Factor common parent checking code

2024-11-22 12:05:36 +01:00 · 2014-04-09 14:30:11 +02:00 · 2014-04-09 14:30:11 +02:00 · 312010e6e9
commit 312010e6e9
parent f93a3c4335
1 changed files with 37 additions and 40 deletions
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@ -1539,36 +1539,27 @@ static int x509_wildcard_verify( const char *cn, x509_buf *name )
 }

 /*
- * Iterate upwards in the given cert chain to find our parent.
- *
- * Ignore any upper cert that can't be used to sign other certificates
- * (basic constraints CA=true for now, keyUsage soon).
+ * Check if 'parent' is a suitable parent (signing CA) for 'child'.
+ * Return 0 if yes, -1 if not.
 */
-static x509_crt *x509_crt_find_parent( x509_crt *crt )
+static int x509_crt_check_parent( const x509_crt *child,
+                                  const x509_crt *parent )
 {
-    x509_crt *parent;
-
-    for( parent = crt->next; parent != NULL; parent = parent->next )
+    if( parent->version == 0 ||
+        parent->ca_istrue == 0 ||
+        child->issuer_raw.len != parent->subject_raw.len ||
+        memcmp( child->issuer_raw.p, parent->subject_raw.p,
+                child->issuer_raw.len ) != 0 )
    {
-        if( parent->version == 0 ||
-            parent->ca_istrue == 0 ||
-            crt->issuer_raw.len != parent->subject_raw.len ||
-            memcmp( crt->issuer_raw.p, parent->subject_raw.p,
-                    crt->issuer_raw.len ) != 0 )
-        {
-            continue;
-        }
-
-#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
-        if( x509_crt_check_key_usage( parent, KU_KEY_CERT_SIGN ) != 0 )
-            continue;
-#endif
-
-        /* If we get there, we found a suitable parent */
-        break;
+        return( -1 );
    }

-    return( parent );
+#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
+    if( x509_crt_check_key_usage( parent, KU_KEY_CERT_SIGN ) != 0 )
+        return( -1 );
+#endif
+
+    return( 0 );
 }

 static int x509_crt_verify_top(
@ -1606,24 +1597,12 @@ static int x509_crt_verify_top(

    while( trust_ca != NULL )
    {
-        if( trust_ca->version == 0 ||
-            trust_ca->ca_istrue == 0 ||
-            child->issuer_raw.len != trust_ca->subject_raw.len ||
-            memcmp( child->issuer_raw.p, trust_ca->subject_raw.p,
-                    child->issuer_raw.len ) != 0 )
+        if( x509_crt_check_parent( child, trust_ca ) != 0 )
        {
            trust_ca = trust_ca->next;
            continue;
        }

-#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
-        if( x509_crt_check_key_usage( trust_ca, KU_KEY_CERT_SIGN ) != 0 )
-        {
-            trust_ca = trust_ca->next;
-            continue;
-        }
-#endif
-
        /*
         * Reduce path_len to check against if top of the chain is
         * the same as the trusted CA
@ -1742,7 +1721,17 @@ static int x509_crt_verify_child(
    *flags |= x509_crt_verifycrl(child, parent, ca_crl);
 #endif

-    if( ( grandparent = x509_crt_find_parent( parent) ) != NULL )
+    /* Look for a grandparent upwards the chain */
+    for( grandparent = parent->next;
+         grandparent != NULL;
+         grandparent = grandparent->next )
+    {
+        if( x509_crt_check_parent( parent, grandparent ) == 0 )
+            break;
+    }
+
+    /* Is our parent part of the chain or at the top? */
+    if( grandparent != NULL )
    {
        /*
         * Part of the chain
@ -1837,7 +1826,15 @@ int x509_crt_verify( x509_crt *crt,
        }
    }

-    if( ( parent = x509_crt_find_parent( crt ) ) != NULL )
+    /* Look for a parent upwards the chain */
+    for( parent = crt->next; parent != NULL; parent = parent->next )
+    {
+        if( x509_crt_check_parent( crt, parent ) == 0 )
+            break;
+    }
+
+    /* Are we part of the chain or at the top? */
+    if( parent != NULL )
    {
        /*
         * Part of the chain