Commit 57912ed3 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson
Browse files

Add code to download CRLs based on CRLDP extension. 

Just a sample, real world applications would have to be cleverer.
parent e998f8ae

CHANGES

+4 −0
Original line number Diff line number Diff line
@@ -4,6 +4,10 @@ 


 Changes between 1.0.1 and 1.0.2 [xx XXX xxxx]



  *) New option -crl_download in several openssl utilities to download CRLs

     from CRLDP extension in certificates.

     [Steve Henson]



  *) New options -CRL and -CRLform for s_client and s_server for CRLs.

     [Steve Henson]

apps/apps.c

+78 −1
Original line number Diff line number Diff line
@@ -929,7 +929,7 @@ end: 
	return(x);

	}



X509_CRL *load_crl(char *infile, int format)

X509_CRL *load_crl(const char *infile, int format)

	{

	X509_CRL *x=NULL;

	BIO *in=NULL;
@@ -2963,6 +2963,83 @@ void print_cert_checks(BIO *bio, X509 *x, 
		}

	}



/* Get first http URL from a DIST_POINT structure */



static const char *get_dp_url(DIST_POINT *dp)

	{

	GENERAL_NAMES *gens;

	GENERAL_NAME *gen;

	int i, gtype;

	ASN1_STRING *uri;

	if (!dp->distpoint || dp->distpoint->type != 0)

		return NULL;

	gens = dp->distpoint->name.fullname;

	for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)

		{

		gen = sk_GENERAL_NAME_value(gens, i);

		uri = GENERAL_NAME_get0_value(gen, &gtype);

		if (gtype == GEN_URI && ASN1_STRING_length(uri) > 6)

			{

			char *uptr = (char *)ASN1_STRING_data(uri);

			if (!strncmp(uptr, "http://", 7))

				return uptr;

			}

		}		

	return NULL;

	}

		



/* Look through a CRLDP structure and attempt to find an http URL to downloads

 * a CRL from.

 */



static X509_CRL *load_crl_crldp(STACK_OF(DIST_POINT) *crldp)

	{

	int i;

	const char *urlptr = NULL;

	for (i = 0; i < sk_DIST_POINT_num(crldp); i++)

		{

		DIST_POINT *dp = sk_DIST_POINT_value(crldp, i);

		urlptr = get_dp_url(dp);

		if (urlptr)

			return load_crl(urlptr, FORMAT_HTTP);

		}

	return NULL;

	}



/* Example of downloading CRLs from CRLDP: not usable for real world

 * as it always downloads, doesn't support non-blocking I/O and doesn't

 * cache anything.

 */



static STACK_OF(X509_CRL) *crls_http_cb(X509_STORE_CTX *ctx, X509_NAME *nm)

	{

	X509 *x;

	STACK_OF(X509_CRL) *crls = NULL;

	X509_CRL *crl;

	STACK_OF(DIST_POINT) *crldp;

	x = X509_STORE_CTX_get_current_cert(ctx);

	crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);

	crl = load_crl_crldp(crldp);

	sk_DIST_POINT_pop_free(crldp, DIST_POINT_free);

	if (!crl)

		return NULL;

	crls = sk_X509_CRL_new_null();

	sk_X509_CRL_push(crls, crl);

	/* Try to download delta CRL */

	crldp = X509_get_ext_d2i(x, NID_freshest_crl, NULL, NULL);

	crl = load_crl_crldp(crldp);

	sk_DIST_POINT_pop_free(crldp, DIST_POINT_free);

	if (crl)

		sk_X509_CRL_push(crls, crl);

	return crls;

	}



void store_setup_crl_download(X509_STORE *st)

	{

	X509_STORE_set_lookup_crls_cb(st, crls_http_cb);

	}



/*

 * Platform-specific sections

 */

apps/apps.h

+3 −1
Original line number Diff line number Diff line
@@ -245,7 +245,7 @@ int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2); 
int add_oid_section(BIO *err, CONF *conf);

X509 *load_cert(BIO *err, const char *file, int format,

	const char *pass, ENGINE *e, const char *cert_descrip);

X509_CRL *load_crl(char *infile, int format);

X509_CRL *load_crl(const char *infile, int format);

int load_cert_crl_http(const char *url, BIO *err,

					X509 **pcert, X509_CRL **pcrl);

EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
@@ -343,6 +343,8 @@ void print_cert_checks(BIO *bio, X509 *x, 
				const unsigned char *checkemail,

				const char *checkip);



void store_setup_crl_download(X509_STORE *st);



#define FORMAT_UNDEF    0

#define FORMAT_ASN1     1

#define FORMAT_TEXT     2

apps/s_apps.h

+2 −2
Original line number Diff line number Diff line
@@ -196,9 +196,9 @@ int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx, 
			int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr);

int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,

		STACK_OF(OPENSSL_STRING) *str, int no_ecdhe, int no_jpake);

int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls);

int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls, int crl_download);

int ssl_load_stores(SSL_CTX *ctx,

			const char *vfyCApath, const char *vfyCAfile,

			const char *chCApath, const char *chCAfile,

			STACK_OF(X509_CRL) *crls);

			STACK_OF(X509_CRL) *crls, int crl_download);

#endif

apps/s_cb.c

+11 −13
Original line number Diff line number Diff line
@@ -1603,32 +1603,28 @@ static int add_crls_store(X509_STORE *st, STACK_OF(X509_CRL) *crls) 
	{

	X509_CRL *crl;

	int i;

	if (crls)

		{

	for (i = 0; i < sk_X509_CRL_num(crls); i++)

		{

		crl = sk_X509_CRL_value(crls, i);

		X509_STORE_add_crl(st, crl);

		}

		}

	return 1;

	}



int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls)

int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls, int crl_download)

	{

	X509_STORE *st;

	if (crls)

		{

	st = SSL_CTX_get_cert_store(ctx);

	add_crls_store(st, crls);

		}

	if (crl_download)

		store_setup_crl_download(st);

	return 1;

	}



int ssl_load_stores(SSL_CTX *ctx,

			const char *vfyCApath, const char *vfyCAfile,

			const char *chCApath, const char *chCAfile,

			STACK_OF(X509_CRL) *crls)

			STACK_OF(X509_CRL) *crls, int crl_download)

	{

	X509_STORE *vfy = NULL, *ch = NULL;

	int rv = 0;
@@ -1639,6 +1635,8 @@ int ssl_load_stores(SSL_CTX *ctx, 
			goto err;

		add_crls_store(vfy, crls);

		SSL_CTX_set1_verify_cert_store(ctx, vfy);

		if (crl_download)

			store_setup_crl_download(vfy);

		}

	if (chCApath || chCAfile)

		{