2 * empathy-tls-verifier.c - Source for EmpathyTLSVerifier
3 * Copyright (C) 2010 Collabora Ltd.
4 * @author Cosimo Cecchi <cosimo.cecchi@collabora.co.uk>
5 * @author Stef Walter <stefw@collabora.co.uk>
7 * This library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
12 * This library is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
24 #include <gnutls/gnutls.h>
25 #include <gnutls/x509.h>
27 #include <telepathy-glib/util.h>
29 #include "empathy-tls-verifier.h"
33 #define DEBUG_FLAG EMPATHY_DEBUG_TLS
34 #include "empathy-debug.h"
35 #include "empathy-utils.h"
37 G_DEFINE_TYPE (EmpathyTLSVerifier, empathy_tls_verifier,
40 #define GET_PRIV(obj) EMPATHY_GET_PRIV (obj, EmpathyTLSVerifier);
43 PROP_TLS_CERTIFICATE = 1,
50 EmpathyTLSCertificate *certificate;
53 GSimpleAsyncResult *verify_result;
57 } EmpathyTLSVerifierPriv;
60 verification_output_to_reason (gint res,
62 EmpTLSCertificateRejectReason *reason)
64 gboolean retval = TRUE;
66 g_assert (reason != NULL);
68 if (res != GNUTLS_E_SUCCESS)
72 /* the certificate is not structurally valid */
75 case GNUTLS_E_INSUFFICIENT_CREDENTIALS:
76 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED;
78 case GNUTLS_E_CONSTRAINT_ERROR:
79 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_LIMIT_EXCEEDED;
82 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
89 /* the certificate is structurally valid, check for other errors. */
90 if (verify_output & GNUTLS_CERT_INVALID)
94 if (verify_output & GNUTLS_CERT_SIGNER_NOT_FOUND)
95 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED;
96 else if (verify_output & GNUTLS_CERT_SIGNER_NOT_CA)
97 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED;
98 else if (verify_output & GNUTLS_CERT_INSECURE_ALGORITHM)
99 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_INSECURE;
100 else if (verify_output & GNUTLS_CERT_NOT_ACTIVATED)
101 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_NOT_ACTIVATED;
102 else if (verify_output & GNUTLS_CERT_EXPIRED)
103 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_EXPIRED;
105 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
115 build_certificate_list_for_gnutls (GcrCertificateChain *chain,
116 gnutls_x509_crt_t **list,
118 gnutls_x509_crt_t **anchors,
121 GcrCertificate *cert;
123 gnutls_x509_crt_t *retval;
124 gnutls_x509_crt_t gcert;
125 gnutls_datum_t datum;
131 g_assert (n_anchors);
133 *list = *anchors = NULL;
134 *n_list = *n_anchors = 0;
136 length = gcr_certificate_chain_get_length (chain);
137 retval = g_malloc0 (sizeof (gnutls_x509_crt_t) * length);
139 /* Convert the main body of the chain to gnutls */
140 for (idx = 0; idx < length; ++idx)
142 cert = gcr_certificate_chain_get_certificate (chain, idx);
143 datum.data = (gpointer)gcr_certificate_get_der_data (cert, &n_data);
146 gnutls_x509_crt_init (&gcert);
147 if (gnutls_x509_crt_import (gcert, &datum, GNUTLS_X509_FMT_DER) < 0)
148 g_return_if_reached ();
156 /* See if we have an anchor */
157 if (gcr_certificate_chain_get_status (chain) ==
158 GCR_CERTIFICATE_CHAIN_ANCHORED)
160 cert = gcr_certificate_chain_get_anchor (chain);
161 g_return_if_fail (cert);
163 datum.data = (gpointer)gcr_certificate_get_der_data (cert, &n_data);
166 gnutls_x509_crt_init (&gcert);
167 if (gnutls_x509_crt_import (gcert, &datum, GNUTLS_X509_FMT_DER) < 0)
168 g_return_if_reached ();
170 retval = g_malloc0 (sizeof (gnutls_x509_crt_t) * 1);
178 free_certificate_list_for_gnutls (gnutls_x509_crt_t *list,
183 for (idx = 0; idx < n_list; idx++)
184 gnutls_x509_crt_deinit (list[idx]);
189 complete_verification (EmpathyTLSVerifier *self)
191 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
193 DEBUG ("Verification successful, completing...");
195 g_simple_async_result_complete_in_idle (priv->verify_result);
197 tp_clear_object (&priv->verify_result);
201 abort_verification (EmpathyTLSVerifier *self,
202 EmpTLSCertificateRejectReason reason)
204 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
206 DEBUG ("Verification error %u, aborting...", reason);
208 g_simple_async_result_set_error (priv->verify_result,
209 G_IO_ERROR, reason, "TLS verification failed with reason %u",
211 g_simple_async_result_complete_in_idle (priv->verify_result);
213 tp_clear_object (&priv->verify_result);
217 debug_certificate (GcrCertificate *cert)
219 gchar *subject = gcr_certificate_get_subject_dn (cert);
220 DEBUG ("Certificate: %s", subject);
225 debug_certificate_chain (GcrCertificateChain *chain)
227 GEnumClass *enum_class;
228 GEnumValue *enum_value;
230 GcrCertificate *cert;
232 enum_class = G_ENUM_CLASS
233 (g_type_class_peek (GCR_TYPE_CERTIFICATE_CHAIN_STATUS));
234 enum_value = g_enum_get_value (enum_class,
235 gcr_certificate_chain_get_status (chain));
236 length = gcr_certificate_chain_get_length (chain);
237 DEBUG ("Certificate chain: length %u status %s",
238 length, enum_value ? enum_value->value_nick : "XXX");
240 for (idx = 0; idx < length; ++idx)
242 cert = gcr_certificate_chain_get_certificate (chain, idx);
243 debug_certificate (cert);
248 perform_verification (EmpathyTLSVerifier *self,
249 GcrCertificateChain *chain)
251 gboolean ret = FALSE;
252 EmpTLSCertificateRejectReason reason =
253 EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
254 gnutls_x509_crt_t *list, *anchors;
255 guint n_list, n_anchors;
258 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
260 DEBUG ("Performing verification");
261 debug_certificate_chain (chain);
263 list = anchors = NULL;
264 n_list = n_anchors = 0;
267 * If the first certificate is an pinned certificate then we completely
268 * ignore the rest of the verification process.
270 if (gcr_certificate_chain_get_status (chain) == GCR_CERTIFICATE_CHAIN_PINNED)
272 DEBUG ("Found pinned certificate for %s", priv->hostname);
273 complete_verification (self);
277 build_certificate_list_for_gnutls (chain, &list, &n_list,
278 &anchors, &n_anchors);
279 if (list == NULL || n_list == 0) {
280 g_warn_if_reached ();
281 abort_verification (self, EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN);
286 res = gnutls_x509_crt_list_verify (list, n_list, anchors, n_anchors,
287 NULL, 0, 0, &verify_output);
288 ret = verification_output_to_reason (res, verify_output, &reason);
290 DEBUG ("Certificate verification gave result %d with reason %u", ret,
294 abort_verification (self, reason);
298 /* now check if the certificate matches the hostname. */
299 if (gnutls_x509_crt_check_hostname (list[0], priv->hostname) == 0)
301 gchar *certified_hostname;
303 certified_hostname = empathy_get_x509_certificate_hostname (list[0]);
304 tp_asv_set_string (priv->details,
305 "expected-hostname", priv->hostname);
306 tp_asv_set_string (priv->details,
307 "certificate-hostname", certified_hostname);
309 DEBUG ("Hostname mismatch: got %s but expected %s",
310 certified_hostname, priv->hostname);
312 g_free (certified_hostname);
313 abort_verification (self,
314 EMP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH);
318 DEBUG ("Hostname matched");
319 complete_verification (self);
322 free_certificate_list_for_gnutls (list, n_list);
323 free_certificate_list_for_gnutls (anchors, n_anchors);
327 perform_verification_cb (GObject *object,
331 GError *error = NULL;
333 GcrCertificateChain *chain = GCR_CERTIFICATE_CHAIN (object);
334 EmpathyTLSVerifier *self = EMPATHY_TLS_VERIFIER (user_data);
336 /* Even if building the chain fails, try verifying what we have */
337 if (!gcr_certificate_chain_build_finish (chain, res, &error))
339 DEBUG ("Building of certificate chain failed: %s", error->message);
340 g_clear_error (&error);
343 perform_verification (self, chain);
345 /* Matches ref when staring chain build */
346 g_object_unref (self);
350 empathy_tls_verifier_get_property (GObject *object,
355 EmpathyTLSVerifierPriv *priv = GET_PRIV (object);
359 case PROP_TLS_CERTIFICATE:
360 g_value_set_object (value, priv->certificate);
363 g_value_set_string (value, priv->hostname);
366 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec);
372 empathy_tls_verifier_set_property (GObject *object,
377 EmpathyTLSVerifierPriv *priv = GET_PRIV (object);
381 case PROP_TLS_CERTIFICATE:
382 priv->certificate = g_value_dup_object (value);
385 priv->hostname = g_value_dup_string (value);
388 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec);
394 empathy_tls_verifier_dispose (GObject *object)
396 EmpathyTLSVerifierPriv *priv = GET_PRIV (object);
398 if (priv->dispose_run)
401 priv->dispose_run = TRUE;
403 tp_clear_object (&priv->certificate);
405 G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->dispose (object);
409 empathy_tls_verifier_finalize (GObject *object)
411 EmpathyTLSVerifierPriv *priv = GET_PRIV (object);
413 DEBUG ("%p", object);
415 tp_clear_boxed (G_TYPE_HASH_TABLE, &priv->details);
416 g_free (priv->hostname);
418 G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->finalize (object);
422 empathy_tls_verifier_init (EmpathyTLSVerifier *self)
424 EmpathyTLSVerifierPriv *priv;
426 priv = self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self,
427 EMPATHY_TYPE_TLS_VERIFIER, EmpathyTLSVerifierPriv);
428 priv->details = tp_asv_new (NULL, NULL);
432 empathy_tls_verifier_class_init (EmpathyTLSVerifierClass *klass)
435 GObjectClass *oclass = G_OBJECT_CLASS (klass);
437 g_type_class_add_private (klass, sizeof (EmpathyTLSVerifierPriv));
439 oclass->set_property = empathy_tls_verifier_set_property;
440 oclass->get_property = empathy_tls_verifier_get_property;
441 oclass->finalize = empathy_tls_verifier_finalize;
442 oclass->dispose = empathy_tls_verifier_dispose;
444 pspec = g_param_spec_object ("certificate", "The EmpathyTLSCertificate",
445 "The EmpathyTLSCertificate to be verified.",
446 EMPATHY_TYPE_TLS_CERTIFICATE,
447 G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);
448 g_object_class_install_property (oclass, PROP_TLS_CERTIFICATE, pspec);
450 pspec = g_param_spec_string ("hostname", "The hostname",
451 "The hostname which should be certified by the certificate.",
453 G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);
454 g_object_class_install_property (oclass, PROP_HOSTNAME, pspec);
458 empathy_tls_verifier_new (EmpathyTLSCertificate *certificate,
459 const gchar *hostname)
461 g_assert (EMPATHY_IS_TLS_CERTIFICATE (certificate));
462 g_assert (hostname != NULL);
464 return g_object_new (EMPATHY_TYPE_TLS_VERIFIER,
465 "certificate", certificate,
466 "hostname", hostname,
471 empathy_tls_verifier_verify_async (EmpathyTLSVerifier *self,
472 GAsyncReadyCallback callback,
475 GcrCertificateChain *chain;
476 GcrCertificate *cert;
477 GPtrArray *cert_data = NULL;
480 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
482 DEBUG ("Starting verification");
484 g_return_if_fail (priv->verify_result == NULL);
486 g_object_get (priv->certificate, "cert-data", &cert_data, NULL);
487 g_return_if_fail (cert_data);
489 priv->verify_result = g_simple_async_result_new (G_OBJECT (self),
490 callback, user_data, NULL);
492 /* Create a certificate chain */
493 chain = gcr_certificate_chain_new ();
494 for (idx = 0; idx < cert_data->len; ++idx) {
495 data = g_ptr_array_index (cert_data, idx);
496 cert = gcr_simple_certificate_new (data->data, data->len);
497 gcr_certificate_chain_add (chain, cert);
498 g_object_unref (cert);
501 gcr_certificate_chain_build_async (chain, GCR_PURPOSE_CLIENT_AUTH, priv->hostname, 0,
502 NULL, perform_verification_cb, g_object_ref (self));
504 g_object_unref (chain);
505 g_boxed_free (TP_ARRAY_TYPE_UCHAR_ARRAY_LIST, cert_data);
509 empathy_tls_verifier_verify_finish (EmpathyTLSVerifier *self,
511 EmpTLSCertificateRejectReason *reason,
512 GHashTable **details,
515 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
517 if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (res),
521 *reason = (*error)->code;
525 *details = tp_asv_new (NULL, NULL);
526 tp_g_hash_table_update (*details, priv->details,
527 (GBoxedCopyFunc) g_strdup,
528 (GBoxedCopyFunc) tp_g_value_slice_dup);
535 *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
541 empathy_tls_verifier_store_exception (EmpathyTLSVerifier *self)
544 GcrCertificate *cert;
545 GPtrArray *cert_data = NULL;
546 GError *error = NULL;
547 EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
549 g_object_get (priv->certificate, "cert-data", &cert_data, NULL);
550 g_return_if_fail (cert_data);
554 DEBUG ("No certificate to pin.");
558 /* The first certificate in the chain is for the host */
559 data = g_ptr_array_index (cert_data, 0);
560 cert = gcr_simple_certificate_new ((gpointer)data->data, data->len);
562 DEBUG ("Storing pinned certificate:");
563 debug_certificate (cert);
565 if (!gcr_trust_add_pinned_certificate (cert, GCR_PURPOSE_CLIENT_AUTH,
566 priv->hostname, NULL, &error))
567 DEBUG ("Can't store the pinned certificate: %s", error->message);
569 g_object_unref (cert);
570 g_boxed_free (TP_ARRAY_TYPE_UCHAR_ARRAY_LIST, cert_data);