static int check_code_sign(const X509_PURPOSE *xp, const X509 *crt, int ca)
{
X509 *x = (X509 *)crt;
uint32_t ex_flags = SSL_X509_get_extension_flags(x);
uint32_t ex_xkusage = SSL_X509_get_extended_key_usage(x);
(void)xp;
if (ca) {
int idx;
const X509_PURPOSE *pt;
if ((ex_flags & EXFLAG_XKUSAGE) && !(ex_xkusage & XKU_CODE_SIGN))
return 0;
idx = X509_PURPOSE_get_by_id(X509_PURPOSE_OCSP_HELPER);
if (idx == -1)
return 0;
pt = X509_PURPOSE_get0(idx);
return pt->check_purpose(pt, x, ca);
}
return (ex_flags & EXFLAG_XKUSAGE) && (ex_xkusage & XKU_CODE_SIGN);
}
int X509_PURPOSE_add(int id, int trust, int flags,
int (*ck) (const X509_PURPOSE *, const X509 *, int),
char *name, char *sname, void *arg)
{
int idx;
X509_PURPOSE *ptmp;
/*
* This is set according to what we change: application can't set it
*/
flags &= ~X509_PURPOSE_DYNAMIC;
/* This will always be set for application modified trust entries */
flags |= X509_PURPOSE_DYNAMIC_NAME;
/* Get existing entry if any */
idx = X509_PURPOSE_get_by_id(id);
/* Need a new entry */
if (idx == -1) {
if ((ptmp = OPENSSL_malloc(sizeof(*ptmp))) == NULL) {
X509V3err(X509V3_F_X509_PURPOSE_ADD, ERR_R_MALLOC_FAILURE);
return 0;
}
ptmp->flags = X509_PURPOSE_DYNAMIC;
} else
ptmp = X509_PURPOSE_get0(idx);
/* OPENSSL_free existing name if dynamic */
if (ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
OPENSSL_free(ptmp->name);
OPENSSL_free(ptmp->sname);
}
/* dup supplied name */
ptmp->name = OPENSSL_strdup(name);
ptmp->sname = OPENSSL_strdup(sname);
if (!ptmp->name || !ptmp->sname) {
X509V3err(X509V3_F_X509_PURPOSE_ADD, ERR_R_MALLOC_FAILURE);
return 0;
}
/* Keep the dynamic flag of existing entry */
ptmp->flags &= X509_PURPOSE_DYNAMIC;
/* Set all other flags */
ptmp->flags |= flags;
ptmp->purpose = id;
ptmp->trust = trust;
ptmp->check_purpose = ck;
ptmp->usr_data = arg;
/* If its a new entry manage the dynamic table */
if (idx == -1) {
if (xptable == NULL
&& (xptable = sk_X509_PURPOSE_new(xp_cmp)) == NULL) {
X509V3err(X509V3_F_X509_PURPOSE_ADD, ERR_R_MALLOC_FAILURE);
return 0;
}
if (!sk_X509_PURPOSE_push(xptable, ptmp)) {
X509V3err(X509V3_F_X509_PURPOSE_ADD, ERR_R_MALLOC_FAILURE);
return 0;
}
}
return 1;
}
int X509_PURPOSE_set(int *p, int purpose)
{
if(X509_PURPOSE_get_by_id(purpose) == -1) {
X509V3err(X509V3_F_X509_PURPOSE_SET, X509V3_R_INVALID_PURPOSE);
return 0;
}
*p = purpose;
return 1;
}
int X509_PURPOSE_set(int *p, int purpose)
{
if(X509_PURPOSE_get_by_id(purpose) == -1) {
OPENSSL_PUT_ERROR(X509V3, X509_PURPOSE_set, X509V3_R_INVALID_PURPOSE);
return 0;
}
*p = purpose;
return 1;
}
/* As much as I'd like to make X509_check_purpose use a "const" X509*
* I really can't because it does recalculate hashes and do other non-const
* things. */
int X509_check_purpose(X509 *x, int id, int ca)
{
int idx;
const X509_PURPOSE *pt;
if(!(x->ex_flags & EXFLAG_SET)) {
x509v3_cache_extensions(x);
}
if(id == -1) return 1;
idx = X509_PURPOSE_get_by_id(id);
if(idx == -1) return -1;
pt = X509_PURPOSE_get0(idx);
return pt->check_purpose(pt, x, ca);
}
/*
* As much as I'd like to make X509_check_purpose use a "const" X509* I
* really can't because it does recalculate hashes and do other non-const
* things.
*/
int X509_check_purpose(X509 *x, int id, int ca)
{
int idx;
const X509_PURPOSE *pt;
if (!(x->ex_flags & EXFLAG_SET)) {
CRYPTO_THREAD_write_lock(x->lock);
x509v3_cache_extensions(x);
CRYPTO_THREAD_unlock(x->lock);
}
/* Return if side-effect only call */
if (id == -1)
return 1;
idx = X509_PURPOSE_get_by_id(id);
if (idx == -1)
return -1;
pt = X509_PURPOSE_get0(idx);
return pt->check_purpose(pt, x, ca);
}
