diff options
| author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2003-10-30 15:09:38 +0000 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2003-10-30 15:09:38 +0000 |
| commit | 602377951c230c2d6ca05f88c6445ee2d12ecd26 (patch) | |
| tree | f381ab53e59a7f1f12047be63fd4d604585fb0d1 | |
| parent | 2b3d7c7e1455b8b02f02be382fa82c44f2790243 (diff) | |
| download | gnutls-602377951c230c2d6ca05f88c6445ee2d12ecd26.tar.gz | |
introduced gnutls_const_datum for gnutls_pkcs12_bag_get_data(). Some other cleanups in the verification functions.
| -rw-r--r-- | includes/gnutls/pkcs12.h | 2 | ||||
| -rw-r--r-- | lib/gnutls.h.in.in | 5 | ||||
| -rw-r--r-- | lib/x509/pkcs12_bag.c | 2 | ||||
| -rw-r--r-- | lib/x509/verify.c | 33 | ||||
| -rw-r--r-- | src/certtool.c | 12 |
5 files changed, 42 insertions, 12 deletions
diff --git a/includes/gnutls/pkcs12.h b/includes/gnutls/pkcs12.h index 84b312a153..49617c81be 100644 --- a/includes/gnutls/pkcs12.h +++ b/includes/gnutls/pkcs12.h @@ -65,7 +65,7 @@ typedef enum gnutls_pkcs12_bag_type { } gnutls_pkcs12_bag_type; gnutls_pkcs12_bag_type gnutls_pkcs12_bag_get_type(gnutls_pkcs12_bag bag, int indx); -int gnutls_pkcs12_bag_get_data(gnutls_pkcs12_bag bag, int indx, gnutls_datum* data); +int gnutls_pkcs12_bag_get_data(gnutls_pkcs12_bag bag, int indx, gnutls_const_datum* data); int gnutls_pkcs12_bag_set_data(gnutls_pkcs12_bag bag, gnutls_pkcs12_bag_type type, const gnutls_datum* data); diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in index a36629c6a7..94966e3656 100644 --- a/lib/gnutls.h.in.in +++ b/lib/gnutls.h.in.in @@ -153,6 +153,11 @@ typedef struct { unsigned int size; } gnutls_datum; +typedef struct { + const unsigned char * data; + unsigned int size; +} gnutls_const_datum; + /* internal functions */ int gnutls_init(gnutls_session * session, gnutls_connection_end con_end); diff --git a/lib/x509/pkcs12_bag.c b/lib/x509/pkcs12_bag.c index 2193dd987c..2617c56700 100644 --- a/lib/x509/pkcs12_bag.c +++ b/lib/x509/pkcs12_bag.c @@ -123,7 +123,7 @@ int gnutls_pkcs12_bag_get_count(gnutls_pkcs12_bag bag) * This function will return the bag's data. * **/ -int gnutls_pkcs12_bag_get_data(gnutls_pkcs12_bag bag, int indx, gnutls_datum* data) +int gnutls_pkcs12_bag_get_data(gnutls_pkcs12_bag bag, int indx, gnutls_const_datum* data) { if (indx >= bag->bag_elements) return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; diff --git a/lib/x509/verify.c b/lib/x509/verify.c index f102f372c3..e6f1ecf937 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -48,7 +48,7 @@ static int is_crl_issuer(gnutls_x509_crl crl, gnutls_x509_crt issuer_cert); static int _gnutls_verify_crl2(gnutls_x509_crl crl, gnutls_x509_crt *trusted_cas, int tcas_size, - unsigned int flags); + unsigned int flags, unsigned int *output); /* Checks if the issuer of a certificate is a @@ -593,9 +593,14 @@ int gnutls_x509_crt_verify( gnutls_x509_crt cert, gnutls_x509_crt *CA_list, int CA_list_length, unsigned int flags, unsigned int *verify) { +int ret; /* Verify certificate */ - _gnutls_verify_certificate2( cert, CA_list, CA_list_length, flags, verify); + ret = _gnutls_verify_certificate2( cert, CA_list, CA_list_length, flags, verify); + if (ret < 0) { + gnutls_assert(); + return ret; + } return 0; } @@ -658,10 +663,14 @@ int gnutls_x509_crl_verify( gnutls_x509_crl crl, gnutls_x509_crt *CA_list, int CA_list_length, unsigned int flags, unsigned int *verify) { +int ret; /* Verify crl */ - *verify = - _gnutls_verify_crl2( crl, CA_list, CA_list_length, flags); + ret = _gnutls_verify_crl2( crl, CA_list, CA_list_length, flags, verify); + if (ret < 0) { + gnutls_assert(); + return ret; + } return 0; } @@ -719,10 +728,13 @@ gnutls_x509_crt find_crl_issuer(gnutls_x509_crl crl, * was successfuly verified. * * 'flags': an OR of the gnutls_certificate_verify_flags enumeration. + * + * Output will hold information about the verification + * procedure. */ static int _gnutls_verify_crl2(gnutls_x509_crl crl, gnutls_x509_crt *trusted_cas, int tcas_size, - unsigned int flags) + unsigned int flags, unsigned int* output) { /* CRL is ignored for now */ gnutls_datum crl_signed_data = { NULL, 0 }; @@ -730,10 +742,13 @@ gnutls_datum crl_signature = { NULL, 0 }; gnutls_x509_crt issuer; int ret, result; + if (output) *output = 0; + if (tcas_size >= 1) issuer = find_crl_issuer(crl, trusted_cas, tcas_size); else { gnutls_assert(); + if (output) *output |= GNUTLS_CERT_ISSUER_NOT_FOUND | GNUTLS_CERT_NOT_TRUSTED; return 0; } @@ -742,6 +757,7 @@ int ret, result; */ if (issuer == NULL) { gnutls_assert(); + if (output) *output |= GNUTLS_CERT_ISSUER_NOT_FOUND | GNUTLS_CERT_NOT_TRUSTED; return 0; } @@ -749,6 +765,7 @@ int ret, result; if (gnutls_x509_crt_get_ca_status(issuer, NULL) != 1) { gnutls_assert(); + if (output) *output |= GNUTLS_CERT_ISSUER_NOT_CA | GNUTLS_CERT_NOT_TRUSTED; return 0; } } @@ -765,11 +782,13 @@ int ret, result; goto cleanup; } - ret = _gnutls_x509_verify_signature(&crl_signed_data, &crl_signature, issuer); - if (ret <= 0) { + if (ret < 0) { + gnutls_assert(); + } else if (ret == 0) { gnutls_assert(); /* error. ignore it */ + if (output) *output |= GNUTLS_CERT_NOT_TRUSTED; ret = 0; } diff --git a/src/certtool.c b/src/certtool.c index 9b98d5c0b5..686d935088 100644 --- a/src/certtool.c +++ b/src/certtool.c @@ -1562,9 +1562,9 @@ void print_bag_data(gnutls_pkcs12_bag bag) { int result; int count, i, type; -gnutls_datum data; +gnutls_const_datum cdata; const char* str; -gnutls_datum out; +gnutls_datum out, data; count = gnutls_pkcs12_bag_get_count( bag); if (count < 0) { @@ -1583,7 +1583,7 @@ gnutls_datum out; fprintf( outfile, "\tType: %s\n", BAGTYPE( type)); - result = gnutls_pkcs12_bag_get_data( bag, i, &data); + result = gnutls_pkcs12_bag_get_data( bag, i, &cdata); if (result < 0) { fprintf(stderr, "get_data: %s\n", gnutls_strerror(result)); exit(1); @@ -1608,6 +1608,12 @@ gnutls_datum out; str = NULL; } + /* we have to cast gnutls_const_datum to a + * plain datum. + */ + data.data = (unsigned char*)cdata.data; + data.size = cdata.size; + if (str != NULL) { gnutls_pem_base64_encode_alloc( str, &data, &out); fprintf( outfile, "%s\n", out.data); |