From 13d91d5382c1b2152dcf3e56f2d8f90a7cca8ca0 Mon Sep 17 00:00:00 2001 From: Marcel Poul Date: Thu, 13 Sep 2012 09:22:41 +0000 Subject: [PATCH] CRLs are handled by caNl now. --- org.gridsite.core/src/canl_mod_gridsite.c | 207 +----------------------------- 1 file changed, 1 insertion(+), 206 deletions(-) diff --git a/org.gridsite.core/src/canl_mod_gridsite.c b/org.gridsite.core/src/canl_mod_gridsite.c index 21acdcf..6ace057 100644 --- a/org.gridsite.core/src/canl_mod_gridsite.c +++ b/org.gridsite.core/src/canl_mod_gridsite.c @@ -3448,211 +3448,6 @@ static int mod_gridsite_perm_handler(request_rec *r) return retcode; } -#if AP_MODULE_MAGIC_AT_LEAST(20051115,0) -/* - Include this here until libgridsite functions can be used -*/ -int GRST_ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c) -{ - server_rec *s = c->base_server; - SSLSrvConfigRec *sc = (SSLSrvConfigRec *) ap_get_module_config(s->module_config, &ssl_module); - SSLConnRec *sslconn = (SSLConnRec *) ap_get_module_config(c->conn_config, &ssl_module); - modssl_ctx_t *mctx = sslconn->is_proxy ? SSLSrvConfigRec_proxy(sc) : SSLSrvConfigRec_server(sc); - X509_OBJECT obj; - X509_NAME *subject, *issuer; - X509 *cert; - X509_CRL *crl; - EVP_PKEY *pubkey; - int i, n, rc; - - /* - * Unless a revocation store for CRLs was created we - * cannot do any CRL-based verification, of course. - */ - if (!mctx->crl) { - return ok; - } - - /* - * Determine certificate ingredients in advance - */ - cert = X509_STORE_CTX_get_current_cert(ctx); - subject = X509_get_subject_name(cert); - issuer = X509_get_issuer_name(cert); - - /* - * OpenSSL provides the general mechanism to deal with CRLs but does not - * use them automatically when verifying certificates, so we do it - * explicitly here. We will check the CRL for the currently checked - * certificate, if there is such a CRL in the store. - * - * We come through this procedure for each certificate in the certificate - * chain, starting with the root-CA's certificate. At each step we've to - * both verify the signature on the CRL (to make sure it's a valid CRL) - * and it's revocation list (to make sure the current certificate isn't - * revoked). But because to check the signature on the CRL we need the - * public key of the issuing CA certificate (which was already processed - * one round before), we've a little problem. But we can both solve it and - * at the same time optimize the processing by using the following - * verification scheme (idea and code snippets borrowed from the GLOBUS - * project): - * - * 1. We'll check the signature of a CRL in each step when we find a CRL - * through the _subject_ name of the current certificate. This CRL - * itself will be needed the first time in the next round, of course. - * But we do the signature processing one round before this where the - * public key of the CA is available. - * - * 2. We'll check the revocation list of a CRL in each step when - * we find a CRL through the _issuer_ name of the current certificate. - * This CRLs signature was then already verified one round before. - * - * This verification scheme allows a CA to revoke its own certificate as - * well, of course. - */ - - /* - * Try to retrieve a CRL corresponding to the _subject_ of - * the current certificate in order to verify it's integrity. - */ - memset((char *)&obj, 0, sizeof(obj)); - { - X509_STORE_CTX pStoreCtx; - X509_STORE_CTX_init(&pStoreCtx, mctx->crl, NULL, NULL); - rc = X509_STORE_get_by_subject(&pStoreCtx, X509_LU_CRL, subject, &obj); - X509_STORE_CTX_cleanup(&pStoreCtx); - } - - crl = obj.data.crl; - - if ((rc > 0) && crl) { - /* - * Log information about CRL - * (A little bit complicated because of ASN.1 and BIOs...) - */ - if (s->loglevel >= APLOG_DEBUG) { - char buff[512]; /* should be plenty */ - BIO *bio = BIO_new(BIO_s_mem()); - - BIO_printf(bio, "CA CRL: Issuer: "); - X509_NAME_print(bio, issuer, 0); - - BIO_printf(bio, ", lastUpdate: "); - ASN1_UTCTIME_print(bio, X509_CRL_get_lastUpdate(crl)); - - BIO_printf(bio, ", nextUpdate: "); - ASN1_UTCTIME_print(bio, X509_CRL_get_nextUpdate(crl)); - - n = BIO_read(bio, buff, sizeof(buff) - 1); - buff[n] = '\0'; - - BIO_free(bio); - - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "%s", buff); - } - - /* - * Verify the signature on this CRL - */ - pubkey = X509_get_pubkey(cert); - rc = X509_CRL_verify(crl, pubkey); -#ifdef OPENSSL_VERSION_NUMBER - /* Only refcounted in OpenSSL */ - if (pubkey) - EVP_PKEY_free(pubkey); -#endif - if (rc <= 0) { - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, - "Invalid signature on CRL"); - - X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE); - X509_OBJECT_free_contents(&obj); - return FALSE; - } - - /* - * Check date of CRL to make sure it's not expired - */ - i = X509_cmp_current_time(X509_CRL_get_nextUpdate(crl)); - - if (i == 0) { - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, - "Found CRL has invalid nextUpdate field"); - - X509_STORE_CTX_set_error(ctx, - X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD); - X509_OBJECT_free_contents(&obj); - - return FALSE; - } - - if (i < 0) { - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, - "Found CRL is expired - " - "revoking all certificates until you get updated CRL"); - - X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_HAS_EXPIRED); - X509_OBJECT_free_contents(&obj); - - return FALSE; - } - - X509_OBJECT_free_contents(&obj); - } - - /* - * Try to retrieve a CRL corresponding to the _issuer_ of - * the current certificate in order to check for revocation. - */ - memset((char *)&obj, 0, sizeof(obj)); - { - X509_STORE_CTX pStoreCtx; - X509_STORE_CTX_init(&pStoreCtx, mctx->crl, NULL, NULL); - rc = X509_STORE_get_by_subject(&pStoreCtx, X509_LU_CRL, issuer, &obj); - X509_STORE_CTX_cleanup(&pStoreCtx); - } - - crl = obj.data.crl; - if ((rc > 0) && crl) { - /* - * Check if the current certificate is revoked by this CRL - */ - n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl)); - - for (i = 0; i < n; i++) { - X509_REVOKED *revoked = - sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i); - -// ASN1_INTEGER *sn = X509_REVOKED_get_serialNumber(revoked); - ASN1_INTEGER *sn = revoked->serialNumber; - - if (!ASN1_INTEGER_cmp(sn, X509_get_serialNumber(cert))) { - if (s->loglevel >= APLOG_DEBUG) { - char *cp = X509_NAME_oneline(issuer, NULL, 0); - char *serial = i2s_ASN1_INTEGER(NULL,sn); - - ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, - "Certificate with serial %s " - "revoked per CRL from issuer %s", - serial, cp); - OPENSSL_free(cp); - free(serial); - } - - X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED); - X509_OBJECT_free_contents(&obj); - - return FALSE; - } - } - - X509_OBJECT_free_contents(&obj); - } - - return ok; -} -#endif - int GRST_callback_SSLVerify_wrapper(int ok, X509_STORE_CTX *ctx) { SSL *ssl = (SSL *) X509_STORE_CTX_get_app_data(ctx); @@ -3666,7 +3461,7 @@ int GRST_callback_SSLVerify_wrapper(int ok, X509_STORE_CTX *ctx) #if AP_MODULE_MAGIC_AT_LEAST(20051115,0) SSLSrvConfigRec *sc = (SSLSrvConfigRec *) ap_get_module_config(s->module_config, &ssl_module); modssl_ctx_t *mctx = sslconn->is_proxy ? SSLSrvConfigRec_proxy(sc) : SSLSrvConfigRec_server(sc); - int verify, depth; + int verify; #endif STACK_OF(X509) *certstack; GRSTx509Chain *grst_chain; -- 1.8.2.3