removed keyid_t types.
[gnutls.git] / lib / gnutls_cert.c
blob72887e5e1e3fa962faa4cf892e1f63a46d146061
1 /*
2 * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009,
3 * 2010 Free Software Foundation, Inc.
5 * Author: Nikos Mavrogiannopoulos
7 * This file is part of GnuTLS.
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
22 * USA
26 /* Some of the stuff needed for Certificate authentication is contained
27 * in this file.
30 #include <gnutls_int.h>
31 #include <gnutls_errors.h>
32 #include <auth_cert.h>
33 #include <gnutls_cert.h>
34 #include <gnutls_datum.h>
35 #include <gnutls_mpi.h>
36 #include <gnutls_global.h>
37 #include <gnutls_algorithms.h>
38 #include <gnutls_dh.h>
39 #include <gnutls_str.h>
40 #include <gnutls_state.h>
41 #include <gnutls_auth.h>
42 #include <gnutls_x509.h>
43 #include "x509/x509_int.h"
44 #ifdef ENABLE_OPENPGP
45 #include "openpgp/gnutls_openpgp.h"
46 #endif
48 /**
49 * gnutls_certificate_free_keys:
50 * @sc: is a #gnutls_certificate_credentials_t structure.
52 * This function will delete all the keys and the certificates associated
53 * with the given credentials. This function must not be called when a
54 * TLS negotiation that uses the credentials is in progress.
56 **/
57 void
58 gnutls_certificate_free_keys (gnutls_certificate_credentials_t sc)
60 unsigned i, j;
62 for (i = 0; i < sc->ncerts; i++)
64 for (j = 0; j < sc->cert_list_length[i]; j++)
66 _gnutls_gcert_deinit (&sc->cert_list[i][j]);
68 gnutls_free (sc->cert_list[i]);
71 gnutls_free (sc->cert_list_length);
72 sc->cert_list_length = NULL;
74 gnutls_free (sc->cert_list);
75 sc->cert_list = NULL;
77 for (i = 0; i < sc->ncerts; i++)
79 gnutls_privkey_deinit (sc->pkey[i]);
82 gnutls_free (sc->pkey);
83 sc->pkey = NULL;
85 sc->ncerts = 0;
89 /**
90 * gnutls_certificate_free_cas:
91 * @sc: is a #gnutls_certificate_credentials_t structure.
93 * This function will delete all the CAs associated with the given
94 * credentials. Servers that do not use
95 * gnutls_certificate_verify_peers2() may call this to save some
96 * memory.
97 **/
98 void
99 gnutls_certificate_free_cas (gnutls_certificate_credentials_t sc)
101 unsigned j;
103 for (j = 0; j < sc->x509_ncas; j++)
105 gnutls_x509_crt_deinit (sc->x509_ca_list[j]);
108 sc->x509_ncas = 0;
110 gnutls_free (sc->x509_ca_list);
111 sc->x509_ca_list = NULL;
116 * gnutls_certificate_get_x509_cas:
117 * @sc: is a #gnutls_certificate_credentials_t structure.
118 * @x509_ca_list: will point to the CA list. Should be treated as constant
119 * @ncas: the number of CAs
121 * This function will export all the CAs associated with the given
122 * credentials.
124 * Since: 2.4.0
126 void
127 gnutls_certificate_get_x509_cas (gnutls_certificate_credentials_t sc,
128 gnutls_x509_crt_t ** x509_ca_list,
129 unsigned int *ncas)
131 *x509_ca_list = sc->x509_ca_list;
132 *ncas = sc->x509_ncas;
136 * gnutls_certificate_get_x509_crls:
137 * @sc: is a #gnutls_certificate_credentials_t structure.
138 * @x509_crl_list: the exported CRL list. Should be treated as constant
139 * @ncrls: the number of exported CRLs
141 * This function will export all the CRLs associated with the given
142 * credentials.
144 * Since: 2.4.0
146 void
147 gnutls_certificate_get_x509_crls (gnutls_certificate_credentials_t sc,
148 gnutls_x509_crl_t ** x509_crl_list,
149 unsigned int *ncrls)
151 *x509_crl_list = sc->x509_crl_list;
152 *ncrls = sc->x509_ncrls;
155 #ifdef ENABLE_OPENPGP
158 * gnutls_certificate_get_openpgp_keyring:
159 * @sc: is a #gnutls_certificate_credentials_t structure.
160 * @keyring: the exported keyring. Should be treated as constant
162 * This function will export the OpenPGP keyring associated with the
163 * given credentials.
165 * Since: 2.4.0
167 void
168 gnutls_certificate_get_openpgp_keyring (gnutls_certificate_credentials_t sc,
169 gnutls_openpgp_keyring_t * keyring)
171 *keyring = sc->keyring;
174 #endif
177 * gnutls_certificate_free_ca_names:
178 * @sc: is a #gnutls_certificate_credentials_t structure.
180 * This function will delete all the CA name in the given
181 * credentials. Clients may call this to save some memory since in
182 * client side the CA names are not used. Servers might want to use
183 * this function if a large list of trusted CAs is present and
184 * sending the names of it would just consume bandwidth without providing
185 * information to client.
187 * CA names are used by servers to advertize the CAs they support to
188 * clients.
190 void
191 gnutls_certificate_free_ca_names (gnutls_certificate_credentials_t sc)
193 _gnutls_free_datum (&sc->x509_rdn_sequence);
197 * _gnutls_certificate_get_rsa_params - Returns the RSA parameters pointer
198 * @rsa_params: holds the RSA parameters or NULL.
199 * @func: function to retrieve the parameters or NULL.
200 * @session: The session.
202 * This function will return the rsa parameters pointer.
204 gnutls_rsa_params_t
205 _gnutls_certificate_get_rsa_params (gnutls_rsa_params_t rsa_params,
206 gnutls_params_function * func,
207 gnutls_session_t session)
209 gnutls_params_st params;
210 int ret;
212 if (session->internals.params.rsa_params)
214 return session->internals.params.rsa_params;
217 if (rsa_params)
219 session->internals.params.rsa_params = rsa_params;
221 else if (func)
223 ret = func (session, GNUTLS_PARAMS_RSA_EXPORT, &params);
224 if (ret == 0 && params.type == GNUTLS_PARAMS_RSA_EXPORT)
226 session->internals.params.rsa_params = params.params.rsa_export;
227 session->internals.params.free_rsa_params = params.deinit;
231 return session->internals.params.rsa_params;
236 * gnutls_certificate_free_credentials:
237 * @sc: is a #gnutls_certificate_credentials_t structure.
239 * This structure is complex enough to manipulate directly thus this
240 * helper function is provided in order to free (deallocate) it.
242 * This function does not free any temporary parameters associated
243 * with this structure (ie RSA and DH parameters are not freed by this
244 * function).
246 void
247 gnutls_certificate_free_credentials (gnutls_certificate_credentials_t sc)
249 gnutls_certificate_free_keys (sc);
250 gnutls_certificate_free_cas (sc);
251 gnutls_certificate_free_ca_names (sc);
252 #ifdef ENABLE_PKI
253 gnutls_certificate_free_crls (sc);
254 #endif
256 #ifdef ENABLE_OPENPGP
257 gnutls_openpgp_keyring_deinit (sc->keyring);
258 #endif
260 gnutls_free (sc);
265 * gnutls_certificate_allocate_credentials:
266 * @res: is a pointer to a #gnutls_certificate_credentials_t structure.
268 * This structure is complex enough to manipulate directly thus this
269 * helper function is provided in order to allocate it.
271 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
274 gnutls_certificate_allocate_credentials (gnutls_certificate_credentials_t *
275 res)
277 *res = gnutls_calloc (1, sizeof (certificate_credentials_st));
279 if (*res == NULL)
280 return GNUTLS_E_MEMORY_ERROR;
282 (*res)->verify_bits = DEFAULT_VERIFY_BITS;
283 (*res)->verify_depth = DEFAULT_VERIFY_DEPTH;
285 return 0;
289 /* returns the KX algorithms that are supported by a
290 * certificate. (Eg a certificate with RSA params, supports
291 * GNUTLS_KX_RSA algorithm).
292 * This function also uses the KeyUsage field of the certificate
293 * extensions in order to disable unneded algorithms.
296 _gnutls_selected_cert_supported_kx (gnutls_session_t session,
297 gnutls_kx_algorithm_t ** alg,
298 int *alg_size)
300 gnutls_kx_algorithm_t kx;
301 gnutls_pk_algorithm_t pk;
302 gnutls_kx_algorithm_t kxlist[MAX_ALGOS];
303 gnutls_cert *cert;
304 int i;
306 if (session->internals.selected_cert_list_length == 0)
308 *alg_size = 0;
309 *alg = NULL;
310 return 0;
313 cert = &session->internals.selected_cert_list[0];
314 i = 0;
316 for (kx = 0; kx < MAX_ALGOS; kx++)
318 pk = _gnutls_map_pk_get_pk (kx);
319 if (pk == cert->subject_pk_algorithm)
321 /* then check key usage */
322 if (_gnutls_check_key_usage (cert, kx) == 0)
324 kxlist[i] = kx;
325 i++;
330 if (i == 0)
332 gnutls_assert ();
333 return GNUTLS_E_INVALID_REQUEST;
336 *alg = gnutls_calloc (i, sizeof (gnutls_kx_algorithm_t));
337 if (*alg == NULL)
338 return GNUTLS_E_MEMORY_ERROR;
340 *alg_size = i;
342 memcpy (*alg, kxlist, i * sizeof (gnutls_kx_algorithm_t));
344 return 0;
349 * gnutls_certificate_server_set_request:
350 * @session: is a #gnutls_session_t structure.
351 * @req: is one of GNUTLS_CERT_REQUEST, GNUTLS_CERT_REQUIRE
353 * This function specifies if we (in case of a server) are going to
354 * send a certificate request message to the client. If @req is
355 * GNUTLS_CERT_REQUIRE then the server will return an error if the
356 * peer does not provide a certificate. If you do not call this
357 * function then the client will not be asked to send a certificate.
359 void
360 gnutls_certificate_server_set_request (gnutls_session_t session,
361 gnutls_certificate_request_t req)
363 session->internals.send_cert_req = req;
367 * gnutls_certificate_client_set_retrieve_function:
368 * @cred: is a #gnutls_certificate_credentials_t structure.
369 * @func: is the callback function
371 * This function sets a callback to be called in order to retrieve the
372 * certificate to be used in the handshake.
374 * The callback's function prototype is:
375 * int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs,
376 * const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_retr_st* st);
378 * @req_ca_cert is only used in X.509 certificates.
379 * Contains a list with the CA names that the server considers trusted.
380 * Normally we should send a certificate that is signed
381 * by one of these CAs. These names are DER encoded. To get a more
382 * meaningful value use the function gnutls_x509_rdn_get().
384 * @pk_algos contains a list with server's acceptable signature algorithms.
385 * The certificate returned should support the server's given algorithms.
387 * @st should contain the certificates and private keys.
389 * If the callback function is provided then gnutls will call it, in the
390 * handshake, after the certificate request message has been received.
392 * The callback function should set the certificate list to be sent,
393 * and return 0 on success. If no certificate was selected then the
394 * number of certificates should be set to zero. The value (-1)
395 * indicates error and the handshake will be terminated.
397 void gnutls_certificate_client_set_retrieve_function
398 (gnutls_certificate_credentials_t cred,
399 gnutls_certificate_client_retrieve_function * func)
401 cred->client_get_cert_callback = func;
405 * gnutls_certificate_server_set_retrieve_function:
406 * @cred: is a #gnutls_certificate_credentials_t structure.
407 * @func: is the callback function
409 * This function sets a callback to be called in order to retrieve the
410 * certificate to be used in the handshake.
412 * The callback's function prototype is:
413 * int (*callback)(gnutls_session_t, gnutls_retr_st* st);
415 * @st should contain the certificates and private keys.
417 * If the callback function is provided then gnutls will call it, in the
418 * handshake, after the certificate request message has been received.
420 * The callback function should set the certificate list to be sent, and
421 * return 0 on success. The value (-1) indicates error and the handshake
422 * will be terminated.
424 void gnutls_certificate_server_set_retrieve_function
425 (gnutls_certificate_credentials_t cred,
426 gnutls_certificate_server_retrieve_function * func)
428 cred->server_get_cert_callback = func;
432 * gnutls_certificate_set_retrieve_function:
433 * @cred: is a #gnutls_certificate_credentials_t structure.
434 * @func: is the callback function
436 * This function sets a callback to be called in order to retrieve the
437 * certificate to be used in the handshake.
439 * The callback's function prototype is:
440 * int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs,
441 * const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_retr2_st* st);
443 * @req_ca_cert is only used in X.509 certificates.
444 * Contains a list with the CA names that the server considers trusted.
445 * Normally we should send a certificate that is signed
446 * by one of these CAs. These names are DER encoded. To get a more
447 * meaningful value use the function gnutls_x509_rdn_get().
449 * @pk_algos contains a list with server's acceptable signature algorithms.
450 * The certificate returned should support the server's given algorithms.
452 * @st should contain the certificates and private keys.
454 * If the callback function is provided then gnutls will call it, in the
455 * handshake, after the certificate request message has been received.
457 * In server side pk_algos and req_ca_dn are NULL.
459 * The callback function should set the certificate list to be sent,
460 * and return 0 on success. If no certificate was selected then the
461 * number of certificates should be set to zero. The value (-1)
462 * indicates error and the handshake will be terminated.
464 void gnutls_certificate_set_retrieve_function
465 (gnutls_certificate_credentials_t cred,
466 gnutls_certificate_retrieve_function * func)
468 cred->get_cert_callback = func;
472 * gnutls_certificate_set_verify_function:
473 * @cred: is a #gnutls_certificate_credentials_t structure.
474 * @func: is the callback function
476 * This function sets a callback to be called when peer's certificate
477 * has been received in order to verify it on receipt rather than
478 * doing after the handshake is completed.
480 * The callback's function prototype is:
481 * int (*callback)(gnutls_session_t);
483 * If the callback function is provided then gnutls will call it, in the
484 * handshake, just after the certificate message has been received.
485 * To verify or obtain the certificate the gnutls_certificate_verify_peers2(),
486 * gnutls_certificate_type_get(), gnutls_certificate_get_peers() functions
487 * can be used.
489 * The callback function should return 0 for the handshake to continue
490 * or non-zero to terminate.
492 * Since: 2.10.0
494 void
495 gnutls_certificate_set_verify_function
496 (gnutls_certificate_credentials_t cred,
497 gnutls_certificate_verify_function * func)
499 cred->verify_callback = func;
503 * _gnutls_x509_extract_certificate_activation_time - return the peer's certificate activation time
504 * @cert: should contain an X.509 DER encoded certificate
506 * This function will return the certificate's activation time in UNIX time
507 * (ie seconds since 00:00:00 UTC January 1, 1970).
509 * Returns a (time_t) -1 in case of an error.
512 static time_t
513 _gnutls_x509_get_raw_crt_activation_time (const gnutls_datum_t * cert)
515 gnutls_x509_crt_t xcert;
516 time_t result;
518 result = gnutls_x509_crt_init (&xcert);
519 if (result < 0)
520 return (time_t) - 1;
522 result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
523 if (result < 0)
525 gnutls_x509_crt_deinit (xcert);
526 return (time_t) - 1;
529 result = gnutls_x509_crt_get_activation_time (xcert);
531 gnutls_x509_crt_deinit (xcert);
533 return result;
537 * gnutls_x509_extract_certificate_expiration_time:
538 * @cert: should contain an X.509 DER encoded certificate
540 * This function will return the certificate's expiration time in UNIX
541 * time (ie seconds since 00:00:00 UTC January 1, 1970). Returns a
543 * (time_t) -1 in case of an error.
546 static time_t
547 _gnutls_x509_get_raw_crt_expiration_time (const gnutls_datum_t * cert)
549 gnutls_x509_crt_t xcert;
550 time_t result;
552 result = gnutls_x509_crt_init (&xcert);
553 if (result < 0)
554 return (time_t) - 1;
556 result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
557 if (result < 0)
559 gnutls_x509_crt_deinit (xcert);
560 return (time_t) - 1;
563 result = gnutls_x509_crt_get_expiration_time (xcert);
565 gnutls_x509_crt_deinit (xcert);
567 return result;
570 #ifdef ENABLE_OPENPGP
572 * _gnutls_openpgp_crt_verify_peers - return the peer's certificate status
573 * @session: is a gnutls session
575 * This function will try to verify the peer's certificate and return its status (TRUSTED, INVALID etc.).
576 * Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
578 static int
579 _gnutls_openpgp_crt_verify_peers (gnutls_session_t session,
580 unsigned int *status)
582 cert_auth_info_t info;
583 gnutls_certificate_credentials_t cred;
584 int peer_certificate_list_size, ret;
586 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
588 info = _gnutls_get_auth_info (session);
589 if (info == NULL)
590 return GNUTLS_E_INVALID_REQUEST;
592 cred = (gnutls_certificate_credentials_t)
593 _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL);
594 if (cred == NULL)
596 gnutls_assert ();
597 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
600 if (info->raw_certificate_list == NULL || info->ncerts == 0)
602 gnutls_assert ();
603 return GNUTLS_E_NO_CERTIFICATE_FOUND;
606 /* generate a list of gnutls_certs based on the auth info
607 * raw certs.
609 peer_certificate_list_size = info->ncerts;
611 if (peer_certificate_list_size != 1)
613 gnutls_assert ();
614 return GNUTLS_E_INTERNAL_ERROR;
617 /* Verify certificate
619 ret =
620 _gnutls_openpgp_verify_key (cred, &info->raw_certificate_list[0],
621 peer_certificate_list_size, status);
623 if (ret < 0)
625 gnutls_assert ();
626 return ret;
629 return 0;
631 #endif
634 * gnutls_certificate_verify_peers2:
635 * @session: is a gnutls session
636 * @status: is the output of the verification
638 * This function will try to verify the peer's certificate and return
639 * its status (trusted, invalid etc.). The value of @status should
640 * be one or more of the gnutls_certificate_status_t enumerated
641 * elements bitwise or'd. To avoid denial of service attacks some
642 * default upper limits regarding the certificate key size and chain
643 * size are set. To override them use
644 * gnutls_certificate_set_verify_limits().
646 * Note that you must also check the peer's name in order to check if
647 * the verified certificate belongs to the actual peer.
649 * This function uses gnutls_x509_crt_list_verify() with the CAs in
650 * the credentials as trusted CAs.
652 * Returns: a negative error code on error and zero on success.
655 gnutls_certificate_verify_peers2 (gnutls_session_t session,
656 unsigned int *status)
658 cert_auth_info_t info;
660 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
662 info = _gnutls_get_auth_info (session);
663 if (info == NULL)
665 return GNUTLS_E_NO_CERTIFICATE_FOUND;
668 if (info->raw_certificate_list == NULL || info->ncerts == 0)
669 return GNUTLS_E_NO_CERTIFICATE_FOUND;
671 switch (gnutls_certificate_type_get (session))
673 case GNUTLS_CRT_X509:
674 return _gnutls_x509_cert_verify_peers (session, status);
675 #ifdef ENABLE_OPENPGP
676 case GNUTLS_CRT_OPENPGP:
677 return _gnutls_openpgp_crt_verify_peers (session, status);
678 #endif
679 default:
680 return GNUTLS_E_INVALID_REQUEST;
685 * gnutls_certificate_verify_peers:
686 * @session: is a gnutls session
688 * This function will try to verify the peer's certificate and return
689 * its status (trusted, invalid etc.). However you must also check
690 * the peer's name in order to check if the verified certificate
691 * belongs to the actual peer.
693 * This function uses gnutls_x509_crt_list_verify().
695 * Returns: one or more of the #gnutls_certificate_status_t
696 * enumerated elements bitwise or'd, or a negative value on error.
698 * Deprecated: Use gnutls_certificate_verify_peers2() instead.
701 gnutls_certificate_verify_peers (gnutls_session_t session)
703 unsigned int status;
704 int ret;
706 ret = gnutls_certificate_verify_peers2 (session, &status);
708 if (ret < 0)
710 gnutls_assert ();
711 return ret;
714 return status;
718 * gnutls_certificate_expiration_time_peers:
719 * @session: is a gnutls session
721 * This function will return the peer's certificate expiration time.
723 * Returns: (time_t)-1 on error.
725 * Deprecated: gnutls_certificate_verify_peers2() now verifies expiration times.
727 time_t
728 gnutls_certificate_expiration_time_peers (gnutls_session_t session)
730 cert_auth_info_t info;
732 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
734 info = _gnutls_get_auth_info (session);
735 if (info == NULL)
737 return (time_t) - 1;
740 if (info->raw_certificate_list == NULL || info->ncerts == 0)
742 gnutls_assert ();
743 return (time_t) - 1;
746 switch (gnutls_certificate_type_get (session))
748 case GNUTLS_CRT_X509:
749 return
750 _gnutls_x509_get_raw_crt_expiration_time (&info->raw_certificate_list
751 [0]);
752 #ifdef ENABLE_OPENPGP
753 case GNUTLS_CRT_OPENPGP:
754 return
755 _gnutls_openpgp_get_raw_key_expiration_time
756 (&info->raw_certificate_list[0]);
757 #endif
758 default:
759 return (time_t) - 1;
764 * gnutls_certificate_activation_time_peers:
765 * @session: is a gnutls session
767 * This function will return the peer's certificate activation time.
768 * This is the creation time for openpgp keys.
770 * Returns: (time_t)-1 on error.
772 * Deprecated: gnutls_certificate_verify_peers2() now verifies activation times.
774 time_t
775 gnutls_certificate_activation_time_peers (gnutls_session_t session)
777 cert_auth_info_t info;
779 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
781 info = _gnutls_get_auth_info (session);
782 if (info == NULL)
784 return (time_t) - 1;
787 if (info->raw_certificate_list == NULL || info->ncerts == 0)
789 gnutls_assert ();
790 return (time_t) - 1;
793 switch (gnutls_certificate_type_get (session))
795 case GNUTLS_CRT_X509:
796 return
797 _gnutls_x509_get_raw_crt_activation_time (&info->raw_certificate_list
798 [0]);
799 #ifdef ENABLE_OPENPGP
800 case GNUTLS_CRT_OPENPGP:
801 return
802 _gnutls_openpgp_get_raw_key_creation_time (&info->raw_certificate_list
803 [0]);
804 #endif
805 default:
806 return (time_t) - 1;
810 /* Converts the first certificate for the cert_auth_info structure
811 * to a gcert.
814 _gnutls_get_auth_info_gcert (gnutls_cert * gcert,
815 gnutls_certificate_type_t type,
816 cert_auth_info_t info,
817 int flags /* OR of ConvFlags */ )
819 switch (type)
821 case GNUTLS_CRT_X509:
822 return _gnutls_x509_raw_cert_to_gcert (gcert,
823 &info->raw_certificate_list[0],
824 flags);
825 #ifdef ENABLE_OPENPGP
826 case GNUTLS_CRT_OPENPGP:
827 return _gnutls_openpgp_raw_crt_to_gcert (gcert,
828 &info->raw_certificate_list[0],
829 info->use_subkey ? info->
830 subkey_id : NULL);
831 #endif
832 default:
833 gnutls_assert ();
834 return GNUTLS_E_INTERNAL_ERROR;
838 /* This function will convert a der certificate to a format
839 * (structure) that gnutls can understand and use. Actually the
840 * important thing on this function is that it extracts the
841 * certificate's (public key) parameters.
843 * The noext flag is used to complete the handshake even if the
844 * extensions found in the certificate are unsupported and critical.
845 * The critical extensions will be catched by the verification functions.
848 _gnutls_x509_raw_cert_to_gcert (gnutls_cert * gcert,
849 const gnutls_datum_t * derCert,
850 int flags /* OR of ConvFlags */ )
852 int ret;
853 gnutls_x509_crt_t cert;
855 ret = gnutls_x509_crt_init (&cert);
856 if (ret < 0)
858 gnutls_assert ();
859 return ret;
862 ret = gnutls_x509_crt_import (cert, derCert, GNUTLS_X509_FMT_DER);
863 if (ret < 0)
865 gnutls_assert ();
866 gnutls_x509_crt_deinit (cert);
867 return ret;
870 ret = _gnutls_x509_crt_to_gcert (gcert, cert, flags);
871 gnutls_x509_crt_deinit (cert);
873 return ret;
876 /* Like above but it accepts a parsed certificate instead.
879 _gnutls_x509_crt_to_gcert (gnutls_cert * gcert,
880 gnutls_x509_crt_t cert, unsigned int flags)
882 int ret = 0;
884 memset (gcert, 0, sizeof (gnutls_cert));
885 gcert->cert_type = GNUTLS_CRT_X509;
886 gcert->sign_algo = gnutls_x509_crt_get_signature_algorithm (cert);
888 if (!(flags & CERT_NO_COPY))
890 #define SMALL_DER 1536
891 opaque *der;
892 size_t der_size = SMALL_DER;
894 /* initially allocate a bogus size, just in case the certificate
895 * fits in it. That way we minimize the DER encodings performed.
897 der = gnutls_malloc (SMALL_DER);
898 if (der == NULL)
900 gnutls_assert ();
901 return GNUTLS_E_MEMORY_ERROR;
904 ret =
905 gnutls_x509_crt_export (cert, GNUTLS_X509_FMT_DER, der, &der_size);
906 if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
908 gnutls_assert ();
909 gnutls_free (der);
910 return ret;
913 if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
915 der = gnutls_realloc (der, der_size);
916 if (der == NULL)
918 gnutls_assert ();
919 return GNUTLS_E_MEMORY_ERROR;
922 ret =
923 gnutls_x509_crt_export (cert, GNUTLS_X509_FMT_DER, der,
924 &der_size);
925 if (ret < 0)
927 gnutls_assert ();
928 gnutls_free (der);
929 return ret;
933 gcert->raw.data = der;
934 gcert->raw.size = der_size;
936 else
937 /* now we have 0 or a bitwise or of things to decode */
938 flags ^= CERT_NO_COPY;
941 if (flags & CERT_ONLY_EXTENSIONS || flags == 0)
943 ret = gnutls_x509_crt_get_key_usage (cert, &gcert->key_usage, NULL);
944 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
945 gcert->key_usage = 0;
946 else if (ret < 0)
948 gnutls_assert ();
949 return ret;
951 gcert->version = gnutls_x509_crt_get_version (cert);
953 gcert->subject_pk_algorithm = gnutls_x509_crt_get_pk_algorithm (cert, NULL);
955 if (flags & CERT_ONLY_PUBKEY || flags == 0)
957 gcert->params_size = MAX_PUBLIC_PARAMS_SIZE;
958 ret =
959 _gnutls_x509_crt_get_mpis (cert, gcert->params, &gcert->params_size);
960 if (ret < 0)
962 gnutls_assert ();
963 return ret;
967 return 0;
971 void
972 _gnutls_gcert_deinit (gnutls_cert * cert)
974 int i;
976 if (cert == NULL)
977 return;
979 for (i = 0; i < cert->params_size; i++)
981 _gnutls_mpi_release (&cert->params[i]);
984 _gnutls_free_datum (&cert->raw);
988 * gnutls_sign_callback_set:
989 * @session: is a gnutls session
990 * @sign_func: function pointer to application's sign callback.
991 * @userdata: void pointer that will be passed to sign callback.
993 * Set the callback function. The function must have this prototype:
995 * typedef int (*gnutls_sign_func) (gnutls_session_t session,
996 * void *userdata,
997 * gnutls_certificate_type_t cert_type,
998 * const gnutls_datum_t * cert,
999 * const gnutls_datum_t * hash,
1000 * gnutls_datum_t * signature);
1002 * The @userdata parameter is passed to the @sign_func verbatim, and
1003 * can be used to store application-specific data needed in the
1004 * callback function. See also gnutls_sign_callback_get().
1006 * Deprecated: Use the PKCS 11 interfaces instead.
1008 void
1009 gnutls_sign_callback_set (gnutls_session_t session,
1010 gnutls_sign_func sign_func, void *userdata)
1012 session->internals.sign_func = sign_func;
1013 session->internals.sign_func_userdata = userdata;
1017 * gnutls_sign_callback_get:
1018 * @session: is a gnutls session
1019 * @userdata: if non-%NULL, will be set to abstract callback pointer.
1021 * Retrieve the callback function, and its userdata pointer.
1023 * Returns: The function pointer set by gnutls_sign_callback_set(), or
1024 * if not set, %NULL.
1026 * Deprecated: Use the PKCS 11 interfaces instead.
1028 gnutls_sign_func
1029 gnutls_sign_callback_get (gnutls_session_t session, void **userdata)
1031 if (userdata)
1032 *userdata = session->internals.sign_func_userdata;
1033 return session->internals.sign_func;