/**
* gnutls_x509_trust_list_verify_crt2:
* @list: The structure of the list
* @cert_list: is the certificate list to be verified
* @cert_list_size: is the certificate list size
* @data: an array of typed data
* @elements: the number of data elements
* @flags: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.
* @voutput: will hold the certificate verification output.
* @func: If non-null will be called on each chain element verification with the output.
*
* This function will attempt to verify the given certificate and return
* its status. The @voutput parameter will hold an OR'ed sequence of
* %gnutls_certificate_status_t flags. When a chain of @cert_list_size with
* more than one certificates is provided, the verification status will apply
* to the first certificate in the chain that failed verification. The
* verification process starts from the end of the chain (from CA to end
* certificate).
*
* Additionally a certificate verification profile can be specified
* from the ones in %gnutls_certificate_verification_profiles_t by
* ORing the result of GNUTLS_PROFILE_TO_VFLAGS() to the verification
* flags.
*
* The acceptable @data types are %GNUTLS_DT_DNS_HOSTNAME and %GNUTLS_DT_KEY_PURPOSE_OID.
* The former accepts as data a null-terminated hostname, and the latter a null-terminated
* object identifier (e.g., %GNUTLS_KP_TLS_WWW_SERVER).
* If a DNS hostname is provided then this function will compare
* the hostname in the certificate against the given. If names do not match the
* %GNUTLS_CERT_UNEXPECTED_OWNER status flag will be set. In addition it
* will consider certificates provided with gnutls_x509_trust_list_add_named_crt().
*
* If a key purpose OID is provided and the end-certificate contains the extended key
* usage PKIX extension, it will be required to match the provided OID
* or be marked for any purpose, otherwise verification will fail with
* %GNUTLS_CERT_PURPOSE_MISMATCH status.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value. Note that verification failure will not result to an
* error code, only @voutput will be updated.
*
* Since: 3.3.8
**/
int
gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
gnutls_x509_crt_t * cert_list,
unsigned int cert_list_size,
gnutls_typed_vdata_st *data,
unsigned int elements,
unsigned int flags,
unsigned int *voutput,
gnutls_verify_output_function func)
{
int ret;
unsigned int i;
uint32_t hash;
gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH];
const char *hostname = NULL, *purpose = NULL;
unsigned hostname_size = 0;
if (cert_list == NULL || cert_list_size < 1)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
for (i=0;i<elements;i++) {
if (data[i].type == GNUTLS_DT_DNS_HOSTNAME) {
hostname = (void*)data[i].data;
if (data[i].size > 0) {
hostname_size = data[i].size;
}
} else if (data[i].type == GNUTLS_DT_KEY_PURPOSE_OID) {
purpose = (void*)data[i].data;
}
}
if (hostname) { /* shortcut using the named certs - if any */
unsigned vtmp = 0;
if (hostname_size == 0)
hostname_size = strlen(hostname);
ret = gnutls_x509_trust_list_verify_named_crt(list,
cert_list[0], hostname, hostname_size,
flags, &vtmp, func);
if (ret == 0 && vtmp == 0) {
*voutput = vtmp;
return 0;
}
}
if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN))
cert_list = _gnutls_sort_clist(sorted, cert_list, &cert_list_size, NULL);
cert_list_size = shorten_clist(list, cert_list, cert_list_size);
if (cert_list_size <= 0)
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
hash =
hash_pjw_bare(cert_list[cert_list_size - 1]->raw_issuer_dn.
data,
cert_list[cert_list_size -
1]->raw_issuer_dn.size);
hash %= list->size;
ret = check_if_in_blacklist(cert_list, cert_list_size,
list->blacklisted, list->blacklisted_size);
if (ret != 0) {
*voutput = 0;
*voutput |= GNUTLS_CERT_REVOKED;
*voutput |= GNUTLS_CERT_INVALID;
return 0;
}
*voutput =
_gnutls_verify_crt_status(cert_list, cert_list_size,
list->node[hash].trusted_cas,
list->
node[hash].trusted_ca_size,
flags, purpose, func);
#define LAST_DN cert_list[cert_list_size-1]->raw_dn
#define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn
if ((*voutput) & GNUTLS_CERT_SIGNER_NOT_FOUND &&
(LAST_DN.size != LAST_IDN.size ||
memcmp(LAST_DN.data, LAST_IDN.data, LAST_IDN.size) != 0)) {
/* if we couldn't find the issuer, try to see if the last
* certificate is in the trusted list and try to verify against
* (if it is not self signed) */
hash =
hash_pjw_bare(cert_list[cert_list_size - 1]->raw_dn.
data, cert_list[cert_list_size - 1]->raw_dn.size);
hash %= list->size;
*voutput =
_gnutls_verify_crt_status(cert_list, cert_list_size,
list->node[hash].trusted_cas,
list->
node[hash].trusted_ca_size,
flags, purpose, func);
}
#ifdef ENABLE_PKCS11
if ((*voutput & GNUTLS_CERT_SIGNER_NOT_FOUND) && list->pkcs11_token) {
/* use the token for verification */
*voutput = _gnutls_pkcs11_verify_crt_status(list->pkcs11_token,
cert_list, cert_list_size,
purpose,
flags, func);
if (*voutput != 0) {
gnutls_assert();
}
}
#endif
/* End-certificate, key purpose and hostname checks. */
if (purpose) {
ret = _gnutls_check_key_purpose(cert_list[0], purpose, 0);
if (ret != 1) {
gnutls_assert();
*voutput |= GNUTLS_CERT_PURPOSE_MISMATCH|GNUTLS_CERT_INVALID;
}
}
if (hostname) {
ret =
gnutls_x509_crt_check_hostname2(cert_list[0], hostname, flags);
if (ret == 0)
*voutput |= GNUTLS_CERT_UNEXPECTED_OWNER|GNUTLS_CERT_INVALID;
}
/* CRL checks follow */
if (*voutput != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS))
return 0;
/* Check revocation of individual certificates.
* start with the last one that we already have its hash
*/
ret =
_gnutls_x509_crt_check_revocation(cert_list
[cert_list_size - 1],
list->node[hash].crls,
list->node[hash].crl_size,
func);
if (ret == 1) { /* revoked */
*voutput |= GNUTLS_CERT_REVOKED;
*voutput |= GNUTLS_CERT_INVALID;
return 0;
}
for (i = 0; i < cert_list_size - 1; i++) {
hash =
hash_pjw_bare(cert_list[i]->raw_issuer_dn.data,
cert_list[i]->raw_issuer_dn.size);
hash %= list->size;
ret = _gnutls_x509_crt_check_revocation(cert_list[i],
list->node[hash].
crls,
list->node[hash].
crl_size, func);
if (ret < 0) {
gnutls_assert();
} else if (ret == 1) { /* revoked */
*voutput |= GNUTLS_CERT_REVOKED;
*voutput |= GNUTLS_CERT_INVALID;
return 0;
}
}
return 0;
}
/* This function will try to verify the peer's certificate chain, and
* also check if the hostname matches.
*/
void
verify_certificate_chain(const char *hostname,
const gnutls_datum_t * cert_chain,
int cert_chain_length)
{
int i;
gnutls_x509_trust_list_t tlist;
gnutls_x509_crt_t *cert;
unsigned int output;
/* Initialize the trusted certificate list. This should be done
* once on initialization. gnutls_x509_crt_list_import2() and
* gnutls_x509_crl_list_import2() can be used to load them.
*/
gnutls_x509_trust_list_init(&tlist, 0);
gnutls_x509_trust_list_add_cas(tlist, ca_list, ca_list_size, 0);
gnutls_x509_trust_list_add_crls(tlist, crl_list, crl_list_size,
GNUTLS_TL_VERIFY_CRL, 0);
cert = malloc(sizeof(*cert) * cert_chain_length);
/* Import all the certificates in the chain to
* native certificate format.
*/
for (i = 0; i < cert_chain_length; i++) {
gnutls_x509_crt_init(&cert[i]);
gnutls_x509_crt_import(cert[i], &cert_chain[i],
GNUTLS_X509_FMT_DER);
}
gnutls_x509_trust_list_verify_named_crt(tlist, cert[0], hostname,
strlen(hostname),
GNUTLS_VERIFY_DISABLE_CRL_CHECKS,
&output,
print_details_func);
/* if this certificate is not explicitly trusted verify against CAs
*/
if (output != 0) {
gnutls_x509_trust_list_verify_crt(tlist, cert,
cert_chain_length, 0,
&output,
print_details_func);
}
if (output & GNUTLS_CERT_INVALID) {
fprintf(stderr, "Not trusted");
if (output & GNUTLS_CERT_SIGNER_NOT_FOUND)
fprintf(stderr, ": no issuer was found");
if (output & GNUTLS_CERT_SIGNER_NOT_CA)
fprintf(stderr, ": issuer is not a CA");
if (output & GNUTLS_CERT_NOT_ACTIVATED)
fprintf(stderr, ": not yet activated\n");
if (output & GNUTLS_CERT_EXPIRED)
fprintf(stderr, ": expired\n");
fprintf(stderr, "\n");
} else
fprintf(stderr, "Trusted\n");
/* Check if the name in the first certificate matches our destination!
*/
if (!gnutls_x509_crt_check_hostname(cert[0], hostname)) {
printf
("The certificate's owner does not match hostname '%s'\n",
hostname);
}
gnutls_x509_trust_list_deinit(tlist, 1);
return;
}
void
doit (void)
{
int ret;
gnutls_datum_t data;
gnutls_x509_crt_t server_crt, ca_crt;
gnutls_x509_trust_list_t tl;
unsigned int status;
/* this must be called once in the program
*/
gnutls_global_init ();
gnutls_global_set_time_function (mytime);
gnutls_global_set_log_function (tls_log_func);
if (debug)
gnutls_global_set_log_level (6);
/* test for gnutls_certificate_get_issuer() */
gnutls_x509_trust_list_init(&tl, 0);
gnutls_x509_crt_init(&server_crt);
gnutls_x509_crt_init(&ca_crt);
ret = gnutls_x509_crt_import(server_crt, &cert, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("gnutls_x509_crt_import");
ret = gnutls_x509_crt_import(ca_crt, &ca, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("gnutls_x509_crt_import");
ret = gnutls_x509_trust_list_add_cas(tl, &ca_crt, 1, 0);
if (ret < 0)
fail("gnutls_x509_trust_list_add_cas");
ret = gnutls_x509_trust_list_add_named_crt(tl, server_crt, NAME, NAME_SIZE, 0);
if (ret < 0)
fail("gnutls_x509_trust_list_add_named_crt");
ret = gnutls_x509_trust_list_verify_crt(tl, &server_crt, 1, 0, &status, NULL);
if (ret < 0 || status != 0)
fail("gnutls_x509_trust_list_verify_crt\n");
ret = gnutls_x509_trust_list_verify_named_crt(tl, server_crt, NAME, NAME_SIZE, 0, &status, NULL);
if (ret < 0 || status != 0)
fail("gnutls_x509_trust_list_verify_named_crt: %d\n", __LINE__);
ret = gnutls_x509_trust_list_verify_named_crt(tl, server_crt, NAME, NAME_SIZE-1, 0, &status, NULL);
if (ret < 0 || status == 0)
fail("gnutls_x509_trust_list_verify_named_crt: %d\n", __LINE__);
ret = gnutls_x509_trust_list_verify_named_crt(tl, server_crt, "other", 5, 0, &status, NULL);
if (ret < 0 || status == 0)
fail("gnutls_x509_trust_list_verify_named_crt: %d\n", __LINE__);
/* test convenience functions in verify-high2.c */
data.data = cert_pem;
data.size = strlen((char*)cert_pem);
ret = gnutls_x509_trust_list_add_trust_mem(tl, &data, NULL, GNUTLS_X509_FMT_PEM, 0, 0);
if (ret < 1)
fail("gnutls_x509_trust_list_add_trust_mem: %d (%s)\n", __LINE__, gnutls_strerror(ret));
data.data = cert_der;
data.size = sizeof(cert_der);
ret = gnutls_x509_trust_list_add_trust_mem(tl, &data, NULL, GNUTLS_X509_FMT_DER, 0, 0);
if (ret < 1)
fail("gnutls_x509_trust_list_add_trust_mem: %d (%s)\n", __LINE__, gnutls_strerror(ret));
gnutls_x509_trust_list_deinit(tl, 1);
gnutls_global_deinit();
if (debug) success("success");
}
