[openssl-dev] [openssl-users] Failed to access LDAP server when a valid certificate is at <hash>.1+
Misaki Miyashita
misaki.miyashita at oracle.com
Mon Jan 8 22:46:15 UTC 2018
(switching the alias to openssl-dev at openssl.org)
I would like to suggest the following fix so that a valid certificate at
<hash>.x can be recognized during the cert validation even when <hash>.0
is linking to a bad/expired certificate. This may not be the most
elegant solution, but it is a minimal change with low impact to the rest
of the code.
Could I possibly get a review on the change? and possibly be considered
to be integrated to the upstream?
(This is for the 1.0.1 branch)
Thanks in advance.
-- misaki
--- a/crypto/x509/x509_vfy.c 2017-11-02 07:32:58.000000000 -0700
+++ b/crypto/x509/x509_vfy.c 2017-12-11 12:37:55.591835780 -0800
@@ -185,6 +185,39 @@
return xtmp;
}
+/*
+ * Look through the trust store setup by get_issuer() and
+ * return the certificate which matches the server cert 'x'
+ * via 'xtmp'.
+ */
+static int X509_get_cert(X509 **xtmp, X509_STORE_CTX *ctx, X509 *x)
+{
+ X509_OBJECT *tmp;
+ int i;
+ int ret = 0;
+
+ CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+ for (i = 0; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++) {
+ tmp = sk_X509_OBJECT_value(ctx->ctx->objs, i);
+ if (tmp == NULL) {
+ goto exit;
+ }
+ if (X509_cmp(tmp->data.x509, x) == 0) {
+ /*
+ * Found the cert in the trust store which matches the
+ * server cert. Increment the ref count and return.
+ */
+ X509_OBJECT_up_ref_count(tmp);
+ *xtmp = tmp->data.x509;
+ ret = 1;
+ goto exit;
+ }
+ }
+exit:
+ CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+ return ret;
+}
+
int X509_verify_cert(X509_STORE_CTX *ctx)
{
X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
@@ -316,9 +350,13 @@
* We have a single self signed certificate: see if we can
* find it in the store. We must have an exact match
to avoid
* possible impersonation.
+ * get_issuer() sets up the trust store for the subject and
+ * returns the first cert via 'xtmp'. The first cert in the
+ * trust store may not be the certificate that we are
interested
+ * in. Look through the trust store to see there is an
exact match.
*/
ok = ctx->get_issuer(&xtmp, ctx, x);
- if ((ok <= 0) || X509_cmp(x, xtmp)) {
+ if ((ok <= 0) || (X509_get_cert(&xtmp, ctx, x) != 1)) {
ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
ctx->current_cert = x;
ctx->error_depth = i - 1;
On 10/21/17 03:21 PM, Viktor Dukhovni wrote:
>
> On Oct 21, 2017, at 11:20 AM, Misaki Miyashita <misaki.miyashita at oracle.com> wrote:
>
>> We encountered a problem using OpenLDAP with OpenSSL when there were more than one certificate with the same subject.
>>
>> Does OpenSSL stop searching for a valid certificate when it finds a certificate with matching DN?
> Yes, when a matching issuer is found in the trust store, but is expired
> no alternative certificates will be tested. You need to remove outdated
> issuer certificates from your trust store before they expire.
>
More information about the openssl-dev
mailing list