s4: import lorikeet-heimdal-200810271034

metze

1 files changed, 121 insertions, 121 deletions

diff --git a/source4/heimdal/lib/hx509/cert.c b/source4/heimdal/lib/hx509/cert.c
index 3597896c0c..121847faaa 100644
--- a/source4/heimdal/lib/hx509/cert.c
+++ b/source4/heimdal/lib/hx509/cert.c
@@ -1,34 +1,34 @@
 /*
- * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
- *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
- *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
- *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
 #include "hx_locl.h"
@@ -141,7 +141,7 @@ hx509_context_init(hx509_context *context)
  * the existans of a revokation method (OCSP, CRL) or not. Note that
  * hx509_verify_path(), hx509_cms_verify_signed(), and other function
  * call hx509_revoke_verify().
- * 
+ *
  * @param context hx509 context to change the flag for.
  * @param flag zero, revokation method required, non zero missing
  * revokation method ok
@@ -160,7 +160,7 @@ hx509_context_set_missing_revoke(hx509_context context, int flag)
 
 /**
  * Free the context allocated by hx509_context_init().
- * 
+ *
  * @param context context to be freed.
  *
  * @ingroup hx509
@@ -205,7 +205,7 @@ _hx509_cert_get_version(const Certificate *t)
 
 /**
  * Allocate and init an hx509 certificate object from the decoded
- * certificate `c´.
+ * certificate `c´.
  *
  * @param context A hx509 context.
  * @param c
@@ -268,7 +268,7 @@ hx509_cert_init(hx509_context context, const Certificate *c, hx509_cert *cert)
  */
 
 int
-hx509_cert_init_data(hx509_context context, 
+hx509_cert_init_data(hx509_context context,
 		     const void *ptr,
 		     size_t len,
 		     hx509_cert *cert)
@@ -294,7 +294,7 @@ hx509_cert_init_data(hx509_context context,
 }
 
 void
-_hx509_cert_set_release(hx509_cert cert, 
+_hx509_cert_set_release(hx509_cert cert,
 			_hx509_cert_release_func release,
 			void *ctx)
 {
@@ -383,7 +383,7 @@ hx509_cert_ref(hx509_cert cert)
 
 /**
  * Allocate an verification context that is used fo control the
- * verification process. 
+ * verification process.
  *
  * @param context A hx509 context.
  * @param ctx returns a pointer to a hx509_verify_ctx object.
@@ -405,7 +405,7 @@ hx509_verify_init_ctx(hx509_context context, hx509_verify_ctx *ctx)
     c->max_depth = HX509_VERIFY_MAX_DEPTH;
 
     *ctx = c;
-    
+
     return 0;
 }
 
@@ -576,7 +576,7 @@ find_extension(const Certificate *cert, const heim_oid *oid, int *idx)
 
     if (c->version == NULL || *c->version < 2 || c->extensions == NULL)
 	return NULL;
-    
+
     for (;*idx < c->extensions->len; (*idx)++) {
 	if (der_heim_oid_cmp(&c->extensions->val[*idx].extnID, oid) == 0)
 	    return &c->extensions->val[(*idx)++];
@@ -585,7 +585,7 @@ find_extension(const Certificate *cert, const heim_oid *oid, int *idx)
 }
 
 static int
-find_extension_auth_key_id(const Certificate *subject, 
+find_extension_auth_key_id(const Certificate *subject,
 			   AuthorityKeyIdentifier *ai)
 {
     const Extension *e;
@@ -597,9 +597,9 @@ find_extension_auth_key_id(const Certificate *subject,
     e = find_extension(subject, oid_id_x509_ce_authorityKeyIdentifier(), &i);
     if (e == NULL)
 	return HX509_EXTENSION_NOT_FOUND;
-    
-    return decode_AuthorityKeyIdentifier(e->extnValue.data, 
-					 e->extnValue.length, 
+
+    return decode_AuthorityKeyIdentifier(e->extnValue.data,
+					 e->extnValue.length,
 					 ai, &size);
 }
 
@@ -616,14 +616,14 @@ _hx509_find_extension_subject_key_id(const Certificate *issuer,
     e = find_extension(issuer, oid_id_x509_ce_subjectKeyIdentifier(), &i);
     if (e == NULL)
 	return HX509_EXTENSION_NOT_FOUND;
-    
-    return decode_SubjectKeyIdentifier(e->extnValue.data, 
+
+    return decode_SubjectKeyIdentifier(e->extnValue.data,
 				       e->extnValue.length,
 				       si, &size);
 }
 
 static int
-find_extension_name_constraints(const Certificate *subject, 
+find_extension_name_constraints(const Certificate *subject,
 				NameConstraints *nc)
 {
     const Extension *e;
@@ -635,9 +635,9 @@ find_extension_name_constraints(const Certificate *subject,
     e = find_extension(subject, oid_id_x509_ce_nameConstraints(), &i);
     if (e == NULL)
 	return HX509_EXTENSION_NOT_FOUND;
-    
-    return decode_NameConstraints(e->extnValue.data, 
-				  e->extnValue.length, 
+
+    return decode_NameConstraints(e->extnValue.data,
+				  e->extnValue.length,
 				  nc, &size);
 }
 
@@ -653,8 +653,8 @@ find_extension_subject_alt_name(const Certificate *cert, int *i,
     e = find_extension(cert, oid_id_x509_ce_subjectAltName(), i);
     if (e == NULL)
 	return HX509_EXTENSION_NOT_FOUND;
-    
-    return decode_GeneralNames(e->extnValue.data, 
+
+    return decode_GeneralNames(e->extnValue.data,
 			       e->extnValue.length,
 			       sa, &size);
 }
@@ -671,8 +671,8 @@ find_extension_eku(const Certificate *cert, ExtKeyUsage *eku)
     e = find_extension(cert, oid_id_x509_ce_extKeyUsage(), &i);
     if (e == NULL)
 	return HX509_EXTENSION_NOT_FOUND;
-    
-    return decode_ExtKeyUsage(e->extnValue.data, 
+
+    return decode_ExtKeyUsage(e->extnValue.data,
 			      e->extnValue.length,
 			      eku, &size);
 }
@@ -716,7 +716,7 @@ hx509_free_octet_string_list(hx509_octet_string_list *list)
 
 /**
  * Return a list of subjectAltNames specified by oid in the
- * certificate. On error the 
+ * certificate. On error the
  *
  * The returned list of octet string should be freed with
  * hx509_free_octet_string_list().
@@ -758,11 +758,11 @@ hx509_cert_find_subjectAltName_otherName(hx509_context context,
 
 	for (j = 0; j < sa.len; j++) {
 	    if (sa.val[j].element == choice_GeneralName_otherName &&
-		der_heim_oid_cmp(&sa.val[j].u.otherName.type_id, oid) == 0) 
+		der_heim_oid_cmp(&sa.val[j].u.otherName.type_id, oid) == 0)
 	    {
 		ret = add_to_list(list, &sa.val[j].u.otherName.value);
 		if (ret) {
-		    hx509_set_error_string(context, 0, ret, 
+		    hx509_set_error_string(context, 0, ret,
 					   "Error adding an exra SAN to "
 					   "return list");
 		    hx509_free_octet_string_list(list);
@@ -778,7 +778,7 @@ hx509_cert_find_subjectAltName_otherName(hx509_context context,
 
 
 static int
-check_key_usage(hx509_context context, const Certificate *cert, 
+check_key_usage(hx509_context context, const Certificate *cert,
 		unsigned flags, int req_present)
 {
     const Extension *e;
@@ -800,7 +800,7 @@ check_key_usage(hx509_context context, const Certificate *cert,
 	}
 	return 0;
     }
-    
+
     ret = decode_KeyUsage(e->extnValue.data, e->extnValue.length, &ku, &size);
     if (ret)
 	return ret;
@@ -827,7 +827,7 @@ check_key_usage(hx509_context context, const Certificate *cert,
  */
 
 int
-_hx509_check_key_usage(hx509_context context, hx509_cert cert, 
+_hx509_check_key_usage(hx509_context context, hx509_cert cert,
 		       unsigned flags, int req_present)
 {
     return check_key_usage(context, _hx509_get_cert(cert), flags, req_present);
@@ -836,7 +836,7 @@ _hx509_check_key_usage(hx509_context context, hx509_cert cert,
 enum certtype { PROXY_CERT, EE_CERT, CA_CERT };
 
 static int
-check_basic_constraints(hx509_context context, const Certificate *cert, 
+check_basic_constraints(hx509_context context, const Certificate *cert,
 			enum certtype type, int depth)
 {
     BasicConstraints bc;
@@ -865,8 +865,8 @@ check_basic_constraints(hx509_context context, const Certificate *cert,
 	}
 	}
     }
-    
-    ret = decode_BasicConstraints(e->extnValue.data, 
+
+    ret = decode_BasicConstraints(e->extnValue.data,
 				  e->extnValue.length, &bc,
 				  &size);
     if (ret)
@@ -901,14 +901,14 @@ _hx509_cert_is_parent_cmp(const Certificate *subject,
     SubjectKeyIdentifier si;
     int ret_ai, ret_si, ret;
 
-    ret = _hx509_name_cmp(&issuer->tbsCertificate.subject, 
+    ret = _hx509_name_cmp(&issuer->tbsCertificate.subject,
 			  &subject->tbsCertificate.issuer,
 			  &diff);
     if (ret)
 	return ret;
     if (diff)
 	return diff;
-    
+
     memset(&ai, 0, sizeof(ai));
     memset(&si, 0, sizeof(si));
 
@@ -937,7 +937,7 @@ _hx509_cert_is_parent_cmp(const Certificate *subject,
 	    goto out;
 	}
     }
-    
+
     if (ai.keyIdentifier == NULL) {
 	Name name;
 
@@ -946,7 +946,7 @@ _hx509_cert_is_parent_cmp(const Certificate *subject,
 	if (ai.authorityCertSerialNumber == NULL)
 	    return -1;
 
-	diff = der_heim_integer_cmp(ai.authorityCertSerialNumber, 
+	diff = der_heim_integer_cmp(ai.authorityCertSerialNumber,
 				    &issuer->tbsCertificate.serialNumber);
 	if (diff)
 	    return diff;
@@ -955,12 +955,12 @@ _hx509_cert_is_parent_cmp(const Certificate *subject,
 	if (ai.authorityCertIssuer->val[0].element != choice_GeneralName_directoryName)
 	    return -1;
 	
-	name.element = 
+	name.element =
 	    ai.authorityCertIssuer->val[0].u.directoryName.element;
-	name.u.rdnSequence = 
+	name.u.rdnSequence =
 	    ai.authorityCertIssuer->val[0].u.directoryName.u.rdnSequence;
 
-	ret = _hx509_name_cmp(&issuer->tbsCertificate.subject, 
+	ret = _hx509_name_cmp(&issuer->tbsCertificate.subject,
 			      &name,
 			      &diff);
 	if (ret)
@@ -1008,7 +1008,7 @@ certificate_is_self_signed(hx509_context context,
 			   int *self_signed)
 {
     int ret, diff;
-    ret = _hx509_name_cmp(&cert->tbsCertificate.subject, 
+    ret = _hx509_name_cmp(&cert->tbsCertificate.subject,
 			  &cert->tbsCertificate.issuer, &diff);
     *self_signed = (diff == 0);
     if (ret)
@@ -1033,7 +1033,7 @@ find_parent(hx509_context context,
 	    time_t time_now,
 	    hx509_certs trust_anchors,
 	    hx509_path *path,
-	    hx509_certs pool, 
+	    hx509_certs pool,
 	    hx509_cert current,
 	    hx509_cert *parent)
 {
@@ -1043,7 +1043,7 @@ find_parent(hx509_context context,
 
     *parent = NULL;
     memset(&ai, 0, sizeof(ai));
-    
+
     _hx509_query_clear(&q);
 
     if (!subject_null_p(current->data)) {
@@ -1122,8 +1122,8 @@ find_parent(hx509_context context,
  */
 
 static int
-is_proxy_cert(hx509_context context, 
-	      const Certificate *cert, 
+is_proxy_cert(hx509_context context,
+	      const Certificate *cert,
 	      ProxyCertInfo *rinfo)
 {
     ProxyCertInfo info;
@@ -1140,8 +1140,8 @@ is_proxy_cert(hx509_context context,
 	return HX509_EXTENSION_NOT_FOUND;
     }
 
-    ret = decode_ProxyCertInfo(e->extnValue.data, 
-			       e->extnValue.length, 
+    ret = decode_ProxyCertInfo(e->extnValue.data,
+			       e->extnValue.length,
 			       &info,
 			       &size);
     if (ret) {
@@ -1151,7 +1151,7 @@ is_proxy_cert(hx509_context context,
     if (size != e->extnValue.length) {
 	free_ProxyCertInfo(&info);
 	hx509_clear_error_string(context);
-	return HX509_EXTRA_DATA_AFTER_STRUCTURE; 
+	return HX509_EXTRA_DATA_AFTER_STRUCTURE;
     }
     if (rinfo == NULL)
 	free_ProxyCertInfo(&info);
@@ -1187,7 +1187,7 @@ void
 _hx509_path_free(hx509_path *path)
 {
     unsigned i;
-    
+
     for (i = 0; i < path->len; i++)
 	hx509_cert_free(path->val[i]);
     free(path->val);
@@ -1208,7 +1208,7 @@ _hx509_path_free(hx509_path *path)
  * The path includes a path from the top certificate to the anchor
  * certificate.
  *
- * The caller needs to free `path´ both on successful built path and
+ * The caller needs to free `path´ both on successful built path and
  * failure.
  */
 
@@ -1236,7 +1236,7 @@ _hx509_calculate_path(hx509_context context,
 
     while (!certificate_is_anchor(context, anchors, current)) {
 
-	ret = find_parent(context, time_now, anchors, path, 
+	ret = find_parent(context, time_now, anchors, path,
 			  pool, current, &parent);
 	hx509_cert_free(current);
 	if (ret)
@@ -1256,8 +1256,8 @@ _hx509_calculate_path(hx509_context context,
 	}
     }
 
-    if ((flags & HX509_CALCULATE_PATH_NO_ANCHOR) && 
-	path->len > 0 && 
+    if ((flags & HX509_CALCULATE_PATH_NO_ANCHOR) &&
+	path->len > 0 &&
 	certificate_is_anchor(context, anchors, path->val[path->len - 1]))
     {
 	hx509_cert_free(path->val[path->len - 1]);
@@ -1297,7 +1297,7 @@ _hx509_Certificate_cmp(const Certificate *p, const Certificate *q)
     diff = der_heim_bit_string_cmp(&p->signatureValue, &q->signatureValue);
     if (diff)
 	return diff;
-    diff = _hx509_AlgorithmIdentifier_cmp(&p->signatureAlgorithm, 
+    diff = _hx509_AlgorithmIdentifier_cmp(&p->signatureAlgorithm,
 					  &q->signatureAlgorithm);
     if (diff)
 	return diff;
@@ -1481,7 +1481,7 @@ hx509_cert_get_SPKI(hx509_context context, hx509_cert p, SubjectPublicKeyInfo *s
 
 int
 hx509_cert_get_SPKI_AlgorithmIdentifier(hx509_context context,
-					hx509_cert p, 
+					hx509_cert p,
 					AlgorithmIdentifier *alg)
 {
     int ret;
@@ -1534,7 +1534,7 @@ _hx509_cert_private_decrypt(hx509_context context,
     return _hx509_private_key_private_decrypt(context,
 					      ciphertext,
 					      encryption_oid,
-					      p->private_key, 
+					      p->private_key,
 					      cleartext);
 }
 
@@ -1623,7 +1623,7 @@ match_RDN(const RelativeDistinguishedName *c,
 
     if (c->len != n->len)
 	return HX509_NAME_CONSTRAINT_ERROR;
-    
+
     for (i = 0; i < n->len; i++) {
 	int diff, ret;
 
@@ -1654,13 +1654,13 @@ match_X501Name(const Name *c, const Name *n)
 	    return ret;
     }
     return 0;
-} 
+}
 
 
 static int
 match_general_name(const GeneralName *c, const GeneralName *n, int *match)
 {
-    /* 
+    /*
      * Name constraints only apply to the same name type, see RFC3280,
      * 4.2.1.11.
      */
@@ -1741,7 +1741,7 @@ match_general_name(const GeneralName *c, const GeneralName *n, int *match)
 }
 
 static int
-match_alt_name(const GeneralName *n, const Certificate *c, 
+match_alt_name(const GeneralName *n, const Certificate *c,
 	       int *same, int *match)
 {
     GeneralNames sa;
@@ -1790,14 +1790,14 @@ match_tree(const GeneralSubtrees *t, const Certificate *c, int *match)
 	    && !subject_null_p(c))
 	{
 	    GeneralName certname;
-	    
+	
 	    memset(&certname, 0, sizeof(certname));
 	    certname.element = choice_GeneralName_directoryName;
-	    certname.u.directoryName.element = 
+	    certname.u.directoryName.element =
 		c->tbsCertificate.subject.element;
-	    certname.u.directoryName.u.rdnSequence = 
+	    certname.u.directoryName.u.rdnSequence =
 		c->tbsCertificate.subject.u.rdnSequence;
-    
+
 	    ret = match_general_name(&t->val[i].base, &certname, &name);
 	}
 
@@ -1814,7 +1814,7 @@ match_tree(const GeneralSubtrees *t, const Certificate *c, int *match)
 }
 
 static int
-check_name_constraints(hx509_context context, 
+check_name_constraints(hx509_context context,
 		       const hx509_name_constraints *nc,
 		       const Certificate *c)
 {
@@ -1978,13 +1978,13 @@ hx509_verify_path(hx509_context context,
 		ret = certificate_is_self_signed(context, c, &selfsigned);
 		if (ret)
 		    goto out;
-		if (selfsigned) 
+		if (selfsigned)
 		    selfsigned_depth++;
 	    }
 
 	    break;
 	case PROXY_CERT: {
-	    ProxyCertInfo info;	    
+	    ProxyCertInfo info;	
 
 	    if (is_proxy_cert(context, c, &info) == 0) {
 		int j;
@@ -2005,7 +2005,7 @@ hx509_verify_path(hx509_context context,
 		j = 0;
 		if (find_extension(c, oid_id_x509_ce_subjectAltName(), &j)) {
 		    ret = HX509_PROXY_CERT_INVALID;
-		    hx509_set_error_string(context, 0, ret, 
+		    hx509_set_error_string(context, 0, ret,
 					   "Proxy certificate have explicity "
 					   "forbidden subjectAltName");
 		    goto out;
@@ -2014,13 +2014,13 @@ hx509_verify_path(hx509_context context,
 		j = 0;
 		if (find_extension(c, oid_id_x509_ce_issuerAltName(), &j)) {
 		    ret = HX509_PROXY_CERT_INVALID;
-		    hx509_set_error_string(context, 0, ret, 
+		    hx509_set_error_string(context, 0, ret,
 					   "Proxy certificate have explicity "
 					   "forbidden issuerAltName");
 		    goto out;
 		}
 			
-		/* 
+		/*
 		 * The subject name of the proxy certificate should be
 		 * CN=XXX,<proxy issuer>, prune of CN and check if its
 		 * the same over the whole chain of proxy certs and
@@ -2050,7 +2050,7 @@ hx509_verify_path(hx509_context context,
 		}
 
 		j = proxy_issuer.u.rdnSequence.len;
-		if (proxy_issuer.u.rdnSequence.len < 2 
+		if (proxy_issuer.u.rdnSequence.len < 2
 		    || proxy_issuer.u.rdnSequence.val[j - 1].len > 1
 		    || der_heim_oid_cmp(&proxy_issuer.u.rdnSequence.val[j - 1].val[0].type,
 					oid_id_at_commonName()))
@@ -2080,7 +2080,7 @@ hx509_verify_path(hx509_context context,
 
 		break;
 	    } else {
-		/* 
+		/*
 		 * Now we are done with the proxy certificates, this
 		 * cert was an EE cert and we we will fall though to
 		 * EE checking below.
@@ -2097,7 +2097,7 @@ hx509_verify_path(hx509_context context,
 	     */
 	    if (proxy_cert_depth) {
 
-		ret = _hx509_name_cmp(&proxy_issuer, 
+		ret = _hx509_name_cmp(&proxy_issuer,
 				      &c->tbsCertificate.subject, &diff);
 		if (ret) {
 		    hx509_set_error_string(context, 0, ret, "out of memory");
@@ -2121,11 +2121,11 @@ hx509_verify_path(hx509_context context,
 	    break;
 	}
 
-	ret = check_basic_constraints(context, c, type, 
+	ret = check_basic_constraints(context, c, type,
 				      i - proxy_cert_depth - selfsigned_depth);
 	if (ret)
 	    goto out;
-	    
+	
 	/*
 	 * Don't check the trust anchors expiration time since they
 	 * are transported out of band, from RFC3820.
@@ -2211,7 +2211,7 @@ hx509_verify_path(hx509_context context,
 	    int parent = (i < path.len - 1) ? i + 1 : i;
 
 	    ret = hx509_revoke_verify(context,
-				      ctx->revoke_ctx, 
+				      ctx->revoke_ctx,
 				      certs,
 				      ctx->time_now,
 				      path.val[i],
@@ -2326,7 +2326,7 @@ hx509_verify_hostname(hx509_context context,
 		      hx509_hostname_type type,
 		      const char *hostname,
 		      const struct sockaddr *sa,
-		      /* XXX krb5_socklen_t */ int sa_size) 
+		      /* XXX krb5_socklen_t */ int sa_size)
 {
     GeneralNames san;
     int ret, i, j;
@@ -2397,8 +2397,8 @@ hx509_verify_hostname(hx509_context context,
 
 int
 _hx509_set_cert_attribute(hx509_context context,
-			  hx509_cert cert, 
-			  const heim_oid *oid, 
+			  hx509_cert cert,
+			  const heim_oid *oid,
 			  const heim_octet_string *attr)
 {
     hx509_cert_attribute a;
@@ -2407,7 +2407,7 @@ _hx509_set_cert_attribute(hx509_context context,
     if (hx509_cert_get_attribute(cert, oid) != NULL)
 	return 0;
 
-    d = realloc(cert->attrs.val, 
+    d = realloc(cert->attrs.val,
 		sizeof(cert->attrs.val[0]) * (cert->attrs.len + 1));
     if (d == NULL) {
 	hx509_clear_error_string(context);
@@ -2421,7 +2421,7 @@ _hx509_set_cert_attribute(hx509_context context,
 
     der_copy_octet_string(attr, &a->data);
     der_copy_oid(oid, &a->oid);
-    
+
     cert->attrs.val[cert->attrs.len] = a;
     cert->attrs.len++;
 
@@ -2517,13 +2517,13 @@ hx509_cert_get_friendly_name(hx509_cert cert)
 	free_PKCS9_friendlyName(&n);
 	return NULL;
     }
-    
+
     cert->friendlyname = malloc(n.val[0].length + 1);
     if (cert->friendlyname == NULL) {
 	free_PKCS9_friendlyName(&n);
 	return NULL;
     }
-    
+
     for (i = 0; i < n.val[0].length; i++) {
 	if (n.val[0].data[i] <= 0xff)
 	    cert->friendlyname[i] = n.val[0].data[i] & 0xff;
@@ -2611,7 +2611,7 @@ hx509_query_match_option(hx509_query *q, hx509_query_option option)
 
 int
 hx509_query_match_issuer_serial(hx509_query *q,
-				const Name *issuer, 
+				const Name *issuer,
 				const heim_integer *serialNumber)
 {
     int ret;
@@ -2840,7 +2840,7 @@ _hx509_query_match_cert(hx509_context context, const hx509_query *q, hx509_cert
     }
     if ((q->match & HX509_QUERY_MATCH_ISSUER_ID))
 	return 0;
-    if ((q->match & HX509_QUERY_PRIVATE_KEY) && 
+    if ((q->match & HX509_QUERY_PRIVATE_KEY) &&
 	_hx509_cert_private_key(cert) == NULL)
 	return 0;
 
@@ -2900,7 +2900,7 @@ _hx509_query_match_cert(hx509_context context, const hx509_query *q, hx509_cert
 	heim_octet_string os;
 
 	os.data = c->tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.data;
-	os.length = 
+	os.length =
 	    c->tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.length / 8;
 
 	ret = _hx509_verify_signature(context,
@@ -3039,12 +3039,12 @@ hx509_query_unparse_stats(hx509_context context, int printtype, FILE *out)
 	return;
     f = fopen(context->querystat, "r");
     if (f == NULL) {
-	fprintf(out, "No statistic file %s: %s.\n", 
+	fprintf(out, "No statistic file %s: %s.\n",
 		context->querystat, strerror(errno));
 	return;
     }
     rk_cloexec_file(f);
-    
+
     for (i = 0; i < sizeof(stats)/sizeof(stats[0]); i++) {
 	stats[i].index = i;
 	stats[i].stats = 0;
@@ -3075,7 +3075,7 @@ hx509_query_unparse_stats(hx509_context context, int printtype, FILE *out)
 	errx(1, "out of memory");
 
     rtbl_set_separator (t, "  ");
-    
+
     rtbl_add_column_by_id (t, 0, "Name", 0);
     rtbl_add_column_by_id (t, 1, "Counter", 0);
 
@@ -3083,7 +3083,7 @@ hx509_query_unparse_stats(hx509_context context, int printtype, FILE *out)
     for (i = 0; i < sizeof(stats)/sizeof(stats[0]); i++) {
 	char str[10];
 
-	if (stats[i].index < sizeof(statname)/sizeof(statname[0])) 
+	if (stats[i].index < sizeof(statname)/sizeof(statname[0]))
 	    rtbl_add_column_entry_by_id (t, 0, statname[stats[i].index]);
 	else {
 	    snprintf(str, sizeof(str), "%d", stats[i].index);
@@ -3096,7 +3096,7 @@ hx509_query_unparse_stats(hx509_context context, int printtype, FILE *out)
     rtbl_format(t, out);
     rtbl_destroy(t);
 
-    fprintf(out, "\nQueries: multi %lu total %lu\n", 
+    fprintf(out, "\nQueries: multi %lu total %lu\n",
 	    multiqueries, totalqueries);
 }
 
@@ -3166,7 +3166,7 @@ _hx509_cert_get_keyusage(hx509_context context,
     e = find_extension(cert, oid_id_x509_ce_keyUsage(), &i);
     if (e == NULL)
 	return HX509_KU_CERT_MISSING;
-    
+
     ret = decode_KeyUsage(e->extnValue.data, e->extnValue.length, ku, &size);
     if (ret)
 	return ret;
@@ -3212,7 +3212,7 @@ hx509_cert_binary(hx509_context context, hx509_cert c, heim_octet_string *os)
     os->data = NULL;
     os->length = 0;
 
-    ASN1_MALLOC_ENCODE(Certificate, os->data, os->length, 
+    ASN1_MALLOC_ENCODE(Certificate, os->data, os->length,
 		       _hx509_get_cert(c), &size, ret);
     if (ret) {
 	os->data = NULL;