Allow CRLs to be passed into X509_STORE_CTX. This is useful when the

verified structure can contain its own CRLs (such as PKCS#7 signedData). Tidy up some of the verify code.
author: Dr. Stephen Henson <steve@openssl.org> 2004-03-27 22:49:28 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2004-03-27 22:49:28 +0000
commit: e1a27eb34a6bf40af1bd6450d0fb3d57f6e24ab5 (patch)
tree: 85542e68548159b865c01b76a96ffe8de2ff7beb /crypto/x509
parent: 6446e0c3c8286428374ec738ffdc859802bd3c92 (diff)
2 files changed, 174 insertions, 84 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 2e4d0b823a..3e82f95486 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -499,17 +499,124 @@ static int check_cert(X509_STORE_CTX *ctx)
 
 	}
 
+/* Check CRL times against values in X509_STORE_CTX */
+
+static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
+	{
+	time_t *ptime;
+	int i;
+	ctx->current_crl = crl;
+	if (ctx->flags & X509_V_FLAG_USE_CHECK_TIME)
+		ptime = &ctx->check_time;
+	else
+		ptime = NULL;
+
+	i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
+	if (i == 0)
+		{
+		ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
+		if (!notify || !ctx->verify_cb(0, ctx))
+			return 0;
+		}
+
+	if (i > 0)
+		{
+		ctx->error=X509_V_ERR_CRL_NOT_YET_VALID;
+		if (!notify || !ctx->verify_cb(0, ctx))
+			return 0;
+		}
+
+	if(X509_CRL_get_nextUpdate(crl))
+		{
+		i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
+
+		if (i == 0)
+			{
+			ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
+			if (!notify || !ctx->verify_cb(0, ctx))
+				return 0;
+			}
+
+		if (i < 0)
+			{
+			ctx->error=X509_V_ERR_CRL_HAS_EXPIRED;
+			if (!notify || !ctx->verify_cb(0, ctx))
+				return 0;
+			}
+		}
+
+	ctx->current_crl = NULL;
+
+	return 1;
+	}
+
+/* Lookup CRLs from the supplied list. Look for matching isser name
+ * and validity. If we can't find a valid CRL return the last one
+ * with matching name. This gives more meaningful error codes. Otherwise
+ * we'd get a CRL not found error if a CRL existed with matching name but
+ * was invalid.
+ */
+
+static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl,
+			X509_NAME *nm, STACK_OF(X509_CRL) *crls)
+	{
+	int i;
+	X509_CRL *crl, *best_crl = NULL;
+	for (i = 0; i < sk_X509_CRL_num(crls); i++)
+		{
+		crl = sk_X509_CRL_value(crls, i);
+		if (X509_NAME_cmp(nm, X509_CRL_get_issuer(crl)))
+			continue;
+		if (check_crl_time(ctx, crl, 0))
+			{
+			*pcrl = crl;
+			CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509);
+			return 1;
+			}
+		best_crl = crl;
+		}
+	if (best_crl)
+		{
+		*pcrl = best_crl;
+		CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509);
+		}
+		
+	return 0;
+	}
+
 /* Retrieve CRL corresponding to certificate: currently just a
  * subject lookup: maybe use AKID later...
- * Also might look up any included CRLs too (e.g PKCS#7 signedData).
  */
-static int get_crl(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x)
+static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x)
 	{
 	int ok;
+	X509_CRL *crl = NULL;
 	X509_OBJECT xobj;
-	ok = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x), &xobj);
-	if (!ok) return 0;
-	*crl = xobj.data.crl;
+	X509_NAME *nm;
+	nm = X509_get_issuer_name(x);
+	ok = get_crl_sk(ctx, &crl, nm, ctx->crls);
+	if (ok)
+		{
+		*pcrl = crl;
+		return 1;
+		}
+
+	ok = X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj);
+
+	if (!ok)
+		{
+		/* If we got a near match from get_crl_sk use that */
+		if (crl)
+			{
+			*pcrl = crl;
+			return 1;
+			}
+		return 0;
+		}
+
+	*pcrl = xobj.data.crl;
+	if (crl)
+		X509_CRL_free(crl);
 	return 1;
 	}
 
@@ -518,8 +625,7 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
 	{
 	X509 *issuer = NULL;
 	EVP_PKEY *ikey = NULL;
-	int ok = 0, chnum, cnum, i;
-	time_t *ptime;
+	int ok = 0, chnum, cnum;
 	cnum = ctx->error_depth;
 	chnum = sk_X509_num(ctx->chain) - 1;
 	/* Find CRL issuer: if not last certificate then issuer
@@ -571,45 +677,8 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
 			}
 		}
 
-	/* OK, CRL signature valid check times */
-	if (ctx->flags & X509_V_FLAG_USE_CHECK_TIME)
-		ptime = &ctx->check_time;
-	else
-		ptime = NULL;
-
-	i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
-	if (i == 0)
-		{
-		ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
-		ok = ctx->verify_cb(0, ctx);
-		if (!ok) goto err;
-		}
-
-	if (i > 0)
-		{
-		ctx->error=X509_V_ERR_CRL_NOT_YET_VALID;
-		ok = ctx->verify_cb(0, ctx);
-		if (!ok) goto err;
-		}
-
-	if(X509_CRL_get_nextUpdate(crl))
-		{
-		i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
-
-		if (i == 0)
-			{
-			ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
-			ok = ctx->verify_cb(0, ctx);
-			if (!ok) goto err;
-			}
-
-		if (i < 0)
-			{
-			ctx->error=X509_V_ERR_CRL_HAS_EXPIRED;
-			ok = ctx->verify_cb(0, ctx);
-			if (!ok) goto err;
-			}
-		}
+	if (!check_crl_time(ctx, crl, 1))
+		goto err;
 
 	ok = 1;
 
@@ -665,12 +734,58 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
 	return 1;
 	}
 
+static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
+	{
+	time_t *ptime;
+	int i;
+
+	if (ctx->flags & X509_V_FLAG_USE_CHECK_TIME)
+		ptime = &ctx->check_time;
+	else
+		ptime = NULL;
+
+	i=X509_cmp_time(X509_get_notBefore(x), ptime);
+	if (i == 0)
+		{
+		ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
+		ctx->current_cert=x;
+		if (!ctx->verify_cb(0, ctx))
+			return 0;
+		}
+
+	if (i > 0)
+		{
+		ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
+		ctx->current_cert=x;
+		if (!ctx->verify_cb(0, ctx))
+			return 0;
+		}
+
+	i=X509_cmp_time(X509_get_notAfter(x), ptime);
+	if (i == 0)
+		{
+		ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
+		ctx->current_cert=x;
+		if (!ctx->verify_cb(0, ctx))
+			return 0;
+		}
+
+	if (i < 0)
+		{
+		ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
+		ctx->current_cert=x;
+		if (!ctx->verify_cb(0, ctx))
+			return 0;
+		}
+
+	return 1;
+	}
+
 static int internal_verify(X509_STORE_CTX *ctx)
 	{
-	int i,ok=0,n;
+	int ok=0,n;
 	X509 *xs,*xi;
 	EVP_PKEY *pkey=NULL;
-	time_t *ptime;
 	int (*cb)();
 
 	cb=ctx->verify_cb;
@@ -679,10 +794,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
 	ctx->error_depth=n-1;
 	n--;
 	xi=sk_X509_value(ctx->chain,n);
-	if (ctx->flags & X509_V_FLAG_USE_CHECK_TIME)
-		ptime = &ctx->check_time;
-	else
-		ptime = NULL;
+
 	if (ctx->check_issued(ctx, xi, xi))
 		xs=xi;
 	else
@@ -735,41 +847,12 @@ static int internal_verify(X509_STORE_CTX *ctx)
 				}
 			EVP_PKEY_free(pkey);
 			pkey=NULL;
-
-			i=X509_cmp_time(X509_get_notBefore(xs), ptime);
-			if (i == 0)
-				{
-				ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
-				ctx->current_cert=xs;
-				ok=(*cb)(0,ctx);
-				if (!ok) goto end;
-				}
-			if (i > 0)
-				{
-				ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
-				ctx->current_cert=xs;
-				ok=(*cb)(0,ctx);
-				if (!ok) goto end;
-				}
-			xs->valid=1;
 			}
 
-		i=X509_cmp_time(X509_get_notAfter(xs), ptime);
-		if (i == 0)
-			{
-			ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
-			ctx->current_cert=xs;
-			ok=(*cb)(0,ctx);
-			if (!ok) goto end;
-			}
+		xs->valid = 1;
 
-		if (i < 0)
-			{
-			ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
-			ctx->current_cert=xs;
-			ok=(*cb)(0,ctx);
-			if (!ok) goto end;
-			}
+		if (!check_cert_time(ctx, xs))
+			goto end;
 
 		/* The last error (if any) is still in the error value */
 		ctx->current_cert=xs;
@@ -1000,6 +1083,11 @@ void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
 	ctx->untrusted=sk;
 	}
 
+void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
+	{
+	ctx->crls=sk;
+	}
+
 int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
 	{
 	return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h
index 41644a9fe2..3deb5e4002 100644
--- a/crypto/x509/x509_vfy.h
+++ b/crypto/x509/x509_vfy.h
@@ -218,6 +218,7 @@ struct x509_store_ctx_st      /* X509_STORE_CTX */
 	/* The following are set by the caller */
 	X509 *cert;		/* The cert to check */
 	STACK_OF(X509) *untrusted;	/* chain of X509s - untrusted - passed in */
+	STACK_OF(X509_CRL) *crls; /* CRLs */
 	int purpose;		/* purpose to check untrusted certificates */
 	int trust;		/* trust setting to check */
 	time_t	check_time;	/* time to make verify at */
@@ -409,6 +410,7 @@ STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx);
 STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx);
 void	X509_STORE_CTX_set_cert(X509_STORE_CTX *c,X509 *x);
 void	X509_STORE_CTX_set_chain(X509_STORE_CTX *c,STACK_OF(X509) *sk);
+void	X509_STORE_CTX_set0_crls(X509_STORE_CTX *c,STACK_OF(X509_CRL) *sk);
 int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
 int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust);
 int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
author	Dr. Stephen Henson <steve@openssl.org>	2004-03-27 22:49:28 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2004-03-27 22:49:28 +0000
commit	e1a27eb34a6bf40af1bd6450d0fb3d57f6e24ab5 (patch)
tree	85542e68548159b865c01b76a96ffe8de2ff7beb /crypto/x509
parent	6446e0c3c8286428374ec738ffdc859802bd3c92 (diff)