d02b48c6 | 1 | /* crypto/x509/x509_vfy.c */ |
58964a49 | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
d02b48c6 RE |
3 | * All rights reserved. |
4 | * | |
5 | * This package is an SSL implementation written | |
6 | * by Eric Young (eay@cryptsoft.com). | |
7 | * The implementation was written so as to conform with Netscapes SSL. | |
8 | * | |
9 | * This library is free for commercial and non-commercial use as long as | |
10 | * the following conditions are aheared to. The following conditions | |
11 | * apply to all code found in this distribution, be it the RC4, RSA, | |
12 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation | |
13 | * included with this distribution is covered by the same copyright terms | |
14 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). | |
15 | * | |
16 | * Copyright remains Eric Young's, and as such any Copyright notices in | |
17 | * the code are not to be removed. | |
18 | * If this package is used in a product, Eric Young should be given attribution | |
19 | * as the author of the parts of the library used. | |
20 | * This can be in the form of a textual message at program startup or | |
21 | * in documentation (online or textual) provided with the package. | |
22 | * | |
23 | * Redistribution and use in source and binary forms, with or without | |
24 | * modification, are permitted provided that the following conditions | |
25 | * are met: | |
26 | * 1. Redistributions of source code must retain the copyright | |
27 | * notice, this list of conditions and the following disclaimer. | |
28 | * 2. Redistributions in binary form must reproduce the above copyright | |
29 | * notice, this list of conditions and the following disclaimer in the | |
30 | * documentation and/or other materials provided with the distribution. | |
31 | * 3. All advertising materials mentioning features or use of this software | |
32 | * must display the following acknowledgement: | |
33 | * "This product includes cryptographic software written by | |
34 | * Eric Young (eay@cryptsoft.com)" | |
35 | * The word 'cryptographic' can be left out if the rouines from the library | |
36 | * being used are not cryptographic related :-). | |
37 | * 4. If you include any Windows specific code (or a derivative thereof) from | |
38 | * the apps directory (application code) you must include an acknowledgement: | |
39 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | |
40 | * | |
41 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND | |
42 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
43 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
44 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
45 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
46 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
47 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
49 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
50 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
51 | * SUCH DAMAGE. | |
52 | * | |
53 | * The licence and distribution terms for any publically available version or | |
54 | * derivative of this code cannot be changed. i.e. this code cannot simply be | |
55 | * copied and put under another distribution licence | |
56 | * [including the GNU Public Licence.] | |
57 | */ | |
58 | ||
59 | #include <stdio.h> | |
60 | #include <time.h> | |
61 | #include <errno.h> | |
d02b48c6 RE |
62 | |
63 | #include "cryptlib.h" | |
17f389bb | 64 | #include <openssl/crypto.h> |
ec577822 BM |
65 | #include <openssl/lhash.h> |
66 | #include <openssl/buffer.h> | |
67 | #include <openssl/evp.h> | |
68 | #include <openssl/asn1.h> | |
69 | #include <openssl/x509.h> | |
11262391 | 70 | #include <openssl/x509v3.h> |
ec577822 | 71 | #include <openssl/objects.h> |
d02b48c6 | 72 | |
/* Prototypes for the file-local helpers defined further down. */
static int null_callback(int ok,X509_STORE_CTX *e);
static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
static int check_chain_purpose(X509_STORE_CTX *ctx);
static int check_trust(X509_STORE_CTX *ctx);
static int check_revocation(X509_STORE_CTX *ctx);
static int check_cert(X509_STORE_CTX *ctx);
static int internal_verify(X509_STORE_CTX *ctx);
/* Module version string: "X.509" followed by the library version text. */
const char *X509_version="X.509" OPENSSL_VERSION_PTEXT;

/* State handed to CRYPTO_get_ex_new_index() by
 * X509_STORE_CTX_get_ex_new_index(): the registered ex_data method stack
 * and the next index to give out. Both are plain file-scope variables with
 * no locking of their own. */
static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_store_ctx_method=NULL;
static int x509_store_ctx_num=0;
3ac82faa | 85 | |
d02b48c6 | 86 | |
/* Verification callback that overrides nothing: it hands back the verdict
 * it was given, so every reported error stays fatal. The context argument
 * is not used. */
static int null_callback(int ok, X509_STORE_CTX *e)
{
    (void)e;
    return ok;
}
91 | ||
#if 0
/* Compiled out: comparison helper that orders two X509 pointers by subject
 * name via X509_subject_name_cmp(). Nothing in the visible file uses it. */
static int x509_subject_cmp(X509 **a, X509 **b)
{
    return X509_subject_name_cmp(*a,*b);
}
#endif
98 | ||
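/* Build a chain for ctx->cert and verify it.
 *
 * The chain is first extended from the caller-supplied untrusted stack
 * (ctx->untrusted), then from the trusted source behind ctx->get_issuer.
 * Once built, the chain is checked for purpose (ctx->purpose > 0), trust
 * (ctx->trust > 0) and revocation (ctx->check_revocation), and finally
 * handed to ctx->verify or internal_verify() for signature and validity
 * period checks.
 *
 * Every failure is reported through ctx->verify_cb with ok == 0; if the
 * callback returns non-zero the failure is overridden and processing
 * continues. A non-zero result therefore means "accepted by the callback
 * policy", which is only as strict as the callback installed by the caller.
 *
 * Returns -1 when no certificate is set, a negative value passed through
 * from ctx->get_issuer, 0 on failure, and otherwise the final verdict.
 *
 * Changes from the previous version of this function:
 *  - the two early returns inside the store-lookup loop now release sktmp
 *    and chain_ss instead of leaking them;
 *  - the push of the saved self-signed certificate is checked, so an
 *    allocation failure no longer leaks chain_ss and no longer leaves
 *    error_depth pointing past the end of the chain;
 *  - the unused local xn and its dead assignments are gone.
 */
int X509_verify_cert(X509_STORE_CTX *ctx)
{
    X509 *x, *xtmp, *chain_ss = NULL;
    int depth, i, ok = 0;
    int num;
    int (*cb)();
    STACK_OF(X509) *sktmp = NULL;

    if (ctx->cert == NULL) {
        X509err(X509_F_X509_VERIFY_CERT, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
        return -1;
    }

    cb = ctx->verify_cb;

    /* first we make sure the chain we are going to build is
     * present and that the first entry is in place */
    if (ctx->chain == NULL) {
        if (((ctx->chain = sk_X509_new_null()) == NULL) ||
            (!sk_X509_push(ctx->chain, ctx->cert))) {
            X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
            goto end;
        }
        /* the chain now holds its own reference to the leaf */
        CRYPTO_add(&ctx->cert->references, 1, CRYPTO_LOCK_X509);
        ctx->last_untrusted = 1;
    }

    /* We use a temporary STACK so we can chop and hack at it */
    if (ctx->untrusted != NULL
        && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {
        X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
        goto end;
    }

    num = sk_X509_num(ctx->chain);
    x = sk_X509_value(ctx->chain, num - 1);
    depth = ctx->depth;

    for (;;) {
        /* If we have enough, we break */
        if (depth < num)
            break;  /* FIXME: If this happens, we should take
                     * note of it and, if appropriate, use the
                     * X509_V_ERR_CERT_CHAIN_TOO_LONG error
                     * code later.
                     */

        /* If we are self signed, we break */
        if (ctx->check_issued(ctx, x, x))
            break;

        /* If we were passed a cert chain, use it first */
        if (ctx->untrusted != NULL) {
            xtmp = find_issuer(ctx, sktmp, x);
            if (xtmp != NULL) {
                if (!sk_X509_push(ctx->chain, xtmp)) {
                    X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
                    goto end;
                }
                CRYPTO_add(&xtmp->references, 1, CRYPTO_LOCK_X509);
                /* drop it from the candidates so it cannot be picked twice */
                sk_X509_delete_ptr(sktmp, xtmp);
                ctx->last_untrusted++;
                x = xtmp;
                num++;
                /* reparse the full chain for
                 * the next one */
                continue;
            }
        }
        break;
    }

    /* at this point, chain should contain a list of untrusted
     * certificates.  We now need to add at least one trusted one,
     * if possible, otherwise we complain. */

    /* Examine last certificate in chain and see if it
     * is self signed.
     */
    i = sk_X509_num(ctx->chain);
    x = sk_X509_value(ctx->chain, i - 1);
    if (ctx->check_issued(ctx, x, x)) {
        /* we have a self signed certificate */
        if (sk_X509_num(ctx->chain) == 1) {
            /* We have a single self signed certificate: see if
             * we can find it in the store. We must have an exact
             * match to avoid possible impersonation.
             */
            ok = ctx->get_issuer(&xtmp, ctx, x);
            if ((ok <= 0) || X509_cmp(x, xtmp)) {
                ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
                ctx->current_cert = x;
                ctx->error_depth = i - 1;
                if (ok == 1)
                    X509_free(xtmp);
                ok = cb(0, ctx);
                if (!ok)
                    goto end;
            } else {
                /* We have a match: replace certificate with store version
                 * so we get any trust settings.
                 */
                X509_free(x);
                x = xtmp;
                sk_X509_set(ctx->chain, i - 1, x);
                ctx->last_untrusted = 0;
            }
        } else {
            /* extract and save self signed certificate for later use */
            chain_ss = sk_X509_pop(ctx->chain);
            ctx->last_untrusted--;
            num--;
            x = sk_X509_value(ctx->chain, num - 1);
        }
    }

    /* We now lookup certs from the certificate store */
    for (;;) {
        /* If we have enough, we break */
        if (depth < num)
            break;

        /* If we are self signed, we break */
        if (ctx->check_issued(ctx, x, x))
            break;

        ok = ctx->get_issuer(&xtmp, ctx, x);

        /* Lookup error: hand the negative code back, but release the
         * temporaries first. */
        if (ok < 0)
            goto cleanup;
        if (ok == 0)
            break;

        x = xtmp;
        if (!sk_X509_push(ctx->chain, x)) {
            X509_free(xtmp);
            X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
            ok = 0;
            goto cleanup;
        }
        num++;
    }

    /* we now have our chain, lets check it... */

    /* Is last certificate looked up self signed? */
    if (!ctx->check_issued(ctx, x, x)) {
        if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) {
            if (ctx->last_untrusted >= num)
                ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
            else
                ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
            ctx->current_cert = x;
        } else {
            /* The untrusted self-signed certificate set aside earlier
             * completes the chain; put it back and report it. */
            if (!sk_X509_push(ctx->chain, chain_ss)) {
                X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
                ok = 0;
                goto end;   /* chain_ss is still ours and is freed below */
            }
            num++;
            ctx->last_untrusted = num;
            ctx->current_cert = chain_ss;
            ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
            chain_ss = NULL;    /* ownership moved to the chain */
        }

        ctx->error_depth = num - 1;
        ok = cb(0, ctx);
        if (!ok)
            goto end;
    }

    /* We have the chain complete: now we need to check its purpose */
    if (ctx->purpose > 0)
        ok = check_chain_purpose(ctx);

    if (!ok)
        goto end;

    /* The chain extensions are OK: check trust */
    if (ctx->trust > 0)
        ok = check_trust(ctx);

    if (!ok)
        goto end;

    /* We may as well copy down any DSA parameters that are required */
    X509_get_pubkey_parameters(NULL, ctx->chain);

    /* Check revocation status: we do this after copying parameters
     * because they may be needed for CRL signature verification.
     */
    ok = ctx->check_revocation(ctx);
    if (!ok)
        goto end;

    /* At this point, we have a chain and just need to verify it */
    if (ctx->verify != NULL)
        ok = ctx->verify(ctx);
    else
        ok = internal_verify(ctx);
    goto cleanup;

end:
    /* Failure exits still copy down key parameters, as before. */
    X509_get_pubkey_parameters(NULL, ctx->chain);
cleanup:
    if (sktmp != NULL)
        sk_X509_free(sktmp);
    if (chain_ss != NULL)
        X509_free(chain_ss);
    return ok;
}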
321 | ||
2f043896 DSH |
322 | |
/* Walk the candidate stack sk in order and return the first certificate
 * that ctx->check_issued accepts as the issuer of x, or NULL when none
 * matches. The result is the pointer stored in sk; no reference is taken
 * here, so callers that keep it must bump the count themselves.
 */
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
{
    int idx = 0;

    while (idx < sk_X509_num(sk)) {
        X509 *candidate = sk_X509_value(sk, idx);

        if (ctx->check_issued(ctx, x, candidate))
            return candidate;
        idx++;
    }
    return NULL;
}
338 | ||
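/* Decide whether issuer issued x.
 *
 * Returns 1 when X509_check_issued() reports X509_V_OK. Otherwise the
 * answer is 0, unless X509_V_FLAG_CB_ISSUER_CHECK is set: in that case the
 * mismatch code is stored in ctx->error, ctx->current_cert and
 * ctx->current_issuer are set, and the verify callback's return value is
 * used instead. With that flag a permissive callback can make an issuer
 * mismatch count as a match.
 *
 * The unreachable "return 0" that followed the callback return has been
 * removed.
 */
static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
{
    int ret;

    ret = X509_check_issued(issuer, x);
    if (ret == X509_V_OK)
        return 1;
    /* If we haven't asked for issuer errors don't set ctx */
    if (!(ctx->flags & X509_V_FLAG_CB_ISSUER_CHECK))
        return 0;

    ctx->error = ret;
    ctx->current_cert = x;
    ctx->current_issuer = issuer;
    return ctx->verify_cb(0, ctx);
}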
357 | ||
/* Alternative issuer lookup: search the certificate stack kept in
 * ctx->other_ctx instead of a store. On a hit, *issuer receives the
 * certificate with its reference count raised by one and 1 is returned;
 * on a miss *issuer is NULL and 0 is returned.
 */
static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
{
    X509 *found = find_issuer(ctx, ctx->other_ctx, x);

    *issuer = found;
    if (!found)
        return 0;

    /* the caller receives its own reference */
    CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509);
    return 1;
}
371 | ||
372 | ||
11262391 DSH |
/* Check the extensions of the untrusted part of the chain against
 * ctx->purpose.
 *
 * Only entries below ctx->last_untrusted are examined. Depth 0 must pass
 * X509_check_purpose() as an end entity (failure: INVALID_PURPOSE), deeper
 * entries as a CA (failure: INVALID_CA). For depth > 1 the pathlen
 * constraint is enforced as well. Each failure goes to the verify
 * callback, which may override it.
 *
 * When OPENSSL_NO_CHAIN_VERIFY is defined none of this is compiled in and
 * the function reports success unconditionally.
 */
static int check_chain_purpose(X509_STORE_CTX *ctx)
{
#ifdef OPENSSL_NO_CHAIN_VERIFY
    return 1;
#else
    int depth;
    int (*cb)() = ctx->verify_cb;

    /* Check all untrusted certificates */
    for (depth = 0; depth < ctx->last_untrusted; depth++) {
        X509 *cert = sk_X509_value(ctx->chain, depth);

        if (!X509_check_purpose(cert, ctx->purpose, depth)) {
            ctx->error = depth ? X509_V_ERR_INVALID_CA
                               : X509_V_ERR_INVALID_PURPOSE;
            ctx->error_depth = depth;
            ctx->current_cert = cert;
            if (!cb(0, ctx))
                return 0;
        }

        /* Check pathlen: -1 means the certificate carries no limit */
        if ((depth > 1) && (cert->ex_pathlen != -1)
            && (depth > (cert->ex_pathlen + 1))) {
            ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
            ctx->error_depth = depth;
            ctx->current_cert = cert;
            if (!cb(0, ctx))
                return 0;
        }
    }
    return 1;
#endif
}
417 | ||
51630a37 DSH |
/* Apply the trust setting ctx->trust to the chain.
 *
 * For now only the last certificate in the chain is examined. A verdict of
 * X509_TRUST_TRUSTED succeeds immediately; anything else is reported to the
 * verify callback as CERT_REJECTED (explicit rejection) or CERT_UNTRUSTED,
 * and the callback's answer is returned.
 *
 * When OPENSSL_NO_CHAIN_VERIFY is defined the check is compiled out and the
 * function always returns 1.
 */
static int check_trust(X509_STORE_CTX *ctx)
{
#ifdef OPENSSL_NO_CHAIN_VERIFY
    return 1;
#else
    int (*cb)() = ctx->verify_cb;
    int top = sk_X509_num(ctx->chain) - 1;
    X509 *anchor = sk_X509_value(ctx->chain, top);
    int verdict = X509_check_trust(anchor, ctx->trust, 0);

    if (verdict == X509_TRUST_TRUSTED)
        return 1;

    ctx->error_depth = top;
    ctx->current_cert = anchor;
    ctx->error = (verdict == X509_TRUST_REJECTED) ? X509_V_ERR_CERT_REJECTED
                                                  : X509_V_ERR_CERT_UNTRUSTED;
    return cb(0, ctx);
#endif
}
443 | ||
b545dc67 DSH |
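/* Run CRL checks over the chain.
 *
 * Nothing is checked unless X509_V_FLAG_CRL_CHECK is set. With that flag
 * alone only the certificate at depth 0 is checked; adding
 * X509_V_FLAG_CRL_CHECK_ALL extends the check to every certificate in the
 * chain. The two cases were assigned the other way round before, so that
 * asking for "all" checked only the leaf.
 *
 * Returns 1 when every examined certificate passed (or checking is off),
 * otherwise the failing result from check_cert().
 */
static int check_revocation(X509_STORE_CTX *ctx)
{
    int i, last, ok;

    if (!(ctx->flags & X509_V_FLAG_CRL_CHECK))
        return 1;
    if (ctx->flags & X509_V_FLAG_CRL_CHECK_ALL)
        last = sk_X509_num(ctx->chain) - 1;
    else
        last = 0;
    for (i = 0; i <= last; i++) {
        /* check_cert() picks the certificate to examine from error_depth */
        ctx->error_depth = i;
        ok = check_cert(ctx);
        if (!ok)
            return ok;
    }
    return 1;
}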
461 | ||
/* Revocation check for the certificate at depth ctx->error_depth.
 *
 * Fetches a CRL through ctx->get_crl, validates it with ctx->check_crl and
 * then looks the certificate up in it with ctx->cert_crl. If no CRL can be
 * obtained, X509_V_ERR_UNABLE_TO_GET_CRL goes to the verify callback and
 * its answer is returned as is: a callback that accepts this error lets
 * the certificate through without any revocation check.
 *
 * ctx->current_crl is cleared and the CRL released before returning.
 */
static int check_cert(X509_STORE_CTX *ctx)
{
    X509_CRL *crl = NULL;
    int depth = ctx->error_depth;
    X509 *cert = sk_X509_value(ctx->chain, depth);
    int ok;

    ctx->current_cert = cert;

    /* Try to retrieve relevant CRL */
    if (!ctx->get_crl(ctx, &crl, cert)) {
        /* If error looking up CRL, nothing we can do except
         * notify callback
         */
        ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
        ok = ctx->verify_cb(0, ctx);
    } else {
        ctx->current_crl = crl;
        ok = ctx->check_crl(ctx, crl);
        if (ok)
            ok = ctx->cert_crl(ctx, crl, cert);
    }

    ctx->current_crl = NULL;
    X509_CRL_free(crl);
    return ok;
}
491 | ||
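/* Retrieve CRL corresponding to certificate: currently just a
 * subject lookup: maybe use AKID later...
 * Also might look up any included CRLs too (e.g PKCS#7 signedData).
 *
 * The lookup key is the issuer name of x. Returns 1 with *crl set on a
 * hit and 0 otherwise.
 *
 * Only a positive lookup result counts as a hit. xobj is filled in by the
 * lookup, so reading xobj.data.crl after any other result would use an
 * uninitialised pointer. The previous test (!ok) let a negative result
 * through. NOTE(review): X509_verify_cert() handles negative results from
 * its issuer lookup, which suggests store lookups can return them; confirm
 * the convention of X509_STORE_get_by_subject() in x509_lu.c.
 */
static int get_crl(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x)
{
    int ok;
    X509_OBJECT xobj;

    ok = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x), &xobj);
    if (ok <= 0)
        return 0;
    *crl = xobj.data.crl;
    return 1;
}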
505 | ||
/* Check CRL validity: signature and update times.
 *
 * The signer is taken to be the next certificate up the chain from the one
 * at ctx->error_depth; for the top of the chain it is that certificate
 * itself, which is reported (UNABLE_TO_GET_CRL_ISSUER) if it is not
 * self-signed. The CRL signature is verified with the signer's public key,
 * then lastUpdate and, when present, nextUpdate are compared with the
 * check time (ctx->check_time under X509_V_FLAG_USE_CHECK_TIME, otherwise
 * the current time).
 *
 * Every problem is passed to the verify callback; a non-zero answer
 * overrides it and the remaining checks still run. Returns 1 when all
 * checks passed or were overridden, 0 when the callback refused.
 */
static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
{
    X509 *signer = NULL;
    EVP_PKEY *signer_key = NULL;
    int ok = 0, top, depth, cmp;
    time_t *when;

    depth = ctx->error_depth;
    top = sk_X509_num(ctx->chain) - 1;

    /* Find CRL issuer: if not last certificate then issuer
     * is next certificate in chain.
     */
    if (depth < top) {
        signer = sk_X509_value(ctx->chain, depth + 1);
    } else {
        signer = sk_X509_value(ctx->chain, top);
        /* If not self signed, can't check signature */
        if (!ctx->check_issued(ctx, signer, signer)) {
            ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
            ok = ctx->verify_cb(0, ctx);
            if (!ok)
                goto err;
        }
    }

    if (signer) {
        /* Attempt to get issuer certificate public key */
        signer_key = X509_get_pubkey(signer);

        if (!signer_key) {
            ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
            ok = ctx->verify_cb(0, ctx);
            if (!ok)
                goto err;
        } else if (X509_CRL_verify(crl, signer_key) <= 0) {
            /* Verify CRL signature */
            ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE;
            ok = ctx->verify_cb(0, ctx);
            if (!ok)
                goto err;
        }
    }

    /* OK, CRL signature valid check times */
    when = (ctx->flags & X509_V_FLAG_USE_CHECK_TIME) ? &ctx->check_time : NULL;

    cmp = X509_cmp_time(X509_CRL_get_lastUpdate(crl), when);
    if (cmp == 0) {
        /* 0 is X509_cmp_time's "could not parse" result */
        ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
        ok = ctx->verify_cb(0, ctx);
        if (!ok)
            goto err;
    }

    if (cmp > 0) {
        ctx->error = X509_V_ERR_CRL_NOT_YET_VALID;
        ok = ctx->verify_cb(0, ctx);
        if (!ok)
            goto err;
    }

    if (X509_CRL_get_nextUpdate(crl)) {
        cmp = X509_cmp_time(X509_CRL_get_nextUpdate(crl), when);

        if (cmp == 0) {
            ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
            ok = ctx->verify_cb(0, ctx);
            if (!ok)
                goto err;
        }

        if (cmp < 0) {
            ctx->error = X509_V_ERR_CRL_HAS_EXPIRED;
            ok = ctx->verify_cb(0, ctx);
            if (!ok)
                goto err;
        }
    }

    ok = 1;

err:
    EVP_PKEY_free(signer_key);
    return ok;
}
602 | ||
/* Check certificate against CRL: look the certificate's serial number up
 * in the CRL's revoked list. Returns 1 when it is not listed. When it is
 * listed, X509_V_ERR_CERT_REVOKED is reported and the verify callback's
 * answer is returned, so a permissive callback can accept a revoked
 * certificate.
 */
static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
{
    X509_REVOKED probe;
    int pos;

    /* Only the serial number of the probe entry is filled in. */
    probe.serialNumber = X509_get_serialNumber(x);
    pos = sk_X509_REVOKED_find(crl->crl->revoked, &probe);

    /* Not found: OK */
    if (pos == -1)
        return 1;

    /* Otherwise revoked: want something cleverer than
     * this to handle entry extensions in V2 CRLs.
     */
    ctx->error = X509_V_ERR_CERT_REVOKED;
    return ctx->verify_cb(0, ctx);
}
620 | ||
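/* Default chain verifier: walk ctx->chain from the top down to the leaf,
 * checking each certificate's signature against its issuer's public key
 * and its notBefore/notAfter against the check time.
 *
 * xs is the certificate being checked and xi its issuer. If the top of
 * the chain is self-signed it is checked against itself; otherwise it acts
 * only as issuer for the certificate below it. Each failure goes to the
 * verify callback with ok == 0, and after each certificate the callback is
 * also invoked with ok == 1.
 *
 * Points a caller should be aware of:
 *  - A lone certificate that is not self-signed is reported as
 *    UNABLE_TO_VERIFY_LEAF_SIGNATURE and the callback's answer is returned
 *    directly, before any signature or date check has run.
 *  - xs->valid caches the outcome of the signature and notBefore checks.
 *    It is set to 1 whenever that block completes, including when the
 *    callback overrode a failure inside it, and while it is set those two
 *    checks are skipped for that X509 object.
 *
 * Change from the previous version: when the issuer's public key cannot be
 * decoded and the callback chooses to continue, the signature check is now
 * skipped instead of calling X509_verify() with a NULL key.
 */
static int internal_verify(X509_STORE_CTX *ctx)
{
    int i, ok = 0, n;
    X509 *xs, *xi;
    EVP_PKEY *pkey = NULL;
    time_t *ptime;
    int (*cb)();

    cb = ctx->verify_cb;

    n = sk_X509_num(ctx->chain);
    ctx->error_depth = n - 1;
    n--;
    xi = sk_X509_value(ctx->chain, n);
    if (ctx->flags & X509_V_FLAG_USE_CHECK_TIME)
        ptime = &ctx->check_time;
    else
        ptime = NULL;
    if (ctx->check_issued(ctx, xi, xi)) {
        xs = xi;
    } else {
        if (n <= 0) {
            ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
            ctx->current_cert = xi;
            ok = cb(0, ctx);
            goto end;
        } else {
            n--;
            ctx->error_depth = n;
            xs = sk_X509_value(ctx->chain, n);
        }
    }

    /* ctx->error=0;  not needed */
    while (n >= 0) {
        ctx->error_depth = n;
        if (!xs->valid) {
            if ((pkey = X509_get_pubkey(xi)) == NULL) {
                ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
                ctx->current_cert = xi;
                ok = (*cb)(0, ctx);
                if (!ok)
                    goto end;
                /* No key to verify with: the signature stays unchecked
                 * because the callback accepted the error. */
            } else if (X509_verify(xs, pkey) <= 0) {
                /* XXX  For the final trusted self-signed cert,
                 * this is a waste of time.  That check should
                 * optional so that e.g. 'openssl x509' can be
                 * used to detect invalid self-signatures, but
                 * we don't verify again and again in SSL
                 * handshakes and the like once the cert has
                 * been declared trusted. */
                ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
                ctx->current_cert = xs;
                ok = (*cb)(0, ctx);
                if (!ok) {
                    EVP_PKEY_free(pkey);
                    goto end;
                }
            }
            EVP_PKEY_free(pkey);
            pkey = NULL;

            i = X509_cmp_time(X509_get_notBefore(xs), ptime);
            if (i == 0) {
                ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
                ctx->current_cert = xs;
                ok = (*cb)(0, ctx);
                if (!ok)
                    goto end;
            }
            if (i > 0) {
                ctx->error = X509_V_ERR_CERT_NOT_YET_VALID;
                ctx->current_cert = xs;
                ok = (*cb)(0, ctx);
                if (!ok)
                    goto end;
            }
            /* Cached even when a failure above was overridden. */
            xs->valid = 1;
        }

        /* notAfter is evaluated on every call, cached or not */
        i = X509_cmp_time(X509_get_notAfter(xs), ptime);
        if (i == 0) {
            ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
            ctx->current_cert = xs;
            ok = (*cb)(0, ctx);
            if (!ok)
                goto end;
        }

        if (i < 0) {
            ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
            ctx->current_cert = xs;
            ok = (*cb)(0, ctx);
            if (!ok)
                goto end;
        }

        /* CRL CHECK */

        /* The last error (if any) is still in the error value */
        ctx->current_cert = xs;
        ok = (*cb)(1, ctx);
        if (!ok)
            goto end;

        n--;
        if (n >= 0) {
            /* step down: the cert just checked issues the next one */
            xi = xs;
            xs = sk_X509_value(ctx->chain, n);
        }
    }
    ok = 1;
end:
    return ok;
}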
745 | ||
/* Compare ctm with the current time. Shorthand for X509_cmp_time() with no
 * reference time supplied; the result has the same meaning. */
int X509_cmp_current_time(ASN1_TIME *ctm)
{
    time_t *now = NULL;

    return X509_cmp_time(ctm, now);
}
750 | ||
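/* Compare the ASN.1 time ctm with a reference time.
 *
 * cmp_time points to the reference time, or is NULL for "now". Returns a
 * negative value when ctm is earlier than or equal to the reference, a
 * positive value when it is later, and 0 when ctm cannot be parsed.
 * Callers treat 0 as an error in the field.
 *
 * ctm comes out of certificates and CRLs, i.e. from untrusted input, and
 * its data is addressed by an explicit length rather than a terminating
 * NUL. Changes from the previous version:
 *  - every read is bounded by ctm->length; truncated seconds, an unbounded
 *    run of fractional digits, a missing zone designator or a short
 *    +hhmm/-hhmm offset now yield 0 instead of reading past the data;
 *  - the zone sign test compared str[5] with '-' where str[0] was meant,
 *    which rejected most negative offsets and accepted unrelated bytes.
 * The offset digits themselves are still not validated as digits.
 */
int X509_cmp_time(ASN1_TIME *ctm, time_t *cmp_time)
{
    char *str;
    ASN1_TIME atm;
    time_t offset;
    char buff1[24], buff2[24], *p;
    int i, j;

    p = buff1;
    i = ctm->length;
    str = (char *)ctm->data;
    if (ctm->type == V_ASN1_UTCTIME) {
        /* YYMMDDhhmm, optional ss, then Z or +hhmm/-hhmm */
        if ((i < 11) || (i > 17))
            return 0;
        memcpy(p, str, 10);
        p += 10;
        str += 10;
        i -= 10;
    } else {
        /* YYYYMMDDhhmm, optional ss[.fff], then Z or +hhmm/-hhmm */
        if (i < 13)
            return 0;
        memcpy(p, str, 12);
        p += 12;
        str += 12;
        i -= 12;
    }

    /* From here on i counts the unread bytes; at least one is left. */
    if ((*str == 'Z') || (*str == '-') || (*str == '+')) {
        /* seconds omitted: treat as 00 */
        *(p++) = '0';
        *(p++) = '0';
    } else {
        if (i < 2)
            return 0;
        *(p++) = *(str++);
        *(p++) = *(str++);
        i -= 2;
        /* Skip any fractional seconds... */
        if ((i > 0) && (*str == '.')) {
            str++;
            i--;
            while ((i > 0) && (*str >= '0') && (*str <= '9')) {
                str++;
                i--;
            }
        }
    }
    *(p++) = 'Z';
    *(p++) = '\0';

    /* the zone designator must still be inside the data */
    if (i < 1)
        return 0;

    if (*str == 'Z') {
        offset = 0;
    } else {
        if ((*str != '+') && (*str != '-'))
            return 0;
        /* sign plus four digits */
        if (i < 5)
            return 0;
        offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60;
        offset += (str[3] - '0') * 10 + (str[4] - '0');
        if (*str == '-')
            offset = -offset;
    }
    atm.type = ctm->type;
    atm.length = sizeof(buff2);
    atm.data = (unsigned char *)buff2;

    /* Render the reference time, shifted by the zone offset, into buff2
     * in the same ASN.1 format so the two strings can be compared. */
    X509_time_adj(&atm, -offset * 60, cmp_time);

    if (ctm->type == V_ASN1_UTCTIME) {
        /* two-digit years: 00-49 sort after 50-99 */
        i = (buff1[0] - '0') * 10 + (buff1[1] - '0');
        if (i < 50) i += 100;   /* cf. RFC 2459 */
        j = (buff2[0] - '0') * 10 + (buff2[1] - '0');
        if (j < 50) j += 100;

        if (i < j) return -1;
        if (i > j) return 1;
    }
    i = strcmp(buff1, buff2);
    if (i == 0)     /* wait a second then return younger :-) */
        return -1;
    else
        return i;
}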
827 | ||
/* Set s to the current time plus adj seconds. Shorthand for
 * X509_time_adj() with no base time supplied; returns what that call
 * returns. */
ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
{
    time_t *base = NULL;

    return X509_time_adj(s, adj, base);
}
832 | ||
/* Set s to a base time plus adj seconds and return the setter's result.
 *
 * The base is *in_tm when in_tm is given, otherwise the current time. The
 * encoding follows s->type: UTCTime and GeneralizedTime are written as
 * such, and any other type, or a NULL s, is left to ASN1_TIME_set().
 */
ASN1_TIME *X509_time_adj(ASN1_TIME *s, long adj, time_t *in_tm)
{
    time_t when;
    int kind = -1;

    if (in_tm != NULL)
        when = *in_tm;
    else
        time(&when);
    when += adj;

    if (s != NULL)
        kind = s->type;

    switch (kind) {
    case V_ASN1_UTCTIME:
        return ASN1_UTCTIME_set(s, when);
    case V_ASN1_GENERALIZEDTIME:
        return ASN1_GENERALIZEDTIME_set(s, when);
    default:
        return ASN1_TIME_set(s, when);
    }
}
847 | ||
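/* Propagate public key parameters down a certificate chain.
 *
 * Returns 1 at once if pkey is given and already complete. Otherwise the
 * chain is scanned from index 0 for the first certificate whose key has
 * its parameters; these are copied into the keys of all certificates
 * before it and, when pkey is non-NULL, into pkey.
 *
 * Returns 1 on success. Returns 0 with an error queued when a public key
 * cannot be extracted or no certificate in the chain carries parameters.
 *
 * Change from the previous version: the second X509_get_pubkey() call,
 * made while copying, is now checked, so a failure there is reported
 * instead of passing NULL to EVP_PKEY_copy_parameters().
 */
int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
{
    EVP_PKEY *ktmp = NULL, *ktmp2;
    int i, j;

    if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey))
        return 1;

    for (i = 0; i < sk_X509_num(chain); i++) {
        ktmp = X509_get_pubkey(sk_X509_value(chain, i));
        if (ktmp == NULL) {
            X509err(X509_F_X509_GET_PUBKEY_PARAMETERS, X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
            return 0;
        }
        if (!EVP_PKEY_missing_parameters(ktmp))
            break;
        EVP_PKEY_free(ktmp);
        ktmp = NULL;
    }
    if (ktmp == NULL) {
        X509err(X509_F_X509_GET_PUBKEY_PARAMETERS, X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
        return 0;
    }

    /* first, populate the other certs */
    for (j = i - 1; j >= 0; j--) {
        ktmp2 = X509_get_pubkey(sk_X509_value(chain, j));
        if (ktmp2 == NULL) {
            X509err(X509_F_X509_GET_PUBKEY_PARAMETERS, X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
            EVP_PKEY_free(ktmp);
            return 0;
        }
        EVP_PKEY_copy_parameters(ktmp2, ktmp);
        EVP_PKEY_free(ktmp2);
    }

    if (pkey != NULL)
        EVP_PKEY_copy_parameters(pkey, ktmp);
    EVP_PKEY_free(ktmp);
    return 1;
}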
889 | ||
dd9d233e DSH |
/* Register a new ex_data slot for X509_STORE_CTX objects and return its
 * index, or -1 if registration fails. The module-level index counter is
 * advanced only on success.
 */
int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
                                    CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
{
    int rc;

    /* This function is (usually) called only once, by
     * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c).
     * That function uses locking, so we don't (usually)
     * have to worry about locking here. For the whole cruel
     * truth, see crypto/ex_data.c */
    rc = CRYPTO_get_ex_new_index(x509_store_ctx_num, &x509_store_ctx_method,
                                 argl, argp, new_func, dup_func, free_func);
    if (rc < 0)
        return -1;
    return x509_store_ctx_num++;
}
58964a49 | 903 | |
/* Attach application data to slot idx of ctx.
 * Returns whatever CRYPTO_set_ex_data() returns; ctx must not be NULL
 * because its ex_data member is addressed directly.
 */
int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
	{
	CRYPTO_EX_DATA *slots = &ctx->ex_data;

	return CRYPTO_set_ex_data(slots, idx, data);
	}
908 | ||
/* Fetch the application data stored in slot idx of ctx.
 * Returns whatever CRYPTO_get_ex_data() returns; ctx must not be NULL.
 */
void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
	{
	CRYPTO_EX_DATA *slots = &ctx->ex_data;

	return CRYPTO_get_ex_data(slots, idx);
	}
913 | ||
/* Return the error code currently recorded in ctx (ctx->error).
 * X509_STORE_CTX_init() sets this field to 0.
 */
int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
	{
	int code = ctx->error;

	return code;
	}
918 | ||
/* Overwrite the error code recorded in ctx with err.
 * No validation is applied to err: any int is stored as given, so a
 * caller can also reset the field to 0 through this function.
 */
void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
	{
	ctx->error = err;
	}
923 | ||
/* Return ctx->error_depth, the depth value stored alongside the error code. */
int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
	{
	int depth = ctx->error_depth;

	return depth;
	}
928 | ||
/* Return ctx->current_cert.
 * The pointer is handed out as-is, with no reference count change, and is
 * NULL right after X509_STORE_CTX_init().
 */
X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
	{
	X509 *cert = ctx->current_cert;

	return cert;
	}
933 | ||
/* Return the context's own chain stack (ctx->chain), not a copy.
 * X509_STORE_CTX_cleanup() frees that stack and its certificates, so the
 * returned pointer must not be used after the context is cleaned up;
 * X509_STORE_CTX_get1_chain() returns a separately owned stack instead.
 */
STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
	{
	STACK_OF(X509) *borrowed = ctx->chain;

	return borrowed;
	}
938 | ||
/* Return a duplicate of ctx->chain in which every certificate has had its
 * reference count incremented.
 *
 * Returns NULL when the context has no chain or sk_X509_dup() fails.
 * The duplicate is independent of the context's own stack; the caller
 * presumably releases it with sk_X509_pop_free(chain, X509_free) -- confirm
 * against the stack API.
 */
STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
	{
	STACK_OF(X509) *copy;
	int n;

	if (ctx->chain == NULL)
		return NULL;
	copy = sk_X509_dup(ctx->chain);
	if (copy == NULL)
		return NULL;

	/* The stack copy shares the X509 objects, so take a reference on each. */
	for (n = 0; n < sk_X509_num(copy); n++)
		{
		X509 *cert = sk_X509_value(copy, n);

		CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
		}
	return copy;
	}
952 | ||
/* Set the certificate held in ctx->cert to x.
 * Only the pointer is stored; no reference is taken here, so x has to
 * stay valid for as long as the context uses it.
 */
void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
	{
	ctx->cert = x;
	}
957 | ||
/* Set the stack held in ctx->untrusted to sk.
 * Despite the name this does not touch ctx->chain.  Only the pointer is
 * stored (no copy), so sk has to outlive its use by the context.
 */
void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
	{
	ctx->untrusted = sk;
	}
962 | ||
/* Request a purpose for ctx.
 * Delegates to X509_STORE_CTX_purpose_inherit() with no default purpose
 * and no explicit trust, and returns its result unchanged.
 */
int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
	{
	int ok = X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);

	return ok;
	}
967 | ||
/* Request a trust setting for ctx.
 * Delegates to X509_STORE_CTX_purpose_inherit() with no default purpose
 * and no purpose, and returns its result unchanged.
 */
int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
	{
	int ok = X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);

	return ok;
	}
972 | ||
/* This function is used to set the X509_STORE_CTX purpose and trust
 * values. It is intended for the case where another structure has its
 * own trust and purpose values which (if set) will be inherited by
 * the ctx. If they aren't set then we will usually have a default
 * purpose in mind which should then be used to set the trust value.
 * An example of this is SSL use: an SSL structure will have its own
 * purpose and trust settings which the application can set: if they
 * aren't set then we use the default of SSL client/server.
 *
 * ctx          context to update
 * def_purpose  purpose used when purpose is 0, and looked up again when
 *              the chosen purpose's trust is X509_TRUST_DEFAULT
 * purpose      requested purpose id, 0 for "not set"
 * trust        requested trust id, 0 for "not set"
 *
 * Returns 1 on success and 0 (after raising an X509 error) when a purpose
 * or trust id is unknown.  A purpose or trust already present in ctx is
 * never overwritten: the new value is stored only when the field is still
 * 0, and the function returns 1 in that case as well.
 */

int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
				int purpose, int trust)
	{
	int idx;

	/* Fall back to the default purpose when none was requested */
	if (purpose == 0)
		purpose = def_purpose;

	/* A purpose, if we have one, must be a known id */
	if (purpose != 0)
		{
		X509_PURPOSE *pinfo;

		idx = X509_PURPOSE_get_by_id(purpose);
		if (idx == -1)
			{
			X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
						X509_R_UNKNOWN_PURPOSE_ID);
			return 0;
			}
		pinfo = X509_PURPOSE_get0(idx);
		if (pinfo->trust == X509_TRUST_DEFAULT)
			{
			/* Take the trust value from the default purpose instead */
			idx = X509_PURPOSE_get_by_id(def_purpose);
			if (idx == -1)
				{
				X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
						X509_R_UNKNOWN_PURPOSE_ID);
				return 0;
				}
			pinfo = X509_PURPOSE_get0(idx);
			}
		/* No explicit trust: derive it from the purpose */
		if (trust == 0)
			trust = pinfo->trust;
		}

	/* A trust value, explicit or derived, must be a known id too */
	if (trust != 0)
		{
		idx = X509_TRUST_get_by_id(trust);
		if (idx == -1)
			{
			X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
						X509_R_UNKNOWN_TRUST_ID);
			return 0;
			}
		}

	/* Only fill in fields that are still unset in the context */
	if (purpose != 0 && ctx->purpose == 0)
		ctx->purpose = purpose;
	if (trust != 0 && ctx->trust == 0)
		ctx->trust = trust;
	return 1;
	}
1030 | ||
/* Allocate a zero-filled X509_STORE_CTX.
 * Returns NULL when OPENSSL_malloc() fails.  The context still has to be
 * set up with X509_STORE_CTX_init() before use; release it with
 * X509_STORE_CTX_free().
 */
X509_STORE_CTX *X509_STORE_CTX_new(void)
	{
	X509_STORE_CTX *fresh = OPENSSL_malloc(sizeof(X509_STORE_CTX));

	if (fresh == NULL)
		return NULL;
	memset(fresh, 0, sizeof(X509_STORE_CTX));
	return fresh;
	}
1038 | ||
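/* Clean up and release a context obtained from X509_STORE_CTX_new().
 *
 * A NULL ctx is accepted and ignored, like free(NULL): without this guard
 * X509_STORE_CTX_cleanup() would dereference the NULL pointer, which makes
 * error paths that free a context whose allocation failed crash.
 * After this call ctx, and the chain it owned, must not be used again.
 */
void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
	{
	if (ctx == NULL)
		return;
	X509_STORE_CTX_cleanup(ctx);
	OPENSSL_free(ctx);
	}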
1044 | ||
/* Prepare ctx for verifying x509 against store.
 *
 * ctx    context to initialise; every field set below is overwritten
 * store  source of purpose, trust, flags and callbacks; it is dereferenced
 *        unconditionally, so it must not be NULL
 * x509   certificate stored in ctx->cert (pointer only)
 * chain  stack stored in ctx->untrusted (pointer only, not copied)
 *
 * ctx->chain and ctx->ex_data are simply reset here, not freed: a context
 * that has been used before should go through X509_STORE_CTX_cleanup()
 * first, or whatever they held is lost.  There is no return value, so
 * nothing is reported to the caller.
 */
void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
	     STACK_OF(X509) *chain)
	{
	/* What is being verified, and against what */
	ctx->ctx = store;
	ctx->current_method = 0;
	ctx->cert = x509;
	ctx->untrusted = chain;
	ctx->last_untrusted = 0;

	/* Policy inherited from the store */
	ctx->purpose = store->purpose;
	ctx->trust = store->trust;

	/* Per-verification state starts out empty */
	ctx->check_time = 0;
	ctx->flags = 0;
	ctx->other_ctx = NULL;
	ctx->valid = 0;
	ctx->chain = NULL;
	ctx->depth = 9;
	ctx->error = 0;
	ctx->error_depth = 0;
	ctx->current_cert = NULL;
	ctx->current_issuer = NULL;

	/* Inherit callbacks and flags from X509_STORE; if a callback is
	 * not set there, use this file's default.
	 */

	ctx->flags = store->flags;

	ctx->check_issued = store->check_issued ? store->check_issued : check_issued;
	ctx->get_issuer = store->get_issuer ? store->get_issuer : X509_STORE_CTX_get1_issuer;
	ctx->verify_cb = store->verify_cb ? store->verify_cb : null_callback;
	ctx->verify = store->verify ? store->verify : internal_verify;
	ctx->check_revocation = store->check_revocation ? store->check_revocation : check_revocation;
	ctx->get_crl = store->get_crl ? store->get_crl : get_crl;
	ctx->check_crl = store->check_crl ? store->check_crl : check_crl;
	ctx->cert_crl = store->cert_crl ? store->cert_crl : cert_crl;

	/* cleanup has no default: it is copied even when NULL */
	ctx->cleanup = store->cleanup;

	memset(&ctx->ex_data, 0, sizeof(CRYPTO_EX_DATA));
	}
1116 | ||
/* Set alternative lookup method: just a STACK of trusted certificates.
 * This avoids X509_STORE nastiness where it isn't needed.
 *
 * The get_issuer callback of ctx is replaced by get_issuer_sk and sk is
 * kept in ctx->other_ctx.  Only the pointer is stored (no copy), so sk has
 * to stay valid while the context is in use, and every certificate placed
 * in it is offered to the verifier as a trusted issuer candidate.
 */

void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
	{
	ctx->get_issuer = get_issuer_sk;
	ctx->other_ctx = sk;
	}
1126 | ||
/* Release what ctx owns without freeing ctx itself.
 *
 * Runs the optional ctx->cleanup callback first, then frees the chain
 * stack together with its certificates (X509_free on each) and the
 * ex_data.  ctx->chain is set to NULL and ex_data is zeroed afterwards,
 * so pointers previously obtained from ctx->chain are dangling after
 * this call.  ctx must not be NULL.
 */
void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
	{
	if (ctx->cleanup != NULL)
		ctx->cleanup(ctx);

	if (ctx->chain)
		{
		sk_X509_pop_free(ctx->chain, X509_free);
		ctx->chain = NULL;
		}

	CRYPTO_free_ex_data(x509_store_ctx_method, ctx, &ctx->ex_data);
	memset(&(ctx->ex_data), 0, sizeof(CRYPTO_EX_DATA));
	}
13938ace | 1138 | |
/* Turn on the verification flags given in flags.
 * The bits are OR-ed into ctx->flags, so this function can only add
 * flags; bits that are already set (for example inherited from the
 * store) cannot be cleared through it.
 */
void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, long flags)
	{
	ctx->flags = ctx->flags | flags;
	}
1143 | ||
/* Record t in ctx->check_time and set X509_V_FLAG_USE_CHECK_TIME.
 * The flags parameter is not used by this function.  Because the time
 * comes from the caller, it should come from a source the application
 * trusts.
 */
void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, long flags, time_t t)
	{
	ctx->flags = ctx->flags | X509_V_FLAG_USE_CHECK_TIME;
	ctx->check_time = t;
	}
1149 | ||
/* Install verify_cb as the verification callback of ctx, replacing the one
 * chosen by X509_STORE_CTX_init().
 * NOTE(review): the pointer is stored without a NULL check; whether the
 * verifier tolerates a NULL callback is not visible here -- confirm before
 * passing NULL.
 */
void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
				  int (*verify_cb)(int, X509_STORE_CTX *))
	{
	ctx->verify_cb = verify_cb;
	}
1155 | ||
/* Instantiate the STACK_OF and ASN1 SET_OF helpers for X509, X509_NAME
 * and X509_ATTRIBUTE.
 * NOTE(review): the macro definitions are not visible here -- confirm
 * what they expand to in this build.
 */
IMPLEMENT_STACK_OF(X509)
IMPLEMENT_ASN1_SET_OF(X509)

IMPLEMENT_STACK_OF(X509_NAME)

IMPLEMENT_STACK_OF(X509_ATTRIBUTE)
IMPLEMENT_ASN1_SET_OF(X509_ATTRIBUTE)