
Lines Matching defs:crl

77 /* CRL score values */
83 /* certificate is within CRL scope */
87 /* CRL times valid */
95 /* If this score or above CRL is probably valid */
99 /* CRL issuer is certificate issuer */
103 /* CRL issuer is on certificate path */
107 /* CRL issuer matches CRL AKID */
111 /* Have a delta CRL with valid times */
128 X509_CRL *crl, X509 *x);
133 static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
135 static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
419 * because they may be needed for CRL signature verification.
527 /* CRL path validation */
806 /* If checking CRL paths this isn't the EE certificate */
823 X509_CRL *crl = NULL, *dcrl = NULL;
836 /* Try to retrieve relevant CRL */
838 ok = ctx->get_crl(ctx, &crl, x);
840 ok = get_crl_delta(ctx, &crl, &dcrl, x);
841 /* If error looking up CRL, nothing we can do except
850 ctx->current_crl = crl;
851 ok = ctx->check_crl(ctx, crl);
867 /* Don't look in full CRL if delta reason is removefromCRL */
870 ok = ctx->cert_crl(ctx, crl, x);
875 X509_CRL_free(crl);
877 crl = NULL;
890 X509_CRL_free(crl);
898 /* Check CRL times against values in X509_STORE_CTX */
900 static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
905 ctx->current_crl = crl;
911 i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
930 if(X509_CRL_get_nextUpdate(crl))
932 i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
942 /* Ignore expiry of base CRL if delta is valid */
967 X509_CRL *crl, *best_crl = NULL;
972 crl = sk_X509_CRL_value(crls, i);
974 crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
978 best_crl = crl;
1008 /* Compare two CRL extensions for delta checking purposes. They should be
1056 /* Delta CRL must be a delta */
1059 /* Base must have a CRL number */
1071 /* Delta CRL base number must not exceed Full CRL number. */
1074 /* Delta CRL number must exceed full CRL number */
1080 /* For a given base CRL find a delta... maybe extend to delta scoring
1108 /* For a given CRL return how suitable it is for the supplied certificate 'x'.
1111 * The reasons mask is also used to determine if the CRL is suitable: if
1112 * no new reasons the CRL is rejected, otherwise reasons is updated.
1117 X509_CRL *crl, X509 *x)
1123 /* First see if we can reject CRL straight away */
1126 if (crl->idp_flags & IDP_INVALID)
1128 /* Reason codes or indirect CRLs need extended CRL support */
1131 if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS))
1134 else if (crl->idp_flags & IDP_REASONS)
1137 if (!(crl->idp_reasons & ~tmp_reasons))
1141 else if (crl->base_crl_number)
1143 /* If issuer name doesn't match certificate need indirect CRL */
1144 if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl)))
1146 if (!(crl->idp_flags & IDP_INDIRECT))
1152 if (!(crl->flags & EXFLAG_CRITICAL))
1156 if (check_crl_time(ctx, crl, 0))
1160 crl_akid_check(ctx, crl, pissuer, &crl_score);
1167 /* Check cert for matching CRL distribution points */
1169 if (crl_crldp_check(x, crl, crl_score, &crl_reasons))
1184 static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1188 X509_NAME *cnm = X509_CRL_get_issuer(crl);
1197 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
1212 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
1220 /* Anything else needs extended CRL support */
1225 /* Otherwise the CRL issuer is not on the path. Look for it in the
1233 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
1242 /* Check the path of a CRL issuer certificate. This creates a new
1253 /* Don't allow recursive CRL path validation */
1266 /* Verify CRL issuer */
1280 /* RFC3280 says nothing about the relationship between CRL path
1374 static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
1377 X509_NAME *nm = X509_CRL_get_issuer(crl);
1394 static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
1398 if (crl->idp_flags & IDP_ONLYATTR)
1402 if (crl->idp_flags & IDP_ONLYUSER)
1407 if (crl->idp_flags & IDP_ONLYCA)
1410 *preasons = crl->idp_reasons;
1414 if (crldp_check_crlissuer(dp, crl, crl_score))
1416 if (!crl->idp ||
1417 idp_check_dp(dp->distpoint, crl->idp->distpoint))
1424 if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME))
1429 /* Retrieve CRL corresponding to current certificate.
1430 * If deltas enabled try to find a delta CRL too
1440 X509_CRL *crl = NULL, *dcrl = NULL;
1444 ok = get_crl_sk(ctx, &crl, &dcrl,
1455 if (!skcrl && crl)
1458 get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl);
1464 /* If we got any kind of CRL use it and return success */
1465 if (crl)
1470 *pcrl = crl;
1478 /* Check CRL validity */
1479 static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
1486 /* if we have an alternative CRL issuer cert use that */
1490 /* Else find CRL issuer: if not last certificate then issuer
1512 if (!crl->base_crl_number)
1540 if (crl->idp_flags & IDP_INVALID)
1552 ok = check_crl_time(ctx, crl, 1);
1569 rv = X509_CRL_check_suiteb(crl, ikey, ctx->param->flags);
1577 /* Verify CRL signature */
1578 if(X509_CRL_verify(crl, ikey) <= 0)
1594 /* Check certificate against CRL */
1595 static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1599 /* The rules changed for this... previously if a CRL contained
1602 * critical extension can change the meaning of CRL entries.
1605 && (crl->flags & EXFLAG_CRITICAL))
1612 /* Look for serial number of certificate in CRL
1615 if (X509_CRL_get0_by_cert(crl, &rev, x))
1934 /* Make a delta CRL as the diff between two full CRLs */
1939 X509_CRL *crl = NULL;
1949 /* Base and new CRL must have a CRL number */
1973 /* Newer CRL number must exceed full CRL number */
1986 /* Create new CRL */
1987 crl = X509_CRL_new();
1988 if (!crl || !X509_CRL_set_version(crl, 1))
1991 if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer)))
1994 if (!X509_CRL_set_lastUpdate(crl, X509_CRL_get_lastUpdate(newer)))
1996 if (!X509_CRL_set_nextUpdate(crl, X509_CRL_get_nextUpdate(newer)))
1999 /* Set base CRL number: must be critical */
2001 if (!X509_CRL_add1_ext_i2d(crl, NID_delta_crl, base->crl_number, 1, 0))
2004 /* Copy extensions across from newest CRL to delta: this will set
2005 * CRL number to correct value too.
2012 if (!X509_CRL_add_ext(crl, ext, -1))
2033 if (!X509_CRL_add0_revoked(crl, rvtmp))
2042 if (skey && md && !X509_CRL_sign(crl, skey, md))
2045 return crl;
2049 if (crl)
2050 X509_CRL_free(crl);