/*
* Copyright (C) 2002-2012 Free Software Foundation, Inc.
* Copyright (C) 2016-2019 Red Hat, Inc.
*
* Author: Nikos Mavrogiannopoulos
*
* This file is part of GnuTLS.
*
* The GnuTLS is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public License
* as published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>
*
*/
#ifndef GNUTLS_LIB_AUTH_CERT_H
#define GNUTLS_LIB_AUTH_CERT_H
#include "auth.h"
#include <auth/dh_common.h>
#include <x509/x509_int.h>
#include <gnutls/abstract.h>
#include <gnutls/compat.h>
#include <str_array.h>
#include "abstract_int.h"
/* Upper bound on the number of OCSP responses kept per certificate
 * chain; it sizes the ocsp_data[] array in certs_st below, so the
 * matching ocsp_data_length counter must never exceed it. */
#define MAX_OCSP_RESPONSES 8
/* We use the structure below to hold a certificate chain
 * with corresponding public/private key pair. This structure will
 * also be used when raw public keys are used. The cert_list will
 * then not hold the cert chain but only a raw public-key. In that case
 * the list length is always 1.
 */
typedef struct {
	gnutls_pcert_st *cert_list;	/* a certificate chain */
	unsigned int cert_list_length;	/* its length (number of entries in cert_list) */
	gnutls_str_array_t names;	/* the names in the first certificate */

	/* Per-chain OCSP status-request callback and its opaque argument;
	 * the credentials structure also carries a global pair
	 * (glob_ocsp_func / glob_ocsp_func_ptr). */
	gnutls_status_request_ocsp_func ocsp_func;
	void *ocsp_func_ptr;	/* corresponding OCSP response function + ptr */

	/* Pre-loaded OCSP responses for this chain; ocsp_data_length is the
	 * number of entries in use and must stay <= MAX_OCSP_RESPONSES. */
	gnutls_ocsp_data_st ocsp_data[MAX_OCSP_RESPONSES];
	unsigned int ocsp_data_length;

	/* the private key corresponding to certificate */
	gnutls_privkey_t pkey;
} certs_st;
/* This structure may be complex, but it's the only way to
 * support a server that has multiple certificates
 */
typedef struct gnutls_certificate_credentials_st {
	gnutls_dh_params_t dh_params;
	unsigned deinit_dh_params;	/* if the internal values are set */
	gnutls_sec_param_t dh_sec_param;	/* used in RFC7919 negotiation */

	/* this callback is used to retrieve the DH or RSA
	 * parameters.
	 */
	gnutls_params_function *params_func;

	/* The certificate chains (with their keys) these credentials
	 * can present; ncerts entries. */
	certs_st *certs;
	unsigned ncerts;	/* the number of certs */

	/* contains sorted index values for certs. Sorted in a way
	 * that RSA-PSS keys always take precedence over plain RSA keys
	 * to ensure that we use only RSA-PSS keys if present for RSA-PSS
	 * operations. We keep indexes to certs structures above.
	 * (presumably ncerts entries — confirm against the code that fills it)
	 */
	unsigned int *sorted_cert_idx;

	/* X509 specific stuff */
	gnutls_x509_trust_list_t tlist;	/* trust anchors used to verify peer chains */
	unsigned flags;		/* gnutls_certificate_flags */
	unsigned int verify_flags;	/* flags to be used at
					 * certificate verification.
					 */
	/* Limits applied during verification; the exact meaning of
	 * depth/bits is defined by the verification code, not here. */
	unsigned int verify_depth;
	unsigned int verify_bits;

	/* It's a mess here. However we need to keep the old 3 functions
	 * for compatibility */
	gnutls_certificate_retrieve_function *legacy_cert_cb1;	/* deprecated */
	gnutls_certificate_retrieve_function2 *legacy_cert_cb2;
	gnutls_certificate_retrieve_function3 *get_cert_callback3;

	/* Application hook consulted when the peer's certificate is verified. */
	gnutls_certificate_verify_function *verify_callback;

	struct pin_info_st pin;
	/* temporarily hold the PIN if set_key_file2() is used with a PIN.
	 * NOTE(review): this is secret material living in a long-lived
	 * structure; confirm the deinit path wipes it with a
	 * non-elidable zeroing helper rather than plain memset. */
	char pin_tmp[GNUTLS_PKCS11_MAX_PIN_LEN];

	/* OCSP */
	gnutls_status_request_ocsp_func glob_ocsp_func;
	void *glob_ocsp_func_ptr;	/* corresponding OCSP response function */

	/* This is only used by server to indicate whether this
	 * credentials can be used for signing in TLS 1.3. */
	bool tls13_ok;
} certificate_credentials_st;
/* This is the information we keep for the peer
 * certificate.
 */
typedef struct cert_auth_info_st {
	/* These (dh/rsa) are just copies from the credentials_t structure.
	 * They must be freed.
	 */
	dh_info_st dh;

	/* we store the peer's OCSP responses received during
	 * this session. nocsp entries; peer-supplied, so the contents
	 * are untrusted until validated. */
	gnutls_datum_t *raw_ocsp_list;
	unsigned int nocsp;

	/* we store the peer's certificates received during
	 * this session. ncerts entries; peer-supplied, so the chain is
	 * untrusted until it has been verified against tlist. */
	gnutls_datum_t *raw_certificate_list;
	unsigned int ncerts;

	/* Which certificate type the entries above are encoded as. */
	gnutls_certificate_type_t cert_type;
} *cert_auth_info_t;
typedef struct cert_auth_info_st cert_auth_info_st;

/* AUTH X509 functions */

/* Handshake message builders: the gen_* functions append the outgoing
 * message to the supplied gnutls_buffer_st. */
int _gnutls_gen_cert_server_crt(gnutls_session_t, gnutls_buffer_st *);
int _gnutls_gen_cert_client_crt(gnutls_session_t, gnutls_buffer_st *);
int _gnutls_gen_cert_client_crt_vrfy(gnutls_session_t, gnutls_buffer_st *);
int _gnutls_gen_cert_server_cert_req(gnutls_session_t, gnutls_buffer_st *);

/* Handshake message parsers: the proc_* functions receive the raw
 * message bytes from the peer together with their length, so every
 * read inside them has to be bounded by that size argument. */
int _gnutls_proc_cert_cert_req(gnutls_session_t, uint8_t *, size_t);
int _gnutls_proc_cert_client_crt_vrfy(gnutls_session_t, uint8_t *, size_t);
int _gnutls_proc_crt(gnutls_session_t, uint8_t *, size_t);

/* Hands back (through the output pointers) the certificate chain, its
 * length and the private key currently selected for this session. */
int _gnutls_get_selected_cert(gnutls_session_t session,
			      gnutls_pcert_st ** apr_cert_list,
			      int *apr_cert_list_length,
			      gnutls_privkey_t * apr_pkey);

/* Client-side certificate selection; _data/_data_size carry the
 * server's request and pk_algos the acceptable key algorithms. */
int
_gnutls_select_client_cert(gnutls_session_t session,
			   const uint8_t * _data, size_t _data_size,
			   gnutls_pk_algorithm_t * pk_algos, int pk_algos_length);

/* Copies ncerts entries of certs into the peer auth info. */
int _gnutls_pcert_to_auth_info(cert_auth_info_t info, gnutls_pcert_st * certs, size_t ncerts);

/* Server-side certificate selection for the given cipher suite entry. */
int
_gnutls_select_server_cert(gnutls_session_t session, const gnutls_cipher_suite_entry_st *cs);
/* Releases whatever the select_* functions attached to the session. */
void _gnutls_selected_certs_deinit(gnutls_session_t session);

int _gnutls_get_auth_info_pcert(gnutls_pcert_st * gcert,
				gnutls_certificate_type_t type,
				cert_auth_info_t info);

/* Lists the key-exchange algorithms the selected certificate supports;
 * alg_size is presumably in/out (capacity in, count out) — confirm
 * against the implementation. */
int _gnutls_selected_cert_supported_kx(struct gnutls_session_int *session,
				       gnutls_kx_algorithm_t * alg,
				       int *alg_size);

/* Consistency check that each private key in res matches its certificate. */
int _gnutls_check_key_cert_match(gnutls_certificate_credentials_t res);

/* Signature over the DHE parameters: gen_* produces it from plain /
 * plain_size, proc_* verifies the received one against vparams. */
int _gnutls_gen_dhe_signature(gnutls_session_t session,
			      gnutls_buffer_st * data, uint8_t * plain,
			      unsigned plain_size);
int _gnutls_proc_dhe_signature(gnutls_session_t session, uint8_t * data,
			       size_t _data_size,
			       gnutls_datum_t * vparams);

/* Raw public-key (RFC 7250) counterparts of the certificate
 * builder/parser above. */
int _gnutls_gen_rawpk_crt(gnutls_session_t session, gnutls_buffer_st* data);
int _gnutls_proc_rawpk_crt(gnutls_session_t session,
			   uint8_t * data, size_t data_size);
/* Key-usage bits the handshake must honour for @pubkey.
 *
 * Returns pubkey->key_usage, or 0 when the session's priorities carry
 * allow_server_key_usage_violation, i.e. the application explicitly
 * asked to ignore the certificate's key-usage restrictions.  Callers
 * presumably treat 0 as "no restriction"; this is a deliberate policy
 * override, not a validation result, so it should never be widened
 * beyond that flag. */
inline static unsigned get_key_usage(gnutls_session_t session, gnutls_pubkey_t pubkey)
{
	const int violation_allowed =
	    session->internals.priorities &&
	    session->internals.priorities->allow_server_key_usage_violation;

	if (unlikely(violation_allowed))
		return 0;

	return pubkey->key_usage;
}
#endif /* GNUTLS_LIB_AUTH_CERT_H */