Commit 5d7c222d authored by Dr. Stephen Henson's avatar Dr. Stephen Henson

New X509_VERIFY_PARAM structure and associated functionality.

This tidies up verify parameters and adds support for integrated policy
checking.

Add support for policy related command line options. Currently only in smime
application.

WARNING: experimental code subject to change.
parent d993addb
+8 −0
@@ -4,6 +4,14 @@

 Changes between 0.9.7e and 0.9.8  [xx XXX xxxx]

  *) New structure X509_VERIFY_PARAM which combines current verify parameters,
     update associated structures and add various utility functions.

     Add new policy related verify parameters, include policy checking in 
     standard verify code. Enhance 'smime' application with extra parameters
     to support policy checking and print out.
     [Steve Henson]

  *) Add a new engine to support VIA PadLock ACE extensions in the VIA C3
     Nehemiah processors. These extensions support AES encryption in hardware
     as well as RNG (though RNG support is currently disabled).
+4 −2
@@ -62,14 +62,16 @@ E_OBJ= verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o er
	rsa.o rsautl.o dsa.o dsaparam.o ec.o ecparam.o \
	x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o \
	s_time.o $(A_OBJ) $(S_OBJ) $(RAND_OBJ) version.o sess_id.o \
	ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o ocsp.o
	ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o \
	ocsp.o 

E_SRC=	verify.c asn1pars.c req.c dgst.c dh.c enc.c passwd.c gendh.c errstr.c ca.c \
	pkcs7.c crl2p7.c crl.c \
	rsa.c rsautl.c dsa.c dsaparam.c ec.c ecparam.c \
	x509.c genrsa.c gendsa.c s_server.c s_client.c speed.c \
	s_time.c $(A_SRC) $(S_SRC) $(RAND_SRC) version.c sess_id.c \
	ciphers.c nseq.c pkcs12.c pkcs8.c spkac.c smime.c rand.c engine.c ocsp.c
	ciphers.c nseq.c pkcs12.c pkcs8.c spkac.c smime.c rand.c engine.c \
	ocsp.c

SRC=$(E_SRC)

+65 −0
@@ -2140,3 +2140,68 @@ int WIN32_rename(char *from, char *to)
#endif
	}
#endif

int args_verify(char ***pargs, int *badarg, BIO *err, X509_VERIFY_PARAM **pm)
	{
	ASN1_OBJECT *otmp = NULL;
	unsigned long flags = 0;
	char *arg = **pargs, *argn = (*pargs)[1];
	if (!strcmp(arg, "-policy"))
		{
		if (!argn)
			*badarg = 1;
		else
			{
			otmp = OBJ_txt2obj(argn, 0);
			if (!otmp)
				{
				BIO_printf(err, "Invalid Policy \"%s\"\n",
									argn);
				*badarg = 1;
				}
			}
		(*pargs)++;
		}
	else if (!strcmp(arg, "-ignore_critical"))
		flags |= X509_V_FLAG_IGNORE_CRITICAL;
	else if (!strcmp(arg, "-issuer_checks"))
		flags |= X509_V_FLAG_CB_ISSUER_CHECK;
	else if (!strcmp(arg, "-crl_check"))
		flags |=  X509_V_FLAG_CRL_CHECK;
	else if (!strcmp(arg, "-crl_check_all"))
		flags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
	else if (!strcmp(arg, "-policy_check"))
		flags |= X509_V_FLAG_POLICY_CHECK;
	else if (!strcmp(arg, "-explicit_policy"))
		flags |= X509_V_FLAG_EXPLICIT_POLICY;
	else if (!strcmp(arg, "-x509_strict"))
		flags |= X509_V_FLAG_X509_STRICT;
	else if (!strcmp(arg, "-policy_print"))
		flags |= X509_V_FLAG_NOTIFY_POLICY;
	else
		return 0;

	if (*badarg)
		{
		if (*pm)
			X509_VERIFY_PARAM_free(*pm);
		*pm = NULL;
		return 1;
		}

	if (!*pm && !(*pm = X509_VERIFY_PARAM_new()))
		{
		*badarg = 1;
		return 1;
		}

	if (otmp)
		X509_VERIFY_PARAM_add0_policy(*pm, otmp);
	if (flags)
		X509_VERIFY_PARAM_set_flags(*pm, flags);

	(*pargs)++;

	return 1;

	}
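Review bot: The return value of X509_VERIFY_PARAM_add0_policy is ignored at `X509_VERIFY_PARAM_add0_policy(*pm, otmp);`, so when it fails the policy the user requested with -policy is silently dropped while the option is still reported as accepted, and otmp leaks; otmp also leaks when X509_VERIFY_PARAM_new fails after the object was already created by OBJ_txt2obj. Suggest `if (otmp && !X509_VERIFY_PARAM_add0_policy(*pm, otmp)) { ASN1_OBJECT_free(otmp); *badarg = 1; return 1; }` mirroring the existing badarg cleanup, and an `ASN1_OBJECT_free(otmp);` before `*badarg = 1;` in the allocation-failure branch. Note also that for `-policy` with no following argument the code still executes `(*pargs)++`, advancing onto the terminating NULL before returning with badarg set; this is only safe as long as every caller stops iterating as soon as badarg is set, which the visible caller in smime appears to do but is not enforced here.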
+1 −0
@@ -317,6 +317,7 @@ int index_name_cmp(const char **a, const char **b);
int parse_yesno(char *str, int def);

X509_NAME *parse_name(char *str, long chtype, int multirdn);
int args_verify(char ***pargs, int *badarg, BIO *err, X509_VERIFY_PARAM **pm);

#define FORMAT_UNDEF    0
#define FORMAT_ASN1     1
+72 −8
@@ -3,7 +3,7 @@
 * project.
 */
/* ====================================================================
 * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
 * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -64,10 +64,13 @@
#include <openssl/crypto.h>
#include <openssl/pem.h>
#include <openssl/err.h>
#include <openssl/x509_vfy.h>
#include <openssl/x509v3.h>

#undef PROG
#define PROG smime_main
static int save_certs(char *signerfile, STACK_OF(X509) *signers);
static int smime_cb(int ok, X509_STORE_CTX *ctx);

#define SMIME_OP	0x10
#define SMIME_ENCRYPT	(1 | SMIME_OP)
@@ -96,7 +99,7 @@ int MAIN(int argc, char **argv)
	STACK_OF(X509) *encerts = NULL, *other = NULL;
	BIO *in = NULL, *out = NULL, *indata = NULL;
	int badarg = 0;
	int flags = PKCS7_DETACHED, store_flags = 0;
	int flags = PKCS7_DETACHED;
	char *to = NULL, *from = NULL, *subject = NULL;
	char *CAfile = NULL, *CApath = NULL;
	char *passargin = NULL, *passin = NULL;
@@ -108,6 +111,8 @@ int MAIN(int argc, char **argv)
	char *engine=NULL;
#endif

	X509_VERIFY_PARAM *vpm = NULL;

	args = argv + 1;
	ret = 1;

@@ -172,10 +177,6 @@ int MAIN(int argc, char **argv)
				flags |= PKCS7_NOOLDMIMETYPE;
		else if (!strcmp (*args, "-crlfeol"))
				flags |= PKCS7_CRLFEOL;
		else if (!strcmp (*args, "-crl_check"))
				store_flags |= X509_V_FLAG_CRL_CHECK;
		else if (!strcmp (*args, "-crl_check_all"))
				store_flags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
		else if (!strcmp(*args,"-rand")) {
			if (args[1]) {
				args++;
@@ -269,10 +270,14 @@ int MAIN(int argc, char **argv)
				args++;
				contfile = *args;
			} else badarg = 1;
		} else badarg = 1;
		} else if (args_verify(&args, &badarg, bio_err, &vpm))
			continue;
		else
			badarg = 1;
		args++;
	}


	if(operation == SMIME_SIGN) {
		if(!signerfile) {
			BIO_printf(bio_err, "No signer certificate specified\n");
@@ -473,7 +478,9 @@ int MAIN(int argc, char **argv)

	if(operation == SMIME_VERIFY) {
		if(!(store = setup_verify(bio_err, CAfile, CApath))) goto end;
		X509_STORE_set_flags(store, store_flags);
		X509_STORE_set_verify_cb_func(store, smime_cb);
		if (vpm)
			X509_STORE_set1_param(store, vpm);
	}


@@ -569,6 +576,8 @@ end:
	if(ret) ERR_print_errors(bio_err);
	sk_X509_pop_free(encerts, X509_free);
	sk_X509_pop_free(other, X509_free);
	if (vpm)
		X509_VERIFY_PARAM_free(vpm);
	X509_STORE_free(store);
	X509_free(cert);
	X509_free(recip);
@@ -595,3 +604,58 @@ static int save_certs(char *signerfile, STACK_OF(X509) *signers)
	return 1;
}
	

static void nodes_print(BIO *out, char *name, STACK_OF(X509_POLICY_NODE) *nodes)
	{
	X509_POLICY_NODE *node;
	int i;
	BIO_printf(out, "%s Policies:", name);
	if (nodes)
		{
		BIO_puts(out, "\n");
		for (i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++)
			{
			node = sk_X509_POLICY_NODE_value(nodes, i);
			X509_POLICY_NODE_print(out, node, 2);
			}
		}
	else
		BIO_puts(out, " <empty>\n");
	}

static void policies_print(BIO *out, X509_STORE_CTX *ctx)
	{
	X509_POLICY_TREE *tree;
	int explicit;
	tree = X509_STORE_CTX_get0_policy_tree(ctx);
	explicit = X509_STORE_CTX_get_explicit_policy(ctx);

	BIO_printf(out, "Require explicit Policy: %s\n",
				explicit ? "True" : "False");

	nodes_print(out, "Authority", X509_policy_tree_get0_policies(tree));
	nodes_print(out, "User", X509_policy_tree_get0_user_policies(tree));
	}

/* Minimal callback just to output policy info (if any) */

static int smime_cb(int ok, X509_STORE_CTX *ctx)
	{
	BIO *out;
	int error;

	error = X509_STORE_CTX_get_error(ctx);

	if ((error != X509_V_ERR_NO_EXPLICIT_POLICY)
		&& ((error != X509_V_OK) || (ok != 2)))
		return ok;

	out = BIO_new_fp(stderr, BIO_NOCLOSE);

	policies_print(out, ctx);

	BIO_free(out);

	return ok;

	}
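Review bot: The return value of X509_STORE_set1_param is ignored in the SMIME_VERIFY block (`X509_STORE_set1_param(store, vpm);`), so if copying the parameters fails the -policy, -crl_check or -x509_strict settings the user asked for are silently not applied and verification proceeds with the store's defaults; `if (vpm && !X509_STORE_set1_param(store, vpm)) goto end;` routes the failure through the existing error path, since ret is already 1 at that point. The previously removed `X509_STORE_set_flags(store, store_flags);` had the same unchecked pattern, so this is a chance to close it rather than carry it forward. In smime_cb the BIO returned by `BIO_new_fp(stderr, BIO_NOCLOSE)` is used without a NULL check; writing to bio_err, which this file already uses, or adding `if (!out) return ok;` avoids that. MAIN's body starts and ends outside these hunks.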