search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add announcement message.
[gnutls.git] / libextra / openssl_compat.c
blobac7a2db8185b168bdbb5e9fe414e04a1cd4ac305
1 /*
2 * Copyright (C) 2002, 2003, 2004, 2005, 2007, 2008, 2010 Free Software
3 * Foundation, Inc.
4 *
5 * Author: Nikos Mavrogiannopoulos
6 *
7 * This file is part of GNUTLS-EXTRA.
8 *
9 * GNUTLS-EXTRA is free software: you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation, either version 3 of the License, or
12 * (at your option) any later version.
13 *
14 * GNUTLS-EXTRA is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 /* This file includes all functions that were in the 0.5.x and 0.8.x
24 * gnutls API. They are now implemented over the new certificate parsing
25 * API.
26 */
27
28 #include "gnutls_int.h"
29
30 #include <gnutls_global.h>
31 #include <gnutls_errors.h>
32 #include <string.h> /* memset */
33 #include <x509/x509_int.h>
34 #include <libtasn1.h>
35 #include <gnutls/x509.h>
36 #include <openssl_compat.h>
37
38 /*-
39 * gnutls_x509_extract_dn - This function parses an RDN sequence
40 * @idn: should contain a DER encoded RDN sequence
41 * @rdn: a pointer to a structure to hold the name
42 *
43 * This function will return the name of the given RDN sequence.
44 * The name will be returned as a gnutls_x509_dn structure.
45 * Returns a negative error code in case of an error.
46 *
47 -*/
48 int
49 gnutls_x509_extract_dn (const gnutls_datum_t * idn, gnutls_x509_dn * rdn)
50 {
51 ASN1_TYPE dn = ASN1_TYPE_EMPTY;
52 int result;
53 size_t len;
54
55 if ((result =
56 asn1_create_element (_gnutls_get_pkix (),
57 "PKIX1.Name", &dn)) != ASN1_SUCCESS)
58 {
59 return _gnutls_asn2err (result);
60 }
61
62 result = asn1_der_decoding (&dn, idn->data, idn->size, NULL);
63 if (result != ASN1_SUCCESS)
64 {
65 /* couldn't decode DER */
66 asn1_delete_structure (&dn);
67 return _gnutls_asn2err (result);
68 }
69
70 memset (rdn, 0, sizeof (gnutls_x509_dn));
71
72 len = sizeof (rdn->country);
73 _gnutls_x509_parse_dn_oid (dn, "", GNUTLS_OID_X520_COUNTRY_NAME, 0, 0,
74 rdn->country, &len);
75
76 len = sizeof (rdn->organization);
77 _gnutls_x509_parse_dn_oid (dn, "", GNUTLS_OID_X520_ORGANIZATION_NAME, 0,
78 0, rdn->organization, &len);
79
80 len = sizeof (rdn->organizational_unit_name);
81 _gnutls_x509_parse_dn_oid (dn, "",
82 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0,
83 0, rdn->organizational_unit_name, &len);
84
85 len = sizeof (rdn->common_name);
86 _gnutls_x509_parse_dn_oid (dn, "", GNUTLS_OID_X520_COMMON_NAME, 0, 0,
87 rdn->common_name, &len);
88
89 len = sizeof (rdn->locality_name);
90 _gnutls_x509_parse_dn_oid (dn, "", GNUTLS_OID_X520_LOCALITY_NAME, 0, 0,
91 rdn->locality_name, &len);
92
93 len = sizeof (rdn->state_or_province_name);
94 _gnutls_x509_parse_dn_oid (dn, "",
95 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0, 0,
96 rdn->state_or_province_name, &len);
97
98 len = sizeof (rdn->email);
99 _gnutls_x509_parse_dn_oid (dn, "", GNUTLS_OID_PKCS9_EMAIL, 0, 0,
100 rdn->email, &len);
101
102 asn1_delete_structure (&dn);
103
104 return 0;
105 }
106
107 /*-
108 * gnutls_x509_extract_certificate_dn - This function returns the certificate's distinguished name
109 * @cert: should contain an X.509 DER encoded certificate
110 * @ret: a pointer to a structure to hold the peer's name
111 *
112 * This function will return the name of the certificate holder. The name is gnutls_x509_dn structure and
113 * is a obtained by the peer's certificate. If the certificate send by the
114 * peer is invalid, or in any other failure this function returns error.
115 * Returns a negative error code in case of an error.
116 *
117 -*/
118 int
119 gnutls_x509_extract_certificate_dn (const gnutls_datum_t * cert,
120 gnutls_x509_dn * ret)
121 {
122 gnutls_x509_crt_t xcert;
123 int result;
124 size_t len;
125
126 result = gnutls_x509_crt_init (&xcert);
127 if (result < 0)
128 return result;
129
130 result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
131 if (result < 0)
132 {
133 gnutls_x509_crt_deinit (xcert);
134 return result;
135 }
136
137 len = sizeof (ret->country);
138 gnutls_x509_crt_get_dn_by_oid (xcert, GNUTLS_OID_X520_COUNTRY_NAME, 0,
139 0, ret->country, &len);
140
141 len = sizeof (ret->organization);
142 gnutls_x509_crt_get_dn_by_oid (xcert, GNUTLS_OID_X520_ORGANIZATION_NAME,
143 0, 0, ret->organization, &len);
144
145 len = sizeof (ret->organizational_unit_name);
146 gnutls_x509_crt_get_dn_by_oid (xcert,
147 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
148 0, 0, ret->organizational_unit_name, &len);
149
150 len = sizeof (ret->common_name);
151 gnutls_x509_crt_get_dn_by_oid (xcert, GNUTLS_OID_X520_COMMON_NAME, 0, 0,
152 ret->common_name, &len);
153
154 len = sizeof (ret->locality_name);
155 gnutls_x509_crt_get_dn_by_oid (xcert, GNUTLS_OID_X520_LOCALITY_NAME, 0,
156 0, ret->locality_name, &len);
157
158 len = sizeof (ret->state_or_province_name);
159 gnutls_x509_crt_get_dn_by_oid (xcert,
160 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME,
161 0, 0, ret->state_or_province_name, &len);
162
163 len = sizeof (ret->email);
164 gnutls_x509_crt_get_dn_by_oid (xcert, GNUTLS_OID_PKCS9_EMAIL, 0, 0,
165 ret->email, &len);
166
167 gnutls_x509_crt_deinit (xcert);
168
169 return 0;
170 }
171
172 /*-
173 * gnutls_x509_extract_certificate_issuer_dn - This function returns the certificate's issuer distinguished name
174 * @cert: should contain an X.509 DER encoded certificate
175 * @ret: a pointer to a structure to hold the issuer's name
176 *
177 * This function will return the name of the issuer stated in the certificate. The name is a gnutls_x509_dn structure and
178 * is a obtained by the peer's certificate. If the certificate send by the
179 * peer is invalid, or in any other failure this function returns error.
180 * Returns a negative error code in case of an error.
181 *
182 -*/
183 int
184 gnutls_x509_extract_certificate_issuer_dn (const gnutls_datum_t * cert,
185 gnutls_x509_dn * ret)
186 {
187 gnutls_x509_crt_t xcert;
188 int result;
189 size_t len;
190
191 result = gnutls_x509_crt_init (&xcert);
192 if (result < 0)
193 return result;
194
195 result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
196 if (result < 0)
197 {
198 gnutls_x509_crt_deinit (xcert);
199 return result;
200 }
201
202 len = sizeof (ret->country);
203 gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
204 GNUTLS_OID_X520_COUNTRY_NAME, 0,
205 0, ret->country, &len);
206
207 len = sizeof (ret->organization);
208 gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
209 GNUTLS_OID_X520_ORGANIZATION_NAME,
210 0, 0, ret->organization, &len);
211
212 len = sizeof (ret->organizational_unit_name);
213 gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
214 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
215 0, 0,
216 ret->organizational_unit_name, &len);
217
218 len = sizeof (ret->common_name);
219 gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
220 GNUTLS_OID_X520_COMMON_NAME, 0, 0,
221 ret->common_name, &len);
222
223 len = sizeof (ret->locality_name);
224 gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
225 GNUTLS_OID_X520_LOCALITY_NAME, 0,
226 0, ret->locality_name, &len);
227
228 len = sizeof (ret->state_or_province_name);
229 gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
230 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME,
231 0, 0, ret->state_or_province_name,
232 &len);
233
234 len = sizeof (ret->email);
235 gnutls_x509_crt_get_issuer_dn_by_oid (xcert, GNUTLS_OID_PKCS9_EMAIL, 0,
236 0, ret->email, &len);
237
238 gnutls_x509_crt_deinit (xcert);
239
240 return 0;
241 }
242
243
244 /*-
245 * gnutls_x509_extract_certificate_subject_alt_name - This function returns the certificate's alternative name, if any
246 * @cert: should contain an X.509 DER encoded certificate
247 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
248 * @ret: is the place where the alternative name will be copied to
249 * @ret_size: holds the size of ret.
250 *
251 * This function will return the alternative names, contained in the
252 * given certificate.
253 *
254 * This is specified in X509v3 Certificate Extensions.
255 * GNUTLS will return the Alternative name, or a negative
256 * error code.
257 * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if ret_size is not enough to hold the alternative
258 * name, or the type of alternative name if everything was ok. The type is
259 * one of the enumerated GNUTLS_X509_SUBJECT_ALT_NAME.
260 *
261 * If the certificate does not have an Alternative name with the specified
262 * sequence number then returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
263 *
264 -*/
265 int
266 gnutls_x509_extract_certificate_subject_alt_name (const gnutls_datum_t *
267 cert, int seq,
268 char *ret, int *ret_size)
269 {
270 gnutls_x509_crt_t xcert;
271 int result;
272 size_t size = *ret_size;
273
274 result = gnutls_x509_crt_init (&xcert);
275 if (result < 0)
276 return result;
277
278 result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
279 if (result < 0)
280 {
281 gnutls_x509_crt_deinit (xcert);
282 return result;
283 }
284
285 result =
286 gnutls_x509_crt_get_subject_alt_name (xcert, seq, ret, &size, NULL);
287 *ret_size = size;
288
289 gnutls_x509_crt_deinit (xcert);
290
291 return result;
292 }
293
294 /*-
295 * gnutls_x509_extract_certificate_ca_status - This function returns the certificate CA status
296 * @cert: should contain an X.509 DER encoded certificate
297 *
298 * This function will return certificates CA status, by reading the
299 * basicConstraints X.509 extension. If the certificate is a CA a positive
300 * value will be returned, or zero if the certificate does not have
301 * CA flag set.
302 *
303 * A negative value may be returned in case of parsing error.
304 * If the certificate does not contain the basicConstraints extension
305 * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
306 *
307 -*/
308 int
309 gnutls_x509_extract_certificate_ca_status (const gnutls_datum_t * cert)
310 {
311 gnutls_x509_crt_t xcert;
312 int result;
313
314 result = gnutls_x509_crt_init (&xcert);
315 if (result < 0)
316 return result;
317
318 result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
319 if (result < 0)
320 {
321 gnutls_x509_crt_deinit (xcert);
322 return result;
323 }
324
325 result = gnutls_x509_crt_get_ca_status (xcert, NULL);
326
327 gnutls_x509_crt_deinit (xcert);
328
329 return result;
330 }
331
332 /*-
333 * gnutls_x509_extract_certificate_activation_time - This function returns the peer's certificate activation time
334 * @cert: should contain an X.509 DER encoded certificate
335 *
336 * This function will return the certificate's activation time in UNIX time
337 * (ie seconds since 00:00:00 UTC January 1, 1970).
338 * Returns a (time_t) -1 in case of an error.
339 *
340 -*/
341 time_t
342 gnutls_x509_extract_certificate_activation_time (const gnutls_datum_t * cert)
343 {
344 gnutls_x509_crt_t xcert;
345 time_t result;
346
347 result = gnutls_x509_crt_init (&xcert);
348 if (result < 0)
349 return result;
350
351 result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
352 if (result < 0)
353 {
354 gnutls_x509_crt_deinit (xcert);
355 return result;
356 }
357
358 result = gnutls_x509_crt_get_activation_time (xcert);
359
360 gnutls_x509_crt_deinit (xcert);
361
362 return result;
363 }
364
365 /*-
366 * gnutls_x509_extract_certificate_expiration_time - This function returns the certificate's expiration time
367 * @cert: should contain an X.509 DER encoded certificate
368 *
369 * This function will return the certificate's expiration time in UNIX time
370 * (ie seconds since 00:00:00 UTC January 1, 1970).
371 * Returns a (time_t) -1 in case of an error.
372 *
373 -*/
374 time_t
375 gnutls_x509_extract_certificate_expiration_time (const gnutls_datum_t * cert)
376 {
377 gnutls_x509_crt_t xcert;
378 time_t result;
379
380 result = gnutls_x509_crt_init (&xcert);
381 if (result < 0)
382 return result;
383
384 result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
385 if (result < 0)
386 {
387 gnutls_x509_crt_deinit (xcert);
388 return result;
389 }
390
391 result = gnutls_x509_crt_get_expiration_time (xcert);
392
393 gnutls_x509_crt_deinit (xcert);
394
395 return result;
396 }
397
398 /*-
399 * gnutls_x509_extract_certificate_version - This function returns the certificate's version
400 * @cert: is an X.509 DER encoded certificate
401 *
402 * This function will return the X.509 certificate's version (1, 2, 3). This is obtained by the X509 Certificate
403 * Version field. Returns a negative value in case of an error.
404 *
405 -*/
406 int
407 gnutls_x509_extract_certificate_version (const gnutls_datum_t * cert)
408 {
409 gnutls_x509_crt_t xcert;
410 int result;
411
412 result = gnutls_x509_crt_init (&xcert);
413 if (result < 0)
414 return result;
415
416 result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
417 if (result < 0)
418 {
419 gnutls_x509_crt_deinit (xcert);
420 return result;
421 }
422
423 result = gnutls_x509_crt_get_version (xcert);
424
425 gnutls_x509_crt_deinit (xcert);
426
427 return result;
428
429 }
430
431 /*-
432 * gnutls_x509_extract_certificate_serial - This function returns the certificate's serial number
433 * @cert: is an X.509 DER encoded certificate
434 * @result: The place where the serial number will be copied
435 * @result_size: Holds the size of the result field.
436 *
437 * This function will return the X.509 certificate's serial number.
438 * This is obtained by the X509 Certificate serialNumber
439 * field. Serial is not always a 32 or 64bit number. Some CAs use
440 * large serial numbers, thus it may be wise to handle it as something
441 * opaque.
442 * Returns a negative value in case of an error.
443 *
444 -*/
445 int
446 gnutls_x509_extract_certificate_serial (const gnutls_datum_t * cert,
447 char *result, int *result_size)
448 {
449 gnutls_x509_crt_t xcert;
450 size_t size = *result_size;
451 int ret;
452
453 ret = gnutls_x509_crt_init (&xcert);
454 if (ret < 0)
455 return ret;
456
457 ret = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
458 if (ret < 0)
459 {
460 gnutls_x509_crt_deinit (xcert);
461 return ret;
462 }
463
464 ret = gnutls_x509_crt_get_serial (xcert, result, &size);
465 *result_size = size;
466
467 gnutls_x509_crt_deinit (xcert);
468
469 return ret;
470 }
471
472
473 /*-
474 * gnutls_x509_extract_certificate_pk_algorithm - This function returns the certificate's PublicKey algorithm
475 * @cert: is a DER encoded X.509 certificate
476 * @bits: if bits is non null it will hold the size of the parameters' in bits
477 *
478 * This function will return the public key algorithm of an X.509
479 * certificate.
480 *
481 * If bits is non null, it should have enough size to hold the parameters
482 * size in bits. For RSA the bits returned is the modulus.
483 * For DSA the bits returned are of the public
484 * exponent.
485 *
486 * Returns a member of the gnutls_pk_algorithm_t enumeration on success,
487 * or a negative value on error.
488 *
489 -*/
490 int
491 gnutls_x509_extract_certificate_pk_algorithm (const gnutls_datum_t *
492 cert, int *bits)
493 {
494 gnutls_x509_crt_t xcert;
495 int result;
496
497 result = gnutls_x509_crt_init (&xcert);
498 if (result < 0)
499 return result;
500
501 result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
502 if (result < 0)
503 {
504 gnutls_x509_crt_deinit (xcert);
505 return result;
506 }
507
508 result = gnutls_x509_crt_get_pk_algorithm (xcert, bits);
509
510 gnutls_x509_crt_deinit (xcert);
511
512 return result;
513 }
514
515
516 /*-
517 * gnutls_x509_extract_certificate_dn_string - This function returns the certificate's distinguished name
518 * @cert: should contain an X.509 DER encoded certificate
519 * @buf: a pointer to a structure to hold the peer's name
520 * @sizeof_buf: holds the size of 'buf'
521 * @issuer: if non zero, then extract the name of the issuer, instead of the holder
522 *
523 * This function will copy the name of the certificate holder in the provided buffer. The name
524 * will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253.
525 *
526 * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough,
527 * and 0 on success.
528 *
529 -*/
530 int
531 gnutls_x509_extract_certificate_dn_string (char *buf,
532 unsigned int sizeof_buf,
533 const gnutls_datum_t * cert,
534 int issuer)
535 {
536 gnutls_x509_crt_t xcert;
537 int result;
538 size_t size;
539
540 result = gnutls_x509_crt_init (&xcert);
541 if (result < 0)
542 return result;
543
544 result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
545 if (result < 0)
546 {
547 gnutls_x509_crt_deinit (xcert);
548 return result;
549 }
550
551 size = sizeof_buf;
552 if (!issuer)
553 result = gnutls_x509_crt_get_dn (xcert, buf, &size);
554 else
555 result = gnutls_x509_crt_get_issuer_dn (xcert, buf, &size);
556
557 gnutls_x509_crt_deinit (xcert);
558
559 return result;
560 }
561
562 /*-
563 * gnutls_x509_verify_certificate - This function verifies given certificate list
564 * @cert_list: is the certificate list to be verified
565 * @cert_list_length: holds the number of certificate in cert_list
566 * @CA_list: is the CA list which will be used in verification
567 * @CA_list_length: holds the number of CA certificate in CA_list
568 * @CRL_list: not used
569 * @CRL_list_length: not used
570 *
571 * This function will try to verify the given certificate list and return its status (TRUSTED, EXPIRED etc.).
572 * The return value (status) should be one or more of the gnutls_certificate_status_t
573 * enumerated elements bitwise or'd. Note that expiration and activation dates are not checked
574 * by this function, you should check them using the appropriate functions.
575 *
576 * This function understands the basicConstraints (2.5.29.19) PKIX extension.
577 * This means that only a certificate authority can sign a certificate.
578 *
579 * However you must also check the peer's name in order to check if the verified certificate belongs to the
580 * actual peer.
581 *
582 * The return value (status) should be one or more of the gnutls_certificate_status_t
583 * enumerated elements bitwise or'd.
584 *
585 * GNUTLS_CERT_INVALID: the peer's certificate is not valid.
586 *
587 * GNUTLS_CERT_REVOKED: the certificate has been revoked.
588 *
589 * A negative error code is returned in case of an error.
590 * GNUTLS_E_NO_CERTIFICATE_FOUND is returned to indicate that
591 * no certificate was sent by the peer.
592 *
593 *
594 -*/
595 int
596 gnutls_x509_verify_certificate (const gnutls_datum_t * cert_list,
597 int cert_list_length,
598 const gnutls_datum_t * CA_list,
599 int CA_list_length,
600 const gnutls_datum_t * CRL_list,
601 int CRL_list_length)
602 {
603 unsigned int verify;
604 gnutls_x509_crt_t *peer_certificate_list = NULL;
605 gnutls_x509_crt_t *ca_certificate_list = NULL;
606 gnutls_x509_crl_t *crl_list = NULL;
607 int peer_certificate_list_size = 0, i, x, ret;
608 int ca_certificate_list_size = 0, crl_list_size = 0;
609
610 if (cert_list == NULL || cert_list_length == 0)
611 return GNUTLS_E_NO_CERTIFICATE_FOUND;
612
613 /* generate a list of gnutls_certs based on the auth info
614 * raw certs.
615 */
616 peer_certificate_list_size = cert_list_length;
617 peer_certificate_list =
618 gnutls_calloc (peer_certificate_list_size, sizeof (gnutls_x509_crt_t));
619 if (peer_certificate_list == NULL)
620 {
621 gnutls_assert ();
622 ret = GNUTLS_E_MEMORY_ERROR;
623 goto cleanup;
624 }
625
626 ca_certificate_list_size = CA_list_length;
627 ca_certificate_list =
628 gnutls_calloc (ca_certificate_list_size, sizeof (gnutls_x509_crt_t));
629 if (ca_certificate_list == NULL)
630 {
631 gnutls_assert ();
632 ret = GNUTLS_E_MEMORY_ERROR;
633 goto cleanup;
634 }
635
636 /* allocate memory for CRL
637 */
638 crl_list_size = CRL_list_length;
639 crl_list = gnutls_calloc (crl_list_size, sizeof (gnutls_x509_crl_t));
640 if (crl_list == NULL)
641 {
642 gnutls_assert ();
643 ret = GNUTLS_E_MEMORY_ERROR;
644 goto cleanup;
645 }
646
647 /* convert certA_list to gnutls_cert* list
648 */
649 for (i = 0; i < peer_certificate_list_size; i++)
650 {
651 ret = gnutls_x509_crt_init (&peer_certificate_list[i]);
652 if (ret < 0)
653 {
654 gnutls_assert ();
655 goto cleanup;
656 }
657
658 ret =
659 gnutls_x509_crt_import (peer_certificate_list[i],
660 &cert_list[i], GNUTLS_X509_FMT_DER);
661 if (ret < 0)
662 {
663 gnutls_assert ();
664 goto cleanup;
665 }
666 }
667
668 /* convert CA_list to gnutls_x509_cert* list
669 */
670 for (i = 0; i < ca_certificate_list_size; i++)
671 {
672 ret = gnutls_x509_crt_init (&ca_certificate_list[i]);
673 if (ret < 0)
674 {
675 gnutls_assert ();
676 goto cleanup;
677 }
678
679 ret =
680 gnutls_x509_crt_import (ca_certificate_list[i],
681 &CA_list[i], GNUTLS_X509_FMT_DER);
682 if (ret < 0)
683 {
684 gnutls_assert ();
685 goto cleanup;
686 }
687 }
688
689 #ifdef ENABLE_PKI
690 /* convert CRL_list to gnutls_x509_crl* list
691 */
692 for (i = 0; i < crl_list_size; i++)
693 {
694 ret = gnutls_x509_crl_init (&crl_list[i]);
695 if (ret < 0)
696 {
697 gnutls_assert ();
698 goto cleanup;
699 }
700
701 ret =
702 gnutls_x509_crl_import (crl_list[i],
703 &CRL_list[i], GNUTLS_X509_FMT_DER);
704 if (ret < 0)
705 {
706 gnutls_assert ();
707 goto cleanup;
708 }
709 }
710 #endif
711
712 /* Verify certificate
713 */
714 ret =
715 gnutls_x509_crt_list_verify (peer_certificate_list,
716 peer_certificate_list_size,
717 ca_certificate_list,
718 ca_certificate_list_size, crl_list,
719 crl_list_size, 0, &verify);
720
721 if (ret < 0)
722 {
723 gnutls_assert ();
724 goto cleanup;
725 }
726
727 ret = verify;
728
729 cleanup:
730
731 if (peer_certificate_list != NULL)
732 for (x = 0; x < peer_certificate_list_size; x++)
733 {
734 if (peer_certificate_list[x] != NULL)
735 gnutls_x509_crt_deinit (peer_certificate_list[x]);
736 }
737
738 if (ca_certificate_list != NULL)
739 for (x = 0; x < ca_certificate_list_size; x++)
740 {
741 if (ca_certificate_list[x] != NULL)
742 gnutls_x509_crt_deinit (ca_certificate_list[x]);
743 }
744 #ifdef ENABLE_PKI
745 if (crl_list != NULL)
746 for (x = 0; x < crl_list_size; x++)
747 {
748 if (crl_list[x] != NULL)
749 gnutls_x509_crl_deinit (crl_list[x]);
750 }
751
752 gnutls_free (crl_list);
753 #endif
754
755 gnutls_free (ca_certificate_list);
756 gnutls_free (peer_certificate_list);
757
758 return ret;
759 }
760
761 /*-
762 * gnutls_x509_extract_key_pk_algorithm - This function returns the keys's PublicKey algorithm
763 * @cert: is a DER encoded private key
764 *
765 * This function will return the public key algorithm of a DER encoded private
766 * key.
767 *
768 * Returns a member of the gnutls_pk_algorithm_t enumeration on success,
769 * or GNUTLS_E_UNKNOWN_PK_ALGORITHM on error.
770 *
771 -*/
772 int
773 gnutls_x509_extract_key_pk_algorithm (const gnutls_datum_t * key)
774 {
775 gnutls_x509_privkey_t pkey;
776 int ret, pk;
777
778 ret = gnutls_x509_privkey_init (&pkey);
779 if (ret < 0)
780 {
781 gnutls_assert ();
782 return ret;
783 }
784
785 ret = gnutls_x509_privkey_import (pkey, key, GNUTLS_X509_FMT_DER);
786 if (ret < 0)
787 {
788 gnutls_assert ();
789 return ret;
790 }
791
792 pk = gnutls_x509_privkey_get_pk_algorithm (pkey);
793
794 gnutls_x509_privkey_deinit (pkey);
795 return pk;
796 }
797
798 #ifdef ENABLE_PKI
799
800 /*-
801 * gnutls_x509_pkcs7_extract_certificate - This function returns a certificate in a PKCS7 certificate set
802 * @pkcs7_struct: should contain a PKCS7 DER formatted structure
803 * @indx: contains the index of the certificate to extract
804 * @certificate: the contents of the certificate will be copied there
805 * @certificate_size: should hold the size of the certificate
806 *
807 * This function will return a certificate of the PKCS7 or RFC2630 certificate set.
808 * Returns 0 on success. If the provided buffer is not long enough,
809 * then GNUTLS_E_SHORT_MEMORY_BUFFER is returned.
810 *
811 * After the last certificate has been read GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
812 * will be returned.
813 *
814 -*/
815 int
816 gnutls_x509_pkcs7_extract_certificate (const gnutls_datum_t *
817 pkcs7_struct, int indx,
818 char *certificate,
819 int *certificate_size)
820 {
821 gnutls_pkcs7_t pkcs7;
822 int result;
823 size_t size = *certificate_size;
824
825 result = gnutls_pkcs7_init (&pkcs7);
826 if (result < 0)
827 return result;
828
829 result = gnutls_pkcs7_import (pkcs7, pkcs7_struct, GNUTLS_X509_FMT_DER);
830 if (result < 0)
831 {
832 gnutls_pkcs7_deinit (pkcs7);
833 return result;
834 }
835
836 result = gnutls_pkcs7_get_crt_raw (pkcs7, indx, certificate, &size);
837 *certificate_size = size;
838
839 gnutls_pkcs7_deinit (pkcs7);
840
841 return result;
842 }
843
844 #endif
Implementation of the SSL/TLS protocol