search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Bump versions.
[gnutls.git] / libextra / openssl_compat.c
blob0a389856a1430bd863a1164e03618007ded6b706
1 /*
2 * Copyright (C) 2002, 2003, 2004, 2005, 2007, 2008 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS-EXTRA.
7 *
8 * GNUTLS-EXTRA is free software: you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation, either version 3 of the License, or
11 * (at your option) any later version.
12 *
13 * GNUTLS-EXTRA is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 /* This file includes all functions that were in the 0.5.x and 0.8.x
23 * gnutls API. They are now implemented over the new certificate parsing
24 * API.
25 */
26
27 #include "gnutls_int.h"
28
29 #include <gnutls_global.h>
30 #include <gnutls_errors.h>
31 #include <string.h> /* memset */
32 #include <x509/x509_int.h>
33 #include <libtasn1.h>
34 #include <gnutls/x509.h>
35 #include <openssl_compat.h>
36
37 /*-
38 * gnutls_x509_extract_dn - This function parses an RDN sequence
39 * @idn: should contain a DER encoded RDN sequence
40 * @rdn: a pointer to a structure to hold the name
41 *
42 * This function will return the name of the given RDN sequence.
43 * The name will be returned as a gnutls_x509_dn structure.
44 * Returns a negative error code in case of an error.
45 *
46 -*/
47 int
48 gnutls_x509_extract_dn (const gnutls_datum_t * idn, gnutls_x509_dn * rdn)
49 {
50 ASN1_TYPE dn = ASN1_TYPE_EMPTY;
51 int result;
52 size_t len;
53
54 if ((result =
55 asn1_create_element (_gnutls_get_pkix (),
56 "PKIX1.Name", &dn)) != ASN1_SUCCESS)
57 {
58 return _gnutls_asn2err (result);
59 }
60
61 result = asn1_der_decoding (&dn, idn->data, idn->size, NULL);
62 if (result != ASN1_SUCCESS)
63 {
64 /* couldn't decode DER */
65 asn1_delete_structure (&dn);
66 return _gnutls_asn2err (result);
67 }
68
69 memset (rdn, 0, sizeof (gnutls_x509_dn));
70
71 len = sizeof (rdn->country);
72 _gnutls_x509_parse_dn_oid (dn, "", GNUTLS_OID_X520_COUNTRY_NAME, 0, 0,
73 rdn->country, &len);
74
75 len = sizeof (rdn->organization);
76 _gnutls_x509_parse_dn_oid (dn, "", GNUTLS_OID_X520_ORGANIZATION_NAME, 0,
77 0, rdn->organization, &len);
78
79 len = sizeof (rdn->organizational_unit_name);
80 _gnutls_x509_parse_dn_oid (dn, "",
81 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0,
82 0, rdn->organizational_unit_name, &len);
83
84 len = sizeof (rdn->common_name);
85 _gnutls_x509_parse_dn_oid (dn, "", GNUTLS_OID_X520_COMMON_NAME, 0, 0,
86 rdn->common_name, &len);
87
88 len = sizeof (rdn->locality_name);
89 _gnutls_x509_parse_dn_oid (dn, "", GNUTLS_OID_X520_LOCALITY_NAME, 0, 0,
90 rdn->locality_name, &len);
91
92 len = sizeof (rdn->state_or_province_name);
93 _gnutls_x509_parse_dn_oid (dn, "",
94 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0, 0,
95 rdn->state_or_province_name, &len);
96
97 len = sizeof (rdn->email);
98 _gnutls_x509_parse_dn_oid (dn, "", GNUTLS_OID_PKCS9_EMAIL, 0, 0,
99 rdn->email, &len);
100
101 asn1_delete_structure (&dn);
102
103 return 0;
104 }
105
106 /*-
107 * gnutls_x509_extract_certificate_dn - This function returns the certificate's distinguished name
108 * @cert: should contain an X.509 DER encoded certificate
109 * @ret: a pointer to a structure to hold the peer's name
110 *
111 * This function will return the name of the certificate holder. The name is gnutls_x509_dn structure and
112 * is a obtained by the peer's certificate. If the certificate send by the
113 * peer is invalid, or in any other failure this function returns error.
114 * Returns a negative error code in case of an error.
115 *
116 -*/
117 int
118 gnutls_x509_extract_certificate_dn (const gnutls_datum_t * cert,
119 gnutls_x509_dn * ret)
120 {
121 gnutls_x509_crt_t xcert;
122 int result;
123 size_t len;
124
125 result = gnutls_x509_crt_init (&xcert);
126 if (result < 0)
127 return result;
128
129 result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
130 if (result < 0)
131 {
132 gnutls_x509_crt_deinit (xcert);
133 return result;
134 }
135
136 len = sizeof (ret->country);
137 gnutls_x509_crt_get_dn_by_oid (xcert, GNUTLS_OID_X520_COUNTRY_NAME, 0,
138 0, ret->country, &len);
139
140 len = sizeof (ret->organization);
141 gnutls_x509_crt_get_dn_by_oid (xcert, GNUTLS_OID_X520_ORGANIZATION_NAME,
142 0, 0, ret->organization, &len);
143
144 len = sizeof (ret->organizational_unit_name);
145 gnutls_x509_crt_get_dn_by_oid (xcert,
146 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
147 0, 0, ret->organizational_unit_name, &len);
148
149 len = sizeof (ret->common_name);
150 gnutls_x509_crt_get_dn_by_oid (xcert, GNUTLS_OID_X520_COMMON_NAME, 0, 0,
151 ret->common_name, &len);
152
153 len = sizeof (ret->locality_name);
154 gnutls_x509_crt_get_dn_by_oid (xcert, GNUTLS_OID_X520_LOCALITY_NAME, 0,
155 0, ret->locality_name, &len);
156
157 len = sizeof (ret->state_or_province_name);
158 gnutls_x509_crt_get_dn_by_oid (xcert,
159 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME,
160 0, 0, ret->state_or_province_name, &len);
161
162 len = sizeof (ret->email);
163 gnutls_x509_crt_get_dn_by_oid (xcert, GNUTLS_OID_PKCS9_EMAIL, 0, 0,
164 ret->email, &len);
165
166 gnutls_x509_crt_deinit (xcert);
167
168 return 0;
169 }
170
171 /*-
172 * gnutls_x509_extract_certificate_issuer_dn - This function returns the certificate's issuer distinguished name
173 * @cert: should contain an X.509 DER encoded certificate
174 * @ret: a pointer to a structure to hold the issuer's name
175 *
176 * This function will return the name of the issuer stated in the certificate. The name is a gnutls_x509_dn structure and
177 * is a obtained by the peer's certificate. If the certificate send by the
178 * peer is invalid, or in any other failure this function returns error.
179 * Returns a negative error code in case of an error.
180 *
181 -*/
182 int
183 gnutls_x509_extract_certificate_issuer_dn (const gnutls_datum_t * cert,
184 gnutls_x509_dn * ret)
185 {
186 gnutls_x509_crt_t xcert;
187 int result;
188 size_t len;
189
190 result = gnutls_x509_crt_init (&xcert);
191 if (result < 0)
192 return result;
193
194 result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
195 if (result < 0)
196 {
197 gnutls_x509_crt_deinit (xcert);
198 return result;
199 }
200
201 len = sizeof (ret->country);
202 gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
203 GNUTLS_OID_X520_COUNTRY_NAME, 0,
204 0, ret->country, &len);
205
206 len = sizeof (ret->organization);
207 gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
208 GNUTLS_OID_X520_ORGANIZATION_NAME,
209 0, 0, ret->organization, &len);
210
211 len = sizeof (ret->organizational_unit_name);
212 gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
213 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
214 0, 0,
215 ret->organizational_unit_name, &len);
216
217 len = sizeof (ret->common_name);
218 gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
219 GNUTLS_OID_X520_COMMON_NAME, 0, 0,
220 ret->common_name, &len);
221
222 len = sizeof (ret->locality_name);
223 gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
224 GNUTLS_OID_X520_LOCALITY_NAME, 0,
225 0, ret->locality_name, &len);
226
227 len = sizeof (ret->state_or_province_name);
228 gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
229 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME,
230 0, 0, ret->state_or_province_name,
231 &len);
232
233 len = sizeof (ret->email);
234 gnutls_x509_crt_get_issuer_dn_by_oid (xcert, GNUTLS_OID_PKCS9_EMAIL, 0,
235 0, ret->email, &len);
236
237 gnutls_x509_crt_deinit (xcert);
238
239 return 0;
240 }
241
242
243 /*-
244 * gnutls_x509_extract_certificate_subject_alt_name - This function returns the certificate's alternative name, if any
245 * @cert: should contain an X.509 DER encoded certificate
246 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
247 * @ret: is the place where the alternative name will be copied to
248 * @ret_size: holds the size of ret.
249 *
250 * This function will return the alternative names, contained in the
251 * given certificate.
252 *
253 * This is specified in X509v3 Certificate Extensions.
254 * GNUTLS will return the Alternative name, or a negative
255 * error code.
256 * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if ret_size is not enough to hold the alternative
257 * name, or the type of alternative name if everything was ok. The type is
258 * one of the enumerated GNUTLS_X509_SUBJECT_ALT_NAME.
259 *
260 * If the certificate does not have an Alternative name with the specified
261 * sequence number then returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
262 *
263 -*/
264 int
265 gnutls_x509_extract_certificate_subject_alt_name (const gnutls_datum_t *
266 cert, int seq,
267 char *ret, int *ret_size)
268 {
269 gnutls_x509_crt_t xcert;
270 int result;
271 size_t size = *ret_size;
272
273 result = gnutls_x509_crt_init (&xcert);
274 if (result < 0)
275 return result;
276
277 result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
278 if (result < 0)
279 {
280 gnutls_x509_crt_deinit (xcert);
281 return result;
282 }
283
284 result =
285 gnutls_x509_crt_get_subject_alt_name (xcert, seq, ret, &size, NULL);
286 *ret_size = size;
287
288 gnutls_x509_crt_deinit (xcert);
289
290 return result;
291 }
292
293 /*-
294 * gnutls_x509_extract_certificate_ca_status - This function returns the certificate CA status
295 * @cert: should contain an X.509 DER encoded certificate
296 *
297 * This function will return certificates CA status, by reading the
298 * basicConstraints X.509 extension. If the certificate is a CA a positive
299 * value will be returned, or zero if the certificate does not have
300 * CA flag set.
301 *
302 * A negative value may be returned in case of parsing error.
303 * If the certificate does not contain the basicConstraints extension
304 * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
305 *
306 -*/
307 int
308 gnutls_x509_extract_certificate_ca_status (const gnutls_datum_t * cert)
309 {
310 gnutls_x509_crt_t xcert;
311 int result;
312
313 result = gnutls_x509_crt_init (&xcert);
314 if (result < 0)
315 return result;
316
317 result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
318 if (result < 0)
319 {
320 gnutls_x509_crt_deinit (xcert);
321 return result;
322 }
323
324 result = gnutls_x509_crt_get_ca_status (xcert, NULL);
325
326 gnutls_x509_crt_deinit (xcert);
327
328 return result;
329 }
330
331 /*-
332 * gnutls_x509_extract_certificate_activation_time - This function returns the peer's certificate activation time
333 * @cert: should contain an X.509 DER encoded certificate
334 *
335 * This function will return the certificate's activation time in UNIX time
336 * (ie seconds since 00:00:00 UTC January 1, 1970).
337 * Returns a (time_t) -1 in case of an error.
338 *
339 -*/
340 time_t
341 gnutls_x509_extract_certificate_activation_time (const gnutls_datum_t * cert)
342 {
343 gnutls_x509_crt_t xcert;
344 time_t result;
345
346 result = gnutls_x509_crt_init (&xcert);
347 if (result < 0)
348 return result;
349
350 result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
351 if (result < 0)
352 {
353 gnutls_x509_crt_deinit (xcert);
354 return result;
355 }
356
357 result = gnutls_x509_crt_get_activation_time (xcert);
358
359 gnutls_x509_crt_deinit (xcert);
360
361 return result;
362 }
363
364 /*-
365 * gnutls_x509_extract_certificate_expiration_time - This function returns the certificate's expiration time
366 * @cert: should contain an X.509 DER encoded certificate
367 *
368 * This function will return the certificate's expiration time in UNIX time
369 * (ie seconds since 00:00:00 UTC January 1, 1970).
370 * Returns a (time_t) -1 in case of an error.
371 *
372 -*/
373 time_t
374 gnutls_x509_extract_certificate_expiration_time (const gnutls_datum_t * cert)
375 {
376 gnutls_x509_crt_t xcert;
377 time_t result;
378
379 result = gnutls_x509_crt_init (&xcert);
380 if (result < 0)
381 return result;
382
383 result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
384 if (result < 0)
385 {
386 gnutls_x509_crt_deinit (xcert);
387 return result;
388 }
389
390 result = gnutls_x509_crt_get_expiration_time (xcert);
391
392 gnutls_x509_crt_deinit (xcert);
393
394 return result;
395 }
396
397 /*-
398 * gnutls_x509_extract_certificate_version - This function returns the certificate's version
399 * @cert: is an X.509 DER encoded certificate
400 *
401 * This function will return the X.509 certificate's version (1, 2, 3). This is obtained by the X509 Certificate
402 * Version field. Returns a negative value in case of an error.
403 *
404 -*/
405 int
406 gnutls_x509_extract_certificate_version (const gnutls_datum_t * cert)
407 {
408 gnutls_x509_crt_t xcert;
409 int result;
410
411 result = gnutls_x509_crt_init (&xcert);
412 if (result < 0)
413 return result;
414
415 result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
416 if (result < 0)
417 {
418 gnutls_x509_crt_deinit (xcert);
419 return result;
420 }
421
422 result = gnutls_x509_crt_get_version (xcert);
423
424 gnutls_x509_crt_deinit (xcert);
425
426 return result;
427
428 }
429
430 /*-
431 * gnutls_x509_extract_certificate_serial - This function returns the certificate's serial number
432 * @cert: is an X.509 DER encoded certificate
433 * @result: The place where the serial number will be copied
434 * @result_size: Holds the size of the result field.
435 *
436 * This function will return the X.509 certificate's serial number.
437 * This is obtained by the X509 Certificate serialNumber
438 * field. Serial is not always a 32 or 64bit number. Some CAs use
439 * large serial numbers, thus it may be wise to handle it as something
440 * opaque.
441 * Returns a negative value in case of an error.
442 *
443 -*/
444 int
445 gnutls_x509_extract_certificate_serial (const gnutls_datum_t * cert,
446 char *result, int *result_size)
447 {
448 gnutls_x509_crt_t xcert;
449 size_t size = *result_size;
450 int ret;
451
452 ret = gnutls_x509_crt_init (&xcert);
453 if (ret < 0)
454 return ret;
455
456 ret = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
457 if (ret < 0)
458 {
459 gnutls_x509_crt_deinit (xcert);
460 return ret;
461 }
462
463 ret = gnutls_x509_crt_get_serial (xcert, result, &size);
464 *result_size = size;
465
466 gnutls_x509_crt_deinit (xcert);
467
468 return ret;
469 }
470
471
472 /*-
473 * gnutls_x509_extract_certificate_pk_algorithm - This function returns the certificate's PublicKey algorithm
474 * @cert: is a DER encoded X.509 certificate
475 * @bits: if bits is non null it will hold the size of the parameters' in bits
476 *
477 * This function will return the public key algorithm of an X.509
478 * certificate.
479 *
480 * If bits is non null, it should have enough size to hold the parameters
481 * size in bits. For RSA the bits returned is the modulus.
482 * For DSA the bits returned are of the public
483 * exponent.
484 *
485 * Returns a member of the gnutls_pk_algorithm_t enumeration on success,
486 * or a negative value on error.
487 *
488 -*/
489 int
490 gnutls_x509_extract_certificate_pk_algorithm (const gnutls_datum_t *
491 cert, int *bits)
492 {
493 gnutls_x509_crt_t xcert;
494 int result;
495
496 result = gnutls_x509_crt_init (&xcert);
497 if (result < 0)
498 return result;
499
500 result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
501 if (result < 0)
502 {
503 gnutls_x509_crt_deinit (xcert);
504 return result;
505 }
506
507 result = gnutls_x509_crt_get_pk_algorithm (xcert, bits);
508
509 gnutls_x509_crt_deinit (xcert);
510
511 return result;
512 }
513
514
515 /*-
516 * gnutls_x509_extract_certificate_dn_string - This function returns the certificate's distinguished name
517 * @cert: should contain an X.509 DER encoded certificate
518 * @buf: a pointer to a structure to hold the peer's name
519 * @sizeof_buf: holds the size of 'buf'
520 * @issuer: if non zero, then extract the name of the issuer, instead of the holder
521 *
522 * This function will copy the name of the certificate holder in the provided buffer. The name
523 * will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253.
524 *
525 * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough,
526 * and 0 on success.
527 *
528 -*/
529 int
530 gnutls_x509_extract_certificate_dn_string (char *buf,
531 unsigned int sizeof_buf,
532 const gnutls_datum_t * cert,
533 int issuer)
534 {
535 gnutls_x509_crt_t xcert;
536 int result;
537 size_t size;
538
539 result = gnutls_x509_crt_init (&xcert);
540 if (result < 0)
541 return result;
542
543 result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
544 if (result < 0)
545 {
546 gnutls_x509_crt_deinit (xcert);
547 return result;
548 }
549
550 size = sizeof_buf;
551 if (!issuer)
552 result = gnutls_x509_crt_get_dn (xcert, buf, &size);
553 else
554 result = gnutls_x509_crt_get_issuer_dn (xcert, buf, &size);
555
556 gnutls_x509_crt_deinit (xcert);
557
558 return result;
559 }
560
561 /*-
562 * gnutls_x509_verify_certificate - This function verifies given certificate list
563 * @cert_list: is the certificate list to be verified
564 * @cert_list_length: holds the number of certificate in cert_list
565 * @CA_list: is the CA list which will be used in verification
566 * @CA_list_length: holds the number of CA certificate in CA_list
567 * @CRL_list: not used
568 * @CRL_list_length: not used
569 *
570 * This function will try to verify the given certificate list and return its status (TRUSTED, EXPIRED etc.).
571 * The return value (status) should be one or more of the gnutls_certificate_status_t
572 * enumerated elements bitwise or'd. Note that expiration and activation dates are not checked
573 * by this function, you should check them using the appropriate functions.
574 *
575 * This function understands the basicConstraints (2.5.29.19) PKIX extension.
576 * This means that only a certificate authority can sign a certificate.
577 *
578 * However you must also check the peer's name in order to check if the verified certificate belongs to the
579 * actual peer.
580 *
581 * The return value (status) should be one or more of the gnutls_certificate_status_t
582 * enumerated elements bitwise or'd.
583 *
584 * GNUTLS_CERT_INVALID: the peer's certificate is not valid.
585 *
586 * GNUTLS_CERT_REVOKED: the certificate has been revoked.
587 *
588 * A negative error code is returned in case of an error.
589 * GNUTLS_E_NO_CERTIFICATE_FOUND is returned to indicate that
590 * no certificate was sent by the peer.
591 *
592 *
593 -*/
594 int
595 gnutls_x509_verify_certificate (const gnutls_datum_t * cert_list,
596 int cert_list_length,
597 const gnutls_datum_t * CA_list,
598 int CA_list_length,
599 const gnutls_datum_t * CRL_list,
600 int CRL_list_length)
601 {
602 unsigned int verify;
603 gnutls_x509_crt_t *peer_certificate_list = NULL;
604 gnutls_x509_crt_t *ca_certificate_list = NULL;
605 gnutls_x509_crl_t *crl_list = NULL;
606 int peer_certificate_list_size = 0, i, x, ret;
607 int ca_certificate_list_size = 0, crl_list_size = 0;
608
609 if (cert_list == NULL || cert_list_length == 0)
610 return GNUTLS_E_NO_CERTIFICATE_FOUND;
611
612 /* generate a list of gnutls_certs based on the auth info
613 * raw certs.
614 */
615 peer_certificate_list_size = cert_list_length;
616 peer_certificate_list =
617 gnutls_calloc (peer_certificate_list_size, sizeof (gnutls_x509_crt_t));
618 if (peer_certificate_list == NULL)
619 {
620 gnutls_assert ();
621 ret = GNUTLS_E_MEMORY_ERROR;
622 goto cleanup;
623 }
624
625 ca_certificate_list_size = CA_list_length;
626 ca_certificate_list =
627 gnutls_calloc (ca_certificate_list_size, sizeof (gnutls_x509_crt_t));
628 if (ca_certificate_list == NULL)
629 {
630 gnutls_assert ();
631 ret = GNUTLS_E_MEMORY_ERROR;
632 goto cleanup;
633 }
634
635 /* allocate memory for CRL
636 */
637 crl_list_size = CRL_list_length;
638 crl_list = gnutls_calloc (crl_list_size, sizeof (gnutls_x509_crl_t));
639 if (crl_list == NULL)
640 {
641 gnutls_assert ();
642 ret = GNUTLS_E_MEMORY_ERROR;
643 goto cleanup;
644 }
645
646 /* convert certA_list to gnutls_cert* list
647 */
648 for (i = 0; i < peer_certificate_list_size; i++)
649 {
650 ret = gnutls_x509_crt_init (&peer_certificate_list[i]);
651 if (ret < 0)
652 {
653 gnutls_assert ();
654 goto cleanup;
655 }
656
657 ret =
658 gnutls_x509_crt_import (peer_certificate_list[i],
659 &cert_list[i], GNUTLS_X509_FMT_DER);
660 if (ret < 0)
661 {
662 gnutls_assert ();
663 goto cleanup;
664 }
665 }
666
667 /* convert CA_list to gnutls_x509_cert* list
668 */
669 for (i = 0; i < ca_certificate_list_size; i++)
670 {
671 ret = gnutls_x509_crt_init (&ca_certificate_list[i]);
672 if (ret < 0)
673 {
674 gnutls_assert ();
675 goto cleanup;
676 }
677
678 ret =
679 gnutls_x509_crt_import (ca_certificate_list[i],
680 &CA_list[i], GNUTLS_X509_FMT_DER);
681 if (ret < 0)
682 {
683 gnutls_assert ();
684 goto cleanup;
685 }
686 }
687
688 #ifdef ENABLE_PKI
689 /* convert CRL_list to gnutls_x509_crl* list
690 */
691 for (i = 0; i < crl_list_size; i++)
692 {
693 ret = gnutls_x509_crl_init (&crl_list[i]);
694 if (ret < 0)
695 {
696 gnutls_assert ();
697 goto cleanup;
698 }
699
700 ret =
701 gnutls_x509_crl_import (crl_list[i],
702 &CRL_list[i], GNUTLS_X509_FMT_DER);
703 if (ret < 0)
704 {
705 gnutls_assert ();
706 goto cleanup;
707 }
708 }
709 #endif
710
711 /* Verify certificate
712 */
713 ret =
714 gnutls_x509_crt_list_verify (peer_certificate_list,
715 peer_certificate_list_size,
716 ca_certificate_list,
717 ca_certificate_list_size, crl_list,
718 crl_list_size, 0, &verify);
719
720 if (ret < 0)
721 {
722 gnutls_assert ();
723 goto cleanup;
724 }
725
726 ret = verify;
727
728 cleanup:
729
730 if (peer_certificate_list != NULL)
731 for (x = 0; x < peer_certificate_list_size; x++)
732 {
733 if (peer_certificate_list[x] != NULL)
734 gnutls_x509_crt_deinit (peer_certificate_list[x]);
735 }
736
737 if (ca_certificate_list != NULL)
738 for (x = 0; x < ca_certificate_list_size; x++)
739 {
740 if (ca_certificate_list[x] != NULL)
741 gnutls_x509_crt_deinit (ca_certificate_list[x]);
742 }
743 #ifdef ENABLE_PKI
744 if (crl_list != NULL)
745 for (x = 0; x < crl_list_size; x++)
746 {
747 if (crl_list[x] != NULL)
748 gnutls_x509_crl_deinit (crl_list[x]);
749 }
750
751 gnutls_free (crl_list);
752 #endif
753
754 gnutls_free (ca_certificate_list);
755 gnutls_free (peer_certificate_list);
756
757 return ret;
758 }
759
760 /*-
761 * gnutls_x509_extract_key_pk_algorithm - This function returns the keys's PublicKey algorithm
762 * @cert: is a DER encoded private key
763 *
764 * This function will return the public key algorithm of a DER encoded private
765 * key.
766 *
767 * Returns a member of the gnutls_pk_algorithm_t enumeration on success,
768 * or GNUTLS_E_UNKNOWN_PK_ALGORITHM on error.
769 *
770 -*/
771 int
772 gnutls_x509_extract_key_pk_algorithm (const gnutls_datum_t * key)
773 {
774 gnutls_x509_privkey_t pkey;
775 int ret, pk;
776
777 ret = gnutls_x509_privkey_init (&pkey);
778 if (ret < 0)
779 {
780 gnutls_assert ();
781 return ret;
782 }
783
784 ret = gnutls_x509_privkey_import (pkey, key, GNUTLS_X509_FMT_DER);
785 if (ret < 0)
786 {
787 gnutls_assert ();
788 return ret;
789 }
790
791 pk = gnutls_x509_privkey_get_pk_algorithm (pkey);
792
793 gnutls_x509_privkey_deinit (pkey);
794 return pk;
795 }
796
797 #ifdef ENABLE_PKI
798
799 /*-
800 * gnutls_x509_pkcs7_extract_certificate - This function returns a certificate in a PKCS7 certificate set
801 * @pkcs7_struct: should contain a PKCS7 DER formatted structure
802 * @indx: contains the index of the certificate to extract
803 * @certificate: the contents of the certificate will be copied there
804 * @certificate_size: should hold the size of the certificate
805 *
806 * This function will return a certificate of the PKCS7 or RFC2630 certificate set.
807 * Returns 0 on success. If the provided buffer is not long enough,
808 * then GNUTLS_E_SHORT_MEMORY_BUFFER is returned.
809 *
810 * After the last certificate has been read GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
811 * will be returned.
812 *
813 -*/
814 int
815 gnutls_x509_pkcs7_extract_certificate (const gnutls_datum_t *
816 pkcs7_struct, int indx,
817 char *certificate,
818 int *certificate_size)
819 {
820 gnutls_pkcs7_t pkcs7;
821 int result;
822 size_t size = *certificate_size;
823
824 result = gnutls_pkcs7_init (&pkcs7);
825 if (result < 0)
826 return result;
827
828 result = gnutls_pkcs7_import (pkcs7, pkcs7_struct, GNUTLS_X509_FMT_DER);
829 if (result < 0)
830 {
831 gnutls_pkcs7_deinit (pkcs7);
832 return result;
833 }
834
835 result = gnutls_pkcs7_get_crt_raw (pkcs7, indx, certificate, &size);
836 *certificate_size = size;
837
838 gnutls_pkcs7_deinit (pkcs7);
839
840 return result;
841 }
842
843 #endif
Implementation of the SSL/TLS protocol