Diffstat (limited to 'src/daemon/https/x509/x509_verify.c')
-rw-r--r--src/daemon/https/x509/x509_verify.c245
1 files changed, 0 insertions, 245 deletions
diff --git a/src/daemon/https/x509/x509_verify.c b/src/daemon/https/x509/x509_verify.c
index 35513810..3dc4c9f7 100644
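--- a/src/daemon/https/x509/x509_verify.c
+++ b/src/daemon/https/x509/x509_verify.c
@@ -50,14 +50,6 @@ int MHD__gnutls_x509_verify_signature (const MHD_gnutls_datum_t * signed_data,
  const MHD_gnutls_datum_t * signature,
  MHD_gnutls_x509_crt_t issuer);
 
-static
- int is_crl_issuer (MHD_gnutls_x509_crl_t crl,
- MHD_gnutls_x509_crt_t issuer_cert);
-static int MHD__gnutls_verify_crl2 (MHD_gnutls_x509_crl_t crl,
- const MHD_gnutls_x509_crt_t * trusted_cas,
- int tcas_size, unsigned int flags,
- unsigned int *output);
-
 /* Checks if the issuer of a certificate is a
  * Certificate Authority, or if the certificate is the same
  * as the issuer (and therefore it doesn't need to be a CA).
@@ -410,22 +402,6 @@ MHD__gnutls_x509_verify_certificate (const MHD_gnutls_x509_crt_t *
  return status;
  }
 
- /* Check for revoked certificates in the chain
- */
-#ifdef ENABLE_PKI
- for (i = 0; i < clist_size; i++)
- {
- ret = MHD_gnutls_x509_crt_check_revocation (certificate_list[i],
- CRLs, crls_size);
- if (ret == 1)
- { /* revoked */
- status |= GNUTLS_CERT_REVOKED;
- status |= GNUTLS_CERT_INVALID;
- return status;
- }
- }
-#endif
-
  /* Check if the last certificate in the path is self signed.
  * In that case ignore it (a certificate is trusted only if it
  * leads to a trusted party by us, not the server's).
@@ -795,224 +771,3 @@ MHD_gnutls_x509_crt_verify (MHD_gnutls_x509_crt_t cert,
  return 0;
 }
 
-#ifdef ENABLE_PKI
-
-/**
- * MHD_gnutls_x509_crl_check_issuer - This function checks if the CRL given has the given issuer
- * @crl: is the CRL to be checked
- * @issuer: is the certificate of a possible issuer
- *
- * This function will check if the given CRL was issued by the
- * given issuer certificate. It will return true (1) if the given CRL was issued
- * by the given issuer, and false (0) if not.
- *
- * A negative value is returned in case of an error.
- *
- **/
-int
-MHD_gnutls_x509_crl_check_issuer (MHD_gnutls_x509_crl_t cert,
- MHD_gnutls_x509_crt_t issuer)
-{
- return is_crl_issuer (cert, issuer);
-}
-
-/**
- * MHD_gnutls_x509_crl_verify - This function verifies the given crl against a given trusted one
- * @crl: is the crl to be verified
- * @CA_list: is a certificate list that is considered to be trusted one
- * @CA_list_length: holds the number of CA certificates in CA_list
- * @flags: Flags that may be used to change the verification algorithm. Use OR of the MHD_gnutls_certificate_verify_flags enumerations.
- * @verify: will hold the crl verification output.
- *
- * This function will try to verify the given crl and return its status.
- * See MHD_gnutls_x509_crt_list_verify() for a detailed description of
- * return values.
- *
- * Returns 0 on success and a negative value in case of an error.
- *
- **/
-int
-MHD_gnutls_x509_crl_verify (MHD_gnutls_x509_crl_t crl,
- const MHD_gnutls_x509_crt_t * CA_list,
- int CA_list_length, unsigned int flags,
- unsigned int *verify)
-{
- int ret;
- /* Verify crl
- */
- ret = MHD__gnutls_verify_crl2 (crl, CA_list, CA_list_length, flags, verify);
- if (ret < 0)
- {
- MHD_gnutls_assert ();
- return ret;
- }
-
- return 0;
-}
-
-/* The same as above, but here we've got a CRL.
- */
-static int
-is_crl_issuer (MHD_gnutls_x509_crl_t crl, MHD_gnutls_x509_crt_t issuer_cert)
-{
- MHD_gnutls_datum_t dn1 = { NULL, 0 }, dn2 =
- {
- NULL, 0};
- int ret;
-
- ret = MHD__gnutls_x509_crl_get_raw_issuer_dn (crl, &dn1);
- if (ret < 0)
- {
- MHD_gnutls_assert ();
- goto cleanup;
- }
-
- ret = MHD_gnutls_x509_crt_get_raw_dn (issuer_cert, &dn2);
- if (ret < 0)
- {
- MHD_gnutls_assert ();
- return ret;
- }
-
- ret = MHD__gnutls_x509_compare_raw_dn (&dn1, &dn2);
-
-cleanup:
- MHD__gnutls_free_datum (&dn1);
- MHD__gnutls_free_datum (&dn2);
-
- return ret;
-}
-
-static inline MHD_gnutls_x509_crt_t
-find_crl_issuer (MHD_gnutls_x509_crl_t crl,
- const MHD_gnutls_x509_crt_t * trusted_cas, int tcas_size)
-{
- int i;
-
- /* this is serial search.
- */
-
- for (i = 0; i < tcas_size; i++)
- {
- if (is_crl_issuer (crl, trusted_cas[i]) == 1)
- return trusted_cas[i];
- }
-
- MHD_gnutls_assert ();
- return NULL;
-}
-
-/*
- * Returns only 0 or 1. If 1 it means that the CRL
- * was successfuly verified.
- *
- * 'flags': an OR of the MHD_gnutls_certificate_verify_flags enumeration.
- *
- * Output will hold information about the verification
- * procedure.
- */
-static int
-MHD__gnutls_verify_crl2 (MHD_gnutls_x509_crl_t crl,
- const MHD_gnutls_x509_crt_t * trusted_cas,
- int tcas_size, unsigned int flags,
- unsigned int *output)
-{
- /* CRL is ignored for now */
- MHD_gnutls_datum_t crl_signed_data = { NULL, 0 };
- MHD_gnutls_datum_t crl_signature = { NULL, 0 };
- MHD_gnutls_x509_crt_t issuer;
- int ret, result;
-
- if (output)
- *output = 0;
-
- if (tcas_size >= 1)
- issuer = find_crl_issuer (crl, trusted_cas, tcas_size);
- else
- {
- MHD_gnutls_assert ();
- if (output)
- *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID;
- return 0;
- }
-
- /* issuer is not in trusted certificate
- * authorities.
- */
- if (issuer == NULL)
- {
- MHD_gnutls_assert ();
- if (output)
- *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID;
- return 0;
- }
-
- if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN))
- {
- if (MHD_gnutls_x509_crt_get_ca_status (issuer, NULL) != 1)
- {
- MHD_gnutls_assert ();
- if (output)
- *output |= GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID;
- return 0;
- }
- }
-
- result =
- MHD__gnutls_x509_get_signed_data (crl->crl, "tbsCertList",
- &crl_signed_data);
- if (result < 0)
- {
- MHD_gnutls_assert ();
- goto cleanup;
- }
-
- result =
- MHD__gnutls_x509_get_signature (crl->crl, "signature", &crl_signature);
- if (result < 0)
- {
- MHD_gnutls_assert ();
- goto cleanup;
- }
-
- ret =
- MHD__gnutls_x509_verify_signature (&crl_signed_data, &crl_signature,
- issuer);
- if (ret < 0)
- {
- MHD_gnutls_assert ();
- }
- else if (ret == 0)
- {
- MHD_gnutls_assert ();
- /* error. ignore it */
- if (output)
- *output |= GNUTLS_CERT_INVALID;
- ret = 0;
- }
-
- {
- int sigalg;
-
- sigalg = MHD_gnutls_x509_crl_get_signature_algorithm (crl);
-
- if (((sigalg == GNUTLS_SIGN_RSA_MD2) &&
- !(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2)) ||
- ((sigalg == GNUTLS_SIGN_RSA_MD5) &&
- !(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5)))
- {
- if (output)
- *output |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID;
- }
- }
-
- result = ret;
-
-cleanup:
- MHD__gnutls_free_datum (&crl_signed_data);
- MHD__gnutls_free_datum (&crl_signature);
-
- return result;
-}
-
-#endif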