Support for AKID in CRLs and partial support for IDP. Overhaul of CRL
authorDr. Stephen Henson <steve@openssl.org>
Thu, 14 Sep 2006 17:25:02 +0000 (17:25 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Thu, 14 Sep 2006 17:25:02 +0000 (17:25 +0000)
handling to support this.

CHANGES
crypto/x509/x509_txt.c
crypto/x509/x509_vfy.c
crypto/x509/x509_vfy.h
crypto/x509v3/v3_purp.c
crypto/x509v3/x509v3.h

diff --git a/CHANGES b/CHANGES
index d205bca..506e8fa 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,18 @@
 
  Changes between 0.9.8d and 0.9.9  [xx XXX xxxx]
 
+  *) Partial support for Issuing Distribution Point CRL extension. CRLs
+     partitioned by DP are handled but no indirect CRL or reason partitioning
+     (yet). Complete overhaul of CRL handling: now the most suitable CRL is
+     selected via a scoring technique which handles IDP and AKID in CRLs.
+     [Steve Henson]
+
+  *) New X509_STORE_CTX callbacks lookup_crls() and lookup_certs() which
+     will ultimately be used for all verify operations: this will remove the
+     X509_STORE dependency on certificate verification and allow alternative
+     lookup methods.  X509_STORE based implementations of these two callbacks.
+     [Steve Henson]
+
   *) Allow multiple CRLs to exist in an X509_STORE with matching issuer names.
      Modify get_crl() to find a valid (unexpired) CRL if possible.
      [Steve Henson]
index 7dd2b76..92f47a0 100644 (file)
@@ -162,6 +162,10 @@ const char *X509_verify_cert_error_string(long n)
                return("invalid or inconsistent certificate policy extension");
        case X509_V_ERR_NO_EXPLICIT_POLICY:
                return("no explicit policy");
+       case X509_V_ERR_DIFFERENT_CRL_SCOPE:
+       return("Different CRL scope");
+       case X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE:
+       return("Unsupported extension feature");
        default:
                BIO_snprintf(buf,sizeof buf,"error number %ld",n);
                return(buf);
index f1f5fb9..2292b27 100644 (file)
@@ -78,6 +78,8 @@ static int check_trust(X509_STORE_CTX *ctx);
 static int check_revocation(X509_STORE_CTX *ctx);
 static int check_cert(X509_STORE_CTX *ctx);
 static int check_policy(X509_STORE_CTX *ctx);
+static int crl_akid_check(X509_STORE_CTX *ctx, AUTHORITY_KEYID *akid);
+static int idp_check_scope(X509 *x, X509_CRL *crl);
 static int internal_verify(X509_STORE_CTX *ctx);
 const char *X509_version="X.509" OPENSSL_VERSION_PTEXT;
 
@@ -649,30 +651,81 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
        return 1;
        }
 
-/* Lookup CRLs from the supplied list. Look for matching isser name
- * and validity. If we can't find a valid CRL return the last one
- * with matching name. This gives more meaningful error codes. Otherwise
- * we'd get a CRL not found error if a CRL existed with matching name but
- * was invalid.
+/* Based on a set of possible CRLs decide which one is best suited
+ * to handle the current certificate. This is determined by a number
+ * of criteria. If any of the "must" criteria is not satisfied then
+ * the candidate CRL is rejected. If all "must" and all "should" are
+ * satisfied the CRL is accepted. If no CRL satisfies all criteria then
+ * a "best CRL" is used to provide some meaningful error information.
+ *
+ * CRL issuer name must match "nm" if not NULL.
+ * If IDP is present:
+ *   a. it must be consistent.
+ *   b. onlyuser, onlyCA, onlyAA should match certificate being checked.
+ *   c. indirectCRL must be FALSE.
+ *   d. onlysomereason must be absent.
+ *   e. if name present a DP in certificate CRLDP must match.
+ * If AKID present it should match certificate AKID.
+ * Check time should fall between lastUpdate and nextUpdate.
  */
 
+/* IDP name field matches CRLDP or IDP name not present */
+#define CRL_SCORE_SCOPE                4
+/* AKID present and matches cert, or AKID not present */
+#define CRL_SCORE_AKID         2
+/* times OK */
+#define CRL_SCORE_TIME         1
+
+#define CRL_SCORE_ALL          7
+
+/* IDP flags which cause a CRL to be rejected */
+
+#define IDP_REJECT     (IDP_INVALID|IDP_INDIRECT|IDP_REASONS)
+
 static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl,
                        X509_NAME *nm, STACK_OF(X509_CRL) *crls)
        {
-       int i;
+       int i, crl_score, best_score = -1;
        X509_CRL *crl, *best_crl = NULL;
        for (i = 0; i < sk_X509_CRL_num(crls); i++)
                {
+               crl_score = 0;
                crl = sk_X509_CRL_value(crls, i);
                if (nm && X509_NAME_cmp(nm, X509_CRL_get_issuer(crl)))
                        continue;
                if (check_crl_time(ctx, crl, 0))
+                       crl_score |= CRL_SCORE_TIME;
+
+               if (crl->idp_flags & IDP_PRESENT)
+                       {
+                       if (crl->idp_flags & IDP_REJECT)
+                               continue;
+                       if (idp_check_scope(ctx->current_cert, crl))
+                               crl_score |= CRL_SCORE_SCOPE;
+                       }
+               else
+                       crl_score |= CRL_SCORE_SCOPE;
+
+               if (crl->akid)
+                       {
+                       if (crl_akid_check(ctx, crl->akid))
+                               crl_score |= CRL_SCORE_AKID;
+                       }
+               else
+                       crl_score |= CRL_SCORE_AKID;
+
+               if (crl_score == CRL_SCORE_ALL)
                        {
                        *pcrl = crl;
                        CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509_CRL);
                        return 1;
                        }
-               best_crl = crl;
+
+               if (crl_score > best_score)
+                       {
+                       best_crl = crl;
+                       best_score = crl_score;
+                       }
                }
        if (best_crl)
                {
@@ -683,9 +736,71 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl,
        return 0;
        }
 
-/* Retrieve CRL corresponding to certificate: currently just a
- * subject lookup: maybe use AKID later...
+static int crl_akid_check(X509_STORE_CTX *ctx, AUTHORITY_KEYID *akid)
+       {
+       int cidx = ctx->error_depth;
+       if (cidx != sk_X509_num(ctx->chain) - 1)
+               cidx++;
+       if (X509_check_akid(sk_X509_value(ctx->chain, cidx), akid) == X509_V_OK)
+               return 1;
+       return 0;
+       }
+
+
+/* Check IDP name matches at least one CRLDP name */
+
+static int idp_check_scope(X509 *x, X509_CRL *crl)
+       {
+       int i, j, k;
+       GENERAL_NAMES *inames, *dnames;
+       if (crl->idp_flags & IDP_ONLYATTR)
+               return 0;
+       if (x->ex_flags & EXFLAG_CA)
+               {
+               if (crl->idp_flags & IDP_ONLYUSER)
+                       return 0;
+               }
+       else
+               {
+               if (crl->idp_flags & IDP_ONLYCA)
+                       return 0;
+               }
+       if (!crl->idp->distpoint)
+               return 1;
+       if (crl->idp->distpoint->type != 0)
+               return 1;
+       if (!x->crldp)
+               return 0;
+       inames = crl->idp->distpoint->name.fullname;
+       for (i = 0; i < sk_GENERAL_NAME_num(inames); i++)
+               {
+               GENERAL_NAME *igen = sk_GENERAL_NAME_value(inames, i);
+               for (j = 0; j < sk_DIST_POINT_num(x->crldp); j++)
+                       {
+                       DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, j);
+                       /* We don't handle these at present */
+                       if (dp->reasons || dp->CRLissuer)
+                               continue;
+                       if (!dp->distpoint || (dp->distpoint->type != 0))
+                               continue;
+                       dnames = dp->distpoint->name.fullname;
+                       for (k = 0; k < sk_GENERAL_NAME_num(dnames); k++)
+                               {
+                               GENERAL_NAME *cgen =
+                                       sk_GENERAL_NAME_value(dnames, k);
+                               if (!GENERAL_NAME_cmp(igen, cgen))
+                                       return 1;
+                               }
+                       }
+               }
+       return 0;
+       }
+
+/* Retrieve CRL corresponding to current certificate. Currently only
+ * one CRL is retrieved. Multiple CRLs may be needed if we handle
+ * CRLs partitioned on reason code later.
  */
+       
 static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x)
        {
        int ok;
@@ -765,6 +880,28 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
                        if(!ok) goto err;
                        }
 
+               if (crl->idp_flags & IDP_PRESENT)
+                       {
+                       if (crl->idp_flags & IDP_INVALID)
+                               {
+                               ctx->error = X509_V_ERR_INVALID_EXTENSION;
+                               ok = ctx->verify_cb(0, ctx);
+                               if(!ok) goto err;
+                               }
+                       if (crl->idp_flags & (IDP_REASONS|IDP_INDIRECT))
+                               {
+                               ctx->error = X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE;
+                               ok = ctx->verify_cb(0, ctx);
+                               if(!ok) goto err;
+                               }
+                       if (!idp_check_scope(ctx->current_cert, crl))
+                               {
+                               ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
+                               ok = ctx->verify_cb(0, ctx);
+                               if(!ok) goto err;
+                               }
+                       }
+
                /* Attempt to get issuer certificate public key */
                ikey = X509_get_pubkey(issuer);
 
@@ -843,6 +980,10 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
                ext = sk_X509_EXTENSION_value(exts, idx);
                if (ext->critical > 0)
                        {
+                       /* We handle IDP now so permit it */
+                       if (OBJ_obj2nid(ext->object) ==
+                               NID_issuing_distribution_point)
+                               continue;
                        ctx->error =
                                X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
                        ok = ctx->verify_cb(0, ctx);
index d546cd9..322637a 100644 (file)
@@ -334,6 +334,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define                X509_V_ERR_INVALID_EXTENSION                    41
 #define                X509_V_ERR_INVALID_POLICY_EXTENSION             42
 #define                X509_V_ERR_NO_EXPLICIT_POLICY                   43
+#define                X509_V_ERR_DIFFERENT_CRL_SCOPE                  44
+#define                X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE        45
 
 
 /* The application is not happy */
index ee2f08f..47b7e0f 100644 (file)
@@ -644,39 +644,14 @@ int X509_check_issued(X509 *issuer, X509 *subject)
                                return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
        x509v3_cache_extensions(issuer);
        x509v3_cache_extensions(subject);
-       if(subject->akid) {
-               /* Check key ids (if present) */
-               if(subject->akid->keyid && issuer->skid &&
-                ASN1_OCTET_STRING_cmp(subject->akid->keyid, issuer->skid) )
-                               return X509_V_ERR_AKID_SKID_MISMATCH;
-               /* Check serial number */
-               if(subject->akid->serial &&
-                       ASN1_INTEGER_cmp(X509_get_serialNumber(issuer),
-                                               subject->akid->serial))
-                               return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
-               /* Check issuer name */
-               if(subject->akid->issuer) {
-                       /* Ugh, for some peculiar reason AKID includes
-                        * SEQUENCE OF GeneralName. So look for a DirName.
-                        * There may be more than one but we only take any
-                        * notice of the first.
-                        */
-                       GENERAL_NAMES *gens;
-                       GENERAL_NAME *gen;
-                       X509_NAME *nm = NULL;
-                       int i;
-                       gens = subject->akid->issuer;
-                       for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
-                               gen = sk_GENERAL_NAME_value(gens, i);
-                               if(gen->type == GEN_DIRNAME) {
-                                       nm = gen->d.dirn;
-                                       break;
-                               }
-                       }
-                       if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
-                               return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
+
+       if(subject->akid)
+               {
+               int ret = X509_check_akid(issuer, subject->akid);
+               if (ret != X509_V_OK)
+                       return ret;
                }
-       }
+
        if(subject->ex_flags & EXFLAG_PROXY)
                {
                if(ku_reject(issuer, KU_DIGITAL_SIGNATURE))
@@ -687,3 +662,45 @@ int X509_check_issued(X509 *issuer, X509 *subject)
        return X509_V_OK;
 }
 
+int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
+       {
+
+       if(!akid)
+               return X509_V_OK;
+
+       /* Check key ids (if present) */
+       if(akid->keyid && issuer->skid &&
+                ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) )
+                               return X509_V_ERR_AKID_SKID_MISMATCH;
+       /* Check serial number */
+       if(akid->serial &&
+               ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial))
+                               return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
+       /* Check issuer name */
+       if(akid->issuer)
+               {
+               /* Ugh, for some peculiar reason AKID includes
+                * SEQUENCE OF GeneralName. So look for a DirName.
+                * There may be more than one but we only take any
+                * notice of the first.
+                */
+               GENERAL_NAMES *gens;
+               GENERAL_NAME *gen;
+               X509_NAME *nm = NULL;
+               int i;
+               gens = akid->issuer;
+               for(i = 0; i < sk_GENERAL_NAME_num(gens); i++)
+                       {
+                       gen = sk_GENERAL_NAME_value(gens, i);
+                       if(gen->type == GEN_DIRNAME)
+                               {
+                               nm = gen->d.dirn;
+                               break;
+                               }
+                       }
+               if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
+                       return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
+               }
+       return X509_V_OK;
+       }
+
index da349e5..26884d4 100644 (file)
@@ -632,6 +632,7 @@ int X509_check_purpose(X509 *x, int id, int ca);
 int X509_supported_extension(X509_EXTENSION *ex);
 int X509_PURPOSE_set(int *p, int purpose);
 int X509_check_issued(X509 *issuer, X509 *subject);
+int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid);
 int X509_PURPOSE_get_count(void);
 X509_PURPOSE * X509_PURPOSE_get0(int idx);
 int X509_PURPOSE_get_by_sname(char *sname);