diff --git a/src/security/certstore.cpp b/src/security/certstore.cpp index e58b288d16ab4b0df901d10c54aa8c3fed1f39b6..a3d72c9a285ea1bc2980ef6431675b94ee4e7ab4 100644 --- a/src/security/certstore.cpp +++ b/src/security/certstore.cpp @@ -600,14 +600,36 @@ TrustStore::PermissionStatus TrustStore::getCertificateStatus(const std::string& cert_id) const { std::lock_guard<std::recursive_mutex> lk(mutex_); - auto s = certStatus_.find(cert_id); - if (s == std::end(certStatus_)) { - auto us = unknownCertStatus_.find(cert_id); - if (us == std::end(unknownCertStatus_)) - return PermissionStatus::UNDEFINED; - return us->second.allowed ? PermissionStatus::ALLOWED : PermissionStatus::BANNED; + auto cert = certStore_.getCertificate(cert_id); + if (!cert) + return PermissionStatus::UNDEFINED; + auto allowed = false; auto found = false; + while (cert) { + auto s = certStatus_.find(cert->getId().toString()); + if (s != std::end(certStatus_)) { + if (!found) { + found = true; allowed = true; // we need to find at least a certificate + } + allowed &= s->second.second.allowed; + if (!allowed) + return PermissionStatus::BANNED; + } else { + auto us = unknownCertStatus_.find(cert->getId().toString()); + if (us != std::end(unknownCertStatus_)) { + if (!found) { + found = true; allowed = true; // we need to find at least a certificate + } + allowed &= s->second.second.allowed; + if (!us->second.allowed) + return PermissionStatus::BANNED; + } + } + if (cert->getUID() == cert->getIssuerUID()) + break; + cert = cert->issuer? cert->issuer : certStore_.getCertificate(cert->getIssuerUID()); } - return s->second.second.allowed ? PermissionStatus::ALLOWED : PermissionStatus::BANNED; + + return allowed? PermissionStatus::ALLOWED : PermissionStatus::UNDEFINED; } std::vector<std::string> diff --git a/tests/certstore.cpp b/tests/certstore.cpp index 0bc7722cc1921f5597218f9b82515da3f51b9f36..9f4fc81db2db8c157e5627e14c325fa327505de8 100644 --- a/tests/certstore.cpp +++ b/tests/certstore.cpp @@ -41,10 +41,12 @@ public: private: void trustStoreTest(); void getCertificateWithSplitted(); + void testBannedParent(); CPPUNIT_TEST_SUITE(CertStoreTest); CPPUNIT_TEST(trustStoreTest); CPPUNIT_TEST(getCertificateWithSplitted); + CPPUNIT_TEST(testBannedParent); CPPUNIT_TEST_SUITE_END(); }; @@ -199,6 +201,30 @@ CertStoreTest::getCertificateWithSplitted() && fullCert->issuer->issuer->getUID() == caCert->getUID());*/ } +void +CertStoreTest::testBannedParent() +{ + /*auto aliceAccount = Manager::instance().getAccount<JamiAccount>(aliceId); + + auto ca = dht::crypto::generateIdentity("test CA"); + auto account = dht::crypto::generateIdentity("test account", ca, 4096, true); + auto device = dht::crypto::generateIdentity("test device", account); + auto device2 = dht::crypto::generateIdentity("test device 2", account); + auto id = ca.second->getId().toString(); + auto pinned = aliceAccount->certStore().getPinnedCertificates(); + CPPUNIT_ASSERT(std::find_if(pinned.begin(), pinned.end(), [&](auto v) { return v == id; }) + == pinned.end()); + + // Ban account + aliceAccount->setCertificateStatus(account.second, dhtnet::tls::TrustStore::PermissionStatus::BANNED); + CPPUNIT_ASSERT(aliceAccount->accountManager()->getCertificateStatus(account.second->getId().toString()) + == dhtnet::tls::TrustStore::PermissionStatus::BANNED); + CPPUNIT_ASSERT(not aliceAccount->accountManager()->isAllowed(*account.second)); + CPPUNIT_ASSERT(not aliceAccount->accountManager()->isAllowed(*device2.second)); + CPPUNIT_ASSERT(not aliceAccount->accountManager()->isAllowed(*device.second));*/ +} + + } // namespace test } // namespace dhtnet