From 67101aa216e8d71e67681e75cda5c188b2597ded Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Mon, 20 Jul 2009 21:08:39 +0000
Subject: Applied patch of jmdesp that allows certificate lists by client.

---
(limited to 'src')

diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c
index ea59bbf..9ebf771 100644
--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -1028,8 +1028,9 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
 const gnutls_datum_t *cert_list;
 unsigned int cert_list_size, status, expired;
 int rv, ret;
+ unsigned int ch_size = 0;
 union {
- gnutls_x509_crt_t x509;
+ gnutls_x509_crt_t x509[MAX_CHAIN_SIZE];
 gnutls_openpgp_crt_t pgp;
 } cert;
 apr_time_t activation_time, expiration_time, cur_time;
@@ -1051,19 +1052,40 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
 return HTTP_FORBIDDEN;
 }
- if (cert_list_size > 1) {
- ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+ if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "GnuTLS: A Chain of %d certificate(s) was provided for validation", cert_list_size);
+
+ for (ch_size =0; ch_sizesession) == GNUTLS_CRT_OPENPGP) {
+ if (cert_list_size > 1) {
+ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
 "GnuTLS: Failed to Verify Peer: " "Chained Client Certificates are not supported.");
- return HTTP_FORBIDDEN;
- }
+ return HTTP_FORBIDDEN;
+ }
- if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509) {
- gnutls_x509_crt_init(&cert.x509);
- rv = gnutls_x509_crt_import(cert.x509, &cert_list[0], GNUTLS_X509_FMT_DER);
- } else if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_OPENPGP) {
 gnutls_openpgp_crt_init(&cert.pgp);
 rv = gnutls_openpgp_crt_import(cert.pgp, &cert_list[0], GNUTLS_OPENPGP_FMT_RAW);
+ } else return HTTP_FORBIDDEN;
 if (rv < 0) {
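Review bot: The new debug log in the X509 branch formats `cert_list_size`, which is declared `unsigned int`, with `%d`; `%u` is the matching conversion, and the same mismatch appears in the `ch_size` log added in the hunk at @@ -1076. The import loop is garbled in this rendering, but as shown `rv` is tested only once after the loop, so unless the loop breaks on the first failed `gnutls_x509_crt_import`, an error on an intermediate is masked by a later success; the loop should `break` as soon as `rv < 0`, and the handle whose import failed must still be counted in `ch_size` (or deinitialised on the spot) so the cleanup at `exit:` releases it. If the loop is bounded by `MAX_CHAIN_SIZE`, a client presenting a longer chain has it silently truncated before verification; logging that case at APLOG_INFO would make the resulting verification failure diagnosable. mgs_cert_verify starts and ends outside this hunk.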
@@ -1076,12 +1098,15 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
 if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509) {
 apr_time_ansi_put(&expiration_time,
- gnutls_x509_crt_get_expiration_time(cert.x509));
+ gnutls_x509_crt_get_expiration_time(cert.x509[0]));
 apr_time_ansi_put(&activation_time,
- gnutls_x509_crt_get_activation_time(cert.x509));
+ gnutls_x509_crt_get_activation_time(cert.x509[0]));
- rv = gnutls_x509_crt_verify(cert.x509, ctxt->sc->ca_list,
- ctxt->sc->ca_list_size, 0, &status);
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "GnuTLS: Verifying list of %d certificate(s)", ch_size);
+ rv = gnutls_x509_crt_list_verify(cert.x509, ch_size,
+ ctxt->sc->ca_list, ctxt->sc->ca_list_size,
+ NULL, 0, 0, &status);
 } else {
 apr_time_ansi_put(&expiration_time,
 gnutls_openpgp_crt_get_expiration_time(cert.pgp));
@@ -1145,7 +1170,7 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
 }
 if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509)
- mgs_add_common_cert_vars(r, cert.x509, 1,
+ mgs_add_common_cert_vars(r, cert.x509[0], 1,
 ctxt->sc->export_certificates_enabled);
 else if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_OPENPGP)
 mgs_add_common_pgpcert_vars(r, cert.pgp, 1,
@@ -1172,9 +1197,12 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
 }
 exit:
- if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509)
- gnutls_x509_crt_deinit(cert.x509);
- else if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_OPENPGP)
+ if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509) {
+ int i;
+ for (i=0; isession) == GNUTLS_CRT_OPENPGP)
 gnutls_openpgp_crt_deinit(cert.pgp);
 return ret;
-- cgit v0.9.2
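Review bot: Only `cert.x509[0]` has its activation and expiration times copied into `activation_time`/`expiration_time` for the manual validity check, while the intermediates in `cert.x509[1..ch_size-1]` go straight to `gnutls_x509_crt_list_verify` with flags `0`; unless the GnuTLS release this targets checks validity periods inside `gnutls_x509_crt_list_verify` (the hand-rolled check here suggests it does not), an expired or not-yet-valid intermediate is accepted as long as the signatures chain to a trusted CA. The same time comparison applied to the leaf should run over every element of the chain before the verification result is trusted, for example by looping from 1 to `ch_size - 1` and rejecting the peer when any certificate's `gnutls_x509_crt_get_expiration_time`/`gnutls_x509_crt_get_activation_time` falls outside `cur_time`. The `NULL, 0` CRL arguments mean no revocation data is consulted here, which matches the replaced `gnutls_x509_crt_verify` call but deserves a comment such as `/* no CRL list passed: revocation is not checked at this point */`. The comparison against `cur_time` lies outside this hunk.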
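Review bot: The cleanup counter is declared `int i;` while its bound `ch_size` is `unsigned int`, so the loop header (garbled in this rendering) compares signed with unsigned; `unsigned int i;` avoids the implicit conversion and the `-Wsign-compare` warning. This loop is also only correct if `ch_size` counts every element on which `gnutls_x509_crt_init` was called in the import loop at @@ -1051, including one whose `gnutls_x509_crt_import` failed; if that loop exits before incrementing `ch_size`, the last handle is leaked on every rejected handshake. mgs_cert_verify ends outside this hunk.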