search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
certtool is able to set certificate policies via a template
[gnutls.git] / lib / gnutls_x509.c
blob1ae5bddac4bbfdeb0d6e41741bad75d00ee8bf93
1 /*
2 * Copyright (C) 2002-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 #include <gnutls_int.h>
24 #include "gnutls_auth.h"
25 #include "gnutls_errors.h"
26 #include <auth/cert.h>
27 #include "gnutls_dh.h"
28 #include "gnutls_num.h"
29 #include "gnutls_datum.h"
30 #include <gnutls_pk.h>
31 #include <algorithms.h>
32 #include <gnutls_global.h>
33 #include <gnutls_record.h>
34 #include <gnutls_sig.h>
35 #include <gnutls_state.h>
36 #include <gnutls_pk.h>
37 #include <gnutls_str.h>
38 #include <debug.h>
39 #include <x509_b64.h>
40 #include <gnutls_x509.h>
41 #include <gnutls/ocsp.h>
42 #include "x509/common.h"
43 #include "x509/x509_int.h"
44 #include <gnutls_str_array.h>
45 #include "read-file.h"
46 #ifdef _WIN32
47 # include <wincrypt.h>
48 #endif
49
50 /*
51 * some x509 certificate parsing functions.
52 */
53
54 /* Check if the number of bits of the key in the certificate
55 * is unacceptable.
56 */
57 inline static int
58 check_bits (gnutls_session_t session, gnutls_x509_crt_t crt, unsigned int max_bits)
59 {
60 int ret, pk;
61 unsigned int bits;
62
63 ret = gnutls_x509_crt_get_pk_algorithm (crt, &bits);
64 if (ret < 0)
65 {
66 gnutls_assert ();
67 return ret;
68 }
69 pk = ret;
70
71 if (bits > max_bits && max_bits > 0)
72 {
73 gnutls_assert ();
74 return GNUTLS_E_CONSTRAINT_ERROR;
75 }
76
77 if (gnutls_pk_bits_to_sec_param(pk, bits) == GNUTLS_SEC_PARAM_INSECURE)
78 {
79 gnutls_assert();
80 _gnutls_audit_log(session, "The security level of the certificate (%s: %u) is weak\n", gnutls_pk_get_name(pk), bits);
81 if (session->internals.priorities.allow_weak_keys == 0)
82 return gnutls_assert_val(GNUTLS_E_CERTIFICATE_ERROR);
83 }
84
85 return 0;
86 }
87
88 /* three days */
89 #define MAX_OCSP_VALIDITY_SECS (3*60*60*24)
90
91 /* If the certificate is revoked status will be GNUTLS_CERT_REVOKED.
92 *
93 * Returns:
94 * Zero on success, a negative error code otherwise.
95 */
96 static int
97 check_ocsp_response (gnutls_session_t session, gnutls_x509_crt_t cert,
98 gnutls_x509_crt_t issuer,
99 gnutls_datum_t *data, unsigned int * ostatus)
100 {
101 gnutls_ocsp_resp_t resp;
102 int ret;
103 unsigned int status, cert_status;
104 time_t rtime, vtime, ntime, now;
105 int check_failed = 0;
106
107 now = gnutls_time(0);
108
109 ret = gnutls_ocsp_resp_init (&resp);
110 if (ret < 0)
111 return gnutls_assert_val(ret);
112
113 ret = gnutls_ocsp_resp_import (resp, data);
114 if (ret < 0)
115 {
116 _gnutls_audit_log (session, "There was an error parsing the OCSP response: %s.\n", gnutls_strerror(ret));
117 ret = gnutls_assert_val(0);
118 check_failed = 1;
119 goto cleanup;
120 }
121
122 ret = gnutls_ocsp_resp_check_crt(resp, 0, cert);
123 if (ret < 0)
124 {
125 ret = gnutls_assert_val(0);
126 _gnutls_audit_log (session, "Got OCSP response with an unrelated certificate.\n");
127 check_failed = 1;
128 goto cleanup;
129 }
130
131 ret = gnutls_ocsp_resp_verify_direct( resp, issuer, &status, 0);
132 if (ret < 0)
133 {
134 ret = gnutls_assert_val(0);
135 gnutls_assert();
136 check_failed = 1;
137 goto cleanup;
138 }
139
140 /* do not consider revocation data if response was not verified */
141 if (status != 0)
142 {
143 ret = gnutls_assert_val(0);
144 check_failed = 1;
145 goto cleanup;
146 }
147
148 ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL,
149 &cert_status, &vtime, &ntime, &rtime, NULL);
150 if (ret < 0)
151 {
152 _gnutls_audit_log (session, "There was an error parsing the OCSP response: %s.\n", gnutls_strerror(ret));
153 ret = gnutls_assert_val(0);
154 check_failed = 1;
155 goto cleanup;
156 }
157
158 if (cert_status == GNUTLS_OCSP_CERT_REVOKED)
159 {
160 _gnutls_audit_log(session, "The certificate was revoked via OCSP\n");
161 check_failed = 1;
162 *ostatus |= GNUTLS_CERT_REVOKED;
163 ret = gnutls_assert_val(0);
164 goto cleanup;
165 }
166
167 /* Report but do not fail on the following errors. That is
168 * because including the OCSP response in the handshake shouldn't
169 * cause more problems that not including it.
170 */
171 if (ntime == -1)
172 {
173 if (now - vtime > MAX_OCSP_VALIDITY_SECS)
174 {
175 _gnutls_audit_log(session, "The OCSP response is old\n");
176 check_failed = 1;
177 goto cleanup;
178 }
179 }
180 else
181 {
182 /* there is a newer OCSP answer, don't trust this one */
183 if (ntime < now)
184 {
185 _gnutls_audit_log(session, "There is a newer OCSP response but was not provided by the server\n");
186 check_failed = 1;
187 goto cleanup;
188 }
189 }
190
191 ret = 0;
192 cleanup:
193 if (check_failed == 0)
194 session->internals.ocsp_check_ok = 1;
195
196 gnutls_ocsp_resp_deinit (resp);
197
198 return ret;
199 }
200
201
202 #define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) { \
203 if (peer_certificate_list[x]) \
204 gnutls_x509_crt_deinit(peer_certificate_list[x]); \
205 } \
206 gnutls_free( peer_certificate_list)
207
208 /*-
209 * _gnutls_x509_cert_verify_peers - return the peer's certificate status
210 * @session: is a gnutls session
211 *
212 * This function will try to verify the peer's certificate and return its status (TRUSTED, REVOKED etc.).
213 * The return value (status) should be one of the gnutls_certificate_status_t enumerated elements.
214 * However you must also check the peer's name in order to check if the verified certificate belongs to the
215 * actual peer. Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
216 -*/
217 int
218 _gnutls_x509_cert_verify_peers (gnutls_session_t session,
219 const char* hostname,
220 unsigned int *status)
221 {
222 cert_auth_info_t info;
223 gnutls_certificate_credentials_t cred;
224 gnutls_x509_crt_t *peer_certificate_list;
225 gnutls_datum_t resp;
226 int peer_certificate_list_size, i, x, ret;
227 gnutls_x509_crt_t issuer;
228 unsigned int ocsp_status = 0;
229 unsigned int verify_flags;
230
231 /* No OCSP check so far */
232 session->internals.ocsp_check_ok = 0;
233
234 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
235
236 info = _gnutls_get_auth_info (session);
237 if (info == NULL)
238 {
239 gnutls_assert ();
240 return GNUTLS_E_INVALID_REQUEST;
241 }
242
243 cred = (gnutls_certificate_credentials_t)
244 _gnutls_get_cred (session, GNUTLS_CRD_CERTIFICATE, NULL);
245 if (cred == NULL)
246 {
247 gnutls_assert ();
248 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
249 }
250
251 if (info->raw_certificate_list == NULL || info->ncerts == 0)
252 return GNUTLS_E_NO_CERTIFICATE_FOUND;
253
254 if (info->ncerts > cred->verify_depth && cred->verify_depth > 0)
255 {
256 gnutls_assert ();
257 return GNUTLS_E_CONSTRAINT_ERROR;
258 }
259
260 verify_flags = cred->verify_flags | session->internals.priorities.additional_verify_flags;
261 /* generate a list of gnutls_certs based on the auth info
262 * raw certs.
263 */
264 peer_certificate_list_size = info->ncerts;
265 peer_certificate_list =
266 gnutls_calloc (peer_certificate_list_size, sizeof (gnutls_x509_crt_t));
267 if (peer_certificate_list == NULL)
268 {
269 gnutls_assert ();
270 return GNUTLS_E_MEMORY_ERROR;
271 }
272
273 for (i = 0; i < peer_certificate_list_size; i++)
274 {
275 ret = gnutls_x509_crt_init (&peer_certificate_list[i]);
276 if (ret < 0)
277 {
278 gnutls_assert ();
279 CLEAR_CERTS;
280 return ret;
281 }
282
283 ret =
284 gnutls_x509_crt_import (peer_certificate_list[i],
285 &info->raw_certificate_list[i],
286 GNUTLS_X509_FMT_DER);
287 if (ret < 0)
288 {
289 gnutls_assert ();
290 CLEAR_CERTS;
291 return ret;
292 }
293
294 ret = check_bits (session, peer_certificate_list[i], cred->verify_bits);
295 if (ret < 0)
296 {
297 gnutls_assert ();
298 CLEAR_CERTS;
299 return ret;
300 }
301
302 }
303
304 /* Use the OCSP extension if any */
305 if (verify_flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS)
306 goto skip_ocsp;
307
308 ret = gnutls_ocsp_status_request_get(session, &resp);
309 if (ret < 0)
310 goto skip_ocsp;
311
312 if (peer_certificate_list_size > 1)
313 issuer = peer_certificate_list[1];
314 else
315 {
316 ret = gnutls_x509_trust_list_get_issuer(cred->tlist, peer_certificate_list[0],
317 &issuer, 0);
318 if (ret < 0)
319 {
320 goto skip_ocsp;
321 }
322 }
323
324 ret = check_ocsp_response(session, peer_certificate_list[0], issuer, &resp, &ocsp_status);
325 if (ret < 0)
326 {
327 CLEAR_CERTS;
328 return gnutls_assert_val(ret);
329 }
330
331 skip_ocsp:
332 /* Verify certificate
333 */
334 ret = gnutls_x509_trust_list_verify_crt (cred->tlist, peer_certificate_list,
335 peer_certificate_list_size,
336 verify_flags, status, NULL);
337
338 if (ret < 0)
339 {
340 gnutls_assert ();
341 CLEAR_CERTS;
342 return ret;
343 }
344
345 if (hostname)
346 {
347 ret = gnutls_x509_crt_check_hostname( peer_certificate_list[0], hostname);
348 if (ret == 0)
349 *status |= GNUTLS_CERT_UNEXPECTED_OWNER;
350 }
351
352 CLEAR_CERTS;
353
354 *status |= ocsp_status;
355
356 return 0;
357 }
358
359 /* Returns the name of the certificate of a null name
360 */
361 static int get_x509_name(gnutls_x509_crt_t crt, gnutls_str_array_t *names)
362 {
363 size_t max_size;
364 int i, ret = 0, ret2;
365 char name[MAX_CN];
366
367 for (i = 0; !(ret < 0); i++)
368 {
369 max_size = sizeof(name);
370
371 ret = gnutls_x509_crt_get_subject_alt_name(crt, i, name, &max_size, NULL);
372 if (ret == GNUTLS_SAN_DNSNAME)
373 {
374 ret2 = _gnutls_str_array_append(names, name, max_size);
375 if (ret2 < 0)
376 {
377 _gnutls_str_array_clear(names);
378 return gnutls_assert_val(ret2);
379 }
380 }
381 }
382
383 max_size = sizeof(name);
384 ret = gnutls_x509_crt_get_dn_by_oid (crt, OID_X520_COMMON_NAME, 0, 0, name, &max_size);
385 if (ret >= 0)
386 {
387 ret = _gnutls_str_array_append(names, name, max_size);
388 if (ret < 0)
389 {
390 _gnutls_str_array_clear(names);
391 return gnutls_assert_val(ret);
392 }
393 }
394
395 return 0;
396 }
397
398 static int get_x509_name_raw(gnutls_datum_t *raw, gnutls_x509_crt_fmt_t type, gnutls_str_array_t *names)
399 {
400 int ret;
401 gnutls_x509_crt_t crt;
402
403 ret = gnutls_x509_crt_init (&crt);
404 if (ret < 0)
405 {
406 gnutls_assert ();
407 return ret;
408 }
409
410 ret = gnutls_x509_crt_import (crt, raw, type);
411 if (ret < 0)
412 {
413 gnutls_assert ();
414 gnutls_x509_crt_deinit (crt);
415 return ret;
416 }
417
418 ret = get_x509_name(crt, names);
419 gnutls_x509_crt_deinit (crt);
420 return ret;
421 }
422
423 /* Reads a DER encoded certificate list from memory and stores it to a
424 * gnutls_cert structure. Returns the number of certificates parsed.
425 */
426 static int
427 parse_der_cert_mem (gnutls_certificate_credentials_t res,
428 const void *input_cert, int input_cert_size)
429 {
430 gnutls_datum_t tmp;
431 gnutls_x509_crt_t crt;
432 gnutls_pcert_st *ccert;
433 int ret;
434 gnutls_str_array_t names;
435
436 _gnutls_str_array_init(&names);
437
438 ccert = gnutls_malloc (sizeof (*ccert));
439 if (ccert == NULL)
440 {
441 gnutls_assert ();
442 return GNUTLS_E_MEMORY_ERROR;
443 }
444
445 ret = gnutls_x509_crt_init (&crt);
446 if (ret < 0)
447 {
448 gnutls_assert ();
449 goto cleanup;
450 }
451
452 tmp.data = (uint8_t *) input_cert;
453 tmp.size = input_cert_size;
454
455 ret = gnutls_x509_crt_import (crt, &tmp, GNUTLS_X509_FMT_DER);
456 if (ret < 0)
457 {
458 gnutls_assert ();
459 gnutls_x509_crt_deinit (crt);
460 goto cleanup;
461 }
462
463 ret = get_x509_name(crt, &names);
464 if (ret < 0)
465 {
466 gnutls_assert();
467 gnutls_x509_crt_deinit (crt);
468 goto cleanup;
469 }
470
471 ret = gnutls_pcert_import_x509 (ccert, crt, 0);
472 gnutls_x509_crt_deinit (crt);
473
474 if (ret < 0)
475 {
476 gnutls_assert ();
477 goto cleanup;
478 }
479
480 ret = certificate_credential_append_crt_list (res, names, ccert, 1);
481 if (ret < 0)
482 {
483 gnutls_assert ();
484 goto cleanup;
485 }
486
487 return ret;
488
489 cleanup:
490 _gnutls_str_array_clear(&names);
491 gnutls_free (ccert);
492 return ret;
493 }
494
495 /* Reads a base64 encoded certificate list from memory and stores it to
496 * a gnutls_cert structure. Returns the number of certificate parsed.
497 */
498 static int
499 parse_pem_cert_mem (gnutls_certificate_credentials_t res,
500 const char *input_cert, int input_cert_size)
501 {
502 int size;
503 const char *ptr;
504 gnutls_datum_t tmp;
505 int ret, count, i;
506 gnutls_pcert_st *certs = NULL;
507 gnutls_str_array_t names;
508
509 _gnutls_str_array_init(&names);
510
511 /* move to the certificate
512 */
513 ptr = memmem (input_cert, input_cert_size,
514 PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
515 if (ptr == NULL)
516 ptr = memmem (input_cert, input_cert_size,
517 PEM_CERT_SEP2, sizeof (PEM_CERT_SEP2) - 1);
518
519 if (ptr == NULL)
520 {
521 gnutls_assert ();
522 return GNUTLS_E_BASE64_DECODING_ERROR;
523 }
524 size = input_cert_size - (ptr - input_cert);
525
526 count = 0;
527
528 do
529 {
530 certs = gnutls_realloc_fast (certs, (count + 1) * sizeof (gnutls_pcert_st));
531
532 if (certs == NULL)
533 {
534 gnutls_assert ();
535 ret = GNUTLS_E_MEMORY_ERROR;
536 goto cleanup;
537 }
538
539 tmp.data = (void*)ptr;
540 tmp.size = size;
541
542 if (count == 0)
543 {
544 ret = get_x509_name_raw(&tmp, GNUTLS_X509_FMT_PEM, &names);
545 if (ret < 0)
546 {
547 gnutls_assert();
548 goto cleanup;
549 }
550 }
551
552 ret = gnutls_pcert_import_x509_raw (&certs[count], &tmp, GNUTLS_X509_FMT_PEM, 0);
553 if (ret < 0)
554 {
555 gnutls_assert ();
556 goto cleanup;
557 }
558
559 /* now we move ptr after the pem header
560 */
561 ptr++;
562 /* find the next certificate (if any)
563 */
564 size = input_cert_size - (ptr - input_cert);
565
566 if (size > 0)
567 {
568 char *ptr3;
569
570 ptr3 = memmem (ptr, size, PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
571 if (ptr3 == NULL)
572 ptr3 = memmem (ptr, size, PEM_CERT_SEP2,
573 sizeof (PEM_CERT_SEP2) - 1);
574
575 ptr = ptr3;
576 }
577 else
578 ptr = NULL;
579
580 count++;
581
582 }
583 while (ptr != NULL);
584
585 ret = certificate_credential_append_crt_list (res, names, certs, count);
586 if (ret < 0)
587 {
588 gnutls_assert ();
589 goto cleanup;
590 }
591
592 return count;
593
594 cleanup:
595 _gnutls_str_array_clear(&names);
596 for (i=0;i<count;i++)
597 gnutls_pcert_deinit(&certs[i]);
598 gnutls_free(certs);
599 return ret;
600 }
601
602
603
604 /* Reads a DER or PEM certificate from memory
605 */
606 static int
607 read_cert_mem (gnutls_certificate_credentials_t res, const void *cert,
608 int cert_size, gnutls_x509_crt_fmt_t type)
609 {
610 int ret;
611
612 if (type == GNUTLS_X509_FMT_DER)
613 ret = parse_der_cert_mem (res, cert, cert_size);
614 else
615 ret = parse_pem_cert_mem (res, cert, cert_size);
616
617 if (ret < 0)
618 {
619 gnutls_assert ();
620 return ret;
621 }
622
623 return ret;
624 }
625
626 /* Reads a PEM encoded PKCS-1 RSA/DSA private key from memory. Type
627 * indicates the certificate format. KEY can be NULL, to indicate
628 * that GnuTLS doesn't know the private key.
629 */
630 static int
631 read_key_mem (gnutls_certificate_credentials_t res,
632 const void *key, int key_size, gnutls_x509_crt_fmt_t type)
633 {
634 int ret;
635 gnutls_datum_t tmp;
636 gnutls_privkey_t privkey;
637
638 if (key)
639 {
640 tmp.data = (uint8_t *) key;
641 tmp.size = key_size;
642
643 ret = gnutls_privkey_init(&privkey);
644 if (ret < 0)
645 {
646 gnutls_assert ();
647 return ret;
648 }
649
650 if (res->pin.cb)
651 gnutls_privkey_set_pin_function(privkey, res->pin.cb, res->pin.data);
652
653 ret = gnutls_privkey_import_x509_raw (privkey, &tmp, type, NULL, 0);
654 if (ret < 0)
655 {
656 gnutls_assert ();
657 return ret;
658 }
659
660 ret = certificate_credentials_append_pkey (res, privkey);
661 if (ret < 0)
662 {
663 gnutls_assert ();
664 gnutls_privkey_deinit (privkey);
665 return ret;
666 }
667
668 }
669 else
670 {
671 gnutls_assert ();
672 return GNUTLS_E_INVALID_REQUEST;
673 }
674
675
676 return 0;
677 }
678
679
680 /* Reads a private key from a token.
681 */
682 static int
683 read_key_url (gnutls_certificate_credentials_t res, const char *url)
684 {
685 int ret;
686 gnutls_privkey_t pkey = NULL;
687
688 /* allocate space for the pkey list
689 */
690 ret = gnutls_privkey_init (&pkey);
691 if (ret < 0)
692 {
693 gnutls_assert ();
694 return ret;
695 }
696
697 if (res->pin.cb)
698 gnutls_privkey_set_pin_function(pkey, res->pin.cb, res->pin.data);
699
700 ret = gnutls_privkey_import_url (pkey, url, 0);
701 if (ret < 0)
702 {
703 gnutls_assert ();
704 goto cleanup;
705 }
706
707 ret = certificate_credentials_append_pkey (res, pkey);
708 if (ret < 0)
709 {
710 gnutls_assert ();
711 goto cleanup;
712 }
713
714 return 0;
715
716 cleanup:
717 if (pkey)
718 gnutls_privkey_deinit (pkey);
719
720 return ret;
721 }
722
723 #ifdef ENABLE_PKCS11
724 /* Reads a private key from a token.
725 */
726 static int
727 read_cas_url (gnutls_certificate_credentials_t res, const char *url)
728 {
729 int ret;
730 gnutls_x509_crt_t *xcrt_list = NULL;
731 gnutls_pkcs11_obj_t *pcrt_list = NULL;
732 unsigned int pcrt_list_size = 0;
733
734 /* FIXME: should we use login? */
735 ret =
736 gnutls_pkcs11_obj_list_import_url (NULL, &pcrt_list_size, url,
737 GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED, 0);
738 if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
739 {
740 gnutls_assert ();
741 return ret;
742 }
743
744 if (pcrt_list_size == 0)
745 {
746 gnutls_assert ();
747 return 0;
748 }
749
750 pcrt_list = gnutls_malloc (sizeof (*pcrt_list) * pcrt_list_size);
751 if (pcrt_list == NULL)
752 {
753 gnutls_assert ();
754 return GNUTLS_E_MEMORY_ERROR;
755 }
756
757 ret =
758 gnutls_pkcs11_obj_list_import_url (pcrt_list, &pcrt_list_size, url,
759 GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED, 0);
760 if (ret < 0)
761 {
762 gnutls_assert ();
763 goto cleanup;
764 }
765
766 xcrt_list = gnutls_malloc (sizeof (*xcrt_list) * pcrt_list_size);
767 if (xcrt_list == NULL)
768 {
769 gnutls_assert ();
770 ret = GNUTLS_E_MEMORY_ERROR;
771 goto cleanup;
772 }
773
774 ret =
775 gnutls_x509_crt_list_import_pkcs11 (xcrt_list, pcrt_list_size, pcrt_list,
776 0);
777 if (ret < 0)
778 {
779 gnutls_assert ();
780 goto cleanup;
781 }
782
783 ret = gnutls_x509_trust_list_add_cas(res->tlist, xcrt_list, pcrt_list_size, 0);
784 if (ret < 0)
785 {
786 gnutls_assert();
787 goto cleanup;
788 }
789
790 cleanup:
791 gnutls_free (xcrt_list);
792 gnutls_free (pcrt_list);
793
794 return ret;
795
796 }
797
798
799 /* Reads a certificate key from a token.
800 */
801 static int
802 read_cert_url (gnutls_certificate_credentials_t res, const char *url)
803 {
804 int ret;
805 gnutls_x509_crt_t crt;
806 gnutls_pcert_st *ccert;
807 gnutls_str_array_t names;
808
809 _gnutls_str_array_init(&names);
810
811 ccert = gnutls_malloc (sizeof (*ccert));
812 if (ccert == NULL)
813 {
814 gnutls_assert ();
815 return GNUTLS_E_MEMORY_ERROR;
816 }
817
818 ret = gnutls_x509_crt_init (&crt);
819 if (ret < 0)
820 {
821 gnutls_assert ();
822 goto cleanup;
823 }
824
825 if (res->pin.cb)
826 gnutls_x509_crt_set_pin_function(crt, res->pin.cb, res->pin.data);
827
828 ret = gnutls_x509_crt_import_pkcs11_url (crt, url, 0);
829 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
830 ret =
831 gnutls_x509_crt_import_pkcs11_url (crt, url,
832 GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
833
834 if (ret < 0)
835 {
836 gnutls_assert ();
837 gnutls_x509_crt_deinit (crt);
838 goto cleanup;
839 }
840
841 ret = get_x509_name(crt, &names);
842 if (ret < 0)
843 {
844 gnutls_assert ();
845 gnutls_x509_crt_deinit (crt);
846 goto cleanup;
847 }
848
849 ret = gnutls_pcert_import_x509 (ccert, crt, 0);
850 gnutls_x509_crt_deinit (crt);
851
852 if (ret < 0)
853 {
854 gnutls_assert ();
855 goto cleanup;
856 }
857
858 ret = certificate_credential_append_crt_list (res, names, ccert, 1);
859 if (ret < 0)
860 {
861 gnutls_assert ();
862 goto cleanup;
863 }
864
865 return 0;
866
867 cleanup:
868 _gnutls_str_array_clear(&names);
869 gnutls_free (ccert);
870 return ret;
871 }
872 #endif
873
874 /* Reads a certificate file
875 */
876 static int
877 read_cert_file (gnutls_certificate_credentials_t res,
878 const char *certfile, gnutls_x509_crt_fmt_t type)
879 {
880 int ret;
881 size_t size;
882 char *data;
883
884 #ifdef ENABLE_PKCS11
885 if (strncmp (certfile, "pkcs11:", 7) == 0)
886 {
887 return read_cert_url (res, certfile);
888 }
889 #endif /* ENABLE_PKCS11 */
890
891 data = read_binary_file (certfile, &size);
892
893 if (data == NULL)
894 {
895 gnutls_assert ();
896 return GNUTLS_E_FILE_ERROR;
897 }
898
899 ret = read_cert_mem (res, data, size, type);
900 free (data);
901
902 return ret;
903
904 }
905
906
907
908 /* Reads PKCS-1 RSA private key file or a DSA file (in the format openssl
909 * stores it).
910 */
911 static int
912 read_key_file (gnutls_certificate_credentials_t res,
913 const char *keyfile, gnutls_x509_crt_fmt_t type)
914 {
915 int ret;
916 size_t size;
917 char *data;
918
919 if (gnutls_url_is_supported(keyfile))
920 {
921 return read_key_url (res, keyfile);
922 }
923
924 data = read_binary_file (keyfile, &size);
925
926 if (data == NULL)
927 {
928 gnutls_assert ();
929 return GNUTLS_E_FILE_ERROR;
930 }
931
932 ret = read_key_mem (res, data, size, type);
933 free (data);
934
935 return ret;
936 }
937
938 /**
939 * gnutls_certificate_set_x509_key_mem:
940 * @res: is a #gnutls_certificate_credentials_t structure.
941 * @cert: contains a certificate list (path) for the specified private key
942 * @key: is the private key, or %NULL
943 * @type: is PEM or DER
944 *
945 * This function sets a certificate/private key pair in the
946 * gnutls_certificate_credentials_t structure. This function may be called
947 * more than once, in case multiple keys/certificates exist for the
948 * server.
949 *
950 * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates
951 * is supported. This means that certificates intended for signing cannot
952 * be used for ciphersuites that require encryption.
953 *
954 * If the certificate and the private key are given in PEM encoding
955 * then the strings that hold their values must be null terminated.
956 *
957 * The @key may be %NULL if you are using a sign callback, see
958 * gnutls_sign_callback_set().
959 *
960 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
961 **/
962 int
963 gnutls_certificate_set_x509_key_mem (gnutls_certificate_credentials_t res,
964 const gnutls_datum_t * cert,
965 const gnutls_datum_t * key,
966 gnutls_x509_crt_fmt_t type)
967 {
968 int ret;
969
970 /* this should be first
971 */
972 if ((ret = read_key_mem (res, key ? key->data : NULL,
973 key ? key->size : 0, type)) < 0)
974 return ret;
975
976 if ((ret = read_cert_mem (res, cert->data, cert->size, type)) < 0)
977 return ret;
978
979 res->ncerts++;
980
981 if (key && (ret = _gnutls_check_key_cert_match (res)) < 0)
982 {
983 gnutls_assert ();
984 return ret;
985 }
986
987 return 0;
988 }
989
990 static int check_if_sorted(gnutls_pcert_st * crt, int nr)
991 {
992 gnutls_x509_crt_t x509;
993 char prev_dn[MAX_DN];
994 char dn[MAX_DN];
995 size_t prev_dn_size, dn_size;
996 int i, ret;
997
998 /* check if the X.509 list is ordered */
999 if (nr > 1 && crt[0].type == GNUTLS_CRT_X509)
1000 {
1001
1002 for (i=0;i<nr;i++)
1003 {
1004 ret = gnutls_x509_crt_init(&x509);
1005 if (ret < 0)
1006 return gnutls_assert_val(ret);
1007
1008 ret = gnutls_x509_crt_import(x509, &crt[i].cert, GNUTLS_X509_FMT_DER);
1009 if (ret < 0)
1010 {
1011 ret = gnutls_assert_val(ret);
1012 goto cleanup;
1013 }
1014
1015 if (i>0)
1016 {
1017 dn_size = sizeof(dn);
1018 ret = gnutls_x509_crt_get_dn(x509, dn, &dn_size);
1019 if (ret < 0)
1020 {
1021 ret = gnutls_assert_val(ret);
1022 goto cleanup;
1023 }
1024
1025 if (dn_size != prev_dn_size || memcmp(dn, prev_dn, dn_size) != 0)
1026 {
1027 ret = gnutls_assert_val(GNUTLS_E_CERTIFICATE_LIST_UNSORTED);
1028 goto cleanup;
1029 }
1030 }
1031
1032 prev_dn_size = sizeof(prev_dn);
1033 ret = gnutls_x509_crt_get_issuer_dn(x509, prev_dn, &prev_dn_size);
1034 if (ret < 0)
1035 {
1036 ret = gnutls_assert_val(ret);
1037 goto cleanup;
1038 }
1039
1040 gnutls_x509_crt_deinit(x509);
1041 }
1042 }
1043
1044 return 0;
1045
1046 cleanup:
1047 gnutls_x509_crt_deinit(x509);
1048 return ret;
1049 }
1050
1051 int
1052 certificate_credential_append_crt_list (gnutls_certificate_credentials_t res,
1053 gnutls_str_array_t names, gnutls_pcert_st * crt, int nr)
1054 {
1055 int ret;
1056
1057 ret = check_if_sorted(crt, nr);
1058 if (ret < 0)
1059 return gnutls_assert_val(ret);
1060
1061 res->certs = gnutls_realloc_fast (res->certs,
1062 (1 + res->ncerts) *
1063 sizeof (certs_st));
1064 if (res->certs == NULL)
1065 {
1066 gnutls_assert ();
1067 return GNUTLS_E_MEMORY_ERROR;
1068 }
1069
1070 res->certs[res->ncerts].cert_list = crt;
1071 res->certs[res->ncerts].cert_list_length = nr;
1072 res->certs[res->ncerts].names = names;
1073
1074 return 0;
1075
1076 }
1077
1078 int
1079 certificate_credentials_append_pkey (gnutls_certificate_credentials_t res,
1080 gnutls_privkey_t pkey)
1081 {
1082 res->pkey = gnutls_realloc_fast (res->pkey,
1083 (1 + res->ncerts) *
1084 sizeof (gnutls_privkey_t));
1085 if (res->pkey == NULL)
1086 {
1087 gnutls_assert ();
1088 return GNUTLS_E_MEMORY_ERROR;
1089 }
1090 res->pkey[res->ncerts] = pkey;
1091 return 0;
1092
1093 }
1094
1095 /**
1096 * gnutls_certificate_set_x509_key:
1097 * @res: is a #gnutls_certificate_credentials_t structure.
1098 * @cert_list: contains a certificate list (path) for the specified private key
1099 * @cert_list_size: holds the size of the certificate list
1100 * @key: is a #gnutls_x509_privkey_t key
1101 *
1102 * This function sets a certificate/private key pair in the
1103 * gnutls_certificate_credentials_t structure. This function may be
1104 * called more than once, in case multiple keys/certificates exist for
1105 * the server. For clients that wants to send more than their own end
1106 * entity certificate (e.g., also an intermediate CA cert) then put
1107 * the certificate chain in @cert_list.
1108 *
1109 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1110 *
1111 * Since: 2.4.0
1112 **/
1113 int
1114 gnutls_certificate_set_x509_key (gnutls_certificate_credentials_t res,
1115 gnutls_x509_crt_t * cert_list,
1116 int cert_list_size,
1117 gnutls_x509_privkey_t key)
1118 {
1119 int ret, i;
1120 gnutls_privkey_t pkey;
1121 gnutls_pcert_st *pcerts = NULL;
1122 gnutls_str_array_t names;
1123
1124 _gnutls_str_array_init(&names);
1125
1126 /* this should be first
1127 */
1128 ret = gnutls_privkey_init (&pkey);
1129 if (ret < 0)
1130 {
1131 gnutls_assert ();
1132 return ret;
1133 }
1134
1135 if (res->pin.cb)
1136 gnutls_privkey_set_pin_function(pkey, res->pin.cb, res->pin.data);
1137
1138 ret = gnutls_privkey_import_x509 (pkey, key, GNUTLS_PRIVKEY_IMPORT_COPY);
1139 if (ret < 0)
1140 {
1141 gnutls_assert ();
1142 return ret;
1143 }
1144
1145 ret = certificate_credentials_append_pkey (res, pkey);
1146 if (ret < 0)
1147 {
1148 gnutls_assert ();
1149 return ret;
1150 }
1151
1152 /* load certificates */
1153 pcerts = gnutls_malloc (sizeof (gnutls_pcert_st) * cert_list_size);
1154 if (pcerts == NULL)
1155 {
1156 gnutls_assert ();
1157 return GNUTLS_E_MEMORY_ERROR;
1158 }
1159
1160 ret = get_x509_name(cert_list[0], &names);
1161 if (ret < 0)
1162 return gnutls_assert_val(ret);
1163
1164 for (i = 0; i < cert_list_size; i++)
1165 {
1166 ret = gnutls_pcert_import_x509 (&pcerts[i], cert_list[i], 0);
1167 if (ret < 0)
1168 {
1169 gnutls_assert ();
1170 goto cleanup;
1171 }
1172 }
1173
1174 ret = certificate_credential_append_crt_list (res, names, pcerts, cert_list_size);
1175 if (ret < 0)
1176 {
1177 gnutls_assert ();
1178 goto cleanup;
1179 }
1180
1181 res->ncerts++;
1182
1183 if ((ret = _gnutls_check_key_cert_match (res)) < 0)
1184 {
1185 gnutls_assert ();
1186 return ret;
1187 }
1188
1189 return 0;
1190
1191 cleanup:
1192 _gnutls_str_array_clear(&names);
1193 return ret;
1194 }
1195
1196 /**
1197 * gnutls_certificate_set_key:
1198 * @res: is a #gnutls_certificate_credentials_t structure.
1199 * @names: is an array of DNS name of the certificate (NULL if none)
1200 * @names_size: holds the size of the names list
1201 * @pcert_list: contains a certificate list (path) for the specified private key
1202 * @pcert_list_size: holds the size of the certificate list
1203 * @key: is a #gnutls_privkey_t key
1204 *
1205 * This function sets a certificate/private key pair in the
1206 * gnutls_certificate_credentials_t structure. This function may be
1207 * called more than once, in case multiple keys/certificates exist for
1208 * the server. For clients that wants to send more than its own end
1209 * entity certificate (e.g., also an intermediate CA cert) then put
1210 * the certificate chain in @pcert_list. The @pcert_list and @key will
1211 * become part of the credentials structure and must not
1212 * be deallocated. They will be automatically deallocated when @res
1213 * is deinitialized.
1214 *
1215 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1216 *
1217 * Since: 3.0
1218 **/
1219 int
1220 gnutls_certificate_set_key (gnutls_certificate_credentials_t res,
1221 const char** names,
1222 int names_size,
1223 gnutls_pcert_st * pcert_list,
1224 int pcert_list_size,
1225 gnutls_privkey_t key)
1226 {
1227 int ret, i;
1228 gnutls_str_array_t str_names;
1229
1230 _gnutls_str_array_init(&str_names);
1231
1232 if (names != NULL && names_size > 0)
1233 {
1234 for (i=0;i<names_size;i++)
1235 {
1236 ret = _gnutls_str_array_append(&str_names, names[i], strlen(names[i]));
1237 if (ret < 0)
1238 {
1239 ret = gnutls_assert_val(ret);
1240 goto cleanup;
1241 }
1242 }
1243 }
1244
1245 if (res->pin.cb)
1246 gnutls_privkey_set_pin_function(key, res->pin.cb, res->pin.data);
1247
1248 ret = certificate_credentials_append_pkey (res, key);
1249 if (ret < 0)
1250 {
1251 gnutls_assert ();
1252 goto cleanup;
1253 }
1254
1255 ret = certificate_credential_append_crt_list (res, str_names, pcert_list, pcert_list_size);
1256 if (ret < 0)
1257 {
1258 gnutls_assert ();
1259 goto cleanup;
1260 }
1261
1262 res->ncerts++;
1263
1264 if ((ret = _gnutls_check_key_cert_match (res)) < 0)
1265 {
1266 gnutls_assert ();
1267 return ret;
1268 }
1269
1270 return 0;
1271
1272 cleanup:
1273 _gnutls_str_array_clear(&str_names);
1274 return ret;
1275 }
1276
1277 /**
1278 * gnutls_certificate_set_x509_key_file:
1279 * @res: is a #gnutls_certificate_credentials_t structure.
1280 * @certfile: is a file that containing the certificate list (path) for
1281 * the specified private key, in PKCS7 format, or a list of certificates
1282 * @keyfile: is a file that contains the private key
1283 * @type: is PEM or DER
1284 *
1285 * This function sets a certificate/private key pair in the
1286 * gnutls_certificate_credentials_t structure. This function may be
1287 * called more than once, in case multiple keys/certificates exist for
1288 * the server. For clients that need to send more than its own end
1289 * entity certificate, e.g., also an intermediate CA cert, then the
1290 * @certfile must contain the ordered certificate chain.
1291 *
1292 * This function can also accept URLs at @keyfile and @certfile. In that case it
1293 * will import the private key and certificate indicated by the URLs. Note
1294 * that the supported URLs are the ones indicated by gnutls_url_is_supported().
1295 *
1296 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1297 **/
1298 int
1299 gnutls_certificate_set_x509_key_file (gnutls_certificate_credentials_t res,
1300 const char *certfile,
1301 const char *keyfile,
1302 gnutls_x509_crt_fmt_t type)
1303 {
1304 int ret;
1305
1306 /* this should be first
1307 */
1308 if ((ret = read_key_file (res, keyfile, type)) < 0)
1309 return ret;
1310
1311 if ((ret = read_cert_file (res, certfile, type)) < 0)
1312 return ret;
1313
1314 res->ncerts++;
1315
1316 if ((ret = _gnutls_check_key_cert_match (res)) < 0)
1317 {
1318 gnutls_assert ();
1319 return ret;
1320 }
1321
1322 return 0;
1323 }
1324
1325 static int
1326 add_new_crt_to_rdn_seq (gnutls_certificate_credentials_t res, gnutls_x509_crt_t* crts,
1327 unsigned int crt_size)
1328 {
1329 gnutls_datum_t tmp;
1330 int ret;
1331 size_t newsize;
1332 unsigned char *newdata, *p;
1333 unsigned i;
1334
1335 /* Add DN of the last added CAs to the RDN sequence
1336 * This will be sent to clients when a certificate
1337 * request message is sent.
1338 */
1339
1340 /* FIXME: in case of a client it is not needed
1341 * to do that. This would save time and memory.
1342 * However we don't have that information available
1343 * here.
1344 * Further, this function is now much more efficient,
1345 * so optimizing that is less important.
1346 */
1347
1348 for (i = 0; i < crt_size; i++)
1349 {
1350 if ((ret = gnutls_x509_crt_get_raw_dn (crts[i], &tmp)) < 0)
1351 {
1352 gnutls_assert ();
1353 return ret;
1354 }
1355
1356 newsize = res->x509_rdn_sequence.size + 2 + tmp.size;
1357 if (newsize < res->x509_rdn_sequence.size)
1358 {
1359 gnutls_assert ();
1360 _gnutls_free_datum (&tmp);
1361 return GNUTLS_E_SHORT_MEMORY_BUFFER;
1362 }
1363
1364 newdata = gnutls_realloc (res->x509_rdn_sequence.data, newsize);
1365 if (newdata == NULL)
1366 {
1367 gnutls_assert ();
1368 _gnutls_free_datum (&tmp);
1369 return GNUTLS_E_MEMORY_ERROR;
1370 }
1371
1372 p = newdata + res->x509_rdn_sequence.size;
1373 _gnutls_write_uint16 (tmp.size, p);
1374 if (tmp.data != NULL)
1375 memcpy (p+2, tmp.data, tmp.size);
1376
1377 _gnutls_free_datum (&tmp);
1378
1379 res->x509_rdn_sequence.size = newsize;
1380 res->x509_rdn_sequence.data = newdata;
1381 }
1382
1383 return 0;
1384 }
1385
1386 /* Returns 0 if it's ok to use the gnutls_kx_algorithm_t with this
1387 * certificate (uses the KeyUsage field).
1388 */
1389 int
1390 _gnutls_check_key_usage (const gnutls_pcert_st* cert, gnutls_kx_algorithm_t alg)
1391 {
1392 unsigned int key_usage = 0;
1393 int encipher_type;
1394
1395 if (cert == NULL)
1396 {
1397 gnutls_assert ();
1398 return GNUTLS_E_INTERNAL_ERROR;
1399 }
1400
1401 if (_gnutls_map_kx_get_cred (alg, 1) == GNUTLS_CRD_CERTIFICATE ||
1402 _gnutls_map_kx_get_cred (alg, 0) == GNUTLS_CRD_CERTIFICATE)
1403 {
1404
1405 gnutls_pubkey_get_key_usage(cert->pubkey, &key_usage);
1406
1407 encipher_type = _gnutls_kx_encipher_type (alg);
1408
1409 if (key_usage != 0 && encipher_type != CIPHER_IGN)
1410 {
1411 /* If key_usage has been set in the certificate
1412 */
1413
1414 if (encipher_type == CIPHER_ENCRYPT)
1415 {
1416 /* If the key exchange method requires an encipher
1417 * type algorithm, and key's usage does not permit
1418 * encipherment, then fail.
1419 */
1420 if (!(key_usage & GNUTLS_KEY_KEY_ENCIPHERMENT))
1421 {
1422 gnutls_assert ();
1423 return GNUTLS_E_KEY_USAGE_VIOLATION;
1424 }
1425 }
1426
1427 if (encipher_type == CIPHER_SIGN)
1428 {
1429 /* The same as above, but for sign only keys
1430 */
1431 if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
1432 {
1433 gnutls_assert ();
1434 return GNUTLS_E_KEY_USAGE_VIOLATION;
1435 }
1436 }
1437 }
1438 }
1439 return 0;
1440 }
1441
1442 static int
1443 parse_pem_ca_mem (gnutls_certificate_credentials_t res,
1444 const uint8_t * input_cert, int input_cert_size)
1445 {
1446 gnutls_x509_crt_t *x509_cert_list;
1447 unsigned int x509_ncerts;
1448 gnutls_datum_t tmp;
1449 int ret;
1450
1451 tmp.data = (void*)input_cert;
1452 tmp.size = input_cert_size;
1453
1454 ret = gnutls_x509_crt_list_import2( &x509_cert_list, &x509_ncerts, &tmp,
1455 GNUTLS_X509_FMT_PEM, 0);
1456 if (ret < 0)
1457 {
1458 gnutls_assert();
1459 return ret;
1460 }
1461
1462 if ((ret = add_new_crt_to_rdn_seq (res, x509_cert_list, x509_ncerts)) < 0)
1463 {
1464 gnutls_assert();
1465 goto cleanup;
1466 }
1467
1468 ret = gnutls_x509_trust_list_add_cas(res->tlist, x509_cert_list, x509_ncerts, 0);
1469 if (ret < 0)
1470 {
1471 gnutls_assert();
1472 goto cleanup;
1473 }
1474
1475 cleanup:
1476 gnutls_free(x509_cert_list);
1477 return ret;
1478 }
1479
1480 /* Reads a DER encoded certificate list from memory and stores it to a
1481 * gnutls_cert structure. Returns the number of certificates parsed.
1482 */
1483 static int
1484 parse_der_ca_mem (gnutls_certificate_credentials_t res,
1485 const void *input_cert, int input_cert_size)
1486 {
1487 gnutls_x509_crt_t crt;
1488 gnutls_datum_t tmp;
1489 int ret;
1490
1491 tmp.data = (void*)input_cert;
1492 tmp.size = input_cert_size;
1493
1494 ret = gnutls_x509_crt_init( &crt);
1495 if (ret < 0)
1496 {
1497 gnutls_assert();
1498 return ret;
1499 }
1500
1501 ret = gnutls_x509_crt_import( crt, &tmp, GNUTLS_X509_FMT_DER);
1502 if (ret < 0)
1503 {
1504 gnutls_assert();
1505 goto cleanup;
1506 }
1507
1508 if ((ret = add_new_crt_to_rdn_seq (res, &crt, 1)) < 0)
1509 {
1510 gnutls_assert();
1511 goto cleanup;
1512 }
1513
1514 ret = gnutls_x509_trust_list_add_cas(res->tlist, &crt, 1, 0);
1515 if (ret < 0)
1516 {
1517 gnutls_assert();
1518 goto cleanup;
1519 }
1520
1521 return ret;
1522
1523 cleanup:
1524 gnutls_x509_crt_deinit(crt);
1525 return ret;
1526 }
1527
1528 /**
1529 * gnutls_certificate_set_x509_trust_mem:
1530 * @res: is a #gnutls_certificate_credentials_t structure.
1531 * @ca: is a list of trusted CAs or a DER certificate
1532 * @type: is DER or PEM
1533 *
1534 * This function adds the trusted CAs in order to verify client or
1535 * server certificates. In case of a client this is not required to be
1536 * called if the certificates are not verified using
1537 * gnutls_certificate_verify_peers2(). This function may be called
1538 * multiple times.
1539 *
1540 * In case of a server the CAs set here will be sent to the client if
1541 * a certificate request is sent. This can be disabled using
1542 * gnutls_certificate_send_x509_rdn_sequence().
1543 *
1544 * Returns: the number of certificates processed or a negative error code
1545 * on error.
1546 **/
1547 int
1548 gnutls_certificate_set_x509_trust_mem (gnutls_certificate_credentials_t res,
1549 const gnutls_datum_t * ca,
1550 gnutls_x509_crt_fmt_t type)
1551 {
1552 int ret;
1553
1554 if (type == GNUTLS_X509_FMT_DER)
1555 ret = parse_der_ca_mem (res,
1556 ca->data, ca->size);
1557 else
1558 ret = parse_pem_ca_mem (res,
1559 ca->data, ca->size);
1560
1561 if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
1562 return 0;
1563
1564 return ret;
1565 }
1566
1567 /**
1568 * gnutls_certificate_set_x509_trust:
1569 * @res: is a #gnutls_certificate_credentials_t structure.
1570 * @ca_list: is a list of trusted CAs
1571 * @ca_list_size: holds the size of the CA list
1572 *
1573 * This function adds the trusted CAs in order to verify client
1574 * or server certificates. In case of a client this is not required
1575 * to be called if the certificates are not verified using
1576 * gnutls_certificate_verify_peers2().
1577 * This function may be called multiple times.
1578 *
1579 * In case of a server the CAs set here will be sent to the client if
1580 * a certificate request is sent. This can be disabled using
1581 * gnutls_certificate_send_x509_rdn_sequence().
1582 *
1583 * Returns: the number of certificates processed or a negative error code
1584 * on error.
1585 *
1586 * Since: 2.4.0
1587 **/
1588 int
1589 gnutls_certificate_set_x509_trust (gnutls_certificate_credentials_t res,
1590 gnutls_x509_crt_t * ca_list,
1591 int ca_list_size)
1592 {
1593 int ret, i, j;
1594 gnutls_x509_crt_t new_list[ca_list_size];
1595
1596 for (i = 0; i < ca_list_size; i++)
1597 {
1598 ret = gnutls_x509_crt_init (&new_list[i]);
1599 if (ret < 0)
1600 {
1601 gnutls_assert ();
1602 goto cleanup;
1603 }
1604
1605 ret = _gnutls_x509_crt_cpy (new_list[i], ca_list[i]);
1606 if (ret < 0)
1607 {
1608 gnutls_assert ();
1609 goto cleanup;
1610 }
1611 }
1612
1613 if ((ret = add_new_crt_to_rdn_seq (res, new_list, ca_list_size)) < 0)
1614 {
1615 gnutls_assert();
1616 goto cleanup;
1617 }
1618
1619 ret = gnutls_x509_trust_list_add_cas(res->tlist, new_list, ca_list_size, 0);
1620 if (ret < 0)
1621 {
1622 gnutls_assert ();
1623 goto cleanup;
1624 }
1625
1626 return ret;
1627
1628 cleanup:
1629 for (j=0;j<i;i++)
1630 gnutls_x509_crt_deinit(new_list[j]);
1631
1632 return ret;
1633 }
1634
1635
1636 /**
1637 * gnutls_certificate_set_x509_trust_file:
1638 * @cred: is a #gnutls_certificate_credentials_t structure.
1639 * @cafile: is a file containing the list of trusted CAs (DER or PEM list)
1640 * @type: is PEM or DER
1641 *
1642 * This function adds the trusted CAs in order to verify client or
1643 * server certificates. In case of a client this is not required to
1644 * be called if the certificates are not verified using
1645 * gnutls_certificate_verify_peers2(). This function may be called
1646 * multiple times.
1647 *
1648 * In case of a server the names of the CAs set here will be sent to
1649 * the client if a certificate request is sent. This can be disabled
1650 * using gnutls_certificate_send_x509_rdn_sequence().
1651 *
1652 * This function can also accept URLs. In that case it
1653 * will import all certificates that are marked as trusted. Note
1654 * that the supported URLs are the ones indicated by gnutls_url_is_supported().
1655 *
1656 * Returns: number of certificates processed, or a negative error code on
1657 * error.
1658 **/
1659 int
1660 gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t cred,
1661 const char *cafile,
1662 gnutls_x509_crt_fmt_t type)
1663 {
1664 int ret;
1665 gnutls_datum_t cas;
1666 size_t size;
1667
1668 #ifdef ENABLE_PKCS11
1669 if (strncmp (cafile, "pkcs11:", 7) == 0)
1670 {
1671 return read_cas_url (cred, cafile);
1672 }
1673 #endif
1674
1675 cas.data = (void*)read_binary_file (cafile, &size);
1676 if (cas.data == NULL)
1677 {
1678 gnutls_assert ();
1679 return GNUTLS_E_FILE_ERROR;
1680 }
1681
1682 cas.size = size;
1683
1684 ret = gnutls_certificate_set_x509_trust_mem(cred, &cas, type);
1685
1686 free (cas.data);
1687
1688 if (ret < 0)
1689 {
1690 gnutls_assert ();
1691 return ret;
1692 }
1693
1694 return ret;
1695 }
1696
1697 /**
1698 * gnutls_certificate_set_x509_system_trust:
1699 * @cred: is a #gnutls_certificate_credentials_t structure.
1700 *
1701 * This function adds the system's default trusted CAs in order to
1702 * verify client or server certificates.
1703 *
1704 * In the case the system is currently unsupported %GNUTLS_E_UNIMPLEMENTED_FEATURE
1705 * is returned.
1706 *
1707 * Returns: the number of certificates processed or a negative error code
1708 * on error.
1709 *
1710 * Since: 3.0
1711 **/
1712 int
1713 gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred)
1714 {
1715 return gnutls_x509_trust_list_add_system_trust(cred->tlist, 0, 0);
1716 }
1717
1718 static int
1719 parse_pem_crl_mem (gnutls_x509_trust_list_t tlist,
1720 const char * input_crl, unsigned int input_crl_size)
1721 {
1722 gnutls_x509_crl_t *x509_crl_list;
1723 unsigned int x509_ncrls;
1724 gnutls_datum_t tmp;
1725 int ret;
1726
1727 tmp.data = (void*)input_crl;
1728 tmp.size = input_crl_size;
1729
1730 ret = gnutls_x509_crl_list_import2( &x509_crl_list, &x509_ncrls, &tmp,
1731 GNUTLS_X509_FMT_PEM, 0);
1732 if (ret < 0)
1733 {
1734 gnutls_assert();
1735 return ret;
1736 }
1737
1738 ret = gnutls_x509_trust_list_add_crls(tlist, x509_crl_list, x509_ncrls, 0, 0);
1739 if (ret < 0)
1740 {
1741 gnutls_assert();
1742 goto cleanup;
1743 }
1744
1745 cleanup:
1746 gnutls_free(x509_crl_list);
1747 return ret;
1748 }
1749
1750 /* Reads a DER encoded certificate list from memory and stores it to a
1751 * gnutls_cert structure. Returns the number of certificates parsed.
1752 */
1753 static int
1754 parse_der_crl_mem (gnutls_x509_trust_list_t tlist,
1755 const void *input_crl, unsigned int input_crl_size)
1756 {
1757 gnutls_x509_crl_t crl;
1758 gnutls_datum_t tmp;
1759 int ret;
1760
1761 tmp.data = (void*)input_crl;
1762 tmp.size = input_crl_size;
1763
1764 ret = gnutls_x509_crl_init( &crl);
1765 if (ret < 0)
1766 {
1767 gnutls_assert();
1768 return ret;
1769 }
1770
1771 ret = gnutls_x509_crl_import( crl, &tmp, GNUTLS_X509_FMT_DER);
1772 if (ret < 0)
1773 {
1774 gnutls_assert();
1775 goto cleanup;
1776 }
1777
1778 ret = gnutls_x509_trust_list_add_crls(tlist, &crl, 1, 0, 0);
1779 if (ret < 0)
1780 {
1781 gnutls_assert();
1782 goto cleanup;
1783 }
1784
1785 return ret;
1786
1787 cleanup:
1788 gnutls_x509_crl_deinit(crl);
1789 return ret;
1790
1791 }
1792
1793
1794 /* Reads a DER or PEM CRL from memory
1795 */
1796 static int
1797 read_crl_mem (gnutls_certificate_credentials_t res, const void *crl,
1798 int crl_size, gnutls_x509_crt_fmt_t type)
1799 {
1800 int ret;
1801
1802 if (type == GNUTLS_X509_FMT_DER)
1803 ret = parse_der_crl_mem (res->tlist, crl, crl_size);
1804 else
1805 ret = parse_pem_crl_mem (res->tlist, crl, crl_size);
1806
1807 if (ret < 0)
1808 {
1809 gnutls_assert ();
1810 }
1811
1812 return ret;
1813 }
1814
1815 /**
1816 * gnutls_certificate_set_x509_crl_mem:
1817 * @res: is a #gnutls_certificate_credentials_t structure.
1818 * @CRL: is a list of trusted CRLs. They should have been verified before.
1819 * @type: is DER or PEM
1820 *
1821 * This function adds the trusted CRLs in order to verify client or
1822 * server certificates. In case of a client this is not required to
1823 * be called if the certificates are not verified using
1824 * gnutls_certificate_verify_peers2(). This function may be called
1825 * multiple times.
1826 *
1827 * Returns: number of CRLs processed, or a negative error code on error.
1828 **/
1829 int
1830 gnutls_certificate_set_x509_crl_mem (gnutls_certificate_credentials_t res,
1831 const gnutls_datum_t * CRL,
1832 gnutls_x509_crt_fmt_t type)
1833 {
1834 return read_crl_mem (res, CRL->data, CRL->size, type);
1835 }
1836
1837 /**
1838 * gnutls_certificate_set_x509_crl:
1839 * @res: is a #gnutls_certificate_credentials_t structure.
1840 * @crl_list: is a list of trusted CRLs. They should have been verified before.
1841 * @crl_list_size: holds the size of the crl_list
1842 *
1843 * This function adds the trusted CRLs in order to verify client or
1844 * server certificates. In case of a client this is not required to
1845 * be called if the certificates are not verified using
1846 * gnutls_certificate_verify_peers2(). This function may be called
1847 * multiple times.
1848 *
1849 * Returns: number of CRLs processed, or a negative error code on error.
1850 *
1851 * Since: 2.4.0
1852 **/
1853 int
1854 gnutls_certificate_set_x509_crl (gnutls_certificate_credentials_t res,
1855 gnutls_x509_crl_t * crl_list,
1856 int crl_list_size)
1857 {
1858 int ret, i, j;
1859 gnutls_x509_crl_t new_crl[crl_list_size];
1860
1861 for (i = 0; i < crl_list_size; i++)
1862 {
1863 ret = gnutls_x509_crl_init (&new_crl[i]);
1864 if (ret < 0)
1865 {
1866 gnutls_assert ();
1867 goto cleanup;
1868 }
1869
1870 ret = _gnutls_x509_crl_cpy (new_crl[i], crl_list[i]);
1871 if (ret < 0)
1872 {
1873 gnutls_assert ();
1874 goto cleanup;
1875 }
1876 }
1877
1878 ret = gnutls_x509_trust_list_add_crls(res->tlist, new_crl, crl_list_size, 0, 0);
1879 if (ret < 0)
1880 {
1881 gnutls_assert ();
1882 goto cleanup;
1883 }
1884
1885 return ret;
1886
1887 cleanup:
1888 for (j=0;j<i;j++)
1889 gnutls_x509_crl_deinit(new_crl[j]);
1890
1891 return ret;
1892 }
1893
1894 /**
1895 * gnutls_certificate_set_x509_crl_file:
1896 * @res: is a #gnutls_certificate_credentials_t structure.
1897 * @crlfile: is a file containing the list of verified CRLs (DER or PEM list)
1898 * @type: is PEM or DER
1899 *
1900 * This function adds the trusted CRLs in order to verify client or server
1901 * certificates. In case of a client this is not required
1902 * to be called if the certificates are not verified using
1903 * gnutls_certificate_verify_peers2().
1904 * This function may be called multiple times.
1905 *
1906 * Returns: number of CRLs processed or a negative error code on error.
1907 **/
1908 int
1909 gnutls_certificate_set_x509_crl_file (gnutls_certificate_credentials_t res,
1910 const char *crlfile,
1911 gnutls_x509_crt_fmt_t type)
1912 {
1913 int ret;
1914 size_t size;
1915 char *data = (void*)read_binary_file (crlfile, &size);
1916
1917 if (data == NULL)
1918 {
1919 gnutls_assert ();
1920 return GNUTLS_E_FILE_ERROR;
1921 }
1922
1923 if (type == GNUTLS_X509_FMT_DER)
1924 ret = parse_der_crl_mem (res->tlist, data, size);
1925 else
1926 ret = parse_pem_crl_mem (res->tlist, data, size);
1927
1928 free (data);
1929
1930 if (ret < 0)
1931 {
1932 gnutls_assert ();
1933 return ret;
1934 }
1935
1936 return ret;
1937 }
1938
1939 #include <gnutls/pkcs12.h>
1940
1941
1942 /**
1943 * gnutls_certificate_set_x509_simple_pkcs12_file:
1944 * @res: is a #gnutls_certificate_credentials_t structure.
1945 * @pkcs12file: filename of file containing PKCS#12 blob.
1946 * @type: is PEM or DER of the @pkcs12file.
1947 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
1948 *
1949 * This function sets a certificate/private key pair and/or a CRL in
1950 * the gnutls_certificate_credentials_t structure. This function may
1951 * be called more than once (in case multiple keys/certificates exist
1952 * for the server).
1953 *
1954 * PKCS#12 files with a MAC, encrypted bags and PKCS #8
1955 * private keys are supported. However,
1956 * only password based security, and the same password for all
1957 * operations, are supported.
1958 *
1959 * PKCS#12 file may contain many keys and/or certificates, and there
1960 * is no way to identify which key/certificate pair you want. You
1961 * should make sure the PKCS#12 file only contain one key/certificate
1962 * pair and/or one CRL.
1963 *
1964 * It is believed that the limitations of this function is acceptable
1965 * for most usage, and that any more flexibility would introduce
1966 * complexity that would make it harder to use this functionality at
1967 * all.
1968 *
1969 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1970 **/
1971 int
1972 gnutls_certificate_set_x509_simple_pkcs12_file
1973 (gnutls_certificate_credentials_t res, const char *pkcs12file,
1974 gnutls_x509_crt_fmt_t type, const char *password)
1975 {
1976 gnutls_datum_t p12blob;
1977 size_t size;
1978 int ret;
1979
1980 p12blob.data = (void*)read_binary_file (pkcs12file, &size);
1981 p12blob.size = (unsigned int) size;
1982 if (p12blob.data == NULL)
1983 {
1984 gnutls_assert ();
1985 return GNUTLS_E_FILE_ERROR;
1986 }
1987
1988 ret =
1989 gnutls_certificate_set_x509_simple_pkcs12_mem (res, &p12blob, type,
1990 password);
1991 free (p12blob.data);
1992
1993 return ret;
1994 }
1995
1996 /**
1997 * gnutls_certificate_set_x509_simple_pkcs12_mem:
1998 * @res: is a #gnutls_certificate_credentials_t structure.
1999 * @p12blob: the PKCS#12 blob.
2000 * @type: is PEM or DER of the @pkcs12file.
2001 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
2002 *
2003 * This function sets a certificate/private key pair and/or a CRL in
2004 * the gnutls_certificate_credentials_t structure. This function may
2005 * be called more than once (in case multiple keys/certificates exist
2006 * for the server).
2007 *
2008 * Encrypted PKCS#12 bags and PKCS#8 private keys are supported. However,
2009 * only password based security, and the same password for all
2010 * operations, are supported.
2011 *
2012 * PKCS#12 file may contain many keys and/or certificates, and there
2013 * is no way to identify which key/certificate pair you want. You
2014 * should make sure the PKCS#12 file only contain one key/certificate
2015 * pair and/or one CRL.
2016 *
2017 * It is believed that the limitations of this function is acceptable
2018 * for most usage, and that any more flexibility would introduce
2019 * complexity that would make it harder to use this functionality at
2020 * all.
2021 *
2022 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
2023 *
2024 * Since: 2.8.0
2025 **/
2026 int
2027 gnutls_certificate_set_x509_simple_pkcs12_mem
2028 (gnutls_certificate_credentials_t res, const gnutls_datum_t * p12blob,
2029 gnutls_x509_crt_fmt_t type, const char *password)
2030 {
2031 gnutls_pkcs12_t p12;
2032 gnutls_x509_privkey_t key = NULL;
2033 gnutls_x509_crt_t *chain = NULL;
2034 gnutls_x509_crl_t crl = NULL;
2035 unsigned int chain_size = 0, i;
2036 int ret;
2037
2038 ret = gnutls_pkcs12_init (&p12);
2039 if (ret < 0)
2040 {
2041 gnutls_assert ();
2042 return ret;
2043 }
2044
2045 ret = gnutls_pkcs12_import (p12, p12blob, type, 0);
2046 if (ret < 0)
2047 {
2048 gnutls_assert ();
2049 gnutls_pkcs12_deinit (p12);
2050 return ret;
2051 }
2052
2053 if (password)
2054 {
2055 ret = gnutls_pkcs12_verify_mac (p12, password);
2056 if (ret < 0)
2057 {
2058 gnutls_assert ();
2059 gnutls_pkcs12_deinit (p12);
2060 return ret;
2061 }
2062 }
2063
2064 ret = gnutls_pkcs12_simple_parse (p12, password, &key, &chain, &chain_size,
2065 NULL, NULL, &crl, 0);
2066 gnutls_pkcs12_deinit (p12);
2067 if (ret < 0)
2068 {
2069 gnutls_assert ();
2070 return ret;
2071 }
2072
2073 if (key && chain)
2074 {
2075 ret = gnutls_certificate_set_x509_key (res, chain, chain_size, key);
2076 if (ret < 0)
2077 {
2078 gnutls_assert ();
2079 goto done;
2080 }
2081 }
2082 else
2083 {
2084 gnutls_assert();
2085 ret = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
2086 goto done;
2087 }
2088
2089 if (crl)
2090 {
2091 ret = gnutls_certificate_set_x509_crl (res, &crl, 1);
2092 if (ret < 0)
2093 {
2094 gnutls_assert ();
2095 goto done;
2096 }
2097 }
2098
2099 ret = 0;
2100
2101 done:
2102 if (chain)
2103 {
2104 for (i=0;i<chain_size;i++)
2105 gnutls_x509_crt_deinit (chain[i]);
2106 gnutls_free(chain);
2107 }
2108 if (key)
2109 gnutls_x509_privkey_deinit (key);
2110 if (crl)
2111 gnutls_x509_crl_deinit (crl);
2112
2113 return ret;
2114 }
2115
2116
2117
2118 /**
2119 * gnutls_certificate_free_crls:
2120 * @sc: is a #gnutls_certificate_credentials_t structure.
2121 *
2122 * This function will delete all the CRLs associated
2123 * with the given credentials.
2124 **/
2125 void
2126 gnutls_certificate_free_crls (gnutls_certificate_credentials_t sc)
2127 {
2128 /* do nothing for now */
2129 return;
2130 }
2131
2132 /**
2133 * gnutls_certificate_credentials_t:
2134 * @cred: is a #gnutls_certificate_credentials_t structure.
2135 * @fn: A PIN callback
2136 * @userdata: Data to be passed in the callback
2137 *
2138 * This function will set a callback function to be used when
2139 * required to access a protected object. This function overrides any other
2140 * global PIN functions.
2141 *
2142 * Note that this function must be called right after initialization
2143 * to have effect.
2144 *
2145 * Since: 3.1.0
2146 **/
2147 void gnutls_certificate_set_pin_function (gnutls_certificate_credentials_t cred,
2148 gnutls_pin_callback_t fn, void *userdata)
2149 {
2150 cred->pin.cb = fn;
2151 cred->pin.data = userdata;
2152 }
Implementation of the SSL/TLS protocol