| blob | ffc97303671db426b3492abd94c3a67f186e95ed |
1 /*
2 * Copyright (C) 2011-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
23 #include <gnutls_int.h>
24 #include <gnutls_errors.h>
25 #include <libtasn1.h>
26 #include <gnutls_global.h>
28 #include <gnutls_sig.h>
29 #include <gnutls_str.h>
30 #include <gnutls_datum.h>
31 #include <hash-pjw-bare.h>
33 #include <common.h>
37 gnutls_x509_crt_t cert;
40 };
43 /* The trusted certificates */
50 /* The trusted CRLs */
53 };
58 };
60 #define DEFAULT_SIZE 503
62 /**
63 * gnutls_x509_trust_list_init:
64 * @list: The structure to be initialized
65 * @size: The size of the internal hash table. Use (0) for default size.
66 *
67 * This function will initialize an X.509 trust list structure.
68 *
69 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
70 * negative error value.
71 *
72 * Since: 3.0
73 **/
74 int
77 {
78 gnutls_x509_trust_list_t tmp =
93 }
98 }
100 /**
101 * gnutls_x509_trust_list_deinit:
102 * @list: The structure to be deinitialized
103 * @all: if non-(0) it will deinitialize all the certificates and CRLs contained in the structure.
104 *
105 * This function will deinitialize a trust list.
106 *
107 * Since: 3.0
108 **/
109 void
112 {
122 }
128 }
134 }
136 }
140 }
142 /**
143 * gnutls_x509_trust_list_add_cas:
144 * @list: The structure of the list
145 * @clist: A list of CAs
146 * @clist_size: The length of the CA list
147 * @flags: should be 0.
148 *
149 * This function will add the given certificate authorities
150 * to the trusted list. The list of CAs must not be deinitialized
151 * during this structure's lifetime.
152 *
153 * Returns: The number of added elements is returned.
154 *
155 * Since: 3.0
156 **/
157 int
161 {
162 gnutls_datum_t dn;
171 }
185 }
190 }
193 }
195 /**
196 * gnutls_x509_trust_list_add_named_crt:
197 * @list: The structure of the list
198 * @cert: A certificate
199 * @name: An identifier for the certificate
200 * @name_size: The size of the identifier
201 * @flags: should be 0.
202 *
203 * This function will add the given certificate to the trusted
204 * list and associate it with a name. The certificate will not be
205 * be used for verification with gnutls_x509_trust_list_verify_crt()
206 * but only with gnutls_x509_trust_list_verify_named_crt().
207 *
208 * In principle this function can be used to set individual "server"
209 * certificates that are trusted by the user for that specific server
210 * but for no other purposes.
211 *
212 * The certificate must not be deinitialized during the lifetime
213 * of the trusted list.
214 *
215 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
216 * negative error value.
217 *
218 * Since: 3.0
219 **/
220 int
222 gnutls_x509_crt_t cert,
225 {
226 gnutls_datum_t dn;
237 }
252 cert;
261 }
263 /**
264 * gnutls_x509_trust_list_add_crls:
265 * @list: The structure of the list
266 * @crl_list: A list of CRLs
267 * @crl_size: The length of the CRL list
268 * @flags: if GNUTLS_TL_VERIFY_CRL is given the CRLs will be verified before being added.
269 * @verification_flags: gnutls_certificate_verify_flags if flags specifies GNUTLS_TL_VERIFY_CRL
270 *
271 * This function will add the given certificate revocation lists
272 * to the trusted list. The list of CRLs must not be deinitialized
273 * during this structure's lifetime.
274 *
275 * This function must be called after gnutls_x509_trust_list_add_cas()
276 * to allow verifying the CRLs for validity.
277 *
278 * Returns: The number of added elements is returned.
279 *
280 * Since: 3.0
281 **/
282 int
287 {
289 gnutls_datum_t dn;
293 /* Probably we can optimize things such as removing duplicates
294 * etc.
295 */
305 }
314 ret =
321 }
331 }
335 j++;
336 }
339 }
341 /* Takes a certificate list and shortens it if there are
342 * intermedia certificates already trusted by us.
343 *
344 * FIXME: This is very similar to _gnutls_x509_verify_certificate().
345 *
346 * Returns the new size of the list or a negative number on error.
347 */
351 {
355 gnutls_datum_t dn;
358 /* Check if the last certificate in the path is self signed.
359 * In that case ignore it (a certificate is trusted only if it
360 * leads to a trusted party by us, not the server's).
361 *
362 * This prevents from verifying self signed certificates against
363 * themselves. This (although not bad) caused verification
364 * failures on some root self signed certificates that use the
365 * MD2 algorithm.
366 */
370 clist_size--;
371 }
372 }
374 /* We want to shorten the chain by removing the cert that matches
375 * one of the certs we trust and all the certs after that i.e. if
376 * cert chain is A signed-by B signed-by C signed-by D (signed-by
377 * self-signed E but already removed above), and we trust B, remove
378 * B, C and D. */
384 }
395 /* cut the list at the point of first the trusted certificate */
398 }
399 }
400 /* clist_size may have been changed which gets out of loop */
401 }
404 }
406 /* Takes a certificate list and orders it with subject, issuer order.
407 *
408 * *clist_size contains the size of the ordered list (which is always less or
409 * equal to the original).
410 *
411 * Returns the sorted list which may be the original clist.
412 */
416 {
421 /* Do not bother sorting if too many certificates are given.
422 * Prevent any DoS attacks.
423 */
430 /* Find the issuer of each certificate and store it
431 * in issuer array.
432 */
434 {
436 {
441 {
444 }
445 }
446 }
449 {
452 }
457 {
460 {
463 }
465 }
468 }
470 /**
471 * gnutls_x509_trust_list_get_issuer:
472 * @list: The structure of the list
473 * @cert: is the certificate to find issuer for
474 * @issuer: Will hold the issuer if any. Should be treated as constant.
475 * @flags: Use (0).
476 *
477 * This function will attempt to find the issuer of the
478 * given certificate.
479 *
480 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
481 * negative error value.
482 *
483 * Since: 3.0
484 **/
486 gnutls_x509_crt_t cert,
489 {
490 gnutls_datum_t dn;
499 }
507 ret =
513 }
514 }
517 }
519 /**
520 * gnutls_x509_trust_list_verify_crt:
521 * @list: The structure of the list
522 * @cert_list: is the certificate list to be verified
523 * @cert_list_size: is the certificate list size
524 * @flags: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.
525 * @verify: will hold the certificate verification output.
526 * @func: If non-null will be called on each chain element verification with the output.
527 *
528 * This function will try to verify the given certificate and return
529 * its status. The @verify parameter will hold an OR'ed sequence of
530 * %gnutls_certificate_status_t flags.
531 *
532 * Limitation: Pathlen constraints or key usage flags are not consulted.
533 *
534 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
535 * negative error value.
536 *
537 * Since: 3.0
538 **/
539 int
545 gnutls_verify_output_function func)
546 {
547 gnutls_datum_t dn;
563 ret =
569 }
580 func);
585 /* Check revocation of individual certificates.
586 * start with the last one that we already have its hash
587 */
591 func);
596 }
603 }
613 func);
618 }
619 }
622 }
624 /**
625 * gnutls_x509_trust_list_verify_named_crt:
626 * @list: The structure of the list
627 * @cert: is the certificate to be verified
628 * @name: is the certificate's name
629 * @name_size: is the certificate's name size
630 * @flags: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.
631 * @verify: will hold the certificate verification output.
632 * @func: If non-null will be called on each chain element verification with the output.
633 *
634 * This function will try to find a certificate that is associated with the provided
635 * name --see gnutls_x509_trust_list_add_named_crt(). If a match is found the certificate is considered valid. In addition to that
636 * this function will also check CRLs. The @verify parameter will hold an OR'ed sequence of
637 * %gnutls_certificate_status_t flags.
638 *
639 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
640 * negative error value.
641 *
642 * Since: 3.0
643 **/
644 int
646 gnutls_x509_crt_t cert,
651 gnutls_verify_output_function func)
652 {
653 gnutls_datum_t dn;
662 }
672 if (check_if_same_cert(cert, list->node[hash].named_certs[i].cert) == 0) { /* check if name matches */
678 }
679 }
680 }
685 /* Check revocation of individual certificates.
686 * start with the last one that we already have its hash
687 */
691 func);
696 }
699 }
701 /* return 0 if @cert is in @list, 1 if not, or < 0 on error. */
702 int
704 gnutls_x509_crt_t cert)
705 {
706 gnutls_datum_t dn;
713 {
716 }
724 {
727 {
730 }
734 }
737 }