static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
void *exarg)
{
X509 *ret = (X509 *)*pval;
switch (operation) {
case ASN1_OP_NEW_POST:
ret->valid = 0;
ret->name = NULL;
ret->ex_flags = 0;
ret->ex_pathlen = -1;
ret->skid = NULL;
ret->akid = NULL;
#ifndef OPENSSL_NO_RFC3779
ret->rfc3779_addr = NULL;
ret->rfc3779_asid = NULL;
#endif
ret->aux = NULL;
ret->crldp = NULL;
CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data);
break;
case ASN1_OP_D2I_POST:
if (ret->name != NULL)
OPENSSL_free(ret->name);
ret->name = X509_NAME_oneline(ret->cert_info->subject, NULL, 0);
break;
case ASN1_OP_FREE_POST:
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data);
X509_CERT_AUX_free(ret->aux);
ASN1_OCTET_STRING_free(ret->skid);
AUTHORITY_KEYID_free(ret->akid);
CRL_DIST_POINTS_free(ret->crldp);
policy_cache_free(ret->policy_cache);
GENERAL_NAMES_free(ret->altname);
NAME_CONSTRAINTS_free(ret->nc);
#ifndef OPENSSL_NO_RFC3779
sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free);
ASIdentifiers_free(ret->rfc3779_asid);
#endif
if (ret->name != NULL)
OPENSSL_free(ret->name);
break;
}
return 1;
}
// verify if prefix is part of the resources listed in cert
// CA and untrusted are needed, because the resources in cert could be inherited
// prefix_as_ext is the text-representation of an ip-address block like you would specify in an extension file
// when creating a certificate, e.g. IPv6:2001:0638::/32
int verify_prefix_with_cert(
int CA_der_count,
int CA_der_length,
const char* CAs_der,
int untrusted_der_count,
int untrusted_der_length,
const char* untrusted_der,
int cert_der_length,
const char* cert_der,
char* prefix_as_ext
)
{
X509_EXTENSION *prefix_ext;
IPAddrBlocks *prefix_blocks = NULL;
STACK_OF(X509) *chain = NULL;
int allow_inheritance = 0; // router prefix cannot inherit
int ret = 0;
if ((prefix_ext = X509V3_EXT_conf_nid(NULL, NULL, NID_sbgp_ipAddrBlock, prefix_as_ext)) == NULL){
ret = -1;
goto end;
}
prefix_blocks = (IPAddrBlocks *) X509V3_EXT_d2i(prefix_ext);
X509_EXTENSION_free(prefix_ext);
chain = get_verified_chain(
CA_der_count,
CA_der_length,
CAs_der,
untrusted_der_count,
untrusted_der_length,
untrusted_der,
cert_der_length,
cert_der
);
if (chain == NULL) {
ret = 0;
} else {
ret = v3_addr_validate_resource_set(chain, prefix_blocks, allow_inheritance);
}
end:
if (prefix_blocks != NULL) sk_IPAddressFamily_pop_free(prefix_blocks, IPAddressFamily_free);
if (chain != NULL) sk_X509_pop_free(chain, X509_free);
return ret;
}
