From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Thu, 31 Mar 2016 14:58:37 +0000 (+0200)
Subject: certtool: added flag to allow verification using broken algorithms
X-Git-Tag: gnutls_3_5_0~215
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8ee8a53bef77be018c4eeb261309846f261a35c8;p=thirdparty%2Fgnutls.git

certtool: added flag to allow verification using broken algorithms
---

diff --git a/src/certtool-args.def b/src/certtool-args.def
index e9e253b989..1f33191179 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -129,6 +129,12 @@ flag = {
     doc = "This object identifier restricts the purpose of the certificates to be verified. Example purposes are 1.3.6.1.5.5.7.3.1 (TLS WWW), 1.3.6.1.5.5.7.3.4 (EMAIL) etc. Note that a CA certificate without a purpose set (extended key usage) is valid for any purpose.";
 };
 
+flag = {
+    name      = verify-allow-broken;
+    descrip   = "Allow broken algorithms, such as MD5 for verification";
+    doc = "This can be combined with --p7-verify, --verify or --verify-chain.";
+};
+
 flag = {
     name      = generate-dh-params;
     descrip   = "Generate PKCS #3 encoded Diffie-Hellman parameters";
diff --git a/src/certtool.c b/src/certtool.c
index 8cca98fa65..18d272439b 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -2360,6 +2360,7 @@ _verify_x509_mem(const void *cert, int cert_size, const void *ca,
 	unsigned int x509_ncerts, x509_ncrls = 0, x509_ncas = 0;
 	gnutls_x509_trust_list_t list;
 	unsigned int output;
+	unsigned vflags;
 
 	ret = gnutls_x509_trust_list_init(&list, 0);
 	if (ret < 0) {
@@ -2467,6 +2468,12 @@ _verify_x509_mem(const void *cert, int cert_size, const void *ca,
 	fprintf(stdout, "Loaded %d certificates, %d CAs and %d CRLs\n\n",
 		x509_ncerts, x509_ncas, x509_ncrls);
 
+	vflags = GNUTLS_VERIFY_DO_NOT_ALLOW_SAME;
+
+	if (HAVE_OPT(VERIFY_ALLOW_BROKEN))
+		vflags |= GNUTLS_VERIFY_ALLOW_BROKEN;
+
+
 	if (purpose || hostname || email) {
 		gnutls_typed_vdata_st vdata[2];
 		unsigned vdata_size = 0;
@@ -2495,14 +2502,14 @@ _verify_x509_mem(const void *cert, int cert_size, const void *ca,
 						       x509_ncerts,
 						       vdata,
 						       vdata_size,
-						       GNUTLS_VERIFY_DO_NOT_ALLOW_SAME,
+						       vflags,
 						       &output,
 						       detailed_verification);
 	} else { 
 		ret =
 		    gnutls_x509_trust_list_verify_crt(list, x509_cert_list,
 						      x509_ncerts,
-						      GNUTLS_VERIFY_DO_NOT_ALLOW_SAME,
+						      vflags,
 						      &output,
 						      detailed_verification);
 	}
@@ -2798,6 +2805,7 @@ void verify_pkcs7(common_info_st * cinfo, const char *purpose, unsigned display_
 	gnutls_typed_vdata_st vdata[2];
 	unsigned vdata_size = 0;
 	gnutls_x509_crt_t signer = NULL;
+	unsigned flags = 0;
 
 	ret = gnutls_pkcs7_init(&pkcs7);
 	if (ret < 0) {
@@ -2886,10 +2894,13 @@ void verify_pkcs7(common_info_st * cinfo, const char *purpose, unsigned display_
 
 		gnutls_pkcs7_signature_info_deinit(&info);
 
+		if (HAVE_OPT(VERIFY_ALLOW_BROKEN))
+			flags |= GNUTLS_VERIFY_ALLOW_BROKEN;
+
 		if (signer)
-			ret = gnutls_pkcs7_verify_direct(pkcs7, signer, i, detached.data!=NULL?&detached:NULL, 0);
+			ret = gnutls_pkcs7_verify_direct(pkcs7, signer, i, detached.data!=NULL?&detached:NULL, flags);
 		else
-			ret = gnutls_pkcs7_verify(pkcs7, tl, vdata, vdata_size, i, detached.data!=NULL?&detached:NULL, 0);
+			ret = gnutls_pkcs7_verify(pkcs7, tl, vdata, vdata_size, i, detached.data!=NULL?&detached:NULL, flags);
 		if (ret < 0) {
 			fprintf(stderr, "\tSignature status: verification failed: %s\n", gnutls_strerror(ret));
 			ecode = 1;