40
40
#include <common.h>
42
42
static int _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
43
const gnutls_x509_crt_t * trusted_cas,
44
int tcas_size, unsigned int flags,
46
gnutls_x509_crt_t * issuer);
43
const gnutls_x509_crt_t * trusted_cas,
44
int tcas_size, unsigned int flags,
46
gnutls_x509_crt_t * issuer);
48
48
static int is_crl_issuer (gnutls_x509_crl_t crl,
49
gnutls_x509_crt_t issuer_cert);
49
gnutls_x509_crt_t issuer_cert);
51
51
static int _gnutls_verify_crl2 (gnutls_x509_crl_t crl,
52
const gnutls_x509_crt_t * trusted_cas,
53
int tcas_size, unsigned int flags,
54
unsigned int *output);
52
const gnutls_x509_crt_t * trusted_cas,
53
int tcas_size, unsigned int flags,
54
unsigned int *output);
56
/* Checks if two certs are identical. Return 0 onn match. */
56
/* Checks if two certs are identical. Return 0 on match. */
58
58
check_if_same_cert (gnutls_x509_crt_t cert1, gnutls_x509_crt_t cert2)
64
opaque serial1[128], serial2[128];
65
size_t serial1_size, serial2_size;
67
serial1_size = sizeof (serial1);
68
result = gnutls_x509_crt_get_serial (cert1, serial1, &serial1_size);
75
serial2_size = sizeof (serial2);
76
result = gnutls_x509_crt_get_serial (cert2, serial2, &serial2_size);
83
if (serial2_size != serial1_size
84
|| memcmp (serial1, serial2, serial1_size) != 0)
65
90
result = _gnutls_x509_der_encode (cert1->cert, "", &cert1bin, 0);
150
175
if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_SAME))
151
176
if (cert_signed_data.size == issuer_signed_data.size)
153
if ((memcmp (cert_signed_data.data, issuer_signed_data.data,
154
cert_signed_data.size) == 0) &&
155
(cert_signature.size == issuer_signature.size) &&
156
(memcmp (cert_signature.data, issuer_signature.data,
157
cert_signature.size) == 0))
178
if ((memcmp (cert_signed_data.data, issuer_signed_data.data,
179
cert_signed_data.size) == 0) &&
180
(cert_signature.size == issuer_signature.size) &&
181
(memcmp (cert_signature.data, issuer_signature.data,
182
cert_signature.size) == 0))
164
189
result = gnutls_x509_crt_get_ca_status (issuer, NULL);
170
195
/* Handle V1 CAs that do not have a basicConstraint, but accept
171
196
these certs only if the appropriate flags are set. */
172
197
else if ((result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) &&
173
((flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT) ||
174
(!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT) &&
175
(gnutls_x509_crt_check_issuer (issuer, issuer) == 1))))
198
((flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT) ||
199
(!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT) &&
200
(gnutls_x509_crt_check_issuer (issuer, issuer) == 1))))
177
202
gnutls_assert ();
268
293
_gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
269
const gnutls_x509_crt_t * trusted_cas,
270
int tcas_size, unsigned int flags,
271
unsigned int *output,
272
gnutls_x509_crt_t * _issuer)
294
const gnutls_x509_crt_t * trusted_cas,
295
int tcas_size, unsigned int flags,
296
unsigned int *output,
297
gnutls_x509_crt_t * _issuer)
274
299
gnutls_datum_t cert_signed_data = { NULL, 0 };
275
300
gnutls_datum_t cert_signature = { NULL, 0 };
276
301
gnutls_x509_crt_t issuer = NULL;
277
int ret, issuer_version, result;
302
int issuer_version, result;
313
338
if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
314
((flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT) || issuer_version != 1))
339
((flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT)
340
|| issuer_version != 1))
316
342
if (check_if_ca (cert, issuer, flags) == 0)
320
*output |= GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID;
346
*output |= GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID;
326
352
_gnutls_x509_get_signed_data (cert->cert, "tbsCertificate",
330
356
gnutls_assert ();
366
393
sigalg = gnutls_x509_crt_get_signature_algorithm (cert);
368
395
if (((sigalg == GNUTLS_SIGN_RSA_MD2) &&
369
!(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2)) ||
370
((sigalg == GNUTLS_SIGN_RSA_MD5) &&
371
!(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5)))
374
*output |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID;
396
!(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2)) ||
397
((sigalg == GNUTLS_SIGN_RSA_MD5) &&
398
!(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5)))
401
*output |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID;
382
407
_gnutls_free_datum (&cert_signed_data);
383
408
_gnutls_free_datum (&cert_signature);
439
464
static unsigned int
440
465
_gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
442
const gnutls_x509_crt_t * trusted_cas,
444
const gnutls_x509_crl_t * CRLs,
445
int crls_size, unsigned int flags)
467
const gnutls_x509_crt_t * trusted_cas,
469
const gnutls_x509_crl_t * CRLs,
470
int crls_size, unsigned int flags)
448
473
unsigned int status = 0, output;
449
time_t now = time (0);
474
time_t now = gnutls_time (0);
450
475
gnutls_x509_crt_t issuer = NULL;
452
477
if (clist_size > 1)
473
498
* self-signed E but already removed above), and we trust B, remove
475
500
if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_SAME))
501
i = 0; /* also replace the first one */
503
i = 1; /* do not replace the first one */
505
for (; i < clist_size; i++)
477
for (i = 0; i < clist_size; i++)
481
for (j = 0; j < tcas_size; j++)
483
if (check_if_same_cert (certificate_list[i],
484
trusted_cas[j]) == 0)
486
/* explicity time check for trusted CA that we remove from
487
* list. GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS
489
if (!(flags & GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS)
490
&& !(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS))
492
status |= check_time (trusted_cas[j], now);
502
/* clist_size may have been changed which gets out of loop */
509
for (j = 0; j < tcas_size; j++)
511
if (check_if_same_cert (certificate_list[i], trusted_cas[j]) == 0)
513
/* explicity time check for trusted CA that we remove from
514
* list. GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS
516
if (!(flags & GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS)
517
&& !(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS))
519
status |= check_time (trusted_cas[j], now);
529
/* clist_size may have been changed which gets out of loop */
506
532
if (clist_size == 0)
515
541
* in self signed etc certificates.
517
543
ret = _gnutls_verify_certificate2 (certificate_list[clist_size - 1],
518
trusted_cas, tcas_size, flags, &output,
544
trusted_cas, tcas_size, flags, &output,
522
548
/* if the last certificate in the certificate
553
579
/* check the time of the issuer first */
554
580
if (!(flags & GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS))
559
return GNUTLS_E_INTERNAL_ERROR;
585
return GNUTLS_E_INTERNAL_ERROR;
562
status |= check_time (issuer, now);
588
status |= check_time (issuer, now);
569
595
for (i = 0; i < clist_size; i++)
571
status |= check_time (certificate_list[i], now);
597
status |= check_time (certificate_list[i], now);
579
605
/* Verify the certificate path (chain)
581
607
for (i = clist_size - 1; i > 0; i--)
586
612
/* note that here we disable this V1 CA flag. So that no version 1
587
613
* certificates can exist in a supplied chain.
589
615
if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
590
flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
616
flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
592
_gnutls_verify_certificate2 (certificate_list[i - 1],
593
&certificate_list[i], 1, flags,
596
status |= GNUTLS_CERT_INVALID;
618
_gnutls_verify_certificate2 (certificate_list[i - 1],
619
&certificate_list[i], 1, flags,
622
status |= GNUTLS_CERT_INVALID;
610
636
decode_ber_digest_info (const gnutls_datum_t * info,
611
gnutls_mac_algorithm_t * hash,
612
opaque * digest, int *digest_size)
637
gnutls_mac_algorithm_t * hash,
638
opaque * digest, int *digest_size)
614
640
ASN1_TYPE dinfo = ASN1_TYPE_EMPTY;
658
684
/* To avoid permitting garbage in the parameters field, either the
659
685
parameters field is not present, or it contains 0x05 0x00. */
660
686
if (!(result == ASN1_ELEMENT_NOT_FOUND ||
661
(result == ASN1_SUCCESS && len == 2 &&
662
str[0] == 0x05 && str[1] == 0x00)))
687
(result == ASN1_SUCCESS && len == ASN1_NULL_SIZE &&
688
memcmp (str, ASN1_NULL, ASN1_NULL_SIZE) == 0)))
664
690
gnutls_assert ();
665
691
asn1_delete_structure (&dinfo);
688
714
_pkcs1_rsa_verify_sig (const gnutls_datum_t * text,
689
const gnutls_datum_t * prehash,
690
const gnutls_datum_t * signature, bigint_t * params,
715
const gnutls_datum_t * prehash,
716
const gnutls_datum_t * signature, bigint_t * params,
693
719
gnutls_mac_algorithm_t hash = GNUTLS_MAC_UNKNOWN;
765
791
dsa_verify_sig (const gnutls_datum_t * text,
766
const gnutls_datum_t * hash,
767
const gnutls_datum_t * signature, bigint_t * params,
792
const gnutls_datum_t * hash,
793
const gnutls_datum_t * signature, bigint_t * params,
771
797
opaque _digest[MAX_HASH_SIZE];
772
798
gnutls_datum_t digest;
800
gnutls_digest_algorithm_t algo;
801
unsigned int hash_len;
775
if (hash && hash->data && hash->size == 20)
803
algo = _gnutls_dsa_q_to_hash (params[1], &hash_len);
806
/* SHA1 or better allowed */
807
if (!hash->data || hash->size < hash_len)
810
_gnutls_debug_log("Hash size (%d) does not correspond to hash %s", (int)hash->size, gnutls_mac_get_name(algo));
812
if (hash->size != 20)
813
return GNUTLS_E_PK_SIG_VERIFY_FAILED;
781
ret = _gnutls_hash_init (&hd, GNUTLS_MAC_SHA1);
820
ret = _gnutls_hash_init (&hd, algo);
788
827
_gnutls_hash (&hd, text->data, text->size);
789
828
_gnutls_hash_deinit (&hd, _digest);
791
830
digest.data = _digest;
831
digest.size = _gnutls_hash_get_algo_len(algo);
795
834
ret = _gnutls_dsa_verify (&digest, signature, params, params_len);
800
/* Verifies the signature data, and returns 0 if not verified,
839
/* Verifies the signature data, and returns GNUTLS_E_PK_SIG_VERIFY_FAILED if
840
* not verified, or 1 otherwise.
804
verify_sig (const gnutls_datum_t * tbs,
805
const gnutls_datum_t * hash,
806
const gnutls_datum_t * signature,
807
gnutls_pk_algorithm_t pk, bigint_t * issuer_params,
808
int issuer_params_size)
843
pubkey_verify_sig (const gnutls_datum_t * tbs,
844
const gnutls_datum_t * hash,
845
const gnutls_datum_t * signature,
846
gnutls_pk_algorithm_t pk, bigint_t * issuer_params,
847
int issuer_params_size)
813
852
case GNUTLS_PK_RSA:
815
854
if (_pkcs1_rsa_verify_sig
816
(tbs, hash, signature, issuer_params, issuer_params_size) != 0)
855
(tbs, hash, signature, issuer_params, issuer_params_size) != 0)
858
return GNUTLS_E_PK_SIG_VERIFY_FAILED;
825
864
case GNUTLS_PK_DSA:
826
865
if (dsa_verify_sig
827
(tbs, hash, signature, issuer_params, issuer_params_size) != 0)
866
(tbs, hash, signature, issuer_params, issuer_params_size) != 0)
869
return GNUTLS_E_PK_SIG_VERIFY_FAILED;
842
881
gnutls_digest_algorithm_t
843
_gnutls_dsa_q_to_hash (bigint_t q)
882
_gnutls_dsa_q_to_hash (bigint_t q, unsigned int* hash_len)
845
884
int bits = _gnutls_mpi_get_nbits (q);
888
if (hash_len) *hash_len = 20;
849
889
return GNUTLS_DIG_SHA1;
851
891
else if (bits <= 224)
853
return GNUTLS_DIG_SHA224;
893
if (hash_len) *hash_len = 28;
894
return GNUTLS_DIG_SHA256;
898
if (hash_len) *hash_len = 32;
857
899
return GNUTLS_DIG_SHA256;
903
/* This will return the appropriate hash to verify the given signature.
904
* If signature is NULL it will return an (or the) appropriate hash for
905
* the given parameters.
862
908
_gnutls_x509_verify_algorithm (gnutls_mac_algorithm_t * hash,
863
const gnutls_datum_t * signature,
864
const gnutls_x509_crt_t issuer)
909
const gnutls_datum_t * signature,
910
gnutls_pk_algorithm pk,
911
bigint_t * issuer_params,
912
unsigned int issuer_params_size)
866
bigint_t issuer_params[MAX_PUBLIC_PARAMS_SIZE];
867
914
opaque digest[MAX_HASH_SIZE];
868
915
gnutls_datum_t decrypted;
869
int issuer_params_size;
873
issuer_params_size = MAX_PUBLIC_PARAMS_SIZE;
875
_gnutls_x509_crt_get_mpis (issuer, issuer_params, &issuer_params_size);
882
switch (gnutls_x509_crt_get_pk_algorithm (issuer, NULL))
884
921
case GNUTLS_PK_DSA:
887
*hash = _gnutls_dsa_q_to_hash (issuer_params[1]);
924
*hash = _gnutls_dsa_q_to_hash (issuer_params[1], NULL);
892
928
case GNUTLS_PK_RSA:
929
if (signature == NULL)
930
{ /* return a sensible algorithm */
932
*hash = GNUTLS_DIG_SHA256;
895
_gnutls_pkcs1_rsa_decrypt (&decrypted, signature,
896
issuer_params, issuer_params_size, 1);
937
_gnutls_pkcs1_rsa_decrypt (&decrypted, signature,
938
issuer_params, issuer_params_size, 1);
905
947
digest_size = sizeof (digest);
907
decode_ber_digest_info (&decrypted, hash, digest,
911
_gnutls_free_datum (&decrypted);
949
decode_ber_digest_info (&decrypted, hash, digest,
953
_gnutls_free_datum (&decrypted);
915
957
_gnutls_free_datum (&decrypted);
916
958
if (digest_size != _gnutls_hash_get_algo_len (*hash))
919
ret = GNUTLS_E_ASN1_GENERIC_ERROR;
961
ret = GNUTLS_E_ASN1_GENERIC_ERROR;
932
/* release allocated mpis */
933
for (i = 0; i < issuer_params_size; i++)
935
_gnutls_mpi_release (&issuer_params[i]);
942
979
/* verifies if the certificate is properly signed.
943
* returns 0 on failure and 1 on success.
980
* returns GNUTLS_E_PK_VERIFY_SIG_FAILED on failure and 1 on success.
945
982
* 'tbs' is the signed data
946
983
* 'signature' is the signature!
949
986
_gnutls_x509_verify_signature (const gnutls_datum_t * tbs,
950
const gnutls_datum_t * hash,
951
const gnutls_datum_t * signature,
952
gnutls_x509_crt_t issuer)
987
const gnutls_datum_t * hash,
988
const gnutls_datum_t * signature,
989
gnutls_x509_crt_t issuer)
954
991
bigint_t issuer_params[MAX_PUBLIC_PARAMS_SIZE];
955
992
int ret, issuer_params_size, i;
969
verify_sig (tbs, hash, signature,
970
gnutls_x509_crt_get_pk_algorithm (issuer, NULL),
971
issuer_params, issuer_params_size);
1006
pubkey_verify_sig (tbs, hash, signature,
1007
gnutls_x509_crt_get_pk_algorithm (issuer, NULL),
1008
issuer_params, issuer_params_size);
974
1011
gnutls_assert ();
987
1024
/* verifies if the certificate is properly signed.
988
* returns 0 on failure and 1 on success.
1025
* returns GNUTLS_E_PK_VERIFY_SIG_FAILED on failure and 1 on success.
990
1027
* 'tbs' is the signed data
991
1028
* 'signature' is the signature!
994
1031
_gnutls_x509_privkey_verify_signature (const gnutls_datum_t * tbs,
995
const gnutls_datum_t * signature,
996
gnutls_x509_privkey_t issuer)
1032
const gnutls_datum_t * signature,
1033
gnutls_x509_privkey_t issuer)
1000
ret = verify_sig (tbs, NULL, signature, issuer->pk_algorithm,
1001
issuer->params, issuer->params_size);
1037
ret = pubkey_verify_sig (tbs, NULL, signature, issuer->pk_algorithm,
1038
issuer->params, issuer->params_size);
1004
1041
gnutls_assert ();
1043
1080
gnutls_x509_crt_list_verify (const gnutls_x509_crt_t * cert_list,
1044
int cert_list_length,
1045
const gnutls_x509_crt_t * CA_list,
1047
const gnutls_x509_crl_t * CRL_list,
1048
int CRL_list_length, unsigned int flags,
1049
unsigned int *verify)
1081
int cert_list_length,
1082
const gnutls_x509_crt_t * CA_list,
1084
const gnutls_x509_crl_t * CRL_list,
1085
int CRL_list_length, unsigned int flags,
1086
unsigned int *verify)
1051
1088
if (cert_list == NULL || cert_list_length == 0)
1052
1089
return GNUTLS_E_NO_CERTIFICATE_FOUND;
1079
1116
gnutls_x509_crt_verify (gnutls_x509_crt_t cert,
1080
const gnutls_x509_crt_t * CA_list,
1081
int CA_list_length, unsigned int flags,
1082
unsigned int *verify)
1117
const gnutls_x509_crt_t * CA_list,
1118
int CA_list_length, unsigned int flags,
1119
unsigned int *verify)
1084
1121
/* Verify certificate
1087
1124
_gnutls_x509_verify_certificate (&cert, 1,
1088
CA_list, CA_list_length, NULL, 0, flags);
1125
CA_list, CA_list_length, NULL, 0, flags);
1131
1168
gnutls_x509_crl_verify (gnutls_x509_crl_t crl,
1132
const gnutls_x509_crt_t * CA_list,
1133
int CA_list_length, unsigned int flags,
1134
unsigned int *verify)
1169
const gnutls_x509_crt_t * CA_list,
1170
int CA_list_length, unsigned int flags,
1171
unsigned int *verify)
1212
1249
_gnutls_verify_crl2 (gnutls_x509_crl_t crl,
1213
const gnutls_x509_crt_t * trusted_cas,
1214
int tcas_size, unsigned int flags, unsigned int *output)
1250
const gnutls_x509_crt_t * trusted_cas,
1251
int tcas_size, unsigned int flags, unsigned int *output)
1216
1253
/* CRL is ignored for now */
1217
1254
gnutls_datum_t crl_signed_data = { NULL, 0 };
1218
1255
gnutls_datum_t crl_signature = { NULL, 0 };
1219
1256
gnutls_x509_crt_t issuer;
1240
1277
gnutls_assert ();
1242
*output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID;
1279
*output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID;
1246
1283
if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN))
1248
1285
if (gnutls_x509_crt_get_ca_status (issuer, NULL) != 1)
1252
*output |= GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID;
1289
*output |= GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID;
1291
1329
sigalg = gnutls_x509_crl_get_signature_algorithm (crl);
1293
1331
if (((sigalg == GNUTLS_SIGN_RSA_MD2) &&
1294
!(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2)) ||
1295
((sigalg == GNUTLS_SIGN_RSA_MD5) &&
1296
!(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5)))
1332
!(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2)) ||
1333
((sigalg == GNUTLS_SIGN_RSA_MD5) &&
1334
!(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5)))
1299
*output |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID;
1337
*output |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID;
1307
1343
_gnutls_free_datum (&crl_signed_data);
1308
1344
_gnutls_free_datum (&crl_signature);