Diffstat (limited to 'main/gnutls/_gnutls_pkcs11_verify_crt_status-check-validity-against-system-cert.patch')
-rw-r--r-- | main/gnutls/_gnutls_pkcs11_verify_crt_status-check-validity-against-system-cert.patch | 219 |
1 files changed, 0 insertions, 219 deletions
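--- a/main/gnutls/_gnutls_pkcs11_verify_crt_status-check-validity-against-system-cert.patch
+++ /dev/null
@@ -1,219 +0,0 @@
-From 299bd4f113d0bd39fa1577a671a04ed7899eff3c Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Sun, 31 May 2020 12:39:14 +0200
-Subject: [PATCH] _gnutls_pkcs11_verify_crt_status: check validity against
-system cert
-
-To verify a certificate chain, this function replaces known
-certificates with the ones in the system trust store if possible.
-
-However, if it is found, the function checks the validity of the
-original certificate rather than the certificate found in the trust
-store. That reveals a problem in a scenario that (1) a certificate is
-signed by multiple issuers and (2) one of the issuers' certificate has
-expired and included in the input chain.
-
-This patch makes it a little robuster by actually retrieving the
-certificate from the trust store and perform check against it.
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
----
-lib/pkcs11.c | 98 +++++++++++++++++++++++++++++++++--------------
-lib/pkcs11_int.h | 5 +++
-lib/x509/verify.c | 7 +++-
-3 files changed, 80 insertions(+), 30 deletions(-)
-
-diff --git a/lib/pkcs11.c b/lib/pkcs11.c
-index fad16aaf4f..d8d4a65114 100644
---- a/lib/pkcs11.c
-+++ b/lib/pkcs11.c
-@@ -4547,34 +4547,10 @@ int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url,
-return ret;
-}
-
--/**
-- * gnutls_pkcs11_crt_is_known:
-- * @url: A PKCS 11 url identifying a token
-- * @cert: is the certificate to find issuer for
-- * @issuer: Will hold the issuer if any in an allocated buffer.
-- * @fmt: The format of the exported issuer.
-- * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG.
-- *
-- * This function will check whether the provided certificate is stored
-- * in the specified token. This is useful in combination with
-- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or
-- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED,
-- * to check whether a CA is present or a certificate is blacklisted in
-- * a trust PKCS #11 module.
-- *
-- * This function can be used with a @url of "pkcs11:", and in that case all modules
-- * will be searched. To restrict the modules to the marked as trusted in p11-kit
-- * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag.
-- *
-- * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is
-- * specific to p11-kit trust modules.
-- *
-- * Returns: If the certificate exists non-zero is returned, otherwise zero.
-- *
-- * Since: 3.3.0
-- **/
--unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
-- unsigned int flags)
-+unsigned
-+_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
-+ unsigned int flags,
-+ gnutls_x509_crt_t *trusted_cert)
-{
-int ret;
-struct find_cert_st priv;
-@@ -4586,6 +4562,15 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
-
-memset(&priv, 0, sizeof(priv));
-
-+ if (trusted_cert) {
-+ ret = gnutls_pkcs11_obj_init(&priv.obj);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ goto cleanup;
-+ }
-+ priv.need_import = 1;
-+ }
-+
-if (url == NULL || url[0] == 0) {
-url = "pkcs11:";
-}
-@@ -4632,8 +4617,18 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
-_gnutls_debug_log("crt_is_known: did not find cert, using issuer DN + serial, using DN only\n");
-/* attempt searching with the subject DN only */
-gnutls_assert();
-+ if (priv.obj)
-+ gnutls_pkcs11_obj_deinit(priv.obj);
-gnutls_free(priv.serial.data);
-memset(&priv, 0, sizeof(priv));
-+ if (trusted_cert) {
-+ ret = gnutls_pkcs11_obj_init(&priv.obj);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ goto cleanup;
-+ }
-+ priv.need_import = 1;
-+ }
-priv.crt = cert;
-priv.flags = flags;
-
-@@ -4650,9 +4645,26 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
-goto cleanup;
-}
-
-+ if (trusted_cert) {
-+ ret = gnutls_x509_crt_init(trusted_cert);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ ret = 0;
-+ goto cleanup;
-+ }
-+ ret = gnutls_x509_crt_import_pkcs11(*trusted_cert, priv.obj);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ gnutls_x509_crt_deinit(*trusted_cert);
-+ ret = 0;
-+ goto cleanup;
-+ }
-+ }
-ret = 1;
-
-cleanup:
-+ if (priv.obj)
-+ gnutls_pkcs11_obj_deinit(priv.obj);
-if (info)
-p11_kit_uri_free(info);
-gnutls_free(priv.serial.data);
-@@ -4660,6 +4672,36 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
-return ret;
-}
-
-+/**
-+ * gnutls_pkcs11_crt_is_known:
-+ * @url: A PKCS 11 url identifying a token
-+ * @cert: is the certificate to find issuer for
-+ * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG.
-+ *
-+ * This function will check whether the provided certificate is stored
-+ * in the specified token. This is useful in combination with
-+ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or
-+ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED,
-+ * to check whether a CA is present or a certificate is blacklisted in
-+ * a trust PKCS #11 module.
-+ *
-+ * This function can be used with a @url of "pkcs11:", and in that case all modules
-+ * will be searched. To restrict the modules to the marked as trusted in p11-kit
-+ * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag.
-+ *
-+ * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is
-+ * specific to p11-kit trust modules.
-+ *
-+ * Returns: If the certificate exists non-zero is returned, otherwise zero.
-+ *
-+ * Since: 3.3.0
-+ **/
-+unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
-+ unsigned int flags)
-+{
-+ return _gnutls_pkcs11_crt_is_known(url, cert, flags, NULL);
-+}
-+
-/**
-* gnutls_pkcs11_obj_get_flags:
-* @obj: The pkcs11 object
-diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h
-index 9d88807098..86cce0dee5 100644
---- a/lib/pkcs11_int.h
-+++ b/lib/pkcs11_int.h
-@@ -460,6 +460,11 @@ inline static bool is_pkcs11_url_object(const char *url)
-return 0;
-}
-
-+unsigned
-+_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
-+ unsigned int flags,
-+ gnutls_x509_crt_t *trusted_cert);
-+
-#endif /* ENABLE_PKCS11 */
-
-#endif /* GNUTLS_LIB_PKCS11_INT_H */
-diff --git a/lib/x509/verify.c b/lib/x509/verify.c
-index d202670198..fd7c6a1642 100644
---- a/lib/x509/verify.c
-+++ b/lib/x509/verify.c
-@@ -34,6 +34,7 @@
-#include <tls-sig.h>
-#include <str.h>
-#include <datum.h>
-+#include <pkcs11_int.h>
-#include <x509_int.h>
-#include <common.h>
-#include <pk.h>
-@@ -1188,6 +1189,7 @@ _gnutls_pkcs11_verify_crt_status(const char* url,
-
-for (; i < clist_size; i++) {
-unsigned vflags;
-+ gnutls_x509_crt_t trusted_cert;
-
-if (i == 0) /* in the end certificate do full comparison */
-vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
-@@ -1196,9 +1198,10 @@ _gnutls_pkcs11_verify_crt_status(const char* url,
-vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
-GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED;
-
-- if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags) != 0) {
-+ if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags, &trusted_cert) != 0) {
-
-- status |= check_ca_sanity(certificate_list[i], now, flags);
-+ status |= check_ca_sanity(trusted_cert, now, flags);
-+ gnutls_x509_crt_deinit(trusted_cert);
-
-if (func)
-func(certificate_list[i],
---
-2.26.2
-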