1 : /*
2 : * Copyright (C) 2011-2012 Free Software Foundation, Inc.
3 : *
4 : * Author: Nikos Mavrogiannopoulos
5 : *
6 : * This file is part of GnuTLS.
7 : *
8 : * The GnuTLS is free software; you can redistribute it and/or
9 : * modify it under the terms of the GNU Lesser General Public License
10 : * as published by the Free Software Foundation; either version 2.1 of
11 : * the License, or (at your option) any later version.
12 : *
13 : * This library is distributed in the hope that it will be useful, but
14 : * WITHOUT ANY WARRANTY; without even the implied warranty of
15 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 : * Lesser General Public License for more details.
17 : *
18 : * You should have received a copy of the GNU Lesser General Public License
19 : * along with this program. If not, see <https://www.gnu.org/licenses/>
20 : *
21 : */
22 :
23 : #include "gnutls_int.h"
24 : #include "errors.h"
25 : #include <auth/cert.h>
26 : #include <x509/common.h>
27 : #include <x509.h>
28 : #include "x509/x509_int.h"
29 : #include <gnutls/x509.h>
30 : #include "x509_b64.h"
31 :
/**
 * gnutls_pcert_import_x509:
 * @pcert: The pcert structure
 * @crt: The certificate to be imported
 * @flags: zero for now
 *
 * This convenience function will import the given certificate to a
 * #gnutls_pcert_st structure. The structure must be deinitialized
 * afterwards using gnutls_pcert_deinit();
 *
 * On failure @pcert is left with a %NULL public key and an empty
 * DER copy, so nothing owned by it remains allocated.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 * negative error value.
 *
 * Since: 3.0
 **/
int gnutls_pcert_import_x509(gnutls_pcert_st * pcert,
			     gnutls_x509_crt_t crt, unsigned int flags)
{
	int ret;

	/* Start from an all-zero structure so every field (including
	 * pcert->cert and pcert->pubkey) is in a known state should we
	 * have to bail out early. */
	memset(pcert, 0, sizeof(*pcert));
	pcert->type = GNUTLS_CRT_X509;

	/* Keep a private DER copy of the certificate; this is the
	 * encoding that is later handed to the peer. */
	ret = gnutls_x509_crt_export2(crt, GNUTLS_X509_FMT_DER, &pcert->cert);
	if (ret < 0)
		goto fail;

	ret = gnutls_pubkey_init(&pcert->pubkey);
	if (ret < 0)
		goto fail;

	/* Extract the public key from the certificate object itself
	 * (not from the DER copy above). */
	ret = gnutls_pubkey_import_x509(pcert->pubkey, crt, 0);
	if (ret < 0) {
		gnutls_pubkey_deinit(pcert->pubkey);
		pcert->pubkey = NULL;
		goto fail;
	}

	return 0;

 fail:
	gnutls_assert();
	_gnutls_free_datum(&pcert->cert);
	return ret;
}
86 :
/**
 * gnutls_pcert_import_x509_list:
 * @pcert_list: The structures to store the certificates; must not contain initialized #gnutls_pcert_st structures.
 * @crt: The certificates to be imported
 * @ncrt: The number of certificates in @crt; will be updated if necessary
 * @flags: zero or %GNUTLS_X509_CRT_LIST_SORT
 *
 * This convenience function will import the given certificates to an
 * already allocated set of #gnutls_pcert_st structures. The structures must
 * be deinitialized afterwards using gnutls_pcert_deinit(). @pcert_list
 * should contain space for at least @ncrt elements.
 *
 * In the case %GNUTLS_X509_CRT_LIST_SORT is specified and that
 * function cannot sort the list, %GNUTLS_E_CERTIFICATE_LIST_UNSORTED
 * will be returned. Currently sorting can fail if the list size
 * exceeds an internal constraint (16); lists above that size are only
 * checked for being already sorted.
 *
 * On failure every structure imported so far is deinitialized again,
 * so @pcert_list holds no allocated data.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 * negative error value.
 *
 * Since: 3.4.0
 **/
int gnutls_pcert_import_x509_list(gnutls_pcert_st * pcert_list,
				  gnutls_x509_crt_t *crt, unsigned *ncrt,
				  unsigned int flags)
{
	int ret;
	unsigned idx, imported = 0;
	gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH];
	gnutls_x509_crt_t *list = crt;

	if ((flags & GNUTLS_X509_CRT_LIST_SORT) && *ncrt > 1) {
		if (*ncrt <= DEFAULT_MAX_VERIFY_DEPTH) {
			/* The sorter may shrink *ncrt; it returns the
			 * scratch array on success and the input on failure. */
			list = _gnutls_sort_clist(sorted, crt, ncrt, NULL);
			if (list == crt)
				return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
		} else {
			/* Too many for the scratch array: accept the list
			 * only if it is already in chain order. */
			if (_gnutls_check_if_sorted(crt, *ncrt) < 0)
				return gnutls_assert_val(GNUTLS_E_CERTIFICATE_LIST_UNSORTED);
		}
	}

	/* *ncrt is re-read each iteration on purpose: sorting may have
	 * reduced it. */
	for (idx = 0; idx < *ncrt; idx++) {
		ret = gnutls_pcert_import_x509(&pcert_list[idx], list[idx], 0);
		if (ret < 0)
			goto fail;
		imported++;
	}

	return 0;

 fail:
	/* Roll back the entries that were successfully imported. */
	while (imported > 0)
		gnutls_pcert_deinit(&pcert_list[--imported]);
	return ret;
}
154 :
/**
 * gnutls_pcert_list_import_x509_raw:
 * @pcert_list: The structures to store the certificates; must not contain initialized #gnutls_pcert_st structures.
 * @pcert_list_size: Initially must hold the maximum number of certs. It will be updated with the number of certs available.
 * @data: The certificates.
 * @format: One of DER or PEM.
 * @flags: must be (0) or an OR'd sequence of gnutls_certificate_import_flags.
 *
 * This function will import the provided DER or PEM encoded certificates to an
 * already allocated set of #gnutls_pcert_st structures. The structures must
 * be deinitialized afterwards using gnutls_pcert_deinit(). @pcert_list
 * should contain space for at least @pcert_list_size elements.
 *
 * If the Certificate is PEM encoded it should have a header of "X509
 * CERTIFICATE", or "CERTIFICATE".
 *
 * On failure any partially imported entries of @pcert_list are
 * deinitialized again.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 * negative error value; if the @pcert list doesn't have enough space
 * %GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.
 *
 * Since: 3.0
 **/
int
gnutls_pcert_list_import_x509_raw(gnutls_pcert_st *pcert_list,
				  unsigned int *pcert_list_size,
				  const gnutls_datum_t *data,
				  gnutls_x509_crt_fmt_t format,
				  unsigned int flags)
{
	int ret;
	unsigned int ncerts = 0, done, k;
	gnutls_x509_crt_t *certs;

	/* Temporary array of certificate objects, sized by the caller's
	 * buffer; the parsed objects are released before returning. */
	certs = gnutls_malloc((*pcert_list_size) * sizeof(gnutls_x509_crt_t));
	if (certs == NULL)
		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);

	ret = gnutls_x509_crt_list_import(certs, pcert_list_size, data,
					  format, flags);
	if (ret < 0) {
		/* Nothing was parsed into certs; only the array is freed. */
		gnutls_assert();
		goto out;
	}
	ncerts = *pcert_list_size;

	for (done = 0; done < ncerts; done++) {
		/* NOTE: the import flags are forwarded unchanged here
		 * although gnutls_pcert_import_x509() documents @flags
		 * as "zero for now". */
		ret = gnutls_pcert_import_x509(&pcert_list[done], certs[done],
					       flags);
		if (ret < 0) {
			gnutls_assert();
			for (k = 0; k < done; k++)
				gnutls_pcert_deinit(&pcert_list[k]);
			goto out;
		}
	}
	ret = 0;

 out:
	for (k = 0; k < ncerts; k++)
		gnutls_x509_crt_deinit(certs[k]);
	gnutls_free(certs);
	return ret;
}
225 :
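/**
 * gnutls_pcert_list_import_x509_file:
 * @pcert_list: The structures to store the certificates; must not contain initialized #gnutls_pcert_st structures.
 * @pcert_list_size: Initially must hold the maximum number of certs. It will be updated with the number of certs available; when %GNUTLS_E_SHORT_MEMORY_BUFFER is returned it holds the number of entries that would have been required.
 * @file: A file or supported URI with the certificates to load
 * @format: %GNUTLS_X509_FMT_DER or %GNUTLS_X509_FMT_PEM if a file is given
 * @pin_fn: a PIN callback if not globally set
 * @pin_fn_userdata: parameter for the PIN callback
 * @flags: zero or flags from %gnutls_certificate_import_flags
 *
 * This convenience function will import a certificate chain from the given
 * file or supported URI to #gnutls_pcert_st structures. The structures
 * must be deinitialized afterwards using gnutls_pcert_deinit().
 *
 * This function will always return a sorted certificate chain.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 * negative error value; if the @pcert list doesn't have enough space
 * %GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.
 *
 * Since: 3.6.3
 **/
int gnutls_pcert_list_import_x509_file(gnutls_pcert_st *pcert_list,
				       unsigned *pcert_list_size,
				       const char *file,
				       gnutls_x509_crt_fmt_t format,
				       gnutls_pin_callback_t pin_fn,
				       void *pin_fn_userdata,
				       unsigned int flags)
{
	int ret, ret2;
	unsigned i;
	gnutls_x509_crt_t *crts = NULL;
	unsigned crts_size = 0;
	gnutls_datum_t data = {NULL, 0};

	if (gnutls_url_is_supported(file) != 0) {
		/* First try without logging in to the token; only if that
		 * fails retry with a login (which may invoke @pin_fn). If
		 * both attempts fail the first error is reported. */
		ret = gnutls_x509_crt_list_import_url(&crts, &crts_size, file,
						      pin_fn, pin_fn_userdata,
						      0);
		if (ret < 0) {
			ret2 = gnutls_x509_crt_list_import_url(&crts, &crts_size,
							       file, pin_fn,
							       pin_fn_userdata,
							       GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
			if (ret2 >= 0)
				ret = ret2;
		}

		if (ret < 0) {
			gnutls_assert();
			goto cleanup;
		}

	} else { /* file */
		ret = gnutls_load_file(file, &data);
		if (ret < 0)
			return gnutls_assert_val(ret);

		/* Always request a sorted chain, as documented above. */
		ret = gnutls_x509_crt_list_import2(&crts, &crts_size, &data,
						   format,
						   flags | GNUTLS_X509_CRT_LIST_SORT);
		if (ret < 0) {
			gnutls_assert();
			goto cleanup;
		}
	}

	if (crts_size > *pcert_list_size) {
		/* Tell the caller how much space is needed, in line with
		 * the documented contract of @pcert_list_size; nothing has
		 * been written to @pcert_list at this point. */
		*pcert_list_size = crts_size;
		gnutls_assert();
		ret = GNUTLS_E_SHORT_MEMORY_BUFFER;
		goto cleanup;
	}

	ret = gnutls_pcert_import_x509_list(pcert_list, crts, &crts_size, flags);
	if (ret < 0) {
		gnutls_assert();
		goto cleanup;
	}
	*pcert_list_size = crts_size;

	ret = 0;
 cleanup:
	/* The pcerts keep their own DER copies, so the certificate
	 * objects and the file contents can be released unconditionally. */
	for (i = 0; i < crts_size; i++)
		gnutls_x509_crt_deinit(crts[i]);
	gnutls_free(crts);
	gnutls_free(data.data);
	return ret;
}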
307 :
308 :
/**
 * gnutls_pcert_import_x509_raw:
 * @pcert: The pcert structure
 * @cert: The raw certificate to be imported
 * @format: The format of the certificate
 * @flags: zero for now
 *
 * This convenience function will import the given certificate to a
 * #gnutls_pcert_st structure. The structure must be deinitialized
 * afterwards using gnutls_pcert_deinit();
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 * negative error value.
 *
 * Since: 3.0
 **/
int gnutls_pcert_import_x509_raw(gnutls_pcert_st * pcert,
				 const gnutls_datum_t * cert,
				 gnutls_x509_crt_fmt_t format,
				 unsigned int flags)
{
	gnutls_x509_crt_t tmp;
	int ret;

	memset(pcert, 0, sizeof(*pcert));

	ret = gnutls_x509_crt_init(&tmp);
	if (ret < 0)
		return gnutls_assert_val(ret);

	/* Parse the encoded certificate (which may come from an untrusted
	 * peer) into a temporary object and hand that to the object-based
	 * importer. The temporary is released in every case, since
	 * gnutls_pcert_import_x509() keeps its own DER copy. */
	ret = gnutls_x509_crt_import(tmp, cert, format);
	if (ret >= 0)
		ret = gnutls_pcert_import_x509(pcert, tmp, flags);

	if (ret < 0)
		gnutls_assert();
	else
		ret = 0;

	gnutls_x509_crt_deinit(tmp);
	return ret;
}
358 :
/**
 * gnutls_pcert_import_rawpk:
 * @pcert: The pcert structure to import the data into.
 * @pubkey: The raw public-key in #gnutls_pubkey_t format to be imported
 * @flags: zero for now
 *
 * This convenience function will import (i.e. convert) the given raw
 * public key @pubkey into a #gnutls_pcert_st structure. The structure
 * must be deinitialized afterwards using gnutls_pcert_deinit(). The
 * given @pubkey must not be deinitialized because it will be associated
 * with the given @pcert structure and will be deinitialized with it.
 *
 * Note that ownership of @pubkey only moves to @pcert when this
 * function succeeds; on failure the caller still owns @pubkey.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 * negative error value.
 *
 * Since: 3.6.6
 **/
int gnutls_pcert_import_rawpk(gnutls_pcert_st* pcert,
			      gnutls_pubkey_t pubkey, unsigned int flags)
{
	int ret;

	if (!pubkey)
		return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS);

	memset(pcert, 0, sizeof(*pcert));

	/* The pcert carries a raw copy of what goes on the wire in the
	 * Certificate message; RFC 7250 mandates the DER encoding of the
	 * public key for that, so export @pubkey as DER here. */
	ret = gnutls_pubkey_export2(pubkey, GNUTLS_X509_FMT_DER, &pcert->cert);
	if (ret < 0)
		return gnutls_assert_val(ret);

	/* Only now take over @pubkey; it is released by gnutls_pcert_deinit(). */
	pcert->type = GNUTLS_CRT_RAWPK;
	pcert->pubkey = pubkey;

	return GNUTLS_E_SUCCESS;
}
404 :
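/**
 * gnutls_pcert_import_rawpk_raw:
 * @pcert: The pcert structure to import the data into.
 * @rawpubkey: The raw public-key in #gnutls_datum_t format to be imported.
 * @format: The format of the raw public-key. DER or PEM.
 * @key_usage: An ORed sequence of %GNUTLS_KEY_* flags.
 * @flags: zero for now
 *
 * This convenience function will import (i.e. convert) the given raw
 * public key @rawpubkey into a #gnutls_pcert_st structure. The structure
 * must be deinitialized afterwards using gnutls_pcert_deinit().
 * Note that the caller is responsible for freeing @rawpubkey. All necessary
 * values will be copied into @pcert.
 *
 * Key usage (as defined by X.509 extension (2.5.29.15)) can be explicitly
 * set because there is no certificate structure around the key to define
 * this value. See for more info gnutls_x509_crt_get_key_usage().
 *
 * On failure nothing owned by @pcert remains allocated and its public
 * key pointer is %NULL, so a subsequent gnutls_pcert_deinit() is harmless.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 * negative error value.
 *
 * Since: 3.6.6
 **/
int gnutls_pcert_import_rawpk_raw(gnutls_pcert_st* pcert,
				  const gnutls_datum_t* rawpubkey,
				  gnutls_x509_crt_fmt_t format,
				  unsigned int key_usage, unsigned int flags)
{
	int ret;

	if (rawpubkey == NULL)
		return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS);

	memset(pcert, 0, sizeof(*pcert));

	ret = gnutls_pubkey_init(&pcert->pubkey);
	if (ret < 0)
		return gnutls_assert_val(ret);

	/* Parse the raw public key (which may come straight from a peer's
	 * Certificate message, see _gnutls_get_auth_info_pcert()) into a
	 * gnutls_pubkey_t. A malformed key must not leak the object
	 * allocated above, so this path shares the cleanup below. */
	ret = gnutls_pubkey_import(pcert->pubkey, rawpubkey, format);
	if (ret < 0) {
		gnutls_assert();
		goto fail;
	}

	pcert->pubkey->key_usage = key_usage;

	/* A pcert struct holds a raw copy of the certificate data.
	 * It is this raw data that will be transferred to the peer via a
	 * Certificate message. According to the spec (RFC7250) a DER
	 * representation must be used. Therefore we check the format and
	 * convert if necessary. */
	if (format == GNUTLS_X509_FMT_PEM)
		ret = _gnutls_fbase64_decode(PEM_PK, rawpubkey->data,
					     rawpubkey->size, &pcert->cert);
	else
		ret = _gnutls_set_datum(&pcert->cert, rawpubkey->data,
					rawpubkey->size);

	if (ret < 0) {
		gnutls_assert();
		goto fail;
	}

	pcert->type = GNUTLS_CRT_RAWPK;

	return GNUTLS_E_SUCCESS;

 fail:
	/* Release the half-built object and reset the pointer so the
	 * structure cannot be double-freed by a later gnutls_pcert_deinit(). */
	gnutls_pubkey_deinit(pcert->pubkey);
	pcert->pubkey = NULL;
	_gnutls_free_datum(&pcert->cert);
	return ret;
}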
485 :
/**
 * gnutls_pcert_export_x509:
 * @pcert: The pcert structure.
 * @crt: An initialized #gnutls_x509_crt_t.
 *
 * Converts the given #gnutls_pcert_t type into a #gnutls_x509_crt_t.
 * This function only works if the type of @pcert is %GNUTLS_CRT_X509.
 * When successful, the value written to @crt must be freed with
 * gnutls_x509_crt_deinit() when no longer needed. On failure @crt is
 * set to %NULL.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 * negative error value.
 *
 * Since: 3.4.0
 */
int gnutls_pcert_export_x509(gnutls_pcert_st * pcert,
			     gnutls_x509_crt_t * crt)
{
	int ret;

	/* Only an X.509 pcert carries a DER certificate; raw public keys
	 * cannot be turned into a certificate object. */
	if (pcert->type != GNUTLS_CRT_X509)
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

	ret = gnutls_x509_crt_init(crt);
	if (ret < 0)
		return gnutls_assert_val(ret);

	/* Re-parse the stored DER copy into the fresh object. */
	ret = gnutls_x509_crt_import(*crt, &pcert->cert, GNUTLS_X509_FMT_DER);
	if (ret >= 0)
		return 0;

	gnutls_assert();
	gnutls_x509_crt_deinit(*crt);
	*crt = NULL;
	return ret;
}
525 :
/**
 * gnutls_pcert_deinit:
 * @pcert: The structure to be deinitialized
 *
 * This function will deinitialize a pcert structure. It releases the
 * associated public key (if any) and the raw certificate copy, and
 * resets the public key pointer so the call is safe to repeat.
 *
 * Since: 3.0
 **/
void gnutls_pcert_deinit(gnutls_pcert_st * pcert)
{
	gnutls_pubkey_t pk = pcert->pubkey;

	/* Clear the pointer before freeing to avoid a dangling reference. */
	pcert->pubkey = NULL;
	if (pk != NULL)
		gnutls_pubkey_deinit(pk);

	_gnutls_free_datum(&pcert->cert);
}
541 :
/* Converts the first certificate for the cert_auth_info structure
 * to a pcert.
 *
 * The first entry of info->raw_certificate_list is peer-supplied data
 * in DER form; it is parsed either as an X.509 certificate or as a raw
 * public key (RFC 7250) depending on @type. NOTE(review): no check is
 * made here that the list holds at least one entry — presumably the
 * caller guarantees that; verify against callers.
 *
 * Returns 0 on success or a negative error code; GNUTLS_E_INTERNAL_ERROR
 * for an unknown certificate type.
 */
int
_gnutls_get_auth_info_pcert(gnutls_pcert_st * pcert,
			    gnutls_certificate_type_t type,
			    cert_auth_info_t info)
{
	if (type == GNUTLS_CRT_X509)
		return gnutls_pcert_import_x509_raw(pcert,
						    &info->raw_certificate_list[0],
						    GNUTLS_X509_FMT_DER, 0);

	if (type == GNUTLS_CRT_RAWPK)
		/* Key usage is not known for a bare key received from the
		 * peer, hence 0. */
		return gnutls_pcert_import_rawpk_raw(pcert,
						     &info->raw_certificate_list[0],
						     GNUTLS_X509_FMT_DER, 0, 0);

	return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
}