X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=crypto%2Focsp%2Focsp_vfy.c;h=214b4020fee79aa9cbca456a48097ac263073551;hp=be9bf5b0f0720df4a058a9ed0aa01acf0a0b1947;hb=ec40e5ff4233bc1d931f13103591d44b420de2d9;hpb=2e5975285e2b65261ce780fa3f5744277b66db34 diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c index be9bf5b0f0..214b4020fe 100644 --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c @@ -77,8 +77,10 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, { X509 *signer, *x; STACK_OF(X509) *chain = NULL; + STACK_OF(X509) *tmpchain = NULL; + X509_STORE *tmpstore = NULL; X509_STORE_CTX ctx; - int i, ret = 0; + int i, ret; ret = ocsp_find_signer(&signer, bs, certs, st, flags); if (!ret) { @@ -86,7 +88,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, goto end; } if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) - flags |= OCSP_NOVERIFY; + chain = certs; if (!(flags & OCSP_NOSIGS)) { EVP_PKEY *skey; @@ -102,28 +104,85 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, if (!(flags & OCSP_NOVERIFY)) { int init_res; + + /* If we trust the signer, we don't need to build a chain. + * (If the signer is a root certificate, X509_verify_cert() + * would fail anyway!) + */ + if (chain == certs) goto verified_chain; + + /* If we trust some "other" certificates, mark them as + * explicitly trusted (because some of them might be + * Intermediate CA Certificates), put them in a store and + * attempt to build a trusted chain. + */ + if ((flags & OCSP_TRUSTOTHER) && (certs != NULL)) + { + ASN1_OBJECT *objtmp = OBJ_nid2obj(NID_OCSP_sign); + tmpstore = X509_STORE_new(); + if (!tmpstore) + { + ret = -1; + OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE); + goto end; + } + for (i = 0; i < sk_X509_num(certs); i++) + { + X509 *xother = sk_X509_value(certs, i); + X509_add1_trust_object(xother, objtmp); + if (!X509_STORE_add_cert(tmpstore, xother)) + { + ret = -1; + goto end; + } + } + + init_res = X509_STORE_CTX_init(&ctx, tmpstore, signer, NULL); + if (!init_res) + { + ret = -1; + OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB); + goto end; + } + X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER); + ret = X509_verify_cert(&ctx); + if (ret == 1) + { + chain = tmpchain = X509_STORE_CTX_get1_chain(&ctx); + X509_STORE_CTX_cleanup(&ctx); + goto verified_chain; + } + X509_STORE_CTX_cleanup(&ctx); + } + + /* Attempt to build a chain up to a Root Certificate in the + * trust store provided by the caller. + */ if(flags & OCSP_NOCHAIN) init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL); else init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs); if(!init_res) { + ret = -1; OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB); goto end; } X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER); ret = X509_verify_cert(&ctx); - chain = X509_STORE_CTX_get1_chain(&ctx); + chain = tmpchain = X509_STORE_CTX_get1_chain(&ctx); X509_STORE_CTX_cleanup(&ctx); - if (ret <= 0) + if (ret <= 0) { i = X509_STORE_CTX_get_error(&ctx); OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR); ERR_add_error_data(2, "Verify error:", X509_verify_cert_error_string(i)); - goto end; - } + goto end; + } + + verified_chain: if(flags & OCSP_NOCHECKS) { ret = 1; @@ -154,7 +213,8 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, end: - if(chain) sk_X509_pop_free(chain, X509_free); + if(tmpchain) sk_X509_pop_free(tmpchain, X509_free); + if(tmpstore) X509_STORE_free(tmpstore); return ret; } @@ -308,6 +368,8 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, } mdlen = EVP_MD_size(dgst); + if (mdlen < 0) + return -1; if ((cid->issuerNameHash->length != mdlen) || (cid->issuerKeyHash->length != mdlen)) return 0;