提交
5cbd2033
编写于
7月 30, 2008
作者:
D
Dr. Stephen Henson
Initial support for alternative CRL issuing certificates.
Allow the inhibit-any-policy flag to be set in apps.
上级
592a207b
Showing
3 changed file
with
46 addition
and
14 deletion
+46
-14
CHANGES
CHANGES
+5
-0
apps/apps.c
apps/apps.c
+2
-0
crypto/x509/x509_vfy.c
crypto/x509/x509_vfy.c
+39
-14
CHANGES
...
...
@@ -4,6 +4,11 @@
Changes between 0.9.8i and 0.9.9 [xx XXX xxxx]
*) Initial support for different CRL issuing certificates. This covers a
simple case where the self issued certificates in the chain exist and
the real CRL issuer is higher in the existing chain.
[Steve Henson]
*) Removed effectively defunct crypto/store from the build.
[Ben Laurie]
...
...
apps/apps.c
...
...
@@ -2233,6 +2233,8 @@ int args_verify(char ***pargs, int *pargc,
flags
|=
X509_V_FLAG_POLICY_CHECK
;
else
if
(
!
strcmp
(
arg
,
"-explicit_policy"
))
flags
|=
X509_V_FLAG_EXPLICIT_POLICY
;
else
if
(
!
strcmp
(
arg
,
"-inhibit_any"
))
flags
|=
X509_V_FLAG_INHIBIT_ANY
;
else
if
(
!
strcmp
(
arg
,
"-x509_strict"
))
flags
|=
X509_V_FLAG_X509_STRICT
;
else
if
(
!
strcmp
(
arg
,
"-policy_print"
))
...
...
crypto/x509/x509_vfy.c
...
...
@@ -78,7 +78,7 @@ static int check_trust(X509_STORE_CTX *ctx);
static
int
check_revocation
(
X509_STORE_CTX
*
ctx
);
static
int
check_cert
(
X509_STORE_CTX
*
ctx
);
static
int
check_policy
(
X509_STORE_CTX
*
ctx
);
static
int
crl_akid_check
(
X509_STORE_CTX
*
ctx
,
AUTHORITY_KEYID
*
akid
);
static
int
crl_akid_check
(
X509_STORE_CTX
*
ctx
,
X509_CRL
*
crl
,
X509
**
pissuer
);
static
int
idp_check_scope
(
X509
*
x
,
X509_CRL
*
crl
);
static
int
internal_verify
(
X509_STORE_CTX
*
ctx
);
const
char
X509_version
[]
=
"X.509"
OPENSSL_VERSION_PTEXT
;
...
...
@@ -590,6 +590,7 @@ static int check_cert(X509_STORE_CTX *ctx)
cnum
=
ctx
->
error_depth
;
x
=
sk_X509_value
(
ctx
->
chain
,
cnum
);
ctx
->
current_cert
=
x
;
ctx
->
current_issuer
=
NULL
;
/* Try to retrieve relevant CRL */
ok
=
ctx
->
get_crl
(
ctx
,
&
crl
,
x
);
/* If error looking up CRL, nothing we can do except
...
...
@@ -699,9 +700,11 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl,
{
int
i
,
crl_score
,
best_score
=
-
1
;
X509_CRL
*
crl
,
*
best_crl
=
NULL
;
X509
*
crl_issuer
,
*
best_crl_issuer
=
NULL
;
for
(
i
=
0
;
i
<
sk_X509_CRL_num
(
crls
);
i
++
)
{
crl_score
=
0
;
crl_issuer
=
NULL
;
crl
=
sk_X509_CRL_value
(
crls
,
i
);
if
(
nm
&&
X509_NAME_cmp
(
nm
,
X509_CRL_get_issuer
(
crl
)))
continue
;
...
...
@@ -718,15 +721,10 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl,
else
crl_score
|=
CRL_SCORE_SCOPE
;
if
(
crl
->
akid
)
{
if
(
crl_akid_check
(
ctx
,
crl
->
akid
))
crl_score
|=
CRL_SCORE_AKID
;
}
else
if
(
crl_akid_check
(
ctx
,
crl
,
&
crl_issuer
))
crl_score
|=
CRL_SCORE_AKID
;
if
(
crl_score
==
CRL_SCORE_ALL
)
/* If CRL matches criteria and issuer is not different use it */
if
(
crl_score
==
CRL_SCORE_ALL
&&
!
crl_issuer
)
{
*
pcrl
=
crl
;
CRYPTO_add
(
&
crl
->
references
,
1
,
CRYPTO_LOCK_X509_CRL
);
...
...
@@ -736,25 +734,49 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl,
if
(
crl_score
>
best_score
)
{
best_crl
=
crl
;
best_crl_issuer
=
crl_issuer
;
best_score
=
crl_score
;
}
}
if
(
best_crl
)
{
*
pcrl
=
best_crl
;
ctx
->
current_issuer
=
best_crl_issuer
;
CRYPTO_add
(
&
best_crl
->
references
,
1
,
CRYPTO_LOCK_X509
);
}
return
0
;
}
static
int
crl_akid_check
(
X509_STORE_CTX
*
ctx
,
AUTHORITY_KEYID
*
akid
)
static
int
crl_akid_check
(
X509_STORE_CTX
*
ctx
,
X509_CRL
*
crl
,
X509
**
pissuer
)
{
X509
*
crl_issuer
;
int
cidx
=
ctx
->
error_depth
;
if
(
!
crl
->
akid
)
return
1
;
if
(
cidx
!=
sk_X509_num
(
ctx
->
chain
)
-
1
)
cidx
++
;
if
(
X509_check_akid
(
sk_X509_value
(
ctx
->
chain
,
cidx
),
akid
)
==
X509_V_OK
)
crl_issuer
=
sk_X509_value
(
ctx
->
chain
,
cidx
);
if
(
X509_check_akid
(
crl_issuer
,
crl
->
akid
)
==
X509_V_OK
)
return
1
;
/* If crl_issuer is self issued we may get a match further along the
* chain.
*/
if
(
crl_issuer
->
ex_flags
&
EXFLAG_SI
)
{
for
(
cidx
++
;
cidx
<
sk_X509_num
(
ctx
->
chain
);
cidx
++
)
{
crl_issuer
=
sk_X509_value
(
ctx
->
chain
,
cidx
);
if
(
X509_check_akid
(
crl_issuer
,
crl
->
akid
)
==
X509_V_OK
)
{
*
pissuer
=
crl_issuer
;
return
1
;
}
if
(
!
(
crl_issuer
->
ex_flags
&
EXFLAG_SI
))
break
;
}
}
return
0
;
}
...
...
@@ -864,10 +886,13 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
int
ok
=
0
,
chnum
,
cnum
;
cnum
=
ctx
->
error_depth
;
chnum
=
sk_X509_num
(
ctx
->
chain
)
-
1
;
/* Find CRL issuer: if not last certificate then issuer
/* if we have an alternative CRL issuer cert use that */
if
(
ctx
->
current_issuer
)
issuer
=
ctx
->
current_issuer
;
/* Else find CRL issuer: if not last certificate then issuer
* is next certificate in chain.
*/
if
(
cnum
<
chnum
)
else
if
(
cnum
<
chnum
)
issuer
=
sk_X509_value
(
ctx
->
chain
,
cnum
+
1
);
else
{
...
...
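Review bot: The reference-count increment on `best_crl` in get_crl_sk passes `CRYPTO_LOCK_X509`, while the earlier increment in the same function (the `CRL_SCORE_ALL && !crl_issuer` early return) passes `CRYPTO_LOCK_X509_CRL`; `best_crl` is an X509_CRL, so the line should read `CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL);`. With the wrong lock id the increment is not serialized with the CRL's own free path, so the count can be corrupted under concurrent use. Separately, `ctx->current_issuer` is written only in the `best_crl` branch and not on the early-return path; if get_crl_sk can be reached more than once for the same certificate (not visible here), an alternative issuer recorded by an earlier call could survive into check_crl for a CRL that was actually matched through the normal chain, so clearing it to NULL on that path would remove the doubt. The new `pissuer` out-parameter of crl_akid_check also deserves a comment stating that it is set only when the matching issuer differs from the chain's next certificate, since get_crl_sk relies on that to decide between the early return and best-match tracking. get_crl_sk begins above this hunk.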