Ruby  3.1.0dev(2021-09-10revisionb76ad15ed0da636161de0243c547ee1e6fc95681)
ossl_x509.c
Go to the documentation of this file.
1 /*
2  * 'OpenSSL for Ruby' project
3  * Copyright (C) 2001-2002 Michal Rokos <m.rokos@sh.cvut.cz>
4  * All rights reserved.
5  */
6 /*
7  * This program is licensed under the same licence as Ruby.
8  * (See the file 'LICENCE'.)
9  */
10 #include "ossl.h"
11 
12 VALUE mX509;
13 
14 #define DefX509Const(x) rb_define_const(mX509, #x, INT2NUM(X509_##x))
15 #define DefX509Default(x,i) \
16  rb_define_const(mX509, "DEFAULT_" #x, rb_str_new2(X509_get_default_##i()))
17 
18 ASN1_TIME *
19 ossl_x509_time_adjust(ASN1_TIME *s, VALUE time)
20 {
21  time_t sec;
22 
23  int off_days;
24 
25  ossl_time_split(time, &sec, &off_days);
26  return X509_time_adj_ex(s, off_days, 0, &sec);
27 }
28 
29 void
30 Init_ossl_x509(void)
31 {
32 #if 0
33  mOSSL = rb_define_module("OpenSSL");
34 #endif
35 
36  mX509 = rb_define_module_under(mOSSL, "X509");
37 
38  Init_ossl_x509attr();
39  Init_ossl_x509cert();
40  Init_ossl_x509crl();
41  Init_ossl_x509ext();
42  Init_ossl_x509name();
43  Init_ossl_x509req();
44  Init_ossl_x509revoked();
45  Init_ossl_x509store();
46 
47  /* Constants are up-to-date with 1.1.1. */
48 
49  /* Certificate verification error code */
50  DefX509Const(V_OK);
51 #if defined(X509_V_ERR_UNSPECIFIED) /* 1.0.1r, 1.0.2f, 1.1.0 */
52  DefX509Const(V_ERR_UNSPECIFIED);
53 #endif
54  DefX509Const(V_ERR_UNABLE_TO_GET_ISSUER_CERT);
55  DefX509Const(V_ERR_UNABLE_TO_GET_CRL);
56  DefX509Const(V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE);
57  DefX509Const(V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE);
58  DefX509Const(V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY);
59  DefX509Const(V_ERR_CERT_SIGNATURE_FAILURE);
60  DefX509Const(V_ERR_CRL_SIGNATURE_FAILURE);
61  DefX509Const(V_ERR_CERT_NOT_YET_VALID);
62  DefX509Const(V_ERR_CERT_HAS_EXPIRED);
63  DefX509Const(V_ERR_CRL_NOT_YET_VALID);
64  DefX509Const(V_ERR_CRL_HAS_EXPIRED);
65  DefX509Const(V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD);
66  DefX509Const(V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD);
67  DefX509Const(V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD);
68  DefX509Const(V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
69  DefX509Const(V_ERR_OUT_OF_MEM);
70  DefX509Const(V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT);
71  DefX509Const(V_ERR_SELF_SIGNED_CERT_IN_CHAIN);
72  DefX509Const(V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY);
73  DefX509Const(V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE);
74  DefX509Const(V_ERR_CERT_CHAIN_TOO_LONG);
75  DefX509Const(V_ERR_CERT_REVOKED);
76  DefX509Const(V_ERR_INVALID_CA);
77  DefX509Const(V_ERR_PATH_LENGTH_EXCEEDED);
78  DefX509Const(V_ERR_INVALID_PURPOSE);
79  DefX509Const(V_ERR_CERT_UNTRUSTED);
80  DefX509Const(V_ERR_CERT_REJECTED);
81  DefX509Const(V_ERR_SUBJECT_ISSUER_MISMATCH);
82  DefX509Const(V_ERR_AKID_SKID_MISMATCH);
83  DefX509Const(V_ERR_AKID_ISSUER_SERIAL_MISMATCH);
84  DefX509Const(V_ERR_KEYUSAGE_NO_CERTSIGN);
85  DefX509Const(V_ERR_UNABLE_TO_GET_CRL_ISSUER);
86  DefX509Const(V_ERR_UNHANDLED_CRITICAL_EXTENSION);
87  DefX509Const(V_ERR_KEYUSAGE_NO_CRL_SIGN);
88  DefX509Const(V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION);
89  DefX509Const(V_ERR_INVALID_NON_CA);
90  DefX509Const(V_ERR_PROXY_PATH_LENGTH_EXCEEDED);
91  DefX509Const(V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE);
92  DefX509Const(V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED);
93  DefX509Const(V_ERR_INVALID_EXTENSION);
94  DefX509Const(V_ERR_INVALID_POLICY_EXTENSION);
95  DefX509Const(V_ERR_NO_EXPLICIT_POLICY);
96  DefX509Const(V_ERR_DIFFERENT_CRL_SCOPE);
97  DefX509Const(V_ERR_UNSUPPORTED_EXTENSION_FEATURE);
98  DefX509Const(V_ERR_UNNESTED_RESOURCE);
99  DefX509Const(V_ERR_PERMITTED_VIOLATION);
100  DefX509Const(V_ERR_EXCLUDED_VIOLATION);
101  DefX509Const(V_ERR_SUBTREE_MINMAX);
102  DefX509Const(V_ERR_APPLICATION_VERIFICATION);
103  DefX509Const(V_ERR_UNSUPPORTED_CONSTRAINT_TYPE);
104  DefX509Const(V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX);
105  DefX509Const(V_ERR_UNSUPPORTED_NAME_SYNTAX);
106  DefX509Const(V_ERR_CRL_PATH_VALIDATION_ERROR);
107 #if defined(X509_V_ERR_PATH_LOOP)
108  DefX509Const(V_ERR_PATH_LOOP);
109 #endif
110 #if defined(X509_V_ERR_SUITE_B_INVALID_VERSION)
111  DefX509Const(V_ERR_SUITE_B_INVALID_VERSION);
112  DefX509Const(V_ERR_SUITE_B_INVALID_ALGORITHM);
113  DefX509Const(V_ERR_SUITE_B_INVALID_CURVE);
114  DefX509Const(V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM);
115  DefX509Const(V_ERR_SUITE_B_LOS_NOT_ALLOWED);
116  DefX509Const(V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256);
117 #endif
118  DefX509Const(V_ERR_HOSTNAME_MISMATCH);
119  DefX509Const(V_ERR_EMAIL_MISMATCH);
120  DefX509Const(V_ERR_IP_ADDRESS_MISMATCH);
121 #if defined(X509_V_ERR_DANE_NO_MATCH)
122  DefX509Const(V_ERR_DANE_NO_MATCH);
123 #endif
124 #if defined(X509_V_ERR_EE_KEY_TOO_SMALL)
125  DefX509Const(V_ERR_EE_KEY_TOO_SMALL);
126  DefX509Const(V_ERR_CA_KEY_TOO_SMALL);
127  DefX509Const(V_ERR_CA_MD_TOO_WEAK);
128 #endif
129 #if defined(X509_V_ERR_INVALID_CALL)
130  DefX509Const(V_ERR_INVALID_CALL);
131 #endif
132 #if defined(X509_V_ERR_STORE_LOOKUP)
133  DefX509Const(V_ERR_STORE_LOOKUP);
134 #endif
135 #if defined(X509_V_ERR_NO_VALID_SCTS)
136  DefX509Const(V_ERR_NO_VALID_SCTS);
137 #endif
138 #if defined(X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION)
139  DefX509Const(V_ERR_PROXY_SUBJECT_NAME_VIOLATION);
140 #endif
141 #if defined(X509_V_ERR_OCSP_VERIFY_NEEDED)
142  DefX509Const(V_ERR_OCSP_VERIFY_NEEDED);
143  DefX509Const(V_ERR_OCSP_VERIFY_FAILED);
144  DefX509Const(V_ERR_OCSP_CERT_UNKNOWN);
145 #endif
146 
147  /* Certificate verify flags */
148  /* Set by Store#flags= and StoreContext#flags=. */
149  DefX509Const(V_FLAG_USE_CHECK_TIME);
150  /* Set by Store#flags= and StoreContext#flags=. Enables CRL checking for the
151  * certificate chain leaf. */
152  DefX509Const(V_FLAG_CRL_CHECK);
153  /* Set by Store#flags= and StoreContext#flags=. Enables CRL checking for all
154  * certificates in the certificate chain */
155  DefX509Const(V_FLAG_CRL_CHECK_ALL);
156  /* Set by Store#flags= and StoreContext#flags=. Disables critical extension
157  * checking. */
158  DefX509Const(V_FLAG_IGNORE_CRITICAL);
159  /* Set by Store#flags= and StoreContext#flags=. Disables workarounds for
160  * broken certificates. */
161  DefX509Const(V_FLAG_X509_STRICT);
162  /* Set by Store#flags= and StoreContext#flags=. Enables proxy certificate
163  * verification. */
164  DefX509Const(V_FLAG_ALLOW_PROXY_CERTS);
165  /* Set by Store#flags= and StoreContext#flags=. Enables certificate policy
166  * constraints checking. */
167  DefX509Const(V_FLAG_POLICY_CHECK);
168  /* Set by Store#flags= and StoreContext#flags=.
169  * Implies V_FLAG_POLICY_CHECK */
170  DefX509Const(V_FLAG_EXPLICIT_POLICY);
171  /* Set by Store#flags= and StoreContext#flags=.
172  * Implies V_FLAG_POLICY_CHECK */
173  DefX509Const(V_FLAG_INHIBIT_ANY);
174  /* Set by Store#flags= and StoreContext#flags=.
175  * Implies V_FLAG_POLICY_CHECK */
176  DefX509Const(V_FLAG_INHIBIT_MAP);
177  /* Set by Store#flags= and StoreContext#flags=. */
178  DefX509Const(V_FLAG_NOTIFY_POLICY);
179  /* Set by Store#flags= and StoreContext#flags=. Enables some additional
180  * features including support for indirect signed CRLs. */
181  DefX509Const(V_FLAG_EXTENDED_CRL_SUPPORT);
182  /* Set by Store#flags= and StoreContext#flags=. Uses delta CRLs. If not
183  * specified, deltas are ignored. */
184  DefX509Const(V_FLAG_USE_DELTAS);
185  /* Set by Store#flags= and StoreContext#flags=. Enables checking of the
186  * signature of the root self-signed CA. */
187  DefX509Const(V_FLAG_CHECK_SS_SIGNATURE);
188  /* Set by Store#flags= and StoreContext#flags=. When constructing a
189  * certificate chain, search the Store first for the issuer certificate.
190  * Enabled by default in OpenSSL >= 1.1.0. */
191  DefX509Const(V_FLAG_TRUSTED_FIRST);
192 #if defined(X509_V_FLAG_SUITEB_128_LOS_ONLY)
193  /* Set by Store#flags= and StoreContext#flags=.
194  * Enables Suite B 128 bit only mode. */
195  DefX509Const(V_FLAG_SUITEB_128_LOS_ONLY);
196 #endif
197 #if defined(X509_V_FLAG_SUITEB_192_LOS)
198  /* Set by Store#flags= and StoreContext#flags=.
199  * Enables Suite B 192 bit only mode. */
200  DefX509Const(V_FLAG_SUITEB_192_LOS);
201 #endif
202 #if defined(X509_V_FLAG_SUITEB_128_LOS)
203  /* Set by Store#flags= and StoreContext#flags=.
204  * Enables Suite B 128 bit mode allowing 192 bit algorithms. */
205  DefX509Const(V_FLAG_SUITEB_128_LOS);
206 #endif
207  /* Set by Store#flags= and StoreContext#flags=.
208  * Allows partial chains if at least one certificate is in trusted store. */
209  DefX509Const(V_FLAG_PARTIAL_CHAIN);
210 #if defined(X509_V_FLAG_NO_ALT_CHAINS)
211  /* Set by Store#flags= and StoreContext#flags=. Suppresses searching for
212  * a alternative chain. No effect in OpenSSL >= 1.1.0. */
213  DefX509Const(V_FLAG_NO_ALT_CHAINS);
214 #endif
215 #if defined(X509_V_FLAG_NO_CHECK_TIME)
216  /* Set by Store#flags= and StoreContext#flags=. Suppresses checking the
217  * validity period of certificates and CRLs. No effect when the current
218  * time is explicitly set by Store#time= or StoreContext#time=. */
219  DefX509Const(V_FLAG_NO_CHECK_TIME);
220 #endif
221 
222  /* Set by Store#purpose=. SSL/TLS client. */
223  DefX509Const(PURPOSE_SSL_CLIENT);
224  /* Set by Store#purpose=. SSL/TLS server. */
225  DefX509Const(PURPOSE_SSL_SERVER);
226  /* Set by Store#purpose=. Netscape SSL server. */
227  DefX509Const(PURPOSE_NS_SSL_SERVER);
228  /* Set by Store#purpose=. S/MIME signing. */
229  DefX509Const(PURPOSE_SMIME_SIGN);
230  /* Set by Store#purpose=. S/MIME encryption. */
231  DefX509Const(PURPOSE_SMIME_ENCRYPT);
232  /* Set by Store#purpose=. CRL signing */
233  DefX509Const(PURPOSE_CRL_SIGN);
234  /* Set by Store#purpose=. No checks. */
235  DefX509Const(PURPOSE_ANY);
236  /* Set by Store#purpose=. OCSP helper. */
237  DefX509Const(PURPOSE_OCSP_HELPER);
238  /* Set by Store#purpose=. Time stamps signer. */
239  DefX509Const(PURPOSE_TIMESTAMP_SIGN);
240 
241  DefX509Const(TRUST_COMPAT);
242  DefX509Const(TRUST_SSL_CLIENT);
243  DefX509Const(TRUST_SSL_SERVER);
244  DefX509Const(TRUST_EMAIL);
245  DefX509Const(TRUST_OBJECT_SIGN);
246  DefX509Const(TRUST_OCSP_SIGN);
247  DefX509Const(TRUST_OCSP_REQUEST);
248  DefX509Const(TRUST_TSA);
249 
250  DefX509Default(CERT_AREA, cert_area);
251  DefX509Default(CERT_DIR, cert_dir);
252  DefX509Default(CERT_FILE, cert_file);
253  DefX509Default(CERT_DIR_ENV, cert_dir_env);
254  DefX509Default(CERT_FILE_ENV, cert_file_env);
255  DefX509Default(PRIVATE_DIR, private_dir);
256 }
Init_ossl_x509crl
void Init_ossl_x509crl(void)
Definition: ossl_x509crl.c:508
Init_ossl_x509ext
void Init_ossl_x509ext(void)
Definition: ossl_x509ext.c:450
rb_define_module_under
VALUE rb_define_module_under(VALUE outer, const char *name)
Definition: class.c:914
ossl_x509_time_adjust
ASN1_TIME * ossl_x509_time_adjust(ASN1_TIME *s, VALUE time)
Definition: ossl_x509.c:19
Init_ossl_x509store
void Init_ossl_x509store(void)
Definition: ossl_x509store.c:844
Init_ossl_x509attr
void Init_ossl_x509attr(void)
Definition: ossl_x509attr.c:305
rb_define_module
VALUE rb_define_module(const char *name)
Definition: class.c:887
mX509
VALUE mX509
Definition: ossl_x509.c:12
ossl.h
ossl_time_split
void ossl_time_split(VALUE time, time_t *sec, int *days)
Definition: ossl_asn1.c:73
Init_ossl_x509
void Init_ossl_x509(void)
Definition: ossl_x509.c:30
DefX509Default
#define DefX509Default(x, i)
Definition: ossl_x509.c:15
Init_ossl_x509req
void Init_ossl_x509req(void)
Definition: ossl_x509req.c:412
Init_ossl_x509name
void Init_ossl_x509name(void)
Definition: ossl_x509name.c:507
mOSSL
VALUE mOSSL
Definition: ossl.c:237
DefX509Const
#define DefX509Const(x)
Definition: ossl_x509.c:14
Init_ossl_x509revoked
void Init_ossl_x509revoked(void)
Definition: ossl_x509revoked.c:276
VALUE
unsigned long VALUE
Definition: value.h:38
Init_ossl_x509cert
void Init_ossl_x509cert(void)
Definition: ossl_x509cert.c:865
Generated by   doxygen 1.8.17