authorNikos Mavrogiannopoulos <nmav@gnutls.org>2003-03-03 16:02:19 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2003-03-03 16:02:19 +0000
commit12f135e099a570991ace460a83a291a136604c71 (patch)
tree85c5692f7f936b22fa9718a94dfe1eed4d5e90b8
parent4b8dd2d4c4098cfde70a70326ae5035eb53214b3 (diff)
downloadgnutls-12f135e099a570991ace460a83a291a136604c71.tar.gz
Added a flag that allows v1 X.509 certificates to be accepted as signers. Also added a function to allow setting the verification flags in the credentials structure.
-rw-r--r--includes/gnutls/x509.h6
-rw-r--r--lib/auth_cert.h4
-rw-r--r--lib/gnutls.h.in.in5
-rw-r--r--lib/gnutls_ui.c21
-rw-r--r--lib/gnutls_x509.c3
-rw-r--r--lib/x509/verify.c12
-rw-r--r--lib/x509/verify.h3
-rw-r--r--src/cli.c4
-rw-r--r--src/common.c2
9 files changed, 47 insertions, 13 deletions
diff --git a/includes/gnutls/x509.h b/includes/gnutls/x509.h
index 16b4fefd27..ecc2cc6254 100644
--- a/includes/gnutls/x509.h
+++ b/includes/gnutls/x509.h
@@ -157,9 +157,13 @@ int gnutls_pkcs7_get_certificate(gnutls_pkcs7 pkcs7, int indx,
*/
typedef enum gnutls_certificate_verify_flags {
- GNUTLS_VERIFY_DISABLE_CA_SIGN=1 /* if set a signer does not have to be
+ GNUTLS_VERIFY_DISABLE_CA_SIGN=1, /* if set a signer does not have to be
* a certificate authority.
*/
+ GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT=2 /* Allow CA certificates that have version 1.
+ * This might be dangerous since those haven't
+ * the basicConstraints extension.
+ */
} gnutls_certificate_verify_flags;
int gnutls_x509_crt_check_issuer( gnutls_x509_crt cert,
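Review bot: The comment on GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT at L34–L37 says the flag "might be dangerous" without saying what the verifier gives up, which is what a caller choosing the flag needs to know. Suggest `/* Allow CA certificates of version 1. A v1 certificate carries no extensions, so basicConstraints cannot be checked and any v1 certificate matched as issuer is treated as a CA. */`, which is what the lib/x509/verify.c hunk at L129–L143 does when the flag is set. The same enum is defined a second time in lib/x509/verify.h (hunk at L156–L163) with the values repeated; the two copies must stay in sync, so a comment pointing at the other definition, or having one header include the other, would prevent them drifting apart.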
diff --git a/lib/auth_cert.h b/lib/auth_cert.h
index f0d28cd605..05165ebc4e 100644
--- a/lib/auth_cert.h
+++ b/lib/auth_cert.h
@@ -48,6 +48,10 @@ typedef struct {
gnutls_x509_crl * x509_crl_list;
uint x509_ncrls;/* number of CRLs in the crl_list
*/
+
+ unsigned int verify_flags; /* flags to be used at
+ * certificate verification.
+ */
/* holds a sequence of the
* RDNs of the CAs above.
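Review bot: verify_flags is added to the credentials structure at L49 but nothing in this commit initializes it, and it is read as `cred->verify_flags` in lib/gnutls_x509.c (hunk at L110–L117). If gnutls_certificate_allocate_credentials does not zero the structure (its body is not on this page), callers that never call gnutls_certificate_set_verify_flags would pass an indeterminate value to gnutls_x509_crt_list_verify, which could set GNUTLS_VERIFY_DISABLE_CA_SIGN by accident. Setting `res->verify_flags = 0;` in the allocation function, or confirming it already uses calloc, closes that gap. The struct definition starts before this hunk.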
diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in
index 28a453bcea..43ad152d41 100644
--- a/lib/gnutls.h.in.in
+++ b/lib/gnutls.h.in.in
@@ -301,8 +301,9 @@ int gnutls_anon_allocate_client_credentials( gnutls_anon_server_credentials *sc)
void gnutls_certificate_free_credentials( gnutls_certificate_credentials sc);
int gnutls_certificate_allocate_credentials( gnutls_certificate_credentials *sc);
-int gnutls_certificate_set_dh_params(gnutls_certificate_credentials res, gnutls_dh_params);
-int gnutls_certificate_set_rsa_params(gnutls_certificate_credentials res, gnutls_rsa_params rsa_params);
+void gnutls_certificate_set_dh_params(gnutls_certificate_credentials res, gnutls_dh_params);
+void gnutls_certificate_set_rsa_params(gnutls_certificate_credentials res, gnutls_rsa_params rsa_params);
+void gnutls_certificate_set_verify_flags(gnutls_certificate_credentials res, unsigned int flags);
int gnutls_certificate_set_x509_trust_file( gnutls_certificate_credentials res, const char* CAFILE,
gnutls_x509_crt_fmt);
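Review bot: Changing gnutls_certificate_set_dh_params and gnutls_certificate_set_rsa_params from int to void at L63–L64 (implemented in lib/gnutls_ui.c, hunks at L72–L95 and L96–L105) is a source- and binary-compatibility break for a public API: existing callers that check the return value stop compiling, and the commit message does not mention it. If the functions really cannot fail, keeping `int` and returning 0 preserves compatibility; otherwise the change should be called out in the commit message and release notes. The new prototype at L65 takes `unsigned int flags`, which is fine for an OR of gnutls_certificate_verify_flags values, but the header should say so next to the declaration.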
diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c
index 8a36d11d70..36b21eb33b 100644
--- a/lib/gnutls_ui.c
+++ b/lib/gnutls_ui.c
@@ -334,9 +334,22 @@ void gnutls_anon_set_server_dh_params( gnutls_anon_server_credentials res, gnutl
* cipher suites.
*
**/
-int gnutls_certificate_set_dh_params(gnutls_certificate_credentials res, gnutls_dh_params dh_params) {
+void gnutls_certificate_set_dh_params(gnutls_certificate_credentials res, gnutls_dh_params dh_params) {
res->dh_params = dh_params;
- return 0;
+}
+
+/**
+ * gnutls_certificate_set_verify_flags - This function will set the flags to be used at certificate verification
+ * @res: is a gnutls_certificate_credentials structure
+ * @flags: are the flagsis a structure that holds diffie hellman parameters.
+ *
+ * This function will set the flags to be used at verification of the certificates.
+ * Flags must be OR of the gnutls_certificate_verify_flags enumerations.
+ *
+ **/
+void gnutls_certificate_set_verify_flags(gnutls_certificate_credentials res, unsigned int flags)
+{
+ res->verify_flags = flags;
}
/**
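Review bot: The @flags line of the new doc comment at L85 reads `@flags: are the flagsis a structure that holds diffie hellman parameters.`, a leftover from the dh_params comment it was copied from. Replace it with `@flags: are the verification flags, an OR of gnutls_certificate_verify_flags values`. The comment also says the flags "must be OR of the enumerations" but the setter at L91–L94 stores any value unchecked; the verification code on this page (lib/x509/verify.c, L139–L140) tests only the two defined bits, so either document that unknown bits are ignored or reject them here, whichever the rest of the verifier (not visible) expects.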
@@ -349,7 +362,7 @@ int gnutls_certificate_set_dh_params(gnutls_certificate_credentials res, gnutls_
* cipher suites.
*
**/
-int gnutls_certificate_set_rsa_params(gnutls_certificate_credentials res, gnutls_rsa_params rsa_params) {
+void gnutls_certificate_set_rsa_params(gnutls_certificate_credentials res, gnutls_rsa_params rsa_params)
+{
res->rsa_params = rsa_params;
- return 0;
}
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index 668094d79d..971d16e72e 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -131,7 +131,8 @@ int _gnutls_x509_cert_verify_peers(gnutls_session session)
gnutls_x509_crt_list_verify(peer_certificate_list,
peer_certificate_list_size,
cred->x509_ca_list, cred->x509_ncas,
- cred->x509_crl_list, cred->x509_ncrls, 0, &verify);
+ cred->x509_crl_list, cred->x509_ncrls,
+ cred->verify_flags, &verify);
CLEAR_CERTS;
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 562bf0ac17..e0cfaedf0b 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -185,7 +185,7 @@ static int _gnutls_verify_certificate2(gnutls_x509_crt cert,
/* CRL is ignored for now */
gnutls_x509_crt issuer;
- int ret;
+ int ret, issuer_version;
if (tcas_size >= 1)
issuer = find_issuer(cert, trusted_cas, tcas_size);
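Review bot: `gnutls_x509_crt issuer;` at L124 is still assigned only when tcas_size >= 1 (L127–L128), and the next hunk (L133) now passes it to gnutls_x509_crt_get_version. The lines between the two hunks are not on this page; if they do not return for the tcas_size == 0 or issuer-not-found case, that call reads an indeterminate pointer. Initializing it, `gnutls_x509_crt issuer = NULL;`, and checking for NULL before the version lookup makes the path safe regardless of what the intervening code does. _gnutls_verify_certificate2 starts before this hunk.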
@@ -202,7 +202,14 @@ static int _gnutls_verify_certificate2(gnutls_x509_crt cert,
return 0;
}
- if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN)) {
+ issuer_version = gnutls_x509_crt_get_version( issuer);
+ if (issuer_version < 0) {
+ gnutls_assert();
+ return issuer_version;
+ }
+
+ if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
+ !((flags & GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT) && issuer_version == 1)) {
if (check_if_ca(cert, issuer)==0) {
gnutls_assert();
return 0;
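Review bot: The condition at L139–L140 skips check_if_ca entirely when GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is set and the issuer is v1, so any v1 certificate that find_issuer matched is treated as a CA with no substitute constraint; whether find_issuer only consults the trusted set or also the peer-supplied chain is decided outside this hunk, so that should be confirmed before relying on the flag. The comparison `issuer_version == 1` assumes gnutls_x509_crt_get_version returns the human-readable version (1 for v1) rather than the DER-encoded value (0 for v1); the header is not on this page, so confirm. Separately, the version is fetched at L133 and a failure is fatal even when GNUTLS_VERIFY_DISABLE_CA_SIGN is set and the value is never consulted; fetching it only when the v1 flag is set keeps the disabled path unchanged and documents why the check is skipped.

```c
	/* … unchanged: issuer lookup and trusted-certificate check … */
	issuer_version = 0;
	if (flags & GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT) {
		/* X.509 v1 certificates carry no extensions, so basicConstraints
		 * cannot be checked; the caller has opted to accept a v1 issuer
		 * as a CA anyway. */
		issuer_version = gnutls_x509_crt_get_version( issuer);
		if (issuer_version < 0) {
			gnutls_assert();
			return issuer_version;
		}
	}

	if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
	    !((flags & GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT) && issuer_version == 1)) {
	/* … unchanged: check_if_ca … */
```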
@@ -569,7 +576,6 @@ int ret, issuer_params_size, i;
*
* GNUTLS_CERT_CORRUPTED\: the certificate is corrupted.
*
- *
* Returns 0 on success and a negative value in case of an error.
*
**/
diff --git a/lib/x509/verify.h b/lib/x509/verify.h
index d73e842e26..c8c677bac0 100644
--- a/lib/x509/verify.h
+++ b/lib/x509/verify.h
@@ -1,7 +1,8 @@
#include "x509.h"
typedef enum gnutls_certificate_verify_flags {
- GNUTLS_VERIFY_DISABLE_CA_SIGN=1
+ GNUTLS_VERIFY_DISABLE_CA_SIGN=1,
+ GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT=2
} gnutls_certificate_verify_flags;
int gnutls_x509_crt_is_issuer( gnutls_x509_crt cert,
diff --git a/src/cli.c b/src/cli.c
index 878cb30c4b..ae1fcd3166 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -585,6 +585,10 @@ int ret;
exit(1);
}
+ /* there are some intermediate CAs that have a v1 certificate *%&@#*%&
+ */
+ gnutls_certificate_set_verify_flags( xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
+
if (x509_cafile != NULL) {
ret =
gnutls_certificate_set_x509_trust_file(xcred,
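Review bot: gnutls_certificate_set_verify_flags(xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT) at L173 turns the relaxed mode on unconditionally for every client run, while the header this commit adds (includes/gnutls/x509.h, L34–L37) describes the flag as possibly dangerous. Make it opt-in through a command-line option so the default verifies strictly and the relaxation is visible in the invocation, e.g. `if (allow_v1_ca) gnutls_certificate_set_verify_flags( xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);` (the option variable name is constructed here). The comment at L171 should state the consequence plainly instead of the current wording, e.g. `/* some intermediate CAs still use v1 certificates, which carry no basicConstraints; accept them as issuers */`. The enclosing function starts before the hunk.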
diff --git a/src/common.c b/src/common.c
index 9a3985e57b..0e36521430 100644
--- a/src/common.c
+++ b/src/common.c
@@ -241,7 +241,7 @@ void print_cert_vrfy(gnutls_session session)
}
if (status & GNUTLS_CERT_INVALID)
- printf("- Peer's certificate is invalid\n");
+ printf("- Peer's certificate chain is broken\n");
if (status & GNUTLS_CERT_NOT_TRUSTED)
printf("- Peer's certificate is NOT trusted\n");
else