Revert "Fix 11: validate certificates against its corresponding CRL."

author Alberto Leiva Popper <ydahhrk@gmail.com>

Wed, 24 Jul 2019 16:51:58 +0000 (11:51 -0500)

committer Alberto Leiva Popper <ydahhrk@gmail.com>

Wed, 24 Jul 2019 16:51:58 +0000 (11:51 -0500)
author Alberto Leiva Popper <ydahhrk@gmail.com>
Wed, 24 Jul 2019 16:51:58 +0000 (11:51 -0500)
committer Alberto Leiva Popper <ydahhrk@gmail.com>
Wed, 24 Jul 2019 16:51:58 +0000 (11:51 -0500)
diff --git a/src/asn1/signed_data.c b/src/asn1/signed_data.c

index e85206ff3d844556424243533b664285224b9256..d4a1a7ef53fbf243b3d722ec16a04eb4000ebe32 100644 (file)
--- a/src/asn1/signed_data.c
+++ b/src/asn1/signed_data.c
@@ -24,8 +24,7 @@ int
  signed_object_args_init(struct signed_object_args *args,
      struct rpki_uri *uri,
      STACK_OF(X509_CRL) *crls,
-    bool force_inherit,
-    bool use_crldp)
+    bool force_inherit)
  {
         args->res = resources_create(force_inherit);
         if (args->res == NULL)
@@ -33,7 +32,6 @@ signed_object_args_init(struct signed_object_args *args,
  
         args->uri = uri;
         args->crls = crls;
-       args->use_crldp = use_crldp;
         memset(&args->refs, 0, sizeof(args->refs));
         return 0;
  }
@@ -65,7 +63,6 @@ static int
  handle_sdata_certificate(ANY_t *cert_encoded, struct signed_object_args *args,
      OCTET_STRING_t *sid, ANY_t *signedData, SignatureValue_t *signature)
  {
-       STACK_OF(X509_CRL) *crls;
         const unsigned char *tmp;
         X509 *cert;
         enum rpki_policy policy;
@@ -93,44 +90,25 @@ handle_sdata_certificate(ANY_t *cert_encoded, struct signed_object_args *args,
                 goto end1;
         }
  
-       crls = args->crls;
-       if (args->use_crldp) {
-               crls = sk_X509_CRL_new_null();
-               if (crls == NULL) {
-                       error = pr_enomem();
-                       goto end2;
-               }
-       }
-
-       error = certificate_validate_chain(cert, crls);
+       error = certificate_validate_chain(cert, args->crls);
         if (error)
-               goto end3;
+               goto end2;
         error = certificate_validate_rfc6487(cert, false);
         if (error)
-               goto end3;
+               goto end2;
         error = certificate_validate_extensions_ee(cert, sid, &args->refs,
             &policy);
         if (error)
-               goto end3;
+               goto end2;
         error = certificate_validate_signature(cert, signedData, signature);
         if (error)
-               goto end3;
-
-       /* Validate in CRL at CRLDP */
-       if (args->use_crldp) {
-               error = certificate_revoked_at_crldp(cert, &args->refs);
-               if (error)
-                       goto end3;
-       }
+               goto end2;
  
         resources_set_policy(args->res, policy);
         error = certificate_get_resources(cert, args->res);
         if (error)
-               goto end3;
+               goto end2;
  
-end3:
-       if (args->use_crldp)
-               sk_X509_CRL_free(crls);
  end2:
         X509_free(cert);
  end1:
diff --git a/src/asn1/signed_data.h b/src/asn1/signed_data.h

index 15a0d06ed29c07bc03ad7067338d9bdabc258f17..ed0e5dbd30241cd175cc95223269d9263e34b8ea 100644 (file)
--- a/src/asn1/signed_data.h
+++ b/src/asn1/signed_data.h
@@ -18,8 +18,6 @@ struct signed_object_args {
         STACK_OF(X509_CRL) *crls;
         /** A copy of the resources carried by the embedded certificate. */
         struct resources *res;
-       /** Check if the certificate is revoked at CRLDP, not at crls stack */
-       bool use_crldp;
         /**
          * A bunch of URLs found in the embedded certificate's extensions,
          * recorded for future validation.
@@ -28,7 +26,7 @@ struct signed_object_args {
  };
  
  int signed_object_args_init(struct signed_object_args *, struct rpki_uri *,
-    STACK_OF(X509_CRL) *, bool, bool);
+    STACK_OF(X509_CRL) *, bool);
  void signed_object_args_cleanup(struct signed_object_args *);
  
  int signed_data_decode(ANY_t *, struct signed_object_args *args,
diff --git a/src/object/certificate.c b/src/object/certificate.c

index b64926a0afc347188a16175001554d2ace154b54..37bc077c3a7dcf1ba404f06e11923c29db7b8c1c 100644 (file)
--- a/src/object/certificate.c
+++ b/src/object/certificate.c
@@ -15,7 +15,6 @@
  #include "asn1/oid.h"
  #include "asn1/asn1c/IPAddrBlocks.h"
  #include "crypto/hash.h"
-#include "object/crl.h"
  #include "object/name.h"
  #include "object/manifest.h"
  #include "rsync/rsync.h"
@@ -580,24 +579,6 @@ end:
         return error;
  }
  
-static bool
-cert_revoked(ASN1_INTEGER *serialNumber, X509_CRL *crl)
-{
-       STACK_OF(X509_REVOKED) *revoked;
-       X509_REVOKED *item;
-       int index;
-
-       revoked = X509_CRL_get_REVOKED(crl);
-       for (index = 0; index < sk_X509_REVOKED_num(revoked); index++) {
-               item = sk_X509_REVOKED_value(revoked, index);
-               if (ASN1_INTEGER_cmp(X509_REVOKED_get0_serialNumber(item),
-                   serialNumber) == 0)
-                       return true;
-       }
-
-       return false;
-}
-
  int
  certificate_validate_chain(X509 *cert, STACK_OF(X509_CRL) *crls)
  {
@@ -630,21 +611,7 @@ certificate_validate_chain(X509 *cert, STACK_OF(X509_CRL) *crls)
  
         X509_STORE_CTX_trusted_stack(ctx,
             certstack_get_x509s(validation_certstack(state)));
-
-       /*
-        * The function 'X509_STORE_CTX_set0_crls' could be used with a
-        * 'X509_VERIFY_PARAM' of 'X509_V_FLAG_CRL_CHECK', but this didn't
-        * worked as expected.
-        * 
-        * Instead of that, fetch the last CRL (father's) and check revoked
-        * serials "manually".
-        */
-       if (sk_X509_CRL_num(crls) > 0 &&
-           cert_revoked(X509_get_serialNumber(cert),
-           sk_X509_CRL_value(crls, sk_X509_CRL_num(crls) - 1))) {
-               pr_err("Certificate validation failed: certificate is revoked");
-               goto abort;
-       }
+       X509_STORE_CTX_set0_crls(ctx, crls);
  
         /*
          * HERE'S THE MEAT OF LIBCRYPTO'S VALIDATION.
@@ -685,35 +652,6 @@ abort:
         return -EINVAL;
  }
  
-/*
- * Load the CRL at CRLDP @refs and check if @cert is revoked there
- */
-int
-certificate_revoked_at_crldp(X509 *cert, struct certificate_refs *refs)
-{
-       X509_CRL *crl;
-       struct rpki_uri *uri;
-       int error;
-
-       error = uri_create_str(&uri, refs->crldp, strlen(refs->crldp));
-       if (error)
-               return error;
-
-       error = crl_load(uri, &crl);
-       if (error)
-               goto release_uri;
-
-       /* Everything OK so far, error 0 is valid */
-       if (cert_revoked(X509_get_serialNumber(cert), crl)) {
-               error = pr_err("Certificate validation failed: certificate is revoked at CRL");
-       }
-
-       X509_CRL_free(crl);
-release_uri:
-       uri_refput(uri);
-       return error;
-}
-
  static int
  handle_ip_extension(X509_EXTENSION *ext, struct resources *resources)
  {
diff --git a/src/object/certificate.h b/src/object/certificate.h

index a11859c7f42523d84a3a8b3cd825cabd5a95095c..5167cf804ac7efdc86b8556ebe847f1aa895f486 100644 (file)
--- a/src/object/certificate.h
+++ b/src/object/certificate.h
@@ -45,8 +45,6 @@ int certificate_get_resources(X509 *, struct resources *);
  int certificate_validate_extensions_ee(X509 *, OCTET_STRING_t *,
      struct certificate_refs *, enum rpki_policy *);
  
-int certificate_revoked_at_crldp(X509 *cert, struct certificate_refs *refs);
-
  int certificate_traverse(struct rpp *, struct rpki_uri *);
  
  #endif /* SRC_OBJECT_CERTIFICATE_H_ */
diff --git a/src/object/ghostbusters.c b/src/object/ghostbusters.c

index c25e6e07915ab0fafd2842627cf1fe3f9daa8d94..42f82ca0fffdd9fdddb815588f3d69e9ab82db61 100644 (file)
--- a/src/object/ghostbusters.c
+++ b/src/object/ghostbusters.c
@@ -28,7 +28,7 @@ ghostbusters_traverse(struct rpki_uri *uri, struct rpp *pp)
         if (error)
                 goto end1;
  
-       error = signed_object_args_init(&sobj_args, uri, crl, true, false);
+       error = signed_object_args_init(&sobj_args, uri, crl, true);
         if (error)
                 goto end1;
  
diff --git a/src/object/manifest.c b/src/object/manifest.c

index 58485cae4202097e7ceb56280496fc3d06fc2bfa..9515ce7f462e5ac722100f2de287e3388b76432b 100644 (file)
--- a/src/object/manifest.c
+++ b/src/object/manifest.c
@@ -217,7 +217,7 @@ handle_manifest(struct rpki_uri *uri, STACK_OF(X509_CRL) *crls, struct rpp **pp)
         pr_debug_add("Manifest '%s' {", uri_get_printable(uri));
         fnstack_push_uri(uri);
  
-       error = signed_object_args_init(&sobj_args, uri, crls, false, true);
+       error = signed_object_args_init(&sobj_args, uri, crls, false);
         if (error)
                 goto end1;
  
diff --git a/src/object/roa.c b/src/object/roa.c

index 541c39878941bfbcc6bbb62a43cbf90450d48ef9..30be931c80f9c3a96b7770feb289928bb6bbcf69 100644 (file)
--- a/src/object/roa.c
+++ b/src/object/roa.c
@@ -256,7 +256,7 @@ roa_traverse(struct rpki_uri *uri, struct rpp *pp)
         if (error)
                 goto revert_fnstack;
  
-       error = signed_object_args_init(&sobj_args, uri, crl, false, false);
+       error = signed_object_args_init(&sobj_args, uri, crl, false);
         if (error)
                 goto revert_fnstack;
author	Alberto Leiva Popper <ydahhrk@gmail.com>
	Wed, 24 Jul 2019 16:51:58 +0000 (11:51 -0500)
committer	Alberto Leiva Popper <ydahhrk@gmail.com>
	Wed, 24 Jul 2019 16:51:58 +0000 (11:51 -0500)
src/asn1/signed_data.c		patch \| blob \| blame \| history
src/asn1/signed_data.h		patch \| blob \| blame \| history
src/object/certificate.c		patch \| blob \| blame \| history
src/object/certificate.h		patch \| blob \| blame \| history
src/object/ghostbusters.c		patch \| blob \| blame \| history
src/object/manifest.c		patch \| blob \| blame \| history
src/object/roa.c		patch \| blob \| blame \| history