** libgnutls: gnutls_certificate_verify_peers2() will set flags depending on
the available revocation data validity.
+** libgnutls: Added gnutls_certificate_verification_status_print(),
+a function to print the verification status code in human
+readable text.
+
** libgnutls: Added priority string %VERIFY_DISABLE_CRL_CHECKS.
** libgnutls: Simplified certificate verification by adding
for SRTP.
** libgnutls: The X.509 verification functions check the key
-usage bits and output @GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE
-if check fails.
+usage bits and pathlen constraints and on failure output
+GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE.
** libgnutls: gnutls_x509_crl_verify() includes the time
checks.
_gnutls_buffer_init (&str);
if (status == 0)
- _gnutls_buffer_append_str (&str, _("Peer's certificate is trusted. "));
+ _gnutls_buffer_append_str (&str, _("The certificate is trusted. "));
else
- _gnutls_buffer_append_str (&str, _("Peer's certificate is NOT trusted. "));
+ _gnutls_buffer_append_str (&str, _("The certificate is NOT trusted. "));
if (type == GNUTLS_CRT_X509)
{
if (status & GNUTLS_CERT_REVOKED)
- _gnutls_buffer_append_str (&str, _("Peer's certificate chain revoked. "));
+ _gnutls_buffer_append_str (&str, _("The certificate chain revoked. "));
if (status & GNUTLS_CERT_REVOCATION_DATA_TOO_OLD)
_gnutls_buffer_append_str (&str, _("The revocation data are too old. "));
_gnutls_buffer_append_str (&str, _("The revocation data are issued with a future date. "));
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
- _gnutls_buffer_append_str (&str, _("Peer's certificate issuer is unknown. "));
+ _gnutls_buffer_append_str (&str, _("The certificate issuer is unknown. "));
if (status & GNUTLS_CERT_SIGNER_NOT_CA)
- _gnutls_buffer_append_str (&str, _("Peer's certificate issuer is not a CA. "));
+ _gnutls_buffer_append_str (&str, _("The certificate issuer is not a CA. "));
}
else if (type == GNUTLS_CRT_OPENPGP)
{
- _gnutls_buffer_append_str (&str, _("Peer's certificate is not trusted. "));
+ _gnutls_buffer_append_str (&str, _("The certificate is not trusted. "));
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
- _gnutls_buffer_append_str (&str, _("Could not find a signer of the peer's certificate. "));
+ _gnutls_buffer_append_str (&str, _("Could not find a signer of the certificate. "));
if (status & GNUTLS_CERT_REVOKED)
- _gnutls_buffer_append_str (&str, _("Peer's certificate is revoked. "));
+ _gnutls_buffer_append_str (&str, _("The certificate is revoked. "));
}
if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
- _gnutls_buffer_append_str (&str, _("Peer's certificate chain uses insecure algorithm. "));
+ _gnutls_buffer_append_str (&str, _("The certificate chain uses insecure algorithm. "));
+
+ if (status & GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE)
+ _gnutls_buffer_append_str (&str, _("The certificate chain violates the signer's constraints. "));
if (status & GNUTLS_CERT_NOT_ACTIVATED)
- _gnutls_buffer_append_str (&str, _("Peer's certificate chain uses not yet valid certificate. "));
+ _gnutls_buffer_append_str (&str, _("The certificate chain uses not yet valid certificate. "));
if (status & GNUTLS_CERT_EXPIRED)
- _gnutls_buffer_append_str (&str, _("Peer's certificate chain uses expired certificate. "));
+ _gnutls_buffer_append_str (&str, _("The certificate chain uses expired certificate. "));
if (status & GNUTLS_CERT_SIGNATURE_FAILURE)
_gnutls_buffer_append_str (&str, _("The signature in the certificate is invalid. "));
*/
#define DEFAULT_MAX_VERIFY_DEPTH 16
#define DEFAULT_MAX_VERIFY_BITS 16*1024
+#define MAX_VERIFY_DEPTH 4096
#include <gnutls_mem.h>
*/
static int
check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+ unsigned int *max_path,
unsigned int flags)
{
gnutls_datum_t cert_signed_data = { NULL, 0 };
gnutls_datum_t issuer_signed_data = { NULL, 0 };
gnutls_datum_t cert_signature = { NULL, 0 };
gnutls_datum_t issuer_signature = { NULL, 0 };
- int result;
+ int pathlen, result;
+ unsigned int ca_status;
/* Check if the issuer is the same with the
* certificate. This is added in order for trusted
goto cleanup;
}
}
+
+ result = gnutls_x509_crt_get_basic_constraints( issuer, NULL, &ca_status, &pathlen);
+ if (result < 0)
+ {
+ ca_status = 0;
+ pathlen = -1;
+ }
+
+ if (ca_status != 0 && pathlen != -1)
+ {
+ if ((unsigned)pathlen < *max_path)
+ *max_path = pathlen;
+ }
- result = gnutls_x509_crt_get_ca_status (issuer, NULL);
- if (result == 1)
+ if (ca_status != 0)
{
result = 1;
goto cleanup;
unsigned int *output,
gnutls_x509_crt_t * _issuer,
time_t now,
+ unsigned int *max_path,
gnutls_verify_output_function func)
{
gnutls_datum_t cert_signed_data = { NULL, 0 };
if (output)
*output = 0;
-
- if (tcas_size >= 1)
- issuer = find_issuer (cert, trusted_cas, tcas_size);
- else
+
+ if (*max_path == 0)
{
- gnutls_assert ();
- out = GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID;
+ out = GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE | GNUTLS_CERT_INVALID;
if (output)
*output |= out;
+ gnutls_assert ();
result = 0;
goto cleanup;
}
+ (*max_path)--;
+
+ if (tcas_size >= 1)
+ issuer = find_issuer (cert, trusted_cas, tcas_size);
/* issuer is not in trusted certificate
* authorities.
gnutls_assert ();
return issuer_version;
}
-
+
if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
((flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT)
|| issuer_version != 1))
{
- if (check_if_ca (cert, issuer, flags) == 0)
+ if (check_if_ca (cert, issuer, max_path, flags) == 0)
{
gnutls_assert ();
out = GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID;
unsigned int status = 0, output;
time_t now = gnutls_time (0);
gnutls_x509_crt_t issuer = NULL;
+ unsigned int max_path;
if (clist_size > 1)
{
* in self signed etc certificates.
*/
output = 0;
+ max_path = MAX_VERIFY_DEPTH;
ret = _gnutls_verify_certificate2 (certificate_list[clist_size - 1],
trusted_cas, tcas_size, flags, &output,
- &issuer, now, func);
+ &issuer, now, &max_path, func);
if (ret == 0)
{
/* if the last certificate in the certificate
if ((ret =
_gnutls_verify_certificate2 (certificate_list[i - 1],
&certificate_list[i], 1, flags,
- &output, NULL, now, func)) == 0)
+ &output, NULL, now, &max_path, func)) == 0)
{
status |= output;
status |= GNUTLS_CERT_INVALID;
SUCCESS=" 1 4 7 12 15 16 17 18 24 26 27 30 33 56 57 62 63 "
FAILURE=" 2 3 5 6 8 9 10 11 13 14 19 20 21 22 23 25 28 29 31 32 54 55 58 59 60 61 "
-KNOWN_BUGS=" 15 16 17 18 19 31 32 54 55 58 59 60 61 "
+KNOWN_BUGS=" 15 16 17 18 19 31 32 "
cd x509paths
CRLs that are being added are typically of an intermediate CA which
is not in the trust list to verify them)
-Chain 54-55,58-61: We don't check path length constraints properly. XXX