static int check_revocation(X509_STORE_CTX *ctx);
static int check_cert(X509_STORE_CTX *ctx);
static int check_policy(X509_STORE_CTX *ctx);
-static int crl_akid_check(X509_STORE_CTX *ctx, AUTHORITY_KEYID *akid);
+static int crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer);
static int idp_check_scope(X509 *x, X509_CRL *crl);
static int internal_verify(X509_STORE_CTX *ctx);
const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT;
*/
X509_free(x);
x = xtmp;
- sk_X509_set(ctx->chain, i - 1, x);
+ (void)sk_X509_set(ctx->chain, i - 1, x);
ctx->last_untrusted=0;
}
}
#ifdef OPENSSL_NO_CHAIN_VERIFY
return 1;
#else
- int i, ok=0, must_be_ca;
+ int i, ok=0, must_be_ca, plen = 0;
X509 *x;
int (*cb)(int xok,X509_STORE_CTX *xctx);
int proxy_path_length = 0;
if (!ok) goto end;
}
}
- /* Check pathlen */
- if ((i > 1) && (x->ex_pathlen != -1)
- && (i > (x->ex_pathlen + proxy_path_length + 1)))
+ /* Check pathlen if not self issued */
+ if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
+ && (x->ex_pathlen != -1)
+ && (plen > (x->ex_pathlen + proxy_path_length + 1)))
{
ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
ctx->error_depth = i;
ok=cb(0,ctx);
if (!ok) goto end;
}
+ /* Increment path length if not self issued */
+ if (!(x->ex_flags & EXFLAG_SI))
+ plen++;
/* If this certificate is a proxy certificate, the next
certificate must be another proxy certificate or a EE
certificate. If not, the next certificate must be a
cnum = ctx->error_depth;
x = sk_X509_value(ctx->chain, cnum);
ctx->current_cert = x;
+ ctx->current_issuer = NULL;
/* Try to retrieve relevant CRL */
ok = ctx->get_crl(ctx, &crl, x);
/* If error looking up CRL, nothing we can do except
{
int i, crl_score, best_score = -1;
X509_CRL *crl, *best_crl = NULL;
+ X509 *crl_issuer, *best_crl_issuer = NULL;
for (i = 0; i < sk_X509_CRL_num(crls); i++)
{
crl_score = 0;
+ crl_issuer = NULL;
crl = sk_X509_CRL_value(crls, i);
if (nm && X509_NAME_cmp(nm, X509_CRL_get_issuer(crl)))
continue;
else
crl_score |= CRL_SCORE_SCOPE;
- if (crl->akid)
- {
- if (crl_akid_check(ctx, crl->akid))
- crl_score |= CRL_SCORE_AKID;
- }
- else
+ if (crl_akid_check(ctx, crl, &crl_issuer))
crl_score |= CRL_SCORE_AKID;
-
- if (crl_score == CRL_SCORE_ALL)
+ /* If CRL matches criteria and issuer is not different use it */
+ if (crl_score == CRL_SCORE_ALL && !crl_issuer)
{
*pcrl = crl;
CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509_CRL);
if (crl_score > best_score)
{
best_crl = crl;
+ best_crl_issuer = crl_issuer;
best_score = crl_score;
}
}
if (best_crl)
{
*pcrl = best_crl;
+ ctx->current_issuer = best_crl_issuer;
CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509);
}
-
+
return 0;
}
-static int crl_akid_check(X509_STORE_CTX *ctx, AUTHORITY_KEYID *akid)
+static int crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer)
{
+ X509 *crl_issuer;
int cidx = ctx->error_depth;
+ if (!crl->akid)
+ return 1;
if (cidx != sk_X509_num(ctx->chain) - 1)
cidx++;
- if (X509_check_akid(sk_X509_value(ctx->chain, cidx), akid) == X509_V_OK)
+ crl_issuer = sk_X509_value(ctx->chain, cidx);
+ if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
return 1;
+ /* If crl_issuer is self issued we may get a match further along the
+ * chain.
+ */
+ if (crl_issuer->ex_flags & EXFLAG_SI)
+ {
+ for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++)
+ {
+ crl_issuer = sk_X509_value(ctx->chain, cidx);
+ if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
+ {
+ *pissuer = crl_issuer;
+ return 1;
+ }
+ if (!(crl_issuer->ex_flags & EXFLAG_SI))
+ break;
+ }
+ }
+
return 0;
}
+/* Check for match between two dist point names: three separate cases.
+ * 1. Both are relative names and compare X509_NAME types.
+ * 2. One full, one relative. Compare X509_NAME to GENERAL_NAMES.
+ * 3. Both are full names and compare two GENERAL_NAMES.
+ */
+
+
+static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
+ {
+ X509_NAME *nm = NULL;
+ GENERAL_NAMES *gens = NULL;
+ GENERAL_NAME *gena, *genb;
+ int i, j;
+ if (a->type == 1)
+ {
+ if (!a->dpname)
+ return 0;
+ /* Case 1: two X509_NAME */
+ if (b->type == 1)
+ {
+ if (!b->dpname)
+ return 0;
+ if (!X509_NAME_cmp(a->dpname, b->dpname))
+ return 1;
+ else
+ return 0;
+ }
+ /* Case 2: set name and GENERAL_NAMES appropriately */
+ nm = a->dpname;
+ gens = b->name.fullname;
+ }
+ else if (b->type == 1)
+ {
+ if (!b->dpname)
+ return 0;
+ /* Case 2: set name and GENERAL_NAMES appropriately */
+ gens = a->name.fullname;
+ nm = b->dpname;
+ }
+
+ /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
+ if (nm)
+ {
+ for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
+ {
+ gena = sk_GENERAL_NAME_value(gens, i);
+ if (gena->type != GEN_DIRNAME)
+ continue;
+ if (!X509_NAME_cmp(nm, gena->d.directoryName))
+ return 1;
+ }
+ return 0;
+ }
+
+ /* Else case 3: two GENERAL_NAMES */
+
+ for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++)
+ {
+ gena = sk_GENERAL_NAME_value(a->name.fullname, i);
+ for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++)
+ {
+ genb = sk_GENERAL_NAME_value(b->name.fullname, j);
+ if (!GENERAL_NAME_cmp(gena, genb))
+ return 1;
+ }
+ }
+
+ return 0;
+
+ }
/* Check IDP name matches at least one CRLDP name */
static int idp_check_scope(X509 *x, X509_CRL *crl)
{
- int i, j, k;
- GENERAL_NAMES *inames, *dnames;
+ int i;
if (crl->idp_flags & IDP_ONLYATTR)
return 0;
if (x->ex_flags & EXFLAG_CA)
}
if (!crl->idp->distpoint)
return 1;
- if (crl->idp->distpoint->type != 0)
- return 1;
if (!x->crldp)
return 0;
- inames = crl->idp->distpoint->name.fullname;
- for (i = 0; i < sk_GENERAL_NAME_num(inames); i++)
+ for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
{
- GENERAL_NAME *igen = sk_GENERAL_NAME_value(inames, i);
- for (j = 0; j < sk_DIST_POINT_num(x->crldp); j++)
- {
- DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, j);
- /* We don't handle these at present */
- if (dp->reasons || dp->CRLissuer)
- continue;
- if (!dp->distpoint || (dp->distpoint->type != 0))
- continue;
- dnames = dp->distpoint->name.fullname;
- for (k = 0; k < sk_GENERAL_NAME_num(dnames); k++)
- {
- GENERAL_NAME *cgen =
- sk_GENERAL_NAME_value(dnames, k);
- if (!GENERAL_NAME_cmp(igen, cgen))
- return 1;
- }
- }
+ DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
+ /* We don't handle these at present */
+ if (dp->reasons || dp->CRLissuer)
+ continue;
+ if (idp_check_dp(dp->distpoint, crl->idp->distpoint))
+ return 1;
}
return 0;
}
int ok = 0, chnum, cnum;
cnum = ctx->error_depth;
chnum = sk_X509_num(ctx->chain) - 1;
- /* Find CRL issuer: if not last certificate then issuer
+ /* if we have an alternative CRL issuer cert use that */
+ if (ctx->current_issuer)
+ issuer = ctx->current_issuer;
+ /* Else find CRL issuer: if not last certificate then issuer
* is next certificate in chain.
*/
- if(cnum < chnum)
+ else if (cnum < chnum)
issuer = sk_X509_value(ctx->chain, cnum + 1);
else
{