2 * empathy-tls-verifier.c - Source for EmpathyTLSVerifier
3 * Copyright (C) 2010 Collabora Ltd.
4 * @author Cosimo Cecchi <cosimo.cecchi@collabora.co.uk>
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
23 #include <gnutls/gnutls.h>
24 #include <gnutls/x509.h>
26 #include <telepathy-glib/util.h>
28 #include "empathy-tls-verifier.h"
30 #define DEBUG_FLAG EMPATHY_DEBUG_TLS
31 #include "empathy-debug.h"
32 #include "empathy-utils.h"
/* Registers the EmpathyTLSVerifier GObject type; the remaining macro
 * arguments are not visible in this listing. */
34 G_DEFINE_TYPE (EmpathyTLSVerifier, empathy_tls_verifier,
/* Shorthand for fetching the private data of an instance.
 * NOTE(review): the expansion already ends in a semicolon, so a use such as
 * priv = GET_PRIV (x); leaves an extra empty statement, and the macro cannot
 * be used inside a larger expression. */
37 #define GET_PRIV(obj) EMPATHY_GET_PRIV (obj, EmpathyTLSVerifier);
/* Property id of the certificate construct property installed in
 * empathy_tls_verifier_class_init(). */
40 PROP_TLS_CERTIFICATE = 1,
/* Paths of the system CA bundles read by build_gnutls_ca_and_crl_lists();
 * the entries are not visible in this listing.
 * NOTE(review): that function iterates G_N_ELEMENTS - 1 entries, which
 * presumably skips a trailing NULL sentinel - confirm against the full
 * initialiser. */
46 static const gchar* system_ca_paths[] = {
/* Private state of an EmpathyTLSVerifier. Other members used in this file
 * (hostname, details, dispose_run) are not visible in this listing. */
/* Certificate chain under verification, as gnutls_x509_crt_t handles
 * created by build_gnutls_cert_list(). */
52 GPtrArray *cert_chain;
/* Trust anchors collected by build_gnutls_ca_and_crl_lists() from the
 * system CA bundles and the per-user certs directory. */
54 GPtrArray *trusted_ca_list;
/* NOTE(review): nothing in the visible code fills this list (the CRL step
 * is still a TODO in build_gnutls_ca_and_crl_lists), so no revocation data
 * takes part in the verification. */
55 GPtrArray *trusted_crl_list;
/* The certificate object passed in through the certificate property. */
57 EmpathyTLSCertificate *certificate;
/* Pending async result; non-NULL only while a verification is running. */
60 GSimpleAsyncResult *verify_result;
64 } EmpathyTLSVerifierPriv;
/* Copies the gnutls_x509_crt_t handles stored in @chain into a newly
 * allocated plain array of chain->len entries, the form that
 * gnutls_x509_crt_verify() is given in verify_last_certificate(). Only the
 * handles are copied, so the array shares the certificates with @chain;
 * verify_last_certificate() releases the array itself with g_free().
 * NOTE(review): the allocation size is an unchecked multiplication;
 * g_new0() performs the same allocation with an overflow check. */
66 static gnutls_x509_crt_t *
67 ptr_array_to_x509_crt_list (GPtrArray *chain)
69 gnutls_x509_crt_t *retval;
72 retval = g_malloc0 (sizeof (gnutls_x509_crt_t) * chain->len);
74 for (idx = 0; idx < (gint) chain->len; idx++)
75 retval[idx] = g_ptr_array_index (chain, idx);
/* Translates the outcome of a gnutls_x509_crt_verify() call into a reject
 * reason. @res is the return code of the call, verify_output (its parameter
 * line is not visible in this listing) is the GNUTLS_CERT_* status bitmask,
 * and @reason receives the mapped EmpTLSCertificateRejectReason. retval
 * starts as TRUE; the lines that change and return it are not visible
 * here. */
81 verification_output_to_reason (gint res,
83 EmpTLSCertificateRejectReason *reason)
85 gboolean retval = TRUE;
/* NOTE(review): g_assert() is compiled out when G_DISABLE_ASSERT is defined,
 * so this is a debugging aid and not a runtime guard. */
87 g_assert (reason != NULL);
/* A failing return code is mapped first. */
89 if (res != GNUTLS_E_SUCCESS)
93 /* the certificate is not structurally valid */
96 case GNUTLS_E_INSUFFICIENT_CREDENTIALS:
97 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED;
99 case GNUTLS_E_CONSTRAINT_ERROR:
100 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_LIMIT_EXCEEDED;
103 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
110 /* the certificate is structurally valid, check for other errors. */
111 if (verify_output & GNUTLS_CERT_INVALID)
/* Only one reason is reported: the first status bit that matches, in the
 * order written below.
 * NOTE(review): GNUTLS_CERT_SIGNER_NOT_FOUND is reported as SELF_SIGNED, so
 * a chain issued by an unknown CA cannot be told apart from a self-signed
 * certificate by the caller. GNUTLS_CERT_REVOKED has no branch of its own
 * and ends up as UNKNOWN. */
115 if (verify_output & GNUTLS_CERT_SIGNER_NOT_FOUND)
116 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED;
117 else if (verify_output & GNUTLS_CERT_SIGNER_NOT_CA)
118 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED;
119 else if (verify_output & GNUTLS_CERT_INSECURE_ALGORITHM)
120 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_INSECURE;
121 else if (verify_output & GNUTLS_CERT_NOT_ACTIVATED)
122 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_NOT_ACTIVATED;
123 else if (verify_output & GNUTLS_CERT_EXPIRED)
124 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_EXPIRED;
126 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
/* Checks the final certificate of the chain; this is the only step that
 * consults priv->trusted_ca_list. With a non-empty list the certificate is
 * verified against it (verification flags 0) through a temporary array that
 * is freed again. With an empty list the certificate is verified against
 * itself, and when that call returns GNUTLS_E_SUCCESS the reason is set to
 * SELF_SIGNED. The final visible statement returns the mapping done by
 * verification_output_to_reason().
 * NOTE(review): the self-check tests only the return code of
 * gnutls_x509_crt_verify(). That code says the verification ran; its
 * outcome is in the verify_output status bits, which the visible condition
 * does not consult. In that branch no trust anchor was available at all, so
 * callers must keep treating SELF_SIGNED as a rejection until the user has
 * explicitly accepted the certificate. */
136 verify_last_certificate (EmpathyTLSVerifier *self,
137 gnutls_x509_crt_t cert,
138 EmpTLSCertificateRejectReason *reason)
142 gnutls_x509_crt_t *trusted_ca_list;
143 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
145 if (priv->trusted_ca_list->len > 0)
147 trusted_ca_list = ptr_array_to_x509_crt_list (priv->trusted_ca_list);
148 res = gnutls_x509_crt_verify (cert, trusted_ca_list,
149 priv->trusted_ca_list->len, 0, &verify_output);
151 DEBUG ("Checking last certificate %p against trusted CAs, output %u",
152 cert, verify_output);
154 g_free (trusted_ca_list);
158 /* check it against itself to see if it's structurally valid */
159 res = gnutls_x509_crt_verify (cert, &cert, 1, 0, &verify_output);
161 DEBUG ("Checking last certificate %p against itself, output %u", cert,
164 /* if it's valid, return the SelfSigned error, so that we can add it
165 * later to our trusted CAs whitelist.
167 if (res == GNUTLS_E_SUCCESS)
169 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED;
174 return verification_output_to_reason (res, verify_output, reason);
/* Verifies @cert against @issuer alone, the next certificate up the chain,
 * with verification flags 0, and maps the result through
 * verification_output_to_reason(). For this one step @issuer is handed to
 * GnuTLS as the whole trusted list, so a passing result only says that the
 * link is consistent; whether the chain is trusted is decided later by
 * verify_last_certificate(). @self is not used in the visible lines. */
178 verify_certificate (EmpathyTLSVerifier *self,
179 gnutls_x509_crt_t cert,
180 gnutls_x509_crt_t issuer,
181 EmpTLSCertificateRejectReason *reason)
186 res = gnutls_x509_crt_verify (cert, &issuer, 1, 0, &verify_output);
188 DEBUG ("Verifying %p against %p, output %u", cert, issuer, verify_output);
190 return verification_output_to_reason (res, verify_output, reason);
/* Reports success: completes the pending async result from an idle
 * callback and then drops the reference kept in priv->verify_result, which
 * leaves the field NULL so that a new verification can be started. */
194 complete_verification (EmpathyTLSVerifier *self)
196 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
198 DEBUG ("Verification successful, completing...");
200 g_simple_async_result_complete_in_idle (priv->verify_result);
202 tp_clear_object (&priv->verify_result);
/* Reports a rejection: attaches an error to the pending async result,
 * completes it from an idle callback and drops the stored reference. */
206 abort_verification (EmpathyTLSVerifier *self,
207 EmpTLSCertificateRejectReason reason)
209 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
211 DEBUG ("Verification error %u, aborting...", reason);
/* The reject reason travels as the GError code under the G_IO_ERROR domain;
 * empathy_tls_verifier_verify_finish() reads it back from that code.
 * NOTE(review): the code is therefore not a GIOErrorEnum member, and
 * callers must not interpret the error as an ordinary I/O error. */
213 g_simple_async_result_set_error (priv->verify_result,
214 G_IO_ERROR, reason, "TLS verification failed with reason %u",
216 g_simple_async_result_complete_in_idle (priv->verify_result);
218 tp_clear_object (&priv->verify_result);
/* Runs the checks in order and finishes the pending async result:
 *  1. the first certificate must match priv->hostname; on a mismatch the
 *     expected and the certified hostname are recorded in priv->details
 *     with reason HOSTNAME_MISMATCH (the lines that end this branch are not
 *     visible in this listing);
 *  2. when trusted CAs are loaded, the last certificate is tested for being
 *     its own issuer (the rest of that condition and its effect are not
 *     visible here);
 *  3. each certificate is verified against the next one in the chain with
 *     verify_certificate(), and abort_verification() ends the run for a
 *     rejected link (the test itself is not visible);
 *  4. the last certificate goes through verify_last_certificate(), followed
 *     by abort_verification() or complete_verification().
 * NOTE(review): index 0 and index num_certs - 1 of priv->cert_chain are
 * read without a visible check that the chain is non-empty; confirm that an
 * empty cert-data list cannot reach this function. */
222 real_start_verification (EmpathyTLSVerifier *self)
224 gnutls_x509_crt_t first_cert, last_cert;
226 gboolean res = FALSE;
228 EmpTLSCertificateRejectReason reason =
229 EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
230 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
232 DEBUG ("Starting verification");
234 /* check if the certificate matches the hostname first. */
235 first_cert = g_ptr_array_index (priv->cert_chain, 0);
236 if (gnutls_x509_crt_check_hostname (first_cert, priv->hostname) == 0)
238 gchar *certified_hostname;
240 reason = EMP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH;
241 certified_hostname = empathy_get_x509_certificate_hostname (first_cert);
242 tp_asv_set_string (priv->details,
243 "expected-hostname", priv->hostname);
244 tp_asv_set_string (priv->details,
245 "certificate-hostname", certified_hostname);
247 DEBUG ("Hostname mismatch: got %s but expected %s",
248 certified_hostname, priv->hostname);
250 g_free (certified_hostname);
254 DEBUG ("Hostname matched");
256 num_certs = priv->cert_chain->len;
258 if (priv->trusted_ca_list->len > 0)
260 /* if the last certificate is self-signed, and we have a list of
261 * trusted CAs, ignore it, as we want to check the chain against our
262 * trusted CAs list first.
263 * if we have only one certificate in the chain, don't ignore it though,
264 * as it's the CA certificate itself.
266 last_cert = g_ptr_array_index (priv->cert_chain, num_certs - 1);
268 if (gnutls_x509_crt_check_issuer (last_cert, last_cert) > 0 &&
273 for (idx = 1; idx < num_certs; idx++)
275 res = verify_certificate (self,
276 g_ptr_array_index (priv->cert_chain, idx -1),
277 g_ptr_array_index (priv->cert_chain, idx),
280 DEBUG ("Certificate verification %d gave result %d with reason %u", idx,
285 abort_verification (self, reason);
290 res = verify_last_certificate (self,
291 g_ptr_array_index (priv->cert_chain, num_certs - 1),
294 DEBUG ("Last verification gave result %d with reason %u", res, reason);
299 abort_verification (self, reason);
303 complete_verification (self);
/* Main-loop callback scheduled by build_gnutls_ca_and_crl_lists() once the
 * trust anchors are loaded. @user_data is the EmpathyTLSVerifier; the work
 * is done by real_start_verification(). */
307 start_verification (gpointer user_data)
309 EmpathyTLSVerifier *self = user_data;
311 real_start_verification (self);
/* Turns the DER blobs read from the cert-data property of priv->certificate
 * into gnutls_x509_crt_t handles stored in priv->cert_chain, in the order
 * received. The array owns the handles and releases each one with
 * gnutls_x509_crt_deinit().
 * NOTE(review): these bytes are presumably supplied by the remote peer, yet
 * the return values of gnutls_x509_crt_init() and gnutls_x509_crt_import()
 * are discarded, so a blob that fails to parse is still added to the chain.
 * Rejection then depends on the later verify calls failing on that handle;
 * checking the import result here and failing the verification would make
 * the rejection explicit. certificate_data is also dereferenced without a
 * NULL check, and its release is not visible in this listing. */
317 build_gnutls_cert_list (EmpathyTLSVerifier *self)
321 GPtrArray *certificate_data = NULL;
322 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
324 g_object_get (priv->certificate,
325 "cert-data", &certificate_data,
327 num_certs = certificate_data->len;
329 priv->cert_chain = g_ptr_array_new_with_free_func (
330 (GDestroyNotify) gnutls_x509_crt_deinit);
332 for (idx = 0; idx < num_certs; idx++)
334 gnutls_x509_crt_t cert;
336 gnutls_datum_t datum = { NULL, 0 };
/* The datum only points at the bytes of one_cert; nothing is copied here. */
338 one_cert = g_ptr_array_index (certificate_data, idx);
339 datum.data = (guchar *) one_cert->data;
340 datum.size = one_cert->len;
342 gnutls_x509_crt_init (&cert);
343 gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_DER);
345 g_ptr_array_add (priv->cert_chain, cert);
/* Probes @datum to learn its encoding and how many certificates it holds.
 * A PEM import into a one-slot buffer with
 * GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED is tried first: a positive
 * result or GNUTLS_E_SHORT_MEMORY_BUFFER both mean the data is PEM, and
 * retval is passed so that GnuTLS can report the count. Otherwise a DER
 * import is tried and *format is set to GNUTLS_X509_FMT_DER on the visible
 * path. The return statements are not visible in this listing; the caller
 * logs the returned value as a GnuTLS error code on its failure branch.
 * NOTE(review): a successful probe initialises a certificate in fake;
 * confirm that it is released with gnutls_x509_crt_deinit(). */
350 get_number_and_type_of_certificates (gnutls_datum_t *datum,
351 gnutls_x509_crt_fmt_t *format)
353 gnutls_x509_crt_t fake;
357 res = gnutls_x509_crt_list_import (&fake, &retval, datum,
358 GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
360 if (res == GNUTLS_E_SHORT_MEMORY_BUFFER || res > 0)
362 DEBUG ("Found PEM, with %u certificates", retval);
363 *format = GNUTLS_X509_FMT_PEM;
368 res = gnutls_x509_crt_list_import (&fake, &retval, datum,
369 GNUTLS_X509_FMT_DER, 0);
373 *format = GNUTLS_X509_FMT_DER;
/* GIOScheduler job pushed by empathy_tls_verifier_verify_async(). It fills
 * priv->trusted_ca_list with the certificates found in the system CA
 * bundles and in the telepathy/certs directory under the user config dir,
 * then schedules start_verification() on the main loop. Unreadable or
 * unparsable files are logged and skipped. @user_data is the verifier.
 * NOTE(review): the list is created unconditionally, so a second
 * verification on the same object would overwrite the previous array
 * without an unref in the visible code. */
381 build_gnutls_ca_and_crl_lists (GIOSchedulerJob *job,
382 GCancellable *cancellable,
386 gchar *user_certs_dir;
388 GError *error = NULL;
389 EmpathyTLSVerifier *self = user_data;
390 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
392 priv->trusted_ca_list = g_ptr_array_new_with_free_func
393 ((GDestroyNotify) gnutls_x509_crt_deinit);
/* First source of trust anchors: the system bundles in system_ca_paths. */
395 for (idx = 0; idx < (gint) G_N_ELEMENTS (system_ca_paths) - 1; idx++)
398 gchar *contents = NULL;
401 gnutls_x509_crt_t *cert_list;
402 gnutls_datum_t datum = { NULL, 0 };
403 gnutls_x509_crt_fmt_t format = 0;
405 path = system_ca_paths[idx];
406 g_file_get_contents (path, &contents, &length, &error);
410 DEBUG ("Unable to read system CAs from path %s: %s", path,
412 g_clear_error (&error);
416 datum.data = (guchar *) contents;
/* The first pass only learns the format and the certificate count, so the
 * array for the real import below can be sized. */
418 n_certs = get_number_and_type_of_certificates (&datum, &format);
422 DEBUG ("Unable to parse the system CAs from path %s: GnuTLS "
423 "returned error %d", path, n_certs);
429 cert_list = g_malloc0 (sizeof (gnutls_x509_crt_t) * n_certs);
430 res = gnutls_x509_crt_list_import (cert_list, (guint *) &n_certs, &datum,
435 DEBUG ("Unable to import system CAs from path %s; "
436 "GnuTLS returned error %d", path, res);
442 DEBUG ("Successfully imported %d system CA certificates from path %s",
445 /* append the newly created cert structures into the global GPtrArray */
/* NOTE(review): this loop reuses idx, the index of the loop over
 * system_ca_paths. If it runs inside that loop, as the gutter numbers
 * suggest, the outer iteration resumes from n_certs instead of the next
 * path, which can skip the remaining bundles or revisit one. A separate
 * index variable avoids this. */
446 for (idx = 0; idx < n_certs; idx++)
447 g_ptr_array_add (priv->trusted_ca_list, cert_list[idx]);
/* Second source: per-user certificates. Every file in this directory that
 * imports as PEM becomes a trust anchor with the same weight as a system
 * CA, so write access to the directory amounts to control over which
 * servers are trusted; it should be writable by the user only. A single
 * certificate is imported per file. */
454 user_certs_dir = g_build_filename (g_get_user_config_dir (),
455 "telepathy", "certs", NULL);
456 dir = g_dir_open (user_certs_dir, 0, &error);
460 DEBUG ("Can't open the user certs dir at %s: %s", user_certs_dir,
463 g_error_free (error);
467 const gchar *cert_name;
469 while ((cert_name = g_dir_read_name (dir)) != NULL)
471 gchar *contents = NULL, *cert_path = NULL;
474 gnutls_datum_t datum = { NULL, 0 };
475 gnutls_x509_crt_t cert;
477 cert_path = g_build_filename (user_certs_dir, cert_name, NULL);
479 g_file_get_contents (cert_path, &contents, &length, &error);
483 DEBUG ("Can't open the certificate file at path %s: %s",
484 cert_path, error->message);
486 g_clear_error (&error);
491 datum.data = (guchar *) contents;
494 gnutls_x509_crt_init (&cert);
495 res = gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_PEM);
497 if (res != GNUTLS_E_SUCCESS)
499 DEBUG ("Can't import the certificate at path %s: "
500 "GnuTLS returned %d", cert_path, res);
504 g_ptr_array_add (priv->trusted_ca_list, cert);
514 g_free (user_certs_dir);
516 /* TODO: do the CRL too */
/* NOTE(review): until the TODO above is done no revocation data is loaded,
 * so a revoked certificate is not detected by this verifier. */
518 g_io_scheduler_job_send_to_mainloop_async (job,
519 start_verification, self, NULL);
/* GObject get_property implementation: returns the certificate object or
 * the hostname held in the private data and warns about any other property
 * id. */
525 empathy_tls_verifier_get_property (GObject *object,
530 EmpathyTLSVerifierPriv *priv = GET_PRIV (object);
534 case PROP_TLS_CERTIFICATE:
535 g_value_set_object (value, priv->certificate);
538 g_value_set_string (value, priv->hostname);
541 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec);
/* GObject set_property implementation. Both properties are installed as
 * construct-only in empathy_tls_verifier_class_init(), so each assignment
 * below happens once, at construction. The verifier takes its own reference
 * on the certificate and its own copy of the hostname string. */
547 empathy_tls_verifier_set_property (GObject *object,
552 EmpathyTLSVerifierPriv *priv = GET_PRIV (object);
556 case PROP_TLS_CERTIFICATE:
557 priv->certificate = g_value_dup_object (value);
560 priv->hostname = g_value_dup_string (value);
563 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec);
/* GObject dispose implementation: guarded by dispose_run so the body runs
 * once, releases the reference on the certificate object and chains up to
 * the parent class. */
569 empathy_tls_verifier_dispose (GObject *object)
571 EmpathyTLSVerifierPriv *priv = GET_PRIV (object);
573 if (priv->dispose_run)
576 priv->dispose_run = TRUE;
578 tp_clear_object (&priv->certificate);
580 G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->dispose (object);
/* GObject finalize implementation: releases the trust-anchor array and the
 * certificate chain (both arrays were created with gnutls_x509_crt_deinit
 * as their element free function), the details table and the hostname
 * copy, then chains up. trusted_crl_list is not released in the visible
 * lines, which matches it never being created in the visible code. */
584 empathy_tls_verifier_finalize (GObject *object)
586 EmpathyTLSVerifierPriv *priv = GET_PRIV (object);
588 DEBUG ("%p", object);
590 tp_clear_pointer (&priv->trusted_ca_list, g_ptr_array_unref);
591 tp_clear_pointer (&priv->cert_chain, g_ptr_array_unref);
592 tp_clear_boxed (G_TYPE_HASH_TABLE, &priv->details);
593 g_free (priv->hostname);
595 G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->finalize (object);
/* GObject constructed implementation: converts the certificate data into
 * the GnuTLS chain with build_gnutls_cert_list(), then chains up when the
 * parent class provides a constructed handler. */
599 empathy_tls_verifier_constructed (GObject *object)
601 EmpathyTLSVerifier *self = EMPATHY_TLS_VERIFIER (object);
603 build_gnutls_cert_list (self);
605 if (G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->constructed != NULL)
606 G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->constructed (object);
/* Instance initialiser: binds self->priv to the private data of the
 * instance and creates the empty details table that
 * real_start_verification() fills on a hostname mismatch. */
610 empathy_tls_verifier_init (EmpathyTLSVerifier *self)
612 EmpathyTLSVerifierPriv *priv;
614 priv = self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self,
615 EMPATHY_TYPE_TLS_VERIFIER, EmpathyTLSVerifierPriv);
616 priv->details = tp_asv_new (NULL, NULL);
/* Class initialiser: reserves the private struct, wires the GObject virtual
 * functions and installs the two construct-only properties, certificate and
 * hostname. */
620 empathy_tls_verifier_class_init (EmpathyTLSVerifierClass *klass)
623 GObjectClass *oclass = G_OBJECT_CLASS (klass);
625 g_type_class_add_private (klass, sizeof (EmpathyTLSVerifierPriv));
627 oclass->set_property = empathy_tls_verifier_set_property;
628 oclass->get_property = empathy_tls_verifier_get_property;
629 oclass->finalize = empathy_tls_verifier_finalize;
630 oclass->dispose = empathy_tls_verifier_dispose;
631 oclass->constructed = empathy_tls_verifier_constructed;
/* G_PARAM_CONSTRUCT_ONLY fixes the certificate and the hostname for the
 * lifetime of the object, so one verifier always checks one certificate
 * against one name. */
633 pspec = g_param_spec_object ("certificate", "The EmpathyTLSCertificate",
634 "The EmpathyTLSCertificate to be verified.",
635 EMPATHY_TYPE_TLS_CERTIFICATE,
636 G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);
637 g_object_class_install_property (oclass, PROP_TLS_CERTIFICATE, pspec);
639 pspec = g_param_spec_string ("hostname", "The hostname",
640 "The hostname which should be certified by the certificate.",
642 G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);
643 g_object_class_install_property (oclass, PROP_HOSTNAME, pspec);
/* Creates a verifier for @certificate that will be checked against
 * @hostname. Both arguments are required.
 * NOTE(review): the preconditions use g_assert(), which aborts the process
 * when it fails and is compiled out under G_DISABLE_ASSERT;
 * g_return_val_if_fail() is the usual guard for a public constructor. */
647 empathy_tls_verifier_new (EmpathyTLSCertificate *certificate,
648 const gchar *hostname)
650 g_assert (EMPATHY_IS_TLS_CERTIFICATE (certificate));
651 g_assert (hostname != NULL);
653 return g_object_new (EMPATHY_TYPE_TLS_VERIFIER,
654 "certificate", certificate,
655 "hostname", hostname,
/* Starts an asynchronous verification. Only one verification may be pending
 * per object: the call returns early when priv->verify_result is already
 * set. The result object is created with @self as its source object, and
 * the loading of the trust anchors is pushed to the GIO scheduler with
 * @self as job data; @callback is invoked once the result is completed by
 * complete_verification() or abort_verification().
 * NOTE(review): no explicit reference on @self is taken for the job in the
 * visible lines; the verifier presumably stays alive through the reference
 * the async result holds on its source object - confirm. */
660 empathy_tls_verifier_verify_async (EmpathyTLSVerifier *self,
661 GAsyncReadyCallback callback,
664 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
666 g_return_if_fail (priv->verify_result == NULL);
668 priv->verify_result = g_simple_async_result_new (G_OBJECT (self),
669 callback, user_data, NULL);
671 g_io_scheduler_push_job (build_gnutls_ca_and_crl_lists,
672 self, NULL, G_PRIORITY_DEFAULT, NULL);
/* Collects the outcome of a verification started with
 * empathy_tls_verifier_verify_async(). When the async result carries an
 * error, the reject reason is read back from the GError code (stored there
 * by abort_verification()) and *details receives a copy of priv->details;
 * on the other visible path *reason is set to UNKNOWN. The return
 * statements and any NULL guards on the out-parameters are not visible in
 * this listing.
 * NOTE(review): reading (*error)->code requires the caller to pass a
 * non-NULL GError location; confirm that every caller does, or propagate
 * into a local GError first. */
676 empathy_tls_verifier_verify_finish (EmpathyTLSVerifier *self,
678 EmpTLSCertificateRejectReason *reason,
679 GHashTable **details,
682 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
684 if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (res),
688 *reason = (*error)->code;
/* The caller gets an independent table: keys and values are duplicated, so
 * the table can outlive the verifier. */
692 *details = tp_asv_new (NULL, NULL);
693 tp_g_hash_table_update (*details, priv->details,
694 (GBoxedCopyFunc) g_strdup,
695 (GBoxedCopyFunc) tp_g_value_slice_dup);
702 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;