author | Dr. Stephen Henson <steve@openssl.org> | 2006-09-21 12:42:15 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2006-09-21 12:42:15 +0000 |
commit | 010fa0b33169cfc9179bda29c34c05af80f78e27 (patch) | |
tree | caa4ce10ab61977cce2363a0fcdb32514caba7db /crypto/x509 | |
parent | 4ca7d975af7581473a587a59b9f8e39a69247dc0 (diff) |
Tidy up CRL handling by checking for critical extensions when the CRL is
loaded. Add new function X509_CRL_get0_by_serial() to lookup a revoked
entry to avoid the need to access the structure directly.
Add new X509_CRL_METHOD to allow common CRL operations (verify, lookup) to be
redirected.
Diffstat (limited to 'crypto/x509')
-rw-r--r-- | crypto/x509/x509.h | 7 | ||||
-rw-r--r-- | crypto/x509/x509_vfy.c | 59 | ||||
-rw-r--r-- | crypto/x509/x_all.c | 6 |
3 files changed, 19 insertions, 53 deletions
diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h
index de93bf9005..f28086c175 100644
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@@ -420,13 +420,13 @@ typedef struct x509_cert_pair_st {
 XN_FLAG_FN_LN | \
 XN_FLAG_FN_ALIGN)
-typedef struct X509_revoked_st
+struct x509_revoked_st
 {
 ASN1_INTEGER *serialNumber;
 ASN1_TIME *revocationDate;
 STACK_OF(X509_EXTENSION) /* optional */ *extensions;
 int sequence; /* load sequence */
- } X509_REVOKED;
+ };
 DECLARE_STACK_OF(X509_REVOKED)
 DECLARE_ASN1_SET_OF(X509_REVOKED)
@@ -460,6 +460,7 @@ struct X509_crl_st
 #ifndef OPENSSL_NO_SHA
 unsigned char sha1_hash[SHA_DIGEST_LENGTH];
 #endif
+ X509_CRL_METHOD *meth;
 } /* X509_CRL */;
 DECLARE_STACK_OF(X509_CRL)
@@ -969,6 +970,8 @@ DECLARE_ASN1_FUNCTIONS(X509_CRL_INFO)
 DECLARE_ASN1_FUNCTIONS(X509_CRL)
 int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
+int X509_CRL_get0_by_serial(X509_CRL *crl,
+ X509_REVOKED **ret, ASN1_INTEGER *serial);
 X509_PKEY * X509_PKEY_new(void );
 void X509_PKEY_free(X509_PKEY *a);
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 1252439f1e..d1aa3dafd6 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
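Review bot: The new prototype `int X509_CRL_get0_by_serial(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *serial);` in the third hunk carries no comment on its return convention, yet cert_crl in x509_vfy.c in this same commit passes `ret` as NULL and treats only a result `> 0` as "revoked", so 0 and any negative value both fall through as "not revoked". A header comment pinning the contract would prevent callers from guessing, e.g. `/* Look up serial in crl. Returns 1 if found (entry stored in *ret when ret is non-NULL), 0 if not found; document any error return separately. */`, adjusted to what the implementation (not in this diffstat) actually returns. Since the lookup only reads the serial, `const ASN1_INTEGER *serial` would also be worth considering if the implementation permits it.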
@@ -937,60 +937,29 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
 /* Check certificate against CRL */
 static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
 {
- int idx, ok;
- X509_REVOKED rtmp;
- STACK_OF(X509_EXTENSION) *exts;
- X509_EXTENSION *ext;
- /* Look for serial number of certificate in CRL */
- rtmp.serialNumber = X509_get_serialNumber(x);
- /* Sort revoked into serial number order if not already sorted.
- * Do this under a lock to avoid race condition.
- */
- if (!sk_X509_REVOKED_is_sorted(crl->crl->revoked))
- {
- CRYPTO_w_lock(CRYPTO_LOCK_X509_CRL);
- sk_X509_REVOKED_sort(crl->crl->revoked);
- CRYPTO_w_unlock(CRYPTO_LOCK_X509_CRL);
- }
- idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp);
- /* If found assume revoked: want something cleverer than
+ int ok;
+ /* Look for serial number of certificate in CRL
+ * If found assume revoked: want something cleverer than
 * this to handle entry extensions in V2 CRLs.
 */
- if(idx >= 0)
+ if (X509_CRL_get0_by_serial(crl, NULL, X509_get_serialNumber(x)) > 0)
 {
 ctx->error = X509_V_ERR_CERT_REVOKED;
 ok = ctx->verify_cb(0, ctx);
- if (!ok) return 0;
+ if (!ok)
+ return 0;
 }
- if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
- return 1;
-
- /* See if we have any critical CRL extensions: since we
- * currently only handle IDP the CRL must be rejected if any others
- * are present.
- * This code accesses the X509_CRL structure directly: applications
- * shouldn't do this.
- */
-
- exts = crl->crl->extensions;
-
- for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++)
+ if (crl->flags & EXFLAG_CRITICAL)
 {
- ext = sk_X509_EXTENSION_value(exts, idx);
- if (ext->critical > 0)
- {
- /* We handle IDP now so permit it */
- if (OBJ_obj2nid(ext->object) ==
- NID_issuing_distribution_point)
- continue;
- ctx->error =
- X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
- ok = ctx->verify_cb(0, ctx);
- if(!ok) return 0;
- break;
- }
+ if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
+ return 1;
+ ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
+ ok = ctx->verify_cb(0, ctx);
+ if(!ok)
+ return 0;
 }
+
 return 1;
 }
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index 9039caad60..de516f8fd4 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -83,12 +83,6 @@ int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r)
 a->sig_alg,a->signature,a->req_info,r));
 }
-int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r)
- {
- return(ASN1_item_verify(ASN1_ITEM_rptr(X509_CRL_INFO),
- a->sig_alg, a->signature,a->crl,r));
- }
-
 int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r)
 {
 return(ASN1_item_verify(ASN1_ITEM_rptr(NETSCAPE_SPKAC), |
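Review bot: The replacement check `if (crl->flags & EXFLAG_CRITICAL)` rejects any CRL flagged as carrying a critical extension, whereas the removed loop explicitly exempted a critical issuingDistributionPoint (`/* We handle IDP now so permit it */`). Whether that exemption survives now depends entirely on the load-time code that sets EXFLAG_CRITICAL, which is outside this diffstat (limited to crypto/x509); if that code flags every critical extension, CRLs with a critical IDP stop verifying. A comment at the check would make the contract explicit, e.g. `/* EXFLAG_CRITICAL is set at load time only for critical extensions the library does not handle; IDP is handled and excluded. */`, worded to match what the loader actually does. The `> 0` test on X509_CRL_get0_by_serial() also folds any negative (error) return into "not revoked" and continues to the extension check; if the function can fail, that case should be distinguished from a genuine miss rather than treated as a pass.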