Fix the verifier to use the trust store

the trust store is yet another obscure way to add a trust anchor
author: beck <> 2024-02-01 23:16:38 +0000
committer: beck <> 2024-02-01 23:16:38 +0000
commit: 62ef18e423cd8c7565d847dcaab4b8f450e709c8 (patch)
tree: e81e5d5b6df5169c4c0066932a5d84091614d019
parent: 9a5bd9b75cf441125c089dafcb5438192c5316ee (diff)
download: openbsd-62ef18e423cd8c7565d847dcaab4b8f450e709c8.tar.gz
openbsd-62ef18e423cd8c7565d847dcaab4b8f450e709c8.tar.bz2
openbsd-62ef18e423cd8c7565d847dcaab4b8f450e709c8.zip
1 files changed, 13 insertions, 1 deletions
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index c4c89a23b9..19bb925d9c 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.67 2023/11/13 10:33:00 tb Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.68 2024/02/01 23:16:38 beck Exp $ */
 /*
 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
 *
@@ -287,6 +287,18 @@ x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert,
        /* Check by lookup if we have a legacy xsc */
        if (ctx->xsc != NULL) {
+                /*
+                 * "alternative" lookup method, using the "trusted" stack in the
+                 * xsc as the source for roots.
+                 */
+                if (ctx->xsc->trusted != NULL) {
+                        for (i = 0; i < sk_X509_num(ctx->xsc->trusted); i++) {
+                                if (X509_cmp(sk_X509_value(ctx->xsc->trusted,
+                                    i), cert) == 0)
+                                        return x509_verify_check_chain_end(cert,
+                                            full_chain);
+                        }
+                }
                if ((match = x509_vfy_lookup_cert_match(ctx->xsc,
                    cert)) != NULL) {
                        X509_free(match);
author	beck <>	2024-02-01 23:16:38 +0000
committer	beck <>	2024-02-01 23:16:38 +0000
commit	62ef18e423cd8c7565d847dcaab4b8f450e709c8 (patch)
tree	e81e5d5b6df5169c4c0066932a5d84091614d019
parent	9a5bd9b75cf441125c089dafcb5438192c5316ee (diff)
download	openbsd-62ef18e423cd8c7565d847dcaab4b8f450e709c8.tar.gz openbsd-62ef18e423cd8c7565d847dcaab4b8f450e709c8.tar.bz2 openbsd-62ef18e423cd8c7565d847dcaab4b8f450e709c8.zip

diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c index c4c89a23b9..19bb925d9c 100644 --- a/src/lib/libcrypto/x509/x509_verify.c +++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_verify.c,v 1.67 2023/11/13 10:33:00 tb Exp $ */	1	/* $OpenBSD: x509_verify.c,v 1.68 2024/02/01 23:16:38 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
4	*	4	*
@@ -287,6 +287,18 @@ x509_verify_ctx_cert_is_root(struct x509_verify_ctx ctx, X509 cert,
287		287
288	/* Check by lookup if we have a legacy xsc */	288	/* Check by lookup if we have a legacy xsc */
289	if (ctx->xsc != NULL) {	289	if (ctx->xsc != NULL) {
		290	/*
		291	* "alternative" lookup method, using the "trusted" stack in the
		292	* xsc as the source for roots.
		293	*/
		294	if (ctx->xsc->trusted != NULL) {
		295	for (i = 0; i < sk_X509_num(ctx->xsc->trusted); i++) {
		296	if (X509_cmp(sk_X509_value(ctx->xsc->trusted,
		297	i), cert) == 0)
		298	return x509_verify_check_chain_end(cert,
		299	full_chain);
		300	}
		301	}
290	if ((match = x509_vfy_lookup_cert_match(ctx->xsc,	302	if ((match = x509_vfy_lookup_cert_match(ctx->xsc,
291	cert)) != NULL) {	303	cert)) != NULL) {
292	X509_free(match);	304	X509_free(match);