Fixed #6148: multiple ceritificate purposes
OpenSSL certificate verification can only check a single purpose per X509_STORE_CTX. Run the verification once for each allowed purpose and accept the certificate if any run succeeds.
This commit is contained in:
parent
a1f2c1e161
commit
5cfc3e8593
@ -797,6 +797,8 @@ static int verify_cb(int ok, X509_STORE_CTX* csc)
BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path)
BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path)
{
{
size_t i;
const int purposes[3] = { X509_PURPOSE_SSL_SERVER, X509_PURPOSE_SSL_CLIENT, X509_PURPOSE_ANY };
X509_STORE_CTX* csc;
X509_STORE_CTX* csc;
BOOL status = FALSE;
BOOL status = FALSE;
X509_STORE* cert_ctx = NULL;
X509_STORE* cert_ctx = NULL;
@ -831,23 +833,32 @@ BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path
X509_LOOKUP_add_dir(lookup, certificate_store_path, X509_FILETYPE_PEM);
X509_LOOKUP_add_dir(lookup, certificate_store_path, X509_FILETYPE_PEM);
}
}
X509_STORE_set_flags(cert_ctx, 0);
for (i = 0; i < ARRAYSIZE(purposes); i++)
{
int rc = -1;
int purpose = purposes[i];
csc = X509_STORE_CTX_new();
csc = X509_STORE_CTX_new();
if (csc == NULL)
if (csc == NULL)
goto end;
goto skip;
X509_STORE_set_flags(cert_ctx, 0);
if (!X509_STORE_CTX_init(csc, cert_ctx, cert->px509, cert->px509chain))
if (!X509_STORE_CTX_init(csc, cert_ctx, cert->px509, cert->px509chain))
goto end;
goto skip;
X509_STORE_CTX_set_purpose(csc, X509_PURPOSE_ANY);
X509_STORE_CTX_set_purpose(csc, purpose);
X509_STORE_CTX_set_verify_cb(csc, verify_cb);
X509_STORE_CTX_set_verify_cb(csc, verify_cb);
if (X509_verify_cert(csc) == 1)
rc = X509_verify_cert(csc);
status = TRUE;
skip:
X509_STORE_CTX_free(csc);
X509_STORE_CTX_free(csc);
if (rc == 1)
{
status = TRUE;
break;
}
}
X509_STORE_free(cert_ctx);
X509_STORE_free(cert_ctx);
end:
end:
return status;
return status;
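Review bot: Keeping X509_PURPOSE_ANY as the last entry of the `purposes` array makes the X509_PURPOSE_SSL_SERVER and X509_PURPOSE_SSL_CLIENT passes redundant as an acceptance gate: as far as OpenSSL's purpose table goes, the any-purpose check performs no EKU or keyUsage test on the leaf, so an otherwise-valid chain that fails the first two attempts is accepted on the third and the loop ends up enforcing no certificate purpose at all — the same outcome as the single X509_PURPOSE_ANY call it replaces, at the cost of two extra verification runs (and, presumably, two extra rounds of whatever `verify_cb` logs for the failed attempts). If the intent is to accept only server- or client-authentication certificates, drop X509_PURPOSE_ANY from the array; if it must stay for compatibility with certificates carrying unrelated usages, document that next to the array, e.g. `/* X509_PURPOSE_ANY skips the EKU/keyUsage check and thus subsumes the two SSL purposes; kept deliberately so certificates with unrelated usages still verify */`. Since `rc` is discarded when every purpose fails, it would also help callers to capture X509_STORE_CTX_get_error() (or the purpose that matched) before `X509_STORE_CTX_free(csc)`, as the loop currently leaves no trace of why or how verification concluded. The closing brace of x509_verify_certificate lies outside the hunk.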