From 090d848ea89b112587cf2e5b26acfaaae6bf79c2 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sat, 18 Sep 1999 01:42:02 +0000 Subject: [PATCH] Various CRL enhancements tidies and workaround for broken CRLs. --- CHANGES | 8 +++++ apps/crl.c | 76 ++++++++++++++++++++++++++++++++++++++++++--- crypto/asn1/x_crl.c | 21 ++++++------- 3 files changed, 88 insertions(+), 17 deletions(-) diff --git a/CHANGES b/CHANGES index 50cbc71392..7b9cf1cf8d 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,14 @@ Changes between 0.9.4 and 0.9.5 [xx XXX 1999] + *) Add new -verify -CAfile and -CApath options to the crl program, these + will lookup a CRL issuers certificate and verify the signature in a + similar way to the verify program. Tidy up the crl program so it + no longer acesses structures directly. Make the ASN1 CRL parsing a bit + less strict. It will now permit CRL extensions even if it is not + a V2 CRL: this will allow it to tolerate some broken CRLs. + [Steve Henson] + *) Initialize all non-automatic variables each time one of the openssl sub-programs is started (this is necessary as they may be started multiple times from the "OpenSSL>" prompt). diff --git a/apps/crl.c b/apps/crl.c index e0757d9319..9bab031c81 100644 --- a/apps/crl.c +++ b/apps/crl.c @@ -85,6 +85,8 @@ static char *crl_usage[]={ " -lastupdate - lastUpdate field\n", " -nextupdate - nextUpdate field\n", " -noout - no CRL output\n", +" -CAfile name - verify CRL using certificates in file \"name\"\n", +" -CApath dir - verify CRL using certificates in \"dir\"\n", NULL }; @@ -94,12 +96,19 @@ static BIO *bio_out=NULL; int MAIN(int argc, char **argv) { X509_CRL *x=NULL; + char *CAfile = NULL, *CApath = NULL; int ret=1,i,num,badops=0; BIO *out=NULL; int informat,outformat; char *infile=NULL,*outfile=NULL; int hash=0,issuer=0,lastupdate=0,nextupdate=0,noout=0,text=0; char **pp,buf[256]; + X509_STORE *store = NULL; + X509_STORE_CTX ctx; + X509_LOOKUP *lookup = NULL; + X509_OBJECT xobj; + EVP_PKEY *pkey; + int do_ver = 0; apps_startup(); @@ -146,6 +155,20 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; outfile= *(++argv); } + else if (strcmp(*argv,"-CApath") == 0) + { + if (--argc < 1) goto bad; + CApath = *(++argv); + do_ver = 1; + } + else if (strcmp(*argv,"-CAfile") == 0) + { + if (--argc < 1) goto bad; + CAfile = *(++argv); + do_ver = 1; + } + else if (strcmp(*argv,"-verify") == 0) + do_ver = 1; else if (strcmp(*argv,"-text") == 0) text = 1; else if (strcmp(*argv,"-hash") == 0) @@ -181,32 +204,71 @@ bad: x=load_crl(infile,informat); if (x == NULL) { goto end; } + if(do_ver) { + store = X509_STORE_new(); + lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file()); + if (lookup == NULL) goto end; + if (!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM)) + X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT); + + lookup=X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir()); + if (lookup == NULL) goto end; + if (!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM)) + X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT); + ERR_clear_error(); + + X509_STORE_CTX_init(&ctx, store, NULL, NULL); + + i = X509_STORE_get_by_subject(&ctx, X509_LU_X509, + X509_CRL_get_issuer(x), &xobj); + if(i <= 0) { + BIO_printf(bio_err, + "Error getting CRL issuer certificate\n"); + goto end; + } + pkey = X509_get_pubkey(xobj.data.x509); + X509_OBJECT_free_contents(&xobj); + if(!pkey) { + BIO_printf(bio_err, + "Error getting CRL issuer public key\n"); + goto end; + } + i = X509_CRL_verify(x, pkey); + EVP_PKEY_free(pkey); + if(i < 0) goto end; + if(i == 0) BIO_printf(bio_err, "verify failure\n"); + else BIO_printf(bio_err, "verify OK\n"); + } + if (num) { for (i=1; i<=num; i++) { if (issuer == i) { - X509_NAME_oneline(x->crl->issuer,buf,256); + X509_NAME_oneline(X509_CRL_get_issuer(x), + buf,256); BIO_printf(bio_out,"issuer= %s\n",buf); } if (hash == i) { BIO_printf(bio_out,"%08lx\n", - X509_NAME_hash(x->crl->issuer)); + X509_NAME_hash(X509_CRL_get_issuer(x))); } if (lastupdate == i) { BIO_printf(bio_out,"lastUpdate="); - ASN1_TIME_print(bio_out,x->crl->lastUpdate); + ASN1_TIME_print(bio_out, + X509_CRL_get_lastUpdate(x)); BIO_printf(bio_out,"\n"); } if (nextupdate == i) { BIO_printf(bio_out,"nextUpdate="); - if (x->crl->nextUpdate != NULL) - ASN1_TIME_print(bio_out,x->crl->nextUpdate); + if (X509_CRL_get_nextUpdate(x)) + ASN1_TIME_print(bio_out, + X509_CRL_get_nextUpdate(x)); else BIO_printf(bio_out,"NONE"); BIO_printf(bio_out,"\n"); @@ -252,6 +314,10 @@ end: BIO_free(bio_out); bio_out=NULL; X509_CRL_free(x); + if(store) { + X509_STORE_CTX_cleanup(&ctx); + X509_STORE_free(store); + } X509V3_EXT_cleanup(); EXIT(ret); } diff --git a/crypto/asn1/x_crl.c b/crypto/asn1/x_crl.c index cd46bbebc2..25657a8799 100644 --- a/crypto/asn1/x_crl.c +++ b/crypto/asn1/x_crl.c @@ -190,20 +190,17 @@ X509_CRL_INFO *d2i_X509_CRL_INFO(X509_CRL_INFO **a, unsigned char **pp, } } - if (ver >= 1) + if (ret->extensions != NULL) { - if (ret->extensions != NULL) - { - while (sk_X509_EXTENSION_num(ret->extensions)) - X509_EXTENSION_free( - sk_X509_EXTENSION_pop(ret->extensions)); - } - - M_ASN1_D2I_get_EXP_set_opt_type(X509_EXTENSION,ret->extensions, - d2i_X509_EXTENSION, - X509_EXTENSION_free,0, - V_ASN1_SEQUENCE); + while (sk_X509_EXTENSION_num(ret->extensions)) + X509_EXTENSION_free( + sk_X509_EXTENSION_pop(ret->extensions)); } + + M_ASN1_D2I_get_EXP_set_opt_type(X509_EXTENSION,ret->extensions, + d2i_X509_EXTENSION, + X509_EXTENSION_free,0, + V_ASN1_SEQUENCE); M_ASN1_D2I_Finish(a,X509_CRL_INFO_free,ASN1_F_D2I_X509_CRL_INFO); } -- 2.25.1