mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2025-01-25 21:01:27 +00:00
Skip to trusted certs early in the chain
This helps in the case where an intermediate certificate is directly trusted.
In that case we want to ignore what comes after it in the chain, not only for
performance but also to avoid false negatives (eg an old root being no longer
trusted while the newer intermediate is directly trusted).
see #220
backport of fdbdd72
This commit is contained in:
parent
15f1088ef6
commit
1c38550bbd
|
@ -1930,6 +1930,25 @@ static int x509_crt_verify_child(
|
||||||
*flags |= x509_crt_verifycrl(child, parent, ca_crl);
|
*flags |= x509_crt_verifycrl(child, parent, ca_crl);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
/* Look for a grandparent in trusted CAs */
|
||||||
|
for( grandparent = trust_ca;
|
||||||
|
grandparent != NULL;
|
||||||
|
grandparent = grandparent->next )
|
||||||
|
{
|
||||||
|
if( x509_crt_check_parent( parent, grandparent,
|
||||||
|
0, path_cnt == 0 ) == 0 )
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
if( grandparent != NULL )
|
||||||
|
{
|
||||||
|
ret = x509_crt_verify_top( parent, grandparent, ca_crl,
|
||||||
|
path_cnt + 1, &parent_flags, f_vrfy, p_vrfy );
|
||||||
|
if( ret != 0 )
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
/* Look for a grandparent upwards the chain */
|
/* Look for a grandparent upwards the chain */
|
||||||
for( grandparent = parent->next;
|
for( grandparent = parent->next;
|
||||||
grandparent != NULL;
|
grandparent != NULL;
|
||||||
|
@ -1944,17 +1963,20 @@ static int x509_crt_verify_child(
|
||||||
if( grandparent != NULL )
|
if( grandparent != NULL )
|
||||||
{
|
{
|
||||||
ret = x509_crt_verify_child( parent, grandparent, trust_ca, ca_crl,
|
ret = x509_crt_verify_child( parent, grandparent, trust_ca, ca_crl,
|
||||||
path_cnt + 1, &parent_flags, f_vrfy, p_vrfy );
|
path_cnt + 1, &parent_flags,
|
||||||
|
f_vrfy, p_vrfy );
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
ret = x509_crt_verify_top( parent, trust_ca, ca_crl,
|
ret = x509_crt_verify_top( parent, trust_ca, ca_crl,
|
||||||
path_cnt + 1, &parent_flags, f_vrfy, p_vrfy );
|
path_cnt + 1, &parent_flags,
|
||||||
|
f_vrfy, p_vrfy );
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/* child is verified to be a child of the parent, call verify callback */
|
/* child is verified to be a child of the parent, call verify callback */
|
||||||
if( NULL != f_vrfy )
|
if( NULL != f_vrfy )
|
||||||
|
@ -2035,6 +2057,22 @@ int x509_crt_verify( x509_crt *crt,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Look for a parent in trusted CAs */
|
||||||
|
for( parent = trust_ca; parent != NULL; parent = parent->next )
|
||||||
|
{
|
||||||
|
if( x509_crt_check_parent( crt, parent, 0, pathlen == 0 ) == 0 )
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
if( parent != NULL )
|
||||||
|
{
|
||||||
|
ret = x509_crt_verify_top( crt, parent, ca_crl,
|
||||||
|
pathlen, flags, f_vrfy, p_vrfy );
|
||||||
|
if( ret != 0 )
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
/* Look for a parent upwards the chain */
|
/* Look for a parent upwards the chain */
|
||||||
for( parent = crt->next; parent != NULL; parent = parent->next )
|
for( parent = crt->next; parent != NULL; parent = parent->next )
|
||||||
{
|
{
|
||||||
|
@ -2057,6 +2095,7 @@ int x509_crt_verify( x509_crt *crt,
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if( *flags != 0 )
|
if( *flags != 0 )
|
||||||
return( POLARSSL_ERR_X509_CERT_VERIFY_FAILED );
|
return( POLARSSL_ERR_X509_CERT_VERIFY_FAILED );
|
||||||
|
|
|
@ -723,6 +723,10 @@ X509 Certificate verification callback: intermediate ca, root included
|
||||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_RSA_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP384R1_ENABLED:POLARSSL_PKCS1_V15:POLARSSL_SHA256_C
|
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_RSA_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP384R1_ENABLED:POLARSSL_PKCS1_V15:POLARSSL_SHA256_C
|
||||||
x509_verify_callback:"data_files/server7_int-ca_ca2.crt":"data_files/test-ca_cat12.crt":0:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost\n"
|
x509_verify_callback:"data_files/server7_int-ca_ca2.crt":"data_files/test-ca_cat12.crt":0:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost\n"
|
||||||
|
|
||||||
|
X509 Certificate verification callback: intermediate ca trusted
|
||||||
|
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_RSA_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP384R1_ENABLED:POLARSSL_PKCS1_V15:POLARSSL_SHA256_C
|
||||||
|
x509_verify_callback:"data_files/server7_int-ca_ca2.crt":"data_files/test-int-ca.crt":0:"depth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost\n"
|
||||||
|
|
||||||
X509 Certificate verification callback: two intermediates
|
X509 Certificate verification callback: two intermediates
|
||||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_RSA_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP384R1_ENABLED:POLARSSL_PKCS1_V15:POLARSSL_SHA256_C
|
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_RSA_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP384R1_ENABLED:POLARSSL_PKCS1_V15:POLARSSL_SHA256_C
|
||||||
x509_verify_callback:"data_files/server10_int3_int-ca2.crt":"data_files/test-ca_cat21.crt":0:"depth 3 - serial 00 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA\ndepth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3\ndepth 0 - serial 4B - subject CN=localhost\n"
|
x509_verify_callback:"data_files/server10_int3_int-ca2.crt":"data_files/test-ca_cat21.crt":0:"depth 3 - serial 00 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA\ndepth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3\ndepth 0 - serial 4B - subject CN=localhost\n"
|
||||||
|
@ -731,6 +735,14 @@ X509 Certificate verification callback: two intermediates, root included
|
||||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_RSA_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP384R1_ENABLED:POLARSSL_PKCS1_V15:POLARSSL_SHA256_C
|
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_RSA_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP384R1_ENABLED:POLARSSL_PKCS1_V15:POLARSSL_SHA256_C
|
||||||
x509_verify_callback:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-ca_cat21.crt":0:"depth 3 - serial 00 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA\ndepth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3\ndepth 0 - serial 4B - subject CN=localhost\n"
|
x509_verify_callback:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-ca_cat21.crt":0:"depth 3 - serial 00 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA\ndepth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3\ndepth 0 - serial 4B - subject CN=localhost\n"
|
||||||
|
|
||||||
|
X509 Certificate verification callback: two intermediates, top int trusted
|
||||||
|
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_RSA_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP384R1_ENABLED:POLARSSL_PKCS1_V15:POLARSSL_SHA256_C
|
||||||
|
x509_verify_callback:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":0:"depth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3\ndepth 0 - serial 4B - subject CN=localhost\n"
|
||||||
|
|
||||||
|
X509 Certificate verification callback: two intermediates, low int trusted
|
||||||
|
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_RSA_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP384R1_ENABLED:POLARSSL_PKCS1_V15:POLARSSL_SHA256_C
|
||||||
|
x509_verify_callback:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-int-ca3.crt":0:"depth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3\ndepth 0 - serial 4B - subject CN=localhost\n"
|
||||||
|
|
||||||
X509 Parse Selftest
|
X509 Parse Selftest
|
||||||
depends_on:POLARSSL_SHA1_C:POLARSSL_PEM_PARSE_C:POLARSSL_CERTS_C
|
depends_on:POLARSSL_SHA1_C:POLARSSL_PEM_PARSE_C:POLARSSL_CERTS_C
|
||||||
x509_selftest:
|
x509_selftest:
|
||||||
|
|
Loading…
Reference in a new issue