aboutsummaryrefslogtreecommitdiff
path: root/crypto
diff options
context:
space:
mode:
authorRich Salz <rsalz@openssl.org>2016-04-14 23:59:26 -0400
committerRich Salz <rsalz@openssl.org>2016-04-15 13:21:43 -0400
commitf0e0fd51fd8307f6eae64862ad9aaea113f1177a (patch)
treeb00de87cb2fd4dc437de5994d3c8028dd9262460 /crypto
parent34da11b39d2421f546ec568f355875eec353844c (diff)
downloadopenssl-f0e0fd51fd8307f6eae64862ad9aaea113f1177a.zip
openssl-f0e0fd51fd8307f6eae64862ad9aaea113f1177a.tar.gz
openssl-f0e0fd51fd8307f6eae64862ad9aaea113f1177a.tar.bz2
Make many X509_xxx types opaque.
Make X509_OBJECT, X509_STORE_CTX, X509_STORE, X509_LOOKUP, and X509_LOOKUP_METHOD opaque. Remove unused X509_CERT_FILE_CTX Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Diffstat (limited to 'crypto')
-rw-r--r--crypto/cms/cms_smime.c19
-rw-r--r--crypto/include/internal/x509_int.h82
-rw-r--r--crypto/ocsp/ocsp_vfy.c82
-rw-r--r--crypto/pkcs7/pk7_smime.c19
-rw-r--r--crypto/ts/ts_rsp_verify.c31
-rw-r--r--crypto/x509/by_file.c1
-rw-r--r--crypto/x509/x509_err.c2
-rw-r--r--crypto/x509/x509_lcl.h65
-rw-r--r--crypto/x509/x509_lu.c33
-rw-r--r--crypto/x509/x509_vfy.c44
10 files changed, 311 insertions, 67 deletions
diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
index e84b7e7..98054b3 100644
--- a/crypto/cms/cms_smime.c
+++ b/crypto/cms/cms_smime.c
@@ -273,21 +273,26 @@ static int cms_signerinfo_verify_cert(CMS_SignerInfo *si,
STACK_OF(X509) *certs,
STACK_OF(X509_CRL) *crls)
{
- X509_STORE_CTX ctx;
+ X509_STORE_CTX *ctx = X509_STORE_CTX_new();
X509 *signer;
int i, j, r = 0;
+
+ if (ctx == NULL) {
+ CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
CMS_SignerInfo_get0_algs(si, NULL, &signer, NULL, NULL);
- if (!X509_STORE_CTX_init(&ctx, store, signer, certs)) {
+ if (!X509_STORE_CTX_init(ctx, store, signer, certs)) {
CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY_CERT, CMS_R_STORE_INIT_ERROR);
goto err;
}
- X509_STORE_CTX_set_default(&ctx, "smime_sign");
+ X509_STORE_CTX_set_default(ctx, "smime_sign");
if (crls)
- X509_STORE_CTX_set0_crls(&ctx, crls);
+ X509_STORE_CTX_set0_crls(ctx, crls);
- i = X509_verify_cert(&ctx);
+ i = X509_verify_cert(ctx);
if (i <= 0) {
- j = X509_STORE_CTX_get_error(&ctx);
+ j = X509_STORE_CTX_get_error(ctx);
CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY_CERT,
CMS_R_CERTIFICATE_VERIFY_ERROR);
ERR_add_error_data(2, "Verify error:",
@@ -296,7 +301,7 @@ static int cms_signerinfo_verify_cert(CMS_SignerInfo *si,
}
r = 1;
err:
- X509_STORE_CTX_cleanup(&ctx);
+ X509_STORE_CTX_free(ctx);
return r;
}
diff --git a/crypto/include/internal/x509_int.h b/crypto/include/internal/x509_int.h
index fc032ae..ee49f2a 100644
--- a/crypto/include/internal/x509_int.h
+++ b/crypto/include/internal/x509_int.h
@@ -217,6 +217,77 @@ struct x509_st {
CRYPTO_RWLOCK *lock;
} /* X509 */ ;
+/*
+ * This is a used when verifying cert chains. Since the gathering of the
+ * cert chain can take some time (and have to be 'retried', this needs to be
+ * kept and passed around.
+ */
+struct x509_store_ctx_st { /* X509_STORE_CTX */
+ X509_STORE *ctx;
+ /* used when looking up certs */
+ int current_method;
+ /* The following are set by the caller */
+ /* The cert to check */
+ X509 *cert;
+ /* chain of X509s - untrusted - passed in */
+ STACK_OF(X509) *untrusted;
+ /* set of CRLs passed in */
+ STACK_OF(X509_CRL) *crls;
+ X509_VERIFY_PARAM *param;
+ /* Other info for use with get_issuer() */
+ void *other_ctx;
+ /* Callbacks for various operations */
+ /* called to verify a certificate */
+ int (*verify) (X509_STORE_CTX *ctx);
+ /* error callback */
+ int (*verify_cb) (int ok, X509_STORE_CTX *ctx);
+ /* get issuers cert from ctx */
+ int (*get_issuer) (X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
+ /* check issued */
+ int (*check_issued) (X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
+ /* Check revocation status of chain */
+ int (*check_revocation) (X509_STORE_CTX *ctx);
+ /* retrieve CRL */
+ int (*get_crl) (X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x);
+ /* Check CRL validity */
+ int (*check_crl) (X509_STORE_CTX *ctx, X509_CRL *crl);
+ /* Check certificate against CRL */
+ int (*cert_crl) (X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x);
+ int (*check_policy) (X509_STORE_CTX *ctx);
+ STACK_OF(X509) *(*lookup_certs) (X509_STORE_CTX *ctx, X509_NAME *nm);
+ STACK_OF(X509_CRL) *(*lookup_crls) (X509_STORE_CTX *ctx, X509_NAME *nm);
+ int (*cleanup) (X509_STORE_CTX *ctx);
+ /* The following is built up */
+ /* if 0, rebuild chain */
+ int valid;
+ /* number of untrusted certs */
+ int num_untrusted;
+ /* chain of X509s - built up and trusted */
+ STACK_OF(X509) *chain;
+ /* Valid policy tree */
+ X509_POLICY_TREE *tree;
+ /* Require explicit policy value */
+ int explicit_policy;
+ /* When something goes wrong, this is why */
+ int error_depth;
+ int error;
+ X509 *current_cert;
+ /* cert currently being tested as valid issuer */
+ X509 *current_issuer;
+ /* current CRL */
+ X509_CRL *current_crl;
+ /* score of current CRL */
+ int current_crl_score;
+ /* Reason mask */
+ unsigned int current_reasons;
+ /* For CRL path validation: parent context */
+ X509_STORE_CTX *parent;
+ CRYPTO_EX_DATA ex_data;
+ SSL_DANE *dane;
+ /* signed via bare TA public key, rather than CA certificate */
+ int bare_ta_signed;
+};
+
/* PKCS#8 private key info structure */
struct pkcs8_priv_key_info_st {
@@ -230,3 +301,14 @@ struct X509_sig_st {
X509_ALGOR *algor;
ASN1_OCTET_STRING *digest;
};
+
+struct x509_object_st {
+ /* one of the above types */
+ X509_LOOKUP_TYPE type;
+ union {
+ char *ptr;
+ X509 *x509;
+ X509_CRL *crl;
+ EVP_PKEY *pkey;
+ } data;
+};
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index 356c797..aba623c 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -82,13 +82,18 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
X509 *signer, *x;
STACK_OF(X509) *chain = NULL;
STACK_OF(X509) *untrusted = NULL;
- X509_STORE_CTX ctx;
+ X509_STORE_CTX *ctx = NULL;
int i, ret = ocsp_find_signer(&signer, bs, certs, flags);
if (!ret) {
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
- goto end;
+ goto err;
+ }
+ ctx = X509_STORE_CTX_new();
+ if (ctx == NULL) {
+ OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE);
+ goto err;
}
if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
flags |= OCSP_NOVERIFY;
@@ -99,7 +104,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
ret = OCSP_BASICRESP_verify(bs, skey, 0);
if (!skey || ret <= 0) {
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE);
- goto end;
+ goto err;
}
}
if (!(flags & OCSP_NOVERIFY)) {
@@ -111,30 +116,28 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
for (i = 0; i < sk_X509_num(certs); i++) {
if (!sk_X509_push(untrusted, sk_X509_value(certs, i))) {
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE);
- goto end;
+ goto err;
}
}
} else {
untrusted = bs->certs;
}
- init_res = X509_STORE_CTX_init(&ctx, st, signer, untrusted);
+ init_res = X509_STORE_CTX_init(ctx, st, signer, untrusted);
if (!init_res) {
- ret = -1;
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB);
- goto end;
+ goto err;
}
- X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
- ret = X509_verify_cert(&ctx);
- chain = X509_STORE_CTX_get1_chain(&ctx);
- X509_STORE_CTX_cleanup(&ctx);
+ X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER);
+ ret = X509_verify_cert(ctx);
+ chain = X509_STORE_CTX_get1_chain(ctx);
if (ret <= 0) {
- i = X509_STORE_CTX_get_error(&ctx);
+ i = X509_STORE_CTX_get_error(ctx);
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
OCSP_R_CERTIFICATE_VERIFY_ERROR);
ERR_add_error_data(2, "Verify error:",
X509_verify_cert_error_string(i));
- goto end;
+ goto err;
}
if (flags & OCSP_NOCHECKS) {
ret = 1;
@@ -148,7 +151,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
/* If fatal error or valid match then finish */
if (ret != 0)
- goto end;
+ goto err;
/*
* Easy case: explicitly trusted. Get root CA and check for explicit
@@ -160,12 +163,16 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
x = sk_X509_value(chain, sk_X509_num(chain) - 1);
if (X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED) {
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_ROOT_CA_NOT_TRUSTED);
- goto end;
+ goto err;
}
ret = 1;
+ goto end;
}
+ err:
+ ret = 0;
end:
+ X509_STORE_CTX_free(ctx);
sk_X509_pop_free(chain, X509_free);
if (bs->certs && certs)
sk_X509_free(untrusted);
@@ -367,24 +374,30 @@ int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs,
X509 *signer;
X509_NAME *nm;
GENERAL_NAME *gen;
- int ret;
- X509_STORE_CTX ctx;
+ int ret = 0;
+ X509_STORE_CTX *ctx = X509_STORE_CTX_new();
+
+ if (ctx == NULL) {
+ OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
if (!req->optionalSignature) {
OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED);
- return 0;
+ goto err;
}
gen = req->tbsRequest.requestorName;
if (!gen || gen->type != GEN_DIRNAME) {
OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
- return 0;
+ goto err;
}
nm = gen->d.directoryName;
ret = ocsp_req_find_signer(&signer, req, nm, certs, flags);
if (ret <= 0) {
OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
- return 0;
+ goto err;
}
if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
flags |= OCSP_NOVERIFY;
@@ -394,35 +407,42 @@ int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs,
ret = OCSP_REQUEST_verify(req, skey);
if (ret <= 0) {
OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNATURE_FAILURE);
- return 0;
+ goto err;
}
}
if (!(flags & OCSP_NOVERIFY)) {
int init_res;
if (flags & OCSP_NOCHAIN)
- init_res = X509_STORE_CTX_init(&ctx, store, signer, NULL);
+ init_res = X509_STORE_CTX_init(ctx, store, signer, NULL);
else
- init_res = X509_STORE_CTX_init(&ctx, store, signer,
+ init_res = X509_STORE_CTX_init(ctx, store, signer,
req->optionalSignature->certs);
if (!init_res) {
OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, ERR_R_X509_LIB);
- return 0;
+ goto err;
}
- X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
- X509_STORE_CTX_set_trust(&ctx, X509_TRUST_OCSP_REQUEST);
- ret = X509_verify_cert(&ctx);
- X509_STORE_CTX_cleanup(&ctx);
+ X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER);
+ X509_STORE_CTX_set_trust(ctx, X509_TRUST_OCSP_REQUEST);
+ ret = X509_verify_cert(ctx);
if (ret <= 0) {
- ret = X509_STORE_CTX_get_error(&ctx);
+ ret = X509_STORE_CTX_get_error(ctx);
OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
OCSP_R_CERTIFICATE_VERIFY_ERROR);
ERR_add_error_data(2, "Verify error:",
X509_verify_cert_error_string(ret));
- return 0;
+ goto err;
}
}
- return 1;
+ ret = 1;
+ goto end;
+
+err:
+ ret = 0;
+end:
+ X509_STORE_CTX_free(ctx);
+ return ret;
+
}
static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c
index 8027640..b146f68 100644
--- a/crypto/pkcs7/pk7_smime.c
+++ b/crypto/pkcs7/pk7_smime.c
@@ -257,7 +257,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
X509 *signer;
STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
PKCS7_SIGNER_INFO *si;
- X509_STORE_CTX cert_ctx;
+ X509_STORE_CTX *cert_ctx = NULL;
char *buf = NULL;
int i, j = 0, k, ret = 0;
BIO *p7bio = NULL;
@@ -306,26 +306,28 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
/* Now verify the certificates */
+ cert_ctx = X509_STORE_CTX_new();
+ if (cert_ctx == NULL)
+ goto err;
if (!(flags & PKCS7_NOVERIFY))
for (k = 0; k < sk_X509_num(signers); k++) {
signer = sk_X509_value(signers, k);
if (!(flags & PKCS7_NOCHAIN)) {
- if (!X509_STORE_CTX_init(&cert_ctx, store, signer,
+ if (!X509_STORE_CTX_init(cert_ctx, store, signer,
p7->d.sign->cert)) {
PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_X509_LIB);
goto err;
}
- X509_STORE_CTX_set_default(&cert_ctx, "smime_sign");
- } else if (!X509_STORE_CTX_init(&cert_ctx, store, signer, NULL)) {
+ X509_STORE_CTX_set_default(cert_ctx, "smime_sign");
+ } else if (!X509_STORE_CTX_init(cert_ctx, store, signer, NULL)) {
PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_X509_LIB);
goto err;
}
if (!(flags & PKCS7_NOCRL))
- X509_STORE_CTX_set0_crls(&cert_ctx, p7->d.sign->crl);
- i = X509_verify_cert(&cert_ctx);
+ X509_STORE_CTX_set0_crls(cert_ctx, p7->d.sign->crl);
+ i = X509_verify_cert(cert_ctx);
if (i <= 0)
- j = X509_STORE_CTX_get_error(&cert_ctx);
- X509_STORE_CTX_cleanup(&cert_ctx);
+ j = X509_STORE_CTX_get_error(cert_ctx);
if (i <= 0) {
PKCS7err(PKCS7_F_PKCS7_VERIFY,
PKCS7_R_CERTIFICATE_VERIFY_ERROR);
@@ -404,6 +406,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
ret = 1;
err:
+ X509_STORE_CTX_free(cert_ctx);
OPENSSL_free(buf);
if (tmpin == indata) {
if (indata)
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index e6e213a..89b86e1 100644
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -211,27 +211,36 @@ int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
static int ts_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted,
X509 *signer, STACK_OF(X509) **chain)
{
- X509_STORE_CTX cert_ctx;
+ X509_STORE_CTX *cert_ctx = NULL;
int i;
- int ret = 1;
+ int ret = 0;
*chain = NULL;
- if (!X509_STORE_CTX_init(&cert_ctx, store, signer, untrusted))
- return 0;
- X509_STORE_CTX_set_purpose(&cert_ctx, X509_PURPOSE_TIMESTAMP_SIGN);
- i = X509_verify_cert(&cert_ctx);
+ cert_ctx = X509_STORE_CTX_new();
+ if (cert_ctx == NULL) {
+ TSerr(TS_F_TS_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ if (!X509_STORE_CTX_init(cert_ctx, store, signer, untrusted))
+ goto end;
+ X509_STORE_CTX_set_purpose(cert_ctx, X509_PURPOSE_TIMESTAMP_SIGN);
+ i = X509_verify_cert(cert_ctx);
if (i <= 0) {
- int j = X509_STORE_CTX_get_error(&cert_ctx);
+ int j = X509_STORE_CTX_get_error(cert_ctx);
TSerr(TS_F_TS_VERIFY_CERT, TS_R_CERTIFICATE_VERIFY_ERROR);
ERR_add_error_data(2, "Verify error:",
X509_verify_cert_error_string(j));
- ret = 0;
- } else {
- *chain = X509_STORE_CTX_get1_chain(&cert_ctx);
+ goto err;
}
+ *chain = X509_STORE_CTX_get1_chain(cert_ctx);
+ ret = 1;
+ goto end;
- X509_STORE_CTX_cleanup(&cert_ctx);
+err:
+ ret = 0;
+end:
+ X509_STORE_CTX_free(cert_ctx);
return ret;
}
diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
index 51d642d..eea7a7e 100644
--- a/crypto/x509/by_file.c
+++ b/crypto/x509/by_file.c
@@ -64,6 +64,7 @@
#include <openssl/buffer.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
+#include "x509_lcl.h"
static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
long argl, char **ret);
diff --git a/crypto/x509/x509_err.c b/crypto/x509/x509_err.c
index 90a22de..d140d52 100644
--- a/crypto/x509/x509_err.c
+++ b/crypto/x509/x509_err.c
@@ -126,6 +126,8 @@ static ERR_STRING_DATA X509_str_functs[] = {
{ERR_FUNC(X509_F_X509_STORE_CTX_NEW), "X509_STORE_CTX_new"},
{ERR_FUNC(X509_F_X509_STORE_CTX_PURPOSE_INHERIT),
"X509_STORE_CTX_purpose_inherit"},
+ {ERR_FUNC(X509_F_X509_STORE_GET_X509_BY_SUBJECT),
+ "X509_STORE_get_X509_by_subject"},
{ERR_FUNC(X509_F_X509_TO_X509_REQ), "X509_to_X509_REQ"},
{ERR_FUNC(X509_F_X509_TRUST_ADD), "X509_TRUST_add"},
{ERR_FUNC(X509_F_X509_TRUST_SET), "X509_TRUST_set"},
diff --git a/crypto/x509/x509_lcl.h b/crypto/x509/x509_lcl.h
index 603c177..db98a10 100644
--- a/crypto/x509/x509_lcl.h
+++ b/crypto/x509/x509_lcl.h
@@ -115,6 +115,71 @@ struct x509_crl_method_st {
int (*crl_verify) (X509_CRL *crl, EVP_PKEY *pk);
};
+struct x509_lookup_method_st {
+ const char *name;
+ int (*new_item) (X509_LOOKUP *ctx);
+ void (*free) (X509_LOOKUP *ctx);
+ int (*init) (X509_LOOKUP *ctx);
+ int (*shutdown) (X509_LOOKUP *ctx);
+ int (*ctrl) (X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
+ char **ret);
+ int (*get_by_subject) (X509_LOOKUP *ctx, int type, X509_NAME *name,
+ X509_OBJECT *ret);
+ int (*get_by_issuer_serial) (X509_LOOKUP *ctx, int type, X509_NAME *name,
+ ASN1_INTEGER *serial, X509_OBJECT *ret);
+ int (*get_by_fingerprint) (X509_LOOKUP *ctx, int type,
+ unsigned char *bytes, int len,
+ X509_OBJECT *ret);
+ int (*get_by_alias) (X509_LOOKUP *ctx, int type, char *str, int len,
+ X509_OBJECT *ret);
+};
+
+/* This is the functions plus an instance of the local variables. */
+struct x509_lookup_st {
+ int init; /* have we been started */
+ int skip; /* don't use us. */
+ X509_LOOKUP_METHOD *method; /* the functions */
+ char *method_data; /* method data */
+ X509_STORE *store_ctx; /* who owns us */
+};
+
+/*
+ * This is used to hold everything. It is used for all certificate
+ * validation. Once we have a certificate chain, the 'verify' function is
+ * then called to actually check the cert chain.
+ */
+struct x509_store_st {
+ /* The following is a cache of trusted certs */
+ int cache; /* if true, stash any hits */
+ STACK_OF(X509_OBJECT) *objs; /* Cache of all objects */
+ /* These are external lookup methods */
+ STACK_OF(X509_LOOKUP) *get_cert_methods;
+ X509_VERIFY_PARAM *param;
+ /* Callbacks for various operations */
+ /* called to verify a certificate */
+ int (*verify) (X509_STORE_CTX *ctx);
+ /* error callback */
+ int (*verify_cb) (int ok, X509_STORE_CTX *ctx);
+ /* get issuers cert from ctx */
+ int (*get_issuer) (X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
+ /* check issued */
+ int (*check_issued) (X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
+ /* Check revocation status of chain */
+ int (*check_revocation) (X509_STORE_CTX *ctx);
+ /* retrieve CRL */
+ int (*get_crl) (X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x);
+ /* Check CRL validity */
+ int (*check_crl) (X509_STORE_CTX *ctx, X509_CRL *crl);
+ /* Check certificate against CRL */
+ int (*cert_crl) (X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x);
+ STACK_OF(X509) *(*lookup_certs) (X509_STORE_CTX *ctx, X509_NAME *nm);
+ STACK_OF(X509_CRL) *(*lookup_crls) (X509_STORE_CTX *ctx, X509_NAME *nm);
+ int (*cleanup) (X509_STORE_CTX *ctx);
+ CRYPTO_EX_DATA ex_data;
+ int references;
+ CRYPTO_RWLOCK *lock;
+};
+
typedef struct lookup_dir_hashes_st BY_DIR_HASH;
typedef struct lookup_dir_entry_st BY_DIR_ENTRY;
DEFINE_STACK_OF(BY_DIR_HASH)
diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c
index f9802c5..b822966 100644
--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@@ -294,6 +294,23 @@ X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m)
}
}
+X509_OBJECT *X509_STORE_get_X509_by_subject(X509_STORE_CTX *vs, int type,
+ X509_NAME *name)
+{
+ X509_OBJECT *ret;
+
+ ret = OPENSSL_malloc(sizeof (*ret));
+ if (ret == NULL) {
+ X509err(X509_F_X509_STORE_GET_X509_BY_SUBJECT, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+ if (!X509_STORE_get_by_subject(vs, type, name, ret)) {
+ OPENSSL_free(ret);
+ return NULL;
+ }
+ return ret;
+}
+
int X509_STORE_get_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type,
X509_NAME *name, X509_OBJECT *ret)
{
@@ -414,9 +431,22 @@ void X509_OBJECT_up_ref_count(X509_OBJECT *a)
}
}
+X509 *X509_OBJECT_get0_X509(X509_OBJECT *a)
+{
+ return a->data.x509;
+}
+
+void X509_OBJECT_free(X509_OBJECT *a)
+{
+ if (a == NULL)
+ return;
+ X509_OBJECT_free_contents(a);
+ OPENSSL_free(a);
+}
+
void X509_OBJECT_free_contents(X509_OBJECT *a)
{
- if (!a)
+ if (a == NULL)
return;
switch (a->type) {
default:
@@ -613,6 +643,7 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
X509_NAME *xn;
X509_OBJECT obj, *pobj;
int i, ok, idx, ret;
+
*issuer = NULL;
xn = X509_get_issuer_name(x);
ok = X509_STORE_get_by_subject(ctx, X509_LU_X509, xn, &obj);
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 2c3efdd..312b112 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1994,7 +1994,7 @@ X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
return ctx->current_cert;
}
-STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
+STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx)
{
return ctx->chain;
}
@@ -2026,11 +2026,6 @@ void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
ctx->cert = x;
}
-void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
-{
- ctx->untrusted = sk;
-}
-
void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
{
ctx->crls = sk;
@@ -2278,8 +2273,7 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
* Set alternative lookup method: just a STACK of trusted certificates. This
* avoids X509_STORE nastiness where it isn't needed.
*/
-
-void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
+void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
{
ctx->other_ctx = sk;
ctx->get_issuer = get_issuer_sk;
@@ -2329,11 +2323,43 @@ void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,
}
void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
- int (*verify_cb) (int, X509_STORE_CTX *))
+ X509_STORE_CTX_verify_cb verify_cb)
{
ctx->verify_cb = verify_cb;
}
+X509_STORE_CTX_verify_cb X509_STORE_CTX_get_verify_cb(X509_STORE_CTX *ctx)
+{
+ return ctx->verify_cb;
+}
+
+X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
+{
+ return ctx->cert;
+}
+
+STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx)
+{
+ return ctx->untrusted;
+}
+
+void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
+{
+ sk_X509_pop_free(ctx->chain, X509_free);
+ ctx->chain = sk;
+}
+
+void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx,
+ X509_STORE_CTX_verify verify)
+{
+ ctx->verify = verify;
+}
+
+X509_STORE_CTX_verify X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx)
+{
+ return ctx->verify;
+}
+
X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
{
return ctx->tree;
generated by cgit v1.1 at 2024-09-14 03:34:56 +0000