author | Dr. Stephen Henson <steve@openssl.org> | 2006-07-25 17:39:38 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2006-07-25 17:39:38 +0000 |
commit | f6e7d014508b020818707d4b1544379e8b742e32 (patch) | |
tree | d974f0b497d3d31a71e4e872ed3a847eb7ceab7c /crypto/x509 | |
parent | edc540211c4852c57c01743a068aecc0e0a97b5c (diff) |
Support for multiple CRLs with same issuer name in X509_STORE. Modify
verify logic to try to use an unexpired CRL if possible.
Diffstat (limited to 'crypto/x509')
-rw-r--r-- | crypto/x509/x509.h | 1 | ||||
-rw-r--r-- | crypto/x509/x509_lu.c | 15 | ||||
-rw-r--r-- | crypto/x509/x509_vfy.c | 33 |
3 files changed, 46 insertions, 3 deletions
diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h
index ac5e4b60e4..31bc7539bf 100644
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@@ -1072,6 +1072,7 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b);
 unsigned long X509_NAME_hash(X509_NAME *x);
 int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b);
+int X509_CRL_match(const X509_CRL *a, const X509_CRL *b);
 #ifndef OPENSSL_NO_FP_API
 int X509_print_ex_fp(FILE *bp,X509 *x, unsigned long nmflag, unsigned long cflag);
 int X509_print_fp(FILE *bp,X509 *x);
diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c
index cd2cfb6d85..fbb1497fe2 100644
--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@@ -459,13 +459,24 @@ X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x
 X509_OBJECT *obj;
 idx = sk_X509_OBJECT_find(h, x);
 if (idx == -1) return NULL;
- if (x->type != X509_LU_X509) return sk_X509_OBJECT_value(h, idx);
+ if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL))
+ return sk_X509_OBJECT_value(h, idx);
 for (i = idx; i < sk_X509_OBJECT_num(h); i++)
 {
 obj = sk_X509_OBJECT_value(h, i);
 if (x509_object_cmp((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x))
 return NULL;
- if ((x->type != X509_LU_X509) || !X509_cmp(obj->data.x509, x->data.x509))
+ if (x->type == X509_LU_X509)
+ {
+ if (!X509_cmp(obj->data.x509, x->data.x509))
+ return obj;
+ }
+ else if (x->type == X509_LU_CRL)
+ {
+ if (!X509_CRL_match(obj->data.crl, x->data.crl))
+ return obj;
+ }
+ else
 return obj;
 }
 return NULL;
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 79dae3d3bf..e2109a4c35 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
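Review bot: The new X509_CRL_match prototype is added directly under X509_CRL_cmp with nothing in the header saying how the two differ, and a caller has to read x509_lu.c to learn that a zero result is treated as "this is the same CRL" after the sort comparison has already matched. A one-line comment above the declaration would settle it: `/* Returns 0 only when a and b are the same CRL; X509_CRL_cmp is a weaker ordering comparison */`. The definition of X509_CRL_match is not in this diffstat (it is limited to crypto/x509), so whether it compares the full encoding or a digest of it should be confirmed against wherever it lives before the comment is finalised.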
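Review bot: The trailing `else` / `return obj;` at the bottom of the loop in X509_OBJECT_retrieve_match is unreachable after this change: the early return added above the loop already sends every type other than X509_LU_X509 and X509_LU_CRL back with the first sorted match, so inside the loop x->type can only be one of those two. Either drop the dead branch and make the CRL case a plain `else { if (!X509_CRL_match(obj->data.crl, x->data.crl)) return obj; }`, or keep it and mark it `/* unreachable: other types returned above */` so the next reader does not hunt for a third type that lands there. The loop itself deserves a why-comment, since it is the whole reason duplicate-issuer CRLs now work, e.g. `/* several store entries can share a sort key; scan forward until the key changes looking for the exact object */`. The function's declarations (`int idx, i;`) and its closing brace are outside the hunk.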
@@ -713,7 +713,38 @@ static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x)
 return 0;
 }
- *pcrl = xobj.data.crl;
+ /* If CRL times not valid look through store */
+ if (!check_crl_time(ctx, xobj.data.crl, 0))
+ {
+ int idx, i;
+ X509_OBJECT *pobj;
+ X509_OBJECT_free_contents(&xobj);
+ idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs,
+ X509_LU_CRL, nm);
+ if (idx == -1)
+ return 0;
+ *pcrl = NULL;
+ for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
+ {
+ pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
+ /* Check to see if it is a CRL and issuer matches */
+ if (pobj->type != X509_LU_CRL)
+ break;
+ if (X509_NAME_cmp(nm,
+ X509_CRL_get_issuer(pobj->data.crl)))
+ break;
+ /* Set *pcrl because the CRL will either be valid or
+ * a "best fit" CRL.
+ */
+ *pcrl = pobj->data.crl;
+ if (check_crl_time(ctx, *pcrl, 0))
+ break;
+ }
+ if (*pcrl)
+ CRYPTO_add(&(*pcrl)->references, 1, CRYPTO_LOCK_X509);
+ }
+ else
+ *pcrl = xobj.data.crl;
 if (crl)
 X509_CRL_free(crl);
 return 1;
|
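Review bot: The reference taken at the end of the new store walk, `CRYPTO_add(&(*pcrl)->references, 1, CRYPTO_LOCK_X509);`, bumps an X509_CRL refcount under the X509 lock id; if the matching decrement in X509_CRL_free runs under the CRL-specific id CRYPTO_LOCK_X509_CRL, the increment and decrement are not serialised by the same lock and the count can be corrupted under concurrent verification, so this line should read `CRYPTO_add(&(*pcrl)->references, 1, CRYPTO_LOCK_X509_CRL);`. On the `idx == -1` path the function returns 0 straight after X509_OBJECT_free_contents without the `if (crl) X509_CRL_free(crl);` that the success path performs, which leaks `crl` whenever it is non-NULL; fold the free in with `if (idx == -1) { if (crl) X509_CRL_free(crl); return 0; }`. The walk reads `ctx->ctx->objs` directly with no store lock visible in the hunk, so if the other accessors of that stack hold CRYPTO_LOCK_X509_STORE around it, this loop needs the same read lock. The "best fit" comment also oversells what the loop does: when every same-issuer CRL fails check_crl_time, *pcrl is simply the last one encountered rather than the newest, and the comment should say so, e.g. `/* fall back to the last same-issuer CRL seen; no attempt is made to pick the newest */`. get_crl begins before this hunk, so the earlier lookup that fills xobj and crl is not visible here.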