On 01/ 8/18 04:46 PM, Misaki Miyashita wrote:
(switching the alias to openssl-dev@openssl.org)

I would like to suggest the following fix so that a valid certificate at <hash>.x can be recognized during the cert validation even when <hash>.0 is linking to a bad/expired certificate. This may not be the most elegant solution, but it is a minimal change with low impact to the rest of the code.

Could I possibly get a review on the change, and possibly have it considered for integration upstream?
(This is for the 1.0.1 branch)

Sorry, I meant to say it is for the 1.0.2 branch.


Thanks in advance.

-- misaki


--- a/crypto/x509/x509_vfy.c    2017-11-02 07:32:58.000000000 -0700
+++ b/crypto/x509/x509_vfy.c    2017-12-11 12:37:55.591835780 -0800
@@ -185,6 +185,39 @@
     return xtmp;
 }

+/*
+ * Look through the trust store setup by get_issuer() and
+ * return the certificate which matches the server cert 'x'
+ * via 'xtmp'.
+ */
+static int X509_get_cert(X509 **xtmp, X509_STORE_CTX *ctx, X509 *x)
+{
+    X509_OBJECT    *tmp;
+    int            i;
+    int            ret = 0;
+
+    CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+    for (i = 0; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++) {
+        tmp = sk_X509_OBJECT_value(ctx->ctx->objs, i);
+        if (tmp == NULL) {
+            goto exit;
+        }
+        if (X509_cmp(tmp->data.x509, x) == 0) {
+            /*
+             * Found the cert in the trust store which matches the
+             * server cert.  Increment the ref count and return.
+             */
+            X509_OBJECT_up_ref_count(tmp);
+            *xtmp = tmp->data.x509;
+            ret = 1;
+            goto exit;
+        }
+    }
+exit:
+    CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+    return ret;
+}
+
 int X509_verify_cert(X509_STORE_CTX *ctx)
 {
     X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
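Review bot: X509_get_cert() reads tmp->data.x509 for every object in ctx->ctx->objs without first checking tmp->type == X509_LU_X509, so a CRL loaded into the same store would be handed to X509_cmp() as if it were a certificate; add `if (tmp->type != X509_LU_X509) continue;` before the comparison. Two smaller points: a file-static helper should not carry the public `X509_` prefix (a name like `get_exact_match` avoids a future clash with the library API), and the loop walks the whole store linearly where the existing X509_OBJECT_retrieve_match() in x509_lu.c already performs an exact-match search limited to objects with the same subject. The comment above the function should also state that the certificate returned in *xtmp carries a reference (X509_OBJECT_up_ref_count) that the caller must release with X509_free().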
@@ -316,9 +350,13 @@
* We have a single self signed certificate: see if we can * find it in the store. We must have an exact match to avoid
                  * possible impersonation.
+ * get_issuer() sets up the trust store for the subject and + * returns the first cert via 'xtmp'. The first cert in the + * trust store may not be the certificate that we are interested + * in. Look through the trust store to see there is an exact match.
                  */
                 ok = ctx->get_issuer(&xtmp, ctx, x);
-                if ((ok <= 0) || X509_cmp(x, xtmp)) {
+                if ((ok <= 0) || (X509_get_cert(&xtmp, ctx, x) != 1)) {
                     ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
                     ctx->current_cert = x;
                     ctx->error_depth = i - 1;
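Review bot: the certificate that get_issuer() hands back in xtmp when ok == 1 is leaked on the success path: X509_get_cert(&xtmp, ctx, x) overwrites xtmp with a second, separately up-ref'd certificate and nothing frees the first one. Release it before the search, e.g. `if (ok > 0) X509_free(xtmp);` ahead of the new condition, or search into a separate output variable and free the get_issuer() result in both branches. The added comment block also has a typo, "see there is an exact match" should read "see if there is an exact match", and it is worth noting in that comment that the helper leaves *xtmp untouched when it finds no match, since the existing error handling relies on xtmp still holding the get_issuer() result in that case.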


On 10/21/17 03:21 PM, Viktor Dukhovni wrote:

On Oct 21, 2017, at 11:20 AM, Misaki Miyashita <misaki.miyash...@oracle.com> wrote:

We encountered a problem using OpenLDAP with OpenSSL when there were more than one certificate with the same subject.

Does OpenSSL stop searching for a valid certificate when it finds a certificate with matching DN?

Yes, when a matching issuer is found in the trust store, but is expired
no alternative certificates will be tested.  You need to remove outdated
issuer certificates from your trust store before they expire.
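As an added illustration (not code from this thread or from OpenSSL) of the behaviour Viktor describes, the small C model below stands in for a c_rehash-style trust directory of <hash>.N links. It contrasts the first-match lookup (the first link with the right subject hash wins, even if expired) with the exact-match search the proposed patch adds, and then implements the defender-side check that follows from the advice above: find subjects whose .0 link has expired while a later link for the same subject is still valid, which are exactly the stale entries to remove and rehash. The store contents, subject hashes, fingerprints and timestamps are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed model (not OpenSSL code) of one entry in a c_rehash-style
 * trust directory, i.e. one <subject_hash>.<index> link. */
struct trust_entry {
    const char *subject_hash;  /* the <hash> part of <hash>.N */
    int index;                 /* the N part */
    const char *fingerprint;   /* stands in for the exact identity X509_cmp() checks */
    time_t not_after;          /* expiry as a Unix timestamp */
};

/* Constructed sample store, in lookup order: two certificates share the
 * subject hash "a1b2c3d4"; the .0 link points at an expired certificate and
 * the .1 link at its still-valid replacement. */
static const struct trust_entry STORE[] = {
    { "a1b2c3d4", 0, "fp-old-expired", 1500000000 }, /* expired mid-2017 */
    { "a1b2c3d4", 1, "fp-new-valid",   2000000000 }, /* valid until 2033 */
    { "99887766", 0, "fp-other",       2000000000 },
};
#define STORE_LEN (sizeof STORE / sizeof STORE[0])

/* Behaviour described in the thread: the first link whose subject hash
 * matches is taken and no alternative is tried.  Returns an index into
 * STORE, or -1 when the subject is not in the store. */
int lookup_first_by_subject(const char *subject_hash)
{
    size_t i;
    for (i = 0; i < STORE_LEN; i++)
        if (strcmp(STORE[i].subject_hash, subject_hash) == 0)
            return (int)i;
    return -1;
}

/* What the proposed helper does instead: keep scanning entries with the
 * same subject until one matches the exact certificate identity. */
int lookup_exact(const char *subject_hash, const char *fingerprint)
{
    size_t i;
    for (i = 0; i < STORE_LEN; i++)
        if (strcmp(STORE[i].subject_hash, subject_hash) == 0 &&
            strcmp(STORE[i].fingerprint, fingerprint) == 0)
            return (int)i;
    return -1;
}

/* 1 if the entry is still within its validity period at 'now', else 0. */
int entry_is_valid_at(int idx, time_t now)
{
    return STORE[idx].not_after > now;
}

/* Defender's check for the situation in the thread: report every subject
 * whose first-match link has expired while a later link for the same
 * subject is still valid.  Those are the stale links to remove and rehash
 * before clients start failing.  Writes up to max_out subject hashes into
 * out (out may be NULL) and returns the total number found. */
int audit_stale_first_links(time_t now, const char **out, int max_out)
{
    int found = 0;
    size_t i, j;

    for (i = 0; i < STORE_LEN; i++) {
        /* Only the link that first-match lookup would actually return matters. */
        if (lookup_first_by_subject(STORE[i].subject_hash) != (int)i)
            continue;
        if (entry_is_valid_at((int)i, now))
            continue;
        for (j = i + 1; j < STORE_LEN; j++) {
            if (strcmp(STORE[j].subject_hash, STORE[i].subject_hash) == 0 &&
                entry_is_valid_at((int)j, now)) {
                if (out != NULL && found < max_out)
                    out[found] = STORE[i].subject_hash;
                found++;
                break;
            }
        }
    }
    return found;
}

int main(void)
{
    time_t now = 1515444360;       /* constructed "today": 2018-01-08 */
    const char *stale[STORE_LEN];
    int n = audit_stale_first_links(now, stale, (int)STORE_LEN);
    int first = lookup_first_by_subject("a1b2c3d4");
    int i;

    printf("first-match for a1b2c3d4 -> .%d (%s)\n", STORE[first].index,
           entry_is_valid_at(first, now) ? "valid" : "EXPIRED");
    printf("exact-match for a1b2c3d4/fp-new-valid -> .%d\n",
           STORE[lookup_exact("a1b2c3d4", "fp-new-valid")].index);
    for (i = 0; i < n; i++)
        printf("stale first link for subject %s (newer valid link exists)\n", stale[i]);
    return 0;
}
```

Run against a real trust directory, the same audit reduces to comparing each <hash>.0 certificate's notAfter with its <hash>.N siblings; the point of the model is that the first-match rule makes the ordering of the links, not merely their presence, decide whether verification succeeds.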



--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
