From 12f135e099a570991ace460a83a291a136604c71 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Mon, 3 Mar 2003 16:02:19 +0000
Subject: Added a flag to allow signing by v1 X.509 certificates. Also added a function to allow setting the verification flags in the credentials structure.

---
 includes/gnutls/x509.h | 6 +++++-
 lib/auth_cert.h | 4 ++++
 lib/gnutls.h.in.in | 5 +++--
 lib/gnutls_ui.c | 21 +++++++++++++++++----
 lib/gnutls_x509.c | 3 ++-
 lib/x509/verify.c | 12 +++++++++---
 lib/x509/verify.h | 3 ++-
 src/cli.c | 4 ++++
 src/common.c | 2 +-
 9 files changed, 47 insertions(+), 13 deletions(-)

diff --git a/includes/gnutls/x509.h b/includes/gnutls/x509.h
index 16b4fefd27..ecc2cc6254 100644
--- a/includes/gnutls/x509.h
+++ b/includes/gnutls/x509.h
@@ -157,9 +157,13 @@ int gnutls_pkcs7_get_certificate(gnutls_pkcs7 pkcs7, int indx,
  */
 typedef enum gnutls_certificate_verify_flags {
-	GNUTLS_VERIFY_DISABLE_CA_SIGN=1 /* if set a signer does not have to be
+	GNUTLS_VERIFY_DISABLE_CA_SIGN=1, /* if set a signer does not have to be
 	                                 * a certificate authority. */
+	GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT=2 /* Allow CA certificates that have version 1.
+	                                 * This might be dangerous since those haven't
+	                                 * the basicConstraints extension.
+	                                 */
 } gnutls_certificate_verify_flags;
 
 int gnutls_x509_crt_check_issuer( gnutls_x509_crt cert,
diff --git a/lib/auth_cert.h b/lib/auth_cert.h
index f0d28cd605..05165ebc4e 100644
--- a/lib/auth_cert.h
+++ b/lib/auth_cert.h
@@ -48,6 +48,10 @@ typedef struct {
 	gnutls_x509_crl * x509_crl_list;
 	uint x509_ncrls;/* number of CRLs in the crl_list */
+
+	unsigned int verify_flags; /* flags to be used at * certificate verification. */
 
 	/* holds a sequence of the
 	 * RDNs of the CAs above.
diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in
index 28a453bcea..43ad152d41 100644
--- a/lib/gnutls.h.in.in
+++ b/lib/gnutls.h.in.in
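Review bot: The comment on the new `GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT` value in includes/gnutls/x509.h understates what the flag gives up: a version 1 certificate cannot carry basicConstraints at all, so once the flag is set nothing distinguishes a v1 CA from a v1 end-entity certificate, and any v1 certificate whose signature checks out becomes an acceptable issuer. I would say that explicitly in the public header, e.g. `/* Accept version 1 certificates as issuers. v1 certificates have no basicConstraints, so a v1 end-entity certificate is indistinguishable from a CA; enable only for trust anchors you control. */`. It would also help to state whether the exception applies only to configured trust anchors or also to intermediates supplied by the peer; the enum comment does not say, and the verify.c change in this commit only shows the trust-anchor path.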
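Review bot: The new `verify_flags` member added to the credentials struct in lib/auth_cert.h is read straight into the verifier (`cred->verify_flags` in lib/gnutls_x509.c) but nothing in this commit initializes it. Whether that is safe depends on gnutls_certificate_allocate_credentials zero-filling the struct, which is not visible here; if it uses a plain malloc, an uninitialized field with bit 1 set would silently enable `GNUTLS_VERIFY_DISABLE_CA_SIGN` for every handshake. Either confirm the allocation uses a zeroing allocator or set `res->verify_flags = 0;` explicitly in gnutls_certificate_allocate_credentials, and record the invariant on the field: `/* 0 (strict) unless set via gnutls_certificate_set_verify_flags */`. The enclosing struct starts and ends outside the hunk.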
@@ -301,8 +301,9 @@ int gnutls_anon_allocate_client_credentials( gnutls_anon_server_credentials *sc)
 void gnutls_certificate_free_credentials( gnutls_certificate_credentials sc);
 int gnutls_certificate_allocate_credentials( gnutls_certificate_credentials *sc);
-int gnutls_certificate_set_dh_params(gnutls_certificate_credentials res, gnutls_dh_params);
-int gnutls_certificate_set_rsa_params(gnutls_certificate_credentials res, gnutls_rsa_params rsa_params);
+void gnutls_certificate_set_dh_params(gnutls_certificate_credentials res, gnutls_dh_params);
+void gnutls_certificate_set_rsa_params(gnutls_certificate_credentials res, gnutls_rsa_params rsa_params);
+void gnutls_certificate_set_verify_flags(gnutls_certificate_credentials res, unsigned int flags);
 int gnutls_certificate_set_x509_trust_file( gnutls_certificate_credentials res, const char* CAFILE, gnutls_x509_crt_fmt);
diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c
index 8a36d11d70..36b21eb33b 100644
--- a/lib/gnutls_ui.c
+++ b/lib/gnutls_ui.c
@@ -334,9 +334,22 @@ void gnutls_anon_set_server_dh_params( gnutls_anon_server_credentials res, gnutl
  * cipher suites.
  *
  **/
-int gnutls_certificate_set_dh_params(gnutls_certificate_credentials res, gnutls_dh_params dh_params) {
+void gnutls_certificate_set_dh_params(gnutls_certificate_credentials res, gnutls_dh_params dh_params) {
 	res->dh_params = dh_params;
-	return 0;
+}
+
+/**
+ * gnutls_certificate_set_verify_flags - This function will set the flags to be used at certificate verification
+ * @res: is a gnutls_certificate_credentials structure
+ * @flags: are the flagsis a structure that holds diffie hellman parameters.
+ *
+ * This function will set the flags to be used at verification of the certificates.
+ * Flags must be OR of the gnutls_certificate_verify_flags enumerations.
+ *
+ **/
+void gnutls_certificate_set_verify_flags(gnutls_certificate_credentials res, unsigned int flags)
+{
+	res->verify_flags = flags;
 }
 
 /**
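Review bot: Changing `gnutls_certificate_set_dh_params` and `gnutls_certificate_set_rsa_params` from `int` to `void` in lib/gnutls.h.in.in is a source-incompatible API change that the commit message does not mention; any caller that tests the result (`if (gnutls_certificate_set_dh_params(...) < 0)`) stops compiling. If these have not shipped with an `int` return yet that is harmless, but it deserves a line in the commit message or NEWS. It is also unrelated to the new verify-flags setter and would be cleaner as its own commit.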
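Review bot: The `@flags` line of the new gnutls_certificate_set_verify_flags doc block in lib/gnutls_ui.c is a copy-paste leftover (`are the flagsis a structure that holds diffie hellman parameters`); it should read `@flags: is an OR of gnutls_certificate_verify_flags values, or 0 for strict verification`. The body assigns `res->verify_flags = flags;`, so each call replaces rather than accumulates earlier flags — worth a sentence in the description, since a later call with only the new value drops `GNUTLS_VERIFY_DISABLE_CA_SIGN` if it had been set, and a call with `0` silently returns to strict checking. I would also state that every defined flag weakens verification, so 0 is the secure default.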
@@ -349,7 +362,7 @@ int gnutls_certificate_set_dh_params(gnutls_certificate_credentials res, gnutls_
  * cipher suites.
  *
  **/
-int gnutls_certificate_set_rsa_params(gnutls_certificate_credentials res, gnutls_rsa_params rsa_params) {
+void gnutls_certificate_set_rsa_params(gnutls_certificate_credentials res, gnutls_rsa_params rsa_params)
+{
 	res->rsa_params = rsa_params;
-	return 0;
 }
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index 668094d79d..971d16e72e 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -131,7 +131,8 @@ int _gnutls_x509_cert_verify_peers(gnutls_session session)
 	gnutls_x509_crt_list_verify(peer_certificate_list, peer_certificate_list_size, cred->x509_ca_list, cred->x509_ncas,
-		cred->x509_crl_list, cred->x509_ncrls, 0, &verify);
+		cred->x509_crl_list, cred->x509_ncrls,
+		cred->verify_flags, &verify);
 
 	CLEAR_CERTS;
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 562bf0ac17..e0cfaedf0b 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -185,7 +185,7 @@ static int _gnutls_verify_certificate2(gnutls_x509_crt cert,
 	/* CRL is ignored for now */
 	gnutls_x509_crt issuer;
-	int ret;
+	int ret, issuer_version;
 
 	if (tcas_size >= 1)
 		issuer = find_issuer(cert, trusted_cas, tcas_size);
@@ -202,7 +202,14 @@ static int _gnutls_verify_certificate2(gnutls_x509_crt cert,
 		return 0;
 	}
 
-	if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN)) {
+	issuer_version = gnutls_x509_crt_get_version( issuer);
+	if (issuer_version < 0) {
+		gnutls_assert();
+		return issuer_version;
+	}
+
+	if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
+		!((flags & GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT) && issuer_version == 1)) {
 		if (check_if_ca(cert, issuer)==0) {
 			gnutls_assert();
 			return 0;
@@ -569,7 +576,6 @@ int ret, issuer_params_size, i;
  *
  * GNUTLS_CERT_CORRUPTED\: the certificate is corrupted.
  *
- *
  * Returns 0 on success and a negative value in case of an error.
  *
  **/
diff --git a/lib/x509/verify.h b/lib/x509/verify.h
index d73e842e26..c8c677bac0 100644
--- a/lib/x509/verify.h
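Review bot: The new bypass in lib/x509/verify.c, `!((flags & GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT) && issuer_version == 1)`, skips check_if_ca for every v1 issuer, and because a v1 certificate has no basicConstraints the check it skips is the only thing separating a CA from a leaf. In this function `issuer` comes from `find_issuer(cert, trusted_cas, tcas_size)`, so the relaxation reaches only configured trust anchors, which is defensible; but the same `flags` value is now forwarded from lib/gnutls_x509.c into gnutls_x509_crt_list_verify, and if the chain walk that checks peer-supplied intermediates (not visible in this hunk) applies the same exception, a v1 end-entity certificate signed by a trusted CA could be used to mint certificates for any name. I would confine the exception to trust anchors explicitly and say so next to the condition: `/* v1 trust anchors carry no basicConstraints; skip the CA check only here, where issuer is a configured trust anchor, never for peer-supplied intermediates */`. _gnutls_verify_certificate2 starts before the hunk, so where `flags` is derived for the intermediate checks cannot be confirmed from here.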
+++ b/lib/x509/verify.h
@@ -1,7 +1,8 @@
 #include "x509.h"
 
 typedef enum gnutls_certificate_verify_flags {
-	GNUTLS_VERIFY_DISABLE_CA_SIGN=1
+	GNUTLS_VERIFY_DISABLE_CA_SIGN=1,
+	GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT=2
 } gnutls_certificate_verify_flags;
 
 int gnutls_x509_crt_is_issuer( gnutls_x509_crt cert,
diff --git a/src/cli.c b/src/cli.c
index 878cb30c4b..ae1fcd3166 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -585,6 +585,10 @@ int ret;
 		exit(1);
 	}
 
+	/* there are some intermediate CAs that have a v1 certificate *%&@#*%&
+	 */
+	gnutls_certificate_set_verify_flags( xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
+
 	if (x509_cafile != NULL) {
 		ret = gnutls_certificate_set_x509_trust_file(xcred,
diff --git a/src/common.c b/src/common.c
index 9a3985e57b..0e36521430 100644
--- a/src/common.c
+++ b/src/common.c
@@ -241,7 +241,7 @@ void print_cert_vrfy(gnutls_session session)
 	}
 
 	if (status & GNUTLS_CERT_INVALID)
-		printf("- Peer's certificate is invalid\n");
+		printf("- Peer's certificate chain is broken\n");
 	if (status & GNUTLS_CERT_NOT_TRUSTED)
 		printf("- Peer's certificate is NOT trusted\n");
 	else
-- 
cgit v1.2.1
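Review bot: lib/x509/verify.h re-declares the `gnutls_certificate_verify_flags` enum that includes/gnutls/x509.h already exports, so the two copies must now be kept in sync by hand, and a value added to one but not the other would silently diverge without any compiler diagnostic. If the private header cannot include the public one, at least tie them together with a comment on the private copy, `/* must mirror gnutls_certificate_verify_flags in includes/gnutls/x509.h */`, and preferably drop the duplicate in favour of an include.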
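Review bot: src/cli.c now calls `gnutls_certificate_set_verify_flags( xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT)` unconditionally, so the reference client accepts v1 issuers on every connection rather than only when the user asks for it. Since this is the program people copy from, I would make it an opt-in command-line switch with the strict default kept, or at minimum print a warning when the flag is on. The comment `*%&@#*%&` should give the actual rationale, e.g. `/* some deployed intermediate CAs are still v1 certificates without basicConstraints; accept them, at the cost of not being able to tell a v1 leaf from a v1 CA */`. The call precedes the trust-file load, which is fine as far as this hunk shows, since the flags are only consumed at verification time.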