-/* $OpenBSD: x509_internal.h,v 1.8 2021/07/10 15:52:59 beck Exp $ */
+/* $OpenBSD: x509_internal.h,v 1.9 2021/08/19 03:44:00 beck Exp $ */
/*
* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
*
int x509_vfy_check_trust(X509_STORE_CTX *ctx);
int x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx);
void x509v3_cache_extensions(X509 *x);
+X509 *x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x);
int x509_verify_asn1_time_to_tm(const ASN1_TIME *atime, struct tm *tm,
int notafter);
-/* $OpenBSD: x509_verify.c,v 1.41 2021/08/18 15:32:38 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.42 2021/08/19 03:44:00 beck Exp $ */
/*
* Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
*
x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert,
int full_chain)
{
+ X509 *match = NULL;
int i;
if (!x509_verify_cert_cache_extensions(cert))
return 0;
+ /* Check the provided roots */
for (i = 0; i < sk_X509_num(ctx->roots); i++) {
if (X509_cmp(sk_X509_value(ctx->roots, i), cert) == 0)
return !full_chain ||
x509_verify_cert_self_signed(cert);
}
- /*
- * XXX what if this is a by_dir thing? this currently isn't
- * handled so this case is a bit messed up for loonix with
- * by directory trust bundles...
- */
+
+ /* Check by lookup if we have a legacy xsc */
+ if (ctx->xsc != NULL) {
+ if ((match = x509_vfy_lookup_cert_match(ctx->xsc,
+ cert)) != NULL) {
+ X509_free(match);
+ return !full_chain ||
+ x509_verify_cert_self_signed(cert);
+ }
+ }
+
return 0;
}
-/* $OpenBSD: x509_vfy.c,v 1.86 2021/02/25 17:29:22 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.87 2021/08/19 03:44:00 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
return xtmp;
}
+X509 *
+x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
+{
+ if (ctx->lookup_certs == NULL || ctx->ctx == NULL ||
+ ctx->ctx->objs == NULL)
+ return NULL;
+ return lookup_cert_match(ctx, x);
+}
+
static int
check_trust(X509_STORE_CTX *ctx)
{
projects / openbsd / commitdiff