]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
CRL verification includes the time checks.
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Fri, 2 Nov 2012 09:24:16 +0000 (10:24 +0100)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Fri, 2 Nov 2012 09:24:16 +0000 (10:24 +0100)
NEWS
lib/gnutls_cert.c
lib/includes/gnutls/gnutls.h.in
lib/x509/verify.c
src/certtool.c

diff --git a/NEWS b/NEWS
index 6be38907947049415042aba79499356b6c727c09..d18b7e89d214bd909e8372f29f277563a0efc0f0 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,9 @@ gnutls_certificate_verify_peers3().
 ** libgnutls: Added support for extension to establish keys
 for SRTP.
 
+** libgnutls: gnutls_x509_crl_verify() includes the time
+checks.
+
 ** gnutls-cli: Added --local-dns option.
 
 ** danetool: Corrected bug that prevented loading PEM files.
index 9e73d9194241dc33d07da9be4a4908d5e2d2526e..21a3a5d860dbf472709b14b96f5c306296f1c824 100644 (file)
@@ -945,10 +945,13 @@ gnutls_certificate_verification_status_print (unsigned int status,
         _gnutls_buffer_append_str (&str, _("Peer's certificate chain revoked. "));
 
       if (status & GNUTLS_CERT_REVOCATION_DATA_TOO_OLD)
-         _gnutls_buffer_append_str (&str, _("The revocation data provided by the peer are too old. "));
+         _gnutls_buffer_append_str (&str, _("The revocation data are too old. "));
 
       if (status & GNUTLS_CERT_REVOCATION_DATA_INVALID)
-         _gnutls_buffer_append_str (&str, _("The revocation data provided by the peer are invalid. "));
+         _gnutls_buffer_append_str (&str, _("The revocation data are invalid. "));
+
+      if (status & GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE)
+         _gnutls_buffer_append_str (&str, _("The revocation data are issued with a future date. "));
 
       if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
          _gnutls_buffer_append_str (&str, _("Peer's certificate issuer is unknown. "));
index a64db31fe3af388d24940095f80a5e1ad7c33772..61421b635e4f54a72b3f2a3c9c8c2042e0ba629f 100644 (file)
@@ -448,6 +448,7 @@ extern "C"
  * @GNUTLS_CERT_REVOCATION_DATA_TOO_OLD: The OCSP revocation data are too old.
  * @GNUTLS_CERT_REVOCATION_DATA_INVALID: The OCSP revocation data are invalid.
  * @GNUTLS_CERT_UNEXPECTED_OWNER: The owner is not the expected one.
+ * @GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE: The revocation data have a future issue date.
  *
  * Enumeration of certificate status codes.  Note that the status
  * bits may have different meanings in OpenPGP keys and X.509
@@ -455,17 +456,18 @@ extern "C"
  */
   typedef enum
   {
-    GNUTLS_CERT_INVALID = 2,
-    GNUTLS_CERT_REVOKED = 32,
-    GNUTLS_CERT_SIGNER_NOT_FOUND = 64,
-    GNUTLS_CERT_SIGNER_NOT_CA = 128,
-    GNUTLS_CERT_INSECURE_ALGORITHM = 256,
-    GNUTLS_CERT_NOT_ACTIVATED = 512,
-    GNUTLS_CERT_EXPIRED = 1024,
-    GNUTLS_CERT_SIGNATURE_FAILURE = 2048,
-    GNUTLS_CERT_REVOCATION_DATA_TOO_OLD = 4096,
-    GNUTLS_CERT_REVOCATION_DATA_INVALID = 8192,
-    GNUTLS_CERT_UNEXPECTED_OWNER = 16384,
+    GNUTLS_CERT_INVALID = 1<<1,
+    GNUTLS_CERT_REVOKED = 1<<6,
+    GNUTLS_CERT_SIGNER_NOT_FOUND = 1<<7,
+    GNUTLS_CERT_SIGNER_NOT_CA = 1<<8,
+    GNUTLS_CERT_INSECURE_ALGORITHM = 1<<9,
+    GNUTLS_CERT_NOT_ACTIVATED = 1<<10,
+    GNUTLS_CERT_EXPIRED = 1<<11,
+    GNUTLS_CERT_SIGNATURE_FAILURE = 1<<12,
+    GNUTLS_CERT_REVOCATION_DATA_TOO_OLD = 1<<13,
+    GNUTLS_CERT_REVOCATION_DATA_INVALID = 1<<14,
+    GNUTLS_CERT_UNEXPECTED_OWNER = 1<<15,
+    GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE = 1<<16,
   } gnutls_certificate_status_t;
 
 /**
index 7f39fd8f359b23d22f174eedda4dbf3c9bbdcec6..6ff9258f219a348c88dff68bf2983357a1220768 100644 (file)
@@ -880,7 +880,8 @@ gnutls_x509_crl_check_issuer (gnutls_x509_crl_t crl,
  *
  * This function will try to verify the given crl and return its status.
  * See gnutls_x509_crt_list_verify() for a detailed description of
- * return values.
+ * return values. Note that since GnuTLS 3.1.4 this function includes
+ * the time checks.
  *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
@@ -976,6 +977,7 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl,
   gnutls_datum_t crl_signature = { NULL, 0 };
   gnutls_x509_crt_t issuer;
   int result, hash_algo;
+  time_t now = gnutls_time(0);
 
   if (output)
     *output = 0;
@@ -1044,7 +1046,7 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl,
       gnutls_assert ();
       /* error. ignore it */
       if (output)
-        *output |= GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNATURE_FAILURE;
+        *output |= GNUTLS_CERT_SIGNATURE_FAILURE;
       result = 0;
     }
   else if (result < 0)
@@ -1064,12 +1066,21 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl,
          !(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5)))
       {
         if (output)
-          *output |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID;
+          *output |= GNUTLS_CERT_INSECURE_ALGORITHM;
         result = 0;
       }
   }
+  
+  if (gnutls_x509_crl_get_this_update (crl) > now)
+    *output |= GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE;
+    
+  if (gnutls_x509_crl_get_next_update (crl) < now)
+    *output |= GNUTLS_CERT_REVOCATION_DATA_TOO_OLD;
+
 
 cleanup:
+  if (*output) *output |= GNUTLS_CERT_INVALID;
+
   _gnutls_free_datum (&crl_signed_data);
   _gnutls_free_datum (&crl_signature);
 
index 81ec1425a229dfa70f29f8e7eef22eab22fdefd5..826e879f03935676510b2bb2c46f08206ca4ccb8 100644 (file)
@@ -2089,58 +2089,27 @@ _verify_x509_mem (const void *cert, int cert_size, const void* ca, int ca_size)
 static void
 print_verification_res (FILE* outfile, unsigned int output)
 {
-  int comma = 0;
+  gnutls_datum_t pout;
+  int ret;
 
-  if (output & GNUTLS_CERT_INVALID)
+  if (output)
     {
-      fprintf (outfile, "Not verified");
-      comma = 1;
+      fprintf (outfile, "Not verified.");
     }
   else
     {
       fprintf (outfile, "Verified");
-      comma = 1;
-    }
-
-  if (output & GNUTLS_CERT_SIGNER_NOT_CA)
-    {
-      if (comma)
-        fprintf (outfile, ", ");
-      fprintf (outfile, "Issuer is not a CA");
-      comma = 1;
-    }
-
-  if (output & GNUTLS_CERT_INSECURE_ALGORITHM)
-    {
-      if (comma)
-        fprintf (outfile, ", ");
-      fprintf (outfile, "Insecure algorithm");
-      comma = 1;
-    }
-
-  if (output & GNUTLS_CERT_NOT_ACTIVATED)
-    {
-      if (comma)
-        fprintf (outfile, ", ");
-      fprintf (outfile, "Not activated");
-      comma = 1;
     }
 
-  if (output & GNUTLS_CERT_EXPIRED)
+  ret = gnutls_certificate_verification_status_print( output, GNUTLS_CRT_X509, &pout, 0);
+  if (ret < 0)
     {
-      if (comma)
-        fprintf (outfile, ", ");
-      fprintf (outfile, "Expired");
-      comma = 1;
+      fprintf(stderr, "error: %s\n", gnutls_strerror(ret);
+      exit(EXIT_FAILURE);
     }
 
-  if (output & GNUTLS_CERT_REVOKED)
-    {
-      if (comma)
-        fprintf (outfile, ", ");
-      fprintf (outfile, "Revoked");
-      comma = 1;
-    }
+  fprintf (outfile, " %s", pout.data);
+  gnutls_free(pout.data);
 }
 
 static void
@@ -2196,7 +2165,7 @@ verify_crl (common_info_st * cinfo)
   unsigned int output;
   int comma = 0;
   int ret;
-  gnutls_datum_t pem;
+  gnutls_datum_t pem, pout;
   gnutls_x509_crl_t crl;
   time_t now = time (0);
   gnutls_x509_crt_t issuer;
@@ -2231,51 +2200,24 @@ verify_crl (common_info_st * cinfo)
   if (ret < 0)
     error (EXIT_FAILURE, 0, "verification error: %s", gnutls_strerror (ret));
 
-  if (output & GNUTLS_CERT_INVALID)
+  if (output)
     {
-      fprintf (outfile, "Not verified");
-      comma = 1;
+      fprintf (outfile, "Not verified. ");
     }
   else
     {
-      fprintf (outfile, "Verified");
-      comma = 1;
+      fprintf (outfile, "Verified.");
     }
 
-  if (output & GNUTLS_CERT_SIGNER_NOT_CA)
-    {
-      if (comma)
-        fprintf (outfile, ", ");
-      fprintf (outfile, "Issuer is not a CA");
-      comma = 1;
-    }
-
-  if (output & GNUTLS_CERT_INSECURE_ALGORITHM)
-    {
-      if (comma)
-        fprintf (outfile, ", ");
-      fprintf (outfile, "Insecure algorithm");
-      comma = 1;
-    }
-
-  /* Check expiration dates.
-   */
-
-  if (gnutls_x509_crl_get_this_update (crl) > now)
+  ret = gnutls_certificate_verification_status_print( output, GNUTLS_CRT_X509, &pout, 0);
+  if (ret < 0)
     {
-      if (comma)
-        fprintf (outfile, ", ");
-      comma = 1;
-      fprintf (outfile, "Issued in the future!");
+      fprintf(stderr, "error: %s\n", gnutls_strerror(ret);
+      exit(EXIT_FAILURE);
     }
 
-  if (gnutls_x509_crl_get_next_update (crl) < now)
-    {
-      if (comma)
-        fprintf (outfile, ", ");
-      comma = 1;
-      fprintf (outfile, "CRL is not up to date");
-    }
+  fprintf (outfile, " %s", pout.data);
+  gnutls_free(pout.data);
 
   fprintf (outfile, "\n");
 }