diff options
Diffstat (limited to 'src/gnutls/x509vfy.c')
-rw-r--r-- | src/gnutls/x509vfy.c | 802 |
1 files changed, 0 insertions, 802 deletions
diff --git a/src/gnutls/x509vfy.c b/src/gnutls/x509vfy.c deleted file mode 100644 index fd15c5ac..00000000 --- a/src/gnutls/x509vfy.c +++ /dev/null @@ -1,802 +0,0 @@ -/** - * XMLSec library - * - * X509 support - * - * - * This is free software; see Copyright file in the source - * distribution for preciese wording. - * - * Copyright (C) 2010 Aleksey Sanin <aleksey@aleksey.com> - */ -#include "globals.h" - -#ifndef XMLSEC_NO_X509 - -#include <stdlib.h> -#include <stdio.h> -#include <string.h> -#include <ctype.h> -#include <errno.h> - -#include <libxml/tree.h> - -#include <xmlsec/xmlsec.h> -#include <xmlsec/xmltree.h> -#include <xmlsec/keys.h> -#include <xmlsec/keyinfo.h> -#include <xmlsec/keysmngr.h> -#include <xmlsec/base64.h> -#include <xmlsec/errors.h> - -#include <xmlsec/gnutls/crypto.h> -#include <xmlsec/gnutls/x509.h> - -#include "x509utils.h" - -/************************************************************************** - * - * Internal GnuTLS X509 store CTX - * - *************************************************************************/ -typedef struct _xmlSecGnuTLSX509StoreCtx xmlSecGnuTLSX509StoreCtx, - *xmlSecGnuTLSX509StoreCtxPtr; -struct _xmlSecGnuTLSX509StoreCtx { - xmlSecPtrList certsTrusted; - xmlSecPtrList certsUntrusted; -}; - -/**************************************************************************** - * - * xmlSecGnuTLSKeyDataStoreX509Id: - * - * xmlSecGnuTLSX509StoreCtx is located after xmlSecTransform - * - ***************************************************************************/ -#define xmlSecGnuTLSX509StoreGetCtx(store) \ - ((xmlSecGnuTLSX509StoreCtxPtr)(((xmlSecByte*)(store)) + \ - sizeof(xmlSecKeyDataStoreKlass))) -#define xmlSecGnuTLSX509StoreSize \ - (sizeof(xmlSecKeyDataStoreKlass) + sizeof(xmlSecGnuTLSX509StoreCtx)) - -static int xmlSecGnuTLSX509StoreInitialize (xmlSecKeyDataStorePtr store); -static void xmlSecGnuTLSX509StoreFinalize (xmlSecKeyDataStorePtr store); - -static xmlSecKeyDataStoreKlass xmlSecGnuTLSX509StoreKlass = { - sizeof(xmlSecKeyDataStoreKlass), - xmlSecGnuTLSX509StoreSize, - - /* data */ - xmlSecNameX509Store, /* const xmlChar* name; */ - - /* constructors/destructor */ - xmlSecGnuTLSX509StoreInitialize, /* xmlSecKeyDataStoreInitializeMethod initialize; */ - xmlSecGnuTLSX509StoreFinalize, /* xmlSecKeyDataStoreFinalizeMethod finalize; */ - - /* reserved for the future */ - NULL, /* void* reserved0; */ - NULL, /* void* reserved1; */ -}; - -static gnutls_x509_crt_t xmlSecGnuTLSX509FindCert (xmlSecPtrListPtr certs, - const xmlChar *subjectName, - const xmlChar *issuerName, - const xmlChar *issuerSerial, - const xmlChar *ski); -static gnutls_x509_crt_t xmlSecGnuTLSX509FindSignedCert (xmlSecPtrListPtr certs, - gnutls_x509_crt_t cert); -static gnutls_x509_crt_t xmlSecGnuTLSX509FindSignerCert (xmlSecPtrListPtr certs, - gnutls_x509_crt_t cert); - - -/** - * xmlSecGnuTLSX509StoreGetKlass: - * - * The GnuTLS X509 certificates key data store klass. - * - * Returns: pointer to GnuTLS X509 certificates key data store klass. - */ -xmlSecKeyDataStoreId -xmlSecGnuTLSX509StoreGetKlass(void) { - return(&xmlSecGnuTLSX509StoreKlass); -} - -/** - * xmlSecGnuTLSX509StoreFindCert: - * @store: the pointer to X509 key data store klass. - * @subjectName: the desired certificate name. - * @issuerName: the desired certificate issuer name. - * @issuerSerial: the desired certificate issuer serial number. - * @ski: the desired certificate SKI. - * @keyInfoCtx: the pointer to <dsig:KeyInfo/> element processing context. - * - * Searches @store for a certificate that matches given criteria. - * - * Returns: pointer to found certificate or NULL if certificate is not found - * or an error occurs. - */ -gnutls_x509_crt_t -xmlSecGnuTLSX509StoreFindCert(xmlSecKeyDataStorePtr store, - const xmlChar *subjectName, - const xmlChar *issuerName, - const xmlChar *issuerSerial, - const xmlChar *ski, - const xmlSecKeyInfoCtx* keyInfoCtx) { - xmlSecGnuTLSX509StoreCtxPtr ctx; - gnutls_x509_crt_t res = NULL; - - xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecGnuTLSX509StoreId), NULL); - xmlSecAssert2(keyInfoCtx != NULL, NULL); - - ctx = xmlSecGnuTLSX509StoreGetCtx(store); - xmlSecAssert2(ctx != NULL, NULL); - - if(res == NULL) { - res = xmlSecGnuTLSX509FindCert(&(ctx->certsTrusted), subjectName, issuerName, issuerSerial, ski); - } - if(res == NULL) { - res = xmlSecGnuTLSX509FindCert(&(ctx->certsUntrusted), subjectName, issuerName, issuerSerial, ski); - } - return(res); -} - -static int -xmlSecGnuTLSX509CheckTime(const gnutls_x509_crt_t * cert_list, - xmlSecSize cert_list_length, - time_t ts) -{ - time_t notValidBefore, notValidAfter; - xmlSecSize ii; - - xmlSecAssert2(cert_list != NULL, -1); - - for(ii = 0; ii < cert_list_length; ++ii) { - const gnutls_x509_crt_t cert = cert_list[ii]; - if(cert == NULL) { - continue; - } - - /* get expiration times */ - notValidBefore = gnutls_x509_crt_get_activation_time(cert); - if(notValidBefore == (time_t)-1) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "gnutls_x509_crt_get_activation_time", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(-1); - } - notValidAfter = gnutls_x509_crt_get_expiration_time(cert); - if(notValidAfter == (time_t)-1) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "gnutls_x509_crt_get_expiration_time", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(-1); - } - - /* check */ - if(ts < notValidBefore) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - NULL, - XMLSEC_ERRORS_R_CERT_NOT_YET_VALID, - XMLSEC_ERRORS_NO_MESSAGE); - return(0); - } - if(ts > notValidAfter) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - NULL, - XMLSEC_ERRORS_R_CERT_HAS_EXPIRED, - XMLSEC_ERRORS_NO_MESSAGE); - return(0); - } - } - - /* GOOD! */ - return(1); -} - -/** - * xmlSecGnuTLSX509StoreVerify: - * @store: the pointer to X509 key data store klass. - * @certs: the untrusted certificates. - * @crls: the crls. - * @keyInfoCtx: the pointer to <dsig:KeyInfo/> element processing context. - * - * Verifies @certs list. - * - * Returns: pointer to the first verified certificate from @certs. - */ -gnutls_x509_crt_t -xmlSecGnuTLSX509StoreVerify(xmlSecKeyDataStorePtr store, - xmlSecPtrListPtr certs, - xmlSecPtrListPtr crls, - const xmlSecKeyInfoCtx* keyInfoCtx) { - xmlSecGnuTLSX509StoreCtxPtr ctx; - gnutls_x509_crt_t res = NULL; - xmlSecSize certs_size = 0; - gnutls_x509_crt_t * cert_list = NULL; - xmlSecSize cert_list_length; - gnutls_x509_crl_t * crl_list = NULL; - xmlSecSize crl_list_length; - gnutls_x509_crt_t * ca_list = NULL; - xmlSecSize ca_list_length; - time_t verification_time; - unsigned int flags = 0; - xmlSecSize ii; - int ret; - int err; - - xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecGnuTLSX509StoreId), NULL); - xmlSecAssert2(certs != NULL, NULL); - xmlSecAssert2(crls != NULL, NULL); - xmlSecAssert2(keyInfoCtx != NULL, NULL); - - certs_size = xmlSecPtrListGetSize(certs); - if(certs_size <= 0) { - /* nothing to do */ - return(NULL); - } - - ctx = xmlSecGnuTLSX509StoreGetCtx(store); - xmlSecAssert2(ctx != NULL, NULL); - - /* Prepare */ - cert_list_length = certs_size + xmlSecPtrListGetSize(&(ctx->certsUntrusted)); - if(cert_list_length > 0) { - cert_list = (gnutls_x509_crt_t *)xmlMalloc(sizeof(gnutls_x509_crt_t) * cert_list_length); - if(cert_list == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "xmlMalloc", - XMLSEC_ERRORS_R_MALLOC_FAILED, - "size=%d", (int)(sizeof(gnutls_x509_crt_t) * cert_list_length)); - goto done; - } - } - crl_list_length = xmlSecPtrListGetSize(crls); - if(crl_list_length > 0) { - crl_list = (gnutls_x509_crl_t *)xmlMalloc(sizeof(gnutls_x509_crl_t) * crl_list_length); - if(crl_list == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "xmlMalloc", - XMLSEC_ERRORS_R_MALLOC_FAILED, - "size=%d", (int)(sizeof(gnutls_x509_crl_t) * crl_list_length)); - goto done; - } - for(ii = 0; ii < crl_list_length; ++ii) { - crl_list[ii] = xmlSecPtrListGetItem(crls, ii); - if(crl_list[ii] == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "xmlSecPtrListGetItem(crls)", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - goto done; - } - } - } - - ca_list_length = xmlSecPtrListGetSize(&(ctx->certsTrusted)); - if(ca_list_length > 0) { - ca_list = (gnutls_x509_crt_t *)xmlMalloc(sizeof(gnutls_x509_crt_t) * ca_list_length); - if(ca_list == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "xmlMalloc", - XMLSEC_ERRORS_R_MALLOC_FAILED, - "size=%d", (int)(sizeof(gnutls_x509_crt_t) * ca_list_length)); - goto done; - } - for(ii = 0; ii < ca_list_length; ++ii) { - ca_list[ii] = xmlSecPtrListGetItem(&(ctx->certsTrusted), ii); - if(ca_list[ii] == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "xmlSecPtrListGetItem(certsTrusted)", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - goto done; - } - } - } - - /* gnutls doesn't allow to specify "verification" timestamp so - we have to do it ourselves */ - verification_time = (keyInfoCtx->certsVerificationTime > 0) ? - keyInfoCtx->certsVerificationTime : - time(0); - flags |= GNUTLS_VERIFY_DISABLE_TIME_CHECKS; - - if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_STRICT_CHECKS) != 0) { - flags |= GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2; - flags |= GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5; - } - - /* We are going to build all possible cert chains and try to verify them */ - for(ii = 0; (ii < certs_size) && (res == NULL); ++ii) { - gnutls_x509_crt_t cert, cert2; - xmlSecSize cert_list_cur_length = 0; - unsigned int verify = 0; - - cert = xmlSecPtrListGetItem(certs, ii); - if(cert == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "xmlSecPtrListGetItem(certs)", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - goto done; - } - - /* check if we are the "leaf" node in the certs chain */ - if(xmlSecGnuTLSX509FindSignedCert(certs, cert) != NULL) { - continue; - } - - /* build the chain */ - for(cert2 = cert, cert_list_cur_length = 0; - (cert2 != NULL) && (cert_list_cur_length < cert_list_length); - ++cert_list_cur_length) - { - gnutls_x509_crt_t tmp; - - /* store */ - cert_list[cert_list_cur_length] = cert2; - - /* find next */ - tmp = xmlSecGnuTLSX509FindSignerCert(certs, cert2); - if(tmp == NULL) { - tmp = xmlSecGnuTLSX509FindSignerCert(&(ctx->certsUntrusted), cert2); - } - cert2 = tmp; - } - - /* try to verify */ - err = gnutls_x509_crt_list_verify( - cert_list, (int)cert_list_cur_length, /* certs chain */ - ca_list, (int)ca_list_length, /* trusted cas */ - crl_list, (int)crl_list_length, /* crls */ - flags, /* flags */ - &verify); - if(err != GNUTLS_E_SUCCESS) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "gnutls_x509_crt_list_verify", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_GNUTLS_REPORT_ERROR(err)); - /* don't stop, continue! */ - continue; - } else if(verify != 0){ - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "gnutls_x509_crt_list_verify", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - "Verification failed: verify=%u", verify); - /* don't stop, continue! */ - continue; - } - - /* gnutls doesn't allow to specify "verification" timestamp so - we have to do it ourselves */ - ret = xmlSecGnuTLSX509CheckTime(cert_list, cert_list_cur_length, verification_time); - if(ret != 1) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - "Time verification failed"); - /* don't stop, continue! */ - continue; - } - - /* DONE! */ - res = cert; - } - -done: - /* cleanup */ - if(ca_list != NULL) { - xmlFree(ca_list); - } - if(crl_list != NULL) { - xmlFree(crl_list); - } - if(cert_list != NULL) { - xmlFree(cert_list); - } - - return(res); -} - -/** - * xmlSecGnuTLSX509StoreAdoptCert: - * @store: the pointer to X509 key data store klass. - * @cert: the pointer to GnuTLS X509 certificate. - * @type: the certificate type (trusted/untrusted). - * - * Adds trusted (root) or untrusted certificate to the store. - * - * Returns: 0 on success or a negative value if an error occurs. - */ -int -xmlSecGnuTLSX509StoreAdoptCert(xmlSecKeyDataStorePtr store, gnutls_x509_crt_t cert, xmlSecKeyDataType type) { - xmlSecGnuTLSX509StoreCtxPtr ctx; - int ret; - - xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecGnuTLSX509StoreId), -1); - xmlSecAssert2(cert != NULL, -1); - - ctx = xmlSecGnuTLSX509StoreGetCtx(store); - xmlSecAssert2(ctx != NULL, -1); - - if((type & xmlSecKeyDataTypeTrusted) != 0) { - ret = xmlSecPtrListAdd(&(ctx->certsTrusted), cert); - if(ret < 0) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "xmlSecPtrListAdd(trusted)", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(-1); - } - } else { - ret = xmlSecPtrListAdd(&(ctx->certsUntrusted), cert); - if(ret < 0) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "xmlSecPtrListAdd(untrusted)", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(-1); - } - } - - /* done */ - return(0); -} - -static int -xmlSecGnuTLSX509StoreInitialize(xmlSecKeyDataStorePtr store) { - xmlSecGnuTLSX509StoreCtxPtr ctx; - int ret; - - xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecGnuTLSX509StoreId), -1); - - ctx = xmlSecGnuTLSX509StoreGetCtx(store); - xmlSecAssert2(ctx != NULL, -1); - - memset(ctx, 0, sizeof(xmlSecGnuTLSX509StoreCtx)); - - ret = xmlSecPtrListInitialize(&(ctx->certsTrusted), xmlSecGnuTLSX509CrtListId); - if(ret < 0) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "xmlSecPtrListInitialize(trusted)", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(-1); - } - - ret = xmlSecPtrListInitialize(&(ctx->certsUntrusted), xmlSecGnuTLSX509CrtListId); - if(ret < 0) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "xmlSecPtrListInitialize(untrusted)", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(-1); - } - - return(0); -} - -static void -xmlSecGnuTLSX509StoreFinalize(xmlSecKeyDataStorePtr store) { - xmlSecGnuTLSX509StoreCtxPtr ctx; - xmlSecAssert(xmlSecKeyDataStoreCheckId(store, xmlSecGnuTLSX509StoreId)); - - ctx = xmlSecGnuTLSX509StoreGetCtx(store); - xmlSecAssert(ctx != NULL); - - xmlSecPtrListFinalize(&(ctx->certsTrusted)); - xmlSecPtrListFinalize(&(ctx->certsUntrusted)); - - memset(ctx, 0, sizeof(xmlSecGnuTLSX509StoreCtx)); -} - - -/***************************************************************************** - * - * Low-level x509 functions - * - *****************************************************************************/ -#define XMLSEC_GNUTLS_DN_ATTRS_SIZE 1024 -static int -xmlSecGnuTLSX509DnsEqual(const xmlChar * ll, const xmlChar * rr) { - xmlSecGnuTLSDnAttr ll_attrs[XMLSEC_GNUTLS_DN_ATTRS_SIZE]; - xmlSecGnuTLSDnAttr rr_attrs[XMLSEC_GNUTLS_DN_ATTRS_SIZE]; - int ret; - int res = -1; - - xmlSecAssert2(ll != NULL, -1); - xmlSecAssert2(rr != NULL, -1); - - /* fast version first */ - if(xmlStrEqual(ll, rr)) { - return(1); - } - - /* prepare */ - xmlSecGnuTLSDnAttrsInitialize(ll_attrs, XMLSEC_GNUTLS_DN_ATTRS_SIZE); - xmlSecGnuTLSDnAttrsInitialize(rr_attrs, XMLSEC_GNUTLS_DN_ATTRS_SIZE); - - /* parse */ - ret = xmlSecGnuTLSDnAttrsParse(ll, ll_attrs, XMLSEC_GNUTLS_DN_ATTRS_SIZE); - if(ret < 0) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecGnuTLSDnAttrsParse(ll)", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - goto done; - } - - ret = xmlSecGnuTLSDnAttrsParse(rr, rr_attrs, XMLSEC_GNUTLS_DN_ATTRS_SIZE); - if(ret < 0) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecGnuTLSDnAttrsParse(rr)", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - goto done; - } - - /* compare */ - ret = xmlSecGnuTLSDnAttrsEqual(ll_attrs, XMLSEC_GNUTLS_DN_ATTRS_SIZE, - rr_attrs, XMLSEC_GNUTLS_DN_ATTRS_SIZE); - if(ret == 1) { - res = 1; - } else if(ret == 0) { - res = 0; - } else { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecGnuTLSDnAttrsEqual", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - goto done; - } - -done: - xmlSecGnuTLSDnAttrsDeinitialize(ll_attrs, XMLSEC_GNUTLS_DN_ATTRS_SIZE); - xmlSecGnuTLSDnAttrsDeinitialize(rr_attrs, XMLSEC_GNUTLS_DN_ATTRS_SIZE); - return(res); -} - -static gnutls_x509_crt_t -xmlSecGnuTLSX509FindCert(xmlSecPtrListPtr certs, - const xmlChar *subjectName, - const xmlChar *issuerName, - const xmlChar *issuerSerial, - const xmlChar *ski) { - xmlSecSize ii, sz; - - xmlSecAssert2(certs != NULL, NULL); - - /* todo: this is not the fastest way to search certs */ - sz = xmlSecPtrListGetSize(certs); - for(ii = 0; (ii < sz); ++ii) { - gnutls_x509_crt_t cert = xmlSecPtrListGetItem(certs, ii); - if(cert == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecPtrListGetItem", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "pos=%i", (int)ii); - return(NULL); - } - - if(subjectName != NULL) { - xmlChar * tmp; - - tmp = xmlSecGnuTLSX509CertGetSubjectDN(cert); - if(tmp == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecGnuTLSX509CertGetSubjectDN", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "pos=%i", (int)ii); - return(NULL); - } - - if(xmlSecGnuTLSX509DnsEqual(subjectName, tmp) == 1) { - xmlFree(tmp); - return(cert); - } - xmlFree(tmp); - } else if((issuerName != NULL) && (issuerSerial != NULL)) { - xmlChar * tmp1; - xmlChar * tmp2; - - tmp1 = xmlSecGnuTLSX509CertGetIssuerDN(cert); - if(tmp1 == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecGnuTLSX509CertGetIssuerDN", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "pos=%i", (int)ii); - return(NULL); - } - - tmp2 = xmlSecGnuTLSX509CertGetIssuerSerial(cert); - if(tmp2 == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecGnuTLSX509CertGetIssuerSerial", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "pos=%i", (int)ii); - xmlFree(tmp1); - return(NULL); - } - - if((xmlSecGnuTLSX509DnsEqual(issuerName, tmp1) == 1) && xmlStrEqual(issuerSerial, tmp2)) { - xmlFree(tmp1); - xmlFree(tmp2); - return(cert); - } - xmlFree(tmp1); - xmlFree(tmp2); - } else if(ski != NULL) { - xmlChar * tmp; - - tmp = xmlSecGnuTLSX509CertGetSKI(cert); - if(tmp == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecGnuTLSX509CertGetSKI", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "pos=%i", (int)ii); - return(NULL); - } - - if(xmlStrEqual(ski, tmp)) { - xmlFree(tmp); - return(cert); - } - xmlFree(tmp); - } - } - - return(NULL); -} - -/* signed cert has issuer dn equal to our's subject dn */ -static gnutls_x509_crt_t -xmlSecGnuTLSX509FindSignedCert(xmlSecPtrListPtr certs, gnutls_x509_crt_t cert) { - gnutls_x509_crt_t res = NULL; - xmlChar * subject = NULL; - xmlSecSize ii, sz; - - xmlSecAssert2(certs != NULL, NULL); - xmlSecAssert2(cert != NULL, NULL); - - /* get subject */ - subject = xmlSecGnuTLSX509CertGetSubjectDN(cert); - if(subject == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecGnuTLSX509CertGetSubjectDN", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - goto done; - } - - /* todo: this is not the fastest way to search certs */ - sz = xmlSecPtrListGetSize(certs); - for(ii = 0; (ii < sz) && (res == NULL); ++ii) { - gnutls_x509_crt_t tmp; - xmlChar * issuer; - - tmp = xmlSecPtrListGetItem(certs, ii); - if(tmp == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecPtrListGetItem", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "pos=%i", (int)ii); - goto done; - } - - issuer = xmlSecGnuTLSX509CertGetIssuerDN(tmp); - if(issuer == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecGnuTLSX509CertGetIssuerDN", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "pos=%i", (int)ii); - goto done; - } - - /* are we done? */ - if(xmlSecGnuTLSX509DnsEqual(subject, issuer) == 1) { - res = tmp; - } - xmlFree(issuer); - } - -done: - if(subject != NULL) { - xmlFree(subject); - } - return(res); -} - -/* signer cert has subject dn equal to our's issuer dn */ -static gnutls_x509_crt_t -xmlSecGnuTLSX509FindSignerCert(xmlSecPtrListPtr certs, gnutls_x509_crt_t cert) { - gnutls_x509_crt_t res = NULL; - xmlChar * issuer = NULL; - xmlSecSize ii, sz; - - xmlSecAssert2(certs != NULL, NULL); - xmlSecAssert2(cert != NULL, NULL); - - /* get issuer */ - issuer = xmlSecGnuTLSX509CertGetIssuerDN(cert); - if(issuer == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecGnuTLSX509CertGetIssuerDN", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - goto done; - } - - /* todo: this is not the fastest way to search certs */ - sz = xmlSecPtrListGetSize(certs); - for(ii = 0; (ii < sz) && (res == NULL); ++ii) { - gnutls_x509_crt_t tmp; - xmlChar * subject; - - tmp = xmlSecPtrListGetItem(certs, ii); - if(tmp == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecPtrListGetItem", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "pos=%i", (int)ii); - goto done; - } - - subject = xmlSecGnuTLSX509CertGetSubjectDN(tmp); - if(subject == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecGnuTLSX509CertGetSubjectDN", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "pos=%i", (int)ii); - goto done; - } - - /* are we done? */ - if((xmlSecGnuTLSX509DnsEqual(issuer, subject) == 1)) { - res = tmp; - } - xmlFree(subject); - } - -done: - if(issuer != NULL) { - xmlFree(issuer); - } - return(res); -} - -#endif /* XMLSEC_NO_X509 */ - - |