/*
 * ASN1_OP_NEW_POST: put the cached/derived fields that the ASN.1 template
 * does not own into a known empty state.
 *
 * NOTE(review): policy_cache, altname and nc are not touched here although
 * FREE_POST releases them; that relies on the item allocator zero-filling
 * the struct before this callback runs — confirm against the allocator.
 */
static void x509_reset_ex_fields(X509 *x)
{
    x->valid = 0;
    x->name = NULL;
    x->ex_flags = 0;
    x->ex_pathlen = -1;     /* presumably "not yet computed"; the extension cache owns this meaning */
    x->skid = NULL;
    x->akid = NULL;
#ifndef OPENSSL_NO_RFC3779
    x->rfc3779_addr = NULL;
    x->rfc3779_asid = NULL;
#endif
    x->aux = NULL;
    x->crldp = NULL;
    /* Result deliberately not checked, matching the original callback. */
    CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, x, &x->ex_data);
}

/*
 * ASN1_OP_D2I_POST: (re)build the one-line subject name string. A string
 * left over from an earlier decode into the same object is released first.
 */
static void x509_refresh_oneline_name(X509 *x)
{
    if (x->name != NULL)
        OPENSSL_free(x->name);
    x->name = X509_NAME_oneline(x->cert_info->subject, NULL, 0);
}

/*
 * ASN1_OP_FREE_POST: release everything NEW_POST/D2I_POST attached.
 * The *_free calls are unguarded exactly as in the original, which relies
 * on those routines accepting NULL; only the name keeps an explicit guard.
 */
static void x509_release_ex_fields(X509 *x)
{
    CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509, x, &x->ex_data);
    X509_CERT_AUX_free(x->aux);
    ASN1_OCTET_STRING_free(x->skid);
    AUTHORITY_KEYID_free(x->akid);
    CRL_DIST_POINTS_free(x->crldp);
    policy_cache_free(x->policy_cache);
    GENERAL_NAMES_free(x->altname);
    NAME_CONSTRAINTS_free(x->nc);
#ifndef OPENSSL_NO_RFC3779
    sk_IPAddressFamily_pop_free(x->rfc3779_addr, IPAddressFamily_free);
    ASIdentifiers_free(x->rfc3779_asid);
#endif
    if (x->name != NULL)
        OPENSSL_free(x->name);
}

/*
 * ASN.1 template callback for the X509 item. Hooks the NEW, D2I and FREE
 * phases so the non-encoded ("extended") fields of the struct are set up,
 * derived and torn down alongside the encoded ones.
 *
 * @param operation  ASN1_OP_* phase being run.
 * @param pval       points at the X509 object under construction/teardown.
 * @param it         unused.
 * @param exarg      unused.
 * @return 1 always; no phase handled here has a failure path.
 */
static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
{
    X509 *x = (X509 *)*pval;

    switch (operation) {
    case ASN1_OP_NEW_POST:
        x509_reset_ex_fields(x);
        break;
    case ASN1_OP_D2I_POST:
        x509_refresh_oneline_name(x);
        break;
    case ASN1_OP_FREE_POST:
        x509_release_ex_fields(x);
        break;
    default:
        /* Other phases need no extra work. */
        break;
    }
    return 1;
}
// verify if prefix is part of the resources listed in cert // CA and untrusted are needed, because the resources in cert could be inherited // prefix_as_ext is the text-representation of an ip-address block like you would specify in an extension file // when creating a certificate, e.g. IPv6:2001:0638::/32 int verify_prefix_with_cert( int CA_der_count, int CA_der_length, const char* CAs_der, int untrusted_der_count, int untrusted_der_length, const char* untrusted_der, int cert_der_length, const char* cert_der, char* prefix_as_ext ) { X509_EXTENSION *prefix_ext; IPAddrBlocks *prefix_blocks = NULL; STACK_OF(X509) *chain = NULL; int allow_inheritance = 0; // router prefix cannot inherit int ret = 0; if ((prefix_ext = X509V3_EXT_conf_nid(NULL, NULL, NID_sbgp_ipAddrBlock, prefix_as_ext)) == NULL){ ret = -1; goto end; } prefix_blocks = (IPAddrBlocks *) X509V3_EXT_d2i(prefix_ext); X509_EXTENSION_free(prefix_ext); chain = get_verified_chain( CA_der_count, CA_der_length, CAs_der, untrusted_der_count, untrusted_der_length, untrusted_der, cert_der_length, cert_der ); if (chain == NULL) { ret = 0; } else { ret = v3_addr_validate_resource_set(chain, prefix_blocks, allow_inheritance); } end: if (prefix_blocks != NULL) sk_IPAddressFamily_pop_free(prefix_blocks, IPAddressFamily_free); if (chain != NULL) sk_X509_pop_free(chain, X509_free); return ret; }