doc = "This object identifier restricts the purpose of the certificates to be verified. Example purposes are 1.3.6.1.5.5.7.3.1 (TLS WWW), 1.3.6.1.5.5.7.3.4 (EMAIL) etc. Note that a CA certificate without a purpose set (extended key usage) is valid for any purpose.";
};
+flag = {
+ name = verify-allow-broken;
+ descrip = "Allow broken algorithms, such as MD5 for verification";
+ doc = "This can be combined with --p7-verify, --verify or --verify-chain.";
+};
+
flag = {
name = generate-dh-params;
descrip = "Generate PKCS #3 encoded Diffie-Hellman parameters";
unsigned int x509_ncerts, x509_ncrls = 0, x509_ncas = 0;
gnutls_x509_trust_list_t list;
unsigned int output;
+ unsigned vflags;
ret = gnutls_x509_trust_list_init(&list, 0);
if (ret < 0) {
fprintf(stdout, "Loaded %d certificates, %d CAs and %d CRLs\n\n",
x509_ncerts, x509_ncas, x509_ncrls);
+ vflags = GNUTLS_VERIFY_DO_NOT_ALLOW_SAME;
+
+ if (HAVE_OPT(VERIFY_ALLOW_BROKEN))
+ vflags |= GNUTLS_VERIFY_ALLOW_BROKEN;
+
+
if (purpose || hostname || email) {
gnutls_typed_vdata_st vdata[2];
unsigned vdata_size = 0;
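Review bot: Once `vflags` carries GNUTLS_VERIFY_ALLOW_BROKEN, a chain that validates only because an MD5/MD2 signature was tolerated is reported exactly like a chain that satisfies the default policy, so a reader of the status output cannot tell the two apart. A one-line notice beside the option check would make the relaxed policy visible in the tool's output, e.g. `if (HAVE_OPT(VERIFY_ALLOW_BROKEN)) { vflags |= GNUTLS_VERIFY_ALLOW_BROKEN; fprintf(stderr, "Note: broken signature algorithms are allowed for this verification\n"); }`. Separately, the hunk adds two consecutive blank lines after the option check, one more than the surrounding code uses. The enclosing function starts and ends outside this hunk.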
x509_ncerts,
vdata,
vdata_size,
- GNUTLS_VERIFY_DO_NOT_ALLOW_SAME,
+ vflags,
&output,
detailed_verification);
} else {
ret =
gnutls_x509_trust_list_verify_crt(list, x509_cert_list,
x509_ncerts,
- GNUTLS_VERIFY_DO_NOT_ALLOW_SAME,
+ vflags,
&output,
detailed_verification);
}
gnutls_typed_vdata_st vdata[2];
unsigned vdata_size = 0;
gnutls_x509_crt_t signer = NULL;
+ unsigned flags = 0;
ret = gnutls_pkcs7_init(&pkcs7);
if (ret < 0) {
gnutls_pkcs7_signature_info_deinit(&info);
+ if (HAVE_OPT(VERIFY_ALLOW_BROKEN))
+ flags |= GNUTLS_VERIFY_ALLOW_BROKEN;
+
if (signer)
- ret = gnutls_pkcs7_verify_direct(pkcs7, signer, i, detached.data!=NULL?&detached:NULL, 0);
+ ret = gnutls_pkcs7_verify_direct(pkcs7, signer, i, detached.data!=NULL?&detached:NULL, flags);
else
- ret = gnutls_pkcs7_verify(pkcs7, tl, vdata, vdata_size, i, detached.data!=NULL?&detached:NULL, 0);
+ ret = gnutls_pkcs7_verify(pkcs7, tl, vdata, vdata_size, i, detached.data!=NULL?&detached:NULL, flags);
if (ret < 0) {
fprintf(stderr, "\tSignature status: verification failed: %s\n", gnutls_strerror(ret));
ecode = 1;
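Review bot: The `HAVE_OPT(VERIFY_ALLOW_BROKEN)` test sits next to the per-signature `gnutls_pkcs7_signature_info_deinit` call, which suggests it is re-evaluated and OR-ed into `flags` for every signature; that is harmless but reads better hoisted to where `flags` is declared, e.g. `unsigned flags = HAVE_OPT(VERIFY_ALLOW_BROKEN) ? GNUTLS_VERIFY_ALLOW_BROKEN : 0;`, which also keeps the pkcs7 and verify-chain paths consistent. As with the certificate path, a signature accepted only because broken digests were tolerated is printed with the same status line as a fully valid one, so a short stderr notice when the option is set would let the operator see that the relaxed policy was in effect. The enclosing loop and function begin outside this hunk, so whether the check really runs per signature is inferred rather than visible here.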