diff options
author | Ben Laurie <ben@openssl.org> | 2012-12-14 12:53:53 +0000 |
---|---|---|
committer | Ben Laurie <ben@openssl.org> | 2012-12-14 12:53:53 +0000 |
commit | d65b8b2162f33ac0d53dace588a0847ed827626c (patch) | |
tree | 7fc5f91d14728ccb6934605677bd537b847e6998 /crypto/ocsp | |
parent | 5dca1e338c068931a1cdcb76d8db303a3d3dce25 (diff) |
Backport OCSP fixes.
Diffstat (limited to 'crypto/ocsp')
-rw-r--r-- | crypto/ocsp/ocsp_vfy.c | 73 |
1 files changed, 66 insertions, 7 deletions
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c index 8a5e788d96..214b4020fe 100644 --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c @@ -77,8 +77,10 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, { X509 *signer, *x; STACK_OF(X509) *chain = NULL; + STACK_OF(X509) *tmpchain = NULL; + X509_STORE *tmpstore = NULL; X509_STORE_CTX ctx; - int i, ret = 0; + int i, ret; ret = ocsp_find_signer(&signer, bs, certs, st, flags); if (!ret) { @@ -86,7 +88,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, goto end; } if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) - flags |= OCSP_NOVERIFY; + chain = certs; if (!(flags & OCSP_NOSIGS)) { EVP_PKEY *skey; @@ -102,6 +104,60 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, if (!(flags & OCSP_NOVERIFY)) { int init_res; + + /* If we trust the signer, we don't need to build a chain. + * (If the signer is a root certificate, X509_verify_cert() + * would fail anyway!) + */ + if (chain == certs) goto verified_chain; + + /* If we trust some "other" certificates, mark them as + * explicitly trusted (because some of them might be + * Intermediate CA Certificates), put them in a store and + * attempt to build a trusted chain. + */ + if ((flags & OCSP_TRUSTOTHER) && (certs != NULL)) + { + ASN1_OBJECT *objtmp = OBJ_nid2obj(NID_OCSP_sign); + tmpstore = X509_STORE_new(); + if (!tmpstore) + { + ret = -1; + OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE); + goto end; + } + for (i = 0; i < sk_X509_num(certs); i++) + { + X509 *xother = sk_X509_value(certs, i); + X509_add1_trust_object(xother, objtmp); + if (!X509_STORE_add_cert(tmpstore, xother)) + { + ret = -1; + goto end; + } + } + + init_res = X509_STORE_CTX_init(&ctx, tmpstore, signer, NULL); + if (!init_res) + { + ret = -1; + OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB); + goto end; + } + X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER); + ret = X509_verify_cert(&ctx); + if (ret == 1) + { + chain = tmpchain = X509_STORE_CTX_get1_chain(&ctx); + X509_STORE_CTX_cleanup(&ctx); + goto verified_chain; + } + X509_STORE_CTX_cleanup(&ctx); + } + + /* Attempt to build a chain up to a Root Certificate in the + * trust store provided by the caller. + */ if(flags & OCSP_NOCHAIN) init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL); else @@ -115,16 +171,18 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER); ret = X509_verify_cert(&ctx); - chain = X509_STORE_CTX_get1_chain(&ctx); + chain = tmpchain = X509_STORE_CTX_get1_chain(&ctx); X509_STORE_CTX_cleanup(&ctx); - if (ret <= 0) + if (ret <= 0) { i = X509_STORE_CTX_get_error(&ctx); OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR); ERR_add_error_data(2, "Verify error:", X509_verify_cert_error_string(i)); - goto end; - } + goto end; + } + + verified_chain: if(flags & OCSP_NOCHECKS) { ret = 1; @@ -155,7 +213,8 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, end: - if(chain) sk_X509_pop_free(chain, X509_free); + if(tmpchain) sk_X509_pop_free(tmpchain, X509_free); + if(tmpstore) X509_STORE_free(tmpstore); return ret; } |