/* Appends the value of RDN with given oid from certitifcate x5
* subject (if subject is non-zero), or issuer DN to buffer 'buf': */
static void append_rdn(ne_buffer *buf, gnutls_x509_crt x5, int subject, const char *oid)
{
int idx, top, ret;
char rdn[50];
top = oid_find_highest_index(x5, subject, oid);
for (idx = top; idx >= 0; idx--) {
size_t rdnlen = sizeof rdn;
if (subject)
ret = gnutls_x509_crt_get_dn_by_oid(x5, oid, idx, 0, rdn, &rdnlen);
else
ret = gnutls_x509_crt_get_issuer_dn_by_oid(x5, oid, idx, 0, rdn, &rdnlen);
if (ret < 0)
return;
if (buf->used > 1) {
ne_buffer_append(buf, ", ", 2);
}
ne_buffer_append(buf, rdn, rdnlen);
}
}
static int cmp_certificate_dn(gnutls_x509_crt crt, uint64_t wanted_dn, uint64_t wanted_issuer_dn)
{
int ret;
char buf[128];
size_t size = sizeof(buf);
ret = gnutls_x509_crt_get_dn_by_oid(crt, GNUTLS_OID_X520_DN_QUALIFIER, 0, 0, buf, &size);
if ( ret < 0 ) {
fprintf(stderr, "couldn't get certificate issue dn: %s.\n", gnutls_strerror(ret));
return -1;
}
if ( strtoull(buf, NULL, 10) != wanted_dn )
return -1;
size = sizeof(buf);
ret = gnutls_x509_crt_get_issuer_dn_by_oid(crt, GNUTLS_OID_X520_DN_QUALIFIER, 0, 0, buf, &size);
if ( ret < 0 ) {
fprintf(stderr, "couldn't get certificate issue dn: %s.\n", gnutls_strerror(ret));
return -1;
}
if ( strtoull(buf, NULL, 10) != wanted_issuer_dn )
return -1;
return 0;
}
/*-
* gnutls_x509_extract_certificate_issuer_dn - This function returns the certificate's issuer distinguished name
* @cert: should contain an X.509 DER encoded certificate
* @ret: a pointer to a structure to hold the issuer's name
*
* This function will return the name of the issuer stated in the certificate. The name is a gnutls_x509_dn structure and
* is a obtained by the peer's certificate. If the certificate send by the
* peer is invalid, or in any other failure this function returns error.
* Returns a negative error code in case of an error.
*
-*/
int
gnutls_x509_extract_certificate_issuer_dn (const gnutls_datum_t * cert,
gnutls_x509_dn * ret)
{
gnutls_x509_crt_t xcert;
int result;
size_t len;
result = gnutls_x509_crt_init (&xcert);
if (result < 0)
return result;
result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
if (result < 0)
{
gnutls_x509_crt_deinit (xcert);
return result;
}
len = sizeof (ret->country);
gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
GNUTLS_OID_X520_COUNTRY_NAME, 0,
0, ret->country, &len);
len = sizeof (ret->organization);
gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
GNUTLS_OID_X520_ORGANIZATION_NAME,
0, 0, ret->organization, &len);
len = sizeof (ret->organizational_unit_name);
gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
0, 0,
ret->organizational_unit_name, &len);
len = sizeof (ret->common_name);
gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
GNUTLS_OID_X520_COMMON_NAME, 0, 0,
ret->common_name, &len);
len = sizeof (ret->locality_name);
gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
GNUTLS_OID_X520_LOCALITY_NAME, 0,
0, ret->locality_name, &len);
len = sizeof (ret->state_or_province_name);
gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME,
0, 0, ret->state_or_province_name,
&len);
len = sizeof (ret->email);
gnutls_x509_crt_get_issuer_dn_by_oid (xcert, GNUTLS_OID_PKCS9_EMAIL, 0,
0, ret->email, &len);
gnutls_x509_crt_deinit (xcert);
return 0;
}
std::string
Certificate::getIssuerUID() const
{
std::string uid;
uid.resize(512);
size_t uid_sz = uid.size();
int ret = gnutls_x509_crt_get_issuer_dn_by_oid(cert, GNUTLS_OID_LDAP_UID, 0, 0, &(*uid.begin()), &uid_sz);
if (ret != GNUTLS_E_SUCCESS)
return {};
uid.resize(uid_sz);
return uid;
}
/* Returns the highest used index in subject (or issuer) DN of
* certificate CERT for OID, or -1 if no RDNs are present in the DN
* using that OID. */
static int oid_find_highest_index(gnutls_x509_crt cert, int subject, const char *oid)
{
int ret, idx = -1;
do {
size_t len = 0;
if (subject)
ret = gnutls_x509_crt_get_dn_by_oid(cert, oid, ++idx, 0,
NULL, &len);
else
ret = gnutls_x509_crt_get_issuer_dn_by_oid(cert, oid, ++idx, 0,
NULL, &len);
} while (ret == GNUTLS_E_SHORT_MEMORY_BUFFER);
return idx - 1;
}
static int remove_old(const char *filename, unsigned char *buf, size_t size)
{
int ret;
char out[512];
gnutls_datum data;
gnutls_x509_crt crt;
uint64_t dn, issuer_dn;
data.size = size;
data.data = buf;
gnutls_x509_crt_init(&crt);
ret = gnutls_x509_crt_import(crt, &data, GNUTLS_X509_FMT_PEM);
if ( ret < 0 ) {
fprintf(stderr, "error importing certificate: %s.\n", gnutls_strerror(ret));
goto err;
}
size = sizeof(out);
ret = gnutls_x509_crt_get_issuer_dn_by_oid(crt, GNUTLS_OID_X520_DN_QUALIFIER, 0, 0, out, &size);
if ( ret < 0 ) {
fprintf(stderr, "error reading issuer dn: %s.\n", gnutls_strerror(ret));
goto err;
}
issuer_dn = strtoull(out, NULL, 10);
size = sizeof(out);
ret = gnutls_x509_crt_get_dn_by_oid(crt, GNUTLS_OID_X520_DN_QUALIFIER, 0, 0, out, &size);
if ( ret < 0 ) {
fprintf(stderr, "error reading issuer dn: %s.\n", gnutls_strerror(ret));
goto err;
}
dn = strtoull(out, NULL, 10);
ret = remove_old_certificate(filename, dn, issuer_dn);
if ( ret < 0 )
return ret;
err:
gnutls_x509_crt_deinit(crt);
return ret;
}
static int tls_check_one_certificate (const gnutls_datum_t *certdata,
gnutls_certificate_status certstat,
const char* hostname, int idx, int len)
{
int certerr, savedcert;
gnutls_x509_crt cert;
char buf[SHORT_STRING];
char fpbuf[SHORT_STRING];
size_t buflen;
char dn_common_name[SHORT_STRING];
char dn_email[SHORT_STRING];
char dn_organization[SHORT_STRING];
char dn_organizational_unit[SHORT_STRING];
char dn_locality[SHORT_STRING];
char dn_province[SHORT_STRING];
char dn_country[SHORT_STRING];
time_t t;
char datestr[30];
MUTTMENU *menu;
char helpstr[LONG_STRING];
char title[STRING];
FILE *fp;
gnutls_datum pemdata;
int i, row, done, ret;
if (!tls_check_preauth (certdata, certstat, hostname, idx, &certerr,
&savedcert))
return 1;
/* skip signers if insecure algorithm was used */
if (idx && (certerr & CERTERR_INSECUREALG))
{
if (idx == 1)
{
mutt_error (_("Warning: Server certificate was signed using an insecure algorithm"));
mutt_sleep (2);
}
return 0;
}
/* interactive check from user */
if (gnutls_x509_crt_init (&cert) < 0)
{
mutt_error (_("Error initialising gnutls certificate data"));
mutt_sleep (2);
return 0;
}
if (gnutls_x509_crt_import (cert, certdata, GNUTLS_X509_FMT_DER) < 0)
{
mutt_error (_("Error processing certificate data"));
mutt_sleep (2);
gnutls_x509_crt_deinit (cert);
return -1;
}
menu = mutt_new_menu (-1);
menu->max = 25;
menu->dialog = (char **) safe_calloc (1, menu->max * sizeof (char *));
for (i = 0; i < menu->max; i++)
menu->dialog[i] = (char *) safe_calloc (1, SHORT_STRING * sizeof (char));
row = 0;
strfcpy (menu->dialog[row], _("This certificate belongs to:"), SHORT_STRING);
row++;
buflen = sizeof (dn_common_name);
if (gnutls_x509_crt_get_dn_by_oid (cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0,
dn_common_name, &buflen) != 0)
dn_common_name[0] = '\0';
buflen = sizeof (dn_email);
if (gnutls_x509_crt_get_dn_by_oid (cert, GNUTLS_OID_PKCS9_EMAIL, 0, 0,
dn_email, &buflen) != 0)
dn_email[0] = '\0';
buflen = sizeof (dn_organization);
if (gnutls_x509_crt_get_dn_by_oid (cert, GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 0,
dn_organization, &buflen) != 0)
dn_organization[0] = '\0';
buflen = sizeof (dn_organizational_unit);
if (gnutls_x509_crt_get_dn_by_oid (cert, GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0, 0,
dn_organizational_unit, &buflen) != 0)
dn_organizational_unit[0] = '\0';
buflen = sizeof (dn_locality);
if (gnutls_x509_crt_get_dn_by_oid (cert, GNUTLS_OID_X520_LOCALITY_NAME, 0, 0,
dn_locality, &buflen) != 0)
dn_locality[0] = '\0';
buflen = sizeof (dn_province);
if (gnutls_x509_crt_get_dn_by_oid (cert, GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0, 0,
dn_province, &buflen) != 0)
dn_province[0] = '\0';
buflen = sizeof (dn_country);
if (gnutls_x509_crt_get_dn_by_oid (cert, GNUTLS_OID_X520_COUNTRY_NAME, 0, 0,
dn_country, &buflen) != 0)
dn_country[0] = '\0';
snprintf (menu->dialog[row++], SHORT_STRING, " %s %s", dn_common_name, dn_email);
snprintf (menu->dialog[row++], SHORT_STRING, " %s", dn_organization);
snprintf (menu->dialog[row++], SHORT_STRING, " %s", dn_organizational_unit);
snprintf (menu->dialog[row++], SHORT_STRING, " %s %s %s",
dn_locality, dn_province, dn_country);
row++;
strfcpy (menu->dialog[row], _("This certificate was issued by:"), SHORT_STRING);
row++;
buflen = sizeof (dn_common_name);
if (gnutls_x509_crt_get_issuer_dn_by_oid (cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0,
dn_common_name, &buflen) != 0)
dn_common_name[0] = '\0';
buflen = sizeof (dn_email);
if (gnutls_x509_crt_get_issuer_dn_by_oid (cert, GNUTLS_OID_PKCS9_EMAIL, 0, 0,
dn_email, &buflen) != 0)
dn_email[0] = '\0';
buflen = sizeof (dn_organization);
if (gnutls_x509_crt_get_issuer_dn_by_oid (cert, GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 0,
dn_organization, &buflen) != 0)
dn_organization[0] = '\0';
buflen = sizeof (dn_organizational_unit);
if (gnutls_x509_crt_get_issuer_dn_by_oid (cert, GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0, 0,
dn_organizational_unit, &buflen) != 0)
dn_organizational_unit[0] = '\0';
buflen = sizeof (dn_locality);
if (gnutls_x509_crt_get_issuer_dn_by_oid (cert, GNUTLS_OID_X520_LOCALITY_NAME, 0, 0,
dn_locality, &buflen) != 0)
dn_locality[0] = '\0';
buflen = sizeof (dn_province);
if (gnutls_x509_crt_get_issuer_dn_by_oid (cert, GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0, 0,
dn_province, &buflen) != 0)
dn_province[0] = '\0';
buflen = sizeof (dn_country);
if (gnutls_x509_crt_get_issuer_dn_by_oid (cert, GNUTLS_OID_X520_COUNTRY_NAME, 0, 0,
dn_country, &buflen) != 0)
dn_country[0] = '\0';
snprintf (menu->dialog[row++], SHORT_STRING, " %s %s", dn_common_name, dn_email);
snprintf (menu->dialog[row++], SHORT_STRING, " %s", dn_organization);
snprintf (menu->dialog[row++], SHORT_STRING, " %s", dn_organizational_unit);
snprintf (menu->dialog[row++], SHORT_STRING, " %s %s %s",
dn_locality, dn_province, dn_country);
row++;
snprintf (menu->dialog[row++], SHORT_STRING, _("This certificate is valid"));
t = gnutls_x509_crt_get_activation_time (cert);
snprintf (menu->dialog[row++], SHORT_STRING, _(" from %s"),
tls_make_date (t, datestr, 30));
t = gnutls_x509_crt_get_expiration_time (cert);
snprintf (menu->dialog[row++], SHORT_STRING, _(" to %s"),
tls_make_date (t, datestr, 30));
fpbuf[0] = '\0';
tls_fingerprint (GNUTLS_DIG_SHA, fpbuf, sizeof (fpbuf), certdata);
snprintf (menu->dialog[row++], SHORT_STRING, _("SHA1 Fingerprint: %s"), fpbuf);
fpbuf[0] = '\0';
tls_fingerprint (GNUTLS_DIG_MD5, fpbuf, sizeof (fpbuf), certdata);
snprintf (menu->dialog[row++], SHORT_STRING, _("MD5 Fingerprint: %s"), fpbuf);
if (certerr & CERTERR_NOTYETVALID)
{
row++;
strfcpy (menu->dialog[row], _("WARNING: Server certificate is not yet valid"), SHORT_STRING);
}
if (certerr & CERTERR_EXPIRED)
{
row++;
strfcpy (menu->dialog[row], _("WARNING: Server certificate has expired"), SHORT_STRING);
}
if (certerr & CERTERR_REVOKED)
{
row++;
strfcpy (menu->dialog[row], _("WARNING: Server certificate has been revoked"), SHORT_STRING);
}
if (certerr & CERTERR_HOSTNAME)
{
row++;
strfcpy (menu->dialog[row], _("WARNING: Server hostname does not match certificate"), SHORT_STRING);
}
if (certerr & CERTERR_SIGNERNOTCA)
{
row++;
strfcpy (menu->dialog[row], _("WARNING: Signer of server certificate is not a CA"), SHORT_STRING);
}
snprintf (title, sizeof (title),
_("SSL Certificate check (certificate %d of %d in chain)"),
len - idx, len);
menu->title = title;
/* certificates with bad dates, or that are revoked, must be
accepted manually each and every time */
if (SslCertFile && !savedcert
&& !(certerr & (CERTERR_EXPIRED | CERTERR_NOTYETVALID
| CERTERR_REVOKED)))
{
menu->prompt = _("(r)eject, accept (o)nce, (a)ccept always");
menu->keys = _("roa");
}
else
{
menu->prompt = _("(r)eject, accept (o)nce");
menu->keys = _("ro");
}
helpstr[0] = '\0';
mutt_make_help (buf, sizeof (buf), _("Exit "), MENU_GENERIC, OP_EXIT);
safe_strcat (helpstr, sizeof (helpstr), buf);
mutt_make_help (buf, sizeof (buf), _("Help"), MENU_GENERIC, OP_HELP);
safe_strcat (helpstr, sizeof (helpstr), buf);
menu->help = helpstr;
done = 0;
set_option (OPTUNBUFFEREDINPUT);
while (!done)
{
switch (mutt_menuLoop (menu))
{
case -1: /* abort */
case OP_MAX + 1: /* reject */
case OP_EXIT:
done = 1;
break;
case OP_MAX + 3: /* accept always */
done = 0;
if ((fp = fopen (SslCertFile, "a")))
{
/* save hostname if necessary */
if (certerr & CERTERR_HOSTNAME)
{
fprintf(fp, "#H %s %s\n", hostname, fpbuf);
done = 1;
}
if (certerr & CERTERR_NOTTRUSTED)
{
done = 0;
ret = gnutls_pem_base64_encode_alloc ("CERTIFICATE", certdata,
&pemdata);
if (ret == 0)
{
if (fwrite (pemdata.data, pemdata.size, 1, fp) == 1)
{
done = 1;
}
gnutls_free (pemdata.data);
}
}
safe_fclose (&fp);
}
if (!done)
{
mutt_error (_("Warning: Couldn't save certificate"));
mutt_sleep (2);
}
else
{
mutt_message (_("Certificate saved"));
mutt_sleep (0);
}
/* fall through */
case OP_MAX + 2: /* accept once */
done = 2;
break;
}
}
unset_option (OPTUNBUFFEREDINPUT);
mutt_menuDestroy (&menu);
gnutls_x509_crt_deinit (cert);
return (done == 2);
}
static GtkWidget *cert_presenter(SSLCertificate *cert)
{
GtkWidget *vbox = NULL;
GtkWidget *hbox = NULL;
GtkWidget *frame_owner = NULL;
GtkWidget *frame_signer = NULL;
GtkWidget *frame_status = NULL;
GtkTable *owner_table = NULL;
GtkTable *signer_table = NULL;
GtkTable *status_table = NULL;
GtkWidget *label = NULL;
char *issuer_commonname, *issuer_location, *issuer_organization;
char *subject_commonname, *subject_location, *subject_organization;
char *sig_status, *exp_date;
char *md5_fingerprint, *sha1_fingerprint, *fingerprint;
size_t n;
char buf[100];
unsigned char md[128];
char *tmp;
time_t exp_time_t;
struct tm lt;
/* issuer */
issuer_commonname = g_malloc(BUFFSIZE);
issuer_location = g_malloc(BUFFSIZE);
issuer_organization = g_malloc(BUFFSIZE);
subject_commonname = g_malloc(BUFFSIZE);
subject_location = g_malloc(BUFFSIZE);
subject_organization = g_malloc(BUFFSIZE);
n = BUFFSIZE;
if (gnutls_x509_crt_get_issuer_dn_by_oid(cert->x509_cert,
GNUTLS_OID_X520_COMMON_NAME, 0, 0, issuer_commonname, &n))
strncpy(issuer_commonname, _("<not in certificate>"), BUFFSIZE);
n = BUFFSIZE;
if (gnutls_x509_crt_get_issuer_dn_by_oid(cert->x509_cert,
GNUTLS_OID_X520_LOCALITY_NAME, 0, 0, issuer_location, &n)) {
if (gnutls_x509_crt_get_issuer_dn_by_oid(cert->x509_cert,
GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, issuer_location, &n)) {
strncpy(issuer_location, _("<not in certificate>"), BUFFSIZE);
}
} else {
tmp = g_malloc(BUFFSIZE);
if (gnutls_x509_crt_get_issuer_dn_by_oid(cert->x509_cert,
GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, tmp, &n) == 0) {
strncat(issuer_location, ", ", BUFFSIZE-strlen(issuer_location)-1);
strncat(issuer_location, tmp, BUFFSIZE-strlen(issuer_location)-1);
}
g_free(tmp);
}
n = BUFFSIZE;
if (gnutls_x509_crt_get_issuer_dn_by_oid(cert->x509_cert,
GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 0, issuer_organization, &n))
strncpy(issuer_organization, _("<not in certificate>"), BUFFSIZE);
n = BUFFSIZE;
if (gnutls_x509_crt_get_dn_by_oid(cert->x509_cert,
GNUTLS_OID_X520_COMMON_NAME, 0, 0, subject_commonname, &n))
strncpy(subject_commonname, _("<not in certificate>"), BUFFSIZE);
n = BUFFSIZE;
if (gnutls_x509_crt_get_dn_by_oid(cert->x509_cert,
GNUTLS_OID_X520_LOCALITY_NAME, 0, 0, subject_location, &n)) {
if (gnutls_x509_crt_get_dn_by_oid(cert->x509_cert,
GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, subject_location, &n)) {
strncpy(subject_location, _("<not in certificate>"), BUFFSIZE);
}
} else {
tmp = g_malloc(BUFFSIZE);
if (gnutls_x509_crt_get_dn_by_oid(cert->x509_cert,
GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, tmp, &n) == 0) {
strncat(subject_location, ", ", BUFFSIZE-strlen(subject_location)-1);
strncat(subject_location, tmp, BUFFSIZE-strlen(subject_location)-1);
}
g_free(tmp);
}
n = BUFFSIZE;
if (gnutls_x509_crt_get_dn_by_oid(cert->x509_cert,
GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 0, subject_organization, &n))
strncpy(subject_organization, _("<not in certificate>"), BUFFSIZE);
exp_time_t = gnutls_x509_crt_get_expiration_time(cert->x509_cert);
memset(buf, 0, sizeof(buf));
if (exp_time_t > 0) {
fast_strftime(buf, sizeof(buf)-1, prefs_common.date_format, localtime_r(&exp_time_t, <));
exp_date = (*buf) ? g_strdup(buf):g_strdup("?");
} else
exp_date = g_strdup("");
/* fingerprint */
n = 128;
gnutls_x509_crt_get_fingerprint(cert->x509_cert, GNUTLS_DIG_MD5, md, &n);
md5_fingerprint = readable_fingerprint(md, (int)n);
n = 128;
gnutls_x509_crt_get_fingerprint(cert->x509_cert, GNUTLS_DIG_SHA1, md, &n);
sha1_fingerprint = readable_fingerprint(md, (int)n);
/* signature */
sig_status = ssl_certificate_check_signer(cert->x509_cert, cert->status);
if (sig_status==NULL)
sig_status = g_strdup(_("Correct"));
vbox = gtk_vbox_new(FALSE, 5);
hbox = gtk_hbox_new(FALSE, 5);
frame_owner = gtk_frame_new(_("Owner"));
frame_signer = gtk_frame_new(_("Signer"));
frame_status = gtk_frame_new(_("Status"));
owner_table = GTK_TABLE(gtk_table_new(3, 2, FALSE));
signer_table = GTK_TABLE(gtk_table_new(3, 2, FALSE));
status_table = GTK_TABLE(gtk_table_new(3, 2, FALSE));
label = gtk_label_new(_("Name: "));
gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
gtk_table_attach(owner_table, label, 0, 1, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
label = gtk_label_new(subject_commonname);
gtk_label_set_selectable(GTK_LABEL(label), TRUE);
gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
gtk_table_attach(owner_table, label, 1, 2, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
label = gtk_label_new(_("Organization: "));
gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
gtk_table_attach(owner_table, label, 0, 1, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
label = gtk_label_new(subject_organization);
gtk_label_set_selectable(GTK_LABEL(label), TRUE);
gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
gtk_table_attach(owner_table, label, 1, 2, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
label = gtk_label_new(_("Location: "));
gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
gtk_table_attach(owner_table, label, 0, 1, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
label = gtk_label_new(subject_location);
gtk_label_set_selectable(GTK_LABEL(label), TRUE);
gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
gtk_table_attach(owner_table, label, 1, 2, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
label = gtk_label_new(_("Name: "));
gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
gtk_table_attach(signer_table, label, 0, 1, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
label = gtk_label_new(issuer_commonname);
gtk_label_set_selectable(GTK_LABEL(label), TRUE);
gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
gtk_table_attach(signer_table, label, 1, 2, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
label = gtk_label_new(_("Organization: "));
gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
gtk_table_attach(signer_table, label, 0, 1, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
label = gtk_label_new(issuer_organization);
gtk_label_set_selectable(GTK_LABEL(label), TRUE);
gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
gtk_table_attach(signer_table, label, 1, 2, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
label = gtk_label_new(_("Location: "));
gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
gtk_table_attach(signer_table, label, 0, 1, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
label = gtk_label_new(issuer_location);
gtk_label_set_selectable(GTK_LABEL(label), TRUE);
gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
gtk_table_attach(signer_table, label, 1, 2, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
label = gtk_label_new(_("Fingerprint: \n"));
gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
gtk_table_attach(status_table, label, 0, 1, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
fingerprint = g_strdup_printf("MD5: %s\nSHA1: %s",
md5_fingerprint, sha1_fingerprint);
label = gtk_label_new(fingerprint);
g_free(fingerprint);
gtk_label_set_selectable(GTK_LABEL(label), TRUE);
gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
gtk_table_attach(status_table, label, 1, 2, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
label = gtk_label_new(_("Signature status: "));
gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
gtk_table_attach(status_table, label, 0, 1, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
label = gtk_label_new(sig_status);
gtk_label_set_selectable(GTK_LABEL(label), TRUE);
gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
gtk_table_attach(status_table, label, 1, 2, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
label = gtk_label_new(_("Expires on: "));
gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
gtk_table_attach(status_table, label, 0, 1, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
label = gtk_label_new(exp_date);
gtk_label_set_selectable(GTK_LABEL(label), TRUE);
gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
gtk_table_attach(status_table, label, 1, 2, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
gtk_container_add(GTK_CONTAINER(frame_owner), GTK_WIDGET(owner_table));
gtk_container_add(GTK_CONTAINER(frame_signer), GTK_WIDGET(signer_table));
gtk_container_add(GTK_CONTAINER(frame_status), GTK_WIDGET(status_table));
gtk_box_pack_end(GTK_BOX(hbox), frame_signer, TRUE, TRUE, 0);
gtk_box_pack_end(GTK_BOX(hbox), frame_owner, TRUE, TRUE, 0);
gtk_box_pack_end(GTK_BOX(vbox), frame_status, TRUE, TRUE, 0);
gtk_box_pack_end(GTK_BOX(vbox), hbox, TRUE, TRUE, 0);
gtk_widget_show_all(vbox);
g_free(issuer_commonname);
g_free(issuer_location);
g_free(issuer_organization);
g_free(subject_commonname);
g_free(subject_location);
g_free(subject_organization);
g_free(md5_fingerprint);
g_free(sha1_fingerprint);
g_free(sig_status);
g_free(exp_date);
return vbox;
}
/**
* tls_check_one_certificate - Check a GnuTLS certificate
* @param certdata List of GnuTLS certificates
* @param certstat GnuTLS certificate status
* @param hostname Hostname
* @param idx Index into certificate list
* @param len Length of certificate list
* @retval 0 Failure
* @retval >0 Success
*/
static int tls_check_one_certificate(const gnutls_datum_t *certdata,
gnutls_certificate_status_t certstat,
const char *hostname, int idx, size_t len)
{
int certerr, savedcert;
gnutls_x509_crt_t cert;
char buf[128];
char fpbuf[128];
size_t buflen;
char dn_common_name[128];
char dn_email[128];
char dn_organization[128];
char dn_organizational_unit[128];
char dn_locality[128];
char dn_province[128];
char dn_country[128];
time_t t;
char datestr[30];
struct Menu *menu = NULL;
char helpstr[1024];
char title[256];
FILE *fp = NULL;
gnutls_datum_t pemdata;
int row, done, ret;
if (tls_check_preauth(certdata, certstat, hostname, idx, &certerr, &savedcert) == 0)
return 1;
/* interactive check from user */
if (gnutls_x509_crt_init(&cert) < 0)
{
mutt_error(_("Error initialising gnutls certificate data"));
return 0;
}
if (gnutls_x509_crt_import(cert, certdata, GNUTLS_X509_FMT_DER) < 0)
{
mutt_error(_("Error processing certificate data"));
gnutls_x509_crt_deinit(cert);
return 0;
}
menu = mutt_menu_new(MENU_GENERIC);
menu->max = 27;
menu->dialog = mutt_mem_calloc(1, menu->max * sizeof(char *));
for (int i = 0; i < menu->max; i++)
menu->dialog[i] = mutt_mem_calloc(1, dialog_row_len * sizeof(char));
mutt_menu_push_current(menu);
row = 0;
mutt_str_strfcpy(menu->dialog[row], _("This certificate belongs to:"), dialog_row_len);
row++;
buflen = sizeof(dn_common_name);
if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0,
dn_common_name, &buflen) != 0)
{
dn_common_name[0] = '\0';
}
buflen = sizeof(dn_email);
if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_PKCS9_EMAIL, 0, 0, dn_email, &buflen) != 0)
dn_email[0] = '\0';
buflen = sizeof(dn_organization);
if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_ORGANIZATION_NAME, 0,
0, dn_organization, &buflen) != 0)
{
dn_organization[0] = '\0';
}
buflen = sizeof(dn_organizational_unit);
if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
0, 0, dn_organizational_unit, &buflen) != 0)
{
dn_organizational_unit[0] = '\0';
}
buflen = sizeof(dn_locality);
if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_LOCALITY_NAME, 0, 0,
dn_locality, &buflen) != 0)
{
dn_locality[0] = '\0';
}
buflen = sizeof(dn_province);
if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME,
0, 0, dn_province, &buflen) != 0)
{
dn_province[0] = '\0';
}
buflen = sizeof(dn_country);
if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COUNTRY_NAME, 0, 0,
dn_country, &buflen) != 0)
{
dn_country[0] = '\0';
}
snprintf(menu->dialog[row++], dialog_row_len, " %s %s", dn_common_name, dn_email);
snprintf(menu->dialog[row++], dialog_row_len, " %s", dn_organization);
snprintf(menu->dialog[row++], dialog_row_len, " %s", dn_organizational_unit);
snprintf(menu->dialog[row++], dialog_row_len, " %s %s %s", dn_locality,
dn_province, dn_country);
row++;
mutt_str_strfcpy(menu->dialog[row], _("This certificate was issued by:"), dialog_row_len);
row++;
buflen = sizeof(dn_common_name);
if (gnutls_x509_crt_get_issuer_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME, 0,
0, dn_common_name, &buflen) != 0)
{
dn_common_name[0] = '\0';
}
buflen = sizeof(dn_email);
if (gnutls_x509_crt_get_issuer_dn_by_oid(cert, GNUTLS_OID_PKCS9_EMAIL, 0, 0,
dn_email, &buflen) != 0)
{
dn_email[0] = '\0';
}
buflen = sizeof(dn_organization);
if (gnutls_x509_crt_get_issuer_dn_by_oid(cert, GNUTLS_OID_X520_ORGANIZATION_NAME,
0, 0, dn_organization, &buflen) != 0)
{
dn_organization[0] = '\0';
}
buflen = sizeof(dn_organizational_unit);
if (gnutls_x509_crt_get_issuer_dn_by_oid(cert, GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
0, 0, dn_organizational_unit, &buflen) != 0)
{
dn_organizational_unit[0] = '\0';
}
buflen = sizeof(dn_locality);
if (gnutls_x509_crt_get_issuer_dn_by_oid(cert, GNUTLS_OID_X520_LOCALITY_NAME,
0, 0, dn_locality, &buflen) != 0)
{
dn_locality[0] = '\0';
}
buflen = sizeof(dn_province);
if (gnutls_x509_crt_get_issuer_dn_by_oid(cert, GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME,
0, 0, dn_province, &buflen) != 0)
{
dn_province[0] = '\0';
}
buflen = sizeof(dn_country);
if (gnutls_x509_crt_get_issuer_dn_by_oid(cert, GNUTLS_OID_X520_COUNTRY_NAME,
0, 0, dn_country, &buflen) != 0)
{
dn_country[0] = '\0';
}
snprintf(menu->dialog[row++], dialog_row_len, " %s %s", dn_common_name, dn_email);
snprintf(menu->dialog[row++], dialog_row_len, " %s", dn_organization);
snprintf(menu->dialog[row++], dialog_row_len, " %s", dn_organizational_unit);
snprintf(menu->dialog[row++], dialog_row_len, " %s %s %s", dn_locality,
dn_province, dn_country);
row++;
snprintf(menu->dialog[row++], dialog_row_len, _("This certificate is valid"));
t = gnutls_x509_crt_get_activation_time(cert);
mutt_date_make_tls(datestr, sizeof(datestr), t);
snprintf(menu->dialog[row++], dialog_row_len, _(" from %s"), datestr);
t = gnutls_x509_crt_get_expiration_time(cert);
mutt_date_make_tls(datestr, sizeof(datestr), t);
snprintf(menu->dialog[row++], dialog_row_len, _(" to %s"), datestr);
fpbuf[0] = '\0';
tls_fingerprint(GNUTLS_DIG_SHA, fpbuf, sizeof(fpbuf), certdata);
snprintf(menu->dialog[row++], dialog_row_len, _("SHA1 Fingerprint: %s"), fpbuf);
fpbuf[0] = '\0';
fpbuf[40] = '\0'; /* Ensure the second printed line is null terminated */
tls_fingerprint(GNUTLS_DIG_SHA256, fpbuf, sizeof(fpbuf), certdata);
fpbuf[39] = '\0'; /* Divide into two lines of output */
snprintf(menu->dialog[row++], dialog_row_len, "%s%s", _("SHA256 Fingerprint: "), fpbuf);
snprintf(menu->dialog[row++], dialog_row_len, "%*s%s",
(int) mutt_str_strlen(_("SHA256 Fingerprint: ")), "", fpbuf + 40);
if (certerr & CERTERR_NOTYETVALID)
{
row++;
mutt_str_strfcpy(menu->dialog[row],
_("WARNING: Server certificate is not yet valid"), dialog_row_len);
}
if (certerr & CERTERR_EXPIRED)
{
row++;
mutt_str_strfcpy(menu->dialog[row],
_("WARNING: Server certificate has expired"), dialog_row_len);
}
if (certerr & CERTERR_REVOKED)
{
row++;
mutt_str_strfcpy(menu->dialog[row],
_("WARNING: Server certificate has been revoked"), dialog_row_len);
}
if (certerr & CERTERR_HOSTNAME)
{
row++;
mutt_str_strfcpy(menu->dialog[row],
_("WARNING: Server hostname does not match certificate"),
dialog_row_len);
}
if (certerr & CERTERR_SIGNERNOTCA)
{
row++;
mutt_str_strfcpy(menu->dialog[row],
_("WARNING: Signer of server certificate is not a CA"), dialog_row_len);
}
snprintf(title, sizeof(title),
_("SSL Certificate check (certificate %zu of %zu in chain)"), len - idx, len);
menu->title = title;
/* certificates with bad dates, or that are revoked, must be
* accepted manually each and every time */
if (C_CertificateFile && !savedcert &&
!(certerr & (CERTERR_EXPIRED | CERTERR_NOTYETVALID | CERTERR_REVOKED)))
{
menu->prompt = _("(r)eject, accept (o)nce, (a)ccept always");
/* L10N: These three letters correspond to the choices in the string:
(r)eject, accept (o)nce, (a)ccept always.
This is an interactive certificate confirmation prompt for
a GNUTLS connection. */
menu->keys = _("roa");
}
else
{
menu->prompt = _("(r)eject, accept (o)nce");
/* L10N: These two letters correspond to the choices in the string:
(r)eject, accept (o)nce.
These is an interactive certificate confirmation prompt for
a GNUTLS connection. */
menu->keys = _("ro");
}
helpstr[0] = '\0';
mutt_make_help(buf, sizeof(buf), _("Exit "), MENU_GENERIC, OP_EXIT);
mutt_str_strcat(helpstr, sizeof(helpstr), buf);
mutt_make_help(buf, sizeof(buf), _("Help"), MENU_GENERIC, OP_HELP);
mutt_str_strcat(helpstr, sizeof(helpstr), buf);
menu->help = helpstr;
done = 0;
OptIgnoreMacroEvents = true;
while (done == 0)
{
switch (mutt_menu_loop(menu))
{
case -1: /* abort */
case OP_MAX + 1: /* reject */
case OP_EXIT:
done = 1;
break;
case OP_MAX + 3: /* accept always */
done = 0;
fp = mutt_file_fopen(C_CertificateFile, "a");
if (fp)
{
/* save hostname if necessary */
if (certerr & CERTERR_HOSTNAME)
{
fpbuf[0] = '\0';
tls_fingerprint(GNUTLS_DIG_MD5, fpbuf, sizeof(fpbuf), certdata);
fprintf(fp, "#H %s %s\n", hostname, fpbuf);
done = 1;
}
/* Save the cert for all other errors */
if (certerr ^ CERTERR_HOSTNAME)
{
done = 0;
ret = gnutls_pem_base64_encode_alloc("CERTIFICATE", certdata, &pemdata);
if (ret == 0)
{
if (fwrite(pemdata.data, pemdata.size, 1, fp) == 1)
{
done = 1;
}
gnutls_free(pemdata.data);
}
}
mutt_file_fclose(&fp);
}
if (done == 0)
{
mutt_error(_("Warning: Couldn't save certificate"));
}
else
{
mutt_message(_("Certificate saved"));
mutt_sleep(0);
}
/* fallthrough */
case OP_MAX + 2: /* accept once */
done = 2;
break;
}
}
OptIgnoreMacroEvents = false;
mutt_menu_pop_current(menu);
mutt_menu_destroy(&menu);
gnutls_x509_crt_deinit(cert);
return done == 2;
}
int tls_cert_info_get(tls_t *tls, tls_cert_info_t *tci, char **errstr)
{
#ifdef HAVE_LIBGNUTLS
const gnutls_datum_t *cert_list;
unsigned int cert_list_size;
gnutls_x509_crt_t cert;
size_t size;
const char *oid[6] = { GNUTLS_OID_X520_COMMON_NAME,
GNUTLS_OID_X520_ORGANIZATION_NAME,
GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
GNUTLS_OID_X520_LOCALITY_NAME,
GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME,
GNUTLS_OID_X520_COUNTRY_NAME };
int i;
int e;
char *p;
const char *errmsg;
errmsg = _("cannot get TLS certificate info");
if (!(cert_list =
gnutls_certificate_get_peers(tls->session, &cert_list_size))
|| cert_list_size == 0)
{
*errstr = xasprintf(_("%s: no certificate was found"), errmsg);
return TLS_ECERT;
}
if (gnutls_x509_crt_init(&cert) != 0)
{
*errstr = xasprintf(_("%s: cannot initialize certificate structure"),
errmsg);
return TLS_ECERT;
}
if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) != 0)
{
*errstr = xasprintf(_("%s: error parsing certificate"), errmsg);
gnutls_x509_crt_deinit(cert);
return TLS_ECERT;
}
/* certificate information */
size = 20;
if (gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA,
tci->sha1_fingerprint, &size) != 0)
{
*errstr = xasprintf(_("%s: error getting SHA1 fingerprint"), errmsg);
gnutls_x509_crt_deinit(cert);
return TLS_ECERT;
}
size = 16;
if (gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_MD5,
tci->md5_fingerprint, &size) != 0)
{
*errstr = xasprintf(_("%s: error getting MD5 fingerprint"), errmsg);
gnutls_x509_crt_deinit(cert);
return TLS_ECERT;
}
if ((tci->activation_time = gnutls_x509_crt_get_activation_time(cert)) < 0)
{
*errstr = xasprintf(_("%s: cannot get activation time"), errmsg);
gnutls_x509_crt_deinit(cert);
return TLS_ECERT;
}
if ((tci->expiration_time = gnutls_x509_crt_get_expiration_time(cert)) < 0)
{
*errstr = xasprintf(_("%s: cannot get expiration time"), errmsg);
gnutls_x509_crt_deinit(cert);
return TLS_ECERT;
}
/* owner information */
for (i = 0; i < 6; i++)
{
size = 0;
e = gnutls_x509_crt_get_dn_by_oid(cert, oid[i], 0, 0, NULL, &size);
if (e == GNUTLS_E_SHORT_MEMORY_BUFFER)
{
p = xmalloc(size);
e = gnutls_x509_crt_get_dn_by_oid(cert, oid[i], 0, 0, p, &size);
if (e == 0)
{
tci->owner_info[i] = p;
}
else
{
free(p);
}
}
}
/* issuer information */
for (i = 0; i < 6; i++)
{
size = 0;
e = gnutls_x509_crt_get_issuer_dn_by_oid(
cert, oid[i], 0, 0, NULL, &size);
if (e == GNUTLS_E_SHORT_MEMORY_BUFFER)
{
p = xmalloc(size);
e = gnutls_x509_crt_get_issuer_dn_by_oid(
cert, oid[i], 0, 0, p, &size);
if (e == 0)
{
tci->issuer_info[i] = p;
}
else
{
free(p);
}
}
}
gnutls_x509_crt_deinit(cert);
return TLS_EOK;
#endif /* HAVE_LIBGNUTLS */
#ifdef HAVE_LIBSSL
X509 *x509cert;
X509_NAME *x509_subject;
X509_NAME *x509_issuer;
ASN1_TIME *asn1time;
int nid[6] = { NID_commonName,
NID_organizationName,
NID_organizationalUnitName,
NID_localityName,
NID_stateOrProvinceName,
NID_countryName };
int size;
unsigned int usize;
char *p;
int i;
const char *errmsg;
errmsg = _("cannot get TLS certificate info");
if (!(x509cert = SSL_get_peer_certificate(tls->ssl)))
{
*errstr = xasprintf(_("%s: no certificate was found"), errmsg);
return TLS_ECERT;
}
if (!(x509_subject = X509_get_subject_name(x509cert)))
{
*errstr = xasprintf(_("%s: cannot get certificate subject"), errmsg);
X509_free(x509cert);
return TLS_ECERT;
}
if (!(x509_issuer = X509_get_issuer_name(x509cert)))
{
*errstr = xasprintf(_("%s: cannot get certificate issuer"), errmsg);
X509_free(x509cert);
return TLS_ECERT;
}
/* certificate information */
usize = 20;
if (!X509_digest(x509cert, EVP_sha1(), tci->sha1_fingerprint, &usize))
{
*errstr = xasprintf(_("%s: error getting SHA1 fingerprint"), errmsg);
return TLS_ECERT;
}
usize = 16;
if (!X509_digest(x509cert, EVP_md5(), tci->md5_fingerprint, &usize))
{
*errstr = xasprintf(_("%s: error getting MD5 fingerprint"), errmsg);
return TLS_ECERT;
}
asn1time = X509_get_notBefore(x509cert);
if (asn1time_to_time_t((char *)asn1time->data,
(asn1time->type != V_ASN1_GENERALIZEDTIME),
&(tci->activation_time)) != 0)
{
*errstr = xasprintf(_("%s: cannot get activation time"), errmsg);
X509_free(x509cert);
tls_cert_info_free(tci);
return TLS_ECERT;
}
asn1time = X509_get_notAfter(x509cert);
if (asn1time_to_time_t((char *)asn1time->data,
(asn1time->type != V_ASN1_GENERALIZEDTIME),
&(tci->expiration_time)) != 0)
{
*errstr = xasprintf(_("%s: cannot get expiration time"), errmsg);
X509_free(x509cert);
tls_cert_info_free(tci);
return TLS_ECERT;
}
/* owner information */
for (i = 0; i < 6; i++)
{
size = X509_NAME_get_text_by_NID(x509_subject, nid[i], NULL, 0);
size++;
p = xmalloc((size_t)size);
if (X509_NAME_get_text_by_NID(x509_subject, nid[i], p, size) != -1)
{
tci->owner_info[i] = p;
}
else
{
free(p);
}
}
/* issuer information */
for (i = 0; i < 6; i++)
{
size = X509_NAME_get_text_by_NID(x509_issuer, nid[i], NULL, 0);
size++;
p = xmalloc((size_t)size);
if (X509_NAME_get_text_by_NID(x509_issuer, nid[i], p, size) != -1)
{
tci->issuer_info[i] = p;
}
else
{
free(p);
}
}
X509_free(x509cert);
return TLS_EOK;
#endif /* HAVE_LIBSSL */
}
