Hi. Attached is a patch that changes the behavior of X509_verify_cert in crypto/x509/x509_vfy.c. While copying the cert chain into the X509_STORE_CTX, before adding a cert, a check is done to see if we could reach one of our trust anchors instead. This solves the problem with a certificate chain ending in a certificate not in the trust store that would be acceptable using a different path.
Please see this as a request for comments, since I'm not an expert (yet) on X509 path discovery. Thanks in advance, Arne
diff -Naurp openssl-1.0.1c_diffa/crypto/x509/x509_vfy.c openssl-1.0.1c_diffb/crypto/x509/x509_vfy.c --- openssl-1.0.1c_diffa/crypto/x509/x509_vfy.c Fri Sep 23 15:39:35 2011 +++ openssl-1.0.1c_diffb/crypto/x509/x509_vfy.c Mon Jun 11 14:06:07 2012 @@ -209,6 +209,28 @@ int X509_verify_cert(X509_STORE_CTX *ctx) /* If we were passed a cert chain, use it first */ if (ctx->untrusted != NULL) { + /* Try to do a shortcut to a trust anchor, + * therefore look in cert store first */ + ok = ctx->get_issuer(&xtmp, ctx, x); + + /* error */ + if (ok < 0) return ok; + /* trust anchor found, use it, ignore rest of chain */ + if (ok != 0) + { + x = xtmp; + if (!sk_X509_push(ctx->chain,x)) + { + X509_free(xtmp); + X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); + return 0; + } + num++; + /* sktmp is freed at the end */ + break; + } + + /* no trust anchor found, continue searching in chain */ xtmp=find_issuer(ctx, sktmp,x); if (xtmp != NULL) {
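Review bot: the comment "trust anchor found, use it, ignore rest of chain" overstates what `ctx->get_issuer` guarantees: it returns any matching issuer from the X509_STORE, which may hold intermediates as well as self-signed roots, so the certificate pushed here is not necessarily a trust anchor. The `break` then abandons `sktmp` for the rest of this loop, so if the store-supplied issuer is itself an intermediate whose issuer exists only in the untrusted chain, the later store-only lookup loop cannot recover that path and verification fails where the unpatched code would have succeeded. Consider either checking that the returned certificate is self-signed (`ctx->check_issued(ctx, xtmp, xtmp)`) before taking the shortcut, or continuing the loop instead of breaking so the untrusted chain is still consulted. Also note that, unlike the existing find_issuer branch, this path pushes onto `ctx->chain` without bumping `ctx->last_untrusted`; that is correct for a store certificate, but it is worth stating in the comment since the two branches now differ. The `X509_free(xtmp)` on push failure is right, as `get_issuer` hands back an owned reference.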