|
Lines 143-163
Link Here
|
| 143 |
static int verify_crl(X509_CRL * crl, X509_STORE_CTX * ctx) |
143 |
static int verify_crl(X509_CRL * crl, X509_STORE_CTX * ctx) |
| 144 |
{ |
144 |
{ |
| 145 |
int rv; |
145 |
int rv; |
| 146 |
X509_OBJECT *obj = NULL; |
146 |
X509_OBJECT obj; |
| 147 |
EVP_PKEY *pkey = NULL; |
147 |
EVP_PKEY *pkey = NULL; |
| 148 |
X509 *issuer_cert; |
148 |
X509 *issuer_cert; |
| 149 |
|
149 |
|
| 150 |
/* get issuer certificate */ |
150 |
/* get issuer certificate */ |
| 151 |
rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_CRL_get_issuer(crl), obj); |
151 |
rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_CRL_get_issuer(crl), &obj); |
| 152 |
if (rv <= 0) { |
152 |
if (rv <= 0) { |
| 153 |
set_error("getting the certificate of the crl-issuer failed"); |
153 |
set_error("getting the certificate of the crl-issuer failed"); |
| 154 |
return -1; |
154 |
return -1; |
| 155 |
} |
155 |
} |
| 156 |
/* extract public key and verify signature */ |
156 |
/* extract public key and verify signature */ |
| 157 |
issuer_cert = X509_OBJECT_get0_X509(obj); |
157 |
issuer_cert = X509_OBJECT_get0_X509((&obj)); |
| 158 |
pkey = X509_get_pubkey(issuer_cert); |
158 |
pkey = X509_get_pubkey(issuer_cert); |
| 159 |
if (obj) |
159 |
X509_OBJECT_free_contents(&obj); |
| 160 |
X509_OBJECT_free(obj); |
|
|
| 161 |
if (pkey == NULL) { |
160 |
if (pkey == NULL) { |
| 162 |
set_error("getting the issuer's public key failed"); |
161 |
set_error("getting the issuer's public key failed"); |
| 163 |
return -1; |
162 |
return -1; |
|
Lines 203-215
Link Here
|
| 203 |
static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t policy) |
202 |
static int check_for_revocation(X509 * x509, X509_STORE_CTX * ctx, crl_policy_t policy) |
| 204 |
{ |
203 |
{ |
| 205 |
int rv, i, j; |
204 |
int rv, i, j; |
| 206 |
X509_OBJECT *obj = NULL; |
205 |
X509_OBJECT obj; |
| 207 |
X509_REVOKED *rev = NULL; |
206 |
X509_REVOKED *rev = NULL; |
| 208 |
STACK_OF(DIST_POINT) * dist_points; |
207 |
STACK_OF(DIST_POINT) * dist_points; |
| 209 |
DIST_POINT *point; |
208 |
DIST_POINT *point; |
| 210 |
GENERAL_NAME *name; |
209 |
GENERAL_NAME *name; |
| 211 |
X509_CRL *crl; |
210 |
X509_CRL *crl; |
| 212 |
X509 *x509_ca = NULL; |
211 |
X509 *x509_ca = NULL; |
|
|
212 |
EVP_PKEY crl_pkey; |
| 213 |
|
213 |
|
| 214 |
DBG1("crl policy: %d", policy); |
214 |
DBG1("crl policy: %d", policy); |
| 215 |
if (policy == CRLP_NONE) { |
215 |
if (policy == CRLP_NONE) { |
|
Lines 227-254
Link Here
|
| 227 |
} else if (policy == CRLP_OFFLINE) { |
227 |
} else if (policy == CRLP_OFFLINE) { |
| 228 |
/* OFFLINE */ |
228 |
/* OFFLINE */ |
| 229 |
DBG("looking for an dedicated local crl"); |
229 |
DBG("looking for an dedicated local crl"); |
| 230 |
rv = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x509), obj); |
230 |
rv = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x509), &obj); |
| 231 |
if (rv <= 0) { |
231 |
if (rv <= 0) { |
| 232 |
set_error("no dedicated crl available"); |
232 |
set_error("no dedicated crl available"); |
| 233 |
return -1; |
233 |
return -1; |
| 234 |
} |
234 |
} |
| 235 |
crl = X509_OBJECT_get0_X509_CRL(obj); |
235 |
crl = X509_OBJECT_get0_X509_CRL((&obj)); |
| 236 |
if (obj) |
236 |
X509_OBJECT_free_contents(&obj); |
| 237 |
X509_OBJECT_free(obj); |
|
|
| 238 |
} else if (policy == CRLP_ONLINE) { |
237 |
} else if (policy == CRLP_ONLINE) { |
| 239 |
/* ONLINE */ |
238 |
/* ONLINE */ |
| 240 |
DBG("extracting crl distribution points"); |
239 |
DBG("extracting crl distribution points"); |
| 241 |
dist_points = X509_get_ext_d2i(x509, NID_crl_distribution_points, NULL, NULL); |
240 |
dist_points = X509_get_ext_d2i(x509, NID_crl_distribution_points, NULL, NULL); |
| 242 |
if (dist_points == NULL) { |
241 |
if (dist_points == NULL) { |
| 243 |
/* if there is not crl distribution point in the certificate hava a look at the ca certificate */ |
242 |
/* if there is not crl distribution point in the certificate hava a look at the ca certificate */ |
| 244 |
rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_get_issuer_name(x509), obj); |
243 |
rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_get_issuer_name(x509), &obj); |
| 245 |
if (rv <= 0) { |
244 |
if (rv <= 0) { |
| 246 |
set_error("no dedicated ca certificate available"); |
245 |
set_error("no dedicated ca certificate available"); |
| 247 |
return -1; |
246 |
return -1; |
| 248 |
} |
247 |
} |
| 249 |
x509_ca = X509_OBJECT_get0_X509(obj); |
248 |
x509_ca = X509_OBJECT_get0_X509((&obj)); |
| 250 |
dist_points = X509_get_ext_d2i(x509_ca, NID_crl_distribution_points, NULL, NULL); |
249 |
dist_points = X509_get_ext_d2i(x509_ca, NID_crl_distribution_points, NULL, NULL); |
| 251 |
X509_OBJECT_free(obj); |
250 |
X509_OBJECT_free_contents(&obj); |
| 252 |
if (dist_points == NULL) { |
251 |
if (dist_points == NULL) { |
| 253 |
set_error("neither the user nor the ca certificate does contain a crl distribution point"); |
252 |
set_error("neither the user nor the ca certificate does contain a crl distribution point"); |
| 254 |
return -1; |
253 |
return -1; |
|
Lines 296-305
Link Here
|
| 296 |
} else if (rv == 0) { |
295 |
} else if (rv == 0) { |
| 297 |
return 0; |
296 |
return 0; |
| 298 |
} |
297 |
} |
|
|
298 |
DBG("checking revocation"); |
| 299 |
rv = X509_CRL_get0_by_cert(crl, &rev, x509); |
299 |
rv = X509_CRL_get0_by_cert(crl, &rev, x509); |
| 300 |
X509_CRL_free(crl); |
300 |
X509_CRL_free(crl); |
| 301 |
X509_REVOKED_free(rev); |
301 |
return (rv == 0); |
| 302 |
return (rv == -1); |
|
|
| 303 |
} |
302 |
} |
| 304 |
|
303 |
|
| 305 |
static int add_hash( X509_LOOKUP *lookup, const char *dir) { |
304 |
static int add_hash( X509_LOOKUP *lookup, const char *dir) { |
