2 * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GNUTLS.
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
25 #include <gnutls_int.h>
26 #include "gnutls_auth.h"
27 #include "gnutls_errors.h"
28 #include <gnutls_cert.h>
29 #include <auth_cert.h>
30 #include "gnutls_dh.h"
31 #include "gnutls_num.h"
32 #include "gnutls_datum.h"
33 #include <gnutls_pk.h>
34 #include <gnutls_algorithms.h>
35 #include <gnutls_global.h>
36 #include <gnutls_record.h>
37 #include <gnutls_sig.h>
38 #include <gnutls_state.h>
39 #include <gnutls_pk.h>
40 #include <gnutls_str.h>
43 #include <gnutls_x509.h>
44 #include "x509/common.h"
45 #include "x509/x509_int.h"
46 #include "read-file.h"
49 * some x509 certificate parsing functions.
52 /* Check if the number of bits of the key in the certificate
56 check_bits (gnutls_x509_crt_t crt
, unsigned int max_bits
)
61 ret
= gnutls_x509_crt_get_pk_algorithm (crt
, &bits
);
68 if (bits
> max_bits
&& max_bits
> 0)
71 return GNUTLS_E_CONSTRAINT_ERROR
;
78 #define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) { \
79 if (peer_certificate_list[x]) \
80 gnutls_x509_crt_deinit(peer_certificate_list[x]); \
82 gnutls_free( peer_certificate_list)
85 * _gnutls_x509_cert_verify_peers - return the peer's certificate status
86 * @session: is a gnutls session
88 * This function will try to verify the peer's certificate and return its status (TRUSTED, REVOKED etc.).
89 * The return value (status) should be one of the gnutls_certificate_status_t enumerated elements.
90 * However you must also check the peer's name in order to check if the verified certificate belongs to the
91 * actual peer. Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
95 _gnutls_x509_cert_verify_peers (gnutls_session_t session
,
98 cert_auth_info_t info
;
99 gnutls_certificate_credentials_t cred
;
100 gnutls_x509_crt_t
*peer_certificate_list
;
101 int peer_certificate_list_size
, i
, x
, ret
;
103 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE
, GNUTLS_E_INVALID_REQUEST
);
105 info
= _gnutls_get_auth_info (session
);
109 return GNUTLS_E_INVALID_REQUEST
;
112 cred
= (gnutls_certificate_credentials_t
)
113 _gnutls_get_cred (session
->key
, GNUTLS_CRD_CERTIFICATE
, NULL
);
117 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
120 if (info
->raw_certificate_list
== NULL
|| info
->ncerts
== 0)
121 return GNUTLS_E_NO_CERTIFICATE_FOUND
;
123 if (info
->ncerts
> cred
->verify_depth
&& cred
->verify_depth
> 0)
126 return GNUTLS_E_CONSTRAINT_ERROR
;
129 /* generate a list of gnutls_certs based on the auth info
132 peer_certificate_list_size
= info
->ncerts
;
133 peer_certificate_list
=
134 gnutls_calloc (peer_certificate_list_size
, sizeof (gnutls_x509_crt_t
));
135 if (peer_certificate_list
== NULL
)
138 return GNUTLS_E_MEMORY_ERROR
;
141 for (i
= 0; i
< peer_certificate_list_size
; i
++)
143 ret
= gnutls_x509_crt_init (&peer_certificate_list
[i
]);
152 gnutls_x509_crt_import (peer_certificate_list
[i
],
153 &info
->raw_certificate_list
[i
],
154 GNUTLS_X509_FMT_DER
);
170 ret
= check_bits (peer_certificate_list
[i
], cred
->verify_bits
);
180 /* Verify certificate
183 ret
= gnutls_x509_crt_list_verify (peer_certificate_list
,
184 peer_certificate_list_size
,
185 cred
->x509_ca_list
, cred
->x509_ncas
,
186 cred
->x509_crl_list
, cred
->x509_ncrls
,
187 cred
->verify_flags
| session
->internals
.priorities
.additional_verify_flags
,
202 * Read certificates and private keys, from files, memory etc.
205 /* returns error if the certificate has different algorithm than
206 * the given key parameters.
209 _gnutls_check_key_cert_match (gnutls_certificate_credentials_t res
)
213 unsigned pk
= res
->cert_list
[res
->ncerts
- 1][0].subject_pk_algorithm
;
215 if (res
->pkey
[res
->ncerts
- 1].pk_algorithm
!= pk
)
218 return GNUTLS_E_CERTIFICATE_KEY_MISMATCH
;
221 if (pk
== GNUTLS_PK_RSA
)
223 _gnutls_x509_write_rsa_params (res
->pkey
[res
->ncerts
- 1].params
,
224 res
->pkey
[res
->ncerts
-
225 1].params_size
, &kid
);
228 _gnutls_x509_write_rsa_params (res
->cert_list
[res
->ncerts
- 1][0].
230 res
->cert_list
[res
->ncerts
-
231 1][0].params_size
, &cid
);
233 else if (pk
== GNUTLS_PK_DSA
)
236 _gnutls_x509_write_dsa_params (res
->pkey
[res
->ncerts
- 1].params
,
237 res
->pkey
[res
->ncerts
-
238 1].params_size
, &kid
);
240 _gnutls_x509_write_dsa_params (res
->cert_list
[res
->ncerts
- 1][0].
242 res
->cert_list
[res
->ncerts
-
243 1][0].params_size
, &cid
);
246 if (cid
.size
!= kid
.size
)
249 _gnutls_free_datum (&kid
);
250 _gnutls_free_datum (&cid
);
251 return GNUTLS_E_CERTIFICATE_KEY_MISMATCH
;
254 if (memcmp (kid
.data
, cid
.data
, kid
.size
) != 0)
257 _gnutls_free_datum (&kid
);
258 _gnutls_free_datum (&cid
);
259 return GNUTLS_E_CERTIFICATE_KEY_MISMATCH
;
262 _gnutls_free_datum (&kid
);
263 _gnutls_free_datum (&cid
);
267 /* Reads a DER encoded certificate list from memory and stores it to a
268 * gnutls_cert structure. Returns the number of certificates parsed.
271 parse_crt_mem (gnutls_cert
** cert_list
, unsigned *ncerts
,
272 gnutls_x509_crt_t cert
)
280 (gnutls_cert
*) gnutls_realloc_fast (*cert_list
,
281 i
* sizeof (gnutls_cert
));
283 if (*cert_list
== NULL
)
286 return GNUTLS_E_MEMORY_ERROR
;
289 ret
= _gnutls_x509_crt_to_gcert (&cert_list
[0][i
- 1], cert
, 0);
298 return 1; /* one certificate parsed */
301 /* Reads a DER encoded certificate list from memory and stores it to a
302 * gnutls_cert structure. Returns the number of certificates parsed.
305 parse_der_cert_mem (gnutls_cert
** cert_list
, unsigned *ncerts
,
306 const void *input_cert
, int input_cert_size
)
309 gnutls_x509_crt_t cert
;
312 ret
= gnutls_x509_crt_init (&cert
);
319 tmp
.data
= (opaque
*) input_cert
;
320 tmp
.size
= input_cert_size
;
322 ret
= gnutls_x509_crt_import (cert
, &tmp
, GNUTLS_X509_FMT_DER
);
326 gnutls_x509_crt_deinit (cert
);
330 ret
= parse_crt_mem (cert_list
, ncerts
, cert
);
331 gnutls_x509_crt_deinit (cert
);
336 /* Reads a base64 encoded certificate list from memory and stores it to
337 * a gnutls_cert structure. Returns the number of certificate parsed.
340 parse_pem_cert_mem (gnutls_cert
** cert_list
, unsigned *ncerts
,
341 const char *input_cert
, int input_cert_size
)
349 /* move to the certificate
351 ptr
= memmem (input_cert
, input_cert_size
,
352 PEM_CERT_SEP
, sizeof (PEM_CERT_SEP
) - 1);
354 ptr
= memmem (input_cert
, input_cert_size
,
355 PEM_CERT_SEP2
, sizeof (PEM_CERT_SEP2
) - 1);
360 return GNUTLS_E_BASE64_DECODING_ERROR
;
362 size
= input_cert_size
- (ptr
- input_cert
);
370 siz2
= _gnutls_fbase64_decode (NULL
, ptr
, size
, &ptr2
);
375 return GNUTLS_E_BASE64_DECODING_ERROR
;
379 (gnutls_cert
*) gnutls_realloc_fast (*cert_list
,
380 i
* sizeof (gnutls_cert
));
382 if (*cert_list
== NULL
)
385 return GNUTLS_E_MEMORY_ERROR
;
391 ret
= _gnutls_x509_raw_cert_to_gcert (&cert_list
[0][i
- 1], &tmp
, 0);
397 _gnutls_free_datum (&tmp
); /* free ptr2 */
399 /* now we move ptr after the pem header
402 /* find the next certificate (if any)
404 size
= input_cert_size
- (ptr
- input_cert
);
410 ptr3
= memmem (ptr
, size
, PEM_CERT_SEP
, sizeof (PEM_CERT_SEP
) - 1);
412 ptr3
= memmem (ptr
, size
, PEM_CERT_SEP2
,
413 sizeof (PEM_CERT_SEP2
) - 1);
433 /* Reads a DER or PEM certificate from memory
436 read_cert_mem (gnutls_certificate_credentials_t res
, const void *cert
,
437 int cert_size
, gnutls_x509_crt_fmt_t type
)
441 /* allocate space for the certificate to add
443 res
->cert_list
= gnutls_realloc_fast (res
->cert_list
,
446 sizeof (gnutls_cert
*));
447 if (res
->cert_list
== NULL
)
450 return GNUTLS_E_MEMORY_ERROR
;
453 res
->cert_list_length
= gnutls_realloc_fast (res
->cert_list_length
,
455 res
->ncerts
) * sizeof (int));
456 if (res
->cert_list_length
== NULL
)
459 return GNUTLS_E_MEMORY_ERROR
;
462 res
->cert_list
[res
->ncerts
] = NULL
; /* for realloc */
463 res
->cert_list_length
[res
->ncerts
] = 0;
465 if (type
== GNUTLS_X509_FMT_DER
)
466 ret
= parse_der_cert_mem (&res
->cert_list
[res
->ncerts
],
467 &res
->cert_list_length
[res
->ncerts
],
470 ret
= parse_pem_cert_mem (&res
->cert_list
[res
->ncerts
],
471 &res
->cert_list_length
[res
->ncerts
], cert
,
485 _gnutls_x509_privkey_to_gkey (gnutls_privkey
* dest
,
486 gnutls_x509_privkey_t src
)
490 memset (dest
, 0, sizeof (gnutls_privkey
));
492 for (i
= 0; i
< src
->params_size
; i
++)
494 dest
->params
[i
] = _gnutls_mpi_copy (src
->params
[i
]);
495 if (dest
->params
[i
] == NULL
)
498 ret
= GNUTLS_E_MEMORY_ERROR
;
503 dest
->pk_algorithm
= src
->pk_algorithm
;
504 dest
->params_size
= src
->params_size
;
510 for (i
= 0; i
< src
->params_size
; i
++)
512 _gnutls_mpi_release (&dest
->params
[i
]);
518 _gnutls_gkey_deinit (gnutls_privkey
* key
)
524 for (i
= 0; i
< key
->params_size
; i
++)
526 _gnutls_mpi_release (&key
->params
[i
]);
531 _gnutls_x509_raw_privkey_to_gkey (gnutls_privkey
* privkey
,
532 const gnutls_datum_t
* raw_key
,
533 gnutls_x509_crt_fmt_t type
)
535 gnutls_x509_privkey_t tmpkey
;
538 ret
= gnutls_x509_privkey_init (&tmpkey
);
545 ret
= gnutls_x509_privkey_import (tmpkey
, raw_key
, type
);
548 /* If normal key decoding doesn't work try decoding a plain PKCS #8 key */
550 ret
= gnutls_x509_privkey_import_pkcs8 (tmpkey
, raw_key
, type
,
551 NULL
, GNUTLS_PKCS_PLAIN
);
557 gnutls_x509_privkey_deinit (tmpkey
);
561 ret
= _gnutls_x509_privkey_to_gkey (privkey
, tmpkey
);
565 gnutls_x509_privkey_deinit (tmpkey
);
569 gnutls_x509_privkey_deinit (tmpkey
);
574 /* Reads a PEM encoded PKCS-1 RSA/DSA private key from memory. Type
575 * indicates the certificate format. KEY can be NULL, to indicate
576 * that GnuTLS doesn't know the private key.
579 read_key_mem (gnutls_certificate_credentials_t res
,
580 const void *key
, int key_size
, gnutls_x509_crt_fmt_t type
)
585 /* allocate space for the pkey list
588 gnutls_realloc_fast (res
->pkey
,
589 (res
->ncerts
+ 1) * sizeof (gnutls_privkey
));
590 if (res
->pkey
== NULL
)
593 return GNUTLS_E_MEMORY_ERROR
;
598 tmp
.data
= (opaque
*) key
;
602 _gnutls_x509_raw_privkey_to_gkey (&res
->pkey
[res
->ncerts
], &tmp
,
611 memset (&res
->pkey
[res
->ncerts
], 0, sizeof (gnutls_privkey
));
616 /* Reads a certificate file
619 read_cert_file (gnutls_certificate_credentials_t res
,
620 const char *certfile
, gnutls_x509_crt_fmt_t type
)
624 char *data
= read_binary_file (certfile
, &size
);
629 return GNUTLS_E_FILE_ERROR
;
632 ret
= read_cert_mem (res
, data
, size
, type
);
641 /* Reads PKCS-1 RSA private key file or a DSA file (in the format openssl
645 read_key_file (gnutls_certificate_credentials_t res
,
646 const char *keyfile
, gnutls_x509_crt_fmt_t type
)
650 char *data
= read_binary_file (keyfile
, &size
);
655 return GNUTLS_E_FILE_ERROR
;
658 ret
= read_key_mem (res
, data
, size
, type
);
665 * gnutls_certificate_set_x509_key_mem - Used to set keys in a gnutls_certificate_credentials_t structure
666 * @res: is a #gnutls_certificate_credentials_t structure.
667 * @cert: contains a certificate list (path) for the specified private key
668 * @key: is the private key, or %NULL
669 * @type: is PEM or DER
671 * This function sets a certificate/private key pair in the
672 * gnutls_certificate_credentials_t structure. This function may be called
673 * more than once (in case multiple keys/certificates exist for the
676 * Currently are supported: RSA PKCS-1 encoded private keys,
679 * DSA private keys are encoded the OpenSSL way, which is an ASN.1
680 * DER sequence of 6 INTEGERs - version, p, q, g, pub, priv.
682 * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates
683 * is supported. This means that certificates intended for signing cannot
684 * be used for ciphersuites that require encryption.
686 * If the certificate and the private key are given in PEM encoding
687 * then the strings that hold their values must be null terminated.
689 * The @key may be %NULL if you are using a sign callback, see
690 * gnutls_sign_callback_set().
692 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
695 gnutls_certificate_set_x509_key_mem (gnutls_certificate_credentials_t res
,
696 const gnutls_datum_t
* cert
,
697 const gnutls_datum_t
* key
,
698 gnutls_x509_crt_fmt_t type
)
702 /* this should be first
704 if ((ret
= read_key_mem (res
, key
? key
->data
: NULL
,
705 key
? key
->size
: 0, type
)) < 0)
708 if ((ret
= read_cert_mem (res
, cert
->data
, cert
->size
, type
)) < 0)
713 if (key
&& (ret
= _gnutls_check_key_cert_match (res
)) < 0)
723 * gnutls_certificate_set_x509_key - Used to set keys in a gnutls_certificate_credentials_t structure
724 * @res: is a #gnutls_certificate_credentials_t structure.
725 * @cert_list: contains a certificate list (path) for the specified private key
726 * @cert_list_size: holds the size of the certificate list
727 * @key: is a gnutls_x509_privkey_t key
729 * This function sets a certificate/private key pair in the
730 * gnutls_certificate_credentials_t structure. This function may be
731 * called more than once (in case multiple keys/certificates exist
734 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
739 gnutls_certificate_set_x509_key (gnutls_certificate_credentials_t res
,
740 gnutls_x509_crt_t
* cert_list
,
742 gnutls_x509_privkey_t key
)
746 /* this should be first
750 gnutls_realloc_fast (res
->pkey
,
751 (res
->ncerts
+ 1) * sizeof (gnutls_privkey
));
752 if (res
->pkey
== NULL
)
755 return GNUTLS_E_MEMORY_ERROR
;
758 ret
= _gnutls_x509_privkey_to_gkey (&res
->pkey
[res
->ncerts
], key
);
765 res
->cert_list
= gnutls_realloc_fast (res
->cert_list
,
768 sizeof (gnutls_cert
*));
769 if (res
->cert_list
== NULL
)
772 return GNUTLS_E_MEMORY_ERROR
;
775 res
->cert_list_length
= gnutls_realloc_fast (res
->cert_list_length
,
777 res
->ncerts
) * sizeof (int));
778 if (res
->cert_list_length
== NULL
)
781 return GNUTLS_E_MEMORY_ERROR
;
784 res
->cert_list
[res
->ncerts
] = NULL
; /* for realloc */
785 res
->cert_list_length
[res
->ncerts
] = 0;
788 for (i
= 0; i
< cert_list_size
; i
++)
790 ret
= parse_crt_mem (&res
->cert_list
[res
->ncerts
],
791 &res
->cert_list_length
[res
->ncerts
], cert_list
[i
]);
800 if ((ret
= _gnutls_check_key_cert_match (res
)) < 0)
810 * gnutls_certificate_set_x509_key_file - Used to set keys in a gnutls_certificate_credentials_t structure
811 * @res: is a #gnutls_certificate_credentials_t structure.
812 * @certfile: is a file that containing the certificate list (path) for
813 * the specified private key, in PKCS7 format, or a list of certificates
814 * @keyfile: is a file that contains the private key
815 * @type: is PEM or DER
817 * This function sets a certificate/private key pair in the
818 * gnutls_certificate_credentials_t structure. This function may be
819 * called more than once (in case multiple keys/certificates exist
822 * Currently only PKCS-1 encoded RSA and DSA private keys are accepted by
825 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
828 gnutls_certificate_set_x509_key_file (gnutls_certificate_credentials_t res
,
829 const char *certfile
,
831 gnutls_x509_crt_fmt_t type
)
835 /* this should be first
837 if ((ret
= read_key_file (res
, keyfile
, type
)) < 0)
840 if ((ret
= read_cert_file (res
, certfile
, type
)) < 0)
845 if ((ret
= _gnutls_check_key_cert_match (res
)) < 0)
855 add_new_crt_to_rdn_seq (gnutls_certificate_credentials_t res
, int new)
860 unsigned char *newdata
;
863 /* Add DN of the last added CAs to the RDN sequence
864 * This will be sent to clients when a certificate
865 * request message is sent.
868 /* FIXME: in case of a client it is not needed
869 * to do that. This would save time and memory.
870 * However we don't have that information available
872 * Further, this function is now much more efficient,
873 * so optimizing that is less important.
876 for (i
= res
->x509_ncas
- new; i
< res
->x509_ncas
; i
++)
878 if ((ret
= gnutls_x509_crt_get_raw_dn (res
->x509_ca_list
[i
], &tmp
)) < 0)
884 newsize
= res
->x509_rdn_sequence
.size
+ 2 + tmp
.size
;
885 if (newsize
< res
->x509_rdn_sequence
.size
)
888 _gnutls_free_datum (&tmp
);
889 return GNUTLS_E_SHORT_MEMORY_BUFFER
;
892 newdata
= gnutls_realloc (res
->x509_rdn_sequence
.data
, newsize
);
896 _gnutls_free_datum (&tmp
);
897 return GNUTLS_E_MEMORY_ERROR
;
900 _gnutls_write_datum16 (newdata
+ res
->x509_rdn_sequence
.size
, tmp
);
901 _gnutls_free_datum (&tmp
);
903 res
->x509_rdn_sequence
.size
= newsize
;
904 res
->x509_rdn_sequence
.data
= newdata
;
910 /* Returns 0 if it's ok to use the gnutls_kx_algorithm_t with this
911 * certificate (uses the KeyUsage field).
914 _gnutls_check_key_usage (const gnutls_cert
* cert
, gnutls_kx_algorithm_t alg
)
916 unsigned int key_usage
= 0;
922 return GNUTLS_E_INTERNAL_ERROR
;
925 if (_gnutls_map_kx_get_cred (alg
, 1) == GNUTLS_CRD_CERTIFICATE
||
926 _gnutls_map_kx_get_cred (alg
, 0) == GNUTLS_CRD_CERTIFICATE
)
929 key_usage
= cert
->key_usage
;
931 encipher_type
= _gnutls_kx_encipher_type (alg
);
933 if (key_usage
!= 0 && encipher_type
!= CIPHER_IGN
)
935 /* If key_usage has been set in the certificate
938 if (encipher_type
== CIPHER_ENCRYPT
)
940 /* If the key exchange method requires an encipher
941 * type algorithm, and key's usage does not permit
942 * encipherment, then fail.
944 if (!(key_usage
& KEY_KEY_ENCIPHERMENT
))
947 return GNUTLS_E_KEY_USAGE_VIOLATION
;
951 if (encipher_type
== CIPHER_SIGN
)
953 /* The same as above, but for sign only keys
955 if (!(key_usage
& KEY_DIGITAL_SIGNATURE
))
958 return GNUTLS_E_KEY_USAGE_VIOLATION
;
969 parse_pem_ca_mem (gnutls_x509_crt_t
** cert_list
, unsigned *ncerts
,
970 const opaque
* input_cert
, int input_cert_size
)
977 /* move to the certificate
979 ptr
= memmem (input_cert
, input_cert_size
,
980 PEM_CERT_SEP
, sizeof (PEM_CERT_SEP
) - 1);
982 ptr
= memmem (input_cert
, input_cert_size
,
983 PEM_CERT_SEP2
, sizeof (PEM_CERT_SEP2
) - 1);
988 return GNUTLS_E_BASE64_DECODING_ERROR
;
990 size
= input_cert_size
- (ptr
- input_cert
);
999 (gnutls_x509_crt_t
*) gnutls_realloc_fast (*cert_list
,
1002 (gnutls_x509_crt_t
));
1004 if (*cert_list
== NULL
)
1007 return GNUTLS_E_MEMORY_ERROR
;
1010 ret
= gnutls_x509_crt_init (&cert_list
[0][i
- 1]);
1017 tmp
.data
= (opaque
*) ptr
;
1021 gnutls_x509_crt_import (cert_list
[0][i
- 1],
1022 &tmp
, GNUTLS_X509_FMT_PEM
);
1029 /* now we move ptr after the pem header
1033 /* find the next certificate (if any)
1040 ptr3
= memmem (ptr
, size
, PEM_CERT_SEP
, sizeof (PEM_CERT_SEP
) - 1);
1042 ptr3
= memmem (ptr
, size
,
1043 PEM_CERT_SEP2
, sizeof (PEM_CERT_SEP2
) - 1);
1046 size
= input_cert_size
- (ptr
- input_cert
);
1055 while (ptr
!= NULL
);
1062 /* Reads a DER encoded certificate list from memory and stores it to a
1063 * gnutls_cert structure. Returns the number of certificates parsed.
1066 parse_der_ca_mem (gnutls_x509_crt_t
** cert_list
, unsigned *ncerts
,
1067 const void *input_cert
, int input_cert_size
)
1076 (gnutls_x509_crt_t
*) gnutls_realloc_fast (*cert_list
,
1078 sizeof (gnutls_x509_crt_t
));
1080 if (*cert_list
== NULL
)
1083 return GNUTLS_E_MEMORY_ERROR
;
1086 tmp
.data
= (opaque
*) input_cert
;
1087 tmp
.size
= input_cert_size
;
1089 ret
= gnutls_x509_crt_init (&cert_list
[0][i
- 1]);
1097 gnutls_x509_crt_import (cert_list
[0][i
- 1], &tmp
, GNUTLS_X509_FMT_DER
);
1106 return 1; /* one certificate parsed */
1110 * gnutls_certificate_set_x509_trust_mem - Used to add trusted CAs in a gnutls_certificate_credentials_t structure
1111 * @res: is a #gnutls_certificate_credentials_t structure.
1112 * @ca: is a list of trusted CAs or a DER certificate
1113 * @type: is DER or PEM
1115 * This function adds the trusted CAs in order to verify client or
1116 * server certificates. In case of a client this is not required to
1117 * be called if the certificates are not verified using
1118 * gnutls_certificate_verify_peers2(). This function may be called
1121 * In case of a server the CAs set here will be sent to the client if
1122 * a certificate request is sent. This can be disabled using
1123 * gnutls_certificate_send_x509_rdn_sequence().
1125 * Returns: the number of certificates processed or a negative value
1129 gnutls_certificate_set_x509_trust_mem (gnutls_certificate_credentials_t res
,
1130 const gnutls_datum_t
* ca
,
1131 gnutls_x509_crt_fmt_t type
)
1135 if (type
== GNUTLS_X509_FMT_DER
)
1136 ret
= parse_der_ca_mem (&res
->x509_ca_list
, &res
->x509_ncas
,
1137 ca
->data
, ca
->size
);
1139 ret
= parse_pem_ca_mem (&res
->x509_ca_list
, &res
->x509_ncas
,
1140 ca
->data
, ca
->size
);
1142 if ((ret2
= add_new_crt_to_rdn_seq (res
, ret
)) < 0)
1149 * gnutls_certificate_set_x509_trust - Used to add trusted CAs in a gnutls_certificate_credentials_t structure
1150 * @res: is a #gnutls_certificate_credentials_t structure.
1151 * @ca_list: is a list of trusted CAs
1152 * @ca_list_size: holds the size of the CA list
1154 * This function adds the trusted CAs in order to verify client
1155 * or server certificates. In case of a client this is not required
1156 * to be called if the certificates are not verified using
1157 * gnutls_certificate_verify_peers2().
1158 * This function may be called multiple times.
1160 * In case of a server the CAs set here will be sent to the client if
1161 * a certificate request is sent. This can be disabled using
1162 * gnutls_certificate_send_x509_rdn_sequence().
1164 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1169 gnutls_certificate_set_x509_trust (gnutls_certificate_credentials_t res
,
1170 gnutls_x509_crt_t
* ca_list
,
1175 res
->x509_ca_list
= gnutls_realloc_fast (res
->x509_ca_list
,
1178 sizeof (gnutls_x509_crt_t
));
1179 if (res
->x509_ca_list
== NULL
)
1182 return GNUTLS_E_MEMORY_ERROR
;
1185 for (i
= 0; i
< ca_list_size
; i
++)
1187 ret
= gnutls_x509_crt_init (&res
->x509_ca_list
[res
->x509_ncas
]);
1194 ret
= _gnutls_x509_crt_cpy (res
->x509_ca_list
[res
->x509_ncas
],
1199 gnutls_x509_crt_deinit (res
->x509_ca_list
[res
->x509_ncas
]);
1205 if ((ret2
= add_new_crt_to_rdn_seq (res
, ca_list_size
)) < 0)
1212 * gnutls_certificate_set_x509_trust_file - Used to add trusted CAs in a gnutls_certificate_credentials_t structure
1213 * @res: is a #gnutls_certificate_credentials_t structure.
1214 * @cafile: is a file containing the list of trusted CAs (DER or PEM list)
1215 * @type: is PEM or DER
1217 * This function adds the trusted CAs in order to verify client or
1218 * server certificates. In case of a client this is not required to
1219 * be called if the certificates are not verified using
1220 * gnutls_certificate_verify_peers2(). This function may be called
1223 * In case of a server the names of the CAs set here will be sent to
1224 * the client if a certificate request is sent. This can be disabled
1225 * using gnutls_certificate_send_x509_rdn_sequence().
1227 * Returns: number of certificates processed, or a negative value on
1231 gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t res
,
1233 gnutls_x509_crt_fmt_t type
)
1237 char *data
= read_binary_file (cafile
, &size
);
1242 return GNUTLS_E_FILE_ERROR
;
1245 if (type
== GNUTLS_X509_FMT_DER
)
1246 ret
= parse_der_ca_mem (&res
->x509_ca_list
, &res
->x509_ncas
, data
, size
);
1248 ret
= parse_pem_ca_mem (&res
->x509_ca_list
, &res
->x509_ncas
, data
, size
);
1258 if ((ret2
= add_new_crt_to_rdn_seq (res
, ret
)) < 0)
1267 parse_pem_crl_mem (gnutls_x509_crl_t
** crl_list
, unsigned *ncrls
,
1268 const opaque
* input_crl
, int input_crl_size
)
1275 /* move to the certificate
1277 ptr
= memmem (input_crl
, input_crl_size
,
1278 PEM_CRL_SEP
, sizeof (PEM_CRL_SEP
) - 1);
1282 return GNUTLS_E_BASE64_DECODING_ERROR
;
1285 size
= input_crl_size
- (ptr
- input_crl
);
1294 (gnutls_x509_crl_t
*) gnutls_realloc_fast (*crl_list
,
1297 (gnutls_x509_crl_t
));
1299 if (*crl_list
== NULL
)
1302 return GNUTLS_E_MEMORY_ERROR
;
1305 ret
= gnutls_x509_crl_init (&crl_list
[0][i
- 1]);
1312 tmp
.data
= (char *) ptr
;
1316 gnutls_x509_crl_import (crl_list
[0][i
- 1],
1317 &tmp
, GNUTLS_X509_FMT_PEM
);
1324 /* now we move ptr after the pem header
1327 /* find the next certificate (if any)
1330 size
= input_crl_size
- (ptr
- input_crl
);
1333 ptr
= memmem (ptr
, size
, PEM_CRL_SEP
, sizeof (PEM_CRL_SEP
) - 1);
1340 while (ptr
!= NULL
);
1347 /* Reads a DER encoded certificate list from memory and stores it to a
1348 * gnutls_cert structure. Returns the number of certificates parsed.
1351 parse_der_crl_mem (gnutls_x509_crl_t
** crl_list
, unsigned *ncrls
,
1352 const void *input_crl
, int input_crl_size
)
1361 (gnutls_x509_crl_t
*) gnutls_realloc_fast (*crl_list
,
1363 sizeof (gnutls_x509_crl_t
));
1365 if (*crl_list
== NULL
)
1368 return GNUTLS_E_MEMORY_ERROR
;
1371 tmp
.data
= (opaque
*) input_crl
;
1372 tmp
.size
= input_crl_size
;
1374 ret
= gnutls_x509_crl_init (&crl_list
[0][i
- 1]);
1382 gnutls_x509_crl_import (crl_list
[0][i
- 1], &tmp
, GNUTLS_X509_FMT_DER
);
1391 return 1; /* one certificate parsed */
1395 /* Reads a DER or PEM CRL from memory
1398 read_crl_mem (gnutls_certificate_credentials_t res
, const void *crl
,
1399 int crl_size
, gnutls_x509_crt_fmt_t type
)
1403 /* allocate space for the certificate to add
1405 res
->x509_crl_list
= gnutls_realloc_fast (res
->x509_crl_list
,
1408 sizeof (gnutls_x509_crl_t
));
1409 if (res
->x509_crl_list
== NULL
)
1412 return GNUTLS_E_MEMORY_ERROR
;
1415 if (type
== GNUTLS_X509_FMT_DER
)
1416 ret
= parse_der_crl_mem (&res
->x509_crl_list
,
1417 &res
->x509_ncrls
, crl
, crl_size
);
1419 ret
= parse_pem_crl_mem (&res
->x509_crl_list
,
1420 &res
->x509_ncrls
, crl
, crl_size
);
1432 * gnutls_certificate_set_x509_crl_mem - Used to add CRLs in a gnutls_certificate_credentials_t structure
1433 * @res: is a #gnutls_certificate_credentials_t structure.
1434 * @CRL: is a list of trusted CRLs. They should have been verified before.
1435 * @type: is DER or PEM
1437 * This function adds the trusted CRLs in order to verify client or
1438 * server certificates. In case of a client this is not required to
1439 * be called if the certificates are not verified using
1440 * gnutls_certificate_verify_peers2(). This function may be called
1443 * Returns: number of CRLs processed, or a negative value on error.
1446 gnutls_certificate_set_x509_crl_mem (gnutls_certificate_credentials_t res
,
1447 const gnutls_datum_t
* CRL
,
1448 gnutls_x509_crt_fmt_t type
)
1452 if ((ret
= read_crl_mem (res
, CRL
->data
, CRL
->size
, type
)) < 0)
1459 * gnutls_certificate_set_x509_crl - Used to add CRLs in a gnutls_certificate_credentials_t structure
1460 * @res: is a #gnutls_certificate_credentials_t structure.
1461 * @crl_list: is a list of trusted CRLs. They should have been verified before.
1462 * @crl_list_size: holds the size of the crl_list
1464 * This function adds the trusted CRLs in order to verify client or
1465 * server certificates. In case of a client this is not required to
1466 * be called if the certificates are not verified using
1467 * gnutls_certificate_verify_peers2(). This function may be called
1470 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1475 gnutls_certificate_set_x509_crl (gnutls_certificate_credentials_t res
,
1476 gnutls_x509_crl_t
* crl_list
,
1481 res
->x509_crl_list
= gnutls_realloc_fast (res
->x509_crl_list
,
1484 sizeof (gnutls_x509_crl_t
));
1485 if (res
->x509_crl_list
== NULL
)
1488 return GNUTLS_E_MEMORY_ERROR
;
1491 for (i
= 0; i
< crl_list_size
; i
++)
1493 ret
= gnutls_x509_crl_init (&res
->x509_crl_list
[res
->x509_ncrls
]);
1500 ret
= _gnutls_x509_crl_cpy (res
->x509_crl_list
[res
->x509_ncrls
],
1514 * gnutls_certificate_set_x509_crl_file - Used to add CRLs in a gnutls_certificate_credentials_t structure
1515 * @res: is a #gnutls_certificate_credentials_t structure.
1516 * @crlfile: is a file containing the list of verified CRLs (DER or PEM list)
1517 * @type: is PEM or DER
1519 * This function adds the trusted CRLs in order to verify client or server
1520 * certificates. In case of a client this is not required
1521 * to be called if the certificates are not verified using
1522 * gnutls_certificate_verify_peers2().
1523 * This function may be called multiple times.
1525 * Returns: number of CRLs processed or a negative value on error.
1528 gnutls_certificate_set_x509_crl_file (gnutls_certificate_credentials_t res
,
1529 const char *crlfile
,
1530 gnutls_x509_crt_fmt_t type
)
1534 char *data
= read_binary_file (crlfile
, &size
);
1539 return GNUTLS_E_FILE_ERROR
;
1542 if (type
== GNUTLS_X509_FMT_DER
)
1543 ret
= parse_der_crl_mem (&res
->x509_crl_list
, &res
->x509_ncrls
,
1546 ret
= parse_pem_crl_mem (&res
->x509_crl_list
, &res
->x509_ncrls
,
1560 #include <gnutls/pkcs12.h>
1563 parse_pkcs12 (gnutls_certificate_credentials_t res
,
1564 gnutls_pkcs12_t p12
,
1565 const char *password
,
1566 gnutls_x509_privkey_t
* key
,
1567 gnutls_x509_crt_t
* cert
, gnutls_x509_crl_t
* crl
)
1569 gnutls_pkcs12_bag_t bag
= NULL
;
1572 size_t cert_id_size
= 0;
1573 size_t key_id_size
= 0;
1582 /* find the first private key */
1585 int elements_in_bag
;
1588 ret
= gnutls_pkcs12_bag_init (&bag
);
1596 ret
= gnutls_pkcs12_get_bag (p12
, idx
, bag
);
1597 if (ret
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
)
1605 ret
= gnutls_pkcs12_bag_get_type (bag
, 0);
1612 if (ret
== GNUTLS_BAG_ENCRYPTED
)
1614 ret
= gnutls_pkcs12_bag_decrypt (bag
, password
);
1622 elements_in_bag
= gnutls_pkcs12_bag_get_count (bag
);
1623 if (elements_in_bag
< 0)
1629 for (i
= 0; i
< elements_in_bag
; i
++)
1632 gnutls_datum_t data
;
1634 type
= gnutls_pkcs12_bag_get_type (bag
, i
);
1641 ret
= gnutls_pkcs12_bag_get_data (bag
, i
, &data
);
1650 case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY
:
1651 case GNUTLS_BAG_PKCS8_KEY
:
1652 if (*key
!= NULL
) /* too simple to continue */
1658 ret
= gnutls_x509_privkey_init (key
);
1665 ret
= gnutls_x509_privkey_import_pkcs8
1666 (*key
, &data
, GNUTLS_X509_FMT_DER
, password
,
1667 type
== GNUTLS_BAG_PKCS8_KEY
? GNUTLS_PKCS_PLAIN
: 0);
1671 gnutls_x509_privkey_deinit( *key
);
1675 key_id_size
= sizeof(key_id
);
1676 ret
= gnutls_x509_privkey_get_key_id( *key
, 0, key_id
, &key_id_size
);
1680 gnutls_x509_privkey_deinit( *key
);
1684 privkey_ok
= 1; /* break */
1692 gnutls_pkcs12_bag_deinit (bag
);
1694 if (privkey_ok
!= 0) /* private key was found */
1698 if (privkey_ok
== 0) /* no private key */
1701 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
;
1704 /* now find the corresponding certificate
1710 int elements_in_bag
;
1713 ret
= gnutls_pkcs12_bag_init (&bag
);
1721 ret
= gnutls_pkcs12_get_bag (p12
, idx
, bag
);
1722 if (ret
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
)
1730 ret
= gnutls_pkcs12_bag_get_type (bag
, 0);
1737 if (ret
== GNUTLS_BAG_ENCRYPTED
)
1739 ret
= gnutls_pkcs12_bag_decrypt (bag
, password
);
1747 elements_in_bag
= gnutls_pkcs12_bag_get_count (bag
);
1748 if (elements_in_bag
< 0)
1754 for (i
= 0; i
< elements_in_bag
; i
++)
1757 gnutls_datum_t data
;
1759 type
= gnutls_pkcs12_bag_get_type (bag
, i
);
1766 ret
= gnutls_pkcs12_bag_get_data (bag
, i
, &data
);
1775 case GNUTLS_BAG_CERTIFICATE
:
1776 if (*cert
!= NULL
) /* no need to set it again */
1782 ret
= gnutls_x509_crt_init (cert
);
1790 gnutls_x509_crt_import (*cert
, &data
, GNUTLS_X509_FMT_DER
);
1794 gnutls_x509_crt_deinit( *cert
);
1798 /* check if the key id match */
1799 cert_id_size
= sizeof(cert_id
);
1800 ret
= gnutls_x509_crt_get_key_id( *cert
, 0, cert_id
, &cert_id_size
);
1804 gnutls_x509_crt_deinit( *cert
);
1808 if (memcmp( cert_id
, key_id
, cert_id_size
) != 0)
1809 { /* they don't match - skip the certificate */
1810 gnutls_x509_crt_deinit( *cert
);
1815 case GNUTLS_BAG_CRL
:
1822 ret
= gnutls_x509_crl_init (crl
);
1829 ret
= gnutls_x509_crl_import (*crl
, &data
, GNUTLS_X509_FMT_DER
);
1833 gnutls_x509_crl_deinit( *crl
);
1838 case GNUTLS_BAG_ENCRYPTED
:
1839 /* XXX Bother to recurse one level down? Unlikely to
1840 use the same password anyway. */
1841 case GNUTLS_BAG_EMPTY
:
1848 gnutls_pkcs12_bag_deinit (bag
);
1855 gnutls_pkcs12_bag_deinit (bag
);
1861 * gnutls_certificate_set_x509_simple_pkcs12_file:
1862 * @res: is a #gnutls_certificate_credentials_t structure.
1863 * @pkcs12file: filename of file containing PKCS#12 blob.
1864 * @type: is PEM or DER of the @pkcs12file.
1865 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
1867 * This function sets a certificate/private key pair and/or a CRL in
1868 * the gnutls_certificate_credentials_t structure. This function may
1869 * be called more than once (in case multiple keys/certificates exist
1872 * MAC:ed PKCS#12 files are supported. Encrypted PKCS#12 bags are
1873 * supported. Encrypted PKCS#8 private keys are supported. However,
1874 * only password based security, and the same password for all
1875 * operations, are supported.
1877 * The private keys may be RSA PKCS#1 or DSA private keys encoded in
1880 * PKCS#12 file may contain many keys and/or certificates, and there
1881 * is no way to identify which key/certificate pair you want. You
1882 * should make sure the PKCS#12 file only contain one key/certificate
1883 * pair and/or one CRL.
1885 * It is believed that the limitations of this function is acceptable
1886 * for most usage, and that any more flexibility would introduce
1887 * complexity that would make it harder to use this functionality at
1890 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1893 gnutls_certificate_set_x509_simple_pkcs12_file
1894 (gnutls_certificate_credentials_t res
, const char *pkcs12file
,
1895 gnutls_x509_crt_fmt_t type
, const char *password
)
1897 gnutls_datum_t p12blob
;
1901 p12blob
.data
= read_binary_file (pkcs12file
, &size
);
1902 p12blob
.size
= (unsigned int) size
;
1903 if (p12blob
.data
== NULL
)
1906 return GNUTLS_E_FILE_ERROR
;
1909 ret
= gnutls_certificate_set_x509_simple_pkcs12_mem(res
, &p12blob
, type
, password
);
1916 * gnutls_certificate_set_x509_simple_pkcs12_mem:
1917 * @res: is a #gnutls_certificate_credentials_t structure.
1918 * @p12blob: the PKCS#12 blob.
1919 * @type: is PEM or DER of the @pkcs12file.
1920 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
1922 * This function sets a certificate/private key pair and/or a CRL in
1923 * the gnutls_certificate_credentials_t structure. This function may
1924 * be called more than once (in case multiple keys/certificates exist
1927 * MAC:ed PKCS#12 files are supported. Encrypted PKCS#12 bags are
1928 * supported. Encrypted PKCS#8 private keys are supported. However,
1929 * only password based security, and the same password for all
1930 * operations, are supported.
1932 * The private keys may be RSA PKCS#1 or DSA private keys encoded in
1935 * PKCS#12 file may contain many keys and/or certificates, and there
1936 * is no way to identify which key/certificate pair you want. You
1937 * should make sure the PKCS#12 file only contain one key/certificate
1938 * pair and/or one CRL.
1940 * It is believed that the limitations of this function is acceptable
1941 * for most usage, and that any more flexibility would introduce
1942 * complexity that would make it harder to use this functionality at
1945 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1950 gnutls_certificate_set_x509_simple_pkcs12_mem
1951 (gnutls_certificate_credentials_t res
, const gnutls_datum_t
*p12blob
,
1952 gnutls_x509_crt_fmt_t type
, const char *password
)
1954 gnutls_pkcs12_t p12
;
1955 gnutls_x509_privkey_t key
= NULL
;
1956 gnutls_x509_crt_t cert
= NULL
;
1957 gnutls_x509_crl_t crl
= NULL
;
1960 ret
= gnutls_pkcs12_init (&p12
);
1967 ret
= gnutls_pkcs12_import (p12
, p12blob
, type
, 0);
1971 gnutls_pkcs12_deinit (p12
);
1977 ret
= gnutls_pkcs12_verify_mac (p12
, password
);
1981 gnutls_pkcs12_deinit (p12
);
1986 ret
= parse_pkcs12 (res
, p12
, password
, &key
, &cert
, &crl
);
1987 gnutls_pkcs12_deinit (p12
);
1996 ret
= gnutls_certificate_set_x509_key (res
, &cert
, 1, key
);
2006 ret
= gnutls_certificate_set_x509_crl (res
, &crl
, 1);
2014 /* check if the key and certificate found match */
2015 if (key
&& (ret
= _gnutls_check_key_cert_match (res
)) < 0)
2025 gnutls_x509_crt_deinit (cert
);
2027 gnutls_x509_privkey_deinit (key
);
2029 gnutls_x509_crl_deinit (crl
);
2037 * gnutls_certificate_free_crls - Used to free all the CRLs from a gnutls_certificate_credentials_t structure
2038 * @sc: is a #gnutls_certificate_credentials_t structure.
2040 * This function will delete all the CRLs associated
2041 * with the given credentials.
2045 gnutls_certificate_free_crls (gnutls_certificate_credentials_t sc
)
2049 for (j
= 0; j
< sc
->x509_ncrls
; j
++)
2051 gnutls_x509_crl_deinit (sc
->x509_crl_list
[j
]);
2056 gnutls_free (sc
->x509_crl_list
);
2057 sc
->x509_crl_list
= NULL
;