Change logic for default trust anchors, make it be either default

trust anchor, the user supplied, or none at all.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21066 ec53bebd-3082-4978-b11e-865c3cabbd6b
Love Hörnquist Åstrand
2007-06-12 19:29:56 +00:00
parent 7e4d71a9bc
commit 28ec0adc8b


@@ -43,6 +43,7 @@ struct hx509_verify_ctx_data {
#define HX509_VERIFY_CTX_F_ALLOW_PROXY_CERTIFICATE 2 #define HX509_VERIFY_CTX_F_ALLOW_PROXY_CERTIFICATE 2
#define HX509_VERIFY_CTX_F_REQUIRE_RFC3280 4 #define HX509_VERIFY_CTX_F_REQUIRE_RFC3280 4
#define HX509_VERIFY_CTX_F_CHECK_TRUST_ANCHORS 8 #define HX509_VERIFY_CTX_F_CHECK_TRUST_ANCHORS 8
#define HX509_VERIFY_CTX_F_NO_DEFAULT_ANCHORS 16
time_t time_now; time_t time_now;
unsigned int max_depth; unsigned int max_depth;
#define HX509_VERIFY_MAX_DEPTH 30 #define HX509_VERIFY_MAX_DEPTH 30
@@ -51,6 +52,7 @@ struct hx509_verify_ctx_data {
#define REQUIRE_RFC3280(ctx) ((ctx)->flags & HX509_VERIFY_CTX_F_REQUIRE_RFC3280) #define REQUIRE_RFC3280(ctx) ((ctx)->flags & HX509_VERIFY_CTX_F_REQUIRE_RFC3280)
#define CHECK_TA(ctx) ((ctx)->flags & HX509_VERIFY_CTX_F_CHECK_TRUST_ANCHORS) #define CHECK_TA(ctx) ((ctx)->flags & HX509_VERIFY_CTX_F_CHECK_TRUST_ANCHORS)
#define ALLOW_DEF_TA(ctx) (((ctx)->flags & HX509_VERIFY_CTX_F_NO_DEFAULT_ANCHORS) == 0)
struct _hx509_cert_attrs { struct _hx509_cert_attrs {
size_t len; size_t len;
@@ -291,10 +293,10 @@ hx509_cert
hx509_cert_ref(hx509_cert cert) hx509_cert_ref(hx509_cert cert)
{ {
if (cert->ref <= 0) if (cert->ref <= 0)
_hx509_abort("refcount <= 0"); _hx509_abort("cert refcount <= 0");
cert->ref++; cert->ref++;
if (cert->ref == 0) if (cert->ref == 0)
_hx509_abort("refcount == 0"); _hx509_abort("cert refcount == 0");
return cert; return cert;
} }
@@ -359,6 +361,15 @@ hx509_verify_set_strict_rfc3280_verification(hx509_verify_ctx ctx, int boolean)
ctx->flags &= ~HX509_VERIFY_CTX_F_REQUIRE_RFC3280; ctx->flags &= ~HX509_VERIFY_CTX_F_REQUIRE_RFC3280;
} }
void
hx509_verify_ctx_f_allow_default_trustanchors(hx509_verify_ctx ctx, int boolean)
{
if (boolean)
ctx->flags |= HX509_VERIFY_CTX_F_NO_DEFAULT_ANCHORS;
else
ctx->flags &= ~HX509_VERIFY_CTX_F_NO_DEFAULT_ANCHORS;
}
static const Extension * static const Extension *
find_extension(const Certificate *cert, const heim_oid *oid, int *idx) find_extension(const Certificate *cert, const heim_oid *oid, int *idx)
{ {
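Review bot: In `hx509_verify_ctx_f_allow_default_trustanchors` the polarity looks inverted: a non-zero `boolean` sets `HX509_VERIFY_CTX_F_NO_DEFAULT_ANCHORS`, which makes `ALLOW_DEF_TA(ctx)` false, so asking to allow the default anchors disables them and passing 0 enables them. Because the new code in `hx509_verify_path` falls back to `context->default_trust_anchors` only when `ALLOW_DEF_TA(ctx)` holds, a caller that passes 0 to restrict verification to its own anchors would still get the default set whenever `ctx->trust_anchors` is unset (callers are not visible here, so the impact is inferred). Swapping the branches fixes it: `if (boolean) ctx->flags &= ~HX509_VERIFY_CTX_F_NO_DEFAULT_ANCHORS;` and `else ctx->flags |= HX509_VERIFY_CTX_F_NO_DEFAULT_ANCHORS;`. A short comment above the function stating that the default is to allow the default anchors would also help.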
@@ -1488,15 +1499,15 @@ hx509_verify_path(hx509_context context,
/* /*
* *
*/ */
ret = hx509_certs_init(context, "MEMORY:trust-anchors", 0, NULL, &anchors); if (ctx->trust_anchors)
if (ret) anchors = _hx509_certs_ref(ctx->trust_anchors);
goto out; else if (context->default_trust_anchors && ALLOW_DEF_TA(ctx))
ret = hx509_certs_merge(context, anchors, ctx->trust_anchors); anchors = _hx509_certs_ref(context->default_trust_anchors);
if (ret) else {
goto out; ret = hx509_certs_init(context, "MEMORY:no-TA", 0, NULL, &anchors);
ret = hx509_certs_merge(context, anchors, context->default_trust_anchors);
if (ret) if (ret)
goto out; goto out;
}
/* /*
* Calculate the path from the certificate user presented to the * Calculate the path from the certificate user presented to the