Add a strict rfc3280 verification flag. rfc3280 requires certificates

to have KeyUsage.keyCertSign if they are to be used for signing of
certificates, but the step in the verification is optional.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@18086 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2006-09-15 05:59:35 +00:00
parent 697eae9c9d
commit 41e00c0c70


@@ -35,18 +35,20 @@
RCSID("$Id$"); RCSID("$Id$");
#include "crypto-headers.h" #include "crypto-headers.h"
struct hx509_verify_ctx_data { struct hx509_verify_ctx_data {
hx509_certs trust_anchors; hx509_certs trust_anchors;
int flags; int flags;
#define HX509_VERIFY_CTX_F_TIME_SET 1 #define HX509_VERIFY_CTX_F_TIME_SET 1
#define HX509_VERIFY_CTX_F_ALLOW_PROXY_CERTIFICATE 2 #define HX509_VERIFY_CTX_F_ALLOW_PROXY_CERTIFICATE 2
#define HX509_VERIFY_CTX_F_REQUIRE_RFC3280 4
time_t time_now; time_t time_now;
unsigned int max_depth; unsigned int max_depth;
#define HX509_VERIFY_MAX_DEPTH 30 #define HX509_VERIFY_MAX_DEPTH 30
hx509_revoke_ctx revoke_ctx; hx509_revoke_ctx revoke_ctx;
}; };
#define REQUIRE_RFC3280(ctx) ((ctx)->flags & HX509_VERIFY_CTX_F_REQUIRE_RFC3280)
struct _hx509_cert_attrs { struct _hx509_cert_attrs {
size_t len; size_t len;
hx509_cert_attribute *val; hx509_cert_attribute *val;
@@ -333,6 +335,15 @@ hx509_verify_set_proxy_certificate(hx509_verify_ctx ctx, int boolean)
ctx->flags &= ~HX509_VERIFY_CTX_F_ALLOW_PROXY_CERTIFICATE; ctx->flags &= ~HX509_VERIFY_CTX_F_ALLOW_PROXY_CERTIFICATE;
} }
void
hx509_verify_set_strict_rfc3280_verification(hx509_verify_ctx ctx, int boolean)
{
if (boolean)
ctx->flags |= HX509_VERIFY_CTX_F_REQUIRE_RFC3280;
else
ctx->flags &= ~HX509_VERIFY_CTX_F_REQUIRE_RFC3280;
}
static const Extension * static const Extension *
find_extension(const Certificate *cert, const heim_oid *oid, int *idx) find_extension(const Certificate *cert, const heim_oid *oid, int *idx)
{ {
@@ -752,11 +763,14 @@ find_parent(hx509_context context,
} }
} }
#if 0
/* /*
* Assume trust anchors isn't proxy certificates, require * Assume trust anchors isn't proxy certificates, require
* KeyUsage.KeyCertSign * KeyUsage.KeyCertSign
*/ */
q.match |= HX509_QUERY_KU_KEYCERTSIGN; q.match |= HX509_QUERY_KU_KEYCERTSIGN;
#endif
ret = hx509_certs_find(context, trust_anchors, &q, parent); ret = hx509_certs_find(context, trust_anchors, &q, parent);
if (ret == 0) { if (ret == 0) {
free_AuthorityKeyIdentifier(&ai); free_AuthorityKeyIdentifier(&ai);
@@ -782,7 +796,7 @@ find_parent(hx509_context context,
} }
hx509_set_error_string(context, 0, HX509_ISSUER_NOT_FOUND, hx509_set_error_string(context, 0, HX509_ISSUER_NOT_FOUND,
"Failed to find issuer for" "Failed to find issuer for "
"certificate with subject: %s", str); "certificate with subject: %s", str);
free(str); free(str);
} }
@@ -1398,7 +1412,9 @@ hx509_verify_path(hx509_context context,
switch (type) { switch (type) {
case CA_CERT: case CA_CERT:
ret = check_key_usage(context, c, 1 << 5, TRUE); /* XXX make constants */ /* XXX make constants for keyusage */
ret = check_key_usage(context, c, 1 << 5,
REQUIRE_RFC3280(ctx) ? TRUE : FALSE);
if (ret) if (ret)
goto out; goto out;
break; break;
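Review bot: With the new flag clear by default, the `CA_CERT` case at `check_key_usage(context, c, 1 << 5, REQUIRE_RFC3280(ctx) ? TRUE : FALSE)` now accepts an intermediate or trust-anchor CA certificate that lacks KeyUsage.keyCertSign unless the caller opts into strict mode, whereas the removed line enforced it unconditionally; that loosening of the default deserves a comment at the call site, e.g. `/* keyCertSign (bit 5) is mandatory only in strict rfc3280 mode; otherwise a missing bit is tolerated */`. The `1 << 5` literal still carries only the XXX note; giving it a named constant alongside the other key-usage bits would make the RFC 3280 reference checkable by readers. In the find_parent hunk the trust-anchor `HX509_QUERY_KU_KEYCERTSIGN` match is disabled outright with `#if 0` rather than tied to the same flag, so strict mode presumably does not restore it; if the verify context is reachable in find_parent, gating that line on `REQUIRE_RFC3280(ctx)` would keep the two checks consistent. hx509_verify_path's body continues outside the hunk.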