| blob | b4a1e20b73cfd502d21411248b61b9e2da3baf7a |
1 /*
2 * Copyright (C) 2001-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
23 /* Some of the stuff needed for Certificate authentication is contained
24 * in this file.
25 */
27 #include <gnutls_int.h>
28 #include <gnutls_errors.h>
29 #include <auth/cert.h>
30 #include <gnutls_datum.h>
31 #include <gnutls_mpi.h>
32 #include <gnutls_global.h>
33 #include <algorithms.h>
34 #include <gnutls_dh.h>
35 #include <gnutls_str.h>
36 #include <gnutls_state.h>
37 #include <gnutls_auth.h>
38 #include <gnutls_x509.h>
39 #include <gnutls_str_array.h>
41 #ifdef ENABLE_OPENPGP
43 #endif
45 #define _(String) dgettext (PACKAGE, String)
47 /**
48 * gnutls_certificate_free_keys:
49 * @sc: is a #gnutls_certificate_credentials_t structure.
50 *
51 * This function will delete all the keys and the certificates associated
52 * with the given credentials. This function must not be called when a
53 * TLS negotiation that uses the credentials is in progress.
54 *
55 **/
56 void
58 {
62 {
64 {
66 }
69 }
75 {
77 }
83 }
85 /**
86 * gnutls_certificate_free_cas:
87 * @sc: is a #gnutls_certificate_credentials_t structure.
88 *
89 * This function will delete all the CAs associated with the given
90 * credentials. Servers that do not use
91 * gnutls_certificate_verify_peers2() may call this to save some
92 * memory.
93 **/
94 void
96 {
97 /* FIXME: do nothing for now */
99 }
101 /**
102 * gnutls_certificate_get_issuer:
103 * @sc: is a #gnutls_certificate_credentials_t structure.
104 * @cert: is the certificate to find issuer for
105 * @issuer: Will hold the issuer if any. Should be treated as constant.
106 * @flags: Use zero.
107 *
108 * This function will return the issuer of a given certificate.
109 *
110 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
111 * negative error value.
112 *
113 * Since: 3.0
114 **/
115 int
118 {
120 }
122 /**
123 * gnutls_certificate_free_ca_names:
124 * @sc: is a #gnutls_certificate_credentials_t structure.
125 *
126 * This function will delete all the CA name in the given
127 * credentials. Clients may call this to save some memory since in
128 * client side the CA names are not used. Servers might want to use
129 * this function if a large list of trusted CAs is present and
130 * sending the names of it would just consume bandwidth without providing
131 * information to client.
132 *
133 * CA names are used by servers to advertise the CAs they support to
134 * clients.
135 **/
136 void
138 {
140 }
142 /*-
143 * _gnutls_certificate_get_rsa_params - Returns the RSA parameters pointer
144 * @rsa_params: holds the RSA parameters or NULL.
145 * @func: function to retrieve the parameters or NULL.
146 * @session: The session.
147 *
148 * This function will return the rsa parameters pointer.
149 -*/
150 gnutls_rsa_params_t
153 gnutls_session_t session)
154 {
155 gnutls_params_st params;
159 {
161 }
164 {
166 }
168 {
171 {
174 }
175 }
178 }
181 /**
182 * gnutls_certificate_free_credentials:
183 * @sc: is a #gnutls_certificate_credentials_t structure.
184 *
185 * This structure is complex enough to manipulate directly thus this
186 * helper function is provided in order to free (deallocate) it.
187 *
188 * This function does not free any temporary parameters associated
189 * with this structure (ie RSA and DH parameters are not freed by this
190 * function).
191 **/
192 void
194 {
200 #ifdef ENABLE_OPENPGP
202 #endif
205 }
208 /**
209 * gnutls_certificate_allocate_credentials:
210 * @res: is a pointer to a #gnutls_certificate_credentials_t structure.
211 *
212 * This structure is complex enough to manipulate directly thus this
213 * helper function is provided in order to allocate it.
214 *
215 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
216 **/
217 int
219 res)
220 {
230 {
234 }
240 }
243 /* returns the KX algorithms that are supported by a
244 * certificate. (Eg a certificate with RSA params, supports
245 * GNUTLS_KX_RSA algorithm).
246 * This function also uses the KeyUsage field of the certificate
247 * extensions in order to disable unneded algorithms.
248 */
249 int
253 {
254 gnutls_kx_algorithm_t kx;
260 {
263 }
270 {
273 {
274 /* then check key usage */
276 {
278 i++;
282 }
283 }
284 }
287 {
290 }
295 }
298 /**
299 * gnutls_certificate_server_set_request:
300 * @session: is a #gnutls_session_t structure.
301 * @req: is one of GNUTLS_CERT_REQUEST, GNUTLS_CERT_REQUIRE
302 *
303 * This function specifies if we (in case of a server) are going to
304 * send a certificate request message to the client. If @req is
305 * GNUTLS_CERT_REQUIRE then the server will return an error if the
306 * peer does not provide a certificate. If you do not call this
307 * function then the client will not be asked to send a certificate.
308 **/
309 void
311 gnutls_certificate_request_t req)
312 {
314 }
316 /**
317 * gnutls_certificate_client_set_retrieve_function:
318 * @cred: is a #gnutls_certificate_credentials_t structure.
319 * @func: is the callback function
320 *
321 * This function sets a callback to be called in order to retrieve the
322 * certificate to be used in the handshake.
323 * You are advised to use gnutls_certificate_set_retrieve_function2() because it
324 * is much more efficient in the processing it requires from gnutls.
325 *
326 * The callback's function prototype is:
327 * int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs,
328 * const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_retr_st* st);
329 *
330 * @req_ca_cert is only used in X.509 certificates.
331 * Contains a list with the CA names that the server considers trusted.
332 * Normally we should send a certificate that is signed
333 * by one of these CAs. These names are DER encoded. To get a more
334 * meaningful value use the function gnutls_x509_rdn_get().
335 *
336 * @pk_algos contains a list with server's acceptable signature algorithms.
337 * The certificate returned should support the server's given algorithms.
338 *
339 * @st should contain the certificates and private keys.
340 *
341 * If the callback function is provided then gnutls will call it, in the
342 * handshake, if a certificate is requested by the server (and after the
343 * certificate request message has been received).
344 *
345 * The callback function should set the certificate list to be sent,
346 * and return 0 on success. If no certificate was selected then the
347 * number of certificates should be set to zero. The value (-1)
348 * indicates error and the handshake will be terminated.
349 **/
350 void gnutls_certificate_client_set_retrieve_function
353 {
355 }
357 /**
358 * gnutls_certificate_server_set_retrieve_function:
359 * @cred: is a #gnutls_certificate_credentials_t structure.
360 * @func: is the callback function
361 *
362 * This function sets a callback to be called in order to retrieve the
363 * certificate to be used in the handshake.
364 * You are advised to use gnutls_certificate_set_retrieve_function2() because it
365 * is much more efficient in the processing it requires from gnutls.
366 *
367 * The callback's function prototype is:
368 * int (*callback)(gnutls_session_t, gnutls_retr_st* st);
369 *
370 * @st should contain the certificates and private keys.
371 *
372 * If the callback function is provided then gnutls will call it, in the
373 * handshake, after the certificate request message has been received.
374 *
375 * The callback function should set the certificate list to be sent, and
376 * return 0 on success. The value (-1) indicates error and the handshake
377 * will be terminated.
378 **/
379 void gnutls_certificate_server_set_retrieve_function
382 {
384 }
386 /**
387 * gnutls_certificate_set_retrieve_function:
388 * @cred: is a #gnutls_certificate_credentials_t structure.
389 * @func: is the callback function
390 *
391 * This function sets a callback to be called in order to retrieve the
392 * certificate to be used in the handshake. You are advised
393 * to use gnutls_certificate_set_retrieve_function2() because it
394 * is much more efficient in the processing it requires from gnutls.
395 *
396 * The callback's function prototype is:
397 * int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs,
398 * const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_retr2_st* st);
399 *
400 * @req_ca_cert is only used in X.509 certificates.
401 * Contains a list with the CA names that the server considers trusted.
402 * Normally we should send a certificate that is signed
403 * by one of these CAs. These names are DER encoded. To get a more
404 * meaningful value use the function gnutls_x509_rdn_get().
405 *
406 * @pk_algos contains a list with server's acceptable signature algorithms.
407 * The certificate returned should support the server's given algorithms.
408 *
409 * @st should contain the certificates and private keys.
410 *
411 * If the callback function is provided then gnutls will call it, in the
412 * handshake, after the certificate request message has been received.
413 *
414 * In server side pk_algos and req_ca_dn are NULL.
415 *
416 * The callback function should set the certificate list to be sent,
417 * and return 0 on success. If no certificate was selected then the
418 * number of certificates should be set to zero. The value (-1)
419 * indicates error and the handshake will be terminated.
420 *
421 * Since: 3.0
422 **/
423 void gnutls_certificate_set_retrieve_function
426 {
428 }
430 /**
431 * gnutls_certificate_set_retrieve_function2:
432 * @cred: is a #gnutls_certificate_credentials_t structure.
433 * @func: is the callback function
434 *
435 * This function sets a callback to be called in order to retrieve the
436 * certificate to be used in the handshake.
437 *
438 * The callback's function prototype is:
439 * int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs,
440 * const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_pcert_st** pcert,
441 * unsigned int *pcert_length, gnutls_privkey_t * pkey);
442 *
443 * @req_ca_cert is only used in X.509 certificates.
444 * Contains a list with the CA names that the server considers trusted.
445 * Normally we should send a certificate that is signed
446 * by one of these CAs. These names are DER encoded. To get a more
447 * meaningful value use the function gnutls_x509_rdn_get().
448 *
449 * @pk_algos contains a list with server's acceptable signature algorithms.
450 * The certificate returned should support the server's given algorithms.
451 *
452 * @pcert should contain a single certificate and public or a list of them.
453 *
454 * @pcert_length is the size of the previous list.
455 *
456 * @pkey is the private key.
457 *
458 * If the callback function is provided then gnutls will call it, in the
459 * handshake, after the certificate request message has been received.
460 *
461 * In server side pk_algos and req_ca_dn are NULL.
462 *
463 * The callback function should set the certificate list to be sent,
464 * and return 0 on success. If no certificate was selected then the
465 * number of certificates should be set to zero. The value (-1)
466 * indicates error and the handshake will be terminated.
467 *
468 * Since: 3.0
469 **/
470 void gnutls_certificate_set_retrieve_function2
473 {
475 }
477 /**
478 * gnutls_certificate_set_verify_function:
479 * @cred: is a #gnutls_certificate_credentials_t structure.
480 * @func: is the callback function
481 *
482 * This function sets a callback to be called when peer's certificate
483 * has been received in order to verify it on receipt rather than
484 * doing after the handshake is completed.
485 *
486 * The callback's function prototype is:
487 * int (*callback)(gnutls_session_t);
488 *
489 * If the callback function is provided then gnutls will call it, in the
490 * handshake, just after the certificate message has been received.
491 * To verify or obtain the certificate the gnutls_certificate_verify_peers2(),
492 * gnutls_certificate_type_get(), gnutls_certificate_get_peers() functions
493 * can be used.
494 *
495 * The callback function should return 0 for the handshake to continue
496 * or non-zero to terminate.
497 *
498 * Since: 2.10.0
499 **/
500 void
501 gnutls_certificate_set_verify_function
504 {
506 }
508 /*-
509 * _gnutls_x509_extract_certificate_activation_time - return the peer's certificate activation time
510 * @cert: should contain an X.509 DER encoded certificate
511 *
512 * This function will return the certificate's activation time in UNIX time
513 * (ie seconds since 00:00:00 UTC January 1, 1970).
514 *
515 * Returns a (time_t) -1 in case of an error.
516 *
517 -*/
518 static time_t
520 {
521 gnutls_x509_crt_t xcert;
530 {
533 }
540 }
542 /*-
543 * gnutls_x509_extract_certificate_expiration_time:
544 * @cert: should contain an X.509 DER encoded certificate
545 *
546 * This function will return the certificate's expiration time in UNIX
547 * time (ie seconds since 00:00:00 UTC January 1, 1970). Returns a
548 *
549 * (time_t) -1 in case of an error.
550 *
551 -*/
552 static time_t
554 {
555 gnutls_x509_crt_t xcert;
564 {
567 }
574 }
576 #ifdef ENABLE_OPENPGP
577 /*-
578 * _gnutls_openpgp_crt_verify_peers - return the peer's certificate status
579 * @session: is a gnutls session
580 *
581 * This function will try to verify the peer's certificate and return its status (TRUSTED, INVALID etc.).
582 * Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
583 -*/
584 static int
588 {
589 cert_auth_info_t info;
590 gnutls_certificate_credentials_t cred;
602 {
605 }
608 {
611 }
613 /* generate a list of gnutls_certs based on the auth info
614 * raw certs.
615 */
619 {
622 }
624 /* Verify certificate
625 */
626 ret =
631 {
634 }
637 }
638 #endif
640 /**
641 * gnutls_certificate_verify_peers2:
642 * @session: is a gnutls session
643 * @status: is the output of the verification
644 *
645 * This function will verify the peer's certificate and return
646 * its status (trusted, invalid etc.). The value of @status will
647 * be one or more of the gnutls_certificate_status_t flags
648 * bitwise or'd or zero if the certificate is trusted. Note that verification
649 * does not imply a negative return value. Only the @status is updated.
650 *
651 * If available the OCSP Certificate Status extension will be
652 * utilized by this function.
653 *
654 * To avoid denial of service attacks some
655 * default upper limits regarding the certificate key size and chain
656 * size are set. To override them use gnutls_certificate_set_verify_limits().
657 *
658 * Note that you must also check the peer's name in order to check if
659 * the verified certificate belongs to the actual peer, see gnutls_x509_crt_check_hostname().
660 *
661 * Returns: a negative error code on error and %GNUTLS_E_SUCCESS (0) on success.
662 **/
663 int
666 {
667 cert_auth_info_t info;
673 {
675 }
681 {
684 #ifdef ENABLE_OPENPGP
687 #endif
690 }
691 }
693 /**
694 * gnutls_certificate_verify_peers3:
695 * @session: is a gnutls session
696 * @hostname: is the expected name of the peer
697 * @status: is the output of the verification
698 *
699 * This function will verify the peer's certificate and its name and
700 * return its status (trusted, invalid etc.). The value of @status will
701 * be one or more of the gnutls_certificate_status_t flags
702 * bitwise or'd or zero if the certificate is trusted. Note that verification
703 * failure does not imply a negative return value. Only the @status is updated.
704 *
705 * In case the @hostname does not match the %GNUTLS_CERT_UNEXPECTED_OWNER
706 * status flag will be set.
707 *
708 * If available the OCSP Certificate Status extension will be
709 * utilized by this function.
710 *
711 * To avoid denial of service attacks some
712 * default upper limits regarding the certificate key size and chain
713 * size are set. To override them use gnutls_certificate_set_verify_limits().
714 *
715 * Returns: a negative error code on error and %GNUTLS_E_SUCCESS (0) on success.
716 **/
717 int
721 {
722 cert_auth_info_t info;
728 {
730 }
736 {
739 #ifdef ENABLE_OPENPGP
742 #endif
745 }
746 }
748 /**
749 * gnutls_certificate_expiration_time_peers:
750 * @session: is a gnutls session
751 *
752 * This function will return the peer's certificate expiration time.
753 *
754 * Returns: (time_t)-1 on error.
755 *
756 * Deprecated: gnutls_certificate_verify_peers2() now verifies expiration times.
757 **/
758 time_t
760 {
761 cert_auth_info_t info;
767 {
769 }
772 {
775 }
778 {
780 return
783 #ifdef ENABLE_OPENPGP
785 return
786 _gnutls_openpgp_get_raw_key_expiration_time
788 #endif
791 }
792 }
794 /**
795 * gnutls_certificate_activation_time_peers:
796 * @session: is a gnutls session
797 *
798 * This function will return the peer's certificate activation time.
799 * This is the creation time for openpgp keys.
800 *
801 * Returns: (time_t)-1 on error.
802 *
803 * Deprecated: gnutls_certificate_verify_peers2() now verifies activation times.
804 **/
805 time_t
807 {
808 cert_auth_info_t info;
814 {
816 }
819 {
822 }
825 {
827 return
830 #ifdef ENABLE_OPENPGP
832 return
835 #endif
838 }
839 }
841 /**
842 * gnutls_sign_callback_set:
843 * @session: is a gnutls session
844 * @sign_func: function pointer to application's sign callback.
845 * @userdata: void pointer that will be passed to sign callback.
846 *
847 * Set the callback function. The function must have this prototype:
848 *
849 * typedef int (*gnutls_sign_func) (gnutls_session_t session,
850 * void *userdata,
851 * gnutls_certificate_type_t cert_type,
852 * const gnutls_datum_t * cert,
853 * const gnutls_datum_t * hash,
854 * gnutls_datum_t * signature);
855 *
856 * The @userdata parameter is passed to the @sign_func verbatim, and
857 * can be used to store application-specific data needed in the
858 * callback function. See also gnutls_sign_callback_get().
859 *
860 * Deprecated: Use the PKCS 11 or #gnutls_privkey_t interfacess like gnutls_privkey_import_ext() instead.
861 **/
862 void
865 {
868 }
870 /**
871 * gnutls_sign_callback_get:
872 * @session: is a gnutls session
873 * @userdata: if non-%NULL, will be set to abstract callback pointer.
874 *
875 * Retrieve the callback function, and its userdata pointer.
876 *
877 * Returns: The function pointer set by gnutls_sign_callback_set(), or
878 * if not set, %NULL.
879 *
880 * Deprecated: Use the PKCS 11 interfaces instead.
881 **/
882 gnutls_sign_func
884 {
888 }
890 /* returns error if the certificate has different algorithm than
891 * the given key parameters.
892 */
893 int
895 {
900 {
903 }
906 }
908 /**
909 * gnutls_certificate_verification_status_print:
910 * @status: The status flags to be printed
911 * @type: The certificate type
912 * @out: Newly allocated datum with (0) terminated string.
913 * @flags: should be zero
914 *
915 * This function will pretty print the status of a verification
916 * process -- eg. the one obtained by gnutls_certificate_verify_peers3().
917 *
918 * The output @out needs to be deallocated using gnutls_free().
919 *
920 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
921 * negative error value.
922 **/
923 int
925 gnutls_certificate_type_t type,
927 {
928 gnutls_buffer_st str;
935 else
939 {
954 }
956 {
964 }
970 _gnutls_buffer_append_str (&str, _("Peer's certificate chain uses not yet valid certificate. "));
979 _gnutls_buffer_append_str (&str, _("The name in the certificate does not match the expected. "));
987 }