** libgnutls: Added support for extension to establish keys
for SRTP.
+** libgnutls: gnutls_x509_crl_verify() includes the time
+checks.
+
** gnutls-cli: Added --local-dns option.
** danetool: Corrected bug that prevented loading PEM files.
_gnutls_buffer_append_str (&str, _("Peer's certificate chain revoked. "));
if (status & GNUTLS_CERT_REVOCATION_DATA_TOO_OLD)
- _gnutls_buffer_append_str (&str, _("The revocation data provided by the peer are too old. "));
+ _gnutls_buffer_append_str (&str, _("The revocation data are too old. "));
if (status & GNUTLS_CERT_REVOCATION_DATA_INVALID)
- _gnutls_buffer_append_str (&str, _("The revocation data provided by the peer are invalid. "));
+ _gnutls_buffer_append_str (&str, _("The revocation data are invalid. "));
+
+ if (status & GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE)
+ _gnutls_buffer_append_str (&str, _("The revocation data are issued with a future date. "));
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
_gnutls_buffer_append_str (&str, _("Peer's certificate issuer is unknown. "));
* @GNUTLS_CERT_REVOCATION_DATA_TOO_OLD: The OCSP revocation data are too old.
* @GNUTLS_CERT_REVOCATION_DATA_INVALID: The OCSP revocation data are invalid.
* @GNUTLS_CERT_UNEXPECTED_OWNER: The owner is not the expected one.
+ * @GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE: The revocation data have a future issue date.
*
* Enumeration of certificate status codes. Note that the status
* bits may have different meanings in OpenPGP keys and X.509
*/
typedef enum
{
- GNUTLS_CERT_INVALID = 2,
- GNUTLS_CERT_REVOKED = 32,
- GNUTLS_CERT_SIGNER_NOT_FOUND = 64,
- GNUTLS_CERT_SIGNER_NOT_CA = 128,
- GNUTLS_CERT_INSECURE_ALGORITHM = 256,
- GNUTLS_CERT_NOT_ACTIVATED = 512,
- GNUTLS_CERT_EXPIRED = 1024,
- GNUTLS_CERT_SIGNATURE_FAILURE = 2048,
- GNUTLS_CERT_REVOCATION_DATA_TOO_OLD = 4096,
- GNUTLS_CERT_REVOCATION_DATA_INVALID = 8192,
- GNUTLS_CERT_UNEXPECTED_OWNER = 16384,
+ GNUTLS_CERT_INVALID = 1<<1,
+ GNUTLS_CERT_REVOKED = 1<<6,
+ GNUTLS_CERT_SIGNER_NOT_FOUND = 1<<7,
+ GNUTLS_CERT_SIGNER_NOT_CA = 1<<8,
+ GNUTLS_CERT_INSECURE_ALGORITHM = 1<<9,
+ GNUTLS_CERT_NOT_ACTIVATED = 1<<10,
+ GNUTLS_CERT_EXPIRED = 1<<11,
+ GNUTLS_CERT_SIGNATURE_FAILURE = 1<<12,
+ GNUTLS_CERT_REVOCATION_DATA_TOO_OLD = 1<<13,
+ GNUTLS_CERT_REVOCATION_DATA_INVALID = 1<<14,
+ GNUTLS_CERT_UNEXPECTED_OWNER = 1<<15,
+ GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE = 1<<16,
} gnutls_certificate_status_t;
/**
*
* This function will try to verify the given crl and return its status.
* See gnutls_x509_crt_list_verify() for a detailed description of
- * return values.
+ * return values. Note that since GnuTLS 3.1.4 this function includes
+ * the time checks.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
gnutls_datum_t crl_signature = { NULL, 0 };
gnutls_x509_crt_t issuer;
int result, hash_algo;
+ time_t now = gnutls_time(0);
if (output)
*output = 0;
gnutls_assert ();
/* error. ignore it */
if (output)
- *output |= GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNATURE_FAILURE;
+ *output |= GNUTLS_CERT_SIGNATURE_FAILURE;
result = 0;
}
else if (result < 0)
!(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5)))
{
if (output)
- *output |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID;
+ *output |= GNUTLS_CERT_INSECURE_ALGORITHM;
result = 0;
}
}
+
+ if (gnutls_x509_crl_get_this_update (crl) > now)
+ *output |= GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE;
+
+ if (gnutls_x509_crl_get_next_update (crl) < now)
+ *output |= GNUTLS_CERT_REVOCATION_DATA_TOO_OLD;
+
cleanup:
+ if (*output) *output |= GNUTLS_CERT_INVALID;
+
_gnutls_free_datum (&crl_signed_data);
_gnutls_free_datum (&crl_signature);
static void
print_verification_res (FILE* outfile, unsigned int output)
{
- int comma = 0;
+ gnutls_datum_t pout;
+ int ret;
- if (output & GNUTLS_CERT_INVALID)
+ if (output)
{
- fprintf (outfile, "Not verified");
- comma = 1;
+ fprintf (outfile, "Not verified.");
}
else
{
fprintf (outfile, "Verified");
- comma = 1;
- }
-
- if (output & GNUTLS_CERT_SIGNER_NOT_CA)
- {
- if (comma)
- fprintf (outfile, ", ");
- fprintf (outfile, "Issuer is not a CA");
- comma = 1;
- }
-
- if (output & GNUTLS_CERT_INSECURE_ALGORITHM)
- {
- if (comma)
- fprintf (outfile, ", ");
- fprintf (outfile, "Insecure algorithm");
- comma = 1;
- }
-
- if (output & GNUTLS_CERT_NOT_ACTIVATED)
- {
- if (comma)
- fprintf (outfile, ", ");
- fprintf (outfile, "Not activated");
- comma = 1;
}
- if (output & GNUTLS_CERT_EXPIRED)
+ ret = gnutls_certificate_verification_status_print( output, GNUTLS_CRT_X509, &pout, 0);
+ if (ret < 0)
{
- if (comma)
- fprintf (outfile, ", ");
- fprintf (outfile, "Expired");
- comma = 1;
+ fprintf(stderr, "error: %s\n", gnutls_strerror(ret);
+ exit(EXIT_FAILURE);
}
- if (output & GNUTLS_CERT_REVOKED)
- {
- if (comma)
- fprintf (outfile, ", ");
- fprintf (outfile, "Revoked");
- comma = 1;
- }
+ fprintf (outfile, " %s", pout.data);
+ gnutls_free(pout.data);
}
static void
unsigned int output;
int comma = 0;
int ret;
- gnutls_datum_t pem;
+ gnutls_datum_t pem, pout;
gnutls_x509_crl_t crl;
time_t now = time (0);
gnutls_x509_crt_t issuer;
if (ret < 0)
error (EXIT_FAILURE, 0, "verification error: %s", gnutls_strerror (ret));
- if (output & GNUTLS_CERT_INVALID)
+ if (output)
{
- fprintf (outfile, "Not verified");
- comma = 1;
+ fprintf (outfile, "Not verified. ");
}
else
{
- fprintf (outfile, "Verified");
- comma = 1;
+ fprintf (outfile, "Verified.");
}
- if (output & GNUTLS_CERT_SIGNER_NOT_CA)
- {
- if (comma)
- fprintf (outfile, ", ");
- fprintf (outfile, "Issuer is not a CA");
- comma = 1;
- }
-
- if (output & GNUTLS_CERT_INSECURE_ALGORITHM)
- {
- if (comma)
- fprintf (outfile, ", ");
- fprintf (outfile, "Insecure algorithm");
- comma = 1;
- }
-
- /* Check expiration dates.
- */
-
- if (gnutls_x509_crl_get_this_update (crl) > now)
+ ret = gnutls_certificate_verification_status_print( output, GNUTLS_CRT_X509, &pout, 0);
+ if (ret < 0)
{
- if (comma)
- fprintf (outfile, ", ");
- comma = 1;
- fprintf (outfile, "Issued in the future!");
+ fprintf(stderr, "error: %s\n", gnutls_strerror(ret);
+ exit(EXIT_FAILURE);
}
- if (gnutls_x509_crl_get_next_update (crl) < now)
- {
- if (comma)
- fprintf (outfile, ", ");
- comma = 1;
- fprintf (outfile, "CRL is not up to date");
- }
+ fprintf (outfile, " %s", pout.data);
+ gnutls_free(pout.data);
fprintf (outfile, "\n");
}