From 1932e03d6f86e71730092ee25e274831a4655a13 Mon Sep 17 00:00:00 2001
From: Scott Cantor
Date: Sat, 13 Nov 2010 19:00:19 +0000
Subject: [PATCH] Map fullCRLChain option to checkRevocation option, bypass CRLs entirely if new option not set.
---
 xmltooling/security/AbstractPKIXTrustEngine.h | 6 +-
 .../security/impl/AbstractPKIXTrustEngine.cpp | 68 ++++++++++++----------
 2 files changed, 40 insertions(+), 34 deletions(-)
diff --git a/xmltooling/security/AbstractPKIXTrustEngine.h b/xmltooling/security/AbstractPKIXTrustEngine.h
index 641e059..354821f 100644
--- a/xmltooling/security/AbstractPKIXTrustEngine.h
+++ b/xmltooling/security/AbstractPKIXTrustEngine.h
@@ -46,17 +46,17 @@ namespace xmltooling {
 * If a DOM is supplied, the following XML content is supported: * * * * @param e DOM to supply configuration for provider */
 AbstractPKIXTrustEngine(const xercesc::DOMElement* e=nullptr);
- /** Controls revocation checking, currently limited to CRLs and supports "optional", "entityOnly", "fullChain". */
+ /** Controls revocation checking, currently limited to CRLs and supports "off", "entityOnly", "fullChain". */
 std::string m_checkRevocation;
- /** Flag controls whether every issuer in the trust path must have a CRL loaded. */
+ /** Deprecated option, equivalent to checkRevocation="fullChain". */
 bool m_fullCRLChain;
 /**
diff --git a/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp b/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp
index ba5cfb2..14e854f 100644
--- a/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp
+++ b/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp
@@ -57,7 +57,7 @@ namespace {
 X509* EE,
 STACK_OF(X509)* untrusted,
 AbstractPKIXTrustEngine::PKIXValidationInfoIterator* pkixInfo,
- bool requireCRL,
+ bool useCRL,
 bool fullCRLChain,
 const vector* inlineCRLs=nullptr
 )
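Review bot: The new comment on `m_checkRevocation` lists "off" as a supported value, but the cpp hunks in this commit only ever compare the string against "entityOnly" and "fullChain"; "off" is never tested, so it behaves exactly like the unset default, the former "optional", or any misspelled value — all of them disable CRL checking. Saying so in the header keeps readers from treating "off" as a distinct, validated setting: `/** Controls revocation checking, currently limited to CRLs; "entityOnly" and "fullChain" enable it, any other value (including the default) disables it. */`. The comment on `m_fullCRLChain` could also mention that the constructor now rewrites it to agree with checkRevocation, since the commit keeps the member for code that may still read it.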
@@ -90,46 +90,43 @@ namespace {
 log.debug("supplied (%d) CA certificate(s)", count);
+ if (useCRL) {
 #if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
- count=0;
- if (inlineCRLs) {
- for (vector::const_iterator j=inlineCRLs->begin(); j!=inlineCRLs->end(); ++j) {
+ count=0;
+ if (inlineCRLs) {
+ for (vector::const_iterator j=inlineCRLs->begin(); j!=inlineCRLs->end(); ++j) {
+ if ((*j)->getProviderName()==DSIGConstants::s_unicodeStrPROVOpenSSL) {
+ // owned by store
+ X509_STORE_add_crl(store, X509_CRL_dup(static_cast(*j)->getOpenSSLX509CRL()));
+ ++count;
+ }
+ }
+ }
+ const vector& crls = pkixInfo->getCRLs();
+ for (vector::const_iterator j=crls.begin(); j!=crls.end(); ++j) {
 if ((*j)->getProviderName()==DSIGConstants::s_unicodeStrPROVOpenSSL) {
 // owned by store
 X509_STORE_add_crl(store, X509_CRL_dup(static_cast(*j)->getOpenSSLX509CRL()));
 ++count;
 }
 }
- }
- const vector& crls = pkixInfo->getCRLs();
- for (vector::const_iterator j=crls.begin(); j!=crls.end(); ++j) {
- if ((*j)->getProviderName()==DSIGConstants::s_unicodeStrPROVOpenSSL) {
- // owned by store
- X509_STORE_add_crl(store, X509_CRL_dup(static_cast(*j)->getOpenSSLX509CRL()));
- ++count;
- }
- }
- log.debug("supplied (%d) CRL(s)", count);
- if (count > 0) {
- X509_STORE_set_flags(store, fullCRLChain ? (X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL) : (X509_V_FLAG_CRL_CHECK));
- }
- else if (requireCRL) {
- log.warn("CRL checking is required, but none were supplied");
- sk_X509_free(CAstack);
- X509_STORE_free(store);
- return false;
- }
+ log.debug("supplied (%d) CRL(s)", count);
+ if (count > 0) {
+ X509_STORE_set_flags(store, fullCRLChain ?
(X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL) : (X509_V_FLAG_CRL_CHECK));
+ }
+ else {
+ log.warn("CRL checking is enabled, but none were supplied");
+ sk_X509_free(CAstack);
+ X509_STORE_free(store);
+ return false;
+ }
 #else
- if (requireCRL) {
- log.warn("CRL checking is required, but OpenSSL version is too old");
+ log.warn("CRL checking is enabled, but OpenSSL version is too old");
 sk_X509_free(CAstack);
 X509_STORE_free(store);
 return false;
- }
- else if ((inlineCRLs && !inlineCRLs->empty()) || !pkixInfo->getCRLs().empty()) {
- log.warn("OpenSSL versions < 0.9.7 do not support CRL checking");
- }
 #endif
+ }
 // AFAICT, EE and untrusted are passed in but not owned by the ctx.
 #if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
@@ -193,6 +190,15 @@ AbstractPKIXTrustEngine::AbstractPKIXTrustEngine(const xercesc::DOMElement* e)
 m_fullCRLChain(XMLHelper::getAttrBool(e, false, fullCRLChain)),
 m_checkRevocation(XMLHelper::getAttrString(e, nullptr, checkRevocation))
 {
+ if (m_fullCRLChain) {
+ Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine.PKIX").warn(
+ "fullCRLChain option is deprecated, setting checkRevocation to \"fullChain\""
+ );
+ m_checkRevocation = "fullChain";
+ }
+ else if (m_checkRevocation == "fullChain") {
+ m_fullCRLChain = true; // in case anything's using this
+ }
 }
 AbstractPKIXTrustEngine::~AbstractPKIXTrustEngine()
@@ -370,8 +376,8 @@ bool AbstractPKIXTrustEngine::validateWithCRLs(
 certChain,
 pkix.get(),
 (m_checkRevocation=="entityOnly" || m_checkRevocation=="fullChain"),
- (m_fullCRLChain || m_checkRevocation=="fullChain"),
- inlineCRLs
+ (m_checkRevocation=="fullChain"),
+ (m_checkRevocation=="entityOnly" || m_checkRevocation=="fullChain") ? inlineCRLs : nullptr
 )) {
 return true;
 }
--
2.1.4
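Review bot: In the added inline-CRL loop the results of `X509_CRL_dup` and `X509_STORE_add_crl` are discarded and `++count` runs regardless, so a failed duplicate or add is still counted as a loaded CRL; `count > 0` then enables CRL checking against a store that may hold nothing for that issuer, and the resulting verify failure is indistinguishable from a genuinely missing CRL (the unchanged second loop over `pkixInfo->getCRLs()` has the same shape). The duplicated CRL also leaks when the add fails, because the store only takes ownership on success, and on older OpenSSL an add with a null argument is not safe. Checking both calls and freeing on failure keeps the "none were supplied" branch honest and lets the log say why a CRL was dropped. The enclosing function starts and ends outside this hunk, and the provider cast inside `X509_CRL_dup(...)` is unchanged from the current code.
```cpp
            // … unchanged: loop header over inlineCRLs …
                if ((*j)->getProviderName()==DSIGConstants::s_unicodeStrPROVOpenSSL) {
                    X509_CRL* crl = X509_CRL_dup(static_cast</* provider type as before */>(*j)->getOpenSSLX509CRL());
                    if (crl && X509_STORE_add_crl(store, crl)) {
                        ++count;    // store owns crl from here
                    }
                    else {
                        log.warn("unable to add a supplied CRL to the OpenSSL store");
                        if (crl)
                            X509_CRL_free(crl);     // the store did not take ownership
                    }
                }
            // … unchanged: same treatment for the pkixInfo->getCRLs() loop …
```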
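Review bot: The constructor accepts any `checkRevocation` string, and the only values the engine later recognizes are "entityOnly" and "fullChain" (hunk at line 376), so a typo such as "fullchain" or "entity-only" silently disables CRL checking with no log line — a fail-open misconfiguration in a trust engine. Add a final branch that names the problem: `else if (!m_checkRevocation.empty() && m_checkRevocation != "off" && m_checkRevocation != "entityOnly") {` / `Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine.PKIX").warn("unrecognized checkRevocation value (%s), CRL checking is disabled", m_checkRevocation.c_str());` / `}`, or throw whatever configuration exception the file already uses if one exists. Separately, when both options are set the deprecated `fullCRLChain` silently overrides an explicit `checkRevocation="entityOnly"`; the warning should at least name the value it replaced so the operator can tell which setting took effect.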
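Review bot: The condition `m_checkRevocation=="entityOnly" || m_checkRevocation=="fullChain"` is now spelled out twice in the same call, once as the `useCRL` argument and again to decide whether to pass `inlineCRLs`, and the second copy is dead weight because the callee (hunk at line 90) ignores `inlineCRLs` entirely when `useCRL` is false. Hoist it into one named local before the call, `const bool useCRL = (m_checkRevocation=="entityOnly" || m_checkRevocation=="fullChain");`, then pass `useCRL` and plain `inlineCRLs`, so the two sites cannot drift apart. validateWithCRLs starts and ends outside this hunk.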