aboutsummaryrefslogtreecommitdiffstats
path: root/main/gnutls/_gnutls_pkcs11_verify_crt_status-check-validity-against-system-cert.patch
blob: 13d002a106807f6facb1324ed694d8ca9756381c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
From 299bd4f113d0bd39fa1577a671a04ed7899eff3c Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Sun, 31 May 2020 12:39:14 +0200
Subject: [PATCH] _gnutls_pkcs11_verify_crt_status: check validity against
 system cert

To verify a certificate chain, this function replaces known
certificates with the ones in the system trust store if possible.

However, if it is found, the function checks the validity of the
original certificate rather than the certificate found in the trust
store.  That reveals a problem in a scenario that (1) a certificate is
signed by multiple issuers and (2) one of the issuers' certificate has
expired and included in the input chain.

This patch makes it a little robuster by actually retrieving the
certificate from the trust store and perform check against it.

Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
 lib/pkcs11.c      | 98 +++++++++++++++++++++++++++++++++--------------
 lib/pkcs11_int.h  |  5 +++
 lib/x509/verify.c |  7 +++-
 3 files changed, 80 insertions(+), 30 deletions(-)

diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index fad16aaf4f..d8d4a65114 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -4547,34 +4547,10 @@ int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url,
 	return ret;
 }
 
-/**
- * gnutls_pkcs11_crt_is_known:
- * @url: A PKCS 11 url identifying a token
- * @cert: is the certificate to find issuer for
- * @issuer: Will hold the issuer if any in an allocated buffer.
- * @fmt: The format of the exported issuer.
- * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG.
- *
- * This function will check whether the provided certificate is stored
- * in the specified token. This is useful in combination with 
- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or
- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED,
- * to check whether a CA is present or a certificate is blacklisted in
- * a trust PKCS #11 module.
- *
- * This function can be used with a @url of "pkcs11:", and in that case all modules
- * will be searched. To restrict the modules to the marked as trusted in p11-kit
- * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag.
- *
- * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is
- * specific to p11-kit trust modules.
- *
- * Returns: If the certificate exists non-zero is returned, otherwise zero.
- *
- * Since: 3.3.0
- **/
-unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
-				 unsigned int flags)
+unsigned
+_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
+			    unsigned int flags,
+			    gnutls_x509_crt_t *trusted_cert)
 {
 	int ret;
 	struct find_cert_st priv;
@@ -4586,6 +4562,15 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
 
 	memset(&priv, 0, sizeof(priv));
 
+	if (trusted_cert) {
+		ret = gnutls_pkcs11_obj_init(&priv.obj);
+		if (ret < 0) {
+			gnutls_assert();
+			goto cleanup;
+		}
+		priv.need_import = 1;
+	}
+
 	if (url == NULL || url[0] == 0) {
 		url = "pkcs11:";
 	}
@@ -4632,8 +4617,18 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
 		_gnutls_debug_log("crt_is_known: did not find cert, using issuer DN + serial, using DN only\n");
 		/* attempt searching with the subject DN only */
 		gnutls_assert();
+		if (priv.obj)
+			gnutls_pkcs11_obj_deinit(priv.obj);
 		gnutls_free(priv.serial.data);
 		memset(&priv, 0, sizeof(priv));
+		if (trusted_cert) {
+			ret = gnutls_pkcs11_obj_init(&priv.obj);
+			if (ret < 0) {
+				gnutls_assert();
+				goto cleanup;
+			}
+			priv.need_import = 1;
+		}
 		priv.crt = cert;
 		priv.flags = flags;
 
@@ -4650,9 +4645,26 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
 		goto cleanup;
 	}
 
+	if (trusted_cert) {
+		ret = gnutls_x509_crt_init(trusted_cert);
+		if (ret < 0) {
+			gnutls_assert();
+			ret = 0;
+			goto cleanup;
+		}
+		ret = gnutls_x509_crt_import_pkcs11(*trusted_cert, priv.obj);
+		if (ret < 0) {
+			gnutls_assert();
+			gnutls_x509_crt_deinit(*trusted_cert);
+			ret = 0;
+			goto cleanup;
+		}
+	}
 	ret = 1;
 
       cleanup:
+	if (priv.obj)
+		gnutls_pkcs11_obj_deinit(priv.obj);
 	if (info)
 		p11_kit_uri_free(info);
 	gnutls_free(priv.serial.data);
@@ -4660,6 +4672,36 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
 	return ret;
 }
 
+/**
+ * gnutls_pkcs11_crt_is_known:
+ * @url: A PKCS 11 url identifying a token
+ * @cert: is the certificate to find issuer for
+ * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG.
+ *
+ * This function will check whether the provided certificate is stored
+ * in the specified token. This is useful in combination with 
+ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or
+ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED,
+ * to check whether a CA is present or a certificate is blacklisted in
+ * a trust PKCS #11 module.
+ *
+ * This function can be used with a @url of "pkcs11:", and in that case all modules
+ * will be searched. To restrict the modules to the marked as trusted in p11-kit
+ * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag.
+ *
+ * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is
+ * specific to p11-kit trust modules.
+ *
+ * Returns: If the certificate exists non-zero is returned, otherwise zero.
+ *
+ * Since: 3.3.0
+ **/
+unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
+				 unsigned int flags)
+{
+	return _gnutls_pkcs11_crt_is_known(url, cert, flags, NULL);
+}
+
 /**
  * gnutls_pkcs11_obj_get_flags:
  * @obj: The pkcs11 object
diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h
index 9d88807098..86cce0dee5 100644
--- a/lib/pkcs11_int.h
+++ b/lib/pkcs11_int.h
@@ -460,6 +460,11 @@ inline static bool is_pkcs11_url_object(const char *url)
 	return 0;
 }
 
+unsigned
+_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
+			    unsigned int flags,
+			    gnutls_x509_crt_t *trusted_cert);
+
 #endif				/* ENABLE_PKCS11 */
 
 #endif /* GNUTLS_LIB_PKCS11_INT_H */
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index d202670198..fd7c6a1642 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -34,6 +34,7 @@
 #include <tls-sig.h>
 #include <str.h>
 #include <datum.h>
+#include <pkcs11_int.h>
 #include <x509_int.h>
 #include <common.h>
 #include <pk.h>
@@ -1188,6 +1189,7 @@ _gnutls_pkcs11_verify_crt_status(const char* url,
 
 	for (; i < clist_size; i++) {
 		unsigned vflags;
+		gnutls_x509_crt_t trusted_cert;
 
 		if (i == 0) /* in the end certificate do full comparison */
 			vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
@@ -1196,9 +1198,10 @@ _gnutls_pkcs11_verify_crt_status(const char* url,
 			vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
 				GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED;
 
-		if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags) != 0) {
+		if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags, &trusted_cert) != 0) {
 
-			status |= check_ca_sanity(certificate_list[i], now, flags);
+			status |= check_ca_sanity(trusted_cert, now, flags);
+			gnutls_x509_crt_deinit(trusted_cert);
 
 			if (func)
 				func(certificate_list[i],
-- 
2.26.2