version 1.46, 2005/02/23 19:34:37
|
version 1.47, 2005/03/01 22:50:14
|
|
|
// Callback function that is called by the OpenSSL library. This function | // Callback function that is called by the OpenSSL library. This function |
// checks whether the certificate is listed in any of the CRL's | // checks whether the certificate is listed in any of the CRL's |
// | // |
|
// return 1 if revoked, 0 otherwise |
|
// |
int SSLCallback::verificationCRLCallback(int ok, X509_STORE_CTX *ctx, X509_STORE* sslCRLStore) | int SSLCallback::verificationCRLCallback(int ok, X509_STORE_CTX *ctx, X509_STORE* sslCRLStore) |
{ | { |
PEG_METHOD_ENTER(TRC_SSL, "SSLCallback::verificationCRLCallback"); | PEG_METHOD_ENTER(TRC_SSL, "SSLCallback::verificationCRLCallback"); |
|
|
if (sslCRLStore == NULL) | if (sslCRLStore == NULL) |
{ | { |
PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL3, "---> SSL: CRL store is NULL"); | PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL3, "---> SSL: CRL store is NULL"); |
return ok; |
return 0; |
} | } |
| |
//get the current certificate info | //get the current certificate info |
|
|
| |
//initialize the CRL store | //initialize the CRL store |
X509_STORE_CTX crlStoreCtx; | X509_STORE_CTX crlStoreCtx; |
if (!X509_STORE_CTX_init(&crlStoreCtx, sslCRLStore, NULL, NULL)) |
X509_STORE_CTX_init(&crlStoreCtx, sslCRLStore, NULL, NULL); |
{ |
|
//fail if a CRL store was specified but we cannot open it |
|
PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL2, "---> SSL: Error: Could not initialize CRL store context"); |
|
return 0; |
|
} |
|
| |
PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "---> SSL: Initialized CRL store"); | PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "---> SSL: Initialized CRL store"); |
| |
|
|
if (X509_STORE_get_by_subject(&crlStoreCtx, X509_LU_CRL, issuerName, &obj) <= 0) | if (X509_STORE_get_by_subject(&crlStoreCtx, X509_LU_CRL, issuerName, &obj) <= 0) |
{ | { |
PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL3, "---> SSL: No CRL by that issuer"); | PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL3, "---> SSL: No CRL by that issuer"); |
return ok; |
return 0; |
} | } |
X509_STORE_CTX_cleanup(&crlStoreCtx); | X509_STORE_CTX_cleanup(&crlStoreCtx); |
| |
|
|
if (crl == NULL) | if (crl == NULL) |
{ | { |
PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "---> SSL: CRL is null"); | PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "---> SSL: CRL is null"); |
return ok; |
return 0; |
} else | } else |
{ | { |
PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "---> SSL: Found CRL by that issuer"); | PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "---> SSL: Found CRL by that issuer"); |
|
|
{ | { |
PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL2, "---> SSL: Certificate is revoked"); | PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL2, "---> SSL: Certificate is revoked"); |
X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED); | X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED); |
return 0; |
return 1; |
} | } |
} | } |
| |
PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "---> SSL: Certificate is not revoked at this level"); | PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "---> SSL: Certificate is not revoked at this level"); |
| |
PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
return ok; |
return 0; |
} | } |
| |
// | // |
|
|
Tracer::trace(TRC_SSL, Tracer::LEVEL4, | Tracer::trace(TRC_SSL, Tracer::LEVEL4, |
"--->SSL: No verification callback specified"); | "--->SSL: No verification callback specified"); |
| |
if (exData->_crlStore == NULL) |
if (exData->_crlStore != NULL) |
{ |
|
PEG_METHOD_EXIT(); |
|
return (preVerifyOk); |
|
} else |
|
{ | { |
revoked = verificationCRLCallback(preVerifyOk,ctx,exData->_crlStore); | revoked = verificationCRLCallback(preVerifyOk,ctx,exData->_crlStore); |
Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL: CRL callback returned %d", revoked); | Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL: CRL callback returned %d", revoked); |
| |
if (revoked == 0) //with the SSL callbacks '0' indicates failure |
if (revoked) //with the SSL callbacks '0' indicates failure |
{ | { |
PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
return 0; | return 0; |
|
|
// | // |
// Check to see if a CRL path is defined | // Check to see if a CRL path is defined |
// | // |
if (exData->_crlStore) |
if (exData->_crlStore != NULL) |
{ | { |
revoked = verificationCRLCallback(preVerifyOk,ctx,exData->_crlStore); | revoked = verificationCRLCallback(preVerifyOk,ctx,exData->_crlStore); |
Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL: CRL callback returned %d", revoked); | Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL: CRL callback returned %d", revoked); |
| |
if (revoked == 0) //with the SSL callbacks '0' indicates failure |
if (revoked) //with the SSL callbacks '0' indicates failure |
{ | { |
PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
return 0; | return 0; |
} | } |
} | } |
| |
|
Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL: CRL callback returned %d", revoked); |
|
|
// | // |
// get the current certificate | // get the current certificate |
// | // |