Check CRL Distribution Points through proxy when verifying

mtrojnar · Feb 16, 2024 · ce07c82 · ce07c82
1 parent 7a02d51
commit ce07c82
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 7 deletions.
diff --git a/NEWS.md b/NEWS.md
@@ -13,6 +13,8 @@
 - PKCS9_SEQUENCE_NUMBER authenticated attribute support
 - added the "-ignore-cdp" option to disable CRL Distribution Points
   online verification
+- added the "-p" option to check CRL Distribution Points through proxy
+  when verifying
 
 ### 2.7 (2023.09.19)
 

diff --git a/osslsigncode.c b/osslsigncode.c
@@ -227,6 +227,25 @@ static PKCS7 *pkcs7_get_sigfile(FILE_FORMAT_CTX *ctx);
 
 static int blob_has_nl = 0;
 
+static void print_proxy(char *proxy)
+{
+    if (proxy) {
+        printf ("Proxy settings: %s\n", proxy);
+    } else {
+        char *http_proxy, *https_proxy;
+
+        http_proxy = getenv("http_proxy");
+        https_proxy = getenv("https_proxy");
+        if (!http_proxy)
+            http_proxy = getenv(OPENSSL_HTTP_PROXY);
+        if (!https_proxy)
+            https_proxy = getenv(OPENSSL_HTTPS_PROXY);
+        if ((http_proxy && *http_proxy != '\0') || (https_proxy && *https_proxy != '\0'))
+            printf ("Proxy settings: %s %s\n",
+            http_proxy ? http_proxy : "", https_proxy ? https_proxy : "");
+    }
+}
+
 /*
  * Callback for writing received data
  */
@@ -527,6 +546,7 @@ static BIO *bio_get_http(long *http_code, char *url, BIO *bout, char *proxy,
     if (!url) {
         return NULL; /* FAILED */
     }
+    print_proxy(proxy);
     /* Start a libcurl easy session and set options for a curl easy handle */
     printf("Connecting to %s\n", url);
     curl = curl_easy_init();
@@ -1591,16 +1611,17 @@ static char *clrdp_url_get_x509(X509 *cert)
 /*
  * Get Certificate Revocation List from a CRL distribution point
  * and write it into the X509_CRL structure.
+ * [in] proxy: proxy to getting CRL through
  * [in] url: URL of the CRL distribution point server
  * [returns] X509 Certificate Revocation List
  */
-static X509_CRL *x509_crl_get(char *url)
+static X509_CRL *x509_crl_get(char *proxy, char *url)
 {
     X509_CRL *crl;
     BIO *bio;
     long http_code = -1;
 
-    bio = bio_get_http(&http_code, url, NULL, NULL, 0, 1, 0);
+    bio = bio_get_http(&http_code, url, NULL, proxy, 0, 1, 0);
     if (!bio) {
         printf("Warning: Faild to get CRL from %s\n\n", url);
         return NULL; /* FAILED */
@@ -1798,7 +1819,7 @@ static int verify_timestamp(FILE_FORMAT_CTX *ctx, PKCS7 *p7, CMS_ContentInfo *ti
             printf("Ignored TSA's CRL distribution point: %s\n", url);
         } else {
             printf("TSA's CRL distribution point: %s\n", url);
-            crl = x509_crl_get(url);
+            crl = x509_crl_get(ctx->options->proxy, url);
             OPENSSL_free(url);
         }
         if (!crl && !ctx->options->tsa_crlfile) {
@@ -1923,7 +1944,7 @@ static int verify_authenticode(FILE_FORMAT_CTX *ctx, PKCS7 *p7, time_t time, X50
             printf("Ignored CRL distribution point: %s\n", url);
         } else {
             printf("CRL distribution point: %s\n", url);
-            crl = x509_crl_get(url);
+            crl = x509_crl_get(ctx->options->proxy, url);
             OPENSSL_free(url);
         }
         if (!crl && !ctx->options->crlfile) {
@@ -3037,6 +3058,7 @@ static void usage(const char *argv0, const char *cmd)
         printf("%12s[ -CRLfile <infile> ]\n", "");
         printf("%12s[ -TSA-CAfile <infile> ]\n", "");
         printf("%12s[ -TSA-CRLfile <infile> ]\n", "");
+        printf("%12s[ -p <proxy> ]\n", "");
         printf("%12s[ -index <index> ]\n", "");
         printf("%12s[ -ignore-timestamp ]\n", "");
         printf("%12s[ -time <unix-time> ]\n", "");
@@ -3089,7 +3111,7 @@ static void help_for(const char *argv0, const char *cmd)
     const char *cmds_out[] = {"add", "attach-signature", "extract-signature",
         "remove-signature", "sign", "extract-data", NULL};
 #ifdef ENABLE_CURL
-    const char *cmds_p[] = {"add", "sign", NULL};
+    const char *cmds_p[] = {"add", "sign", "verify", NULL};
 #endif /* ENABLE_CURL */
     const char *cmds_pass[] = {"sign", NULL};
     const char *cmds_pem[] = {"sign", "extract-data", "extract-signature", NULL};
@@ -3222,7 +3244,7 @@ static void help_for(const char *argv0, const char *cmd)
         printf("%-24s= output file\n", "-out");
 #ifdef ENABLE_CURL
     if (on_list(cmd, cmds_p))
-        printf("%-24s= proxy to connect to the desired Time-Stamp Authority server\n", "-p");
+        printf("%-24s= proxy to connect to the desired Time-Stamp Authority server or CRL distribution point\n", "-p");
 #endif /* ENABLE_CURL */
     if (on_list(cmd, cmds_pass))
         printf("%-24s= the private key password\n", "-pass");
@@ -4128,7 +4150,7 @@ static int main_configure(int argc, char **argv, GLOBAL_OPTIONS *options)
                 return 0; /* FAILED */
             }
             options->tsurl[options->ntsurl++] = *(++argv);
-        } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-p")) {
+        } else if ((cmd == CMD_SIGN || cmd == CMD_ADD || cmd == CMD_VERIFY) && !strcmp(*argv, "-p")) {
             if (--argc < 1) {
                 usage(argv0, "all");
                 return 0; /* FAILED */