diff options
Diffstat (limited to 'ext')
| -rw-r--r-- | ext/POW.c | 91 |
1 files changed, 7 insertions, 84 deletions
@@ -1177,82 +1177,6 @@ _record_validation_status(PyObject *status, const char *code) return result == 0; } -/* - * Validation callback code for use with x509_verify_cert(). - * - * There's no direct way to handle exceptions here, so we're depending - * on x509_store_object_verify() calling PyErr_Occurred() to check - * (which it has to do anyway to handle exceptions generated by Python - * callback handlers. - */ - -#warning Probably most of this callback handler should become Python code - -static int -validation_status_x509_verify_cert_cb(int ok, X509_STORE_CTX *ctx, PyObject *status) -{ - switch (ctx->error) { - case X509_V_OK: - return ok; - - case X509_V_ERR_SUBJECT_ISSUER_MISMATCH: - /* - * Informational events, not really errors. ctx->check_issued() - * is called in many places where failure to find an issuer is not - * a failure for the calling function. Just leave these alone. - */ -#warning Could be done in Python - return ok; - - case X509_V_ERR_CRL_HAS_EXPIRED: - /* - * This isn't really an error, because CRLs don't really - * "expire". - */ - -#warning Could be done in Python - return 1; - - case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: - /* - * This is another error that's only an error in the strange world - * of OpenSSL, but a more serious one. By default, OpenSSL - * expects all trust anchors to be self-signed. This is not a - * PKIX requirement, it's just an OpenSSL thing, but one violates - * it at one's peril, because the only way to convince OpenSSL to - * allow a non-self-signed trust anchor is to intercept this - * "error" in the verify callback handler. - * - * So this program supports non-self-signed trust anchors, but be - * warned that enabling this feature may cause this program's - * output not to work with other OpenSSL-based applications. - */ -#warning Could be done in Python -#if 0 - if (allow_non_self_signed_trust_anchor) - ok = 1; -#endif - record_validation_status(status, TRUST_ANCHOR_NOT_SELF_SIGNED); - return ok; - - /* - * Handle all other OpenSSL verify errors by stuffing an integer - * into the status set. - */ -#warning Could be done in Python - default: - if (status != Py_None) { - PyObject *value = PyInt_FromLong(ctx->error); - PySet_Add(status, value); - Py_XDECREF(value); - } - return ok; - } - - error: - return ok; -} - /* @@ -1425,7 +1349,7 @@ static int check_x509(X509 *x, ok = sk_ACCESS_DESCRIPTION_num(aia) > 0; for (i = 0; ok && i < sk_ACCESS_DESCRIPTION_num(aia); i++) { ACCESS_DESCRIPTION *a = sk_ACCESS_DESCRIPTION_value(aia, i); - ok = (a != NULL && a->location->type == GEN_URI || + ok = (a != NULL && a->location->type == GEN_URI && OBJ_obj2nid(a->method) == NID_ad_ca_issuers); } if (!ok) @@ -4958,13 +4882,6 @@ x509_store_ctx_object_verify_cb(int ok, X509_STORE_CTX *ctx) if (self == NULL) return ok; - /* - * This is where we'd extract flags (allow_*, etc) to pass to the callback handler. - */ - - if (self->status != NULL && self->status != Py_None) - ok = validation_status_x509_verify_cert_cb(ok, ctx, self->status); - if (!PyObject_HasAttrString((PyObject *) self, method_name)) return ok; @@ -7834,6 +7751,9 @@ manifest_object_verify(manifest_object *self, PyObject *args, PyObject *kwds) lose_openssl_error("Couldn't decode manifest"); } + if (status != Py_None && !check_cms(self->cms.cms, status)) + goto error; + if (status != Py_None && !check_manifest(self->cms.cms, self->manifest, status)) goto error; @@ -8515,6 +8435,9 @@ roa_object_verify(roa_object *self, PyObject *args, PyObject *kwds) lose_openssl_error("Couldn't decode ROA"); } + if (status != Py_None && !check_cms(self->cms.cms, status)) + goto error; + if (status != Py_None && !check_roa(self->cms.cms, self->roa, status)) goto error; |