search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Documented gnutls_certificate_verification_status_print().
[gnutls.git] / lib / gnutls_x509.c
blobcf8dee55f6d49bcdf4fd9c5631800a98c86e1dce
1 /*
2 * Copyright (C) 2002-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 #include <gnutls_int.h>
24 #include "gnutls_auth.h"
25 #include "gnutls_errors.h"
26 #include <auth/cert.h>
27 #include "gnutls_dh.h"
28 #include "gnutls_num.h"
29 #include "gnutls_datum.h"
30 #include <gnutls_pk.h>
31 #include <algorithms.h>
32 #include <gnutls_global.h>
33 #include <gnutls_record.h>
34 #include <gnutls_sig.h>
35 #include <gnutls_state.h>
36 #include <gnutls_pk.h>
37 #include <gnutls_str.h>
38 #include <debug.h>
39 #include <x509_b64.h>
40 #include <gnutls_x509.h>
41 #include <gnutls/ocsp.h>
42 #include "x509/common.h"
43 #include "x509/x509_int.h"
44 #include <gnutls_str_array.h>
45 #include "read-file.h"
46 #ifdef _WIN32
47 # include <wincrypt.h>
48 #endif
49
50 /*
51 * some x509 certificate parsing functions.
52 */
53
54 /* Check if the number of bits of the key in the certificate
55 * is unacceptable.
56 */
57 inline static int
58 check_bits (gnutls_session_t session, gnutls_x509_crt_t crt, unsigned int max_bits)
59 {
60 int ret, pk;
61 unsigned int bits;
62
63 ret = gnutls_x509_crt_get_pk_algorithm (crt, &bits);
64 if (ret < 0)
65 {
66 gnutls_assert ();
67 return ret;
68 }
69 pk = ret;
70
71 if (bits > max_bits && max_bits > 0)
72 {
73 gnutls_assert ();
74 return GNUTLS_E_CONSTRAINT_ERROR;
75 }
76
77 if (gnutls_pk_bits_to_sec_param(pk, bits) == GNUTLS_SEC_PARAM_INSECURE)
78 {
79 gnutls_assert();
80 _gnutls_audit_log(session, "The security level of the certificate (%s: %u) is weak\n", gnutls_pk_get_name(pk), bits);
81 if (session->internals.priorities.allow_weak_keys == 0)
82 return gnutls_assert_val(GNUTLS_E_CERTIFICATE_ERROR);
83 }
84
85 return 0;
86 }
87
88 /* three days */
89 #define MAX_OCSP_VALIDITY_SECS (3*60*60*24)
90
91 /* If the certificate is revoked status will be GNUTLS_CERT_REVOKED.
92 *
93 * Returns:
94 * Zero on success, a negative error code otherwise.
95 */
96 static int
97 check_ocsp_response (gnutls_session_t session, gnutls_x509_crt_t cert,
98 gnutls_x509_crt_t issuer,
99 gnutls_datum_t *data, unsigned int * ostatus)
100 {
101 gnutls_ocsp_resp_t resp;
102 int ret;
103 unsigned int status, cert_status;
104 time_t rtime, vtime, ntime, now;
105
106 now = gnutls_time(0);
107
108 ret = gnutls_ocsp_resp_init (&resp);
109 if (ret < 0)
110 return gnutls_assert_val(ret);
111
112 ret = gnutls_ocsp_resp_import (resp, data);
113 if (ret < 0)
114 return gnutls_assert_val(ret);
115
116 ret = gnutls_ocsp_resp_check_crt(resp, 0, cert);
117 if (ret < 0)
118 {
119 _gnutls_audit_log (session, "Got OCSP response on an unrelated certificate.\n");
120 goto cleanup;
121 }
122
123 ret = gnutls_ocsp_resp_verify_direct( resp, issuer, &status, 0);
124 if (ret < 0)
125 return gnutls_assert_val(ret);
126
127 /* do not consider revocation data if response was not verified */
128 if (status != 0)
129 {
130 ret = gnutls_assert_val(0);
131 goto cleanup;
132 }
133
134 ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL,
135 &cert_status, &vtime, &ntime, &rtime, NULL);
136 if (ret < 0)
137 {
138 ret = gnutls_assert_val(0);
139 *ostatus |= GNUTLS_CERT_REVOCATION_DATA_INVALID;
140 goto cleanup;
141 }
142
143 if (cert_status == GNUTLS_OCSP_CERT_REVOKED)
144 {
145 _gnutls_audit_log(session, "The certificate was revoked via OCSP\n");
146 *ostatus |= GNUTLS_CERT_REVOKED;
147 ret = gnutls_assert_val(0);
148 goto cleanup;
149 }
150
151 if (ntime == -1)
152 {
153 if (now - vtime > MAX_OCSP_VALIDITY_SECS)
154 {
155 _gnutls_audit_log(session, "The OCSP response is old\n");
156 }
157 }
158 else
159 {
160 /* there is a newer OCSP answer, don't trust this one */
161 if (ntime < now)
162 {
163 _gnutls_audit_log(session, "There is a newer OCSP response but was not provided by the server\n");
164 if (now-ntime > MAX_OCSP_VALIDITY_SECS)
165 *ostatus |= GNUTLS_CERT_REVOCATION_DATA_TOO_OLD;
166 }
167 }
168
169 ret = 0;
170 cleanup:
171 gnutls_ocsp_resp_deinit (resp);
172
173 return ret;
174 }
175
176
177 #define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) { \
178 if (peer_certificate_list[x]) \
179 gnutls_x509_crt_deinit(peer_certificate_list[x]); \
180 } \
181 gnutls_free( peer_certificate_list)
182
183 /*-
184 * _gnutls_x509_cert_verify_peers - return the peer's certificate status
185 * @session: is a gnutls session
186 *
187 * This function will try to verify the peer's certificate and return its status (TRUSTED, REVOKED etc.).
188 * The return value (status) should be one of the gnutls_certificate_status_t enumerated elements.
189 * However you must also check the peer's name in order to check if the verified certificate belongs to the
190 * actual peer. Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
191 -*/
192 int
193 _gnutls_x509_cert_verify_peers (gnutls_session_t session,
194 const char* hostname,
195 unsigned int *status)
196 {
197 cert_auth_info_t info;
198 gnutls_certificate_credentials_t cred;
199 gnutls_x509_crt_t *peer_certificate_list;
200 gnutls_datum_t resp;
201 int peer_certificate_list_size, i, x, ret;
202 gnutls_x509_crt_t issuer;
203 unsigned int ocsp_status = 0;
204 unsigned int verify_flags;
205
206 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
207
208 info = _gnutls_get_auth_info (session);
209 if (info == NULL)
210 {
211 gnutls_assert ();
212 return GNUTLS_E_INVALID_REQUEST;
213 }
214
215 cred = (gnutls_certificate_credentials_t)
216 _gnutls_get_cred (session, GNUTLS_CRD_CERTIFICATE, NULL);
217 if (cred == NULL)
218 {
219 gnutls_assert ();
220 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
221 }
222
223 if (info->raw_certificate_list == NULL || info->ncerts == 0)
224 return GNUTLS_E_NO_CERTIFICATE_FOUND;
225
226 if (info->ncerts > cred->verify_depth && cred->verify_depth > 0)
227 {
228 gnutls_assert ();
229 return GNUTLS_E_CONSTRAINT_ERROR;
230 }
231
232 verify_flags = cred->verify_flags | session->internals.priorities.additional_verify_flags;
233 /* generate a list of gnutls_certs based on the auth info
234 * raw certs.
235 */
236 peer_certificate_list_size = info->ncerts;
237 peer_certificate_list =
238 gnutls_calloc (peer_certificate_list_size, sizeof (gnutls_x509_crt_t));
239 if (peer_certificate_list == NULL)
240 {
241 gnutls_assert ();
242 return GNUTLS_E_MEMORY_ERROR;
243 }
244
245 for (i = 0; i < peer_certificate_list_size; i++)
246 {
247 ret = gnutls_x509_crt_init (&peer_certificate_list[i]);
248 if (ret < 0)
249 {
250 gnutls_assert ();
251 CLEAR_CERTS;
252 return ret;
253 }
254
255 ret =
256 gnutls_x509_crt_import (peer_certificate_list[i],
257 &info->raw_certificate_list[i],
258 GNUTLS_X509_FMT_DER);
259 if (ret < 0)
260 {
261 gnutls_assert ();
262 CLEAR_CERTS;
263 return ret;
264 }
265
266 ret = check_bits (session, peer_certificate_list[i], cred->verify_bits);
267 if (ret < 0)
268 {
269 gnutls_assert ();
270 CLEAR_CERTS;
271 return ret;
272 }
273
274 }
275
276 /* Use the OCSP extension if any */
277 if (verify_flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS)
278 goto skip_ocsp;
279
280 ret = gnutls_ocsp_status_request_get(session, &resp);
281 if (ret < 0)
282 goto skip_ocsp;
283
284 if (peer_certificate_list_size > 1)
285 issuer = peer_certificate_list[1];
286 else
287 {
288 ret = gnutls_x509_trust_list_get_issuer(cred->tlist, peer_certificate_list[0],
289 &issuer, 0);
290 if (ret < 0)
291 {
292 goto skip_ocsp;
293 }
294 }
295
296 ret = check_ocsp_response(session, peer_certificate_list[0], issuer, &resp, &ocsp_status);
297 if (ret < 0)
298 {
299 CLEAR_CERTS;
300 return gnutls_assert_val(ret);
301 }
302
303 skip_ocsp:
304 /* Verify certificate
305 */
306 ret = gnutls_x509_trust_list_verify_crt (cred->tlist, peer_certificate_list,
307 peer_certificate_list_size,
308 verify_flags, status, NULL);
309
310 if (ret < 0)
311 {
312 gnutls_assert ();
313 CLEAR_CERTS;
314 return ret;
315 }
316
317 if (hostname)
318 {
319 ret = gnutls_x509_crt_check_hostname( peer_certificate_list[0], hostname);
320 if (ret == 0)
321 *status |= GNUTLS_CERT_UNEXPECTED_OWNER;
322 }
323
324 CLEAR_CERTS;
325
326 *status |= ocsp_status;
327
328 return 0;
329 }
330
331 /* Returns the name of the certificate of a null name
332 */
333 static int get_x509_name(gnutls_x509_crt_t crt, gnutls_str_array_t *names)
334 {
335 size_t max_size;
336 int i, ret = 0, ret2;
337 char name[MAX_CN];
338
339 for (i = 0; !(ret < 0); i++)
340 {
341 max_size = sizeof(name);
342
343 ret = gnutls_x509_crt_get_subject_alt_name(crt, i, name, &max_size, NULL);
344 if (ret == GNUTLS_SAN_DNSNAME)
345 {
346 ret2 = _gnutls_str_array_append(names, name, max_size);
347 if (ret2 < 0)
348 {
349 _gnutls_str_array_clear(names);
350 return gnutls_assert_val(ret2);
351 }
352 }
353 }
354
355 max_size = sizeof(name);
356 ret = gnutls_x509_crt_get_dn_by_oid (crt, OID_X520_COMMON_NAME, 0, 0, name, &max_size);
357 if (ret >= 0)
358 {
359 ret = _gnutls_str_array_append(names, name, max_size);
360 if (ret < 0)
361 {
362 _gnutls_str_array_clear(names);
363 return gnutls_assert_val(ret);
364 }
365 }
366
367 return 0;
368 }
369
370 static int get_x509_name_raw(gnutls_datum_t *raw, gnutls_x509_crt_fmt_t type, gnutls_str_array_t *names)
371 {
372 int ret;
373 gnutls_x509_crt_t crt;
374
375 ret = gnutls_x509_crt_init (&crt);
376 if (ret < 0)
377 {
378 gnutls_assert ();
379 return ret;
380 }
381
382 ret = gnutls_x509_crt_import (crt, raw, type);
383 if (ret < 0)
384 {
385 gnutls_assert ();
386 gnutls_x509_crt_deinit (crt);
387 return ret;
388 }
389
390 ret = get_x509_name(crt, names);
391 gnutls_x509_crt_deinit (crt);
392 return ret;
393 }
394
395 /* Reads a DER encoded certificate list from memory and stores it to a
396 * gnutls_cert structure. Returns the number of certificates parsed.
397 */
398 static int
399 parse_der_cert_mem (gnutls_certificate_credentials_t res,
400 const void *input_cert, int input_cert_size)
401 {
402 gnutls_datum_t tmp;
403 gnutls_x509_crt_t crt;
404 gnutls_pcert_st *ccert;
405 int ret;
406 gnutls_str_array_t names;
407
408 _gnutls_str_array_init(&names);
409
410 ccert = gnutls_malloc (sizeof (*ccert));
411 if (ccert == NULL)
412 {
413 gnutls_assert ();
414 return GNUTLS_E_MEMORY_ERROR;
415 }
416
417 ret = gnutls_x509_crt_init (&crt);
418 if (ret < 0)
419 {
420 gnutls_assert ();
421 goto cleanup;
422 }
423
424 tmp.data = (uint8_t *) input_cert;
425 tmp.size = input_cert_size;
426
427 ret = gnutls_x509_crt_import (crt, &tmp, GNUTLS_X509_FMT_DER);
428 if (ret < 0)
429 {
430 gnutls_assert ();
431 gnutls_x509_crt_deinit (crt);
432 goto cleanup;
433 }
434
435 ret = get_x509_name(crt, &names);
436 if (ret < 0)
437 {
438 gnutls_assert();
439 gnutls_x509_crt_deinit (crt);
440 goto cleanup;
441 }
442
443 ret = gnutls_pcert_import_x509 (ccert, crt, 0);
444 gnutls_x509_crt_deinit (crt);
445
446 if (ret < 0)
447 {
448 gnutls_assert ();
449 goto cleanup;
450 }
451
452 ret = certificate_credential_append_crt_list (res, names, ccert, 1);
453 if (ret < 0)
454 {
455 gnutls_assert ();
456 goto cleanup;
457 }
458
459 return ret;
460
461 cleanup:
462 _gnutls_str_array_clear(&names);
463 gnutls_free (ccert);
464 return ret;
465 }
466
467 /* Reads a base64 encoded certificate list from memory and stores it to
468 * a gnutls_cert structure. Returns the number of certificate parsed.
469 */
470 static int
471 parse_pem_cert_mem (gnutls_certificate_credentials_t res,
472 const char *input_cert, int input_cert_size)
473 {
474 int size;
475 const char *ptr;
476 gnutls_datum_t tmp;
477 int ret, count, i;
478 gnutls_pcert_st *certs = NULL;
479 gnutls_str_array_t names;
480
481 _gnutls_str_array_init(&names);
482
483 /* move to the certificate
484 */
485 ptr = memmem (input_cert, input_cert_size,
486 PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
487 if (ptr == NULL)
488 ptr = memmem (input_cert, input_cert_size,
489 PEM_CERT_SEP2, sizeof (PEM_CERT_SEP2) - 1);
490
491 if (ptr == NULL)
492 {
493 gnutls_assert ();
494 return GNUTLS_E_BASE64_DECODING_ERROR;
495 }
496 size = input_cert_size - (ptr - input_cert);
497
498 count = 0;
499
500 do
501 {
502 certs = gnutls_realloc_fast (certs, (count + 1) * sizeof (gnutls_pcert_st));
503
504 if (certs == NULL)
505 {
506 gnutls_assert ();
507 ret = GNUTLS_E_MEMORY_ERROR;
508 goto cleanup;
509 }
510
511 tmp.data = (void*)ptr;
512 tmp.size = size;
513
514 if (count == 0)
515 {
516 ret = get_x509_name_raw(&tmp, GNUTLS_X509_FMT_PEM, &names);
517 if (ret < 0)
518 {
519 gnutls_assert();
520 goto cleanup;
521 }
522 }
523
524 ret = gnutls_pcert_import_x509_raw (&certs[count], &tmp, GNUTLS_X509_FMT_PEM, 0);
525 if (ret < 0)
526 {
527 gnutls_assert ();
528 goto cleanup;
529 }
530
531 /* now we move ptr after the pem header
532 */
533 ptr++;
534 /* find the next certificate (if any)
535 */
536 size = input_cert_size - (ptr - input_cert);
537
538 if (size > 0)
539 {
540 char *ptr3;
541
542 ptr3 = memmem (ptr, size, PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
543 if (ptr3 == NULL)
544 ptr3 = memmem (ptr, size, PEM_CERT_SEP2,
545 sizeof (PEM_CERT_SEP2) - 1);
546
547 ptr = ptr3;
548 }
549 else
550 ptr = NULL;
551
552 count++;
553
554 }
555 while (ptr != NULL);
556
557 ret = certificate_credential_append_crt_list (res, names, certs, count);
558 if (ret < 0)
559 {
560 gnutls_assert ();
561 goto cleanup;
562 }
563
564 return count;
565
566 cleanup:
567 _gnutls_str_array_clear(&names);
568 for (i=0;i<count;i++)
569 gnutls_pcert_deinit(&certs[i]);
570 gnutls_free(certs);
571 return ret;
572 }
573
574
575
576 /* Reads a DER or PEM certificate from memory
577 */
578 static int
579 read_cert_mem (gnutls_certificate_credentials_t res, const void *cert,
580 int cert_size, gnutls_x509_crt_fmt_t type)
581 {
582 int ret;
583
584 if (type == GNUTLS_X509_FMT_DER)
585 ret = parse_der_cert_mem (res, cert, cert_size);
586 else
587 ret = parse_pem_cert_mem (res, cert, cert_size);
588
589 if (ret < 0)
590 {
591 gnutls_assert ();
592 return ret;
593 }
594
595 return ret;
596 }
597
598 /* Reads a PEM encoded PKCS-1 RSA/DSA private key from memory. Type
599 * indicates the certificate format. KEY can be NULL, to indicate
600 * that GnuTLS doesn't know the private key.
601 */
602 static int
603 read_key_mem (gnutls_certificate_credentials_t res,
604 const void *key, int key_size, gnutls_x509_crt_fmt_t type)
605 {
606 int ret;
607 gnutls_datum_t tmp;
608 gnutls_privkey_t privkey;
609
610 if (key)
611 {
612 tmp.data = (uint8_t *) key;
613 tmp.size = key_size;
614
615 ret = gnutls_privkey_init(&privkey);
616 if (ret < 0)
617 {
618 gnutls_assert ();
619 return ret;
620 }
621
622 if (res->pin.cb)
623 gnutls_privkey_set_pin_function(privkey, res->pin.cb, res->pin.data);
624
625 ret = gnutls_privkey_import_x509_raw (privkey, &tmp, type, NULL, 0);
626 if (ret < 0)
627 {
628 gnutls_assert ();
629 return ret;
630 }
631
632 ret = certificate_credentials_append_pkey (res, privkey);
633 if (ret < 0)
634 {
635 gnutls_assert ();
636 gnutls_privkey_deinit (privkey);
637 return ret;
638 }
639
640 }
641 else
642 {
643 gnutls_assert ();
644 return GNUTLS_E_INVALID_REQUEST;
645 }
646
647
648 return 0;
649 }
650
651
652 /* Reads a private key from a token.
653 */
654 static int
655 read_key_url (gnutls_certificate_credentials_t res, const char *url)
656 {
657 int ret;
658 gnutls_privkey_t pkey = NULL;
659
660 /* allocate space for the pkey list
661 */
662 ret = gnutls_privkey_init (&pkey);
663 if (ret < 0)
664 {
665 gnutls_assert ();
666 return ret;
667 }
668
669 if (res->pin.cb)
670 gnutls_privkey_set_pin_function(pkey, res->pin.cb, res->pin.data);
671
672 ret = gnutls_privkey_import_url (pkey, url, 0);
673 if (ret < 0)
674 {
675 gnutls_assert ();
676 goto cleanup;
677 }
678
679 ret = certificate_credentials_append_pkey (res, pkey);
680 if (ret < 0)
681 {
682 gnutls_assert ();
683 goto cleanup;
684 }
685
686 return 0;
687
688 cleanup:
689 if (pkey)
690 gnutls_privkey_deinit (pkey);
691
692 return ret;
693 }
694
695 #ifdef ENABLE_PKCS11
696 /* Reads a private key from a token.
697 */
698 static int
699 read_cas_url (gnutls_certificate_credentials_t res, const char *url)
700 {
701 int ret;
702 gnutls_x509_crt_t *xcrt_list = NULL;
703 gnutls_pkcs11_obj_t *pcrt_list = NULL;
704 unsigned int pcrt_list_size = 0;
705
706 /* FIXME: should we use login? */
707 ret =
708 gnutls_pkcs11_obj_list_import_url (NULL, &pcrt_list_size, url,
709 GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED, 0);
710 if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
711 {
712 gnutls_assert ();
713 return ret;
714 }
715
716 if (pcrt_list_size == 0)
717 {
718 gnutls_assert ();
719 return 0;
720 }
721
722 pcrt_list = gnutls_malloc (sizeof (*pcrt_list) * pcrt_list_size);
723 if (pcrt_list == NULL)
724 {
725 gnutls_assert ();
726 return GNUTLS_E_MEMORY_ERROR;
727 }
728
729 ret =
730 gnutls_pkcs11_obj_list_import_url (pcrt_list, &pcrt_list_size, url,
731 GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED, 0);
732 if (ret < 0)
733 {
734 gnutls_assert ();
735 goto cleanup;
736 }
737
738 xcrt_list = gnutls_malloc (sizeof (*xcrt_list) * pcrt_list_size);
739 if (xcrt_list == NULL)
740 {
741 gnutls_assert ();
742 ret = GNUTLS_E_MEMORY_ERROR;
743 goto cleanup;
744 }
745
746 ret =
747 gnutls_x509_crt_list_import_pkcs11 (xcrt_list, pcrt_list_size, pcrt_list,
748 0);
749 if (ret < 0)
750 {
751 gnutls_assert ();
752 goto cleanup;
753 }
754
755 ret = gnutls_x509_trust_list_add_cas(res->tlist, xcrt_list, pcrt_list_size, 0);
756 if (ret < 0)
757 {
758 gnutls_assert();
759 goto cleanup;
760 }
761
762 cleanup:
763 gnutls_free (xcrt_list);
764 gnutls_free (pcrt_list);
765
766 return ret;
767
768 }
769
770
771 /* Reads a certificate key from a token.
772 */
773 static int
774 read_cert_url (gnutls_certificate_credentials_t res, const char *url)
775 {
776 int ret;
777 gnutls_x509_crt_t crt;
778 gnutls_pcert_st *ccert;
779 gnutls_str_array_t names;
780
781 _gnutls_str_array_init(&names);
782
783 ccert = gnutls_malloc (sizeof (*ccert));
784 if (ccert == NULL)
785 {
786 gnutls_assert ();
787 return GNUTLS_E_MEMORY_ERROR;
788 }
789
790 ret = gnutls_x509_crt_init (&crt);
791 if (ret < 0)
792 {
793 gnutls_assert ();
794 goto cleanup;
795 }
796
797 if (res->pin.cb)
798 gnutls_x509_crt_set_pin_function(crt, res->pin.cb, res->pin.data);
799
800 ret = gnutls_x509_crt_import_pkcs11_url (crt, url, 0);
801 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
802 ret =
803 gnutls_x509_crt_import_pkcs11_url (crt, url,
804 GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
805
806 if (ret < 0)
807 {
808 gnutls_assert ();
809 gnutls_x509_crt_deinit (crt);
810 goto cleanup;
811 }
812
813 ret = get_x509_name(crt, &names);
814 if (ret < 0)
815 {
816 gnutls_assert ();
817 gnutls_x509_crt_deinit (crt);
818 goto cleanup;
819 }
820
821 ret = gnutls_pcert_import_x509 (ccert, crt, 0);
822 gnutls_x509_crt_deinit (crt);
823
824 if (ret < 0)
825 {
826 gnutls_assert ();
827 goto cleanup;
828 }
829
830 ret = certificate_credential_append_crt_list (res, names, ccert, 1);
831 if (ret < 0)
832 {
833 gnutls_assert ();
834 goto cleanup;
835 }
836
837 return 0;
838
839 cleanup:
840 _gnutls_str_array_clear(&names);
841 gnutls_free (ccert);
842 return ret;
843 }
844 #endif
845
846 /* Reads a certificate file
847 */
848 static int
849 read_cert_file (gnutls_certificate_credentials_t res,
850 const char *certfile, gnutls_x509_crt_fmt_t type)
851 {
852 int ret;
853 size_t size;
854 char *data;
855
856 #ifdef ENABLE_PKCS11
857 if (strncmp (certfile, "pkcs11:", 7) == 0)
858 {
859 return read_cert_url (res, certfile);
860 }
861 #endif /* ENABLE_PKCS11 */
862
863 data = read_binary_file (certfile, &size);
864
865 if (data == NULL)
866 {
867 gnutls_assert ();
868 return GNUTLS_E_FILE_ERROR;
869 }
870
871 ret = read_cert_mem (res, data, size, type);
872 free (data);
873
874 return ret;
875
876 }
877
878
879
880 /* Reads PKCS-1 RSA private key file or a DSA file (in the format openssl
881 * stores it).
882 */
883 static int
884 read_key_file (gnutls_certificate_credentials_t res,
885 const char *keyfile, gnutls_x509_crt_fmt_t type)
886 {
887 int ret;
888 size_t size;
889 char *data;
890
891 if (gnutls_url_is_supported(keyfile))
892 {
893 return read_key_url (res, keyfile);
894 }
895
896 data = read_binary_file (keyfile, &size);
897
898 if (data == NULL)
899 {
900 gnutls_assert ();
901 return GNUTLS_E_FILE_ERROR;
902 }
903
904 ret = read_key_mem (res, data, size, type);
905 free (data);
906
907 return ret;
908 }
909
910 /**
911 * gnutls_certificate_set_x509_key_mem:
912 * @res: is a #gnutls_certificate_credentials_t structure.
913 * @cert: contains a certificate list (path) for the specified private key
914 * @key: is the private key, or %NULL
915 * @type: is PEM or DER
916 *
917 * This function sets a certificate/private key pair in the
918 * gnutls_certificate_credentials_t structure. This function may be called
919 * more than once, in case multiple keys/certificates exist for the
920 * server.
921 *
922 * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates
923 * is supported. This means that certificates intended for signing cannot
924 * be used for ciphersuites that require encryption.
925 *
926 * If the certificate and the private key are given in PEM encoding
927 * then the strings that hold their values must be null terminated.
928 *
929 * The @key may be %NULL if you are using a sign callback, see
930 * gnutls_sign_callback_set().
931 *
932 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
933 **/
934 int
935 gnutls_certificate_set_x509_key_mem (gnutls_certificate_credentials_t res,
936 const gnutls_datum_t * cert,
937 const gnutls_datum_t * key,
938 gnutls_x509_crt_fmt_t type)
939 {
940 int ret;
941
942 /* this should be first
943 */
944 if ((ret = read_key_mem (res, key ? key->data : NULL,
945 key ? key->size : 0, type)) < 0)
946 return ret;
947
948 if ((ret = read_cert_mem (res, cert->data, cert->size, type)) < 0)
949 return ret;
950
951 res->ncerts++;
952
953 if (key && (ret = _gnutls_check_key_cert_match (res)) < 0)
954 {
955 gnutls_assert ();
956 return ret;
957 }
958
959 return 0;
960 }
961
962 static int check_if_sorted(gnutls_pcert_st * crt, int nr)
963 {
964 gnutls_x509_crt_t x509;
965 char prev_dn[MAX_DN];
966 char dn[MAX_DN];
967 size_t prev_dn_size, dn_size;
968 int i, ret;
969
970 /* check if the X.509 list is ordered */
971 if (nr > 1 && crt[0].type == GNUTLS_CRT_X509)
972 {
973
974 for (i=0;i<nr;i++)
975 {
976 ret = gnutls_x509_crt_init(&x509);
977 if (ret < 0)
978 return gnutls_assert_val(ret);
979
980 ret = gnutls_x509_crt_import(x509, &crt[i].cert, GNUTLS_X509_FMT_DER);
981 if (ret < 0)
982 {
983 ret = gnutls_assert_val(ret);
984 goto cleanup;
985 }
986
987 if (i>0)
988 {
989 dn_size = sizeof(dn);
990 ret = gnutls_x509_crt_get_dn(x509, dn, &dn_size);
991 if (ret < 0)
992 {
993 ret = gnutls_assert_val(ret);
994 goto cleanup;
995 }
996
997 if (dn_size != prev_dn_size || memcmp(dn, prev_dn, dn_size) != 0)
998 {
999 ret = gnutls_assert_val(GNUTLS_E_CERTIFICATE_LIST_UNSORTED);
1000 goto cleanup;
1001 }
1002 }
1003
1004 prev_dn_size = sizeof(prev_dn);
1005 ret = gnutls_x509_crt_get_issuer_dn(x509, prev_dn, &prev_dn_size);
1006 if (ret < 0)
1007 {
1008 ret = gnutls_assert_val(ret);
1009 goto cleanup;
1010 }
1011
1012 gnutls_x509_crt_deinit(x509);
1013 }
1014 }
1015
1016 return 0;
1017
1018 cleanup:
1019 gnutls_x509_crt_deinit(x509);
1020 return ret;
1021 }
1022
1023 int
1024 certificate_credential_append_crt_list (gnutls_certificate_credentials_t res,
1025 gnutls_str_array_t names, gnutls_pcert_st * crt, int nr)
1026 {
1027 int ret;
1028
1029 ret = check_if_sorted(crt, nr);
1030 if (ret < 0)
1031 return gnutls_assert_val(ret);
1032
1033 res->certs = gnutls_realloc_fast (res->certs,
1034 (1 + res->ncerts) *
1035 sizeof (certs_st));
1036 if (res->certs == NULL)
1037 {
1038 gnutls_assert ();
1039 return GNUTLS_E_MEMORY_ERROR;
1040 }
1041
1042 res->certs[res->ncerts].cert_list = crt;
1043 res->certs[res->ncerts].cert_list_length = nr;
1044 res->certs[res->ncerts].names = names;
1045
1046 return 0;
1047
1048 }
1049
1050 int
1051 certificate_credentials_append_pkey (gnutls_certificate_credentials_t res,
1052 gnutls_privkey_t pkey)
1053 {
1054 res->pkey = gnutls_realloc_fast (res->pkey,
1055 (1 + res->ncerts) *
1056 sizeof (gnutls_privkey_t));
1057 if (res->pkey == NULL)
1058 {
1059 gnutls_assert ();
1060 return GNUTLS_E_MEMORY_ERROR;
1061 }
1062 res->pkey[res->ncerts] = pkey;
1063 return 0;
1064
1065 }
1066
1067 /**
1068 * gnutls_certificate_set_x509_key:
1069 * @res: is a #gnutls_certificate_credentials_t structure.
1070 * @cert_list: contains a certificate list (path) for the specified private key
1071 * @cert_list_size: holds the size of the certificate list
1072 * @key: is a #gnutls_x509_privkey_t key
1073 *
1074 * This function sets a certificate/private key pair in the
1075 * gnutls_certificate_credentials_t structure. This function may be
1076 * called more than once, in case multiple keys/certificates exist for
1077 * the server. For clients that wants to send more than their own end
1078 * entity certificate (e.g., also an intermediate CA cert) then put
1079 * the certificate chain in @cert_list.
1080 *
1081 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1082 *
1083 * Since: 2.4.0
1084 **/
1085 int
1086 gnutls_certificate_set_x509_key (gnutls_certificate_credentials_t res,
1087 gnutls_x509_crt_t * cert_list,
1088 int cert_list_size,
1089 gnutls_x509_privkey_t key)
1090 {
1091 int ret, i;
1092 gnutls_privkey_t pkey;
1093 gnutls_pcert_st *pcerts = NULL;
1094 gnutls_str_array_t names;
1095
1096 _gnutls_str_array_init(&names);
1097
1098 /* this should be first
1099 */
1100 ret = gnutls_privkey_init (&pkey);
1101 if (ret < 0)
1102 {
1103 gnutls_assert ();
1104 return ret;
1105 }
1106
1107 if (res->pin.cb)
1108 gnutls_privkey_set_pin_function(pkey, res->pin.cb, res->pin.data);
1109
1110 ret = gnutls_privkey_import_x509 (pkey, key, GNUTLS_PRIVKEY_IMPORT_COPY);
1111 if (ret < 0)
1112 {
1113 gnutls_assert ();
1114 return ret;
1115 }
1116
1117 ret = certificate_credentials_append_pkey (res, pkey);
1118 if (ret < 0)
1119 {
1120 gnutls_assert ();
1121 return ret;
1122 }
1123
1124 /* load certificates */
1125 pcerts = gnutls_malloc (sizeof (gnutls_pcert_st) * cert_list_size);
1126 if (pcerts == NULL)
1127 {
1128 gnutls_assert ();
1129 return GNUTLS_E_MEMORY_ERROR;
1130 }
1131
1132 ret = get_x509_name(cert_list[0], &names);
1133 if (ret < 0)
1134 return gnutls_assert_val(ret);
1135
1136 for (i = 0; i < cert_list_size; i++)
1137 {
1138 ret = gnutls_pcert_import_x509 (&pcerts[i], cert_list[i], 0);
1139 if (ret < 0)
1140 {
1141 gnutls_assert ();
1142 goto cleanup;
1143 }
1144 }
1145
1146 ret = certificate_credential_append_crt_list (res, names, pcerts, cert_list_size);
1147 if (ret < 0)
1148 {
1149 gnutls_assert ();
1150 goto cleanup;
1151 }
1152
1153 res->ncerts++;
1154
1155 if ((ret = _gnutls_check_key_cert_match (res)) < 0)
1156 {
1157 gnutls_assert ();
1158 return ret;
1159 }
1160
1161 return 0;
1162
1163 cleanup:
1164 _gnutls_str_array_clear(&names);
1165 return ret;
1166 }
1167
1168 /**
1169 * gnutls_certificate_set_key:
1170 * @res: is a #gnutls_certificate_credentials_t structure.
1171 * @names: is an array of DNS name of the certificate (NULL if none)
1172 * @names_size: holds the size of the names list
1173 * @pcert_list: contains a certificate list (path) for the specified private key
1174 * @pcert_list_size: holds the size of the certificate list
1175 * @key: is a #gnutls_privkey_t key
1176 *
1177 * This function sets a certificate/private key pair in the
1178 * gnutls_certificate_credentials_t structure. This function may be
1179 * called more than once, in case multiple keys/certificates exist for
1180 * the server. For clients that wants to send more than its own end
1181 * entity certificate (e.g., also an intermediate CA cert) then put
1182 * the certificate chain in @pcert_list. The @pcert_list and @key will
1183 * become part of the credentials structure and must not
1184 * be deallocated. They will be automatically deallocated when @res
1185 * is deinitialized.
1186 *
1187 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1188 *
1189 * Since: 3.0
1190 **/
1191 int
1192 gnutls_certificate_set_key (gnutls_certificate_credentials_t res,
1193 const char** names,
1194 int names_size,
1195 gnutls_pcert_st * pcert_list,
1196 int pcert_list_size,
1197 gnutls_privkey_t key)
1198 {
1199 int ret, i;
1200 gnutls_str_array_t str_names;
1201
1202 _gnutls_str_array_init(&str_names);
1203
1204 if (names != NULL && names_size > 0)
1205 {
1206 for (i=0;i<names_size;i++)
1207 {
1208 ret = _gnutls_str_array_append(&str_names, names[i], strlen(names[i]));
1209 if (ret < 0)
1210 {
1211 ret = gnutls_assert_val(ret);
1212 goto cleanup;
1213 }
1214 }
1215 }
1216
1217 if (res->pin.cb)
1218 gnutls_privkey_set_pin_function(key, res->pin.cb, res->pin.data);
1219
1220 ret = certificate_credentials_append_pkey (res, key);
1221 if (ret < 0)
1222 {
1223 gnutls_assert ();
1224 goto cleanup;
1225 }
1226
1227 ret = certificate_credential_append_crt_list (res, str_names, pcert_list, pcert_list_size);
1228 if (ret < 0)
1229 {
1230 gnutls_assert ();
1231 goto cleanup;
1232 }
1233
1234 res->ncerts++;
1235
1236 if ((ret = _gnutls_check_key_cert_match (res)) < 0)
1237 {
1238 gnutls_assert ();
1239 return ret;
1240 }
1241
1242 return 0;
1243
1244 cleanup:
1245 _gnutls_str_array_clear(&str_names);
1246 return ret;
1247 }
1248
1249 /**
1250 * gnutls_certificate_set_x509_key_file:
1251 * @res: is a #gnutls_certificate_credentials_t structure.
1252 * @certfile: is a file that containing the certificate list (path) for
1253 * the specified private key, in PKCS7 format, or a list of certificates
1254 * @keyfile: is a file that contains the private key
1255 * @type: is PEM or DER
1256 *
1257 * This function sets a certificate/private key pair in the
1258 * gnutls_certificate_credentials_t structure. This function may be
1259 * called more than once, in case multiple keys/certificates exist for
1260 * the server. For clients that need to send more than its own end
1261 * entity certificate, e.g., also an intermediate CA cert, then the
1262 * @certfile must contain the ordered certificate chain.
1263 *
1264 * This function can also accept URLs at @keyfile and @certfile. In that case it
1265 * will import the private key and certificate indicated by the URLs. Note
1266 * that the supported URLs are the ones indicated by gnutls_url_is_supported().
1267 *
1268 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1269 **/
1270 int
1271 gnutls_certificate_set_x509_key_file (gnutls_certificate_credentials_t res,
1272 const char *certfile,
1273 const char *keyfile,
1274 gnutls_x509_crt_fmt_t type)
1275 {
1276 int ret;
1277
1278 /* this should be first
1279 */
1280 if ((ret = read_key_file (res, keyfile, type)) < 0)
1281 return ret;
1282
1283 if ((ret = read_cert_file (res, certfile, type)) < 0)
1284 return ret;
1285
1286 res->ncerts++;
1287
1288 if ((ret = _gnutls_check_key_cert_match (res)) < 0)
1289 {
1290 gnutls_assert ();
1291 return ret;
1292 }
1293
1294 return 0;
1295 }
1296
1297 static int
1298 add_new_crt_to_rdn_seq (gnutls_certificate_credentials_t res, gnutls_x509_crt_t* crts,
1299 unsigned int crt_size)
1300 {
1301 gnutls_datum_t tmp;
1302 int ret;
1303 size_t newsize;
1304 unsigned char *newdata, *p;
1305 unsigned i;
1306
1307 /* Add DN of the last added CAs to the RDN sequence
1308 * This will be sent to clients when a certificate
1309 * request message is sent.
1310 */
1311
1312 /* FIXME: in case of a client it is not needed
1313 * to do that. This would save time and memory.
1314 * However we don't have that information available
1315 * here.
1316 * Further, this function is now much more efficient,
1317 * so optimizing that is less important.
1318 */
1319
1320 for (i = 0; i < crt_size; i++)
1321 {
1322 if ((ret = gnutls_x509_crt_get_raw_dn (crts[i], &tmp)) < 0)
1323 {
1324 gnutls_assert ();
1325 return ret;
1326 }
1327
1328 newsize = res->x509_rdn_sequence.size + 2 + tmp.size;
1329 if (newsize < res->x509_rdn_sequence.size)
1330 {
1331 gnutls_assert ();
1332 _gnutls_free_datum (&tmp);
1333 return GNUTLS_E_SHORT_MEMORY_BUFFER;
1334 }
1335
1336 newdata = gnutls_realloc (res->x509_rdn_sequence.data, newsize);
1337 if (newdata == NULL)
1338 {
1339 gnutls_assert ();
1340 _gnutls_free_datum (&tmp);
1341 return GNUTLS_E_MEMORY_ERROR;
1342 }
1343
1344 p = newdata + res->x509_rdn_sequence.size;
1345 _gnutls_write_uint16 (tmp.size, p);
1346 if (tmp.data != NULL)
1347 memcpy (p+2, tmp.data, tmp.size);
1348
1349 _gnutls_free_datum (&tmp);
1350
1351 res->x509_rdn_sequence.size = newsize;
1352 res->x509_rdn_sequence.data = newdata;
1353 }
1354
1355 return 0;
1356 }
1357
1358 /* Returns 0 if it's ok to use the gnutls_kx_algorithm_t with this
1359 * certificate (uses the KeyUsage field).
1360 */
1361 int
1362 _gnutls_check_key_usage (const gnutls_pcert_st* cert, gnutls_kx_algorithm_t alg)
1363 {
1364 unsigned int key_usage = 0;
1365 int encipher_type;
1366
1367 if (cert == NULL)
1368 {
1369 gnutls_assert ();
1370 return GNUTLS_E_INTERNAL_ERROR;
1371 }
1372
1373 if (_gnutls_map_kx_get_cred (alg, 1) == GNUTLS_CRD_CERTIFICATE ||
1374 _gnutls_map_kx_get_cred (alg, 0) == GNUTLS_CRD_CERTIFICATE)
1375 {
1376
1377 gnutls_pubkey_get_key_usage(cert->pubkey, &key_usage);
1378
1379 encipher_type = _gnutls_kx_encipher_type (alg);
1380
1381 if (key_usage != 0 && encipher_type != CIPHER_IGN)
1382 {
1383 /* If key_usage has been set in the certificate
1384 */
1385
1386 if (encipher_type == CIPHER_ENCRYPT)
1387 {
1388 /* If the key exchange method requires an encipher
1389 * type algorithm, and key's usage does not permit
1390 * encipherment, then fail.
1391 */
1392 if (!(key_usage & GNUTLS_KEY_KEY_ENCIPHERMENT))
1393 {
1394 gnutls_assert ();
1395 return GNUTLS_E_KEY_USAGE_VIOLATION;
1396 }
1397 }
1398
1399 if (encipher_type == CIPHER_SIGN)
1400 {
1401 /* The same as above, but for sign only keys
1402 */
1403 if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
1404 {
1405 gnutls_assert ();
1406 return GNUTLS_E_KEY_USAGE_VIOLATION;
1407 }
1408 }
1409 }
1410 }
1411 return 0;
1412 }
1413
1414 static int
1415 parse_pem_ca_mem (gnutls_certificate_credentials_t res,
1416 const uint8_t * input_cert, int input_cert_size)
1417 {
1418 gnutls_x509_crt_t *x509_cert_list;
1419 unsigned int x509_ncerts;
1420 gnutls_datum_t tmp;
1421 int ret;
1422
1423 tmp.data = (void*)input_cert;
1424 tmp.size = input_cert_size;
1425
1426 ret = gnutls_x509_crt_list_import2( &x509_cert_list, &x509_ncerts, &tmp,
1427 GNUTLS_X509_FMT_PEM, 0);
1428 if (ret < 0)
1429 {
1430 gnutls_assert();
1431 return ret;
1432 }
1433
1434 if ((ret = add_new_crt_to_rdn_seq (res, x509_cert_list, x509_ncerts)) < 0)
1435 {
1436 gnutls_assert();
1437 goto cleanup;
1438 }
1439
1440 ret = gnutls_x509_trust_list_add_cas(res->tlist, x509_cert_list, x509_ncerts, 0);
1441 if (ret < 0)
1442 {
1443 gnutls_assert();
1444 goto cleanup;
1445 }
1446
1447 cleanup:
1448 gnutls_free(x509_cert_list);
1449 return ret;
1450 }
1451
1452 /* Reads a DER encoded certificate list from memory and stores it to a
1453 * gnutls_cert structure. Returns the number of certificates parsed.
1454 */
1455 static int
1456 parse_der_ca_mem (gnutls_certificate_credentials_t res,
1457 const void *input_cert, int input_cert_size)
1458 {
1459 gnutls_x509_crt_t crt;
1460 gnutls_datum_t tmp;
1461 int ret;
1462
1463 tmp.data = (void*)input_cert;
1464 tmp.size = input_cert_size;
1465
1466 ret = gnutls_x509_crt_init( &crt);
1467 if (ret < 0)
1468 {
1469 gnutls_assert();
1470 return ret;
1471 }
1472
1473 ret = gnutls_x509_crt_import( crt, &tmp, GNUTLS_X509_FMT_DER);
1474 if (ret < 0)
1475 {
1476 gnutls_assert();
1477 goto cleanup;
1478 }
1479
1480 if ((ret = add_new_crt_to_rdn_seq (res, &crt, 1)) < 0)
1481 {
1482 gnutls_assert();
1483 goto cleanup;
1484 }
1485
1486 ret = gnutls_x509_trust_list_add_cas(res->tlist, &crt, 1, 0);
1487 if (ret < 0)
1488 {
1489 gnutls_assert();
1490 goto cleanup;
1491 }
1492
1493 return ret;
1494
1495 cleanup:
1496 gnutls_x509_crt_deinit(crt);
1497 return ret;
1498 }
1499
1500 /**
1501 * gnutls_certificate_set_x509_trust_mem:
1502 * @res: is a #gnutls_certificate_credentials_t structure.
1503 * @ca: is a list of trusted CAs or a DER certificate
1504 * @type: is DER or PEM
1505 *
1506 * This function adds the trusted CAs in order to verify client or
1507 * server certificates. In case of a client this is not required to be
1508 * called if the certificates are not verified using
1509 * gnutls_certificate_verify_peers2(). This function may be called
1510 * multiple times.
1511 *
1512 * In case of a server the CAs set here will be sent to the client if
1513 * a certificate request is sent. This can be disabled using
1514 * gnutls_certificate_send_x509_rdn_sequence().
1515 *
1516 * Returns: the number of certificates processed or a negative error code
1517 * on error.
1518 **/
1519 int
1520 gnutls_certificate_set_x509_trust_mem (gnutls_certificate_credentials_t res,
1521 const gnutls_datum_t * ca,
1522 gnutls_x509_crt_fmt_t type)
1523 {
1524 int ret;
1525
1526 if (type == GNUTLS_X509_FMT_DER)
1527 ret = parse_der_ca_mem (res,
1528 ca->data, ca->size);
1529 else
1530 ret = parse_pem_ca_mem (res,
1531 ca->data, ca->size);
1532
1533 if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
1534 return 0;
1535
1536 return ret;
1537 }
1538
1539 /**
1540 * gnutls_certificate_set_x509_trust:
1541 * @res: is a #gnutls_certificate_credentials_t structure.
1542 * @ca_list: is a list of trusted CAs
1543 * @ca_list_size: holds the size of the CA list
1544 *
1545 * This function adds the trusted CAs in order to verify client
1546 * or server certificates. In case of a client this is not required
1547 * to be called if the certificates are not verified using
1548 * gnutls_certificate_verify_peers2().
1549 * This function may be called multiple times.
1550 *
1551 * In case of a server the CAs set here will be sent to the client if
1552 * a certificate request is sent. This can be disabled using
1553 * gnutls_certificate_send_x509_rdn_sequence().
1554 *
1555 * Returns: the number of certificates processed or a negative error code
1556 * on error.
1557 *
1558 * Since: 2.4.0
1559 **/
1560 int
1561 gnutls_certificate_set_x509_trust (gnutls_certificate_credentials_t res,
1562 gnutls_x509_crt_t * ca_list,
1563 int ca_list_size)
1564 {
1565 int ret, i, j;
1566 gnutls_x509_crt_t new_list[ca_list_size];
1567
1568 for (i = 0; i < ca_list_size; i++)
1569 {
1570 ret = gnutls_x509_crt_init (&new_list[i]);
1571 if (ret < 0)
1572 {
1573 gnutls_assert ();
1574 goto cleanup;
1575 }
1576
1577 ret = _gnutls_x509_crt_cpy (new_list[i], ca_list[i]);
1578 if (ret < 0)
1579 {
1580 gnutls_assert ();
1581 goto cleanup;
1582 }
1583 }
1584
1585 if ((ret = add_new_crt_to_rdn_seq (res, new_list, ca_list_size)) < 0)
1586 {
1587 gnutls_assert();
1588 goto cleanup;
1589 }
1590
1591 ret = gnutls_x509_trust_list_add_cas(res->tlist, new_list, ca_list_size, 0);
1592 if (ret < 0)
1593 {
1594 gnutls_assert ();
1595 goto cleanup;
1596 }
1597
1598 return ret;
1599
1600 cleanup:
1601 for (j=0;j<i;i++)
1602 gnutls_x509_crt_deinit(new_list[j]);
1603
1604 return ret;
1605 }
1606
1607
1608 /**
1609 * gnutls_certificate_set_x509_trust_file:
1610 * @cred: is a #gnutls_certificate_credentials_t structure.
1611 * @cafile: is a file containing the list of trusted CAs (DER or PEM list)
1612 * @type: is PEM or DER
1613 *
1614 * This function adds the trusted CAs in order to verify client or
1615 * server certificates. In case of a client this is not required to
1616 * be called if the certificates are not verified using
1617 * gnutls_certificate_verify_peers2(). This function may be called
1618 * multiple times.
1619 *
1620 * In case of a server the names of the CAs set here will be sent to
1621 * the client if a certificate request is sent. This can be disabled
1622 * using gnutls_certificate_send_x509_rdn_sequence().
1623 *
1624 * This function can also accept URLs. In that case it
1625 * will import all certificates that are marked as trusted. Note
1626 * that the supported URLs are the ones indicated by gnutls_url_is_supported().
1627 *
1628 * Returns: number of certificates processed, or a negative error code on
1629 * error.
1630 **/
1631 int
1632 gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t cred,
1633 const char *cafile,
1634 gnutls_x509_crt_fmt_t type)
1635 {
1636 int ret;
1637 gnutls_datum_t cas;
1638 size_t size;
1639
1640 #ifdef ENABLE_PKCS11
1641 if (strncmp (cafile, "pkcs11:", 7) == 0)
1642 {
1643 return read_cas_url (cred, cafile);
1644 }
1645 #endif
1646
1647 cas.data = (void*)read_binary_file (cafile, &size);
1648 if (cas.data == NULL)
1649 {
1650 gnutls_assert ();
1651 return GNUTLS_E_FILE_ERROR;
1652 }
1653
1654 cas.size = size;
1655
1656 ret = gnutls_certificate_set_x509_trust_mem(cred, &cas, type);
1657
1658 free (cas.data);
1659
1660 if (ret < 0)
1661 {
1662 gnutls_assert ();
1663 return ret;
1664 }
1665
1666 return ret;
1667 }
1668
1669 /**
1670 * gnutls_certificate_set_x509_system_trust:
1671 * @cred: is a #gnutls_certificate_credentials_t structure.
1672 *
1673 * This function adds the system's default trusted CAs in order to
1674 * verify client or server certificates.
1675 *
1676 * In the case the system is currently unsupported %GNUTLS_E_UNIMPLEMENTED_FEATURE
1677 * is returned.
1678 *
1679 * Returns: the number of certificates processed or a negative error code
1680 * on error.
1681 *
1682 * Since: 3.0
1683 **/
1684 int
1685 gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred)
1686 {
1687 return gnutls_x509_trust_list_add_system_trust(cred->tlist, 0, 0);
1688 }
1689
1690 static int
1691 parse_pem_crl_mem (gnutls_x509_trust_list_t tlist,
1692 const char * input_crl, unsigned int input_crl_size)
1693 {
1694 gnutls_x509_crl_t *x509_crl_list;
1695 unsigned int x509_ncrls;
1696 gnutls_datum_t tmp;
1697 int ret;
1698
1699 tmp.data = (void*)input_crl;
1700 tmp.size = input_crl_size;
1701
1702 ret = gnutls_x509_crl_list_import2( &x509_crl_list, &x509_ncrls, &tmp,
1703 GNUTLS_X509_FMT_PEM, 0);
1704 if (ret < 0)
1705 {
1706 gnutls_assert();
1707 return ret;
1708 }
1709
1710 ret = gnutls_x509_trust_list_add_crls(tlist, x509_crl_list, x509_ncrls, 0, 0);
1711 if (ret < 0)
1712 {
1713 gnutls_assert();
1714 goto cleanup;
1715 }
1716
1717 cleanup:
1718 gnutls_free(x509_crl_list);
1719 return ret;
1720 }
1721
1722 /* Reads a DER encoded certificate list from memory and stores it to a
1723 * gnutls_cert structure. Returns the number of certificates parsed.
1724 */
1725 static int
1726 parse_der_crl_mem (gnutls_x509_trust_list_t tlist,
1727 const void *input_crl, unsigned int input_crl_size)
1728 {
1729 gnutls_x509_crl_t crl;
1730 gnutls_datum_t tmp;
1731 int ret;
1732
1733 tmp.data = (void*)input_crl;
1734 tmp.size = input_crl_size;
1735
1736 ret = gnutls_x509_crl_init( &crl);
1737 if (ret < 0)
1738 {
1739 gnutls_assert();
1740 return ret;
1741 }
1742
1743 ret = gnutls_x509_crl_import( crl, &tmp, GNUTLS_X509_FMT_DER);
1744 if (ret < 0)
1745 {
1746 gnutls_assert();
1747 goto cleanup;
1748 }
1749
1750 ret = gnutls_x509_trust_list_add_crls(tlist, &crl, 1, 0, 0);
1751 if (ret < 0)
1752 {
1753 gnutls_assert();
1754 goto cleanup;
1755 }
1756
1757 return ret;
1758
1759 cleanup:
1760 gnutls_x509_crl_deinit(crl);
1761 return ret;
1762
1763 }
1764
1765
1766 /* Reads a DER or PEM CRL from memory
1767 */
1768 static int
1769 read_crl_mem (gnutls_certificate_credentials_t res, const void *crl,
1770 int crl_size, gnutls_x509_crt_fmt_t type)
1771 {
1772 int ret;
1773
1774 if (type == GNUTLS_X509_FMT_DER)
1775 ret = parse_der_crl_mem (res->tlist, crl, crl_size);
1776 else
1777 ret = parse_pem_crl_mem (res->tlist, crl, crl_size);
1778
1779 if (ret < 0)
1780 {
1781 gnutls_assert ();
1782 }
1783
1784 return ret;
1785 }
1786
1787 /**
1788 * gnutls_certificate_set_x509_crl_mem:
1789 * @res: is a #gnutls_certificate_credentials_t structure.
1790 * @CRL: is a list of trusted CRLs. They should have been verified before.
1791 * @type: is DER or PEM
1792 *
1793 * This function adds the trusted CRLs in order to verify client or
1794 * server certificates. In case of a client this is not required to
1795 * be called if the certificates are not verified using
1796 * gnutls_certificate_verify_peers2(). This function may be called
1797 * multiple times.
1798 *
1799 * Returns: number of CRLs processed, or a negative error code on error.
1800 **/
1801 int
1802 gnutls_certificate_set_x509_crl_mem (gnutls_certificate_credentials_t res,
1803 const gnutls_datum_t * CRL,
1804 gnutls_x509_crt_fmt_t type)
1805 {
1806 return read_crl_mem (res, CRL->data, CRL->size, type);
1807 }
1808
1809 /**
1810 * gnutls_certificate_set_x509_crl:
1811 * @res: is a #gnutls_certificate_credentials_t structure.
1812 * @crl_list: is a list of trusted CRLs. They should have been verified before.
1813 * @crl_list_size: holds the size of the crl_list
1814 *
1815 * This function adds the trusted CRLs in order to verify client or
1816 * server certificates. In case of a client this is not required to
1817 * be called if the certificates are not verified using
1818 * gnutls_certificate_verify_peers2(). This function may be called
1819 * multiple times.
1820 *
1821 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1822 *
1823 * Since: 2.4.0
1824 **/
1825 int
1826 gnutls_certificate_set_x509_crl (gnutls_certificate_credentials_t res,
1827 gnutls_x509_crl_t * crl_list,
1828 int crl_list_size)
1829 {
1830 int ret, i, j;
1831 gnutls_x509_crl_t new_crl[crl_list_size];
1832
1833 for (i = 0; i < crl_list_size; i++)
1834 {
1835 ret = gnutls_x509_crl_init (&new_crl[i]);
1836 if (ret < 0)
1837 {
1838 gnutls_assert ();
1839 goto cleanup;
1840 }
1841
1842 ret = _gnutls_x509_crl_cpy (new_crl[i], crl_list[i]);
1843 if (ret < 0)
1844 {
1845 gnutls_assert ();
1846 goto cleanup;
1847 }
1848 }
1849
1850 ret = gnutls_x509_trust_list_add_crls(res->tlist, new_crl, crl_list_size, 0, 0);
1851 if (ret < 0)
1852 {
1853 gnutls_assert ();
1854 goto cleanup;
1855 }
1856
1857 return ret;
1858
1859 cleanup:
1860 for (j=0;j<i;j++)
1861 gnutls_x509_crl_deinit(new_crl[j]);
1862
1863 return ret;
1864 }
1865
1866 /**
1867 * gnutls_certificate_set_x509_crl_file:
1868 * @res: is a #gnutls_certificate_credentials_t structure.
1869 * @crlfile: is a file containing the list of verified CRLs (DER or PEM list)
1870 * @type: is PEM or DER
1871 *
1872 * This function adds the trusted CRLs in order to verify client or server
1873 * certificates. In case of a client this is not required
1874 * to be called if the certificates are not verified using
1875 * gnutls_certificate_verify_peers2().
1876 * This function may be called multiple times.
1877 *
1878 * Returns: number of CRLs processed or a negative error code on error.
1879 **/
1880 int
1881 gnutls_certificate_set_x509_crl_file (gnutls_certificate_credentials_t res,
1882 const char *crlfile,
1883 gnutls_x509_crt_fmt_t type)
1884 {
1885 int ret;
1886 size_t size;
1887 char *data = (void*)read_binary_file (crlfile, &size);
1888
1889 if (data == NULL)
1890 {
1891 gnutls_assert ();
1892 return GNUTLS_E_FILE_ERROR;
1893 }
1894
1895 if (type == GNUTLS_X509_FMT_DER)
1896 ret = parse_der_crl_mem (res->tlist, data, size);
1897 else
1898 ret = parse_pem_crl_mem (res->tlist, data, size);
1899
1900 free (data);
1901
1902 if (ret < 0)
1903 {
1904 gnutls_assert ();
1905 return ret;
1906 }
1907
1908 return ret;
1909 }
1910
1911 #include <gnutls/pkcs12.h>
1912
1913
1914 /**
1915 * gnutls_certificate_set_x509_simple_pkcs12_file:
1916 * @res: is a #gnutls_certificate_credentials_t structure.
1917 * @pkcs12file: filename of file containing PKCS#12 blob.
1918 * @type: is PEM or DER of the @pkcs12file.
1919 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
1920 *
1921 * This function sets a certificate/private key pair and/or a CRL in
1922 * the gnutls_certificate_credentials_t structure. This function may
1923 * be called more than once (in case multiple keys/certificates exist
1924 * for the server).
1925 *
1926 * PKCS#12 files with a MAC, encrypted bags and PKCS #8
1927 * private keys are supported. However,
1928 * only password based security, and the same password for all
1929 * operations, are supported.
1930 *
1931 * PKCS#12 file may contain many keys and/or certificates, and there
1932 * is no way to identify which key/certificate pair you want. You
1933 * should make sure the PKCS#12 file only contain one key/certificate
1934 * pair and/or one CRL.
1935 *
1936 * It is believed that the limitations of this function is acceptable
1937 * for most usage, and that any more flexibility would introduce
1938 * complexity that would make it harder to use this functionality at
1939 * all.
1940 *
1941 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1942 **/
1943 int
1944 gnutls_certificate_set_x509_simple_pkcs12_file
1945 (gnutls_certificate_credentials_t res, const char *pkcs12file,
1946 gnutls_x509_crt_fmt_t type, const char *password)
1947 {
1948 gnutls_datum_t p12blob;
1949 size_t size;
1950 int ret;
1951
1952 p12blob.data = (void*)read_binary_file (pkcs12file, &size);
1953 p12blob.size = (unsigned int) size;
1954 if (p12blob.data == NULL)
1955 {
1956 gnutls_assert ();
1957 return GNUTLS_E_FILE_ERROR;
1958 }
1959
1960 ret =
1961 gnutls_certificate_set_x509_simple_pkcs12_mem (res, &p12blob, type,
1962 password);
1963 free (p12blob.data);
1964
1965 return ret;
1966 }
1967
1968 /**
1969 * gnutls_certificate_set_x509_simple_pkcs12_mem:
1970 * @res: is a #gnutls_certificate_credentials_t structure.
1971 * @p12blob: the PKCS#12 blob.
1972 * @type: is PEM or DER of the @pkcs12file.
1973 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
1974 *
1975 * This function sets a certificate/private key pair and/or a CRL in
1976 * the gnutls_certificate_credentials_t structure. This function may
1977 * be called more than once (in case multiple keys/certificates exist
1978 * for the server).
1979 *
1980 * Encrypted PKCS#12 bags and PKCS#8 private keys are supported. However,
1981 * only password based security, and the same password for all
1982 * operations, are supported.
1983 *
1984 * PKCS#12 file may contain many keys and/or certificates, and there
1985 * is no way to identify which key/certificate pair you want. You
1986 * should make sure the PKCS#12 file only contain one key/certificate
1987 * pair and/or one CRL.
1988 *
1989 * It is believed that the limitations of this function is acceptable
1990 * for most usage, and that any more flexibility would introduce
1991 * complexity that would make it harder to use this functionality at
1992 * all.
1993 *
1994 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1995 *
1996 * Since: 2.8.0
1997 **/
1998 int
1999 gnutls_certificate_set_x509_simple_pkcs12_mem
2000 (gnutls_certificate_credentials_t res, const gnutls_datum_t * p12blob,
2001 gnutls_x509_crt_fmt_t type, const char *password)
2002 {
2003 gnutls_pkcs12_t p12;
2004 gnutls_x509_privkey_t key = NULL;
2005 gnutls_x509_crt_t *chain = NULL;
2006 gnutls_x509_crl_t crl = NULL;
2007 unsigned int chain_size = 0, i;
2008 int ret;
2009
2010 ret = gnutls_pkcs12_init (&p12);
2011 if (ret < 0)
2012 {
2013 gnutls_assert ();
2014 return ret;
2015 }
2016
2017 ret = gnutls_pkcs12_import (p12, p12blob, type, 0);
2018 if (ret < 0)
2019 {
2020 gnutls_assert ();
2021 gnutls_pkcs12_deinit (p12);
2022 return ret;
2023 }
2024
2025 if (password)
2026 {
2027 ret = gnutls_pkcs12_verify_mac (p12, password);
2028 if (ret < 0)
2029 {
2030 gnutls_assert ();
2031 gnutls_pkcs12_deinit (p12);
2032 return ret;
2033 }
2034 }
2035
2036 ret = gnutls_pkcs12_simple_parse (p12, password, &key, &chain, &chain_size,
2037 NULL, NULL, &crl, 0);
2038 gnutls_pkcs12_deinit (p12);
2039 if (ret < 0)
2040 {
2041 gnutls_assert ();
2042 return ret;
2043 }
2044
2045 if (key && chain)
2046 {
2047 ret = gnutls_certificate_set_x509_key (res, chain, chain_size, key);
2048 if (ret < 0)
2049 {
2050 gnutls_assert ();
2051 goto done;
2052 }
2053 }
2054 else
2055 {
2056 gnutls_assert();
2057 ret = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
2058 goto done;
2059 }
2060
2061 if (crl)
2062 {
2063 ret = gnutls_certificate_set_x509_crl (res, &crl, 1);
2064 if (ret < 0)
2065 {
2066 gnutls_assert ();
2067 goto done;
2068 }
2069 }
2070
2071 ret = 0;
2072
2073 done:
2074 if (chain)
2075 {
2076 for (i=0;i<chain_size;i++)
2077 gnutls_x509_crt_deinit (chain[i]);
2078 gnutls_free(chain);
2079 }
2080 if (key)
2081 gnutls_x509_privkey_deinit (key);
2082 if (crl)
2083 gnutls_x509_crl_deinit (crl);
2084
2085 return ret;
2086 }
2087
2088
2089
2090 /**
2091 * gnutls_certificate_free_crls:
2092 * @sc: is a #gnutls_certificate_credentials_t structure.
2093 *
2094 * This function will delete all the CRLs associated
2095 * with the given credentials.
2096 **/
2097 void
2098 gnutls_certificate_free_crls (gnutls_certificate_credentials_t sc)
2099 {
2100 /* do nothing for now */
2101 return;
2102 }
2103
2104 /**
2105 * gnutls_certificate_credentials_t:
2106 * @cred: is a #gnutls_certificate_credentials_t structure.
2107 * @fn: A PIN callback
2108 * @userdata: Data to be passed in the callback
2109 *
2110 * This function will set a callback function to be used when
2111 * required to access a protected object. This function overrides any other
2112 * global PIN functions.
2113 *
2114 * Note that this function must be called right after initialization
2115 * to have effect.
2116 *
2117 * Since: 3.1.0
2118 **/
2119 void gnutls_certificate_set_pin_function (gnutls_certificate_credentials_t cred,
2120 gnutls_pin_callback_t fn, void *userdata)
2121 {
2122 cred->pin.cb = fn;
2123 cred->pin.data = userdata;
2124 }
Implementation of the SSL/TLS protocol