Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP2:Update
gnutls.27026
0002-_gnutls_pkcs11_verify_crt_status-check-val...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0002-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch of Package gnutls.27026
From 299bd4f113d0bd39fa1577a671a04ed7899eff3c Mon Sep 17 00:00:00 2001 From: Daiki Ueno <ueno@gnu.org> Date: Sun, 31 May 2020 12:39:14 +0200 Subject: [PATCH 1/3] _gnutls_pkcs11_verify_crt_status: check validity against system cert To verify a certificate chain, this function replaces known certificates with the ones in the system trust store if possible. However, if it is found, the function checks the validity of the original certificate rather than the certificate found in the trust store. That reveals a problem in a scenario that (1) a certificate is signed by multiple issuers and (2) one of the issuers' certificate has expired and included in the input chain. This patch makes it a little robuster by actually retrieving the certificate from the trust store and perform check against it. Signed-off-by: Daiki Ueno <ueno@gnu.org> --- lib/pkcs11.c | 98 +++++++++++++++++++++++++++++++++-------------- lib/pkcs11_int.h | 5 +++ lib/x509/verify.c | 7 +++- 3 files changed, 80 insertions(+), 30 deletions(-) Index: gnutls-3.6.7/lib/pkcs11.c =================================================================== --- gnutls-3.6.7.orig/lib/pkcs11.c 2020-06-05 11:46:56.276188039 +0200 +++ gnutls-3.6.7/lib/pkcs11.c 2020-06-05 11:46:57.408195852 +0200 @@ -4509,34 +4509,10 @@ int gnutls_pkcs11_get_raw_issuer_by_subj return ret; } -/** - * gnutls_pkcs11_crt_is_known: - * @url: A PKCS 11 url identifying a token - * @cert: is the certificate to find issuer for - * @issuer: Will hold the issuer if any in an allocated buffer. - * @fmt: The format of the exported issuer. - * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG. - * - * This function will check whether the provided certificate is stored - * in the specified token. This is useful in combination with - * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or - * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, - * to check whether a CA is present or a certificate is blacklisted in - * a trust PKCS #11 module. - * - * This function can be used with a @url of "pkcs11:", and in that case all modules - * will be searched. To restrict the modules to the marked as trusted in p11-kit - * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag. - * - * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is - * specific to p11-kit trust modules. - * - * Returns: If the certificate exists non-zero is returned, otherwise zero. - * - * Since: 3.3.0 - **/ -unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, - unsigned int flags) +unsigned +_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, + unsigned int flags, + gnutls_x509_crt_t *trusted_cert) { int ret; struct find_cert_st priv; @@ -4548,6 +4524,15 @@ unsigned gnutls_pkcs11_crt_is_known(cons memset(&priv, 0, sizeof(priv)); + if (trusted_cert) { + ret = gnutls_pkcs11_obj_init(&priv.obj); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + priv.need_import = 1; + } + if (url == NULL || url[0] == 0) { url = "pkcs11:"; } @@ -4594,8 +4579,18 @@ unsigned gnutls_pkcs11_crt_is_known(cons _gnutls_debug_log("crt_is_known: did not find cert, using issuer DN + serial, using DN only\n"); /* attempt searching with the subject DN only */ gnutls_assert(); + if (priv.obj) + gnutls_pkcs11_obj_deinit(priv.obj); gnutls_free(priv.serial.data); memset(&priv, 0, sizeof(priv)); + if (trusted_cert) { + ret = gnutls_pkcs11_obj_init(&priv.obj); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + priv.need_import = 1; + } priv.crt = cert; priv.flags = flags; @@ -4612,9 +4607,26 @@ unsigned gnutls_pkcs11_crt_is_known(cons goto cleanup; } + if (trusted_cert) { + ret = gnutls_x509_crt_init(trusted_cert); + if (ret < 0) { + gnutls_assert(); + ret = 0; + goto cleanup; + } + ret = gnutls_x509_crt_import_pkcs11(*trusted_cert, priv.obj); + if (ret < 0) { + gnutls_assert(); + gnutls_x509_crt_deinit(*trusted_cert); + ret = 0; + goto cleanup; + } + } ret = 1; cleanup: + if (priv.obj) + gnutls_pkcs11_obj_deinit(priv.obj); if (info) p11_kit_uri_free(info); gnutls_free(priv.serial.data); @@ -4623,6 +4635,36 @@ unsigned gnutls_pkcs11_crt_is_known(cons } /** + * gnutls_pkcs11_crt_is_known: + * @url: A PKCS 11 url identifying a token + * @cert: is the certificate to find issuer for + * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG. + * + * This function will check whether the provided certificate is stored + * in the specified token. This is useful in combination with + * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or + * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, + * to check whether a CA is present or a certificate is blacklisted in + * a trust PKCS #11 module. + * + * This function can be used with a @url of "pkcs11:", and in that case all modules + * will be searched. To restrict the modules to the marked as trusted in p11-kit + * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag. + * + * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is + * specific to p11-kit trust modules. + * + * Returns: If the certificate exists non-zero is returned, otherwise zero. + * + * Since: 3.3.0 + **/ +unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, + unsigned int flags) +{ + return _gnutls_pkcs11_crt_is_known(url, cert, flags, NULL); +} + +/** * gnutls_pkcs11_obj_get_flags: * @obj: The pkcs11 object * @oflags: Will hold the output flags Index: gnutls-3.6.7/lib/pkcs11_int.h =================================================================== --- gnutls-3.6.7.orig/lib/pkcs11_int.h 2020-06-05 11:46:57.408195852 +0200 +++ gnutls-3.6.7/lib/pkcs11_int.h 2020-06-05 11:47:51.656570223 +0200 @@ -460,6 +460,11 @@ inline static bool is_pkcs11_url_object( return 0; } +unsigned +_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, + unsigned int flags, + gnutls_x509_crt_t *trusted_cert); + #endif /* ENABLE_PKCS11 */ #endif Index: gnutls-3.6.7/lib/x509/verify.c =================================================================== --- gnutls-3.6.7.orig/lib/x509/verify.c 2020-06-05 11:46:56.280188067 +0200 +++ gnutls-3.6.7/lib/x509/verify.c 2020-06-05 11:46:57.408195852 +0200 @@ -34,6 +34,7 @@ #include <tls-sig.h> #include <str.h> #include <datum.h> +#include <pkcs11_int.h> #include <x509_int.h> #include <common.h> #include <pk.h> @@ -1173,6 +1174,7 @@ _gnutls_pkcs11_verify_crt_status(const c for (; i < clist_size; i++) { unsigned vflags; + gnutls_x509_crt_t trusted_cert; if (i == 0) /* in the end certificate do full comparison */ vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| @@ -1181,9 +1183,10 @@ _gnutls_pkcs11_verify_crt_status(const c vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED; - if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags) != 0) { + if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags, &trusted_cert) != 0) { - status |= check_ca_sanity(certificate_list[i], now, flags); + status |= check_ca_sanity(trusted_cert, now, flags); + gnutls_x509_crt_deinit(trusted_cert); if (func) func(certificate_list[i],
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor