2 * Copyright (C) 2002-2012 Free Software Foundation, Inc.
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GnuTLS.
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
23 #include <gnutls_int.h>
24 #include "gnutls_auth.h"
25 #include "gnutls_errors.h"
26 #include <auth/cert.h>
27 #include "gnutls_dh.h"
28 #include "gnutls_num.h"
29 #include "gnutls_datum.h"
30 #include <gnutls_pk.h>
31 #include <algorithms.h>
32 #include <gnutls_global.h>
33 #include <gnutls_record.h>
34 #include <gnutls_sig.h>
35 #include <gnutls_state.h>
36 #include <gnutls_pk.h>
37 #include <gnutls_str.h>
40 #include <gnutls_x509.h>
41 #include "x509/common.h"
42 #include "x509/x509_int.h"
43 #include <gnutls_str_array.h>
44 #include "read-file.h"
45 #if defined _WIN32 || defined __WIN32__
50 * some x509 certificate parsing functions.
53 /* Check if the number of bits of the key in the certificate
57 check_bits (gnutls_x509_crt_t crt
, unsigned int max_bits
)
62 ret
= gnutls_x509_crt_get_pk_algorithm (crt
, &bits
);
69 if (bits
> max_bits
&& max_bits
> 0)
72 return GNUTLS_E_CONSTRAINT_ERROR
;
79 #define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) { \
80 if (peer_certificate_list[x]) \
81 gnutls_x509_crt_deinit(peer_certificate_list[x]); \
83 gnutls_free( peer_certificate_list)
86 * _gnutls_x509_cert_verify_peers - return the peer's certificate status
87 * @session: is a gnutls session
89 * This function will try to verify the peer's certificate and return its status (TRUSTED, REVOKED etc.).
90 * The return value (status) should be one of the gnutls_certificate_status_t enumerated elements.
91 * However you must also check the peer's name in order to check if the verified certificate belongs to the
92 * actual peer. Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
95 _gnutls_x509_cert_verify_peers (gnutls_session_t session
,
98 cert_auth_info_t info
;
99 gnutls_certificate_credentials_t cred
;
100 gnutls_x509_crt_t
*peer_certificate_list
;
101 int peer_certificate_list_size
, i
, x
, ret
;
103 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE
, GNUTLS_E_INVALID_REQUEST
);
105 info
= _gnutls_get_auth_info (session
);
109 return GNUTLS_E_INVALID_REQUEST
;
112 cred
= (gnutls_certificate_credentials_t
)
113 _gnutls_get_cred (session
->key
, GNUTLS_CRD_CERTIFICATE
, NULL
);
117 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
120 if (info
->raw_certificate_list
== NULL
|| info
->ncerts
== 0)
121 return GNUTLS_E_NO_CERTIFICATE_FOUND
;
123 if (info
->ncerts
> cred
->verify_depth
&& cred
->verify_depth
> 0)
126 return GNUTLS_E_CONSTRAINT_ERROR
;
129 /* generate a list of gnutls_certs based on the auth info
132 peer_certificate_list_size
= info
->ncerts
;
133 peer_certificate_list
=
134 gnutls_calloc (peer_certificate_list_size
, sizeof (gnutls_x509_crt_t
));
135 if (peer_certificate_list
== NULL
)
138 return GNUTLS_E_MEMORY_ERROR
;
141 for (i
= 0; i
< peer_certificate_list_size
; i
++)
143 ret
= gnutls_x509_crt_init (&peer_certificate_list
[i
]);
152 gnutls_x509_crt_import (peer_certificate_list
[i
],
153 &info
->raw_certificate_list
[i
],
154 GNUTLS_X509_FMT_DER
);
162 ret
= check_bits (peer_certificate_list
[i
], cred
->verify_bits
);
172 /* Verify certificate
175 ret
= gnutls_x509_trust_list_verify_crt (cred
->tlist
, peer_certificate_list
,
176 peer_certificate_list_size
,
177 cred
->verify_flags
| session
->internals
.
178 priorities
.additional_verify_flags
,
193 * Read certificates and private keys, from files, memory etc.
196 /* returns error if the certificate has different algorithm than
197 * the given key parameters.
200 _gnutls_check_key_cert_match (gnutls_certificate_credentials_t res
)
202 int pk
= gnutls_pubkey_get_pk_algorithm(res
->certs
[res
->ncerts
-1].cert_list
[0].pubkey
, NULL
);
204 if (gnutls_privkey_get_pk_algorithm (res
->pkey
[res
->ncerts
- 1], NULL
) !=
208 return GNUTLS_E_CERTIFICATE_KEY_MISMATCH
;
214 /* Returns the name of the certificate of a null name
216 static int get_x509_name(gnutls_x509_crt_t crt
, gnutls_str_array_t
*names
)
219 int i
, ret
= 0, ret2
;
222 for (i
= 0; !(ret
< 0); i
++)
224 max_size
= sizeof(name
);
226 ret
= gnutls_x509_crt_get_subject_alt_name(crt
, i
, name
, &max_size
, NULL
);
227 if (ret
== GNUTLS_SAN_DNSNAME
)
229 ret2
= _gnutls_str_array_append(names
, name
, max_size
);
232 _gnutls_str_array_clear(names
);
233 return gnutls_assert_val(ret2
);
238 max_size
= sizeof(name
);
239 ret
= gnutls_x509_crt_get_dn_by_oid (crt
, OID_X520_COMMON_NAME
, 0, 0, name
, &max_size
);
242 ret
= _gnutls_str_array_append(names
, name
, max_size
);
245 _gnutls_str_array_clear(names
);
246 return gnutls_assert_val(ret
);
253 static int get_x509_name_raw(gnutls_datum_t
*raw
, gnutls_x509_crt_fmt_t type
, gnutls_str_array_t
*names
)
256 gnutls_x509_crt_t crt
;
258 ret
= gnutls_x509_crt_init (&crt
);
265 ret
= gnutls_x509_crt_import (crt
, raw
, type
);
269 gnutls_x509_crt_deinit (crt
);
273 ret
= get_x509_name(crt
, names
);
274 gnutls_x509_crt_deinit (crt
);
278 /* Reads a DER encoded certificate list from memory and stores it to a
279 * gnutls_cert structure. Returns the number of certificates parsed.
282 parse_der_cert_mem (gnutls_certificate_credentials_t res
,
283 const void *input_cert
, int input_cert_size
)
286 gnutls_x509_crt_t crt
;
287 gnutls_pcert_st
*ccert
;
289 gnutls_str_array_t names
;
291 _gnutls_str_array_init(&names
);
293 ccert
= gnutls_malloc (sizeof (*ccert
));
297 return GNUTLS_E_MEMORY_ERROR
;
300 ret
= gnutls_x509_crt_init (&crt
);
307 tmp
.data
= (uint8_t *) input_cert
;
308 tmp
.size
= input_cert_size
;
310 ret
= gnutls_x509_crt_import (crt
, &tmp
, GNUTLS_X509_FMT_DER
);
314 gnutls_x509_crt_deinit (crt
);
318 ret
= get_x509_name(crt
, &names
);
322 gnutls_x509_crt_deinit (crt
);
326 ret
= gnutls_pcert_import_x509 (ccert
, crt
, 0);
327 gnutls_x509_crt_deinit (crt
);
335 ret
= certificate_credential_append_crt_list (res
, names
, ccert
, 1);
345 _gnutls_str_array_clear(&names
);
350 /* Reads a base64 encoded certificate list from memory and stores it to
351 * a gnutls_cert structure. Returns the number of certificate parsed.
354 parse_pem_cert_mem (gnutls_certificate_credentials_t res
,
355 const char *input_cert
, int input_cert_size
)
361 gnutls_pcert_st
*certs
= NULL
;
362 gnutls_str_array_t names
;
364 _gnutls_str_array_init(&names
);
366 /* move to the certificate
368 ptr
= memmem (input_cert
, input_cert_size
,
369 PEM_CERT_SEP
, sizeof (PEM_CERT_SEP
) - 1);
371 ptr
= memmem (input_cert
, input_cert_size
,
372 PEM_CERT_SEP2
, sizeof (PEM_CERT_SEP2
) - 1);
377 return GNUTLS_E_BASE64_DECODING_ERROR
;
379 size
= input_cert_size
- (ptr
- input_cert
);
385 certs
= gnutls_realloc_fast (certs
, (count
+ 1) * sizeof (gnutls_pcert_st
));
390 ret
= GNUTLS_E_MEMORY_ERROR
;
394 tmp
.data
= (void*)ptr
;
399 ret
= get_x509_name_raw(&tmp
, GNUTLS_X509_FMT_PEM
, &names
);
407 ret
= gnutls_pcert_import_x509_raw (&certs
[count
], &tmp
, GNUTLS_X509_FMT_PEM
, 0);
414 /* now we move ptr after the pem header
417 /* find the next certificate (if any)
419 size
= input_cert_size
- (ptr
- input_cert
);
425 ptr3
= memmem (ptr
, size
, PEM_CERT_SEP
, sizeof (PEM_CERT_SEP
) - 1);
427 ptr3
= memmem (ptr
, size
, PEM_CERT_SEP2
,
428 sizeof (PEM_CERT_SEP2
) - 1);
440 ret
= certificate_credential_append_crt_list (res
, names
, certs
, count
);
450 _gnutls_str_array_clear(&names
);
451 for (i
=0;i
<count
;i
++)
452 gnutls_pcert_deinit(&certs
[i
]);
459 /* Reads a DER or PEM certificate from memory
462 read_cert_mem (gnutls_certificate_credentials_t res
, const void *cert
,
463 int cert_size
, gnutls_x509_crt_fmt_t type
)
467 if (type
== GNUTLS_X509_FMT_DER
)
468 ret
= parse_der_cert_mem (res
, cert
, cert_size
);
470 ret
= parse_pem_cert_mem (res
, cert
, cert_size
);
482 _gnutls_x509_raw_privkey_to_privkey (gnutls_privkey_t
* privkey
,
483 const gnutls_datum_t
* raw_key
,
484 gnutls_x509_crt_fmt_t type
)
486 gnutls_x509_privkey_t tmpkey
;
489 ret
= gnutls_x509_privkey_init (&tmpkey
);
496 ret
= gnutls_x509_privkey_import (tmpkey
, raw_key
, type
);
500 gnutls_x509_privkey_deinit (tmpkey
);
504 ret
= gnutls_privkey_init (privkey
);
508 gnutls_x509_privkey_deinit (tmpkey
);
513 gnutls_privkey_import_x509 (*privkey
, tmpkey
,
514 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE
);
518 gnutls_x509_privkey_deinit (tmpkey
);
519 gnutls_privkey_deinit (*privkey
);
526 /* Reads a PEM encoded PKCS-1 RSA/DSA private key from memory. Type
527 * indicates the certificate format. KEY can be NULL, to indicate
528 * that GnuTLS doesn't know the private key.
531 read_key_mem (gnutls_certificate_credentials_t res
,
532 const void *key
, int key_size
, gnutls_x509_crt_fmt_t type
)
536 gnutls_privkey_t privkey
;
540 tmp
.data
= (uint8_t *) key
;
543 ret
= _gnutls_x509_raw_privkey_to_privkey (&privkey
, &tmp
, type
);
550 ret
= certificate_credentials_append_pkey (res
, privkey
);
554 gnutls_privkey_deinit (privkey
);
562 return GNUTLS_E_INVALID_REQUEST
;
570 /* Reads a private key from a token.
573 read_key_url (gnutls_certificate_credentials_t res
, const char *url
)
576 gnutls_pkcs11_privkey_t key1
= NULL
;
577 gnutls_privkey_t pkey
= NULL
;
579 /* allocate space for the pkey list
582 ret
= gnutls_pkcs11_privkey_init (&key1
);
589 ret
= gnutls_pkcs11_privkey_import_url (key1
, url
, 0);
596 ret
= gnutls_privkey_init (&pkey
);
604 gnutls_privkey_import_pkcs11 (pkey
, key1
,
605 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE
);
612 ret
= certificate_credentials_append_pkey (res
, pkey
);
623 gnutls_privkey_deinit (pkey
);
626 gnutls_pkcs11_privkey_deinit (key1
);
631 /* Reads a private key from a token.
634 read_cas_url (gnutls_certificate_credentials_t res
, const char *url
)
637 gnutls_x509_crt_t
*xcrt_list
= NULL
;
638 gnutls_pkcs11_obj_t
*pcrt_list
= NULL
;
639 unsigned int pcrt_list_size
= 0;
641 /* FIXME: should we use login? */
643 gnutls_pkcs11_obj_list_import_url (NULL
, &pcrt_list_size
, url
,
644 GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED
, 0);
645 if (ret
< 0 && ret
!= GNUTLS_E_SHORT_MEMORY_BUFFER
)
651 if (pcrt_list_size
== 0)
657 pcrt_list
= gnutls_malloc (sizeof (*pcrt_list
) * pcrt_list_size
);
658 if (pcrt_list
== NULL
)
661 return GNUTLS_E_MEMORY_ERROR
;
665 gnutls_pkcs11_obj_list_import_url (pcrt_list
, &pcrt_list_size
, url
,
666 GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED
, 0);
673 xcrt_list
= gnutls_malloc (sizeof (*xcrt_list
) * pcrt_list_size
);
674 if (xcrt_list
== NULL
)
677 ret
= GNUTLS_E_MEMORY_ERROR
;
682 gnutls_x509_crt_list_import_pkcs11 (xcrt_list
, pcrt_list_size
, pcrt_list
,
684 if (xcrt_list
== NULL
)
687 ret
= GNUTLS_E_MEMORY_ERROR
;
691 ret
= gnutls_x509_trust_list_add_cas(res
->tlist
, xcrt_list
, pcrt_list_size
, 0);
699 gnutls_free (xcrt_list
);
700 gnutls_free (pcrt_list
);
707 /* Reads a private key from a token.
710 read_cert_url (gnutls_certificate_credentials_t res
, const char *url
)
713 gnutls_x509_crt_t crt
;
714 gnutls_pcert_st
*ccert
;
715 gnutls_str_array_t names
;
717 _gnutls_str_array_init(&names
);
719 ccert
= gnutls_malloc (sizeof (*ccert
));
723 return GNUTLS_E_MEMORY_ERROR
;
726 ret
= gnutls_x509_crt_init (&crt
);
733 ret
= gnutls_x509_crt_import_pkcs11_url (crt
, url
, 0);
734 if (ret
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
)
736 gnutls_x509_crt_import_pkcs11_url (crt
, url
,
737 GNUTLS_PKCS11_OBJ_FLAG_LOGIN
);
742 gnutls_x509_crt_deinit (crt
);
746 ret
= get_x509_name(crt
, &names
);
750 gnutls_x509_crt_deinit (crt
);
754 ret
= gnutls_pcert_import_x509 (ccert
, crt
, 0);
755 gnutls_x509_crt_deinit (crt
);
763 ret
= certificate_credential_append_crt_list (res
, names
, ccert
, 1);
773 _gnutls_str_array_clear(&names
);
779 /* Reads a certificate file
782 read_cert_file (gnutls_certificate_credentials_t res
,
783 const char *certfile
, gnutls_x509_crt_fmt_t type
)
790 if (strncmp (certfile
, "pkcs11:", 7) == 0)
792 return read_cert_url (res
, certfile
);
794 #endif /* ENABLE_PKCS11 */
796 data
= read_binary_file (certfile
, &size
);
801 return GNUTLS_E_FILE_ERROR
;
804 ret
= read_cert_mem (res
, data
, size
, type
);
813 /* Reads PKCS-1 RSA private key file or a DSA file (in the format openssl
817 read_key_file (gnutls_certificate_credentials_t res
,
818 const char *keyfile
, gnutls_x509_crt_fmt_t type
)
825 if (strncmp (keyfile
, "pkcs11:", 7) == 0)
827 return read_key_url (res
, keyfile
);
829 #endif /* ENABLE_PKCS11 */
831 data
= read_binary_file (keyfile
, &size
);
836 return GNUTLS_E_FILE_ERROR
;
839 ret
= read_key_mem (res
, data
, size
, type
);
846 * gnutls_certificate_set_x509_key_mem:
847 * @res: is a #gnutls_certificate_credentials_t structure.
848 * @cert: contains a certificate list (path) for the specified private key
849 * @key: is the private key, or %NULL
850 * @type: is PEM or DER
852 * This function sets a certificate/private key pair in the
853 * gnutls_certificate_credentials_t structure. This function may be called
854 * more than once, in case multiple keys/certificates exist for the
857 * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates
858 * is supported. This means that certificates intended for signing cannot
859 * be used for ciphersuites that require encryption.
861 * If the certificate and the private key are given in PEM encoding
862 * then the strings that hold their values must be null terminated.
864 * The @key may be %NULL if you are using a sign callback, see
865 * gnutls_sign_callback_set().
867 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
870 gnutls_certificate_set_x509_key_mem (gnutls_certificate_credentials_t res
,
871 const gnutls_datum_t
* cert
,
872 const gnutls_datum_t
* key
,
873 gnutls_x509_crt_fmt_t type
)
877 /* this should be first
879 if ((ret
= read_key_mem (res
, key
? key
->data
: NULL
,
880 key
? key
->size
: 0, type
)) < 0)
883 if ((ret
= read_cert_mem (res
, cert
->data
, cert
->size
, type
)) < 0)
888 if (key
&& (ret
= _gnutls_check_key_cert_match (res
)) < 0)
897 static int check_if_sorted(gnutls_pcert_st
* crt
, int nr
)
899 gnutls_x509_crt_t x509
;
900 char prev_dn
[MAX_DN
];
902 size_t prev_dn_size
, dn_size
;
905 /* check if the X.509 list is ordered */
906 if (nr
> 1 && crt
[0].type
== GNUTLS_CRT_X509
)
911 ret
= gnutls_x509_crt_init(&x509
);
913 return gnutls_assert_val(ret
);
915 ret
= gnutls_x509_crt_import(x509
, &crt
[i
].cert
, GNUTLS_X509_FMT_DER
);
918 ret
= gnutls_assert_val(ret
);
924 dn_size
= sizeof(dn
);
925 ret
= gnutls_x509_crt_get_dn(x509
, dn
, &dn_size
);
928 ret
= gnutls_assert_val(ret
);
932 if (dn_size
!= prev_dn_size
|| memcmp(dn
, prev_dn
, dn_size
) != 0)
934 ret
= gnutls_assert_val(GNUTLS_E_CERTIFICATE_LIST_UNSORTED
);
939 prev_dn_size
= sizeof(prev_dn
);
940 ret
= gnutls_x509_crt_get_issuer_dn(x509
, prev_dn
, &prev_dn_size
);
943 ret
= gnutls_assert_val(ret
);
947 gnutls_x509_crt_deinit(x509
);
954 gnutls_x509_crt_deinit(x509
);
959 certificate_credential_append_crt_list (gnutls_certificate_credentials_t res
,
960 gnutls_str_array_t names
, gnutls_pcert_st
* crt
, int nr
)
964 ret
= check_if_sorted(crt
, nr
);
966 return gnutls_assert_val(ret
);
968 res
->certs
= gnutls_realloc_fast (res
->certs
,
971 if (res
->certs
== NULL
)
974 return GNUTLS_E_MEMORY_ERROR
;
977 res
->certs
[res
->ncerts
].cert_list
= crt
;
978 res
->certs
[res
->ncerts
].cert_list_length
= nr
;
979 res
->certs
[res
->ncerts
].names
= names
;
986 certificate_credentials_append_pkey (gnutls_certificate_credentials_t res
,
987 gnutls_privkey_t pkey
)
989 res
->pkey
= gnutls_realloc_fast (res
->pkey
,
991 sizeof (gnutls_privkey_t
));
992 if (res
->pkey
== NULL
)
995 return GNUTLS_E_MEMORY_ERROR
;
997 res
->pkey
[res
->ncerts
] = pkey
;
1003 * gnutls_certificate_set_x509_key:
1004 * @res: is a #gnutls_certificate_credentials_t structure.
1005 * @cert_list: contains a certificate list (path) for the specified private key
1006 * @cert_list_size: holds the size of the certificate list
1007 * @key: is a gnutls_x509_privkey_t key
1009 * This function sets a certificate/private key pair in the
1010 * gnutls_certificate_credentials_t structure. This function may be
1011 * called more than once, in case multiple keys/certificates exist for
1012 * the server. For clients that wants to send more than its own end
1013 * entity certificate (e.g., also an intermediate CA cert) then put
1014 * the certificate chain in @cert_list.
1018 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1023 gnutls_certificate_set_x509_key (gnutls_certificate_credentials_t res
,
1024 gnutls_x509_crt_t
* cert_list
,
1026 gnutls_x509_privkey_t key
)
1029 gnutls_privkey_t pkey
;
1030 gnutls_pcert_st
*pcerts
= NULL
;
1031 gnutls_str_array_t names
;
1033 _gnutls_str_array_init(&names
);
1035 /* this should be first
1037 ret
= gnutls_privkey_init (&pkey
);
1044 ret
= gnutls_privkey_import_x509 (pkey
, key
, GNUTLS_PRIVKEY_IMPORT_COPY
);
1051 ret
= certificate_credentials_append_pkey (res
, pkey
);
1058 /* load certificates */
1059 pcerts
= gnutls_malloc (sizeof (gnutls_pcert_st
) * cert_list_size
);
1063 return GNUTLS_E_MEMORY_ERROR
;
1066 ret
= get_x509_name(cert_list
[0], &names
);
1068 return gnutls_assert_val(ret
);
1070 for (i
= 0; i
< cert_list_size
; i
++)
1072 ret
= gnutls_pcert_import_x509 (&pcerts
[i
], cert_list
[i
], 0);
1080 ret
= certificate_credential_append_crt_list (res
, names
, pcerts
, cert_list_size
);
1089 if ((ret
= _gnutls_check_key_cert_match (res
)) < 0)
1098 _gnutls_str_array_clear(&names
);
1103 * gnutls_certificate_set_key:
1104 * @res: is a #gnutls_certificate_credentials_t structure.
1105 * @names: is an array of DNS name of the certificate (NULL if none)
1106 * @names_size: holds the size of the names list
1107 * @pcert_list: contains a certificate list (path) for the specified private key
1108 * @pcert_list_size: holds the size of the certificate list
1109 * @key: is a gnutls_x509_privkey_t key
1111 * This function sets a certificate/private key pair in the
1112 * gnutls_certificate_credentials_t structure. This function may be
1113 * called more than once, in case multiple keys/certificates exist for
1114 * the server. For clients that wants to send more than its own end
1115 * entity certificate (e.g., also an intermediate CA cert) then put
1116 * the certificate chain in @pcert_list. The @pcert_list and @key will
1117 * become part of the credentials structure and must not
1118 * be deallocated. They will be automatically deallocated when
1119 * @res is deinitialized.
1121 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1126 gnutls_certificate_set_key (gnutls_certificate_credentials_t res
,
1129 gnutls_pcert_st
* pcert_list
,
1130 int pcert_list_size
,
1131 gnutls_privkey_t key
)
1134 gnutls_str_array_t str_names
;
1136 _gnutls_str_array_init(&str_names
);
1138 if (names
!= NULL
&& names_size
> 0)
1140 for (i
=0;i
<names_size
;i
++)
1142 ret
= _gnutls_str_array_append(&str_names
, names
[i
], strlen(names
[i
]));
1145 ret
= gnutls_assert_val(ret
);
1151 ret
= certificate_credentials_append_pkey (res
, key
);
1158 ret
= certificate_credential_append_crt_list (res
, str_names
, pcert_list
, pcert_list_size
);
1167 if ((ret
= _gnutls_check_key_cert_match (res
)) < 0)
1176 _gnutls_str_array_clear(&str_names
);
1181 * gnutls_certificate_set_x509_key_file:
1182 * @res: is a #gnutls_certificate_credentials_t structure.
1183 * @certfile: is a file that containing the certificate list (path) for
1184 * the specified private key, in PKCS7 format, or a list of certificates
1185 * @keyfile: is a file that contains the private key
1186 * @type: is PEM or DER
1188 * This function sets a certificate/private key pair in the
1189 * gnutls_certificate_credentials_t structure. This function may be
1190 * called more than once, in case multiple keys/certificates exist for
1191 * the server. For clients that need to send more than its own end
1192 * entity certificate, e.g., also an intermediate CA cert, then the
1193 * @certfile must contain the ordered certificate chain.
1195 * This function can also accept PKCS #11 URLs at @keyfile and @certfile. In that case it
1196 * will import the private key and certificate indicated by the URLs.
1198 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1201 gnutls_certificate_set_x509_key_file (gnutls_certificate_credentials_t res
,
1202 const char *certfile
,
1203 const char *keyfile
,
1204 gnutls_x509_crt_fmt_t type
)
1208 /* this should be first
1210 if ((ret
= read_key_file (res
, keyfile
, type
)) < 0)
1213 if ((ret
= read_cert_file (res
, certfile
, type
)) < 0)
1218 if ((ret
= _gnutls_check_key_cert_match (res
)) < 0)
1228 add_new_crt_to_rdn_seq (gnutls_certificate_credentials_t res
, gnutls_x509_crt_t
* crts
,
1229 unsigned int crt_size
)
1234 unsigned char *newdata
;
1237 /* Add DN of the last added CAs to the RDN sequence
1238 * This will be sent to clients when a certificate
1239 * request message is sent.
1242 /* FIXME: in case of a client it is not needed
1243 * to do that. This would save time and memory.
1244 * However we don't have that information available
1246 * Further, this function is now much more efficient,
1247 * so optimizing that is less important.
1250 for (i
= 0; i
< crt_size
; i
++)
1252 if ((ret
= gnutls_x509_crt_get_raw_dn (crts
[i
], &tmp
)) < 0)
1258 newsize
= res
->x509_rdn_sequence
.size
+ 2 + tmp
.size
;
1259 if (newsize
< res
->x509_rdn_sequence
.size
)
1262 _gnutls_free_datum (&tmp
);
1263 return GNUTLS_E_SHORT_MEMORY_BUFFER
;
1266 newdata
= gnutls_realloc (res
->x509_rdn_sequence
.data
, newsize
);
1267 if (newdata
== NULL
)
1270 _gnutls_free_datum (&tmp
);
1271 return GNUTLS_E_MEMORY_ERROR
;
1274 _gnutls_write_datum16 (newdata
+ res
->x509_rdn_sequence
.size
, tmp
);
1275 _gnutls_free_datum (&tmp
);
1277 res
->x509_rdn_sequence
.size
= newsize
;
1278 res
->x509_rdn_sequence
.data
= newdata
;
1284 /* Returns 0 if it's ok to use the gnutls_kx_algorithm_t with this
1285 * certificate (uses the KeyUsage field).
1288 _gnutls_check_key_usage (const gnutls_pcert_st
* cert
, gnutls_kx_algorithm_t alg
)
1290 unsigned int key_usage
= 0;
1296 return GNUTLS_E_INTERNAL_ERROR
;
1299 if (_gnutls_map_kx_get_cred (alg
, 1) == GNUTLS_CRD_CERTIFICATE
||
1300 _gnutls_map_kx_get_cred (alg
, 0) == GNUTLS_CRD_CERTIFICATE
)
1303 gnutls_pubkey_get_key_usage(cert
->pubkey
, &key_usage
);
1305 encipher_type
= _gnutls_kx_encipher_type (alg
);
1307 if (key_usage
!= 0 && encipher_type
!= CIPHER_IGN
)
1309 /* If key_usage has been set in the certificate
1312 if (encipher_type
== CIPHER_ENCRYPT
)
1314 /* If the key exchange method requires an encipher
1315 * type algorithm, and key's usage does not permit
1316 * encipherment, then fail.
1318 if (!(key_usage
& GNUTLS_KEY_KEY_ENCIPHERMENT
))
1321 return GNUTLS_E_KEY_USAGE_VIOLATION
;
1325 if (encipher_type
== CIPHER_SIGN
)
1327 /* The same as above, but for sign only keys
1329 if (!(key_usage
& GNUTLS_KEY_DIGITAL_SIGNATURE
))
1332 return GNUTLS_E_KEY_USAGE_VIOLATION
;
1341 parse_pem_ca_mem (gnutls_certificate_credentials_t res
,
1342 const uint8_t * input_cert
, int input_cert_size
)
1344 gnutls_x509_crt_t
*x509_cert_list
;
1345 unsigned int x509_ncerts
;
1349 tmp
.data
= (void*)input_cert
;
1350 tmp
.size
= input_cert_size
;
1352 ret
= gnutls_x509_crt_list_import2( &x509_cert_list
, &x509_ncerts
, &tmp
,
1353 GNUTLS_X509_FMT_PEM
, 0);
1360 if ((ret
= add_new_crt_to_rdn_seq (res
, x509_cert_list
, x509_ncerts
)) < 0)
1366 ret
= gnutls_x509_trust_list_add_cas(res
->tlist
, x509_cert_list
, x509_ncerts
, 0);
1374 gnutls_free(x509_cert_list
);
1378 /* Reads a DER encoded certificate list from memory and stores it to a
1379 * gnutls_cert structure. Returns the number of certificates parsed.
1382 parse_der_ca_mem (gnutls_certificate_credentials_t res
,
1383 const void *input_cert
, int input_cert_size
)
1385 gnutls_x509_crt_t crt
;
1389 tmp
.data
= (void*)input_cert
;
1390 tmp
.size
= input_cert_size
;
1392 ret
= gnutls_x509_crt_init( &crt
);
1399 ret
= gnutls_x509_crt_import( crt
, &tmp
, GNUTLS_X509_FMT_DER
);
1406 if ((ret
= add_new_crt_to_rdn_seq (res
, &crt
, 1)) < 0)
1412 ret
= gnutls_x509_trust_list_add_cas(res
->tlist
, &crt
, 1, 0);
1422 gnutls_x509_crt_deinit(crt
);
1427 * gnutls_certificate_set_x509_trust_mem:
1428 * @res: is a #gnutls_certificate_credentials_t structure.
1429 * @ca: is a list of trusted CAs or a DER certificate
1430 * @type: is DER or PEM
1432 * This function adds the trusted CAs in order to verify client or
1433 * server certificates. In case of a client this is not required to be
1434 * called if the certificates are not verified using
1435 * gnutls_certificate_verify_peers2(). This function may be called
1438 * In case of a server the CAs set here will be sent to the client if
1439 * a certificate request is sent. This can be disabled using
1440 * gnutls_certificate_send_x509_rdn_sequence().
1442 * Returns: the number of certificates processed or a negative error code
1446 gnutls_certificate_set_x509_trust_mem (gnutls_certificate_credentials_t res
,
1447 const gnutls_datum_t
* ca
,
1448 gnutls_x509_crt_fmt_t type
)
1452 if (type
== GNUTLS_X509_FMT_DER
)
1453 ret
= parse_der_ca_mem (res
,
1454 ca
->data
, ca
->size
);
1456 ret
= parse_pem_ca_mem (res
,
1457 ca
->data
, ca
->size
);
1459 if (ret
== GNUTLS_E_NO_CERTIFICATE_FOUND
)
1466 * gnutls_certificate_set_x509_trust:
1467 * @res: is a #gnutls_certificate_credentials_t structure.
1468 * @ca_list: is a list of trusted CAs
1469 * @ca_list_size: holds the size of the CA list
1471 * This function adds the trusted CAs in order to verify client
1472 * or server certificates. In case of a client this is not required
1473 * to be called if the certificates are not verified using
1474 * gnutls_certificate_verify_peers2().
1475 * This function may be called multiple times.
1477 * In case of a server the CAs set here will be sent to the client if
1478 * a certificate request is sent. This can be disabled using
1479 * gnutls_certificate_send_x509_rdn_sequence().
1481 * Returns: the number of certificates processed or a negative error code
1487 gnutls_certificate_set_x509_trust (gnutls_certificate_credentials_t res
,
1488 gnutls_x509_crt_t
* ca_list
,
1492 gnutls_x509_crt_t new_list
[ca_list_size
];
1494 for (i
= 0; i
< ca_list_size
; i
++)
1496 ret
= gnutls_x509_crt_init (&new_list
[i
]);
1503 ret
= _gnutls_x509_crt_cpy (new_list
[i
], ca_list
[i
]);
1511 if ((ret
= add_new_crt_to_rdn_seq (res
, new_list
, ca_list_size
)) < 0)
1517 ret
= gnutls_x509_trust_list_add_cas(res
->tlist
, new_list
, ca_list_size
, 0);
1528 gnutls_x509_crt_deinit(new_list
[j
]);
1535 * gnutls_certificate_set_x509_trust_file:
1536 * @cred: is a #gnutls_certificate_credentials_t structure.
1537 * @cafile: is a file containing the list of trusted CAs (DER or PEM list)
1538 * @type: is PEM or DER
1540 * This function adds the trusted CAs in order to verify client or
1541 * server certificates. In case of a client this is not required to
1542 * be called if the certificates are not verified using
1543 * gnutls_certificate_verify_peers2(). This function may be called
1546 * In case of a server the names of the CAs set here will be sent to
1547 * the client if a certificate request is sent. This can be disabled
1548 * using gnutls_certificate_send_x509_rdn_sequence().
1550 * This function can also accept PKCS #11 URLs. In that case it
1551 * will import all certificates that are marked as trusted.
1553 * Returns: number of certificates processed, or a negative error code on
1557 gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t cred
,
1559 gnutls_x509_crt_fmt_t type
)
1565 #ifdef ENABLE_PKCS11
1566 if (strncmp (cafile
, "pkcs11:", 7) == 0)
1568 return read_cas_url (cred
, cafile
);
1572 cas
.data
= (void*)read_binary_file (cafile
, &size
);
1573 if (cas
.data
== NULL
)
1576 return GNUTLS_E_FILE_ERROR
;
1581 ret
= gnutls_certificate_set_x509_trust_mem(cred
, &cas
, type
);
1596 set_x509_system_trust_file (gnutls_certificate_credentials_t cred
)
1598 HCERTSTORE store
= CertOpenSystemStore(0, "CA");
1599 const CERT_CONTEXT
*cert
;
1600 const CRL_CONTEXT
*crl
;
1601 gnutls_datum_t data
;
1608 if (i
==0) store
= CertOpenSystemStore(0, "ROOT");
1609 else store
= CertOpenSystemStore(0, "CA");
1611 if (store
== NULL
) return GNUTLS_E_FILE_ERROR
;
1613 cert
= CertEnumCertificatesInStore(store
, NULL
);
1614 crl
= CertEnumCRLsInStore(store
, NULL
);
1618 if (cert
->dwCertEncodingType
== X509_ASN_ENCODING
)
1620 data
.data
= cert
->pbCertEncoded
;
1621 data
.size
= cert
->cbCertEncoded
;
1622 if (gnutls_certificate_set_x509_trust_mem (cred
, &data
, GNUTLS_X509_FMT_DER
) > 0)
1625 cert
= CertEnumCertificatesInStore(store
, cert
);
1630 if (crl
->dwCertEncodingType
== X509_ASN_ENCODING
)
1632 data
.data
= crl
->pbCrlEncoded
;
1633 data
.size
= crl
->cbCrlEncoded
;
1635 gnutls_certificate_set_x509_crl_mem(cred
, &data
, GNUTLS_X509_FMT_DER
);
1637 crl
= CertEnumCRLsInStore(store
, crl
);
1639 CertCloseStore(store
, 0);
1644 #elif defined(DEFAULT_TRUST_STORE_FILE)
1646 set_x509_system_trust_file (gnutls_certificate_credentials_t cred
)
1652 cas
.data
= (void*)read_binary_file (DEFAULT_TRUST_STORE_FILE
, &size
);
1653 if (cas
.data
== NULL
)
1656 return GNUTLS_E_FILE_ERROR
;
1661 ret
= gnutls_certificate_set_x509_trust_mem(cred
, &cas
, GNUTLS_X509_FMT_PEM
);
1673 #ifdef DEFAULT_CRL_FILE
1674 cas
.data
= (void*)read_binary_file (DEFAULT_CRL_FILE
, &size
);
1675 if (cas
.data
== NULL
)
1683 ret
= gnutls_certificate_set_x509_crl_mem(cred
, &cas
, GNUTLS_X509_FMT_PEM
);
1699 * gnutls_certificate_set_x509_system_trust:
1700 * @cred: is a #gnutls_certificate_credentials_t structure.
1702 * This function adds the system's default trusted CAs in order to
1703 * verify client or server certificates.
1705 * In the case the system is currently unsupported %GNUTLS_E_UNIMPLEMENTED_FEATURE
1708 * Returns: the number of certificates processed or a negative error code
1714 gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred
)
1716 #if !defined(_WIN32) && !defined(DEFAULT_TRUST_STORE_PKCS11) && !defined(DEFAULT_TRUST_STORE_FILE)
1717 int r
= GNUTLS_E_UNIMPLEMENTED_FEATURE
;
1722 #if defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11)
1723 ret
= read_cas_url (cred
, DEFAULT_TRUST_STORE_PKCS11
);
1728 #ifdef DEFAULT_TRUST_STORE_FILE
1729 ret
= set_x509_system_trust_file(cred
);
1738 parse_pem_crl_mem (gnutls_x509_trust_list_t tlist
,
1739 const char * input_crl
, unsigned int input_crl_size
)
1741 gnutls_x509_crl_t
*x509_crl_list
;
1742 unsigned int x509_ncrls
;
1746 tmp
.data
= (void*)input_crl
;
1747 tmp
.size
= input_crl_size
;
1749 ret
= gnutls_x509_crl_list_import2( &x509_crl_list
, &x509_ncrls
, &tmp
,
1750 GNUTLS_X509_FMT_PEM
, 0);
1757 ret
= gnutls_x509_trust_list_add_crls(tlist
, x509_crl_list
, x509_ncrls
, 0, 0);
1765 gnutls_free(x509_crl_list
);
1769 /* Reads a DER encoded certificate list from memory and stores it to a
1770 * gnutls_cert structure. Returns the number of certificates parsed.
1773 parse_der_crl_mem (gnutls_x509_trust_list_t tlist
,
1774 const void *input_crl
, unsigned int input_crl_size
)
1776 gnutls_x509_crl_t crl
;
1780 tmp
.data
= (void*)input_crl
;
1781 tmp
.size
= input_crl_size
;
1783 ret
= gnutls_x509_crl_init( &crl
);
1790 ret
= gnutls_x509_crl_import( crl
, &tmp
, GNUTLS_X509_FMT_DER
);
1797 ret
= gnutls_x509_trust_list_add_crls(tlist
, &crl
, 1, 0, 0);
1807 gnutls_x509_crl_deinit(crl
);
1813 /* Reads a DER or PEM CRL from memory
1816 read_crl_mem (gnutls_certificate_credentials_t res
, const void *crl
,
1817 int crl_size
, gnutls_x509_crt_fmt_t type
)
1821 if (type
== GNUTLS_X509_FMT_DER
)
1822 ret
= parse_der_crl_mem (res
->tlist
, crl
, crl_size
);
1824 ret
= parse_pem_crl_mem (res
->tlist
, crl
, crl_size
);
1835 * gnutls_certificate_set_x509_crl_mem:
1836 * @res: is a #gnutls_certificate_credentials_t structure.
1837 * @CRL: is a list of trusted CRLs. They should have been verified before.
1838 * @type: is DER or PEM
1840 * This function adds the trusted CRLs in order to verify client or
1841 * server certificates. In case of a client this is not required to
1842 * be called if the certificates are not verified using
1843 * gnutls_certificate_verify_peers2(). This function may be called
1846 * Returns: number of CRLs processed, or a negative error code on error.
1849 gnutls_certificate_set_x509_crl_mem (gnutls_certificate_credentials_t res
,
1850 const gnutls_datum_t
* CRL
,
1851 gnutls_x509_crt_fmt_t type
)
1853 return read_crl_mem (res
, CRL
->data
, CRL
->size
, type
);
1857 * gnutls_certificate_set_x509_crl:
1858 * @res: is a #gnutls_certificate_credentials_t structure.
1859 * @crl_list: is a list of trusted CRLs. They should have been verified before.
1860 * @crl_list_size: holds the size of the crl_list
1862 * This function adds the trusted CRLs in order to verify client or
1863 * server certificates. In case of a client this is not required to
1864 * be called if the certificates are not verified using
1865 * gnutls_certificate_verify_peers2(). This function may be called
1868 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1873 gnutls_certificate_set_x509_crl (gnutls_certificate_credentials_t res
,
1874 gnutls_x509_crl_t
* crl_list
,
1878 gnutls_x509_crl_t new_crl
[crl_list_size
];
1880 for (i
= 0; i
< crl_list_size
; i
++)
1882 ret
= gnutls_x509_crl_init (&new_crl
[i
]);
1889 ret
= _gnutls_x509_crl_cpy (new_crl
[i
], crl_list
[i
]);
1897 ret
= gnutls_x509_trust_list_add_crls(res
->tlist
, new_crl
, crl_list_size
, 0, 0);
1908 gnutls_x509_crl_deinit(new_crl
[j
]);
1914 * gnutls_certificate_set_x509_crl_file:
1915 * @res: is a #gnutls_certificate_credentials_t structure.
1916 * @crlfile: is a file containing the list of verified CRLs (DER or PEM list)
1917 * @type: is PEM or DER
1919 * This function adds the trusted CRLs in order to verify client or server
1920 * certificates. In case of a client this is not required
1921 * to be called if the certificates are not verified using
1922 * gnutls_certificate_verify_peers2().
1923 * This function may be called multiple times.
1925 * Returns: number of CRLs processed or a negative error code on error.
1928 gnutls_certificate_set_x509_crl_file (gnutls_certificate_credentials_t res
,
1929 const char *crlfile
,
1930 gnutls_x509_crt_fmt_t type
)
1934 char *data
= (void*)read_binary_file (crlfile
, &size
);
1939 return GNUTLS_E_FILE_ERROR
;
1942 if (type
== GNUTLS_X509_FMT_DER
)
1943 ret
= parse_der_crl_mem (res
->tlist
, data
, size
);
1945 ret
= parse_pem_crl_mem (res
->tlist
, data
, size
);
1958 #include <gnutls/pkcs12.h>
1961 parse_pkcs12 (gnutls_certificate_credentials_t res
,
1962 gnutls_pkcs12_t p12
,
1963 const char *password
,
1964 gnutls_x509_privkey_t
* key
,
1965 gnutls_x509_crt_t
* cert
, gnutls_x509_crl_t
* crl
)
1967 gnutls_pkcs12_bag_t bag
= NULL
;
1970 size_t cert_id_size
= 0;
1971 size_t key_id_size
= 0;
1972 uint8_t cert_id
[20];
1980 /* find the first private key */
1983 int elements_in_bag
;
1986 ret
= gnutls_pkcs12_bag_init (&bag
);
1994 ret
= gnutls_pkcs12_get_bag (p12
, idx
, bag
);
1995 if (ret
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
)
2003 ret
= gnutls_pkcs12_bag_get_type (bag
, 0);
2010 if (ret
== GNUTLS_BAG_ENCRYPTED
)
2012 ret
= gnutls_pkcs12_bag_decrypt (bag
, password
);
2020 elements_in_bag
= gnutls_pkcs12_bag_get_count (bag
);
2021 if (elements_in_bag
< 0)
2027 for (i
= 0; i
< elements_in_bag
; i
++)
2030 gnutls_datum_t data
;
2032 type
= gnutls_pkcs12_bag_get_type (bag
, i
);
2039 ret
= gnutls_pkcs12_bag_get_data (bag
, i
, &data
);
2048 case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY
:
2049 case GNUTLS_BAG_PKCS8_KEY
:
2050 if (*key
!= NULL
) /* too simple to continue */
2056 ret
= gnutls_x509_privkey_init (key
);
2063 ret
= gnutls_x509_privkey_import_pkcs8
2064 (*key
, &data
, GNUTLS_X509_FMT_DER
, password
,
2065 type
== GNUTLS_BAG_PKCS8_KEY
? GNUTLS_PKCS_PLAIN
: 0);
2069 gnutls_x509_privkey_deinit (*key
);
2073 key_id_size
= sizeof (key_id
);
2075 gnutls_x509_privkey_get_key_id (*key
, 0, key_id
,
2080 gnutls_x509_privkey_deinit (*key
);
2084 privkey_ok
= 1; /* break */
2092 gnutls_pkcs12_bag_deinit (bag
);
2094 if (privkey_ok
!= 0) /* private key was found */
2098 if (privkey_ok
== 0) /* no private key */
2101 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
;
2104 /* now find the corresponding certificate
2110 int elements_in_bag
;
2113 ret
= gnutls_pkcs12_bag_init (&bag
);
2121 ret
= gnutls_pkcs12_get_bag (p12
, idx
, bag
);
2122 if (ret
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
)
2130 ret
= gnutls_pkcs12_bag_get_type (bag
, 0);
2137 if (ret
== GNUTLS_BAG_ENCRYPTED
)
2139 ret
= gnutls_pkcs12_bag_decrypt (bag
, password
);
2147 elements_in_bag
= gnutls_pkcs12_bag_get_count (bag
);
2148 if (elements_in_bag
< 0)
2154 for (i
= 0; i
< elements_in_bag
; i
++)
2157 gnutls_datum_t data
;
2159 type
= gnutls_pkcs12_bag_get_type (bag
, i
);
2166 ret
= gnutls_pkcs12_bag_get_data (bag
, i
, &data
);
2175 case GNUTLS_BAG_CERTIFICATE
:
2176 if (*cert
!= NULL
) /* no need to set it again */
2182 ret
= gnutls_x509_crt_init (cert
);
2190 gnutls_x509_crt_import (*cert
, &data
, GNUTLS_X509_FMT_DER
);
2194 gnutls_x509_crt_deinit (*cert
);
2198 /* check if the key id match */
2199 cert_id_size
= sizeof (cert_id
);
2201 gnutls_x509_crt_get_key_id (*cert
, 0, cert_id
, &cert_id_size
);
2205 gnutls_x509_crt_deinit (*cert
);
2209 if (memcmp (cert_id
, key_id
, cert_id_size
) != 0)
2210 { /* they don't match - skip the certificate */
2211 gnutls_x509_crt_deinit (*cert
);
2216 case GNUTLS_BAG_CRL
:
2223 ret
= gnutls_x509_crl_init (crl
);
2230 ret
= gnutls_x509_crl_import (*crl
, &data
, GNUTLS_X509_FMT_DER
);
2234 gnutls_x509_crl_deinit (*crl
);
2239 case GNUTLS_BAG_ENCRYPTED
:
2240 /* XXX Bother to recurse one level down? Unlikely to
2241 use the same password anyway. */
2242 case GNUTLS_BAG_EMPTY
:
2249 gnutls_pkcs12_bag_deinit (bag
);
2256 gnutls_pkcs12_bag_deinit (bag
);
2262 * gnutls_certificate_set_x509_simple_pkcs12_file:
2263 * @res: is a #gnutls_certificate_credentials_t structure.
2264 * @pkcs12file: filename of file containing PKCS#12 blob.
2265 * @type: is PEM or DER of the @pkcs12file.
2266 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
2268 * This function sets a certificate/private key pair and/or a CRL in
2269 * the gnutls_certificate_credentials_t structure. This function may
2270 * be called more than once (in case multiple keys/certificates exist
2273 * PKCS#12 files with a MAC, encrypted bags and PKCS #8
2274 * private keys are supported. However,
2275 * only password based security, and the same password for all
2276 * operations, are supported.
2278 * PKCS#12 file may contain many keys and/or certificates, and there
2279 * is no way to identify which key/certificate pair you want. You
2280 * should make sure the PKCS#12 file only contain one key/certificate
2281 * pair and/or one CRL.
2283 * It is believed that the limitations of this function is acceptable
2284 * for most usage, and that any more flexibility would introduce
2285 * complexity that would make it harder to use this functionality at
2288 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
2291 gnutls_certificate_set_x509_simple_pkcs12_file
2292 (gnutls_certificate_credentials_t res
, const char *pkcs12file
,
2293 gnutls_x509_crt_fmt_t type
, const char *password
)
2295 gnutls_datum_t p12blob
;
2299 p12blob
.data
= (void*)read_binary_file (pkcs12file
, &size
);
2300 p12blob
.size
= (unsigned int) size
;
2301 if (p12blob
.data
== NULL
)
2304 return GNUTLS_E_FILE_ERROR
;
2308 gnutls_certificate_set_x509_simple_pkcs12_mem (res
, &p12blob
, type
,
2310 free (p12blob
.data
);
2316 * gnutls_certificate_set_x509_simple_pkcs12_mem:
2317 * @res: is a #gnutls_certificate_credentials_t structure.
2318 * @p12blob: the PKCS#12 blob.
2319 * @type: is PEM or DER of the @pkcs12file.
2320 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
2322 * This function sets a certificate/private key pair and/or a CRL in
2323 * the gnutls_certificate_credentials_t structure. This function may
2324 * be called more than once (in case multiple keys/certificates exist
2327 * MAC:ed PKCS#12 files are supported. Encrypted PKCS#12 bags are
2328 * supported. Encrypted PKCS#8 private keys are supported. However,
2329 * only password based security, and the same password for all
2330 * operations, are supported.
2332 * PKCS#12 file may contain many keys and/or certificates, and there
2333 * is no way to identify which key/certificate pair you want. You
2334 * should make sure the PKCS#12 file only contain one key/certificate
2335 * pair and/or one CRL.
2337 * It is believed that the limitations of this function is acceptable
2338 * for most usage, and that any more flexibility would introduce
2339 * complexity that would make it harder to use this functionality at
2342 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
2347 gnutls_certificate_set_x509_simple_pkcs12_mem
2348 (gnutls_certificate_credentials_t res
, const gnutls_datum_t
* p12blob
,
2349 gnutls_x509_crt_fmt_t type
, const char *password
)
2351 gnutls_pkcs12_t p12
;
2352 gnutls_x509_privkey_t key
= NULL
;
2353 gnutls_x509_crt_t cert
= NULL
;
2354 gnutls_x509_crl_t crl
= NULL
;
2357 ret
= gnutls_pkcs12_init (&p12
);
2364 ret
= gnutls_pkcs12_import (p12
, p12blob
, type
, 0);
2368 gnutls_pkcs12_deinit (p12
);
2374 ret
= gnutls_pkcs12_verify_mac (p12
, password
);
2378 gnutls_pkcs12_deinit (p12
);
2383 ret
= parse_pkcs12 (res
, p12
, password
, &key
, &cert
, &crl
);
2384 gnutls_pkcs12_deinit (p12
);
2393 ret
= gnutls_certificate_set_x509_key (res
, &cert
, 1, key
);
2403 ret
= gnutls_certificate_set_x509_crl (res
, &crl
, 1);
2415 gnutls_x509_crt_deinit (cert
);
2417 gnutls_x509_privkey_deinit (key
);
2419 gnutls_x509_crl_deinit (crl
);
2427 * gnutls_certificate_free_crls:
2428 * @sc: is a #gnutls_certificate_credentials_t structure.
2430 * This function will delete all the CRLs associated
2431 * with the given credentials.
2434 gnutls_certificate_free_crls (gnutls_certificate_credentials_t sc
)
2436 /* do nothing for now */