2 * empathy-tls-verifier.c - Source for EmpathyTLSVerifier
3 * Copyright (C) 2010 Collabora Ltd.
4 * @author Cosimo Cecchi <cosimo.cecchi@collabora.co.uk>
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
23 #include <gnutls/gnutls.h>
24 #include <gnutls/x509.h>
26 #include <telepathy-glib/util.h>
28 #include "empathy-tls-verifier.h"
30 #define DEBUG_FLAG EMPATHY_DEBUG_TLS
31 #include "empathy-debug.h"
32 #include "empathy-utils.h"
34 G_DEFINE_TYPE (EmpathyTLSVerifier, empathy_tls_verifier,
37 #define GET_PRIV(obj) EMPATHY_GET_PRIV (obj, EmpathyTLSVerifier);
40 PROP_TLS_CERTIFICATE = 1,
46 static const gchar* system_ca_paths[] = {
47 "/etc/ssl/certs/ca-certificates.crt",
52 GPtrArray *cert_chain;
54 GPtrArray *trusted_ca_list;
55 GPtrArray *trusted_crl_list;
57 EmpathyTLSCertificate *certificate;
60 GSimpleAsyncResult *verify_result;
63 } EmpathyTLSVerifierPriv;
65 static gnutls_x509_crt_t *
66 ptr_array_to_x509_crt_list (GPtrArray *chain)
68 gnutls_x509_crt_t *retval;
71 retval = g_malloc0 (sizeof (gnutls_x509_crt_t) * chain->len);
73 for (idx = 0; idx < (gint) chain->len; idx++)
74 retval[idx] = g_ptr_array_index (chain, idx);
80 verification_output_to_reason (gint res,
82 EmpTLSCertificateRejectReason *reason)
84 gboolean retval = TRUE;
86 if (res != GNUTLS_E_SUCCESS)
90 /* the certificate is not structurally valid */
93 case GNUTLS_E_INSUFFICIENT_CREDENTIALS:
94 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED;
96 case GNUTLS_E_CONSTRAINT_ERROR:
97 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_LIMIT_EXCEEDED;
100 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
107 /* the certificate is structurally valid, check for other errors. */
108 if (verify_output & GNUTLS_CERT_INVALID)
112 if (verify_output & GNUTLS_CERT_SIGNER_NOT_FOUND)
113 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED;
114 else if (verify_output & GNUTLS_CERT_SIGNER_NOT_CA)
115 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED;
116 else if (verify_output & GNUTLS_CERT_INSECURE_ALGORITHM)
117 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_INSECURE;
118 else if (verify_output & GNUTLS_CERT_NOT_ACTIVATED)
119 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_NOT_ACTIVATED;
120 else if (verify_output & GNUTLS_CERT_EXPIRED)
121 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_EXPIRED;
123 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
133 verify_last_certificate (EmpathyTLSVerifier *self,
134 gnutls_x509_crt_t cert,
135 EmpTLSCertificateRejectReason *reason)
139 gnutls_x509_crt_t *trusted_ca_list;
140 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
142 if (priv->trusted_ca_list->len > 0)
144 trusted_ca_list = ptr_array_to_x509_crt_list (priv->trusted_ca_list);
145 res = gnutls_x509_crt_verify (cert, trusted_ca_list,
146 priv->trusted_ca_list->len, 0, &verify_output);
148 DEBUG ("Checking last certificate %p against trusted CAs, output %u",
149 cert, verify_output);
151 g_free (trusted_ca_list);
155 /* check it against itself to see if it's structurally valid */
156 res = gnutls_x509_crt_verify (cert, &cert, 1, 0, &verify_output);
158 DEBUG ("Checking last certificate %p against itself, output %u", cert,
161 /* if it's valid, return the SelfSigned error, so that we can add it
162 * later to our trusted CAs whitelist.
164 if (res == GNUTLS_E_SUCCESS)
166 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED;
171 return verification_output_to_reason (res, verify_output, reason);
175 verify_certificate (EmpathyTLSVerifier *self,
176 gnutls_x509_crt_t cert,
177 gnutls_x509_crt_t issuer,
178 EmpTLSCertificateRejectReason *reason)
183 res = gnutls_x509_crt_verify (cert, &issuer, 1, 0, &verify_output);
185 return verification_output_to_reason (res, verify_output, reason);
189 complete_verification (EmpathyTLSVerifier *self)
191 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
193 DEBUG ("Verification successful, completing...");
195 g_simple_async_result_complete_in_idle (priv->verify_result);
197 tp_clear_object (&priv->verify_result);
201 abort_verification (EmpathyTLSVerifier *self,
202 EmpTLSCertificateRejectReason reason)
204 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
206 DEBUG ("Verification error %u, aborting...", reason);
208 g_simple_async_result_set_error (priv->verify_result,
209 G_IO_ERROR, reason, "TLS verification failed with reason %u",
211 g_simple_async_result_complete_in_idle (priv->verify_result);
213 tp_clear_object (&priv->verify_result);
217 real_start_verification (EmpathyTLSVerifier *self)
219 gnutls_x509_crt_t last_cert;
221 gboolean res = FALSE;
223 EmpTLSCertificateRejectReason reason =
224 EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
225 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
227 num_certs = priv->cert_chain->len;
229 DEBUG ("Starting verification");
231 if (priv->trusted_ca_list->len > 0)
233 /* if the last certificate is self-signed, ignore it, as we want to check
234 * the chain against our trusted CA list first.
236 last_cert = g_ptr_array_index (priv->cert_chain, num_certs - 1);
238 if (gnutls_x509_crt_check_issuer (last_cert, last_cert) > 0)
242 for (idx = 1; idx < num_certs; idx++)
244 res = verify_certificate (self,
245 g_ptr_array_index (priv->cert_chain, idx -1),
246 g_ptr_array_index (priv->cert_chain, idx),
249 DEBUG ("Certificate verification %d gave result %d with reason %u", idx,
254 abort_verification (self, reason);
259 res = verify_last_certificate (self,
260 g_ptr_array_index (priv->cert_chain, num_certs - 1),
263 DEBUG ("Last verification gave result %d with reason %u", res, reason);
268 abort_verification (self, reason);
272 complete_verification (self);
276 start_verification (gpointer user_data)
278 EmpathyTLSVerifier *self = user_data;
280 real_start_verification (self);
286 build_gnutls_cert_list (EmpathyTLSVerifier *self)
290 GPtrArray *certificate_data = NULL;
291 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
293 g_object_get (priv->certificate,
294 "cert-data", &certificate_data,
296 num_certs = certificate_data->len;
298 priv->cert_chain = g_ptr_array_sized_new (num_certs);
300 for (idx = 0; idx < num_certs; idx++)
302 gnutls_x509_crt_t cert;
304 gnutls_datum_t datum = { NULL, 0 };
306 one_cert = g_ptr_array_index (certificate_data, idx);
307 datum.data = (guchar *) one_cert->data;
308 datum.size = one_cert->len;
310 gnutls_x509_crt_init (&cert);
311 gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_DER);
313 g_ptr_array_add (priv->cert_chain, cert);
318 get_number_and_type_of_certificates (gnutls_datum_t *datum,
319 gnutls_x509_crt_fmt_t *format)
321 gnutls_x509_crt_t fake;
325 res = gnutls_x509_crt_list_import (&fake, (guint *) &retval, datum,
326 GNUTLS_X509_FMT_PEM, 0);
328 if (res == GNUTLS_E_SHORT_MEMORY_BUFFER || res > 0)
330 *format = GNUTLS_X509_FMT_PEM;
335 res = gnutls_x509_crt_list_import (&fake, (guint *) &retval, datum,
336 GNUTLS_X509_FMT_DER, 0);
340 *format = GNUTLS_X509_FMT_DER;
348 build_gnutls_ca_and_crl_lists (GIOSchedulerJob *job,
349 GCancellable *cancellable,
353 EmpathyTLSVerifier *self = user_data;
354 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
356 priv->trusted_ca_list = g_ptr_array_new ();
358 for (idx = 0; idx < (gint) G_N_ELEMENTS (system_ca_paths) - 1; idx++)
361 gchar *contents = NULL;
364 gnutls_x509_crt_t *cert_list;
365 gnutls_datum_t datum = { NULL, 0 };
366 gnutls_x509_crt_fmt_t format = 0;
367 GError *error = NULL;
369 path = system_ca_paths[idx];
370 g_file_get_contents (path, &contents, &length, &error);
374 DEBUG ("Unable to read system CAs from path %s", path);
375 g_error_free (error);
379 datum.data = (guchar *) contents;
381 n_certs = get_number_and_type_of_certificates (&datum, &format);
385 DEBUG ("Unable to parse the system CAs from path %s: GnuTLS "
386 "returned error %d", path, n_certs);
392 cert_list = g_malloc0 (sizeof (gnutls_x509_crt_t) * n_certs);
393 res = gnutls_x509_crt_list_import (cert_list, (guint *) &n_certs, &datum,
398 DEBUG ("Unable to import system CAs from path %s; "
399 "GnuTLS returned error %d", path, res);
405 DEBUG ("Successfully imported %d system CA certificates from path %s",
408 /* append the newly created cert structutes into the global GPtrArray */
409 for (idx = 0; idx < n_certs; idx++)
410 g_ptr_array_add (priv->trusted_ca_list, cert_list[idx]);
415 /* TODO: do the CRL too */
417 g_io_scheduler_job_send_to_mainloop_async (job,
418 start_verification, self, NULL);
424 empathy_tls_verifier_get_property (GObject *object,
429 EmpathyTLSVerifierPriv *priv = GET_PRIV (object);
433 case PROP_TLS_CERTIFICATE:
434 g_value_set_object (value, priv->certificate);
437 g_value_set_string (value, priv->hostname);
440 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec);
446 empathy_tls_verifier_set_property (GObject *object,
451 EmpathyTLSVerifierPriv *priv = GET_PRIV (object);
455 case PROP_TLS_CERTIFICATE:
456 priv->certificate = g_value_dup_object (value);
459 priv->hostname = g_value_dup_string (value);
462 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec);
468 empathy_tls_verifier_dispose (GObject *object)
470 EmpathyTLSVerifierPriv *priv = GET_PRIV (object);
472 if (priv->dispose_run)
475 priv->dispose_run = TRUE;
477 tp_clear_object (&priv->certificate);
479 G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->dispose (object);
483 empathy_tls_verifier_finalize (GObject *object)
485 EmpathyTLSVerifierPriv *priv = GET_PRIV (object);
487 DEBUG ("%p", object);
489 g_free (priv->hostname);
491 G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->finalize (object);
495 empathy_tls_verifier_constructed (GObject *object)
497 EmpathyTLSVerifier *self = EMPATHY_TLS_VERIFIER (object);
499 build_gnutls_cert_list (self);
501 if (G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->constructed != NULL)
502 G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->constructed (object);
506 empathy_tls_verifier_init (EmpathyTLSVerifier *self)
508 self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self,
509 EMPATHY_TYPE_TLS_VERIFIER, EmpathyTLSVerifierPriv);
513 empathy_tls_verifier_class_init (EmpathyTLSVerifierClass *klass)
516 GObjectClass *oclass = G_OBJECT_CLASS (klass);
518 g_type_class_add_private (klass, sizeof (EmpathyTLSVerifierPriv));
520 oclass->set_property = empathy_tls_verifier_set_property;
521 oclass->get_property = empathy_tls_verifier_get_property;
522 oclass->finalize = empathy_tls_verifier_finalize;
523 oclass->dispose = empathy_tls_verifier_dispose;
524 oclass->constructed = empathy_tls_verifier_constructed;
526 pspec = g_param_spec_object ("certificate", "The EmpathyTLSCertificate",
527 "The EmpathyTLSCertificate to be verified.",
528 EMPATHY_TYPE_TLS_CERTIFICATE,
529 G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);
530 g_object_class_install_property (oclass, PROP_TLS_CERTIFICATE, pspec);
532 pspec = g_param_spec_string ("hostname", "The hostname",
533 "The hostname which should be certified by the certificate.",
535 G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);
536 g_object_class_install_property (oclass, PROP_HOSTNAME, pspec);
540 empathy_tls_verifier_new (EmpathyTLSCertificate *certificate,
541 const gchar *hostname)
543 g_assert (EMPATHY_IS_TLS_CERTIFICATE (certificate));
544 g_assert (hostname != NULL);
546 return g_object_new (EMPATHY_TYPE_TLS_VERIFIER,
547 "certificate", certificate,
548 "hostname", hostname,
553 empathy_tls_verifier_verify_async (EmpathyTLSVerifier *self,
554 GAsyncReadyCallback callback,
557 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
559 priv->verify_result = g_simple_async_result_new (G_OBJECT (self),
560 callback, user_data, NULL);
562 g_io_scheduler_push_job (build_gnutls_ca_and_crl_lists,
563 self, NULL, G_PRIORITY_DEFAULT, NULL);
567 empathy_tls_verifier_verify_finish (EmpathyTLSVerifier *self,
569 EmpTLSCertificateRejectReason *reason,
572 if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (res),
575 *reason = (*error)->code;
579 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;