]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/x509/x509_vfy.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
*** empty log message ***
[thirdparty/openssl.git] / crypto / x509 / x509_vfy.c
1 /* crypto/x509/x509_vfy.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59 #include <stdio.h>
60 #include <time.h>
61 #include <errno.h>
62 #include <sys/types.h>
63 #include <sys/stat.h>
64
65 #include "crypto.h"
66 #include "cryptlib.h"
67 #include "lhash.h"
68 #include "buffer.h"
69 #include "evp.h"
70 #include "asn1.h"
71 #include "x509.h"
72 #include "objects.h"
73 #include "pem.h"
74
75 #ifndef NOPROTO
76 static int null_callback(int ok,X509_STORE_CTX *e);
77 static int internal_verify(X509_STORE_CTX *ctx);
78 #else
79 static int null_callback();
80 static int internal_verify();
81 #endif
82
83 char *X509_version="X.509 part of OpenSSL 0.9.1c 23-Dec-1998";
84 static STACK *x509_store_ctx_method=NULL;
85 static int x509_store_ctx_num=0;
86 #if 0
87 static int x509_store_num=1;
88 static STACK *x509_store_method=NULL;
89 #endif
90
91 static int null_callback(ok,e)
92 int ok;
93 X509_STORE_CTX *e;
94 {
95 return(ok);
96 }
97
98 #if 0
99 static int x509_subject_cmp(a,b)
100 X509 **a,**b;
101 {
102 return(X509_subject_name_cmp(*a,*b));
103 }
104 #endif
105
106 int X509_verify_cert(ctx)
107 X509_STORE_CTX *ctx;
108 {
109 X509 *x,*xtmp,*chain_ss=NULL;
110 X509_NAME *xn;
111 X509_OBJECT obj;
112 int depth,i,ok=0;
113 int num;
114 int (*cb)();
115 STACK *sktmp=NULL;
116
117 if (ctx->cert == NULL)
118 {
119 X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
120 return(-1);
121 }
122
123 cb=ctx->ctx->verify_cb;
124 if (cb == NULL) cb=null_callback;
125
126 /* first we make sure the chain we are going to build is
127 * present and that the first entry is in place */
128 if (ctx->chain == NULL)
129 {
130 if ( ((ctx->chain=sk_new_null()) == NULL) ||
131 (!sk_push(ctx->chain,(char *)ctx->cert)))
132 {
133 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
134 goto end;
135 }
136 CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
137 ctx->last_untrusted=1;
138 }
139
140 /* We use a temporary so we can chop and hack at it */
141 if ((ctx->untrusted != NULL) && (sktmp=sk_dup(ctx->untrusted)) == NULL)
142 {
143 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
144 goto end;
145 }
146
147 num=sk_num(ctx->chain);
148 x=(X509 *)sk_value(ctx->chain,num-1);
149 depth=ctx->depth;
150
151
152 for (;;)
153 {
154 /* If we have enough, we break */
155 if (depth <= num) break;
156
157 /* If we are self signed, we break */
158 xn=X509_get_issuer_name(x);
159 if (X509_NAME_cmp(X509_get_subject_name(x),xn) == 0)
160 break;
161
162 /* If we were passed a cert chain, use it first */
163 if (ctx->untrusted != NULL)
164 {
165 xtmp=X509_find_by_subject(sktmp,xn);
166 if (xtmp != NULL)
167 {
168 if (!sk_push(ctx->chain,(char *)xtmp))
169 {
170 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
171 goto end;
172 }
173 CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509);
174 sk_delete_ptr(sktmp,(char *)xtmp);
175 ctx->last_untrusted++;
176 x=xtmp;
177 num++;
178 /* reparse the full chain for
179 * the next one */
180 continue;
181 }
182 }
183 break;
184 }
185
186 /* at this point, chain should contain a list of untrusted
187 * certificates. We now need to add at least one trusted one,
188 * if possible, otherwise we complain. */
189
190 i=sk_num(ctx->chain);
191 x=(X509 *)sk_value(ctx->chain,i-1);
192 if (X509_NAME_cmp(X509_get_subject_name(x),X509_get_issuer_name(x))
193 == 0)
194 {
195 /* we have a self signed certificate */
196 if (sk_num(ctx->chain) == 1)
197 {
198 ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
199 ctx->current_cert=x;
200 ctx->error_depth=i-1;
201 ok=cb(0,ctx);
202 if (!ok) goto end;
203 }
204 else
205 {
206 /* worry more about this one elsewhere */
207 chain_ss=(X509 *)sk_pop(ctx->chain);
208 ctx->last_untrusted--;
209 num--;
210 x=(X509 *)sk_value(ctx->chain,num-1);
211 }
212 }
213
214 /* We now lookup certs from the certificate store */
215 for (;;)
216 {
217 /* If we have enough, we break */
218 if (depth <= num) break;
219
220 /* If we are self signed, we break */
221 xn=X509_get_issuer_name(x);
222 if (X509_NAME_cmp(X509_get_subject_name(x),xn) == 0)
223 break;
224
225 ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
226 if (ok != X509_LU_X509)
227 {
228 if (ok == X509_LU_RETRY)
229 {
230 X509_OBJECT_free_contents(&obj);
231 X509err(X509_F_X509_VERIFY_CERT,X509_R_SHOULD_RETRY);
232 return(ok);
233 }
234 else if (ok != X509_LU_FAIL)
235 {
236 X509_OBJECT_free_contents(&obj);
237 /* not good :-(, break anyway */
238 return(ok);
239 }
240 break;
241 }
242 x=obj.data.x509;
243 if (!sk_push(ctx->chain,(char *)obj.data.x509))
244 {
245 X509_OBJECT_free_contents(&obj);
246 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
247 return(0);
248 }
249 num++;
250 }
251
252 /* we now have our chain, lets check it... */
253 xn=X509_get_issuer_name(x);
254 if (X509_NAME_cmp(X509_get_subject_name(x),xn) != 0)
255 {
256 if ((chain_ss == NULL) || (X509_NAME_cmp(X509_get_subject_name(chain_ss),xn) != 0))
257 {
258 if (ctx->last_untrusted >= num)
259 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
260 else
261 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
262 ctx->current_cert=x;
263 }
264 else
265 {
266
267 sk_push(ctx->chain,(char *)chain_ss);
268 num++;
269 ctx->last_untrusted=num;
270 ctx->current_cert=chain_ss;
271 ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
272 chain_ss=NULL;
273 }
274
275 ctx->error_depth=num-1;
276 ok=cb(0,ctx);
277 if (!ok) goto end;
278 }
279
280 /* We may as well copy down any DSA parameters that are required */
281 X509_get_pubkey_parameters(NULL,ctx->chain);
282
283 /* At this point, we have a chain and just need to verify it */
284 if (ctx->ctx->verify != NULL)
285 ok=ctx->ctx->verify(ctx);
286 else
287 ok=internal_verify(ctx);
288 if (0)
289 {
290 end:
291 X509_get_pubkey_parameters(NULL,ctx->chain);
292 }
293 if (sktmp != NULL) sk_free(sktmp);
294 if (chain_ss != NULL) X509_free(chain_ss);
295 return(ok);
296 }
297
298 static int internal_verify(ctx)
299 X509_STORE_CTX *ctx;
300 {
301 int i,ok=0,n;
302 X509 *xs,*xi;
303 EVP_PKEY *pkey=NULL;
304 int (*cb)();
305
306 cb=ctx->ctx->verify_cb;
307 if (cb == NULL) cb=null_callback;
308
309 n=sk_num(ctx->chain);
310 ctx->error_depth=n-1;
311 n--;
312 xi=(X509 *)sk_value(ctx->chain,n);
313 if (X509_NAME_cmp(X509_get_subject_name(xi),
314 X509_get_issuer_name(xi)) == 0)
315 xs=xi;
316 else
317 {
318 if (n <= 0)
319 {
320 ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
321 ctx->current_cert=xi;
322 ok=cb(0,ctx);
323 goto end;
324 }
325 else
326 {
327 n--;
328 ctx->error_depth=n;
329 xs=(X509 *)sk_value(ctx->chain,n);
330 }
331 }
332
333 /* ctx->error=0; not needed */
334 while (n >= 0)
335 {
336 ctx->error_depth=n;
337 if (!xs->valid)
338 {
339 if ((pkey=X509_get_pubkey(xi)) == NULL)
340 {
341 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
342 ctx->current_cert=xi;
343 ok=(*cb)(0,ctx);
344 if (!ok) goto end;
345 }
346 if (X509_verify(xs,pkey) <= 0)
347 {
348 ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
349 ctx->current_cert=xs;
350 ok=(*cb)(0,ctx);
351 if (!ok) goto end;
352 }
353 pkey=NULL;
354
355 i=X509_cmp_current_time(X509_get_notBefore(xs));
356 if (i == 0)
357 {
358 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
359 ctx->current_cert=xs;
360 ok=(*cb)(0,ctx);
361 if (!ok) goto end;
362 }
363 if (i > 0)
364 {
365 ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
366 ctx->current_cert=xs;
367 ok=(*cb)(0,ctx);
368 if (!ok) goto end;
369 }
370 xs->valid=1;
371 }
372
373 i=X509_cmp_current_time(X509_get_notAfter(xs));
374 if (i == 0)
375 {
376 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
377 ctx->current_cert=xs;
378 ok=(*cb)(0,ctx);
379 if (!ok) goto end;
380 }
381
382 if (i < 0)
383 {
384 ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
385 ctx->current_cert=xs;
386 ok=(*cb)(0,ctx);
387 if (!ok) goto end;
388 }
389
390 /* CRL CHECK */
391
392 /* The last error (if any) is still in the error value */
393 ctx->current_cert=xs;
394 ok=(*cb)(1,ctx);
395 if (!ok) goto end;
396
397 n--;
398 if (n >= 0)
399 {
400 xi=xs;
401 xs=(X509 *)sk_value(ctx->chain,n);
402 }
403 }
404 ok=1;
405 end:
406 return(ok);
407 }
408
409 int X509_cmp_current_time(ctm)
410 ASN1_UTCTIME *ctm;
411 {
412 char *str;
413 ASN1_UTCTIME atm;
414 time_t offset;
415 char buff1[24],buff2[24],*p;
416 int i,j;
417
418 p=buff1;
419 i=ctm->length;
420 str=(char *)ctm->data;
421 if ((i < 11) || (i > 17)) return(0);
422 memcpy(p,str,10);
423 p+=10;
424 str+=10;
425
426 if ((*str == 'Z') || (*str == '-') || (*str == '+'))
427 { *(p++)='0'; *(p++)='0'; }
428 else { *(p++)= *(str++); *(p++)= *(str++); }
429 *(p++)='Z';
430 *(p++)='\0';
431
432 if (*str == 'Z')
433 offset=0;
434 else
435 {
436 if ((*str != '+') && (str[5] != '-'))
437 return(0);
438 offset=((str[1]-'0')*10+(str[2]-'0'))*60;
439 offset+=(str[3]-'0')*10+(str[4]-'0');
440 if (*str == '-')
441 offset= -offset;
442 }
443 atm.type=V_ASN1_UTCTIME;
444 atm.length=sizeof(buff2);
445 atm.data=(unsigned char *)buff2;
446
447 X509_gmtime_adj(&atm,-offset);
448
449 i=(buff1[0]-'0')*10+(buff1[1]-'0');
450 if (i < 70) i+=100;
451 j=(buff2[0]-'0')*10+(buff2[1]-'0');
452 if (j < 70) j+=100;
453
454 if (i < j) return (-1);
455 if (i > j) return (1);
456 i=strcmp(buff1,buff2);
457 if (i == 0) /* wait a second then return younger :-) */
458 return(-1);
459 else
460 return(i);
461 }
462
463 ASN1_UTCTIME *X509_gmtime_adj(s, adj)
464 ASN1_UTCTIME *s;
465 long adj;
466 {
467 time_t t;
468
469 time(&t);
470 t+=adj;
471 return(ASN1_UTCTIME_set(s,t));
472 }
473
474 int X509_get_pubkey_parameters(pkey,chain)
475 EVP_PKEY *pkey;
476 STACK *chain;
477 {
478 EVP_PKEY *ktmp=NULL,*ktmp2;
479 int i,j;
480
481 if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return(1);
482
483 for (i=0; i<sk_num(chain); i++)
484 {
485 ktmp=X509_get_pubkey((X509 *)sk_value(chain,i));
486 if (ktmp == NULL)
487 {
488 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
489 return(0);
490 }
491 if (!EVP_PKEY_missing_parameters(ktmp))
492 break;
493 else
494 {
495 ktmp=NULL;
496 }
497 }
498 if (ktmp == NULL)
499 {
500 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
501 return(0);
502 }
503
504 /* first, populate the other certs */
505 for (j=i-1; j >= 0; j--)
506 {
507 ktmp2=X509_get_pubkey((X509 *)sk_value(chain,j));
508 EVP_PKEY_copy_parameters(ktmp2,ktmp);
509 }
510
511 if (pkey != NULL)
512 EVP_PKEY_copy_parameters(pkey,ktmp);
513 return(1);
514 }
515
516 int X509_STORE_add_cert(ctx,x)
517 X509_STORE *ctx;
518 X509 *x;
519 {
520 X509_OBJECT *obj,*r;
521 int ret=1;
522
523 if (x == NULL) return(0);
524 obj=(X509_OBJECT *)Malloc(sizeof(X509_OBJECT));
525 if (obj == NULL)
526 {
527 X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE);
528 return(0);
529 }
530 obj->type=X509_LU_X509;
531 obj->data.x509=x;
532
533 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
534
535 X509_OBJECT_up_ref_count(obj);
536
537 r=(X509_OBJECT *)lh_insert(ctx->certs,(char *)obj);
538 if (r != NULL)
539 { /* oops, put it back */
540 lh_delete(ctx->certs,(char *)obj);
541 X509_OBJECT_free_contents(obj);
542 Free(obj);
543 lh_insert(ctx->certs,(char *)r);
544 X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE);
545 ret=0;
546 }
547
548 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
549
550 return(ret);
551 }
552
553 int X509_STORE_add_crl(ctx,x)
554 X509_STORE *ctx;
555 X509_CRL *x;
556 {
557 X509_OBJECT *obj,*r;
558 int ret=1;
559
560 if (x == NULL) return(0);
561 obj=(X509_OBJECT *)Malloc(sizeof(X509_OBJECT));
562 if (obj == NULL)
563 {
564 X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE);
565 return(0);
566 }
567 obj->type=X509_LU_CRL;
568 obj->data.crl=x;
569
570 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
571
572 X509_OBJECT_up_ref_count(obj);
573
574 r=(X509_OBJECT *)lh_insert(ctx->certs,(char *)obj);
575 if (r != NULL)
576 { /* oops, put it back */
577 lh_delete(ctx->certs,(char *)obj);
578 X509_OBJECT_free_contents(obj);
579 Free(obj);
580 lh_insert(ctx->certs,(char *)r);
581 X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE);
582 ret=0;
583 }
584
585 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
586
587 return(ret);
588 }
589
590 int X509_STORE_CTX_get_ex_new_index(argl,argp,new_func,dup_func,free_func)
591 long argl;
592 char *argp;
593 int (*new_func)();
594 int (*dup_func)();
595 void (*free_func)();
596 {
597 x509_store_ctx_num++;
598 return(CRYPTO_get_ex_new_index(x509_store_ctx_num-1,
599 &x509_store_ctx_method,
600 argl,argp,new_func,dup_func,free_func));
601 }
602
603 int X509_STORE_CTX_set_ex_data(ctx,idx,data)
604 X509_STORE_CTX *ctx;
605 int idx;
606 char *data;
607 {
608 return(CRYPTO_set_ex_data(&ctx->ex_data,idx,data));
609 }
610
611 char *X509_STORE_CTX_get_ex_data(ctx,idx)
612 X509_STORE_CTX *ctx;
613 int idx;
614 {
615 return(CRYPTO_get_ex_data(&ctx->ex_data,idx));
616 }
617
618 int X509_STORE_CTX_get_error(ctx)
619 X509_STORE_CTX *ctx;
620 {
621 return(ctx->error);
622 }
623
624 void X509_STORE_CTX_set_error(ctx,err)
625 X509_STORE_CTX *ctx;
626 int err;
627 {
628 ctx->error=err;
629 }
630
631 int X509_STORE_CTX_get_error_depth(ctx)
632 X509_STORE_CTX *ctx;
633 {
634 return(ctx->error_depth);
635 }
636
637 X509 *X509_STORE_CTX_get_current_cert(ctx)
638 X509_STORE_CTX *ctx;
639 {
640 return(ctx->current_cert);
641 }
642
643 STACK *X509_STORE_CTX_get_chain(ctx)
644 X509_STORE_CTX *ctx;
645 {
646 return(ctx->chain);
647 }
648
649 void X509_STORE_CTX_set_cert(ctx,x)
650 X509_STORE_CTX *ctx;
651 X509 *x;
652 {
653 ctx->cert=x;
654 }
655
656 void X509_STORE_CTX_set_chain(ctx,sk)
657 X509_STORE_CTX *ctx;
658 STACK *sk;
659 {
660 ctx->untrusted=sk;
661 }
662
663
A mirror of the official openssl repository