| blob | f784cc5f812377a1e3910e801d079bb9484eab34 |
1 /*
2 * Copyright (C) 2001-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
23 /* Some of the stuff needed for Certificate authentication is contained
24 * in this file.
25 */
27 #include <gnutls_int.h>
28 #include <gnutls_errors.h>
29 #include <auth/cert.h>
30 #include <gnutls_datum.h>
31 #include <gnutls_mpi.h>
32 #include <gnutls_global.h>
33 #include <algorithms.h>
34 #include <gnutls_dh.h>
35 #include <gnutls_str.h>
36 #include <gnutls_state.h>
37 #include <gnutls_auth.h>
38 #include <gnutls_x509.h>
39 #include <gnutls_str_array.h>
41 #ifdef ENABLE_OPENPGP
43 #endif
45 #define _(String) dgettext (PACKAGE, String)
47 /**
48 * gnutls_certificate_free_keys:
49 * @sc: is a #gnutls_certificate_credentials_t structure.
50 *
51 * This function will delete all the keys and the certificates associated
52 * with the given credentials. This function must not be called when a
53 * TLS negotiation that uses the credentials is in progress.
54 *
55 **/
56 void
58 {
62 {
64 {
66 }
69 }
75 {
77 }
83 }
85 /**
86 * gnutls_certificate_free_cas:
87 * @sc: is a #gnutls_certificate_credentials_t structure.
88 *
89 * This function will delete all the CAs associated with the given
90 * credentials. Servers that do not use
91 * gnutls_certificate_verify_peers2() may call this to save some
92 * memory.
93 **/
94 void
96 {
97 /* FIXME: do nothing for now */
99 }
101 /**
102 * gnutls_certificate_get_issuer:
103 * @sc: is a #gnutls_certificate_credentials_t structure.
104 * @cert: is the certificate to find issuer for
105 * @issuer: Will hold the issuer if any. Should be treated as constant.
106 * @flags: Use zero.
107 *
108 * This function will return the issuer of a given certificate.
109 *
110 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
111 * negative error value.
112 *
113 * Since: 3.0
114 **/
115 int
118 {
120 }
122 /**
123 * gnutls_certificate_free_ca_names:
124 * @sc: is a #gnutls_certificate_credentials_t structure.
125 *
126 * This function will delete all the CA name in the given
127 * credentials. Clients may call this to save some memory since in
128 * client side the CA names are not used. Servers might want to use
129 * this function if a large list of trusted CAs is present and
130 * sending the names of it would just consume bandwidth without providing
131 * information to client.
132 *
133 * CA names are used by servers to advertise the CAs they support to
134 * clients.
135 **/
136 void
138 {
140 }
142 /*-
143 * _gnutls_certificate_get_rsa_params - Returns the RSA parameters pointer
144 * @rsa_params: holds the RSA parameters or NULL.
145 * @func: function to retrieve the parameters or NULL.
146 * @session: The session.
147 *
148 * This function will return the rsa parameters pointer.
149 -*/
150 gnutls_rsa_params_t
153 gnutls_session_t session)
154 {
155 gnutls_params_st params;
159 {
161 }
164 {
166 }
168 {
171 {
174 }
175 }
178 }
181 /**
182 * gnutls_certificate_free_credentials:
183 * @sc: is a #gnutls_certificate_credentials_t structure.
184 *
185 * This structure is complex enough to manipulate directly thus this
186 * helper function is provided in order to free (deallocate) it.
187 *
188 * This function does not free any temporary parameters associated
189 * with this structure (ie RSA and DH parameters are not freed by this
190 * function).
191 **/
192 void
194 {
200 #ifdef ENABLE_OPENPGP
202 #endif
205 }
208 /**
209 * gnutls_certificate_allocate_credentials:
210 * @res: is a pointer to a #gnutls_certificate_credentials_t structure.
211 *
212 * This structure is complex enough to manipulate directly thus this
213 * helper function is provided in order to allocate it.
214 *
215 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
216 **/
217 int
219 res)
220 {
230 {
234 }
239 }
242 /* returns the KX algorithms that are supported by a
243 * certificate. (Eg a certificate with RSA params, supports
244 * GNUTLS_KX_RSA algorithm).
245 * This function also uses the KeyUsage field of the certificate
246 * extensions in order to disable unneded algorithms.
247 */
248 int
252 {
253 gnutls_kx_algorithm_t kx;
259 {
262 }
269 {
272 {
273 /* then check key usage */
275 {
277 i++;
281 }
282 }
283 }
286 {
289 }
294 }
297 /**
298 * gnutls_certificate_server_set_request:
299 * @session: is a #gnutls_session_t structure.
300 * @req: is one of GNUTLS_CERT_REQUEST, GNUTLS_CERT_REQUIRE
301 *
302 * This function specifies if we (in case of a server) are going to
303 * send a certificate request message to the client. If @req is
304 * GNUTLS_CERT_REQUIRE then the server will return an error if the
305 * peer does not provide a certificate. If you do not call this
306 * function then the client will not be asked to send a certificate.
307 **/
308 void
310 gnutls_certificate_request_t req)
311 {
313 }
315 /**
316 * gnutls_certificate_client_set_retrieve_function:
317 * @cred: is a #gnutls_certificate_credentials_t structure.
318 * @func: is the callback function
319 *
320 * This function sets a callback to be called in order to retrieve the
321 * certificate to be used in the handshake.
322 * You are advised to use gnutls_certificate_set_retrieve_function2() because it
323 * is much more efficient in the processing it requires from gnutls.
324 *
325 * The callback's function prototype is:
326 * int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs,
327 * const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_retr_st* st);
328 *
329 * @req_ca_cert is only used in X.509 certificates.
330 * Contains a list with the CA names that the server considers trusted.
331 * Normally we should send a certificate that is signed
332 * by one of these CAs. These names are DER encoded. To get a more
333 * meaningful value use the function gnutls_x509_rdn_get().
334 *
335 * @pk_algos contains a list with server's acceptable signature algorithms.
336 * The certificate returned should support the server's given algorithms.
337 *
338 * @st should contain the certificates and private keys.
339 *
340 * If the callback function is provided then gnutls will call it, in the
341 * handshake, if a certificate is requested by the server (and after the
342 * certificate request message has been received).
343 *
344 * The callback function should set the certificate list to be sent,
345 * and return 0 on success. If no certificate was selected then the
346 * number of certificates should be set to zero. The value (-1)
347 * indicates error and the handshake will be terminated.
348 **/
349 void gnutls_certificate_client_set_retrieve_function
352 {
354 }
356 /**
357 * gnutls_certificate_server_set_retrieve_function:
358 * @cred: is a #gnutls_certificate_credentials_t structure.
359 * @func: is the callback function
360 *
361 * This function sets a callback to be called in order to retrieve the
362 * certificate to be used in the handshake.
363 * You are advised to use gnutls_certificate_set_retrieve_function2() because it
364 * is much more efficient in the processing it requires from gnutls.
365 *
366 * The callback's function prototype is:
367 * int (*callback)(gnutls_session_t, gnutls_retr_st* st);
368 *
369 * @st should contain the certificates and private keys.
370 *
371 * If the callback function is provided then gnutls will call it, in the
372 * handshake, after the certificate request message has been received.
373 *
374 * The callback function should set the certificate list to be sent, and
375 * return 0 on success. The value (-1) indicates error and the handshake
376 * will be terminated.
377 **/
378 void gnutls_certificate_server_set_retrieve_function
381 {
383 }
385 /**
386 * gnutls_certificate_set_retrieve_function:
387 * @cred: is a #gnutls_certificate_credentials_t structure.
388 * @func: is the callback function
389 *
390 * This function sets a callback to be called in order to retrieve the
391 * certificate to be used in the handshake. You are advised
392 * to use gnutls_certificate_set_retrieve_function2() because it
393 * is much more efficient in the processing it requires from gnutls.
394 *
395 * The callback's function prototype is:
396 * int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs,
397 * const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_retr2_st* st);
398 *
399 * @req_ca_cert is only used in X.509 certificates.
400 * Contains a list with the CA names that the server considers trusted.
401 * Normally we should send a certificate that is signed
402 * by one of these CAs. These names are DER encoded. To get a more
403 * meaningful value use the function gnutls_x509_rdn_get().
404 *
405 * @pk_algos contains a list with server's acceptable signature algorithms.
406 * The certificate returned should support the server's given algorithms.
407 *
408 * @st should contain the certificates and private keys.
409 *
410 * If the callback function is provided then gnutls will call it, in the
411 * handshake, after the certificate request message has been received.
412 *
413 * In server side pk_algos and req_ca_dn are NULL.
414 *
415 * The callback function should set the certificate list to be sent,
416 * and return 0 on success. If no certificate was selected then the
417 * number of certificates should be set to zero. The value (-1)
418 * indicates error and the handshake will be terminated.
419 *
420 * Since: 3.0
421 **/
422 void gnutls_certificate_set_retrieve_function
425 {
427 }
429 /**
430 * gnutls_certificate_set_retrieve_function2:
431 * @cred: is a #gnutls_certificate_credentials_t structure.
432 * @func: is the callback function
433 *
434 * This function sets a callback to be called in order to retrieve the
435 * certificate to be used in the handshake.
436 *
437 * The callback's function prototype is:
438 * int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs,
439 * const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_pcert_st** pcert,
440 * unsigned int *pcert_length, gnutls_privkey_t * pkey);
441 *
442 * @req_ca_cert is only used in X.509 certificates.
443 * Contains a list with the CA names that the server considers trusted.
444 * Normally we should send a certificate that is signed
445 * by one of these CAs. These names are DER encoded. To get a more
446 * meaningful value use the function gnutls_x509_rdn_get().
447 *
448 * @pk_algos contains a list with server's acceptable signature algorithms.
449 * The certificate returned should support the server's given algorithms.
450 *
451 * @pcert should contain a single certificate and public or a list of them.
452 *
453 * @pcert_length is the size of the previous list.
454 *
455 * @pkey is the private key.
456 *
457 * If the callback function is provided then gnutls will call it, in the
458 * handshake, after the certificate request message has been received.
459 *
460 * In server side pk_algos and req_ca_dn are NULL.
461 *
462 * The callback function should set the certificate list to be sent,
463 * and return 0 on success. If no certificate was selected then the
464 * number of certificates should be set to zero. The value (-1)
465 * indicates error and the handshake will be terminated.
466 *
467 * Since: 3.0
468 **/
469 void gnutls_certificate_set_retrieve_function2
472 {
474 }
476 /**
477 * gnutls_certificate_set_verify_function:
478 * @cred: is a #gnutls_certificate_credentials_t structure.
479 * @func: is the callback function
480 *
481 * This function sets a callback to be called when peer's certificate
482 * has been received in order to verify it on receipt rather than
483 * doing after the handshake is completed.
484 *
485 * The callback's function prototype is:
486 * int (*callback)(gnutls_session_t);
487 *
488 * If the callback function is provided then gnutls will call it, in the
489 * handshake, just after the certificate message has been received.
490 * To verify or obtain the certificate the gnutls_certificate_verify_peers2(),
491 * gnutls_certificate_type_get(), gnutls_certificate_get_peers() functions
492 * can be used.
493 *
494 * The callback function should return 0 for the handshake to continue
495 * or non-zero to terminate.
496 *
497 * Since: 2.10.0
498 **/
499 void
500 gnutls_certificate_set_verify_function
503 {
505 }
507 /*-
508 * _gnutls_x509_extract_certificate_activation_time - return the peer's certificate activation time
509 * @cert: should contain an X.509 DER encoded certificate
510 *
511 * This function will return the certificate's activation time in UNIX time
512 * (ie seconds since 00:00:00 UTC January 1, 1970).
513 *
514 * Returns a (time_t) -1 in case of an error.
515 *
516 -*/
517 static time_t
519 {
520 gnutls_x509_crt_t xcert;
529 {
532 }
539 }
541 /*-
542 * gnutls_x509_extract_certificate_expiration_time:
543 * @cert: should contain an X.509 DER encoded certificate
544 *
545 * This function will return the certificate's expiration time in UNIX
546 * time (ie seconds since 00:00:00 UTC January 1, 1970). Returns a
547 *
548 * (time_t) -1 in case of an error.
549 *
550 -*/
551 static time_t
553 {
554 gnutls_x509_crt_t xcert;
563 {
566 }
573 }
575 #ifdef ENABLE_OPENPGP
576 /*-
577 * _gnutls_openpgp_crt_verify_peers - return the peer's certificate status
578 * @session: is a gnutls session
579 *
580 * This function will try to verify the peer's certificate and return its status (TRUSTED, INVALID etc.).
581 * Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
582 -*/
583 static int
587 {
588 cert_auth_info_t info;
589 gnutls_certificate_credentials_t cred;
601 {
604 }
607 {
610 }
612 /* generate a list of gnutls_certs based on the auth info
613 * raw certs.
614 */
618 {
621 }
623 /* Verify certificate
624 */
625 ret =
630 {
633 }
636 }
637 #endif
639 /**
640 * gnutls_certificate_verify_peers2:
641 * @session: is a gnutls session
642 * @status: is the output of the verification
643 *
644 * This function will verify the peer's certificate and return
645 * its status (trusted, invalid etc.). The value of @status will
646 * be one or more of the gnutls_certificate_status_t flags
647 * bitwise or'd or zero if the certificate is trusted. Note that verification
648 * does not imply a negative return value. Only the @status is updated.
649 *
650 * If available the OCSP Certificate Status extension will be
651 * utilized by this function.
652 *
653 * To avoid denial of service attacks some
654 * default upper limits regarding the certificate key size and chain
655 * size are set. To override them use gnutls_certificate_set_verify_limits().
656 *
657 * Note that you must also check the peer's name in order to check if
658 * the verified certificate belongs to the actual peer, see gnutls_x509_crt_check_hostname().
659 *
660 * Returns: a negative error code on error and %GNUTLS_E_SUCCESS (0) on success.
661 **/
662 int
665 {
666 cert_auth_info_t info;
672 {
674 }
680 {
683 #ifdef ENABLE_OPENPGP
686 #endif
689 }
690 }
692 /**
693 * gnutls_certificate_verify_peers3:
694 * @session: is a gnutls session
695 * @hostname: is the expected name of the peer
696 * @status: is the output of the verification
697 *
698 * This function will verify the peer's certificate and its name and
699 * return its status (trusted, invalid etc.). The value of @status will
700 * be one or more of the gnutls_certificate_status_t flags
701 * bitwise or'd or zero if the certificate is trusted. Note that verification
702 * failure does not imply a negative return value. Only the @status is updated.
703 *
704 * In case the @hostname does not match the %GNUTLS_CERT_UNEXPECTED_OWNER
705 * status flag will be set.
706 *
707 * If available the OCSP Certificate Status extension will be
708 * utilized by this function.
709 *
710 * To avoid denial of service attacks some
711 * default upper limits regarding the certificate key size and chain
712 * size are set. To override them use gnutls_certificate_set_verify_limits().
713 *
714 * Returns: a negative error code on error and %GNUTLS_E_SUCCESS (0) on success.
715 *
716 * Since: 3.1.4
717 **/
718 int
722 {
723 cert_auth_info_t info;
729 {
731 }
737 {
740 #ifdef ENABLE_OPENPGP
743 #endif
746 }
747 }
749 /**
750 * gnutls_certificate_expiration_time_peers:
751 * @session: is a gnutls session
752 *
753 * This function will return the peer's certificate expiration time.
754 *
755 * Returns: (time_t)-1 on error.
756 *
757 * Deprecated: gnutls_certificate_verify_peers2() now verifies expiration times.
758 **/
759 time_t
761 {
762 cert_auth_info_t info;
768 {
770 }
773 {
776 }
779 {
781 return
784 #ifdef ENABLE_OPENPGP
786 return
787 _gnutls_openpgp_get_raw_key_expiration_time
789 #endif
792 }
793 }
795 /**
796 * gnutls_certificate_activation_time_peers:
797 * @session: is a gnutls session
798 *
799 * This function will return the peer's certificate activation time.
800 * This is the creation time for openpgp keys.
801 *
802 * Returns: (time_t)-1 on error.
803 *
804 * Deprecated: gnutls_certificate_verify_peers2() now verifies activation times.
805 **/
806 time_t
808 {
809 cert_auth_info_t info;
815 {
817 }
820 {
823 }
826 {
828 return
831 #ifdef ENABLE_OPENPGP
833 return
836 #endif
839 }
840 }
842 /**
843 * gnutls_sign_callback_set:
844 * @session: is a gnutls session
845 * @sign_func: function pointer to application's sign callback.
846 * @userdata: void pointer that will be passed to sign callback.
847 *
848 * Set the callback function. The function must have this prototype:
849 *
850 * typedef int (*gnutls_sign_func) (gnutls_session_t session,
851 * void *userdata,
852 * gnutls_certificate_type_t cert_type,
853 * const gnutls_datum_t * cert,
854 * const gnutls_datum_t * hash,
855 * gnutls_datum_t * signature);
856 *
857 * The @userdata parameter is passed to the @sign_func verbatim, and
858 * can be used to store application-specific data needed in the
859 * callback function. See also gnutls_sign_callback_get().
860 *
861 * Deprecated: Use the PKCS 11 or #gnutls_privkey_t interfacess like gnutls_privkey_import_ext() instead.
862 **/
863 void
866 {
869 }
871 /**
872 * gnutls_sign_callback_get:
873 * @session: is a gnutls session
874 * @userdata: if non-%NULL, will be set to abstract callback pointer.
875 *
876 * Retrieve the callback function, and its userdata pointer.
877 *
878 * Returns: The function pointer set by gnutls_sign_callback_set(), or
879 * if not set, %NULL.
880 *
881 * Deprecated: Use the PKCS 11 interfaces instead.
882 **/
883 gnutls_sign_func
885 {
889 }
891 /* returns error if the certificate has different algorithm than
892 * the given key parameters.
893 */
894 int
896 {
901 {
904 }
907 }
909 /**
910 * gnutls_certificate_verification_status_print:
911 * @status: The status flags to be printed
912 * @type: The certificate type
913 * @out: Newly allocated datum with (0) terminated string.
914 * @flags: should be zero
915 *
916 * This function will pretty print the status of a verification
917 * process -- eg. the one obtained by gnutls_certificate_verify_peers3().
918 *
919 * The output @out needs to be deallocated using gnutls_free().
920 *
921 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
922 * negative error value.
923 *
924 * Since: 3.1.4
925 **/
926 int
928 gnutls_certificate_type_t type,
930 {
931 gnutls_buffer_st str;
938 else
942 {
960 }
962 {
970 }
976 _gnutls_buffer_append_str (&str, _("The certificate chain violates the signer's constraints. "));
988 _gnutls_buffer_append_str (&str, _("The name in the certificate does not match the expected. "));
994 }