search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
If OCSP revocation data are invalid or too old set appropriate verification flags.
[gnutls.git] / lib / gnutls_x509.c
blob8d52bc4ad05aea072e726679ceccae9db922b161
1 /*
2 * Copyright (C) 2002-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 #include <gnutls_int.h>
24 #include "gnutls_auth.h"
25 #include "gnutls_errors.h"
26 #include <auth/cert.h>
27 #include "gnutls_dh.h"
28 #include "gnutls_num.h"
29 #include "gnutls_datum.h"
30 #include <gnutls_pk.h>
31 #include <algorithms.h>
32 #include <gnutls_global.h>
33 #include <gnutls_record.h>
34 #include <gnutls_sig.h>
35 #include <gnutls_state.h>
36 #include <gnutls_pk.h>
37 #include <gnutls_str.h>
38 #include <debug.h>
39 #include <x509_b64.h>
40 #include <gnutls_x509.h>
41 #include <gnutls/ocsp.h>
42 #include "x509/common.h"
43 #include "x509/x509_int.h"
44 #include <gnutls_str_array.h>
45 #include "read-file.h"
46 #ifdef _WIN32
47 # include <wincrypt.h>
48 #endif
49
50 /*
51 * some x509 certificate parsing functions.
52 */
53
54 /* Check if the number of bits of the key in the certificate
55 * is unacceptable.
56 */
57 inline static int
58 check_bits (gnutls_session_t session, gnutls_x509_crt_t crt, unsigned int max_bits)
59 {
60 int ret, pk;
61 unsigned int bits;
62
63 ret = gnutls_x509_crt_get_pk_algorithm (crt, &bits);
64 if (ret < 0)
65 {
66 gnutls_assert ();
67 return ret;
68 }
69 pk = ret;
70
71 if (bits > max_bits && max_bits > 0)
72 {
73 gnutls_assert ();
74 return GNUTLS_E_CONSTRAINT_ERROR;
75 }
76
77 if (gnutls_pk_bits_to_sec_param(pk, bits) == GNUTLS_SEC_PARAM_INSECURE)
78 {
79 gnutls_assert();
80 _gnutls_audit_log(session, "The security level of the certificate (%s: %u) is weak\n", gnutls_pk_get_name(pk), bits);
81 if (session->internals.priorities.allow_weak_keys == 0)
82 return gnutls_assert_val(GNUTLS_E_CERTIFICATE_ERROR);
83 }
84
85 return 0;
86 }
87
88 /* three days */
89 #define MAX_OCSP_VALIDITY_SECS (3*60*60*24)
90
91 /* If the certificate is revoked status will be GNUTLS_CERT_REVOKED.
92 *
93 * Returns:
94 * Zero on success, a negative error code otherwise.
95 */
96 static int
97 check_ocsp_response (gnutls_session_t session, gnutls_x509_crt_t cert,
98 gnutls_x509_crt_t issuer,
99 gnutls_datum_t *data, unsigned int * ostatus)
100 {
101 gnutls_ocsp_resp_t resp;
102 int ret;
103 unsigned int status, cert_status;
104 time_t rtime, vtime, ntime, now;
105
106 now = gnutls_time(0);
107
108 ret = gnutls_ocsp_resp_init (&resp);
109 if (ret < 0)
110 return gnutls_assert_val(ret);
111
112 ret = gnutls_ocsp_resp_import (resp, data);
113 if (ret < 0)
114 return gnutls_assert_val(ret);
115
116 ret = gnutls_ocsp_resp_check_crt(resp, 0, cert);
117 if (ret < 0)
118 {
119 _gnutls_audit_log (session, "Got OCSP response on an unrelated certificate.\n");
120 goto cleanup;
121 }
122
123 ret = gnutls_ocsp_resp_verify_direct( resp, issuer, &status, 0);
124 if (ret < 0)
125 return gnutls_assert_val(ret);
126
127 /* do not consider revocation data if response was not verified */
128 if (status != 0)
129 {
130 ret = gnutls_assert_val(0);
131 goto cleanup;
132 }
133
134 ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL,
135 &cert_status, &vtime, &ntime, &rtime, NULL);
136 if (ret < 0)
137 {
138 ret = gnutls_assert_val(0);
139 *ostatus |= GNUTLS_CERT_REVOCATION_DATA_INVALID;
140 goto cleanup;
141 }
142
143 if (cert_status == GNUTLS_OCSP_CERT_REVOKED)
144 {
145 _gnutls_audit_log(session, "The certificate was revoked via OCSP\n");
146 *ostatus |= GNUTLS_CERT_REVOKED;
147 ret = gnutls_assert_val(0);
148 goto cleanup;
149 }
150
151 if (ntime == -1)
152 {
153 if (now - vtime > MAX_OCSP_VALIDITY_SECS)
154 {
155 _gnutls_audit_log(session, "The OCSP response is old\n");
156 }
157 }
158 else
159 {
160 /* there is a newer OCSP answer, don't trust this one */
161 if (ntime < now)
162 {
163 _gnutls_audit_log(session, "There is a newer OCSP response but was not provided by the server\n");
164 if (now-ntime > MAX_OCSP_VALIDITY_SECS)
165 *ostatus |= GNUTLS_CERT_REVOCATION_DATA_TOO_OLD;
166 }
167 }
168
169 ret = 0;
170 cleanup:
171 gnutls_ocsp_resp_deinit (resp);
172
173 return ret;
174 }
175
176
177 #define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) { \
178 if (peer_certificate_list[x]) \
179 gnutls_x509_crt_deinit(peer_certificate_list[x]); \
180 } \
181 gnutls_free( peer_certificate_list)
182
183 /*-
184 * _gnutls_x509_cert_verify_peers - return the peer's certificate status
185 * @session: is a gnutls session
186 *
187 * This function will try to verify the peer's certificate and return its status (TRUSTED, REVOKED etc.).
188 * The return value (status) should be one of the gnutls_certificate_status_t enumerated elements.
189 * However you must also check the peer's name in order to check if the verified certificate belongs to the
190 * actual peer. Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
191 -*/
192 int
193 _gnutls_x509_cert_verify_peers (gnutls_session_t session,
194 unsigned int *status)
195 {
196 cert_auth_info_t info;
197 gnutls_certificate_credentials_t cred;
198 gnutls_x509_crt_t *peer_certificate_list;
199 gnutls_datum_t resp;
200 int peer_certificate_list_size, i, x, ret;
201 gnutls_x509_crt_t issuer;
202 unsigned int ocsp_status = 0;
203
204 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
205
206 info = _gnutls_get_auth_info (session);
207 if (info == NULL)
208 {
209 gnutls_assert ();
210 return GNUTLS_E_INVALID_REQUEST;
211 }
212
213 cred = (gnutls_certificate_credentials_t)
214 _gnutls_get_cred (session, GNUTLS_CRD_CERTIFICATE, NULL);
215 if (cred == NULL)
216 {
217 gnutls_assert ();
218 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
219 }
220
221 if (info->raw_certificate_list == NULL || info->ncerts == 0)
222 return GNUTLS_E_NO_CERTIFICATE_FOUND;
223
224 if (info->ncerts > cred->verify_depth && cred->verify_depth > 0)
225 {
226 gnutls_assert ();
227 return GNUTLS_E_CONSTRAINT_ERROR;
228 }
229
230 /* generate a list of gnutls_certs based on the auth info
231 * raw certs.
232 */
233 peer_certificate_list_size = info->ncerts;
234 peer_certificate_list =
235 gnutls_calloc (peer_certificate_list_size, sizeof (gnutls_x509_crt_t));
236 if (peer_certificate_list == NULL)
237 {
238 gnutls_assert ();
239 return GNUTLS_E_MEMORY_ERROR;
240 }
241
242 for (i = 0; i < peer_certificate_list_size; i++)
243 {
244 ret = gnutls_x509_crt_init (&peer_certificate_list[i]);
245 if (ret < 0)
246 {
247 gnutls_assert ();
248 CLEAR_CERTS;
249 return ret;
250 }
251
252 ret =
253 gnutls_x509_crt_import (peer_certificate_list[i],
254 &info->raw_certificate_list[i],
255 GNUTLS_X509_FMT_DER);
256 if (ret < 0)
257 {
258 gnutls_assert ();
259 CLEAR_CERTS;
260 return ret;
261 }
262
263 ret = check_bits (session, peer_certificate_list[i], cred->verify_bits);
264 if (ret < 0)
265 {
266 gnutls_assert ();
267 CLEAR_CERTS;
268 return ret;
269 }
270
271 }
272
273 /* Use the OCSP extension if any */
274 ret = gnutls_ocsp_status_request_get(session, &resp);
275 if (ret < 0)
276 goto skip_ocsp;
277
278 if (peer_certificate_list_size > 1)
279 issuer = peer_certificate_list[1];
280 else
281 {
282 ret = gnutls_x509_trust_list_get_issuer(cred->tlist, peer_certificate_list[0],
283 &issuer, 0);
284 if (ret < 0)
285 {
286 goto skip_ocsp;
287 }
288 }
289
290 ret = check_ocsp_response(session, peer_certificate_list[0], issuer, &resp, &ocsp_status);
291 if (ret < 0)
292 {
293 CLEAR_CERTS;
294 return gnutls_assert_val(ret);
295 }
296
297 skip_ocsp:
298 /* Verify certificate
299 */
300 ret = gnutls_x509_trust_list_verify_crt (cred->tlist, peer_certificate_list,
301 peer_certificate_list_size,
302 cred->verify_flags | session->internals.
303 priorities.additional_verify_flags,
304 status, NULL);
305
306 CLEAR_CERTS;
307
308 if (ret < 0)
309 {
310 gnutls_assert ();
311 return ret;
312 }
313
314 *status |= ocsp_status;
315
316 return 0;
317 }
318
319 /* Returns the name of the certificate of a null name
320 */
321 static int get_x509_name(gnutls_x509_crt_t crt, gnutls_str_array_t *names)
322 {
323 size_t max_size;
324 int i, ret = 0, ret2;
325 char name[MAX_CN];
326
327 for (i = 0; !(ret < 0); i++)
328 {
329 max_size = sizeof(name);
330
331 ret = gnutls_x509_crt_get_subject_alt_name(crt, i, name, &max_size, NULL);
332 if (ret == GNUTLS_SAN_DNSNAME)
333 {
334 ret2 = _gnutls_str_array_append(names, name, max_size);
335 if (ret2 < 0)
336 {
337 _gnutls_str_array_clear(names);
338 return gnutls_assert_val(ret2);
339 }
340 }
341 }
342
343 max_size = sizeof(name);
344 ret = gnutls_x509_crt_get_dn_by_oid (crt, OID_X520_COMMON_NAME, 0, 0, name, &max_size);
345 if (ret >= 0)
346 {
347 ret = _gnutls_str_array_append(names, name, max_size);
348 if (ret < 0)
349 {
350 _gnutls_str_array_clear(names);
351 return gnutls_assert_val(ret);
352 }
353 }
354
355 return 0;
356 }
357
358 static int get_x509_name_raw(gnutls_datum_t *raw, gnutls_x509_crt_fmt_t type, gnutls_str_array_t *names)
359 {
360 int ret;
361 gnutls_x509_crt_t crt;
362
363 ret = gnutls_x509_crt_init (&crt);
364 if (ret < 0)
365 {
366 gnutls_assert ();
367 return ret;
368 }
369
370 ret = gnutls_x509_crt_import (crt, raw, type);
371 if (ret < 0)
372 {
373 gnutls_assert ();
374 gnutls_x509_crt_deinit (crt);
375 return ret;
376 }
377
378 ret = get_x509_name(crt, names);
379 gnutls_x509_crt_deinit (crt);
380 return ret;
381 }
382
383 /* Reads a DER encoded certificate list from memory and stores it to a
384 * gnutls_cert structure. Returns the number of certificates parsed.
385 */
386 static int
387 parse_der_cert_mem (gnutls_certificate_credentials_t res,
388 const void *input_cert, int input_cert_size)
389 {
390 gnutls_datum_t tmp;
391 gnutls_x509_crt_t crt;
392 gnutls_pcert_st *ccert;
393 int ret;
394 gnutls_str_array_t names;
395
396 _gnutls_str_array_init(&names);
397
398 ccert = gnutls_malloc (sizeof (*ccert));
399 if (ccert == NULL)
400 {
401 gnutls_assert ();
402 return GNUTLS_E_MEMORY_ERROR;
403 }
404
405 ret = gnutls_x509_crt_init (&crt);
406 if (ret < 0)
407 {
408 gnutls_assert ();
409 goto cleanup;
410 }
411
412 tmp.data = (uint8_t *) input_cert;
413 tmp.size = input_cert_size;
414
415 ret = gnutls_x509_crt_import (crt, &tmp, GNUTLS_X509_FMT_DER);
416 if (ret < 0)
417 {
418 gnutls_assert ();
419 gnutls_x509_crt_deinit (crt);
420 goto cleanup;
421 }
422
423 ret = get_x509_name(crt, &names);
424 if (ret < 0)
425 {
426 gnutls_assert();
427 gnutls_x509_crt_deinit (crt);
428 goto cleanup;
429 }
430
431 ret = gnutls_pcert_import_x509 (ccert, crt, 0);
432 gnutls_x509_crt_deinit (crt);
433
434 if (ret < 0)
435 {
436 gnutls_assert ();
437 goto cleanup;
438 }
439
440 ret = certificate_credential_append_crt_list (res, names, ccert, 1);
441 if (ret < 0)
442 {
443 gnutls_assert ();
444 goto cleanup;
445 }
446
447 return ret;
448
449 cleanup:
450 _gnutls_str_array_clear(&names);
451 gnutls_free (ccert);
452 return ret;
453 }
454
455 /* Reads a base64 encoded certificate list from memory and stores it to
456 * a gnutls_cert structure. Returns the number of certificate parsed.
457 */
458 static int
459 parse_pem_cert_mem (gnutls_certificate_credentials_t res,
460 const char *input_cert, int input_cert_size)
461 {
462 int size;
463 const char *ptr;
464 gnutls_datum_t tmp;
465 int ret, count, i;
466 gnutls_pcert_st *certs = NULL;
467 gnutls_str_array_t names;
468
469 _gnutls_str_array_init(&names);
470
471 /* move to the certificate
472 */
473 ptr = memmem (input_cert, input_cert_size,
474 PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
475 if (ptr == NULL)
476 ptr = memmem (input_cert, input_cert_size,
477 PEM_CERT_SEP2, sizeof (PEM_CERT_SEP2) - 1);
478
479 if (ptr == NULL)
480 {
481 gnutls_assert ();
482 return GNUTLS_E_BASE64_DECODING_ERROR;
483 }
484 size = input_cert_size - (ptr - input_cert);
485
486 count = 0;
487
488 do
489 {
490 certs = gnutls_realloc_fast (certs, (count + 1) * sizeof (gnutls_pcert_st));
491
492 if (certs == NULL)
493 {
494 gnutls_assert ();
495 ret = GNUTLS_E_MEMORY_ERROR;
496 goto cleanup;
497 }
498
499 tmp.data = (void*)ptr;
500 tmp.size = size;
501
502 if (count == 0)
503 {
504 ret = get_x509_name_raw(&tmp, GNUTLS_X509_FMT_PEM, &names);
505 if (ret < 0)
506 {
507 gnutls_assert();
508 goto cleanup;
509 }
510 }
511
512 ret = gnutls_pcert_import_x509_raw (&certs[count], &tmp, GNUTLS_X509_FMT_PEM, 0);
513 if (ret < 0)
514 {
515 gnutls_assert ();
516 goto cleanup;
517 }
518
519 /* now we move ptr after the pem header
520 */
521 ptr++;
522 /* find the next certificate (if any)
523 */
524 size = input_cert_size - (ptr - input_cert);
525
526 if (size > 0)
527 {
528 char *ptr3;
529
530 ptr3 = memmem (ptr, size, PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
531 if (ptr3 == NULL)
532 ptr3 = memmem (ptr, size, PEM_CERT_SEP2,
533 sizeof (PEM_CERT_SEP2) - 1);
534
535 ptr = ptr3;
536 }
537 else
538 ptr = NULL;
539
540 count++;
541
542 }
543 while (ptr != NULL);
544
545 ret = certificate_credential_append_crt_list (res, names, certs, count);
546 if (ret < 0)
547 {
548 gnutls_assert ();
549 goto cleanup;
550 }
551
552 return count;
553
554 cleanup:
555 _gnutls_str_array_clear(&names);
556 for (i=0;i<count;i++)
557 gnutls_pcert_deinit(&certs[i]);
558 gnutls_free(certs);
559 return ret;
560 }
561
562
563
564 /* Reads a DER or PEM certificate from memory
565 */
566 static int
567 read_cert_mem (gnutls_certificate_credentials_t res, const void *cert,
568 int cert_size, gnutls_x509_crt_fmt_t type)
569 {
570 int ret;
571
572 if (type == GNUTLS_X509_FMT_DER)
573 ret = parse_der_cert_mem (res, cert, cert_size);
574 else
575 ret = parse_pem_cert_mem (res, cert, cert_size);
576
577 if (ret < 0)
578 {
579 gnutls_assert ();
580 return ret;
581 }
582
583 return ret;
584 }
585
586 /* Reads a PEM encoded PKCS-1 RSA/DSA private key from memory. Type
587 * indicates the certificate format. KEY can be NULL, to indicate
588 * that GnuTLS doesn't know the private key.
589 */
590 static int
591 read_key_mem (gnutls_certificate_credentials_t res,
592 const void *key, int key_size, gnutls_x509_crt_fmt_t type)
593 {
594 int ret;
595 gnutls_datum_t tmp;
596 gnutls_privkey_t privkey;
597
598 if (key)
599 {
600 tmp.data = (uint8_t *) key;
601 tmp.size = key_size;
602
603 ret = gnutls_privkey_init(&privkey);
604 if (ret < 0)
605 {
606 gnutls_assert ();
607 return ret;
608 }
609
610 if (res->pin.cb)
611 gnutls_privkey_set_pin_function(privkey, res->pin.cb, res->pin.data);
612
613 ret = gnutls_privkey_import_x509_raw (privkey, &tmp, type, NULL, 0);
614 if (ret < 0)
615 {
616 gnutls_assert ();
617 return ret;
618 }
619
620 ret = certificate_credentials_append_pkey (res, privkey);
621 if (ret < 0)
622 {
623 gnutls_assert ();
624 gnutls_privkey_deinit (privkey);
625 return ret;
626 }
627
628 }
629 else
630 {
631 gnutls_assert ();
632 return GNUTLS_E_INVALID_REQUEST;
633 }
634
635
636 return 0;
637 }
638
639
640 /* Reads a private key from a token.
641 */
642 static int
643 read_key_url (gnutls_certificate_credentials_t res, const char *url)
644 {
645 int ret;
646 gnutls_privkey_t pkey = NULL;
647
648 /* allocate space for the pkey list
649 */
650 ret = gnutls_privkey_init (&pkey);
651 if (ret < 0)
652 {
653 gnutls_assert ();
654 return ret;
655 }
656
657 if (res->pin.cb)
658 gnutls_privkey_set_pin_function(pkey, res->pin.cb, res->pin.data);
659
660 ret = gnutls_privkey_import_url (pkey, url, 0);
661 if (ret < 0)
662 {
663 gnutls_assert ();
664 goto cleanup;
665 }
666
667 ret = certificate_credentials_append_pkey (res, pkey);
668 if (ret < 0)
669 {
670 gnutls_assert ();
671 goto cleanup;
672 }
673
674 return 0;
675
676 cleanup:
677 if (pkey)
678 gnutls_privkey_deinit (pkey);
679
680 return ret;
681 }
682
683 #ifdef ENABLE_PKCS11
684 /* Reads a private key from a token.
685 */
686 static int
687 read_cas_url (gnutls_certificate_credentials_t res, const char *url)
688 {
689 int ret;
690 gnutls_x509_crt_t *xcrt_list = NULL;
691 gnutls_pkcs11_obj_t *pcrt_list = NULL;
692 unsigned int pcrt_list_size = 0;
693
694 /* FIXME: should we use login? */
695 ret =
696 gnutls_pkcs11_obj_list_import_url (NULL, &pcrt_list_size, url,
697 GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED, 0);
698 if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
699 {
700 gnutls_assert ();
701 return ret;
702 }
703
704 if (pcrt_list_size == 0)
705 {
706 gnutls_assert ();
707 return 0;
708 }
709
710 pcrt_list = gnutls_malloc (sizeof (*pcrt_list) * pcrt_list_size);
711 if (pcrt_list == NULL)
712 {
713 gnutls_assert ();
714 return GNUTLS_E_MEMORY_ERROR;
715 }
716
717 ret =
718 gnutls_pkcs11_obj_list_import_url (pcrt_list, &pcrt_list_size, url,
719 GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED, 0);
720 if (ret < 0)
721 {
722 gnutls_assert ();
723 goto cleanup;
724 }
725
726 xcrt_list = gnutls_malloc (sizeof (*xcrt_list) * pcrt_list_size);
727 if (xcrt_list == NULL)
728 {
729 gnutls_assert ();
730 ret = GNUTLS_E_MEMORY_ERROR;
731 goto cleanup;
732 }
733
734 ret =
735 gnutls_x509_crt_list_import_pkcs11 (xcrt_list, pcrt_list_size, pcrt_list,
736 0);
737 if (ret < 0)
738 {
739 gnutls_assert ();
740 goto cleanup;
741 }
742
743 ret = gnutls_x509_trust_list_add_cas(res->tlist, xcrt_list, pcrt_list_size, 0);
744 if (ret < 0)
745 {
746 gnutls_assert();
747 goto cleanup;
748 }
749
750 cleanup:
751 gnutls_free (xcrt_list);
752 gnutls_free (pcrt_list);
753
754 return ret;
755
756 }
757
758
759 /* Reads a certificate key from a token.
760 */
761 static int
762 read_cert_url (gnutls_certificate_credentials_t res, const char *url)
763 {
764 int ret;
765 gnutls_x509_crt_t crt;
766 gnutls_pcert_st *ccert;
767 gnutls_str_array_t names;
768
769 _gnutls_str_array_init(&names);
770
771 ccert = gnutls_malloc (sizeof (*ccert));
772 if (ccert == NULL)
773 {
774 gnutls_assert ();
775 return GNUTLS_E_MEMORY_ERROR;
776 }
777
778 ret = gnutls_x509_crt_init (&crt);
779 if (ret < 0)
780 {
781 gnutls_assert ();
782 goto cleanup;
783 }
784
785 if (res->pin.cb)
786 gnutls_x509_crt_set_pin_function(crt, res->pin.cb, res->pin.data);
787
788 ret = gnutls_x509_crt_import_pkcs11_url (crt, url, 0);
789 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
790 ret =
791 gnutls_x509_crt_import_pkcs11_url (crt, url,
792 GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
793
794 if (ret < 0)
795 {
796 gnutls_assert ();
797 gnutls_x509_crt_deinit (crt);
798 goto cleanup;
799 }
800
801 ret = get_x509_name(crt, &names);
802 if (ret < 0)
803 {
804 gnutls_assert ();
805 gnutls_x509_crt_deinit (crt);
806 goto cleanup;
807 }
808
809 ret = gnutls_pcert_import_x509 (ccert, crt, 0);
810 gnutls_x509_crt_deinit (crt);
811
812 if (ret < 0)
813 {
814 gnutls_assert ();
815 goto cleanup;
816 }
817
818 ret = certificate_credential_append_crt_list (res, names, ccert, 1);
819 if (ret < 0)
820 {
821 gnutls_assert ();
822 goto cleanup;
823 }
824
825 return 0;
826
827 cleanup:
828 _gnutls_str_array_clear(&names);
829 gnutls_free (ccert);
830 return ret;
831 }
832 #endif
833
834 /* Reads a certificate file
835 */
836 static int
837 read_cert_file (gnutls_certificate_credentials_t res,
838 const char *certfile, gnutls_x509_crt_fmt_t type)
839 {
840 int ret;
841 size_t size;
842 char *data;
843
844 #ifdef ENABLE_PKCS11
845 if (strncmp (certfile, "pkcs11:", 7) == 0)
846 {
847 return read_cert_url (res, certfile);
848 }
849 #endif /* ENABLE_PKCS11 */
850
851 data = read_binary_file (certfile, &size);
852
853 if (data == NULL)
854 {
855 gnutls_assert ();
856 return GNUTLS_E_FILE_ERROR;
857 }
858
859 ret = read_cert_mem (res, data, size, type);
860 free (data);
861
862 return ret;
863
864 }
865
866
867
868 /* Reads PKCS-1 RSA private key file or a DSA file (in the format openssl
869 * stores it).
870 */
871 static int
872 read_key_file (gnutls_certificate_credentials_t res,
873 const char *keyfile, gnutls_x509_crt_fmt_t type)
874 {
875 int ret;
876 size_t size;
877 char *data;
878
879 if (gnutls_url_is_supported(keyfile))
880 {
881 return read_key_url (res, keyfile);
882 }
883
884 data = read_binary_file (keyfile, &size);
885
886 if (data == NULL)
887 {
888 gnutls_assert ();
889 return GNUTLS_E_FILE_ERROR;
890 }
891
892 ret = read_key_mem (res, data, size, type);
893 free (data);
894
895 return ret;
896 }
897
898 /**
899 * gnutls_certificate_set_x509_key_mem:
900 * @res: is a #gnutls_certificate_credentials_t structure.
901 * @cert: contains a certificate list (path) for the specified private key
902 * @key: is the private key, or %NULL
903 * @type: is PEM or DER
904 *
905 * This function sets a certificate/private key pair in the
906 * gnutls_certificate_credentials_t structure. This function may be called
907 * more than once, in case multiple keys/certificates exist for the
908 * server.
909 *
910 * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates
911 * is supported. This means that certificates intended for signing cannot
912 * be used for ciphersuites that require encryption.
913 *
914 * If the certificate and the private key are given in PEM encoding
915 * then the strings that hold their values must be null terminated.
916 *
917 * The @key may be %NULL if you are using a sign callback, see
918 * gnutls_sign_callback_set().
919 *
920 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
921 **/
922 int
923 gnutls_certificate_set_x509_key_mem (gnutls_certificate_credentials_t res,
924 const gnutls_datum_t * cert,
925 const gnutls_datum_t * key,
926 gnutls_x509_crt_fmt_t type)
927 {
928 int ret;
929
930 /* this should be first
931 */
932 if ((ret = read_key_mem (res, key ? key->data : NULL,
933 key ? key->size : 0, type)) < 0)
934 return ret;
935
936 if ((ret = read_cert_mem (res, cert->data, cert->size, type)) < 0)
937 return ret;
938
939 res->ncerts++;
940
941 if (key && (ret = _gnutls_check_key_cert_match (res)) < 0)
942 {
943 gnutls_assert ();
944 return ret;
945 }
946
947 return 0;
948 }
949
950 static int check_if_sorted(gnutls_pcert_st * crt, int nr)
951 {
952 gnutls_x509_crt_t x509;
953 char prev_dn[MAX_DN];
954 char dn[MAX_DN];
955 size_t prev_dn_size, dn_size;
956 int i, ret;
957
958 /* check if the X.509 list is ordered */
959 if (nr > 1 && crt[0].type == GNUTLS_CRT_X509)
960 {
961
962 for (i=0;i<nr;i++)
963 {
964 ret = gnutls_x509_crt_init(&x509);
965 if (ret < 0)
966 return gnutls_assert_val(ret);
967
968 ret = gnutls_x509_crt_import(x509, &crt[i].cert, GNUTLS_X509_FMT_DER);
969 if (ret < 0)
970 {
971 ret = gnutls_assert_val(ret);
972 goto cleanup;
973 }
974
975 if (i>0)
976 {
977 dn_size = sizeof(dn);
978 ret = gnutls_x509_crt_get_dn(x509, dn, &dn_size);
979 if (ret < 0)
980 {
981 ret = gnutls_assert_val(ret);
982 goto cleanup;
983 }
984
985 if (dn_size != prev_dn_size || memcmp(dn, prev_dn, dn_size) != 0)
986 {
987 ret = gnutls_assert_val(GNUTLS_E_CERTIFICATE_LIST_UNSORTED);
988 goto cleanup;
989 }
990 }
991
992 prev_dn_size = sizeof(prev_dn);
993 ret = gnutls_x509_crt_get_issuer_dn(x509, prev_dn, &prev_dn_size);
994 if (ret < 0)
995 {
996 ret = gnutls_assert_val(ret);
997 goto cleanup;
998 }
999
1000 gnutls_x509_crt_deinit(x509);
1001 }
1002 }
1003
1004 return 0;
1005
1006 cleanup:
1007 gnutls_x509_crt_deinit(x509);
1008 return ret;
1009 }
1010
1011 int
1012 certificate_credential_append_crt_list (gnutls_certificate_credentials_t res,
1013 gnutls_str_array_t names, gnutls_pcert_st * crt, int nr)
1014 {
1015 int ret;
1016
1017 ret = check_if_sorted(crt, nr);
1018 if (ret < 0)
1019 return gnutls_assert_val(ret);
1020
1021 res->certs = gnutls_realloc_fast (res->certs,
1022 (1 + res->ncerts) *
1023 sizeof (certs_st));
1024 if (res->certs == NULL)
1025 {
1026 gnutls_assert ();
1027 return GNUTLS_E_MEMORY_ERROR;
1028 }
1029
1030 res->certs[res->ncerts].cert_list = crt;
1031 res->certs[res->ncerts].cert_list_length = nr;
1032 res->certs[res->ncerts].names = names;
1033
1034 return 0;
1035
1036 }
1037
1038 int
1039 certificate_credentials_append_pkey (gnutls_certificate_credentials_t res,
1040 gnutls_privkey_t pkey)
1041 {
1042 res->pkey = gnutls_realloc_fast (res->pkey,
1043 (1 + res->ncerts) *
1044 sizeof (gnutls_privkey_t));
1045 if (res->pkey == NULL)
1046 {
1047 gnutls_assert ();
1048 return GNUTLS_E_MEMORY_ERROR;
1049 }
1050 res->pkey[res->ncerts] = pkey;
1051 return 0;
1052
1053 }
1054
1055 /**
1056 * gnutls_certificate_set_x509_key:
1057 * @res: is a #gnutls_certificate_credentials_t structure.
1058 * @cert_list: contains a certificate list (path) for the specified private key
1059 * @cert_list_size: holds the size of the certificate list
1060 * @key: is a #gnutls_x509_privkey_t key
1061 *
1062 * This function sets a certificate/private key pair in the
1063 * gnutls_certificate_credentials_t structure. This function may be
1064 * called more than once, in case multiple keys/certificates exist for
1065 * the server. For clients that wants to send more than their own end
1066 * entity certificate (e.g., also an intermediate CA cert) then put
1067 * the certificate chain in @cert_list.
1068 *
1069 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1070 *
1071 * Since: 2.4.0
1072 **/
1073 int
1074 gnutls_certificate_set_x509_key (gnutls_certificate_credentials_t res,
1075 gnutls_x509_crt_t * cert_list,
1076 int cert_list_size,
1077 gnutls_x509_privkey_t key)
1078 {
1079 int ret, i;
1080 gnutls_privkey_t pkey;
1081 gnutls_pcert_st *pcerts = NULL;
1082 gnutls_str_array_t names;
1083
1084 _gnutls_str_array_init(&names);
1085
1086 /* this should be first
1087 */
1088 ret = gnutls_privkey_init (&pkey);
1089 if (ret < 0)
1090 {
1091 gnutls_assert ();
1092 return ret;
1093 }
1094
1095 if (res->pin.cb)
1096 gnutls_privkey_set_pin_function(pkey, res->pin.cb, res->pin.data);
1097
1098 ret = gnutls_privkey_import_x509 (pkey, key, GNUTLS_PRIVKEY_IMPORT_COPY);
1099 if (ret < 0)
1100 {
1101 gnutls_assert ();
1102 return ret;
1103 }
1104
1105 ret = certificate_credentials_append_pkey (res, pkey);
1106 if (ret < 0)
1107 {
1108 gnutls_assert ();
1109 return ret;
1110 }
1111
1112 /* load certificates */
1113 pcerts = gnutls_malloc (sizeof (gnutls_pcert_st) * cert_list_size);
1114 if (pcerts == NULL)
1115 {
1116 gnutls_assert ();
1117 return GNUTLS_E_MEMORY_ERROR;
1118 }
1119
1120 ret = get_x509_name(cert_list[0], &names);
1121 if (ret < 0)
1122 return gnutls_assert_val(ret);
1123
1124 for (i = 0; i < cert_list_size; i++)
1125 {
1126 ret = gnutls_pcert_import_x509 (&pcerts[i], cert_list[i], 0);
1127 if (ret < 0)
1128 {
1129 gnutls_assert ();
1130 goto cleanup;
1131 }
1132 }
1133
1134 ret = certificate_credential_append_crt_list (res, names, pcerts, cert_list_size);
1135 if (ret < 0)
1136 {
1137 gnutls_assert ();
1138 goto cleanup;
1139 }
1140
1141 res->ncerts++;
1142
1143 if ((ret = _gnutls_check_key_cert_match (res)) < 0)
1144 {
1145 gnutls_assert ();
1146 return ret;
1147 }
1148
1149 return 0;
1150
1151 cleanup:
1152 _gnutls_str_array_clear(&names);
1153 return ret;
1154 }
1155
1156 /**
1157 * gnutls_certificate_set_key:
1158 * @res: is a #gnutls_certificate_credentials_t structure.
1159 * @names: is an array of DNS name of the certificate (NULL if none)
1160 * @names_size: holds the size of the names list
1161 * @pcert_list: contains a certificate list (path) for the specified private key
1162 * @pcert_list_size: holds the size of the certificate list
1163 * @key: is a #gnutls_privkey_t key
1164 *
1165 * This function sets a certificate/private key pair in the
1166 * gnutls_certificate_credentials_t structure. This function may be
1167 * called more than once, in case multiple keys/certificates exist for
1168 * the server. For clients that wants to send more than its own end
1169 * entity certificate (e.g., also an intermediate CA cert) then put
1170 * the certificate chain in @pcert_list. The @pcert_list and @key will
1171 * become part of the credentials structure and must not
1172 * be deallocated. They will be automatically deallocated when @res
1173 * is deinitialized.
1174 *
1175 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1176 *
1177 * Since: 3.0
1178 **/
1179 int
1180 gnutls_certificate_set_key (gnutls_certificate_credentials_t res,
1181 const char** names,
1182 int names_size,
1183 gnutls_pcert_st * pcert_list,
1184 int pcert_list_size,
1185 gnutls_privkey_t key)
1186 {
1187 int ret, i;
1188 gnutls_str_array_t str_names;
1189
1190 _gnutls_str_array_init(&str_names);
1191
1192 if (names != NULL && names_size > 0)
1193 {
1194 for (i=0;i<names_size;i++)
1195 {
1196 ret = _gnutls_str_array_append(&str_names, names[i], strlen(names[i]));
1197 if (ret < 0)
1198 {
1199 ret = gnutls_assert_val(ret);
1200 goto cleanup;
1201 }
1202 }
1203 }
1204
1205 if (res->pin.cb)
1206 gnutls_privkey_set_pin_function(key, res->pin.cb, res->pin.data);
1207
1208 ret = certificate_credentials_append_pkey (res, key);
1209 if (ret < 0)
1210 {
1211 gnutls_assert ();
1212 goto cleanup;
1213 }
1214
1215 ret = certificate_credential_append_crt_list (res, str_names, pcert_list, pcert_list_size);
1216 if (ret < 0)
1217 {
1218 gnutls_assert ();
1219 goto cleanup;
1220 }
1221
1222 res->ncerts++;
1223
1224 if ((ret = _gnutls_check_key_cert_match (res)) < 0)
1225 {
1226 gnutls_assert ();
1227 return ret;
1228 }
1229
1230 return 0;
1231
1232 cleanup:
1233 _gnutls_str_array_clear(&str_names);
1234 return ret;
1235 }
1236
1237 /**
1238 * gnutls_certificate_set_x509_key_file:
1239 * @res: is a #gnutls_certificate_credentials_t structure.
1240 * @certfile: is a file that containing the certificate list (path) for
1241 * the specified private key, in PKCS7 format, or a list of certificates
1242 * @keyfile: is a file that contains the private key
1243 * @type: is PEM or DER
1244 *
1245 * This function sets a certificate/private key pair in the
1246 * gnutls_certificate_credentials_t structure. This function may be
1247 * called more than once, in case multiple keys/certificates exist for
1248 * the server. For clients that need to send more than its own end
1249 * entity certificate, e.g., also an intermediate CA cert, then the
1250 * @certfile must contain the ordered certificate chain.
1251 *
1252 * This function can also accept URLs at @keyfile and @certfile. In that case it
1253 * will import the private key and certificate indicated by the URLs. Note
1254 * that the supported URLs are the ones indicated by gnutls_url_is_supported().
1255 *
1256 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1257 **/
1258 int
1259 gnutls_certificate_set_x509_key_file (gnutls_certificate_credentials_t res,
1260 const char *certfile,
1261 const char *keyfile,
1262 gnutls_x509_crt_fmt_t type)
1263 {
1264 int ret;
1265
1266 /* this should be first
1267 */
1268 if ((ret = read_key_file (res, keyfile, type)) < 0)
1269 return ret;
1270
1271 if ((ret = read_cert_file (res, certfile, type)) < 0)
1272 return ret;
1273
1274 res->ncerts++;
1275
1276 if ((ret = _gnutls_check_key_cert_match (res)) < 0)
1277 {
1278 gnutls_assert ();
1279 return ret;
1280 }
1281
1282 return 0;
1283 }
1284
1285 static int
1286 add_new_crt_to_rdn_seq (gnutls_certificate_credentials_t res, gnutls_x509_crt_t* crts,
1287 unsigned int crt_size)
1288 {
1289 gnutls_datum_t tmp;
1290 int ret;
1291 size_t newsize;
1292 unsigned char *newdata, *p;
1293 unsigned i;
1294
1295 /* Add DN of the last added CAs to the RDN sequence
1296 * This will be sent to clients when a certificate
1297 * request message is sent.
1298 */
1299
1300 /* FIXME: in case of a client it is not needed
1301 * to do that. This would save time and memory.
1302 * However we don't have that information available
1303 * here.
1304 * Further, this function is now much more efficient,
1305 * so optimizing that is less important.
1306 */
1307
1308 for (i = 0; i < crt_size; i++)
1309 {
1310 if ((ret = gnutls_x509_crt_get_raw_dn (crts[i], &tmp)) < 0)
1311 {
1312 gnutls_assert ();
1313 return ret;
1314 }
1315
1316 newsize = res->x509_rdn_sequence.size + 2 + tmp.size;
1317 if (newsize < res->x509_rdn_sequence.size)
1318 {
1319 gnutls_assert ();
1320 _gnutls_free_datum (&tmp);
1321 return GNUTLS_E_SHORT_MEMORY_BUFFER;
1322 }
1323
1324 newdata = gnutls_realloc (res->x509_rdn_sequence.data, newsize);
1325 if (newdata == NULL)
1326 {
1327 gnutls_assert ();
1328 _gnutls_free_datum (&tmp);
1329 return GNUTLS_E_MEMORY_ERROR;
1330 }
1331
1332 p = newdata + res->x509_rdn_sequence.size;
1333 _gnutls_write_uint16 (tmp.size, p);
1334 if (tmp.data != NULL)
1335 memcpy (p+2, tmp.data, tmp.size);
1336
1337 _gnutls_free_datum (&tmp);
1338
1339 res->x509_rdn_sequence.size = newsize;
1340 res->x509_rdn_sequence.data = newdata;
1341 }
1342
1343 return 0;
1344 }
1345
1346 /* Returns 0 if it's ok to use the gnutls_kx_algorithm_t with this
1347 * certificate (uses the KeyUsage field).
1348 */
1349 int
1350 _gnutls_check_key_usage (const gnutls_pcert_st* cert, gnutls_kx_algorithm_t alg)
1351 {
1352 unsigned int key_usage = 0;
1353 int encipher_type;
1354
1355 if (cert == NULL)
1356 {
1357 gnutls_assert ();
1358 return GNUTLS_E_INTERNAL_ERROR;
1359 }
1360
1361 if (_gnutls_map_kx_get_cred (alg, 1) == GNUTLS_CRD_CERTIFICATE ||
1362 _gnutls_map_kx_get_cred (alg, 0) == GNUTLS_CRD_CERTIFICATE)
1363 {
1364
1365 gnutls_pubkey_get_key_usage(cert->pubkey, &key_usage);
1366
1367 encipher_type = _gnutls_kx_encipher_type (alg);
1368
1369 if (key_usage != 0 && encipher_type != CIPHER_IGN)
1370 {
1371 /* If key_usage has been set in the certificate
1372 */
1373
1374 if (encipher_type == CIPHER_ENCRYPT)
1375 {
1376 /* If the key exchange method requires an encipher
1377 * type algorithm, and key's usage does not permit
1378 * encipherment, then fail.
1379 */
1380 if (!(key_usage & GNUTLS_KEY_KEY_ENCIPHERMENT))
1381 {
1382 gnutls_assert ();
1383 return GNUTLS_E_KEY_USAGE_VIOLATION;
1384 }
1385 }
1386
1387 if (encipher_type == CIPHER_SIGN)
1388 {
1389 /* The same as above, but for sign only keys
1390 */
1391 if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
1392 {
1393 gnutls_assert ();
1394 return GNUTLS_E_KEY_USAGE_VIOLATION;
1395 }
1396 }
1397 }
1398 }
1399 return 0;
1400 }
1401
1402 static int
1403 parse_pem_ca_mem (gnutls_certificate_credentials_t res,
1404 const uint8_t * input_cert, int input_cert_size)
1405 {
1406 gnutls_x509_crt_t *x509_cert_list;
1407 unsigned int x509_ncerts;
1408 gnutls_datum_t tmp;
1409 int ret;
1410
1411 tmp.data = (void*)input_cert;
1412 tmp.size = input_cert_size;
1413
1414 ret = gnutls_x509_crt_list_import2( &x509_cert_list, &x509_ncerts, &tmp,
1415 GNUTLS_X509_FMT_PEM, 0);
1416 if (ret < 0)
1417 {
1418 gnutls_assert();
1419 return ret;
1420 }
1421
1422 if ((ret = add_new_crt_to_rdn_seq (res, x509_cert_list, x509_ncerts)) < 0)
1423 {
1424 gnutls_assert();
1425 goto cleanup;
1426 }
1427
1428 ret = gnutls_x509_trust_list_add_cas(res->tlist, x509_cert_list, x509_ncerts, 0);
1429 if (ret < 0)
1430 {
1431 gnutls_assert();
1432 goto cleanup;
1433 }
1434
1435 cleanup:
1436 gnutls_free(x509_cert_list);
1437 return ret;
1438 }
1439
1440 /* Reads a DER encoded certificate list from memory and stores it to a
1441 * gnutls_cert structure. Returns the number of certificates parsed.
1442 */
1443 static int
1444 parse_der_ca_mem (gnutls_certificate_credentials_t res,
1445 const void *input_cert, int input_cert_size)
1446 {
1447 gnutls_x509_crt_t crt;
1448 gnutls_datum_t tmp;
1449 int ret;
1450
1451 tmp.data = (void*)input_cert;
1452 tmp.size = input_cert_size;
1453
1454 ret = gnutls_x509_crt_init( &crt);
1455 if (ret < 0)
1456 {
1457 gnutls_assert();
1458 return ret;
1459 }
1460
1461 ret = gnutls_x509_crt_import( crt, &tmp, GNUTLS_X509_FMT_DER);
1462 if (ret < 0)
1463 {
1464 gnutls_assert();
1465 goto cleanup;
1466 }
1467
1468 if ((ret = add_new_crt_to_rdn_seq (res, &crt, 1)) < 0)
1469 {
1470 gnutls_assert();
1471 goto cleanup;
1472 }
1473
1474 ret = gnutls_x509_trust_list_add_cas(res->tlist, &crt, 1, 0);
1475 if (ret < 0)
1476 {
1477 gnutls_assert();
1478 goto cleanup;
1479 }
1480
1481 return ret;
1482
1483 cleanup:
1484 gnutls_x509_crt_deinit(crt);
1485 return ret;
1486 }
1487
1488 /**
1489 * gnutls_certificate_set_x509_trust_mem:
1490 * @res: is a #gnutls_certificate_credentials_t structure.
1491 * @ca: is a list of trusted CAs or a DER certificate
1492 * @type: is DER or PEM
1493 *
1494 * This function adds the trusted CAs in order to verify client or
1495 * server certificates. In case of a client this is not required to be
1496 * called if the certificates are not verified using
1497 * gnutls_certificate_verify_peers2(). This function may be called
1498 * multiple times.
1499 *
1500 * In case of a server the CAs set here will be sent to the client if
1501 * a certificate request is sent. This can be disabled using
1502 * gnutls_certificate_send_x509_rdn_sequence().
1503 *
1504 * Returns: the number of certificates processed or a negative error code
1505 * on error.
1506 **/
1507 int
1508 gnutls_certificate_set_x509_trust_mem (gnutls_certificate_credentials_t res,
1509 const gnutls_datum_t * ca,
1510 gnutls_x509_crt_fmt_t type)
1511 {
1512 int ret;
1513
1514 if (type == GNUTLS_X509_FMT_DER)
1515 ret = parse_der_ca_mem (res,
1516 ca->data, ca->size);
1517 else
1518 ret = parse_pem_ca_mem (res,
1519 ca->data, ca->size);
1520
1521 if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
1522 return 0;
1523
1524 return ret;
1525 }
1526
1527 /**
1528 * gnutls_certificate_set_x509_trust:
1529 * @res: is a #gnutls_certificate_credentials_t structure.
1530 * @ca_list: is a list of trusted CAs
1531 * @ca_list_size: holds the size of the CA list
1532 *
1533 * This function adds the trusted CAs in order to verify client
1534 * or server certificates. In case of a client this is not required
1535 * to be called if the certificates are not verified using
1536 * gnutls_certificate_verify_peers2().
1537 * This function may be called multiple times.
1538 *
1539 * In case of a server the CAs set here will be sent to the client if
1540 * a certificate request is sent. This can be disabled using
1541 * gnutls_certificate_send_x509_rdn_sequence().
1542 *
1543 * Returns: the number of certificates processed or a negative error code
1544 * on error.
1545 *
1546 * Since: 2.4.0
1547 **/
1548 int
1549 gnutls_certificate_set_x509_trust (gnutls_certificate_credentials_t res,
1550 gnutls_x509_crt_t * ca_list,
1551 int ca_list_size)
1552 {
1553 int ret, i, j;
1554 gnutls_x509_crt_t new_list[ca_list_size];
1555
1556 for (i = 0; i < ca_list_size; i++)
1557 {
1558 ret = gnutls_x509_crt_init (&new_list[i]);
1559 if (ret < 0)
1560 {
1561 gnutls_assert ();
1562 goto cleanup;
1563 }
1564
1565 ret = _gnutls_x509_crt_cpy (new_list[i], ca_list[i]);
1566 if (ret < 0)
1567 {
1568 gnutls_assert ();
1569 goto cleanup;
1570 }
1571 }
1572
1573 if ((ret = add_new_crt_to_rdn_seq (res, new_list, ca_list_size)) < 0)
1574 {
1575 gnutls_assert();
1576 goto cleanup;
1577 }
1578
1579 ret = gnutls_x509_trust_list_add_cas(res->tlist, new_list, ca_list_size, 0);
1580 if (ret < 0)
1581 {
1582 gnutls_assert ();
1583 goto cleanup;
1584 }
1585
1586 return ret;
1587
1588 cleanup:
1589 for (j=0;j<i;i++)
1590 gnutls_x509_crt_deinit(new_list[j]);
1591
1592 return ret;
1593 }
1594
1595
1596 /**
1597 * gnutls_certificate_set_x509_trust_file:
1598 * @cred: is a #gnutls_certificate_credentials_t structure.
1599 * @cafile: is a file containing the list of trusted CAs (DER or PEM list)
1600 * @type: is PEM or DER
1601 *
1602 * This function adds the trusted CAs in order to verify client or
1603 * server certificates. In case of a client this is not required to
1604 * be called if the certificates are not verified using
1605 * gnutls_certificate_verify_peers2(). This function may be called
1606 * multiple times.
1607 *
1608 * In case of a server the names of the CAs set here will be sent to
1609 * the client if a certificate request is sent. This can be disabled
1610 * using gnutls_certificate_send_x509_rdn_sequence().
1611 *
1612 * This function can also accept URLs. In that case it
1613 * will import all certificates that are marked as trusted. Note
1614 * that the supported URLs are the ones indicated by gnutls_url_is_supported().
1615 *
1616 * Returns: number of certificates processed, or a negative error code on
1617 * error.
1618 **/
1619 int
1620 gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t cred,
1621 const char *cafile,
1622 gnutls_x509_crt_fmt_t type)
1623 {
1624 int ret;
1625 gnutls_datum_t cas;
1626 size_t size;
1627
1628 #ifdef ENABLE_PKCS11
1629 if (strncmp (cafile, "pkcs11:", 7) == 0)
1630 {
1631 return read_cas_url (cred, cafile);
1632 }
1633 #endif
1634
1635 cas.data = (void*)read_binary_file (cafile, &size);
1636 if (cas.data == NULL)
1637 {
1638 gnutls_assert ();
1639 return GNUTLS_E_FILE_ERROR;
1640 }
1641
1642 cas.size = size;
1643
1644 ret = gnutls_certificate_set_x509_trust_mem(cred, &cas, type);
1645
1646 free (cas.data);
1647
1648 if (ret < 0)
1649 {
1650 gnutls_assert ();
1651 return ret;
1652 }
1653
1654 return ret;
1655 }
1656
1657 /**
1658 * gnutls_certificate_set_x509_system_trust:
1659 * @cred: is a #gnutls_certificate_credentials_t structure.
1660 *
1661 * This function adds the system's default trusted CAs in order to
1662 * verify client or server certificates.
1663 *
1664 * In the case the system is currently unsupported %GNUTLS_E_UNIMPLEMENTED_FEATURE
1665 * is returned.
1666 *
1667 * Returns: the number of certificates processed or a negative error code
1668 * on error.
1669 *
1670 * Since: 3.0
1671 **/
1672 int
1673 gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred)
1674 {
1675 return gnutls_x509_trust_list_add_system_trust(cred->tlist, 0, 0);
1676 }
1677
1678 static int
1679 parse_pem_crl_mem (gnutls_x509_trust_list_t tlist,
1680 const char * input_crl, unsigned int input_crl_size)
1681 {
1682 gnutls_x509_crl_t *x509_crl_list;
1683 unsigned int x509_ncrls;
1684 gnutls_datum_t tmp;
1685 int ret;
1686
1687 tmp.data = (void*)input_crl;
1688 tmp.size = input_crl_size;
1689
1690 ret = gnutls_x509_crl_list_import2( &x509_crl_list, &x509_ncrls, &tmp,
1691 GNUTLS_X509_FMT_PEM, 0);
1692 if (ret < 0)
1693 {
1694 gnutls_assert();
1695 return ret;
1696 }
1697
1698 ret = gnutls_x509_trust_list_add_crls(tlist, x509_crl_list, x509_ncrls, 0, 0);
1699 if (ret < 0)
1700 {
1701 gnutls_assert();
1702 goto cleanup;
1703 }
1704
1705 cleanup:
1706 gnutls_free(x509_crl_list);
1707 return ret;
1708 }
1709
1710 /* Reads a DER encoded certificate list from memory and stores it to a
1711 * gnutls_cert structure. Returns the number of certificates parsed.
1712 */
1713 static int
1714 parse_der_crl_mem (gnutls_x509_trust_list_t tlist,
1715 const void *input_crl, unsigned int input_crl_size)
1716 {
1717 gnutls_x509_crl_t crl;
1718 gnutls_datum_t tmp;
1719 int ret;
1720
1721 tmp.data = (void*)input_crl;
1722 tmp.size = input_crl_size;
1723
1724 ret = gnutls_x509_crl_init( &crl);
1725 if (ret < 0)
1726 {
1727 gnutls_assert();
1728 return ret;
1729 }
1730
1731 ret = gnutls_x509_crl_import( crl, &tmp, GNUTLS_X509_FMT_DER);
1732 if (ret < 0)
1733 {
1734 gnutls_assert();
1735 goto cleanup;
1736 }
1737
1738 ret = gnutls_x509_trust_list_add_crls(tlist, &crl, 1, 0, 0);
1739 if (ret < 0)
1740 {
1741 gnutls_assert();
1742 goto cleanup;
1743 }
1744
1745 return ret;
1746
1747 cleanup:
1748 gnutls_x509_crl_deinit(crl);
1749 return ret;
1750
1751 }
1752
1753
1754 /* Reads a DER or PEM CRL from memory
1755 */
1756 static int
1757 read_crl_mem (gnutls_certificate_credentials_t res, const void *crl,
1758 int crl_size, gnutls_x509_crt_fmt_t type)
1759 {
1760 int ret;
1761
1762 if (type == GNUTLS_X509_FMT_DER)
1763 ret = parse_der_crl_mem (res->tlist, crl, crl_size);
1764 else
1765 ret = parse_pem_crl_mem (res->tlist, crl, crl_size);
1766
1767 if (ret < 0)
1768 {
1769 gnutls_assert ();
1770 }
1771
1772 return ret;
1773 }
1774
1775 /**
1776 * gnutls_certificate_set_x509_crl_mem:
1777 * @res: is a #gnutls_certificate_credentials_t structure.
1778 * @CRL: is a list of trusted CRLs. They should have been verified before.
1779 * @type: is DER or PEM
1780 *
1781 * This function adds the trusted CRLs in order to verify client or
1782 * server certificates. In case of a client this is not required to
1783 * be called if the certificates are not verified using
1784 * gnutls_certificate_verify_peers2(). This function may be called
1785 * multiple times.
1786 *
1787 * Returns: number of CRLs processed, or a negative error code on error.
1788 **/
1789 int
1790 gnutls_certificate_set_x509_crl_mem (gnutls_certificate_credentials_t res,
1791 const gnutls_datum_t * CRL,
1792 gnutls_x509_crt_fmt_t type)
1793 {
1794 return read_crl_mem (res, CRL->data, CRL->size, type);
1795 }
1796
1797 /**
1798 * gnutls_certificate_set_x509_crl:
1799 * @res: is a #gnutls_certificate_credentials_t structure.
1800 * @crl_list: is a list of trusted CRLs. They should have been verified before.
1801 * @crl_list_size: holds the size of the crl_list
1802 *
1803 * This function adds the trusted CRLs in order to verify client or
1804 * server certificates. In case of a client this is not required to
1805 * be called if the certificates are not verified using
1806 * gnutls_certificate_verify_peers2(). This function may be called
1807 * multiple times.
1808 *
1809 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1810 *
1811 * Since: 2.4.0
1812 **/
1813 int
1814 gnutls_certificate_set_x509_crl (gnutls_certificate_credentials_t res,
1815 gnutls_x509_crl_t * crl_list,
1816 int crl_list_size)
1817 {
1818 int ret, i, j;
1819 gnutls_x509_crl_t new_crl[crl_list_size];
1820
1821 for (i = 0; i < crl_list_size; i++)
1822 {
1823 ret = gnutls_x509_crl_init (&new_crl[i]);
1824 if (ret < 0)
1825 {
1826 gnutls_assert ();
1827 goto cleanup;
1828 }
1829
1830 ret = _gnutls_x509_crl_cpy (new_crl[i], crl_list[i]);
1831 if (ret < 0)
1832 {
1833 gnutls_assert ();
1834 goto cleanup;
1835 }
1836 }
1837
1838 ret = gnutls_x509_trust_list_add_crls(res->tlist, new_crl, crl_list_size, 0, 0);
1839 if (ret < 0)
1840 {
1841 gnutls_assert ();
1842 goto cleanup;
1843 }
1844
1845 return ret;
1846
1847 cleanup:
1848 for (j=0;j<i;j++)
1849 gnutls_x509_crl_deinit(new_crl[j]);
1850
1851 return ret;
1852 }
1853
1854 /**
1855 * gnutls_certificate_set_x509_crl_file:
1856 * @res: is a #gnutls_certificate_credentials_t structure.
1857 * @crlfile: is a file containing the list of verified CRLs (DER or PEM list)
1858 * @type: is PEM or DER
1859 *
1860 * This function adds the trusted CRLs in order to verify client or server
1861 * certificates. In case of a client this is not required
1862 * to be called if the certificates are not verified using
1863 * gnutls_certificate_verify_peers2().
1864 * This function may be called multiple times.
1865 *
1866 * Returns: number of CRLs processed or a negative error code on error.
1867 **/
1868 int
1869 gnutls_certificate_set_x509_crl_file (gnutls_certificate_credentials_t res,
1870 const char *crlfile,
1871 gnutls_x509_crt_fmt_t type)
1872 {
1873 int ret;
1874 size_t size;
1875 char *data = (void*)read_binary_file (crlfile, &size);
1876
1877 if (data == NULL)
1878 {
1879 gnutls_assert ();
1880 return GNUTLS_E_FILE_ERROR;
1881 }
1882
1883 if (type == GNUTLS_X509_FMT_DER)
1884 ret = parse_der_crl_mem (res->tlist, data, size);
1885 else
1886 ret = parse_pem_crl_mem (res->tlist, data, size);
1887
1888 free (data);
1889
1890 if (ret < 0)
1891 {
1892 gnutls_assert ();
1893 return ret;
1894 }
1895
1896 return ret;
1897 }
1898
1899 #include <gnutls/pkcs12.h>
1900
1901
1902 /**
1903 * gnutls_certificate_set_x509_simple_pkcs12_file:
1904 * @res: is a #gnutls_certificate_credentials_t structure.
1905 * @pkcs12file: filename of file containing PKCS#12 blob.
1906 * @type: is PEM or DER of the @pkcs12file.
1907 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
1908 *
1909 * This function sets a certificate/private key pair and/or a CRL in
1910 * the gnutls_certificate_credentials_t structure. This function may
1911 * be called more than once (in case multiple keys/certificates exist
1912 * for the server).
1913 *
1914 * PKCS#12 files with a MAC, encrypted bags and PKCS #8
1915 * private keys are supported. However,
1916 * only password based security, and the same password for all
1917 * operations, are supported.
1918 *
1919 * PKCS#12 file may contain many keys and/or certificates, and there
1920 * is no way to identify which key/certificate pair you want. You
1921 * should make sure the PKCS#12 file only contain one key/certificate
1922 * pair and/or one CRL.
1923 *
1924 * It is believed that the limitations of this function is acceptable
1925 * for most usage, and that any more flexibility would introduce
1926 * complexity that would make it harder to use this functionality at
1927 * all.
1928 *
1929 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1930 **/
1931 int
1932 gnutls_certificate_set_x509_simple_pkcs12_file
1933 (gnutls_certificate_credentials_t res, const char *pkcs12file,
1934 gnutls_x509_crt_fmt_t type, const char *password)
1935 {
1936 gnutls_datum_t p12blob;
1937 size_t size;
1938 int ret;
1939
1940 p12blob.data = (void*)read_binary_file (pkcs12file, &size);
1941 p12blob.size = (unsigned int) size;
1942 if (p12blob.data == NULL)
1943 {
1944 gnutls_assert ();
1945 return GNUTLS_E_FILE_ERROR;
1946 }
1947
1948 ret =
1949 gnutls_certificate_set_x509_simple_pkcs12_mem (res, &p12blob, type,
1950 password);
1951 free (p12blob.data);
1952
1953 return ret;
1954 }
1955
1956 /**
1957 * gnutls_certificate_set_x509_simple_pkcs12_mem:
1958 * @res: is a #gnutls_certificate_credentials_t structure.
1959 * @p12blob: the PKCS#12 blob.
1960 * @type: is PEM or DER of the @pkcs12file.
1961 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
1962 *
1963 * This function sets a certificate/private key pair and/or a CRL in
1964 * the gnutls_certificate_credentials_t structure. This function may
1965 * be called more than once (in case multiple keys/certificates exist
1966 * for the server).
1967 *
1968 * Encrypted PKCS#12 bags and PKCS#8 private keys are supported. However,
1969 * only password based security, and the same password for all
1970 * operations, are supported.
1971 *
1972 * PKCS#12 file may contain many keys and/or certificates, and there
1973 * is no way to identify which key/certificate pair you want. You
1974 * should make sure the PKCS#12 file only contain one key/certificate
1975 * pair and/or one CRL.
1976 *
1977 * It is believed that the limitations of this function is acceptable
1978 * for most usage, and that any more flexibility would introduce
1979 * complexity that would make it harder to use this functionality at
1980 * all.
1981 *
1982 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1983 *
1984 * Since: 2.8.0
1985 **/
1986 int
1987 gnutls_certificate_set_x509_simple_pkcs12_mem
1988 (gnutls_certificate_credentials_t res, const gnutls_datum_t * p12blob,
1989 gnutls_x509_crt_fmt_t type, const char *password)
1990 {
1991 gnutls_pkcs12_t p12;
1992 gnutls_x509_privkey_t key = NULL;
1993 gnutls_x509_crt_t *chain = NULL;
1994 gnutls_x509_crl_t crl = NULL;
1995 unsigned int chain_size = 0, i;
1996 int ret;
1997
1998 ret = gnutls_pkcs12_init (&p12);
1999 if (ret < 0)
2000 {
2001 gnutls_assert ();
2002 return ret;
2003 }
2004
2005 ret = gnutls_pkcs12_import (p12, p12blob, type, 0);
2006 if (ret < 0)
2007 {
2008 gnutls_assert ();
2009 gnutls_pkcs12_deinit (p12);
2010 return ret;
2011 }
2012
2013 if (password)
2014 {
2015 ret = gnutls_pkcs12_verify_mac (p12, password);
2016 if (ret < 0)
2017 {
2018 gnutls_assert ();
2019 gnutls_pkcs12_deinit (p12);
2020 return ret;
2021 }
2022 }
2023
2024 ret = gnutls_pkcs12_simple_parse (p12, password, &key, &chain, &chain_size,
2025 NULL, NULL, &crl, 0);
2026 gnutls_pkcs12_deinit (p12);
2027 if (ret < 0)
2028 {
2029 gnutls_assert ();
2030 return ret;
2031 }
2032
2033 if (key && chain)
2034 {
2035 ret = gnutls_certificate_set_x509_key (res, chain, chain_size, key);
2036 if (ret < 0)
2037 {
2038 gnutls_assert ();
2039 goto done;
2040 }
2041 }
2042 else
2043 {
2044 gnutls_assert();
2045 ret = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
2046 goto done;
2047 }
2048
2049 if (crl)
2050 {
2051 ret = gnutls_certificate_set_x509_crl (res, &crl, 1);
2052 if (ret < 0)
2053 {
2054 gnutls_assert ();
2055 goto done;
2056 }
2057 }
2058
2059 ret = 0;
2060
2061 done:
2062 if (chain)
2063 {
2064 for (i=0;i<chain_size;i++)
2065 gnutls_x509_crt_deinit (chain[i]);
2066 gnutls_free(chain);
2067 }
2068 if (key)
2069 gnutls_x509_privkey_deinit (key);
2070 if (crl)
2071 gnutls_x509_crl_deinit (crl);
2072
2073 return ret;
2074 }
2075
2076
2077
2078 /**
2079 * gnutls_certificate_free_crls:
2080 * @sc: is a #gnutls_certificate_credentials_t structure.
2081 *
2082 * This function will delete all the CRLs associated
2083 * with the given credentials.
2084 **/
2085 void
2086 gnutls_certificate_free_crls (gnutls_certificate_credentials_t sc)
2087 {
2088 /* do nothing for now */
2089 return;
2090 }
2091
2092 /**
2093 * gnutls_certificate_credentials_t:
2094 * @cred: is a #gnutls_certificate_credentials_t structure.
2095 * @fn: A PIN callback
2096 * @userdata: Data to be passed in the callback
2097 *
2098 * This function will set a callback function to be used when
2099 * required to access a protected object. This function overrides any other
2100 * global PIN functions.
2101 *
2102 * Note that this function must be called right after initialization
2103 * to have effect.
2104 *
2105 * Since: 3.1.0
2106 **/
2107 void gnutls_certificate_set_pin_function (gnutls_certificate_credentials_t cred,
2108 gnutls_pin_callback_t fn, void *userdata)
2109 {
2110 cred->pin.cb = fn;
2111 cred->pin.data = userdata;
2112 }
Implementation of the SSL/TLS protocol