X-Git-Url: https://bearssl.org/gitweb//home/git/?p=BearSSL;a=blobdiff_plain;f=src%2Fx509%2Fx509_minimal.t0;h=bce37ad4f12a5bc25ac10b4b833b73945593f449;hp=7b7b2e6106fe7a009aec35e497d525e8d0c49521;hb=8e86598b33f9df81d1f77d6cc32568d9ae119d67;hpb=3f00688b9d9f483a6ca97e659eea104995ea15b7;ds=sidebyside diff --git a/src/x509/x509_minimal.t0 b/src/x509/x509_minimal.t0 index 7b7b2e6..bce37ad 100644 --- a/src/x509/x509_minimal.t0 +++ b/src/x509/x509_minimal.t0 @@ -171,8 +171,13 @@ preamble { #include #endif +/* + * The T0 compiler will produce these prototypes declarations in the + * header. + * void br_x509_minimal_init_main(void *ctx); void br_x509_minimal_run(void *ctx); + */ /* see bearssl_x509.h */ void @@ -300,7 +305,7 @@ const br_x509_class br_x509_minimal_vtable = { xm_get_pkey }; -#define CTX ((br_x509_minimal_context *)((unsigned char *)t0ctx - offsetof(br_x509_minimal_context, cpu))) +#define CTX ((br_x509_minimal_context *)(void *)((unsigned char *)t0ctx - offsetof(br_x509_minimal_context, cpu))) #define CONTEXT_NAME br_x509_minimal_context #define DNHASH_LEN ((CTX->dn_hash_impl->desc >> BR_HASHDESC_OUT_OFF) & BR_HASHDESC_OUT_MASK) @@ -974,9 +979,13 @@ cc: printOID ( -- ) { } \ Extensions with specific processing. -OID: basicConstraints 2.5.29.19 -OID: keyUsage 2.5.29.15 -OID: subjectAltName 2.5.29.17 +OID: basicConstraints 2.5.29.19 +OID: keyUsage 2.5.29.15 +OID: subjectAltName 2.5.29.17 +OID: certificatePolicies 2.5.29.32 + +\ Policy qualifier "pointer to CPS" +OID: id-qt-cps 1.3.6.1.5.5.7.2.1 \ Extensions which are ignored when encountered, even if critical. OID: authorityKeyIdentifier 2.5.29.35 @@ -1050,6 +1059,49 @@ OID: subjectInfoAccess 1.3.6.1.5.5.7.1.11 \ We don't care about subsequent bytes. skip-close-elt ; +\ Process a Certificate Policies extension. +\ +\ Since we don't actually support full policies processing, this function +\ only checks that the extension contents can be safely ignored. Indeed, +\ we don't validate against a specific set of policies (in RFC 5280 +\ terminology, user-initial-policy-set only contains the special value +\ any-policy). Moreover, we don't support policy constraints (if a +\ critical Policy Constraints extension is encountered, the validation +\ will fail). Therefore, we can safely ignore the contents of this +\ extension, except if it is critical AND one of the policy OID has a +\ qualifier which is distinct from id-qt-cps (because id-qt-cps is +\ specially designated by RFC 5280 has having no mandated action). +\ +\ This function is called only if the extension is critical. +: process-certPolicies ( lim -- lim ) + \ Extension value is a SEQUENCE OF PolicyInformation. + read-sequence-open + begin dup while + \ PolicyInformation ::= SEQUENCE { + \ policyIdentifier OBJECT IDENTIFIER, + \ policyQualifiers SEQUENCE OF PolicyQualifierInfo OPTIONAL + \ } + read-sequence-open + read-OID drop + dup if + read-sequence-open + begin dup while + \ PolicyQualifierInfo ::= SEQUENCE { + \ policyQualifierId OBJECT IDENTIFIER, + \ qualifier ANY + \ } + read-sequence-open + read-OID drop id-qt-cps eqOID ifnot + ERR_X509_CRITICAL_EXTENSION fail + then + skip-close-elt + repeat + close-elt + then + close-elt + repeat + close-elt ; + \ Process a Subject Alt Name extension. Returned value is a boolean set \ to true if the expected server name was matched against a dNSName in \ the extension. @@ -1304,6 +1356,18 @@ OID: subjectInfoAccess 1.3.6.1.5.5.7.1.11 then enduf + \ We don't implement full processing of + \ policies. The call below mostly checks + \ that the contents of the Certificate + \ Policies extension can be safely ignored. + certificatePolicies eqOID uf + critical if + process-certPolicies + else + skip-remaining + then + enduf + \ Extensions which are always ignored, \ even if critical. authorityKeyIdentifier eqOID uf