author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2010-03-16 23:07:46 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2010-03-16 23:45:22 +0100 |
commit | 65f77ad16aa4fbc3db0ef50c01eec467592711d6 (patch) | |
tree | 072eceadcd82123b297773264d7510cd09d5edc3 | |
parent | 8a5918561dea2e7f831b1515294fa2ab0b7ddab3 (diff) | |
download | gnutls-65f77ad16aa4fbc3db0ef50c01eec467592711d6.tar.gz |
gnutls_x509_crt_verify() and gnutls_x509_crt_list_verify() behave identically.
That means that gnutls_x509_crt_verify() will now check dates as well.
certtool --verify-chain will pass the GNUTLS_VERIFY_DO_NOT_ALLOW_SAME flag to
gnutls_x509_crt_verify() to force verification even if the certificates are the same.
The only exception is at the final certificate (self-checking) where the extra
flag GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is specified to allow for v1 CA certificates.
-rw-r--r-- | lib/x509/verify.c | 17 | ||||
-rw-r--r-- | src/certtool.c | 26 |
2 files changed, 17 insertions, 26 deletions
diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 5bb20bc95c..88b6911a73 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -1035,8 +1035,7 @@ gnutls_x509_crt_list_verify (const gnutls_x509_crt_t * cert_list, * @verify: will hold the certificate verification output. * * This function will try to verify the given certificate and return - * its status. The verification output in this functions cannot be - * GNUTLS_CERT_NOT_VALID. + * its status. * * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a * negative error value. @@ -1047,18 +1046,12 @@ gnutls_x509_crt_verify (gnutls_x509_crt_t cert, int CA_list_length, unsigned int flags, unsigned int *verify) { - int ret; /* Verify certificate */ - ret = - _gnutls_verify_certificate2 (cert, CA_list, CA_list_length, flags, - verify, NULL); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - + *verify = + _gnutls_x509_verify_certificate (&cert, 1, + CA_list, CA_list_length, NULL, + 0, flags); return 0; } diff --git a/src/certtool.c b/src/certtool.c index 96e2642c41..78445ed946 100644 --- a/src/certtool.c +++ b/src/certtool.c @@ -2006,7 +2006,7 @@ generate_request (void) static void print_verification_res (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer, gnutls_x509_crl_t * crl_list, - int crl_list_size); + int crl_list_size, unsigned int flags); #define CERT_SEP "-----BEGIN CERT" #define CRL_SEP "-----BEGIN X509 CRL" @@ -2150,7 +2150,7 @@ _verify_x509_mem (const void *cert, int cert_size) fprintf (outfile, "\tVerification output: "); print_verification_res (x509_cert_list[i - 2], x509_cert_list[i - 1], x509_crl_list, - x509_ncrls); + x509_ncrls, GNUTLS_VERIFY_DO_NOT_ALLOW_SAME); fprintf (outfile, ".\n\n"); } 
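Review bot: The rewritten body of gnutls_x509_crt_verify stores the result of _gnutls_x509_verify_certificate straight into *verify and returns 0 unconditionally, so the negative-error path that the old _gnutls_verify_certificate2 call propagated is gone and a caller can no longer tell "could not verify" from "verified, status bits follow" by the return value. If _gnutls_x509_verify_certificate reports internal failures only through the status bitmask (its contract is not visible here) that is acceptable, but the doc comment should say so: as left by this hunk it still promises "a negative error value" on failure, which the function never produces. I would also replace the sentence the hunk deleted with a precise one on the @verify line, `@verify: will hold the certificate verification output, a bitwise OR of gnutls_certificate_status_t values; the date checks (%GNUTLS_CERT_EXPIRED, %GNUTLS_CERT_NOT_ACTIVATED) are included, so any non-zero value is a failed verification.` The function's return type and first parameter lines lie above the hunk, and CA_list_length remains an int passed through without a sign check, as before.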
@@ -2196,7 +2196,9 @@ _verify_x509_mem (const void *cert, int cert_size) fprintf (outfile, "\tVerification output: "); print_verification_res (x509_cert_list[x509_ncerts - 1], x509_cert_list[x509_ncerts - 1], x509_crl_list, - x509_ncrls); + /* we add GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT since it is + * self signed. */ + x509_ncrls, GNUTLS_VERIFY_DO_NOT_ALLOW_SAME|GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); fprintf (outfile, ".\n\n"); @@ -2208,7 +2210,7 @@ _verify_x509_mem (const void *cert, int cert_size) &x509_cert_list[x509_ncerts - 1], 1, x509_crl_list, x509_ncrls, - GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, + GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT|GNUTLS_VERIFY_DO_NOT_ALLOW_SAME, &verify_status); if (ret < 0) error (EXIT_FAILURE, 0, "gnutls_x509_crt_list_verify: %s", @@ -2258,14 +2260,13 @@ _verify_x509_mem (const void *cert, int cert_size) static void print_verification_res (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer, - gnutls_x509_crl_t * crl_list, int crl_list_size) + gnutls_x509_crl_t * crl_list, int crl_list_size, unsigned int flags) { unsigned int output; int comma = 0; int ret; - time_t now = time (0); - ret = gnutls_x509_crt_verify (crt, &issuer, 1, 0, &output); + ret = gnutls_x509_crt_verify (crt, &issuer, 1, flags , &output); if (ret < 0) error (EXIT_FAILURE, 0, "verification error: %s", gnutls_strerror (ret)); @@ -2296,23 +2297,20 @@ print_verification_res (gnutls_x509_crt_t crt, comma = 1; } - /* Check expiration dates. - */ - - if (gnutls_x509_crt_get_activation_time (crt) > now) + if (output & GNUTLS_CERT_NOT_ACTIVATED) { if (comma) fprintf (outfile, ", "); - comma = 1; fprintf (outfile, "Not activated"); + comma = 1; } - if (gnutls_x509_crt_get_expiration_time (crt) < now) + if (output & GNUTLS_CERT_EXPIRED) { if (comma) fprintf (outfile, ", "); - comma = 1; fprintf (outfile, "Expired"); + comma = 1; } ret = gnutls_x509_crt_check_revocation (crt, crl_list, crl_list_size); |
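Review bot: In the print_verification_res hunk the call `ret = gnutls_x509_crt_verify (crt, &issuer, 1, flags , &output);` keeps the `error (EXIT_FAILURE, ...)` branch on `ret < 0`, but with the verify.c change in this same commit gnutls_x509_crt_verify always returns 0, so the only failure signal certtool now receives is the status bitmask in output; the branch can stay, but a one-line comment such as `/* failures arrive as GNUTLS_CERT_* bits in output, not as a negative ret */` would save the next reader from hunting for a lost error path. The removed local time() checks mean "Expired" and "Not activated" are printed only if the library sets GNUTLS_CERT_EXPIRED / GNUTLS_CERT_NOT_ACTIVATED, which the commit message asserts but this page does not show. Two style points: the stray space in `flags , &output` should be `flags, &output`, and in the -2196 hunk the comment `/* we add GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT since it is self signed. */` sits between two arguments of the call; move it above the print_verification_res call and write the union with spaces, `GNUTLS_VERIFY_DO_NOT_ALLOW_SAME | GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT`, matching the form used in the -2208 hunk. print_verification_res continues past the end of the last hunk, where the revocation check is cut off.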