search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
guile: Change tests to use priority strings.
[gnutls.git] / lib / gnutls_x509.c
blob3cf9f1dba5c19d092aa272de81ab5e3dc71eda08
1 /*
2 * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010
3 * Free Software Foundation, Inc.
4 *
5 * Author: Nikos Mavrogiannopoulos
6 *
7 * This file is part of GnuTLS.
8 *
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
22 * USA
23 *
24 */
25
26 #include <gnutls_int.h>
27 #include "gnutls_auth.h"
28 #include "gnutls_errors.h"
29 #include <gnutls_cert.h>
30 #include <auth_cert.h>
31 #include "gnutls_dh.h"
32 #include "gnutls_num.h"
33 #include "gnutls_datum.h"
34 #include <gnutls_pk.h>
35 #include <gnutls_algorithms.h>
36 #include <gnutls_global.h>
37 #include <gnutls_record.h>
38 #include <gnutls_sig.h>
39 #include <gnutls_state.h>
40 #include <gnutls_pk.h>
41 #include <gnutls_str.h>
42 #include <debug.h>
43 #include <x509_b64.h>
44 #include <gnutls_x509.h>
45 #include "x509/common.h"
46 #include "x509/x509_int.h"
47 #include "read-file.h"
48
49 /*
50 * some x509 certificate parsing functions.
51 */
52
53 /* Check if the number of bits of the key in the certificate
54 * is unacceptable.
55 */
56 inline static int
57 check_bits (gnutls_x509_crt_t crt, unsigned int max_bits)
58 {
59 int ret;
60 unsigned int bits;
61
62 ret = gnutls_x509_crt_get_pk_algorithm (crt, &bits);
63 if (ret < 0)
64 {
65 gnutls_assert ();
66 return ret;
67 }
68
69 if (bits > max_bits && max_bits > 0)
70 {
71 gnutls_assert ();
72 return GNUTLS_E_CONSTRAINT_ERROR;
73 }
74
75 return 0;
76 }
77
78
79 #define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) { \
80 if (peer_certificate_list[x]) \
81 gnutls_x509_crt_deinit(peer_certificate_list[x]); \
82 } \
83 gnutls_free( peer_certificate_list)
84
85 /*-
86 * _gnutls_x509_cert_verify_peers - return the peer's certificate status
87 * @session: is a gnutls session
88 *
89 * This function will try to verify the peer's certificate and return its status (TRUSTED, REVOKED etc.).
90 * The return value (status) should be one of the gnutls_certificate_status_t enumerated elements.
91 * However you must also check the peer's name in order to check if the verified certificate belongs to the
92 * actual peer. Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
93 -*/
94 int
95 _gnutls_x509_cert_verify_peers (gnutls_session_t session,
96 unsigned int *status)
97 {
98 cert_auth_info_t info;
99 gnutls_certificate_credentials_t cred;
100 gnutls_x509_crt_t *peer_certificate_list;
101 int peer_certificate_list_size, i, x, ret;
102
103 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
104
105 info = _gnutls_get_auth_info (session);
106 if (info == NULL)
107 {
108 gnutls_assert ();
109 return GNUTLS_E_INVALID_REQUEST;
110 }
111
112 cred = (gnutls_certificate_credentials_t)
113 _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL);
114 if (cred == NULL)
115 {
116 gnutls_assert ();
117 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
118 }
119
120 if (info->raw_certificate_list == NULL || info->ncerts == 0)
121 return GNUTLS_E_NO_CERTIFICATE_FOUND;
122
123 if (info->ncerts > cred->verify_depth && cred->verify_depth > 0)
124 {
125 gnutls_assert ();
126 return GNUTLS_E_CONSTRAINT_ERROR;
127 }
128
129 /* generate a list of gnutls_certs based on the auth info
130 * raw certs.
131 */
132 peer_certificate_list_size = info->ncerts;
133 peer_certificate_list =
134 gnutls_calloc (peer_certificate_list_size, sizeof (gnutls_x509_crt_t));
135 if (peer_certificate_list == NULL)
136 {
137 gnutls_assert ();
138 return GNUTLS_E_MEMORY_ERROR;
139 }
140
141 for (i = 0; i < peer_certificate_list_size; i++)
142 {
143 ret = gnutls_x509_crt_init (&peer_certificate_list[i]);
144 if (ret < 0)
145 {
146 gnutls_assert ();
147 CLEAR_CERTS;
148 return ret;
149 }
150
151 ret =
152 gnutls_x509_crt_import (peer_certificate_list[i],
153 &info->raw_certificate_list[i],
154 GNUTLS_X509_FMT_DER);
155 if (ret < 0)
156 {
157 gnutls_assert ();
158 CLEAR_CERTS;
159 return ret;
160 }
161
162 ret = check_bits (peer_certificate_list[i], cred->verify_bits);
163 if (ret < 0)
164 {
165 gnutls_assert ();
166 CLEAR_CERTS;
167 return ret;
168 }
169
170 }
171
172 /* Verify certificate
173 */
174
175 ret = gnutls_x509_trust_list_verify_crt (cred->tlist, peer_certificate_list,
176 peer_certificate_list_size,
177 cred->verify_flags | session->internals.
178 priorities.additional_verify_flags,
179 status, NULL);
180
181 CLEAR_CERTS;
182
183 if (ret < 0)
184 {
185 gnutls_assert ();
186 return ret;
187 }
188
189 return 0;
190 }
191
192 /*
193 * Read certificates and private keys, from files, memory etc.
194 */
195
196 /* returns error if the certificate has different algorithm than
197 * the given key parameters.
198 */
199 static int
200 _gnutls_check_key_cert_match (gnutls_certificate_credentials_t res)
201 {
202 unsigned int pk = res->cert_list[res->ncerts - 1][0].subject_pk_algorithm;
203
204 if (gnutls_privkey_get_pk_algorithm (res->pkey[res->ncerts - 1], NULL) !=
205 pk)
206 {
207 gnutls_assert ();
208 return GNUTLS_E_CERTIFICATE_KEY_MISMATCH;
209 }
210
211 return 0;
212 }
213
214 /* Reads a DER encoded certificate list from memory and stores it to a
215 * gnutls_cert structure. Returns the number of certificates parsed.
216 */
217 static int
218 parse_der_cert_mem (gnutls_certificate_credentials_t res,
219 const void *input_cert, int input_cert_size)
220 {
221 gnutls_datum_t tmp;
222 gnutls_x509_crt_t crt;
223 gnutls_cert *ccert;
224 int ret;
225
226 ccert = gnutls_malloc (sizeof (*ccert));
227 if (ccert == NULL)
228 {
229 gnutls_assert ();
230 return GNUTLS_E_MEMORY_ERROR;
231 }
232
233 ret = gnutls_x509_crt_init (&crt);
234 if (ret < 0)
235 {
236 gnutls_assert ();
237 goto cleanup;
238 }
239
240 tmp.data = (opaque *) input_cert;
241 tmp.size = input_cert_size;
242
243 ret = gnutls_x509_crt_import (crt, &tmp, GNUTLS_X509_FMT_DER);
244 if (ret < 0)
245 {
246 gnutls_assert ();
247 gnutls_x509_crt_deinit (crt);
248 goto cleanup;
249 }
250
251 ret = _gnutls_x509_crt_to_gcert (ccert, crt, 0);
252 gnutls_x509_crt_deinit (crt);
253
254 if (ret < 0)
255 {
256 gnutls_assert ();
257 goto cleanup;
258 }
259
260 ret = certificate_credential_append_crt_list (res, ccert, 1);
261 if (ret < 0)
262 {
263 gnutls_assert ();
264 goto cleanup;
265 }
266
267 return ret;
268
269 cleanup:
270 gnutls_free (ccert);
271 return ret;
272 }
273
274 /* Reads a base64 encoded certificate list from memory and stores it to
275 * a gnutls_cert structure. Returns the number of certificate parsed.
276 */
277 static int
278 parse_pem_cert_mem (gnutls_certificate_credentials_t res,
279 const char *input_cert, int input_cert_size)
280 {
281 int size, siz2;
282 const char *ptr;
283 opaque *ptr2;
284 gnutls_datum_t tmp;
285 int ret, count, i;
286 gnutls_cert *certs = NULL;
287
288 /* move to the certificate
289 */
290 ptr = memmem (input_cert, input_cert_size,
291 PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
292 if (ptr == NULL)
293 ptr = memmem (input_cert, input_cert_size,
294 PEM_CERT_SEP2, sizeof (PEM_CERT_SEP2) - 1);
295
296 if (ptr == NULL)
297 {
298 gnutls_assert ();
299 return GNUTLS_E_BASE64_DECODING_ERROR;
300 }
301 size = input_cert_size - (ptr - input_cert);
302
303 count = 0;
304
305 do
306 {
307
308 siz2 = _gnutls_fbase64_decode (NULL, ptr, size, &ptr2);
309 if (siz2 < 0)
310 {
311 gnutls_assert ();
312 ret = GNUTLS_E_BASE64_DECODING_ERROR;
313 goto cleanup;
314 }
315
316 certs = gnutls_realloc_fast (certs, (count + 1) * sizeof (gnutls_cert));
317
318 if (certs == NULL)
319 {
320 gnutls_assert ();
321 ret = GNUTLS_E_MEMORY_ERROR;
322 goto cleanup;
323 }
324
325 tmp.data = ptr2;
326 tmp.size = siz2;
327
328 ret = _gnutls_x509_raw_cert_to_gcert (&certs[count], &tmp, 0);
329 if (ret < 0)
330 {
331 gnutls_assert ();
332 goto cleanup;
333 }
334
335 _gnutls_free_datum (&tmp); /* free ptr2 */
336
337 /* now we move ptr after the pem header
338 */
339 ptr++;
340 /* find the next certificate (if any)
341 */
342 size = input_cert_size - (ptr - input_cert);
343
344 if (size > 0)
345 {
346 char *ptr3;
347
348 ptr3 = memmem (ptr, size, PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
349 if (ptr3 == NULL)
350 ptr3 = memmem (ptr, size, PEM_CERT_SEP2,
351 sizeof (PEM_CERT_SEP2) - 1);
352
353 ptr = ptr3;
354 }
355 else
356 ptr = NULL;
357
358 count++;
359
360 }
361 while (ptr != NULL);
362
363 ret = certificate_credential_append_crt_list (res, certs, count);
364 if (ret < 0)
365 {
366 gnutls_assert ();
367 goto cleanup;
368 }
369
370 return count;
371
372 cleanup:
373 for (i=0;i<count;i++)
374 _gnutls_gcert_deinit(&certs[i]);
375 gnutls_free(certs);
376 return ret;
377 }
378
379
380
381 /* Reads a DER or PEM certificate from memory
382 */
383 static int
384 read_cert_mem (gnutls_certificate_credentials_t res, const void *cert,
385 int cert_size, gnutls_x509_crt_fmt_t type)
386 {
387 int ret;
388
389 if (type == GNUTLS_X509_FMT_DER)
390 ret = parse_der_cert_mem (res, cert, cert_size);
391 else
392 ret = parse_pem_cert_mem (res, cert, cert_size);
393
394 if (ret < 0)
395 {
396 gnutls_assert ();
397 return ret;
398 }
399
400 return ret;
401 }
402
403 static int
404 _gnutls_x509_raw_privkey_to_privkey (gnutls_privkey_t * privkey,
405 const gnutls_datum_t * raw_key,
406 gnutls_x509_crt_fmt_t type)
407 {
408 gnutls_x509_privkey_t tmpkey;
409 int ret;
410
411 ret = gnutls_x509_privkey_init (&tmpkey);
412 if (ret < 0)
413 {
414 gnutls_assert ();
415 return ret;
416 }
417
418 ret = gnutls_x509_privkey_import (tmpkey, raw_key, type);
419 if (ret < 0)
420 {
421 gnutls_assert ();
422 gnutls_x509_privkey_deinit (tmpkey);
423 return ret;
424 }
425
426 ret = gnutls_privkey_init (privkey);
427 if (ret < 0)
428 {
429 gnutls_assert ();
430 gnutls_x509_privkey_deinit (tmpkey);
431 return ret;
432 }
433
434 ret =
435 gnutls_privkey_import_x509 (*privkey, tmpkey,
436 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
437 if (ret < 0)
438 {
439 gnutls_assert ();
440 gnutls_x509_privkey_deinit (tmpkey);
441 gnutls_privkey_deinit (*privkey);
442 return ret;
443 }
444
445 return 0;
446 }
447
448 /* Reads a PEM encoded PKCS-1 RSA/DSA private key from memory. Type
449 * indicates the certificate format. KEY can be NULL, to indicate
450 * that GnuTLS doesn't know the private key.
451 */
452 static int
453 read_key_mem (gnutls_certificate_credentials_t res,
454 const void *key, int key_size, gnutls_x509_crt_fmt_t type)
455 {
456 int ret;
457 gnutls_datum_t tmp;
458 gnutls_privkey_t privkey;
459
460 if (key)
461 {
462 tmp.data = (opaque *) key;
463 tmp.size = key_size;
464
465 ret = _gnutls_x509_raw_privkey_to_privkey (&privkey, &tmp, type);
466 if (ret < 0)
467 {
468 gnutls_assert ();
469 return ret;
470 }
471
472 ret = certificate_credentials_append_pkey (res, privkey);
473 if (ret < 0)
474 {
475 gnutls_assert ();
476 gnutls_privkey_deinit (privkey);
477 return ret;
478 }
479
480 }
481 else
482 {
483 gnutls_assert ();
484 return GNUTLS_E_INVALID_REQUEST;
485 }
486
487
488 return 0;
489 }
490
491 /* Reads a private key from a token.
492 */
493 static int
494 read_key_url (gnutls_certificate_credentials_t res, const char *url)
495 {
496 int ret;
497 gnutls_pkcs11_privkey_t key1 = NULL;
498 gnutls_privkey_t pkey = NULL;
499
500 /* allocate space for the pkey list
501 */
502
503 ret = gnutls_pkcs11_privkey_init (&key1);
504 if (ret < 0)
505 {
506 gnutls_assert ();
507 return ret;
508 }
509
510 ret = gnutls_pkcs11_privkey_import_url (key1, url, 0);
511 if (ret < 0)
512 {
513 gnutls_assert ();
514 goto cleanup;
515 }
516
517 ret = gnutls_privkey_init (&pkey);
518 if (ret < 0)
519 {
520 gnutls_assert ();
521 goto cleanup;
522 }
523
524 ret =
525 gnutls_privkey_import_pkcs11 (pkey, key1,
526 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
527 if (ret < 0)
528 {
529 gnutls_assert ();
530 goto cleanup;
531 }
532
533 ret = certificate_credentials_append_pkey (res, pkey);
534 if (ret < 0)
535 {
536 gnutls_assert ();
537 goto cleanup;
538 }
539
540 return 0;
541
542 cleanup:
543 if (pkey)
544 gnutls_privkey_deinit (pkey);
545
546 if (key1)
547 gnutls_pkcs11_privkey_deinit (key1);
548
549 return ret;
550 }
551
552 /* Reads a private key from a token.
553 */
554 static int
555 read_cas_url (gnutls_certificate_credentials_t res, const char *url)
556 {
557 int ret;
558 gnutls_x509_crt_t *xcrt_list = NULL;
559 gnutls_pkcs11_obj_t *pcrt_list = NULL;
560 unsigned int pcrt_list_size = 0;
561
562 /* FIXME: should we use login? */
563 ret =
564 gnutls_pkcs11_obj_list_import_url (NULL, &pcrt_list_size, url,
565 GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED, 0);
566 if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
567 {
568 gnutls_assert ();
569 return ret;
570 }
571
572 if (pcrt_list_size == 0)
573 {
574 gnutls_assert ();
575 return 0;
576 }
577
578 pcrt_list = gnutls_malloc (sizeof (*pcrt_list) * pcrt_list_size);
579 if (pcrt_list == NULL)
580 {
581 gnutls_assert ();
582 return GNUTLS_E_MEMORY_ERROR;
583 }
584
585 ret =
586 gnutls_pkcs11_obj_list_import_url (pcrt_list, &pcrt_list_size, url,
587 GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED, 0);
588 if (ret < 0)
589 {
590 gnutls_assert ();
591 goto cleanup;
592 }
593
594 xcrt_list = gnutls_malloc (sizeof (*xcrt_list) * pcrt_list_size);
595 if (xcrt_list == NULL)
596 {
597 gnutls_assert ();
598 ret = GNUTLS_E_MEMORY_ERROR;
599 goto cleanup;
600 }
601
602 ret =
603 gnutls_x509_crt_list_import_pkcs11 (xcrt_list, pcrt_list_size, pcrt_list,
604 0);
605 if (xcrt_list == NULL)
606 {
607 gnutls_assert ();
608 ret = GNUTLS_E_MEMORY_ERROR;
609 goto cleanup;
610 }
611
612 ret = gnutls_x509_trust_list_add_cas(res->tlist, xcrt_list, pcrt_list_size, 0);
613 if (ret < 0)
614 {
615 gnutls_assert();
616 goto cleanup;
617 }
618
619 cleanup:
620 gnutls_free (xcrt_list);
621 gnutls_free (pcrt_list);
622
623 return ret;
624
625 }
626
627
628 /* Reads a private key from a token.
629 */
630 static int
631 read_cert_url (gnutls_certificate_credentials_t res, const char *url)
632 {
633 int ret;
634 gnutls_x509_crt_t crt;
635 gnutls_cert *ccert;
636
637 ccert = gnutls_malloc (sizeof (*ccert));
638 if (ccert == NULL)
639 {
640 gnutls_assert ();
641 return GNUTLS_E_MEMORY_ERROR;
642 }
643
644 ret = gnutls_x509_crt_init (&crt);
645 if (ret < 0)
646 {
647 gnutls_assert ();
648 gnutls_free (ccert);
649 return ret;
650 }
651
652 ret = gnutls_x509_crt_import_pkcs11_url (crt, url, 0);
653 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
654 ret =
655 gnutls_x509_crt_import_pkcs11_url (crt, url,
656 GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
657
658 if (ret < 0)
659 {
660 gnutls_assert ();
661 gnutls_free (ccert);
662 gnutls_x509_crt_deinit (crt);
663 return ret;
664 }
665
666 ret = _gnutls_x509_crt_to_gcert (ccert, crt, 0);
667 gnutls_x509_crt_deinit (crt);
668
669 if (ret < 0)
670 {
671 gnutls_assert ();
672 gnutls_free (ccert);
673 return ret;
674 }
675
676 ret = certificate_credential_append_crt_list (res, ccert, 1);
677 if (ret < 0)
678 {
679 gnutls_assert ();
680 gnutls_free (ccert);
681 return ret;
682 }
683
684 return 0;
685
686 }
687
688 /* Reads a certificate file
689 */
690 static int
691 read_cert_file (gnutls_certificate_credentials_t res,
692 const char *certfile, gnutls_x509_crt_fmt_t type)
693 {
694 int ret;
695 size_t size;
696 char *data;
697
698 if (strncmp (certfile, "pkcs11:", 7) == 0)
699 {
700 return read_cert_url (res, certfile);
701 }
702
703 data = read_binary_file (certfile, &size);
704
705 if (data == NULL)
706 {
707 gnutls_assert ();
708 return GNUTLS_E_FILE_ERROR;
709 }
710
711 ret = read_cert_mem (res, data, size, type);
712 free (data);
713
714 return ret;
715
716 }
717
718
719
720 /* Reads PKCS-1 RSA private key file or a DSA file (in the format openssl
721 * stores it).
722 */
723 static int
724 read_key_file (gnutls_certificate_credentials_t res,
725 const char *keyfile, gnutls_x509_crt_fmt_t type)
726 {
727 int ret;
728 size_t size;
729 char *data;
730
731 if (strncmp (keyfile, "pkcs11:", 7) == 0)
732 {
733 return read_key_url (res, keyfile);
734 }
735
736 data = read_binary_file (keyfile, &size);
737
738 if (data == NULL)
739 {
740 gnutls_assert ();
741 return GNUTLS_E_FILE_ERROR;
742 }
743
744 ret = read_key_mem (res, data, size, type);
745 free (data);
746
747 return ret;
748 }
749
750 /**
751 * gnutls_certificate_set_x509_key_mem:
752 * @res: is a #gnutls_certificate_credentials_t structure.
753 * @cert: contains a certificate list (path) for the specified private key
754 * @key: is the private key, or %NULL
755 * @type: is PEM or DER
756 *
757 * This function sets a certificate/private key pair in the
758 * gnutls_certificate_credentials_t structure. This function may be called
759 * more than once (in case multiple keys/certificates exist for the
760 * server).
761 *
762 * Currently are supported: RSA PKCS-1 encoded private keys,
763 * DSA private keys.
764 *
765 * DSA private keys are encoded the OpenSSL way, which is an ASN.1
766 * DER sequence of 6 INTEGERs - version, p, q, g, pub, priv.
767 *
768 * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates
769 * is supported. This means that certificates intended for signing cannot
770 * be used for ciphersuites that require encryption.
771 *
772 * If the certificate and the private key are given in PEM encoding
773 * then the strings that hold their values must be null terminated.
774 *
775 * The @key may be %NULL if you are using a sign callback, see
776 * gnutls_sign_callback_set().
777 *
778 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
779 **/
780 int
781 gnutls_certificate_set_x509_key_mem (gnutls_certificate_credentials_t res,
782 const gnutls_datum_t * cert,
783 const gnutls_datum_t * key,
784 gnutls_x509_crt_fmt_t type)
785 {
786 int ret;
787
788 /* this should be first
789 */
790 if ((ret = read_key_mem (res, key ? key->data : NULL,
791 key ? key->size : 0, type)) < 0)
792 return ret;
793
794 if ((ret = read_cert_mem (res, cert->data, cert->size, type)) < 0)
795 return ret;
796
797 res->ncerts++;
798
799 if (key && (ret = _gnutls_check_key_cert_match (res)) < 0)
800 {
801 gnutls_assert ();
802 return ret;
803 }
804
805 return 0;
806 }
807
808 int
809 certificate_credential_append_crt_list (gnutls_certificate_credentials_t res,
810 gnutls_cert * crt, int nr)
811 {
812 res->cert_list = gnutls_realloc_fast (res->cert_list,
813 (1 +
814 res->ncerts) *
815 sizeof (gnutls_cert *));
816 if (res->cert_list == NULL)
817 {
818 gnutls_assert ();
819 return GNUTLS_E_MEMORY_ERROR;
820 }
821
822 res->cert_list_length = gnutls_realloc_fast (res->cert_list_length,
823 (1 +
824 res->ncerts) * sizeof (int));
825 if (res->cert_list_length == NULL)
826 {
827 gnutls_assert ();
828 return GNUTLS_E_MEMORY_ERROR;
829 }
830
831 res->cert_list[res->ncerts] = crt;
832 res->cert_list_length[res->ncerts] = nr;
833
834 return 0;
835
836 }
837
838 int
839 certificate_credentials_append_pkey (gnutls_certificate_credentials_t res,
840 gnutls_privkey_t pkey)
841 {
842 res->pkey = gnutls_realloc_fast (res->pkey,
843 (1 + res->ncerts) *
844 sizeof (gnutls_privkey_t));
845 if (res->pkey == NULL)
846 {
847 gnutls_assert ();
848 return GNUTLS_E_MEMORY_ERROR;
849 }
850
851 res->pkey[res->ncerts] = pkey;
852 return 0;
853
854 }
855
856 /**
857 * gnutls_certificate_set_x509_key:
858 * @res: is a #gnutls_certificate_credentials_t structure.
859 * @cert_list: contains a certificate list (path) for the specified private key
860 * @cert_list_size: holds the size of the certificate list
861 * @key: is a gnutls_x509_privkey_t key
862 *
863 * This function sets a certificate/private key pair in the
864 * gnutls_certificate_credentials_t structure. This function may be
865 * called more than once (in case multiple keys/certificates exist for
866 * the server). For clients that wants to send more than its own end
867 * entity certificate (e.g., also an intermediate CA cert) then put
868 * the certificate chain in @cert_list.
869 *
870 *
871 *
872 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
873 *
874 * Since: 2.4.0
875 **/
876 int
877 gnutls_certificate_set_x509_key (gnutls_certificate_credentials_t res,
878 gnutls_x509_crt_t * cert_list,
879 int cert_list_size,
880 gnutls_x509_privkey_t key)
881 {
882 int ret, i;
883 gnutls_privkey_t pkey;
884 gnutls_cert *pcerts = NULL;
885
886 /* this should be first
887 */
888 ret = gnutls_privkey_init (&pkey);
889 if (ret < 0)
890 {
891 gnutls_assert ();
892 return ret;
893 }
894
895 ret = gnutls_privkey_import_x509 (pkey, key, 0);
896 if (ret < 0)
897 {
898 gnutls_assert ();
899 return ret;
900 }
901
902 ret = certificate_credentials_append_pkey (res, pkey);
903 if (ret < 0)
904 {
905 gnutls_assert ();
906 return ret;
907 }
908
909 /* load certificates */
910 pcerts = gnutls_malloc (sizeof (gnutls_cert) * cert_list_size);
911 if (pcerts == NULL)
912 {
913 gnutls_assert ();
914 return GNUTLS_E_MEMORY_ERROR;
915 }
916
917 for (i = 0; i < cert_list_size; i++)
918 {
919 ret = _gnutls_x509_crt_to_gcert (&pcerts[i], cert_list[i], 0);
920 if (ret < 0)
921 {
922 gnutls_assert ();
923 return ret;
924 }
925 }
926
927 ret = certificate_credential_append_crt_list (res, pcerts, cert_list_size);
928 if (ret < 0)
929 {
930 gnutls_assert ();
931 return ret;
932 }
933
934 res->ncerts++;
935
936 if ((ret = _gnutls_check_key_cert_match (res)) < 0)
937 {
938 gnutls_assert ();
939 return ret;
940 }
941
942 return 0;
943 }
944
945 /**
946 * gnutls_certificate_set_x509_key_file:
947 * @res: is a #gnutls_certificate_credentials_t structure.
948 * @certfile: is a file that containing the certificate list (path) for
949 * the specified private key, in PKCS7 format, or a list of certificates
950 * @keyfile: is a file that contains the private key
951 * @type: is PEM or DER
952 *
953 * This function sets a certificate/private key pair in the
954 * gnutls_certificate_credentials_t structure. This function may be
955 * called more than once (in case multiple keys/certificates exist for
956 * the server). For clients that wants to send more than its own end
957 * entity certificate (e.g., also an intermediate CA cert) then put
958 * the certificate chain in @certfile.
959 *
960 * Currently only PKCS-1 encoded RSA and DSA private keys are accepted by
961 * this function.
962 *
963 * This function can also accept PKCS #11 URLs. In that case it
964 * will import the private key and certificate indicated by the urls.
965 *
966 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
967 **/
968 int
969 gnutls_certificate_set_x509_key_file (gnutls_certificate_credentials_t res,
970 const char *certfile,
971 const char *keyfile,
972 gnutls_x509_crt_fmt_t type)
973 {
974 int ret;
975
976 /* this should be first
977 */
978 if ((ret = read_key_file (res, keyfile, type)) < 0)
979 return ret;
980
981 if ((ret = read_cert_file (res, certfile, type)) < 0)
982 return ret;
983
984 res->ncerts++;
985
986 if ((ret = _gnutls_check_key_cert_match (res)) < 0)
987 {
988 gnutls_assert ();
989 return ret;
990 }
991
992 return 0;
993 }
994
995 static int
996 add_new_crt_to_rdn_seq (gnutls_certificate_credentials_t res, gnutls_x509_crt_t* crts,
997 unsigned int crt_size)
998 {
999 gnutls_datum_t tmp;
1000 int ret;
1001 size_t newsize;
1002 unsigned char *newdata;
1003 unsigned i;
1004
1005 /* Add DN of the last added CAs to the RDN sequence
1006 * This will be sent to clients when a certificate
1007 * request message is sent.
1008 */
1009
1010 /* FIXME: in case of a client it is not needed
1011 * to do that. This would save time and memory.
1012 * However we don't have that information available
1013 * here.
1014 * Further, this function is now much more efficient,
1015 * so optimizing that is less important.
1016 */
1017
1018 for (i = 0; i < crt_size; i++)
1019 {
1020 if ((ret = gnutls_x509_crt_get_raw_dn (crts[i], &tmp)) < 0)
1021 {
1022 gnutls_assert ();
1023 return ret;
1024 }
1025
1026 newsize = res->x509_rdn_sequence.size + 2 + tmp.size;
1027 if (newsize < res->x509_rdn_sequence.size)
1028 {
1029 gnutls_assert ();
1030 _gnutls_free_datum (&tmp);
1031 return GNUTLS_E_SHORT_MEMORY_BUFFER;
1032 }
1033
1034 newdata = gnutls_realloc (res->x509_rdn_sequence.data, newsize);
1035 if (newdata == NULL)
1036 {
1037 gnutls_assert ();
1038 _gnutls_free_datum (&tmp);
1039 return GNUTLS_E_MEMORY_ERROR;
1040 }
1041
1042 _gnutls_write_datum16 (newdata + res->x509_rdn_sequence.size, tmp);
1043 _gnutls_free_datum (&tmp);
1044
1045 res->x509_rdn_sequence.size = newsize;
1046 res->x509_rdn_sequence.data = newdata;
1047 }
1048
1049 return 0;
1050 }
1051
1052 /* Returns 0 if it's ok to use the gnutls_kx_algorithm_t with this
1053 * certificate (uses the KeyUsage field).
1054 */
1055 int
1056 _gnutls_check_key_usage (const gnutls_cert * cert, gnutls_kx_algorithm_t alg)
1057 {
1058 unsigned int key_usage = 0;
1059 int encipher_type;
1060
1061 if (cert == NULL)
1062 {
1063 gnutls_assert ();
1064 return GNUTLS_E_INTERNAL_ERROR;
1065 }
1066
1067 if (_gnutls_map_kx_get_cred (alg, 1) == GNUTLS_CRD_CERTIFICATE ||
1068 _gnutls_map_kx_get_cred (alg, 0) == GNUTLS_CRD_CERTIFICATE)
1069 {
1070
1071 key_usage = cert->key_usage;
1072
1073 encipher_type = _gnutls_kx_encipher_type (alg);
1074
1075 if (key_usage != 0 && encipher_type != CIPHER_IGN)
1076 {
1077 /* If key_usage has been set in the certificate
1078 */
1079
1080 if (encipher_type == CIPHER_ENCRYPT)
1081 {
1082 /* If the key exchange method requires an encipher
1083 * type algorithm, and key's usage does not permit
1084 * encipherment, then fail.
1085 */
1086 if (!(key_usage & GNUTLS_KEY_KEY_ENCIPHERMENT))
1087 {
1088 gnutls_assert ();
1089 return GNUTLS_E_KEY_USAGE_VIOLATION;
1090 }
1091 }
1092
1093 if (encipher_type == CIPHER_SIGN)
1094 {
1095 /* The same as above, but for sign only keys
1096 */
1097 if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
1098 {
1099 gnutls_assert ();
1100 return GNUTLS_E_KEY_USAGE_VIOLATION;
1101 }
1102 }
1103 }
1104 }
1105 return 0;
1106 }
1107
1108 static int
1109 parse_pem_ca_mem (gnutls_certificate_credentials_t res,
1110 const opaque * input_cert, int input_cert_size)
1111 {
1112 gnutls_x509_crt_t *x509_cert_list;
1113 unsigned int x509_ncerts;
1114 gnutls_datum tmp;
1115 int ret;
1116
1117 tmp.data = (void*)input_cert;
1118 tmp.size = input_cert_size;
1119
1120 ret = gnutls_x509_crt_list_import2( &x509_cert_list, &x509_ncerts, &tmp,
1121 GNUTLS_X509_FMT_PEM, 0);
1122 if (ret < 0)
1123 {
1124 gnutls_assert();
1125 return ret;
1126 }
1127
1128 if ((ret = add_new_crt_to_rdn_seq (res, x509_cert_list, x509_ncerts)) < 0)
1129 {
1130 gnutls_assert();
1131 goto cleanup;
1132 }
1133
1134 ret = gnutls_x509_trust_list_add_cas(res->tlist, x509_cert_list, x509_ncerts, 0);
1135 if (ret < 0)
1136 {
1137 gnutls_assert();
1138 goto cleanup;
1139 }
1140
1141 cleanup:
1142 gnutls_free(x509_cert_list);
1143 return ret;
1144 }
1145
1146 /* Reads a DER encoded certificate list from memory and stores it to a
1147 * gnutls_cert structure. Returns the number of certificates parsed.
1148 */
1149 static int
1150 parse_der_ca_mem (gnutls_certificate_credentials_t res,
1151 const void *input_cert, int input_cert_size)
1152 {
1153 gnutls_x509_crt_t crt;
1154 gnutls_datum tmp;
1155 int ret;
1156
1157 tmp.data = (void*)input_cert;
1158 tmp.size = input_cert_size;
1159
1160 ret = gnutls_x509_crt_init( &crt);
1161 if (ret < 0)
1162 {
1163 gnutls_assert();
1164 return ret;
1165 }
1166
1167 ret = gnutls_x509_crt_import( crt, &tmp, GNUTLS_X509_FMT_DER);
1168 if (ret < 0)
1169 {
1170 gnutls_assert();
1171 goto cleanup;
1172 }
1173
1174 if ((ret = add_new_crt_to_rdn_seq (res, &crt, 1)) < 0)
1175 {
1176 gnutls_assert();
1177 goto cleanup;
1178 }
1179
1180 ret = gnutls_x509_trust_list_add_cas(res->tlist, &crt, 1, 0);
1181 if (ret < 0)
1182 {
1183 gnutls_assert();
1184 goto cleanup;
1185 }
1186
1187 return ret;
1188
1189 cleanup:
1190 gnutls_x509_crt_deinit(crt);
1191 return ret;
1192 }
1193
1194 /**
1195 * gnutls_certificate_set_x509_trust_mem:
1196 * @res: is a #gnutls_certificate_credentials_t structure.
1197 * @ca: is a list of trusted CAs or a DER certificate
1198 * @type: is DER or PEM
1199 *
1200 * This function adds the trusted CAs in order to verify client or
1201 * server certificates. In case of a client this is not required to be
1202 * called if the certificates are not verified using
1203 * gnutls_certificate_verify_peers2(). This function may be called
1204 * multiple times.
1205 *
1206 * In case of a server the CAs set here will be sent to the client if
1207 * a certificate request is sent. This can be disabled using
1208 * gnutls_certificate_send_x509_rdn_sequence().
1209 *
1210 * Returns: the number of certificates processed or a negative value
1211 * on error.
1212 **/
1213 int
1214 gnutls_certificate_set_x509_trust_mem (gnutls_certificate_credentials_t res,
1215 const gnutls_datum_t * ca,
1216 gnutls_x509_crt_fmt_t type)
1217 {
1218 int ret;
1219
1220 if (type == GNUTLS_X509_FMT_DER)
1221 ret = parse_der_ca_mem (res,
1222 ca->data, ca->size);
1223 else
1224 ret = parse_pem_ca_mem (res,
1225 ca->data, ca->size);
1226
1227 return ret;
1228 }
1229
1230 /**
1231 * gnutls_certificate_set_x509_trust:
1232 * @res: is a #gnutls_certificate_credentials_t structure.
1233 * @ca_list: is a list of trusted CAs
1234 * @ca_list_size: holds the size of the CA list
1235 *
1236 * This function adds the trusted CAs in order to verify client
1237 * or server certificates. In case of a client this is not required
1238 * to be called if the certificates are not verified using
1239 * gnutls_certificate_verify_peers2().
1240 * This function may be called multiple times.
1241 *
1242 * In case of a server the CAs set here will be sent to the client if
1243 * a certificate request is sent. This can be disabled using
1244 * gnutls_certificate_send_x509_rdn_sequence().
1245 *
1246 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1247 *
1248 * Since: 2.4.0
1249 **/
1250 int
1251 gnutls_certificate_set_x509_trust (gnutls_certificate_credentials_t res,
1252 gnutls_x509_crt_t * ca_list,
1253 int ca_list_size)
1254 {
1255 int ret, i, j;
1256 gnutls_x509_crt_t new_list[ca_list_size];
1257
1258 for (i = 0; i < ca_list_size; i++)
1259 {
1260 ret = gnutls_x509_crt_init (&new_list[i]);
1261 if (ret < 0)
1262 {
1263 gnutls_assert ();
1264 goto cleanup;
1265 }
1266
1267 ret = _gnutls_x509_crt_cpy (new_list[i], ca_list[i]);
1268 if (ret < 0)
1269 {
1270 gnutls_assert ();
1271 goto cleanup;
1272 }
1273 }
1274
1275 if ((ret = add_new_crt_to_rdn_seq (res, new_list, ca_list_size)) < 0)
1276 {
1277 gnutls_assert();
1278 goto cleanup;
1279 }
1280
1281 ret = gnutls_x509_trust_list_add_cas(res->tlist, new_list, ca_list_size, 0);
1282 if (ret < 0)
1283 {
1284 gnutls_assert ();
1285 goto cleanup;
1286 }
1287
1288 return ret;
1289
1290 cleanup:
1291 for (j=0;j<i;i++)
1292 gnutls_x509_crt_deinit(new_list[j]);
1293
1294 return ret;
1295 }
1296
1297
1298 /**
1299 * gnutls_certificate_set_x509_trust_file:
1300 * @res: is a #gnutls_certificate_credentials_t structure.
1301 * @cafile: is a file containing the list of trusted CAs (DER or PEM list)
1302 * @type: is PEM or DER
1303 *
1304 * This function adds the trusted CAs in order to verify client or
1305 * server certificates. In case of a client this is not required to
1306 * be called if the certificates are not verified using
1307 * gnutls_certificate_verify_peers2(). This function may be called
1308 * multiple times.
1309 *
1310 * In case of a server the names of the CAs set here will be sent to
1311 * the client if a certificate request is sent. This can be disabled
1312 * using gnutls_certificate_send_x509_rdn_sequence().
1313 *
1314 * This function can also accept PKCS #11 URLs. In that case it
1315 * will import all certificates that are marked as trusted.
1316 *
1317 * Returns: number of certificates processed, or a negative value on
1318 * error.
1319 **/
1320 int
1321 gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t res,
1322 const char *cafile,
1323 gnutls_x509_crt_fmt_t type)
1324 {
1325 int ret;
1326 size_t size;
1327 char *data;
1328
1329 if (strncmp (cafile, "pkcs11:", 7) == 0)
1330 {
1331 return read_cas_url (res, cafile);
1332 }
1333
1334 data = read_binary_file (cafile, &size);
1335 if (data == NULL)
1336 {
1337 gnutls_assert ();
1338 return GNUTLS_E_FILE_ERROR;
1339 }
1340
1341 if (type == GNUTLS_X509_FMT_DER)
1342 ret = parse_der_ca_mem (res, data, size);
1343 else
1344 ret = parse_pem_ca_mem (res, data, size);
1345
1346 free (data);
1347
1348 if (ret < 0)
1349 {
1350 gnutls_assert ();
1351 return ret;
1352 }
1353
1354 return ret;
1355 }
1356
1357 #ifdef ENABLE_PKI
1358
1359 static int
1360 parse_pem_crl_mem (gnutls_x509_trust_list_t tlist,
1361 const opaque * input_crl, int input_crl_size)
1362 {
1363 gnutls_x509_crl_t *x509_crl_list;
1364 unsigned int x509_ncrls;
1365 gnutls_datum tmp;
1366 int ret;
1367
1368 tmp.data = (void*)input_crl;
1369 tmp.size = input_crl_size;
1370
1371 ret = gnutls_x509_crl_list_import2( &x509_crl_list, &x509_ncrls, &tmp,
1372 GNUTLS_X509_FMT_PEM, 0);
1373 if (ret < 0)
1374 {
1375 gnutls_assert();
1376 return ret;
1377 }
1378
1379 ret = gnutls_x509_trust_list_add_crls(tlist, x509_crl_list, x509_ncrls, 0, 0);
1380 if (ret < 0)
1381 {
1382 gnutls_assert();
1383 goto cleanup;
1384 }
1385
1386 cleanup:
1387 gnutls_free(x509_crl_list);
1388 return ret;
1389 }
1390
1391 /* Reads a DER encoded certificate list from memory and stores it to a
1392 * gnutls_cert structure. Returns the number of certificates parsed.
1393 */
1394 static int
1395 parse_der_crl_mem (gnutls_x509_trust_list_t tlist,
1396 const void *input_crl, int input_crl_size)
1397 {
1398 gnutls_x509_crl_t crl;
1399 gnutls_datum tmp;
1400 int ret;
1401
1402 tmp.data = (void*)input_crl;
1403 tmp.size = input_crl_size;
1404
1405 ret = gnutls_x509_crl_init( &crl);
1406 if (ret < 0)
1407 {
1408 gnutls_assert();
1409 return ret;
1410 }
1411
1412 ret = gnutls_x509_crl_import( crl, &tmp, GNUTLS_X509_FMT_DER);
1413 if (ret < 0)
1414 {
1415 gnutls_assert();
1416 goto cleanup;
1417 }
1418
1419 ret = gnutls_x509_trust_list_add_crls(tlist, &crl, 1, 0, 0);
1420 if (ret < 0)
1421 {
1422 gnutls_assert();
1423 goto cleanup;
1424 }
1425
1426 return ret;
1427
1428 cleanup:
1429 gnutls_x509_crl_deinit(crl);
1430 return ret;
1431
1432 }
1433
1434
1435 /* Reads a DER or PEM CRL from memory
1436 */
1437 static int
1438 read_crl_mem (gnutls_certificate_credentials_t res, const void *crl,
1439 int crl_size, gnutls_x509_crt_fmt_t type)
1440 {
1441 int ret;
1442
1443 if (type == GNUTLS_X509_FMT_DER)
1444 ret = parse_der_crl_mem (res->tlist, crl, crl_size);
1445 else
1446 ret = parse_pem_crl_mem (res->tlist, crl, crl_size);
1447
1448 if (ret < 0)
1449 {
1450 gnutls_assert ();
1451 }
1452
1453 return ret;
1454 }
1455
1456 /**
1457 * gnutls_certificate_set_x509_crl_mem:
1458 * @res: is a #gnutls_certificate_credentials_t structure.
1459 * @CRL: is a list of trusted CRLs. They should have been verified before.
1460 * @type: is DER or PEM
1461 *
1462 * This function adds the trusted CRLs in order to verify client or
1463 * server certificates. In case of a client this is not required to
1464 * be called if the certificates are not verified using
1465 * gnutls_certificate_verify_peers2(). This function may be called
1466 * multiple times.
1467 *
1468 * Returns: number of CRLs processed, or a negative value on error.
1469 **/
1470 int
1471 gnutls_certificate_set_x509_crl_mem (gnutls_certificate_credentials_t res,
1472 const gnutls_datum_t * CRL,
1473 gnutls_x509_crt_fmt_t type)
1474 {
1475 return read_crl_mem (res, CRL->data, CRL->size, type);
1476 }
1477
1478 /**
1479 * gnutls_certificate_set_x509_crl:
1480 * @res: is a #gnutls_certificate_credentials_t structure.
1481 * @crl_list: is a list of trusted CRLs. They should have been verified before.
1482 * @crl_list_size: holds the size of the crl_list
1483 *
1484 * This function adds the trusted CRLs in order to verify client or
1485 * server certificates. In case of a client this is not required to
1486 * be called if the certificates are not verified using
1487 * gnutls_certificate_verify_peers2(). This function may be called
1488 * multiple times.
1489 *
1490 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1491 *
1492 * Since: 2.4.0
1493 **/
1494 int
1495 gnutls_certificate_set_x509_crl (gnutls_certificate_credentials_t res,
1496 gnutls_x509_crl_t * crl_list,
1497 int crl_list_size)
1498 {
1499 int ret, i, j;
1500 gnutls_x509_crl_t new_crl[crl_list_size];
1501
1502 for (i = 0; i < crl_list_size; i++)
1503 {
1504 ret = gnutls_x509_crl_init (&new_crl[i]);
1505 if (ret < 0)
1506 {
1507 gnutls_assert ();
1508 goto cleanup;
1509 }
1510
1511 ret = _gnutls_x509_crl_cpy (new_crl[i], crl_list[i]);
1512 if (ret < 0)
1513 {
1514 gnutls_assert ();
1515 goto cleanup;
1516 }
1517 }
1518
1519 ret = gnutls_x509_trust_list_add_crls(res->tlist, new_crl, crl_list_size, 0, 0);
1520 if (ret < 0)
1521 {
1522 gnutls_assert ();
1523 goto cleanup;
1524 }
1525
1526 return ret;
1527
1528 cleanup:
1529 for (j=0;j<i;j++)
1530 gnutls_x509_crl_deinit(new_crl[j]);
1531
1532 return ret;
1533 }
1534
1535 /**
1536 * gnutls_certificate_set_x509_crl_file:
1537 * @res: is a #gnutls_certificate_credentials_t structure.
1538 * @crlfile: is a file containing the list of verified CRLs (DER or PEM list)
1539 * @type: is PEM or DER
1540 *
1541 * This function adds the trusted CRLs in order to verify client or server
1542 * certificates. In case of a client this is not required
1543 * to be called if the certificates are not verified using
1544 * gnutls_certificate_verify_peers2().
1545 * This function may be called multiple times.
1546 *
1547 * Returns: number of CRLs processed or a negative value on error.
1548 **/
1549 int
1550 gnutls_certificate_set_x509_crl_file (gnutls_certificate_credentials_t res,
1551 const char *crlfile,
1552 gnutls_x509_crt_fmt_t type)
1553 {
1554 int ret;
1555 size_t size;
1556 char *data = read_binary_file (crlfile, &size);
1557
1558 if (data == NULL)
1559 {
1560 gnutls_assert ();
1561 return GNUTLS_E_FILE_ERROR;
1562 }
1563
1564 if (type == GNUTLS_X509_FMT_DER)
1565 ret = parse_der_crl_mem (res->tlist, data, size);
1566 else
1567 ret = parse_pem_crl_mem (res->tlist, data, size);
1568
1569 free (data);
1570
1571 if (ret < 0)
1572 {
1573 gnutls_assert ();
1574 return ret;
1575 }
1576
1577 return ret;
1578 }
1579
1580 #include <gnutls/pkcs12.h>
1581
1582 static int
1583 parse_pkcs12 (gnutls_certificate_credentials_t res,
1584 gnutls_pkcs12_t p12,
1585 const char *password,
1586 gnutls_x509_privkey_t * key,
1587 gnutls_x509_crt_t * cert, gnutls_x509_crl_t * crl)
1588 {
1589 gnutls_pkcs12_bag_t bag = NULL;
1590 int idx = 0;
1591 int ret;
1592 size_t cert_id_size = 0;
1593 size_t key_id_size = 0;
1594 opaque cert_id[20];
1595 opaque key_id[20];
1596 int privkey_ok = 0;
1597
1598 *cert = NULL;
1599 *key = NULL;
1600 *crl = NULL;
1601
1602 /* find the first private key */
1603 for (;;)
1604 {
1605 int elements_in_bag;
1606 int i;
1607
1608 ret = gnutls_pkcs12_bag_init (&bag);
1609 if (ret < 0)
1610 {
1611 bag = NULL;
1612 gnutls_assert ();
1613 goto done;
1614 }
1615
1616 ret = gnutls_pkcs12_get_bag (p12, idx, bag);
1617 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1618 break;
1619 if (ret < 0)
1620 {
1621 gnutls_assert ();
1622 goto done;
1623 }
1624
1625 ret = gnutls_pkcs12_bag_get_type (bag, 0);
1626 if (ret < 0)
1627 {
1628 gnutls_assert ();
1629 goto done;
1630 }
1631
1632 if (ret == GNUTLS_BAG_ENCRYPTED)
1633 {
1634 ret = gnutls_pkcs12_bag_decrypt (bag, password);
1635 if (ret < 0)
1636 {
1637 gnutls_assert ();
1638 goto done;
1639 }
1640 }
1641
1642 elements_in_bag = gnutls_pkcs12_bag_get_count (bag);
1643 if (elements_in_bag < 0)
1644 {
1645 gnutls_assert ();
1646 goto done;
1647 }
1648
1649 for (i = 0; i < elements_in_bag; i++)
1650 {
1651 int type;
1652 gnutls_datum_t data;
1653
1654 type = gnutls_pkcs12_bag_get_type (bag, i);
1655 if (type < 0)
1656 {
1657 gnutls_assert ();
1658 goto done;
1659 }
1660
1661 ret = gnutls_pkcs12_bag_get_data (bag, i, &data);
1662 if (ret < 0)
1663 {
1664 gnutls_assert ();
1665 goto done;
1666 }
1667
1668 switch (type)
1669 {
1670 case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY:
1671 case GNUTLS_BAG_PKCS8_KEY:
1672 if (*key != NULL) /* too simple to continue */
1673 {
1674 gnutls_assert ();
1675 break;
1676 }
1677
1678 ret = gnutls_x509_privkey_init (key);
1679 if (ret < 0)
1680 {
1681 gnutls_assert ();
1682 goto done;
1683 }
1684
1685 ret = gnutls_x509_privkey_import_pkcs8
1686 (*key, &data, GNUTLS_X509_FMT_DER, password,
1687 type == GNUTLS_BAG_PKCS8_KEY ? GNUTLS_PKCS_PLAIN : 0);
1688 if (ret < 0)
1689 {
1690 gnutls_assert ();
1691 gnutls_x509_privkey_deinit (*key);
1692 goto done;
1693 }
1694
1695 key_id_size = sizeof (key_id);
1696 ret =
1697 gnutls_x509_privkey_get_key_id (*key, 0, key_id,
1698 &key_id_size);
1699 if (ret < 0)
1700 {
1701 gnutls_assert ();
1702 gnutls_x509_privkey_deinit (*key);
1703 goto done;
1704 }
1705
1706 privkey_ok = 1; /* break */
1707 break;
1708 default:
1709 break;
1710 }
1711 }
1712
1713 idx++;
1714 gnutls_pkcs12_bag_deinit (bag);
1715
1716 if (privkey_ok != 0) /* private key was found */
1717 break;
1718 }
1719
1720 if (privkey_ok == 0) /* no private key */
1721 {
1722 gnutls_assert ();
1723 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
1724 }
1725
1726 /* now find the corresponding certificate
1727 */
1728 idx = 0;
1729 bag = NULL;
1730 for (;;)
1731 {
1732 int elements_in_bag;
1733 int i;
1734
1735 ret = gnutls_pkcs12_bag_init (&bag);
1736 if (ret < 0)
1737 {
1738 bag = NULL;
1739 gnutls_assert ();
1740 goto done;
1741 }
1742
1743 ret = gnutls_pkcs12_get_bag (p12, idx, bag);
1744 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1745 break;
1746 if (ret < 0)
1747 {
1748 gnutls_assert ();
1749 goto done;
1750 }
1751
1752 ret = gnutls_pkcs12_bag_get_type (bag, 0);
1753 if (ret < 0)
1754 {
1755 gnutls_assert ();
1756 goto done;
1757 }
1758
1759 if (ret == GNUTLS_BAG_ENCRYPTED)
1760 {
1761 ret = gnutls_pkcs12_bag_decrypt (bag, password);
1762 if (ret < 0)
1763 {
1764 gnutls_assert ();
1765 goto done;
1766 }
1767 }
1768
1769 elements_in_bag = gnutls_pkcs12_bag_get_count (bag);
1770 if (elements_in_bag < 0)
1771 {
1772 gnutls_assert ();
1773 goto done;
1774 }
1775
1776 for (i = 0; i < elements_in_bag; i++)
1777 {
1778 int type;
1779 gnutls_datum_t data;
1780
1781 type = gnutls_pkcs12_bag_get_type (bag, i);
1782 if (type < 0)
1783 {
1784 gnutls_assert ();
1785 goto done;
1786 }
1787
1788 ret = gnutls_pkcs12_bag_get_data (bag, i, &data);
1789 if (ret < 0)
1790 {
1791 gnutls_assert ();
1792 goto done;
1793 }
1794
1795 switch (type)
1796 {
1797 case GNUTLS_BAG_CERTIFICATE:
1798 if (*cert != NULL) /* no need to set it again */
1799 {
1800 gnutls_assert ();
1801 break;
1802 }
1803
1804 ret = gnutls_x509_crt_init (cert);
1805 if (ret < 0)
1806 {
1807 gnutls_assert ();
1808 goto done;
1809 }
1810
1811 ret =
1812 gnutls_x509_crt_import (*cert, &data, GNUTLS_X509_FMT_DER);
1813 if (ret < 0)
1814 {
1815 gnutls_assert ();
1816 gnutls_x509_crt_deinit (*cert);
1817 goto done;
1818 }
1819
1820 /* check if the key id match */
1821 cert_id_size = sizeof (cert_id);
1822 ret =
1823 gnutls_x509_crt_get_key_id (*cert, 0, cert_id, &cert_id_size);
1824 if (ret < 0)
1825 {
1826 gnutls_assert ();
1827 gnutls_x509_crt_deinit (*cert);
1828 goto done;
1829 }
1830
1831 if (memcmp (cert_id, key_id, cert_id_size) != 0)
1832 { /* they don't match - skip the certificate */
1833 gnutls_x509_crt_deinit (*cert);
1834 *cert = NULL;
1835 }
1836 break;
1837
1838 case GNUTLS_BAG_CRL:
1839 if (*crl != NULL)
1840 {
1841 gnutls_assert ();
1842 break;
1843 }
1844
1845 ret = gnutls_x509_crl_init (crl);
1846 if (ret < 0)
1847 {
1848 gnutls_assert ();
1849 goto done;
1850 }
1851
1852 ret = gnutls_x509_crl_import (*crl, &data, GNUTLS_X509_FMT_DER);
1853 if (ret < 0)
1854 {
1855 gnutls_assert ();
1856 gnutls_x509_crl_deinit (*crl);
1857 goto done;
1858 }
1859 break;
1860
1861 case GNUTLS_BAG_ENCRYPTED:
1862 /* XXX Bother to recurse one level down? Unlikely to
1863 use the same password anyway. */
1864 case GNUTLS_BAG_EMPTY:
1865 default:
1866 break;
1867 }
1868 }
1869
1870 idx++;
1871 gnutls_pkcs12_bag_deinit (bag);
1872 }
1873
1874 ret = 0;
1875
1876 done:
1877 if (bag)
1878 gnutls_pkcs12_bag_deinit (bag);
1879
1880 return ret;
1881 }
1882
1883 /**
1884 * gnutls_certificate_set_x509_simple_pkcs12_file:
1885 * @res: is a #gnutls_certificate_credentials_t structure.
1886 * @pkcs12file: filename of file containing PKCS#12 blob.
1887 * @type: is PEM or DER of the @pkcs12file.
1888 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
1889 *
1890 * This function sets a certificate/private key pair and/or a CRL in
1891 * the gnutls_certificate_credentials_t structure. This function may
1892 * be called more than once (in case multiple keys/certificates exist
1893 * for the server).
1894 *
1895 * MAC:ed PKCS#12 files are supported. Encrypted PKCS#12 bags are
1896 * supported. Encrypted PKCS#8 private keys are supported. However,
1897 * only password based security, and the same password for all
1898 * operations, are supported.
1899 *
1900 * The private keys may be RSA PKCS#1 or DSA private keys encoded in
1901 * the OpenSSL way.
1902 *
1903 * PKCS#12 file may contain many keys and/or certificates, and there
1904 * is no way to identify which key/certificate pair you want. You
1905 * should make sure the PKCS#12 file only contain one key/certificate
1906 * pair and/or one CRL.
1907 *
1908 * It is believed that the limitations of this function is acceptable
1909 * for most usage, and that any more flexibility would introduce
1910 * complexity that would make it harder to use this functionality at
1911 * all.
1912 *
1913 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1914 **/
1915 int
1916 gnutls_certificate_set_x509_simple_pkcs12_file
1917 (gnutls_certificate_credentials_t res, const char *pkcs12file,
1918 gnutls_x509_crt_fmt_t type, const char *password)
1919 {
1920 gnutls_datum_t p12blob;
1921 size_t size;
1922 int ret;
1923
1924 p12blob.data = read_binary_file (pkcs12file, &size);
1925 p12blob.size = (unsigned int) size;
1926 if (p12blob.data == NULL)
1927 {
1928 gnutls_assert ();
1929 return GNUTLS_E_FILE_ERROR;
1930 }
1931
1932 ret =
1933 gnutls_certificate_set_x509_simple_pkcs12_mem (res, &p12blob, type,
1934 password);
1935 free (p12blob.data);
1936
1937 return ret;
1938 }
1939
1940 /**
1941 * gnutls_certificate_set_x509_simple_pkcs12_mem:
1942 * @res: is a #gnutls_certificate_credentials_t structure.
1943 * @p12blob: the PKCS#12 blob.
1944 * @type: is PEM or DER of the @pkcs12file.
1945 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
1946 *
1947 * This function sets a certificate/private key pair and/or a CRL in
1948 * the gnutls_certificate_credentials_t structure. This function may
1949 * be called more than once (in case multiple keys/certificates exist
1950 * for the server).
1951 *
1952 * MAC:ed PKCS#12 files are supported. Encrypted PKCS#12 bags are
1953 * supported. Encrypted PKCS#8 private keys are supported. However,
1954 * only password based security, and the same password for all
1955 * operations, are supported.
1956 *
1957 * The private keys may be RSA PKCS#1 or DSA private keys encoded in
1958 * the OpenSSL way.
1959 *
1960 * PKCS#12 file may contain many keys and/or certificates, and there
1961 * is no way to identify which key/certificate pair you want. You
1962 * should make sure the PKCS#12 file only contain one key/certificate
1963 * pair and/or one CRL.
1964 *
1965 * It is believed that the limitations of this function is acceptable
1966 * for most usage, and that any more flexibility would introduce
1967 * complexity that would make it harder to use this functionality at
1968 * all.
1969 *
1970 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1971 *
1972 * Since: 2.8.0
1973 **/
1974 int
1975 gnutls_certificate_set_x509_simple_pkcs12_mem
1976 (gnutls_certificate_credentials_t res, const gnutls_datum_t * p12blob,
1977 gnutls_x509_crt_fmt_t type, const char *password)
1978 {
1979 gnutls_pkcs12_t p12;
1980 gnutls_x509_privkey_t key = NULL;
1981 gnutls_x509_crt_t cert = NULL;
1982 gnutls_x509_crl_t crl = NULL;
1983 int ret;
1984
1985 ret = gnutls_pkcs12_init (&p12);
1986 if (ret < 0)
1987 {
1988 gnutls_assert ();
1989 return ret;
1990 }
1991
1992 ret = gnutls_pkcs12_import (p12, p12blob, type, 0);
1993 if (ret < 0)
1994 {
1995 gnutls_assert ();
1996 gnutls_pkcs12_deinit (p12);
1997 return ret;
1998 }
1999
2000 if (password)
2001 {
2002 ret = gnutls_pkcs12_verify_mac (p12, password);
2003 if (ret < 0)
2004 {
2005 gnutls_assert ();
2006 gnutls_pkcs12_deinit (p12);
2007 return ret;
2008 }
2009 }
2010
2011 ret = parse_pkcs12 (res, p12, password, &key, &cert, &crl);
2012 gnutls_pkcs12_deinit (p12);
2013 if (ret < 0)
2014 {
2015 gnutls_assert ();
2016 return ret;
2017 }
2018
2019 if (key && cert)
2020 {
2021 ret = gnutls_certificate_set_x509_key (res, &cert, 1, key);
2022 if (ret < 0)
2023 {
2024 gnutls_assert ();
2025 goto done;
2026 }
2027 }
2028
2029 if (crl)
2030 {
2031 ret = gnutls_certificate_set_x509_crl (res, &crl, 1);
2032 if (ret < 0)
2033 {
2034 gnutls_assert ();
2035 goto done;
2036 }
2037 }
2038
2039 ret = 0;
2040
2041 done:
2042 if (cert)
2043 gnutls_x509_crt_deinit (cert);
2044 if (key)
2045 gnutls_x509_privkey_deinit (key);
2046 if (crl)
2047 gnutls_x509_crl_deinit (crl);
2048
2049 return ret;
2050 }
2051
2052
2053
2054 /**
2055 * gnutls_certificate_free_crls:
2056 * @sc: is a #gnutls_certificate_credentials_t structure.
2057 *
2058 * This function will delete all the CRLs associated
2059 * with the given credentials.
2060 **/
2061 void
2062 gnutls_certificate_free_crls (gnutls_certificate_credentials_t sc)
2063 {
2064 /* do nothing for now */
2065 return;
2066 }
2067
2068 #endif
Implementation of the SSL/TLS protocol