author | Daiki Ueno <ueno@gnu.org> | 2020-11-11 19:15:13 +0100 |
---|---|---|
committer | Daiki Ueno <ueno@gnu.org> | 2020-11-19 15:38:02 +0100 |
commit | ebb19db9165fed30d73c83bab1b1b8740c132dfd (patch) | |
tree | 68938801d14b58d7b7fc30cff1b0d8b48a6bbc45 /src | |
parent | 79b8965b3392e8504ba48ee0fc28b1b8f23a8fcf (diff) | |
download | gnutls-ebb19db9165fed30d73c83bab1b1b8740c132dfd.tar.gz |
x509: rework issuer callback
The previous issuer callback API had a drawback: the callback is
supposed to add CA to the trust list by itself. This was error-prone,
because the callback must check that the new CA is trusted by the already
added CAs. This instead moves that responsibility to the library.
This also rewrites the chain amendment logic in a side-effect free
manner. The application can assume that the trust information stored
on gnutls_x509_trust_list_t shouldn't change after the verification.
The missingissuer test has been extended to cover all the possible
patterns exhaustively.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/cli.c | 17 |
1 files changed, 8 insertions, 9 deletions
@@ -126,7 +126,9 @@ static int cert_verify_ocsp(gnutls_session_t session);
 static const char *host_from_url(const char *url, unsigned int *port, const char **path);
 static size_t get_data(void *buf, size_t size, size_t nmemb, void *userp);
 static int getissuer_callback(const gnutls_x509_trust_list_t tlist,
- const gnutls_x509_crt_t cert);
+ const gnutls_x509_crt_t cert,
+ gnutls_x509_crt_t **issuers,
+ unsigned int *issuers_size);
 #define MAX_CRT 6
 static unsigned int x509_crt_size;
@@ -2240,7 +2242,9 @@ static size_t get_data(void *buf, size_t size, size_t nmemb, void *userp)
 /* Returns 0 on ok, and -1 on error */
 static int getissuer_callback(const gnutls_x509_trust_list_t tlist,
- const gnutls_x509_crt_t cert)
+ const gnutls_x509_crt_t cert,
+ gnutls_x509_crt_t **issuers,
+ unsigned int *issuers_size)
 {
 gnutls_datum_t ud;
 int ret;
@@ -2331,18 +2335,13 @@ getissuer_callback(const gnutls_x509_trust_list_t tlist,
 ret = -1;
 goto cleanup;
 }
- ret = gnutls_x509_crt_import(issuer, &resp, GNUTLS_X509_FMT_DER);
+ ret = gnutls_x509_crt_list_import2(issuers, issuers_size, &resp,
+ GNUTLS_X509_FMT_DER, 0);
 if (ret < 0) {
 fprintf(stderr, "Decoding error: %s\n", gnutls_strerror(ret));
 ret = -1;
 goto cleanup;
 }
- ret = gnutls_x509_trust_list_add_cas(tlist, &issuer, 1, 0);
- if (ret < 0) {
- fprintf(stderr, "Memory error\n");
- ret = -1;
- goto cleanup;
- }
 ret = 0; |
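Review bot: The comment on the definition in the second hunk, `/* Returns 0 on ok, and -1 on error */`, says nothing about the two new out-parameters, and ownership of `*issuers` is exactly the part a reader cannot work out from cli.c: the third hunk shows `gnutls_x509_crt_list_import2` allocating the array into it and nothing in the hunk freeing it, so presumably the library that invokes the callback deinitialises the certificates and frees the array after verifying them against the trust list — worth confirming against the library side of this commit. Suggest extending the comment to `/* Imports the fetched issuer certificate(s) into *issuers/*issuers_size as unverified candidates; the library that invoked us takes ownership and verifies them. Returns 0 on ok, and -1 on error */`. The local `issuer` that the removed `gnutls_x509_crt_import` and `gnutls_x509_trust_list_add_cas` calls used no longer appears in the hunk; if it is still initialised and deinitialised in the rest of the function, that code is now dead and can go. getissuer_callback's body begins in the second hunk and continues outside the third.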