From e1a27eb34a6bf40af1bd6450d0fb3d57f6e24ab5 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sat, 27 Mar 2004 22:49:28 +0000 Subject: [PATCH] Allow CRLs to be passed into X509_STORE_CTX. This is useful when the verified structure can contain its own CRLs (such as PKCS#7 signedData). Tidy up some of the verify code. --- CHANGES | 6 + crypto/pkcs7/pk7_smime.c | 2 + crypto/pkcs7/pkcs7.h | 1 + crypto/x509/x509_vfy.c | 256 ++++++++++++++++++++++++++------------- crypto/x509/x509_vfy.h | 2 + 5 files changed, 183 insertions(+), 84 deletions(-) diff --git a/CHANGES b/CHANGES index b242e468ea..c5c2ebba9b 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,12 @@ Changes between 0.9.7c and 0.9.8 [xx XXX xxxx] + *) Add a local set of CRLs that can be used by X509_verify_cert() as well + as looking them up. This is useful when the verified structure may contain + CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs + present unless the new PKCS7_NO_CRL flag is asserted. + [Steve Henson] + *) Extend ASN1 oid configuration module. It now additionally accepts the syntax: diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c index 333a8aa38d..6aca0222da 100644 --- a/crypto/pkcs7/pk7_smime.c +++ b/crypto/pkcs7/pk7_smime.c @@ -217,6 +217,8 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, sk_X509_free(signers); return 0; } + if (!(flags & PKCS7_NOCRL)) + X509_STORE_CTX_set0_crls(&cert_ctx, p7->d.sign->crl); i = X509_verify_cert(&cert_ctx); if (i <= 0) j = X509_STORE_CTX_get_error(&cert_ctx); X509_STORE_CTX_cleanup(&cert_ctx); diff --git a/crypto/pkcs7/pkcs7.h b/crypto/pkcs7/pkcs7.h index 788cd5d6c0..9dc3c0caa0 100644 --- a/crypto/pkcs7/pkcs7.h +++ b/crypto/pkcs7/pkcs7.h @@ -265,6 +265,7 @@ DECLARE_PKCS12_STACK_OF(PKCS7) #define PKCS7_NOOLDMIMETYPE 0x400 #define PKCS7_CRLFEOL 0x800 #define PKCS7_STREAM 0x1000 +#define PKCS7_NOCRL 0x2000 /* Flags: for compatibility with older code */ diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 2e4d0b823a..3e82f95486 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -499,17 +499,124 @@ static int check_cert(X509_STORE_CTX *ctx) } +/* Check CRL times against values in X509_STORE_CTX */ + +static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) + { + time_t *ptime; + int i; + ctx->current_crl = crl; + if (ctx->flags & X509_V_FLAG_USE_CHECK_TIME) + ptime = &ctx->check_time; + else + ptime = NULL; + + i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); + if (i == 0) + { + ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; + if (!notify || !ctx->verify_cb(0, ctx)) + return 0; + } + + if (i > 0) + { + ctx->error=X509_V_ERR_CRL_NOT_YET_VALID; + if (!notify || !ctx->verify_cb(0, ctx)) + return 0; + } + + if(X509_CRL_get_nextUpdate(crl)) + { + i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); + + if (i == 0) + { + ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; + if (!notify || !ctx->verify_cb(0, ctx)) + return 0; + } + + if (i < 0) + { + ctx->error=X509_V_ERR_CRL_HAS_EXPIRED; + if (!notify || !ctx->verify_cb(0, ctx)) + return 0; + } + } + + ctx->current_crl = NULL; + + return 1; + } + +/* Lookup CRLs from the supplied list. Look for matching isser name + * and validity. If we can't find a valid CRL return the last one + * with matching name. This gives more meaningful error codes. Otherwise + * we'd get a CRL not found error if a CRL existed with matching name but + * was invalid. + */ + +static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, + X509_NAME *nm, STACK_OF(X509_CRL) *crls) + { + int i; + X509_CRL *crl, *best_crl = NULL; + for (i = 0; i < sk_X509_CRL_num(crls); i++) + { + crl = sk_X509_CRL_value(crls, i); + if (X509_NAME_cmp(nm, X509_CRL_get_issuer(crl))) + continue; + if (check_crl_time(ctx, crl, 0)) + { + *pcrl = crl; + CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509); + return 1; + } + best_crl = crl; + } + if (best_crl) + { + *pcrl = best_crl; + CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509); + } + + return 0; + } + /* Retrieve CRL corresponding to certificate: currently just a * subject lookup: maybe use AKID later... - * Also might look up any included CRLs too (e.g PKCS#7 signedData). */ -static int get_crl(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x) +static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x) { int ok; + X509_CRL *crl = NULL; X509_OBJECT xobj; - ok = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x), &xobj); - if (!ok) return 0; - *crl = xobj.data.crl; + X509_NAME *nm; + nm = X509_get_issuer_name(x); + ok = get_crl_sk(ctx, &crl, nm, ctx->crls); + if (ok) + { + *pcrl = crl; + return 1; + } + + ok = X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj); + + if (!ok) + { + /* If we got a near match from get_crl_sk use that */ + if (crl) + { + *pcrl = crl; + return 1; + } + return 0; + } + + *pcrl = xobj.data.crl; + if (crl) + X509_CRL_free(crl); return 1; } @@ -518,8 +625,7 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) { X509 *issuer = NULL; EVP_PKEY *ikey = NULL; - int ok = 0, chnum, cnum, i; - time_t *ptime; + int ok = 0, chnum, cnum; cnum = ctx->error_depth; chnum = sk_X509_num(ctx->chain) - 1; /* Find CRL issuer: if not last certificate then issuer @@ -571,45 +677,8 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) } } - /* OK, CRL signature valid check times */ - if (ctx->flags & X509_V_FLAG_USE_CHECK_TIME) - ptime = &ctx->check_time; - else - ptime = NULL; - - i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); - if (i == 0) - { - ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; - ok = ctx->verify_cb(0, ctx); - if (!ok) goto err; - } - - if (i > 0) - { - ctx->error=X509_V_ERR_CRL_NOT_YET_VALID; - ok = ctx->verify_cb(0, ctx); - if (!ok) goto err; - } - - if(X509_CRL_get_nextUpdate(crl)) - { - i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); - - if (i == 0) - { - ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; - ok = ctx->verify_cb(0, ctx); - if (!ok) goto err; - } - - if (i < 0) - { - ctx->error=X509_V_ERR_CRL_HAS_EXPIRED; - ok = ctx->verify_cb(0, ctx); - if (!ok) goto err; - } - } + if (!check_crl_time(ctx, crl, 1)) + goto err; ok = 1; @@ -665,12 +734,58 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) return 1; } +static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) + { + time_t *ptime; + int i; + + if (ctx->flags & X509_V_FLAG_USE_CHECK_TIME) + ptime = &ctx->check_time; + else + ptime = NULL; + + i=X509_cmp_time(X509_get_notBefore(x), ptime); + if (i == 0) + { + ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; + ctx->current_cert=x; + if (!ctx->verify_cb(0, ctx)) + return 0; + } + + if (i > 0) + { + ctx->error=X509_V_ERR_CERT_NOT_YET_VALID; + ctx->current_cert=x; + if (!ctx->verify_cb(0, ctx)) + return 0; + } + + i=X509_cmp_time(X509_get_notAfter(x), ptime); + if (i == 0) + { + ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; + ctx->current_cert=x; + if (!ctx->verify_cb(0, ctx)) + return 0; + } + + if (i < 0) + { + ctx->error=X509_V_ERR_CERT_HAS_EXPIRED; + ctx->current_cert=x; + if (!ctx->verify_cb(0, ctx)) + return 0; + } + + return 1; + } + static int internal_verify(X509_STORE_CTX *ctx) { - int i,ok=0,n; + int ok=0,n; X509 *xs,*xi; EVP_PKEY *pkey=NULL; - time_t *ptime; int (*cb)(); cb=ctx->verify_cb; @@ -679,10 +794,7 @@ static int internal_verify(X509_STORE_CTX *ctx) ctx->error_depth=n-1; n--; xi=sk_X509_value(ctx->chain,n); - if (ctx->flags & X509_V_FLAG_USE_CHECK_TIME) - ptime = &ctx->check_time; - else - ptime = NULL; + if (ctx->check_issued(ctx, xi, xi)) xs=xi; else @@ -735,41 +847,12 @@ static int internal_verify(X509_STORE_CTX *ctx) } EVP_PKEY_free(pkey); pkey=NULL; - - i=X509_cmp_time(X509_get_notBefore(xs), ptime); - if (i == 0) - { - ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; - ctx->current_cert=xs; - ok=(*cb)(0,ctx); - if (!ok) goto end; - } - if (i > 0) - { - ctx->error=X509_V_ERR_CERT_NOT_YET_VALID; - ctx->current_cert=xs; - ok=(*cb)(0,ctx); - if (!ok) goto end; - } - xs->valid=1; } - i=X509_cmp_time(X509_get_notAfter(xs), ptime); - if (i == 0) - { - ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; - ctx->current_cert=xs; - ok=(*cb)(0,ctx); - if (!ok) goto end; - } + xs->valid = 1; - if (i < 0) - { - ctx->error=X509_V_ERR_CERT_HAS_EXPIRED; - ctx->current_cert=xs; - ok=(*cb)(0,ctx); - if (!ok) goto end; - } + if (!check_cert_time(ctx, xs)) + goto end; /* The last error (if any) is still in the error value */ ctx->current_cert=xs; @@ -1000,6 +1083,11 @@ void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) ctx->untrusted=sk; } +void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) + { + ctx->crls=sk; + } + int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) { return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0); diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h index 41644a9fe2..3deb5e4002 100644 --- a/crypto/x509/x509_vfy.h +++ b/crypto/x509/x509_vfy.h @@ -218,6 +218,7 @@ struct x509_store_ctx_st /* X509_STORE_CTX */ /* The following are set by the caller */ X509 *cert; /* The cert to check */ STACK_OF(X509) *untrusted; /* chain of X509s - untrusted - passed in */ + STACK_OF(X509_CRL) *crls; /* CRLs */ int purpose; /* purpose to check untrusted certificates */ int trust; /* trust setting to check */ time_t check_time; /* time to make verify at */ @@ -409,6 +410,7 @@ STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx); STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx); void X509_STORE_CTX_set_cert(X509_STORE_CTX *c,X509 *x); void X509_STORE_CTX_set_chain(X509_STORE_CTX *c,STACK_OF(X509) *sk); +void X509_STORE_CTX_set0_crls(X509_STORE_CTX *c,STACK_OF(X509_CRL) *sk); int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose); int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust); int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,