Experimental support for partial chain verification: if an intermediate
certificate is explicitly trusted (using -addtrust option to x509 utility for example) the verification is sucessful even if the chain is not complete.
This commit is contained in:
parent
04e4b82726
commit
fbd2164044
3 changed files with 52 additions and 27 deletions
10
CHANGES
10
CHANGES
|
@ -4,6 +4,16 @@
|
|||
|
||||
Changes between 1.0.0 and 1.1.0 [xx XXX xxxx]
|
||||
|
||||
*) Initial experimental support for explicitly trusted non-root CAs.
|
||||
OpenSSL still tries to build a complete chain to a root but if an
|
||||
intermediate CA has a trust setting included that is used. The first
|
||||
setting is used: whether to trust or reject.
|
||||
[Steve Henson]
|
||||
|
||||
*) New -verify_name option in command line utilities to set verification
|
||||
parameters by name.
|
||||
[Steve Henson]
|
||||
|
||||
*) Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE.
|
||||
Add CMAC pkey methods.
|
||||
[Steve Henson]
|
||||
|
|
|
@ -114,6 +114,15 @@ int X509_check_trust(X509 *x, int id, int flags)
|
|||
X509_TRUST *pt;
|
||||
int idx;
|
||||
if(id == -1) return 1;
|
||||
/* We get this as a default value */
|
||||
if (id == 0)
|
||||
{
|
||||
int rv;
|
||||
rv = obj_trust(NID_anyExtendedKeyUsage, x, 0);
|
||||
if (rv != X509_TRUST_UNTRUSTED)
|
||||
return rv;
|
||||
return trust_compat(NULL, x, 0);
|
||||
}
|
||||
idx = X509_TRUST_get_by_id(id);
|
||||
if(idx == -1) return default_trust(id, x, flags);
|
||||
pt = X509_TRUST_get0(idx);
|
||||
|
|
|
@ -312,8 +312,13 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
|
|||
/* we now have our chain, lets check it... */
|
||||
xn=X509_get_issuer_name(x);
|
||||
|
||||
/* Is last certificate looked up self signed? */
|
||||
if (!ctx->check_issued(ctx,x,x))
|
||||
i = check_trust(ctx);
|
||||
|
||||
/* If explicitly rejected error */
|
||||
if (i == X509_TRUST_REJECTED)
|
||||
goto end;
|
||||
/* If not explicitly trusted then indicate error */
|
||||
if (i != X509_TRUST_TRUSTED)
|
||||
{
|
||||
if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss))
|
||||
{
|
||||
|
@ -351,12 +356,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
|
|||
|
||||
if (!ok) goto end;
|
||||
|
||||
/* The chain extensions are OK: check trust */
|
||||
|
||||
if (param->trust > 0) ok = check_trust(ctx);
|
||||
|
||||
if (!ok) goto end;
|
||||
|
||||
/* We may as well copy down any DSA parameters that are required */
|
||||
X509_get_pubkey_parameters(NULL,ctx->chain);
|
||||
|
||||
|
@ -647,28 +646,35 @@ static int check_name_constraints(X509_STORE_CTX *ctx)
|
|||
|
||||
static int check_trust(X509_STORE_CTX *ctx)
|
||||
{
|
||||
#ifdef OPENSSL_NO_CHAIN_VERIFY
|
||||
return 1;
|
||||
#else
|
||||
int i, ok;
|
||||
X509 *x;
|
||||
X509 *x = NULL;
|
||||
int (*cb)(int xok,X509_STORE_CTX *xctx);
|
||||
cb=ctx->verify_cb;
|
||||
/* For now just check the last certificate in the chain */
|
||||
i = sk_X509_num(ctx->chain) - 1;
|
||||
x = sk_X509_value(ctx->chain, i);
|
||||
ok = X509_check_trust(x, ctx->param->trust, 0);
|
||||
if (ok == X509_TRUST_TRUSTED)
|
||||
return 1;
|
||||
ctx->error_depth = i;
|
||||
ctx->current_cert = x;
|
||||
if (ok == X509_TRUST_REJECTED)
|
||||
ctx->error = X509_V_ERR_CERT_REJECTED;
|
||||
else
|
||||
ctx->error = X509_V_ERR_CERT_UNTRUSTED;
|
||||
ok = cb(0, ctx);
|
||||
return ok;
|
||||
#endif
|
||||
/* Check all trusted certificates in chain */
|
||||
for (i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++)
|
||||
{
|
||||
x = sk_X509_value(ctx->chain, i);
|
||||
ok = X509_check_trust(x, ctx->param->trust, 0);
|
||||
/* If explicitly trusted return trusted */
|
||||
if (ok == X509_TRUST_TRUSTED)
|
||||
return X509_TRUST_TRUSTED;
|
||||
/* If explicitly rejected notify callback and reject if
|
||||
* not overridden.
|
||||
*/
|
||||
if (ok == X509_TRUST_REJECTED)
|
||||
{
|
||||
ctx->error_depth = i;
|
||||
ctx->current_cert = x;
|
||||
ctx->error = X509_V_ERR_CERT_REJECTED;
|
||||
ok = cb(0, ctx);
|
||||
if (!ok)
|
||||
return X509_TRUST_REJECTED;
|
||||
}
|
||||
}
|
||||
/* If no trusted certs in chain at all return untrusted and
|
||||
* allow standard (no issuer cert) etc errors to be indicated.
|
||||
*/
|
||||
return X509_TRUST_UNTRUSTED;
|
||||
}
|
||||
|
||||
static int check_revocation(X509_STORE_CTX *ctx)
|
||||
|
|
Loading…
Reference in a new issue