[empathy: 23/65] Correctly treat the last certificate in the chain
- From: Cosimo Cecchi <cosimoc src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [empathy: 23/65] Correctly treat the last certificate in the chain
- Date: Tue, 24 Aug 2010 13:28:23 +0000 (UTC)
commit dd4b301661b2516731027eebbf3147692292d749
Author: Cosimo Cecchi <cosimoc gnome org>
Date: Thu Aug 12 18:46:08 2010 +0200
Correctly treat the last certificate in the chain
I.e. emit SelfSigned if we don't have any trusted CAs in our cache.
libempathy/empathy-tls-verifier.c | 43 ++++++++++++++++++++++++++++--------
1 files changed, 33 insertions(+), 10 deletions(-)
---
diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c
index 1ed9ede..f279efb 100644
--- a/libempathy/empathy-tls-verifier.c
+++ b/libempathy/empathy-tls-verifier.c
@@ -139,11 +139,34 @@ verify_last_certificate (EmpathyTLSVerifier *self,
gnutls_x509_crt_t *trusted_ca_list;
EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
- trusted_ca_list = ptr_array_to_x509_crt_list (priv->trusted_ca_list);
- res = gnutls_x509_crt_verify (cert, trusted_ca_list,
- priv->trusted_ca_list->len, 0, &verify_output);
+ if (priv->trusted_ca_list->len > 0)
+ {
+ trusted_ca_list = ptr_array_to_x509_crt_list (priv->trusted_ca_list);
+ res = gnutls_x509_crt_verify (cert, trusted_ca_list,
+ priv->trusted_ca_list->len, 0, &verify_output);
+
+ DEBUG ("Checking last certificate %p against trusted CAs, output %u",
+ cert, verify_output);
- g_free (trusted_ca_list);
+ g_free (trusted_ca_list);
+ }
+ else
+ {
+ /* check it against itself to see if it's structurally valid */
+ res = gnutls_x509_crt_verify (cert, &cert, 1, 0, &verify_output);
+
+ DEBUG ("Checking last certificate %p against itself, output %u", cert,
+ verify_output);
+
+ /* if it's valid, return the SelfSigned error, so that we can add it
+ * later to our trusted CAs whitelist.
+ */
+ if (res == GNUTLS_E_SUCCESS)
+ {
+ *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED;
+ return FALSE;
+ }
+ }
return verification_output_to_reason (res, verify_output, reason);
}
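Review bot: The check `if (res == GNUTLS_E_SUCCESS)` in the new else-branch tests the return code of gnutls_x509_crt_verify(), not the verification outcome: that function returns a negative value only for internal errors and reports verification failure through the `verify_output` flags (GNUTLS_CERT_INVALID and friends), so a last certificate that is not actually self-signed, or whose self-signature does not check out, still takes this branch and is reported as SELF_SIGNED instead of the reason the flags would have produced. Since the comment says the SelfSigned reason is what later feeds the trusted-CA whitelist, misclassifying here means a certificate that failed verification could be offered for whitelisting. The condition should also consult the flags, e.g. `if (res == GNUTLS_E_SUCCESS && !(verify_output & GNUTLS_CERT_INVALID))`, so that anything else falls through to verification_output_to_reason() as before. Note that the declarations of `res`, `cert`, `verify_output` and `reason` and the start of verify_last_certificate() are above this hunk, so the initial value of `verify_output` is not visible here.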
@@ -233,13 +256,13 @@ real_start_verification (EmpathyTLSVerifier *self)
}
}
- if (priv->trusted_ca_list->len > 0)
- {
- res = verify_last_certificate (self,
- g_ptr_array_index (priv->cert_chain, num_certs - 1),
- &reason);
- }
+ res = verify_last_certificate (self,
+ g_ptr_array_index (priv->cert_chain, num_certs - 1),
+ &reason);
+ DEBUG ("Last verification gave result %d with reason %u", res, reason);
+
+ out:
if (!res)
{
abort_verification (self, reason);
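Review bot: The new `out:` label is only a target; every `goto out` that reaches it lies above this hunk, so it is not visible whether each of those paths sets both `res` and `reason` before jumping, and the code after the label reads both (`if (!res)` followed by `abort_verification (self, reason)`). If a jump happens with `res` still holding a previous iteration's TRUE, the failed chain would not be aborted; a short comment at the label would make the contract explicit, e.g. `/* every goto out must have set res and reason */`. The index `num_certs - 1` on the line above presumably relies on an earlier guarantee that the chain is non-empty; if that guard is not there, an empty chain underflows the index, and a one-line comment naming where the guard lives would help the next reader. The DEBUG format `%u` for `reason` also assumes the reject-reason enum is printable as unsigned, which is fine in practice but worth keeping consistent with the `%u` used for `verify_output` elsewhere. real_start_verification() begins outside this hunk.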