| blob | d5912e9a28589642dcc571d7ca6847bca1988600 |
1 /*
2 * Copyright (C) 2001-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
23 /* Some of the stuff needed for Certificate authentication is contained
24 * in this file.
25 */
27 #include <gnutls_int.h>
28 #include <gnutls_errors.h>
29 #include <auth/cert.h>
30 #include <gnutls_datum.h>
31 #include <gnutls_mpi.h>
32 #include <gnutls_global.h>
33 #include <algorithms.h>
34 #include <gnutls_dh.h>
35 #include <gnutls_str.h>
36 #include <gnutls_state.h>
37 #include <gnutls_auth.h>
38 #include <gnutls_x509.h>
39 #include <gnutls_str_array.h>
41 #ifdef ENABLE_OPENPGP
43 #endif
45 /**
46 * gnutls_certificate_free_keys:
47 * @sc: is a #gnutls_certificate_credentials_t structure.
48 *
49 * This function will delete all the keys and the certificates associated
50 * with the given credentials. This function must not be called when a
51 * TLS negotiation that uses the credentials is in progress.
52 *
53 **/
54 void
56 {
60 {
62 {
64 }
67 }
73 {
75 }
81 }
83 /**
84 * gnutls_certificate_free_cas:
85 * @sc: is a #gnutls_certificate_credentials_t structure.
86 *
87 * This function will delete all the CAs associated with the given
88 * credentials. Servers that do not use
89 * gnutls_certificate_verify_peers2() may call this to save some
90 * memory.
91 **/
92 void
94 {
95 /* FIXME: do nothing for now */
97 }
99 /**
100 * gnutls_certificate_get_issuer:
101 * @sc: is a #gnutls_certificate_credentials_t structure.
102 * @cert: is the certificate to find issuer for
103 * @issuer: Will hold the issuer if any. Should be treated as constant.
104 * @flags: Use zero.
105 *
106 * This function will return the issuer of a given certificate.
107 *
108 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
109 * negative error value.
110 *
111 * Since: 3.0
112 **/
113 int
116 {
118 }
120 /**
121 * gnutls_certificate_free_ca_names:
122 * @sc: is a #gnutls_certificate_credentials_t structure.
123 *
124 * This function will delete all the CA name in the given
125 * credentials. Clients may call this to save some memory since in
126 * client side the CA names are not used. Servers might want to use
127 * this function if a large list of trusted CAs is present and
128 * sending the names of it would just consume bandwidth without providing
129 * information to client.
130 *
131 * CA names are used by servers to advertise the CAs they support to
132 * clients.
133 **/
134 void
136 {
138 }
140 /*-
141 * _gnutls_certificate_get_rsa_params - Returns the RSA parameters pointer
142 * @rsa_params: holds the RSA parameters or NULL.
143 * @func: function to retrieve the parameters or NULL.
144 * @session: The session.
145 *
146 * This function will return the rsa parameters pointer.
147 -*/
148 gnutls_rsa_params_t
151 gnutls_session_t session)
152 {
153 gnutls_params_st params;
157 {
159 }
162 {
164 }
166 {
169 {
172 }
173 }
176 }
179 /**
180 * gnutls_certificate_free_credentials:
181 * @sc: is a #gnutls_certificate_credentials_t structure.
182 *
183 * This structure is complex enough to manipulate directly thus this
184 * helper function is provided in order to free (deallocate) it.
185 *
186 * This function does not free any temporary parameters associated
187 * with this structure (ie RSA and DH parameters are not freed by this
188 * function).
189 **/
190 void
192 {
198 #ifdef ENABLE_OPENPGP
200 #endif
203 }
206 /**
207 * gnutls_certificate_allocate_credentials:
208 * @res: is a pointer to a #gnutls_certificate_credentials_t structure.
209 *
210 * This structure is complex enough to manipulate directly thus this
211 * helper function is provided in order to allocate it.
212 *
213 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
214 **/
215 int
217 res)
218 {
228 {
232 }
238 }
241 /* returns the KX algorithms that are supported by a
242 * certificate. (Eg a certificate with RSA params, supports
243 * GNUTLS_KX_RSA algorithm).
244 * This function also uses the KeyUsage field of the certificate
245 * extensions in order to disable unneded algorithms.
246 */
247 int
251 {
252 gnutls_kx_algorithm_t kx;
258 {
261 }
268 {
271 {
272 /* then check key usage */
274 {
276 i++;
280 }
281 }
282 }
285 {
288 }
293 }
296 /**
297 * gnutls_certificate_server_set_request:
298 * @session: is a #gnutls_session_t structure.
299 * @req: is one of GNUTLS_CERT_REQUEST, GNUTLS_CERT_REQUIRE
300 *
301 * This function specifies if we (in case of a server) are going to
302 * send a certificate request message to the client. If @req is
303 * GNUTLS_CERT_REQUIRE then the server will return an error if the
304 * peer does not provide a certificate. If you do not call this
305 * function then the client will not be asked to send a certificate.
306 **/
307 void
309 gnutls_certificate_request_t req)
310 {
312 }
314 /**
315 * gnutls_certificate_client_set_retrieve_function:
316 * @cred: is a #gnutls_certificate_credentials_t structure.
317 * @func: is the callback function
318 *
319 * This function sets a callback to be called in order to retrieve the
320 * certificate to be used in the handshake.
321 * You are advised to use gnutls_certificate_set_retrieve_function2() because it
322 * is much more efficient in the processing it requires from gnutls.
323 *
324 * The callback's function prototype is:
325 * int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs,
326 * const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_retr_st* st);
327 *
328 * @req_ca_cert is only used in X.509 certificates.
329 * Contains a list with the CA names that the server considers trusted.
330 * Normally we should send a certificate that is signed
331 * by one of these CAs. These names are DER encoded. To get a more
332 * meaningful value use the function gnutls_x509_rdn_get().
333 *
334 * @pk_algos contains a list with server's acceptable signature algorithms.
335 * The certificate returned should support the server's given algorithms.
336 *
337 * @st should contain the certificates and private keys.
338 *
339 * If the callback function is provided then gnutls will call it, in the
340 * handshake, if a certificate is requested by the server (and after the
341 * certificate request message has been received).
342 *
343 * The callback function should set the certificate list to be sent,
344 * and return 0 on success. If no certificate was selected then the
345 * number of certificates should be set to zero. The value (-1)
346 * indicates error and the handshake will be terminated.
347 **/
348 void gnutls_certificate_client_set_retrieve_function
351 {
353 }
355 /**
356 * gnutls_certificate_server_set_retrieve_function:
357 * @cred: is a #gnutls_certificate_credentials_t structure.
358 * @func: is the callback function
359 *
360 * This function sets a callback to be called in order to retrieve the
361 * certificate to be used in the handshake.
362 * You are advised to use gnutls_certificate_set_retrieve_function2() because it
363 * is much more efficient in the processing it requires from gnutls.
364 *
365 * The callback's function prototype is:
366 * int (*callback)(gnutls_session_t, gnutls_retr_st* st);
367 *
368 * @st should contain the certificates and private keys.
369 *
370 * If the callback function is provided then gnutls will call it, in the
371 * handshake, after the certificate request message has been received.
372 *
373 * The callback function should set the certificate list to be sent, and
374 * return 0 on success. The value (-1) indicates error and the handshake
375 * will be terminated.
376 **/
377 void gnutls_certificate_server_set_retrieve_function
380 {
382 }
384 /**
385 * gnutls_certificate_set_retrieve_function:
386 * @cred: is a #gnutls_certificate_credentials_t structure.
387 * @func: is the callback function
388 *
389 * This function sets a callback to be called in order to retrieve the
390 * certificate to be used in the handshake. You are advised
391 * to use gnutls_certificate_set_retrieve_function2() because it
392 * is much more efficient in the processing it requires from gnutls.
393 *
394 * The callback's function prototype is:
395 * int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs,
396 * const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_retr2_st* st);
397 *
398 * @req_ca_cert is only used in X.509 certificates.
399 * Contains a list with the CA names that the server considers trusted.
400 * Normally we should send a certificate that is signed
401 * by one of these CAs. These names are DER encoded. To get a more
402 * meaningful value use the function gnutls_x509_rdn_get().
403 *
404 * @pk_algos contains a list with server's acceptable signature algorithms.
405 * The certificate returned should support the server's given algorithms.
406 *
407 * @st should contain the certificates and private keys.
408 *
409 * If the callback function is provided then gnutls will call it, in the
410 * handshake, after the certificate request message has been received.
411 *
412 * In server side pk_algos and req_ca_dn are NULL.
413 *
414 * The callback function should set the certificate list to be sent,
415 * and return 0 on success. If no certificate was selected then the
416 * number of certificates should be set to zero. The value (-1)
417 * indicates error and the handshake will be terminated.
418 *
419 * Since: 3.0
420 **/
421 void gnutls_certificate_set_retrieve_function
424 {
426 }
428 /**
429 * gnutls_certificate_set_retrieve_function2:
430 * @cred: is a #gnutls_certificate_credentials_t structure.
431 * @func: is the callback function
432 *
433 * This function sets a callback to be called in order to retrieve the
434 * certificate to be used in the handshake.
435 *
436 * The callback's function prototype is:
437 * int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs,
438 * const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_pcert_st** pcert,
439 * unsigned int *pcert_length, gnutls_privkey_t * pkey);
440 *
441 * @req_ca_cert is only used in X.509 certificates.
442 * Contains a list with the CA names that the server considers trusted.
443 * Normally we should send a certificate that is signed
444 * by one of these CAs. These names are DER encoded. To get a more
445 * meaningful value use the function gnutls_x509_rdn_get().
446 *
447 * @pk_algos contains a list with server's acceptable signature algorithms.
448 * The certificate returned should support the server's given algorithms.
449 *
450 * @pcert should contain a single certificate and public or a list of them.
451 *
452 * @pcert_length is the size of the previous list.
453 *
454 * @pkey is the private key.
455 *
456 * If the callback function is provided then gnutls will call it, in the
457 * handshake, after the certificate request message has been received.
458 *
459 * In server side pk_algos and req_ca_dn are NULL.
460 *
461 * The callback function should set the certificate list to be sent,
462 * and return 0 on success. If no certificate was selected then the
463 * number of certificates should be set to zero. The value (-1)
464 * indicates error and the handshake will be terminated.
465 *
466 * Since: 3.0
467 **/
468 void gnutls_certificate_set_retrieve_function2
471 {
473 }
475 /**
476 * gnutls_certificate_set_verify_function:
477 * @cred: is a #gnutls_certificate_credentials_t structure.
478 * @func: is the callback function
479 *
480 * This function sets a callback to be called when peer's certificate
481 * has been received in order to verify it on receipt rather than
482 * doing after the handshake is completed.
483 *
484 * The callback's function prototype is:
485 * int (*callback)(gnutls_session_t);
486 *
487 * If the callback function is provided then gnutls will call it, in the
488 * handshake, just after the certificate message has been received.
489 * To verify or obtain the certificate the gnutls_certificate_verify_peers2(),
490 * gnutls_certificate_type_get(), gnutls_certificate_get_peers() functions
491 * can be used.
492 *
493 * The callback function should return 0 for the handshake to continue
494 * or non-zero to terminate.
495 *
496 * Since: 2.10.0
497 **/
498 void
499 gnutls_certificate_set_verify_function
502 {
504 }
506 /*-
507 * _gnutls_x509_extract_certificate_activation_time - return the peer's certificate activation time
508 * @cert: should contain an X.509 DER encoded certificate
509 *
510 * This function will return the certificate's activation time in UNIX time
511 * (ie seconds since 00:00:00 UTC January 1, 1970).
512 *
513 * Returns a (time_t) -1 in case of an error.
514 *
515 -*/
516 static time_t
518 {
519 gnutls_x509_crt_t xcert;
528 {
531 }
538 }
540 /*-
541 * gnutls_x509_extract_certificate_expiration_time:
542 * @cert: should contain an X.509 DER encoded certificate
543 *
544 * This function will return the certificate's expiration time in UNIX
545 * time (ie seconds since 00:00:00 UTC January 1, 1970). Returns a
546 *
547 * (time_t) -1 in case of an error.
548 *
549 -*/
550 static time_t
552 {
553 gnutls_x509_crt_t xcert;
562 {
565 }
572 }
574 #ifdef ENABLE_OPENPGP
575 /*-
576 * _gnutls_openpgp_crt_verify_peers - return the peer's certificate status
577 * @session: is a gnutls session
578 *
579 * This function will try to verify the peer's certificate and return its status (TRUSTED, INVALID etc.).
580 * Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
581 -*/
582 static int
585 {
586 cert_auth_info_t info;
587 gnutls_certificate_credentials_t cred;
599 {
602 }
605 {
608 }
610 /* generate a list of gnutls_certs based on the auth info
611 * raw certs.
612 */
616 {
619 }
621 /* Verify certificate
622 */
623 ret =
628 {
631 }
634 }
635 #endif
637 /**
638 * gnutls_certificate_verify_peers2:
639 * @session: is a gnutls session
640 * @status: is the output of the verification
641 *
642 * This function will try to verify the peer's certificate and return
643 * its status (trusted, invalid etc.). The value of @status should
644 * be one or more of the gnutls_certificate_status_t enumerated
645 * elements bitwise or'd. To avoid denial of service attacks some
646 * default upper limits regarding the certificate key size and chain
647 * size are set. To override them use gnutls_certificate_set_verify_limits().
648 *
649 * This function will utilize the OCSP Certificate Status extension if
650 * negotiated --to enable see gnutls_ocsp_status_request_enable_client().
651 *
652 * Note that you must also check the peer's name in order to check if
653 * the verified certificate belongs to the actual peer, see gnutls_x509_crt_check_hostname().
654 *
655 * Returns: a negative error code on error and %GNUTLS_E_SUCCESS (0) on success.
656 **/
657 int
660 {
661 cert_auth_info_t info;
667 {
669 }
675 {
678 #ifdef ENABLE_OPENPGP
681 #endif
684 }
685 }
687 /**
688 * gnutls_certificate_expiration_time_peers:
689 * @session: is a gnutls session
690 *
691 * This function will return the peer's certificate expiration time.
692 *
693 * Returns: (time_t)-1 on error.
694 *
695 * Deprecated: gnutls_certificate_verify_peers2() now verifies expiration times.
696 **/
697 time_t
699 {
700 cert_auth_info_t info;
706 {
708 }
711 {
714 }
717 {
719 return
722 #ifdef ENABLE_OPENPGP
724 return
725 _gnutls_openpgp_get_raw_key_expiration_time
727 #endif
730 }
731 }
733 /**
734 * gnutls_certificate_activation_time_peers:
735 * @session: is a gnutls session
736 *
737 * This function will return the peer's certificate activation time.
738 * This is the creation time for openpgp keys.
739 *
740 * Returns: (time_t)-1 on error.
741 *
742 * Deprecated: gnutls_certificate_verify_peers2() now verifies activation times.
743 **/
744 time_t
746 {
747 cert_auth_info_t info;
753 {
755 }
758 {
761 }
764 {
766 return
769 #ifdef ENABLE_OPENPGP
771 return
774 #endif
777 }
778 }
780 /**
781 * gnutls_sign_callback_set:
782 * @session: is a gnutls session
783 * @sign_func: function pointer to application's sign callback.
784 * @userdata: void pointer that will be passed to sign callback.
785 *
786 * Set the callback function. The function must have this prototype:
787 *
788 * typedef int (*gnutls_sign_func) (gnutls_session_t session,
789 * void *userdata,
790 * gnutls_certificate_type_t cert_type,
791 * const gnutls_datum_t * cert,
792 * const gnutls_datum_t * hash,
793 * gnutls_datum_t * signature);
794 *
795 * The @userdata parameter is passed to the @sign_func verbatim, and
796 * can be used to store application-specific data needed in the
797 * callback function. See also gnutls_sign_callback_get().
798 *
799 * Deprecated: Use the PKCS 11 or #gnutls_privkey_t interfacess like gnutls_privkey_import_ext() instead.
800 **/
801 void
804 {
807 }
809 /**
810 * gnutls_sign_callback_get:
811 * @session: is a gnutls session
812 * @userdata: if non-%NULL, will be set to abstract callback pointer.
813 *
814 * Retrieve the callback function, and its userdata pointer.
815 *
816 * Returns: The function pointer set by gnutls_sign_callback_set(), or
817 * if not set, %NULL.
818 *
819 * Deprecated: Use the PKCS 11 interfaces instead.
820 **/
821 gnutls_sign_func
823 {
827 }
829 /* returns error if the certificate has different algorithm than
830 * the given key parameters.
831 */
832 int
834 {
839 {
842 }
845 }