generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Allow various X509_STORE_CTX properties to be

Browse Source 
inherited from X509_STORE.

Add CRL checking options to other applications.
This commit is contained in:
Dr. Stephen Henson 2001-05-09 00:30:39 +00:00
parent ff43e2e155
commit bdee69f718
8 changed files with 148 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
CHANGES
View File

@ -11,6 +11,21 @@
*) applies to 0.9.6a (/0.9.6b) and 0.9.7 *) applies to 0.9.6a (/0.9.6b) and 0.9.7
+) applies to 0.9.7 only +) applies to 0.9.7 only
+) Add copies of X509_STORE_CTX fields and callbacks to X509_STORE
structure. These are inherited by X509_STORE_CTX when it is
initialised. This allows various defaults to be set in the
X509_STORE structure (such as flags for CRL checking and custom
purpose or trust settings) for functions which only use X509_STORE_CTX
internally such as S/MIME.
Modify X509_STORE_CTX_purpose_inherit() so it only sets purposes and
trust settings if they are not set in X509_STORE. This allows X509_STORE
purposes and trust (in S/MIME for example) to override any set by default.
Add command line options for CRL checking to smime, s_client and s_server
applications.
[Steve Henson]
+) Initial CRL based revocation checking. If the CRL checking flag(s) +) Initial CRL based revocation checking. If the CRL checking flag(s)
are set then the CRL is looked up in the X509_STORE structure and are set then the CRL is looked up in the X509_STORE structure and
its validity and signature checked, then if the certificate is found its validity and signature checked, then if the certificate is found
@ -3381,7 +3396,7 @@
copied!) copied!)
[Bodo Moeller] [Bodo Moeller]
*) Bugfix: SSL_set_options ignored its parameter, only SSL_CTX_set_options *) Bugfix: SSL_set_mode ignored its parameter, only SSL_CTX_set_mode
worked. worked.
*) Fix problems with no-hmac etc. *) Fix problems with no-hmac etc.

9
apps/s_client.c
View File

@ -166,6 +166,7 @@ int MAIN(int argc, char **argv)
{ {
int off=0; int off=0;
SSL *con=NULL,*con2=NULL; SSL *con=NULL,*con2=NULL;
X509_STORE *store = NULL;
int s,k,width,state=0; int s,k,width,state=0;
char *cbuf=NULL,*sbuf=NULL; char *cbuf=NULL,*sbuf=NULL;
int cbuf_len,cbuf_off; int cbuf_len,cbuf_off;
@ -181,7 +182,7 @@ int MAIN(int argc, char **argv)
int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending; int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
SSL_CTX *ctx=NULL; SSL_CTX *ctx=NULL;
int ret=1,in_init=1,i,nbio_test=0; int ret=1,in_init=1,i,nbio_test=0;
int prexit = 0; int prexit = 0, vflags = 0;
SSL_METHOD *meth=NULL; SSL_METHOD *meth=NULL;
BIO *sbio; BIO *sbio;
char *inrand=NULL; char *inrand=NULL;
@ -255,6 +256,10 @@ int MAIN(int argc, char **argv)
if (--argc < 1) goto bad; if (--argc < 1) goto bad;
cert_file= *(++argv); cert_file= *(++argv);
} }
else if (strcmp(*argv,"-crl_check") == 0)
vflags |= X509_V_FLAG_CRL_CHECK;
else if (strcmp(*argv,"-crl_check_all") == 0)
vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
else if (strcmp(*argv,"-prexit") == 0) else if (strcmp(*argv,"-prexit") == 0)
prexit=1; prexit=1;
else if (strcmp(*argv,"-crlf") == 0) else if (strcmp(*argv,"-crlf") == 0)
@ -436,6 +441,8 @@ bad:
/* goto end; */ /* goto end; */
} }
store = SSL_CTX_get_cert_store(ctx);
X509_STORE_set_flags(store, vflags);
con=SSL_new(ctx); con=SSL_new(ctx);
#ifndef OPENSSL_NO_KRB5 #ifndef OPENSSL_NO_KRB5

12
apps/s_server.c
View File

@ -414,6 +414,8 @@ int MAIN(int, char **);
int MAIN(int argc, char *argv[]) int MAIN(int argc, char *argv[])
{ {
X509_STORE *store = NULL;
int vflags = 0;
short port=PORT; short port=PORT;
char *CApath=NULL,*CAfile=NULL; char *CApath=NULL,*CAfile=NULL;
char *context = NULL; char *context = NULL;
@ -518,6 +520,14 @@ int MAIN(int argc, char *argv[])
if (--argc < 1) goto bad; if (--argc < 1) goto bad;
CApath= *(++argv); CApath= *(++argv);
} }
else if (strcmp(*argv,"-crl_check") == 0)
{
vflags |= X509_V_FLAG_CRL_CHECK;
}
else if (strcmp(*argv,"-crl_check") == 0)
{
vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
}
else if (strcmp(*argv,"-serverpref") == 0) else if (strcmp(*argv,"-serverpref") == 0)
{ off|=SSL_OP_CIPHER_SERVER_PREFERENCE; } { off|=SSL_OP_CIPHER_SERVER_PREFERENCE; }
else if (strcmp(*argv,"-cipher") == 0) else if (strcmp(*argv,"-cipher") == 0)
@ -721,6 +731,8 @@ bad:
ERR_print_errors(bio_err); ERR_print_errors(bio_err);
/* goto end; */ /* goto end; */
} }
store = SSL_CTX_get_cert_store(ctx);
X509_STORE_set_flags(store, vflags);
#ifndef OPENSSL_NO_DH #ifndef OPENSSL_NO_DH
if (!no_dhe) if (!no_dhe)

10
apps/smime.c
View File

@ -97,7 +97,7 @@ int MAIN(int argc, char **argv)
STACK_OF(X509) *encerts = NULL, *other = NULL; STACK_OF(X509) *encerts = NULL, *other = NULL;
BIO *in = NULL, *out = NULL, *indata = NULL; BIO *in = NULL, *out = NULL, *indata = NULL;
int badarg = 0; int badarg = 0;
int flags = PKCS7_DETACHED; int flags = PKCS7_DETACHED, store_flags = 0;
char *to = NULL, *from = NULL, *subject = NULL; char *to = NULL, *from = NULL, *subject = NULL;
char *CAfile = NULL, *CApath = NULL; char *CAfile = NULL, *CApath = NULL;
char *passargin = NULL, *passin = NULL; char *passargin = NULL, *passin = NULL;
@ -150,6 +150,10 @@ int MAIN(int argc, char **argv)
flags |= PKCS7_BINARY; flags |= PKCS7_BINARY;
else if (!strcmp (*args, "-nosigs")) else if (!strcmp (*args, "-nosigs"))
flags |= PKCS7_NOSIGS; flags |= PKCS7_NOSIGS;
else if (!strcmp (*args, "-crl_check"))
store_flags |= X509_V_FLAG_CRL_CHECK;
else if (!strcmp (*args, "-crl_check_all"))
store_flags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
else if (!strcmp(*args,"-rand")) { else if (!strcmp(*args,"-rand")) {
if (args[1]) { if (args[1]) {
args++; args++;
@ -304,6 +308,8 @@ int MAIN(int argc, char **argv)
BIO_printf (bio_err, "-text include or delete text MIME headers\n"); BIO_printf (bio_err, "-text include or delete text MIME headers\n");
BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n");
BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
BIO_printf (bio_err, "-engine e use engine e, possibly a hardware device.\n"); BIO_printf (bio_err, "-engine e use engine e, possibly a hardware device.\n");
BIO_printf (bio_err, "-passin arg input file pass phrase source\n"); BIO_printf (bio_err, "-passin arg input file pass phrase source\n");
BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
@ -447,8 +453,10 @@ int MAIN(int argc, char **argv)
if(operation == SMIME_VERIFY) { if(operation == SMIME_VERIFY) {
if(!(store = setup_verify(bio_err, CAfile, CApath))) goto end; if(!(store = setup_verify(bio_err, CAfile, CApath))) goto end;
X509_STORE_set_flags(store, store_flags);
} }
ret = 3; ret = 3;
if(operation == SMIME_ENCRYPT) { if(operation == SMIME_ENCRYPT) {

2
apps/verify.c
View File

@ -287,10 +287,10 @@ static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X
ERR_print_errors(bio_err); ERR_print_errors(bio_err);
goto end; goto end;
} }
X509_STORE_set_flags(ctx, vflags);
X509_STORE_CTX_init(csc,ctx,x,uchain); X509_STORE_CTX_init(csc,ctx,x,uchain);
if(tchain) X509_STORE_CTX_trusted_stack(csc, tchain); if(tchain) X509_STORE_CTX_trusted_stack(csc, tchain);
if(purpose >= 0) X509_STORE_CTX_set_purpose(csc, purpose); if(purpose >= 0) X509_STORE_CTX_set_purpose(csc, purpose);
X509_STORE_CTX_set_flags(csc, vflags);
i=X509_verify_cert(csc); i=X509_verify_cert(csc);
X509_STORE_CTX_free(csc); X509_STORE_CTX_free(csc);

23
crypto/x509/x509_lu.c
View File

@ -185,8 +185,22 @@ X509_STORE *X509_STORE_new(void)
ret->objs = sk_X509_OBJECT_new(x509_object_cmp); ret->objs = sk_X509_OBJECT_new(x509_object_cmp);
ret->cache=1; ret->cache=1;
ret->get_cert_methods=sk_X509_LOOKUP_new_null(); ret->get_cert_methods=sk_X509_LOOKUP_new_null();
ret->verify=NULL; ret->verify=0;
ret->verify_cb=NULL; ret->verify_cb=0;
ret->purpose = 0;
ret->trust = 0;
ret->flags = 0;
ret->get_issuer = 0;
ret->check_issued = 0;
ret->check_revocation = 0;
ret->get_crl = 0;
ret->check_crl = 0;
ret->cert_crl = 0;
ret->cleanup = 0;
memset(&ret->ex_data,0,sizeof(CRYPTO_EX_DATA)); memset(&ret->ex_data,0,sizeof(CRYPTO_EX_DATA));
ret->references=1; ret->references=1;
ret->depth=0; ret->depth=0;
@ -525,5 +539,10 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
return 0; return 0;
} }
void X509_STORE_set_flags(X509_STORE *ctx, long flags)
{
ctx->flags |= flags;
}
IMPLEMENT_STACK_OF(X509_LOOKUP) IMPLEMENT_STACK_OF(X509_LOOKUP)
IMPLEMENT_STACK_OF(X509_OBJECT) IMPLEMENT_STACK_OF(X509_OBJECT)

104
crypto/x509/x509_vfy.c
View File

@ -112,7 +112,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
} }
cb=ctx->verify_cb; cb=ctx->verify_cb;
if (cb == NULL) cb=null_callback;
/* first we make sure the chain we are going to build is /* first we make sure the chain we are going to build is
* present and that the first entry is in place */ * present and that the first entry is in place */
@ -352,8 +351,7 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
ctx->error = ret; ctx->error = ret;
ctx->current_cert = x; ctx->current_cert = x;
ctx->current_issuer = issuer; ctx->current_issuer = issuer;
if (ctx->verify_cb) return ctx->verify_cb(0, ctx);
return ctx->verify_cb(0, ctx);
return 0; return 0;
} }
@ -385,7 +383,6 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
X509 *x; X509 *x;
int (*cb)(); int (*cb)();
cb=ctx->verify_cb; cb=ctx->verify_cb;
if (cb == NULL) cb=null_callback;
/* Check all untrusted certificates */ /* Check all untrusted certificates */
for (i = 0; i < ctx->last_untrusted; i++) for (i = 0; i < ctx->last_untrusted; i++)
{ {
@ -427,7 +424,6 @@ static int check_trust(X509_STORE_CTX *ctx)
X509 *x; X509 *x;
int (*cb)(); int (*cb)();
cb=ctx->verify_cb; cb=ctx->verify_cb;
if (cb == NULL) cb=null_callback;
/* For now just check the last certificate in the chain */ /* For now just check the last certificate in the chain */
i = sk_X509_num(ctx->chain) - 1; i = sk_X509_num(ctx->chain) - 1;
x = sk_X509_value(ctx->chain, i); x = sk_X509_value(ctx->chain, i);
@ -479,8 +475,7 @@ static int check_cert(X509_STORE_CTX *ctx)
if(!ok) if(!ok)
{ {
ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
if (ctx->verify_cb) ok = ctx->verify_cb(0, ctx);
ok = ctx->verify_cb(0, ctx);
goto err; goto err;
} }
ctx->current_crl = crl; ctx->current_crl = crl;
@ -529,8 +524,7 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
if(!ctx->check_issued(ctx, issuer, issuer)) if(!ctx->check_issued(ctx, issuer, issuer))
{ {
ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER; ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
if(ctx->verify_cb) ok = ctx->verify_cb(0, ctx);
ok = ctx->verify_cb(0, ctx);
if(!ok) goto err; if(!ok) goto err;
} }
} }
@ -544,8 +538,7 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
if(!ikey) if(!ikey)
{ {
ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
if(ctx->verify_cb) ok = ctx->verify_cb(0, ctx);
ok = ctx->verify_cb(0, ctx);
if (!ok) goto err; if (!ok) goto err;
} }
else else
@ -554,8 +547,7 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
if(X509_CRL_verify(crl, ikey) <= 0) if(X509_CRL_verify(crl, ikey) <= 0)
{ {
ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE; ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE;
if(ctx->verify_cb) ok = ctx->verify_cb(0, ctx);
ok = ctx->verify_cb(0, ctx);
if (!ok) goto err; if (!ok) goto err;
} }
} }
@ -571,18 +563,14 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
if (i == 0) if (i == 0)
{ {
ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
ok= 0; ok = ctx->verify_cb(0, ctx);
if(ctx->verify_cb)
ok = ctx->verify_cb(0, ctx);
if (!ok) goto err; if (!ok) goto err;
} }
if (i > 0) if (i > 0)
{ {
ctx->error=X509_V_ERR_CRL_NOT_YET_VALID; ctx->error=X509_V_ERR_CRL_NOT_YET_VALID;
ok= 0; ok = ctx->verify_cb(0, ctx);
if(ctx->verify_cb)
ok = ctx->verify_cb(0, ctx);
if (!ok) goto err; if (!ok) goto err;
} }
@ -593,18 +581,14 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
if (i == 0) if (i == 0)
{ {
ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
ok= 0; ok = ctx->verify_cb(0, ctx);
if(ctx->verify_cb)
ok = ctx->verify_cb(0, ctx);
if (!ok) goto err; if (!ok) goto err;
} }
if (i < 0) if (i < 0)
{ {
ctx->error=X509_V_ERR_CRL_HAS_EXPIRED; ctx->error=X509_V_ERR_CRL_HAS_EXPIRED;
ok= 0; ok = ctx->verify_cb(0, ctx);
if(ctx->verify_cb)
ok = ctx->verify_cb(0, ctx);
if (!ok) goto err; if (!ok) goto err;
} }
} }
@ -630,8 +614,7 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
* this to handle entry extensions in V2 CRLs. * this to handle entry extensions in V2 CRLs.
*/ */
ctx->error = X509_V_ERR_CERT_REVOKED; ctx->error = X509_V_ERR_CERT_REVOKED;
if (ctx->verify_cb) ok = ctx->verify_cb(0, ctx);
ok = ctx->verify_cb(0, ctx);
return ok; return ok;
} }
@ -644,7 +627,6 @@ static int internal_verify(X509_STORE_CTX *ctx)
int (*cb)(); int (*cb)();
cb=ctx->verify_cb; cb=ctx->verify_cb;
if (cb == NULL) cb=null_callback;
n=sk_X509_num(ctx->chain); n=sk_X509_num(ctx->chain);
ctx->error_depth=n-1; ctx->error_depth=n-1;
@ -1041,8 +1023,8 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
} }
} }
if (purpose) ctx->purpose = purpose; if (purpose && !ctx->purpose) ctx->purpose = purpose;
if (trust) ctx->trust = trust; if (trust && !ctx->trust) ctx->trust = trust;
return 1; return 1;
} }
@ -1068,8 +1050,8 @@ void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
ctx->cert=x509; ctx->cert=x509;
ctx->untrusted=chain; ctx->untrusted=chain;
ctx->last_untrusted=0; ctx->last_untrusted=0;
ctx->purpose=0; ctx->purpose=store->purpose;
ctx->trust=0; ctx->trust=store->trust;
ctx->check_time=0; ctx->check_time=0;
ctx->flags=0; ctx->flags=0;
ctx->other_ctx=NULL; ctx->other_ctx=NULL;
@ -1080,15 +1062,55 @@ void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
ctx->error_depth=0; ctx->error_depth=0;
ctx->current_cert=NULL; ctx->current_cert=NULL;
ctx->current_issuer=NULL; ctx->current_issuer=NULL;
ctx->check_issued = check_issued;
ctx->get_issuer = X509_STORE_CTX_get1_issuer; /* Inherit callbacks and flags from X509_STORE if not set
ctx->verify_cb = store->verify_cb; * use defaults.
ctx->verify = store->verify; */
ctx->check_revocation = check_revocation;
ctx->get_crl = get_crl; ctx->flags = store->flags;
ctx->check_crl = check_crl;
ctx->cert_crl = cert_crl; if (store->check_issued)
ctx->cleanup = 0; ctx->check_issued = store->check_issued;
else
ctx->check_issued = check_issued;
if (store->get_issuer)
ctx->get_issuer = store->get_issuer;
else
ctx->get_issuer = X509_STORE_CTX_get1_issuer;
if (store->verify_cb)
ctx->verify_cb = store->verify_cb;
else
ctx->verify_cb = null_callback;
if (store->verify)
ctx->verify = store->verify;
else
ctx->verify = internal_verify;
if (store->check_revocation)
ctx->check_revocation = store->check_revocation;
else
ctx->check_revocation = check_revocation;
if (store->get_crl)
ctx->get_crl = store->get_crl;
else
ctx->get_crl = get_crl;
if (store->check_crl)
ctx->check_crl = store->check_crl;
else
ctx->check_crl = check_crl;
if (store->cert_crl)
ctx->cert_crl = store->cert_crl;
else
ctx->cert_crl = cert_crl;
ctx->cleanup = store->cleanup;
memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA));
} }

18
crypto/x509/x509_vfy.h
View File

@ -168,8 +168,24 @@ typedef struct x509_store_st
/* These are external lookup methods */ /* These are external lookup methods */
STACK_OF(X509_LOOKUP) *get_cert_methods; STACK_OF(X509_LOOKUP) *get_cert_methods;
/* The following fields are not used by X509_STORE but are
* inherited by X509_STORE_CTX when it is initialised.
*/
unsigned long flags; /* Various verify flags */
int purpose;
int trust;
/* Callbacks for various operations */
int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */ int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */
int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */ int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */
int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */
int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
int (*cleanup)(X509_STORE_CTX *ctx);
CRYPTO_EX_DATA ex_data; CRYPTO_EX_DATA ex_data;
int references; int references;
@ -309,6 +325,8 @@ void X509_OBJECT_free_contents(X509_OBJECT *a);
X509_STORE *X509_STORE_new(void ); X509_STORE *X509_STORE_new(void );
void X509_STORE_free(X509_STORE *v); void X509_STORE_free(X509_STORE *v);
void X509_STORE_set_flags(X509_STORE *ctx, long flags);
X509_STORE_CTX *X509_STORE_CTX_new(void); X509_STORE_CTX *X509_STORE_CTX_new(void);
int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);