From 0930251df814f3993bf2c598761e0c7c6d0d62a2 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sat, 24 May 2014 23:55:19 +0100 Subject: Don't use expired certificates if possible. When looking for the issuer of a certificate, if current candidate is expired, continue looking. Only return an expired certificate if no valid certificates are found. PR#3359 --- crypto/x509/x509_lu.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) (limited to 'crypto/x509/x509_lu.c') diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c index cce90848a2..79281c6bdb 100644 --- a/crypto/x509/x509_lu.c +++ b/crypto/x509/x509_lu.c @@ -61,6 +61,7 @@ #include #include #include +#include "x509_lcl.h" X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method) { @@ -639,6 +640,7 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) X509_NAME *xn; X509_OBJECT obj, *pobj; int i, ok, idx, ret; + *issuer = NULL; xn=X509_get_issuer_name(x); ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj); if (ok != X509_LU_X509) @@ -660,8 +662,11 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) /* If certificate matches all OK */ if (ctx->check_issued(ctx, x, obj.data.x509)) { - *issuer = obj.data.x509; - return 1; + if (x509_check_cert_time(ctx, obj.data.x509, 1)) + { + *issuer = obj.data.x509; + return 1; + } } X509_OBJECT_free_contents(&obj); @@ -683,13 +688,22 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) if (ctx->check_issued(ctx, x, pobj->data.x509)) { *issuer = pobj->data.x509; - X509_OBJECT_up_ref_count(pobj); ret = 1; - break; + /* + * If times check, exit with match, + * otherwise keep looking. Leave last + * match in issuer so we return nearest + * match if no certificate time is OK. + */ + + if (x509_check_cert_time(ctx, *issuer, 1)) + break; } } } CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); + if (*issuer) + CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509); return ret; } -- cgit v1.2.3