diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2000-09-05 17:53:58 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2000-09-05 17:53:58 +0000 |
commit | 2f043896d14f5b1ced08bcc8bec3e38e7a18d96f (patch) | |
tree | 30c91e35a2b02dadc58fc56355894b4345142e51 /crypto/x509 | |
parent | 29eb7d9ce0488690cca532d0ecb4075b5ca59209 (diff) | |
download | openssl-2f043896d14f5b1ced08bcc8bec3e38e7a18d96f.tar.gz |
*BIG* verify code reorganisation.
The old code was painfully primitive and couldn't handle
distinct certificates using the same subject name.
The new code performs several tests on a candidate issuer
certificate based on certificate extensions.
It also adds several callbacks to X509_VERIFY_CTX so its
behaviour can be customised.
Unfortunately some hackery was needed to persuade X509_STORE
to tolerate this. This should go away when X509_STORE is
replaced, sometime...
This must have broken something though :-(
Diffstat (limited to 'crypto/x509')
-rw-r--r-- | crypto/x509/by_dir.c | 4 | ||||
-rw-r--r-- | crypto/x509/x509.h | 2 | ||||
-rw-r--r-- | crypto/x509/x509_lu.c | 241 | ||||
-rw-r--r-- | crypto/x509/x509_txt.c | 9 | ||||
-rw-r--r-- | crypto/x509/x509_vfy.c | 248 | ||||
-rw-r--r-- | crypto/x509/x509_vfy.h | 41 |
6 files changed, 349 insertions, 196 deletions
diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c index c5920cc7dd..cac64a6f40 100644 --- a/crypto/x509/by_dir.c +++ b/crypto/x509/by_dir.c @@ -326,7 +326,9 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, /* we have added it to the cache so now pull * it out again */ CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE); - tmp=(X509_OBJECT *)lh_retrieve(xl->store_ctx->certs,&stmp); + j = sk_X509_OBJECT_find(xl->store_ctx->objs,&stmp); + if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,i); + else tmp = NULL; CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE); if (tmp != NULL) diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h index 9768754fa7..db80eda8e0 100644 --- a/crypto/x509/x509.h +++ b/crypto/x509/x509.h @@ -275,6 +275,8 @@ typedef struct x509_st unsigned long ex_kusage; unsigned long ex_xkusage; unsigned long ex_nscert; + ASN1_OCTET_STRING *skid; + struct AUTHORITY_KEYID_st *akid; #ifndef NO_SHA unsigned char sha1_hash[SHA_DIGEST_LENGTH]; #endif diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c index 68f26f149b..8dfd75591c 100644 --- a/crypto/x509/x509_lu.c +++ b/crypto/x509/x509_lu.c @@ -62,7 +62,6 @@ #include <openssl/x509.h> static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_store_meth=NULL; -static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_store_ctx_meth=NULL; X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method) { @@ -155,39 +154,21 @@ int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, int len, return(ctx->method->get_by_alias(ctx,type,str,len,ret)); } -static unsigned long x509_object_hash(X509_OBJECT *a) - { - unsigned long h; - - switch (a->type) - { - case X509_LU_X509: - h=X509_NAME_hash(a->data.x509->cert_info->subject); - break; - case X509_LU_CRL: - h=X509_NAME_hash(a->data.crl->crl->issuer); - break; - default: - /* abort(); */ - return 0; - } - return(h); - } - -static int x509_object_cmp(X509_OBJECT *a, X509_OBJECT *b) - { - int ret; - - ret=(a->type - b->type); - if (ret) return(ret); - switch (a->type) - { - case X509_LU_X509: - ret=X509_subject_name_cmp(a->data.x509,b->data.x509); - break; - case X509_LU_CRL: - ret=X509_CRL_cmp(a->data.crl,b->data.crl); - break; + +static int x509_object_cmp(const X509_OBJECT * const *a, const X509_OBJECT * const *b) + { + int ret; + + ret=((*a)->type - (*b)->type); + if (ret) return(ret); + switch ((*a)->type) + { + case X509_LU_X509: + ret=X509_subject_name_cmp((*a)->data.x509,(*b)->data.x509); + break; + case X509_LU_CRL: + ret=X509_CRL_cmp((*a)->data.crl,(*b)->data.crl); + break; default: /* abort(); */ return 0; @@ -201,7 +182,7 @@ X509_STORE *X509_STORE_new(void) if ((ret=(X509_STORE *)OPENSSL_malloc(sizeof(X509_STORE))) == NULL) return(NULL); - ret->certs=lh_new(x509_object_hash,x509_object_cmp); + ret->objs = sk_X509_OBJECT_new(x509_object_cmp); ret->cache=1; ret->get_cert_methods=sk_X509_LOOKUP_new_null(); ret->verify=NULL; @@ -247,10 +228,9 @@ void X509_STORE_free(X509_STORE *vfy) X509_LOOKUP_free(lu); } sk_X509_LOOKUP_free(sk); + sk_X509_OBJECT_pop_free(vfy->objs, cleanup); CRYPTO_free_ex_data(x509_store_meth,vfy,&vfy->ex_data); - lh_doall(vfy->certs,cleanup); - lh_free(vfy->certs); OPENSSL_free(vfy); } @@ -294,7 +274,7 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name, X509_OBJECT stmp,*tmp; int i,j; - tmp=X509_OBJECT_retrieve_by_subject(ctx->certs,type,name); + tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name); if (tmp == NULL) { @@ -329,6 +309,73 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name, return(1); } +int X509_STORE_add_cert(X509_STORE *ctx, X509 *x) + { + X509_OBJECT *obj; + int ret=1; + + if (x == NULL) return(0); + obj=(X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT)); + if (obj == NULL) + { + X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE); + return(0); + } + obj->type=X509_LU_X509; + obj->data.x509=x; + + CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); + + X509_OBJECT_up_ref_count(obj); + + + if (X509_OBJECT_retrieve_match(ctx->objs, obj)) + { + X509_OBJECT_free_contents(obj); + OPENSSL_free(obj); + X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE); + ret=0; + } + else sk_X509_OBJECT_push(ctx->objs, obj); + + CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); + + return(ret); + } + +int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x) + { + X509_OBJECT *obj; + int ret=1; + + if (x == NULL) return(0); + obj=(X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT)); + if (obj == NULL) + { + X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE); + return(0); + } + obj->type=X509_LU_CRL; + obj->data.crl=x; + + CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); + + X509_OBJECT_up_ref_count(obj); + + if (X509_OBJECT_retrieve_match(ctx->objs, obj)) + { + X509_OBJECT_free_contents(obj); + OPENSSL_free(obj); + X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE); + ret=0; + } + else sk_X509_OBJECT_push(ctx->objs, obj); + + CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); + + return(ret); + } + void X509_OBJECT_up_ref_count(X509_OBJECT *a) { switch (a->type) @@ -355,10 +402,10 @@ void X509_OBJECT_free_contents(X509_OBJECT *a) } } -X509_OBJECT *X509_OBJECT_retrieve_by_subject(LHASH *h, int type, +int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name) { - X509_OBJECT stmp,*tmp; + X509_OBJECT stmp; X509 x509_s; X509_CINF cinf_s; X509_CRL crl_s; @@ -379,54 +426,98 @@ X509_OBJECT *X509_OBJECT_retrieve_by_subject(LHASH *h, int type, break; default: /* abort(); */ - return NULL; + return -1; } - tmp=(X509_OBJECT *)lh_retrieve(h,&stmp); - return(tmp); + return sk_X509_OBJECT_find(h,&stmp); } -X509_STORE_CTX *X509_STORE_CTX_new(void) +X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type, + X509_NAME *name) { - X509_STORE_CTX *ctx; - ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX)); - if(ctx) memset(ctx, 0, sizeof(X509_STORE_CTX)); - return ctx; + int idx; + idx = X509_OBJECT_idx_by_subject(h, type, name); + if(idx==-1) return NULL; + return sk_X509_OBJECT_value(h, idx); } -void X509_STORE_CTX_free(X509_STORE_CTX *ctx) +X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x) { - X509_STORE_CTX_cleanup(ctx); - OPENSSL_free(ctx); + int idx, i; + X509_OBJECT *obj; + idx = sk_X509_OBJECT_find(h, x); + if(idx == -1) return NULL; + if(x->type != X509_LU_X509) return sk_X509_OBJECT_value(h, idx); + for(i = idx; i < sk_X509_OBJECT_num(h); i++) { + obj = sk_X509_OBJECT_value(h, i); + if(x509_object_cmp((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x)) return NULL; + if((x->type != X509_LU_X509) || !X509_cmp(obj->data.x509, x->data.x509)) return obj; + } + return NULL; } -void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, - STACK_OF(X509) *chain) - { - ctx->ctx=store; - ctx->current_method=0; - ctx->cert=x509; - ctx->untrusted=chain; - ctx->last_untrusted=0; - ctx->purpose=0; - ctx->trust=0; - ctx->valid=0; - ctx->chain=NULL; - ctx->depth=9; - ctx->error=0; - ctx->current_cert=NULL; - memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); - } -void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) - { - if (ctx->chain != NULL) +/* Try to get issuer certificate from store. Due to limitations + * of the API this can only retrieve a single certificate matching + * a given subject name. However it will fill the cache with all + * matching certificates, so we can examine the cache for all + * matches. + * + * Return values are: + * 1 lookup successful. + * 0 certificate not found. + * -1 some other error. + */ + + +int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) +{ + X509_NAME *xn; + X509_OBJECT obj, *pobj; + int i, ok, idx; + xn=X509_get_issuer_name(x); + ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj); + if (ok != X509_LU_X509) { - sk_X509_pop_free(ctx->chain,X509_free); - ctx->chain=NULL; + if (ok == X509_LU_RETRY) + { + X509_OBJECT_free_contents(&obj); + X509err(X509_F_X509_VERIFY_CERT,X509_R_SHOULD_RETRY); + return -1; + } + else if (ok != X509_LU_FAIL) + { + X509_OBJECT_free_contents(&obj); + /* not good :-(, break anyway */ + return -1; + } + return 0; + } + /* If certificate matches all OK */ + if(ctx->check_issued(ctx, x, obj.data.x509)) { + *issuer = obj.data.x509; + return 1; + } + X509_OBJECT_free_contents(&obj); + /* Else find index of first matching cert */ + idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn); + /* This shouldn't normally happen since we already have one match */ + if(idx == -1) return 0; + + /* Look through all matching certificates for a suitable issuer */ + for(i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++) { + pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i); + /* See if we've ran out of matches */ + if(pobj->type != X509_LU_X509) return 0; + if(X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509))) return 0; + if(ctx->check_issued(ctx, x, pobj->data.x509)) { + *issuer = pobj->data.x509; + X509_OBJECT_up_ref_count(pobj); + return 1; } - CRYPTO_free_ex_data(x509_store_ctx_meth,ctx,&(ctx->ex_data)); - memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA)); } + return 0; +} IMPLEMENT_STACK_OF(X509_LOOKUP) +IMPLEMENT_STACK_OF(X509_OBJECT) diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c index 209cf53191..cfb478d4bc 100644 --- a/crypto/x509/x509_txt.c +++ b/crypto/x509/x509_txt.c @@ -132,6 +132,15 @@ const char *X509_verify_cert_error_string(long n) return ("certificate rejected"); case X509_V_ERR_APPLICATION_VERIFICATION: return("application verification failure"); + case X509_V_ERR_SUBJECT_ISSUER_MISMATCH: + return("subject issuer mismatch"); + case X509_V_ERR_AKID_SKID_MISMATCH: + return("authority and subject key identifier mismatch"); + case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: + return("authority and issuer serial number mismatch"); + case X509_V_ERR_KEYUSAGE_NO_CERTSIGN: + return("key usage does not include certificate signing"); + default: sprintf(buf,"error number %ld",n); return(buf); diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index ccc031377a..07a8bd44b6 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -71,6 +71,8 @@ #include <openssl/objects.h> static int null_callback(int ok,X509_STORE_CTX *e); +static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); +static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x); static int check_chain_purpose(X509_STORE_CTX *ctx); static int check_trust(X509_STORE_CTX *ctx); static int internal_verify(X509_STORE_CTX *ctx); @@ -99,7 +101,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx) { X509 *x,*xtmp,*chain_ss=NULL; X509_NAME *xn; - X509_OBJECT obj; int depth,i,ok=0; int num; int (*cb)(); @@ -111,7 +112,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx) return(-1); } - cb=ctx->ctx->verify_cb; + cb=ctx->verify_cb; if (cb == NULL) cb=null_callback; /* first we make sure the chain we are going to build is @@ -152,13 +153,12 @@ int X509_verify_cert(X509_STORE_CTX *ctx) /* If we are self signed, we break */ xn=X509_get_issuer_name(x); - if (X509_NAME_cmp(X509_get_subject_name(x),xn) == 0) - break; + if (ctx->check_issued(ctx, x,x)) break; /* If we were passed a cert chain, use it first */ if (ctx->untrusted != NULL) { - xtmp=X509_find_by_subject(sktmp,xn); + xtmp=find_issuer(ctx, sktmp,x); if (xtmp != NULL) { if (!sk_X509_push(ctx->chain,xtmp)) @@ -183,11 +183,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx) * certificates. We now need to add at least one trusted one, * if possible, otherwise we complain. */ + /* Examine last certificate in chain and see if it + * is self signed. + */ + i=sk_X509_num(ctx->chain); x=sk_X509_value(ctx->chain,i-1); xn = X509_get_subject_name(x); - if (X509_NAME_cmp(xn,X509_get_issuer_name(x)) - == 0) + if (ctx->check_issued(ctx, x, x)) { /* we have a self signed certificate */ if (sk_X509_num(ctx->chain) == 1) @@ -196,13 +199,13 @@ int X509_verify_cert(X509_STORE_CTX *ctx) * we can find it in the store. We must have an exact * match to avoid possible impersonation. */ - ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj); - if ((ok != X509_LU_X509) || X509_cmp(x, obj.data.x509)) + ok = ctx->get_issuer(&xtmp, ctx, x); + if ((ok <= 0) || X509_cmp(x, xtmp)) { ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; ctx->current_cert=x; ctx->error_depth=i-1; - if(ok == X509_LU_X509) X509_OBJECT_free_contents(&obj); + if(ok == 1) X509_free(xtmp); ok=cb(0,ctx); if (!ok) goto end; } @@ -212,14 +215,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx) * so we get any trust settings. */ X509_free(x); - x = obj.data.x509; + x = xtmp; sk_X509_set(ctx->chain, i - 1, x); ctx->last_untrusted=0; } } else { - /* worry more about this one elsewhere */ + /* extract and save self signed certificate for later use */ chain_ss=sk_X509_pop(ctx->chain); ctx->last_untrusted--; num--; @@ -235,30 +238,17 @@ int X509_verify_cert(X509_STORE_CTX *ctx) /* If we are self signed, we break */ xn=X509_get_issuer_name(x); - if (X509_NAME_cmp(X509_get_subject_name(x),xn) == 0) - break; + if (ctx->check_issued(ctx,x,x)) break; - ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj); - if (ok != X509_LU_X509) - { - if (ok == X509_LU_RETRY) - { - X509_OBJECT_free_contents(&obj); - X509err(X509_F_X509_VERIFY_CERT,X509_R_SHOULD_RETRY); - return(ok); - } - else if (ok != X509_LU_FAIL) - { - X509_OBJECT_free_contents(&obj); - /* not good :-(, break anyway */ - return(ok); - } - break; - } - x=obj.data.x509; - if (!sk_X509_push(ctx->chain,obj.data.x509)) + ok = ctx->get_issuer(&xtmp, ctx, x); + + if (ok < 0) return ok; + if(ok == 0) break; + + x = xtmp; + if (!sk_X509_push(ctx->chain,x)) { - X509_OBJECT_free_contents(&obj); + X509_free(xtmp); X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); return(0); } @@ -267,9 +257,11 @@ int X509_verify_cert(X509_STORE_CTX *ctx) /* we now have our chain, lets check it... */ xn=X509_get_issuer_name(x); - if (X509_NAME_cmp(X509_get_subject_name(x),xn) != 0) + + /* Is last certificate looked up self signed? */ + if (!ctx->check_issued(ctx,x,x)) { - if ((chain_ss == NULL) || (X509_NAME_cmp(X509_get_subject_name(chain_ss),xn) != 0)) + if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) { if (ctx->last_untrusted >= num) ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; @@ -308,8 +300,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx) X509_get_pubkey_parameters(NULL,ctx->chain); /* At this point, we have a chain and just need to verify it */ - if (ctx->ctx->verify != NULL) - ok=ctx->ctx->verify(ctx); + if (ctx->verify != NULL) + ok=ctx->verify(ctx); else ok=internal_verify(ctx); if (0) @@ -322,6 +314,51 @@ end: return(ok); } + +/* Given a STACK_OF(X509) find the issuer of cert (if any) + */ + +static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) +{ + int i; + X509 *issuer; + for(i = 0; i < sk_X509_num(sk); i++) { + issuer = sk_X509_value(sk, i); + if(ctx->check_issued(ctx, x, issuer)) return issuer; + } + return NULL; +} + +/* Given a possible certificate and issuer check them */ + +static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) +{ + int ret; + ret = X509_check_issued(issuer, x); + if(ret == X509_V_OK) return 1; + else { + ctx->error = ret; + ctx->current_cert = x; + ctx->current_issuer = issuer; + if(ctx->flags & X509_V_FLAG_CB_ISSUER_CHECK) + return ctx->verify_cb(0, ctx); + else return 0; + } + return 0; +} + +/* Alternative lookup method: look from a STACK stored in other_ctx */ + +static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) +{ + *issuer = find_issuer(ctx, ctx->other_ctx, x); + if(*issuer) { + CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509); + return 1; + } else return 0; +} + + /* Check a certificate chains extensions for consistency * with the supplied purpose */ @@ -334,7 +371,7 @@ static int check_chain_purpose(X509_STORE_CTX *ctx) int i, ok=0; X509 *x; int (*cb)(); - cb=ctx->ctx->verify_cb; + cb=ctx->verify_cb; if (cb == NULL) cb=null_callback; /* Check all untrusted certificates */ for(i = 0; i < ctx->last_untrusted; i++) { @@ -371,7 +408,7 @@ static int check_trust(X509_STORE_CTX *ctx) int i, ok; X509 *x; int (*cb)(); - cb=ctx->ctx->verify_cb; + cb=ctx->verify_cb; if (cb == NULL) cb=null_callback; /* For now just check the last certificate in the chain */ i = sk_X509_num(ctx->chain) - 1; @@ -394,7 +431,7 @@ static int internal_verify(X509_STORE_CTX *ctx) EVP_PKEY *pkey=NULL; int (*cb)(); - cb=ctx->ctx->verify_cb; + cb=ctx->verify_cb; if (cb == NULL) cb=null_callback; n=sk_X509_num(ctx->chain); @@ -629,76 +666,6 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) return(1); } -int X509_STORE_add_cert(X509_STORE *ctx, X509 *x) - { - X509_OBJECT *obj,*r; - int ret=1; - - if (x == NULL) return(0); - obj=(X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT)); - if (obj == NULL) - { - X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE); - return(0); - } - obj->type=X509_LU_X509; - obj->data.x509=x; - - CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); - - X509_OBJECT_up_ref_count(obj); - - r=(X509_OBJECT *)lh_insert(ctx->certs,obj); - if (r != NULL) - { /* oops, put it back */ - lh_delete(ctx->certs,obj); - X509_OBJECT_free_contents(obj); - OPENSSL_free(obj); - lh_insert(ctx->certs,r); - X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE); - ret=0; - } - - CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); - - return(ret); - } - -int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x) - { - X509_OBJECT *obj,*r; - int ret=1; - - if (x == NULL) return(0); - obj=(X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT)); - if (obj == NULL) - { - X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE); - return(0); - } - obj->type=X509_LU_CRL; - obj->data.crl=x; - - CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); - - X509_OBJECT_up_ref_count(obj); - - r=(X509_OBJECT *)lh_insert(ctx->certs,obj); - if (r != NULL) - { /* oops, put it back */ - lh_delete(ctx->certs,obj); - X509_OBJECT_free_contents(obj); - OPENSSL_free(obj); - lh_insert(ctx->certs,r); - X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE); - ret=0; - } - - CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); - - return(ret); - } - int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) { @@ -828,6 +795,65 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, return 1; } +X509_STORE_CTX *X509_STORE_CTX_new(void) +{ + X509_STORE_CTX *ctx; + ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX)); + if(ctx) memset(ctx, 0, sizeof(X509_STORE_CTX)); + return ctx; +} + +void X509_STORE_CTX_free(X509_STORE_CTX *ctx) +{ + X509_STORE_CTX_cleanup(ctx); + OPENSSL_free(ctx); +} + +void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, + STACK_OF(X509) *chain) + { + ctx->ctx=store; + ctx->current_method=0; + ctx->cert=x509; + ctx->untrusted=chain; + ctx->last_untrusted=0; + ctx->purpose=0; + ctx->trust=0; + ctx->valid=0; + ctx->chain=NULL; + ctx->depth=9; + ctx->error=0; + ctx->current_cert=NULL; + ctx->current_issuer=NULL; + ctx->check_issued = check_issued; + ctx->get_issuer = X509_STORE_CTX_get1_issuer; + ctx->verify_cb = store->verify_cb; + ctx->verify = store->verify; + ctx->cleanup = NULL; + memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); + } + +/* Set alternative lookup method: just a STACK of trusted certificates. + * This avoids X509_STORE nastiness where it isn't needed. + */ + +void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) +{ + ctx->other_ctx = sk; + ctx->get_issuer = get_issuer_sk; +} + +void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) + { + if(ctx->cleanup) ctx->cleanup(ctx); + if (ctx->chain != NULL) + { + sk_X509_pop_free(ctx->chain,X509_free); + ctx->chain=NULL; + } + CRYPTO_free_ex_data(x509_store_ctx_method,ctx,&(ctx->ex_data)); + memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA)); + } IMPLEMENT_STACK_OF(X509) IMPLEMENT_ASN1_SET_OF(X509) diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h index cc0bd3dbc2..71d56bb6dc 100644 --- a/crypto/x509/x509_vfy.h +++ b/crypto/x509/x509_vfy.h @@ -131,6 +131,7 @@ typedef struct x509_object_st typedef struct x509_lookup_st X509_LOOKUP; DECLARE_STACK_OF(X509_LOOKUP) +DECLARE_STACK_OF(X509_OBJECT) /* This is a static that defines the function interface */ typedef struct x509_lookup_method_st @@ -162,11 +163,7 @@ typedef struct x509_store_st { /* The following is a cache of trusted certs */ int cache; /* if true, stash any hits */ -#ifndef NO_LHASH - LHASH *certs; /* cached certs; */ -#else - char *certs; -#endif + STACK_OF(X509_OBJECT) *objs; /* Cache of all objects */ /* These are external lookup methods */ STACK_OF(X509_LOOKUP) *get_cert_methods; @@ -194,7 +191,7 @@ struct x509_lookup_st X509_STORE *store_ctx; /* who owns us */ }; -/* This is a temporary used when processing cert chains. Since the +/* This is a used when verifying cert chains. Since the * gathering of the cert chain can take some time (and have to be * 'retried', this needs to be kept and passed around. */ struct x509_store_state_st /* X509_STORE_CTX */ @@ -207,6 +204,16 @@ struct x509_store_state_st /* X509_STORE_CTX */ STACK_OF(X509) *untrusted; /* chain of X509s - untrusted - passed in */ int purpose; /* purpose to check untrusted certificates */ int trust; /* trust setting to check */ + time_t check_time; /* time to make verify at */ + unsigned long flags; /* Various verify flags */ + void *other_ctx; /* Other info for use with get_issuer() */ + + /* Callbacks for various operations */ + int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */ + int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */ + int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */ + int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */ + int (*cleanup)(X509_STORE_CTX *ctx); /* The following is built up */ int depth; /* how far to go looking up certs */ @@ -218,6 +225,7 @@ struct x509_store_state_st /* X509_STORE_CTX */ int error_depth; int error; X509 *current_cert; + X509 *current_issuer; /* cert currently being tested as valid issuer */ CRYPTO_EX_DATA ex_data; }; @@ -268,10 +276,20 @@ struct x509_store_state_st /* X509_STORE_CTX */ #define X509_V_ERR_INVALID_PURPOSE 26 #define X509_V_ERR_CERT_UNTRUSTED 27 #define X509_V_ERR_CERT_REJECTED 28 +/* These are 'informational' when looking for issuer cert */ +#define X509_V_ERR_SUBJECT_ISSUER_MISMATCH 29 +#define X509_V_ERR_AKID_SKID_MISMATCH 30 +#define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31 +#define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32 /* The application is not happy */ #define X509_V_ERR_APPLICATION_VERIFICATION 50 +/* Certificate verify flags */ + +#define X509_V_FLAG_CB_ISSUER_CHECK 0x1 /* Send issuer+subject checks to verify_cb */ +#define X509_V_FLAG_USE_CHECK_TIME 0x2 /* Use check time instead of current time */ + /* These functions are being redefined in another directory, and clash when the linker is case-insensitive, so let's hide them a little, by giving them an extra 'o' at the @@ -287,18 +305,23 @@ struct x509_store_state_st /* X509_STORE_CTX */ #define X509v3_add_standard_extensions oX509v3_add_standard_extensions #endif -#ifndef NO_LHASH -X509_OBJECT *X509_OBJECT_retrieve_by_subject(LHASH *h,int type,X509_NAME *name); -#endif +int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, + X509_NAME *name); +X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h,int type,X509_NAME *name); +X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x); void X509_OBJECT_up_ref_count(X509_OBJECT *a); void X509_OBJECT_free_contents(X509_OBJECT *a); X509_STORE *X509_STORE_new(void ); void X509_STORE_free(X509_STORE *v); X509_STORE_CTX *X509_STORE_CTX_new(void); + +int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); + void X509_STORE_CTX_free(X509_STORE_CTX *ctx); void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, STACK_OF(X509) *chain); +void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk); void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx); X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m); |