Initial support for alternative CRL issuing certificates.
Allow the inhibit-any-policy flag to be set in apps.
parent
592a207b94
commit
5cbd203302
5
CHANGES
5
CHANGES
@ -4,6 +4,11 @@
|
|||||||
|
|
||||||
Changes between 0.9.8i and 0.9.9 [xx XXX xxxx]
|
Changes between 0.9.8i and 0.9.9 [xx XXX xxxx]
|
||||||
|
|
||||||
|
*) Initial support for different CRL issuing certificates. This covers a
|
||||||
|
simple case where the self issued certificates in the chain exist and
|
||||||
|
the real CRL issuer is higher in the existing chain.
|
||||||
|
[Steve Henson]
|
||||||
|
|
||||||
*) Removed effectively defunct crypto/store from the build.
|
*) Removed effectively defunct crypto/store from the build.
|
||||||
[Ben Laurie]
|
[Ben Laurie]
|
||||||
|
|
||||||
|
@ -2233,6 +2233,8 @@ int args_verify(char ***pargs, int *pargc,
|
|||||||
flags |= X509_V_FLAG_POLICY_CHECK;
|
flags |= X509_V_FLAG_POLICY_CHECK;
|
||||||
else if (!strcmp(arg, "-explicit_policy"))
|
else if (!strcmp(arg, "-explicit_policy"))
|
||||||
flags |= X509_V_FLAG_EXPLICIT_POLICY;
|
flags |= X509_V_FLAG_EXPLICIT_POLICY;
|
||||||
|
else if (!strcmp(arg, "-inhibit_any"))
|
||||||
|
flags |= X509_V_FLAG_INHIBIT_ANY;
|
||||||
else if (!strcmp(arg, "-x509_strict"))
|
else if (!strcmp(arg, "-x509_strict"))
|
||||||
flags |= X509_V_FLAG_X509_STRICT;
|
flags |= X509_V_FLAG_X509_STRICT;
|
||||||
else if (!strcmp(arg, "-policy_print"))
|
else if (!strcmp(arg, "-policy_print"))
|
||||||
|
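Review bot: The new `-inhibit_any` branch only maps the option onto `X509_V_FLAG_INHIBIT_ANY`; nothing in this hunk updates the usage text or manual page that lists the sibling `-policy_check`, `-explicit_policy` and `-x509_strict` options, so if those are documented elsewhere in apps (not visible here) the new option should be added next to them with a one-line description such as "disable the anyPolicy wildcard when processing policy constraints". Without it the flag is reachable from the command line but undiscoverable. args_verify starts and ends outside the hunk.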
@ -78,7 +78,7 @@ static int check_trust(X509_STORE_CTX *ctx);
|
|||||||
static int check_revocation(X509_STORE_CTX *ctx);
|
static int check_revocation(X509_STORE_CTX *ctx);
|
||||||
static int check_cert(X509_STORE_CTX *ctx);
|
static int check_cert(X509_STORE_CTX *ctx);
|
||||||
static int check_policy(X509_STORE_CTX *ctx);
|
static int check_policy(X509_STORE_CTX *ctx);
|
||||||
static int crl_akid_check(X509_STORE_CTX *ctx, AUTHORITY_KEYID *akid);
|
static int crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer);
|
||||||
static int idp_check_scope(X509 *x, X509_CRL *crl);
|
static int idp_check_scope(X509 *x, X509_CRL *crl);
|
||||||
static int internal_verify(X509_STORE_CTX *ctx);
|
static int internal_verify(X509_STORE_CTX *ctx);
|
||||||
const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT;
|
const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT;
|
||||||
@ -590,6 +590,7 @@ static int check_cert(X509_STORE_CTX *ctx)
|
|||||||
cnum = ctx->error_depth;
|
cnum = ctx->error_depth;
|
||||||
x = sk_X509_value(ctx->chain, cnum);
|
x = sk_X509_value(ctx->chain, cnum);
|
||||||
ctx->current_cert = x;
|
ctx->current_cert = x;
|
||||||
|
ctx->current_issuer = NULL;
|
||||||
/* Try to retrieve relevant CRL */
|
/* Try to retrieve relevant CRL */
|
||||||
ok = ctx->get_crl(ctx, &crl, x);
|
ok = ctx->get_crl(ctx, &crl, x);
|
||||||
/* If error looking up CRL, nothing we can do except
|
/* If error looking up CRL, nothing we can do except
|
||||||
@ -699,9 +700,11 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl,
|
|||||||
{
|
{
|
||||||
int i, crl_score, best_score = -1;
|
int i, crl_score, best_score = -1;
|
||||||
X509_CRL *crl, *best_crl = NULL;
|
X509_CRL *crl, *best_crl = NULL;
|
||||||
|
X509 *crl_issuer, *best_crl_issuer = NULL;
|
||||||
for (i = 0; i < sk_X509_CRL_num(crls); i++)
|
for (i = 0; i < sk_X509_CRL_num(crls); i++)
|
||||||
{
|
{
|
||||||
crl_score = 0;
|
crl_score = 0;
|
||||||
|
crl_issuer = NULL;
|
||||||
crl = sk_X509_CRL_value(crls, i);
|
crl = sk_X509_CRL_value(crls, i);
|
||||||
if (nm && X509_NAME_cmp(nm, X509_CRL_get_issuer(crl)))
|
if (nm && X509_NAME_cmp(nm, X509_CRL_get_issuer(crl)))
|
||||||
continue;
|
continue;
|
||||||
@ -718,15 +721,10 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl,
|
|||||||
else
|
else
|
||||||
crl_score |= CRL_SCORE_SCOPE;
|
crl_score |= CRL_SCORE_SCOPE;
|
||||||
|
|
||||||
if (crl->akid)
|
if (crl_akid_check(ctx, crl, &crl_issuer))
|
||||||
{
|
|
||||||
if (crl_akid_check(ctx, crl->akid))
|
|
||||||
crl_score |= CRL_SCORE_AKID;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
crl_score |= CRL_SCORE_AKID;
|
crl_score |= CRL_SCORE_AKID;
|
||||||
|
/* If CRL matches criteria and issuer is not different use it */
|
||||||
if (crl_score == CRL_SCORE_ALL)
|
if (crl_score == CRL_SCORE_ALL && !crl_issuer)
|
||||||
{
|
{
|
||||||
*pcrl = crl;
|
*pcrl = crl;
|
||||||
CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509_CRL);
|
CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509_CRL);
|
||||||
@ -736,25 +734,49 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl,
|
|||||||
if (crl_score > best_score)
|
if (crl_score > best_score)
|
||||||
{
|
{
|
||||||
best_crl = crl;
|
best_crl = crl;
|
||||||
|
best_crl_issuer = crl_issuer;
|
||||||
best_score = crl_score;
|
best_score = crl_score;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (best_crl)
|
if (best_crl)
|
||||||
{
|
{
|
||||||
*pcrl = best_crl;
|
*pcrl = best_crl;
|
||||||
|
ctx->current_issuer = best_crl_issuer;
|
||||||
CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509);
|
CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509);
|
||||||
}
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int crl_akid_check(X509_STORE_CTX *ctx, AUTHORITY_KEYID *akid)
|
static int crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer)
|
||||||
{
|
{
|
||||||
|
X509 *crl_issuer;
|
||||||
int cidx = ctx->error_depth;
|
int cidx = ctx->error_depth;
|
||||||
|
if (!crl->akid)
|
||||||
|
return 1;
|
||||||
if (cidx != sk_X509_num(ctx->chain) - 1)
|
if (cidx != sk_X509_num(ctx->chain) - 1)
|
||||||
cidx++;
|
cidx++;
|
||||||
if (X509_check_akid(sk_X509_value(ctx->chain, cidx), akid) == X509_V_OK)
|
crl_issuer = sk_X509_value(ctx->chain, cidx);
|
||||||
|
if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
|
||||||
return 1;
|
return 1;
|
||||||
|
/* If crl_issuer is self issued we may get a match further along the
|
||||||
|
* chain.
|
||||||
|
*/
|
||||||
|
if (crl_issuer->ex_flags & EXFLAG_SI)
|
||||||
|
{
|
||||||
|
for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++)
|
||||||
|
{
|
||||||
|
crl_issuer = sk_X509_value(ctx->chain, cidx);
|
||||||
|
if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
|
||||||
|
{
|
||||||
|
*pissuer = crl_issuer;
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
if (!(crl_issuer->ex_flags & EXFLAG_SI))
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -864,10 +886,13 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
|
|||||||
int ok = 0, chnum, cnum;
|
int ok = 0, chnum, cnum;
|
||||||
cnum = ctx->error_depth;
|
cnum = ctx->error_depth;
|
||||||
chnum = sk_X509_num(ctx->chain) - 1;
|
chnum = sk_X509_num(ctx->chain) - 1;
|
||||||
/* Find CRL issuer: if not last certificate then issuer
|
/* if we have an alternative CRL issuer cert use that */
|
||||||
|
if (ctx->current_issuer)
|
||||||
|
issuer = ctx->current_issuer;
|
||||||
|
/* Else find CRL issuer: if not last certificate then issuer
|
||||||
* is next certificate in chain.
|
* is next certificate in chain.
|
||||||
*/
|
*/
|
||||||
if(cnum < chnum)
|
else if (cnum < chnum)
|
||||||
issuer = sk_X509_value(ctx->chain, cnum + 1);
|
issuer = sk_X509_value(ctx->chain, cnum + 1);
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
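Review bot: The reference taken on the chosen CRL at the end of get_crl_sk still uses the certificate lock, `CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509);`, while the early-return path a few lines above takes the same reference with `CRYPTO_LOCK_X509_CRL`; the commit edits this block to add `ctx->current_issuer = best_crl_issuer;` right beside it, so the mismatch should be fixed in the same change to `CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL);`. Separately, `ctx->current_issuer` has become shared state between check_cert (cleared before `get_crl`), get_crl_sk (set when crl_akid_check matches a cert further up the chain) and check_crl (preferred over the chain neighbour), and `get_crl` is an overridable callback; a comment at the clearing line in check_cert such as `/* Reset: get_crl may point this at an alternative CRL issuer in the chain, which check_crl then uses instead of the next cert */` would make that contract explicit and warn callback authors that not setting it falls back to the old issuer selection. The rest of check_crl, including whatever key-usage or signature checks the chosen issuer is subjected to, lies outside the hunk, so whether the alternative issuer receives the same checks as the default one cannot be confirmed from this page.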