2 * empathy-tls-verifier.c - Source for EmpathyTLSVerifier
3 * Copyright (C) 2010 Collabora Ltd.
4 * @author Cosimo Cecchi <cosimo.cecchi@collabora.co.uk>
5 * @author Stef Walter <stefw@collabora.co.uk>
7 * This library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
12 * This library is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
24 #include <gnutls/gnutls.h>
25 #include <gnutls/x509.h>
27 #include <telepathy-glib/util.h>
29 #include "empathy-tls-verifier.h"
33 #define DEBUG_FLAG EMPATHY_DEBUG_TLS
34 #include "empathy-debug.h"
35 #include "empathy-utils.h"
37 G_DEFINE_TYPE (EmpathyTLSVerifier
, empathy_tls_verifier
,
40 #define GET_PRIV(obj) EMPATHY_GET_PRIV (obj, EmpathyTLSVerifier);
43 PROP_TLS_CERTIFICATE
= 1,
45 PROP_REFERENCE_IDENTITIES
,
51 EmpathyTLSCertificate
*certificate
;
53 gchar
**reference_identities
;
55 GSimpleAsyncResult
*verify_result
;
59 } EmpathyTLSVerifierPriv
;
62 verification_output_to_reason (gint res
,
64 EmpTLSCertificateRejectReason
*reason
)
66 gboolean retval
= TRUE
;
68 g_assert (reason
!= NULL
);
70 if (res
!= GNUTLS_E_SUCCESS
)
74 /* the certificate is not structurally valid */
77 case GNUTLS_E_INSUFFICIENT_CREDENTIALS
:
78 *reason
= EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED
;
80 case GNUTLS_E_CONSTRAINT_ERROR
:
81 *reason
= EMP_TLS_CERTIFICATE_REJECT_REASON_LIMIT_EXCEEDED
;
84 *reason
= EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN
;
91 /* the certificate is structurally valid, check for other errors. */
92 if (verify_output
& GNUTLS_CERT_INVALID
)
96 if (verify_output
& GNUTLS_CERT_SIGNER_NOT_FOUND
)
97 *reason
= EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED
;
98 else if (verify_output
& GNUTLS_CERT_SIGNER_NOT_CA
)
99 *reason
= EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED
;
100 else if (verify_output
& GNUTLS_CERT_INSECURE_ALGORITHM
)
101 *reason
= EMP_TLS_CERTIFICATE_REJECT_REASON_INSECURE
;
102 else if (verify_output
& GNUTLS_CERT_NOT_ACTIVATED
)
103 *reason
= EMP_TLS_CERTIFICATE_REJECT_REASON_NOT_ACTIVATED
;
104 else if (verify_output
& GNUTLS_CERT_EXPIRED
)
105 *reason
= EMP_TLS_CERTIFICATE_REJECT_REASON_EXPIRED
;
107 *reason
= EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN
;
117 build_certificate_list_for_gnutls (GcrCertificateChain
*chain
,
118 gnutls_x509_crt_t
**list
,
120 gnutls_x509_crt_t
**anchors
,
123 GcrCertificate
*cert
;
125 gnutls_x509_crt_t
*retval
;
126 gnutls_x509_crt_t gcert
;
127 gnutls_datum_t datum
;
133 g_assert (n_anchors
);
135 *list
= *anchors
= NULL
;
136 *n_list
= *n_anchors
= 0;
138 length
= gcr_certificate_chain_get_length (chain
);
139 retval
= g_malloc0 (sizeof (gnutls_x509_crt_t
) * length
);
141 /* Convert the main body of the chain to gnutls */
142 for (idx
= 0; idx
< length
; ++idx
)
144 cert
= gcr_certificate_chain_get_certificate (chain
, idx
);
145 datum
.data
= (gpointer
)gcr_certificate_get_der_data (cert
, &n_data
);
148 gnutls_x509_crt_init (&gcert
);
149 if (gnutls_x509_crt_import (gcert
, &datum
, GNUTLS_X509_FMT_DER
) < 0)
150 g_return_if_reached ();
158 /* See if we have an anchor */
159 if (gcr_certificate_chain_get_status (chain
) ==
160 GCR_CERTIFICATE_CHAIN_ANCHORED
)
162 cert
= gcr_certificate_chain_get_anchor (chain
);
163 g_return_if_fail (cert
);
165 datum
.data
= (gpointer
)gcr_certificate_get_der_data (cert
, &n_data
);
168 gnutls_x509_crt_init (&gcert
);
169 if (gnutls_x509_crt_import (gcert
, &datum
, GNUTLS_X509_FMT_DER
) < 0)
170 g_return_if_reached ();
172 retval
= g_malloc0 (sizeof (gnutls_x509_crt_t
) * 1);
180 free_certificate_list_for_gnutls (gnutls_x509_crt_t
*list
,
185 for (idx
= 0; idx
< n_list
; idx
++)
186 gnutls_x509_crt_deinit (list
[idx
]);
191 complete_verification (EmpathyTLSVerifier
*self
)
193 EmpathyTLSVerifierPriv
*priv
= GET_PRIV (self
);
195 DEBUG ("Verification successful, completing...");
197 g_simple_async_result_complete_in_idle (priv
->verify_result
);
199 tp_clear_object (&priv
->verify_result
);
203 abort_verification (EmpathyTLSVerifier
*self
,
204 EmpTLSCertificateRejectReason reason
)
206 EmpathyTLSVerifierPriv
*priv
= GET_PRIV (self
);
208 DEBUG ("Verification error %u, aborting...", reason
);
210 g_simple_async_result_set_error (priv
->verify_result
,
211 G_IO_ERROR
, reason
, "TLS verification failed with reason %u",
213 g_simple_async_result_complete_in_idle (priv
->verify_result
);
215 tp_clear_object (&priv
->verify_result
);
219 debug_certificate (GcrCertificate
*cert
)
221 gchar
*subject
= gcr_certificate_get_subject_dn (cert
);
222 DEBUG ("Certificate: %s", subject
);
227 debug_certificate_chain (GcrCertificateChain
*chain
)
229 GEnumClass
*enum_class
;
230 GEnumValue
*enum_value
;
232 GcrCertificate
*cert
;
234 enum_class
= G_ENUM_CLASS
235 (g_type_class_peek (GCR_TYPE_CERTIFICATE_CHAIN_STATUS
));
236 enum_value
= g_enum_get_value (enum_class
,
237 gcr_certificate_chain_get_status (chain
));
238 length
= gcr_certificate_chain_get_length (chain
);
239 DEBUG ("Certificate chain: length %u status %s",
240 length
, enum_value
? enum_value
->value_nick
: "XXX");
242 for (idx
= 0; idx
< length
; ++idx
)
244 cert
= gcr_certificate_chain_get_certificate (chain
, idx
);
245 debug_certificate (cert
);
250 perform_verification (EmpathyTLSVerifier
*self
,
251 GcrCertificateChain
*chain
)
253 gboolean ret
= FALSE
;
254 EmpTLSCertificateRejectReason reason
=
255 EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN
;
256 gnutls_x509_crt_t
*list
, *anchors
;
257 guint n_list
, n_anchors
;
262 EmpathyTLSVerifierPriv
*priv
= GET_PRIV (self
);
264 DEBUG ("Performing verification");
265 debug_certificate_chain (chain
);
267 list
= anchors
= NULL
;
268 n_list
= n_anchors
= 0;
271 * If the first certificate is an pinned certificate then we completely
272 * ignore the rest of the verification process.
274 if (gcr_certificate_chain_get_status (chain
) == GCR_CERTIFICATE_CHAIN_PINNED
)
276 DEBUG ("Found pinned certificate for %s", priv
->hostname
);
277 complete_verification (self
);
281 build_certificate_list_for_gnutls (chain
, &list
, &n_list
,
282 &anchors
, &n_anchors
);
283 if (list
== NULL
|| n_list
== 0) {
284 g_warn_if_reached ();
285 abort_verification (self
, EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN
);
290 res
= gnutls_x509_crt_list_verify (list
, n_list
, anchors
, n_anchors
,
291 NULL
, 0, 0, &verify_output
);
292 ret
= verification_output_to_reason (res
, verify_output
, &reason
);
294 DEBUG ("Certificate verification gave result %d with reason %u", ret
,
298 abort_verification (self
, reason
);
302 /* now check if the certificate matches one of the reference identities. */
303 for (i
= priv
->reference_identities
, matched
= FALSE
; i
&& *i
; ++i
)
305 const gchar
*identity
= *i
;
306 if (gnutls_x509_crt_check_hostname (list
[0], identity
) == 1)
315 gchar
*certified_hostname
;
317 certified_hostname
= empathy_get_x509_certificate_hostname (list
[0]);
318 tp_asv_set_string (priv
->details
,
319 "expected-hostname", priv
->hostname
);
320 tp_asv_set_string (priv
->details
,
321 "certificate-hostname", certified_hostname
);
323 DEBUG ("Hostname mismatch: got %s but expected %s",
324 certified_hostname
, priv
->hostname
);
326 g_free (certified_hostname
);
327 abort_verification (self
,
328 EMP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH
);
332 DEBUG ("Hostname matched");
333 complete_verification (self
);
336 free_certificate_list_for_gnutls (list
, n_list
);
337 free_certificate_list_for_gnutls (anchors
, n_anchors
);
341 perform_verification_cb (GObject
*object
,
345 GError
*error
= NULL
;
347 GcrCertificateChain
*chain
= GCR_CERTIFICATE_CHAIN (object
);
348 EmpathyTLSVerifier
*self
= EMPATHY_TLS_VERIFIER (user_data
);
350 /* Even if building the chain fails, try verifying what we have */
351 if (!gcr_certificate_chain_build_finish (chain
, res
, &error
))
353 DEBUG ("Building of certificate chain failed: %s", error
->message
);
354 g_clear_error (&error
);
357 perform_verification (self
, chain
);
359 /* Matches ref when staring chain build */
360 g_object_unref (self
);
364 empathy_tls_verifier_get_property (GObject
*object
,
369 EmpathyTLSVerifierPriv
*priv
= GET_PRIV (object
);
373 case PROP_TLS_CERTIFICATE
:
374 g_value_set_object (value
, priv
->certificate
);
377 g_value_set_string (value
, priv
->hostname
);
379 case PROP_REFERENCE_IDENTITIES
:
380 g_value_set_boxed (value
, priv
->reference_identities
);
383 G_OBJECT_WARN_INVALID_PROPERTY_ID (object
, property_id
, pspec
);
389 empathy_tls_verifier_set_property (GObject
*object
,
394 EmpathyTLSVerifierPriv
*priv
= GET_PRIV (object
);
398 case PROP_TLS_CERTIFICATE
:
399 priv
->certificate
= g_value_dup_object (value
);
402 priv
->hostname
= g_value_dup_string (value
);
404 case PROP_REFERENCE_IDENTITIES
:
405 priv
->reference_identities
= g_value_dup_boxed (value
);
408 G_OBJECT_WARN_INVALID_PROPERTY_ID (object
, property_id
, pspec
);
414 empathy_tls_verifier_dispose (GObject
*object
)
416 EmpathyTLSVerifierPriv
*priv
= GET_PRIV (object
);
418 if (priv
->dispose_run
)
421 priv
->dispose_run
= TRUE
;
423 tp_clear_object (&priv
->certificate
);
425 G_OBJECT_CLASS (empathy_tls_verifier_parent_class
)->dispose (object
);
429 empathy_tls_verifier_finalize (GObject
*object
)
431 EmpathyTLSVerifierPriv
*priv
= GET_PRIV (object
);
433 DEBUG ("%p", object
);
435 tp_clear_boxed (G_TYPE_HASH_TABLE
, &priv
->details
);
436 g_free (priv
->hostname
);
437 g_strfreev (priv
->reference_identities
);
439 G_OBJECT_CLASS (empathy_tls_verifier_parent_class
)->finalize (object
);
443 empathy_tls_verifier_init (EmpathyTLSVerifier
*self
)
445 EmpathyTLSVerifierPriv
*priv
;
447 priv
= self
->priv
= G_TYPE_INSTANCE_GET_PRIVATE (self
,
448 EMPATHY_TYPE_TLS_VERIFIER
, EmpathyTLSVerifierPriv
);
449 priv
->details
= tp_asv_new (NULL
, NULL
);
453 empathy_tls_verifier_class_init (EmpathyTLSVerifierClass
*klass
)
456 GObjectClass
*oclass
= G_OBJECT_CLASS (klass
);
458 g_type_class_add_private (klass
, sizeof (EmpathyTLSVerifierPriv
));
460 oclass
->set_property
= empathy_tls_verifier_set_property
;
461 oclass
->get_property
= empathy_tls_verifier_get_property
;
462 oclass
->finalize
= empathy_tls_verifier_finalize
;
463 oclass
->dispose
= empathy_tls_verifier_dispose
;
465 pspec
= g_param_spec_object ("certificate", "The EmpathyTLSCertificate",
466 "The EmpathyTLSCertificate to be verified.",
467 EMPATHY_TYPE_TLS_CERTIFICATE
,
468 G_PARAM_CONSTRUCT_ONLY
| G_PARAM_READWRITE
| G_PARAM_STATIC_STRINGS
);
469 g_object_class_install_property (oclass
, PROP_TLS_CERTIFICATE
, pspec
);
471 pspec
= g_param_spec_string ("hostname", "The hostname",
472 "The hostname which is certified by the certificate.",
474 G_PARAM_CONSTRUCT_ONLY
| G_PARAM_READWRITE
| G_PARAM_STATIC_STRINGS
);
475 g_object_class_install_property (oclass
, PROP_HOSTNAME
, pspec
);
477 pspec
= g_param_spec_boxed ("reference-identities",
478 "The reference identities",
479 "The certificate should certify one of these identities.",
481 G_PARAM_CONSTRUCT_ONLY
| G_PARAM_READWRITE
| G_PARAM_STATIC_STRINGS
);
482 g_object_class_install_property (oclass
, PROP_REFERENCE_IDENTITIES
, pspec
);
486 empathy_tls_verifier_new (EmpathyTLSCertificate
*certificate
,
487 const gchar
*hostname
, const gchar
**reference_identities
)
489 g_assert (EMPATHY_IS_TLS_CERTIFICATE (certificate
));
490 g_assert (hostname
!= NULL
);
491 g_assert (reference_identities
!= NULL
);
493 return g_object_new (EMPATHY_TYPE_TLS_VERIFIER
,
494 "certificate", certificate
,
495 "hostname", hostname
,
496 "reference-identities", reference_identities
,
501 empathy_tls_verifier_verify_async (EmpathyTLSVerifier
*self
,
502 GAsyncReadyCallback callback
,
505 GcrCertificateChain
*chain
;
506 GcrCertificate
*cert
;
507 GPtrArray
*cert_data
= NULL
;
510 EmpathyTLSVerifierPriv
*priv
= GET_PRIV (self
);
512 DEBUG ("Starting verification");
514 g_return_if_fail (priv
->verify_result
== NULL
);
516 g_object_get (priv
->certificate
, "cert-data", &cert_data
, NULL
);
517 g_return_if_fail (cert_data
);
519 priv
->verify_result
= g_simple_async_result_new (G_OBJECT (self
),
520 callback
, user_data
, NULL
);
522 /* Create a certificate chain */
523 chain
= gcr_certificate_chain_new ();
524 for (idx
= 0; idx
< cert_data
->len
; ++idx
) {
525 data
= g_ptr_array_index (cert_data
, idx
);
526 cert
= gcr_simple_certificate_new (data
->data
, data
->len
);
527 gcr_certificate_chain_add (chain
, cert
);
528 g_object_unref (cert
);
531 gcr_certificate_chain_build_async (chain
, GCR_PURPOSE_CLIENT_AUTH
, priv
->hostname
, 0,
532 NULL
, perform_verification_cb
, g_object_ref (self
));
534 g_object_unref (chain
);
535 g_boxed_free (TP_ARRAY_TYPE_UCHAR_ARRAY_LIST
, cert_data
);
539 empathy_tls_verifier_verify_finish (EmpathyTLSVerifier
*self
,
541 EmpTLSCertificateRejectReason
*reason
,
542 GHashTable
**details
,
545 EmpathyTLSVerifierPriv
*priv
= GET_PRIV (self
);
547 if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (res
),
551 *reason
= (*error
)->code
;
555 *details
= tp_asv_new (NULL
, NULL
);
556 tp_g_hash_table_update (*details
, priv
->details
,
557 (GBoxedCopyFunc
) g_strdup
,
558 (GBoxedCopyFunc
) tp_g_value_slice_dup
);
565 *reason
= EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN
;
571 empathy_tls_verifier_store_exception (EmpathyTLSVerifier
*self
)
574 GcrCertificate
*cert
;
575 GPtrArray
*cert_data
= NULL
;
576 GError
*error
= NULL
;
577 EmpathyTLSVerifierPriv
*priv
= GET_PRIV (self
);
579 g_object_get (priv
->certificate
, "cert-data", &cert_data
, NULL
);
580 g_return_if_fail (cert_data
);
584 DEBUG ("No certificate to pin.");
588 /* The first certificate in the chain is for the host */
589 data
= g_ptr_array_index (cert_data
, 0);
590 cert
= gcr_simple_certificate_new ((gpointer
)data
->data
, data
->len
);
592 DEBUG ("Storing pinned certificate:");
593 debug_certificate (cert
);
595 if (!gcr_trust_add_pinned_certificate (cert
, GCR_PURPOSE_CLIENT_AUTH
,
596 priv
->hostname
, NULL
, &error
))
597 DEBUG ("Can't store the pinned certificate: %s", error
->message
);
599 g_object_unref (cert
);
600 g_boxed_free (TP_ARRAY_TYPE_UCHAR_ARRAY_LIST
, cert_data
);