Hi Steve,
Dr. Stephen Henson wrote:
On Tue, Sep 14, 2004, Goetz Babin-Ebell wrote:
I still would propose the following logic: a) CRL is valid (regarding issuance time) if thisUpdate >= checkTime and thisUpdate <= now. b) CRL is considered to be able to deliver revocation information if thisUpdate <= notAfter from the certificate (because after that time the certificate might be removed from the CRL).
That could certainly be added as a verify flag but I'm a bit wary of doing that by default.
Would something like the attached patch be acceptable? (Please ignore the version info in the diff.)
This patch also adds a check of the revocation time against the checkTime.
Bye
Goetz
-- Goetz Babin-Ebell, software designer, TC TrustCenter AG, Sonninstr. 24-28, 20097 Hamburg, Germany Office: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126 www.trustcenter.de www.betrusted.com
Index: x509_vfy.c
===================================================================
RCS file: /usr/cvsroot/openssl/crypto/x509/x509_vfy.c,v
retrieving revision 1.11
diff -u -r1.11 x509_vfy.c
--- x509_vfy.c 2004/03/17 16:37:10 1.11
+++ x509_vfy.c 2004/09/15 16:35:17
@@ -587,9 +587,14 @@
if (i > 0)
{
- ctx->error=X509_V_ERR_CRL_NOT_YET_VALID;
- ok = ctx->verify_cb(0, ctx);
- if (!ok) goto err;
+ if ( !(ctx->flags & X509_V_FLAG_USE_CHECK_TIME) ||
+ !(ctx->flags & X509_V_FLAG_ACCEPT_NEWER_CRL) ||
+ (X509_cmp_time(X509_CRL_get_lastUpdate(crl), NULL)>=0) )
+ {
+ ctx->error=X509_V_ERR_CRL_NOT_YET_VALID;
+ ok = ctx->verify_cb(0, ctx);
+ if (!ok) goto err;
+ }
}
if(X509_CRL_get_nextUpdate(crl))
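Review bot: The new condition at L24-L26 lets a CRL whose thisUpdate is after check_time pass only when both X509_V_FLAG_USE_CHECK_TIME and X509_V_FLAG_ACCEPT_NEWER_CRL are set and the CRL is not also issued after the current time; that three-way rule is not obvious from the negated expression and should be stated in a comment, e.g. `/* A CRL issued after check_time is tolerated only with USE_CHECK_TIME and ACCEPT_NEWER_CRL both set, and only if it is not also dated after the current time. */`. X509_cmp_time() reports a time it cannot parse with 0, and the `>= 0` test keeps that case on the not-yet-valid path, which is the right fail-closed default and is worth noting in the same comment. The enclosing function starts and ends outside the hunk.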
@@ -621,10 +626,11 @@
/* Check certificate against CRL */
static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
{
- int idx, ok;
+ int idx, ok, cmp;
X509_REVOKED rtmp;
STACK_OF(X509_EXTENSION) *exts;
X509_EXTENSION *ext;
+ ASN1_TIME *crltime, *certtime;
/* Look for serial number of certificate in CRL */
rtmp.serialNumber = X509_get_serialNumber(x);
idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp);
@@ -633,7 +639,46 @@
*/
if(idx >= 0)
{
- ctx->error = X509_V_ERR_CERT_REVOKED;
+ /* now check the revocation date (if available) */
+ X509_REVOKED *ptmp = sk_X509_REVOKED_value(crl->crl->revoked,idx);
+ cmp = 1; /* default: assume revoked before date */
+ if (ctx->flags & X509_V_FLAG_USE_CHECK_TIME &&
+ ptmp && ptmp->revocationDate)
+ {
+ time_t *ptime = &ctx->check_time;
+ cmp = X509_cmp_time(ptmp->revocationDate, ptime);
+ if (cmp > 0) cmp = 0; /* revoked after check time */
+ else cmp = 1; /* revoked before check time*/
+ }
+ if (cmp > 0)
+ {
+ ctx->error = X509_V_ERR_CERT_REVOKED;
+ ok = ctx->verify_cb(0, ctx);
+ if (!ok) return 0;
+ }
+ }
+
+ // if crl.ThisUpdate > certificate.notValidAfter the serial number may have
been removed from CRL
+ // -> do not trust
+ certtime = X509_get_notAfter(x);
+ crltime = X509_CRL_get_lastUpdate(crl);
+ if (certtime->type == crltime->type)
+ cmp = ASN1_STRING_cmp(crltime, certtime);
+ else
+ {
+ ASN1_GENERALIZEDTIME *certt=
ASN1_TIME_to_generalizedtime(certtime,NULL);
+ ASN1_GENERALIZEDTIME *crlt = ASN1_TIME_to_generalizedtime(crltime,
NULL);
+ if (certt && crlt)
+ cmp = ASN1_STRING_cmp(crlt, certt);
+ else
+ cmp = 1;
+ if (certt) ASN1_GENERALIZEDTIME_free(certt);
+ if (crlt) ASN1_GENERALIZEDTIME_free(crlt);
+ }
+
+ if (cmp > 0)
+ {// this CRL is too old, we are not able to get the right one
+ ctx->error= X509_V_ERR_UNABLE_TO_GET_CRL;
ok = ctx->verify_cb(0, ctx);
if (!ok) return 0;
}
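Review bot: The same-type shortcut at L76-L77 compares two UTCTime values with ASN1_STRING_cmp(), which is a length-then-bytewise comparison, so two-digit years are ordered wrongly across the 1950/2050 pivot and any length difference decides the result before the date does; only the conversion path in the else branch yields a chronological order. Converting both values to GeneralizedTime unconditionally removes the shortcut and the mis-ordering, as sketched below (the length-first behaviour of ASN1_STRING_cmp still applies if either converted value carries fractional seconds, which may need a separate check). The two rejections on error — the `else cmp = 1` in the revocation-date block, which X509_cmp_time()'s 0-on-error return reaches and which turns a parse failure into "revoked", and `cmp = 1` on conversion failure — are fail-closed but implicit, so each deserves a one-line comment saying so. The `//` comments at L71-L73 and L93 are not the `/* */` style the surrounding file uses, and the comment line and the two ASN1_TIME_to_generalizedtime() calls are wrapped by the mailer at L71-L72, L80-L81 and L82-L83, so the patch as posted will not apply cleanly; cert_crl() appears to continue past the hunk.
```c
    /* Compare through GeneralizedTime: a byte-wise ASN1_STRING_cmp() on
     * UTCTime orders two-digit years wrongly across the 1950/2050 pivot. */
    certtime = X509_get_notAfter(x);
    crltime = X509_CRL_get_lastUpdate(crl);
    {
    ASN1_GENERALIZEDTIME *certt = ASN1_TIME_to_generalizedtime(certtime, NULL);
    ASN1_GENERALIZEDTIME *crlt = ASN1_TIME_to_generalizedtime(crltime, NULL);
    if (certt && crlt)
        cmp = ASN1_STRING_cmp(crlt, certt);
    else
        cmp = 1; /* conversion failed: treat as "CRL too old" (fail closed) */
    if (certt) ASN1_GENERALIZEDTIME_free(certt);
    if (crlt) ASN1_GENERALIZEDTIME_free(crlt);
    }
    /* ... unchanged: cmp > 0 -> X509_V_ERR_UNABLE_TO_GET_CRL via verify_cb ... */
```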
Index: x509_vfy.h
===================================================================
RCS file: /usr/cvsroot/openssl/crypto/x509/x509_vfy.h,v
retrieving revision 1.7
diff -u -r1.7 x509_vfy.h
--- x509_vfy.h 2004/03/17 16:37:10 1.7
+++ x509_vfy.h 2004/09/15 16:35:17
@@ -324,6 +324,8 @@
#define X509_V_FLAG_IGNORE_CRITICAL 0x10
/* Disable workarounds for broken certificates */
#define X509_V_FLAG_X509_STRICT 0x20
+/* on check cert with time: accept CRLs that are issued after check time */
+#define X509_V_FLAG_ACCEPT_NEWER_CRL 0x40
int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
X509_NAME *name);
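Review bot: The comment on the new flag at L109 is hard to parse ("on check cert with time") and omits that the flag has no effect unless X509_V_FLAG_USE_CHECK_TIME is also set, which the x509_vfy.c change tests first; suggest `/* With X509_V_FLAG_USE_CHECK_TIME: accept a CRL whose thisUpdate is after the check time, provided it is not after the current time */`. The value 0x40 should also be checked against flag bits defined elsewhere in the header, since only 0x10 and 0x20 are visible in the hunk.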
