Commit b44f84d2 authored by Adrien Béraud's avatar Adrien Béraud Committed by Emmanuel Lepage Vallée

certstore: find issuer by name or UID

Refs #77556

Change-Id: I3cef9fa8fde04a313f17a1e4576ec1d3e59b9fc3
parent b830367b
......@@ -99,7 +99,7 @@ CertificateStore::getCertificate(const std::string& k) const
}
std::shared_ptr<crypto::Certificate>
CertificateStore::findCertificateByName(const std::string& name, crypto::Certificate::NameType type)
CertificateStore::findCertificateByName(const std::string& name, crypto::Certificate::NameType type) const
{
std::unique_lock<std::mutex> l(lock_);
for (auto& i : certs_) {
......@@ -114,6 +114,42 @@ CertificateStore::findCertificateByName(const std::string& name, crypto::Certifi
return {};
}
std::shared_ptr<crypto::Certificate>
CertificateStore::findCertificateByUID(const std::string& uid) const
{
std::unique_lock<std::mutex> l(lock_);
for (auto& i : certs_) {
if (i.second->getUID() == uid)
return i.second;
}
return {};
}
std::shared_ptr<crypto::Certificate>
CertificateStore::findIssuer(std::shared_ptr<crypto::Certificate> crt) const
{
std::shared_ptr<crypto::Certificate> ret {};
auto n = crt->getIssuerUID();
if (not n.empty())
ret = findCertificateByUID(n);
if (not ret) {
n = crt->getIssuerName();
if (not n.empty())
ret = findCertificateByName(n);
}
if (not ret)
return ret;
unsigned verify_out = 0;
int err = gnutls_x509_crt_verify(crt->cert, &ret->cert, 1, 0, &verify_out);
if (err != GNUTLS_E_SUCCESS) {
RING_WARN("gnutls_x509_crt_verify failed: %s", gnutls_strerror(err));
return {};
}
if (verify_out & GNUTLS_CERT_INVALID)
return {};
return ret;
}
static std::vector<crypto::Certificate>
readCertificates(const std::string& path)
{
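Review bot: In findIssuer, a candidate that matches the issuer UID but fails gnutls_x509_crt_verify makes the function return empty without ever trying the issuer-name fallback — the `if (not ret)` on the name branch only covers "no UID match", not "UID match but bad signature" — so one stale or spoofed entry in certs_ sharing the UID masks the genuine issuer; crt is also dereferenced on `crt->getIssuerUID()` with no null check. The name/UID lookup is only candidate selection; the signature check is the actual proof of issuance, so each candidate should be verified independently and the next tried on failure, as sketched below. This still picks only the first UID/name match returned by the helpers, so duplicate UIDs in the store would need a store-wide scan to be fully covered. Consider also logging verify_out (not just GNUTLS_CERT_INVALID) when rejecting a candidate, since it carries the reason the signature check failed.
```cpp
std::shared_ptr<crypto::Certificate>
CertificateStore::findIssuer(std::shared_ptr<crypto::Certificate> crt) const
{
    if (not crt)
        return {};
    // Matching by issuer UID or name only selects a candidate; the
    // signature check is what actually establishes issuance.
    auto verified = [&](const std::shared_ptr<crypto::Certificate>& cand) -> bool {
        if (not cand)
            return false;
        unsigned verify_out = 0;
        int err = gnutls_x509_crt_verify(crt->cert, &cand->cert, 1, 0, &verify_out);
        if (err != GNUTLS_E_SUCCESS) {
            RING_WARN("gnutls_x509_crt_verify failed: %s", gnutls_strerror(err));
            return false;
        }
        return not (verify_out & GNUTLS_CERT_INVALID);
    };
    auto uid = crt->getIssuerUID();
    if (not uid.empty()) {
        auto cand = findCertificateByUID(uid);
        if (verified(cand))
            return cand;
    }
    auto name = crt->getIssuerName();
    if (not name.empty()) {
        auto cand = findCertificateByName(name);
        if (verified(cand))
            return cand;
    }
    return {};
}
```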
......@@ -47,7 +47,9 @@ public:
std::vector<std::string> getPinnedCertificates() const;
std::shared_ptr<crypto::Certificate> getCertificate(const std::string& cert_id) const;
std::shared_ptr<crypto::Certificate> findCertificateByName(const std::string& name, crypto::Certificate::NameType type = crypto::Certificate::NameType::UNKNOWN);
std::shared_ptr<crypto::Certificate> findCertificateByName(const std::string& name, crypto::Certificate::NameType type = crypto::Certificate::NameType::UNKNOWN) const;
std::shared_ptr<crypto::Certificate> findCertificateByUID(const std::string& uid) const;
std::shared_ptr<crypto::Certificate> findIssuer(std::shared_ptr<crypto::Certificate> crt) const;
std::vector<std::string> pinCertificate(const std::vector<uint8_t>& crt, bool local = true) noexcept;
std::vector<std::string> pinCertificate(crypto::Certificate&& crt, bool local = true);
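Review bot: The new findIssuer declaration carries no documentation, and its contract is not obvious from the name: a caller cannot tell whether the returned certificate is merely the one whose UID or name matches crt's issuer fields, or one whose signature over crt has actually been verified. A Doxygen comment above it should state that the issuer is looked up in the store by issuer UID, then by issuer name, and is returned only if gnutls_x509_crt_verify confirms it signed crt, with an empty pointer otherwise, so callers do not treat a match as unverified or re-verify needlessly. As a point of style, findIssuer takes the shared_ptr by value although it does not retain it; `findIssuer(const std::shared_ptr<crypto::Certificate>& crt) const` avoids the refcount traffic without changing callers.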
......@@ -1067,7 +1067,7 @@ TlsValidator::CheckResult TlsValidator::getSerialNumber()
TlsValidator::CheckResult TlsValidator::getIssuer()
{
if (not x509crt_->issuer) {
auto icrt = CertificateStore::instance().findCertificateByName(x509crt_->getIssuerName());
auto icrt = CertificateStore::instance().findIssuer(x509crt_);
if (icrt)
return TlsValidator::CheckResult(CheckValues::CUSTOM, icrt->getId().toString());
return TlsValidator::CheckResult(CheckValues::UNSUPPORTED, "");
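Review bot: With findIssuer replacing findCertificateByName, the UNSUPPORTED result on the last line of the hunk now conflates two cases that used to be one: no certificate in the store matches the issuer, and a matching certificate exists but its signature over x509crt_ does not verify. If the distinction matters to the validator's other checks (a failed issuer signature is a stronger finding than an unknown issuer), the store lookup and the verification result need to be surfaced separately; otherwise a comment such as `// findIssuer also rejects store entries that do not verify as signer, so UNSUPPORTED here covers both "unknown issuer" and "bad issuer signature"` would document the narrowing. getIssuer's body continues past the end of this hunk.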