From 1bc7fc36b8e61759b914a8d5b4a503aa2c4cd8d2 Mon Sep 17 00:00:00 2001
From: olszomal <Malgorzata.Olszowka@stunnel.org>
Date: Fri, 16 Feb 2024 14:09:27 +0100
Subject: [PATCH] Connect to CRL Distribution Points through the configured
proxy when verifying
---
NEWS.md | 6 ++++--
osslsigncode.c | 38 +++++++++++++++++++++++++++++++-------
2 files changed, 35 insertions(+), 9 deletions(-)
diff --git a/NEWS.md b/NEWS.md
index 5d26d40..800e36b 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -11,8 +11,10 @@
by using the "-verbose" option
- added new command "extract-data" to extract a PKCS#7 data content to be signed
- PKCS9_SEQUENCE_NUMBER authenticated attribute support
-- added the "-ignore-cdp" option to disable CRL Distribution Points
- online verification
+- added the "-ignore-cdp" option to disable CRL Distribution Points (CDP)
+ online verification, inability to retrieve CRL from CDP is a critical error
+- modified the "-p" option to also connect to CRL Distribution Points
+ through the configured proxy when verifying
### 2.7 (2023.09.19)
diff --git a/osslsigncode.c b/osslsigncode.c
index 500746f..8f0df52 100644
--- a/osslsigncode.c
+++ b/osslsigncode.c
@@ -227,6 +227,26 @@ static PKCS7 *pkcs7_get_sigfile(FILE_FORMAT_CTX *ctx);
static int blob_has_nl = 0;
+static void print_proxy(char *proxy)
+{
+ if (proxy) {
+ printf ("Using configured proxy: %s\n", proxy);
+ } else {
+ char *http_proxy, *https_proxy;
+
+ http_proxy = getenv("http_proxy");
+ if (!http_proxy)
+ http_proxy = getenv("HTTP_PROXY");
+ if (http_proxy && *http_proxy != '\0')
+ printf ("Using environmental HTTP proxy: %s\n", http_proxy);
+ https_proxy = getenv("https_proxy");
+ if (!https_proxy)
+ https_proxy = getenv("HTTPS_PROXY");
+ if (https_proxy && *https_proxy != '\0')
+ printf ("Using environmental HTTPS proxy: %s\n", https_proxy);
+ }
+}
+
/*
* Callback for writing received data
*/
@@ -527,6 +547,7 @@ static BIO *bio_get_http(long *http_code, char *url, BIO *bout, char *proxy,
if (!url) {
return NULL; /* FAILED */
}
+ print_proxy(proxy);
/* Start a libcurl easy session and set options for a curl easy handle */
printf("Connecting to %s\n", url);
curl = curl_easy_init();
@@ -1591,16 +1612,17 @@ out:
/*
* Get Certificate Revocation List from a CRL distribution point
* and write it into the X509_CRL structure.
+ * [in] proxy: proxy to getting CRL through
* [in] url: URL of the CRL distribution point server
* [returns] X509 Certificate Revocation List
*/
-static X509_CRL *x509_crl_get(char *url)
+static X509_CRL *x509_crl_get(char *proxy, char *url)
{
X509_CRL *crl;
BIO *bio;
long http_code = -1;
- bio = bio_get_http(&http_code, url, NULL, NULL, 0, 1, 0);
+ bio = bio_get_http(&http_code, url, NULL, proxy, 0, 1, 0);
if (!bio) {
printf("Warning: Faild to get CRL from %s\n\n", url);
return NULL; /* FAILED */
@@ -1798,11 +1820,12 @@ static int verify_timestamp(FILE_FORMAT_CTX *ctx, PKCS7 *p7, CMS_ContentInfo *ti
printf("Ignored TSA's CRL distribution point: %s\n", url);
} else {
printf("TSA's CRL distribution point: %s\n", url);
- crl = x509_crl_get(url);
+ crl = x509_crl_get(ctx->options->proxy, url);
}
OPENSSL_free(url);
if (!crl && !ctx->options->tsa_crlfile) {
printf("Use the \"-TSA-CRLfile\" option to add one or more Time-Stamp Authority CRLs in PEM format.\n");
+ goto out;
}
}
#endif /* ENABLE_CURL */
@@ -1923,7 +1946,7 @@ static int verify_authenticode(FILE_FORMAT_CTX *ctx, PKCS7 *p7, time_t time, X50
printf("Ignored CRL distribution point: %s\n", url);
} else {
printf("CRL distribution point: %s\n", url);
- crl = x509_crl_get(url);
+ crl = x509_crl_get(ctx->options->proxy, url);
}
OPENSSL_free(url);
if (!crl && !ctx->options->crlfile) {
@@ -3037,6 +3060,7 @@ static void usage(const char *argv0, const char *cmd)
printf("%12s[ -CRLfile <infile> ]\n", "");
printf("%12s[ -TSA-CAfile <infile> ]\n", "");
printf("%12s[ -TSA-CRLfile <infile> ]\n", "");
+ printf("%12s[ -p <proxy> ]\n", "");
printf("%12s[ -index <index> ]\n", "");
printf("%12s[ -ignore-timestamp ]\n", "");
printf("%12s[ -ignore-cdp ]\n", "");
@@ -3090,7 +3114,7 @@ static void help_for(const char *argv0, const char *cmd)
const char *cmds_out[] = {"add", "attach-signature", "extract-signature",
"remove-signature", "sign", "extract-data", NULL};
#ifdef ENABLE_CURL
- const char *cmds_p[] = {"add", "sign", NULL};
+ const char *cmds_p[] = {"add", "sign", "verify", NULL};
#endif /* ENABLE_CURL */
const char *cmds_pass[] = {"sign", NULL};
const char *cmds_pem[] = {"sign", "extract-data", "extract-signature", NULL};
@@ -3223,7 +3247,7 @@ static void help_for(const char *argv0, const char *cmd)
printf("%-24s= output file\n", "-out");
#ifdef ENABLE_CURL
if (on_list(cmd, cmds_p))
- printf("%-24s= proxy to connect to the desired Time-Stamp Authority server\n", "-p");
+ printf("%-24s= proxy to connect to the desired Time-Stamp Authority server or CRL distribution point\n", "-p");
#endif /* ENABLE_CURL */
if (on_list(cmd, cmds_pass))
printf("%-24s= the private key password\n", "-pass");
@@ -4129,7 +4153,7 @@ static int main_configure(int argc, char **argv, GLOBAL_OPTIONS *options)
return 0; /* FAILED */
}
options->tsurl[options->ntsurl++] = *(++argv);
- } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-p")) {
+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD || cmd == CMD_VERIFY) && !strcmp(*argv, "-p")) {
if (--argc < 1) {
usage(argv0, "all");
return 0; /* FAILED */