Hi Steve,
Dr. Stephen Henson wrote:
On Tue, Sep 14, 2004, Goetz Babin-Ebell wrote:
I still would propose the following logic: a) CRL is valid (regarding issuance time) if thisUpdate >= checkTime and thisUpdate <= now. b) CRL is considered to be able to deliver revocation information if thisUpdate <= notAfter from the certificate (because after that time the certificate might be removed from the CRL).
That could certainly be added as a verify flag but I'm a bit wary of doing that by default.
Would something like the attached patch be acceptable? (please ignore version info in the diff)
This patch also adds checking of the revocation time against the checkTime.
Bye
Goetz
-- Goetz Babin-Ebell, software designer, TC TrustCenter AG, Sonninstr. 24-28, 20097 Hamburg, Germany Office: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126 www.trustcenter.de www.betrusted.com
Index: x509_vfy.c =================================================================== RCS file: /usr/cvsroot/openssl/crypto/x509/x509_vfy.c,v retrieving revision 1.11 diff -u -r1.11 x509_vfy.c --- x509_vfy.c 2004/03/17 16:37:10 1.11 +++ x509_vfy.c 2004/09/15 16:35:17 @@ -587,9 +587,14 @@ if (i > 0) { - ctx->error=X509_V_ERR_CRL_NOT_YET_VALID; - ok = ctx->verify_cb(0, ctx); - if (!ok) goto err; + if ( !(ctx->flags & X509_V_FLAG_USE_CHECK_TIME) || + !(ctx->flags & X509_V_FLAG_ACCEPT_NEWER_CRL) || + (X509_cmp_time(X509_CRL_get_lastUpdate(crl), NULL)>=0) ) + { + ctx->error=X509_V_ERR_CRL_NOT_YET_VALID; + ok = ctx->verify_cb(0, ctx); + if (!ok) goto err; + } } if(X509_CRL_get_nextUpdate(crl)) @@ -621,10 +626,11 @@ /* Check certificate against CRL */ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) { - int idx, ok; + int idx, ok, cmp; X509_REVOKED rtmp; STACK_OF(X509_EXTENSION) *exts; X509_EXTENSION *ext; + ASN1_TIME *crltime, *certtime; /* Look for serial number of certificate in CRL */ rtmp.serialNumber = X509_get_serialNumber(x); idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp); 
@@ -633,7 +639,46 @@ */ if(idx >= 0) { - ctx->error = X509_V_ERR_CERT_REVOKED; + /* now check the revocation date (if available) */ + X509_REVOKED *ptmp = sk_X509_REVOKED_value(crl->crl->revoked,idx); + cmp = 1; /* default: assume revoked before date */ + if (ctx->flags & X509_V_FLAG_USE_CHECK_TIME && + ptmp && ptmp->revocationDate) + { + time_t *ptime = &ctx->check_time; + cmp = X509_cmp_time(ptmp->revocationDate, ptime); + if (cmp > 0) cmp = 0; /* revoked after check time */ + else cmp = 1; /* revoked before check time*/ + } + if (cmp > 0) + { + ctx->error = X509_V_ERR_CERT_REVOKED; + ok = ctx->verify_cb(0, ctx); + if (!ok) return 0; + } + } + + // if crl.ThisUpdate > certificate.notValidAfter the serial number may have been removed from CRL + // -> do not trust + certtime = X509_get_notAfter(x); + crltime = X509_CRL_get_lastUpdate(crl); + if (certtime->type == crltime->type) + cmp = ASN1_STRING_cmp(crltime, certtime); + else + { + ASN1_GENERALIZEDTIME *certt= ASN1_TIME_to_generalizedtime(certtime,NULL); + ASN1_GENERALIZEDTIME *crlt = ASN1_TIME_to_generalizedtime(crltime, NULL); + if (certt && crlt) + cmp = ASN1_STRING_cmp(crlt, certt); + else + cmp = 1; + if (certt) ASN1_GENERALIZEDTIME_free(certt); + if (crlt) ASN1_GENERALIZEDTIME_free(crlt); + } + + if (cmp > 0) + {// this CRL is too old, we are not able to get the right one + ctx->error= X509_V_ERR_UNABLE_TO_GET_CRL; ok = ctx->verify_cb(0, ctx); if (!ok) return 0; } Index: x509_vfy.h =================================================================== RCS file: /usr/cvsroot/openssl/crypto/x509/x509_vfy.h,v retrieving revision 1.7 diff -u -r1.7 x509_vfy.h --- x509_vfy.h 2004/03/17 16:37:10 1.7 +++ x509_vfy.h 2004/09/15 16:35:17 
@@ -324,6 +324,8 @@ #define X509_V_FLAG_IGNORE_CRITICAL 0x10 /* Disable workarounds for broken certificates */ #define X509_V_FLAG_X509_STRICT 0x20 +/* on check cert with time: accept CRLs that are issued after check time */ +#define X509_V_FLAG_ACCEPT_NEWER_CRL 0x40 int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name);
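Review bot: In the first x509_vfy.c hunk (@@ -587,9 +587,14 @@) the three-way OR that decides whether X509_V_ERR_CRL_NOT_YET_VALID is raised has no comment, and it is easy to misread which flag combination relaxes the check. As written, the error is skipped only when X509_V_FLAG_USE_CHECK_TIME and X509_V_FLAG_ACCEPT_NEWER_CRL are both set and lastUpdate is not later than the current time; please state that above the condition. X509_cmp_time() returns 0 when it cannot parse the time, so the >=0 test keeps a malformed lastUpdate on the error path. That is the safe direction, but it is reported as "not yet valid", which deserves a word in the same comment.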
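Review bot: In the cert_crl() hunk (@@ -633,7 +639,46 @@) the new comparison of the CRL's lastUpdate against the certificate's notAfter is not guarded by any verify flag, so every caller gets X509_V_ERR_UNABLE_TO_GET_CRL for a CRL issued after notAfter, and the check also runs after a revoked entry has already been reported to the callback and accepted. Put it behind a flag, or skip it once the idx >= 0 case has been handled. When both times have the same type, the ordering comes from ASN1_STRING_cmp(crltime, certtime), a byte-wise string comparison, which misorders UTCTime values across the two-digit year wrap (a 99... date sorts after a 04... date); converting both values with ASN1_TIME_to_generalizedtime() unconditionally, as the else branch already does, avoids that. The two // comments should be /* */ like the other comments in this file.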
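Review bot: In the x509_vfy.h hunk (@@ -324,6 +324,8 @@) the comment on X509_V_FLAG_ACCEPT_NEWER_CRL does not say that the flag only has an effect together with X509_V_FLAG_USE_CHECK_TIME, which is how the x509_vfy.c change tests it. State that dependency in the comment, and that setting the flag suppresses the not-yet-valid error for CRLs issued after the check time as long as lastUpdate is not later than the current time, so a caller can tell what it is opting into.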