From: Nikos Mavrogiannopoulos Date: Tue, 16 Mar 2010 22:07:46 +0000 (+0100) Subject: gnutls_x509_crt_verify() and gnutls_x509_crt_list_verify() behave identically. X-Git-Tag: gnutls_2_9_10~46 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=65f77ad16aa4fbc3db0ef50c01eec467592711d6;p=thirdparty%2Fgnutls.git gnutls_x509_crt_verify() and gnutls_x509_crt_list_verify() behave identically. That means that gnutls_x509_crt_verify() will now check dates as well. Certool --verify-chain will use the GNUTLS_VERIFY_DO_NOT_ALLOW_SAME flag to gnutls_x509_crt_verify() to force verification even if certificates are the same. The only exception is at the final certificate (self-checking) where the extra flag GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is specified to allow for v1 CA certificates. --- diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 5bb20bc95c..88b6911a73 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -1035,8 +1035,7 @@ gnutls_x509_crt_list_verify (const gnutls_x509_crt_t * cert_list, * @verify: will hold the certificate verification output. * * This function will try to verify the given certificate and return - * its status. The verification output in this functions cannot be - * GNUTLS_CERT_NOT_VALID. + * its status. * * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a * negative error value. @@ -1047,18 +1046,12 @@ gnutls_x509_crt_verify (gnutls_x509_crt_t cert, int CA_list_length, unsigned int flags, unsigned int *verify) { - int ret; /* Verify certificate */ - ret = - _gnutls_verify_certificate2 (cert, CA_list, CA_list_length, flags, - verify, NULL); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - + *verify = + _gnutls_x509_verify_certificate (&cert, 1, + CA_list, CA_list_length, NULL, + 0, flags); return 0; } diff --git a/src/certtool.c b/src/certtool.c index 96e2642c41..78445ed946 100644 --- a/src/certtool.c +++ b/src/certtool.c @@ -2006,7 +2006,7 @@ generate_request (void) static void print_verification_res (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer, gnutls_x509_crl_t * crl_list, - int crl_list_size); + int crl_list_size, unsigned int flags); #define CERT_SEP "-----BEGIN CERT" #define CRL_SEP "-----BEGIN X509 CRL" @@ -2150,7 +2150,7 @@ _verify_x509_mem (const void *cert, int cert_size) fprintf (outfile, "\tVerification output: "); print_verification_res (x509_cert_list[i - 2], x509_cert_list[i - 1], x509_crl_list, - x509_ncrls); + x509_ncrls, GNUTLS_VERIFY_DO_NOT_ALLOW_SAME); fprintf (outfile, ".\n\n"); } @@ -2196,7 +2196,9 @@ _verify_x509_mem (const void *cert, int cert_size) fprintf (outfile, "\tVerification output: "); print_verification_res (x509_cert_list[x509_ncerts - 1], x509_cert_list[x509_ncerts - 1], x509_crl_list, - x509_ncrls); + /* we add GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT since it is + * self signed. */ + x509_ncrls, GNUTLS_VERIFY_DO_NOT_ALLOW_SAME|GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); fprintf (outfile, ".\n\n"); @@ -2208,7 +2210,7 @@ _verify_x509_mem (const void *cert, int cert_size) &x509_cert_list[x509_ncerts - 1], 1, x509_crl_list, x509_ncrls, - GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, + GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT|GNUTLS_VERIFY_DO_NOT_ALLOW_SAME, &verify_status); if (ret < 0) error (EXIT_FAILURE, 0, "gnutls_x509_crt_list_verify: %s", @@ -2258,14 +2260,13 @@ _verify_x509_mem (const void *cert, int cert_size) static void print_verification_res (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer, - gnutls_x509_crl_t * crl_list, int crl_list_size) + gnutls_x509_crl_t * crl_list, int crl_list_size, unsigned int flags) { unsigned int output; int comma = 0; int ret; - time_t now = time (0); - ret = gnutls_x509_crt_verify (crt, &issuer, 1, 0, &output); + ret = gnutls_x509_crt_verify (crt, &issuer, 1, flags , &output); if (ret < 0) error (EXIT_FAILURE, 0, "verification error: %s", gnutls_strerror (ret)); @@ -2296,23 +2297,20 @@ print_verification_res (gnutls_x509_crt_t crt, comma = 1; } - /* Check expiration dates. - */ - - if (gnutls_x509_crt_get_activation_time (crt) > now) + if (output & GNUTLS_CERT_NOT_ACTIVATED) { if (comma) fprintf (outfile, ", "); - comma = 1; fprintf (outfile, "Not activated"); + comma = 1; } - if (gnutls_x509_crt_get_expiration_time (crt) < now) + if (output & GNUTLS_CERT_EXPIRED) { if (comma) fprintf (outfile, ", "); - comma = 1; fprintf (outfile, "Expired"); + comma = 1; } ret = gnutls_x509_crt_check_revocation (crt, crl_list, crl_list_size);