Commit 51630a37 authored by Dr. Stephen Henson

Add trust setting support to the verify code. It now checks the

trust settings of the root CA.

After a few fixes it seems to work OK.

Still need to add support to SSL and S/MIME code though.
parent 74ecf9e2
+15 −9
@@ -12,15 +12,21 @@
     DSA key was used because it didn't fix the digest.
     [Steve Henson]

  *) Very preliminary certificate chain verify code. Currently just tests
     the untrusted certificates for consistency with the verify purpose
     (which is set when the X509_STORE_CTX structure is set up) and checks
     the pathlength. There is a NO_CHAIN_VERIFY compilation option to keep
     the old behaviour: this is because when it is finally working it will
     reject chains with invalid extensions whereas before it made no checks
     at all.

     Preliminary untested trust code. 
  *) Initial certificate chain verify code. Currently tests the untrusted
     certificates for consistency with the verify purpose (which is set
     when the X509_STORE_CTX structure is set up) and checks the pathlength.

     There is a NO_CHAIN_VERIFY compilation option to keep the old behaviour:
     this is because when it is finally working it will reject chains with
     invalid extensions whereas every previous version of OpenSSL and SSLeay
     made no checks at all.

     Trust code: checks the root CA for the relevant trust settings. Trust
     settings have an initial value consistent with the verify purpose: e.g.
     if the verify purpose is for SSL client use it expects the CA to be
     trusted for SSL client use. However the default value can be changed to
     permit custom trust settings: one example of this would be to only trust
     certificates from a specific "secure" set of CAs.

     Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions
     which should be used for version portability: especially since the
+2 −0
@@ -85,6 +85,7 @@ int MAIN(int argc, char **argv)
	X509_LOOKUP *lookup=NULL;

	X509_PURPOSE_add_standard();
	X509_TRUST_add_standard();
	X509V3_add_standard_extensions();
	cert_ctx=X509_STORE_new();
	if (cert_ctx == NULL) goto end;
@@ -199,6 +200,7 @@ end:
	sk_X509_pop_free(untrusted, X509_free);
	X509V3_EXT_cleanup();
	X509_PURPOSE_cleanup();
	X509_TRUST_cleanup();
	EXIT(ret);
	}
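Review bot: The two added calls, `X509_TRUST_add_standard();` near the top of MAIN and `X509_TRUST_cleanup();` under `end:`, have no visible failure handling and no comment tying them to the root-CA trust check this commit introduces. Their declarations are not shown on this page, so whether the setup call can report failure is an assumption; if it returns a status, `if(!X509_TRUST_add_standard()) goto end;` would keep verify from running with an incomplete trust table. If, as the name suggests, the call registers the standard trust settings, a one-line comment such as `/* standard trust settings must be registered before any chain is verified */` would record the ordering requirement. MAIN begins before and continues past both hunks, so the state reached at `end:` on such an early exit could not be checked here.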

+5 −5
@@ -99,13 +99,13 @@ int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent)
	int i;
	if(!aux) return 1;
	if(aux->trust) {
		BIO_printf(out, "%*sTrusted for:\n", indent, "");
		BIO_printf(out, "%*sTrusted Uses:\n", indent, "");
		ASN1_BIT_STRING_name_print(out, aux->trust, tbits, indent + 2);
	} else BIO_printf(out, "%*sNo Trust Settings\n", indent + 2, "");
	} else BIO_printf(out, "%*sNo Trusted Uses.\n", indent, "");
	if(aux->reject) {
		BIO_printf(out, "%*sUntrusted for:\n", indent, "");
		BIO_printf(out, "%*sRejected Uses:\n", indent, "");
		ASN1_BIT_STRING_name_print(out, aux->reject, tbits, indent + 2);
	} else BIO_printf(out, "%*sNo Untrusted Settings\n", indent + 2, "");
	} else BIO_printf(out, "%*sNo Rejected Uses.\n", indent, "");
	if(aux->othertrust) {
		first = 1;
		BIO_printf(out, "%*sOther Trusted Uses:\n%*s",
@@ -121,7 +121,7 @@ int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent)
	}
	if(aux->otherreject) {
		first = 1;
		BIO_printf(out, "%*sOther Untrusted Uses:\n%*s",
		BIO_printf(out, "%*sOther Rejected Uses:\n%*s",
						indent, "", indent + 2, "");
		for(i = 0; i < sk_ASN1_OBJECT_num(aux->otherreject); i++) {
			if(!first) BIO_puts(out, ", ");
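Review bot: X509_CERT_AUX_print still returns 1 from `if(!aux) return 1;` without printing anything, and that behaviour is undocumented. After this relabelling, a certificate with no auxiliary data produces no trust output at all, while one with empty settings prints `No Trusted Uses.` and `No Rejected Uses.`. A short comment above the early return, for example `/* no auxiliary data: print nothing, not an error */`, would help anyone reading this output to audit trust settings. The function starts before the first hunk and continues past the second, so the rest of its output is not visible here.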
+2 −0
@@ -1098,6 +1098,7 @@ int X509_TRUST_get_trust(X509_TRUST *xp);
#define X509_F_X509_REQ_PRINT				 121
#define X509_F_X509_REQ_PRINT_FP			 122
#define X509_F_X509_REQ_TO_X509				 123
#define X509_F_X509_SET_PURPOSE_AND_TRUST		 134
#define X509_F_X509_STORE_ADD_CERT			 124
#define X509_F_X509_STORE_ADD_CRL			 125
#define X509_F_X509_TO_X509_REQ				 126
@@ -1122,6 +1123,7 @@ int X509_TRUST_get_trust(X509_TRUST *xp);
#define X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY		 108
#define X509_R_UNKNOWN_KEY_TYPE				 117
#define X509_R_UNKNOWN_NID				 109
#define X509_R_UNKNOWN_TRUST_ID				 120
#define X509_R_UNSUPPORTED_ALGORITHM			 111
#define X509_R_WRONG_LOOKUP_TYPE			 112

+3 −1
@@ -91,10 +91,11 @@ static ERR_STRING_DATA X509_str_functs[]=
{ERR_PACK(0,X509_F_X509_REQ_PRINT,0),	"X509_REQ_print"},
{ERR_PACK(0,X509_F_X509_REQ_PRINT_FP,0),	"X509_REQ_print_fp"},
{ERR_PACK(0,X509_F_X509_REQ_TO_X509,0),	"X509_REQ_to_X509"},
{ERR_PACK(0,X509_F_X509_SET_PURPOSE_AND_TRUST,0),	"X509_set_purpose_and_trust"},
{ERR_PACK(0,X509_F_X509_STORE_ADD_CERT,0),	"X509_STORE_add_cert"},
{ERR_PACK(0,X509_F_X509_STORE_ADD_CRL,0),	"X509_STORE_add_crl"},
{ERR_PACK(0,X509_F_X509_TO_X509_REQ,0),	"X509_to_X509_REQ"},
{ERR_PACK(0,X509_F_X509_TRUST_ADD,0),	"X509_TRUST_ADD"},
{ERR_PACK(0,X509_F_X509_TRUST_ADD,0),	"X509_TRUST_add"},
{ERR_PACK(0,X509_F_X509_VERIFY_CERT,0),	"X509_verify_cert"},
{0,NULL}
	};
@@ -118,6 +119,7 @@ static ERR_STRING_DATA X509_str_reasons[]=
{X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY   ,"unable to get certs public key"},
{X509_R_UNKNOWN_KEY_TYPE                 ,"unknown key type"},
{X509_R_UNKNOWN_NID                      ,"unknown nid"},
{X509_R_UNKNOWN_TRUST_ID                 ,"unknown trust id"},
{X509_R_UNSUPPORTED_ALGORITHM            ,"unsupported algorithm"},
{X509_R_WRONG_LOOKUP_TYPE                ,"wrong lookup type"},
{0,NULL}