Don't use expired certificates if possible.
When looking for the issuer of a certificate, if current candidate is expired, continue looking. Only return an expired certificate if no valid certificates are found. PR#3359
This commit is contained in:
parent
6c21b860ba
commit
0930251df8
3 changed files with 37 additions and 9 deletions
|
@ -68,3 +68,5 @@ struct X509_VERIFY_PARAM_ID_st
|
|||
unsigned char *ip; /* If not NULL IP address to match */
|
||||
size_t iplen; /* Length of IP address */
|
||||
};
|
||||
|
||||
int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet);
|
||||
|
|
|
@ -61,6 +61,7 @@
|
|||
#include <openssl/lhash.h>
|
||||
#include <openssl/x509.h>
|
||||
#include <openssl/x509v3.h>
|
||||
#include "x509_lcl.h"
|
||||
|
||||
X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
|
||||
{
|
||||
|
@ -639,6 +640,7 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
|
|||
X509_NAME *xn;
|
||||
X509_OBJECT obj, *pobj;
|
||||
int i, ok, idx, ret;
|
||||
*issuer = NULL;
|
||||
xn=X509_get_issuer_name(x);
|
||||
ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
|
||||
if (ok != X509_LU_X509)
|
||||
|
@ -660,8 +662,11 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
|
|||
/* If certificate matches all OK */
|
||||
if (ctx->check_issued(ctx, x, obj.data.x509))
|
||||
{
|
||||
*issuer = obj.data.x509;
|
||||
return 1;
|
||||
if (x509_check_cert_time(ctx, obj.data.x509, 1))
|
||||
{
|
||||
*issuer = obj.data.x509;
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
X509_OBJECT_free_contents(&obj);
|
||||
|
||||
|
@ -683,13 +688,22 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
|
|||
if (ctx->check_issued(ctx, x, pobj->data.x509))
|
||||
{
|
||||
*issuer = pobj->data.x509;
|
||||
X509_OBJECT_up_ref_count(pobj);
|
||||
ret = 1;
|
||||
break;
|
||||
/*
|
||||
* If times check, exit with match,
|
||||
* otherwise keep looking. Leave last
|
||||
* match in issuer so we return nearest
|
||||
* match if no certificate time is OK.
|
||||
*/
|
||||
|
||||
if (x509_check_cert_time(ctx, *issuer, 1))
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
|
||||
if (*issuer)
|
||||
CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509);
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
|
|
@ -469,14 +469,18 @@ end:
|
|||
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
|
||||
{
|
||||
int i;
|
||||
X509 *issuer;
|
||||
X509 *issuer, *rv = NULL;;
|
||||
for (i = 0; i < sk_X509_num(sk); i++)
|
||||
{
|
||||
issuer = sk_X509_value(sk, i);
|
||||
if (ctx->check_issued(ctx, x, issuer))
|
||||
return issuer;
|
||||
{
|
||||
rv = issuer;
|
||||
if (x509_check_cert_time(ctx, rv, 1))
|
||||
break;
|
||||
}
|
||||
}
|
||||
return NULL;
|
||||
return rv;
|
||||
}
|
||||
|
||||
/* Given a possible certificate and issuer check them */
|
||||
|
@ -1694,7 +1698,7 @@ static int check_policy(X509_STORE_CTX *ctx)
|
|||
return 1;
|
||||
}
|
||||
|
||||
static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
|
||||
int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet)
|
||||
{
|
||||
time_t *ptime;
|
||||
int i;
|
||||
|
@ -1707,6 +1711,8 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
|
|||
i=X509_cmp_time(X509_get_notBefore(x), ptime);
|
||||
if (i == 0)
|
||||
{
|
||||
if (quiet)
|
||||
return 0;
|
||||
ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
|
||||
ctx->current_cert=x;
|
||||
if (!ctx->verify_cb(0, ctx))
|
||||
|
@ -1715,6 +1721,8 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
|
|||
|
||||
if (i > 0)
|
||||
{
|
||||
if (quiet)
|
||||
return 0;
|
||||
ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
|
||||
ctx->current_cert=x;
|
||||
if (!ctx->verify_cb(0, ctx))
|
||||
|
@ -1724,6 +1732,8 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
|
|||
i=X509_cmp_time(X509_get_notAfter(x), ptime);
|
||||
if (i == 0)
|
||||
{
|
||||
if (quiet)
|
||||
return 0;
|
||||
ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
|
||||
ctx->current_cert=x;
|
||||
if (!ctx->verify_cb(0, ctx))
|
||||
|
@ -1732,6 +1742,8 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
|
|||
|
||||
if (i < 0)
|
||||
{
|
||||
if (quiet)
|
||||
return 0;
|
||||
ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
|
||||
ctx->current_cert=x;
|
||||
if (!ctx->verify_cb(0, ctx))
|
||||
|
@ -1815,7 +1827,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
|
|||
xs->valid = 1;
|
||||
|
||||
check_cert:
|
||||
ok = check_cert_time(ctx, xs);
|
||||
ok = x509_check_cert_time(ctx, xs, 0);
|
||||
if (!ok)
|
||||
goto end;
|
||||
|
||||
|
|
Loading…
Reference in a new issue