authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-02-17 15:26:56 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-02-17 17:26:38 +0100
commitd4a55a39ea022a12e12c51f217a590642277af76 (patch)
tree6ba8609d35cfd1c710c38a0bec1e429988dc3de7
parent1f6aaca690a569ab9bd0222217ea225007bc0e32 (diff)
Added gnutls_x509_crt_set_flags()
This function allows specifying flags on the certificate object. In particular it allows the single flag GNUTLS_X509_CRT_FLAG_IGNORE_SANITY, which allows ignoring the sanity checks performed at import of the certificate. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--doc/Makefile.am1
-rw-r--r--doc/manpages/Makefile.am1
-rw-r--r--lib/includes/gnutls/x509.h13
-rw-r--r--lib/libgnutls.map1
-rw-r--r--lib/x509/x509.c20
-rw-r--r--lib/x509/x509_int.h1
6 files changed, 37 insertions, 0 deletions
diff --git a/doc/Makefile.am b/doc/Makefile.am
index b5573918dc..44fa0d2651 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -580,6 +580,7 @@ ENUMS += enums/gnutls_supplemental_data_format_type_t
ENUMS += enums/gnutls_tpmkey_fmt_t
ENUMS += enums/gnutls_vdata_types_t
ENUMS += enums/gnutls_x509_crl_reason_t
+ENUMS += enums/gnutls_x509_crt_flags
ENUMS += enums/gnutls_x509_crt_fmt_t
ENUMS += enums/gnutls_x509_subject_alt_name_t
diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am
index 6bacdaad35..ffc6c11318 100644
--- a/doc/manpages/Makefile.am
+++ b/doc/manpages/Makefile.am
@@ -979,6 +979,7 @@ APIMANS += gnutls_x509_crt_set_dn.3
APIMANS += gnutls_x509_crt_set_dn_by_oid.3
APIMANS += gnutls_x509_crt_set_expiration_time.3
APIMANS += gnutls_x509_crt_set_extension_by_oid.3
+APIMANS += gnutls_x509_crt_set_flags.3
APIMANS += gnutls_x509_crt_set_issuer_alt_name.3
APIMANS += gnutls_x509_crt_set_issuer_alt_othername.3
APIMANS += gnutls_x509_crt_set_issuer_dn.3
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index a4389156f2..c47fad1c8c 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -131,6 +131,19 @@ typedef enum gnutls_certificate_import_flags {
int gnutls_x509_crt_init(gnutls_x509_crt_t * cert);
void gnutls_x509_crt_deinit(gnutls_x509_crt_t cert);
+/**
+ * gnutls_certificate_import_flags:
+ * @GNUTLS_X509_CRT_FLAG_IGNORE_SANITY: Ignore any sanity checks at the
+ * import of the certificate; i.e., ignore checks such as version/field
+ * matching and strict time field checks. Intended to be used for debugging.
+ *
+ * Enumeration of different certificate flags.
+ */
+typedef enum gnutls_x509_crt_flags {
+ GNUTLS_X509_CRT_FLAG_IGNORE_SANITY = 1
+} gnutls_x509_crt_flags;
+void gnutls_x509_crt_set_flags(gnutls_x509_crt_t cert, unsigned flags);
+
unsigned gnutls_x509_crt_equals(gnutls_x509_crt_t cert1, gnutls_x509_crt_t cert2);
unsigned gnutls_x509_crt_equals2(gnutls_x509_crt_t cert1, gnutls_datum_t * der);
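Review bot: The doc block for the new enum opens with ` * gnutls_certificate_import_flags:` (the second added line), but the type it documents is `gnutls_x509_crt_flags`; gtk-doc keys the block on that first line, so the new enum would be attached to the wrong symbol and the `enums/gnutls_x509_crt_flags` target added to doc/Makefile.am in this same commit would have no documentation to pull. The line should read ` * gnutls_x509_crt_flags:`. Since the only flag turns off import-time sanity checks, the `gnutls_x509_crt_set_flags` prototype would also benefit from a one-line comment stating that it must be called before `gnutls_x509_crt_import()` for the flag to have any effect, as that is where the checks run.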
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 7ccb18d0a6..80d5bbf33b 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1134,6 +1134,7 @@ GNUTLS_3_4
gnutls_utf8_password_normalize;
gnutls_idna_map;
gnutls_idna_reverse_map;
+ gnutls_x509_crt_set_flags;
local:
*;
};
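Review bot: The new symbol is exported under the `GNUTLS_3_4` version node, while its doc comment in lib/x509/x509.c states `Since: 3.6.0`. If this function first ships in a 3.6 release, the export presumably belongs in the version node for that release rather than 3.4, or the `Since:` tag should match the node it is placed in; please confirm which is intended, since the version script is what consumers link against.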
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index 9b97137e20..46b657284c 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -399,6 +399,9 @@ int _gnutls_check_cert_sanity(gnutls_x509_crt_t cert)
int result = 0, version;
gnutls_datum_t exts;
+ if (cert->flags & GNUTLS_X509_CRT_FLAG_IGNORE_SANITY)
+ return 0;
+
/* enforce the rule that only version 3 certificates carry extensions */
result = gnutls_x509_crt_get_version(cert);
if (result < 0) {
@@ -4176,3 +4179,20 @@ gnutls_x509_crt_verify_data2(gnutls_x509_crt_t crt,
data, signature, flags);
}
+/**
+ * gnutls_x509_crt_set_flags:
+ * @cert: A type #gnutls_x509_crt_t
+ * @flags: flags from the %gnutls_x509_crt_flags
+ *
+ * This function will set flags for the specified certificate.
+ * Currently this is useful for the %GNUTLS_X509_CRT_FLAG_IGNORE_SANITY
+ * which allows importing certificates even if they have known issues.
+ *
+ * Since: 3.6.0
+ *
+ **/
+void gnutls_x509_crt_set_flags(gnutls_x509_crt_t cert,
+ unsigned int flags)
+{
+ cert->flags = flags;
+}
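Review bot: `cert->flags = flags;` stores whatever bit pattern the caller passes, including bits that are not defined in `gnutls_x509_crt_flags`, and it replaces any previously set flags rather than adding to them; neither behaviour is stated in the doc comment, and a void return leaves no way to report an unknown flag. At minimum the doc block should say `This call replaces any flags set earlier and must be made before gnutls_x509_crt_import() to take effect.`, since the only consumer of the field is the early return added at the top of `_gnutls_check_cert_sanity` in the first hunk of this file. That early return skips every check in the function, including the version-3/extensions rule its first comment describes, so the doc comment here should carry the same "intended for debugging" caveat the header gives the flag, and note that a certificate imported this way may not satisfy the invariants the rest of the library assumes. `_gnutls_check_cert_sanity` continues beyond the first hunk.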
diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h
index 5f5c180028..09b169afc3 100644
--- a/lib/x509/x509_int.h
+++ b/lib/x509/x509_int.h
@@ -74,6 +74,7 @@ typedef struct gnutls_x509_crt_int {
int use_extensions;
unsigned expanded; /* a certificate has been expanded */
unsigned modified; /* the cached values below may no longer be valid */
+ unsigned flags;
struct pin_info_st pin;