(xmlsec-mscng, xmlsec-mscrypto, xmlsec-gnutls) Improve cert verificat…

…ion (#819)
lsh123 · Jul 18, 2024 · 9f76374 · 9f76374
1 parent c1f4524
commit 9f76374
Show file tree

Hide file tree

Showing 23 changed files with 499 additions and 150 deletions.
diff --git a/.github/workflows/make-check.yml b/.github/workflows/make-check.yml
@@ -11,7 +11,7 @@ on:
           - xmlsec-1_2_x
 
 jobs:
-  check-ubuntu-openssl300:
+  check-ubuntu:
     runs-on: ubuntu-22.04
     strategy:
       fail-fast: false
@@ -48,7 +48,7 @@ jobs:
       run: |
           make install
 
-  check-ubuntu-openssl111:
+  check-ubuntu-openssl-111:
     runs-on: ubuntu-20.04
     strategy:
       fail-fast: false

diff --git a/config.h.in b/config.h.in
diff --git a/docs/index.html b/docs/index.html
@@ -72,8 +72,9 @@ <h1>XML Security Library</h1>
 		<br>
 		<br>
         <ul>
-            <li>
-                (xmlsec-core) Fix deprecated functions in LibXML2 2.13.1 including disabling HTTP support
+            <li>(xmlsec-mscng,xmlsec-mscrypto) Improved certificates verification.</li>
+            <li>(xmlsec-gnutls) Added support for self-signed certificates.</li>
+            <li>(xmlsec-core) Fix deprecated functions in LibXML2 2.13.1 including disabling HTTP support
                 by default (use ''--enable-http' option to re-enable it).</li>
             <li>Several other small fixes (see <a href="https://github.com/lsh123/xmlsec/commits/master">more details</a>).</li>
         </ul>

diff --git a/src/gnutls/private.h b/src/gnutls/private.h
@@ -66,6 +66,7 @@ xmlSecPtrListPtr        xmlSecGnuTLSKeyDataX509GetCrls          (xmlSecKeyDataPt
  *
  ************************************************************************/
 gnutls_x509_crt_t       xmlSecGnuTLSX509CertDup                 (gnutls_x509_crt_t src);
+int                     xmlSecGnuTLSX509CertIsSelfSigned        (gnutls_x509_crt_t cert);
 xmlChar *               xmlSecGnuTLSX509CertGetSubjectDN        (gnutls_x509_crt_t cert);
 xmlChar *               xmlSecGnuTLSX509CertGetIssuerDN         (gnutls_x509_crt_t cert);
 xmlChar *               xmlSecGnuTLSX509CertGetIssuerSerial     (gnutls_x509_crt_t cert);

diff --git a/src/gnutls/x509utils.c b/src/gnutls/x509utils.c
@@ -197,6 +197,17 @@ xmlSecGnuTLSX509CertDup(gnutls_x509_crt_t src) {
     return (res);
 }
 
+
+/* returns 1 if self signed; 0 - if not; <0 on error*/
+int
+xmlSecGnuTLSX509CertIsSelfSigned(gnutls_x509_crt_t cert) {
+    unsigned ret;
+
+    xmlSecAssert2(cert != NULL, -1);
+    ret = gnutls_x509_crt_check_issuer(cert, cert);
+    return ((ret != 0) ? 1 : 0);
+}
+
 xmlChar *
 xmlSecGnuTLSX509CertGetSubjectDN(gnutls_x509_crt_t cert) {
     char* buf = NULL;

diff --git a/src/gnutls/x509vfy.c b/src/gnutls/x509vfy.c
@@ -655,18 +655,27 @@ xmlSecGnuTLSX509StoreVerify(xmlSecKeyDataStorePtr store,
             goto done;
         }
 
-        /* check if we are the "leaf" node in the certs chain */
-        if(xmlSecGnuTLSX509FindSignedCert(certs, cert) != NULL) {
+        if(xmlSecGnuTLSX509CertIsSelfSigned(cert) != 1) {
+            /* check if we are the "leaf" node in the certs chain */
+            if(xmlSecGnuTLSX509FindSignedCert(certs, cert) != NULL) {
+                continue;
+            }
+
+            /* build the chain */
+            ret = xmlSecGnuTLSX509StoreGetCertsChain(ctx, cert, certs, certs_chain, certs_chain_size, &certs_chain_cur_size);
+            if(ret < 0) {
+                xmlSecInternalError("xmlSecPtrListGetItem(certs)", xmlSecKeyDataStoreGetName(store));
+                goto done;
+            }
+        } else if (certs_size == 1) {
+            /* only do self signed cert when it is the only cert */
+            /* chain for self signed cert is easy */
+            certs_chain[0] = cert;
+            certs_chain_cur_size = 1;
+        } else {
             continue;
         }
 
-        /* build the chain */
-        ret = xmlSecGnuTLSX509StoreGetCertsChain(ctx, cert, certs, certs_chain, certs_chain_size, &certs_chain_cur_size);
-        if(ret < 0) {
-            xmlSecInternalError("xmlSecPtrListGetItem(certs)", xmlSecKeyDataStoreGetName(store));
-            goto done;
-        }
-
         /* try to verify */
         ret = xmlSecGnuTLSX509StoreVerifyCert(ctx,
             certs_chain, certs_chain_cur_size,

diff --git a/src/mscng/certkeys.c b/src/mscng/certkeys.c
@@ -52,7 +52,7 @@ xmlSecMSCngKeyDataCertGetPubkey(PCCERT_CONTEXT cert, BCRYPT_KEY_HANDLE* key) {
     xmlSecAssert2(key != NULL, -1);
 
     if(!CryptImportPublicKeyInfoEx2(X509_ASN_ENCODING,
-            &cert->pCertInfo->SubjectPublicKeyInfo,
+            &(cert->pCertInfo->SubjectPublicKeyInfo),
             0,
             NULL,
             key)) {

diff --git a/src/mscng/x509vfy.c b/src/mscng/x509vfy.c
@@ -397,6 +397,42 @@ xmlSecMSCngCheckRevocation(HCERTSTORE store, PCCERT_CONTEXT cert) {
     return(0);
 }
 
+/* this function does NOT check for time validity (see xmlSecMSCngVerifyCertTime)
+*  returns <0 if there is an error; 0 if verification failed and >0 if verification succeeded */
+static int
+xmlSecMSCngX509StoreVerifySubject(PCCERT_CONTEXT cert, PCCERT_CONTEXT issuerCert) {
+    DWORD flags;
+    BOOL ret;
+
+    xmlSecAssert2(cert != NULL, -1);
+    xmlSecAssert2(issuerCert != NULL, -1);
+
+    flags = CERT_STORE_REVOCATION_FLAG | CERT_STORE_SIGNATURE_FLAG;
+    ret = CertVerifySubjectCertificateContext(cert, issuerCert, &flags);
+    if (!ret) {
+        xmlSecMSCngLastError("CertVerifySubjectCertificateContext", NULL);
+        return(-1);
+    }
+
+    /* parse returned flags: https://learn.microsoft.com/en-us/previous-versions/windows/embedded/ms883939(v=msdn.10) */
+    if ((flags & CERT_STORE_SIGNATURE_FLAG) != 0) {
+        xmlSecOtherError(XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
+            NULL,
+            "CertVerifySubjectCertificateContext: CERT_STORE_SIGNATURE_FLAG");
+        return(0);
+    } else if (((flags & CERT_STORE_REVOCATION_FLAG) != 0) && ((flags & CERT_STORE_NO_CRL_FLAG) == 0)) {
+        /* If CERT_STORE_REVOCATION_FLAG is enabled and the issuer does not have a CRL in the store,
+        then CERT_STORE_NO_CRL_FLAG is set in addition to CERT_STORE_REVOCATION_FLAG. */
+        xmlSecOtherError(XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
+            NULL,
+            "CertVerifySubjectCertificateContext: CERT_STORE_REVOCATION_FLAG");
+        return(0);
+    }
+
+    /* success */
+    return(1);
+}
+
 /**
  * xmlSecMSCngX509StoreContainsCert:
  * @store: the certificate store
@@ -412,37 +448,39 @@ static int
 xmlSecMSCngX509StoreContainsCert(HCERTSTORE store, CERT_NAME_BLOB* name,
         PCCERT_CONTEXT cert)
 {
-    PCCERT_CONTEXT issuerCert = NULL;
-    DWORD flags;
+    PCCERT_CONTEXT storeCert = NULL;
     int ret;
 
     xmlSecAssert2(store != NULL, -1);
     xmlSecAssert2(name != NULL, -1);
     xmlSecAssert2(cert != NULL, -1);
 
-    issuerCert = CertFindCertificateInStore(store,
+    storeCert = CertFindCertificateInStore(store,
         X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
         0,
         CERT_FIND_SUBJECT_NAME,
         name,
         NULL);
-    if(issuerCert != NULL) {
-        flags = CERT_STORE_REVOCATION_FLAG | CERT_STORE_SIGNATURE_FLAG;
-        ret = CertVerifySubjectCertificateContext(cert,
-            issuerCert,
-            &flags);
-        if(ret == 0) {
-            xmlSecOtherError(XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
-                NULL,
-                "CertVerifySubjectCertificateContext");
-            CertFreeCertificateContext(issuerCert);
-            return(-1);
-        }
-        CertFreeCertificateContext(issuerCert);
-        return(1);
+    if (storeCert == NULL) {
+        return (0);
     }
 
-    return(0);
+    ret = xmlSecMSCngX509StoreVerifySubject(cert, storeCert);
+    if (ret < 0) {
+        xmlSecInternalError("xmlSecMSCngX509StoreVerifySubject", NULL);
+        CertFreeCertificateContext(storeCert);
+        return(-1);
+    } else if (ret == 0) {
+        xmlSecOtherError(XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
+            NULL,
+            "xmlSecMSCngX509StoreVerifySubject");
+        CertFreeCertificateContext(storeCert);
+        return(-1);
+    }
+
+    /* success */
+    CertFreeCertificateContext(storeCert);
+    return(1);
 }
 
 static int
@@ -451,14 +489,14 @@ xmlSecMSCngVerifyCertTime(PCCERT_CONTEXT cert, LPFILETIME time) {
     xmlSecAssert2(cert->pCertInfo != NULL, -1);
     xmlSecAssert2(time != NULL, -1);
 
-    if(CompareFileTime(&cert->pCertInfo->NotBefore, time) == 1) {
+    if(CompareFileTime(&(cert->pCertInfo->NotBefore), time) == 1) {
         xmlSecOtherError(XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
             NULL,
             "CompareFileTime");
         return(-1);
     }
 
-    if(CompareFileTime(&cert->pCertInfo->NotAfter, time) == -1) {
+    if(CompareFileTime(&(cert->pCertInfo->NotAfter), time) == -1) {
         xmlSecOtherError(XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
             NULL,
             "CompareFileTime");
@@ -485,13 +523,13 @@ xmlSecMSCngX509StoreVerifyCertificateOwn(PCCERT_CONTEXT cert, FILETIME* time,
     HCERTSTORE trustedStore, HCERTSTORE untrustedStore, HCERTSTORE certStore
 ) {
     PCCERT_CONTEXT issuerCert = NULL;
-    DWORD flags;
     int ret;
 
     xmlSecAssert2(cert != NULL, -1);
     xmlSecAssert2(trustedStore != NULL, -1);
     xmlSecAssert2(certStore != NULL, -1);
 
+    /* check certificate validity and revokation */
     ret = xmlSecMSCngVerifyCertTime(cert, time);
     if(ret < 0) {
         xmlSecInternalError("xmlSecMSCngVerifyCertTime", NULL);
@@ -506,19 +544,18 @@ xmlSecMSCngX509StoreVerifyCertificateOwn(PCCERT_CONTEXT cert, FILETIME* time,
 
     /* does trustedStore contain cert directly? */
     ret = xmlSecMSCngX509StoreContainsCert(trustedStore,
-        &cert->pCertInfo->Subject, cert);
+        &(cert->pCertInfo->Subject), cert);
     if(ret < 0) {
         xmlSecInternalError("xmlSecMSCngX509StoreContainsCert", NULL);
         return(-1);
-    }
-    if(ret == 1) {
+    } else  if(ret == 1) {
         /* success */
         return(1);
     }
 
     /* does trustedStore contain the issuer cert? */
     ret = xmlSecMSCngX509StoreContainsCert(trustedStore,
-        &cert->pCertInfo->Issuer, cert);
+        &(cert->pCertInfo->Issuer), cert);
     if(ret < 0) {
         xmlSecInternalError("xmlSecMSCngX509StoreContainsCert", NULL);
         return(-1);
@@ -529,8 +566,8 @@ xmlSecMSCngX509StoreVerifyCertificateOwn(PCCERT_CONTEXT cert, FILETIME* time,
 
     /* is cert self-signed? no recursion in that case */
     if(CertCompareCertificateName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
-            &cert->pCertInfo->Subject,
-            &cert->pCertInfo->Issuer)) {
+            &(cert->pCertInfo->Subject),
+            &(cert->pCertInfo->Issuer))) {
         /* not verified */
         return(0);
     }
@@ -540,14 +577,19 @@ xmlSecMSCngX509StoreVerifyCertificateOwn(PCCERT_CONTEXT cert, FILETIME* time,
         X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
         0,
         CERT_FIND_SUBJECT_NAME,
-        &cert->pCertInfo->Issuer,
+        &(cert->pCertInfo->Issuer),
         NULL);
     if(issuerCert != NULL) {
-        flags = CERT_STORE_REVOCATION_FLAG | CERT_STORE_SIGNATURE_FLAG;
-        ret = CertVerifySubjectCertificateContext(cert, issuerCert, &flags);
-        if(ret == 0) {
-            xmlSecOtherError(XMLSEC_ERRORS_R_CERT_VERIFY_FAILED, NULL,
-                "CertVerifySubjectCertificateContext");
+        ret = xmlSecMSCngX509StoreVerifySubject(cert, issuerCert);
+        if (ret < 0) {
+            xmlSecInternalError("xmlSecMSCngX509StoreVerifySubject", NULL);
+            CertFreeCertificateContext(issuerCert);
+            return(-1);
+        }
+        else if (ret == 0) {
+            xmlSecOtherError(XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
+                NULL,
+                "xmlSecMSCngX509StoreVerifySubject");
             CertFreeCertificateContext(issuerCert);
             return(-1);
         }
@@ -571,14 +613,19 @@ xmlSecMSCngX509StoreVerifyCertificateOwn(PCCERT_CONTEXT cert, FILETIME* time,
         X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
         0,
         CERT_FIND_SUBJECT_NAME,
-        &cert->pCertInfo->Issuer,
+        &(cert->pCertInfo->Issuer),
         NULL);
     if(issuerCert != NULL) {
-        flags = CERT_STORE_REVOCATION_FLAG | CERT_STORE_SIGNATURE_FLAG;
-        ret = CertVerifySubjectCertificateContext(cert, issuerCert, &flags);
-        if(ret == 0) {
-            xmlSecOtherError(XMLSEC_ERRORS_R_CERT_VERIFY_FAILED, NULL,
-                "CertVerifySubjectCertificateContext");
+        ret = xmlSecMSCngX509StoreVerifySubject(cert, issuerCert);
+        if (ret < 0) {
+            xmlSecInternalError("xmlSecMSCngX509StoreVerifySubject", NULL);
+            CertFreeCertificateContext(issuerCert);
+            return(-1);
+        }
+        else if (ret == 0) {
+            xmlSecOtherError(XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
+                NULL,
+                "xmlSecMSCngX509StoreVerifySubject");
             CertFreeCertificateContext(issuerCert);
             return(-1);
         }