avoid unnecessary newline
[gnutls.git] / lib / gnutls_cert.c
blob9e73d9194241dc33d07da9be4a4908d5e2d2526e
1 /*
2 * Copyright (C) 2001-2012 Free Software Foundation, Inc.
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GnuTLS.
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
23 /* Some of the stuff needed for Certificate authentication is contained
24 * in this file.
27 #include <gnutls_int.h>
28 #include <gnutls_errors.h>
29 #include <auth/cert.h>
30 #include <gnutls_datum.h>
31 #include <gnutls_mpi.h>
32 #include <gnutls_global.h>
33 #include <algorithms.h>
34 #include <gnutls_dh.h>
35 #include <gnutls_str.h>
36 #include <gnutls_state.h>
37 #include <gnutls_auth.h>
38 #include <gnutls_x509.h>
39 #include <gnutls_str_array.h>
40 #include "x509/x509_int.h"
41 #ifdef ENABLE_OPENPGP
42 #include "openpgp/gnutls_openpgp.h"
43 #endif
44 #include "gettext.h"
45 #define _(String) dgettext (PACKAGE, String)
47 /**
48 * gnutls_certificate_free_keys:
49 * @sc: is a #gnutls_certificate_credentials_t structure.
51 * This function will delete all the keys and the certificates associated
52 * with the given credentials. This function must not be called when a
53 * TLS negotiation that uses the credentials is in progress.
55 **/
56 void
57 gnutls_certificate_free_keys (gnutls_certificate_credentials_t sc)
59 unsigned i, j;
61 for (i = 0; i < sc->ncerts; i++)
63 for (j = 0; j < sc->certs[i].cert_list_length; j++)
65 gnutls_pcert_deinit (&sc->certs[i].cert_list[j]);
67 gnutls_free (sc->certs[i].cert_list);
68 _gnutls_str_array_clear (&sc->certs[i].names);
71 gnutls_free (sc->certs);
72 sc->certs = NULL;
74 for (i = 0; i < sc->ncerts; i++)
76 gnutls_privkey_deinit (sc->pkey[i]);
79 gnutls_free (sc->pkey);
80 sc->pkey = NULL;
82 sc->ncerts = 0;
85 /**
86 * gnutls_certificate_free_cas:
87 * @sc: is a #gnutls_certificate_credentials_t structure.
89 * This function will delete all the CAs associated with the given
90 * credentials. Servers that do not use
91 * gnutls_certificate_verify_peers2() may call this to save some
92 * memory.
93 **/
94 void
95 gnutls_certificate_free_cas (gnutls_certificate_credentials_t sc)
97 /* FIXME: do nothing for now */
98 return;
102 * gnutls_certificate_get_issuer:
103 * @sc: is a #gnutls_certificate_credentials_t structure.
104 * @cert: is the certificate to find issuer for
105 * @issuer: Will hold the issuer if any. Should be treated as constant.
106 * @flags: Use zero.
108 * This function will return the issuer of a given certificate.
110 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
111 * negative error value.
113 * Since: 3.0
116 gnutls_certificate_get_issuer (gnutls_certificate_credentials_t sc,
117 gnutls_x509_crt_t cert, gnutls_x509_crt_t* issuer, unsigned int flags)
119 return gnutls_x509_trust_list_get_issuer(sc->tlist, cert, issuer, flags);
123 * gnutls_certificate_free_ca_names:
124 * @sc: is a #gnutls_certificate_credentials_t structure.
126 * This function will delete all the CA name in the given
127 * credentials. Clients may call this to save some memory since in
128 * client side the CA names are not used. Servers might want to use
129 * this function if a large list of trusted CAs is present and
130 * sending the names of it would just consume bandwidth without providing
131 * information to client.
133 * CA names are used by servers to advertise the CAs they support to
134 * clients.
136 void
137 gnutls_certificate_free_ca_names (gnutls_certificate_credentials_t sc)
139 _gnutls_free_datum (&sc->x509_rdn_sequence);
143 * _gnutls_certificate_get_rsa_params - Returns the RSA parameters pointer
144 * @rsa_params: holds the RSA parameters or NULL.
145 * @func: function to retrieve the parameters or NULL.
146 * @session: The session.
148 * This function will return the rsa parameters pointer.
150 gnutls_rsa_params_t
151 _gnutls_certificate_get_rsa_params (gnutls_rsa_params_t rsa_params,
152 gnutls_params_function * func,
153 gnutls_session_t session)
155 gnutls_params_st params;
156 int ret;
158 if (session->internals.params.rsa_params)
160 return session->internals.params.rsa_params;
163 if (rsa_params)
165 session->internals.params.rsa_params = rsa_params;
167 else if (func)
169 ret = func (session, GNUTLS_PARAMS_RSA_EXPORT, &params);
170 if (ret == 0 && params.type == GNUTLS_PARAMS_RSA_EXPORT)
172 session->internals.params.rsa_params = params.params.rsa_export;
173 session->internals.params.free_rsa_params = params.deinit;
177 return session->internals.params.rsa_params;
182 * gnutls_certificate_free_credentials:
183 * @sc: is a #gnutls_certificate_credentials_t structure.
185 * This structure is complex enough to manipulate directly thus this
186 * helper function is provided in order to free (deallocate) it.
188 * This function does not free any temporary parameters associated
189 * with this structure (ie RSA and DH parameters are not freed by this
190 * function).
192 void
193 gnutls_certificate_free_credentials (gnutls_certificate_credentials_t sc)
195 gnutls_x509_trust_list_deinit(sc->tlist, 1);
196 gnutls_certificate_free_keys (sc);
197 gnutls_certificate_free_ca_names (sc);
198 gnutls_free(sc->ocsp_response_file);
200 #ifdef ENABLE_OPENPGP
201 gnutls_openpgp_keyring_deinit (sc->keyring);
202 #endif
204 gnutls_free (sc);
209 * gnutls_certificate_allocate_credentials:
210 * @res: is a pointer to a #gnutls_certificate_credentials_t structure.
212 * This structure is complex enough to manipulate directly thus this
213 * helper function is provided in order to allocate it.
215 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
218 gnutls_certificate_allocate_credentials (gnutls_certificate_credentials_t *
219 res)
221 int ret;
223 *res = gnutls_calloc (1, sizeof (certificate_credentials_st));
225 if (*res == NULL)
226 return GNUTLS_E_MEMORY_ERROR;
228 ret = gnutls_x509_trust_list_init( &(*res)->tlist, 0);
229 if (ret < 0)
231 gnutls_assert();
232 gnutls_free(*res);
233 return GNUTLS_E_MEMORY_ERROR;
235 (*res)->verify_bits = DEFAULT_MAX_VERIFY_BITS;
236 (*res)->verify_depth = DEFAULT_MAX_VERIFY_DEPTH;
237 (*res)->verify_flags = GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN;
239 return 0;
243 /* returns the KX algorithms that are supported by a
244 * certificate. (Eg a certificate with RSA params, supports
245 * GNUTLS_KX_RSA algorithm).
246 * This function also uses the KeyUsage field of the certificate
247 * extensions in order to disable unneded algorithms.
250 _gnutls_selected_cert_supported_kx (gnutls_session_t session,
251 gnutls_kx_algorithm_t * alg,
252 int *alg_size)
254 gnutls_kx_algorithm_t kx;
255 gnutls_pk_algorithm_t pk, cert_pk;
256 gnutls_pcert_st *cert;
257 int i;
259 if (session->internals.selected_cert_list_length == 0)
261 *alg_size = 0;
262 return 0;
265 cert = &session->internals.selected_cert_list[0];
266 cert_pk = gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL);
267 i = 0;
269 for (kx = 0; kx < MAX_ALGOS; kx++)
271 pk = _gnutls_map_pk_get_pk (kx);
272 if (pk == cert_pk)
274 /* then check key usage */
275 if (_gnutls_check_key_usage (cert, kx) == 0)
277 alg[i] = kx;
278 i++;
280 if (i > *alg_size)
281 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
286 if (i == 0)
288 gnutls_assert ();
289 return GNUTLS_E_INVALID_REQUEST;
292 *alg_size = i;
294 return 0;
299 * gnutls_certificate_server_set_request:
300 * @session: is a #gnutls_session_t structure.
301 * @req: is one of GNUTLS_CERT_REQUEST, GNUTLS_CERT_REQUIRE
303 * This function specifies if we (in case of a server) are going to
304 * send a certificate request message to the client. If @req is
305 * GNUTLS_CERT_REQUIRE then the server will return an error if the
306 * peer does not provide a certificate. If you do not call this
307 * function then the client will not be asked to send a certificate.
309 void
310 gnutls_certificate_server_set_request (gnutls_session_t session,
311 gnutls_certificate_request_t req)
313 session->internals.send_cert_req = req;
317 * gnutls_certificate_client_set_retrieve_function:
318 * @cred: is a #gnutls_certificate_credentials_t structure.
319 * @func: is the callback function
321 * This function sets a callback to be called in order to retrieve the
322 * certificate to be used in the handshake.
323 * You are advised to use gnutls_certificate_set_retrieve_function2() because it
324 * is much more efficient in the processing it requires from gnutls.
326 * The callback's function prototype is:
327 * int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs,
328 * const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_retr_st* st);
330 * @req_ca_cert is only used in X.509 certificates.
331 * Contains a list with the CA names that the server considers trusted.
332 * Normally we should send a certificate that is signed
333 * by one of these CAs. These names are DER encoded. To get a more
334 * meaningful value use the function gnutls_x509_rdn_get().
336 * @pk_algos contains a list with server's acceptable signature algorithms.
337 * The certificate returned should support the server's given algorithms.
339 * @st should contain the certificates and private keys.
341 * If the callback function is provided then gnutls will call it, in the
342 * handshake, if a certificate is requested by the server (and after the
343 * certificate request message has been received).
345 * The callback function should set the certificate list to be sent,
346 * and return 0 on success. If no certificate was selected then the
347 * number of certificates should be set to zero. The value (-1)
348 * indicates error and the handshake will be terminated.
350 void gnutls_certificate_client_set_retrieve_function
351 (gnutls_certificate_credentials_t cred,
352 gnutls_certificate_client_retrieve_function * func)
354 cred->client_get_cert_callback = func;
358 * gnutls_certificate_server_set_retrieve_function:
359 * @cred: is a #gnutls_certificate_credentials_t structure.
360 * @func: is the callback function
362 * This function sets a callback to be called in order to retrieve the
363 * certificate to be used in the handshake.
364 * You are advised to use gnutls_certificate_set_retrieve_function2() because it
365 * is much more efficient in the processing it requires from gnutls.
367 * The callback's function prototype is:
368 * int (*callback)(gnutls_session_t, gnutls_retr_st* st);
370 * @st should contain the certificates and private keys.
372 * If the callback function is provided then gnutls will call it, in the
373 * handshake, after the certificate request message has been received.
375 * The callback function should set the certificate list to be sent, and
376 * return 0 on success. The value (-1) indicates error and the handshake
377 * will be terminated.
379 void gnutls_certificate_server_set_retrieve_function
380 (gnutls_certificate_credentials_t cred,
381 gnutls_certificate_server_retrieve_function * func)
383 cred->server_get_cert_callback = func;
387 * gnutls_certificate_set_retrieve_function:
388 * @cred: is a #gnutls_certificate_credentials_t structure.
389 * @func: is the callback function
391 * This function sets a callback to be called in order to retrieve the
392 * certificate to be used in the handshake. You are advised
393 * to use gnutls_certificate_set_retrieve_function2() because it
394 * is much more efficient in the processing it requires from gnutls.
396 * The callback's function prototype is:
397 * int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs,
398 * const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_retr2_st* st);
400 * @req_ca_cert is only used in X.509 certificates.
401 * Contains a list with the CA names that the server considers trusted.
402 * Normally we should send a certificate that is signed
403 * by one of these CAs. These names are DER encoded. To get a more
404 * meaningful value use the function gnutls_x509_rdn_get().
406 * @pk_algos contains a list with server's acceptable signature algorithms.
407 * The certificate returned should support the server's given algorithms.
409 * @st should contain the certificates and private keys.
411 * If the callback function is provided then gnutls will call it, in the
412 * handshake, after the certificate request message has been received.
414 * In server side pk_algos and req_ca_dn are NULL.
416 * The callback function should set the certificate list to be sent,
417 * and return 0 on success. If no certificate was selected then the
418 * number of certificates should be set to zero. The value (-1)
419 * indicates error and the handshake will be terminated.
421 * Since: 3.0
423 void gnutls_certificate_set_retrieve_function
424 (gnutls_certificate_credentials_t cred,
425 gnutls_certificate_retrieve_function * func)
427 cred->get_cert_callback = func;
431 * gnutls_certificate_set_retrieve_function2:
432 * @cred: is a #gnutls_certificate_credentials_t structure.
433 * @func: is the callback function
435 * This function sets a callback to be called in order to retrieve the
436 * certificate to be used in the handshake.
438 * The callback's function prototype is:
439 * int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs,
440 * const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_pcert_st** pcert,
441 * unsigned int *pcert_length, gnutls_privkey_t * pkey);
443 * @req_ca_cert is only used in X.509 certificates.
444 * Contains a list with the CA names that the server considers trusted.
445 * Normally we should send a certificate that is signed
446 * by one of these CAs. These names are DER encoded. To get a more
447 * meaningful value use the function gnutls_x509_rdn_get().
449 * @pk_algos contains a list with server's acceptable signature algorithms.
450 * The certificate returned should support the server's given algorithms.
452 * @pcert should contain a single certificate and public or a list of them.
454 * @pcert_length is the size of the previous list.
456 * @pkey is the private key.
458 * If the callback function is provided then gnutls will call it, in the
459 * handshake, after the certificate request message has been received.
461 * In server side pk_algos and req_ca_dn are NULL.
463 * The callback function should set the certificate list to be sent,
464 * and return 0 on success. If no certificate was selected then the
465 * number of certificates should be set to zero. The value (-1)
466 * indicates error and the handshake will be terminated.
468 * Since: 3.0
470 void gnutls_certificate_set_retrieve_function2
471 (gnutls_certificate_credentials_t cred,
472 gnutls_certificate_retrieve_function2 * func)
474 cred->get_cert_callback2 = func;
478 * gnutls_certificate_set_verify_function:
479 * @cred: is a #gnutls_certificate_credentials_t structure.
480 * @func: is the callback function
482 * This function sets a callback to be called when peer's certificate
483 * has been received in order to verify it on receipt rather than
484 * doing after the handshake is completed.
486 * The callback's function prototype is:
487 * int (*callback)(gnutls_session_t);
489 * If the callback function is provided then gnutls will call it, in the
490 * handshake, just after the certificate message has been received.
491 * To verify or obtain the certificate the gnutls_certificate_verify_peers2(),
492 * gnutls_certificate_type_get(), gnutls_certificate_get_peers() functions
493 * can be used.
495 * The callback function should return 0 for the handshake to continue
496 * or non-zero to terminate.
498 * Since: 2.10.0
500 void
501 gnutls_certificate_set_verify_function
502 (gnutls_certificate_credentials_t cred,
503 gnutls_certificate_verify_function * func)
505 cred->verify_callback = func;
509 * _gnutls_x509_extract_certificate_activation_time - return the peer's certificate activation time
510 * @cert: should contain an X.509 DER encoded certificate
512 * This function will return the certificate's activation time in UNIX time
513 * (ie seconds since 00:00:00 UTC January 1, 1970).
515 * Returns a (time_t) -1 in case of an error.
518 static time_t
519 _gnutls_x509_get_raw_crt_activation_time (const gnutls_datum_t * cert)
521 gnutls_x509_crt_t xcert;
522 time_t result;
524 result = gnutls_x509_crt_init (&xcert);
525 if (result < 0)
526 return (time_t) - 1;
528 result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
529 if (result < 0)
531 gnutls_x509_crt_deinit (xcert);
532 return (time_t) - 1;
535 result = gnutls_x509_crt_get_activation_time (xcert);
537 gnutls_x509_crt_deinit (xcert);
539 return result;
543 * gnutls_x509_extract_certificate_expiration_time:
544 * @cert: should contain an X.509 DER encoded certificate
546 * This function will return the certificate's expiration time in UNIX
547 * time (ie seconds since 00:00:00 UTC January 1, 1970). Returns a
549 * (time_t) -1 in case of an error.
552 static time_t
553 _gnutls_x509_get_raw_crt_expiration_time (const gnutls_datum_t * cert)
555 gnutls_x509_crt_t xcert;
556 time_t result;
558 result = gnutls_x509_crt_init (&xcert);
559 if (result < 0)
560 return (time_t) - 1;
562 result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
563 if (result < 0)
565 gnutls_x509_crt_deinit (xcert);
566 return (time_t) - 1;
569 result = gnutls_x509_crt_get_expiration_time (xcert);
571 gnutls_x509_crt_deinit (xcert);
573 return result;
576 #ifdef ENABLE_OPENPGP
578 * _gnutls_openpgp_crt_verify_peers - return the peer's certificate status
579 * @session: is a gnutls session
581 * This function will try to verify the peer's certificate and return its status (TRUSTED, INVALID etc.).
582 * Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
584 static int
585 _gnutls_openpgp_crt_verify_peers (gnutls_session_t session,
586 const char* hostname,
587 unsigned int *status)
589 cert_auth_info_t info;
590 gnutls_certificate_credentials_t cred;
591 int peer_certificate_list_size, ret;
593 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
595 info = _gnutls_get_auth_info (session);
596 if (info == NULL)
597 return GNUTLS_E_INVALID_REQUEST;
599 cred = (gnutls_certificate_credentials_t)
600 _gnutls_get_cred (session, GNUTLS_CRD_CERTIFICATE, NULL);
601 if (cred == NULL)
603 gnutls_assert ();
604 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
607 if (info->raw_certificate_list == NULL || info->ncerts == 0)
609 gnutls_assert ();
610 return GNUTLS_E_NO_CERTIFICATE_FOUND;
613 /* generate a list of gnutls_certs based on the auth info
614 * raw certs.
616 peer_certificate_list_size = info->ncerts;
618 if (peer_certificate_list_size != 1)
620 gnutls_assert ();
621 return GNUTLS_E_INTERNAL_ERROR;
624 /* Verify certificate
626 ret =
627 _gnutls_openpgp_verify_key (cred, hostname, &info->raw_certificate_list[0],
628 peer_certificate_list_size, status);
630 if (ret < 0)
632 gnutls_assert ();
633 return ret;
636 return 0;
638 #endif
641 * gnutls_certificate_verify_peers2:
642 * @session: is a gnutls session
643 * @status: is the output of the verification
645 * This function will verify the peer's certificate and return
646 * its status (trusted, invalid etc.). The value of @status will
647 * be one or more of the gnutls_certificate_status_t flags
648 * bitwise or'd or zero if the certificate is trusted. Note that verification
649 * does not imply a negative return value. Only the @status is updated.
651 * If available the OCSP Certificate Status extension will be
652 * utilized by this function.
654 * To avoid denial of service attacks some
655 * default upper limits regarding the certificate key size and chain
656 * size are set. To override them use gnutls_certificate_set_verify_limits().
658 * Note that you must also check the peer's name in order to check if
659 * the verified certificate belongs to the actual peer, see gnutls_x509_crt_check_hostname().
661 * Returns: a negative error code on error and %GNUTLS_E_SUCCESS (0) on success.
664 gnutls_certificate_verify_peers2 (gnutls_session_t session,
665 unsigned int *status)
667 cert_auth_info_t info;
669 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
671 info = _gnutls_get_auth_info (session);
672 if (info == NULL)
674 return GNUTLS_E_NO_CERTIFICATE_FOUND;
677 if (info->raw_certificate_list == NULL || info->ncerts == 0)
678 return GNUTLS_E_NO_CERTIFICATE_FOUND;
680 switch (gnutls_certificate_type_get (session))
682 case GNUTLS_CRT_X509:
683 return _gnutls_x509_cert_verify_peers (session, NULL, status);
684 #ifdef ENABLE_OPENPGP
685 case GNUTLS_CRT_OPENPGP:
686 return _gnutls_openpgp_crt_verify_peers (session, NULL, status);
687 #endif
688 default:
689 return GNUTLS_E_INVALID_REQUEST;
694 * gnutls_certificate_verify_peers3:
695 * @session: is a gnutls session
696 * @hostname: is the expected name of the peer
697 * @status: is the output of the verification
699 * This function will verify the peer's certificate and its name and
700 * return its status (trusted, invalid etc.). The value of @status will
701 * be one or more of the gnutls_certificate_status_t flags
702 * bitwise or'd or zero if the certificate is trusted. Note that verification
703 * failure does not imply a negative return value. Only the @status is updated.
705 * In case the @hostname does not match the %GNUTLS_CERT_UNEXPECTED_OWNER
706 * status flag will be set.
708 * If available the OCSP Certificate Status extension will be
709 * utilized by this function.
711 * To avoid denial of service attacks some
712 * default upper limits regarding the certificate key size and chain
713 * size are set. To override them use gnutls_certificate_set_verify_limits().
715 * Returns: a negative error code on error and %GNUTLS_E_SUCCESS (0) on success.
717 * Since: 3.1.4
720 gnutls_certificate_verify_peers3 (gnutls_session_t session,
721 const char* hostname,
722 unsigned int *status)
724 cert_auth_info_t info;
726 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
728 info = _gnutls_get_auth_info (session);
729 if (info == NULL)
731 return GNUTLS_E_NO_CERTIFICATE_FOUND;
734 if (info->raw_certificate_list == NULL || info->ncerts == 0)
735 return GNUTLS_E_NO_CERTIFICATE_FOUND;
737 switch (gnutls_certificate_type_get (session))
739 case GNUTLS_CRT_X509:
740 return _gnutls_x509_cert_verify_peers (session, hostname, status);
741 #ifdef ENABLE_OPENPGP
742 case GNUTLS_CRT_OPENPGP:
743 return _gnutls_openpgp_crt_verify_peers (session, hostname, status);
744 #endif
745 default:
746 return GNUTLS_E_INVALID_REQUEST;
751 * gnutls_certificate_expiration_time_peers:
752 * @session: is a gnutls session
754 * This function will return the peer's certificate expiration time.
756 * Returns: (time_t)-1 on error.
758 * Deprecated: gnutls_certificate_verify_peers2() now verifies expiration times.
760 time_t
761 gnutls_certificate_expiration_time_peers (gnutls_session_t session)
763 cert_auth_info_t info;
765 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
767 info = _gnutls_get_auth_info (session);
768 if (info == NULL)
770 return (time_t) - 1;
773 if (info->raw_certificate_list == NULL || info->ncerts == 0)
775 gnutls_assert ();
776 return (time_t) - 1;
779 switch (gnutls_certificate_type_get (session))
781 case GNUTLS_CRT_X509:
782 return
783 _gnutls_x509_get_raw_crt_expiration_time (&info->raw_certificate_list
784 [0]);
785 #ifdef ENABLE_OPENPGP
786 case GNUTLS_CRT_OPENPGP:
787 return
788 _gnutls_openpgp_get_raw_key_expiration_time
789 (&info->raw_certificate_list[0]);
790 #endif
791 default:
792 return (time_t) - 1;
797 * gnutls_certificate_activation_time_peers:
798 * @session: is a gnutls session
800 * This function will return the peer's certificate activation time.
801 * This is the creation time for openpgp keys.
803 * Returns: (time_t)-1 on error.
805 * Deprecated: gnutls_certificate_verify_peers2() now verifies activation times.
807 time_t
808 gnutls_certificate_activation_time_peers (gnutls_session_t session)
810 cert_auth_info_t info;
812 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
814 info = _gnutls_get_auth_info (session);
815 if (info == NULL)
817 return (time_t) - 1;
820 if (info->raw_certificate_list == NULL || info->ncerts == 0)
822 gnutls_assert ();
823 return (time_t) - 1;
826 switch (gnutls_certificate_type_get (session))
828 case GNUTLS_CRT_X509:
829 return
830 _gnutls_x509_get_raw_crt_activation_time (&info->raw_certificate_list
831 [0]);
832 #ifdef ENABLE_OPENPGP
833 case GNUTLS_CRT_OPENPGP:
834 return
835 _gnutls_openpgp_get_raw_key_creation_time (&info->raw_certificate_list
836 [0]);
837 #endif
838 default:
839 return (time_t) - 1;
844 * gnutls_sign_callback_set:
845 * @session: is a gnutls session
846 * @sign_func: function pointer to application's sign callback.
847 * @userdata: void pointer that will be passed to sign callback.
849 * Set the callback function. The function must have this prototype:
851 * typedef int (*gnutls_sign_func) (gnutls_session_t session,
852 * void *userdata,
853 * gnutls_certificate_type_t cert_type,
854 * const gnutls_datum_t * cert,
855 * const gnutls_datum_t * hash,
856 * gnutls_datum_t * signature);
858 * The @userdata parameter is passed to the @sign_func verbatim, and
859 * can be used to store application-specific data needed in the
860 * callback function. See also gnutls_sign_callback_get().
862 * Deprecated: Use the PKCS 11 or #gnutls_privkey_t interfacess like gnutls_privkey_import_ext() instead.
864 void
865 gnutls_sign_callback_set (gnutls_session_t session,
866 gnutls_sign_func sign_func, void *userdata)
868 session->internals.sign_func = sign_func;
869 session->internals.sign_func_userdata = userdata;
873 * gnutls_sign_callback_get:
874 * @session: is a gnutls session
875 * @userdata: if non-%NULL, will be set to abstract callback pointer.
877 * Retrieve the callback function, and its userdata pointer.
879 * Returns: The function pointer set by gnutls_sign_callback_set(), or
880 * if not set, %NULL.
882 * Deprecated: Use the PKCS 11 interfaces instead.
884 gnutls_sign_func
885 gnutls_sign_callback_get (gnutls_session_t session, void **userdata)
887 if (userdata)
888 *userdata = session->internals.sign_func_userdata;
889 return session->internals.sign_func;
892 /* returns error if the certificate has different algorithm than
893 * the given key parameters.
896 _gnutls_check_key_cert_match (gnutls_certificate_credentials_t res)
898 int pk = gnutls_pubkey_get_pk_algorithm(res->certs[res->ncerts-1].cert_list[0].pubkey, NULL);
899 int pk2 = gnutls_privkey_get_pk_algorithm (res->pkey[res->ncerts - 1], NULL);
901 if (pk2 != pk)
903 gnutls_assert ();
904 return GNUTLS_E_CERTIFICATE_KEY_MISMATCH;
907 return 0;
911 * gnutls_certificate_verification_status_print:
912 * @status: The status flags to be printed
913 * @type: The certificate type
914 * @out: Newly allocated datum with (0) terminated string.
915 * @flags: should be zero
917 * This function will pretty print the status of a verification
918 * process -- eg. the one obtained by gnutls_certificate_verify_peers3().
920 * The output @out needs to be deallocated using gnutls_free().
922 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
923 * negative error value.
925 * Since: 3.1.4
928 gnutls_certificate_verification_status_print (unsigned int status,
929 gnutls_certificate_type_t type,
930 gnutls_datum_t * out, unsigned int flags)
932 gnutls_buffer_st str;
933 int ret;
935 _gnutls_buffer_init (&str);
937 if (status == 0)
938 _gnutls_buffer_append_str (&str, _("Peer's certificate is trusted. "));
939 else
940 _gnutls_buffer_append_str (&str, _("Peer's certificate is NOT trusted. "));
942 if (type == GNUTLS_CRT_X509)
944 if (status & GNUTLS_CERT_REVOKED)
945 _gnutls_buffer_append_str (&str, _("Peer's certificate chain revoked. "));
947 if (status & GNUTLS_CERT_REVOCATION_DATA_TOO_OLD)
948 _gnutls_buffer_append_str (&str, _("The revocation data provided by the peer are too old. "));
950 if (status & GNUTLS_CERT_REVOCATION_DATA_INVALID)
951 _gnutls_buffer_append_str (&str, _("The revocation data provided by the peer are invalid. "));
953 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
954 _gnutls_buffer_append_str (&str, _("Peer's certificate issuer is unknown. "));
956 if (status & GNUTLS_CERT_SIGNER_NOT_CA)
957 _gnutls_buffer_append_str (&str, _("Peer's certificate issuer is not a CA. "));
959 else if (type == GNUTLS_CRT_OPENPGP)
961 _gnutls_buffer_append_str (&str, _("Peer's certificate is not trusted. "));
963 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
964 _gnutls_buffer_append_str (&str, _("Could not find a signer of the peer's certificate. "));
966 if (status & GNUTLS_CERT_REVOKED)
967 _gnutls_buffer_append_str (&str, _("Peer's certificate is revoked. "));
970 if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
971 _gnutls_buffer_append_str (&str, _("Peer's certificate chain uses insecure algorithm. "));
973 if (status & GNUTLS_CERT_NOT_ACTIVATED)
974 _gnutls_buffer_append_str (&str, _("Peer's certificate chain uses not yet valid certificate. "));
976 if (status & GNUTLS_CERT_EXPIRED)
977 _gnutls_buffer_append_str (&str, _("Peer's certificate chain uses expired certificate. "));
979 if (status & GNUTLS_CERT_SIGNATURE_FAILURE)
980 _gnutls_buffer_append_str (&str, _("The signature in the certificate is invalid. "));
982 if (status & GNUTLS_CERT_UNEXPECTED_OWNER)
983 _gnutls_buffer_append_str (&str, _("The name in the certificate does not match the expected. "));
985 ret = _gnutls_buffer_to_datum( &str, out);
986 if (out->size > 0) out->size--;
988 return ret;