search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix use of deprecated types, for now and the future.
[gnutls.git] / lib / gnutls_cert.c
blob42db17cb793b4eb7b27104d657167d4b8618d2e1
1 /*
2 * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25 /* Some of the stuff needed for Certificate authentication is contained
26 * in this file.
27 */
28
29 #include <gnutls_int.h>
30 #include <gnutls_errors.h>
31 #include <auth_cert.h>
32 #include <gnutls_cert.h>
33 #include <gnutls_datum.h>
34 #include <gnutls_mpi.h>
35 #include <gnutls_global.h>
36 #include <gnutls_algorithms.h>
37 #include <gnutls_dh.h>
38 #include <gnutls_str.h>
39 #include <gnutls_state.h>
40 #include <gnutls_auth.h>
41 #include <gnutls_x509.h>
42 #include "x509/x509_int.h"
43 #ifdef ENABLE_OPENPGP
44 # include "openpgp/gnutls_openpgp.h"
45 #endif
46
47 /**
48 * gnutls_certificate_free_keys - Used to free all the keys from a gnutls_certificate_credentials_t structure
49 * @sc: is a #gnutls_certificate_credentials_t structure.
50 *
51 * This function will delete all the keys and the certificates associated
52 * with the given credentials. This function must not be called when a
53 * TLS negotiation that uses the credentials is in progress.
54 *
55 **/
56 void
57 gnutls_certificate_free_keys (gnutls_certificate_credentials_t sc)
58 {
59 unsigned i, j;
60
61 for (i = 0; i < sc->ncerts; i++)
62 {
63 for (j = 0; j < sc->cert_list_length[i]; j++)
64 {
65 _gnutls_gcert_deinit (&sc->cert_list[i][j]);
66 }
67 gnutls_free (sc->cert_list[i]);
68 }
69
70 gnutls_free (sc->cert_list_length);
71 sc->cert_list_length = NULL;
72
73 gnutls_free (sc->cert_list);
74 sc->cert_list = NULL;
75
76 for (i = 0; i < sc->ncerts; i++)
77 {
78 _gnutls_gkey_deinit (&sc->pkey[i]);
79 }
80
81 gnutls_free (sc->pkey);
82 sc->pkey = NULL;
83
84 sc->ncerts = 0;
85
86 }
87
88 /**
89 * gnutls_certificate_free_cas - Used to free all the CAs from a gnutls_certificate_credentials_t structure
90 * @sc: is a #gnutls_certificate_credentials_t structure.
91 *
92 * This function will delete all the CAs associated
93 * with the given credentials. Servers that do not use
94 * gnutls_certificate_verify_peers2() may call this to
95 * save some memory.
96 *
97 **/
98 void
99 gnutls_certificate_free_cas (gnutls_certificate_credentials_t sc)
100 {
101 unsigned j;
102
103 for (j = 0; j < sc->x509_ncas; j++)
104 {
105 gnutls_x509_crt_deinit (sc->x509_ca_list[j]);
106 }
107
108 sc->x509_ncas = 0;
109
110 gnutls_free (sc->x509_ca_list);
111 sc->x509_ca_list = NULL;
112
113 }
114
115 /**
116 * gnutls_certificate_get_x509_cas - Used to export all the CAs from a gnutls_certificate_credentials_t structure
117 * @sc: is a #gnutls_certificate_credentials_t structure.
118 * @x509_ca_list: will point to the CA list. Should be treated as constant
119 * @ncas: the number of CAs
120 *
121 * This function will export all the CAs associated
122 * with the given credentials.
123 *
124 * Since: 2.4.0
125 **/
126 void
127 gnutls_certificate_get_x509_cas (gnutls_certificate_credentials_t sc,
128 gnutls_x509_crt_t ** x509_ca_list,
129 unsigned int *ncas)
130 {
131 *x509_ca_list = sc->x509_ca_list;
132 *ncas = sc->x509_ncas;
133 }
134
135 /**
136 * gnutls_certificate_get_x509_crls - Used to export all the CRLs from a gnutls_certificate_credentials_t structure
137 * @sc: is a #gnutls_certificate_credentials_t structure.
138 * @x509_crl_list: the exported CRL list. Should be treated as constant
139 * @ncrls: the number of exported CRLs
140 *
141 * This function will export all the CRLs associated with the given
142 * credentials.
143 *
144 * Since: 2.4.0
145 **/
146 void
147 gnutls_certificate_get_x509_crls (gnutls_certificate_credentials_t sc,
148 gnutls_x509_crl_t ** x509_crl_list,
149 unsigned int *ncrls)
150 {
151 *x509_crl_list = sc->x509_crl_list;
152 *ncrls = sc->x509_ncrls;
153 }
154
155 #ifdef ENABLE_OPENPGP
156
157 /**
158 * gnutls_certificate_get_openpgp_keyring - export keyring from a #gnutls_certificate_credentials_t
159 * @sc: is a #gnutls_certificate_credentials_t structure.
160 * @keyring: the exported keyring. Should be treated as constant
161 *
162 * This function will export the OpenPGP keyring associated with the
163 * given credentials.
164 *
165 * Since: 2.4.0
166 **/
167 void
168 gnutls_certificate_get_openpgp_keyring (gnutls_certificate_credentials_t sc,
169 gnutls_openpgp_keyring_t * keyring)
170 {
171 *keyring = sc->keyring;
172 }
173
174 #endif
175
176 /**
177 * gnutls_certificate_free_ca_names - Used to free all the CA names from a gnutls_certificate_credentials_t structure
178 * @sc: is a #gnutls_certificate_credentials_t structure.
179 *
180 * This function will delete all the CA name in the
181 * given credentials. Clients may call this to save some memory
182 * since in client side the CA names are not used.
183 *
184 * CA names are used by servers to advertize the CAs they
185 * support to clients.
186 *
187 **/
188 void
189 gnutls_certificate_free_ca_names (gnutls_certificate_credentials_t sc)
190 {
191 _gnutls_free_datum (&sc->x509_rdn_sequence);
192 }
193
194 /*-
195 * _gnutls_certificate_get_rsa_params - Returns the RSA parameters pointer
196 * @rsa_params: holds the RSA parameters or NULL.
197 * @func: function to retrieve the parameters or NULL.
198 * @session: The session.
199 *
200 * This function will return the rsa parameters pointer.
201 *
202 -*/
203 gnutls_rsa_params_t
204 _gnutls_certificate_get_rsa_params (gnutls_rsa_params_t rsa_params,
205 gnutls_params_function * func,
206 gnutls_session_t session)
207 {
208 gnutls_params_st params;
209 int ret;
210
211 if (session->internals.params.rsa_params)
212 {
213 return session->internals.params.rsa_params;
214 }
215
216 if (rsa_params)
217 {
218 session->internals.params.rsa_params = rsa_params;
219 }
220 else if (func)
221 {
222 ret = func (session, GNUTLS_PARAMS_RSA_EXPORT, &params);
223 if (ret == 0 && params.type == GNUTLS_PARAMS_RSA_EXPORT)
224 {
225 session->internals.params.rsa_params = params.params.rsa_export;
226 session->internals.params.free_rsa_params = params.deinit;
227 }
228 }
229
230 return session->internals.params.rsa_params;
231 }
232
233
234 /**
235 * gnutls_certificate_free_credentials - Used to free an allocated gnutls_certificate_credentials_t structure
236 * @sc: is a #gnutls_certificate_credentials_t structure.
237 *
238 * This structure is complex enough to manipulate directly thus
239 * this helper function is provided in order to free (deallocate) it.
240 *
241 * This function does not free any temporary parameters associated
242 * with this structure (ie RSA and DH parameters are not freed by
243 * this function).
244 **/
245 void
246 gnutls_certificate_free_credentials (gnutls_certificate_credentials_t sc)
247 {
248 gnutls_certificate_free_keys (sc);
249 gnutls_certificate_free_cas (sc);
250 gnutls_certificate_free_ca_names (sc);
251 #ifdef ENABLE_PKI
252 gnutls_certificate_free_crls (sc);
253 #endif
254
255 #ifdef ENABLE_OPENPGP
256 gnutls_openpgp_keyring_deinit (sc->keyring);
257 #endif
258
259 gnutls_free (sc);
260 }
261
262
263 /**
264 * gnutls_certificate_allocate_credentials - Used to allocate a gnutls_certificate_credentials_t structure
265 * @res: is a pointer to a #gnutls_certificate_credentials_t structure.
266 *
267 * This structure is complex enough to manipulate directly thus this
268 * helper function is provided in order to allocate it.
269 *
270 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
271 **/
272 int
273 gnutls_certificate_allocate_credentials (gnutls_certificate_credentials_t *
274 res)
275 {
276 *res = gnutls_calloc (1, sizeof (certificate_credentials_st));
277
278 if (*res == NULL)
279 return GNUTLS_E_MEMORY_ERROR;
280
281 (*res)->verify_bits = DEFAULT_VERIFY_BITS;
282 (*res)->verify_depth = DEFAULT_VERIFY_DEPTH;
283
284 return 0;
285 }
286
287
288 /* returns the KX algorithms that are supported by a
289 * certificate. (Eg a certificate with RSA params, supports
290 * GNUTLS_KX_RSA algorithm).
291 * This function also uses the KeyUsage field of the certificate
292 * extensions in order to disable unneded algorithms.
293 */
294 int
295 _gnutls_selected_cert_supported_kx (gnutls_session_t session,
296 gnutls_kx_algorithm_t ** alg,
297 int *alg_size)
298 {
299 gnutls_kx_algorithm_t kx;
300 gnutls_pk_algorithm_t pk;
301 gnutls_kx_algorithm_t kxlist[MAX_ALGOS];
302 gnutls_cert *cert;
303 int i;
304
305 if (session->internals.selected_cert_list_length == 0)
306 {
307 *alg_size = 0;
308 *alg = NULL;
309 return 0;
310 }
311
312 cert = &session->internals.selected_cert_list[0];
313 i = 0;
314
315 for (kx = 0; kx < MAX_ALGOS; kx++)
316 {
317 pk = _gnutls_map_pk_get_pk (kx);
318 if (pk == cert->subject_pk_algorithm)
319 {
320 /* then check key usage */
321 if (_gnutls_check_key_usage (cert, kx) == 0)
322 {
323 kxlist[i] = kx;
324 i++;
325 }
326 }
327 }
328
329 if (i == 0)
330 {
331 gnutls_assert ();
332 return GNUTLS_E_INVALID_REQUEST;
333 }
334
335 *alg = gnutls_calloc (i, sizeof (gnutls_kx_algorithm_t));
336 if (*alg == NULL)
337 return GNUTLS_E_MEMORY_ERROR;
338
339 *alg_size = i;
340
341 memcpy (*alg, kxlist, i * sizeof (gnutls_kx_algorithm_t));
342
343 return 0;
344 }
345
346
347 /**
348 * gnutls_certificate_server_set_request - Used to set whether to request a client certificate
349 * @session: is a #gnutls_session_t structure.
350 * @req: is one of GNUTLS_CERT_REQUEST, GNUTLS_CERT_REQUIRE
351 *
352 * This function specifies if we (in case of a server) are going
353 * to send a certificate request message to the client. If @req
354 * is GNUTLS_CERT_REQUIRE then the server will return an error if
355 * the peer does not provide a certificate. If you do not
356 * call this function then the client will not be asked to
357 * send a certificate.
358 **/
359 void
360 gnutls_certificate_server_set_request (gnutls_session_t session,
361 gnutls_certificate_request_t req)
362 {
363 session->internals.send_cert_req = req;
364 }
365
366 /**
367 * gnutls_certificate_client_set_retrieve_function - Used to set a callback to retrieve the certificate
368 * @cred: is a #gnutls_certificate_credentials_t structure.
369 * @func: is the callback function
370 *
371 * This function sets a callback to be called in order to retrieve the certificate
372 * to be used in the handshake.
373 * The callback's function prototype is:
374 * int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs,
375 * const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_retr_st* st);
376 *
377 * @req_ca_cert is only used in X.509 certificates.
378 * Contains a list with the CA names that the server considers trusted.
379 * Normally we should send a certificate that is signed
380 * by one of these CAs. These names are DER encoded. To get a more
381 * meaningful value use the function gnutls_x509_rdn_get().
382 *
383 * @pk_algos contains a list with server's acceptable signature algorithms.
384 * The certificate returned should support the server's given algorithms.
385 *
386 * @st should contain the certificates and private keys.
387 *
388 * If the callback function is provided then gnutls will call it, in the
389 * handshake, after the certificate request message has been received.
390 *
391 * The callback function should set the certificate list to be sent, and
392 * return 0 on success. If no certificate was selected then the number of certificates
393 * should be set to zero. The value (-1) indicates error and the handshake
394 * will be terminated.
395 **/
396 void gnutls_certificate_client_set_retrieve_function
397 (gnutls_certificate_credentials_t cred,
398 gnutls_certificate_client_retrieve_function * func)
399 {
400 cred->client_get_cert_callback = func;
401 }
402
403 /**
404 * gnutls_certificate_server_set_retrieve_function - Used to set a callback to retrieve the certificate
405 * @cred: is a #gnutls_certificate_credentials_t structure.
406 * @func: is the callback function
407 *
408 * This function sets a callback to be called in order to retrieve the certificate
409 * to be used in the handshake.
410 * The callback's function prototype is:
411 * int (*callback)(gnutls_session_t, gnutls_retr_st* st);
412 *
413 * @st should contain the certificates and private keys.
414 *
415 * If the callback function is provided then gnutls will call it, in the
416 * handshake, after the certificate request message has been received.
417 *
418 * The callback function should set the certificate list to be sent, and
419 * return 0 on success. The value (-1) indicates error and the handshake
420 * will be terminated.
421 **/
422 void gnutls_certificate_server_set_retrieve_function
423 (gnutls_certificate_credentials_t cred,
424 gnutls_certificate_server_retrieve_function * func)
425 {
426 cred->server_get_cert_callback = func;
427 }
428
429 /*-
430 * _gnutls_x509_extract_certificate_activation_time - return the peer's certificate activation time
431 * @cert: should contain an X.509 DER encoded certificate
432 *
433 * This function will return the certificate's activation time in UNIX time
434 * (ie seconds since 00:00:00 UTC January 1, 1970).
435 *
436 * Returns a (time_t) -1 in case of an error.
437 *
438 -*/
439 static time_t
440 _gnutls_x509_get_raw_crt_activation_time (const gnutls_datum_t * cert)
441 {
442 gnutls_x509_crt_t xcert;
443 time_t result;
444
445 result = gnutls_x509_crt_init (&xcert);
446 if (result < 0)
447 return (time_t) - 1;
448
449 result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
450 if (result < 0)
451 {
452 gnutls_x509_crt_deinit (xcert);
453 return (time_t) - 1;
454 }
455
456 result = gnutls_x509_crt_get_activation_time (xcert);
457
458 gnutls_x509_crt_deinit (xcert);
459
460 return result;
461 }
462
463 /*-
464 * gnutls_x509_extract_certificate_expiration_time - return the certificate's expiration time
465 * @cert: should contain an X.509 DER encoded certificate
466 *
467 * This function will return the certificate's expiration time in UNIX
468 * time (ie seconds since 00:00:00 UTC January 1, 1970). Returns a
469 *
470 * (time_t) -1 in case of an error.
471 *
472 -*/
473 static time_t
474 _gnutls_x509_get_raw_crt_expiration_time (const gnutls_datum_t * cert)
475 {
476 gnutls_x509_crt_t xcert;
477 time_t result;
478
479 result = gnutls_x509_crt_init (&xcert);
480 if (result < 0)
481 return (time_t) - 1;
482
483 result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
484 if (result < 0)
485 {
486 gnutls_x509_crt_deinit (xcert);
487 return (time_t) - 1;
488 }
489
490 result = gnutls_x509_crt_get_expiration_time (xcert);
491
492 gnutls_x509_crt_deinit (xcert);
493
494 return result;
495 }
496
497 #ifdef ENABLE_OPENPGP
498 /*-
499 * _gnutls_openpgp_crt_verify_peers - return the peer's certificate status
500 * @session: is a gnutls session
501 *
502 * This function will try to verify the peer's certificate and return its status (TRUSTED, INVALID etc.).
503 * Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
504 *
505 -*/
506 static int
507 _gnutls_openpgp_crt_verify_peers (gnutls_session_t session,
508 unsigned int *status)
509 {
510 cert_auth_info_t info;
511 gnutls_certificate_credentials_t cred;
512 int peer_certificate_list_size, ret;
513
514 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
515
516 info = _gnutls_get_auth_info (session);
517 if (info == NULL)
518 return GNUTLS_E_INVALID_REQUEST;
519
520 cred = (gnutls_certificate_credentials_t)
521 _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL);
522 if (cred == NULL)
523 {
524 gnutls_assert ();
525 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
526 }
527
528 if (info->raw_certificate_list == NULL || info->ncerts == 0)
529 {
530 gnutls_assert ();
531 return GNUTLS_E_NO_CERTIFICATE_FOUND;
532 }
533
534 /* generate a list of gnutls_certs based on the auth info
535 * raw certs.
536 */
537 peer_certificate_list_size = info->ncerts;
538
539 if (peer_certificate_list_size != 1)
540 {
541 gnutls_assert ();
542 return GNUTLS_E_INTERNAL_ERROR;
543 }
544
545 /* Verify certificate
546 */
547 ret =
548 _gnutls_openpgp_verify_key (cred, &info->raw_certificate_list[0],
549 peer_certificate_list_size, status);
550
551 if (ret < 0)
552 {
553 gnutls_assert ();
554 return ret;
555 }
556
557 return 0;
558 }
559 #endif
560
561 /**
562 * gnutls_certificate_verify_peers2 - return the peer's certificate verification status
563 * @session: is a gnutls session
564 * @status: is the output of the verification
565 *
566 * This function will try to verify the peer's certificate and return
567 * its status (trusted, invalid etc.). The value of @status should
568 * be one or more of the gnutls_certificate_status_t enumerated
569 * elements bitwise or'd. To avoid denial of service attacks some
570 * default upper limits regarding the certificate key size and chain
571 * size are set. To override them use
572 * gnutls_certificate_set_verify_limits().
573 *
574 * Note that you must also check the peer's name in order to check if
575 * the verified certificate belongs to the actual peer.
576 *
577 * This function uses gnutls_x509_crt_list_verify() with the CAs in
578 * the credentials as trusted CAs.
579 *
580 * Note that some commonly used X.509 Certificate Authorities are
581 * still using Version 1 certificates. If you want to accept them,
582 * you need to call gnutls_certificate_set_verify_flags() with, e.g.,
583 * %GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT parameter.
584 *
585 * Returns: a negative error code on error and zero on success.
586 **/
587 int
588 gnutls_certificate_verify_peers2 (gnutls_session_t session,
589 unsigned int *status)
590 {
591 cert_auth_info_t info;
592
593 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
594
595 info = _gnutls_get_auth_info (session);
596 if (info == NULL)
597 {
598 return GNUTLS_E_NO_CERTIFICATE_FOUND;
599 }
600
601 if (info->raw_certificate_list == NULL || info->ncerts == 0)
602 return GNUTLS_E_NO_CERTIFICATE_FOUND;
603
604 switch (gnutls_certificate_type_get (session))
605 {
606 case GNUTLS_CRT_X509:
607 return _gnutls_x509_cert_verify_peers (session, status);
608 #ifdef ENABLE_OPENPGP
609 case GNUTLS_CRT_OPENPGP:
610 return _gnutls_openpgp_crt_verify_peers (session, status);
611 #endif
612 default:
613 return GNUTLS_E_INVALID_REQUEST;
614 }
615 }
616
617 /**
618 * gnutls_certificate_verify_peers - return the peer's certificate verification status
619 * @session: is a gnutls session
620 *
621 * This function will try to verify the peer's certificate and return
622 * its status (trusted, invalid etc.). However you must also check
623 * the peer's name in order to check if the verified certificate
624 * belongs to the actual peer.
625 *
626 * This function uses gnutls_x509_crt_list_verify().
627 *
628 * Returns: one or more of the #gnutls_certificate_status_t
629 * enumerated elements bitwise or'd, or a negative value on error.
630 *
631 * Deprecated: Use gnutls_certificate_verify_peers2() instead.
632 **/
633 int
634 gnutls_certificate_verify_peers (gnutls_session_t session)
635 {
636 unsigned int status;
637 int ret;
638
639 ret = gnutls_certificate_verify_peers2 (session, &status);
640
641 if (ret < 0)
642 {
643 gnutls_assert ();
644 return ret;
645 }
646
647 return status;
648 }
649
650 /**
651 * gnutls_certificate_expiration_time_peers - return the peer's certificate expiration time
652 * @session: is a gnutls session
653 *
654 * This function will return the peer's certificate expiration time.
655 *
656 * Returns: (time_t)-1 on error.
657 *
658 * Deprecated: gnutls_certificate_verify_peers2() now verifies expiration times.
659 **/
660 time_t
661 gnutls_certificate_expiration_time_peers (gnutls_session_t session)
662 {
663 cert_auth_info_t info;
664
665 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
666
667 info = _gnutls_get_auth_info (session);
668 if (info == NULL)
669 {
670 return (time_t) - 1;
671 }
672
673 if (info->raw_certificate_list == NULL || info->ncerts == 0)
674 {
675 gnutls_assert ();
676 return (time_t) - 1;
677 }
678
679 switch (gnutls_certificate_type_get (session))
680 {
681 case GNUTLS_CRT_X509:
682 return
683 _gnutls_x509_get_raw_crt_expiration_time (&info->raw_certificate_list
684 [0]);
685 #ifdef ENABLE_OPENPGP
686 case GNUTLS_CRT_OPENPGP:
687 return
688 _gnutls_openpgp_get_raw_key_expiration_time
689 (&info->raw_certificate_list[0]);
690 #endif
691 default:
692 return (time_t) - 1;
693 }
694 }
695
696 /**
697 * gnutls_certificate_activation_time_peers - return the peer's certificate activation time
698 * @session: is a gnutls session
699 *
700 * This function will return the peer's certificate activation time.
701 * This is the creation time for openpgp keys.
702 *
703 * Returns: (time_t)-1 on error.
704 *
705 * Deprecated: gnutls_certificate_verify_peers2() now verifies activation times.
706 **/
707 time_t
708 gnutls_certificate_activation_time_peers (gnutls_session_t session)
709 {
710 cert_auth_info_t info;
711
712 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
713
714 info = _gnutls_get_auth_info (session);
715 if (info == NULL)
716 {
717 return (time_t) - 1;
718 }
719
720 if (info->raw_certificate_list == NULL || info->ncerts == 0)
721 {
722 gnutls_assert ();
723 return (time_t) - 1;
724 }
725
726 switch (gnutls_certificate_type_get (session))
727 {
728 case GNUTLS_CRT_X509:
729 return
730 _gnutls_x509_get_raw_crt_activation_time (&info->raw_certificate_list
731 [0]);
732 #ifdef ENABLE_OPENPGP
733 case GNUTLS_CRT_OPENPGP:
734 return
735 _gnutls_openpgp_get_raw_key_creation_time (&info->raw_certificate_list
736 [0]);
737 #endif
738 default:
739 return (time_t) - 1;
740 }
741 }
742
743 /* Converts the first certificate for the cert_auth_info structure
744 * to a gcert.
745 */
746 int
747 _gnutls_get_auth_info_gcert (gnutls_cert * gcert,
748 gnutls_certificate_type_t type,
749 cert_auth_info_t info,
750 int flags /* OR of ConvFlags */ )
751 {
752 switch (type)
753 {
754 case GNUTLS_CRT_X509:
755 return _gnutls_x509_raw_cert_to_gcert (gcert,
756 &info->raw_certificate_list[0],
757 flags);
758 #ifdef ENABLE_OPENPGP
759 case GNUTLS_CRT_OPENPGP:
760 return _gnutls_openpgp_raw_crt_to_gcert (gcert,
761 &info->raw_certificate_list[0],
762 info->
763 use_subkey ? info->subkey_id :
764 NULL);
765 #endif
766 default:
767 gnutls_assert ();
768 return GNUTLS_E_INTERNAL_ERROR;
769 }
770 }
771
772 /* This function will convert a der certificate to a format
773 * (structure) that gnutls can understand and use. Actually the
774 * important thing on this function is that it extracts the
775 * certificate's (public key) parameters.
776 *
777 * The noext flag is used to complete the handshake even if the
778 * extensions found in the certificate are unsupported and critical.
779 * The critical extensions will be catched by the verification functions.
780 */
781 int
782 _gnutls_x509_raw_cert_to_gcert (gnutls_cert * gcert,
783 const gnutls_datum_t * derCert,
784 int flags /* OR of ConvFlags */ )
785 {
786 int ret;
787 gnutls_x509_crt_t cert;
788
789 ret = gnutls_x509_crt_init (&cert);
790 if (ret < 0)
791 {
792 gnutls_assert ();
793 return ret;
794 }
795
796 ret = gnutls_x509_crt_import (cert, derCert, GNUTLS_X509_FMT_DER);
797 if (ret < 0)
798 {
799 gnutls_assert ();
800 gnutls_x509_crt_deinit (cert);
801 return ret;
802 }
803
804 ret = _gnutls_x509_crt_to_gcert (gcert, cert, flags);
805 gnutls_x509_crt_deinit (cert);
806
807 return ret;
808 }
809
810 /* Like above but it accepts a parsed certificate instead.
811 */
812 int
813 _gnutls_x509_crt_to_gcert (gnutls_cert * gcert,
814 gnutls_x509_crt_t cert, unsigned int flags)
815 {
816 int ret = 0;
817
818 memset (gcert, 0, sizeof (gnutls_cert));
819 gcert->cert_type = GNUTLS_CRT_X509;
820
821 if (!(flags & CERT_NO_COPY))
822 {
823 #define SMALL_DER 512
824 opaque *der;
825 size_t der_size = SMALL_DER;
826
827 /* initially allocate a bogus size, just in case the certificate
828 * fits in it. That way we minimize the DER encodings performed.
829 */
830 der = gnutls_malloc (SMALL_DER);
831 if (der == NULL)
832 {
833 gnutls_assert ();
834 return GNUTLS_E_MEMORY_ERROR;
835 }
836
837 ret =
838 gnutls_x509_crt_export (cert, GNUTLS_X509_FMT_DER, der, &der_size);
839 if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
840 {
841 gnutls_assert ();
842 gnutls_free (der);
843 return ret;
844 }
845
846 if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
847 {
848 der = gnutls_realloc (der, der_size);
849 if (der == NULL)
850 {
851 gnutls_assert ();
852 return GNUTLS_E_MEMORY_ERROR;
853 }
854
855 ret =
856 gnutls_x509_crt_export (cert, GNUTLS_X509_FMT_DER, der,
857 &der_size);
858 if (ret < 0)
859 {
860 gnutls_assert ();
861 gnutls_free (der);
862 return ret;
863 }
864 }
865
866 gcert->raw.data = der;
867 gcert->raw.size = der_size;
868 }
869 else
870 /* now we have 0 or a bitwise or of things to decode */
871 flags ^= CERT_NO_COPY;
872
873
874 if (flags & CERT_ONLY_EXTENSIONS || flags == 0)
875 {
876 gnutls_x509_crt_get_key_usage (cert, &gcert->key_usage, NULL);
877 gcert->version = gnutls_x509_crt_get_version (cert);
878 }
879 gcert->subject_pk_algorithm = gnutls_x509_crt_get_pk_algorithm (cert, NULL);
880
881 if (flags & CERT_ONLY_PUBKEY || flags == 0)
882 {
883 gcert->params_size = MAX_PUBLIC_PARAMS_SIZE;
884 ret =
885 _gnutls_x509_crt_get_mpis (cert, gcert->params, &gcert->params_size);
886 if (ret < 0)
887 {
888 gnutls_assert ();
889 return ret;
890 }
891 }
892
893 return 0;
894
895 }
896
897 void
898 _gnutls_gcert_deinit (gnutls_cert * cert)
899 {
900 int i;
901
902 if (cert == NULL)
903 return;
904
905 for (i = 0; i < cert->params_size; i++)
906 {
907 _gnutls_mpi_release (&cert->params[i]);
908 }
909
910 _gnutls_free_datum (&cert->raw);
911 }
912
913 /**
914 * gnutls_sign_callback_set:
915 * @session: is a gnutls session
916 * @sign_func: function pointer to application's sign callback.
917 * @userdata: void pointer that will be passed to sign callback.
918 *
919 * Set the callback function. The function must have this prototype:
920 *
921 * typedef int (*gnutls_sign_func) (gnutls_session_t session,
922 * void *userdata,
923 * gnutls_certificate_type_t cert_type,
924 * const gnutls_datum_t * cert,
925 * const gnutls_datum_t * hash,
926 * gnutls_datum_t * signature);
927 *
928 * The @userdata parameter is passed to the @sign_func verbatim, and
929 * can be used to store application-specific data needed in the
930 * callback function. See also gnutls_sign_callback_get().
931 **/
932 void
933 gnutls_sign_callback_set (gnutls_session_t session,
934 gnutls_sign_func sign_func, void *userdata)
935 {
936 session->internals.sign_func = sign_func;
937 session->internals.sign_func_userdata = userdata;
938 }
939
940 /**
941 * gnutls_sign_callback_get:
942 * @session: is a gnutls session
943 * @userdata: if non-%NULL, will be set to abstract callback pointer.
944 *
945 * Retrieve the callback function, and its userdata pointer.
946 *
947 * Returns: The function pointer set by gnutls_sign_callback_set(), or
948 * if not set, %NULL.
949 **/
950 gnutls_sign_func
951 gnutls_sign_callback_get (gnutls_session_t session, void **userdata)
952 {
953 if (userdata)
954 *userdata = session->internals.sign_func_userdata;
955 return session->internals.sign_func;
956 }
Implementation of the SSL/TLS protocol