Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
btwise
openssl
提交
4b96839f
O
openssl
项目概览
btwise
/
openssl
通知
1
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
DevOps
流水线
流水线任务
计划
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
O
openssl
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
DevOps
DevOps
流水线
流水线任务
计划
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
流水线任务
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
4b96839f
编写于
8月 29, 2008
作者:
D
Dr. Stephen Henson
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Add support for CRLs partitioned by reason code.
Tidy CRL scoring system. Add new CRL path validation error.
上级
249a77f5
变更
8
隐藏空白更改
内联
并排
Showing
8 changed file
with
288 addition
and
164 deletion
+288
-164
CHANGES
CHANGES
+13
-1
crypto/asn1/x_crl.c
crypto/asn1/x_crl.c
+2
-0
crypto/x509/x509_txt.c
crypto/x509/x509_txt.c
+2
-0
crypto/x509/x509_vfy.c
crypto/x509/x509_vfy.c
+253
-163
crypto/x509/x509_vfy.h
crypto/x509/x509_vfy.h
+4
-0
crypto/x509v3/v3_crld.c
crypto/x509v3/v3_crld.c
+1
-0
crypto/x509v3/v3_purp.c
crypto/x509v3/v3_purp.c
+10
-0
crypto/x509v3/x509v3.h
crypto/x509v3/x509v3.h
+3
-0
未找到文件。
CHANGES
浏览文件 @
4b96839f
...
...
@@ -4,6 +4,18 @@
Changes between 0.9.8i and 0.9.9 [xx XXX xxxx]
*) Support for CRLs partitioned by reason code. Reorganise CRL processing
code and add additional score elements. Validate alternate CRL paths
as part of the CRL checking and indicate a new error "CRL path validation
error" in this case. Applications wanting additional details can use
the verify callback and check the new "parent" field. If this is not
NULL CRL path validation is taking place. Existing applications wont
see this because it requires extended CRL support which is off by
default.
This work was sponsored by Google.
[Steve Henson]
*) Support for freshest CRL extension.
This work was sponsored by Google.
...
...
@@ -12,7 +24,7 @@
*) Initial indirect CRL support. Currently only supported in the CRLs
passed directly and not via lookup. Process certificate issuer
CRL entry extension and lookup CRL entries by bother issuer name
and serial number. Check and proces CRL issuer entry in IDP extension.
and serial number. Check and proces
s
CRL issuer entry in IDP extension.
This work was sponsored by Google.
[Steve Henson]
...
...
crypto/asn1/x_crl.c
浏览文件 @
4b96839f
...
...
@@ -203,6 +203,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
crl
->
akid
=
NULL
;
crl
->
flags
=
0
;
crl
->
idp_flags
=
0
;
crl
->
idp_reasons
=
CRLDP_ALL_REASONS
;
crl
->
meth
=
default_crl_method
;
crl
->
meth_data
=
NULL
;
crl
->
issuers
=
NULL
;
...
...
@@ -308,6 +309,7 @@ static void setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp)
if
(
idp
->
onlysomereasons
->
length
>
1
)
crl
->
idp_reasons
|=
(
idp
->
onlysomereasons
->
data
[
1
]
<<
8
);
crl
->
idp_reasons
&=
CRLDP_ALL_REASONS
;
}
DIST_POINT_set_dpname
(
idp
->
distpoint
,
X509_CRL_get_issuer
(
crl
));
...
...
crypto/x509/x509_txt.c
浏览文件 @
4b96839f
...
...
@@ -181,6 +181,8 @@ const char *X509_verify_cert_error_string(long n)
return
(
"unsupported or invalid name constraint syntax"
);
case
X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
:
return
(
"unsupported or invalid name syntax"
);
case
X509_V_ERR_CRL_PATH_VALIDATION_ERROR
:
return
(
"CRL path validation error"
);
default:
BIO_snprintf
(
buf
,
sizeof
buf
,
"error number %ld"
,
n
);
...
...
crypto/x509/x509_vfy.c
浏览文件 @
4b96839f
...
...
@@ -79,12 +79,19 @@ static int check_trust(X509_STORE_CTX *ctx);
static
int
check_revocation
(
X509_STORE_CTX
*
ctx
);
static
int
check_cert
(
X509_STORE_CTX
*
ctx
);
static
int
check_policy
(
X509_STORE_CTX
*
ctx
);
static
int
crl_akid_check
(
X509_STORE_CTX
*
ctx
,
X509_CRL
*
crl
,
X509
**
pissuer
);
static
int
idp_check_scope
(
X509
*
x
,
X509_CRL
*
crl
,
int
*
pimatch
);
static
int
get_crl_score
(
X509_STORE_CTX
*
ctx
,
X509
**
pissuer
,
unsigned
int
*
preasons
,
X509_CRL
*
crl
,
X509
*
x
);
static
void
crl_akid_check
(
X509_STORE_CTX
*
ctx
,
X509_CRL
*
crl
,
X509
**
pissuer
,
int
*
pcrl_score
);
static
int
crl_crldp_check
(
X509
*
x
,
X509_CRL
*
crl
,
int
crl_score
,
unsigned
int
*
preasons
);
static
int
check_crl_path
(
X509_STORE_CTX
*
ctx
,
X509
*
x
);
static
int
check_crl_chain
(
X509_STORE_CTX
*
ctx
,
STACK_OF
(
X509
)
*
cert_path
,
STACK_OF
(
X509
)
*
crl_path
);
static
int
internal_verify
(
X509_STORE_CTX
*
ctx
);
const
char
X509_version
[]
=
"X.509"
OPENSSL_VERSION_PTEXT
;
...
...
@@ -649,24 +656,33 @@ static int check_cert(X509_STORE_CTX *ctx)
x
=
sk_X509_value
(
ctx
->
chain
,
cnum
);
ctx
->
current_cert
=
x
;
ctx
->
current_issuer
=
NULL
;
/* Try to retrieve relevant CRL */
ok
=
ctx
->
get_crl
(
ctx
,
&
crl
,
x
);
/* If error looking up CRL, nothing we can do except
* notify callback
*/
if
(
!
ok
)
ctx
->
current_reasons
=
0
;
while
(
ctx
->
current_reasons
!=
CRLDP_ALL_REASONS
)
{
ctx
->
error
=
X509_V_ERR_UNABLE_TO_GET_CRL
;
ok
=
ctx
->
verify_cb
(
0
,
ctx
);
goto
err
;
/* Try to retrieve relevant CRL */
ok
=
ctx
->
get_crl
(
ctx
,
&
crl
,
x
);
/* If error looking up CRL, nothing we can do except
* notify callback
*/
if
(
!
ok
)
{
ctx
->
error
=
X509_V_ERR_UNABLE_TO_GET_CRL
;
ok
=
ctx
->
verify_cb
(
0
,
ctx
);
goto
err
;
}
ctx
->
current_crl
=
crl
;
ok
=
ctx
->
check_crl
(
ctx
,
crl
);
if
(
!
ok
)
goto
err
;
ok
=
ctx
->
cert_crl
(
ctx
,
crl
,
x
);
if
(
!
ok
)
goto
err
;
X509_CRL_free
(
crl
);
crl
=
NULL
;
}
ctx
->
current_crl
=
crl
;
ok
=
ctx
->
check_crl
(
ctx
,
crl
);
if
(
!
ok
)
goto
err
;
ok
=
ctx
->
cert_crl
(
ctx
,
crl
,
x
);
err:
ctx
->
current_crl
=
NULL
;
X509_CRL_free
(
crl
);
ctx
->
current_crl
=
NULL
;
return
ok
;
}
...
...
@@ -677,7 +693,8 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
{
time_t
*
ptime
;
int
i
;
ctx
->
current_crl
=
crl
;
if
(
notify
)
ctx
->
current_crl
=
crl
;
if
(
ctx
->
param
->
flags
&
X509_V_FLAG_USE_CHECK_TIME
)
ptime
=
&
ctx
->
param
->
check_time
;
else
...
...
@@ -686,15 +703,19 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
i
=
X509_cmp_time
(
X509_CRL_get_lastUpdate
(
crl
),
ptime
);
if
(
i
==
0
)
{
if
(
!
notify
)
return
0
;
ctx
->
error
=
X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
;
if
(
!
notify
||
!
ctx
->
verify_cb
(
0
,
ctx
))
if
(
!
ctx
->
verify_cb
(
0
,
ctx
))
return
0
;
}
if
(
i
>
0
)
{
if
(
!
notify
)
return
0
;
ctx
->
error
=
X509_V_ERR_CRL_NOT_YET_VALID
;
if
(
!
notify
||
!
ctx
->
verify_cb
(
0
,
ctx
))
if
(
!
ctx
->
verify_cb
(
0
,
ctx
))
return
0
;
}
...
...
@@ -704,133 +725,205 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
if
(
i
==
0
)
{
if
(
!
notify
)
return
0
;
ctx
->
error
=
X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
;
if
(
!
notify
||
!
ctx
->
verify_cb
(
0
,
ctx
))
if
(
!
ctx
->
verify_cb
(
0
,
ctx
))
return
0
;
}
if
(
i
<
0
)
{
if
(
!
notify
)
return
0
;
ctx
->
error
=
X509_V_ERR_CRL_HAS_EXPIRED
;
if
(
!
notify
||
!
ctx
->
verify_cb
(
0
,
ctx
))
if
(
!
ctx
->
verify_cb
(
0
,
ctx
))
return
0
;
}
}
ctx
->
current_crl
=
NULL
;
if
(
notify
)
ctx
->
current_crl
=
NULL
;
return
1
;
}
/* Based on a set of possible CRLs decide which one is best suited
* to handle the current certificate. This is determined by a number
* of criteria. If any of the "must" criteria is not satisfied then
* the candidate CRL is rejected. If all "must" and all "should" are
* satisfied the CRL is accepted. If no CRL satisfies all criteria then
* a "best CRL" is used to provide some meaningful error information.
*
* CRL issuer name must match "nm" if not NULL.
* If IDP is present:
* a. it must be consistent.
* b. onlyuser, onlyCA, onlyAA should match certificate being checked.
* c. indirectCRL must be FALSE.
* d. onlysomereason must be absent.
* e. if name present a DP in certificate CRLDP must match.
* If AKID present it should match certificate AKID.
* Check time should fall between lastUpdate and nextUpdate.
*/
/* CRL score values */
/* No unhandled critical extensions */
#define CRL_SCORE_NOCRITICAL 0x100
/* certificate is within CRL scope */
#define CRL_SCORE_SCOPE 0x080
/* CRL times valid */
#define CRL_SCORE_TIME 0x040
/* Issuer name matches certificate */
/* IDP name field matches CRLDP or IDP name not present */
#define CRL_SCORE_SCOPE 4
/* AKID present and matches cert, or AKID not present */
#define CRL_SCORE_AKID 2
/* times OK */
#define CRL_SCORE_TIME 1
#define CRL_SCORE_ISSUER_NAME 0x020
#define CRL_SCORE_ALL 7
/* If this score or above CRL is probably valid */
/* IDP flags which cause a CRL to be rejected */
#define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE)
#define IDP_REJECT (IDP_INVALID|IDP_REASONS)
/* CRL issuer is certificate issuer */
static
int
get_crl_sk
(
X509_STORE_CTX
*
ctx
,
X509_CRL
**
pcrl
,
X509_NAME
*
nm
,
STACK_OF
(
X509_CRL
)
*
crls
)
#define CRL_SCORE_ISSUER_CERT 0x018
/* CRL issuer is on certificate path */
#define CRL_SCORE_SAME_PATH 0x008
/* CRL issuer matches CRL AKID */
#define CRL_SCORE_AKID 0x004
/* CRL is complete, not delta */
#define CRL_SCORE_COMPLETE 0x002
static
int
get_crl_sk
(
X509_STORE_CTX
*
ctx
,
X509_CRL
**
pcrl
,
X509
**
pissuer
,
int
*
pscore
,
unsigned
int
*
preasons
,
STACK_OF
(
X509_CRL
)
*
crls
)
{
int
i
,
crl_score
,
best_score
=
-
1
;
int
i
,
crl_score
,
best_score
=
*
pscore
;
unsigned
int
reasons
,
best_reasons
;
X509
*
x
=
ctx
->
current_cert
;
X509_CRL
*
crl
,
*
best_crl
=
NULL
;
X509
*
crl_issuer
,
*
best_crl_issuer
=
NULL
;
for
(
i
=
0
;
i
<
sk_X509_CRL_num
(
crls
);
i
++
)
{
int
imatch
=
1
;
crl_score
=
0
;
crl_issuer
=
NULL
;
crl
=
sk_X509_CRL_value
(
crls
,
i
);
if
(
nm
&&
X509_NAME_cmp
(
nm
,
X509_CRL_get_issuer
(
crl
)))
{
/* Issuer name does not match: could be indirect */
if
(
!
(
ctx
->
param
->
flags
&
X509_V_FLAG_EXTENDED_CRL_SUPPORT
))
continue
;
if
(
!
(
crl
->
idp_flags
&
IDP_INDIRECT
))
continue
;
imatch
=
0
;
}
if
(
check_crl_time
(
ctx
,
crl
,
0
))
crl_score
|=
CRL_SCORE_TIME
;
if
(
crl
->
idp_flags
&
IDP_PRESENT
)
{
if
(
crl
->
idp_flags
&
IDP_REJECT
)
continue
;
if
(
idp_check_scope
(
ctx
->
current_cert
,
crl
,
&
imatch
))
crl_score
|=
CRL_SCORE_SCOPE
;
}
else
crl_score
|=
CRL_SCORE_SCOPE
;
/* If no issuer match at this point try next CRL */
if
(
!
imatch
)
continue
;
if
(
crl_akid_check
(
ctx
,
crl
,
&
crl_issuer
))
crl_score
|=
CRL_SCORE_AKID
;
/* If CRL matches criteria and issuer is not different use it */
if
(
crl_score
==
CRL_SCORE_ALL
&&
!
crl_issuer
)
{
*
pcrl
=
crl
;
CRYPTO_add
(
&
crl
->
references
,
1
,
CRYPTO_LOCK_X509_CRL
);
return
1
;
}
reasons
=
*
preasons
;
crl_score
=
get_crl_score
(
ctx
,
&
crl_issuer
,
&
reasons
,
crl
,
x
);
if
(
crl_score
>
best_score
)
{
best_crl
=
crl
;
best_crl_issuer
=
crl_issuer
;
best_score
=
crl_score
;
best_reasons
=
reasons
;
}
}
if
(
best_crl
)
{
if
(
*
pcrl
)
X509_CRL_free
(
*
pcrl
);
*
pcrl
=
best_crl
;
ctx
->
current_issuer
=
best_crl_issuer
;
*
pissuer
=
best_crl_issuer
;
*
pscore
=
best_score
;
*
preasons
=
best_reasons
;
CRYPTO_add
(
&
best_crl
->
references
,
1
,
CRYPTO_LOCK_X509
);
}
if
(
best_score
>=
CRL_SCORE_VALID
)
return
1
;
return
0
;
}
static
int
crl_akid_check
(
X509_STORE_CTX
*
ctx
,
X509_CRL
*
crl
,
X509
**
pissuer
)
/* For a given CRL return how suitable it is for the supplied certificate 'x'.
* The return value is a mask of several criteria.
* If the issuer is not the certificate issuer this is returned in *pissuer.
* The reasons mask is also used to determine if the CRL is suitable: if
* no new reasons the CRL is rejected, otherwise reasons is updated.
*/
static
int
get_crl_score
(
X509_STORE_CTX
*
ctx
,
X509
**
pissuer
,
unsigned
int
*
preasons
,
X509_CRL
*
crl
,
X509
*
x
)
{
int
crl_score
=
0
;
unsigned
int
tmp_reasons
=
*
preasons
,
crl_reasons
;
/* First see if we can reject CRL straight away */
/* Invalid IDP cannot be processed */
if
(
crl
->
idp_flags
&
IDP_INVALID
)
return
0
;
/* Reason codes or indirect CRLs need extended CRL support */
if
(
!
(
ctx
->
param
->
flags
&
X509_V_FLAG_EXTENDED_CRL_SUPPORT
))
{
if
(
crl
->
idp_flags
&
(
IDP_INDIRECT
|
IDP_REASONS
))
return
0
;
}
else
if
(
crl
->
idp_flags
&
IDP_REASONS
)
{
/* If no new reasons reject */
if
(
!
(
crl
->
idp_reasons
&
~
tmp_reasons
))
return
0
;
}
/* If issuer name doesn't match certificate need indirect CRL */
if
(
X509_NAME_cmp
(
X509_get_issuer_name
(
x
),
X509_CRL_get_issuer
(
crl
)))
{
if
(
!
(
crl
->
idp_flags
&
IDP_INDIRECT
))
return
0
;
}
else
crl_score
|=
CRL_SCORE_ISSUER_NAME
;
if
(
!
(
crl
->
flags
&
EXFLAG_CRITICAL
))
crl_score
|=
CRL_SCORE_NOCRITICAL
;
/* Check expiry */
if
(
check_crl_time
(
ctx
,
crl
,
0
))
crl_score
|=
CRL_SCORE_TIME
;
/* Check authority key ID and locate certificate issuer */
crl_akid_check
(
ctx
,
crl
,
pissuer
,
&
crl_score
);
/* If we can't locate certificate issuer at this point forget it */
if
(
!
(
crl_score
&
CRL_SCORE_AKID
))
return
0
;
/* Check cert for matching CRL distribution points */
if
(
crl_crldp_check
(
x
,
crl
,
crl_score
,
&
crl_reasons
))
{
/* If no new reasons reject */
if
(
!
(
crl_reasons
&
~
tmp_reasons
))
return
0
;
tmp_reasons
|=
crl_reasons
;
crl_score
|=
CRL_SCORE_SCOPE
;
}
*
preasons
=
tmp_reasons
;
return
crl_score
;
}
static
void
crl_akid_check
(
X509_STORE_CTX
*
ctx
,
X509_CRL
*
crl
,
X509
**
pissuer
,
int
*
pcrl_score
)
{
X509
*
crl_issuer
;
X509
*
crl_issuer
=
NULL
;
X509_NAME
*
cnm
=
X509_CRL_get_issuer
(
crl
);
int
cidx
=
ctx
->
error_depth
;
int
i
;
if
(
!
crl
->
akid
)
return
1
;
if
(
cidx
!=
sk_X509_num
(
ctx
->
chain
)
-
1
)
cidx
++
;
crl_issuer
=
sk_X509_value
(
ctx
->
chain
,
cidx
);
if
(
X509_check_akid
(
crl_issuer
,
crl
->
akid
)
==
X509_V_OK
)
return
1
;
{
if
(
*
pcrl_score
&
CRL_SCORE_ISSUER_NAME
)
{
*
pcrl_score
|=
CRL_SCORE_AKID
|
CRL_SCORE_ISSUER_CERT
;
*
pissuer
=
crl_issuer
;
return
;
}
}
for
(
cidx
++
;
cidx
<
sk_X509_num
(
ctx
->
chain
);
cidx
++
)
{
crl_issuer
=
sk_X509_value
(
ctx
->
chain
,
cidx
);
...
...
@@ -838,15 +931,16 @@ static int crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer)
continue
;
if
(
X509_check_akid
(
crl_issuer
,
crl
->
akid
)
==
X509_V_OK
)
{
*
pcrl_score
|=
CRL_SCORE_AKID
|
CRL_SCORE_SAME_PATH
;
*
pissuer
=
crl_issuer
;
return
1
;
return
;
}
}
/* Anything else needs extended CRL support */
if
(
!
(
ctx
->
param
->
flags
&
X509_V_FLAG_EXTENDED_CRL_SUPPORT
))
return
0
;
return
;
/* Otherwise the CRL issuer is not on the path. Look for it in the
* set of untrusted certificates.
...
...
@@ -854,20 +948,15 @@ static int crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer)
for
(
i
=
0
;
i
<
sk_X509_num
(
ctx
->
untrusted
);
i
++
)
{
crl_issuer
=
sk_X509_value
(
ctx
->
untrusted
,
i
);
if
(
X509_NAME_cmp
(
X509_get_subject_name
(
crl_issuer
),
X509_CRL_get_issuer
(
crl
)))
if
(
X509_NAME_cmp
(
X509_get_subject_name
(
crl_issuer
),
cnm
))
continue
;
if
(
X509_check_akid
(
crl_issuer
,
crl
->
akid
)
==
X509_V_OK
)
{
if
(
check_crl_path
(
ctx
,
crl_issuer
))
{
*
pissuer
=
crl_issuer
;
return
1
;
}
*
pissuer
=
crl_issuer
;
*
pcrl_score
|=
CRL_SCORE_AKID
;
return
;
}
}
return
0
;
}
/* Check the path of a CRL issuer certificate. This creates a new
...
...
@@ -881,6 +970,7 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
{
X509_STORE_CTX
crl_ctx
;
int
ret
;
/* Don't allow recursive CRL path validation */
if
(
ctx
->
parent
)
return
0
;
if
(
!
X509_STORE_CTX_init
(
&
crl_ctx
,
ctx
->
ctx
,
x
,
ctx
->
untrusted
))
...
...
@@ -896,14 +986,12 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
/* Verify CRL issuer */
ret
=
X509_verify_cert
(
&
crl_ctx
);
/* Maybe send path check result back to parent? */
if
(
!
ret
)
goto
err
;
/* Check chain is acceptable */
ret
=
check_crl_chain
(
ctx
,
ctx
->
chain
,
crl_ctx
.
chain
);
err:
X509_STORE_CTX_cleanup
(
&
crl_ctx
);
return
ret
;
...
...
@@ -1003,30 +1091,28 @@ static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
}
static
int
idp_check_crlissuer
(
DIST_POINT
*
dp
,
X509_CRL
*
crl
,
int
*
pimatch
)
static
int
crldp_check_crlissuer
(
DIST_POINT
*
dp
,
X509_CRL
*
crl
,
int
crl_score
)
{
int
i
;
X509_NAME
*
nm
=
X509_CRL_get_issuer
(
crl
);
/* If no CRLissuer return is successful iff don't need a match */
if
(
!
dp
->
CRLissuer
)
return
*
pimatch
;
return
!!
(
crl_score
&
CRL_SCORE_ISSUER_NAME
)
;
for
(
i
=
0
;
i
<
sk_GENERAL_NAME_num
(
dp
->
CRLissuer
);
i
++
)
{
GENERAL_NAME
*
gen
=
sk_GENERAL_NAME_value
(
dp
->
CRLissuer
,
i
);
if
(
gen
->
type
!=
GEN_DIRNAME
)
continue
;
if
(
!
X509_NAME_cmp
(
gen
->
d
.
directoryName
,
nm
))
{
*
pimatch
=
1
;
return
1
;
}
}
return
0
;
}
/* Check
IDP name matches at least one CRLDP name
*/
/* Check
CRLDP and IDP
*/
static
int
idp_check_scope
(
X509
*
x
,
X509_CRL
*
crl
,
int
*
pimatch
)
static
int
crl_crldp_check
(
X509
*
x
,
X509_CRL
*
crl
,
int
crl_score
,
unsigned
int
*
preasons
)
{
int
i
;
if
(
crl
->
idp_flags
&
IDP_ONLYATTR
)
...
...
@@ -1041,20 +1127,22 @@ static int idp_check_scope(X509 *x, X509_CRL *crl, int *pimatch)
if
(
crl
->
idp_flags
&
IDP_ONLYCA
)
return
0
;
}
if
(
!
crl
->
idp
->
distpoint
&&
*
pimatch
)
return
1
;
*
preasons
=
crl
->
idp_reasons
;
for
(
i
=
0
;
i
<
sk_DIST_POINT_num
(
x
->
crldp
);
i
++
)
{
DIST_POINT
*
dp
=
sk_DIST_POINT_value
(
x
->
crldp
,
i
);
/* We don't handle these at present */
if
(
dp
->
reasons
)
continue
;
if
(
idp_check_dp
(
dp
->
distpoint
,
crl
->
idp
->
distpoint
))
if
(
crldp_check_crlissuer
(
dp
,
crl
,
crl_score
))
{
if
(
idp_check_crlissuer
(
dp
,
crl
,
pimatch
))
if
(
!
crl
->
idp
||
idp_check_dp
(
dp
->
distpoint
,
crl
->
idp
->
distpoint
))
{
*
preasons
&=
dp
->
dp_reasons
;
return
1
;
}
}
}
if
((
!
crl
->
idp
||
!
crl
->
idp
->
distpoint
)
&&
(
crl_score
&
CRL_SCORE_ISSUER_NAME
))
return
1
;
return
0
;
}
...
...
@@ -1066,39 +1154,37 @@ static int idp_check_scope(X509 *x, X509_CRL *crl, int *pimatch)
static
int
get_crl
(
X509_STORE_CTX
*
ctx
,
X509_CRL
**
pcrl
,
X509
*
x
)
{
int
ok
;
X509
*
issuer
=
NULL
;
int
crl_score
=
0
;
unsigned
int
reasons
;
X509_CRL
*
crl
=
NULL
;
STACK_OF
(
X509_CRL
)
*
skcrl
;
X509_NAME
*
nm
;
nm
=
X509_get_issuer_name
(
x
)
;
ok
=
get_crl_sk
(
ctx
,
&
crl
,
nm
,
ctx
->
crls
);
X509_NAME
*
nm
=
X509_get_issuer_name
(
x
)
;
reasons
=
ctx
->
current_reasons
;
ok
=
get_crl_sk
(
ctx
,
&
crl
,
&
issuer
,
&
crl_score
,
&
reasons
,
ctx
->
crls
);
if
(
ok
)
{
*
pcrl
=
crl
;
return
1
;
}
goto
done
;
/* Lookup CRLs from store */
skcrl
=
ctx
->
lookup_crls
(
ctx
,
nm
);
/* If no CRLs found and a near match from get_crl_sk use that */
if
(
!
skcrl
)
{
if
(
crl
)
{
*
pcrl
=
crl
;
return
1
;
}
return
0
;
}
if
(
!
skcrl
&&
crl
)
goto
done
;
get_crl_sk
(
ctx
,
&
crl
,
NULL
,
skcrl
);
get_crl_sk
(
ctx
,
&
crl
,
&
issuer
,
&
crl_score
,
&
reasons
,
skcrl
);
sk_X509_CRL_pop_free
(
skcrl
,
X509_CRL_free
);
done:
/* If we got any kind of CRL use it and return success */
if
(
crl
)
{
ctx
->
current_issuer
=
issuer
;
ctx
->
current_crl_score
=
crl_score
;
ctx
->
current_reasons
=
reasons
;
*
pcrl
=
crl
;
return
1
;
}
...
...
@@ -1145,27 +1231,35 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
if
(
!
ok
)
goto
err
;
}
if
(
crl
->
idp_flags
&
IDP_PRESENT
)
if
(
!
(
ctx
->
current_crl_score
&
CRL_SCORE_SCOPE
))
{
ctx
->
error
=
X509_V_ERR_DIFFERENT_CRL_SCOPE
;
ok
=
ctx
->
verify_cb
(
0
,
ctx
);
if
(
!
ok
)
goto
err
;
}
if
(
!
(
ctx
->
current_crl_score
&
CRL_SCORE_TIME
))
{
ok
=
check_crl_time
(
ctx
,
crl
,
1
);
if
(
!
ok
)
goto
err
;
}
if
(
!
(
ctx
->
current_crl_score
&
CRL_SCORE_SAME_PATH
))
{
if
(
!
check_crl_path
(
ctx
,
ctx
->
current_issuer
))
{
int
dmy
=
1
;
if
(
crl
->
idp_flags
&
IDP_INVALID
)
{
ctx
->
error
=
X509_V_ERR_INVALID_EXTENSION
;
ok
=
ctx
->
verify_cb
(
0
,
ctx
);
if
(
!
ok
)
goto
err
;
}
if
(
crl
->
idp_flags
&
IDP_REASONS
)
{
ctx
->
error
=
X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
;
ok
=
ctx
->
verify_cb
(
0
,
ctx
);
if
(
!
ok
)
goto
err
;
}
if
(
!
idp_check_scope
(
ctx
->
current_cert
,
crl
,
&
dmy
))
{
ctx
->
error
=
X509_V_ERR_DIFFERENT_CRL_SCOPE
;
ok
=
ctx
->
verify_cb
(
0
,
ctx
);
if
(
!
ok
)
goto
err
;
}
ctx
->
error
=
X509_V_ERR_CRL_PATH_VALIDATION_ERROR
;
ok
=
ctx
->
verify_cb
(
0
,
ctx
);
if
(
!
ok
)
goto
err
;
}
}
if
(
crl
->
idp_flags
&
IDP_INVALID
)
{
ctx
->
error
=
X509_V_ERR_INVALID_EXTENSION
;
ok
=
ctx
->
verify_cb
(
0
,
ctx
);
if
(
!
ok
)
goto
err
;
}
/* Attempt to get issuer certificate public key */
...
...
@@ -1189,10 +1283,6 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
}
}
ok
=
check_crl_time
(
ctx
,
crl
,
1
);
if
(
!
ok
)
goto
err
;
ok
=
1
;
err:
...
...
crypto/x509/x509_vfy.h
浏览文件 @
4b96839f
...
...
@@ -269,6 +269,9 @@ struct x509_store_ctx_st /* X509_STORE_CTX */
X509
*
current_issuer
;
/* cert currently being tested as valid issuer */
X509_CRL
*
current_crl
;
/* current CRL */
int
current_crl_score
;
/* score of current CRL */
unsigned
int
current_reasons
;
/* Reason mask */
X509_STORE_CTX
*
parent
;
/* For CRL path validation: parent context */
CRYPTO_EX_DATA
ex_data
;
...
...
@@ -349,6 +352,7 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE 51
#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52
#define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53
#define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54
/* The application is not happy */
#define X509_V_ERR_APPLICATION_VERIFICATION 50
...
...
crypto/x509v3/v3_crld.c
浏览文件 @
4b96839f
...
...
@@ -191,6 +191,7 @@ static int set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx,
}
static
const
BIT_STRING_BITNAME
reason_flags
[]
=
{
{
0
,
"Unused"
,
"unused"
},
{
1
,
"Key Compromise"
,
"keyCompromise"
},
{
2
,
"CA Compromise"
,
"CACompromise"
},
{
3
,
"Affiliation Changed"
,
"affiliationChanged"
},
...
...
crypto/x509v3/v3_purp.c
浏览文件 @
4b96839f
...
...
@@ -318,6 +318,16 @@ static void setup_dp(X509 *x, DIST_POINT *dp)
{
X509_NAME
*
iname
=
NULL
;
int
i
;
if
(
dp
->
reasons
)
{
if
(
dp
->
reasons
->
length
>
0
)
dp
->
dp_reasons
=
dp
->
reasons
->
data
[
0
];
if
(
dp
->
reasons
->
length
>
1
)
dp
->
dp_reasons
|=
(
dp
->
reasons
->
data
[
1
]
<<
8
);
dp
->
dp_reasons
&=
CRLDP_ALL_REASONS
;
}
else
dp
->
dp_reasons
=
CRLDP_ALL_REASONS
;
if
(
!
dp
->
distpoint
||
(
dp
->
distpoint
->
type
!=
1
))
return
;
for
(
i
=
0
;
i
<
sk_GENERAL_NAME_num
(
dp
->
CRLissuer
);
i
++
)
...
...
crypto/x509v3/x509v3.h
浏览文件 @
4b96839f
...
...
@@ -223,11 +223,14 @@ union {
/* If relativename then this contains the full distribution point name */
X509_NAME
*
dpname
;
}
DIST_POINT_NAME
;
/* All existing reasons */
#define CRLDP_ALL_REASONS 0x807f
struct
DIST_POINT_st
{
DIST_POINT_NAME
*
distpoint
;
ASN1_BIT_STRING
*
reasons
;
GENERAL_NAMES
*
CRLissuer
;
int
dp_reasons
;
};
typedef
STACK_OF
(
DIST_POINT
)
CRL_DIST_POINTS
;
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录