/src/gnutls/lib/x509/verify.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (C) 2003-2014 Free Software Foundation, Inc. |
3 | | * Copyright (C) 2013 Nikos Mavrogiannopoulos |
4 | | * Copyright (C) 2014 Red Hat |
5 | | * |
6 | | * Author: Nikos Mavrogiannopoulos |
7 | | * |
8 | | * This file is part of GnuTLS. |
9 | | * |
10 | | * The GnuTLS is free software; you can redistribute it and/or |
11 | | * modify it under the terms of the GNU Lesser General Public License |
12 | | * as published by the Free Software Foundation; either version 2.1 of |
13 | | * the License, or (at your option) any later version. |
14 | | * |
15 | | * This library is distributed in the hope that it will be useful, but |
16 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
17 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
18 | | * Lesser General Public License for more details. |
19 | | * |
20 | | * You should have received a copy of the GNU Lesser General Public License |
21 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
22 | | * |
23 | | */ |
24 | | |
25 | | /* All functions which relate to X.509 certificate verification stuff are |
26 | | * included here |
27 | | */ |
28 | | |
29 | | #include "gnutls_int.h" |
30 | | #include "errors.h" |
31 | | #include <libtasn1.h> |
32 | | #include "global.h" |
33 | | #include "num.h" /* MAX */ |
34 | | #include "tls-sig.h" |
35 | | #include "str.h" |
36 | | #include "datum.h" |
37 | | #include "pkcs11_int.h" |
38 | | #include "x509_int.h" |
39 | | #include "common.h" |
40 | | #include "pk.h" |
41 | | #include "x509/verify-high.h" |
42 | | #include "supported_exts.h" |
43 | | #include "profiles.h" |
44 | | |
45 | | /* Checks if two certs have the same name and the same key. Return 1 on match. |
46 | | * If @is_ca is zero then this function is identical to gnutls_x509_crt_equals() |
47 | | */ |
48 | | unsigned _gnutls_check_if_same_key(gnutls_x509_crt_t cert1, |
49 | | gnutls_x509_crt_t cert2, unsigned is_ca) |
50 | 0 | { |
51 | 0 | int ret; |
52 | 0 | unsigned result; |
53 | |
|
54 | 0 | if (is_ca == 0) |
55 | 0 | return gnutls_x509_crt_equals(cert1, cert2); |
56 | | |
57 | 0 | ret = _gnutls_is_same_dn(cert1, cert2); |
58 | 0 | if (ret == 0) |
59 | 0 | return 0; |
60 | | |
61 | 0 | if (cert1->raw_spki.size > 0 && |
62 | 0 | (cert1->raw_spki.size == cert2->raw_spki.size) && |
63 | 0 | (memcmp(cert1->raw_spki.data, cert2->raw_spki.data, |
64 | 0 | cert1->raw_spki.size) == 0)) |
65 | 0 | result = 1; |
66 | 0 | else |
67 | 0 | result = 0; |
68 | |
|
69 | 0 | return result; |
70 | 0 | } |
71 | | |
72 | | unsigned _gnutls_check_if_same_key2(gnutls_x509_crt_t cert1, |
73 | | gnutls_datum_t *cert2bin) |
74 | 0 | { |
75 | 0 | int ret; |
76 | 0 | gnutls_x509_crt_t cert2; |
77 | |
|
78 | 0 | ret = gnutls_x509_crt_init(&cert2); |
79 | 0 | if (ret < 0) |
80 | 0 | return gnutls_assert_val(0); |
81 | | |
82 | 0 | ret = gnutls_x509_crt_import(cert2, cert2bin, GNUTLS_X509_FMT_DER); |
83 | 0 | if (ret < 0) { |
84 | 0 | gnutls_x509_crt_deinit(cert2); |
85 | 0 | return gnutls_assert_val(0); |
86 | 0 | } |
87 | | |
88 | 0 | ret = _gnutls_check_if_same_key(cert1, cert2, 1); |
89 | |
|
90 | 0 | gnutls_x509_crt_deinit(cert2); |
91 | 0 | return ret; |
92 | 0 | } |
93 | | |
94 | | /* checks whether there are present unknown/unsupported critical extensions. |
95 | | * |
96 | | * Returns true if they are present. |
97 | | */ |
98 | | static unsigned check_for_unknown_exts(gnutls_x509_crt_t cert) |
99 | 0 | { |
100 | 0 | unsigned i; |
101 | 0 | char oid[MAX_OID_SIZE]; |
102 | 0 | size_t oid_size; |
103 | 0 | unsigned critical; |
104 | 0 | int ret; |
105 | |
|
106 | 0 | for (i = 0;; i++) { |
107 | 0 | oid_size = sizeof(oid); |
108 | 0 | oid[0] = 0; |
109 | 0 | critical = 0; |
110 | |
|
111 | 0 | ret = gnutls_x509_crt_get_extension_info(cert, i, oid, |
112 | 0 | &oid_size, &critical); |
113 | 0 | if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { |
114 | 0 | return 0; |
115 | 0 | } else if (ret < 0) { |
116 | 0 | gnutls_assert(); |
117 | | /* could not decode? */ |
118 | 0 | _gnutls_debug_log("Could not decode extension %d\n", i); |
119 | 0 | return 1; |
120 | 0 | } |
121 | | |
122 | 0 | if (critical == 0) |
123 | 0 | continue; |
124 | | |
125 | 0 | if (is_ext_oid_supported(oid, oid_size) == NULL) { |
126 | 0 | gnutls_assert(); |
127 | 0 | _gnutls_debug_log( |
128 | 0 | "Unsupported critical extension: %s\n", oid); |
129 | 0 | return 1; |
130 | 0 | } |
131 | 0 | } |
132 | | |
133 | 0 | return 0; |
134 | 0 | } |
135 | | |
136 | | /* Checks if the issuer of a certificate is a |
137 | | * Certificate Authority, or if the certificate is the same |
138 | | * as the issuer (and therefore it doesn't need to be a CA). |
139 | | * |
140 | | * Returns true or false, if the issuer is a CA, |
141 | | * or not. |
142 | | */ |
143 | | static unsigned check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer, |
144 | | unsigned int *max_path, unsigned int flags) |
145 | 0 | { |
146 | 0 | gnutls_datum_t cert_signed_data = { NULL, 0 }; |
147 | 0 | gnutls_datum_t issuer_signed_data = { NULL, 0 }; |
148 | 0 | gnutls_datum_t cert_signature = { NULL, 0 }; |
149 | 0 | gnutls_datum_t issuer_signature = { NULL, 0 }; |
150 | 0 | int pathlen = -1, ret; |
151 | 0 | unsigned result; |
152 | 0 | unsigned int ca_status = 0; |
153 | | |
154 | | /* Check if the issuer is the same with the |
155 | | * certificate. This is added in order for trusted |
156 | | * certificates to be able to verify themselves. |
157 | | */ |
158 | |
|
159 | 0 | ret = _gnutls_x509_get_signed_data(issuer->cert, &issuer->der, |
160 | 0 | "tbsCertificate", |
161 | 0 | &issuer_signed_data); |
162 | 0 | if (ret < 0) { |
163 | 0 | gnutls_assert(); |
164 | 0 | goto fail; |
165 | 0 | } |
166 | | |
167 | 0 | ret = _gnutls_x509_get_signed_data(cert->cert, &cert->der, |
168 | 0 | "tbsCertificate", &cert_signed_data); |
169 | 0 | if (ret < 0) { |
170 | 0 | gnutls_assert(); |
171 | 0 | goto fail; |
172 | 0 | } |
173 | | |
174 | 0 | ret = _gnutls_x509_get_signature(issuer->cert, "signature", |
175 | 0 | &issuer_signature); |
176 | 0 | if (ret < 0) { |
177 | 0 | gnutls_assert(); |
178 | 0 | goto fail; |
179 | 0 | } |
180 | | |
181 | 0 | ret = _gnutls_x509_get_signature(cert->cert, "signature", |
182 | 0 | &cert_signature); |
183 | 0 | if (ret < 0) { |
184 | 0 | gnutls_assert(); |
185 | 0 | goto fail; |
186 | 0 | } |
187 | | |
188 | | /* If the subject certificate is the same as the issuer |
189 | | * return true. |
190 | | */ |
191 | 0 | if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_SAME)) |
192 | 0 | if (cert_signed_data.size == issuer_signed_data.size) { |
193 | 0 | if ((memcmp(cert_signed_data.data, |
194 | 0 | issuer_signed_data.data, |
195 | 0 | cert_signed_data.size) == 0) && |
196 | 0 | (cert_signature.size == issuer_signature.size) && |
197 | 0 | (memcmp(cert_signature.data, issuer_signature.data, |
198 | 0 | cert_signature.size) == 0)) { |
199 | 0 | result = 1; |
200 | 0 | goto cleanup; |
201 | 0 | } |
202 | 0 | } |
203 | | |
204 | 0 | ret = gnutls_x509_crt_get_basic_constraints(issuer, NULL, &ca_status, |
205 | 0 | &pathlen); |
206 | 0 | if (ret < 0) { |
207 | 0 | ca_status = 0; |
208 | 0 | pathlen = -1; |
209 | 0 | } |
210 | |
|
211 | 0 | if (ca_status != 0 && pathlen != -1) { |
212 | 0 | if ((unsigned)pathlen < *max_path) |
213 | 0 | *max_path = pathlen; |
214 | 0 | } |
215 | |
|
216 | 0 | if (ca_status != 0) { |
217 | 0 | result = 1; |
218 | 0 | goto cleanup; |
219 | 0 | } |
220 | | /* Handle V1 CAs that do not have a basicConstraint, but accept |
221 | | these certs only if the appropriate flags are set. */ |
222 | 0 | else if ((ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) && |
223 | 0 | ((flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT) || |
224 | 0 | (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT) && |
225 | 0 | (gnutls_x509_crt_check_issuer(issuer, issuer) != 0)))) { |
226 | 0 | gnutls_assert(); |
227 | 0 | result = 1; |
228 | 0 | goto cleanup; |
229 | 0 | } else { |
230 | 0 | gnutls_assert(); |
231 | 0 | } |
232 | | |
233 | 0 | fail: |
234 | 0 | result = 0; |
235 | |
|
236 | 0 | cleanup: |
237 | 0 | _gnutls_free_datum(&cert_signed_data); |
238 | 0 | _gnutls_free_datum(&issuer_signed_data); |
239 | 0 | _gnutls_free_datum(&cert_signature); |
240 | 0 | _gnutls_free_datum(&issuer_signature); |
241 | 0 | return result; |
242 | 0 | } |
243 | | |
244 | | /* This function checks if cert's issuer is issuer. |
245 | | * This does a straight (DER) compare of the issuer/subject DN fields in |
246 | | * the given certificates, as well as check the authority key ID. |
247 | | * |
248 | | * Returns 1 if they match and (0) if they don't match. |
249 | | */ |
250 | | static unsigned is_issuer(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer) |
251 | 0 | { |
252 | 0 | uint8_t id1[MAX_KEY_ID_SIZE]; |
253 | 0 | uint8_t id2[MAX_KEY_ID_SIZE]; |
254 | 0 | size_t id1_size; |
255 | 0 | size_t id2_size; |
256 | 0 | int ret; |
257 | 0 | unsigned result; |
258 | |
|
259 | 0 | if (_gnutls_x509_compare_raw_dn(&cert->raw_issuer_dn, |
260 | 0 | &issuer->raw_dn) != 0) |
261 | 0 | result = 1; |
262 | 0 | else |
263 | 0 | result = 0; |
264 | |
|
265 | 0 | if (result != 0) { |
266 | | /* check if the authority key identifier matches the subject key identifier |
267 | | * of the issuer */ |
268 | 0 | id1_size = sizeof(id1); |
269 | |
|
270 | 0 | ret = gnutls_x509_crt_get_authority_key_id(cert, id1, &id1_size, |
271 | 0 | NULL); |
272 | 0 | if (ret < 0) { |
273 | | /* If there is no authority key identifier in the |
274 | | * certificate, assume they match */ |
275 | 0 | result = 1; |
276 | 0 | goto cleanup; |
277 | 0 | } |
278 | | |
279 | 0 | id2_size = sizeof(id2); |
280 | 0 | ret = gnutls_x509_crt_get_subject_key_id(issuer, id2, &id2_size, |
281 | 0 | NULL); |
282 | 0 | if (ret < 0) { |
283 | | /* If there is no subject key identifier in the |
284 | | * issuer certificate, assume they match */ |
285 | 0 | result = 1; |
286 | 0 | gnutls_assert(); |
287 | 0 | goto cleanup; |
288 | 0 | } |
289 | | |
290 | 0 | if (id1_size == id2_size && memcmp(id1, id2, id1_size) == 0) |
291 | 0 | result = 1; |
292 | 0 | else |
293 | 0 | result = 0; |
294 | 0 | } |
295 | | |
296 | 0 | cleanup: |
297 | 0 | return result; |
298 | 0 | } |
299 | | |
300 | | /* Check if the given certificate is the issuer of the CRL. |
301 | | * Returns 1 on success and 0 otherwise. |
302 | | */ |
303 | | static unsigned is_crl_issuer(gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer) |
304 | 0 | { |
305 | 0 | if (_gnutls_x509_compare_raw_dn(&crl->raw_issuer_dn, &issuer->raw_dn) != |
306 | 0 | 0) |
307 | 0 | return 1; |
308 | 0 | else |
309 | 0 | return 0; |
310 | 0 | } |
311 | | |
312 | | /* Checks if the DN of two certificates is the same. |
313 | | * Returns 1 if they match and (0) if they don't match. Otherwise |
314 | | * a negative error code is returned to indicate error. |
315 | | */ |
316 | | unsigned _gnutls_is_same_dn(gnutls_x509_crt_t cert1, gnutls_x509_crt_t cert2) |
317 | 0 | { |
318 | 0 | if (_gnutls_x509_compare_raw_dn(&cert1->raw_dn, &cert2->raw_dn) != 0) |
319 | 0 | return 1; |
320 | 0 | else |
321 | 0 | return 0; |
322 | 0 | } |
323 | | |
324 | | /* Finds an issuer of the certificate. If multiple issuers |
325 | | * are present, returns one that is activated and not expired. |
326 | | */ |
327 | | static inline gnutls_x509_crt_t |
328 | | find_issuer(gnutls_x509_crt_t cert, const gnutls_x509_crt_t *trusted_cas, |
329 | | int tcas_size) |
330 | 0 | { |
331 | 0 | int i; |
332 | 0 | gnutls_x509_crt_t issuer = NULL; |
333 | | |
334 | | /* this is serial search. |
335 | | */ |
336 | 0 | for (i = 0; i < tcas_size; i++) { |
337 | 0 | if (is_issuer(cert, trusted_cas[i]) != 0) { |
338 | 0 | if (issuer == NULL) { |
339 | 0 | issuer = trusted_cas[i]; |
340 | 0 | } else { |
341 | 0 | time_t now = gnutls_time(0); |
342 | |
|
343 | 0 | if (now < gnutls_x509_crt_get_expiration_time( |
344 | 0 | trusted_cas[i]) && |
345 | 0 | now >= gnutls_x509_crt_get_activation_time( |
346 | 0 | trusted_cas[i])) { |
347 | 0 | issuer = trusted_cas[i]; |
348 | 0 | } |
349 | 0 | } |
350 | 0 | } |
351 | 0 | } |
352 | |
|
353 | 0 | return issuer; |
354 | 0 | } |
355 | | |
356 | | static unsigned int check_time_status(gnutls_x509_crt_t crt, time_t now) |
357 | 0 | { |
358 | 0 | int status = 0; |
359 | 0 | time_t t; |
360 | |
|
361 | 0 | t = gnutls_x509_crt_get_activation_time(crt); |
362 | 0 | if (t == (time_t)-1 || now < t) { |
363 | 0 | status |= GNUTLS_CERT_NOT_ACTIVATED; |
364 | 0 | status |= GNUTLS_CERT_INVALID; |
365 | 0 | return status; |
366 | 0 | } |
367 | | |
368 | 0 | t = gnutls_x509_crt_get_expiration_time(crt); |
369 | 0 | if (t == (time_t)-1 || now > t) { |
370 | 0 | status |= GNUTLS_CERT_EXPIRED; |
371 | 0 | status |= GNUTLS_CERT_INVALID; |
372 | 0 | return status; |
373 | 0 | } |
374 | | |
375 | 0 | return 0; |
376 | 0 | } |
377 | | |
378 | | unsigned _gnutls_is_broken_sig_allowed(const gnutls_sign_entry_st *se, |
379 | | unsigned int flags) |
380 | 0 | { |
381 | 0 | gnutls_digest_algorithm_t hash; |
382 | | |
383 | | /* we have a catch all */ |
384 | 0 | if ((flags & GNUTLS_VERIFY_ALLOW_BROKEN) == GNUTLS_VERIFY_ALLOW_BROKEN) |
385 | 0 | return 1; |
386 | | |
387 | | /* the first two are for backwards compatibility */ |
388 | 0 | if ((se->id == GNUTLS_SIGN_RSA_MD2) && |
389 | 0 | (flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2)) |
390 | 0 | return 1; |
391 | 0 | if ((se->id == GNUTLS_SIGN_RSA_MD5) && |
392 | 0 | (flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5)) |
393 | 0 | return 1; |
394 | | |
395 | 0 | hash = se->hash; |
396 | 0 | if (hash == GNUTLS_DIG_SHA1 && |
397 | 0 | (flags & GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1)) |
398 | 0 | return 1; |
399 | | |
400 | 0 | return 0; |
401 | 0 | } |
402 | | |
403 | | #define CASE_SEC_PARAM(profile, level) \ |
404 | 0 | case profile: \ |
405 | 0 | sym_bits = gnutls_sec_param_to_symmetric_bits(level); \ |
406 | 0 | se = _gnutls_sign_to_entry(sigalg); \ |
407 | 0 | if (unlikely(se == NULL)) { \ |
408 | 0 | _gnutls_cert_log("cert", crt); \ |
409 | 0 | _gnutls_debug_log( \ |
410 | 0 | #level \ |
411 | 0 | ": certificate's signature algorithm is unknown\n"); \ |
412 | 0 | return gnutls_assert_val(0); \ |
413 | 0 | } \ |
414 | 0 | if (unlikely(se->hash == GNUTLS_DIG_UNKNOWN)) { \ |
415 | 0 | _gnutls_cert_log("cert", crt); \ |
416 | 0 | _gnutls_debug_log( \ |
417 | 0 | #level \ |
418 | 0 | ": certificate's signature hash is unknown\n"); \ |
419 | 0 | return gnutls_assert_val(0); \ |
420 | 0 | } \ |
421 | 0 | if (!trusted && \ |
422 | 0 | _gnutls_sign_get_hash_strength(sigalg) < sym_bits) { \ |
423 | 0 | _gnutls_cert_log("cert", crt); \ |
424 | 0 | _gnutls_debug_log( \ |
425 | 0 | #level \ |
426 | 0 | ": certificate's signature hash strength is unacceptable (is %u bits, needed %u)\n", \ |
427 | 0 | _gnutls_sign_get_hash_strength(sigalg), \ |
428 | 0 | sym_bits); \ |
429 | 0 | return gnutls_assert_val(0); \ |
430 | 0 | } \ |
431 | 0 | sp = gnutls_pk_bits_to_sec_param(pkalg, bits); \ |
432 | 0 | if (sp < level) { \ |
433 | 0 | _gnutls_cert_log("cert", crt); \ |
434 | 0 | _gnutls_debug_log( \ |
435 | 0 | #level \ |
436 | 0 | ": certificate's security level is unacceptable\n"); \ |
437 | 0 | return gnutls_assert_val(0); \ |
438 | 0 | } \ |
439 | 0 | if (issuer) { \ |
440 | 0 | sp = gnutls_pk_bits_to_sec_param(issuer_pkalg, \ |
441 | 0 | issuer_bits); \ |
442 | 0 | if (sp < level) { \ |
443 | 0 | _gnutls_cert_log("issuer", issuer); \ |
444 | 0 | _gnutls_debug_log( \ |
445 | 0 | #level \ |
446 | 0 | ": certificate's issuer security level is unacceptable\n"); \ |
447 | 0 | return gnutls_assert_val(0); \ |
448 | 0 | } \ |
449 | 0 | } \ |
450 | 0 | break; |
451 | | |
452 | | /* Checks whether the provided certificates are acceptable |
453 | | * according to verification profile specified. |
454 | | * |
455 | | * @crt: a certificate |
456 | | * @issuer: the certificates issuer (allowed to be NULL) |
457 | | * @sigalg: the signature algorithm used |
458 | | * @trusted: whether @crt is treated as trusted (e.g., present in the system |
459 | | * trust list); if it is true, the check on signature algorithm will |
460 | | * be skipped |
461 | | * @flags: the specified verification flags |
462 | | */ |
463 | | static unsigned is_level_acceptable(gnutls_x509_crt_t crt, |
464 | | gnutls_x509_crt_t issuer, |
465 | | gnutls_sign_algorithm_t sigalg, |
466 | | bool trusted, unsigned flags) |
467 | 0 | { |
468 | 0 | gnutls_certificate_verification_profiles_t profile = |
469 | 0 | GNUTLS_VFLAGS_TO_PROFILE(flags); |
470 | 0 | int issuer_pkalg = 0, pkalg, ret; |
471 | 0 | unsigned bits = 0, issuer_bits = 0, sym_bits = 0; |
472 | 0 | gnutls_pk_params_st params; |
473 | 0 | gnutls_sec_param_t sp; |
474 | 0 | const gnutls_sign_entry_st *se; |
475 | 0 | gnutls_certificate_verification_profiles_t min_profile; |
476 | |
|
477 | 0 | min_profile = _gnutls_get_system_wide_verification_profile(); |
478 | |
|
479 | 0 | if (min_profile) { |
480 | 0 | if (profile < min_profile) { |
481 | 0 | gnutls_assert(); |
482 | 0 | profile = min_profile; |
483 | 0 | } |
484 | 0 | } |
485 | |
|
486 | 0 | if (profile == GNUTLS_PROFILE_UNKNOWN) { |
487 | 0 | return 1; |
488 | 0 | } |
489 | | |
490 | 0 | pkalg = gnutls_x509_crt_get_pk_algorithm(crt, &bits); |
491 | 0 | if (pkalg < 0) |
492 | 0 | return gnutls_assert_val(0); |
493 | | |
494 | 0 | if (issuer) { |
495 | 0 | issuer_pkalg = |
496 | 0 | gnutls_x509_crt_get_pk_algorithm(issuer, &issuer_bits); |
497 | 0 | if (issuer_pkalg < 0) |
498 | 0 | return gnutls_assert_val(0); |
499 | 0 | } |
500 | | |
501 | 0 | switch (profile) { |
502 | 0 | CASE_SEC_PARAM(GNUTLS_PROFILE_VERY_WEAK, |
503 | 0 | GNUTLS_SEC_PARAM_VERY_WEAK); |
504 | 0 | CASE_SEC_PARAM(GNUTLS_PROFILE_LOW, GNUTLS_SEC_PARAM_LOW); |
505 | 0 | CASE_SEC_PARAM(GNUTLS_PROFILE_LEGACY, GNUTLS_SEC_PARAM_LEGACY); |
506 | 0 | CASE_SEC_PARAM(GNUTLS_PROFILE_MEDIUM, GNUTLS_SEC_PARAM_MEDIUM); |
507 | 0 | CASE_SEC_PARAM(GNUTLS_PROFILE_HIGH, GNUTLS_SEC_PARAM_HIGH); |
508 | 0 | CASE_SEC_PARAM(GNUTLS_PROFILE_ULTRA, GNUTLS_SEC_PARAM_ULTRA); |
509 | 0 | CASE_SEC_PARAM(GNUTLS_PROFILE_FUTURE, GNUTLS_SEC_PARAM_FUTURE); |
510 | 0 | case GNUTLS_PROFILE_SUITEB128: |
511 | 0 | case GNUTLS_PROFILE_SUITEB192: { |
512 | 0 | unsigned curve, issuer_curve; |
513 | | |
514 | | /* check suiteB params validity: rfc5759 */ |
515 | |
|
516 | 0 | if (gnutls_x509_crt_get_version(crt) != 3) { |
517 | 0 | _gnutls_debug_log( |
518 | 0 | "SUITEB: certificate uses an unacceptable version number\n"); |
519 | 0 | return gnutls_assert_val(0); |
520 | 0 | } |
521 | | |
522 | 0 | if (sigalg != GNUTLS_SIGN_ECDSA_SHA256 && |
523 | 0 | sigalg != GNUTLS_SIGN_ECDSA_SHA384) { |
524 | 0 | _gnutls_debug_log( |
525 | 0 | "SUITEB: certificate is not signed using ECDSA-SHA256 or ECDSA-SHA384\n"); |
526 | 0 | return gnutls_assert_val(0); |
527 | 0 | } |
528 | | |
529 | 0 | if (pkalg != GNUTLS_PK_EC) { |
530 | 0 | _gnutls_debug_log( |
531 | 0 | "SUITEB: certificate does not contain ECC parameters\n"); |
532 | 0 | return gnutls_assert_val(0); |
533 | 0 | } |
534 | | |
535 | 0 | if (issuer_pkalg != GNUTLS_PK_EC) { |
536 | 0 | _gnutls_debug_log( |
537 | 0 | "SUITEB: certificate's issuer does not have ECC parameters\n"); |
538 | 0 | return gnutls_assert_val(0); |
539 | 0 | } |
540 | | |
541 | 0 | ret = _gnutls_x509_crt_get_mpis(crt, ¶ms); |
542 | 0 | if (ret < 0) { |
543 | 0 | _gnutls_debug_log( |
544 | 0 | "SUITEB: cannot read certificate params\n"); |
545 | 0 | return gnutls_assert_val(0); |
546 | 0 | } |
547 | | |
548 | 0 | curve = params.curve; |
549 | 0 | gnutls_pk_params_release(¶ms); |
550 | |
|
551 | 0 | if (curve != GNUTLS_ECC_CURVE_SECP256R1 && |
552 | 0 | curve != GNUTLS_ECC_CURVE_SECP384R1) { |
553 | 0 | _gnutls_debug_log( |
554 | 0 | "SUITEB: certificate's ECC params do not contain SECP256R1 or SECP384R1\n"); |
555 | 0 | return gnutls_assert_val(0); |
556 | 0 | } |
557 | | |
558 | 0 | if (profile == GNUTLS_PROFILE_SUITEB192) { |
559 | 0 | if (curve != GNUTLS_ECC_CURVE_SECP384R1) { |
560 | 0 | _gnutls_debug_log( |
561 | 0 | "SUITEB192: certificate does not use SECP384R1\n"); |
562 | 0 | return gnutls_assert_val(0); |
563 | 0 | } |
564 | 0 | } |
565 | | |
566 | 0 | if (issuer != NULL) { |
567 | 0 | if (gnutls_x509_crt_get_version(issuer) != 3) { |
568 | 0 | _gnutls_debug_log( |
569 | 0 | "SUITEB: certificate's issuer uses an unacceptable version number\n"); |
570 | 0 | return gnutls_assert_val(0); |
571 | 0 | } |
572 | | |
573 | 0 | ret = _gnutls_x509_crt_get_mpis(issuer, ¶ms); |
574 | 0 | if (ret < 0) { |
575 | 0 | _gnutls_debug_log( |
576 | 0 | "SUITEB: cannot read certificate params\n"); |
577 | 0 | return gnutls_assert_val(0); |
578 | 0 | } |
579 | | |
580 | 0 | issuer_curve = params.curve; |
581 | 0 | gnutls_pk_params_release(¶ms); |
582 | |
|
583 | 0 | if (issuer_curve != GNUTLS_ECC_CURVE_SECP256R1 && |
584 | 0 | issuer_curve != GNUTLS_ECC_CURVE_SECP384R1) { |
585 | 0 | _gnutls_debug_log( |
586 | 0 | "SUITEB: certificate's issuer ECC params do not contain SECP256R1 or SECP384R1\n"); |
587 | 0 | return gnutls_assert_val(0); |
588 | 0 | } |
589 | | |
590 | 0 | if (issuer_curve < curve) { |
591 | 0 | _gnutls_debug_log( |
592 | 0 | "SUITEB: certificate's issuer ECC params are weaker than the certificate's\n"); |
593 | 0 | return gnutls_assert_val(0); |
594 | 0 | } |
595 | | |
596 | 0 | if (sigalg == GNUTLS_SIGN_ECDSA_SHA256 && |
597 | 0 | issuer_curve == GNUTLS_ECC_CURVE_SECP384R1) { |
598 | 0 | _gnutls_debug_log( |
599 | 0 | "SUITEB: certificate is signed with ECDSA-SHA256 when using SECP384R1\n"); |
600 | 0 | return gnutls_assert_val(0); |
601 | 0 | } |
602 | 0 | } |
603 | | |
604 | 0 | break; |
605 | 0 | case GNUTLS_PROFILE_UNKNOWN: /* already checked; avoid compiler warnings */ |
606 | 0 | _gnutls_debug_log("An unknown profile (%d) was encountered\n", |
607 | 0 | (int)profile); |
608 | 0 | } |
609 | 0 | } |
610 | | |
611 | 0 | return 1; |
612 | 0 | } |
613 | | |
614 | | typedef struct verify_state_st { |
615 | | time_t now; |
616 | | unsigned int max_path; |
617 | | gnutls_x509_name_constraints_t nc; |
618 | | gnutls_x509_tlsfeatures_t tls_feat; |
619 | | gnutls_verify_output_function *func; |
620 | | } verify_state_st; |
621 | | |
622 | | #define MARK_INVALID(x) \ |
623 | 0 | { \ |
624 | 0 | gnutls_assert(); \ |
625 | 0 | out |= (x | GNUTLS_CERT_INVALID); \ |
626 | 0 | result = 0; \ |
627 | 0 | } |
628 | | |
629 | | static int _gnutls_x509_verify_data(gnutls_sign_algorithm_t sign, |
630 | | const gnutls_datum_t *data, |
631 | | const gnutls_datum_t *signature, |
632 | | gnutls_x509_crt_t cert, |
633 | | gnutls_x509_crt_t issuer, unsigned vflags); |
634 | | |
635 | | /* |
636 | | * Verifies the given certificate against a certificate list of |
637 | | * trusted CAs. |
638 | | * |
639 | | * Returns only 0 or 1. If 1 it means that the certificate |
640 | | * was successfully verified. |
641 | | * |
642 | | * 'flags': an OR of the gnutls_certificate_verify_flags enumeration. |
643 | | * |
644 | | * Output will hold some extra information about the verification |
645 | | * procedure. |
646 | | */ |
647 | | static unsigned verify_crt(gnutls_x509_trust_list_t tlist, |
648 | | gnutls_x509_crt_t cert, |
649 | | const gnutls_x509_crt_t *trusted_cas, int tcas_size, |
650 | | unsigned int flags, unsigned int *output, |
651 | | verify_state_st *vparams, unsigned end_cert) |
652 | 0 | { |
653 | 0 | gnutls_datum_t cert_signed_data = { NULL, 0 }; |
654 | 0 | gnutls_datum_t cert_signature = { NULL, 0 }; |
655 | 0 | gnutls_x509_crt_t issuer = NULL; |
656 | 0 | int issuer_version; |
657 | 0 | unsigned result = 1; |
658 | 0 | unsigned int out = 0, usage; |
659 | 0 | int sigalg, ret; |
660 | 0 | const gnutls_sign_entry_st *se; |
661 | |
|
662 | 0 | if (output) |
663 | 0 | *output = 0; |
664 | |
|
665 | 0 | if (vparams->max_path == 0) { |
666 | 0 | MARK_INVALID(GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE); |
667 | | /* bail immediately, to avoid inconsistency */ |
668 | 0 | goto cleanup; |
669 | 0 | } |
670 | 0 | vparams->max_path--; |
671 | |
|
672 | 0 | if (tcas_size >= 1) |
673 | 0 | issuer = find_issuer(cert, trusted_cas, tcas_size); |
674 | |
|
675 | 0 | ret = _gnutls_x509_get_signed_data(cert->cert, &cert->der, |
676 | 0 | "tbsCertificate", &cert_signed_data); |
677 | 0 | if (ret < 0) { |
678 | 0 | MARK_INVALID(0); |
679 | 0 | cert_signed_data.data = NULL; |
680 | 0 | } |
681 | |
|
682 | 0 | ret = _gnutls_x509_get_signature(cert->cert, "signature", |
683 | 0 | &cert_signature); |
684 | 0 | if (ret < 0) { |
685 | 0 | MARK_INVALID(0); |
686 | 0 | cert_signature.data = NULL; |
687 | 0 | } |
688 | |
|
689 | 0 | ret = _gnutls_x509_get_signature_algorithm(cert->cert, |
690 | 0 | "signatureAlgorithm"); |
691 | 0 | if (ret < 0) { |
692 | 0 | MARK_INVALID(0); |
693 | 0 | } |
694 | 0 | sigalg = ret; |
695 | |
|
696 | 0 | se = _gnutls_sign_to_entry(sigalg); |
697 | | |
698 | | /* issuer is not in trusted certificate |
699 | | * authorities. |
700 | | */ |
701 | 0 | if (issuer == NULL) { |
702 | 0 | MARK_INVALID(GNUTLS_CERT_SIGNER_NOT_FOUND); |
703 | 0 | } else { |
704 | 0 | if (vparams->nc != NULL) { |
705 | | /* append the issuer's constraints */ |
706 | 0 | ret = gnutls_x509_crt_get_name_constraints( |
707 | 0 | issuer, vparams->nc, |
708 | 0 | GNUTLS_NAME_CONSTRAINTS_FLAG_APPEND, NULL); |
709 | 0 | if (ret < 0 && |
710 | 0 | ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { |
711 | 0 | MARK_INVALID( |
712 | 0 | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE); |
713 | 0 | goto nc_done; |
714 | 0 | } |
715 | | |
716 | | /* only check name constraints in server certificates, not CAs */ |
717 | 0 | if (end_cert != 0) { |
718 | 0 | ret = gnutls_x509_name_constraints_check_crt( |
719 | 0 | vparams->nc, GNUTLS_SAN_DNSNAME, cert); |
720 | 0 | if (ret == 0) { |
721 | 0 | MARK_INVALID( |
722 | 0 | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE); |
723 | 0 | goto nc_done; |
724 | 0 | } |
725 | | |
726 | 0 | ret = gnutls_x509_name_constraints_check_crt( |
727 | 0 | vparams->nc, GNUTLS_SAN_RFC822NAME, |
728 | 0 | cert); |
729 | 0 | if (ret == 0) { |
730 | 0 | MARK_INVALID( |
731 | 0 | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE); |
732 | 0 | goto nc_done; |
733 | 0 | } |
734 | | |
735 | 0 | ret = gnutls_x509_name_constraints_check_crt( |
736 | 0 | vparams->nc, GNUTLS_SAN_DN, cert); |
737 | 0 | if (ret == 0) { |
738 | 0 | MARK_INVALID( |
739 | 0 | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE); |
740 | 0 | goto nc_done; |
741 | 0 | } |
742 | | |
743 | 0 | ret = gnutls_x509_name_constraints_check_crt( |
744 | 0 | vparams->nc, GNUTLS_SAN_URI, cert); |
745 | 0 | if (ret == 0) { |
746 | 0 | MARK_INVALID( |
747 | 0 | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE); |
748 | 0 | goto nc_done; |
749 | 0 | } |
750 | | |
751 | 0 | ret = gnutls_x509_name_constraints_check_crt( |
752 | 0 | vparams->nc, GNUTLS_SAN_IPADDRESS, |
753 | 0 | cert); |
754 | 0 | if (ret == 0) { |
755 | 0 | MARK_INVALID( |
756 | 0 | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE); |
757 | 0 | goto nc_done; |
758 | 0 | } |
759 | 0 | } |
760 | 0 | } |
761 | | |
762 | 0 | nc_done: |
763 | 0 | if (vparams->tls_feat != NULL) { |
764 | | /* append the issuer's constraints */ |
765 | 0 | ret = gnutls_x509_crt_get_tlsfeatures( |
766 | 0 | issuer, vparams->tls_feat, |
767 | 0 | GNUTLS_EXT_FLAG_APPEND, NULL); |
768 | 0 | if (ret < 0 && |
769 | 0 | ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { |
770 | 0 | MARK_INVALID( |
771 | 0 | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE); |
772 | 0 | goto feat_done; |
773 | 0 | } |
774 | | |
775 | 0 | ret = gnutls_x509_tlsfeatures_check_crt( |
776 | 0 | vparams->tls_feat, cert); |
777 | 0 | if (ret == 0) { |
778 | 0 | MARK_INVALID( |
779 | 0 | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE); |
780 | 0 | goto feat_done; |
781 | 0 | } |
782 | 0 | } |
783 | | |
784 | 0 | feat_done: |
785 | 0 | issuer_version = gnutls_x509_crt_get_version(issuer); |
786 | |
|
787 | 0 | if (issuer_version < 0) { |
788 | 0 | MARK_INVALID(0); |
789 | 0 | } else if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) && |
790 | 0 | ((flags & |
791 | 0 | GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT) || |
792 | 0 | issuer_version != 1)) { |
793 | 0 | if (check_if_ca(cert, issuer, &vparams->max_path, |
794 | 0 | flags) != 1) { |
795 | 0 | MARK_INVALID(GNUTLS_CERT_SIGNER_NOT_CA); |
796 | 0 | } |
797 | |
|
798 | 0 | ret = gnutls_x509_crt_get_key_usage(issuer, &usage, |
799 | 0 | NULL); |
800 | 0 | if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { |
801 | 0 | if (ret < 0) { |
802 | 0 | MARK_INVALID(0); |
803 | 0 | } else if (!(usage & |
804 | 0 | GNUTLS_KEY_KEY_CERT_SIGN)) { |
805 | 0 | MARK_INVALID( |
806 | 0 | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE); |
807 | 0 | } |
808 | 0 | } |
809 | 0 | } |
810 | |
|
811 | 0 | if (sigalg < 0) { |
812 | 0 | MARK_INVALID(0); |
813 | 0 | } else if (cert_signed_data.data != NULL && |
814 | 0 | cert_signature.data != NULL) { |
815 | 0 | ret = _gnutls_x509_verify_data(sigalg, |
816 | 0 | &cert_signed_data, |
817 | 0 | &cert_signature, cert, |
818 | 0 | issuer, flags); |
819 | |
|
820 | 0 | if (ret == GNUTLS_E_PK_SIG_VERIFY_FAILED) { |
821 | 0 | MARK_INVALID(GNUTLS_CERT_SIGNATURE_FAILURE); |
822 | 0 | } else if (ret == GNUTLS_E_CONSTRAINT_ERROR) { |
823 | 0 | MARK_INVALID( |
824 | 0 | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE); |
825 | 0 | } else if (ret < 0) { |
826 | 0 | MARK_INVALID(0); |
827 | 0 | } |
828 | 0 | } |
829 | 0 | } |
830 | | |
831 | | /* we always check the issuer for unsupported critical extensions */ |
832 | 0 | if (issuer && check_for_unknown_exts(issuer) != 0) { |
833 | 0 | if (!(flags & GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS)) { |
834 | 0 | MARK_INVALID(GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS); |
835 | 0 | } |
836 | 0 | } |
837 | | |
838 | | /* we only check the end-certificate for critical extensions; that |
839 | | * way do not perform this check twice on the certificates when |
840 | | * verifying a large list */ |
841 | 0 | if (end_cert && check_for_unknown_exts(cert) != 0) { |
842 | 0 | if (!(flags & GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS)) { |
843 | 0 | MARK_INVALID(GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS); |
844 | 0 | } |
845 | 0 | } |
846 | |
|
847 | 0 | if (sigalg >= 0 && se) { |
848 | 0 | if (is_level_acceptable(cert, issuer, sigalg, false, flags) == |
849 | 0 | 0) { |
850 | 0 | MARK_INVALID(GNUTLS_CERT_INSECURE_ALGORITHM); |
851 | 0 | } |
852 | | |
853 | | /* If the certificate is not self signed check if the algorithms |
854 | | * used are secure. If the certificate is self signed it doesn't |
855 | | * really matter. |
856 | | */ |
857 | 0 | if (_gnutls_sign_is_secure2( |
858 | 0 | se, GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS) == 0 && |
859 | 0 | _gnutls_is_broken_sig_allowed(se, flags) == 0 && |
860 | 0 | is_issuer(cert, cert) == 0) { |
861 | 0 | MARK_INVALID(GNUTLS_CERT_INSECURE_ALGORITHM); |
862 | 0 | } |
863 | 0 | } |
864 | | |
865 | | /* Check activation/expiration times |
866 | | */ |
867 | 0 | if (!(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS)) { |
868 | | /* check the time of the issuer first */ |
869 | 0 | if (issuer != NULL && |
870 | 0 | !(flags & GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS)) { |
871 | 0 | out |= check_time_status(issuer, vparams->now); |
872 | 0 | if (out != 0) { |
873 | 0 | gnutls_assert(); |
874 | 0 | result = 0; |
875 | 0 | } |
876 | 0 | } |
877 | |
|
878 | 0 | out |= check_time_status(cert, vparams->now); |
879 | 0 | if (out != 0) { |
880 | 0 | gnutls_assert(); |
881 | 0 | result = 0; |
882 | 0 | } |
883 | 0 | } |
884 | |
|
885 | 0 | cleanup: |
886 | 0 | if (output) |
887 | 0 | *output |= out; |
888 | |
|
889 | 0 | if (vparams->func) { |
890 | 0 | if (result == 0) { |
891 | 0 | out |= GNUTLS_CERT_INVALID; |
892 | 0 | } |
893 | 0 | vparams->func(cert, issuer, NULL, out); |
894 | 0 | } |
895 | 0 | _gnutls_free_datum(&cert_signed_data); |
896 | 0 | _gnutls_free_datum(&cert_signature); |
897 | |
|
898 | 0 | return result; |
899 | 0 | } |
900 | | |
901 | | /** |
902 | | * gnutls_x509_crt_check_issuer: |
903 | | * @cert: is the certificate to be checked |
904 | | * @issuer: is the certificate of a possible issuer |
905 | | * |
906 | | * This function will check if the given certificate was issued by the |
907 | | * given issuer. It checks the DN fields and the authority |
908 | | * key identifier and subject key identifier fields match. |
909 | | * |
910 | | * If the same certificate is provided at the @cert and @issuer fields, |
911 | | * it will check whether the certificate is self-signed. |
912 | | * |
913 | | * Returns: It will return true (1) if the given certificate is issued |
914 | | * by the given issuer, and false (0) if not. |
915 | | **/ |
916 | | unsigned gnutls_x509_crt_check_issuer(gnutls_x509_crt_t cert, |
917 | | gnutls_x509_crt_t issuer) |
918 | 0 | { |
919 | 0 | return is_issuer(cert, issuer); |
920 | 0 | } |
921 | | |
922 | | static unsigned check_ca_sanity(const gnutls_x509_crt_t issuer, time_t now, |
923 | | unsigned int flags) |
924 | 0 | { |
925 | 0 | unsigned int status = 0; |
926 | 0 | unsigned sigalg; |
927 | 0 | int ret; |
928 | | |
929 | | /* explicit time check for trusted CA that we remove from |
930 | | * list. GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS |
931 | | */ |
932 | 0 | if (!(flags & GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS) && |
933 | 0 | !(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS)) { |
934 | 0 | status |= check_time_status(issuer, now); |
935 | 0 | } |
936 | |
|
937 | 0 | ret = _gnutls_x509_get_signature_algorithm(issuer->cert, |
938 | 0 | "signatureAlgorithm"); |
939 | 0 | sigalg = ret; |
940 | | |
941 | | /* we explicitly allow CAs which we do not support their self-algorithms |
942 | | * to pass. */ |
943 | 0 | if (ret >= 0 && |
944 | 0 | !is_level_acceptable(issuer, NULL, sigalg, true, flags)) { |
945 | 0 | status |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID; |
946 | 0 | } |
947 | |
|
948 | 0 | return status; |
949 | 0 | } |
950 | | |
951 | | /* Verify X.509 certificate chain. |
952 | | * |
953 | | * Note that the return value is an OR of GNUTLS_CERT_* elements. |
954 | | * |
955 | | * This function verifies a X.509 certificate list. The certificate |
956 | | * list should lead to a trusted certificate in order to be trusted. |
957 | | */ |
958 | | unsigned int _gnutls_verify_crt_status( |
959 | | gnutls_x509_trust_list_t tlist, |
960 | | const gnutls_x509_crt_t *certificate_list, int clist_size, |
961 | | const gnutls_x509_crt_t *trusted_cas, int tcas_size, unsigned int flags, |
962 | | const char *purpose, gnutls_verify_output_function func) |
963 | 0 | { |
964 | 0 | int i = 0, ret; |
965 | 0 | unsigned int status = 0, output; |
966 | 0 | time_t now = gnutls_time(0); |
967 | 0 | verify_state_st vparams; |
968 | |
|
969 | 0 | if (clist_size > 1) { |
970 | | /* Check if the last certificate in the path is self signed. |
971 | | * In that case ignore it (a certificate is trusted only if it |
972 | | * leads to a trusted party by us, not the server's). |
973 | | * |
974 | | * This prevents from verifying self signed certificates against |
975 | | * themselves. This (although not bad) caused verification |
976 | | * failures on some root self signed certificates that use the |
977 | | * MD2 algorithm. |
978 | | */ |
979 | 0 | if (gnutls_x509_crt_check_issuer( |
980 | 0 | certificate_list[clist_size - 1], |
981 | 0 | certificate_list[clist_size - 1]) != 0) { |
982 | 0 | clist_size--; |
983 | 0 | } |
984 | 0 | } |
985 | | |
986 | | /* We want to shorten the chain by removing the cert that matches |
987 | | * one of the certs we trust and all the certs after that i.e. if |
988 | | * cert chain is A signed-by B signed-by C signed-by D (signed-by |
989 | | * self-signed E but already removed above), and we trust B, remove |
990 | | * B, C and D. */ |
991 | 0 | if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_SAME)) |
992 | 0 | i = 0; /* also replace the first one */ |
993 | 0 | else |
994 | 0 | i = 1; /* do not replace the first one */ |
995 | |
|
996 | 0 | for (; i < clist_size; i++) { |
997 | 0 | int j; |
998 | |
|
999 | 0 | for (j = 0; j < tcas_size; j++) { |
1000 | | /* we check for a certificate that may not be identical with the one |
1001 | | * sent by the client, but will have the same name and key. That is |
1002 | | * because it can happen that a CA certificate is upgraded from intermediate |
1003 | | * CA to self-signed CA at some point. */ |
1004 | 0 | if (_gnutls_check_if_same_key(certificate_list[i], |
1005 | 0 | trusted_cas[j], i) != 0) { |
1006 | 0 | status |= check_ca_sanity(trusted_cas[j], now, |
1007 | 0 | flags); |
1008 | |
|
1009 | 0 | if (func) |
1010 | 0 | func(certificate_list[i], |
1011 | 0 | trusted_cas[j], NULL, status); |
1012 | |
|
1013 | 0 | if (status != 0) { |
1014 | 0 | return gnutls_assert_val(status); |
1015 | 0 | } |
1016 | | |
1017 | 0 | clist_size = i; |
1018 | 0 | break; |
1019 | 0 | } |
1020 | 0 | } |
1021 | | /* clist_size may have been changed which gets out of loop */ |
1022 | 0 | } |
1023 | | |
1024 | 0 | if (clist_size == 0) { |
1025 | | /* The certificate is already present in the trusted certificate list. |
1026 | | * Nothing to verify. */ |
1027 | 0 | return status; |
1028 | 0 | } |
1029 | | |
1030 | 0 | memset(&vparams, 0, sizeof(vparams)); |
1031 | 0 | vparams.now = now; |
1032 | 0 | vparams.max_path = MAX_VERIFY_DEPTH; |
1033 | 0 | vparams.func = func; |
1034 | |
|
1035 | 0 | ret = gnutls_x509_name_constraints_init(&vparams.nc); |
1036 | 0 | if (ret < 0) { |
1037 | 0 | gnutls_assert(); |
1038 | 0 | status |= GNUTLS_CERT_INVALID; |
1039 | 0 | return status; |
1040 | 0 | } |
1041 | | |
1042 | 0 | ret = gnutls_x509_tlsfeatures_init(&vparams.tls_feat); |
1043 | 0 | if (ret < 0) { |
1044 | 0 | gnutls_assert(); |
1045 | 0 | status |= GNUTLS_CERT_INVALID; |
1046 | 0 | goto cleanup; |
1047 | 0 | } |
1048 | | |
1049 | | /* Verify the last certificate in the certificate path |
1050 | | * against the trusted CA certificate list. |
1051 | | * |
1052 | | * If no CAs are present returns CERT_INVALID. Thus works |
1053 | | * in self signed etc certificates. |
1054 | | */ |
1055 | 0 | output = 0; |
1056 | |
|
1057 | 0 | ret = verify_crt(tlist, certificate_list[clist_size - 1], trusted_cas, |
1058 | 0 | tcas_size, flags, &output, &vparams, |
1059 | 0 | clist_size == 1 ? 1 : 0); |
1060 | 0 | if (ret != 1) { |
1061 | | /* if the last certificate in the certificate |
1062 | | * list is invalid, then the certificate is not |
1063 | | * trusted. |
1064 | | */ |
1065 | 0 | gnutls_assert(); |
1066 | 0 | status |= output; |
1067 | 0 | status |= GNUTLS_CERT_INVALID; |
1068 | 0 | goto cleanup; |
1069 | 0 | } |
1070 | | |
1071 | | /* Verify the certificate path (chain) |
1072 | | */ |
1073 | 0 | for (i = clist_size - 1; i > 0; i--) { |
1074 | 0 | output = 0; |
1075 | |
|
1076 | 0 | if (purpose != NULL) { |
1077 | 0 | ret = _gnutls_check_key_purpose(certificate_list[i], |
1078 | 0 | purpose, 1); |
1079 | 0 | if (ret != 1) { |
1080 | 0 | gnutls_assert(); |
1081 | 0 | status |= GNUTLS_CERT_INVALID; |
1082 | 0 | status |= GNUTLS_CERT_PURPOSE_MISMATCH; |
1083 | |
|
1084 | 0 | if (func) |
1085 | 0 | func(certificate_list[i - 1], |
1086 | 0 | certificate_list[i], NULL, status); |
1087 | 0 | goto cleanup; |
1088 | 0 | } |
1089 | 0 | } |
1090 | | |
1091 | | /* note that here we disable this V1 CA flag. So that no version 1 |
1092 | | * certificates can exist in a supplied chain. |
1093 | | */ |
1094 | 0 | if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) { |
1095 | 0 | flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT; |
1096 | 0 | } |
1097 | |
|
1098 | 0 | if (!verify_crt(tlist, certificate_list[i - 1], |
1099 | 0 | &certificate_list[i], 1, flags, &output, |
1100 | 0 | &vparams, i == 1 ? 1 : 0)) { |
1101 | 0 | gnutls_assert(); |
1102 | 0 | status |= output; |
1103 | 0 | status |= GNUTLS_CERT_INVALID; |
1104 | 0 | goto cleanup; |
1105 | 0 | } |
1106 | 0 | } |
1107 | | |
1108 | 0 | cleanup: |
1109 | 0 | gnutls_x509_name_constraints_deinit(vparams.nc); |
1110 | 0 | gnutls_x509_tlsfeatures_deinit(vparams.tls_feat); |
1111 | 0 | return status; |
1112 | 0 | } |
1113 | | |
1114 | 0 | #define PURPOSE_NSSGC "2.16.840.1.113730.4.1" |
1115 | 0 | #define PURPOSE_VSGC "2.16.840.1.113733.1.8.1" |
1116 | | |
1117 | | /* Returns true if the provided purpose is in accordance with the certificate. |
1118 | | */ |
1119 | | unsigned _gnutls_check_key_purpose(gnutls_x509_crt_t cert, const char *purpose, |
1120 | | unsigned no_any) |
1121 | 0 | { |
1122 | 0 | char oid[MAX_OID_SIZE]; |
1123 | 0 | size_t oid_size; |
1124 | 0 | int ret; |
1125 | 0 | unsigned critical = 0; |
1126 | 0 | unsigned check_obsolete_oids = 0; |
1127 | 0 | unsigned i; |
1128 | | |
1129 | | /* The check_obsolete_oids hack is because of certain very old CA certificates |
1130 | | * around which instead of having the GNUTLS_KP_TLS_WWW_SERVER have some old |
1131 | | * OIDs for that purpose. Assume these OIDs equal GNUTLS_KP_TLS_WWW_SERVER in |
1132 | | * CA certs */ |
1133 | 0 | if (strcmp(purpose, GNUTLS_KP_TLS_WWW_SERVER) == 0) { |
1134 | 0 | unsigned ca_status; |
1135 | 0 | ret = gnutls_x509_crt_get_basic_constraints(cert, NULL, |
1136 | 0 | &ca_status, NULL); |
1137 | 0 | if (ret < 0) |
1138 | 0 | ca_status = 0; |
1139 | |
|
1140 | 0 | if (ca_status) |
1141 | 0 | check_obsolete_oids = 1; |
1142 | 0 | } |
1143 | |
|
1144 | 0 | for (i = 0;; i++) { |
1145 | 0 | oid_size = sizeof(oid); |
1146 | 0 | ret = gnutls_x509_crt_get_key_purpose_oid(cert, i, oid, |
1147 | 0 | &oid_size, &critical); |
1148 | 0 | if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { |
1149 | 0 | if (i == 0) { |
1150 | | /* no key purpose in certificate, assume ANY */ |
1151 | 0 | return 1; |
1152 | 0 | } else { |
1153 | 0 | gnutls_assert(); |
1154 | 0 | break; |
1155 | 0 | } |
1156 | 0 | } else if (ret < 0) { |
1157 | 0 | gnutls_assert(); |
1158 | 0 | break; |
1159 | 0 | } |
1160 | | |
1161 | 0 | if (check_obsolete_oids) { |
1162 | 0 | if (strcmp(oid, PURPOSE_NSSGC) == 0) { |
1163 | 0 | return 1; |
1164 | 0 | } else if (strcmp(oid, PURPOSE_VSGC) == 0) { |
1165 | 0 | return 1; |
1166 | 0 | } |
1167 | 0 | } |
1168 | | |
1169 | 0 | if (strcmp(oid, purpose) == 0 || |
1170 | 0 | (no_any == 0 && strcmp(oid, GNUTLS_KP_ANY) == 0)) { |
1171 | 0 | return 1; |
1172 | 0 | } |
1173 | 0 | _gnutls_debug_log( |
1174 | 0 | "looking for key purpose '%s', but have '%s'\n", |
1175 | 0 | purpose, oid); |
1176 | 0 | } |
1177 | 0 | return 0; |
1178 | 0 | } |
1179 | | |
1180 | | #ifdef ENABLE_PKCS11 |
1181 | | /* Verify X.509 certificate chain using a PKCS #11 token. |
1182 | | * |
1183 | | * Note that the return value is an OR of GNUTLS_CERT_* elements. |
1184 | | * |
1185 | | * Unlike the non-PKCS#11 version, this function accepts a key purpose |
1186 | | * (from GNUTLS_KP_...). That is because in the p11-kit trust modules |
1187 | | * anchors are mixed and get assigned a purpose. |
1188 | | * |
1189 | | * This function verifies a X.509 certificate list. The certificate |
1190 | | * list should lead to a trusted certificate in order to be trusted. |
1191 | | */ |
1192 | | unsigned int _gnutls_pkcs11_verify_crt_status( |
1193 | | gnutls_x509_trust_list_t tlist, const char *url, |
1194 | | const gnutls_x509_crt_t *certificate_list, unsigned clist_size, |
1195 | | const char *purpose, unsigned int flags, |
1196 | | gnutls_verify_output_function func) |
1197 | | { |
1198 | | int ret; |
1199 | | unsigned int status = 0, i; |
1200 | | gnutls_x509_crt_t issuer = NULL; |
1201 | | gnutls_datum_t raw_issuer = { NULL, 0 }; |
1202 | | time_t now = gnutls_time(0); |
1203 | | time_t distrust_after; |
1204 | | |
1205 | | if (clist_size > 1) { |
1206 | | /* Check if the last certificate in the path is self signed. |
1207 | | * In that case ignore it (a certificate is trusted only if it |
1208 | | * leads to a trusted party by us, not the server's). |
1209 | | * |
1210 | | * This prevents from verifying self signed certificates against |
1211 | | * themselves. This (although not bad) caused verification |
1212 | | * failures on some root self signed certificates that use the |
1213 | | * MD2 algorithm. |
1214 | | */ |
1215 | | if (gnutls_x509_crt_check_issuer( |
1216 | | certificate_list[clist_size - 1], |
1217 | | certificate_list[clist_size - 1]) != 0) { |
1218 | | clist_size--; |
1219 | | } |
1220 | | } |
1221 | | |
1222 | | /* We want to shorten the chain by removing the cert that matches |
1223 | | * one of the certs we trust and all the certs after that i.e. if |
1224 | | * cert chain is A signed-by B signed-by C signed-by D (signed-by |
1225 | | * self-signed E but already removed above), and we trust B, remove |
1226 | | * B, C and D. */ |
1227 | | if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_SAME)) |
1228 | | i = 0; /* also replace the first one */ |
1229 | | else |
1230 | | i = 1; /* do not replace the first one */ |
1231 | | |
1232 | | for (; i < clist_size; i++) { |
1233 | | unsigned vflags; |
1234 | | gnutls_x509_crt_t trusted_cert; |
1235 | | |
1236 | | if (i == 0) /* in the end certificate do full comparison */ |
1237 | | vflags = |
1238 | | GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE | |
1239 | | GNUTLS_PKCS11_OBJ_FLAG_COMPARE | |
1240 | | GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED; |
1241 | | else |
1242 | | vflags = |
1243 | | GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE | |
1244 | | GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY | |
1245 | | GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED; |
1246 | | |
1247 | | if (_gnutls_pkcs11_crt_is_known(url, certificate_list[i], |
1248 | | vflags, &trusted_cert) != 0) { |
1249 | | status |= check_ca_sanity(trusted_cert, now, flags); |
1250 | | |
1251 | | if (func) |
1252 | | func(trusted_cert, certificate_list[i], NULL, |
1253 | | status); |
1254 | | |
1255 | | gnutls_x509_crt_deinit(trusted_cert); |
1256 | | |
1257 | | if (status != 0) { |
1258 | | return gnutls_assert_val(status); |
1259 | | } |
1260 | | |
1261 | | clist_size = i; |
1262 | | break; |
1263 | | } |
1264 | | /* clist_size may have been changed which gets out of loop */ |
1265 | | } |
1266 | | |
1267 | | if (clist_size == 0) { |
1268 | | /* The certificate is already present in the trusted certificate list. |
1269 | | * Nothing to verify. */ |
1270 | | return status; |
1271 | | } |
1272 | | |
1273 | | /* check for blocklists */ |
1274 | | for (i = 0; i < clist_size; i++) { |
1275 | | if (gnutls_pkcs11_crt_is_known( |
1276 | | url, certificate_list[i], |
1277 | | GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE | |
1278 | | GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED) != |
1279 | | 0) { |
1280 | | status |= GNUTLS_CERT_INVALID; |
1281 | | status |= GNUTLS_CERT_REVOKED; |
1282 | | if (func) |
1283 | | func(certificate_list[i], certificate_list[i], |
1284 | | NULL, status); |
1285 | | goto cleanup; |
1286 | | } |
1287 | | } |
1288 | | |
1289 | | /* check against issuer */ |
1290 | | ret = gnutls_pkcs11_get_raw_issuer( |
1291 | | url, certificate_list[clist_size - 1], &raw_issuer, |
1292 | | GNUTLS_X509_FMT_DER, |
1293 | | GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT | |
1294 | | GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE); |
1295 | | if (ret < 0) { |
1296 | | gnutls_assert(); |
1297 | | if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE && |
1298 | | clist_size > 2) { |
1299 | | /* check if the last certificate in the chain is present |
1300 | | * in our trusted list, and if yes, verify against it. */ |
1301 | | ret = gnutls_pkcs11_crt_is_known( |
1302 | | url, certificate_list[clist_size - 1], |
1303 | | GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED | |
1304 | | GNUTLS_PKCS11_OBJ_FLAG_COMPARE); |
1305 | | if (ret != 0) { |
1306 | | return _gnutls_verify_crt_status( |
1307 | | tlist, certificate_list, clist_size, |
1308 | | &certificate_list[clist_size - 1], 1, |
1309 | | flags, purpose, func); |
1310 | | } |
1311 | | } |
1312 | | |
1313 | | status |= GNUTLS_CERT_INVALID; |
1314 | | status |= GNUTLS_CERT_SIGNER_NOT_FOUND; |
1315 | | /* verify the certificate list against 0 trusted CAs in order |
1316 | | * to get, any additional flags from the certificate list (e.g., |
1317 | | * insecure algorithms or expired */ |
1318 | | status |= _gnutls_verify_crt_status(tlist, certificate_list, |
1319 | | clist_size, NULL, 0, flags, |
1320 | | purpose, func); |
1321 | | goto cleanup; |
1322 | | } |
1323 | | |
1324 | | ret = gnutls_x509_crt_init(&issuer); |
1325 | | if (ret < 0) { |
1326 | | gnutls_assert(); |
1327 | | status |= GNUTLS_CERT_INVALID; |
1328 | | status |= GNUTLS_CERT_SIGNER_NOT_FOUND; |
1329 | | goto cleanup; |
1330 | | } |
1331 | | |
1332 | | ret = gnutls_x509_crt_import(issuer, &raw_issuer, GNUTLS_X509_FMT_DER); |
1333 | | if (ret < 0) { |
1334 | | gnutls_assert(); |
1335 | | status |= GNUTLS_CERT_INVALID; |
1336 | | status |= GNUTLS_CERT_SIGNER_NOT_FOUND; |
1337 | | goto cleanup; |
1338 | | } |
1339 | | |
1340 | | /* check if the raw issuer is assigned with a time-based |
1341 | | * distrust and the certificate is issued after that period |
1342 | | */ |
1343 | | distrust_after = _gnutls_pkcs11_get_distrust_after( |
1344 | | url, issuer, |
1345 | | purpose == NULL ? GNUTLS_KP_TLS_WWW_SERVER : purpose, |
1346 | | GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED); |
1347 | | if (distrust_after != (time_t)-1 && |
1348 | | distrust_after < gnutls_x509_crt_get_activation_time( |
1349 | | certificate_list[clist_size - 1])) { |
1350 | | gnutls_assert(); |
1351 | | status |= GNUTLS_CERT_INVALID; |
1352 | | status |= GNUTLS_CERT_SIGNER_NOT_FOUND; |
1353 | | goto cleanup; |
1354 | | } |
1355 | | |
1356 | | /* check if the raw issuer is distrusted (it can happen if |
1357 | | * the issuer is both in the trusted list and the distrusted) |
1358 | | */ |
1359 | | if (gnutls_pkcs11_crt_is_known( |
1360 | | url, issuer, |
1361 | | GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE | |
1362 | | GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED) != 0) { |
1363 | | status |= GNUTLS_CERT_INVALID; |
1364 | | status |= |
1365 | | GNUTLS_CERT_SIGNER_NOT_FOUND; /* if the signer is revoked - it is as if it doesn't exist */ |
1366 | | goto cleanup; |
1367 | | } |
1368 | | |
1369 | | /* security modules that provide trust, bundle all certificates (of all purposes) |
1370 | | * together. In software that doesn't specify any purpose assume the default to |
1371 | | * be www-server. */ |
1372 | | ret = _gnutls_check_key_purpose( |
1373 | | issuer, purpose == NULL ? GNUTLS_KP_TLS_WWW_SERVER : purpose, |
1374 | | 0); |
1375 | | if (ret != 1) { |
1376 | | gnutls_assert(); |
1377 | | status |= GNUTLS_CERT_INVALID; |
1378 | | status |= GNUTLS_CERT_SIGNER_NOT_FOUND; |
1379 | | goto cleanup; |
1380 | | } |
1381 | | |
1382 | | status = _gnutls_verify_crt_status(tlist, certificate_list, clist_size, |
1383 | | &issuer, 1, flags, purpose, func); |
1384 | | |
1385 | | cleanup: |
1386 | | gnutls_free(raw_issuer.data); |
1387 | | if (issuer != NULL) |
1388 | | gnutls_x509_crt_deinit(issuer); |
1389 | | |
1390 | | return status; |
1391 | | } |
1392 | | #endif |
1393 | | |
1394 | | static int _gnutls_x509_validate_sign_params(gnutls_pk_algorithm_t pk_algorithm, |
1395 | | asn1_node cert, const char *name, |
1396 | | gnutls_x509_spki_st *sig_params) |
1397 | 0 | { |
1398 | | /* The signature parameter validation is only needed for RSA-PSS */ |
1399 | 0 | if (pk_algorithm == GNUTLS_PK_RSA_PSS) { |
1400 | 0 | int result; |
1401 | 0 | gnutls_x509_spki_st params; |
1402 | |
|
1403 | 0 | result = _gnutls_x509_read_sign_params(cert, name, ¶ms); |
1404 | 0 | if (result < 0) { |
1405 | | /* If parameters field is absent, no parameter |
1406 | | * validation is needed */ |
1407 | 0 | if (result != GNUTLS_E_ASN1_ELEMENT_NOT_FOUND && |
1408 | 0 | result != GNUTLS_E_ASN1_VALUE_NOT_FOUND) { |
1409 | 0 | gnutls_assert(); |
1410 | 0 | return result; |
1411 | 0 | } |
1412 | 0 | } else { |
1413 | | /* Check if the underlying hash algorithms are same. */ |
1414 | 0 | if (sig_params->rsa_pss_dig != params.rsa_pss_dig) { |
1415 | 0 | gnutls_assert(); |
1416 | 0 | return GNUTLS_E_CONSTRAINT_ERROR; |
1417 | 0 | } |
1418 | | |
1419 | | /* The salt length used to generate the |
1420 | | * signature must be equal to or larger than |
1421 | | * the one in the key parameter. */ |
1422 | 0 | if (sig_params->salt_size < params.salt_size) { |
1423 | 0 | gnutls_assert(); |
1424 | 0 | return GNUTLS_E_CONSTRAINT_ERROR; |
1425 | 0 | } |
1426 | 0 | } |
1427 | 0 | } |
1428 | 0 | return 0; |
1429 | 0 | } |
1430 | | |
1431 | | /* verifies if the certificate is properly signed. |
1432 | | * returns GNUTLS_E_PK_VERIFY_SIG_FAILED on failure and 1 on success. |
1433 | | * |
1434 | | * 'data' is the signed data |
1435 | | * 'signature' is the signature! |
1436 | | */ |
1437 | | static int _gnutls_x509_verify_data(gnutls_sign_algorithm_t sign, |
1438 | | const gnutls_datum_t *data, |
1439 | | const gnutls_datum_t *signature, |
1440 | | gnutls_x509_crt_t cert, |
1441 | | gnutls_x509_crt_t issuer, unsigned vflags) |
1442 | 0 | { |
1443 | 0 | gnutls_pk_params_st params; |
1444 | 0 | gnutls_pk_algorithm_t issuer_pk; |
1445 | 0 | int ret; |
1446 | 0 | gnutls_x509_spki_st sign_params; |
1447 | 0 | const gnutls_sign_entry_st *se; |
1448 | |
|
1449 | 0 | memset(&sign_params, 0, sizeof(sign_params)); |
1450 | | /* Read the MPI parameters from the issuer's certificate. |
1451 | | */ |
1452 | 0 | ret = _gnutls_x509_crt_get_mpis(issuer, ¶ms); |
1453 | 0 | if (ret < 0) { |
1454 | 0 | gnutls_assert(); |
1455 | 0 | return ret; |
1456 | 0 | } |
1457 | | |
1458 | 0 | issuer_pk = gnutls_x509_crt_get_pk_algorithm(issuer, NULL); |
1459 | |
|
1460 | 0 | se = _gnutls_sign_to_entry(sign); |
1461 | 0 | if (se == NULL) |
1462 | 0 | return gnutls_assert_val( |
1463 | 0 | GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM); |
1464 | | |
1465 | 0 | if (cert != NULL) { |
1466 | 0 | ret = _gnutls_x509_read_sign_params( |
1467 | 0 | cert->cert, "signatureAlgorithm", &sign_params); |
1468 | 0 | if (ret < 0) { |
1469 | 0 | gnutls_assert(); |
1470 | 0 | goto cleanup; |
1471 | 0 | } |
1472 | | |
1473 | 0 | ret = _gnutls_x509_validate_sign_params(issuer_pk, issuer->cert, |
1474 | 0 | "tbsCertificate." |
1475 | 0 | "subjectPublicKeyInfo." |
1476 | 0 | "algorithm", |
1477 | 0 | &sign_params); |
1478 | 0 | if (ret < 0) { |
1479 | 0 | gnutls_assert(); |
1480 | 0 | goto cleanup; |
1481 | 0 | } |
1482 | 0 | } else { |
1483 | 0 | ret = _gnutls_x509_spki_copy(&sign_params, ¶ms.spki); |
1484 | 0 | if (ret < 0) { |
1485 | 0 | gnutls_assert(); |
1486 | 0 | goto cleanup; |
1487 | 0 | } |
1488 | | |
1489 | 0 | sign_params.pk = se->pk; |
1490 | 0 | if (sign_params.pk == GNUTLS_PK_RSA_PSS) |
1491 | 0 | sign_params.rsa_pss_dig = se->hash; |
1492 | 0 | } |
1493 | | |
1494 | 0 | ret = pubkey_verify_data(se, hash_to_entry(se->hash), data, signature, |
1495 | 0 | ¶ms, &sign_params, vflags); |
1496 | 0 | if (ret < 0) { |
1497 | 0 | gnutls_assert(); |
1498 | 0 | } |
1499 | |
|
1500 | 0 | cleanup: |
1501 | | /* release all allocated MPIs |
1502 | | */ |
1503 | 0 | gnutls_pk_params_release(¶ms); |
1504 | 0 | _gnutls_x509_spki_clear(&sign_params); |
1505 | |
|
1506 | 0 | return ret; |
1507 | 0 | } |
1508 | | |
1509 | | /** |
1510 | | * gnutls_x509_crt_list_verify: |
1511 | | * @cert_list: is the certificate list to be verified |
1512 | | * @cert_list_length: holds the number of certificate in cert_list |
1513 | | * @CA_list: is the CA list which will be used in verification |
1514 | | * @CA_list_length: holds the number of CA certificate in CA_list |
1515 | | * @CRL_list: holds a list of CRLs. |
1516 | | * @CRL_list_length: the length of CRL list. |
1517 | | * @flags: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations. |
1518 | | * @verify: will hold the certificate verification output. |
1519 | | * |
1520 | | * |
1521 | | * This function will try to verify the given certificate list and |
1522 | | * return its status. The details of the verification are the same |
1523 | | * as in gnutls_x509_trust_list_verify_crt2(). |
1524 | | * |
1525 | | * You must check the peer's name in order to check if the verified |
1526 | | * certificate belongs to the actual peer. |
1527 | | * |
1528 | | * The certificate verification output will be put in @verify and will |
1529 | | * be one or more of the gnutls_certificate_status_t enumerated |
1530 | | * elements bitwise or'd. For a more detailed verification status use |
1531 | | * gnutls_x509_crt_verify() per list element. |
1532 | | * |
1533 | | * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a |
1534 | | * negative error value. |
1535 | | **/ |
1536 | | int gnutls_x509_crt_list_verify(const gnutls_x509_crt_t *cert_list, |
1537 | | unsigned cert_list_length, |
1538 | | const gnutls_x509_crt_t *CA_list, |
1539 | | unsigned CA_list_length, |
1540 | | const gnutls_x509_crl_t *CRL_list, |
1541 | | unsigned CRL_list_length, unsigned int flags, |
1542 | | unsigned int *verify) |
1543 | 0 | { |
1544 | 0 | unsigned i; |
1545 | 0 | int ret; |
1546 | 0 | gnutls_x509_trust_list_t tlist; |
1547 | |
|
1548 | 0 | if (cert_list == NULL || cert_list_length == 0) |
1549 | 0 | return GNUTLS_E_NO_CERTIFICATE_FOUND; |
1550 | | |
1551 | 0 | gnutls_x509_trust_list_init(&tlist, 0); |
1552 | | |
1553 | | /* Verify certificate |
1554 | | */ |
1555 | 0 | *verify = _gnutls_verify_crt_status(tlist, cert_list, cert_list_length, |
1556 | 0 | CA_list, CA_list_length, flags, |
1557 | 0 | NULL, NULL); |
1558 | | |
1559 | | /* Check for revoked certificates in the chain. |
1560 | | */ |
1561 | 0 | for (i = 0; i < cert_list_length; i++) { |
1562 | 0 | ret = gnutls_x509_crt_check_revocation(cert_list[i], CRL_list, |
1563 | 0 | CRL_list_length); |
1564 | 0 | if (ret == 1) { /* revoked */ |
1565 | 0 | *verify |= GNUTLS_CERT_REVOKED; |
1566 | 0 | *verify |= GNUTLS_CERT_INVALID; |
1567 | 0 | } |
1568 | 0 | } |
1569 | |
|
1570 | 0 | gnutls_x509_trust_list_deinit(tlist, 0); |
1571 | 0 | return 0; |
1572 | 0 | } |
1573 | | |
1574 | | /** |
1575 | | * gnutls_x509_crt_verify: |
1576 | | * @cert: is the certificate to be verified |
1577 | | * @CA_list: is one certificate that is considered to be trusted one |
1578 | | * @CA_list_length: holds the number of CA certificate in CA_list |
1579 | | * @flags: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations. |
1580 | | * @verify: will hold the certificate verification output. |
1581 | | * |
1582 | | * This function will try to verify the given certificate and return |
1583 | | * its status. Note that a verification error does not imply a negative |
1584 | | * return status. In that case the @verify status is set. |
1585 | | * |
1586 | | * The details of the verification are the same |
1587 | | * as in gnutls_x509_trust_list_verify_crt2(). |
1588 | | * |
1589 | | * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a |
1590 | | * negative error value. |
1591 | | **/ |
1592 | | int gnutls_x509_crt_verify(gnutls_x509_crt_t cert, |
1593 | | const gnutls_x509_crt_t *CA_list, |
1594 | | unsigned CA_list_length, unsigned int flags, |
1595 | | unsigned int *verify) |
1596 | 0 | { |
1597 | 0 | gnutls_x509_trust_list_t tlist; |
1598 | |
|
1599 | 0 | gnutls_x509_trust_list_init(&tlist, 0); |
1600 | | |
1601 | | /* Verify certificate |
1602 | | */ |
1603 | 0 | *verify = _gnutls_verify_crt_status(tlist, &cert, 1, CA_list, |
1604 | 0 | CA_list_length, flags, NULL, NULL); |
1605 | |
|
1606 | 0 | gnutls_x509_trust_list_deinit(tlist, 0); |
1607 | 0 | return 0; |
1608 | 0 | } |
1609 | | |
1610 | | /** |
1611 | | * gnutls_x509_crl_check_issuer: |
1612 | | * @crl: is the CRL to be checked |
1613 | | * @issuer: is the certificate of a possible issuer |
1614 | | * |
1615 | | * This function will check if the given CRL was issued by the given |
1616 | | * issuer certificate. |
1617 | | * |
1618 | | * Returns: true (1) if the given CRL was issued by the given issuer, |
1619 | | * and false (0) if not. |
1620 | | **/ |
1621 | | unsigned gnutls_x509_crl_check_issuer(gnutls_x509_crl_t crl, |
1622 | | gnutls_x509_crt_t issuer) |
1623 | 0 | { |
1624 | 0 | return is_crl_issuer(crl, issuer); |
1625 | 0 | } |
1626 | | |
1627 | | static inline gnutls_x509_crt_t |
1628 | | find_crl_issuer(gnutls_x509_crl_t crl, const gnutls_x509_crt_t *trusted_cas, |
1629 | | int tcas_size) |
1630 | 0 | { |
1631 | 0 | int i; |
1632 | | |
1633 | | /* this is serial search. |
1634 | | */ |
1635 | |
|
1636 | 0 | for (i = 0; i < tcas_size; i++) { |
1637 | 0 | if (is_crl_issuer(crl, trusted_cas[i]) != 0) |
1638 | 0 | return trusted_cas[i]; |
1639 | 0 | } |
1640 | | |
1641 | 0 | gnutls_assert(); |
1642 | 0 | return NULL; |
1643 | 0 | } |
1644 | | |
1645 | | /** |
1646 | | * gnutls_x509_crl_verify: |
1647 | | * @crl: is the crl to be verified |
1648 | | * @trusted_cas: is a certificate list that is considered to be trusted one |
1649 | | * @tcas_size: holds the number of CA certificates in CA_list |
1650 | | * @flags: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations. |
1651 | | * @verify: will hold the crl verification output. |
1652 | | * |
1653 | | * This function will try to verify the given crl and return its verification status. |
1654 | | * See gnutls_x509_crt_list_verify() for a detailed description of |
1655 | | * return values. Note that since GnuTLS 3.1.4 this function includes |
1656 | | * the time checks. |
1657 | | * |
1658 | | * Note that value in @verify is set only when the return value of this |
1659 | | * function is success (i.e, failure to trust a CRL a certificate does not imply |
1660 | | * a negative return value). |
1661 | | * |
1662 | | * Before GnuTLS 3.5.7 this function would return zero or a positive |
1663 | | * number on success. |
1664 | | * |
1665 | | * Returns: On success, %GNUTLS_E_SUCCESS (0), otherwise a |
1666 | | * negative error value. |
1667 | | **/ |
1668 | | int gnutls_x509_crl_verify(gnutls_x509_crl_t crl, |
1669 | | const gnutls_x509_crt_t *trusted_cas, |
1670 | | unsigned tcas_size, unsigned int flags, |
1671 | | unsigned int *verify) |
1672 | 0 | { |
1673 | | /* CRL is ignored for now */ |
1674 | 0 | gnutls_datum_t crl_signed_data = { NULL, 0 }; |
1675 | 0 | gnutls_datum_t crl_signature = { NULL, 0 }; |
1676 | 0 | gnutls_x509_crt_t issuer = NULL; |
1677 | 0 | int result, sigalg; |
1678 | 0 | time_t now = gnutls_time(0); |
1679 | 0 | time_t nextu; |
1680 | 0 | unsigned int usage; |
1681 | |
|
1682 | 0 | if (verify) |
1683 | 0 | *verify = 0; |
1684 | |
|
1685 | 0 | if (tcas_size >= 1) |
1686 | 0 | issuer = find_crl_issuer(crl, trusted_cas, tcas_size); |
1687 | |
|
1688 | 0 | result = _gnutls_x509_get_signed_data(crl->crl, &crl->der, |
1689 | 0 | "tbsCertList", &crl_signed_data); |
1690 | 0 | if (result < 0) { |
1691 | 0 | gnutls_assert(); |
1692 | 0 | if (verify) |
1693 | 0 | *verify |= GNUTLS_CERT_INVALID; |
1694 | 0 | goto cleanup; |
1695 | 0 | } |
1696 | | |
1697 | 0 | result = _gnutls_x509_get_signature(crl->crl, "signature", |
1698 | 0 | &crl_signature); |
1699 | 0 | if (result < 0) { |
1700 | 0 | gnutls_assert(); |
1701 | 0 | if (verify) |
1702 | 0 | *verify |= GNUTLS_CERT_INVALID; |
1703 | 0 | goto cleanup; |
1704 | 0 | } |
1705 | | |
1706 | 0 | sigalg = _gnutls_x509_get_signature_algorithm(crl->crl, |
1707 | 0 | "signatureAlgorithm"); |
1708 | 0 | if (sigalg < 0) { |
1709 | 0 | gnutls_assert(); |
1710 | 0 | if (verify) |
1711 | 0 | *verify |= GNUTLS_CERT_INVALID; |
1712 | 0 | goto cleanup; |
1713 | 0 | } |
1714 | | |
1715 | | /* issuer is not in trusted certificate |
1716 | | * authorities. |
1717 | | */ |
1718 | 0 | if (issuer == NULL) { |
1719 | 0 | gnutls_assert(); |
1720 | 0 | if (verify) |
1721 | 0 | *verify |= GNUTLS_CERT_SIGNER_NOT_FOUND | |
1722 | 0 | GNUTLS_CERT_INVALID; |
1723 | 0 | } else { |
1724 | 0 | if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN)) { |
1725 | 0 | if (gnutls_x509_crt_get_ca_status(issuer, NULL) != 1) { |
1726 | 0 | gnutls_assert(); |
1727 | 0 | if (verify) |
1728 | 0 | *verify |= GNUTLS_CERT_SIGNER_NOT_CA | |
1729 | 0 | GNUTLS_CERT_INVALID; |
1730 | 0 | } |
1731 | |
|
1732 | 0 | result = gnutls_x509_crt_get_key_usage(issuer, &usage, |
1733 | 0 | NULL); |
1734 | 0 | if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { |
1735 | 0 | if (result < 0) { |
1736 | 0 | gnutls_assert(); |
1737 | 0 | if (verify) |
1738 | 0 | *verify |= GNUTLS_CERT_INVALID; |
1739 | 0 | } else if (!(usage & GNUTLS_KEY_CRL_SIGN)) { |
1740 | 0 | gnutls_assert(); |
1741 | 0 | if (verify) |
1742 | 0 | *verify |= |
1743 | 0 | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE | |
1744 | 0 | GNUTLS_CERT_INVALID; |
1745 | 0 | } |
1746 | 0 | } |
1747 | 0 | } |
1748 | |
|
1749 | 0 | result = _gnutls_x509_verify_data(sigalg, &crl_signed_data, |
1750 | 0 | &crl_signature, NULL, issuer, |
1751 | 0 | flags); |
1752 | 0 | if (result == GNUTLS_E_PK_SIG_VERIFY_FAILED) { |
1753 | 0 | gnutls_assert(); |
1754 | | /* error. ignore it */ |
1755 | 0 | if (verify) |
1756 | 0 | *verify |= GNUTLS_CERT_SIGNATURE_FAILURE; |
1757 | 0 | result = 0; |
1758 | 0 | } else if (result == GNUTLS_E_CONSTRAINT_ERROR) { |
1759 | 0 | if (verify) |
1760 | 0 | *verify |= |
1761 | 0 | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE; |
1762 | 0 | result = 0; |
1763 | 0 | } else if (result < 0) { |
1764 | 0 | gnutls_assert(); |
1765 | 0 | if (verify) |
1766 | 0 | *verify |= GNUTLS_CERT_INVALID; |
1767 | 0 | goto cleanup; |
1768 | 0 | } else { |
1769 | 0 | result = 0; /* everything ok */ |
1770 | 0 | } |
1771 | 0 | } |
1772 | | |
1773 | 0 | { |
1774 | 0 | sigalg = gnutls_x509_crl_get_signature_algorithm(crl); |
1775 | |
|
1776 | 0 | if (((sigalg == GNUTLS_SIGN_RSA_MD2) && |
1777 | 0 | !(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2)) || |
1778 | 0 | ((sigalg == GNUTLS_SIGN_RSA_MD5) && |
1779 | 0 | !(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5))) { |
1780 | 0 | if (verify) |
1781 | 0 | *verify |= GNUTLS_CERT_INSECURE_ALGORITHM; |
1782 | 0 | result = 0; |
1783 | 0 | } |
1784 | 0 | } |
1785 | |
|
1786 | 0 | if (gnutls_x509_crl_get_this_update(crl) > now && verify) |
1787 | 0 | *verify |= GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE; |
1788 | |
|
1789 | 0 | nextu = gnutls_x509_crl_get_next_update(crl); |
1790 | 0 | if (nextu != -1 && nextu < now && verify) |
1791 | 0 | *verify |= GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED; |
1792 | |
|
1793 | 0 | cleanup: |
1794 | 0 | if (verify && *verify != 0) |
1795 | 0 | *verify |= GNUTLS_CERT_INVALID; |
1796 | |
|
1797 | 0 | _gnutls_free_datum(&crl_signed_data); |
1798 | 0 | _gnutls_free_datum(&crl_signature); |
1799 | |
|
1800 | 0 | return result; |
1801 | 0 | } |