oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Change logic for default trust anchors, make it be either default

Browse Source 
trust anchor, the user supplied, or non at all.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21066 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2007-06-12 19:29:56 +00:00
parent 7e4d71a9bc
commit 28ec0adc8b
1 changed files with 22 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
lib/hx509/cert.c
View File

@@ -43,6 +43,7 @@ struct hx509_verify_ctx_data {
#define HX509_VERIFY_CTX_F_ALLOW_PROXY_CERTIFICATE 2
#define HX509_VERIFY_CTX_F_REQUIRE_RFC3280 4
#define HX509_VERIFY_CTX_F_CHECK_TRUST_ANCHORS 8
#define HX509_VERIFY_CTX_F_NO_DEFAULT_ANCHORS 16
time_t time_now;
unsigned int max_depth;
#define HX509_VERIFY_MAX_DEPTH 30
@@ -51,6 +52,7 @@ struct hx509_verify_ctx_data {
#define REQUIRE_RFC3280(ctx) ((ctx)->flags & HX509_VERIFY_CTX_F_REQUIRE_RFC3280)
#define CHECK_TA(ctx) ((ctx)->flags & HX509_VERIFY_CTX_F_CHECK_TRUST_ANCHORS)
#define ALLOW_DEF_TA(ctx) (((ctx)->flags & HX509_VERIFY_CTX_F_NO_DEFAULT_ANCHORS) == 0)
struct _hx509_cert_attrs {
size_t len;
@@ -291,10 +293,10 @@ hx509_cert
hx509_cert_ref(hx509_cert cert)
{
if (cert->ref <= 0)
_hx509_abort("refcount <= 0");
_hx509_abort("cert refcount <= 0");
cert->ref++;
if (cert->ref == 0)
_hx509_abort("refcount == 0");
_hx509_abort("cert refcount == 0");
return cert;
}
@@ -359,6 +361,15 @@ hx509_verify_set_strict_rfc3280_verification(hx509_verify_ctx ctx, int boolean)
ctx->flags &= ~HX509_VERIFY_CTX_F_REQUIRE_RFC3280;
}
void
hx509_verify_ctx_f_allow_default_trustanchors(hx509_verify_ctx ctx, int boolean)
{
if (boolean)
ctx->flags |= HX509_VERIFY_CTX_F_NO_DEFAULT_ANCHORS;
else
ctx->flags &= ~HX509_VERIFY_CTX_F_NO_DEFAULT_ANCHORS;
}
static const Extension *
find_extension(const Certificate *cert, const heim_oid *oid, int *idx)
{
@@ -1488,15 +1499,15 @@ hx509_verify_path(hx509_context context,
/*
*
*/
ret = hx509_certs_init(context, "MEMORY:trust-anchors", 0, NULL, &anchors);
if (ret)
goto out;
ret = hx509_certs_merge(context, anchors, ctx->trust_anchors);
if (ret)
goto out;
ret = hx509_certs_merge(context, anchors, context->default_trust_anchors);
if (ret)
goto out;
if (ctx->trust_anchors)
anchors = _hx509_certs_ref(ctx->trust_anchors);
else if (context->default_trust_anchors && ALLOW_DEF_TA(ctx))
anchors = _hx509_certs_ref(context->default_trust_anchors);
else {
ret = hx509_certs_init(context, "MEMORY:no-TA", 0, NULL, &anchors);
if (ret)
goto out;
}
/*
* Calculate the path from the certificate user presented to the