From 2dabd822366df7b2608b55d5ca5f31d5d484cbaf Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Fri, 21 Dec 2012 18:31:32 +0000 Subject: [PATCH] Make partial chain checking work if we only have the EE certificate in the trust store. --- crypto/x509/x509_vfy.c | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 1983eacf16..92a3cc7a28 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -160,6 +160,32 @@ static int cert_self_signed(X509 *x) return 0; } +/* Given a certificate try and find an exact match in the store */ + +static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) + { + STACK_OF(X509) *certs; + X509 *xtmp; + int i; + /* Lookup all certs with matching subject name */ + certs = ctx->lookup_certs(ctx, X509_get_subject_name(x)); + if (certs == NULL) + return NULL; + /* Look for exact match */ + for (i = 0; i < sk_X509_num(certs); i++) + { + xtmp = sk_X509_value(certs, i); + if (!X509_cmp(xtmp, x)) + break; + } + if (i < sk_X509_num(certs)) + CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509); + else + xtmp = NULL; + sk_X509_pop_free(certs, X509_free); + return xtmp; + } + int X509_verify_cert(X509_STORE_CTX *ctx) { X509 *x,*xtmp,*chain_ss=NULL; @@ -763,6 +789,19 @@ static int check_trust(X509_STORE_CTX *ctx) { if (ctx->last_untrusted < sk_X509_num(ctx->chain)) return X509_TRUST_TRUSTED; + if (sk_X509_num(ctx->chain) == 1) + { + X509 *mx; + x = sk_X509_value(ctx->chain, 0); + mx = lookup_cert_match(ctx, x); + if (mx) + { + (void)sk_X509_set(ctx->chain, 0, mx); + X509_free(x); + ctx->last_untrusted = 0; + return X509_TRUST_TRUSTED; + } + } } /* If no trusted certs in chain at all return untrusted and @@ -1705,6 +1744,8 @@ static int internal_verify(X509_STORE_CTX *ctx) xs=xi; else { + if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN && n == 0) + return check_cert_time(ctx, xi); if (n <= 0) { ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; -- 2.25.1