1/*
2 * 'OpenSSL for Ruby' project
3 * Copyright (C) 2001-2002 Michal Rokos <m.rokos@sh.cvut.cz>
4 * All rights reserved.
5 */
6/*
7 * This program is licensed under the same licence as Ruby.
8 * (See the file 'LICENCE'.)
9 */
10#include "ossl.h"
11
13
/* Exports the OpenSSL integer constant X509_##x as the constant x of the
 * X509 module (mX509), e.g. DefX509Const(V_OK) defines V_OK from X509_V_OK.
 * mX509 is the module VALUE this file defines (its definition line is not
 * shown in this listing). */
#define DefX509Const(x) rb_define_const(mX509, #x, INT2NUM(X509_##x))
/* Exports the string returned by X509_get_default_##i() as the constant
 * DEFAULT_x of the X509 module, e.g. DefX509Default(CERT_DIR, cert_dir)
 * publishes OpenSSL's compiled-in default certificate directory. */
#define DefX509Default(x,i) \
    rb_define_const(mX509, "DEFAULT_" #x, rb_str_new2(X509_get_default_##i()))
17
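/*
 * Converts the Ruby Time +time+ into an ASN1_TIME.
 *
 * +time+ is first split by ossl_time_split() into a day offset (+off_days+)
 * and a remaining time_t (+sec+); both are then applied to +s+ with
 * X509_time_adj_ex(). Splitting into days plus seconds is presumably done so
 * that dates outside the range of a single time_t can still be expressed —
 * confirm against ossl_time_split() in ossl_asn1.c.
 *
 * +s+ is passed straight through to X509_time_adj_ex(), so its NULL/non-NULL
 * semantics (allocate a new ASN1_TIME vs. update in place) are OpenSSL's.
 * The return value of X509_time_adj_ex() is returned unchecked and may be
 * NULL on failure; callers are responsible for checking it.
 *
 * Note: the parameter named +time+ shadows the libc time() function inside
 * this body (harmless here, but -Wshadow will report it). The signature line
 * below was dropped by the rendered listing and is restored from the page's
 * symbol index.
 */
ASN1_TIME *
ossl_x509_time_adjust(ASN1_TIME *s, VALUE time)
{
    time_t sec;
    int off_days;

    ossl_time_split(time, &sec, &off_days);
    return X509_time_adj_ex(s, off_days, 0, &sec);
}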
28
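/*
 * Defines the X509 module (mX509), runs the Init_ossl_x509* initializers of
 * the classes living under it, and exports OpenSSL's X509_* verification
 * error codes, verification flags, purposes, trust settings and default
 * certificate/CA paths as module constants.
 *
 * Constants that only newer OpenSSL versions define are wrapped in
 * "#if defined(...)" so the extension still builds against older libraries;
 * the corresponding Ruby constant is then simply absent.
 *
 * NOTE(review): the signature line, the mX509 assignment and the eight
 * Init_ossl_x509* calls were dropped by the rendered listing; they are
 * restored here from the page's symbol index (call order alphabetical, as
 * upstream — verify against the original file).
 */
void
Init_ossl_x509(void)
{
#if 0
    /* Never compiled; presumably kept so RDoc sees OpenSSL as the parent
     * module — confirm against the RDoc setup. */
    mOSSL = rb_define_module("OpenSSL");
#endif

    mX509 = rb_define_module_under(mOSSL, "X509");

    Init_ossl_x509attr();
    Init_ossl_x509cert();
    Init_ossl_x509crl();
    Init_ossl_x509ext();
    Init_ossl_x509name();
    Init_ossl_x509req();
    Init_ossl_x509revoked();
    Init_ossl_x509store();

    /* Constants are up-to-date with 1.1.1. */

    /* Certificate verification error codes (X509_V_OK / X509_V_ERR_*).
     * V_OK is the only success value; everything else names a reason the
     * chain was rejected. Codes guarded by #if defined exist only in the
     * OpenSSL versions noted. */
    DefX509Const(V_OK);
#if defined(X509_V_ERR_UNSPECIFIED) /* 1.0.1r, 1.0.2f, 1.1.0 */
    DefX509Const(V_ERR_UNSPECIFIED);
#endif
    DefX509Const(V_ERR_UNABLE_TO_GET_ISSUER_CERT);
    DefX509Const(V_ERR_UNABLE_TO_GET_CRL);
    DefX509Const(V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE);
    DefX509Const(V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE);
    DefX509Const(V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY);
    DefX509Const(V_ERR_CERT_SIGNATURE_FAILURE);
    DefX509Const(V_ERR_CRL_SIGNATURE_FAILURE);
    DefX509Const(V_ERR_CERT_NOT_YET_VALID);
    DefX509Const(V_ERR_CERT_HAS_EXPIRED);
    DefX509Const(V_ERR_CRL_NOT_YET_VALID);
    DefX509Const(V_ERR_CRL_HAS_EXPIRED);
    DefX509Const(V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD);
    DefX509Const(V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD);
    DefX509Const(V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD);
    DefX509Const(V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
    DefX509Const(V_ERR_OUT_OF_MEM);
    DefX509Const(V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT);
    DefX509Const(V_ERR_SELF_SIGNED_CERT_IN_CHAIN);
    DefX509Const(V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY);
    DefX509Const(V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE);
    DefX509Const(V_ERR_CERT_CHAIN_TOO_LONG);
    DefX509Const(V_ERR_CERT_REVOKED);
    DefX509Const(V_ERR_INVALID_CA);
    DefX509Const(V_ERR_PATH_LENGTH_EXCEEDED);
    DefX509Const(V_ERR_INVALID_PURPOSE);
    DefX509Const(V_ERR_CERT_UNTRUSTED);
    DefX509Const(V_ERR_CERT_REJECTED);
    DefX509Const(V_ERR_SUBJECT_ISSUER_MISMATCH);
    DefX509Const(V_ERR_AKID_SKID_MISMATCH);
    DefX509Const(V_ERR_AKID_ISSUER_SERIAL_MISMATCH);
    DefX509Const(V_ERR_KEYUSAGE_NO_CERTSIGN);
    DefX509Const(V_ERR_UNABLE_TO_GET_CRL_ISSUER);
    DefX509Const(V_ERR_UNHANDLED_CRITICAL_EXTENSION);
    DefX509Const(V_ERR_KEYUSAGE_NO_CRL_SIGN);
    DefX509Const(V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION);
    DefX509Const(V_ERR_INVALID_NON_CA);
    DefX509Const(V_ERR_PROXY_PATH_LENGTH_EXCEEDED);
    DefX509Const(V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE);
    DefX509Const(V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED);
    DefX509Const(V_ERR_INVALID_EXTENSION);
    DefX509Const(V_ERR_INVALID_POLICY_EXTENSION);
    DefX509Const(V_ERR_NO_EXPLICIT_POLICY);
    DefX509Const(V_ERR_DIFFERENT_CRL_SCOPE);
    DefX509Const(V_ERR_UNSUPPORTED_EXTENSION_FEATURE);
    DefX509Const(V_ERR_UNNESTED_RESOURCE);
    DefX509Const(V_ERR_PERMITTED_VIOLATION);
    DefX509Const(V_ERR_EXCLUDED_VIOLATION);
    DefX509Const(V_ERR_SUBTREE_MINMAX);
    DefX509Const(V_ERR_APPLICATION_VERIFICATION);
    DefX509Const(V_ERR_UNSUPPORTED_CONSTRAINT_TYPE);
    DefX509Const(V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX);
    DefX509Const(V_ERR_UNSUPPORTED_NAME_SYNTAX);
    DefX509Const(V_ERR_CRL_PATH_VALIDATION_ERROR);
#if defined(X509_V_ERR_PATH_LOOP)
    DefX509Const(V_ERR_PATH_LOOP);
#endif
#if defined(X509_V_ERR_SUITE_B_INVALID_VERSION)
    DefX509Const(V_ERR_SUITE_B_INVALID_VERSION);
    DefX509Const(V_ERR_SUITE_B_INVALID_ALGORITHM);
    DefX509Const(V_ERR_SUITE_B_INVALID_CURVE);
    DefX509Const(V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM);
    DefX509Const(V_ERR_SUITE_B_LOS_NOT_ALLOWED);
    DefX509Const(V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256);
#endif
#if defined(X509_V_ERR_HOSTNAME_MISMATCH)
    DefX509Const(V_ERR_HOSTNAME_MISMATCH);
    DefX509Const(V_ERR_EMAIL_MISMATCH);
    DefX509Const(V_ERR_IP_ADDRESS_MISMATCH);
#endif
#if defined(X509_V_ERR_DANE_NO_MATCH)
    DefX509Const(V_ERR_DANE_NO_MATCH);
#endif
#if defined(X509_V_ERR_EE_KEY_TOO_SMALL)
    DefX509Const(V_ERR_EE_KEY_TOO_SMALL);
    DefX509Const(V_ERR_CA_KEY_TOO_SMALL);
    DefX509Const(V_ERR_CA_MD_TOO_WEAK);
#endif
#if defined(X509_V_ERR_INVALID_CALL)
    DefX509Const(V_ERR_INVALID_CALL);
#endif
#if defined(X509_V_ERR_STORE_LOOKUP)
    DefX509Const(V_ERR_STORE_LOOKUP);
#endif
#if defined(X509_V_ERR_NO_VALID_SCTS)
    DefX509Const(V_ERR_NO_VALID_SCTS);
#endif
#if defined(X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION)
    DefX509Const(V_ERR_PROXY_SUBJECT_NAME_VIOLATION);
#endif
#if defined(X509_V_ERR_OCSP_VERIFY_NEEDED)
    DefX509Const(V_ERR_OCSP_VERIFY_NEEDED);
    DefX509Const(V_ERR_OCSP_VERIFY_FAILED);
    DefX509Const(V_ERR_OCSP_CERT_UNKNOWN);
#endif

    /* Certificate verify flags (X509_V_FLAG_*). Several of these relax
     * verification (IGNORE_CRITICAL, NO_CHECK_TIME, PARTIAL_CHAIN,
     * ALLOW_PROXY_CERTS); the per-flag comments say what each one disables. */
    /* Set by Store#flags= and StoreContext#flags=. */
    DefX509Const(V_FLAG_USE_CHECK_TIME);
    /* Set by Store#flags= and StoreContext#flags=. Enables CRL checking for the
     * certificate chain leaf. */
    DefX509Const(V_FLAG_CRL_CHECK);
    /* Set by Store#flags= and StoreContext#flags=. Enables CRL checking for all
     * certificates in the certificate chain */
    DefX509Const(V_FLAG_CRL_CHECK_ALL);
    /* Set by Store#flags= and StoreContext#flags=. Disables critical extension
     * checking. Unrecognized critical extensions are then accepted instead of
     * failing with V_ERR_UNHANDLED_CRITICAL_EXTENSION, so this weakens
     * verification. */
    DefX509Const(V_FLAG_IGNORE_CRITICAL);
    /* Set by Store#flags= and StoreContext#flags=. Disables workarounds for
     * broken certificates. */
    DefX509Const(V_FLAG_X509_STRICT);
    /* Set by Store#flags= and StoreContext#flags=. Enables proxy certificate
     * verification. */
    DefX509Const(V_FLAG_ALLOW_PROXY_CERTS);
    /* Set by Store#flags= and StoreContext#flags=. Enables certificate policy
     * constraints checking. */
    DefX509Const(V_FLAG_POLICY_CHECK);
    /* Set by Store#flags= and StoreContext#flags=.
     * Implies V_FLAG_POLICY_CHECK */
    DefX509Const(V_FLAG_EXPLICIT_POLICY);
    /* Set by Store#flags= and StoreContext#flags=.
     * Implies V_FLAG_POLICY_CHECK */
    DefX509Const(V_FLAG_INHIBIT_ANY);
    /* Set by Store#flags= and StoreContext#flags=.
     * Implies V_FLAG_POLICY_CHECK */
    DefX509Const(V_FLAG_INHIBIT_MAP);
    /* Set by Store#flags= and StoreContext#flags=. */
    DefX509Const(V_FLAG_NOTIFY_POLICY);
    /* Set by Store#flags= and StoreContext#flags=. Enables some additional
     * features including support for indirect signed CRLs. */
    DefX509Const(V_FLAG_EXTENDED_CRL_SUPPORT);
    /* Set by Store#flags= and StoreContext#flags=. Uses delta CRLs. If not
     * specified, deltas are ignored. */
    DefX509Const(V_FLAG_USE_DELTAS);
    /* Set by Store#flags= and StoreContext#flags=. Enables checking of the
     * signature of the root self-signed CA. */
    DefX509Const(V_FLAG_CHECK_SS_SIGNATURE);
#if defined(X509_V_FLAG_TRUSTED_FIRST)
    /* Set by Store#flags= and StoreContext#flags=. When constructing a
     * certificate chain, search the Store first for the issuer certificate.
     * Enabled by default in OpenSSL >= 1.1.0. */
    DefX509Const(V_FLAG_TRUSTED_FIRST);
#endif
#if defined(X509_V_FLAG_SUITEB_128_LOS_ONLY)
    /* Set by Store#flags= and StoreContext#flags=.
     * Enables Suite B 128 bit only mode. */
    DefX509Const(V_FLAG_SUITEB_128_LOS_ONLY);
#endif
#if defined(X509_V_FLAG_SUITEB_192_LOS)
    /* Set by Store#flags= and StoreContext#flags=.
     * Enables Suite B 192 bit only mode. */
    DefX509Const(V_FLAG_SUITEB_192_LOS);
#endif
#if defined(X509_V_FLAG_SUITEB_128_LOS)
    /* Set by Store#flags= and StoreContext#flags=.
     * Enables Suite B 128 bit mode allowing 192 bit algorithms. */
    DefX509Const(V_FLAG_SUITEB_128_LOS);
#endif
#if defined(X509_V_FLAG_PARTIAL_CHAIN)
    /* Set by Store#flags= and StoreContext#flags=.
     * Allows partial chains if at least one certificate is in trusted store.
     * The chain then need not end at a self-signed root. */
    DefX509Const(V_FLAG_PARTIAL_CHAIN);
#endif
#if defined(X509_V_FLAG_NO_ALT_CHAINS)
    /* Set by Store#flags= and StoreContext#flags=. Suppresses searching for
     * an alternative chain. No effect in OpenSSL >= 1.1.0. */
    DefX509Const(V_FLAG_NO_ALT_CHAINS);
#endif
#if defined(X509_V_FLAG_NO_CHECK_TIME)
    /* Set by Store#flags= and StoreContext#flags=. Suppresses checking the
     * validity period of certificates and CRLs, so expired or not-yet-valid
     * ones are accepted. No effect when the current
     * time is explicitly set by Store#time= or StoreContext#time=. */
    DefX509Const(V_FLAG_NO_CHECK_TIME);
#endif

    /* Certificate purposes (X509_PURPOSE_*), selected with Store#purpose=. */
    /* Set by Store#purpose=. SSL/TLS client. */
    DefX509Const(PURPOSE_SSL_CLIENT);
    /* Set by Store#purpose=. SSL/TLS server. */
    DefX509Const(PURPOSE_SSL_SERVER);
    /* Set by Store#purpose=. Netscape SSL server. */
    DefX509Const(PURPOSE_NS_SSL_SERVER);
    /* Set by Store#purpose=. S/MIME signing. */
    DefX509Const(PURPOSE_SMIME_SIGN);
    /* Set by Store#purpose=. S/MIME encryption. */
    DefX509Const(PURPOSE_SMIME_ENCRYPT);
    /* Set by Store#purpose=. CRL signing */
    DefX509Const(PURPOSE_CRL_SIGN);
    /* Set by Store#purpose=. No checks. */
    DefX509Const(PURPOSE_ANY);
    /* Set by Store#purpose=. OCSP helper. */
    DefX509Const(PURPOSE_OCSP_HELPER);
    /* Set by Store#purpose=. Time stamps signer. */
    DefX509Const(PURPOSE_TIMESTAMP_SIGN);

    /* Trust settings (X509_TRUST_*). */
    DefX509Const(TRUST_COMPAT);
    DefX509Const(TRUST_SSL_CLIENT);
    DefX509Const(TRUST_SSL_SERVER);
    DefX509Const(TRUST_EMAIL);
    DefX509Const(TRUST_OBJECT_SIGN);
    DefX509Const(TRUST_OCSP_SIGN);
    DefX509Const(TRUST_OCSP_REQUEST);
    DefX509Const(TRUST_TSA);

    /* Compiled-in default locations OpenSSL uses for CA certificates, and the
     * names of the environment variables that override them, exported as
     * DEFAULT_* strings (values come from X509_get_default_*()). */
    DefX509Default(CERT_AREA, cert_area);
    DefX509Default(CERT_DIR, cert_dir);
    DefX509Default(CERT_FILE, cert_file);
    DefX509Default(CERT_DIR_ENV, cert_dir_env);
    DefX509Default(CERT_FILE_ENV, cert_file_env);
    DefX509Default(PRIVATE_DIR, private_dir);
}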