| blob | 87d031064b477a7505a784b38f1e5026cac78bb1 |
1 /*
2 * Copyright (C) 2001,2002 Nikos Mavroyanopoulos <nmav@hellug.gr>
3 *
4 * This file is part of GNUTLS.
5 *
6 * GNUTLS is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * GNUTLS is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
19 */
28 #include <gnutls_sig.h>
29 #include <gnutls_str.h>
32 /* Return 0 or INVALID, if the issuer is a CA,
33 * or not.
34 */
37 {
40 /* Check if the issuer is the same with the
41 * certificate. This is added in order for trusted
42 * certificates to be able to verify themselves.
43 */
49 }
50 }
58 }
64 #define MAX_DN_ELEM 1024
66 /* This function checks if 'certs' issuer is 'issuer_cert'.
67 * This does a straight (DER) compare of the issuer/subject fields in
68 * the given certificates.
69 *
70 * FIXME: use a real DN comparison algorithm.
71 */
72 static
74 {
81 /* get the issuer of 'cert'
82 */
88 }
92 /* couldn't decode DER */
96 }
100 /* get the 'subject' info of 'issuer_cert'
101 */
108 }
110 result =
113 /* couldn't decode DER */
117 }
122 result =
131 }
137 result =
146 }
150 /* The error code returned does not really matter
151 * here.
152 */
156 }
161 }
163 /* they match */
166 }
170 {
173 /* this is serial search.
174 */
179 }
183 }
185 /* ret_trust is the value to return when the certificate chain is ok
186 * ret_else is the value to return otherwise.
187 */
192 {
193 /* CRL is ignored for now */
203 }
205 /* issuer is not in trusted certificate
206 * authorities.
207 */
211 }
217 }
223 }
225 /* FIXME: Check CRL --not done yet.
226 */
230 }
232 /* The algorithm used is:
233 * 1. Check the certificate chain given by the peer, if it is ok.
234 * 2. If any certificate in the chain are revoked, not
235 * valid, or they are not CAs then the certificate is invalid.
236 * 3. If 1 is ok, then find a certificate in the trusted CAs file
237 * that has the DN of the issuer field in the last certificate
238 * in the peer's certificate chain.
239 * 4. If it does exist then verify it. If verification is ok then
240 * it is trusted. Otherwise it is just valid (but not trusted).
241 */
242 /* This function verifies a X.509 certificate list. The certificate list should
243 * lead to a trusted CA in order to be trusted.
244 */
250 {
256 }
258 /* Verify the certificate path */
267 GNUTLS_CERT_INVALID)) !=
269 /*
270 * We only accept the first certificate to be
271 * expired, revoked etc. If any of the certificates in the
272 * certificate chain is expired then the certificate
273 * is not valid.
274 */
281 }
282 }
283 }
286 * certificate chain then mark as not trusted
287 * and return immediately.
288 */
290 }
292 /* Now verify the last certificate in the certificate path
293 * against the trusted CA certificate list.
294 *
295 * If no CAs are present returns NOT_TRUSTED. Thus works
296 * in self signed etc certificates.
297 */
298 ret =
301 GNUTLS_CERT_NOT_TRUSTED);
304 /* if the last certificate in the certificate
305 * list is invalid, then the certificate is not
306 * trusted.
307 */
310 }
315 }
317 /* if we got here, then it's trusted.
318 */
320 }