Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
OpenHarmony
Third Party Openssl
提交
bc7535bc
T
Third Party Openssl
项目概览
OpenHarmony
/
Third Party Openssl
1 年多 前同步成功
通知
9
Star
18
Fork
1
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
T
Third Party Openssl
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
提交
bc7535bc
编写于
9月 14, 2006
作者:
D
Dr. Stephen Henson
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Support for AKID in CRLs and partial support for IDP. Overhaul of CRL
handling to support this.
上级
83357f04
变更
6
隐藏空白更改
内联
并排
Showing
6 changed file
with
218 addition
and
41 deletion
+218
-41
CHANGES
CHANGES
+12
-0
crypto/x509/x509_txt.c
crypto/x509/x509_txt.c
+4
-0
crypto/x509/x509_vfy.c
crypto/x509/x509_vfy.c
+150
-9
crypto/x509/x509_vfy.h
crypto/x509/x509_vfy.h
+2
-0
crypto/x509v3/v3_purp.c
crypto/x509v3/v3_purp.c
+49
-32
crypto/x509v3/x509v3.h
crypto/x509v3/x509v3.h
+1
-0
未找到文件。
CHANGES
浏览文件 @
bc7535bc
...
...
@@ -4,6 +4,18 @@
Changes between 0.9.8d and 0.9.9 [xx XXX xxxx]
*) Partial support for Issuing Distribution Point CRL extension. CRLs
partitioned by DP are handled but no indirect CRL or reason partitioning
(yet). Complete overhaul of CRL handling: now the most suitable CRL is
selected via a scoring technique which handles IDP and AKID in CRLs.
[Steve Henson]
*) New X509_STORE_CTX callbacks lookup_crls() and lookup_certs() which
will ultimately be used for all verify operations: this will remove the
X509_STORE dependency on certificate verification and allow alternative
lookup methods. X509_STORE based implementations of these two callbacks.
[Steve Henson]
*) Allow multiple CRLs to exist in an X509_STORE with matching issuer names.
Modify get_crl() to find a valid (unexpired) CRL if possible.
[Steve Henson]
...
...
crypto/x509/x509_txt.c
浏览文件 @
bc7535bc
...
...
@@ -162,6 +162,10 @@ const char *X509_verify_cert_error_string(long n)
return
(
"invalid or inconsistent certificate policy extension"
);
case
X509_V_ERR_NO_EXPLICIT_POLICY
:
return
(
"no explicit policy"
);
case
X509_V_ERR_DIFFERENT_CRL_SCOPE
:
return
(
"Different CRL scope"
);
case
X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
:
return
(
"Unsupported extension feature"
);
default:
BIO_snprintf
(
buf
,
sizeof
buf
,
"error number %ld"
,
n
);
return
(
buf
);
...
...
crypto/x509/x509_vfy.c
浏览文件 @
bc7535bc
...
...
@@ -78,6 +78,8 @@ static int check_trust(X509_STORE_CTX *ctx);
static
int
check_revocation
(
X509_STORE_CTX
*
ctx
);
static
int
check_cert
(
X509_STORE_CTX
*
ctx
);
static
int
check_policy
(
X509_STORE_CTX
*
ctx
);
static
int
crl_akid_check
(
X509_STORE_CTX
*
ctx
,
AUTHORITY_KEYID
*
akid
);
static
int
idp_check_scope
(
X509
*
x
,
X509_CRL
*
crl
);
static
int
internal_verify
(
X509_STORE_CTX
*
ctx
);
const
char
*
X509_version
=
"X.509"
OPENSSL_VERSION_PTEXT
;
...
...
@@ -649,30 +651,81 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
return
1
;
}
/* Lookup CRLs from the supplied list. Look for matching isser name
* and validity. If we can't find a valid CRL return the last one
* with matching name. This gives more meaningful error codes. Otherwise
* we'd get a CRL not found error if a CRL existed with matching name but
* was invalid.
/* Based on a set of possible CRLs decide which one is best suited
* to handle the current certificate. This is determined by a number
* of criteria. If any of the "must" criteria is not satisfied then
* the candidate CRL is rejected. If all "must" and all "should" are
* satisfied the CRL is accepted. If no CRL satisfies all criteria then
* a "best CRL" is used to provide some meaningful error information.
*
* CRL issuer name must match "nm" if not NULL.
* If IDP is present:
* a. it must be consistent.
* b. onlyuser, onlyCA, onlyAA should match certificate being checked.
* c. indirectCRL must be FALSE.
* d. onlysomereason must be absent.
* e. if name present a DP in certificate CRLDP must match.
* If AKID present it should match certificate AKID.
* Check time should fall between lastUpdate and nextUpdate.
*/
/* IDP name field matches CRLDP or IDP name not present */
#define CRL_SCORE_SCOPE 4
/* AKID present and matches cert, or AKID not present */
#define CRL_SCORE_AKID 2
/* times OK */
#define CRL_SCORE_TIME 1
#define CRL_SCORE_ALL 7
/* IDP flags which cause a CRL to be rejected */
#define IDP_REJECT (IDP_INVALID|IDP_INDIRECT|IDP_REASONS)
static
int
get_crl_sk
(
X509_STORE_CTX
*
ctx
,
X509_CRL
**
pcrl
,
X509_NAME
*
nm
,
STACK_OF
(
X509_CRL
)
*
crls
)
{
int
i
;
int
i
,
crl_score
,
best_score
=
-
1
;
X509_CRL
*
crl
,
*
best_crl
=
NULL
;
for
(
i
=
0
;
i
<
sk_X509_CRL_num
(
crls
);
i
++
)
{
crl_score
=
0
;
crl
=
sk_X509_CRL_value
(
crls
,
i
);
if
(
nm
&&
X509_NAME_cmp
(
nm
,
X509_CRL_get_issuer
(
crl
)))
continue
;
if
(
check_crl_time
(
ctx
,
crl
,
0
))
crl_score
|=
CRL_SCORE_TIME
;
if
(
crl
->
idp_flags
&
IDP_PRESENT
)
{
if
(
crl
->
idp_flags
&
IDP_REJECT
)
continue
;
if
(
idp_check_scope
(
ctx
->
current_cert
,
crl
))
crl_score
|=
CRL_SCORE_SCOPE
;
}
else
crl_score
|=
CRL_SCORE_SCOPE
;
if
(
crl
->
akid
)
{
if
(
crl_akid_check
(
ctx
,
crl
->
akid
))
crl_score
|=
CRL_SCORE_AKID
;
}
else
crl_score
|=
CRL_SCORE_AKID
;
if
(
crl_score
==
CRL_SCORE_ALL
)
{
*
pcrl
=
crl
;
CRYPTO_add
(
&
crl
->
references
,
1
,
CRYPTO_LOCK_X509_CRL
);
return
1
;
}
best_crl
=
crl
;
if
(
crl_score
>
best_score
)
{
best_crl
=
crl
;
best_score
=
crl_score
;
}
}
if
(
best_crl
)
{
...
...
@@ -683,9 +736,71 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl,
return
0
;
}
/* Retrieve CRL corresponding to certificate: currently just a
* subject lookup: maybe use AKID later...
static
int
crl_akid_check
(
X509_STORE_CTX
*
ctx
,
AUTHORITY_KEYID
*
akid
)
{
int
cidx
=
ctx
->
error_depth
;
if
(
cidx
!=
sk_X509_num
(
ctx
->
chain
)
-
1
)
cidx
++
;
if
(
X509_check_akid
(
sk_X509_value
(
ctx
->
chain
,
cidx
),
akid
)
==
X509_V_OK
)
return
1
;
return
0
;
}
/* Check IDP name matches at least one CRLDP name */
static
int
idp_check_scope
(
X509
*
x
,
X509_CRL
*
crl
)
{
int
i
,
j
,
k
;
GENERAL_NAMES
*
inames
,
*
dnames
;
if
(
crl
->
idp_flags
&
IDP_ONLYATTR
)
return
0
;
if
(
x
->
ex_flags
&
EXFLAG_CA
)
{
if
(
crl
->
idp_flags
&
IDP_ONLYUSER
)
return
0
;
}
else
{
if
(
crl
->
idp_flags
&
IDP_ONLYCA
)
return
0
;
}
if
(
!
crl
->
idp
->
distpoint
)
return
1
;
if
(
crl
->
idp
->
distpoint
->
type
!=
0
)
return
1
;
if
(
!
x
->
crldp
)
return
0
;
inames
=
crl
->
idp
->
distpoint
->
name
.
fullname
;
for
(
i
=
0
;
i
<
sk_GENERAL_NAME_num
(
inames
);
i
++
)
{
GENERAL_NAME
*
igen
=
sk_GENERAL_NAME_value
(
inames
,
i
);
for
(
j
=
0
;
j
<
sk_DIST_POINT_num
(
x
->
crldp
);
j
++
)
{
DIST_POINT
*
dp
=
sk_DIST_POINT_value
(
x
->
crldp
,
j
);
/* We don't handle these at present */
if
(
dp
->
reasons
||
dp
->
CRLissuer
)
continue
;
if
(
!
dp
->
distpoint
||
(
dp
->
distpoint
->
type
!=
0
))
continue
;
dnames
=
dp
->
distpoint
->
name
.
fullname
;
for
(
k
=
0
;
k
<
sk_GENERAL_NAME_num
(
dnames
);
k
++
)
{
GENERAL_NAME
*
cgen
=
sk_GENERAL_NAME_value
(
dnames
,
k
);
if
(
!
GENERAL_NAME_cmp
(
igen
,
cgen
))
return
1
;
}
}
}
return
0
;
}
/* Retrieve CRL corresponding to current certificate. Currently only
* one CRL is retrieved. Multiple CRLs may be needed if we handle
* CRLs partitioned on reason code later.
*/
static
int
get_crl
(
X509_STORE_CTX
*
ctx
,
X509_CRL
**
pcrl
,
X509
*
x
)
{
int
ok
;
...
...
@@ -765,6 +880,28 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
if
(
!
ok
)
goto
err
;
}
if
(
crl
->
idp_flags
&
IDP_PRESENT
)
{
if
(
crl
->
idp_flags
&
IDP_INVALID
)
{
ctx
->
error
=
X509_V_ERR_INVALID_EXTENSION
;
ok
=
ctx
->
verify_cb
(
0
,
ctx
);
if
(
!
ok
)
goto
err
;
}
if
(
crl
->
idp_flags
&
(
IDP_REASONS
|
IDP_INDIRECT
))
{
ctx
->
error
=
X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
;
ok
=
ctx
->
verify_cb
(
0
,
ctx
);
if
(
!
ok
)
goto
err
;
}
if
(
!
idp_check_scope
(
ctx
->
current_cert
,
crl
))
{
ctx
->
error
=
X509_V_ERR_DIFFERENT_CRL_SCOPE
;
ok
=
ctx
->
verify_cb
(
0
,
ctx
);
if
(
!
ok
)
goto
err
;
}
}
/* Attempt to get issuer certificate public key */
ikey
=
X509_get_pubkey
(
issuer
);
...
...
@@ -843,6 +980,10 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
ext
=
sk_X509_EXTENSION_value
(
exts
,
idx
);
if
(
ext
->
critical
>
0
)
{
/* We handle IDP now so permit it */
if
(
OBJ_obj2nid
(
ext
->
object
)
==
NID_issuing_distribution_point
)
continue
;
ctx
->
error
=
X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
;
ok
=
ctx
->
verify_cb
(
0
,
ctx
);
...
...
crypto/x509/x509_vfy.h
浏览文件 @
bc7535bc
...
...
@@ -334,6 +334,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
#define X509_V_ERR_INVALID_EXTENSION 41
#define X509_V_ERR_INVALID_POLICY_EXTENSION 42
#define X509_V_ERR_NO_EXPLICIT_POLICY 43
#define X509_V_ERR_DIFFERENT_CRL_SCOPE 44
#define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45
/* The application is not happy */
...
...
crypto/x509v3/v3_purp.c
浏览文件 @
bc7535bc
...
...
@@ -644,39 +644,14 @@ int X509_check_issued(X509 *issuer, X509 *subject)
return
X509_V_ERR_SUBJECT_ISSUER_MISMATCH
;
x509v3_cache_extensions
(
issuer
);
x509v3_cache_extensions
(
subject
);
if
(
subject
->
akid
)
{
/* Check key ids (if present) */
if
(
subject
->
akid
->
keyid
&&
issuer
->
skid
&&
ASN1_OCTET_STRING_cmp
(
subject
->
akid
->
keyid
,
issuer
->
skid
)
)
return
X509_V_ERR_AKID_SKID_MISMATCH
;
/* Check serial number */
if
(
subject
->
akid
->
serial
&&
ASN1_INTEGER_cmp
(
X509_get_serialNumber
(
issuer
),
subject
->
akid
->
serial
))
return
X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
;
/* Check issuer name */
if
(
subject
->
akid
->
issuer
)
{
/* Ugh, for some peculiar reason AKID includes
* SEQUENCE OF GeneralName. So look for a DirName.
* There may be more than one but we only take any
* notice of the first.
*/
GENERAL_NAMES
*
gens
;
GENERAL_NAME
*
gen
;
X509_NAME
*
nm
=
NULL
;
int
i
;
gens
=
subject
->
akid
->
issuer
;
for
(
i
=
0
;
i
<
sk_GENERAL_NAME_num
(
gens
);
i
++
)
{
gen
=
sk_GENERAL_NAME_value
(
gens
,
i
);
if
(
gen
->
type
==
GEN_DIRNAME
)
{
nm
=
gen
->
d
.
dirn
;
break
;
}
}
if
(
nm
&&
X509_NAME_cmp
(
nm
,
X509_get_issuer_name
(
issuer
)))
return
X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
;
if
(
subject
->
akid
)
{
int
ret
=
X509_check_akid
(
issuer
,
subject
->
akid
);
if
(
ret
!=
X509_V_OK
)
return
ret
;
}
}
if
(
subject
->
ex_flags
&
EXFLAG_PROXY
)
{
if
(
ku_reject
(
issuer
,
KU_DIGITAL_SIGNATURE
))
...
...
@@ -687,3 +662,45 @@ int X509_check_issued(X509 *issuer, X509 *subject)
return
X509_V_OK
;
}
int
X509_check_akid
(
X509
*
issuer
,
AUTHORITY_KEYID
*
akid
)
{
if
(
!
akid
)
return
X509_V_OK
;
/* Check key ids (if present) */
if
(
akid
->
keyid
&&
issuer
->
skid
&&
ASN1_OCTET_STRING_cmp
(
akid
->
keyid
,
issuer
->
skid
)
)
return
X509_V_ERR_AKID_SKID_MISMATCH
;
/* Check serial number */
if
(
akid
->
serial
&&
ASN1_INTEGER_cmp
(
X509_get_serialNumber
(
issuer
),
akid
->
serial
))
return
X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
;
/* Check issuer name */
if
(
akid
->
issuer
)
{
/* Ugh, for some peculiar reason AKID includes
* SEQUENCE OF GeneralName. So look for a DirName.
* There may be more than one but we only take any
* notice of the first.
*/
GENERAL_NAMES
*
gens
;
GENERAL_NAME
*
gen
;
X509_NAME
*
nm
=
NULL
;
int
i
;
gens
=
akid
->
issuer
;
for
(
i
=
0
;
i
<
sk_GENERAL_NAME_num
(
gens
);
i
++
)
{
gen
=
sk_GENERAL_NAME_value
(
gens
,
i
);
if
(
gen
->
type
==
GEN_DIRNAME
)
{
nm
=
gen
->
d
.
dirn
;
break
;
}
}
if
(
nm
&&
X509_NAME_cmp
(
nm
,
X509_get_issuer_name
(
issuer
)))
return
X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
;
}
return
X509_V_OK
;
}
crypto/x509v3/x509v3.h
浏览文件 @
bc7535bc
...
...
@@ -632,6 +632,7 @@ int X509_check_purpose(X509 *x, int id, int ca);
int
X509_supported_extension
(
X509_EXTENSION
*
ex
);
int
X509_PURPOSE_set
(
int
*
p
,
int
purpose
);
int
X509_check_issued
(
X509
*
issuer
,
X509
*
subject
);
int
X509_check_akid
(
X509
*
issuer
,
AUTHORITY_KEYID
*
akid
);
int
X509_PURPOSE_get_count
(
void
);
X509_PURPOSE
*
X509_PURPOSE_get0
(
int
idx
);
int
X509_PURPOSE_get_by_sname
(
char
*
sname
);
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录