add warning about loading invalid certificates

git-svn-id: svn+ssh://svn.gna.org/svn/gnustep/libs/base/trunk@36009 72102866-910b-0410-8b05-ffd578937521
Richard Frith-MacDonald 2013-01-21 12:27:07 +00:00
parent 5702ee1e43
commit abb9304bbd
2 changed files with 117 additions and 76 deletions


@ -8,6 +8,8 @@
* Source/NSURLConnection.m: a synchronous download with no response * Source/NSURLConnection.m: a synchronous download with no response
body should return an empty data item rather than nil ... fix for body should return an empty data item rather than nil ... fix for
bug #38043 bug #38043
* Source/GSTLS.m: Log a warning message if we load a certificate
which has expired or is not yet valid.
2013-01-14 Richard Frith-Macdonald <rfm@gnu.org> 2013-01-14 Richard Frith-Macdonald <rfm@gnu.org>


@ -486,6 +486,88 @@ static GSTLSDHParams *paramsCurrent = nil;
static NSLock *certificateListLock = nil; static NSLock *certificateListLock = nil;
static NSMutableDictionary *certificateListCache = nil; static NSMutableDictionary *certificateListCache = nil;
+ (void) certInfo: (gnutls_x509_crt_t)cert to: (NSMutableString*)str
{
char dn[1024];
size_t dn_size = sizeof(dn);
char serial[40];
size_t serial_size = sizeof(serial);
time_t expiret;
time_t activet;
int algo;
unsigned int bits;
int i;
[str appendString: @"\n"];
[str appendFormat: _(@"- Certificate info:\n")];
expiret = gnutls_x509_crt_get_expiration_time(cert);
activet = gnutls_x509_crt_get_activation_time(cert);
[str appendFormat: _(@"- Certificate is valid since: %s"),
ctime(&activet)];
[str appendFormat: _(@"- Certificate expires: %s"),
ctime (&expiret)];
#if 0
{
char digest[20];
size_t digest_size = sizeof(digest);
if (gnutls_x509_fingerprint(GNUTLS_DIG_MD5,
&cert_list[0], digest, &digest_size) >= 0)
{
[str appendString: _(@"- Certificate fingerprint: ")];
for (i = 0; i < digest_size; i++)
{
[str appendFormat: @"%.2x ", (unsigned char)digest[i]];
}
[str appendString: @"\n"];
}
}
#endif
if (gnutls_x509_crt_get_serial(cert, serial, &serial_size) >= 0)
{
[str appendString: _(@"- Certificate serial number: ")];
for (i = 0; i < serial_size; i++)
{
[str appendFormat: @"%.2x ", (unsigned char)serial[i]];
}
[str appendString: @"\n"];
}
[str appendString: _(@"- Certificate public key: ")];
algo = gnutls_x509_crt_get_pk_algorithm(cert, &bits);
if (GNUTLS_PK_RSA == algo)
{
[str appendString: _(@"RSA\n")];
[str appendFormat: _(@"- Modulus: %d bits\n"), bits];
}
else if (GNUTLS_PK_DSA == algo)
{
[str appendString: _(@"DSA\n")];
[str appendFormat: _(@"- Exponent: %d bits\n"), bits];
}
else
{
[str appendString: _(@"UNKNOWN\n")];
}
[str appendFormat: _(@"- Certificate version: #%d\n"),
gnutls_x509_crt_get_version(cert)];
dn_size = sizeof(dn);
gnutls_x509_crt_get_dn(cert, dn, &dn_size);
dn[dn_size - 1] = '\0';
[str appendFormat: @"- Certificate DN: %@\n",
[NSString stringWithUTF8String: dn]];
dn_size = sizeof(dn);
gnutls_x509_crt_get_issuer_dn(cert, dn, &dn_size);
dn[dn_size - 1] = '\0';
[str appendFormat: _(@"- Certificate Issuer's DN: %@\n"),
[NSString stringWithUTF8String: dn]];
}
/* Method to purge older lists from cache. /* Method to purge older lists from cache.
*/ */
+ (void) housekeeping: (NSNotification*)n + (void) housekeeping: (NSNotification*)n
@ -571,6 +653,37 @@ static NSMutableDictionary *certificateListCache = nil;
memcpy(l->crts, crts, sizeof(gnutls_x509_crt_t) * count); memcpy(l->crts, crts, sizeof(gnutls_x509_crt_t) * count);
l->count = count; l->count = count;
if (count > 0)
{
time_t now = (time_t)[[NSDate date] timeIntervalSince1970];
unsigned int i;
for (i = 0; i < count; i++)
{
time_t expiret = gnutls_x509_crt_get_expiration_time(crts[i]);
time_t activet = gnutls_x509_crt_get_activation_time(crts[i]);
if (expiret <= now)
{
NSLog(@"WARNING: at index %u in %@ ... expired at %s",
i, l->path, ctime(&activet));
}
if (activet > now)
{
NSLog(@"WARNING: at index %u in %@ ... not valid until %s",
i, l->path, ctime(&activet));
}
if (expiret <= now || activet > now)
{
NSMutableString *m;
m = [NSMutableString stringWithCapacity: 2000];
[self certInfo: crts[i] to: m];
NSLog(@"%@", m);
}
}
}
[certificateListLock lock]; [certificateListLock lock];
[certificateListCache setObject: l forKey: l->path]; [certificateListCache setObject: l forKey: l->path];
[certificateListLock unlock]; [certificateListLock unlock];
@ -1558,20 +1671,10 @@ static NSMutableDictionary *credentialsCache = nil;
if (cert_list_size > 0 if (cert_list_size > 0
&& gnutls_certificate_type_get(session) == GNUTLS_CRT_X509) && gnutls_certificate_type_get(session) == GNUTLS_CRT_X509)
{ {
int cert_num; int cert_num;
for (cert_num = 0; cert_num < cert_list_size; cert_num++) for (cert_num = 0; cert_num < cert_list_size; cert_num++)
{ {
char dn[1024];
size_t dn_size = sizeof(dn);
char serial[40];
size_t serial_size = sizeof(serial);
time_t expiret;
time_t activet;
int algo;
unsigned int bits;
int i;
gnutls_x509_crt_init(&cert); gnutls_x509_crt_init(&cert);
/* NB. the list of peer certificate is in memory in native /* NB. the list of peer certificate is in memory in native
* format (DER) rather than the normal file format (PEM). * format (DER) rather than the normal file format (PEM).
@ -1582,71 +1685,7 @@ static NSMutableDictionary *credentialsCache = nil;
[str appendString: @"\n"]; [str appendString: @"\n"];
[str appendFormat: _(@"- Certificate %d info:\n"), cert_num]; [str appendFormat: _(@"- Certificate %d info:\n"), cert_num];
expiret = gnutls_x509_crt_get_expiration_time(cert); [GSTLSCertificateList certInfo: cert to: str];
activet = gnutls_x509_crt_get_activation_time(cert);
[str appendFormat: _(@"- Certificate is valid since: %s"),
ctime(&activet)];
[str appendFormat: _(@"- Certificate expires: %s"),
ctime (&expiret)];
#if 0
{
char digest[20];
size_t digest_size = sizeof(digest);
if (gnutls_x509_fingerprint(GNUTLS_DIG_MD5,
&cert_list[0], digest, &digest_size) >= 0)
{
[str appendString: _(@"- Certificate fingerprint: ")];
for (i = 0; i < digest_size; i++)
{
[str appendFormat: @"%.2x ", (unsigned char)digest[i]];
}
[str appendString: @"\n"];
}
}
#endif
if (gnutls_x509_crt_get_serial(cert, serial, &serial_size) >= 0)
{
[str appendString: _(@"- Certificate serial number: ")];
for (i = 0; i < serial_size; i++)
{
[str appendFormat: @"%.2x ", (unsigned char)serial[i]];
}
[str appendString: @"\n"];
}
[str appendString: _(@"- Certificate public key: ")];
algo = gnutls_x509_crt_get_pk_algorithm(cert, &bits);
if (GNUTLS_PK_RSA == algo)
{
[str appendString: _(@"RSA\n")];
[str appendFormat: _(@"- Modulus: %d bits\n"), bits];
}
else if (GNUTLS_PK_DSA == algo)
{
[str appendString: _(@"DSA\n")];
[str appendFormat: _(@"- Exponent: %d bits\n"), bits];
}
else
{
[str appendString: _(@"UNKNOWN\n")];
}
[str appendFormat: _(@"- Certificate version: #%d\n"),
gnutls_x509_crt_get_version(cert)];
dn_size = sizeof(dn);
gnutls_x509_crt_get_dn(cert, dn, &dn_size);
dn[dn_size - 1] = '\0';
[str appendFormat: @"- Certificate DN: %@\n",
[NSString stringWithUTF8String: dn]];
dn_size = sizeof(dn);
gnutls_x509_crt_get_issuer_dn(cert, dn, &dn_size);
dn[dn_size - 1] = '\0';
[str appendFormat: _(@"- Certificate Issuer's DN: %@\n"),
[NSString stringWithUTF8String: dn]];
gnutls_x509_crt_deinit(cert); gnutls_x509_crt_deinit(cert);
} }