pytest/dns_aging: use correct variable names
[Samba.git] / lib / mscat / mscat_pkcs7.c
blob5d882891313d4df61cf1e99e0a424332b1fe8c9b
1 /*
2 * Copyright (c) 2016 Andreas Schneider <asn@samba.org>
4 * This program is free software: you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation, either version 3 of the License, or
7 * (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program. If not, see <http://www.gnu.org/licenses/>.
18 #include <errno.h>
19 #include <stdint.h>
20 #include <string.h>
21 #include <sys/types.h>
22 #include <sys/stat.h>
23 #include <unistd.h>
25 #include <util/debug.h>
26 #include <util/data_blob.h>
28 #include "mscat.h"
29 #include "mscat_private.h"
31 #define PKCS7_CTL_OBJID "1.3.6.1.4.1.311.10.1"
33 static int mscat_pkcs7_cleanup(struct mscat_pkcs7 *mp7)
35 if (mp7->c != NULL) {
36 gnutls_pkcs7_deinit(mp7->c);
39 return 0;
42 struct mscat_pkcs7 *mscat_pkcs7_init(TALLOC_CTX *mem_ctx)
44 struct mscat_pkcs7 *pkcs7;
45 int rc;
47 pkcs7 = talloc_zero(mem_ctx, struct mscat_pkcs7);
48 if (pkcs7 == NULL) {
49 return NULL;
51 talloc_set_destructor(pkcs7, mscat_pkcs7_cleanup);
53 rc = gnutls_pkcs7_init(&pkcs7->c);
54 if (rc != 0) {
55 talloc_free(pkcs7);
56 return NULL;
59 return pkcs7;
62 static int mscat_read_file(TALLOC_CTX *mem_ctx,
63 const char *filename,
64 DATA_BLOB *pblob)
66 struct stat sb = {0};
67 size_t alloc_size;
68 size_t count;
69 DATA_BLOB blob = data_blob_null;
70 FILE *fp;
71 int rc;
73 fp = fopen(filename, "r");
74 if (fp == NULL) {
75 return -1;
78 rc = fstat(fileno(fp), &sb);
79 if (rc != 0) {
80 goto error;
83 if (!S_ISREG(sb.st_mode)) {
84 errno = EINVAL;
85 rc = -1;
86 goto error;
88 if (SIZE_MAX - 1 < (unsigned long)sb.st_size) {
89 errno = ENOMEM;
90 rc = -1;
91 goto error;
93 alloc_size = sb.st_size + 1;
95 blob = data_blob_talloc_zero(mem_ctx, alloc_size);
96 if (blob.data == NULL) {
97 rc = -1;
98 goto error;
101 count = fread(blob.data, 1, blob.length, fp);
102 if (count != blob.length) {
103 if (ferror(fp)) {
104 rc = -1;
105 goto error;
108 blob.data[count] = '\0';
109 blob.length = count;
110 fclose(fp);
112 *pblob = blob;
114 return 0;
115 error:
116 data_blob_free(&blob);
117 fclose(fp);
118 return rc;
121 int mscat_pkcs7_import_catfile(struct mscat_pkcs7 *mp7,
122 const char *catfile)
124 TALLOC_CTX *tmp_ctx;
125 gnutls_datum_t mscat_data = {
126 .size = 0,
128 DATA_BLOB blob = {
129 .length = 0,
131 int rc;
133 tmp_ctx = talloc_new(mp7);
134 if (tmp_ctx == NULL) {
135 return -1;
138 rc = mscat_read_file(tmp_ctx,
139 catfile,
140 &blob);
141 if (rc == -1) {
142 DBG_ERR("Failed to read catalog file '%s' - %s",
143 catfile,
144 strerror(errno));
145 goto done;
148 mscat_data.data = blob.data;
149 mscat_data.size = blob.length;
151 rc = gnutls_pkcs7_import(mp7->c,
152 &mscat_data,
153 GNUTLS_X509_FMT_DER);
154 if (rc < 0) {
155 DBG_ERR("Failed to import PKCS7 from '%s' - %s",
156 catfile,
157 gnutls_strerror(rc));
158 goto done;
161 rc = 0;
162 done:
163 talloc_free(tmp_ctx);
164 return rc;
167 int mscat_pkcs7_verify(struct mscat_pkcs7 *mp7,
168 const char *ca_file)
170 TALLOC_CTX *tmp_ctx = NULL;
171 gnutls_x509_trust_list_t tl = NULL;
172 gnutls_datum_t ca_data;
173 DATA_BLOB blob = {
174 .length = 0,
176 uint32_t flags = 0;
177 const char *oid;
178 int count;
179 int cmp;
180 int rc;
181 int i;
183 oid = gnutls_pkcs7_get_embedded_data_oid(mp7->c);
184 if (oid == NULL) {
185 DBG_ERR("Failed to get oid - %s",
186 gnutls_strerror(errno));
187 return -1;
190 cmp = strcmp(oid, PKCS7_CTL_OBJID);
191 if (cmp != 0) {
192 DBG_ERR("Invalid oid in catalog file! oid: %s, expected: %s",
193 oid,
194 PKCS7_CTL_OBJID);
195 return -1;
198 tmp_ctx = talloc_new(mp7);
199 if (tmp_ctx == NULL) {
200 return -1;
203 rc = gnutls_x509_trust_list_init(&tl,
204 0); /* default size */
205 if (rc != 0) {
206 DBG_ERR("Failed to create trust list - %s",
207 gnutls_strerror(rc));
208 goto done;
212 /* Load the system trust list */
213 rc = gnutls_x509_trust_list_add_system_trust(tl, 0, 0);
214 if (rc < 0) {
215 DBG_ERR("Failed to add system trust list - %s",
216 gnutls_strerror(rc));
217 goto done;
219 DBG_INFO("Loaded %d CAs", rc);
221 if (ca_file != NULL) {
222 rc = mscat_read_file(tmp_ctx,
223 ca_file,
224 &blob);
225 if (rc != 0) {
226 DBG_ERR("Failed to read CA file '%s' - %s",
227 ca_file,
228 strerror(errno));
229 goto done;
232 ca_data.data = blob.data;
233 ca_data.size = blob.length;
235 rc = gnutls_x509_trust_list_add_trust_mem(tl,
236 &ca_data,
237 NULL, /* crls */
238 GNUTLS_X509_FMT_DER,
239 0, /* tl_flags */
240 0); /* tl_vflags */
241 if (rc < 0) {
242 DBG_ERR("Failed to add '%s' to trust list - %s (%d)",
243 ca_file,
244 gnutls_strerror(rc),
245 rc);
246 goto done;
248 DBG_INFO("Loaded %d additional CAs", rc);
252 * Drivers often exist for quite some time, so it is possible that one
253 * of the certificates in the trust list expired.
254 * This is not a big deal, but we need to disable the time checks
255 * or the verification will fail.
257 flags = GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS|
258 GNUTLS_VERIFY_DISABLE_TIME_CHECKS;
260 #if GNUTLS_VERSION_NUMBER >= 0x030600
261 /* The "Microsoft Root Authority" certificate uses SHA1 */
262 flags |= GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1;
263 #endif
265 count = gnutls_pkcs7_get_signature_count(mp7->c);
266 if (count == 0) {
267 DBG_ERR("Failed to verify catalog file, no signatures found");
268 goto done;
271 for (i = 0; i < count; i++) {
272 rc = gnutls_pkcs7_verify(mp7->c,
274 NULL, /* vdata */
275 0, /* vdata_size */
276 i, /* index */
277 NULL, /* data */
278 flags); /* flags */
279 if (rc < 0) {
280 DBG_ERR("Failed to verify catalog file - %s (%d)",
281 gnutls_strerror(rc),
282 rc);
283 goto done;
287 rc = 0;
288 done:
289 gnutls_x509_trust_list_deinit(tl, 1);
290 talloc_free(tmp_ctx);
291 return rc;