author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2002-02-22 18:31:05 +0000 |
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2002-02-22 18:31:05 +0000 |
commit | 687ee1abc1b7d50d2e15f21e835dc1737120efb1 (patch) | |
tree | a1602c3c541bd3a7baeaf3b339c091c2233e431a | |
parent | f251995312be18c752f69801d3f037cac5c024fc (diff) | |
download | gnutls-687ee1abc1b7d50d2e15f21e835dc1737120efb1.tar.gz |
Changed certificate verification functions.
-rw-r--r-- | doc/tex/ex3.tex | 41 | ||||
-rw-r--r-- | lib/auth_cert.c | 7 | ||||
-rw-r--r-- | lib/auth_dhe.c | 4 | ||||
-rw-r--r-- | lib/auth_rsa.c | 4 | ||||
-rw-r--r-- | lib/gnutls.h.in.in | 13 | ||||
-rw-r--r-- | lib/gnutls_cert.c | 17 | ||||
-rw-r--r-- | lib/gnutls_x509.c | 12 | ||||
-rw-r--r-- | lib/x509_sig_check.c | 4 | ||||
-rw-r--r-- | lib/x509_verify.c | 45 | ||||
-rw-r--r-- | src/common.c | 31 | ||||
-rw-r--r-- | src/serv.c | 7 |
11 files changed, 88 insertions, 97 deletions
diff --git a/doc/tex/ex3.tex b/doc/tex/ex3.tex
index 513f6d95d5..4c60e4255a 100644
--- a/doc/tex/ex3.tex
+++ b/doc/tex/ex3.tex
@@ -18,7 +18,7 @@ int print_info(GNUTLS_STATE state)
 GNUTLS_CredType cred;
 gnutls_x509_dn dn;
 const gnutls_datum *cert_list;
- GNUTLS_CertificateStatus status;
+ int status;
 int cert_list_size = 0;
 GNUTLS_KXAlgorithm kx;
@@ -40,24 +40,27 @@ int print_info(GNUTLS_STATE state)
 */
 cert_list = gnutls_certificate_get_peers(state, &cert_list_size);
 status = gnutls_certificate_verify_peers(state);
-
- switch (status) {
- case GNUTLS_CERT_VALID:
- case GNUTLS_CERT_INVALID:
- printf("- Peer's certificate is NOT trusted\n");
- break;
- case GNUTLS_CERT_EXPIRED:
- printf("- Peer's certificate was verified but is expired\n");
- break;
- case GNUTLS_CERT_TRUSTED:
- printf("- Peer's certificate is trusted\n");
- break;
- case GNUTLS_CERT_NONE:
- printf("- Peer did not send any X509 Certificate.\n");
- break;
- case GNUTLS_CERT_REVOKED:
- printf("- Peer's certificate was revoked\n");
- break;
+
+ if ( status < 0) {
+ printf("- Could not verify certificate\n");
+ else {
+ if ( status == GNUTLS_CERT_NONE)
+ printf("- Peer did not send any X509 Certificate.\n");
+
+ if ( status & GNUTLS_CERT_VALID)
+ printf("- Peer's certificate is valid\n");
+ if ( status & GNUTLS_CERT_INVALID)
+ printf("- Peer's certificate is invalid\n");
+ if ( status & GNUTLS_CERT_EXPIRED)
+ printf("- Peer's certificate is expired\n");
+ if ( status & GNUTLS_CERT_TRUSTED)
+ printf("- Peer's certificate is trusted\n");
+ if ( status & GNUTLS_CERT_NOT_TRUSTED)
+ printf("- Peer's certificate is not trusted\n");
+ if ( status & GNUTLS_CERT_CORRUPTED)
+ printf("- Peer's certificate is corrupted.\n");
+ if ( status & GNUTLS_CERT_REVOKED)
+ printf("- Peer's certificate is revoked\n");
 }
 /* Check if we have been using ephemeral Diffie Hellman.
diff --git a/lib/auth_cert.c b/lib/auth_cert.c
index 8b1e515521..4edae862a9 100644
--- a/lib/auth_cert.c
+++ b/lib/auth_cert.c
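Review bot: The new example in print_info never closes the `if ( status < 0) {` block before `else {`, so the sample program as shown no longer compiles; the line after the printf should read `} else {`. Since readers copy this listing verbatim, it is worth fixing even though it is documentation. Everything else in the rewritten block is consistent with the new bit-flag status (the `status == GNUTLS_CERT_NONE` comparison is the right test for a zero value).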
@@ -859,8 +859,6 @@ int _gnutls_proc_x509_server_certificate(GNUTLS_STATE state, opaque * data,
 return 0;
 }
-#ifdef HAVE_LIBOPENCDK
-
 #define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) gnutls_free_cert(peer_certificate_list[x])
 int _gnutls_proc_openpgp_server_certificate(GNUTLS_STATE state, opaque * data, int data_size)
@@ -1014,17 +1012,14 @@ int _gnutls_proc_openpgp_server_certificate(GNUTLS_STATE state,
 return 0;
 }
-#endif /* HAVE_LIBOPENCDK */
 int _gnutls_proc_cert_server_certificate(GNUTLS_STATE state, opaque * data, int data_size)
 {
 switch (state->security_parameters.cert_type) {
-#ifdef HAVE_LIBOPENCDK
 case GNUTLS_CRT_OPENPGP:
 return _gnutls_proc_openpgp_server_certificate(state, data, data_size);
-#endif /* HAVE_LIBOPENCDK */
 case GNUTLS_CRT_X509:
 return _gnutls_proc_x509_server_certificate(state, data, data_size);
@@ -1217,7 +1212,6 @@ int _gnutls_proc_cert_client_cert_vrfy(GNUTLS_STATE state, opaque * data,
 info-> raw_certificate_list[0]);
 break;
-#ifdef HAVE_LIBOPENCDK
 case GNUTLS_CRT_OPENPGP:
 ret = _gnutls_openpgp_cert2gnutls_cert(&peer_cert,
@@ -1225,7 +1219,6 @@ int _gnutls_proc_cert_client_cert_vrfy(GNUTLS_STATE state, opaque * data,
 raw_certificate_list [0]);
 break;
-#endif /* HAVE_LIBOPENCDK */
 default:
 gnutls_assert();
 return GNUTLS_E_UNKNOWN_ERROR;
diff --git a/lib/auth_dhe.c b/lib/auth_dhe.c
index 4253ddddf8..bb08245117 100644
--- a/lib/auth_dhe.c
+++ b/lib/auth_dhe.c
@@ -387,7 +387,7 @@ static int proc_dhe_server_kx(GNUTLS_STATE state, opaque * data,
 return ret;
 }
 break;
-#ifdef HAVE_LIBOPENCDK
+
 case GNUTLS_CRT_OPENPGP:
 if ((ret = _gnutls_openpgp_cert2gnutls_cert( &peer_cert,
@@ -396,7 +396,7 @@ static int proc_dhe_server_kx(GNUTLS_STATE state, opaque * data,
 return ret;
 }
 break;
-#endif /* HAVE_LIBOPENCDK */
+
 default:
 gnutls_assert();
 return GNUTLS_E_UNKNOWN_ERROR;
diff --git a/lib/auth_rsa.c b/lib/auth_rsa.c
index b718c566ab..6b3c77d84e 100644
--- a/lib/auth_rsa.c
+++ b/lib/auth_rsa.c
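Review bot: Dropping every `#ifdef HAVE_LIBOPENCDK` guard in auth_cert.c makes `_gnutls_proc_openpgp_server_certificate` and `_gnutls_openpgp_cert2gnutls_cert` unconditional references; unless those symbols are also provided for builds without OpenCDK (nothing in this commit shows that), such builds now fail to link or, if a stub exists, silently take the OpenPGP path. The same applies to the guards removed in auth_dhe.c, auth_rsa.c and gnutls_cert.c. If the intent is that OpenCDK is now mandatory, the commit message should say so; otherwise keep the guards around the `case GNUTLS_CRT_OPENPGP:` arms. As a style point, auth_dhe.c and auth_rsa.c replace the removed `#ifdef`/`#endif` lines with empty `+` lines instead of deleting them.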
@@ -86,7 +86,7 @@ gnutls_cert peer_cert;
 return ret;
 }
 break;
-#ifdef HAVE_LIBOPENCDK
+
 case GNUTLS_CRT_OPENPGP:
 if ((ret = _gnutls_openpgp_cert2gnutls_cert( &peer_cert,
@@ -95,7 +95,7 @@ gnutls_cert peer_cert;
 return ret;
 }
 break;
-#endif /* HAVE_LIBOPENCDK */
+
 default:
 gnutls_assert();
 return GNUTLS_E_UNKNOWN_ERROR;
diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in
index 98533a4beb..483d7dbab6 100644
--- a/lib/gnutls.h.in.in
+++ b/lib/gnutls.h.in.in
@@ -56,13 +56,12 @@ typedef enum GNUTLS_AlertDescription { GNUTLS_A_CLOSE_NOTIFY, GNUTLS_A_UNEXPECTE
 GNUTLS_A_NO_RENEGOTIATION=100
 } GNUTLS_AlertDescription;
-/* Currently the VALID flag is not used. It indicates a certificate
- * which is not trusted, but it is neither expired nor revoked,
- * and the signatures in the chain were verified.
- */
-typedef enum GNUTLS_CertificateStatus { GNUTLS_CERT_TRUSTED=1,
- GNUTLS_CERT_VALID, GNUTLS_CERT_INVALID, GNUTLS_CERT_EXPIRED,
- GNUTLS_CERT_REVOKED, GNUTLS_CERT_NONE
+typedef enum GNUTLS_CertificateStatus {
+ GNUTLS_CERT_NONE = 0, GNUTLS_CERT_TRUSTED=1,
+ GNUTLS_CERT_NOT_TRUSTED=2,
+ GNUTLS_CERT_VALID=4, GNUTLS_CERT_INVALID=8, /* for openpgp use */
+ GNUTLS_CERT_EXPIRED=16, GNUTLS_CERT_CORRUPTED=32,
+ GNUTLS_CERT_REVOKED=64
 } GNUTLS_CertificateStatus;
 typedef enum GNUTLS_CertificateRequest { GNUTLS_CERT_IGNORE, GNUTLS_CERT_REQUEST=1, GNUTLS_CERT_REQUIRE } GNUTLS_CertificateRequest;
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index a0b5891b2c..1c80811c0b 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -297,7 +297,6 @@ void gnutls_certificate_server_set_select_func(GNUTLS_STATE state,
 state->gnutls_internals.server_cert_callback = func;
 }
-#ifdef HAVE_LIBOPENCDK
 /*-
 * _gnutls_openpgp_cert_verify_peers - This function returns the peer's certificate status
 * @state: is a gnutls state
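Review bot: The new GNUTLS_CertificateStatus enum in gnutls.h.in.in turns every value into a bit flag except `GNUTLS_CERT_NONE = 0`, which is a full status rather than a flag and can never be detected with `status & GNUTLS_CERT_NONE` (src/common.c in this same commit does exactly that). The header should state the rule where callers will see it, e.g. a comment above the typedef: `/* GNUTLS_CERT_NONE (0) is a complete status and must be tested with ==; all other values are bit flags and may be combined with |. */`. The trailing `/* for openpgp use */` on the VALID/INVALID line is also ambiguous about whether it covers both constants or only GNUTLS_CERT_INVALID; put it on the one it applies to.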
@@ -344,7 +343,7 @@ int _gnutls_openpgp_cert_verify_peers(GNUTLS_STATE state)
 /* Verify certificate */
- verify = gnutls_openpgp_verify_key( &cred->trustdb, &cred->keyring, &info->raw_certificate_list[0],
+ verify = gnutls_openpgp_verify_key( cred->pgp_trustdb, &cred->keyring, &info->raw_certificate_list[0],
 peer_certificate_list_size);
 if (verify < 0) {
@@ -355,7 +354,6 @@ int _gnutls_openpgp_cert_verify_peers(GNUTLS_STATE state)
 return verify;
 }
-#endif /* HAVE_LIBOPENCDK */
 /**
 * gnutls_certificate_verify_peers - This function returns the peer's certificate verification status
@@ -366,17 +364,18 @@ int _gnutls_openpgp_cert_verify_peers(GNUTLS_STATE state)
 * However you must also check the peer's name in order to check if the verified certificate belongs to the
 * actual peer.
 *
- * The return values are:
+ * The return value (status) should be one or more of the CertificateStatus
+ * enumerated elements bitwise or'd.
 *
 * GNUTLS_CERT_NONE: No certificate was sent by the peer.
 * GNUTLS_CERT_TRUSTED: the peer's certificate is trusted.
- * GNUTLS_CERT_VALID: the certificate is not trusted,
- * but the certificate chain is ok.
- * GNUTLS_CERT_INVALID: the certificate is not trusted, and
- * the certificate chain is broken..
+ * GNUTLS_CERT_NOT_TRUSTED: the peer's certificate is not trusted.
+ * GNUTLS_CERT_VALID: the certificate chain is ok.
+ * GNUTLS_CERT_INVALID: the certificate chain is broken.
 * GNUTLS_CERT_REVOKED: the certificate has been revoked
 * (not implemented yet).
 * GNUTLS_CERT_EXPIRED: the certificate has expired.
+ * GNUTLS_CERT_CORRUPTED: the certificate is corrupted.
 *
 * A negative error code is returned in case of an error.
 *
@@ -400,10 +399,8 @@ int gnutls_certificate_verify_peers(GNUTLS_STATE state)
 switch( gnutls_cert_type_get( state)) {
 case GNUTLS_CRT_X509:
 return _gnutls_x509_cert_verify_peers( state);
-#ifdef HAVE_LIBOPENCDK
 case GNUTLS_CRT_OPENPGP:
 return _gnutls_openpgp_cert_verify_peers( state);
-#endif /* HAVE_LIBOPENCDK */
 default:
 return GNUTLS_E_INVALID_REQUEST;
 }
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index 6cb3634220..327502579e 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -762,7 +762,7 @@ int _gnutls_x509_cert_verify_peers(GNUTLS_STATE state)
 if (verify < 0) {
 gnutls_assert();
- return GNUTLS_CERT_INVALID;
+ return verify;
 }
@@ -781,9 +781,13 @@ int _gnutls_x509_cert_verify_peers(GNUTLS_STATE state)
 * @CRL_list_length: not used
 *
 * This function will try to verify the given certificate list and return it's status (TRUSTED, EXPIRED etc.).
- * The return value (status) should be one of the CertificateStatus enumerated elements.
+ * The return value (status) should be one or more of the CertificateStatus
+ * enumerated elements bitwise or'd.
+ *
 * However you must also check the peer's name in order to check if the verified certificate belongs to the
- * actual peer. Returns a negative error code in case of an error.
+ * actual peer.
+ *
+ * Returns a negative error code in case of an error.
 *
 **/
 int gnutls_x509_verify_certificate( const gnutls_datum* cert_list, int cert_list_length, const gnutls_datum * CA_list, int CA_list_length, const gnutls_datum* CRL_list, int CRL_list_length)
@@ -861,7 +865,7 @@ int gnutls_x509_verify_certificate( const gnutls_datum* cert_list, int cert_list
 if (verify < 0) {
 gnutls_assert();
- return GNUTLS_CERT_INVALID;
+ return verify;
 }
 return verify;
diff --git a/lib/x509_sig_check.c b/lib/x509_sig_check.c
index 188a01d950..fc518f4c65 100644
--- a/lib/x509_sig_check.c
+++ b/lib/x509_sig_check.c
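Review bot: In the -861 hunk of gnutls_x509.c, `if (verify < 0) { gnutls_assert(); return verify; }` is now immediately followed by `return verify;`, so the branch only differs from the fall-through by the assert trace; either drop the branch or keep it with a comment saying the trace is the point, `/* keep: gnutls_assert() logs the failing site */`. The updated docstring above gnutls_x509_verify_certificate should also tell callers that GNUTLS_CERT_NONE is zero and must be compared with `==`, and that a negative value is an error code and not a status, since the doc now talks only about or'd flags.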
@@ -211,7 +211,7 @@ gnutls_datum tbs;
 }
 gnutls_free_datum(&tbs);
- return GNUTLS_CERT_TRUSTED;
+ return GNUTLS_CERT_VALID;
 break;
 case GNUTLS_PK_DSA:
@@ -222,7 +222,7 @@ gnutls_datum tbs;
 }
 gnutls_free_datum(&tbs);
- return GNUTLS_CERT_TRUSTED;
+ return GNUTLS_CERT_VALID;
 break;
 }
diff --git a/lib/x509_verify.c b/lib/x509_verify.c
index 5ab80b427a..5f27b3990b 100644
--- a/lib/x509_verify.c
+++ b/lib/x509_verify.c
@@ -326,7 +326,7 @@ int gnutls_verify_certificate2(gnutls_cert * cert, gnutls_cert * trusted_cas, in
 }
 ret = gnutls_x509_verify_signature(cert, issuer);
- if (ret != GNUTLS_CERT_TRUSTED) {
+ if (ret != GNUTLS_CERT_VALID) {
 gnutls_assert();
 return ret;
 }
@@ -340,7 +340,7 @@ int gnutls_verify_certificate2(gnutls_cert * cert, gnutls_cert * trusted_cas, in
 return ret;
 }
- return GNUTLS_CERT_TRUSTED;
+ return GNUTLS_CERT_VALID;
 }
 /* The algorithm used is:
@@ -360,12 +360,11 @@ int _gnutls_x509_verify_certificate( gnutls_cert * certificate_list, int clist_size,
 gnutls_cert * trusted_cas, int tcas_size,
 void *CRLs, int crls_size)
 {
- int i = 0;
- int expired = 0;
- CertificateStatus ret=GNUTLS_CERT_INVALID;
+ int i = 0, ret;
+ CertificateStatus status=GNUTLS_CERT_NONE;
 if (tcas_size == 0 || clist_size == 0) {
- return ret;
+ return status;
 }
 /* Verify the certificate path */
@@ -373,17 +372,16 @@ int _gnutls_x509_verify_certificate( gnutls_cert * certificate_list,
 if (i + 1 >= clist_size)
 break;
- if ((ret = gnutls_verify_certificate2(&certificate_list[i], &certificate_list[i + 1], 1, NULL, 0)) != GNUTLS_CERT_TRUSTED) {
+ if ((ret = gnutls_verify_certificate2(&certificate_list[i], &certificate_list[i + 1], 1, NULL, 0)) != GNUTLS_CERT_VALID) {
 /*
 * We only accept the first certificate to be
- * expired. If any of the certificates in the
+ * expired, revoked etc. If any of the certificates in the
 * certificate chain is expired then the certificate
 * is not valid.
 */
- if (ret == GNUTLS_CERT_EXPIRED) {
+ if (ret >= 0 && i==0) {
 gnutls_assert();
- if (i==0) expired = 1;
- else return GNUTLS_CERT_INVALID;
+ status |= ret;
 } else {
 gnutls_assert();
 return GNUTLS_CERT_INVALID;
@@ -396,23 +394,26 @@ int _gnutls_x509_verify_certificate( gnutls_cert * certificate_list,
 */
 ret = gnutls_verify_certificate2(&certificate_list[i], trusted_cas, tcas_size, CRLs, crls_size);
- if (ret==GNUTLS_CERT_EXPIRED) {
+ if (ret >=0 && ret != GNUTLS_CERT_VALID) {
 /* if the last certificate in the certificate
 * list is expired, then the certificate is not
 * trusted.
 */
 gnutls_assert();
- return GNUTLS_CERT_INVALID;
- } else {
- if (ret == GNUTLS_CERT_REVOKED) {
- gnutls_assert();
- return ret;
- }
+ status |= ret;
+ return (status | GNUTLS_CERT_NOT_TRUSTED);
+ }
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
 }
- if (expired != 0)
- return GNUTLS_CERT_EXPIRED;
-
- return ret;
+ status |= ret;
+
+ /* if we got here, then it's trusted.
+ */
+ status |= GNUTLS_CERT_TRUSTED;
+
+ return status;
 }
diff --git a/src/common.c b/src/common.c
index ffc71f83fd..c8adfe9567 100644
--- a/src/common.c
+++ b/src/common.c
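Review bot: In the -373 hunk the path loop now keeps going for the leaf on any non-negative status other than VALID (`if (ret >= 0 && i==0)`), and the -396 hunk then ORs GNUTLS_CERT_TRUSTED into the same `status`, so a leaf whose check against its issuer reported EXPIRED (or INVALID / REVOKED, if gnutls_x509_verify_signature reports those as non-negative statuses; its failure path is outside this diff) is returned with that flag and TRUSTED both set, and an application that only tests `status & GNUTLS_CERT_TRUSTED` accepts it, whereas the old code returned EXPIRED alone and INVALID for anything else. The leaf exception should stay limited to GNUTLS_CERT_EXPIRED as before, and TRUSTED should not be added when the accumulated status already carries a failure flag; a sketch follows. The -360 hunk has a related fail-open default: with no trusted CAs or an empty chain the function now returns GNUTLS_CERT_NONE (0), which reads as "no certificate" rather than as a failed verification, so `return GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED;` would keep that path fail-closed. The for loop enclosing the first hunk begins outside it.
```c
		if ((ret = gnutls_verify_certificate2(&certificate_list[i], &certificate_list[i + 1], 1, NULL, 0)) != GNUTLS_CERT_VALID) {
			/* Only an expired leaf is tolerated here; any other
			 * non-VALID status anywhere in the path fails the chain. */
			if (ret == GNUTLS_CERT_EXPIRED && i == 0) {
				gnutls_assert();
				status |= ret;
			} else {
				gnutls_assert();
				return GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED;
			}
		}
	/* … unchanged: end of path loop, final check against trusted_cas, negative-error return … */
	status |= ret;
	/* An expired leaf is reported, but never as trusted. */
	if (status & GNUTLS_CERT_EXPIRED)
		return status | GNUTLS_CERT_NOT_TRUSTED;
	status |= GNUTLS_CERT_TRUSTED;
	return status;
```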
@@ -114,31 +114,30 @@ void print_openpgp_info(GNUTLS_STATE state)
 void print_cert_vrfy(GNUTLS_STATE state)
 {
- GNUTLS_CertificateStatus status;
+ int status;
 status = gnutls_certificate_verify_peers(state);
 printf("\n");
- switch (status) {
- case GNUTLS_CERT_VALID:
+ if (status < 0) {
+ printf("- Could not verify certificate (err %d)\n", status);
+ return;
+ }
+
+ if (status & GNUTLS_CERT_VALID)
 printf("- Peer's certificate is NOT trusted but valid\n");
- break;
- case GNUTLS_CERT_INVALID:
+ if (status & GNUTLS_CERT_INVALID)
 printf("- Peer's certificate is invalid\n");
- break;
- case GNUTLS_CERT_EXPIRED:
+ if (status & GNUTLS_CERT_EXPIRED)
 printf ("- Peer's certificate was verified but is expired\n");
- break;
- case GNUTLS_CERT_TRUSTED:
+ if (status & GNUTLS_CERT_TRUSTED)
 printf("- Peer's certificate is trusted\n");
- break;
- case GNUTLS_CERT_NONE:
+ if (status & GNUTLS_CERT_NOT_TRUSTED)
+ printf("- Peer's certificate is NOT trusted\n");
+ if (status & GNUTLS_CERT_CORRUPTED)
+ printf("- Peer's certificate is corrupted\n");
+ if (status & GNUTLS_CERT_NONE)
 printf("- Peer did not send any certificate.\n");
- break;
- default:
- printf("- Invalid status of peer's certificate.\n");
- break;
- }
 }
diff --git a/src/serv.c b/src/serv.c
index 0cac483406..fbde73fc5d 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -352,12 +352,7 @@ int main(int argc, char **argv)
 exit(1);
 }
- if (gnutls_certificate_set_openpgp_keyserver
- (cert_cred, "wwwkeys.pgp.net", 0) < 0) {
- fprintf(stderr,
- "PGP ERROR\n");
- exit(1);
- }
+ gnutls_certificate_set_openpgp_keyserver(cert_cred, "wwwkeys.pgp.net", 0);
 if (gnutls_certificate_set_x509_key_file
 (cert_cred, CERTFILE1, KEYFILE1) < 0) { |
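Review bot: `if (status & GNUTLS_CERT_NONE)` in print_cert_vrfy is always false, because this commit defines GNUTLS_CERT_NONE as 0 in gnutls.h.in.in, so the "Peer did not send any certificate." line can never be printed; the test has to be `if (status == GNUTLS_CERT_NONE)`, placed before the flag checks. The VALID message is also now misleading: with the new x509_verify.c the trusted result carries both GNUTLS_CERT_VALID and GNUTLS_CERT_TRUSTED, so a trusted peer prints "NOT trusted but valid" followed by "trusted"; `printf("- Peer's certificate chain is valid\n");` describes the flag on its own and leaves trust to the TRUSTED/NOT_TRUSTED lines.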
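Review bot: The return value of `gnutls_certificate_set_openpgp_keyserver(cert_cred, "wwwkeys.pgp.net", 0);` in serv.c is now discarded, so a failure to configure the keyserver is completely silent where it used to be fatal. If the intent is that a missing keyserver should not stop the server, a non-fatal diagnostic keeps the operator informed, e.g. `if (gnutls_certificate_set_openpgp_keyserver(cert_cred, "wwwkeys.pgp.net", 0) < 0) fprintf(stderr, "Warning: could not set the OpenPGP keyserver\n");`. main continues outside the hunk.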