return clist_size;
}
-static
-int trust_list_get_issuer(gnutls_x509_trust_list_t list,
- gnutls_x509_crt_t cert,
- gnutls_x509_crt_t * issuer,
- unsigned int flags)
+int _gnutls_trust_list_get_issuer(gnutls_x509_trust_list_t list,
+ gnutls_x509_crt_t cert,
+ gnutls_x509_crt_t * issuer,
+ unsigned int flags)
{
int ret;
unsigned int i;
{
int ret;
- ret = trust_list_get_issuer(list, cert, issuer, flags);
+ ret = _gnutls_trust_list_get_issuer(list, cert, issuer, flags);
if (ret == 0) {
return 0;
}
}
*voutput =
- _gnutls_verify_crt_status(cert_list, cert_list_size,
- list->node[hash].trusted_cas,
- list->
- node[hash].trusted_ca_size,
- flags, purpose, func);
+ _gnutls_verify_crt_status(list, cert_list, cert_list_size,
+ list->node[hash].trusted_cas,
+ list->node[hash].trusted_ca_size,
+ flags, purpose, func);
saved_output = *voutput;
if (SIGNER_OLD_OR_UNKNOWN(*voutput) &&
_gnutls_debug_log("issuer in verification was not found or insecure; trying against trust list\n");
*voutput =
- _gnutls_verify_crt_status(cert_list, cert_list_size,
- list->node[hash].trusted_cas,
- list->
- node[hash].trusted_ca_size,
- flags, purpose, func);
+ _gnutls_verify_crt_status(list, cert_list, cert_list_size,
+ list->node[hash].trusted_cas,
+ list->node[hash].trusted_ca_size,
+ flags, purpose, func);
if (*voutput != 0) {
if (SIGNER_WAS_KNOWN(saved_output))
*voutput = saved_output;
if (SIGNER_OLD_OR_UNKNOWN(*voutput) && list->pkcs11_token) {
/* use the token for verification */
- *voutput = _gnutls_pkcs11_verify_crt_status(list->pkcs11_token,
- cert_list, cert_list_size,
- purpose,
- flags, func);
+ *voutput = _gnutls_pkcs11_verify_crt_status(list, list->pkcs11_token,
+ cert_list, cert_list_size,
+ purpose,
+ flags, func);
if (*voutput != 0) {
if (SIGNER_WAS_KNOWN(saved_output))
*voutput = saved_output;
#include <x509_int.h>
#include <common.h>
#include <pk.h>
+#include <x509/verify-high.h>
#include "supported_exts.h"
#include "profiles.h"
gnutls_x509_crt_t issuer,
unsigned vflags);
-/*
+/*
* Verifies the given certificate against a certificate list of
* trusted CAs.
*
- * Returns only 0 or 1. If 1 it means that the certificate
+ * Returns only 0 or 1. If 1 it means that the certificate
* was successfully verified.
*
* 'flags': an OR of the gnutls_certificate_verify_flags enumeration.
* Output will hold some extra information about the verification
* procedure.
*/
-static unsigned
-verify_crt(gnutls_x509_crt_t cert,
- const gnutls_x509_crt_t * trusted_cas,
- int tcas_size, unsigned int flags,
- unsigned int *output,
- verify_state_st *vparams,
- unsigned end_cert)
+static unsigned verify_crt(gnutls_x509_trust_list_t tlist,
+ gnutls_x509_crt_t cert,
+ const gnutls_x509_crt_t * trusted_cas,
+ int tcas_size, unsigned int flags,
+ unsigned int *output,
+ verify_state_st *vparams,
+ unsigned end_cert)
{
gnutls_datum_t cert_signed_data = { NULL, 0 };
gnutls_datum_t cert_signature = { NULL, 0 };
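Review bot: The header comment above verify_crt (L71–L82) was changed only for trailing whitespace and still says nothing about the new first parameter `tlist`, so the contract of the signature change at L90 is undocumented; the same gap applies to `_gnutls_verify_crt_status` at L142 and `_gnutls_pkcs11_verify_crt_status` at L194, whose header comments are left untouched. I would add a line to each block along the lines of ` * 'tlist': trust list whose issuer callback is consulted when no issuer for the certificate is found in trusted_cas; may be NULL, in which case that step is skipped.` The NULL tolerance is what the `tlist != NULL` test later in this diff implies for verify_crt; confirm the other two functions tolerate it before documenting it there. verify_crt's body continues past the end of this hunk.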
if (tcas_size >= 1)
issuer = find_issuer(cert, trusted_cas, tcas_size);
+ if (issuer == NULL && tlist != NULL && tlist->issuer_callback != NULL) {
+ _gnutls_debug_log("Missing issuer callback set.\n");
+
+ /* missing issuer is populated by the callback */
+ ret = tlist->issuer_callback(tlist, cert);
+ if (ret < 0) {
+ /* if the callback fails, continue as though the callback
+ * wasn't invoked i.e issuer remains NULL */
+ gnutls_assert();
+ issuer = NULL;
+ }
+
+ ret = _gnutls_trust_list_get_issuer(tlist, cert, &issuer, 0);
+ if (ret < 0) {
+ gnutls_assert();
+ issuer = NULL;
+ }
+ }
+
ret =
_gnutls_x509_get_signed_data(cert->cert, &cert->der, "tbsCertificate",
&cert_signed_data);
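Review bot: The comment at L108–L109 says a failing callback is treated as though it was never invoked, but the code does not skip the `_gnutls_trust_list_get_issuer` lookup at L114, and the `issuer = NULL` at L111 is redundant because this branch is only entered with `issuer == NULL`; either make the lookup conditional on the callback succeeding or reword the comment, e.g. `/* a failing callback means "no issuer supplied"; the trust list is still consulted below */`. The debug message at L103, `"Missing issuer callback set.\n"`, is emitted when a callback is set and the issuer is missing, so `"issuer not found; invoking issuer callback\n"` would describe the event. Whatever the callback makes visible in tlist and the lookup then returns is assigned to `issuer` and, as far as the continuation of verify_crt outside this hunk shows, follows the same path as an issuer found in trusted_cas; the function's documentation should state whether such a certificate is treated as a trust anchor or only as a chain link, since that is what an implementer of the callback needs to know. The lookup passes a literal `0` as flags rather than the caller's `flags`; if that is intentional, a one-line comment would save the next reader a question. verify_crt starts and ends outside this hunk.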
} else {
if (vparams->nc != NULL) {
/* append the issuer's constraints */
- ret = gnutls_x509_crt_get_name_constraints(issuer, vparams->nc,
+ ret = gnutls_x509_crt_get_name_constraints(issuer, vparams->nc,
GNUTLS_NAME_CONSTRAINTS_FLAG_APPEND, NULL);
if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
MARK_INVALID(GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE);
* list should lead to a trusted certificate in order to be trusted.
*/
unsigned int
-_gnutls_verify_crt_status(const gnutls_x509_crt_t * certificate_list,
- int clist_size,
- const gnutls_x509_crt_t * trusted_cas,
- int tcas_size,
- unsigned int flags,
- const char *purpose,
- gnutls_verify_output_function func)
+_gnutls_verify_crt_status(gnutls_x509_trust_list_t tlist,
+ const gnutls_x509_crt_t * certificate_list,
+ int clist_size,
+ const gnutls_x509_crt_t * trusted_cas,
+ int tcas_size,
+ unsigned int flags,
+ const char *purpose,
+ gnutls_verify_output_function func)
{
int i = 0, ret;
unsigned int status = 0, output;
*/
output = 0;
- ret = verify_crt(certificate_list[clist_size - 1],
- trusted_cas, tcas_size, flags,
- &output,
- &vparams,
- clist_size==1?1:0);
+ ret = verify_crt(tlist,
+ certificate_list[clist_size - 1],
+ trusted_cas, tcas_size, flags,
+ &output,
+ &vparams,
+ clist_size==1?1:0);
if (ret != 1) {
/* if the last certificate in the certificate
* list is invalid, then the certificate is not
}
if ((ret =
- verify_crt(certificate_list[i - 1],
- &certificate_list[i], 1,
- flags, &output,
- &vparams,
- i==1?1:0)) != 1) {
+ verify_crt(tlist,
+ certificate_list[i - 1],
+ &certificate_list[i], 1,
+ flags, &output,
+ &vparams,
+ i==1?1:0)) != 1) {
gnutls_assert();
status |= output;
status |= GNUTLS_CERT_INVALID;
* list should lead to a trusted certificate in order to be trusted.
*/
unsigned int
-_gnutls_pkcs11_verify_crt_status(const char* url,
- const gnutls_x509_crt_t * certificate_list,
- unsigned clist_size,
- const char *purpose,
- unsigned int flags,
- gnutls_verify_output_function func)
+_gnutls_pkcs11_verify_crt_status(gnutls_x509_trust_list_t tlist,
+ const char* url,
+ const gnutls_x509_crt_t * certificate_list,
+ unsigned clist_size,
+ const char *purpose,
+ unsigned int flags,
+ gnutls_verify_output_function func)
{
int ret;
unsigned int status = 0, i;
ret = gnutls_pkcs11_crt_is_known(url, certificate_list[clist_size - 1],
GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED|GNUTLS_PKCS11_OBJ_FLAG_COMPARE);
if (ret != 0) {
- return _gnutls_verify_crt_status(certificate_list, clist_size,
- &certificate_list[clist_size - 1], 1, flags,
- purpose, func);
+ return _gnutls_verify_crt_status(tlist,
+ certificate_list, clist_size,
+ &certificate_list[clist_size - 1],
+ 1, flags, purpose, func);
}
}
/* verify the certificate list against 0 trusted CAs in order
* to get, any additional flags from the certificate list (e.g.,
* insecure algorithms or expired */
- status |= _gnutls_verify_crt_status(certificate_list, clist_size,
+ status |= _gnutls_verify_crt_status(tlist, certificate_list, clist_size,
NULL, 0, flags, purpose, func);
goto cleanup;
}
goto cleanup;
}
- status = _gnutls_verify_crt_status(certificate_list, clist_size,
- &issuer, 1, flags, purpose, func);
+ status = _gnutls_verify_crt_status(tlist, certificate_list, clist_size,
+ &issuer, 1, flags, purpose, func);
cleanup:
gnutls_free(raw_issuer.data);
{
unsigned i;
int ret;
+ gnutls_x509_trust_list_t tlist;
if (cert_list == NULL || cert_list_length == 0)
return GNUTLS_E_NO_CERTIFICATE_FOUND;
- /* Verify certificate
+ gnutls_x509_trust_list_init(&tlist, 0);
+
+ /* Verify certificate
*/
- *verify =
- _gnutls_verify_crt_status(cert_list, cert_list_length,
+ *verify = _gnutls_verify_crt_status(tlist, cert_list, cert_list_length,
CA_list, CA_list_length,
flags, NULL, NULL);
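Review bot: The return value of `gnutls_x509_trust_list_init(&tlist, 0)` at L239 is discarded, so on failure `tlist` is not guaranteed to point to a usable list yet is still passed to `_gnutls_verify_crt_status`; `ret` is already declared at L234, so `ret = gnutls_x509_trust_list_init(&tlist, 0);` followed by `if (ret < 0) return gnutls_assert_val(ret);` closes that. The same unchecked call appears at L264 in the next function, which has no `ret` in scope and would need `int ret;` added. Nothing in either hunk adds CAs or a callback to this list, so it appears to exist only to satisfy the new signature; if `_gnutls_verify_crt_status` tolerates a NULL list — the `tlist != NULL` guard in verify_crt suggests it may, but the rest of that function is not shown — passing NULL would avoid the allocation and the unchecked init altogether. Any early return introduced between L239 and the deinit at L255 would leak the list, so the init/deinit pairing deserves a comment. The enclosing function continues outside this hunk.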
- /* Check for revoked certificates in the chain.
+ /* Check for revoked certificates in the chain.
*/
for (i = 0; i < cert_list_length; i++) {
ret = gnutls_x509_crt_check_revocation(cert_list[i],
}
}
+ gnutls_x509_trust_list_deinit(tlist, 0);
return 0;
}
unsigned CA_list_length, unsigned int flags,
unsigned int *verify)
{
- /* Verify certificate
+ gnutls_x509_trust_list_t tlist;
+
+ gnutls_x509_trust_list_init(&tlist, 0);
+
+ /* Verify certificate
*/
- *verify =
- _gnutls_verify_crt_status(&cert, 1,
+ *verify = _gnutls_verify_crt_status(tlist, &cert, 1,
CA_list, CA_list_length,
flags, NULL, NULL);
+
+ gnutls_x509_trust_list_deinit(tlist, 0);
return 0;
}
* @issuer: is the certificate of a possible issuer
*
* This function will check if the given CRL was issued by the given
- * issuer certificate.
+ * issuer certificate.
*
- * Returns: true (1) if the given CRL was issued by the given issuer,
+ * Returns: true (1) if the given CRL was issued by the given issuer,
* and false (0) if not.
**/
unsigned