int X509_verify_cert(X509_STORE_CTX *ctx)
{
X509 *x,*xtmp,*chain_ss=NULL;
- X509_NAME *xn;
int bad_chain = 0;
X509_VERIFY_PARAM *param = ctx->param;
int depth,i,ok=0;
*/
/* If we are self signed, we break */
- xn=X509_get_issuer_name(x);
if (ctx->check_issued(ctx, x,x)) break;
/* If we were passed a cert chain, use it first */
i=sk_X509_num(ctx->chain);
x=sk_X509_value(ctx->chain,i-1);
- xn = X509_get_subject_name(x);
if (ctx->check_issued(ctx, x, x))
{
/* we have a self signed certificate */
if (depth < num) break;
/* If we are self signed, we break */
- xn=X509_get_issuer_name(x);
if (ctx->check_issued(ctx,x,x)) break;
ok = ctx->get_issuer(&xtmp, ctx, x);
}
/* we now have our chain, lets check it... */
- xn=X509_get_issuer_name(x);
/* Is last certificate looked up self signed? */
if (!ctx->check_issued(ctx,x,x))
if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
last = sk_X509_num(ctx->chain) - 1;
else
+ {
+ /* If checking CRL paths this isn't the EE certificate */
+ if (ctx->parent)
+ return 1;
last = 0;
+ }
for(i = 0; i <= last; i++)
{
ctx->error_depth = i;
x = sk_X509_value(ctx->chain, cnum);
ctx->current_cert = x;
ctx->current_issuer = NULL;
+ ctx->current_crl_score = 0;
ctx->current_reasons = 0;
while (ctx->current_reasons != CRLDP_ALL_REASONS)
{
STACK_OF(X509_CRL) *crls)
{
int i, crl_score, best_score = *pscore;
- unsigned int reasons, best_reasons;
+ unsigned int reasons, best_reasons = 0;
X509 *x = ctx->current_cert;
X509_CRL *crl, *best_crl = NULL;
- X509 *crl_issuer, *best_crl_issuer = NULL;
+ X509 *crl_issuer = NULL, *best_crl_issuer = NULL;
+
for (i = 0; i < sk_X509_CRL_num(crls); i++)
{
crl = sk_X509_CRL_value(crls, i);
/* Verify CRL issuer */
ret = X509_verify_cert(&crl_ctx);
- if (!ret)
+ if (ret <= 0)
goto err;
/* Check chain is acceptable */
if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH))
{
- if (!check_crl_path(ctx, ctx->current_issuer))
+ if (check_crl_path(ctx, ctx->current_issuer) <= 0)
{
ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
ok = ctx->verify_cb(0, ctx);
while (n >= 0)
{
ctx->error_depth=n;
- if (!xs->valid)
+
+ /* Skip signature check for self signed certificates unless
+ * explicitly asked for. It doesn't add any security and
+ * just wastes time.
+ */
+ if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)))
{
if ((pkey=X509_get_pubkey(xi)) == NULL)
{
if (!ok) goto end;
}
else if (X509_verify(xs,pkey) <= 0)
- /* XXX For the final trusted self-signed cert,
- * this is a waste of time. That check should
- * optional so that e.g. 'openssl x509' can be
- * used to detect invalid self-signatures, but
- * we don't verify again and again in SSL
- * handshakes and the like once the cert has
- * been declared trusted. */
{
ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
ctx->current_cert=xs;
offset= -offset;
}
atm.type=ctm->type;
+ atm.flags = 0;
atm.length=sizeof(buff2);
atm.data=(unsigned char *)buff2;
- if (X509_time_adj(&atm,-offset*60, cmp_time) == NULL)
+ if (X509_time_adj(&atm, offset*60, cmp_time) == NULL)
return 0;
if (ctm->type == V_ASN1_UTCTIME)
return X509_time_adj(s, adj, NULL);
}
-ASN1_TIME *X509_time_adj(ASN1_TIME *s, long adj, time_t *in_tm)
+ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
+ {
+ return X509_time_adj_ex(s, 0, offset_sec, in_tm);
+ }
+
+ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
+ int offset_day, long offset_sec, time_t *in_tm)
{
time_t t;
- int type = -1;
if (in_tm) t = *in_tm;
else time(&t);
- t+=adj;
- if (s) type = s->type;
- if (type == V_ASN1_UTCTIME) return ASN1_UTCTIME_set(s,t);
- if (type == V_ASN1_GENERALIZEDTIME) return ASN1_GENERALIZEDTIME_set(s, t);
- return ASN1_TIME_set(s, t);
+ if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING))
+ {
+ if (s->type == V_ASN1_UTCTIME)
+ return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec);
+ if (s->type == V_ASN1_GENERALIZEDTIME)
+ return ASN1_GENERALIZEDTIME_adj(s, t, offset_day,
+ offset_sec);
+ }
+ return ASN1_TIME_adj(s, t, offset_day, offset_sec);
}
int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
return chain;
}
+X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
+ {
+ return ctx->current_issuer;
+ }
+
+X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
+ {
+ return ctx->current_crl;
+ }
+
+X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
+ {
+ return ctx->parent;
+ }
+
void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
{
ctx->cert=x;
ctx->error_depth=0;
ctx->current_cert=NULL;
ctx->current_issuer=NULL;
+ ctx->current_crl=NULL;
+ ctx->current_crl_score=0;
+ ctx->current_reasons=0;
ctx->tree = NULL;
ctx->parent = NULL;
if (store)
ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
else
- ctx->param->flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
+ ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
if (store)
{