authorNikos Mavrogiannopoulos <nmav@gnutls.org>2019-12-20 22:09:37 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2019-12-20 22:09:37 +0000
commit66f07a10beb3f62257d859ccad367902c93785d5 (patch)
treefb7b7f4ec3ee340e8e787b2c4447531929bae939 /src
parentec5ecd1c63d0e09792127705b8806a0931350471 (diff)
parent09d4b8f2d79166e39df7e2edf69780b064d8aa6f (diff)
Merge branch 'tmp-check-same-certs' into 'master'
_gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements Closes #877 See merge request gnutls/gnutls!1140
Diffstat (limited to 'src')
-rw-r--r--src/certtool-args.def11
-rw-r--r--src/certtool-common.h2
-rw-r--r--src/certtool.c15
3 files changed, 28 insertions, 0 deletions
diff --git a/src/certtool-args.def b/src/certtool-args.def
index 915598d446..f10f57bdbb 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -355,6 +355,17 @@ flag = {
doc = "This can be combined with --p7-verify, --verify or --verify-chain.";
};
+flag = {
+ name = verify-profile;
+ descrip = "Specify a security level profile to be used for verification";
+ arg-type = string;
+ doc = "This option can be used to specify a certificate verification profile. Certificate
+ verification profiles correspond to the security level. This should be one of
+ 'none', 'very weak', 'low', 'legacy', 'medium', 'high', 'ultra',
+ 'future'. Note that by default no profile is applied, unless one is set
+ as minimum in the gnutls configuration file.";
+};
+
//----------------------------------------
flag = {
name = pkcs7_options;
diff --git a/src/certtool-common.h b/src/certtool-common.h
index 7217e69dec..bfeb66b2da 100644
--- a/src/certtool-common.h
+++ b/src/certtool-common.h
@@ -80,6 +80,8 @@ typedef struct common_info {
unsigned rsa_pss_sign;
unsigned sort_chain;
+
+ gnutls_sec_param_t verification_profile;
} common_info_st;
static inline
diff --git a/src/certtool.c b/src/certtool.c
index 34188f4c6d..447f02f765 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -1422,6 +1422,20 @@ static void cmd_parser(int argc, char **argv)
cinfo.password = "";
}
+ if (HAVE_OPT(VERIFY_PROFILE)) {
+ if (strcasecmp(OPT_ARG(VERIFY_PROFILE), "none")) {
+ cinfo.verification_profile = GNUTLS_PROFILE_UNKNOWN;
+ } else {
+ cinfo.verification_profile = gnutls_certificate_verification_profile_get_id(OPT_ARG(VERIFY_PROFILE));
+ }
+ } else if (!HAVE_OPT(VERIFY_ALLOW_BROKEN)) {
+ if (HAVE_OPT(VERIFY_CHAIN) || HAVE_OPT(VERIFY)) {
+ fprintf(stderr, "Note that no verification profile was selected. In the future the medium profile will be enabled by default.\n");
+ fprintf(stderr, "Use --verify-profile low to apply the default verification of NORMAL priority string.\n");
+ }
+ /* cinfo.verification_profile = GNUTLS_PROFILE_LOW; */
+ }
+
if (HAVE_OPT(SIGN_PARAMS))
sign_params_to_flags(&cinfo, OPT_ARG(SIGN_PARAMS));
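Review bot: The `strcasecmp(OPT_ARG(VERIFY_PROFILE), "none")` test on the first added line of this hunk is inverted: strcasecmp() returns 0 on a match, so every name other than "none" takes the GNUTLS_PROFILE_UNKNOWN branch and only the literal "none" is passed to gnutls_certificate_verification_profile_get_id(), which means `--verify-profile high` applies no profile at all while the user believes it does. The fix is `if (strcasecmp(OPT_ARG(VERIFY_PROFILE), "none") == 0) {`. Beyond that, if the lookup returns GNUTLS_PROFILE_UNKNOWN for an unrecognised string (I cannot see its body here, but the name suggests a sentinel), a typo such as `--verify-profile hihg` would silently verify with no profile, so the else branch should reject an unknown name rather than fail open; the fence below does both, using exit(1) where the file's usual error exit may be preferred. The commented-out `/* cinfo.verification_profile = GNUTLS_PROFILE_LOW; */` in the other branch is dead code and should be dropped or turned into a dated TODO; cmd_parser's body continues outside the hunk.
```c
	if (HAVE_OPT(VERIFY_PROFILE)) {
		if (strcasecmp(OPT_ARG(VERIFY_PROFILE), "none") == 0) {
			cinfo.verification_profile = GNUTLS_PROFILE_UNKNOWN;
		} else {
			cinfo.verification_profile = gnutls_certificate_verification_profile_get_id(OPT_ARG(VERIFY_PROFILE));
			/* a mistyped profile must not silently verify with no profile */
			if (cinfo.verification_profile == GNUTLS_PROFILE_UNKNOWN) {
				fprintf(stderr, "Unknown verification profile '%s'\n", OPT_ARG(VERIFY_PROFILE));
				exit(1);
			}
		}
	} else if (!HAVE_OPT(VERIFY_ALLOW_BROKEN)) {
		/* … unchanged: notice that no profile was selected … */
	}
```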
@@ -2395,6 +2409,7 @@ _verify_x509_mem(const void *cert, int cert_size, common_info_st *cinfo,
}
vflags = GNUTLS_VERIFY_DO_NOT_ALLOW_SAME;
+ vflags |= GNUTLS_PROFILE_TO_VFLAGS(cinfo->verification_profile);
if (HAVE_OPT(VERIFY_ALLOW_BROKEN))
vflags |= GNUTLS_VERIFY_ALLOW_BROKEN;