From 068fdce877a956e86c2281dd3e0643faca362c5e Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 7 Mar 2000 14:04:29 +0000 Subject: New compatability trust and purpose settings. --- crypto/x509/x509.h | 4 +++- crypto/x509/x509_trs.c | 17 +++++++++-------- crypto/x509/x509_vfy.c | 15 +++++++++++---- 3 files changed, 23 insertions(+), 13 deletions(-) (limited to 'crypto/x509') diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h index d3336d9ceb..0192272e7c 100644 --- a/crypto/x509/x509.h +++ b/crypto/x509/x509.h @@ -284,7 +284,9 @@ DECLARE_STACK_OF(X509_TRUST) /* standard trust ids */ -#define X509_TRUST_ANY 1 +#define X509_TRUST_DEFAULT -1 /* Only valid in purpose settings */ + +#define X509_TRUST_COMPAT 1 #define X509_TRUST_SSL_CLIENT 2 #define X509_TRUST_SSL_SERVER 3 #define X509_TRUST_EMAIL 4 diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c index 9f7d67952d..c779aaf94d 100644 --- a/crypto/x509/x509_trs.c +++ b/crypto/x509/x509_trs.c @@ -65,7 +65,7 @@ static int tr_cmp(X509_TRUST **a, X509_TRUST **b); static void trtable_free(X509_TRUST *p); static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags); -static int trust_any(X509_TRUST *trust, X509 *x, int flags); +static int trust_compat(X509_TRUST *trust, X509 *x, int flags); static int obj_trust(int id, X509 *x, int flags); static int (*default_trust)(int id, X509 *x, int flags) = obj_trust; @@ -76,7 +76,7 @@ static int (*default_trust)(int id, X509 *x, int flags) = obj_trust; */ static X509_TRUST trstandard[] = { -{X509_TRUST_ANY, 0, trust_any, "Any", 0, NULL}, +{X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL}, {X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL}, {X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Client", NID_server_auth, NULL}, {X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL}, @@ -107,8 +107,8 @@ int X509_check_trust(X509 *x, int id, int flags) X509_TRUST *pt; int idx; if(id == -1) return 1; - if(!(idx = X509_TRUST_get_by_id(id))) - return default_trust(id, x, flags); + idx = X509_TRUST_get_by_id(id); + if(idx == -1) return default_trust(id, x, flags); pt = X509_TRUST_get0(idx); return pt->check_trust(pt, x, flags); } @@ -230,6 +230,11 @@ static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags) /* we don't have any trust settings: for compatibility * we return trusted if it is self signed */ + return trust_compat(trust, x, flags); +} + +static int trust_compat(X509_TRUST *trust, X509 *x, int flags) +{ X509_check_purpose(x, -1, 0); if(x->ex_flags & EXFLAG_SS) return X509_TRUST_TRUSTED; else return X509_TRUST_UNTRUSTED; @@ -257,7 +262,3 @@ static int obj_trust(int id, X509 *x, int flags) return X509_TRUST_UNTRUSTED; } -static int trust_any(X509_TRUST *trust, X509 *x, int flags) -{ - return X509_TRUST_TRUSTED; -} diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 8563f65695..3ddb2303d3 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -771,18 +771,25 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, if(!purpose) purpose = def_purpose; /* If we have a purpose then check it is valid */ if(purpose) { + X509_PURPOSE *ptmp; idx = X509_PURPOSE_get_by_id(purpose); if(idx == -1) { X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, X509_R_UNKNOWN_PURPOSE_ID); return 0; } - /* If trust not set then get from purpose default */ - if(!trust) { - X509_PURPOSE *ptmp; + ptmp = X509_PURPOSE_get0(idx); + if(ptmp->trust == X509_TRUST_DEFAULT) { + idx = X509_PURPOSE_get_by_id(def_purpose); + if(idx == -1) { + X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, + X509_R_UNKNOWN_PURPOSE_ID); + return 0; + } ptmp = X509_PURPOSE_get0(idx); - trust = ptmp->trust; } + /* If trust not set then get from purpose default */ + if(!trust) trust = ptmp->trust; } if(trust) { idx = X509_TRUST_get_by_id(trust); -- cgit v1.2.3