search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add.
[gnutls.git] / lib / gnutls_x509.c
blobd4b66ac50005864fb3be3f41079bd09ec637fc9f
1 /*
2 * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavroyanopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25 #include <gnutls_int.h>
26 #include "gnutls_auth_int.h"
27 #include "gnutls_errors.h"
28 #include <gnutls_cert.h>
29 #include <auth_cert.h>
30 #include "gnutls_dh.h"
31 #include "gnutls_num.h"
32 #include "libtasn1.h"
33 #include "gnutls_datum.h"
34 #include <gnutls_pk.h>
35 #include <gnutls_algorithms.h>
36 #include <gnutls_global.h>
37 #include <gnutls_record.h>
38 #include <gnutls_sig.h>
39 #include <gnutls_state.h>
40 #include <gnutls_pk.h>
41 #include <gnutls_str.h>
42 #include <debug.h>
43 #include <x509_b64.h>
44 #include <gnutls_x509.h>
45 #include "x509/common.h"
46 #include "x509/x509.h"
47 #include "x509/verify.h"
48 #include "x509/mpi.h"
49 #include "x509/pkcs7.h"
50 #include "x509/privkey.h"
51 #include "read-file.h"
52
53 /*
54 * some x509 certificate parsing functions.
55 */
56
57 /* Check if the number of bits of the key in the certificate
58 * is unacceptable.
59 */
60 inline static int
61 check_bits (gnutls_x509_crt_t crt, unsigned int max_bits)
62 {
63 int ret;
64 unsigned int bits;
65
66 ret = gnutls_x509_crt_get_pk_algorithm (crt, &bits);
67 if (ret < 0)
68 {
69 gnutls_assert ();
70 return ret;
71 }
72
73 if (bits > max_bits)
74 {
75 gnutls_assert ();
76 return GNUTLS_E_CONSTRAINT_ERROR;
77 }
78
79 return 0;
80 }
81
82
83 #define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) { \
84 if (peer_certificate_list[x]) \
85 gnutls_x509_crt_deinit(peer_certificate_list[x]); \
86 } \
87 gnutls_free( peer_certificate_list)
88
89 /*-
90 * _gnutls_x509_cert_verify_peers - This function returns the peer's certificate status
91 * @session: is a gnutls session
92 *
93 * This function will try to verify the peer's certificate and return its status (TRUSTED, REVOKED etc.).
94 * The return value (status) should be one of the gnutls_certificate_status_t enumerated elements.
95 * However you must also check the peer's name in order to check if the verified certificate belongs to the
96 * actual peer. Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
97 *
98 -*/
99 int
100 _gnutls_x509_cert_verify_peers (gnutls_session_t session,
101 unsigned int *status)
102 {
103 cert_auth_info_t info;
104 gnutls_certificate_credentials_t cred;
105 gnutls_x509_crt_t *peer_certificate_list;
106 int peer_certificate_list_size, i, x, ret;
107
108 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
109
110 info = _gnutls_get_auth_info (session);
111 if (info == NULL)
112 {
113 gnutls_assert ();
114 return GNUTLS_E_INVALID_REQUEST;
115 }
116
117 cred = (gnutls_certificate_credentials_t)
118 _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL);
119 if (cred == NULL)
120 {
121 gnutls_assert ();
122 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
123 }
124
125 if (info->raw_certificate_list == NULL || info->ncerts == 0)
126 return GNUTLS_E_NO_CERTIFICATE_FOUND;
127
128 if (info->ncerts > cred->verify_depth)
129 {
130 gnutls_assert ();
131 return GNUTLS_E_CONSTRAINT_ERROR;
132 }
133
134 /* generate a list of gnutls_certs based on the auth info
135 * raw certs.
136 */
137 peer_certificate_list_size = info->ncerts;
138 peer_certificate_list =
139 gnutls_calloc (1,
140 peer_certificate_list_size * sizeof (gnutls_x509_crt_t));
141 if (peer_certificate_list == NULL)
142 {
143 gnutls_assert ();
144 return GNUTLS_E_MEMORY_ERROR;
145 }
146
147 for (i = 0; i < peer_certificate_list_size; i++)
148 {
149 ret = gnutls_x509_crt_init (&peer_certificate_list[i]);
150 if (ret < 0)
151 {
152 gnutls_assert ();
153 CLEAR_CERTS;
154 return ret;
155 }
156
157 ret =
158 gnutls_x509_crt_import (peer_certificate_list[i],
159 &info->raw_certificate_list[i],
160 GNUTLS_X509_FMT_DER);
161 if (ret < 0)
162 {
163 gnutls_assert ();
164 CLEAR_CERTS;
165 return ret;
166 }
167
168 ret = check_bits (peer_certificate_list[i], cred->verify_bits);
169 if (ret < 0)
170 {
171 gnutls_assert ();
172 CLEAR_CERTS;
173 return ret;
174 }
175
176 }
177
178 /* Verify certificate
179 */
180 ret =
181 gnutls_x509_crt_list_verify (peer_certificate_list,
182 peer_certificate_list_size,
183 cred->x509_ca_list, cred->x509_ncas,
184 cred->x509_crl_list, cred->x509_ncrls,
185 cred->verify_flags, status);
186
187 CLEAR_CERTS;
188
189 if (ret < 0)
190 {
191 gnutls_assert ();
192 return ret;
193 }
194
195 return 0;
196 }
197
198 /*
199 * Read certificates and private keys, from files, memory etc.
200 */
201
202 /* returns error if the certificate has different algorithm than
203 * the given key parameters.
204 */
205 static int
206 _gnutls_check_key_cert_match (gnutls_certificate_credentials_t res)
207 {
208 gnutls_datum_t cid;
209 gnutls_datum_t kid;
210 unsigned pk = res->cert_list[res->ncerts - 1][0].subject_pk_algorithm;
211
212 if (res->pkey[res->ncerts - 1].pk_algorithm != pk)
213 {
214 gnutls_assert ();
215 return GNUTLS_E_CERTIFICATE_KEY_MISMATCH;
216 }
217
218 if (pk == GNUTLS_PK_RSA)
219 {
220 _gnutls_x509_write_rsa_params (res->pkey[res->ncerts - 1].params,
221 res->pkey[res->ncerts -
222 1].params_size, &kid);
223
224
225 _gnutls_x509_write_rsa_params (res->cert_list[res->ncerts - 1][0].
226 params,
227 res->cert_list[res->ncerts -
228 1][0].params_size, &cid);
229 }
230 else if (pk == GNUTLS_PK_DSA)
231 {
232
233 _gnutls_x509_write_dsa_params (res->pkey[res->ncerts - 1].params,
234 res->pkey[res->ncerts -
235 1].params_size, &kid);
236
237 _gnutls_x509_write_dsa_params (res->cert_list[res->ncerts - 1][0].
238 params,
239 res->cert_list[res->ncerts -
240 1][0].params_size, &cid);
241 }
242
243 if (cid.size != kid.size)
244 {
245 gnutls_assert ();
246 _gnutls_free_datum (&kid);
247 _gnutls_free_datum (&cid);
248 return GNUTLS_E_CERTIFICATE_KEY_MISMATCH;
249 }
250
251 if (memcmp (kid.data, cid.data, kid.size) != 0)
252 {
253 gnutls_assert ();
254 _gnutls_free_datum (&kid);
255 _gnutls_free_datum (&cid);
256 return GNUTLS_E_CERTIFICATE_KEY_MISMATCH;
257 }
258
259 _gnutls_free_datum (&kid);
260 _gnutls_free_datum (&cid);
261 return 0;
262 }
263
264 /* Reads a DER encoded certificate list from memory and stores it to
265 * a gnutls_cert structure. This is only called if PKCS7 read fails.
266 * returns the number of certificates parsed (1)
267 */
268 static int
269 parse_crt_mem (gnutls_cert ** cert_list, unsigned *ncerts,
270 gnutls_x509_crt_t cert)
271 {
272 int i;
273 int ret;
274
275 i = *ncerts + 1;
276
277 *cert_list =
278 (gnutls_cert *) gnutls_realloc_fast (*cert_list,
279 i * sizeof (gnutls_cert));
280
281 if (*cert_list == NULL)
282 {
283 gnutls_assert ();
284 return GNUTLS_E_MEMORY_ERROR;
285 }
286
287 ret = _gnutls_x509_crt_to_gcert (&cert_list[0][i - 1], cert, 0);
288 if (ret < 0)
289 {
290 gnutls_assert ();
291 return ret;
292 }
293
294 *ncerts = i;
295
296 return 1; /* one certificate parsed */
297 }
298
299 /* Reads a DER encoded certificate list from memory and stores it to
300 * a gnutls_cert structure. This is only called if PKCS7 read fails.
301 * returns the number of certificates parsed (1)
302 */
303 static int
304 parse_der_cert_mem (gnutls_cert ** cert_list, unsigned *ncerts,
305 const void *input_cert, int input_cert_size)
306 {
307 gnutls_datum_t tmp;
308 gnutls_x509_crt_t cert;
309 int ret;
310
311 ret = gnutls_x509_crt_init (&cert);
312 if (ret < 0)
313 {
314 gnutls_assert ();
315 return ret;
316 }
317
318 tmp.data = (opaque *) input_cert;
319 tmp.size = input_cert_size;
320
321 ret = gnutls_x509_crt_import (cert, &tmp, GNUTLS_X509_FMT_DER);
322 if (ret < 0)
323 {
324 gnutls_assert ();
325 gnutls_x509_crt_deinit (cert);
326 return ret;
327 }
328
329 ret = parse_crt_mem (cert_list, ncerts, cert);
330 gnutls_x509_crt_deinit (cert);
331
332 return ret;
333 }
334
335 #define CERT_PEM 1
336
337
338 /* Reads a PKCS7 base64 encoded certificate list from memory and stores it to
339 * a gnutls_cert structure.
340 * returns the number of certificate parsed
341 */
342 static int
343 parse_pkcs7_cert_mem (gnutls_cert ** cert_list, unsigned *ncerts, const
344 void *input_cert, int input_cert_size, int flags)
345 {
346 #ifdef ENABLE_PKI
347 int i, j, count;
348 gnutls_datum_t tmp, tmp2;
349 int ret;
350 opaque *pcert = NULL;
351 size_t pcert_size;
352 gnutls_pkcs7_t pkcs7;
353
354 ret = gnutls_pkcs7_init (&pkcs7);
355 if (ret < 0)
356 {
357 gnutls_assert ();
358 return ret;
359 }
360
361 if (flags & CERT_PEM)
362 ret = gnutls_pkcs7_import (pkcs7, &tmp, GNUTLS_X509_FMT_PEM);
363 else
364 ret = gnutls_pkcs7_import (pkcs7, &tmp, GNUTLS_X509_FMT_DER);
365 if (ret < 0)
366 {
367 /* if we failed to read the structure,
368 * then just try to decode a plain DER
369 * certificate.
370 */
371 gnutls_assert ();
372 gnutls_pkcs7_deinit (pkcs7);
373 #endif
374 return parse_der_cert_mem (cert_list, ncerts,
375 input_cert, input_cert_size);
376 #ifdef ENABLE_PKI
377 }
378
379 i = *ncerts + 1;
380
381 /* tmp now contains the decoded certificate list */
382 tmp.data = (opaque *) input_cert;
383 tmp.size = input_cert_size;
384
385 ret = gnutls_pkcs7_get_crt_count (pkcs7);
386
387 if (ret < 0)
388 {
389 gnutls_assert ();
390 gnutls_pkcs7_deinit (pkcs7);
391 return ret;
392 }
393 count = ret;
394
395 j = count - 1;
396 do
397 {
398 pcert_size = 0;
399 ret = gnutls_pkcs7_get_crt_raw (pkcs7, j, NULL, &pcert_size);
400 if (ret != GNUTLS_E_MEMORY_ERROR)
401 {
402 count--;
403 continue;
404 }
405
406 pcert = gnutls_malloc (pcert_size);
407 if (ret == GNUTLS_E_MEMORY_ERROR)
408 {
409 gnutls_assert ();
410 count--;
411 continue;
412 }
413
414 /* read the certificate
415 */
416 ret = gnutls_pkcs7_get_crt_raw (pkcs7, j, pcert, &pcert_size);
417
418 j--;
419
420 if (ret >= 0)
421 {
422 *cert_list =
423 (gnutls_cert *) gnutls_realloc_fast (*cert_list,
424 i * sizeof (gnutls_cert));
425
426 if (*cert_list == NULL)
427 {
428 gnutls_assert ();
429 gnutls_free (pcert);
430 return GNUTLS_E_MEMORY_ERROR;
431 }
432
433 tmp2.data = pcert;
434 tmp2.size = pcert_size;
435
436 ret =
437 _gnutls_x509_raw_cert_to_gcert (&cert_list[0][i - 1], &tmp2, 0);
438
439 if (ret < 0)
440 {
441 gnutls_assert ();
442 gnutls_pkcs7_deinit (pkcs7);
443 gnutls_free (pcert);
444 return ret;
445 }
446
447 i++;
448 }
449
450 gnutls_free (pcert);
451
452 }
453 while (ret >= 0 && j >= 0);
454
455 *ncerts = i - 1;
456
457 gnutls_pkcs7_deinit (pkcs7);
458 return count;
459 #endif
460 }
461
462 /* Reads a base64 encoded certificate list from memory and stores it to
463 * a gnutls_cert structure. Returns the number of certificate parsed.
464 */
465 static int
466 parse_pem_cert_mem (gnutls_cert ** cert_list, unsigned *ncerts,
467 const char *input_cert, int input_cert_size)
468 {
469 int size, siz2, i;
470 const char *ptr;
471 opaque *ptr2;
472 gnutls_datum_t tmp;
473 int ret, count;
474
475 #ifdef ENABLE_PKI
476 if ((ptr = memmem (input_cert, input_cert_size,
477 PEM_PKCS7_SEP, sizeof (PEM_PKCS7_SEP) - 1)) != NULL)
478 {
479 size = strlen (ptr);
480
481 ret = parse_pkcs7_cert_mem (cert_list, ncerts, ptr, size, CERT_PEM);
482
483 return ret;
484 }
485 #endif
486
487 /* move to the certificate
488 */
489 ptr = memmem (input_cert, input_cert_size,
490 PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
491 if (ptr == NULL)
492 ptr = memmem (input_cert, input_cert_size,
493 PEM_CERT_SEP2, sizeof (PEM_CERT_SEP2) - 1);
494
495 if (ptr == NULL)
496 {
497 gnutls_assert ();
498 return GNUTLS_E_BASE64_DECODING_ERROR;
499 }
500 size = input_cert_size - (ptr - input_cert);
501
502 i = *ncerts + 1;
503 count = 0;
504
505 do
506 {
507
508 siz2 = _gnutls_fbase64_decode (NULL, ptr, size, &ptr2);
509
510 if (siz2 < 0)
511 {
512 gnutls_assert ();
513 return GNUTLS_E_BASE64_DECODING_ERROR;
514 }
515
516 *cert_list =
517 (gnutls_cert *) gnutls_realloc_fast (*cert_list,
518 i * sizeof (gnutls_cert));
519
520 if (*cert_list == NULL)
521 {
522 gnutls_assert ();
523 return GNUTLS_E_MEMORY_ERROR;
524 }
525
526 tmp.data = ptr2;
527 tmp.size = siz2;
528
529 ret = _gnutls_x509_raw_cert_to_gcert (&cert_list[0][i - 1], &tmp, 0);
530 if (ret < 0)
531 {
532 gnutls_assert ();
533 return ret;
534 }
535 _gnutls_free_datum (&tmp); /* free ptr2 */
536
537 /* now we move ptr after the pem header
538 */
539 ptr++;
540 /* find the next certificate (if any)
541 */
542 size = input_cert_size - (ptr - input_cert);
543
544 if (size > 0)
545 {
546 char *ptr3;
547
548 ptr3 = memmem (ptr, size, PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
549 if (ptr3 == NULL)
550 ptr3 = memmem (ptr, size, PEM_CERT_SEP2,
551 sizeof (PEM_CERT_SEP2) - 1);
552
553 ptr = ptr3;
554 }
555 else
556 ptr = NULL;
557
558 i++;
559 count++;
560
561 }
562 while (ptr != NULL);
563
564 *ncerts = i - 1;
565
566 return count;
567 }
568
569
570
571 /* Reads a DER or PEM certificate from memory
572 */
573 static int
574 read_cert_mem (gnutls_certificate_credentials_t res, const void *cert,
575 int cert_size, gnutls_x509_crt_fmt_t type)
576 {
577 int ret;
578
579 /* allocate space for the certificate to add
580 */
581 res->cert_list = gnutls_realloc_fast (res->cert_list,
582 (1 +
583 res->ncerts) *
584 sizeof (gnutls_cert *));
585 if (res->cert_list == NULL)
586 {
587 gnutls_assert ();
588 return GNUTLS_E_MEMORY_ERROR;
589 }
590
591 res->cert_list_length = gnutls_realloc_fast (res->cert_list_length,
592 (1 +
593 res->ncerts) * sizeof (int));
594 if (res->cert_list_length == NULL)
595 {
596 gnutls_assert ();
597 return GNUTLS_E_MEMORY_ERROR;
598 }
599
600 res->cert_list[res->ncerts] = NULL; /* for realloc */
601 res->cert_list_length[res->ncerts] = 0;
602
603 if (type == GNUTLS_X509_FMT_DER)
604 ret = parse_pkcs7_cert_mem (&res->cert_list[res->ncerts],
605 &res->cert_list_length[res->ncerts],
606 cert, cert_size, 0);
607 else
608 ret =
609 parse_pem_cert_mem (&res->cert_list[res->ncerts],
610 &res->cert_list_length[res->ncerts], cert,
611 cert_size);
612
613 if (ret < 0)
614 {
615 gnutls_assert ();
616 return ret;
617 }
618
619 return ret;
620 }
621
622
623 int
624 _gnutls_x509_privkey_to_gkey (gnutls_privkey * dest,
625 gnutls_x509_privkey_t src)
626 {
627 int i, ret;
628
629 memset (dest, 0, sizeof (gnutls_privkey));
630
631 for (i = 0; i < src->params_size; i++)
632 {
633 dest->params[i] = _gnutls_mpi_copy (src->params[i]);
634 if (dest->params[i] == NULL)
635 {
636 gnutls_assert ();
637 ret = GNUTLS_E_MEMORY_ERROR;
638 goto cleanup;
639 }
640 }
641
642 dest->pk_algorithm = src->pk_algorithm;
643 dest->params_size = src->params_size;
644
645 return 0;
646
647 cleanup:
648
649 for (i = 0; i < src->params_size; i++)
650 {
651 _gnutls_mpi_release (&dest->params[i]);
652 }
653 return ret;
654 }
655
656 void
657 _gnutls_gkey_deinit (gnutls_privkey * key)
658 {
659 int i;
660 if (key == NULL)
661 return;
662
663 for (i = 0; i < key->params_size; i++)
664 {
665 _gnutls_mpi_release (&key->params[i]);
666 }
667 }
668
669 int
670 _gnutls_x509_raw_privkey_to_gkey (gnutls_privkey * privkey,
671 const gnutls_datum_t * raw_key,
672 gnutls_x509_crt_fmt_t type)
673 {
674 gnutls_x509_privkey_t tmpkey;
675 int ret;
676
677 ret = gnutls_x509_privkey_init (&tmpkey);
678 if (ret < 0)
679 {
680 gnutls_assert ();
681 return ret;
682 }
683
684 ret = gnutls_x509_privkey_import (tmpkey, raw_key, type);
685 if (ret < 0)
686 {
687 gnutls_assert ();
688 gnutls_x509_privkey_deinit (tmpkey);
689 return ret;
690 }
691
692 ret = _gnutls_x509_privkey_to_gkey (privkey, tmpkey);
693 if (ret < 0)
694 {
695 gnutls_assert ();
696 gnutls_x509_privkey_deinit (tmpkey);
697 return ret;
698 }
699
700 gnutls_x509_privkey_deinit (tmpkey);
701
702 return 0;
703 }
704
705 /* Reads a PEM encoded PKCS-1 RSA private key from memory
706 * 2002-01-26: Added ability to read DSA keys.
707 * type indicates the certificate format.
708 */
709 static int
710 read_key_mem (gnutls_certificate_credentials_t res,
711 const void *key, int key_size, gnutls_x509_crt_fmt_t type)
712 {
713 int ret;
714 gnutls_datum_t tmp;
715
716 /* allocate space for the pkey list
717 */
718 res->pkey =
719 gnutls_realloc_fast (res->pkey,
720 (res->ncerts + 1) * sizeof (gnutls_privkey));
721 if (res->pkey == NULL)
722 {
723 gnutls_assert ();
724 return GNUTLS_E_MEMORY_ERROR;
725 }
726
727 tmp.data = (opaque *) key;
728 tmp.size = key_size;
729
730 ret =
731 _gnutls_x509_raw_privkey_to_gkey (&res->pkey[res->ncerts], &tmp, type);
732 if (ret < 0)
733 {
734 gnutls_assert ();
735 return ret;
736 }
737
738 return 0;
739 }
740
741 /* Reads a certificate file
742 */
743 static int
744 read_cert_file (gnutls_certificate_credentials_t res,
745 const char *certfile, gnutls_x509_crt_fmt_t type)
746 {
747 int ret;
748 size_t size;
749 char *data = read_binary_file (certfile, &size);
750
751 if (data == NULL)
752 {
753 gnutls_assert ();
754 return GNUTLS_E_FILE_ERROR;
755 }
756
757 ret = read_cert_mem (res, data, size, type);
758 free (data);
759
760 return ret;
761
762 }
763
764
765
766 /* Reads PKCS-1 RSA private key file or a DSA file (in the format openssl
767 * stores it).
768 */
769 static int
770 read_key_file (gnutls_certificate_credentials_t res,
771 const char *keyfile, gnutls_x509_crt_fmt_t type)
772 {
773 int ret;
774 size_t size;
775 char *data = read_binary_file (keyfile, &size);
776
777 if (data == NULL)
778 {
779 gnutls_assert ();
780 return GNUTLS_E_FILE_ERROR;
781 }
782
783 ret = read_key_mem (res, data, size, type);
784 free (data);
785
786 return ret;
787 }
788
789 /**
790 * gnutls_certificate_set_x509_key_mem - Used to set keys in a gnutls_certificate_credentials_t structure
791 * @res: is an #gnutls_certificate_credentials_t structure.
792 * @cert: contains a certificate list (path) for the specified private key
793 * @key: is the private key
794 * @type: is PEM or DER
795 *
796 * This function sets a certificate/private key pair in the
797 * gnutls_certificate_credentials_t structure. This function may be called
798 * more than once (in case multiple keys/certificates exist for the
799 * server).
800 *
801 * Currently are supported: RSA PKCS-1 encoded private keys,
802 * DSA private keys.
803 *
804 * DSA private keys are encoded the OpenSSL way, which is an ASN.1
805 * DER sequence of 6 INTEGERs - version, p, q, g, pub, priv.
806 *
807 * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates
808 * is supported. This means that certificates intended for signing cannot
809 * be used for ciphersuites that require encryption.
810 *
811 * If the certificate and the private key are given in PEM encoding
812 * then the strings that hold their values must be null terminated.
813 *
814 **/
815 int
816 gnutls_certificate_set_x509_key_mem (gnutls_certificate_credentials_t
817 res, const gnutls_datum_t * cert,
818 const gnutls_datum_t * key,
819 gnutls_x509_crt_fmt_t type)
820 {
821 int ret;
822
823 /* this should be first
824 */
825 if ((ret = read_key_mem (res, key->data, key->size, type)) < 0)
826 return ret;
827
828 if ((ret = read_cert_mem (res, cert->data, cert->size, type)) < 0)
829 return ret;
830
831 res->ncerts++;
832
833 if ((ret = _gnutls_check_key_cert_match (res)) < 0)
834 {
835 gnutls_assert ();
836 return ret;
837 }
838
839 return 0;
840 }
841
842 /**
843 * gnutls_certificate_set_x509_key - Used to set keys in a gnutls_certificate_credentials_t structure
844 * @res: is an #gnutls_certificate_credentials_t structure.
845 * @cert_list: contains a certificate list (path) for the specified private key
846 * @cert_list_size: holds the size of the certificate list
847 * @key: is a gnutls_x509_privkey_t key
848 *
849 * This function sets a certificate/private key pair in the
850 * gnutls_certificate_credentials_t structure. This function may be called
851 * more than once (in case multiple keys/certificates exist for the
852 * server).
853 *
854 **/
855 int
856 gnutls_certificate_set_x509_key (gnutls_certificate_credentials_t res,
857 gnutls_x509_crt_t * cert_list,
858 int cert_list_size,
859 gnutls_x509_privkey_t key)
860 {
861 int ret, i;
862
863 /* this should be first
864 */
865
866 res->pkey =
867 gnutls_realloc_fast (res->pkey,
868 (res->ncerts + 1) * sizeof (gnutls_privkey));
869 if (res->pkey == NULL)
870 {
871 gnutls_assert ();
872 return GNUTLS_E_MEMORY_ERROR;
873 }
874
875 ret = _gnutls_x509_privkey_to_gkey (&res->pkey[res->ncerts], key);
876 if (ret < 0)
877 {
878 gnutls_assert ();
879 return ret;
880 }
881
882 res->cert_list = gnutls_realloc_fast (res->cert_list,
883 (1 +
884 res->ncerts) *
885 sizeof (gnutls_cert *));
886 if (res->cert_list == NULL)
887 {
888 gnutls_assert ();
889 return GNUTLS_E_MEMORY_ERROR;
890 }
891
892 res->cert_list_length = gnutls_realloc_fast (res->cert_list_length,
893 (1 +
894 res->ncerts) * sizeof (int));
895 if (res->cert_list_length == NULL)
896 {
897 gnutls_assert ();
898 return GNUTLS_E_MEMORY_ERROR;
899 }
900
901 res->cert_list[res->ncerts] = NULL; /* for realloc */
902 res->cert_list_length[res->ncerts] = 0;
903
904
905 for (i = 0; i < cert_list_size; i++)
906 {
907 ret = parse_crt_mem (&res->cert_list[res->ncerts],
908 &res->cert_list_length[res->ncerts], cert_list[i]);
909 if (ret < 0)
910 {
911 gnutls_assert ();
912 return ret;
913 }
914 }
915 res->ncerts++;
916
917 if ((ret = _gnutls_check_key_cert_match (res)) < 0)
918 {
919 gnutls_assert ();
920 return ret;
921 }
922
923 return 0;
924 }
925
926 /**
927 * gnutls_certificate_set_x509_key_file - Used to set keys in a gnutls_certificate_credentials_t structure
928 * @res: is an #gnutls_certificate_credentials_t structure.
929 * @CERTFILE: is a file that containing the certificate list (path) for
930 * the specified private key, in PKCS7 format, or a list of certificates
931 * @KEYFILE: is a file that contains the private key
932 * @type: is PEM or DER
933 *
934 * This function sets a certificate/private key pair in the
935 * gnutls_certificate_credentials_t structure. This function may be called
936 * more than once (in case multiple keys/certificates exist for the
937 * server).
938 *
939 * Currently only PKCS-1 encoded RSA and DSA private keys are accepted by
940 * this function.
941 *
942 **/
943 int
944 gnutls_certificate_set_x509_key_file (gnutls_certificate_credentials_t
945 res, const char *CERTFILE,
946 const char *KEYFILE,
947 gnutls_x509_crt_fmt_t type)
948 {
949 int ret;
950
951 /* this should be first
952 */
953 if ((ret = read_key_file (res, KEYFILE, type)) < 0)
954 return ret;
955
956 if ((ret = read_cert_file (res, CERTFILE, type)) < 0)
957 return ret;
958
959 res->ncerts++;
960
961 if ((ret = _gnutls_check_key_cert_match (res)) < 0)
962 {
963 gnutls_assert ();
964 return ret;
965 }
966
967 return 0;
968 }
969
970 static int
971 generate_rdn_seq (gnutls_certificate_credentials_t res)
972 {
973 gnutls_datum_t tmp;
974 int ret;
975 unsigned size, i;
976 opaque *pdata;
977
978 /* Generate the RDN sequence
979 * This will be sent to clients when a certificate
980 * request message is sent.
981 */
982
983 /* FIXME: in case of a client it is not needed
984 * to do that. This would save time and memory.
985 * However we don't have that information available
986 * here.
987 */
988
989 size = 0;
990 for (i = 0; i < res->x509_ncas; i++)
991 {
992 if ((ret = gnutls_x509_crt_get_raw_dn (res->x509_ca_list[i], &tmp)) < 0)
993 {
994 gnutls_assert ();
995 return ret;
996 }
997 size += (2 + tmp.size);
998 _gnutls_free_datum (&tmp);
999 }
1000
1001 if (res->x509_rdn_sequence.data != NULL)
1002 gnutls_free (res->x509_rdn_sequence.data);
1003
1004 res->x509_rdn_sequence.data = gnutls_malloc (size);
1005 if (res->x509_rdn_sequence.data == NULL)
1006 {
1007 gnutls_assert ();
1008 return GNUTLS_E_MEMORY_ERROR;
1009 }
1010 res->x509_rdn_sequence.size = size;
1011
1012 pdata = res->x509_rdn_sequence.data;
1013
1014 for (i = 0; i < res->x509_ncas; i++)
1015 {
1016 if ((ret = gnutls_x509_crt_get_raw_dn (res->x509_ca_list[i], &tmp)) < 0)
1017 {
1018 _gnutls_free_datum (&res->x509_rdn_sequence);
1019 gnutls_assert ();
1020 return ret;
1021 }
1022
1023 _gnutls_write_datum16 (pdata, tmp);
1024 pdata += (2 + tmp.size);
1025 _gnutls_free_datum (&tmp);
1026 }
1027
1028 return 0;
1029 }
1030
1031
1032
1033
1034 /* Returns 0 if it's ok to use the gnutls_kx_algorithm_t with this
1035 * certificate (uses the KeyUsage field).
1036 */
1037 int
1038 _gnutls_check_key_usage (const gnutls_cert * cert, gnutls_kx_algorithm_t alg)
1039 {
1040 unsigned int key_usage = 0;
1041 int encipher_type;
1042
1043 if (cert == NULL)
1044 {
1045 gnutls_assert ();
1046 return GNUTLS_E_INTERNAL_ERROR;
1047 }
1048
1049 if (_gnutls_map_kx_get_cred (alg, 1) == GNUTLS_CRD_CERTIFICATE ||
1050 _gnutls_map_kx_get_cred (alg, 0) == GNUTLS_CRD_CERTIFICATE)
1051 {
1052
1053 key_usage = cert->key_usage;
1054
1055 encipher_type = _gnutls_kx_encipher_type (alg);
1056
1057 if (key_usage != 0 && encipher_type != CIPHER_IGN)
1058 {
1059 /* If key_usage has been set in the certificate
1060 */
1061
1062 if (encipher_type == CIPHER_ENCRYPT)
1063 {
1064 /* If the key exchange method requires an encipher
1065 * type algorithm, and key's usage does not permit
1066 * encipherment, then fail.
1067 */
1068 if (!(key_usage & KEY_KEY_ENCIPHERMENT))
1069 {
1070 gnutls_assert ();
1071 return GNUTLS_E_KEY_USAGE_VIOLATION;
1072 }
1073 }
1074
1075 if (encipher_type == CIPHER_SIGN)
1076 {
1077 /* The same as above, but for sign only keys
1078 */
1079 if (!(key_usage & KEY_DIGITAL_SIGNATURE))
1080 {
1081 gnutls_assert ();
1082 return GNUTLS_E_KEY_USAGE_VIOLATION;
1083 }
1084 }
1085 }
1086 }
1087 return 0;
1088 }
1089
1090
1091
1092 static int
1093 parse_pem_ca_mem (gnutls_x509_crt_t ** cert_list, unsigned *ncerts,
1094 const opaque * input_cert, int input_cert_size)
1095 {
1096 int i, size;
1097 const opaque *ptr;
1098 gnutls_datum_t tmp;
1099 int ret, count;
1100
1101 /* move to the certificate
1102 */
1103 ptr = memmem (input_cert, input_cert_size,
1104 PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
1105 if (ptr == NULL)
1106 ptr = memmem (input_cert, input_cert_size,
1107 PEM_CERT_SEP2, sizeof (PEM_CERT_SEP2) - 1);
1108
1109 if (ptr == NULL)
1110 {
1111 gnutls_assert ();
1112 return GNUTLS_E_BASE64_DECODING_ERROR;
1113 }
1114 size = input_cert_size - (ptr - input_cert);
1115
1116 i = *ncerts + 1;
1117 count = 0;
1118
1119 do
1120 {
1121
1122 *cert_list =
1123 (gnutls_x509_crt_t *) gnutls_realloc_fast (*cert_list,
1124 i *
1125 sizeof
1126 (gnutls_x509_crt_t));
1127
1128 if (*cert_list == NULL)
1129 {
1130 gnutls_assert ();
1131 return GNUTLS_E_MEMORY_ERROR;
1132 }
1133
1134 ret = gnutls_x509_crt_init (&cert_list[0][i - 1]);
1135 if (ret < 0)
1136 {
1137 gnutls_assert ();
1138 return ret;
1139 }
1140
1141 tmp.data = (opaque *) ptr;
1142 tmp.size = size;
1143
1144 ret =
1145 gnutls_x509_crt_import (cert_list[0][i - 1],
1146 &tmp, GNUTLS_X509_FMT_PEM);
1147 if (ret < 0)
1148 {
1149 gnutls_assert ();
1150 return ret;
1151 }
1152
1153 /* now we move ptr after the pem header
1154 */
1155 ptr++;
1156 size--;
1157 /* find the next certificate (if any)
1158 */
1159
1160 if (size > 0)
1161 {
1162 char *ptr3;
1163
1164 ptr3 = memmem (ptr, size, PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
1165 if (ptr3 == NULL)
1166 ptr3 = memmem (ptr, size,
1167 PEM_CERT_SEP2, sizeof (PEM_CERT_SEP2) - 1);
1168
1169 ptr = ptr3;
1170 size = input_cert_size - (ptr - input_cert);
1171 }
1172 else
1173 ptr = NULL;
1174
1175 i++;
1176 count++;
1177
1178 }
1179 while (ptr != NULL);
1180
1181 *ncerts = i - 1;
1182
1183 return count;
1184 }
1185
1186 /* Reads a DER encoded certificate list from memory and stores it to
1187 * a gnutls_cert structure. This is only called if PKCS7 read fails.
1188 * returns the number of certificates parsed (1)
1189 */
1190 static int
1191 parse_der_ca_mem (gnutls_x509_crt_t ** cert_list, unsigned *ncerts,
1192 const void *input_cert, int input_cert_size)
1193 {
1194 int i;
1195 gnutls_datum_t tmp;
1196 int ret;
1197
1198 i = *ncerts + 1;
1199
1200 *cert_list =
1201 (gnutls_x509_crt_t *) gnutls_realloc_fast (*cert_list,
1202 i *
1203 sizeof (gnutls_x509_crt_t));
1204
1205 if (*cert_list == NULL)
1206 {
1207 gnutls_assert ();
1208 return GNUTLS_E_MEMORY_ERROR;
1209 }
1210
1211 tmp.data = (opaque *) input_cert;
1212 tmp.size = input_cert_size;
1213
1214 ret = gnutls_x509_crt_init (&cert_list[0][i - 1]);
1215 if (ret < 0)
1216 {
1217 gnutls_assert ();
1218 return ret;
1219 }
1220
1221 ret =
1222 gnutls_x509_crt_import (cert_list[0][i - 1], &tmp, GNUTLS_X509_FMT_DER);
1223 if (ret < 0)
1224 {
1225 gnutls_assert ();
1226 return ret;
1227 }
1228
1229 *ncerts = i;
1230
1231 return 1; /* one certificate parsed */
1232 }
1233
1234 /**
1235 * gnutls_certificate_set_x509_trust_mem - Used to add trusted CAs in a gnutls_certificate_credentials_t structure
1236 * @res: is an #gnutls_certificate_credentials_t structure.
1237 * @ca: is a list of trusted CAs or a DER certificate
1238 * @type: is DER or PEM
1239 *
1240 * This function adds the trusted CAs in order to verify client
1241 * or server certificates. In case of a client this is not required
1242 * to be called if the certificates are not verified using
1243 * gnutls_certificate_verify_peers2().
1244 * This function may be called multiple times.
1245 *
1246 * In case of a server the CAs set here will be sent to the client if
1247 * a certificate request is sent. This can be disabled using
1248 * gnutls_certificate_send_x509_rdn_sequence().
1249 *
1250 * Returns the number of certificates processed or a negative
1251 * value on error.
1252 *
1253 **/
1254 int
1255 gnutls_certificate_set_x509_trust_mem (gnutls_certificate_credentials_t
1256 res, const gnutls_datum_t * ca,
1257 gnutls_x509_crt_fmt_t type)
1258 {
1259 int ret, ret2;
1260
1261 if (type == GNUTLS_X509_FMT_DER)
1262 ret = parse_der_ca_mem (&res->x509_ca_list, &res->x509_ncas,
1263 ca->data, ca->size);
1264 else
1265 ret = parse_pem_ca_mem (&res->x509_ca_list, &res->x509_ncas,
1266 ca->data, ca->size);
1267
1268 if ((ret2 = generate_rdn_seq (res)) < 0)
1269 return ret2;
1270
1271 return ret;
1272 }
1273
1274 /**
1275 * gnutls_certificate_set_x509_trust - Used to add trusted CAs in a gnutls_certificate_credentials_t structure
1276 * @res: is an #gnutls_certificate_credentials_t structure.
1277 * @ca_list: is a list of trusted CAs
1278 * @ca_list_size: holds the size of the CA list
1279 *
1280 * This function adds the trusted CAs in order to verify client
1281 * or server certificates. In case of a client this is not required
1282 * to be called if the certificates are not verified using
1283 * gnutls_certificate_verify_peers2().
1284 * This function may be called multiple times.
1285 *
1286 * In case of a server the CAs set here will be sent to the client if
1287 * a certificate request is sent. This can be disabled using
1288 * gnutls_certificate_send_x509_rdn_sequence().
1289 *
1290 * Returns 0 on success.
1291 *
1292 **/
1293 int
1294 gnutls_certificate_set_x509_trust (gnutls_certificate_credentials_t res,
1295 gnutls_x509_crt_t * ca_list,
1296 int ca_list_size)
1297 {
1298 int ret, i, ret2;
1299
1300 res->x509_ca_list = gnutls_realloc_fast (res->x509_ca_list,
1301 (ca_list_size +
1302 res->x509_ncas) *
1303 sizeof (gnutls_x509_crt_t));
1304 if (res->x509_ca_list == NULL)
1305 {
1306 gnutls_assert ();
1307 return GNUTLS_E_MEMORY_ERROR;
1308 }
1309
1310 for (i = 0; i < ca_list_size; i++)
1311 {
1312 ret = gnutls_x509_crt_init (&res->x509_ca_list[ res->x509_ncas]);
1313 if (ret < 0)
1314 {
1315 gnutls_assert ();
1316 return ret;
1317 }
1318
1319 ret = _gnutls_x509_crt_cpy (res->x509_ca_list[ res->x509_ncas],
1320 ca_list[i]);
1321 if (ret < 0)
1322 {
1323 gnutls_assert ();
1324 gnutls_x509_crt_deinit (res->x509_ca_list[ res->x509_ncas]);
1325 return ret;
1326 }
1327 res->x509_ncas++;
1328 }
1329
1330 if ((ret2 = generate_rdn_seq (res)) < 0)
1331 return ret2;
1332
1333 return 0;
1334 }
1335
1336 /**
1337 * gnutls_certificate_set_x509_trust_file - Used to add trusted CAs in a gnutls_certificate_credentials_t structure
1338 * @res: is an #gnutls_certificate_credentials_t structure.
1339 * @cafile: is a file containing the list of trusted CAs (DER or PEM list)
1340 * @type: is PEM or DER
1341 *
1342 * This function adds the trusted CAs in order to verify client
1343 * or server certificates. In case of a client this is not required
1344 * to be called if the certificates are not verified using
1345 * gnutls_certificate_verify_peers2().
1346 * This function may be called multiple times.
1347 *
1348 * In case of a server the names of the CAs set here will be sent to the
1349 * client if a certificate request is sent. This can be disabled using
1350 * gnutls_certificate_send_x509_rdn_sequence().
1351 *
1352 * Returns the number of certificates processed or a negative
1353 * value on error.
1354 *
1355 **/
1356 int
1357 gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t
1358 res, const char *cafile,
1359 gnutls_x509_crt_fmt_t type)
1360 {
1361 int ret, ret2;
1362 size_t size;
1363 char *data = read_binary_file (cafile, &size);
1364
1365 if (data == NULL)
1366 {
1367 gnutls_assert ();
1368 return GNUTLS_E_FILE_ERROR;
1369 }
1370
1371 if (type == GNUTLS_X509_FMT_DER)
1372 ret = parse_der_ca_mem (&res->x509_ca_list, &res->x509_ncas,
1373 data, size);
1374 else
1375 ret = parse_pem_ca_mem (&res->x509_ca_list, &res->x509_ncas,
1376 data, size);
1377
1378 free (data);
1379
1380 if (ret < 0)
1381 {
1382 gnutls_assert ();
1383 return ret;
1384 }
1385
1386 if ((ret2 = generate_rdn_seq (res)) < 0)
1387 return ret2;
1388
1389 return ret;
1390 }
1391
1392 #ifdef ENABLE_PKI
1393
1394 static int
1395 parse_pem_crl_mem (gnutls_x509_crl_t ** crl_list, unsigned *ncrls,
1396 const opaque * input_crl, int input_crl_size)
1397 {
1398 int size, i;
1399 const opaque *ptr;
1400 gnutls_datum_t tmp;
1401 int ret, count;
1402
1403 /* move to the certificate
1404 */
1405 ptr = memmem (input_crl, input_crl_size,
1406 PEM_CRL_SEP, sizeof (PEM_CRL_SEP) - 1);
1407 if (ptr == NULL)
1408 {
1409 gnutls_assert ();
1410 return GNUTLS_E_BASE64_DECODING_ERROR;
1411 }
1412
1413 size = input_crl_size - (ptr - input_crl);
1414
1415 i = *ncrls + 1;
1416 count = 0;
1417
1418 do
1419 {
1420
1421 *crl_list =
1422 (gnutls_x509_crl_t *) gnutls_realloc_fast (*crl_list,
1423 i *
1424 sizeof
1425 (gnutls_x509_crl_t));
1426
1427 if (*crl_list == NULL)
1428 {
1429 gnutls_assert ();
1430 return GNUTLS_E_MEMORY_ERROR;
1431 }
1432
1433 ret = gnutls_x509_crl_init (&crl_list[0][i - 1]);
1434 if (ret < 0)
1435 {
1436 gnutls_assert ();
1437 return ret;
1438 }
1439
1440 tmp.data = (char *) ptr;
1441 tmp.size = size;
1442
1443 ret =
1444 gnutls_x509_crl_import (crl_list[0][i - 1],
1445 &tmp, GNUTLS_X509_FMT_PEM);
1446 if (ret < 0)
1447 {
1448 gnutls_assert ();
1449 return ret;
1450 }
1451
1452 /* now we move ptr after the pem header
1453 */
1454 ptr++;
1455 /* find the next certificate (if any)
1456 */
1457
1458 size = input_crl_size - (ptr - input_crl);
1459
1460 if (size > 0)
1461 ptr = memmem (ptr, size, PEM_CRL_SEP, sizeof (PEM_CRL_SEP) - 1);
1462 else
1463 ptr = NULL;
1464 i++;
1465 count++;
1466
1467 }
1468 while (ptr != NULL);
1469
1470 *ncrls = i - 1;
1471
1472 return count;
1473 }
1474
1475 /* Reads a DER encoded certificate list from memory and stores it to
1476 * a gnutls_cert structure. This is only called if PKCS7 read fails.
1477 * returns the number of certificates parsed (1)
1478 */
1479 static int
1480 parse_der_crl_mem (gnutls_x509_crl_t ** crl_list, unsigned *ncrls,
1481 const void *input_crl, int input_crl_size)
1482 {
1483 int i;
1484 gnutls_datum_t tmp;
1485 int ret;
1486
1487 i = *ncrls + 1;
1488
1489 *crl_list =
1490 (gnutls_x509_crl_t *) gnutls_realloc_fast (*crl_list,
1491 i *
1492 sizeof (gnutls_x509_crl_t));
1493
1494 if (*crl_list == NULL)
1495 {
1496 gnutls_assert ();
1497 return GNUTLS_E_MEMORY_ERROR;
1498 }
1499
1500 tmp.data = (opaque *) input_crl;
1501 tmp.size = input_crl_size;
1502
1503 ret = gnutls_x509_crl_init (&crl_list[0][i - 1]);
1504 if (ret < 0)
1505 {
1506 gnutls_assert ();
1507 return ret;
1508 }
1509
1510 ret =
1511 gnutls_x509_crl_import (crl_list[0][i - 1], &tmp, GNUTLS_X509_FMT_DER);
1512 if (ret < 0)
1513 {
1514 gnutls_assert ();
1515 return ret;
1516 }
1517
1518 *ncrls = i;
1519
1520 return 1; /* one certificate parsed */
1521 }
1522
1523
1524 /* Reads a DER or PEM CRL from memory
1525 */
1526 static int
1527 read_crl_mem (gnutls_certificate_credentials_t res, const void *crl,
1528 int crl_size, gnutls_x509_crt_fmt_t type)
1529 {
1530 int ret;
1531
1532 /* allocate space for the certificate to add
1533 */
1534 res->x509_crl_list = gnutls_realloc_fast (res->x509_crl_list,
1535 (1 +
1536 res->x509_ncrls) *
1537 sizeof (gnutls_x509_crl_t));
1538 if (res->x509_crl_list == NULL)
1539 {
1540 gnutls_assert ();
1541 return GNUTLS_E_MEMORY_ERROR;
1542 }
1543
1544 if (type == GNUTLS_X509_FMT_DER)
1545 ret = parse_der_crl_mem (&res->x509_crl_list,
1546 &res->x509_ncrls, crl, crl_size);
1547 else
1548 ret = parse_pem_crl_mem (&res->x509_crl_list,
1549 &res->x509_ncrls, crl, crl_size);
1550
1551 if (ret < 0)
1552 {
1553 gnutls_assert ();
1554 return ret;
1555 }
1556
1557 return ret;
1558 }
1559
1560 /**
1561 * gnutls_certificate_set_x509_crl_mem - Used to add CRLs in a gnutls_certificate_credentials_t structure
1562 * @res: is an #gnutls_certificate_credentials_t structure.
1563 * @CRL: is a list of trusted CRLs. They should have been verified before.
1564 * @type: is DER or PEM
1565 *
1566 * This function adds the trusted CRLs in order to verify client or server
1567 * certificates. In case of a client this is not required
1568 * to be called if the certificates are not verified using
1569 * gnutls_certificate_verify_peers2().
1570 * This function may be called multiple times.
1571 *
1572 * Returns the number of CRLs processed or a negative value on error.
1573 *
1574 **/
1575 int
1576 gnutls_certificate_set_x509_crl_mem (gnutls_certificate_credentials_t
1577 res, const gnutls_datum_t * CRL,
1578 gnutls_x509_crt_fmt_t type)
1579 {
1580 int ret;
1581
1582 if ((ret = read_crl_mem (res, CRL->data, CRL->size, type)) < 0)
1583 return ret;
1584
1585 return ret;
1586 }
1587
1588 /**
1589 * gnutls_certificate_set_x509_crl - Used to add CRLs in a gnutls_certificate_credentials_t structure
1590 * @res: is an #gnutls_certificate_credentials_t structure.
1591 * @crl_list: is a list of trusted CRLs. They should have been verified before.
1592 * @crl_list_size: holds the size of the crl_list
1593 *
1594 * This function adds the trusted CRLs in order to verify client or server
1595 * certificates. In case of a client this is not required
1596 * to be called if the certificates are not verified using
1597 * gnutls_certificate_verify_peers2().
1598 * This function may be called multiple times.
1599 *
1600 * Returns 0 on success.
1601 *
1602 **/
1603 int
1604 gnutls_certificate_set_x509_crl (gnutls_certificate_credentials_t res,
1605 gnutls_x509_crl_t * crl_list,
1606 int crl_list_size)
1607 {
1608 int ret, i;
1609
1610 res->x509_crl_list = gnutls_realloc_fast (res->x509_crl_list,
1611 (crl_list_size +
1612 res->x509_ncrls) *
1613 sizeof (gnutls_x509_crl_t));
1614 if (res->x509_crl_list == NULL)
1615 {
1616 gnutls_assert ();
1617 return GNUTLS_E_MEMORY_ERROR;
1618 }
1619
1620 for (i = 0; i < crl_list_size; i++)
1621 {
1622 ret = gnutls_x509_crl_init (&res->x509_crl_list[res->x509_ncrls]);
1623 if (ret < 0)
1624 {
1625 gnutls_assert ();
1626 return ret;
1627 }
1628
1629 ret = _gnutls_x509_crl_cpy (res->x509_crl_list[res->x509_ncrls],
1630 crl_list[i]);
1631 if (ret < 0)
1632 {
1633 gnutls_assert ();
1634 return ret;
1635 }
1636 res->x509_ncrls++;
1637 }
1638
1639 return 0;
1640 }
1641
1642 /**
1643 * gnutls_certificate_set_x509_crl_file - Used to add CRLs in a gnutls_certificate_credentials_t structure
1644 * @res: is an #gnutls_certificate_credentials_t structure.
1645 * @crlfile: is a file containing the list of verified CRLs (DER or PEM list)
1646 * @type: is PEM or DER
1647 *
1648 * This function adds the trusted CRLs in order to verify client or server
1649 * certificates. In case of a client this is not required
1650 * to be called if the certificates are not verified using
1651 * gnutls_certificate_verify_peers2().
1652 * This function may be called multiple times.
1653 *
1654 * Returns the number of CRLs processed or a negative value on error.
1655 *
1656 **/
1657 int
1658 gnutls_certificate_set_x509_crl_file (gnutls_certificate_credentials_t
1659 res, const char *crlfile,
1660 gnutls_x509_crt_fmt_t type)
1661 {
1662 int ret;
1663 size_t size;
1664 char *data = read_binary_file (crlfile, &size);
1665
1666 if (data == NULL)
1667 {
1668 gnutls_assert ();
1669 return GNUTLS_E_FILE_ERROR;
1670 }
1671
1672 if (type == GNUTLS_X509_FMT_DER)
1673 ret = parse_der_crl_mem (&res->x509_crl_list, &res->x509_ncrls,
1674 data, size);
1675 else
1676 ret = parse_pem_crl_mem (&res->x509_crl_list, &res->x509_ncrls,
1677 data, size);
1678
1679 free (data);
1680
1681 if (ret < 0)
1682 {
1683 gnutls_assert ();
1684 return ret;
1685 }
1686
1687 return ret;
1688 }
1689
1690 #include <gnutls/pkcs12.h>
1691
1692 static int
1693 parse_pkcs12 (gnutls_certificate_credentials_t res,
1694 gnutls_pkcs12_t p12,
1695 const char *password,
1696 gnutls_x509_privkey * key,
1697 gnutls_x509_crt_t * cert, gnutls_x509_crl_t * crl)
1698 {
1699 gnutls_pkcs12_bag bag = NULL;
1700 int index = 0;
1701 int ret;
1702
1703 for (;;)
1704 {
1705 int elements_in_bag;
1706 int i;
1707
1708 ret = gnutls_pkcs12_bag_init (&bag);
1709 if (ret < 0)
1710 {
1711 bag = NULL;
1712 gnutls_assert ();
1713 goto done;
1714 }
1715
1716 ret = gnutls_pkcs12_get_bag (p12, index, bag);
1717 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1718 break;
1719 if (ret < 0)
1720 {
1721 gnutls_assert ();
1722 goto done;
1723 }
1724
1725 ret = gnutls_pkcs12_bag_get_type (bag, 0);
1726 if (ret < 0)
1727 {
1728 gnutls_assert ();
1729 goto done;
1730 }
1731
1732 if (ret == GNUTLS_BAG_ENCRYPTED)
1733 {
1734 ret = gnutls_pkcs12_bag_decrypt (bag, password);
1735 if (ret < 0)
1736 {
1737 gnutls_assert ();
1738 goto done;
1739 }
1740 }
1741
1742 elements_in_bag = gnutls_pkcs12_bag_get_count (bag);
1743 if (elements_in_bag < 0)
1744 {
1745 gnutls_assert ();
1746 goto done;
1747 }
1748
1749 for (i = 0; i < elements_in_bag; i++)
1750 {
1751 int type;
1752 gnutls_datum data;
1753
1754 type = gnutls_pkcs12_bag_get_type (bag, i);
1755 if (type < 0)
1756 {
1757 gnutls_assert ();
1758 goto done;
1759 }
1760
1761 ret = gnutls_pkcs12_bag_get_data (bag, i, &data);
1762 if (ret < 0)
1763 {
1764 gnutls_assert ();
1765 goto done;
1766 }
1767
1768 switch (type)
1769 {
1770 case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY:
1771 case GNUTLS_BAG_PKCS8_KEY:
1772 ret = gnutls_x509_privkey_init (key);
1773 if (ret < 0)
1774 {
1775 gnutls_assert ();
1776 goto done;
1777 }
1778
1779 ret = gnutls_x509_privkey_import_pkcs8
1780 (*key, &data, GNUTLS_X509_FMT_DER, password,
1781 type == GNUTLS_BAG_PKCS8_KEY ? GNUTLS_PKCS_PLAIN : 0);
1782 if (ret < 0)
1783 {
1784 gnutls_assert ();
1785 goto done;
1786 }
1787 break;
1788
1789 case GNUTLS_BAG_CERTIFICATE:
1790 ret = gnutls_x509_crt_init (cert);
1791 if (ret < 0)
1792 {
1793 gnutls_assert ();
1794 goto done;
1795 }
1796
1797 ret =
1798 gnutls_x509_crt_import (*cert, &data, GNUTLS_X509_FMT_DER);
1799 if (ret < 0)
1800 {
1801 gnutls_assert ();
1802 goto done;
1803 }
1804 break;
1805
1806 case GNUTLS_BAG_CRL:
1807 ret = gnutls_x509_crl_init (crl);
1808 if (ret < 0)
1809 {
1810 gnutls_assert ();
1811 goto done;
1812 }
1813
1814 ret = gnutls_x509_crl_import (*crl, &data, GNUTLS_X509_FMT_DER);
1815 if (ret < 0)
1816 {
1817 gnutls_assert ();
1818 goto done;
1819 }
1820 break;
1821
1822 case GNUTLS_BAG_ENCRYPTED:
1823 /* XXX Bother to recurse one level down? Unlikely to
1824 use the same password anyway. */
1825 case GNUTLS_BAG_EMPTY:
1826 default:
1827 break;
1828 }
1829 }
1830
1831 index++;
1832 gnutls_pkcs12_bag_deinit (bag);
1833 }
1834
1835 ret = 0;
1836
1837 done:
1838 if (bag)
1839 gnutls_pkcs12_bag_deinit (bag);
1840
1841 return ret;
1842 }
1843
1844 /**
1845 * gnutls_certificate_set_x509_simple_pkcs12_file:
1846 * @res: is an #gnutls_certificate_credentials_t structure.
1847 * @pkcs12file: filename of file containing PKCS#12 blob.
1848 * @type: is PEM or DER of the @pkcs12file.
1849 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
1850 *
1851 * This function sets a certificate/private key pair and/or a CRL in
1852 * the gnutls_certificate_credentials_t structure. This function may
1853 * be called more than once (in case multiple keys/certificates exist
1854 * for the server).
1855 *
1856 * MAC:ed PKCS#12 files are supported. Encrypted PKCS#12 bags are
1857 * supported. Encrypted PKCS#8 private keys are supported. However,
1858 * only password based security, and the same password for all
1859 * operations, are supported.
1860 *
1861 * The private keys may be RSA PKCS#1 or DSA private keys encoded in
1862 * the OpenSSL way.
1863 *
1864 * PKCS#12 file may contain many keys and/or certificates, and there
1865 * is no way to identify which key/certificate pair you want. You
1866 * should make sure the PKCS#12 file only contain one key/certificate
1867 * pair and/or one CRL.
1868 *
1869 * It is believed that the limitations of this function is acceptable
1870 * for most usage, and that any more flexibility would introduce
1871 * complexity that would make it harder to use this functionality at
1872 * all.
1873 *
1874 * Return value: Returns 0 on success, or an error code.
1875 **/
1876 int
1877 gnutls_certificate_set_x509_simple_pkcs12_file
1878 (gnutls_certificate_credentials_t res, const char *pkcs12file,
1879 gnutls_x509_crt_fmt_t type, const char *password)
1880 {
1881 gnutls_pkcs12_t p12;
1882 gnutls_datum_t p12blob;
1883 gnutls_x509_privkey key = NULL;
1884 gnutls_x509_crt_t cert = NULL;
1885 gnutls_x509_crl_t crl = NULL;
1886 int ret;
1887
1888 ret = gnutls_pkcs12_init (&p12);
1889 if (ret < 0)
1890 {
1891 gnutls_assert ();
1892 return ret;
1893 }
1894
1895 p12blob.data = read_binary_file (pkcs12file, &p12blob.size);
1896 if (p12blob.data == NULL)
1897 {
1898 gnutls_assert ();
1899 gnutls_pkcs12_deinit (p12);
1900 return GNUTLS_E_FILE_ERROR;
1901 }
1902
1903 ret = gnutls_pkcs12_import (p12, &p12blob, type, 0);
1904 free (p12blob.data);
1905 if (ret < 0)
1906 {
1907 gnutls_assert ();
1908 gnutls_pkcs12_deinit (p12);
1909 return ret;
1910 }
1911
1912 if (password)
1913 {
1914 ret = gnutls_pkcs12_verify_mac (p12, password);
1915 if (ret < 0)
1916 {
1917 gnutls_assert ();
1918 gnutls_pkcs12_deinit (p12);
1919 return ret;
1920 }
1921 }
1922
1923 ret = parse_pkcs12 (res, p12, password, &key, &cert, &crl);
1924 gnutls_pkcs12_deinit (p12);
1925 if (ret < 0)
1926 {
1927 gnutls_assert ();
1928 return ret;
1929 }
1930
1931 if (key && cert)
1932 {
1933 ret = gnutls_certificate_set_x509_key (res, &cert, 1, key);
1934 if (ret < 0)
1935 {
1936 gnutls_assert ();
1937 goto done;
1938 }
1939 }
1940
1941 if (crl)
1942 {
1943 ret = gnutls_certificate_set_x509_crl (res, &crl, 1);
1944 if (ret < 0)
1945 {
1946 gnutls_assert ();
1947 goto done;
1948 }
1949 }
1950
1951 ret = 0;
1952
1953 done:
1954 if (cert)
1955 gnutls_x509_crt_deinit (cert);
1956 if (key)
1957 gnutls_x509_privkey_deinit (key);
1958 if (crl)
1959 gnutls_x509_crl_deinit (crl);
1960
1961 return ret;
1962 }
1963
1964
1965 /**
1966 * gnutls_certificate_free_crls - Used to free all the CRLs from a gnutls_certificate_credentials_t structure
1967 * @sc: is an #gnutls_certificate_credentials_t structure.
1968 *
1969 * This function will delete all the CRLs associated
1970 * with the given credentials.
1971 *
1972 **/
1973 void
1974 gnutls_certificate_free_crls (gnutls_certificate_credentials_t sc)
1975 {
1976 unsigned j;
1977
1978 for (j = 0; j < sc->x509_ncrls; j++)
1979 {
1980 gnutls_x509_crl_deinit (sc->x509_crl_list[j]);
1981 }
1982
1983 sc->x509_ncrls = 0;
1984
1985 gnutls_free (sc->x509_crl_list);
1986 sc->x509_crl_list = NULL;
1987 }
1988
1989 #endif
Implementation of the SSL/TLS protocol