
Lines Matching refs:crl

73 /* CRL score values */
79 /* certificate is within CRL scope */
83 /* CRL times valid */
91 /* At or above this score the CRL is probably valid */
95 /* CRL issuer is certificate issuer */
99 /* CRL issuer is on certificate path */
103 /* CRL issuer matches CRL AKID */
107 /* Have a delta CRL with valid times */
123 X509_CRL *crl, X509 *x);
128 static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
130 static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
364 * because they may be needed for CRL signature verification.
378 /* RFC 3779 path validation, now that CRL check has been done */
477 /* CRL path validation */
683 /* If checking CRL paths this isn't the EE certificate */
699 X509_CRL *crl = NULL, *dcrl = NULL;
709 /* Try to retrieve relevant CRL */
711 ok = ctx->get_crl(ctx, &crl, x);
713 ok = get_crl_delta(ctx, &crl, &dcrl, x);
714 /* If error looking up CRL, nothing we can do except
723 ctx->current_crl = crl;
724 ok = ctx->check_crl(ctx, crl);
740 /* Don't look in full CRL if delta reason is removefromCRL */
743 ok = ctx->cert_crl(ctx, crl, x);
748 X509_CRL_free(crl);
750 crl = NULL;
754 X509_CRL_free(crl);
762 /* Check CRL times against values in X509_STORE_CTX */
764 static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
769 ctx->current_crl = crl;
775 i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
794 if(X509_CRL_get_nextUpdate(crl))
796 i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
806 /* Ignore expiry of base CRL if delta is valid */
830 X509_CRL *crl, *best_crl = NULL;
835 crl = sk_X509_CRL_value(crls, i);
837 crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
841 best_crl = crl;
871 /* Compare two CRL extensions for delta checking purposes. They should be
919 /* Delta CRL must be a delta */
922 /* Base must have a CRL number */
934 /* Delta CRL base number must not exceed Full CRL number. */
937 /* Delta CRL number must exceed full CRL number */
943 /* For a given base CRL find a delta... maybe extend to delta scoring
971 /* For a given CRL return how suitable it is for the supplied certificate 'x'.
974 * The reasons mask is also used to determine if the CRL is suitable: if
975 * no new reasons the CRL is rejected, otherwise reasons is updated.
980 X509_CRL *crl, X509 *x)
986 /* First see if we can reject CRL straight away */
989 if (crl->idp_flags & IDP_INVALID)
991 /* Reason codes or indirect CRLs need extended CRL support */
994 if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS))
997 else if (crl->idp_flags & IDP_REASONS)
1000 if (!(crl->idp_reasons & ~tmp_reasons))
1004 else if (crl->base_crl_number)
1006 /* If issuer name doesn't match certificate need indirect CRL */
1007 if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl)))
1009 if (!(crl->idp_flags & IDP_INDIRECT))
1015 if (!(crl->flags & EXFLAG_CRITICAL))
1019 if (check_crl_time(ctx, crl, 0))
1023 crl_akid_check(ctx, crl, pissuer, &crl_score);
1030 /* Check cert for matching CRL distribution points */
1032 if (crl_crldp_check(x, crl, crl_score, &crl_reasons))
1047 static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1051 X509_NAME *cnm = X509_CRL_get_issuer(crl);
1060 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
1075 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
1083 /* Anything else needs extended CRL support */
1088 /* Otherwise the CRL issuer is not on the path. Look for it in the
1096 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
1105 /* Check the path of a CRL issuer certificate. This creates a new
1116 /* Don't allow recursive CRL path validation */
1129 /* Verify CRL issuer */
1143 /* RFC3280 says nothing about the relationship between CRL path
1237 static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
1240 X509_NAME *nm = X509_CRL_get_issuer(crl);
1257 static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
1261 if (crl->idp_flags & IDP_ONLYATTR)
1265 if (crl->idp_flags & IDP_ONLYUSER)
1270 if (crl->idp_flags & IDP_ONLYCA)
1273 *preasons = crl->idp_reasons;
1277 if (crldp_check_crlissuer(dp, crl, crl_score))
1279 if (!crl->idp ||
1280 idp_check_dp(dp->distpoint, crl->idp->distpoint))
1287 if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME))
1292 /* Retrieve CRL corresponding to current certificate.
1293 * If deltas enabled try to find a delta CRL too
1303 X509_CRL *crl = NULL, *dcrl = NULL;
1307 ok = get_crl_sk(ctx, &crl, &dcrl,
1318 if (!skcrl && crl)
1321 get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl);
1327 /* If we got any kind of CRL use it and return success */
1328 if (crl)
1333 *pcrl = crl;
1341 /* Check CRL validity */
1342 static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
1349 /* if we have an alternative CRL issuer cert use that */
1353 /* Else find CRL issuer: if not last certificate then issuer
1375 if (!crl->base_crl_number)
1403 if (crl->idp_flags & IDP_INVALID)
1415 ok = check_crl_time(ctx, crl, 1);
1431 /* Verify CRL signature */
1432 if(X509_CRL_verify(crl, ikey) <= 0)
1448 /* Check certificate against CRL */
1449 static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1453 /* The rules changed for this... previously if a CRL contained
1456 * critical extension can change the meaning of CRL entries.
1458 if (crl->flags & EXFLAG_CRITICAL)
1467 /* Look for serial number of certificate in CRL
1470 if (X509_CRL_get0_by_cert(crl, &rev, x))