lib/auth_cert.h

   1 /*
   2  * Copyright (C) 2002, 2003, 2004, 2005, 2007, 2008 Free Software Foundation
   3  *
   4  * Author: Nikos Mavrogiannopoulos
   5  *
   6  * This file is part of GNUTLS.
   7  *
   8  * The GNUTLS library is free software; you can redistribute it and/or
   9  * modify it under the terms of the GNU Lesser General Public License
  10  * as published by the Free Software Foundation; either version 2.1 of
  11  * the License, or (at your option) any later version.
  12  *
  13  * This library is distributed in the hope that it will be useful, but
  14  * WITHOUT ANY WARRANTY; without even the implied warranty of
  15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  16  * Lesser General Public License for more details.
  17  *
  18  * You should have received a copy of the GNU Lesser General Public
  19  * License along with this library; if not, write to the Free Software
  20  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
  21  * USA
  22  *
  23  */
  24
  25 #ifndef AUTH_CERT_H
  26 # define AUTH_CERT_H
  27 # include "gnutls_cert.h"
  28 # include "gnutls_auth.h"
  29 # include "auth_dh_common.h"
  30 # include "x509/x509_int.h"
  31 # include "openpgp/openpgp_int.h"
  32
  33 /* This structure may be complex, but it's the only way to
  34  * support a server that has multiple certificates
  35  */
  36 typedef struct gnutls_certificate_credentials_st
  37 {
  38   gnutls_dh_params_t dh_params;
  39   gnutls_rsa_params_t rsa_params;
  40   /* this callback is used to retrieve the DH or RSA
  41    * parameters.
  42    */
  43   gnutls_params_function *params_func;
  44
  45   gnutls_cert **cert_list;
  46   /* contains a list of a list of certificates.
  47    * eg (X509): [0] certificate1, certificate11, certificate111
  48    * (if more than one, one certificate certifies the one before)
  49    *       [1] certificate2, certificate22, ...
  50    */
  51   unsigned *cert_list_length;
  52   /* contains the number of the certificates in a
  53    * row (should be 1 for OpenPGP keys).
  54    */
  55   unsigned ncerts;              /* contains the number of columns in cert_list.
  56                                  * This is the same with the number of pkeys.
  57                                  */
  58
  59   gnutls_privkey *pkey;
  60   /* private keys. It contains ncerts private
  61    * keys. pkey[i] corresponds to certificate in
  62    * cert_list[i][0].
  63    */
  64
  65 #ifdef ENABLE_OPENPGP
  66   /* OpenPGP specific stuff */
  67   gnutls_openpgp_keyring_t keyring;
  68 #endif
  69
  70   /* X509 specific stuff */
  71
  72   gnutls_x509_crt_t *x509_ca_list;
  73   unsigned x509_ncas;           /* number of CAs in the ca_list
  74                                  */
  75
  76   gnutls_x509_crl_t *x509_crl_list;
  77   unsigned x509_ncrls;          /* number of CRLs in the crl_list
  78                                  */
  79
  80   unsigned int verify_flags;    /* flags to be used at
  81                                  * certificate verification.
  82                                  */
  83   unsigned int verify_depth;
  84   unsigned int verify_bits;
  85
  86   /* holds a sequence of the
  87    * RDNs of the CAs above.
  88    * This is better than
  89    * generating on every handshake.
  90    */
  91   gnutls_datum_t x509_rdn_sequence;
  92
  93   gnutls_certificate_client_retrieve_function *client_get_cert_callback;
  94   gnutls_certificate_server_retrieve_function *server_get_cert_callback;
  95 } certificate_credentials_st;
  96
  97 typedef struct rsa_info_st
  98 {
  99   gnutls_datum_t modulus;
 100   gnutls_datum_t exponent;
 101 } rsa_info_st;
 102
 103 /* This is the information we keep for the peer
 104  * certificate.
 105  */
 106 typedef struct cert_auth_info_st
 107 {
 108   int certificate_requested;    /* if the peer requested certificate
 109                                  * this is non zero;
 110                                  */
 111
 112   /* These (dh/rsa) are just copies from the credentials_t structure.
 113    * They must be freed.
 114    */
 115   dh_info_st dh;
 116   rsa_info_st rsa_export;
 117
 118   gnutls_datum_t *raw_certificate_list; /* holds the raw certificate of the
 119                                          * peer.
 120                                          */
 121   unsigned int ncerts;          /* holds the size of the list above */
 122
 123   gnutls_certificate_type_t cert_type;
 124 #ifdef ENABLE_OPENPGP
 125   int use_subkey;
 126   gnutls_openpgp_keyid_t subkey_id;
 127 #endif
 128 } *cert_auth_info_t;
 129
 130 typedef struct cert_auth_info_st cert_auth_info_st;
 131
 132 void _gnutls_free_rsa_info (rsa_info_st * rsa);
 133
 134 /* AUTH X509 functions */
 135 int _gnutls_gen_cert_server_certificate (gnutls_session_t, opaque **);
 136 int _gnutls_gen_cert_client_certificate (gnutls_session_t, opaque **);
 137 int _gnutls_gen_cert_client_cert_vrfy (gnutls_session_t, opaque **);
 138 int _gnutls_gen_cert_server_cert_req (gnutls_session_t, opaque **);
 139 int _gnutls_proc_cert_cert_req (gnutls_session_t, opaque *, size_t);
 140 int _gnutls_proc_cert_client_cert_vrfy (gnutls_session_t, opaque *, size_t);
 141 int _gnutls_proc_cert_server_certificate (gnutls_session_t, opaque *, size_t);
 142 int _gnutls_get_selected_cert (gnutls_session_t session,
 143                                gnutls_cert ** apr_cert_list,
 144                                int *apr_cert_list_length,
 145                                gnutls_privkey ** apr_pkey);
 146
 147 int _gnutls_server_select_cert (struct gnutls_session_int *,
 148                                 gnutls_pk_algorithm_t);
 149 void _gnutls_selected_certs_deinit (gnutls_session_t session);
 150 void _gnutls_selected_certs_set (gnutls_session_t session,
 151                                  gnutls_cert * certs, int ncerts,
 152                                  gnutls_privkey * key, int need_free);
 153
 154 #define _gnutls_proc_cert_client_certificate _gnutls_proc_cert_server_certificate
 155
 156 gnutls_rsa_params_t _gnutls_certificate_get_rsa_params (gnutls_rsa_params_t
 157                                                         rsa_params,
 158                                                         gnutls_params_function
 159                                                         * func,
 160                                                         gnutls_session_t);
 161
 162 int _gnutls_get_auth_info_gcert (gnutls_cert * gcert,
 163                                gnutls_certificate_type_t type,
 164                                cert_auth_info_t info,
 165                                int flags /* OR of ConvFlags */ );
 166
 167 #endif