Dr. Stephen Henson
4a253652ee
Add opaque ID structure.
...
Move the IP, email and host checking fields from the public
X509_VERIFY_PARAM structure into an opaque X509_VERIFY_PARAM_ID
structure. By doing this the structure can be modified in future
without risk of breaking any applications.
(cherry picked from commit adc6bd73e3
)
Conflicts:
crypto/x509/x509_vpm.c
2013-12-13 15:42:16 +00:00
Dr. Stephen Henson
102302b05b
Fix for partial chain notification.
...
For consistency with other cases if we are performing
partial chain verification with just one certificate
notify the callback with ok==1.
(cherry picked from commit 852553d9005e13aed7feb986a5d71cb885b994c7)
2013-12-13 15:39:55 +00:00
Dr. Stephen Henson
52073b7675
Partial path fix.
...
When verifying a partial path always check to see if the EE certificate
is explicitly trusted: the path could contain other untrusted certificates.
2013-09-08 19:26:59 +01:00
Dr. Stephen Henson
4b26645c1a
Fix verify loop with CRL checking.
...
PR #3090
Reported by: Franck Youssef <fry@open.ch>
If no new reason codes are obtained after checking a CRL exit with an
error to avoid repeatedly checking the same CRL.
This will only happen if verify errors such as invalid CRL scope are
overridden in a callback.
2013-07-12 17:48:41 +01:00
Ben Laurie
f00c54ae2e
Fix warning.
2013-01-06 19:03:48 +00:00
Dr. Stephen Henson
2dabd82236
Make partial chain checking work if we only have the EE certificate in
...
the trust store.
2012-12-21 18:31:32 +00:00
Dr. Stephen Henson
51e7a4378a
New verify flag to return success if we have any certificate in the
...
trusted store instead of the default which is to return an error if
we can't build the complete chain.
2012-12-13 18:14:46 +00:00
Dr. Stephen Henson
abd2ed012b
Fix two bugs which affect delta CRL handling:
...
Use -1 to check all extensions in CRLs.
Always set flag for freshest CRL.
2012-12-06 18:24:28 +00:00
Dr. Stephen Henson
3bf15e2974
Integrate host, email and IP address checks into X509_verify.
...
Add new verify options to set checks.
Remove previous -check* commands from s_client and s_server.
2012-12-05 18:35:20 +00:00
Dr. Stephen Henson
2e8cb108dc
initial support for delta CRL generations by diffing two full CRLs
2012-12-04 18:35:36 +00:00
Dr. Stephen Henson
3b0648ebc9
Rename Suite B functions for consistency.
...
New function X509_chain_up_ref to dup and up the reference count of
a STACK_OF(X509): replace equivalent functionality in several places
by the equivalent call.
2012-08-03 15:58:15 +00:00
Dr. Stephen Henson
3ad344a517
add suite B chain validation flags and associated verify errors
2012-08-03 13:51:43 +00:00
Dr. Stephen Henson
d895f7f060
don't do loop check for single self signed certificate
2012-03-05 15:48:13 +00:00
Dr. Stephen Henson
c2035bffe7
PR: 2606
...
Submitted by: Christoph Viethen <cv@kawo2.rwth-aachen.de>
Reviewed by: steve
Handle timezones correctly in UTCTime.
2011-09-23 13:39:23 +00:00
Dr. Stephen Henson
0486cce653
Initialise X509_STORE_CTX properly so CRLs with nextUpdate date in the past
...
produce an error (CVE-2011-3207)
2011-09-06 15:15:09 +00:00
Dr. Stephen Henson
2b3936e882
avoid verification loops in trusted store when path building
2010-12-25 20:45:59 +00:00
Dr. Stephen Henson
da7b0b2261
Submitted by: Jonathan Dixon <joth@chromium.org>
...
Reviewed by: steve
If store is NULL set flags correctly.
2010-11-02 15:58:58 +00:00
Dr. Stephen Henson
db28aa86e0
add -trusted_first option and verify flag
2010-02-25 12:21:48 +00:00
Dr. Stephen Henson
2da2ff5065
tidy verify code. xn not used any more and check for self signed more efficiently
2010-02-25 11:18:26 +00:00
Dr. Stephen Henson
fbd2164044
Experimental support for partial chain verification: if an intermediate
...
certificate is explicitly trusted (using -addtrust option to x509 utility
for example) the verification is sucessful even if the chain is not complete.
2010-02-25 00:17:22 +00:00
Dr. Stephen Henson
446a6a8af7
PR: 2103
...
Submitted by: Rob Austein <sra@hactrn.net>
Approved by: steve@openssl.org
Initialise atm.flags to 0.
2009-11-17 13:25:53 +00:00
Dr. Stephen Henson
2008e714f3
Add missing functions to allow access to newer X509_STORE_CTX status
...
information. Add more informative message to verify callback to indicate
when CRL path validation is taking place.
2009-10-31 19:22:18 +00:00
Dr. Stephen Henson
45cd59ac71
If not checking all certificates don't attempt to find a CRL
...
for the leaf certificate of a CRL path.
2009-10-23 12:06:35 +00:00
Dr. Stephen Henson
d11d977da4
Need to check <= 0 here.
2009-10-22 23:12:05 +00:00
Dr. Stephen Henson
4f59432c06
Oops, s can be NULL
2009-09-04 11:30:59 +00:00
Dr. Stephen Henson
17b5326ba9
PR: 2013
...
Submitted by: steve@openssl.org
Include a flag ASN1_STRING_FLAG_MSTRING when a multi string type is created.
This makes it possible to tell if the underlying type is UTCTime,
GeneralizedTime or Time when the structure is reused and X509_time_adj_ex()
can handle each case in an appropriate manner.
Add error checking to CRL generation in ca utility when nextUpdate is being
set.
2009-09-02 13:54:50 +00:00
Dr. Stephen Henson
f3be6c7b7d
Update from 1.0.0-stable.
2009-06-26 11:29:26 +00:00
Dr. Stephen Henson
31db43df08
Update from 0.9.8-stable.
2009-06-15 15:01:00 +00:00
Dr. Stephen Henson
e5fa864f62
Updates from 1.0.0-stable.
2009-04-15 15:27:03 +00:00
Dr. Stephen Henson
87d3a0cd90
Experimental new date handling routines. These fix issues with X509_time_adj()
...
and should avoid any OS date limitations such as the year 2038 bug.
2008-10-07 22:55:27 +00:00
Geoff Thorpe
fa0f834c20
Fix build warnings.
2008-09-15 04:02:37 +00:00
Ben Laurie
43048d13c8
Fix warning.
2008-09-07 13:22:34 +00:00
Dr. Stephen Henson
d43c4497ce
Initial support for delta CRLs. If "use deltas" flag is set attempt to find
...
a delta CRL in addition to a full CRL. Check and search delta in addition to
the base.
2008-09-01 15:15:16 +00:00
Dr. Stephen Henson
4b96839f06
Add support for CRLs partitioned by reason code.
...
Tidy CRL scoring system.
Add new CRL path validation error.
2008-08-29 11:37:21 +00:00
Dr. Stephen Henson
d0fff69dc9
Initial indirect CRL support.
2008-08-20 16:42:19 +00:00
Dr. Stephen Henson
9d84d4ed5e
Initial support for CRL path validation. This supports distinct certificate
...
and CRL signing keys.
2008-08-13 16:00:11 +00:00
Dr. Stephen Henson
2e0c7db950
Initial code to support distinct certificate and CRL signing keys where the
...
CRL issuer is not part of the main path.
Not complete yet and not compiled in because the CRL issuer certificate is
not validated.
2008-08-12 16:07:52 +00:00
Dr. Stephen Henson
002e66c0e8
Support for policy mappings extension.
...
Delete X509_POLICY_REF code.
Fix handling of invalid policy extensions to return the correct error.
Add command line option to inhibit policy mappings.
2008-08-12 10:32:56 +00:00
Dr. Stephen Henson
e9746e03ee
Initial support for name constraints certificate extension.
...
TODO: robustness checking on name forms.
2008-08-08 15:35:29 +00:00
Dr. Stephen Henson
3e727a3b37
Add support for nameRelativeToCRLIssuer field in distribution point name
...
fields.
2008-08-04 15:34:27 +00:00
Dr. Stephen Henson
5cbd203302
Initial support for alternative CRL issuing certificates.
...
Allow inibit any policy flag to be set in apps.
2008-07-30 15:49:12 +00:00
Dr. Stephen Henson
db50661fce
X509 verification fixes.
...
Ignore self issued certificates when checking path length constraints.
Duplicate OIDs in policy tree in case they are allocated.
Use anyPolicy from certificate cache and not current tree level.
2008-07-13 14:25:36 +00:00
Dr. Stephen Henson
56c7754cab
Avoid warnings.
2008-02-28 14:05:01 +00:00
Dr. Stephen Henson
a6fbcb4220
Change safestack reimplementation to match 0.9.8.
...
Fix additional gcc 4.2 value not used warnings.
2007-09-07 13:25:15 +00:00
Richard Levitte
82bf227e91
After objects have been freed, NULLify the pointers so there will be no double
...
free of those objects
2007-02-07 01:42:46 +00:00
Dr. Stephen Henson
560b79cbff
Constify version strings and some structures.
2007-01-21 13:07:17 +00:00
Nils Larsch
91b73acb19
use const ASN1_TIME *
2006-12-11 22:35:51 +00:00
Dr. Stephen Henson
10ca15f3fa
Fix change to OPENSSL_NO_RFC3779
2006-12-06 13:36:48 +00:00
Ben Laurie
96ea4ae91c
Add RFC 3779 support.
2006-11-27 14:18:05 +00:00
Dr. Stephen Henson
010fa0b331
Tidy up CRL handling by checking for critical extensions when it is
...
loaded. Add new function X509_CRL_get0_by_serial() to lookup a revoked
entry to avoid the need to access the structure directly.
Add new X509_CRL_METHOD to allow common CRL operations (verify, lookup) to be
redirected.
2006-09-21 12:42:15 +00:00