2 * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010
3 * Free Software Foundation, Inc.
5 * Author: Nikos Mavrogiannopoulos
7 * This file is part of GNUTLS.
9 * The GNUTLS library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
26 #include <gnutls_int.h>
27 #include "gnutls_auth.h"
28 #include "gnutls_errors.h"
29 #include <gnutls_cert.h>
30 #include <auth_cert.h>
31 #include "gnutls_dh.h"
32 #include "gnutls_num.h"
33 #include "gnutls_datum.h"
34 #include <gnutls_pk.h>
35 #include <gnutls_algorithms.h>
36 #include <gnutls_global.h>
37 #include <gnutls_record.h>
38 #include <gnutls_sig.h>
39 #include <gnutls_state.h>
40 #include <gnutls_pk.h>
41 #include <gnutls_str.h>
44 #include <gnutls_x509.h>
45 #include "x509/common.h"
46 #include "x509/x509_int.h"
47 #include "read-file.h"
50 * some x509 certificate parsing functions.
53 /* Check if the number of bits of the key in the certificate
57 check_bits (gnutls_x509_crt_t crt
, unsigned int max_bits
)
62 ret
= gnutls_x509_crt_get_pk_algorithm (crt
, &bits
);
69 if (bits
> max_bits
&& max_bits
> 0)
72 return GNUTLS_E_CONSTRAINT_ERROR
;
79 #define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) { \
80 if (peer_certificate_list[x]) \
81 gnutls_x509_crt_deinit(peer_certificate_list[x]); \
83 gnutls_free( peer_certificate_list)
86 * _gnutls_x509_cert_verify_peers - return the peer's certificate status
87 * @session: is a gnutls session
89 * This function will try to verify the peer's certificate and return its status (TRUSTED, REVOKED etc.).
90 * The return value (status) should be one of the gnutls_certificate_status_t enumerated elements.
91 * However you must also check the peer's name in order to check if the verified certificate belongs to the
92 * actual peer. Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
95 _gnutls_x509_cert_verify_peers (gnutls_session_t session
,
98 cert_auth_info_t info
;
99 gnutls_certificate_credentials_t cred
;
100 gnutls_x509_crt_t
*peer_certificate_list
;
101 int peer_certificate_list_size
, i
, x
, ret
;
103 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE
, GNUTLS_E_INVALID_REQUEST
);
105 info
= _gnutls_get_auth_info (session
);
109 return GNUTLS_E_INVALID_REQUEST
;
112 cred
= (gnutls_certificate_credentials_t
)
113 _gnutls_get_cred (session
->key
, GNUTLS_CRD_CERTIFICATE
, NULL
);
117 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
120 if (info
->raw_certificate_list
== NULL
|| info
->ncerts
== 0)
121 return GNUTLS_E_NO_CERTIFICATE_FOUND
;
123 if (info
->ncerts
> cred
->verify_depth
&& cred
->verify_depth
> 0)
126 return GNUTLS_E_CONSTRAINT_ERROR
;
129 /* generate a list of gnutls_certs based on the auth info
132 peer_certificate_list_size
= info
->ncerts
;
133 peer_certificate_list
=
134 gnutls_calloc (peer_certificate_list_size
, sizeof (gnutls_x509_crt_t
));
135 if (peer_certificate_list
== NULL
)
138 return GNUTLS_E_MEMORY_ERROR
;
141 for (i
= 0; i
< peer_certificate_list_size
; i
++)
143 ret
= gnutls_x509_crt_init (&peer_certificate_list
[i
]);
152 gnutls_x509_crt_import (peer_certificate_list
[i
],
153 &info
->raw_certificate_list
[i
],
154 GNUTLS_X509_FMT_DER
);
170 ret
= check_bits (peer_certificate_list
[i
], cred
->verify_bits
);
180 /* Verify certificate
183 ret
= gnutls_x509_crt_list_verify (peer_certificate_list
,
184 peer_certificate_list_size
,
185 cred
->x509_ca_list
, cred
->x509_ncas
,
186 cred
->x509_crl_list
, cred
->x509_ncrls
,
187 cred
->verify_flags
| session
->
188 internals
.priorities
.
189 additional_verify_flags
, status
);
203 * Read certificates and private keys, from files, memory etc.
206 /* returns error if the certificate has different algorithm than
207 * the given key parameters.
210 _gnutls_check_key_cert_match (gnutls_certificate_credentials_t res
)
214 unsigned pk
= res
->cert_list
[res
->ncerts
- 1][0].subject_pk_algorithm
;
216 if (res
->pkey
[res
->ncerts
- 1].pk_algorithm
!= pk
)
219 return GNUTLS_E_CERTIFICATE_KEY_MISMATCH
;
222 if (pk
== GNUTLS_PK_RSA
)
224 _gnutls_x509_write_rsa_params (res
->pkey
[res
->ncerts
- 1].params
,
225 res
->pkey
[res
->ncerts
-
226 1].params_size
, &kid
);
229 _gnutls_x509_write_rsa_params (res
->cert_list
[res
->ncerts
- 1][0].
231 res
->cert_list
[res
->ncerts
-
232 1][0].params_size
, &cid
);
234 else if (pk
== GNUTLS_PK_DSA
)
237 _gnutls_x509_write_dsa_params (res
->pkey
[res
->ncerts
- 1].params
,
238 res
->pkey
[res
->ncerts
-
239 1].params_size
, &kid
);
241 _gnutls_x509_write_dsa_params (res
->cert_list
[res
->ncerts
- 1][0].
243 res
->cert_list
[res
->ncerts
-
244 1][0].params_size
, &cid
);
247 if (cid
.size
!= kid
.size
)
250 _gnutls_free_datum (&kid
);
251 _gnutls_free_datum (&cid
);
252 return GNUTLS_E_CERTIFICATE_KEY_MISMATCH
;
255 if (memcmp (kid
.data
, cid
.data
, kid
.size
) != 0)
258 _gnutls_free_datum (&kid
);
259 _gnutls_free_datum (&cid
);
260 return GNUTLS_E_CERTIFICATE_KEY_MISMATCH
;
263 _gnutls_free_datum (&kid
);
264 _gnutls_free_datum (&cid
);
268 /* Reads a DER encoded certificate list from memory and stores it to a
269 * gnutls_cert structure. Returns the number of certificates parsed.
272 parse_crt_mem (gnutls_cert
** cert_list
, unsigned *ncerts
,
273 gnutls_x509_crt_t cert
)
281 (gnutls_cert
*) gnutls_realloc_fast (*cert_list
,
282 i
* sizeof (gnutls_cert
));
284 if (*cert_list
== NULL
)
287 return GNUTLS_E_MEMORY_ERROR
;
290 ret
= _gnutls_x509_crt_to_gcert (&cert_list
[0][i
- 1], cert
, 0);
299 return 1; /* one certificate parsed */
302 /* Reads a DER encoded certificate list from memory and stores it to a
303 * gnutls_cert structure. Returns the number of certificates parsed.
306 parse_der_cert_mem (gnutls_cert
** cert_list
, unsigned *ncerts
,
307 const void *input_cert
, int input_cert_size
)
310 gnutls_x509_crt_t cert
;
313 ret
= gnutls_x509_crt_init (&cert
);
320 tmp
.data
= (opaque
*) input_cert
;
321 tmp
.size
= input_cert_size
;
323 ret
= gnutls_x509_crt_import (cert
, &tmp
, GNUTLS_X509_FMT_DER
);
327 gnutls_x509_crt_deinit (cert
);
331 ret
= parse_crt_mem (cert_list
, ncerts
, cert
);
332 gnutls_x509_crt_deinit (cert
);
337 /* Reads a base64 encoded certificate list from memory and stores it to
338 * a gnutls_cert structure. Returns the number of certificate parsed.
341 parse_pem_cert_mem (gnutls_cert
** cert_list
, unsigned *ncerts
,
342 const char *input_cert
, int input_cert_size
)
350 /* move to the certificate
352 ptr
= memmem (input_cert
, input_cert_size
,
353 PEM_CERT_SEP
, sizeof (PEM_CERT_SEP
) - 1);
355 ptr
= memmem (input_cert
, input_cert_size
,
356 PEM_CERT_SEP2
, sizeof (PEM_CERT_SEP2
) - 1);
361 return GNUTLS_E_BASE64_DECODING_ERROR
;
363 size
= input_cert_size
- (ptr
- input_cert
);
371 siz2
= _gnutls_fbase64_decode (NULL
, ptr
, size
, &ptr2
);
376 return GNUTLS_E_BASE64_DECODING_ERROR
;
380 (gnutls_cert
*) gnutls_realloc_fast (*cert_list
,
381 i
* sizeof (gnutls_cert
));
383 if (*cert_list
== NULL
)
386 return GNUTLS_E_MEMORY_ERROR
;
392 ret
= _gnutls_x509_raw_cert_to_gcert (&cert_list
[0][i
- 1], &tmp
, 0);
398 _gnutls_free_datum (&tmp
); /* free ptr2 */
400 /* now we move ptr after the pem header
403 /* find the next certificate (if any)
405 size
= input_cert_size
- (ptr
- input_cert
);
411 ptr3
= memmem (ptr
, size
, PEM_CERT_SEP
, sizeof (PEM_CERT_SEP
) - 1);
413 ptr3
= memmem (ptr
, size
, PEM_CERT_SEP2
,
414 sizeof (PEM_CERT_SEP2
) - 1);
434 /* Reads a DER or PEM certificate from memory
437 read_cert_mem (gnutls_certificate_credentials_t res
, const void *cert
,
438 int cert_size
, gnutls_x509_crt_fmt_t type
)
442 /* allocate space for the certificate to add
444 res
->cert_list
= gnutls_realloc_fast (res
->cert_list
,
447 sizeof (gnutls_cert
*));
448 if (res
->cert_list
== NULL
)
451 return GNUTLS_E_MEMORY_ERROR
;
454 res
->cert_list_length
= gnutls_realloc_fast (res
->cert_list_length
,
456 res
->ncerts
) * sizeof (int));
457 if (res
->cert_list_length
== NULL
)
460 return GNUTLS_E_MEMORY_ERROR
;
463 res
->cert_list
[res
->ncerts
] = NULL
; /* for realloc */
464 res
->cert_list_length
[res
->ncerts
] = 0;
466 if (type
== GNUTLS_X509_FMT_DER
)
467 ret
= parse_der_cert_mem (&res
->cert_list
[res
->ncerts
],
468 &res
->cert_list_length
[res
->ncerts
],
471 ret
= parse_pem_cert_mem (&res
->cert_list
[res
->ncerts
],
472 &res
->cert_list_length
[res
->ncerts
], cert
,
486 _gnutls_x509_privkey_to_gkey (gnutls_privkey
* dest
,
487 gnutls_x509_privkey_t src
)
491 memset (dest
, 0, sizeof (gnutls_privkey
));
493 for (i
= 0; i
< src
->params_size
; i
++)
495 dest
->params
[i
] = _gnutls_mpi_copy (src
->params
[i
]);
496 if (dest
->params
[i
] == NULL
)
499 ret
= GNUTLS_E_MEMORY_ERROR
;
504 dest
->pk_algorithm
= src
->pk_algorithm
;
505 dest
->params_size
= src
->params_size
;
511 for (i
= 0; i
< src
->params_size
; i
++)
513 _gnutls_mpi_release (&dest
->params
[i
]);
519 _gnutls_gkey_deinit (gnutls_privkey
* key
)
525 for (i
= 0; i
< key
->params_size
; i
++)
527 _gnutls_mpi_release (&key
->params
[i
]);
532 _gnutls_x509_raw_privkey_to_gkey (gnutls_privkey
* privkey
,
533 const gnutls_datum_t
* raw_key
,
534 gnutls_x509_crt_fmt_t type
)
536 gnutls_x509_privkey_t tmpkey
;
539 ret
= gnutls_x509_privkey_init (&tmpkey
);
546 ret
= gnutls_x509_privkey_import (tmpkey
, raw_key
, type
);
549 /* If normal key decoding doesn't work try decoding a plain PKCS #8 key */
551 ret
= gnutls_x509_privkey_import_pkcs8 (tmpkey
, raw_key
, type
,
552 NULL
, GNUTLS_PKCS_PLAIN
);
558 gnutls_x509_privkey_deinit (tmpkey
);
562 ret
= _gnutls_x509_privkey_to_gkey (privkey
, tmpkey
);
566 gnutls_x509_privkey_deinit (tmpkey
);
570 gnutls_x509_privkey_deinit (tmpkey
);
575 /* Reads a PEM encoded PKCS-1 RSA/DSA private key from memory. Type
576 * indicates the certificate format. KEY can be NULL, to indicate
577 * that GnuTLS doesn't know the private key.
580 read_key_mem (gnutls_certificate_credentials_t res
,
581 const void *key
, int key_size
, gnutls_x509_crt_fmt_t type
)
586 /* allocate space for the pkey list
589 gnutls_realloc_fast (res
->pkey
,
590 (res
->ncerts
+ 1) * sizeof (gnutls_privkey
));
591 if (res
->pkey
== NULL
)
594 return GNUTLS_E_MEMORY_ERROR
;
599 tmp
.data
= (opaque
*) key
;
603 _gnutls_x509_raw_privkey_to_gkey (&res
->pkey
[res
->ncerts
], &tmp
,
612 memset (&res
->pkey
[res
->ncerts
], 0, sizeof (gnutls_privkey
));
617 /* Reads a certificate file
620 read_cert_file (gnutls_certificate_credentials_t res
,
621 const char *certfile
, gnutls_x509_crt_fmt_t type
)
625 char *data
= read_binary_file (certfile
, &size
);
630 return GNUTLS_E_FILE_ERROR
;
633 ret
= read_cert_mem (res
, data
, size
, type
);
642 /* Reads PKCS-1 RSA private key file or a DSA file (in the format openssl
646 read_key_file (gnutls_certificate_credentials_t res
,
647 const char *keyfile
, gnutls_x509_crt_fmt_t type
)
651 char *data
= read_binary_file (keyfile
, &size
);
656 return GNUTLS_E_FILE_ERROR
;
659 ret
= read_key_mem (res
, data
, size
, type
);
666 * gnutls_certificate_set_x509_key_mem:
667 * @res: is a #gnutls_certificate_credentials_t structure.
668 * @cert: contains a certificate list (path) for the specified private key
669 * @key: is the private key, or %NULL
670 * @type: is PEM or DER
672 * This function sets a certificate/private key pair in the
673 * gnutls_certificate_credentials_t structure. This function may be called
674 * more than once (in case multiple keys/certificates exist for the
677 * Currently are supported: RSA PKCS-1 encoded private keys,
680 * DSA private keys are encoded the OpenSSL way, which is an ASN.1
681 * DER sequence of 6 INTEGERs - version, p, q, g, pub, priv.
683 * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates
684 * is supported. This means that certificates intended for signing cannot
685 * be used for ciphersuites that require encryption.
687 * If the certificate and the private key are given in PEM encoding
688 * then the strings that hold their values must be null terminated.
690 * The @key may be %NULL if you are using a sign callback, see
691 * gnutls_sign_callback_set().
693 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
696 gnutls_certificate_set_x509_key_mem (gnutls_certificate_credentials_t res
,
697 const gnutls_datum_t
* cert
,
698 const gnutls_datum_t
* key
,
699 gnutls_x509_crt_fmt_t type
)
703 /* this should be first
705 if ((ret
= read_key_mem (res
, key
? key
->data
: NULL
,
706 key
? key
->size
: 0, type
)) < 0)
709 if ((ret
= read_cert_mem (res
, cert
->data
, cert
->size
, type
)) < 0)
714 if (key
&& (ret
= _gnutls_check_key_cert_match (res
)) < 0)
724 * gnutls_certificate_set_x509_key:
725 * @res: is a #gnutls_certificate_credentials_t structure.
726 * @cert_list: contains a certificate list (path) for the specified private key
727 * @cert_list_size: holds the size of the certificate list
728 * @key: is a gnutls_x509_privkey_t key
730 * This function sets a certificate/private key pair in the
731 * gnutls_certificate_credentials_t structure. This function may be
732 * called more than once (in case multiple keys/certificates exist for
733 * the server). For clients that wants to send more than its own end
734 * entity certificate (e.g., also an intermediate CA cert) then put
735 * the certificate chain in @cert_list.
737 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
742 gnutls_certificate_set_x509_key (gnutls_certificate_credentials_t res
,
743 gnutls_x509_crt_t
* cert_list
,
745 gnutls_x509_privkey_t key
)
749 /* this should be first
753 gnutls_realloc_fast (res
->pkey
,
754 (res
->ncerts
+ 1) * sizeof (gnutls_privkey
));
755 if (res
->pkey
== NULL
)
758 return GNUTLS_E_MEMORY_ERROR
;
761 ret
= _gnutls_x509_privkey_to_gkey (&res
->pkey
[res
->ncerts
], key
);
768 res
->cert_list
= gnutls_realloc_fast (res
->cert_list
,
771 sizeof (gnutls_cert
*));
772 if (res
->cert_list
== NULL
)
775 return GNUTLS_E_MEMORY_ERROR
;
778 res
->cert_list_length
= gnutls_realloc_fast (res
->cert_list_length
,
780 res
->ncerts
) * sizeof (int));
781 if (res
->cert_list_length
== NULL
)
784 return GNUTLS_E_MEMORY_ERROR
;
787 res
->cert_list
[res
->ncerts
] = NULL
; /* for realloc */
788 res
->cert_list_length
[res
->ncerts
] = 0;
791 for (i
= 0; i
< cert_list_size
; i
++)
793 ret
= parse_crt_mem (&res
->cert_list
[res
->ncerts
],
794 &res
->cert_list_length
[res
->ncerts
], cert_list
[i
]);
803 if ((ret
= _gnutls_check_key_cert_match (res
)) < 0)
813 * gnutls_certificate_set_x509_key_file:
814 * @res: is a #gnutls_certificate_credentials_t structure.
815 * @certfile: is a file that containing the certificate list (path) for
816 * the specified private key, in PKCS7 format, or a list of certificates
817 * @keyfile: is a file that contains the private key
818 * @type: is PEM or DER
820 * This function sets a certificate/private key pair in the
821 * gnutls_certificate_credentials_t structure. This function may be
822 * called more than once (in case multiple keys/certificates exist for
823 * the server). For clients that wants to send more than its own end
824 * entity certificate (e.g., also an intermediate CA cert) then put
825 * the certificate chain in @certfile.
827 * Currently only PKCS-1 encoded RSA and DSA private keys are accepted by
830 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
833 gnutls_certificate_set_x509_key_file (gnutls_certificate_credentials_t res
,
834 const char *certfile
,
836 gnutls_x509_crt_fmt_t type
)
840 /* this should be first
842 if ((ret
= read_key_file (res
, keyfile
, type
)) < 0)
845 if ((ret
= read_cert_file (res
, certfile
, type
)) < 0)
850 if ((ret
= _gnutls_check_key_cert_match (res
)) < 0)
860 add_new_crt_to_rdn_seq (gnutls_certificate_credentials_t res
, int new)
865 unsigned char *newdata
;
868 /* Add DN of the last added CAs to the RDN sequence
869 * This will be sent to clients when a certificate
870 * request message is sent.
873 /* FIXME: in case of a client it is not needed
874 * to do that. This would save time and memory.
875 * However we don't have that information available
877 * Further, this function is now much more efficient,
878 * so optimizing that is less important.
881 for (i
= res
->x509_ncas
- new; i
< res
->x509_ncas
; i
++)
883 if ((ret
= gnutls_x509_crt_get_raw_dn (res
->x509_ca_list
[i
], &tmp
)) < 0)
889 newsize
= res
->x509_rdn_sequence
.size
+ 2 + tmp
.size
;
890 if (newsize
< res
->x509_rdn_sequence
.size
)
893 _gnutls_free_datum (&tmp
);
894 return GNUTLS_E_SHORT_MEMORY_BUFFER
;
897 newdata
= gnutls_realloc (res
->x509_rdn_sequence
.data
, newsize
);
901 _gnutls_free_datum (&tmp
);
902 return GNUTLS_E_MEMORY_ERROR
;
905 _gnutls_write_datum16 (newdata
+ res
->x509_rdn_sequence
.size
, tmp
);
906 _gnutls_free_datum (&tmp
);
908 res
->x509_rdn_sequence
.size
= newsize
;
909 res
->x509_rdn_sequence
.data
= newdata
;
915 /* Returns 0 if it's ok to use the gnutls_kx_algorithm_t with this
916 * certificate (uses the KeyUsage field).
919 _gnutls_check_key_usage (const gnutls_cert
* cert
, gnutls_kx_algorithm_t alg
)
921 unsigned int key_usage
= 0;
927 return GNUTLS_E_INTERNAL_ERROR
;
930 if (_gnutls_map_kx_get_cred (alg
, 1) == GNUTLS_CRD_CERTIFICATE
||
931 _gnutls_map_kx_get_cred (alg
, 0) == GNUTLS_CRD_CERTIFICATE
)
934 key_usage
= cert
->key_usage
;
936 encipher_type
= _gnutls_kx_encipher_type (alg
);
938 if (key_usage
!= 0 && encipher_type
!= CIPHER_IGN
)
940 /* If key_usage has been set in the certificate
943 if (encipher_type
== CIPHER_ENCRYPT
)
945 /* If the key exchange method requires an encipher
946 * type algorithm, and key's usage does not permit
947 * encipherment, then fail.
949 if (!(key_usage
& KEY_KEY_ENCIPHERMENT
))
952 return GNUTLS_E_KEY_USAGE_VIOLATION
;
956 if (encipher_type
== CIPHER_SIGN
)
958 /* The same as above, but for sign only keys
960 if (!(key_usage
& KEY_DIGITAL_SIGNATURE
))
963 return GNUTLS_E_KEY_USAGE_VIOLATION
;
974 parse_pem_ca_mem (gnutls_x509_crt_t
** cert_list
, unsigned *ncerts
,
975 const opaque
* input_cert
, int input_cert_size
)
982 /* move to the certificate
984 ptr
= memmem (input_cert
, input_cert_size
,
985 PEM_CERT_SEP
, sizeof (PEM_CERT_SEP
) - 1);
987 ptr
= memmem (input_cert
, input_cert_size
,
988 PEM_CERT_SEP2
, sizeof (PEM_CERT_SEP2
) - 1);
993 return GNUTLS_E_BASE64_DECODING_ERROR
;
995 size
= input_cert_size
- (ptr
- input_cert
);
1004 (gnutls_x509_crt_t
*) gnutls_realloc_fast (*cert_list
,
1007 (gnutls_x509_crt_t
));
1009 if (*cert_list
== NULL
)
1012 return GNUTLS_E_MEMORY_ERROR
;
1015 ret
= gnutls_x509_crt_init (&cert_list
[0][i
- 1]);
1022 tmp
.data
= (opaque
*) ptr
;
1026 gnutls_x509_crt_import (cert_list
[0][i
- 1],
1027 &tmp
, GNUTLS_X509_FMT_PEM
);
1034 /* now we move ptr after the pem header
1038 /* find the next certificate (if any)
1045 ptr3
= memmem (ptr
, size
, PEM_CERT_SEP
, sizeof (PEM_CERT_SEP
) - 1);
1047 ptr3
= memmem (ptr
, size
,
1048 PEM_CERT_SEP2
, sizeof (PEM_CERT_SEP2
) - 1);
1051 size
= input_cert_size
- (ptr
- input_cert
);
1060 while (ptr
!= NULL
);
1067 /* Reads a DER encoded certificate list from memory and stores it to a
1068 * gnutls_cert structure. Returns the number of certificates parsed.
1071 parse_der_ca_mem (gnutls_x509_crt_t
** cert_list
, unsigned *ncerts
,
1072 const void *input_cert
, int input_cert_size
)
1081 (gnutls_x509_crt_t
*) gnutls_realloc_fast (*cert_list
,
1083 sizeof (gnutls_x509_crt_t
));
1085 if (*cert_list
== NULL
)
1088 return GNUTLS_E_MEMORY_ERROR
;
1091 tmp
.data
= (opaque
*) input_cert
;
1092 tmp
.size
= input_cert_size
;
1094 ret
= gnutls_x509_crt_init (&cert_list
[0][i
- 1]);
1102 gnutls_x509_crt_import (cert_list
[0][i
- 1], &tmp
, GNUTLS_X509_FMT_DER
);
1111 return 1; /* one certificate parsed */
1115 * gnutls_certificate_set_x509_trust_mem:
1116 * @res: is a #gnutls_certificate_credentials_t structure.
1117 * @ca: is a list of trusted CAs or a DER certificate
1118 * @type: is DER or PEM
1120 * This function adds the trusted CAs in order to verify client or
1121 * server certificates. In case of a client this is not required to be
1122 * called if the certificates are not verified using
1123 * gnutls_certificate_verify_peers2(). This function may be called
1126 * In case of a server the CAs set here will be sent to the client if
1127 * a certificate request is sent. This can be disabled using
1128 * gnutls_certificate_send_x509_rdn_sequence().
1130 * Returns: the number of certificates processed or a negative value
1134 gnutls_certificate_set_x509_trust_mem (gnutls_certificate_credentials_t res
,
1135 const gnutls_datum_t
* ca
,
1136 gnutls_x509_crt_fmt_t type
)
1140 if (type
== GNUTLS_X509_FMT_DER
)
1141 ret
= parse_der_ca_mem (&res
->x509_ca_list
, &res
->x509_ncas
,
1142 ca
->data
, ca
->size
);
1144 ret
= parse_pem_ca_mem (&res
->x509_ca_list
, &res
->x509_ncas
,
1145 ca
->data
, ca
->size
);
1147 if ((ret2
= add_new_crt_to_rdn_seq (res
, ret
)) < 0)
1154 * gnutls_certificate_set_x509_trust:
1155 * @res: is a #gnutls_certificate_credentials_t structure.
1156 * @ca_list: is a list of trusted CAs
1157 * @ca_list_size: holds the size of the CA list
1159 * This function adds the trusted CAs in order to verify client
1160 * or server certificates. In case of a client this is not required
1161 * to be called if the certificates are not verified using
1162 * gnutls_certificate_verify_peers2().
1163 * This function may be called multiple times.
1165 * In case of a server the CAs set here will be sent to the client if
1166 * a certificate request is sent. This can be disabled using
1167 * gnutls_certificate_send_x509_rdn_sequence().
1169 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1174 gnutls_certificate_set_x509_trust (gnutls_certificate_credentials_t res
,
1175 gnutls_x509_crt_t
* ca_list
,
1180 res
->x509_ca_list
= gnutls_realloc_fast (res
->x509_ca_list
,
1183 sizeof (gnutls_x509_crt_t
));
1184 if (res
->x509_ca_list
== NULL
)
1187 return GNUTLS_E_MEMORY_ERROR
;
1190 for (i
= 0; i
< ca_list_size
; i
++)
1192 ret
= gnutls_x509_crt_init (&res
->x509_ca_list
[res
->x509_ncas
]);
1199 ret
= _gnutls_x509_crt_cpy (res
->x509_ca_list
[res
->x509_ncas
],
1204 gnutls_x509_crt_deinit (res
->x509_ca_list
[res
->x509_ncas
]);
1210 if ((ret2
= add_new_crt_to_rdn_seq (res
, ca_list_size
)) < 0)
1217 * gnutls_certificate_set_x509_trust_file:
1218 * @res: is a #gnutls_certificate_credentials_t structure.
1219 * @cafile: is a file containing the list of trusted CAs (DER or PEM list)
1220 * @type: is PEM or DER
1222 * This function adds the trusted CAs in order to verify client or
1223 * server certificates. In case of a client this is not required to
1224 * be called if the certificates are not verified using
1225 * gnutls_certificate_verify_peers2(). This function may be called
1228 * In case of a server the names of the CAs set here will be sent to
1229 * the client if a certificate request is sent. This can be disabled
1230 * using gnutls_certificate_send_x509_rdn_sequence().
1232 * Returns: number of certificates processed, or a negative value on
1236 gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t res
,
1238 gnutls_x509_crt_fmt_t type
)
1242 char *data
= read_binary_file (cafile
, &size
);
1247 return GNUTLS_E_FILE_ERROR
;
1250 if (type
== GNUTLS_X509_FMT_DER
)
1251 ret
= parse_der_ca_mem (&res
->x509_ca_list
, &res
->x509_ncas
, data
, size
);
1253 ret
= parse_pem_ca_mem (&res
->x509_ca_list
, &res
->x509_ncas
, data
, size
);
1263 if ((ret2
= add_new_crt_to_rdn_seq (res
, ret
)) < 0)
1272 parse_pem_crl_mem (gnutls_x509_crl_t
** crl_list
, unsigned *ncrls
,
1273 const opaque
* input_crl
, int input_crl_size
)
1280 /* move to the certificate
1282 ptr
= memmem (input_crl
, input_crl_size
,
1283 PEM_CRL_SEP
, sizeof (PEM_CRL_SEP
) - 1);
1287 return GNUTLS_E_BASE64_DECODING_ERROR
;
1290 size
= input_crl_size
- (ptr
- input_crl
);
1299 (gnutls_x509_crl_t
*) gnutls_realloc_fast (*crl_list
,
1302 (gnutls_x509_crl_t
));
1304 if (*crl_list
== NULL
)
1307 return GNUTLS_E_MEMORY_ERROR
;
1310 ret
= gnutls_x509_crl_init (&crl_list
[0][i
- 1]);
1317 tmp
.data
= (char *) ptr
;
1321 gnutls_x509_crl_import (crl_list
[0][i
- 1],
1322 &tmp
, GNUTLS_X509_FMT_PEM
);
1329 /* now we move ptr after the pem header
1332 /* find the next certificate (if any)
1335 size
= input_crl_size
- (ptr
- input_crl
);
1338 ptr
= memmem (ptr
, size
, PEM_CRL_SEP
, sizeof (PEM_CRL_SEP
) - 1);
1345 while (ptr
!= NULL
);
1352 /* Reads a DER encoded certificate list from memory and stores it to a
1353 * gnutls_cert structure. Returns the number of certificates parsed.
1356 parse_der_crl_mem (gnutls_x509_crl_t
** crl_list
, unsigned *ncrls
,
1357 const void *input_crl
, int input_crl_size
)
1366 (gnutls_x509_crl_t
*) gnutls_realloc_fast (*crl_list
,
1368 sizeof (gnutls_x509_crl_t
));
1370 if (*crl_list
== NULL
)
1373 return GNUTLS_E_MEMORY_ERROR
;
1376 tmp
.data
= (opaque
*) input_crl
;
1377 tmp
.size
= input_crl_size
;
1379 ret
= gnutls_x509_crl_init (&crl_list
[0][i
- 1]);
1387 gnutls_x509_crl_import (crl_list
[0][i
- 1], &tmp
, GNUTLS_X509_FMT_DER
);
1396 return 1; /* one certificate parsed */
1400 /* Reads a DER or PEM CRL from memory
1403 read_crl_mem (gnutls_certificate_credentials_t res
, const void *crl
,
1404 int crl_size
, gnutls_x509_crt_fmt_t type
)
1408 /* allocate space for the certificate to add
1410 res
->x509_crl_list
= gnutls_realloc_fast (res
->x509_crl_list
,
1413 sizeof (gnutls_x509_crl_t
));
1414 if (res
->x509_crl_list
== NULL
)
1417 return GNUTLS_E_MEMORY_ERROR
;
1420 if (type
== GNUTLS_X509_FMT_DER
)
1421 ret
= parse_der_crl_mem (&res
->x509_crl_list
,
1422 &res
->x509_ncrls
, crl
, crl_size
);
1424 ret
= parse_pem_crl_mem (&res
->x509_crl_list
,
1425 &res
->x509_ncrls
, crl
, crl_size
);
1437 * gnutls_certificate_set_x509_crl_mem:
1438 * @res: is a #gnutls_certificate_credentials_t structure.
1439 * @CRL: is a list of trusted CRLs. They should have been verified before.
1440 * @type: is DER or PEM
1442 * This function adds the trusted CRLs in order to verify client or
1443 * server certificates. In case of a client this is not required to
1444 * be called if the certificates are not verified using
1445 * gnutls_certificate_verify_peers2(). This function may be called
1448 * Returns: number of CRLs processed, or a negative value on error.
1451 gnutls_certificate_set_x509_crl_mem (gnutls_certificate_credentials_t res
,
1452 const gnutls_datum_t
* CRL
,
1453 gnutls_x509_crt_fmt_t type
)
1457 if ((ret
= read_crl_mem (res
, CRL
->data
, CRL
->size
, type
)) < 0)
1464 * gnutls_certificate_set_x509_crl:
1465 * @res: is a #gnutls_certificate_credentials_t structure.
1466 * @crl_list: is a list of trusted CRLs. They should have been verified before.
1467 * @crl_list_size: holds the size of the crl_list
1469 * This function adds the trusted CRLs in order to verify client or
1470 * server certificates. In case of a client this is not required to
1471 * be called if the certificates are not verified using
1472 * gnutls_certificate_verify_peers2(). This function may be called
1475 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1480 gnutls_certificate_set_x509_crl (gnutls_certificate_credentials_t res
,
1481 gnutls_x509_crl_t
* crl_list
,
1486 res
->x509_crl_list
= gnutls_realloc_fast (res
->x509_crl_list
,
1489 sizeof (gnutls_x509_crl_t
));
1490 if (res
->x509_crl_list
== NULL
)
1493 return GNUTLS_E_MEMORY_ERROR
;
1496 for (i
= 0; i
< crl_list_size
; i
++)
1498 ret
= gnutls_x509_crl_init (&res
->x509_crl_list
[res
->x509_ncrls
]);
1505 ret
= _gnutls_x509_crl_cpy (res
->x509_crl_list
[res
->x509_ncrls
],
1519 * gnutls_certificate_set_x509_crl_file:
1520 * @res: is a #gnutls_certificate_credentials_t structure.
1521 * @crlfile: is a file containing the list of verified CRLs (DER or PEM list)
1522 * @type: is PEM or DER
1524 * This function adds the trusted CRLs in order to verify client or server
1525 * certificates. In case of a client this is not required
1526 * to be called if the certificates are not verified using
1527 * gnutls_certificate_verify_peers2().
1528 * This function may be called multiple times.
1530 * Returns: number of CRLs processed or a negative value on error.
1533 gnutls_certificate_set_x509_crl_file (gnutls_certificate_credentials_t res
,
1534 const char *crlfile
,
1535 gnutls_x509_crt_fmt_t type
)
1539 char *data
= read_binary_file (crlfile
, &size
);
1544 return GNUTLS_E_FILE_ERROR
;
1547 if (type
== GNUTLS_X509_FMT_DER
)
1548 ret
= parse_der_crl_mem (&res
->x509_crl_list
, &res
->x509_ncrls
,
1551 ret
= parse_pem_crl_mem (&res
->x509_crl_list
, &res
->x509_ncrls
,
1565 #include <gnutls/pkcs12.h>
1568 parse_pkcs12 (gnutls_certificate_credentials_t res
,
1569 gnutls_pkcs12_t p12
,
1570 const char *password
,
1571 gnutls_x509_privkey_t
* key
,
1572 gnutls_x509_crt_t
* cert
, gnutls_x509_crl_t
* crl
)
1574 gnutls_pkcs12_bag_t bag
= NULL
;
1577 size_t cert_id_size
= 0;
1578 size_t key_id_size
= 0;
1587 /* find the first private key */
1590 int elements_in_bag
;
1593 ret
= gnutls_pkcs12_bag_init (&bag
);
1601 ret
= gnutls_pkcs12_get_bag (p12
, idx
, bag
);
1602 if (ret
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
)
1610 ret
= gnutls_pkcs12_bag_get_type (bag
, 0);
1617 if (ret
== GNUTLS_BAG_ENCRYPTED
)
1619 ret
= gnutls_pkcs12_bag_decrypt (bag
, password
);
1627 elements_in_bag
= gnutls_pkcs12_bag_get_count (bag
);
1628 if (elements_in_bag
< 0)
1634 for (i
= 0; i
< elements_in_bag
; i
++)
1637 gnutls_datum_t data
;
1639 type
= gnutls_pkcs12_bag_get_type (bag
, i
);
1646 ret
= gnutls_pkcs12_bag_get_data (bag
, i
, &data
);
1655 case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY
:
1656 case GNUTLS_BAG_PKCS8_KEY
:
1657 if (*key
!= NULL
) /* too simple to continue */
1663 ret
= gnutls_x509_privkey_init (key
);
1670 ret
= gnutls_x509_privkey_import_pkcs8
1671 (*key
, &data
, GNUTLS_X509_FMT_DER
, password
,
1672 type
== GNUTLS_BAG_PKCS8_KEY
? GNUTLS_PKCS_PLAIN
: 0);
1676 gnutls_x509_privkey_deinit (*key
);
1680 key_id_size
= sizeof (key_id
);
1682 gnutls_x509_privkey_get_key_id (*key
, 0, key_id
,
1687 gnutls_x509_privkey_deinit (*key
);
1691 privkey_ok
= 1; /* break */
1699 gnutls_pkcs12_bag_deinit (bag
);
1701 if (privkey_ok
!= 0) /* private key was found */
1705 if (privkey_ok
== 0) /* no private key */
1708 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
;
1711 /* now find the corresponding certificate
1717 int elements_in_bag
;
1720 ret
= gnutls_pkcs12_bag_init (&bag
);
1728 ret
= gnutls_pkcs12_get_bag (p12
, idx
, bag
);
1729 if (ret
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
)
1737 ret
= gnutls_pkcs12_bag_get_type (bag
, 0);
1744 if (ret
== GNUTLS_BAG_ENCRYPTED
)
1746 ret
= gnutls_pkcs12_bag_decrypt (bag
, password
);
1754 elements_in_bag
= gnutls_pkcs12_bag_get_count (bag
);
1755 if (elements_in_bag
< 0)
1761 for (i
= 0; i
< elements_in_bag
; i
++)
1764 gnutls_datum_t data
;
1766 type
= gnutls_pkcs12_bag_get_type (bag
, i
);
1773 ret
= gnutls_pkcs12_bag_get_data (bag
, i
, &data
);
1782 case GNUTLS_BAG_CERTIFICATE
:
1783 if (*cert
!= NULL
) /* no need to set it again */
1789 ret
= gnutls_x509_crt_init (cert
);
1797 gnutls_x509_crt_import (*cert
, &data
, GNUTLS_X509_FMT_DER
);
1801 gnutls_x509_crt_deinit (*cert
);
1805 /* check if the key id match */
1806 cert_id_size
= sizeof (cert_id
);
1808 gnutls_x509_crt_get_key_id (*cert
, 0, cert_id
, &cert_id_size
);
1812 gnutls_x509_crt_deinit (*cert
);
1816 if (memcmp (cert_id
, key_id
, cert_id_size
) != 0)
1817 { /* they don't match - skip the certificate */
1818 gnutls_x509_crt_deinit (*cert
);
1823 case GNUTLS_BAG_CRL
:
1830 ret
= gnutls_x509_crl_init (crl
);
1837 ret
= gnutls_x509_crl_import (*crl
, &data
, GNUTLS_X509_FMT_DER
);
1841 gnutls_x509_crl_deinit (*crl
);
1846 case GNUTLS_BAG_ENCRYPTED
:
1847 /* XXX Bother to recurse one level down? Unlikely to
1848 use the same password anyway. */
1849 case GNUTLS_BAG_EMPTY
:
1856 gnutls_pkcs12_bag_deinit (bag
);
1863 gnutls_pkcs12_bag_deinit (bag
);
1869 * gnutls_certificate_set_x509_simple_pkcs12_file:
1870 * @res: is a #gnutls_certificate_credentials_t structure.
1871 * @pkcs12file: filename of file containing PKCS#12 blob.
1872 * @type: is PEM or DER of the @pkcs12file.
1873 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
1875 * This function sets a certificate/private key pair and/or a CRL in
1876 * the gnutls_certificate_credentials_t structure. This function may
1877 * be called more than once (in case multiple keys/certificates exist
1880 * MAC:ed PKCS#12 files are supported. Encrypted PKCS#12 bags are
1881 * supported. Encrypted PKCS#8 private keys are supported. However,
1882 * only password based security, and the same password for all
1883 * operations, are supported.
1885 * The private keys may be RSA PKCS#1 or DSA private keys encoded in
1888 * PKCS#12 file may contain many keys and/or certificates, and there
1889 * is no way to identify which key/certificate pair you want. You
1890 * should make sure the PKCS#12 file only contain one key/certificate
1891 * pair and/or one CRL.
1893 * It is believed that the limitations of this function is acceptable
1894 * for most usage, and that any more flexibility would introduce
1895 * complexity that would make it harder to use this functionality at
1898 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1901 gnutls_certificate_set_x509_simple_pkcs12_file
1902 (gnutls_certificate_credentials_t res
, const char *pkcs12file
,
1903 gnutls_x509_crt_fmt_t type
, const char *password
)
1905 gnutls_datum_t p12blob
;
1909 p12blob
.data
= read_binary_file (pkcs12file
, &size
);
1910 p12blob
.size
= (unsigned int) size
;
1911 if (p12blob
.data
== NULL
)
1914 return GNUTLS_E_FILE_ERROR
;
1918 gnutls_certificate_set_x509_simple_pkcs12_mem (res
, &p12blob
, type
,
1920 free (p12blob
.data
);
1926 * gnutls_certificate_set_x509_simple_pkcs12_mem:
1927 * @res: is a #gnutls_certificate_credentials_t structure.
1928 * @p12blob: the PKCS#12 blob.
1929 * @type: is PEM or DER of the @pkcs12file.
1930 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
1932 * This function sets a certificate/private key pair and/or a CRL in
1933 * the gnutls_certificate_credentials_t structure. This function may
1934 * be called more than once (in case multiple keys/certificates exist
1937 * MAC:ed PKCS#12 files are supported. Encrypted PKCS#12 bags are
1938 * supported. Encrypted PKCS#8 private keys are supported. However,
1939 * only password based security, and the same password for all
1940 * operations, are supported.
1942 * The private keys may be RSA PKCS#1 or DSA private keys encoded in
1945 * PKCS#12 file may contain many keys and/or certificates, and there
1946 * is no way to identify which key/certificate pair you want. You
1947 * should make sure the PKCS#12 file only contain one key/certificate
1948 * pair and/or one CRL.
1950 * It is believed that the limitations of this function is acceptable
1951 * for most usage, and that any more flexibility would introduce
1952 * complexity that would make it harder to use this functionality at
1955 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1960 gnutls_certificate_set_x509_simple_pkcs12_mem
1961 (gnutls_certificate_credentials_t res
, const gnutls_datum_t
* p12blob
,
1962 gnutls_x509_crt_fmt_t type
, const char *password
)
1964 gnutls_pkcs12_t p12
;
1965 gnutls_x509_privkey_t key
= NULL
;
1966 gnutls_x509_crt_t cert
= NULL
;
1967 gnutls_x509_crl_t crl
= NULL
;
1970 ret
= gnutls_pkcs12_init (&p12
);
1977 ret
= gnutls_pkcs12_import (p12
, p12blob
, type
, 0);
1981 gnutls_pkcs12_deinit (p12
);
1987 ret
= gnutls_pkcs12_verify_mac (p12
, password
);
1991 gnutls_pkcs12_deinit (p12
);
1996 ret
= parse_pkcs12 (res
, p12
, password
, &key
, &cert
, &crl
);
1997 gnutls_pkcs12_deinit (p12
);
2006 ret
= gnutls_certificate_set_x509_key (res
, &cert
, 1, key
);
2016 ret
= gnutls_certificate_set_x509_crl (res
, &crl
, 1);
2024 /* check if the key and certificate found match */
2025 if (key
&& (ret
= _gnutls_check_key_cert_match (res
)) < 0)
2035 gnutls_x509_crt_deinit (cert
);
2037 gnutls_x509_privkey_deinit (key
);
2039 gnutls_x509_crl_deinit (crl
);
2047 * gnutls_certificate_free_crls:
2048 * @sc: is a #gnutls_certificate_credentials_t structure.
2050 * This function will delete all the CRLs associated
2051 * with the given credentials.
2054 gnutls_certificate_free_crls (gnutls_certificate_credentials_t sc
)
2058 for (j
= 0; j
< sc
->x509_ncrls
; j
++)
2060 gnutls_x509_crl_deinit (sc
->x509_crl_list
[j
]);
2065 gnutls_free (sc
->x509_crl_list
);
2066 sc
->x509_crl_list
= NULL
;