Support for AKID in CRLs and partial support for IDP. Overhaul of CRL
handling to support this.
This commit is contained in:
parent
83357f047d
commit
bc7535bc7f
6 changed files with 218 additions and 41 deletions
12
CHANGES
12
CHANGES
|
@ -4,6 +4,18 @@
|
|||
|
||||
Changes between 0.9.8d and 0.9.9 [xx XXX xxxx]
|
||||
|
||||
*) Partial support for Issuing Distribution Point CRL extension. CRLs
|
||||
partitioned by DP are handled but no indirect CRL or reason partitioning
|
||||
(yet). Complete overhaul of CRL handling: now the most suitable CRL is
|
||||
selected via a scoring technique which handles IDP and AKID in CRLs.
|
||||
[Steve Henson]
|
||||
|
||||
*) New X509_STORE_CTX callbacks lookup_crls() and lookup_certs() which
|
||||
will ultimately be used for all verify operations: this will remove the
|
||||
X509_STORE dependency on certificate verification and allow alternative
|
||||
lookup methods. X509_STORE based implementations of these two callbacks.
|
||||
[Steve Henson]
|
||||
|
||||
*) Allow multiple CRLs to exist in an X509_STORE with matching issuer names.
|
||||
Modify get_crl() to find a valid (unexpired) CRL if possible.
|
||||
[Steve Henson]
|
||||
|
|
|
@ -162,6 +162,10 @@ const char *X509_verify_cert_error_string(long n)
|
|||
return("invalid or inconsistent certificate policy extension");
|
||||
case X509_V_ERR_NO_EXPLICIT_POLICY:
|
||||
return("no explicit policy");
|
||||
case X509_V_ERR_DIFFERENT_CRL_SCOPE:
|
||||
return("Different CRL scope");
|
||||
case X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE:
|
||||
return("Unsupported extension feature");
|
||||
default:
|
||||
BIO_snprintf(buf,sizeof buf,"error number %ld",n);
|
||||
return(buf);
|
||||
|
|
|
@ -78,6 +78,8 @@ static int check_trust(X509_STORE_CTX *ctx);
|
|||
static int check_revocation(X509_STORE_CTX *ctx);
|
||||
static int check_cert(X509_STORE_CTX *ctx);
|
||||
static int check_policy(X509_STORE_CTX *ctx);
|
||||
static int crl_akid_check(X509_STORE_CTX *ctx, AUTHORITY_KEYID *akid);
|
||||
static int idp_check_scope(X509 *x, X509_CRL *crl);
|
||||
static int internal_verify(X509_STORE_CTX *ctx);
|
||||
const char *X509_version="X.509" OPENSSL_VERSION_PTEXT;
|
||||
|
||||
|
@ -649,30 +651,81 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
|
|||
return 1;
|
||||
}
|
||||
|
||||
/* Lookup CRLs from the supplied list. Look for matching isser name
|
||||
* and validity. If we can't find a valid CRL return the last one
|
||||
* with matching name. This gives more meaningful error codes. Otherwise
|
||||
* we'd get a CRL not found error if a CRL existed with matching name but
|
||||
* was invalid.
|
||||
/* Based on a set of possible CRLs decide which one is best suited
|
||||
* to handle the current certificate. This is determined by a number
|
||||
* of criteria. If any of the "must" criteria is not satisfied then
|
||||
* the candidate CRL is rejected. If all "must" and all "should" are
|
||||
* satisfied the CRL is accepted. If no CRL satisfies all criteria then
|
||||
* a "best CRL" is used to provide some meaningful error information.
|
||||
*
|
||||
* CRL issuer name must match "nm" if not NULL.
|
||||
* If IDP is present:
|
||||
* a. it must be consistent.
|
||||
* b. onlyuser, onlyCA, onlyAA should match certificate being checked.
|
||||
* c. indirectCRL must be FALSE.
|
||||
* d. onlysomereason must be absent.
|
||||
* e. if name present a DP in certificate CRLDP must match.
|
||||
* If AKID present it should match certificate AKID.
|
||||
* Check time should fall between lastUpdate and nextUpdate.
|
||||
*/
|
||||
|
||||
/* IDP name field matches CRLDP or IDP name not present */
|
||||
#define CRL_SCORE_SCOPE 4
|
||||
/* AKID present and matches cert, or AKID not present */
|
||||
#define CRL_SCORE_AKID 2
|
||||
/* times OK */
|
||||
#define CRL_SCORE_TIME 1
|
||||
|
||||
#define CRL_SCORE_ALL 7
|
||||
|
||||
/* IDP flags which cause a CRL to be rejected */
|
||||
|
||||
#define IDP_REJECT (IDP_INVALID|IDP_INDIRECT|IDP_REASONS)
|
||||
|
||||
static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl,
|
||||
X509_NAME *nm, STACK_OF(X509_CRL) *crls)
|
||||
{
|
||||
int i;
|
||||
int i, crl_score, best_score = -1;
|
||||
X509_CRL *crl, *best_crl = NULL;
|
||||
for (i = 0; i < sk_X509_CRL_num(crls); i++)
|
||||
{
|
||||
crl_score = 0;
|
||||
crl = sk_X509_CRL_value(crls, i);
|
||||
if (nm && X509_NAME_cmp(nm, X509_CRL_get_issuer(crl)))
|
||||
continue;
|
||||
if (check_crl_time(ctx, crl, 0))
|
||||
crl_score |= CRL_SCORE_TIME;
|
||||
|
||||
if (crl->idp_flags & IDP_PRESENT)
|
||||
{
|
||||
if (crl->idp_flags & IDP_REJECT)
|
||||
continue;
|
||||
if (idp_check_scope(ctx->current_cert, crl))
|
||||
crl_score |= CRL_SCORE_SCOPE;
|
||||
}
|
||||
else
|
||||
crl_score |= CRL_SCORE_SCOPE;
|
||||
|
||||
if (crl->akid)
|
||||
{
|
||||
if (crl_akid_check(ctx, crl->akid))
|
||||
crl_score |= CRL_SCORE_AKID;
|
||||
}
|
||||
else
|
||||
crl_score |= CRL_SCORE_AKID;
|
||||
|
||||
if (crl_score == CRL_SCORE_ALL)
|
||||
{
|
||||
*pcrl = crl;
|
||||
CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509_CRL);
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (crl_score > best_score)
|
||||
{
|
||||
best_crl = crl;
|
||||
best_score = crl_score;
|
||||
}
|
||||
}
|
||||
if (best_crl)
|
||||
{
|
||||
|
@ -683,9 +736,71 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl,
|
|||
return 0;
|
||||
}
|
||||
|
||||
/* Retrieve CRL corresponding to certificate: currently just a
|
||||
* subject lookup: maybe use AKID later...
|
||||
static int crl_akid_check(X509_STORE_CTX *ctx, AUTHORITY_KEYID *akid)
|
||||
{
|
||||
int cidx = ctx->error_depth;
|
||||
if (cidx != sk_X509_num(ctx->chain) - 1)
|
||||
cidx++;
|
||||
if (X509_check_akid(sk_X509_value(ctx->chain, cidx), akid) == X509_V_OK)
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/* Check IDP name matches at least one CRLDP name */
|
||||
|
||||
static int idp_check_scope(X509 *x, X509_CRL *crl)
|
||||
{
|
||||
int i, j, k;
|
||||
GENERAL_NAMES *inames, *dnames;
|
||||
if (crl->idp_flags & IDP_ONLYATTR)
|
||||
return 0;
|
||||
if (x->ex_flags & EXFLAG_CA)
|
||||
{
|
||||
if (crl->idp_flags & IDP_ONLYUSER)
|
||||
return 0;
|
||||
}
|
||||
else
|
||||
{
|
||||
if (crl->idp_flags & IDP_ONLYCA)
|
||||
return 0;
|
||||
}
|
||||
if (!crl->idp->distpoint)
|
||||
return 1;
|
||||
if (crl->idp->distpoint->type != 0)
|
||||
return 1;
|
||||
if (!x->crldp)
|
||||
return 0;
|
||||
inames = crl->idp->distpoint->name.fullname;
|
||||
for (i = 0; i < sk_GENERAL_NAME_num(inames); i++)
|
||||
{
|
||||
GENERAL_NAME *igen = sk_GENERAL_NAME_value(inames, i);
|
||||
for (j = 0; j < sk_DIST_POINT_num(x->crldp); j++)
|
||||
{
|
||||
DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, j);
|
||||
/* We don't handle these at present */
|
||||
if (dp->reasons || dp->CRLissuer)
|
||||
continue;
|
||||
if (!dp->distpoint || (dp->distpoint->type != 0))
|
||||
continue;
|
||||
dnames = dp->distpoint->name.fullname;
|
||||
for (k = 0; k < sk_GENERAL_NAME_num(dnames); k++)
|
||||
{
|
||||
GENERAL_NAME *cgen =
|
||||
sk_GENERAL_NAME_value(dnames, k);
|
||||
if (!GENERAL_NAME_cmp(igen, cgen))
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Retrieve CRL corresponding to current certificate. Currently only
|
||||
* one CRL is retrieved. Multiple CRLs may be needed if we handle
|
||||
* CRLs partitioned on reason code later.
|
||||
*/
|
||||
|
||||
static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x)
|
||||
{
|
||||
int ok;
|
||||
|
@ -765,6 +880,28 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
|
|||
if(!ok) goto err;
|
||||
}
|
||||
|
||||
if (crl->idp_flags & IDP_PRESENT)
|
||||
{
|
||||
if (crl->idp_flags & IDP_INVALID)
|
||||
{
|
||||
ctx->error = X509_V_ERR_INVALID_EXTENSION;
|
||||
ok = ctx->verify_cb(0, ctx);
|
||||
if(!ok) goto err;
|
||||
}
|
||||
if (crl->idp_flags & (IDP_REASONS|IDP_INDIRECT))
|
||||
{
|
||||
ctx->error = X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE;
|
||||
ok = ctx->verify_cb(0, ctx);
|
||||
if(!ok) goto err;
|
||||
}
|
||||
if (!idp_check_scope(ctx->current_cert, crl))
|
||||
{
|
||||
ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
|
||||
ok = ctx->verify_cb(0, ctx);
|
||||
if(!ok) goto err;
|
||||
}
|
||||
}
|
||||
|
||||
/* Attempt to get issuer certificate public key */
|
||||
ikey = X509_get_pubkey(issuer);
|
||||
|
||||
|
@ -843,6 +980,10 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
|
|||
ext = sk_X509_EXTENSION_value(exts, idx);
|
||||
if (ext->critical > 0)
|
||||
{
|
||||
/* We handle IDP now so permit it */
|
||||
if (OBJ_obj2nid(ext->object) ==
|
||||
NID_issuing_distribution_point)
|
||||
continue;
|
||||
ctx->error =
|
||||
X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
|
||||
ok = ctx->verify_cb(0, ctx);
|
||||
|
|
|
@ -334,6 +334,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
|
|||
#define X509_V_ERR_INVALID_EXTENSION 41
|
||||
#define X509_V_ERR_INVALID_POLICY_EXTENSION 42
|
||||
#define X509_V_ERR_NO_EXPLICIT_POLICY 43
|
||||
#define X509_V_ERR_DIFFERENT_CRL_SCOPE 44
|
||||
#define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45
|
||||
|
||||
|
||||
/* The application is not happy */
|
||||
|
|
|
@ -644,39 +644,14 @@ int X509_check_issued(X509 *issuer, X509 *subject)
|
|||
return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
|
||||
x509v3_cache_extensions(issuer);
|
||||
x509v3_cache_extensions(subject);
|
||||
if(subject->akid) {
|
||||
/* Check key ids (if present) */
|
||||
if(subject->akid->keyid && issuer->skid &&
|
||||
ASN1_OCTET_STRING_cmp(subject->akid->keyid, issuer->skid) )
|
||||
return X509_V_ERR_AKID_SKID_MISMATCH;
|
||||
/* Check serial number */
|
||||
if(subject->akid->serial &&
|
||||
ASN1_INTEGER_cmp(X509_get_serialNumber(issuer),
|
||||
subject->akid->serial))
|
||||
return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
|
||||
/* Check issuer name */
|
||||
if(subject->akid->issuer) {
|
||||
/* Ugh, for some peculiar reason AKID includes
|
||||
* SEQUENCE OF GeneralName. So look for a DirName.
|
||||
* There may be more than one but we only take any
|
||||
* notice of the first.
|
||||
*/
|
||||
GENERAL_NAMES *gens;
|
||||
GENERAL_NAME *gen;
|
||||
X509_NAME *nm = NULL;
|
||||
int i;
|
||||
gens = subject->akid->issuer;
|
||||
for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
|
||||
gen = sk_GENERAL_NAME_value(gens, i);
|
||||
if(gen->type == GEN_DIRNAME) {
|
||||
nm = gen->d.dirn;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
|
||||
return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
|
||||
}
|
||||
|
||||
if(subject->akid)
|
||||
{
|
||||
int ret = X509_check_akid(issuer, subject->akid);
|
||||
if (ret != X509_V_OK)
|
||||
return ret;
|
||||
}
|
||||
|
||||
if(subject->ex_flags & EXFLAG_PROXY)
|
||||
{
|
||||
if(ku_reject(issuer, KU_DIGITAL_SIGNATURE))
|
||||
|
@ -687,3 +662,45 @@ int X509_check_issued(X509 *issuer, X509 *subject)
|
|||
return X509_V_OK;
|
||||
}
|
||||
|
||||
int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
|
||||
{
|
||||
|
||||
if(!akid)
|
||||
return X509_V_OK;
|
||||
|
||||
/* Check key ids (if present) */
|
||||
if(akid->keyid && issuer->skid &&
|
||||
ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) )
|
||||
return X509_V_ERR_AKID_SKID_MISMATCH;
|
||||
/* Check serial number */
|
||||
if(akid->serial &&
|
||||
ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial))
|
||||
return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
|
||||
/* Check issuer name */
|
||||
if(akid->issuer)
|
||||
{
|
||||
/* Ugh, for some peculiar reason AKID includes
|
||||
* SEQUENCE OF GeneralName. So look for a DirName.
|
||||
* There may be more than one but we only take any
|
||||
* notice of the first.
|
||||
*/
|
||||
GENERAL_NAMES *gens;
|
||||
GENERAL_NAME *gen;
|
||||
X509_NAME *nm = NULL;
|
||||
int i;
|
||||
gens = akid->issuer;
|
||||
for(i = 0; i < sk_GENERAL_NAME_num(gens); i++)
|
||||
{
|
||||
gen = sk_GENERAL_NAME_value(gens, i);
|
||||
if(gen->type == GEN_DIRNAME)
|
||||
{
|
||||
nm = gen->d.dirn;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
|
||||
return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
|
||||
}
|
||||
return X509_V_OK;
|
||||
}
|
||||
|
||||
|
|
|
@ -632,6 +632,7 @@ int X509_check_purpose(X509 *x, int id, int ca);
|
|||
int X509_supported_extension(X509_EXTENSION *ex);
|
||||
int X509_PURPOSE_set(int *p, int purpose);
|
||||
int X509_check_issued(X509 *issuer, X509 *subject);
|
||||
int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid);
|
||||
int X509_PURPOSE_get_count(void);
|
||||
X509_PURPOSE * X509_PURPOSE_get0(int idx);
|
||||
int X509_PURPOSE_get_by_sname(char *sname);
|
||||
|
|
Loading…
Reference in a new issue