openconnect with Belgian EID
David Woodhouse
dwmw2 at infradead.org
Fri Nov 15 06:16:52 EST 2013
On Sat, 2013-11-09 at 23:10 +0100, Nikos Mavrogiannopoulos wrote:
> Ok, it seems I've managed to implement it. If you're using
> gnutls_certificate_set_x509_key_file() ...
We're not. I think this ought to work though... ?
diff --git a/configure.ac b/configure.ac
index 357b001..72012b2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -254,6 +254,8 @@ if test "$with_gnutls" = "yes"; then
CFLAGS="$CFLAGS $GNUTLS_CFLAGS"
AC_CHECK_FUNC(gnutls_dtls_set_data_mtu,
[AC_DEFINE(HAVE_GNUTLS_DTLS_SET_DATA_MTU, 1)], [])
+ AC_CHECK_FUNC(gnutls_pkcs11_get_raw_issuer,
+ [AC_DEFINE(HAVE_GNUTLS_PKCS11_GET_RAW_ISSUER, 1)], [])
AC_CHECK_FUNC(gnutls_certificate_set_x509_system_trust,
[AC_DEFINE(HAVE_GNUTLS_CERTIFICATE_SET_X509_SYSTEM_TRUST, 1)], [])
if test "$ac_cv_func_gnutls_certificate_set_x509_system_trust" != "yes"; then
diff --git a/gnutls.c b/gnutls.c
index 2b3b45f..e57fbd6 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -397,7 +397,8 @@ static int load_pkcs12_certificate(struct openconnect_info *vpninfo,
}
/* Older versions of GnuTLS didn't actually bother to check this, so we'll
- do it for them. */
+ do it for them. Is there a bug reference for this? Or just the git commit
+ reference (c1ef7efb in master, 5196786c in gnutls_3_0_x-2)? */
static int check_issuer_sanity(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer)
{
#if GNUTLS_VERSION_NUMBER > 0x300014
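Review bot: The rewritten comment ahead of check_issuer_sanity() now commits an open question ("Is there a bug reference for this?") into the source, where it reads as a permanent TODO rather than as guidance for the next maintainer; the question belongs in the commit message or the list thread. If the commit ids are the best reference available, state them as a pointer rather than a question: `/* Older versions of GnuTLS didn't actually bother to check this, so we'll do it for them; see GnuTLS commits c1ef7efb (master) and 5196786c (gnutls_3_0_x-2). */`. The body of check_issuer_sanity() continues outside the hunk.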
@@ -1460,21 +1461,37 @@ static int load_certificate(struct openconnect_info *vpninfo)
/* Look for it in the system trust cafile too. */
err = gnutls_certificate_get_issuer(vpninfo->https_cred,
last_cert, &issuer, 0);
- if (err)
- break;
-
/* The check_issuer_sanity() function works fine as a workaround where
it was used above, but when gnutls_certificate_get_issuer() returns
a bogus cert, there's nothing we can do to fix it up. We don't get
to iterate over all the available certs like we can over our own
list. */
- if (check_issuer_sanity(last_cert, issuer)) {
- /* Hm, is there a bug reference for this? Or just the git commit
- reference (c1ef7efb in master, 5196786c in gnutls_3_0_x-2)? */
+ if (!err && check_issuer_sanity(last_cert, issuer)) {
+ gnutls_x509_crt_deinit(issuer);
vpn_progress(vpninfo, PRG_ERR,
_("WARNING: GnuTLS returned incorrect issuer certs; authentication may fail!\n"));
- break;
+ err = GNUTLS_E_INTERNAL_ERROR;
}
+
+#if defined(HAVE_P11KIT) && defined(HAVE_GNUTLS_PKCS11_GET_RAW_ISSUER)
+ if (err && cert_is_p11) {
+ gnutls_datum_t t;
+
+ err = gnutls_pkcs11_get_raw_issuer(cert_url, &t, GNUTLS_X509_FMT_DER, 0);
+ if (!err) {
+ err = gnutls_x509_crt_init(&issuer);
+ if (!err) {
+ err = gnutls_x509_crt_import(issuer, &t, GNUTLS_X509_FMT_DER);
+ if (err)
+ gnutls_x509_crt_deinit(issuer);
+ }
+ }
+ gnutls_free(t.data);
+ }
+#endif
+ if (err)
+ break;
+
}
if (issuer == last_cert) {
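Review bot: `gnutls_datum_t t;` in the PKCS#11 fallback is never initialised, yet `gnutls_free(t.data);` runs unconditionally after it, so when gnutls_pkcs11_get_raw_issuer() fails the free is handed an indeterminate pointer; initialise it, `gnutls_datum_t t = { NULL, 0 };`, or move the free inside the `if (!err)` branch. The `gnutls_x509_crt_deinit(issuer);` added after a failed check_issuer_sanity() also looks suspect: with flags 0, gnutls_certificate_get_issuer() in the GnuTLS releases of this era returned a pointer into the credentials' internal trust list rather than a copy, as far as I recall, in which case deinitialising it corrupts https_cred and can lead to a later double free — worth confirming against the targeted GnuTLS version before keeping that line. When gnutls_x509_crt_import() fails, issuer is deinitialised but left dangling before the `if (err) break;`, so whatever follows the loop must not dereference it on that path. load_certificate() begins and ends outside the hunk.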
--
dwmw2