1 /* $OpenBSD: x509_vfy.c,v 1.103 2022/08/31 07:15:31 tb Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 59 #include <errno.h> 60 #include <stdio.h> 61 #include <string.h> 62 #include <time.h> 63 #include <unistd.h> 64 65 #include <openssl/opensslconf.h> 66 67 #include <openssl/asn1.h> 68 #include <openssl/buffer.h> 69 #include <openssl/crypto.h> 70 #include <openssl/err.h> 71 #include <openssl/evp.h> 72 #include <openssl/lhash.h> 73 #include <openssl/objects.h> 74 #include <openssl/x509.h> 75 #include <openssl/x509v3.h> 76 #include "asn1_locl.h" 77 #include "vpm_int.h" 78 #include "x509_internal.h" 79 80 /* CRL score values */ 81 82 /* No unhandled critical extensions */ 83 84 #define CRL_SCORE_NOCRITICAL 0x100 85 86 /* certificate is within CRL scope */ 87 88 #define CRL_SCORE_SCOPE 0x080 89 90 /* CRL times valid */ 91 92 #define CRL_SCORE_TIME 0x040 93 94 /* Issuer name matches certificate */ 95 96 #define CRL_SCORE_ISSUER_NAME 0x020 97 98 /* If this score or above CRL is probably valid */ 99 100 #define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE) 101 102 /* CRL issuer is certificate issuer */ 103 104 #define CRL_SCORE_ISSUER_CERT 0x018 105 106 /* CRL issuer is on certificate path */ 107 108 #define CRL_SCORE_SAME_PATH 0x008 109 110 /* CRL issuer matches CRL AKID */ 111 112 #define CRL_SCORE_AKID 0x004 113 114 /* Have a delta CRL with valid times */ 115 116 #define CRL_SCORE_TIME_DELTA 0x002 117 118 static int null_callback(int ok, X509_STORE_CTX *e); 119 static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); 120 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x, 121 int allow_expired); 122 static int check_chain_extensions(X509_STORE_CTX *ctx); 123 static int check_name_constraints(X509_STORE_CTX *ctx); 124 static int check_trust(X509_STORE_CTX *ctx); 125 static int check_revocation(X509_STORE_CTX *ctx); 126 static int check_cert(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int depth); 127 static int check_policy(X509_STORE_CTX *ctx); 128 129 static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, 130 unsigned int *preasons, X509_CRL *crl, X509 *x); 131 static int get_crl_delta(X509_STORE_CTX *ctx, 132 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x); 133 static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score, 134 X509_CRL *base, STACK_OF(X509_CRL) *crls); 135 static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer, 136 int *pcrl_score); 137 static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, 138 unsigned int *preasons); 139 static int check_crl_path(X509_STORE_CTX *ctx, X509 *x); 140 static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path, 141 STACK_OF(X509) *crl_path); 142 static int X509_cmp_time_internal(const ASN1_TIME *ctm, time_t *cmp_time, 143 int clamp_notafter); 144 145 static int internal_verify(X509_STORE_CTX *ctx); 146 static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); 147 static int check_key_level(X509_STORE_CTX *ctx, X509 *cert); 148 static int verify_cb_cert(X509_STORE_CTX *ctx, X509 *x, int depth, int err); 149 150 int ASN1_time_tm_clamp_notafter(struct tm *tm); 151 152 static int 153 null_callback(int ok, X509_STORE_CTX *e) 154 { 155 return ok; 156 } 157 158 #if 0 159 static int 160 x509_subject_cmp(X509 **a, X509 **b) 161 { 162 return X509_subject_name_cmp(*a, *b); 163 } 164 #endif 165 166 /* Return 1 if a certificate is self signed */ 167 static int 168 cert_self_signed(X509 *x) 169 { 170 X509_check_purpose(x, -1, 0); 171 if (x->ex_flags & EXFLAG_SS) 172 return 1; 173 else 174 return 0; 175 } 176 177 static int 178 check_id_error(X509_STORE_CTX *ctx, int errcode) 179 { 180 ctx->error = errcode; 181 ctx->current_cert = ctx->cert; 182 ctx->error_depth = 0; 183 return ctx->verify_cb(0, ctx); 184 } 185 186 static int 187 check_hosts(X509 *x, X509_VERIFY_PARAM_ID *id) 188 { 189 int i, n; 190 char *name; 191 192 n = sk_OPENSSL_STRING_num(id->hosts); 193 free(id->peername); 194 id->peername = NULL; 195 196 for (i = 0; i < n; ++i) { 197 name = sk_OPENSSL_STRING_value(id->hosts, i); 198 if (X509_check_host(x, name, strlen(name), id->hostflags, 199 &id->peername) > 0) 200 return 1; 201 } 202 return n == 0; 203 } 204 205 static int 206 check_id(X509_STORE_CTX *ctx) 207 { 208 X509_VERIFY_PARAM *vpm = ctx->param; 209 X509_VERIFY_PARAM_ID *id = vpm->id; 210 X509 *x = ctx->cert; 211 212 if (id->hosts && check_hosts(x, id) <= 0) { 213 if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH)) 214 return 0; 215 } 216 if (id->email != NULL && X509_check_email(x, id->email, id->emaillen, 0) 217 <= 0) { 218 if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH)) 219 return 0; 220 } 221 if (id->ip != NULL && X509_check_ip(x, id->ip, id->iplen, 0) <= 0) { 222 if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH)) 223 return 0; 224 } 225 return 1; 226 } 227 228 int 229 x509_vfy_check_id(X509_STORE_CTX *ctx) { 230 return check_id(ctx); 231 } 232 233 /* 234 * This is the effectively broken legacy OpenSSL chain builder. It 235 * might find an unvalidated chain and leave it sitting in 236 * ctx->chain. It does not correctly handle many cases where multiple 237 * chains could exist. 238 * 239 * Oh no.. I know a dirty word... 240 * Oooooooh.. 241 */ 242 static int 243 X509_verify_cert_legacy_build_chain(X509_STORE_CTX *ctx, int *bad, int *out_ok) 244 { 245 X509 *x, *xtmp, *xtmp2, *chain_ss = NULL; 246 int bad_chain = 0; 247 X509_VERIFY_PARAM *param = ctx->param; 248 int ok = 0, ret = 0; 249 int depth, i; 250 int num, j, retry, trust; 251 int (*cb) (int xok, X509_STORE_CTX *xctx); 252 STACK_OF(X509) *sktmp = NULL; 253 254 cb = ctx->verify_cb; 255 256 /* 257 * First we make sure the chain we are going to build is 258 * present and that the first entry is in place. 259 */ 260 ctx->chain = sk_X509_new_null(); 261 if (ctx->chain == NULL || !sk_X509_push(ctx->chain, ctx->cert)) { 262 X509error(ERR_R_MALLOC_FAILURE); 263 ctx->error = X509_V_ERR_OUT_OF_MEM; 264 goto end; 265 } 266 X509_up_ref(ctx->cert); 267 ctx->num_untrusted = 1; 268 269 /* We use a temporary STACK so we can chop and hack at it */ 270 if (ctx->untrusted != NULL && 271 (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) { 272 X509error(ERR_R_MALLOC_FAILURE); 273 ctx->error = X509_V_ERR_OUT_OF_MEM; 274 goto end; 275 } 276 277 num = sk_X509_num(ctx->chain); 278 x = sk_X509_value(ctx->chain, num - 1); 279 depth = param->depth; 280 281 for (;;) { 282 /* If we have enough, we break */ 283 /* FIXME: If this happens, we should take 284 * note of it and, if appropriate, use the 285 * X509_V_ERR_CERT_CHAIN_TOO_LONG error code 286 * later. 287 */ 288 if (depth < num) 289 break; 290 /* If we are self signed, we break */ 291 if (cert_self_signed(x)) 292 break; 293 /* 294 * If asked see if we can find issuer in trusted store first 295 */ 296 if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) { 297 ok = ctx->get_issuer(&xtmp, ctx, x); 298 if (ok < 0) { 299 ctx->error = X509_V_ERR_STORE_LOOKUP; 300 goto end; 301 } 302 /* 303 * If successful for now free up cert so it 304 * will be picked up again later. 305 */ 306 if (ok > 0) { 307 X509_free(xtmp); 308 break; 309 } 310 } 311 /* If we were passed a cert chain, use it first */ 312 if (ctx->untrusted != NULL) { 313 /* 314 * If we do not find a non-expired untrusted cert, peek 315 * ahead and see if we can satisify this from the trusted 316 * store. If not, see if we have an expired untrusted cert. 317 */ 318 xtmp = find_issuer(ctx, sktmp, x, 0); 319 if (xtmp == NULL && 320 !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)) { 321 ok = ctx->get_issuer(&xtmp, ctx, x); 322 if (ok < 0) { 323 ctx->error = X509_V_ERR_STORE_LOOKUP; 324 goto end; 325 } 326 if (ok > 0) { 327 X509_free(xtmp); 328 break; 329 } 330 xtmp = find_issuer(ctx, sktmp, x, 1); 331 } 332 if (xtmp != NULL) { 333 if (!sk_X509_push(ctx->chain, xtmp)) { 334 X509error(ERR_R_MALLOC_FAILURE); 335 ctx->error = X509_V_ERR_OUT_OF_MEM; 336 ok = 0; 337 goto end; 338 } 339 X509_up_ref(xtmp); 340 (void)sk_X509_delete_ptr(sktmp, xtmp); 341 ctx->num_untrusted++; 342 x = xtmp; 343 num++; 344 /* 345 * reparse the full chain for the next one 346 */ 347 continue; 348 } 349 } 350 break; 351 } 352 /* Remember how many untrusted certs we have */ 353 j = num; 354 355 /* 356 * At this point, chain should contain a list of untrusted 357 * certificates. We now need to add at least one trusted one, 358 * if possible, otherwise we complain. 359 */ 360 361 do { 362 /* 363 * Examine last certificate in chain and see if it is 364 * self signed. 365 */ 366 i = sk_X509_num(ctx->chain); 367 x = sk_X509_value(ctx->chain, i - 1); 368 if (cert_self_signed(x)) { 369 /* we have a self signed certificate */ 370 if (i == 1) { 371 /* 372 * We have a single self signed 373 * certificate: see if we can find it 374 * in the store. We must have an exact 375 * match to avoid possible 376 * impersonation. 377 */ 378 ok = ctx->get_issuer(&xtmp, ctx, x); 379 if ((ok <= 0) || X509_cmp(x, xtmp)) { 380 ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; 381 ctx->current_cert = x; 382 ctx->error_depth = i - 1; 383 if (ok == 1) 384 X509_free(xtmp); 385 bad_chain = 1; 386 ok = cb(0, ctx); 387 if (!ok) 388 goto end; 389 } else { 390 /* 391 * We have a match: replace 392 * certificate with store 393 * version so we get any trust 394 * settings. 395 */ 396 X509_free(x); 397 x = xtmp; 398 (void)sk_X509_set(ctx->chain, i - 1, x); 399 ctx->num_untrusted = 0; 400 } 401 } else { 402 /* 403 * extract and save self signed 404 * certificate for later use 405 */ 406 chain_ss = sk_X509_pop(ctx->chain); 407 ctx->num_untrusted--; 408 num--; 409 j--; 410 x = sk_X509_value(ctx->chain, num - 1); 411 } 412 } 413 /* We now lookup certs from the certificate store */ 414 for (;;) { 415 /* If we have enough, we break */ 416 if (depth < num) 417 break; 418 /* If we are self signed, we break */ 419 if (cert_self_signed(x)) 420 break; 421 ok = ctx->get_issuer(&xtmp, ctx, x); 422 423 if (ok < 0) { 424 ctx->error = X509_V_ERR_STORE_LOOKUP; 425 goto end; 426 } 427 if (ok == 0) 428 break; 429 x = xtmp; 430 if (!sk_X509_push(ctx->chain, x)) { 431 X509_free(xtmp); 432 X509error(ERR_R_MALLOC_FAILURE); 433 ctx->error = X509_V_ERR_OUT_OF_MEM; 434 ok = 0; 435 goto end; 436 } 437 num++; 438 } 439 440 /* we now have our chain, lets check it... */ 441 trust = check_trust(ctx); 442 443 /* If explicitly rejected error */ 444 if (trust == X509_TRUST_REJECTED) { 445 ok = 0; 446 goto end; 447 } 448 /* 449 * If it's not explicitly trusted then check if there 450 * is an alternative chain that could be used. We only 451 * do this if we haven't already checked via 452 * TRUSTED_FIRST and the user hasn't switched off 453 * alternate chain checking 454 */ 455 retry = 0; 456 if (trust != X509_TRUST_TRUSTED && 457 !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) && 458 !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) { 459 while (j-- > 1) { 460 xtmp2 = sk_X509_value(ctx->chain, j - 1); 461 ok = ctx->get_issuer(&xtmp, ctx, xtmp2); 462 if (ok < 0) 463 goto end; 464 /* Check if we found an alternate chain */ 465 if (ok > 0) { 466 /* 467 * Free up the found cert 468 * we'll add it again later 469 */ 470 X509_free(xtmp); 471 /* 472 * Dump all the certs above 473 * this point - we've found an 474 * alternate chain 475 */ 476 while (num > j) { 477 xtmp = sk_X509_pop(ctx->chain); 478 X509_free(xtmp); 479 num--; 480 } 481 ctx->num_untrusted = sk_X509_num(ctx->chain); 482 retry = 1; 483 break; 484 } 485 } 486 } 487 } while (retry); 488 489 /* 490 * If not explicitly trusted then indicate error unless it's a single 491 * self signed certificate in which case we've indicated an error already 492 * and set bad_chain == 1 493 */ 494 if (trust != X509_TRUST_TRUSTED && !bad_chain) { 495 if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) { 496 if (ctx->num_untrusted >= num) 497 ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; 498 else 499 ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT; 500 ctx->current_cert = x; 501 } else { 502 if (!sk_X509_push(ctx->chain, chain_ss)) { 503 X509error(ERR_R_MALLOC_FAILURE); 504 ctx->error = X509_V_ERR_OUT_OF_MEM; 505 ok = 0; 506 goto end; 507 } 508 num++; 509 ctx->num_untrusted = num; 510 ctx->current_cert = chain_ss; 511 ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; 512 chain_ss = NULL; 513 } 514 515 ctx->error_depth = num - 1; 516 bad_chain = 1; 517 ok = cb(0, ctx); 518 if (!ok) 519 goto end; 520 } 521 522 ret = 1; 523 end: 524 sk_X509_free(sktmp); 525 X509_free(chain_ss); 526 *bad = bad_chain; 527 *out_ok = ok; 528 529 return ret; 530 } 531 532 static int 533 X509_verify_cert_legacy(X509_STORE_CTX *ctx) 534 { 535 int ok = 0, bad_chain; 536 537 ctx->error = X509_V_OK; /* Initialize to OK */ 538 539 if (!X509_verify_cert_legacy_build_chain(ctx, &bad_chain, &ok)) 540 goto end; 541 542 /* We have the chain complete: now we need to check its purpose */ 543 ok = check_chain_extensions(ctx); 544 if (!ok) 545 goto end; 546 547 /* Check that the chain satisfies the security level. */ 548 ok = x509_vfy_check_security_level(ctx); 549 if (!ok) 550 goto end; 551 552 /* Check name constraints */ 553 ok = check_name_constraints(ctx); 554 if (!ok) 555 goto end; 556 557 #ifndef OPENSSL_NO_RFC3779 558 ok = X509v3_asid_validate_path(ctx); 559 if (!ok) 560 goto end; 561 562 ok = X509v3_addr_validate_path(ctx); 563 if (!ok) 564 goto end; 565 #endif 566 567 ok = check_id(ctx); 568 if (!ok) 569 goto end; 570 571 /* 572 * Check revocation status: we do this after copying parameters because 573 * they may be needed for CRL signature verification. 574 */ 575 ok = ctx->check_revocation(ctx); 576 if (!ok) 577 goto end; 578 579 /* At this point, we have a chain and need to verify it */ 580 if (ctx->verify != NULL) 581 ok = ctx->verify(ctx); 582 else 583 ok = internal_verify(ctx); 584 if (!ok) 585 goto end; 586 587 /* If we get this far evaluate policies */ 588 if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) 589 ok = ctx->check_policy(ctx); 590 591 end: 592 /* Safety net, error returns must set ctx->error */ 593 if (ok <= 0 && ctx->error == X509_V_OK) 594 ctx->error = X509_V_ERR_UNSPECIFIED; 595 596 return ok; 597 } 598 599 int 600 X509_verify_cert(X509_STORE_CTX *ctx) 601 { 602 STACK_OF(X509) *roots = NULL; 603 struct x509_verify_ctx *vctx = NULL; 604 int chain_count = 0; 605 606 if (ctx->cert == NULL) { 607 X509error(X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); 608 ctx->error = X509_V_ERR_INVALID_CALL; 609 return -1; 610 } 611 if (ctx->chain != NULL) { 612 /* 613 * This X509_STORE_CTX has already been used to verify 614 * a cert. We cannot do another one. 615 */ 616 X509error(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 617 ctx->error = X509_V_ERR_INVALID_CALL; 618 return -1; 619 } 620 if (ctx->param->id->poisoned) { 621 /* 622 * This X509_STORE_CTX had failures setting 623 * up verify parameters. We can not use it. 624 */ 625 X509error(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 626 ctx->error = X509_V_ERR_INVALID_CALL; 627 return -1; 628 } 629 if (ctx->error != X509_V_ERR_INVALID_CALL) { 630 /* 631 * This X509_STORE_CTX has not been properly initialized. 632 */ 633 X509error(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 634 ctx->error = X509_V_ERR_INVALID_CALL; 635 return -1; 636 } 637 638 /* 639 * If the certificate's public key is too weak, don't bother 640 * continuing. 641 */ 642 if (!check_key_level(ctx, ctx->cert) && 643 !verify_cb_cert(ctx, ctx->cert, 0, X509_V_ERR_EE_KEY_TOO_SMALL)) 644 return 0; 645 646 /* 647 * If flags request legacy, use the legacy verifier. If we 648 * requested "no alt chains" from the age of hammer pants, use 649 * the legacy verifier because the multi chain verifier really 650 * does find all the "alt chains". 651 * 652 * XXX deprecate the NO_ALT_CHAINS flag? 653 */ 654 if ((ctx->param->flags & X509_V_FLAG_LEGACY_VERIFY) || 655 (ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) 656 return X509_verify_cert_legacy(ctx); 657 658 /* Use the modern multi-chain verifier from x509_verify_cert */ 659 660 if ((vctx = x509_verify_ctx_new_from_xsc(ctx)) != NULL) { 661 ctx->error = X509_V_OK; /* Initialize to OK */ 662 chain_count = x509_verify(vctx, NULL, NULL); 663 } 664 x509_verify_ctx_free(vctx); 665 666 sk_X509_pop_free(roots, X509_free); 667 668 /* if we succeed we have a chain in ctx->chain */ 669 return (chain_count > 0 && ctx->chain != NULL); 670 } 671 672 /* Given a STACK_OF(X509) find the issuer of cert (if any) 673 */ 674 675 static X509 * 676 find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x, 677 int allow_expired) 678 { 679 int i; 680 X509 *issuer, *rv = NULL; 681 682 for (i = 0; i < sk_X509_num(sk); i++) { 683 issuer = sk_X509_value(sk, i); 684 if (ctx->check_issued(ctx, x, issuer)) { 685 if (x509_check_cert_time(ctx, issuer, -1)) 686 return issuer; 687 if (allow_expired) 688 rv = issuer; 689 } 690 } 691 return rv; 692 } 693 694 /* Given a possible certificate and issuer check them */ 695 696 static int 697 check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) 698 { 699 int ret; 700 701 ret = X509_check_issued(issuer, x); 702 if (ret == X509_V_OK) 703 return 1; 704 /* If we haven't asked for issuer errors don't set ctx */ 705 if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK)) 706 return 0; 707 708 ctx->error = ret; 709 ctx->current_cert = x; 710 ctx->current_issuer = issuer; 711 return ctx->verify_cb(0, ctx); 712 } 713 714 /* Alternative lookup method: look from a STACK stored in other_ctx */ 715 716 static int 717 get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) 718 { 719 *issuer = find_issuer(ctx, ctx->other_ctx, x, 1); 720 if (*issuer) { 721 CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509); 722 return 1; 723 } else 724 return 0; 725 } 726 727 /* Check a certificate chains extensions for consistency 728 * with the supplied purpose 729 */ 730 731 int 732 x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx) 733 { 734 #ifdef OPENSSL_NO_CHAIN_VERIFY 735 return 1; 736 #else 737 int i, ok = 0, must_be_ca, plen = 0; 738 X509 *x; 739 int (*cb)(int xok, X509_STORE_CTX *xctx); 740 int proxy_path_length = 0; 741 int purpose; 742 int allow_proxy_certs; 743 744 cb = ctx->verify_cb; 745 746 /* must_be_ca can have 1 of 3 values: 747 -1: we accept both CA and non-CA certificates, to allow direct 748 use of self-signed certificates (which are marked as CA). 749 0: we only accept non-CA certificates. This is currently not 750 used, but the possibility is present for future extensions. 751 1: we only accept CA certificates. This is currently used for 752 all certificates in the chain except the leaf certificate. 753 */ 754 must_be_ca = -1; 755 756 /* CRL path validation */ 757 if (ctx->parent) { 758 allow_proxy_certs = 0; 759 purpose = X509_PURPOSE_CRL_SIGN; 760 } else { 761 allow_proxy_certs = 762 !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); 763 purpose = ctx->param->purpose; 764 } 765 766 /* Check all untrusted certificates */ 767 for (i = 0; i < ctx->num_untrusted; i++) { 768 int ret; 769 x = sk_X509_value(ctx->chain, i); 770 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) && 771 (x->ex_flags & EXFLAG_CRITICAL)) { 772 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; 773 ctx->error_depth = i; 774 ctx->current_cert = x; 775 ok = cb(0, ctx); 776 if (!ok) 777 goto end; 778 } 779 if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) { 780 ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; 781 ctx->error_depth = i; 782 ctx->current_cert = x; 783 ok = cb(0, ctx); 784 if (!ok) 785 goto end; 786 } 787 ret = X509_check_ca(x); 788 switch (must_be_ca) { 789 case -1: 790 if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) && 791 (ret != 1) && (ret != 0)) { 792 ret = 0; 793 ctx->error = X509_V_ERR_INVALID_CA; 794 } else 795 ret = 1; 796 break; 797 case 0: 798 if (ret != 0) { 799 ret = 0; 800 ctx->error = X509_V_ERR_INVALID_NON_CA; 801 } else 802 ret = 1; 803 break; 804 default: 805 if ((ret == 0) || 806 ((ctx->param->flags & X509_V_FLAG_X509_STRICT) && 807 (ret != 1))) { 808 ret = 0; 809 ctx->error = X509_V_ERR_INVALID_CA; 810 } else 811 ret = 1; 812 break; 813 } 814 if (ret == 0) { 815 ctx->error_depth = i; 816 ctx->current_cert = x; 817 ok = cb(0, ctx); 818 if (!ok) 819 goto end; 820 } 821 if (ctx->param->purpose > 0) { 822 ret = X509_check_purpose(x, purpose, must_be_ca > 0); 823 if ((ret == 0) || 824 ((ctx->param->flags & X509_V_FLAG_X509_STRICT) && 825 (ret != 1))) { 826 ctx->error = X509_V_ERR_INVALID_PURPOSE; 827 ctx->error_depth = i; 828 ctx->current_cert = x; 829 ok = cb(0, ctx); 830 if (!ok) 831 goto end; 832 } 833 } 834 /* Check pathlen if not self issued */ 835 if ((i > 1) && !(x->ex_flags & EXFLAG_SI) && 836 (x->ex_pathlen != -1) && 837 (plen > (x->ex_pathlen + proxy_path_length + 1))) { 838 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; 839 ctx->error_depth = i; 840 ctx->current_cert = x; 841 ok = cb(0, ctx); 842 if (!ok) 843 goto end; 844 } 845 /* Increment path length if not self issued */ 846 if (!(x->ex_flags & EXFLAG_SI)) 847 plen++; 848 /* If this certificate is a proxy certificate, the next 849 certificate must be another proxy certificate or a EE 850 certificate. If not, the next certificate must be a 851 CA certificate. */ 852 if (x->ex_flags & EXFLAG_PROXY) { 853 if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) { 854 ctx->error = 855 X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; 856 ctx->error_depth = i; 857 ctx->current_cert = x; 858 ok = cb(0, ctx); 859 if (!ok) 860 goto end; 861 } 862 proxy_path_length++; 863 must_be_ca = 0; 864 } else 865 must_be_ca = 1; 866 } 867 ok = 1; 868 869 end: 870 return ok; 871 #endif 872 } 873 874 static int 875 check_chain_extensions(X509_STORE_CTX *ctx) { 876 return x509_vfy_check_chain_extensions(ctx); 877 } 878 879 static int 880 check_name_constraints(X509_STORE_CTX *ctx) 881 { 882 if (!x509_constraints_chain(ctx->chain, &ctx->error, 883 &ctx->error_depth)) { 884 ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth); 885 if (!ctx->verify_cb(0, ctx)) 886 return 0; 887 } 888 return 1; 889 } 890 891 /* Given a certificate try and find an exact match in the store */ 892 893 static X509 * 894 lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) 895 { 896 STACK_OF(X509) *certs; 897 X509 *xtmp = NULL; 898 size_t i; 899 900 /* Lookup all certs with matching subject name */ 901 certs = ctx->lookup_certs(ctx, X509_get_subject_name(x)); 902 if (certs == NULL) 903 return NULL; 904 905 /* Look for exact match */ 906 for (i = 0; i < sk_X509_num(certs); i++) { 907 xtmp = sk_X509_value(certs, i); 908 if (!X509_cmp(xtmp, x)) 909 break; 910 } 911 912 if (i < sk_X509_num(certs)) 913 X509_up_ref(xtmp); 914 else 915 xtmp = NULL; 916 917 sk_X509_pop_free(certs, X509_free); 918 return xtmp; 919 } 920 921 X509 * 922 x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) 923 { 924 if (ctx->lookup_certs == NULL || ctx->store == NULL || 925 ctx->store->objs == NULL) 926 return NULL; 927 return lookup_cert_match(ctx, x); 928 } 929 930 static int 931 check_trust(X509_STORE_CTX *ctx) 932 { 933 size_t i; 934 int ok; 935 X509 *x = NULL; 936 int (*cb) (int xok, X509_STORE_CTX *xctx); 937 938 cb = ctx->verify_cb; 939 /* Check all trusted certificates in chain */ 940 for (i = ctx->num_untrusted; i < sk_X509_num(ctx->chain); i++) { 941 x = sk_X509_value(ctx->chain, i); 942 ok = X509_check_trust(x, ctx->param->trust, 0); 943 944 /* If explicitly trusted return trusted */ 945 if (ok == X509_TRUST_TRUSTED) 946 return X509_TRUST_TRUSTED; 947 /* 948 * If explicitly rejected notify callback and reject if not 949 * overridden. 950 */ 951 if (ok == X509_TRUST_REJECTED) { 952 ctx->error_depth = i; 953 ctx->current_cert = x; 954 ctx->error = X509_V_ERR_CERT_REJECTED; 955 ok = cb(0, ctx); 956 if (!ok) 957 return X509_TRUST_REJECTED; 958 } 959 } 960 /* 961 * If we accept partial chains and have at least one trusted certificate 962 * return success. 963 */ 964 if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) { 965 X509 *mx; 966 if (ctx->num_untrusted < (int)sk_X509_num(ctx->chain)) 967 return X509_TRUST_TRUSTED; 968 x = sk_X509_value(ctx->chain, 0); 969 mx = lookup_cert_match(ctx, x); 970 if (mx) { 971 (void)sk_X509_set(ctx->chain, 0, mx); 972 X509_free(x); 973 ctx->num_untrusted = 0; 974 return X509_TRUST_TRUSTED; 975 } 976 } 977 978 /* 979 * If no trusted certs in chain at all return untrusted and allow 980 * standard (no issuer cert) etc errors to be indicated. 981 */ 982 return X509_TRUST_UNTRUSTED; 983 } 984 985 int 986 x509_vfy_check_trust(X509_STORE_CTX *ctx) 987 { 988 return check_trust(ctx); 989 } 990 991 static int 992 check_revocation(X509_STORE_CTX *ctx) 993 { 994 int i, last, ok; 995 996 if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK)) 997 return 1; 998 if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) 999 last = sk_X509_num(ctx->chain) - 1; 1000 else { 1001 /* If checking CRL paths this isn't the EE certificate */ 1002 if (ctx->parent) 1003 return 1; 1004 last = 0; 1005 } 1006 for (i = 0; i <= last; i++) { 1007 ok = check_cert(ctx, ctx->chain, i); 1008 if (!ok) 1009 return ok; 1010 } 1011 return 1; 1012 } 1013 1014 int 1015 x509_vfy_check_revocation(X509_STORE_CTX *ctx) 1016 { 1017 return check_revocation(ctx); 1018 } 1019 1020 static int 1021 check_cert(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int depth) 1022 { 1023 X509_CRL *crl = NULL, *dcrl = NULL; 1024 X509 *x; 1025 int ok = 0, cnum; 1026 unsigned int last_reasons; 1027 1028 cnum = ctx->error_depth = depth; 1029 x = sk_X509_value(chain, cnum); 1030 ctx->current_cert = x; 1031 ctx->current_issuer = NULL; 1032 ctx->current_crl_score = 0; 1033 ctx->current_reasons = 0; 1034 while (ctx->current_reasons != CRLDP_ALL_REASONS) { 1035 last_reasons = ctx->current_reasons; 1036 /* Try to retrieve relevant CRL */ 1037 if (ctx->get_crl) 1038 ok = ctx->get_crl(ctx, &crl, x); 1039 else 1040 ok = get_crl_delta(ctx, &crl, &dcrl, x); 1041 /* If error looking up CRL, nothing we can do except 1042 * notify callback 1043 */ 1044 if (!ok) { 1045 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; 1046 ok = ctx->verify_cb(0, ctx); 1047 goto err; 1048 } 1049 ctx->current_crl = crl; 1050 ok = ctx->check_crl(ctx, crl); 1051 if (!ok) 1052 goto err; 1053 1054 if (dcrl) { 1055 ok = ctx->check_crl(ctx, dcrl); 1056 if (!ok) 1057 goto err; 1058 ok = ctx->cert_crl(ctx, dcrl, x); 1059 if (!ok) 1060 goto err; 1061 } else 1062 ok = 1; 1063 1064 /* Don't look in full CRL if delta reason is removefromCRL */ 1065 if (ok != 2) { 1066 ok = ctx->cert_crl(ctx, crl, x); 1067 if (!ok) 1068 goto err; 1069 } 1070 1071 ctx->current_crl = NULL; 1072 X509_CRL_free(crl); 1073 X509_CRL_free(dcrl); 1074 crl = NULL; 1075 dcrl = NULL; 1076 /* If reasons not updated we wont get anywhere by 1077 * another iteration, so exit loop. 1078 */ 1079 if (last_reasons == ctx->current_reasons) { 1080 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; 1081 ok = ctx->verify_cb(0, ctx); 1082 goto err; 1083 } 1084 } 1085 1086 err: 1087 ctx->current_crl = NULL; 1088 X509_CRL_free(crl); 1089 X509_CRL_free(dcrl); 1090 return ok; 1091 } 1092 1093 /* Check CRL times against values in X509_STORE_CTX */ 1094 1095 static int 1096 check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) 1097 { 1098 time_t *ptime; 1099 int i; 1100 1101 if (notify) 1102 ctx->current_crl = crl; 1103 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) 1104 ptime = &ctx->param->check_time; 1105 else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) 1106 return (1); 1107 else 1108 ptime = NULL; 1109 1110 i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); 1111 if (i == 0) { 1112 if (!notify) 1113 return 0; 1114 ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; 1115 if (!ctx->verify_cb(0, ctx)) 1116 return 0; 1117 } 1118 1119 if (i > 0) { 1120 if (!notify) 1121 return 0; 1122 ctx->error = X509_V_ERR_CRL_NOT_YET_VALID; 1123 if (!ctx->verify_cb(0, ctx)) 1124 return 0; 1125 } 1126 1127 if (X509_CRL_get_nextUpdate(crl)) { 1128 i = X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); 1129 1130 if (i == 0) { 1131 if (!notify) 1132 return 0; 1133 ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; 1134 if (!ctx->verify_cb(0, ctx)) 1135 return 0; 1136 } 1137 /* Ignore expiry of base CRL is delta is valid */ 1138 if ((i < 0) && 1139 !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) { 1140 if (!notify) 1141 return 0; 1142 ctx->error = X509_V_ERR_CRL_HAS_EXPIRED; 1143 if (!ctx->verify_cb(0, ctx)) 1144 return 0; 1145 } 1146 } 1147 1148 if (notify) 1149 ctx->current_crl = NULL; 1150 1151 return 1; 1152 } 1153 1154 static int 1155 get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, 1156 X509 **pissuer, int *pscore, unsigned int *preasons, 1157 STACK_OF(X509_CRL) *crls) 1158 { 1159 int i, crl_score, best_score = *pscore; 1160 unsigned int reasons, best_reasons = 0; 1161 X509 *x = ctx->current_cert; 1162 X509_CRL *crl, *best_crl = NULL; 1163 X509 *crl_issuer = NULL, *best_crl_issuer = NULL; 1164 1165 for (i = 0; i < sk_X509_CRL_num(crls); i++) { 1166 crl = sk_X509_CRL_value(crls, i); 1167 reasons = *preasons; 1168 crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x); 1169 1170 if (crl_score > best_score) { 1171 best_crl = crl; 1172 best_crl_issuer = crl_issuer; 1173 best_score = crl_score; 1174 best_reasons = reasons; 1175 } 1176 } 1177 1178 if (best_crl) { 1179 if (*pcrl) 1180 X509_CRL_free(*pcrl); 1181 *pcrl = best_crl; 1182 *pissuer = best_crl_issuer; 1183 *pscore = best_score; 1184 *preasons = best_reasons; 1185 CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL); 1186 if (*pdcrl) { 1187 X509_CRL_free(*pdcrl); 1188 *pdcrl = NULL; 1189 } 1190 get_delta_sk(ctx, pdcrl, pscore, best_crl, crls); 1191 } 1192 1193 if (best_score >= CRL_SCORE_VALID) 1194 return 1; 1195 1196 return 0; 1197 } 1198 1199 /* Compare two CRL extensions for delta checking purposes. They should be 1200 * both present or both absent. If both present all fields must be identical. 1201 */ 1202 1203 static int 1204 crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) 1205 { 1206 ASN1_OCTET_STRING *exta, *extb; 1207 int i; 1208 1209 i = X509_CRL_get_ext_by_NID(a, nid, -1); 1210 if (i >= 0) { 1211 /* Can't have multiple occurrences */ 1212 if (X509_CRL_get_ext_by_NID(a, nid, i) != -1) 1213 return 0; 1214 exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i)); 1215 } else 1216 exta = NULL; 1217 1218 i = X509_CRL_get_ext_by_NID(b, nid, -1); 1219 1220 if (i >= 0) { 1221 if (X509_CRL_get_ext_by_NID(b, nid, i) != -1) 1222 return 0; 1223 extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i)); 1224 } else 1225 extb = NULL; 1226 1227 if (!exta && !extb) 1228 return 1; 1229 1230 if (!exta || !extb) 1231 return 0; 1232 1233 if (ASN1_OCTET_STRING_cmp(exta, extb)) 1234 return 0; 1235 1236 return 1; 1237 } 1238 1239 /* See if a base and delta are compatible */ 1240 1241 static int 1242 check_delta_base(X509_CRL *delta, X509_CRL *base) 1243 { 1244 /* Delta CRL must be a delta */ 1245 if (!delta->base_crl_number) 1246 return 0; 1247 /* Base must have a CRL number */ 1248 if (!base->crl_number) 1249 return 0; 1250 /* Issuer names must match */ 1251 if (X509_NAME_cmp(X509_CRL_get_issuer(base), 1252 X509_CRL_get_issuer(delta))) 1253 return 0; 1254 /* AKID and IDP must match */ 1255 if (!crl_extension_match(delta, base, NID_authority_key_identifier)) 1256 return 0; 1257 if (!crl_extension_match(delta, base, NID_issuing_distribution_point)) 1258 return 0; 1259 /* Delta CRL base number must not exceed Full CRL number. */ 1260 if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0) 1261 return 0; 1262 /* Delta CRL number must exceed full CRL number */ 1263 if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0) 1264 return 1; 1265 return 0; 1266 } 1267 1268 /* For a given base CRL find a delta... maybe extend to delta scoring 1269 * or retrieve a chain of deltas... 1270 */ 1271 1272 static void 1273 get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, X509_CRL *base, 1274 STACK_OF(X509_CRL) *crls) 1275 { 1276 X509_CRL *delta; 1277 int i; 1278 1279 if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS)) 1280 return; 1281 if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST)) 1282 return; 1283 for (i = 0; i < sk_X509_CRL_num(crls); i++) { 1284 delta = sk_X509_CRL_value(crls, i); 1285 if (check_delta_base(delta, base)) { 1286 if (check_crl_time(ctx, delta, 0)) 1287 *pscore |= CRL_SCORE_TIME_DELTA; 1288 CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL); 1289 *dcrl = delta; 1290 return; 1291 } 1292 } 1293 *dcrl = NULL; 1294 } 1295 1296 /* For a given CRL return how suitable it is for the supplied certificate 'x'. 1297 * The return value is a mask of several criteria. 1298 * If the issuer is not the certificate issuer this is returned in *pissuer. 1299 * The reasons mask is also used to determine if the CRL is suitable: if 1300 * no new reasons the CRL is rejected, otherwise reasons is updated. 1301 */ 1302 1303 static int 1304 get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, unsigned int *preasons, 1305 X509_CRL *crl, X509 *x) 1306 { 1307 int crl_score = 0; 1308 unsigned int tmp_reasons = *preasons, crl_reasons; 1309 1310 /* First see if we can reject CRL straight away */ 1311 1312 /* Invalid IDP cannot be processed */ 1313 if (crl->idp_flags & IDP_INVALID) 1314 return 0; 1315 /* Reason codes or indirect CRLs need extended CRL support */ 1316 if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) { 1317 if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS)) 1318 return 0; 1319 } else if (crl->idp_flags & IDP_REASONS) { 1320 /* If no new reasons reject */ 1321 if (!(crl->idp_reasons & ~tmp_reasons)) 1322 return 0; 1323 } 1324 /* Don't process deltas at this stage */ 1325 else if (crl->base_crl_number) 1326 return 0; 1327 /* If issuer name doesn't match certificate need indirect CRL */ 1328 if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) { 1329 if (!(crl->idp_flags & IDP_INDIRECT)) 1330 return 0; 1331 } else 1332 crl_score |= CRL_SCORE_ISSUER_NAME; 1333 1334 if (!(crl->flags & EXFLAG_CRITICAL)) 1335 crl_score |= CRL_SCORE_NOCRITICAL; 1336 1337 /* Check expiry */ 1338 if (check_crl_time(ctx, crl, 0)) 1339 crl_score |= CRL_SCORE_TIME; 1340 1341 /* Check authority key ID and locate certificate issuer */ 1342 crl_akid_check(ctx, crl, pissuer, &crl_score); 1343 1344 /* If we can't locate certificate issuer at this point forget it */ 1345 1346 if (!(crl_score & CRL_SCORE_AKID)) 1347 return 0; 1348 1349 /* Check cert for matching CRL distribution points */ 1350 1351 if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) { 1352 /* If no new reasons reject */ 1353 if (!(crl_reasons & ~tmp_reasons)) 1354 return 0; 1355 tmp_reasons |= crl_reasons; 1356 crl_score |= CRL_SCORE_SCOPE; 1357 } 1358 1359 *preasons = tmp_reasons; 1360 1361 return crl_score; 1362 } 1363 1364 static void 1365 crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer, 1366 int *pcrl_score) 1367 { 1368 X509 *crl_issuer = NULL; 1369 X509_NAME *cnm = X509_CRL_get_issuer(crl); 1370 int cidx = ctx->error_depth; 1371 int i; 1372 1373 if (cidx != sk_X509_num(ctx->chain) - 1) 1374 cidx++; 1375 1376 crl_issuer = sk_X509_value(ctx->chain, cidx); 1377 1378 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) { 1379 if (*pcrl_score & CRL_SCORE_ISSUER_NAME) { 1380 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_ISSUER_CERT; 1381 *pissuer = crl_issuer; 1382 return; 1383 } 1384 } 1385 1386 for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++) { 1387 crl_issuer = sk_X509_value(ctx->chain, cidx); 1388 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) 1389 continue; 1390 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) { 1391 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_SAME_PATH; 1392 *pissuer = crl_issuer; 1393 return; 1394 } 1395 } 1396 1397 /* Anything else needs extended CRL support */ 1398 1399 if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) 1400 return; 1401 1402 /* Otherwise the CRL issuer is not on the path. Look for it in the 1403 * set of untrusted certificates. 1404 */ 1405 for (i = 0; i < sk_X509_num(ctx->untrusted); i++) { 1406 crl_issuer = sk_X509_value(ctx->untrusted, i); 1407 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) 1408 continue; 1409 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) { 1410 *pissuer = crl_issuer; 1411 *pcrl_score |= CRL_SCORE_AKID; 1412 return; 1413 } 1414 } 1415 } 1416 1417 /* Check the path of a CRL issuer certificate. This creates a new 1418 * X509_STORE_CTX and populates it with most of the parameters from the 1419 * parent. This could be optimised somewhat since a lot of path checking 1420 * will be duplicated by the parent, but this will rarely be used in 1421 * practice. 1422 */ 1423 1424 static int 1425 check_crl_path(X509_STORE_CTX *ctx, X509 *x) 1426 { 1427 X509_STORE_CTX crl_ctx; 1428 int ret; 1429 1430 /* Don't allow recursive CRL path validation */ 1431 if (ctx->parent) 1432 return 0; 1433 if (!X509_STORE_CTX_init(&crl_ctx, ctx->store, x, ctx->untrusted)) { 1434 ret = -1; 1435 goto err; 1436 } 1437 1438 crl_ctx.crls = ctx->crls; 1439 /* Copy verify params across */ 1440 X509_STORE_CTX_set0_param(&crl_ctx, ctx->param); 1441 1442 crl_ctx.parent = ctx; 1443 crl_ctx.verify_cb = ctx->verify_cb; 1444 1445 /* Verify CRL issuer */ 1446 ret = X509_verify_cert(&crl_ctx); 1447 1448 if (ret <= 0) 1449 goto err; 1450 1451 /* Check chain is acceptable */ 1452 ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain); 1453 1454 err: 1455 X509_STORE_CTX_cleanup(&crl_ctx); 1456 return ret; 1457 } 1458 1459 /* RFC3280 says nothing about the relationship between CRL path 1460 * and certificate path, which could lead to situations where a 1461 * certificate could be revoked or validated by a CA not authorised 1462 * to do so. RFC5280 is more strict and states that the two paths must 1463 * end in the same trust anchor, though some discussions remain... 1464 * until this is resolved we use the RFC5280 version 1465 */ 1466 1467 static int 1468 check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path, 1469 STACK_OF(X509) *crl_path) 1470 { 1471 X509 *cert_ta, *crl_ta; 1472 1473 cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1); 1474 crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1); 1475 if (!X509_cmp(cert_ta, crl_ta)) 1476 return 1; 1477 return 0; 1478 } 1479 1480 /* Check for match between two dist point names: three separate cases. 1481 * 1. Both are relative names and compare X509_NAME types. 1482 * 2. One full, one relative. Compare X509_NAME to GENERAL_NAMES. 1483 * 3. Both are full names and compare two GENERAL_NAMES. 1484 * 4. One is NULL: automatic match. 1485 */ 1486 1487 static int 1488 idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) 1489 { 1490 X509_NAME *nm = NULL; 1491 GENERAL_NAMES *gens = NULL; 1492 GENERAL_NAME *gena, *genb; 1493 int i, j; 1494 1495 if (!a || !b) 1496 return 1; 1497 if (a->type == 1) { 1498 if (!a->dpname) 1499 return 0; 1500 /* Case 1: two X509_NAME */ 1501 if (b->type == 1) { 1502 if (!b->dpname) 1503 return 0; 1504 if (!X509_NAME_cmp(a->dpname, b->dpname)) 1505 return 1; 1506 else 1507 return 0; 1508 } 1509 /* Case 2: set name and GENERAL_NAMES appropriately */ 1510 nm = a->dpname; 1511 gens = b->name.fullname; 1512 } else if (b->type == 1) { 1513 if (!b->dpname) 1514 return 0; 1515 /* Case 2: set name and GENERAL_NAMES appropriately */ 1516 gens = a->name.fullname; 1517 nm = b->dpname; 1518 } 1519 1520 /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */ 1521 if (nm) { 1522 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) { 1523 gena = sk_GENERAL_NAME_value(gens, i); 1524 if (gena->type != GEN_DIRNAME) 1525 continue; 1526 if (!X509_NAME_cmp(nm, gena->d.directoryName)) 1527 return 1; 1528 } 1529 return 0; 1530 } 1531 1532 /* Else case 3: two GENERAL_NAMES */ 1533 1534 for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) { 1535 gena = sk_GENERAL_NAME_value(a->name.fullname, i); 1536 for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) { 1537 genb = sk_GENERAL_NAME_value(b->name.fullname, j); 1538 if (!GENERAL_NAME_cmp(gena, genb)) 1539 return 1; 1540 } 1541 } 1542 1543 return 0; 1544 } 1545 1546 static int 1547 crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) 1548 { 1549 int i; 1550 X509_NAME *nm = X509_CRL_get_issuer(crl); 1551 1552 /* If no CRLissuer return is successful iff don't need a match */ 1553 if (!dp->CRLissuer) 1554 return !!(crl_score & CRL_SCORE_ISSUER_NAME); 1555 for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) { 1556 GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i); 1557 if (gen->type != GEN_DIRNAME) 1558 continue; 1559 if (!X509_NAME_cmp(gen->d.directoryName, nm)) 1560 return 1; 1561 } 1562 return 0; 1563 } 1564 1565 /* Check CRLDP and IDP */ 1566 1567 static int 1568 crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, unsigned int *preasons) 1569 { 1570 int i; 1571 1572 if (crl->idp_flags & IDP_ONLYATTR) 1573 return 0; 1574 if (x->ex_flags & EXFLAG_CA) { 1575 if (crl->idp_flags & IDP_ONLYUSER) 1576 return 0; 1577 } else { 1578 if (crl->idp_flags & IDP_ONLYCA) 1579 return 0; 1580 } 1581 *preasons = crl->idp_reasons; 1582 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) { 1583 DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i); 1584 if (crldp_check_crlissuer(dp, crl, crl_score)) { 1585 if (!crl->idp || 1586 idp_check_dp(dp->distpoint, crl->idp->distpoint)) { 1587 *preasons &= dp->dp_reasons; 1588 return 1; 1589 } 1590 } 1591 } 1592 if ((!crl->idp || !crl->idp->distpoint) && 1593 (crl_score & CRL_SCORE_ISSUER_NAME)) 1594 return 1; 1595 return 0; 1596 } 1597 1598 /* Retrieve CRL corresponding to current certificate. 1599 * If deltas enabled try to find a delta CRL too 1600 */ 1601 1602 static int 1603 get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x) 1604 { 1605 int ok; 1606 X509 *issuer = NULL; 1607 int crl_score = 0; 1608 unsigned int reasons; 1609 X509_CRL *crl = NULL, *dcrl = NULL; 1610 STACK_OF(X509_CRL) *skcrl; 1611 X509_NAME *nm = X509_get_issuer_name(x); 1612 1613 reasons = ctx->current_reasons; 1614 ok = get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, 1615 ctx->crls); 1616 if (ok) 1617 goto done; 1618 1619 /* Lookup CRLs from store */ 1620 skcrl = ctx->lookup_crls(ctx, nm); 1621 1622 /* If no CRLs found and a near match from get_crl_sk use that */ 1623 if (!skcrl && crl) 1624 goto done; 1625 1626 get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl); 1627 1628 sk_X509_CRL_pop_free(skcrl, X509_CRL_free); 1629 1630 done: 1631 1632 /* If we got any kind of CRL use it and return success */ 1633 if (crl) { 1634 ctx->current_issuer = issuer; 1635 ctx->current_crl_score = crl_score; 1636 ctx->current_reasons = reasons; 1637 *pcrl = crl; 1638 *pdcrl = dcrl; 1639 return 1; 1640 } 1641 1642 return 0; 1643 } 1644 1645 /* Check CRL validity */ 1646 static int 1647 check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) 1648 { 1649 X509 *issuer = NULL; 1650 EVP_PKEY *ikey = NULL; 1651 int ok = 0, chnum, cnum; 1652 1653 cnum = ctx->error_depth; 1654 chnum = sk_X509_num(ctx->chain) - 1; 1655 /* if we have an alternative CRL issuer cert use that */ 1656 if (ctx->current_issuer) { 1657 issuer = ctx->current_issuer; 1658 } else if (cnum < chnum) { 1659 /* 1660 * Else find CRL issuer: if not last certificate then issuer 1661 * is next certificate in chain. 1662 */ 1663 issuer = sk_X509_value(ctx->chain, cnum + 1); 1664 } else { 1665 issuer = sk_X509_value(ctx->chain, chnum); 1666 /* If not self signed, can't check signature */ 1667 if (!ctx->check_issued(ctx, issuer, issuer)) { 1668 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER; 1669 ok = ctx->verify_cb(0, ctx); 1670 if (!ok) 1671 goto err; 1672 } 1673 } 1674 1675 if (issuer) { 1676 /* Skip most tests for deltas because they have already 1677 * been done 1678 */ 1679 if (!crl->base_crl_number) { 1680 /* Check for cRLSign bit if keyUsage present */ 1681 if ((issuer->ex_flags & EXFLAG_KUSAGE) && 1682 !(issuer->ex_kusage & KU_CRL_SIGN)) { 1683 ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; 1684 ok = ctx->verify_cb(0, ctx); 1685 if (!ok) 1686 goto err; 1687 } 1688 1689 if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) { 1690 ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE; 1691 ok = ctx->verify_cb(0, ctx); 1692 if (!ok) 1693 goto err; 1694 } 1695 1696 if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) { 1697 if (check_crl_path(ctx, 1698 ctx->current_issuer) <= 0) { 1699 ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR; 1700 ok = ctx->verify_cb(0, ctx); 1701 if (!ok) 1702 goto err; 1703 } 1704 } 1705 1706 if (crl->idp_flags & IDP_INVALID) { 1707 ctx->error = X509_V_ERR_INVALID_EXTENSION; 1708 ok = ctx->verify_cb(0, ctx); 1709 if (!ok) 1710 goto err; 1711 } 1712 1713 1714 } 1715 1716 if (!(ctx->current_crl_score & CRL_SCORE_TIME)) { 1717 ok = check_crl_time(ctx, crl, 1); 1718 if (!ok) 1719 goto err; 1720 } 1721 1722 /* Attempt to get issuer certificate public key */ 1723 ikey = X509_get_pubkey(issuer); 1724 1725 if (!ikey) { 1726 ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; 1727 ok = ctx->verify_cb(0, ctx); 1728 if (!ok) 1729 goto err; 1730 } else { 1731 /* Verify CRL signature */ 1732 if (X509_CRL_verify(crl, ikey) <= 0) { 1733 ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE; 1734 ok = ctx->verify_cb(0, ctx); 1735 if (!ok) 1736 goto err; 1737 } 1738 } 1739 } 1740 1741 ok = 1; 1742 1743 err: 1744 EVP_PKEY_free(ikey); 1745 return ok; 1746 } 1747 1748 /* Check certificate against CRL */ 1749 static int 1750 cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) 1751 { 1752 int ok; 1753 X509_REVOKED *rev; 1754 1755 /* The rules changed for this... previously if a CRL contained 1756 * unhandled critical extensions it could still be used to indicate 1757 * a certificate was revoked. This has since been changed since 1758 * critical extension can change the meaning of CRL entries. 1759 */ 1760 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) && 1761 (crl->flags & EXFLAG_CRITICAL)) { 1762 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; 1763 ok = ctx->verify_cb(0, ctx); 1764 if (!ok) 1765 return 0; 1766 } 1767 /* Look for serial number of certificate in CRL 1768 * If found make sure reason is not removeFromCRL. 1769 */ 1770 if (X509_CRL_get0_by_cert(crl, &rev, x)) { 1771 if (rev->reason == CRL_REASON_REMOVE_FROM_CRL) 1772 return 2; 1773 ctx->error = X509_V_ERR_CERT_REVOKED; 1774 ok = ctx->verify_cb(0, ctx); 1775 if (!ok) 1776 return 0; 1777 } 1778 1779 return 1; 1780 } 1781 1782 int 1783 x509_vfy_check_policy(X509_STORE_CTX *ctx) 1784 { 1785 int ret; 1786 1787 if (ctx->parent) 1788 return 1; 1789 1790 /* X509_policy_check always allocates a new tree. */ 1791 X509_policy_tree_free(ctx->tree); 1792 ctx->tree = NULL; 1793 1794 ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain, 1795 ctx->param->policies, ctx->param->flags); 1796 if (ret == 0) { 1797 X509error(ERR_R_MALLOC_FAILURE); 1798 return 0; 1799 } 1800 /* Invalid or inconsistent extensions */ 1801 if (ret == -1) { 1802 /* Locate certificates with bad extensions and notify 1803 * callback. 1804 */ 1805 X509 *x; 1806 int i; 1807 for (i = 1; i < sk_X509_num(ctx->chain); i++) { 1808 x = sk_X509_value(ctx->chain, i); 1809 if (!(x->ex_flags & EXFLAG_INVALID_POLICY)) 1810 continue; 1811 ctx->current_cert = x; 1812 ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION; 1813 if (!ctx->verify_cb(0, ctx)) 1814 return 0; 1815 } 1816 return 1; 1817 } 1818 if (ret == -2) { 1819 ctx->current_cert = NULL; 1820 ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY; 1821 return ctx->verify_cb(0, ctx); 1822 } 1823 1824 if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) { 1825 ctx->current_cert = NULL; 1826 ctx->error = X509_V_OK; 1827 if (!ctx->verify_cb(2, ctx)) 1828 return 0; 1829 } 1830 1831 return 1; 1832 } 1833 1834 static int 1835 check_policy(X509_STORE_CTX *ctx) 1836 { 1837 return x509_vfy_check_policy(ctx); 1838 } 1839 1840 /* 1841 * Inform the verify callback of an error. 1842 * 1843 * If x is not NULL it is the error cert, otherwise use the chain cert 1844 * at depth. 1845 * 1846 * If err is not X509_V_OK, that's the error value, otherwise leave 1847 * unchanged (presumably set by the caller). 1848 * 1849 * Returns 0 to abort verification with an error, non-zero to continue. 1850 */ 1851 static int 1852 verify_cb_cert(X509_STORE_CTX *ctx, X509 *x, int depth, int err) 1853 { 1854 ctx->error_depth = depth; 1855 ctx->current_cert = (x != NULL) ? x : sk_X509_value(ctx->chain, depth); 1856 if (err != X509_V_OK) 1857 ctx->error = err; 1858 return ctx->verify_cb(0, ctx); 1859 } 1860 1861 1862 /* Mimic OpenSSL '0 for failure' ick */ 1863 static int 1864 time_t_bogocmp(time_t a, time_t b) 1865 { 1866 if (a == -1 || b == -1) 1867 return 0; 1868 if (a <= b) 1869 return -1; 1870 return 1; 1871 } 1872 1873 /* 1874 * Check certificate validity times. 1875 * 1876 * If depth >= 0, invoke verification callbacks on error, otherwise just return 1877 * the validation status. 1878 * 1879 * Return 1 on success, 0 otherwise. 1880 */ 1881 int 1882 x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth) 1883 { 1884 time_t ptime; 1885 int i; 1886 1887 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) 1888 ptime = ctx->param->check_time; 1889 else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) 1890 return 1; 1891 else 1892 ptime = time(NULL); 1893 1894 if (x->ex_flags & EXFLAG_SET) 1895 i = time_t_bogocmp(x->not_before, ptime); 1896 else 1897 i = X509_cmp_time(X509_get_notBefore(x), &ptime); 1898 1899 if (i >= 0 && depth < 0) 1900 return 0; 1901 if (i == 0 && !verify_cb_cert(ctx, x, depth, 1902 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD)) 1903 return 0; 1904 if (i > 0 && !verify_cb_cert(ctx, x, depth, 1905 X509_V_ERR_CERT_NOT_YET_VALID)) 1906 return 0; 1907 1908 if (x->ex_flags & EXFLAG_SET) 1909 i = time_t_bogocmp(x->not_after, ptime); 1910 else 1911 i = X509_cmp_time_internal(X509_get_notAfter(x), &ptime, 1); 1912 1913 if (i <= 0 && depth < 0) 1914 return 0; 1915 if (i == 0 && !verify_cb_cert(ctx, x, depth, 1916 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD)) 1917 return 0; 1918 if (i < 0 && !verify_cb_cert(ctx, x, depth, 1919 X509_V_ERR_CERT_HAS_EXPIRED)) 1920 return 0; 1921 1922 return 1; 1923 } 1924 1925 static int 1926 x509_vfy_internal_verify(X509_STORE_CTX *ctx, int chain_verified) 1927 { 1928 int n = sk_X509_num(ctx->chain) - 1; 1929 X509 *xi = sk_X509_value(ctx->chain, n); 1930 X509 *xs; 1931 1932 if (ctx->check_issued(ctx, xi, xi)) 1933 xs = xi; 1934 else { 1935 if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) { 1936 xs = xi; 1937 goto check_cert; 1938 } 1939 if (n <= 0) 1940 return verify_cb_cert(ctx, xi, 0, 1941 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE); 1942 n--; 1943 ctx->error_depth = n; 1944 xs = sk_X509_value(ctx->chain, n); 1945 } 1946 1947 /* 1948 * Do not clear ctx->error=0, it must be "sticky", only the 1949 * user's callback is allowed to reset errors (at its own 1950 * peril). 1951 */ 1952 while (n >= 0) { 1953 1954 /* 1955 * Skip signature check for self signed certificates 1956 * unless explicitly asked for. It doesn't add any 1957 * security and just wastes time. If the issuer's 1958 * public key is unusable, report the issuer 1959 * certificate and its depth (rather than the depth of 1960 * the subject). 1961 */ 1962 if (!chain_verified && ( xs != xi || 1963 (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) { 1964 EVP_PKEY *pkey; 1965 if ((pkey = X509_get_pubkey(xi)) == NULL) { 1966 if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n, 1967 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY)) 1968 return 0; 1969 } else if (X509_verify(xs, pkey) <= 0) { 1970 if (!verify_cb_cert(ctx, xs, n, 1971 X509_V_ERR_CERT_SIGNATURE_FAILURE)) { 1972 EVP_PKEY_free(pkey); 1973 return 0; 1974 } 1975 } 1976 EVP_PKEY_free(pkey); 1977 } 1978 check_cert: 1979 /* Calls verify callback as needed */ 1980 if (!chain_verified && !x509_check_cert_time(ctx, xs, n)) 1981 return 0; 1982 1983 /* 1984 * Signal success at this depth. However, the 1985 * previous error (if any) is retained. 1986 */ 1987 ctx->current_issuer = xi; 1988 ctx->current_cert = xs; 1989 ctx->error_depth = n; 1990 if (!ctx->verify_cb(1, ctx)) 1991 return 0; 1992 1993 if (--n >= 0) { 1994 xi = xs; 1995 xs = sk_X509_value(ctx->chain, n); 1996 } 1997 } 1998 return 1; 1999 } 2000 2001 static int 2002 internal_verify(X509_STORE_CTX *ctx) 2003 { 2004 return x509_vfy_internal_verify(ctx, 0); 2005 } 2006 2007 /* 2008 * Internal verify, but with a chain where the verification 2009 * math has already been performed. 2010 */ 2011 int 2012 x509_vfy_callback_indicate_completion(X509_STORE_CTX *ctx) 2013 { 2014 return x509_vfy_internal_verify(ctx, 1); 2015 } 2016 2017 int 2018 X509_cmp_current_time(const ASN1_TIME *ctm) 2019 { 2020 return X509_cmp_time(ctm, NULL); 2021 } 2022 2023 /* 2024 * Compare a possibly unvalidated ASN1_TIME string against a time_t 2025 * using RFC 5280 rules for the time string. If *cmp_time is NULL 2026 * the current system time is used. 2027 * 2028 * XXX NOTE that unlike what you expect a "cmp" function to do in C, 2029 * XXX this one is "special", and returns 0 for error. 2030 * 2031 * Returns: 2032 * -1 if the ASN1_time is earlier than OR the same as *cmp_time. 2033 * 1 if the ASN1_time is later than *cmp_time. 2034 * 0 on error. 2035 */ 2036 static int 2037 X509_cmp_time_internal(const ASN1_TIME *ctm, time_t *cmp_time, int is_notafter) 2038 { 2039 time_t compare, cert_time; 2040 2041 if (cmp_time == NULL) 2042 compare = time(NULL); 2043 else 2044 compare = *cmp_time; 2045 2046 if ((cert_time = x509_verify_asn1_time_to_time_t(ctm, is_notafter)) == 2047 -1) 2048 return 0; /* invalid time */ 2049 2050 if (cert_time <= compare) 2051 return -1; /* 0 is used for error, so map same to less than */ 2052 2053 return 1; 2054 } 2055 2056 int 2057 X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) 2058 { 2059 return X509_cmp_time_internal(ctm, cmp_time, 0); 2060 } 2061 2062 2063 ASN1_TIME * 2064 X509_gmtime_adj(ASN1_TIME *s, long adj) 2065 { 2066 return X509_time_adj(s, adj, NULL); 2067 } 2068 2069 ASN1_TIME * 2070 X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_time) 2071 { 2072 return X509_time_adj_ex(s, 0, offset_sec, in_time); 2073 } 2074 2075 ASN1_TIME * 2076 X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec, time_t *in_time) 2077 { 2078 time_t t; 2079 if (in_time == NULL) 2080 t = time(NULL); 2081 else 2082 t = *in_time; 2083 2084 return ASN1_TIME_adj(s, t, offset_day, offset_sec); 2085 } 2086 2087 int 2088 X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) 2089 { 2090 EVP_PKEY *ktmp = NULL, *ktmp2; 2091 int i, j; 2092 2093 if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) 2094 return 1; 2095 2096 for (i = 0; i < sk_X509_num(chain); i++) { 2097 ktmp = X509_get0_pubkey(sk_X509_value(chain, i)); 2098 if (ktmp == NULL) { 2099 X509error(X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY); 2100 return 0; 2101 } 2102 if (!EVP_PKEY_missing_parameters(ktmp)) 2103 break; 2104 else 2105 ktmp = NULL; 2106 } 2107 if (ktmp == NULL) { 2108 X509error(X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN); 2109 return 0; 2110 } 2111 2112 /* first, populate the other certs */ 2113 for (j = i - 1; j >= 0; j--) { 2114 if ((ktmp2 = X509_get0_pubkey(sk_X509_value(chain, j))) == NULL) 2115 return 0; 2116 if (!EVP_PKEY_copy_parameters(ktmp2, ktmp)) 2117 return 0; 2118 } 2119 2120 if (pkey != NULL) 2121 if (!EVP_PKEY_copy_parameters(pkey, ktmp)) 2122 return 0; 2123 return 1; 2124 } 2125 2126 int 2127 X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 2128 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) 2129 { 2130 /* This function is (usually) called only once, by 2131 * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */ 2132 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, 2133 argl, argp, new_func, dup_func, free_func); 2134 } 2135 2136 int 2137 X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) 2138 { 2139 return CRYPTO_set_ex_data(&ctx->ex_data, idx, data); 2140 } 2141 2142 void * 2143 X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) 2144 { 2145 return CRYPTO_get_ex_data(&ctx->ex_data, idx); 2146 } 2147 2148 int 2149 X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) 2150 { 2151 return ctx->error; 2152 } 2153 2154 void 2155 X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) 2156 { 2157 ctx->error = err; 2158 } 2159 2160 int 2161 X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) 2162 { 2163 return ctx->error_depth; 2164 } 2165 2166 void 2167 X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth) 2168 { 2169 ctx->error_depth = depth; 2170 } 2171 2172 X509 * 2173 X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) 2174 { 2175 return ctx->current_cert; 2176 } 2177 2178 void 2179 X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x) 2180 { 2181 ctx->current_cert = x; 2182 } 2183 2184 STACK_OF(X509) * 2185 X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx) 2186 { 2187 return ctx->chain; 2188 } 2189 2190 STACK_OF(X509) * 2191 X509_STORE_CTX_get0_chain(X509_STORE_CTX *xs) 2192 { 2193 return xs->chain; 2194 } 2195 2196 STACK_OF(X509) * 2197 X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) 2198 { 2199 int i; 2200 X509 *x; 2201 STACK_OF(X509) *chain; 2202 2203 if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) 2204 return NULL; 2205 for (i = 0; i < sk_X509_num(chain); i++) { 2206 x = sk_X509_value(chain, i); 2207 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); 2208 } 2209 return chain; 2210 } 2211 2212 X509 * 2213 X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx) 2214 { 2215 return ctx->current_issuer; 2216 } 2217 2218 X509_CRL * 2219 X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx) 2220 { 2221 return ctx->current_crl; 2222 } 2223 2224 X509_STORE_CTX * 2225 X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx) 2226 { 2227 return ctx->parent; 2228 } 2229 2230 X509_STORE * 2231 X509_STORE_CTX_get0_store(X509_STORE_CTX *xs) 2232 { 2233 return xs->store; 2234 } 2235 2236 void 2237 X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) 2238 { 2239 ctx->cert = x; 2240 } 2241 2242 void 2243 X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) 2244 { 2245 ctx->untrusted = sk; 2246 } 2247 2248 void 2249 X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) 2250 { 2251 ctx->crls = sk; 2252 } 2253 2254 int 2255 X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) 2256 { 2257 return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0); 2258 } 2259 2260 int 2261 X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) 2262 { 2263 return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust); 2264 } 2265 2266 /* This function is used to set the X509_STORE_CTX purpose and trust 2267 * values. This is intended to be used when another structure has its 2268 * own trust and purpose values which (if set) will be inherited by 2269 * the ctx. If they aren't set then we will usually have a default 2270 * purpose in mind which should then be used to set the trust value. 2271 * An example of this is SSL use: an SSL structure will have its own 2272 * purpose and trust settings which the application can set: if they 2273 * aren't set then we use the default of SSL client/server. 2274 */ 2275 2276 int 2277 X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, 2278 int purpose, int trust) 2279 { 2280 int idx; 2281 2282 /* If purpose not set use default */ 2283 if (!purpose) 2284 purpose = def_purpose; 2285 /* If we have a purpose then check it is valid */ 2286 if (purpose) { 2287 X509_PURPOSE *ptmp; 2288 idx = X509_PURPOSE_get_by_id(purpose); 2289 if (idx == -1) { 2290 X509error(X509_R_UNKNOWN_PURPOSE_ID); 2291 return 0; 2292 } 2293 ptmp = X509_PURPOSE_get0(idx); 2294 if (ptmp->trust == X509_TRUST_DEFAULT) { 2295 idx = X509_PURPOSE_get_by_id(def_purpose); 2296 if (idx == -1) { 2297 X509error(X509_R_UNKNOWN_PURPOSE_ID); 2298 return 0; 2299 } 2300 ptmp = X509_PURPOSE_get0(idx); 2301 } 2302 /* If trust not set then get from purpose default */ 2303 if (!trust) 2304 trust = ptmp->trust; 2305 } 2306 if (trust) { 2307 idx = X509_TRUST_get_by_id(trust); 2308 if (idx == -1) { 2309 X509error(X509_R_UNKNOWN_TRUST_ID); 2310 return 0; 2311 } 2312 } 2313 2314 if (purpose && !ctx->param->purpose) 2315 ctx->param->purpose = purpose; 2316 if (trust && !ctx->param->trust) 2317 ctx->param->trust = trust; 2318 return 1; 2319 } 2320 2321 X509_STORE_CTX * 2322 X509_STORE_CTX_new(void) 2323 { 2324 X509_STORE_CTX *ctx; 2325 2326 ctx = calloc(1, sizeof(X509_STORE_CTX)); 2327 if (!ctx) { 2328 X509error(ERR_R_MALLOC_FAILURE); 2329 return NULL; 2330 } 2331 return ctx; 2332 } 2333 2334 void 2335 X509_STORE_CTX_free(X509_STORE_CTX *ctx) 2336 { 2337 if (ctx == NULL) 2338 return; 2339 2340 X509_STORE_CTX_cleanup(ctx); 2341 free(ctx); 2342 } 2343 2344 int 2345 X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, 2346 STACK_OF(X509) *chain) 2347 { 2348 int param_ret = 1; 2349 2350 /* 2351 * Make sure everything is initialized properly even in case of an 2352 * early return due to an error. 2353 * 2354 * While this 'ctx' can be reused, X509_STORE_CTX_cleanup() will have 2355 * freed everything and memset ex_data anyway. This also allows us 2356 * to safely use X509_STORE_CTX variables from the stack which will 2357 * have uninitialized data. 2358 */ 2359 memset(ctx, 0, sizeof(*ctx)); 2360 2361 /* 2362 * Start with this set to not valid - it will be set to valid 2363 * in X509_verify_cert. 2364 */ 2365 ctx->error = X509_V_ERR_INVALID_CALL; 2366 2367 /* 2368 * Set values other than 0. Keep this in the same order as 2369 * X509_STORE_CTX except for values that may fail. All fields that 2370 * may fail should go last to make sure 'ctx' is as consistent as 2371 * possible even on early exits. 2372 */ 2373 ctx->store = store; 2374 ctx->cert = x509; 2375 ctx->untrusted = chain; 2376 2377 if (store && store->verify) 2378 ctx->verify = store->verify; 2379 else 2380 ctx->verify = internal_verify; 2381 2382 if (store && store->verify_cb) 2383 ctx->verify_cb = store->verify_cb; 2384 else 2385 ctx->verify_cb = null_callback; 2386 2387 if (store && store->get_issuer) 2388 ctx->get_issuer = store->get_issuer; 2389 else 2390 ctx->get_issuer = X509_STORE_CTX_get1_issuer; 2391 2392 if (store && store->check_issued) 2393 ctx->check_issued = store->check_issued; 2394 else 2395 ctx->check_issued = check_issued; 2396 2397 if (store && store->check_revocation) 2398 ctx->check_revocation = store->check_revocation; 2399 else 2400 ctx->check_revocation = check_revocation; 2401 2402 if (store && store->get_crl) 2403 ctx->get_crl = store->get_crl; 2404 else 2405 ctx->get_crl = NULL; 2406 2407 if (store && store->check_crl) 2408 ctx->check_crl = store->check_crl; 2409 else 2410 ctx->check_crl = check_crl; 2411 2412 if (store && store->cert_crl) 2413 ctx->cert_crl = store->cert_crl; 2414 else 2415 ctx->cert_crl = cert_crl; 2416 2417 ctx->check_policy = check_policy; 2418 2419 if (store && store->lookup_certs) 2420 ctx->lookup_certs = store->lookup_certs; 2421 else 2422 ctx->lookup_certs = X509_STORE_get1_certs; 2423 2424 if (store && store->lookup_crls) 2425 ctx->lookup_crls = store->lookup_crls; 2426 else 2427 ctx->lookup_crls = X509_STORE_get1_crls; 2428 2429 if (store && store->cleanup) 2430 ctx->cleanup = store->cleanup; 2431 else 2432 ctx->cleanup = NULL; 2433 2434 ctx->param = X509_VERIFY_PARAM_new(); 2435 if (!ctx->param) { 2436 X509error(ERR_R_MALLOC_FAILURE); 2437 return 0; 2438 } 2439 2440 /* Inherit callbacks and flags from X509_STORE if not set 2441 * use defaults. 2442 */ 2443 if (store) 2444 param_ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param); 2445 else 2446 ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE; 2447 2448 if (param_ret) 2449 param_ret = X509_VERIFY_PARAM_inherit(ctx->param, 2450 X509_VERIFY_PARAM_lookup("default")); 2451 2452 if (param_ret == 0) { 2453 X509error(ERR_R_MALLOC_FAILURE); 2454 return 0; 2455 } 2456 2457 if (CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, 2458 &(ctx->ex_data)) == 0) { 2459 X509error(ERR_R_MALLOC_FAILURE); 2460 return 0; 2461 } 2462 return 1; 2463 } 2464 2465 /* Set alternative lookup method: just a STACK of trusted certificates. 2466 * This avoids X509_STORE nastiness where it isn't needed. 2467 */ 2468 2469 void 2470 X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) 2471 { 2472 ctx->other_ctx = sk; 2473 ctx->get_issuer = get_issuer_sk; 2474 } 2475 2476 void 2477 X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) 2478 { 2479 X509_STORE_CTX_trusted_stack(ctx, sk); 2480 } 2481 2482 void 2483 X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) 2484 { 2485 if (ctx->cleanup) 2486 ctx->cleanup(ctx); 2487 if (ctx->param != NULL) { 2488 if (ctx->parent == NULL) 2489 X509_VERIFY_PARAM_free(ctx->param); 2490 ctx->param = NULL; 2491 } 2492 if (ctx->tree != NULL) { 2493 X509_policy_tree_free(ctx->tree); 2494 ctx->tree = NULL; 2495 } 2496 if (ctx->chain != NULL) { 2497 sk_X509_pop_free(ctx->chain, X509_free); 2498 ctx->chain = NULL; 2499 } 2500 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, 2501 ctx, &(ctx->ex_data)); 2502 memset(&ctx->ex_data, 0, sizeof(CRYPTO_EX_DATA)); 2503 } 2504 2505 void 2506 X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) 2507 { 2508 X509_VERIFY_PARAM_set_depth(ctx->param, depth); 2509 } 2510 2511 void 2512 X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) 2513 { 2514 X509_VERIFY_PARAM_set_flags(ctx->param, flags); 2515 } 2516 2517 void 2518 X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t) 2519 { 2520 X509_VERIFY_PARAM_set_time(ctx->param, t); 2521 } 2522 2523 int 2524 (*X509_STORE_CTX_get_verify_cb(X509_STORE_CTX *ctx))(int, X509_STORE_CTX *) 2525 { 2526 return ctx->verify_cb; 2527 } 2528 2529 void 2530 X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, 2531 int (*verify_cb)(int, X509_STORE_CTX *)) 2532 { 2533 ctx->verify_cb = verify_cb; 2534 } 2535 2536 int 2537 (*X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx))(X509_STORE_CTX *) 2538 { 2539 return ctx->verify; 2540 } 2541 2542 void 2543 X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, int (*verify)(X509_STORE_CTX *)) 2544 { 2545 ctx->verify = verify; 2546 } 2547 2548 X509 * 2549 X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx) 2550 { 2551 return ctx->cert; 2552 } 2553 2554 STACK_OF(X509) * 2555 X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx) 2556 { 2557 return ctx->untrusted; 2558 } 2559 2560 void 2561 X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) 2562 { 2563 ctx->untrusted = sk; 2564 } 2565 2566 void 2567 X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) 2568 { 2569 sk_X509_pop_free(ctx->chain, X509_free); 2570 ctx->chain = sk; 2571 } 2572 2573 X509_POLICY_TREE * 2574 X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx) 2575 { 2576 return ctx->tree; 2577 } 2578 2579 int 2580 X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx) 2581 { 2582 return ctx->explicit_policy; 2583 } 2584 2585 int 2586 X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx) 2587 { 2588 return ctx->num_untrusted; 2589 } 2590 2591 int 2592 X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) 2593 { 2594 const X509_VERIFY_PARAM *param; 2595 param = X509_VERIFY_PARAM_lookup(name); 2596 if (!param) 2597 return 0; 2598 return X509_VERIFY_PARAM_inherit(ctx->param, param); 2599 } 2600 2601 X509_VERIFY_PARAM * 2602 X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) 2603 { 2604 return ctx->param; 2605 } 2606 2607 void 2608 X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) 2609 { 2610 if (ctx->param) 2611 X509_VERIFY_PARAM_free(ctx->param); 2612 ctx->param = param; 2613 } 2614 2615 /* 2616 * Check if |bits| are adequate for |security level|. 2617 * Returns 1 if ok, 0 otherwise. 2618 */ 2619 static int 2620 enough_bits_for_security_level(int bits, int level) 2621 { 2622 /* 2623 * Sigh. OpenSSL does this silly squashing, so we will 2624 * too. Derp for Derp compatibility being important. 2625 */ 2626 if (level < 0) 2627 level = 0; 2628 if (level > 5) 2629 level = 5; 2630 2631 switch (level) { 2632 case 0: 2633 return 1; 2634 case 1: 2635 return bits >= 80; 2636 case 2: 2637 return bits >= 112; 2638 case 3: 2639 return bits >= 128; 2640 case 4: 2641 return bits >= 192; 2642 case 5: 2643 return bits >= 256; 2644 default: 2645 return 0; 2646 } 2647 } 2648 2649 /* 2650 * Check whether the public key of |cert| meets the security level of |ctx|. 2651 * 2652 * Returns 1 on success, 0 otherwise. 2653 */ 2654 static int 2655 check_key_level(X509_STORE_CTX *ctx, X509 *cert) 2656 { 2657 EVP_PKEY *pkey; 2658 int bits; 2659 2660 /* Unsupported or malformed keys are not secure */ 2661 if ((pkey = X509_get0_pubkey(cert)) == NULL) 2662 return 0; 2663 2664 if ((bits = EVP_PKEY_security_bits(pkey)) <= 0) 2665 return 0; 2666 2667 return enough_bits_for_security_level(bits, ctx->param->security_level); 2668 } 2669 2670 /* 2671 * Check whether the signature digest algorithm of |cert| meets the security 2672 * level of |ctx|. Do not check trust anchors (self-signed or not). 2673 * 2674 * Returns 1 on success, 0 otherwise. 2675 */ 2676 static int 2677 check_sig_level(X509_STORE_CTX *ctx, X509 *cert) 2678 { 2679 const EVP_MD *md; 2680 int bits, nid, md_nid; 2681 2682 if ((nid = X509_get_signature_nid(cert)) == NID_undef) 2683 return 0; 2684 2685 /* 2686 * Look up signature algorithm digest. 2687 */ 2688 2689 if (!OBJ_find_sigid_algs(nid, &md_nid, NULL)) 2690 return 0; 2691 2692 if (md_nid == NID_undef) 2693 return 0; 2694 2695 if ((md = EVP_get_digestbynid(md_nid)) == NULL) 2696 return 0; 2697 2698 /* Assume 4 bits of collision resistance for each hash octet. */ 2699 bits = EVP_MD_size(md) * 4; 2700 2701 return enough_bits_for_security_level(bits, ctx->param->security_level); 2702 } 2703 2704 int 2705 x509_vfy_check_security_level(X509_STORE_CTX *ctx) 2706 { 2707 int num = sk_X509_num(ctx->chain); 2708 int i; 2709 2710 if (ctx->param->security_level <= 0) 2711 return 1; 2712 2713 for (i = 0; i < num; i++) { 2714 X509 *cert = sk_X509_value(ctx->chain, i); 2715 2716 /* 2717 * We've already checked the security of the leaf key, so here 2718 * we only check the security of issuer keys. 2719 */ 2720 if (i > 0) { 2721 if (!check_key_level(ctx, cert) && 2722 !verify_cb_cert(ctx, cert, i, 2723 X509_V_ERR_CA_KEY_TOO_SMALL)) 2724 return 0; 2725 } 2726 2727 /* 2728 * We also check the signature algorithm security of all certs 2729 * except those of the trust anchor at index num - 1. 2730 */ 2731 if (i == num - 1) 2732 break; 2733 2734 if (!check_sig_level(ctx, cert) && 2735 !verify_cb_cert(ctx, cert, i, X509_V_ERR_CA_MD_TOO_WEAK)) 2736 return 0; 2737 } 2738 return 1; 2739 } 2740