tls-session: change trusted-keys() validation

trusted-keys() is an alternative trust anchor, e.g. we don't need to have a valid peer certificate in this case. Even if it is invalid, trusted-keys() can forcibly accept it. This was not the case thus far, it was an _additional_ restriction. Signed-off-by: Balazs Scheidler <[email protected]>
axoflow · Jun 2, 2024 · 39e4122 · 39e4122
1 parent e7b8620
commit 39e4122
Showing 1 changed file with 26 additions and 4 deletions.
diff --git a/lib/transport/tls-session.c b/lib/transport/tls-session.c
@@ -123,10 +123,13 @@ tls_session_verify_fingerprint(X509_STORE_CTX *ctx)
   if (!cert)
     return match;
 
+
   hash = g_string_sized_new(EVP_MAX_MD_SIZE * 3);
 
   if (tls_get_x509_digest(cert, hash))
     {
+      msg_debug("Validating certificate against trusted-keys()",
+                evt_tag_str("x509-digest", hash->str));
       do
         {
           if (strcmp((const gchar *)(current_fingerprint->data), hash->str) == 0)
@@ -195,11 +198,30 @@ tls_session_verify(TLSSession *self, int ok, X509_STORE_CTX *ctx)
 
   int ctx_error_depth = X509_STORE_CTX_get_error_depth(ctx);
   /* accept certificate if its fingerprint matches, again regardless whether x509 certificate validation was successful */
-  if (ok && ctx_error_depth == 0 && !tls_session_verify_fingerprint(ctx))
+
+  if (ctx_error_depth == 0 && self->ctx->trusted_fingerprint_list)
     {
-      msg_notice("Certificate valid, but fingerprint constraints were not met, rejecting",
-                 tls_context_format_location_tag(self->ctx));
-      return 0;
+      /* trusted-keys() is present */
+      if (ok)
+        {
+          /* this is an extra constraint */
+          if (!tls_session_verify_fingerprint(ctx))
+            {
+              msg_notice("Certificate valid, but fingerprint constraints were not met, rejecting",
+                         tls_context_format_location_tag(self->ctx));
+              return 0;
+            }
+        }
+      else
+        {
+          /* this is a trust anchor that forces the key to be valid */
+          if (tls_session_verify_fingerprint(ctx))
+            {
+              msg_notice("Certificate accepted due to being present on trusted-keys()",
+                         tls_context_format_location_tag(self->ctx));
+              return 1;
+            }
+        }
     }
 
   X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);