2 * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010
3 * Free Software Foundation, Inc.
5 * Author: Nikos Mavrogiannopoulos
7 * This file is part of GnuTLS.
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
26 #include <gnutls_int.h>
27 #include "gnutls_auth.h"
28 #include "gnutls_errors.h"
29 #include <gnutls_cert.h>
30 #include <auth_cert.h>
31 #include "gnutls_dh.h"
32 #include "gnutls_num.h"
33 #include "gnutls_datum.h"
34 #include <gnutls_pk.h>
35 #include <gnutls_algorithms.h>
36 #include <gnutls_global.h>
37 #include <gnutls_record.h>
38 #include <gnutls_sig.h>
39 #include <gnutls_state.h>
40 #include <gnutls_pk.h>
41 #include <gnutls_str.h>
44 #include <gnutls_x509.h>
45 #include "x509/common.h"
46 #include "x509/x509_int.h"
47 #include "read-file.h"
50 * some x509 certificate parsing functions.
53 /* Check if the number of bits of the key in the certificate
57 check_bits (gnutls_x509_crt_t crt
, unsigned int max_bits
)
62 ret
= gnutls_x509_crt_get_pk_algorithm (crt
, &bits
);
69 if (bits
> max_bits
&& max_bits
> 0)
72 return GNUTLS_E_CONSTRAINT_ERROR
;
79 #define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) { \
80 if (peer_certificate_list[x]) \
81 gnutls_x509_crt_deinit(peer_certificate_list[x]); \
83 gnutls_free( peer_certificate_list)
86 * _gnutls_x509_cert_verify_peers - return the peer's certificate status
87 * @session: is a gnutls session
89 * This function will try to verify the peer's certificate and return its status (TRUSTED, REVOKED etc.).
90 * The return value (status) should be one of the gnutls_certificate_status_t enumerated elements.
91 * However you must also check the peer's name in order to check if the verified certificate belongs to the
92 * actual peer. Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
95 _gnutls_x509_cert_verify_peers (gnutls_session_t session
,
98 cert_auth_info_t info
;
99 gnutls_certificate_credentials_t cred
;
100 gnutls_x509_crt_t
*peer_certificate_list
;
101 int peer_certificate_list_size
, i
, x
, ret
;
103 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE
, GNUTLS_E_INVALID_REQUEST
);
105 info
= _gnutls_get_auth_info (session
);
109 return GNUTLS_E_INVALID_REQUEST
;
112 cred
= (gnutls_certificate_credentials_t
)
113 _gnutls_get_cred (session
->key
, GNUTLS_CRD_CERTIFICATE
, NULL
);
117 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
120 if (info
->raw_certificate_list
== NULL
|| info
->ncerts
== 0)
121 return GNUTLS_E_NO_CERTIFICATE_FOUND
;
123 if (info
->ncerts
> cred
->verify_depth
&& cred
->verify_depth
> 0)
126 return GNUTLS_E_CONSTRAINT_ERROR
;
129 /* generate a list of gnutls_certs based on the auth info
132 peer_certificate_list_size
= info
->ncerts
;
133 peer_certificate_list
=
134 gnutls_calloc (peer_certificate_list_size
, sizeof (gnutls_x509_crt_t
));
135 if (peer_certificate_list
== NULL
)
138 return GNUTLS_E_MEMORY_ERROR
;
141 for (i
= 0; i
< peer_certificate_list_size
; i
++)
143 ret
= gnutls_x509_crt_init (&peer_certificate_list
[i
]);
152 gnutls_x509_crt_import (peer_certificate_list
[i
],
153 &info
->raw_certificate_list
[i
],
154 GNUTLS_X509_FMT_DER
);
162 ret
= check_bits (peer_certificate_list
[i
], cred
->verify_bits
);
172 /* Verify certificate
175 ret
= gnutls_x509_trust_list_verify_crt (cred
->tlist
, peer_certificate_list
,
176 peer_certificate_list_size
,
177 cred
->verify_flags
| session
->internals
.
178 priorities
.additional_verify_flags
,
193 * Read certificates and private keys, from files, memory etc.
196 /* returns error if the certificate has different algorithm than
197 * the given key parameters.
200 _gnutls_check_key_cert_match (gnutls_certificate_credentials_t res
)
202 unsigned int pk
= res
->cert_list
[res
->ncerts
- 1][0].subject_pk_algorithm
;
204 if (gnutls_privkey_get_pk_algorithm (res
->pkey
[res
->ncerts
- 1], NULL
) !=
208 return GNUTLS_E_CERTIFICATE_KEY_MISMATCH
;
214 /* Reads a DER encoded certificate list from memory and stores it to a
215 * gnutls_cert structure. Returns the number of certificates parsed.
218 parse_der_cert_mem (gnutls_certificate_credentials_t res
,
219 const void *input_cert
, int input_cert_size
)
222 gnutls_x509_crt_t crt
;
226 ccert
= gnutls_malloc (sizeof (*ccert
));
230 return GNUTLS_E_MEMORY_ERROR
;
233 ret
= gnutls_x509_crt_init (&crt
);
240 tmp
.data
= (opaque
*) input_cert
;
241 tmp
.size
= input_cert_size
;
243 ret
= gnutls_x509_crt_import (crt
, &tmp
, GNUTLS_X509_FMT_DER
);
247 gnutls_x509_crt_deinit (crt
);
251 ret
= _gnutls_x509_crt_to_gcert (ccert
, crt
, 0);
252 gnutls_x509_crt_deinit (crt
);
260 ret
= certificate_credential_append_crt_list (res
, ccert
, 1);
274 /* Reads a base64 encoded certificate list from memory and stores it to
275 * a gnutls_cert structure. Returns the number of certificate parsed.
278 parse_pem_cert_mem (gnutls_certificate_credentials_t res
,
279 const char *input_cert
, int input_cert_size
)
286 gnutls_cert
*certs
= NULL
;
288 /* move to the certificate
290 ptr
= memmem (input_cert
, input_cert_size
,
291 PEM_CERT_SEP
, sizeof (PEM_CERT_SEP
) - 1);
293 ptr
= memmem (input_cert
, input_cert_size
,
294 PEM_CERT_SEP2
, sizeof (PEM_CERT_SEP2
) - 1);
299 return GNUTLS_E_BASE64_DECODING_ERROR
;
301 size
= input_cert_size
- (ptr
- input_cert
);
308 siz2
= _gnutls_fbase64_decode (NULL
, ptr
, size
, &ptr2
);
312 ret
= GNUTLS_E_BASE64_DECODING_ERROR
;
316 certs
= gnutls_realloc_fast (certs
, (count
+ 1) * sizeof (gnutls_cert
));
321 ret
= GNUTLS_E_MEMORY_ERROR
;
328 ret
= _gnutls_x509_raw_cert_to_gcert (&certs
[count
], &tmp
, 0);
335 _gnutls_free_datum (&tmp
); /* free ptr2 */
337 /* now we move ptr after the pem header
340 /* find the next certificate (if any)
342 size
= input_cert_size
- (ptr
- input_cert
);
348 ptr3
= memmem (ptr
, size
, PEM_CERT_SEP
, sizeof (PEM_CERT_SEP
) - 1);
350 ptr3
= memmem (ptr
, size
, PEM_CERT_SEP2
,
351 sizeof (PEM_CERT_SEP2
) - 1);
363 ret
= certificate_credential_append_crt_list (res
, certs
, count
);
373 for (i
=0;i
<count
;i
++)
374 _gnutls_gcert_deinit(&certs
[i
]);
381 /* Reads a DER or PEM certificate from memory
384 read_cert_mem (gnutls_certificate_credentials_t res
, const void *cert
,
385 int cert_size
, gnutls_x509_crt_fmt_t type
)
389 if (type
== GNUTLS_X509_FMT_DER
)
390 ret
= parse_der_cert_mem (res
, cert
, cert_size
);
392 ret
= parse_pem_cert_mem (res
, cert
, cert_size
);
404 _gnutls_x509_raw_privkey_to_privkey (gnutls_privkey_t
* privkey
,
405 const gnutls_datum_t
* raw_key
,
406 gnutls_x509_crt_fmt_t type
)
408 gnutls_x509_privkey_t tmpkey
;
411 ret
= gnutls_x509_privkey_init (&tmpkey
);
418 ret
= gnutls_x509_privkey_import (tmpkey
, raw_key
, type
);
422 gnutls_x509_privkey_deinit (tmpkey
);
426 ret
= gnutls_privkey_init (privkey
);
430 gnutls_x509_privkey_deinit (tmpkey
);
435 gnutls_privkey_import_x509 (*privkey
, tmpkey
,
436 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE
);
440 gnutls_x509_privkey_deinit (tmpkey
);
441 gnutls_privkey_deinit (*privkey
);
448 /* Reads a PEM encoded PKCS-1 RSA/DSA private key from memory. Type
449 * indicates the certificate format. KEY can be NULL, to indicate
450 * that GnuTLS doesn't know the private key.
453 read_key_mem (gnutls_certificate_credentials_t res
,
454 const void *key
, int key_size
, gnutls_x509_crt_fmt_t type
)
458 gnutls_privkey_t privkey
;
462 tmp
.data
= (opaque
*) key
;
465 ret
= _gnutls_x509_raw_privkey_to_privkey (&privkey
, &tmp
, type
);
472 ret
= certificate_credentials_append_pkey (res
, privkey
);
476 gnutls_privkey_deinit (privkey
);
484 return GNUTLS_E_INVALID_REQUEST
;
491 /* Reads a private key from a token.
494 read_key_url (gnutls_certificate_credentials_t res
, const char *url
)
497 gnutls_pkcs11_privkey_t key1
= NULL
;
498 gnutls_privkey_t pkey
= NULL
;
500 /* allocate space for the pkey list
503 ret
= gnutls_pkcs11_privkey_init (&key1
);
510 ret
= gnutls_pkcs11_privkey_import_url (key1
, url
, 0);
517 ret
= gnutls_privkey_init (&pkey
);
525 gnutls_privkey_import_pkcs11 (pkey
, key1
,
526 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE
);
533 ret
= certificate_credentials_append_pkey (res
, pkey
);
544 gnutls_privkey_deinit (pkey
);
547 gnutls_pkcs11_privkey_deinit (key1
);
552 /* Reads a private key from a token.
555 read_cas_url (gnutls_certificate_credentials_t res
, const char *url
)
558 gnutls_x509_crt_t
*xcrt_list
= NULL
;
559 gnutls_pkcs11_obj_t
*pcrt_list
= NULL
;
560 unsigned int pcrt_list_size
= 0;
562 /* FIXME: should we use login? */
564 gnutls_pkcs11_obj_list_import_url (NULL
, &pcrt_list_size
, url
,
565 GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED
, 0);
566 if (ret
< 0 && ret
!= GNUTLS_E_SHORT_MEMORY_BUFFER
)
572 if (pcrt_list_size
== 0)
578 pcrt_list
= gnutls_malloc (sizeof (*pcrt_list
) * pcrt_list_size
);
579 if (pcrt_list
== NULL
)
582 return GNUTLS_E_MEMORY_ERROR
;
586 gnutls_pkcs11_obj_list_import_url (pcrt_list
, &pcrt_list_size
, url
,
587 GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED
, 0);
594 xcrt_list
= gnutls_malloc (sizeof (*xcrt_list
) * pcrt_list_size
);
595 if (xcrt_list
== NULL
)
598 ret
= GNUTLS_E_MEMORY_ERROR
;
603 gnutls_x509_crt_list_import_pkcs11 (xcrt_list
, pcrt_list_size
, pcrt_list
,
605 if (xcrt_list
== NULL
)
608 ret
= GNUTLS_E_MEMORY_ERROR
;
612 ret
= gnutls_x509_trust_list_add_cas(res
->tlist
, xcrt_list
, pcrt_list_size
, 0);
620 gnutls_free (xcrt_list
);
621 gnutls_free (pcrt_list
);
628 /* Reads a private key from a token.
631 read_cert_url (gnutls_certificate_credentials_t res
, const char *url
)
634 gnutls_x509_crt_t crt
;
637 ccert
= gnutls_malloc (sizeof (*ccert
));
641 return GNUTLS_E_MEMORY_ERROR
;
644 ret
= gnutls_x509_crt_init (&crt
);
652 ret
= gnutls_x509_crt_import_pkcs11_url (crt
, url
, 0);
653 if (ret
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
)
655 gnutls_x509_crt_import_pkcs11_url (crt
, url
,
656 GNUTLS_PKCS11_OBJ_FLAG_LOGIN
);
662 gnutls_x509_crt_deinit (crt
);
666 ret
= _gnutls_x509_crt_to_gcert (ccert
, crt
, 0);
667 gnutls_x509_crt_deinit (crt
);
676 ret
= certificate_credential_append_crt_list (res
, ccert
, 1);
688 /* Reads a certificate file
691 read_cert_file (gnutls_certificate_credentials_t res
,
692 const char *certfile
, gnutls_x509_crt_fmt_t type
)
698 if (strncmp (certfile
, "pkcs11:", 7) == 0)
700 return read_cert_url (res
, certfile
);
703 data
= read_binary_file (certfile
, &size
);
708 return GNUTLS_E_FILE_ERROR
;
711 ret
= read_cert_mem (res
, data
, size
, type
);
720 /* Reads PKCS-1 RSA private key file or a DSA file (in the format openssl
724 read_key_file (gnutls_certificate_credentials_t res
,
725 const char *keyfile
, gnutls_x509_crt_fmt_t type
)
731 if (strncmp (keyfile
, "pkcs11:", 7) == 0)
733 return read_key_url (res
, keyfile
);
736 data
= read_binary_file (keyfile
, &size
);
741 return GNUTLS_E_FILE_ERROR
;
744 ret
= read_key_mem (res
, data
, size
, type
);
751 * gnutls_certificate_set_x509_key_mem:
752 * @res: is a #gnutls_certificate_credentials_t structure.
753 * @cert: contains a certificate list (path) for the specified private key
754 * @key: is the private key, or %NULL
755 * @type: is PEM or DER
757 * This function sets a certificate/private key pair in the
758 * gnutls_certificate_credentials_t structure. This function may be called
759 * more than once (in case multiple keys/certificates exist for the
762 * Currently are supported: RSA PKCS-1 encoded private keys,
765 * DSA private keys are encoded the OpenSSL way, which is an ASN.1
766 * DER sequence of 6 INTEGERs - version, p, q, g, pub, priv.
768 * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates
769 * is supported. This means that certificates intended for signing cannot
770 * be used for ciphersuites that require encryption.
772 * If the certificate and the private key are given in PEM encoding
773 * then the strings that hold their values must be null terminated.
775 * The @key may be %NULL if you are using a sign callback, see
776 * gnutls_sign_callback_set().
778 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
781 gnutls_certificate_set_x509_key_mem (gnutls_certificate_credentials_t res
,
782 const gnutls_datum_t
* cert
,
783 const gnutls_datum_t
* key
,
784 gnutls_x509_crt_fmt_t type
)
788 /* this should be first
790 if ((ret
= read_key_mem (res
, key
? key
->data
: NULL
,
791 key
? key
->size
: 0, type
)) < 0)
794 if ((ret
= read_cert_mem (res
, cert
->data
, cert
->size
, type
)) < 0)
799 if (key
&& (ret
= _gnutls_check_key_cert_match (res
)) < 0)
809 certificate_credential_append_crt_list (gnutls_certificate_credentials_t res
,
810 gnutls_cert
* crt
, int nr
)
812 res
->cert_list
= gnutls_realloc_fast (res
->cert_list
,
815 sizeof (gnutls_cert
*));
816 if (res
->cert_list
== NULL
)
819 return GNUTLS_E_MEMORY_ERROR
;
822 res
->cert_list_length
= gnutls_realloc_fast (res
->cert_list_length
,
824 res
->ncerts
) * sizeof (int));
825 if (res
->cert_list_length
== NULL
)
828 return GNUTLS_E_MEMORY_ERROR
;
831 res
->cert_list
[res
->ncerts
] = crt
;
832 res
->cert_list_length
[res
->ncerts
] = nr
;
839 certificate_credentials_append_pkey (gnutls_certificate_credentials_t res
,
840 gnutls_privkey_t pkey
)
842 res
->pkey
= gnutls_realloc_fast (res
->pkey
,
844 sizeof (gnutls_privkey_t
));
845 if (res
->pkey
== NULL
)
848 return GNUTLS_E_MEMORY_ERROR
;
851 res
->pkey
[res
->ncerts
] = pkey
;
857 * gnutls_certificate_set_x509_key:
858 * @res: is a #gnutls_certificate_credentials_t structure.
859 * @cert_list: contains a certificate list (path) for the specified private key
860 * @cert_list_size: holds the size of the certificate list
861 * @key: is a gnutls_x509_privkey_t key
863 * This function sets a certificate/private key pair in the
864 * gnutls_certificate_credentials_t structure. This function may be
865 * called more than once (in case multiple keys/certificates exist for
866 * the server). For clients that wants to send more than its own end
867 * entity certificate (e.g., also an intermediate CA cert) then put
868 * the certificate chain in @cert_list.
872 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
877 gnutls_certificate_set_x509_key (gnutls_certificate_credentials_t res
,
878 gnutls_x509_crt_t
* cert_list
,
880 gnutls_x509_privkey_t key
)
883 gnutls_privkey_t pkey
;
884 gnutls_cert
*pcerts
= NULL
;
886 /* this should be first
888 ret
= gnutls_privkey_init (&pkey
);
895 ret
= gnutls_privkey_import_x509 (pkey
, key
, 0);
902 ret
= certificate_credentials_append_pkey (res
, pkey
);
909 /* load certificates */
910 pcerts
= gnutls_malloc (sizeof (gnutls_cert
) * cert_list_size
);
914 return GNUTLS_E_MEMORY_ERROR
;
917 for (i
= 0; i
< cert_list_size
; i
++)
919 ret
= _gnutls_x509_crt_to_gcert (&pcerts
[i
], cert_list
[i
], 0);
927 ret
= certificate_credential_append_crt_list (res
, pcerts
, cert_list_size
);
936 if ((ret
= _gnutls_check_key_cert_match (res
)) < 0)
946 * gnutls_certificate_set_x509_key_file:
947 * @res: is a #gnutls_certificate_credentials_t structure.
948 * @certfile: is a file that containing the certificate list (path) for
949 * the specified private key, in PKCS7 format, or a list of certificates
950 * @keyfile: is a file that contains the private key
951 * @type: is PEM or DER
953 * This function sets a certificate/private key pair in the
954 * gnutls_certificate_credentials_t structure. This function may be
955 * called more than once (in case multiple keys/certificates exist for
956 * the server). For clients that wants to send more than its own end
957 * entity certificate (e.g., also an intermediate CA cert) then put
958 * the certificate chain in @certfile.
960 * Currently only PKCS-1 encoded RSA and DSA private keys are accepted by
963 * This function can also accept PKCS #11 URLs. In that case it
964 * will import the private key and certificate indicated by the urls.
966 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
969 gnutls_certificate_set_x509_key_file (gnutls_certificate_credentials_t res
,
970 const char *certfile
,
972 gnutls_x509_crt_fmt_t type
)
976 /* this should be first
978 if ((ret
= read_key_file (res
, keyfile
, type
)) < 0)
981 if ((ret
= read_cert_file (res
, certfile
, type
)) < 0)
986 if ((ret
= _gnutls_check_key_cert_match (res
)) < 0)
996 add_new_crt_to_rdn_seq (gnutls_certificate_credentials_t res
, gnutls_x509_crt_t
* crts
,
997 unsigned int crt_size
)
1002 unsigned char *newdata
;
1005 /* Add DN of the last added CAs to the RDN sequence
1006 * This will be sent to clients when a certificate
1007 * request message is sent.
1010 /* FIXME: in case of a client it is not needed
1011 * to do that. This would save time and memory.
1012 * However we don't have that information available
1014 * Further, this function is now much more efficient,
1015 * so optimizing that is less important.
1018 for (i
= 0; i
< crt_size
; i
++)
1020 if ((ret
= gnutls_x509_crt_get_raw_dn (crts
[i
], &tmp
)) < 0)
1026 newsize
= res
->x509_rdn_sequence
.size
+ 2 + tmp
.size
;
1027 if (newsize
< res
->x509_rdn_sequence
.size
)
1030 _gnutls_free_datum (&tmp
);
1031 return GNUTLS_E_SHORT_MEMORY_BUFFER
;
1034 newdata
= gnutls_realloc (res
->x509_rdn_sequence
.data
, newsize
);
1035 if (newdata
== NULL
)
1038 _gnutls_free_datum (&tmp
);
1039 return GNUTLS_E_MEMORY_ERROR
;
1042 _gnutls_write_datum16 (newdata
+ res
->x509_rdn_sequence
.size
, tmp
);
1043 _gnutls_free_datum (&tmp
);
1045 res
->x509_rdn_sequence
.size
= newsize
;
1046 res
->x509_rdn_sequence
.data
= newdata
;
1052 /* Returns 0 if it's ok to use the gnutls_kx_algorithm_t with this
1053 * certificate (uses the KeyUsage field).
1056 _gnutls_check_key_usage (const gnutls_cert
* cert
, gnutls_kx_algorithm_t alg
)
1058 unsigned int key_usage
= 0;
1064 return GNUTLS_E_INTERNAL_ERROR
;
1067 if (_gnutls_map_kx_get_cred (alg
, 1) == GNUTLS_CRD_CERTIFICATE
||
1068 _gnutls_map_kx_get_cred (alg
, 0) == GNUTLS_CRD_CERTIFICATE
)
1071 key_usage
= cert
->key_usage
;
1073 encipher_type
= _gnutls_kx_encipher_type (alg
);
1075 if (key_usage
!= 0 && encipher_type
!= CIPHER_IGN
)
1077 /* If key_usage has been set in the certificate
1080 if (encipher_type
== CIPHER_ENCRYPT
)
1082 /* If the key exchange method requires an encipher
1083 * type algorithm, and key's usage does not permit
1084 * encipherment, then fail.
1086 if (!(key_usage
& GNUTLS_KEY_KEY_ENCIPHERMENT
))
1089 return GNUTLS_E_KEY_USAGE_VIOLATION
;
1093 if (encipher_type
== CIPHER_SIGN
)
1095 /* The same as above, but for sign only keys
1097 if (!(key_usage
& GNUTLS_KEY_DIGITAL_SIGNATURE
))
1100 return GNUTLS_E_KEY_USAGE_VIOLATION
;
1109 parse_pem_ca_mem (gnutls_certificate_credentials_t res
,
1110 const opaque
* input_cert
, int input_cert_size
)
1112 gnutls_x509_crt_t
*x509_cert_list
;
1113 unsigned int x509_ncerts
;
1117 tmp
.data
= (void*)input_cert
;
1118 tmp
.size
= input_cert_size
;
1120 ret
= gnutls_x509_crt_list_import2( &x509_cert_list
, &x509_ncerts
, &tmp
,
1121 GNUTLS_X509_FMT_PEM
, 0);
1128 if ((ret
= add_new_crt_to_rdn_seq (res
, x509_cert_list
, x509_ncerts
)) < 0)
1134 ret
= gnutls_x509_trust_list_add_cas(res
->tlist
, x509_cert_list
, x509_ncerts
, 0);
1142 gnutls_free(x509_cert_list
);
1146 /* Reads a DER encoded certificate list from memory and stores it to a
1147 * gnutls_cert structure. Returns the number of certificates parsed.
1150 parse_der_ca_mem (gnutls_certificate_credentials_t res
,
1151 const void *input_cert
, int input_cert_size
)
1153 gnutls_x509_crt_t crt
;
1157 tmp
.data
= (void*)input_cert
;
1158 tmp
.size
= input_cert_size
;
1160 ret
= gnutls_x509_crt_init( &crt
);
1167 ret
= gnutls_x509_crt_import( crt
, &tmp
, GNUTLS_X509_FMT_DER
);
1174 if ((ret
= add_new_crt_to_rdn_seq (res
, &crt
, 1)) < 0)
1180 ret
= gnutls_x509_trust_list_add_cas(res
->tlist
, &crt
, 1, 0);
1190 gnutls_x509_crt_deinit(crt
);
1195 * gnutls_certificate_set_x509_trust_mem:
1196 * @res: is a #gnutls_certificate_credentials_t structure.
1197 * @ca: is a list of trusted CAs or a DER certificate
1198 * @type: is DER or PEM
1200 * This function adds the trusted CAs in order to verify client or
1201 * server certificates. In case of a client this is not required to be
1202 * called if the certificates are not verified using
1203 * gnutls_certificate_verify_peers2(). This function may be called
1206 * In case of a server the CAs set here will be sent to the client if
1207 * a certificate request is sent. This can be disabled using
1208 * gnutls_certificate_send_x509_rdn_sequence().
1210 * Returns: the number of certificates processed or a negative value
1214 gnutls_certificate_set_x509_trust_mem (gnutls_certificate_credentials_t res
,
1215 const gnutls_datum_t
* ca
,
1216 gnutls_x509_crt_fmt_t type
)
1220 if (type
== GNUTLS_X509_FMT_DER
)
1221 ret
= parse_der_ca_mem (res
,
1222 ca
->data
, ca
->size
);
1224 ret
= parse_pem_ca_mem (res
,
1225 ca
->data
, ca
->size
);
1231 * gnutls_certificate_set_x509_trust:
1232 * @res: is a #gnutls_certificate_credentials_t structure.
1233 * @ca_list: is a list of trusted CAs
1234 * @ca_list_size: holds the size of the CA list
1236 * This function adds the trusted CAs in order to verify client
1237 * or server certificates. In case of a client this is not required
1238 * to be called if the certificates are not verified using
1239 * gnutls_certificate_verify_peers2().
1240 * This function may be called multiple times.
1242 * In case of a server the CAs set here will be sent to the client if
1243 * a certificate request is sent. This can be disabled using
1244 * gnutls_certificate_send_x509_rdn_sequence().
1246 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1251 gnutls_certificate_set_x509_trust (gnutls_certificate_credentials_t res
,
1252 gnutls_x509_crt_t
* ca_list
,
1256 gnutls_x509_crt_t new_list
[ca_list_size
];
1258 for (i
= 0; i
< ca_list_size
; i
++)
1260 ret
= gnutls_x509_crt_init (&new_list
[i
]);
1267 ret
= _gnutls_x509_crt_cpy (new_list
[i
], ca_list
[i
]);
1275 if ((ret
= add_new_crt_to_rdn_seq (res
, new_list
, ca_list_size
)) < 0)
1281 ret
= gnutls_x509_trust_list_add_cas(res
->tlist
, new_list
, ca_list_size
, 0);
1292 gnutls_x509_crt_deinit(new_list
[j
]);
1299 * gnutls_certificate_set_x509_trust_file:
1300 * @res: is a #gnutls_certificate_credentials_t structure.
1301 * @cafile: is a file containing the list of trusted CAs (DER or PEM list)
1302 * @type: is PEM or DER
1304 * This function adds the trusted CAs in order to verify client or
1305 * server certificates. In case of a client this is not required to
1306 * be called if the certificates are not verified using
1307 * gnutls_certificate_verify_peers2(). This function may be called
1310 * In case of a server the names of the CAs set here will be sent to
1311 * the client if a certificate request is sent. This can be disabled
1312 * using gnutls_certificate_send_x509_rdn_sequence().
1314 * This function can also accept PKCS #11 URLs. In that case it
1315 * will import all certificates that are marked as trusted.
1317 * Returns: number of certificates processed, or a negative value on
1321 gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t res
,
1323 gnutls_x509_crt_fmt_t type
)
1329 if (strncmp (cafile
, "pkcs11:", 7) == 0)
1331 return read_cas_url (res
, cafile
);
1334 data
= read_binary_file (cafile
, &size
);
1338 return GNUTLS_E_FILE_ERROR
;
1341 if (type
== GNUTLS_X509_FMT_DER
)
1342 ret
= parse_der_ca_mem (res
, data
, size
);
1344 ret
= parse_pem_ca_mem (res
, data
, size
);
1360 parse_pem_crl_mem (gnutls_x509_trust_list_t tlist
,
1361 const opaque
* input_crl
, int input_crl_size
)
1363 gnutls_x509_crl_t
*x509_crl_list
;
1364 unsigned int x509_ncrls
;
1368 tmp
.data
= (void*)input_crl
;
1369 tmp
.size
= input_crl_size
;
1371 ret
= gnutls_x509_crl_list_import2( &x509_crl_list
, &x509_ncrls
, &tmp
,
1372 GNUTLS_X509_FMT_PEM
, 0);
1379 ret
= gnutls_x509_trust_list_add_crls(tlist
, x509_crl_list
, x509_ncrls
, 0, 0);
1387 gnutls_free(x509_crl_list
);
1391 /* Reads a DER encoded certificate list from memory and stores it to a
1392 * gnutls_cert structure. Returns the number of certificates parsed.
1395 parse_der_crl_mem (gnutls_x509_trust_list_t tlist
,
1396 const void *input_crl
, int input_crl_size
)
1398 gnutls_x509_crl_t crl
;
1402 tmp
.data
= (void*)input_crl
;
1403 tmp
.size
= input_crl_size
;
1405 ret
= gnutls_x509_crl_init( &crl
);
1412 ret
= gnutls_x509_crl_import( crl
, &tmp
, GNUTLS_X509_FMT_DER
);
1419 ret
= gnutls_x509_trust_list_add_crls(tlist
, &crl
, 1, 0, 0);
1429 gnutls_x509_crl_deinit(crl
);
1435 /* Reads a DER or PEM CRL from memory
1438 read_crl_mem (gnutls_certificate_credentials_t res
, const void *crl
,
1439 int crl_size
, gnutls_x509_crt_fmt_t type
)
1443 if (type
== GNUTLS_X509_FMT_DER
)
1444 ret
= parse_der_crl_mem (res
->tlist
, crl
, crl_size
);
1446 ret
= parse_pem_crl_mem (res
->tlist
, crl
, crl_size
);
1457 * gnutls_certificate_set_x509_crl_mem:
1458 * @res: is a #gnutls_certificate_credentials_t structure.
1459 * @CRL: is a list of trusted CRLs. They should have been verified before.
1460 * @type: is DER or PEM
1462 * This function adds the trusted CRLs in order to verify client or
1463 * server certificates. In case of a client this is not required to
1464 * be called if the certificates are not verified using
1465 * gnutls_certificate_verify_peers2(). This function may be called
1468 * Returns: number of CRLs processed, or a negative value on error.
1471 gnutls_certificate_set_x509_crl_mem (gnutls_certificate_credentials_t res
,
1472 const gnutls_datum_t
* CRL
,
1473 gnutls_x509_crt_fmt_t type
)
1475 return read_crl_mem (res
, CRL
->data
, CRL
->size
, type
);
1479 * gnutls_certificate_set_x509_crl:
1480 * @res: is a #gnutls_certificate_credentials_t structure.
1481 * @crl_list: is a list of trusted CRLs. They should have been verified before.
1482 * @crl_list_size: holds the size of the crl_list
1484 * This function adds the trusted CRLs in order to verify client or
1485 * server certificates. In case of a client this is not required to
1486 * be called if the certificates are not verified using
1487 * gnutls_certificate_verify_peers2(). This function may be called
1490 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1495 gnutls_certificate_set_x509_crl (gnutls_certificate_credentials_t res
,
1496 gnutls_x509_crl_t
* crl_list
,
1500 gnutls_x509_crl_t new_crl
[crl_list_size
];
1502 for (i
= 0; i
< crl_list_size
; i
++)
1504 ret
= gnutls_x509_crl_init (&new_crl
[i
]);
1511 ret
= _gnutls_x509_crl_cpy (new_crl
[i
], crl_list
[i
]);
1519 ret
= gnutls_x509_trust_list_add_crls(res
->tlist
, new_crl
, crl_list_size
, 0, 0);
1530 gnutls_x509_crl_deinit(new_crl
[j
]);
1536 * gnutls_certificate_set_x509_crl_file:
1537 * @res: is a #gnutls_certificate_credentials_t structure.
1538 * @crlfile: is a file containing the list of verified CRLs (DER or PEM list)
1539 * @type: is PEM or DER
1541 * This function adds the trusted CRLs in order to verify client or server
1542 * certificates. In case of a client this is not required
1543 * to be called if the certificates are not verified using
1544 * gnutls_certificate_verify_peers2().
1545 * This function may be called multiple times.
1547 * Returns: number of CRLs processed or a negative value on error.
1550 gnutls_certificate_set_x509_crl_file (gnutls_certificate_credentials_t res
,
1551 const char *crlfile
,
1552 gnutls_x509_crt_fmt_t type
)
1556 char *data
= read_binary_file (crlfile
, &size
);
1561 return GNUTLS_E_FILE_ERROR
;
1564 if (type
== GNUTLS_X509_FMT_DER
)
1565 ret
= parse_der_crl_mem (res
->tlist
, data
, size
);
1567 ret
= parse_pem_crl_mem (res
->tlist
, data
, size
);
1580 #include <gnutls/pkcs12.h>
1583 parse_pkcs12 (gnutls_certificate_credentials_t res
,
1584 gnutls_pkcs12_t p12
,
1585 const char *password
,
1586 gnutls_x509_privkey_t
* key
,
1587 gnutls_x509_crt_t
* cert
, gnutls_x509_crl_t
* crl
)
1589 gnutls_pkcs12_bag_t bag
= NULL
;
1592 size_t cert_id_size
= 0;
1593 size_t key_id_size
= 0;
1602 /* find the first private key */
1605 int elements_in_bag
;
1608 ret
= gnutls_pkcs12_bag_init (&bag
);
1616 ret
= gnutls_pkcs12_get_bag (p12
, idx
, bag
);
1617 if (ret
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
)
1625 ret
= gnutls_pkcs12_bag_get_type (bag
, 0);
1632 if (ret
== GNUTLS_BAG_ENCRYPTED
)
1634 ret
= gnutls_pkcs12_bag_decrypt (bag
, password
);
1642 elements_in_bag
= gnutls_pkcs12_bag_get_count (bag
);
1643 if (elements_in_bag
< 0)
1649 for (i
= 0; i
< elements_in_bag
; i
++)
1652 gnutls_datum_t data
;
1654 type
= gnutls_pkcs12_bag_get_type (bag
, i
);
1661 ret
= gnutls_pkcs12_bag_get_data (bag
, i
, &data
);
1670 case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY
:
1671 case GNUTLS_BAG_PKCS8_KEY
:
1672 if (*key
!= NULL
) /* too simple to continue */
1678 ret
= gnutls_x509_privkey_init (key
);
1685 ret
= gnutls_x509_privkey_import_pkcs8
1686 (*key
, &data
, GNUTLS_X509_FMT_DER
, password
,
1687 type
== GNUTLS_BAG_PKCS8_KEY
? GNUTLS_PKCS_PLAIN
: 0);
1691 gnutls_x509_privkey_deinit (*key
);
1695 key_id_size
= sizeof (key_id
);
1697 gnutls_x509_privkey_get_key_id (*key
, 0, key_id
,
1702 gnutls_x509_privkey_deinit (*key
);
1706 privkey_ok
= 1; /* break */
1714 gnutls_pkcs12_bag_deinit (bag
);
1716 if (privkey_ok
!= 0) /* private key was found */
1720 if (privkey_ok
== 0) /* no private key */
1723 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
;
1726 /* now find the corresponding certificate
1732 int elements_in_bag
;
1735 ret
= gnutls_pkcs12_bag_init (&bag
);
1743 ret
= gnutls_pkcs12_get_bag (p12
, idx
, bag
);
1744 if (ret
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
)
1752 ret
= gnutls_pkcs12_bag_get_type (bag
, 0);
1759 if (ret
== GNUTLS_BAG_ENCRYPTED
)
1761 ret
= gnutls_pkcs12_bag_decrypt (bag
, password
);
1769 elements_in_bag
= gnutls_pkcs12_bag_get_count (bag
);
1770 if (elements_in_bag
< 0)
1776 for (i
= 0; i
< elements_in_bag
; i
++)
1779 gnutls_datum_t data
;
1781 type
= gnutls_pkcs12_bag_get_type (bag
, i
);
1788 ret
= gnutls_pkcs12_bag_get_data (bag
, i
, &data
);
1797 case GNUTLS_BAG_CERTIFICATE
:
1798 if (*cert
!= NULL
) /* no need to set it again */
1804 ret
= gnutls_x509_crt_init (cert
);
1812 gnutls_x509_crt_import (*cert
, &data
, GNUTLS_X509_FMT_DER
);
1816 gnutls_x509_crt_deinit (*cert
);
1820 /* check if the key id match */
1821 cert_id_size
= sizeof (cert_id
);
1823 gnutls_x509_crt_get_key_id (*cert
, 0, cert_id
, &cert_id_size
);
1827 gnutls_x509_crt_deinit (*cert
);
1831 if (memcmp (cert_id
, key_id
, cert_id_size
) != 0)
1832 { /* they don't match - skip the certificate */
1833 gnutls_x509_crt_deinit (*cert
);
1838 case GNUTLS_BAG_CRL
:
1845 ret
= gnutls_x509_crl_init (crl
);
1852 ret
= gnutls_x509_crl_import (*crl
, &data
, GNUTLS_X509_FMT_DER
);
1856 gnutls_x509_crl_deinit (*crl
);
1861 case GNUTLS_BAG_ENCRYPTED
:
1862 /* XXX Bother to recurse one level down? Unlikely to
1863 use the same password anyway. */
1864 case GNUTLS_BAG_EMPTY
:
1871 gnutls_pkcs12_bag_deinit (bag
);
1878 gnutls_pkcs12_bag_deinit (bag
);
1884 * gnutls_certificate_set_x509_simple_pkcs12_file:
1885 * @res: is a #gnutls_certificate_credentials_t structure.
1886 * @pkcs12file: filename of file containing PKCS#12 blob.
1887 * @type: is PEM or DER of the @pkcs12file.
1888 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
1890 * This function sets a certificate/private key pair and/or a CRL in
1891 * the gnutls_certificate_credentials_t structure. This function may
1892 * be called more than once (in case multiple keys/certificates exist
1895 * MAC:ed PKCS#12 files are supported. Encrypted PKCS#12 bags are
1896 * supported. Encrypted PKCS#8 private keys are supported. However,
1897 * only password based security, and the same password for all
1898 * operations, are supported.
1900 * The private keys may be RSA PKCS#1 or DSA private keys encoded in
1903 * PKCS#12 file may contain many keys and/or certificates, and there
1904 * is no way to identify which key/certificate pair you want. You
1905 * should make sure the PKCS#12 file only contain one key/certificate
1906 * pair and/or one CRL.
1908 * It is believed that the limitations of this function is acceptable
1909 * for most usage, and that any more flexibility would introduce
1910 * complexity that would make it harder to use this functionality at
1913 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1916 gnutls_certificate_set_x509_simple_pkcs12_file
1917 (gnutls_certificate_credentials_t res
, const char *pkcs12file
,
1918 gnutls_x509_crt_fmt_t type
, const char *password
)
1920 gnutls_datum_t p12blob
;
1924 p12blob
.data
= read_binary_file (pkcs12file
, &size
);
1925 p12blob
.size
= (unsigned int) size
;
1926 if (p12blob
.data
== NULL
)
1929 return GNUTLS_E_FILE_ERROR
;
1933 gnutls_certificate_set_x509_simple_pkcs12_mem (res
, &p12blob
, type
,
1935 free (p12blob
.data
);
1941 * gnutls_certificate_set_x509_simple_pkcs12_mem:
1942 * @res: is a #gnutls_certificate_credentials_t structure.
1943 * @p12blob: the PKCS#12 blob.
1944 * @type: is PEM or DER of the @pkcs12file.
1945 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
1947 * This function sets a certificate/private key pair and/or a CRL in
1948 * the gnutls_certificate_credentials_t structure. This function may
1949 * be called more than once (in case multiple keys/certificates exist
1952 * MAC:ed PKCS#12 files are supported. Encrypted PKCS#12 bags are
1953 * supported. Encrypted PKCS#8 private keys are supported. However,
1954 * only password based security, and the same password for all
1955 * operations, are supported.
1957 * The private keys may be RSA PKCS#1 or DSA private keys encoded in
1960 * PKCS#12 file may contain many keys and/or certificates, and there
1961 * is no way to identify which key/certificate pair you want. You
1962 * should make sure the PKCS#12 file only contain one key/certificate
1963 * pair and/or one CRL.
1965 * It is believed that the limitations of this function is acceptable
1966 * for most usage, and that any more flexibility would introduce
1967 * complexity that would make it harder to use this functionality at
1970 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1975 gnutls_certificate_set_x509_simple_pkcs12_mem
1976 (gnutls_certificate_credentials_t res
, const gnutls_datum_t
* p12blob
,
1977 gnutls_x509_crt_fmt_t type
, const char *password
)
1979 gnutls_pkcs12_t p12
;
1980 gnutls_x509_privkey_t key
= NULL
;
1981 gnutls_x509_crt_t cert
= NULL
;
1982 gnutls_x509_crl_t crl
= NULL
;
1985 ret
= gnutls_pkcs12_init (&p12
);
1992 ret
= gnutls_pkcs12_import (p12
, p12blob
, type
, 0);
1996 gnutls_pkcs12_deinit (p12
);
2002 ret
= gnutls_pkcs12_verify_mac (p12
, password
);
2006 gnutls_pkcs12_deinit (p12
);
2011 ret
= parse_pkcs12 (res
, p12
, password
, &key
, &cert
, &crl
);
2012 gnutls_pkcs12_deinit (p12
);
2021 ret
= gnutls_certificate_set_x509_key (res
, &cert
, 1, key
);
2031 ret
= gnutls_certificate_set_x509_crl (res
, &crl
, 1);
2043 gnutls_x509_crt_deinit (cert
);
2045 gnutls_x509_privkey_deinit (key
);
2047 gnutls_x509_crl_deinit (crl
);
2055 * gnutls_certificate_free_crls:
2056 * @sc: is a #gnutls_certificate_credentials_t structure.
2058 * This function will delete all the CRLs associated
2059 * with the given credentials.
2062 gnutls_certificate_free_crls (gnutls_certificate_credentials_t sc
)
2064 /* do nothing for now */