diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2014-05-24 23:55:19 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2014-05-25 04:50:15 +0100 |
commit | 0930251df814f3993bf2c598761e0c7c6d0d62a2 (patch) | |
tree | f3e1c9cfaf47569bf8d767b911684b6d175f77af /crypto/x509/x509_lu.c | |
parent | 6c21b860ba8f0de64c6e96972ef3c728728d01a0 (diff) | |
download | openssl-0930251df814f3993bf2c598761e0c7c6d0d62a2.tar.gz |
Don't use expired certificates if possible.
When looking for the issuer of a certificate, if current candidate is
expired, continue looking. Only return an expired certificate if no valid
certificates are found.
PR#3359
Diffstat (limited to 'crypto/x509/x509_lu.c')
-rw-r--r-- | crypto/x509/x509_lu.c | 22 |
1 files changed, 18 insertions, 4 deletions
diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c index cce90848a2..79281c6bdb 100644 --- a/crypto/x509/x509_lu.c +++ b/crypto/x509/x509_lu.c @@ -61,6 +61,7 @@ #include <openssl/lhash.h> #include <openssl/x509.h> #include <openssl/x509v3.h> +#include "x509_lcl.h" X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method) { @@ -639,6 +640,7 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) X509_NAME *xn; X509_OBJECT obj, *pobj; int i, ok, idx, ret; + *issuer = NULL; xn=X509_get_issuer_name(x); ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj); if (ok != X509_LU_X509) @@ -660,8 +662,11 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) /* If certificate matches all OK */ if (ctx->check_issued(ctx, x, obj.data.x509)) { - *issuer = obj.data.x509; - return 1; + if (x509_check_cert_time(ctx, obj.data.x509, 1)) + { + *issuer = obj.data.x509; + return 1; + } } X509_OBJECT_free_contents(&obj); @@ -683,13 +688,22 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) if (ctx->check_issued(ctx, x, pobj->data.x509)) { *issuer = pobj->data.x509; - X509_OBJECT_up_ref_count(pobj); ret = 1; - break; + /* + * If times check, exit with match, + * otherwise keep looking. Leave last + * match in issuer so we return nearest + * match if no certificate time is OK. + */ + + if (x509_check_cert_time(ctx, *issuer, 1)) + break; } } } CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); + if (*issuer) + CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509); return ret; } |