1- /* $OpenBSD: x509_verify.c,v 1.39 2021/07/12 15:12:38 beck Exp $ */
1+ /* $OpenBSD: x509_verify.c,v 1.40 2021/08/18 15:10:46 beck Exp $ */
22/*
33 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
44 *
@@ -307,6 +307,71 @@ x509_verify_ctx_restore_xsc_error(struct x509_verify_ctx *ctx)
307307 return 1 ;
308308}
309309
310+ /* Perform legacy style validation of a chain */
311+ static int
312+ x509_verify_ctx_validate_legacy_chain (struct x509_verify_ctx * ctx ,
313+ struct x509_verify_chain * chain , size_t depth )
314+ {
315+ int ret = 0 ;
316+
317+ if (ctx -> xsc == NULL )
318+ return 1 ;
319+
320+ /*
321+ * If we have a legacy xsc, choose a validated chain, and
322+ * apply the extensions, revocation, and policy checks just
323+ * like the legacy code did. We do this here instead of as
324+ * building the chains to more easily support the callback and
325+ * the bewildering array of VERIFY_PARAM knobs that are there
326+ * for the fiddling.
327+ */
328+
329+ /* These may be set in one of the following calls. */
330+ ctx -> xsc -> error = X509_V_OK ;
331+ ctx -> xsc -> error_depth = 0 ;
332+
333+ if (!x509_verify_ctx_set_xsc_chain (ctx , chain , 0 , 1 ))
334+ goto err ;
335+
336+ /*
337+ * XXX currently this duplicates some work done in chain
338+ * build, but we keep it here until we have feature parity
339+ */
340+ if (!x509_vfy_check_chain_extensions (ctx -> xsc ))
341+ goto err ;
342+
343+ if (!x509_constraints_chain (ctx -> xsc -> chain ,
344+ & ctx -> xsc -> error , & ctx -> xsc -> error_depth )) {
345+ X509 * cert = sk_X509_value (ctx -> xsc -> chain , depth );
346+ if (!x509_verify_cert_error (ctx , cert ,
347+ ctx -> xsc -> error_depth , ctx -> xsc -> error , 0 ))
348+ goto err ;
349+ }
350+
351+ if (!x509_vfy_check_revocation (ctx -> xsc ))
352+ goto err ;
353+
354+ if (!x509_vfy_check_policy (ctx -> xsc ))
355+ goto err ;
356+
357+ ret = 1 ;
358+
359+ err :
360+ /*
361+ * The above checks may have set ctx->xsc->error and
362+ * ctx->xsc->error_depth - save these for later on.
363+ */
364+ if (ctx -> xsc -> error != X509_V_OK ) {
365+ if (ctx -> xsc -> error_depth < 0 ||
366+ ctx -> xsc -> error_depth >= X509_VERIFY_MAX_CHAIN_CERTS )
367+ return 0 ;
368+ chain -> cert_errors [ctx -> xsc -> error_depth ] =
369+ ctx -> xsc -> error ;
370+ }
371+
372+ return ret ;
373+ }
374+
310375/* Add a validated chain to our list of valid chains */
311376static int
312377x509_verify_ctx_add_chain (struct x509_verify_ctx * ctx ,
@@ -328,59 +393,12 @@ x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx,
328393 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY )
329394 chain -> cert_errors [depth ] = X509_V_OK ;
330395
331- /*
332- * If we have a legacy xsc, choose a validated chain,
333- * and apply the extensions, revocation, and policy checks
334- * just like the legacy code did. We do this here instead
335- * of as building the chains to more easily support the
336- * callback and the bewildering array of VERIFY_PARAM
337- * knobs that are there for the fiddling.
338- */
339- if (ctx -> xsc != NULL ) {
340- /* These may be set in one of the following calls. */
341- ctx -> xsc -> error = X509_V_OK ;
342- ctx -> xsc -> error_depth = 0 ;
343-
344- if (!x509_verify_ctx_set_xsc_chain (ctx , chain , 0 , 1 ))
345- return 0 ;
346-
347- /*
348- * XXX currently this duplicates some work done
349- * in chain build, but we keep it here until
350- * we have feature parity
351- */
352- if (!x509_vfy_check_chain_extensions (ctx -> xsc ))
353- return 0 ;
354-
355- if (!x509_constraints_chain (ctx -> xsc -> chain ,
356- & ctx -> xsc -> error , & ctx -> xsc -> error_depth )) {
357- X509 * cert = sk_X509_value (ctx -> xsc -> chain , depth );
358- if (!x509_verify_cert_error (ctx , cert ,
359- ctx -> xsc -> error_depth , ctx -> xsc -> error , 0 ))
360- return 0 ;
361- }
362-
363- if (!x509_vfy_check_revocation (ctx -> xsc ))
364- return 0 ;
365-
366- if (!x509_vfy_check_policy (ctx -> xsc ))
367- return 0 ;
396+ if (!x509_verify_ctx_validate_legacy_chain (ctx , chain , depth ))
397+ return 0 ;
368398
369- /*
370- * The above checks may have set ctx->xsc->error and
371- * ctx->xsc->error_depth - save these for later on.
372- */
373- if (ctx -> xsc -> error != X509_V_OK ) {
374- if (ctx -> xsc -> error_depth < 0 ||
375- ctx -> xsc -> error_depth >= X509_VERIFY_MAX_CHAIN_CERTS )
376- return 0 ;
377- chain -> cert_errors [ctx -> xsc -> error_depth ] =
378- ctx -> xsc -> error ;
379- }
380- }
381399 /*
382- * no xsc means we are being called from the non-legacy API,
383- * extensions and purpose are dealt with as the chain is built.
400+ * In the non-legacy code, extensions and purpose are dealt
401+ * with as the chain is built.
384402 *
385403 * The non-legacy api returns multiple chains but does not do
386404 * any revocation checking (it must be done by the caller on
0 commit comments