From: Nikos Mavrogiannopoulos Date: Tue, 16 Sep 2014 09:08:37 +0000 (+0200) Subject: unified the key purpose checks functions X-Git-Tag: gnutls_3_4_0~930 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=42cbe8a074e972bd8ea8e5aa485b24d9b6fbd285;p=thirdparty%2Fgnutls.git unified the key purpose checks functions --- diff --git a/lib/x509/common.h b/lib/x509/common.h index cdcdf8224a..1ce72732b3 100644 --- a/lib/x509/common.h +++ b/lib/x509/common.h @@ -199,6 +199,8 @@ bool _gnutls_check_if_same_cert2(gnutls_x509_crt_t cert1, gnutls_datum_t * cert2bin); +bool _gnutls_check_key_purpose(gnutls_x509_crt_t cert, const char *purpose); + time_t _gnutls_x509_generalTime2gtime(const char *ttime); int _gnutls_get_extension(ASN1_TYPE asn, const char *root, diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c index ef744bcf81..d211b85b15 100644 --- a/lib/x509/verify-high.c +++ b/lib/x509/verify-high.c @@ -764,54 +764,6 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list, NULL, 0, flags, voutput, func); } -static -int check_key_purpose(gnutls_x509_crt_t crt, const gnutls_datum_t *ext_data, unsigned *voutput, - const char *purpose) -{ - gnutls_datum_t coid = {NULL, 0}; - gnutls_x509_key_purposes_t p = NULL; - unsigned i; - int ret; - - ret = gnutls_x509_key_purpose_init(&p); - if (ret < 0) { - gnutls_assert(); - goto fail; - } - - ret = gnutls_x509_ext_import_key_purposes(ext_data, p, 0); - if (ret < 0) { - gnutls_assert(); - goto fail; - } - - for (i=0;;i++) { - ret = gnutls_x509_key_purpose_get(p, i, &coid); - if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { - if (i==0) { - break; - } else { /* no acceptable purpose was found */ - gnutls_assert(); - goto fail; - } - } else if (ret < 0) { - gnutls_assert(); - goto fail; - } - - if (strcmp((char*)coid.data, purpose) == 0 || strcmp((char*)coid.data, GNUTLS_KP_ANY) == 0) - break; - } - - gnutls_x509_key_purpose_deinit(p); - return 0; - fail: - *voutput |= GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE|GNUTLS_CERT_INVALID; - if (p != NULL) - gnutls_x509_key_purpose_deinit(p); - return ret; -} - /** * gnutls_x509_trust_list_verify_crt2: * @list: The structure of the list @@ -941,23 +893,13 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, } /* End-certificate, key purpose and hostname checks. */ - if (purpose) do { - gnutls_datum_t ext_data = {NULL, 0}; - - ret = gnutls_x509_crt_get_extension_by_oid2(cert_list[0], "2.5.29.37", 0, &ext_data, NULL); - if (ret < 0) { - /* it's not a fatal error if the extended key usage extension isn't there */ - gnutls_assert(); - break; - } - - ret = check_key_purpose(cert_list[0], &ext_data, voutput, purpose); - gnutls_free(ext_data.data); - - if (ret < 0) { + if (purpose) { + ret = _gnutls_check_key_purpose(cert_list[0], purpose); + if (ret != 1) { gnutls_assert(); + *voutput |= GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE|GNUTLS_CERT_INVALID; } - } while(0); + } if (hostname) { ret = diff --git a/lib/x509/verify.c b/lib/x509/verify.c index b515d17d5f..e71832d9ed 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -988,8 +988,9 @@ cleanup: return status; } -#ifdef ENABLE_PKCS11 -static bool check_key_purpose(gnutls_x509_crt_t issuer, const char *purpose) +/* Returns true if the provided purpose is in accordance with the certificate. + */ +bool _gnutls_check_key_purpose(gnutls_x509_crt_t cert, const char *purpose) { char oid[MAX_OID_SIZE]; size_t oid_size; @@ -998,7 +999,7 @@ static bool check_key_purpose(gnutls_x509_crt_t issuer, const char *purpose) for (i=0;;i++) { oid_size = sizeof(oid); - ret = gnutls_x509_crt_get_key_purpose_oid(issuer, i, oid, &oid_size, NULL); + ret = gnutls_x509_crt_get_key_purpose_oid(cert, i, oid, &oid_size, NULL); if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { if (i==0) { /* no key purpose in certificate, assume ANY */ @@ -1019,6 +1020,7 @@ static bool check_key_purpose(gnutls_x509_crt_t issuer, const char *purpose) return 0; } +#ifdef ENABLE_PKCS11 /* Verify X.509 certificate chain using a PKCS #11 token. * * Note that the return value is an OR of GNUTLS_CERT_* elements. @@ -1162,7 +1164,7 @@ _gnutls_pkcs11_verify_crt_status(const char* url, } if (purpose != NULL) { - ret = check_key_purpose(issuer, purpose); + ret = _gnutls_check_key_purpose(issuer, purpose); if (ret != 1) { gnutls_assert(); status |= GNUTLS_CERT_INVALID;