Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/cert/x509/cert_status.h | 1 | ||||
-rw-r--r-- | src/lib/cert/x509/certstor.cpp | 4 | ||||
-rw-r--r-- | src/lib/cert/x509/certstor.h | 4 | ||||
-rw-r--r-- | src/lib/cert/x509/x509path.cpp | 17 |
4 files changed, 13 insertions, 13 deletions
diff --git a/src/lib/cert/x509/cert_status.h b/src/lib/cert/x509/cert_status.h
index 0ff5ad5f0..d343d2e58 100644
--- a/src/lib/cert/x509/cert_status.h
+++ b/src/lib/cert/x509/cert_status.h
@@ -38,6 +38,7 @@ enum Certificate_Status_Code {
    CRL_NOT_YET_VALID,
    CRL_HAS_EXPIRED,
    CRL_NOT_FOUND,
+   CRL_BAD_SIGNATURE,
    OCSP_CERT_NOT_LISTED,
    OCSP_NOT_YET_VALID,
diff --git a/src/lib/cert/x509/certstor.cpp b/src/lib/cert/x509/certstor.cpp
index e8b3a0718..7d708edd9 100644
--- a/src/lib/cert/x509/certstor.cpp
+++ b/src/lib/cert/x509/certstor.cpp
@@ -10,7 +10,7 @@ namespace Botan {
-const X509_CRL* Certificate_Store::find_crl(const X509_Certificate&) const
+const X509_CRL* Certificate_Store::find_crl_for(const X509_Certificate&) const
    {
    return nullptr;
    }
@@ -86,7 +86,7 @@ void Certificate_Store_In_Memory::add_crl(const X509_CRL& crl)
    m_crls.push_back(crl);
    }
-const X509_CRL* Certificate_Store_In_Memory::find_crl(const X509_Certificate& subject) const
+const X509_CRL* Certificate_Store_In_Memory::find_crl_for(const X509_Certificate& subject) const
    {
    const std::vector<byte>& key_id = subject.authority_key_id();
diff --git a/src/lib/cert/x509/certstor.h b/src/lib/cert/x509/certstor.h
index fc37d8327..8c9fd9610 100644
--- a/src/lib/cert/x509/certstor.h
+++ b/src/lib/cert/x509/certstor.h
@@ -27,7 +27,7 @@ class BOTAN_DLL Certificate_Store
       virtual const X509_Certificate* find_cert(const X509_DN& subject_dn,
                                                 const std::vector<byte>& key_id) const = 0;
-      virtual const X509_CRL* find_crl(const X509_Certificate& subject) const;
+      virtual const X509_CRL* find_crl_for(const X509_Certificate& subject) const;
       bool certificate_known(const X509_Certificate& cert) const
          {
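Review bot: Inserting CRL_BAD_SIGNATURE between CRL_NOT_FOUND and OCSP_CERT_NOT_LISTED renumbers every enumerator that follows it, so any code that compares Certificate_Status_Code values numerically, orders them, or exchanges them across the BOTAN_DLL boundary with a separately built consumer changes behaviour silently. Whether that matters cannot be told from this hunk; a comment on the enum settling it, e.g. `// enumerator order is significant: new codes must be inserted in severity order` or, if the opposite holds, `// numeric values are not stable across releases`, would spare the next reader the same question, and in the latter case appending at the end keeps existing values intact. The enum begins and ends outside the hunk.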
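Review bot: The renamed virtual `find_crl_for` in Certificate_Store still carries no documentation, and its contract is what every override and caller depends on: the base returns nullptr, while the in-memory override (certstor.cpp hunk) starts its lookup from `subject.authority_key_id()`, i.e. it appears to return a CRL issued by the subject's CA rather than one that lists the subject. A Doxygen comment above the declaration along the lines of `/// Return a CRL that may cover @p subject (one issued by its CA), or nullptr if the store has none. The CRL is returned unverified; callers must check its signature and validity themselves.` would pin that down and make clear that the store is not the trust decision. The Certificate_Store class body continues outside the hunk.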
@@ -62,7 +62,7 @@ class BOTAN_DLL Certificate_Store_In_Memory : public Certificate_Store
                                         const X509_DN& subject_dn,
                                         const std::vector<byte>& key_id) const override;
-      const X509_CRL* find_crl(const X509_Certificate& subject) const override;
+      const X509_CRL* find_crl_for(const X509_Certificate& subject) const override;
    private:
       // TODO: Add indexing on the DN and key id to avoid linear search
       std::vector<X509_Certificate> m_certs;
diff --git a/src/lib/cert/x509/x509path.cpp b/src/lib/cert/x509/x509path.cpp
index edbceaadd..4f1971311 100644
--- a/src/lib/cert/x509/x509path.cpp
+++ b/src/lib/cert/x509/x509path.cpp
@@ -34,15 +34,12 @@ const X509_Certificate* find_issuing_cert(const X509_Certificate& cert,
    return nullptr;
    }
-const X509_CRL* find_crls_from(const X509_Certificate& cert,
-                               const std::vector<Certificate_Store*>& certstores)
+const X509_CRL* find_crls_for(const X509_Certificate& cert,
+                              const std::vector<Certificate_Store*>& certstores)
    {
-   const X509_DN issuer_dn = cert.subject_dn();
-   const std::vector<byte> auth_key_id = cert.subject_key_id();
    for(size_t i = 0; i != certstores.size(); ++i)
       {
-      if(const X509_CRL* crl = certstores[i]->find_crl(cert))
+      if(const X509_CRL* crl = certstores[i]->find_crl_for(cert))
          return crl;
       }
@@ -152,12 +149,12 @@ Certificate_Status_Code check_chain(const std::vector<X509_Certificate>& cert_pa
          }
       }
-      const X509_CRL* crl_p = find_crls_from(ca, certstores);
+      const X509_CRL* crl_p = find_crls_for(subject, certstores);
       if(!crl_p)
          {
          if(restrictions.require_revocation_information())
-            return Certificate_Status_Code::NO_REVOCATION_DATA;
+            return Certificate_Status_Code::CRL_NOT_FOUND;
          continue;
          }
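Review bot: `find_crls_for` returns on the first CRL any store hands back (`return crl;` inside the loop), so with several stores an expired or otherwise unusable CRL in an earlier store shadows a current one in a later store, and check_chain — which does its date and signature checks only on that single result — will then report CRL_HAS_EXPIRED even though usable revocation data was available. If that is not intended, the loop should continue past a CRL the caller would reject, which means either passing the acceptance predicate down here or returning all matches for the caller to filter; a one-line comment `// first match wins; a rejected CRL in store i hides any later store's CRL` would at least record the current behaviour. With C++11 already in use here (`nullptr`), `for(const Certificate_Store* store : certstores)` also reads better than the index loop, and a null entry in certstores is dereferenced unchecked — an `if(!store) continue;` or an assertion would make that precondition explicit. The hunk shows the whole of find_crls_for apart from its final return, which lies just past the hunk.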
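Review bot: The lookup now keys on `subject`, and the in-memory store's `find_crl_for` (certstor.cpp hunk) starts from `subject.authority_key_id()`; for a subject certificate that carries no authority key identifier that vector is empty, and what an empty key id matches is decided by code outside this diff. It is worth confirming that the empty case yields nullptr (and so CRL_NOT_FOUND here) rather than the first CRL with an equally empty id — a mismatch in that direction would surface only later, as CRL_BAD_SIGNATURE or CRL_HAS_EXPIRED against the wrong CRL. A comment at the call site, `// CRL is located via the subject's AKID; its signature is verified against ca below`, would make the coupling between this lookup and the later check_signature(ca...) explicit. The enclosing loop in check_chain starts and ends outside the hunk.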
@@ -173,7 +170,7 @@ Certificate_Status_Code check_chain(const std::vector<X509_Certificate>& cert_pa
          return Certificate_Status_Code::CRL_HAS_EXPIRED;
       if(crl.check_signature(ca.subject_public_key()) == false)
-         return Certificate_Status_Code::SIGNATURE_ERROR;
+         return Certificate_Status_Code::CRL_BAD_SIGNATURE;
       if(crl.is_revoked(subject))
          return Certificate_Status_Code::CERT_IS_REVOKED;
@@ -333,6 +330,8 @@ std::string Path_Validation_Result::status_string(Certificate_Status_Code code)
          return "CRL has expired";
       case CRL_NOT_FOUND:
          return "CRL not found";
+      case CRL_BAD_SIGNATURE:
+         return "CRL has invalid signature";
       case CA_CERT_CANNOT_SIGN:
          return "CA certificate cannot sign";
       case CA_CERT_NOT_FOR_CERT_ISSUER:
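Review bot: The CRL's signature is verified only after its validity dates have already been consulted (`CRL_HAS_EXPIRED` on the line above the change, and presumably a not-yet-valid check just before the hunk), so the status reported for a CRL whose contents are not yet trusted is decided by those unauthenticated fields; moving `if(!crl.check_signature(ca.subject_public_key())) return Certificate_Status_Code::CRL_BAD_SIGNATURE;` ahead of the date checks means every later decision, including `is_revoked`, is made on an authenticated CRL, and a tampered CRL is reported as such rather than as expired. That reordering also replaces the `== false` comparison with the idiomatic `!`. Every path here still returns a failure, so this affects which status the caller sees, not whether the chain is accepted. The surrounding loop in check_chain starts and ends outside the hunk.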