author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2019-12-18 14:38:32 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-12-19 20:13:39 +0100 |
commit | 88b3fb2978558eb319eebdf776ac60884359a573 (patch) | |
tree | b5c536b3fffa54c4b9108792303bcddb3bd487de /src | |
parent | 9c3d0063689702d3f91db346247f28ce93a1c637 (diff) | |
download | gnutls-88b3fb2978558eb319eebdf776ac60884359a573.tar.gz |
certtool: added option to apply a certificate verification profile
This applies to the --verify and --verify-chain commands.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/certtool-args.def | 11 | ||||
-rw-r--r-- | src/certtool-common.h | 2 | ||||
-rw-r--r-- | src/certtool.c | 15 |
3 files changed, 28 insertions, 0 deletions
diff --git a/src/certtool-args.def b/src/certtool-args.def
index 915598d446..f10f57bdbb 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -355,6 +355,17 @@ flag = {
 doc = "This can be combined with --p7-verify, --verify or --verify-chain.";
 };
+flag = {
+ name = verify-profile;
+ descrip = "Specify a security level profile to be used for verification";
+ arg-type = string;
+ doc = "This option can be used to specify a certificate verification profile. Certificate
+ verification profiles correspond to the security level. This should be one of
+ 'none', 'very weak', 'low', 'legacy', 'medium', 'high', 'ultra',
+ 'future'. Note that by default no profile is applied, unless one is set
+ as minimum in the gnutls configuration file.";
+};
+
 //----------------------------------------
 flag = {
 name = pkcs7_options;
diff --git a/src/certtool-common.h b/src/certtool-common.h
index 7217e69dec..bfeb66b2da 100644
--- a/src/certtool-common.h
+++ b/src/certtool-common.h
@@ -80,6 +80,8 @@ typedef struct common_info {
 unsigned rsa_pss_sign;
 unsigned sort_chain;
+
+ gnutls_sec_param_t verification_profile;
 } common_info_st;
 static inline
diff --git a/src/certtool.c b/src/certtool.c
index 34188f4c6d..447f02f765 100644
--- a/src/certtool.c
+++ b/src/certtool.c
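Review bot: The new `verification_profile` member in common_info_st is declared as `gnutls_sec_param_t`, yet the values the certtool.c hunk stores in it are `GNUTLS_PROFILE_UNKNOWN` and the return of gnutls_certificate_verification_profile_get_id(), i.e. `gnutls_certificate_verification_profiles_t` constants, and the field is later handed to GNUTLS_PROFILE_TO_VFLAGS(). The two enums are distinct types, so the declaration reads as if a security parameter were stored while a verification profile actually is; if nothing else in the tree relies on the sec-param type here, `gnutls_certificate_verification_profiles_t verification_profile;` would make the field match its contents, otherwise a one-line comment such as `/* holds a gnutls_certificate_verification_profiles_t value; GNUTLS_PROFILE_UNKNOWN (0) means "no profile applied" */` should document the mismatch. The struct definition begins outside the hunk.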
@@ -1422,6 +1422,20 @@ static void cmd_parser(int argc, char **argv)
 cinfo.password = "";
 }
+ if (HAVE_OPT(VERIFY_PROFILE)) {
+ if (strcasecmp(OPT_ARG(VERIFY_PROFILE), "none")) {
+ cinfo.verification_profile = GNUTLS_PROFILE_UNKNOWN;
+ } else {
+ cinfo.verification_profile = gnutls_certificate_verification_profile_get_id(OPT_ARG(VERIFY_PROFILE));
+ }
+ } else if (!HAVE_OPT(VERIFY_ALLOW_BROKEN)) {
+ if (HAVE_OPT(VERIFY_CHAIN) || HAVE_OPT(VERIFY)) {
+ fprintf(stderr, "Note that no verification profile was selected. In the future the medium profile will be enabled by default.\n");
+ fprintf(stderr, "Use --verify-profile low to apply the default verification of NORMAL priority string.\n");
+ }
+ /* cinfo.verification_profile = GNUTLS_PROFILE_LOW; */
+ }
+
 if (HAVE_OPT(SIGN_PARAMS))
 sign_params_to_flags(&cinfo, OPT_ARG(SIGN_PARAMS));
@@ -2395,6 +2409,7 @@ _verify_x509_mem(const void *cert, int cert_size, common_info_st *cinfo,
 }
 vflags = GNUTLS_VERIFY_DO_NOT_ALLOW_SAME;
+ vflags |= GNUTLS_PROFILE_TO_VFLAGS(cinfo->verification_profile);
 if (HAVE_OPT(VERIFY_ALLOW_BROKEN))
 vflags |= GNUTLS_VERIFY_ALLOW_BROKEN;
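Review bot: The `strcasecmp` test in the cmd_parser hunk is inverted: strcasecmp() returns non-zero when the strings differ, so every profile name other than "none" takes the GNUTLS_PROFILE_UNKNOWN branch and only the literal "none" is passed to gnutls_certificate_verification_profile_get_id(), meaning `--verify-profile high` applies no profile at all while the caller believes verification was tightened, and the second hunk then ORs an empty profile into vflags. The condition should read `if (strcasecmp(OPT_ARG(VERIFY_PROFILE), "none") == 0) {`. Separately, if gnutls_certificate_verification_profile_get_id() yields GNUTLS_PROFILE_UNKNOWN for a name it does not recognise (as its documentation suggests), a misspelt profile silently degrades to "no profile"; a check after the lookup such as `if (cinfo.verification_profile == GNUTLS_PROFILE_UNKNOWN) { fprintf(stderr, "Unknown verification profile '%s'\n", OPT_ARG(VERIFY_PROFILE)); exit(1); }` would surface that instead. cmd_parser begins and ends outside the hunk.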