Fixed #6148: multiple ceritificate purposes

OpenSSL certificate verification can only check a single purpose.
Run the checks with all allowed purposes and accept any.
akallabeth 2020-05-12 13:00:13 +02:00 committed by akallabeth
parent a1f2c1e161
commit 5cfc3e8593


@ -797,6 +797,8 @@ static int verify_cb(int ok, X509_STORE_CTX* csc)
BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path) BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path)
{ {
size_t i;
const int purposes[3] = { X509_PURPOSE_SSL_SERVER, X509_PURPOSE_SSL_CLIENT, X509_PURPOSE_ANY };
X509_STORE_CTX* csc; X509_STORE_CTX* csc;
BOOL status = FALSE; BOOL status = FALSE;
X509_STORE* cert_ctx = NULL; X509_STORE* cert_ctx = NULL;
@ -831,23 +833,32 @@ BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path
X509_LOOKUP_add_dir(lookup, certificate_store_path, X509_FILETYPE_PEM); X509_LOOKUP_add_dir(lookup, certificate_store_path, X509_FILETYPE_PEM);
} }
X509_STORE_set_flags(cert_ctx, 0);
for (i = 0; i < ARRAYSIZE(purposes); i++)
{
int rc = -1;
int purpose = purposes[i];
csc = X509_STORE_CTX_new(); csc = X509_STORE_CTX_new();
if (csc == NULL) if (csc == NULL)
goto end; goto skip;
X509_STORE_set_flags(cert_ctx, 0);
if (!X509_STORE_CTX_init(csc, cert_ctx, cert->px509, cert->px509chain)) if (!X509_STORE_CTX_init(csc, cert_ctx, cert->px509, cert->px509chain))
goto end; goto skip;
X509_STORE_CTX_set_purpose(csc, X509_PURPOSE_ANY); X509_STORE_CTX_set_purpose(csc, purpose);
X509_STORE_CTX_set_verify_cb(csc, verify_cb); X509_STORE_CTX_set_verify_cb(csc, verify_cb);
if (X509_verify_cert(csc) == 1) rc = X509_verify_cert(csc);
status = TRUE; skip:
X509_STORE_CTX_free(csc); X509_STORE_CTX_free(csc);
if (rc == 1)
{
status = TRUE;
break;
}
}
X509_STORE_free(cert_ctx); X509_STORE_free(cert_ctx);
end: end:
return status; return status;
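Review bot: With X509_PURPOSE_ANY as the last entry of `purposes`, the loop can never be stricter than the previous single X509_PURPOSE_ANY check, because OpenSSL's ANY purpose accepts every extended key usage; what can change the outcome, as far as I can tell, is the trust setting that X509_STORE_CTX_set_purpose derives from each purpose when the certificates in cert_ctx are evaluated, so the ordering and the ANY fallback deserve a comment above the array, e.g. `/* TLS purposes first so store certificates are judged with serverAuth/clientAuth trust; ANY is the catch-all and preserves the previous behaviour. */`. Second, a failed X509_STORE_CTX_new() now jumps to `skip`, frees a NULL context and retries with the next purpose instead of leaving via `end` as before; X509_STORE_CTX_free(NULL) is a no-op on current OpenSSL, but the retry-on-allocation-failure change is not mentioned in the description and is worth either a comment or an explicit `goto end` as in the old code. The store set-up between the two hunks and the surrounding function body are outside this view.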