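/* The same as above, but here we've got a CRL: decide whether
 * issuer_cert is the issuer named by crl, by comparing the CRL's raw
 * (DER) issuer DN with the certificate's raw subject DN.
 *
 * Returns the value of _gnutls_x509_compare_raw_dn() (non-zero when the
 * DNs match, zero when they differ), or a negative GnuTLS error code if
 * either DN could not be extracted.
 *
 * Security note: a DN match only selects a *candidate* issuer.  It says
 * nothing about whether issuer_cert's key actually signed the CRL; the
 * caller is expected to verify the CRL signature separately (caller not
 * visible here -- confirm).
 */
static int
is_crl_issuer (gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer_cert)
{
  gnutls_datum_t dn1 = { NULL, 0 }, dn2 = { NULL, 0 };
  int ret;

  ret = gnutls_x509_crl_get_raw_issuer_dn (crl, &dn1);
  if (ret < 0)
    {
      gnutls_assert ();
      goto cleanup;
    }

  ret = gnutls_x509_crt_get_raw_dn (issuer_cert, &dn2);
  if (ret < 0)
    {
      gnutls_assert ();
      /* This path used to 'return ret' directly, leaking the dn1 datum
       * allocated above.  Always leave through cleanup instead. */
      goto cleanup;
    }

  ret = _gnutls_x509_compare_raw_dn (&dn1, &dn2);

cleanup:
  /* Both datums start as { NULL, 0 }, so releasing one that was never
   * filled in follows the same pattern as the sibling DN helpers. */
  _gnutls_free_datum (&dn1);
  _gnutls_free_datum (&dn2);
  return ret;
}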
/* Find a trusted CA in @list whose raw subject DN equals @dn.
 *
 * The list is bucketed by a hash of the raw DN, so only the bucket that
 * @dn hashes into is scanned.  On a match a copy of the CA (made with
 * crt_cpy()) is stored in *@issuer and 0 is returned.  If no CA in the
 * bucket carries that DN, GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is
 * returned and *@issuer is not written.  @flags is currently unused.
 *
 * Only the name is compared here; nothing about the returned CA's key is
 * checked.  Whoever calls this still has to verify that the CA really
 * signed the certificate being chained (caller not visible here).
 */
static int trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list,
				       const gnutls_datum_t *dn,
				       gnutls_x509_crt_t * issuer,
				       unsigned int flags)
{
	unsigned int idx;
	uint32_t bucket;

	/* Pick the bucket for this DN. */
	bucket = hash_pjw_bare(dn->data, dn->size) % list->size;

	for (idx = 0; idx < list->node[bucket].trusted_ca_size; idx++) {
		if (_gnutls_x509_compare_raw_dn(dn,
						&list->node[bucket].trusted_cas[idx]->raw_dn) == 0)
			continue;	/* different subject, keep looking */

		*issuer = crt_cpy(list->node[bucket].trusted_cas[idx]);
		return 0;
	}

	return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
}
/* Compare the raw (DER) subject DNs of cert1 and cert2.
 *
 * Returns the result of _gnutls_x509_compare_raw_dn(): 1 when the DNs
 * are identical and 0 when they differ.  If either subject DN cannot be
 * extracted, the negative error code from the getter is returned
 * instead.
 */
int
_gnutls_is_same_dn (gnutls_x509_crt_t cert1, gnutls_x509_crt_t cert2)
{
  gnutls_datum_t subj1 = { NULL, 0 };
  gnutls_datum_t subj2 = { NULL, 0 };
  int result;

  result = gnutls_x509_crt_get_raw_dn (cert1, &subj1);
  if (result >= 0)
    result = gnutls_x509_crt_get_raw_dn (cert2, &subj2);

  if (result >= 0)
    result = _gnutls_x509_compare_raw_dn (&subj1, &subj2);
  else
    gnutls_assert ();   /* one of the two getters above failed */

  /* Release whatever was extracted; an untouched datum is still { NULL, 0 }. */
  _gnutls_free_datum (&subj1);
  _gnutls_free_datum (&subj2);
  return result;
}
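/* Checks whether the raw (DER) subject DNs of two certificates are
 * identical.
 *
 * Returns 1 if they match and 0 if they do not.  This variant compares
 * the cached raw_dn of each certificate directly and always yields
 * exactly 0 or 1; with an unsigned return type it can never signal a
 * negative error code, so callers must not test for one (the previous
 * comment claiming otherwise was stale).
 */
unsigned _gnutls_is_same_dn(gnutls_x509_crt_t cert1, gnutls_x509_crt_t cert2)
{
	/* _gnutls_x509_compare_raw_dn() reports a match as non-zero;
	 * normalise that to a strict 0/1 result. */
	return _gnutls_x509_compare_raw_dn(&cert1->raw_dn, &cert2->raw_dn) != 0;
}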
/* Test whether @issuer is the certificate named as the issuer of @crl,
 * by comparing the CRL's raw issuer DN against @issuer's raw subject DN.
 *
 * Returns 1 on a DN match and 0 otherwise.  This is purely a name
 * comparison -- it does not check that @issuer's key signed the CRL.
 */
static unsigned is_crl_issuer(gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer)
{
	if (!_gnutls_x509_compare_raw_dn(&crl->raw_issuer_dn, &issuer->raw_dn))
		return 0;	/* names differ */

	return 1;
}
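/* Return non-zero if @crt carries a Subject Key Identifier that is
 * byte-for-byte equal to @spki, and zero otherwise.
 *
 * "Otherwise" includes the case where gnutls_x509_crt_get_subject_key_id()
 * fails for any reason -- no SKI present, or (presumably) an identifier
 * larger than the 256-byte local buffer -- since every negative return
 * is treated as "no usable identifier".
 */
static int trust_list_ski_matches(gnutls_x509_crt_t crt,
				  const gnutls_datum_t *spki)
{
	uint8_t ski[256];
	size_t ski_size = sizeof(ski);
	int ret;

	ret = gnutls_x509_crt_get_subject_key_id(crt, ski, &ski_size, NULL);
	if (ret < 0)
		return 0;

	return spki->size == ski_size
	       && memcmp(spki->data, ski, spki->size) == 0;
}

/* Find a trusted CA in @list matching the given issuer name and/or
 * Subject Key Identifier.
 *
 * If @dn is given, only the hash bucket for that DN is scanned and a CA
 * must have that exact raw subject DN; when @spki is also given and
 * non-empty, the CA's SKI must match it as well.  If @dn is NULL but
 * @spki is given, every bucket is scanned for a CA whose SKI matches
 * (an empty @spki is not special-cased on this path).  On success a
 * copy of the CA (via crt_cpy()) is stored in *@issuer and 0 is
 * returned; otherwise GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned
 * and *@issuer is untouched.  @flags is currently unused.
 *
 * Security note: matching by name and key identifier only selects a
 * candidate.  It does not prove the CA's key signed anything; the
 * caller must still verify the signature (caller not visible here).
 */
static int trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list,
				       const gnutls_datum_t *dn,
				       const gnutls_datum_t *spki,
				       gnutls_x509_crt_t * issuer,
				       unsigned int flags)
{
	unsigned int i, j;
	uint32_t hash;

	if (dn) {
		hash = hash_pjw_bare(dn->data, dn->size);
		hash %= list->size;

		for (i = 0; i < list->node[hash].trusted_ca_size; i++) {
			if (_gnutls_x509_compare_raw_dn(dn,
							&list->node[hash].trusted_cas[i]->raw_dn) == 0)
				continue;

			/* Name matched; an optional non-empty SKI must match too. */
			if (spki && spki->size > 0
			    && !trust_list_ski_matches(list->node[hash].trusted_cas[i], spki))
				continue;

			*issuer = crt_cpy(list->node[hash].trusted_cas[i]);
			return 0;
		}
	} else if (spki) {
		/* No name to hash on: search every bucket by SKI. */
		for (i = 0; i < list->size; i++) {
			for (j = 0; j < list->node[i].trusted_ca_size; j++) {
				if (!trust_list_ski_matches(list->node[i].trusted_cas[j], spki))
					continue;

				*issuer = crt_cpy(list->node[i].trusted_cas[j]);
				return 0;
			}
		}
	}

	return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
}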
/* Decide whether @issuer is the issuer of @cert.
 *
 * Two checks are made: a straight DER comparison of @cert's issuer DN
 * against @issuer's subject DN, and -- only when both sides carry one --
 * a comparison of @cert's Authority Key Identifier with @issuer's
 * Subject Key Identifier.
 *
 * Returns 1 when the names match and the key identifiers either match
 * or are unavailable on at least one side; returns 0 when the names
 * differ or both identifiers are present but differ.
 *
 * NOTE(review): any negative return from the key-identifier getters is
 * treated as "identifier absent" and therefore accepted.  If the getter
 * reports an identifier longer than MAX_KEY_ID_SIZE as an error (it is
 * not visible here whether it does), that over-long AKI/SKI is silently
 * skipped rather than compared -- confirm this is intended.
 */
static unsigned is_issuer(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer)
{
	uint8_t aki[MAX_KEY_ID_SIZE];
	uint8_t ski[MAX_KEY_ID_SIZE];
	size_t aki_size = sizeof(aki);
	size_t ski_size = sizeof(ski);

	/* Name check: cert's issuer DN must equal the candidate's subject DN. */
	if (_gnutls_x509_compare_raw_dn(&cert->raw_issuer_dn, &issuer->raw_dn) == 0)
		return 0;

	/* No AKI in cert: nothing more to compare, accept on the name alone. */
	if (gnutls_x509_crt_get_authority_key_id(cert, aki, &aki_size, NULL) < 0)
		return 1;

	/* No SKI in the issuer: likewise accept on the name alone. */
	if (gnutls_x509_crt_get_subject_key_id(issuer, ski, &ski_size, NULL) < 0) {
		gnutls_assert();
		return 1;
	}

	/* Both identifiers present: they must be identical. */
	if (aki_size != ski_size)
		return 0;

	return memcmp(aki, ski, aki_size) == 0 ? 1 : 0;
}
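/* This function checks if 'cert's issuer is 'issuer_cert'.
 *
 * First the raw (DER) issuer DN of cert is compared with the raw subject
 * DN of issuer_cert.  If the names match and both certificates carry a
 * key identifier (an Authority Key Identifier in cert, a Subject Key
 * Identifier in issuer_cert), those identifiers must be identical as
 * well.  A missing identifier on either side is not held against the
 * pair -- the name match alone is accepted.
 *
 * Returns 1 if they match and 0 if they don't.  A negative error code is
 * returned if either DN could not be extracted.
 *
 * NOTE(review): every negative return from the key-identifier getters
 * is treated as "identifier absent" and accepted; if a getter also
 * reports a too-small buffer that way (not visible here), identifiers
 * longer than KEY_ID_BUF_SIZE are skipped rather than compared.
 */
static int
is_issuer (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer_cert)
{
  /* Upper bound on the key identifier length we are prepared to compare,
   * named instead of repeated as a bare 512 for both buffers. */
  enum { KEY_ID_BUF_SIZE = 512 };
  gnutls_datum_t dn1 = { NULL, 0 }, dn2 = { NULL, 0 };
  uint8_t id1[KEY_ID_BUF_SIZE];
  uint8_t id2[KEY_ID_BUF_SIZE];
  size_t id1_size;
  size_t id2_size;
  int ret;

  ret = gnutls_x509_crt_get_raw_issuer_dn (cert, &dn1);
  if (ret < 0)
    {
      gnutls_assert ();
      goto cleanup;
    }

  ret = gnutls_x509_crt_get_raw_dn (issuer_cert, &dn2);
  if (ret < 0)
    {
      gnutls_assert ();
      goto cleanup;
    }

  ret = _gnutls_x509_compare_raw_dn (&dn1, &dn2);
  if (ret != 0)
    {
      /* Names match; now see whether the authority key identifier of
       * cert agrees with the subject key identifier of the issuer. */
      id1_size = sizeof (id1);
      ret = gnutls_x509_crt_get_authority_key_id (cert, id1, &id1_size, NULL);
      if (ret < 0)
        {
          /* No AKI available in cert: accept on the name alone. */
          ret = 1;
          goto cleanup;
        }

      id2_size = sizeof (id2);
      ret = gnutls_x509_crt_get_subject_key_id (issuer_cert, id2, &id2_size, NULL);
      if (ret < 0)
        {
          /* No SKI available in the issuer: accept on the name alone. */
          ret = 1;
          gnutls_assert ();
          goto cleanup;
        }

      if (id1_size == id2_size && memcmp (id1, id2, id1_size) == 0)
        ret = 1;
      else
        ret = 0;
    }

cleanup:
  _gnutls_free_datum (&dn1);
  _gnutls_free_datum (&dn2);
  return ret;
}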