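/**
 * gnutls_openpgp_crt_print:
 * @cert: The structure to be printed
 * @format: Indicate the format to use
 * @out: Newly allocated datum with (0) terminated string.
 *
 * This function will pretty print an OpenPGP certificate, suitable
 * for display to a human.
 *
 * %GNUTLS_CRT_PRINT_ONELINE prints a single summary line,
 * %GNUTLS_CRT_PRINT_COMPACT adds the key fingerprint on a second
 * line, and any other value prints the full certificate information.
 *
 * @out->size does not count the terminating (0) byte, so it matches
 * strlen() of the text.
 *
 * The output @out needs to be deallocated using gnutls_free().
 *
 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
 **/
int
gnutls_openpgp_crt_print(gnutls_openpgp_crt_t cert,
			 gnutls_certificate_print_formats_t format,
			 gnutls_datum_t * out)
{
	gnutls_buffer_st str;
	int ret;

	_gnutls_buffer_init(&str);

	if (format == GNUTLS_CRT_PRINT_ONELINE) {
		print_oneline(&str, cert);
	} else if (format == GNUTLS_CRT_PRINT_COMPACT) {
		print_oneline(&str, cert);

		ret = _gnutls_buffer_append_data(&str, "\n", 1);
		if (ret < 0)
			goto fail;
		print_key_fingerprint(&str, cert);
	} else {
		ret = _gnutls_buffer_append_str(&str,
						_
						("OpenPGP Certificate Information:\n"));
		if (ret < 0)
			goto fail;
		print_cert(&str, cert);
	}

	/* Terminate the text; a failed append used to go unnoticed and
	 * hand the caller an unterminated string. */
	ret = _gnutls_buffer_append_data(&str, "\0", 1);
	if (ret < 0)
		goto fail;

	/* NOTE(review): assumes the buffer still owns its storage when
	 * _gnutls_buffer_to_datum() fails -- confirm against its definition. */
	ret = _gnutls_buffer_to_datum(&str, out);
	if (ret < 0)
		goto fail;

	/* Report the length without the terminator appended above. */
	if (out->size > 0)
		out->size--;

	return ret;

 fail:
	_gnutls_buffer_clear(&str);
	return ret;
}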
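/**
 * gnutls_openpgp_crt_print:
 * @cert: The structure to be printed
 * @format: Indicate the format to use
 * @out: Newly allocated datum with zero terminated string.
 *
 * This function will pretty print an OpenPGP certificate, suitable
 * for display to a human.
 *
 * %GNUTLS_CRT_PRINT_ONELINE prints a single summary line; any other
 * value prints the full certificate information.
 *
 * @out->size is the strlen() of the text, i.e. without the terminator.
 *
 * The output @out needs to be deallocated using gnutls_free().
 *
 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
 **/
int
gnutls_openpgp_crt_print (gnutls_openpgp_crt_t cert,
                          gnutls_certificate_print_formats_t format,
                          gnutls_datum_t * out)
{
  gnutls_buffer_st str;
  int ret;

  _gnutls_buffer_init (&str);

  if (format == GNUTLS_CRT_PRINT_ONELINE)
    print_oneline (&str, cert);
  else
    {
      ret = _gnutls_buffer_append_str (&str,
                                       _("OpenPGP Certificate Information:\n"));
      if (ret < 0)
        goto fail;
      print_cert (&str, cert);
    }

  /* A failed terminator append used to be ignored, leaving strlen()
   * below to run over whatever the buffer held (possibly NULL). */
  ret = _gnutls_buffer_append_data (&str, "\0", 1);
  if (ret < 0)
    goto fail;

  /* Ownership of the buffer storage moves to @out. */
  out->data = str.data;
  out->size = strlen (str.data);

  return 0;

fail:
  _gnutls_buffer_clear (&str);
  return ret;
}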
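/*
 * Evaluate a leaf + WWDR intermediate chain against the
 * iPhoneProfileApplicationSigning policy at a fixed verify date, and
 * check that SecTrustCopyProperties() yields nothing before evaluation.
 */
static void tests(void)
{
    /* Every reference starts NULL: a failed create is then released as a
     * no-op instead of passing an uninitialized pointer around. */
    SecTrustRef trust = NULL;
    SecCertificateRef leaf = NULL, wwdr_intermediate = NULL;
    SecPolicyRef policy = NULL;
    CFArrayRef certs = NULL;
    CFArrayRef properties = NULL;
    CFDateRef verifyDate = NULL;
    SecTrustResultType trustResult = kSecTrustResultInvalid;

    isnt(wwdr_intermediate = SecCertificateCreateWithBytes(kCFAllocatorDefault,
        wwdr_intermediate_cert, sizeof(wwdr_intermediate_cert)), NULL, "create WWDR intermediate");
    isnt(leaf = SecCertificateCreateWithBytes(kCFAllocatorDefault,
        codesigning_certificate, sizeof(codesigning_certificate)), NULL, "create leaf");

    /* NULL callbacks: the array does not retain its elements, the locals
     * above keep them alive until the end of this function. */
    const void *vcerts[] = { leaf, wwdr_intermediate };
    certs = CFArrayCreate(kCFAllocatorDefault, vcerts, 2, NULL);

    isnt(policy = SecPolicyCreateiPhoneProfileApplicationSigning(), NULL,
        "create iPhoneProfileApplicationSigning policy instance");
    ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust for leaf");

    /* Fixed CFAbsoluteTime so the result does not depend on the wall clock. */
    verifyDate = CFDateCreate(kCFAllocatorDefault, 228244066);
    ok_status(SecTrustSetVerifyDate(trust, verifyDate), "set verify date");
    CFReleaseNull(verifyDate);

    properties = SecTrustCopyProperties(trust);
    is(properties, NULL, "no properties returned before eval");
    CFReleaseNull(properties);

    ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
    is_status(trustResult, kSecTrustResultUnspecified, "trust is kSecTrustResultUnspecified");

    properties = SecTrustCopyProperties(trust);
    if (properties) {
        print_plist(properties);
        print_cert(leaf, true);
        print_cert(wwdr_intermediate, false);
    }

    /* Release the array before the certificates it points at; trust is
     * released exactly once (the original had a second, redundant release). */
    CFReleaseNull(properties);
    CFReleaseNull(trust);
    CFReleaseNull(certs);
    CFReleaseNull(wwdr_intermediate);
    CFReleaseNull(leaf);
    CFReleaseNull(policy);
}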
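/*
 * Get SSL/TLS certificate check it, maybe ask user about it and act
 * accordingly.
 *
 * Returns 0 when the certificate is accepted (already known, or newly
 * written after the user agreed) and -1 on failure.  The reference
 * obtained from SSL_get_peer_certificate() is released on every path.
 */
int
get_cert(session *ssn)
{
	X509 *cert;
	unsigned char md[EVP_MAX_MD_SIZE];
	unsigned int mdlen = 0;

	if (!(cert = SSL_get_peer_certificate(ssn->sslconn)))
		return -1;

	/*
	 * Fingerprint that check_cert() compares with the stored one.
	 * NOTE(review): MD5 is collision-prone; switching the digest would
	 * invalidate fingerprints already stored, so it is left unchanged.
	 */
	if (!(X509_digest(cert, EVP_md5(), md, &mdlen)))
		goto fail;	/* used to return -1 and leak cert */

	switch (check_cert(cert, md, &mdlen)) {
	case 0:		/* not stored yet: show it and let the user decide */
		if (isatty(STDIN_FILENO) == 0)
			fatal(ERROR_CERTIFICATE, "%s\n",
			    "can't accept certificate in non-interactive mode");
		print_cert(cert, md, &mdlen);
		if (write_cert(cert) == -1)
			goto fail;
		break;
	case -1:	/* stored fingerprint differs from the presented one */
		if (isatty(STDIN_FILENO) == 0)
			fatal(ERROR_CERTIFICATE, "%s\n",
			    "certificate mismatch in non-interactive mode");
		print_cert(cert, md, &mdlen);
		if (mismatch_cert() == -1)
			goto fail;
		break;
	default:	/* presumably a match: nothing to do */
		break;
	}

	X509_free(cert);

	return 0;

fail:
	X509_free(cert);

	return -1;
}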
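/*
 * Get SSL/TLS certificate check it, maybe ask user about it and act
 * accordingly.
 *
 * A certificate that verified against the CA store is accepted as is.
 * A self-signed one, or one whose issuer is not available locally, is
 * accepted only through the stored-fingerprint check (and the user's
 * consent the first time).  Every other verification result is an error.
 *
 * Returns 0 when accepted and -1 on failure.  The reference obtained
 * from SSL_get_peer_certificate() is released on every path.
 */
int
get_cert(session *ssn)
{
	X509 *cert;
	unsigned char md[EVP_MAX_MD_SIZE];
	unsigned int mdlen = 0;
	long verify;

	if (!(cert = SSL_get_peer_certificate(ssn->sslconn)))
		return -1;

	verify = SSL_get_verify_result(ssn->sslconn);
	if (!((verify == X509_V_OK) ||
	    (verify == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ||
	    (verify == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY))) {
		/* verify is a long, so %ld (the previous %d was a mismatch). */
		error("certificate verification failed; %ld\n", verify);
		goto fail;
	}

	if (verify != X509_V_OK) {
		/*
		 * Fingerprint that check_cert() compares with the stored one.
		 * NOTE(review): MD5 is collision-prone; switching the digest
		 * would invalidate stored fingerprints, so it is left unchanged.
		 */
		if (!(X509_digest(cert, EVP_md5(), md, &mdlen)))
			goto fail;	/* used to return -1 and leak cert */

		switch (check_cert(cert, md, &mdlen)) {
		case 0:		/* not stored yet: show it, ask, then store */
			if (isatty(STDIN_FILENO) == 0)
				fatal(ERROR_CERTIFICATE, "%s\n",
				    "can't accept certificate in "
				    "non-interactive mode");
			print_cert(cert, md, &mdlen);
			if (store_cert(cert) == -1)
				goto fail;
			break;
		case -1:	/* stored fingerprint differs: never accept */
			error("certificate mismatch occured\n");
			goto fail;
		default:	/* presumably a match: nothing to do */
			break;
		}
	}

	X509_free(cert);

	return 0;

fail:
	X509_free(cert);

	return -1;
}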
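/*
 * Print every certificate in peerCerts between banner lines.
 * A NULL array prints nothing; verbose is passed through to print_cert().
 */
static void showPeerCerts(
	CFArrayRef			peerCerts,
	bool			verbose)
{
	if (peerCerts == NULL) {
		return;
	}
	CFIndex numCerts = CFArrayGetCount(peerCerts);
	for (CFIndex i = 0; i < numCerts; i++) {
		SecCertificateRef certRef =
		    (SecCertificateRef)CFArrayGetValueAtIndex(peerCerts, i);
		/* CFIndex is signed: %ld with an explicit cast instead of %lu. */
		printf("\n================== Server Cert %ld ===================\n\n", (long)i);
		print_cert(certRef, verbose);
		printf("\n=============== End of Server Cert %ld ===============\n", (long)i);
	}
}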
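/*
 * Ask the user a yes/no question through an OpenSSL UI.  prompt is the
 * question; answer receives the chosen character ('y' or 'n').
 * Returns 0 on success and -1 on failure (already logged).
 */
static int
ask_yes_no(const char *prompt, char *answer)
{
	UI		*ui;

	if ((ui = UI_new()) == NULL) {
		log_msg(LOG_MSG_ERR, MSG_MEM);
		return (-1);
	}

	/*
	 * The prompt is internationalized, but the valid
	 * response values are fixed, to avoid any complex
	 * multibyte processing that results in bugs
	 */
	if (UI_add_input_boolean(ui, prompt, "", "yY", "nN",
	    UI_INPUT_FLAG_ECHO, answer) <= 0) {
		log_msg(LOG_MSG_ERR, MSG_MEM);
		UI_free(ui);
		return (-1);
	}

	if (UI_process(ui) != 0) {
		log_msg(LOG_MSG_ERR, MSG_MEM);
		UI_free(ui);
		return (-1);
	}

	UI_free(ui);
	return (0);
}

/*
 * Asks user to verify certificate data before proceeding.
 * Returns Accept when every prompt is answered 'y', Reject when a
 * prompt is declined, and VerifyFailed when the certificate cannot be
 * printed or a prompt cannot be shown.
 */
static VerifyStatus verify_trust(X509 *cert)
{
	char		vfy_trust = 'y';
	VerifyStatus	ret = Accept;
	PKG_ERR		*err;

	if ((err = pkgerr_new()) == NULL) {
		log_msg(LOG_MSG_ERR, MSG_MEM);
		return (VerifyFailed);
	}

	/* print cert data */
	if (print_cert(err, cert, KEYSTORE_FORMAT_TEXT,
	    get_subject_display_name(cert), B_TRUE, stdout) != 0) {
		log_pkgerr(LOG_MSG_ERR, err);
		ret = VerifyFailed;
		goto cleanup;
	}

	if (ask_yes_no(MSG_VERIFY_TRUST, &vfy_trust) != 0) {
		ret = VerifyFailed;
		goto cleanup;
	}

	if (vfy_trust != 'y') {
		ret = Reject;
		goto cleanup;
	}

	/*
	 * if the cert does not appear to be a CA cert
	 * or is not self-signed, verify that as well
	 */
	if (!is_ca_cert(cert)) {
		if (ask_yes_no(MSG_VERIFY_NOT_CA, &vfy_trust) != 0) {
			ret = VerifyFailed;
			goto cleanup;
		}

		if (vfy_trust != 'y') {
			ret = Reject;
			goto cleanup;
		}
	}

cleanup:
	pkgerr_free(err);

	return (ret);
}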