lib/auth/cert.h

   1 /*
   2  * Copyright (C) 2002-2012 Free Software Foundation, Inc.
   3  *
   4  * Author: Nikos Mavrogiannopoulos
   5  *
   6  * This file is part of GnuTLS.
   7  *
   8  * The GnuTLS is free software; you can redistribute it and/or
   9  * modify it under the terms of the GNU Lesser General Public License
  10  * as published by the Free Software Foundation; either version 3 of
  11  * the License, or (at your option) any later version.
  12  *
  13  * This library is distributed in the hope that it will be useful, but
  14  * WITHOUT ANY WARRANTY; without even the implied warranty of
  15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  16  * Lesser General Public License for more details.
  17  *
  18  * You should have received a copy of the GNU Lesser General Public License
  19  * along with this program.  If not, see <http://www.gnu.org/licenses/>
  20  *
  21  */
  22
  23 #ifndef AUTH_CERT_H
  24 #define AUTH_CERT_H
  25 #include "gnutls_auth.h"
  26 #include <auth/dh_common.h>
  27 #include <x509/x509_int.h>
  28 #include <openpgp/openpgp_int.h>
  29 #include <gnutls/abstract.h>
  30 #include <gnutls/compat.h>
  31 #include <gnutls_str_array.h>
  32
  33 typedef struct {
  34   gnutls_pcert_st * cert_list; /* a certificate chain */
  35   unsigned int cert_list_length; /* its length */
  36   gnutls_str_array_t names; /* the names in the first certificate */
  37 } certs_st;
  38
  39 /* This structure may be complex, but it's the only way to
  40  * support a server that has multiple certificates
  41  */
  42 typedef struct gnutls_certificate_credentials_st
  43 {
  44   gnutls_dh_params_t dh_params;
  45   gnutls_rsa_params_t rsa_params;
  46   /* this callback is used to retrieve the DH or RSA
  47    * parameters.
  48    */
  49   gnutls_params_function *params_func;
  50
  51   certs_st *certs;
  52   unsigned ncerts; /* the number of certs */
  53
  54   gnutls_privkey_t *pkey;
  55   /* private keys. It contains ncerts private
  56    * keys. pkey[i] corresponds to certificate in
  57    * cert_list[i][0].
  58    */
  59
  60 #ifdef ENABLE_OPENPGP
  61   /* OpenPGP specific stuff */
  62   gnutls_openpgp_keyring_t keyring;
  63 #endif
  64
  65   /* X509 specific stuff */
  66   gnutls_x509_trust_list_t tlist;
  67   unsigned int verify_flags;    /* flags to be used at
  68                                  * certificate verification.
  69                                  */
  70   unsigned int verify_depth;
  71   unsigned int verify_bits;
  72
  73   /* holds a sequence of the
  74    * RDNs of the CAs above.
  75    * This is better than
  76    * generating on every handshake.
  77    */
  78   gnutls_datum_t x509_rdn_sequence;
  79
  80   /* It's a mess here. However we need to keep the old 3 functions
  81    * for compatibility */
  82   gnutls_certificate_retrieve_function *get_cert_callback; /* deprecated */
  83   gnutls_certificate_client_retrieve_function *client_get_cert_callback;        /* deprecated */
  84   gnutls_certificate_server_retrieve_function *server_get_cert_callback;        /* deprecated */
  85   gnutls_certificate_retrieve_function2 *get_cert_callback2;
  86
  87   gnutls_certificate_verify_function *verify_callback;
  88
  89   struct pin_info_st pin;
  90
  91   /* OCSP */
  92   gnutls_status_request_ocsp_func ocsp_func;
  93   void *ocsp_func_ptr;
  94   char *ocsp_response_file;
  95 } certificate_credentials_st;
  96
  97 typedef struct rsa_info_st
  98 {
  99   gnutls_datum_t modulus;
 100   gnutls_datum_t exponent;
 101 } rsa_info_st;
 102
 103 /* This is the information we keep for the peer
 104  * certificate.
 105  */
 106 typedef struct cert_auth_info_st
 107 {
 108   /* These (dh/rsa) are just copies from the credentials_t structure.
 109    * They must be freed.
 110    */
 111   dh_info_st dh;
 112   rsa_info_st rsa_export;
 113
 114   gnutls_datum_t *raw_certificate_list; /* holds the raw certificate of the
 115                                          * peer.
 116                                          */
 117   unsigned int ncerts;          /* holds the size of the list above */
 118
 119   gnutls_certificate_type_t cert_type;
 120 #ifdef ENABLE_OPENPGP
 121   uint8_t subkey_id[GNUTLS_OPENPGP_KEYID_SIZE];
 122 #endif
 123 } *cert_auth_info_t;
 124
 125 typedef struct cert_auth_info_st cert_auth_info_st;
 126
 127 void _gnutls_free_rsa_info (rsa_info_st * rsa);
 128
 129 /* AUTH X509 functions */
 130 int _gnutls_gen_cert_server_crt (gnutls_session_t, gnutls_buffer_st *);
 131 int _gnutls_gen_cert_client_crt (gnutls_session_t, gnutls_buffer_st *);
 132 int _gnutls_gen_cert_client_crt_vrfy (gnutls_session_t, gnutls_buffer_st *);
 133 int _gnutls_gen_cert_server_cert_req (gnutls_session_t, gnutls_buffer_st *);
 134 int _gnutls_proc_cert_cert_req (gnutls_session_t, uint8_t *, size_t);
 135 int _gnutls_proc_cert_client_crt_vrfy (gnutls_session_t, uint8_t *, size_t);
 136 int _gnutls_proc_crt (gnutls_session_t, uint8_t *, size_t);
 137 int _gnutls_get_selected_cert (gnutls_session_t session,
 138                                gnutls_pcert_st ** apr_cert_list,
 139                                int *apr_cert_list_length,
 140                                gnutls_privkey_t * apr_pkey);
 141
 142 int _gnutls_server_select_cert (struct gnutls_session_int *,
 143                                 gnutls_pk_algorithm_t*, size_t);
 144 void _gnutls_selected_certs_deinit (gnutls_session_t session);
 145 void _gnutls_selected_certs_set (gnutls_session_t session,
 146                                  gnutls_pcert_st * certs, int ncerts,
 147                                  gnutls_privkey_t key, int need_free);
 148
 149 gnutls_rsa_params_t _gnutls_certificate_get_rsa_params (gnutls_rsa_params_t
 150                                                         rsa_params,
 151                                                         gnutls_params_function
 152                                                         * func,
 153                                                         gnutls_session_t);
 154
 155 int _gnutls_get_auth_info_pcert (gnutls_pcert_st* gcert,
 156                                  gnutls_certificate_type_t type,
 157                                  cert_auth_info_t info);
 158
 159 int certificate_credential_append_crt_list (gnutls_certificate_credentials_t
 160                                             res, gnutls_str_array_t names,
 161                                             gnutls_pcert_st* crt, int nr);
 162 int certificate_credentials_append_pkey (gnutls_certificate_credentials_t res,
 163                                          gnutls_privkey_t pkey);
 164
 165 int _gnutls_selected_cert_supported_kx (struct gnutls_session_int *session,
 166                                         gnutls_kx_algorithm_t * alg,
 167                                         int *alg_size);
 168
 169 int
 170 _gnutls_check_key_cert_match (gnutls_certificate_credentials_t res);
 171
 172 #endif