]>
Commit | Line | Data |
---|---|---|
d02b48c6 | 1 | /* crypto/x509/x509_vfy.c */ |
58964a49 | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
d02b48c6 RE |
3 | * All rights reserved. |
4 | * | |
5 | * This package is an SSL implementation written | |
6 | * by Eric Young (eay@cryptsoft.com). | |
7 | * The implementation was written so as to conform with Netscapes SSL. | |
8 | * | |
9 | * This library is free for commercial and non-commercial use as long as | |
10 | * the following conditions are aheared to. The following conditions | |
11 | * apply to all code found in this distribution, be it the RC4, RSA, | |
12 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation | |
13 | * included with this distribution is covered by the same copyright terms | |
14 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). | |
15 | * | |
16 | * Copyright remains Eric Young's, and as such any Copyright notices in | |
17 | * the code are not to be removed. | |
18 | * If this package is used in a product, Eric Young should be given attribution | |
19 | * as the author of the parts of the library used. | |
20 | * This can be in the form of a textual message at program startup or | |
21 | * in documentation (online or textual) provided with the package. | |
22 | * | |
23 | * Redistribution and use in source and binary forms, with or without | |
24 | * modification, are permitted provided that the following conditions | |
25 | * are met: | |
26 | * 1. Redistributions of source code must retain the copyright | |
27 | * notice, this list of conditions and the following disclaimer. | |
28 | * 2. Redistributions in binary form must reproduce the above copyright | |
29 | * notice, this list of conditions and the following disclaimer in the | |
30 | * documentation and/or other materials provided with the distribution. | |
31 | * 3. All advertising materials mentioning features or use of this software | |
32 | * must display the following acknowledgement: | |
33 | * "This product includes cryptographic software written by | |
34 | * Eric Young (eay@cryptsoft.com)" | |
35 | * The word 'cryptographic' can be left out if the rouines from the library | |
36 | * being used are not cryptographic related :-). | |
37 | * 4. If you include any Windows specific code (or a derivative thereof) from | |
38 | * the apps directory (application code) you must include an acknowledgement: | |
39 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | |
40 | * | |
41 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND | |
42 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
43 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
44 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
45 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
46 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
47 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
49 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
50 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
51 | * SUCH DAMAGE. | |
52 | * | |
53 | * The licence and distribution terms for any publically available version or | |
54 | * derivative of this code cannot be changed. i.e. this code cannot simply be | |
55 | * copied and put under another distribution licence | |
56 | * [including the GNU Public Licence.] | |
57 | */ | |
58 | ||
59 | #include <stdio.h> | |
60 | #include <time.h> | |
61 | #include <errno.h> | |
d02b48c6 RE |
62 | |
63 | #include "cryptlib.h" | |
17f389bb | 64 | #include <openssl/crypto.h> |
ec577822 BM |
65 | #include <openssl/lhash.h> |
66 | #include <openssl/buffer.h> | |
67 | #include <openssl/evp.h> | |
68 | #include <openssl/asn1.h> | |
69 | #include <openssl/x509.h> | |
11262391 | 70 | #include <openssl/x509v3.h> |
ec577822 | 71 | #include <openssl/objects.h> |
d02b48c6 | 72 | |
d02b48c6 | 73 | static int null_callback(int ok,X509_STORE_CTX *e); |
2f043896 DSH |
74 | static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); |
75 | static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x); | |
11262391 | 76 | static int check_chain_purpose(X509_STORE_CTX *ctx); |
51630a37 | 77 | static int check_trust(X509_STORE_CTX *ctx); |
b545dc67 DSH |
78 | static int check_revocation(X509_STORE_CTX *ctx); |
79 | static int check_cert(X509_STORE_CTX *ctx); | |
d02b48c6 | 80 | static int internal_verify(X509_STORE_CTX *ctx); |
e778802f | 81 | const char *X509_version="X.509" OPENSSL_VERSION_PTEXT; |
b4cadc6e | 82 | |
d02b48c6 | 83 | |
6b691a5c | 84 | static int null_callback(int ok, X509_STORE_CTX *e) |
d02b48c6 | 85 | { |
f684090c | 86 | return ok; |
d02b48c6 RE |
87 | } |
88 | ||
89 | #if 0 | |
6b691a5c | 90 | static int x509_subject_cmp(X509 **a, X509 **b) |
d02b48c6 | 91 | { |
f684090c | 92 | return X509_subject_name_cmp(*a,*b); |
d02b48c6 RE |
93 | } |
94 | #endif | |
95 | ||
6b691a5c | 96 | int X509_verify_cert(X509_STORE_CTX *ctx) |
d02b48c6 RE |
97 | { |
98 | X509 *x,*xtmp,*chain_ss=NULL; | |
99 | X509_NAME *xn; | |
d02b48c6 RE |
100 | int depth,i,ok=0; |
101 | int num; | |
102 | int (*cb)(); | |
f73e07cf | 103 | STACK_OF(X509) *sktmp=NULL; |
d02b48c6 RE |
104 | |
105 | if (ctx->cert == NULL) | |
106 | { | |
107 | X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); | |
f684090c | 108 | return -1; |
d02b48c6 RE |
109 | } |
110 | ||
2f043896 | 111 | cb=ctx->verify_cb; |
d02b48c6 RE |
112 | |
113 | /* first we make sure the chain we are going to build is | |
114 | * present and that the first entry is in place */ | |
115 | if (ctx->chain == NULL) | |
116 | { | |
7e258a56 BL |
117 | if ( ((ctx->chain=sk_X509_new_null()) == NULL) || |
118 | (!sk_X509_push(ctx->chain,ctx->cert))) | |
d02b48c6 RE |
119 | { |
120 | X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); | |
121 | goto end; | |
122 | } | |
123 | CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509); | |
124 | ctx->last_untrusted=1; | |
125 | } | |
126 | ||
f76d8c47 | 127 | /* We use a temporary STACK so we can chop and hack at it */ |
f73e07cf BL |
128 | if (ctx->untrusted != NULL |
129 | && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL) | |
d02b48c6 RE |
130 | { |
131 | X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); | |
132 | goto end; | |
133 | } | |
134 | ||
7e258a56 BL |
135 | num=sk_X509_num(ctx->chain); |
136 | x=sk_X509_value(ctx->chain,num-1); | |
d02b48c6 RE |
137 | depth=ctx->depth; |
138 | ||
139 | ||
140 | for (;;) | |
141 | { | |
142 | /* If we have enough, we break */ | |
d797727b | 143 | if (depth < num) break; /* FIXME: If this happens, we should take |
a9642be6 BM |
144 | * note of it and, if appropriate, use the |
145 | * X509_V_ERR_CERT_CHAIN_TOO_LONG error | |
146 | * code later. | |
147 | */ | |
d02b48c6 RE |
148 | |
149 | /* If we are self signed, we break */ | |
150 | xn=X509_get_issuer_name(x); | |
2f043896 | 151 | if (ctx->check_issued(ctx, x,x)) break; |
d02b48c6 RE |
152 | |
153 | /* If we were passed a cert chain, use it first */ | |
154 | if (ctx->untrusted != NULL) | |
155 | { | |
2f043896 | 156 | xtmp=find_issuer(ctx, sktmp,x); |
d02b48c6 RE |
157 | if (xtmp != NULL) |
158 | { | |
7e258a56 | 159 | if (!sk_X509_push(ctx->chain,xtmp)) |
d02b48c6 RE |
160 | { |
161 | X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); | |
162 | goto end; | |
163 | } | |
164 | CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509); | |
f73e07cf | 165 | sk_X509_delete_ptr(sktmp,xtmp); |
d02b48c6 RE |
166 | ctx->last_untrusted++; |
167 | x=xtmp; | |
168 | num++; | |
169 | /* reparse the full chain for | |
170 | * the next one */ | |
171 | continue; | |
172 | } | |
173 | } | |
174 | break; | |
175 | } | |
176 | ||
177 | /* at this point, chain should contain a list of untrusted | |
178 | * certificates. We now need to add at least one trusted one, | |
179 | * if possible, otherwise we complain. */ | |
180 | ||
2f043896 DSH |
181 | /* Examine last certificate in chain and see if it |
182 | * is self signed. | |
183 | */ | |
184 | ||
7e258a56 BL |
185 | i=sk_X509_num(ctx->chain); |
186 | x=sk_X509_value(ctx->chain,i-1); | |
f76d8c47 | 187 | xn = X509_get_subject_name(x); |
2f043896 | 188 | if (ctx->check_issued(ctx, x, x)) |
d02b48c6 RE |
189 | { |
190 | /* we have a self signed certificate */ | |
7e258a56 | 191 | if (sk_X509_num(ctx->chain) == 1) |
d02b48c6 | 192 | { |
f76d8c47 DSH |
193 | /* We have a single self signed certificate: see if |
194 | * we can find it in the store. We must have an exact | |
195 | * match to avoid possible impersonation. | |
196 | */ | |
2f043896 DSH |
197 | ok = ctx->get_issuer(&xtmp, ctx, x); |
198 | if ((ok <= 0) || X509_cmp(x, xtmp)) | |
f76d8c47 DSH |
199 | { |
200 | ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; | |
201 | ctx->current_cert=x; | |
202 | ctx->error_depth=i-1; | |
b7c190d9 | 203 | if (ok == 1) X509_free(xtmp); |
f76d8c47 DSH |
204 | ok=cb(0,ctx); |
205 | if (!ok) goto end; | |
206 | } | |
207 | else | |
208 | { | |
209 | /* We have a match: replace certificate with store version | |
210 | * so we get any trust settings. | |
211 | */ | |
212 | X509_free(x); | |
2f043896 | 213 | x = xtmp; |
f76d8c47 DSH |
214 | sk_X509_set(ctx->chain, i - 1, x); |
215 | ctx->last_untrusted=0; | |
216 | } | |
d02b48c6 RE |
217 | } |
218 | else | |
219 | { | |
2f043896 | 220 | /* extract and save self signed certificate for later use */ |
7e258a56 | 221 | chain_ss=sk_X509_pop(ctx->chain); |
d02b48c6 RE |
222 | ctx->last_untrusted--; |
223 | num--; | |
7e258a56 | 224 | x=sk_X509_value(ctx->chain,num-1); |
d02b48c6 RE |
225 | } |
226 | } | |
227 | ||
228 | /* We now lookup certs from the certificate store */ | |
229 | for (;;) | |
230 | { | |
231 | /* If we have enough, we break */ | |
7f89714e | 232 | if (depth < num) break; |
d02b48c6 RE |
233 | |
234 | /* If we are self signed, we break */ | |
235 | xn=X509_get_issuer_name(x); | |
2f043896 | 236 | if (ctx->check_issued(ctx,x,x)) break; |
d02b48c6 | 237 | |
2f043896 DSH |
238 | ok = ctx->get_issuer(&xtmp, ctx, x); |
239 | ||
240 | if (ok < 0) return ok; | |
b7c190d9 | 241 | if (ok == 0) break; |
2f043896 DSH |
242 | |
243 | x = xtmp; | |
244 | if (!sk_X509_push(ctx->chain,x)) | |
d02b48c6 | 245 | { |
2f043896 | 246 | X509_free(xtmp); |
d02b48c6 | 247 | X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); |
f684090c | 248 | return 0; |
d02b48c6 RE |
249 | } |
250 | num++; | |
251 | } | |
252 | ||
253 | /* we now have our chain, lets check it... */ | |
254 | xn=X509_get_issuer_name(x); | |
2f043896 DSH |
255 | |
256 | /* Is last certificate looked up self signed? */ | |
257 | if (!ctx->check_issued(ctx,x,x)) | |
d02b48c6 | 258 | { |
2f043896 | 259 | if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) |
d02b48c6 RE |
260 | { |
261 | if (ctx->last_untrusted >= num) | |
262 | ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; | |
263 | else | |
264 | ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT; | |
265 | ctx->current_cert=x; | |
266 | } | |
267 | else | |
268 | { | |
269 | ||
7e258a56 | 270 | sk_X509_push(ctx->chain,chain_ss); |
d02b48c6 RE |
271 | num++; |
272 | ctx->last_untrusted=num; | |
273 | ctx->current_cert=chain_ss; | |
274 | ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; | |
275 | chain_ss=NULL; | |
276 | } | |
277 | ||
278 | ctx->error_depth=num-1; | |
279 | ok=cb(0,ctx); | |
280 | if (!ok) goto end; | |
281 | } | |
282 | ||
11262391 | 283 | /* We have the chain complete: now we need to check its purpose */ |
b7c190d9 | 284 | if (ctx->purpose > 0) ok = check_chain_purpose(ctx); |
11262391 | 285 | |
b7c190d9 | 286 | if (!ok) goto end; |
11262391 | 287 | |
51630a37 DSH |
288 | /* The chain extensions are OK: check trust */ |
289 | ||
b7c190d9 | 290 | if (ctx->trust > 0) ok = check_trust(ctx); |
51630a37 | 291 | |
b7c190d9 | 292 | if (!ok) goto end; |
51630a37 | 293 | |
d02b48c6 RE |
294 | /* We may as well copy down any DSA parameters that are required */ |
295 | X509_get_pubkey_parameters(NULL,ctx->chain); | |
296 | ||
b545dc67 DSH |
297 | /* Check revocation status: we do this after copying parameters |
298 | * because they may be needed for CRL signature verification. | |
299 | */ | |
300 | ||
301 | ok = ctx->check_revocation(ctx); | |
302 | if(!ok) goto end; | |
303 | ||
d02b48c6 | 304 | /* At this point, we have a chain and just need to verify it */ |
2f043896 DSH |
305 | if (ctx->verify != NULL) |
306 | ok=ctx->verify(ctx); | |
d02b48c6 RE |
307 | else |
308 | ok=internal_verify(ctx); | |
dfeab068 RE |
309 | if (0) |
310 | { | |
d02b48c6 | 311 | end: |
dfeab068 RE |
312 | X509_get_pubkey_parameters(NULL,ctx->chain); |
313 | } | |
f73e07cf | 314 | if (sktmp != NULL) sk_X509_free(sktmp); |
d02b48c6 | 315 | if (chain_ss != NULL) X509_free(chain_ss); |
f684090c | 316 | return ok; |
d02b48c6 RE |
317 | } |
318 | ||
2f043896 DSH |
319 | |
320 | /* Given a STACK_OF(X509) find the issuer of cert (if any) | |
321 | */ | |
322 | ||
323 | static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) | |
324 | { | |
325 | int i; | |
326 | X509 *issuer; | |
b7c190d9 | 327 | for (i = 0; i < sk_X509_num(sk); i++) |
82aec1cc | 328 | { |
2f043896 | 329 | issuer = sk_X509_value(sk, i); |
b7c190d9 | 330 | if (ctx->check_issued(ctx, x, issuer)) |
82aec1cc BM |
331 | return issuer; |
332 | } | |
2f043896 DSH |
333 | return NULL; |
334 | } | |
335 | ||
336 | /* Given a possible certificate and issuer check them */ | |
337 | ||
338 | static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) | |
339 | { | |
340 | int ret; | |
341 | ret = X509_check_issued(issuer, x); | |
82aec1cc BM |
342 | if (ret == X509_V_OK) |
343 | return 1; | |
dbba890c DSH |
344 | /* If we haven't asked for issuer errors don't set ctx */ |
345 | if (!(ctx->flags & X509_V_FLAG_CB_ISSUER_CHECK)) | |
346 | return 0; | |
347 | ||
348 | ctx->error = ret; | |
349 | ctx->current_cert = x; | |
350 | ctx->current_issuer = issuer; | |
bdee69f7 | 351 | return ctx->verify_cb(0, ctx); |
2f043896 DSH |
352 | return 0; |
353 | } | |
354 | ||
355 | /* Alternative lookup method: look from a STACK stored in other_ctx */ | |
356 | ||
357 | static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) | |
358 | { | |
359 | *issuer = find_issuer(ctx, ctx->other_ctx, x); | |
82aec1cc BM |
360 | if (*issuer) |
361 | { | |
2f043896 DSH |
362 | CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509); |
363 | return 1; | |
82aec1cc BM |
364 | } |
365 | else | |
366 | return 0; | |
2f043896 DSH |
367 | } |
368 | ||
369 | ||
11262391 DSH |
370 | /* Check a certificate chains extensions for consistency |
371 | * with the supplied purpose | |
372 | */ | |
373 | ||
374 | static int check_chain_purpose(X509_STORE_CTX *ctx) | |
375 | { | |
cf1b7d96 | 376 | #ifdef OPENSSL_NO_CHAIN_VERIFY |
11262391 DSH |
377 | return 1; |
378 | #else | |
379 | int i, ok=0; | |
380 | X509 *x; | |
381 | int (*cb)(); | |
2f043896 | 382 | cb=ctx->verify_cb; |
11262391 | 383 | /* Check all untrusted certificates */ |
b7c190d9 | 384 | for (i = 0; i < ctx->last_untrusted; i++) |
82aec1cc | 385 | { |
11262391 | 386 | x = sk_X509_value(ctx->chain, i); |
f1558bb4 DSH |
387 | if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL) |
388 | && (x->ex_flags & EXFLAG_CRITICAL)) | |
389 | { | |
390 | ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; | |
391 | ctx->error_depth = i; | |
392 | ctx->current_cert = x; | |
393 | ok=cb(0,ctx); | |
394 | if (!ok) goto end; | |
395 | } | |
82aec1cc BM |
396 | if (!X509_check_purpose(x, ctx->purpose, i)) |
397 | { | |
398 | if (i) | |
399 | ctx->error = X509_V_ERR_INVALID_CA; | |
400 | else | |
401 | ctx->error = X509_V_ERR_INVALID_PURPOSE; | |
11262391 DSH |
402 | ctx->error_depth = i; |
403 | ctx->current_cert = x; | |
404 | ok=cb(0,ctx); | |
82aec1cc BM |
405 | if (!ok) goto end; |
406 | } | |
11262391 | 407 | /* Check pathlen */ |
b7c190d9 | 408 | if ((i > 1) && (x->ex_pathlen != -1) |
82aec1cc BM |
409 | && (i > (x->ex_pathlen + 1))) |
410 | { | |
11262391 DSH |
411 | ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; |
412 | ctx->error_depth = i; | |
413 | ctx->current_cert = x; | |
414 | ok=cb(0,ctx); | |
82aec1cc BM |
415 | if (!ok) goto end; |
416 | } | |
11262391 | 417 | } |
11262391 | 418 | ok = 1; |
82aec1cc | 419 | end: |
f684090c | 420 | return ok; |
11262391 DSH |
421 | #endif |
422 | } | |
423 | ||
51630a37 DSH |
424 | static int check_trust(X509_STORE_CTX *ctx) |
425 | { | |
cf1b7d96 | 426 | #ifdef OPENSSL_NO_CHAIN_VERIFY |
51630a37 DSH |
427 | return 1; |
428 | #else | |
429 | int i, ok; | |
430 | X509 *x; | |
431 | int (*cb)(); | |
2f043896 | 432 | cb=ctx->verify_cb; |
51630a37 DSH |
433 | /* For now just check the last certificate in the chain */ |
434 | i = sk_X509_num(ctx->chain) - 1; | |
435 | x = sk_X509_value(ctx->chain, i); | |
13938ace | 436 | ok = X509_check_trust(x, ctx->trust, 0); |
82aec1cc BM |
437 | if (ok == X509_TRUST_TRUSTED) |
438 | return 1; | |
b545dc67 | 439 | ctx->error_depth = i; |
51630a37 | 440 | ctx->current_cert = x; |
82aec1cc BM |
441 | if (ok == X509_TRUST_REJECTED) |
442 | ctx->error = X509_V_ERR_CERT_REJECTED; | |
443 | else | |
444 | ctx->error = X509_V_ERR_CERT_UNTRUSTED; | |
51630a37 | 445 | ok = cb(0, ctx); |
f684090c | 446 | return ok; |
51630a37 DSH |
447 | #endif |
448 | } | |
449 | ||
b545dc67 DSH |
450 | static int check_revocation(X509_STORE_CTX *ctx) |
451 | { | |
452 | int i, last, ok; | |
453 | if (!(ctx->flags & X509_V_FLAG_CRL_CHECK)) | |
454 | return 1; | |
455 | if (ctx->flags & X509_V_FLAG_CRL_CHECK_ALL) | |
456 | last = 0; | |
457 | else | |
458 | last = sk_X509_num(ctx->chain) - 1; | |
459 | for(i = 0; i <= last; i++) | |
460 | { | |
461 | ctx->error_depth = i; | |
462 | ok = check_cert(ctx); | |
463 | if (!ok) return ok; | |
464 | } | |
465 | return 1; | |
466 | } | |
467 | ||
468 | static int check_cert(X509_STORE_CTX *ctx) | |
469 | { | |
470 | X509_CRL *crl = NULL; | |
471 | X509 *x; | |
472 | int ok, cnum; | |
473 | cnum = ctx->error_depth; | |
474 | x = sk_X509_value(ctx->chain, cnum); | |
475 | ctx->current_cert = x; | |
476 | /* Try to retrieve relevant CRL */ | |
477 | ok = ctx->get_crl(ctx, &crl, x); | |
478 | /* If error looking up CRL, nothing we can do except | |
479 | * notify callback | |
480 | */ | |
481 | if(!ok) | |
482 | { | |
483 | ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; | |
bdee69f7 | 484 | ok = ctx->verify_cb(0, ctx); |
b545dc67 DSH |
485 | goto err; |
486 | } | |
487 | ctx->current_crl = crl; | |
488 | ok = ctx->check_crl(ctx, crl); | |
489 | if (!ok) goto err; | |
490 | ok = ctx->cert_crl(ctx, crl, x); | |
491 | err: | |
492 | ctx->current_crl = NULL; | |
493 | X509_CRL_free(crl); | |
494 | return ok; | |
495 | ||
496 | } | |
497 | ||
498 | /* Retrieve CRL corresponding to certificate: currently just a | |
499 | * subject lookup: maybe use AKID later... | |
500 | * Also might look up any included CRLs too (e.g PKCS#7 signedData). | |
501 | */ | |
502 | static int get_crl(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x) | |
503 | { | |
504 | int ok; | |
505 | X509_OBJECT xobj; | |
506 | ok = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x), &xobj); | |
507 | if (!ok) return 0; | |
508 | *crl = xobj.data.crl; | |
509 | return 1; | |
510 | } | |
511 | ||
512 | /* Check CRL validity */ | |
513 | static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) | |
514 | { | |
515 | X509 *issuer = NULL; | |
516 | EVP_PKEY *ikey = NULL; | |
517 | int ok = 0, chnum, cnum, i; | |
518 | time_t *ptime; | |
519 | cnum = ctx->error_depth; | |
520 | chnum = sk_X509_num(ctx->chain) - 1; | |
521 | /* Find CRL issuer: if not last certificate then issuer | |
522 | * is next certificate in chain. | |
523 | */ | |
524 | if(cnum < chnum) | |
525 | issuer = sk_X509_value(ctx->chain, cnum + 1); | |
526 | else | |
527 | { | |
528 | issuer = sk_X509_value(ctx->chain, chnum); | |
529 | /* If not self signed, can't check signature */ | |
530 | if(!ctx->check_issued(ctx, issuer, issuer)) | |
531 | { | |
532 | ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER; | |
bdee69f7 | 533 | ok = ctx->verify_cb(0, ctx); |
b545dc67 DSH |
534 | if(!ok) goto err; |
535 | } | |
536 | } | |
537 | ||
538 | if(issuer) | |
539 | { | |
540 | ||
541 | /* Attempt to get issuer certificate public key */ | |
542 | ikey = X509_get_pubkey(issuer); | |
543 | ||
544 | if(!ikey) | |
545 | { | |
546 | ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; | |
bdee69f7 | 547 | ok = ctx->verify_cb(0, ctx); |
b545dc67 DSH |
548 | if (!ok) goto err; |
549 | } | |
550 | else | |
551 | { | |
552 | /* Verify CRL signature */ | |
553 | if(X509_CRL_verify(crl, ikey) <= 0) | |
554 | { | |
555 | ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE; | |
bdee69f7 | 556 | ok = ctx->verify_cb(0, ctx); |
b545dc67 DSH |
557 | if (!ok) goto err; |
558 | } | |
559 | } | |
560 | } | |
561 | ||
562 | /* OK, CRL signature valid check times */ | |
563 | if (ctx->flags & X509_V_FLAG_USE_CHECK_TIME) | |
564 | ptime = &ctx->check_time; | |
565 | else | |
566 | ptime = NULL; | |
567 | ||
568 | i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); | |
569 | if (i == 0) | |
570 | { | |
571 | ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; | |
bdee69f7 | 572 | ok = ctx->verify_cb(0, ctx); |
b545dc67 DSH |
573 | if (!ok) goto err; |
574 | } | |
575 | ||
576 | if (i > 0) | |
577 | { | |
578 | ctx->error=X509_V_ERR_CRL_NOT_YET_VALID; | |
bdee69f7 | 579 | ok = ctx->verify_cb(0, ctx); |
b545dc67 DSH |
580 | if (!ok) goto err; |
581 | } | |
582 | ||
583 | if(X509_CRL_get_nextUpdate(crl)) | |
584 | { | |
585 | i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); | |
586 | ||
587 | if (i == 0) | |
588 | { | |
589 | ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; | |
bdee69f7 | 590 | ok = ctx->verify_cb(0, ctx); |
b545dc67 DSH |
591 | if (!ok) goto err; |
592 | } | |
593 | ||
594 | if (i < 0) | |
595 | { | |
596 | ctx->error=X509_V_ERR_CRL_HAS_EXPIRED; | |
bdee69f7 | 597 | ok = ctx->verify_cb(0, ctx); |
b545dc67 DSH |
598 | if (!ok) goto err; |
599 | } | |
600 | } | |
601 | ||
602 | ok = 1; | |
603 | ||
604 | err: | |
605 | EVP_PKEY_free(ikey); | |
606 | return ok; | |
607 | } | |
608 | ||
609 | /* Check certificate against CRL */ | |
610 | static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) | |
611 | { | |
612 | int idx, ok; | |
613 | X509_REVOKED rtmp; | |
614 | /* Look for serial number of certificate in CRL */ | |
615 | rtmp.serialNumber = X509_get_serialNumber(x); | |
616 | idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp); | |
617 | /* Not found: OK */ | |
618 | if(idx == -1) return 1; | |
619 | /* Otherwise revoked: want something cleverer than | |
620 | * this to handle entry extensions in V2 CRLs. | |
621 | */ | |
622 | ctx->error = X509_V_ERR_CERT_REVOKED; | |
bdee69f7 | 623 | ok = ctx->verify_cb(0, ctx); |
b545dc67 DSH |
624 | return ok; |
625 | } | |
626 | ||
6b691a5c | 627 | static int internal_verify(X509_STORE_CTX *ctx) |
d02b48c6 RE |
628 | { |
629 | int i,ok=0,n; | |
630 | X509 *xs,*xi; | |
631 | EVP_PKEY *pkey=NULL; | |
bbb72003 | 632 | time_t *ptime; |
d02b48c6 RE |
633 | int (*cb)(); |
634 | ||
2f043896 | 635 | cb=ctx->verify_cb; |
d02b48c6 | 636 | |
7e258a56 | 637 | n=sk_X509_num(ctx->chain); |
d02b48c6 RE |
638 | ctx->error_depth=n-1; |
639 | n--; | |
7e258a56 | 640 | xi=sk_X509_value(ctx->chain,n); |
82aec1cc BM |
641 | if (ctx->flags & X509_V_FLAG_USE_CHECK_TIME) |
642 | ptime = &ctx->check_time; | |
643 | else | |
644 | ptime = NULL; | |
bbb72003 | 645 | if (ctx->check_issued(ctx, xi, xi)) |
d02b48c6 RE |
646 | xs=xi; |
647 | else | |
648 | { | |
649 | if (n <= 0) | |
650 | { | |
651 | ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; | |
652 | ctx->current_cert=xi; | |
653 | ok=cb(0,ctx); | |
654 | goto end; | |
655 | } | |
656 | else | |
657 | { | |
658 | n--; | |
659 | ctx->error_depth=n; | |
7e258a56 | 660 | xs=sk_X509_value(ctx->chain,n); |
d02b48c6 RE |
661 | } |
662 | } | |
663 | ||
664 | /* ctx->error=0; not needed */ | |
665 | while (n >= 0) | |
666 | { | |
667 | ctx->error_depth=n; | |
668 | if (!xs->valid) | |
669 | { | |
670 | if ((pkey=X509_get_pubkey(xi)) == NULL) | |
671 | { | |
672 | ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; | |
673 | ctx->current_cert=xi; | |
674 | ok=(*cb)(0,ctx); | |
675 | if (!ok) goto end; | |
676 | } | |
677 | if (X509_verify(xs,pkey) <= 0) | |
78f3a2aa BM |
678 | /* XXX For the final trusted self-signed cert, |
679 | * this is a waste of time. That check should | |
680 | * optional so that e.g. 'openssl x509' can be | |
681 | * used to detect invalid self-signatures, but | |
682 | * we don't verify again and again in SSL | |
683 | * handshakes and the like once the cert has | |
684 | * been declared trusted. */ | |
d02b48c6 RE |
685 | { |
686 | ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE; | |
687 | ctx->current_cert=xs; | |
688 | ok=(*cb)(0,ctx); | |
582e5929 DSH |
689 | if (!ok) |
690 | { | |
691 | EVP_PKEY_free(pkey); | |
692 | goto end; | |
693 | } | |
d02b48c6 | 694 | } |
cfcf6453 | 695 | EVP_PKEY_free(pkey); |
d02b48c6 RE |
696 | pkey=NULL; |
697 | ||
bbb72003 | 698 | i=X509_cmp_time(X509_get_notBefore(xs), ptime); |
d02b48c6 RE |
699 | if (i == 0) |
700 | { | |
701 | ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; | |
702 | ctx->current_cert=xs; | |
703 | ok=(*cb)(0,ctx); | |
704 | if (!ok) goto end; | |
705 | } | |
706 | if (i > 0) | |
707 | { | |
708 | ctx->error=X509_V_ERR_CERT_NOT_YET_VALID; | |
709 | ctx->current_cert=xs; | |
710 | ok=(*cb)(0,ctx); | |
711 | if (!ok) goto end; | |
712 | } | |
713 | xs->valid=1; | |
714 | } | |
715 | ||
bbb72003 | 716 | i=X509_cmp_time(X509_get_notAfter(xs), ptime); |
d02b48c6 RE |
717 | if (i == 0) |
718 | { | |
719 | ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; | |
720 | ctx->current_cert=xs; | |
721 | ok=(*cb)(0,ctx); | |
722 | if (!ok) goto end; | |
723 | } | |
724 | ||
725 | if (i < 0) | |
726 | { | |
727 | ctx->error=X509_V_ERR_CERT_HAS_EXPIRED; | |
728 | ctx->current_cert=xs; | |
729 | ok=(*cb)(0,ctx); | |
730 | if (!ok) goto end; | |
731 | } | |
732 | ||
d02b48c6 RE |
733 | /* The last error (if any) is still in the error value */ |
734 | ctx->current_cert=xs; | |
735 | ok=(*cb)(1,ctx); | |
736 | if (!ok) goto end; | |
737 | ||
738 | n--; | |
739 | if (n >= 0) | |
740 | { | |
741 | xi=xs; | |
7e258a56 | 742 | xs=sk_X509_value(ctx->chain,n); |
d02b48c6 RE |
743 | } |
744 | } | |
745 | ok=1; | |
746 | end: | |
f684090c | 747 | return ok; |
d02b48c6 RE |
748 | } |
749 | ||
284ef5f3 | 750 | int X509_cmp_current_time(ASN1_TIME *ctm) |
bbb72003 DSH |
751 | { |
752 | return X509_cmp_time(ctm, NULL); | |
753 | } | |
754 | ||
755 | int X509_cmp_time(ASN1_TIME *ctm, time_t *cmp_time) | |
d02b48c6 RE |
756 | { |
757 | char *str; | |
284ef5f3 | 758 | ASN1_TIME atm; |
d02b48c6 RE |
759 | time_t offset; |
760 | char buff1[24],buff2[24],*p; | |
761 | int i,j; | |
762 | ||
763 | p=buff1; | |
764 | i=ctm->length; | |
765 | str=(char *)ctm->data; | |
82aec1cc BM |
766 | if (ctm->type == V_ASN1_UTCTIME) |
767 | { | |
f684090c | 768 | if ((i < 11) || (i > 17)) return 0; |
284ef5f3 DSH |
769 | memcpy(p,str,10); |
770 | p+=10; | |
771 | str+=10; | |
82aec1cc BM |
772 | } |
773 | else | |
774 | { | |
775 | if (i < 13) return 0; | |
284ef5f3 DSH |
776 | memcpy(p,str,12); |
777 | p+=12; | |
778 | str+=12; | |
82aec1cc | 779 | } |
d02b48c6 RE |
780 | |
781 | if ((*str == 'Z') || (*str == '-') || (*str == '+')) | |
782 | { *(p++)='0'; *(p++)='0'; } | |
284ef5f3 DSH |
783 | else |
784 | { | |
785 | *(p++)= *(str++); | |
786 | *(p++)= *(str++); | |
787 | /* Skip any fractional seconds... */ | |
82aec1cc | 788 | if (*str == '.') |
284ef5f3 DSH |
789 | { |
790 | str++; | |
b7c190d9 | 791 | while ((*str >= '0') && (*str <= '9')) str++; |
284ef5f3 | 792 | } |
82aec1cc BM |
793 | |
794 | } | |
d02b48c6 RE |
795 | *(p++)='Z'; |
796 | *(p++)='\0'; | |
797 | ||
798 | if (*str == 'Z') | |
799 | offset=0; | |
800 | else | |
801 | { | |
802 | if ((*str != '+') && (str[5] != '-')) | |
f684090c | 803 | return 0; |
d02b48c6 RE |
804 | offset=((str[1]-'0')*10+(str[2]-'0'))*60; |
805 | offset+=(str[3]-'0')*10+(str[4]-'0'); | |
806 | if (*str == '-') | |
dfeab068 | 807 | offset= -offset; |
d02b48c6 | 808 | } |
284ef5f3 | 809 | atm.type=ctm->type; |
d02b48c6 RE |
810 | atm.length=sizeof(buff2); |
811 | atm.data=(unsigned char *)buff2; | |
812 | ||
bbb72003 | 813 | X509_time_adj(&atm,-offset*60, cmp_time); |
d02b48c6 | 814 | |
b7c190d9 | 815 | if (ctm->type == V_ASN1_UTCTIME) |
284ef5f3 DSH |
816 | { |
817 | i=(buff1[0]-'0')*10+(buff1[1]-'0'); | |
818 | if (i < 50) i+=100; /* cf. RFC 2459 */ | |
819 | j=(buff2[0]-'0')*10+(buff2[1]-'0'); | |
820 | if (j < 50) j+=100; | |
d02b48c6 | 821 | |
f684090c BM |
822 | if (i < j) return -1; |
823 | if (i > j) return 1; | |
284ef5f3 | 824 | } |
d02b48c6 RE |
825 | i=strcmp(buff1,buff2); |
826 | if (i == 0) /* wait a second then return younger :-) */ | |
f684090c | 827 | return -1; |
d02b48c6 | 828 | else |
f684090c | 829 | return i; |
d02b48c6 RE |
830 | } |
831 | ||
284ef5f3 | 832 | ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj) |
bbb72003 DSH |
833 | { |
834 | return X509_time_adj(s, adj, NULL); | |
835 | } | |
836 | ||
837 | ASN1_TIME *X509_time_adj(ASN1_TIME *s, long adj, time_t *in_tm) | |
d02b48c6 RE |
838 | { |
839 | time_t t; | |
ba8e2824 | 840 | int type = -1; |
d02b48c6 | 841 | |
b7c190d9 | 842 | if (in_tm) t = *in_tm; |
bbb72003 DSH |
843 | else time(&t); |
844 | ||
d02b48c6 | 845 | t+=adj; |
ba8e2824 DSH |
846 | if (s) type = s->type; |
847 | if (type == V_ASN1_UTCTIME) return ASN1_UTCTIME_set(s,t); | |
848 | if (type == V_ASN1_GENERALIZEDTIME) return ASN1_GENERALIZEDTIME_set(s, t); | |
849 | return ASN1_TIME_set(s, t); | |
d02b48c6 RE |
850 | } |
851 | ||
7e258a56 | 852 | int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) |
d02b48c6 RE |
853 | { |
854 | EVP_PKEY *ktmp=NULL,*ktmp2; | |
855 | int i,j; | |
856 | ||
f684090c | 857 | if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1; |
d02b48c6 | 858 | |
7e258a56 | 859 | for (i=0; i<sk_X509_num(chain); i++) |
d02b48c6 | 860 | { |
7e258a56 | 861 | ktmp=X509_get_pubkey(sk_X509_value(chain,i)); |
d02b48c6 RE |
862 | if (ktmp == NULL) |
863 | { | |
864 | X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY); | |
f684090c | 865 | return 0; |
d02b48c6 RE |
866 | } |
867 | if (!EVP_PKEY_missing_parameters(ktmp)) | |
868 | break; | |
869 | else | |
870 | { | |
cfcf6453 | 871 | EVP_PKEY_free(ktmp); |
d02b48c6 RE |
872 | ktmp=NULL; |
873 | } | |
874 | } | |
875 | if (ktmp == NULL) | |
876 | { | |
877 | X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN); | |
f684090c | 878 | return 0; |
d02b48c6 RE |
879 | } |
880 | ||
881 | /* first, populate the other certs */ | |
882 | for (j=i-1; j >= 0; j--) | |
883 | { | |
7e258a56 | 884 | ktmp2=X509_get_pubkey(sk_X509_value(chain,j)); |
d02b48c6 | 885 | EVP_PKEY_copy_parameters(ktmp2,ktmp); |
cfcf6453 | 886 | EVP_PKEY_free(ktmp2); |
d02b48c6 RE |
887 | } |
888 | ||
cfcf6453 DSH |
889 | if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp); |
890 | EVP_PKEY_free(ktmp); | |
f684090c | 891 | return 1; |
d02b48c6 RE |
892 | } |
893 | ||
dd9d233e DSH |
894 | int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, |
895 | CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) | |
3ac82faa BM |
896 | { |
897 | /* This function is (usually) called only once, by | |
79aa04ef GT |
898 | * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */ |
899 | return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp, | |
900 | new_func, dup_func, free_func); | |
3ac82faa | 901 | } |
58964a49 | 902 | |
6b691a5c | 903 | int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) |
58964a49 | 904 | { |
f684090c | 905 | return CRYPTO_set_ex_data(&ctx->ex_data,idx,data); |
58964a49 RE |
906 | } |
907 | ||
6b691a5c | 908 | void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) |
58964a49 | 909 | { |
f684090c | 910 | return CRYPTO_get_ex_data(&ctx->ex_data,idx); |
58964a49 RE |
911 | } |
912 | ||
6b691a5c | 913 | int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) |
58964a49 | 914 | { |
f684090c | 915 | return ctx->error; |
58964a49 RE |
916 | } |
917 | ||
6b691a5c | 918 | void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) |
58964a49 RE |
919 | { |
920 | ctx->error=err; | |
921 | } | |
922 | ||
6b691a5c | 923 | int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) |
58964a49 | 924 | { |
f684090c | 925 | return ctx->error_depth; |
58964a49 RE |
926 | } |
927 | ||
6b691a5c | 928 | X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) |
58964a49 | 929 | { |
f684090c | 930 | return ctx->current_cert; |
58964a49 RE |
931 | } |
932 | ||
7e258a56 | 933 | STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx) |
58964a49 | 934 | { |
f684090c | 935 | return ctx->chain; |
58964a49 RE |
936 | } |
937 | ||
c7cb16a8 | 938 | STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) |
25f923dd DSH |
939 | { |
940 | int i; | |
941 | X509 *x; | |
942 | STACK_OF(X509) *chain; | |
b7c190d9 BM |
943 | if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL; |
944 | for (i = 0; i < sk_X509_num(chain); i++) | |
82aec1cc | 945 | { |
25f923dd DSH |
946 | x = sk_X509_value(chain, i); |
947 | CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); | |
82aec1cc | 948 | } |
f684090c | 949 | return chain; |
25f923dd DSH |
950 | } |
951 | ||
6b691a5c | 952 | void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) |
58964a49 RE |
953 | { |
954 | ctx->cert=x; | |
955 | } | |
956 | ||
6b691a5c | 957 | void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) |
58964a49 RE |
958 | { |
959 | ctx->untrusted=sk; | |
960 | } | |
961 | ||
13938ace | 962 | int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) |
11262391 | 963 | { |
13938ace | 964 | return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0); |
11262391 DSH |
965 | } |
966 | ||
bb7cd4e3 | 967 | int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) |
11262391 | 968 | { |
bb7cd4e3 | 969 | return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust); |
11262391 DSH |
970 | } |
971 | ||
13938ace DSH |
972 | /* This function is used to set the X509_STORE_CTX purpose and trust |
973 | * values. This is intended to be used when another structure has its | |
974 | * own trust and purpose values which (if set) will be inherited by | |
975 | * the ctx. If they aren't set then we will usually have a default | |
976 | * purpose in mind which should then be used to set the trust value. | |
977 | * An example of this is SSL use: an SSL structure will have its own | |
978 | * purpose and trust settings which the application can set: if they | |
979 | * aren't set then we use the default of SSL client/server. | |
980 | */ | |
981 | ||
982 | int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, | |
983 | int purpose, int trust) | |
51630a37 | 984 | { |
51630a37 | 985 | int idx; |
13938ace | 986 | /* If purpose not set use default */ |
82aec1cc | 987 | if (!purpose) purpose = def_purpose; |
13938ace | 988 | /* If we have a purpose then check it is valid */ |
82aec1cc BM |
989 | if (purpose) |
990 | { | |
068fdce8 | 991 | X509_PURPOSE *ptmp; |
13938ace | 992 | idx = X509_PURPOSE_get_by_id(purpose); |
b7c190d9 | 993 | if (idx == -1) |
82aec1cc | 994 | { |
13938ace DSH |
995 | X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, |
996 | X509_R_UNKNOWN_PURPOSE_ID); | |
997 | return 0; | |
82aec1cc | 998 | } |
068fdce8 | 999 | ptmp = X509_PURPOSE_get0(idx); |
b7c190d9 | 1000 | if (ptmp->trust == X509_TRUST_DEFAULT) |
82aec1cc | 1001 | { |
068fdce8 | 1002 | idx = X509_PURPOSE_get_by_id(def_purpose); |
b7c190d9 | 1003 | if (idx == -1) |
82aec1cc | 1004 | { |
068fdce8 DSH |
1005 | X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, |
1006 | X509_R_UNKNOWN_PURPOSE_ID); | |
1007 | return 0; | |
82aec1cc | 1008 | } |
6d0d5431 | 1009 | ptmp = X509_PURPOSE_get0(idx); |
82aec1cc | 1010 | } |
068fdce8 | 1011 | /* If trust not set then get from purpose default */ |
b7c190d9 | 1012 | if (!trust) trust = ptmp->trust; |
82aec1cc | 1013 | } |
b7c190d9 | 1014 | if (trust) |
82aec1cc | 1015 | { |
13938ace | 1016 | idx = X509_TRUST_get_by_id(trust); |
b7c190d9 | 1017 | if (idx == -1) |
82aec1cc | 1018 | { |
13938ace DSH |
1019 | X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, |
1020 | X509_R_UNKNOWN_TRUST_ID); | |
1021 | return 0; | |
82aec1cc | 1022 | } |
13938ace | 1023 | } |
13938ace | 1024 | |
bdee69f7 DSH |
1025 | if (purpose && !ctx->purpose) ctx->purpose = purpose; |
1026 | if (trust && !ctx->trust) ctx->trust = trust; | |
51630a37 DSH |
1027 | return 1; |
1028 | } | |
1029 | ||
2f043896 DSH |
1030 | X509_STORE_CTX *X509_STORE_CTX_new(void) |
1031 | { | |
1032 | X509_STORE_CTX *ctx; | |
1033 | ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX)); | |
79aa04ef GT |
1034 | if (!ctx) |
1035 | { | |
1036 | X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE); | |
1037 | return NULL; | |
1038 | } | |
1039 | memset(ctx, 0, sizeof(X509_STORE_CTX)); | |
2f043896 DSH |
1040 | return ctx; |
1041 | } | |
1042 | ||
1043 | void X509_STORE_CTX_free(X509_STORE_CTX *ctx) | |
1044 | { | |
1045 | X509_STORE_CTX_cleanup(ctx); | |
1046 | OPENSSL_free(ctx); | |
1047 | } | |
1048 | ||
79aa04ef | 1049 | int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, |
2f043896 DSH |
1050 | STACK_OF(X509) *chain) |
1051 | { | |
1052 | ctx->ctx=store; | |
1053 | ctx->current_method=0; | |
1054 | ctx->cert=x509; | |
1055 | ctx->untrusted=chain; | |
1056 | ctx->last_untrusted=0; | |
bdee69f7 DSH |
1057 | ctx->purpose=store->purpose; |
1058 | ctx->trust=store->trust; | |
82aec1cc BM |
1059 | ctx->check_time=0; |
1060 | ctx->flags=0; | |
1061 | ctx->other_ctx=NULL; | |
2f043896 DSH |
1062 | ctx->valid=0; |
1063 | ctx->chain=NULL; | |
1064 | ctx->depth=9; | |
1065 | ctx->error=0; | |
82aec1cc | 1066 | ctx->error_depth=0; |
2f043896 DSH |
1067 | ctx->current_cert=NULL; |
1068 | ctx->current_issuer=NULL; | |
bdee69f7 DSH |
1069 | |
1070 | /* Inherit callbacks and flags from X509_STORE if not set | |
1071 | * use defaults. | |
1072 | */ | |
1073 | ||
1074 | ctx->flags = store->flags; | |
1075 | ||
1076 | if (store->check_issued) | |
1077 | ctx->check_issued = store->check_issued; | |
1078 | else | |
1079 | ctx->check_issued = check_issued; | |
1080 | ||
1081 | if (store->get_issuer) | |
1082 | ctx->get_issuer = store->get_issuer; | |
1083 | else | |
1084 | ctx->get_issuer = X509_STORE_CTX_get1_issuer; | |
1085 | ||
1086 | if (store->verify_cb) | |
1087 | ctx->verify_cb = store->verify_cb; | |
1088 | else | |
1089 | ctx->verify_cb = null_callback; | |
1090 | ||
1091 | if (store->verify) | |
1092 | ctx->verify = store->verify; | |
1093 | else | |
1094 | ctx->verify = internal_verify; | |
1095 | ||
1096 | if (store->check_revocation) | |
1097 | ctx->check_revocation = store->check_revocation; | |
1098 | else | |
1099 | ctx->check_revocation = check_revocation; | |
1100 | ||
1101 | if (store->get_crl) | |
1102 | ctx->get_crl = store->get_crl; | |
1103 | else | |
1104 | ctx->get_crl = get_crl; | |
1105 | ||
1106 | if (store->check_crl) | |
1107 | ctx->check_crl = store->check_crl; | |
1108 | else | |
1109 | ctx->check_crl = check_crl; | |
1110 | ||
1111 | if (store->cert_crl) | |
1112 | ctx->cert_crl = store->cert_crl; | |
1113 | else | |
1114 | ctx->cert_crl = cert_crl; | |
1115 | ||
1116 | ctx->cleanup = store->cleanup; | |
1117 | ||
79aa04ef GT |
1118 | /* This memset() can't make any sense anyway, so it's removed. As |
1119 | * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a | |
1120 | * corresponding "new" here and remove this bogus initialisation. */ | |
1121 | /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */ | |
1122 | if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, | |
1123 | &(ctx->ex_data))) | |
1124 | { | |
1125 | OPENSSL_free(ctx); | |
1126 | X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); | |
1127 | return 0; | |
1128 | } | |
1129 | return 1; | |
2f043896 DSH |
1130 | } |
1131 | ||
1132 | /* Set alternative lookup method: just a STACK of trusted certificates. | |
1133 | * This avoids X509_STORE nastiness where it isn't needed. | |
1134 | */ | |
1135 | ||
1136 | void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) | |
1137 | { | |
1138 | ctx->other_ctx = sk; | |
1139 | ctx->get_issuer = get_issuer_sk; | |
1140 | } | |
1141 | ||
1142 | void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) | |
1143 | { | |
b7c190d9 | 1144 | if (ctx->cleanup) ctx->cleanup(ctx); |
2f043896 DSH |
1145 | if (ctx->chain != NULL) |
1146 | { | |
1147 | sk_X509_pop_free(ctx->chain,X509_free); | |
1148 | ctx->chain=NULL; | |
1149 | } | |
79aa04ef | 1150 | CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data)); |
2f043896 DSH |
1151 | memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA)); |
1152 | } | |
13938ace | 1153 | |
bbb72003 DSH |
1154 | void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, long flags) |
1155 | { | |
f684090c | 1156 | ctx->flags |= flags; |
bbb72003 DSH |
1157 | } |
1158 | ||
1159 | void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, long flags, time_t t) | |
1160 | { | |
f684090c BM |
1161 | ctx->check_time = t; |
1162 | ctx->flags |= X509_V_FLAG_USE_CHECK_TIME; | |
bbb72003 DSH |
1163 | } |
1164 | ||
db089ad6 LJ |
1165 | void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, |
1166 | int (*verify_cb)(int, X509_STORE_CTX *)) | |
1167 | { | |
1168 | ctx->verify_cb=verify_cb; | |
1169 | } | |
1170 | ||
f73e07cf BL |
1171 | IMPLEMENT_STACK_OF(X509) |
1172 | IMPLEMENT_ASN1_SET_OF(X509) | |
d500de16 | 1173 | |
f73e07cf | 1174 | IMPLEMENT_STACK_OF(X509_NAME) |
d500de16 | 1175 | |
f5fedc04 | 1176 | IMPLEMENT_STACK_OF(X509_ATTRIBUTE) |
d500de16 | 1177 | IMPLEMENT_ASN1_SET_OF(X509_ATTRIBUTE) |