+/* Check CRL times against values in X509_STORE_CTX */
+
+static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
+ {
+ time_t *ptime;
+ int i;
+ ctx->current_crl = crl;
+ if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
+ ptime = &ctx->param->check_time;
+ else
+ ptime = NULL;
+
+ i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
+ if (i == 0)
+ {
+ ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
+ if (!notify || !ctx->verify_cb(0, ctx))
+ return 0;
+ }
+
+ if (i > 0)
+ {
+ ctx->error=X509_V_ERR_CRL_NOT_YET_VALID;
+ if (!notify || !ctx->verify_cb(0, ctx))
+ return 0;
+ }
+
+ if(X509_CRL_get_nextUpdate(crl))
+ {
+ i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
+
+ if (i == 0)
+ {
+ ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
+ if (!notify || !ctx->verify_cb(0, ctx))
+ return 0;
+ }
+
+ if (i < 0)
+ {
+ ctx->error=X509_V_ERR_CRL_HAS_EXPIRED;
+ if (!notify || !ctx->verify_cb(0, ctx))
+ return 0;
+ }
+ }
+
+ ctx->current_crl = NULL;
+
+ return 1;
+ }
+
+/* Based on a set of possible CRLs decide which one is best suited
+ * to handle the current certificate. This is determined by a number
+ * of criteria. If any of the "must" criteria is not satisfied then
+ * the candidate CRL is rejected. If all "must" and all "should" are
+ * satisfied the CRL is accepted. If no CRL satisfies all criteria then
+ * a "best CRL" is used to provide some meaningful error information.
+ *
+ * CRL issuer name must match "nm" if not NULL.
+ * If IDP is present:
+ * a. it must be consistent.
+ * b. onlyuser, onlyCA, onlyAA should match certificate being checked.
+ * c. indirectCRL must be FALSE.
+ * d. onlysomereason must be absent.
+ * e. if name present a DP in certificate CRLDP must match.
+ * If AKID present it should match certificate AKID.
+ * Check time should fall between lastUpdate and nextUpdate.
+ */
+
+/* IDP name field matches CRLDP or IDP name not present */
+#define CRL_SCORE_SCOPE 4
+/* AKID present and matches cert, or AKID not present */
+#define CRL_SCORE_AKID 2
+/* times OK */
+#define CRL_SCORE_TIME 1
+
+#define CRL_SCORE_ALL 7
+
+/* IDP flags which cause a CRL to be rejected */
+
+#define IDP_REJECT (IDP_INVALID|IDP_INDIRECT|IDP_REASONS)
+
+static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl,
+ X509_NAME *nm, STACK_OF(X509_CRL) *crls)
+ {
+ int i, crl_score, best_score = -1;
+ X509_CRL *crl, *best_crl = NULL;
+ for (i = 0; i < sk_X509_CRL_num(crls); i++)
+ {
+ crl_score = 0;
+ crl = sk_X509_CRL_value(crls, i);
+ if (nm && X509_NAME_cmp(nm, X509_CRL_get_issuer(crl)))
+ continue;
+ if (check_crl_time(ctx, crl, 0))
+ crl_score |= CRL_SCORE_TIME;
+
+ if (crl->idp_flags & IDP_PRESENT)
+ {
+ if (crl->idp_flags & IDP_REJECT)
+ continue;
+ if (idp_check_scope(ctx->current_cert, crl))
+ crl_score |= CRL_SCORE_SCOPE;
+ }
+ else
+ crl_score |= CRL_SCORE_SCOPE;
+
+ if (crl->akid)
+ {
+ if (crl_akid_check(ctx, crl->akid))
+ crl_score |= CRL_SCORE_AKID;
+ }
+ else
+ crl_score |= CRL_SCORE_AKID;
+
+ if (crl_score == CRL_SCORE_ALL)
+ {
+ *pcrl = crl;
+ CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509_CRL);
+ return 1;
+ }
+
+ if (crl_score > best_score)
+ {
+ best_crl = crl;
+ best_score = crl_score;
+ }
+ }
+ if (best_crl)
+ {
+ *pcrl = best_crl;
+ CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509);
+ }
+
+ return 0;
+ }
+
+static int crl_akid_check(X509_STORE_CTX *ctx, AUTHORITY_KEYID *akid)
+ {
+ int cidx = ctx->error_depth;
+ if (cidx != sk_X509_num(ctx->chain) - 1)
+ cidx++;
+ if (X509_check_akid(sk_X509_value(ctx->chain, cidx), akid) == X509_V_OK)
+ return 1;
+ return 0;
+ }
+
+
+/* Check IDP name matches at least one CRLDP name */
+
+static int idp_check_scope(X509 *x, X509_CRL *crl)
+ {
+ int i, j, k;
+ GENERAL_NAMES *inames, *dnames;
+ if (crl->idp_flags & IDP_ONLYATTR)
+ return 0;
+ if (x->ex_flags & EXFLAG_CA)
+ {
+ if (crl->idp_flags & IDP_ONLYUSER)
+ return 0;
+ }
+ else
+ {
+ if (crl->idp_flags & IDP_ONLYCA)
+ return 0;
+ }
+ if (!crl->idp->distpoint)
+ return 1;
+ if (crl->idp->distpoint->type != 0)
+ return 1;
+ if (!x->crldp)
+ return 0;
+ inames = crl->idp->distpoint->name.fullname;
+ for (i = 0; i < sk_GENERAL_NAME_num(inames); i++)
+ {
+ GENERAL_NAME *igen = sk_GENERAL_NAME_value(inames, i);
+ for (j = 0; j < sk_DIST_POINT_num(x->crldp); j++)
+ {
+ DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, j);
+ /* We don't handle these at present */
+ if (dp->reasons || dp->CRLissuer)
+ continue;
+ if (!dp->distpoint || (dp->distpoint->type != 0))
+ continue;
+ dnames = dp->distpoint->name.fullname;
+ for (k = 0; k < sk_GENERAL_NAME_num(dnames); k++)
+ {
+ GENERAL_NAME *cgen =
+ sk_GENERAL_NAME_value(dnames, k);
+ if (!GENERAL_NAME_cmp(igen, cgen))
+ return 1;
+ }
+ }
+ }
+ return 0;
+ }
+
+/* Retrieve CRL corresponding to current certificate. Currently only
+ * one CRL is retrieved. Multiple CRLs may be needed if we handle
+ * CRLs partitioned on reason code later.