grpc 1.24.0 → 1.25.0

data/third_party/boringssl/crypto/x509/x_x509.c

@@ -313,6 +313,12 @@ int i2d_X509_AUX(X509 *a, unsigned char **pp)
     return length;
 }
 
+int i2d_re_X509_tbs(X509 *x, unsigned char **pp)
+{
+    x->cert_info->enc.modified = 1;
+    return i2d_X509_CINF(x->cert_info, pp);
+}
+
 void X509_get0_signature(const ASN1_BIT_STRING **psig, const X509_ALGOR **palg,
                          const X509 *x)
 {

data/third_party/boringssl/crypto/x509v3/ext_dat.h

@@ -107,19 +107,17 @@ static const X509V3_EXT_METHOD *const standard_exts[] = {
     &v3_ext_ku,
     &v3_delta_crl,
     &v3_crl_reason,
-#ifndef OPENSSL_NO_OCSP
     &v3_crl_invdate,
-#endif
     &v3_sxnet,
     &v3_info,
 #ifndef OPENSSL_NO_OCSP
     &v3_ocsp_nonce,
     &v3_ocsp_crlid,
     &v3_ocsp_accresp,
-    &v3_ocsp_nocheck,
     &v3_ocsp_acutoff,
     &v3_ocsp_serviceloc,
 #endif
+    &v3_ocsp_nocheck,
     &v3_sinfo,
     &v3_policy_constraints,
 #ifndef OPENSSL_NO_OCSP

data/third_party/boringssl/crypto/x509v3/internal.h

@@ -0,0 +1,56 @@
+/* Copyright (c) 2018, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_X509V3_INTERNAL_H
+#define OPENSSL_HEADER_X509V3_INTERNAL_H
+
+#include <openssl/base.h>
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// x509v3_bytes_to_hex encodes |len| bytes from |buffer| to hex and returns a
+// newly-allocated NUL-terminated string containing the result, or NULL on
+// allocation error.
+//
+// Note this function was historically named |hex_to_string| in OpenSSL, not
+// |string_to_hex|.
+char *x509v3_bytes_to_hex(const unsigned char *buffer, long len);
+
+// x509v3_hex_string_to_bytes decodes |str| in hex and returns a newly-allocated
+// array containing the result, or NULL on error. On success, it sets |*len| to
+// the length of the result. Colon separators between bytes in the input are
+// allowed and ignored.
+//
+// Note this function was historically named |string_to_hex| in OpenSSL, not
+// |hex_to_string|.
+unsigned char *x509v3_hex_to_bytes(const char *str, long *len);
+
+// x509v3_name_cmp returns zero if |name| is equal to |cmp| or begins with |cmp|
+// followed by '.'. Otherwise, it returns a non-zero number.
+int x509v3_name_cmp(const char *name, const char *cmp);
+
+// x509v3_looks_like_dns_name returns one if |in| looks like a DNS name and zero
+// otherwise.
+OPENSSL_EXPORT int x509v3_looks_like_dns_name(const unsigned char *in,
+                                              size_t len);
+
+
+#if defined(__cplusplus)
+}  /* extern C */
+#endif
+
+#endif  /* OPENSSL_HEADER_X509V3_INTERNAL_H */

data/third_party/boringssl/crypto/x509v3/pcy_cache.c

@@ -93,6 +93,7 @@ static int policy_cache_create(X509 *x,
         /*
          * Duplicate policy OIDs are illegal: reject if matches found.
          */
+        sk_X509_POLICY_DATA_sort(cache->data);
         if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
             if (cache->anyPolicy) {
                 ret = -1;
@@ -262,6 +263,7 @@ X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
     X509_POLICY_DATA tmp;
 
     tmp.valid_policy = (ASN1_OBJECT *)id;
+    sk_X509_POLICY_DATA_sort(cache->data);
     if (!sk_X509_POLICY_DATA_find(cache->data, &idx, &tmp))
         return NULL;
     return sk_X509_POLICY_DATA_value(cache->data, idx);

data/third_party/boringssl/crypto/x509v3/pcy_node.c

@@ -83,6 +83,7 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *nodes,
     n.valid_policy = (ASN1_OBJECT *)id;
     l.data = &n;
 
+    sk_X509_POLICY_NODE_sort(nodes);
     if (!sk_X509_POLICY_NODE_find(nodes, &idx, &l))
         return NULL;
 

data/third_party/boringssl/crypto/x509v3/pcy_tree.c

@@ -543,9 +543,11 @@ static int tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes,
         *pnodes = policy_node_cmp_new();
         if (!*pnodes)
             return 0;
-    } else if (sk_X509_POLICY_NODE_find(*pnodes, NULL, pcy))
+    } else {
+      sk_X509_POLICY_NODE_sort(*pnodes);
+      if (sk_X509_POLICY_NODE_find(*pnodes, NULL, pcy))
         return 1;
-
+    }
     if (!sk_X509_POLICY_NODE_push(*pnodes, pcy))
         return 0;
 

data/third_party/boringssl/crypto/x509v3/v3_akey.c

@@ -66,6 +66,9 @@
 #include <openssl/obj.h>
 #include <openssl/x509v3.h>
 
+#include "internal.h"
+
+
 static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
                                                  AUTHORITY_KEYID *akeyid,
                                                  STACK_OF(CONF_VALUE)
@@ -92,14 +95,14 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
 {
     char *tmp;
     if (akeyid->keyid) {
-        tmp = hex_to_string(akeyid->keyid->data, akeyid->keyid->length);
+        tmp = x509v3_bytes_to_hex(akeyid->keyid->data, akeyid->keyid->length);
         X509V3_add_value("keyid", tmp, &extlist);
         OPENSSL_free(tmp);
     }
     if (akeyid->issuer)
         extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);
     if (akeyid->serial) {
-        tmp = hex_to_string(akeyid->serial->data, akeyid->serial->length);
+        tmp = x509v3_bytes_to_hex(akeyid->serial->data, akeyid->serial->length);
         X509V3_add_value("serial", tmp, &extlist);
         OPENSSL_free(tmp);
     }

data/third_party/boringssl/crypto/x509v3/v3_alt.c

@@ -64,6 +64,9 @@
 #include <openssl/obj.h>
 #include <openssl/x509v3.h>
 
+#include "internal.h"
+
+
 static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
                                       X509V3_CTX *ctx,
                                       STACK_OF(CONF_VALUE) *nval);
@@ -207,15 +210,18 @@ int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
         break;
 
     case GEN_EMAIL:
-        BIO_printf(out, "email:%s", gen->d.ia5->data);
+        BIO_printf(out, "email:");
+        ASN1_STRING_print(out, gen->d.ia5);
         break;
 
     case GEN_DNS:
-        BIO_printf(out, "DNS:%s", gen->d.ia5->data);
+        BIO_printf(out, "DNS:");
+        ASN1_STRING_print(out, gen->d.ia5);
         break;
 
     case GEN_URI:
-        BIO_printf(out, "URI:%s", gen->d.ia5->data);
+        BIO_printf(out, "URI:");
+        ASN1_STRING_print(out, gen->d.ia5);
         break;
 
     case GEN_DIRNAME:
@@ -261,7 +267,7 @@ static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
     }
     for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
         cnf = sk_CONF_VALUE_value(nval, i);
-        if (!name_cmp(cnf->name, "issuer") && cnf->value &&
+        if (!x509v3_name_cmp(cnf->name, "issuer") && cnf->value &&
             !strcmp(cnf->value, "copy")) {
             if (!copy_issuer(ctx, gens))
                 goto err;
@@ -331,11 +337,11 @@ static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
     }
     for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
         cnf = sk_CONF_VALUE_value(nval, i);
-        if (!name_cmp(cnf->name, "email") && cnf->value &&
+        if (!x509v3_name_cmp(cnf->name, "email") && cnf->value &&
             !strcmp(cnf->value, "copy")) {
             if (!copy_email(ctx, gens, 0))
                 goto err;
-        } else if (!name_cmp(cnf->name, "email") && cnf->value &&
+        } else if (!x509v3_name_cmp(cnf->name, "email") && cnf->value &&
                    !strcmp(cnf->value, "move")) {
             if (!copy_email(ctx, gens, 1))
                 goto err;
@@ -545,19 +551,19 @@ GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
         return NULL;
     }
 
-    if (!name_cmp(name, "email"))
+    if (!x509v3_name_cmp(name, "email"))
         type = GEN_EMAIL;
-    else if (!name_cmp(name, "URI"))
+    else if (!x509v3_name_cmp(name, "URI"))
         type = GEN_URI;
-    else if (!name_cmp(name, "DNS"))
+    else if (!x509v3_name_cmp(name, "DNS"))
         type = GEN_DNS;
-    else if (!name_cmp(name, "RID"))
+    else if (!x509v3_name_cmp(name, "RID"))
         type = GEN_RID;
-    else if (!name_cmp(name, "IP"))
+    else if (!x509v3_name_cmp(name, "IP"))
         type = GEN_IPADD;
-    else if (!name_cmp(name, "dirName"))
+    else if (!x509v3_name_cmp(name, "dirName"))
         type = GEN_DIRNAME;
-    else if (!name_cmp(name, "otherName"))
+    else if (!x509v3_name_cmp(name, "otherName"))
         type = GEN_OTHERNAME;
     else {
         OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNSUPPORTED_OPTION);

data/third_party/boringssl/crypto/x509v3/v3_conf.c

@@ -69,6 +69,7 @@
 #include <openssl/x509v3.h>
 
 #include "../internal.h"
+#include "internal.h"
 
 static int v3_check_critical(char **value);
 static int v3_check_generic(char **value);
@@ -278,7 +279,7 @@ static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
     }
 
     if (gen_type == 1)
-        ext_der = string_to_hex(value, &ext_len);
+        ext_der = x509v3_hex_to_bytes(value, &ext_len);
     else if (gen_type == 2)
         ext_der = generic_asn1(value, ctx, &ext_len);
 

data/third_party/boringssl/crypto/x509v3/v3_cpols.c

@@ -69,6 +69,7 @@
 #include <openssl/stack.h>
 #include <openssl/x509v3.h>
 
+#include "internal.h"
 #include "pcy_int.h"
 
 /* Certificate policies extension support: this one is a bit complex... */
@@ -231,7 +232,7 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx,
             }
             pol->policyid = pobj;
 
-        } else if (!name_cmp(cnf->name, "CPS")) {
+        } else if (!x509v3_name_cmp(cnf->name, "CPS")) {
             if (!pol->qualifiers)
                 pol->qualifiers = sk_POLICYQUALINFO_new_null();
             if (!(qual = POLICYQUALINFO_new()))
@@ -251,7 +252,7 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx,
             if (!ASN1_STRING_set(qual->d.cpsuri, cnf->value,
                                  strlen(cnf->value)))
                 goto merr;
-        } else if (!name_cmp(cnf->name, "userNotice")) {
+        } else if (!x509v3_name_cmp(cnf->name, "userNotice")) {
             STACK_OF(CONF_VALUE) *unot;
             if (*cnf->value != '@') {
                 OPENSSL_PUT_ERROR(X509V3, X509V3_R_EXPECTED_A_SECTION_NAME);

data/third_party/boringssl/crypto/x509v3/v3_genn.c

@@ -100,12 +100,7 @@ ASN1_ITEM_TEMPLATE_END(GENERAL_NAMES)
 
 IMPLEMENT_ASN1_FUNCTIONS(GENERAL_NAMES)
 
-GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a)
-{
-    return (GENERAL_NAME *)ASN1_dup((i2d_of_void *)i2d_GENERAL_NAME,
-                                    (d2i_of_void *)d2i_GENERAL_NAME,
-                                    (char *)a);
-}
+IMPLEMENT_ASN1_DUP_FUNCTION(GENERAL_NAME)
 
 /* Returns 0 if they are equal, != 0 otherwise. */
 int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)

data/third_party/boringssl/crypto/x509v3/v3_lib.c

@@ -116,6 +116,7 @@ const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid)
     if (!ext_list)
         return NULL;
 
+    sk_X509V3_EXT_METHOD_sort(ext_list);
     if (!sk_X509V3_EXT_METHOD_find(ext_list, &idx, &tmp))
         return NULL;
     return sk_X509V3_EXT_METHOD_value(ext_list, idx);

data/third_party/boringssl/crypto/x509v3/v3_ocsp.c

@@ -0,0 +1,68 @@
+/*
+ * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/x509v3.h>
+
+#include <openssl/asn1.h>
+#include <openssl/bio.h>
+#include <openssl/nid.h>
+
+/*
+ * OCSP extensions and a couple of CRL entry extensions
+ */
+
+static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *nonce,
+                            BIO *out, int indent);
+
+static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method,
+                            void *nocheck, BIO *out, int indent);
+static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method,
+                              X509V3_CTX *ctx, const char *str);
+
+const X509V3_EXT_METHOD v3_crl_invdate = {
+    NID_invalidity_date, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
+    0, 0, 0, 0,
+    0, 0,
+    0, 0,
+    i2r_ocsp_acutoff, 0,
+    NULL
+};
+
+const X509V3_EXT_METHOD v3_ocsp_nocheck = {
+    NID_id_pkix_OCSP_noCheck, 0, ASN1_ITEM_ref(ASN1_NULL),
+    0, 0, 0, 0,
+    0, s2i_ocsp_nocheck,
+    0, 0,
+    i2r_ocsp_nocheck, 0,
+    NULL
+};
+
+static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *cutoff,
+                            BIO *bp, int ind)
+{
+    if (BIO_printf(bp, "%*s", ind, "") <= 0)
+        return 0;
+    if (!ASN1_GENERALIZEDTIME_print(bp, cutoff))
+        return 0;
+    return 1;
+}
+
+/* Nocheck is just a single NULL. Don't print anything and always set it */
+
+static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, void *nocheck,
+                            BIO *out, int indent)
+{
+    return 1;
+}
+
+static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method,
+                              X509V3_CTX *ctx, const char *str)
+{
+    return ASN1_NULL_new();
+}

data/third_party/boringssl/crypto/x509v3/v3_pci.c

@@ -44,6 +44,7 @@
 #include <openssl/x509v3.h>
 
 #include "../internal.h"
+#include "internal.h"
 
 
 static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext,
@@ -123,7 +124,7 @@ static int process_pci_value(CONF_VALUE *val,
         }
         if (strncmp(val->value, "hex:", 4) == 0) {
             unsigned char *tmp_data2 =
-                string_to_hex(val->value + 4, &val_len);
+                x509v3_hex_to_bytes(val->value + 4, &val_len);
 
             if (!tmp_data2) {
                 OPENSSL_PUT_ERROR(X509V3, X509V3_R_ILLEGAL_HEX_DIGIT);

data/third_party/boringssl/crypto/x509v3/v3_purp.c

@@ -80,7 +80,6 @@
 
 static void x509v3_cache_extensions(X509 *x);
 
-static int check_ssl_ca(const X509 *x);
 static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
                                     int ca);
 static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,
@@ -205,6 +204,7 @@ int X509_PURPOSE_get_by_id(int purpose)
     if (!xptable)
         return -1;
 
+    sk_X509_PURPOSE_sort(xptable);
     if (!sk_X509_PURPOSE_find(xptable, &idx, &tmp))
         return -1;
     return idx + X509_PURPOSE_COUNT;
@@ -562,39 +562,20 @@ static void x509v3_cache_extensions(X509 *x)
     CRYPTO_MUTEX_unlock_write(&x->lock);
 }
 
-/*
- * CA checks common to all purposes return codes: 0 not a CA 1 is a CA 2
- * basicConstraints absent so "maybe" a CA 3 basicConstraints absent but self
- * signed V1. 4 basicConstraints absent but keyUsage present and keyCertSign
- * asserted.
- */
-
+/* check_ca returns one if |x| should be considered a CA certificate and zero
+ * otherwise. */
 static int check_ca(const X509 *x)
 {
     /* keyUsage if present should allow cert signing */
     if (ku_reject(x, KU_KEY_CERT_SIGN))
         return 0;
-    if (x->ex_flags & EXFLAG_BCONS) {
-        if (x->ex_flags & EXFLAG_CA)
-            return 1;
-        /* If basicConstraints says not a CA then say so */
-        else
-            return 0;
-    } else {
-        /* we support V1 roots for...  uh, I don't really know why. */
-        if ((x->ex_flags & V1_ROOT) == V1_ROOT)
-            return 3;
-        /*
-         * If key usage present it must have certSign so tolerate it
-         */
-        else if (x->ex_flags & EXFLAG_KUSAGE)
-            return 4;
-        /* Older certificates could have Netscape-specific CA types */
-        else if (x->ex_flags & EXFLAG_NSCERT && x->ex_nscert & NS_ANY_CA)
-            return 5;
-        /* can this still be regarded a CA certificate?  I doubt it */
-        return 0;
+    /* Version 1 certificates are considered CAs and don't have extensions. */
+    if ((x->ex_flags & V1_ROOT) == V1_ROOT) {
+        return 1;
     }
+    /* Otherwise, it's only a CA if basicConstraints says so. */
+    return ((x->ex_flags & EXFLAG_BCONS) &&
+            (x->ex_flags & EXFLAG_CA));
 }
 
 int X509_check_ca(X509 *x)
@@ -603,27 +584,13 @@ int X509_check_ca(X509 *x)
     return check_ca(x);
 }
 
-/* Check SSL CA: common checks for SSL client and server */
-static int check_ssl_ca(const X509 *x)
-{
-    int ca_ret;
-    ca_ret = check_ca(x);
-    if (!ca_ret)
-        return 0;
-    /* check nsCertType if present */
-    if (ca_ret != 5 || x->ex_nscert & NS_SSL_CA)
-        return ca_ret;
-    else
-        return 0;
-}
-
 static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
                                     int ca)
 {
     if (xku_reject(x, XKU_SSL_CLIENT))
         return 0;
     if (ca)
-        return check_ssl_ca(x);
+        return check_ca(x);
     /* We need to do digital signatures or key agreement */
     if (ku_reject(x, KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT))
         return 0;
@@ -644,10 +611,10 @@ static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
 static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,
                                     int ca)
 {
-    if (xku_reject(x, XKU_SSL_SERVER | XKU_SGC))
+    if (xku_reject(x, XKU_SSL_SERVER))
         return 0;
     if (ca)
-        return check_ssl_ca(x);
+        return check_ca(x);
 
     if (ns_reject(x, NS_SSL_SERVER))
         return 0;
@@ -671,29 +638,23 @@ static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x,
     return ret;
 }
 
-/* common S/MIME checks */
+/* purpose_smime returns one if |x| is a valid S/MIME leaf (|ca| is zero) or CA
+ * (|ca| is one) certificate, and zero otherwise. */
 static int purpose_smime(const X509 *x, int ca)
 {
     if (xku_reject(x, XKU_SMIME))
         return 0;
     if (ca) {
-        int ca_ret;
-        ca_ret = check_ca(x);
-        if (!ca_ret)
-            return 0;
         /* check nsCertType if present */
-        if (ca_ret != 5 || x->ex_nscert & NS_SMIME_CA)
-            return ca_ret;
-        else
-            return 0;
+        if ((x->ex_flags & EXFLAG_NSCERT) &&
+            (x->ex_nscert & NS_SMIME_CA) == 0) {
+          return 0;
+        }
+
+        return check_ca(x);
     }
     if (x->ex_flags & EXFLAG_NSCERT) {
-        if (x->ex_nscert & NS_SMIME)
-            return 1;
-        /* Workaround for some buggy certificates */
-        if (x->ex_nscert & NS_SSL_CLIENT)
-            return 2;
-        return 0;
+        return (x->ex_nscert & NS_SMIME) == NS_SMIME;
     }
     return 1;
 }
@@ -726,11 +687,7 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x,
                                   int ca)
 {
     if (ca) {
-        int ca_ret;
-        if ((ca_ret = check_ca(x)) != 2)
-            return ca_ret;
-        else
-            return 0;
+        return check_ca(x);
     }
     if (ku_reject(x, KU_CRL_SIGN))
         return 0;
@@ -744,10 +701,6 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x,
 
 static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
 {
-    /*
-     * Must be a valid CA.  Should we really support the "I don't know" value
-     * (2)?
-     */
     if (ca)
         return check_ca(x);
     /* leaf certificate is checked in OCSP_verify() */
@@ -864,3 +817,28 @@ int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
     }
     return X509_V_OK;
 }
+
+uint32_t X509_get_extension_flags(X509 *x)
+{
+    /* Call for side-effect of computing hash and caching extensions */
+    X509_check_purpose(x, -1, -1);
+    return x->ex_flags;
+}
+
+uint32_t X509_get_key_usage(X509 *x)
+{
+    /* Call for side-effect of computing hash and caching extensions */
+    X509_check_purpose(x, -1, -1);
+    if (x->ex_flags & EXFLAG_KUSAGE)
+        return x->ex_kusage;
+    return UINT32_MAX;
+}
+
+uint32_t X509_get_extended_key_usage(X509 *x)
+{
+    /* Call for side-effect of computing hash and caching extensions */
+    X509_check_purpose(x, -1, -1);
+    if (x->ex_flags & EXFLAG_XKUSAGE)
+        return x->ex_xkusage;
+    return UINT32_MAX;
+}