/* The same as above, but here we've got a CRL.
*/
static int
is_crl_issuer (gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer_cert)
{
gnutls_datum_t dn1 = { NULL, 0 }, dn2 =
{
NULL, 0};
int ret;
ret = gnutls_x509_crl_get_raw_issuer_dn (crl, &dn1);
if (ret < 0)
{
gnutls_assert ();
goto cleanup;
}
ret = gnutls_x509_crt_get_raw_dn (issuer_cert, &dn2);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
ret = _gnutls_x509_compare_raw_dn (&dn1, &dn2);
cleanup:
_gnutls_free_datum (&dn1);
_gnutls_free_datum (&dn2);
return ret;
}
static
int trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list,
const gnutls_datum_t *dn,
gnutls_x509_crt_t * issuer,
unsigned int flags)
{
int ret;
unsigned int i;
uint32_t hash;
hash =
hash_pjw_bare(dn->data,
dn->size);
hash %= list->size;
for (i = 0; i < list->node[hash].trusted_ca_size; i++) {
ret = _gnutls_x509_compare_raw_dn(dn, &list->node[hash].trusted_cas[i]->raw_dn);
if (ret != 0) {
*issuer = crt_cpy(list->node[hash].trusted_cas[i]);
return 0;
}
}
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
}
/* Checks if the DN of two certificates is the same.
* Returns 1 if they match and zero if they don't match. Otherwise
* a negative value is returned to indicate error.
*/
int
_gnutls_is_same_dn (gnutls_x509_crt_t cert1, gnutls_x509_crt_t cert2)
{
gnutls_datum_t dn1 = { NULL, 0 }, dn2 =
{
NULL, 0
};
int ret;
ret = gnutls_x509_crt_get_raw_dn (cert1, &dn1);
if (ret < 0)
{
gnutls_assert ();
goto cleanup;
}
ret = gnutls_x509_crt_get_raw_dn (cert2, &dn2);
if (ret < 0)
{
gnutls_assert ();
goto cleanup;
}
ret = _gnutls_x509_compare_raw_dn (&dn1, &dn2);
cleanup:
_gnutls_free_datum (&dn1);
_gnutls_free_datum (&dn2);
return ret;
}
/* Checks if the DN of two certificates is the same.
* Returns 1 if they match and (0) if they don't match. Otherwise
* a negative error code is returned to indicate error.
*/
unsigned _gnutls_is_same_dn(gnutls_x509_crt_t cert1, gnutls_x509_crt_t cert2)
{
if (_gnutls_x509_compare_raw_dn(&cert1->raw_dn, &cert2->raw_dn) !=
0)
return 1;
else
return 0;
}
/* Check if the given certificate is the issuer of the CRL.
* Returns 1 on success and 0 otherwise.
*/
static unsigned is_crl_issuer(gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer)
{
if (_gnutls_x509_compare_raw_dn
(&crl->raw_issuer_dn, &issuer->raw_dn) != 0)
return 1;
else
return 0;
}
static
int trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list,
const gnutls_datum_t *dn,
const gnutls_datum_t *spki,
gnutls_x509_crt_t * issuer,
unsigned int flags)
{
int ret;
unsigned int i, j;
uint32_t hash;
uint8_t tmp[256];
size_t tmp_size;
if (dn) {
hash =
hash_pjw_bare(dn->data,
dn->size);
hash %= list->size;
for (i = 0; i < list->node[hash].trusted_ca_size; i++) {
ret = _gnutls_x509_compare_raw_dn(dn, &list->node[hash].trusted_cas[i]->raw_dn);
if (ret != 0) {
if (spki && spki->size > 0) {
tmp_size = sizeof(tmp);
ret = gnutls_x509_crt_get_subject_key_id(list->node[hash].trusted_cas[i], tmp, &tmp_size, NULL);
if (ret < 0)
continue;
if (spki->size != tmp_size || memcmp(spki->data, tmp, spki->size) != 0)
continue;
}
*issuer = crt_cpy(list->node[hash].trusted_cas[i]);
return 0;
}
}
} else if (spki) {
/* search everything! */
for (i = 0; i < list->size; i++) {
for (j = 0; j < list->node[i].trusted_ca_size; j++) {
tmp_size = sizeof(tmp);
ret = gnutls_x509_crt_get_subject_key_id(list->node[i].trusted_cas[j], tmp, &tmp_size, NULL);
if (ret < 0)
continue;
if (spki->size != tmp_size || memcmp(spki->data, tmp, spki->size) != 0)
continue;
*issuer = crt_cpy(list->node[i].trusted_cas[j]);
return 0;
}
}
}
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
}
/* This function checks if cert's issuer is issuer.
* This does a straight (DER) compare of the issuer/subject DN fields in
* the given certificates, as well as check the authority key ID.
*
* Returns 1 if they match and (0) if they don't match.
*/
static unsigned is_issuer(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer)
{
uint8_t id1[MAX_KEY_ID_SIZE];
uint8_t id2[MAX_KEY_ID_SIZE];
size_t id1_size;
size_t id2_size;
int ret;
unsigned result;
if (_gnutls_x509_compare_raw_dn
(&cert->raw_issuer_dn, &issuer->raw_dn) != 0)
result = 1;
else
result = 0;
if (result != 0) {
/* check if the authority key identifier matches the subject key identifier
* of the issuer */
id1_size = sizeof(id1);
ret =
gnutls_x509_crt_get_authority_key_id(cert, id1,
&id1_size, NULL);
if (ret < 0) {
/* If there is no authority key identifier in the
* certificate, assume they match */
result = 1;
goto cleanup;
}
id2_size = sizeof(id2);
ret =
gnutls_x509_crt_get_subject_key_id(issuer, id2,
&id2_size, NULL);
if (ret < 0) {
/* If there is no subject key identifier in the
* issuer certificate, assume they match */
result = 1;
gnutls_assert();
goto cleanup;
}
if (id1_size == id2_size
&& memcmp(id1, id2, id1_size) == 0)
result = 1;
else
result = 0;
}
cleanup:
return result;
}
/* This function checks if 'certs' issuer is 'issuer_cert'.
* This does a straight (DER) compare of the issuer/subject fields in
* the given certificates.
*
* Returns 1 if they match and (0) if they don't match. Otherwise
* a negative error code is returned to indicate error.
*/
static int
is_issuer (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer_cert)
{
gnutls_datum_t dn1 = { NULL, 0 },
dn2 = { NULL, 0};
uint8_t id1[512];
uint8_t id2[512];
size_t id1_size;
size_t id2_size;
int ret;
ret = gnutls_x509_crt_get_raw_issuer_dn (cert, &dn1);
if (ret < 0)
{
gnutls_assert ();
goto cleanup;
}
ret = gnutls_x509_crt_get_raw_dn (issuer_cert, &dn2);
if (ret < 0)
{
gnutls_assert ();
goto cleanup;
}
ret = _gnutls_x509_compare_raw_dn (&dn1, &dn2);
if (ret != 0)
{
/* check if the authority key identifier matches the subject key identifier
* of the issuer */
id1_size = sizeof(id1);
ret = gnutls_x509_crt_get_authority_key_id(cert, id1, &id1_size, NULL);
if (ret < 0)
{
ret = 1;
goto cleanup;
}
id2_size = sizeof(id2);
ret = gnutls_x509_crt_get_subject_key_id(issuer_cert, id2, &id2_size, NULL);
if (ret < 0)
{
ret = 1;
gnutls_assert();
goto cleanup;
}
if (id1_size == id2_size && memcmp(id1, id2, id1_size) == 0)
ret = 1;
else
ret = 0;
}
cleanup:
_gnutls_free_datum (&dn1);
_gnutls_free_datum (&dn2);
return ret;
}
