]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
gnutls_x509_crt_verify() and gnutls_x509_crt_list_verify() behave identically.
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Tue, 16 Mar 2010 22:07:46 +0000 (23:07 +0100)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Tue, 16 Mar 2010 22:45:22 +0000 (23:45 +0100)
That means that gnutls_x509_crt_verify() will now check dates as well.

Certool --verify-chain will use the GNUTLS_VERIFY_DO_NOT_ALLOW_SAME flag to
gnutls_x509_crt_verify() to force verification even if certificates are the same.
The only exception is at the final certificate (self-checking) where the extra
flag GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is specified to allow for v1 CA certificates.

lib/x509/verify.c
src/certtool.c

index 5bb20bc95c8c0c9b192b00a92b25cfb6a95b1609..88b6911a73b96e85be77245a3bd9955bd94596f9 100644 (file)
@@ -1035,8 +1035,7 @@ gnutls_x509_crt_list_verify (const gnutls_x509_crt_t * cert_list,
  * @verify: will hold the certificate verification output.
  *
  * This function will try to verify the given certificate and return
- * its status.  The verification output in this functions cannot be
- * GNUTLS_CERT_NOT_VALID.
+ * its status.
  *
  * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
  *   negative error value.
@@ -1047,18 +1046,12 @@ gnutls_x509_crt_verify (gnutls_x509_crt_t cert,
                        int CA_list_length, unsigned int flags,
                        unsigned int *verify)
 {
-  int ret;
   /* Verify certificate 
    */
-  ret =
-    _gnutls_verify_certificate2 (cert, CA_list, CA_list_length, flags,
-                                verify, NULL);
-  if (ret < 0)
-    {
-      gnutls_assert ();
-      return ret;
-    }
-
+  *verify =
+    _gnutls_x509_verify_certificate (&cert, 1,
+                                    CA_list, CA_list_length, NULL,
+                                    0, flags);
   return 0;
 }
 
index 96e2642c41d09ffd30bd5af22e28041c5301d520..78445ed946556d6a0b61e85a36a1486be7b6bfa0 100644 (file)
@@ -2006,7 +2006,7 @@ generate_request (void)
 static void print_verification_res (gnutls_x509_crt_t crt,
                                    gnutls_x509_crt_t issuer,
                                    gnutls_x509_crl_t * crl_list,
-                                   int crl_list_size);
+                                   int crl_list_size, unsigned int flags);
 
 #define CERT_SEP "-----BEGIN CERT"
 #define CRL_SEP "-----BEGIN X509 CRL"
@@ -2150,7 +2150,7 @@ _verify_x509_mem (const void *cert, int cert_size)
          fprintf (outfile, "\tVerification output: ");
          print_verification_res (x509_cert_list[i - 2],
                                  x509_cert_list[i - 1], x509_crl_list,
-                                 x509_ncrls);
+                                 x509_ncrls, GNUTLS_VERIFY_DO_NOT_ALLOW_SAME);
          fprintf (outfile, ".\n\n");
 
        }
@@ -2196,7 +2196,9 @@ _verify_x509_mem (const void *cert, int cert_size)
   fprintf (outfile, "\tVerification output: ");
   print_verification_res (x509_cert_list[x509_ncerts - 1],
                          x509_cert_list[x509_ncerts - 1], x509_crl_list,
-                         x509_ncrls);
+                         /* we add GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT since it is
+                          * self signed. */
+                         x509_ncrls, GNUTLS_VERIFY_DO_NOT_ALLOW_SAME|GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
 
   fprintf (outfile, ".\n\n");
 
@@ -2208,7 +2210,7 @@ _verify_x509_mem (const void *cert, int cert_size)
                                       &x509_cert_list[x509_ncerts - 1], 1,
                                       x509_crl_list,
                                       x509_ncrls,
-                                      GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
+                                      GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT|GNUTLS_VERIFY_DO_NOT_ALLOW_SAME,
                                       &verify_status);
     if (ret < 0)
       error (EXIT_FAILURE, 0, "gnutls_x509_crt_list_verify: %s",
@@ -2258,14 +2260,13 @@ _verify_x509_mem (const void *cert, int cert_size)
 static void
 print_verification_res (gnutls_x509_crt_t crt,
                        gnutls_x509_crt_t issuer,
-                       gnutls_x509_crl_t * crl_list, int crl_list_size)
+                       gnutls_x509_crl_t * crl_list, int crl_list_size, unsigned int flags)
 {
   unsigned int output;
   int comma = 0;
   int ret;
-  time_t now = time (0);
 
-  ret = gnutls_x509_crt_verify (crt, &issuer, 1, 0, &output);
+  ret = gnutls_x509_crt_verify (crt, &issuer, 1, flags , &output);
   if (ret < 0)
     error (EXIT_FAILURE, 0, "verification error: %s", gnutls_strerror (ret));
 
@@ -2296,23 +2297,20 @@ print_verification_res (gnutls_x509_crt_t crt,
       comma = 1;
     }
 
-  /* Check expiration dates.
-   */
-
-  if (gnutls_x509_crt_get_activation_time (crt) > now)
+  if (output & GNUTLS_CERT_NOT_ACTIVATED)
     {
       if (comma)
        fprintf (outfile, ", ");
-      comma = 1;
       fprintf (outfile, "Not activated");
+      comma = 1;
     }
 
-  if (gnutls_x509_crt_get_expiration_time (crt) < now)
+  if (output & GNUTLS_CERT_EXPIRED)
     {
       if (comma)
        fprintf (outfile, ", ");
-      comma = 1;
       fprintf (outfile, "Expired");
+      comma = 1;
     }
 
   ret = gnutls_x509_crt_check_revocation (crt, crl_list, crl_list_size);