Initial chain verify code: not tested probably not working
at present. However nothing enables it yet so this doesn't matter :-)
This commit is contained in:
parent
6d3724d3b0
commit
1126239111
17
CHANGES
17
CHANGES
@ -4,8 +4,21 @@
|
|||||||
|
|
||||||
Changes between 0.9.4 and 0.9.5 [xx XXX 1999]
|
Changes between 0.9.4 and 0.9.5 [xx XXX 1999]
|
||||||
|
|
||||||
*) Support for the authority information access extension. Not
|
*) Very preliminary certificate chain verify code. Currently just tests
|
||||||
very well tested yet.
|
the untrusted certificates for consistency with the verify purpose
|
||||||
|
(which is set when the X509_STORE_CTX structure is set up) and checks
|
||||||
|
the pathlength. Totally untested at present: needs some extra
|
||||||
|
functionality in the verify program first. There is a
|
||||||
|
NO_CHAIN_VERIFY compilation option to keep the old behaviour: this is
|
||||||
|
because when it is finally working it will reject chains with
|
||||||
|
invalid extensions whereas before it made no checks at all.
|
||||||
|
|
||||||
|
Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions
|
||||||
|
which should be used for version portability: especially since the
|
||||||
|
verify structure is likely to change more often now.
|
||||||
|
[Steve Henson]
|
||||||
|
|
||||||
|
*) Support for the authority information access extension.
|
||||||
[Steve Henson]
|
[Steve Henson]
|
||||||
|
|
||||||
*) Modify RSA and DSA PEM read routines to transparently handle
|
*) Modify RSA and DSA PEM read routines to transparently handle
|
||||||
|
@ -381,6 +381,17 @@ X509_OBJECT *X509_OBJECT_retrieve_by_subject(LHASH *h, int type,
|
|||||||
return(tmp);
|
return(tmp);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
X509_STORE_CTX *X509_STORE_CTX_new(void)
|
||||||
|
{
|
||||||
|
return (X509_STORE_CTX *)Malloc(sizeof(X509_STORE_CTX));
|
||||||
|
}
|
||||||
|
|
||||||
|
void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
|
||||||
|
{
|
||||||
|
X509_STORE_CTX_cleanup(ctx);
|
||||||
|
Free(ctx);
|
||||||
|
}
|
||||||
|
|
||||||
void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
|
void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
|
||||||
STACK_OF(X509) *chain)
|
STACK_OF(X509) *chain)
|
||||||
{
|
{
|
||||||
@ -389,6 +400,8 @@ void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
|
|||||||
ctx->cert=x509;
|
ctx->cert=x509;
|
||||||
ctx->untrusted=chain;
|
ctx->untrusted=chain;
|
||||||
ctx->last_untrusted=0;
|
ctx->last_untrusted=0;
|
||||||
|
ctx->chain_purpose=0;
|
||||||
|
ctx->trust_purpose=0;
|
||||||
ctx->valid=0;
|
ctx->valid=0;
|
||||||
ctx->chain=NULL;
|
ctx->chain=NULL;
|
||||||
ctx->depth=9;
|
ctx->depth=9;
|
||||||
|
@ -120,6 +120,12 @@ const char *X509_verify_cert_error_string(long n)
|
|||||||
return("certificate chain too long");
|
return("certificate chain too long");
|
||||||
case X509_V_ERR_CERT_REVOKED:
|
case X509_V_ERR_CERT_REVOKED:
|
||||||
return("certificate revoked");
|
return("certificate revoked");
|
||||||
|
case X509_V_ERR_INVALID_CA:
|
||||||
|
return ("invalid CA certificate");
|
||||||
|
case X509_V_ERR_PATH_LENGTH_EXCEEDED:
|
||||||
|
return ("path length constraint exceeded");
|
||||||
|
case X509_V_ERR_INVALID_PURPOSE:
|
||||||
|
return ("unsupported certificate purpose");
|
||||||
case X509_V_ERR_APPLICATION_VERIFICATION:
|
case X509_V_ERR_APPLICATION_VERIFICATION:
|
||||||
return("application verification failure");
|
return("application verification failure");
|
||||||
default:
|
default:
|
||||||
|
@ -67,9 +67,11 @@
|
|||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
#include <openssl/asn1.h>
|
#include <openssl/asn1.h>
|
||||||
#include <openssl/x509.h>
|
#include <openssl/x509.h>
|
||||||
|
#include <openssl/x509v3.h>
|
||||||
#include <openssl/objects.h>
|
#include <openssl/objects.h>
|
||||||
|
|
||||||
static int null_callback(int ok,X509_STORE_CTX *e);
|
static int null_callback(int ok,X509_STORE_CTX *e);
|
||||||
|
static int check_chain_purpose(X509_STORE_CTX *ctx);
|
||||||
static int internal_verify(X509_STORE_CTX *ctx);
|
static int internal_verify(X509_STORE_CTX *ctx);
|
||||||
const char *X509_version="X.509" OPENSSL_VERSION_PTEXT;
|
const char *X509_version="X.509" OPENSSL_VERSION_PTEXT;
|
||||||
|
|
||||||
@ -290,6 +292,11 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
|
|||||||
if (!ok) goto end;
|
if (!ok) goto end;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* We have the chain complete: now we need to check its purpose */
|
||||||
|
if(ctx->chain_purpose > 0) ok = check_chain_purpose(ctx);
|
||||||
|
|
||||||
|
if(!ok) goto end;
|
||||||
|
|
||||||
/* We may as well copy down any DSA parameters that are required */
|
/* We may as well copy down any DSA parameters that are required */
|
||||||
X509_get_pubkey_parameters(NULL,ctx->chain);
|
X509_get_pubkey_parameters(NULL,ctx->chain);
|
||||||
|
|
||||||
@ -308,6 +315,47 @@ end:
|
|||||||
return(ok);
|
return(ok);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Check a certificate chains extensions for consistency
|
||||||
|
* with the supplied purpose
|
||||||
|
*/
|
||||||
|
|
||||||
|
static int check_chain_purpose(X509_STORE_CTX *ctx)
|
||||||
|
{
|
||||||
|
#ifdef NO_CHAIN_VERIFY
|
||||||
|
return 1;
|
||||||
|
#else
|
||||||
|
int i, ok=0;
|
||||||
|
X509 *x;
|
||||||
|
int (*cb)();
|
||||||
|
cb=ctx->ctx->verify_cb;
|
||||||
|
if (cb == NULL) cb=null_callback;
|
||||||
|
/* Check all untrusted certificates */
|
||||||
|
for(i = 0; i < ctx->last_untrusted; i++) {
|
||||||
|
x = sk_X509_value(ctx->chain, i);
|
||||||
|
if(!X509_check_purpose(x, ctx->chain_purpose, i)) {
|
||||||
|
if(i) ctx->error = X509_V_ERR_INVALID_CA;
|
||||||
|
else ctx->error = X509_V_ERR_INVALID_PURPOSE;
|
||||||
|
ctx->error_depth = i;
|
||||||
|
ctx->current_cert = x;
|
||||||
|
ok=cb(0,ctx);
|
||||||
|
if(!ok) goto end;
|
||||||
|
}
|
||||||
|
/* Check pathlen */
|
||||||
|
if((i > 1) && (x->ex_pathlen != -1)
|
||||||
|
&& (i > (x->ex_pathlen + 1))) {
|
||||||
|
ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
|
||||||
|
ctx->error_depth = i;
|
||||||
|
ctx->current_cert = x;
|
||||||
|
ok=cb(0,ctx);
|
||||||
|
if(!ok) goto end;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
ok = 1;
|
||||||
|
end:
|
||||||
|
return(ok);
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
static int internal_verify(X509_STORE_CTX *ctx)
|
static int internal_verify(X509_STORE_CTX *ctx)
|
||||||
{
|
{
|
||||||
int i,ok=0,n;
|
int i,ok=0,n;
|
||||||
@ -648,6 +696,16 @@ void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
|
|||||||
ctx->untrusted=sk;
|
ctx->untrusted=sk;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void X509_STORE_CTX_chain_purpose(X509_STORE_CTX *ctx, int purpose)
|
||||||
|
{
|
||||||
|
ctx->chain_purpose = purpose;
|
||||||
|
}
|
||||||
|
|
||||||
|
void X509_STORE_CTX_trust_purpose(X509_STORE_CTX *ctx, int purpose)
|
||||||
|
{
|
||||||
|
ctx->trust_purpose = purpose;
|
||||||
|
}
|
||||||
|
|
||||||
IMPLEMENT_STACK_OF(X509)
|
IMPLEMENT_STACK_OF(X509)
|
||||||
IMPLEMENT_ASN1_SET_OF(X509)
|
IMPLEMENT_ASN1_SET_OF(X509)
|
||||||
|
|
||||||
|
@ -202,6 +202,8 @@ struct x509_store_state_st /* X509_STORE_CTX */
|
|||||||
/* The following are set by the caller */
|
/* The following are set by the caller */
|
||||||
X509 *cert; /* The cert to check */
|
X509 *cert; /* The cert to check */
|
||||||
STACK_OF(X509) *untrusted; /* chain of X509s - untrusted - passed in */
|
STACK_OF(X509) *untrusted; /* chain of X509s - untrusted - passed in */
|
||||||
|
int chain_purpose; /* purpose to check untrusted certificates */
|
||||||
|
int trust_purpose; /* trust setting to check */
|
||||||
|
|
||||||
/* The following is built up */
|
/* The following is built up */
|
||||||
int depth; /* how far to go looking up certs */
|
int depth; /* how far to go looking up certs */
|
||||||
@ -258,6 +260,9 @@ struct x509_store_state_st /* X509_STORE_CTX */
|
|||||||
#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE 21
|
#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE 21
|
||||||
#define X509_V_ERR_CERT_CHAIN_TOO_LONG 22
|
#define X509_V_ERR_CERT_CHAIN_TOO_LONG 22
|
||||||
#define X509_V_ERR_CERT_REVOKED 23
|
#define X509_V_ERR_CERT_REVOKED 23
|
||||||
|
#define X509_V_ERR_INVALID_CA 24
|
||||||
|
#define X509_V_ERR_PATH_LENGTH_EXCEEDED 25
|
||||||
|
#define X509_V_ERR_INVALID_PURPOSE 26
|
||||||
|
|
||||||
/* The application is not happy */
|
/* The application is not happy */
|
||||||
#define X509_V_ERR_APPLICATION_VERIFICATION 50
|
#define X509_V_ERR_APPLICATION_VERIFICATION 50
|
||||||
@ -285,6 +290,8 @@ void X509_OBJECT_free_contents(X509_OBJECT *a);
|
|||||||
X509_STORE *X509_STORE_new(void );
|
X509_STORE *X509_STORE_new(void );
|
||||||
void X509_STORE_free(X509_STORE *v);
|
void X509_STORE_free(X509_STORE *v);
|
||||||
|
|
||||||
|
X509_STORE_CTX *X509_STORE_CTX_new(void);
|
||||||
|
void X509_STORE_CTX_free(X509_STORE_CTX *ctx);
|
||||||
void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
|
void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
|
||||||
X509 *x509, STACK_OF(X509) *chain);
|
X509 *x509, STACK_OF(X509) *chain);
|
||||||
void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
|
void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
|
||||||
@ -340,6 +347,8 @@ X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
|
|||||||
STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx);
|
STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx);
|
||||||
void X509_STORE_CTX_set_cert(X509_STORE_CTX *c,X509 *x);
|
void X509_STORE_CTX_set_cert(X509_STORE_CTX *c,X509 *x);
|
||||||
void X509_STORE_CTX_set_chain(X509_STORE_CTX *c,STACK_OF(X509) *sk);
|
void X509_STORE_CTX_set_chain(X509_STORE_CTX *c,STACK_OF(X509) *sk);
|
||||||
|
void X509_STORE_CTX_chain_purpose(X509_STORE_CTX *ctx, int purpose);
|
||||||
|
void X509_STORE_CTX_trust_purpose(X509_STORE_CTX *ctx, int purpose);
|
||||||
|
|
||||||
#ifdef __cplusplus
|
#ifdef __cplusplus
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user