search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Remove.
[gnutls.git] / lib / gnutls_x509.c
blob44a9042331f8c37ef973ab232ef5c59c3d451094
1 /*
2 * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010
3 * Free Software Foundation, Inc.
4 *
5 * Author: Nikos Mavrogiannopoulos
6 *
7 * This file is part of GNUTLS.
8 *
9 * The GNUTLS library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
22 * USA
23 *
24 */
25
26 #include <gnutls_int.h>
27 #include "gnutls_auth.h"
28 #include "gnutls_errors.h"
29 #include <gnutls_cert.h>
30 #include <auth_cert.h>
31 #include "gnutls_dh.h"
32 #include "gnutls_num.h"
33 #include "gnutls_datum.h"
34 #include <gnutls_pk.h>
35 #include <gnutls_algorithms.h>
36 #include <gnutls_global.h>
37 #include <gnutls_record.h>
38 #include <gnutls_sig.h>
39 #include <gnutls_state.h>
40 #include <gnutls_pk.h>
41 #include <gnutls_str.h>
42 #include <debug.h>
43 #include <x509_b64.h>
44 #include <gnutls_x509.h>
45 #include "x509/common.h"
46 #include "x509/x509_int.h"
47 #include "read-file.h"
48
49 /*
50 * some x509 certificate parsing functions.
51 */
52
53 /* Check if the number of bits of the key in the certificate
54 * is unacceptable.
55 */
56 inline static int
57 check_bits (gnutls_x509_crt_t crt, unsigned int max_bits)
58 {
59 int ret;
60 unsigned int bits;
61
62 ret = gnutls_x509_crt_get_pk_algorithm (crt, &bits);
63 if (ret < 0)
64 {
65 gnutls_assert ();
66 return ret;
67 }
68
69 if (bits > max_bits && max_bits > 0)
70 {
71 gnutls_assert ();
72 return GNUTLS_E_CONSTRAINT_ERROR;
73 }
74
75 return 0;
76 }
77
78
79 #define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) { \
80 if (peer_certificate_list[x]) \
81 gnutls_x509_crt_deinit(peer_certificate_list[x]); \
82 } \
83 gnutls_free( peer_certificate_list)
84
85 /*-
86 * _gnutls_x509_cert_verify_peers - return the peer's certificate status
87 * @session: is a gnutls session
88 *
89 * This function will try to verify the peer's certificate and return its status (TRUSTED, REVOKED etc.).
90 * The return value (status) should be one of the gnutls_certificate_status_t enumerated elements.
91 * However you must also check the peer's name in order to check if the verified certificate belongs to the
92 * actual peer. Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
93 -*/
94 int
95 _gnutls_x509_cert_verify_peers (gnutls_session_t session,
96 unsigned int *status)
97 {
98 cert_auth_info_t info;
99 gnutls_certificate_credentials_t cred;
100 gnutls_x509_crt_t *peer_certificate_list;
101 int peer_certificate_list_size, i, x, ret;
102
103 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
104
105 info = _gnutls_get_auth_info (session);
106 if (info == NULL)
107 {
108 gnutls_assert ();
109 return GNUTLS_E_INVALID_REQUEST;
110 }
111
112 cred = (gnutls_certificate_credentials_t)
113 _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL);
114 if (cred == NULL)
115 {
116 gnutls_assert ();
117 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
118 }
119
120 if (info->raw_certificate_list == NULL || info->ncerts == 0)
121 return GNUTLS_E_NO_CERTIFICATE_FOUND;
122
123 if (info->ncerts > cred->verify_depth && cred->verify_depth > 0)
124 {
125 gnutls_assert ();
126 return GNUTLS_E_CONSTRAINT_ERROR;
127 }
128
129 /* generate a list of gnutls_certs based on the auth info
130 * raw certs.
131 */
132 peer_certificate_list_size = info->ncerts;
133 peer_certificate_list =
134 gnutls_calloc (peer_certificate_list_size, sizeof (gnutls_x509_crt_t));
135 if (peer_certificate_list == NULL)
136 {
137 gnutls_assert ();
138 return GNUTLS_E_MEMORY_ERROR;
139 }
140
141 for (i = 0; i < peer_certificate_list_size; i++)
142 {
143 ret = gnutls_x509_crt_init (&peer_certificate_list[i]);
144 if (ret < 0)
145 {
146 gnutls_assert ();
147 CLEAR_CERTS;
148 return ret;
149 }
150
151 ret =
152 gnutls_x509_crt_import (peer_certificate_list[i],
153 &info->raw_certificate_list[i],
154 GNUTLS_X509_FMT_DER);
155 if (ret < 0)
156 {
157 gnutls_assert ();
158 CLEAR_CERTS;
159 return ret;
160 }
161
162
163 if (ret < 0)
164 {
165 gnutls_assert ();
166 CLEAR_CERTS;
167 return ret;
168 }
169
170 ret = check_bits (peer_certificate_list[i], cred->verify_bits);
171 if (ret < 0)
172 {
173 gnutls_assert ();
174 CLEAR_CERTS;
175 return ret;
176 }
177
178 }
179
180 /* Verify certificate
181 */
182
183 ret = gnutls_x509_crt_list_verify (peer_certificate_list,
184 peer_certificate_list_size,
185 cred->x509_ca_list, cred->x509_ncas,
186 cred->x509_crl_list, cred->x509_ncrls,
187 cred->verify_flags | session->
188 internals.priorities.
189 additional_verify_flags, status);
190
191 CLEAR_CERTS;
192
193 if (ret < 0)
194 {
195 gnutls_assert ();
196 return ret;
197 }
198
199 return 0;
200 }
201
202 /*
203 * Read certificates and private keys, from files, memory etc.
204 */
205
206 /* returns error if the certificate has different algorithm than
207 * the given key parameters.
208 */
209 static int
210 _gnutls_check_key_cert_match (gnutls_certificate_credentials_t res)
211 {
212 gnutls_datum_t cid;
213 gnutls_datum_t kid;
214 unsigned pk = res->cert_list[res->ncerts - 1][0].subject_pk_algorithm;
215
216 if (res->pkey[res->ncerts - 1].pk_algorithm != pk)
217 {
218 gnutls_assert ();
219 return GNUTLS_E_CERTIFICATE_KEY_MISMATCH;
220 }
221
222 if (pk == GNUTLS_PK_RSA)
223 {
224 _gnutls_x509_write_rsa_params (res->pkey[res->ncerts - 1].params,
225 res->pkey[res->ncerts -
226 1].params_size, &kid);
227
228
229 _gnutls_x509_write_rsa_params (res->cert_list[res->ncerts - 1][0].
230 params,
231 res->cert_list[res->ncerts -
232 1][0].params_size, &cid);
233 }
234 else if (pk == GNUTLS_PK_DSA)
235 {
236
237 _gnutls_x509_write_dsa_params (res->pkey[res->ncerts - 1].params,
238 res->pkey[res->ncerts -
239 1].params_size, &kid);
240
241 _gnutls_x509_write_dsa_params (res->cert_list[res->ncerts - 1][0].
242 params,
243 res->cert_list[res->ncerts -
244 1][0].params_size, &cid);
245 }
246
247 if (cid.size != kid.size)
248 {
249 gnutls_assert ();
250 _gnutls_free_datum (&kid);
251 _gnutls_free_datum (&cid);
252 return GNUTLS_E_CERTIFICATE_KEY_MISMATCH;
253 }
254
255 if (memcmp (kid.data, cid.data, kid.size) != 0)
256 {
257 gnutls_assert ();
258 _gnutls_free_datum (&kid);
259 _gnutls_free_datum (&cid);
260 return GNUTLS_E_CERTIFICATE_KEY_MISMATCH;
261 }
262
263 _gnutls_free_datum (&kid);
264 _gnutls_free_datum (&cid);
265 return 0;
266 }
267
268 /* Reads a DER encoded certificate list from memory and stores it to a
269 * gnutls_cert structure. Returns the number of certificates parsed.
270 */
271 static int
272 parse_crt_mem (gnutls_cert ** cert_list, unsigned *ncerts,
273 gnutls_x509_crt_t cert)
274 {
275 int i;
276 int ret;
277
278 i = *ncerts + 1;
279
280 *cert_list =
281 (gnutls_cert *) gnutls_realloc_fast (*cert_list,
282 i * sizeof (gnutls_cert));
283
284 if (*cert_list == NULL)
285 {
286 gnutls_assert ();
287 return GNUTLS_E_MEMORY_ERROR;
288 }
289
290 ret = _gnutls_x509_crt_to_gcert (&cert_list[0][i - 1], cert, 0);
291 if (ret < 0)
292 {
293 gnutls_assert ();
294 return ret;
295 }
296
297 *ncerts = i;
298
299 return 1; /* one certificate parsed */
300 }
301
302 /* Reads a DER encoded certificate list from memory and stores it to a
303 * gnutls_cert structure. Returns the number of certificates parsed.
304 */
305 static int
306 parse_der_cert_mem (gnutls_cert ** cert_list, unsigned *ncerts,
307 const void *input_cert, int input_cert_size)
308 {
309 gnutls_datum_t tmp;
310 gnutls_x509_crt_t cert;
311 int ret;
312
313 ret = gnutls_x509_crt_init (&cert);
314 if (ret < 0)
315 {
316 gnutls_assert ();
317 return ret;
318 }
319
320 tmp.data = (opaque *) input_cert;
321 tmp.size = input_cert_size;
322
323 ret = gnutls_x509_crt_import (cert, &tmp, GNUTLS_X509_FMT_DER);
324 if (ret < 0)
325 {
326 gnutls_assert ();
327 gnutls_x509_crt_deinit (cert);
328 return ret;
329 }
330
331 ret = parse_crt_mem (cert_list, ncerts, cert);
332 gnutls_x509_crt_deinit (cert);
333
334 return ret;
335 }
336
337 /* Reads a base64 encoded certificate list from memory and stores it to
338 * a gnutls_cert structure. Returns the number of certificate parsed.
339 */
340 static int
341 parse_pem_cert_mem (gnutls_cert ** cert_list, unsigned *ncerts,
342 const char *input_cert, int input_cert_size)
343 {
344 int size, siz2, i;
345 const char *ptr;
346 opaque *ptr2;
347 gnutls_datum_t tmp;
348 int ret, count;
349
350 /* move to the certificate
351 */
352 ptr = memmem (input_cert, input_cert_size,
353 PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
354 if (ptr == NULL)
355 ptr = memmem (input_cert, input_cert_size,
356 PEM_CERT_SEP2, sizeof (PEM_CERT_SEP2) - 1);
357
358 if (ptr == NULL)
359 {
360 gnutls_assert ();
361 return GNUTLS_E_BASE64_DECODING_ERROR;
362 }
363 size = input_cert_size - (ptr - input_cert);
364
365 i = *ncerts + 1;
366 count = 0;
367
368 do
369 {
370
371 siz2 = _gnutls_fbase64_decode (NULL, ptr, size, &ptr2);
372
373 if (siz2 < 0)
374 {
375 gnutls_assert ();
376 return GNUTLS_E_BASE64_DECODING_ERROR;
377 }
378
379 *cert_list =
380 (gnutls_cert *) gnutls_realloc_fast (*cert_list,
381 i * sizeof (gnutls_cert));
382
383 if (*cert_list == NULL)
384 {
385 gnutls_assert ();
386 return GNUTLS_E_MEMORY_ERROR;
387 }
388
389 tmp.data = ptr2;
390 tmp.size = siz2;
391
392 ret = _gnutls_x509_raw_cert_to_gcert (&cert_list[0][i - 1], &tmp, 0);
393 if (ret < 0)
394 {
395 gnutls_assert ();
396 return ret;
397 }
398 _gnutls_free_datum (&tmp); /* free ptr2 */
399
400 /* now we move ptr after the pem header
401 */
402 ptr++;
403 /* find the next certificate (if any)
404 */
405 size = input_cert_size - (ptr - input_cert);
406
407 if (size > 0)
408 {
409 char *ptr3;
410
411 ptr3 = memmem (ptr, size, PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
412 if (ptr3 == NULL)
413 ptr3 = memmem (ptr, size, PEM_CERT_SEP2,
414 sizeof (PEM_CERT_SEP2) - 1);
415
416 ptr = ptr3;
417 }
418 else
419 ptr = NULL;
420
421 i++;
422 count++;
423
424 }
425 while (ptr != NULL);
426
427 *ncerts = i - 1;
428
429 return count;
430 }
431
432
433
434 /* Reads a DER or PEM certificate from memory
435 */
436 static int
437 read_cert_mem (gnutls_certificate_credentials_t res, const void *cert,
438 int cert_size, gnutls_x509_crt_fmt_t type)
439 {
440 int ret;
441
442 /* allocate space for the certificate to add
443 */
444 res->cert_list = gnutls_realloc_fast (res->cert_list,
445 (1 +
446 res->ncerts) *
447 sizeof (gnutls_cert *));
448 if (res->cert_list == NULL)
449 {
450 gnutls_assert ();
451 return GNUTLS_E_MEMORY_ERROR;
452 }
453
454 res->cert_list_length = gnutls_realloc_fast (res->cert_list_length,
455 (1 +
456 res->ncerts) * sizeof (int));
457 if (res->cert_list_length == NULL)
458 {
459 gnutls_assert ();
460 return GNUTLS_E_MEMORY_ERROR;
461 }
462
463 res->cert_list[res->ncerts] = NULL; /* for realloc */
464 res->cert_list_length[res->ncerts] = 0;
465
466 if (type == GNUTLS_X509_FMT_DER)
467 ret = parse_der_cert_mem (&res->cert_list[res->ncerts],
468 &res->cert_list_length[res->ncerts],
469 cert, cert_size);
470 else
471 ret = parse_pem_cert_mem (&res->cert_list[res->ncerts],
472 &res->cert_list_length[res->ncerts], cert,
473 cert_size);
474
475 if (ret < 0)
476 {
477 gnutls_assert ();
478 return ret;
479 }
480
481 return ret;
482 }
483
484
485 int
486 _gnutls_x509_privkey_to_gkey (gnutls_privkey * dest,
487 gnutls_x509_privkey_t src)
488 {
489 int i, ret;
490
491 memset (dest, 0, sizeof (gnutls_privkey));
492
493 for (i = 0; i < src->params_size; i++)
494 {
495 dest->params[i] = _gnutls_mpi_copy (src->params[i]);
496 if (dest->params[i] == NULL)
497 {
498 gnutls_assert ();
499 ret = GNUTLS_E_MEMORY_ERROR;
500 goto cleanup;
501 }
502 }
503
504 dest->pk_algorithm = src->pk_algorithm;
505 dest->params_size = src->params_size;
506
507 return 0;
508
509 cleanup:
510
511 for (i = 0; i < src->params_size; i++)
512 {
513 _gnutls_mpi_release (&dest->params[i]);
514 }
515 return ret;
516 }
517
518 void
519 _gnutls_gkey_deinit (gnutls_privkey * key)
520 {
521 int i;
522 if (key == NULL)
523 return;
524
525 for (i = 0; i < key->params_size; i++)
526 {
527 _gnutls_mpi_release (&key->params[i]);
528 }
529 }
530
531 int
532 _gnutls_x509_raw_privkey_to_gkey (gnutls_privkey * privkey,
533 const gnutls_datum_t * raw_key,
534 gnutls_x509_crt_fmt_t type)
535 {
536 gnutls_x509_privkey_t tmpkey;
537 int ret;
538
539 ret = gnutls_x509_privkey_init (&tmpkey);
540 if (ret < 0)
541 {
542 gnutls_assert ();
543 return ret;
544 }
545
546 ret = gnutls_x509_privkey_import (tmpkey, raw_key, type);
547
548 #ifdef ENABLE_PKI
549 /* If normal key decoding doesn't work try decoding a plain PKCS #8 key */
550 if (ret < 0)
551 ret = gnutls_x509_privkey_import_pkcs8 (tmpkey, raw_key, type,
552 NULL, GNUTLS_PKCS_PLAIN);
553 #endif
554
555 if (ret < 0)
556 {
557 gnutls_assert ();
558 gnutls_x509_privkey_deinit (tmpkey);
559 return ret;
560 }
561
562 ret = _gnutls_x509_privkey_to_gkey (privkey, tmpkey);
563 if (ret < 0)
564 {
565 gnutls_assert ();
566 gnutls_x509_privkey_deinit (tmpkey);
567 return ret;
568 }
569
570 gnutls_x509_privkey_deinit (tmpkey);
571
572 return 0;
573 }
574
575 /* Reads a PEM encoded PKCS-1 RSA/DSA private key from memory. Type
576 * indicates the certificate format. KEY can be NULL, to indicate
577 * that GnuTLS doesn't know the private key.
578 */
579 static int
580 read_key_mem (gnutls_certificate_credentials_t res,
581 const void *key, int key_size, gnutls_x509_crt_fmt_t type)
582 {
583 int ret;
584 gnutls_datum_t tmp;
585
586 /* allocate space for the pkey list
587 */
588 res->pkey =
589 gnutls_realloc_fast (res->pkey,
590 (res->ncerts + 1) * sizeof (gnutls_privkey));
591 if (res->pkey == NULL)
592 {
593 gnutls_assert ();
594 return GNUTLS_E_MEMORY_ERROR;
595 }
596
597 if (key)
598 {
599 tmp.data = (opaque *) key;
600 tmp.size = key_size;
601
602 ret =
603 _gnutls_x509_raw_privkey_to_gkey (&res->pkey[res->ncerts], &tmp,
604 type);
605 if (ret < 0)
606 {
607 gnutls_assert ();
608 return ret;
609 }
610 }
611 else
612 memset (&res->pkey[res->ncerts], 0, sizeof (gnutls_privkey));
613
614 return 0;
615 }
616
617 /* Reads a certificate file
618 */
619 static int
620 read_cert_file (gnutls_certificate_credentials_t res,
621 const char *certfile, gnutls_x509_crt_fmt_t type)
622 {
623 int ret;
624 size_t size;
625 char *data = read_binary_file (certfile, &size);
626
627 if (data == NULL)
628 {
629 gnutls_assert ();
630 return GNUTLS_E_FILE_ERROR;
631 }
632
633 ret = read_cert_mem (res, data, size, type);
634 free (data);
635
636 return ret;
637
638 }
639
640
641
642 /* Reads PKCS-1 RSA private key file or a DSA file (in the format openssl
643 * stores it).
644 */
645 static int
646 read_key_file (gnutls_certificate_credentials_t res,
647 const char *keyfile, gnutls_x509_crt_fmt_t type)
648 {
649 int ret;
650 size_t size;
651 char *data = read_binary_file (keyfile, &size);
652
653 if (data == NULL)
654 {
655 gnutls_assert ();
656 return GNUTLS_E_FILE_ERROR;
657 }
658
659 ret = read_key_mem (res, data, size, type);
660 free (data);
661
662 return ret;
663 }
664
665 /**
666 * gnutls_certificate_set_x509_key_mem:
667 * @res: is a #gnutls_certificate_credentials_t structure.
668 * @cert: contains a certificate list (path) for the specified private key
669 * @key: is the private key, or %NULL
670 * @type: is PEM or DER
671 *
672 * This function sets a certificate/private key pair in the
673 * gnutls_certificate_credentials_t structure. This function may be called
674 * more than once (in case multiple keys/certificates exist for the
675 * server).
676 *
677 * Currently are supported: RSA PKCS-1 encoded private keys,
678 * DSA private keys.
679 *
680 * DSA private keys are encoded the OpenSSL way, which is an ASN.1
681 * DER sequence of 6 INTEGERs - version, p, q, g, pub, priv.
682 *
683 * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates
684 * is supported. This means that certificates intended for signing cannot
685 * be used for ciphersuites that require encryption.
686 *
687 * If the certificate and the private key are given in PEM encoding
688 * then the strings that hold their values must be null terminated.
689 *
690 * The @key may be %NULL if you are using a sign callback, see
691 * gnutls_sign_callback_set().
692 *
693 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
694 **/
695 int
696 gnutls_certificate_set_x509_key_mem (gnutls_certificate_credentials_t res,
697 const gnutls_datum_t * cert,
698 const gnutls_datum_t * key,
699 gnutls_x509_crt_fmt_t type)
700 {
701 int ret;
702
703 /* this should be first
704 */
705 if ((ret = read_key_mem (res, key ? key->data : NULL,
706 key ? key->size : 0, type)) < 0)
707 return ret;
708
709 if ((ret = read_cert_mem (res, cert->data, cert->size, type)) < 0)
710 return ret;
711
712 res->ncerts++;
713
714 if (key && (ret = _gnutls_check_key_cert_match (res)) < 0)
715 {
716 gnutls_assert ();
717 return ret;
718 }
719
720 return 0;
721 }
722
723 /**
724 * gnutls_certificate_set_x509_key:
725 * @res: is a #gnutls_certificate_credentials_t structure.
726 * @cert_list: contains a certificate list (path) for the specified private key
727 * @cert_list_size: holds the size of the certificate list
728 * @key: is a gnutls_x509_privkey_t key
729 *
730 * This function sets a certificate/private key pair in the
731 * gnutls_certificate_credentials_t structure. This function may be
732 * called more than once (in case multiple keys/certificates exist for
733 * the server). For clients that wants to send more than its own end
734 * entity certificate (e.g., also an intermediate CA cert) then put
735 * the certificate chain in @cert_list.
736 *
737 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
738 *
739 * Since: 2.4.0
740 **/
741 int
742 gnutls_certificate_set_x509_key (gnutls_certificate_credentials_t res,
743 gnutls_x509_crt_t * cert_list,
744 int cert_list_size,
745 gnutls_x509_privkey_t key)
746 {
747 int ret, i;
748
749 /* this should be first
750 */
751
752 res->pkey =
753 gnutls_realloc_fast (res->pkey,
754 (res->ncerts + 1) * sizeof (gnutls_privkey));
755 if (res->pkey == NULL)
756 {
757 gnutls_assert ();
758 return GNUTLS_E_MEMORY_ERROR;
759 }
760
761 ret = _gnutls_x509_privkey_to_gkey (&res->pkey[res->ncerts], key);
762 if (ret < 0)
763 {
764 gnutls_assert ();
765 return ret;
766 }
767
768 res->cert_list = gnutls_realloc_fast (res->cert_list,
769 (1 +
770 res->ncerts) *
771 sizeof (gnutls_cert *));
772 if (res->cert_list == NULL)
773 {
774 gnutls_assert ();
775 return GNUTLS_E_MEMORY_ERROR;
776 }
777
778 res->cert_list_length = gnutls_realloc_fast (res->cert_list_length,
779 (1 +
780 res->ncerts) * sizeof (int));
781 if (res->cert_list_length == NULL)
782 {
783 gnutls_assert ();
784 return GNUTLS_E_MEMORY_ERROR;
785 }
786
787 res->cert_list[res->ncerts] = NULL; /* for realloc */
788 res->cert_list_length[res->ncerts] = 0;
789
790
791 for (i = 0; i < cert_list_size; i++)
792 {
793 ret = parse_crt_mem (&res->cert_list[res->ncerts],
794 &res->cert_list_length[res->ncerts], cert_list[i]);
795 if (ret < 0)
796 {
797 gnutls_assert ();
798 return ret;
799 }
800 }
801 res->ncerts++;
802
803 if ((ret = _gnutls_check_key_cert_match (res)) < 0)
804 {
805 gnutls_assert ();
806 return ret;
807 }
808
809 return 0;
810 }
811
812 /**
813 * gnutls_certificate_set_x509_key_file:
814 * @res: is a #gnutls_certificate_credentials_t structure.
815 * @certfile: is a file that containing the certificate list (path) for
816 * the specified private key, in PKCS7 format, or a list of certificates
817 * @keyfile: is a file that contains the private key
818 * @type: is PEM or DER
819 *
820 * This function sets a certificate/private key pair in the
821 * gnutls_certificate_credentials_t structure. This function may be
822 * called more than once (in case multiple keys/certificates exist for
823 * the server). For clients that wants to send more than its own end
824 * entity certificate (e.g., also an intermediate CA cert) then put
825 * the certificate chain in @certfile.
826 *
827 * Currently only PKCS-1 encoded RSA and DSA private keys are accepted by
828 * this function.
829 *
830 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
831 **/
832 int
833 gnutls_certificate_set_x509_key_file (gnutls_certificate_credentials_t res,
834 const char *certfile,
835 const char *keyfile,
836 gnutls_x509_crt_fmt_t type)
837 {
838 int ret;
839
840 /* this should be first
841 */
842 if ((ret = read_key_file (res, keyfile, type)) < 0)
843 return ret;
844
845 if ((ret = read_cert_file (res, certfile, type)) < 0)
846 return ret;
847
848 res->ncerts++;
849
850 if ((ret = _gnutls_check_key_cert_match (res)) < 0)
851 {
852 gnutls_assert ();
853 return ret;
854 }
855
856 return 0;
857 }
858
859 static int
860 add_new_crt_to_rdn_seq (gnutls_certificate_credentials_t res, int new)
861 {
862 gnutls_datum_t tmp;
863 int ret;
864 size_t newsize;
865 unsigned char *newdata;
866 unsigned i;
867
868 /* Add DN of the last added CAs to the RDN sequence
869 * This will be sent to clients when a certificate
870 * request message is sent.
871 */
872
873 /* FIXME: in case of a client it is not needed
874 * to do that. This would save time and memory.
875 * However we don't have that information available
876 * here.
877 * Further, this function is now much more efficient,
878 * so optimizing that is less important.
879 */
880
881 for (i = res->x509_ncas - new; i < res->x509_ncas; i++)
882 {
883 if ((ret = gnutls_x509_crt_get_raw_dn (res->x509_ca_list[i], &tmp)) < 0)
884 {
885 gnutls_assert ();
886 return ret;
887 }
888
889 newsize = res->x509_rdn_sequence.size + 2 + tmp.size;
890 if (newsize < res->x509_rdn_sequence.size)
891 {
892 gnutls_assert ();
893 _gnutls_free_datum (&tmp);
894 return GNUTLS_E_SHORT_MEMORY_BUFFER;
895 }
896
897 newdata = gnutls_realloc (res->x509_rdn_sequence.data, newsize);
898 if (newdata == NULL)
899 {
900 gnutls_assert ();
901 _gnutls_free_datum (&tmp);
902 return GNUTLS_E_MEMORY_ERROR;
903 }
904
905 _gnutls_write_datum16 (newdata + res->x509_rdn_sequence.size, tmp);
906 _gnutls_free_datum (&tmp);
907
908 res->x509_rdn_sequence.size = newsize;
909 res->x509_rdn_sequence.data = newdata;
910 }
911
912 return 0;
913 }
914
915 /* Returns 0 if it's ok to use the gnutls_kx_algorithm_t with this
916 * certificate (uses the KeyUsage field).
917 */
918 int
919 _gnutls_check_key_usage (const gnutls_cert * cert, gnutls_kx_algorithm_t alg)
920 {
921 unsigned int key_usage = 0;
922 int encipher_type;
923
924 if (cert == NULL)
925 {
926 gnutls_assert ();
927 return GNUTLS_E_INTERNAL_ERROR;
928 }
929
930 if (_gnutls_map_kx_get_cred (alg, 1) == GNUTLS_CRD_CERTIFICATE ||
931 _gnutls_map_kx_get_cred (alg, 0) == GNUTLS_CRD_CERTIFICATE)
932 {
933
934 key_usage = cert->key_usage;
935
936 encipher_type = _gnutls_kx_encipher_type (alg);
937
938 if (key_usage != 0 && encipher_type != CIPHER_IGN)
939 {
940 /* If key_usage has been set in the certificate
941 */
942
943 if (encipher_type == CIPHER_ENCRYPT)
944 {
945 /* If the key exchange method requires an encipher
946 * type algorithm, and key's usage does not permit
947 * encipherment, then fail.
948 */
949 if (!(key_usage & KEY_KEY_ENCIPHERMENT))
950 {
951 gnutls_assert ();
952 return GNUTLS_E_KEY_USAGE_VIOLATION;
953 }
954 }
955
956 if (encipher_type == CIPHER_SIGN)
957 {
958 /* The same as above, but for sign only keys
959 */
960 if (!(key_usage & KEY_DIGITAL_SIGNATURE))
961 {
962 gnutls_assert ();
963 return GNUTLS_E_KEY_USAGE_VIOLATION;
964 }
965 }
966 }
967 }
968 return 0;
969 }
970
971
972
973 static int
974 parse_pem_ca_mem (gnutls_x509_crt_t ** cert_list, unsigned *ncerts,
975 const opaque * input_cert, int input_cert_size)
976 {
977 int i, size;
978 const opaque *ptr;
979 gnutls_datum_t tmp;
980 int ret, count;
981
982 /* move to the certificate
983 */
984 ptr = memmem (input_cert, input_cert_size,
985 PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
986 if (ptr == NULL)
987 ptr = memmem (input_cert, input_cert_size,
988 PEM_CERT_SEP2, sizeof (PEM_CERT_SEP2) - 1);
989
990 if (ptr == NULL)
991 {
992 gnutls_assert ();
993 return GNUTLS_E_BASE64_DECODING_ERROR;
994 }
995 size = input_cert_size - (ptr - input_cert);
996
997 i = *ncerts + 1;
998 count = 0;
999
1000 do
1001 {
1002
1003 *cert_list =
1004 (gnutls_x509_crt_t *) gnutls_realloc_fast (*cert_list,
1005 i *
1006 sizeof
1007 (gnutls_x509_crt_t));
1008
1009 if (*cert_list == NULL)
1010 {
1011 gnutls_assert ();
1012 return GNUTLS_E_MEMORY_ERROR;
1013 }
1014
1015 ret = gnutls_x509_crt_init (&cert_list[0][i - 1]);
1016 if (ret < 0)
1017 {
1018 gnutls_assert ();
1019 return ret;
1020 }
1021
1022 tmp.data = (opaque *) ptr;
1023 tmp.size = size;
1024
1025 ret =
1026 gnutls_x509_crt_import (cert_list[0][i - 1],
1027 &tmp, GNUTLS_X509_FMT_PEM);
1028 if (ret < 0)
1029 {
1030 gnutls_assert ();
1031 return ret;
1032 }
1033
1034 /* now we move ptr after the pem header
1035 */
1036 ptr++;
1037 size--;
1038 /* find the next certificate (if any)
1039 */
1040
1041 if (size > 0)
1042 {
1043 char *ptr3;
1044
1045 ptr3 = memmem (ptr, size, PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
1046 if (ptr3 == NULL)
1047 ptr3 = memmem (ptr, size,
1048 PEM_CERT_SEP2, sizeof (PEM_CERT_SEP2) - 1);
1049
1050 ptr = ptr3;
1051 size = input_cert_size - (ptr - input_cert);
1052 }
1053 else
1054 ptr = NULL;
1055
1056 i++;
1057 count++;
1058
1059 }
1060 while (ptr != NULL);
1061
1062 *ncerts = i - 1;
1063
1064 return count;
1065 }
1066
1067 /* Reads a DER encoded certificate list from memory and stores it to a
1068 * gnutls_cert structure. Returns the number of certificates parsed.
1069 */
1070 static int
1071 parse_der_ca_mem (gnutls_x509_crt_t ** cert_list, unsigned *ncerts,
1072 const void *input_cert, int input_cert_size)
1073 {
1074 int i;
1075 gnutls_datum_t tmp;
1076 int ret;
1077
1078 i = *ncerts + 1;
1079
1080 *cert_list =
1081 (gnutls_x509_crt_t *) gnutls_realloc_fast (*cert_list,
1082 i *
1083 sizeof (gnutls_x509_crt_t));
1084
1085 if (*cert_list == NULL)
1086 {
1087 gnutls_assert ();
1088 return GNUTLS_E_MEMORY_ERROR;
1089 }
1090
1091 tmp.data = (opaque *) input_cert;
1092 tmp.size = input_cert_size;
1093
1094 ret = gnutls_x509_crt_init (&cert_list[0][i - 1]);
1095 if (ret < 0)
1096 {
1097 gnutls_assert ();
1098 return ret;
1099 }
1100
1101 ret =
1102 gnutls_x509_crt_import (cert_list[0][i - 1], &tmp, GNUTLS_X509_FMT_DER);
1103 if (ret < 0)
1104 {
1105 gnutls_assert ();
1106 return ret;
1107 }
1108
1109 *ncerts = i;
1110
1111 return 1; /* one certificate parsed */
1112 }
1113
1114 /**
1115 * gnutls_certificate_set_x509_trust_mem:
1116 * @res: is a #gnutls_certificate_credentials_t structure.
1117 * @ca: is a list of trusted CAs or a DER certificate
1118 * @type: is DER or PEM
1119 *
1120 * This function adds the trusted CAs in order to verify client or
1121 * server certificates. In case of a client this is not required to be
1122 * called if the certificates are not verified using
1123 * gnutls_certificate_verify_peers2(). This function may be called
1124 * multiple times.
1125 *
1126 * In case of a server the CAs set here will be sent to the client if
1127 * a certificate request is sent. This can be disabled using
1128 * gnutls_certificate_send_x509_rdn_sequence().
1129 *
1130 * Returns: the number of certificates processed or a negative value
1131 * on error.
1132 **/
1133 int
1134 gnutls_certificate_set_x509_trust_mem (gnutls_certificate_credentials_t res,
1135 const gnutls_datum_t * ca,
1136 gnutls_x509_crt_fmt_t type)
1137 {
1138 int ret, ret2;
1139
1140 if (type == GNUTLS_X509_FMT_DER)
1141 ret = parse_der_ca_mem (&res->x509_ca_list, &res->x509_ncas,
1142 ca->data, ca->size);
1143 else
1144 ret = parse_pem_ca_mem (&res->x509_ca_list, &res->x509_ncas,
1145 ca->data, ca->size);
1146
1147 if ((ret2 = add_new_crt_to_rdn_seq (res, ret)) < 0)
1148 return ret2;
1149
1150 return ret;
1151 }
1152
1153 /**
1154 * gnutls_certificate_set_x509_trust:
1155 * @res: is a #gnutls_certificate_credentials_t structure.
1156 * @ca_list: is a list of trusted CAs
1157 * @ca_list_size: holds the size of the CA list
1158 *
1159 * This function adds the trusted CAs in order to verify client
1160 * or server certificates. In case of a client this is not required
1161 * to be called if the certificates are not verified using
1162 * gnutls_certificate_verify_peers2().
1163 * This function may be called multiple times.
1164 *
1165 * In case of a server the CAs set here will be sent to the client if
1166 * a certificate request is sent. This can be disabled using
1167 * gnutls_certificate_send_x509_rdn_sequence().
1168 *
1169 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1170 *
1171 * Since: 2.4.0
1172 **/
1173 int
1174 gnutls_certificate_set_x509_trust (gnutls_certificate_credentials_t res,
1175 gnutls_x509_crt_t * ca_list,
1176 int ca_list_size)
1177 {
1178 int ret, i, ret2;
1179
1180 res->x509_ca_list = gnutls_realloc_fast (res->x509_ca_list,
1181 (ca_list_size +
1182 res->x509_ncas) *
1183 sizeof (gnutls_x509_crt_t));
1184 if (res->x509_ca_list == NULL)
1185 {
1186 gnutls_assert ();
1187 return GNUTLS_E_MEMORY_ERROR;
1188 }
1189
1190 for (i = 0; i < ca_list_size; i++)
1191 {
1192 ret = gnutls_x509_crt_init (&res->x509_ca_list[res->x509_ncas]);
1193 if (ret < 0)
1194 {
1195 gnutls_assert ();
1196 return ret;
1197 }
1198
1199 ret = _gnutls_x509_crt_cpy (res->x509_ca_list[res->x509_ncas],
1200 ca_list[i]);
1201 if (ret < 0)
1202 {
1203 gnutls_assert ();
1204 gnutls_x509_crt_deinit (res->x509_ca_list[res->x509_ncas]);
1205 return ret;
1206 }
1207 res->x509_ncas++;
1208 }
1209
1210 if ((ret2 = add_new_crt_to_rdn_seq (res, ca_list_size)) < 0)
1211 return ret2;
1212
1213 return 0;
1214 }
1215
1216 /**
1217 * gnutls_certificate_set_x509_trust_file:
1218 * @res: is a #gnutls_certificate_credentials_t structure.
1219 * @cafile: is a file containing the list of trusted CAs (DER or PEM list)
1220 * @type: is PEM or DER
1221 *
1222 * This function adds the trusted CAs in order to verify client or
1223 * server certificates. In case of a client this is not required to
1224 * be called if the certificates are not verified using
1225 * gnutls_certificate_verify_peers2(). This function may be called
1226 * multiple times.
1227 *
1228 * In case of a server the names of the CAs set here will be sent to
1229 * the client if a certificate request is sent. This can be disabled
1230 * using gnutls_certificate_send_x509_rdn_sequence().
1231 *
1232 * Returns: number of certificates processed, or a negative value on
1233 * error.
1234 **/
1235 int
1236 gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t res,
1237 const char *cafile,
1238 gnutls_x509_crt_fmt_t type)
1239 {
1240 int ret, ret2;
1241 size_t size;
1242 char *data = read_binary_file (cafile, &size);
1243
1244 if (data == NULL)
1245 {
1246 gnutls_assert ();
1247 return GNUTLS_E_FILE_ERROR;
1248 }
1249
1250 if (type == GNUTLS_X509_FMT_DER)
1251 ret = parse_der_ca_mem (&res->x509_ca_list, &res->x509_ncas, data, size);
1252 else
1253 ret = parse_pem_ca_mem (&res->x509_ca_list, &res->x509_ncas, data, size);
1254
1255 free (data);
1256
1257 if (ret < 0)
1258 {
1259 gnutls_assert ();
1260 return ret;
1261 }
1262
1263 if ((ret2 = add_new_crt_to_rdn_seq (res, ret)) < 0)
1264 return ret2;
1265
1266 return ret;
1267 }
1268
1269 #ifdef ENABLE_PKI
1270
1271 static int
1272 parse_pem_crl_mem (gnutls_x509_crl_t ** crl_list, unsigned *ncrls,
1273 const opaque * input_crl, int input_crl_size)
1274 {
1275 int size, i;
1276 const opaque *ptr;
1277 gnutls_datum_t tmp;
1278 int ret, count;
1279
1280 /* move to the certificate
1281 */
1282 ptr = memmem (input_crl, input_crl_size,
1283 PEM_CRL_SEP, sizeof (PEM_CRL_SEP) - 1);
1284 if (ptr == NULL)
1285 {
1286 gnutls_assert ();
1287 return GNUTLS_E_BASE64_DECODING_ERROR;
1288 }
1289
1290 size = input_crl_size - (ptr - input_crl);
1291
1292 i = *ncrls + 1;
1293 count = 0;
1294
1295 do
1296 {
1297
1298 *crl_list =
1299 (gnutls_x509_crl_t *) gnutls_realloc_fast (*crl_list,
1300 i *
1301 sizeof
1302 (gnutls_x509_crl_t));
1303
1304 if (*crl_list == NULL)
1305 {
1306 gnutls_assert ();
1307 return GNUTLS_E_MEMORY_ERROR;
1308 }
1309
1310 ret = gnutls_x509_crl_init (&crl_list[0][i - 1]);
1311 if (ret < 0)
1312 {
1313 gnutls_assert ();
1314 return ret;
1315 }
1316
1317 tmp.data = (char *) ptr;
1318 tmp.size = size;
1319
1320 ret =
1321 gnutls_x509_crl_import (crl_list[0][i - 1],
1322 &tmp, GNUTLS_X509_FMT_PEM);
1323 if (ret < 0)
1324 {
1325 gnutls_assert ();
1326 return ret;
1327 }
1328
1329 /* now we move ptr after the pem header
1330 */
1331 ptr++;
1332 /* find the next certificate (if any)
1333 */
1334
1335 size = input_crl_size - (ptr - input_crl);
1336
1337 if (size > 0)
1338 ptr = memmem (ptr, size, PEM_CRL_SEP, sizeof (PEM_CRL_SEP) - 1);
1339 else
1340 ptr = NULL;
1341 i++;
1342 count++;
1343
1344 }
1345 while (ptr != NULL);
1346
1347 *ncrls = i - 1;
1348
1349 return count;
1350 }
1351
1352 /* Reads a DER encoded certificate list from memory and stores it to a
1353 * gnutls_cert structure. Returns the number of certificates parsed.
1354 */
1355 static int
1356 parse_der_crl_mem (gnutls_x509_crl_t ** crl_list, unsigned *ncrls,
1357 const void *input_crl, int input_crl_size)
1358 {
1359 int i;
1360 gnutls_datum_t tmp;
1361 int ret;
1362
1363 i = *ncrls + 1;
1364
1365 *crl_list =
1366 (gnutls_x509_crl_t *) gnutls_realloc_fast (*crl_list,
1367 i *
1368 sizeof (gnutls_x509_crl_t));
1369
1370 if (*crl_list == NULL)
1371 {
1372 gnutls_assert ();
1373 return GNUTLS_E_MEMORY_ERROR;
1374 }
1375
1376 tmp.data = (opaque *) input_crl;
1377 tmp.size = input_crl_size;
1378
1379 ret = gnutls_x509_crl_init (&crl_list[0][i - 1]);
1380 if (ret < 0)
1381 {
1382 gnutls_assert ();
1383 return ret;
1384 }
1385
1386 ret =
1387 gnutls_x509_crl_import (crl_list[0][i - 1], &tmp, GNUTLS_X509_FMT_DER);
1388 if (ret < 0)
1389 {
1390 gnutls_assert ();
1391 return ret;
1392 }
1393
1394 *ncrls = i;
1395
1396 return 1; /* one certificate parsed */
1397 }
1398
1399
1400 /* Reads a DER or PEM CRL from memory
1401 */
1402 static int
1403 read_crl_mem (gnutls_certificate_credentials_t res, const void *crl,
1404 int crl_size, gnutls_x509_crt_fmt_t type)
1405 {
1406 int ret;
1407
1408 /* allocate space for the certificate to add
1409 */
1410 res->x509_crl_list = gnutls_realloc_fast (res->x509_crl_list,
1411 (1 +
1412 res->x509_ncrls) *
1413 sizeof (gnutls_x509_crl_t));
1414 if (res->x509_crl_list == NULL)
1415 {
1416 gnutls_assert ();
1417 return GNUTLS_E_MEMORY_ERROR;
1418 }
1419
1420 if (type == GNUTLS_X509_FMT_DER)
1421 ret = parse_der_crl_mem (&res->x509_crl_list,
1422 &res->x509_ncrls, crl, crl_size);
1423 else
1424 ret = parse_pem_crl_mem (&res->x509_crl_list,
1425 &res->x509_ncrls, crl, crl_size);
1426
1427 if (ret < 0)
1428 {
1429 gnutls_assert ();
1430 return ret;
1431 }
1432
1433 return ret;
1434 }
1435
1436 /**
1437 * gnutls_certificate_set_x509_crl_mem:
1438 * @res: is a #gnutls_certificate_credentials_t structure.
1439 * @CRL: is a list of trusted CRLs. They should have been verified before.
1440 * @type: is DER or PEM
1441 *
1442 * This function adds the trusted CRLs in order to verify client or
1443 * server certificates. In case of a client this is not required to
1444 * be called if the certificates are not verified using
1445 * gnutls_certificate_verify_peers2(). This function may be called
1446 * multiple times.
1447 *
1448 * Returns: number of CRLs processed, or a negative value on error.
1449 **/
1450 int
1451 gnutls_certificate_set_x509_crl_mem (gnutls_certificate_credentials_t res,
1452 const gnutls_datum_t * CRL,
1453 gnutls_x509_crt_fmt_t type)
1454 {
1455 int ret;
1456
1457 if ((ret = read_crl_mem (res, CRL->data, CRL->size, type)) < 0)
1458 return ret;
1459
1460 return ret;
1461 }
1462
1463 /**
1464 * gnutls_certificate_set_x509_crl:
1465 * @res: is a #gnutls_certificate_credentials_t structure.
1466 * @crl_list: is a list of trusted CRLs. They should have been verified before.
1467 * @crl_list_size: holds the size of the crl_list
1468 *
1469 * This function adds the trusted CRLs in order to verify client or
1470 * server certificates. In case of a client this is not required to
1471 * be called if the certificates are not verified using
1472 * gnutls_certificate_verify_peers2(). This function may be called
1473 * multiple times.
1474 *
1475 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1476 *
1477 * Since: 2.4.0
1478 **/
1479 int
1480 gnutls_certificate_set_x509_crl (gnutls_certificate_credentials_t res,
1481 gnutls_x509_crl_t * crl_list,
1482 int crl_list_size)
1483 {
1484 int ret, i;
1485
1486 res->x509_crl_list = gnutls_realloc_fast (res->x509_crl_list,
1487 (crl_list_size +
1488 res->x509_ncrls) *
1489 sizeof (gnutls_x509_crl_t));
1490 if (res->x509_crl_list == NULL)
1491 {
1492 gnutls_assert ();
1493 return GNUTLS_E_MEMORY_ERROR;
1494 }
1495
1496 for (i = 0; i < crl_list_size; i++)
1497 {
1498 ret = gnutls_x509_crl_init (&res->x509_crl_list[res->x509_ncrls]);
1499 if (ret < 0)
1500 {
1501 gnutls_assert ();
1502 return ret;
1503 }
1504
1505 ret = _gnutls_x509_crl_cpy (res->x509_crl_list[res->x509_ncrls],
1506 crl_list[i]);
1507 if (ret < 0)
1508 {
1509 gnutls_assert ();
1510 return ret;
1511 }
1512 res->x509_ncrls++;
1513 }
1514
1515 return 0;
1516 }
1517
1518 /**
1519 * gnutls_certificate_set_x509_crl_file:
1520 * @res: is a #gnutls_certificate_credentials_t structure.
1521 * @crlfile: is a file containing the list of verified CRLs (DER or PEM list)
1522 * @type: is PEM or DER
1523 *
1524 * This function adds the trusted CRLs in order to verify client or server
1525 * certificates. In case of a client this is not required
1526 * to be called if the certificates are not verified using
1527 * gnutls_certificate_verify_peers2().
1528 * This function may be called multiple times.
1529 *
1530 * Returns: number of CRLs processed or a negative value on error.
1531 **/
1532 int
1533 gnutls_certificate_set_x509_crl_file (gnutls_certificate_credentials_t res,
1534 const char *crlfile,
1535 gnutls_x509_crt_fmt_t type)
1536 {
1537 int ret;
1538 size_t size;
1539 char *data = read_binary_file (crlfile, &size);
1540
1541 if (data == NULL)
1542 {
1543 gnutls_assert ();
1544 return GNUTLS_E_FILE_ERROR;
1545 }
1546
1547 if (type == GNUTLS_X509_FMT_DER)
1548 ret = parse_der_crl_mem (&res->x509_crl_list, &res->x509_ncrls,
1549 data, size);
1550 else
1551 ret = parse_pem_crl_mem (&res->x509_crl_list, &res->x509_ncrls,
1552 data, size);
1553
1554 free (data);
1555
1556 if (ret < 0)
1557 {
1558 gnutls_assert ();
1559 return ret;
1560 }
1561
1562 return ret;
1563 }
1564
1565 #include <gnutls/pkcs12.h>
1566
1567 static int
1568 parse_pkcs12 (gnutls_certificate_credentials_t res,
1569 gnutls_pkcs12_t p12,
1570 const char *password,
1571 gnutls_x509_privkey_t * key,
1572 gnutls_x509_crt_t * cert, gnutls_x509_crl_t * crl)
1573 {
1574 gnutls_pkcs12_bag_t bag = NULL;
1575 int idx = 0;
1576 int ret;
1577 size_t cert_id_size = 0;
1578 size_t key_id_size = 0;
1579 opaque cert_id[20];
1580 opaque key_id[20];
1581 int privkey_ok = 0;
1582
1583 *cert = NULL;
1584 *key = NULL;
1585 *crl = NULL;
1586
1587 /* find the first private key */
1588 for (;;)
1589 {
1590 int elements_in_bag;
1591 int i;
1592
1593 ret = gnutls_pkcs12_bag_init (&bag);
1594 if (ret < 0)
1595 {
1596 bag = NULL;
1597 gnutls_assert ();
1598 goto done;
1599 }
1600
1601 ret = gnutls_pkcs12_get_bag (p12, idx, bag);
1602 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1603 break;
1604 if (ret < 0)
1605 {
1606 gnutls_assert ();
1607 goto done;
1608 }
1609
1610 ret = gnutls_pkcs12_bag_get_type (bag, 0);
1611 if (ret < 0)
1612 {
1613 gnutls_assert ();
1614 goto done;
1615 }
1616
1617 if (ret == GNUTLS_BAG_ENCRYPTED)
1618 {
1619 ret = gnutls_pkcs12_bag_decrypt (bag, password);
1620 if (ret < 0)
1621 {
1622 gnutls_assert ();
1623 goto done;
1624 }
1625 }
1626
1627 elements_in_bag = gnutls_pkcs12_bag_get_count (bag);
1628 if (elements_in_bag < 0)
1629 {
1630 gnutls_assert ();
1631 goto done;
1632 }
1633
1634 for (i = 0; i < elements_in_bag; i++)
1635 {
1636 int type;
1637 gnutls_datum_t data;
1638
1639 type = gnutls_pkcs12_bag_get_type (bag, i);
1640 if (type < 0)
1641 {
1642 gnutls_assert ();
1643 goto done;
1644 }
1645
1646 ret = gnutls_pkcs12_bag_get_data (bag, i, &data);
1647 if (ret < 0)
1648 {
1649 gnutls_assert ();
1650 goto done;
1651 }
1652
1653 switch (type)
1654 {
1655 case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY:
1656 case GNUTLS_BAG_PKCS8_KEY:
1657 if (*key != NULL) /* too simple to continue */
1658 {
1659 gnutls_assert ();
1660 break;
1661 }
1662
1663 ret = gnutls_x509_privkey_init (key);
1664 if (ret < 0)
1665 {
1666 gnutls_assert ();
1667 goto done;
1668 }
1669
1670 ret = gnutls_x509_privkey_import_pkcs8
1671 (*key, &data, GNUTLS_X509_FMT_DER, password,
1672 type == GNUTLS_BAG_PKCS8_KEY ? GNUTLS_PKCS_PLAIN : 0);
1673 if (ret < 0)
1674 {
1675 gnutls_assert ();
1676 gnutls_x509_privkey_deinit (*key);
1677 goto done;
1678 }
1679
1680 key_id_size = sizeof (key_id);
1681 ret =
1682 gnutls_x509_privkey_get_key_id (*key, 0, key_id,
1683 &key_id_size);
1684 if (ret < 0)
1685 {
1686 gnutls_assert ();
1687 gnutls_x509_privkey_deinit (*key);
1688 goto done;
1689 }
1690
1691 privkey_ok = 1; /* break */
1692 break;
1693 default:
1694 break;
1695 }
1696 }
1697
1698 idx++;
1699 gnutls_pkcs12_bag_deinit (bag);
1700
1701 if (privkey_ok != 0) /* private key was found */
1702 break;
1703 }
1704
1705 if (privkey_ok == 0) /* no private key */
1706 {
1707 gnutls_assert ();
1708 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
1709 }
1710
1711 /* now find the corresponding certificate
1712 */
1713 idx = 0;
1714 bag = NULL;
1715 for (;;)
1716 {
1717 int elements_in_bag;
1718 int i;
1719
1720 ret = gnutls_pkcs12_bag_init (&bag);
1721 if (ret < 0)
1722 {
1723 bag = NULL;
1724 gnutls_assert ();
1725 goto done;
1726 }
1727
1728 ret = gnutls_pkcs12_get_bag (p12, idx, bag);
1729 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1730 break;
1731 if (ret < 0)
1732 {
1733 gnutls_assert ();
1734 goto done;
1735 }
1736
1737 ret = gnutls_pkcs12_bag_get_type (bag, 0);
1738 if (ret < 0)
1739 {
1740 gnutls_assert ();
1741 goto done;
1742 }
1743
1744 if (ret == GNUTLS_BAG_ENCRYPTED)
1745 {
1746 ret = gnutls_pkcs12_bag_decrypt (bag, password);
1747 if (ret < 0)
1748 {
1749 gnutls_assert ();
1750 goto done;
1751 }
1752 }
1753
1754 elements_in_bag = gnutls_pkcs12_bag_get_count (bag);
1755 if (elements_in_bag < 0)
1756 {
1757 gnutls_assert ();
1758 goto done;
1759 }
1760
1761 for (i = 0; i < elements_in_bag; i++)
1762 {
1763 int type;
1764 gnutls_datum_t data;
1765
1766 type = gnutls_pkcs12_bag_get_type (bag, i);
1767 if (type < 0)
1768 {
1769 gnutls_assert ();
1770 goto done;
1771 }
1772
1773 ret = gnutls_pkcs12_bag_get_data (bag, i, &data);
1774 if (ret < 0)
1775 {
1776 gnutls_assert ();
1777 goto done;
1778 }
1779
1780 switch (type)
1781 {
1782 case GNUTLS_BAG_CERTIFICATE:
1783 if (*cert != NULL) /* no need to set it again */
1784 {
1785 gnutls_assert ();
1786 break;
1787 }
1788
1789 ret = gnutls_x509_crt_init (cert);
1790 if (ret < 0)
1791 {
1792 gnutls_assert ();
1793 goto done;
1794 }
1795
1796 ret =
1797 gnutls_x509_crt_import (*cert, &data, GNUTLS_X509_FMT_DER);
1798 if (ret < 0)
1799 {
1800 gnutls_assert ();
1801 gnutls_x509_crt_deinit (*cert);
1802 goto done;
1803 }
1804
1805 /* check if the key id match */
1806 cert_id_size = sizeof (cert_id);
1807 ret =
1808 gnutls_x509_crt_get_key_id (*cert, 0, cert_id, &cert_id_size);
1809 if (ret < 0)
1810 {
1811 gnutls_assert ();
1812 gnutls_x509_crt_deinit (*cert);
1813 goto done;
1814 }
1815
1816 if (memcmp (cert_id, key_id, cert_id_size) != 0)
1817 { /* they don't match - skip the certificate */
1818 gnutls_x509_crt_deinit (*cert);
1819 *cert = NULL;
1820 }
1821 break;
1822
1823 case GNUTLS_BAG_CRL:
1824 if (*crl != NULL)
1825 {
1826 gnutls_assert ();
1827 break;
1828 }
1829
1830 ret = gnutls_x509_crl_init (crl);
1831 if (ret < 0)
1832 {
1833 gnutls_assert ();
1834 goto done;
1835 }
1836
1837 ret = gnutls_x509_crl_import (*crl, &data, GNUTLS_X509_FMT_DER);
1838 if (ret < 0)
1839 {
1840 gnutls_assert ();
1841 gnutls_x509_crl_deinit (*crl);
1842 goto done;
1843 }
1844 break;
1845
1846 case GNUTLS_BAG_ENCRYPTED:
1847 /* XXX Bother to recurse one level down? Unlikely to
1848 use the same password anyway. */
1849 case GNUTLS_BAG_EMPTY:
1850 default:
1851 break;
1852 }
1853 }
1854
1855 idx++;
1856 gnutls_pkcs12_bag_deinit (bag);
1857 }
1858
1859 ret = 0;
1860
1861 done:
1862 if (bag)
1863 gnutls_pkcs12_bag_deinit (bag);
1864
1865 return ret;
1866 }
1867
1868 /**
1869 * gnutls_certificate_set_x509_simple_pkcs12_file:
1870 * @res: is a #gnutls_certificate_credentials_t structure.
1871 * @pkcs12file: filename of file containing PKCS#12 blob.
1872 * @type: is PEM or DER of the @pkcs12file.
1873 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
1874 *
1875 * This function sets a certificate/private key pair and/or a CRL in
1876 * the gnutls_certificate_credentials_t structure. This function may
1877 * be called more than once (in case multiple keys/certificates exist
1878 * for the server).
1879 *
1880 * MAC:ed PKCS#12 files are supported. Encrypted PKCS#12 bags are
1881 * supported. Encrypted PKCS#8 private keys are supported. However,
1882 * only password based security, and the same password for all
1883 * operations, are supported.
1884 *
1885 * The private keys may be RSA PKCS#1 or DSA private keys encoded in
1886 * the OpenSSL way.
1887 *
1888 * PKCS#12 file may contain many keys and/or certificates, and there
1889 * is no way to identify which key/certificate pair you want. You
1890 * should make sure the PKCS#12 file only contain one key/certificate
1891 * pair and/or one CRL.
1892 *
1893 * It is believed that the limitations of this function is acceptable
1894 * for most usage, and that any more flexibility would introduce
1895 * complexity that would make it harder to use this functionality at
1896 * all.
1897 *
1898 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1899 **/
1900 int
1901 gnutls_certificate_set_x509_simple_pkcs12_file
1902 (gnutls_certificate_credentials_t res, const char *pkcs12file,
1903 gnutls_x509_crt_fmt_t type, const char *password)
1904 {
1905 gnutls_datum_t p12blob;
1906 size_t size;
1907 int ret;
1908
1909 p12blob.data = read_binary_file (pkcs12file, &size);
1910 p12blob.size = (unsigned int) size;
1911 if (p12blob.data == NULL)
1912 {
1913 gnutls_assert ();
1914 return GNUTLS_E_FILE_ERROR;
1915 }
1916
1917 ret =
1918 gnutls_certificate_set_x509_simple_pkcs12_mem (res, &p12blob, type,
1919 password);
1920 free (p12blob.data);
1921
1922 return ret;
1923 }
1924
1925 /**
1926 * gnutls_certificate_set_x509_simple_pkcs12_mem:
1927 * @res: is a #gnutls_certificate_credentials_t structure.
1928 * @p12blob: the PKCS#12 blob.
1929 * @type: is PEM or DER of the @pkcs12file.
1930 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
1931 *
1932 * This function sets a certificate/private key pair and/or a CRL in
1933 * the gnutls_certificate_credentials_t structure. This function may
1934 * be called more than once (in case multiple keys/certificates exist
1935 * for the server).
1936 *
1937 * MAC:ed PKCS#12 files are supported. Encrypted PKCS#12 bags are
1938 * supported. Encrypted PKCS#8 private keys are supported. However,
1939 * only password based security, and the same password for all
1940 * operations, are supported.
1941 *
1942 * The private keys may be RSA PKCS#1 or DSA private keys encoded in
1943 * the OpenSSL way.
1944 *
1945 * PKCS#12 file may contain many keys and/or certificates, and there
1946 * is no way to identify which key/certificate pair you want. You
1947 * should make sure the PKCS#12 file only contain one key/certificate
1948 * pair and/or one CRL.
1949 *
1950 * It is believed that the limitations of this function is acceptable
1951 * for most usage, and that any more flexibility would introduce
1952 * complexity that would make it harder to use this functionality at
1953 * all.
1954 *
1955 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1956 *
1957 * Since: 2.8.0
1958 **/
1959 int
1960 gnutls_certificate_set_x509_simple_pkcs12_mem
1961 (gnutls_certificate_credentials_t res, const gnutls_datum_t * p12blob,
1962 gnutls_x509_crt_fmt_t type, const char *password)
1963 {
1964 gnutls_pkcs12_t p12;
1965 gnutls_x509_privkey_t key = NULL;
1966 gnutls_x509_crt_t cert = NULL;
1967 gnutls_x509_crl_t crl = NULL;
1968 int ret;
1969
1970 ret = gnutls_pkcs12_init (&p12);
1971 if (ret < 0)
1972 {
1973 gnutls_assert ();
1974 return ret;
1975 }
1976
1977 ret = gnutls_pkcs12_import (p12, p12blob, type, 0);
1978 if (ret < 0)
1979 {
1980 gnutls_assert ();
1981 gnutls_pkcs12_deinit (p12);
1982 return ret;
1983 }
1984
1985 if (password)
1986 {
1987 ret = gnutls_pkcs12_verify_mac (p12, password);
1988 if (ret < 0)
1989 {
1990 gnutls_assert ();
1991 gnutls_pkcs12_deinit (p12);
1992 return ret;
1993 }
1994 }
1995
1996 ret = parse_pkcs12 (res, p12, password, &key, &cert, &crl);
1997 gnutls_pkcs12_deinit (p12);
1998 if (ret < 0)
1999 {
2000 gnutls_assert ();
2001 return ret;
2002 }
2003
2004 if (key && cert)
2005 {
2006 ret = gnutls_certificate_set_x509_key (res, &cert, 1, key);
2007 if (ret < 0)
2008 {
2009 gnutls_assert ();
2010 goto done;
2011 }
2012 }
2013
2014 if (crl)
2015 {
2016 ret = gnutls_certificate_set_x509_crl (res, &crl, 1);
2017 if (ret < 0)
2018 {
2019 gnutls_assert ();
2020 goto done;
2021 }
2022 }
2023
2024 /* check if the key and certificate found match */
2025 if (key && (ret = _gnutls_check_key_cert_match (res)) < 0)
2026 {
2027 gnutls_assert ();
2028 goto done;
2029 }
2030
2031 ret = 0;
2032
2033 done:
2034 if (cert)
2035 gnutls_x509_crt_deinit (cert);
2036 if (key)
2037 gnutls_x509_privkey_deinit (key);
2038 if (crl)
2039 gnutls_x509_crl_deinit (crl);
2040
2041 return ret;
2042 }
2043
2044
2045
2046 /**
2047 * gnutls_certificate_free_crls:
2048 * @sc: is a #gnutls_certificate_credentials_t structure.
2049 *
2050 * This function will delete all the CRLs associated
2051 * with the given credentials.
2052 **/
2053 void
2054 gnutls_certificate_free_crls (gnutls_certificate_credentials_t sc)
2055 {
2056 unsigned j;
2057
2058 for (j = 0; j < sc->x509_ncrls; j++)
2059 {
2060 gnutls_x509_crl_deinit (sc->x509_crl_list[j]);
2061 }
2062
2063 sc->x509_ncrls = 0;
2064
2065 gnutls_free (sc->x509_crl_list);
2066 sc->x509_crl_list = NULL;
2067 }
2068
2069 #endif
Implementation of the SSL/TLS protocol