(xmlsec-mscng,xmsec-mscrypto,xmlsec-gnutls) Improve certificates veri…

…fication (#822)
lsh123 · Jul 18, 2024 · f15b0cb · f15b0cb
1 parent f68e012
commit f15b0cb
Show file tree

Hide file tree

Showing 22 changed files with 543 additions and 187 deletions.
diff --git a/.github/workflows/make-check.yml b/.github/workflows/make-check.yml
@@ -11,7 +11,7 @@ on:
           - xmlsec-1_2_x
 
 jobs:
-  check-ubuntu-openssl300:
+  check-ubuntu:
     runs-on: ubuntu-22.04
     strategy:
       fail-fast: false
@@ -45,7 +45,7 @@ jobs:
       run: |
           make check
 
-  check-ubuntu-openssl110:
+  check-ubuntu-openssl-111:
     runs-on: ubuntu-20.04
     strategy:
       fail-fast: false

diff --git a/docs/index.html b/docs/index.html
@@ -67,42 +67,59 @@ <h1>XML Security Library</h1>
 see the Copyright file in the distribution  for details.<br><br></p>
 <p><b>News</b></p>
 <ul>
-<li>July 11 2024<br>
+    <li>
+        TBD<br>
+        The <a href="download.html">XML Security Library 1.2.41</a> release includes the following changes:
+        <ul>
+            <li>(xmlsec-mscng,xmlsec-mscrypto) Improved certificates verification.</li>
+            <li>(xmlsec-gnutls) Added support for self-signed certificates.</li>
+            <li>Several other small fixes (see <a href="https://github.com/lsh123/xmlsec/commits/master">more details</a>).</li>
+        </ul>
+    </li>
+    <br>
+
+    <li>
+        July 11 2024<br>
         The <a href="download.html">XML Security Library 1.2.40</a> release includes the following changes:
-                <ul>
-                <li>(xmlsec-core) Fixed functions deprecated in LibXML2 2.13.1 (including disabling HTTP support by default).</li>
-                <li>(xmlsec-nss) Increased keys size in all tests to support NSS 3.101.</li>
-                <li>(windows) Added "ftp" and "http" flags in 'configure.js' (both are disabled by default).</li>
-                <li>Several other small fixes (<a href="https://github.com/lsh123/xmlsec/commits/xmlsec-1_2_x">more details</a>).</li>
-                </ul>
-</li>
-<br>
-<li>December 12 2023<br>
-The <a href="download.html">XML Security Library 1.2.39</a> release includes the following changes:
         <ul>
-        <li>Added options to enable/disable local files, HTTP, and FTP support. FTP is disabled by default.</li>
-        <li>Several other small fixes (<a href="https://github.com/lsh123/xmlsec/commits/xmlsec-1_2_x">more details</a>).</li>
+            <li>(xmlsec-core) Fixed functions deprecated in LibXML2 2.13.1 (including disabling HTTP support by default).</li>
+            <li>(xmlsec-nss) Increased keys size in all tests to support NSS 3.101.</li>
+            <li>(windows) Added "ftp" and "http" flags in 'configure.js' (both are disabled by default).</li>
+            <li>Several other small fixes (<a href="https://github.com/lsh123/xmlsec/commits/xmlsec-1_2_x">more details</a>).</li>
+        </ul>
+    </li>
+    <br>
+    <li>
+        December 12 2023<br>
+        The <a href="download.html">XML Security Library 1.2.39</a> release includes the following changes:
+        <ul>
+            <li>Added options to enable/disable local files, HTTP, and FTP support. FTP is disabled by default.</li>
+            <li>Several other small fixes (<a href="https://github.com/lsh123/xmlsec/commits/xmlsec-1_2_x">more details</a>).</li>
         </ul>
-</li>
-<br>
-<li>July 5 2023<br>
-The <a href="download.html">XML Security Library 1.2.38</a> release includes the following changes:
+    </li>
+    <br>
+    <li>
+        July 5 2023<br>
+        The <a href="download.html">XML Security Library 1.2.38</a> release includes the following changes:
         <ul>
-        <li>Fixed static linking with MinGW.</li>
-        <li>(xmlsec-mscng) Fixed block ciphers key size.</li>
-        <li>Several other small fixes (<a href="https://github.com/lsh123/xmlsec/commits/xmlsec-1_2_x">more details</a>).</li>
+            <li>Fixed static linking with MinGW.</li>
+            <li>(xmlsec-mscng) Fixed block ciphers key size.</li>
+            <li>Several other small fixes (<a href="https://github.com/lsh123/xmlsec/commits/xmlsec-1_2_x">more details</a>).</li>
         </ul>
-</li>
-<br>
-<li>November 30 2022<br>
+    </li>
+    <br>
+    <li>
+        November 30 2022<br>
         The <a href="download.html">XML Security Library 1.2.37</a> release includes the following changes:
         <ul>
-        <li>Fixed two regressions from 1.2.36 release: <a href="https://github.com/lsh123/xmlsec/issues/437">issue #437</a>
-        and <a href="https://github.com/lsh123/xmlsec/issues/449">issue #449</a>.</li>
+            <li>
+                Fixed two regressions from 1.2.36 release: <a href="https://github.com/lsh123/xmlsec/issues/437">issue #437</a>
+                and <a href="https://github.com/lsh123/xmlsec/issues/449">issue #449</a>.
+            </li>
         </ul>
-</li>
-<br>
-<li>See <a href="news.html">News page</a> for older announcements.</li>
+    </li>
+    <br>
+    <li>See <a href="news.html">News page</a> for older announcements.</li>
 </ul>
 </td></tr></table></td>
 </tr></table></body>

diff --git a/include/xmlsec/errors.h b/include/xmlsec/errors.h
@@ -347,6 +347,13 @@ extern "C" {
  */
 #define XMLSEC_ERRORS_R_CERT_HAS_EXPIRED                76
 
+ /**
+  * XMLSEC_ERRORS_R_CRL_VERIFY_FAILED:
+  *
+  * CRL verification failed.
+  */
+#define XMLSEC_ERRORS_R_CRL_VERIFY_FAILED               77
+
 /**
  * XMLSEC_ERRORS_R_DSIG_NO_REFERENCES:
  *

diff --git a/src/gnutls/x509utils.c b/src/gnutls/x509utils.c
@@ -199,6 +199,17 @@ xmlSecGnuTLSX509CertDup(gnutls_x509_crt_t src) {
     return (res);
 }
 
+
+/* returns 1 if self signed; 0 - if not; <0 on error*/
+int
+xmlSecGnuTLSX509CertIsSelfSigned(gnutls_x509_crt_t cert) {
+    unsigned ret;
+
+    xmlSecAssert2(cert != NULL, -1);
+    ret = gnutls_x509_crt_check_issuer(cert, cert);
+    return ((ret != 0) ? 1 : 0);
+}
+
 xmlChar *
 xmlSecGnuTLSX509CertGetSubjectDN(gnutls_x509_crt_t cert) {
     char* buf = NULL;

diff --git a/src/gnutls/x509utils.h b/src/gnutls/x509utils.h
@@ -46,6 +46,7 @@ xmlSecPtrListId         xmlSecGnuTLSX509CrlListGetKlass         (void);
  *
  ************************************************************************/
 gnutls_x509_crt_t       xmlSecGnuTLSX509CertDup                 (gnutls_x509_crt_t src);
+int                     xmlSecGnuTLSX509CertIsSelfSigned        (gnutls_x509_crt_t cert);
 xmlChar *               xmlSecGnuTLSX509CertGetSubjectDN        (gnutls_x509_crt_t cert);
 xmlChar *               xmlSecGnuTLSX509CertGetIssuerDN         (gnutls_x509_crt_t cert);
 xmlChar *               xmlSecGnuTLSX509CertGetIssuerSerial     (gnutls_x509_crt_t cert);

diff --git a/src/gnutls/x509vfy.c b/src/gnutls/x509vfy.c
@@ -364,27 +364,36 @@ xmlSecGnuTLSX509StoreVerify(xmlSecKeyDataStorePtr store,
             goto done;
         }
 
-        /* check if we are the "leaf" node in the certs chain */
-        if(xmlSecGnuTLSX509FindSignedCert(certs, cert) != NULL) {
-            continue;
-        }
-
-        /* build the chain */
-        for(cert2 = cert, cert_list_cur_size = 0;
-            (cert2 != NULL) && (cert_list_cur_size < cert_list_size);
-            ++cert_list_cur_size)
-        {
-            gnutls_x509_crt_t tmp;
-
-            /* store */
-            cert_list[cert_list_cur_size] = cert2;
+        if (xmlSecGnuTLSX509CertIsSelfSigned(cert) != 1) {
+            /* check if we are the "leaf" node in the certs chain */
+            if (xmlSecGnuTLSX509FindSignedCert(certs, cert) != NULL) {
+                continue;
+            }
 
-            /* find next */
-            tmp = xmlSecGnuTLSX509FindSignerCert(certs, cert2);
-            if(tmp == NULL) {
-                tmp = xmlSecGnuTLSX509FindSignerCert(&(ctx->certsUntrusted), cert2);
+            /* build the chain */
+            for (cert2 = cert, cert_list_cur_size = 0;
+                (cert2 != NULL) && (cert_list_cur_size < cert_list_size);
+                ++cert_list_cur_size)
+            {
+                gnutls_x509_crt_t tmp;
+
+                /* store */
+                cert_list[cert_list_cur_size] = cert2;
+
+                /* find next */
+                tmp = xmlSecGnuTLSX509FindSignerCert(certs, cert2);
+                if (tmp == NULL) {
+                    tmp = xmlSecGnuTLSX509FindSignerCert(&(ctx->certsUntrusted), cert2);
+                }
+                cert2 = tmp;
             }
-            cert2 = tmp;
+        } else if (certs_size == 1) {
+            /* only do self signed cert when it is the only cert */
+            /* chain for self signed cert is easy */
+            cert_list[0] = cert;
+            cert_list_cur_size = 1;
+        } else {
+            continue;
         }
 
         /* try to verify */

diff --git a/src/mscng/certkeys.c b/src/mscng/certkeys.c
@@ -60,7 +60,7 @@ xmlSecMSCngKeyDataCertGetPubkey(PCCERT_CONTEXT cert, BCRYPT_KEY_HANDLE* key) {
     xmlSecAssert2(key != NULL, -1);
 
     if(!CryptImportPublicKeyInfoEx2(X509_ASN_ENCODING,
-            &cert->pCertInfo->SubjectPublicKeyInfo,
+            &(cert->pCertInfo->SubjectPublicKeyInfo),
             0,
             NULL,
             key)) {