| blob | 5dafd6308a436483cc7f1b2f7c7023efe836c7fc |
1 /*
2 * Copyright (C) 2011-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
23 #include <gnutls_int.h>
24 #include <gnutls_errors.h>
25 #include <libtasn1.h>
26 #include <gnutls_global.h>
28 #include <gnutls_sig.h>
29 #include <gnutls_str.h>
30 #include <gnutls_datum.h>
31 #include <hash-pjw-bare.h>
33 #include <common.h>
37 gnutls_x509_crt_t cert;
40 };
43 /* The trusted certificates */
50 /* The trusted CRLs */
53 };
58 };
60 #define DEFAULT_SIZE 503
62 /**
63 * gnutls_x509_trust_list_init:
64 * @list: The structure to be initialized
65 * @size: The size of the internal hash table. Use (0) for default size.
66 *
67 * This function will initialize an X.509 trust list structure.
68 *
69 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
70 * negative error value.
71 *
72 * Since: 3.0
73 **/
74 int
77 {
78 gnutls_x509_trust_list_t tmp =
93 }
98 }
100 /**
101 * gnutls_x509_trust_list_deinit:
102 * @list: The structure to be deinitialized
103 * @all: if non-(0) it will deinitialize all the certificates and CRLs contained in the structure.
104 *
105 * This function will deinitialize a trust list.
106 *
107 * Since: 3.0
108 **/
109 void
112 {
122 }
128 }
134 }
136 }
140 }
142 /**
143 * gnutls_x509_trust_list_add_cas:
144 * @list: The structure of the list
145 * @clist: A list of CAs
146 * @clist_size: The length of the CA list
147 * @flags: should be 0.
148 *
149 * This function will add the given certificate authorities
150 * to the trusted list. The list of CAs must not be deinitialized
151 * during this structure's lifetime.
152 *
153 * Returns: The number of added elements is returned.
154 *
155 * Since: 3.0
156 **/
157 int
161 {
162 gnutls_datum_t dn;
171 }
185 }
190 }
193 }
195 /**
196 * gnutls_x509_trust_list_add_named_crt:
197 * @list: The structure of the list
198 * @cert: A certificate
199 * @name: An identifier for the certificate
200 * @name_size: The size of the identifier
201 * @flags: should be 0.
202 *
203 * This function will add the given certificate to the trusted
204 * list and associate it with a name. The certificate will not be
205 * be used for verification with gnutls_x509_trust_list_verify_crt()
206 * but only with gnutls_x509_trust_list_verify_named_crt().
207 *
208 * In principle this function can be used to set individual "server"
209 * certificates that are trusted by the user for that specific server
210 * but for no other purposes.
211 *
212 * The certificate must not be deinitialized during the lifetime
213 * of the trusted list.
214 *
215 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
216 * negative error value.
217 *
218 * Since: 3.0
219 **/
220 int
222 gnutls_x509_crt_t cert,
225 {
226 gnutls_datum_t dn;
237 }
252 cert;
261 }
263 /**
264 * gnutls_x509_trust_list_add_crls:
265 * @list: The structure of the list
266 * @crl_list: A list of CRLs
267 * @crl_size: The length of the CRL list
268 * @flags: if GNUTLS_TL_VERIFY_CRL is given the CRLs will be verified before being added.
269 * @verification_flags: gnutls_certificate_verify_flags if flags specifies GNUTLS_TL_VERIFY_CRL
270 *
271 * This function will add the given certificate revocation lists
272 * to the trusted list. The list of CRLs must not be deinitialized
273 * during this structure's lifetime.
274 *
275 * This function must be called after gnutls_x509_trust_list_add_cas()
276 * to allow verifying the CRLs for validity.
277 *
278 * Returns: The number of added elements is returned.
279 *
280 * Since: 3.0
281 **/
282 int
287 {
289 gnutls_datum_t dn;
293 /* Probably we can optimize things such as removing duplicates
294 * etc.
295 */
305 }
314 ret =
321 }
331 }
335 j++;
336 }
339 }
341 /* Takes a certificate list and shortens it if there are
342 * intermedia certificates already trusted by us.
343 *
344 * FIXME: This is very similar to _gnutls_x509_verify_certificate().
345 *
346 * Returns the new size of the list or a negative number on error.
347 */
351 {
355 gnutls_datum_t dn;
358 /* Check if the last certificate in the path is self signed.
359 * In that case ignore it (a certificate is trusted only if it
360 * leads to a trusted party by us, not the server's).
361 *
362 * This prevents from verifying self signed certificates against
363 * themselves. This (although not bad) caused verification
364 * failures on some root self signed certificates that use the
365 * MD2 algorithm.
366 */
370 clist_size--;
371 }
372 }
374 /* We want to shorten the chain by removing the cert that matches
375 * one of the certs we trust and all the certs after that i.e. if
376 * cert chain is A signed-by B signed-by C signed-by D (signed-by
377 * self-signed E but already removed above), and we trust B, remove
378 * B, C and D. */
384 }
395 /* cut the list at the point of first the trusted certificate */
398 }
399 }
400 /* clist_size may have been changed which gets out of loop */
401 }
404 }
406 /* Takes a certificate list and orders it with subject, issuer order.
407 *
408 * *clist_size contains the size of the ordered list (which is always less or
409 * equal to the original).
410 *
411 * Returns the sorted list which may be the original clist.
412 */
416 {
421 /* Do not bother sorting if too many certificates are given.
422 * Prevent any DoS attacks.
423 */
430 /* Find the issuer of each certificate and store it
431 * in issuer array.
432 */
434 {
436 {
441 {
444 }
445 }
446 }
449 {
452 }
457 {
460 {
463 }
465 }
468 }
470 /**
471 * gnutls_x509_trust_list_get_issuer:
472 * @list: The structure of the list
473 * @cert: is the certificate to find issuer for
474 * @issuer: Will hold the issuer if any. Should be treated as constant.
475 * @flags: Use (0).
476 *
477 * This function will attempt to find the issuer of the
478 * given certificate.
479 *
480 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
481 * negative error value.
482 *
483 * Since: 3.0
484 **/
486 gnutls_x509_crt_t cert,
489 {
490 gnutls_datum_t dn;
499 }
507 ret =
513 }
514 }
517 }
519 /**
520 * gnutls_x509_trust_list_verify_crt:
521 * @list: The structure of the list
522 * @cert_list: is the certificate list to be verified
523 * @cert_list_size: is the certificate list size
524 * @flags: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.
525 * @verify: will hold the certificate verification output.
526 * @func: If non-null will be called on each chain element verification with the output.
527 *
528 * This function will try to verify the given certificate and return
529 * its status.
530 *
531 * Limitation: Pathlen constraints or key usage flags are not consulted.
532 *
533 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
534 * negative error value.
535 *
536 * Since: 3.0
537 **/
538 int
544 gnutls_verify_output_function func)
545 {
546 gnutls_datum_t dn;
562 ret =
568 }
579 func);
584 /* Check revocation of individual certificates.
585 * start with the last one that we already have its hash
586 */
590 func);
595 }
602 }
612 func);
617 }
618 }
621 }
623 /**
624 * gnutls_x509_trust_list_verify_named_crt:
625 * @list: The structure of the list
626 * @cert: is the certificate to be verified
627 * @name: is the certificate's name
628 * @name_size: is the certificate's name size
629 * @flags: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.
630 * @verify: will hold the certificate verification output.
631 * @func: If non-null will be called on each chain element verification with the output.
632 *
633 * This function will try to find a matching named certificate. If a
634 * match is found the certificate is considered valid. In addition to that
635 * this function will also check CRLs.
636 *
637 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
638 * negative error value.
639 *
640 * Since: 3.0
641 **/
642 int
644 gnutls_x509_crt_t cert,
649 gnutls_verify_output_function func)
650 {
651 gnutls_datum_t dn;
660 }
670 if (check_if_same_cert(cert, list->node[hash].named_certs[i].cert) == 0) { /* check if name matches */
676 }
677 }
678 }
683 /* Check revocation of individual certificates.
684 * start with the last one that we already have its hash
685 */
689 func);
694 }
697 }
699 /* return 0 if @cert is in @list, 1 if not, or < 0 on error. */
700 int
702 gnutls_x509_crt_t cert)
703 {
704 gnutls_datum_t dn;
711 {
714 }
722 {
725 {
728 }
732 }
735 }