git.ipfire.org Git - thirdparty/asterisk.git/commit

author	George Joseph <gjoseph@sangoma.com>
	Wed, 18 Jun 2025 20:38:08 +0000 (14:38 -0600)
committer	George Joseph <gjoseph@sangoma.com>
	Thu, 26 Jun 2025 18:15:05 +0000 (12:15 -0600)
commit	6770dc31b7ecca8b56e238837a3da96a13954595
tree	564642d5d52506163eae621fcc0473b7d6679c7e	tree
parent	6c1417b228970cd810fb71e59a0803a8202fb159	commit \| diff

res_stir_shaken.so: Handle X5U certificate chains.

The verification process will now load a full certificate chain retrieved
via the X5U URL instead of loading only the end user cert.

* Renamed crypto_load_cert_from_file() and crypto_load_cert_from_memory()
to crypto_load_cert_chain_from_file() and crypto_load_cert_chain_from_memory()
respectively.

* The two load functions now continue to load certs from the file or memory
PEMs and store them in a separate stack of untrusted certs specific to the
current verification context.

* crypto_is_cert_trusted() now uses the stack of untrusted certs that were
extracted from the PEM in addition to any untrusted certs that were passed
in from the configuration (and any CA certs passed in from the config of
course).

Resolves: #1272

UserNote: The STIR/SHAKEN verification process will now load a full
certificate chain retrieved via the X5U URL instead of loading only
the end user cert.

(cherry picked from commit ec2591c60b63e05d1b74eb5a80408974fed0f2a4)

res/res_stir_shaken/attestation_config.c		diff \| blob \| blame \| history
res/res_stir_shaken/common_config.c		diff \| blob \| blame \| history
res/res_stir_shaken/crypto_utils.c		diff \| blob \| blame \| history
res/res_stir_shaken/crypto_utils.h		diff \| blob \| blame \| history
res/res_stir_shaken/verification.c		diff \| blob \| blame \| history
res/res_stir_shaken/verification.h		diff \| blob \| blame \| history