Fix a bug introduced in 1.11.6 where we tried to check CRL signatures

against the wrong key, causing any check to fail. Clean up the NIST X.509 path validation tests and run them by default.
author: lloyd <[email protected]> 2014-02-08 15:50:01 +0000
committer: lloyd <[email protected]> 2014-02-08 15:50:01 +0000
commit: 7def8d303e3cf0f1a27ee8ebcb8ae5137261a361 (patch)
tree: 144e644bda4c58b80a9f8b9422bc6e723701e4b1 /src/lib/cert
parent: 1895c74f25debdf1a9d1ca9e539ec6cb598012a7 (diff)
4 files changed, 13 insertions, 13 deletions
diff --git a/src/lib/cert/x509/cert_status.h b/src/lib/cert/x509/cert_status.h
index 0ff5ad5f0..d343d2e58 100644
--- a/src/lib/cert/x509/cert_status.h
+++ b/src/lib/cert/x509/cert_status.h
@@ -38,6 +38,7 @@ enum Certificate_Status_Code {
    CRL_NOT_YET_VALID,
    CRL_HAS_EXPIRED,
    CRL_NOT_FOUND,
+   CRL_BAD_SIGNATURE,
 
    OCSP_CERT_NOT_LISTED,
    OCSP_NOT_YET_VALID,
diff --git a/src/lib/cert/x509/certstor.cpp b/src/lib/cert/x509/certstor.cpp
index e8b3a0718..7d708edd9 100644
--- a/src/lib/cert/x509/certstor.cpp
+++ b/src/lib/cert/x509/certstor.cpp
@@ -10,7 +10,7 @@
 
 namespace Botan {
 
-const X509_CRL* Certificate_Store::find_crl(const X509_Certificate&) const
+const X509_CRL* Certificate_Store::find_crl_for(const X509_Certificate&) const
    {
    return nullptr;
    }
@@ -86,7 +86,7 @@ void Certificate_Store_In_Memory::add_crl(const X509_CRL& crl)
    m_crls.push_back(crl);
    }
 
-const X509_CRL* Certificate_Store_In_Memory::find_crl(const X509_Certificate& subject) const
+const X509_CRL* Certificate_Store_In_Memory::find_crl_for(const X509_Certificate& subject) const
    {
    const std::vector<byte>& key_id = subject.authority_key_id();
 
diff --git a/src/lib/cert/x509/certstor.h b/src/lib/cert/x509/certstor.h
index fc37d8327..8c9fd9610 100644
--- a/src/lib/cert/x509/certstor.h
+++ b/src/lib/cert/x509/certstor.h
@@ -27,7 +27,7 @@ class BOTAN_DLL Certificate_Store
       virtual const X509_Certificate*
          find_cert(const X509_DN& subject_dn, const std::vector<byte>& key_id) const = 0;
 
-      virtual const X509_CRL* find_crl(const X509_Certificate& subject) const;
+      virtual const X509_CRL* find_crl_for(const X509_Certificate& subject) const;
 
       bool certificate_known(const X509_Certificate& cert) const
          {
@@ -62,7 +62,7 @@ class BOTAN_DLL Certificate_Store_In_Memory : public Certificate_Store
          const X509_DN& subject_dn,
          const std::vector<byte>& key_id) const override;
 
-      const X509_CRL* find_crl(const X509_Certificate& subject) const override;
+      const X509_CRL* find_crl_for(const X509_Certificate& subject) const override;
    private:
       // TODO: Add indexing on the DN and key id to avoid linear search
       std::vector<X509_Certificate> m_certs;
diff --git a/src/lib/cert/x509/x509path.cpp b/src/lib/cert/x509/x509path.cpp
index edbceaadd..4f1971311 100644
--- a/src/lib/cert/x509/x509path.cpp
+++ b/src/lib/cert/x509/x509path.cpp
@@ -34,15 +34,12 @@ const X509_Certificate* find_issuing_cert(const X509_Certificate& cert,
    return nullptr;
    }
 
-const X509_CRL* find_crls_from(const X509_Certificate& cert,
-                               const std::vector<Certificate_Store*>& certstores)
+const X509_CRL* find_crls_for(const X509_Certificate& cert,
+                              const std::vector<Certificate_Store*>& certstores)
    {
-   const X509_DN issuer_dn = cert.subject_dn();
-   const std::vector<byte> auth_key_id = cert.subject_key_id();
-
    for(size_t i = 0; i != certstores.size(); ++i)
       {
-      if(const X509_CRL* crl = certstores[i]->find_crl(cert))
+      if(const X509_CRL* crl = certstores[i]->find_crl_for(cert))
          return crl;
       }
 
@@ -152,12 +149,12 @@ Certificate_Status_Code check_chain(const std::vector<X509_Certificate>& cert_pa
             }
          }
 
-      const X509_CRL* crl_p = find_crls_from(ca, certstores);
+      const X509_CRL* crl_p = find_crls_for(subject, certstores);
 
       if(!crl_p)
          {
          if(restrictions.require_revocation_information())
-            return Certificate_Status_Code::NO_REVOCATION_DATA;
+            return Certificate_Status_Code::CRL_NOT_FOUND;
          continue;
          }
 
@@ -173,7 +170,7 @@ Certificate_Status_Code check_chain(const std::vector<X509_Certificate>& cert_pa
          return Certificate_Status_Code::CRL_HAS_EXPIRED;
 
       if(crl.check_signature(ca.subject_public_key()) == false)
-         return Certificate_Status_Code::SIGNATURE_ERROR;
+         return Certificate_Status_Code::CRL_BAD_SIGNATURE;
 
       if(crl.is_revoked(subject))
          return Certificate_Status_Code::CERT_IS_REVOKED;
@@ -333,6 +330,8 @@ std::string Path_Validation_Result::status_string(Certificate_Status_Code code)
          return "CRL has expired";
       case CRL_NOT_FOUND:
          return "CRL not found";
+      case CRL_BAD_SIGNATURE:
+         return "CRL has invalid signature";
       case CA_CERT_CANNOT_SIGN:
          return "CA certificate cannot sign";
       case CA_CERT_NOT_FOR_CERT_ISSUER:
author	lloyd <[email protected]>	2014-02-08 15:50:01 +0000
committer	lloyd <[email protected]>	2014-02-08 15:50:01 +0000
commit	7def8d303e3cf0f1a27ee8ebcb8ae5137261a361 (patch)
tree	144e644bda4c58b80a9f8b9422bc6e723701e4b1 /src/lib/cert
parent	1895c74f25debdf1a9d1ca9e539ec6cb598012a7 (diff)