From b7e071d468fd49ea9bbc98532eb8d0fff0bf974a Mon Sep 17 00:00:00 2001 From: jsing <> Date: Tue, 3 Nov 2020 17:22:45 +0000 Subject: Hook X509_STORE_CTX get_issuer() callback from new X509 verifier. If we fail to find a parent certificate from either the supplied roots or intermediates and we have a X509_STORE_CTX, call its get_issuer() callback to see if it can supply a suitable certificate. This makes things like certificates by directory (aka by_dir) work correctly. Issue noted by Uwe Werler ok beck@ tb@ --- src/lib/libcrypto/x509/x509_verify.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) (limited to 'src/lib') diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c index 124d4ba34e..6ab1cad2ad 100644 --- a/src/lib/libcrypto/x509/x509_verify.c +++ b/src/lib/libcrypto/x509/x509_verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_verify.c,v 1.16 2020/10/26 12:01:01 tb Exp $ */ +/* $OpenBSD: x509_verify.c,v 1.17 2020/11/03 17:22:45 jsing Exp $ */ /* * Copyright (c) 2020 Bob Beck * @@ -401,7 +401,7 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, { unsigned char cert_md[EVP_MAX_MD_SIZE] = { 0 }; X509 *candidate; - int i, depth, count; + int i, depth, count, ret; depth = sk_X509_num(current_chain->certs); if (depth > 0) @@ -428,7 +428,6 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, cert_md, 1, candidate, current_chain); } } - if (ctx->intermediates != NULL) { for (i = 0; i < sk_X509_num(ctx->intermediates); i++) { candidate = sk_X509_value(ctx->intermediates, i); @@ -438,6 +437,21 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, } } } + if (ctx->xsc != NULL) { + if ((ret = ctx->xsc->get_issuer(&candidate, ctx->xsc, cert)) < 0) { + x509_verify_cert_error(ctx, cert, depth, + X509_V_ERR_STORE_LOOKUP, 0); + return; + } + if (ret > 0) { + if (x509_verify_potential_parent(ctx, candidate, cert)) { + x509_verify_consider_candidate(ctx, cert, + cert_md, 1, candidate, current_chain); + } + X509_free(candidate); + } + } + if (ctx->chains_count > count) { if (ctx->xsc != NULL) { ctx->xsc->error = X509_V_OK; -- cgit v1.2.3-55-g6feb