/**
 * gnutls_x509_crt_verify:
 * @cert: is the certificate to be verified
 * @CA_list: is one certificate that is considered to be trusted one
 * @CA_list_length: holds the number of CA certificate in CA_list
 * @flags: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.
 * @verify: will hold the certificate verification output.
 *
 * Verifies a single certificate against the trusted @CA_list and
 * stores the resulting status bits in @verify.  An empty CRL list is
 * handed to the verifier, so revocation is not part of the status
 * this function produces.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
 * negative error value.
 **/
int
gnutls_x509_crt_verify (gnutls_x509_crt_t cert,
                        const gnutls_x509_crt_t * CA_list,
                        int CA_list_length,
                        unsigned int flags, unsigned int *verify)
{
  /* The internal verifier works on chains; a single certificate is a
   * chain of length one. */
  const gnutls_x509_crt_t *chain = &cert;
  unsigned int status;

  status = _gnutls_x509_verify_certificate (chain, 1,
                                            CA_list, CA_list_length,
                                            NULL, 0, flags);
  *verify = status;

  return 0;
}
/**
 * gnutls_x509_crt_list_verify:
 * @cert_list: is the certificate list to be verified
 * @cert_list_length: holds the number of certificate in cert_list
 * @CA_list: is the CA list which will be used in verification
 * @CA_list_length: holds the number of CA certificate in CA_list
 * @CRL_list: holds a list of CRLs.
 * @CRL_list_length: the length of CRL list.
 * @flags: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.
 * @verify: will hold the certificate verification output.
 *
 * This function will try to verify the given certificate list and
 * return its status. If no flags are specified (0), this function
 * will use the basicConstraints (2.5.29.19) PKIX extension. This
 * means that only a certificate authority is allowed to sign a
 * certificate.
 *
 * You must also check the peer's name in order to check if the verified
 * certificate belongs to the actual peer.
 *
 * The certificate verification output will be put in @verify and will
 * be one or more of the gnutls_certificate_status_t enumerated
 * elements bitwise or'd. For a more detailed verification status use
 * gnutls_x509_crt_verify() per list element.
 *
 * GNUTLS_CERT_INVALID: the certificate chain is not valid.
 *
 * GNUTLS_CERT_REVOKED: a certificate in the chain has been revoked.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
 * negative error value.
 **/
int
gnutls_x509_crt_list_verify (const gnutls_x509_crt_t * cert_list,
                             int cert_list_length,
                             const gnutls_x509_crt_t * CA_list,
                             int CA_list_length,
                             const gnutls_x509_crl_t * CRL_list,
                             int CRL_list_length,
                             unsigned int flags, unsigned int *verify)
{
  unsigned int status;

  /* Nothing to verify: neither a NULL list nor an empty one is a chain. */
  if (cert_list == NULL)
    return GNUTLS_E_NO_CERTIFICATE_FOUND;
  if (cert_list_length == 0)
    return GNUTLS_E_NO_CERTIFICATE_FOUND;

  /* The CA and CRL lists are passed straight through to the internal
   * verifier; this wrapper only relays its status bits. */
  status = _gnutls_x509_verify_certificate (cert_list, cert_list_length,
                                            CA_list, CA_list_length,
                                            CRL_list, CRL_list_length,
                                            flags);
  *verify = status;

  return 0;
}
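/**
 * gnutls_x509_crt_list_verify:
 * @cert_list: is the certificate list to be verified
 * @cert_list_length: holds the number of certificate in cert_list
 * @CA_list: is the CA list which will be used in verification
 * @CA_list_length: holds the number of CA certificate in CA_list
 * @CRL_list: holds a list of CRLs.
 * @CRL_list_length: the length of CRL list.
 * @flags: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.
 * @verify: will hold the certificate verification output.
 *
 * This function will try to verify the given certificate list and
 * return its status. If no flags are specified (0), this function
 * will use the basicConstraints (2.5.29.19) PKIX extension. This
 * means that only a certificate authority is allowed to sign a
 * certificate.
 *
 * You must also check the peer's name in order to check if the verified
 * certificate belongs to the actual peer.
 *
 * The certificate verification output will be put in @verify and will
 * be one or more of the gnutls_certificate_status_t enumerated
 * elements bitwise or'd. For a more detailed verification status use
 * gnutls_x509_crt_verify() per list element.
 *
 * GNUTLS_CERT_INVALID: the certificate chain is not valid.
 *
 * GNUTLS_CERT_REVOKED: a certificate in the chain has been revoked.
 * Revocation is only checked when the library is built with
 * ENABLE_PKI; otherwise @CRL_list is not consulted.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
 * negative error value.
 **/
int
gnutls_x509_crt_list_verify (const gnutls_x509_crt_t * cert_list,
                             int cert_list_length,
                             const gnutls_x509_crt_t * CA_list,
                             int CA_list_length,
                             const gnutls_x509_crl_t * CRL_list,
                             int CRL_list_length,
                             unsigned int flags, unsigned int *verify)
{
  if (cert_list == NULL || cert_list_length == 0)
    return GNUTLS_E_NO_CERTIFICATE_FOUND;

  /* Chain/signature verification; CRLs are handled separately below. */
  *verify = _gnutls_x509_verify_certificate (cert_list, cert_list_length,
                                             CA_list, CA_list_length,
                                             flags, NULL);

#ifdef ENABLE_PKI
  /* Check every certificate in the chain against the supplied CRLs.
   * The loop locals live inside the #ifdef so a build without PKI
   * support does not carry unused variables. */
  {
    int i;

    for (i = 0; i < cert_list_length; i++)
      {
        int ret = gnutls_x509_crt_check_revocation (cert_list[i],
                                                    CRL_list,
                                                    CRL_list_length);
        if (ret == 1)
          {                     /* revoked */
            *verify |= GNUTLS_CERT_REVOKED;
            *verify |= GNUTLS_CERT_INVALID;
          }
        /* NOTE(review): a negative ret (the CRL check itself failed) is
         * not reported here, so such a certificate is treated as not
         * revoked.  Callers that need a fail-closed revocation policy
         * must check the CRLs themselves. */
      }
  }
#endif

  return 0;
}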
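/* Hash the raw issuer DN of @cert into a bucket index of @list and store
 * it in @bucket.
 *
 * Returns 0 on success, or the negative gnutls error code from
 * gnutls_x509_crt_get_raw_issuer_dn() on failure. */
static int
trust_list_issuer_bucket(gnutls_x509_trust_list_t list,
                         gnutls_x509_crt_t cert, uint32_t *bucket)
{
    gnutls_datum_t dn;
    int ret;

    ret = gnutls_x509_crt_get_raw_issuer_dn(cert, &dn);
    if (ret < 0) {
        gnutls_assert();
        return ret;
    }

    /* list->size is the modulus; it must be non-zero here (presumably
     * guaranteed by trust list initialisation -- TODO confirm). */
    *bucket = _gnutls_bhash(dn.data, dn.size, INIT_HASH) % list->size;
    _gnutls_free_datum(&dn);

    return 0;
}

/**
 * gnutls_x509_trust_list_verify_crt:
 * @list: The structure of the list
 * @cert_list: is the certificate list to be verified
 * @cert_list_size: is the certificate list size
 * @flags: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.
 * @verify: will hold the certificate verification output.
 * @func: If non-null will be called on each chain element verification with the output.
 *
 * This function will try to verify the given certificate and return
 * its status.  The chain is first verified against the trusted CAs in
 * the bucket selected by the issuer DN of its last element; if that
 * succeeds and %GNUTLS_VERIFY_DISABLE_CRL_CHECKS is not set, each
 * element is then checked against the CRLs of its issuer's bucket and
 * the first revoked element sets %GNUTLS_CERT_REVOKED and
 * %GNUTLS_CERT_INVALID in @verify.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 * negative error value.
 *
 * Since: 3.0.0
 **/
int
gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list,
                                  gnutls_x509_crt_t * cert_list,
                                  unsigned int cert_list_size,
                                  unsigned int flags,
                                  unsigned int *verify,
                                  gnutls_verify_output_function func)
{
    int ret;
    unsigned int i;             /* unsigned: compared against cert_list_size */
    uint32_t hash;

    if (cert_list == NULL || cert_list_size < 1)
        return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

    /* NOTE(review): shorten_clist's result is stored in an unsigned
     * variable, so a negative return (if it can produce one) would not
     * be caught by the zero check below -- confirm against its
     * definition. */
    cert_list_size = shorten_clist(list, cert_list, cert_list_size);
    if (cert_list_size == 0)
        return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);

    /* The trusted CAs (and CRLs) are looked up by the issuer of the
     * last chain element. */
    ret = trust_list_issuer_bucket(list, cert_list[cert_list_size - 1],
                                   &hash);
    if (ret < 0)
        return ret;

    *verify = _gnutls_x509_verify_certificate(cert_list, cert_list_size,
                                              list->node[hash].trusted_cas,
                                              list->node[hash].
                                              trusted_ca_size, flags, func);

    /* An already-failed chain needs no CRL work; the caller may also
     * have opted out of CRL checks entirely. */
    if (*verify != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS))
        return 0;

    /* Check revocation of individual certificates.
     * Start with the last one, whose bucket hash we already have. */
    ret = _gnutls_x509_crt_check_revocation(cert_list[cert_list_size - 1],
                                            list->node[hash].crls,
                                            list->node[hash].crl_size,
                                            func);
    if (ret == 1) {             /* revoked */
        *verify |= GNUTLS_CERT_REVOKED;
        *verify |= GNUTLS_CERT_INVALID;
        return 0;
    }

    for (i = 0; i < cert_list_size - 1; i++) {
        ret = trust_list_issuer_bucket(list, cert_list[i], &hash);
        if (ret < 0)
            return ret;

        ret = _gnutls_x509_crt_check_revocation(cert_list[i],
                                                list->node[hash].crls,
                                                list->node[hash].crl_size,
                                                func);
        if (ret == 1) {         /* revoked */
            *verify |= GNUTLS_CERT_REVOKED;
            *verify |= GNUTLS_CERT_INVALID;
            return 0;
        }
        /* NOTE(review): a negative ret from the revocation check is not
         * reported, so a certificate whose CRL could not be processed
         * is treated as not revoked. */
    }

    return 0;
}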