Use the ASN1_BOOLEAN typedef in ISSUING_DIST_POINT
ASN1_BOOLEAN is int, so this is a no-op. But these fields are parsed as
ASN1_FBOOLEAN (boolean with default false), so we should use the
typedef.
Also leave some TODOs for future cleanup opportunities.
Change-Id: I7b060e7530f0ef1afb3818c043727feb6fd4fcbf
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/63940
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index c999523..f4f5efe 100644
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
@@ -276,7 +276,9 @@
}
// Convert IDP into a more convenient form
-
+//
+// TODO(davidben): Each of these flags are already booleans, so this is not
+// really more convenient. We can probably remove |idp_flags|.
static int setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp) {
int idp_only = 0;
// Set various flags according to IDP
@@ -294,6 +296,11 @@
crl->idp_flags |= IDP_ONLYATTR;
}
+ // Per RFC 5280, section 5.2.5, at most one of onlyContainsUserCerts,
+ // onlyContainsCACerts, and onlyContainsAttributeCerts may be true.
+ //
+ // TODO(crbug.com/boringssl/443): Move this check to the |ISSUING_DIST_POINT|
+ // parser.
if (idp_only > 1) {
crl->idp_flags |= IDP_INVALID;
}
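Review bot: The new comment above `if (idp_only > 1)` states the RFC 5280 rule but not what happens when a CRL breaks it. In the visible lines a violating CRL only gets `IDP_INVALID` OR-ed into `crl->idp_flags`, and nothing in this hunk returns an error. Whether such a CRL is then rejected depends on code outside the hunk that reads the flag, so the comment should say so, e.g. `// A violation is recorded as |IDP_INVALID| rather than failing here; users of |idp_flags| must check it.` setup_idp starts before this hunk and continues after it.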
@@ -306,6 +313,8 @@
crl->idp_flags |= IDP_REASONS;
}
+ // TODO(davidben): The new verifier does not support nameRelativeToCRLIssuer.
+ // Remove this?
return DIST_POINT_set_dpname(idp->distpoint, X509_CRL_get_issuer(crl));
}
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
index 2be0e54..e15e698 100644
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -301,11 +301,11 @@
struct ISSUING_DIST_POINT_st {
DIST_POINT_NAME *distpoint;
- int onlyuser;
- int onlyCA;
+ ASN1_BOOLEAN onlyuser;
+ ASN1_BOOLEAN onlyCA;
ASN1_BIT_STRING *onlysomereasons;
- int indirectCRL;
- int onlyattr;
+ ASN1_BOOLEAN indirectCRL;
+ ASN1_BOOLEAN onlyattr;
};
// X509_PURPOSE stuff
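Review bot: The four retyped fields in `struct ISSUING_DIST_POINT_st` still carry no comment on their value convention, and the typedef alone does not give a reader of this public header that information. The commit message says they are parsed as ASN1_FBOOLEAN (boolean with default false), but that fact is not recorded next to the fields. A short comment above `onlyuser` would fix this, e.g. `// The boolean fields below are parsed as ASN1_FBOOLEAN: an absent field is false (zero).` This matters for code that tests the fields, since it should not have to guess whether an "absent" value distinct from false can appear.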