示例#1
0
static int verify_last(gnutls_x509_crt_t crt,
                       gnutls_x509_crt_t *ca_list,
                       size_t ca_list_size,
                       crypto_error **error)
{
    unsigned int output;
    time_t now = time (0);

    if (gnutls_x509_crt_verify (crt, ca_list, ca_list_size,
                                GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
                                &output) < 0) {
        crypto_error_set(error, 1, 0, "failed to verify against CA list");
        return 1;
    }

    if (output & GNUTLS_CERT_INVALID) {
        if (output & GNUTLS_CERT_SIGNER_NOT_CA) {
            crypto_error_set(error, 1, 0, "certificate signer not a CA");
            return 1;
        }
    }

    if (gnutls_x509_crt_get_activation_time(crt) > now) {
        crypto_error_set(error, 1, 0, "certificate activation in the future");
        return 1;
    }

    if (gnutls_x509_crt_get_expiration_time(crt) < now) {
        crypto_error_set(error, 1, 0, "certificate expired");
        return 1;
    }

    return 0;
}
示例#2
0
static int verify_issuer(gnutls_x509_crt_t crt,
                         gnutls_x509_crt_t issuer,
                         crypto_error **error)
{
    unsigned int output;
    time_t now = time (0);

    if (gnutls_x509_crt_verify(crt, &issuer, 1, 0, &output) < 0) {
        crypto_error_set(error, 1, 0, "failed to verify against issuer");
        return 1;
    }

    if (output & GNUTLS_CERT_INVALID) {
        if (output & GNUTLS_CERT_SIGNER_NOT_FOUND) {
            crypto_error_set(error, 1, 0, "certificate signer not found");
            return 1;
        }
        if (output & GNUTLS_CERT_SIGNER_NOT_CA) {
            crypto_error_set(error, 1, 0, "certificate signer not a CA");
            return 1;
        }
    }

    if (gnutls_x509_crt_get_activation_time(crt) > now) {
        crypto_error_set(error, 1, 0, "certificate activation in the future");
        return 1;
    }

    if (gnutls_x509_crt_get_expiration_time(crt) < now) {
        crypto_error_set(error, 1, 0, "certificate expired");
        return 1;
    }

    return 0;
}
示例#3
0
文件: gnutls.c 项目: tenchman/FreeRDP 
RD_BOOL
crypto_cert_verify(CryptoCert server_cert, CryptoCert cacert)
{
	/* FIXME: check more here ... */
	unsigned int verify;	/* What is this? */
	return gnutls_x509_crt_check_issuer(server_cert->cert,cacert->cert) &&
			gnutls_x509_crt_verify(server_cert->cert, &cacert->cert, 1, 0, &verify) == GNUTLS_E_SUCCESS;
}
示例#4
0
/* Verifies a certificate against our trusted CA list.
 * Also checks the crl_list if the certificate is revoked.
 */
static void
verify_last_cert (gnutls_x509_crt_t crt,
		  gnutls_x509_crt_t * ca_list, int ca_list_size,
		  gnutls_x509_crl_t * crl_list, int crl_list_size)
{
  unsigned int output;
  int ret;
  time_t now = time (0);
  size_t name_size;
  char name[64];

  /* Print information about the certificates to
   * be checked.
   */
  name_size = sizeof (name);
  gnutls_x509_crt_get_dn (crt, name, &name_size);

  fprintf (stderr, "\nCertificate: %s\n", name);

  name_size = sizeof (name);
  gnutls_x509_crt_get_issuer_dn (crt, name, &name_size);

  fprintf (stderr, "Issued by: %s\n", name);

  /* Do the actual verification.
   */
  gnutls_x509_crt_verify (crt, ca_list, ca_list_size,
			  GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, &output);

  if (output & GNUTLS_CERT_INVALID)
    {
      fprintf (stderr, "Not trusted");

      if (output & GNUTLS_CERT_SIGNER_NOT_CA)
	fprintf (stderr, ": Issuer is not a CA\n");
      else
	fprintf (stderr, "\n");
    }
  else
    fprintf (stderr, "Trusted\n");


  /* Now check the expiration dates.
   */
  if (gnutls_x509_crt_get_activation_time (crt) > now)
    fprintf (stderr, "Not yet activated\n");

  if (gnutls_x509_crt_get_expiration_time (crt) < now)
    fprintf (stderr, "Expired\n");

  /* Check if the certificate is revoked.
   */
  ret = gnutls_x509_crt_check_revocation (crt, crl_list, crl_list_size);
  if (ret == 1)
    {				/* revoked */
      fprintf (stderr, "Revoked\n");
    }
}
示例#5
0
bool X509Certificate::verify(ref <const X509Certificate> caCert) const
{
	unsigned int verify = 0;

	const int res = gnutls_x509_crt_verify
		(m_data->cert, &(caCert->m_data->cert), 1,
		 GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
		 &verify);

	return (res == 0 && verify == 0);
}
示例#6
0
static gboolean verify_certificate(HevImpathyTLSVerifier *self,
			gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
			TpTLSCertificateRejectReason *reason)
{
	guint verify_output = 0;
	gint res = 0;

	g_debug("%s:%d[%s]", __FILE__, __LINE__, __FUNCTION__);

	res = gnutls_x509_crt_verify(cert, &issuer, 1, 0, &verify_output);

	return verification_output_to_reason(res, verify_output, reason);
}
示例#7
0
bool X509Certificate_GnuTLS::verify(shared_ptr <const X509Certificate> caCert_) const
{
	shared_ptr <const X509Certificate_GnuTLS> caCert =
		dynamicCast <const X509Certificate_GnuTLS>(caCert_);

	unsigned int verify = 0;

	const int res = gnutls_x509_crt_verify
		(m_data->cert, &(caCert->m_data->cert), 1,
		 GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
		 &verify);

	return (res == 0 && verify == 0);
}
示例#8
0
static gboolean verify_last_certificate(HevImpathyTLSVerifier *self,
			gnutls_x509_crt_t cert, TpTLSCertificateRejectReason *reason)
{
	guint verify_output = 0;
	gint res = 0;
	gnutls_x509_crt_t *trusted_ca_list = NULL;
	HevImpathyTLSVerifierPrivate *priv =
		HEV_IMPATHY_TLS_VERIFIER_GET_PRIVATE(self);

	g_debug("%s:%d[%s]", __FILE__, __LINE__, __FUNCTION__);

	if(0 < priv->trusted_ca_list->len)
	{
		trusted_ca_list = ptr_array_to_x509_crt_list(priv->trusted_ca_list);
		res = gnutls_x509_crt_verify(cert, trusted_ca_list,
					priv->trusted_ca_list->len, 0, &verify_output);

		g_free(trusted_ca_list);
	}
	else
	{
		/* check it against itself to see if it's structurally valid */
		res = gnutls_x509_crt_verify(cert, &cert, 1, 0, &verify_output);

		/* if it's valid, return the SelfSigned error, so that we can add it
		* later to our trusted CAs whitelist.
		*/
		if(GNUTLS_E_SUCCESS == res)
		{
			*reason = TP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED;
			return FALSE;
		}
	}

	return verification_output_to_reason (res, verify_output, reason);
}
示例#9
0
/** Determines whether one certificate has been issued and signed by another
 *
 * @param crt       Certificate to check the signature of
 * @param issuer    Issuer's certificate
 *
 * @return TRUE if crt was signed and issued by issuer, otherwise FALSE
 * @TODO  Modify this function to return a reason for invalidity?
 */
static gboolean
x509_certificate_signed_by(PurpleCertificate * crt,
			   PurpleCertificate * issuer)
{
	gnutls_x509_crt_t crt_dat;
	gnutls_x509_crt_t issuer_dat;
	unsigned int verify; /* used to store result from GnuTLS verifier */
	int ret;
	gchar *crt_id = NULL;
	gchar *issuer_id = NULL;

	g_return_val_if_fail(crt, FALSE);
	g_return_val_if_fail(issuer, FALSE);

	/* Verify that both certs are the correct scheme */
	g_return_val_if_fail(crt->scheme == &x509_gnutls, FALSE);
	g_return_val_if_fail(issuer->scheme == &x509_gnutls, FALSE);

	/* TODO: check for more nullness? */

	crt_dat = X509_GET_GNUTLS_DATA(crt);
	issuer_dat = X509_GET_GNUTLS_DATA(issuer);

	/* Ensure crt issuer matches the name on the issuer cert. */
	ret = gnutls_x509_crt_check_issuer(crt_dat, issuer_dat);
	if (ret <= 0) {

		if (ret < 0) {
			purple_debug_error("gnutls/x509",
					   "GnuTLS error %d while checking certificate issuer match.",
					   ret);
		} else {
			gchar *crt_id, *issuer_id, *crt_issuer_id;
			crt_id = purple_certificate_get_unique_id(crt);
			issuer_id = purple_certificate_get_unique_id(issuer);
			crt_issuer_id =
				purple_certificate_get_issuer_unique_id(crt);
			purple_debug_info("gnutls/x509",
					  "Certificate %s is issued by "
					  "%s, which does not match %s.\n",
					  crt_id ? crt_id : "(null)",
					  crt_issuer_id ? crt_issuer_id : "(null)",
					  issuer_id ? issuer_id : "(null)");
			g_free(crt_id);
			g_free(issuer_id);
			g_free(crt_issuer_id);
		}

		/* The issuer is not correct, or there were errors */
		return FALSE;
	}

	/* Check basic constraints extension (if it exists then the CA flag must
	   be set to true, and it must exist for certs with version 3 or higher. */
	ret = gnutls_x509_crt_get_basic_constraints(issuer_dat, NULL, NULL, NULL);
	if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
		if (gnutls_x509_crt_get_version(issuer_dat) >= 3) {
			/* Reject cert (no basic constraints and cert version is >= 3). */
			gchar *issuer_id = purple_certificate_get_unique_id(issuer);
			purple_debug_info("gnutls/x509", "Rejecting cert because the "
					"basic constraints extension is missing from issuer cert "
					"for %s. The basic constraints extension is required on "
					"all version 3 or higher certs (this cert is version %d).",
					issuer_id ? issuer_id : "(null)",
					gnutls_x509_crt_get_version(issuer_dat));
			g_free(issuer_id);
			return FALSE;
		} else {
			/* Allow cert (no basic constraints and cert version is < 3). */
			purple_debug_info("gnutls/x509", "Basic constraint extension is "
					"missing from issuer cert for %s. Allowing this because "
					"the cert is version %d and the basic constraints "
					"extension is only required for version 3 or higher "
					"certs.", issuer_id ? issuer_id : "(null)",
					gnutls_x509_crt_get_version(issuer_dat));
		}
	} else if (ret <= 0) {
		/* Reject cert (CA flag is false in basic constraints). */
		gchar *issuer_id = purple_certificate_get_unique_id(issuer);
		purple_debug_info("gnutls/x509", "Rejecting cert because the CA flag "
				"is set to false in the basic constraints extension for "
				"issuer cert %s. ret=%d\n",
				issuer_id ? issuer_id : "(null)", ret);
		g_free(issuer_id);
		return FALSE;
	}

	/* Now, check the signature */
	/* The second argument is a ptr to an array of "trusted" issuer certs,
	   but we're only using one trusted one */
	ret = gnutls_x509_crt_verify(crt_dat, &issuer_dat, 1,
				     /* Permit signings by X.509v1 certs
					(Verisign and possibly others have
					root certificates that predate the
					current standard) */
				     GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
				     &verify);

	if (ret != 0) {
		purple_debug_error("gnutls/x509",
				   "Attempted certificate verification caused a GnuTLS error code %d. I will just say the signature is bad, but you should look into this.\n", ret);
		return FALSE;
	}

#ifdef HAVE_GNUTLS_CERT_INSECURE_ALGORITHM
	if (verify & GNUTLS_CERT_INSECURE_ALGORITHM) {
		/*
		 * A certificate in the chain is signed with an insecure
		 * algorithm. Put a warning into the log to make this error
		 * perfectly clear as soon as someone looks at the debug log is
		 * generated.
		 */
		crt_id = purple_certificate_get_unique_id(crt);
		issuer_id = purple_certificate_get_issuer_unique_id(crt);
		purple_debug_warning("gnutls/x509",
				"Insecure hash algorithm used by %s to sign %s\n",
				issuer_id, crt_id);
	}
#endif

	if (verify & GNUTLS_CERT_INVALID) {
		/* Signature didn't check out, but at least
		   there were no errors*/
		if (!crt_id)
			crt_id = purple_certificate_get_unique_id(crt);
		if (!issuer_id)
			issuer_id = purple_certificate_get_issuer_unique_id(crt);
		purple_debug_error("gnutls/x509",
				  "Bad signature from %s on %s\n",
				  issuer_id, crt_id);
		g_free(crt_id);
		g_free(issuer_id);

		return FALSE;
	} /* if (ret, etc.) */

	/* If we got here, the signature is good */
	return TRUE;
}
示例#10
0
/** Determines whether one certificate has been issued and signed by another
 *
 * @param crt       Certificate to check the signature of
 * @param issuer    Issuer's certificate
 *
 * @return TRUE if crt was signed and issued by issuer, otherwise FALSE
 * @TODO  Modify this function to return a reason for invalidity?
 */
static gboolean
x509_certificate_signed_by(PurpleCertificate * crt,
			   PurpleCertificate * issuer)
{
	gnutls_x509_crt crt_dat;
	gnutls_x509_crt issuer_dat;
	unsigned int verify; /* used to store result from GnuTLS verifier */
	int ret;
	gchar *crt_id = NULL;
	gchar *issuer_id = NULL;

	g_return_val_if_fail(crt, FALSE);
	g_return_val_if_fail(issuer, FALSE);

	/* Verify that both certs are the correct scheme */
	g_return_val_if_fail(crt->scheme == &x509_gnutls, FALSE);
	g_return_val_if_fail(issuer->scheme == &x509_gnutls, FALSE);

	/* TODO: check for more nullness? */

	crt_dat = X509_GET_GNUTLS_DATA(crt);
	issuer_dat = X509_GET_GNUTLS_DATA(issuer);

	/* First, let's check that crt.issuer is actually issuer */
	ret = gnutls_x509_crt_check_issuer(crt_dat, issuer_dat);
	if (ret <= 0) {

		if (ret < 0) {
			purple_debug_error("gnutls/x509",
					   "GnuTLS error %d while checking certificate issuer match.",
					   ret);
		} else {
			gchar *crt_id, *issuer_id, *crt_issuer_id;
			crt_id = purple_certificate_get_unique_id(crt);
			issuer_id = purple_certificate_get_unique_id(issuer);
			crt_issuer_id =
				purple_certificate_get_issuer_unique_id(crt);
			purple_debug_info("gnutls/x509",
					  "Certificate %s is issued by "
					  "%s, which does not match %s.\n",
					  crt_id ? crt_id : "(null)",
					  crt_issuer_id ? crt_issuer_id : "(null)",
					  issuer_id ? issuer_id : "(null)");
			g_free(crt_id);
			g_free(issuer_id);
			g_free(crt_issuer_id);
		}

		/* The issuer is not correct, or there were errors */
		return FALSE;
	}

	/* Now, check the signature */
	/* The second argument is a ptr to an array of "trusted" issuer certs,
	   but we're only using one trusted one */
	ret = gnutls_x509_crt_verify(crt_dat, &issuer_dat, 1,
				     /* Permit signings by X.509v1 certs
					(Verisign and possibly others have
					root certificates that predate the
					current standard) */
				     GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
				     &verify);

	if (ret != 0) {
		purple_debug_error("gnutls/x509",
				   "Attempted certificate verification caused a GnuTLS error code %d. I will just say the signature is bad, but you should look into this.\n", ret);
		return FALSE;
	}

#ifdef HAVE_GNUTLS_CERT_INSECURE_ALGORITHM
	if (verify & GNUTLS_CERT_INSECURE_ALGORITHM) {
		/*
		 * A certificate in the chain is signed with an insecure
		 * algorithm. Put a warning into the log to make this error
		 * perfectly clear as soon as someone looks at the debug log is
		 * generated.
		 */
		crt_id = purple_certificate_get_unique_id(crt);
		issuer_id = purple_certificate_get_issuer_unique_id(crt);
		purple_debug_warning("gnutls/x509",
				"Insecure hash algorithm used by %s to sign %s\n",
				issuer_id, crt_id);
	}
#endif

	if (verify & GNUTLS_CERT_INVALID) {
		/* Signature didn't check out, but at least
		   there were no errors*/
		if (!crt_id)
			crt_id = purple_certificate_get_unique_id(crt);
		if (!issuer_id)
			issuer_id = purple_certificate_get_issuer_unique_id(crt);
		purple_debug_error("gnutls/x509",
				  "Bad signature from %s on %s\n",
				  issuer_id, crt_id);
		g_free(crt_id);
		g_free(issuer_id);

		return FALSE;
	} /* if (ret, etc.) */

	/* If we got here, the signature is good */
	return TRUE;
}
示例#11
0
/* Verifies a certificate against an other certificate
 * which is supposed to be it's issuer. Also checks the
 * crl_list if the certificate is revoked.
 */
static void
verify_cert2 (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer,
	      gnutls_x509_crl_t * crl_list, int crl_list_size)
{
  unsigned int output;
  int ret;
  time_t now = time (0);
  size_t name_size;
  char name[64];

  /* Print information about the certificates to
   * be checked.
   */
  name_size = sizeof (name);
  gnutls_x509_crt_get_dn (crt, name, &name_size);

  fprintf (stderr, "\nCertificate: %s\n", name);

  name_size = sizeof (name);
  gnutls_x509_crt_get_issuer_dn (crt, name, &name_size);

  fprintf (stderr, "Issued by: %s\n", name);

  /* Get the DN of the issuer cert.
   */
  name_size = sizeof (name);
  gnutls_x509_crt_get_dn (issuer, name, &name_size);

  fprintf (stderr, "Checking against: %s\n", name);

  /* Do the actual verification.
   */
  gnutls_x509_crt_verify (crt, &issuer, 1, 0, &output);

  if (output & GNUTLS_CERT_INVALID)
    {
      fprintf (stderr, "Not trusted");

      if (output & GNUTLS_CERT_SIGNER_NOT_FOUND)
	fprintf (stderr, ": no issuer was found");
      if (output & GNUTLS_CERT_SIGNER_NOT_CA)
	fprintf (stderr, ": issuer is not a CA");

      fprintf (stderr, "\n");
    }
  else
    fprintf (stderr, "Trusted\n");


  /* Now check the expiration dates.
   */
  if (gnutls_x509_crt_get_activation_time (crt) > now)
    fprintf (stderr, "Not yet activated\n");

  if (gnutls_x509_crt_get_expiration_time (crt) < now)
    fprintf (stderr, "Expired\n");

  /* Check if the certificate is revoked.
   */
  ret = gnutls_x509_crt_check_revocation (crt, crl_list, crl_list_size);
  if (ret == 1)
    {				/* revoked */
      fprintf (stderr, "Revoked\n");
    }
}
示例#12
0
static
int
__pkcs11h_crypto_gnutls_certificate_is_issuer (
	IN void * const global_data,
	IN const unsigned char * const issuer_blob,
	IN const size_t issuer_blob_size,
	IN const unsigned char * const cert_blob,
	IN const size_t cert_blob_size
) {
	gnutls_x509_crt_t cert_issuer = NULL;
	gnutls_x509_crt_t cert_cert = NULL;
	gnutls_datum_t datum;
	PKCS11H_BOOL is_issuer = FALSE;
	unsigned int result = 0;

	(void)global_data;

	/*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/
	_PKCS11H_ASSERT (issuer_blob!=NULL);
	_PKCS11H_ASSERT (cert_blob!=NULL);

	if (gnutls_x509_crt_init (&cert_issuer) != GNUTLS_E_SUCCESS) {
		/* gnutls sets output */
		cert_issuer = NULL;
		goto cleanup;
	}
	if (gnutls_x509_crt_init (&cert_cert) != GNUTLS_E_SUCCESS) {
		/* gnutls sets output */
		cert_cert = NULL;
		goto cleanup;
	}

	datum.data = (unsigned char *)issuer_blob;
	datum.size = issuer_blob_size;

	if (
		gnutls_x509_crt_import (
			cert_issuer,
			&datum,
			GNUTLS_X509_FMT_DER
		) != GNUTLS_E_SUCCESS
	) {
		goto cleanup;
	}

	datum.data = (unsigned char *)cert_blob;
	datum.size = cert_blob_size;

	if (
		gnutls_x509_crt_import (
			cert_cert,
			&datum,
			GNUTLS_X509_FMT_DER
		) != GNUTLS_E_SUCCESS
	) {
		goto cleanup;
	}

	if (
		gnutls_x509_crt_verify (
			cert_cert,
			&cert_issuer,
			1,
			0,
			&result
		) &&
		(result & GNUTLS_CERT_INVALID) == 0
	) {
		is_issuer = TRUE;
	}

cleanup:

	if (cert_cert != NULL) {
		gnutls_x509_crt_deinit (cert_cert);
		cert_cert = NULL;
	}

	if (cert_issuer != NULL) {
		gnutls_x509_crt_deinit (cert_issuer);
		cert_issuer = NULL;
	}

	return is_issuer;
}