2 * empathy-tls-verifier.c - Source for EmpathyTLSVerifier
3 * Copyright (C) 2010 Collabora Ltd.
4 * @author Cosimo Cecchi <cosimo.cecchi@collabora.co.uk>
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
23 #include <gnutls/gnutls.h>
24 #include <gnutls/x509.h>
26 #include <telepathy-glib/util.h>
28 #include "empathy-tls-verifier.h"
30 #define DEBUG_FLAG EMPATHY_DEBUG_TLS
31 #include "empathy-debug.h"
32 #include "empathy-utils.h"
34 G_DEFINE_TYPE (EmpathyTLSVerifier, empathy_tls_verifier,
37 #define GET_PRIV(obj) EMPATHY_GET_PRIV (obj, EmpathyTLSVerifier);
40 PROP_TLS_CERTIFICATE = 1,
46 static const gchar* system_ca_paths[] = {
47 "/etc/ssl/certs/ca-certificates.crt",
52 GPtrArray *cert_chain;
54 GPtrArray *trusted_ca_list;
55 GPtrArray *trusted_crl_list;
57 EmpathyTLSCertificate *certificate;
60 GSimpleAsyncResult *verify_result;
64 } EmpathyTLSVerifierPriv;
66 static gnutls_x509_crt_t *
67 ptr_array_to_x509_crt_list (GPtrArray *chain)
69 gnutls_x509_crt_t *retval;
72 retval = g_malloc0 (sizeof (gnutls_x509_crt_t) * chain->len);
74 for (idx = 0; idx < (gint) chain->len; idx++)
75 retval[idx] = g_ptr_array_index (chain, idx);
81 verification_output_to_reason (gint res,
83 EmpTLSCertificateRejectReason *reason)
85 gboolean retval = TRUE;
87 g_assert (reason != NULL);
89 if (res != GNUTLS_E_SUCCESS)
93 /* the certificate is not structurally valid */
96 case GNUTLS_E_INSUFFICIENT_CREDENTIALS:
97 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED;
99 case GNUTLS_E_CONSTRAINT_ERROR:
100 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_LIMIT_EXCEEDED;
103 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
110 /* the certificate is structurally valid, check for other errors. */
111 if (verify_output & GNUTLS_CERT_INVALID)
115 if (verify_output & GNUTLS_CERT_SIGNER_NOT_FOUND)
116 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED;
117 else if (verify_output & GNUTLS_CERT_SIGNER_NOT_CA)
118 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED;
119 else if (verify_output & GNUTLS_CERT_INSECURE_ALGORITHM)
120 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_INSECURE;
121 else if (verify_output & GNUTLS_CERT_NOT_ACTIVATED)
122 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_NOT_ACTIVATED;
123 else if (verify_output & GNUTLS_CERT_EXPIRED)
124 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_EXPIRED;
126 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
136 verify_last_certificate (EmpathyTLSVerifier *self,
137 gnutls_x509_crt_t cert,
138 EmpTLSCertificateRejectReason *reason)
142 gnutls_x509_crt_t *trusted_ca_list;
143 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
145 if (priv->trusted_ca_list->len > 0)
147 trusted_ca_list = ptr_array_to_x509_crt_list (priv->trusted_ca_list);
148 res = gnutls_x509_crt_verify (cert, trusted_ca_list,
149 priv->trusted_ca_list->len, 0, &verify_output);
151 DEBUG ("Checking last certificate %p against trusted CAs, output %u",
152 cert, verify_output);
154 g_free (trusted_ca_list);
158 /* check it against itself to see if it's structurally valid */
159 res = gnutls_x509_crt_verify (cert, &cert, 1, 0, &verify_output);
161 DEBUG ("Checking last certificate %p against itself, output %u", cert,
164 /* if it's valid, return the SelfSigned error, so that we can add it
165 * later to our trusted CAs whitelist.
167 if (res == GNUTLS_E_SUCCESS)
169 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED;
174 return verification_output_to_reason (res, verify_output, reason);
178 verify_certificate (EmpathyTLSVerifier *self,
179 gnutls_x509_crt_t cert,
180 gnutls_x509_crt_t issuer,
181 EmpTLSCertificateRejectReason *reason)
186 res = gnutls_x509_crt_verify (cert, &issuer, 1, 0, &verify_output);
188 DEBUG ("Verifying %p against %p, output %u", cert, issuer, verify_output);
190 return verification_output_to_reason (res, verify_output, reason);
194 complete_verification (EmpathyTLSVerifier *self)
196 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
198 DEBUG ("Verification successful, completing...");
200 g_simple_async_result_complete_in_idle (priv->verify_result);
202 tp_clear_object (&priv->verify_result);
206 abort_verification (EmpathyTLSVerifier *self,
207 EmpTLSCertificateRejectReason reason)
209 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
211 DEBUG ("Verification error %u, aborting...", reason);
213 g_simple_async_result_set_error (priv->verify_result,
214 G_IO_ERROR, reason, "TLS verification failed with reason %u",
216 g_simple_async_result_complete_in_idle (priv->verify_result);
218 tp_clear_object (&priv->verify_result);
222 real_start_verification (EmpathyTLSVerifier *self)
224 gnutls_x509_crt_t first_cert, last_cert;
226 gboolean res = FALSE;
228 EmpTLSCertificateRejectReason reason =
229 EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
230 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
232 DEBUG ("Starting verification");
234 /* check if the certificate matches the hostname first. */
235 first_cert = g_ptr_array_index (priv->cert_chain, 0);
236 if (gnutls_x509_crt_check_hostname (first_cert, priv->hostname) == 0)
238 gchar *certified_hostname;
240 reason = EMP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH;
241 certified_hostname = empathy_get_x509_certificate_hostname (first_cert);
242 tp_asv_set_string (priv->details,
243 "expected-hostname", priv->hostname);
244 tp_asv_set_string (priv->details,
245 "certificate-hostname", certified_hostname);
247 DEBUG ("Hostname mismatch: got %s but expected %s",
248 certified_hostname, priv->hostname);
250 g_free (certified_hostname);
254 DEBUG ("Hostname matched");
256 num_certs = priv->cert_chain->len;
258 if (priv->trusted_ca_list->len > 0)
260 /* if the last certificate is self-signed, and we have a list of
261 * trusted CAs, ignore it, as we want to check the chain against our
262 * trusted CAs list first.
264 last_cert = g_ptr_array_index (priv->cert_chain, num_certs - 1);
266 if (gnutls_x509_crt_check_issuer (last_cert, last_cert) > 0)
270 for (idx = 1; idx < num_certs; idx++)
272 res = verify_certificate (self,
273 g_ptr_array_index (priv->cert_chain, idx -1),
274 g_ptr_array_index (priv->cert_chain, idx),
277 DEBUG ("Certificate verification %d gave result %d with reason %u", idx,
282 abort_verification (self, reason);
287 res = verify_last_certificate (self,
288 g_ptr_array_index (priv->cert_chain, num_certs - 1),
291 DEBUG ("Last verification gave result %d with reason %u", res, reason);
296 abort_verification (self, reason);
300 complete_verification (self);
304 start_verification (gpointer user_data)
306 EmpathyTLSVerifier *self = user_data;
308 real_start_verification (self);
314 build_gnutls_cert_list (EmpathyTLSVerifier *self)
318 GPtrArray *certificate_data = NULL;
319 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
321 g_object_get (priv->certificate,
322 "cert-data", &certificate_data,
324 num_certs = certificate_data->len;
326 priv->cert_chain = g_ptr_array_new_with_free_func (
327 (GDestroyNotify) gnutls_x509_crt_deinit);
329 for (idx = 0; idx < num_certs; idx++)
331 gnutls_x509_crt_t cert;
333 gnutls_datum_t datum = { NULL, 0 };
335 one_cert = g_ptr_array_index (certificate_data, idx);
336 datum.data = (guchar *) one_cert->data;
337 datum.size = one_cert->len;
339 gnutls_x509_crt_init (&cert);
340 gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_DER);
342 g_ptr_array_add (priv->cert_chain, cert);
347 get_number_and_type_of_certificates (gnutls_datum_t *datum,
348 gnutls_x509_crt_fmt_t *format)
350 gnutls_x509_crt_t fake;
354 res = gnutls_x509_crt_list_import (&fake, &retval, datum,
355 GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
357 if (res == GNUTLS_E_SHORT_MEMORY_BUFFER || res > 0)
359 DEBUG ("Found PEM, with %u certificates", retval);
360 *format = GNUTLS_X509_FMT_PEM;
365 res = gnutls_x509_crt_list_import (&fake, &retval, datum,
366 GNUTLS_X509_FMT_DER, 0);
370 *format = GNUTLS_X509_FMT_DER;
378 build_gnutls_ca_and_crl_lists (GIOSchedulerJob *job,
379 GCancellable *cancellable,
383 gchar *user_certs_dir;
385 GError *error = NULL;
386 EmpathyTLSVerifier *self = user_data;
387 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
389 priv->trusted_ca_list = g_ptr_array_new_with_free_func
390 ((GDestroyNotify) gnutls_x509_crt_deinit);
392 for (idx = 0; idx < (gint) G_N_ELEMENTS (system_ca_paths) - 1; idx++)
395 gchar *contents = NULL;
398 gnutls_x509_crt_t *cert_list;
399 gnutls_datum_t datum = { NULL, 0 };
400 gnutls_x509_crt_fmt_t format = 0;
402 path = system_ca_paths[idx];
403 g_file_get_contents (path, &contents, &length, &error);
407 DEBUG ("Unable to read system CAs from path %s: %s", path,
409 g_clear_error (&error);
413 datum.data = (guchar *) contents;
415 n_certs = get_number_and_type_of_certificates (&datum, &format);
419 DEBUG ("Unable to parse the system CAs from path %s: GnuTLS "
420 "returned error %d", path, n_certs);
426 cert_list = g_malloc0 (sizeof (gnutls_x509_crt_t) * n_certs);
427 res = gnutls_x509_crt_list_import (cert_list, (guint *) &n_certs, &datum,
432 DEBUG ("Unable to import system CAs from path %s; "
433 "GnuTLS returned error %d", path, res);
439 DEBUG ("Successfully imported %d system CA certificates from path %s",
442 /* append the newly created cert structutes into the global GPtrArray */
443 for (idx = 0; idx < n_certs; idx++)
444 g_ptr_array_add (priv->trusted_ca_list, cert_list[idx]);
451 user_certs_dir = g_build_filename (g_get_user_config_dir (),
452 "telepathy", "certs", NULL);
453 dir = g_dir_open (user_certs_dir, 0, &error);
457 DEBUG ("Can't open the user certs dir at %s: %s", user_certs_dir,
460 g_error_free (error);
464 const gchar *cert_name;
466 while ((cert_name = g_dir_read_name (dir)) != NULL)
468 gchar *contents = NULL, *cert_path = NULL;
471 gnutls_datum_t datum = { NULL, 0 };
472 gnutls_x509_crt_t cert;
474 cert_path = g_build_filename (user_certs_dir, cert_name, NULL);
476 g_file_get_contents (cert_path, &contents, &length, &error);
480 DEBUG ("Can't open the certificate file at path %s: %s",
481 cert_path, error->message);
483 g_clear_error (&error);
488 datum.data = (guchar *) contents;
491 gnutls_x509_crt_init (&cert);
492 res = gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_PEM);
494 if (res != GNUTLS_E_SUCCESS)
496 DEBUG ("Can't import the certificate at path %s: "
497 "GnuTLS returned %d", cert_path, res);
501 g_ptr_array_add (priv->trusted_ca_list, cert);
511 g_free (user_certs_dir);
513 /* TODO: do the CRL too */
515 g_io_scheduler_job_send_to_mainloop_async (job,
516 start_verification, self, NULL);
522 empathy_tls_verifier_get_property (GObject *object,
527 EmpathyTLSVerifierPriv *priv = GET_PRIV (object);
531 case PROP_TLS_CERTIFICATE:
532 g_value_set_object (value, priv->certificate);
535 g_value_set_string (value, priv->hostname);
538 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec);
544 empathy_tls_verifier_set_property (GObject *object,
549 EmpathyTLSVerifierPriv *priv = GET_PRIV (object);
553 case PROP_TLS_CERTIFICATE:
554 priv->certificate = g_value_dup_object (value);
557 priv->hostname = g_value_dup_string (value);
560 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec);
566 empathy_tls_verifier_dispose (GObject *object)
568 EmpathyTLSVerifierPriv *priv = GET_PRIV (object);
570 if (priv->dispose_run)
573 priv->dispose_run = TRUE;
575 tp_clear_object (&priv->certificate);
577 G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->dispose (object);
581 empathy_tls_verifier_finalize (GObject *object)
583 EmpathyTLSVerifierPriv *priv = GET_PRIV (object);
585 DEBUG ("%p", object);
587 tp_clear_pointer (&priv->trusted_ca_list, g_ptr_array_unref);
588 tp_clear_pointer (&priv->cert_chain, g_ptr_array_unref);
589 tp_clear_boxed (G_TYPE_HASH_TABLE, &priv->details);
590 g_free (priv->hostname);
592 G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->finalize (object);
596 empathy_tls_verifier_constructed (GObject *object)
598 EmpathyTLSVerifier *self = EMPATHY_TLS_VERIFIER (object);
600 build_gnutls_cert_list (self);
602 if (G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->constructed != NULL)
603 G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->constructed (object);
607 empathy_tls_verifier_init (EmpathyTLSVerifier *self)
609 EmpathyTLSVerifierPriv *priv;
611 priv = self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self,
612 EMPATHY_TYPE_TLS_VERIFIER, EmpathyTLSVerifierPriv);
613 priv->details = tp_asv_new (NULL, NULL);
617 empathy_tls_verifier_class_init (EmpathyTLSVerifierClass *klass)
620 GObjectClass *oclass = G_OBJECT_CLASS (klass);
622 g_type_class_add_private (klass, sizeof (EmpathyTLSVerifierPriv));
624 oclass->set_property = empathy_tls_verifier_set_property;
625 oclass->get_property = empathy_tls_verifier_get_property;
626 oclass->finalize = empathy_tls_verifier_finalize;
627 oclass->dispose = empathy_tls_verifier_dispose;
628 oclass->constructed = empathy_tls_verifier_constructed;
630 pspec = g_param_spec_object ("certificate", "The EmpathyTLSCertificate",
631 "The EmpathyTLSCertificate to be verified.",
632 EMPATHY_TYPE_TLS_CERTIFICATE,
633 G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);
634 g_object_class_install_property (oclass, PROP_TLS_CERTIFICATE, pspec);
636 pspec = g_param_spec_string ("hostname", "The hostname",
637 "The hostname which should be certified by the certificate.",
639 G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);
640 g_object_class_install_property (oclass, PROP_HOSTNAME, pspec);
644 empathy_tls_verifier_new (EmpathyTLSCertificate *certificate,
645 const gchar *hostname)
647 g_assert (EMPATHY_IS_TLS_CERTIFICATE (certificate));
648 g_assert (hostname != NULL);
650 return g_object_new (EMPATHY_TYPE_TLS_VERIFIER,
651 "certificate", certificate,
652 "hostname", hostname,
657 empathy_tls_verifier_verify_async (EmpathyTLSVerifier *self,
658 GAsyncReadyCallback callback,
661 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
663 g_return_if_fail (priv->verify_result == NULL);
665 priv->verify_result = g_simple_async_result_new (G_OBJECT (self),
666 callback, user_data, NULL);
668 g_io_scheduler_push_job (build_gnutls_ca_and_crl_lists,
669 self, NULL, G_PRIORITY_DEFAULT, NULL);
673 empathy_tls_verifier_verify_finish (EmpathyTLSVerifier *self,
675 EmpTLSCertificateRejectReason *reason,
676 GHashTable **details,
679 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
681 if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (res),
685 *reason = (*error)->code;
689 *details = tp_asv_new (NULL, NULL);
690 tp_g_hash_table_update (*details, priv->details,
691 (GBoxedCopyFunc) g_strdup,
692 (GBoxedCopyFunc) tp_g_value_slice_dup);
699 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;