author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-02-17 15:26:56 +0100 |
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-02-17 17:26:38 +0100 |
commit | d4a55a39ea022a12e12c51f217a590642277af76 (patch) | |
tree | 6ba8609d35cfd1c710c38a0bec1e429988dc3de7 | |
parent | 1f6aaca690a569ab9bd0222217ea225007bc0e32 (diff) | |
download | gnutls-d4a55a39ea022a12e12c51f217a590642277af76.tar.gz |
Added gnutls_x509_crt_set_flags()
This function allows specifying flags on the certificate object.
In particular it allows the single flag GNUTLS_X509_CRT_FLAG_IGNORE_SANITY,
which allows ignoring sanity checks at the import of the certificate.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | doc/Makefile.am | 1 | ||||
-rw-r--r-- | doc/manpages/Makefile.am | 1 | ||||
-rw-r--r-- | lib/includes/gnutls/x509.h | 13 | ||||
-rw-r--r-- | lib/libgnutls.map | 1 | ||||
-rw-r--r-- | lib/x509/x509.c | 20 | ||||
-rw-r--r-- | lib/x509/x509_int.h | 1 |
6 files changed, 37 insertions, 0 deletions
diff --git a/doc/Makefile.am b/doc/Makefile.am
index b5573918dc..44fa0d2651 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -580,6 +580,7 @@ ENUMS += enums/gnutls_supplemental_data_format_type_t
 ENUMS += enums/gnutls_tpmkey_fmt_t
 ENUMS += enums/gnutls_vdata_types_t
 ENUMS += enums/gnutls_x509_crl_reason_t
+ENUMS += enums/gnutls_x509_crt_flags
 ENUMS += enums/gnutls_x509_crt_fmt_t
 ENUMS += enums/gnutls_x509_subject_alt_name_t
diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am
index 6bacdaad35..ffc6c11318 100644
--- a/doc/manpages/Makefile.am
+++ b/doc/manpages/Makefile.am
@@ -979,6 +979,7 @@ APIMANS += gnutls_x509_crt_set_dn.3
 APIMANS += gnutls_x509_crt_set_dn_by_oid.3
 APIMANS += gnutls_x509_crt_set_expiration_time.3
 APIMANS += gnutls_x509_crt_set_extension_by_oid.3
+APIMANS += gnutls_x509_crt_set_flags.3
 APIMANS += gnutls_x509_crt_set_issuer_alt_name.3
 APIMANS += gnutls_x509_crt_set_issuer_alt_othername.3
 APIMANS += gnutls_x509_crt_set_issuer_dn.3
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index a4389156f2..c47fad1c8c 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -131,6 +131,19 @@ typedef enum gnutls_certificate_import_flags {
 int gnutls_x509_crt_init(gnutls_x509_crt_t * cert);
 void gnutls_x509_crt_deinit(gnutls_x509_crt_t cert);
 
+/**
+ * gnutls_certificate_import_flags:
+ * @GNUTLS_X509_CRT_FLAG_IGNORE_SANITY: Ignore any sanity checks at the
+ * import of the certificate; i.e., ignore checks such as version/field
+ * matching and strict time field checks. Intended to be used for debugging.
+ *
+ * Enumeration of different certificate flags.
+ */
+typedef enum gnutls_x509_crt_flags {
+	GNUTLS_X509_CRT_FLAG_IGNORE_SANITY = 1
+} gnutls_x509_crt_flags;
+void gnutls_x509_crt_set_flags(gnutls_x509_crt_t cert, unsigned flags);
+
 unsigned gnutls_x509_crt_equals(gnutls_x509_crt_t cert1, gnutls_x509_crt_t cert2);
 unsigned gnutls_x509_crt_equals2(gnutls_x509_crt_t cert1, gnutls_datum_t * der);
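Review bot: The gtk-doc block added to lib/includes/gnutls/x509.h is keyed to the wrong symbol: its first line reads `gnutls_certificate_import_flags:` while the type it describes is `gnutls_x509_crt_flags`, so the generated documentation will either attach this text to the import-flags enum or collide with that enum's existing block, and the new `enums/gnutls_x509_crt_flags` entry added in doc/Makefile.am would have nothing to render. The first line of the comment should read ` * gnutls_x509_crt_flags:`. As a minor style point, the prototype here spells the parameter `unsigned flags` while the definition in lib/x509/x509.c uses `unsigned int flags`; the two are equivalent but it is easier to grep and review when they match.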
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 7ccb18d0a6..80d5bbf33b 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1134,6 +1134,7 @@ GNUTLS_3_4
 	gnutls_utf8_password_normalize;
 	gnutls_idna_map;
 	gnutls_idna_reverse_map;
+	gnutls_x509_crt_set_flags;
   local:
 	*;
 };
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index 9b97137e20..46b657284c 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -399,6 +399,9 @@ int _gnutls_check_cert_sanity(gnutls_x509_crt_t cert)
 	int result = 0, version;
 	gnutls_datum_t exts;
 
+	if (cert->flags & GNUTLS_X509_CRT_FLAG_IGNORE_SANITY)
+		return 0;
+
 	/* enforce the rule that only version 3 certificates carry extensions */
 	result = gnutls_x509_crt_get_version(cert);
 	if (result < 0) {
@@ -4176,3 +4179,20 @@ gnutls_x509_crt_verify_data2(gnutls_x509_crt_t crt,
 					       data, signature, flags);
 }
 
+/**
+ * gnutls_x509_crt_set_flags:
+ * @cert: A type #gnutls_x509_crt_t
+ * @flags: flags from the %gnutls_x509_crt_flags
+ *
+ * This function will set flags for the specified certificate.
+ * Currently this is useful for the %GNUTLS_X509_CRT_FLAG_IGNORE_SANITY
+ * which allows importing certificates even if they have known issues.
+ *
+ * Since: 3.6.0
+ *
+ **/
+void gnutls_x509_crt_set_flags(gnutls_x509_crt_t cert,
+			       unsigned int flags)
+{
+	cert->flags = flags;
+}
diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h
index 5f5c180028..09b169afc3 100644
--- a/lib/x509/x509_int.h
+++ b/lib/x509/x509_int.h
@@ -74,6 +74,7 @@ typedef struct gnutls_x509_crt_int {
 	int use_extensions;
 	unsigned expanded; /* a certificate has been expanded */
 	unsigned modified; /* the cached values below may no longer be valid */
+	unsigned flags;
 
 	struct pin_info_st pin; |
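Review bot: The documentation of gnutls_x509_crt_set_flags() in lib/x509/x509.c does not say when the flags take effect; the only consumer in this commit is the early return added to _gnutls_check_cert_sanity(), which runs at import time, so calling this function after gnutls_x509_crt_import() has no effect on a certificate that has already been checked. It also replaces rather than ORs (`cert->flags = flags;`), which is consistent with "set" but worth stating so callers know a second call drops earlier flags. I would extend the gtk-doc block with ` * The flags must be set before gnutls_x509_crt_import() to have any effect, and each call replaces the previously set flags. Skipping the sanity checks is intended for debugging only.`, carrying over the "debugging" caveat already given in the header. Presumably gnutls_x509_crt_init() zero-fills the structure so `flags` starts at 0; that is not visible here and is worth confirming, since an uninitialised field would silently skip the sanity checks.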
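Review bot: The new `unsigned flags;` member in lib/x509/x509_int.h is the only field in this run of the struct without a trailing comment, unlike `expanded` and `modified` right above it, and nothing ties it to the public enum it holds. I would write it as `unsigned flags; /* gnutls_x509_crt_flags, set via gnutls_x509_crt_set_flags() */` so the meaning of the bits is discoverable from the struct definition. The struct definition continues outside the hunk.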