| blob | 72887e5e1e3fa962faa4cf892e1f63a46d146061 |
1 /*
2 * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009,
3 * 2010 Free Software Foundation, Inc.
4 *
5 * Author: Nikos Mavrogiannopoulos
6 *
7 * This file is part of GnuTLS.
8 *
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
22 * USA
23 *
24 */
26 /* Some of the stuff needed for Certificate authentication is contained
27 * in this file.
28 */
30 #include <gnutls_int.h>
31 #include <gnutls_errors.h>
32 #include <auth_cert.h>
33 #include <gnutls_cert.h>
34 #include <gnutls_datum.h>
35 #include <gnutls_mpi.h>
36 #include <gnutls_global.h>
37 #include <gnutls_algorithms.h>
38 #include <gnutls_dh.h>
39 #include <gnutls_str.h>
40 #include <gnutls_state.h>
41 #include <gnutls_auth.h>
42 #include <gnutls_x509.h>
44 #ifdef ENABLE_OPENPGP
46 #endif
48 /**
49 * gnutls_certificate_free_keys:
50 * @sc: is a #gnutls_certificate_credentials_t structure.
51 *
52 * This function will delete all the keys and the certificates associated
53 * with the given credentials. This function must not be called when a
54 * TLS negotiation that uses the credentials is in progress.
55 *
56 **/
57 void
59 {
63 {
65 {
67 }
69 }
78 {
80 }
87 }
89 /**
90 * gnutls_certificate_free_cas:
91 * @sc: is a #gnutls_certificate_credentials_t structure.
92 *
93 * This function will delete all the CAs associated with the given
94 * credentials. Servers that do not use
95 * gnutls_certificate_verify_peers2() may call this to save some
96 * memory.
97 **/
98 void
100 {
104 {
106 }
113 }
115 /**
116 * gnutls_certificate_get_x509_cas:
117 * @sc: is a #gnutls_certificate_credentials_t structure.
118 * @x509_ca_list: will point to the CA list. Should be treated as constant
119 * @ncas: the number of CAs
120 *
121 * This function will export all the CAs associated with the given
122 * credentials.
123 *
124 * Since: 2.4.0
125 **/
126 void
130 {
133 }
135 /**
136 * gnutls_certificate_get_x509_crls:
137 * @sc: is a #gnutls_certificate_credentials_t structure.
138 * @x509_crl_list: the exported CRL list. Should be treated as constant
139 * @ncrls: the number of exported CRLs
140 *
141 * This function will export all the CRLs associated with the given
142 * credentials.
143 *
144 * Since: 2.4.0
145 **/
146 void
150 {
153 }
155 #ifdef ENABLE_OPENPGP
157 /**
158 * gnutls_certificate_get_openpgp_keyring:
159 * @sc: is a #gnutls_certificate_credentials_t structure.
160 * @keyring: the exported keyring. Should be treated as constant
161 *
162 * This function will export the OpenPGP keyring associated with the
163 * given credentials.
164 *
165 * Since: 2.4.0
166 **/
167 void
170 {
172 }
174 #endif
176 /**
177 * gnutls_certificate_free_ca_names:
178 * @sc: is a #gnutls_certificate_credentials_t structure.
179 *
180 * This function will delete all the CA name in the given
181 * credentials. Clients may call this to save some memory since in
182 * client side the CA names are not used. Servers might want to use
183 * this function if a large list of trusted CAs is present and
184 * sending the names of it would just consume bandwidth without providing
185 * information to client.
186 *
187 * CA names are used by servers to advertize the CAs they support to
188 * clients.
189 **/
190 void
192 {
194 }
196 /*-
197 * _gnutls_certificate_get_rsa_params - Returns the RSA parameters pointer
198 * @rsa_params: holds the RSA parameters or NULL.
199 * @func: function to retrieve the parameters or NULL.
200 * @session: The session.
201 *
202 * This function will return the rsa parameters pointer.
203 -*/
204 gnutls_rsa_params_t
207 gnutls_session_t session)
208 {
209 gnutls_params_st params;
213 {
215 }
218 {
220 }
222 {
225 {
228 }
229 }
232 }
235 /**
236 * gnutls_certificate_free_credentials:
237 * @sc: is a #gnutls_certificate_credentials_t structure.
238 *
239 * This structure is complex enough to manipulate directly thus this
240 * helper function is provided in order to free (deallocate) it.
241 *
242 * This function does not free any temporary parameters associated
243 * with this structure (ie RSA and DH parameters are not freed by this
244 * function).
245 **/
246 void
248 {
252 #ifdef ENABLE_PKI
254 #endif
256 #ifdef ENABLE_OPENPGP
258 #endif
261 }
264 /**
265 * gnutls_certificate_allocate_credentials:
266 * @res: is a pointer to a #gnutls_certificate_credentials_t structure.
267 *
268 * This structure is complex enough to manipulate directly thus this
269 * helper function is provided in order to allocate it.
270 *
271 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
272 **/
273 int
275 res)
276 {
286 }
289 /* returns the KX algorithms that are supported by a
290 * certificate. (Eg a certificate with RSA params, supports
291 * GNUTLS_KX_RSA algorithm).
292 * This function also uses the KeyUsage field of the certificate
293 * extensions in order to disable unneded algorithms.
294 */
295 int
299 {
300 gnutls_kx_algorithm_t kx;
301 gnutls_pk_algorithm_t pk;
307 {
311 }
317 {
320 {
321 /* then check key usage */
323 {
325 i++;
326 }
327 }
328 }
331 {
334 }
345 }
348 /**
349 * gnutls_certificate_server_set_request:
350 * @session: is a #gnutls_session_t structure.
351 * @req: is one of GNUTLS_CERT_REQUEST, GNUTLS_CERT_REQUIRE
352 *
353 * This function specifies if we (in case of a server) are going to
354 * send a certificate request message to the client. If @req is
355 * GNUTLS_CERT_REQUIRE then the server will return an error if the
356 * peer does not provide a certificate. If you do not call this
357 * function then the client will not be asked to send a certificate.
358 **/
359 void
361 gnutls_certificate_request_t req)
362 {
364 }
366 /**
367 * gnutls_certificate_client_set_retrieve_function:
368 * @cred: is a #gnutls_certificate_credentials_t structure.
369 * @func: is the callback function
370 *
371 * This function sets a callback to be called in order to retrieve the
372 * certificate to be used in the handshake.
373 *
374 * The callback's function prototype is:
375 * int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs,
376 * const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_retr_st* st);
377 *
378 * @req_ca_cert is only used in X.509 certificates.
379 * Contains a list with the CA names that the server considers trusted.
380 * Normally we should send a certificate that is signed
381 * by one of these CAs. These names are DER encoded. To get a more
382 * meaningful value use the function gnutls_x509_rdn_get().
383 *
384 * @pk_algos contains a list with server's acceptable signature algorithms.
385 * The certificate returned should support the server's given algorithms.
386 *
387 * @st should contain the certificates and private keys.
388 *
389 * If the callback function is provided then gnutls will call it, in the
390 * handshake, after the certificate request message has been received.
391 *
392 * The callback function should set the certificate list to be sent,
393 * and return 0 on success. If no certificate was selected then the
394 * number of certificates should be set to zero. The value (-1)
395 * indicates error and the handshake will be terminated.
396 **/
397 void gnutls_certificate_client_set_retrieve_function
400 {
402 }
404 /**
405 * gnutls_certificate_server_set_retrieve_function:
406 * @cred: is a #gnutls_certificate_credentials_t structure.
407 * @func: is the callback function
408 *
409 * This function sets a callback to be called in order to retrieve the
410 * certificate to be used in the handshake.
411 *
412 * The callback's function prototype is:
413 * int (*callback)(gnutls_session_t, gnutls_retr_st* st);
414 *
415 * @st should contain the certificates and private keys.
416 *
417 * If the callback function is provided then gnutls will call it, in the
418 * handshake, after the certificate request message has been received.
419 *
420 * The callback function should set the certificate list to be sent, and
421 * return 0 on success. The value (-1) indicates error and the handshake
422 * will be terminated.
423 **/
424 void gnutls_certificate_server_set_retrieve_function
427 {
429 }
431 /**
432 * gnutls_certificate_set_retrieve_function:
433 * @cred: is a #gnutls_certificate_credentials_t structure.
434 * @func: is the callback function
435 *
436 * This function sets a callback to be called in order to retrieve the
437 * certificate to be used in the handshake.
438 *
439 * The callback's function prototype is:
440 * int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs,
441 * const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_retr2_st* st);
442 *
443 * @req_ca_cert is only used in X.509 certificates.
444 * Contains a list with the CA names that the server considers trusted.
445 * Normally we should send a certificate that is signed
446 * by one of these CAs. These names are DER encoded. To get a more
447 * meaningful value use the function gnutls_x509_rdn_get().
448 *
449 * @pk_algos contains a list with server's acceptable signature algorithms.
450 * The certificate returned should support the server's given algorithms.
451 *
452 * @st should contain the certificates and private keys.
453 *
454 * If the callback function is provided then gnutls will call it, in the
455 * handshake, after the certificate request message has been received.
456 *
457 * In server side pk_algos and req_ca_dn are NULL.
458 *
459 * The callback function should set the certificate list to be sent,
460 * and return 0 on success. If no certificate was selected then the
461 * number of certificates should be set to zero. The value (-1)
462 * indicates error and the handshake will be terminated.
463 **/
464 void gnutls_certificate_set_retrieve_function
467 {
469 }
471 /**
472 * gnutls_certificate_set_verify_function:
473 * @cred: is a #gnutls_certificate_credentials_t structure.
474 * @func: is the callback function
475 *
476 * This function sets a callback to be called when peer's certificate
477 * has been received in order to verify it on receipt rather than
478 * doing after the handshake is completed.
479 *
480 * The callback's function prototype is:
481 * int (*callback)(gnutls_session_t);
482 *
483 * If the callback function is provided then gnutls will call it, in the
484 * handshake, just after the certificate message has been received.
485 * To verify or obtain the certificate the gnutls_certificate_verify_peers2(),
486 * gnutls_certificate_type_get(), gnutls_certificate_get_peers() functions
487 * can be used.
488 *
489 * The callback function should return 0 for the handshake to continue
490 * or non-zero to terminate.
491 *
492 * Since: 2.10.0
493 **/
494 void
495 gnutls_certificate_set_verify_function
498 {
500 }
502 /*-
503 * _gnutls_x509_extract_certificate_activation_time - return the peer's certificate activation time
504 * @cert: should contain an X.509 DER encoded certificate
505 *
506 * This function will return the certificate's activation time in UNIX time
507 * (ie seconds since 00:00:00 UTC January 1, 1970).
508 *
509 * Returns a (time_t) -1 in case of an error.
510 *
511 -*/
512 static time_t
514 {
515 gnutls_x509_crt_t xcert;
524 {
527 }
534 }
536 /*-
537 * gnutls_x509_extract_certificate_expiration_time:
538 * @cert: should contain an X.509 DER encoded certificate
539 *
540 * This function will return the certificate's expiration time in UNIX
541 * time (ie seconds since 00:00:00 UTC January 1, 1970). Returns a
542 *
543 * (time_t) -1 in case of an error.
544 *
545 -*/
546 static time_t
548 {
549 gnutls_x509_crt_t xcert;
558 {
561 }
568 }
570 #ifdef ENABLE_OPENPGP
571 /*-
572 * _gnutls_openpgp_crt_verify_peers - return the peer's certificate status
573 * @session: is a gnutls session
574 *
575 * This function will try to verify the peer's certificate and return its status (TRUSTED, INVALID etc.).
576 * Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
577 -*/
578 static int
581 {
582 cert_auth_info_t info;
583 gnutls_certificate_credentials_t cred;
595 {
598 }
601 {
604 }
606 /* generate a list of gnutls_certs based on the auth info
607 * raw certs.
608 */
612 {
615 }
617 /* Verify certificate
618 */
619 ret =
624 {
627 }
630 }
631 #endif
633 /**
634 * gnutls_certificate_verify_peers2:
635 * @session: is a gnutls session
636 * @status: is the output of the verification
637 *
638 * This function will try to verify the peer's certificate and return
639 * its status (trusted, invalid etc.). The value of @status should
640 * be one or more of the gnutls_certificate_status_t enumerated
641 * elements bitwise or'd. To avoid denial of service attacks some
642 * default upper limits regarding the certificate key size and chain
643 * size are set. To override them use
644 * gnutls_certificate_set_verify_limits().
645 *
646 * Note that you must also check the peer's name in order to check if
647 * the verified certificate belongs to the actual peer.
648 *
649 * This function uses gnutls_x509_crt_list_verify() with the CAs in
650 * the credentials as trusted CAs.
651 *
652 * Returns: a negative error code on error and zero on success.
653 **/
654 int
657 {
658 cert_auth_info_t info;
664 {
666 }
672 {
675 #ifdef ENABLE_OPENPGP
678 #endif
681 }
682 }
684 /**
685 * gnutls_certificate_verify_peers:
686 * @session: is a gnutls session
687 *
688 * This function will try to verify the peer's certificate and return
689 * its status (trusted, invalid etc.). However you must also check
690 * the peer's name in order to check if the verified certificate
691 * belongs to the actual peer.
692 *
693 * This function uses gnutls_x509_crt_list_verify().
694 *
695 * Returns: one or more of the #gnutls_certificate_status_t
696 * enumerated elements bitwise or'd, or a negative value on error.
697 *
698 * Deprecated: Use gnutls_certificate_verify_peers2() instead.
699 **/
700 int
702 {
709 {
712 }
715 }
717 /**
718 * gnutls_certificate_expiration_time_peers:
719 * @session: is a gnutls session
720 *
721 * This function will return the peer's certificate expiration time.
722 *
723 * Returns: (time_t)-1 on error.
724 *
725 * Deprecated: gnutls_certificate_verify_peers2() now verifies expiration times.
726 **/
727 time_t
729 {
730 cert_auth_info_t info;
736 {
738 }
741 {
744 }
747 {
749 return
752 #ifdef ENABLE_OPENPGP
754 return
755 _gnutls_openpgp_get_raw_key_expiration_time
757 #endif
760 }
761 }
763 /**
764 * gnutls_certificate_activation_time_peers:
765 * @session: is a gnutls session
766 *
767 * This function will return the peer's certificate activation time.
768 * This is the creation time for openpgp keys.
769 *
770 * Returns: (time_t)-1 on error.
771 *
772 * Deprecated: gnutls_certificate_verify_peers2() now verifies activation times.
773 **/
774 time_t
776 {
777 cert_auth_info_t info;
783 {
785 }
788 {
791 }
794 {
796 return
799 #ifdef ENABLE_OPENPGP
801 return
804 #endif
807 }
808 }
810 /* Converts the first certificate for the cert_auth_info structure
811 * to a gcert.
812 */
813 int
815 gnutls_certificate_type_t type,
816 cert_auth_info_t info,
818 {
820 {
824 flags);
825 #ifdef ENABLE_OPENPGP
831 #endif
835 }
836 }
838 /* This function will convert a der certificate to a format
839 * (structure) that gnutls can understand and use. Actually the
840 * important thing on this function is that it extracts the
841 * certificate's (public key) parameters.
842 *
843 * The noext flag is used to complete the handshake even if the
844 * extensions found in the certificate are unsupported and critical.
845 * The critical extensions will be catched by the verification functions.
846 */
847 int
851 {
853 gnutls_x509_crt_t cert;
857 {
860 }
864 {
868 }
874 }
876 /* Like above but it accepts a parsed certificate instead.
877 */
878 int
881 {
889 {
890 #define SMALL_DER 1536
894 /* initially allocate a bogus size, just in case the certificate
895 * fits in it. That way we minimize the DER encodings performed.
896 */
899 {
902 }
904 ret =
907 {
911 }
914 {
917 {
920 }
922 ret =
926 {
930 }
931 }
935 }
936 else
937 /* now we have 0 or a bitwise or of things to decode */
942 {
947 {
950 }
952 }
956 {
958 ret =
961 {
964 }
965 }
969 }
971 void
973 {
980 {
982 }
985 }
987 /**
988 * gnutls_sign_callback_set:
989 * @session: is a gnutls session
990 * @sign_func: function pointer to application's sign callback.
991 * @userdata: void pointer that will be passed to sign callback.
992 *
993 * Set the callback function. The function must have this prototype:
994 *
995 * typedef int (*gnutls_sign_func) (gnutls_session_t session,
996 * void *userdata,
997 * gnutls_certificate_type_t cert_type,
998 * const gnutls_datum_t * cert,
999 * const gnutls_datum_t * hash,
1000 * gnutls_datum_t * signature);
1001 *
1002 * The @userdata parameter is passed to the @sign_func verbatim, and
1003 * can be used to store application-specific data needed in the
1004 * callback function. See also gnutls_sign_callback_get().
1005 *
1006 * Deprecated: Use the PKCS 11 interfaces instead.
1007 */
1008 void
1011 {
1014 }
1016 /**
1017 * gnutls_sign_callback_get:
1018 * @session: is a gnutls session
1019 * @userdata: if non-%NULL, will be set to abstract callback pointer.
1020 *
1021 * Retrieve the callback function, and its userdata pointer.
1022 *
1023 * Returns: The function pointer set by gnutls_sign_callback_set(), or
1024 * if not set, %NULL.
1025 *
1026 * Deprecated: Use the PKCS 11 interfaces instead.
1027 */
1028 gnutls_sign_func
1030 {
1034 }