static int verify_last(gnutls_x509_crt_t crt,
gnutls_x509_crt_t *ca_list,
size_t ca_list_size,
crypto_error **error)
{
unsigned int output;
time_t now = time (0);
if (gnutls_x509_crt_verify (crt, ca_list, ca_list_size,
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
&output) < 0) {
crypto_error_set(error, 1, 0, "failed to verify against CA list");
return 1;
}
if (output & GNUTLS_CERT_INVALID) {
if (output & GNUTLS_CERT_SIGNER_NOT_CA) {
crypto_error_set(error, 1, 0, "certificate signer not a CA");
return 1;
}
}
if (gnutls_x509_crt_get_activation_time(crt) > now) {
crypto_error_set(error, 1, 0, "certificate activation in the future");
return 1;
}
if (gnutls_x509_crt_get_expiration_time(crt) < now) {
crypto_error_set(error, 1, 0, "certificate expired");
return 1;
}
return 0;
}
static int verify_issuer(gnutls_x509_crt_t crt,
gnutls_x509_crt_t issuer,
crypto_error **error)
{
unsigned int output;
time_t now = time (0);
if (gnutls_x509_crt_verify(crt, &issuer, 1, 0, &output) < 0) {
crypto_error_set(error, 1, 0, "failed to verify against issuer");
return 1;
}
if (output & GNUTLS_CERT_INVALID) {
if (output & GNUTLS_CERT_SIGNER_NOT_FOUND) {
crypto_error_set(error, 1, 0, "certificate signer not found");
return 1;
}
if (output & GNUTLS_CERT_SIGNER_NOT_CA) {
crypto_error_set(error, 1, 0, "certificate signer not a CA");
return 1;
}
}
if (gnutls_x509_crt_get_activation_time(crt) > now) {
crypto_error_set(error, 1, 0, "certificate activation in the future");
return 1;
}
if (gnutls_x509_crt_get_expiration_time(crt) < now) {
crypto_error_set(error, 1, 0, "certificate expired");
return 1;
}
return 0;
}
RD_BOOL
crypto_cert_verify(CryptoCert server_cert, CryptoCert cacert)
{
/* FIXME: check more here ... */
unsigned int verify; /* What is this? */
return gnutls_x509_crt_check_issuer(server_cert->cert,cacert->cert) &&
gnutls_x509_crt_verify(server_cert->cert, &cacert->cert, 1, 0, &verify) == GNUTLS_E_SUCCESS;
}
/* Verifies a certificate against our trusted CA list.
* Also checks the crl_list if the certificate is revoked.
*/
static void
verify_last_cert (gnutls_x509_crt_t crt,
gnutls_x509_crt_t * ca_list, int ca_list_size,
gnutls_x509_crl_t * crl_list, int crl_list_size)
{
unsigned int output;
int ret;
time_t now = time (0);
size_t name_size;
char name[64];
/* Print information about the certificates to
* be checked.
*/
name_size = sizeof (name);
gnutls_x509_crt_get_dn (crt, name, &name_size);
fprintf (stderr, "\nCertificate: %s\n", name);
name_size = sizeof (name);
gnutls_x509_crt_get_issuer_dn (crt, name, &name_size);
fprintf (stderr, "Issued by: %s\n", name);
/* Do the actual verification.
*/
gnutls_x509_crt_verify (crt, ca_list, ca_list_size,
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, &output);
if (output & GNUTLS_CERT_INVALID)
{
fprintf (stderr, "Not trusted");
if (output & GNUTLS_CERT_SIGNER_NOT_CA)
fprintf (stderr, ": Issuer is not a CA\n");
else
fprintf (stderr, "\n");
}
else
fprintf (stderr, "Trusted\n");
/* Now check the expiration dates.
*/
if (gnutls_x509_crt_get_activation_time (crt) > now)
fprintf (stderr, "Not yet activated\n");
if (gnutls_x509_crt_get_expiration_time (crt) < now)
fprintf (stderr, "Expired\n");
/* Check if the certificate is revoked.
*/
ret = gnutls_x509_crt_check_revocation (crt, crl_list, crl_list_size);
if (ret == 1)
{ /* revoked */
fprintf (stderr, "Revoked\n");
}
}
bool X509Certificate::verify(ref <const X509Certificate> caCert) const
{
unsigned int verify = 0;
const int res = gnutls_x509_crt_verify
(m_data->cert, &(caCert->m_data->cert), 1,
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
&verify);
return (res == 0 && verify == 0);
}
static gboolean verify_certificate(HevImpathyTLSVerifier *self,
gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
TpTLSCertificateRejectReason *reason)
{
guint verify_output = 0;
gint res = 0;
g_debug("%s:%d[%s]", __FILE__, __LINE__, __FUNCTION__);
res = gnutls_x509_crt_verify(cert, &issuer, 1, 0, &verify_output);
return verification_output_to_reason(res, verify_output, reason);
}
bool X509Certificate_GnuTLS::verify(shared_ptr <const X509Certificate> caCert_) const
{
shared_ptr <const X509Certificate_GnuTLS> caCert =
dynamicCast <const X509Certificate_GnuTLS>(caCert_);
unsigned int verify = 0;
const int res = gnutls_x509_crt_verify
(m_data->cert, &(caCert->m_data->cert), 1,
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
&verify);
return (res == 0 && verify == 0);
}
static gboolean verify_last_certificate(HevImpathyTLSVerifier *self,
gnutls_x509_crt_t cert, TpTLSCertificateRejectReason *reason)
{
guint verify_output = 0;
gint res = 0;
gnutls_x509_crt_t *trusted_ca_list = NULL;
HevImpathyTLSVerifierPrivate *priv =
HEV_IMPATHY_TLS_VERIFIER_GET_PRIVATE(self);
g_debug("%s:%d[%s]", __FILE__, __LINE__, __FUNCTION__);
if(0 < priv->trusted_ca_list->len)
{
trusted_ca_list = ptr_array_to_x509_crt_list(priv->trusted_ca_list);
res = gnutls_x509_crt_verify(cert, trusted_ca_list,
priv->trusted_ca_list->len, 0, &verify_output);
g_free(trusted_ca_list);
}
else
{
/* check it against itself to see if it's structurally valid */
res = gnutls_x509_crt_verify(cert, &cert, 1, 0, &verify_output);
/* if it's valid, return the SelfSigned error, so that we can add it
* later to our trusted CAs whitelist.
*/
if(GNUTLS_E_SUCCESS == res)
{
*reason = TP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED;
return FALSE;
}
}
return verification_output_to_reason (res, verify_output, reason);
}
/** Determines whether one certificate has been issued and signed by another
*
* @param crt Certificate to check the signature of
* @param issuer Issuer's certificate
*
* @return TRUE if crt was signed and issued by issuer, otherwise FALSE
* @TODO Modify this function to return a reason for invalidity?
*/
static gboolean
x509_certificate_signed_by(PurpleCertificate * crt,
PurpleCertificate * issuer)
{
gnutls_x509_crt_t crt_dat;
gnutls_x509_crt_t issuer_dat;
unsigned int verify; /* used to store result from GnuTLS verifier */
int ret;
gchar *crt_id = NULL;
gchar *issuer_id = NULL;
g_return_val_if_fail(crt, FALSE);
g_return_val_if_fail(issuer, FALSE);
/* Verify that both certs are the correct scheme */
g_return_val_if_fail(crt->scheme == &x509_gnutls, FALSE);
g_return_val_if_fail(issuer->scheme == &x509_gnutls, FALSE);
/* TODO: check for more nullness? */
crt_dat = X509_GET_GNUTLS_DATA(crt);
issuer_dat = X509_GET_GNUTLS_DATA(issuer);
/* Ensure crt issuer matches the name on the issuer cert. */
ret = gnutls_x509_crt_check_issuer(crt_dat, issuer_dat);
if (ret <= 0) {
if (ret < 0) {
purple_debug_error("gnutls/x509",
"GnuTLS error %d while checking certificate issuer match.",
ret);
} else {
gchar *crt_id, *issuer_id, *crt_issuer_id;
crt_id = purple_certificate_get_unique_id(crt);
issuer_id = purple_certificate_get_unique_id(issuer);
crt_issuer_id =
purple_certificate_get_issuer_unique_id(crt);
purple_debug_info("gnutls/x509",
"Certificate %s is issued by "
"%s, which does not match %s.\n",
crt_id ? crt_id : "(null)",
crt_issuer_id ? crt_issuer_id : "(null)",
issuer_id ? issuer_id : "(null)");
g_free(crt_id);
g_free(issuer_id);
g_free(crt_issuer_id);
}
/* The issuer is not correct, or there were errors */
return FALSE;
}
/* Check basic constraints extension (if it exists then the CA flag must
be set to true, and it must exist for certs with version 3 or higher. */
ret = gnutls_x509_crt_get_basic_constraints(issuer_dat, NULL, NULL, NULL);
if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
if (gnutls_x509_crt_get_version(issuer_dat) >= 3) {
/* Reject cert (no basic constraints and cert version is >= 3). */
gchar *issuer_id = purple_certificate_get_unique_id(issuer);
purple_debug_info("gnutls/x509", "Rejecting cert because the "
"basic constraints extension is missing from issuer cert "
"for %s. The basic constraints extension is required on "
"all version 3 or higher certs (this cert is version %d).",
issuer_id ? issuer_id : "(null)",
gnutls_x509_crt_get_version(issuer_dat));
g_free(issuer_id);
return FALSE;
} else {
/* Allow cert (no basic constraints and cert version is < 3). */
purple_debug_info("gnutls/x509", "Basic constraint extension is "
"missing from issuer cert for %s. Allowing this because "
"the cert is version %d and the basic constraints "
"extension is only required for version 3 or higher "
"certs.", issuer_id ? issuer_id : "(null)",
gnutls_x509_crt_get_version(issuer_dat));
}
} else if (ret <= 0) {
/* Reject cert (CA flag is false in basic constraints). */
gchar *issuer_id = purple_certificate_get_unique_id(issuer);
purple_debug_info("gnutls/x509", "Rejecting cert because the CA flag "
"is set to false in the basic constraints extension for "
"issuer cert %s. ret=%d\n",
issuer_id ? issuer_id : "(null)", ret);
g_free(issuer_id);
return FALSE;
}
/* Now, check the signature */
/* The second argument is a ptr to an array of "trusted" issuer certs,
but we're only using one trusted one */
ret = gnutls_x509_crt_verify(crt_dat, &issuer_dat, 1,
/* Permit signings by X.509v1 certs
(Verisign and possibly others have
root certificates that predate the
current standard) */
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
&verify);
if (ret != 0) {
purple_debug_error("gnutls/x509",
"Attempted certificate verification caused a GnuTLS error code %d. I will just say the signature is bad, but you should look into this.\n", ret);
return FALSE;
}
#ifdef HAVE_GNUTLS_CERT_INSECURE_ALGORITHM
if (verify & GNUTLS_CERT_INSECURE_ALGORITHM) {
/*
* A certificate in the chain is signed with an insecure
* algorithm. Put a warning into the log to make this error
* perfectly clear as soon as someone looks at the debug log is
* generated.
*/
crt_id = purple_certificate_get_unique_id(crt);
issuer_id = purple_certificate_get_issuer_unique_id(crt);
purple_debug_warning("gnutls/x509",
"Insecure hash algorithm used by %s to sign %s\n",
issuer_id, crt_id);
}
#endif
if (verify & GNUTLS_CERT_INVALID) {
/* Signature didn't check out, but at least
there were no errors*/
if (!crt_id)
crt_id = purple_certificate_get_unique_id(crt);
if (!issuer_id)
issuer_id = purple_certificate_get_issuer_unique_id(crt);
purple_debug_error("gnutls/x509",
"Bad signature from %s on %s\n",
issuer_id, crt_id);
g_free(crt_id);
g_free(issuer_id);
return FALSE;
} /* if (ret, etc.) */
/* If we got here, the signature is good */
return TRUE;
}
/** Determines whether one certificate has been issued and signed by another
*
* @param crt Certificate to check the signature of
* @param issuer Issuer's certificate
*
* @return TRUE if crt was signed and issued by issuer, otherwise FALSE
* @TODO Modify this function to return a reason for invalidity?
*/
static gboolean
x509_certificate_signed_by(PurpleCertificate * crt,
PurpleCertificate * issuer)
{
gnutls_x509_crt crt_dat;
gnutls_x509_crt issuer_dat;
unsigned int verify; /* used to store result from GnuTLS verifier */
int ret;
gchar *crt_id = NULL;
gchar *issuer_id = NULL;
g_return_val_if_fail(crt, FALSE);
g_return_val_if_fail(issuer, FALSE);
/* Verify that both certs are the correct scheme */
g_return_val_if_fail(crt->scheme == &x509_gnutls, FALSE);
g_return_val_if_fail(issuer->scheme == &x509_gnutls, FALSE);
/* TODO: check for more nullness? */
crt_dat = X509_GET_GNUTLS_DATA(crt);
issuer_dat = X509_GET_GNUTLS_DATA(issuer);
/* First, let's check that crt.issuer is actually issuer */
ret = gnutls_x509_crt_check_issuer(crt_dat, issuer_dat);
if (ret <= 0) {
if (ret < 0) {
purple_debug_error("gnutls/x509",
"GnuTLS error %d while checking certificate issuer match.",
ret);
} else {
gchar *crt_id, *issuer_id, *crt_issuer_id;
crt_id = purple_certificate_get_unique_id(crt);
issuer_id = purple_certificate_get_unique_id(issuer);
crt_issuer_id =
purple_certificate_get_issuer_unique_id(crt);
purple_debug_info("gnutls/x509",
"Certificate %s is issued by "
"%s, which does not match %s.\n",
crt_id ? crt_id : "(null)",
crt_issuer_id ? crt_issuer_id : "(null)",
issuer_id ? issuer_id : "(null)");
g_free(crt_id);
g_free(issuer_id);
g_free(crt_issuer_id);
}
/* The issuer is not correct, or there were errors */
return FALSE;
}
/* Now, check the signature */
/* The second argument is a ptr to an array of "trusted" issuer certs,
but we're only using one trusted one */
ret = gnutls_x509_crt_verify(crt_dat, &issuer_dat, 1,
/* Permit signings by X.509v1 certs
(Verisign and possibly others have
root certificates that predate the
current standard) */
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
&verify);
if (ret != 0) {
purple_debug_error("gnutls/x509",
"Attempted certificate verification caused a GnuTLS error code %d. I will just say the signature is bad, but you should look into this.\n", ret);
return FALSE;
}
#ifdef HAVE_GNUTLS_CERT_INSECURE_ALGORITHM
if (verify & GNUTLS_CERT_INSECURE_ALGORITHM) {
/*
* A certificate in the chain is signed with an insecure
* algorithm. Put a warning into the log to make this error
* perfectly clear as soon as someone looks at the debug log is
* generated.
*/
crt_id = purple_certificate_get_unique_id(crt);
issuer_id = purple_certificate_get_issuer_unique_id(crt);
purple_debug_warning("gnutls/x509",
"Insecure hash algorithm used by %s to sign %s\n",
issuer_id, crt_id);
}
#endif
if (verify & GNUTLS_CERT_INVALID) {
/* Signature didn't check out, but at least
there were no errors*/
if (!crt_id)
crt_id = purple_certificate_get_unique_id(crt);
if (!issuer_id)
issuer_id = purple_certificate_get_issuer_unique_id(crt);
purple_debug_error("gnutls/x509",
"Bad signature from %s on %s\n",
issuer_id, crt_id);
g_free(crt_id);
g_free(issuer_id);
return FALSE;
} /* if (ret, etc.) */
/* If we got here, the signature is good */
return TRUE;
}
/* Verifies a certificate against an other certificate
* which is supposed to be it's issuer. Also checks the
* crl_list if the certificate is revoked.
*/
static void
verify_cert2 (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer,
gnutls_x509_crl_t * crl_list, int crl_list_size)
{
unsigned int output;
int ret;
time_t now = time (0);
size_t name_size;
char name[64];
/* Print information about the certificates to
* be checked.
*/
name_size = sizeof (name);
gnutls_x509_crt_get_dn (crt, name, &name_size);
fprintf (stderr, "\nCertificate: %s\n", name);
name_size = sizeof (name);
gnutls_x509_crt_get_issuer_dn (crt, name, &name_size);
fprintf (stderr, "Issued by: %s\n", name);
/* Get the DN of the issuer cert.
*/
name_size = sizeof (name);
gnutls_x509_crt_get_dn (issuer, name, &name_size);
fprintf (stderr, "Checking against: %s\n", name);
/* Do the actual verification.
*/
gnutls_x509_crt_verify (crt, &issuer, 1, 0, &output);
if (output & GNUTLS_CERT_INVALID)
{
fprintf (stderr, "Not trusted");
if (output & GNUTLS_CERT_SIGNER_NOT_FOUND)
fprintf (stderr, ": no issuer was found");
if (output & GNUTLS_CERT_SIGNER_NOT_CA)
fprintf (stderr, ": issuer is not a CA");
fprintf (stderr, "\n");
}
else
fprintf (stderr, "Trusted\n");
/* Now check the expiration dates.
*/
if (gnutls_x509_crt_get_activation_time (crt) > now)
fprintf (stderr, "Not yet activated\n");
if (gnutls_x509_crt_get_expiration_time (crt) < now)
fprintf (stderr, "Expired\n");
/* Check if the certificate is revoked.
*/
ret = gnutls_x509_crt_check_revocation (crt, crl_list, crl_list_size);
if (ret == 1)
{ /* revoked */
fprintf (stderr, "Revoked\n");
}
}
static
int
__pkcs11h_crypto_gnutls_certificate_is_issuer (
IN void * const global_data,
IN const unsigned char * const issuer_blob,
IN const size_t issuer_blob_size,
IN const unsigned char * const cert_blob,
IN const size_t cert_blob_size
) {
gnutls_x509_crt_t cert_issuer = NULL;
gnutls_x509_crt_t cert_cert = NULL;
gnutls_datum_t datum;
PKCS11H_BOOL is_issuer = FALSE;
unsigned int result = 0;
(void)global_data;
/*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/
_PKCS11H_ASSERT (issuer_blob!=NULL);
_PKCS11H_ASSERT (cert_blob!=NULL);
if (gnutls_x509_crt_init (&cert_issuer) != GNUTLS_E_SUCCESS) {
/* gnutls sets output */
cert_issuer = NULL;
goto cleanup;
}
if (gnutls_x509_crt_init (&cert_cert) != GNUTLS_E_SUCCESS) {
/* gnutls sets output */
cert_cert = NULL;
goto cleanup;
}
datum.data = (unsigned char *)issuer_blob;
datum.size = issuer_blob_size;
if (
gnutls_x509_crt_import (
cert_issuer,
&datum,
GNUTLS_X509_FMT_DER
) != GNUTLS_E_SUCCESS
) {
goto cleanup;
}
datum.data = (unsigned char *)cert_blob;
datum.size = cert_blob_size;
if (
gnutls_x509_crt_import (
cert_cert,
&datum,
GNUTLS_X509_FMT_DER
) != GNUTLS_E_SUCCESS
) {
goto cleanup;
}
if (
gnutls_x509_crt_verify (
cert_cert,
&cert_issuer,
1,
0,
&result
) &&
(result & GNUTLS_CERT_INVALID) == 0
) {
is_issuer = TRUE;
}
cleanup:
if (cert_cert != NULL) {
gnutls_x509_crt_deinit (cert_cert);
cert_cert = NULL;
}
if (cert_issuer != NULL) {
gnutls_x509_crt_deinit (cert_issuer);
cert_issuer = NULL;
}
return is_issuer;
}