From 7fec961893adf880d4acc3da171031829f93af86 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 2 Jul 2010 15:15:52 +0200 Subject: Depend on libgnutls for the activation and expiration time checks. --- src/gnutls_hooks.c | 36 +++++++++++++----------------------- 1 file changed, 13 insertions(+), 23 deletions(-) diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c index 032e6f3..3ce8188 100644 --- a/src/gnutls_hooks.c +++ b/src/gnutls_hooks.c @@ -1043,14 +1043,14 @@ mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt) { const gnutls_datum_t *cert_list; - unsigned int cert_list_size, status, expired; + unsigned int cert_list_size, status; int rv = GNUTLS_E_NO_CERTIFICATE_FOUND, ret; unsigned int ch_size = 0; union { gnutls_x509_crt_t x509[MAX_CHAIN_SIZE]; gnutls_openpgp_crt_t pgp; } cert; - apr_time_t activation_time, expiration_time, cur_time; + apr_time_t expiration_time, cur_time; _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__); cert_list = @@ -1116,8 +1116,6 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt) if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509) { apr_time_ansi_put(&expiration_time, gnutls_x509_crt_get_expiration_time(cert.x509[0])); - apr_time_ansi_put(&activation_time, - gnutls_x509_crt_get_activation_time(cert.x509[0])); ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "GnuTLS: Verifying list of %d certificate(s)", ch_size); @@ -1127,8 +1125,6 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt) } else { apr_time_ansi_put(&expiration_time, gnutls_openpgp_crt_get_expiration_time(cert.pgp)); - apr_time_ansi_put(&activation_time, - gnutls_openpgp_crt_get_creation_time(cert.pgp)); rv = gnutls_openpgp_crt_verify_ring(cert.pgp, ctxt->sc->pgp_list, 0, &status); @@ -1150,23 +1146,7 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt) */ /* ret = gnutls_x509_crt_check_revocation(crt, crl_list, crl_list_size); */ - expired = 0; cur_time = apr_time_now(); - if (activation_time > cur_time) { - ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, - "GnuTLS: Failed to Verify Peer: " - "Peer Certificate is not yet activated."); - expired = 1; - } - - if (gnutls_certificate_type_get( ctxt->session) != GNUTLS_CRT_OPENPGP || expiration_time != 0) { - if (expiration_time < cur_time) { - ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, - "GnuTLS: Failed to Verify Peer: " - "Peer Certificate is expired."); - expired = 1; - } - } if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) { ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, @@ -1178,6 +1158,16 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt) "GnuTLS: Peer's Certificate signer is not a CA"); } + if (status & GNUTLS_CERT_INSECURE_ALGORITHM) { + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, + "GnuTLS: Peer's Certificate is using insecure algorithms"); + } + + if (status & GNUTLS_CERT_EXPIRED || status & GNUTLS_CERT_NOT_ACTIVATED) { + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, + "GnuTLS: Peer's Certificate signer is expired or not yet activated"); + } + if (status & GNUTLS_CERT_INVALID) { ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, "GnuTLS: Peer Certificate is invalid."); @@ -1202,7 +1192,7 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt) apr_psprintf(r->pool, "%lu", remain)); } - if (status == 0 && expired == 0) { + if (status == 0) { apr_table_setn(r->subprocess_env, "SSL_CLIENT_VERIFY", "SUCCESS"); ret = OK; } else { -- cgit