From d4a55a39ea022a12e12c51f217a590642277af76 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 17 Feb 2017 15:26:56 +0100 Subject: Added gnutls_x509_crt_set_flags() This functions allows specifying flags to the certificate object. In particular it allows the single flag GNUTLS_X509_CRT_FLAG_IGNORE_SANITY which allows to ignore sanity checks at the import of the certificate. Signed-off-by: Nikos Mavrogiannopoulos --- doc/Makefile.am | 1 + doc/manpages/Makefile.am | 1 + lib/includes/gnutls/x509.h | 13 +++++++++++++ lib/libgnutls.map | 1 + lib/x509/x509.c | 20 ++++++++++++++++++++ lib/x509/x509_int.h | 1 + 6 files changed, 37 insertions(+) diff --git a/doc/Makefile.am b/doc/Makefile.am index b5573918dc..44fa0d2651 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -580,6 +580,7 @@ ENUMS += enums/gnutls_supplemental_data_format_type_t ENUMS += enums/gnutls_tpmkey_fmt_t ENUMS += enums/gnutls_vdata_types_t ENUMS += enums/gnutls_x509_crl_reason_t +ENUMS += enums/gnutls_x509_crt_flags ENUMS += enums/gnutls_x509_crt_fmt_t ENUMS += enums/gnutls_x509_subject_alt_name_t diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am index 6bacdaad35..ffc6c11318 100644 --- a/doc/manpages/Makefile.am +++ b/doc/manpages/Makefile.am @@ -979,6 +979,7 @@ APIMANS += gnutls_x509_crt_set_dn.3 APIMANS += gnutls_x509_crt_set_dn_by_oid.3 APIMANS += gnutls_x509_crt_set_expiration_time.3 APIMANS += gnutls_x509_crt_set_extension_by_oid.3 +APIMANS += gnutls_x509_crt_set_flags.3 APIMANS += gnutls_x509_crt_set_issuer_alt_name.3 APIMANS += gnutls_x509_crt_set_issuer_alt_othername.3 APIMANS += gnutls_x509_crt_set_issuer_dn.3 diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h index a4389156f2..c47fad1c8c 100644 --- a/lib/includes/gnutls/x509.h +++ b/lib/includes/gnutls/x509.h 
@@ -131,6 +131,19 @@ typedef enum gnutls_certificate_import_flags { int gnutls_x509_crt_init(gnutls_x509_crt_t * cert); void gnutls_x509_crt_deinit(gnutls_x509_crt_t cert); +/** + * gnutls_certificate_import_flags: + * @GNUTLS_X509_CRT_FLAG_IGNORE_SANITY: Ignore any sanity checks at the + * import of the certificate; i.e., ignore checks such as version/field + * matching and strict time field checks. Intended to be used for debugging. + * + * Enumeration of different certificate flags. + */ +typedef enum gnutls_x509_crt_flags { + GNUTLS_X509_CRT_FLAG_IGNORE_SANITY = 1 +} gnutls_x509_crt_flags; +void gnutls_x509_crt_set_flags(gnutls_x509_crt_t cert, unsigned flags); + unsigned gnutls_x509_crt_equals(gnutls_x509_crt_t cert1, gnutls_x509_crt_t cert2); unsigned gnutls_x509_crt_equals2(gnutls_x509_crt_t cert1, gnutls_datum_t * der); diff --git a/lib/libgnutls.map b/lib/libgnutls.map index 7ccb18d0a6..80d5bbf33b 100644 --- a/lib/libgnutls.map +++ b/lib/libgnutls.map @@ -1134,6 +1134,7 @@ GNUTLS_3_4 gnutls_utf8_password_normalize; gnutls_idna_map; gnutls_idna_reverse_map; + gnutls_x509_crt_set_flags; local: *; }; diff --git a/lib/x509/x509.c b/lib/x509/x509.c index 9b97137e20..46b657284c 100644 --- a/lib/x509/x509.c +++ b/lib/x509/x509.c @@ -399,6 +399,9 @@ int _gnutls_check_cert_sanity(gnutls_x509_crt_t cert) int result = 0, version; gnutls_datum_t exts; + if (cert->flags & GNUTLS_X509_CRT_FLAG_IGNORE_SANITY) + return 0; + /* enforce the rule that only version 3 certificates carry extensions */ result = gnutls_x509_crt_get_version(cert); if (result < 0) { 
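Review bot: The new documentation block in x509.h names the wrong symbol: its first line reads `gnutls_certificate_import_flags:` while it documents the enum `gnutls_x509_crt_flags` declared right below it. The doc extractor keys on that first line, so the text would be attached to the existing gnutls_certificate_import_flags entry and `enums/gnutls_x509_crt_flags`, which this commit adds to doc/Makefile.am, would have nothing to generate from. Change the line to ` * gnutls_x509_crt_flags:`. The same block says the flag is "intended to be used for debugging"; it would help to add that setting it disables the version/extension and time-field consistency checks performed at import, so readers see exactly what validation is lost.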
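Review bot: The hunk context label suggests `gnutls_x509_crt_set_flags;` is being added to the GNUTLS_3_4 version node of libgnutls.map, while the function's doc comment in x509.c states `Since: 3.6.0`. If the map keeps one node per minor release, a symbol first shipped in 3.6.0 belongs in a GNUTLS_3_6_0 node so the symbol version matches the documented availability; if no such node exists yet this is the commit to introduce it. I cannot see the surrounding nodes, so this is inferred from the `@@` context line only.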
@@ -4176,3 +4179,20 @@ gnutls_x509_crt_verify_data2(gnutls_x509_crt_t crt, data, signature, flags); } +/** + * gnutls_x509_crt_set_flags: + * @cert: A type #gnutls_x509_crt_t + * @flags: flags from the %gnutls_x509_crt_flags + * + * This function will set flags for the specified certificate. + * Currently this is useful for the %GNUTLS_X509_CRT_FLAG_IGNORE_SANITY + * which allows importing certificates even if they have known issues. + * + * Since: 3.6.0 + * + **/ +void gnutls_x509_crt_set_flags(gnutls_x509_crt_t cert, + unsigned int flags) +{ + cert->flags = flags; +} diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h index 5f5c180028..09b169afc3 100644 --- a/lib/x509/x509_int.h +++ b/lib/x509/x509_int.h @@ -74,6 +74,7 @@ typedef struct gnutls_x509_crt_int { int use_extensions; unsigned expanded; /* a certificate has been expanded */ unsigned modified; /* the cached values below may no longer be valid */ + unsigned flags; struct pin_info_st pin; -- cgit v1.2.1
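Review bot: The doc comment on gnutls_x509_crt_set_flags does not state when the flag takes effect: the early return added to _gnutls_check_cert_sanity runs at import time (per the commit message), so a caller that sets the flag after gnutls_x509_crt_import() gets no effect, and a caller that sets it before gets an object whose sanity checks were skipped. Add to the comment ` * The flags must be set before the certificate is imported; they have no effect on an already imported object.` and state that %GNUTLS_X509_CRT_FLAG_IGNORE_SANITY skips the version/extension and time-field checks rather than only "known issues". The body `cert->flags = flags;` also accepts any bit pattern; either mask to the defined flags, `cert->flags = flags & GNUTLS_X509_CRT_FLAG_IGNORE_SANITY;`, or document that undefined bits are reserved and must be zero, so later flag additions do not change behavior for existing callers. The prototype in x509.h uses `unsigned flags` and the definition `unsigned int flags`, which are the same type, but matching the spelling avoids a needless difference.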