/*
* Copyright (C) 2011-2012 Free Software Foundation, Inc.
*
* Author: Nikos Mavrogiannopoulos
*
* This file is part of GnuTLS.
*
* The GnuTLS is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public License
* as published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see
*
*/
#include "gnutls_int.h"
#include "errors.h"
#include
#include
#include
#include "x509/x509_int.h"
#include
#include "x509_b64.h"
/**
* gnutls_pcert_import_x509:
* @pcert: The pcert structure
* @crt: The certificate to be imported
* @flags: zero for now
*
* This convenience function will import the given certificate to a
* #gnutls_pcert_st structure. The structure must be deinitialized
* afterwards using gnutls_pcert_deinit();
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*
* Since: 3.0
**/
int gnutls_pcert_import_x509(gnutls_pcert_st * pcert,
gnutls_x509_crt_t crt, unsigned int flags)
{
int ret;
memset(pcert, 0, sizeof(*pcert));
pcert->type = GNUTLS_CRT_X509;
pcert->cert.data = NULL;
ret =
gnutls_x509_crt_export2(crt, GNUTLS_X509_FMT_DER,
&pcert->cert);
if (ret < 0) {
ret = gnutls_assert_val(ret);
goto cleanup;
}
ret = gnutls_pubkey_init(&pcert->pubkey);
if (ret < 0) {
ret = gnutls_assert_val(ret);
goto cleanup;
}
ret = gnutls_pubkey_import_x509(pcert->pubkey, crt, 0);
if (ret < 0) {
gnutls_pubkey_deinit(pcert->pubkey);
pcert->pubkey = NULL;
ret = gnutls_assert_val(ret);
goto cleanup;
}
return 0;
cleanup:
_gnutls_free_datum(&pcert->cert);
return ret;
}
/**
* gnutls_pcert_import_x509_list:
* @pcert_list: The structures to store the certificates; must not contain initialized #gnutls_pcert_st structures.
* @crt: The certificates to be imported
* @ncrt: The number of certificates in @crt; will be updated if necessary
* @flags: zero or %GNUTLS_X509_CRT_LIST_SORT
*
* This convenience function will import the given certificates to an
* already allocated set of #gnutls_pcert_st structures. The structures must
* be deinitialized afterwards using gnutls_pcert_deinit(). @pcert_list
* should contain space for at least @ncrt elements.
*
* In the case %GNUTLS_X509_CRT_LIST_SORT is specified and that
* function cannot sort the list, %GNUTLS_E_CERTIFICATE_LIST_UNSORTED
* will be returned. Currently sorting can fail if the list size
* exceeds an internal constraint (16).
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*
* Since: 3.4.0
**/
int gnutls_pcert_import_x509_list(gnutls_pcert_st * pcert_list,
gnutls_x509_crt_t *crt, unsigned *ncrt,
unsigned int flags)
{
int ret;
unsigned i;
unsigned current = 0;
gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH];
gnutls_x509_crt_t *s;
s = crt;
if (flags & GNUTLS_X509_CRT_LIST_SORT && *ncrt > 1) {
if (*ncrt > DEFAULT_MAX_VERIFY_DEPTH) {
ret = _gnutls_check_if_sorted(s, *ncrt);
if (ret < 0) {
gnutls_assert();
return GNUTLS_E_CERTIFICATE_LIST_UNSORTED;
}
} else {
for (i = 0; i < *ncrt; i++) {
sorted[i] = s[i];
}
s = sorted;
*ncrt = _gnutls_sort_clist(s, *ncrt);
}
}
for (i=0;i<*ncrt;i++) {
ret = gnutls_pcert_import_x509(&pcert_list[i], s[i], 0);
if (ret < 0) {
current = i;
goto cleanup;
}
}
return 0;
cleanup:
for (i=0;i= 0) ret = ret2;
}
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
} else { /* file */
ret = gnutls_load_file(file, &data);
if (ret < 0)
return gnutls_assert_val(ret);
ret = gnutls_x509_crt_list_import2(&crts, &crts_size, &data, format, flags|GNUTLS_X509_CRT_LIST_SORT);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
}
if (crts_size > *pcert_list_size) {
gnutls_assert();
ret = GNUTLS_E_SHORT_MEMORY_BUFFER;
goto cleanup;
}
ret = gnutls_pcert_import_x509_list(pcert_list, crts, &crts_size, flags);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
*pcert_list_size = crts_size;
ret = 0;
cleanup:
for (i=0;icert);
if (ret < 0) {
return gnutls_assert_val(ret);
}
pcert->pubkey = pubkey;
pcert->type = GNUTLS_CRT_RAWPK;
return GNUTLS_E_SUCCESS;
}
/**
* gnutls_pcert_import_rawpk_raw:
* @pcert: The pcert structure to import the data into.
* @rawpubkey: The raw public-key in #gnutls_datum_t format to be imported.
* @format: The format of the raw public-key. DER or PEM.
* @key_usage: An ORed sequence of %GNUTLS_KEY_* flags.
* @flags: zero for now
*
* This convenience function will import (i.e. convert) the given raw
* public key @rawpubkey into a #gnutls_pcert_st structure. The structure
* must be deinitialized afterwards using gnutls_pcert_deinit().
* Note that the caller is responsible for freeing @rawpubkey. All necessary
* values will be copied into @pcert.
*
* Key usage (as defined by X.509 extension (2.5.29.15)) can be explicitly
* set because there is no certificate structure around the key to define
* this value. See for more info gnutls_x509_crt_get_key_usage().
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*
* Since: 3.6.6
**/
int gnutls_pcert_import_rawpk_raw(gnutls_pcert_st* pcert,
const gnutls_datum_t* rawpubkey,
gnutls_x509_crt_fmt_t format,
unsigned int key_usage, unsigned int flags)
{
int ret;
if (rawpubkey == NULL) {
return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS);
}
memset(pcert, 0, sizeof(*pcert));
ret = gnutls_pubkey_init(&pcert->pubkey);
if (ret < 0) {
return gnutls_assert_val(ret);
}
// Convert our raw public-key to a gnutls_pubkey_t structure
ret = gnutls_pubkey_import(pcert->pubkey, rawpubkey, format);
if (ret < 0) {
return gnutls_assert_val(ret);
}
pcert->pubkey->key_usage = key_usage;
/* A pcert struct holds a raw copy of the certificate data.
* It is this raw data that will be transferred to the peer via a
* Certificate message. According to the spec (RFC7250) a DER
* representation must be used. Therefore we check the format and
* convert if necessary.
*/
if (format == GNUTLS_X509_FMT_PEM) {
ret = _gnutls_fbase64_decode(PEM_PK,
rawpubkey->data, rawpubkey->size,
&pcert->cert);
if (ret < 0) {
gnutls_pubkey_deinit(pcert->pubkey);
return gnutls_assert_val(ret);
}
} else {
// Directly copy the raw DER data to our pcert
ret = _gnutls_set_datum(&pcert->cert, rawpubkey->data, rawpubkey->size);
if (ret < 0) {
gnutls_pubkey_deinit(pcert->pubkey);
return gnutls_assert_val(ret);
}
}
pcert->type = GNUTLS_CRT_RAWPK;
return GNUTLS_E_SUCCESS;
}
/**
* gnutls_pcert_export_x509:
* @pcert: The pcert structure.
* @crt: An initialized #gnutls_x509_crt_t.
*
* Converts the given #gnutls_pcert_t type into a #gnutls_x509_crt_t.
* This function only works if the type of @pcert is %GNUTLS_CRT_X509.
* When successful, the value written to @crt must be freed with
* gnutls_x509_crt_deinit() when no longer needed.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*
* Since: 3.4.0
*/
int gnutls_pcert_export_x509(gnutls_pcert_st * pcert,
gnutls_x509_crt_t * crt)
{
int ret;
if (pcert->type != GNUTLS_CRT_X509) {
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
ret = gnutls_x509_crt_init(crt);
if (ret < 0)
return gnutls_assert_val(ret);
ret = gnutls_x509_crt_import(*crt, &pcert->cert, GNUTLS_X509_FMT_DER);
if (ret < 0) {
gnutls_x509_crt_deinit(*crt);
*crt = NULL;
return gnutls_assert_val(ret);
}
return 0;
}
/**
* gnutls_pcert_deinit:
* @pcert: The structure to be deinitialized
*
* This function will deinitialize a pcert structure.
*
* Since: 3.0
**/
void gnutls_pcert_deinit(gnutls_pcert_st * pcert)
{
if (pcert->pubkey)
gnutls_pubkey_deinit(pcert->pubkey);
pcert->pubkey = NULL;
_gnutls_free_datum(&pcert->cert);
}
/* Converts the first certificate for the cert_auth_info structure
* to a pcert.
*/
int
_gnutls_get_auth_info_pcert(gnutls_pcert_st * pcert,
gnutls_certificate_type_t type,
cert_auth_info_t info)
{
switch (type) {
case GNUTLS_CRT_X509:
return gnutls_pcert_import_x509_raw(pcert,
&info->raw_certificate_list[0],
GNUTLS_X509_FMT_DER,
0);
case GNUTLS_CRT_RAWPK:
return gnutls_pcert_import_rawpk_raw(pcert,
&info->raw_certificate_list[0],
GNUTLS_X509_FMT_DER,
0, 0);
default:
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
}
}