search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
updated doc
[gnutls.git] / lib / x509 / verify-high2.c
blob02ab4787337cb0b6d014ecfdf1b4f04aec271216
1 /*
2 * Copyright (C) 2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 #include <gnutls_int.h>
24 #include <gnutls_errors.h>
25 #include <libtasn1.h>
26 #include <gnutls_global.h>
27 #include <gnutls_num.h>
28 #include <gnutls_sig.h>
29 #include <gnutls_str.h>
30 #include <gnutls_datum.h>
31 #include "x509_int.h"
32 #include <common.h>
33 #include "verify-high.h"
34 #include "read-file.h"
35
36 /* Convenience functions for verify-high functionality
37 */
38
39 /**
40 * gnutls_x509_trust_list_add_trust_mem:
41 * @list: The structure of the list
42 * @cas: A buffer containing a list of CAs (optional)
43 * @crls: A buffer containing a list of CRLs (optional)
44 * @type: The format of the certificates
45 * @tl_flags: GNUTLS_TL_*
46 * @tl_vflags: gnutls_certificate_verify_flags if flags specifies GNUTLS_TL_VERIFY_CRL
47 *
48 * This function will add the given certificate authorities
49 * to the trusted list.
50 *
51 * Returns: The number of added elements is returned.
52 *
53 * Since: 3.1
54 **/
55 int
56 gnutls_x509_trust_list_add_trust_mem(gnutls_x509_trust_list_t list,
57 const gnutls_datum_t * cas,
58 const gnutls_datum_t * crls,
59 gnutls_x509_crt_fmt_t type,
60 unsigned int tl_flags,
61 unsigned int tl_vflags)
62 {
63 int ret;
64 gnutls_x509_crt_t *x509_ca_list = NULL;
65 gnutls_x509_crl_t *x509_crl_list = NULL;
66 unsigned int x509_ncas, x509_ncrls;
67 unsigned int r = 0;
68
69 if (cas != NULL && cas->data != NULL)
70 {
71 ret = gnutls_x509_crt_list_import2( &x509_ca_list, &x509_ncas, cas, type, 0);
72 if (ret < 0)
73 return gnutls_assert_val(ret);
74
75 ret = gnutls_x509_trust_list_add_cas(list, x509_ca_list, x509_ncas, tl_flags);
76 gnutls_free(x509_ca_list);
77
78 if (ret < 0)
79 return gnutls_assert_val(ret);
80 else
81 r += ret;
82 }
83
84 if (crls != NULL && crls->data != NULL)
85 {
86 ret = gnutls_x509_crl_list_import2( &x509_crl_list, &x509_ncrls, crls, type, 0);
87 if (ret < 0)
88 return gnutls_assert_val(ret);
89
90 ret = gnutls_x509_trust_list_add_crls(list, x509_crl_list, x509_ncrls, tl_flags, tl_vflags);
91 gnutls_free(x509_crl_list);
92
93 if (ret < 0)
94 return gnutls_assert_val(ret);
95 else
96 r += ret;
97 }
98
99 return r;
100 }
101
102 #ifdef ENABLE_PKCS11
103 static
104 int import_pkcs11_url(gnutls_x509_trust_list_t list, const char* ca_file, unsigned int flags)
105 {
106 gnutls_x509_crt_t *xcrt_list = NULL;
107 gnutls_pkcs11_obj_t *pcrt_list = NULL;
108 unsigned int pcrt_list_size = 0, i;
109 int ret;
110
111 ret = gnutls_pkcs11_obj_list_import_url2(&pcrt_list, &pcrt_list_size, ca_file,
112 GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED, 0);
113 if (ret < 0)
114 return gnutls_assert_val(ret);
115
116 if (pcrt_list_size == 0)
117 {
118 ret = 0;
119 goto cleanup;
120 }
121
122 xcrt_list = gnutls_malloc(sizeof(gnutls_x509_crt_t)*pcrt_list_size);
123 if (xcrt_list == NULL)
124 {
125 ret = GNUTLS_E_MEMORY_ERROR;
126 goto cleanup;
127 }
128
129 ret = gnutls_x509_crt_list_import_pkcs11( xcrt_list, pcrt_list_size, pcrt_list, 0);
130 if (ret < 0)
131 {
132 gnutls_assert();
133 goto cleanup;
134 }
135
136 ret = gnutls_x509_trust_list_add_cas(list, xcrt_list, pcrt_list_size, flags);
137
138 cleanup:
139 for (i=0;i<pcrt_list_size;i++)
140 gnutls_pkcs11_obj_deinit(pcrt_list[i]);
141 gnutls_free(pcrt_list);
142 gnutls_free(xcrt_list);
143
144 return ret;
145 }
146
147 #endif
148
149
150 /**
151 * gnutls_x509_trust_list_add_trust_file:
152 * @list: The structure of the list
153 * @ca_file: A file containing a list of CAs (optional)
154 * @crl_file: A file containing a list of CRLs (optional)
155 * @type: The format of the certificates
156 * @tl_flags: GNUTLS_TL_*
157 * @tl_vflags: gnutls_certificate_verify_flags if flags specifies GNUTLS_TL_VERIFY_CRL
158 *
159 * This function will add the given certificate authorities
160 * to the trusted list. pkcs11 URLs are also accepted, instead
161 * of files, by this function.
162 *
163 * Returns: The number of added elements is returned.
164 *
165 * Since: 3.1
166 **/
167 int
168 gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t list,
169 const char* ca_file,
170 const char* crl_file,
171 gnutls_x509_crt_fmt_t type,
172 unsigned int tl_flags,
173 unsigned int tl_vflags)
174 {
175 gnutls_datum_t cas = { NULL, 0 };
176 gnutls_datum_t crls = { NULL, 0 };
177 size_t size;
178 int ret;
179
180 #ifdef ENABLE_PKCS11
181 if (strncmp (ca_file, "pkcs11:", 7) == 0)
182 {
183 ret = import_pkcs11_url(list, ca_file, tl_flags);
184 if (ret < 0)
185 return gnutls_assert_val(ret);
186 }
187 else
188 #endif
189 {
190 cas.data = (void*)read_binary_file (ca_file, &size);
191 if (cas.data == NULL)
192 {
193 gnutls_assert ();
194 return GNUTLS_E_FILE_ERROR;
195 }
196 cas.size = size;
197 }
198
199 if (crl_file)
200 {
201 crls.data = (void*)read_binary_file (crl_file, &size);
202 if (crls.data == NULL)
203 {
204 gnutls_assert ();
205 return GNUTLS_E_FILE_ERROR;
206 }
207 crls.size = size;
208 }
209
210 ret = gnutls_x509_trust_list_add_trust_mem(list, &cas, &crls, type, tl_flags, tl_vflags);
211 free(crls.data);
212 free(cas.data);
213
214 return ret;
215 }
216
Implementation of the SSL/TLS protocol