static int verify_last(gnutls_x509_crt_t crt, gnutls_x509_crt_t *ca_list, size_t ca_list_size, crypto_error **error) { unsigned int output; time_t now = time (0); if (gnutls_x509_crt_verify (crt, ca_list, ca_list_size, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, &output) < 0) { crypto_error_set(error, 1, 0, "failed to verify against CA list"); return 1; } if (output & GNUTLS_CERT_INVALID) { if (output & GNUTLS_CERT_SIGNER_NOT_CA) { crypto_error_set(error, 1, 0, "certificate signer not a CA"); return 1; } } if (gnutls_x509_crt_get_activation_time(crt) > now) { crypto_error_set(error, 1, 0, "certificate activation in the future"); return 1; } if (gnutls_x509_crt_get_expiration_time(crt) < now) { crypto_error_set(error, 1, 0, "certificate expired"); return 1; } return 0; }
static int verify_issuer(gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer, crypto_error **error) { unsigned int output; time_t now = time (0); if (gnutls_x509_crt_verify(crt, &issuer, 1, 0, &output) < 0) { crypto_error_set(error, 1, 0, "failed to verify against issuer"); return 1; } if (output & GNUTLS_CERT_INVALID) { if (output & GNUTLS_CERT_SIGNER_NOT_FOUND) { crypto_error_set(error, 1, 0, "certificate signer not found"); return 1; } if (output & GNUTLS_CERT_SIGNER_NOT_CA) { crypto_error_set(error, 1, 0, "certificate signer not a CA"); return 1; } } if (gnutls_x509_crt_get_activation_time(crt) > now) { crypto_error_set(error, 1, 0, "certificate activation in the future"); return 1; } if (gnutls_x509_crt_get_expiration_time(crt) < now) { crypto_error_set(error, 1, 0, "certificate expired"); return 1; } return 0; }
RD_BOOL crypto_cert_verify(CryptoCert server_cert, CryptoCert cacert) { /* FIXME: check more here ... */ unsigned int verify; /* What is this? */ return gnutls_x509_crt_check_issuer(server_cert->cert,cacert->cert) && gnutls_x509_crt_verify(server_cert->cert, &cacert->cert, 1, 0, &verify) == GNUTLS_E_SUCCESS; }
/* Verifies a certificate against our trusted CA list. * Also checks the crl_list if the certificate is revoked. */ static void verify_last_cert (gnutls_x509_crt_t crt, gnutls_x509_crt_t * ca_list, int ca_list_size, gnutls_x509_crl_t * crl_list, int crl_list_size) { unsigned int output; int ret; time_t now = time (0); size_t name_size; char name[64]; /* Print information about the certificates to * be checked. */ name_size = sizeof (name); gnutls_x509_crt_get_dn (crt, name, &name_size); fprintf (stderr, "\nCertificate: %s\n", name); name_size = sizeof (name); gnutls_x509_crt_get_issuer_dn (crt, name, &name_size); fprintf (stderr, "Issued by: %s\n", name); /* Do the actual verification. */ gnutls_x509_crt_verify (crt, ca_list, ca_list_size, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, &output); if (output & GNUTLS_CERT_INVALID) { fprintf (stderr, "Not trusted"); if (output & GNUTLS_CERT_SIGNER_NOT_CA) fprintf (stderr, ": Issuer is not a CA\n"); else fprintf (stderr, "\n"); } else fprintf (stderr, "Trusted\n"); /* Now check the expiration dates. */ if (gnutls_x509_crt_get_activation_time (crt) > now) fprintf (stderr, "Not yet activated\n"); if (gnutls_x509_crt_get_expiration_time (crt) < now) fprintf (stderr, "Expired\n"); /* Check if the certificate is revoked. */ ret = gnutls_x509_crt_check_revocation (crt, crl_list, crl_list_size); if (ret == 1) { /* revoked */ fprintf (stderr, "Revoked\n"); } }
bool X509Certificate::verify(ref <const X509Certificate> caCert) const { unsigned int verify = 0; const int res = gnutls_x509_crt_verify (m_data->cert, &(caCert->m_data->cert), 1, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, &verify); return (res == 0 && verify == 0); }
static gboolean verify_certificate(HevImpathyTLSVerifier *self, gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer, TpTLSCertificateRejectReason *reason) { guint verify_output = 0; gint res = 0; g_debug("%s:%d[%s]", __FILE__, __LINE__, __FUNCTION__); res = gnutls_x509_crt_verify(cert, &issuer, 1, 0, &verify_output); return verification_output_to_reason(res, verify_output, reason); }
bool X509Certificate_GnuTLS::verify(shared_ptr <const X509Certificate> caCert_) const { shared_ptr <const X509Certificate_GnuTLS> caCert = dynamicCast <const X509Certificate_GnuTLS>(caCert_); unsigned int verify = 0; const int res = gnutls_x509_crt_verify (m_data->cert, &(caCert->m_data->cert), 1, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, &verify); return (res == 0 && verify == 0); }
static gboolean verify_last_certificate(HevImpathyTLSVerifier *self, gnutls_x509_crt_t cert, TpTLSCertificateRejectReason *reason) { guint verify_output = 0; gint res = 0; gnutls_x509_crt_t *trusted_ca_list = NULL; HevImpathyTLSVerifierPrivate *priv = HEV_IMPATHY_TLS_VERIFIER_GET_PRIVATE(self); g_debug("%s:%d[%s]", __FILE__, __LINE__, __FUNCTION__); if(0 < priv->trusted_ca_list->len) { trusted_ca_list = ptr_array_to_x509_crt_list(priv->trusted_ca_list); res = gnutls_x509_crt_verify(cert, trusted_ca_list, priv->trusted_ca_list->len, 0, &verify_output); g_free(trusted_ca_list); } else { /* check it against itself to see if it's structurally valid */ res = gnutls_x509_crt_verify(cert, &cert, 1, 0, &verify_output); /* if it's valid, return the SelfSigned error, so that we can add it * later to our trusted CAs whitelist. */ if(GNUTLS_E_SUCCESS == res) { *reason = TP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED; return FALSE; } } return verification_output_to_reason (res, verify_output, reason); }
/** Determines whether one certificate has been issued and signed by another * * @param crt Certificate to check the signature of * @param issuer Issuer's certificate * * @return TRUE if crt was signed and issued by issuer, otherwise FALSE * @TODO Modify this function to return a reason for invalidity? */ static gboolean x509_certificate_signed_by(PurpleCertificate * crt, PurpleCertificate * issuer) { gnutls_x509_crt_t crt_dat; gnutls_x509_crt_t issuer_dat; unsigned int verify; /* used to store result from GnuTLS verifier */ int ret; gchar *crt_id = NULL; gchar *issuer_id = NULL; g_return_val_if_fail(crt, FALSE); g_return_val_if_fail(issuer, FALSE); /* Verify that both certs are the correct scheme */ g_return_val_if_fail(crt->scheme == &x509_gnutls, FALSE); g_return_val_if_fail(issuer->scheme == &x509_gnutls, FALSE); /* TODO: check for more nullness? */ crt_dat = X509_GET_GNUTLS_DATA(crt); issuer_dat = X509_GET_GNUTLS_DATA(issuer); /* Ensure crt issuer matches the name on the issuer cert. */ ret = gnutls_x509_crt_check_issuer(crt_dat, issuer_dat); if (ret <= 0) { if (ret < 0) { purple_debug_error("gnutls/x509", "GnuTLS error %d while checking certificate issuer match.", ret); } else { gchar *crt_id, *issuer_id, *crt_issuer_id; crt_id = purple_certificate_get_unique_id(crt); issuer_id = purple_certificate_get_unique_id(issuer); crt_issuer_id = purple_certificate_get_issuer_unique_id(crt); purple_debug_info("gnutls/x509", "Certificate %s is issued by " "%s, which does not match %s.\n", crt_id ? crt_id : "(null)", crt_issuer_id ? crt_issuer_id : "(null)", issuer_id ? issuer_id : "(null)"); g_free(crt_id); g_free(issuer_id); g_free(crt_issuer_id); } /* The issuer is not correct, or there were errors */ return FALSE; } /* Check basic constraints extension (if it exists then the CA flag must be set to true, and it must exist for certs with version 3 or higher. */ ret = gnutls_x509_crt_get_basic_constraints(issuer_dat, NULL, NULL, NULL); if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { if (gnutls_x509_crt_get_version(issuer_dat) >= 3) { /* Reject cert (no basic constraints and cert version is >= 3). */ gchar *issuer_id = purple_certificate_get_unique_id(issuer); purple_debug_info("gnutls/x509", "Rejecting cert because the " "basic constraints extension is missing from issuer cert " "for %s. The basic constraints extension is required on " "all version 3 or higher certs (this cert is version %d).", issuer_id ? issuer_id : "(null)", gnutls_x509_crt_get_version(issuer_dat)); g_free(issuer_id); return FALSE; } else { /* Allow cert (no basic constraints and cert version is < 3). */ purple_debug_info("gnutls/x509", "Basic constraint extension is " "missing from issuer cert for %s. Allowing this because " "the cert is version %d and the basic constraints " "extension is only required for version 3 or higher " "certs.", issuer_id ? issuer_id : "(null)", gnutls_x509_crt_get_version(issuer_dat)); } } else if (ret <= 0) { /* Reject cert (CA flag is false in basic constraints). */ gchar *issuer_id = purple_certificate_get_unique_id(issuer); purple_debug_info("gnutls/x509", "Rejecting cert because the CA flag " "is set to false in the basic constraints extension for " "issuer cert %s. ret=%d\n", issuer_id ? issuer_id : "(null)", ret); g_free(issuer_id); return FALSE; } /* Now, check the signature */ /* The second argument is a ptr to an array of "trusted" issuer certs, but we're only using one trusted one */ ret = gnutls_x509_crt_verify(crt_dat, &issuer_dat, 1, /* Permit signings by X.509v1 certs (Verisign and possibly others have root certificates that predate the current standard) */ GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, &verify); if (ret != 0) { purple_debug_error("gnutls/x509", "Attempted certificate verification caused a GnuTLS error code %d. I will just say the signature is bad, but you should look into this.\n", ret); return FALSE; } #ifdef HAVE_GNUTLS_CERT_INSECURE_ALGORITHM if (verify & GNUTLS_CERT_INSECURE_ALGORITHM) { /* * A certificate in the chain is signed with an insecure * algorithm. Put a warning into the log to make this error * perfectly clear as soon as someone looks at the debug log is * generated. */ crt_id = purple_certificate_get_unique_id(crt); issuer_id = purple_certificate_get_issuer_unique_id(crt); purple_debug_warning("gnutls/x509", "Insecure hash algorithm used by %s to sign %s\n", issuer_id, crt_id); } #endif if (verify & GNUTLS_CERT_INVALID) { /* Signature didn't check out, but at least there were no errors*/ if (!crt_id) crt_id = purple_certificate_get_unique_id(crt); if (!issuer_id) issuer_id = purple_certificate_get_issuer_unique_id(crt); purple_debug_error("gnutls/x509", "Bad signature from %s on %s\n", issuer_id, crt_id); g_free(crt_id); g_free(issuer_id); return FALSE; } /* if (ret, etc.) */ /* If we got here, the signature is good */ return TRUE; }
/** Determines whether one certificate has been issued and signed by another * * @param crt Certificate to check the signature of * @param issuer Issuer's certificate * * @return TRUE if crt was signed and issued by issuer, otherwise FALSE * @TODO Modify this function to return a reason for invalidity? */ static gboolean x509_certificate_signed_by(PurpleCertificate * crt, PurpleCertificate * issuer) { gnutls_x509_crt crt_dat; gnutls_x509_crt issuer_dat; unsigned int verify; /* used to store result from GnuTLS verifier */ int ret; gchar *crt_id = NULL; gchar *issuer_id = NULL; g_return_val_if_fail(crt, FALSE); g_return_val_if_fail(issuer, FALSE); /* Verify that both certs are the correct scheme */ g_return_val_if_fail(crt->scheme == &x509_gnutls, FALSE); g_return_val_if_fail(issuer->scheme == &x509_gnutls, FALSE); /* TODO: check for more nullness? */ crt_dat = X509_GET_GNUTLS_DATA(crt); issuer_dat = X509_GET_GNUTLS_DATA(issuer); /* First, let's check that crt.issuer is actually issuer */ ret = gnutls_x509_crt_check_issuer(crt_dat, issuer_dat); if (ret <= 0) { if (ret < 0) { purple_debug_error("gnutls/x509", "GnuTLS error %d while checking certificate issuer match.", ret); } else { gchar *crt_id, *issuer_id, *crt_issuer_id; crt_id = purple_certificate_get_unique_id(crt); issuer_id = purple_certificate_get_unique_id(issuer); crt_issuer_id = purple_certificate_get_issuer_unique_id(crt); purple_debug_info("gnutls/x509", "Certificate %s is issued by " "%s, which does not match %s.\n", crt_id ? crt_id : "(null)", crt_issuer_id ? crt_issuer_id : "(null)", issuer_id ? issuer_id : "(null)"); g_free(crt_id); g_free(issuer_id); g_free(crt_issuer_id); } /* The issuer is not correct, or there were errors */ return FALSE; } /* Now, check the signature */ /* The second argument is a ptr to an array of "trusted" issuer certs, but we're only using one trusted one */ ret = gnutls_x509_crt_verify(crt_dat, &issuer_dat, 1, /* Permit signings by X.509v1 certs (Verisign and possibly others have root certificates that predate the current standard) */ GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, &verify); if (ret != 0) { purple_debug_error("gnutls/x509", "Attempted certificate verification caused a GnuTLS error code %d. I will just say the signature is bad, but you should look into this.\n", ret); return FALSE; } #ifdef HAVE_GNUTLS_CERT_INSECURE_ALGORITHM if (verify & GNUTLS_CERT_INSECURE_ALGORITHM) { /* * A certificate in the chain is signed with an insecure * algorithm. Put a warning into the log to make this error * perfectly clear as soon as someone looks at the debug log is * generated. */ crt_id = purple_certificate_get_unique_id(crt); issuer_id = purple_certificate_get_issuer_unique_id(crt); purple_debug_warning("gnutls/x509", "Insecure hash algorithm used by %s to sign %s\n", issuer_id, crt_id); } #endif if (verify & GNUTLS_CERT_INVALID) { /* Signature didn't check out, but at least there were no errors*/ if (!crt_id) crt_id = purple_certificate_get_unique_id(crt); if (!issuer_id) issuer_id = purple_certificate_get_issuer_unique_id(crt); purple_debug_error("gnutls/x509", "Bad signature from %s on %s\n", issuer_id, crt_id); g_free(crt_id); g_free(issuer_id); return FALSE; } /* if (ret, etc.) */ /* If we got here, the signature is good */ return TRUE; }
/* Verifies a certificate against an other certificate * which is supposed to be it's issuer. Also checks the * crl_list if the certificate is revoked. */ static void verify_cert2 (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer, gnutls_x509_crl_t * crl_list, int crl_list_size) { unsigned int output; int ret; time_t now = time (0); size_t name_size; char name[64]; /* Print information about the certificates to * be checked. */ name_size = sizeof (name); gnutls_x509_crt_get_dn (crt, name, &name_size); fprintf (stderr, "\nCertificate: %s\n", name); name_size = sizeof (name); gnutls_x509_crt_get_issuer_dn (crt, name, &name_size); fprintf (stderr, "Issued by: %s\n", name); /* Get the DN of the issuer cert. */ name_size = sizeof (name); gnutls_x509_crt_get_dn (issuer, name, &name_size); fprintf (stderr, "Checking against: %s\n", name); /* Do the actual verification. */ gnutls_x509_crt_verify (crt, &issuer, 1, 0, &output); if (output & GNUTLS_CERT_INVALID) { fprintf (stderr, "Not trusted"); if (output & GNUTLS_CERT_SIGNER_NOT_FOUND) fprintf (stderr, ": no issuer was found"); if (output & GNUTLS_CERT_SIGNER_NOT_CA) fprintf (stderr, ": issuer is not a CA"); fprintf (stderr, "\n"); } else fprintf (stderr, "Trusted\n"); /* Now check the expiration dates. */ if (gnutls_x509_crt_get_activation_time (crt) > now) fprintf (stderr, "Not yet activated\n"); if (gnutls_x509_crt_get_expiration_time (crt) < now) fprintf (stderr, "Expired\n"); /* Check if the certificate is revoked. */ ret = gnutls_x509_crt_check_revocation (crt, crl_list, crl_list_size); if (ret == 1) { /* revoked */ fprintf (stderr, "Revoked\n"); } }
static int __pkcs11h_crypto_gnutls_certificate_is_issuer ( IN void * const global_data, IN const unsigned char * const issuer_blob, IN const size_t issuer_blob_size, IN const unsigned char * const cert_blob, IN const size_t cert_blob_size ) { gnutls_x509_crt_t cert_issuer = NULL; gnutls_x509_crt_t cert_cert = NULL; gnutls_datum_t datum; PKCS11H_BOOL is_issuer = FALSE; unsigned int result = 0; (void)global_data; /*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/ _PKCS11H_ASSERT (issuer_blob!=NULL); _PKCS11H_ASSERT (cert_blob!=NULL); if (gnutls_x509_crt_init (&cert_issuer) != GNUTLS_E_SUCCESS) { /* gnutls sets output */ cert_issuer = NULL; goto cleanup; } if (gnutls_x509_crt_init (&cert_cert) != GNUTLS_E_SUCCESS) { /* gnutls sets output */ cert_cert = NULL; goto cleanup; } datum.data = (unsigned char *)issuer_blob; datum.size = issuer_blob_size; if ( gnutls_x509_crt_import ( cert_issuer, &datum, GNUTLS_X509_FMT_DER ) != GNUTLS_E_SUCCESS ) { goto cleanup; } datum.data = (unsigned char *)cert_blob; datum.size = cert_blob_size; if ( gnutls_x509_crt_import ( cert_cert, &datum, GNUTLS_X509_FMT_DER ) != GNUTLS_E_SUCCESS ) { goto cleanup; } if ( gnutls_x509_crt_verify ( cert_cert, &cert_issuer, 1, 0, &result ) && (result & GNUTLS_CERT_INVALID) == 0 ) { is_issuer = TRUE; } cleanup: if (cert_cert != NULL) { gnutls_x509_crt_deinit (cert_cert); cert_cert = NULL; } if (cert_issuer != NULL) { gnutls_x509_crt_deinit (cert_issuer); cert_issuer = NULL; } return is_issuer; }