/**
* gnutls_x509_crt_verify:
* @cert: is the certificate to be verified
* @CA_list: is one certificate that is considered to be trusted one
* @CA_list_length: holds the number of CA certificate in CA_list
* @flags: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.
* @verify: will hold the certificate verification output.
*
* This function will try to verify the given certificate and return
* its status.
*
* Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
* negative error value.
**/
int
gnutls_x509_crt_verify (gnutls_x509_crt_t cert,
const gnutls_x509_crt_t * CA_list,
int CA_list_length, unsigned int flags,
unsigned int *verify)
{
/* Verify certificate
*/
*verify =
_gnutls_x509_verify_certificate (&cert, 1,
CA_list, CA_list_length, NULL, 0, flags);
return 0;
}
/**
* gnutls_x509_crt_list_verify:
* @cert_list: is the certificate list to be verified
* @cert_list_length: holds the number of certificate in cert_list
* @CA_list: is the CA list which will be used in verification
* @CA_list_length: holds the number of CA certificate in CA_list
* @CRL_list: holds a list of CRLs.
* @CRL_list_length: the length of CRL list.
* @flags: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.
* @verify: will hold the certificate verification output.
*
* This function will try to verify the given certificate list and
* return its status. If no flags are specified (0), this function
* will use the basicConstraints (2.5.29.19) PKIX extension. This
* means that only a certificate authority is allowed to sign a
* certificate.
*
* You must also check the peer's name in order to check if the verified
* certificate belongs to the actual peer.
*
* The certificate verification output will be put in @verify and will
* be one or more of the gnutls_certificate_status_t enumerated
* elements bitwise or'd. For a more detailed verification status use
* gnutls_x509_crt_verify() per list element.
*
* GNUTLS_CERT_INVALID: the certificate chain is not valid.
*
* GNUTLS_CERT_REVOKED: a certificate in the chain has been revoked.
*
* Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
* negative error value.
**/
int
gnutls_x509_crt_list_verify (const gnutls_x509_crt_t * cert_list,
int cert_list_length,
const gnutls_x509_crt_t * CA_list,
int CA_list_length,
const gnutls_x509_crl_t * CRL_list,
int CRL_list_length, unsigned int flags,
unsigned int *verify)
{
if (cert_list == NULL || cert_list_length == 0)
return GNUTLS_E_NO_CERTIFICATE_FOUND;
/* Verify certificate
*/
*verify =
_gnutls_x509_verify_certificate (cert_list, cert_list_length,
CA_list, CA_list_length, CRL_list,
CRL_list_length, flags);
return 0;
}
/**
* gnutls_x509_crt_list_verify:
* @cert_list: is the certificate list to be verified
* @cert_list_length: holds the number of certificate in cert_list
* @CA_list: is the CA list which will be used in verification
* @CA_list_length: holds the number of CA certificate in CA_list
* @CRL_list: holds a list of CRLs.
* @CRL_list_length: the length of CRL list.
* @flags: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.
* @verify: will hold the certificate verification output.
*
* This function will try to verify the given certificate list and
* return its status. If no flags are specified (0), this function
* will use the basicConstraints (2.5.29.19) PKIX extension. This
* means that only a certificate authority is allowed to sign a
* certificate.
*
* You must also check the peer's name in order to check if the verified
* certificate belongs to the actual peer.
*
* The certificate verification output will be put in @verify and will
* be one or more of the gnutls_certificate_status_t enumerated
* elements bitwise or'd. For a more detailed verification status use
* gnutls_x509_crt_verify() per list element.
*
* GNUTLS_CERT_INVALID: the certificate chain is not valid.
*
* GNUTLS_CERT_REVOKED: a certificate in the chain has been revoked.
*
* Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
* negative error value.
**/
int
gnutls_x509_crt_list_verify (const gnutls_x509_crt_t * cert_list,
int cert_list_length,
const gnutls_x509_crt_t * CA_list,
int CA_list_length,
const gnutls_x509_crl_t * CRL_list,
int CRL_list_length, unsigned int flags,
unsigned int *verify)
{
int i, ret;
if (cert_list == NULL || cert_list_length == 0)
return GNUTLS_E_NO_CERTIFICATE_FOUND;
/* Verify certificate
*/
*verify =
_gnutls_x509_verify_certificate (cert_list, cert_list_length,
CA_list, CA_list_length,
flags, NULL);
/* Check for revoked certificates in the chain.
*/
#ifdef ENABLE_PKI
for (i = 0; i < cert_list_length; i++)
{
ret = gnutls_x509_crt_check_revocation (cert_list[i],
CRL_list, CRL_list_length);
if (ret == 1)
{ /* revoked */
*verify |= GNUTLS_CERT_REVOKED;
*verify |= GNUTLS_CERT_INVALID;
}
}
#endif
return 0;
}
/**
* gnutls_x509_trust_list_verify_crt:
* @list: The structure of the list
* @cert_list: is the certificate list to be verified
* @cert_list_size: is the certificate list size
* @flags: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.
* @verify: will hold the certificate verification output.
* @func: If non-null will be called on each chain element verification with the output.
*
* This function will try to verify the given certificate and return
* its status.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*
* Since: 3.0.0
**/
int
gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list,
gnutls_x509_crt_t * cert_list,
unsigned int cert_list_size,
unsigned int flags,
unsigned int *verify,
gnutls_verify_output_function func)
{
gnutls_datum_t dn;
int ret, i;
uint32_t hash;
if (cert_list == NULL || cert_list_size < 1)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
cert_list_size = shorten_clist(list, cert_list, cert_list_size);
if (cert_list_size <= 0)
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
ret =
gnutls_x509_crt_get_raw_issuer_dn(cert_list[cert_list_size - 1],
&dn);
if (ret < 0) {
gnutls_assert();
return ret;
}
hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH);
hash %= list->size;
_gnutls_free_datum(&dn);
*verify = _gnutls_x509_verify_certificate(cert_list, cert_list_size,
list->node[hash].trusted_cas,
list->node[hash].
trusted_ca_size, flags,
func);
if (*verify != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS))
return 0;
/* Check revocation of individual certificates.
* start with the last one that we already have its hash
*/
ret = _gnutls_x509_crt_check_revocation(cert_list[cert_list_size - 1],
list->node[hash].crls,
list->node[hash].crl_size,
func);
if (ret == 1) { /* revoked */
*verify |= GNUTLS_CERT_REVOKED;
*verify |= GNUTLS_CERT_INVALID;
return 0;
}
for (i = 0; i < cert_list_size - 1; i++) {
ret = gnutls_x509_crt_get_raw_issuer_dn(cert_list[i], &dn);
if (ret < 0) {
gnutls_assert();
return ret;
}
hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH);
hash %= list->size;
_gnutls_free_datum(&dn);
ret = _gnutls_x509_crt_check_revocation(cert_list[i],
list->node[hash].crls,
list->node[hash].crl_size,
func);
if (ret == 1) { /* revoked */
*verify |= GNUTLS_CERT_REVOKED;
*verify |= GNUTLS_CERT_INVALID;
return 0;
}
}
return 0;
}
