libcrypto/x509/x509_crld.c

/* $OpenBSD: x509_crld.c,v 1.5 2023/02/16 08:38:17 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
/* ====================================================================
 * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

#include <stdio.h>
#include <string.h>

#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/conf.h>
#include <openssl/err.h>
#include <openssl/x509v3.h>

#include "x509_local.h"

static void *v2i_crld(const X509V3_EXT_METHOD *method,
    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
    int indent);

const X509V3_EXT_METHOD v3_crld = {
	.ext_nid = NID_crl_distribution_points,
	.ext_flags = 0,
	.it = &CRL_DIST_POINTS_it,
	.ext_new = NULL,
	.ext_free = NULL,
	.d2i = NULL,
	.i2d = NULL,
	.i2s = NULL,
	.s2i = NULL,
	.i2v = NULL,
	.v2i = v2i_crld,
	.i2r = i2r_crldp,
	.r2i = NULL,
	.usr_data = NULL,
};

const X509V3_EXT_METHOD v3_freshest_crl = {
	.ext_nid = NID_freshest_crl,
	.ext_flags = 0,
	.it = &CRL_DIST_POINTS_it,
	.ext_new = NULL,
	.ext_free = NULL,
	.d2i = NULL,
	.i2d = NULL,
	.i2s = NULL,
	.s2i = NULL,
	.i2v = NULL,
	.v2i = v2i_crld,
	.i2r = i2r_crldp,
	.r2i = NULL,
	.usr_data = NULL,
};

static STACK_OF(GENERAL_NAME) *
gnames_from_sectname(X509V3_CTX *ctx, char *sect)
{
	STACK_OF(CONF_VALUE) *gnsect;
	STACK_OF(GENERAL_NAME) *gens;

	if (*sect == '@')
		gnsect = X509V3_get_section(ctx, sect + 1);
	else
		gnsect = X509V3_parse_list(sect);
	if (!gnsect) {
		X509V3error(X509V3_R_SECTION_NOT_FOUND);
		return NULL;
	}
	gens = v2i_GENERAL_NAMES(NULL, ctx, gnsect);
	if (*sect == '@')
		X509V3_section_free(ctx, gnsect);
	else
		sk_CONF_VALUE_pop_free(gnsect, X509V3_conf_free);
	return gens;
}

static int
set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx, CONF_VALUE *cnf)
{
	STACK_OF(GENERAL_NAME) *fnm = NULL;
	STACK_OF(X509_NAME_ENTRY) *rnm = NULL;

	if (!strncmp(cnf->name, "fullname", 9)) {
		fnm = gnames_from_sectname(ctx, cnf->value);
		if (!fnm)
			goto err;
	} else if (!strcmp(cnf->name, "relativename")) {
		int ret;
		STACK_OF(CONF_VALUE) *dnsect;
		X509_NAME *nm;
		nm = X509_NAME_new();
		if (!nm)
			return -1;
		dnsect = X509V3_get_section(ctx, cnf->value);
		if (!dnsect) {
			X509V3error(X509V3_R_SECTION_NOT_FOUND);
			X509_NAME_free(nm);
			return -1;
		}
		ret = X509V3_NAME_from_section(nm, dnsect, MBSTRING_ASC);
		X509V3_section_free(ctx, dnsect);
		rnm = nm->entries;
		nm->entries = NULL;
		X509_NAME_free(nm);
		if (!ret || sk_X509_NAME_ENTRY_num(rnm) <= 0)
			goto err;
		/* Since its a name fragment can't have more than one
		 * RDNSequence
		 */
		if (sk_X509_NAME_ENTRY_value(rnm,
		    sk_X509_NAME_ENTRY_num(rnm) - 1)->set) {
			X509V3error(X509V3_R_INVALID_MULTIPLE_RDNS);
			goto err;
		}
	} else
		return 0;

	if (*pdp) {
		X509V3error(X509V3_R_DISTPOINT_ALREADY_SET);
		goto err;
	}

	*pdp = DIST_POINT_NAME_new();
	if (!*pdp)
		goto err;
	if (fnm) {
		(*pdp)->type = 0;
		(*pdp)->name.fullname = fnm;
	} else {
		(*pdp)->type = 1;
		(*pdp)->name.relativename = rnm;
	}

	return 1;

err:
	sk_GENERAL_NAME_pop_free(fnm, GENERAL_NAME_free);
	sk_X509_NAME_ENTRY_pop_free(rnm, X509_NAME_ENTRY_free);
	return -1;
}

static const BIT_STRING_BITNAME reason_flags[] = {
	{0, "Unused", "unused"},
	{1, "Key Compromise", "keyCompromise"},
	{2, "CA Compromise", "CACompromise"},
	{3, "Affiliation Changed", "affiliationChanged"},
	{4, "Superseded", "superseded"},
	{5, "Cessation Of Operation", "cessationOfOperation"},
	{6, "Certificate Hold", "certificateHold"},
	{7, "Privilege Withdrawn", "privilegeWithdrawn"},
	{8, "AA Compromise", "AACompromise"},
	{-1, NULL, NULL}
};

static int
set_reasons(ASN1_BIT_STRING **preas, char *value)
{
	STACK_OF(CONF_VALUE) *rsk = NULL;
	const BIT_STRING_BITNAME *pbn;
	const char *bnam;
	int i, ret = 0;

	if (*preas != NULL)
		return 0;
	rsk = X509V3_parse_list(value);
	if (rsk == NULL)
		return 0;
	for (i = 0; i < sk_CONF_VALUE_num(rsk); i++) {
		bnam = sk_CONF_VALUE_value(rsk, i)->name;
		if (!*preas) {
			*preas = ASN1_BIT_STRING_new();
			if (!*preas)
				goto err;
		}
		for (pbn = reason_flags; pbn->lname; pbn++) {
			if (!strcmp(pbn->sname, bnam)) {
				if (!ASN1_BIT_STRING_set_bit(*preas,
				    pbn->bitnum, 1))
					goto err;
				break;
			}
		}
		if (!pbn->lname)
			goto err;
	}
	ret = 1;

err:
	sk_CONF_VALUE_pop_free(rsk, X509V3_conf_free);
	return ret;
}

static int
print_reasons(BIO *out, const char *rname, ASN1_BIT_STRING *rflags, int indent)
{
	int first = 1;
	const BIT_STRING_BITNAME *pbn;

	BIO_printf(out, "%*s%s:\n%*s", indent, "", rname, indent + 2, "");
	for (pbn = reason_flags; pbn->lname; pbn++) {
		if (ASN1_BIT_STRING_get_bit(rflags, pbn->bitnum)) {
			if (first)
				first = 0;
			else
				BIO_puts(out, ", ");
			BIO_puts(out, pbn->lname);
		}
	}
	if (first)
		BIO_puts(out, "<EMPTY>\n");
	else
		BIO_puts(out, "\n");
	return 1;
}

static DIST_POINT *
crldp_from_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
{
	int i;
	CONF_VALUE *cnf;
	DIST_POINT *point = NULL;

	point = DIST_POINT_new();
	if (!point)
		goto err;
	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
		int ret;
		cnf = sk_CONF_VALUE_value(nval, i);
		ret = set_dist_point_name(&point->distpoint, ctx, cnf);
		if (ret > 0)
			continue;
		if (ret < 0)
			goto err;
		if (!strcmp(cnf->name, "reasons")) {
			if (!set_reasons(&point->reasons, cnf->value))
				goto err;
		}
		else if (!strcmp(cnf->name, "CRLissuer")) {
			point->CRLissuer =
			    gnames_from_sectname(ctx, cnf->value);
			if (!point->CRLissuer)
				goto err;
		}
	}

	return point;

err:
	DIST_POINT_free(point);
	return NULL;
}

static void *
v2i_crld(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
    STACK_OF(CONF_VALUE) *nval)
{
	STACK_OF(DIST_POINT) *crld = NULL;
	GENERAL_NAMES *gens = NULL;
	GENERAL_NAME *gen = NULL;
	CONF_VALUE *cnf;
	int i;

	if (!(crld = sk_DIST_POINT_new_null()))
		goto merr;
	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
		DIST_POINT *point;
		cnf = sk_CONF_VALUE_value(nval, i);
		if (!cnf->value) {
			STACK_OF(CONF_VALUE) *dpsect;
			dpsect = X509V3_get_section(ctx, cnf->name);
			if (!dpsect)
				goto err;
			point = crldp_from_section(ctx, dpsect);
			X509V3_section_free(ctx, dpsect);
			if (!point)
				goto err;
			if (!sk_DIST_POINT_push(crld, point)) {
				DIST_POINT_free(point);
				goto merr;
			}
		} else {
			if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
				goto err;
			if (!(gens = GENERAL_NAMES_new()))
				goto merr;
			if (!sk_GENERAL_NAME_push(gens, gen))
				goto merr;
			gen = NULL;
			if (!(point = DIST_POINT_new()))
				goto merr;
			if (!sk_DIST_POINT_push(crld, point)) {
				DIST_POINT_free(point);
				goto merr;
			}
			if (!(point->distpoint = DIST_POINT_NAME_new()))
				goto merr;
			point->distpoint->name.fullname = gens;
			point->distpoint->type = 0;
			gens = NULL;
		}
	}
	return crld;

merr:
	X509V3error(ERR_R_MALLOC_FAILURE);
err:
	GENERAL_NAME_free(gen);
	GENERAL_NAMES_free(gens);
	sk_DIST_POINT_pop_free(crld, DIST_POINT_free);
	return NULL;
}

static int
dpn_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
{
	DIST_POINT_NAME *dpn = (DIST_POINT_NAME *)*pval;

	switch (operation) {
	case ASN1_OP_NEW_POST:
		dpn->dpname = NULL;
		break;

	case ASN1_OP_FREE_POST:
		if (dpn->dpname)
			X509_NAME_free(dpn->dpname);
		break;
	}
	return 1;
}


static const ASN1_AUX DIST_POINT_NAME_aux = {
	.app_data = NULL,
	.flags = 0,
	.ref_offset = 0,
	.ref_lock = 0,
	.asn1_cb = dpn_cb,
	.enc_offset = 0,
};
static const ASN1_TEMPLATE DIST_POINT_NAME_ch_tt[] = {
	{
		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SEQUENCE_OF,
		.tag = 0,
		.offset = offsetof(DIST_POINT_NAME, name.fullname),
		.field_name = "name.fullname",
		.item = &GENERAL_NAME_it,
	},
	{
		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF,
		.tag = 1,
		.offset = offsetof(DIST_POINT_NAME, name.relativename),
		.field_name = "name.relativename",
		.item = &X509_NAME_ENTRY_it,
	},
};

const ASN1_ITEM DIST_POINT_NAME_it = {
	.itype = ASN1_ITYPE_CHOICE,
	.utype = offsetof(DIST_POINT_NAME, type),
	.templates = DIST_POINT_NAME_ch_tt,
	.tcount = sizeof(DIST_POINT_NAME_ch_tt) / sizeof(ASN1_TEMPLATE),
	.funcs = &DIST_POINT_NAME_aux,
	.size = sizeof(DIST_POINT_NAME),
	.sname = "DIST_POINT_NAME",
};


DIST_POINT_NAME *
d2i_DIST_POINT_NAME(DIST_POINT_NAME **a, const unsigned char **in, long len)
{
	return (DIST_POINT_NAME *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
	    &DIST_POINT_NAME_it);
}
LCRYPTO_ALIAS(d2i_DIST_POINT_NAME);

int
i2d_DIST_POINT_NAME(DIST_POINT_NAME *a, unsigned char **out)
{
	return ASN1_item_i2d((ASN1_VALUE *)a, out, &DIST_POINT_NAME_it);
}
LCRYPTO_ALIAS(i2d_DIST_POINT_NAME);

DIST_POINT_NAME *
DIST_POINT_NAME_new(void)
{
	return (DIST_POINT_NAME *)ASN1_item_new(&DIST_POINT_NAME_it);
}
LCRYPTO_ALIAS(DIST_POINT_NAME_new);

void
DIST_POINT_NAME_free(DIST_POINT_NAME *a)
{
	ASN1_item_free((ASN1_VALUE *)a, &DIST_POINT_NAME_it);
}
LCRYPTO_ALIAS(DIST_POINT_NAME_free);

static const ASN1_TEMPLATE DIST_POINT_seq_tt[] = {
	{
		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
		.tag = 0,
		.offset = offsetof(DIST_POINT, distpoint),
		.field_name = "distpoint",
		.item = &DIST_POINT_NAME_it,
	},
	{
		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
		.tag = 1,
		.offset = offsetof(DIST_POINT, reasons),
		.field_name = "reasons",
		.item = &ASN1_BIT_STRING_it,
	},
	{
		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
		.tag = 2,
		.offset = offsetof(DIST_POINT, CRLissuer),
		.field_name = "CRLissuer",
		.item = &GENERAL_NAME_it,
	},
};

const ASN1_ITEM DIST_POINT_it = {
	.itype = ASN1_ITYPE_SEQUENCE,
	.utype = V_ASN1_SEQUENCE,
	.templates = DIST_POINT_seq_tt,
	.tcount = sizeof(DIST_POINT_seq_tt) / sizeof(ASN1_TEMPLATE),
	.funcs = NULL,
	.size = sizeof(DIST_POINT),
	.sname = "DIST_POINT",
};


DIST_POINT *
d2i_DIST_POINT(DIST_POINT **a, const unsigned char **in, long len)
{
	return (DIST_POINT *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
	    &DIST_POINT_it);
}
LCRYPTO_ALIAS(d2i_DIST_POINT);

int
i2d_DIST_POINT(DIST_POINT *a, unsigned char **out)
{
	return ASN1_item_i2d((ASN1_VALUE *)a, out, &DIST_POINT_it);
}
LCRYPTO_ALIAS(i2d_DIST_POINT);

DIST_POINT *
DIST_POINT_new(void)
{
	return (DIST_POINT *)ASN1_item_new(&DIST_POINT_it);
}
LCRYPTO_ALIAS(DIST_POINT_new);

void
DIST_POINT_free(DIST_POINT *a)
{
	ASN1_item_free((ASN1_VALUE *)a, &DIST_POINT_it);
}
LCRYPTO_ALIAS(DIST_POINT_free);

static const ASN1_TEMPLATE CRL_DIST_POINTS_item_tt = {
	.flags = ASN1_TFLG_SEQUENCE_OF,
	.tag = 0,
	.offset = 0,
	.field_name = "CRLDistributionPoints",
	.item = &DIST_POINT_it,
};

const ASN1_ITEM CRL_DIST_POINTS_it = {
	.itype = ASN1_ITYPE_PRIMITIVE,
	.utype = -1,
	.templates = &CRL_DIST_POINTS_item_tt,
	.tcount = 0,
	.funcs = NULL,
	.size = 0,
	.sname = "CRL_DIST_POINTS",
};


CRL_DIST_POINTS *
d2i_CRL_DIST_POINTS(CRL_DIST_POINTS **a, const unsigned char **in, long len)
{
	return (CRL_DIST_POINTS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
	    &CRL_DIST_POINTS_it);
}
LCRYPTO_ALIAS(d2i_CRL_DIST_POINTS);

int
i2d_CRL_DIST_POINTS(CRL_DIST_POINTS *a, unsigned char **out)
{
	return ASN1_item_i2d((ASN1_VALUE *)a, out, &CRL_DIST_POINTS_it);
}
LCRYPTO_ALIAS(i2d_CRL_DIST_POINTS);

CRL_DIST_POINTS *
CRL_DIST_POINTS_new(void)
{
	return (CRL_DIST_POINTS *)ASN1_item_new(&CRL_DIST_POINTS_it);
}
LCRYPTO_ALIAS(CRL_DIST_POINTS_new);

void
CRL_DIST_POINTS_free(CRL_DIST_POINTS *a)
{
	ASN1_item_free((ASN1_VALUE *)a, &CRL_DIST_POINTS_it);
}
LCRYPTO_ALIAS(CRL_DIST_POINTS_free);

static const ASN1_TEMPLATE ISSUING_DIST_POINT_seq_tt[] = {
	{
		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
		.tag = 0,
		.offset = offsetof(ISSUING_DIST_POINT, distpoint),
		.field_name = "distpoint",
		.item = &DIST_POINT_NAME_it,
	},
	{
		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
		.tag = 1,
		.offset = offsetof(ISSUING_DIST_POINT, onlyuser),
		.field_name = "onlyuser",
		.item = &ASN1_FBOOLEAN_it,
	},
	{
		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
		.tag = 2,
		.offset = offsetof(ISSUING_DIST_POINT, onlyCA),
		.field_name = "onlyCA",
		.item = &ASN1_FBOOLEAN_it,
	},
	{
		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
		.tag = 3,
		.offset = offsetof(ISSUING_DIST_POINT, onlysomereasons),
		.field_name = "onlysomereasons",
		.item = &ASN1_BIT_STRING_it,
	},
	{
		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
		.tag = 4,
		.offset = offsetof(ISSUING_DIST_POINT, indirectCRL),
		.field_name = "indirectCRL",
		.item = &ASN1_FBOOLEAN_it,
	},
	{
		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
		.tag = 5,
		.offset = offsetof(ISSUING_DIST_POINT, onlyattr),
		.field_name = "onlyattr",
		.item = &ASN1_FBOOLEAN_it,
	},
};

const ASN1_ITEM ISSUING_DIST_POINT_it = {
	.itype = ASN1_ITYPE_SEQUENCE,
	.utype = V_ASN1_SEQUENCE,
	.templates = ISSUING_DIST_POINT_seq_tt,
	.tcount = sizeof(ISSUING_DIST_POINT_seq_tt) / sizeof(ASN1_TEMPLATE),
	.funcs = NULL,
	.size = sizeof(ISSUING_DIST_POINT),
	.sname = "ISSUING_DIST_POINT",
};


ISSUING_DIST_POINT *
d2i_ISSUING_DIST_POINT(ISSUING_DIST_POINT **a, const unsigned char **in, long len)
{
	return (ISSUING_DIST_POINT *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
	    &ISSUING_DIST_POINT_it);
}
LCRYPTO_ALIAS(d2i_ISSUING_DIST_POINT);

int
i2d_ISSUING_DIST_POINT(ISSUING_DIST_POINT *a, unsigned char **out)
{
	return ASN1_item_i2d((ASN1_VALUE *)a, out, &ISSUING_DIST_POINT_it);
}
LCRYPTO_ALIAS(i2d_ISSUING_DIST_POINT);

ISSUING_DIST_POINT *
ISSUING_DIST_POINT_new(void)
{
	return (ISSUING_DIST_POINT *)ASN1_item_new(&ISSUING_DIST_POINT_it);
}
LCRYPTO_ALIAS(ISSUING_DIST_POINT_new);

void
ISSUING_DIST_POINT_free(ISSUING_DIST_POINT *a)
{
	ASN1_item_free((ASN1_VALUE *)a, &ISSUING_DIST_POINT_it);
}
LCRYPTO_ALIAS(ISSUING_DIST_POINT_free);

static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
    int indent);
static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
    STACK_OF(CONF_VALUE) *nval);

const X509V3_EXT_METHOD v3_idp = {
	NID_issuing_distribution_point, X509V3_EXT_MULTILINE,
	&ISSUING_DIST_POINT_it,
	0, 0, 0, 0,
	0, 0,
	0,
	v2i_idp,
	i2r_idp, 0,
	NULL
};

static void *
v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
    STACK_OF(CONF_VALUE) *nval)
{
	ISSUING_DIST_POINT *idp = NULL;
	CONF_VALUE *cnf;
	char *name, *val;
	int i, ret;

	idp = ISSUING_DIST_POINT_new();
	if (!idp)
		goto merr;
	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
		cnf = sk_CONF_VALUE_value(nval, i);
		name = cnf->name;
		val = cnf->value;
		ret = set_dist_point_name(&idp->distpoint, ctx, cnf);
		if (ret > 0)
			continue;
		if (ret < 0)
			goto err;
		if (!strcmp(name, "onlyuser")) {
			if (!X509V3_get_value_bool(cnf, &idp->onlyuser))
				goto err;
		}
		else if (!strcmp(name, "onlyCA")) {
			if (!X509V3_get_value_bool(cnf, &idp->onlyCA))
				goto err;
		}
		else if (!strcmp(name, "onlyAA")) {
			if (!X509V3_get_value_bool(cnf, &idp->onlyattr))
				goto err;
		}
		else if (!strcmp(name, "indirectCRL")) {
			if (!X509V3_get_value_bool(cnf, &idp->indirectCRL))
				goto err;
		}
		else if (!strcmp(name, "onlysomereasons")) {
			if (!set_reasons(&idp->onlysomereasons, val))
				goto err;
		} else {
			X509V3error(X509V3_R_INVALID_NAME);
			X509V3_conf_err(cnf);
			goto err;
		}
	}
	return idp;

merr:
	X509V3error(ERR_R_MALLOC_FAILURE);
err:
	ISSUING_DIST_POINT_free(idp);
	return NULL;
}

static int
print_gens(BIO *out, STACK_OF(GENERAL_NAME) *gens, int indent)
{
	int i;

	for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
		BIO_printf(out, "%*s", indent + 2, "");
		GENERAL_NAME_print(out, sk_GENERAL_NAME_value(gens, i));
		BIO_puts(out, "\n");
	}
	return 1;
}

static int
print_distpoint(BIO *out, DIST_POINT_NAME *dpn, int indent)
{
	if (dpn->type == 0) {
		BIO_printf(out, "%*sFull Name:\n", indent, "");
		print_gens(out, dpn->name.fullname, indent);
	} else {
		X509_NAME ntmp;
		ntmp.entries = dpn->name.relativename;
		BIO_printf(out, "%*sRelative Name:\n%*s",
		    indent, "", indent + 2, "");
		X509_NAME_print_ex(out, &ntmp, 0, XN_FLAG_ONELINE);
		BIO_puts(out, "\n");
	}
	return 1;
}

static int
i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out, int indent)
{
	ISSUING_DIST_POINT *idp = pidp;

	if (idp->distpoint)
		print_distpoint(out, idp->distpoint, indent);
	if (idp->onlyuser > 0)
		BIO_printf(out, "%*sOnly User Certificates\n", indent, "");
	if (idp->onlyCA > 0)
		BIO_printf(out, "%*sOnly CA Certificates\n", indent, "");
	if (idp->indirectCRL > 0)
		BIO_printf(out, "%*sIndirect CRL\n", indent, "");
	if (idp->onlysomereasons)
		print_reasons(out, "Only Some Reasons",
	    idp->onlysomereasons, indent);
	if (idp->onlyattr > 0)
		BIO_printf(out, "%*sOnly Attribute Certificates\n", indent, "");
	if (!idp->distpoint && (idp->onlyuser <= 0) && (idp->onlyCA <= 0) &&
	    (idp->indirectCRL <= 0) && !idp->onlysomereasons &&
	    (idp->onlyattr <= 0))
		BIO_printf(out, "%*s<EMPTY>\n", indent, "");

	return 1;
}

static int
i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out, int indent)
{
	STACK_OF(DIST_POINT) *crld = pcrldp;
	DIST_POINT *point;
	int i;

	for (i = 0; i < sk_DIST_POINT_num(crld); i++) {
		BIO_puts(out, "\n");
		point = sk_DIST_POINT_value(crld, i);
		if (point->distpoint)
			print_distpoint(out, point->distpoint, indent);
		if (point->reasons)
			print_reasons(out, "Reasons", point->reasons,
		    indent);
		if (point->CRLissuer) {
			BIO_printf(out, "%*sCRL Issuer:\n", indent, "");
			print_gens(out, point->CRLissuer, indent);
		}
	}
	return 1;
}

int
DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname)
{
	int i;
	STACK_OF(X509_NAME_ENTRY) *frag;
	X509_NAME_ENTRY *ne;

	if (!dpn || (dpn->type != 1))
		return 1;
	frag = dpn->name.relativename;
	dpn->dpname = X509_NAME_dup(iname);
	if (!dpn->dpname)
		return 0;
	for (i = 0; i < sk_X509_NAME_ENTRY_num(frag); i++) {
		ne = sk_X509_NAME_ENTRY_value(frag, i);
		if (!X509_NAME_add_entry(dpn->dpname, ne, -1, i ? 0 : 1)) {
			X509_NAME_free(dpn->dpname);
			dpn->dpname = NULL;
			return 0;
		}
	}
	/* generate cached encoding of name */
	if (i2d_X509_NAME(dpn->dpname, NULL) < 0) {
		X509_NAME_free(dpn->dpname);
		dpn->dpname = NULL;
		return 0;
	}
	return 1;
}
LCRYPTO_ALIAS(DIST_POINT_set_dpname);