2 * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009,
3 * 2010 Free Software Foundation, Inc.
5 * Author: Nikos Mavrogiannopoulos
7 * This file is part of GnuTLS.
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
26 /* The certificate authentication functions which are needed in the handshake,
27 * and are common to RSA and DHE key exchange, are in this file.
30 #include <gnutls_int.h>
31 #include "gnutls_auth.h"
32 #include "gnutls_errors.h"
33 #include <gnutls_cert.h>
34 #include <auth_cert.h>
35 #include "gnutls_dh.h"
36 #include "gnutls_num.h"
38 #include "gnutls_datum.h"
39 #include "ext_signature.h"
40 #include <gnutls_pk.h>
41 #include <gnutls_algorithms.h>
42 #include <gnutls_global.h>
43 #include <gnutls_record.h>
44 #include <gnutls_sig.h>
45 #include <gnutls_state.h>
46 #include <gnutls_pk.h>
47 #include <gnutls_x509.h>
48 #include <gnutls/abstract.h>
52 #include "openpgp/gnutls_openpgp.h"
54 static gnutls_privkey_t
alloc_and_load_pgp_key (const gnutls_openpgp_privkey_t
56 static gnutls_cert
*alloc_and_load_pgp_certs (gnutls_openpgp_crt_t cert
);
60 static gnutls_cert
*alloc_and_load_x509_certs (gnutls_x509_crt_t
* certs
,
62 static gnutls_privkey_t
alloc_and_load_x509_key (gnutls_x509_privkey_t key
,
65 static gnutls_privkey_t
alloc_and_load_pkcs11_key (gnutls_pkcs11_privkey_t
69 /* Copies data from a internal certificate struct (gnutls_cert) to
70 * exported certificate struct (cert_auth_info_t)
73 _gnutls_copy_certificate_auth_info (cert_auth_info_t info
,
74 gnutls_cert
* cert
, size_t ncerts
)
76 /* Copy peer's information to auth_info_t
81 if (info
->raw_certificate_list
!= NULL
)
83 for (j
= 0; j
< info
->ncerts
; j
++)
84 _gnutls_free_datum (&info
->raw_certificate_list
[j
]);
85 gnutls_free (info
->raw_certificate_list
);
90 info
->raw_certificate_list
= NULL
;
95 info
->raw_certificate_list
=
96 gnutls_calloc (ncerts
, sizeof (gnutls_datum_t
));
97 if (info
->raw_certificate_list
== NULL
)
100 return GNUTLS_E_MEMORY_ERROR
;
103 for (i
= 0; i
< ncerts
; i
++)
105 if (cert
->raw
.size
> 0)
108 _gnutls_set_datum (&info
->raw_certificate_list
[i
],
109 cert
[i
].raw
.data
, cert
[i
].raw
.size
);
117 info
->ncerts
= ncerts
;
119 info
->cert_type
= cert
[0].cert_type
;
120 info
->sign_algo
= cert
[0].sign_algo
;
122 #ifdef ENABLE_OPENPGP
123 if (cert
[0].cert_type
== GNUTLS_CRT_OPENPGP
)
125 info
->use_subkey
= cert
[0].use_subkey
;
126 memcpy (info
->subkey_id
, cert
[0].subkey_id
, sizeof (info
->subkey_id
));
134 for (j
= 0; j
< i
; j
++)
135 _gnutls_free_datum (&info
->raw_certificate_list
[j
]);
137 gnutls_free (info
->raw_certificate_list
);
138 info
->raw_certificate_list
= NULL
;
146 /* returns 0 if the algo_to-check exists in the pk_algos list,
150 _gnutls_check_pk_algo_in_list (const gnutls_pk_algorithm_t
*
151 pk_algos
, int pk_algos_length
,
152 gnutls_pk_algorithm_t algo_to_check
)
155 for (i
= 0; i
< pk_algos_length
; i
++)
157 if (algo_to_check
== pk_algos
[i
])
166 /* Returns the issuer's Distinguished name in odn, of the certificate
170 _gnutls_cert_get_issuer_dn (gnutls_cert
* cert
, gnutls_datum_t
* odn
)
176 if ((result
= asn1_create_element
177 (_gnutls_get_pkix (), "PKIX1.Certificate", &dn
)) != ASN1_SUCCESS
)
180 return _gnutls_asn2err (result
);
183 result
= asn1_der_decoding (&dn
, cert
->raw
.data
, cert
->raw
.size
, NULL
);
184 if (result
!= ASN1_SUCCESS
)
186 /* couldn't decode DER */
188 asn1_delete_structure (&dn
);
189 return _gnutls_asn2err (result
);
192 result
= asn1_der_decoding_startEnd (dn
, cert
->raw
.data
, cert
->raw
.size
,
193 "tbsCertificate.issuer", &start
, &end
);
195 if (result
!= ASN1_SUCCESS
)
197 /* couldn't decode DER */
199 asn1_delete_structure (&dn
);
200 return _gnutls_asn2err (result
);
202 asn1_delete_structure (&dn
);
204 len
= end
- start
+ 1;
207 odn
->data
= &cert
->raw
.data
[start
];
213 /* Locates the most appropriate x509 certificate using the
214 * given DN. If indx == -1 then no certificate was found.
216 * That is to guess which certificate to use, based on the
217 * CAs and sign algorithms supported by the peer server.
220 _find_x509_cert (const gnutls_certificate_credentials_t cred
,
221 opaque
* _data
, size_t _data_size
,
222 const gnutls_pk_algorithm_t
* pk_algos
,
223 int pk_algos_length
, int *indx
)
226 gnutls_datum_t odn
= { NULL
, 0 };
227 opaque
*data
= _data
;
228 ssize_t data_size
= _data_size
;
237 DECR_LENGTH_RET (data_size
, 2, 0);
238 size
= _gnutls_read_uint16 (data
);
239 DECR_LENGTH_RET (data_size
, size
, 0);
242 for (i
= 0; i
< cred
->ncerts
; i
++)
244 for (j
= 0; j
< cred
->cert_list_length
[i
]; j
++)
247 _gnutls_cert_get_issuer_dn (&cred
->cert_list
[i
][j
],
254 if (odn
.size
!= size
)
257 /* If the DN matches and
258 * the *_SIGN algorithm matches
259 * the cert is our cert!
261 cert_pk
= cred
->cert_list
[i
][0].subject_pk_algorithm
;
263 if ((memcmp (odn
.data
, data
, size
) == 0) &&
264 (_gnutls_check_pk_algo_in_list
265 (pk_algos
, pk_algos_length
, cert_pk
) == 0))
278 /* move to next record */
288 #ifdef ENABLE_OPENPGP
289 /* Locates the most appropriate openpgp cert
292 _find_openpgp_cert (const gnutls_certificate_credentials_t cred
,
293 gnutls_pk_algorithm_t
* pk_algos
,
294 int pk_algos_length
, int *indx
)
300 for (i
= 0; i
< cred
->ncerts
; i
++)
302 for (j
= 0; j
< cred
->cert_list_length
[i
]; j
++)
305 /* If the *_SIGN algorithm matches
306 * the cert is our cert!
308 if ((_gnutls_check_pk_algo_in_list
309 (pk_algos
, pk_algos_length
,
310 cred
->cert_list
[i
][0].subject_pk_algorithm
) == 0)
311 && (cred
->cert_list
[i
][0].cert_type
== GNUTLS_CRT_OPENPGP
))
325 /* Returns the number of issuers in the server's
326 * certificate request packet.
329 get_issuers_num (gnutls_session_t session
, opaque
* data
, ssize_t data_size
)
331 int issuers_dn_len
= 0, result
;
334 /* Count the number of the given issuers;
335 * This is used to allocate the issuers_dn without
339 if (data_size
== 0 || data
== NULL
)
345 /* This works like DECR_LEN()
347 result
= GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
348 DECR_LENGTH_COM (data_size
, 2, goto error
);
349 size
= _gnutls_read_uint16 (data
);
351 result
= GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
352 DECR_LENGTH_COM (data_size
, size
, goto error
);
368 return issuers_dn_len
;
374 /* Returns the issuers in the server's certificate request
378 get_issuers (gnutls_session_t session
,
379 gnutls_datum_t
* issuers_dn
, int issuers_len
,
380 opaque
* data
, size_t data_size
)
385 if (gnutls_certificate_type_get (session
) != GNUTLS_CRT_X509
)
388 /* put the requested DNs to req_dn, only in case
389 * of X509 certificates.
394 for (i
= 0; i
< issuers_len
; i
++)
396 /* The checks here for the buffer boundaries
397 * are not needed since the buffer has been
402 size
= _gnutls_read_uint16 (data
);
406 issuers_dn
[i
].data
= data
;
407 issuers_dn
[i
].size
= size
;
417 st_to_st2 (gnutls_retr2_st
* st2
, gnutls_retr_st
* st
)
419 st2
->cert_type
= st
->type
;
420 if (st
->type
== GNUTLS_CRT_OPENPGP
)
422 st2
->key_type
= GNUTLS_PRIVKEY_OPENPGP
;
426 st2
->key_type
= GNUTLS_PRIVKEY_X509
;
428 st2
->ncerts
= st
->ncerts
;
429 st2
->deinit_all
= st
->deinit_all
;
431 switch (st2
->cert_type
)
433 case GNUTLS_CRT_OPENPGP
:
434 st2
->cert
.pgp
= st
->cert
.pgp
;
435 st2
->key
.pgp
= st
->key
.pgp
;
437 case GNUTLS_CRT_X509
:
438 st2
->cert
.x509
= st
->cert
.x509
;
439 st2
->key
.x509
= st
->key
.x509
;
447 /* Calls the client get callback.
450 call_get_cert_callback (gnutls_session_t session
,
451 const gnutls_datum_t
* issuers_dn
,
452 int issuers_dn_length
,
453 gnutls_pk_algorithm_t
* pk_algos
, int pk_algos_length
)
456 gnutls_cert
*local_certs
= NULL
;
457 gnutls_privkey_t local_key
= NULL
;
458 int ret
= GNUTLS_E_INTERNAL_ERROR
;
459 gnutls_certificate_type_t type
= gnutls_certificate_type_get (session
);
460 gnutls_certificate_credentials_t cred
;
463 cred
= (gnutls_certificate_credentials_t
)
464 _gnutls_get_cred (session
->key
, GNUTLS_CRD_CERTIFICATE
, NULL
);
468 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
471 memset (&st2
, 0, sizeof (st2
));
473 if (cred
->get_cert_callback
)
475 ret
= cred
->get_cert_callback (session
, issuers_dn
, issuers_dn_length
,
476 pk_algos
, pk_algos_length
, &st2
);
480 { /* compatibility mode */
482 memset (&st
, 0, sizeof (st
));
483 if (session
->security_parameters
.entity
== GNUTLS_SERVER
)
485 if (cred
->server_get_cert_callback
== NULL
)
488 return GNUTLS_E_INTERNAL_ERROR
;
490 ret
= cred
->server_get_cert_callback (session
, &st
);
492 st_to_st2 (&st2
, &st
);
497 if (cred
->client_get_cert_callback
== NULL
)
500 return GNUTLS_E_INTERNAL_ERROR
;
502 ret
= cred
->client_get_cert_callback (session
,
503 issuers_dn
, issuers_dn_length
,
504 pk_algos
, pk_algos_length
,
507 st_to_st2 (&st2
, &st
);
514 return GNUTLS_E_INTERNAL_ERROR
;
518 return 0; /* no certificate was selected */
520 if (type
!= st2
.cert_type
)
523 ret
= GNUTLS_E_INVALID_REQUEST
;
528 if (type
== GNUTLS_CRT_X509
)
530 local_certs
= alloc_and_load_x509_certs (st2
.cert
.x509
, st2
.ncerts
);
537 ret
= GNUTLS_E_INVALID_REQUEST
;
540 #ifdef ENABLE_OPENPGP
542 local_certs
= alloc_and_load_pgp_certs (st2
.cert
.pgp
);
545 ret
= GNUTLS_E_UNIMPLEMENTED_FEATURE
;
550 if (local_certs
== NULL
)
553 ret
= GNUTLS_E_MEMORY_ERROR
;
557 switch (st2
.key_type
)
559 case GNUTLS_PRIVKEY_OPENPGP
:
560 #ifdef ENABLE_OPENPGP
561 if (st2
.key
.pgp
!= NULL
)
563 local_key
= alloc_and_load_pgp_key (st2
.key
.pgp
, st2
.deinit_all
);
564 if (local_key
== NULL
)
567 ret
= GNUTLS_E_INTERNAL_ERROR
;
573 case GNUTLS_PRIVKEY_PKCS11
:
574 if (st2
.key
.pkcs11
!= NULL
)
577 alloc_and_load_pkcs11_key (st2
.key
.pkcs11
, st2
.deinit_all
);
578 if (local_key
== NULL
)
581 ret
= GNUTLS_E_INTERNAL_ERROR
;
586 case GNUTLS_PRIVKEY_X509
:
587 if (st2
.key
.x509
!= NULL
)
589 local_key
= alloc_and_load_x509_key (st2
.key
.x509
, st2
.deinit_all
);
590 if (local_key
== NULL
)
593 ret
= GNUTLS_E_INTERNAL_ERROR
;
600 _gnutls_selected_certs_set (session
, local_certs
,
601 (local_certs
!= NULL
) ? st2
.ncerts
: 0,
608 if (st2
.cert_type
== GNUTLS_CRT_X509
)
612 for (i
= 0; i
< st2
.ncerts
; i
++)
614 gnutls_x509_crt_deinit (st2
.cert
.x509
[i
]);
620 #ifdef ENABLE_OPENPGP
623 gnutls_openpgp_crt_deinit (st2
.cert
.pgp
);
630 if (local_key
!= NULL
)
631 gnutls_privkey_deinit (local_key
);
637 /* Finds the appropriate certificate depending on the cA Distinguished name
638 * advertized by the server. If none matches then returns 0 and -1 as index.
639 * In case of an error a negative value, is returned.
641 * 20020128: added ability to select a certificate depending on the SIGN
642 * algorithm (only in automatic mode).
645 _select_client_cert (gnutls_session_t session
,
646 opaque
* _data
, size_t _data_size
,
647 gnutls_pk_algorithm_t
* pk_algos
, int pk_algos_length
)
651 gnutls_certificate_credentials_t cred
;
652 opaque
*data
= _data
;
653 ssize_t data_size
= _data_size
;
654 int issuers_dn_length
;
655 gnutls_datum_t
*issuers_dn
= NULL
;
657 cred
= (gnutls_certificate_credentials_t
)
658 _gnutls_get_cred (session
->key
, GNUTLS_CRD_CERTIFICATE
, NULL
);
662 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
665 if (cred
->client_get_cert_callback
!= NULL
666 || cred
->get_cert_callback
!= NULL
)
669 /* use a callback to get certificate
671 if (session
->security_parameters
.cert_type
!= GNUTLS_CRT_X509
)
672 issuers_dn_length
= 0;
675 issuers_dn_length
= get_issuers_num (session
, data
, data_size
);
676 if (issuers_dn_length
< 0)
679 return issuers_dn_length
;
682 if (issuers_dn_length
> 0)
685 gnutls_malloc (sizeof (gnutls_datum_t
) * issuers_dn_length
);
686 if (issuers_dn
== NULL
)
689 return GNUTLS_E_MEMORY_ERROR
;
693 get_issuers (session
, issuers_dn
, issuers_dn_length
,
704 call_get_cert_callback (session
, issuers_dn
, issuers_dn_length
,
705 pk_algos
, pk_algos_length
);
711 /* If we have no callbacks, try to guess.
715 if (session
->security_parameters
.cert_type
== GNUTLS_CRT_X509
)
717 _find_x509_cert (cred
, _data
, _data_size
,
718 pk_algos
, pk_algos_length
, &indx
);
720 #ifdef ENABLE_OPENPGP
721 if (session
->security_parameters
.cert_type
== GNUTLS_CRT_OPENPGP
)
722 result
= _find_openpgp_cert (cred
, pk_algos
, pk_algos_length
, &indx
);
733 _gnutls_selected_certs_set (session
,
734 &cred
->cert_list
[indx
][0],
735 cred
->cert_list_length
[indx
],
736 cred
->pkey
[indx
], 0);
740 _gnutls_selected_certs_set (session
, NULL
, 0, NULL
, 0);
747 gnutls_free (issuers_dn
);
752 /* Generate client certificate
756 _gnutls_gen_x509_crt (gnutls_session_t session
, gnutls_buffer_st
* data
)
759 gnutls_cert
*apr_cert_list
;
760 gnutls_privkey_t apr_pkey
;
761 int apr_cert_list_length
;
763 /* find the appropriate certificate
766 _gnutls_get_selected_cert (session
, &apr_cert_list
,
767 &apr_cert_list_length
, &apr_pkey
)) < 0)
774 for (i
= 0; i
< apr_cert_list_length
; i
++)
776 ret
+= apr_cert_list
[i
].raw
.size
+ 3;
781 /* if no certificates were found then send:
782 * 0B 00 00 03 00 00 00 // Certificate with no certs
784 * 0B 00 00 00 // empty certificate handshake
786 * ( the above is the whole handshake message, not
787 * the one produced here )
790 ret
= _gnutls_buffer_append_prefix(data
, 24, ret
- 3);
792 return gnutls_assert_val(ret
);
794 for (i
= 0; i
< apr_cert_list_length
; i
++)
796 ret
= _gnutls_buffer_append_data_prefix( data
, 24, apr_cert_list
[i
].raw
.data
,
797 apr_cert_list
[i
].raw
.size
);
799 return gnutls_assert_val(ret
);
805 enum PGPKeyDescriptorType
806 { PGP_KEY_FINGERPRINT
, PGP_KEY
, PGP_KEY_SUBKEY
, PGP_KEY_FINGERPRINT_SUBKEY
};
808 #ifdef ENABLE_OPENPGP
810 _gnutls_gen_openpgp_certificate (gnutls_session_t session
, gnutls_buffer_st
* data
)
813 gnutls_cert
*apr_cert_list
;
814 gnutls_privkey_t apr_pkey
;
815 int apr_cert_list_length
;
818 /* find the appropriate certificate */
820 _gnutls_get_selected_cert (session
, &apr_cert_list
,
821 &apr_cert_list_length
, &apr_pkey
)) < 0)
830 if (apr_cert_list_length
> 0)
832 if (apr_cert_list
[0].use_subkey
!= 0)
833 ret
+= 1 + sizeof (apr_cert_list
[0].subkey_id
); /* for the keyid */
835 ret
+= apr_cert_list
[0].raw
.size
;
838 ret
= _gnutls_buffer_append_prefix( data
, 24, ret
- 3);
840 return gnutls_assert_val(ret
);
843 if (apr_cert_list_length
> 0)
845 if (apr_cert_list
[0].use_subkey
!= 0)
847 type
= PGP_KEY_SUBKEY
;
849 ret
= _gnutls_buffer_append_data( data
, &type
, 1);
851 return gnutls_assert_val(ret
);
853 ret
= _gnutls_buffer_append_data_prefix( data
, 8, apr_cert_list
[0].subkey_id
,
854 sizeof (apr_cert_list
[0].subkey_id
));
856 return gnutls_assert_val(ret
);
861 ret
= _gnutls_buffer_append_data( data
, &type
, 1);
863 return gnutls_assert_val(ret
);
866 ret
= _gnutls_buffer_append_data_prefix( data
, 24, apr_cert_list
[0].raw
.data
,
867 apr_cert_list
[0].raw
.size
);
869 return gnutls_assert_val(ret
);
871 else /* empty - no certificate */
873 ret
= _gnutls_buffer_append_data( data
, &type
, 1);
875 return gnutls_assert_val(ret
);
877 ret
= _gnutls_buffer_append_prefix( data
, 24, 0);
879 return gnutls_assert_val(ret
);
886 _gnutls_gen_openpgp_certificate_fpr (gnutls_session_t session
, gnutls_buffer_st
* data
)
888 int ret
, packet_size
;
889 uint8_t type
, fpr
[20];
891 gnutls_cert
*apr_cert_list
;
892 gnutls_privkey_t apr_pkey
;
893 int apr_cert_list_length
;
895 /* find the appropriate certificate */
897 _gnutls_get_selected_cert (session
, &apr_cert_list
,
898 &apr_cert_list_length
, &apr_pkey
)) < 0)
906 if (apr_cert_list
[0].use_subkey
)
907 packet_size
+= 1 + sizeof (apr_cert_list
[0].subkey_id
); /* for the keyid */
909 /* Only v4 fingerprints are sent
911 if (apr_cert_list_length
> 0 && apr_cert_list
[0].version
== 4)
912 packet_size
+= 20 + 1;
913 else /* empty certificate case */
914 return _gnutls_gen_openpgp_certificate (session
, data
);
916 ret
= _gnutls_buffer_append_prefix( data
, 24, packet_size
- 3);
918 return gnutls_assert_val(ret
);
920 if (apr_cert_list
[0].use_subkey
)
922 type
= PGP_KEY_FINGERPRINT_SUBKEY
;
923 ret
= _gnutls_buffer_append_data( data
, &type
, 1);
925 return gnutls_assert_val(ret
);
927 ret
= _gnutls_buffer_append_data_prefix( data
, 8,
928 apr_cert_list
[0].subkey_id
, sizeof(apr_cert_list
[0].subkey_id
));
930 return gnutls_assert_val(ret
);
934 type
= PGP_KEY_FINGERPRINT
; /* key fingerprint */
935 ret
= _gnutls_buffer_append_data( data
, &type
, 1);
937 return gnutls_assert_val(ret
);
940 fpr_size
= sizeof(fpr
);
942 _gnutls_openpgp_fingerprint (&apr_cert_list
[0].raw
, fpr
,
949 ret
= _gnutls_buffer_append_data_prefix( data
, 8, fpr
, fpr_size
);
951 return gnutls_assert_val(ret
);
959 _gnutls_gen_cert_client_certificate (gnutls_session_t session
, gnutls_buffer_st
* data
)
961 switch (session
->security_parameters
.cert_type
)
963 #ifdef ENABLE_OPENPGP
964 case GNUTLS_CRT_OPENPGP
:
965 if (_gnutls_openpgp_send_fingerprint (session
) == 0)
966 return _gnutls_gen_openpgp_certificate (session
, data
);
968 return _gnutls_gen_openpgp_certificate_fpr (session
, data
);
970 case GNUTLS_CRT_X509
:
971 return _gnutls_gen_x509_crt (session
, data
);
975 return GNUTLS_E_INTERNAL_ERROR
;
980 _gnutls_gen_cert_server_certificate (gnutls_session_t session
, gnutls_buffer_st
* data
)
982 switch (session
->security_parameters
.cert_type
)
984 #ifdef ENABLE_OPENPGP
985 case GNUTLS_CRT_OPENPGP
:
986 return _gnutls_gen_openpgp_certificate (session
, data
);
988 case GNUTLS_CRT_X509
:
989 return _gnutls_gen_x509_crt (session
, data
);
992 return GNUTLS_E_INTERNAL_ERROR
;
996 /* Process server certificate
999 #define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) _gnutls_gcert_deinit(&peer_certificate_list[x])
1001 _gnutls_proc_x509_server_certificate (gnutls_session_t session
,
1002 opaque
* data
, size_t data_size
)
1006 cert_auth_info_t info
;
1007 gnutls_certificate_credentials_t cred
;
1008 ssize_t dsize
= data_size
;
1010 gnutls_cert
*peer_certificate_list
;
1011 size_t peer_certificate_list_size
= 0, j
, x
;
1014 cred
= (gnutls_certificate_credentials_t
)
1015 _gnutls_get_cred (session
->key
, GNUTLS_CRD_CERTIFICATE
, NULL
);
1019 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
1024 _gnutls_auth_info_set (session
, GNUTLS_CRD_CERTIFICATE
,
1025 sizeof (cert_auth_info_st
), 1)) < 0)
1031 info
= _gnutls_get_auth_info (session
);
1033 if (data
== NULL
|| data_size
== 0)
1036 /* no certificate was sent */
1037 return GNUTLS_E_NO_CERTIFICATE_FOUND
;
1040 DECR_LEN (dsize
, 3);
1041 size
= _gnutls_read_uint24 (p
);
1044 /* some implementations send 0B 00 00 06 00 00 03 00 00 00
1045 * instead of just 0B 00 00 03 00 00 00 as an empty certificate message.
1047 if (size
== 0 || size
== 3)
1050 /* no certificate was sent */
1051 return GNUTLS_E_NO_CERTIFICATE_FOUND
;
1057 DECR_LEN (dsize
, 3);
1058 len
= _gnutls_read_uint24 (p
);
1060 DECR_LEN (dsize
, len
);
1061 peer_certificate_list_size
++;
1066 if (peer_certificate_list_size
== 0)
1069 return GNUTLS_E_NO_CERTIFICATE_FOUND
;
1072 /* Ok we now allocate the memory to hold the
1076 peer_certificate_list
=
1077 gnutls_malloc (sizeof (gnutls_cert
) * (peer_certificate_list_size
));
1079 if (peer_certificate_list
== NULL
)
1082 return GNUTLS_E_MEMORY_ERROR
;
1084 memset (peer_certificate_list
, 0, sizeof (gnutls_cert
) *
1085 peer_certificate_list_size
);
1089 /* Now we start parsing the list (again).
1090 * We don't use DECR_LEN since the list has
1091 * been parsed before.
1094 for (j
= 0; j
< peer_certificate_list_size
; j
++)
1096 len
= _gnutls_read_uint24 (p
);
1103 _gnutls_x509_raw_cert_to_gcert (&peer_certificate_list
1105 CERT_ONLY_EXTENSIONS
)) < 0)
1111 /* check if signature algorithm is supported */
1113 _gnutls_session_sign_algo_enabled (session
,
1114 peer_certificate_list
1127 _gnutls_copy_certificate_auth_info (info
,
1128 peer_certificate_list
,
1129 peer_certificate_list_size
)) < 0)
1136 _gnutls_check_key_usage (&peer_certificate_list
[0],
1137 gnutls_kx_get (session
))) < 0)
1147 gnutls_free (peer_certificate_list
);
1152 #define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) _gnutls_gcert_deinit(&peer_certificate_list[x])
1153 #ifdef ENABLE_OPENPGP
1155 _gnutls_proc_openpgp_server_certificate (gnutls_session_t session
,
1156 opaque
* data
, size_t data_size
)
1160 cert_auth_info_t info
;
1161 gnutls_certificate_credentials_t cred
;
1162 ssize_t dsize
= data_size
;
1164 gnutls_cert
*peer_certificate_list
= NULL
;
1165 int peer_certificate_list_size
= 0;
1166 gnutls_datum_t tmp
, akey
= { NULL
, 0 };
1167 gnutls_openpgp_keyid_t subkey_id
;
1168 unsigned int subkey_id_set
= 0;
1170 cred
= (gnutls_certificate_credentials_t
)
1171 _gnutls_get_cred (session
->key
, GNUTLS_CRD_CERTIFICATE
, NULL
);
1175 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
1179 _gnutls_auth_info_set (session
, GNUTLS_CRD_CERTIFICATE
,
1180 sizeof (cert_auth_info_st
), 1)) < 0)
1186 info
= _gnutls_get_auth_info (session
);
1188 if (data
== NULL
|| data_size
== 0)
1191 return GNUTLS_E_NO_CERTIFICATE_FOUND
;
1194 DECR_LEN (dsize
, 3);
1195 size
= _gnutls_read_uint24 (p
);
1201 /* no certificate was sent */
1202 return GNUTLS_E_NO_CERTIFICATE_FOUND
;
1205 /* Read PGPKeyDescriptor */
1206 DECR_LEN (dsize
, 1);
1210 /* Try to read the keyid if present */
1211 if (key_type
== PGP_KEY_FINGERPRINT_SUBKEY
|| key_type
== PGP_KEY_SUBKEY
)
1214 if (*p
!= sizeof (subkey_id
))
1217 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE
;
1220 DECR_LEN (dsize
, 1);
1223 DECR_LEN (dsize
, sizeof (subkey_id
));
1224 memcpy (subkey_id
, p
, sizeof (subkey_id
));
1225 p
+= sizeof (subkey_id
);
1231 /* read the actual key or fingerprint */
1232 if (key_type
== PGP_KEY_FINGERPRINT
1233 || key_type
== PGP_KEY_FINGERPRINT_SUBKEY
)
1234 { /* the fingerprint */
1236 DECR_LEN (dsize
, 1);
1237 len
= (uint8_t) * p
;
1243 return GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED
;
1246 DECR_LEN (dsize
, 20);
1248 /* request the actual key from our database, or
1249 * a key server or anything.
1252 _gnutls_openpgp_request_key (session
, &akey
, cred
, p
, 20)) < 0)
1258 peer_certificate_list_size
++;
1261 else if (key_type
== PGP_KEY
|| key_type
== PGP_KEY_SUBKEY
)
1262 { /* the whole key */
1264 /* Read the actual certificate */
1265 DECR_LEN (dsize
, 3);
1266 len
= _gnutls_read_uint24 (p
);
1272 /* no certificate was sent */
1273 return GNUTLS_E_NO_CERTIFICATE_FOUND
;
1276 DECR_LEN (dsize
, len
);
1277 peer_certificate_list_size
++;
1286 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE
;
1289 /* ok we now have the peer's key in tmp datum
1292 if (peer_certificate_list_size
== 0)
1295 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
1298 peer_certificate_list
=
1299 gnutls_malloc (sizeof (gnutls_cert
) * (peer_certificate_list_size
));
1300 if (peer_certificate_list
== NULL
)
1303 ret
= GNUTLS_E_MEMORY_ERROR
;
1306 memset (peer_certificate_list
, 0, sizeof (gnutls_cert
) *
1307 peer_certificate_list_size
);
1310 _gnutls_openpgp_raw_crt_to_gcert (&peer_certificate_list
[0],
1312 subkey_id_set
? subkey_id
: NULL
)) <
1320 _gnutls_copy_certificate_auth_info (info
,
1321 peer_certificate_list
,
1322 peer_certificate_list_size
)) < 0)
1329 _gnutls_check_key_usage (&peer_certificate_list
[0],
1330 gnutls_kx_get (session
))) < 0)
1340 _gnutls_free_datum (&akey
);
1342 gnutls_free (peer_certificate_list
);
1349 _gnutls_proc_cert_server_certificate (gnutls_session_t session
,
1350 opaque
* data
, size_t data_size
)
1353 gnutls_certificate_credentials_t cred
;
1356 (gnutls_certificate_credentials_t
) _gnutls_get_cred (session
->key
,
1357 GNUTLS_CRD_CERTIFICATE
,
1362 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
1365 switch (session
->security_parameters
.cert_type
)
1367 #ifdef ENABLE_OPENPGP
1368 case GNUTLS_CRT_OPENPGP
:
1369 ret
= _gnutls_proc_openpgp_server_certificate (session
,
1373 case GNUTLS_CRT_X509
:
1374 ret
= _gnutls_proc_x509_server_certificate (session
, data
, data_size
);
1378 return GNUTLS_E_INTERNAL_ERROR
;
1381 if (ret
== 0 && cred
->verify_callback
!= NULL
)
1383 ret
= cred
->verify_callback (session
);
1385 ret
= GNUTLS_E_CERTIFICATE_ERROR
;
1391 #define MAX_SIGN_ALGOS 2
1392 typedef enum CertificateSigType
1393 { RSA_SIGN
= 1, DSA_SIGN
1394 } CertificateSigType
;
1396 /* Checks if we support the given signature algorithm
1397 * (RSA or DSA). Returns the corresponding gnutls_pk_algorithm_t
1401 _gnutls_check_supported_sign_algo (CertificateSigType algo
)
1406 return GNUTLS_PK_RSA
;
1408 return GNUTLS_PK_DSA
;
1415 _gnutls_proc_cert_cert_req (gnutls_session_t session
, opaque
* data
,
1420 gnutls_certificate_credentials_t cred
;
1423 gnutls_pk_algorithm_t pk_algos
[MAX_SIGN_ALGOS
];
1424 int pk_algos_length
;
1425 gnutls_protocol_t ver
= gnutls_protocol_get_version (session
);
1427 cred
= (gnutls_certificate_credentials_t
)
1428 _gnutls_get_cred (session
->key
, GNUTLS_CRD_CERTIFICATE
, NULL
);
1432 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
1436 _gnutls_auth_info_set (session
, GNUTLS_CRD_CERTIFICATE
,
1437 sizeof (cert_auth_info_st
), 0)) < 0)
1446 DECR_LEN (dsize
, 1);
1449 /* check if the sign algorithm is supported.
1451 pk_algos_length
= j
= 0;
1452 for (i
= 0; i
< size
; i
++, p
++)
1454 DECR_LEN (dsize
, 1);
1455 if ((ret
= _gnutls_check_supported_sign_algo (*p
)) > 0)
1457 if (j
< MAX_SIGN_ALGOS
)
1459 pk_algos
[j
++] = ret
;
1465 if (pk_algos_length
== 0)
1468 return GNUTLS_E_UNKNOWN_PK_ALGORITHM
;
1471 if (_gnutls_version_has_selectable_sighash (ver
))
1473 /* read supported hashes */
1475 DECR_LEN (dsize
, 2);
1476 hash_num
= _gnutls_read_uint16 (p
);
1478 DECR_LEN (dsize
, hash_num
);
1480 ret
= _gnutls_sign_algorithm_parse_data (session
, p
, hash_num
);
1490 /* read the certificate authorities */
1491 DECR_LEN (dsize
, 2);
1492 size
= _gnutls_read_uint16 (p
);
1495 if (session
->security_parameters
.cert_type
== GNUTLS_CRT_OPENPGP
1499 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
1502 DECR_LEN (dsize
, size
);
1504 /* now we ask the user to tell which one
1508 _select_client_cert (session
, p
, size
, pk_algos
, pk_algos_length
)) < 0)
1514 /* We should reply with a certificate message,
1515 * even if we have no certificate to send.
1517 session
->key
->certificate_requested
= 1;
1523 _gnutls_gen_cert_client_cert_vrfy (gnutls_session_t session
, gnutls_buffer_st
* data
)
1526 gnutls_cert
*apr_cert_list
;
1527 gnutls_privkey_t apr_pkey
;
1528 int apr_cert_list_length
;
1529 gnutls_datum_t signature
= { NULL
, 0 };
1531 gnutls_sign_algorithm_t sign_algo
;
1532 gnutls_protocol_t ver
= gnutls_protocol_get_version (session
);
1534 /* find the appropriate certificate */
1536 _gnutls_get_selected_cert (session
, &apr_cert_list
,
1537 &apr_cert_list_length
, &apr_pkey
)) < 0)
1543 if (apr_cert_list_length
> 0)
1546 _gnutls_handshake_sign_cert_vrfy (session
,
1548 apr_pkey
, &signature
)) < 0)
1560 total_data
= signature
.size
+ 2;
1562 /* add hash and signature algorithms */
1563 if (_gnutls_version_has_selectable_sighash (ver
))
1568 if (_gnutls_version_has_selectable_sighash (ver
))
1570 const sign_algorithm_st
*aid
;
1572 /* error checking is not needed here since we have used those algorithms */
1573 aid
= _gnutls_sign_to_tls_aid (sign_algo
);
1575 return gnutls_assert_val(GNUTLS_E_UNKNOWN_ALGORITHM
);
1577 p
[0] = aid
->hash_algorithm
;
1578 p
[1] = aid
->sign_algorithm
;
1579 ret
= _gnutls_buffer_append_data(data
, p
, 2);
1587 ret
= _gnutls_buffer_append_data_prefix(data
, 16, signature
.data
, signature
.size
);
1594 return data
->length
;
1597 _gnutls_free_datum (&signature
);
1602 _gnutls_proc_cert_client_cert_vrfy (gnutls_session_t session
,
1603 opaque
* data
, size_t data_size
)
1606 ssize_t dsize
= data_size
;
1607 opaque
*pdata
= data
;
1609 cert_auth_info_t info
= _gnutls_get_auth_info (session
);
1610 gnutls_cert peer_cert
;
1611 gnutls_sign_algorithm_t sign_algo
= GNUTLS_SIGN_UNKNOWN
;
1612 gnutls_protocol_t ver
= gnutls_protocol_get_version (session
);
1614 if (info
== NULL
|| info
->ncerts
== 0)
1617 /* we need this in order to get peer's certificate */
1618 return GNUTLS_E_INTERNAL_ERROR
;
1621 if (_gnutls_version_has_selectable_sighash (ver
))
1623 sign_algorithm_st aid
;
1625 DECR_LEN (dsize
, 2);
1626 aid
.hash_algorithm
= pdata
[0];
1627 aid
.sign_algorithm
= pdata
[1];
1629 sign_algo
= _gnutls_tls_aid_to_sign (&aid
);
1630 if (sign_algo
== GNUTLS_PK_UNKNOWN
)
1633 return GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM
;
1638 ret
= _gnutls_session_sign_algo_enabled (session
, sign_algo
);
1642 return GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM
;
1645 DECR_LEN (dsize
, 2);
1646 size
= _gnutls_read_uint16 (pdata
);
1649 DECR_LEN (dsize
, size
);
1654 ret
= _gnutls_get_auth_info_gcert (&peer_cert
,
1655 session
->security_parameters
.cert_type
,
1656 info
, CERT_NO_COPY
);
1665 _gnutls_handshake_verify_cert_vrfy (session
, &peer_cert
, &sig
,
1669 _gnutls_gcert_deinit (&peer_cert
);
1672 _gnutls_gcert_deinit (&peer_cert
);
1677 #define CERTTYPE_SIZE 3
1679 _gnutls_gen_cert_server_cert_req (gnutls_session_t session
, gnutls_buffer_st
* data
)
1681 gnutls_certificate_credentials_t cred
;
1683 uint8_t tmp_data
[CERTTYPE_SIZE
];
1684 gnutls_protocol_t ver
= gnutls_protocol_get_version (session
);
1686 /* Now we need to generate the RDN sequence. This is
1687 * already in the CERTIFICATE_CRED structure, to improve
1691 cred
= (gnutls_certificate_credentials_t
)
1692 _gnutls_get_cred (session
->key
, GNUTLS_CRD_CERTIFICATE
, NULL
);
1696 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
1699 size
= CERTTYPE_SIZE
+ 2; /* 2 for gnutls_certificate_type_t + 2 for size of rdn_seq
1702 if (session
->security_parameters
.cert_type
== GNUTLS_CRT_X509
&&
1703 session
->internals
.ignore_rdn_sequence
== 0)
1704 size
+= cred
->x509_rdn_sequence
.size
;
1706 if (_gnutls_version_has_selectable_sighash (ver
))
1707 /* Need two bytes to announce the number of supported hash
1708 functions (see below). */
1709 size
+= MAX_SIGN_ALGO_SIZE
;
1711 tmp_data
[0] = CERTTYPE_SIZE
- 1;
1712 tmp_data
[1] = RSA_SIGN
;
1713 tmp_data
[2] = DSA_SIGN
; /* only these for now */
1715 ret
= _gnutls_buffer_append_data( data
, tmp_data
, CERTTYPE_SIZE
);
1717 return gnutls_assert_val(ret
);
1719 if (_gnutls_version_has_selectable_sighash (ver
))
1721 uint8_t p
[MAX_SIGN_ALGO_SIZE
];
1724 _gnutls_sign_algorithm_write_params (session
, p
, MAX_SIGN_ALGO_SIZE
);
1731 /* recalculate size */
1732 size
-= MAX_SIGN_ALGO_SIZE
+ ret
;
1734 ret
= _gnutls_buffer_append_data( data
, p
, ret
);
1736 return gnutls_assert_val(ret
);
1739 if (session
->security_parameters
.cert_type
== GNUTLS_CRT_X509
&&
1740 session
->internals
.ignore_rdn_sequence
== 0)
1742 ret
= _gnutls_buffer_append_data_prefix( data
, 16, cred
->x509_rdn_sequence
.data
,
1743 cred
->x509_rdn_sequence
.size
);
1745 return gnutls_assert_val(ret
);
1749 ret
= _gnutls_buffer_append_prefix( data
, 16, 0);
1751 return gnutls_assert_val(ret
);
1754 return data
->length
;
1758 /* This function will return the appropriate certificate to use.
1759 * Fills in the apr_cert_list, apr_cert_list_length and apr_pkey.
1760 * The return value is a negative value on error.
1762 * It is normal to return 0 with no certificates in client side.
1766 _gnutls_get_selected_cert (gnutls_session_t session
,
1767 gnutls_cert
** apr_cert_list
,
1768 int *apr_cert_list_length
,
1769 gnutls_privkey_t
* apr_pkey
)
1771 if (session
->security_parameters
.entity
== GNUTLS_SERVER
)
1774 /* select_client_cert() has been called before.
1777 *apr_cert_list
= session
->internals
.selected_cert_list
;
1778 *apr_pkey
= session
->internals
.selected_key
;
1779 *apr_cert_list_length
= session
->internals
.selected_cert_list_length
;
1781 if (*apr_cert_list_length
== 0 || *apr_cert_list
== NULL
)
1784 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
1792 /* we have already decided which certificate
1795 *apr_cert_list
= session
->internals
.selected_cert_list
;
1796 *apr_cert_list_length
= session
->internals
.selected_cert_list_length
;
1797 *apr_pkey
= session
->internals
.selected_key
;
1804 /* converts the given x509 certificate to gnutls_cert* and allocates
1807 static gnutls_cert
*
1808 alloc_and_load_x509_certs (gnutls_x509_crt_t
* certs
, unsigned ncerts
)
1810 gnutls_cert
*local_certs
;
1817 local_certs
= gnutls_malloc (sizeof (gnutls_cert
) * ncerts
);
1818 if (local_certs
== NULL
)
1824 for (i
= 0; i
< ncerts
; i
++)
1826 ret
= _gnutls_x509_crt_to_gcert (&local_certs
[i
], certs
[i
], 0);
1834 for (j
= 0; j
< i
; j
++)
1836 _gnutls_gcert_deinit (&local_certs
[j
]);
1838 gnutls_free (local_certs
);
1845 /* converts the given x509 key to gnutls_privkey* and allocates
1848 static gnutls_privkey_t
1849 alloc_and_load_x509_key (gnutls_x509_privkey_t key
, int deinit
)
1851 gnutls_privkey_t local_key
;
1857 ret
= gnutls_privkey_init (&local_key
);
1865 gnutls_privkey_import_x509 (local_key
, key
,
1866 deinit
? GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE
:
1871 gnutls_privkey_deinit (local_key
);
1878 /* converts the given pgp certificate to gnutls_cert* and allocates
1881 #ifdef ENABLE_OPENPGP
1882 static gnutls_cert
*
1883 alloc_and_load_pgp_certs (gnutls_openpgp_crt_t cert
)
1885 gnutls_cert
*local_certs
;
1891 local_certs
= gnutls_malloc (sizeof (gnutls_cert
));
1892 if (local_certs
== NULL
)
1898 ret
= _gnutls_openpgp_crt_to_gcert (local_certs
, cert
);
1908 _gnutls_gcert_deinit (local_certs
);
1909 gnutls_free (local_certs
);
1914 gnutls_openpgp_crt_get_preferred_key_id (cert
, local_certs
->subkey_id
);
1916 local_certs
->use_subkey
= 0;
1918 local_certs
->use_subkey
= 1;
1923 /* converts the given raw key to gnutls_privkey* and allocates
1926 static gnutls_privkey_t
1927 alloc_and_load_pgp_key (gnutls_openpgp_privkey_t key
, int deinit
)
1929 gnutls_privkey_t local_key
;
1935 ret
= gnutls_privkey_init (&local_key
);
1943 gnutls_privkey_import_openpgp (local_key
, key
,
1944 deinit
? GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE
1949 gnutls_privkey_deinit (local_key
);
1957 /* converts the given raw key to gnutls_privkey* and allocates
1960 static gnutls_privkey_t
1961 alloc_and_load_pkcs11_key (gnutls_pkcs11_privkey_t key
, int deinit
)
1963 gnutls_privkey_t local_key
;
1969 ret
= gnutls_privkey_init (&local_key
);
1977 gnutls_privkey_import_pkcs11 (local_key
, key
,
1978 deinit
? GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE
1983 gnutls_privkey_deinit (local_key
);
1991 _gnutls_selected_certs_deinit (gnutls_session_t session
)
1993 if (session
->internals
.selected_need_free
!= 0)
1997 for (i
= 0; i
< session
->internals
.selected_cert_list_length
; i
++)
1999 _gnutls_gcert_deinit (&session
->internals
.selected_cert_list
[i
]);
2001 gnutls_free (session
->internals
.selected_cert_list
);
2002 session
->internals
.selected_cert_list
= NULL
;
2003 session
->internals
.selected_cert_list_length
= 0;
2005 session
->internals
.selected_key
= NULL
;
2012 _gnutls_selected_certs_set (gnutls_session_t session
,
2013 gnutls_cert
* certs
, int ncerts
,
2014 gnutls_privkey_t key
, int need_free
)
2016 _gnutls_selected_certs_deinit (session
);
2018 session
->internals
.selected_cert_list
= certs
;
2019 session
->internals
.selected_cert_list_length
= ncerts
;
2020 session
->internals
.selected_key
= key
;
2021 session
->internals
.selected_need_free
= need_free
;
2026 /* finds the most appropriate certificate in the cert list.
2027 * The 'appropriate' is defined by the user.
2029 * requested_algo holds the parameters required by the peer (RSA, DSA
2032 * Returns 0 on success and a negative value on error. The
2033 * selected certificate will be in session->internals.selected_*.
2037 _gnutls_server_select_cert (gnutls_session_t session
,
2038 gnutls_pk_algorithm_t requested_algo
)
2042 gnutls_certificate_credentials_t cred
;
2044 cred
= (gnutls_certificate_credentials_t
)
2045 _gnutls_get_cred (session
->key
, GNUTLS_CRD_CERTIFICATE
, NULL
);
2049 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
2052 /* If the callback which retrieves certificate has been set,
2055 if (cred
->server_get_cert_callback
!= NULL
)
2057 ret
= call_get_cert_callback (session
, NULL
, 0, NULL
, 0);
2059 return gnutls_assert_val(ret
);
2065 idx
= -1; /* default is use no certificate */
2067 _gnutls_handshake_log("HSK[%p]: Requested PK algorithm: %s (%d) -- ctype: %s (%d)\n", session
,
2068 gnutls_pk_get_name(requested_algo
), requested_algo
,
2069 gnutls_certificate_type_get_name(session
->security_parameters
.cert_type
), session
->security_parameters
.cert_type
);
2071 for (i
= 0; i
< cred
->ncerts
; i
++)
2073 /* find one compatible certificate
2075 _gnutls_handshake_log("HSK[%p]: certificate[%d] PK algorithm: %s (%d) - ctype: %s (%d) - sig: %s (%d)\n", session
, i
,
2076 gnutls_pk_get_name(cred
->cert_list
[i
][0].subject_pk_algorithm
), cred
->cert_list
[i
][0].subject_pk_algorithm
,
2077 gnutls_certificate_type_get_name(cred
->cert_list
[i
][0].cert_type
), cred
->cert_list
[i
][0].cert_type
,
2078 gnutls_sign_get_name(cred
->cert_list
[i
][0].sign_algo
), cred
->cert_list
[i
][0].sign_algo
);
2080 if (requested_algo
== GNUTLS_PK_ANY
||
2081 requested_algo
== cred
->cert_list
[i
][0].subject_pk_algorithm
)
2083 /* if cert type and signature algorithm matches
2086 if (session
->security_parameters
.cert_type
2087 == cred
->cert_list
[i
][0].cert_type
2088 && (cred
->cert_list
[i
][0].cert_type
== GNUTLS_CRT_OPENPGP
2089 || /* FIXME: make this a check for certificate
2090 type capabilities */
2091 _gnutls_session_sign_algo_requested
2092 (session
, cred
->cert_list
[i
][0].sign_algo
) == 0))
2101 /* store the certificate pointer for future use, in the handshake.
2102 * (This will allow not calling this callback again.)
2106 _gnutls_selected_certs_set (session
,
2107 &cred
->cert_list
[idx
][0],
2108 cred
->cert_list_length
[idx
],
2109 cred
->pkey
[idx
], 0);
2114 /* Certificate does not support REQUESTED_ALGO. */
2115 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
2121 /* Frees the rsa_info_st structure.
2124 _gnutls_free_rsa_info (rsa_info_st
* rsa
)
2126 _gnutls_free_datum (&rsa
->modulus
);
2127 _gnutls_free_datum (&rsa
->exponent
);