search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix.
[gnutls.git] / lib / gnutls_x509.c
blobab7e44709f5cbe37902675e5b402ec1dca1583f1
1 /*
2 * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25 #include <gnutls_int.h>
26 #include "gnutls_auth.h"
27 #include "gnutls_errors.h"
28 #include <gnutls_cert.h>
29 #include <auth_cert.h>
30 #include "gnutls_dh.h"
31 #include "gnutls_num.h"
32 #include "gnutls_datum.h"
33 #include <gnutls_pk.h>
34 #include <gnutls_algorithms.h>
35 #include <gnutls_global.h>
36 #include <gnutls_record.h>
37 #include <gnutls_sig.h>
38 #include <gnutls_state.h>
39 #include <gnutls_pk.h>
40 #include <gnutls_str.h>
41 #include <debug.h>
42 #include <x509_b64.h>
43 #include <gnutls_x509.h>
44 #include "x509/common.h"
45 #include "x509/x509_int.h"
46 #include "read-file.h"
47
48 /*
49 * some x509 certificate parsing functions.
50 */
51
52 /* Check if the number of bits of the key in the certificate
53 * is unacceptable.
54 */
55 inline static int
56 check_bits (gnutls_x509_crt_t crt, unsigned int max_bits)
57 {
58 int ret;
59 unsigned int bits;
60
61 ret = gnutls_x509_crt_get_pk_algorithm (crt, &bits);
62 if (ret < 0)
63 {
64 gnutls_assert ();
65 return ret;
66 }
67
68 if (bits > max_bits && max_bits > 0)
69 {
70 gnutls_assert ();
71 return GNUTLS_E_CONSTRAINT_ERROR;
72 }
73
74 return 0;
75 }
76
77
78 #define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) { \
79 if (peer_certificate_list[x]) \
80 gnutls_x509_crt_deinit(peer_certificate_list[x]); \
81 } \
82 gnutls_free( peer_certificate_list)
83
84 /*-
85 * _gnutls_x509_cert_verify_peers - return the peer's certificate status
86 * @session: is a gnutls session
87 *
88 * This function will try to verify the peer's certificate and return its status (TRUSTED, REVOKED etc.).
89 * The return value (status) should be one of the gnutls_certificate_status_t enumerated elements.
90 * However you must also check the peer's name in order to check if the verified certificate belongs to the
91 * actual peer. Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
92 *
93 -*/
94 int
95 _gnutls_x509_cert_verify_peers (gnutls_session_t session,
96 unsigned int *status)
97 {
98 cert_auth_info_t info;
99 gnutls_certificate_credentials_t cred;
100 gnutls_x509_crt_t *peer_certificate_list;
101 int peer_certificate_list_size, i, x, ret;
102
103 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
104
105 info = _gnutls_get_auth_info (session);
106 if (info == NULL)
107 {
108 gnutls_assert ();
109 return GNUTLS_E_INVALID_REQUEST;
110 }
111
112 cred = (gnutls_certificate_credentials_t)
113 _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL);
114 if (cred == NULL)
115 {
116 gnutls_assert ();
117 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
118 }
119
120 if (info->raw_certificate_list == NULL || info->ncerts == 0)
121 return GNUTLS_E_NO_CERTIFICATE_FOUND;
122
123 if (info->ncerts > cred->verify_depth && cred->verify_depth > 0)
124 {
125 gnutls_assert ();
126 return GNUTLS_E_CONSTRAINT_ERROR;
127 }
128
129 /* generate a list of gnutls_certs based on the auth info
130 * raw certs.
131 */
132 peer_certificate_list_size = info->ncerts;
133 peer_certificate_list =
134 gnutls_calloc (peer_certificate_list_size, sizeof (gnutls_x509_crt_t));
135 if (peer_certificate_list == NULL)
136 {
137 gnutls_assert ();
138 return GNUTLS_E_MEMORY_ERROR;
139 }
140
141 for (i = 0; i < peer_certificate_list_size; i++)
142 {
143 ret = gnutls_x509_crt_init (&peer_certificate_list[i]);
144 if (ret < 0)
145 {
146 gnutls_assert ();
147 CLEAR_CERTS;
148 return ret;
149 }
150
151 ret =
152 gnutls_x509_crt_import (peer_certificate_list[i],
153 &info->raw_certificate_list[i],
154 GNUTLS_X509_FMT_DER);
155 if (ret < 0)
156 {
157 gnutls_assert ();
158 CLEAR_CERTS;
159 return ret;
160 }
161
162
163 if (ret < 0)
164 {
165 gnutls_assert();
166 CLEAR_CERTS;
167 return ret;
168 }
169
170 ret = check_bits (peer_certificate_list[i], cred->verify_bits);
171 if (ret < 0)
172 {
173 gnutls_assert ();
174 CLEAR_CERTS;
175 return ret;
176 }
177
178 }
179
180 /* Verify certificate
181 */
182
183 ret = gnutls_x509_crt_list_verify (peer_certificate_list,
184 peer_certificate_list_size,
185 cred->x509_ca_list, cred->x509_ncas,
186 cred->x509_crl_list, cred->x509_ncrls,
187 cred->verify_flags | session->internals.priorities.additional_verify_flags,
188 status);
189
190 CLEAR_CERTS;
191
192 if (ret < 0)
193 {
194 gnutls_assert ();
195 return ret;
196 }
197
198 return 0;
199 }
200
201 /*
202 * Read certificates and private keys, from files, memory etc.
203 */
204
205 /* returns error if the certificate has different algorithm than
206 * the given key parameters.
207 */
208 static int
209 _gnutls_check_key_cert_match (gnutls_certificate_credentials_t res)
210 {
211 gnutls_datum_t cid;
212 gnutls_datum_t kid;
213 unsigned pk = res->cert_list[res->ncerts - 1][0].subject_pk_algorithm;
214
215 if (res->pkey[res->ncerts - 1].pk_algorithm != pk)
216 {
217 gnutls_assert ();
218 return GNUTLS_E_CERTIFICATE_KEY_MISMATCH;
219 }
220
221 if (pk == GNUTLS_PK_RSA)
222 {
223 _gnutls_x509_write_rsa_params (res->pkey[res->ncerts - 1].params,
224 res->pkey[res->ncerts -
225 1].params_size, &kid);
226
227
228 _gnutls_x509_write_rsa_params (res->cert_list[res->ncerts - 1][0].
229 params,
230 res->cert_list[res->ncerts -
231 1][0].params_size, &cid);
232 }
233 else if (pk == GNUTLS_PK_DSA)
234 {
235
236 _gnutls_x509_write_dsa_params (res->pkey[res->ncerts - 1].params,
237 res->pkey[res->ncerts -
238 1].params_size, &kid);
239
240 _gnutls_x509_write_dsa_params (res->cert_list[res->ncerts - 1][0].
241 params,
242 res->cert_list[res->ncerts -
243 1][0].params_size, &cid);
244 }
245
246 if (cid.size != kid.size)
247 {
248 gnutls_assert ();
249 _gnutls_free_datum (&kid);
250 _gnutls_free_datum (&cid);
251 return GNUTLS_E_CERTIFICATE_KEY_MISMATCH;
252 }
253
254 if (memcmp (kid.data, cid.data, kid.size) != 0)
255 {
256 gnutls_assert ();
257 _gnutls_free_datum (&kid);
258 _gnutls_free_datum (&cid);
259 return GNUTLS_E_CERTIFICATE_KEY_MISMATCH;
260 }
261
262 _gnutls_free_datum (&kid);
263 _gnutls_free_datum (&cid);
264 return 0;
265 }
266
267 /* Reads a DER encoded certificate list from memory and stores it to a
268 * gnutls_cert structure. Returns the number of certificates parsed.
269 */
270 static int
271 parse_crt_mem (gnutls_cert ** cert_list, unsigned *ncerts,
272 gnutls_x509_crt_t cert)
273 {
274 int i;
275 int ret;
276
277 i = *ncerts + 1;
278
279 *cert_list =
280 (gnutls_cert *) gnutls_realloc_fast (*cert_list,
281 i * sizeof (gnutls_cert));
282
283 if (*cert_list == NULL)
284 {
285 gnutls_assert ();
286 return GNUTLS_E_MEMORY_ERROR;
287 }
288
289 ret = _gnutls_x509_crt_to_gcert (&cert_list[0][i - 1], cert, 0);
290 if (ret < 0)
291 {
292 gnutls_assert ();
293 return ret;
294 }
295
296 *ncerts = i;
297
298 return 1; /* one certificate parsed */
299 }
300
301 /* Reads a DER encoded certificate list from memory and stores it to a
302 * gnutls_cert structure. Returns the number of certificates parsed.
303 */
304 static int
305 parse_der_cert_mem (gnutls_cert ** cert_list, unsigned *ncerts,
306 const void *input_cert, int input_cert_size)
307 {
308 gnutls_datum_t tmp;
309 gnutls_x509_crt_t cert;
310 int ret;
311
312 ret = gnutls_x509_crt_init (&cert);
313 if (ret < 0)
314 {
315 gnutls_assert ();
316 return ret;
317 }
318
319 tmp.data = (opaque *) input_cert;
320 tmp.size = input_cert_size;
321
322 ret = gnutls_x509_crt_import (cert, &tmp, GNUTLS_X509_FMT_DER);
323 if (ret < 0)
324 {
325 gnutls_assert ();
326 gnutls_x509_crt_deinit (cert);
327 return ret;
328 }
329
330 ret = parse_crt_mem (cert_list, ncerts, cert);
331 gnutls_x509_crt_deinit (cert);
332
333 return ret;
334 }
335
336 /* Reads a base64 encoded certificate list from memory and stores it to
337 * a gnutls_cert structure. Returns the number of certificate parsed.
338 */
339 static int
340 parse_pem_cert_mem (gnutls_cert ** cert_list, unsigned *ncerts,
341 const char *input_cert, int input_cert_size)
342 {
343 int size, siz2, i;
344 const char *ptr;
345 opaque *ptr2;
346 gnutls_datum_t tmp;
347 int ret, count;
348
349 /* move to the certificate
350 */
351 ptr = memmem (input_cert, input_cert_size,
352 PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
353 if (ptr == NULL)
354 ptr = memmem (input_cert, input_cert_size,
355 PEM_CERT_SEP2, sizeof (PEM_CERT_SEP2) - 1);
356
357 if (ptr == NULL)
358 {
359 gnutls_assert ();
360 return GNUTLS_E_BASE64_DECODING_ERROR;
361 }
362 size = input_cert_size - (ptr - input_cert);
363
364 i = *ncerts + 1;
365 count = 0;
366
367 do
368 {
369
370 siz2 = _gnutls_fbase64_decode (NULL, ptr, size, &ptr2);
371
372 if (siz2 < 0)
373 {
374 gnutls_assert ();
375 return GNUTLS_E_BASE64_DECODING_ERROR;
376 }
377
378 *cert_list =
379 (gnutls_cert *) gnutls_realloc_fast (*cert_list,
380 i * sizeof (gnutls_cert));
381
382 if (*cert_list == NULL)
383 {
384 gnutls_assert ();
385 return GNUTLS_E_MEMORY_ERROR;
386 }
387
388 tmp.data = ptr2;
389 tmp.size = siz2;
390
391 ret = _gnutls_x509_raw_cert_to_gcert (&cert_list[0][i - 1], &tmp, 0);
392 if (ret < 0)
393 {
394 gnutls_assert ();
395 return ret;
396 }
397 _gnutls_free_datum (&tmp); /* free ptr2 */
398
399 /* now we move ptr after the pem header
400 */
401 ptr++;
402 /* find the next certificate (if any)
403 */
404 size = input_cert_size - (ptr - input_cert);
405
406 if (size > 0)
407 {
408 char *ptr3;
409
410 ptr3 = memmem (ptr, size, PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
411 if (ptr3 == NULL)
412 ptr3 = memmem (ptr, size, PEM_CERT_SEP2,
413 sizeof (PEM_CERT_SEP2) - 1);
414
415 ptr = ptr3;
416 }
417 else
418 ptr = NULL;
419
420 i++;
421 count++;
422
423 }
424 while (ptr != NULL);
425
426 *ncerts = i - 1;
427
428 return count;
429 }
430
431
432
433 /* Reads a DER or PEM certificate from memory
434 */
435 static int
436 read_cert_mem (gnutls_certificate_credentials_t res, const void *cert,
437 int cert_size, gnutls_x509_crt_fmt_t type)
438 {
439 int ret;
440
441 /* allocate space for the certificate to add
442 */
443 res->cert_list = gnutls_realloc_fast (res->cert_list,
444 (1 +
445 res->ncerts) *
446 sizeof (gnutls_cert *));
447 if (res->cert_list == NULL)
448 {
449 gnutls_assert ();
450 return GNUTLS_E_MEMORY_ERROR;
451 }
452
453 res->cert_list_length = gnutls_realloc_fast (res->cert_list_length,
454 (1 +
455 res->ncerts) * sizeof (int));
456 if (res->cert_list_length == NULL)
457 {
458 gnutls_assert ();
459 return GNUTLS_E_MEMORY_ERROR;
460 }
461
462 res->cert_list[res->ncerts] = NULL; /* for realloc */
463 res->cert_list_length[res->ncerts] = 0;
464
465 if (type == GNUTLS_X509_FMT_DER)
466 ret = parse_der_cert_mem (&res->cert_list[res->ncerts],
467 &res->cert_list_length[res->ncerts],
468 cert, cert_size);
469 else
470 ret = parse_pem_cert_mem (&res->cert_list[res->ncerts],
471 &res->cert_list_length[res->ncerts], cert,
472 cert_size);
473
474 if (ret < 0)
475 {
476 gnutls_assert ();
477 return ret;
478 }
479
480 return ret;
481 }
482
483
484 int
485 _gnutls_x509_privkey_to_gkey (gnutls_privkey * dest,
486 gnutls_x509_privkey_t src)
487 {
488 int i, ret;
489
490 memset (dest, 0, sizeof (gnutls_privkey));
491
492 for (i = 0; i < src->params_size; i++)
493 {
494 dest->params[i] = _gnutls_mpi_copy (src->params[i]);
495 if (dest->params[i] == NULL)
496 {
497 gnutls_assert ();
498 ret = GNUTLS_E_MEMORY_ERROR;
499 goto cleanup;
500 }
501 }
502
503 dest->pk_algorithm = src->pk_algorithm;
504 dest->params_size = src->params_size;
505
506 return 0;
507
508 cleanup:
509
510 for (i = 0; i < src->params_size; i++)
511 {
512 _gnutls_mpi_release (&dest->params[i]);
513 }
514 return ret;
515 }
516
517 void
518 _gnutls_gkey_deinit (gnutls_privkey * key)
519 {
520 int i;
521 if (key == NULL)
522 return;
523
524 for (i = 0; i < key->params_size; i++)
525 {
526 _gnutls_mpi_release (&key->params[i]);
527 }
528 }
529
530 int
531 _gnutls_x509_raw_privkey_to_gkey (gnutls_privkey * privkey,
532 const gnutls_datum_t * raw_key,
533 gnutls_x509_crt_fmt_t type)
534 {
535 gnutls_x509_privkey_t tmpkey;
536 int ret;
537
538 ret = gnutls_x509_privkey_init (&tmpkey);
539 if (ret < 0)
540 {
541 gnutls_assert ();
542 return ret;
543 }
544
545 ret = gnutls_x509_privkey_import (tmpkey, raw_key, type);
546
547 #ifdef ENABLE_PKI
548 /* If normal key decoding doesn't work try decoding a plain PKCS #8 key */
549 if (ret < 0)
550 ret = gnutls_x509_privkey_import_pkcs8 (tmpkey, raw_key, type,
551 NULL, GNUTLS_PKCS_PLAIN);
552 #endif
553
554 if (ret < 0)
555 {
556 gnutls_assert ();
557 gnutls_x509_privkey_deinit (tmpkey);
558 return ret;
559 }
560
561 ret = _gnutls_x509_privkey_to_gkey (privkey, tmpkey);
562 if (ret < 0)
563 {
564 gnutls_assert ();
565 gnutls_x509_privkey_deinit (tmpkey);
566 return ret;
567 }
568
569 gnutls_x509_privkey_deinit (tmpkey);
570
571 return 0;
572 }
573
574 /* Reads a PEM encoded PKCS-1 RSA/DSA private key from memory. Type
575 * indicates the certificate format. KEY can be NULL, to indicate
576 * that GnuTLS doesn't know the private key.
577 */
578 static int
579 read_key_mem (gnutls_certificate_credentials_t res,
580 const void *key, int key_size, gnutls_x509_crt_fmt_t type)
581 {
582 int ret;
583 gnutls_datum_t tmp;
584
585 /* allocate space for the pkey list
586 */
587 res->pkey =
588 gnutls_realloc_fast (res->pkey,
589 (res->ncerts + 1) * sizeof (gnutls_privkey));
590 if (res->pkey == NULL)
591 {
592 gnutls_assert ();
593 return GNUTLS_E_MEMORY_ERROR;
594 }
595
596 if (key)
597 {
598 tmp.data = (opaque *) key;
599 tmp.size = key_size;
600
601 ret =
602 _gnutls_x509_raw_privkey_to_gkey (&res->pkey[res->ncerts], &tmp,
603 type);
604 if (ret < 0)
605 {
606 gnutls_assert ();
607 return ret;
608 }
609 }
610 else
611 memset (&res->pkey[res->ncerts], 0, sizeof (gnutls_privkey));
612
613 return 0;
614 }
615
616 /* Reads a certificate file
617 */
618 static int
619 read_cert_file (gnutls_certificate_credentials_t res,
620 const char *certfile, gnutls_x509_crt_fmt_t type)
621 {
622 int ret;
623 size_t size;
624 char *data = read_binary_file (certfile, &size);
625
626 if (data == NULL)
627 {
628 gnutls_assert ();
629 return GNUTLS_E_FILE_ERROR;
630 }
631
632 ret = read_cert_mem (res, data, size, type);
633 free (data);
634
635 return ret;
636
637 }
638
639
640
641 /* Reads PKCS-1 RSA private key file or a DSA file (in the format openssl
642 * stores it).
643 */
644 static int
645 read_key_file (gnutls_certificate_credentials_t res,
646 const char *keyfile, gnutls_x509_crt_fmt_t type)
647 {
648 int ret;
649 size_t size;
650 char *data = read_binary_file (keyfile, &size);
651
652 if (data == NULL)
653 {
654 gnutls_assert ();
655 return GNUTLS_E_FILE_ERROR;
656 }
657
658 ret = read_key_mem (res, data, size, type);
659 free (data);
660
661 return ret;
662 }
663
664 /**
665 * gnutls_certificate_set_x509_key_mem - Used to set keys in a gnutls_certificate_credentials_t structure
666 * @res: is a #gnutls_certificate_credentials_t structure.
667 * @cert: contains a certificate list (path) for the specified private key
668 * @key: is the private key, or %NULL
669 * @type: is PEM or DER
670 *
671 * This function sets a certificate/private key pair in the
672 * gnutls_certificate_credentials_t structure. This function may be called
673 * more than once (in case multiple keys/certificates exist for the
674 * server).
675 *
676 * Currently are supported: RSA PKCS-1 encoded private keys,
677 * DSA private keys.
678 *
679 * DSA private keys are encoded the OpenSSL way, which is an ASN.1
680 * DER sequence of 6 INTEGERs - version, p, q, g, pub, priv.
681 *
682 * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates
683 * is supported. This means that certificates intended for signing cannot
684 * be used for ciphersuites that require encryption.
685 *
686 * If the certificate and the private key are given in PEM encoding
687 * then the strings that hold their values must be null terminated.
688 *
689 * The @key may be %NULL if you are using a sign callback, see
690 * gnutls_sign_callback_set().
691 *
692 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
693 **/
694 int
695 gnutls_certificate_set_x509_key_mem (gnutls_certificate_credentials_t res,
696 const gnutls_datum_t * cert,
697 const gnutls_datum_t * key,
698 gnutls_x509_crt_fmt_t type)
699 {
700 int ret;
701
702 /* this should be first
703 */
704 if ((ret = read_key_mem (res, key ? key->data : NULL,
705 key ? key->size : 0, type)) < 0)
706 return ret;
707
708 if ((ret = read_cert_mem (res, cert->data, cert->size, type)) < 0)
709 return ret;
710
711 res->ncerts++;
712
713 if (key && (ret = _gnutls_check_key_cert_match (res)) < 0)
714 {
715 gnutls_assert ();
716 return ret;
717 }
718
719 return 0;
720 }
721
722 /**
723 * gnutls_certificate_set_x509_key - Used to set keys in a gnutls_certificate_credentials_t structure
724 * @res: is a #gnutls_certificate_credentials_t structure.
725 * @cert_list: contains a certificate list (path) for the specified private key
726 * @cert_list_size: holds the size of the certificate list
727 * @key: is a gnutls_x509_privkey_t key
728 *
729 * This function sets a certificate/private key pair in the
730 * gnutls_certificate_credentials_t structure. This function may be
731 * called more than once (in case multiple keys/certificates exist
732 * for the server).
733 *
734 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
735 *
736 * Since: 2.4.0
737 **/
738 int
739 gnutls_certificate_set_x509_key (gnutls_certificate_credentials_t res,
740 gnutls_x509_crt_t * cert_list,
741 int cert_list_size,
742 gnutls_x509_privkey_t key)
743 {
744 int ret, i;
745
746 /* this should be first
747 */
748
749 res->pkey =
750 gnutls_realloc_fast (res->pkey,
751 (res->ncerts + 1) * sizeof (gnutls_privkey));
752 if (res->pkey == NULL)
753 {
754 gnutls_assert ();
755 return GNUTLS_E_MEMORY_ERROR;
756 }
757
758 ret = _gnutls_x509_privkey_to_gkey (&res->pkey[res->ncerts], key);
759 if (ret < 0)
760 {
761 gnutls_assert ();
762 return ret;
763 }
764
765 res->cert_list = gnutls_realloc_fast (res->cert_list,
766 (1 +
767 res->ncerts) *
768 sizeof (gnutls_cert *));
769 if (res->cert_list == NULL)
770 {
771 gnutls_assert ();
772 return GNUTLS_E_MEMORY_ERROR;
773 }
774
775 res->cert_list_length = gnutls_realloc_fast (res->cert_list_length,
776 (1 +
777 res->ncerts) * sizeof (int));
778 if (res->cert_list_length == NULL)
779 {
780 gnutls_assert ();
781 return GNUTLS_E_MEMORY_ERROR;
782 }
783
784 res->cert_list[res->ncerts] = NULL; /* for realloc */
785 res->cert_list_length[res->ncerts] = 0;
786
787
788 for (i = 0; i < cert_list_size; i++)
789 {
790 ret = parse_crt_mem (&res->cert_list[res->ncerts],
791 &res->cert_list_length[res->ncerts], cert_list[i]);
792 if (ret < 0)
793 {
794 gnutls_assert ();
795 return ret;
796 }
797 }
798 res->ncerts++;
799
800 if ((ret = _gnutls_check_key_cert_match (res)) < 0)
801 {
802 gnutls_assert ();
803 return ret;
804 }
805
806 return 0;
807 }
808
809 /**
810 * gnutls_certificate_set_x509_key_file - Used to set keys in a gnutls_certificate_credentials_t structure
811 * @res: is a #gnutls_certificate_credentials_t structure.
812 * @certfile: is a file that containing the certificate list (path) for
813 * the specified private key, in PKCS7 format, or a list of certificates
814 * @keyfile: is a file that contains the private key
815 * @type: is PEM or DER
816 *
817 * This function sets a certificate/private key pair in the
818 * gnutls_certificate_credentials_t structure. This function may be
819 * called more than once (in case multiple keys/certificates exist
820 * for the server).
821 *
822 * Currently only PKCS-1 encoded RSA and DSA private keys are accepted by
823 * this function.
824 *
825 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
826 **/
827 int
828 gnutls_certificate_set_x509_key_file (gnutls_certificate_credentials_t res,
829 const char *certfile,
830 const char *keyfile,
831 gnutls_x509_crt_fmt_t type)
832 {
833 int ret;
834
835 /* this should be first
836 */
837 if ((ret = read_key_file (res, keyfile, type)) < 0)
838 return ret;
839
840 if ((ret = read_cert_file (res, certfile, type)) < 0)
841 return ret;
842
843 res->ncerts++;
844
845 if ((ret = _gnutls_check_key_cert_match (res)) < 0)
846 {
847 gnutls_assert ();
848 return ret;
849 }
850
851 return 0;
852 }
853
854 static int
855 add_new_crt_to_rdn_seq (gnutls_certificate_credentials_t res, int new)
856 {
857 gnutls_datum_t tmp;
858 int ret;
859 size_t newsize;
860 unsigned char *newdata;
861 unsigned i;
862
863 /* Add DN of the last added CAs to the RDN sequence
864 * This will be sent to clients when a certificate
865 * request message is sent.
866 */
867
868 /* FIXME: in case of a client it is not needed
869 * to do that. This would save time and memory.
870 * However we don't have that information available
871 * here.
872 * Further, this function is now much more efficient,
873 * so optimizing that is less important.
874 */
875
876 for (i = res->x509_ncas - new; i < res->x509_ncas; i++)
877 {
878 if ((ret = gnutls_x509_crt_get_raw_dn (res->x509_ca_list[i], &tmp)) < 0)
879 {
880 gnutls_assert ();
881 return ret;
882 }
883
884 newsize = res->x509_rdn_sequence.size + 2 + tmp.size;
885 if (newsize < res->x509_rdn_sequence.size)
886 {
887 gnutls_assert ();
888 _gnutls_free_datum (&tmp);
889 return GNUTLS_E_SHORT_MEMORY_BUFFER;
890 }
891
892 newdata = gnutls_realloc (res->x509_rdn_sequence.data, newsize);
893 if (newdata == NULL)
894 {
895 gnutls_assert ();
896 _gnutls_free_datum (&tmp);
897 return GNUTLS_E_MEMORY_ERROR;
898 }
899
900 _gnutls_write_datum16 (newdata + res->x509_rdn_sequence.size, tmp);
901 _gnutls_free_datum (&tmp);
902
903 res->x509_rdn_sequence.size = newsize;
904 res->x509_rdn_sequence.data = newdata;
905 }
906
907 return 0;
908 }
909
910 /* Returns 0 if it's ok to use the gnutls_kx_algorithm_t with this
911 * certificate (uses the KeyUsage field).
912 */
913 int
914 _gnutls_check_key_usage (const gnutls_cert * cert, gnutls_kx_algorithm_t alg)
915 {
916 unsigned int key_usage = 0;
917 int encipher_type;
918
919 if (cert == NULL)
920 {
921 gnutls_assert ();
922 return GNUTLS_E_INTERNAL_ERROR;
923 }
924
925 if (_gnutls_map_kx_get_cred (alg, 1) == GNUTLS_CRD_CERTIFICATE ||
926 _gnutls_map_kx_get_cred (alg, 0) == GNUTLS_CRD_CERTIFICATE)
927 {
928
929 key_usage = cert->key_usage;
930
931 encipher_type = _gnutls_kx_encipher_type (alg);
932
933 if (key_usage != 0 && encipher_type != CIPHER_IGN)
934 {
935 /* If key_usage has been set in the certificate
936 */
937
938 if (encipher_type == CIPHER_ENCRYPT)
939 {
940 /* If the key exchange method requires an encipher
941 * type algorithm, and key's usage does not permit
942 * encipherment, then fail.
943 */
944 if (!(key_usage & KEY_KEY_ENCIPHERMENT))
945 {
946 gnutls_assert ();
947 return GNUTLS_E_KEY_USAGE_VIOLATION;
948 }
949 }
950
951 if (encipher_type == CIPHER_SIGN)
952 {
953 /* The same as above, but for sign only keys
954 */
955 if (!(key_usage & KEY_DIGITAL_SIGNATURE))
956 {
957 gnutls_assert ();
958 return GNUTLS_E_KEY_USAGE_VIOLATION;
959 }
960 }
961 }
962 }
963 return 0;
964 }
965
966
967
968 static int
969 parse_pem_ca_mem (gnutls_x509_crt_t ** cert_list, unsigned *ncerts,
970 const opaque * input_cert, int input_cert_size)
971 {
972 int i, size;
973 const opaque *ptr;
974 gnutls_datum_t tmp;
975 int ret, count;
976
977 /* move to the certificate
978 */
979 ptr = memmem (input_cert, input_cert_size,
980 PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
981 if (ptr == NULL)
982 ptr = memmem (input_cert, input_cert_size,
983 PEM_CERT_SEP2, sizeof (PEM_CERT_SEP2) - 1);
984
985 if (ptr == NULL)
986 {
987 gnutls_assert ();
988 return GNUTLS_E_BASE64_DECODING_ERROR;
989 }
990 size = input_cert_size - (ptr - input_cert);
991
992 i = *ncerts + 1;
993 count = 0;
994
995 do
996 {
997
998 *cert_list =
999 (gnutls_x509_crt_t *) gnutls_realloc_fast (*cert_list,
1000 i *
1001 sizeof
1002 (gnutls_x509_crt_t));
1003
1004 if (*cert_list == NULL)
1005 {
1006 gnutls_assert ();
1007 return GNUTLS_E_MEMORY_ERROR;
1008 }
1009
1010 ret = gnutls_x509_crt_init (&cert_list[0][i - 1]);
1011 if (ret < 0)
1012 {
1013 gnutls_assert ();
1014 return ret;
1015 }
1016
1017 tmp.data = (opaque *) ptr;
1018 tmp.size = size;
1019
1020 ret =
1021 gnutls_x509_crt_import (cert_list[0][i - 1],
1022 &tmp, GNUTLS_X509_FMT_PEM);
1023 if (ret < 0)
1024 {
1025 gnutls_assert ();
1026 return ret;
1027 }
1028
1029 /* now we move ptr after the pem header
1030 */
1031 ptr++;
1032 size--;
1033 /* find the next certificate (if any)
1034 */
1035
1036 if (size > 0)
1037 {
1038 char *ptr3;
1039
1040 ptr3 = memmem (ptr, size, PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
1041 if (ptr3 == NULL)
1042 ptr3 = memmem (ptr, size,
1043 PEM_CERT_SEP2, sizeof (PEM_CERT_SEP2) - 1);
1044
1045 ptr = ptr3;
1046 size = input_cert_size - (ptr - input_cert);
1047 }
1048 else
1049 ptr = NULL;
1050
1051 i++;
1052 count++;
1053
1054 }
1055 while (ptr != NULL);
1056
1057 *ncerts = i - 1;
1058
1059 return count;
1060 }
1061
1062 /* Reads a DER encoded certificate list from memory and stores it to a
1063 * gnutls_cert structure. Returns the number of certificates parsed.
1064 */
1065 static int
1066 parse_der_ca_mem (gnutls_x509_crt_t ** cert_list, unsigned *ncerts,
1067 const void *input_cert, int input_cert_size)
1068 {
1069 int i;
1070 gnutls_datum_t tmp;
1071 int ret;
1072
1073 i = *ncerts + 1;
1074
1075 *cert_list =
1076 (gnutls_x509_crt_t *) gnutls_realloc_fast (*cert_list,
1077 i *
1078 sizeof (gnutls_x509_crt_t));
1079
1080 if (*cert_list == NULL)
1081 {
1082 gnutls_assert ();
1083 return GNUTLS_E_MEMORY_ERROR;
1084 }
1085
1086 tmp.data = (opaque *) input_cert;
1087 tmp.size = input_cert_size;
1088
1089 ret = gnutls_x509_crt_init (&cert_list[0][i - 1]);
1090 if (ret < 0)
1091 {
1092 gnutls_assert ();
1093 return ret;
1094 }
1095
1096 ret =
1097 gnutls_x509_crt_import (cert_list[0][i - 1], &tmp, GNUTLS_X509_FMT_DER);
1098 if (ret < 0)
1099 {
1100 gnutls_assert ();
1101 return ret;
1102 }
1103
1104 *ncerts = i;
1105
1106 return 1; /* one certificate parsed */
1107 }
1108
1109 /**
1110 * gnutls_certificate_set_x509_trust_mem - Used to add trusted CAs in a gnutls_certificate_credentials_t structure
1111 * @res: is a #gnutls_certificate_credentials_t structure.
1112 * @ca: is a list of trusted CAs or a DER certificate
1113 * @type: is DER or PEM
1114 *
1115 * This function adds the trusted CAs in order to verify client or
1116 * server certificates. In case of a client this is not required to
1117 * be called if the certificates are not verified using
1118 * gnutls_certificate_verify_peers2(). This function may be called
1119 * multiple times.
1120 *
1121 * In case of a server the CAs set here will be sent to the client if
1122 * a certificate request is sent. This can be disabled using
1123 * gnutls_certificate_send_x509_rdn_sequence().
1124 *
1125 * Returns: the number of certificates processed or a negative value
1126 * on error.
1127 **/
1128 int
1129 gnutls_certificate_set_x509_trust_mem (gnutls_certificate_credentials_t res,
1130 const gnutls_datum_t * ca,
1131 gnutls_x509_crt_fmt_t type)
1132 {
1133 int ret, ret2;
1134
1135 if (type == GNUTLS_X509_FMT_DER)
1136 ret = parse_der_ca_mem (&res->x509_ca_list, &res->x509_ncas,
1137 ca->data, ca->size);
1138 else
1139 ret = parse_pem_ca_mem (&res->x509_ca_list, &res->x509_ncas,
1140 ca->data, ca->size);
1141
1142 if ((ret2 = add_new_crt_to_rdn_seq (res, ret)) < 0)
1143 return ret2;
1144
1145 return ret;
1146 }
1147
1148 /**
1149 * gnutls_certificate_set_x509_trust - Used to add trusted CAs in a gnutls_certificate_credentials_t structure
1150 * @res: is a #gnutls_certificate_credentials_t structure.
1151 * @ca_list: is a list of trusted CAs
1152 * @ca_list_size: holds the size of the CA list
1153 *
1154 * This function adds the trusted CAs in order to verify client
1155 * or server certificates. In case of a client this is not required
1156 * to be called if the certificates are not verified using
1157 * gnutls_certificate_verify_peers2().
1158 * This function may be called multiple times.
1159 *
1160 * In case of a server the CAs set here will be sent to the client if
1161 * a certificate request is sent. This can be disabled using
1162 * gnutls_certificate_send_x509_rdn_sequence().
1163 *
1164 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1165 *
1166 * Since: 2.4.0
1167 **/
1168 int
1169 gnutls_certificate_set_x509_trust (gnutls_certificate_credentials_t res,
1170 gnutls_x509_crt_t * ca_list,
1171 int ca_list_size)
1172 {
1173 int ret, i, ret2;
1174
1175 res->x509_ca_list = gnutls_realloc_fast (res->x509_ca_list,
1176 (ca_list_size +
1177 res->x509_ncas) *
1178 sizeof (gnutls_x509_crt_t));
1179 if (res->x509_ca_list == NULL)
1180 {
1181 gnutls_assert ();
1182 return GNUTLS_E_MEMORY_ERROR;
1183 }
1184
1185 for (i = 0; i < ca_list_size; i++)
1186 {
1187 ret = gnutls_x509_crt_init (&res->x509_ca_list[res->x509_ncas]);
1188 if (ret < 0)
1189 {
1190 gnutls_assert ();
1191 return ret;
1192 }
1193
1194 ret = _gnutls_x509_crt_cpy (res->x509_ca_list[res->x509_ncas],
1195 ca_list[i]);
1196 if (ret < 0)
1197 {
1198 gnutls_assert ();
1199 gnutls_x509_crt_deinit (res->x509_ca_list[res->x509_ncas]);
1200 return ret;
1201 }
1202 res->x509_ncas++;
1203 }
1204
1205 if ((ret2 = add_new_crt_to_rdn_seq (res, ca_list_size)) < 0)
1206 return ret2;
1207
1208 return 0;
1209 }
1210
1211 /**
1212 * gnutls_certificate_set_x509_trust_file - Used to add trusted CAs in a gnutls_certificate_credentials_t structure
1213 * @res: is a #gnutls_certificate_credentials_t structure.
1214 * @cafile: is a file containing the list of trusted CAs (DER or PEM list)
1215 * @type: is PEM or DER
1216 *
1217 * This function adds the trusted CAs in order to verify client or
1218 * server certificates. In case of a client this is not required to
1219 * be called if the certificates are not verified using
1220 * gnutls_certificate_verify_peers2(). This function may be called
1221 * multiple times.
1222 *
1223 * In case of a server the names of the CAs set here will be sent to
1224 * the client if a certificate request is sent. This can be disabled
1225 * using gnutls_certificate_send_x509_rdn_sequence().
1226 *
1227 * Returns: number of certificates processed, or a negative value on
1228 * error.
1229 **/
1230 int
1231 gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t res,
1232 const char *cafile,
1233 gnutls_x509_crt_fmt_t type)
1234 {
1235 int ret, ret2;
1236 size_t size;
1237 char *data = read_binary_file (cafile, &size);
1238
1239 if (data == NULL)
1240 {
1241 gnutls_assert ();
1242 return GNUTLS_E_FILE_ERROR;
1243 }
1244
1245 if (type == GNUTLS_X509_FMT_DER)
1246 ret = parse_der_ca_mem (&res->x509_ca_list, &res->x509_ncas, data, size);
1247 else
1248 ret = parse_pem_ca_mem (&res->x509_ca_list, &res->x509_ncas, data, size);
1249
1250 free (data);
1251
1252 if (ret < 0)
1253 {
1254 gnutls_assert ();
1255 return ret;
1256 }
1257
1258 if ((ret2 = add_new_crt_to_rdn_seq (res, ret)) < 0)
1259 return ret2;
1260
1261 return ret;
1262 }
1263
1264 #ifdef ENABLE_PKI
1265
1266 static int
1267 parse_pem_crl_mem (gnutls_x509_crl_t ** crl_list, unsigned *ncrls,
1268 const opaque * input_crl, int input_crl_size)
1269 {
1270 int size, i;
1271 const opaque *ptr;
1272 gnutls_datum_t tmp;
1273 int ret, count;
1274
1275 /* move to the certificate
1276 */
1277 ptr = memmem (input_crl, input_crl_size,
1278 PEM_CRL_SEP, sizeof (PEM_CRL_SEP) - 1);
1279 if (ptr == NULL)
1280 {
1281 gnutls_assert ();
1282 return GNUTLS_E_BASE64_DECODING_ERROR;
1283 }
1284
1285 size = input_crl_size - (ptr - input_crl);
1286
1287 i = *ncrls + 1;
1288 count = 0;
1289
1290 do
1291 {
1292
1293 *crl_list =
1294 (gnutls_x509_crl_t *) gnutls_realloc_fast (*crl_list,
1295 i *
1296 sizeof
1297 (gnutls_x509_crl_t));
1298
1299 if (*crl_list == NULL)
1300 {
1301 gnutls_assert ();
1302 return GNUTLS_E_MEMORY_ERROR;
1303 }
1304
1305 ret = gnutls_x509_crl_init (&crl_list[0][i - 1]);
1306 if (ret < 0)
1307 {
1308 gnutls_assert ();
1309 return ret;
1310 }
1311
1312 tmp.data = (char *) ptr;
1313 tmp.size = size;
1314
1315 ret =
1316 gnutls_x509_crl_import (crl_list[0][i - 1],
1317 &tmp, GNUTLS_X509_FMT_PEM);
1318 if (ret < 0)
1319 {
1320 gnutls_assert ();
1321 return ret;
1322 }
1323
1324 /* now we move ptr after the pem header
1325 */
1326 ptr++;
1327 /* find the next certificate (if any)
1328 */
1329
1330 size = input_crl_size - (ptr - input_crl);
1331
1332 if (size > 0)
1333 ptr = memmem (ptr, size, PEM_CRL_SEP, sizeof (PEM_CRL_SEP) - 1);
1334 else
1335 ptr = NULL;
1336 i++;
1337 count++;
1338
1339 }
1340 while (ptr != NULL);
1341
1342 *ncrls = i - 1;
1343
1344 return count;
1345 }
1346
1347 /* Reads a DER encoded certificate list from memory and stores it to a
1348 * gnutls_cert structure. Returns the number of certificates parsed.
1349 */
1350 static int
1351 parse_der_crl_mem (gnutls_x509_crl_t ** crl_list, unsigned *ncrls,
1352 const void *input_crl, int input_crl_size)
1353 {
1354 int i;
1355 gnutls_datum_t tmp;
1356 int ret;
1357
1358 i = *ncrls + 1;
1359
1360 *crl_list =
1361 (gnutls_x509_crl_t *) gnutls_realloc_fast (*crl_list,
1362 i *
1363 sizeof (gnutls_x509_crl_t));
1364
1365 if (*crl_list == NULL)
1366 {
1367 gnutls_assert ();
1368 return GNUTLS_E_MEMORY_ERROR;
1369 }
1370
1371 tmp.data = (opaque *) input_crl;
1372 tmp.size = input_crl_size;
1373
1374 ret = gnutls_x509_crl_init (&crl_list[0][i - 1]);
1375 if (ret < 0)
1376 {
1377 gnutls_assert ();
1378 return ret;
1379 }
1380
1381 ret =
1382 gnutls_x509_crl_import (crl_list[0][i - 1], &tmp, GNUTLS_X509_FMT_DER);
1383 if (ret < 0)
1384 {
1385 gnutls_assert ();
1386 return ret;
1387 }
1388
1389 *ncrls = i;
1390
1391 return 1; /* one certificate parsed */
1392 }
1393
1394
1395 /* Reads a DER or PEM CRL from memory
1396 */
1397 static int
1398 read_crl_mem (gnutls_certificate_credentials_t res, const void *crl,
1399 int crl_size, gnutls_x509_crt_fmt_t type)
1400 {
1401 int ret;
1402
1403 /* allocate space for the certificate to add
1404 */
1405 res->x509_crl_list = gnutls_realloc_fast (res->x509_crl_list,
1406 (1 +
1407 res->x509_ncrls) *
1408 sizeof (gnutls_x509_crl_t));
1409 if (res->x509_crl_list == NULL)
1410 {
1411 gnutls_assert ();
1412 return GNUTLS_E_MEMORY_ERROR;
1413 }
1414
1415 if (type == GNUTLS_X509_FMT_DER)
1416 ret = parse_der_crl_mem (&res->x509_crl_list,
1417 &res->x509_ncrls, crl, crl_size);
1418 else
1419 ret = parse_pem_crl_mem (&res->x509_crl_list,
1420 &res->x509_ncrls, crl, crl_size);
1421
1422 if (ret < 0)
1423 {
1424 gnutls_assert ();
1425 return ret;
1426 }
1427
1428 return ret;
1429 }
1430
1431 /**
1432 * gnutls_certificate_set_x509_crl_mem - Used to add CRLs in a gnutls_certificate_credentials_t structure
1433 * @res: is a #gnutls_certificate_credentials_t structure.
1434 * @CRL: is a list of trusted CRLs. They should have been verified before.
1435 * @type: is DER or PEM
1436 *
1437 * This function adds the trusted CRLs in order to verify client or
1438 * server certificates. In case of a client this is not required to
1439 * be called if the certificates are not verified using
1440 * gnutls_certificate_verify_peers2(). This function may be called
1441 * multiple times.
1442 *
1443 * Returns: number of CRLs processed, or a negative value on error.
1444 **/
1445 int
1446 gnutls_certificate_set_x509_crl_mem (gnutls_certificate_credentials_t res,
1447 const gnutls_datum_t * CRL,
1448 gnutls_x509_crt_fmt_t type)
1449 {
1450 int ret;
1451
1452 if ((ret = read_crl_mem (res, CRL->data, CRL->size, type)) < 0)
1453 return ret;
1454
1455 return ret;
1456 }
1457
1458 /**
1459 * gnutls_certificate_set_x509_crl - Used to add CRLs in a gnutls_certificate_credentials_t structure
1460 * @res: is a #gnutls_certificate_credentials_t structure.
1461 * @crl_list: is a list of trusted CRLs. They should have been verified before.
1462 * @crl_list_size: holds the size of the crl_list
1463 *
1464 * This function adds the trusted CRLs in order to verify client or
1465 * server certificates. In case of a client this is not required to
1466 * be called if the certificates are not verified using
1467 * gnutls_certificate_verify_peers2(). This function may be called
1468 * multiple times.
1469 *
1470 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1471 *
1472 * Since: 2.4.0
1473 **/
1474 int
1475 gnutls_certificate_set_x509_crl (gnutls_certificate_credentials_t res,
1476 gnutls_x509_crl_t * crl_list,
1477 int crl_list_size)
1478 {
1479 int ret, i;
1480
1481 res->x509_crl_list = gnutls_realloc_fast (res->x509_crl_list,
1482 (crl_list_size +
1483 res->x509_ncrls) *
1484 sizeof (gnutls_x509_crl_t));
1485 if (res->x509_crl_list == NULL)
1486 {
1487 gnutls_assert ();
1488 return GNUTLS_E_MEMORY_ERROR;
1489 }
1490
1491 for (i = 0; i < crl_list_size; i++)
1492 {
1493 ret = gnutls_x509_crl_init (&res->x509_crl_list[res->x509_ncrls]);
1494 if (ret < 0)
1495 {
1496 gnutls_assert ();
1497 return ret;
1498 }
1499
1500 ret = _gnutls_x509_crl_cpy (res->x509_crl_list[res->x509_ncrls],
1501 crl_list[i]);
1502 if (ret < 0)
1503 {
1504 gnutls_assert ();
1505 return ret;
1506 }
1507 res->x509_ncrls++;
1508 }
1509
1510 return 0;
1511 }
1512
1513 /**
1514 * gnutls_certificate_set_x509_crl_file - Used to add CRLs in a gnutls_certificate_credentials_t structure
1515 * @res: is a #gnutls_certificate_credentials_t structure.
1516 * @crlfile: is a file containing the list of verified CRLs (DER or PEM list)
1517 * @type: is PEM or DER
1518 *
1519 * This function adds the trusted CRLs in order to verify client or server
1520 * certificates. In case of a client this is not required
1521 * to be called if the certificates are not verified using
1522 * gnutls_certificate_verify_peers2().
1523 * This function may be called multiple times.
1524 *
1525 * Returns: number of CRLs processed or a negative value on error.
1526 **/
1527 int
1528 gnutls_certificate_set_x509_crl_file (gnutls_certificate_credentials_t res,
1529 const char *crlfile,
1530 gnutls_x509_crt_fmt_t type)
1531 {
1532 int ret;
1533 size_t size;
1534 char *data = read_binary_file (crlfile, &size);
1535
1536 if (data == NULL)
1537 {
1538 gnutls_assert ();
1539 return GNUTLS_E_FILE_ERROR;
1540 }
1541
1542 if (type == GNUTLS_X509_FMT_DER)
1543 ret = parse_der_crl_mem (&res->x509_crl_list, &res->x509_ncrls,
1544 data, size);
1545 else
1546 ret = parse_pem_crl_mem (&res->x509_crl_list, &res->x509_ncrls,
1547 data, size);
1548
1549 free (data);
1550
1551 if (ret < 0)
1552 {
1553 gnutls_assert ();
1554 return ret;
1555 }
1556
1557 return ret;
1558 }
1559
1560 #include <gnutls/pkcs12.h>
1561
1562 static int
1563 parse_pkcs12 (gnutls_certificate_credentials_t res,
1564 gnutls_pkcs12_t p12,
1565 const char *password,
1566 gnutls_x509_privkey_t * key,
1567 gnutls_x509_crt_t * cert, gnutls_x509_crl_t * crl)
1568 {
1569 gnutls_pkcs12_bag_t bag = NULL;
1570 int idx = 0;
1571 int ret;
1572 size_t cert_id_size = 0;
1573 size_t key_id_size = 0;
1574 opaque cert_id[20];
1575 opaque key_id[20];
1576 int privkey_ok = 0;
1577
1578 *cert = NULL;
1579 *key = NULL;
1580 *crl = NULL;
1581
1582 /* find the first private key */
1583 for (;;)
1584 {
1585 int elements_in_bag;
1586 int i;
1587
1588 ret = gnutls_pkcs12_bag_init (&bag);
1589 if (ret < 0)
1590 {
1591 bag = NULL;
1592 gnutls_assert ();
1593 goto done;
1594 }
1595
1596 ret = gnutls_pkcs12_get_bag (p12, idx, bag);
1597 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1598 break;
1599 if (ret < 0)
1600 {
1601 gnutls_assert ();
1602 goto done;
1603 }
1604
1605 ret = gnutls_pkcs12_bag_get_type (bag, 0);
1606 if (ret < 0)
1607 {
1608 gnutls_assert ();
1609 goto done;
1610 }
1611
1612 if (ret == GNUTLS_BAG_ENCRYPTED)
1613 {
1614 ret = gnutls_pkcs12_bag_decrypt (bag, password);
1615 if (ret < 0)
1616 {
1617 gnutls_assert ();
1618 goto done;
1619 }
1620 }
1621
1622 elements_in_bag = gnutls_pkcs12_bag_get_count (bag);
1623 if (elements_in_bag < 0)
1624 {
1625 gnutls_assert ();
1626 goto done;
1627 }
1628
1629 for (i = 0; i < elements_in_bag; i++)
1630 {
1631 int type;
1632 gnutls_datum_t data;
1633
1634 type = gnutls_pkcs12_bag_get_type (bag, i);
1635 if (type < 0)
1636 {
1637 gnutls_assert ();
1638 goto done;
1639 }
1640
1641 ret = gnutls_pkcs12_bag_get_data (bag, i, &data);
1642 if (ret < 0)
1643 {
1644 gnutls_assert ();
1645 goto done;
1646 }
1647
1648 switch (type)
1649 {
1650 case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY:
1651 case GNUTLS_BAG_PKCS8_KEY:
1652 if (*key != NULL) /* too simple to continue */
1653 {
1654 gnutls_assert();
1655 break;
1656 }
1657
1658 ret = gnutls_x509_privkey_init (key);
1659 if (ret < 0)
1660 {
1661 gnutls_assert ();
1662 goto done;
1663 }
1664
1665 ret = gnutls_x509_privkey_import_pkcs8
1666 (*key, &data, GNUTLS_X509_FMT_DER, password,
1667 type == GNUTLS_BAG_PKCS8_KEY ? GNUTLS_PKCS_PLAIN : 0);
1668 if (ret < 0)
1669 {
1670 gnutls_assert ();
1671 gnutls_x509_privkey_deinit( *key);
1672 goto done;
1673 }
1674
1675 key_id_size = sizeof(key_id);
1676 ret = gnutls_x509_privkey_get_key_id( *key, 0, key_id, &key_id_size);
1677 if (ret < 0)
1678 {
1679 gnutls_assert ();
1680 gnutls_x509_privkey_deinit( *key);
1681 goto done;
1682 }
1683
1684 privkey_ok = 1; /* break */
1685 break;
1686 default:
1687 break;
1688 }
1689 }
1690
1691 idx++;
1692 gnutls_pkcs12_bag_deinit (bag);
1693
1694 if (privkey_ok != 0) /* private key was found */
1695 break;
1696 }
1697
1698 if (privkey_ok == 0) /* no private key */
1699 {
1700 gnutls_assert();
1701 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
1702 }
1703
1704 /* now find the corresponding certificate
1705 */
1706 idx = 0;
1707 bag = NULL;
1708 for (;;)
1709 {
1710 int elements_in_bag;
1711 int i;
1712
1713 ret = gnutls_pkcs12_bag_init (&bag);
1714 if (ret < 0)
1715 {
1716 bag = NULL;
1717 gnutls_assert ();
1718 goto done;
1719 }
1720
1721 ret = gnutls_pkcs12_get_bag (p12, idx, bag);
1722 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1723 break;
1724 if (ret < 0)
1725 {
1726 gnutls_assert ();
1727 goto done;
1728 }
1729
1730 ret = gnutls_pkcs12_bag_get_type (bag, 0);
1731 if (ret < 0)
1732 {
1733 gnutls_assert ();
1734 goto done;
1735 }
1736
1737 if (ret == GNUTLS_BAG_ENCRYPTED)
1738 {
1739 ret = gnutls_pkcs12_bag_decrypt (bag, password);
1740 if (ret < 0)
1741 {
1742 gnutls_assert ();
1743 goto done;
1744 }
1745 }
1746
1747 elements_in_bag = gnutls_pkcs12_bag_get_count (bag);
1748 if (elements_in_bag < 0)
1749 {
1750 gnutls_assert ();
1751 goto done;
1752 }
1753
1754 for (i = 0; i < elements_in_bag; i++)
1755 {
1756 int type;
1757 gnutls_datum_t data;
1758
1759 type = gnutls_pkcs12_bag_get_type (bag, i);
1760 if (type < 0)
1761 {
1762 gnutls_assert ();
1763 goto done;
1764 }
1765
1766 ret = gnutls_pkcs12_bag_get_data (bag, i, &data);
1767 if (ret < 0)
1768 {
1769 gnutls_assert ();
1770 goto done;
1771 }
1772
1773 switch (type)
1774 {
1775 case GNUTLS_BAG_CERTIFICATE:
1776 if (*cert != NULL) /* no need to set it again */
1777 {
1778 gnutls_assert();
1779 break;
1780 }
1781
1782 ret = gnutls_x509_crt_init (cert);
1783 if (ret < 0)
1784 {
1785 gnutls_assert ();
1786 goto done;
1787 }
1788
1789 ret =
1790 gnutls_x509_crt_import (*cert, &data, GNUTLS_X509_FMT_DER);
1791 if (ret < 0)
1792 {
1793 gnutls_assert ();
1794 gnutls_x509_crt_deinit( *cert);
1795 goto done;
1796 }
1797
1798 /* check if the key id match */
1799 cert_id_size = sizeof(cert_id);
1800 ret = gnutls_x509_crt_get_key_id( *cert, 0, cert_id, &cert_id_size);
1801 if (ret < 0)
1802 {
1803 gnutls_assert ();
1804 gnutls_x509_crt_deinit( *cert);
1805 goto done;
1806 }
1807
1808 if (memcmp( cert_id, key_id, cert_id_size) != 0)
1809 { /* they don't match - skip the certificate */
1810 gnutls_x509_crt_deinit( *cert);
1811 *cert = NULL;
1812 }
1813 break;
1814
1815 case GNUTLS_BAG_CRL:
1816 if (*crl != NULL)
1817 {
1818 gnutls_assert();
1819 break;
1820 }
1821
1822 ret = gnutls_x509_crl_init (crl);
1823 if (ret < 0)
1824 {
1825 gnutls_assert ();
1826 goto done;
1827 }
1828
1829 ret = gnutls_x509_crl_import (*crl, &data, GNUTLS_X509_FMT_DER);
1830 if (ret < 0)
1831 {
1832 gnutls_assert ();
1833 gnutls_x509_crl_deinit( *crl);
1834 goto done;
1835 }
1836 break;
1837
1838 case GNUTLS_BAG_ENCRYPTED:
1839 /* XXX Bother to recurse one level down? Unlikely to
1840 use the same password anyway. */
1841 case GNUTLS_BAG_EMPTY:
1842 default:
1843 break;
1844 }
1845 }
1846
1847 idx++;
1848 gnutls_pkcs12_bag_deinit (bag);
1849 }
1850
1851 ret = 0;
1852
1853 done:
1854 if (bag)
1855 gnutls_pkcs12_bag_deinit (bag);
1856
1857 return ret;
1858 }
1859
1860 /**
1861 * gnutls_certificate_set_x509_simple_pkcs12_file:
1862 * @res: is a #gnutls_certificate_credentials_t structure.
1863 * @pkcs12file: filename of file containing PKCS#12 blob.
1864 * @type: is PEM or DER of the @pkcs12file.
1865 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
1866 *
1867 * This function sets a certificate/private key pair and/or a CRL in
1868 * the gnutls_certificate_credentials_t structure. This function may
1869 * be called more than once (in case multiple keys/certificates exist
1870 * for the server).
1871 *
1872 * MAC:ed PKCS#12 files are supported. Encrypted PKCS#12 bags are
1873 * supported. Encrypted PKCS#8 private keys are supported. However,
1874 * only password based security, and the same password for all
1875 * operations, are supported.
1876 *
1877 * The private keys may be RSA PKCS#1 or DSA private keys encoded in
1878 * the OpenSSL way.
1879 *
1880 * PKCS#12 file may contain many keys and/or certificates, and there
1881 * is no way to identify which key/certificate pair you want. You
1882 * should make sure the PKCS#12 file only contain one key/certificate
1883 * pair and/or one CRL.
1884 *
1885 * It is believed that the limitations of this function is acceptable
1886 * for most usage, and that any more flexibility would introduce
1887 * complexity that would make it harder to use this functionality at
1888 * all.
1889 *
1890 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1891 **/
1892 int
1893 gnutls_certificate_set_x509_simple_pkcs12_file
1894 (gnutls_certificate_credentials_t res, const char *pkcs12file,
1895 gnutls_x509_crt_fmt_t type, const char *password)
1896 {
1897 gnutls_datum_t p12blob;
1898 size_t size;
1899 int ret;
1900
1901 p12blob.data = read_binary_file (pkcs12file, &size);
1902 p12blob.size = (unsigned int) size;
1903 if (p12blob.data == NULL)
1904 {
1905 gnutls_assert ();
1906 return GNUTLS_E_FILE_ERROR;
1907 }
1908
1909 ret = gnutls_certificate_set_x509_simple_pkcs12_mem(res, &p12blob, type, password);
1910 free(p12blob.data);
1911
1912 return ret;
1913 }
1914
1915 /**
1916 * gnutls_certificate_set_x509_simple_pkcs12_mem:
1917 * @res: is a #gnutls_certificate_credentials_t structure.
1918 * @p12blob: the PKCS#12 blob.
1919 * @type: is PEM or DER of the @pkcs12file.
1920 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
1921 *
1922 * This function sets a certificate/private key pair and/or a CRL in
1923 * the gnutls_certificate_credentials_t structure. This function may
1924 * be called more than once (in case multiple keys/certificates exist
1925 * for the server).
1926 *
1927 * MAC:ed PKCS#12 files are supported. Encrypted PKCS#12 bags are
1928 * supported. Encrypted PKCS#8 private keys are supported. However,
1929 * only password based security, and the same password for all
1930 * operations, are supported.
1931 *
1932 * The private keys may be RSA PKCS#1 or DSA private keys encoded in
1933 * the OpenSSL way.
1934 *
1935 * PKCS#12 file may contain many keys and/or certificates, and there
1936 * is no way to identify which key/certificate pair you want. You
1937 * should make sure the PKCS#12 file only contain one key/certificate
1938 * pair and/or one CRL.
1939 *
1940 * It is believed that the limitations of this function is acceptable
1941 * for most usage, and that any more flexibility would introduce
1942 * complexity that would make it harder to use this functionality at
1943 * all.
1944 *
1945 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1946 *
1947 * Since: 2.8.0
1948 **/
1949 int
1950 gnutls_certificate_set_x509_simple_pkcs12_mem
1951 (gnutls_certificate_credentials_t res, const gnutls_datum_t *p12blob,
1952 gnutls_x509_crt_fmt_t type, const char *password)
1953 {
1954 gnutls_pkcs12_t p12;
1955 gnutls_x509_privkey_t key = NULL;
1956 gnutls_x509_crt_t cert = NULL;
1957 gnutls_x509_crl_t crl = NULL;
1958 int ret;
1959
1960 ret = gnutls_pkcs12_init (&p12);
1961 if (ret < 0)
1962 {
1963 gnutls_assert ();
1964 return ret;
1965 }
1966
1967 ret = gnutls_pkcs12_import (p12, p12blob, type, 0);
1968 if (ret < 0)
1969 {
1970 gnutls_assert ();
1971 gnutls_pkcs12_deinit (p12);
1972 return ret;
1973 }
1974
1975 if (password)
1976 {
1977 ret = gnutls_pkcs12_verify_mac (p12, password);
1978 if (ret < 0)
1979 {
1980 gnutls_assert ();
1981 gnutls_pkcs12_deinit (p12);
1982 return ret;
1983 }
1984 }
1985
1986 ret = parse_pkcs12 (res, p12, password, &key, &cert, &crl);
1987 gnutls_pkcs12_deinit (p12);
1988 if (ret < 0)
1989 {
1990 gnutls_assert ();
1991 return ret;
1992 }
1993
1994 if (key && cert)
1995 {
1996 ret = gnutls_certificate_set_x509_key (res, &cert, 1, key);
1997 if (ret < 0)
1998 {
1999 gnutls_assert ();
2000 goto done;
2001 }
2002 }
2003
2004 if (crl)
2005 {
2006 ret = gnutls_certificate_set_x509_crl (res, &crl, 1);
2007 if (ret < 0)
2008 {
2009 gnutls_assert ();
2010 goto done;
2011 }
2012 }
2013
2014 /* check if the key and certificate found match */
2015 if (key && (ret = _gnutls_check_key_cert_match (res)) < 0)
2016 {
2017 gnutls_assert ();
2018 goto done;
2019 }
2020
2021 ret = 0;
2022
2023 done:
2024 if (cert)
2025 gnutls_x509_crt_deinit (cert);
2026 if (key)
2027 gnutls_x509_privkey_deinit (key);
2028 if (crl)
2029 gnutls_x509_crl_deinit (crl);
2030
2031 return ret;
2032 }
2033
2034
2035
2036 /**
2037 * gnutls_certificate_free_crls - Used to free all the CRLs from a gnutls_certificate_credentials_t structure
2038 * @sc: is a #gnutls_certificate_credentials_t structure.
2039 *
2040 * This function will delete all the CRLs associated
2041 * with the given credentials.
2042 *
2043 **/
2044 void
2045 gnutls_certificate_free_crls (gnutls_certificate_credentials_t sc)
2046 {
2047 unsigned j;
2048
2049 for (j = 0; j < sc->x509_ncrls; j++)
2050 {
2051 gnutls_x509_crl_deinit (sc->x509_crl_list[j]);
2052 }
2053
2054 sc->x509_ncrls = 0;
2055
2056 gnutls_free (sc->x509_crl_list);
2057 sc->x509_crl_list = NULL;
2058 }
2059
2060 #endif
Implementation of the SSL/TLS protocol