[rt-commit] r153 - in /redwax-tool/trunk: ChangeLog redwax-tool.c redwax-tool.h redwax_openssl.c
Tue Aug 29 14:45:15 CEST 2023
Author: minfrin at redwax.eu
Date: Tue Aug 29 14:45:14 2023
New Revision: 153
Log:
Add the --filter-expiry option to allow acceptance
of expired leaf and chain certificates.
Modified:
redwax-tool/trunk/ChangeLog
redwax-tool/trunk/redwax-tool.c
redwax-tool/trunk/redwax-tool.h
redwax-tool/trunk/redwax_openssl.c
Modified: redwax-tool/trunk/ChangeLog
==============================================================================
--- redwax-tool/trunk/ChangeLog (original)
+++ redwax-tool/trunk/ChangeLog Tue Aug 29 14:45:14 2023
@@ -1,5 +1,9 @@
Changes with v0.9.3
+
+ *) Add the --filter-expiry option to allow acceptance
+ of expired leaf and chain certificates. [Graham
+ Leggett]
*) Silence the search filter message to stderr when the
quiet flag is set. [Graham Leggett]
Modified: redwax-tool/trunk/redwax-tool.c
==============================================================================
--- redwax-tool/trunk/redwax-tool.c (original)
+++ redwax-tool/trunk/redwax-tool.c Tue Aug 29 14:45:14 2023
@@ -52,6 +52,7 @@
APR_HOOK_LINK(set_verify_param);
APR_HOOK_LINK(complete_verify_param);
APR_HOOK_LINK(set_verify_date);
+ APR_HOOK_LINK(set_verify_expiry);
APR_HOOK_LINK(process_pem_in);
APR_HOOK_LINK(complete_pkcs11_in);
APR_HOOK_LINK(process_pkcs11_in);
@@ -94,6 +95,8 @@
APR_IMPLEMENT_EXTERNAL_HOOK_RUN_ALL(rt, REDWAX, int, complete_verify_param,
(redwax_tool_t * r, apr_hash_t *params), (r, params), OK, DECLINED);
APR_IMPLEMENT_EXTERNAL_HOOK_RUN_ALL(rt, REDWAX, int, set_verify_date,
+ (redwax_tool_t * r, const char *arg), (r, arg), OK, DECLINED);
+APR_IMPLEMENT_EXTERNAL_HOOK_RUN_ALL(rt, REDWAX, int, set_verify_expiry,
(redwax_tool_t * r, const char *arg), (r, arg), OK, DECLINED);
APR_IMPLEMENT_EXTERNAL_HOOK_RUN_FIRST(rt, REDWAX, int, process_pem_in,
(redwax_tool_t * r, const char *arg, const char *secret), (r, arg, secret), DECLINED);
@@ -173,53 +176,54 @@
#define REDWAX_TOOL_FILTER_IP 263
#define REDWAX_TOOL_FILTER_CURRENT 264
#define REDWAX_TOOL_FILTER_DATE 265
-#define REDWAX_TOOL_CERT_OUT 266
-#define REDWAX_TOOL_NO_CERT_OUT 267
-#define REDWAX_TOOL_CHAIN_OUT 268
-#define REDWAX_TOOL_NO_CHAIN_OUT 269
-#define REDWAX_TOOL_ROOT_OUT 270
-#define REDWAX_TOOL_NO_ROOT_OUT 271
-#define REDWAX_TOOL_TRUST_OUT 272
-#define REDWAX_TOOL_NO_TRUST_OUT 273
-#define REDWAX_TOOL_CRL_OUT 274
-#define REDWAX_TOOL_NO_CRL_OUT 275
-#define REDWAX_TOOL_PARAM_OUT 276
-#define REDWAX_TOOL_NO_PARAM_OUT 277
-#define REDWAX_TOOL_KEY_IN 278
-#define REDWAX_TOOL_NO_KEY_IN 279
-#define REDWAX_TOOL_KEY_OUT 280
-#define REDWAX_TOOL_NO_KEY_OUT 281
-#define REDWAX_TOOL_AUTO_OUT 282
-#define REDWAX_TOOL_NO_AUTO_OUT 283
-#define REDWAX_TOOL_FILTER_VERIFY_PARAM 284
-#define REDWAX_TOOL_SECRET_SUFFIX_IN 285
-#define REDWAX_TOOL_SECRET_SUFFIX_OUT 286
-#define REDWAX_TOOL_SECRET_TOKEN_IN 287
-#define REDWAX_TOOL_SECRET_TOKEN_OUT 288
-#define REDWAX_TOOL_LABEL_OUT 289
-#define REDWAX_TOOL_NSS_OUT 290
-#define REDWAX_TOOL_NSS_SLOT_OUT 291
-#define REDWAX_TOOL_DER_OUT 292
-#define REDWAX_TOOL_PEM_OUT 293
-#define REDWAX_TOOL_PKCS12_OUT 294
-#define REDWAX_TOOL_PKCS11_OUT 295
-#define REDWAX_TOOL_PKCS11_MODULE_OUT 296
-#define REDWAX_TOOL_METADATA_OUT 297
-#define REDWAX_TOOL_METADATA_THRESHOLD 298
-#define REDWAX_TOOL_FORMAT_OUT 299
-#define REDWAX_TOOL_JWKS_OUT 300
-#define REDWAX_TOOL_TEXT_OUT 301
-#define REDWAX_TOOL_NO_TEXT_OUT 302
-#define REDWAX_TOOL_SSH_PRIVATE_OUT 303
-#define REDWAX_TOOL_SSH_PUBLIC_OUT 304
-#define REDWAX_TOOL_SMIMEA_OUT 305
-#define REDWAX_TOOL_SSHFP_OUT 306
-#define REDWAX_TOOL_TLSA_OUT 307
-#define REDWAX_TOOL_USER_IN 308
-#define REDWAX_TOOL_USER_OUT 309
-#define REDWAX_TOOL_GROUP_IN 310
-#define REDWAX_TOOL_GROUP_OUT 311
-#define REDWAX_TOOL_ORDER_OUT 312
+#define REDWAX_TOOL_FILTER_EXPIRY 266
+#define REDWAX_TOOL_CERT_OUT 267
+#define REDWAX_TOOL_NO_CERT_OUT 268
+#define REDWAX_TOOL_CHAIN_OUT 269
+#define REDWAX_TOOL_NO_CHAIN_OUT 270
+#define REDWAX_TOOL_ROOT_OUT 271
+#define REDWAX_TOOL_NO_ROOT_OUT 272
+#define REDWAX_TOOL_TRUST_OUT 273
+#define REDWAX_TOOL_NO_TRUST_OUT 274
+#define REDWAX_TOOL_CRL_OUT 275
+#define REDWAX_TOOL_NO_CRL_OUT 276
+#define REDWAX_TOOL_PARAM_OUT 277
+#define REDWAX_TOOL_NO_PARAM_OUT 278
+#define REDWAX_TOOL_KEY_IN 279
+#define REDWAX_TOOL_NO_KEY_IN 280
+#define REDWAX_TOOL_KEY_OUT 281
+#define REDWAX_TOOL_NO_KEY_OUT 282
+#define REDWAX_TOOL_AUTO_OUT 283
+#define REDWAX_TOOL_NO_AUTO_OUT 284
+#define REDWAX_TOOL_FILTER_VERIFY_PARAM 285
+#define REDWAX_TOOL_SECRET_SUFFIX_IN 286
+#define REDWAX_TOOL_SECRET_SUFFIX_OUT 287
+#define REDWAX_TOOL_SECRET_TOKEN_IN 288
+#define REDWAX_TOOL_SECRET_TOKEN_OUT 289
+#define REDWAX_TOOL_LABEL_OUT 290
+#define REDWAX_TOOL_NSS_OUT 291
+#define REDWAX_TOOL_NSS_SLOT_OUT 292
+#define REDWAX_TOOL_DER_OUT 293
+#define REDWAX_TOOL_PEM_OUT 294
+#define REDWAX_TOOL_PKCS12_OUT 295
+#define REDWAX_TOOL_PKCS11_OUT 296
+#define REDWAX_TOOL_PKCS11_MODULE_OUT 297
+#define REDWAX_TOOL_METADATA_OUT 298
+#define REDWAX_TOOL_METADATA_THRESHOLD 299
+#define REDWAX_TOOL_FORMAT_OUT 300
+#define REDWAX_TOOL_JWKS_OUT 301
+#define REDWAX_TOOL_TEXT_OUT 302
+#define REDWAX_TOOL_NO_TEXT_OUT 303
+#define REDWAX_TOOL_SSH_PRIVATE_OUT 304
+#define REDWAX_TOOL_SSH_PUBLIC_OUT 305
+#define REDWAX_TOOL_SMIMEA_OUT 306
+#define REDWAX_TOOL_SSHFP_OUT 307
+#define REDWAX_TOOL_TLSA_OUT 308
+#define REDWAX_TOOL_USER_IN 309
+#define REDWAX_TOOL_USER_OUT 310
+#define REDWAX_TOOL_GROUP_IN 311
+#define REDWAX_TOOL_GROUP_OUT 312
+#define REDWAX_TOOL_ORDER_OUT 313
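Review bot: Inserting `REDWAX_TOOL_FILTER_EXPIRY` as 266 renumbers the 47 option codes that follow it (lines 267–313), turning a one-line addition into a 94-line diff and making blame noisy for every unrelated option. These values are presumably only handed back by getopt_long to the `switch` in the option parser (the `optarg` use further down suggests that), so their numeric order carries no meaning; appending `#define REDWAX_TOOL_FILTER_EXPIRY 313` after `REDWAX_TOOL_ORDER_OUT` would have the same effect with one changed line. If keeping the filter codes grouped together is the intent, a comment on the block saying so would make the convention explicit for the next option added.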
#define REDWAX_EXIT_OK 0
#define REDWAX_EXIT_INIT 1
@@ -259,6 +263,7 @@
{ "filter-verify-params", REDWAX_TOOL_FILTER_VERIFY_PARAM, 1,
" --filter-verify-params=name\tSpecify the name of the set of parameters used\n\t\t\t\tfor verification. If unspecified, set to\n\t\t\t\t'default'." },
{ "filter-date", REDWAX_TOOL_FILTER_DATE, 1, " --filter-date=date\t\tSet the date to be used for certificate\n\t\t\t\tverification. If unset, it will default to the\n\t\t\t\tcurrent time. Date format is generalized time\n\t\t\t\tsyntax as defined in RFC 4517 section 3.3.13." },
+ { "filter-expiry", REDWAX_TOOL_FILTER_EXPIRY, 1, " --filter-expiry=[option]\tVerify certificate expiry. 'check' does expiry\n\t\t\t\tverification. 'ignore' allows expired\n\t\t\t\tcertificates. 'ignore-leaf' allows expired leaf\n\t\t\t\tcertificates. 'ignore-chain' allows expired\n\t\t\t\tchain certificates. Default is 'check'." },
{ "text-out", REDWAX_TOOL_TEXT_OUT, 0,
" --text-out\t\t\tInclude additional text in certificate PEM and\n\t\t\t\tmetadata output." },
{ "no-text-out", REDWAX_TOOL_NO_TEXT_OUT, 0,
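Review bot: The usage string at line 154 spells the argument as `--filter-expiry=[option]`, which reads as optional, while the table entry's `1` requires a value and the parser rejects anything outside the four keywords. Listing the choices directly, `--filter-expiry=check|ignore|ignore-leaf|ignore-chain`, matches how the value is validated and removes the brackets. Since the ignore modes disable a validity check that otherwise fails verification, a closing sentence such as `Expired certificates accepted this way are reported with a warning.` would tell operators where to look for the downgrade; whether that warning reaches stderr under the quiet flag is not visible here and worth confirming.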
@@ -2187,6 +2192,17 @@
return status;
}
+static apr_status_t redwax_set_verify_expiry(redwax_tool_t *r, const char *arg)
+{
+ apr_status_t status = rt_run_set_verify_expiry(r, arg);
+
+ if (status) {
+ r->rc = REDWAX_EXIT_OPTIONS;
+ }
+
+ return status;
+}
+
static apr_status_t redwax_set_threshold(redwax_tool_t *r, const char *arg)
{
r->threshold = atoi(arg) * 86400;
@@ -2499,6 +2515,12 @@
}
case REDWAX_TOOL_FILTER_DATE: {
if (redwax_set_verify_date(r, optarg)) {
+ return REDWAX_EXIT_OPTIONS;
+ }
+ break;
+ }
+ case REDWAX_TOOL_FILTER_EXPIRY: {
+ if (redwax_set_verify_expiry(r, optarg)) {
return REDWAX_EXIT_OPTIONS;
}
break;
Modified: redwax-tool/trunk/redwax-tool.h
==============================================================================
--- redwax-tool/trunk/redwax-tool.h (original)
+++ redwax-tool/trunk/redwax-tool.h Tue Aug 29 14:45:14 2023
@@ -58,6 +58,13 @@
REDWAX_ORDER_KEY_FIRST,
REDWAX_ORDER_KEY_LAST,
} redwax_order_e;
+
+typedef enum redwax_expiry_e {
+ REDWAX_EXPIRY_CHECK = 0,
+ REDWAX_EXPIRY_IGNORE,
+ REDWAX_EXPIRY_IGNORE_LEAF,
+ REDWAX_EXPIRY_IGNORE_CHAIN
+} redwax_expiry_e;
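Review bot: The new `redwax_expiry_e` carries no comment explaining what the four policies mean or which verification error they affect, so a reader of the header has to find the OpenSSL verify callback to learn that only `X509_V_ERR_CERT_HAS_EXPIRED` is overridden. A short block above the typedef would do: `/* Treatment of an expired certificate during chain verification: CHECK rejects it, IGNORE accepts it at any depth, IGNORE_LEAF only at depth 0, IGNORE_CHAIN only at depth > 0. */`. `REDWAX_EXPIRY_CHECK = 0` looks intended to make a zeroed context default to strict checking; if so, say that in the comment, but the initialisation of the context is not visible in this hunk so confirm it first.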
typedef struct redwax_tool_t {
apr_pool_t *pool;
@@ -106,6 +113,7 @@
apr_time_t *now;
redwax_format_e format;
redwax_order_e order;
+ redwax_expiry_e expiry;
int current;
int cert_out;
int chain_out;
@@ -612,6 +620,14 @@
(redwax_tool_t *r, const char *arg));
/**
+ * Hook to set the verification expiry.
+ *
+ * @param r The redwax-tool context.
+ */
+APR_DECLARE_EXTERNAL_HOOK(rt, REDWAX, apr_status_t, set_verify_expiry,
+ (redwax_tool_t *r, const char *arg));
+
+/**
* Hook to search for intermediate and root certificates.
*
* @param r The redwax-tool context.
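Review bot: The Doxygen block for `set_verify_expiry` documents `r` but not `arg`, so the accepted values are only discoverable by reading the OpenSSL implementation. Add `@param arg Policy keyword: "check", "ignore", "ignore-leaf" or "ignore-chain".` and `@return APR_SUCCESS, or APR_EINVAL when arg is not one of those keywords.`, which is exactly what redwax_openssl_set_verify_expiry returns in this commit. The hook is declared `apr_status_t` here but implemented with `int` in redwax-tool.c; that mirrors the existing set_verify_date pair, so it is consistent, just worth knowing if the header is ever tightened.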
Modified: redwax-tool/trunk/redwax_openssl.c
==============================================================================
--- redwax-tool/trunk/redwax_openssl.c (original)
+++ redwax-tool/trunk/redwax_openssl.c Tue Aug 29 14:45:14 2023
@@ -1397,6 +1397,30 @@
return APR_SUCCESS;
}
+static apr_status_t redwax_openssl_set_verify_expiry(redwax_tool_t *r, const char *arg)
+{
+
+ if (!strcmp(arg, "check")) {
+ r->expiry = REDWAX_EXPIRY_CHECK;
+ }
+ else if (!strcmp(arg, "ignore")) {
+ r->expiry = REDWAX_EXPIRY_IGNORE;
+ }
+ else if (!strcmp(arg, "ignore-leaf")) {
+ r->expiry = REDWAX_EXPIRY_IGNORE_LEAF;
+ }
+ else if (!strcmp(arg, "ignore-chain")) {
+ r->expiry = REDWAX_EXPIRY_IGNORE_CHAIN;
+ }
+ else {
+ redwax_print_error(r,
+ "Verify expiry not one of 'check', 'ignore', 'ignore-leaf' or 'ignore-chain': %s\n", arg);
+ return APR_EINVAL;
+ }
+
+ return APR_SUCCESS;
+}
+
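Review bot: There is a stray blank line between the opening brace and the first `if` at line 236 that the surrounding functions do not have. The four-way `strcmp` chain is fine for a fixed keyword set, but the same four spellings now live here, in the error message at line 251 and in the usage text in redwax-tool.c; a small `static const struct { const char *name; redwax_expiry_e value; }` table iterated in this function would keep the accepted spellings in one place and let the error message be generated from it. `arg` is not checked for NULL, which is acceptable because the option table requires an argument, but a one-line comment saying so would save the next reader the lookup.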
static apr_status_t redwax_openssl_complete_filter_search(redwax_tool_t *r,
apr_hash_t *filters)
{
@@ -1567,6 +1591,7 @@
X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);
char *buf = NULL;
int len = 0;
+ int depth = X509_STORE_CTX_get_error_depth(ctx);
redwax_tool_t *r =
X509_STORE_CTX_get_ex_data(ctx,
@@ -1583,7 +1608,17 @@
len = BIO_get_mem_data(bio, &buf);
}
- if (!ok) {
+ if ((r->expiry == REDWAX_EXPIRY_IGNORE
+ || (r->expiry == REDWAX_EXPIRY_IGNORE_LEAF && depth == 0)
+ || (r->expiry == REDWAX_EXPIRY_IGNORE_CHAIN && depth > 0))
+ && X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED) {
+ X509_STORE_CTX_set_error(ctx, X509_V_OK);
+ ok = 1;
+ redwax_print_error(r,
+ "verify-filter: %d: %.*s: certificate expired, accepting anyway\n",
+ X509_STORE_CTX_get_error_depth(ctx), len, buf);
+ }
+ else if (!ok) {
redwax_print_error(r,
"verify-filter: %d: %.*s: verify failed: %s\n",
X509_STORE_CTX_get_error_depth(ctx), len, buf,
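Review bot: The override branch clears the error with `X509_STORE_CTX_set_error(ctx, X509_V_OK)` and forces `ok = 1`, so after this point nothing in the context records that an expired certificate was let through; the "accepting anyway" message is the only trace, and it goes through `redwax_print_error`, which may be silenced by the quiet flag elsewhere in the tool. Consider recording the downgrade on `r` (a flag or counter) so callers can reflect it in metadata output or the exit status instead of relying on a log line. Also, the `depth` local introduced just above is used in the decision but the message at line 280 calls `X509_STORE_CTX_get_error_depth(ctx)` again; use `depth` in both places. The enclosing verify callback starts and ends outside this hunk.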
@@ -5669,6 +5704,7 @@
rt_hook_complete_verify_param(redwax_openssl_complete_verify_param, NULL, NULL, APR_HOOK_MIDDLE);
rt_hook_set_verify_param(redwax_openssl_set_verify_param, NULL, NULL, APR_HOOK_MIDDLE);
rt_hook_set_verify_date(redwax_openssl_set_verify_date, NULL, NULL, APR_HOOK_MIDDLE);
+ rt_hook_set_verify_expiry(redwax_openssl_set_verify_expiry, NULL, NULL, APR_HOOK_MIDDLE);
rt_hook_process_pem_in(redwax_openssl_process_pem_in, NULL, NULL, APR_HOOK_MIDDLE);
rt_hook_process_pkcs12_in(redwax_openssl_process_pkcs12_in, NULL, NULL, APR_HOOK_MIDDLE);
rt_hook_complete_filter(redwax_openssl_complete_filter_verify, NULL, NULL, APR_HOOK_MIDDLE);