Allow checking of self-signed certifictes if a flag is set.
This commit is contained in:
Dr. Stephen Henson
parent
e16818108f
commit
710c1c34d1
7
CHANGES
7
CHANGES
@ -808,9 +808,10 @@
|
||||
|
||||
Changes between 0.9.8k and 0.9.8l [xx XXX xxxx]
|
||||
|
||||
*) Don't check self signed certificate signatures in X509_verify_cert():
|
||||
it just wastes time without adding any security. As a useful side effect
|
||||
self signed root CAs with non-FIPS digests are now usable in FIPS mode.
|
||||
*) Don't check self signed certificate signatures in X509_verify_cert()
|
||||
by default (a flag can override this): it just wastes time without
|
||||
adding any security. As a useful side effect self signed root CAs
|
||||
with non-FIPS digests are now usable in FIPS mode.
|
||||
[Steve Henson]
|
||||
|
||||
*) In dtls1_process_out_of_seq_message() the check if the current message
|
||||
|
||||
@ -2256,6 +2256,8 @@ int args_verify(char ***pargs, int *pargc,
|
||||
flags |= X509_V_FLAG_USE_DELTAS;
|
||||
else if (!strcmp(arg, "-policy_print"))
|
||||
flags |= X509_V_FLAG_NOTIFY_POLICY;
|
||||
else if (!strcmp(arg, "-check_ss_sig"))
|
||||
flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
|
||||
else
|
||||
return 0;
|
||||
|
||||
|
||||
@ -1130,6 +1130,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
|
||||
/* NOTE: this certificate can/should be self signed, unless it was
|
||||
* a certificate request in which case it is not. */
|
||||
X509_STORE_CTX_set_cert(&xsc,x);
|
||||
X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE);
|
||||
if (!reqfile && X509_verify_cert(&xsc) <= 0)
|
||||
goto end;
|
||||
|
||||
|
||||
@ -1610,10 +1610,11 @@ static int internal_verify(X509_STORE_CTX *ctx)
|
||||
{
|
||||
ctx->error_depth=n;
|
||||
|
||||
/* Skip signature check for self signed certificates. It
|
||||
* doesn't add any security and just wastes time.
|
||||
/* Skip signature check for self signed certificates unless
|
||||
* explicitly asked for. It doesn't add any security and
|
||||
* just wastes time.
|
||||
*/
|
||||
if (!xs->valid && xs != xi)
|
||||
if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)))
|
||||
{
|
||||
if ((pkey=X509_get_pubkey(xi)) == NULL)
|
||||
{
|
||||
|
||||
@ -387,6 +387,9 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
|
||||
#define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000
|
||||
/* Delta CRL support */
|
||||
#define X509_V_FLAG_USE_DELTAS 0x2000
|
||||
/* Check selfsigned CA signature */
|
||||
#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
|
||||
|
||||
|
||||
#define X509_VP_FLAG_DEFAULT 0x1
|
||||
#define X509_VP_FLAG_OVERWRITE 0x2
|
||||
|
||||
@ -401,7 +401,7 @@ portion of a message so they may be included manually. If signing
|
||||
then many S/MIME mail clients check the signers certificate's email
|
||||
address matches that specified in the From: address.
|
||||
|
||||
=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy>
|
||||
=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
|
||||
|
||||
Set various certificate chain valiadition option. See the
|
||||
L<B<verify>|verify(1)> manual page for details.
|
||||
|
||||
@ -101,7 +101,7 @@ also used when building the client certificate chain.
|
||||
A file containing trusted certificates to use during server authentication
|
||||
and to use when attempting to build the client certificate chain.
|
||||
|
||||
=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy>
|
||||
=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
|
||||
|
||||
Set various certificate chain valiadition option. See the
|
||||
L<B<verify>|verify(1)> manual page for details.
|
||||
|
||||
@ -259,7 +259,7 @@ portion of a message so they may be included manually. If signing
|
||||
then many S/MIME mail clients check the signers certificate's email
|
||||
address matches that specified in the From: address.
|
||||
|
||||
=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy>
|
||||
=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
|
||||
|
||||
Set various options of certificate chain verification. See
|
||||
L<B<verify>|verify(1)> manual page for details.
|
||||
|
||||
@ -135,6 +135,11 @@ signing keys.
|
||||
|
||||
Enable support for delta CRLs.
|
||||
|
||||
=item B<-check_ss_sig>
|
||||
|
||||
Verify the signature on the self-signed root CA. This is disabled by default
|
||||
because it doesn't add any security.
|
||||
|
||||
=item B<->
|
||||
|
||||
marks the last option. All arguments following this are assumed to be
|
||||
|
||||
Loading…
Reference in New Issue
Block a user