Hi All,
I have CA certificates and CRLs in one file. I am passing this file to
SSL_CTX_load_verify_locations(CAfile).
SSL_CTX_load_verify_locations() indirectly calls PEM_X509_INFO_read_bio()
and X509_load_cert_crl_file().
PEM_X509_INFO_read_bio() pushes an X509_INFO object onto the stack whenever
the next retrieved object (X509_INFO->x509 or X509_INFO->crl etc.) is
of the same type. But whenever the next retrieved object is of a different
type (the first is of type X509 and the second is of type CRL) it stores
both objects in the same X509_INFO object and pushes that onto the stack.
When the file has been read completely, the stack is returned.
In X509_load_cert_crl_file() we add the X509 certificates and CRLs to the
X509_STORE_CTX using the following code.
    inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
    BIO_free(in);
    if(!inf) {
        X509err(X509_F_X509_LOAD_CERT_CRL_FILE,ERR_R_PEM_LIB);
        return 0;
    }
    for(i = 0; i < sk_X509_INFO_num(inf); i++) {
        itmp = sk_X509_INFO_value(inf, i);
        if(itmp->x509) {
            X509_STORE_add_cert(ctx->store_ctx, itmp->x509);
            count++;
        } else if(itmp->crl) {
            X509_STORE_add_crl(ctx->store_ctx, itmp->crl);
            count++;
        }
    }
e.g. I have 3 X509 certificates and 3 CRLs in a file. The order is first
the 3 certificates and after that the 3 CRLs.
In this case sk_X509_INFO_num(inf) returns 5 and we can add only a total
of five certificates and CRLs to the certificate store. This is because when
we pushed the X509_INFO objects onto the stack, one of them had a pointer to
an x509 as well as a crl. The code shown above in bold font does not handle
such X509_INFO objects properly. It always adds the X509 object to the
certificate store and misses the CRL object.
I think the code shown above in bold font should be like this...
    if(itmp->x509) {
        X509_STORE_add_cert(ctx->store_ctx, itmp->x509);
        count++;
    }
    if(itmp->crl) {
        X509_STORE_add_crl(ctx->store_ctx, itmp->crl);
        count++;
    }
Waiting for your replies....
Regards
Amar
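The packing behaviour of PEM_X509_INFO_read_bio() and the effect of the two loop variants quoted in the post can be checked without linking OpenSSL. The following is an added, self-contained C model written for this page; it is not OpenSSL code and does not call the library. It assumes the packing rule exactly as the post describes it (a new object starts a fresh X509_INFO only when the current one already holds an object of the same type), represents a file as a string of 'C' (certificate) and 'R' (CRL) in file order, and counts what each loop would hand to the store. Names such as ModelInfo, pack_infos and count_added are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the two members of X509_INFO that matter here. */
typedef struct {
    int has_x509;   /* models a non-NULL X509_INFO->x509 */
    int has_crl;    /* models a non-NULL X509_INFO->crl  */
} ModelInfo;

#define MAX_INFOS 64

/* Packing rule as described in the post: an object is stored in the current
 * entry unless that entry already holds an object of the same type; in that
 * case the current entry is pushed and a fresh one is started. The last entry
 * is pushed when the input ends. Returns the number of entries, -1 on overflow
 * or on an unknown object letter. */
int pack_infos(const char *order, ModelInfo *out, int max)
{
    int n = 0, in_use = 0;
    ModelInfo cur = {0, 0};
    for (const char *p = order; *p; p++) {
        int *slot;
        if (*p == 'C')      slot = &cur.has_x509;
        else if (*p == 'R') slot = &cur.has_crl;
        else                return -1;
        if (*slot) {                    /* same type already present: push */
            if (n >= max) return -1;
            out[n++] = cur;
            cur.has_x509 = cur.has_crl = 0;
        }
        *slot = 1;
        in_use = 1;
    }
    if (in_use) {
        if (n >= max) return -1;
        out[n++] = cur;
    }
    return n;
}

/* Counts the objects the loop would add to the store.
 * use_fix == 0: the quoted "if / else if" loop, which skips the CRL of an
 *               entry that also carries a certificate.
 * use_fix == 1: the proposed two independent "if"s, adding both members. */
int count_added(const ModelInfo *inf, int n, int use_fix, int *certs, int *crls)
{
    int count = 0;
    *certs = 0;
    *crls = 0;
    for (int i = 0; i < n; i++) {
        if (inf[i].has_x509) {
            (*certs)++;
            count++;
            if (!use_fix) continue;     /* the else-if branch is never reached */
        }
        if (inf[i].has_crl) {
            (*crls)++;
            count++;
        }
    }
    return count;
}

/* Convenience wrappers: stack size and total added for a given file order. */
int stack_size(const char *order)
{
    ModelInfo inf[MAX_INFOS];
    return pack_infos(order, inf, MAX_INFOS);
}

int total_added(const char *order, int use_fix)
{
    ModelInfo inf[MAX_INFOS];
    int certs, crls;
    int n = pack_infos(order, inf, MAX_INFOS);
    return n < 0 ? -1 : count_added(inf, n, use_fix, &certs, &crls);
}

int crls_added(const char *order, int use_fix)
{
    ModelInfo inf[MAX_INFOS];
    int certs, crls;
    int n = pack_infos(order, inf, MAX_INFOS);
    if (n < 0) return -1;
    count_added(inf, n, use_fix, &certs, &crls);
    return crls;
}

int main(void)
{
    const char *orders[] = {"CCCRRR", "CRCRCR", "RRRCCC"};   /* constructed inputs */
    for (size_t i = 0; i < sizeof orders / sizeof orders[0]; i++)
        printf("%s: stack=%d  else-if adds %d (CRLs %d)  two ifs add %d (CRLs %d)\n",
               orders[i], stack_size(orders[i]),
               total_added(orders[i], 0), crls_added(orders[i], 0),
               total_added(orders[i], 1), crls_added(orders[i], 1));
    return 0;
}
```

For the post's own input, three certificates followed by three CRLs, the model builds a stack of five entries, the quoted loop adds five objects (one CRL is lost), and the two-independent-ifs loop adds all six. The alternating order "CRCRCR" is the worst case for the quoted loop: every entry carries both members, so no CRL at all reaches the store.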
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]