v3_ncons.c 17 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583
  1. /*
  2. * Copyright 2003-2017 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include "internal/cryptlib.h"
  10. #include "internal/numbers.h"
  11. #include <stdio.h>
  12. #include "internal/asn1_int.h"
  13. #include <openssl/asn1t.h>
  14. #include <openssl/conf.h>
  15. #include <openssl/x509v3.h>
  16. #include "internal/x509_int.h"
  17. #include "ext_dat.h"
  18. static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
  19. X509V3_CTX *ctx,
  20. STACK_OF(CONF_VALUE) *nval);
  21. static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
  22. BIO *bp, int ind);
  23. static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
  24. STACK_OF(GENERAL_SUBTREE) *trees, BIO *bp,
  25. int ind, const char *name);
  26. static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip);
  27. static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc);
  28. static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen);
  29. static int nc_dn(X509_NAME *sub, X509_NAME *nm);
  30. static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns);
  31. static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml);
  32. static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base);
  33. static int nc_ip(ASN1_OCTET_STRING *ip, ASN1_OCTET_STRING *base);
  34. const X509V3_EXT_METHOD v3_name_constraints = {
  35. NID_name_constraints, 0,
  36. ASN1_ITEM_ref(NAME_CONSTRAINTS),
  37. 0, 0, 0, 0,
  38. 0, 0,
  39. 0, v2i_NAME_CONSTRAINTS,
  40. i2r_NAME_CONSTRAINTS, 0,
  41. NULL
  42. };
  43. ASN1_SEQUENCE(GENERAL_SUBTREE) = {
  44. ASN1_SIMPLE(GENERAL_SUBTREE, base, GENERAL_NAME),
  45. ASN1_IMP_OPT(GENERAL_SUBTREE, minimum, ASN1_INTEGER, 0),
  46. ASN1_IMP_OPT(GENERAL_SUBTREE, maximum, ASN1_INTEGER, 1)
  47. } ASN1_SEQUENCE_END(GENERAL_SUBTREE)
  48. ASN1_SEQUENCE(NAME_CONSTRAINTS) = {
  49. ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, permittedSubtrees,
  50. GENERAL_SUBTREE, 0),
  51. ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, excludedSubtrees,
  52. GENERAL_SUBTREE, 1),
  53. } ASN1_SEQUENCE_END(NAME_CONSTRAINTS)
  54. IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
  55. IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
  56. /*
  57. * We cannot use strncasecmp here because that applies locale specific rules.
  58. * For example in Turkish 'I' is not the uppercase character for 'i'. We need to
  59. * do a simple ASCII case comparison ignoring the locale (that is why we use
  60. * numeric constants below).
  61. */
  62. static int ia5ncasecmp(const char *s1, const char *s2, size_t n)
  63. {
  64. for (; n > 0; n--, s1++, s2++) {
  65. if (*s1 != *s2) {
  66. unsigned char c1 = (unsigned char)*s1, c2 = (unsigned char)*s2;
  67. /* Convert to lower case */
  68. if (c1 >= 0x41 /* A */ && c1 <= 0x5A /* Z */)
  69. c1 += 0x20;
  70. if (c2 >= 0x41 /* A */ && c2 <= 0x5A /* Z */)
  71. c2 += 0x20;
  72. if (c1 == c2)
  73. continue;
  74. if (c1 < c2)
  75. return -1;
  76. /* c1 > c2 */
  77. return 1;
  78. } else if (*s1 == 0) {
  79. /* If we get here we know that *s2 == 0 too */
  80. return 0;
  81. }
  82. }
  83. return 0;
  84. }
  85. static int ia5casecmp(const char *s1, const char *s2)
  86. {
  87. return ia5ncasecmp(s1, s2, SIZE_MAX);
  88. }
  89. static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
  90. X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
  91. {
  92. int i;
  93. CONF_VALUE tval, *val;
  94. STACK_OF(GENERAL_SUBTREE) **ptree = NULL;
  95. NAME_CONSTRAINTS *ncons = NULL;
  96. GENERAL_SUBTREE *sub = NULL;
  97. ncons = NAME_CONSTRAINTS_new();
  98. if (ncons == NULL)
  99. goto memerr;
  100. for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
  101. val = sk_CONF_VALUE_value(nval, i);
  102. if (strncmp(val->name, "permitted", 9) == 0 && val->name[9]) {
  103. ptree = &ncons->permittedSubtrees;
  104. tval.name = val->name + 10;
  105. } else if (strncmp(val->name, "excluded", 8) == 0 && val->name[8]) {
  106. ptree = &ncons->excludedSubtrees;
  107. tval.name = val->name + 9;
  108. } else {
  109. X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, X509V3_R_INVALID_SYNTAX);
  110. goto err;
  111. }
  112. tval.value = val->value;
  113. sub = GENERAL_SUBTREE_new();
  114. if (sub == NULL)
  115. goto memerr;
  116. if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1))
  117. goto err;
  118. if (*ptree == NULL)
  119. *ptree = sk_GENERAL_SUBTREE_new_null();
  120. if (*ptree == NULL || !sk_GENERAL_SUBTREE_push(*ptree, sub))
  121. goto memerr;
  122. sub = NULL;
  123. }
  124. return ncons;
  125. memerr:
  126. X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
  127. err:
  128. NAME_CONSTRAINTS_free(ncons);
  129. GENERAL_SUBTREE_free(sub);
  130. return NULL;
  131. }
  132. static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
  133. BIO *bp, int ind)
  134. {
  135. NAME_CONSTRAINTS *ncons = a;
  136. do_i2r_name_constraints(method, ncons->permittedSubtrees,
  137. bp, ind, "Permitted");
  138. do_i2r_name_constraints(method, ncons->excludedSubtrees,
  139. bp, ind, "Excluded");
  140. return 1;
  141. }
  142. static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
  143. STACK_OF(GENERAL_SUBTREE) *trees,
  144. BIO *bp, int ind, const char *name)
  145. {
  146. GENERAL_SUBTREE *tree;
  147. int i;
  148. if (sk_GENERAL_SUBTREE_num(trees) > 0)
  149. BIO_printf(bp, "%*s%s:\n", ind, "", name);
  150. for (i = 0; i < sk_GENERAL_SUBTREE_num(trees); i++) {
  151. tree = sk_GENERAL_SUBTREE_value(trees, i);
  152. BIO_printf(bp, "%*s", ind + 2, "");
  153. if (tree->base->type == GEN_IPADD)
  154. print_nc_ipadd(bp, tree->base->d.ip);
  155. else
  156. GENERAL_NAME_print(bp, tree->base);
  157. BIO_puts(bp, "\n");
  158. }
  159. return 1;
  160. }
  161. static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip)
  162. {
  163. int i, len;
  164. unsigned char *p;
  165. p = ip->data;
  166. len = ip->length;
  167. BIO_puts(bp, "IP:");
  168. if (len == 8) {
  169. BIO_printf(bp, "%d.%d.%d.%d/%d.%d.%d.%d",
  170. p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7]);
  171. } else if (len == 32) {
  172. for (i = 0; i < 16; i++) {
  173. BIO_printf(bp, "%X", p[0] << 8 | p[1]);
  174. p += 2;
  175. if (i == 7)
  176. BIO_puts(bp, "/");
  177. else if (i != 15)
  178. BIO_puts(bp, ":");
  179. }
  180. } else
  181. BIO_printf(bp, "IP Address:<invalid>");
  182. return 1;
  183. }
  184. #define NAME_CHECK_MAX (1 << 20)
  185. static int add_lengths(int *out, int a, int b)
  186. {
  187. /* sk_FOO_num(NULL) returns -1 but is effectively 0 when iterating. */
  188. if (a < 0)
  189. a = 0;
  190. if (b < 0)
  191. b = 0;
  192. if (a > INT_MAX - b)
  193. return 0;
  194. *out = a + b;
  195. return 1;
  196. }
  197. /*-
  198. * Check a certificate conforms to a specified set of constraints.
  199. * Return values:
  200. * X509_V_OK: All constraints obeyed.
  201. * X509_V_ERR_PERMITTED_VIOLATION: Permitted subtree violation.
  202. * X509_V_ERR_EXCLUDED_VIOLATION: Excluded subtree violation.
  203. * X509_V_ERR_SUBTREE_MINMAX: Min or max values present and matching type.
  204. * X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: Unsupported constraint type.
  205. * X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: bad unsupported constraint syntax.
  206. * X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: bad or unsupported syntax of name
  207. */
  208. int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
  209. {
  210. int r, i, name_count, constraint_count;
  211. X509_NAME *nm;
  212. nm = X509_get_subject_name(x);
  213. /*
  214. * Guard against certificates with an excessive number of names or
  215. * constraints causing a computationally expensive name constraints check.
  216. */
  217. if (!add_lengths(&name_count, X509_NAME_entry_count(nm),
  218. sk_GENERAL_NAME_num(x->altname))
  219. || !add_lengths(&constraint_count,
  220. sk_GENERAL_SUBTREE_num(nc->permittedSubtrees),
  221. sk_GENERAL_SUBTREE_num(nc->excludedSubtrees))
  222. || (name_count > 0 && constraint_count > NAME_CHECK_MAX / name_count))
  223. return X509_V_ERR_UNSPECIFIED;
  224. if (X509_NAME_entry_count(nm) > 0) {
  225. GENERAL_NAME gntmp;
  226. gntmp.type = GEN_DIRNAME;
  227. gntmp.d.directoryName = nm;
  228. r = nc_match(&gntmp, nc);
  229. if (r != X509_V_OK)
  230. return r;
  231. gntmp.type = GEN_EMAIL;
  232. /* Process any email address attributes in subject name */
  233. for (i = -1;;) {
  234. const X509_NAME_ENTRY *ne;
  235. i = X509_NAME_get_index_by_NID(nm, NID_pkcs9_emailAddress, i);
  236. if (i == -1)
  237. break;
  238. ne = X509_NAME_get_entry(nm, i);
  239. gntmp.d.rfc822Name = X509_NAME_ENTRY_get_data(ne);
  240. if (gntmp.d.rfc822Name->type != V_ASN1_IA5STRING)
  241. return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
  242. r = nc_match(&gntmp, nc);
  243. if (r != X509_V_OK)
  244. return r;
  245. }
  246. }
  247. for (i = 0; i < sk_GENERAL_NAME_num(x->altname); i++) {
  248. GENERAL_NAME *gen = sk_GENERAL_NAME_value(x->altname, i);
  249. r = nc_match(gen, nc);
  250. if (r != X509_V_OK)
  251. return r;
  252. }
  253. return X509_V_OK;
  254. }
  255. int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc)
  256. {
  257. int r, i;
  258. X509_NAME *nm;
  259. ASN1_STRING stmp;
  260. GENERAL_NAME gntmp;
  261. stmp.flags = 0;
  262. stmp.type = V_ASN1_IA5STRING;
  263. gntmp.type = GEN_DNS;
  264. gntmp.d.dNSName = &stmp;
  265. nm = X509_get_subject_name(x);
  266. /* Process any commonName attributes in subject name */
  267. for (i = -1;;) {
  268. X509_NAME_ENTRY *ne;
  269. ASN1_STRING *hn;
  270. i = X509_NAME_get_index_by_NID(nm, NID_commonName, i);
  271. if (i == -1)
  272. break;
  273. ne = X509_NAME_get_entry(nm, i);
  274. hn = X509_NAME_ENTRY_get_data(ne);
  275. /* Only process attributes that look like host names */
  276. if (asn1_valid_host(hn)) {
  277. unsigned char *h;
  278. int hlen = ASN1_STRING_to_UTF8(&h, hn);
  279. if (hlen <= 0)
  280. return X509_V_ERR_OUT_OF_MEM;
  281. stmp.length = hlen;
  282. stmp.data = h;
  283. r = nc_match(&gntmp, nc);
  284. OPENSSL_free(h);
  285. if (r != X509_V_OK)
  286. return r;
  287. }
  288. }
  289. return X509_V_OK;
  290. }
  291. static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
  292. {
  293. GENERAL_SUBTREE *sub;
  294. int i, r, match = 0;
  295. /*
  296. * Permitted subtrees: if any subtrees exist of matching the type at
  297. * least one subtree must match.
  298. */
  299. for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) {
  300. sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
  301. if (gen->type != sub->base->type)
  302. continue;
  303. if (sub->minimum || sub->maximum)
  304. return X509_V_ERR_SUBTREE_MINMAX;
  305. /* If we already have a match don't bother trying any more */
  306. if (match == 2)
  307. continue;
  308. if (match == 0)
  309. match = 1;
  310. r = nc_match_single(gen, sub->base);
  311. if (r == X509_V_OK)
  312. match = 2;
  313. else if (r != X509_V_ERR_PERMITTED_VIOLATION)
  314. return r;
  315. }
  316. if (match == 1)
  317. return X509_V_ERR_PERMITTED_VIOLATION;
  318. /* Excluded subtrees: must not match any of these */
  319. for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) {
  320. sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);
  321. if (gen->type != sub->base->type)
  322. continue;
  323. if (sub->minimum || sub->maximum)
  324. return X509_V_ERR_SUBTREE_MINMAX;
  325. r = nc_match_single(gen, sub->base);
  326. if (r == X509_V_OK)
  327. return X509_V_ERR_EXCLUDED_VIOLATION;
  328. else if (r != X509_V_ERR_PERMITTED_VIOLATION)
  329. return r;
  330. }
  331. return X509_V_OK;
  332. }
  333. static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base)
  334. {
  335. switch (base->type) {
  336. case GEN_DIRNAME:
  337. return nc_dn(gen->d.directoryName, base->d.directoryName);
  338. case GEN_DNS:
  339. return nc_dns(gen->d.dNSName, base->d.dNSName);
  340. case GEN_EMAIL:
  341. return nc_email(gen->d.rfc822Name, base->d.rfc822Name);
  342. case GEN_URI:
  343. return nc_uri(gen->d.uniformResourceIdentifier,
  344. base->d.uniformResourceIdentifier);
  345. case GEN_IPADD:
  346. return nc_ip(gen->d.iPAddress, base->d.iPAddress);
  347. default:
  348. return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
  349. }
  350. }
  351. /*
  352. * directoryName name constraint matching. The canonical encoding of
  353. * X509_NAME makes this comparison easy. It is matched if the subtree is a
  354. * subset of the name.
  355. */
  356. static int nc_dn(X509_NAME *nm, X509_NAME *base)
  357. {
  358. /* Ensure canonical encodings are up to date. */
  359. if (nm->modified && i2d_X509_NAME(nm, NULL) < 0)
  360. return X509_V_ERR_OUT_OF_MEM;
  361. if (base->modified && i2d_X509_NAME(base, NULL) < 0)
  362. return X509_V_ERR_OUT_OF_MEM;
  363. if (base->canon_enclen > nm->canon_enclen)
  364. return X509_V_ERR_PERMITTED_VIOLATION;
  365. if (memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen))
  366. return X509_V_ERR_PERMITTED_VIOLATION;
  367. return X509_V_OK;
  368. }
  369. static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
  370. {
  371. char *baseptr = (char *)base->data;
  372. char *dnsptr = (char *)dns->data;
  373. /* Empty matches everything */
  374. if (!*baseptr)
  375. return X509_V_OK;
  376. /*
  377. * Otherwise can add zero or more components on the left so compare RHS
  378. * and if dns is longer and expect '.' as preceding character.
  379. */
  380. if (dns->length > base->length) {
  381. dnsptr += dns->length - base->length;
  382. if (*baseptr != '.' && dnsptr[-1] != '.')
  383. return X509_V_ERR_PERMITTED_VIOLATION;
  384. }
  385. if (ia5casecmp(baseptr, dnsptr))
  386. return X509_V_ERR_PERMITTED_VIOLATION;
  387. return X509_V_OK;
  388. }
  389. static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
  390. {
  391. const char *baseptr = (char *)base->data;
  392. const char *emlptr = (char *)eml->data;
  393. const char *baseat = strchr(baseptr, '@');
  394. const char *emlat = strchr(emlptr, '@');
  395. if (!emlat)
  396. return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
  397. /* Special case: initial '.' is RHS match */
  398. if (!baseat && (*baseptr == '.')) {
  399. if (eml->length > base->length) {
  400. emlptr += eml->length - base->length;
  401. if (ia5casecmp(baseptr, emlptr) == 0)
  402. return X509_V_OK;
  403. }
  404. return X509_V_ERR_PERMITTED_VIOLATION;
  405. }
  406. /* If we have anything before '@' match local part */
  407. if (baseat) {
  408. if (baseat != baseptr) {
  409. if ((baseat - baseptr) != (emlat - emlptr))
  410. return X509_V_ERR_PERMITTED_VIOLATION;
  411. /* Case sensitive match of local part */
  412. if (strncmp(baseptr, emlptr, emlat - emlptr))
  413. return X509_V_ERR_PERMITTED_VIOLATION;
  414. }
  415. /* Position base after '@' */
  416. baseptr = baseat + 1;
  417. }
  418. emlptr = emlat + 1;
  419. /* Just have hostname left to match: case insensitive */
  420. if (ia5casecmp(baseptr, emlptr))
  421. return X509_V_ERR_PERMITTED_VIOLATION;
  422. return X509_V_OK;
  423. }
  424. static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
  425. {
  426. const char *baseptr = (char *)base->data;
  427. const char *hostptr = (char *)uri->data;
  428. const char *p = strchr(hostptr, ':');
  429. int hostlen;
  430. /* Check for foo:// and skip past it */
  431. if (!p || (p[1] != '/') || (p[2] != '/'))
  432. return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
  433. hostptr = p + 3;
  434. /* Determine length of hostname part of URI */
  435. /* Look for a port indicator as end of hostname first */
  436. p = strchr(hostptr, ':');
  437. /* Otherwise look for trailing slash */
  438. if (!p)
  439. p = strchr(hostptr, '/');
  440. if (!p)
  441. hostlen = strlen(hostptr);
  442. else
  443. hostlen = p - hostptr;
  444. if (hostlen == 0)
  445. return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
  446. /* Special case: initial '.' is RHS match */
  447. if (*baseptr == '.') {
  448. if (hostlen > base->length) {
  449. p = hostptr + hostlen - base->length;
  450. if (ia5ncasecmp(p, baseptr, base->length) == 0)
  451. return X509_V_OK;
  452. }
  453. return X509_V_ERR_PERMITTED_VIOLATION;
  454. }
  455. if ((base->length != (int)hostlen)
  456. || ia5ncasecmp(hostptr, baseptr, hostlen))
  457. return X509_V_ERR_PERMITTED_VIOLATION;
  458. return X509_V_OK;
  459. }
  460. static int nc_ip(ASN1_OCTET_STRING *ip, ASN1_OCTET_STRING *base)
  461. {
  462. int hostlen, baselen, i;
  463. unsigned char *hostptr, *baseptr, *maskptr;
  464. hostptr = ip->data;
  465. hostlen = ip->length;
  466. baseptr = base->data;
  467. baselen = base->length;
  468. /* Invalid if not IPv4 or IPv6 */
  469. if (!((hostlen == 4) || (hostlen == 16)))
  470. return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
  471. if (!((baselen == 8) || (baselen == 32)))
  472. return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
  473. /* Do not match IPv4 with IPv6 */
  474. if (hostlen * 2 != baselen)
  475. return X509_V_ERR_PERMITTED_VIOLATION;
  476. maskptr = base->data + hostlen;
  477. /* Considering possible not aligned base ipAddress */
  478. /* Not checking for wrong mask definition: i.e.: 255.0.255.0 */
  479. for (i = 0; i < hostlen; i++)
  480. if ((hostptr[i] & maskptr[i]) != (baseptr[i] & maskptr[i]))
  481. return X509_V_ERR_PERMITTED_VIOLATION;
  482. return X509_V_OK;
  483. }