p11_child: more than one CRL PEM file

Enable support for more than one CRL PEM file. p11_child parses the crl_file list passed as argument, and makes the verification using all the files. Moreover, add a new test case in the unit tests to check that the p11_child crl_file argument has been parsed correctly. Resolves: SSSD#6086 Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
ikerexxe · Apr 8, 2022 · 20944e5 · 20944e5
1 parent 30831cc
commit 20944e5
Show file tree

Hide file tree

Showing 4 changed files with 75 additions and 26 deletions.
diff --git a/src/p11_child/p11_child.h b/src/p11_child/p11_child.h
@@ -38,7 +38,8 @@ struct cert_verify_opts {
     bool verification_partial_chain;
     char *ocsp_default_responder;
     char *ocsp_default_responder_signing_cert;
-    char *crl_file;
+    char **crl_files;
+    int num_files;
     CK_MECHANISM_TYPE ocsp_dgst;
     bool soft_ocsp;
     bool soft_crl;

diff --git a/src/p11_child/p11_child_common_utils.c b/src/p11_child/p11_child_common_utils.c
@@ -43,7 +43,7 @@ static struct cert_verify_opts *init_cert_verify_opts(TALLOC_CTX *mem_ctx)
     cert_verify_opts->verification_partial_chain = false;
     cert_verify_opts->ocsp_default_responder = NULL;
     cert_verify_opts->ocsp_default_responder_signing_cert = NULL;
-    cert_verify_opts->crl_file = NULL;
+    cert_verify_opts->crl_files = NULL;
     cert_verify_opts->ocsp_dgst = CKM_SHA_1;
     cert_verify_opts->soft_ocsp = false;
     cert_verify_opts->soft_crl = false;
@@ -64,6 +64,38 @@ static struct cert_verify_opts *init_cert_verify_opts(TALLOC_CTX *mem_ctx)
 #define OCSP_DGST "ocsp_dgst="
 #define OCSP_DGST_LEN (sizeof(OCSP_DGST) -1)
 
+static errno_t parse_crl_files(char **opts, size_t c, struct cert_verify_opts *_opts)
+{
+    int ret;
+
+    if (_opts->num_files == 0) {
+        _opts->crl_files = talloc_array(_opts, char *, 1);
+    } else {
+        _opts->crl_files = talloc_realloc(_opts, _opts->crl_files,
+                                          char *, _opts->num_files + 1);
+    }
+    if (_opts->crl_files == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    _opts->crl_files[_opts->num_files] = talloc_strdup(_opts,
+                                                       &opts[c][CRL_FILE_LEN]);
+    if (_opts->crl_files[_opts->num_files] == NULL
+            || *_opts->crl_files[_opts->num_files] == '\0') {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+                "Failed to parse crl_file option [%s].\n", opts[c]);
+        ret = EINVAL;
+        goto done;
+    }
+
+    _opts->num_files++;
+    ret = EOK;
+
+done:
+    return ret;
+}
+
 errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
                                struct cert_verify_opts **_cert_verify_opts)
 {
@@ -155,13 +187,8 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
                   "Using OCSP default responder signing cert nickname [%s]\n",
                   cert_verify_opts->ocsp_default_responder_signing_cert);
         } else if (strncasecmp(opts[c], CRL_FILE, CRL_FILE_LEN) == 0) {
-            cert_verify_opts->crl_file = talloc_strdup(cert_verify_opts,
-                                                       &opts[c][CRL_FILE_LEN]);
-            if (cert_verify_opts->crl_file == NULL
-                    || *cert_verify_opts->crl_file == '\0') {
-                DEBUG(SSSDBG_CRIT_FAILURE,
-                      "Failed to parse crl_file option [%s].\n", opts[c]);
-                ret = EINVAL;
+            ret = parse_crl_files(opts, c, cert_verify_opts);
+            if (ret != EOK) {
                 goto done;
             }
         } else if (strncasecmp(opts[c], OCSP_DGST, OCSP_DGST_LEN) == 0) {

diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
@@ -645,6 +645,7 @@ errno_t init_verification(struct p11_ctx *p11_ctx,
     int ret;
     X509_STORE *store = NULL;
     unsigned long err;
+    int file_index = 0;
     X509_LOOKUP *lookup = NULL;
     X509_VERIFY_PARAM *verify_param = NULL;
 
@@ -688,22 +689,29 @@ errno_t init_verification(struct p11_ctx *p11_ctx,
         X509_VERIFY_PARAM_set_flags(verify_param, X509_V_FLAG_PARTIAL_CHAIN);
     }
 
-    if (cert_verify_opts->crl_file != NULL) {
+    if (cert_verify_opts->crl_files != NULL) {
         if ((ret = ensure_verify_param (&verify_param)) != EOK) {
             goto done;
         }
 
         X509_VERIFY_PARAM_set_flags(verify_param, (X509_V_FLAG_CRL_CHECK
                                                   | X509_V_FLAG_CRL_CHECK_ALL));
 
-        ret = X509_load_crl_file(lookup, cert_verify_opts->crl_file,
-                                 X509_FILETYPE_PEM);
-        if (ret == 0) {
-            err = ERR_get_error();
-            DEBUG(SSSDBG_OP_FAILURE, "X509_load_crl_file failed [%lu][%s].\n",
-                                     err, ERR_error_string(err, NULL));
-            ret = EIO;
-            goto done;
+        while (file_index < cert_verify_opts->num_files) {
+            ret = X509_load_crl_file(lookup,
+                                     cert_verify_opts->crl_files[file_index],
+                                     X509_FILETYPE_PEM);
+            if (ret == 0) {
+                err = ERR_get_error();
+                DEBUG(SSSDBG_OP_FAILURE,
+                      "X509_load_crl_file for [%s] failed [%lu][%s].\n",
+                      cert_verify_opts->crl_files[file_index],
+                      err, ERR_error_string(err, NULL));
+                ret = EIO;
+                goto done;
+            }
+
+            file_index++;
         }
     }
 

diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
@@ -1764,7 +1764,7 @@ static void test_parse_cert_verify_opts(void **state)
     assert_true(cv_opts->do_ocsp);
     assert_null(cv_opts->ocsp_default_responder);
     assert_null(cv_opts->ocsp_default_responder_signing_cert);
-    assert_null(cv_opts->crl_file);
+    assert_null(cv_opts->crl_files);
     talloc_free(cv_opts);
 
     ret = parse_cert_verify_opts(global_talloc_context, "wedfkwefjk", &cv_opts);
@@ -1774,7 +1774,7 @@ static void test_parse_cert_verify_opts(void **state)
     assert_true(cv_opts->do_ocsp);
     assert_null(cv_opts->ocsp_default_responder);
     assert_null(cv_opts->ocsp_default_responder_signing_cert);
-    assert_null(cv_opts->crl_file);
+    assert_null(cv_opts->crl_files);
     talloc_free(cv_opts);
 
     ret = parse_cert_verify_opts(global_talloc_context, "no_ocsp", &cv_opts);
@@ -1784,7 +1784,7 @@ static void test_parse_cert_verify_opts(void **state)
     assert_false(cv_opts->do_ocsp);
     assert_null(cv_opts->ocsp_default_responder);
     assert_null(cv_opts->ocsp_default_responder_signing_cert);
-    assert_null(cv_opts->crl_file);
+    assert_null(cv_opts->crl_files);
     talloc_free(cv_opts);
 
     ret = parse_cert_verify_opts(global_talloc_context, "no_verification",
@@ -1795,7 +1795,7 @@ static void test_parse_cert_verify_opts(void **state)
     assert_true(cv_opts->do_ocsp);
     assert_null(cv_opts->ocsp_default_responder);
     assert_null(cv_opts->ocsp_default_responder_signing_cert);
-    assert_null(cv_opts->crl_file);
+    assert_null(cv_opts->crl_files);
     talloc_free(cv_opts);
 
     ret = parse_cert_verify_opts(global_talloc_context,
@@ -1806,7 +1806,7 @@ static void test_parse_cert_verify_opts(void **state)
     assert_false(cv_opts->do_ocsp);
     assert_null(cv_opts->ocsp_default_responder);
     assert_null(cv_opts->ocsp_default_responder_signing_cert);
-    assert_null(cv_opts->crl_file);
+    assert_null(cv_opts->crl_files);
     talloc_free(cv_opts);
 
     ret = parse_cert_verify_opts(global_talloc_context,
@@ -1828,7 +1828,7 @@ static void test_parse_cert_verify_opts(void **state)
     assert_true(cv_opts->do_ocsp);
     assert_string_equal(cv_opts->ocsp_default_responder, "abc");
     assert_string_equal(cv_opts->ocsp_default_responder_signing_cert, "def");
-    assert_null(cv_opts->crl_file);
+    assert_null(cv_opts->crl_files);
     talloc_free(cv_opts);
 
     ret = parse_cert_verify_opts(global_talloc_context, "crl_file=hij",
@@ -1839,7 +1839,20 @@ static void test_parse_cert_verify_opts(void **state)
     assert_true(cv_opts->do_ocsp);
     assert_null(cv_opts->ocsp_default_responder);
     assert_null(cv_opts->ocsp_default_responder_signing_cert);
-    assert_string_equal(cv_opts->crl_file, "hij");
+    assert_string_equal(cv_opts->crl_files[0], "hij");
+    talloc_free(cv_opts);
+
+    ret = parse_cert_verify_opts(global_talloc_context,
+                                 "crl_file=file1.pem,crl_file=file2.pem",
+                                 &cv_opts);
+    assert_int_equal(ret, EOK);
+    assert_true(cv_opts->do_verification);
+    assert_false(cv_opts->verification_partial_chain);
+    assert_true(cv_opts->do_ocsp);
+    assert_null(cv_opts->ocsp_default_responder);
+    assert_null(cv_opts->ocsp_default_responder_signing_cert);
+    assert_string_equal(cv_opts->crl_files[0], "file1.pem");
+    assert_string_equal(cv_opts->crl_files[1], "file2.pem");
     talloc_free(cv_opts);
 
     ret = parse_cert_verify_opts(global_talloc_context, "partial_chain", &cv_opts);
@@ -1849,7 +1862,7 @@ static void test_parse_cert_verify_opts(void **state)
     assert_true(cv_opts->do_ocsp);
     assert_null(cv_opts->ocsp_default_responder);
     assert_null(cv_opts->ocsp_default_responder_signing_cert);
-    assert_null(cv_opts->crl_file);
+    assert_null(cv_opts->crl_files);
     talloc_free(cv_opts);
 }