search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
tpmtool now accepts the --inder and --outder options.
[gnutls.git] / lib / gnutls_x509.c
blobe4bb73c32d6442160eb428dfcfe0e81100bc2651
1 /*
2 * Copyright (C) 2002-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 #include <gnutls_int.h>
24 #include "gnutls_auth.h"
25 #include "gnutls_errors.h"
26 #include <auth/cert.h>
27 #include "gnutls_dh.h"
28 #include "gnutls_num.h"
29 #include "gnutls_datum.h"
30 #include <gnutls_pk.h>
31 #include <algorithms.h>
32 #include <gnutls_global.h>
33 #include <gnutls_record.h>
34 #include <gnutls_sig.h>
35 #include <gnutls_state.h>
36 #include <gnutls_pk.h>
37 #include <gnutls_str.h>
38 #include <debug.h>
39 #include <x509_b64.h>
40 #include <gnutls_x509.h>
41 #include "x509/common.h"
42 #include "x509/x509_int.h"
43 #include <gnutls_str_array.h>
44 #include "read-file.h"
45 #ifdef _WIN32
46 # include <wincrypt.h>
47 #endif
48
49 /*
50 * some x509 certificate parsing functions.
51 */
52
53 /* Check if the number of bits of the key in the certificate
54 * is unacceptable.
55 */
56 inline static int
57 check_bits (gnutls_x509_crt_t crt, unsigned int max_bits)
58 {
59 int ret;
60 unsigned int bits;
61
62 ret = gnutls_x509_crt_get_pk_algorithm (crt, &bits);
63 if (ret < 0)
64 {
65 gnutls_assert ();
66 return ret;
67 }
68
69 if (bits > max_bits && max_bits > 0)
70 {
71 gnutls_assert ();
72 return GNUTLS_E_CONSTRAINT_ERROR;
73 }
74
75 return 0;
76 }
77
78
79 #define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) { \
80 if (peer_certificate_list[x]) \
81 gnutls_x509_crt_deinit(peer_certificate_list[x]); \
82 } \
83 gnutls_free( peer_certificate_list)
84
85 /*-
86 * _gnutls_x509_cert_verify_peers - return the peer's certificate status
87 * @session: is a gnutls session
88 *
89 * This function will try to verify the peer's certificate and return its status (TRUSTED, REVOKED etc.).
90 * The return value (status) should be one of the gnutls_certificate_status_t enumerated elements.
91 * However you must also check the peer's name in order to check if the verified certificate belongs to the
92 * actual peer. Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
93 -*/
94 int
95 _gnutls_x509_cert_verify_peers (gnutls_session_t session,
96 unsigned int *status)
97 {
98 cert_auth_info_t info;
99 gnutls_certificate_credentials_t cred;
100 gnutls_x509_crt_t *peer_certificate_list;
101 int peer_certificate_list_size, i, x, ret;
102
103 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
104
105 info = _gnutls_get_auth_info (session);
106 if (info == NULL)
107 {
108 gnutls_assert ();
109 return GNUTLS_E_INVALID_REQUEST;
110 }
111
112 cred = (gnutls_certificate_credentials_t)
113 _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL);
114 if (cred == NULL)
115 {
116 gnutls_assert ();
117 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
118 }
119
120 if (info->raw_certificate_list == NULL || info->ncerts == 0)
121 return GNUTLS_E_NO_CERTIFICATE_FOUND;
122
123 if (info->ncerts > cred->verify_depth && cred->verify_depth > 0)
124 {
125 gnutls_assert ();
126 return GNUTLS_E_CONSTRAINT_ERROR;
127 }
128
129 /* generate a list of gnutls_certs based on the auth info
130 * raw certs.
131 */
132 peer_certificate_list_size = info->ncerts;
133 peer_certificate_list =
134 gnutls_calloc (peer_certificate_list_size, sizeof (gnutls_x509_crt_t));
135 if (peer_certificate_list == NULL)
136 {
137 gnutls_assert ();
138 return GNUTLS_E_MEMORY_ERROR;
139 }
140
141 for (i = 0; i < peer_certificate_list_size; i++)
142 {
143 ret = gnutls_x509_crt_init (&peer_certificate_list[i]);
144 if (ret < 0)
145 {
146 gnutls_assert ();
147 CLEAR_CERTS;
148 return ret;
149 }
150
151 ret =
152 gnutls_x509_crt_import (peer_certificate_list[i],
153 &info->raw_certificate_list[i],
154 GNUTLS_X509_FMT_DER);
155 if (ret < 0)
156 {
157 gnutls_assert ();
158 CLEAR_CERTS;
159 return ret;
160 }
161
162 ret = check_bits (peer_certificate_list[i], cred->verify_bits);
163 if (ret < 0)
164 {
165 gnutls_assert ();
166 CLEAR_CERTS;
167 return ret;
168 }
169
170 }
171
172 /* Verify certificate
173 */
174
175 ret = gnutls_x509_trust_list_verify_crt (cred->tlist, peer_certificate_list,
176 peer_certificate_list_size,
177 cred->verify_flags | session->internals.
178 priorities.additional_verify_flags,
179 status, NULL);
180
181 CLEAR_CERTS;
182
183 if (ret < 0)
184 {
185 gnutls_assert ();
186 return ret;
187 }
188
189 return 0;
190 }
191
192 /*
193 * Read certificates and private keys, from files, memory etc.
194 */
195
196 /* returns error if the certificate has different algorithm than
197 * the given key parameters.
198 */
199 static int
200 _gnutls_check_key_cert_match (gnutls_certificate_credentials_t res)
201 {
202 int pk = gnutls_pubkey_get_pk_algorithm(res->certs[res->ncerts-1].cert_list[0].pubkey, NULL);
203
204 if (gnutls_privkey_get_pk_algorithm (res->pkey[res->ncerts - 1], NULL) !=
205 pk)
206 {
207 gnutls_assert ();
208 return GNUTLS_E_CERTIFICATE_KEY_MISMATCH;
209 }
210
211 return 0;
212 }
213
214 /* Returns the name of the certificate of a null name
215 */
216 static int get_x509_name(gnutls_x509_crt_t crt, gnutls_str_array_t *names)
217 {
218 size_t max_size;
219 int i, ret = 0, ret2;
220 char name[MAX_CN];
221
222 for (i = 0; !(ret < 0); i++)
223 {
224 max_size = sizeof(name);
225
226 ret = gnutls_x509_crt_get_subject_alt_name(crt, i, name, &max_size, NULL);
227 if (ret == GNUTLS_SAN_DNSNAME)
228 {
229 ret2 = _gnutls_str_array_append(names, name, max_size);
230 if (ret2 < 0)
231 {
232 _gnutls_str_array_clear(names);
233 return gnutls_assert_val(ret2);
234 }
235 }
236 }
237
238 max_size = sizeof(name);
239 ret = gnutls_x509_crt_get_dn_by_oid (crt, OID_X520_COMMON_NAME, 0, 0, name, &max_size);
240 if (ret >= 0)
241 {
242 ret = _gnutls_str_array_append(names, name, max_size);
243 if (ret < 0)
244 {
245 _gnutls_str_array_clear(names);
246 return gnutls_assert_val(ret);
247 }
248 }
249
250 return 0;
251 }
252
253 static int get_x509_name_raw(gnutls_datum_t *raw, gnutls_x509_crt_fmt_t type, gnutls_str_array_t *names)
254 {
255 int ret;
256 gnutls_x509_crt_t crt;
257
258 ret = gnutls_x509_crt_init (&crt);
259 if (ret < 0)
260 {
261 gnutls_assert ();
262 return ret;
263 }
264
265 ret = gnutls_x509_crt_import (crt, raw, type);
266 if (ret < 0)
267 {
268 gnutls_assert ();
269 gnutls_x509_crt_deinit (crt);
270 return ret;
271 }
272
273 ret = get_x509_name(crt, names);
274 gnutls_x509_crt_deinit (crt);
275 return ret;
276 }
277
278 /* Reads a DER encoded certificate list from memory and stores it to a
279 * gnutls_cert structure. Returns the number of certificates parsed.
280 */
281 static int
282 parse_der_cert_mem (gnutls_certificate_credentials_t res,
283 const void *input_cert, int input_cert_size)
284 {
285 gnutls_datum_t tmp;
286 gnutls_x509_crt_t crt;
287 gnutls_pcert_st *ccert;
288 int ret;
289 gnutls_str_array_t names;
290
291 _gnutls_str_array_init(&names);
292
293 ccert = gnutls_malloc (sizeof (*ccert));
294 if (ccert == NULL)
295 {
296 gnutls_assert ();
297 return GNUTLS_E_MEMORY_ERROR;
298 }
299
300 ret = gnutls_x509_crt_init (&crt);
301 if (ret < 0)
302 {
303 gnutls_assert ();
304 goto cleanup;
305 }
306
307 tmp.data = (uint8_t *) input_cert;
308 tmp.size = input_cert_size;
309
310 ret = gnutls_x509_crt_import (crt, &tmp, GNUTLS_X509_FMT_DER);
311 if (ret < 0)
312 {
313 gnutls_assert ();
314 gnutls_x509_crt_deinit (crt);
315 goto cleanup;
316 }
317
318 ret = get_x509_name(crt, &names);
319 if (ret < 0)
320 {
321 gnutls_assert();
322 gnutls_x509_crt_deinit (crt);
323 goto cleanup;
324 }
325
326 ret = gnutls_pcert_import_x509 (ccert, crt, 0);
327 gnutls_x509_crt_deinit (crt);
328
329 if (ret < 0)
330 {
331 gnutls_assert ();
332 goto cleanup;
333 }
334
335 ret = certificate_credential_append_crt_list (res, names, ccert, 1);
336 if (ret < 0)
337 {
338 gnutls_assert ();
339 goto cleanup;
340 }
341
342 return ret;
343
344 cleanup:
345 _gnutls_str_array_clear(&names);
346 gnutls_free (ccert);
347 return ret;
348 }
349
350 /* Reads a base64 encoded certificate list from memory and stores it to
351 * a gnutls_cert structure. Returns the number of certificate parsed.
352 */
353 static int
354 parse_pem_cert_mem (gnutls_certificate_credentials_t res,
355 const char *input_cert, int input_cert_size)
356 {
357 int size;
358 const char *ptr;
359 gnutls_datum_t tmp;
360 int ret, count, i;
361 gnutls_pcert_st *certs = NULL;
362 gnutls_str_array_t names;
363
364 _gnutls_str_array_init(&names);
365
366 /* move to the certificate
367 */
368 ptr = memmem (input_cert, input_cert_size,
369 PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
370 if (ptr == NULL)
371 ptr = memmem (input_cert, input_cert_size,
372 PEM_CERT_SEP2, sizeof (PEM_CERT_SEP2) - 1);
373
374 if (ptr == NULL)
375 {
376 gnutls_assert ();
377 return GNUTLS_E_BASE64_DECODING_ERROR;
378 }
379 size = input_cert_size - (ptr - input_cert);
380
381 count = 0;
382
383 do
384 {
385 certs = gnutls_realloc_fast (certs, (count + 1) * sizeof (gnutls_pcert_st));
386
387 if (certs == NULL)
388 {
389 gnutls_assert ();
390 ret = GNUTLS_E_MEMORY_ERROR;
391 goto cleanup;
392 }
393
394 tmp.data = (void*)ptr;
395 tmp.size = size;
396
397 if (count == 0)
398 {
399 ret = get_x509_name_raw(&tmp, GNUTLS_X509_FMT_PEM, &names);
400 if (ret < 0)
401 {
402 gnutls_assert();
403 goto cleanup;
404 }
405 }
406
407 ret = gnutls_pcert_import_x509_raw (&certs[count], &tmp, GNUTLS_X509_FMT_PEM, 0);
408 if (ret < 0)
409 {
410 gnutls_assert ();
411 goto cleanup;
412 }
413
414 /* now we move ptr after the pem header
415 */
416 ptr++;
417 /* find the next certificate (if any)
418 */
419 size = input_cert_size - (ptr - input_cert);
420
421 if (size > 0)
422 {
423 char *ptr3;
424
425 ptr3 = memmem (ptr, size, PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
426 if (ptr3 == NULL)
427 ptr3 = memmem (ptr, size, PEM_CERT_SEP2,
428 sizeof (PEM_CERT_SEP2) - 1);
429
430 ptr = ptr3;
431 }
432 else
433 ptr = NULL;
434
435 count++;
436
437 }
438 while (ptr != NULL);
439
440 ret = certificate_credential_append_crt_list (res, names, certs, count);
441 if (ret < 0)
442 {
443 gnutls_assert ();
444 goto cleanup;
445 }
446
447 return count;
448
449 cleanup:
450 _gnutls_str_array_clear(&names);
451 for (i=0;i<count;i++)
452 gnutls_pcert_deinit(&certs[i]);
453 gnutls_free(certs);
454 return ret;
455 }
456
457
458
459 /* Reads a DER or PEM certificate from memory
460 */
461 static int
462 read_cert_mem (gnutls_certificate_credentials_t res, const void *cert,
463 int cert_size, gnutls_x509_crt_fmt_t type)
464 {
465 int ret;
466
467 if (type == GNUTLS_X509_FMT_DER)
468 ret = parse_der_cert_mem (res, cert, cert_size);
469 else
470 ret = parse_pem_cert_mem (res, cert, cert_size);
471
472 if (ret < 0)
473 {
474 gnutls_assert ();
475 return ret;
476 }
477
478 return ret;
479 }
480
481 /* Reads a PEM encoded PKCS-1 RSA/DSA private key from memory. Type
482 * indicates the certificate format. KEY can be NULL, to indicate
483 * that GnuTLS doesn't know the private key.
484 */
485 static int
486 read_key_mem (gnutls_certificate_credentials_t res,
487 const void *key, int key_size, gnutls_x509_crt_fmt_t type)
488 {
489 int ret;
490 gnutls_datum_t tmp;
491 gnutls_privkey_t privkey;
492
493 if (key)
494 {
495 tmp.data = (uint8_t *) key;
496 tmp.size = key_size;
497
498 ret = gnutls_privkey_init(&privkey);
499 if (ret < 0)
500 {
501 gnutls_assert ();
502 return ret;
503 }
504
505 if (res->pin.cb)
506 gnutls_privkey_set_pin_function(privkey, res->pin.cb, res->pin.data);
507
508 ret = gnutls_privkey_import_x509_raw (privkey, &tmp, type, NULL);
509 if (ret < 0)
510 {
511 gnutls_assert ();
512 return ret;
513 }
514
515 ret = certificate_credentials_append_pkey (res, privkey);
516 if (ret < 0)
517 {
518 gnutls_assert ();
519 gnutls_privkey_deinit (privkey);
520 return ret;
521 }
522
523 }
524 else
525 {
526 gnutls_assert ();
527 return GNUTLS_E_INVALID_REQUEST;
528 }
529
530
531 return 0;
532 }
533
534
535 /* Reads a private key from a token.
536 */
537 static int
538 read_key_url (gnutls_certificate_credentials_t res, const char *url)
539 {
540 int ret;
541 gnutls_privkey_t pkey = NULL;
542
543 /* allocate space for the pkey list
544 */
545 ret = gnutls_privkey_init (&pkey);
546 if (ret < 0)
547 {
548 gnutls_assert ();
549 return ret;
550 }
551
552 if (res->pin.cb)
553 gnutls_privkey_set_pin_function(pkey, res->pin.cb, res->pin.data);
554
555 ret = gnutls_privkey_import_url (pkey, url, 0);
556 if (ret < 0)
557 {
558 gnutls_assert ();
559 goto cleanup;
560 }
561
562 ret = certificate_credentials_append_pkey (res, pkey);
563 if (ret < 0)
564 {
565 gnutls_assert ();
566 goto cleanup;
567 }
568
569 return 0;
570
571 cleanup:
572 if (pkey)
573 gnutls_privkey_deinit (pkey);
574
575 return ret;
576 }
577
578 #ifdef ENABLE_PKCS11
579 /* Reads a private key from a token.
580 */
581 static int
582 read_cas_url (gnutls_certificate_credentials_t res, const char *url)
583 {
584 int ret;
585 gnutls_x509_crt_t *xcrt_list = NULL;
586 gnutls_pkcs11_obj_t *pcrt_list = NULL;
587 unsigned int pcrt_list_size = 0;
588
589 /* FIXME: should we use login? */
590 ret =
591 gnutls_pkcs11_obj_list_import_url (NULL, &pcrt_list_size, url,
592 GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED, 0);
593 if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
594 {
595 gnutls_assert ();
596 return ret;
597 }
598
599 if (pcrt_list_size == 0)
600 {
601 gnutls_assert ();
602 return 0;
603 }
604
605 pcrt_list = gnutls_malloc (sizeof (*pcrt_list) * pcrt_list_size);
606 if (pcrt_list == NULL)
607 {
608 gnutls_assert ();
609 return GNUTLS_E_MEMORY_ERROR;
610 }
611
612 ret =
613 gnutls_pkcs11_obj_list_import_url (pcrt_list, &pcrt_list_size, url,
614 GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED, 0);
615 if (ret < 0)
616 {
617 gnutls_assert ();
618 goto cleanup;
619 }
620
621 xcrt_list = gnutls_malloc (sizeof (*xcrt_list) * pcrt_list_size);
622 if (xcrt_list == NULL)
623 {
624 gnutls_assert ();
625 ret = GNUTLS_E_MEMORY_ERROR;
626 goto cleanup;
627 }
628
629 ret =
630 gnutls_x509_crt_list_import_pkcs11 (xcrt_list, pcrt_list_size, pcrt_list,
631 0);
632 if (xcrt_list == NULL)
633 {
634 gnutls_assert ();
635 ret = GNUTLS_E_MEMORY_ERROR;
636 goto cleanup;
637 }
638
639 ret = gnutls_x509_trust_list_add_cas(res->tlist, xcrt_list, pcrt_list_size, 0);
640 if (ret < 0)
641 {
642 gnutls_assert();
643 goto cleanup;
644 }
645
646 cleanup:
647 gnutls_free (xcrt_list);
648 gnutls_free (pcrt_list);
649
650 return ret;
651
652 }
653
654
655 /* Reads a certificate key from a token.
656 */
657 static int
658 read_cert_url (gnutls_certificate_credentials_t res, const char *url)
659 {
660 int ret;
661 gnutls_x509_crt_t crt;
662 gnutls_pcert_st *ccert;
663 gnutls_str_array_t names;
664
665 _gnutls_str_array_init(&names);
666
667 ccert = gnutls_malloc (sizeof (*ccert));
668 if (ccert == NULL)
669 {
670 gnutls_assert ();
671 return GNUTLS_E_MEMORY_ERROR;
672 }
673
674 ret = gnutls_x509_crt_init (&crt);
675 if (ret < 0)
676 {
677 gnutls_assert ();
678 goto cleanup;
679 }
680
681 if (res->pin.cb)
682 gnutls_x509_crt_set_pin_function(crt, res->pin.cb, res->pin.data);
683
684 ret = gnutls_x509_crt_import_pkcs11_url (crt, url, 0);
685 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
686 ret =
687 gnutls_x509_crt_import_pkcs11_url (crt, url,
688 GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
689
690 if (ret < 0)
691 {
692 gnutls_assert ();
693 gnutls_x509_crt_deinit (crt);
694 goto cleanup;
695 }
696
697 ret = get_x509_name(crt, &names);
698 if (ret < 0)
699 {
700 gnutls_assert ();
701 gnutls_x509_crt_deinit (crt);
702 goto cleanup;
703 }
704
705 ret = gnutls_pcert_import_x509 (ccert, crt, 0);
706 gnutls_x509_crt_deinit (crt);
707
708 if (ret < 0)
709 {
710 gnutls_assert ();
711 goto cleanup;
712 }
713
714 ret = certificate_credential_append_crt_list (res, names, ccert, 1);
715 if (ret < 0)
716 {
717 gnutls_assert ();
718 goto cleanup;
719 }
720
721 return 0;
722
723 cleanup:
724 _gnutls_str_array_clear(&names);
725 gnutls_free (ccert);
726 return ret;
727 }
728 #endif
729
730 /* Reads a certificate file
731 */
732 static int
733 read_cert_file (gnutls_certificate_credentials_t res,
734 const char *certfile, gnutls_x509_crt_fmt_t type)
735 {
736 int ret;
737 size_t size;
738 char *data;
739
740 #ifdef ENABLE_PKCS11
741 if (strncmp (certfile, "pkcs11:", 7) == 0)
742 {
743 return read_cert_url (res, certfile);
744 }
745 #endif /* ENABLE_PKCS11 */
746
747 data = read_binary_file (certfile, &size);
748
749 if (data == NULL)
750 {
751 gnutls_assert ();
752 return GNUTLS_E_FILE_ERROR;
753 }
754
755 ret = read_cert_mem (res, data, size, type);
756 free (data);
757
758 return ret;
759
760 }
761
762
763
764 /* Reads PKCS-1 RSA private key file or a DSA file (in the format openssl
765 * stores it).
766 */
767 static int
768 read_key_file (gnutls_certificate_credentials_t res,
769 const char *keyfile, gnutls_x509_crt_fmt_t type)
770 {
771 int ret;
772 size_t size;
773 char *data;
774
775 if (gnutls_url_is_supported(keyfile))
776 {
777 return read_key_url (res, keyfile);
778 }
779
780 data = read_binary_file (keyfile, &size);
781
782 if (data == NULL)
783 {
784 gnutls_assert ();
785 return GNUTLS_E_FILE_ERROR;
786 }
787
788 ret = read_key_mem (res, data, size, type);
789 free (data);
790
791 return ret;
792 }
793
794 /**
795 * gnutls_certificate_set_x509_key_mem:
796 * @res: is a #gnutls_certificate_credentials_t structure.
797 * @cert: contains a certificate list (path) for the specified private key
798 * @key: is the private key, or %NULL
799 * @type: is PEM or DER
800 *
801 * This function sets a certificate/private key pair in the
802 * gnutls_certificate_credentials_t structure. This function may be called
803 * more than once, in case multiple keys/certificates exist for the
804 * server.
805 *
806 * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates
807 * is supported. This means that certificates intended for signing cannot
808 * be used for ciphersuites that require encryption.
809 *
810 * If the certificate and the private key are given in PEM encoding
811 * then the strings that hold their values must be null terminated.
812 *
813 * The @key may be %NULL if you are using a sign callback, see
814 * gnutls_sign_callback_set().
815 *
816 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
817 **/
818 int
819 gnutls_certificate_set_x509_key_mem (gnutls_certificate_credentials_t res,
820 const gnutls_datum_t * cert,
821 const gnutls_datum_t * key,
822 gnutls_x509_crt_fmt_t type)
823 {
824 int ret;
825
826 /* this should be first
827 */
828 if ((ret = read_key_mem (res, key ? key->data : NULL,
829 key ? key->size : 0, type)) < 0)
830 return ret;
831
832 if ((ret = read_cert_mem (res, cert->data, cert->size, type)) < 0)
833 return ret;
834
835 res->ncerts++;
836
837 if (key && (ret = _gnutls_check_key_cert_match (res)) < 0)
838 {
839 gnutls_assert ();
840 return ret;
841 }
842
843 return 0;
844 }
845
846 static int check_if_sorted(gnutls_pcert_st * crt, int nr)
847 {
848 gnutls_x509_crt_t x509;
849 char prev_dn[MAX_DN];
850 char dn[MAX_DN];
851 size_t prev_dn_size, dn_size;
852 int i, ret;
853
854 /* check if the X.509 list is ordered */
855 if (nr > 1 && crt[0].type == GNUTLS_CRT_X509)
856 {
857
858 for (i=0;i<nr;i++)
859 {
860 ret = gnutls_x509_crt_init(&x509);
861 if (ret < 0)
862 return gnutls_assert_val(ret);
863
864 ret = gnutls_x509_crt_import(x509, &crt[i].cert, GNUTLS_X509_FMT_DER);
865 if (ret < 0)
866 {
867 ret = gnutls_assert_val(ret);
868 goto cleanup;
869 }
870
871 if (i>0)
872 {
873 dn_size = sizeof(dn);
874 ret = gnutls_x509_crt_get_dn(x509, dn, &dn_size);
875 if (ret < 0)
876 {
877 ret = gnutls_assert_val(ret);
878 goto cleanup;
879 }
880
881 if (dn_size != prev_dn_size || memcmp(dn, prev_dn, dn_size) != 0)
882 {
883 ret = gnutls_assert_val(GNUTLS_E_CERTIFICATE_LIST_UNSORTED);
884 goto cleanup;
885 }
886 }
887
888 prev_dn_size = sizeof(prev_dn);
889 ret = gnutls_x509_crt_get_issuer_dn(x509, prev_dn, &prev_dn_size);
890 if (ret < 0)
891 {
892 ret = gnutls_assert_val(ret);
893 goto cleanup;
894 }
895
896 gnutls_x509_crt_deinit(x509);
897 }
898 }
899
900 return 0;
901
902 cleanup:
903 gnutls_x509_crt_deinit(x509);
904 return ret;
905 }
906
907 int
908 certificate_credential_append_crt_list (gnutls_certificate_credentials_t res,
909 gnutls_str_array_t names, gnutls_pcert_st * crt, int nr)
910 {
911 int ret;
912
913 ret = check_if_sorted(crt, nr);
914 if (ret < 0)
915 return gnutls_assert_val(ret);
916
917 res->certs = gnutls_realloc_fast (res->certs,
918 (1 + res->ncerts) *
919 sizeof (certs_st));
920 if (res->certs == NULL)
921 {
922 gnutls_assert ();
923 return GNUTLS_E_MEMORY_ERROR;
924 }
925
926 res->certs[res->ncerts].cert_list = crt;
927 res->certs[res->ncerts].cert_list_length = nr;
928 res->certs[res->ncerts].names = names;
929
930 return 0;
931
932 }
933
934 int
935 certificate_credentials_append_pkey (gnutls_certificate_credentials_t res,
936 gnutls_privkey_t pkey)
937 {
938 res->pkey = gnutls_realloc_fast (res->pkey,
939 (1 + res->ncerts) *
940 sizeof (gnutls_privkey_t));
941 if (res->pkey == NULL)
942 {
943 gnutls_assert ();
944 return GNUTLS_E_MEMORY_ERROR;
945 }
946 res->pkey[res->ncerts] = pkey;
947 return 0;
948
949 }
950
951 /**
952 * gnutls_certificate_set_x509_key:
953 * @res: is a #gnutls_certificate_credentials_t structure.
954 * @cert_list: contains a certificate list (path) for the specified private key
955 * @cert_list_size: holds the size of the certificate list
956 * @key: is a #gnutls_x509_privkey_t key
957 *
958 * This function sets a certificate/private key pair in the
959 * gnutls_certificate_credentials_t structure. This function may be
960 * called more than once, in case multiple keys/certificates exist for
961 * the server. For clients that wants to send more than their own end
962 * entity certificate (e.g., also an intermediate CA cert) then put
963 * the certificate chain in @cert_list.
964 *
965 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
966 *
967 * Since: 2.4.0
968 **/
969 int
970 gnutls_certificate_set_x509_key (gnutls_certificate_credentials_t res,
971 gnutls_x509_crt_t * cert_list,
972 int cert_list_size,
973 gnutls_x509_privkey_t key)
974 {
975 int ret, i;
976 gnutls_privkey_t pkey;
977 gnutls_pcert_st *pcerts = NULL;
978 gnutls_str_array_t names;
979
980 _gnutls_str_array_init(&names);
981
982 /* this should be first
983 */
984 ret = gnutls_privkey_init (&pkey);
985 if (ret < 0)
986 {
987 gnutls_assert ();
988 return ret;
989 }
990
991 if (res->pin.cb)
992 gnutls_privkey_set_pin_function(pkey, res->pin.cb, res->pin.data);
993
994 ret = gnutls_privkey_import_x509 (pkey, key, GNUTLS_PRIVKEY_IMPORT_COPY);
995 if (ret < 0)
996 {
997 gnutls_assert ();
998 return ret;
999 }
1000
1001 ret = certificate_credentials_append_pkey (res, pkey);
1002 if (ret < 0)
1003 {
1004 gnutls_assert ();
1005 return ret;
1006 }
1007
1008 /* load certificates */
1009 pcerts = gnutls_malloc (sizeof (gnutls_pcert_st) * cert_list_size);
1010 if (pcerts == NULL)
1011 {
1012 gnutls_assert ();
1013 return GNUTLS_E_MEMORY_ERROR;
1014 }
1015
1016 ret = get_x509_name(cert_list[0], &names);
1017 if (ret < 0)
1018 return gnutls_assert_val(ret);
1019
1020 for (i = 0; i < cert_list_size; i++)
1021 {
1022 ret = gnutls_pcert_import_x509 (&pcerts[i], cert_list[i], 0);
1023 if (ret < 0)
1024 {
1025 gnutls_assert ();
1026 goto cleanup;
1027 }
1028 }
1029
1030 ret = certificate_credential_append_crt_list (res, names, pcerts, cert_list_size);
1031 if (ret < 0)
1032 {
1033 gnutls_assert ();
1034 goto cleanup;
1035 }
1036
1037 res->ncerts++;
1038
1039 if ((ret = _gnutls_check_key_cert_match (res)) < 0)
1040 {
1041 gnutls_assert ();
1042 return ret;
1043 }
1044
1045 return 0;
1046
1047 cleanup:
1048 _gnutls_str_array_clear(&names);
1049 return ret;
1050 }
1051
1052 /**
1053 * gnutls_certificate_set_key:
1054 * @res: is a #gnutls_certificate_credentials_t structure.
1055 * @names: is an array of DNS name of the certificate (NULL if none)
1056 * @names_size: holds the size of the names list
1057 * @pcert_list: contains a certificate list (path) for the specified private key
1058 * @pcert_list_size: holds the size of the certificate list
1059 * @key: is a #gnutls_privkey_t key
1060 *
1061 * This function sets a certificate/private key pair in the
1062 * gnutls_certificate_credentials_t structure. This function may be
1063 * called more than once, in case multiple keys/certificates exist for
1064 * the server. For clients that wants to send more than its own end
1065 * entity certificate (e.g., also an intermediate CA cert) then put
1066 * the certificate chain in @pcert_list. The @pcert_list and @key will
1067 * become part of the credentials structure and must not
1068 * be deallocated. They will be automatically deallocated when @res
1069 * is deinitialized.
1070 *
1071 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1072 *
1073 * Since: 3.0
1074 **/
1075 int
1076 gnutls_certificate_set_key (gnutls_certificate_credentials_t res,
1077 const char** names,
1078 int names_size,
1079 gnutls_pcert_st * pcert_list,
1080 int pcert_list_size,
1081 gnutls_privkey_t key)
1082 {
1083 int ret, i;
1084 gnutls_str_array_t str_names;
1085
1086 _gnutls_str_array_init(&str_names);
1087
1088 if (names != NULL && names_size > 0)
1089 {
1090 for (i=0;i<names_size;i++)
1091 {
1092 ret = _gnutls_str_array_append(&str_names, names[i], strlen(names[i]));
1093 if (ret < 0)
1094 {
1095 ret = gnutls_assert_val(ret);
1096 goto cleanup;
1097 }
1098 }
1099 }
1100
1101 if (res->pin.cb)
1102 gnutls_privkey_set_pin_function(key, res->pin.cb, res->pin.data);
1103
1104 ret = certificate_credentials_append_pkey (res, key);
1105 if (ret < 0)
1106 {
1107 gnutls_assert ();
1108 goto cleanup;
1109 }
1110
1111 ret = certificate_credential_append_crt_list (res, str_names, pcert_list, pcert_list_size);
1112 if (ret < 0)
1113 {
1114 gnutls_assert ();
1115 goto cleanup;
1116 }
1117
1118 res->ncerts++;
1119
1120 if ((ret = _gnutls_check_key_cert_match (res)) < 0)
1121 {
1122 gnutls_assert ();
1123 return ret;
1124 }
1125
1126 return 0;
1127
1128 cleanup:
1129 _gnutls_str_array_clear(&str_names);
1130 return ret;
1131 }
1132
1133 /**
1134 * gnutls_certificate_set_x509_key_file:
1135 * @res: is a #gnutls_certificate_credentials_t structure.
1136 * @certfile: is a file that containing the certificate list (path) for
1137 * the specified private key, in PKCS7 format, or a list of certificates
1138 * @keyfile: is a file that contains the private key
1139 * @type: is PEM or DER
1140 *
1141 * This function sets a certificate/private key pair in the
1142 * gnutls_certificate_credentials_t structure. This function may be
1143 * called more than once, in case multiple keys/certificates exist for
1144 * the server. For clients that need to send more than its own end
1145 * entity certificate, e.g., also an intermediate CA cert, then the
1146 * @certfile must contain the ordered certificate chain.
1147 *
1148 * This function can also accept URLs at @keyfile and @certfile. In that case it
1149 * will import the private key and certificate indicated by the URLs. Note
1150 * that the supported URLs are the ones indicated by gnutls_url_is_supported().
1151 *
1152 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1153 **/
1154 int
1155 gnutls_certificate_set_x509_key_file (gnutls_certificate_credentials_t res,
1156 const char *certfile,
1157 const char *keyfile,
1158 gnutls_x509_crt_fmt_t type)
1159 {
1160 int ret;
1161
1162 /* this should be first
1163 */
1164 if ((ret = read_key_file (res, keyfile, type)) < 0)
1165 return ret;
1166
1167 if ((ret = read_cert_file (res, certfile, type)) < 0)
1168 return ret;
1169
1170 res->ncerts++;
1171
1172 if ((ret = _gnutls_check_key_cert_match (res)) < 0)
1173 {
1174 gnutls_assert ();
1175 return ret;
1176 }
1177
1178 return 0;
1179 }
1180
1181 static int
1182 add_new_crt_to_rdn_seq (gnutls_certificate_credentials_t res, gnutls_x509_crt_t* crts,
1183 unsigned int crt_size)
1184 {
1185 gnutls_datum_t tmp;
1186 int ret;
1187 size_t newsize;
1188 unsigned char *newdata;
1189 unsigned i;
1190
1191 /* Add DN of the last added CAs to the RDN sequence
1192 * This will be sent to clients when a certificate
1193 * request message is sent.
1194 */
1195
1196 /* FIXME: in case of a client it is not needed
1197 * to do that. This would save time and memory.
1198 * However we don't have that information available
1199 * here.
1200 * Further, this function is now much more efficient,
1201 * so optimizing that is less important.
1202 */
1203
1204 for (i = 0; i < crt_size; i++)
1205 {
1206 if ((ret = gnutls_x509_crt_get_raw_dn (crts[i], &tmp)) < 0)
1207 {
1208 gnutls_assert ();
1209 return ret;
1210 }
1211
1212 newsize = res->x509_rdn_sequence.size + 2 + tmp.size;
1213 if (newsize < res->x509_rdn_sequence.size)
1214 {
1215 gnutls_assert ();
1216 _gnutls_free_datum (&tmp);
1217 return GNUTLS_E_SHORT_MEMORY_BUFFER;
1218 }
1219
1220 newdata = gnutls_realloc (res->x509_rdn_sequence.data, newsize);
1221 if (newdata == NULL)
1222 {
1223 gnutls_assert ();
1224 _gnutls_free_datum (&tmp);
1225 return GNUTLS_E_MEMORY_ERROR;
1226 }
1227
1228 _gnutls_write_datum16 (newdata + res->x509_rdn_sequence.size, tmp);
1229 _gnutls_free_datum (&tmp);
1230
1231 res->x509_rdn_sequence.size = newsize;
1232 res->x509_rdn_sequence.data = newdata;
1233 }
1234
1235 return 0;
1236 }
1237
1238 /* Returns 0 if it's ok to use the gnutls_kx_algorithm_t with this
1239 * certificate (uses the KeyUsage field).
1240 */
1241 int
1242 _gnutls_check_key_usage (const gnutls_pcert_st* cert, gnutls_kx_algorithm_t alg)
1243 {
1244 unsigned int key_usage = 0;
1245 int encipher_type;
1246
1247 if (cert == NULL)
1248 {
1249 gnutls_assert ();
1250 return GNUTLS_E_INTERNAL_ERROR;
1251 }
1252
1253 if (_gnutls_map_kx_get_cred (alg, 1) == GNUTLS_CRD_CERTIFICATE ||
1254 _gnutls_map_kx_get_cred (alg, 0) == GNUTLS_CRD_CERTIFICATE)
1255 {
1256
1257 gnutls_pubkey_get_key_usage(cert->pubkey, &key_usage);
1258
1259 encipher_type = _gnutls_kx_encipher_type (alg);
1260
1261 if (key_usage != 0 && encipher_type != CIPHER_IGN)
1262 {
1263 /* If key_usage has been set in the certificate
1264 */
1265
1266 if (encipher_type == CIPHER_ENCRYPT)
1267 {
1268 /* If the key exchange method requires an encipher
1269 * type algorithm, and key's usage does not permit
1270 * encipherment, then fail.
1271 */
1272 if (!(key_usage & GNUTLS_KEY_KEY_ENCIPHERMENT))
1273 {
1274 gnutls_assert ();
1275 return GNUTLS_E_KEY_USAGE_VIOLATION;
1276 }
1277 }
1278
1279 if (encipher_type == CIPHER_SIGN)
1280 {
1281 /* The same as above, but for sign only keys
1282 */
1283 if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
1284 {
1285 gnutls_assert ();
1286 return GNUTLS_E_KEY_USAGE_VIOLATION;
1287 }
1288 }
1289 }
1290 }
1291 return 0;
1292 }
1293
1294 static int
1295 parse_pem_ca_mem (gnutls_certificate_credentials_t res,
1296 const uint8_t * input_cert, int input_cert_size)
1297 {
1298 gnutls_x509_crt_t *x509_cert_list;
1299 unsigned int x509_ncerts;
1300 gnutls_datum_t tmp;
1301 int ret;
1302
1303 tmp.data = (void*)input_cert;
1304 tmp.size = input_cert_size;
1305
1306 ret = gnutls_x509_crt_list_import2( &x509_cert_list, &x509_ncerts, &tmp,
1307 GNUTLS_X509_FMT_PEM, 0);
1308 if (ret < 0)
1309 {
1310 gnutls_assert();
1311 return ret;
1312 }
1313
1314 if ((ret = add_new_crt_to_rdn_seq (res, x509_cert_list, x509_ncerts)) < 0)
1315 {
1316 gnutls_assert();
1317 goto cleanup;
1318 }
1319
1320 ret = gnutls_x509_trust_list_add_cas(res->tlist, x509_cert_list, x509_ncerts, 0);
1321 if (ret < 0)
1322 {
1323 gnutls_assert();
1324 goto cleanup;
1325 }
1326
1327 cleanup:
1328 gnutls_free(x509_cert_list);
1329 return ret;
1330 }
1331
1332 /* Reads a DER encoded certificate list from memory and stores it to a
1333 * gnutls_cert structure. Returns the number of certificates parsed.
1334 */
1335 static int
1336 parse_der_ca_mem (gnutls_certificate_credentials_t res,
1337 const void *input_cert, int input_cert_size)
1338 {
1339 gnutls_x509_crt_t crt;
1340 gnutls_datum_t tmp;
1341 int ret;
1342
1343 tmp.data = (void*)input_cert;
1344 tmp.size = input_cert_size;
1345
1346 ret = gnutls_x509_crt_init( &crt);
1347 if (ret < 0)
1348 {
1349 gnutls_assert();
1350 return ret;
1351 }
1352
1353 ret = gnutls_x509_crt_import( crt, &tmp, GNUTLS_X509_FMT_DER);
1354 if (ret < 0)
1355 {
1356 gnutls_assert();
1357 goto cleanup;
1358 }
1359
1360 if ((ret = add_new_crt_to_rdn_seq (res, &crt, 1)) < 0)
1361 {
1362 gnutls_assert();
1363 goto cleanup;
1364 }
1365
1366 ret = gnutls_x509_trust_list_add_cas(res->tlist, &crt, 1, 0);
1367 if (ret < 0)
1368 {
1369 gnutls_assert();
1370 goto cleanup;
1371 }
1372
1373 return ret;
1374
1375 cleanup:
1376 gnutls_x509_crt_deinit(crt);
1377 return ret;
1378 }
1379
1380 /**
1381 * gnutls_certificate_set_x509_trust_mem:
1382 * @res: is a #gnutls_certificate_credentials_t structure.
1383 * @ca: is a list of trusted CAs or a DER certificate
1384 * @type: is DER or PEM
1385 *
1386 * This function adds the trusted CAs in order to verify client or
1387 * server certificates. In case of a client this is not required to be
1388 * called if the certificates are not verified using
1389 * gnutls_certificate_verify_peers2(). This function may be called
1390 * multiple times.
1391 *
1392 * In case of a server the CAs set here will be sent to the client if
1393 * a certificate request is sent. This can be disabled using
1394 * gnutls_certificate_send_x509_rdn_sequence().
1395 *
1396 * Returns: the number of certificates processed or a negative error code
1397 * on error.
1398 **/
1399 int
1400 gnutls_certificate_set_x509_trust_mem (gnutls_certificate_credentials_t res,
1401 const gnutls_datum_t * ca,
1402 gnutls_x509_crt_fmt_t type)
1403 {
1404 int ret;
1405
1406 if (type == GNUTLS_X509_FMT_DER)
1407 ret = parse_der_ca_mem (res,
1408 ca->data, ca->size);
1409 else
1410 ret = parse_pem_ca_mem (res,
1411 ca->data, ca->size);
1412
1413 if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
1414 return 0;
1415
1416 return ret;
1417 }
1418
1419 /**
1420 * gnutls_certificate_set_x509_trust:
1421 * @res: is a #gnutls_certificate_credentials_t structure.
1422 * @ca_list: is a list of trusted CAs
1423 * @ca_list_size: holds the size of the CA list
1424 *
1425 * This function adds the trusted CAs in order to verify client
1426 * or server certificates. In case of a client this is not required
1427 * to be called if the certificates are not verified using
1428 * gnutls_certificate_verify_peers2().
1429 * This function may be called multiple times.
1430 *
1431 * In case of a server the CAs set here will be sent to the client if
1432 * a certificate request is sent. This can be disabled using
1433 * gnutls_certificate_send_x509_rdn_sequence().
1434 *
1435 * Returns: the number of certificates processed or a negative error code
1436 * on error.
1437 *
1438 * Since: 2.4.0
1439 **/
1440 int
1441 gnutls_certificate_set_x509_trust (gnutls_certificate_credentials_t res,
1442 gnutls_x509_crt_t * ca_list,
1443 int ca_list_size)
1444 {
1445 int ret, i, j;
1446 gnutls_x509_crt_t new_list[ca_list_size];
1447
1448 for (i = 0; i < ca_list_size; i++)
1449 {
1450 ret = gnutls_x509_crt_init (&new_list[i]);
1451 if (ret < 0)
1452 {
1453 gnutls_assert ();
1454 goto cleanup;
1455 }
1456
1457 ret = _gnutls_x509_crt_cpy (new_list[i], ca_list[i]);
1458 if (ret < 0)
1459 {
1460 gnutls_assert ();
1461 goto cleanup;
1462 }
1463 }
1464
1465 if ((ret = add_new_crt_to_rdn_seq (res, new_list, ca_list_size)) < 0)
1466 {
1467 gnutls_assert();
1468 goto cleanup;
1469 }
1470
1471 ret = gnutls_x509_trust_list_add_cas(res->tlist, new_list, ca_list_size, 0);
1472 if (ret < 0)
1473 {
1474 gnutls_assert ();
1475 goto cleanup;
1476 }
1477
1478 return ret;
1479
1480 cleanup:
1481 for (j=0;j<i;i++)
1482 gnutls_x509_crt_deinit(new_list[j]);
1483
1484 return ret;
1485 }
1486
1487
1488 /**
1489 * gnutls_certificate_set_x509_trust_file:
1490 * @cred: is a #gnutls_certificate_credentials_t structure.
1491 * @cafile: is a file containing the list of trusted CAs (DER or PEM list)
1492 * @type: is PEM or DER
1493 *
1494 * This function adds the trusted CAs in order to verify client or
1495 * server certificates. In case of a client this is not required to
1496 * be called if the certificates are not verified using
1497 * gnutls_certificate_verify_peers2(). This function may be called
1498 * multiple times.
1499 *
1500 * In case of a server the names of the CAs set here will be sent to
1501 * the client if a certificate request is sent. This can be disabled
1502 * using gnutls_certificate_send_x509_rdn_sequence().
1503 *
1504 * This function can also accept URLs. In that case it
1505 * will import all certificates that are marked as trusted. Note
1506 * that the supported URLs are the ones indicated by gnutls_url_is_supported().
1507 *
1508 * Returns: number of certificates processed, or a negative error code on
1509 * error.
1510 **/
1511 int
1512 gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t cred,
1513 const char *cafile,
1514 gnutls_x509_crt_fmt_t type)
1515 {
1516 int ret;
1517 gnutls_datum_t cas;
1518 size_t size;
1519
1520 #ifdef ENABLE_PKCS11
1521 if (strncmp (cafile, "pkcs11:", 7) == 0)
1522 {
1523 return read_cas_url (cred, cafile);
1524 }
1525 #endif
1526
1527 cas.data = (void*)read_binary_file (cafile, &size);
1528 if (cas.data == NULL)
1529 {
1530 gnutls_assert ();
1531 return GNUTLS_E_FILE_ERROR;
1532 }
1533
1534 cas.size = size;
1535
1536 ret = gnutls_certificate_set_x509_trust_mem(cred, &cas, type);
1537
1538 free (cas.data);
1539
1540 if (ret < 0)
1541 {
1542 gnutls_assert ();
1543 return ret;
1544 }
1545
1546 return ret;
1547 }
1548
1549 /**
1550 * gnutls_certificate_set_x509_system_trust:
1551 * @cred: is a #gnutls_certificate_credentials_t structure.
1552 *
1553 * This function adds the system's default trusted CAs in order to
1554 * verify client or server certificates.
1555 *
1556 * In the case the system is currently unsupported %GNUTLS_E_UNIMPLEMENTED_FEATURE
1557 * is returned.
1558 *
1559 * Returns: the number of certificates processed or a negative error code
1560 * on error.
1561 *
1562 * Since: 3.0
1563 **/
1564 int
1565 gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred)
1566 {
1567 return gnutls_x509_trust_list_add_system_trust(cred->tlist, 0, 0);
1568 }
1569
1570 static int
1571 parse_pem_crl_mem (gnutls_x509_trust_list_t tlist,
1572 const char * input_crl, unsigned int input_crl_size)
1573 {
1574 gnutls_x509_crl_t *x509_crl_list;
1575 unsigned int x509_ncrls;
1576 gnutls_datum_t tmp;
1577 int ret;
1578
1579 tmp.data = (void*)input_crl;
1580 tmp.size = input_crl_size;
1581
1582 ret = gnutls_x509_crl_list_import2( &x509_crl_list, &x509_ncrls, &tmp,
1583 GNUTLS_X509_FMT_PEM, 0);
1584 if (ret < 0)
1585 {
1586 gnutls_assert();
1587 return ret;
1588 }
1589
1590 ret = gnutls_x509_trust_list_add_crls(tlist, x509_crl_list, x509_ncrls, 0, 0);
1591 if (ret < 0)
1592 {
1593 gnutls_assert();
1594 goto cleanup;
1595 }
1596
1597 cleanup:
1598 gnutls_free(x509_crl_list);
1599 return ret;
1600 }
1601
1602 /* Reads a DER encoded certificate list from memory and stores it to a
1603 * gnutls_cert structure. Returns the number of certificates parsed.
1604 */
1605 static int
1606 parse_der_crl_mem (gnutls_x509_trust_list_t tlist,
1607 const void *input_crl, unsigned int input_crl_size)
1608 {
1609 gnutls_x509_crl_t crl;
1610 gnutls_datum_t tmp;
1611 int ret;
1612
1613 tmp.data = (void*)input_crl;
1614 tmp.size = input_crl_size;
1615
1616 ret = gnutls_x509_crl_init( &crl);
1617 if (ret < 0)
1618 {
1619 gnutls_assert();
1620 return ret;
1621 }
1622
1623 ret = gnutls_x509_crl_import( crl, &tmp, GNUTLS_X509_FMT_DER);
1624 if (ret < 0)
1625 {
1626 gnutls_assert();
1627 goto cleanup;
1628 }
1629
1630 ret = gnutls_x509_trust_list_add_crls(tlist, &crl, 1, 0, 0);
1631 if (ret < 0)
1632 {
1633 gnutls_assert();
1634 goto cleanup;
1635 }
1636
1637 return ret;
1638
1639 cleanup:
1640 gnutls_x509_crl_deinit(crl);
1641 return ret;
1642
1643 }
1644
1645
1646 /* Reads a DER or PEM CRL from memory
1647 */
1648 static int
1649 read_crl_mem (gnutls_certificate_credentials_t res, const void *crl,
1650 int crl_size, gnutls_x509_crt_fmt_t type)
1651 {
1652 int ret;
1653
1654 if (type == GNUTLS_X509_FMT_DER)
1655 ret = parse_der_crl_mem (res->tlist, crl, crl_size);
1656 else
1657 ret = parse_pem_crl_mem (res->tlist, crl, crl_size);
1658
1659 if (ret < 0)
1660 {
1661 gnutls_assert ();
1662 }
1663
1664 return ret;
1665 }
1666
1667 /**
1668 * gnutls_certificate_set_x509_crl_mem:
1669 * @res: is a #gnutls_certificate_credentials_t structure.
1670 * @CRL: is a list of trusted CRLs. They should have been verified before.
1671 * @type: is DER or PEM
1672 *
1673 * This function adds the trusted CRLs in order to verify client or
1674 * server certificates. In case of a client this is not required to
1675 * be called if the certificates are not verified using
1676 * gnutls_certificate_verify_peers2(). This function may be called
1677 * multiple times.
1678 *
1679 * Returns: number of CRLs processed, or a negative error code on error.
1680 **/
1681 int
1682 gnutls_certificate_set_x509_crl_mem (gnutls_certificate_credentials_t res,
1683 const gnutls_datum_t * CRL,
1684 gnutls_x509_crt_fmt_t type)
1685 {
1686 return read_crl_mem (res, CRL->data, CRL->size, type);
1687 }
1688
1689 /**
1690 * gnutls_certificate_set_x509_crl:
1691 * @res: is a #gnutls_certificate_credentials_t structure.
1692 * @crl_list: is a list of trusted CRLs. They should have been verified before.
1693 * @crl_list_size: holds the size of the crl_list
1694 *
1695 * This function adds the trusted CRLs in order to verify client or
1696 * server certificates. In case of a client this is not required to
1697 * be called if the certificates are not verified using
1698 * gnutls_certificate_verify_peers2(). This function may be called
1699 * multiple times.
1700 *
1701 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1702 *
1703 * Since: 2.4.0
1704 **/
1705 int
1706 gnutls_certificate_set_x509_crl (gnutls_certificate_credentials_t res,
1707 gnutls_x509_crl_t * crl_list,
1708 int crl_list_size)
1709 {
1710 int ret, i, j;
1711 gnutls_x509_crl_t new_crl[crl_list_size];
1712
1713 for (i = 0; i < crl_list_size; i++)
1714 {
1715 ret = gnutls_x509_crl_init (&new_crl[i]);
1716 if (ret < 0)
1717 {
1718 gnutls_assert ();
1719 goto cleanup;
1720 }
1721
1722 ret = _gnutls_x509_crl_cpy (new_crl[i], crl_list[i]);
1723 if (ret < 0)
1724 {
1725 gnutls_assert ();
1726 goto cleanup;
1727 }
1728 }
1729
1730 ret = gnutls_x509_trust_list_add_crls(res->tlist, new_crl, crl_list_size, 0, 0);
1731 if (ret < 0)
1732 {
1733 gnutls_assert ();
1734 goto cleanup;
1735 }
1736
1737 return ret;
1738
1739 cleanup:
1740 for (j=0;j<i;j++)
1741 gnutls_x509_crl_deinit(new_crl[j]);
1742
1743 return ret;
1744 }
1745
1746 /**
1747 * gnutls_certificate_set_x509_crl_file:
1748 * @res: is a #gnutls_certificate_credentials_t structure.
1749 * @crlfile: is a file containing the list of verified CRLs (DER or PEM list)
1750 * @type: is PEM or DER
1751 *
1752 * This function adds the trusted CRLs in order to verify client or server
1753 * certificates. In case of a client this is not required
1754 * to be called if the certificates are not verified using
1755 * gnutls_certificate_verify_peers2().
1756 * This function may be called multiple times.
1757 *
1758 * Returns: number of CRLs processed or a negative error code on error.
1759 **/
1760 int
1761 gnutls_certificate_set_x509_crl_file (gnutls_certificate_credentials_t res,
1762 const char *crlfile,
1763 gnutls_x509_crt_fmt_t type)
1764 {
1765 int ret;
1766 size_t size;
1767 char *data = (void*)read_binary_file (crlfile, &size);
1768
1769 if (data == NULL)
1770 {
1771 gnutls_assert ();
1772 return GNUTLS_E_FILE_ERROR;
1773 }
1774
1775 if (type == GNUTLS_X509_FMT_DER)
1776 ret = parse_der_crl_mem (res->tlist, data, size);
1777 else
1778 ret = parse_pem_crl_mem (res->tlist, data, size);
1779
1780 free (data);
1781
1782 if (ret < 0)
1783 {
1784 gnutls_assert ();
1785 return ret;
1786 }
1787
1788 return ret;
1789 }
1790
1791 #include <gnutls/pkcs12.h>
1792
1793
1794 /**
1795 * gnutls_certificate_set_x509_simple_pkcs12_file:
1796 * @res: is a #gnutls_certificate_credentials_t structure.
1797 * @pkcs12file: filename of file containing PKCS#12 blob.
1798 * @type: is PEM or DER of the @pkcs12file.
1799 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
1800 *
1801 * This function sets a certificate/private key pair and/or a CRL in
1802 * the gnutls_certificate_credentials_t structure. This function may
1803 * be called more than once (in case multiple keys/certificates exist
1804 * for the server).
1805 *
1806 * PKCS#12 files with a MAC, encrypted bags and PKCS #8
1807 * private keys are supported. However,
1808 * only password based security, and the same password for all
1809 * operations, are supported.
1810 *
1811 * PKCS#12 file may contain many keys and/or certificates, and there
1812 * is no way to identify which key/certificate pair you want. You
1813 * should make sure the PKCS#12 file only contain one key/certificate
1814 * pair and/or one CRL.
1815 *
1816 * It is believed that the limitations of this function is acceptable
1817 * for most usage, and that any more flexibility would introduce
1818 * complexity that would make it harder to use this functionality at
1819 * all.
1820 *
1821 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1822 **/
1823 int
1824 gnutls_certificate_set_x509_simple_pkcs12_file
1825 (gnutls_certificate_credentials_t res, const char *pkcs12file,
1826 gnutls_x509_crt_fmt_t type, const char *password)
1827 {
1828 gnutls_datum_t p12blob;
1829 size_t size;
1830 int ret;
1831
1832 p12blob.data = (void*)read_binary_file (pkcs12file, &size);
1833 p12blob.size = (unsigned int) size;
1834 if (p12blob.data == NULL)
1835 {
1836 gnutls_assert ();
1837 return GNUTLS_E_FILE_ERROR;
1838 }
1839
1840 ret =
1841 gnutls_certificate_set_x509_simple_pkcs12_mem (res, &p12blob, type,
1842 password);
1843 free (p12blob.data);
1844
1845 return ret;
1846 }
1847
1848 /**
1849 * gnutls_certificate_set_x509_simple_pkcs12_mem:
1850 * @res: is a #gnutls_certificate_credentials_t structure.
1851 * @p12blob: the PKCS#12 blob.
1852 * @type: is PEM or DER of the @pkcs12file.
1853 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
1854 *
1855 * This function sets a certificate/private key pair and/or a CRL in
1856 * the gnutls_certificate_credentials_t structure. This function may
1857 * be called more than once (in case multiple keys/certificates exist
1858 * for the server).
1859 *
1860 * Encrypted PKCS#12 bags and PKCS#8 private keys are supported. However,
1861 * only password based security, and the same password for all
1862 * operations, are supported.
1863 *
1864 * PKCS#12 file may contain many keys and/or certificates, and there
1865 * is no way to identify which key/certificate pair you want. You
1866 * should make sure the PKCS#12 file only contain one key/certificate
1867 * pair and/or one CRL.
1868 *
1869 * It is believed that the limitations of this function is acceptable
1870 * for most usage, and that any more flexibility would introduce
1871 * complexity that would make it harder to use this functionality at
1872 * all.
1873 *
1874 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1875 *
1876 * Since: 2.8.0
1877 **/
1878 int
1879 gnutls_certificate_set_x509_simple_pkcs12_mem
1880 (gnutls_certificate_credentials_t res, const gnutls_datum_t * p12blob,
1881 gnutls_x509_crt_fmt_t type, const char *password)
1882 {
1883 gnutls_pkcs12_t p12;
1884 gnutls_x509_privkey_t key = NULL;
1885 gnutls_x509_crt_t *chain = NULL;
1886 gnutls_x509_crl_t crl = NULL;
1887 unsigned int chain_size = 0, i;
1888 int ret;
1889
1890 ret = gnutls_pkcs12_init (&p12);
1891 if (ret < 0)
1892 {
1893 gnutls_assert ();
1894 return ret;
1895 }
1896
1897 ret = gnutls_pkcs12_import (p12, p12blob, type, 0);
1898 if (ret < 0)
1899 {
1900 gnutls_assert ();
1901 gnutls_pkcs12_deinit (p12);
1902 return ret;
1903 }
1904
1905 if (password)
1906 {
1907 ret = gnutls_pkcs12_verify_mac (p12, password);
1908 if (ret < 0)
1909 {
1910 gnutls_assert ();
1911 gnutls_pkcs12_deinit (p12);
1912 return ret;
1913 }
1914 }
1915
1916 ret = gnutls_pkcs12_simple_parse (p12, password, &key, &chain, &chain_size,
1917 NULL, NULL, &crl, 0);
1918 gnutls_pkcs12_deinit (p12);
1919 if (ret < 0)
1920 {
1921 gnutls_assert ();
1922 return ret;
1923 }
1924
1925 if (key && chain)
1926 {
1927 ret = gnutls_certificate_set_x509_key (res, chain, chain_size, key);
1928 if (ret < 0)
1929 {
1930 gnutls_assert ();
1931 goto done;
1932 }
1933 }
1934 else
1935 {
1936 gnutls_assert();
1937 ret = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
1938 goto done;
1939 }
1940
1941 if (crl)
1942 {
1943 ret = gnutls_certificate_set_x509_crl (res, &crl, 1);
1944 if (ret < 0)
1945 {
1946 gnutls_assert ();
1947 goto done;
1948 }
1949 }
1950
1951 ret = 0;
1952
1953 done:
1954 if (chain)
1955 {
1956 for (i=0;i<chain_size;i++)
1957 gnutls_x509_crt_deinit (chain[i]);
1958 gnutls_free(chain);
1959 }
1960 if (key)
1961 gnutls_x509_privkey_deinit (key);
1962 if (crl)
1963 gnutls_x509_crl_deinit (crl);
1964
1965 return ret;
1966 }
1967
1968
1969
1970 /**
1971 * gnutls_certificate_free_crls:
1972 * @sc: is a #gnutls_certificate_credentials_t structure.
1973 *
1974 * This function will delete all the CRLs associated
1975 * with the given credentials.
1976 **/
1977 void
1978 gnutls_certificate_free_crls (gnutls_certificate_credentials_t sc)
1979 {
1980 /* do nothing for now */
1981 return;
1982 }
1983
1984 /**
1985 * gnutls_certificate_credentials_t:
1986 * @cred: is a #gnutls_certificate_credentials_t structure.
1987 * @fn: A PIN callback
1988 * @userdata: Data to be passed in the callback
1989 *
1990 * This function will set a callback function to be used when
1991 * required to access a protected object. This function overrides any other
1992 * global PIN functions.
1993 *
1994 * Note that this function must be called right after initialization
1995 * to have effect.
1996 *
1997 * Since: 3.1.0
1998 **/
1999 void gnutls_certificate_set_pin_function (gnutls_certificate_credentials_t cred,
2000 gnutls_pin_callback_t fn, void *userdata)
2001 {
2002 cred->pin.cb = fn;
2003 cred->pin.data = userdata;
2004 }
Implementation of the SSL/TLS protocol