From: Nikos Mavrogiannopoulos Date: Sat, 4 Jun 2011 18:58:50 +0000 (+0200) Subject: Added gnutls_x509_trust_list_add_named_crt() and X-Git-Tag: gnutls_2_99_3~51 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7af8e49ad43d5550c1cdf4fa5426c4e7034f08eb;p=thirdparty%2Fgnutls.git Added gnutls_x509_trust_list_add_named_crt() and gnutls_x509_trust_list_verify_named_crt() that allow having a list of certificates in the trusted list that will be associated with a name (e.g. server name) and will not be used as CAs. --- diff --git a/NEWS b/NEWS index 3562b9b9fe..be3e7ff7e5 100644 --- a/NEWS +++ b/NEWS @@ -20,11 +20,18 @@ simplifies code. ** libgnutls: Added AES-GCM optimizations using the PCLMULQDQ instruction. Uses Andy Polyakov's assembly code. +** libgnutls: Added gnutls_x509_trust_list_add_named_crt() and +gnutls_x509_trust_list_verify_named_crt() that allow having a +list of certificates in the trusted list that will be associated +with a name (e.g. server name) and will not be used as CAs. + ** libgnutls: Added ECDHE-PSK ciphersuites for TLS (RFC 5489). ** API and ABI modifications: gnutls_pubkey_verify_data2: ADDED gnutls_ecc_curve_get: ADDED +gnutls_x509_trust_list_add_named_crt: ADDED +gnutls_x509_trust_list_verify_named_crt: ADDED gnutls_x509_privkey_verify_data: REMOVED gnutls_crypto_bigint_register: REMOVED gnutls_crypto_cipher_register: REMOVED @@ -36,7 +43,7 @@ gnutls_crypto_single_cipher_register: REMOVED gnutls_crypto_single_digest_register: REMOVED gnutls_crypto_single_mac_register: REMOVED GNUTLS_KX_ECDHE_PSK: New key exchange method - +GNUTLS_VERIFY_DISABLE_CRL_CHECKS: New certificate verification flag. * Version 2.99.2 (released 2011-05-26) diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi index c64e61bcdd..a913233b30 100644 --- a/doc/cha-cert-auth.texi +++ b/doc/cha-cert-auth.texi @@ -147,6 +147,10 @@ Deinitializes the list. @item @ref{gnutls_x509_trust_list_add_cas}: Adds certificate authorities to the list. +@item @ref{gnutls_x509_trust_list_add_named_crt}: +Adds trusted certificates for an entity identified +by a name. + @item @ref{gnutls_x509_trust_list_add_crls}: Adds certificate revocation lists. @@ -155,15 +159,24 @@ Verifies a certificate chain using the previously setup trusted list. A callback can be specified that will provide information about the verification procedure (and detailed reasons of failure). +@item @ref{gnutls_x509_trust_list_verify_named_crt}: +Does verification of the certificate by looking for a matching one +in the named certificates. A callback can be specified that will provide information +about the verification procedure (and detailed reasons of failure). + @end table The verification function will verify a given certificate chain against a list of certificate authorities and certificate revocation lists, and output a bitwise OR of elements of the @code{gnutls_certificate_status_t} -enumeration. A detailed description of these elements can be found -in figure below. An example of these functions in use can be found +enumeration. It is also possible to have a set of certificates that +are trusted for a particular server but not to authorize other certificates. +This purpose is served by the functions @ref{gnutls_x509_trust_list_add_named_crt} and @ref{gnutls_x509_trust_list_verify_named_crt}. +A detailed description of these elements can be found +in figure below. An example of these functions in use can be found in @ref{ex:verify2}. + When operating in the context of a TLS session, the trusted certificate authority list has been set via the @ref{gnutls_certificate_set_x509_trust_file} and @ref{gnutls_certificate_set_x509_crl_file}, @@ -217,7 +230,11 @@ flag should normaly be disabled, unless you know what this means. Allow only trusted CA certificates that have version 1. This is safer than GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT, and should be used instead. That way only signers in your trusted list will be -allowed to have certificates of version 1. +allowed to have certificates of version 1. This is the default. + +@item GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT: +Do not allow trusted version 1 CA certificates. This option is to be used +in order consider all V1 certificates as deprecated. @item GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT: Allow CA certificates that have version 1 (both root and @@ -234,6 +251,14 @@ Allow certificates to be signed using the old MD2 algorithm. @item GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5: Allow certificates to be signed using the broken MD5 algorithm. + +@item GNUTLS_VERIFY_DISABLE_TIME_CHECKS: +Disable checking of activation +and expiration validity periods of certificate chains. Don't set +this unless you understand the security implications. + +@item GNUTLS_VERIFY_DISABLE_CRL_CHECKS: +Disables checking for validity using certificate revocation lists. @end table Although the verification of a certificate path indicates that the diff --git a/doc/examples/ex-verify.c b/doc/examples/ex-verify.c index 1cc4f3cb3c..5d349216d7 100644 --- a/doc/examples/ex-verify.c +++ b/doc/examples/ex-verify.c @@ -6,6 +6,7 @@ #include #include +#include #include #include @@ -60,8 +61,16 @@ verify_certificate_chain (const char *hostname, gnutls_x509_crt_import (cert[i], &cert_chain[i], GNUTLS_X509_FMT_DER); } - gnutls_x509_trust_list_verify_crt(tlist, cert, cert_chain_length, 0, - &output, print_details_func); + gnutls_x509_trust_list_verify_named_crt(tlist, cert[0], hostname, strlen(hostname), + GNUTLS_VERIFY_DISABLE_CRL_CHECKS, &output, print_details_func); + + /* if this certificate is not explicitly trusted verify against CAs + */ + if (output != 0) + { + gnutls_x509_trust_list_verify_crt(tlist, cert, cert_chain_length, 0, + &output, print_details_func); + } if (output & GNUTLS_CERT_INVALID) { diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c index 9cb6685904..418d8d89a8 100644 --- a/lib/gnutls_cert.c +++ b/lib/gnutls_cert.c @@ -117,7 +117,7 @@ int gnutls_certificate_get_issuer (gnutls_certificate_credentials_t sc, gnutls_x509_crt_t cert, gnutls_x509_crt_t* issuer, unsigned int flags) { - return gnutls_trust_list_get_issuer(sc->tlist, cert, issuer, flags); + return gnutls_x509_trust_list_get_issuer(sc->tlist, cert, issuer, flags); } /** diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h index 0ee291811c..f6bfdd8e78 100644 --- a/lib/includes/gnutls/x509.h +++ b/lib/includes/gnutls/x509.h @@ -541,6 +541,8 @@ extern "C" * @GNUTLS_VERIFY_DISABLE_TIME_CHECKS: Disable checking of activation * and expiration validity periods of certificate chains. Don't set * this unless you understand the security implications. + * @GNUTLS_VERIFY_DISABLE_CRL_CHECKS: Disable checking for validity + * using certificate revocation lists. * * Enumeration of different certificate verify flags. */ @@ -554,7 +556,8 @@ extern "C" GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32, GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64, GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128, - GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 256 + GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 256, + GNUTLS_VERIFY_DISABLE_CRL_CHECKS = 512, } gnutls_certificate_verify_flags; int gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert, @@ -847,13 +850,16 @@ extern "C" void gnutls_x509_trust_list_deinit (gnutls_x509_trust_list_t list, unsigned int all); - int gnutls_trust_list_get_issuer(gnutls_x509_trust_list_t list, + int gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t list, gnutls_x509_crt_t cert, gnutls_x509_crt_t* issuer, unsigned int flags); int gnutls_x509_trust_list_add_cas (gnutls_x509_trust_list_t list, const gnutls_x509_crt_t * clist, int clist_size, unsigned int flags); + int gnutls_x509_trust_list_add_named_crt (gnutls_x509_trust_list_t list, + gnutls_x509_crt_t cert, const void* name, size_t name_size, unsigned int flags); + #define GNUTLS_TL_VERIFY_CRL 1 int gnutls_x509_trust_list_add_crls (gnutls_x509_trust_list_t list, @@ -870,6 +876,14 @@ extern "C" */ unsigned int verification_output); + int gnutls_x509_trust_list_verify_named_crt ( + gnutls_x509_trust_list_t list, + gnutls_x509_crt_t cert, + const void * name, size_t name_size, + unsigned int flags, + unsigned int *verify, + gnutls_verify_output_function func); + int gnutls_x509_trust_list_verify_crt ( gnutls_x509_trust_list_t list, diff --git a/lib/libgnutls.map b/lib/libgnutls.map index 6290a14799..bd3a4dbdf4 100644 --- a/lib/libgnutls.map +++ b/lib/libgnutls.map @@ -711,6 +711,8 @@ GNUTLS_3_0_0 { gnutls_x509_privkey_export_ecc_raw; gnutls_x509_privkey_import_ecc_raw; gnutls_pubkey_verify_data2; + gnutls_x509_trust_list_verify_named_crt; + gnutls_x509_trust_list_add_named_crt; } GNUTLS_2_12; GNUTLS_PRIVATE { diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c index 0b062df826..c106ffe508 100644 --- a/lib/x509/verify-high.c +++ b/lib/x509/verify-high.c @@ -37,10 +37,20 @@ #define DEFAULT_SIZE 503 #define INIT_HASH 0x33a1 + +struct named_cert_st { + gnutls_x509_crt_t cert; + uint8_t name[MAX_NAME_SIZE]; + unsigned int name_size; +}; + struct node_st { /* The trusted certificates */ - gnutls_x509_crt_t * trusted_crts; - unsigned int trusted_crt_size; + gnutls_x509_crt_t * trusted_cas; + unsigned int trusted_ca_size; + + struct named_cert_st *named_certs; + unsigned int named_cert_size; /* The trusted CRLs */ gnutls_x509_crl_t * crls; @@ -105,11 +115,11 @@ int i, j; { for (i=0;isize;i++) { - for (j=0;jnode[i].trusted_crt_size;j++) + for (j=0;jnode[i].trusted_ca_size;j++) { - gnutls_x509_crt_deinit(list->node[i].trusted_crts[j]); + gnutls_x509_crt_deinit(list->node[i].trusted_cas[j]); } - gnutls_free(list->node[i].trusted_crts); + gnutls_free(list->node[i].trusted_cas); for (j=0;jnode[i].crl_size;j++) { gnutls_x509_crl_deinit(list->node[i].crls[j]); @@ -156,22 +166,82 @@ uint32_t hash; hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH); hash %= list->size; - list->node[hash].trusted_crts = gnutls_realloc_fast( list->node[hash].trusted_crts, (list->node[hash].trusted_crt_size+1)*sizeof(list->node[hash].trusted_crts[0])); - if (list->node[hash].trusted_crts == NULL) + _gnutls_free_datum(&dn); + + list->node[hash].trusted_cas = gnutls_realloc_fast( list->node[hash].trusted_cas, (list->node[hash].trusted_ca_size+1)*sizeof(list->node[hash].trusted_cas[0])); + if (list->node[hash].trusted_cas == NULL) { gnutls_assert(); return i; } - list->node[hash].trusted_crts[list->node[hash].trusted_crt_size] = clist[i]; - list->node[hash].trusted_crt_size++; - - _gnutls_free_datum(&dn); + list->node[hash].trusted_cas[list->node[hash].trusted_ca_size] = clist[i]; + list->node[hash].trusted_ca_size++; } return i; } +/** + * gnutls_x509_trust_list_add_named_crt: + * @list: The structure of the list + * @cert: A certificate + * @name: An identifier for the certificate + * @name_size: The size of the identifier + * @flags: should be 0. + * + * This function will add the given certificate to the trusted + * list and associate it with a name. The certificate will not be + * be used for verification with gnutls_x509_trust_list_verify_crt() + * but only with gnutls_x509_trust_list_verify_named_crt(). + * + * In principle this function can be used to set individual "server" + * certificates that are trusted by the user for that specific server + * but for no other purposes. + * + * The certificate must not be deinitialized during the lifetime + * of the trusted list. + * + * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a + * negative error value. + * + **/ +int +gnutls_x509_trust_list_add_named_crt (gnutls_x509_trust_list_t list, + gnutls_x509_crt_t cert, const void* name, size_t name_size, unsigned int flags) +{ +gnutls_datum_t dn; +int ret; +uint32_t hash; + + if (name_size >= MAX_NAME_SIZE) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + ret = gnutls_x509_crt_get_raw_issuer_dn(cert, &dn); + if (ret < 0) + { + gnutls_assert(); + return ret; + } + + hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH); + hash %= list->size; + + _gnutls_free_datum(&dn); + + list->node[hash].named_certs = gnutls_realloc_fast( list->node[hash].named_certs, (list->node[hash].named_cert_size+1)*sizeof(list->node[hash].named_certs[0])); + if (list->node[hash].named_certs == NULL) + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + + list->node[hash].named_certs[list->node[hash].named_cert_size].cert = cert; + memcpy(list->node[hash].named_certs[list->node[hash].named_cert_size].name, name, name_size); + list->node[hash].named_certs[list->node[hash].named_cert_size].name_size = name_size; + + list->node[hash].named_cert_size++; + + return 0; +} + /** * gnutls_x509_trust_list_add_crls: * @list: The structure of the list @@ -225,13 +295,13 @@ uint32_t hash; if (flags & GNUTLS_TL_VERIFY_CRL) { - ret = gnutls_x509_crl_verify(crl_list[i], list->node[hash].trusted_crts, - list->node[hash].trusted_crt_size, verification_flags, &vret); + ret = gnutls_x509_crl_verify(crl_list[i], list->node[hash].trusted_cas, + list->node[hash].trusted_ca_size, verification_flags, &vret); if (ret < 0 || vret != 0) continue; } - list->node[hash].crls = gnutls_realloc_fast( list->node[hash].crls, (list->node[hash].crl_size+1)*sizeof(list->node[hash].trusted_crts[0])); + list->node[hash].crls = gnutls_realloc_fast( list->node[hash].crls, (list->node[hash].crl_size+1)*sizeof(list->node[hash].trusted_cas[0])); if (list->node[hash].crls == NULL) { gnutls_assert(); @@ -299,9 +369,9 @@ gnutls_datum_t dn; _gnutls_free_datum(&dn); - for (j = 0; j < list->node[hash].trusted_crt_size; j++) + for (j = 0; j < list->node[hash].trusted_ca_size; j++) { - if (check_if_same_cert (certificate_list[i], list->node[hash].trusted_crts[j]) == 0) + if (check_if_same_cert (certificate_list[i], list->node[hash].trusted_cas[j]) == 0) { /* cut the list at the point of first the trusted certificate */ clist_size = i+1; @@ -327,7 +397,7 @@ gnutls_datum_t dn; * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a * negative error value. **/ -int gnutls_trust_list_get_issuer(gnutls_x509_trust_list_t list, +int gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t list, gnutls_x509_crt_t cert, gnutls_x509_crt_t* issuer, unsigned int flags) { gnutls_datum_t dn; @@ -346,12 +416,12 @@ uint32_t hash; _gnutls_free_datum(&dn); - for (i=0;inode[hash].trusted_crt_size;i++) + for (i=0;inode[hash].trusted_ca_size;i++) { - ret = gnutls_x509_crt_check_issuer (cert, list->node[hash].trusted_crts[i]); + ret = gnutls_x509_crt_check_issuer (cert, list->node[hash].trusted_cas[i]); if (ret > 0) { - *issuer = list->node[hash].trusted_crts[i]; + *issuer = list->node[hash].trusted_cas[i]; return 0; } } @@ -407,10 +477,10 @@ uint32_t hash; _gnutls_free_datum(&dn); *verify = _gnutls_x509_verify_certificate(cert_list, cert_list_size, - list->node[hash].trusted_crts, list->node[hash].trusted_crt_size, + list->node[hash].trusted_cas, list->node[hash].trusted_ca_size, flags, func); - if (*verify != 0) return 0; + if (*verify != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS)) return 0; /* Check revocation of individual certificates. * start with the last one that we already have its hash @@ -452,3 +522,79 @@ uint32_t hash; return 0; } + +/** + * gnutls_x509_trust_list_verify_named_crt: + * @list: The structure of the list + * @cert: is the certificate to be verified + * @name: is the certificate's name + * @name_size: is the certificate's name size + * @flags: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations. + * @verify: will hold the certificate verification output. + * @func: If non-null will be called on each chain element verification with the output. + * + * This function will try to find a matching named certificate. If a + * match is found the certificate is considered valid. In addition to that + * this function will also check CRLs. + * + * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a + * negative error value. + **/ +int +gnutls_x509_trust_list_verify_named_crt ( + gnutls_x509_trust_list_t list, + gnutls_x509_crt_t cert, + const void * name, + size_t name_size, + unsigned int flags, + unsigned int *verify, + gnutls_verify_output_function func) +{ +gnutls_datum_t dn; +int ret, i; +uint32_t hash; + + ret = gnutls_x509_crt_get_raw_issuer_dn(cert, &dn); + if (ret < 0) + { + gnutls_assert(); + return ret; + } + + hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH); + hash %= list->size; + + _gnutls_free_datum(&dn); + + *verify = GNUTLS_CERT_INVALID; + + for (i=0;inode[hash].named_cert_size;i++) + { + if (check_if_same_cert(cert, list->node[hash].named_certs[i].cert)==0) + { /* check if name matches */ + if (list->node[hash].named_certs[i].name_size==name_size && + memcmp(list->node[hash].named_certs[i].name, name, name_size) == 0) + { + *verify = 0; + break; + } + } + } + + if (*verify != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS)) return 0; + + /* Check revocation of individual certificates. + * start with the last one that we already have its hash + */ + ret = _gnutls_x509_crt_check_revocation (cert, + list->node[hash].crls, + list->node[hash].crl_size, func); + if (ret == 1) + { /* revoked */ + *verify |= GNUTLS_CERT_REVOKED; + *verify |= GNUTLS_CERT_INVALID; + return 0; + } + + return 0; +} diff --git a/tests/Makefile.am b/tests/Makefile.am index bd259311f7..efca9b260c 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -65,7 +65,7 @@ ctests = simple gc set_pkcs12_cred certder certuniqueid mpi \ crq_apis init_roundtrip pkcs12_s2k_pem dn2 mini-eagain \ nul-in-x509-names x509_altname pkcs12_encode mini-x509 \ mini-x509-rehandshake rng-fork mini-eagain-dtls cipher-test \ - x509cert #gendh + x509cert x509cert-tl #gendh if ENABLE_OPENSSL ctests += openssl diff --git a/tests/x509cert-tl.c b/tests/x509cert-tl.c new file mode 100644 index 0000000000..b6ee2e662e --- /dev/null +++ b/tests/x509cert-tl.c @@ -0,0 +1,209 @@ +/* + * Copyright (C) 2011 Free Software Foundation, Inc. + * + * Author: Nikos Mavrogiannopoulos + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GnuTLS; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +/* Parts copied from GnuTLS example programs. */ + +#ifdef HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#include +#include +#include +#include + +#include "utils.h" + +/* gnutls_trust_list_*(). + */ + +static void +tls_log_func (int level, const char *str) +{ + fprintf (stderr, "<%d>| %s", level, str); +} + +static unsigned char ca_pem[] = + "-----BEGIN CERTIFICATE-----\n" + "MIIB5zCCAVKgAwIBAgIERiYdJzALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" + "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTExWhcNMDgwNDE3MTMyOTExWjAZMRcw\n" + "FQYDVQQDEw5HbnVUTFMgdGVzdCBDQTCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA\n" + "vuyYeh1vfmslnuggeEKgZAVmQ5ltSdUY7H25WGSygKMUYZ0KT74v8C780qtcNt9T\n" + "7EPH/N6RvB4BprdssgcQLsthR3XKA84jbjjxNCcaGs33lvOz8A1nf8p3hD+cKfRi\n" + "kfYSW2JazLrtCC4yRCas/SPOUxu78of+3HiTfFm/oXUCAwEAAaNDMEEwDwYDVR0T\n" + "AQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBTpPBz7rZJu5gak\n" + "Viyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAiaIRqGfp1jPpNeVhABK60SU0KIAy\n" + "njuu7kHq5peUgYn8Jd9zNzExBOEp1VOipGsf6G66oQAhDFp2o8zkz7ZH71zR4HEW\n" + "KoX6n5Emn6DvcEH/9pAhnGxNHJAoS7czTKv/JDZJhkqHxyrE1fuLsg5Qv25DTw7+\n" + "PfqUpIhz5Bbm7J4=\n" "-----END CERTIFICATE-----\n"; +const gnutls_datum_t ca = { ca_pem, sizeof (ca_pem) }; + +static unsigned char cert_pem[] = + "-----BEGIN CERTIFICATE-----\n" + "MIICHjCCAYmgAwIBAgIERiYdNzALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" + "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTI3WhcNMDgwNDE3MTMyOTI3WjAdMRsw\n" + "GQYDVQQDExJHbnVUTFMgdGVzdCBjbGllbnQwgZwwCwYJKoZIhvcNAQEBA4GMADCB\n" + "iAKBgLtmQ/Xyxde2jMzF3/WIO7HJS2oOoa0gUEAIgKFPXKPQ+GzP5jz37AR2ExeL\n" + "ZIkiW8DdU3w77XwEu4C5KL6Om8aOoKUSy/VXHqLnu7czSZ/ju0quak1o/8kR4jKN\n" + "zj2AC41179gAgY8oBAOgIo1hBAf6tjd9IQdJ0glhaZiQo1ipAgMBAAGjdjB0MAwG\n" + "A1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDwYDVR0PAQH/BAUDAweg\n" + "ADAdBgNVHQ4EFgQUTLkKm/odNON+3svSBxX+odrLaJEwHwYDVR0jBBgwFoAU6Twc\n" + "+62SbuYGpFYsouHAUyfI8pUwCwYJKoZIhvcNAQEFA4GBALujmBJVZnvaTXr9cFRJ\n" + "jpfc/3X7sLUsMvumcDE01ls/cG5mIatmiyEU9qI3jbgUf82z23ON/acwJf875D3/\n" + "U7jyOsBJ44SEQITbin2yUeJMIm1tievvdNXBDfW95AM507ShzP12sfiJkJfjjdhy\n" + "dc8Siq5JojruiMizAf0pA7in\n" "-----END CERTIFICATE-----\n"; +const gnutls_datum_t cert = { cert_pem, sizeof (cert_pem) }; + +static unsigned char key_pem[] = + "-----BEGIN RSA PRIVATE KEY-----\n" + "MIICXAIBAAKBgQC7ZkP18sXXtozMxd/1iDuxyUtqDqGtIFBACIChT1yj0Phsz+Y8\n" + "9+wEdhMXi2SJIlvA3VN8O+18BLuAuSi+jpvGjqClEsv1Vx6i57u3M0mf47tKrmpN\n" + "aP/JEeIyjc49gAuNde/YAIGPKAQDoCKNYQQH+rY3fSEHSdIJYWmYkKNYqQIDAQAB\n" + "AoGADpmARG5CQxS+AesNkGmpauepiCz1JBF/JwnyiX6vEzUh0Ypd39SZztwrDxvF\n" + "PJjQaKVljml1zkJpIDVsqvHdyVdse8M+Qn6hw4x2p5rogdvhhIL1mdWo7jWeVJTF\n" + "RKB7zLdMPs3ySdtcIQaF9nUAQ2KJEvldkO3m/bRJFEp54k0CQQDYy+RlTmwRD6hy\n" + "7UtMjR0H3CSZJeQ8svMCxHLmOluG9H1UKk55ZBYfRTsXniqUkJBZ5wuV1L+pR9EK\n" + "ca89a+1VAkEA3UmBelwEv2u9cAU1QjKjmwju1JgXbrjEohK+3B5y0ESEXPAwNQT9\n" + "TrDM1m9AyxYTWLxX93dI5QwNFJtmbtjeBQJARSCWXhsoaDRG8QZrCSjBxfzTCqZD\n" + "ZXtl807ymCipgJm60LiAt0JLr4LiucAsMZz6+j+quQbSakbFCACB8SLV1QJBAKZQ\n" + "YKf+EPNtnmta/rRKKvySsi3GQZZN+Dt3q0r094XgeTsAqrqujVNfPhTMeP4qEVBX\n" + "/iVX2cmMTSh3w3z8MaECQEp0XJWDVKOwcTW6Ajp9SowtmiZ3YDYo1LF9igb4iaLv\n" + "sWZGfbnU3ryjvkb6YuFjgtzbZDZHWQCo8/cOtOBmPdk=\n" + "-----END RSA PRIVATE KEY-----\n"; +const gnutls_datum_t key = { key_pem, sizeof (key_pem) }; + +static unsigned char server_cert_pem[] = + "-----BEGIN CERTIFICATE-----\n" + "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" + "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n" + "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n" + "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n" + "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n" + "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n" + "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n" + "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n" + "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n" + "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n" + "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n" + "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n" + "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n"; + +const gnutls_datum_t server_cert = { server_cert_pem, + sizeof (server_cert_pem) +}; + +static unsigned char server_key_pem[] = + "-----BEGIN RSA PRIVATE KEY-----\n" + "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n" + "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n" + "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n" + "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n" + "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n" + "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n" + "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n" + "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n" + "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n" + "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n" + "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n" + "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n" + "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n" + "-----END RSA PRIVATE KEY-----\n"; + +const gnutls_datum_t server_key = { server_key_pem, + sizeof (server_key_pem) +}; + +static time_t mytime (time_t * t) +{ + time_t then = 1207000800; + + if (t) + *t = then; + + return then; +} + +#define NAME "localhost" +#define NAME_SIZE (sizeof(NAME)-1) +void +doit (void) +{ + int ret; + gnutls_x509_crt_t server_crt, ca_crt; + gnutls_x509_trust_list_t tl; + unsigned int status; + + /* this must be called once in the program + */ + gnutls_global_init (); + + gnutls_global_set_time_function (mytime); + gnutls_global_set_log_function (tls_log_func); + if (debug) + gnutls_global_set_log_level (6); + + /* test for gnutls_certificate_get_issuer() */ + gnutls_x509_trust_list_init(&tl, 0); + gnutls_x509_crt_init(&server_crt); + gnutls_x509_crt_init(&ca_crt); + + ret = gnutls_x509_crt_import(server_crt, &cert, GNUTLS_X509_FMT_PEM); + if (ret < 0) + fail("gnutls_x509_crt_import"); + + ret = gnutls_x509_crt_import(ca_crt, &ca, GNUTLS_X509_FMT_PEM); + if (ret < 0) + fail("gnutls_x509_crt_import"); + + ret = gnutls_x509_trust_list_add_cas(tl, &ca_crt, 1, 0); + if (ret < 0) + fail("gnutls_x509_trust_list_add_cas"); + + ret = gnutls_x509_trust_list_add_named_crt(tl, server_crt, NAME, NAME_SIZE, 0); + if (ret < 0) + fail("gnutls_x509_trust_list_add_named_crt"); + + ret = gnutls_x509_trust_list_verify_crt(tl, &server_crt, 1, 0, &status, NULL); + if (ret < 0 || status != 0) + fail("gnutls_x509_trust_list_verify_crt\n"); + + ret = gnutls_x509_trust_list_verify_named_crt(tl, server_crt, NAME, NAME_SIZE, 0, &status, NULL); + if (ret < 0 || status != 0) + fail("gnutls_x509_trust_list_verify_named_crt: %d\n", __LINE__); + + ret = gnutls_x509_trust_list_verify_named_crt(tl, server_crt, NAME, NAME_SIZE-1, 0, &status, NULL); + if (ret < 0 || status == 0) + fail("gnutls_x509_trust_list_verify_named_crt: %d\n", __LINE__); + + ret = gnutls_x509_trust_list_verify_named_crt(tl, server_crt, "other", 5, 0, &status, NULL); + if (ret < 0 || status == 0) + fail("gnutls_x509_trust_list_verify_named_crt: %d\n", __LINE__); + + gnutls_x509_crt_deinit(ca_crt); + gnutls_x509_crt_deinit(server_crt); + gnutls_x509_trust_list_deinit(tl, 0); + + success("success"); +}