1656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project/* crypto/x509/x509_vfy.c */ 2656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * All rights reserved. 4656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 5656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * This package is an SSL implementation written 6656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * by Eric Young (eay@cryptsoft.com). 7656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * The implementation was written so as to conform with Netscapes SSL. 8656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 9656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * This library is free for commercial and non-commercial use as long as 10656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * the following conditions are aheared to. The following conditions 11656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * apply to all code found in this distribution, be it the RC4, RSA, 12656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * included with this distribution is covered by the same copyright terms 14656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 16656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * Copyright remains Eric Young's, and as such any Copyright notices in 17656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * the code are not to be removed. 18656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * If this package is used in a product, Eric Young should be given attribution 19656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * as the author of the parts of the library used. 20656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * This can be in the form of a textual message at program startup or 21656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * in documentation (online or textual) provided with the package. 22656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 23656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * Redistribution and use in source and binary forms, with or without 24656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * modification, are permitted provided that the following conditions 25656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * are met: 26656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 1. Redistributions of source code must retain the copyright 27656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * notice, this list of conditions and the following disclaimer. 28656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 2. Redistributions in binary form must reproduce the above copyright 29656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * notice, this list of conditions and the following disclaimer in the 30656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * documentation and/or other materials provided with the distribution. 31656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 3. All advertising materials mentioning features or use of this software 32656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * must display the following acknowledgement: 33656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * "This product includes cryptographic software written by 34656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * Eric Young (eay@cryptsoft.com)" 35656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * The word 'cryptographic' can be left out if the rouines from the library 36656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * being used are not cryptographic related :-). 37656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 4. If you include any Windows specific code (or a derivative thereof) from 38656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * the apps directory (application code) you must include an acknowledgement: 39656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 41656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * SUCH DAMAGE. 52656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 53656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * The licence and distribution terms for any publically available version or 54656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * derivative of this code cannot be changed. i.e. this code cannot simply be 55656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * copied and put under another distribution licence 56656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * [including the GNU Public Licence.] 57656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 58656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 59656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include <stdio.h> 60656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include <time.h> 61656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include <errno.h> 62656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 63656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include "cryptlib.h" 64656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include <openssl/crypto.h> 65656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include <openssl/lhash.h> 66656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include <openssl/buffer.h> 67656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include <openssl/evp.h> 68656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include <openssl/asn1.h> 69656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include <openssl/x509.h> 70656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include <openssl/x509v3.h> 71656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include <openssl/objects.h> 72656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 73221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom/* CRL score values */ 74221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 75221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom/* No unhandled critical extensions */ 76221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 77221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom#define CRL_SCORE_NOCRITICAL 0x100 78221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 79221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom/* certificate is within CRL scope */ 80221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 81221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom#define CRL_SCORE_SCOPE 0x080 82221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 83221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom/* CRL times valid */ 84221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 85221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom#define CRL_SCORE_TIME 0x040 86221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 87221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom/* Issuer name matches certificate */ 88221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 89221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom#define CRL_SCORE_ISSUER_NAME 0x020 90221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 91221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom/* If this score or above CRL is probably valid */ 92221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 93221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom#define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE) 94221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 95221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom/* CRL issuer is certificate issuer */ 96221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 97221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom#define CRL_SCORE_ISSUER_CERT 0x018 98221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 99221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom/* CRL issuer is on certificate path */ 100221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 101221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom#define CRL_SCORE_SAME_PATH 0x008 102221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 103221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom/* CRL issuer matches CRL AKID */ 104221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 105221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom#define CRL_SCORE_AKID 0x004 106221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 107221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom/* Have a delta CRL with valid times */ 108221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 109221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom#define CRL_SCORE_TIME_DELTA 0x002 110221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 111656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic int null_callback(int ok,X509_STORE_CTX *e); 112656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); 113656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x); 114656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic int check_chain_extensions(X509_STORE_CTX *ctx); 115221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstromstatic int check_name_constraints(X509_STORE_CTX *ctx); 116656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic int check_trust(X509_STORE_CTX *ctx); 117656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic int check_revocation(X509_STORE_CTX *ctx); 118656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic int check_cert(X509_STORE_CTX *ctx); 119656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic int check_policy(X509_STORE_CTX *ctx); 120221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 121221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstromstatic int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, 122221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom unsigned int *preasons, 123221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509_CRL *crl, X509 *x); 124221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstromstatic int get_crl_delta(X509_STORE_CTX *ctx, 125221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x); 126221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstromstatic void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score, 127221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509_CRL *base, STACK_OF(X509_CRL) *crls); 128221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstromstatic void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, 129221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509 **pissuer, int *pcrl_score); 130221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstromstatic int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, 131221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom unsigned int *preasons); 132221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstromstatic int check_crl_path(X509_STORE_CTX *ctx, X509 *x); 133221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstromstatic int check_crl_chain(X509_STORE_CTX *ctx, 134221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom STACK_OF(X509) *cert_path, 135221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom STACK_OF(X509) *crl_path); 136221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 137656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic int internal_verify(X509_STORE_CTX *ctx); 138656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectconst char X509_version[]="X.509" OPENSSL_VERSION_PTEXT; 139656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 140656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 141656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic int null_callback(int ok, X509_STORE_CTX *e) 142656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 143656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return ok; 144656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 145656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 146656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#if 0 147656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic int x509_subject_cmp(X509 **a, X509 **b) 148656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 149656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return X509_subject_name_cmp(*a,*b); 150656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 151656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 152656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 153656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectint X509_verify_cert(X509_STORE_CTX *ctx) 154656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 155656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509 *x,*xtmp,*chain_ss=NULL; 156656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int bad_chain = 0; 157656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509_VERIFY_PARAM *param = ctx->param; 158656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int depth,i,ok=0; 159656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int num; 160656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int (*cb)(int xok,X509_STORE_CTX *xctx); 161656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project STACK_OF(X509) *sktmp=NULL; 162656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ctx->cert == NULL) 163656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 164656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); 165656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return -1; 166656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 167656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 168656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project cb=ctx->verify_cb; 169656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 170656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* first we make sure the chain we are going to build is 171656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * present and that the first entry is in place */ 172656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ctx->chain == NULL) 173656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 174656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ( ((ctx->chain=sk_X509_new_null()) == NULL) || 175656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project (!sk_X509_push(ctx->chain,ctx->cert))) 176656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 177656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 178656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto end; 179656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 180656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509); 181656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->last_untrusted=1; 182656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 183656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 184656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* We use a temporary STACK so we can chop and hack at it */ 185656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ctx->untrusted != NULL 186656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL) 187656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 188656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 189656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto end; 190656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 191656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 192656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project num=sk_X509_num(ctx->chain); 193656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project x=sk_X509_value(ctx->chain,num-1); 194656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project depth=param->depth; 195656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 196656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 197656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project for (;;) 198656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 199656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* If we have enough, we break */ 200656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (depth < num) break; /* FIXME: If this happens, we should take 201656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * note of it and, if appropriate, use the 202656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * X509_V_ERR_CERT_CHAIN_TOO_LONG error 203656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * code later. 204656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 205656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 206656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* If we are self signed, we break */ 207656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ctx->check_issued(ctx, x,x)) break; 208656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 209656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* If we were passed a cert chain, use it first */ 210656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ctx->untrusted != NULL) 211656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 212656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project xtmp=find_issuer(ctx, sktmp,x); 213656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (xtmp != NULL) 214656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 215656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!sk_X509_push(ctx->chain,xtmp)) 216656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 217656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 218656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto end; 219656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 220656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509); 221656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project (void)sk_X509_delete_ptr(sktmp,xtmp); 222656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->last_untrusted++; 223656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project x=xtmp; 224656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project num++; 225656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* reparse the full chain for 226656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * the next one */ 227656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project continue; 228656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 229656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 230656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project break; 231656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 232656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 233656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* at this point, chain should contain a list of untrusted 234656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * certificates. We now need to add at least one trusted one, 235656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * if possible, otherwise we complain. */ 236656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 237656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Examine last certificate in chain and see if it 238656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * is self signed. 239656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 240656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 241656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project i=sk_X509_num(ctx->chain); 242656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project x=sk_X509_value(ctx->chain,i-1); 243656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ctx->check_issued(ctx, x, x)) 244656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 245656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* we have a self signed certificate */ 246656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (sk_X509_num(ctx->chain) == 1) 247656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 248656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* We have a single self signed certificate: see if 249656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * we can find it in the store. We must have an exact 250656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * match to avoid possible impersonation. 251656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 252656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok = ctx->get_issuer(&xtmp, ctx, x); 253656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((ok <= 0) || X509_cmp(x, xtmp)) 254656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 255656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; 256656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->current_cert=x; 257656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error_depth=i-1; 258656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ok == 1) X509_free(xtmp); 259656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project bad_chain = 1; 260656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok=cb(0,ctx); 261656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ok) goto end; 262656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 263656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 264656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 265656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* We have a match: replace certificate with store version 266656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * so we get any trust settings. 267656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 268656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509_free(x); 269656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project x = xtmp; 270656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project (void)sk_X509_set(ctx->chain, i - 1, x); 271656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->last_untrusted=0; 272656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 273656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 274656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 275656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 276656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* extract and save self signed certificate for later use */ 277656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project chain_ss=sk_X509_pop(ctx->chain); 278656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->last_untrusted--; 279656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project num--; 280656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project x=sk_X509_value(ctx->chain,num-1); 281656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 282656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 283656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 284656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* We now lookup certs from the certificate store */ 285656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project for (;;) 286656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 287656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* If we have enough, we break */ 288656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (depth < num) break; 289656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 290656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* If we are self signed, we break */ 291656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ctx->check_issued(ctx,x,x)) break; 292656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 293656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok = ctx->get_issuer(&xtmp, ctx, x); 294656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 295656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ok < 0) return ok; 296656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ok == 0) break; 297656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 298656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project x = xtmp; 299656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!sk_X509_push(ctx->chain,x)) 300656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 301656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509_free(xtmp); 302656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 303656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 0; 304656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 305656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project num++; 306656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 307656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 308656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* we now have our chain, lets check it... */ 309656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 310656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Is last certificate looked up self signed? */ 311656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ctx->check_issued(ctx,x,x)) 312656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 313656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) 314656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 315656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ctx->last_untrusted >= num) 316656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; 317656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 318656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT; 319656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->current_cert=x; 320656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 321656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 322656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 323656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 324656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project sk_X509_push(ctx->chain,chain_ss); 325656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project num++; 326656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->last_untrusted=num; 327656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->current_cert=chain_ss; 328656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; 329656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project chain_ss=NULL; 330656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 331656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 332656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error_depth=num-1; 333656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project bad_chain = 1; 334656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok=cb(0,ctx); 335656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ok) goto end; 336656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 337656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 338656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* We have the chain complete: now we need to check its purpose */ 339656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok = check_chain_extensions(ctx); 340656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 341656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ok) goto end; 342656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 343221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Check name constraints */ 344221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 345221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ok = check_name_constraints(ctx); 346221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 347221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!ok) goto end; 348221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 349656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* The chain extensions are OK: check trust */ 350656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 351656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (param->trust > 0) ok = check_trust(ctx); 352656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 353656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ok) goto end; 354656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 355656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* We may as well copy down any DSA parameters that are required */ 356656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509_get_pubkey_parameters(NULL,ctx->chain); 357656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 358656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Check revocation status: we do this after copying parameters 359656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * because they may be needed for CRL signature verification. 360656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 361656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 362656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok = ctx->check_revocation(ctx); 363656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if(!ok) goto end; 364656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 365656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* At this point, we have a chain and need to verify it */ 366656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ctx->verify != NULL) 367656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok=ctx->verify(ctx); 368656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 369656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok=internal_verify(ctx); 370656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if(!ok) goto end; 371656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 372656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef OPENSSL_NO_RFC3779 373656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* RFC 3779 path validation, now that CRL check has been done */ 374656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok = v3_asid_validate_path(ctx); 375656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ok) goto end; 376656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok = v3_addr_validate_path(ctx); 377656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ok) goto end; 378656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 379656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 380656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* If we get this far evaluate policies */ 381656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) 382656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok = ctx->check_policy(ctx); 383656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if(!ok) goto end; 384656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (0) 385656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 386656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectend: 387656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509_get_pubkey_parameters(NULL,ctx->chain); 388656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 389656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (sktmp != NULL) sk_X509_free(sktmp); 390656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (chain_ss != NULL) X509_free(chain_ss); 391656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return ok; 392656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 393656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 394656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 395656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project/* Given a STACK_OF(X509) find the issuer of cert (if any) 396656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 397656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 398656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) 399656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project{ 400656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int i; 401656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509 *issuer; 402656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project for (i = 0; i < sk_X509_num(sk); i++) 403656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 404656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project issuer = sk_X509_value(sk, i); 405656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ctx->check_issued(ctx, x, issuer)) 406656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return issuer; 407656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 408656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return NULL; 409656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project} 410656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 411656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project/* Given a possible certificate and issuer check them */ 412656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 413656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) 414656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project{ 415656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int ret; 416656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret = X509_check_issued(issuer, x); 417656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ret == X509_V_OK) 418656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 1; 419656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* If we haven't asked for issuer errors don't set ctx */ 420656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK)) 421656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 0; 422656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 423656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error = ret; 424656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->current_cert = x; 425656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->current_issuer = issuer; 426656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return ctx->verify_cb(0, ctx); 427656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 0; 428656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project} 429656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 430656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project/* Alternative lookup method: look from a STACK stored in other_ctx */ 431656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 432656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) 433656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project{ 434656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *issuer = find_issuer(ctx, ctx->other_ctx, x); 435656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (*issuer) 436656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 437656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509); 438656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 1; 439656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 440656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 441656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 0; 442656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project} 443656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 444656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 445656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project/* Check a certificate chains extensions for consistency 446656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * with the supplied purpose 447656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 448656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 449656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic int check_chain_extensions(X509_STORE_CTX *ctx) 450656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project{ 451656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifdef OPENSSL_NO_CHAIN_VERIFY 452656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 1; 453656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#else 454e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu int i, ok=0, must_be_ca, plen = 0; 455656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509 *x; 456656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int (*cb)(int xok,X509_STORE_CTX *xctx); 457656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int proxy_path_length = 0; 458221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom int purpose; 459221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom int allow_proxy_certs; 460656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project cb=ctx->verify_cb; 461656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 462656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* must_be_ca can have 1 of 3 values: 463656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project -1: we accept both CA and non-CA certificates, to allow direct 464656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project use of self-signed certificates (which are marked as CA). 465656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 0: we only accept non-CA certificates. This is currently not 466656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project used, but the possibility is present for future extensions. 467656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1: we only accept CA certificates. This is currently used for 468656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project all certificates in the chain except the leaf certificate. 469656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 470656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project must_be_ca = -1; 471656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 472221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* CRL path validation */ 473221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (ctx->parent) 474221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 475221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom allow_proxy_certs = 0; 476221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom purpose = X509_PURPOSE_CRL_SIGN; 477221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 478221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom else 479221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 480221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom allow_proxy_certs = 481221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); 482221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* A hack to keep people who don't want to modify their 483221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom software happy */ 484221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (getenv("OPENSSL_ALLOW_PROXY_CERTS")) 485221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom allow_proxy_certs = 1; 486221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom purpose = ctx->param->purpose; 487221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 488656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 489656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Check all untrusted certificates */ 490656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project for (i = 0; i < ctx->last_untrusted; i++) 491656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 492656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int ret; 493656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project x = sk_X509_value(ctx->chain, i); 494656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) 495656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project && (x->ex_flags & EXFLAG_CRITICAL)) 496656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 497656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; 498656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error_depth = i; 499656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->current_cert = x; 500656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok=cb(0,ctx); 501656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ok) goto end; 502656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 503656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) 504656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 505656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; 506656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error_depth = i; 507656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->current_cert = x; 508656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok=cb(0,ctx); 509656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ok) goto end; 510656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 511656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret = X509_check_ca(x); 512656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project switch(must_be_ca) 513656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 514656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case -1: 515656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) 516656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project && (ret != 1) && (ret != 0)) 517656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 518656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret = 0; 519656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error = X509_V_ERR_INVALID_CA; 520656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 521656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 522656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret = 1; 523656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project break; 524656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case 0: 525656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ret != 0) 526656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 527656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret = 0; 528656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error = X509_V_ERR_INVALID_NON_CA; 529656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 530656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 531656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret = 1; 532656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project break; 533656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project default: 534656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((ret == 0) 535656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) 536656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project && (ret != 1))) 537656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 538656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret = 0; 539656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error = X509_V_ERR_INVALID_CA; 540656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 541656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 542656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret = 1; 543656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project break; 544656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 545656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ret == 0) 546656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 547656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error_depth = i; 548656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->current_cert = x; 549656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok=cb(0,ctx); 550656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ok) goto end; 551656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 552656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ctx->param->purpose > 0) 553656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 554221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ret = X509_check_purpose(x, purpose, must_be_ca > 0); 555656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((ret == 0) 556656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) 557656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project && (ret != 1))) 558656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 559656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error = X509_V_ERR_INVALID_PURPOSE; 560656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error_depth = i; 561656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->current_cert = x; 562656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok=cb(0,ctx); 563656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ok) goto end; 564656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 565656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 566e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu /* Check pathlen if not self issued */ 567e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu if ((i > 1) && !(x->ex_flags & EXFLAG_SI) 568e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu && (x->ex_pathlen != -1) 569e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu && (plen > (x->ex_pathlen + proxy_path_length + 1))) 570656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 571656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; 572656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error_depth = i; 573656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->current_cert = x; 574656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok=cb(0,ctx); 575656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ok) goto end; 576656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 577e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu /* Increment path length if not self issued */ 578e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu if (!(x->ex_flags & EXFLAG_SI)) 579e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu plen++; 580656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* If this certificate is a proxy certificate, the next 581656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project certificate must be another proxy certificate or a EE 582656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project certificate. If not, the next certificate must be a 583656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project CA certificate. */ 584656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (x->ex_flags & EXFLAG_PROXY) 585656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 586656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) 587656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 588656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error = 589656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; 590656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error_depth = i; 591656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->current_cert = x; 592656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok=cb(0,ctx); 593656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ok) goto end; 594656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 595656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project proxy_path_length++; 596656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project must_be_ca = 0; 597656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 598656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 599656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project must_be_ca = 1; 600656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 601656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok = 1; 602656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project end: 603656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return ok; 604656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 605656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project} 606656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 607221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstromstatic int check_name_constraints(X509_STORE_CTX *ctx) 608221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 609221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509 *x; 610221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom int i, j, rv; 611221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Check name constraints for all certificates */ 612221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) 613221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 614221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom x = sk_X509_value(ctx->chain, i); 615221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Ignore self issued certs unless last in chain */ 616221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (i && (x->ex_flags & EXFLAG_SI)) 617221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom continue; 618221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Check against constraints for all certificates higher in 619221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * chain including trust anchor. Trust anchor not strictly 620221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * speaking needed but if it includes constraints it is to be 621221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * assumed it expects them to be obeyed. 622221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom */ 623221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) 624221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 625221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc; 626221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (nc) 627221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 628221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom rv = NAME_CONSTRAINTS_check(x, nc); 629221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (rv != X509_V_OK) 630221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 631221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ctx->error = rv; 632221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ctx->error_depth = i; 633221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ctx->current_cert = x; 634221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!ctx->verify_cb(0,ctx)) 635221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 636221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 637221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 638221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 639221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 640221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 1; 641221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 642221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 643656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic int check_trust(X509_STORE_CTX *ctx) 644656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project{ 645656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifdef OPENSSL_NO_CHAIN_VERIFY 646656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 1; 647656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#else 648656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int i, ok; 649656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509 *x; 650656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int (*cb)(int xok,X509_STORE_CTX *xctx); 651656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project cb=ctx->verify_cb; 652656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project/* For now just check the last certificate in the chain */ 653656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project i = sk_X509_num(ctx->chain) - 1; 654656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project x = sk_X509_value(ctx->chain, i); 655656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok = X509_check_trust(x, ctx->param->trust, 0); 656656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ok == X509_TRUST_TRUSTED) 657656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 1; 658656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error_depth = i; 659656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->current_cert = x; 660656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ok == X509_TRUST_REJECTED) 661656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error = X509_V_ERR_CERT_REJECTED; 662656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 663656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error = X509_V_ERR_CERT_UNTRUSTED; 664656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok = cb(0, ctx); 665656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return ok; 666656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 667656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project} 668656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 669656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic int check_revocation(X509_STORE_CTX *ctx) 670656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 671656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int i, last, ok; 672656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK)) 673656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 1; 674656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) 675656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project last = sk_X509_num(ctx->chain) - 1; 676656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 677221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 678221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* If checking CRL paths this isn't the EE certificate */ 679221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (ctx->parent) 680221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 1; 681656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project last = 0; 682221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 683656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project for(i = 0; i <= last; i++) 684656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 685656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error_depth = i; 686656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok = check_cert(ctx); 687656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ok) return ok; 688656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 689656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 1; 690656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 691656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 692656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic int check_cert(X509_STORE_CTX *ctx) 693656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 694221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509_CRL *crl = NULL, *dcrl = NULL; 695656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509 *x; 696656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int ok, cnum; 697ff41a4bc41ae1e1391f9b05117623ff70b985983Kenny Root unsigned int last_reasons; 698656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project cnum = ctx->error_depth; 699656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project x = sk_X509_value(ctx->chain, cnum); 700656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->current_cert = x; 701221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ctx->current_issuer = NULL; 702ee7afb3c942c4eefef6ed06201eafaf8ec58e2e3Brian Carlstrom ctx->current_crl_score = 0; 703221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ctx->current_reasons = 0; 704221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom while (ctx->current_reasons != CRLDP_ALL_REASONS) 705656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 706ff41a4bc41ae1e1391f9b05117623ff70b985983Kenny Root last_reasons = ctx->current_reasons; 707221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Try to retrieve relevant CRL */ 708221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (ctx->get_crl) 709221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ok = ctx->get_crl(ctx, &crl, x); 710221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom else 711221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ok = get_crl_delta(ctx, &crl, &dcrl, x); 712221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* If error looking up CRL, nothing we can do except 713221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * notify callback 714221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom */ 715221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if(!ok) 716221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 717221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; 718221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ok = ctx->verify_cb(0, ctx); 719221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom goto err; 720221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 721221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ctx->current_crl = crl; 722221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ok = ctx->check_crl(ctx, crl); 723221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!ok) 724221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom goto err; 725221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 726221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (dcrl) 727221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 728221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ok = ctx->check_crl(ctx, dcrl); 729221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!ok) 730221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom goto err; 731221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ok = ctx->cert_crl(ctx, dcrl, x); 732221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!ok) 733221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom goto err; 734221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 735221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom else 736221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ok = 1; 737221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 738221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Don't look in full CRL if delta reason is removefromCRL */ 739221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (ok != 2) 740221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 741221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ok = ctx->cert_crl(ctx, crl, x); 742221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!ok) 743221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom goto err; 744221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 745221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 746221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509_CRL_free(crl); 747221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509_CRL_free(dcrl); 748221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom crl = NULL; 749221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom dcrl = NULL; 750ff41a4bc41ae1e1391f9b05117623ff70b985983Kenny Root /* If reasons not updated we wont get anywhere by 751ff41a4bc41ae1e1391f9b05117623ff70b985983Kenny Root * another iteration, so exit loop. 752ff41a4bc41ae1e1391f9b05117623ff70b985983Kenny Root */ 753ff41a4bc41ae1e1391f9b05117623ff70b985983Kenny Root if (last_reasons == ctx->current_reasons) 754ff41a4bc41ae1e1391f9b05117623ff70b985983Kenny Root { 755ff41a4bc41ae1e1391f9b05117623ff70b985983Kenny Root ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; 756ff41a4bc41ae1e1391f9b05117623ff70b985983Kenny Root ok = ctx->verify_cb(0, ctx); 757ff41a4bc41ae1e1391f9b05117623ff70b985983Kenny Root goto err; 758ff41a4bc41ae1e1391f9b05117623ff70b985983Kenny Root } 759656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 760656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project err: 761656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509_CRL_free(crl); 762221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509_CRL_free(dcrl); 763221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 764221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ctx->current_crl = NULL; 765656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return ok; 766656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 767656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 768656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 769656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project/* Check CRL times against values in X509_STORE_CTX */ 770656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 771656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) 772656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 773656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project time_t *ptime; 774656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int i; 775221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (notify) 776221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ctx->current_crl = crl; 777656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) 778656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ptime = &ctx->param->check_time; 779656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 780656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ptime = NULL; 781656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 782656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); 783656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (i == 0) 784656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 785221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!notify) 786221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 787656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; 788221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!ctx->verify_cb(0, ctx)) 789656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 0; 790656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 791656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 792656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (i > 0) 793656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 794221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!notify) 795221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 796656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error=X509_V_ERR_CRL_NOT_YET_VALID; 797221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!ctx->verify_cb(0, ctx)) 798656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 0; 799656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 800656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 801656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if(X509_CRL_get_nextUpdate(crl)) 802656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 803656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); 804656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 805656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (i == 0) 806656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 807221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!notify) 808221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 809656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; 810221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!ctx->verify_cb(0, ctx)) 811656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 0; 812656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 813221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Ignore expiry of base CRL is delta is valid */ 814221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) 815656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 816221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!notify) 817221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 818656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error=X509_V_ERR_CRL_HAS_EXPIRED; 819221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!ctx->verify_cb(0, ctx)) 820656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 0; 821656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 822656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 823656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 824221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (notify) 825221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ctx->current_crl = NULL; 826656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 827656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 1; 828656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 829656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 830221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstromstatic int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, 831221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509 **pissuer, int *pscore, unsigned int *preasons, 832221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom STACK_OF(X509_CRL) *crls) 833656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 834221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom int i, crl_score, best_score = *pscore; 835221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom unsigned int reasons, best_reasons = 0; 836221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509 *x = ctx->current_cert; 837656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509_CRL *crl, *best_crl = NULL; 838221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509 *crl_issuer = NULL, *best_crl_issuer = NULL; 839221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 840656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project for (i = 0; i < sk_X509_CRL_num(crls); i++) 841656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 842656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project crl = sk_X509_CRL_value(crls, i); 843221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom reasons = *preasons; 844221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x); 845221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 846221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (crl_score > best_score) 847656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 848221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom best_crl = crl; 849221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom best_crl_issuer = crl_issuer; 850221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom best_score = crl_score; 851221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom best_reasons = reasons; 852656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 853656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 854221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 855656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (best_crl) 856656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 857221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (*pcrl) 858221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509_CRL_free(*pcrl); 859656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *pcrl = best_crl; 860221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom *pissuer = best_crl_issuer; 861221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom *pscore = best_score; 862221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom *preasons = best_reasons; 863221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL); 864221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (*pdcrl) 865221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 866221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509_CRL_free(*pdcrl); 867221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom *pdcrl = NULL; 868221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 869221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom get_delta_sk(ctx, pdcrl, pscore, best_crl, crls); 870656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 871221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 872221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (best_score >= CRL_SCORE_VALID) 873221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 1; 874221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 875656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 0; 876656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 877656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 878221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom/* Compare two CRL extensions for delta checking purposes. They should be 879221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * both present or both absent. If both present all fields must be identical. 880656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 881221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 882221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstromstatic int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) 883656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 884221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ASN1_OCTET_STRING *exta, *extb; 885221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom int i; 88604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom i = X509_CRL_get_ext_by_NID(a, nid, -1); 887221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (i >= 0) 888656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 889221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Can't have multiple occurrences */ 890221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (X509_CRL_get_ext_by_NID(a, nid, i) != -1) 891221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 892221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i)); 893221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 894221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom else 895221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom exta = NULL; 896221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 89704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom i = X509_CRL_get_ext_by_NID(b, nid, -1); 898221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 899221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (i >= 0) 900221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 901221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 902221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (X509_CRL_get_ext_by_NID(b, nid, i) != -1) 903221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 904221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i)); 905221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 906221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom else 907221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom extb = NULL; 908221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 909221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!exta && !extb) 910656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 1; 911221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 912221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!exta || !extb) 913221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 914221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 915221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 916221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (ASN1_OCTET_STRING_cmp(exta, extb)) 917221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 918221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 919221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 1; 920221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 921221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 922221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom/* See if a base and delta are compatible */ 923221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 924221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstromstatic int check_delta_base(X509_CRL *delta, X509_CRL *base) 925221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 926221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Delta CRL must be a delta */ 927221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!delta->base_crl_number) 928221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 929221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Base must have a CRL number */ 930221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!base->crl_number) 931221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 932221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Issuer names must match */ 933221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (X509_NAME_cmp(X509_CRL_get_issuer(base), 934221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509_CRL_get_issuer(delta))) 935221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 936221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* AKID and IDP must match */ 937221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!crl_extension_match(delta, base, NID_authority_key_identifier)) 938221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 939221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!crl_extension_match(delta, base, NID_issuing_distribution_point)) 940221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 941221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Delta CRL base number must not exceed Full CRL number. */ 942221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0) 943221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 944221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Delta CRL number must exceed full CRL number */ 945221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0) 946221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 1; 947221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 948221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 949221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 950221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom/* For a given base CRL find a delta... maybe extend to delta scoring 951221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * or retrieve a chain of deltas... 952221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom */ 953221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 954221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstromstatic void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, 955221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509_CRL *base, STACK_OF(X509_CRL) *crls) 956221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 957221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509_CRL *delta; 958221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom int i; 959221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS)) 960221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return; 961221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST)) 962221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return; 963221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom for (i = 0; i < sk_X509_CRL_num(crls); i++) 964221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 965221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom delta = sk_X509_CRL_value(crls, i); 966221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (check_delta_base(delta, base)) 967221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 968221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (check_crl_time(ctx, delta, 0)) 969221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom *pscore |= CRL_SCORE_TIME_DELTA; 970221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL); 971221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom *dcrl = delta; 972221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return; 973221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 974221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 975221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom *dcrl = NULL; 976221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 977221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 978221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom/* For a given CRL return how suitable it is for the supplied certificate 'x'. 979221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * The return value is a mask of several criteria. 980221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * If the issuer is not the certificate issuer this is returned in *pissuer. 981221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * The reasons mask is also used to determine if the CRL is suitable: if 982221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * no new reasons the CRL is rejected, otherwise reasons is updated. 983221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom */ 984221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 985221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstromstatic int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, 986221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom unsigned int *preasons, 987221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509_CRL *crl, X509 *x) 988221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 989221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 990221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom int crl_score = 0; 991221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom unsigned int tmp_reasons = *preasons, crl_reasons; 992221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 993221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* First see if we can reject CRL straight away */ 994221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 995221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Invalid IDP cannot be processed */ 996221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (crl->idp_flags & IDP_INVALID) 997221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 998221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Reason codes or indirect CRLs need extended CRL support */ 999221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) 1000221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1001221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS)) 1002221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 1003221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1004221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom else if (crl->idp_flags & IDP_REASONS) 1005221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1006221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* If no new reasons reject */ 1007221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!(crl->idp_reasons & ~tmp_reasons)) 1008221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 1009221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1010221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Don't process deltas at this stage */ 1011221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom else if (crl->base_crl_number) 1012221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 1013221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* If issuer name doesn't match certificate need indirect CRL */ 1014221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) 1015221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1016221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!(crl->idp_flags & IDP_INDIRECT)) 1017221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 1018221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1019221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom else 1020221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom crl_score |= CRL_SCORE_ISSUER_NAME; 1021221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1022221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!(crl->flags & EXFLAG_CRITICAL)) 1023221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom crl_score |= CRL_SCORE_NOCRITICAL; 1024221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1025221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Check expiry */ 1026221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (check_crl_time(ctx, crl, 0)) 1027221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom crl_score |= CRL_SCORE_TIME; 1028221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1029221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Check authority key ID and locate certificate issuer */ 1030221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom crl_akid_check(ctx, crl, pissuer, &crl_score); 1031221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1032221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* If we can't locate certificate issuer at this point forget it */ 1033221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1034221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!(crl_score & CRL_SCORE_AKID)) 1035221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 1036221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1037221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Check cert for matching CRL distribution points */ 1038221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1039221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) 1040221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1041221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* If no new reasons reject */ 1042221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!(crl_reasons & ~tmp_reasons)) 1043221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 1044221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom tmp_reasons |= crl_reasons; 1045221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom crl_score |= CRL_SCORE_SCOPE; 1046656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1047656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1048221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom *preasons = tmp_reasons; 1049221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1050221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return crl_score; 1051221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1052221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1053656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1054221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstromstatic void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, 1055221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509 **pissuer, int *pcrl_score) 1056221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1057221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509 *crl_issuer = NULL; 1058221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509_NAME *cnm = X509_CRL_get_issuer(crl); 1059221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom int cidx = ctx->error_depth; 1060221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom int i; 1061221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1062221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (cidx != sk_X509_num(ctx->chain) - 1) 1063221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom cidx++; 1064221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1065221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom crl_issuer = sk_X509_value(ctx->chain, cidx); 1066221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1067221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) 1068656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1069221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (*pcrl_score & CRL_SCORE_ISSUER_NAME) 1070656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1071221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_ISSUER_CERT; 1072221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom *pissuer = crl_issuer; 1073221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return; 1074221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1075221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1076221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1077221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++) 1078221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1079221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom crl_issuer = sk_X509_value(ctx->chain, cidx); 1080221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) 1081221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom continue; 1082221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) 1083221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1084221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_SAME_PATH; 1085221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom *pissuer = crl_issuer; 1086221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return; 1087221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1088221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1089221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1090221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Anything else needs extended CRL support */ 1091221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1092221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) 1093221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return; 1094221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1095221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Otherwise the CRL issuer is not on the path. Look for it in the 1096221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * set of untrusted certificates. 1097221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom */ 1098221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom for (i = 0; i < sk_X509_num(ctx->untrusted); i++) 1099221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1100221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom crl_issuer = sk_X509_value(ctx->untrusted, i); 1101221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) 1102221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom continue; 1103221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) 1104221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1105221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom *pissuer = crl_issuer; 1106221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom *pcrl_score |= CRL_SCORE_AKID; 1107221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return; 1108221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1109221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1110221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1111221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1112221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom/* Check the path of a CRL issuer certificate. This creates a new 1113221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * X509_STORE_CTX and populates it with most of the parameters from the 1114221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * parent. This could be optimised somewhat since a lot of path checking 1115221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * will be duplicated by the parent, but this will rarely be used in 1116221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * practice. 1117221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom */ 1118221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1119221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstromstatic int check_crl_path(X509_STORE_CTX *ctx, X509 *x) 1120221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1121221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509_STORE_CTX crl_ctx; 1122221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom int ret; 1123221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Don't allow recursive CRL path validation */ 1124221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (ctx->parent) 1125221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 1126221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!X509_STORE_CTX_init(&crl_ctx, ctx->ctx, x, ctx->untrusted)) 1127221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return -1; 1128221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1129221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom crl_ctx.crls = ctx->crls; 1130221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Copy verify params across */ 1131221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509_STORE_CTX_set0_param(&crl_ctx, ctx->param); 1132221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1133221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom crl_ctx.parent = ctx; 1134221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom crl_ctx.verify_cb = ctx->verify_cb; 1135221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1136221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Verify CRL issuer */ 1137221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ret = X509_verify_cert(&crl_ctx); 1138221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1139221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (ret <= 0) 1140221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom goto err; 1141221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1142221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Check chain is acceptable */ 1143221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1144221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain); 1145221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom err: 1146221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509_STORE_CTX_cleanup(&crl_ctx); 1147221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return ret; 1148221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1149221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1150221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom/* RFC3280 says nothing about the relationship between CRL path 1151221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * and certificate path, which could lead to situations where a 1152221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * certificate could be revoked or validated by a CA not authorised 1153221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * to do so. RFC5280 is more strict and states that the two paths must 1154221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * end in the same trust anchor, though some discussions remain... 1155221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * until this is resolved we use the RFC5280 version 1156221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom */ 1157221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1158221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstromstatic int check_crl_chain(X509_STORE_CTX *ctx, 1159221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom STACK_OF(X509) *cert_path, 1160221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom STACK_OF(X509) *crl_path) 1161221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1162221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509 *cert_ta, *crl_ta; 1163221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1); 1164221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1); 1165221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!X509_cmp(cert_ta, crl_ta)) 1166221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 1; 1167221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 1168221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1169221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1170221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom/* Check for match between two dist point names: three separate cases. 1171221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * 1. Both are relative names and compare X509_NAME types. 1172221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * 2. One full, one relative. Compare X509_NAME to GENERAL_NAMES. 1173221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * 3. Both are full names and compare two GENERAL_NAMES. 1174221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * 4. One is NULL: automatic match. 1175221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom */ 1176221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1177221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1178221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstromstatic int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) 1179221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1180221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509_NAME *nm = NULL; 1181221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom GENERAL_NAMES *gens = NULL; 1182221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom GENERAL_NAME *gena, *genb; 1183221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom int i, j; 1184221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!a || !b) 1185221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 1; 1186221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (a->type == 1) 1187221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1188221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!a->dpname) 1189221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 1190221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Case 1: two X509_NAME */ 1191221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (b->type == 1) 1192221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1193221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!b->dpname) 1194221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 1195221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!X509_NAME_cmp(a->dpname, b->dpname)) 1196221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 1; 1197221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom else 1198221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 1199221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1200221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Case 2: set name and GENERAL_NAMES appropriately */ 1201221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom nm = a->dpname; 1202221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom gens = b->name.fullname; 1203221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1204221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom else if (b->type == 1) 1205221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1206221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!b->dpname) 1207221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 1208221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Case 2: set name and GENERAL_NAMES appropriately */ 1209221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom gens = a->name.fullname; 1210221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom nm = b->dpname; 1211221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1212221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1213221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */ 1214221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (nm) 1215221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1216221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) 1217221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1218221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom gena = sk_GENERAL_NAME_value(gens, i); 1219221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (gena->type != GEN_DIRNAME) 1220221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom continue; 1221221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!X509_NAME_cmp(nm, gena->d.directoryName)) 1222221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 1; 1223656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1224656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 0; 1225656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1226656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1227221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Else case 3: two GENERAL_NAMES */ 1228221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1229221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) 1230221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1231221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom gena = sk_GENERAL_NAME_value(a->name.fullname, i); 1232221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) 1233221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1234221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom genb = sk_GENERAL_NAME_value(b->name.fullname, j); 1235221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!GENERAL_NAME_cmp(gena, genb)) 1236221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 1; 1237221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1238221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1239221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1240221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 1241221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1242221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1243221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1244221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstromstatic int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) 1245221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1246221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom int i; 1247221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509_NAME *nm = X509_CRL_get_issuer(crl); 1248221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* If no CRLissuer return is successful iff don't need a match */ 1249221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!dp->CRLissuer) 1250221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return !!(crl_score & CRL_SCORE_ISSUER_NAME); 1251221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) 1252221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1253221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i); 1254221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (gen->type != GEN_DIRNAME) 1255221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom continue; 1256221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!X509_NAME_cmp(gen->d.directoryName, nm)) 1257221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 1; 1258221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1259221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 1260221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1261221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1262221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom/* Check CRLDP and IDP */ 1263221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1264221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstromstatic int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, 1265221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom unsigned int *preasons) 1266221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1267221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom int i; 1268221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (crl->idp_flags & IDP_ONLYATTR) 1269221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 1270221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (x->ex_flags & EXFLAG_CA) 1271221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1272221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (crl->idp_flags & IDP_ONLYUSER) 1273221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 1274221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1275221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom else 1276221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1277221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (crl->idp_flags & IDP_ONLYCA) 1278221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 1279221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1280221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom *preasons = crl->idp_reasons; 1281221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) 1282221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1283221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i); 1284221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (crldp_check_crlissuer(dp, crl, crl_score)) 1285221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1286221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!crl->idp || 1287221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom idp_check_dp(dp->distpoint, crl->idp->distpoint)) 1288221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1289221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom *preasons &= dp->dp_reasons; 1290221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 1; 1291221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1292221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1293221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1294221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME)) 1295221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 1; 1296221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 1297221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1298221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1299221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom/* Retrieve CRL corresponding to current certificate. 1300221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * If deltas enabled try to find a delta CRL too 1301221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom */ 1302221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1303221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstromstatic int get_crl_delta(X509_STORE_CTX *ctx, 1304221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x) 1305221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1306221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom int ok; 1307221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509 *issuer = NULL; 1308221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom int crl_score = 0; 1309221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom unsigned int reasons; 1310221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509_CRL *crl = NULL, *dcrl = NULL; 1311221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom STACK_OF(X509_CRL) *skcrl; 1312221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509_NAME *nm = X509_get_issuer_name(x); 1313221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom reasons = ctx->current_reasons; 1314221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ok = get_crl_sk(ctx, &crl, &dcrl, 1315221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom &issuer, &crl_score, &reasons, ctx->crls); 1316221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1317221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (ok) 1318221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom goto done; 1319221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1320221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Lookup CRLs from store */ 1321221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1322221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom skcrl = ctx->lookup_crls(ctx, nm); 1323221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1324221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* If no CRLs found and a near match from get_crl_sk use that */ 1325221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!skcrl && crl) 1326221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom goto done; 1327221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1328221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl); 1329221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1330221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom sk_X509_CRL_pop_free(skcrl, X509_CRL_free); 1331221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1332221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom done: 1333221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1334221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* If we got any kind of CRL use it and return success */ 1335656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (crl) 1336221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1337221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ctx->current_issuer = issuer; 1338221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ctx->current_crl_score = crl_score; 1339221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ctx->current_reasons = reasons; 1340221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom *pcrl = crl; 1341221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom *pdcrl = dcrl; 1342221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 1; 1343221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1344221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1345221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 1346656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1347656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1348656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project/* Check CRL validity */ 1349656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) 1350656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1351656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509 *issuer = NULL; 1352656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_PKEY *ikey = NULL; 1353656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int ok = 0, chnum, cnum; 1354656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project cnum = ctx->error_depth; 1355656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project chnum = sk_X509_num(ctx->chain) - 1; 1356221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* if we have an alternative CRL issuer cert use that */ 1357221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (ctx->current_issuer) 1358221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom issuer = ctx->current_issuer; 1359221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1360221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Else find CRL issuer: if not last certificate then issuer 1361656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * is next certificate in chain. 1362656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 1363221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom else if (cnum < chnum) 1364656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project issuer = sk_X509_value(ctx->chain, cnum + 1); 1365656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 1366656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1367656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project issuer = sk_X509_value(ctx->chain, chnum); 1368656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* If not self signed, can't check signature */ 1369656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if(!ctx->check_issued(ctx, issuer, issuer)) 1370656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1371656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER; 1372656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok = ctx->verify_cb(0, ctx); 1373656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if(!ok) goto err; 1374656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1375656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1376656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1377656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if(issuer) 1378656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1379221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Skip most tests for deltas because they have already 1380221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * been done 1381221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom */ 1382221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!crl->base_crl_number) 1383656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1384221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Check for cRLSign bit if keyUsage present */ 1385221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if ((issuer->ex_flags & EXFLAG_KUSAGE) && 1386221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom !(issuer->ex_kusage & KU_CRL_SIGN)) 1387221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1388221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; 1389221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ok = ctx->verify_cb(0, ctx); 1390221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if(!ok) goto err; 1391221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1392221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1393221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) 1394221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1395221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE; 1396221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ok = ctx->verify_cb(0, ctx); 1397221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if(!ok) goto err; 1398221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1399221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1400221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) 1401221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1402221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (check_crl_path(ctx, ctx->current_issuer) <= 0) 1403221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1404221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR; 1405221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ok = ctx->verify_cb(0, ctx); 1406221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if(!ok) goto err; 1407221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1408221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1409221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1410221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (crl->idp_flags & IDP_INVALID) 1411221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1412221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ctx->error = X509_V_ERR_INVALID_EXTENSION; 1413221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ok = ctx->verify_cb(0, ctx); 1414221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if(!ok) goto err; 1415221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1416221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1417221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1418221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1419221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1420221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!(ctx->current_crl_score & CRL_SCORE_TIME)) 1421221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1422221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ok = check_crl_time(ctx, crl, 1); 1423221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!ok) 1424221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom goto err; 1425656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1426656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1427656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Attempt to get issuer certificate public key */ 1428656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ikey = X509_get_pubkey(issuer); 1429656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1430656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if(!ikey) 1431656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1432656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; 1433656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok = ctx->verify_cb(0, ctx); 1434656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ok) goto err; 1435656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1436656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 1437656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1438656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Verify CRL signature */ 1439656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if(X509_CRL_verify(crl, ikey) <= 0) 1440656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1441656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE; 1442656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok = ctx->verify_cb(0, ctx); 1443656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ok) goto err; 1444656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1445656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1446656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1447656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1448656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok = 1; 1449656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1450656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project err: 1451656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_PKEY_free(ikey); 1452656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return ok; 1453656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1454656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1455656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project/* Check certificate against CRL */ 1456656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) 1457656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1458221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom int ok; 1459221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509_REVOKED *rev; 1460221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* The rules changed for this... previously if a CRL contained 1461221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * unhandled critical extensions it could still be used to indicate 1462221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * a certificate was revoked. This has since been changed since 1463221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * critical extension can change the meaning of CRL entries. 1464221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom */ 14657f7ea2d72f2e316ba518e82f06513e3477840c15Kenny Root if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) 14667f7ea2d72f2e316ba518e82f06513e3477840c15Kenny Root && (crl->flags & EXFLAG_CRITICAL)) 1467656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1468221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; 1469221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ok = ctx->verify_cb(0, ctx); 1470221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if(!ok) 1471221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 1472656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1473221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Look for serial number of certificate in CRL 1474221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * If found make sure reason is not removeFromCRL. 1475656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 1476221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (X509_CRL_get0_by_cert(crl, &rev, x)) 1477656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1478221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (rev->reason == CRL_REASON_REMOVE_FROM_CRL) 1479221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 2; 1480656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error = X509_V_ERR_CERT_REVOKED; 1481656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok = ctx->verify_cb(0, ctx); 1482221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!ok) 1483221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 1484656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1485656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1486656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 1; 1487656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1488656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1489656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic int check_policy(X509_STORE_CTX *ctx) 1490656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1491656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int ret; 1492221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (ctx->parent) 1493221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 1; 1494656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain, 1495656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->param->policies, ctx->param->flags); 1496656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ret == 0) 1497656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1498656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE); 1499656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 0; 1500656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1501656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Invalid or inconsistent extensions */ 1502656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ret == -1) 1503656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1504656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Locate certificates with bad extensions and notify 1505656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * callback. 1506656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 1507656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509 *x; 1508656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int i; 1509656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project for (i = 1; i < sk_X509_num(ctx->chain); i++) 1510656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1511656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project x = sk_X509_value(ctx->chain, i); 1512656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!(x->ex_flags & EXFLAG_INVALID_POLICY)) 1513656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project continue; 1514656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->current_cert = x; 1515656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION; 1516221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if(!ctx->verify_cb(0, ctx)) 1517221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return 0; 1518656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1519656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 1; 1520656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1521656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ret == -2) 1522656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1523656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->current_cert = NULL; 1524656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY; 1525656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return ctx->verify_cb(0, ctx); 1526656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1527656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1528656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) 1529656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1530656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->current_cert = NULL; 1531656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error = X509_V_OK; 1532656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ctx->verify_cb(2, ctx)) 1533656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 0; 1534656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1535656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1536656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 1; 1537656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1538656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1539656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic int check_cert_time(X509_STORE_CTX *ctx, X509 *x) 1540656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1541656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project time_t *ptime; 1542656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int i; 1543656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1544656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) 1545656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ptime = &ctx->param->check_time; 1546656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 1547656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ptime = NULL; 1548656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1549656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project i=X509_cmp_time(X509_get_notBefore(x), ptime); 1550656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (i == 0) 1551656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1552656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; 1553656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->current_cert=x; 1554656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ctx->verify_cb(0, ctx)) 1555656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 0; 1556656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1557656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1558656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (i > 0) 1559656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1560656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error=X509_V_ERR_CERT_NOT_YET_VALID; 1561656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->current_cert=x; 1562656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ctx->verify_cb(0, ctx)) 1563656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 0; 1564656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1565656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1566656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project i=X509_cmp_time(X509_get_notAfter(x), ptime); 1567656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (i == 0) 1568656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1569656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; 1570656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->current_cert=x; 1571656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ctx->verify_cb(0, ctx)) 1572656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 0; 1573656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1574656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1575656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (i < 0) 1576656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1577656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error=X509_V_ERR_CERT_HAS_EXPIRED; 1578656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->current_cert=x; 1579656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ctx->verify_cb(0, ctx)) 1580656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 0; 1581656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1582656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1583656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 1; 1584656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1585656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1586656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectstatic int internal_verify(X509_STORE_CTX *ctx) 1587656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1588656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int ok=0,n; 1589656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509 *xs,*xi; 1590656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_PKEY *pkey=NULL; 1591656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int (*cb)(int xok,X509_STORE_CTX *xctx); 1592656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1593656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project cb=ctx->verify_cb; 1594656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1595656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project n=sk_X509_num(ctx->chain); 1596656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error_depth=n-1; 1597656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project n--; 1598656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project xi=sk_X509_value(ctx->chain,n); 1599656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1600656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ctx->check_issued(ctx, xi, xi)) 1601656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project xs=xi; 1602656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 1603656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1604656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (n <= 0) 1605656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1606656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; 1607656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->current_cert=xi; 1608656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok=cb(0,ctx); 1609656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto end; 1610656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1611656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 1612656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1613656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project n--; 1614656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error_depth=n; 1615656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project xs=sk_X509_value(ctx->chain,n); 1616656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1617656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1618656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1619656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project/* ctx->error=0; not needed */ 1620656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project while (n >= 0) 1621656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1622656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error_depth=n; 162398d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom 162498d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom /* Skip signature check for self signed certificates unless 162598d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom * explicitly asked for. It doesn't add any security and 162698d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom * just wastes time. 162798d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom */ 162898d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) 1629656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1630656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((pkey=X509_get_pubkey(xi)) == NULL) 1631656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1632656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; 1633656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->current_cert=xi; 1634656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok=(*cb)(0,ctx); 1635656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ok) goto end; 1636656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1637656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else if (X509_verify(xs,pkey) <= 0) 1638656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1639656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE; 1640656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->current_cert=xs; 1641656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok=(*cb)(0,ctx); 1642656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ok) 1643656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1644656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_PKEY_free(pkey); 1645656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto end; 1646656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1647656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1648656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_PKEY_free(pkey); 1649656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project pkey=NULL; 1650656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1651656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1652656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project xs->valid = 1; 1653656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1654656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok = check_cert_time(ctx, xs); 1655656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ok) 1656656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto end; 1657656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1658656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* The last error (if any) is still in the error value */ 1659656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->current_issuer=xi; 1660656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->current_cert=xs; 1661656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok=(*cb)(1,ctx); 1662656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ok) goto end; 1663656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1664656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project n--; 1665656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (n >= 0) 1666656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1667656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project xi=xs; 1668656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project xs=sk_X509_value(ctx->chain,n); 1669656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1670656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1671656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ok=1; 1672656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectend: 1673656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return ok; 1674656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1675656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1676221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstromint X509_cmp_current_time(const ASN1_TIME *ctm) 1677656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project{ 1678656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return X509_cmp_time(ctm, NULL); 1679656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project} 1680656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1681221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstromint X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) 1682656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1683656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project char *str; 1684656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ASN1_TIME atm; 1685656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project long offset; 1686656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project char buff1[24],buff2[24],*p; 1687656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int i,j; 1688656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1689656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p=buff1; 1690656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project i=ctm->length; 1691656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project str=(char *)ctm->data; 1692656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ctm->type == V_ASN1_UTCTIME) 1693656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1694656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((i < 11) || (i > 17)) return 0; 1695656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project memcpy(p,str,10); 1696656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p+=10; 1697656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project str+=10; 1698656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1699656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 1700656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1701656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (i < 13) return 0; 1702656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project memcpy(p,str,12); 1703656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p+=12; 1704656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project str+=12; 1705656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1706656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1707656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((*str == 'Z') || (*str == '-') || (*str == '+')) 1708656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { *(p++)='0'; *(p++)='0'; } 1709656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 1710656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1711656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *(p++)= *(str++); 1712656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *(p++)= *(str++); 1713656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Skip any fractional seconds... */ 1714656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (*str == '.') 1715656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1716656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project str++; 1717656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project while ((*str >= '0') && (*str <= '9')) str++; 1718656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1719656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1720656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1721656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *(p++)='Z'; 1722656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *(p++)='\0'; 1723656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1724656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (*str == 'Z') 1725656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project offset=0; 1726656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 1727656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1728656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((*str != '+') && (*str != '-')) 1729656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 0; 1730656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project offset=((str[1]-'0')*10+(str[2]-'0'))*60; 1731656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project offset+=(str[3]-'0')*10+(str[4]-'0'); 1732656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (*str == '-') 1733656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project offset= -offset; 1734656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1735656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project atm.type=ctm->type; 1736221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom atm.flags = 0; 1737656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project atm.length=sizeof(buff2); 1738656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project atm.data=(unsigned char *)buff2; 1739656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 17407b476c43f6a45574eb34697244b592e7b09f05a3Brian Carlstrom if (X509_time_adj(&atm, offset*60, cmp_time) == NULL) 1741656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 0; 1742656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1743656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ctm->type == V_ASN1_UTCTIME) 1744656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1745656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project i=(buff1[0]-'0')*10+(buff1[1]-'0'); 1746656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (i < 50) i+=100; /* cf. RFC 2459 */ 1747656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project j=(buff2[0]-'0')*10+(buff2[1]-'0'); 1748656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (j < 50) j+=100; 1749656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1750656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (i < j) return -1; 1751656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (i > j) return 1; 1752656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1753656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project i=strcmp(buff1,buff2); 1754656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (i == 0) /* wait a second then return younger :-) */ 1755656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return -1; 1756656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 1757656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return i; 1758656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1759656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1760656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source ProjectASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj) 1761656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project{ 1762656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return X509_time_adj(s, adj, NULL); 1763656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project} 1764656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1765221304ee937bc0910948a8be1320cb8cc4eb6d36Brian CarlstromASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm) 1766221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1767221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return X509_time_adj_ex(s, 0, offset_sec, in_tm); 1768221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1769221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1770221304ee937bc0910948a8be1320cb8cc4eb6d36Brian CarlstromASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, 1771221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom int offset_day, long offset_sec, time_t *in_tm) 1772656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1773656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project time_t t; 1774656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1775656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (in_tm) t = *in_tm; 1776656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else time(&t); 1777656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1778221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) 1779221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1780221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (s->type == V_ASN1_UTCTIME) 1781221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec); 1782221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (s->type == V_ASN1_GENERALIZEDTIME) 1783221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, 1784221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom offset_sec); 1785221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1786221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return ASN1_TIME_adj(s, t, offset_day, offset_sec); 1787656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1788656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1789656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectint X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) 1790656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1791656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_PKEY *ktmp=NULL,*ktmp2; 1792656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int i,j; 1793656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1794656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1; 1795656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1796656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project for (i=0; i<sk_X509_num(chain); i++) 1797656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1798656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ktmp=X509_get_pubkey(sk_X509_value(chain,i)); 1799656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ktmp == NULL) 1800656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1801656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY); 1802656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 0; 1803656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1804656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!EVP_PKEY_missing_parameters(ktmp)) 1805656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project break; 1806656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 1807656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1808656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_PKEY_free(ktmp); 1809656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ktmp=NULL; 1810656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1811656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1812656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ktmp == NULL) 1813656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1814656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN); 1815656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 0; 1816656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1817656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1818656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* first, populate the other certs */ 1819656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project for (j=i-1; j >= 0; j--) 1820656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1821656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ktmp2=X509_get_pubkey(sk_X509_value(chain,j)); 1822656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_PKEY_copy_parameters(ktmp2,ktmp); 1823656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_PKEY_free(ktmp2); 1824656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1825656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1826656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp); 1827656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_PKEY_free(ktmp); 1828656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 1; 1829656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1830656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1831656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectint X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 1832656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) 1833656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1834656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* This function is (usually) called only once, by 1835656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */ 1836656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp, 1837656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project new_func, dup_func, free_func); 1838656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1839656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1840656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectint X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) 1841656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1842656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return CRYPTO_set_ex_data(&ctx->ex_data,idx,data); 1843656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1844656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1845656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectvoid *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) 1846656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1847656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return CRYPTO_get_ex_data(&ctx->ex_data,idx); 1848656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1849656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1850656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectint X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) 1851656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1852656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return ctx->error; 1853656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1854656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1855656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectvoid X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) 1856656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1857656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error=err; 1858656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1859656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1860656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectint X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) 1861656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1862656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return ctx->error_depth; 1863656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1864656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1865656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source ProjectX509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) 1866656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1867656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return ctx->current_cert; 1868656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1869656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1870656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source ProjectSTACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx) 1871656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1872656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return ctx->chain; 1873656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1874656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1875656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source ProjectSTACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) 1876656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1877656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int i; 1878656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509 *x; 1879656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project STACK_OF(X509) *chain; 1880656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL; 1881656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project for (i = 0; i < sk_X509_num(chain); i++) 1882656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1883656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project x = sk_X509_value(chain, i); 1884656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); 1885656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1886656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return chain; 1887656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1888656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1889221304ee937bc0910948a8be1320cb8cc4eb6d36Brian CarlstromX509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx) 1890221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1891221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return ctx->current_issuer; 1892221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1893221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1894221304ee937bc0910948a8be1320cb8cc4eb6d36Brian CarlstromX509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx) 1895221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1896221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return ctx->current_crl; 1897221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1898221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1899221304ee937bc0910948a8be1320cb8cc4eb6d36Brian CarlstromX509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx) 1900221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1901221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return ctx->parent; 1902221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1903221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1904656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectvoid X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) 1905656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1906656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->cert=x; 1907656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1908656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1909656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectvoid X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) 1910656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1911656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->untrusted=sk; 1912656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1913656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1914656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectvoid X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) 1915656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1916656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->crls=sk; 1917656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1918656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1919656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectint X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) 1920656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1921656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0); 1922656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1923656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1924656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectint X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) 1925656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1926656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust); 1927656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1928656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1929656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project/* This function is used to set the X509_STORE_CTX purpose and trust 1930656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * values. This is intended to be used when another structure has its 1931656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * own trust and purpose values which (if set) will be inherited by 1932656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * the ctx. If they aren't set then we will usually have a default 1933656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * purpose in mind which should then be used to set the trust value. 1934656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * An example of this is SSL use: an SSL structure will have its own 1935656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * purpose and trust settings which the application can set: if they 1936656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * aren't set then we use the default of SSL client/server. 1937656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 1938656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1939656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectint X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, 1940656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int purpose, int trust) 1941656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project{ 1942656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int idx; 1943656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* If purpose not set use default */ 1944656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!purpose) purpose = def_purpose; 1945656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* If we have a purpose then check it is valid */ 1946656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (purpose) 1947656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1948656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509_PURPOSE *ptmp; 1949656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project idx = X509_PURPOSE_get_by_id(purpose); 1950656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (idx == -1) 1951656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1952656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, 1953656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509_R_UNKNOWN_PURPOSE_ID); 1954656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 0; 1955656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1956656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ptmp = X509_PURPOSE_get0(idx); 1957656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ptmp->trust == X509_TRUST_DEFAULT) 1958656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1959656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project idx = X509_PURPOSE_get_by_id(def_purpose); 1960656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (idx == -1) 1961656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1962656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, 1963656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509_R_UNKNOWN_PURPOSE_ID); 1964656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 0; 1965656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1966656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ptmp = X509_PURPOSE_get0(idx); 1967656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1968656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* If trust not set then get from purpose default */ 1969656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!trust) trust = ptmp->trust; 1970656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1971656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (trust) 1972656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1973656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project idx = X509_TRUST_get_by_id(trust); 1974656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (idx == -1) 1975656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1976656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, 1977656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509_R_UNKNOWN_TRUST_ID); 1978656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 0; 1979656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1980656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1981656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1982656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose; 1983656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (trust && !ctx->param->trust) ctx->param->trust = trust; 1984656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 1; 1985656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project} 1986656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1987656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source ProjectX509_STORE_CTX *X509_STORE_CTX_new(void) 1988656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project{ 1989656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509_STORE_CTX *ctx; 1990656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX)); 1991656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ctx) 1992656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1993656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE); 1994656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return NULL; 1995656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1996656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project memset(ctx, 0, sizeof(X509_STORE_CTX)); 1997656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return ctx; 1998656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project} 1999656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2000656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectvoid X509_STORE_CTX_free(X509_STORE_CTX *ctx) 2001656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project{ 2002656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509_STORE_CTX_cleanup(ctx); 2003656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project OPENSSL_free(ctx); 2004656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project} 2005656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2006656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectint X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, 2007656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project STACK_OF(X509) *chain) 2008656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2009656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int ret = 1; 2010656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->ctx=store; 2011656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->current_method=0; 2012656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->cert=x509; 2013656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->untrusted=chain; 2014656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->crls = NULL; 2015656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->last_untrusted=0; 2016656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->other_ctx=NULL; 2017656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->valid=0; 2018656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->chain=NULL; 2019656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error=0; 2020656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->explicit_policy=0; 2021656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->error_depth=0; 2022656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->current_cert=NULL; 2023656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->current_issuer=NULL; 2024ee7afb3c942c4eefef6ed06201eafaf8ec58e2e3Brian Carlstrom ctx->current_crl=NULL; 2025ee7afb3c942c4eefef6ed06201eafaf8ec58e2e3Brian Carlstrom ctx->current_crl_score=0; 2026ee7afb3c942c4eefef6ed06201eafaf8ec58e2e3Brian Carlstrom ctx->current_reasons=0; 2027656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->tree = NULL; 2028221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ctx->parent = NULL; 2029656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2030656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->param = X509_VERIFY_PARAM_new(); 2031656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2032656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ctx->param) 2033656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2034656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); 2035656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 0; 2036656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2037656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2038656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Inherit callbacks and flags from X509_STORE if not set 2039656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * use defaults. 2040656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 2041656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2042656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2043656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (store) 2044656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param); 2045656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 204643c12e3d4f9bbbbd4a8ba7b149686437514bc6b6Brian Carlstrom ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE; 2047656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2048656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (store) 2049656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2050656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->verify_cb = store->verify_cb; 2051656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->cleanup = store->cleanup; 2052656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2053656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 2054656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->cleanup = 0; 2055656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2056656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ret) 2057656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret = X509_VERIFY_PARAM_inherit(ctx->param, 2058656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509_VERIFY_PARAM_lookup("default")); 2059656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2060656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ret == 0) 2061656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2062656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); 2063656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 0; 2064656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2065656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2066656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (store && store->check_issued) 2067656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->check_issued = store->check_issued; 2068656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 2069656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->check_issued = check_issued; 2070656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2071656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (store && store->get_issuer) 2072656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->get_issuer = store->get_issuer; 2073656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 2074656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->get_issuer = X509_STORE_CTX_get1_issuer; 2075656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2076656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (store && store->verify_cb) 2077656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->verify_cb = store->verify_cb; 2078656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 2079656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->verify_cb = null_callback; 2080656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2081656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (store && store->verify) 2082656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->verify = store->verify; 2083656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 2084656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->verify = internal_verify; 2085656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2086656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (store && store->check_revocation) 2087656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->check_revocation = store->check_revocation; 2088656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 2089656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->check_revocation = check_revocation; 2090656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2091656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (store && store->get_crl) 2092656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->get_crl = store->get_crl; 2093656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 2094221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ctx->get_crl = NULL; 2095656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2096656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (store && store->check_crl) 2097656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->check_crl = store->check_crl; 2098656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 2099656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->check_crl = check_crl; 2100656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2101656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (store && store->cert_crl) 2102656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->cert_crl = store->cert_crl; 2103656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 2104656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->cert_crl = cert_crl; 2105656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2106221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (store && store->lookup_certs) 2107221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ctx->lookup_certs = store->lookup_certs; 2108221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom else 2109221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ctx->lookup_certs = X509_STORE_get1_certs; 2110221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 2111221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (store && store->lookup_crls) 2112221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ctx->lookup_crls = store->lookup_crls; 2113221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom else 2114221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ctx->lookup_crls = X509_STORE_get1_crls; 2115221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 2116656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->check_policy = check_policy; 2117656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2118656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2119656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* This memset() can't make any sense anyway, so it's removed. As 2120656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a 2121656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * corresponding "new" here and remove this bogus initialisation. */ 2122656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */ 2123656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, 2124656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project &(ctx->ex_data))) 2125656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2126656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project OPENSSL_free(ctx); 2127656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); 2128656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 0; 2129656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2130656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 1; 2131656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2132656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2133656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project/* Set alternative lookup method: just a STACK of trusted certificates. 2134656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * This avoids X509_STORE nastiness where it isn't needed. 2135656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 2136656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2137656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectvoid X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) 2138656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project{ 2139656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->other_ctx = sk; 2140656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->get_issuer = get_issuer_sk; 2141656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project} 2142656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2143656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectvoid X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) 2144656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2145656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ctx->cleanup) ctx->cleanup(ctx); 2146656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ctx->param != NULL) 2147656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2148221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (ctx->parent == NULL) 2149221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom X509_VERIFY_PARAM_free(ctx->param); 2150656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->param=NULL; 2151656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2152656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ctx->tree != NULL) 2153656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2154656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509_policy_tree_free(ctx->tree); 2155656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->tree=NULL; 2156656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2157656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ctx->chain != NULL) 2158656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2159656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project sk_X509_pop_free(ctx->chain,X509_free); 2160656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->chain=NULL; 2161656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2162656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data)); 2163656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA)); 2164656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2165656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2166656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectvoid X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) 2167656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2168656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509_VERIFY_PARAM_set_depth(ctx->param, depth); 2169656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2170656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2171656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectvoid X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) 2172656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2173656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509_VERIFY_PARAM_set_flags(ctx->param, flags); 2174656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2175656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2176656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectvoid X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t) 2177656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2178656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509_VERIFY_PARAM_set_time(ctx->param, t); 2179656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2180656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2181656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectvoid X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, 2182656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int (*verify_cb)(int, X509_STORE_CTX *)) 2183656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2184656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->verify_cb=verify_cb; 2185656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2186656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2187656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source ProjectX509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx) 2188656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2189656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return ctx->tree; 2190656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2191656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2192656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectint X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx) 2193656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2194656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return ctx->explicit_policy; 2195656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2196656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2197656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectint X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) 2198656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2199656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project const X509_VERIFY_PARAM *param; 2200656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project param = X509_VERIFY_PARAM_lookup(name); 2201656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!param) 2202656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return 0; 2203656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return X509_VERIFY_PARAM_inherit(ctx->param, param); 2204656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2205656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2206656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source ProjectX509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) 2207656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2208656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return ctx->param; 2209656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2210656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2211656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectvoid X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) 2212656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2213656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ctx->param) 2214656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509_VERIFY_PARAM_free(ctx->param); 2215656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ctx->param = param; 2216656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2217656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2218656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source ProjectIMPLEMENT_STACK_OF(X509) 2219656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source ProjectIMPLEMENT_ASN1_SET_OF(X509) 2220656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2221656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source ProjectIMPLEMENT_STACK_OF(X509_NAME) 2222656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2223656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source ProjectIMPLEMENT_STACK_OF(X509_ATTRIBUTE) 2224656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source ProjectIMPLEMENT_ASN1_SET_OF(X509_ATTRIBUTE) 2225