:07:4a:c0:82:eb:90
+               8b:2d:62:c4:60:55:ce:1c:a0:dc:c8:93:36:4c:36:72
+               9c:52:46:40:2c:5b:27:29:63:7c:9c:4c:31:e7:20:8e
+               9d:72:f4:8d:de:f9:50:27:57:58:6b:3b:4f:58:3b:59
+               d7:c0:3f:d3:9c:61:2b:2b:04:92:b6:68:1c:42:16:69
+               11:1f:01:41:5a:e6:7d:30:42:a7:2b:f5:a7:15:db:ae
+               0e:54:d2:41:79:3d:c6:c0:23:80:80:9b:9a:11:0d:00
+               2d:66:52:4d:3a:1c:cd:cd:d6:eb:f9:50:b2:e1:9a:00
+               a8:b8:9b:b7:1a:36:0e:5a:12:b0:e1:b1:fd:69:e1:0d
+               dc:22:0d:10:e1:af:f7:0f:82:27:a1:76:7e:37:cd:53
+               69:3c:e0:6b:ee:b1:1a:36:6a:db:cd:fa:e3:92:fb:18
+               1c:23:d5:c2:09:93:eb:5a:dd:2c:cd:95:4a:e5:96:1e
+               44:43:d9:0b:97:11:b7:36:62:64:16:57:84:96:e5:15
+               35:be:10:5a:77:f1:f1:7d:ae:db:76:32:77:82:26:47
+               04:e6:34:d2:82:07:f0:6e:a4:17:12:bc:09:ef:0d:7e
+               00:7a:c6:e4:e9:93:17:aa:8c:25:97:7c:d7:b2:ea:60
+               2a:29:54:f1:0d:c8:fa:e8:91:3d:b0:b3:15:fc:63:cc
+               11:49:40:a7:52:5c:d0:0f:e2:df:13:d3:65:e1:d6:3d
+               f2:c7:6d:7c:19:f0:5d:79:0e:18:22:8b:89:5b:68:26
+               5c:25:5b:0f:e2:9d:f3:50:a1:a0:5d:98:93:ed:45:f0
+               94:e2:6b:51:bc:ca:58:16:f1:e4:37:37:32:d2:7d:c7
+               b2:cb:00:a9:90:45:ad:b4:29:91:dc:6a:1b:19:e7:20
+               df:9e:96:5a:17:4b:8a:e6:fb:3d:11:3b:ed:79:e4:9c
+               55:62:1a:60:e2:d0:97:06:63:ea:9e:48:1e:f3:93:90
+               9b:d4:a4:3e:21:05:97:99:25:6d:27:09:99:34:7b:f2
+               80:a3:04:89:c1:e9:b9:5a:cf:df:39:40:23:e3:8c:22
+               18:d3:d1:71:4e:86:e8:b6:bf:eb:f5:11:97:cf:d7:54
+               65:62:c6:d4:fe:b7:f9:2d:ed:4a:8c:98:d2:96:aa:7f
+               78:32:b6:63:ee:e2:51:64:24:74:9b:de:56:6f:21:45
+               cb:b5:48:a3:1f:33:5a:98:e5:29:5e:9b:e0:1f:fd:46
+               45:eb:4f:34:15:7c:4a:be:a3:07:40:3c:33:3d:34:74
+Other Information:
+       SHA-1 fingerprint:
+               8b730ffbd11677aaaf8600b893927d9e402c3f2d
+       Public Key Id:
+               3c7fd9a47b17ed6f81ce80c326d147fd3b991444
+       Public key's random art:
+               +--[ RSA 4096]----+
+               |            . oE |
+               |           . . . |
+               |        . .   . .|
+               |       o . .   o |
+               |        S o   + =|
+               |       . B . * B.|
+               |        o o B ..+|
+               |           . +. +|
+               |            .. oo|
+               +-----------------+
+
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/no-ca-or-pathlen.pem 
b/tests/cert-tests/no-ca-or-pathlen.pem
index 086feb4..0a87919 100644
--- a/tests/cert-tests/no-ca-or-pathlen.pem
+++ b/tests/cert-tests/no-ca-or-pathlen.pem
@@ -23,9 +23,9 @@ X.509 Certificate Information:
        Extensions:
                Basic Constraints (not critical):
                        Certificate Authority (CA): FALSE
-               Unknown extension 2.5.29.32 (not critical):
-                       ASCII: 
0;09..`.H...E....0*0(..+.........https://www.verisign.com/rpa
-                       Hexdump: 
303b3039060b6086480186f84501070108302a302806082b06010505070201161c68747470733a2f2f7777772e766572697369676e2e636f6d2f727061
+               Certificate Policies (not critical):
+                       2.16.840.1.113733.1.7.1.8
+                               URI: https://www.verisign.com/rpa
                Unknown extension 2.16.840.1.113730.1.1 (not critical):
                        ASCII: ....
                        Hexdump: 03020780
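Review bot: the new expected output prints the policy qualifier as a bare `URI:` line under `2.16.840.1.113733.1.7.1.8`, but the removed `Hexdump:` line shows the qualifier is specifically id-qt-cps (`06082b06010505070201` is 1.3.6.1.5.5.7.2.1), so consider labelling it as a CPS pointer (for example `CPS URI:`) so it cannot be confused with a URI from some other qualifier type; the decoded OID and URI themselves match the encoded bytes (`060b6086480186f84501070108` and the `https://www.verisign.com/rpa` text), so the expected-output change is otherwise correct.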
diff --git a/tests/cert-tests/pem-decoding b/tests/cert-tests/pem-decoding
index 62cc0ee..715488e 100755
--- a/tests/cert-tests/pem-decoding
+++ b/tests/cert-tests/pem-decoding
@@ -25,6 +25,7 @@ set -e
 srcdir=${srcdir:-.}
 CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT}
 
+#check whether "funny" spaces can be interpreted
 $CERTTOOL --certificate-info --infile $srcdir/funny-spacing.pem >/dev/null 2>&1
 rc=$?
 
@@ -33,4 +34,21 @@ if test "$rc" != "0"; then
   exit $rc
 fi
 
+#check whether a BMPString attribute can be properly decoded
+$CERTTOOL --certificate-info --infile $srcdir/bmpstring.pem >tmp-pem.pem
+rc=$?
+
+if test "$rc" != "0"; then
+  exit $rc
+fi
+
+diff $srcdir/bmpstring.pem tmp-pem.pem
+rc=$?
+
+if test "$rc" != "0"; then
+  exit $rc
+fi
+
+rm -f tmp-pem.pem
+
 exit 0
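Review bot: the `rc=$?` / `if test "$rc" != "0"` blocks after `$CERTTOOL ... >tmp-pem.pem` and after `diff ...` are dead code because the hunk context shows the script runs under `set -e`: a non-zero exit from either command terminates the script before `rc=$?` is reached (the test still fails, but with the command's own status and without running the later `rm -f tmp-pem.pem`, so a stale `tmp-pem.pem` is left behind on failure). Either drop the explicit checks and rely on `set -e`, or capture the status in a way that survives it, e.g. `$CERTTOOL --certificate-info --infile $srcdir/bmpstring.pem >tmp-pem.pem || exit 1`, and move the cleanup to a `trap ... EXIT` or run it before each `exit`. Also note that `diff $srcdir/bmpstring.pem tmp-pem.pem` compares certtool's entire `--certificate-info` output byte-for-byte, including the fingerprint and "random art" rendering, so any cosmetic change to that output will break this test; worth a comment next to the check so the failure is understood as an expected-output update rather than a decoding regression.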


hooks/post-receive
-- 
GNU gnutls
