* @GNUTLS_VERIFY_DO_NOT_ALLOW_SAME: If a certificate is not signed by
* anyone trusted but exists in the trusted CA list do not treat it
* as trusted.
+ * @GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN: A certificate chain is tolerated
+ * if unsorted (the case with many TLS servers out there).
* @GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT: Allow CA certificates that
* have version 1 (both root and intermediate). This might be
* dangerous since those haven't the basicConstraints
GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128,
GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 256,
GNUTLS_VERIFY_DISABLE_CRL_CHECKS = 512,
+ GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN = 1024,
} gnutls_certificate_verify_flags;
int gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert,
gnutls_x509_crt_t *crts;
unsigned int crts_size, i;
gnutls_x509_trust_list_t tl;
- unsigned int status;
+ unsigned int status, flags = GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN;
/* this must be called once in the program
*/
exit(1);
}
- ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, 0, &status, NULL);
+ ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, flags, &status, NULL);
if (ret < 0 || status != 0)
{
fail("gnutls_x509_trust_list_verify_crt - 1\n");
exit(1);
}
- ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, 0, &status, NULL);
+ ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, flags, &status, NULL);
if (ret < 0 || status != 0)
{
- fail("gnutls_x509_trust_list_verify_crt - 1\n");
+ fail("gnutls_x509_trust_list_verify_crt - 2\n");
exit(1);
}
exit(1);
}
- ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, 0, &status, NULL);
+ ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, flags, &status, NULL);
if (ret < 0 || status != 0)
{
- fail("gnutls_x509_trust_list_verify_crt - 1\n");
+ fail("gnutls_x509_trust_list_verify_crt - 3\n");
exit(1);
}
exit(1);
}
- ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, 0, &status, NULL);
+ ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, flags, &status, NULL);
if (ret < 0 || status != 0)
{
- fail("gnutls_x509_trust_list_verify_crt - 1\n");
+ fail("gnutls_x509_trust_list_verify_crt - 4\n");
+ exit(1);
+ }
+
+ for (i=0;i<crts_size;i++)
+ gnutls_x509_crt_deinit(crts[i]);
+ gnutls_free(crts);
+
+ /* Check if an unsorted list would fail if the unsorted flag is not given */
+ data.data = (void*) chain2;
+ data.size = sizeof(chain2);
+ ret = gnutls_x509_crt_list_import2(&crts, &crts_size, &data, GNUTLS_X509_FMT_PEM, 0);
+ if (ret < 0)
+ {
+ fail("gnutls_x509_crt_list_import2: %s\n", gnutls_strerror(ret));
+ exit(1);
+ }
+
+ ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, 0, &status, NULL);
+ if (ret < 0 || status == 0)
+ {
+ fail("gnutls_x509_trust_list_verify_crt - 5\n");
exit(1);
}