77 /* CRL score values */
83 /* certificate is within CRL scope */
87 /* CRL times valid */
95 /* If this score or above CRL is probably valid */
99 /* CRL issuer is certificate issuer */
103 /* CRL issuer is on certificate path */
107 /* CRL issuer matches CRL AKID */
111 /* Have a delta CRL with valid times */
127 unsigned int *preasons, X509_CRL *crl, X509 *x);
133 static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
135 static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
495 * they may be needed for CRL signature verification.
607 /* CRL path validation */
870 /* If checking CRL paths this isn't the EE certificate */
886 X509_CRL *crl = NULL, *dcrl = NULL;
898 /* Try to retrieve relevant CRL */
900 ok = ctx->get_crl(ctx, &crl, x);
902 ok = get_crl_delta(ctx, &crl, &dcrl, x);
904 * If error looking up CRL, nothing we can do except notify callback
911 ctx->current_crl = crl;
912 ok = ctx->check_crl(ctx, crl);
926 /* Don't look in full CRL if delta reason is removefromCRL */
928 ok = ctx->cert_crl(ctx, crl, x);
933 X509_CRL_free(crl);
935 crl = NULL;
948 X509_CRL_free(crl);
956 /* Check CRL times against values in X509_STORE_CTX */
958 static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
963 ctx->current_crl = crl;
969 i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
986 if (X509_CRL_get_nextUpdate(crl)) {
987 i = X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
996 /* Ignore expiry of base CRL if delta is valid */
1020 X509_CRL *crl, *best_crl = NULL;
1024 crl = sk_X509_CRL_value(crls, i);
1026 crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
1029 /* If current CRL is equivalent use it if it is newer */
1033 X509_CRL_get_lastUpdate(crl)) == 0)
1042 best_crl = crl;
1070 * Compare two CRL extensions for delta checking purposes. They should be
1113 /* Delta CRL must be a delta */
1116 /* Base must have a CRL number */
1127 /* Delta CRL base number must not exceed Full CRL number. */
1130 /* Delta CRL number must exceed full CRL number */
1137 * For a given base CRL find a delta... maybe extend to delta scoring or
1164 * For a given CRL return how suitable it is for the supplied certificate
1167 * also used to determine if the CRL is suitable: if no new reasons the CRL
1172 unsigned int *preasons, X509_CRL *crl, X509 *x)
1178 /* First see if we can reject CRL straight away */
1181 if (crl->idp_flags & IDP_INVALID)
1183 /* Reason codes or indirect CRLs need extended CRL support */
1185 if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS))
1187 } else if (crl->idp_flags & IDP_REASONS) {
1189 if (!(crl->idp_reasons & ~tmp_reasons))
1193 else if (crl->base_crl_number)
1195 /* If issuer name doesn't match certificate need indirect CRL */
1196 if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) {
1197 if (!(crl->idp_flags & IDP_INDIRECT))
1202 if (!(crl->flags & EXFLAG_CRITICAL))
1206 if (check_crl_time(ctx, crl, 0))
1210 crl_akid_check(ctx, crl, pissuer, &crl_score);
1217 /* Check cert for matching CRL distribution points */
1219 if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) {
1233 static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1237 X509_NAME *cnm = X509_CRL_get_issuer(crl);
1246 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1258 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1265 /* Anything else needs extended CRL support */
1271 * Otherwise the CRL issuer is not on the path. Look for it in the set of
1278 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1289 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1298 * Check the path of a CRL issuer certificate. This creates a new
1308 /* Don't allow recursive CRL path validation */
1321 /* Verify CRL issuer */
1336 * RFC3280 says nothing about the relationship between CRL path and
1421 static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
1424 X509_NAME *nm = X509_CRL_get_issuer(crl);
1440 static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
1444 if (crl->idp_flags & IDP_ONLYATTR)
1447 if (crl->idp_flags & IDP_ONLYUSER)
1450 if (crl->idp_flags & IDP_ONLYCA)
1453 *preasons = crl->idp_reasons;
1456 if (crldp_check_crlissuer(dp, crl, crl_score)) {
1457 if (!crl->idp || idp_check_dp(dp->distpoint, crl->idp->distpoint)) {
1463 if ((!crl->idp || !crl->idp->distpoint)
1470 * Retrieve CRL corresponding to current certificate. If deltas enabled try
1471 * to find a delta CRL too
1481 X509_CRL *crl = NULL, *dcrl = NULL;
1485 ok = get_crl_sk(ctx, &crl, &dcrl,
1496 if (!skcrl && crl)
1499 get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl);
1505 /* If we got any kind of CRL use it and return success */
1506 if (crl) {
1510 *pcrl = crl;
1518 /* Check CRL validity */
1519 static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
1526 /* if we have an alternative CRL issuer cert use that */
1531 * Else find CRL issuer: if not last certificate then issuer is next
1551 if (!crl->base_crl_number) {
1577 if (crl->idp_flags & IDP_INVALID) {
1587 ok = check_crl_time(ctx, crl, 1);
1602 rv = X509_CRL_check_suiteb(crl, ikey, ctx->param->flags);
1609 /* Verify CRL signature */
1610 if (X509_CRL_verify(crl, ikey) <= 0) {
1626 /* Check certificate against CRL */
1627 static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1632 * The rules changed for this... previously if a CRL contained unhandled
1635 * change the meaning of CRL entries.
1638 && (crl->flags & EXFLAG_CRITICAL)) {
1645 * Look for serial number of certificate in CRL. If found make sure reason
1648 if (X509_CRL_get0_by_cert(crl, &rev, x)) {
1993 /* Make a delta CRL as the diff between two full CRLs */
1998 X509_CRL *crl = NULL;
2007 /* Base and new CRL must have a CRL number */
2026 /* Newer CRL number must exceed full CRL number */
2037 /* Create new CRL */
2038 crl = X509_CRL_new();
2039 if (!crl || !X509_CRL_set_version(crl, 1))
2042 if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer)))
2045 if (!X509_CRL_set_lastUpdate(crl, X509_CRL_get_lastUpdate(newer)))
2047 if (!X509_CRL_set_nextUpdate(crl, X509_CRL_get_nextUpdate(newer)))
2050 /* Set base CRL number: must be critical */
2052 if (!X509_CRL_add1_ext_i2d(crl, NID_delta_crl, base->crl_number, 1, 0))
2056 * Copy extensions across from newest CRL to delta: this will set CRL
2063 if (!X509_CRL_add_ext(crl, ext, -1))
2082 if (!X509_CRL_add0_revoked(crl, rvtmp)) {
2090 if (skey && md && !X509_CRL_sign(crl, skey, md))
2093 return crl;
2097 if (crl)
2098 X509_CRL_free(crl);