1 /*
2 * Copyright (C) 2012 Free Software Foundation, Inc.
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GnuTLS.
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
23 #include <gnutls_int.h>
24 #include <gnutls_errors.h>
25 #include <libtasn1.h>
26 #include <gnutls_global.h>
27 #include <gnutls_num.h>
28 #include <gnutls_sig.h>
29 #include <gnutls_str.h>
30 #include <gnutls_datum.h>
31 #include "x509_int.h"
32 #include <common.h>
33 #include "verify-high.h"
34 #include "read-file.h"
36 /* Convenience functions for verify-high functionality */
/**
 * gnutls_x509_trust_list_add_trust_mem:
 * @list: The structure of the list
 * @cas: A buffer containing a list of CAs (optional)
 * @crls: A buffer containing a list of CRLs (optional)
 * @type: The format of the certificates
 * @tl_flags: GNUTLS_TL_*
 * @tl_vflags: gnutls_certificate_verify_flags if flags specifies GNUTLS_TL_VERIFY_CRL
 *
 * This function will add the certificate authorities found in @cas,
 * and then the CRLs found in @crls, to the trusted list. Either buffer
 * may be %NULL (or have %NULL data), in which case it is skipped.
 * CRLs are only processed if the CA step succeeded.
 *
 * Returns: The number of added elements (CAs plus CRLs), or a negative
 *   error code on failure.
 *
 * Since: 3.1
 **/
int
gnutls_x509_trust_list_add_trust_mem(gnutls_x509_trust_list_t list,
                                     const gnutls_datum_t * cas,
                                     const gnutls_datum_t * crls,
                                     gnutls_x509_crt_fmt_t type,
                                     unsigned int tl_flags,
                                     unsigned int tl_vflags)
{
	unsigned int added = 0;
	int ret;

	/* Certificate authorities. Only the array returned by the import
	 * is released here; the certificate objects themselves are passed
	 * to the list (presumably it takes ownership - confirm in
	 * gnutls_x509_trust_list_add_cas). */
	if (cas != NULL && cas->data != NULL) {
		gnutls_x509_crt_t *ca_list = NULL;
		unsigned int nca = 0;

		ret = gnutls_x509_crt_list_import2(&ca_list, &nca, cas, type, 0);
		if (ret < 0)
			return gnutls_assert_val(ret);

		ret = gnutls_x509_trust_list_add_cas(list, ca_list, nca, tl_flags);
		gnutls_free(ca_list);
		if (ret < 0)
			return gnutls_assert_val(ret);

		added += ret;
	}

	/* Revocation lists, same pattern; @tl_vflags controls the CRL
	 * verification done by the list when GNUTLS_TL_VERIFY_CRL is set. */
	if (crls != NULL && crls->data != NULL) {
		gnutls_x509_crl_t *crl_list = NULL;
		unsigned int ncrl = 0;

		ret = gnutls_x509_crl_list_import2(&crl_list, &ncrl, crls, type, 0);
		if (ret < 0)
			return gnutls_assert_val(ret);

		ret = gnutls_x509_trust_list_add_crls(list, crl_list, ncrl,
						      tl_flags, tl_vflags);
		gnutls_free(crl_list);
		if (ret < 0)
			return gnutls_assert_val(ret);

		added += ret;
	}

	return added;
}
102 #ifdef ENABLE_PKCS11
/* Import every trusted certificate (GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED)
 * found at the PKCS#11 URL @ca_file and add it to @list as a CA.
 *
 * Returns the value of gnutls_x509_trust_list_add_cas() (the number of
 * CAs added), 0 when the URL matches no object, or a negative error code.
 * The PKCS#11 object handles and the temporary certificate array are
 * released on every path; the certificate objects are handed to the list.
 */
static
int import_pkcs11_url(gnutls_x509_trust_list_t list, const char* ca_file, unsigned int flags)
{
	gnutls_pkcs11_obj_t *objs = NULL;
	gnutls_x509_crt_t *certs = NULL;
	unsigned int nobjs = 0;
	unsigned int idx;
	int ret;

	ret = gnutls_pkcs11_obj_list_import_url2(&objs, &nobjs, ca_file,
						 GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED, 0);
	if (ret < 0)
		return gnutls_assert_val(ret);

	if (nobjs == 0) {
		/* Nothing matched the URL: not an error, nothing added. */
		ret = 0;
	} else {
		certs = gnutls_malloc(sizeof(*certs) * nobjs);
		if (certs == NULL) {
			ret = GNUTLS_E_MEMORY_ERROR;
		} else {
			ret = gnutls_x509_crt_list_import_pkcs11(certs, nobjs, objs, 0);
			if (ret < 0)
				gnutls_assert();
			else
				ret = gnutls_x509_trust_list_add_cas(list, certs, nobjs, flags);
		}
	}

	/* Common teardown: object handles first, then both arrays
	 * (gnutls_free on a NULL array is fine). */
	for (idx = 0; idx < nobjs; idx++)
		gnutls_pkcs11_obj_deinit(objs[idx]);
	gnutls_free(objs);
	gnutls_free(certs);

	return ret;
}
147 #endif
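/**
 * gnutls_x509_trust_list_add_trust_file:
 * @list: The structure of the list
 * @ca_file: A file containing a list of CAs (optional)
 * @crl_file: A file containing a list of CRLs (optional)
 * @type: The format of the certificates
 * @tl_flags: GNUTLS_TL_*
 * @tl_vflags: gnutls_certificate_verify_flags if flags specifies GNUTLS_TL_VERIFY_CRL
 *
 * This function will add the given certificate authorities
 * to the trusted list. pkcs11 URLs are also accepted, instead
 * of files, by this function. Both @ca_file and @crl_file may
 * be %NULL, in which case the corresponding input is skipped.
 *
 * Returns: The number of added elements is returned (CAs, including
 *   those imported from a pkcs11 URL, plus CRLs), or a negative error
 *   code. %GNUTLS_E_FILE_ERROR is returned when a file cannot be read.
 *
 * Since: 3.1
 **/
int
gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t list,
				      const char* ca_file,
				      const char* crl_file,
				      gnutls_x509_crt_fmt_t type,
				      unsigned int tl_flags,
				      unsigned int tl_vflags)
{
	gnutls_datum_t cas = { NULL, 0 };
	gnutls_datum_t crls = { NULL, 0 };
	size_t size;
	int ret;
	/* CAs taken from a pkcs11 URL are added directly to @list; keep
	 * their count so it is not lost when the CRL step reports its own. */
	int pkcs11_added = 0;

	/* @ca_file is documented as optional, so do not dereference it
	 * when it is NULL (strncmp/read_binary_file would). */
	if (ca_file != NULL) {
#ifdef ENABLE_PKCS11
		if (strncmp(ca_file, "pkcs11:", 7) == 0) {
			ret = import_pkcs11_url(list, ca_file, tl_flags);
			if (ret < 0)
				return gnutls_assert_val(ret);
			pkcs11_added = ret;
		} else
#endif
		{
			cas.data = (void*)read_binary_file(ca_file, &size);
			if (cas.data == NULL) {
				gnutls_assert();
				ret = GNUTLS_E_FILE_ERROR;
				goto cleanup;
			}
			/* size_t -> unsigned int: assumes the CA file is below
			 * UINT_MAX bytes, as the original did. */
			cas.size = size;
		}
	}

	if (crl_file != NULL) {
		crls.data = (void*)read_binary_file(crl_file, &size);
		if (crls.data == NULL) {
			gnutls_assert();
			/* Go through cleanup so the already-read CA buffer
			 * is not leaked on this path. */
			ret = GNUTLS_E_FILE_ERROR;
			goto cleanup;
		}
		crls.size = size;
	}

	ret = gnutls_x509_trust_list_add_trust_mem(list, &cas, &crls, type,
						   tl_flags, tl_vflags);
	if (ret >= 0)
		ret += pkcs11_added;

cleanup:
	/* read_binary_file() buffers come from malloc, hence plain free(). */
	free(crls.data);
	free(cas.data);

	return ret;
}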