Add code to download CRLs based on CRLDP extension.
Just a sample; real-world applications would have to be cleverer.
parent
e998f8aeb8
commit
57912ed329
8 changed files with 117 additions and 22 deletions
4
CHANGES
4
CHANGES
|
@ -4,6 +4,10 @@
|
||||||
|
|
||||||
Changes between 1.0.1 and 1.0.2 [xx XXX xxxx]
|
Changes between 1.0.1 and 1.0.2 [xx XXX xxxx]
|
||||||
|
|
||||||
|
*) New option -crl_download in several openssl utilities to download CRLs
|
||||||
|
from CRLDP extension in certificates.
|
||||||
|
[Steve Henson]
|
||||||
|
|
||||||
*) New options -CRL and -CRLform for s_client and s_server for CRLs.
|
*) New options -CRL and -CRLform for s_client and s_server for CRLs.
|
||||||
[Steve Henson]
|
[Steve Henson]
|
||||||
|
|
||||||
|
|
79
apps/apps.c
79
apps/apps.c
|
@ -929,7 +929,7 @@ end:
|
||||||
return(x);
|
return(x);
|
||||||
}
|
}
|
||||||
|
|
||||||
X509_CRL *load_crl(char *infile, int format)
|
X509_CRL *load_crl(const char *infile, int format)
|
||||||
{
|
{
|
||||||
X509_CRL *x=NULL;
|
X509_CRL *x=NULL;
|
||||||
BIO *in=NULL;
|
BIO *in=NULL;
|
||||||
|
@ -2963,6 +2963,83 @@ void print_cert_checks(BIO *bio, X509 *x,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Get first http URL from a DIST_POINT structure */
|
||||||
|
|
||||||
|
static const char *get_dp_url(DIST_POINT *dp)
|
||||||
|
{
|
||||||
|
GENERAL_NAMES *gens;
|
||||||
|
GENERAL_NAME *gen;
|
||||||
|
int i, gtype;
|
||||||
|
ASN1_STRING *uri;
|
||||||
|
if (!dp->distpoint || dp->distpoint->type != 0)
|
||||||
|
return NULL;
|
||||||
|
gens = dp->distpoint->name.fullname;
|
||||||
|
for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
|
||||||
|
{
|
||||||
|
gen = sk_GENERAL_NAME_value(gens, i);
|
||||||
|
uri = GENERAL_NAME_get0_value(gen, >ype);
|
||||||
|
if (gtype == GEN_URI && ASN1_STRING_length(uri) > 6)
|
||||||
|
{
|
||||||
|
char *uptr = (char *)ASN1_STRING_data(uri);
|
||||||
|
if (!strncmp(uptr, "http://", 7))
|
||||||
|
return uptr;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/* Look through a CRLDP structure and attempt to find an http URL to downloads
|
||||||
|
* a CRL from.
|
||||||
|
*/
|
||||||
|
|
||||||
|
static X509_CRL *load_crl_crldp(STACK_OF(DIST_POINT) *crldp)
|
||||||
|
{
|
||||||
|
int i;
|
||||||
|
const char *urlptr = NULL;
|
||||||
|
for (i = 0; i < sk_DIST_POINT_num(crldp); i++)
|
||||||
|
{
|
||||||
|
DIST_POINT *dp = sk_DIST_POINT_value(crldp, i);
|
||||||
|
urlptr = get_dp_url(dp);
|
||||||
|
if (urlptr)
|
||||||
|
return load_crl(urlptr, FORMAT_HTTP);
|
||||||
|
}
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Example of downloading CRLs from CRLDP: not usable for real world
|
||||||
|
* as it always downloads, doesn't support non-blocking I/O and doesn't
|
||||||
|
* cache anything.
|
||||||
|
*/
|
||||||
|
|
||||||
|
static STACK_OF(X509_CRL) *crls_http_cb(X509_STORE_CTX *ctx, X509_NAME *nm)
|
||||||
|
{
|
||||||
|
X509 *x;
|
||||||
|
STACK_OF(X509_CRL) *crls = NULL;
|
||||||
|
X509_CRL *crl;
|
||||||
|
STACK_OF(DIST_POINT) *crldp;
|
||||||
|
x = X509_STORE_CTX_get_current_cert(ctx);
|
||||||
|
crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
|
||||||
|
crl = load_crl_crldp(crldp);
|
||||||
|
sk_DIST_POINT_pop_free(crldp, DIST_POINT_free);
|
||||||
|
if (!crl)
|
||||||
|
return NULL;
|
||||||
|
crls = sk_X509_CRL_new_null();
|
||||||
|
sk_X509_CRL_push(crls, crl);
|
||||||
|
/* Try to download delta CRL */
|
||||||
|
crldp = X509_get_ext_d2i(x, NID_freshest_crl, NULL, NULL);
|
||||||
|
crl = load_crl_crldp(crldp);
|
||||||
|
sk_DIST_POINT_pop_free(crldp, DIST_POINT_free);
|
||||||
|
if (crl)
|
||||||
|
sk_X509_CRL_push(crls, crl);
|
||||||
|
return crls;
|
||||||
|
}
|
||||||
|
|
||||||
|
void store_setup_crl_download(X509_STORE *st)
|
||||||
|
{
|
||||||
|
X509_STORE_set_lookup_crls_cb(st, crls_http_cb);
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Platform-specific sections
|
* Platform-specific sections
|
||||||
*/
|
*/
|
||||||
|
|
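Review bot: In get_dp_url the URL handed to load_crl is untrusted data taken from the certificate being verified, and it is passed on as a C string without checking that ASN1_STRING_length(uri) matches strlen(uptr), so a GEN_URI with an embedded NUL would be silently truncated; I would add `if (strlen(uptr) != (size_t)ASN1_STRING_length(uri)) continue;` right after `uptr` is assigned, and tighten `> 6` to `> 7` so a bare "http://" with no host is not returned. In crls_http_cb the `nm` parameter (the CRL issuer name the verifier asks for) is ignored, so the fetched CRL may belong to a different issuer and is only caught by the later issuer/signature checks; that deserves a comment such as `/* nm is ignored: a CRL for the wrong issuer is rejected later by the verifier */` — I am inferring how the callback is used, so please confirm. The result of `sk_X509_CRL_new_null()` is also not checked before `sk_X509_CRL_push`, which leaks `crl` on allocation failure. The header comment on load_crl_crldp reads "to downloads a CRL from" and wants "to download".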
|
@ -245,7 +245,7 @@ int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2);
|
||||||
int add_oid_section(BIO *err, CONF *conf);
|
int add_oid_section(BIO *err, CONF *conf);
|
||||||
X509 *load_cert(BIO *err, const char *file, int format,
|
X509 *load_cert(BIO *err, const char *file, int format,
|
||||||
const char *pass, ENGINE *e, const char *cert_descrip);
|
const char *pass, ENGINE *e, const char *cert_descrip);
|
||||||
X509_CRL *load_crl(char *infile, int format);
|
X509_CRL *load_crl(const char *infile, int format);
|
||||||
int load_cert_crl_http(const char *url, BIO *err,
|
int load_cert_crl_http(const char *url, BIO *err,
|
||||||
X509 **pcert, X509_CRL **pcrl);
|
X509 **pcert, X509_CRL **pcrl);
|
||||||
EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
|
EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
|
||||||
|
@ -343,6 +343,8 @@ void print_cert_checks(BIO *bio, X509 *x,
|
||||||
const unsigned char *checkemail,
|
const unsigned char *checkemail,
|
||||||
const char *checkip);
|
const char *checkip);
|
||||||
|
|
||||||
|
void store_setup_crl_download(X509_STORE *st);
|
||||||
|
|
||||||
#define FORMAT_UNDEF 0
|
#define FORMAT_UNDEF 0
|
||||||
#define FORMAT_ASN1 1
|
#define FORMAT_ASN1 1
|
||||||
#define FORMAT_TEXT 2
|
#define FORMAT_TEXT 2
|
||||||
|
|
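Review bot: The new `store_setup_crl_download` prototype is added to apps.h with no comment, while the definition's own comment in apps.c warns it is an example that always downloads, blocks, and caches nothing; a caller reading only the header will not see that. I would put above the declaration: `/* Install the sample CRLDP fetcher as st's lookup_crls callback: plain http only, blocking, no cache. */`. The const-qualification of load_crl's `infile` looks right.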
|
@ -196,9 +196,9 @@ int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
|
||||||
int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr);
|
int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr);
|
||||||
int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
|
int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
|
||||||
STACK_OF(OPENSSL_STRING) *str, int no_ecdhe, int no_jpake);
|
STACK_OF(OPENSSL_STRING) *str, int no_ecdhe, int no_jpake);
|
||||||
int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls);
|
int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls, int crl_download);
|
||||||
int ssl_load_stores(SSL_CTX *ctx,
|
int ssl_load_stores(SSL_CTX *ctx,
|
||||||
const char *vfyCApath, const char *vfyCAfile,
|
const char *vfyCApath, const char *vfyCAfile,
|
||||||
const char *chCApath, const char *chCAfile,
|
const char *chCApath, const char *chCAfile,
|
||||||
STACK_OF(X509_CRL) *crls);
|
STACK_OF(X509_CRL) *crls, int crl_download);
|
||||||
#endif
|
#endif
|
||||||
|
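Review bot: The new `int crl_download` parameter on `ssl_ctx_add_crls` and `ssl_load_stores` is a bare flag with nothing saying what it enables or which store it applies to. A one-line comment above each prototype would do, e.g. `/* crl_download != 0: install the CRLDP HTTP lookup callback on the store(s) */`. If these prototypes are documented elsewhere this can be ignored.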
|
24
apps/s_cb.c
24
apps/s_cb.c
|
@ -1603,32 +1603,28 @@ static int add_crls_store(X509_STORE *st, STACK_OF(X509_CRL) *crls)
|
||||||
{
|
{
|
||||||
X509_CRL *crl;
|
X509_CRL *crl;
|
||||||
int i;
|
int i;
|
||||||
if (crls)
|
for (i = 0; i < sk_X509_CRL_num(crls); i++)
|
||||||
{
|
{
|
||||||
for (i = 0; i < sk_X509_CRL_num(crls); i++)
|
crl = sk_X509_CRL_value(crls, i);
|
||||||
{
|
X509_STORE_add_crl(st, crl);
|
||||||
crl = sk_X509_CRL_value(crls, i);
|
|
||||||
X509_STORE_add_crl(st, crl);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls)
|
int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls, int crl_download)
|
||||||
{
|
{
|
||||||
X509_STORE *st;
|
X509_STORE *st;
|
||||||
if (crls)
|
st = SSL_CTX_get_cert_store(ctx);
|
||||||
{
|
add_crls_store(st, crls);
|
||||||
st = SSL_CTX_get_cert_store(ctx);
|
if (crl_download)
|
||||||
add_crls_store(st, crls);
|
store_setup_crl_download(st);
|
||||||
}
|
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
int ssl_load_stores(SSL_CTX *ctx,
|
int ssl_load_stores(SSL_CTX *ctx,
|
||||||
const char *vfyCApath, const char *vfyCAfile,
|
const char *vfyCApath, const char *vfyCAfile,
|
||||||
const char *chCApath, const char *chCAfile,
|
const char *chCApath, const char *chCAfile,
|
||||||
STACK_OF(X509_CRL) *crls)
|
STACK_OF(X509_CRL) *crls, int crl_download)
|
||||||
{
|
{
|
||||||
X509_STORE *vfy = NULL, *ch = NULL;
|
X509_STORE *vfy = NULL, *ch = NULL;
|
||||||
int rv = 0;
|
int rv = 0;
|
||||||
|
@ -1639,6 +1635,8 @@ int ssl_load_stores(SSL_CTX *ctx,
|
||||||
goto err;
|
goto err;
|
||||||
add_crls_store(vfy, crls);
|
add_crls_store(vfy, crls);
|
||||||
SSL_CTX_set1_verify_cert_store(ctx, vfy);
|
SSL_CTX_set1_verify_cert_store(ctx, vfy);
|
||||||
|
if (crl_download)
|
||||||
|
store_setup_crl_download(vfy);
|
||||||
}
|
}
|
||||||
if (chCApath || chCAfile)
|
if (chCApath || chCAfile)
|
||||||
{
|
{
|
||||||
|
|
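Review bot: The restyled add_crls_store still ignores the return value of `X509_STORE_add_crl(st, crl)` and unconditionally returns 1, so a CRL that cannot be added is silently dropped; that was already the case, but the hunk rewrites the function anyway. As far as I recall X509_STORE_add_crl in this version also fails for a duplicate CRL, so a blanket failure return would break passing the same CRL twice; I would either record the failure, e.g. `if (!X509_STORE_add_crl(st, crl)) ERR_print_errors(bio_err);` if bio_err is reachable here, or state the choice with `/* add failures (including duplicates) are deliberately ignored */`. In ssl_load_stores, `store_setup_crl_download(vfy)` sits inside an `if` whose opening is outside this hunk, so download is only enabled on the separate verify store when that store is configured.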
|
@ -638,6 +638,7 @@ static char *jpake_secret = NULL;
|
||||||
|
|
||||||
char *crl_file = NULL;
|
char *crl_file = NULL;
|
||||||
int crl_format = FORMAT_PEM;
|
int crl_format = FORMAT_PEM;
|
||||||
|
int crl_download = 0;
|
||||||
STACK_OF(X509_CRL) *crls = NULL;
|
STACK_OF(X509_CRL) *crls = NULL;
|
||||||
|
|
||||||
meth=SSLv23_client_method();
|
meth=SSLv23_client_method();
|
||||||
|
@ -714,6 +715,8 @@ static char *jpake_secret = NULL;
|
||||||
if (--argc < 1) goto bad;
|
if (--argc < 1) goto bad;
|
||||||
crl_file= *(++argv);
|
crl_file= *(++argv);
|
||||||
}
|
}
|
||||||
|
else if (strcmp(*argv,"-crl_download") == 0)
|
||||||
|
crl_download = 1;
|
||||||
else if (strcmp(*argv,"-sess_out") == 0)
|
else if (strcmp(*argv,"-sess_out") == 0)
|
||||||
{
|
{
|
||||||
if (--argc < 1) goto bad;
|
if (--argc < 1) goto bad;
|
||||||
|
@ -1193,7 +1196,8 @@ bad:
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, crls))
|
if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
|
||||||
|
crls, crl_download))
|
||||||
{
|
{
|
||||||
BIO_printf(bio_err, "Error loading store locations\n");
|
BIO_printf(bio_err, "Error loading store locations\n");
|
||||||
ERR_print_errors(bio_err);
|
ERR_print_errors(bio_err);
|
||||||
|
@ -1255,7 +1259,7 @@ bad:
|
||||||
/* goto end; */
|
/* goto end; */
|
||||||
}
|
}
|
||||||
|
|
||||||
ssl_ctx_add_crls(ctx, crls);
|
ssl_ctx_add_crls(ctx, crls, crl_download);
|
||||||
if (!set_cert_key_stuff(ctx,cert,key,chain,build_chain))
|
if (!set_cert_key_stuff(ctx,cert,key,chain,build_chain))
|
||||||
goto end;
|
goto end;
|
||||||
|
|
||||||
|
|
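Review bot: The `-crl_download` option is parsed here with no hint of its cost: once set, verification during every handshake performs blocking plain-http fetches to URLs taken from the peer's certificate chain, with no caching, which the apps.c helper itself describes as sample-only. I would add beside the option: `/* sample only: blocking http GETs of the CRLs named in the peer cert's CRLDP, no cache */`. If the usage text in this file lists `-CRL`/`-CRLform`, `-crl_download` should be listed there too; that part of the file is outside the hunk.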
|
@ -987,6 +987,7 @@ int MAIN(int argc, char *argv[])
|
||||||
|
|
||||||
char *crl_file = NULL;
|
char *crl_file = NULL;
|
||||||
int crl_format = FORMAT_PEM;
|
int crl_format = FORMAT_PEM;
|
||||||
|
int crl_download = 0;
|
||||||
STACK_OF(X509_CRL) *crls = NULL;
|
STACK_OF(X509_CRL) *crls = NULL;
|
||||||
|
|
||||||
meth=SSLv23_server_method();
|
meth=SSLv23_server_method();
|
||||||
|
@ -1059,6 +1060,8 @@ int MAIN(int argc, char *argv[])
|
||||||
if (--argc < 1) goto bad;
|
if (--argc < 1) goto bad;
|
||||||
crl_file= *(++argv);
|
crl_file= *(++argv);
|
||||||
}
|
}
|
||||||
|
else if (strcmp(*argv,"-crl_download") == 0)
|
||||||
|
crl_download = 1;
|
||||||
#ifndef OPENSSL_NO_TLSEXT
|
#ifndef OPENSSL_NO_TLSEXT
|
||||||
else if (strcmp(*argv,"-authz") == 0)
|
else if (strcmp(*argv,"-authz") == 0)
|
||||||
{
|
{
|
||||||
|
@ -1674,12 +1677,13 @@ bad:
|
||||||
if (vpm)
|
if (vpm)
|
||||||
SSL_CTX_set1_param(ctx, vpm);
|
SSL_CTX_set1_param(ctx, vpm);
|
||||||
|
|
||||||
ssl_ctx_add_crls(ctx, crls);
|
ssl_ctx_add_crls(ctx, crls, 0);
|
||||||
|
|
||||||
if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, no_ecdhe, no_jpake))
|
if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, no_ecdhe, no_jpake))
|
||||||
goto end;
|
goto end;
|
||||||
|
|
||||||
if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, crls))
|
if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
|
||||||
|
crls, crl_download))
|
||||||
{
|
{
|
||||||
BIO_printf(bio_err, "Error loading store locations\n");
|
BIO_printf(bio_err, "Error loading store locations\n");
|
||||||
ERR_print_errors(bio_err);
|
ERR_print_errors(bio_err);
|
||||||
|
@ -1740,7 +1744,7 @@ bad:
|
||||||
if (vpm)
|
if (vpm)
|
||||||
SSL_CTX_set1_param(ctx2, vpm);
|
SSL_CTX_set1_param(ctx2, vpm);
|
||||||
|
|
||||||
ssl_ctx_add_crls(ctx2, crls);
|
ssl_ctx_add_crls(ctx2, crls, 0);
|
||||||
|
|
||||||
if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args, no_ecdhe, no_jpake))
|
if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args, no_ecdhe, no_jpake))
|
||||||
goto end;
|
goto end;
|
||||||
|
|
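Review bot: `ssl_ctx_add_crls(ctx, crls, 0)` and `ssl_ctx_add_crls(ctx2, crls, 0)` hard-code the flag to 0 while `crl_download` is only forwarded to `ssl_load_stores`; since `store_setup_crl_download(vfy)` there appears to run only when a separate verify store is configured, `-crl_download` on s_server looks like a no-op unless `-verify_CApath`/`-verify_CAfile` is also given, unlike s_client which passes `crl_download` to `ssl_ctx_add_crls`. If that is intended (downloads only for an explicitly configured client-verification store) it deserves a comment; otherwise pass the flag in both calls: `ssl_ctx_add_crls(ctx, crls, crl_download);` and `ssl_ctx_add_crls(ctx2, crls, crl_download);`. I am inferring the ssl_load_stores behaviour from the s_cb.c hunk, whose enclosing `if` starts outside that hunk.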
|
@ -88,6 +88,7 @@ int MAIN(int argc, char **argv)
|
||||||
X509_STORE *cert_ctx=NULL;
|
X509_STORE *cert_ctx=NULL;
|
||||||
X509_LOOKUP *lookup=NULL;
|
X509_LOOKUP *lookup=NULL;
|
||||||
X509_VERIFY_PARAM *vpm = NULL;
|
X509_VERIFY_PARAM *vpm = NULL;
|
||||||
|
int crl_download = 0;
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
#ifndef OPENSSL_NO_ENGINE
|
||||||
char *engine=NULL;
|
char *engine=NULL;
|
||||||
#endif
|
#endif
|
||||||
|
@ -145,6 +146,8 @@ int MAIN(int argc, char **argv)
|
||||||
if (argc-- < 1) goto end;
|
if (argc-- < 1) goto end;
|
||||||
crlfile= *(++argv);
|
crlfile= *(++argv);
|
||||||
}
|
}
|
||||||
|
else if (strcmp(*argv,"-crl_download") == 0)
|
||||||
|
crl_download = 1;
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
#ifndef OPENSSL_NO_ENGINE
|
||||||
else if (strcmp(*argv,"-engine") == 0)
|
else if (strcmp(*argv,"-engine") == 0)
|
||||||
{
|
{
|
||||||
|
@ -223,6 +226,9 @@ int MAIN(int argc, char **argv)
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = 0;
|
ret = 0;
|
||||||
|
|
||||||
|
if (crl_download)
|
||||||
|
store_setup_crl_download(cert_ctx);
|
||||||
if (argc < 1)
|
if (argc < 1)
|
||||||
{
|
{
|
||||||
if (1 != check(cert_ctx, NULL, untrusted, trusted, crls, e))
|
if (1 != check(cert_ctx, NULL, untrusted, trusted, crls, e))
|
||||||
|
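Review bot: `store_setup_crl_download(cert_ctx)` installs the lookup callback, but as far as I can tell that callback is only invoked when CRL checking is enabled on the store (`-crl_check` / `-crl_check_all`), so `-crl_download` on its own silently does nothing. A comment next to the option or here would avoid that surprise, e.g. `/* only has an effect together with -crl_check or -crl_check_all */`, or the option could be rejected when CRL checking is off. The usage text for verify is outside this hunk and should mention the new option.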
|