search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
gnutls-cli: Fix uninitialized variable when PKCS#11 uris in use.
[gnutls.git] / lib / gnutls_x509.c
blob6ee0549c5cdcb73a2b40f1b3ad0f7ed08d2617fb
1 /*
2 * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010
3 * Free Software Foundation, Inc.
4 *
5 * Author: Nikos Mavrogiannopoulos
6 *
7 * This file is part of GnuTLS.
8 *
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
22 * USA
23 *
24 */
25
26 #include <gnutls_int.h>
27 #include "gnutls_auth.h"
28 #include "gnutls_errors.h"
29 #include <gnutls_cert.h>
30 #include <auth_cert.h>
31 #include "gnutls_dh.h"
32 #include "gnutls_num.h"
33 #include "gnutls_datum.h"
34 #include <gnutls_pk.h>
35 #include <gnutls_algorithms.h>
36 #include <gnutls_global.h>
37 #include <gnutls_record.h>
38 #include <gnutls_sig.h>
39 #include <gnutls_state.h>
40 #include <gnutls_pk.h>
41 #include <gnutls_str.h>
42 #include <debug.h>
43 #include <x509_b64.h>
44 #include <gnutls_x509.h>
45 #include "x509/common.h"
46 #include "x509/x509_int.h"
47 #include "read-file.h"
48
49
50 /*
51 * some x509 certificate parsing functions.
52 */
53
54 /* Check if the number of bits of the key in the certificate
55 * is unacceptable.
56 */
57 inline static int
58 check_bits (gnutls_x509_crt_t crt, unsigned int max_bits)
59 {
60 int ret;
61 unsigned int bits;
62
63 ret = gnutls_x509_crt_get_pk_algorithm (crt, &bits);
64 if (ret < 0)
65 {
66 gnutls_assert ();
67 return ret;
68 }
69
70 if (bits > max_bits && max_bits > 0)
71 {
72 gnutls_assert ();
73 return GNUTLS_E_CONSTRAINT_ERROR;
74 }
75
76 return 0;
77 }
78
79
80 #define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) { \
81 if (peer_certificate_list[x]) \
82 gnutls_x509_crt_deinit(peer_certificate_list[x]); \
83 } \
84 gnutls_free( peer_certificate_list)
85
86 /*-
87 * _gnutls_x509_cert_verify_peers - return the peer's certificate status
88 * @session: is a gnutls session
89 *
90 * This function will try to verify the peer's certificate and return its status (TRUSTED, REVOKED etc.).
91 * The return value (status) should be one of the gnutls_certificate_status_t enumerated elements.
92 * However you must also check the peer's name in order to check if the verified certificate belongs to the
93 * actual peer. Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
94 -*/
95 int
96 _gnutls_x509_cert_verify_peers (gnutls_session_t session,
97 unsigned int *status)
98 {
99 cert_auth_info_t info;
100 gnutls_certificate_credentials_t cred;
101 gnutls_x509_crt_t *peer_certificate_list;
102 int peer_certificate_list_size, i, x, ret;
103
104 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
105
106 info = _gnutls_get_auth_info (session);
107 if (info == NULL)
108 {
109 gnutls_assert ();
110 return GNUTLS_E_INVALID_REQUEST;
111 }
112
113 cred = (gnutls_certificate_credentials_t)
114 _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL);
115 if (cred == NULL)
116 {
117 gnutls_assert ();
118 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
119 }
120
121 if (info->raw_certificate_list == NULL || info->ncerts == 0)
122 return GNUTLS_E_NO_CERTIFICATE_FOUND;
123
124 if (info->ncerts > cred->verify_depth && cred->verify_depth > 0)
125 {
126 gnutls_assert ();
127 return GNUTLS_E_CONSTRAINT_ERROR;
128 }
129
130 /* generate a list of gnutls_certs based on the auth info
131 * raw certs.
132 */
133 peer_certificate_list_size = info->ncerts;
134 peer_certificate_list =
135 gnutls_calloc (peer_certificate_list_size, sizeof (gnutls_x509_crt_t));
136 if (peer_certificate_list == NULL)
137 {
138 gnutls_assert ();
139 return GNUTLS_E_MEMORY_ERROR;
140 }
141
142 for (i = 0; i < peer_certificate_list_size; i++)
143 {
144 ret = gnutls_x509_crt_init (&peer_certificate_list[i]);
145 if (ret < 0)
146 {
147 gnutls_assert ();
148 CLEAR_CERTS;
149 return ret;
150 }
151
152 ret =
153 gnutls_x509_crt_import (peer_certificate_list[i],
154 &info->raw_certificate_list[i],
155 GNUTLS_X509_FMT_DER);
156 if (ret < 0)
157 {
158 gnutls_assert ();
159 CLEAR_CERTS;
160 return ret;
161 }
162
163 ret = check_bits (peer_certificate_list[i], cred->verify_bits);
164 if (ret < 0)
165 {
166 gnutls_assert ();
167 CLEAR_CERTS;
168 return ret;
169 }
170
171 }
172
173 /* Verify certificate
174 */
175
176 ret = gnutls_x509_crt_list_verify (peer_certificate_list,
177 peer_certificate_list_size,
178 cred->x509_ca_list, cred->x509_ncas,
179 cred->x509_crl_list, cred->x509_ncrls,
180 cred->verify_flags | session->internals.
181 priorities.additional_verify_flags,
182 status);
183
184 CLEAR_CERTS;
185
186 if (ret < 0)
187 {
188 gnutls_assert ();
189 return ret;
190 }
191
192 return 0;
193 }
194
195 /*
196 * Read certificates and private keys, from files, memory etc.
197 */
198
199 /* returns error if the certificate has different algorithm than
200 * the given key parameters.
201 */
202 static int
203 _gnutls_check_key_cert_match (gnutls_certificate_credentials_t res)
204 {
205 unsigned int pk = res->cert_list[res->ncerts - 1][0].subject_pk_algorithm;
206
207 if (gnutls_privkey_get_pk_algorithm (res->pkey[res->ncerts - 1], NULL) !=
208 pk)
209 {
210 gnutls_assert ();
211 return GNUTLS_E_CERTIFICATE_KEY_MISMATCH;
212 }
213
214 return 0;
215 }
216
217 /* Reads a DER encoded certificate list from memory and stores it to a
218 * gnutls_cert structure. Returns the number of certificates parsed.
219 */
220 static int
221 parse_der_cert_mem (gnutls_certificate_credentials_t res,
222 const void *input_cert, int input_cert_size)
223 {
224 gnutls_datum_t tmp;
225 gnutls_x509_crt_t crt;
226 gnutls_cert *ccert;
227 int ret;
228
229 ccert = gnutls_malloc (sizeof (*ccert));
230 if (ccert == NULL)
231 {
232 gnutls_assert ();
233 return GNUTLS_E_MEMORY_ERROR;
234 }
235
236 ret = gnutls_x509_crt_init (&crt);
237 if (ret < 0)
238 {
239 gnutls_assert ();
240 goto cleanup;
241 }
242
243 tmp.data = (opaque *) input_cert;
244 tmp.size = input_cert_size;
245
246 ret = gnutls_x509_crt_import (crt, &tmp, GNUTLS_X509_FMT_DER);
247 if (ret < 0)
248 {
249 gnutls_assert ();
250 gnutls_x509_crt_deinit (crt);
251 goto cleanup;
252 }
253
254 ret = _gnutls_x509_crt_to_gcert (ccert, crt, 0);
255 gnutls_x509_crt_deinit (crt);
256
257 if (ret < 0)
258 {
259 gnutls_assert ();
260 goto cleanup;
261 }
262
263 ret = certificate_credential_append_crt_list (res, ccert, 1);
264 if (ret < 0)
265 {
266 gnutls_assert ();
267 goto cleanup;
268 }
269
270 return ret;
271
272 cleanup:
273 gnutls_free (ccert);
274 return ret;
275 }
276
277 /* Reads a base64 encoded certificate list from memory and stores it to
278 * a gnutls_cert structure. Returns the number of certificate parsed.
279 */
280 static int
281 parse_pem_cert_mem (gnutls_certificate_credentials_t res,
282 const char *input_cert, int input_cert_size)
283 {
284 int size, siz2;
285 const char *ptr;
286 opaque *ptr2;
287 gnutls_datum_t tmp;
288 int ret, count, i;
289 gnutls_cert *certs = NULL;
290
291 /* move to the certificate
292 */
293 ptr = memmem (input_cert, input_cert_size,
294 PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
295 if (ptr == NULL)
296 ptr = memmem (input_cert, input_cert_size,
297 PEM_CERT_SEP2, sizeof (PEM_CERT_SEP2) - 1);
298
299 if (ptr == NULL)
300 {
301 gnutls_assert ();
302 return GNUTLS_E_BASE64_DECODING_ERROR;
303 }
304 size = input_cert_size - (ptr - input_cert);
305
306 count = 0;
307
308 do
309 {
310
311 siz2 = _gnutls_fbase64_decode (NULL, ptr, size, &ptr2);
312 if (siz2 < 0)
313 {
314 gnutls_assert ();
315 ret = GNUTLS_E_BASE64_DECODING_ERROR;
316 goto cleanup;
317 }
318
319 certs = gnutls_realloc_fast (certs, (count + 1) * sizeof (gnutls_cert));
320
321 if (certs == NULL)
322 {
323 gnutls_assert ();
324 ret = GNUTLS_E_MEMORY_ERROR;
325 goto cleanup;
326 }
327
328 tmp.data = ptr2;
329 tmp.size = siz2;
330
331 ret = _gnutls_x509_raw_cert_to_gcert (&certs[count], &tmp, 0);
332 if (ret < 0)
333 {
334 gnutls_assert ();
335 goto cleanup;
336 }
337
338 _gnutls_free_datum (&tmp); /* free ptr2 */
339
340 /* now we move ptr after the pem header
341 */
342 ptr++;
343 /* find the next certificate (if any)
344 */
345 size = input_cert_size - (ptr - input_cert);
346
347 if (size > 0)
348 {
349 char *ptr3;
350
351 ptr3 = memmem (ptr, size, PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
352 if (ptr3 == NULL)
353 ptr3 = memmem (ptr, size, PEM_CERT_SEP2,
354 sizeof (PEM_CERT_SEP2) - 1);
355
356 ptr = ptr3;
357 }
358 else
359 ptr = NULL;
360
361 count++;
362
363 }
364 while (ptr != NULL);
365
366 ret = certificate_credential_append_crt_list (res, certs, count);
367 if (ret < 0)
368 {
369 gnutls_assert ();
370 goto cleanup;
371 }
372
373 return count;
374
375 cleanup:
376 for (i=0;i<count;i++)
377 _gnutls_gcert_deinit(&certs[i]);
378 gnutls_free(certs);
379 return ret;
380 }
381
382
383
384 /* Reads a DER or PEM certificate from memory
385 */
386 static int
387 read_cert_mem (gnutls_certificate_credentials_t res, const void *cert,
388 int cert_size, gnutls_x509_crt_fmt_t type)
389 {
390 int ret;
391
392 if (type == GNUTLS_X509_FMT_DER)
393 ret = parse_der_cert_mem (res, cert, cert_size);
394 else
395 ret = parse_pem_cert_mem (res, cert, cert_size);
396
397 if (ret < 0)
398 {
399 gnutls_assert ();
400 return ret;
401 }
402
403 return ret;
404 }
405
406 static int
407 _gnutls_x509_raw_privkey_to_privkey (gnutls_privkey_t * privkey,
408 const gnutls_datum_t * raw_key,
409 gnutls_x509_crt_fmt_t type)
410 {
411 gnutls_x509_privkey_t tmpkey;
412 int ret;
413
414 ret = gnutls_x509_privkey_init (&tmpkey);
415 if (ret < 0)
416 {
417 gnutls_assert ();
418 return ret;
419 }
420
421 ret = gnutls_x509_privkey_import (tmpkey, raw_key, type);
422 if (ret < 0)
423 {
424 gnutls_assert ();
425 gnutls_x509_privkey_deinit (tmpkey);
426 return ret;
427 }
428
429 ret = gnutls_privkey_init (privkey);
430 if (ret < 0)
431 {
432 gnutls_assert ();
433 gnutls_x509_privkey_deinit (tmpkey);
434 return ret;
435 }
436
437 ret =
438 gnutls_privkey_import_x509 (*privkey, tmpkey,
439 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
440 if (ret < 0)
441 {
442 gnutls_assert ();
443 gnutls_x509_privkey_deinit (tmpkey);
444 gnutls_privkey_deinit (*privkey);
445 return ret;
446 }
447
448 return 0;
449 }
450
451 /* Reads a PEM encoded PKCS-1 RSA/DSA private key from memory. Type
452 * indicates the certificate format. KEY can be NULL, to indicate
453 * that GnuTLS doesn't know the private key.
454 */
455 static int
456 read_key_mem (gnutls_certificate_credentials_t res,
457 const void *key, int key_size, gnutls_x509_crt_fmt_t type)
458 {
459 int ret;
460 gnutls_datum_t tmp;
461 gnutls_privkey_t privkey;
462
463 if (key)
464 {
465 tmp.data = (opaque *) key;
466 tmp.size = key_size;
467
468 ret = _gnutls_x509_raw_privkey_to_privkey (&privkey, &tmp, type);
469 if (ret < 0)
470 {
471 gnutls_assert ();
472 return ret;
473 }
474
475 ret = certificate_credentials_append_pkey (res, privkey);
476 if (ret < 0)
477 {
478 gnutls_assert ();
479 gnutls_privkey_deinit (privkey);
480 return ret;
481 }
482
483 }
484 else
485 {
486 gnutls_assert ();
487 return GNUTLS_E_INVALID_REQUEST;
488 }
489
490
491 return 0;
492 }
493
494 /* Reads a private key from a token.
495 */
496 static int
497 read_key_url (gnutls_certificate_credentials_t res, const char *url)
498 {
499 int ret;
500 gnutls_pkcs11_privkey_t key1 = NULL;
501 gnutls_privkey_t pkey = NULL;
502
503 /* allocate space for the pkey list
504 */
505
506 ret = gnutls_pkcs11_privkey_init (&key1);
507 if (ret < 0)
508 {
509 gnutls_assert ();
510 return ret;
511 }
512
513 ret = gnutls_pkcs11_privkey_import_url (key1, url, 0);
514 if (ret < 0)
515 {
516 gnutls_assert ();
517 goto cleanup;
518 }
519
520 ret = gnutls_privkey_init (&pkey);
521 if (ret < 0)
522 {
523 gnutls_assert ();
524 goto cleanup;
525 }
526
527 ret =
528 gnutls_privkey_import_pkcs11 (pkey, key1,
529 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
530 if (ret < 0)
531 {
532 gnutls_assert ();
533 goto cleanup;
534 }
535
536 ret = certificate_credentials_append_pkey (res, pkey);
537 if (ret < 0)
538 {
539 gnutls_assert ();
540 goto cleanup;
541 }
542
543 return 0;
544
545 cleanup:
546 if (pkey)
547 gnutls_privkey_deinit (pkey);
548
549 if (key1)
550 gnutls_pkcs11_privkey_deinit (key1);
551
552 return ret;
553 }
554
555 /* Reads a private key from a token.
556 */
557 static int
558 read_cas_url (gnutls_certificate_credentials_t res, const char *url)
559 {
560 int ret;
561 gnutls_x509_crt_t *xcrt_list = NULL;
562 gnutls_pkcs11_obj_t *pcrt_list = NULL;
563 unsigned int pcrt_list_size = 0;
564
565 /* FIXME: should we use login? */
566 ret =
567 gnutls_pkcs11_obj_list_import_url (NULL, &pcrt_list_size, url,
568 GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED, 0);
569 if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
570 {
571 gnutls_assert ();
572 return ret;
573 }
574
575 if (pcrt_list_size == 0)
576 {
577 gnutls_assert ();
578 return 0;
579 }
580
581 pcrt_list = gnutls_malloc (sizeof (*pcrt_list) * pcrt_list_size);
582 if (pcrt_list == NULL)
583 {
584 gnutls_assert ();
585 return GNUTLS_E_MEMORY_ERROR;
586 }
587
588 ret =
589 gnutls_pkcs11_obj_list_import_url (pcrt_list, &pcrt_list_size, url,
590 GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED, 0);
591 if (ret < 0)
592 {
593 gnutls_assert ();
594 goto cleanup;
595 }
596
597 xcrt_list = gnutls_malloc (sizeof (*xcrt_list) * pcrt_list_size);
598 if (xcrt_list == NULL)
599 {
600 gnutls_assert ();
601 ret = GNUTLS_E_MEMORY_ERROR;
602 goto cleanup;
603 }
604
605 ret =
606 gnutls_x509_crt_list_import_pkcs11 (xcrt_list, pcrt_list_size, pcrt_list,
607 0);
608 if (xcrt_list == NULL)
609 {
610 gnutls_assert ();
611 ret = GNUTLS_E_MEMORY_ERROR;
612 goto cleanup;
613 }
614
615 res->x509_ca_list = xcrt_list;
616 res->x509_ncas = pcrt_list_size;
617
618 gnutls_free (pcrt_list);
619
620 return pcrt_list_size;
621
622 cleanup:
623 gnutls_free (xcrt_list);
624 gnutls_free (pcrt_list);
625
626 return ret;
627
628 }
629
630
631 /* Reads a private key from a token.
632 */
633 static int
634 read_cert_url (gnutls_certificate_credentials_t res, const char *url)
635 {
636 int ret;
637 gnutls_x509_crt_t crt;
638 gnutls_cert *ccert;
639
640 ccert = gnutls_malloc (sizeof (*ccert));
641 if (ccert == NULL)
642 {
643 gnutls_assert ();
644 return GNUTLS_E_MEMORY_ERROR;
645 }
646
647 ret = gnutls_x509_crt_init (&crt);
648 if (ret < 0)
649 {
650 gnutls_assert ();
651 gnutls_free (ccert);
652 return ret;
653 }
654
655 ret = gnutls_x509_crt_import_pkcs11_url (crt, url, 0);
656 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
657 ret =
658 gnutls_x509_crt_import_pkcs11_url (crt, url,
659 GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
660
661 if (ret < 0)
662 {
663 gnutls_assert ();
664 gnutls_free (ccert);
665 gnutls_x509_crt_deinit (crt);
666 return ret;
667 }
668
669 ret = _gnutls_x509_crt_to_gcert (ccert, crt, 0);
670 gnutls_x509_crt_deinit (crt);
671
672 if (ret < 0)
673 {
674 gnutls_assert ();
675 gnutls_free (ccert);
676 return ret;
677 }
678
679 ret = certificate_credential_append_crt_list (res, ccert, 1);
680 if (ret < 0)
681 {
682 gnutls_assert ();
683 gnutls_free (ccert);
684 return ret;
685 }
686
687 return 0;
688
689 }
690
691 /* Reads a certificate file
692 */
693 static int
694 read_cert_file (gnutls_certificate_credentials_t res,
695 const char *certfile, gnutls_x509_crt_fmt_t type)
696 {
697 int ret;
698 size_t size;
699 char *data;
700
701 if (strncmp (certfile, "pkcs11:", 7) == 0)
702 {
703 return read_cert_url (res, certfile);
704 }
705
706 data = read_binary_file (certfile, &size);
707
708 if (data == NULL)
709 {
710 gnutls_assert ();
711 return GNUTLS_E_FILE_ERROR;
712 }
713
714 ret = read_cert_mem (res, data, size, type);
715 free (data);
716
717 return ret;
718
719 }
720
721
722
723 /* Reads PKCS-1 RSA private key file or a DSA file (in the format openssl
724 * stores it).
725 */
726 static int
727 read_key_file (gnutls_certificate_credentials_t res,
728 const char *keyfile, gnutls_x509_crt_fmt_t type)
729 {
730 int ret;
731 size_t size;
732 char *data;
733
734 if (strncmp (keyfile, "pkcs11:", 7) == 0)
735 {
736 return read_key_url (res, keyfile);
737 }
738
739 data = read_binary_file (keyfile, &size);
740
741 if (data == NULL)
742 {
743 gnutls_assert ();
744 return GNUTLS_E_FILE_ERROR;
745 }
746
747 ret = read_key_mem (res, data, size, type);
748 free (data);
749
750 return ret;
751 }
752
753 /**
754 * gnutls_certificate_set_x509_key_mem:
755 * @res: is a #gnutls_certificate_credentials_t structure.
756 * @cert: contains a certificate list (path) for the specified private key
757 * @key: is the private key, or %NULL
758 * @type: is PEM or DER
759 *
760 * This function sets a certificate/private key pair in the
761 * gnutls_certificate_credentials_t structure. This function may be called
762 * more than once (in case multiple keys/certificates exist for the
763 * server).
764 *
765 * Currently are supported: RSA PKCS-1 encoded private keys,
766 * DSA private keys.
767 *
768 * DSA private keys are encoded the OpenSSL way, which is an ASN.1
769 * DER sequence of 6 INTEGERs - version, p, q, g, pub, priv.
770 *
771 * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates
772 * is supported. This means that certificates intended for signing cannot
773 * be used for ciphersuites that require encryption.
774 *
775 * If the certificate and the private key are given in PEM encoding
776 * then the strings that hold their values must be null terminated.
777 *
778 * The @key may be %NULL if you are using a sign callback, see
779 * gnutls_sign_callback_set().
780 *
781 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
782 **/
783 int
784 gnutls_certificate_set_x509_key_mem (gnutls_certificate_credentials_t res,
785 const gnutls_datum_t * cert,
786 const gnutls_datum_t * key,
787 gnutls_x509_crt_fmt_t type)
788 {
789 int ret;
790
791 /* this should be first
792 */
793 if ((ret = read_key_mem (res, key ? key->data : NULL,
794 key ? key->size : 0, type)) < 0)
795 return ret;
796
797 if ((ret = read_cert_mem (res, cert->data, cert->size, type)) < 0)
798 return ret;
799
800 res->ncerts++;
801
802 if (key && (ret = _gnutls_check_key_cert_match (res)) < 0)
803 {
804 gnutls_assert ();
805 return ret;
806 }
807
808 return 0;
809 }
810
811 static int check_if_sorted(gnutls_cert * crt, int nr)
812 {
813 gnutls_x509_crt_t x509;
814 char prev_dn[MAX_DN];
815 char dn[MAX_DN];
816 size_t prev_dn_size, dn_size;
817 int i, ret;
818
819 /* check if the X.509 list is ordered */
820 if (nr > 1 && crt[0].cert_type == GNUTLS_CRT_X509)
821 {
822
823 for (i=0;i<nr;i++)
824 {
825 ret = gnutls_x509_crt_init(&x509);
826 if (ret < 0)
827 return gnutls_assert_val(ret);
828
829 ret = gnutls_x509_crt_import(x509, &crt[i].raw, GNUTLS_X509_FMT_DER);
830 if (ret < 0)
831 {
832 ret = gnutls_assert_val(ret);
833 goto cleanup;
834 }
835
836 if (i>0)
837 {
838 dn_size = sizeof(dn);
839 ret = gnutls_x509_crt_get_dn(x509, dn, &dn_size);
840 if (ret < 0)
841 {
842 ret = gnutls_assert_val(ret);
843 goto cleanup;
844 }
845
846 if (dn_size != prev_dn_size || memcmp(dn, prev_dn, dn_size) != 0)
847 {
848 ret = gnutls_assert_val(GNUTLS_E_CERTIFICATE_LIST_UNSORTED);
849 goto cleanup;
850 }
851 }
852
853 prev_dn_size = sizeof(prev_dn);
854 ret = gnutls_x509_crt_get_issuer_dn(x509, prev_dn, &prev_dn_size);
855 if (ret < 0)
856 {
857 ret = gnutls_assert_val(ret);
858 goto cleanup;
859 }
860
861 gnutls_x509_crt_deinit(x509);
862 }
863 }
864
865 return 0;
866
867 cleanup:
868 gnutls_x509_crt_deinit(x509);
869 return ret;
870 }
871
872 int
873 certificate_credential_append_crt_list (gnutls_certificate_credentials_t res,
874 gnutls_cert * crt, int nr)
875 {
876 int ret;
877
878 ret = check_if_sorted(crt, nr);
879 if (ret < 0)
880 return gnutls_assert_val(ret);
881
882 res->cert_list = gnutls_realloc_fast (res->cert_list,
883 (1 +
884 res->ncerts) *
885 sizeof (gnutls_cert *));
886 if (res->cert_list == NULL)
887 {
888 gnutls_assert ();
889 return GNUTLS_E_MEMORY_ERROR;
890 }
891
892 res->cert_list_length = gnutls_realloc_fast (res->cert_list_length,
893 (1 +
894 res->ncerts) * sizeof (int));
895 if (res->cert_list_length == NULL)
896 {
897 gnutls_assert ();
898 return GNUTLS_E_MEMORY_ERROR;
899 }
900
901 res->cert_list[res->ncerts] = crt;
902 res->cert_list_length[res->ncerts] = nr;
903
904 return 0;
905
906 }
907
908 int
909 certificate_credentials_append_pkey (gnutls_certificate_credentials_t res,
910 gnutls_privkey_t pkey)
911 {
912 res->pkey = gnutls_realloc_fast (res->pkey,
913 (1 + res->ncerts) *
914 sizeof (gnutls_privkey_t));
915 if (res->pkey == NULL)
916 {
917 gnutls_assert ();
918 return GNUTLS_E_MEMORY_ERROR;
919 }
920 res->pkey[res->ncerts] = pkey;
921 return 0;
922
923 }
924
925 /**
926 * gnutls_certificate_set_x509_key:
927 * @res: is a #gnutls_certificate_credentials_t structure.
928 * @cert_list: contains a certificate list (path) for the specified private key
929 * @cert_list_size: holds the size of the certificate list
930 * @key: is a gnutls_x509_privkey_t key
931 *
932 * This function sets a certificate/private key pair in the
933 * gnutls_certificate_credentials_t structure. This function may be
934 * called more than once (in case multiple keys/certificates exist for
935 * the server). For clients that wants to send more than its own end
936 * entity certificate (e.g., also an intermediate CA cert) then put
937 * the certificate chain in @cert_list.
938 *
939 *
940 *
941 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
942 *
943 * Since: 2.4.0
944 **/
945 int
946 gnutls_certificate_set_x509_key (gnutls_certificate_credentials_t res,
947 gnutls_x509_crt_t * cert_list,
948 int cert_list_size,
949 gnutls_x509_privkey_t key)
950 {
951 int ret, i;
952 gnutls_privkey_t pkey;
953 gnutls_cert *pcerts = NULL;
954
955 /* this should be first
956 */
957 ret = gnutls_privkey_init (&pkey);
958 if (ret < 0)
959 {
960 gnutls_assert ();
961 return ret;
962 }
963
964 ret = gnutls_privkey_import_x509 (pkey, key, 0);
965 if (ret < 0)
966 {
967 gnutls_assert ();
968 return ret;
969 }
970
971 ret = certificate_credentials_append_pkey (res, pkey);
972 if (ret < 0)
973 {
974 gnutls_assert ();
975 return ret;
976 }
977
978 /* load certificates */
979 pcerts = gnutls_malloc (sizeof (gnutls_cert) * cert_list_size);
980 if (pcerts == NULL)
981 {
982 gnutls_assert ();
983 return GNUTLS_E_MEMORY_ERROR;
984 }
985
986 for (i = 0; i < cert_list_size; i++)
987 {
988 ret = _gnutls_x509_crt_to_gcert (&pcerts[i], cert_list[i], 0);
989 if (ret < 0)
990 {
991 gnutls_assert ();
992 return ret;
993 }
994 }
995
996 ret = certificate_credential_append_crt_list (res, pcerts, cert_list_size);
997 if (ret < 0)
998 {
999 gnutls_assert ();
1000 return ret;
1001 }
1002
1003 res->ncerts++;
1004
1005 if ((ret = _gnutls_check_key_cert_match (res)) < 0)
1006 {
1007 gnutls_assert ();
1008 return ret;
1009 }
1010
1011 return 0;
1012 }
1013
1014 /**
1015 * gnutls_certificate_set_x509_key_file:
1016 * @res: is a #gnutls_certificate_credentials_t structure.
1017 * @certfile: is a file that containing the certificate list (path) for
1018 * the specified private key, in PKCS7 format, or a list of certificates
1019 * @keyfile: is a file that contains the private key
1020 * @type: is PEM or DER
1021 *
1022 * This function sets a certificate/private key pair in the
1023 * gnutls_certificate_credentials_t structure. This function may be
1024 * called more than once (in case multiple keys/certificates exist for
1025 * the server). For clients that wants to send more than its own end
1026 * entity certificate (e.g., also an intermediate CA cert) then put
1027 * the certificate chain in @certfile.
1028 *
1029 * Currently only PKCS-1 encoded RSA and DSA private keys are accepted by
1030 * this function.
1031 *
1032 * This function can also accept PKCS #11 URLs. In that case it
1033 * will import the private key and certificate indicated by the urls.
1034 *
1035 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1036 **/
1037 int
1038 gnutls_certificate_set_x509_key_file (gnutls_certificate_credentials_t res,
1039 const char *certfile,
1040 const char *keyfile,
1041 gnutls_x509_crt_fmt_t type)
1042 {
1043 int ret;
1044
1045 /* this should be first
1046 */
1047 if ((ret = read_key_file (res, keyfile, type)) < 0)
1048 return ret;
1049
1050 if ((ret = read_cert_file (res, certfile, type)) < 0)
1051 return ret;
1052
1053 res->ncerts++;
1054
1055 if ((ret = _gnutls_check_key_cert_match (res)) < 0)
1056 {
1057 gnutls_assert ();
1058 return ret;
1059 }
1060
1061 return 0;
1062 }
1063
1064 static int
1065 add_new_crt_to_rdn_seq (gnutls_certificate_credentials_t res, int new)
1066 {
1067 gnutls_datum_t tmp;
1068 int ret;
1069 size_t newsize;
1070 unsigned char *newdata;
1071 unsigned i;
1072
1073 /* Add DN of the last added CAs to the RDN sequence
1074 * This will be sent to clients when a certificate
1075 * request message is sent.
1076 */
1077
1078 /* FIXME: in case of a client it is not needed
1079 * to do that. This would save time and memory.
1080 * However we don't have that information available
1081 * here.
1082 * Further, this function is now much more efficient,
1083 * so optimizing that is less important.
1084 */
1085
1086 for (i = res->x509_ncas - new; i < res->x509_ncas; i++)
1087 {
1088 if ((ret = gnutls_x509_crt_get_raw_dn (res->x509_ca_list[i], &tmp)) < 0)
1089 {
1090 gnutls_assert ();
1091 return ret;
1092 }
1093
1094 newsize = res->x509_rdn_sequence.size + 2 + tmp.size;
1095 if (newsize < res->x509_rdn_sequence.size)
1096 {
1097 gnutls_assert ();
1098 _gnutls_free_datum (&tmp);
1099 return GNUTLS_E_SHORT_MEMORY_BUFFER;
1100 }
1101
1102 newdata = gnutls_realloc (res->x509_rdn_sequence.data, newsize);
1103 if (newdata == NULL)
1104 {
1105 gnutls_assert ();
1106 _gnutls_free_datum (&tmp);
1107 return GNUTLS_E_MEMORY_ERROR;
1108 }
1109
1110 _gnutls_write_datum16 (newdata + res->x509_rdn_sequence.size, tmp);
1111 _gnutls_free_datum (&tmp);
1112
1113 res->x509_rdn_sequence.size = newsize;
1114 res->x509_rdn_sequence.data = newdata;
1115 }
1116
1117 return 0;
1118 }
1119
1120 /* Returns 0 if it's ok to use the gnutls_kx_algorithm_t with this
1121 * certificate (uses the KeyUsage field).
1122 */
1123 int
1124 _gnutls_check_key_usage (const gnutls_cert * cert, gnutls_kx_algorithm_t alg)
1125 {
1126 unsigned int key_usage = 0;
1127 int encipher_type;
1128
1129 if (cert == NULL)
1130 {
1131 gnutls_assert ();
1132 return GNUTLS_E_INTERNAL_ERROR;
1133 }
1134
1135 if (_gnutls_map_kx_get_cred (alg, 1) == GNUTLS_CRD_CERTIFICATE ||
1136 _gnutls_map_kx_get_cred (alg, 0) == GNUTLS_CRD_CERTIFICATE)
1137 {
1138
1139 key_usage = cert->key_usage;
1140
1141 encipher_type = _gnutls_kx_encipher_type (alg);
1142
1143 if (key_usage != 0 && encipher_type != CIPHER_IGN)
1144 {
1145 /* If key_usage has been set in the certificate
1146 */
1147
1148 if (encipher_type == CIPHER_ENCRYPT)
1149 {
1150 /* If the key exchange method requires an encipher
1151 * type algorithm, and key's usage does not permit
1152 * encipherment, then fail.
1153 */
1154 if (!(key_usage & GNUTLS_KEY_KEY_ENCIPHERMENT))
1155 {
1156 gnutls_assert ();
1157 return GNUTLS_E_KEY_USAGE_VIOLATION;
1158 }
1159 }
1160
1161 if (encipher_type == CIPHER_SIGN)
1162 {
1163 /* The same as above, but for sign only keys
1164 */
1165 if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
1166 {
1167 gnutls_assert ();
1168 return GNUTLS_E_KEY_USAGE_VIOLATION;
1169 }
1170 }
1171 }
1172 }
1173 return 0;
1174 }
1175
1176
1177
1178 static int
1179 parse_pem_ca_mem (gnutls_x509_crt_t ** cert_list, unsigned *ncerts,
1180 const opaque * input_cert, int input_cert_size)
1181 {
1182 int i, size;
1183 const opaque *ptr;
1184 gnutls_datum_t tmp;
1185 int ret, count;
1186
1187 /* move to the certificate
1188 */
1189 ptr = memmem (input_cert, input_cert_size,
1190 PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
1191 if (ptr == NULL)
1192 ptr = memmem (input_cert, input_cert_size,
1193 PEM_CERT_SEP2, sizeof (PEM_CERT_SEP2) - 1);
1194
1195 if (ptr == NULL)
1196 {
1197 gnutls_assert ();
1198 return GNUTLS_E_BASE64_DECODING_ERROR;
1199 }
1200 size = input_cert_size - (ptr - input_cert);
1201
1202 i = *ncerts + 1;
1203 count = 0;
1204
1205 do
1206 {
1207
1208 *cert_list =
1209 (gnutls_x509_crt_t *) gnutls_realloc_fast (*cert_list,
1210 i *
1211 sizeof
1212 (gnutls_x509_crt_t));
1213
1214 if (*cert_list == NULL)
1215 {
1216 gnutls_assert ();
1217 return GNUTLS_E_MEMORY_ERROR;
1218 }
1219
1220 ret = gnutls_x509_crt_init (&cert_list[0][i - 1]);
1221 if (ret < 0)
1222 {
1223 gnutls_assert ();
1224 return ret;
1225 }
1226
1227 tmp.data = (opaque *) ptr;
1228 tmp.size = size;
1229
1230 ret =
1231 gnutls_x509_crt_import (cert_list[0][i - 1],
1232 &tmp, GNUTLS_X509_FMT_PEM);
1233 if (ret < 0)
1234 {
1235 gnutls_assert ();
1236 return ret;
1237 }
1238
1239 /* now we move ptr after the pem header
1240 */
1241 ptr++;
1242 size--;
1243 /* find the next certificate (if any)
1244 */
1245
1246 if (size > 0)
1247 {
1248 char *ptr3;
1249
1250 ptr3 = memmem (ptr, size, PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
1251 if (ptr3 == NULL)
1252 ptr3 = memmem (ptr, size,
1253 PEM_CERT_SEP2, sizeof (PEM_CERT_SEP2) - 1);
1254
1255 ptr = ptr3;
1256 size = input_cert_size - (ptr - input_cert);
1257 }
1258 else
1259 ptr = NULL;
1260
1261 i++;
1262 count++;
1263
1264 }
1265 while (ptr != NULL);
1266
1267 *ncerts = i - 1;
1268
1269 return count;
1270 }
1271
1272 /* Reads a DER encoded certificate list from memory and stores it to a
1273 * gnutls_cert structure. Returns the number of certificates parsed.
1274 */
1275 static int
1276 parse_der_ca_mem (gnutls_x509_crt_t ** cert_list, unsigned *ncerts,
1277 const void *input_cert, int input_cert_size)
1278 {
1279 int i;
1280 gnutls_datum_t tmp;
1281 int ret;
1282
1283 i = *ncerts + 1;
1284
1285 *cert_list =
1286 (gnutls_x509_crt_t *) gnutls_realloc_fast (*cert_list,
1287 i *
1288 sizeof (gnutls_x509_crt_t));
1289
1290 if (*cert_list == NULL)
1291 {
1292 gnutls_assert ();
1293 return GNUTLS_E_MEMORY_ERROR;
1294 }
1295
1296 tmp.data = (opaque *) input_cert;
1297 tmp.size = input_cert_size;
1298
1299 ret = gnutls_x509_crt_init (&cert_list[0][i - 1]);
1300 if (ret < 0)
1301 {
1302 gnutls_assert ();
1303 return ret;
1304 }
1305
1306 ret =
1307 gnutls_x509_crt_import (cert_list[0][i - 1], &tmp, GNUTLS_X509_FMT_DER);
1308 if (ret < 0)
1309 {
1310 gnutls_assert ();
1311 return ret;
1312 }
1313
1314 *ncerts = i;
1315
1316 return 1; /* one certificate parsed */
1317 }
1318
1319 /**
1320 * gnutls_certificate_set_x509_trust_mem:
1321 * @res: is a #gnutls_certificate_credentials_t structure.
1322 * @ca: is a list of trusted CAs or a DER certificate
1323 * @type: is DER or PEM
1324 *
1325 * This function adds the trusted CAs in order to verify client or
1326 * server certificates. In case of a client this is not required to be
1327 * called if the certificates are not verified using
1328 * gnutls_certificate_verify_peers2(). This function may be called
1329 * multiple times.
1330 *
1331 * In case of a server the CAs set here will be sent to the client if
1332 * a certificate request is sent. This can be disabled using
1333 * gnutls_certificate_send_x509_rdn_sequence().
1334 *
1335 * Returns: the number of certificates processed or a negative value
1336 * on error.
1337 **/
1338 int
1339 gnutls_certificate_set_x509_trust_mem (gnutls_certificate_credentials_t res,
1340 const gnutls_datum_t * ca,
1341 gnutls_x509_crt_fmt_t type)
1342 {
1343 int ret, ret2;
1344
1345 if (type == GNUTLS_X509_FMT_DER)
1346 ret = parse_der_ca_mem (&res->x509_ca_list, &res->x509_ncas,
1347 ca->data, ca->size);
1348 else
1349 ret = parse_pem_ca_mem (&res->x509_ca_list, &res->x509_ncas,
1350 ca->data, ca->size);
1351
1352 if ((ret2 = add_new_crt_to_rdn_seq (res, ret)) < 0)
1353 return ret2;
1354
1355 return ret;
1356 }
1357
1358 /**
1359 * gnutls_certificate_set_x509_trust:
1360 * @res: is a #gnutls_certificate_credentials_t structure.
1361 * @ca_list: is a list of trusted CAs
1362 * @ca_list_size: holds the size of the CA list
1363 *
1364 * This function adds the trusted CAs in order to verify client
1365 * or server certificates. In case of a client this is not required
1366 * to be called if the certificates are not verified using
1367 * gnutls_certificate_verify_peers2().
1368 * This function may be called multiple times.
1369 *
1370 * In case of a server the CAs set here will be sent to the client if
1371 * a certificate request is sent. This can be disabled using
1372 * gnutls_certificate_send_x509_rdn_sequence().
1373 *
1374 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1375 *
1376 * Since: 2.4.0
1377 **/
1378 int
1379 gnutls_certificate_set_x509_trust (gnutls_certificate_credentials_t res,
1380 gnutls_x509_crt_t * ca_list,
1381 int ca_list_size)
1382 {
1383 int ret, i, ret2;
1384
1385 res->x509_ca_list = gnutls_realloc_fast (res->x509_ca_list,
1386 (ca_list_size +
1387 res->x509_ncas) *
1388 sizeof (gnutls_x509_crt_t));
1389 if (res->x509_ca_list == NULL)
1390 {
1391 gnutls_assert ();
1392 return GNUTLS_E_MEMORY_ERROR;
1393 }
1394
1395 for (i = 0; i < ca_list_size; i++)
1396 {
1397 ret = gnutls_x509_crt_init (&res->x509_ca_list[res->x509_ncas]);
1398 if (ret < 0)
1399 {
1400 gnutls_assert ();
1401 return ret;
1402 }
1403
1404 ret = _gnutls_x509_crt_cpy (res->x509_ca_list[res->x509_ncas],
1405 ca_list[i]);
1406 if (ret < 0)
1407 {
1408 gnutls_assert ();
1409 gnutls_x509_crt_deinit (res->x509_ca_list[res->x509_ncas]);
1410 return ret;
1411 }
1412 res->x509_ncas++;
1413 }
1414
1415 if ((ret2 = add_new_crt_to_rdn_seq (res, ca_list_size)) < 0)
1416 return ret2;
1417
1418 return 0;
1419 }
1420
1421 /**
1422 * gnutls_certificate_set_x509_trust_file:
1423 * @res: is a #gnutls_certificate_credentials_t structure.
1424 * @cafile: is a file containing the list of trusted CAs (DER or PEM list)
1425 * @type: is PEM or DER
1426 *
1427 * This function adds the trusted CAs in order to verify client or
1428 * server certificates. In case of a client this is not required to
1429 * be called if the certificates are not verified using
1430 * gnutls_certificate_verify_peers2(). This function may be called
1431 * multiple times.
1432 *
1433 * In case of a server the names of the CAs set here will be sent to
1434 * the client if a certificate request is sent. This can be disabled
1435 * using gnutls_certificate_send_x509_rdn_sequence().
1436 *
1437 * This function can also accept PKCS #11 URLs. In that case it
1438 * will import all certificates that are marked as trusted.
1439 *
1440 * Returns: number of certificates processed, or a negative value on
1441 * error.
1442 **/
1443 int
1444 gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t res,
1445 const char *cafile,
1446 gnutls_x509_crt_fmt_t type)
1447 {
1448 int ret, ret2;
1449 size_t size;
1450 char *data;
1451
1452 if (strncmp (cafile, "pkcs11:", 7) == 0)
1453 {
1454 return read_cas_url (res, cafile);
1455 }
1456
1457 data = read_binary_file (cafile, &size);
1458 if (data == NULL)
1459 {
1460 gnutls_assert ();
1461 return GNUTLS_E_FILE_ERROR;
1462 }
1463
1464 if (type == GNUTLS_X509_FMT_DER)
1465 ret = parse_der_ca_mem (&res->x509_ca_list, &res->x509_ncas, data, size);
1466 else
1467 ret = parse_pem_ca_mem (&res->x509_ca_list, &res->x509_ncas, data, size);
1468
1469 free (data);
1470
1471 if (ret < 0)
1472 {
1473 gnutls_assert ();
1474 return ret;
1475 }
1476
1477 if ((ret2 = add_new_crt_to_rdn_seq (res, ret)) < 0)
1478 return ret2;
1479
1480 return ret;
1481 }
1482
1483 #ifdef ENABLE_PKI
1484
1485 static int
1486 parse_pem_crl_mem (gnutls_x509_crl_t ** crl_list, unsigned *ncrls,
1487 const opaque * input_crl, int input_crl_size)
1488 {
1489 int size, i;
1490 const opaque *ptr;
1491 gnutls_datum_t tmp;
1492 int ret, count;
1493
1494 /* move to the certificate
1495 */
1496 ptr = memmem (input_crl, input_crl_size,
1497 PEM_CRL_SEP, sizeof (PEM_CRL_SEP) - 1);
1498 if (ptr == NULL)
1499 {
1500 gnutls_assert ();
1501 return GNUTLS_E_BASE64_DECODING_ERROR;
1502 }
1503
1504 size = input_crl_size - (ptr - input_crl);
1505
1506 i = *ncrls + 1;
1507 count = 0;
1508
1509 do
1510 {
1511
1512 *crl_list =
1513 (gnutls_x509_crl_t *) gnutls_realloc_fast (*crl_list,
1514 i *
1515 sizeof
1516 (gnutls_x509_crl_t));
1517
1518 if (*crl_list == NULL)
1519 {
1520 gnutls_assert ();
1521 return GNUTLS_E_MEMORY_ERROR;
1522 }
1523
1524 ret = gnutls_x509_crl_init (&crl_list[0][i - 1]);
1525 if (ret < 0)
1526 {
1527 gnutls_assert ();
1528 return ret;
1529 }
1530
1531 tmp.data = (char *) ptr;
1532 tmp.size = size;
1533
1534 ret =
1535 gnutls_x509_crl_import (crl_list[0][i - 1],
1536 &tmp, GNUTLS_X509_FMT_PEM);
1537 if (ret < 0)
1538 {
1539 gnutls_assert ();
1540 return ret;
1541 }
1542
1543 /* now we move ptr after the pem header
1544 */
1545 ptr++;
1546 /* find the next certificate (if any)
1547 */
1548
1549 size = input_crl_size - (ptr - input_crl);
1550
1551 if (size > 0)
1552 ptr = memmem (ptr, size, PEM_CRL_SEP, sizeof (PEM_CRL_SEP) - 1);
1553 else
1554 ptr = NULL;
1555 i++;
1556 count++;
1557
1558 }
1559 while (ptr != NULL);
1560
1561 *ncrls = i - 1;
1562
1563 return count;
1564 }
1565
1566 /* Reads a DER encoded certificate list from memory and stores it to a
1567 * gnutls_cert structure. Returns the number of certificates parsed.
1568 */
1569 static int
1570 parse_der_crl_mem (gnutls_x509_crl_t ** crl_list, unsigned *ncrls,
1571 const void *input_crl, int input_crl_size)
1572 {
1573 int i;
1574 gnutls_datum_t tmp;
1575 int ret;
1576
1577 i = *ncrls + 1;
1578
1579 *crl_list =
1580 (gnutls_x509_crl_t *) gnutls_realloc_fast (*crl_list,
1581 i *
1582 sizeof (gnutls_x509_crl_t));
1583
1584 if (*crl_list == NULL)
1585 {
1586 gnutls_assert ();
1587 return GNUTLS_E_MEMORY_ERROR;
1588 }
1589
1590 tmp.data = (opaque *) input_crl;
1591 tmp.size = input_crl_size;
1592
1593 ret = gnutls_x509_crl_init (&crl_list[0][i - 1]);
1594 if (ret < 0)
1595 {
1596 gnutls_assert ();
1597 return ret;
1598 }
1599
1600 ret =
1601 gnutls_x509_crl_import (crl_list[0][i - 1], &tmp, GNUTLS_X509_FMT_DER);
1602 if (ret < 0)
1603 {
1604 gnutls_assert ();
1605 return ret;
1606 }
1607
1608 *ncrls = i;
1609
1610 return 1; /* one certificate parsed */
1611 }
1612
1613
1614 /* Reads a DER or PEM CRL from memory
1615 */
1616 static int
1617 read_crl_mem (gnutls_certificate_credentials_t res, const void *crl,
1618 int crl_size, gnutls_x509_crt_fmt_t type)
1619 {
1620 int ret;
1621
1622 /* allocate space for the certificate to add
1623 */
1624 res->x509_crl_list = gnutls_realloc_fast (res->x509_crl_list,
1625 (1 +
1626 res->x509_ncrls) *
1627 sizeof (gnutls_x509_crl_t));
1628 if (res->x509_crl_list == NULL)
1629 {
1630 gnutls_assert ();
1631 return GNUTLS_E_MEMORY_ERROR;
1632 }
1633
1634 if (type == GNUTLS_X509_FMT_DER)
1635 ret = parse_der_crl_mem (&res->x509_crl_list,
1636 &res->x509_ncrls, crl, crl_size);
1637 else
1638 ret = parse_pem_crl_mem (&res->x509_crl_list,
1639 &res->x509_ncrls, crl, crl_size);
1640
1641 if (ret < 0)
1642 {
1643 gnutls_assert ();
1644 return ret;
1645 }
1646
1647 return ret;
1648 }
1649
1650 /**
1651 * gnutls_certificate_set_x509_crl_mem:
1652 * @res: is a #gnutls_certificate_credentials_t structure.
1653 * @CRL: is a list of trusted CRLs. They should have been verified before.
1654 * @type: is DER or PEM
1655 *
1656 * This function adds the trusted CRLs in order to verify client or
1657 * server certificates. In case of a client this is not required to
1658 * be called if the certificates are not verified using
1659 * gnutls_certificate_verify_peers2(). This function may be called
1660 * multiple times.
1661 *
1662 * Returns: number of CRLs processed, or a negative value on error.
1663 **/
1664 int
1665 gnutls_certificate_set_x509_crl_mem (gnutls_certificate_credentials_t res,
1666 const gnutls_datum_t * CRL,
1667 gnutls_x509_crt_fmt_t type)
1668 {
1669 int ret;
1670
1671 if ((ret = read_crl_mem (res, CRL->data, CRL->size, type)) < 0)
1672 return ret;
1673
1674 return ret;
1675 }
1676
1677 /**
1678 * gnutls_certificate_set_x509_crl:
1679 * @res: is a #gnutls_certificate_credentials_t structure.
1680 * @crl_list: is a list of trusted CRLs. They should have been verified before.
1681 * @crl_list_size: holds the size of the crl_list
1682 *
1683 * This function adds the trusted CRLs in order to verify client or
1684 * server certificates. In case of a client this is not required to
1685 * be called if the certificates are not verified using
1686 * gnutls_certificate_verify_peers2(). This function may be called
1687 * multiple times.
1688 *
1689 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1690 *
1691 * Since: 2.4.0
1692 **/
1693 int
1694 gnutls_certificate_set_x509_crl (gnutls_certificate_credentials_t res,
1695 gnutls_x509_crl_t * crl_list,
1696 int crl_list_size)
1697 {
1698 int ret, i;
1699
1700 res->x509_crl_list = gnutls_realloc_fast (res->x509_crl_list,
1701 (crl_list_size +
1702 res->x509_ncrls) *
1703 sizeof (gnutls_x509_crl_t));
1704 if (res->x509_crl_list == NULL)
1705 {
1706 gnutls_assert ();
1707 return GNUTLS_E_MEMORY_ERROR;
1708 }
1709
1710 for (i = 0; i < crl_list_size; i++)
1711 {
1712 ret = gnutls_x509_crl_init (&res->x509_crl_list[res->x509_ncrls]);
1713 if (ret < 0)
1714 {
1715 gnutls_assert ();
1716 return ret;
1717 }
1718
1719 ret = _gnutls_x509_crl_cpy (res->x509_crl_list[res->x509_ncrls],
1720 crl_list[i]);
1721 if (ret < 0)
1722 {
1723 gnutls_assert ();
1724 return ret;
1725 }
1726 res->x509_ncrls++;
1727 }
1728
1729 return 0;
1730 }
1731
1732 /**
1733 * gnutls_certificate_set_x509_crl_file:
1734 * @res: is a #gnutls_certificate_credentials_t structure.
1735 * @crlfile: is a file containing the list of verified CRLs (DER or PEM list)
1736 * @type: is PEM or DER
1737 *
1738 * This function adds the trusted CRLs in order to verify client or server
1739 * certificates. In case of a client this is not required
1740 * to be called if the certificates are not verified using
1741 * gnutls_certificate_verify_peers2().
1742 * This function may be called multiple times.
1743 *
1744 * Returns: number of CRLs processed or a negative value on error.
1745 **/
1746 int
1747 gnutls_certificate_set_x509_crl_file (gnutls_certificate_credentials_t res,
1748 const char *crlfile,
1749 gnutls_x509_crt_fmt_t type)
1750 {
1751 int ret;
1752 size_t size;
1753 char *data = read_binary_file (crlfile, &size);
1754
1755 if (data == NULL)
1756 {
1757 gnutls_assert ();
1758 return GNUTLS_E_FILE_ERROR;
1759 }
1760
1761 if (type == GNUTLS_X509_FMT_DER)
1762 ret = parse_der_crl_mem (&res->x509_crl_list, &res->x509_ncrls,
1763 data, size);
1764 else
1765 ret = parse_pem_crl_mem (&res->x509_crl_list, &res->x509_ncrls,
1766 data, size);
1767
1768 free (data);
1769
1770 if (ret < 0)
1771 {
1772 gnutls_assert ();
1773 return ret;
1774 }
1775
1776 return ret;
1777 }
1778
1779 #include <gnutls/pkcs12.h>
1780
1781 static int
1782 parse_pkcs12 (gnutls_certificate_credentials_t res,
1783 gnutls_pkcs12_t p12,
1784 const char *password,
1785 gnutls_x509_privkey_t * key,
1786 gnutls_x509_crt_t * cert, gnutls_x509_crl_t * crl)
1787 {
1788 gnutls_pkcs12_bag_t bag = NULL;
1789 int idx = 0;
1790 int ret;
1791 size_t cert_id_size = 0;
1792 size_t key_id_size = 0;
1793 opaque cert_id[20];
1794 opaque key_id[20];
1795 int privkey_ok = 0;
1796
1797 *cert = NULL;
1798 *key = NULL;
1799 *crl = NULL;
1800
1801 /* find the first private key */
1802 for (;;)
1803 {
1804 int elements_in_bag;
1805 int i;
1806
1807 ret = gnutls_pkcs12_bag_init (&bag);
1808 if (ret < 0)
1809 {
1810 bag = NULL;
1811 gnutls_assert ();
1812 goto done;
1813 }
1814
1815 ret = gnutls_pkcs12_get_bag (p12, idx, bag);
1816 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1817 break;
1818 if (ret < 0)
1819 {
1820 gnutls_assert ();
1821 goto done;
1822 }
1823
1824 ret = gnutls_pkcs12_bag_get_type (bag, 0);
1825 if (ret < 0)
1826 {
1827 gnutls_assert ();
1828 goto done;
1829 }
1830
1831 if (ret == GNUTLS_BAG_ENCRYPTED)
1832 {
1833 ret = gnutls_pkcs12_bag_decrypt (bag, password);
1834 if (ret < 0)
1835 {
1836 gnutls_assert ();
1837 goto done;
1838 }
1839 }
1840
1841 elements_in_bag = gnutls_pkcs12_bag_get_count (bag);
1842 if (elements_in_bag < 0)
1843 {
1844 gnutls_assert ();
1845 goto done;
1846 }
1847
1848 for (i = 0; i < elements_in_bag; i++)
1849 {
1850 int type;
1851 gnutls_datum_t data;
1852
1853 type = gnutls_pkcs12_bag_get_type (bag, i);
1854 if (type < 0)
1855 {
1856 gnutls_assert ();
1857 goto done;
1858 }
1859
1860 ret = gnutls_pkcs12_bag_get_data (bag, i, &data);
1861 if (ret < 0)
1862 {
1863 gnutls_assert ();
1864 goto done;
1865 }
1866
1867 switch (type)
1868 {
1869 case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY:
1870 case GNUTLS_BAG_PKCS8_KEY:
1871 if (*key != NULL) /* too simple to continue */
1872 {
1873 gnutls_assert ();
1874 break;
1875 }
1876
1877 ret = gnutls_x509_privkey_init (key);
1878 if (ret < 0)
1879 {
1880 gnutls_assert ();
1881 goto done;
1882 }
1883
1884 ret = gnutls_x509_privkey_import_pkcs8
1885 (*key, &data, GNUTLS_X509_FMT_DER, password,
1886 type == GNUTLS_BAG_PKCS8_KEY ? GNUTLS_PKCS_PLAIN : 0);
1887 if (ret < 0)
1888 {
1889 gnutls_assert ();
1890 gnutls_x509_privkey_deinit (*key);
1891 goto done;
1892 }
1893
1894 key_id_size = sizeof (key_id);
1895 ret =
1896 gnutls_x509_privkey_get_key_id (*key, 0, key_id,
1897 &key_id_size);
1898 if (ret < 0)
1899 {
1900 gnutls_assert ();
1901 gnutls_x509_privkey_deinit (*key);
1902 goto done;
1903 }
1904
1905 privkey_ok = 1; /* break */
1906 break;
1907 default:
1908 break;
1909 }
1910 }
1911
1912 idx++;
1913 gnutls_pkcs12_bag_deinit (bag);
1914
1915 if (privkey_ok != 0) /* private key was found */
1916 break;
1917 }
1918
1919 if (privkey_ok == 0) /* no private key */
1920 {
1921 gnutls_assert ();
1922 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
1923 }
1924
1925 /* now find the corresponding certificate
1926 */
1927 idx = 0;
1928 bag = NULL;
1929 for (;;)
1930 {
1931 int elements_in_bag;
1932 int i;
1933
1934 ret = gnutls_pkcs12_bag_init (&bag);
1935 if (ret < 0)
1936 {
1937 bag = NULL;
1938 gnutls_assert ();
1939 goto done;
1940 }
1941
1942 ret = gnutls_pkcs12_get_bag (p12, idx, bag);
1943 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1944 break;
1945 if (ret < 0)
1946 {
1947 gnutls_assert ();
1948 goto done;
1949 }
1950
1951 ret = gnutls_pkcs12_bag_get_type (bag, 0);
1952 if (ret < 0)
1953 {
1954 gnutls_assert ();
1955 goto done;
1956 }
1957
1958 if (ret == GNUTLS_BAG_ENCRYPTED)
1959 {
1960 ret = gnutls_pkcs12_bag_decrypt (bag, password);
1961 if (ret < 0)
1962 {
1963 gnutls_assert ();
1964 goto done;
1965 }
1966 }
1967
1968 elements_in_bag = gnutls_pkcs12_bag_get_count (bag);
1969 if (elements_in_bag < 0)
1970 {
1971 gnutls_assert ();
1972 goto done;
1973 }
1974
1975 for (i = 0; i < elements_in_bag; i++)
1976 {
1977 int type;
1978 gnutls_datum_t data;
1979
1980 type = gnutls_pkcs12_bag_get_type (bag, i);
1981 if (type < 0)
1982 {
1983 gnutls_assert ();
1984 goto done;
1985 }
1986
1987 ret = gnutls_pkcs12_bag_get_data (bag, i, &data);
1988 if (ret < 0)
1989 {
1990 gnutls_assert ();
1991 goto done;
1992 }
1993
1994 switch (type)
1995 {
1996 case GNUTLS_BAG_CERTIFICATE:
1997 if (*cert != NULL) /* no need to set it again */
1998 {
1999 gnutls_assert ();
2000 break;
2001 }
2002
2003 ret = gnutls_x509_crt_init (cert);
2004 if (ret < 0)
2005 {
2006 gnutls_assert ();
2007 goto done;
2008 }
2009
2010 ret =
2011 gnutls_x509_crt_import (*cert, &data, GNUTLS_X509_FMT_DER);
2012 if (ret < 0)
2013 {
2014 gnutls_assert ();
2015 gnutls_x509_crt_deinit (*cert);
2016 goto done;
2017 }
2018
2019 /* check if the key id match */
2020 cert_id_size = sizeof (cert_id);
2021 ret =
2022 gnutls_x509_crt_get_key_id (*cert, 0, cert_id, &cert_id_size);
2023 if (ret < 0)
2024 {
2025 gnutls_assert ();
2026 gnutls_x509_crt_deinit (*cert);
2027 goto done;
2028 }
2029
2030 if (memcmp (cert_id, key_id, cert_id_size) != 0)
2031 { /* they don't match - skip the certificate */
2032 gnutls_x509_crt_deinit (*cert);
2033 *cert = NULL;
2034 }
2035 break;
2036
2037 case GNUTLS_BAG_CRL:
2038 if (*crl != NULL)
2039 {
2040 gnutls_assert ();
2041 break;
2042 }
2043
2044 ret = gnutls_x509_crl_init (crl);
2045 if (ret < 0)
2046 {
2047 gnutls_assert ();
2048 goto done;
2049 }
2050
2051 ret = gnutls_x509_crl_import (*crl, &data, GNUTLS_X509_FMT_DER);
2052 if (ret < 0)
2053 {
2054 gnutls_assert ();
2055 gnutls_x509_crl_deinit (*crl);
2056 goto done;
2057 }
2058 break;
2059
2060 case GNUTLS_BAG_ENCRYPTED:
2061 /* XXX Bother to recurse one level down? Unlikely to
2062 use the same password anyway. */
2063 case GNUTLS_BAG_EMPTY:
2064 default:
2065 break;
2066 }
2067 }
2068
2069 idx++;
2070 gnutls_pkcs12_bag_deinit (bag);
2071 }
2072
2073 ret = 0;
2074
2075 done:
2076 if (bag)
2077 gnutls_pkcs12_bag_deinit (bag);
2078
2079 return ret;
2080 }
2081
2082 /**
2083 * gnutls_certificate_set_x509_simple_pkcs12_file:
2084 * @res: is a #gnutls_certificate_credentials_t structure.
2085 * @pkcs12file: filename of file containing PKCS#12 blob.
2086 * @type: is PEM or DER of the @pkcs12file.
2087 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
2088 *
2089 * This function sets a certificate/private key pair and/or a CRL in
2090 * the gnutls_certificate_credentials_t structure. This function may
2091 * be called more than once (in case multiple keys/certificates exist
2092 * for the server).
2093 *
2094 * MAC:ed PKCS#12 files are supported. Encrypted PKCS#12 bags are
2095 * supported. Encrypted PKCS#8 private keys are supported. However,
2096 * only password based security, and the same password for all
2097 * operations, are supported.
2098 *
2099 * The private keys may be RSA PKCS#1 or DSA private keys encoded in
2100 * the OpenSSL way.
2101 *
2102 * PKCS#12 file may contain many keys and/or certificates, and there
2103 * is no way to identify which key/certificate pair you want. You
2104 * should make sure the PKCS#12 file only contain one key/certificate
2105 * pair and/or one CRL.
2106 *
2107 * It is believed that the limitations of this function is acceptable
2108 * for most usage, and that any more flexibility would introduce
2109 * complexity that would make it harder to use this functionality at
2110 * all.
2111 *
2112 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
2113 **/
2114 int
2115 gnutls_certificate_set_x509_simple_pkcs12_file
2116 (gnutls_certificate_credentials_t res, const char *pkcs12file,
2117 gnutls_x509_crt_fmt_t type, const char *password)
2118 {
2119 gnutls_datum_t p12blob;
2120 size_t size;
2121 int ret;
2122
2123 p12blob.data = read_binary_file (pkcs12file, &size);
2124 p12blob.size = (unsigned int) size;
2125 if (p12blob.data == NULL)
2126 {
2127 gnutls_assert ();
2128 return GNUTLS_E_FILE_ERROR;
2129 }
2130
2131 ret =
2132 gnutls_certificate_set_x509_simple_pkcs12_mem (res, &p12blob, type,
2133 password);
2134 free (p12blob.data);
2135
2136 return ret;
2137 }
2138
2139 /**
2140 * gnutls_certificate_set_x509_simple_pkcs12_mem:
2141 * @res: is a #gnutls_certificate_credentials_t structure.
2142 * @p12blob: the PKCS#12 blob.
2143 * @type: is PEM or DER of the @pkcs12file.
2144 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
2145 *
2146 * This function sets a certificate/private key pair and/or a CRL in
2147 * the gnutls_certificate_credentials_t structure. This function may
2148 * be called more than once (in case multiple keys/certificates exist
2149 * for the server).
2150 *
2151 * MAC:ed PKCS#12 files are supported. Encrypted PKCS#12 bags are
2152 * supported. Encrypted PKCS#8 private keys are supported. However,
2153 * only password based security, and the same password for all
2154 * operations, are supported.
2155 *
2156 * The private keys may be RSA PKCS#1 or DSA private keys encoded in
2157 * the OpenSSL way.
2158 *
2159 * PKCS#12 file may contain many keys and/or certificates, and there
2160 * is no way to identify which key/certificate pair you want. You
2161 * should make sure the PKCS#12 file only contain one key/certificate
2162 * pair and/or one CRL.
2163 *
2164 * It is believed that the limitations of this function is acceptable
2165 * for most usage, and that any more flexibility would introduce
2166 * complexity that would make it harder to use this functionality at
2167 * all.
2168 *
2169 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
2170 *
2171 * Since: 2.8.0
2172 **/
2173 int
2174 gnutls_certificate_set_x509_simple_pkcs12_mem
2175 (gnutls_certificate_credentials_t res, const gnutls_datum_t * p12blob,
2176 gnutls_x509_crt_fmt_t type, const char *password)
2177 {
2178 gnutls_pkcs12_t p12;
2179 gnutls_x509_privkey_t key = NULL;
2180 gnutls_x509_crt_t cert = NULL;
2181 gnutls_x509_crl_t crl = NULL;
2182 int ret;
2183
2184 ret = gnutls_pkcs12_init (&p12);
2185 if (ret < 0)
2186 {
2187 gnutls_assert ();
2188 return ret;
2189 }
2190
2191 ret = gnutls_pkcs12_import (p12, p12blob, type, 0);
2192 if (ret < 0)
2193 {
2194 gnutls_assert ();
2195 gnutls_pkcs12_deinit (p12);
2196 return ret;
2197 }
2198
2199 if (password)
2200 {
2201 ret = gnutls_pkcs12_verify_mac (p12, password);
2202 if (ret < 0)
2203 {
2204 gnutls_assert ();
2205 gnutls_pkcs12_deinit (p12);
2206 return ret;
2207 }
2208 }
2209
2210 ret = parse_pkcs12 (res, p12, password, &key, &cert, &crl);
2211 gnutls_pkcs12_deinit (p12);
2212 if (ret < 0)
2213 {
2214 gnutls_assert ();
2215 return ret;
2216 }
2217
2218 if (key && cert)
2219 {
2220 ret = gnutls_certificate_set_x509_key (res, &cert, 1, key);
2221 if (ret < 0)
2222 {
2223 gnutls_assert ();
2224 goto done;
2225 }
2226 }
2227
2228 if (crl)
2229 {
2230 ret = gnutls_certificate_set_x509_crl (res, &crl, 1);
2231 if (ret < 0)
2232 {
2233 gnutls_assert ();
2234 goto done;
2235 }
2236 }
2237
2238 ret = 0;
2239
2240 done:
2241 if (cert)
2242 gnutls_x509_crt_deinit (cert);
2243 if (key)
2244 gnutls_x509_privkey_deinit (key);
2245 if (crl)
2246 gnutls_x509_crl_deinit (crl);
2247
2248 return ret;
2249 }
2250
2251
2252
2253 /**
2254 * gnutls_certificate_free_crls:
2255 * @sc: is a #gnutls_certificate_credentials_t structure.
2256 *
2257 * This function will delete all the CRLs associated
2258 * with the given credentials.
2259 **/
2260 void
2261 gnutls_certificate_free_crls (gnutls_certificate_credentials_t sc)
2262 {
2263 unsigned j;
2264
2265 for (j = 0; j < sc->x509_ncrls; j++)
2266 {
2267 gnutls_x509_crl_deinit (sc->x509_crl_list[j]);
2268 }
2269
2270 sc->x509_ncrls = 0;
2271
2272 gnutls_free (sc->x509_crl_list);
2273 sc->x509_crl_list = NULL;
2274 }
2275
2276 #endif
Implementation of the SSL/TLS protocol