Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
OpenHarmony
Third Party Openssl
提交
0090a686
T
Third Party Openssl
项目概览
OpenHarmony
/
Third Party Openssl
大约 1 年 前同步成功
通知
9
Star
18
Fork
1
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
T
Third Party Openssl
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
0090a686
编写于
12月 06, 2012
作者:
D
Dr. Stephen Henson
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Add code to download CRLs based on CRLDP extension.
Just a sample, real world applications would have to be cleverer.
上级
f5a7d5b1
变更
8
显示空白变更内容
内联
并排
Showing
8 changed file
with
113 addition
and
22 deletion
+113
-22
CHANGES
CHANGES
+4
-0
apps/apps.c
apps/apps.c
+78
-1
apps/apps.h
apps/apps.h
+3
-1
apps/s_apps.h
apps/s_apps.h
+2
-2
apps/s_cb.c
apps/s_cb.c
+11
-13
apps/s_client.c
apps/s_client.c
+6
-2
apps/s_server.c
apps/s_server.c
+3
-3
apps/verify.c
apps/verify.c
+6
-0
未找到文件。
CHANGES
浏览文件 @
0090a686
...
...
@@ -4,6 +4,10 @@
Changes between 1.0.x and 1.1.0 [xx XXX xxxx]
*) New option -crl_download in several openssl utilities to download CRLs
from CRLDP extension in certificates.
[Steve Henson]
*) Integrate hostname, email address and IP address checking with certificate
verification. New verify options supporting checking in opensl utility.
[Steve Henson]
...
...
apps/apps.c
浏览文件 @
0090a686
...
...
@@ -929,7 +929,7 @@ end:
return
(
x
);
}
X509_CRL
*
load_crl
(
char
*
infile
,
int
format
)
X509_CRL
*
load_crl
(
c
onst
c
har
*
infile
,
int
format
)
{
X509_CRL
*
x
=
NULL
;
BIO
*
in
=
NULL
;
...
...
@@ -2974,6 +2974,83 @@ void print_cert_checks(BIO *bio, X509 *x,
}
}
/* Get first http URL from a DIST_POINT structure */
static
const
char
*
get_dp_url
(
DIST_POINT
*
dp
)
{
GENERAL_NAMES
*
gens
;
GENERAL_NAME
*
gen
;
int
i
,
gtype
;
ASN1_STRING
*
uri
;
if
(
!
dp
->
distpoint
||
dp
->
distpoint
->
type
!=
0
)
return
NULL
;
gens
=
dp
->
distpoint
->
name
.
fullname
;
for
(
i
=
0
;
i
<
sk_GENERAL_NAME_num
(
gens
);
i
++
)
{
gen
=
sk_GENERAL_NAME_value
(
gens
,
i
);
uri
=
GENERAL_NAME_get0_value
(
gen
,
&
gtype
);
if
(
gtype
==
GEN_URI
&&
ASN1_STRING_length
(
uri
)
>
6
)
{
char
*
uptr
=
(
char
*
)
ASN1_STRING_data
(
uri
);
if
(
!
strncmp
(
uptr
,
"http://"
,
7
))
return
uptr
;
}
}
return
NULL
;
}
/* Look through a CRLDP structure and attempt to find an http URL to downloads
* a CRL from.
*/
static
X509_CRL
*
load_crl_crldp
(
STACK_OF
(
DIST_POINT
)
*
crldp
)
{
int
i
;
const
char
*
urlptr
=
NULL
;
for
(
i
=
0
;
i
<
sk_DIST_POINT_num
(
crldp
);
i
++
)
{
DIST_POINT
*
dp
=
sk_DIST_POINT_value
(
crldp
,
i
);
urlptr
=
get_dp_url
(
dp
);
if
(
urlptr
)
return
load_crl
(
urlptr
,
FORMAT_HTTP
);
}
return
NULL
;
}
/* Example of downloading CRLs from CRLDP: not usable for real world
* as it always downloads, doesn't support non-blocking I/O and doesn't
* cache anything.
*/
static
STACK_OF
(
X509_CRL
)
*
crls_http_cb
(
X509_STORE_CTX
*
ctx
,
X509_NAME
*
nm
)
{
X509
*
x
;
STACK_OF
(
X509_CRL
)
*
crls
=
NULL
;
X509_CRL
*
crl
;
STACK_OF
(
DIST_POINT
)
*
crldp
;
x
=
X509_STORE_CTX_get_current_cert
(
ctx
);
crldp
=
X509_get_ext_d2i
(
x
,
NID_crl_distribution_points
,
NULL
,
NULL
);
crl
=
load_crl_crldp
(
crldp
);
sk_DIST_POINT_pop_free
(
crldp
,
DIST_POINT_free
);
if
(
!
crl
)
return
NULL
;
crls
=
sk_X509_CRL_new_null
();
sk_X509_CRL_push
(
crls
,
crl
);
/* Try to download delta CRL */
crldp
=
X509_get_ext_d2i
(
x
,
NID_freshest_crl
,
NULL
,
NULL
);
crl
=
load_crl_crldp
(
crldp
);
sk_DIST_POINT_pop_free
(
crldp
,
DIST_POINT_free
);
if
(
crl
)
sk_X509_CRL_push
(
crls
,
crl
);
return
crls
;
}
void
store_setup_crl_download
(
X509_STORE
*
st
)
{
X509_STORE_set_lookup_crls_cb
(
st
,
crls_http_cb
);
}
/*
* Platform-specific sections
*/
...
...
apps/apps.h
浏览文件 @
0090a686
...
...
@@ -245,7 +245,7 @@ int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2);
int
add_oid_section
(
BIO
*
err
,
CONF
*
conf
);
X509
*
load_cert
(
BIO
*
err
,
const
char
*
file
,
int
format
,
const
char
*
pass
,
ENGINE
*
e
,
const
char
*
cert_descrip
);
X509_CRL
*
load_crl
(
char
*
infile
,
int
format
);
X509_CRL
*
load_crl
(
c
onst
c
har
*
infile
,
int
format
);
int
load_cert_crl_http
(
const
char
*
url
,
BIO
*
err
,
X509
**
pcert
,
X509_CRL
**
pcrl
);
EVP_PKEY
*
load_key
(
BIO
*
err
,
const
char
*
file
,
int
format
,
int
maybe_stdin
,
...
...
@@ -343,6 +343,8 @@ void print_cert_checks(BIO *bio, X509 *x,
const
unsigned
char
*
checkemail
,
const
char
*
checkip
);
void
store_setup_crl_download
(
X509_STORE
*
st
);
#define FORMAT_UNDEF 0
#define FORMAT_ASN1 1
#define FORMAT_TEXT 2
...
...
apps/s_apps.h
浏览文件 @
0090a686
...
...
@@ -197,9 +197,9 @@ int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
int
*
badarg
,
BIO
*
err
,
STACK_OF
(
OPENSSL_STRING
)
**
pstr
);
int
args_ssl_call
(
SSL_CTX
*
ctx
,
BIO
*
err
,
SSL_CONF_CTX
*
cctx
,
STACK_OF
(
OPENSSL_STRING
)
*
str
,
int
no_ecdhe
);
int
ssl_ctx_add_crls
(
SSL_CTX
*
ctx
,
STACK_OF
(
X509_CRL
)
*
crls
);
int
ssl_ctx_add_crls
(
SSL_CTX
*
ctx
,
STACK_OF
(
X509_CRL
)
*
crls
,
int
crl_download
);
int
ssl_load_stores
(
SSL_CTX
*
ctx
,
const
char
*
vfyCApath
,
const
char
*
vfyCAfile
,
const
char
*
chCApath
,
const
char
*
chCAfile
,
STACK_OF
(
X509_CRL
)
*
crls
);
STACK_OF
(
X509_CRL
)
*
crls
,
int
crl_download
);
#endif
apps/s_cb.c
浏览文件 @
0090a686
...
...
@@ -1660,32 +1660,28 @@ static int add_crls_store(X509_STORE *st, STACK_OF(X509_CRL) *crls)
{
X509_CRL
*
crl
;
int
i
;
if
(
crls
)
{
for
(
i
=
0
;
i
<
sk_X509_CRL_num
(
crls
);
i
++
)
{
crl
=
sk_X509_CRL_value
(
crls
,
i
);
X509_STORE_add_crl
(
st
,
crl
);
}
}
return
1
;
}
int
ssl_ctx_add_crls
(
SSL_CTX
*
ctx
,
STACK_OF
(
X509_CRL
)
*
crls
)
int
ssl_ctx_add_crls
(
SSL_CTX
*
ctx
,
STACK_OF
(
X509_CRL
)
*
crls
,
int
crl_download
)
{
X509_STORE
*
st
;
if
(
crls
)
{
st
=
SSL_CTX_get_cert_store
(
ctx
);
add_crls_store
(
st
,
crls
);
}
if
(
crl_download
)
store_setup_crl_download
(
st
);
return
1
;
}
int
ssl_load_stores
(
SSL_CTX
*
ctx
,
const
char
*
vfyCApath
,
const
char
*
vfyCAfile
,
const
char
*
chCApath
,
const
char
*
chCAfile
,
STACK_OF
(
X509_CRL
)
*
crls
)
STACK_OF
(
X509_CRL
)
*
crls
,
int
crl_download
)
{
X509_STORE
*
vfy
=
NULL
,
*
ch
=
NULL
;
int
rv
=
0
;
...
...
@@ -1696,6 +1692,8 @@ int ssl_load_stores(SSL_CTX *ctx,
goto
err
;
add_crls_store
(
vfy
,
crls
);
SSL_CTX_set1_verify_cert_store
(
ctx
,
vfy
);
if
(
crl_download
)
store_setup_crl_download
(
vfy
);
}
if
(
chCApath
||
chCAfile
)
{
...
...
apps/s_client.c
浏览文件 @
0090a686
...
...
@@ -635,6 +635,7 @@ int MAIN(int argc, char **argv)
char
*
crl_file
=
NULL
;
int
crl_format
=
FORMAT_PEM
;
int
crl_download
=
0
;
STACK_OF
(
X509_CRL
)
*
crls
=
NULL
;
meth
=
SSLv23_client_method
();
...
...
@@ -711,6 +712,8 @@ int MAIN(int argc, char **argv)
if
(
--
argc
<
1
)
goto
bad
;
crl_file
=
*
(
++
argv
);
}
else
if
(
strcmp
(
*
argv
,
"-crl_download"
)
==
0
)
crl_download
=
1
;
else
if
(
strcmp
(
*
argv
,
"-sess_out"
)
==
0
)
{
if
(
--
argc
<
1
)
goto
bad
;
...
...
@@ -1192,7 +1195,8 @@ bad:
goto
end
;
}
if
(
!
ssl_load_stores
(
ctx
,
vfyCApath
,
vfyCAfile
,
chCApath
,
chCAfile
,
crls
))
if
(
!
ssl_load_stores
(
ctx
,
vfyCApath
,
vfyCAfile
,
chCApath
,
chCAfile
,
crls
,
crl_download
))
{
BIO_printf
(
bio_err
,
"Error loading store locations
\n
"
);
ERR_print_errors
(
bio_err
);
...
...
@@ -1254,7 +1258,7 @@ bad:
/* goto end; */
}
ssl_ctx_add_crls
(
ctx
,
crls
);
ssl_ctx_add_crls
(
ctx
,
crls
,
crl_download
);
if
(
!
set_cert_key_stuff
(
ctx
,
cert
,
key
,
NULL
,
build_chain
))
goto
end
;
...
...
apps/s_server.c
浏览文件 @
0090a686
...
...
@@ -1715,12 +1715,12 @@ bad:
if
(
vpm
)
SSL_CTX_set1_param
(
ctx
,
vpm
);
ssl_ctx_add_crls
(
ctx
,
crls
);
ssl_ctx_add_crls
(
ctx
,
crls
,
0
);
if
(
!
args_ssl_call
(
ctx
,
bio_err
,
cctx
,
ssl_args
,
no_ecdhe
))
goto
end
;
if
(
!
ssl_load_stores
(
ctx
,
vfyCApath
,
vfyCAfile
,
chCApath
,
chCAfile
,
crls
))
if
(
!
ssl_load_stores
(
ctx
,
vfyCApath
,
vfyCAfile
,
chCApath
,
chCAfile
,
crls
,
0
))
{
BIO_printf
(
bio_err
,
"Error loading store locations
\n
"
);
ERR_print_errors
(
bio_err
);
...
...
@@ -1783,7 +1783,7 @@ bad:
if
(
vpm
)
SSL_CTX_set1_param
(
ctx2
,
vpm
);
ssl_ctx_add_crls
(
ctx2
,
crls
);
ssl_ctx_add_crls
(
ctx2
,
crls
,
0
);
if
(
!
args_ssl_call
(
ctx2
,
bio_err
,
cctx
,
ssl_args
,
no_ecdhe
))
goto
end
;
...
...
apps/verify.c
浏览文件 @
0090a686
...
...
@@ -88,6 +88,7 @@ int MAIN(int argc, char **argv)
X509_STORE
*
cert_ctx
=
NULL
;
X509_LOOKUP
*
lookup
=
NULL
;
X509_VERIFY_PARAM
*
vpm
=
NULL
;
int
crl_download
=
0
;
#ifndef OPENSSL_NO_ENGINE
char
*
engine
=
NULL
;
#endif
...
...
@@ -145,6 +146,8 @@ int MAIN(int argc, char **argv)
if
(
argc
--
<
1
)
goto
end
;
crlfile
=
*
(
++
argv
);
}
else
if
(
strcmp
(
*
argv
,
"-crl_download"
)
==
0
)
crl_download
=
1
;
#ifndef OPENSSL_NO_ENGINE
else
if
(
strcmp
(
*
argv
,
"-engine"
)
==
0
)
{
...
...
@@ -222,6 +225,9 @@ int MAIN(int argc, char **argv)
goto
end
;
}
if
(
crl_download
)
store_setup_crl_download
(
cert_ctx
);
if
(
argc
<
1
)
check
(
cert_ctx
,
NULL
,
untrusted
,
trusted
,
crls
,
e
);
else
for
(
i
=
0
;
i
<
argc
;
i
++
)
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录