2003-08-05 19:11:04 +02:00
|
|
|
|
/* certchain.c - certificate chain validation
|
2006-03-21 10:56:47 +01:00
|
|
|
|
* Copyright (C) 2001, 2002, 2003, 2004, 2005,
|
2011-12-07 16:15:15 +01:00
|
|
|
|
* 2006, 2007, 2008, 2011 Free Software Foundation, Inc.
|
2003-08-05 19:11:04 +02:00
|
|
|
|
*
|
|
|
|
|
* This file is part of GnuPG.
|
|
|
|
|
*
|
|
|
|
|
* GnuPG is free software; you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
2007-07-04 21:49:40 +02:00
|
|
|
|
* the Free Software Foundation; either version 3 of the License, or
|
2003-08-05 19:11:04 +02:00
|
|
|
|
* (at your option) any later version.
|
|
|
|
|
*
|
|
|
|
|
* GnuPG is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
2016-11-05 12:02:19 +01:00
|
|
|
|
* along with this program; if not, see <https://www.gnu.org/licenses/>.
|
2003-08-05 19:11:04 +02:00
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <config.h>
|
|
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
#include <errno.h>
|
2011-02-04 12:57:53 +01:00
|
|
|
|
#include <unistd.h>
|
2003-08-05 19:11:04 +02:00
|
|
|
|
#include <time.h>
|
2004-02-17 16:05:04 +01:00
|
|
|
|
#include <stdarg.h>
|
2003-08-05 19:11:04 +02:00
|
|
|
|
#include <assert.h>
|
|
|
|
|
|
|
|
|
|
#include "gpgsm.h"
|
|
|
|
|
#include <gcrypt.h>
|
|
|
|
|
#include <ksba.h>
|
|
|
|
|
|
|
|
|
|
#include "keydb.h"
|
2004-02-02 18:09:35 +01:00
|
|
|
|
#include "../kbx/keybox.h" /* for KEYBOX_FLAG_* */
|
2017-03-07 12:21:23 +01:00
|
|
|
|
#include "../common/i18n.h"
|
|
|
|
|
#include "../common/tlv.h"
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2004-02-17 16:05:04 +01:00
|
|
|
|
|
2020-04-16 18:01:37 +02:00
|
|
|
|
/* The OID for the authorityInfoAccess's caIssuers. */
|
|
|
|
|
static const char oidstr_caIssuers[] = "1.3.6.1.5.5.7.48.2";
|
|
|
|
|
|
|
|
|
|
|
2006-10-16 19:33:03 +02:00
|
|
|
|
/* Object to keep track of certain root certificates. */
|
|
|
|
|
struct marktrusted_info_s
|
|
|
|
|
{
|
|
|
|
|
struct marktrusted_info_s *next;
|
|
|
|
|
unsigned char fpr[20];
|
|
|
|
|
};
|
|
|
|
|
static struct marktrusted_info_s *marktrusted_info;
|
|
|
|
|
|
|
|
|
|
|
2007-03-20 17:57:40 +01:00
|
|
|
|
/* While running the validation function we want to keep track of the
|
|
|
|
|
certificates in the chain. This type is used for that. */
|
|
|
|
|
struct chain_item_s
|
|
|
|
|
{
|
|
|
|
|
struct chain_item_s *next;
|
|
|
|
|
ksba_cert_t cert; /* The certificate. */
|
|
|
|
|
int is_root; /* The certificate is the root certificate. */
|
|
|
|
|
};
|
|
|
|
|
typedef struct chain_item_s *chain_item_t;
|
|
|
|
|
|
|
|
|
|
|
2008-02-19 11:33:35 +01:00
|
|
|
|
static int is_root_cert (ksba_cert_t cert,
|
|
|
|
|
const char *issuerdn, const char *subjectdn);
|
2008-02-13 17:47:14 +01:00
|
|
|
|
static int get_regtp_ca_info (ctrl_t ctrl, ksba_cert_t cert, int *chainlen);
|
2006-03-21 10:56:47 +01:00
|
|
|
|
|
|
|
|
|
|
2006-10-16 19:33:03 +02:00
|
|
|
|
/* This function returns true if we already asked during this session
|
|
|
|
|
whether the root certificate CERT shall be marked as trusted. */
|
|
|
|
|
static int
|
|
|
|
|
already_asked_marktrusted (ksba_cert_t cert)
|
|
|
|
|
{
|
|
|
|
|
unsigned char fpr[20];
|
|
|
|
|
struct marktrusted_info_s *r;
|
|
|
|
|
|
|
|
|
|
gpgsm_get_fingerprint (cert, GCRY_MD_SHA1, fpr, NULL);
|
|
|
|
|
/* No context switches in the loop! */
|
|
|
|
|
for (r=marktrusted_info; r; r= r->next)
|
|
|
|
|
if (!memcmp (r->fpr, fpr, 20))
|
|
|
|
|
return 1;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Flag certificate CERT as already asked whether it shall be marked
|
|
|
|
|
as trusted. */
|
|
|
|
|
static void
|
|
|
|
|
set_already_asked_marktrusted (ksba_cert_t cert)
|
|
|
|
|
{
|
|
|
|
|
unsigned char fpr[20];
|
|
|
|
|
struct marktrusted_info_s *r;
|
|
|
|
|
|
|
|
|
|
gpgsm_get_fingerprint (cert, GCRY_MD_SHA1, fpr, NULL);
|
|
|
|
|
for (r=marktrusted_info; r; r= r->next)
|
|
|
|
|
if (!memcmp (r->fpr, fpr, 20))
|
|
|
|
|
return; /* Already marked. */
|
|
|
|
|
r = xtrycalloc (1, sizeof *r);
|
|
|
|
|
if (!r)
|
|
|
|
|
return;
|
|
|
|
|
memcpy (r->fpr, fpr, 20);
|
|
|
|
|
r->next = marktrusted_info;
|
|
|
|
|
marktrusted_info = r;
|
|
|
|
|
}
|
2006-03-21 10:56:47 +01:00
|
|
|
|
|
2004-08-17 17:26:22 +02:00
|
|
|
|
/* If LISTMODE is true, print FORMAT using LISTMODE to FP. If
|
2004-02-17 16:05:04 +01:00
|
|
|
|
LISTMODE is false, use the string to print an log_info or, if
|
2004-08-17 17:26:22 +02:00
|
|
|
|
IS_ERROR is true, and log_error. */
|
2004-02-17 16:05:04 +01:00
|
|
|
|
static void
|
2007-03-19 15:35:04 +01:00
|
|
|
|
do_list (int is_error, int listmode, estream_t fp, const char *format, ...)
|
2004-02-17 16:05:04 +01:00
|
|
|
|
{
|
|
|
|
|
va_list arg_ptr;
|
|
|
|
|
|
|
|
|
|
va_start (arg_ptr, format) ;
|
|
|
|
|
if (listmode)
|
|
|
|
|
{
|
|
|
|
|
if (fp)
|
|
|
|
|
{
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" [", fp);
|
|
|
|
|
es_vfprintf (fp, format, arg_ptr);
|
|
|
|
|
es_fputs ("]\n", fp);
|
2004-02-17 16:05:04 +01:00
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
2015-04-24 15:49:18 +02:00
|
|
|
|
log_logv (is_error? GPGRT_LOG_ERROR: GPGRT_LOG_INFO, format, arg_ptr);
|
2004-02-17 16:05:04 +01:00
|
|
|
|
log_printf ("\n");
|
|
|
|
|
}
|
|
|
|
|
va_end (arg_ptr);
|
|
|
|
|
}
|
|
|
|
|
|
2004-02-26 23:08:58 +01:00
|
|
|
|
/* Return 0 if A and B are equal. */
|
|
|
|
|
static int
|
|
|
|
|
compare_certs (ksba_cert_t a, ksba_cert_t b)
|
|
|
|
|
{
|
|
|
|
|
const unsigned char *img_a, *img_b;
|
|
|
|
|
size_t len_a, len_b;
|
|
|
|
|
|
|
|
|
|
img_a = ksba_cert_get_image (a, &len_a);
|
|
|
|
|
if (!img_a)
|
|
|
|
|
return 1;
|
|
|
|
|
img_b = ksba_cert_get_image (b, &len_b);
|
|
|
|
|
if (!img_b)
|
|
|
|
|
return 1;
|
|
|
|
|
return !(len_a == len_b && !memcmp (img_a, img_b, len_a));
|
|
|
|
|
}
|
|
|
|
|
|
2004-02-17 16:05:04 +01:00
|
|
|
|
|
2007-08-10 18:52:05 +02:00
|
|
|
|
/* Return true if CERT has the validityModel extensions and defines
|
|
|
|
|
the use of the chain model. */
|
|
|
|
|
static int
|
|
|
|
|
has_validation_model_chain (ksba_cert_t cert, int listmode, estream_t listfp)
|
|
|
|
|
{
|
|
|
|
|
gpg_error_t err;
|
|
|
|
|
int idx, yes;
|
|
|
|
|
const char *oid;
|
|
|
|
|
size_t off, derlen, objlen, hdrlen;
|
|
|
|
|
const unsigned char *der;
|
|
|
|
|
int class, tag, constructed, ndef;
|
|
|
|
|
char *oidbuf;
|
|
|
|
|
|
|
|
|
|
for (idx=0; !(err=ksba_cert_get_extension (cert, idx,
|
|
|
|
|
&oid, NULL, &off, &derlen));idx++)
|
|
|
|
|
if (!strcmp (oid, "1.3.6.1.4.1.8301.3.5") )
|
|
|
|
|
break;
|
|
|
|
|
if (err)
|
|
|
|
|
return 0; /* Not found. */
|
|
|
|
|
der = ksba_cert_get_image (cert, NULL);
|
|
|
|
|
if (!der)
|
|
|
|
|
{
|
|
|
|
|
err = gpg_error (GPG_ERR_INV_OBJ); /* Oops */
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
|
|
|
|
der += off;
|
|
|
|
|
|
|
|
|
|
err = parse_ber_header (&der, &derlen, &class, &tag, &constructed,
|
|
|
|
|
&ndef, &objlen, &hdrlen);
|
|
|
|
|
if (!err && (objlen > derlen || tag != TAG_SEQUENCE))
|
|
|
|
|
err = gpg_error (GPG_ERR_INV_OBJ);
|
|
|
|
|
if (err)
|
|
|
|
|
goto leave;
|
|
|
|
|
derlen = objlen;
|
|
|
|
|
err = parse_ber_header (&der, &derlen, &class, &tag, &constructed,
|
|
|
|
|
&ndef, &objlen, &hdrlen);
|
|
|
|
|
if (!err && (objlen > derlen || tag != TAG_OBJECT_ID))
|
|
|
|
|
err = gpg_error (GPG_ERR_INV_OBJ);
|
|
|
|
|
if (err)
|
|
|
|
|
goto leave;
|
|
|
|
|
oidbuf = ksba_oid_to_str (der, objlen);
|
|
|
|
|
if (!oidbuf)
|
|
|
|
|
{
|
|
|
|
|
err = gpg_error_from_syserror ();
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (opt.verbose)
|
|
|
|
|
do_list (0, listmode, listfp,
|
2011-02-04 12:57:53 +01:00
|
|
|
|
_("validation model requested by certificate: %s"),
|
2007-08-10 18:52:05 +02:00
|
|
|
|
!strcmp (oidbuf, "1.3.6.1.4.1.8301.3.5.1")? _("chain") :
|
|
|
|
|
!strcmp (oidbuf, "1.3.6.1.4.1.8301.3.5.2")? _("shell") :
|
|
|
|
|
/* */ oidbuf);
|
|
|
|
|
yes = !strcmp (oidbuf, "1.3.6.1.4.1.8301.3.5.1");
|
|
|
|
|
ksba_free (oidbuf);
|
|
|
|
|
return yes;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
leave:
|
|
|
|
|
log_error ("error parsing validityModel: %s\n", gpg_strerror (err));
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
static int
|
2007-03-19 15:35:04 +01:00
|
|
|
|
unknown_criticals (ksba_cert_t cert, int listmode, estream_t fp)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
|
|
|
|
static const char *known[] = {
|
|
|
|
|
"2.5.29.15", /* keyUsage */
|
2007-01-05 12:49:19 +01:00
|
|
|
|
"2.5.29.17", /* subjectAltName
|
|
|
|
|
Japanese DoCoMo certs mark them as critical. PKIX
|
|
|
|
|
only requires them as critical if subjectName is
|
|
|
|
|
empty. I don't know whether our code gracefully
|
|
|
|
|
handles such empry subjectNames but that is
|
|
|
|
|
another story. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
"2.5.29.19", /* basic Constraints */
|
|
|
|
|
"2.5.29.32", /* certificatePolicies */
|
2004-02-20 14:46:21 +01:00
|
|
|
|
"2.5.29.37", /* extendedKeyUsage - handled by certlist.c */
|
2007-08-10 18:52:05 +02:00
|
|
|
|
"1.3.6.1.4.1.8301.3.5", /* validityModel - handled here. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
NULL
|
|
|
|
|
};
|
|
|
|
|
int rc = 0, i, idx, crit;
|
|
|
|
|
const char *oid;
|
2003-12-17 13:28:24 +01:00
|
|
|
|
gpg_error_t err;
|
2009-12-10 14:00:30 +01:00
|
|
|
|
int unsupported;
|
|
|
|
|
strlist_t sl;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
for (idx=0; !(err=ksba_cert_get_extension (cert, idx,
|
|
|
|
|
&oid, &crit, NULL, NULL));idx++)
|
|
|
|
|
{
|
|
|
|
|
if (!crit)
|
|
|
|
|
continue;
|
|
|
|
|
for (i=0; known[i] && strcmp (known[i],oid); i++)
|
|
|
|
|
;
|
2009-12-10 14:00:30 +01:00
|
|
|
|
unsupported = !known[i];
|
|
|
|
|
|
2009-12-17 18:25:26 +01:00
|
|
|
|
/* If this critical extension is not supported. Check the list
|
|
|
|
|
of to be ignored extensions to see whether we claim that it
|
|
|
|
|
is supported. */
|
2009-12-10 14:00:30 +01:00
|
|
|
|
if (unsupported && opt.ignored_cert_extensions)
|
|
|
|
|
{
|
|
|
|
|
for (sl=opt.ignored_cert_extensions;
|
|
|
|
|
sl && strcmp (sl->d, oid); sl = sl->next)
|
|
|
|
|
;
|
|
|
|
|
if (sl)
|
|
|
|
|
unsupported = 0;
|
|
|
|
|
}
|
|
|
|
|
if (unsupported)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2004-02-17 16:05:04 +01:00
|
|
|
|
do_list (1, listmode, fp,
|
|
|
|
|
_("critical certificate extension %s is not supported"),
|
|
|
|
|
oid);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
rc = gpg_error (GPG_ERR_UNSUPPORTED_CERT);
|
|
|
|
|
}
|
|
|
|
|
}
|
2006-09-25 20:29:20 +02:00
|
|
|
|
/* We ignore the error codes EOF as well as no-value. The later will
|
|
|
|
|
occur for certificates with no extensions at all. */
|
|
|
|
|
if (err
|
|
|
|
|
&& gpg_err_code (err) != GPG_ERR_EOF
|
|
|
|
|
&& gpg_err_code (err) != GPG_ERR_NO_VALUE)
|
2003-11-12 16:17:44 +01:00
|
|
|
|
rc = err;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
2006-09-25 20:29:20 +02:00
|
|
|
|
|
|
|
|
|
/* Check whether CERT is an allowed certificate. This requires that
|
|
|
|
|
CERT matches all requirements for such a CA, i.e. the
|
|
|
|
|
BasicConstraints extension. The function returns 0 on success and
|
2010-10-05 21:05:43 +02:00
|
|
|
|
the allowed length of the chain at CHAINLEN. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
static int
|
2011-02-04 12:57:53 +01:00
|
|
|
|
allowed_ca (ctrl_t ctrl,
|
2008-02-13 17:47:14 +01:00
|
|
|
|
ksba_cert_t cert, int *chainlen, int listmode, estream_t fp)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2003-12-17 13:28:24 +01:00
|
|
|
|
gpg_error_t err;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
int flag;
|
|
|
|
|
|
|
|
|
|
err = ksba_cert_is_ca (cert, &flag, chainlen);
|
|
|
|
|
if (err)
|
2003-11-12 16:17:44 +01:00
|
|
|
|
return err;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!flag)
|
|
|
|
|
{
|
2008-02-13 17:47:14 +01:00
|
|
|
|
if (get_regtp_ca_info (ctrl, cert, chainlen))
|
2006-03-21 10:56:47 +01:00
|
|
|
|
{
|
2006-09-06 13:53:24 +02:00
|
|
|
|
/* Note that dirmngr takes a different way to cope with such
|
|
|
|
|
certs. */
|
2006-03-21 10:56:47 +01:00
|
|
|
|
return 0; /* RegTP issued certificate. */
|
|
|
|
|
}
|
|
|
|
|
|
2004-02-17 16:05:04 +01:00
|
|
|
|
do_list (1, listmode, fp,_("issuer certificate is not marked as a CA"));
|
2003-08-05 19:11:04 +02:00
|
|
|
|
return gpg_error (GPG_ERR_BAD_CA_CERT);
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static int
|
2007-03-19 15:35:04 +01:00
|
|
|
|
check_cert_policy (ksba_cert_t cert, int listmode, estream_t fplist)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2003-12-17 13:28:24 +01:00
|
|
|
|
gpg_error_t err;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
char *policies;
|
2020-10-20 11:52:16 +02:00
|
|
|
|
estream_t fp;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
int any_critical;
|
|
|
|
|
|
|
|
|
|
err = ksba_cert_get_cert_policies (cert, &policies);
|
2007-07-04 21:49:40 +02:00
|
|
|
|
if (gpg_err_code (err) == GPG_ERR_NO_DATA)
|
2006-10-18 19:19:08 +02:00
|
|
|
|
return 0; /* No policy given. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (err)
|
2003-11-12 16:17:44 +01:00
|
|
|
|
return err;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2007-03-20 17:57:40 +01:00
|
|
|
|
/* STRING is a line delimited list of certificate policies as stored
|
2003-08-05 19:11:04 +02:00
|
|
|
|
in the certificate. The line itself is colon delimited where the
|
|
|
|
|
first field is the OID of the policy and the second field either
|
|
|
|
|
N or C for normal or critical extension */
|
|
|
|
|
|
2004-02-17 16:05:04 +01:00
|
|
|
|
if (opt.verbose > 1 && !listmode)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
log_info ("certificate's policy list: %s\n", policies);
|
|
|
|
|
|
|
|
|
|
/* The check is very minimal but won't give false positives */
|
|
|
|
|
any_critical = !!strstr (policies, ":C");
|
|
|
|
|
|
|
|
|
|
if (!opt.policy_file)
|
2011-02-04 12:57:53 +01:00
|
|
|
|
{
|
2003-08-05 19:11:04 +02:00
|
|
|
|
xfree (policies);
|
|
|
|
|
if (any_critical)
|
|
|
|
|
{
|
2004-02-17 16:05:04 +01:00
|
|
|
|
do_list (1, listmode, fplist,
|
|
|
|
|
_("critical marked policy without configured policies"));
|
2003-08-05 19:11:04 +02:00
|
|
|
|
return gpg_error (GPG_ERR_NO_POLICY_MATCH);
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2020-10-20 11:52:16 +02:00
|
|
|
|
fp = es_fopen (opt.policy_file, "r");
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!fp)
|
|
|
|
|
{
|
2005-04-21 09:16:41 +02:00
|
|
|
|
if (opt.verbose || errno != ENOENT)
|
2012-06-05 19:29:22 +02:00
|
|
|
|
log_info (_("failed to open '%s': %s\n"),
|
2005-04-21 09:16:41 +02:00
|
|
|
|
opt.policy_file, strerror (errno));
|
2003-08-05 19:11:04 +02:00
|
|
|
|
xfree (policies);
|
2004-01-30 10:47:28 +01:00
|
|
|
|
/* With no critical policies this is only a warning */
|
|
|
|
|
if (!any_critical)
|
|
|
|
|
{
|
2008-02-19 11:33:35 +01:00
|
|
|
|
if (!opt.quiet)
|
|
|
|
|
do_list (0, listmode, fplist,
|
2014-10-10 15:29:42 +02:00
|
|
|
|
_("Note: non-critical certificate policy not allowed"));
|
2004-01-30 10:47:28 +01:00
|
|
|
|
return 0;
|
|
|
|
|
}
|
2004-02-17 16:05:04 +01:00
|
|
|
|
do_list (1, listmode, fplist,
|
|
|
|
|
_("certificate policy not allowed"));
|
2003-08-05 19:11:04 +02:00
|
|
|
|
return gpg_error (GPG_ERR_NO_POLICY_MATCH);
|
|
|
|
|
}
|
|
|
|
|
|
2011-02-04 12:57:53 +01:00
|
|
|
|
for (;;)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
|
|
|
|
int c;
|
|
|
|
|
char *p, line[256];
|
|
|
|
|
char *haystack, *allowed;
|
|
|
|
|
|
|
|
|
|
/* read line */
|
|
|
|
|
do
|
|
|
|
|
{
|
2020-10-20 11:52:16 +02:00
|
|
|
|
if (!es_fgets (line, DIM(line)-1, fp) )
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2020-10-20 11:52:16 +02:00
|
|
|
|
gpg_error_t tmperr = gpg_error_from_syserror ();
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
xfree (policies);
|
2020-10-20 11:52:16 +02:00
|
|
|
|
if (es_feof (fp))
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2020-10-20 11:52:16 +02:00
|
|
|
|
es_fclose (fp);
|
2004-01-30 10:47:28 +01:00
|
|
|
|
/* With no critical policies this is only a warning */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!any_critical)
|
|
|
|
|
{
|
2004-02-17 16:05:04 +01:00
|
|
|
|
do_list (0, listmode, fplist,
|
2014-10-10 15:29:42 +02:00
|
|
|
|
_("Note: non-critical certificate policy not allowed"));
|
2003-08-05 19:11:04 +02:00
|
|
|
|
return 0;
|
|
|
|
|
}
|
2004-02-17 16:05:04 +01:00
|
|
|
|
do_list (1, listmode, fplist,
|
|
|
|
|
_("certificate policy not allowed"));
|
2003-08-05 19:11:04 +02:00
|
|
|
|
return gpg_error (GPG_ERR_NO_POLICY_MATCH);
|
|
|
|
|
}
|
2020-10-20 11:52:16 +02:00
|
|
|
|
es_fclose (fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
return tmperr;
|
|
|
|
|
}
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!*line || line[strlen(line)-1] != '\n')
|
|
|
|
|
{
|
|
|
|
|
/* eat until end of line */
|
2020-10-20 11:52:16 +02:00
|
|
|
|
while ((c = es_getc (fp)) != EOF && c != '\n')
|
2003-08-05 19:11:04 +02:00
|
|
|
|
;
|
2020-10-20 11:52:16 +02:00
|
|
|
|
es_fclose (fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
xfree (policies);
|
|
|
|
|
return gpg_error (*line? GPG_ERR_LINE_TOO_LONG
|
|
|
|
|
: GPG_ERR_INCOMPLETE_LINE);
|
|
|
|
|
}
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
/* Allow for empty lines and spaces */
|
|
|
|
|
for (p=line; spacep (p); p++)
|
|
|
|
|
;
|
|
|
|
|
}
|
|
|
|
|
while (!*p || *p == '\n' || *p == '#');
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2016-01-06 17:51:58 +01:00
|
|
|
|
/* Parse line. Note that the line has always a LF and spacep
|
|
|
|
|
does not consider a LF a space. Thus strpbrk will always
|
|
|
|
|
succeed. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
for (allowed=line; spacep (allowed); allowed++)
|
|
|
|
|
;
|
|
|
|
|
p = strpbrk (allowed, " :\n");
|
|
|
|
|
if (!*p || p == allowed)
|
|
|
|
|
{
|
2020-10-20 11:52:16 +02:00
|
|
|
|
es_fclose (fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
xfree (policies);
|
|
|
|
|
return gpg_error (GPG_ERR_CONFIGURATION);
|
|
|
|
|
}
|
|
|
|
|
*p = 0; /* strip the rest of the line */
|
|
|
|
|
/* See whether we find ALLOWED (which is an OID) in POLICIES */
|
|
|
|
|
for (haystack=policies; (p=strstr (haystack, allowed)); haystack = p+1)
|
|
|
|
|
{
|
|
|
|
|
if ( !(p == policies || p[-1] == '\n') )
|
2004-01-30 10:47:28 +01:00
|
|
|
|
continue; /* Does not match the begin of a line. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (p[strlen (allowed)] != ':')
|
2004-01-30 10:47:28 +01:00
|
|
|
|
continue; /* The length does not match. */
|
|
|
|
|
/* Yep - it does match so return okay. */
|
2020-10-20 11:52:16 +02:00
|
|
|
|
es_fclose (fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
xfree (policies);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2006-03-21 10:56:47 +01:00
|
|
|
|
/* Helper function for find_up. This resets the key handle and search
|
2005-04-18 12:44:46 +02:00
|
|
|
|
for an issuer ISSUER with a subjectKeyIdentifier of KEYID. Returns
|
2008-02-13 17:47:14 +01:00
|
|
|
|
0 on success or -1 when not found. */
|
2005-04-18 12:44:46 +02:00
|
|
|
|
static int
|
2016-11-10 17:01:19 +01:00
|
|
|
|
find_up_search_by_keyid (ctrl_t ctrl, KEYDB_HANDLE kh,
|
2005-04-18 12:44:46 +02:00
|
|
|
|
const char *issuer, ksba_sexp_t keyid)
|
|
|
|
|
{
|
|
|
|
|
int rc;
|
|
|
|
|
ksba_cert_t cert = NULL;
|
|
|
|
|
ksba_sexp_t subj = NULL;
|
2019-12-06 20:12:22 +01:00
|
|
|
|
ksba_isotime_t not_before, not_after, last_not_before, ne_last_not_before;
|
|
|
|
|
ksba_cert_t found_cert = NULL;
|
|
|
|
|
ksba_cert_t ne_found_cert = NULL;
|
2005-04-18 12:44:46 +02:00
|
|
|
|
|
|
|
|
|
keydb_search_reset (kh);
|
2016-11-10 17:01:19 +01:00
|
|
|
|
while (!(rc = keydb_search_subject (ctrl, kh, issuer)))
|
2005-04-18 12:44:46 +02:00
|
|
|
|
{
|
|
|
|
|
ksba_cert_release (cert); cert = NULL;
|
|
|
|
|
rc = keydb_get_cert (kh, &cert);
|
|
|
|
|
if (rc)
|
|
|
|
|
{
|
|
|
|
|
log_error ("keydb_get_cert() failed: rc=%d\n", rc);
|
|
|
|
|
rc = -1;
|
2019-12-06 20:12:22 +01:00
|
|
|
|
goto leave;
|
2005-04-18 12:44:46 +02:00
|
|
|
|
}
|
|
|
|
|
xfree (subj);
|
|
|
|
|
if (!ksba_cert_get_subj_key_id (cert, NULL, &subj))
|
|
|
|
|
{
|
|
|
|
|
if (!cmp_simple_canon_sexp (keyid, subj))
|
2014-06-02 16:02:30 +02:00
|
|
|
|
{
|
|
|
|
|
/* Found matching cert. */
|
|
|
|
|
rc = ksba_cert_get_validity (cert, 0, not_before);
|
2019-12-06 20:12:22 +01:00
|
|
|
|
if (!rc)
|
|
|
|
|
rc = ksba_cert_get_validity (cert, 1, not_after);
|
2014-06-02 16:02:30 +02:00
|
|
|
|
if (rc)
|
|
|
|
|
{
|
|
|
|
|
log_error ("keydb_get_validity() failed: rc=%d\n", rc);
|
|
|
|
|
rc = -1;
|
2019-12-06 20:12:22 +01:00
|
|
|
|
goto leave;
|
2014-06-02 16:02:30 +02:00
|
|
|
|
}
|
|
|
|
|
|
2019-12-06 20:12:22 +01:00
|
|
|
|
if (!found_cert
|
|
|
|
|
|| strcmp (last_not_before, not_before) < 0)
|
2014-06-02 16:02:30 +02:00
|
|
|
|
{
|
|
|
|
|
/* This certificate is the first one found or newer
|
2019-12-06 20:12:22 +01:00
|
|
|
|
* than the previous one. This copes with
|
|
|
|
|
* re-issuing CA certificates while keeping the same
|
|
|
|
|
* key information. */
|
2014-06-02 16:02:30 +02:00
|
|
|
|
gnupg_copy_time (last_not_before, not_before);
|
2019-12-06 20:12:22 +01:00
|
|
|
|
ksba_cert_release (found_cert);
|
|
|
|
|
ksba_cert_ref ((found_cert = cert));
|
2014-06-02 16:02:30 +02:00
|
|
|
|
keydb_push_found_state (kh);
|
|
|
|
|
}
|
2019-12-06 20:12:22 +01:00
|
|
|
|
|
|
|
|
|
if (*not_after && strcmp (ctrl->current_time, not_after) > 0 )
|
|
|
|
|
; /* CERT has expired - don't consider it. */
|
|
|
|
|
else if (!ne_found_cert
|
|
|
|
|
|| strcmp (ne_last_not_before, not_before) < 0)
|
|
|
|
|
{
|
|
|
|
|
/* This certificate is the first non-expired one
|
|
|
|
|
* found or newer than the previous non-expired one. */
|
|
|
|
|
gnupg_copy_time (ne_last_not_before, not_before);
|
|
|
|
|
ksba_cert_release (ne_found_cert);
|
|
|
|
|
ksba_cert_ref ((ne_found_cert = cert));
|
|
|
|
|
}
|
2014-06-02 16:02:30 +02:00
|
|
|
|
}
|
2005-04-18 12:44:46 +02:00
|
|
|
|
}
|
|
|
|
|
}
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2019-12-06 20:12:22 +01:00
|
|
|
|
if (!found_cert)
|
|
|
|
|
goto leave;
|
|
|
|
|
|
|
|
|
|
/* Take the last saved one. Note that push/pop_found_state are
|
|
|
|
|
* misnomers because there is no stack of states. Renaming them to
|
|
|
|
|
* save/restore_found_state would be better. */
|
|
|
|
|
keydb_pop_found_state (kh);
|
|
|
|
|
rc = 0; /* Ignore EOF or other error after the first cert. */
|
|
|
|
|
|
|
|
|
|
/* We need to consider some corner cases. It is possible that we
|
|
|
|
|
* have a long term certificate (e.g. valid from 2008 to 2033) as
|
|
|
|
|
* well as a re-issued (i.e. using the same key material) short term
|
|
|
|
|
* certificate (say from 2016 to 2019). Using the short term
|
|
|
|
|
* certificate is the proper solution. But we need to take care if
|
|
|
|
|
* there is no re-issued new short term certificate (e.g. from 2020
|
|
|
|
|
* to 2023) available. In that case it is better to use the long
|
|
|
|
|
* term certificate which is still valid. The code may run into
|
|
|
|
|
* minor problems in the case of the chain validation mode. Given
|
|
|
|
|
* that this corner case is due to non-diligent PKI management we
|
|
|
|
|
* ignore this problem. */
|
|
|
|
|
|
|
|
|
|
/* The most common case is that the found certificate is not expired
|
|
|
|
|
* and thus identical to the one found from the list of non-expired
|
|
|
|
|
* certs. We can stop here. */
|
|
|
|
|
if (found_cert == ne_found_cert)
|
|
|
|
|
goto leave;
|
|
|
|
|
/* If we do not have a non expired certificate the actual cert is
|
|
|
|
|
* expired and we can also stop here. */
|
|
|
|
|
if (!ne_found_cert)
|
|
|
|
|
goto leave;
|
|
|
|
|
/* Now we need to see whether the found certificate is expired and
|
|
|
|
|
* only in this case we return the certificate found in the list of
|
|
|
|
|
* non-expired certs. */
|
|
|
|
|
rc = ksba_cert_get_validity (found_cert, 1, not_after);
|
|
|
|
|
if (rc)
|
2014-06-02 16:02:30 +02:00
|
|
|
|
{
|
2019-12-06 20:12:22 +01:00
|
|
|
|
log_error ("keydb_get_validity() failed: rc=%d\n", rc);
|
|
|
|
|
rc = -1;
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
|
|
|
|
if (*not_after && strcmp (ctrl->current_time, not_after) > 0 )
|
|
|
|
|
{ /* CERT has expired. Use the NE_FOUND_CERT. Because we have no
|
|
|
|
|
* found state for this we need to search for it again. */
|
|
|
|
|
unsigned char fpr[20];
|
|
|
|
|
|
|
|
|
|
gpgsm_get_fingerprint (ne_found_cert, GCRY_MD_SHA1, fpr, NULL);
|
|
|
|
|
keydb_search_reset (kh);
|
|
|
|
|
rc = keydb_search_fpr (ctrl, kh, fpr);
|
|
|
|
|
if (rc)
|
|
|
|
|
{
|
|
|
|
|
log_error ("keydb_search_fpr() failed: rc=%d\n", rc);
|
|
|
|
|
rc = -1;
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
|
|
|
|
/* Ready. The NE_FOUND_CERT is availabale via keydb_get_cert. */
|
2014-06-02 16:02:30 +02:00
|
|
|
|
}
|
|
|
|
|
|
2019-12-06 20:12:22 +01:00
|
|
|
|
leave:
|
|
|
|
|
ksba_cert_release (found_cert);
|
|
|
|
|
ksba_cert_release (ne_found_cert);
|
2005-04-18 12:44:46 +02:00
|
|
|
|
ksba_cert_release (cert);
|
|
|
|
|
xfree (subj);
|
|
|
|
|
return rc? -1:0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2016-11-10 17:01:19 +01:00
|
|
|
|
struct find_up_store_certs_s
|
|
|
|
|
{
|
|
|
|
|
ctrl_t ctrl;
|
|
|
|
|
int count;
|
2020-04-16 18:01:37 +02:00
|
|
|
|
unsigned int want_fpr:1;
|
|
|
|
|
unsigned int got_fpr:1;
|
|
|
|
|
unsigned char fpr[20];
|
2016-11-10 17:01:19 +01:00
|
|
|
|
};
|
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
static void
|
2003-12-17 13:28:24 +01:00
|
|
|
|
find_up_store_certs_cb (void *cb_value, ksba_cert_t cert)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2016-11-10 17:01:19 +01:00
|
|
|
|
struct find_up_store_certs_s *parm = cb_value;
|
|
|
|
|
|
|
|
|
|
if (keydb_store_cert (parm->ctrl, cert, 1, NULL))
|
2003-08-05 19:11:04 +02:00
|
|
|
|
log_error ("error storing issuer certificate as ephemeral\n");
|
2020-04-16 18:01:37 +02:00
|
|
|
|
else if (parm->want_fpr && !parm->got_fpr)
|
|
|
|
|
{
|
|
|
|
|
if (!gpgsm_get_fingerprint (cert, 0, parm->fpr, NULL))
|
|
|
|
|
log_error (_("failed to get the fingerprint\n"));
|
|
|
|
|
else
|
|
|
|
|
parm->got_fpr = 1;
|
|
|
|
|
}
|
2016-11-10 17:01:19 +01:00
|
|
|
|
parm->count++;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2005-03-17 20:10:37 +01:00
|
|
|
|
/* Helper for find_up(). Locate the certificate for ISSUER using an
|
|
|
|
|
external lookup. KH is the keydb context we are currently using.
|
|
|
|
|
On success 0 is returned and the certificate may be retrieved from
|
2005-04-18 12:44:46 +02:00
|
|
|
|
the keydb using keydb_get_cert(). KEYID is the keyIdentifier from
|
2008-02-13 17:47:14 +01:00
|
|
|
|
the AKI or NULL. */
|
2005-03-17 20:10:37 +01:00
|
|
|
|
static int
|
2008-02-13 17:47:14 +01:00
|
|
|
|
find_up_external (ctrl_t ctrl, KEYDB_HANDLE kh,
|
|
|
|
|
const char *issuer, ksba_sexp_t keyid)
|
2005-03-17 20:10:37 +01:00
|
|
|
|
{
|
|
|
|
|
int rc;
|
|
|
|
|
strlist_t names = NULL;
|
2016-11-10 17:01:19 +01:00
|
|
|
|
struct find_up_store_certs_s find_up_store_certs_parm;
|
2005-03-17 20:10:37 +01:00
|
|
|
|
char *pattern;
|
|
|
|
|
const char *s;
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2016-11-10 17:01:19 +01:00
|
|
|
|
find_up_store_certs_parm.ctrl = ctrl;
|
2020-04-16 18:01:37 +02:00
|
|
|
|
find_up_store_certs_parm.want_fpr = 0;
|
|
|
|
|
find_up_store_certs_parm.got_fpr = 0;
|
2016-11-10 17:01:19 +01:00
|
|
|
|
find_up_store_certs_parm.count = 0;
|
|
|
|
|
|
2005-03-17 20:10:37 +01:00
|
|
|
|
if (opt.verbose)
|
|
|
|
|
log_info (_("looking up issuer at external location\n"));
|
2008-02-13 17:47:14 +01:00
|
|
|
|
/* The Dirmngr process is confused about unknown attributes. As a
|
2005-03-17 20:10:37 +01:00
|
|
|
|
quick and ugly hack we locate the CN and use the issuer string
|
|
|
|
|
starting at this attribite. Fixme: we should have far better
|
2008-02-13 17:47:14 +01:00
|
|
|
|
parsing for external lookups in the Dirmngr. */
|
2005-03-17 20:10:37 +01:00
|
|
|
|
s = strstr (issuer, "CN=");
|
|
|
|
|
if (!s || s == issuer || s[-1] != ',')
|
|
|
|
|
s = issuer;
|
|
|
|
|
pattern = xtrymalloc (strlen (s)+2);
|
|
|
|
|
if (!pattern)
|
2006-09-14 18:50:33 +02:00
|
|
|
|
return gpg_error_from_syserror ();
|
2005-03-17 20:10:37 +01:00
|
|
|
|
strcpy (stpcpy (pattern, "/"), s);
|
|
|
|
|
add_to_strlist (&names, pattern);
|
|
|
|
|
xfree (pattern);
|
|
|
|
|
|
2020-04-16 18:01:37 +02:00
|
|
|
|
rc = gpgsm_dirmngr_lookup (ctrl, names, NULL, 0, find_up_store_certs_cb,
|
2016-11-10 17:01:19 +01:00
|
|
|
|
&find_up_store_certs_parm);
|
2005-03-17 20:10:37 +01:00
|
|
|
|
free_strlist (names);
|
|
|
|
|
|
|
|
|
|
if (opt.verbose)
|
2016-11-10 17:01:19 +01:00
|
|
|
|
log_info (_("number of issuers matching: %d\n"),
|
|
|
|
|
find_up_store_certs_parm.count);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
if (rc)
|
2005-03-17 20:10:37 +01:00
|
|
|
|
{
|
|
|
|
|
log_error ("external key lookup failed: %s\n", gpg_strerror (rc));
|
|
|
|
|
rc = -1;
|
|
|
|
|
}
|
2016-11-10 17:01:19 +01:00
|
|
|
|
else if (!find_up_store_certs_parm.count)
|
2005-03-17 20:10:37 +01:00
|
|
|
|
rc = -1;
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
int old;
|
|
|
|
|
/* The issuers are currently stored in the ephemeral key DB, so
|
|
|
|
|
we temporary switch to ephemeral mode. */
|
|
|
|
|
old = keydb_set_ephemeral (kh, 1);
|
2005-04-18 12:44:46 +02:00
|
|
|
|
if (keyid)
|
2016-11-10 17:01:19 +01:00
|
|
|
|
rc = find_up_search_by_keyid (ctrl, kh, issuer, keyid);
|
2005-04-18 12:44:46 +02:00
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
keydb_search_reset (kh);
|
2016-11-10 17:01:19 +01:00
|
|
|
|
rc = keydb_search_subject (ctrl, kh, issuer);
|
2005-04-18 12:44:46 +02:00
|
|
|
|
}
|
2005-03-17 20:10:37 +01:00
|
|
|
|
keydb_set_ephemeral (kh, old);
|
|
|
|
|
}
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2020-04-16 18:01:37 +02:00
|
|
|
|
/* Helper for find_up(). Locate the certificate for CERT using the
|
|
|
|
|
* caIssuer from the authorityInfoAccess. KH is the keydb context we
|
|
|
|
|
* are currently using. On success 0 is returned and the certificate
|
|
|
|
|
* may be retrieved from the keydb using keydb_get_cert(). If no
|
|
|
|
|
* suitable authorityInfoAccess is encoded in the certificate
|
|
|
|
|
* GPG_ERR_NOT_FOUND is returned. */
|
|
|
|
|
static gpg_error_t
|
|
|
|
|
find_up_via_auth_info_access (ctrl_t ctrl, KEYDB_HANDLE kh, ksba_cert_t cert)
|
|
|
|
|
{
|
|
|
|
|
gpg_error_t err;
|
|
|
|
|
struct find_up_store_certs_s find_up_store_certs_parm;
|
|
|
|
|
char *url, *ldapurl;
|
|
|
|
|
int idx, i;
|
|
|
|
|
char *oid;
|
|
|
|
|
ksba_name_t name;
|
|
|
|
|
|
|
|
|
|
find_up_store_certs_parm.ctrl = ctrl;
|
|
|
|
|
find_up_store_certs_parm.want_fpr = 1;
|
|
|
|
|
find_up_store_certs_parm.got_fpr = 0;
|
|
|
|
|
find_up_store_certs_parm.count = 0;
|
|
|
|
|
|
|
|
|
|
/* Find suitable URLs; if there is a http scheme we prefer that. */
|
|
|
|
|
url = ldapurl = NULL;
|
|
|
|
|
for (idx=0;
|
|
|
|
|
!url && !(err = ksba_cert_get_authority_info_access (cert, idx,
|
|
|
|
|
&oid, &name));
|
|
|
|
|
idx++)
|
|
|
|
|
{
|
|
|
|
|
if (!strcmp (oid, oidstr_caIssuers))
|
|
|
|
|
{
|
|
|
|
|
for (i=0; !url && ksba_name_enum (name, i); i++)
|
|
|
|
|
{
|
|
|
|
|
char *p = ksba_name_get_uri (name, i);
|
|
|
|
|
if (p)
|
|
|
|
|
{
|
|
|
|
|
if (!strncmp (p, "http:", 5) || !strncmp (p, "https:", 6))
|
|
|
|
|
url = p;
|
|
|
|
|
else if (ldapurl)
|
|
|
|
|
xfree (p); /* We already got one. */
|
|
|
|
|
else if (!strncmp (p, "ldap:",5) || !strncmp (p, "ldaps:",6))
|
|
|
|
|
ldapurl = p;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
xfree (p);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
ksba_name_release (name);
|
|
|
|
|
ksba_free (oid);
|
|
|
|
|
}
|
|
|
|
|
if (err && gpg_err_code (err) != GPG_ERR_EOF)
|
|
|
|
|
{
|
|
|
|
|
log_error (_("can't get authorityInfoAccess: %s\n"), gpg_strerror (err));
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
if (!url && ldapurl)
|
|
|
|
|
{
|
|
|
|
|
/* No HTTP scheme; fallback to LDAP if available. */
|
|
|
|
|
url = ldapurl;
|
|
|
|
|
ldapurl = NULL;
|
|
|
|
|
}
|
|
|
|
|
xfree (ldapurl);
|
|
|
|
|
if (!url)
|
|
|
|
|
return gpg_error (GPG_ERR_NOT_FOUND);
|
|
|
|
|
|
|
|
|
|
if (opt.verbose)
|
|
|
|
|
log_info ("looking up issuer via authorityInfoAccess.caIssuers\n");
|
|
|
|
|
|
|
|
|
|
err = gpgsm_dirmngr_lookup (ctrl, NULL, url, 0, find_up_store_certs_cb,
|
|
|
|
|
&find_up_store_certs_parm);
|
|
|
|
|
|
|
|
|
|
/* Although we might receive several certificates we use only the
|
|
|
|
|
* first one. Or more exacty the first one for which we retrieved
|
|
|
|
|
* the fingerprint. */
|
|
|
|
|
if (opt.verbose)
|
|
|
|
|
log_info ("number of caIssuers found: %d\n",
|
|
|
|
|
find_up_store_certs_parm.count);
|
|
|
|
|
if (err)
|
|
|
|
|
{
|
|
|
|
|
log_error ("external URL lookup failed: %s\n", gpg_strerror (err));
|
|
|
|
|
err = gpg_error (GPG_ERR_NOT_FOUND);
|
|
|
|
|
}
|
|
|
|
|
else if (!find_up_store_certs_parm.got_fpr)
|
|
|
|
|
err = gpg_error (GPG_ERR_NOT_FOUND);
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
int old;
|
|
|
|
|
/* The retrieved certificates are currently stored in the
|
|
|
|
|
* ephemeral key DB, so we temporary switch to ephemeral
|
|
|
|
|
* mode. */
|
|
|
|
|
old = keydb_set_ephemeral (kh, 1);
|
|
|
|
|
keydb_search_reset (kh);
|
|
|
|
|
err = keydb_search_fpr (ctrl, kh, find_up_store_certs_parm.fpr);
|
|
|
|
|
keydb_set_ephemeral (kh, old);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2008-02-13 17:47:14 +01:00
|
|
|
|
/* Helper for find_up(). Ask the dirmngr for the certificate for
|
|
|
|
|
ISSUER with optional SERIALNO. KH is the keydb context we are
|
|
|
|
|
currently using. With SUBJECT_MODE set, ISSUER is searched as the
|
|
|
|
|
subject. On success 0 is returned and the certificate is available
|
|
|
|
|
in the ephemeral DB. */
|
|
|
|
|
static int
|
|
|
|
|
find_up_dirmngr (ctrl_t ctrl, KEYDB_HANDLE kh,
|
|
|
|
|
ksba_sexp_t serialno, const char *issuer, int subject_mode)
|
|
|
|
|
{
|
|
|
|
|
int rc;
|
|
|
|
|
strlist_t names = NULL;
|
2016-11-10 17:01:19 +01:00
|
|
|
|
struct find_up_store_certs_s find_up_store_certs_parm;
|
2008-02-13 17:47:14 +01:00
|
|
|
|
char *pattern;
|
2008-10-20 15:53:23 +02:00
|
|
|
|
|
|
|
|
|
(void)kh;
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2016-11-10 17:01:19 +01:00
|
|
|
|
find_up_store_certs_parm.ctrl = ctrl;
|
|
|
|
|
find_up_store_certs_parm.count = 0;
|
|
|
|
|
|
2008-02-13 17:47:14 +01:00
|
|
|
|
if (opt.verbose)
|
|
|
|
|
log_info (_("looking up issuer from the Dirmngr cache\n"));
|
|
|
|
|
if (subject_mode)
|
|
|
|
|
{
|
|
|
|
|
pattern = xtrymalloc (strlen (issuer)+2);
|
|
|
|
|
if (pattern)
|
|
|
|
|
strcpy (stpcpy (pattern, "/"), issuer);
|
|
|
|
|
}
|
|
|
|
|
else if (serialno)
|
|
|
|
|
pattern = gpgsm_format_sn_issuer (serialno, issuer);
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
pattern = xtrymalloc (strlen (issuer)+3);
|
|
|
|
|
if (pattern)
|
|
|
|
|
strcpy (stpcpy (pattern, "#/"), issuer);
|
|
|
|
|
}
|
|
|
|
|
if (!pattern)
|
|
|
|
|
return gpg_error_from_syserror ();
|
|
|
|
|
add_to_strlist (&names, pattern);
|
|
|
|
|
xfree (pattern);
|
|
|
|
|
|
2020-04-16 18:01:37 +02:00
|
|
|
|
rc = gpgsm_dirmngr_lookup (ctrl, names, NULL, 1, find_up_store_certs_cb,
|
2016-11-10 17:01:19 +01:00
|
|
|
|
&find_up_store_certs_parm);
|
2008-02-13 17:47:14 +01:00
|
|
|
|
free_strlist (names);
|
|
|
|
|
|
|
|
|
|
if (opt.verbose)
|
2016-11-10 17:01:19 +01:00
|
|
|
|
log_info (_("number of matching certificates: %d\n"),
|
|
|
|
|
find_up_store_certs_parm.count);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
if (rc && !opt.quiet)
|
2008-02-13 17:47:14 +01:00
|
|
|
|
log_info (_("dirmngr cache-only key lookup failed: %s\n"),
|
|
|
|
|
gpg_strerror (rc));
|
2016-11-10 17:01:19 +01:00
|
|
|
|
return (!rc && find_up_store_certs_parm.count)? 0 : -1;
|
2008-02-13 17:47:14 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2005-03-17 20:10:37 +01:00
|
|
|
|
/* Locate issuing certificate for CERT. ISSUER is the name of the
|
|
|
|
|
issuer used as a fallback if the other methods don't work. If
|
|
|
|
|
FIND_NEXT is true, the function shall return the next possible
|
|
|
|
|
issuer. The certificate itself is not directly returned but a
|
2019-12-06 20:12:22 +01:00
|
|
|
|
keydb_get_cert on the keydb context KH will return it. Returns 0
|
2005-03-17 20:10:37 +01:00
|
|
|
|
on success, -1 if not found or an error code. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
static int
|
2011-02-04 12:57:53 +01:00
|
|
|
|
find_up (ctrl_t ctrl, KEYDB_HANDLE kh,
|
2008-02-13 17:47:14 +01:00
|
|
|
|
ksba_cert_t cert, const char *issuer, int find_next)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2003-12-17 13:28:24 +01:00
|
|
|
|
ksba_name_t authid;
|
|
|
|
|
ksba_sexp_t authidno;
|
2005-04-18 12:44:46 +02:00
|
|
|
|
ksba_sexp_t keyid;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
int rc = -1;
|
|
|
|
|
|
2014-06-02 16:02:30 +02:00
|
|
|
|
if (DBG_X509)
|
|
|
|
|
log_debug ("looking for parent certificate\n");
|
2005-04-18 12:44:46 +02:00
|
|
|
|
if (!ksba_cert_get_auth_key_id (cert, &keyid, &authid, &authidno))
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
|
|
|
|
const char *s = ksba_name_enum (authid, 0);
|
|
|
|
|
if (s && *authidno)
|
|
|
|
|
{
|
2016-11-10 17:01:19 +01:00
|
|
|
|
rc = keydb_search_issuer_sn (ctrl, kh, s, authidno);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (rc)
|
2008-04-01 17:08:57 +02:00
|
|
|
|
keydb_search_reset (kh);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2014-06-02 16:02:30 +02:00
|
|
|
|
if (!rc && DBG_X509)
|
|
|
|
|
log_debug (" found via authid and sn+issuer\n");
|
|
|
|
|
|
2008-04-01 17:08:57 +02:00
|
|
|
|
/* In case of an error, try to get the certificate from the
|
2008-02-13 17:47:14 +01:00
|
|
|
|
dirmngr. That is done by trying to put that certifcate
|
|
|
|
|
into the ephemeral DB and let the code below do the
|
|
|
|
|
actual retrieve. Thus there is no error checking.
|
|
|
|
|
Skipped in find_next mode as usual. */
|
|
|
|
|
if (rc == -1 && !find_next)
|
|
|
|
|
find_up_dirmngr (ctrl, kh, authidno, s, 0);
|
|
|
|
|
|
2004-02-17 16:05:04 +01:00
|
|
|
|
/* In case of an error try the ephemeral DB. We can't do
|
2005-03-17 20:10:37 +01:00
|
|
|
|
that in find_next mode because we can't keep the search
|
2004-02-17 16:05:04 +01:00
|
|
|
|
state then. */
|
|
|
|
|
if (rc == -1 && !find_next)
|
2011-02-04 12:57:53 +01:00
|
|
|
|
{
|
2003-08-05 19:11:04 +02:00
|
|
|
|
int old = keydb_set_ephemeral (kh, 1);
|
|
|
|
|
if (!old)
|
|
|
|
|
{
|
2016-11-10 17:01:19 +01:00
|
|
|
|
rc = keydb_search_issuer_sn (ctrl, kh, s, authidno);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (rc)
|
|
|
|
|
keydb_search_reset (kh);
|
2014-06-02 16:02:30 +02:00
|
|
|
|
|
|
|
|
|
if (!rc && DBG_X509)
|
|
|
|
|
log_debug (" found via authid and sn+issuer (ephem)\n");
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
keydb_set_ephemeral (kh, old);
|
|
|
|
|
}
|
2011-02-04 12:57:53 +01:00
|
|
|
|
if (rc)
|
2008-02-13 17:47:14 +01:00
|
|
|
|
rc = -1; /* Need to make sure to have this error code. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
2005-03-17 20:10:37 +01:00
|
|
|
|
|
2005-04-18 12:44:46 +02:00
|
|
|
|
if (rc == -1 && keyid && !find_next)
|
|
|
|
|
{
|
2019-12-06 20:12:22 +01:00
|
|
|
|
/* Not found by AKI.issuer_sn. Lets try the AKI.ki
|
2005-04-18 12:44:46 +02:00
|
|
|
|
instead. Loop over all certificates with that issuer as
|
|
|
|
|
subject and stop for the one with a matching
|
|
|
|
|
subjectKeyIdentifier. */
|
2008-02-13 17:47:14 +01:00
|
|
|
|
/* Fixme: Should we also search in the dirmngr? */
|
2016-11-10 17:01:19 +01:00
|
|
|
|
rc = find_up_search_by_keyid (ctrl, kh, issuer, keyid);
|
2014-06-02 16:02:30 +02:00
|
|
|
|
if (!rc && DBG_X509)
|
|
|
|
|
log_debug (" found via authid and keyid\n");
|
2005-04-18 12:44:46 +02:00
|
|
|
|
if (rc)
|
|
|
|
|
{
|
|
|
|
|
int old = keydb_set_ephemeral (kh, 1);
|
|
|
|
|
if (!old)
|
2016-11-10 17:01:19 +01:00
|
|
|
|
rc = find_up_search_by_keyid (ctrl, kh, issuer, keyid);
|
2014-06-02 16:02:30 +02:00
|
|
|
|
if (!rc && DBG_X509)
|
|
|
|
|
log_debug (" found via authid and keyid (ephem)\n");
|
2005-04-18 12:44:46 +02:00
|
|
|
|
keydb_set_ephemeral (kh, old);
|
|
|
|
|
}
|
2011-02-04 12:57:53 +01:00
|
|
|
|
if (rc)
|
2005-04-18 12:44:46 +02:00
|
|
|
|
rc = -1; /* Need to make sure to have this error code. */
|
|
|
|
|
}
|
|
|
|
|
|
2008-02-13 17:47:14 +01:00
|
|
|
|
/* If we still didn't found it, try to find it via the subject
|
|
|
|
|
from the dirmngr-cache. */
|
|
|
|
|
if (rc == -1 && !find_next)
|
|
|
|
|
{
|
|
|
|
|
if (!find_up_dirmngr (ctrl, kh, NULL, issuer, 1))
|
|
|
|
|
{
|
|
|
|
|
int old = keydb_set_ephemeral (kh, 1);
|
|
|
|
|
if (keyid)
|
2016-11-10 17:01:19 +01:00
|
|
|
|
rc = find_up_search_by_keyid (ctrl, kh, issuer, keyid);
|
2008-02-13 17:47:14 +01:00
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
keydb_search_reset (kh);
|
2016-11-10 17:01:19 +01:00
|
|
|
|
rc = keydb_search_subject (ctrl, kh, issuer);
|
2008-02-13 17:47:14 +01:00
|
|
|
|
}
|
|
|
|
|
keydb_set_ephemeral (kh, old);
|
|
|
|
|
}
|
2011-02-04 12:57:53 +01:00
|
|
|
|
if (rc)
|
2008-02-13 17:47:14 +01:00
|
|
|
|
rc = -1; /* Need to make sure to have this error code. */
|
2014-06-02 16:02:30 +02:00
|
|
|
|
|
|
|
|
|
if (!rc && DBG_X509)
|
|
|
|
|
log_debug (" found via authid and issuer from dirmngr cache\n");
|
2008-02-13 17:47:14 +01:00
|
|
|
|
}
|
|
|
|
|
|
2005-04-18 12:44:46 +02:00
|
|
|
|
/* If we still didn't found it, try an external lookup. */
|
2020-04-16 19:05:49 +02:00
|
|
|
|
if (rc == -1 && !find_next && !ctrl->offline)
|
2014-06-02 16:02:30 +02:00
|
|
|
|
{
|
2020-04-16 19:05:49 +02:00
|
|
|
|
/* We allow AIA also if CRLs are enabled; both can be used
|
|
|
|
|
* as a web bug so it does not make sense to not use AIA if
|
|
|
|
|
* CRL checks are enabled. */
|
|
|
|
|
if ((opt.auto_issuer_key_retrieve || !opt.no_crl_check)
|
|
|
|
|
&& !find_up_via_auth_info_access (ctrl, kh, cert))
|
2020-04-16 18:01:37 +02:00
|
|
|
|
{
|
|
|
|
|
if (DBG_X509)
|
|
|
|
|
log_debug (" found via authorityInfoAccess.caIssuers\n");
|
|
|
|
|
rc = 0;
|
|
|
|
|
}
|
2020-04-16 19:05:49 +02:00
|
|
|
|
else if (opt.auto_issuer_key_retrieve)
|
2020-04-16 18:01:37 +02:00
|
|
|
|
{
|
|
|
|
|
rc = find_up_external (ctrl, kh, issuer, keyid);
|
|
|
|
|
if (!rc && DBG_X509)
|
|
|
|
|
log_debug (" found via authid and external lookup\n");
|
|
|
|
|
}
|
2014-06-02 16:02:30 +02:00
|
|
|
|
}
|
|
|
|
|
|
2005-04-18 12:44:46 +02:00
|
|
|
|
|
2004-02-17 16:05:04 +01:00
|
|
|
|
/* Print a note so that the user does not feel too helpless when
|
2003-08-05 19:11:04 +02:00
|
|
|
|
an issuer certificate was found and gpgsm prints BAD
|
2004-02-17 16:05:04 +01:00
|
|
|
|
signature because it is not the correct one. */
|
2008-02-19 11:33:35 +01:00
|
|
|
|
if (rc == -1 && opt.quiet)
|
|
|
|
|
;
|
|
|
|
|
else if (rc == -1)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2005-04-18 12:44:46 +02:00
|
|
|
|
log_info ("%sissuer certificate ", find_next?"next ":"");
|
|
|
|
|
if (keyid)
|
|
|
|
|
{
|
|
|
|
|
log_printf ("{");
|
|
|
|
|
gpgsm_dump_serial (keyid);
|
|
|
|
|
log_printf ("} ");
|
|
|
|
|
}
|
|
|
|
|
if (authidno)
|
|
|
|
|
{
|
|
|
|
|
log_printf ("(#");
|
|
|
|
|
gpgsm_dump_serial (authidno);
|
|
|
|
|
log_printf ("/");
|
|
|
|
|
gpgsm_dump_string (s);
|
|
|
|
|
log_printf (") ");
|
|
|
|
|
}
|
|
|
|
|
log_printf ("not found using authorityKeyIdentifier\n");
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
else if (rc)
|
|
|
|
|
log_error ("failed to find authorityKeyIdentifier: rc=%d\n", rc);
|
2005-04-18 12:44:46 +02:00
|
|
|
|
xfree (keyid);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
ksba_name_release (authid);
|
|
|
|
|
xfree (authidno);
|
|
|
|
|
}
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2005-03-17 20:10:37 +01:00
|
|
|
|
if (rc) /* Not found via authorithyKeyIdentifier, try regular issuer name. */
|
2016-11-10 17:01:19 +01:00
|
|
|
|
rc = keydb_search_subject (ctrl, kh, issuer);
|
2004-02-17 16:05:04 +01:00
|
|
|
|
if (rc == -1 && !find_next)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2008-04-23 19:23:04 +02:00
|
|
|
|
int old;
|
|
|
|
|
|
2008-02-13 17:47:14 +01:00
|
|
|
|
/* Also try to get it from the Dirmngr cache. The function
|
|
|
|
|
merely puts it into the ephemeral database. */
|
|
|
|
|
find_up_dirmngr (ctrl, kh, NULL, issuer, 0);
|
|
|
|
|
|
2007-03-20 17:57:40 +01:00
|
|
|
|
/* Not found, let us see whether we have one in the ephemeral key DB. */
|
2008-04-23 19:23:04 +02:00
|
|
|
|
old = keydb_set_ephemeral (kh, 1);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!old)
|
|
|
|
|
{
|
|
|
|
|
keydb_search_reset (kh);
|
2016-11-10 17:01:19 +01:00
|
|
|
|
rc = keydb_search_subject (ctrl, kh, issuer);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
keydb_set_ephemeral (kh, old);
|
2014-06-02 16:02:30 +02:00
|
|
|
|
|
|
|
|
|
if (!rc && DBG_X509)
|
|
|
|
|
log_debug (" found via issuer\n");
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
2005-03-17 20:10:37 +01:00
|
|
|
|
/* Still not found. If enabled, try an external lookup. */
|
2020-04-16 19:05:49 +02:00
|
|
|
|
if (rc == -1 && !find_next && !ctrl->offline)
|
2014-06-02 16:02:30 +02:00
|
|
|
|
{
|
2020-04-16 19:05:49 +02:00
|
|
|
|
if ((opt.auto_issuer_key_retrieve || !opt.no_crl_check)
|
|
|
|
|
&& !find_up_via_auth_info_access (ctrl, kh, cert))
|
2020-04-16 18:01:37 +02:00
|
|
|
|
{
|
|
|
|
|
if (DBG_X509)
|
|
|
|
|
log_debug (" found via authorityInfoAccess.caIssuers\n");
|
|
|
|
|
rc = 0;
|
|
|
|
|
}
|
2020-04-16 19:05:49 +02:00
|
|
|
|
else if (opt.auto_issuer_key_retrieve)
|
2020-04-16 18:01:37 +02:00
|
|
|
|
{
|
|
|
|
|
rc = find_up_external (ctrl, kh, issuer, NULL);
|
|
|
|
|
if (!rc && DBG_X509)
|
|
|
|
|
log_debug (" found via issuer and external lookup\n");
|
|
|
|
|
}
|
2014-06-02 16:02:30 +02:00
|
|
|
|
}
|
2005-03-17 20:10:37 +01:00
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Return the next certificate up in the chain starting at START.
|
|
|
|
|
Returns -1 when there are no more certificates. */
|
|
|
|
|
int
|
2008-02-13 17:47:14 +01:00
|
|
|
|
gpgsm_walk_cert_chain (ctrl_t ctrl, ksba_cert_t start, ksba_cert_t *r_next)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2011-02-04 12:57:53 +01:00
|
|
|
|
int rc = 0;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
char *issuer = NULL;
|
|
|
|
|
char *subject = NULL;
|
2016-11-10 15:38:14 +01:00
|
|
|
|
KEYDB_HANDLE kh = keydb_new ();
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
*r_next = NULL;
|
|
|
|
|
if (!kh)
|
|
|
|
|
{
|
2012-08-22 18:54:38 +02:00
|
|
|
|
log_error (_("failed to allocate keyDB handle\n"));
|
2003-08-05 19:11:04 +02:00
|
|
|
|
rc = gpg_error (GPG_ERR_GENERAL);
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
issuer = ksba_cert_get_issuer (start, 0);
|
|
|
|
|
subject = ksba_cert_get_subject (start, 0);
|
|
|
|
|
if (!issuer)
|
|
|
|
|
{
|
|
|
|
|
log_error ("no issuer found in certificate\n");
|
|
|
|
|
rc = gpg_error (GPG_ERR_BAD_CERT);
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
|
|
|
|
if (!subject)
|
|
|
|
|
{
|
|
|
|
|
log_error ("no subject found in certificate\n");
|
|
|
|
|
rc = gpg_error (GPG_ERR_BAD_CERT);
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
|
|
|
|
|
2008-02-19 11:33:35 +01:00
|
|
|
|
if (is_root_cert (start, issuer, subject))
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
|
|
|
|
rc = -1; /* we are at the root */
|
2011-02-04 12:57:53 +01:00
|
|
|
|
goto leave;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
2008-02-13 17:47:14 +01:00
|
|
|
|
rc = find_up (ctrl, kh, start, issuer, 0);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (rc)
|
|
|
|
|
{
|
2007-03-20 17:57:40 +01:00
|
|
|
|
/* It is quite common not to have a certificate, so better don't
|
|
|
|
|
print an error here. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (rc != -1 && opt.verbose > 1)
|
|
|
|
|
log_error ("failed to find issuer's certificate: rc=%d\n", rc);
|
2010-10-01 22:33:53 +02:00
|
|
|
|
rc = gpg_error (GPG_ERR_MISSING_ISSUER_CERT);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
goto leave;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rc = keydb_get_cert (kh, r_next);
|
|
|
|
|
if (rc)
|
|
|
|
|
{
|
2005-04-18 12:44:46 +02:00
|
|
|
|
log_error ("keydb_get_cert() failed: rc=%d\n", rc);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
rc = gpg_error (GPG_ERR_GENERAL);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
leave:
|
|
|
|
|
xfree (issuer);
|
|
|
|
|
xfree (subject);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
keydb_release (kh);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2008-02-19 11:33:35 +01:00
|
|
|
|
/* Helper for gpgsm_is_root_cert. This one is used if the subject and
|
|
|
|
|
issuer DNs are already known. */
|
|
|
|
|
static int
|
|
|
|
|
is_root_cert (ksba_cert_t cert, const char *issuerdn, const char *subjectdn)
|
|
|
|
|
{
|
|
|
|
|
gpg_error_t err;
|
|
|
|
|
int result = 0;
|
|
|
|
|
ksba_sexp_t serialno;
|
|
|
|
|
ksba_sexp_t ak_keyid;
|
|
|
|
|
ksba_name_t ak_name;
|
|
|
|
|
ksba_sexp_t ak_sn;
|
|
|
|
|
const char *ak_name_str;
|
|
|
|
|
ksba_sexp_t subj_keyid = NULL;
|
|
|
|
|
|
|
|
|
|
if (!issuerdn || !subjectdn)
|
|
|
|
|
return 0; /* No. */
|
|
|
|
|
|
|
|
|
|
if (strcmp (issuerdn, subjectdn))
|
|
|
|
|
return 0; /* No. */
|
|
|
|
|
|
|
|
|
|
err = ksba_cert_get_auth_key_id (cert, &ak_keyid, &ak_name, &ak_sn);
|
|
|
|
|
if (err)
|
|
|
|
|
{
|
|
|
|
|
if (gpg_err_code (err) == GPG_ERR_NO_DATA)
|
|
|
|
|
return 1; /* Yes. Without a authorityKeyIdentifier this needs
|
|
|
|
|
to be the Root certifcate (our trust anchor). */
|
|
|
|
|
log_error ("error getting authorityKeyIdentifier: %s\n",
|
|
|
|
|
gpg_strerror (err));
|
|
|
|
|
return 0; /* Well, it is broken anyway. Return No. */
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
serialno = ksba_cert_get_serial (cert);
|
|
|
|
|
if (!serialno)
|
|
|
|
|
{
|
|
|
|
|
log_error ("error getting serialno: %s\n", gpg_strerror (err));
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Check whether the auth name's matches the issuer name+sn. If
|
|
|
|
|
that is the case this is a root certificate. */
|
|
|
|
|
ak_name_str = ksba_name_enum (ak_name, 0);
|
|
|
|
|
if (ak_name_str
|
2011-02-04 12:57:53 +01:00
|
|
|
|
&& !strcmp (ak_name_str, issuerdn)
|
2008-02-19 11:33:35 +01:00
|
|
|
|
&& !cmp_simple_canon_sexp (ak_sn, serialno))
|
|
|
|
|
{
|
|
|
|
|
result = 1; /* Right, CERT is self-signed. */
|
|
|
|
|
goto leave;
|
2011-02-04 12:57:53 +01:00
|
|
|
|
}
|
|
|
|
|
|
2008-02-19 11:33:35 +01:00
|
|
|
|
/* Similar for the ak_keyid. */
|
|
|
|
|
if (ak_keyid && !ksba_cert_get_subj_key_id (cert, NULL, &subj_keyid)
|
|
|
|
|
&& !cmp_simple_canon_sexp (ak_keyid, subj_keyid))
|
|
|
|
|
{
|
|
|
|
|
result = 1; /* Right, CERT is self-signed. */
|
|
|
|
|
goto leave;
|
2011-02-04 12:57:53 +01:00
|
|
|
|
}
|
2008-02-19 11:33:35 +01:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
leave:
|
|
|
|
|
ksba_free (subj_keyid);
|
|
|
|
|
ksba_free (ak_keyid);
|
|
|
|
|
ksba_name_release (ak_name);
|
|
|
|
|
ksba_free (ak_sn);
|
|
|
|
|
ksba_free (serialno);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
return result;
|
2008-02-19 11:33:35 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
/* Check whether the CERT is a root certificate. Returns True if this
|
|
|
|
|
is the case. */
|
|
|
|
|
int
|
2003-12-17 13:28:24 +01:00
|
|
|
|
gpgsm_is_root_cert (ksba_cert_t cert)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
|
|
|
|
char *issuer;
|
|
|
|
|
char *subject;
|
|
|
|
|
int yes;
|
|
|
|
|
|
|
|
|
|
issuer = ksba_cert_get_issuer (cert, 0);
|
|
|
|
|
subject = ksba_cert_get_subject (cert, 0);
|
2008-02-19 11:33:35 +01:00
|
|
|
|
yes = is_root_cert (cert, issuer, subject);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
xfree (issuer);
|
|
|
|
|
xfree (subject);
|
|
|
|
|
return yes;
|
|
|
|
|
}
|
|
|
|
|
|
2004-03-06 21:11:19 +01:00
|
|
|
|
|
|
|
|
|
/* This is a helper for gpgsm_validate_chain. */
|
2011-02-04 12:57:53 +01:00
|
|
|
|
static gpg_error_t
|
2007-08-10 18:52:05 +02:00
|
|
|
|
is_cert_still_valid (ctrl_t ctrl, int force_ocsp, int lm, estream_t fp,
|
2004-03-06 21:11:19 +01:00
|
|
|
|
ksba_cert_t subject_cert, ksba_cert_t issuer_cert,
|
|
|
|
|
int *any_revoked, int *any_no_crl, int *any_crl_too_old)
|
|
|
|
|
{
|
2007-08-10 18:52:05 +02:00
|
|
|
|
gpg_error_t err;
|
|
|
|
|
|
2015-06-29 11:03:58 +02:00
|
|
|
|
if (ctrl->offline || (opt.no_crl_check && !ctrl->use_ocsp))
|
2009-07-23 17:18:58 +02:00
|
|
|
|
{
|
2011-02-04 12:57:53 +01:00
|
|
|
|
audit_log_ok (ctrl->audit, AUDIT_CRL_CHECK,
|
2009-07-23 17:18:58 +02:00
|
|
|
|
gpg_error (GPG_ERR_NOT_ENABLED));
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2004-03-06 21:11:19 +01:00
|
|
|
|
|
2020-03-27 21:11:25 +01:00
|
|
|
|
|
|
|
|
|
if (!(force_ocsp || ctrl->use_ocsp)
|
|
|
|
|
&& !opt.enable_issuer_based_crl_check)
|
|
|
|
|
{
|
|
|
|
|
err = ksba_cert_get_crl_dist_point (subject_cert, 0, NULL, NULL, NULL);
|
|
|
|
|
if (gpg_err_code (err) == GPG_ERR_EOF)
|
|
|
|
|
{
|
|
|
|
|
/* No DP specified in the certificate. Thus the CA does not
|
|
|
|
|
* consider a CRL useful and the user of the certificate
|
|
|
|
|
* also does not consider this to be a critical thing. In
|
|
|
|
|
* this case we can conclude that the certificate shall not
|
|
|
|
|
* be revocable. Note that we reach this point here only if
|
|
|
|
|
* no OCSP responder shall be used. */
|
|
|
|
|
audit_log_ok (ctrl->audit, AUDIT_CRL_CHECK, gpg_error (GPG_ERR_TRUE));
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2007-08-10 18:52:05 +02:00
|
|
|
|
err = gpgsm_dirmngr_isvalid (ctrl,
|
2011-02-04 12:57:53 +01:00
|
|
|
|
subject_cert, issuer_cert,
|
2007-08-10 18:52:05 +02:00
|
|
|
|
force_ocsp? 2 : !!ctrl->use_ocsp);
|
2009-07-23 17:18:58 +02:00
|
|
|
|
audit_log_ok (ctrl->audit, AUDIT_CRL_CHECK, err);
|
|
|
|
|
|
2007-08-10 18:52:05 +02:00
|
|
|
|
if (err)
|
|
|
|
|
{
|
|
|
|
|
if (!lm)
|
|
|
|
|
gpgsm_cert_log_name (NULL, subject_cert);
|
|
|
|
|
switch (gpg_err_code (err))
|
2004-03-06 21:11:19 +01:00
|
|
|
|
{
|
2007-08-10 18:52:05 +02:00
|
|
|
|
case GPG_ERR_CERT_REVOKED:
|
|
|
|
|
do_list (1, lm, fp, _("certificate has been revoked"));
|
|
|
|
|
*any_revoked = 1;
|
|
|
|
|
/* Store that in the keybox so that key listings are able to
|
|
|
|
|
return the revoked flag. We don't care about error,
|
|
|
|
|
though. */
|
2016-11-10 17:01:19 +01:00
|
|
|
|
keydb_set_cert_flags (ctrl, subject_cert, 1, KEYBOX_FLAG_VALIDITY, 0,
|
2007-08-10 18:52:05 +02:00
|
|
|
|
~0, VALIDITY_REVOKED);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case GPG_ERR_NO_CRL_KNOWN:
|
|
|
|
|
do_list (1, lm, fp, _("no CRL found for certificate"));
|
|
|
|
|
*any_no_crl = 1;
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case GPG_ERR_NO_DATA:
|
|
|
|
|
do_list (1, lm, fp, _("the status of the certificate is unknown"));
|
|
|
|
|
*any_no_crl = 1;
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case GPG_ERR_CRL_TOO_OLD:
|
|
|
|
|
do_list (1, lm, fp, _("the available CRL is too old"));
|
2006-06-27 16:32:34 +02:00
|
|
|
|
if (!lm)
|
2007-08-10 18:52:05 +02:00
|
|
|
|
log_info (_("please make sure that the "
|
|
|
|
|
"\"dirmngr\" is properly installed\n"));
|
|
|
|
|
*any_crl_too_old = 1;
|
|
|
|
|
break;
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2007-08-10 18:52:05 +02:00
|
|
|
|
default:
|
|
|
|
|
do_list (1, lm, fp, _("checking the CRL failed: %s"),
|
|
|
|
|
gpg_strerror (err));
|
|
|
|
|
return err;
|
2004-03-06 21:11:19 +01:00
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2007-08-10 18:52:05 +02:00
|
|
|
|
/* Helper for gpgsm_validate_chain to check the validity period of
|
|
|
|
|
SUBJECT_CERT. The caller needs to pass EXPTIME which will be
|
|
|
|
|
updated to the nearest expiration time seen. A DEPTH of 0 indicates
|
2019-12-06 20:12:22 +01:00
|
|
|
|
the target certificate, -1 the final root certificate and other
|
2011-02-04 12:57:53 +01:00
|
|
|
|
values intermediate certificates. */
|
2007-08-10 18:52:05 +02:00
|
|
|
|
static gpg_error_t
|
|
|
|
|
check_validity_period (ksba_isotime_t current_time,
|
|
|
|
|
ksba_cert_t subject_cert,
|
|
|
|
|
ksba_isotime_t exptime,
|
|
|
|
|
int listmode, estream_t listfp, int depth)
|
|
|
|
|
{
|
|
|
|
|
gpg_error_t err;
|
|
|
|
|
ksba_isotime_t not_before, not_after;
|
|
|
|
|
|
|
|
|
|
err = ksba_cert_get_validity (subject_cert, 0, not_before);
|
|
|
|
|
if (!err)
|
|
|
|
|
err = ksba_cert_get_validity (subject_cert, 1, not_after);
|
|
|
|
|
if (err)
|
|
|
|
|
{
|
|
|
|
|
do_list (1, listmode, listfp,
|
|
|
|
|
_("certificate with invalid validity: %s"), gpg_strerror (err));
|
|
|
|
|
return gpg_error (GPG_ERR_BAD_CERT);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (*not_after)
|
|
|
|
|
{
|
|
|
|
|
if (!*exptime)
|
|
|
|
|
gnupg_copy_time (exptime, not_after);
|
|
|
|
|
else if (strcmp (not_after, exptime) < 0 )
|
|
|
|
|
gnupg_copy_time (exptime, not_after);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (*not_before && strcmp (current_time, not_before) < 0 )
|
|
|
|
|
{
|
2011-02-04 12:57:53 +01:00
|
|
|
|
do_list (1, listmode, listfp,
|
2007-08-10 18:52:05 +02:00
|
|
|
|
depth == 0 ? _("certificate not yet valid") :
|
|
|
|
|
depth == -1 ? _("root certificate not yet valid") :
|
|
|
|
|
/* other */ _("intermediate certificate not yet valid"));
|
|
|
|
|
if (!listmode)
|
|
|
|
|
{
|
|
|
|
|
log_info (" (valid from ");
|
2009-03-16 10:44:44 +01:00
|
|
|
|
dump_isotime (not_before);
|
2007-08-10 18:52:05 +02:00
|
|
|
|
log_printf (")\n");
|
|
|
|
|
}
|
|
|
|
|
return gpg_error (GPG_ERR_CERT_TOO_YOUNG);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
}
|
|
|
|
|
|
2007-08-10 18:52:05 +02:00
|
|
|
|
if (*not_after && strcmp (current_time, not_after) > 0 )
|
|
|
|
|
{
|
|
|
|
|
do_list (opt.ignore_expiration?0:1, listmode, listfp,
|
|
|
|
|
depth == 0 ? _("certificate has expired") :
|
|
|
|
|
depth == -1 ? _("root certificate has expired") :
|
|
|
|
|
/* other */ _("intermediate certificate has expired"));
|
|
|
|
|
if (!listmode)
|
|
|
|
|
{
|
|
|
|
|
log_info (" (expired at ");
|
2009-03-16 10:44:44 +01:00
|
|
|
|
dump_isotime (not_after);
|
2007-08-10 18:52:05 +02:00
|
|
|
|
log_printf (")\n");
|
|
|
|
|
}
|
|
|
|
|
if (opt.ignore_expiration)
|
|
|
|
|
log_info ("WARNING: ignoring expiration\n");
|
|
|
|
|
else
|
|
|
|
|
return gpg_error (GPG_ERR_CERT_EXPIRED);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
}
|
|
|
|
|
|
2007-08-10 18:52:05 +02:00
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* This is a variant of check_validity_period used with the chain
|
|
|
|
|
model. The dextra contraint here is that notBefore and notAfter
|
|
|
|
|
must exists and if the additional argument CHECK_TIME is given this
|
|
|
|
|
time is used to check the validity period of SUBJECT_CERT. */
|
|
|
|
|
static gpg_error_t
|
|
|
|
|
check_validity_period_cm (ksba_isotime_t current_time,
|
|
|
|
|
ksba_isotime_t check_time,
|
|
|
|
|
ksba_cert_t subject_cert,
|
|
|
|
|
ksba_isotime_t exptime,
|
|
|
|
|
int listmode, estream_t listfp, int depth)
|
|
|
|
|
{
|
|
|
|
|
gpg_error_t err;
|
|
|
|
|
ksba_isotime_t not_before, not_after;
|
|
|
|
|
|
|
|
|
|
err = ksba_cert_get_validity (subject_cert, 0, not_before);
|
|
|
|
|
if (!err)
|
|
|
|
|
err = ksba_cert_get_validity (subject_cert, 1, not_after);
|
|
|
|
|
if (err)
|
|
|
|
|
{
|
|
|
|
|
do_list (1, listmode, listfp,
|
|
|
|
|
_("certificate with invalid validity: %s"), gpg_strerror (err));
|
|
|
|
|
return gpg_error (GPG_ERR_BAD_CERT);
|
|
|
|
|
}
|
|
|
|
|
if (!*not_before || !*not_after)
|
|
|
|
|
{
|
|
|
|
|
do_list (1, listmode, listfp,
|
|
|
|
|
_("required certificate attributes missing: %s%s%s"),
|
|
|
|
|
!*not_before? "notBefore":"",
|
|
|
|
|
(!*not_before && !*not_after)? ", ":"",
|
|
|
|
|
!*not_before? "notAfter":"");
|
|
|
|
|
return gpg_error (GPG_ERR_BAD_CERT);
|
|
|
|
|
}
|
|
|
|
|
if (strcmp (not_before, not_after) > 0 )
|
|
|
|
|
{
|
|
|
|
|
do_list (1, listmode, listfp,
|
|
|
|
|
_("certificate with invalid validity"));
|
|
|
|
|
log_info (" (valid from ");
|
2009-03-16 10:44:44 +01:00
|
|
|
|
dump_isotime (not_before);
|
2007-08-10 18:52:05 +02:00
|
|
|
|
log_printf (" expired at ");
|
2009-03-16 10:44:44 +01:00
|
|
|
|
dump_isotime (not_after);
|
2007-08-10 18:52:05 +02:00
|
|
|
|
log_printf (")\n");
|
|
|
|
|
return gpg_error (GPG_ERR_BAD_CERT);
|
|
|
|
|
}
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2007-08-10 18:52:05 +02:00
|
|
|
|
if (!*exptime)
|
|
|
|
|
gnupg_copy_time (exptime, not_after);
|
|
|
|
|
else if (strcmp (not_after, exptime) < 0 )
|
|
|
|
|
gnupg_copy_time (exptime, not_after);
|
|
|
|
|
|
|
|
|
|
if (strcmp (current_time, not_before) < 0 )
|
|
|
|
|
{
|
2011-02-04 12:57:53 +01:00
|
|
|
|
do_list (1, listmode, listfp,
|
2007-08-10 18:52:05 +02:00
|
|
|
|
depth == 0 ? _("certificate not yet valid") :
|
|
|
|
|
depth == -1 ? _("root certificate not yet valid") :
|
|
|
|
|
/* other */ _("intermediate certificate not yet valid"));
|
|
|
|
|
if (!listmode)
|
|
|
|
|
{
|
|
|
|
|
log_info (" (valid from ");
|
2009-03-16 10:44:44 +01:00
|
|
|
|
dump_isotime (not_before);
|
2007-08-10 18:52:05 +02:00
|
|
|
|
log_printf (")\n");
|
|
|
|
|
}
|
|
|
|
|
return gpg_error (GPG_ERR_CERT_TOO_YOUNG);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
}
|
2007-08-10 18:52:05 +02:00
|
|
|
|
|
|
|
|
|
if (*check_time
|
2011-02-04 12:57:53 +01:00
|
|
|
|
&& (strcmp (check_time, not_before) < 0
|
2007-08-10 18:52:05 +02:00
|
|
|
|
|| strcmp (check_time, not_after) > 0))
|
|
|
|
|
{
|
|
|
|
|
/* Note that we don't need a case for the root certificate
|
|
|
|
|
because its own consitency has already been checked. */
|
|
|
|
|
do_list(opt.ignore_expiration?0:1, listmode, listfp,
|
2011-02-04 12:57:53 +01:00
|
|
|
|
depth == 0 ?
|
2007-08-10 18:52:05 +02:00
|
|
|
|
_("signature not created during lifetime of certificate") :
|
|
|
|
|
depth == 1 ?
|
|
|
|
|
_("certificate not created during lifetime of issuer") :
|
|
|
|
|
_("intermediate certificate not created during lifetime "
|
|
|
|
|
"of issuer"));
|
|
|
|
|
if (!listmode)
|
|
|
|
|
{
|
|
|
|
|
log_info (depth== 0? _(" ( signature created at ") :
|
|
|
|
|
/* */ _(" (certificate created at ") );
|
2009-03-16 10:44:44 +01:00
|
|
|
|
dump_isotime (check_time);
|
2007-08-10 18:52:05 +02:00
|
|
|
|
log_printf (")\n");
|
|
|
|
|
log_info (depth==0? _(" (certificate valid from ") :
|
|
|
|
|
/* */ _(" ( issuer valid from ") );
|
2009-03-16 10:44:44 +01:00
|
|
|
|
dump_isotime (not_before);
|
2007-08-10 18:52:05 +02:00
|
|
|
|
log_info (" to ");
|
2009-03-16 10:44:44 +01:00
|
|
|
|
dump_isotime (not_after);
|
2007-08-10 18:52:05 +02:00
|
|
|
|
log_printf (")\n");
|
|
|
|
|
}
|
|
|
|
|
if (opt.ignore_expiration)
|
|
|
|
|
log_info ("WARNING: ignoring expiration\n");
|
|
|
|
|
else
|
|
|
|
|
return gpg_error (GPG_ERR_CERT_EXPIRED);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Ask the user whether he wants to mark the certificate CERT trusted.
|
|
|
|
|
Returns true if the CERT is the trusted. We also check whether the
|
|
|
|
|
agent is at all enabled to allow marktrusted and don't call it in
|
|
|
|
|
this session again if it is not. */
|
|
|
|
|
static int
|
|
|
|
|
ask_marktrusted (ctrl_t ctrl, ksba_cert_t cert, int listmode)
|
|
|
|
|
{
|
2011-02-04 12:57:53 +01:00
|
|
|
|
static int no_more_questions;
|
2007-08-10 18:52:05 +02:00
|
|
|
|
int rc;
|
|
|
|
|
char *fpr;
|
|
|
|
|
int success = 0;
|
|
|
|
|
|
|
|
|
|
fpr = gpgsm_get_fingerprint_string (cert, GCRY_MD_SHA1);
|
|
|
|
|
log_info (_("fingerprint=%s\n"), fpr? fpr : "?");
|
|
|
|
|
xfree (fpr);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2007-08-10 18:52:05 +02:00
|
|
|
|
if (no_more_questions)
|
|
|
|
|
rc = gpg_error (GPG_ERR_NOT_SUPPORTED);
|
|
|
|
|
else
|
|
|
|
|
rc = gpgsm_agent_marktrusted (ctrl, cert);
|
|
|
|
|
if (!rc)
|
|
|
|
|
{
|
|
|
|
|
log_info (_("root certificate has now been marked as trusted\n"));
|
|
|
|
|
success = 1;
|
|
|
|
|
}
|
|
|
|
|
else if (!listmode)
|
|
|
|
|
{
|
|
|
|
|
gpgsm_dump_cert ("issuer", cert);
|
|
|
|
|
log_info ("after checking the fingerprint, you may want "
|
|
|
|
|
"to add it manually to the list of trusted certificates.\n");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (gpg_err_code (rc) == GPG_ERR_NOT_SUPPORTED)
|
|
|
|
|
{
|
|
|
|
|
if (!no_more_questions)
|
|
|
|
|
log_info (_("interactive marking as trusted "
|
|
|
|
|
"not enabled in gpg-agent\n"));
|
|
|
|
|
no_more_questions = 1;
|
|
|
|
|
}
|
|
|
|
|
else if (gpg_err_code (rc) == GPG_ERR_CANCELED)
|
|
|
|
|
{
|
|
|
|
|
log_info (_("interactive marking as trusted "
|
|
|
|
|
"disabled for this session\n"));
|
|
|
|
|
no_more_questions = 1;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
set_already_asked_marktrusted (cert);
|
|
|
|
|
|
|
|
|
|
return success;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
/* Validate a chain and optionally return the nearest expiration time
|
2004-02-17 16:05:04 +01:00
|
|
|
|
in R_EXPTIME. With LISTMODE set to 1 a special listmode is
|
|
|
|
|
activated where only information about the certificate is printed
|
2007-08-10 18:52:05 +02:00
|
|
|
|
to LISTFP and no output is send to the usual log stream. If
|
|
|
|
|
CHECKTIME_ARG is set, it is used only in the chain model instead of the
|
|
|
|
|
current time.
|
|
|
|
|
|
|
|
|
|
Defined flag bits
|
2004-04-05 19:25:21 +02:00
|
|
|
|
|
2007-08-10 18:52:05 +02:00
|
|
|
|
VALIDATE_FLAG_NO_DIRMNGR - Do not do any dirmngr isvalid checks.
|
|
|
|
|
VALIDATE_FLAG_CHAIN_MODEL - Check according to chain model.
|
2011-12-07 16:15:15 +01:00
|
|
|
|
VALIDATE_FLAG_STEED - Check according to the STEED model.
|
2004-04-05 19:25:21 +02:00
|
|
|
|
*/
|
2007-08-10 18:52:05 +02:00
|
|
|
|
static int
|
|
|
|
|
do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
|
|
|
|
|
ksba_isotime_t r_exptime,
|
|
|
|
|
int listmode, estream_t listfp, unsigned int flags,
|
|
|
|
|
struct rootca_flags_s *rootca_flags)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2007-08-10 18:52:05 +02:00
|
|
|
|
int rc = 0, depth, maxdepth;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
char *issuer = NULL;
|
|
|
|
|
char *subject = NULL;
|
2004-10-08 13:10:47 +02:00
|
|
|
|
KEYDB_HANDLE kh = NULL;
|
2003-12-17 13:28:24 +01:00
|
|
|
|
ksba_cert_t subject_cert = NULL, issuer_cert = NULL;
|
2003-10-31 13:12:47 +01:00
|
|
|
|
ksba_isotime_t current_time;
|
2007-08-10 18:52:05 +02:00
|
|
|
|
ksba_isotime_t check_time;
|
2003-10-31 13:12:47 +01:00
|
|
|
|
ksba_isotime_t exptime;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
int any_expired = 0;
|
|
|
|
|
int any_revoked = 0;
|
|
|
|
|
int any_no_crl = 0;
|
|
|
|
|
int any_crl_too_old = 0;
|
|
|
|
|
int any_no_policy_match = 0;
|
2005-11-13 20:07:06 +01:00
|
|
|
|
int is_qualified = -1; /* Indicates whether the certificate stems
|
|
|
|
|
from a qualified root certificate.
|
|
|
|
|
-1 = unknown, 0 = no, 1 = yes. */
|
2007-03-20 17:57:40 +01:00
|
|
|
|
chain_item_t chain = NULL; /* A list of all certificates in the chain. */
|
|
|
|
|
|
2003-10-31 13:12:47 +01:00
|
|
|
|
|
|
|
|
|
gnupg_get_isotime (current_time);
|
2019-12-06 20:12:22 +01:00
|
|
|
|
gnupg_copy_time (ctrl->current_time, current_time);
|
2007-08-10 18:52:05 +02:00
|
|
|
|
|
|
|
|
|
if ( (flags & VALIDATE_FLAG_CHAIN_MODEL) )
|
|
|
|
|
{
|
|
|
|
|
if (!strcmp (checktime_arg, "19700101T000000"))
|
|
|
|
|
{
|
2011-02-04 12:57:53 +01:00
|
|
|
|
do_list (1, listmode, listfp,
|
2007-08-10 18:52:05 +02:00
|
|
|
|
_("WARNING: creation time of signature not known - "
|
|
|
|
|
"assuming current time"));
|
|
|
|
|
gnupg_copy_time (check_time, current_time);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
gnupg_copy_time (check_time, checktime_arg);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
*check_time = 0;
|
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (r_exptime)
|
|
|
|
|
*r_exptime = 0;
|
2003-10-31 13:12:47 +01:00
|
|
|
|
*exptime = 0;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2004-02-17 16:05:04 +01:00
|
|
|
|
if (opt.no_chain_validation && !listmode)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
|
|
|
|
log_info ("WARNING: bypassing certificate chain validation\n");
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2004-10-08 13:10:47 +02:00
|
|
|
|
|
2016-11-10 15:38:14 +01:00
|
|
|
|
kh = keydb_new ();
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!kh)
|
|
|
|
|
{
|
2012-08-22 18:54:38 +02:00
|
|
|
|
log_error (_("failed to allocate keyDB handle\n"));
|
2003-08-05 19:11:04 +02:00
|
|
|
|
rc = gpg_error (GPG_ERR_GENERAL);
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
|
|
|
|
|
2004-02-17 16:05:04 +01:00
|
|
|
|
if (DBG_X509 && !listmode)
|
2004-12-03 18:44:57 +01:00
|
|
|
|
gpgsm_dump_cert ("target", cert);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
subject_cert = cert;
|
2006-09-26 12:00:12 +02:00
|
|
|
|
ksba_cert_ref (subject_cert);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
maxdepth = 50;
|
2007-08-10 18:52:05 +02:00
|
|
|
|
depth = 0;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
for (;;)
|
|
|
|
|
{
|
2006-09-26 12:00:12 +02:00
|
|
|
|
int is_root;
|
2006-10-02 13:54:35 +02:00
|
|
|
|
gpg_error_t istrusted_rc = -1;
|
2006-09-26 12:00:12 +02:00
|
|
|
|
|
2007-03-20 17:57:40 +01:00
|
|
|
|
/* Put the certificate on our list. */
|
|
|
|
|
{
|
|
|
|
|
chain_item_t ci;
|
|
|
|
|
|
|
|
|
|
ci = xtrycalloc (1, sizeof *ci);
|
|
|
|
|
if (!ci)
|
|
|
|
|
{
|
|
|
|
|
rc = gpg_error_from_syserror ();
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
|
|
|
|
ksba_cert_ref (subject_cert);
|
|
|
|
|
ci->cert = subject_cert;
|
|
|
|
|
ci->next = chain;
|
|
|
|
|
chain = ci;
|
|
|
|
|
}
|
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
xfree (issuer);
|
|
|
|
|
xfree (subject);
|
|
|
|
|
issuer = ksba_cert_get_issuer (subject_cert, 0);
|
|
|
|
|
subject = ksba_cert_get_subject (subject_cert, 0);
|
|
|
|
|
|
|
|
|
|
if (!issuer)
|
|
|
|
|
{
|
2007-08-10 18:52:05 +02:00
|
|
|
|
do_list (1, listmode, listfp, _("no issuer found in certificate"));
|
2003-08-05 19:11:04 +02:00
|
|
|
|
rc = gpg_error (GPG_ERR_BAD_CERT);
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
|
|
|
|
|
2007-03-20 17:57:40 +01:00
|
|
|
|
|
2008-02-19 11:33:35 +01:00
|
|
|
|
/* Is this a self-issued certificate (i.e. the root certificate)? */
|
|
|
|
|
is_root = is_root_cert (subject_cert, issuer, subject);
|
2006-09-26 12:00:12 +02:00
|
|
|
|
if (is_root)
|
|
|
|
|
{
|
2007-03-20 17:57:40 +01:00
|
|
|
|
chain->is_root = 1;
|
2006-09-26 12:00:12 +02:00
|
|
|
|
/* Check early whether the certificate is listed as trusted.
|
|
|
|
|
We used to do this only later but changed it to call the
|
|
|
|
|
check right here so that we can access special flags
|
|
|
|
|
associated with that specific root certificate. */
|
2011-12-07 16:15:15 +01:00
|
|
|
|
if (gpgsm_cert_has_well_known_private_key (subject_cert))
|
|
|
|
|
{
|
|
|
|
|
memset (rootca_flags, 0, sizeof *rootca_flags);
|
|
|
|
|
istrusted_rc = ((flags & VALIDATE_FLAG_STEED)
|
|
|
|
|
? 0 : gpg_error (GPG_ERR_NOT_TRUSTED));
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
istrusted_rc = gpgsm_agent_istrusted (ctrl, subject_cert, NULL,
|
|
|
|
|
rootca_flags);
|
2007-12-12 11:28:30 +01:00
|
|
|
|
audit_log_cert (ctrl->audit, AUDIT_ROOT_TRUSTED,
|
|
|
|
|
subject_cert, istrusted_rc);
|
2007-08-10 18:52:05 +02:00
|
|
|
|
/* If the chain model extended attribute is used, make sure
|
|
|
|
|
that our chain model flag is set. */
|
2011-12-07 16:15:15 +01:00
|
|
|
|
if (!(flags & VALIDATE_FLAG_STEED)
|
|
|
|
|
&& has_validation_model_chain (subject_cert, listmode, listfp))
|
2007-08-10 18:52:05 +02:00
|
|
|
|
rootca_flags->chain_model = 1;
|
2006-09-26 12:00:12 +02:00
|
|
|
|
}
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2006-09-26 12:00:12 +02:00
|
|
|
|
|
|
|
|
|
/* Check the validity period. */
|
2007-08-10 18:52:05 +02:00
|
|
|
|
if ( (flags & VALIDATE_FLAG_CHAIN_MODEL) )
|
|
|
|
|
rc = check_validity_period_cm (current_time, check_time, subject_cert,
|
|
|
|
|
exptime, listmode, listfp,
|
|
|
|
|
(depth && is_root)? -1: depth);
|
|
|
|
|
else
|
|
|
|
|
rc = check_validity_period (current_time, subject_cert,
|
|
|
|
|
exptime, listmode, listfp,
|
|
|
|
|
(depth && is_root)? -1: depth);
|
|
|
|
|
if (gpg_err_code (rc) == GPG_ERR_CERT_EXPIRED)
|
2016-01-06 17:51:58 +01:00
|
|
|
|
any_expired = 1;
|
2007-08-10 18:52:05 +02:00
|
|
|
|
else if (rc)
|
|
|
|
|
goto leave;
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2006-09-26 12:00:12 +02:00
|
|
|
|
/* Assert that we understand all critical extensions. */
|
2007-08-10 18:52:05 +02:00
|
|
|
|
rc = unknown_criticals (subject_cert, listmode, listfp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (rc)
|
|
|
|
|
goto leave;
|
|
|
|
|
|
2006-09-26 12:00:12 +02:00
|
|
|
|
/* Do a policy check. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!opt.no_policy_check)
|
|
|
|
|
{
|
2007-08-10 18:52:05 +02:00
|
|
|
|
rc = check_cert_policy (subject_cert, listmode, listfp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (gpg_err_code (rc) == GPG_ERR_NO_POLICY_MATCH)
|
|
|
|
|
{
|
|
|
|
|
any_no_policy_match = 1;
|
2016-01-06 17:51:58 +01:00
|
|
|
|
rc = 1; /* Be on the safe side and set RC. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
else if (rc)
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2007-08-10 18:52:05 +02:00
|
|
|
|
/* If this is the root certificate we are at the end of the chain. */
|
2006-09-26 12:00:12 +02:00
|
|
|
|
if (is_root)
|
2011-02-04 12:57:53 +01:00
|
|
|
|
{
|
2006-09-26 12:00:12 +02:00
|
|
|
|
if (!istrusted_rc)
|
|
|
|
|
; /* No need to check the certificate for a trusted one. */
|
|
|
|
|
else if (gpgsm_check_cert_sig (subject_cert, subject_cert) )
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2006-09-26 12:00:12 +02:00
|
|
|
|
/* We only check the signature if the certificate is not
|
|
|
|
|
trusted for better diagnostics. */
|
2007-08-10 18:52:05 +02:00
|
|
|
|
do_list (1, listmode, listfp,
|
2005-04-21 11:33:07 +02:00
|
|
|
|
_("self-signed certificate has a BAD signature"));
|
2004-12-03 18:44:57 +01:00
|
|
|
|
if (DBG_X509)
|
|
|
|
|
{
|
|
|
|
|
gpgsm_dump_cert ("self-signing cert", subject_cert);
|
|
|
|
|
}
|
2003-08-05 19:11:04 +02:00
|
|
|
|
rc = gpg_error (depth? GPG_ERR_BAD_CERT_CHAIN
|
|
|
|
|
: GPG_ERR_BAD_CERT);
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
2007-08-10 18:52:05 +02:00
|
|
|
|
if (!rootca_flags->relax)
|
2006-09-25 20:29:20 +02:00
|
|
|
|
{
|
2008-02-13 17:47:14 +01:00
|
|
|
|
rc = allowed_ca (ctrl, subject_cert, NULL, listmode, listfp);
|
2006-09-25 20:29:20 +02:00
|
|
|
|
if (rc)
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
|
|
|
|
|
2005-11-13 20:07:06 +01:00
|
|
|
|
/* Set the flag for qualified signatures. This flag is
|
|
|
|
|
deduced from a list of root certificates allowed for
|
|
|
|
|
qualified signatures. */
|
2011-12-07 16:15:15 +01:00
|
|
|
|
if (is_qualified == -1 && !(flags & VALIDATE_FLAG_STEED))
|
2005-11-13 20:07:06 +01:00
|
|
|
|
{
|
|
|
|
|
gpg_error_t err;
|
|
|
|
|
size_t buflen;
|
|
|
|
|
char buf[1];
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
|
|
|
|
if (!ksba_cert_get_user_data (cert, "is_qualified",
|
2005-11-13 20:07:06 +01:00
|
|
|
|
&buf, sizeof (buf),
|
|
|
|
|
&buflen) && buflen)
|
|
|
|
|
{
|
|
|
|
|
/* We already checked this for this certificate,
|
|
|
|
|
thus we simply take it from the user data. */
|
|
|
|
|
is_qualified = !!*buf;
|
2011-02-04 12:57:53 +01:00
|
|
|
|
}
|
2005-11-13 20:07:06 +01:00
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/* Need to consult the list of root certificates for
|
|
|
|
|
qualified signatures. */
|
2006-03-21 10:56:47 +01:00
|
|
|
|
err = gpgsm_is_in_qualified_list (ctrl, subject_cert, NULL);
|
2005-11-13 20:07:06 +01:00
|
|
|
|
if (!err)
|
|
|
|
|
is_qualified = 1;
|
|
|
|
|
else if ( gpg_err_code (err) == GPG_ERR_NOT_FOUND)
|
|
|
|
|
is_qualified = 0;
|
|
|
|
|
else
|
|
|
|
|
log_error ("checking the list of qualified "
|
|
|
|
|
"root certificates failed: %s\n",
|
|
|
|
|
gpg_strerror (err));
|
|
|
|
|
if ( is_qualified != -1 )
|
|
|
|
|
{
|
2006-03-21 10:56:47 +01:00
|
|
|
|
/* Cache the result but don't care too much
|
|
|
|
|
about an error. */
|
2005-11-13 20:07:06 +01:00
|
|
|
|
buf[0] = !!is_qualified;
|
|
|
|
|
err = ksba_cert_set_user_data (subject_cert,
|
|
|
|
|
"is_qualified", buf, 1);
|
|
|
|
|
if (err)
|
|
|
|
|
log_error ("set_user_data(is_qualified) failed: %s\n",
|
2011-02-04 12:57:53 +01:00
|
|
|
|
gpg_strerror (err));
|
2005-11-13 20:07:06 +01:00
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2006-09-25 20:29:20 +02:00
|
|
|
|
/* Act on the check for a trusted root certificates. */
|
|
|
|
|
rc = istrusted_rc;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!rc)
|
|
|
|
|
;
|
|
|
|
|
else if (gpg_err_code (rc) == GPG_ERR_NOT_TRUSTED)
|
|
|
|
|
{
|
2011-02-04 12:57:53 +01:00
|
|
|
|
do_list (0, listmode, listfp,
|
2007-08-10 18:52:05 +02:00
|
|
|
|
_("root certificate is not marked trusted"));
|
2004-09-20 20:47:11 +02:00
|
|
|
|
/* If we already figured out that the certificate is
|
|
|
|
|
expired it does not make much sense to ask the user
|
2019-12-06 20:12:22 +01:00
|
|
|
|
whether they want to trust the root certificate. We
|
2004-09-20 20:47:11 +02:00
|
|
|
|
should do this only if the certificate under question
|
2011-12-07 16:15:15 +01:00
|
|
|
|
will then be usable. If the certificate has a well
|
|
|
|
|
known private key asking the user does not make any
|
|
|
|
|
sense. */
|
2006-10-16 19:33:03 +02:00
|
|
|
|
if ( !any_expired
|
2011-12-07 16:15:15 +01:00
|
|
|
|
&& !gpgsm_cert_has_well_known_private_key (subject_cert)
|
2007-08-10 18:52:05 +02:00
|
|
|
|
&& (!listmode || !already_asked_marktrusted (subject_cert))
|
|
|
|
|
&& ask_marktrusted (ctrl, subject_cert, listmode) )
|
|
|
|
|
rc = 0;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
2011-02-04 12:57:53 +01:00
|
|
|
|
else
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
|
|
|
|
log_error (_("checking the trust list failed: %s\n"),
|
|
|
|
|
gpg_strerror (rc));
|
|
|
|
|
}
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2004-07-20 09:06:36 +02:00
|
|
|
|
if (rc)
|
|
|
|
|
goto leave;
|
|
|
|
|
|
2004-03-06 21:11:19 +01:00
|
|
|
|
/* Check for revocations etc. */
|
2007-08-10 18:52:05 +02:00
|
|
|
|
if ((flags & VALIDATE_FLAG_NO_DIRMNGR))
|
2005-04-21 11:33:07 +02:00
|
|
|
|
;
|
2011-12-07 16:15:15 +01:00
|
|
|
|
else if ((flags & VALIDATE_FLAG_STEED))
|
|
|
|
|
; /* Fixme: check revocations via DNS. */
|
2007-08-10 18:52:05 +02:00
|
|
|
|
else if (opt.no_trusted_cert_crl_check || rootca_flags->relax)
|
2011-02-04 12:57:53 +01:00
|
|
|
|
;
|
2004-04-05 19:25:21 +02:00
|
|
|
|
else
|
2011-02-04 12:57:53 +01:00
|
|
|
|
rc = is_cert_still_valid (ctrl,
|
2007-08-10 18:52:05 +02:00
|
|
|
|
(flags & VALIDATE_FLAG_CHAIN_MODEL),
|
|
|
|
|
listmode, listfp,
|
2004-04-05 19:25:21 +02:00
|
|
|
|
subject_cert, subject_cert,
|
|
|
|
|
&any_revoked, &any_no_crl,
|
|
|
|
|
&any_crl_too_old);
|
2004-03-06 21:11:19 +01:00
|
|
|
|
if (rc)
|
|
|
|
|
goto leave;
|
|
|
|
|
|
|
|
|
|
break; /* Okay: a self-signed certicate is an end-point. */
|
2007-08-10 18:52:05 +02:00
|
|
|
|
} /* End is_root. */
|
|
|
|
|
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2006-09-26 12:00:12 +02:00
|
|
|
|
/* Take care that the chain does not get too long. */
|
2007-08-10 18:52:05 +02:00
|
|
|
|
if ((depth+1) > maxdepth)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2007-08-10 18:52:05 +02:00
|
|
|
|
do_list (1, listmode, listfp, _("certificate chain too long\n"));
|
2003-08-05 19:11:04 +02:00
|
|
|
|
rc = gpg_error (GPG_ERR_BAD_CERT_CHAIN);
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
|
|
|
|
|
2006-09-26 12:00:12 +02:00
|
|
|
|
/* Find the next cert up the tree. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
keydb_search_reset (kh);
|
2008-02-13 17:47:14 +01:00
|
|
|
|
rc = find_up (ctrl, kh, subject_cert, issuer, 0);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (rc)
|
|
|
|
|
{
|
|
|
|
|
if (rc == -1)
|
|
|
|
|
{
|
2007-08-10 18:52:05 +02:00
|
|
|
|
do_list (0, listmode, listfp, _("issuer certificate not found"));
|
|
|
|
|
if (!listmode)
|
2004-02-17 16:05:04 +01:00
|
|
|
|
{
|
|
|
|
|
log_info ("issuer certificate: #/");
|
|
|
|
|
gpgsm_dump_string (issuer);
|
|
|
|
|
log_printf ("\n");
|
|
|
|
|
}
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
log_error ("failed to find issuer's certificate: rc=%d\n", rc);
|
2010-10-01 22:33:53 +02:00
|
|
|
|
rc = gpg_error (GPG_ERR_MISSING_ISSUER_CERT);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
goto leave;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ksba_cert_release (issuer_cert); issuer_cert = NULL;
|
|
|
|
|
rc = keydb_get_cert (kh, &issuer_cert);
|
|
|
|
|
if (rc)
|
|
|
|
|
{
|
2005-04-18 12:44:46 +02:00
|
|
|
|
log_error ("keydb_get_cert() failed: rc=%d\n", rc);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
rc = gpg_error (GPG_ERR_GENERAL);
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
|
|
|
|
|
2004-02-26 23:08:58 +01:00
|
|
|
|
try_another_cert:
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (DBG_X509)
|
|
|
|
|
{
|
|
|
|
|
log_debug ("got issuer's certificate:\n");
|
|
|
|
|
gpgsm_dump_cert ("issuer", issuer_cert);
|
|
|
|
|
}
|
|
|
|
|
|
2004-02-17 16:05:04 +01:00
|
|
|
|
rc = gpgsm_check_cert_sig (issuer_cert, subject_cert);
|
|
|
|
|
if (rc)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2007-08-10 18:52:05 +02:00
|
|
|
|
do_list (0, listmode, listfp, _("certificate has a BAD signature"));
|
2004-12-03 18:44:57 +01:00
|
|
|
|
if (DBG_X509)
|
|
|
|
|
{
|
|
|
|
|
gpgsm_dump_cert ("signing issuer", issuer_cert);
|
|
|
|
|
gpgsm_dump_cert ("signed subject", subject_cert);
|
|
|
|
|
}
|
2004-02-17 16:05:04 +01:00
|
|
|
|
if (gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE)
|
|
|
|
|
{
|
2004-02-26 23:08:58 +01:00
|
|
|
|
/* We now try to find other issuer certificates which
|
2004-12-03 18:44:57 +01:00
|
|
|
|
might have been used. This is required because some
|
2004-02-26 23:08:58 +01:00
|
|
|
|
CAs are reusing the issuer and subject DN for new
|
|
|
|
|
root certificates. */
|
2005-04-18 12:44:46 +02:00
|
|
|
|
/* FIXME: Do this only if we don't have an
|
|
|
|
|
AKI.keyIdentifier */
|
2008-02-13 17:47:14 +01:00
|
|
|
|
rc = find_up (ctrl, kh, subject_cert, issuer, 1);
|
2004-02-17 16:05:04 +01:00
|
|
|
|
if (!rc)
|
|
|
|
|
{
|
2004-02-26 23:08:58 +01:00
|
|
|
|
ksba_cert_t tmp_cert;
|
|
|
|
|
|
|
|
|
|
rc = keydb_get_cert (kh, &tmp_cert);
|
|
|
|
|
if (rc || !compare_certs (issuer_cert, tmp_cert))
|
|
|
|
|
{
|
|
|
|
|
/* The find next did not work or returned an
|
|
|
|
|
identical certificate. We better stop here
|
|
|
|
|
to avoid infinite checks. */
|
2016-01-06 17:51:58 +01:00
|
|
|
|
/* No need to set RC because it is not used:
|
|
|
|
|
rc = gpg_error (GPG_ERR_BAD_SIGNATURE); */
|
2004-02-26 23:08:58 +01:00
|
|
|
|
ksba_cert_release (tmp_cert);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
2007-08-10 18:52:05 +02:00
|
|
|
|
do_list (0, listmode, listfp,
|
|
|
|
|
_("found another possible matching "
|
|
|
|
|
"CA certificate - trying again"));
|
2011-02-04 12:57:53 +01:00
|
|
|
|
ksba_cert_release (issuer_cert);
|
2004-02-26 23:08:58 +01:00
|
|
|
|
issuer_cert = tmp_cert;
|
|
|
|
|
goto try_another_cert;
|
|
|
|
|
}
|
2004-02-17 16:05:04 +01:00
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* We give a more descriptive error code than the one
|
|
|
|
|
returned from the signature checking. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
rc = gpg_error (GPG_ERR_BAD_CERT_CHAIN);
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
|
|
|
|
|
2007-08-10 18:52:05 +02:00
|
|
|
|
is_root = gpgsm_is_root_cert (issuer_cert);
|
2006-09-26 12:00:12 +02:00
|
|
|
|
istrusted_rc = -1;
|
|
|
|
|
|
2007-08-10 18:52:05 +02:00
|
|
|
|
|
2006-09-26 12:00:12 +02:00
|
|
|
|
/* Check that a CA is allowed to issue certificates. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
|
|
|
|
int chainlen;
|
2006-09-26 12:00:12 +02:00
|
|
|
|
|
2008-02-13 17:47:14 +01:00
|
|
|
|
rc = allowed_ca (ctrl, issuer_cert, &chainlen, listmode, listfp);
|
2006-09-26 12:00:12 +02:00
|
|
|
|
if (rc)
|
|
|
|
|
{
|
|
|
|
|
/* Not allowed. Check whether this is a trusted root
|
|
|
|
|
certificate and whether we allow special exceptions.
|
|
|
|
|
We could carry the result of the test over to the
|
|
|
|
|
regular root check at the top of the loop but for
|
|
|
|
|
clarity we won't do that. Given that the majority of
|
|
|
|
|
certificates carry proper BasicContraints our way of
|
|
|
|
|
overriding an error in the way is justified for
|
|
|
|
|
performance reasons. */
|
2007-08-10 18:52:05 +02:00
|
|
|
|
if (is_root)
|
2006-09-26 12:00:12 +02:00
|
|
|
|
{
|
2011-12-07 16:15:15 +01:00
|
|
|
|
if (gpgsm_cert_has_well_known_private_key (issuer_cert))
|
|
|
|
|
{
|
|
|
|
|
memset (rootca_flags, 0, sizeof *rootca_flags);
|
|
|
|
|
istrusted_rc = ((flags & VALIDATE_FLAG_STEED)
|
|
|
|
|
? 0 : gpg_error (GPG_ERR_NOT_TRUSTED));
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
istrusted_rc = gpgsm_agent_istrusted
|
|
|
|
|
(ctrl, issuer_cert, NULL, rootca_flags);
|
|
|
|
|
|
2007-08-10 18:52:05 +02:00
|
|
|
|
if (!istrusted_rc && rootca_flags->relax)
|
2006-09-26 12:00:12 +02:00
|
|
|
|
{
|
|
|
|
|
/* Ignore the error due to the relax flag. */
|
|
|
|
|
rc = 0;
|
|
|
|
|
chainlen = -1;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (rc)
|
|
|
|
|
goto leave;
|
2007-08-10 18:52:05 +02:00
|
|
|
|
if (chainlen >= 0 && depth > chainlen)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2007-08-10 18:52:05 +02:00
|
|
|
|
do_list (1, listmode, listfp,
|
2004-02-17 16:05:04 +01:00
|
|
|
|
_("certificate chain longer than allowed by CA (%d)"),
|
|
|
|
|
chainlen);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
rc = gpg_error (GPG_ERR_BAD_CERT_CHAIN);
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2006-09-26 12:00:12 +02:00
|
|
|
|
/* Is the certificate allowed to sign other certificates. */
|
2004-02-17 16:05:04 +01:00
|
|
|
|
if (!listmode)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2004-02-17 16:05:04 +01:00
|
|
|
|
rc = gpgsm_cert_use_cert_p (issuer_cert);
|
|
|
|
|
if (rc)
|
|
|
|
|
{
|
|
|
|
|
char numbuf[50];
|
|
|
|
|
sprintf (numbuf, "%d", rc);
|
|
|
|
|
gpgsm_status2 (ctrl, STATUS_ERROR, "certcert.issuer.keyusage",
|
|
|
|
|
numbuf, NULL);
|
2004-04-05 19:25:21 +02:00
|
|
|
|
goto leave;
|
2004-02-17 16:05:04 +01:00
|
|
|
|
}
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
2007-03-20 17:57:40 +01:00
|
|
|
|
/* Check for revocations etc. Note that for a root certificate
|
2006-09-26 12:00:12 +02:00
|
|
|
|
this test is done a second time later. This should eventually
|
|
|
|
|
be fixed. */
|
2007-08-10 18:52:05 +02:00
|
|
|
|
if ((flags & VALIDATE_FLAG_NO_DIRMNGR))
|
2004-04-05 19:25:21 +02:00
|
|
|
|
rc = 0;
|
2011-12-07 16:15:15 +01:00
|
|
|
|
else if ((flags & VALIDATE_FLAG_STEED))
|
|
|
|
|
rc = 0; /* Fixme: XXX */
|
2006-09-26 12:00:12 +02:00
|
|
|
|
else if (is_root && (opt.no_trusted_cert_crl_check
|
2007-08-10 18:52:05 +02:00
|
|
|
|
|| (!istrusted_rc && rootca_flags->relax)))
|
2011-02-04 12:57:53 +01:00
|
|
|
|
rc = 0;
|
2004-04-05 19:25:21 +02:00
|
|
|
|
else
|
2011-02-04 12:57:53 +01:00
|
|
|
|
rc = is_cert_still_valid (ctrl,
|
2007-08-10 18:52:05 +02:00
|
|
|
|
(flags & VALIDATE_FLAG_CHAIN_MODEL),
|
|
|
|
|
listmode, listfp,
|
2004-04-05 19:25:21 +02:00
|
|
|
|
subject_cert, issuer_cert,
|
|
|
|
|
&any_revoked, &any_no_crl, &any_crl_too_old);
|
2004-03-06 21:11:19 +01:00
|
|
|
|
if (rc)
|
|
|
|
|
goto leave;
|
|
|
|
|
|
|
|
|
|
|
2004-02-17 16:05:04 +01:00
|
|
|
|
if (opt.verbose && !listmode)
|
2007-08-10 18:52:05 +02:00
|
|
|
|
log_info (depth == 0 ? _("certificate is good\n") :
|
|
|
|
|
!is_root ? _("intermediate certificate is good\n") :
|
|
|
|
|
/* other */ _("root certificate is good\n"));
|
|
|
|
|
|
|
|
|
|
/* Under the chain model the next check time is the creation
|
|
|
|
|
time of the subject certificate. */
|
|
|
|
|
if ( (flags & VALIDATE_FLAG_CHAIN_MODEL) )
|
|
|
|
|
{
|
|
|
|
|
rc = ksba_cert_get_validity (subject_cert, 0, check_time);
|
|
|
|
|
if (rc)
|
|
|
|
|
{
|
|
|
|
|
/* That will never happen as we have already checked
|
|
|
|
|
this above. */
|
|
|
|
|
BUG ();
|
|
|
|
|
}
|
|
|
|
|
}
|
2006-09-26 12:00:12 +02:00
|
|
|
|
|
|
|
|
|
/* For the next round the current issuer becomes the new subject. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
keydb_search_reset (kh);
|
2006-09-26 12:00:12 +02:00
|
|
|
|
ksba_cert_release (subject_cert);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
subject_cert = issuer_cert;
|
|
|
|
|
issuer_cert = NULL;
|
2007-08-10 18:52:05 +02:00
|
|
|
|
depth++;
|
2005-11-13 20:07:06 +01:00
|
|
|
|
} /* End chain traversal. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2008-02-19 11:33:35 +01:00
|
|
|
|
if (!listmode && !opt.quiet)
|
2004-02-17 16:05:04 +01:00
|
|
|
|
{
|
|
|
|
|
if (opt.no_policy_check)
|
|
|
|
|
log_info ("policies not checked due to %s option\n",
|
|
|
|
|
"--disable-policy-checks");
|
2015-06-29 11:03:58 +02:00
|
|
|
|
if (ctrl->offline || (opt.no_crl_check && !ctrl->use_ocsp))
|
2004-02-17 16:05:04 +01:00
|
|
|
|
log_info ("CRLs not checked due to %s option\n",
|
2015-06-29 11:03:58 +02:00
|
|
|
|
ctrl->offline ? "offline" : "--disable-crl-checks");
|
2004-02-17 16:05:04 +01:00
|
|
|
|
}
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
if (!rc)
|
|
|
|
|
{ /* If we encountered an error somewhere during the checks, set
|
|
|
|
|
the error code to the most critical one */
|
|
|
|
|
if (any_revoked)
|
|
|
|
|
rc = gpg_error (GPG_ERR_CERT_REVOKED);
|
2004-09-20 20:47:11 +02:00
|
|
|
|
else if (any_expired)
|
|
|
|
|
rc = gpg_error (GPG_ERR_CERT_EXPIRED);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
else if (any_no_crl)
|
|
|
|
|
rc = gpg_error (GPG_ERR_NO_CRL_KNOWN);
|
|
|
|
|
else if (any_crl_too_old)
|
|
|
|
|
rc = gpg_error (GPG_ERR_CRL_TOO_OLD);
|
|
|
|
|
else if (any_no_policy_match)
|
|
|
|
|
rc = gpg_error (GPG_ERR_NO_POLICY_MATCH);
|
|
|
|
|
}
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
leave:
|
2007-03-20 17:57:40 +01:00
|
|
|
|
/* If we have traversed a complete chain up to the root we will
|
2007-08-10 18:52:05 +02:00
|
|
|
|
reset the ephemeral flag for all these certificates. This is done
|
2007-03-20 17:57:40 +01:00
|
|
|
|
regardless of any error because those errors may only be
|
|
|
|
|
transient. */
|
|
|
|
|
if (chain && chain->is_root)
|
|
|
|
|
{
|
|
|
|
|
gpg_error_t err;
|
|
|
|
|
chain_item_t ci;
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2007-03-20 17:57:40 +01:00
|
|
|
|
for (ci = chain; ci; ci = ci->next)
|
|
|
|
|
{
|
|
|
|
|
/* Note that it is possible for the last certificate in the
|
|
|
|
|
chain (i.e. our target certificate) that it has not yet
|
|
|
|
|
been stored in the keybox and thus the flag can't be set.
|
2015-11-16 12:41:46 +01:00
|
|
|
|
We ignore this error because it will later be stored
|
2007-03-20 17:57:40 +01:00
|
|
|
|
anyway. */
|
2016-11-10 17:01:19 +01:00
|
|
|
|
err = keydb_set_cert_flags (ctrl, ci->cert, 1, KEYBOX_FLAG_BLOB, 0,
|
2007-03-20 17:57:40 +01:00
|
|
|
|
KEYBOX_FLAG_BLOB_EPHEMERAL, 0);
|
|
|
|
|
if (!ci->next && gpg_err_code (err) == GPG_ERR_NOT_FOUND)
|
|
|
|
|
;
|
|
|
|
|
else if (err)
|
|
|
|
|
log_error ("clearing ephemeral flag failed: %s\n",
|
2011-02-04 12:57:53 +01:00
|
|
|
|
gpg_strerror (err));
|
2007-03-20 17:57:40 +01:00
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* If we have figured something about the qualified signature
|
|
|
|
|
capability of the certificate under question, store the result as
|
|
|
|
|
user data in all certificates of the chain. We do this even if the
|
|
|
|
|
validation itself failed. */
|
2011-12-07 16:15:15 +01:00
|
|
|
|
if (is_qualified != -1 && !(flags & VALIDATE_FLAG_STEED))
|
2005-11-13 20:07:06 +01:00
|
|
|
|
{
|
|
|
|
|
gpg_error_t err;
|
2007-03-20 17:57:40 +01:00
|
|
|
|
chain_item_t ci;
|
|
|
|
|
char buf[1];
|
2005-11-13 20:07:06 +01:00
|
|
|
|
|
|
|
|
|
buf[0] = !!is_qualified;
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2007-03-20 17:57:40 +01:00
|
|
|
|
for (ci = chain; ci; ci = ci->next)
|
2005-11-13 20:07:06 +01:00
|
|
|
|
{
|
2007-03-20 17:57:40 +01:00
|
|
|
|
err = ksba_cert_set_user_data (ci->cert, "is_qualified", buf, 1);
|
|
|
|
|
if (err)
|
|
|
|
|
{
|
|
|
|
|
log_error ("set_user_data(is_qualified) failed: %s\n",
|
2011-02-04 12:57:53 +01:00
|
|
|
|
gpg_strerror (err));
|
2007-03-20 17:57:40 +01:00
|
|
|
|
if (!rc)
|
|
|
|
|
rc = err;
|
|
|
|
|
}
|
2005-11-13 20:07:06 +01:00
|
|
|
|
}
|
|
|
|
|
}
|
2007-03-20 17:57:40 +01:00
|
|
|
|
|
2007-11-19 17:03:50 +01:00
|
|
|
|
/* If auditing has been enabled, record what is in the chain. */
|
|
|
|
|
if (ctrl->audit)
|
|
|
|
|
{
|
|
|
|
|
chain_item_t ci;
|
|
|
|
|
|
|
|
|
|
audit_log (ctrl->audit, AUDIT_CHAIN_BEGIN);
|
|
|
|
|
for (ci = chain; ci; ci = ci->next)
|
|
|
|
|
{
|
|
|
|
|
audit_log_cert (ctrl->audit,
|
|
|
|
|
ci->is_root? AUDIT_CHAIN_ROOTCERT : AUDIT_CHAIN_CERT,
|
|
|
|
|
ci->cert, 0);
|
|
|
|
|
}
|
|
|
|
|
audit_log (ctrl->audit, AUDIT_CHAIN_END);
|
|
|
|
|
}
|
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (r_exptime)
|
2003-10-31 13:12:47 +01:00
|
|
|
|
gnupg_copy_time (r_exptime, exptime);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
xfree (issuer);
|
2006-09-26 12:00:12 +02:00
|
|
|
|
xfree (subject);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
keydb_release (kh);
|
2007-03-20 17:57:40 +01:00
|
|
|
|
while (chain)
|
|
|
|
|
{
|
|
|
|
|
chain_item_t ci_next = chain->next;
|
|
|
|
|
ksba_cert_release (chain->cert);
|
|
|
|
|
xfree (chain);
|
|
|
|
|
chain = ci_next;
|
|
|
|
|
}
|
2003-08-05 19:11:04 +02:00
|
|
|
|
ksba_cert_release (issuer_cert);
|
2006-09-26 12:00:12 +02:00
|
|
|
|
ksba_cert_release (subject_cert);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2007-11-19 17:03:50 +01:00
|
|
|
|
/* Validate a certificate chain. For a description see
|
2007-08-10 18:52:05 +02:00
|
|
|
|
do_validate_chain. This function is a wrapper to handle a root
|
|
|
|
|
certificate with the chain_model flag set. If RETFLAGS is not
|
|
|
|
|
NULL, flags indicating now the verification was done are stored
|
2011-12-07 16:15:15 +01:00
|
|
|
|
there. The only defined vits for RETFLAGS are
|
|
|
|
|
VALIDATE_FLAG_CHAIN_MODEL and VALIDATE_FLAG_STEED.
|
2007-08-10 18:52:05 +02:00
|
|
|
|
|
|
|
|
|
If you are verifying a signature you should set CHECKTIME to the
|
|
|
|
|
creation time of the signature. If your are verifying a
|
|
|
|
|
certificate, set it nil (i.e. the empty string). If the creation
|
|
|
|
|
date of the signature is not known use the special date
|
|
|
|
|
"19700101T000000" which is treated in a special way here. */
|
|
|
|
|
int
|
|
|
|
|
gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime,
|
|
|
|
|
ksba_isotime_t r_exptime,
|
|
|
|
|
int listmode, estream_t listfp, unsigned int flags,
|
|
|
|
|
unsigned int *retflags)
|
|
|
|
|
{
|
|
|
|
|
int rc;
|
|
|
|
|
struct rootca_flags_s rootca_flags;
|
|
|
|
|
unsigned int dummy_retflags;
|
|
|
|
|
|
|
|
|
|
if (!retflags)
|
|
|
|
|
retflags = &dummy_retflags;
|
|
|
|
|
|
2011-12-07 16:15:15 +01:00
|
|
|
|
/* If the session requested a certain validation mode make sure the
|
|
|
|
|
corresponding flags are set. */
|
2007-08-10 18:52:05 +02:00
|
|
|
|
if (ctrl->validation_model == 1)
|
|
|
|
|
flags |= VALIDATE_FLAG_CHAIN_MODEL;
|
2011-12-07 16:15:15 +01:00
|
|
|
|
else if (ctrl->validation_model == 2)
|
|
|
|
|
flags |= VALIDATE_FLAG_STEED;
|
2007-08-10 18:52:05 +02:00
|
|
|
|
|
2011-12-07 16:15:15 +01:00
|
|
|
|
/* If the chain model was forced, set this immediately into
|
|
|
|
|
RETFLAGS. */
|
2007-08-10 18:52:05 +02:00
|
|
|
|
*retflags = (flags & VALIDATE_FLAG_CHAIN_MODEL);
|
2011-12-07 16:15:15 +01:00
|
|
|
|
|
2007-08-10 18:52:05 +02:00
|
|
|
|
memset (&rootca_flags, 0, sizeof rootca_flags);
|
|
|
|
|
|
2011-02-04 12:57:53 +01:00
|
|
|
|
rc = do_validate_chain (ctrl, cert, checktime,
|
2007-08-10 18:52:05 +02:00
|
|
|
|
r_exptime, listmode, listfp, flags,
|
|
|
|
|
&rootca_flags);
|
2011-12-07 16:15:15 +01:00
|
|
|
|
if (!rc && (flags & VALIDATE_FLAG_STEED))
|
|
|
|
|
{
|
|
|
|
|
*retflags |= VALIDATE_FLAG_STEED;
|
|
|
|
|
}
|
|
|
|
|
else if (gpg_err_code (rc) == GPG_ERR_CERT_EXPIRED
|
2007-08-10 18:52:05 +02:00
|
|
|
|
&& !(flags & VALIDATE_FLAG_CHAIN_MODEL)
|
|
|
|
|
&& (rootca_flags.valid && rootca_flags.chain_model))
|
|
|
|
|
{
|
|
|
|
|
do_list (0, listmode, listfp, _("switching to chain model"));
|
|
|
|
|
rc = do_validate_chain (ctrl, cert, checktime,
|
2011-02-04 12:57:53 +01:00
|
|
|
|
r_exptime, listmode, listfp,
|
2007-08-10 18:52:05 +02:00
|
|
|
|
(flags |= VALIDATE_FLAG_CHAIN_MODEL),
|
|
|
|
|
&rootca_flags);
|
|
|
|
|
*retflags |= VALIDATE_FLAG_CHAIN_MODEL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (opt.verbose)
|
2011-02-04 12:57:53 +01:00
|
|
|
|
do_list (0, listmode, listfp, _("validation model used: %s"),
|
2011-12-07 16:15:15 +01:00
|
|
|
|
(*retflags & VALIDATE_FLAG_STEED)?
|
|
|
|
|
"steed" :
|
2007-08-10 18:52:05 +02:00
|
|
|
|
(*retflags & VALIDATE_FLAG_CHAIN_MODEL)?
|
2007-08-16 12:42:06 +02:00
|
|
|
|
_("chain"):_("shell"));
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2007-08-10 18:52:05 +02:00
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
/* Check that the given certificate is valid but DO NOT check any
|
|
|
|
|
constraints. We assume that the issuers certificate is already in
|
|
|
|
|
the DB and that this one is valid; which it should be because it
|
|
|
|
|
has been checked using this function. */
|
|
|
|
|
int
|
2008-02-13 17:47:14 +01:00
|
|
|
|
gpgsm_basic_cert_check (ctrl_t ctrl, ksba_cert_t cert)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
|
|
|
|
int rc = 0;
|
|
|
|
|
char *issuer = NULL;
|
|
|
|
|
char *subject = NULL;
|
2005-11-13 20:07:06 +01:00
|
|
|
|
KEYDB_HANDLE kh;
|
2003-12-17 13:28:24 +01:00
|
|
|
|
ksba_cert_t issuer_cert = NULL;
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (opt.no_chain_validation)
|
|
|
|
|
{
|
|
|
|
|
log_info ("WARNING: bypassing basic certificate checks\n");
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2016-11-10 15:38:14 +01:00
|
|
|
|
kh = keydb_new ();
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!kh)
|
|
|
|
|
{
|
2012-08-22 18:54:38 +02:00
|
|
|
|
log_error (_("failed to allocate keyDB handle\n"));
|
2003-08-05 19:11:04 +02:00
|
|
|
|
rc = gpg_error (GPG_ERR_GENERAL);
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
issuer = ksba_cert_get_issuer (cert, 0);
|
|
|
|
|
subject = ksba_cert_get_subject (cert, 0);
|
|
|
|
|
if (!issuer)
|
|
|
|
|
{
|
|
|
|
|
log_error ("no issuer found in certificate\n");
|
|
|
|
|
rc = gpg_error (GPG_ERR_BAD_CERT);
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
|
|
|
|
|
2008-02-19 11:33:35 +01:00
|
|
|
|
if (is_root_cert (cert, issuer, subject))
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2004-08-17 17:26:22 +02:00
|
|
|
|
rc = gpgsm_check_cert_sig (cert, cert);
|
|
|
|
|
if (rc)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2005-04-21 11:33:07 +02:00
|
|
|
|
log_error ("self-signed certificate has a BAD signature: %s\n",
|
2004-08-17 17:26:22 +02:00
|
|
|
|
gpg_strerror (rc));
|
2004-12-03 18:44:57 +01:00
|
|
|
|
if (DBG_X509)
|
|
|
|
|
{
|
|
|
|
|
gpgsm_dump_cert ("self-signing cert", cert);
|
|
|
|
|
}
|
2003-08-05 19:11:04 +02:00
|
|
|
|
rc = gpg_error (GPG_ERR_BAD_CERT);
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
2005-03-17 20:10:37 +01:00
|
|
|
|
/* Find the next cert up the tree. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
keydb_search_reset (kh);
|
2008-02-13 17:47:14 +01:00
|
|
|
|
rc = find_up (ctrl, kh, cert, issuer, 0);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (rc)
|
|
|
|
|
{
|
|
|
|
|
if (rc == -1)
|
|
|
|
|
{
|
|
|
|
|
log_info ("issuer certificate (#/");
|
|
|
|
|
gpgsm_dump_string (issuer);
|
|
|
|
|
log_printf (") not found\n");
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
log_error ("failed to find issuer's certificate: rc=%d\n", rc);
|
2010-10-01 22:33:53 +02:00
|
|
|
|
rc = gpg_error (GPG_ERR_MISSING_ISSUER_CERT);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
goto leave;
|
|
|
|
|
}
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
ksba_cert_release (issuer_cert); issuer_cert = NULL;
|
|
|
|
|
rc = keydb_get_cert (kh, &issuer_cert);
|
|
|
|
|
if (rc)
|
|
|
|
|
{
|
2005-04-18 12:44:46 +02:00
|
|
|
|
log_error ("keydb_get_cert() failed: rc=%d\n", rc);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
rc = gpg_error (GPG_ERR_GENERAL);
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
|
|
|
|
|
2004-08-17 17:26:22 +02:00
|
|
|
|
rc = gpgsm_check_cert_sig (issuer_cert, cert);
|
|
|
|
|
if (rc)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2004-08-17 17:26:22 +02:00
|
|
|
|
log_error ("certificate has a BAD signature: %s\n",
|
|
|
|
|
gpg_strerror (rc));
|
2005-03-17 20:10:37 +01:00
|
|
|
|
if (DBG_X509)
|
|
|
|
|
{
|
|
|
|
|
gpgsm_dump_cert ("signing issuer", issuer_cert);
|
|
|
|
|
gpgsm_dump_cert ("signed subject", cert);
|
|
|
|
|
}
|
2003-08-05 19:11:04 +02:00
|
|
|
|
rc = gpg_error (GPG_ERR_BAD_CERT);
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
|
|
|
|
if (opt.verbose)
|
2007-08-10 18:52:05 +02:00
|
|
|
|
log_info (_("certificate is good\n"));
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
leave:
|
|
|
|
|
xfree (issuer);
|
2006-12-21 02:30:18 +01:00
|
|
|
|
xfree (subject);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
keydb_release (kh);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
ksba_cert_release (issuer_cert);
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
2006-03-21 10:56:47 +01:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Check whether the certificate CERT has been issued by the German
|
|
|
|
|
authority for qualified signature. They do not set the
|
|
|
|
|
basicConstraints and thus we need this workaround. It works by
|
|
|
|
|
looking up the root certificate and checking whether that one is
|
2011-02-04 12:57:53 +01:00
|
|
|
|
listed as a qualified certificate for Germany.
|
2006-03-21 10:56:47 +01:00
|
|
|
|
|
|
|
|
|
We also try to cache this data but as long as don't keep a
|
|
|
|
|
reference to the certificate this won't be used.
|
|
|
|
|
|
|
|
|
|
Returns: True if CERT is a RegTP issued CA cert (i.e. the root
|
|
|
|
|
certificate itself or one of the CAs). In that case CHAINLEN will
|
|
|
|
|
receive the length of the chain which is either 0 or 1.
|
|
|
|
|
*/
|
|
|
|
|
static int
|
2008-02-13 17:47:14 +01:00
|
|
|
|
get_regtp_ca_info (ctrl_t ctrl, ksba_cert_t cert, int *chainlen)
|
2006-03-21 10:56:47 +01:00
|
|
|
|
{
|
|
|
|
|
gpg_error_t err;
|
|
|
|
|
ksba_cert_t next;
|
|
|
|
|
int rc = 0;
|
|
|
|
|
int i, depth;
|
|
|
|
|
char country[3];
|
|
|
|
|
ksba_cert_t array[4];
|
|
|
|
|
char buf[2];
|
|
|
|
|
size_t buflen;
|
|
|
|
|
int dummy_chainlen;
|
|
|
|
|
|
|
|
|
|
if (!chainlen)
|
|
|
|
|
chainlen = &dummy_chainlen;
|
|
|
|
|
|
|
|
|
|
*chainlen = 0;
|
2011-02-04 12:57:53 +01:00
|
|
|
|
err = ksba_cert_get_user_data (cert, "regtp_ca_chainlen",
|
2006-03-21 10:56:47 +01:00
|
|
|
|
&buf, sizeof (buf), &buflen);
|
|
|
|
|
if (!err)
|
|
|
|
|
{
|
|
|
|
|
/* Got info. */
|
|
|
|
|
if (buflen < 2 || !*buf)
|
|
|
|
|
return 0; /* Nothing found. */
|
|
|
|
|
*chainlen = buf[1];
|
|
|
|
|
return 1; /* This is a regtp CA. */
|
|
|
|
|
}
|
|
|
|
|
else if (gpg_err_code (err) != GPG_ERR_NOT_FOUND)
|
|
|
|
|
{
|
|
|
|
|
log_error ("ksba_cert_get_user_data(%s) failed: %s\n",
|
|
|
|
|
"regtp_ca_chainlen", gpg_strerror (err));
|
|
|
|
|
return 0; /* Nothing found. */
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Need to gather the info. This requires to walk up the chain
|
|
|
|
|
until we have found the root. Because we are only interested in
|
|
|
|
|
German Bundesnetzagentur (former RegTP) derived certificates 3
|
|
|
|
|
levels are enough. (The German signature law demands a 3 tier
|
2015-11-16 12:41:46 +01:00
|
|
|
|
hierarchy; thus there is only one CA between the EE and the Root
|
2006-03-21 10:56:47 +01:00
|
|
|
|
CA.) */
|
|
|
|
|
memset (&array, 0, sizeof array);
|
|
|
|
|
|
|
|
|
|
depth = 0;
|
|
|
|
|
ksba_cert_ref (cert);
|
|
|
|
|
array[depth++] = cert;
|
|
|
|
|
ksba_cert_ref (cert);
|
2008-02-13 17:47:14 +01:00
|
|
|
|
while (depth < DIM(array) && !(rc=gpgsm_walk_cert_chain (ctrl, cert, &next)))
|
2006-03-21 10:56:47 +01:00
|
|
|
|
{
|
|
|
|
|
ksba_cert_release (cert);
|
|
|
|
|
ksba_cert_ref (next);
|
|
|
|
|
array[depth++] = next;
|
|
|
|
|
cert = next;
|
|
|
|
|
}
|
|
|
|
|
ksba_cert_release (cert);
|
|
|
|
|
if (rc != -1 || !depth || depth == DIM(array) )
|
|
|
|
|
{
|
|
|
|
|
/* We did not reached the root. */
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* If this is a German signature law issued certificate, we store
|
2017-02-20 22:19:50 +01:00
|
|
|
|
additional information. */
|
2006-03-21 10:56:47 +01:00
|
|
|
|
if (!gpgsm_is_in_qualified_list (NULL, array[depth-1], country)
|
|
|
|
|
&& !strcmp (country, "de"))
|
|
|
|
|
{
|
|
|
|
|
/* Setting the pathlen for the root CA and the CA flag for the
|
|
|
|
|
next one is all what we need to do. */
|
|
|
|
|
err = ksba_cert_set_user_data (array[depth-1], "regtp_ca_chainlen",
|
|
|
|
|
"\x01\x01", 2);
|
|
|
|
|
if (!err && depth > 1)
|
|
|
|
|
err = ksba_cert_set_user_data (array[depth-2], "regtp_ca_chainlen",
|
|
|
|
|
"\x01\x00", 2);
|
|
|
|
|
if (err)
|
|
|
|
|
log_error ("ksba_set_user_data(%s) failed: %s\n",
|
2011-02-04 12:57:53 +01:00
|
|
|
|
"regtp_ca_chainlen", gpg_strerror (err));
|
2006-03-21 10:56:47 +01:00
|
|
|
|
for (i=0; i < depth; i++)
|
|
|
|
|
ksba_cert_release (array[i]);
|
|
|
|
|
*chainlen = (depth>1? 0:1);
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
leave:
|
|
|
|
|
/* Nothing special with this certificate. Mark the target
|
2011-02-04 12:57:53 +01:00
|
|
|
|
certificate anyway to avoid duplicate lookups. */
|
2006-03-21 10:56:47 +01:00
|
|
|
|
err = ksba_cert_set_user_data (cert, "regtp_ca_chainlen", "", 1);
|
|
|
|
|
if (err)
|
|
|
|
|
log_error ("ksba_set_user_data(%s) failed: %s\n",
|
2011-02-04 12:57:53 +01:00
|
|
|
|
"regtp_ca_chainlen", gpg_strerror (err));
|
2006-03-21 10:56:47 +01:00
|
|
|
|
for (i=0; i < depth; i++)
|
|
|
|
|
ksba_cert_release (array[i]);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|