|
Packit Service |
4684c1 |
/*
|
|
Packit Service |
4684c1 |
* Copyright (C) 2001-2016 Free Software Foundation, Inc.
|
|
Packit Service |
4684c1 |
* Copyright (C) 2015-2017 Red Hat, Inc.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Author: Nikos Mavrogiannopoulos
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This file is part of GnuTLS.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* The GnuTLS is free software; you can redistribute it and/or
|
|
Packit Service |
4684c1 |
* modify it under the terms of the GNU Lesser General Public License
|
|
Packit Service |
4684c1 |
* as published by the Free Software Foundation; either version 2.1 of
|
|
Packit Service |
4684c1 |
* the License, or (at your option) any later version.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This library is distributed in the hope that it will be useful, but
|
|
Packit Service |
4684c1 |
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
Packit Service |
4684c1 |
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Packit Service |
4684c1 |
* Lesser General Public License for more details.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* You should have received a copy of the GNU Lesser General Public License
|
|
Packit Service |
4684c1 |
* along with this program. If not, see <https://www.gnu.org/licenses/>
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Some of the stuff needed for Certificate authentication is contained
|
|
Packit Service |
4684c1 |
* in this file.
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#include "gnutls_int.h"
|
|
Packit Service |
4684c1 |
#include "errors.h"
|
|
Packit Service |
4684c1 |
#include <auth/cert.h>
|
|
Packit Service |
4684c1 |
#include <datum.h>
|
|
Packit Service |
4684c1 |
#include <mpi.h>
|
|
Packit Service |
4684c1 |
#include <global.h>
|
|
Packit Service |
4684c1 |
#include <algorithms.h>
|
|
Packit Service |
4684c1 |
#include <dh.h>
|
|
Packit Service |
4684c1 |
#include "str.h"
|
|
Packit Service |
4684c1 |
#include <state.h>
|
|
Packit Service |
4684c1 |
#include <auth.h>
|
|
Packit Service |
4684c1 |
#include <x509.h>
|
|
Packit Service |
4684c1 |
#include <str_array.h>
|
|
Packit Service |
4684c1 |
#include <x509/verify-high.h>
|
|
Packit Service |
4684c1 |
#include "x509/x509_int.h"
|
|
Packit Service |
4684c1 |
#include "x509/common.h"
|
|
Packit Service |
4684c1 |
#include "dh.h"
|
|
Packit Service |
4684c1 |
#include "cert-cred.h"
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/*
|
|
Packit Service |
4684c1 |
* Adds a public/private key pair to a certificate credential
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
_gnutls_certificate_credential_append_keypair(gnutls_certificate_credentials_t res,
|
|
Packit Service |
4684c1 |
gnutls_privkey_t key,
|
|
Packit Service |
4684c1 |
gnutls_str_array_t names,
|
|
Packit Service |
4684c1 |
gnutls_pcert_st * crt,
|
|
Packit Service |
4684c1 |
int nr)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
res->sorted_cert_idx = gnutls_realloc_fast(res->sorted_cert_idx,
|
|
Packit Service |
4684c1 |
(1 + res->ncerts) *
|
|
Packit Service |
4684c1 |
sizeof(unsigned int));
|
|
Packit Service |
4684c1 |
if (res->sorted_cert_idx == NULL)
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
res->certs = gnutls_realloc_fast(res->certs,
|
|
Packit Service |
4684c1 |
(1 + res->ncerts) *
|
|
Packit Service |
4684c1 |
sizeof(certs_st));
|
|
Packit Service |
4684c1 |
if (res->certs == NULL)
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
memset(&res->certs[res->ncerts], 0, sizeof(res->certs[0]));
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
res->certs[res->ncerts].cert_list = crt;
|
|
Packit Service |
4684c1 |
res->certs[res->ncerts].cert_list_length = nr;
|
|
Packit Service |
4684c1 |
res->certs[res->ncerts].names = names;
|
|
Packit Service |
4684c1 |
res->certs[res->ncerts].pkey = key;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (_gnutls13_sign_get_compatible_with_privkey(key))
|
|
Packit Service |
4684c1 |
res->tls13_ok = 1;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* move RSA-PSS certificates before any RSA key.
|
|
Packit Service |
4684c1 |
* Note that we cannot assume that any previous pointers
|
|
Packit Service |
4684c1 |
* to sorted list are ok, due to the realloc in res->certs. */
|
|
Packit Service |
4684c1 |
if (crt->pubkey->params.algo == GNUTLS_PK_RSA_PSS) {
|
|
Packit Service |
4684c1 |
unsigned i,ridx;
|
|
Packit Service |
4684c1 |
unsigned tmp;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
for (i=0;i<res->ncerts;i++) {
|
|
Packit Service |
4684c1 |
ridx = res->sorted_cert_idx[i];
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (res->certs[ridx].cert_list->pubkey->params.algo == GNUTLS_PK_RSA) {
|
|
Packit Service |
4684c1 |
tmp = ridx;
|
|
Packit Service |
4684c1 |
res->sorted_cert_idx[i] = res->ncerts;
|
|
Packit Service |
4684c1 |
res->sorted_cert_idx[res->ncerts] = tmp;
|
|
Packit Service |
4684c1 |
goto finish;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* otherwise append it normally on the end */
|
|
Packit Service |
4684c1 |
res->sorted_cert_idx[res->ncerts] = res->ncerts;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
finish:
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_certificate_set_key:
|
|
Packit Service |
4684c1 |
* @res: is a #gnutls_certificate_credentials_t type.
|
|
Packit Service |
4684c1 |
* @names: is an array of DNS names belonging to the public-key (NULL if none)
|
|
Packit Service |
4684c1 |
* @names_size: holds the size of the names list
|
|
Packit Service |
4684c1 |
* @pcert_list: contains a certificate list (chain) or raw public-key
|
|
Packit Service |
4684c1 |
* @pcert_list_size: holds the size of the certificate list
|
|
Packit Service |
4684c1 |
* @key: is a #gnutls_privkey_t key corresponding to the first public-key in pcert_list
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function sets a public/private key pair in the
|
|
Packit Service |
4684c1 |
* gnutls_certificate_credentials_t type. The given public key may be encapsulated
|
|
Packit Service |
4684c1 |
* in a certificate or can be given as a raw key. This function may be
|
|
Packit Service |
4684c1 |
* called more than once, in case multiple key pairs exist for
|
|
Packit Service |
4684c1 |
* the server. For clients that want to send more than their own end-
|
|
Packit Service |
4684c1 |
* entity certificate (e.g., also an intermediate CA cert), the full
|
|
Packit Service |
4684c1 |
* certificate chain must be provided in @pcert_list.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Note that the @key will become part of the credentials structure and must
|
|
Packit Service |
4684c1 |
* not be deallocated. It will be automatically deallocated when the @res structure
|
|
Packit Service |
4684c1 |
* is deinitialized.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* If this function fails, the @res structure is at an undefined state and it must
|
|
Packit Service |
4684c1 |
* not be reused to load other keys or certificates.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Note that, this function by default returns zero on success and a negative value on error.
|
|
Packit Service |
4684c1 |
* Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set using gnutls_certificate_set_flags()
|
|
Packit Service |
4684c1 |
* it returns an index (greater or equal to zero). That index can be used for other functions to refer to the added key-pair.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since GnuTLS 3.6.6 this function also handles raw public keys.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior).
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since: 3.0
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
gnutls_certificate_set_key(gnutls_certificate_credentials_t res,
|
|
Packit Service |
4684c1 |
const char **names,
|
|
Packit Service |
4684c1 |
int names_size,
|
|
Packit Service |
4684c1 |
gnutls_pcert_st * pcert_list,
|
|
Packit Service |
4684c1 |
int pcert_list_size,
|
|
Packit Service |
4684c1 |
gnutls_privkey_t key)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
int ret, i;
|
|
Packit Service |
4684c1 |
gnutls_str_array_t str_names;
|
|
Packit Service |
4684c1 |
gnutls_pcert_st *new_pcert_list;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Sanity checks */
|
|
Packit Service |
4684c1 |
// Check for a valid credential struct
|
|
Packit Service |
4684c1 |
if (res == NULL) {
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
// A complete key pair must be given
|
|
Packit Service |
4684c1 |
if (pcert_list == NULL || key == NULL) {
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Process the names, if any */
|
|
Packit Service |
4684c1 |
_gnutls_str_array_init(&str_names);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (names != NULL && names_size > 0) {
|
|
Packit Service |
4684c1 |
for (i = 0; i < names_size; i++) {
|
|
Packit Service |
4684c1 |
ret =
|
|
Packit Service |
4684c1 |
_gnutls_str_array_append_idna(&str_names, names[i],
|
|
Packit Service |
4684c1 |
strlen(names[i]));
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
ret = gnutls_assert_val(ret);
|
|
Packit Service |
4684c1 |
goto cleanup;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
} else if (names == NULL && pcert_list[0].type == GNUTLS_CRT_X509) {
|
|
Packit Service |
4684c1 |
gnutls_x509_crt_t crt;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = gnutls_x509_crt_init(&crt;;
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
goto cleanup;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = gnutls_x509_crt_import(crt, &pcert_list[0].cert, GNUTLS_X509_FMT_DER);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
gnutls_x509_crt_deinit(crt);
|
|
Packit Service |
4684c1 |
goto cleanup;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = _gnutls_get_x509_name(crt, &str_names);
|
|
Packit Service |
4684c1 |
gnutls_x509_crt_deinit(crt);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
goto cleanup;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (res->pin.cb)
|
|
Packit Service |
4684c1 |
gnutls_privkey_set_pin_function(key, res->pin.cb,
|
|
Packit Service |
4684c1 |
res->pin.data);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
new_pcert_list = gnutls_malloc(sizeof(gnutls_pcert_st) * pcert_list_size);
|
|
Packit Service |
4684c1 |
if (new_pcert_list == NULL) {
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
memcpy(new_pcert_list, pcert_list, sizeof(gnutls_pcert_st) * pcert_list_size);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret =
|
|
Packit Service |
4684c1 |
_gnutls_certificate_credential_append_keypair(res, key, str_names,
|
|
Packit Service |
4684c1 |
new_pcert_list,
|
|
Packit Service |
4684c1 |
pcert_list_size);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
gnutls_free(new_pcert_list);
|
|
Packit Service |
4684c1 |
goto cleanup;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
res->ncerts++;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Unlike gnutls_certificate_set_x509_key, we deinitialize everything
|
|
Packit Service |
4684c1 |
* local after a failure. That is because the caller is responsible for
|
|
Packit Service |
4684c1 |
* freeing these values after a failure, and if we keep references we
|
|
Packit Service |
4684c1 |
* lead to double freeing */
|
|
Packit Service |
4684c1 |
if ((ret = _gnutls_check_key_cert_match(res)) < 0) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
gnutls_free(new_pcert_list);
|
|
Packit Service |
4684c1 |
res->ncerts--;
|
|
Packit Service |
4684c1 |
goto cleanup;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
CRED_RET_SUCCESS(res);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
cleanup:
|
|
Packit Service |
4684c1 |
_gnutls_str_array_clear(&str_names);
|
|
Packit Service |
4684c1 |
return ret;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_certificate_free_keys:
|
|
Packit Service |
4684c1 |
* @sc: is a #gnutls_certificate_credentials_t type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function will delete all the keys and the certificates associated
|
|
Packit Service |
4684c1 |
* with the given credentials. This function must not be called when a
|
|
Packit Service |
4684c1 |
* TLS negotiation that uses the credentials is in progress.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
void gnutls_certificate_free_keys(gnutls_certificate_credentials_t sc)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
unsigned i, j;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
for (i = 0; i < sc->ncerts; i++) {
|
|
Packit Service |
4684c1 |
for (j = 0; j < sc->certs[i].cert_list_length; j++) {
|
|
Packit Service |
4684c1 |
gnutls_pcert_deinit(&sc->certs[i].cert_list[j]);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
gnutls_free(sc->certs[i].cert_list);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
for (j = 0; j < sc->certs[i].ocsp_data_length; j++) {
|
|
Packit Service |
4684c1 |
gnutls_free(sc->certs[i].ocsp_data[j].response.data);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
_gnutls_str_array_clear(&sc->certs[i].names);
|
|
Packit Service |
4684c1 |
gnutls_privkey_deinit(sc->certs[i].pkey);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
gnutls_free(sc->certs);
|
|
Packit Service |
4684c1 |
gnutls_free(sc->sorted_cert_idx);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
sc->ncerts = 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_certificate_free_cas:
|
|
Packit Service |
4684c1 |
* @sc: is a #gnutls_certificate_credentials_t type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function was operational on very early versions of gnutls.
|
|
Packit Service |
4684c1 |
* Due to internal refactorings and the fact that this was hardly ever
|
|
Packit Service |
4684c1 |
* used, it is currently a no-op.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
void gnutls_certificate_free_cas(gnutls_certificate_credentials_t sc)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
return;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_certificate_get_issuer:
|
|
Packit Service |
4684c1 |
* @sc: is a #gnutls_certificate_credentials_t type.
|
|
Packit Service |
4684c1 |
* @cert: is the certificate to find issuer for
|
|
Packit Service |
4684c1 |
* @issuer: Will hold the issuer if any. Should be treated as constant.
|
|
Packit Service |
4684c1 |
* @flags: Use zero or %GNUTLS_TL_GET_COPY
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function will return the issuer of a given certificate.
|
|
Packit Service |
4684c1 |
* If the flag %GNUTLS_TL_GET_COPY is specified a copy of the issuer
|
|
Packit Service |
4684c1 |
* will be returned which must be freed using gnutls_x509_crt_deinit().
|
|
Packit Service |
4684c1 |
* In that case the provided @issuer must not be initialized.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* As with gnutls_x509_trust_list_get_issuer() this function requires
|
|
Packit Service |
4684c1 |
* the %GNUTLS_TL_GET_COPY flag in order to operate with PKCS#11 trust
|
|
Packit Service |
4684c1 |
* lists in a thread-safe way.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
|
|
Packit Service |
4684c1 |
* negative error value.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since: 3.0
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
gnutls_certificate_get_issuer(gnutls_certificate_credentials_t sc,
|
|
Packit Service |
4684c1 |
gnutls_x509_crt_t cert,
|
|
Packit Service |
4684c1 |
gnutls_x509_crt_t * issuer,
|
|
Packit Service |
4684c1 |
unsigned int flags)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
return gnutls_x509_trust_list_get_issuer(sc->tlist, cert, issuer,
|
|
Packit Service |
4684c1 |
flags);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_certificate_get_crt_raw:
|
|
Packit Service |
4684c1 |
* @sc: is a #gnutls_certificate_credentials_t type.
|
|
Packit Service |
4684c1 |
* @idx1: the index of the certificate chain if multiple are present
|
|
Packit Service |
4684c1 |
* @idx2: the index of the certificate in the chain. Zero gives the server's certificate.
|
|
Packit Service |
4684c1 |
* @cert: Will hold the DER encoded certificate.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function will return the DER encoded certificate of the
|
|
Packit Service |
4684c1 |
* server or any other certificate on its certificate chain (based on @idx2).
|
|
Packit Service |
4684c1 |
* The returned data should be treated as constant and only accessible during the lifetime
|
|
Packit Service |
4684c1 |
* of @sc. The @idx1 matches the value gnutls_certificate_set_x509_key() and friends
|
|
Packit Service |
4684c1 |
* functions.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
|
|
Packit Service |
4684c1 |
* negative error value. In case the indexes are out of bounds %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
|
|
Packit Service |
4684c1 |
* is returned.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since: 3.2.5
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
gnutls_certificate_get_crt_raw(gnutls_certificate_credentials_t sc,
|
|
Packit Service |
4684c1 |
unsigned idx1,
|
|
Packit Service |
4684c1 |
unsigned idx2, gnutls_datum_t * cert)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (idx1 >= sc->ncerts)
|
|
Packit Service |
4684c1 |
return
|
|
Packit Service |
4684c1 |
gnutls_assert_val
|
|
Packit Service |
4684c1 |
(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (idx2 >= sc->certs[idx1].cert_list_length)
|
|
Packit Service |
4684c1 |
return
|
|
Packit Service |
4684c1 |
gnutls_assert_val
|
|
Packit Service |
4684c1 |
(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
cert->data = sc->certs[idx1].cert_list[idx2].cert.data;
|
|
Packit Service |
4684c1 |
cert->size = sc->certs[idx1].cert_list[idx2].cert.size;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_certificate_free_ca_names:
|
|
Packit Service |
4684c1 |
* @sc: is a #gnutls_certificate_credentials_t type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function will delete all the CA name in the given
|
|
Packit Service |
4684c1 |
* credentials. Clients may call this to save some memory since in
|
|
Packit Service |
4684c1 |
* client side the CA names are not used. Servers might want to use
|
|
Packit Service |
4684c1 |
* this function if a large list of trusted CAs is present and
|
|
Packit Service |
4684c1 |
* sending the names of it would just consume bandwidth without providing
|
|
Packit Service |
4684c1 |
* information to client.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* CA names are used by servers to advertise the CAs they support to
|
|
Packit Service |
4684c1 |
* clients.
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
void gnutls_certificate_free_ca_names(gnutls_certificate_credentials_t sc)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
_gnutls_free_datum(&sc->tlist->x509_rdn_sequence);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_certificate_free_credentials:
|
|
Packit Service |
4684c1 |
* @sc: is a #gnutls_certificate_credentials_t type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Free a gnutls_certificate_credentials_t structure.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function does not free any temporary parameters associated
|
|
Packit Service |
4684c1 |
* with this structure (ie RSA and DH parameters are not freed by this
|
|
Packit Service |
4684c1 |
* function).
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
void
|
|
Packit Service |
4684c1 |
gnutls_certificate_free_credentials(gnutls_certificate_credentials_t sc)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
// Check for valid pointer and otherwise do nothing
|
|
Packit Service |
4684c1 |
if (sc == NULL)
|
|
Packit Service |
4684c1 |
return;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
gnutls_x509_trust_list_deinit(sc->tlist, 1);
|
|
Packit Service |
4684c1 |
gnutls_certificate_free_keys(sc);
|
|
Packit Service |
4684c1 |
memset(sc->pin_tmp, 0, sizeof(sc->pin_tmp));
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (sc->deinit_dh_params) {
|
|
Packit Service |
4684c1 |
gnutls_dh_params_deinit(sc->dh_params);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
gnutls_free(sc);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_certificate_allocate_credentials:
|
|
Packit Service |
4684c1 |
* @res: is a pointer to a #gnutls_certificate_credentials_t type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Allocate a gnutls_certificate_credentials_t structure.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: %GNUTLS_E_SUCCESS on success, or an error code.
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
gnutls_certificate_allocate_credentials(gnutls_certificate_credentials_t *
|
|
Packit Service |
4684c1 |
res)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
int ret;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
*res = gnutls_calloc(1, sizeof(certificate_credentials_st));
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (*res == NULL)
|
|
Packit Service |
4684c1 |
return GNUTLS_E_MEMORY_ERROR;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = gnutls_x509_trust_list_init(&(*res)->tlist, 0);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
gnutls_free(*res);
|
|
Packit Service |
4684c1 |
return GNUTLS_E_MEMORY_ERROR;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
(*res)->verify_bits = DEFAULT_MAX_VERIFY_BITS;
|
|
Packit Service |
4684c1 |
(*res)->verify_depth = DEFAULT_MAX_VERIFY_DEPTH;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* converts the given x509 certificate list to gnutls_pcert_st* and allocates
|
|
Packit Service |
4684c1 |
* space for them.
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
static gnutls_pcert_st *alloc_and_load_x509_certs(gnutls_x509_crt_t *
|
|
Packit Service |
4684c1 |
certs, unsigned ncerts)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
gnutls_pcert_st *local_certs;
|
|
Packit Service |
4684c1 |
int ret = 0;
|
|
Packit Service |
4684c1 |
unsigned i, j;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (certs == NULL)
|
|
Packit Service |
4684c1 |
return NULL;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
local_certs = gnutls_malloc(sizeof(gnutls_pcert_st) * ncerts);
|
|
Packit Service |
4684c1 |
if (local_certs == NULL) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
return NULL;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
for (i = 0; i < ncerts; i++) {
|
|
Packit Service |
4684c1 |
ret = gnutls_pcert_import_x509(&local_certs[i], certs[i], 0);
|
|
Packit Service |
4684c1 |
if (ret < 0)
|
|
Packit Service |
4684c1 |
break;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
for (j = 0; j < i; j++) {
|
|
Packit Service |
4684c1 |
gnutls_pcert_deinit(&local_certs[j]);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
gnutls_free(local_certs);
|
|
Packit Service |
4684c1 |
return NULL;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return local_certs;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* converts the given x509 key to gnutls_privkey* and allocates
|
|
Packit Service |
4684c1 |
* space for it.
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
static gnutls_privkey_t
|
|
Packit Service |
4684c1 |
alloc_and_load_x509_key(gnutls_x509_privkey_t key, int deinit)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
gnutls_privkey_t local_key;
|
|
Packit Service |
4684c1 |
int ret = 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (key == NULL)
|
|
Packit Service |
4684c1 |
return NULL;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = gnutls_privkey_init(&local_key);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
return NULL;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret =
|
|
Packit Service |
4684c1 |
gnutls_privkey_import_x509(local_key, key,
|
|
Packit Service |
4684c1 |
deinit ?
|
|
Packit Service |
4684c1 |
GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE : 0);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
gnutls_privkey_deinit(local_key);
|
|
Packit Service |
4684c1 |
return NULL;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return local_key;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#ifdef ENABLE_PKCS11
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* converts the given raw key to gnutls_privkey* and allocates
|
|
Packit Service |
4684c1 |
* space for it.
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
static gnutls_privkey_t
|
|
Packit Service |
4684c1 |
alloc_and_load_pkcs11_key(gnutls_pkcs11_privkey_t key, int deinit)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
gnutls_privkey_t local_key;
|
|
Packit Service |
4684c1 |
int ret = 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (key == NULL)
|
|
Packit Service |
4684c1 |
return NULL;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = gnutls_privkey_init(&local_key);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
return NULL;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret =
|
|
Packit Service |
4684c1 |
gnutls_privkey_import_pkcs11(local_key, key,
|
|
Packit Service |
4684c1 |
deinit ?
|
|
Packit Service |
4684c1 |
GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE
|
|
Packit Service |
4684c1 |
: 0);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
gnutls_privkey_deinit(local_key);
|
|
Packit Service |
4684c1 |
return NULL;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return local_key;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#endif
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_certificate_server_set_request:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
* @req: is one of GNUTLS_CERT_REQUEST, GNUTLS_CERT_REQUIRE, GNUTLS_CERT_IGNORE
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function specifies if we (in case of a server) are going to
|
|
Packit Service |
4684c1 |
* send a certificate request message to the client. If @req is
|
|
Packit Service |
4684c1 |
* GNUTLS_CERT_REQUIRE then the server will return the %GNUTLS_E_NO_CERTIFICATE_FOUND
|
|
Packit Service |
4684c1 |
* error if the peer does not provide a certificate. If you do not call this
|
|
Packit Service |
4684c1 |
* function then the client will not be asked to send a certificate. Invoking
|
|
Packit Service |
4684c1 |
* the function with @req GNUTLS_CERT_IGNORE has the same effect.
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
void
|
|
Packit Service |
4684c1 |
gnutls_certificate_server_set_request(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
gnutls_certificate_request_t req)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
session->internals.send_cert_req = req;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static int call_legacy_cert_cb1(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
const struct gnutls_cert_retr_st *info,
|
|
Packit Service |
4684c1 |
gnutls_pcert_st **certs,
|
|
Packit Service |
4684c1 |
unsigned int *pcert_length,
|
|
Packit Service |
4684c1 |
gnutls_ocsp_data_st **ocsp,
|
|
Packit Service |
4684c1 |
unsigned int *ocsp_length,
|
|
Packit Service |
4684c1 |
gnutls_privkey_t *privkey,
|
|
Packit Service |
4684c1 |
unsigned int *flags)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
gnutls_retr2_st st2;
|
|
Packit Service |
4684c1 |
gnutls_pcert_st *local_certs = NULL;
|
|
Packit Service |
4684c1 |
gnutls_privkey_t local_key = NULL;
|
|
Packit Service |
4684c1 |
unsigned i;
|
|
Packit Service |
4684c1 |
int ret;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
*ocsp_length = 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
memset(&st2, 0, sizeof(st2));
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = info->cred->legacy_cert_cb1(session, info->req_ca_rdn, info->nreqs,
|
|
Packit Service |
4684c1 |
info->pk_algos, info->pk_algos_length,
|
|
Packit Service |
4684c1 |
&st2;;
|
|
Packit Service |
4684c1 |
if (ret < 0)
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(ret);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (st2.ncerts == 0) {
|
|
Packit Service |
4684c1 |
*pcert_length = 0;
|
|
Packit Service |
4684c1 |
*ocsp_length = 0;
|
|
Packit Service |
4684c1 |
*privkey = NULL;
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (st2.cert_type != GNUTLS_CRT_X509) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
ret = GNUTLS_E_INVALID_REQUEST;
|
|
Packit Service |
4684c1 |
goto cleanup;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
local_certs =
|
|
Packit Service |
4684c1 |
alloc_and_load_x509_certs(st2.cert.x509, st2.ncerts);
|
|
Packit Service |
4684c1 |
if (local_certs == NULL) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
ret = GNUTLS_E_MEMORY_ERROR;
|
|
Packit Service |
4684c1 |
goto cleanup;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
switch (st2.key_type) {
|
|
Packit Service |
4684c1 |
#ifdef ENABLE_PKCS11
|
|
Packit Service |
4684c1 |
case GNUTLS_PRIVKEY_PKCS11:
|
|
Packit Service |
4684c1 |
if (st2.key.pkcs11 != NULL) {
|
|
Packit Service |
4684c1 |
local_key =
|
|
Packit Service |
4684c1 |
alloc_and_load_pkcs11_key(st2.key.pkcs11,
|
|
Packit Service |
4684c1 |
st2.deinit_all);
|
|
Packit Service |
4684c1 |
if (local_key == NULL) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
ret = GNUTLS_E_INTERNAL_ERROR;
|
|
Packit Service |
4684c1 |
goto cleanup;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
break;
|
|
Packit Service |
4684c1 |
#endif
|
|
Packit Service |
4684c1 |
case GNUTLS_PRIVKEY_X509:
|
|
Packit Service |
4684c1 |
if (st2.key.x509 != NULL) {
|
|
Packit Service |
4684c1 |
local_key =
|
|
Packit Service |
4684c1 |
alloc_and_load_x509_key(st2.key.x509,
|
|
Packit Service |
4684c1 |
st2.deinit_all);
|
|
Packit Service |
4684c1 |
if (local_key == NULL) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
ret = GNUTLS_E_INTERNAL_ERROR;
|
|
Packit Service |
4684c1 |
goto cleanup;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
break;
|
|
Packit Service |
4684c1 |
default:
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
ret = GNUTLS_E_INVALID_REQUEST;
|
|
Packit Service |
4684c1 |
goto cleanup;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
*privkey = local_key;
|
|
Packit Service |
4684c1 |
*certs = local_certs;
|
|
Packit Service |
4684c1 |
*pcert_length = st2.ncerts;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* flag the caller to deinitialize our values */
|
|
Packit Service |
4684c1 |
*flags |= GNUTLS_CERT_RETR_DEINIT_ALL;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
cleanup:
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (st2.cert_type == GNUTLS_CRT_X509) {
|
|
Packit Service |
4684c1 |
if (st2.deinit_all) {
|
|
Packit Service |
4684c1 |
for (i = 0; i < st2.ncerts; i++) {
|
|
Packit Service |
4684c1 |
gnutls_x509_crt_deinit(st2.cert.x509[i]);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
gnutls_free(st2.cert.x509);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return ret;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_certificate_set_retrieve_function:
|
|
Packit Service |
4684c1 |
* @cred: is a #gnutls_certificate_credentials_t type.
|
|
Packit Service |
4684c1 |
* @func: is the callback function
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function sets a callback to be called in order to retrieve the
|
|
Packit Service |
4684c1 |
* certificate to be used in the handshake. The callback will take control
|
|
Packit Service |
4684c1 |
* only if a certificate is requested by the peer. You are advised
|
|
Packit Service |
4684c1 |
* to use gnutls_certificate_set_retrieve_function2() because it
|
|
Packit Service |
4684c1 |
* is much more efficient in the processing it requires from gnutls.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* The callback's function prototype is:
|
|
Packit Service |
4684c1 |
* int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs,
|
|
Packit Service |
4684c1 |
* const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_retr2_st* st);
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* @req_ca_dn is only used in X.509 certificates.
|
|
Packit Service |
4684c1 |
* Contains a list with the CA names that the server considers trusted.
|
|
Packit Service |
4684c1 |
* This is a hint and typically the client should send a certificate that is signed
|
|
Packit Service |
4684c1 |
* by one of these CAs. These names, when available, are DER encoded. To get a more
|
|
Packit Service |
4684c1 |
* meaningful value use the function gnutls_x509_rdn_get().
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* @pk_algos contains a list with server's acceptable public key algorithms.
|
|
Packit Service |
4684c1 |
* The certificate returned should support the server's given algorithms.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* @st should contain the certificates and private keys.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* If the callback function is provided then gnutls will call it, in the
|
|
Packit Service |
4684c1 |
* handshake, after the certificate request message has been received.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* In server side pk_algos and req_ca_dn are NULL.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* The callback function should set the certificate list to be sent,
|
|
Packit Service |
4684c1 |
* and return 0 on success. If no certificate was selected then the
|
|
Packit Service |
4684c1 |
* number of certificates should be set to zero. The value (-1)
|
|
Packit Service |
4684c1 |
* indicates error and the handshake will be terminated. If both certificates
|
|
Packit Service |
4684c1 |
* are set in the credentials and a callback is available, the callback
|
|
Packit Service |
4684c1 |
* takes predence.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since: 3.0
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
void gnutls_certificate_set_retrieve_function
|
|
Packit Service |
4684c1 |
(gnutls_certificate_credentials_t cred,
|
|
Packit Service |
4684c1 |
gnutls_certificate_retrieve_function * func)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
cred->legacy_cert_cb1 = func;
|
|
Packit Service |
4684c1 |
if (!func)
|
|
Packit Service |
4684c1 |
cred->get_cert_callback3 = NULL;
|
|
Packit Service |
4684c1 |
else
|
|
Packit Service |
4684c1 |
cred->get_cert_callback3 = call_legacy_cert_cb1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static int call_legacy_cert_cb2(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
const struct gnutls_cert_retr_st *info,
|
|
Packit Service |
4684c1 |
gnutls_pcert_st **certs,
|
|
Packit Service |
4684c1 |
unsigned int *pcert_length,
|
|
Packit Service |
4684c1 |
gnutls_ocsp_data_st **ocsp,
|
|
Packit Service |
4684c1 |
unsigned int *ocsp_length,
|
|
Packit Service |
4684c1 |
gnutls_privkey_t *privkey,
|
|
Packit Service |
4684c1 |
unsigned int *flags)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
int ret;
|
|
Packit Service |
4684c1 |
*ocsp_length = 0;
|
|
Packit Service |
4684c1 |
/* flags will be assumed to be zero */
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = info->cred->legacy_cert_cb2(session, info->req_ca_rdn, info->nreqs,
|
|
Packit Service |
4684c1 |
info->pk_algos, info->pk_algos_length,
|
|
Packit Service |
4684c1 |
certs, pcert_length, privkey);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
return ret;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_certificate_set_retrieve_function2:
|
|
Packit Service |
4684c1 |
* @cred: is a #gnutls_certificate_credentials_t type.
|
|
Packit Service |
4684c1 |
* @func: is the callback function
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function sets a callback to be called in order to retrieve the
|
|
Packit Service |
4684c1 |
* certificate to be used in the handshake. The callback will take control
|
|
Packit Service |
4684c1 |
* only if a certificate is requested by the peer.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* The callback's function prototype is:
|
|
Packit Service |
4684c1 |
* int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs,
|
|
Packit Service |
4684c1 |
* const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_pcert_st** pcert,
|
|
Packit Service |
4684c1 |
* unsigned int *pcert_length, gnutls_privkey_t * pkey);
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* @req_ca_dn is only used in X.509 certificates.
|
|
Packit Service |
4684c1 |
* Contains a list with the CA names that the server considers trusted.
|
|
Packit Service |
4684c1 |
* This is a hint and typically the client should send a certificate that is signed
|
|
Packit Service |
4684c1 |
* by one of these CAs. These names, when available, are DER encoded. To get a more
|
|
Packit Service |
4684c1 |
* meaningful value use the function gnutls_x509_rdn_get().
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* @pk_algos contains a list with server's acceptable public key algorithms.
|
|
Packit Service |
4684c1 |
* The certificate returned should support the server's given algorithms.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* @pcert should contain a single certificate and public key or a list of them.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* @pcert_length is the size of the previous list.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* @pkey is the private key.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* If the callback function is provided then gnutls will call it, in the
|
|
Packit Service |
4684c1 |
* handshake, after the certificate request message has been received.
|
|
Packit Service |
4684c1 |
* All the provided by the callback values will not be released or
|
|
Packit Service |
4684c1 |
* modified by gnutls.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* In server side pk_algos and req_ca_dn are NULL.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* The callback function should set the certificate list to be sent,
|
|
Packit Service |
4684c1 |
* and return 0 on success. If no certificate was selected then the
|
|
Packit Service |
4684c1 |
* number of certificates should be set to zero. The value (-1)
|
|
Packit Service |
4684c1 |
* indicates error and the handshake will be terminated. If both certificates
|
|
Packit Service |
4684c1 |
* are set in the credentials and a callback is available, the callback
|
|
Packit Service |
4684c1 |
* takes predence.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since: 3.0
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
void gnutls_certificate_set_retrieve_function2
|
|
Packit Service |
4684c1 |
(gnutls_certificate_credentials_t cred,
|
|
Packit Service |
4684c1 |
gnutls_certificate_retrieve_function2 * func)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
cred->legacy_cert_cb2 = func;
|
|
Packit Service |
4684c1 |
if (!func)
|
|
Packit Service |
4684c1 |
cred->get_cert_callback3 = NULL;
|
|
Packit Service |
4684c1 |
else
|
|
Packit Service |
4684c1 |
cred->get_cert_callback3 = call_legacy_cert_cb2;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_certificate_set_retrieve_function3:
|
|
Packit Service |
4684c1 |
* @cred: is a #gnutls_certificate_credentials_t type.
|
|
Packit Service |
4684c1 |
* @func: is the callback function
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function sets a callback to be called in order to retrieve the
|
|
Packit Service |
4684c1 |
* certificate and OCSP responses to be used in the handshake. @func will
|
|
Packit Service |
4684c1 |
* be called only if the peer requests a certificate either during handshake
|
|
Packit Service |
4684c1 |
* or during post-handshake authentication.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* The callback's function prototype is defined in `abstract.h':
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* int gnutls_certificate_retrieve_function3(
|
|
Packit Service |
4684c1 |
* gnutls_session_t,
|
|
Packit Service |
4684c1 |
* const struct gnutls_cert_retr_st *info,
|
|
Packit Service |
4684c1 |
* gnutls_pcert_st **certs,
|
|
Packit Service |
4684c1 |
* unsigned int *pcert_length,
|
|
Packit Service |
4684c1 |
* gnutls_ocsp_data_st **ocsp,
|
|
Packit Service |
4684c1 |
* unsigned int *ocsp_length,
|
|
Packit Service |
4684c1 |
* gnutls_privkey_t *privkey,
|
|
Packit Service |
4684c1 |
* unsigned int *flags);
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* The info field of the callback contains:
|
|
Packit Service |
4684c1 |
* @req_ca_dn which is a list with the CA names that the server considers trusted.
|
|
Packit Service |
4684c1 |
* This is a hint and typically the client should send a certificate that is signed
|
|
Packit Service |
4684c1 |
* by one of these CAs. These names, when available, are DER encoded. To get a more
|
|
Packit Service |
4684c1 |
* meaningful value use the function gnutls_x509_rdn_get().
|
|
Packit Service |
4684c1 |
* @pk_algos contains a list with server's acceptable public key algorithms.
|
|
Packit Service |
4684c1 |
* The certificate returned should support the server's given algorithms.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* The callback should fill-in the following values.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* @pcert should contain an allocated list of certificates and public keys.
|
|
Packit Service |
4684c1 |
* @pcert_length is the size of the previous list.
|
|
Packit Service |
4684c1 |
* @ocsp should contain an allocated list of OCSP responses.
|
|
Packit Service |
4684c1 |
* @ocsp_length is the size of the previous list.
|
|
Packit Service |
4684c1 |
* @pkey is the private key.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* If flags in the callback are set to %GNUTLS_CERT_RETR_DEINIT_ALL then
|
|
Packit Service |
4684c1 |
* all provided values must be allocated using gnutls_malloc(), and will
|
|
Packit Service |
4684c1 |
* be released by gnutls; otherwise they will not be touched by gnutls.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* The callback function should set the certificate and OCSP response
|
|
Packit Service |
4684c1 |
* list to be sent, and return 0 on success. If no certificates are available,
|
|
Packit Service |
4684c1 |
* the @pcert_length and @ocsp_length should be set to zero. The return
|
|
Packit Service |
4684c1 |
* value (-1) indicates error and the handshake will be terminated. If both
|
|
Packit Service |
4684c1 |
* certificates are set in the credentials and a callback is available, the
|
|
Packit Service |
4684c1 |
* callback takes predence.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since: 3.6.3
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
void gnutls_certificate_set_retrieve_function3
|
|
Packit Service |
4684c1 |
(gnutls_certificate_credentials_t cred,
|
|
Packit Service |
4684c1 |
gnutls_certificate_retrieve_function3 *func)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
cred->get_cert_callback3 = func;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_certificate_set_verify_function:
|
|
Packit Service |
4684c1 |
* @cred: is a #gnutls_certificate_credentials_t type.
|
|
Packit Service |
4684c1 |
* @func: is the callback function
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function sets a callback to be called when peer's certificate
|
|
Packit Service |
4684c1 |
* has been received in order to verify it on receipt rather than
|
|
Packit Service |
4684c1 |
* doing after the handshake is completed.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* The callback's function prototype is:
|
|
Packit Service |
4684c1 |
* int (*callback)(gnutls_session_t);
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* If the callback function is provided then gnutls will call it, in the
|
|
Packit Service |
4684c1 |
* handshake, just after the certificate message has been received.
|
|
Packit Service |
4684c1 |
* To verify or obtain the certificate the gnutls_certificate_verify_peers2(),
|
|
Packit Service |
4684c1 |
* gnutls_certificate_type_get(), gnutls_certificate_get_peers() functions
|
|
Packit Service |
4684c1 |
* can be used.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* The callback function should return 0 for the handshake to continue
|
|
Packit Service |
4684c1 |
* or non-zero to terminate.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since: 2.10.0
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
void
|
|
Packit Service |
4684c1 |
gnutls_certificate_set_verify_function
|
|
Packit Service |
4684c1 |
(gnutls_certificate_credentials_t cred,
|
|
Packit Service |
4684c1 |
gnutls_certificate_verify_function * func)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
cred->verify_callback = func;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#define TEST_TEXT "test text"
|
|
Packit Service |
4684c1 |
/* returns error if the certificate has different algorithm than
|
|
Packit Service |
4684c1 |
* the given key parameters.
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
int _gnutls_check_key_cert_match(gnutls_certificate_credentials_t res)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
gnutls_datum_t test = {(void*)TEST_TEXT, sizeof(TEST_TEXT)-1};
|
|
Packit Service |
4684c1 |
gnutls_datum_t sig = {NULL, 0};
|
|
Packit Service |
4684c1 |
gnutls_digest_algorithm_t dig;
|
|
Packit Service |
4684c1 |
int pk, pk2, ret;
|
|
Packit Service |
4684c1 |
unsigned sign_algo;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (res->flags & GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
pk =
|
|
Packit Service |
4684c1 |
gnutls_pubkey_get_pk_algorithm(res->certs[res->ncerts - 1].
|
|
Packit Service |
4684c1 |
cert_list[0].pubkey, NULL);
|
|
Packit Service |
4684c1 |
pk2 =
|
|
Packit Service |
4684c1 |
gnutls_privkey_get_pk_algorithm(res->certs[res->ncerts - 1].pkey,
|
|
Packit Service |
4684c1 |
NULL);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (GNUTLS_PK_IS_RSA(pk) && GNUTLS_PK_IS_RSA(pk2)) {
|
|
Packit Service |
4684c1 |
if (pk2 == GNUTLS_PK_RSA_PSS && pk == GNUTLS_PK_RSA) {
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("you cannot mix an RSA-PSS key with an RSA certificate\n");
|
|
Packit Service |
4684c1 |
return GNUTLS_E_CERTIFICATE_KEY_MISMATCH;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (pk2 == GNUTLS_PK_RSA_PSS || pk == GNUTLS_PK_RSA_PSS)
|
|
Packit Service |
4684c1 |
pk = GNUTLS_PK_RSA_PSS;
|
|
Packit Service |
4684c1 |
} else if (pk2 != pk) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("key is %s, certificate is %s\n", gnutls_pk_get_name(pk2),
|
|
Packit Service |
4684c1 |
gnutls_pk_get_name(pk));
|
|
Packit Service |
4684c1 |
return GNUTLS_E_CERTIFICATE_KEY_MISMATCH;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (pk == GNUTLS_PK_GOST_01)
|
|
Packit Service |
4684c1 |
dig = GNUTLS_DIG_GOSTR_94;
|
|
Packit Service |
4684c1 |
else if (pk == GNUTLS_PK_GOST_12_256)
|
|
Packit Service |
4684c1 |
dig = GNUTLS_DIG_STREEBOG_256;
|
|
Packit Service |
4684c1 |
else if (pk == GNUTLS_PK_GOST_12_512)
|
|
Packit Service |
4684c1 |
dig = GNUTLS_DIG_STREEBOG_512;
|
|
Packit Service |
4684c1 |
else
|
|
Packit Service |
4684c1 |
dig = GNUTLS_DIG_SHA256;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
sign_algo = gnutls_pk_to_sign(pk, dig);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* now check if keys really match. We use the sign/verify approach
|
|
Packit Service |
4684c1 |
* because we cannot always obtain the parameters from the abstract
|
|
Packit Service |
4684c1 |
* keys (e.g. PKCS #11). */
|
|
Packit Service |
4684c1 |
ret = gnutls_privkey_sign_data2(res->certs[res->ncerts - 1].pkey,
|
|
Packit Service |
4684c1 |
sign_algo, 0, &test, &sig);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
/* for some reason we couldn't sign that. That shouldn't have
|
|
Packit Service |
4684c1 |
* happened, but since it did, report the issue and do not
|
|
Packit Service |
4684c1 |
* try the key matching test */
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("%s: failed signing\n", __func__);
|
|
Packit Service |
4684c1 |
goto finish;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = gnutls_pubkey_verify_data2(res->certs[res->ncerts - 1].cert_list[0].pubkey,
|
|
Packit Service |
4684c1 |
sign_algo,
|
|
Packit Service |
4684c1 |
GNUTLS_VERIFY_ALLOW_BROKEN, &test, &sig);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
gnutls_free(sig.data);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (ret < 0)
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_CERTIFICATE_KEY_MISMATCH);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
finish:
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_certificate_verification_status_print:
|
|
Packit Service |
4684c1 |
* @status: The status flags to be printed
|
|
Packit Service |
4684c1 |
* @type: The certificate type
|
|
Packit Service |
4684c1 |
* @out: Newly allocated datum with (0) terminated string.
|
|
Packit Service |
4684c1 |
* @flags: should be zero
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function will pretty print the status of a verification
|
|
Packit Service |
4684c1 |
* process -- eg. the one obtained by gnutls_certificate_verify_peers3().
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* The output @out needs to be deallocated using gnutls_free().
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
|
|
Packit Service |
4684c1 |
* negative error value.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since: 3.1.4
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
gnutls_certificate_verification_status_print(unsigned int status,
|
|
Packit Service |
4684c1 |
gnutls_certificate_type_t
|
|
Packit Service |
4684c1 |
type, gnutls_datum_t * out,
|
|
Packit Service |
4684c1 |
unsigned int flags)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
gnutls_buffer_st str;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
_gnutls_buffer_init(&str);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (status == 0)
|
|
Packit Service |
4684c1 |
_gnutls_buffer_append_str(&str,
|
|
Packit Service |
4684c1 |
_
|
|
Packit Service |
4684c1 |
("The certificate is trusted. "));
|
|
Packit Service |
4684c1 |
else
|
|
Packit Service |
4684c1 |
_gnutls_buffer_append_str(&str,
|
|
Packit Service |
4684c1 |
_
|
|
Packit Service |
4684c1 |
("The certificate is NOT trusted. "));
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (type == GNUTLS_CRT_X509) {
|
|
Packit Service |
4684c1 |
if (status & GNUTLS_CERT_REVOKED)
|
|
Packit Service |
4684c1 |
_gnutls_buffer_append_str(&str,
|
|
Packit Service |
4684c1 |
_
|
|
Packit Service |
4684c1 |
("The certificate chain is revoked. "));
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (status & GNUTLS_CERT_MISMATCH)
|
|
Packit Service |
4684c1 |
_gnutls_buffer_append_str(&str,
|
|
Packit Service |
4684c1 |
_
|
|
Packit Service |
4684c1 |
("The certificate doesn't match the local copy (TOFU). "));
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (status & GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED)
|
|
Packit Service |
4684c1 |
_gnutls_buffer_append_str(&str,
|
|
Packit Service |
4684c1 |
_
|
|
Packit Service |
4684c1 |
("The revocation or OCSP data are old and have been superseded. "));
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (status & GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE)
|
|
Packit Service |
4684c1 |
_gnutls_buffer_append_str(&str,
|
|
Packit Service |
4684c1 |
_
|
|
Packit Service |
4684c1 |
("The revocation or OCSP data are issued with a future date. "));
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
|
|
Packit Service |
4684c1 |
_gnutls_buffer_append_str(&str,
|
|
Packit Service |
4684c1 |
_
|
|
Packit Service |
4684c1 |
("The certificate issuer is unknown. "));
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (status & GNUTLS_CERT_SIGNER_NOT_CA)
|
|
Packit Service |
4684c1 |
_gnutls_buffer_append_str(&str,
|
|
Packit Service |
4684c1 |
_
|
|
Packit Service |
4684c1 |
("The certificate issuer is not a CA. "));
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
|
|
Packit Service |
4684c1 |
_gnutls_buffer_append_str(&str,
|
|
Packit Service |
4684c1 |
_
|
|
Packit Service |
4684c1 |
("The certificate chain uses insecure algorithm. "));
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (status & GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE)
|
|
Packit Service |
4684c1 |
_gnutls_buffer_append_str(&str,
|
|
Packit Service |
4684c1 |
_
|
|
Packit Service |
4684c1 |
("The certificate chain violates the signer's constraints. "));
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (status & GNUTLS_CERT_PURPOSE_MISMATCH)
|
|
Packit Service |
4684c1 |
_gnutls_buffer_append_str(&str,
|
|
Packit Service |
4684c1 |
_
|
|
Packit Service |
4684c1 |
("The certificate chain does not match the intended purpose. "));
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (status & GNUTLS_CERT_NOT_ACTIVATED)
|
|
Packit Service |
4684c1 |
_gnutls_buffer_append_str(&str,
|
|
Packit Service |
4684c1 |
_
|
|
Packit Service |
4684c1 |
("The certificate chain uses not yet valid certificate. "));
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (status & GNUTLS_CERT_EXPIRED)
|
|
Packit Service |
4684c1 |
_gnutls_buffer_append_str(&str,
|
|
Packit Service |
4684c1 |
_
|
|
Packit Service |
4684c1 |
("The certificate chain uses expired certificate. "));
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (status & GNUTLS_CERT_SIGNATURE_FAILURE)
|
|
Packit Service |
4684c1 |
_gnutls_buffer_append_str(&str,
|
|
Packit Service |
4684c1 |
_
|
|
Packit Service |
4684c1 |
("The signature in the certificate is invalid. "));
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (status & GNUTLS_CERT_UNEXPECTED_OWNER)
|
|
Packit Service |
4684c1 |
_gnutls_buffer_append_str(&str,
|
|
Packit Service |
4684c1 |
_
|
|
Packit Service |
4684c1 |
("The name in the certificate does not match the expected. "));
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (status & GNUTLS_CERT_MISSING_OCSP_STATUS)
|
|
Packit Service |
4684c1 |
_gnutls_buffer_append_str(&str,
|
|
Packit Service |
4684c1 |
_
|
|
Packit Service |
4684c1 |
("The certificate requires the server to include an OCSP status in its response, but the OCSP status is missing. "));
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (status & GNUTLS_CERT_INVALID_OCSP_STATUS)
|
|
Packit Service |
4684c1 |
_gnutls_buffer_append_str(&str,
|
|
Packit Service |
4684c1 |
_
|
|
Packit Service |
4684c1 |
("The received OCSP status response is invalid. "));
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (status & GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS)
|
|
Packit Service |
4684c1 |
_gnutls_buffer_append_str(&str,
|
|
Packit Service |
4684c1 |
_
|
|
Packit Service |
4684c1 |
("The certificate contains an unknown critical extension. "));
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return _gnutls_buffer_to_datum(&str, out, 1);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#if defined(ENABLE_DHE) || defined(ENABLE_ANON)
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_certificate_set_dh_params:
|
|
Packit Service |
4684c1 |
* @res: is a gnutls_certificate_credentials_t type
|
|
Packit Service |
4684c1 |
* @dh_params: the Diffie-Hellman parameters.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function will set the Diffie-Hellman parameters for a
|
|
Packit Service |
4684c1 |
* certificate server to use. These parameters will be used in
|
|
Packit Service |
4684c1 |
* Ephemeral Diffie-Hellman cipher suites. Note that only a pointer
|
|
Packit Service |
4684c1 |
* to the parameters are stored in the certificate handle, so you
|
|
Packit Service |
4684c1 |
* must not deallocate the parameters before the certificate is deallocated.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Deprecated: This function is unnecessary and discouraged on GnuTLS 3.6.0
|
|
Packit Service |
4684c1 |
* or later. Since 3.6.0, DH parameters are negotiated
|
|
Packit Service |
4684c1 |
* following RFC7919.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
void
|
|
Packit Service |
4684c1 |
gnutls_certificate_set_dh_params(gnutls_certificate_credentials_t res,
|
|
Packit Service |
4684c1 |
gnutls_dh_params_t dh_params)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (res->deinit_dh_params) {
|
|
Packit Service |
4684c1 |
res->deinit_dh_params = 0;
|
|
Packit Service |
4684c1 |
gnutls_dh_params_deinit(res->dh_params);
|
|
Packit Service |
4684c1 |
res->dh_params = NULL;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
res->dh_params = dh_params;
|
|
Packit Service |
4684c1 |
res->dh_sec_param = gnutls_pk_bits_to_sec_param(GNUTLS_PK_DH, _gnutls_mpi_get_nbits(dh_params->params[0]));
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_certificate_set_known_dh_params:
|
|
Packit Service |
4684c1 |
* @res: is a gnutls_certificate_credentials_t type
|
|
Packit Service |
4684c1 |
* @sec_param: is an option of the %gnutls_sec_param_t enumeration
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function will set the Diffie-Hellman parameters for a
|
|
Packit Service |
4684c1 |
* certificate server to use. These parameters will be used in
|
|
Packit Service |
4684c1 |
* Ephemeral Diffie-Hellman cipher suites and will be selected from
|
|
Packit Service |
4684c1 |
* the FFDHE set of RFC7919 according to the security level provided.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Deprecated: This function is unnecessary and discouraged on GnuTLS 3.6.0
|
|
Packit Service |
4684c1 |
* or later. Since 3.6.0, DH parameters are negotiated
|
|
Packit Service |
4684c1 |
* following RFC7919.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
|
|
Packit Service |
4684c1 |
* negative error value.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since: 3.5.6
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
gnutls_certificate_set_known_dh_params(gnutls_certificate_credentials_t res,
|
|
Packit Service |
4684c1 |
gnutls_sec_param_t sec_param)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
res->dh_sec_param = sec_param;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#endif /* DH */
|