- // Do a second pass verify with CRLs in place.
- if (pkixParams->getRevocationChecking() == PKIXPathValidatorParams::REVOCATION_FULLCHAIN)
- X509_STORE_CTX_set_flags(&ctx, X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
- else
- X509_STORE_CTX_set_flags(&ctx, X509_V_FLAG_CRL_CHECK);
- ret=X509_verify_cert(&ctx);
+ // Pick up any valid CRLs inline.
+ const vector<XSECCryptoX509CRL*>& crls = pkixParams->getCRLs();
+ for (vector<XSECCryptoX509CRL*>::const_iterator j=crls.begin(); j!=crls.end(); ++j) {
+ if ((*j)->getProviderName()==DSIGConstants::s_unicodeStrPROVOpenSSL &&
+ (X509_cmp_time(X509_CRL_get_nextUpdate(static_cast<OpenSSLCryptoX509CRL*>(*j)->getOpenSSLX509CRL()), &now) > 0)) {
+ string crlissuer(X509_NAME_to_string(X509_CRL_get_issuer(static_cast<OpenSSLCryptoX509CRL*>(*j)->getOpenSSLX509CRL())));
+ if (crlissuer.empty() || crlissuers.count(crlissuer)) {
+ // We already have a CRL for this cert, so skip this one.
+ continue;
+ }
+ m_log.debug("added CRL issued by (%s)", crlissuer.c_str());
+ crlissuers.insert(crlissuer);
+ // owned by store
+ X509_STORE_add_crl(store, X509_CRL_dup(static_cast<OpenSSLCryptoX509CRL*>(*j)->getOpenSSLX509CRL()));
+ }
+ }
+
+ // Do a second pass verify with CRLs in place. Reinitialize ctx, see
+ // https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=aae41f8c54257d9fa6904d3a9aa09c5db6cefd0d
+#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
+ if (X509_STORE_CTX_init(&ctx,store,EE,untrusted) != 1) {
+ log_openssl();
+ m_log.error("unable to initialize X509_STORE_CTX");
+ ret = 0;
+ }
+#else
+ X509_STORE_CTX_init(&ctx,store,EE,untrusted);
+#endif
+ if (ret != 0) {
+ X509_STORE_CTX_trusted_stack(&ctx,CAstack);
+ X509_STORE_CTX_set_depth(&ctx,100); // already checked above
+ X509_STORE_CTX_set_verify_cb(&ctx,error_callback);
+ if (pkixParams->getRevocationChecking() == PKIXPathValidatorParams::REVOCATION_FULLCHAIN)
+ X509_STORE_CTX_set_flags(&ctx, X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+ else
+ X509_STORE_CTX_set_flags(&ctx, X509_V_FLAG_CRL_CHECK);
+ ret = X509_verify_cert(&ctx);
+ }