\r
UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };\r
\r
-/**\r
- Verification callback function to override any existing callbacks in OpenSSL\r
- for intermediate certificate supports.\r
-\r
- @param[in] Status Original status before calling this callback.\r
- @param[in] Context X509 store context.\r
-\r
- @retval 1 Current X509 certificate is verified successfully.\r
- @retval 0 Verification failed.\r
-\r
-**/\r
-int\r
-X509VerifyCb (\r
- IN int Status,\r
- IN X509_STORE_CTX *Context\r
- )\r
-{\r
- X509_OBJECT *Obj;\r
- INTN Error;\r
- INTN Index;\r
- INTN Count;\r
-\r
- Obj = NULL;\r
- Error = (INTN) X509_STORE_CTX_get_error (Context);\r
-\r
- //\r
- // X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT and X509_V_ERR_UNABLE_TO_GET_ISSUER_\r
- // CERT_LOCALLY mean a X509 certificate is not self signed and its issuer\r
- // can not be found in X509_verify_cert of X509_vfy.c.\r
- // In order to support intermediate certificate node, we override the\r
- // errors if the certification is obtained from X509 store, i.e. it is\r
- // a trusted ceritifcate node that is enrolled by user.\r
- // Besides,X509_V_ERR_CERT_UNTRUSTED and X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE\r
- // are also ignored to enable such feature.\r
- //\r
- if ((Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) ||\r
- (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)) {\r
- Obj = (X509_OBJECT *) malloc (sizeof (X509_OBJECT));\r
- if (Obj == NULL) {\r
- return 0;\r
- }\r
-\r
- Obj->type = X509_LU_X509;\r
- Obj->data.x509 = Context->current_cert;\r
-\r
- CRYPTO_w_lock (CRYPTO_LOCK_X509_STORE);\r
-\r
- if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {\r
- Status = 1;\r
- } else {\r
- //\r
- // If any certificate in the chain is enrolled as trusted certificate,\r
- // pass the certificate verification.\r
- //\r
- if (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) {\r
- Count = (INTN) sk_X509_num (Context->chain);\r
- for (Index = 0; Index < Count; Index++) {\r
- Obj->data.x509 = sk_X509_value (Context->chain, (int) Index);\r
- if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {\r
- Status = 1;\r
- break;\r
- }\r
- }\r
- }\r
- }\r
-\r
- CRYPTO_w_unlock (CRYPTO_LOCK_X509_STORE);\r
- }\r
-\r
- if ((Error == X509_V_ERR_CERT_UNTRUSTED) ||\r
- (Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) {\r
- Status = 1;\r
- }\r
-\r
- if (Obj != NULL) {\r
- OPENSSL_free (Obj);\r
- }\r
-\r
- return Status;\r
-}\r
-\r
/**\r
Check input P7Data is a wrapped ContentInfo structure or not. If not construct\r
a new structure to wrap P7Data.\r
goto _Exit;\r
}\r
\r
- //\r
- // Register customized X509 verification callback function to support\r
- // trusted intermediate certificate anchor.\r
- //\r
- CertStore->verify_cb = X509VerifyCb;\r
-\r
//\r
// For generic PKCS#7 handling, InData may be NULL if the content is present\r
// in PKCS#7 structure. So ignore NULL checking here.\r
goto _Exit;\r
}\r
\r
+ //\r
+ // Allow partial certificate chains, terminated by a non-self-signed but\r
+ // still trusted intermediate certificate.\r
+ //\r
+ X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);\r
+\r
//\r
// OpenSSL PKCS7 Verification by default checks for SMIME (email signing) and\r
// doesn't support the extended key usage for Authenticode Code Signing.\r