| blob | 9e69f8312f902af28c15ce77204ae0c16d45cfe4 |
1 /*
2 * Copyright (C) 2001,2002 Nikos Mavroyanopoulos <nmav@hellug.gr>
3 *
4 * This file is part of GNUTLS.
5 *
6 * The GNUTLS library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19 *
20 */
29 #include <gnutls_sig.h>
30 #include <gnutls_str.h>
33 /* Return 0 or INVALID, if the issuer is a CA,
34 * or not.
35 */
38 {
41 /* Check if the issuer is the same with the
42 * certificate. This is added in order for trusted
43 * certificates to be able to verify themselves.
44 */
50 }
51 }
59 }
65 #define MAX_DN_ELEM 1024
67 /* This function checks if 'certs' issuer is 'issuer_cert'.
68 * This does a straight (DER) compare of the issuer/subject fields in
69 * the given certificates.
70 *
71 * FIXME: use a real DN comparison algorithm.
72 */
73 static
75 {
82 /* get the issuer of 'cert'
83 */
89 }
93 /* couldn't decode DER */
97 }
101 /* get the 'subject' info of 'issuer_cert'
102 */
109 }
111 result =
114 /* couldn't decode DER */
118 }
123 result =
132 }
138 result =
147 }
151 /* The error code returned does not really matter
152 * here.
153 */
157 }
162 }
164 /* they match */
167 }
171 {
174 /* this is serial search.
175 */
180 }
184 }
186 /* ret_trust is the value to return when the certificate chain is ok
187 * ret_else is the value to return otherwise.
188 */
193 {
194 /* CRL is ignored for now */
204 }
206 /* issuer is not in trusted certificate
207 * authorities.
208 */
212 }
218 }
224 }
226 /* FIXME: Check CRL --not done yet.
227 */
231 }
233 /* The algorithm used is:
234 * 1. Check the certificate chain given by the peer, if it is ok.
235 * 2. If any certificate in the chain are revoked, not
236 * valid, or they are not CAs then the certificate is invalid.
237 * 3. If 1 is ok, then find a certificate in the trusted CAs file
238 * that has the DN of the issuer field in the last certificate
239 * in the peer's certificate chain.
240 * 4. If it does exist then verify it. If verification is ok then
241 * it is trusted. Otherwise it is just valid (but not trusted).
242 */
243 /* This function verifies a X.509 certificate list. The certificate list should
244 * lead to a trusted CA in order to be trusted.
245 */
251 {
257 }
259 /* Verify the certificate path */
268 GNUTLS_CERT_INVALID)) !=
270 /*
271 * We only accept the first certificate to be
272 * expired, revoked etc. If any of the certificates in the
273 * certificate chain is expired then the certificate
274 * is not valid.
275 */
282 }
283 }
284 }
287 * certificate chain then mark as not trusted
288 * and return immediately.
289 */
291 }
293 /* Now verify the last certificate in the certificate path
294 * against the trusted CA certificate list.
295 *
296 * If no CAs are present returns NOT_TRUSTED. Thus works
297 * in self signed etc certificates.
298 */
299 ret =
302 GNUTLS_CERT_NOT_TRUSTED);
305 /* if the last certificate in the certificate
306 * list is invalid, then the certificate is not
307 * trusted.
308 */
311 }
316 }
318 /* if we got here, then it's trusted.
319 */
321 }