1 /* certpath.c - path validation
2 * Copyright (C) 2001 Free Software Foundation, Inc.
4 * This file is part of GnuPG.
6 * GnuPG is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * GnuPG is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
/* Reject CERT if it carries a critical extension that this code does
   not implement.  Only the OIDs listed in KNOWN may be marked
   critical; any other critical extension yields
   GNUPG_Unsupported_Certificate, the conservative reading of the
   X.509 rule that unrecognised critical extensions must cause
   rejection.  Returns 0 on success or a GNUPG error code. */
38 unknown_criticals (KsbaCert cert)
40 static const char *known[] = {
41 "2.5.29.15", /* keyUsage */
42 "2.5.29.19", /* basic Constraints */
43 "2.5.29.32", /* certificatePolicies */
46 int rc = 0, i, idx, crit;
/* Walk all extensions of CERT; the loop ends when ksba returns an
   error, which presumably includes the end-of-list condition (the
   test separating that from real errors is not visible here). */
50 for (idx=0; !(err=ksba_cert_get_extension (cert, idx,
51 &oid, &crit, NULL, NULL));idx++)
/* Linear lookup of OID in KNOWN.  Only a critical extension that is
   not in the list is an error; the test on CRIT is not visible in
   this excerpt. */
55 for (i=0; known[i] && strcmp (known[i],oid); i++)
59 log_error (_("critical certificate extension %s is not supported\n"),
61 rc = GNUPG_Unsupported_Certificate;
/* Any remaining ksba error is mapped to a GNUPG error code. */
65 rc = map_ksba_err (err);
/* Check that CERT is marked as a CA (basicConstraints).  On success
   the path length constraint is stored at PATHLEN when that is not
   NULL; judging from the `pathlen >= 0' test in gpgsm_validate_path a
   negative value presumably means "no constraint" -- confirm with
   ksba_cert_is_ca.  Returns 0, a mapped ksba error, or
   GNUPG_Bad_CA_Certificate when the CA flag is not set. */
71 allowed_ca (KsbaCert cert, int *pathlen)
76 err = ksba_cert_is_ca (cert, &flag, pathlen);
78 return map_ksba_err (err);
/* FLAG is the CA boolean reported by ksba; the test on it sits between
   these lines and is not visible in this excerpt. */
81 log_error (_("issuer certificate is not marked as a CA\n"));
82 return GNUPG_Bad_CA_Certificate;
/* Check the certificate policies of CERT against the OIDs listed in
   opt.policy_file.  Returns 0 when CERT has no policy extension, when
   one of its policy OIDs is listed in the file, or when nothing
   matched but none of the policies is marked critical.  A critical
   policy without a match, or without a policy file at all, is an
   error; so is an unreadable or malformed policy file. */
89 check_cert_policy (KsbaCert cert)
96 err = ksba_cert_get_cert_policies (cert, &policies);
97 if (err == KSBA_No_Data)
98 return 0; /* no policy given */
100 return map_ksba_err (err);
102 /* STRING is a line delimited list of certificate policies as stored
103 in the certificate. The line itself is colon delimited where the
104 first field is the OID of the policy and the second field either
105 N or C for normal or critical extension */
108 log_info ("certificate's policy list: %s\n", policies);
110 /* The check is very minimal but won't give false positives */
/* An OID consists of digits and dots only, so ":C" can occur only as
   the field separator followed by the critical flag. */
111 any_critical = !!strstr (policies, ":C");
/* Without a configured policy file a critical policy cannot be
   honoured, so it is a hard error.  The non-critical branch (which
   presumably returns 0) is not visible in this excerpt. */
113 if (!opt.policy_file)
118 log_error ("critical marked policy without configured policies\n");
119 return GNUPG_No_Policy_Match;
/* A configured but unreadable policy file is a configuration error
   rather than a silent "no policies configured". */
124 fp = fopen (opt.policy_file, "r");
127 log_error ("failed to open `%s': %s\n",
128 opt.policy_file, strerror (errno));
130 return GNUPG_Configuration_Error;
137 char *haystack, *allowed;
/* Read the policy file line by line until an OID matches.  Running
   out of lines means no policy matched.  NOTE(review): the fclose of
   FP and release of POLICIES on the return paths below are not
   visible in this excerpt -- confirm both happen before each return. */
142 if (!fgets (line, DIM(line)-1, fp) )
148 log_error (_("certificate policy not allowed\n"));
149 /* with no critical policies this is only a warning */
150 return any_critical? GNUPG_No_Policy_Match : 0;
153 return GNUPG_Read_Error;
/* Reject over-long or unterminated lines rather than matching a
   truncated OID; the remainder of the line is consumed first so the
   error refers to the right line. */
156 if (!*line || line[strlen(line)-1] != '\n')
158 /* eat until end of line */
159 while ( (c=getc (fp)) != EOF && c != '\n')
163 return *line? GNUPG_Line_Too_Long: GNUPG_Incomplete_Line;
166 /* Allow for empty lines and spaces */
167 for (p=line; spacep (p); p++)
170 while (!*p || *p == '\n' || *p == '#');
173 for (allowed=line; spacep (allowed); allowed++)
/* The line is known to end in '\n' (checked above), so strpbrk cannot
   return NULL here and `!*p' is never true; `!p' is presumably what
   was intended and would be the safe test should the newline check
   ever be relaxed. */
175 p = strpbrk (allowed, " :\n");
176 if (!*p || p == allowed)
180 return GNUPG_Configuration_Error;
182 *p = 0; /* strip the rest of the line */
183 /* See whether we find ALLOWED (which is an OID) in POLICIES */
/* A bare strstr hit is not enough: ALLOWED must start a line of
   POLICIES and be followed by the ':' separator, so "1.2.3" matches
   neither "1.2.34:N" nor "11.2.3:N". */
184 for (haystack=policies; (p=strstr (haystack, allowed)); haystack = p+1)
186 if ( !(p == policies || p[-1] == '\n') )
187 continue; /* does not match the begin of a line */
188 if (p[strlen (allowed)] != ':')
189 continue; /* the length does not match */
190 /* Yep - it does match so return okay */
/* Locate the issuer certificate of CERT in the key database KH.  The
   authorityKeyIdentifier (issuer name plus serial number) is tried
   first because it designates one specific certificate; a lookup by
   the issuer's name ISSUER serves as fallback (the condition guarding
   the fallback is not visible in this excerpt).  A name-based hit is
   only a candidate: callers such as gpgsm_validate_path verify the
   candidate's signature on CERT with gpgsm_check_cert_sig before
   relying on it.  Returns the keydb search result code. */
200 find_up (KEYDB_HANDLE kh, KsbaCert cert, const char *issuer)
206 if (!ksba_cert_get_auth_key_id (cert, NULL, &authid, &authidno))
/* Only the first name in the authority key identifier is used. */
208 const char *s = ksba_name_enum (authid, 0);
211 rc = keydb_search_issuer_sn (kh, s, authidno);
213 keydb_search_reset (kh);
215 ksba_name_release (authid);
/* Fallback: search by the issuer's subject name. */
220 rc = keydb_search_subject (kh, issuer);
225 /* Return the next certificate up in the chain starting at START.
226 Returns -1 when there are no more certificates. */
/* "No more certificates" is decided by comparing issuer and subject
   names only; no signature is verified here, so a caller must not
   treat the certificate stored at *R_NEXT as authenticated.  Other
   failures return a GNUPG error code.  The keydb handle release and
   the freeing of ISSUER/SUBJECT are not visible in this excerpt. */
228 gpgsm_walk_cert_chain (KsbaCert start, KsbaCert *r_next)
232 char *subject = NULL;
233 KEYDB_HANDLE kh = keydb_new (0);
238 log_error (_("failed to allocated keyDB handle\n"));
239 rc = GNUPG_General_Error;
243 issuer = ksba_cert_get_issuer (start, 0);
244 subject = ksba_cert_get_subject (start, 0);
247 log_error ("no issuer found in certificate\n");
248 rc = GNUPG_Bad_Certificate;
253 log_error ("no subject found in certificate\n");
254 rc = GNUPG_Bad_Certificate;
/* Name-based root detection: issuer DN equal to subject DN. */
258 if (!strcmp (issuer, subject))
260 rc = -1; /* we are at the root */
264 rc = find_up (kh, start, issuer);
267 /* it is quite common not to have a certificate, so better don't
268 print an error here */
269 if (rc != -1 && opt.verbose > 1)
270 log_error ("failed to find issuer's certificate: rc=%d\n", rc);
271 rc = GNUPG_Missing_Certificate;
/* Fetch the certificate found by the search into *R_NEXT. */
275 rc = keydb_get_cert (kh, r_next);
278 log_error ("failed to get cert: rc=%d\n", rc);
279 rc = GNUPG_General_Error;
290 /* Check whether the CERT is a root certificate. Returns True if this
/* is the case.  The test is purely on names (issuer DN equal to
   subject DN); the self-signature is not verified in this function,
   so a positive answer alone does not establish trust -- that is the
   job of gpgsm_validate_path.  The freeing of ISSUER and SUBJECT is
   not visible in this excerpt. */
293 gpgsm_is_root_cert (KsbaCert cert)
299 issuer = ksba_cert_get_issuer (cert, 0);
300 subject = ksba_cert_get_subject (cert, 0);
/* A certificate lacking either name is not a root. */
301 yes = (issuer && subject && !strcmp (issuer, subject));
308 /* Validate a path and optionally return the nearest expiration time
/* of any certificate on it at *R_EXPTIME.  Starting at CERT the chain
   is walked upwards; for each certificate the validity period,
   critical extensions, policies and CRL status are checked, the
   issuer is located, its signature on the subject is verified and its
   CA status and path length constraint are enforced, until a
   self-signed certificate is reached whose trust is decided via the
   agent.  Returns 0 if the whole path is good, else a GNUPG error
   code.  The enclosing loop and a number of condition and goto lines
   are not visible in this excerpt. */
311 gpgsm_validate_path (KsbaCert cert, time_t *r_exptime)
313 int rc = 0, depth = 0, maxdepth;
315 char *subject = NULL;
316 KEYDB_HANDLE kh = keydb_new (0);
317 KsbaCert subject_cert = NULL, issuer_cert = NULL;
318 time_t current_time = time (NULL);
/* Debug switch that skips path validation altogether; a testing aid
   only, since with it set no check below runs (the return on this
   path is not visible here). */
324 if ((opt.debug & 4096))
326 log_info ("WARNING: bypassing path validation\n");
332 log_error (_("failed to allocated keyDB handle\n"));
333 rc = GNUPG_General_Error;
338 gpgsm_dump_cert ("subject", cert);
347 issuer = ksba_cert_get_issuer (subject_cert, 0);
348 subject = ksba_cert_get_subject (subject_cert, 0);
352 log_error ("no issuer found in certificate\n");
353 rc = GNUPG_Bad_Certificate;
/* Validity period.  The (time_t)(-1) sentinel marks a validity that
   could not be decoded and rejects the certificate; a zero NOT_BEFORE
   or NOT_AFTER disables the corresponding comparison below. */
358 time_t not_before, not_after;
360 not_before = ksba_cert_get_validity (subject_cert, 0);
361 not_after = ksba_cert_get_validity (subject_cert, 1);
362 if (not_before == (time_t)(-1) || not_after == (time_t)(-1))
364 log_error ("certificate with invalid validity\n");
365 rc = GNUPG_Bad_Certificate;
/* Track the earliest expiration on the path for *R_EXPTIME; the
   initialisation of EXPTIME and the preceding branch are not
   visible. */
373 else if (not_after < exptime)
377 if (not_before && current_time < not_before)
379 log_error ("certificate to young; valid from ");
380 gpgsm_dump_time (not_before);
382 rc = GNUPG_Certificate_Too_Young;
385 if (not_after && current_time > not_after)
387 log_error ("certificate has expired at ");
388 gpgsm_dump_time (not_after);
390 rc = GNUPG_Certificate_Expired;
/* Unknown critical extensions are always fatal; the policy and CRL
   checks can be switched off by option, which is reported at the end
   of the function. */
395 rc = unknown_criticals (subject_cert);
399 if (!opt.no_policy_check)
401 rc = check_cert_policy (subject_cert);
406 if (!opt.no_crl_check)
408 rc = gpgsm_dirmngr_isvalid (subject_cert);
/* Revoked, no CRL available and stale CRL are all failures; the
   switch header and the break/goto lines are not visible here. */
413 case GNUPG_Certificate_Revoked:
414 log_error (_("the certificate has been revoked\n"));
416 case GNUPG_No_CRL_Known:
417 log_error (_("no CRL found for certificate\n"));
419 case GNUPG_CRL_Too_Old:
420 log_error (_("the available CRL is too old\n"));
421 log_info (_("please make sure that the "
422 "\"dirmngr\" is properly installed\n"));
425 log_error (_("checking the CRL failed: %s\n"),
426 gnupg_strerror (rc));
/* A certificate whose issuer DN equals its subject DN ends the path.
   To be accepted it must carry a valid self-signature, be a CA, and be
   trusted according to the agent's trust list. */
433 if (subject && !strcmp (issuer, subject))
435 if (gpgsm_check_cert_sig (subject_cert, subject_cert) )
437 log_error ("selfsigned certificate has a BAD signatures\n");
/* A bad self-signature on the leaf is a bad certificate; further up
   the chain it is a bad path. */
438 rc = depth? GNUPG_Bad_Certificate_Path : GNUPG_Bad_Certificate;
441 rc = allowed_ca (subject_cert, NULL);
445 rc = gpgsm_agent_istrusted (subject_cert);
/* An untrusted root is reported with its fingerprint and the agent is
   asked whether to mark it trusted; the decision is the user's, not
   this code's.  The test on RC2 is not visible in this excerpt. */
448 else if (rc == GNUPG_Not_Trusted)
452 char *fpr = gpgsm_get_fingerprint_string (subject_cert,
454 log_info (_("root certificate is not marked trusted\n"));
455 log_info (_("fingerprint=%s\n"), fpr? fpr : "?");
457 rc2 = gpgsm_agent_marktrusted (subject_cert);
460 log_info (_("root certificate has now"
461 " been marked as trusted\n"));
466 gpgsm_dump_cert ("issuer", subject_cert);
467 log_info ("after checking the fingerprint, you may want "
468 "to enter it manually into "
469 "\"~/.gnupg-test/trustlist.txt\"\n");
474 log_error (_("checking the trust list failed: %s\n"),
475 gnupg_strerror (rc));
478 break; /* okay, a self-signed certificate is an end-point */
/* Hard upper bound on the chain length independent of any CA
   constraint; it also terminates the walk on a malformed or looping
   chain.  The initialisation of MAXDEPTH and the increment of DEPTH
   are not visible in this excerpt. */
482 if (depth > maxdepth)
484 log_error (_("certificate path too long\n"));
485 rc = GNUPG_Bad_Certificate_Path;
489 /* find the next cert up the tree */
490 keydb_search_reset (kh);
491 rc = find_up (kh, subject_cert, issuer);
/* A missing issuer is reported quietly at the info level; the
   condition separating "not found" from other search errors is not
   visible here. */
496 log_info ("issuer certificate (");
497 gpgsm_dump_string (issuer);
498 log_printf (") not found\n");
501 log_error ("failed to find issuer's certificate: rc=%d\n", rc);
502 rc = GNUPG_Missing_Certificate;
506 ksba_cert_release (issuer_cert); issuer_cert = NULL;
507 rc = keydb_get_cert (kh, &issuer_cert);
510 log_error ("failed to get cert: rc=%d\n", rc);
511 rc = GNUPG_General_Error;
517 log_debug ("got issuer's certificate:\n");
518 gpgsm_dump_cert ("issuer", issuer_cert);
/* The candidate found by name must actually have signed SUBJECT_CERT;
   this signature check is what binds the database lookup to the
   chain. */
521 if (gpgsm_check_cert_sig (issuer_cert, subject_cert) )
523 log_error ("certificate has a BAD signatures\n");
524 rc = GNUPG_Bad_Certificate_Path;
/* The issuer must be a CA, and its pathLenConstraint (PATHLEN,
   negative when absent) bounds the number of intermediate
   certificates below it.  The `depth - 1' arithmetic relies on DEPTH
   already counting this step -- confirm against the increment, which
   is not visible in this excerpt. */
530 rc = allowed_ca (issuer_cert, &pathlen);
533 if (pathlen >= 0 && (depth - 1) > pathlen)
535 log_error (_("certificate path longer than allowed by CA (%d)\n"),
537 rc = GNUPG_Bad_Certificate_Path;
/* Move one step up: the verified issuer becomes the subject of the
   next iteration.  NOTE(review): after this assignment ISSUER_CERT
   must be cleared so that the two releases at the end of the function
   do not free the same object twice -- the clearing is not visible in
   this excerpt. */
543 log_info ("certificate is good\n");
545 keydb_search_reset (kh);
546 subject_cert = issuer_cert;
/* Remind the user when checks were disabled by option. */
550 if (opt.no_policy_check)
551 log_info ("policies not checked due to --disable-policy-checks option\n");
552 if (opt.no_crl_check)
553 log_info ("CRLs not checked due to --disable-crl-checks option\n");
557 *r_exptime = exptime;
/* Cleanup: SUBJECT_CERT is released only when it is not the caller's
   CERT.  The keydb handle release is not visible here. */
560 ksba_cert_release (issuer_cert);
561 if (subject_cert != cert)
562 ksba_cert_release (subject_cert);
567 /* Check that the given certificate is valid but DO NOT check any
568 constraints. We assume that the issuers certificate is already in
569 the DB and that this one is valid; which it should be because it
570 has been checked using this function. */
/* Concretely, only a signature is verified: the self-signature when
   the issuer DN equals the subject DN, otherwise the issuer's
   signature on CERT after locating the issuer with find_up.  Nothing
   in the visible lines examines validity period, critical extensions,
   policies, CRLs, CA flag or path length -- use gpgsm_validate_path
   for that.  Returns 0 or a GNUPG error code. */
572 gpgsm_basic_cert_check (KsbaCert cert)
576 char *subject = NULL;
577 KEYDB_HANDLE kh = keydb_new (0);
578 KsbaCert issuer_cert = NULL;
/* Same debug switch as in gpgsm_validate_path; a testing aid only. */
580 if ((opt.debug & 4096))
582 log_info ("WARNING: bypassing basic certificate checks\n");
588 log_error (_("failed to allocated keyDB handle\n"));
589 rc = GNUPG_General_Error;
593 issuer = ksba_cert_get_issuer (cert, 0);
594 subject = ksba_cert_get_subject (cert, 0);
597 log_error ("no issuer found in certificate\n");
598 rc = GNUPG_Bad_Certificate;
/* Self-issued by name: verify the self-signature only. */
602 if (subject && !strcmp (issuer, subject))
604 if (gpgsm_check_cert_sig (cert, cert) )
606 log_error ("selfsigned certificate has a BAD signatures\n");
607 rc = GNUPG_Bad_Certificate;
613 /* find the next cert up the tree */
614 keydb_search_reset (kh);
615 rc = find_up (kh, cert, issuer);
/* A missing issuer is a missing certificate; the condition separating
   "not found" from other search errors is not visible here. */
620 log_info ("issuer certificate (");
621 gpgsm_dump_string (issuer);
622 log_printf (") not found\n");
625 log_error ("failed to find issuer's certificate: rc=%d\n", rc);
626 rc = GNUPG_Missing_Certificate;
630 ksba_cert_release (issuer_cert); issuer_cert = NULL;
631 rc = keydb_get_cert (kh, &issuer_cert);
634 log_error ("failed to get cert: rc=%d\n", rc);
635 rc = GNUPG_General_Error;
/* The name-based lookup is bound to CERT only by this signature
   check. */
639 if (gpgsm_check_cert_sig (issuer_cert, cert) )
641 log_error ("certificate has a BAD signatures\n");
642 rc = GNUPG_Bad_Certificate;
646 log_info ("certificate is good\n");
/* Cleanup; the keydb handle release and the freeing of ISSUER/SUBJECT
   are not visible in this excerpt. */
652 ksba_cert_release (issuer_cert);