From: Alberto Leiva Popper
Date: Wed, 24 Jul 2019 16:51:58 +0000 (-0500)
Subject: Revert "Fix 11: validate certificates against its corresponding CRL."
X-Git-Tag: v1.0.0^2~17
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5d2cf2ed5d1d8f9ccc9ab0917d5d159f6d8efbcb;p=thirdparty%2FFORT-validator.git

Revert "Fix 11: validate certificates against its corresponding CRL."

This reverts commit fb30fcc5c0898fc32cbaab85c70b26a08b4a97a8.
---

diff --git a/src/asn1/signed_data.c b/src/asn1/signed_data.c
index e85206ff..d4a1a7ef 100644
--- a/src/asn1/signed_data.c
+++ b/src/asn1/signed_data.c
@@ -24,8 +24,7 @@ int
 signed_object_args_init(struct signed_object_args *args,
 struct rpki_uri *uri,
 STACK_OF(X509_CRL) *crls,
- bool force_inherit,
- bool use_crldp)
+ bool force_inherit)
 {
 args->res = resources_create(force_inherit);
 if (args->res == NULL)
@@ -33,7 +32,6 @@ signed_object_args_init(struct signed_object_args *args,
 args->uri = uri;
 args->crls = crls;
- args->use_crldp = use_crldp;
 memset(&args->refs, 0, sizeof(args->refs));
 return 0;
 }
@@ -65,7 +63,6 @@ static int
 handle_sdata_certificate(ANY_t *cert_encoded, struct signed_object_args *args,
 OCTET_STRING_t *sid, ANY_t *signedData, SignatureValue_t *signature)
 {
- STACK_OF(X509_CRL) *crls;
 const unsigned char *tmp;
 X509 *cert;
 enum rpki_policy policy;
@@ -93,44 +90,25 @@ handle_sdata_certificate(ANY_t *cert_encoded, struct signed_object_args *args,
 goto end1;
 }
- crls = args->crls;
- if (args->use_crldp) {
- crls = sk_X509_CRL_new_null();
- if (crls == NULL) {
- error = pr_enomem();
- goto end2;
- }
- }
-
- error = certificate_validate_chain(cert, crls);
+ error = certificate_validate_chain(cert, args->crls);
 if (error)
- goto end3;
+ goto end2;
 error = certificate_validate_rfc6487(cert, false);
 if (error)
- goto end3;
+ goto end2;
 error = certificate_validate_extensions_ee(cert, sid, &args->refs, &policy);
 if (error)
- goto end3;
+ goto end2;
 error = certificate_validate_signature(cert, signedData, signature);
 if (error)
- goto end3;
-
- /* Validate in CRL at CRLDP */
- if (args->use_crldp) {
- error = certificate_revoked_at_crldp(cert, &args->refs);
- if (error)
- goto end3;
- }
+ goto end2;
 resources_set_policy(args->res, policy);
 error = certificate_get_resources(cert, args->res);
 if (error)
- goto end3;
+ goto end2;
-end3:
- if (args->use_crldp)
- sk_X509_CRL_free(crls);
 end2:
 X509_free(cert);
 end1:
diff --git a/src/asn1/signed_data.h b/src/asn1/signed_data.h
index 15a0d06e..ed0e5dbd 100644
--- a/src/asn1/signed_data.h
+++ b/src/asn1/signed_data.h
@@ -18,8 +18,6 @@ struct signed_object_args {
 STACK_OF(X509_CRL) *crls;
 /** A copy of the resources carried by the embedded certificate. */
 struct resources *res;
- /** Check if the certificate is revoked at CRLDP, not at crls stack */
- bool use_crldp;
 /**
 * A bunch of URLs found in the embedded certificate's extensions,
 * recorded for future validation.
@@ -28,7 +26,7 @@ struct signed_object_args {
 };
 int signed_object_args_init(struct signed_object_args *, struct rpki_uri *,
- STACK_OF(X509_CRL) *, bool, bool);
+ STACK_OF(X509_CRL) *, bool);
 void signed_object_args_cleanup(struct signed_object_args *);
 int signed_data_decode(ANY_t *, struct signed_object_args *args,
diff --git a/src/object/certificate.c b/src/object/certificate.c
index b64926a0..37bc077c 100644
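Review bot: The restored prototype in the `@@ -28` hunk of signed_data.h, `int signed_object_args_init(struct signed_object_args *, struct rpki_uri *, STACK_OF(X509_CRL) *, bool);`, leaves the trailing `bool` unnamed, so a reader of the header cannot tell which of the two bools that existed a commit ago survived without opening signed_data.c. The definition in the `@@ -24` hunk of signed_data.c names it `force_inherit`; carrying that name into the prototype is what stops the next caller from guessing, so the added line would read `STACK_OF(X509_CRL) *crls, bool force_inherit);`. The rest of the header keeps its unnamed-parameter style, so this is a local exception rather than a sweep.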
--- a/src/object/certificate.c
+++ b/src/object/certificate.c
@@ -15,7 +15,6 @@
 #include "asn1/oid.h"
 #include "asn1/asn1c/IPAddrBlocks.h"
 #include "crypto/hash.h"
-#include "object/crl.h"
 #include "object/name.h"
 #include "object/manifest.h"
 #include "rsync/rsync.h"
@@ -580,24 +579,6 @@ end:
 return error;
 }
-static bool
-cert_revoked(ASN1_INTEGER *serialNumber, X509_CRL *crl)
-{
- STACK_OF(X509_REVOKED) *revoked;
- X509_REVOKED *item;
- int index;
-
- revoked = X509_CRL_get_REVOKED(crl);
- for (index = 0; index < sk_X509_REVOKED_num(revoked); index++) {
- item = sk_X509_REVOKED_value(revoked, index);
- if (ASN1_INTEGER_cmp(X509_REVOKED_get0_serialNumber(item),
- serialNumber) == 0)
- return true;
- }
-
- return false;
-}
-
 int
 certificate_validate_chain(X509 *cert, STACK_OF(X509_CRL) *crls)
 {
@@ -630,21 +611,7 @@ certificate_validate_chain(X509 *cert, STACK_OF(X509_CRL) *crls)
 X509_STORE_CTX_trusted_stack(ctx,
 certstack_get_x509s(validation_certstack(state)));
-
- /*
- * The function 'X509_STORE_CTX_set0_crls' could be used with a
- * 'X509_VERIFY_PARAM' of 'X509_V_FLAG_CRL_CHECK', but this didn't
- * worked as expected.
- *
- * Instead of that, fetch the last CRL (father's) and check revoked
- * serials "manually".
- */
- if (sk_X509_CRL_num(crls) > 0 &&
- cert_revoked(X509_get_serialNumber(cert),
- sk_X509_CRL_value(crls, sk_X509_CRL_num(crls) - 1))) {
- pr_err("Certificate validation failed: certificate is revoked");
- goto abort;
- }
+ X509_STORE_CTX_set0_crls(ctx, crls);
 /*
 * HERE'S THE MEAT OF LIBCRYPTO'S VALIDATION.
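Review bot: The restored `X509_STORE_CTX_set0_crls(ctx, crls);` in the `@@ -630` hunk only hands the CRL stack to the context; libcrypto consults it during verification only when the verify parameters carry `X509_V_FLAG_CRL_CHECK`, and no such flag is set anywhere in this hunk (the part of `certificate_validate_chain` that builds `ctx` lies above the hunk, so it may be set there — worth confirming). The comment being removed records that the flag did not behave as expected, which is why the manual `cert_revoked` scan existed; reverting both, together with the CRLDP check dropped in the signed_data.c `@@ -93` hunk, leaves no revocation check visible on the new side, so a certificate whose serial is listed in the parent's CRL would likely pass. If that gap is intentional until a replacement lands, say so at the call: `/* TODO: CRLs are attached but only consulted if X509_V_FLAG_CRL_CHECK is set; revocation is not enforced here yet. */`, and a regression test feeding a CRL that lists the EE serial would pin whichever behaviour is intended. `certificate_validate_chain` starts and ends outside the hunk.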
@@ -685,35 +652,6 @@ abort:
 return -EINVAL;
 }
-/*
- * Load the CRL at CRLDP @refs and check if @cert is revoked there
- */
-int
-certificate_revoked_at_crldp(X509 *cert, struct certificate_refs *refs)
-{
- X509_CRL *crl;
- struct rpki_uri *uri;
- int error;
-
- error = uri_create_str(&uri, refs->crldp, strlen(refs->crldp));
- if (error)
- return error;
-
- error = crl_load(uri, &crl);
- if (error)
- goto release_uri;
-
- /* Everything OK so far, error 0 is valid */
- if (cert_revoked(X509_get_serialNumber(cert), crl)) {
- error = pr_err("Certificate validation failed: certificate is revoked at CRL");
- }
-
- X509_CRL_free(crl);
-release_uri:
- uri_refput(uri);
- return error;
-}
-
 static int
 handle_ip_extension(X509_EXTENSION *ext, struct resources *resources)
 {
diff --git a/src/object/certificate.h b/src/object/certificate.h
index a11859c7..5167cf80 100644
--- a/src/object/certificate.h
+++ b/src/object/certificate.h
@@ -45,8 +45,6 @@ int certificate_get_resources(X509 *, struct resources *);
 int certificate_validate_extensions_ee(X509 *, OCTET_STRING_t *,
 struct certificate_refs *, enum rpki_policy *);
-int certificate_revoked_at_crldp(X509 *cert, struct certificate_refs *refs);
-
 int certificate_traverse(struct rpp *, struct rpki_uri *);
 #endif /* SRC_OBJECT_CERTIFICATE_H_ */
diff --git a/src/object/ghostbusters.c b/src/object/ghostbusters.c
index c25e6e07..42f82ca0 100644
--- a/src/object/ghostbusters.c
+++ b/src/object/ghostbusters.c
@@ -28,7 +28,7 @@ ghostbusters_traverse(struct rpki_uri *uri, struct rpp *pp)
 if (error)
 goto end1;
- error = signed_object_args_init(&sobj_args, uri, crl, true, false);
+ error = signed_object_args_init(&sobj_args, uri, crl, true);
 if (error)
 goto end1;
diff --git a/src/object/manifest.c b/src/object/manifest.c
index 58485cae..9515ce7f 100644
--- a/src/object/manifest.c
+++ b/src/object/manifest.c
@@ -217,7 +217,7 @@ handle_manifest(struct rpki_uri *uri, STACK_OF(X509_CRL) *crls, struct rpp **pp)
 pr_debug_add("Manifest '%s' {", uri_get_printable(uri));
 fnstack_push_uri(uri);
- error = signed_object_args_init(&sobj_args, uri, crls, false, true);
+ error = signed_object_args_init(&sobj_args, uri, crls, false);
 if (error)
 goto end1;
diff --git a/src/object/roa.c b/src/object/roa.c
index 541c3987..30be931c 100644
--- a/src/object/roa.c
+++ b/src/object/roa.c
@@ -256,7 +256,7 @@ roa_traverse(struct rpki_uri *uri, struct rpp *pp)
 if (error)
 goto revert_fnstack;
- error = signed_object_args_init(&sobj_args, uri, crl, false, false);
+ error = signed_object_args_init(&sobj_args, uri, crl, false);
 if (error)
 goto revert_fnstack;