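--- a/PATH_NOT_SHOWN_IN_EXCERPT
+++ b/PATH_NOT_SHOWN_IN_EXCERPT
@@ -143,21 +143,20 @@
 static int verify_crl(X509_CRL * crl, X509_STORE_CTX * ctx)
 {
 int rv;
-X509_OBJECT *obj = NULL;
+X509_OBJECT obj;
 EVP_PKEY *pkey = NULL;
 X509 *issuer_cert;
 
 /* get issuer certificate */
-rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_CRL_get_issuer(crl), obj);
+rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_CRL_get_issuer(crl), &obj);
 if (rv <= 0) {
 set_error("getting the certificate of the crl-issuer failed");
 return -1;
 }
 /* extract public key and verify signature */
-issuer_cert = X509_OBJECT_get0_X509(obj);
+issuer_cert = X509_OBJECT_get0_X509((&obj));
 pkey = X509_get_pubkey(issuer_cert);
-if (obj)
-X509_OBJECT_free(obj);
+X509_OBJECT_free_contents(&obj);
 if (pkey == NULL) {
 set_error("getting the issuer's public key failed");
 return -1;
@@ -203,13 +202,14 @@
 static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t policy)
 {
 int rv, i, j;
-X509_OBJECT *obj = NULL;
+X509_OBJECT obj;
 X509_REVOKED *rev = NULL;
 STACK_OF(DIST_POINT) * dist_points;
 DIST_POINT *point;
 GENERAL_NAME *name;
 X509_CRL *crl;
 X509 *x509_ca = NULL;
+EVP_PKEY crl_pkey;
 
 DBG1("crl policy: %d", policy);
 if (policy == CRLP_NONE) {
@@ -227,28 +227,27 @@
 } else if (policy == CRLP_OFFLINE) {
 /* OFFLINE */
 DBG("looking for an dedicated local crl");
-rv = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x509), obj);
+rv = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x509), &obj);
 if (rv <= 0) {
 set_error("no dedicated crl available");
 return -1;
 }
-crl = X509_OBJECT_get0_X509_CRL(obj);
-if (obj)
-X509_OBJECT_free(obj);
+crl = X509_OBJECT_get0_X509_CRL((&obj));
+X509_OBJECT_free_contents(&obj);
 } else if (policy == CRLP_ONLINE) {
 /* ONLINE */
 DBG("extracting crl distribution points");
 dist_points = X509_get_ext_d2i(x509, NID_crl_distribution_points, NULL, NULL);
 if (dist_points == NULL) {
 /* if there is not crl distribution point in the certificate hava a look at the ca certificate */
-rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_get_issuer_name(x509), obj);
+rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_get_issuer_name(x509), &obj);
 if (rv <= 0) {
 set_error("no dedicated ca certificate available");
 return -1;
 }
-x509_ca = X509_OBJECT_get0_X509(obj);
+x509_ca = X509_OBJECT_get0_X509((&obj));
 dist_points = X509_get_ext_d2i(x509_ca, NID_crl_distribution_points, NULL, NULL);
-X509_OBJECT_free(obj);
+X509_OBJECT_free_contents(&obj);
 if (dist_points == NULL) {
 set_error("neither the user nor the ca certificate does contain a crl distribution point");
 return -1;
@@ -296,10 +295,10 @@
 } else if (rv == 0) {
 return 0;
 }
+DBG("checking revocation");
 rv = X509_CRL_get0_by_cert(crl, &rev, x509);
 X509_CRL_free(crl);
-X509_REVOKED_free(rev);
-return (rv == -1);
+return (rv == 0);
 }
 
 static int add_hash( X509_LOOKUP *lookup, const char *dir) {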
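Review bot: In the CRLP_OFFLINE branch (new lines 235-236) `crl` is only borrowed from `X509_OBJECT_get0_X509_CRL((&obj))`, and the `X509_OBJECT_free_contents(&obj)` right after it releases the reference the lookup took, so when that `crl` reaches `X509_CRL_free(crl)` at new line 300 (the code between the hunks is not shown, so this assumes the OFFLINE branch falls through to it) the X509_STORE's own copy is freed underneath it, leaving a dangling pointer in the store for the next lookup or for store teardown; the ONLINE branch, which works on a freshly fetched CRL, is not affected. The least invasive fix is to let the lookup's reference be the one `X509_CRL_free` consumes: delete the `X509_OBJECT_free_contents(&obj);` line that follows `crl = X509_OBJECT_get0_X509_CRL((&obj));` in the OFFLINE branch and mark the ownership there, e.g. `/* OFFLINE: keep the lookup's reference; it is released by X509_CRL_free() below */`. The new side also mixes OpenSSL 1.0.x-only constructs (`X509_OBJECT obj;`, `EVP_PKEY crl_pkey;`, `X509_OBJECT_free_contents`) with the 1.1.0 accessor names `X509_OBJECT_get0_X509`/`X509_OBJECT_get0_X509_CRL`, so it presumably depends on compatibility macros outside this diff — a comment at the declarations naming the OpenSSL versions this is meant to build against would save the next reader a search, and `crl_pkey` is not used anywhere in the visible hunks. Finally, `return (rv == 0);` at new line 301 deserves a comment such as `/* X509_CRL_get0_by_cert(): 0 = not listed, 1 = revoked, 2 = listed with reason removeFromCRL; only 0 counts as good */`, since the previous `rv == -1` compared against a value that function never returns.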